1 #----------------------------------------------------------------------
2 # Copyright (c) 2008 Board of Trustees, Princeton University
4 # Permission is hereby granted, free of charge, to any person obtaining
5 # a copy of this software and/or hardware specification (the "Work") to
6 # deal in the Work without restriction, including without limitation the
7 # rights to use, copy, modify, merge, publish, distribute, sublicense,
8 # and/or sell copies of the Work, and to permit persons to whom the Work
9 # is furnished to do so, subject to the following conditions:
11 # The above copyright notice and this permission notice shall be
12 # included in all copies or substantial portions of the Work.
14 # THE WORK IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
15 # OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
16 # MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
17 # NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
18 # HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
19 # WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 # OUT OF OR IN CONNECTION WITH THE WORK OR THE USE OR OTHER DEALINGS
22 #----------------------------------------------------------------------
24 # Implements SFA Credentials
26 # Credentials are signed XML files that assign a subject gid privileges to an object gid
30 from types import StringTypes
32 from StringIO import StringIO
33 from tempfile import mkstemp
34 from xml.dom.minidom import Document, parseString
38 from lxml import etree
43 from xml.parsers.expat import ExpatError
45 from sfa.util.faults import CredentialNotVerifiable, ChildRightsNotSubsetOfParent
46 from sfa.util.sfalogging import logger
47 from sfa.util.sfatime import utcparse
48 from sfa.trust.credential_legacy import CredentialLegacy
49 from sfa.trust.rights import Right, Rights, determine_rights
50 from sfa.trust.gid import GID
51 from sfa.util.xrn import urn_to_hrn, hrn_authfor_hrn
54 DEFAULT_CREDENTIAL_LIFETIME = 86400 * 31
58 # . make privs match between PG and PL
59 # . Need to add support for other types of credentials, e.g. tickets
60 # . add namespaces to signed-credential element?
62 signature_template = \
64 <Signature xml:id="Sig_%s" xmlns="http://www.w3.org/2000/09/xmldsig#">
66 <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
67 <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
70 <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
72 <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
73 <DigestValue></DigestValue>
88 # PG formats the template (whitespace) slightly differently.
89 # Note that they don't include the xmlns in the template, but add it later.
90 # Otherwise the two are equivalent.
91 #signature_template_as_in_pg = \
93 #<Signature xml:id="Sig_%s" >
95 # <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
96 # <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
97 # <Reference URI="#%s">
99 # <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
101 # <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
102 # <DigestValue></DigestValue>
109 # <X509IssuerSerial/>
118 # Convert a string into a bool
119 # used to convert an xsd:boolean to a Python boolean
121 if str.lower() in ['true','1']:
127 # Utility function to get the text of an XML element
129 def getTextNode(element, subele):
130 sub = element.getElementsByTagName(subele)[0]
131 if len(sub.childNodes) > 0:
132 return sub.childNodes[0].nodeValue
137 # Utility function to set the text of an XML element
138 # It creates the element, adds the text to it,
139 # and then appends it to the parent.
141 def append_sub(doc, parent, element, text):
142 ele = doc.createElement(element)
143 ele.appendChild(doc.createTextNode(text))
144 parent.appendChild(ele)
147 # Signature contains information about an xmlsec1 signature
148 # for a signed-credential
151 class Signature(object):
153 def __init__(self, string=None):
155 self.issuer_gid = None
172 def set_refid(self, id):
175 def get_issuer_gid(self):
180 def set_issuer_gid(self, gid):
185 doc = parseString(self.xml)
187 logger.log_exc ("Failed to parse credential, %s"%self.xml)
189 sig = doc.getElementsByTagName("Signature")[0]
190 self.set_refid(sig.getAttribute("xml:id").strip("Sig_"))
191 keyinfo = sig.getElementsByTagName("X509Data")[0]
192 szgid = getTextNode(keyinfo, "X509Certificate")
193 szgid = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----" % szgid
194 self.set_issuer_gid(GID(string=szgid))
197 self.xml = signature_template % (self.get_refid(), self.get_refid())
201 # A credential provides a caller gid with privileges to an object gid.
202 # A signed credential is signed by the object's authority.
