--- /dev/null
+doc:
+ pythondoc.py ../util/cert.py ../util/credential.py ../util/gid.py ../util/rights.py
+
\ No newline at end of file
--- /dev/null
+This directory contains API documentation. See the developer's wiki for a
+general design overview.
+
+API documentation is generated by using the pytondoc tool.
+See http://effbot.org/zone/pythondoc.htm to obtain the tool.
--- /dev/null
+<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'>
+<html>
+<head>
+<meta http-equiv='Content-Type' content='text/html; charset=us-ascii' />
+<title>The cert Module</title>
+</head>
+<body>
+<h1>The cert Module</h1>
+<p>Geniwrapper uses two crypto libraries: pyOpenSSL and M2Crypto to implement
+the necessary crypto functionality. Ideally just one of these libraries
+would be used, but unfortunately each of these libraries is independently
+lacking. The pyOpenSSL library is missing many necessary functions, and
+the M2Crypto library has crashed inside of some of the functions. The
+design decision is to use pyOpenSSL whenever possible as it seems more
+stable, and only use M2Crypto for those functions that are not possible
+in pyOpenSSL.
+
+This module exports two classes: Keypair and Certificate.</p>
+<dl>
+<dt><b>Certificate(create=False, subject=None, string=None, filename=None)</b> (class) [<a href='#cert.Certificate-class'>#</a>]</dt>
+<dd>
+<p>The certificate class implements a general purpose X509 certificate, making
+use of the appropriate pyOpenSSL or M2Crypto abstractions.</p>
+<p>For more information about this class, see <a href='#cert.Certificate-class'><i>The Certificate Class</i></a>.</p>
+</dd>
+<dt><b>Keypair(create=False, string=None, filename=None)</b> (class) [<a href='#cert.Keypair-class'>#</a>]</dt>
+<dd>
+<p>Public-private key pairs are implemented by the Keypair class.</p>
+<p>For more information about this class, see <a href='#cert.Keypair-class'><i>The Keypair Class</i></a>.</p>
+</dd>
+</dl>
+<h2><a id='cert.Certificate-class' name='cert.Certificate-class'>The Certificate Class</a></h2>
+<dl>
+<dt><b>Certificate(create=False, subject=None, string=None, filename=None)</b> (class) [<a href='#cert.Certificate-class'>#</a>]</dt>
+<dd>
+<p>The certificate class implements a general purpose X509 certificate, making
+use of the appropriate pyOpenSSL or M2Crypto abstractions. It also adds
+several addition features, such as the ability to maintain a chain of
+parent certificates, and storage of application-specific data.
+
+Certificates include the ability to maintain a chain of parents. Each
+certificate includes a pointer to it's parent certificate. When loaded
+from a file or a string, the parent chain will be automatically loaded.
+When saving a certificate to a file or a string, the caller can choose
+whether to save the parent certificates as well.</p>
+</dd>
+<dt><a id='cert.Certificate.__init__-method' name='cert.Certificate.__init__-method'><b>__init__(create=False, subject=None, string=None, filename=None)</b></a> [<a href='#cert.Certificate.__init__-method'>#</a>]</dt>
+<dd>
+<p>Create a certificate object.</p>
+<dl>
+<dt><i>create</i></dt>
+<dd>
+If create==True, then also create a blank X509 certificate.</dd>
+<dt><i>subject</i></dt>
+<dd>
+If subject!=None, then create a blank certificate and set
+ it's subject name.</dd>
+<dt><i>string</i></dt>
+<dd>
+If string!=None, load the certficate from the string.</dd>
+<dt><i>filename</i></dt>
+<dd>
+If filename!=None, load the certficiate from the file.</dd>
+</dl><br />
+</dd>
+<dt><a id='cert.Certificate.add_extension-method' name='cert.Certificate.add_extension-method'><b>add_extension(name, critical, value)</b></a> [<a href='#cert.Certificate.add_extension-method'>#</a>]</dt>
+<dd>
+<p>Add an X509 extension to the certificate. Add_extension can only be called
+once for a particular extension name, due to limitations in the underlying
+library.</p>
