from tempfile import mkstemp
from xml.dom.minidom import Document, parseString
-from sfa.util.py23 import StringType
-from sfa.util.py23 import StringIO
+from sfa.util.py23 import PY3, StringType, StringIO
HAVELXML = False
try:
f = filep
else:
f = open(filename, "w")
+ if PY3 and isinstance(self.xml, bytes):
+ self.xml = self.xml.decode()
f.write(self.xml)
f.close()
def save_to_string(self, save_parents=True):
if not self.xml:
self.encode()
+ if PY3 and isinstance(self.xml, bytes):
+ self.xml = self.xml.decode()
return self.xml
def get_refid(self):
# If caller explicitly passed in None that means skip cert chain validation.
# - Strange and not typical
if trusted_certs is not None:
- # Verify the gids of this cred and of its parents
+ # Verify the caller and object gids of this cred and of its parents
for cur_cred in self.get_credential_list():
- cur_cred.get_gid_object().verify_chain(trusted_cert_objects)
- cur_cred.get_gid_caller().verify_chain(trusted_cert_objects)
-
+ # check both the caller and the subject
+ for gid in cur_cred.get_gid_object(), cur_cred.get_gid_caller():
+ logger.debug("Credential.verify: verifying chain {}"
+ .format(gid.pretty_cert()))
+ logger.debug("Credential.verify: against trusted {}"
+ .format(" ".join(trusted_certs)))
+ gid.verify_chain(trusted_cert_objects)
+
refs = []
refs.append("Sig_{}".format(self.get_refid()))
message = "Delegated credential {} not signed by parent {}'s caller"\
.format(self.pretty_cred(), parent_cred.pretty_cred())
logger.error(message)
- logger.error("compare1 parent {}".format(parent_cred.get_gid_caller().pretty_cred()))
+ logger.error("compare1 parent {}".format(parent_cred.get_gid_caller().pretty_cert()))
logger.error("compare1 parent details {}".format(parent_cred.get_gid_caller().save_to_string()))
- logger.error("compare2 self {}".format(self.get_signature().get_issuer_gid().pretty_cred()))
+ logger.error("compare2 self {}".format(self.get_signature().get_issuer_gid().pretty_crert()))
logger.error("compare2 self details {}".format(self.get_signature().get_issuer_gid().save_to_string()))
raise CredentialNotVerifiable(message)
return getattr(self,'filename',None)
def actual_caller_hrn(self):
- """a helper method used by some API calls like e.g. Allocate
+ """
+ a helper method used by some API calls like e.g. Allocate
to try and find out who really is the original caller
This admittedly is a bit of a hack, please USE IN LAST RESORT
This code uses a heuristic to identify a delegated credential
- A first known restriction if for traffic that gets through a slice manager
- in this case the hrn reported is the one from the last SM in the call graph
- which is not at all what is meant here"""
+ A first known restriction if for traffic that gets through a
+ slice manager in this case the hrn reported is the one from
+ the last SM in the call graph which is not at all what is
+ meant here
+ """
- caller_hrn = self.get_gid_caller().get_hrn()
- issuer_hrn = self.get_signature().get_issuer_gid().get_hrn()
+ caller_hrn, caller_type = urn_to_hrn(self.get_gid_caller().get_urn())
+ issuer_hrn, issuer_type = urn_to_hrn(self.get_signature().get_issuer_gid().get_urn())
subject_hrn = self.get_gid_object().get_hrn()
+ # if the caller is a user and the issuer is not
+ # it's probably the former
+ if caller_type == "user" and issuer_type != "user":
+ actual_caller_hrn = caller_hrn
# if we find that the caller_hrn is an immediate descendant of the issuer, then
# this seems to be a 'regular' credential
- if caller_hrn.startswith(issuer_hrn):
- actual_caller_hrn=caller_hrn
+ elif caller_hrn.startswith(issuer_hrn):
+ actual_caller_hrn = caller_hrn
# else this looks like a delegated credential, and the real caller is the issuer
else:
- actual_caller_hrn=issuer_hrn
+ actual_caller_hrn = issuer_hrn
logger.info("actual_caller_hrn: caller_hrn={}, issuer_hrn={}, returning {}"
- .format(caller_hrn,issuer_hrn,actual_caller_hrn))
+ .format(caller_hrn, issuer_hrn, actual_caller_hrn))
return actual_caller_hrn
##