204 # Credentials are encoded in one of two ways. The legacy style places
205 # it in the subjectAltName of an X509 certificate. The new credentials
206 # are placed in signed XML.
209 # In general, a signed credential obtained externally should
210 # not be changed else the signature is no longer valid. So, once
211 # you have loaded an existing signed credential, do not call encode() or sign() on it.
213 def filter_creds_by_caller(creds, caller_hrn_list):
215 Returns a list of creds who's gid caller matches the
218 if not isinstance(creds, list): creds = [creds]
219 if not isinstance(caller_hrn_list, list):
220 caller_hrn_list = [caller_hrn_list]
224 tmp_cred = Credential(string=cred)
225 if tmp_cred.get_gid_caller().get_hrn() in caller_hrn_list:
226 caller_creds.append(cred)
230 class Credential(object):
233 # Create a Credential object
235 # @param create If true, create a blank x509 certificate
236 # @param subject If subject!=None, create an x509 cert with the subject name
237 # @param string If string!=None, load the credential from the string
238 # @param filename If filename!=None, load the credential from the file
239 # FIXME: create and subject are ignored!
240 def __init__(self, create=False, subject=None, string=None, filename=None, cred=None):
241 self.gidCaller = None
242 self.gidObject = None
243 self.expiration = None
244 self.privileges = None
245 self.issuer_privkey = None
246 self.issuer_gid = None
247 self.issuer_pubkey = None
249 self.signature = None
257 if isinstance(cred, StringTypes):
259 elif isinstance(cred, dict):
260 string = cred['geni_value']
261 self.type = cred['geni_type']
262 self.version = cred['geni_version']
265 # Check if this is a legacy credential, translate it if so
266 if string or filename:
270 str = file(filename).read()
272 if str.strip().startswith("-----"):
273 self.legacy = CredentialLegacy(False,string=str)
274 self.translate_legacy(str)
279 # Find an xmlsec1 path
280 self.xmlsec_path = ''
281 paths = ['/usr/bin','/usr/local/bin','/bin','/opt/bin','/opt/local/bin']
283 if os.path.isfile(path + '/' + 'xmlsec1'):
284 self.xmlsec_path = path + '/' + 'xmlsec1'
287 def get_subject(self):
288 if not self.gidObject:
290 return self.gidObject.get_printable_subject()
292 # sounds like this should be __repr__ instead ??
293 def get_summary_tostring(self):
294 if not self.gidObject:
296 obj = self.gidObject.get_printable_subject()
297 caller = self.gidCaller.get_printable_subject()
298 exp = self.get_expiration()
299 # Summarize the rights too? The issuer?
300 return "[ Grant %s rights on %s until %s ]" % (caller, obj, exp)
302 def get_signature(self):
303 if not self.signature:
305 return self.signature
307 def set_signature(self, sig):
312 # Translate a legacy credential into a new one
314 # @param String of the legacy credential
316 def translate_legacy(self, str):
317 legacy = CredentialLegacy(False,string=str)
318 self.gidCaller = legacy.get_gid_caller()
319 self.gidObject = legacy.get_gid_object()
320 lifetime = legacy.get_lifetime()
322 self.set_expiration(datetime.datetime.utcnow() + datetime.timedelta(seconds=DEFAULT_CREDENTIAL_LIFETIME))
324 self.set_expiration(int(lifetime))
325 self.lifeTime = legacy.get_lifetime()
326 self.set_privileges(legacy.get_privileges())
327 self.get_privileges().delegate_all_privileges(legacy.get_delegate())
330 # Need the issuer's private key and name
331 # @param key Keypair object containing the private key of the issuer
332 # @param gid GID of the issuing authority
334 def set_issuer_keys(self, privkey, gid):
335 self.issuer_privkey = privkey
336 self.issuer_gid = gid
340 # Set this credential's parent
341 def set_parent(self, cred):
346 # set the GID of the caller
348 # @param gid GID object of the caller
350 def set_gid_caller(self, gid):
352 # gid origin caller is the caller's gid by default
353 self.gidOriginCaller = gid
356 # get the GID of the object
358 def get_gid_caller(self):
359 if not self.gidCaller:
361 return self.gidCaller
364 # set the GID of the object
366 # @param gid GID object of the object
368 def set_gid_object(self, gid):
372 # get the GID of the object
374 def get_gid_object(self):
375 if not self.gidObject:
377 return self.gidObject
380 # Expiration: an absolute UTC time of expiration (as either an int or string or datetime)
382 def set_expiration(self, expiration):