+<dl>
+<dt><i>name</i></dt>
+<dd>
+string containing name of extension</dd>
+<dt><i>value</i></dt>
+<dd>
+string containing value of the extension</dd>
+</dl><br />
+</dd>
+<dt><a id='cert.Certificate.create-method' name='cert.Certificate.create-method'><b>create()</b></a> [<a href='#cert.Certificate.create-method'>#</a>]</dt>
+<dd>
+<p>Create a blank X509 certificate and store it in this object.</p>
+</dd>
+<dt><a id='cert.Certificate.get_data-method' name='cert.Certificate.get_data-method'><b>get_data()</b></a> [<a href='#cert.Certificate.get_data-method'>#</a>]</dt>
+<dd>
+<p>Return the data string that was previously set with set_data</p>
+</dd>
+<dt><a id='cert.Certificate.get_extension-method' name='cert.Certificate.get_extension-method'><b>get_extension(name)</b></a> [<a href='#cert.Certificate.get_extension-method'>#</a>]</dt>
+<dd>
+<p>Get an X509 extension from the certificate</p>
+</dd>
+<dt><a id='cert.Certificate.get_issuer-method' name='cert.Certificate.get_issuer-method'><b>get_issuer(which="CN")</b></a> [<a href='#cert.Certificate.get_issuer-method'>#</a>]</dt>
+<dd>
+<p>Get the issuer name</p>
+</dd>
+<dt><a id='cert.Certificate.get_parent-method' name='cert.Certificate.get_parent-method'><b>get_parent()</b></a> [<a href='#cert.Certificate.get_parent-method'>#</a>]</dt>
+<dd>
+<p>Return the certificate object of the parent of this certificate.</p>
+</dd>
+<dt><a id='cert.Certificate.get_pubkey-method' name='cert.Certificate.get_pubkey-method'><b>get_pubkey()</b></a> [<a href='#cert.Certificate.get_pubkey-method'>#</a>]</dt>
+<dd>
+<p>Get the public key of the certificate.
+It is returned in the form of a Keypair object.</p>
+</dd>
+<dt><a id='cert.Certificate.get_subject-method' name='cert.Certificate.get_subject-method'><b>get_subject(which="CN")</b></a> [<a href='#cert.Certificate.get_subject-method'>#</a>]</dt>
+<dd>
+<p>Get the subject name of the certificate</p>
+</dd>
+<dt><a id='cert.Certificate.is_pubkey-method' name='cert.Certificate.is_pubkey-method'><b>is_pubkey(pkey)</b></a> [<a href='#cert.Certificate.is_pubkey-method'>#</a>]</dt>
+<dd>
+<p>Return True if pkey is identical to the public key that is contained in the certificate.</p>
+<dl>
+<dt><i>pkey</i></dt>
+<dd>
+Keypair object</dd>
+</dl><br />
+</dd>
+<dt><a id='cert.Certificate.is_signed_by_cert-method' name='cert.Certificate.is_signed_by_cert-method'><b>is_signed_by_cert(cert)</b></a> [<a href='#cert.Certificate.is_signed_by_cert-method'>#</a>]</dt>
+<dd>
+<p>Given a certificate cert, verify that this certificate was signed by the
+public key contained in cert. Throw an exception otherwise.</p>
+<dl>
+<dt><i>cert</i></dt>
+<dd>
+certificate object</dd>
+</dl><br />
+</dd>
+<dt><a id='cert.Certificate.load_from_file-method' name='cert.Certificate.load_from_file-method'><b>load_from_file(filename)</b></a> [<a href='#cert.Certificate.load_from_file-method'>#</a>]</dt>
+<dd>
+<p>Load the certificate from a file</p>
+</dd>
+<dt><a id='cert.Certificate.load_from_pyopenssl_x509-method' name='cert.Certificate.load_from_pyopenssl_x509-method'><b>load_from_pyopenssl_x509(x509)</b></a> [<a href='#cert.Certificate.load_from_pyopenssl_x509-method'>#</a>]</dt>
+<dd>
+<p>Given a pyOpenSSL X509 object, store that object inside of this
+certificate object.</p>
+</dd>
+<dt><a id='cert.Certificate.load_from_string-method' name='cert.Certificate.load_from_string-method'><b>load_from_string(string)</b></a> [<a href='#cert.Certificate.load_from_string-method'>#</a>]</dt>
+<dd>
+<p>Load the certificate from a string</p>
+</dd>
+<dt><a id='cert.Certificate.save_to_file-method' name='cert.Certificate.save_to_file-method'><b>save_to_file(filename, save_parents=False)</b></a> [<a href='#cert.Certificate.save_to_file-method'>#</a>]</dt>
+<dd>
+<p>Save the certificate to a file.</p>
+<dl>
+<dt><i>save_parents</i></dt>
+<dd>
+If save_parents==True, then also save the parent certificates.</dd>
