New credentials are now working, at least for list and get_resources.
authorJosh Karlin <jkarlin@bbn.com>
Thu, 8 Apr 2010 18:44:31 +0000 (18:44 +0000)
committerJosh Karlin <jkarlin@bbn.com>
Thu, 8 Apr 2010 18:44:31 +0000 (18:44 +0000)
sfa/server/modpythonapi/AuthenticatedApi.py
sfa/trust/auth.py
sfa/trust/credential.py
sfa/util/namespace.py

index f87d4bb..e86781f 100755 (executable)
@@ -42,12 +42,6 @@ class AuthenticatedApi(BaseApi):
     def validateCred(self, cred):
         if self.trusted_cert_list:
             cred.verify(self.trusted_cert_file_list)
-            caller_gid = cred.get_gid_caller()
-            object_gid = cred.get_gid_object()
-            if caller_gid:
-                caller_gid.verify_chain(self.trusted_cert_list)
-            if object_gid:
-                object_gid.verify_chain(self.trusted_cert_list)
 
     def authenticateGid(self, gidStr, argList, requestHash):
         gid = GID(string = gidStr)
index 51b7edc..15d3b58 100644 (file)
@@ -58,10 +58,6 @@ class Auth:
 
         if self.trusted_cert_list:
             self.client_cred.verify(self.trusted_cert_file_list)
-            if self.client_gid:
-                self.client_gid.verify_chain(self.trusted_cert_list)
-            if self.object_gid:
-                self.object_gid.verify_chain(self.trusted_cert_list)
         else:
            raise MissingTrustedRoots(self.config.get_trustedroots_dir())
 
@@ -100,12 +96,6 @@ class Auth:
     def validateCred(self, cred):
         if self.trusted_cert_list:
             cred.verify(self.trusted_cert_file_list)
-            caller_gid = cred.get_gid_caller()
-            object_gid = cred.get_gid_object()
-            if caller_gid:
-                caller_gid.verify_chain(self.trusted_cert_list)
-            if object_gid:
-                object_gid.verify_chain(self.trusted_cert_list)
 
     def authenticateGid(self, gidStr, argList, requestHash=None):
         gid = GID(string = gidStr)
index 4acaa20..84d9d93 100644 (file)
@@ -175,7 +175,8 @@ class Credential(object):
         self.gidObject = legacy.get_gid_object()
         lifetime = legacy.get_lifetime()
         if not lifetime:
-            self.set_lifetime(3600)
+            # Default to two years
+            self.set_lifetime(1051200)
         else:
             self.set_lifetime(int(lifetime))
         self.lifeTime = legacy.get_lifetime()
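Review bot: The added comment says "two years" but `1051200` is 2·365·24·60, i.e. two years expressed in minutes, while the old default `3600` reads as one hour in seconds; if `set_lifetime` takes seconds the new default is roughly twelve days and the comment is wrong, and if it takes minutes the old default was two and a half days. Whichever unit applies, the comment should state it and the magic number should be named, e.g. `# Default lifetime for converted legacy credentials, in <unit — confirm against set_lifetime>` above a module-level constant such as `DEFAULT_LEGACY_LIFETIME`. Moving the default from about an hour to a multi-year window also lengthens how long a converted credential stays usable after it has leaked or should have been retired, so the reason for the new value is worth a sentence in the comment. The enclosing method starts outside the hunk.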
@@ -540,6 +541,7 @@ class Credential(object):
     #   to trusted roots (performed by xmlsec1)
     # . That the issuer of the credential is the authority in the target's urn
     #    . In the case of a delegated credential, this must be true of the root
+    # . That all of the gids presented in the credential are valid
     #
     # -- For Delegates (credentials with parents)
     # . The privileges must be a subset of the parent credentials
@@ -562,6 +564,17 @@ class Credential(object):
         filename = self.save_to_random_tmp_file()
         cert_args = " ".join(['--trusted-pem %s' % x for x in trusted_certs])
 
+        # Verify the gids of this cred and of its parents
+        trusted_cert_objects = [GID(filename=f) for f in trusted_certs]
+
+        cur_cred = self
+        while cur_cred:
+            cur_cred.get_gid_object().verify_chain(trusted_cert_objects)
+            cur_cred.get_gid_caller().verify_chain(trusted_cert_objects)
+            if self.parent_xml:
+                cur_cred = Credential(string=self.parent_xml)
+            else:
+                cur_cred = None
         
         refs = []
         refs.append("Sig_%s" % self.get_refid())
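Review bot: The new loop tests `self.parent_xml` and rebuilds `Credential(string=self.parent_xml)` on every pass, so for a delegated credential `cur_cred` is reset to the same parent each time and the `while` never terminates, and no ancestor beyond the first parent is ever checked; both references should be `cur_cred.parent_xml`. The guards removed in AuthenticatedApi.py and auth.py earlier in this commit skipped a missing caller or object GID before calling `verify_chain`, whereas the new loop calls it unconditionally, so if `get_gid_caller()` can return None, as those guards suggest, verification would now fail with an AttributeError instead of a verification error. verify's body starts and ends outside the hunk.
```python
        trusted_cert_objects = [GID(filename=f) for f in trusted_certs]

        cur_cred = self
        while cur_cred:
            # Both GIDs must chain to a trusted root; skip one only if the
            # credential genuinely carries none (legacy creds may lack a caller).
            for gid in (cur_cred.get_gid_object(), cur_cred.get_gid_caller()):
                if gid:
                    gid.verify_chain(trusted_cert_objects)
            # Advance from the credential just checked, not from self, so the
            # loop terminates and every ancestor in the delegation chain is seen.
            if cur_cred.parent_xml:
                cur_cred = Credential(string=cur_cred.parent_xml)
            else:
                cur_cred = None
        # … unchanged: signature reference setup and xmlsec1 invocation …
```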
@@ -589,10 +602,8 @@ class Credential(object):
 
     ##
     # Make sure the issuer of this credential is the target's authority
-    # Security hole: Because PL GID's use hrns in the CN instead of urns,
-    # the type is not checked, only the authority name.
-    def verify_issuer(self):
-        target_authority = get_authority(self.get_gid_object().get_hrn())
+    def verify_issuer(self):        
+        target_authority = get_authority(self.get_gid_object().get_urn())
 
         # Find the root credential's refid
         cur_cred = self
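Review bot: The new `def verify_issuer(self):` line carries trailing whitespace and should be trimmed. The commit also drops the header comment explaining that only the authority name, not the target's type, is compared; switching to `get_urn()` changes what `get_authority` parses, but nothing in this hunk shows the type being compared against the issuer, so the caveat should survive in the header comment, e.g. `# Note: only the authority name is compared here; the target's type is not checked`, unless the move to urns is intended to close that gap, in which case the comment should say how. verify_issuer continues past the end of the hunk.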
@@ -610,6 +621,7 @@ class Credential(object):
             if sig.get_refid().lower() == root_refid.lower():
                 root_issuer = sig.get_issuer_gid().get_urn()
                 
+                
         # Ensure that the signer of the root credential is the target_authority
         target_authority = hrn_to_urn(target_authority, 'authority')
 
index e3a7536..ebc8146 100644 (file)
@@ -9,7 +9,11 @@ def get_leaf(hrn):
     parts = hrn.split(".")
     return ".".join(parts[-1:])
 
-def get_authority(hrn):
+def get_authority(xrn):
+    hrn, type = urn_to_hrn(xrn)
+    if type and type == 'authority':
+        return hrn
+    
     parts = hrn.split(".")
     return ".".join(parts[:-1])