383 if isinstance(expiration, (int, float)):
384 self.expiration = datetime.datetime.fromtimestamp(expiration)
385 elif isinstance (expiration, datetime.datetime):
386 self.expiration = expiration
387 elif isinstance (expiration, StringTypes):
388 self.expiration = utcparse (expiration)
390 logger.error ("unexpected input type in Credential.set_expiration")
394 # get the lifetime of the credential (always in datetime format)
396 def get_expiration(self):
397 if not self.expiration:
399 # at this point self.expiration is normalized as a datetime - DON'T call utcparse again
400 return self.expiration
404 def get_lifetime(self):
405 return self.get_expiration()
410 # @param privs either a comma-separated list of privileges of a Rights object
412 def set_privileges(self, privs):
413 if isinstance(privs, str):
414 self.privileges = Rights(string = privs)
416 self.privileges = privs
419 # return the privileges as a Rights object
421 def get_privileges(self):
422 if not self.privileges:
424 return self.privileges
427 # determine whether the credential allows a particular operation to be
430 # @param op_name string specifying name of operation ("lookup", "update", etc)
432 def can_perform(self, op_name):
433 rights = self.get_privileges()
438 return rights.can_perform(op_name)
442 # Encode the attributes of the credential into an XML string
443 # This should be done immediately before signing the credential.
445 # In general, a signed credential obtained externally should
446 # not be changed else the signature is no longer valid. So, once
447 # you have loaded an existing signed credential, do not call encode() or sign() on it.
450 # Create the XML document
452 signed_cred = doc.createElement("signed-credential")
455 # Note that credential/policy.xsd are really the PG schemas
457 # Note that delegation of credentials between the 2 only really works
458 # cause those schemas are identical.
459 # Also note these PG schemas talk about PG tickets and CM policies.
460 signed_cred.setAttribute("xmlns:xsi", "http://www.w3.org/2001/XMLSchema-instance")
461 signed_cred.setAttribute("xsi:noNamespaceSchemaLocation", "http://www.planet-lab.org/resources/sfa/credential.xsd")
462 signed_cred.setAttribute("xsi:schemaLocation", "http://www.planet-lab.org/resources/sfa/ext/policy/1 http://www.planet-lab.org/resources/sfa/ext/policy/1/policy.xsd")
464 # PG says for those last 2:
465 # signed_cred.setAttribute("xsi:noNamespaceSchemaLocation", "http://www.protogeni.net/resources/credential/credential.xsd")
466 # signed_cred.setAttribute("xsi:schemaLocation", "http://www.protogeni.net/resources/credential/ext/policy/1 http://www.protogeni.net/resources/credential/ext/policy/1/policy.xsd")
468 doc.appendChild(signed_cred)
470 # Fill in the <credential> bit
471 cred = doc.createElement("credential")
472 cred.setAttribute("xml:id", self.get_refid())
473 signed_cred.appendChild(cred)
474 append_sub(doc, cred, "type", "privilege")
475 append_sub(doc, cred, "serial", "8")
476 append_sub(doc, cred, "owner_gid", self.gidCaller.save_to_string())
477 append_sub(doc, cred, "owner_urn", self.gidCaller.get_urn())
478 append_sub(doc, cred, "target_gid", self.gidObject.save_to_string())
479 append_sub(doc, cred, "target_urn", self.gidObject.get_urn())
480 append_sub(doc, cred, "uuid", "")
481 if not self.expiration:
482 self.set_expiration(datetime.datetime.utcnow() + datetime.timedelta(seconds=DEFAULT_CREDENTIAL_LIFETIME))
483 self.expiration = self.expiration.replace(microsecond=0)
484 append_sub(doc, cred, "expires", self.expiration.isoformat())
485 privileges = doc.createElement("privileges")
486 cred.appendChild(privileges)
489 rights = self.get_privileges()
490 for right in rights.rights:
491 priv = doc.createElement("privilege")
492 append_sub(doc, priv, "name", right.kind)
493 append_sub(doc, priv, "can_delegate", str(right.delegate).lower())
494 privileges.appendChild(priv)
496 # Add the parent credential if it exists
498 sdoc = parseString(self.parent.get_xml())
499 # If the root node is a signed-credential (it should be), then
500 # get all its attributes and attach those to our signed_cred
502 # Specifically, PG and PLadd attributes for namespaces (which is reasonable),
503 # and we need to include those again here or else their signature
504 # no longer matches on the credential.
