changed credential set_lifetime to be in absolute time, not relative. Fixed registry...
authorJosh Karlin <jkarlin@bbn.com>
Fri, 8 Oct 2010 15:14:48 +0000 (11:14 -0400)
committerJosh Karlin <jkarlin@bbn.com>
Fri, 8 Oct 2010 15:14:48 +0000 (11:14 -0400)
sfa/client/sfi.py
sfa/managers/aggregate_manager_pl.py
sfa/managers/registry_manager_pl.py
sfa/methods/RenewSliver.py
sfa/trust/credential.py
tests/testCred.py

index f7eecb3..e149b0f 100755 (executable)
@@ -404,8 +404,8 @@ class Sfi:
         if (os.path.isfile(file)):
             credential = Credential(filename=file)
             # make sure it isnt expired 
-            if not credential.get_lifetime or \
-               datetime.datetime.today() < credential.get_lifetime():
+            if not credential.get_expiration or \
+               datetime.datetime.today() < credential.get_expiration():
                 return credential
         return None 
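Review bot: The guard on the new lines never short-circuits and compares the wrong clock: `not credential.get_expiration` tests the bound method (always truthy, a bug carried over from the old `get_lifetime` spelling), and `datetime.datetime.today()` is local time while credential.py sets and checks expiration with `utcnow()` (see the credential.py hunks in this commit), so on a host west of UTC a credential that expired up to the UTC offset ago is still returned from the cache. I would change it to `if credential.get_expiration() is None or \` / `   datetime.datetime.utcnow() < credential.get_expiration():`. The enclosing method starts before the hunk.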
  
index a2b4f58..01e6b41 100644 (file)
@@ -58,7 +58,7 @@ def __get_registry_objects(slice_xrn, creds, users):
         reg_objects['site'] = site
 
         slice = {}
-        slice['expires'] = int(time.mktime(Credential(string=creds[0]).get_lifetime().timetuple()))
+        slice['expires'] = int(time.mktime(Credential(string=creds[0]).get_expiration().timetuple()))
         slice['hrn'] = hrn
         slice['name'] = hrn_to_pl_slicename(hrn)
         slice['url'] = hrn
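Review bot: `time.mktime(...)` on the new line interprets the credential's naive expiration as local time, but the expiration is a naive UTC value (credential.py sets it from `utcnow()` and compares against `utcnow()` in verify), so `slice['expires']` is off by the aggregate's UTC offset, and the error is not cancelled out because `set_expiration(int)` in the same commit converts with `fromtimestamp` only on the registry side. The UTC-correct conversion is `int(calendar.timegm(Credential(string=creds[0]).get_expiration().utctimetuple()))`, which needs `import calendar` if the module does not already have it (the import block is outside the hunk). `__get_registry_objects` starts before and continues past the hunk.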
index f5f4b48..4c54e5f 100644 (file)
@@ -66,6 +66,8 @@ def get_credential(api, xrn, type, is_self=False):
     #new_cred.set_pubkey(object_gid.get_pubkey())
     new_cred.set_privileges(rights)
     new_cred.get_privileges().delegate_all_privileges(True)
+    if 'expires' in record:
+        new_cred.set_expiration(int(record['expires']))
     auth_kind = "authority,ma,sa"
     # Parent not necessary, verify with certs
     #new_cred.set_parent(api.auth.hierarchy.get_auth_cred(auth_hrn, kind=auth_kind))
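Review bot: The added `set_expiration(int(record['expires']))` does no validation of the record value: a record whose `expires` is present but `None` or empty raises in `int()`, an already-past expiry produces a credential that verify rejects immediately, and a far-future expiry produces one much longer than the two-week default this commit introduces, so the record becomes the only thing bounding credential lifetime. At minimum guard the value, `expires = record.get('expires')` / `if expires:` / `    new_cred.set_expiration(int(expires))` (assuming record is dict-like, as the `in` test suggests), and consider clamping to the default lifetime unless the slice expiry is meant to override it. Also note `set_expiration(int)` in this commit converts with `datetime.fromtimestamp`, which is local time, whereas the value written by the aggregate manager and the `utcnow()` checks in verify are UTC. `get_credential` starts before and continues past the hunk.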
index ce753fe..c337bc0 100644 (file)
@@ -31,7 +31,7 @@ class RenewSliver(Method):
 
         # Validate that the time does not go beyond the credential's expiration time
         requested_time = parse(expiration_time)
-        if requested_time > Credential(string=valid_creds[0]).get_lifetime():
+        if requested_time > Credential(string=valid_creds[0]).get_expiration():
             raise InsufficientRights('SliverStatus: Credential expires before requested expiration time')
        
         manager = self.api.get_interface_manager()
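Review bot: `requested_time = parse(expiration_time)` yields a timezone-aware datetime whenever the client sends an offset or `Z` suffix, and comparing it against the credential's naive UTC expiration on the new line raises `TypeError` rather than either accepting or rejecting the request. Normalise before the comparison: `if requested_time.tzinfo is not None:` / `    requested_time = (requested_time - requested_time.utcoffset()).replace(tzinfo=None)`, so a client-supplied time in any zone is compared in UTC like the rest of the credential code. The message on the raise also says `SliverStatus:` inside RenewSliver, which will mislead anyone reading logs. The method body continues past the hunk.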
index 4971cdd..c09f1bf 100644 (file)
@@ -43,8 +43,8 @@ from sfa.trust.rights import Right, Rights
 from sfa.trust.gid import GID
 from sfa.util.namespace import *
 
-# Two years, in seconds 
-DEFAULT_CREDENTIAL_LIFETIME = 60 * 60 * 24 * 365 * 2
+# 2 weeks, in seconds 
+DEFAULT_CREDENTIAL_LIFETIME = 86400 * 14
 
 
 # TODO:
@@ -256,10 +256,9 @@ class Credential(object):
         self.gidObject = legacy.get_gid_object()
         lifetime = legacy.get_lifetime()
         if not lifetime:
-            # Default to two years
-            self.set_lifetime(DEFAULT_CREDENTIAL_LIFETIME)
+            self.set_expiration(datetime.datetime.utcnow() + datetime.timedelta(seconds=DEFAULT_CREDENTIAL_LIFETIME))
         else:
-            self.set_lifetime(int(lifetime))
+            self.set_expiration(int(lifetime))
         self.lifeTime = legacy.get_lifetime()
         self.set_privileges(legacy.get_privileges())
         self.get_privileges().delegate_all_privileges(legacy.get_delegate())
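Review bot: `self.set_expiration(int(lifetime))` on the new line changes the meaning of the legacy value: the removed `set_lifetime` docstring in this commit treated an integer as seconds remaining, but `set_expiration` now treats an integer as an absolute epoch timestamp, so a legacy lifetime such as 3600 becomes an expiration in January 1970 and every converted legacy credential is already expired. If `legacy.get_lifetime()` still returns a relative value (the old call path implies it does), this should be `self.set_expiration(datetime.datetime.utcnow() + datetime.timedelta(seconds=int(lifetime)))`, matching the default branch just above it. The enclosing method starts before and continues past the hunk.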
@@ -314,28 +313,30 @@ class Credential(object):
             self.decode()
         return self.gidObject
 
+
+            
     ##
-    # set the lifetime of this credential
-    #
-    # @param lifetime lifetime of credential
-    # . if lifeTime is a datetime object, it is used for the expiration time
-    # . if lifeTime is an integer value, it is considered the number of seconds
-    #   remaining before expiration
-
-    def set_lifetime(self, lifeTime):
-        if isinstance(lifeTime, int):
-            self.expiration = datetime.timedelta(seconds=lifeTime) + datetime.datetime.utcnow()
+    # Expiration: an absolute UTC time of expiration (as either an int or datetime)
+    # 
+    def set_expiration(self, expiration):
+        if isinstance(expiration, int):
+            self.expiration = datetime.datetime.fromtimestamp(expiration)
         else:
-            self.expiration = lifeTime
+            self.expiration = expiration
+            
 
     ##
     # get the lifetime of the credential (in datetime format)
 
-    def get_lifetime(self):
+    def get_expiration(self):
         if not self.expiration:
             self.decode()
         return self.expiration
 
+    ##
+    # For legacy sake
+    def get_lifetime(self):
+        return self.get_expiration()
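Review bot: The new docstring says `set_expiration` takes an absolute UTC time, but the int branch uses `datetime.datetime.fromtimestamp`, which returns local time; every other place in the class uses `utcnow()` (the legacy default and the expiry check in verify), so an int-set expiration is skewed by the host's UTC offset. Use `self.expiration = datetime.datetime.utcfromtimestamp(expiration)`, and since the caller passes `int(time.mktime(...))` consider accepting `(int, long, float)` on the `isinstance` check so a float epoch is not silently stored as a raw number and later compared against a datetime. A one-line docstring on `get_lifetime` saying it returns the absolute expiration, not a duration, would save the next reader from the name.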
  
     ##
     # set the privileges
@@ -398,7 +399,7 @@ class Credential(object):
         append_sub(doc, cred, "target_urn", self.gidObject.get_urn())
         append_sub(doc, cred, "uuid", "")
         if not self.expiration:
-            self.set_lifetime(DEFAULT_CREDENTIAL_LIFETIME)
+            self.set_expiration(datetime.datetime.utcnow() + datetime.timedelta(DEFAULT_CREDENTIAL_LIFETIME))
         self.expiration = self.expiration.replace(microsecond=0)
         append_sub(doc, cred, "expires", self.expiration.isoformat())
         privileges = doc.createElement("privileges")
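Review bot: The default on the new line passes the seconds constant as the first positional argument of `timedelta`, which is days, so a credential encoded without an explicit expiration gets `utcnow() + 1209600 days` (roughly the year 5300) instead of two weeks; the two-week default this commit introduces is therefore bypassed for exactly the case it is meant to cover. The fix is `self.set_expiration(datetime.datetime.utcnow() + datetime.timedelta(seconds=DEFAULT_CREDENTIAL_LIFETIME))`, the form already used in the legacy-conversion hunk. `encode` starts before and continues past the hunk.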
@@ -581,7 +582,7 @@ class Credential(object):
         
 
         self.set_refid(cred.getAttribute("xml:id"))
-        self.set_lifetime(parse(getTextNode(cred, "expires")))
+        self.set_expiration(parse(getTextNode(cred, "expires")))
         self.gidCaller = GID(string=getTextNode(cred, "owner_gid"))
         self.gidObject = GID(string=getTextNode(cred, "target_gid"))   
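Review bot: `set_expiration(parse(getTextNode(cred, "expires")))` stores whatever `parse` produces, and `parse` returns a timezone-aware datetime for an `expires` element carrying an offset or `Z`; the later `< utcnow()` and parent/child comparisons then raise `TypeError` on a naive-vs-aware compare, so a malformed or crafted credential escapes as an exception instead of a `CredentialNotVerifiable`. Normalise at decode time: `expires = parse(getTextNode(cred, "expires"))` / `if expires.tzinfo is not None: expires = (expires - expires.utcoffset()).replace(tzinfo=None)` / `self.set_expiration(expires)`. A missing element (`getTextNode` returning `None`) also reaches `parse` unguarded here, which I would turn into an explicit `CredentialNotVerifiable`. `decode` starts before and continues past the hunk.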
 
@@ -673,7 +674,7 @@ class Credential(object):
             return True
         
         # make sure it is not expired
-        if self.get_lifetime() < datetime.datetime.utcnow():
+        if self.get_expiration() < datetime.datetime.utcnow():
             raise CredentialNotVerifiable("Credential expired at %s" % self.expiration.isoformat())
 
         # Verify the signatures
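Review bot: The expiry check on the new line only runs after the `return True` two lines above it, whose condition is outside the hunk; if that early return is a short-circuit for trusted or self-signed credentials, an expired credential of that kind still verifies. Either move the `get_expiration() < utcnow()` check ahead of the early return or add a comment on the early return stating why expiry need not be checked on that path. `verify` starts before and continues past the hunk.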
@@ -781,7 +782,7 @@ class Credential(object):
             raise CredentialNotVerifiable("Target gid not equal between parent and child")
 
         # make sure my expiry time is <= my parent's
-        if not parent_cred.get_lifetime() >= self.get_lifetime():
+        if not parent_cred.get_expiration() >= self.get_expiration():
             raise CredentialNotVerifiable("Delegated credential expires after parent")
 
         # make sure my signer is the parent's caller
@@ -814,7 +815,7 @@ class Credential(object):
         dcred.set_gid_caller(delegee_gid)
         dcred.set_gid_object(object_gid)
         dcred.set_parent(self)
-        dcred.set_lifetime(self.get_lifetime())
+        dcred.set_expiration(self.get_expiration())
         dcred.set_privileges(self.get_privileges())
         dcred.get_privileges().delegate_all_privileges(True)
         #dcred.set_issuer_keys(keyfile, delegee_gidfile)
index 32fac4a..5a563d6 100755 (executable)
@@ -32,7 +32,7 @@ class TestCred(unittest.TestCase):
       cred.set_gid_object(gidObject)
       self.assertEqual(cred.get_gid_object().get_subject(), gidObject.get_subject())
 
-      cred.set_lifetime(lifeTime)
+      cred.set_expiration(datetime.datetime.utcnow() + datetime.timedelta(seconds=lifeTime))
       
       cred.set_privileges(rights)
       self.assertEqual(cred.get_privileges().save_to_string(), rights)
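Review bot: By switching every test to a `datetime` argument, the suite no longer exercises the integer branch of `set_expiration`, which is the path the registry manager now relies on (`set_expiration(int(record['expires']))`) and the one where the local-time `fromtimestamp` conversion lives. Add one assertion on the epoch path, e.g. `cred.set_expiration(int(time.time()) + lifeTime)` followed by `self.assertTrue(cred.get_expiration() > datetime.datetime.utcnow())`, so a regression in that conversion is caught here rather than in the field. The test module must import `datetime` (and `time`) for these lines; the import block is outside the hunk.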
@@ -81,7 +81,7 @@ class TestCred(unittest.TestCase):
       cred = Credential()
       cred.set_gid_caller(gidCaller)
       cred.set_gid_object(gidObject)
-      cred.set_lifetime(3600)
+      cred.set_expiration(datetime.datetime.utcnow() + datetime.timedelta(seconds=3600))
       cred.set_privileges("embed:1, bind:1")
       cred.encode()
 
@@ -103,7 +103,7 @@ class TestCred(unittest.TestCase):
       delegated.set_gid_caller(gidDelegatee)
       delegated.set_gid_object(gidObject)      
       delegated.set_parent(cred)
-      delegated.set_lifetime(600)
+      delegated.set_expiration(datetime.datetime.utcnow() + datetime.timedelta(seconds=600))
       delegated.set_privileges("embed:1, bind:1")
       gidCaller.save_to_file("/tmp/caller_gid")
       ckeys.save_to_file("/tmp/caller_pkey")      
@@ -120,7 +120,7 @@ class TestCred(unittest.TestCase):
       backup = Credential(string=delegated.get_xml())
 
       # Test that verify catches an incorrect lifetime      
-      delegated.set_lifetime(6000)
+      delegated.set_expiration(datetime.datetime.utcnow() + datetime.timedelta(seconds=6000))
       delegated.encode()
       delegated.sign()
       try: