import os
import datetime
-from xml.dom.minidom import Document, parseString
from tempfile import mkstemp
+from xml.dom.minidom import Document, parseString
+from dateutil.parser import parse
+
+import sfa.util.sfalogging
from sfa.trust.certificate import Keypair
from sfa.trust.credential_legacy import CredentialLegacy
from sfa.trust.rights import *
from sfa.trust.gid import *
from sfa.util.faults import *
-from sfa.util.sfalogging import logger
-from dateutil.parser import parse
# not be changed else the signature is no longer valid. So, once
# you have loaded an existing signed credential, do not call encode() or sign() on it.
+def filter_creds_by_caller(creds, caller_hrn):
+ """
+ Returns a list of creds who's gid caller matches the
+ specified caller hrn
+ """
+ if not isinstance(creds, list): creds = [creds]
+ caller_creds = []
+ for cred in creds:
+ try:
+ tmp_cred = Credential(string=cred)
+ if tmp_cred.get_gid_caller().get_hrn() == caller_hrn:
+ caller_creds.append(cred)
+ except: pass
+ return caller_creds
+
class Credential(object):
##
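Review bot: The bare `except: pass` around `Credential(string=cred)` swallows every failure, so a malformed or tampered credential string is dropped without any trace in the log, and a genuine programming error in the parser or in `get_gid_caller()` is hidden the same way. Narrow it and record the reason, in the style this file already uses for the trusted-cert loop: `except Exception, exc:` followed by `sfa.util.sfalogging.logger.error("Skipping credential that failed to parse: %r", exc)`. The `isinstance(creds, list)` guard wraps a tuple of credentials as a single element, which then fails to parse and is dropped by that same handler; accepting `(list, tuple)` would avoid that. The docstring's "who's gid caller" should read "whose gid caller".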
trusted_cert_objects.append(GID(filename=f))
ok_trusted_certs.append(f)
except Exception, exc:
- logger.error("Failed to load trusted cert from %s: %r", f, exc)
+ sfa.util.sfalogging.logger.error("Failed to load trusted cert from %s: %r", f, exc)
trusted_certs = ok_trusted_certs
# Use legacy verification if this is a legacy credential
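Review bot: The fully qualified `sfa.util.sfalogging.logger.error(...)` call replaces the short `logger` alias at every log site, which makes the lines long and easy to mistype; if the module import was chosen to avoid an import cycle, a single `logger = sfa.util.sfalogging.logger` after the imports keeps the call sites unchanged. Separately, a certificate that fails to load is only logged and then dropped from `ok_trusted_certs`, so if none load, `trusted_certs` becomes an empty list; whether verification then fails closed depends on code outside this hunk and is worth confirming. The enclosing function starts before this hunk.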
# Maybe should be (hrn, type) = urn_to_hrn(root_cred_signer.get_urn())
root_cred_signer_type = root_cred_signer.get_type()
if (root_cred_signer_type == 'authority'):
- #logger.debug('Cred signer is an authority')
+ #sfa.util.sfalogging.logger.debug('Cred signer is an authority')
# signer is an authority, see if target is in authority's domain
hrn = root_cred_signer.get_hrn()
if root_target_gid.get_hrn().startswith(hrn):
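Review bot: The commented-out `#sfa.util.sfalogging.logger.debug('Cred signer is an authority')` line is dead code carried forward and renamed rather than removed; either drop it or make it a live `sfa.util.sfalogging.logger.debug(...)` call so the authority branch is visible in the log during verification. While here, the `root_target_gid.get_hrn().startswith(hrn)` test on the next lines is a plain string-prefix check with no separator boundary, so an HRN that merely begins with the authority's HRN text would also pass; if HRNs are dot-delimited, comparing against `hrn + "."` (or an exact match) is the tighter test — worth confirming against how HRNs are formed elsewhere in the project. The enclosing function starts before this hunk.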
parent_cred.verify_parent(parent_cred.parent)
- def delegate(self, delegee_gid, keyfile):
+ def delegate(self, delegee_gidfile, caller_keyfile, caller_gidfile):
"""
Return a delegated copy of this credential, delegated to the
specified gid's user.
"""
# get the gid of the object we are delegating
object_gid = self.get_gid_object()
- object_hrn = self.get_hrn()
+ object_hrn = object_gid.get_hrn()
# the hrn of the user who will be delegated to
- if isinstance(delegee_gid, str):
- delegee_gid = GID(string=records[0]['gid'])
+ delegee_gid = GID(filename=delegee_gidfile)
delegee_hrn = delegee_gid.get_hrn()
-
- user_key = Keypair(filename=keyfile)
- user_hrn = self.get_gid_caller().get_hrn()
+
+ #user_key = Keypair(filename=keyfile)
+ #user_hrn = self.get_gid_caller().get_hrn()
subject_string = "%s delegated to %s" % (object_hrn, delegee_hrn)
dcred = Credential(subject=subject_string)
dcred.set_gid_caller(delegee_gid)
dcred.set_gid_object(object_gid)
- privs = self.get_privileges()
+ dcred.set_parent(self)
+ dcred.set_lifetime(self.get_lifetime())
dcred.set_privileges(self.get_privileges())
dcred.get_privileges().delegate_all_privileges(True)
- dcred.set_pubkey(object_gid.get_pubkey())
- dcred.set_issuer(user_key, user_hrn)
- dcred.set_parent(self)
+ #dcred.set_issuer_keys(keyfile, delegee_gidfile)
+ dcred.set_issuer_keys(caller_keyfile, caller_gidfile)
dcred.encode()
dcred.sign()