505 # We expect three of these, but here we copy them all:
506 # signed_cred.setAttribute("xmlns:xsi", "http://www.w3.org/2001/XMLSchema-instance")
507 # and from PG (PL is equivalent, as shown above):
508 # signed_cred.setAttribute("xsi:noNamespaceSchemaLocation", "http://www.protogeni.net/resources/credential/credential.xsd")
509 # signed_cred.setAttribute("xsi:schemaLocation", "http://www.protogeni.net/resources/credential/ext/policy/1 http://www.protogeni.net/resources/credential/ext/policy/1/policy.xsd")
512 # PL now also declares these, with different URLs, so
513 # the code notices those attributes already existed with
514 # different values, and complains.
515 # This happens regularly on delegation now that PG and
516 # PL both declare the namespace with different URLs.
517 # If the content ever differs this is a problem,
518 # but for now it works - different URLs (values in the attributes)
519 # but the same actual schema, so using the PG schema
520 # on delegated-to-PL credentials works fine.
522 # Note: you could also not copy attributes
523 # which already exist. It appears that both PG and PL
524 # will actually validate a slicecred with a parent
525 # signed using PG namespaces and a child signed with PL
526 # namespaces over the whole thing. But I don't know
527 # if that is a bug in xmlsec1, an accident since
528 # the contents of the schemas are the same,
529 # or something else, but it seems odd. And this works.
530 parentRoot = sdoc.documentElement
531 if parentRoot.tagName == "signed-credential" and parentRoot.hasAttributes():
532 for attrIx in range(0, parentRoot.attributes.length):
533 attr = parentRoot.attributes.item(attrIx)
534 # returns the old attribute of same name that was
536 # Below throws InUse exception if we forgot to clone the attribute first
537 oldAttr = signed_cred.setAttributeNode(attr.cloneNode(True))
538 if oldAttr and oldAttr.value != attr.value:
539 msg = "Delegating cred from owner %s to %s over %s replaced attribute %s value '%s' with '%s'" % (self.parent.gidCaller.get_urn(), self.gidCaller.get_urn(), self.gidObject.get_urn(), oldAttr.name, oldAttr.value, attr.value)
541 #raise CredentialNotVerifiable("Can't encode new valid delegated credential: %s" % msg)
543 p_cred = doc.importNode(sdoc.getElementsByTagName("credential")[0], True)
544 p = doc.createElement("parent")
545 p.appendChild(p_cred)
547 # done handling parent credential
549 # Create the <signatures> tag
550 signatures = doc.createElement("signatures")
551 signed_cred.appendChild(signatures)
553 # Add any parent signatures
555 for cur_cred in self.get_credential_list()[1:]:
556 sdoc = parseString(cur_cred.get_signature().get_xml())
557 ele = doc.importNode(sdoc.getElementsByTagName("Signature")[0], True)
558 signatures.appendChild(ele)
560 # Get the finished product
561 self.xml = doc.toxml()
564 def save_to_random_tmp_file(self):
565 fp, filename = mkstemp(suffix='cred', text=True)
566 fp = os.fdopen(fp, "w")
567 self.save_to_file(filename, save_parents=True, filep=fp)
570 def save_to_file(self, filename, save_parents=True, filep=None):
576 f = open(filename, "w")
580 def save_to_string(self, save_parents=True):
590 def set_refid(self, rid):
594 # Figure out what refids exist, and update this credential's id
595 # so that it doesn't clobber the others. Returns the refids of
598 def updateRefID(self):
600 self.set_refid('ref0')
605 next_cred = self.parent
607 refs.append(next_cred.get_refid())
609 next_cred = next_cred.parent
614 # Find a unique refid for this credential
615 rid = self.get_refid()
618 rid = "ref%d" % (val + 1)
623 # Return the set of parent credential ref ids
632 # Sign the XML file created by encode()
635 # In general, a signed credential obtained externally should
636 # not be changed else the signature is no longer valid. So, once
637 # you have loaded an existing signed credential, do not call encode() or sign() on it.
640 if not self.issuer_privkey or not self.issuer_gid:
642 doc = parseString(self.get_xml())
643 sigs = doc.getElementsByTagName("signatures")[0]
645 # Create the signature template to be signed
646 signature = Signature()
647 signature.set_refid(self.get_refid())
648 sdoc = parseString(signature.get_xml())
649 sig_ele = doc.importNode(sdoc.getElementsByTagName("Signature")[0], True)
650 sigs.appendChild(sig_ele)
652 self.xml = doc.toxml()
655 # Split the issuer GID into multiple certificates if it's a chain
656 chain = GID(filename=self.issuer_gid)
659 gid_files.append(chain.save_to_random_tmp_file(False))
660 if chain.get_parent():
661 chain = chain.get_parent()
666 # Call out to xmlsec1 to sign it
667 ref = 'Sig_%s' % self.get_refid()
668 filename = self.save_to_random_tmp_file()
669 signed = os.popen('%s --sign --node-id "%s" --privkey-pem %s,%s %s' \
670 % (self.xmlsec_path, ref, self.issuer_privkey, ",".join(gid_files), filename)).read()
673 for gid_file in gid_files:
678 # This is no longer a legacy credential
687 # Retrieve the attributes of the credential from the XML.
688 # This is automatically called by the various get_* methods of
689 # this class and should not need to be called explicitly.
694 doc = parseString(self.xml)
696 signed_cred = doc.getElementsByTagName("signed-credential")
698 # Is this a signed-cred or just a cred?
699 if len(signed_cred) > 0:
700 creds = signed_cred[0].getElementsByTagName("credential")
701 signatures = signed_cred[0].getElementsByTagName("signatures")
702 if len(signatures) > 0:
703 sigs = signatures[0].getElementsByTagName("Signature")
705 creds = doc.getElementsByTagName("credential")
707 if creds is None or len(creds) == 0:
708 # malformed cred file
709 raise CredentialNotVerifiable("Malformed XML: No credential tag found")
711 # Just take the first cred if there are more than one
714 self.set_refid(cred.getAttribute("xml:id"))
715 self.set_expiration(utcparse(getTextNode(cred, "expires")))
716 self.gidCaller = GID(string=getTextNode(cred, "owner_gid"))
717 self.gidObject = GID(string=getTextNode(cred, "target_gid"))
721 privs = cred.getElementsByTagName("privileges")[0]
723 for priv in privs.getElementsByTagName("privilege"):
724 kind = getTextNode(priv, "name")
725 deleg = str2bool(getTextNode(priv, "can_delegate"))
727 # Convert * into the default privileges for the credential's type
728 # Each inherits the delegatability from the * above
729 _ , type = urn_to_hrn(self.gidObject.get_urn())
730 rl = determine_rights(type, self.gidObject.get_urn())
735 rlist.add(Right(kind.strip(), deleg))
736 self.set_privileges(rlist)
740 parent = cred.getElementsByTagName("parent")
742 parent_doc = parent[0].getElementsByTagName("credential")[0]
743 parent_xml = parent_doc.toxml()
744 self.parent = Credential(string=parent_xml)
747 # Assign the signatures to the credentials
749 Sig = Signature(string=sig.toxml())
751 for cur_cred in self.get_credential_list():
752 if cur_cred.get_refid() == Sig.get_refid():
753 cur_cred.set_signature(Sig)
758 # trusted_certs: A list of trusted GID filenames (not GID objects!)
759 # Chaining is not supported within the GIDs by xmlsec1.
761 # trusted_certs_required: Should usually be true. Set False means an
762 # empty list of trusted_certs would still let this method pass.
