+ miscell reformatting for narrower text
######################################## *_produce methods
### step1
# unconditionnally create a self-signed certificate
######################################## *_produce methods
### step1
# unconditionnally create a self-signed certificate
- def self_signed_cert_produce (self,output):
+ def self_signed_cert_produce (self, output):
self.assert_private_key()
private_key_filename = self.private_key_filename()
keypair=Keypair(filename=private_key_filename)
self.assert_private_key()
private_key_filename = self.private_key_filename()
keypair=Keypair(filename=private_key_filename)
self_signed.sign ()
self_signed.save_to_file (output)
self.logger.debug("SfaClientBootstrap: Created self-signed certificate for %s in %s"%\
self_signed.sign ()
self_signed.save_to_file (output)
self.logger.debug("SfaClientBootstrap: Created self-signed certificate for %s in %s"%\
certificate_filename = self.self_signed_cert_filename()
certificate_string = self.plain_read (certificate_filename)
self.assert_private_key()
certificate_filename = self.self_signed_cert_filename()
certificate_string = self.plain_read (certificate_filename)
self.assert_private_key()
- registry_proxy = SfaServerProxy (self.registry_url, self.private_key_filename(),
+ registry_proxy = SfaServerProxy (self.registry_url,
+ self.private_key_filename(),
certificate_filename)
try:
credential_string=registry_proxy.GetSelfCredential (certificate_string, self.hrn, "user")
certificate_filename)
try:
credential_string=registry_proxy.GetSelfCredential (certificate_string, self.hrn, "user")
raise IOError,"Missing %s file %s"%(kind,filename)
return True
raise IOError,"Missing %s file %s"%(kind,filename)
return True
- def assert_private_key (self): return self.assert_filename (self.private_key_filename(),"private key")
- def assert_self_signed_cert (self): return self.assert_filename (self.self_signed_cert_filename(),"self-signed certificate")
- def assert_my_credential (self): return self.assert_filename (self.my_credential_filename(),"user's credential")
- def assert_my_gid (self): return self.assert_filename (self.my_gid_filename(),"user's GID")
+ def assert_private_key (self):
+ return self.assert_filename (self.private_key_filename(),"private key")
+ def assert_self_signed_cert (self):
+ return self.assert_filename (self.self_signed_cert_filename(),"self-signed certificate")
+ def assert_my_credential (self):
+ return self.assert_filename (self.my_credential_filename(),"user's credential")
+ def assert_my_gid (self):
+ return self.assert_filename (self.my_gid_filename(),"user's GID")
# decorator to make up the other methods
# decorator to make up the other methods
import sys
from types import StringTypes
import sys
from types import StringTypes
-from sfa.util.faults import InsufficientRights, MissingCallerGID, MissingTrustedRoots, PermissionError, \
- BadRequestHash, ConnectionKeyGIDMismatch, SfaPermissionDenied, CredentialNotVerifiable, Forbidden, \
- BadArgs
+from sfa.util.faults import InsufficientRights, MissingCallerGID, \
+ MissingTrustedRoots, PermissionError, BadRequestHash, \
+ ConnectionKeyGIDMismatch, SfaPermissionDenied, CredentialNotVerifiable, \
+ Forbidden, BadArgs
from sfa.util.sfalogging import logger
from sfa.util.config import Config
from sfa.util.xrn import Xrn, get_authority
from sfa.util.sfalogging import logger
from sfa.util.config import Config
from sfa.util.xrn import Xrn, get_authority
self.load_trusted_certs()
def load_trusted_certs(self):
self.load_trusted_certs()
def load_trusted_certs(self):
- self.trusted_cert_list = TrustedRoots(self.config.get_trustedroots_dir()).get_list()
- self.trusted_cert_file_list = TrustedRoots(self.config.get_trustedroots_dir()).get_file_list()
+ self.trusted_cert_list = \
+ TrustedRoots(self.config.get_trustedroots_dir()).get_list()
+ self.trusted_cert_file_list = \
+ TrustedRoots(self.config.get_trustedroots_dir()).get_file_list()
- # this convenience methods extracts speaking_for_xrn from the passed options using 'geni_speaking_for'
+ # this convenience methods extracts speaking_for_xrn
+ # from the passed options using 'geni_speaking_for'
def checkCredentialsSpeaksFor (self, *args, **kwds):
if 'options' not in kwds:
logger.error ("checkCredentialsSpeaksFor was not passed options=options")
def checkCredentialsSpeaksFor (self, *args, **kwds):
if 'options' not in kwds:
logger.error ("checkCredentialsSpeaksFor was not passed options=options")
error="checkCredentials: expected a string, received %s"%(type(cred))
else:
cred_obj=Credential(string=cred)
error="checkCredentials: expected a string, received %s"%(type(cred))
else:
cred_obj=Credential(string=cred)
- logger.info("failed to validate credential - dump=%s"%cred_obj.dump_string(dump_parents=True))
+ logger.info("failed to validate credential - dump=%s"%\
+ cred_obj.dump_string(dump_parents=True))
error = sys.exc_info()[:2]
return error
error = sys.exc_info()[:2]
return error
if not isinstance(xrns, list):
xrns = [xrns]
if not isinstance(xrns, list):
xrns = [xrns]
- slice_xrns = Xrn.filter_type(xrns, 'slice')
+ slice_xrns = Xrn.filter_type(xrns, 'slice')
sliver_xrns = Xrn.filter_type(xrns, 'sliver')
# we are not able to validate slivers in the traditional way so
sliver_xrns = Xrn.filter_type(xrns, 'sliver')
# we are not able to validate slivers in the traditional way so
def check(self, credential, operation, hrn = None):
"""
def check(self, credential, operation, hrn = None):
"""
- Check the credential against the peer cert (callerGID included
+ Check the credential against the peer cert (callerGID) included
in the credential matches the caller that is connected to the
HTTPS connection, check if the credential was signed by a
trusted cert and check if the credential is allowed to perform
in the credential matches the caller that is connected to the
HTTPS connection, check if the credential was signed by a
trusted cert and check if the credential is allowed to perform
raise InsufficientRights(operation)
if self.trusted_cert_list:
raise InsufficientRights(operation)
if self.trusted_cert_list:
- self.client_cred.verify(self.trusted_cert_file_list, self.config.SFA_CREDENTIAL_SCHEMA)
+ self.client_cred.verify(self.trusted_cert_file_list,
+ self.config.SFA_CREDENTIAL_SCHEMA)
else:
raise MissingTrustedRoots(self.config.get_trustedroots_dir())
else:
raise MissingTrustedRoots(self.config.get_trustedroots_dir())
def check_ticket(self, ticket):
"""
def check_ticket(self, ticket):
"""
- Check if the tickt was signed by a trusted cert
+ Check if the ticket was signed by a trusted cert
"""
if self.trusted_cert_list:
client_ticket = SfaTicket(string=ticket)
"""
if self.trusted_cert_list:
client_ticket = SfaTicket(string=ticket)
rl = Rights()
type = reg_record.type
rl = Rights()
type = reg_record.type
- logger.debug("entering determine_user_rights with record %s and caller_hrn %s"%(reg_record, caller_hrn))
+ logger.debug("entering determine_user_rights with record %s and caller_hrn %s"%\
+ (reg_record, caller_hrn))
if type == 'slice':
# researchers in the slice are in the DB as-is
if type == 'slice':
# researchers in the slice are in the DB as-is
# make sure it is not expired
if self.get_expiration() < datetime.datetime.utcnow():
# make sure it is not expired
if self.get_expiration() < datetime.datetime.utcnow():
- raise CredentialNotVerifiable("Credential %s expired at %s" % (self.get_summary_tostring(), self.expiration.strftime(SFATIME_FORMAT)))
+ raise CredentialNotVerifiable("Credential %s expired at %s" % \
+ (self.get_summary_tostring(),
+ self.expiration.strftime(SFATIME_FORMAT)))
# Verify the signatures
filename = self.save_to_random_tmp_file()
# Verify the signatures
filename = self.save_to_random_tmp_file()
if trusted_certs is None:
break
if trusted_certs is None:
break
-# print "Doing %s --verify --node-id '%s' %s %s 2>&1" % \
-# (self.xmlsec_path, ref, cert_args, filename)
- verified = os.popen('%s --verify --node-id "%s" %s %s 2>&1' \
- % (self.xmlsec_path, ref, cert_args, filename)).read()
+ command = '{} --verify --node-id "{}" {} {} 2>&1'.\
+ format(self.xmlsec_path, ref, cert_args, filename)
+ logger.debug("Running '{}'".format(command))
+ verified = os.popen(command).read()
+ logger.debug("xmlsec command returned {}".format(verified))
if not verified.strip().startswith("OK"):
# xmlsec errors have a msg= which is the interesting bit.
mstart = verified.find("msg=")
if not verified.strip().startswith("OK"):
# xmlsec errors have a msg= which is the interesting bit.
mstart = verified.find("msg=")
mstart = mstart + 4
mend = verified.find('\\', mstart)
msg = verified[mstart:mend]
mstart = mstart + 4
mend = verified.find('\\', mstart)
msg = verified[mstart:mend]
- raise CredentialNotVerifiable("xmlsec1 error verifying cred %s using Signature ID %s: %s %s" % (self.get_summary_tostring(), ref, msg, verified.strip()))
+ raise CredentialNotVerifiable("xmlsec1 error verifying cred %s"
+ "using Signature ID %s: %s %s" % \
+ (self.get_summary_tostring(),
+ ref, msg, verified.strip()))
os.remove(filename)
# Verify the parents (delegation)
os.remove(filename)
# Verify the parents (delegation)
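Review bot: The rewritten invocation at `command = '{} --verify --node-id "{}" {} {} 2>&1'.format(self.xmlsec_path, ref, cert_args, filename)` / `os.popen(command)` still runs xmlsec1 through a shell with `ref` interpolated into the string; `ref` appears to be the Signature ID read from the credential under verification (its assignment is above the hunk, so confirm), which means a crafted Id containing `"` or `$(…)` would be executed by the verifying process, and the new `logger.debug("Running '{}'…")` line changes nothing about that. Build an argv list and call `subprocess.check_output` without a shell, catching `CalledProcessError` because xmlsec1 exits non-zero on a failed verification and the code below relies on reading its output; this requires `cert_args` (built outside the hunk, presumably as a pre-joined string) to become a list of arguments and an `import subprocess` at the top of the file. Separately, the new message `"xmlsec1 error verifying cred %s" "using Signature ID %s: %s %s"` relies on implicit literal concatenation with no separating space, so it renders as `cred <summary>using Signature ID …`; the first literal should be `"xmlsec1 error verifying cred %s "`. Note too that the `raise` skips the `os.remove(filename)` that follows, leaving the temporary copy of the credential on disk; wrapping the verify-and-parse in `try: … finally: os.remove(filename)` would close that. The enclosing verify method starts and ends outside this hunk.
```python
command = [self.xmlsec_path, '--verify', '--node-id', ref] + cert_args + [filename]
logger.debug("Running %s" % command)
try:
    verified = subprocess.check_output(command, stderr=subprocess.STDOUT)
except subprocess.CalledProcessError as e:
    verified = e.output
logger.debug("xmlsec command returned {}".format(verified))
# … unchanged: "OK" check and msg= extraction …
raise CredentialNotVerifiable("xmlsec1 error verifying cred %s "
                              "using Signature ID %s: %s %s" % \
                              (self.get_summary_tostring(),
                               ref, msg, verified.strip()))
```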