util/credential.py

   1 # credential.py
   2 #
   3 # implements GENI credentials
   4 #
   5 # Credentials are layered on top of certificates, and are essentially a
   6 # certificate that stores a tuple of parameters.
   7
   8 from cert import *
   9 from rights import *
  10 from gid import *
  11 import xmlrpclib
  12
  13 # Credential is a tuple:
  14 #     (GIDCaller, GIDObject, LifeTime, Privileges, Delegate)
  15 #
  16 # These fields are encoded using xmlrpc into the subjectAltName field of the
  17 # x509 certificate. Note: Call encode() once the fields have been filled in
  18 # to perform this encoding.
  19
  20 class Credential(Certificate):
  21     gidCaller = None
  22     gidObject = None
  23     lifeTime = None
  24     privileges = None
  25     delegate = False
  26
  27     def __init__(self, create=False, subject=None, string=None, filename=None):
  28         Certificate.__init__(self, create, subject, string, filename)
  29
  30     def create_similar(self):
  31         return Credential()
  32
  33     def set_gid_caller(self, gid):
  34         self.gidCaller = gid
  35
  36     def get_gid_caller(self):
  37         if not self.gidCaller:
  38             self.decode()
  39         return self.gidCaller
  40
  41     def set_gid_object(self, gid):
  42         self.gidObject = gid
  43
  44     def get_gid_object(self):
  45         if not self.gidObject:
  46             self.decode()
  47         return self.gidObject
  48
  49     def set_lifetime(self, lifeTime):
  50         self.lifeTime = lifeTime
  51
  52     def get_lifetime(self):
  53         if not self.lifeTime:
  54             self.decode()
  55         return self.lifeTime
  56
  57     def set_delegate(self, delegate):
  58         self.delegate = delegate
  59
  60     def get_delegate(self):
  61         if not self.delegate:
  62             self.decode()
  63         return self.delegate
  64
  65     def set_privileges(self, privs):
  66         if isinstance(privs, str):
  67             self.privileges = RightList(string = privs)
  68         else:
  69             self.privileges = privs
  70
  71     def get_privileges(self):
  72         if not self.privileges:
  73             self.decode()
  74         return self.privileges
  75
  76     def can_perform(self, op_name):
  77         rights = self.get_privileges()
  78         if not rights:
  79             return False
  80         return rights.can_perform(op_name)
  81
  82     def encode(self):
  83         dict = {"gidCaller": None,
  84                 "gidObject": None,
  85                 "lifeTime": self.lifeTime,
  86                 "privileges": None,
  87                 "delegate": self.delegate}
  88         if self.gidCaller:
  89             dict["gidCaller"] = self.gidCaller.save_to_string(save_parents=True)
  90         if self.gidObject:
  91             dict["gidObject"] = self.gidObject.save_to_string(save_parents=True)
  92         if self.privileges:
  93             dict["privileges"] = self.privileges.save_to_string()
  94         str = xmlrpclib.dumps((dict,), allow_none=True)
  95         self.set_data(str)
  96
  97     def decode(self):
  98         data = self.get_data()
  99         if data:
 100             dict = xmlrpclib.loads(self.get_data())[0][0]
 101         else:
 102             dict = {}
 103
 104         self.lifeTime = dict.get("lifeTime", None)
 105         self.delegate = dict.get("delegate", None)
 106
 107         privStr = dict.get("privileges", None)
 108         if privStr:
 109             self.privileges = RightList(string = privStr)
 110         else:
 111             self.privileges = None
 112
 113         gidCallerStr = dict.get("gidCaller", None)
 114         if gidCallerStr:
 115             self.gidCaller = GID(string=gidCallerStr)
 116         else:
 117             self.gidCaller = None
 118
 119         gidObjectStr = dict.get("gidObject", None)
 120         if gidObjectStr:
 121             self.gidObject = GID(string=gidObjectStr)
 122         else:
 123             self.gidObject = None
 124
 125     def verify_chain(self, trusted_certs = None):
 126         # do the normal certificate verification stuff
 127         Certificate.verify_chain(self, trusted_certs)
 128
 129         if self.parent:
 130             # make sure the parent delegated rights to the child
 131             if not self.parent.get_delegate():
 132                 raise MissingDelegateBit(self.parent.get_subject())
 133
 134             # XXX todo: make sure child rights are a subset of parent rights
 135
 136         return
 137
 138     def dump(self, dump_parents=False):
 139         print "CREDENTIAL", self.get_subject()
 140
 141         print "      privs:", self.get_privileges().save_to_string()
 142
 143         print "  gidCaller:"
 144         gidCaller = self.get_gid_caller()
 145         if gidCaller:
 146             gidCaller.dump(8, dump_parents)
 147
 148         print "  gidObject:"
 149         gidObject = self.get_gid_object()
 150         if gidObject:
 151             gidObject.dump(8, dump_parents)
 152
 153         print "   delegate:", self.get_delegate()
 154
 155         if self.parent and dump_parents:
 156            print "PARENT",
 157            self.parent.dump(dump_parents)
 158
 159
 160
 161
 162