763 # It just skips xmlsec1 verification et al. Only used by some utils
766 # . All of the signatures are valid and that the issuers trace back
767 # to trusted roots (performed by xmlsec1)
768 # . The XML matches the credential schema
769 # . That the issuer of the credential is the authority in the target's urn
770 # . In the case of a delegated credential, this must be true of the root
771 # . That all of the gids presented in the credential are valid
772 # . Including verifying GID chains, and includ the issuer
773 # . The credential is not expired
775 # -- For Delegates (credentials with parents)
776 # . The privileges must be a subset of the parent credentials
777 # . The privileges must have "can_delegate" set for each delegated privilege
778 # . The target gid must be the same between child and parents
779 # . The expiry time on the child must be no later than the parent
780 # . The signer of the child must be the owner of the parent
782 # -- Verify does *NOT*
783 # . ensure that an xmlrpc client's gid matches a credential gid, that
784 # must be done elsewhere
786 # @param trusted_certs: The certificates of trusted CA certificates
787 def verify(self, trusted_certs=None, schema=None, trusted_certs_required=True):
791 # validate against RelaxNG schema
792 if HAVELXML and not self.legacy:
793 if schema and os.path.exists(schema):
794 tree = etree.parse(StringIO(self.xml))
795 schema_doc = etree.parse(schema)
796 xmlschema = etree.XMLSchema(schema_doc)
797 if not xmlschema.validate(tree):
798 error = xmlschema.error_log.last_error
799 message = "%s: %s (line %s)" % (self.get_summary_tostring(), error.message, error.line)
800 raise CredentialNotVerifiable(message)
802 if trusted_certs_required and trusted_certs is None:
805 # trusted_cert_objects = [GID(filename=f) for f in trusted_certs]
806 trusted_cert_objects = []
807 ok_trusted_certs = []
808 # If caller explicitly passed in None that means skip cert chain validation.
809 # Strange and not typical
810 if trusted_certs is not None:
811 for f in trusted_certs:
813 # Failures here include unreadable files
815 trusted_cert_objects.append(GID(filename=f))
816 ok_trusted_certs.append(f)
817 except Exception, exc:
818 logger.error("Failed to load trusted cert from %s: %r", f, exc)
819 trusted_certs = ok_trusted_certs
821 # Use legacy verification if this is a legacy credential
823 self.legacy.verify_chain(trusted_cert_objects)
824 if self.legacy.client_gid:
825 self.legacy.client_gid.verify_chain(trusted_cert_objects)
826 if self.legacy.object_gid:
827 self.legacy.object_gid.verify_chain(trusted_cert_objects)
830 # make sure it is not expired
831 if self.get_expiration() < datetime.datetime.utcnow():
832 raise CredentialNotVerifiable("Credential %s expired at %s" % (self.get_summary_tostring(), self.expiration.isoformat()))
834 # Verify the signatures
835 filename = self.save_to_random_tmp_file()
836 if trusted_certs is not None:
837 cert_args = " ".join(['--trusted-pem %s' % x for x in trusted_certs])
839 # If caller explicitly passed in None that means skip cert chain validation.
840 # - Strange and not typical
841 if trusted_certs is not None:
842 # Verify the gids of this cred and of its parents
843 for cur_cred in self.get_credential_list():
844 cur_cred.get_gid_object().verify_chain(trusted_cert_objects)
845 cur_cred.get_gid_caller().verify_chain(trusted_cert_objects)
848 refs.append("Sig_%s" % self.get_refid())
850 parentRefs = self.updateRefID()
851 for ref in parentRefs:
852 refs.append("Sig_%s" % ref)
855 # If caller explicitly passed in None that means skip xmlsec1 validation.
856 # Strange and not typical
857 if trusted_certs is None:
860 # print "Doing %s --verify --node-id '%s' %s %s 2>&1" % \
861 # (self.xmlsec_path, ref, cert_args, filename)
862 verified = os.popen('%s --verify --node-id "%s" %s %s 2>&1' \
863 % (self.xmlsec_path, ref, cert_args, filename)).read()
864 if not verified.strip().startswith("OK"):
865 # xmlsec errors have a msg= which is the interesting bit.
866 mstart = verified.find("msg=")
868 if mstart > -1 and len(verified) > 4:
870 mend = verified.find('\\', mstart)
871 msg = verified[mstart:mend]
872 raise CredentialNotVerifiable("xmlsec1 error verifying cred %s using Signature ID %s: %s %s" % (self.get_summary_tostring(), ref, msg, verified.strip()))
875 # Verify the parents (delegation)
877 self.verify_parent(self.parent)
879 # Make sure the issuer is the target's authority, and is
881 self.verify_issuer(trusted_cert_objects)
885 # Creates a list of the credential and its parents, with the root
886 # (original delegated credential) as the last item in the list
887 def get_credential_list(self):
891 list.append(cur_cred)
893 cur_cred = cur_cred.parent
899 # Make sure the credential's target gid (a) was signed by or (b)
900 # is the same as the entity that signed the original credential,
901 # or (c) is an authority over the target's namespace.
902 # Also ensure that the credential issuer / signer itself has a valid
903 # GID signature chain (signed by an authority with namespace rights).
904 def verify_issuer(self, trusted_gids):
905 root_cred = self.get_credential_list()[-1]
906 root_target_gid = root_cred.get_gid_object()
907 root_cred_signer = root_cred.get_signature().get_issuer_gid()
910 # Allow non authority to sign target and cred about target.
912 # Why do we need to allow non authorities to sign?
913 # If in the target gid validation step we correctly
914 # checked that the target is only signed by an authority,
915 # then this is just a special case of case 3.
916 # This short-circuit is the common case currently -
917 # and cause GID validation doesn't check 'authority',
918 # this allows users to generate valid slice credentials.
919 if root_target_gid.is_signed_by_cert(root_cred_signer):
920 # cred signer matches target signer, return success
924 # Allow someone to sign credential about themeselves. Used?
925 # If not, remove this.
926 #root_target_gid_str = root_target_gid.save_to_string()
927 #root_cred_signer_str = root_cred_signer.save_to_string()
928 #if root_target_gid_str == root_cred_signer_str:
929 # # cred signer is target, return success
934 # root_cred_signer is not the target_gid
935 # So this is a different gid that we have not verified.
936 # xmlsec1 verified the cert chain on this already, but
937 # it hasn't verified that the gid meets the HRN namespace
939 # Below we'll ensure that it is an authority.
940 # But we haven't verified that it is _signed by_ an authority
941 # We also don't know if xmlsec1 requires that cert signers
944 # Note that if verify() gave us no trusted_gids then this
945 # call will fail. So skip it if we have no trusted_gids
946 if trusted_gids and len(trusted_gids) > 0:
947 root_cred_signer.verify_chain(trusted_gids)
949 logger.debug("No trusted gids. Cannot verify that cred signer is signed by a trusted authority. Skipping that check.")
951 # See if the signer is an authority over the domain of the target.
952 # There are multiple types of authority - accept them all here
953 # Maybe should be (hrn, type) = urn_to_hrn(root_cred_signer.get_urn())
954 root_cred_signer_type = root_cred_signer.get_type()
955 if (root_cred_signer_type.find('authority') == 0):
956 #logger.debug('Cred signer is an authority')
957 # signer is an authority, see if target is in authority's domain
958 signerhrn = root_cred_signer.get_hrn()
959 if hrn_authfor_hrn(signerhrn, root_target_gid.get_hrn()):
962 # We've required that the credential be signed by an authority
963 # for that domain. Reasonable and probably correct.
964 # A looser model would also allow the signer to be an authority
965 # in my control framework - eg My CA or CH. Even if it is not
966 # the CH that issued these, eg, user credentials.
968 # Give up, credential does not pass issuer verification
970 raise CredentialNotVerifiable("Could not verify credential owned by %s for object %s. Cred signer %s not the trusted authority for Cred target %s" % (self.gidCaller.get_urn(), self.gidObject.get_urn(), root_cred_signer.get_hrn(), root_target_gid.get_hrn()))
974 # -- For Delegates (credentials with parents) verify that:
975 # . The privileges must be a subset of the parent credentials
976 # . The privileges must have "can_delegate" set for each delegated privilege
977 # . The target gid must be the same between child and parents
978 # . The expiry time on the child must be no later than the parent
979 # . The signer of the child must be the owner of the parent
980 def verify_parent(self, parent_cred):
981 # make sure the rights given to the child are a subset of the
982 # parents rights (and check delegate bits)
983 if not parent_cred.get_privileges().is_superset(self.get_privileges()):
984 raise ChildRightsNotSubsetOfParent(("Parent cred ref %s rights " % parent_cred.get_refid()) +
985 self.parent.get_privileges().save_to_string() + (" not superset of delegated cred %s ref %s rights " % (self.get_summary_tostring(), self.get_refid())) +
986 self.get_privileges().save_to_string())
988 # make sure my target gid is the same as the parent's
989 if not parent_cred.get_gid_object().save_to_string() == \
990 self.get_gid_object().save_to_string():
991 raise CredentialNotVerifiable("Delegated cred %s: Target gid not equal between parent and child. Parent %s" % (self.get_summary_tostring(), parent_cred.get_summary_tostring()))
993 # make sure my expiry time is <= my parent's
994 if not parent_cred.get_expiration() >= self.get_expiration():
995 raise CredentialNotVerifiable("Delegated credential %s expires after parent %s" % (self.get_summary_tostring(), parent_cred.get_summary_tostring()))
997 # make sure my signer is the parent's caller
998 if not parent_cred.get_gid_caller().save_to_string(False) == \
999 self.get_signature().get_issuer_gid().save_to_string(False):
1000 raise CredentialNotVerifiable("Delegated credential %s not signed by parent %s's caller" % (self.get_summary_tostring(), parent_cred.get_summary_tostring()))
1003 if parent_cred.parent:
1004 parent_cred.verify_parent(parent_cred.parent)
1007 def delegate(self, delegee_gidfile, caller_keyfile, caller_gidfile):
1009 Return a delegated copy of this credential, delegated to the
1010 specified gid's user.
1012 # get the gid of the object we are delegating
1013 object_gid = self.get_gid_object()
1014 object_hrn = object_gid.get_hrn()
1016 # the hrn of the user who will be delegated to
1017 delegee_gid = GID(filename=delegee_gidfile)
1018 delegee_hrn = delegee_gid.get_hrn()
1020 #user_key = Keypair(filename=keyfile)
1021 #user_hrn = self.get_gid_caller().get_hrn()
1022 subject_string = "%s delegated to %s" % (object_hrn, delegee_hrn)
1023 dcred = Credential(subject=subject_string)
1024 dcred.set_gid_caller(delegee_gid)
1025 dcred.set_gid_object(object_gid)
1026 dcred.set_parent(self)
1027 dcred.set_expiration(self.get_expiration())
1028 dcred.set_privileges(self.get_privileges())
1029 dcred.get_privileges().delegate_all_privileges(True)
1030 #dcred.set_issuer_keys(keyfile, delegee_gidfile)
1031 dcred.set_issuer_keys(caller_keyfile, caller_gidfile)
1038 def get_filename(self):
1039 return getattr(self,'filename',None)
1042 # Dump the contents of a credential to stdout in human-readable format
1044 # @param dump_parents If true, also dump the parent certificates
1045 def dump (self, *args, **kwargs):
1046 print self.dump_string(*args, **kwargs)
1049 def dump_string(self, dump_parents=False):
1051 result += "CREDENTIAL %s\n" % self.get_subject()
1052 filename=self.get_filename()
1053 if filename: result += "Filename %s\n"%filename
1054 result += " privs: %s\n" % self.get_privileges().save_to_string()
1055 gidCaller = self.get_gid_caller()
1057 result += " gidCaller:\n"
1058 result += gidCaller.dump_string(8, dump_parents)
1060 if self.get_signature():
1062 self.get_signature().get_issuer_gid().dump(8, dump_parents)
1064 gidObject = self.get_gid_object()
1066 result += " gidObject:\n"
1067 result += gidObject.dump_string(8, dump_parents)
1069 if self.parent and dump_parents:
1070 result += "\nPARENT"
1071 result += self.parent.dump_string(True)