+</dl><br />
+</dd>
+<dt><a id='cert.Certificate.save_to_string-method' name='cert.Certificate.save_to_string-method'><b>save_to_string(save_parents=False)</b></a> [<a href='#cert.Certificate.save_to_string-method'>#</a>]</dt>
+<dd>
+<p>Save the certificate to a string.</p>
+<dl>
+<dt><i>save_parents</i></dt>
+<dd>
+If save_parents==True, then also save the parent certificates.</dd>
+</dl><br />
+</dd>
+<dt><a id='cert.Certificate.set_data-method' name='cert.Certificate.set_data-method'><b>set_data(str)</b></a> [<a href='#cert.Certificate.set_data-method'>#</a>]</dt>
+<dd>
+<p>Set_data is a wrapper around add_extension. It stores the parameter str in
+the X509 subject_alt_name extension. Set_data can only be called once, due
+to limitations in the underlying library.</p>
+</dd>
+<dt><a id='cert.Certificate.set_issuer-method' name='cert.Certificate.set_issuer-method'><b>set_issuer(key, subject=None, cert=None)</b></a> [<a href='#cert.Certificate.set_issuer-method'>#</a>]</dt>
+<dd>
+<p>Sets the issuer private key and name</p>
+<dl>
+<dt><i>key</i></dt>
+<dd>
+Keypair object containing the private key of the issuer</dd>
+<dt><i>subject</i></dt>
+<dd>
+String containing the name of the issuer</dd>
+<dt><i>cert</i></dt>
+<dd>
+(optional) Certificate object containing the name of the issuer</dd>
+</dl><br />
+</dd>
+<dt><a id='cert.Certificate.set_parent-method' name='cert.Certificate.set_parent-method'><b>set_parent(p)</b></a> [<a href='#cert.Certificate.set_parent-method'>#</a>]</dt>
+<dd>
+<p>Set the parent certficiate.</p>
+<dl>
+<dt><i>p</i></dt>
+<dd>
+certificate object.</dd>
+</dl><br />
+</dd>
+<dt><a id='cert.Certificate.set_pubkey-method' name='cert.Certificate.set_pubkey-method'><b>set_pubkey(key)</b></a> [<a href='#cert.Certificate.set_pubkey-method'>#</a>]</dt>
+<dd>
+<p>Get the public key of the certificate.</p>
+<dl>
+<dt><i>key</i></dt>
+<dd>
+Keypair object containing the public key</dd>
+</dl><br />
+</dd>
+<dt><a id='cert.Certificate.set_subject-method' name='cert.Certificate.set_subject-method'><b>set_subject(name)</b></a> [<a href='#cert.Certificate.set_subject-method'>#</a>]</dt>
+<dd>
+<p>Set the subject name of the certificate</p>
+</dd>
+<dt><a id='cert.Certificate.sign-method' name='cert.Certificate.sign-method'><b>sign()</b></a> [<a href='#cert.Certificate.sign-method'>#</a>]</dt>
+<dd>
+<p>Sign the certificate using the issuer private key and issuer subject previous set with set_issuer().</p>
+</dd>
+<dt><a id='cert.Certificate.verify-method' name='cert.Certificate.verify-method'><b>verify(pkey)</b></a> [<a href='#cert.Certificate.verify-method'>#</a>]</dt>
+<dd>
+<p>Verify the authenticity of a certificate.</p>
+<dl>
+<dt><i>pkey</i></dt>
+<dd>
+is a Keypair object representing a public key. If Pkey
+ did not sign the certificate, then an exception will be thrown.</dd>
+</dl><br />
+</dd>
+<dt><a id='cert.Certificate.verify_chain-method' name='cert.Certificate.verify_chain-method'><b>verify_chain(trusted_certs=None)</b></a> [<a href='#cert.Certificate.verify_chain-method'>#</a>]</dt>
+<dd>
+<p>Verification examines a chain of certificates to ensure that each parent
+signs the child, and that some certificate in the chain is signed by a
+trusted certificate.
+
+Verification is a basic recursion: <pre>
+ if this_certificate was signed by trusted_certs:
+ return
+ else
+ return verify_chain(parent, trusted_certs)
+</pre>
+
+At each recursion, the parent is tested to ensure that it did sign the
+child. If a parent did not sign a child, then an exception is thrown. If
+the bottom of the recursion is reached and the certificate does not match
+a trusted root, then an exception is thrown.
+
+</p><dl>
+<dt><i>Trusted_certs</i></dt>
+<dd>
+is a list of certificates that are trusted.</dd>
+</dl><br />
+</dd>
+</dl>
+<h2><a id='cert.Keypair-class' name='cert.Keypair-class'>The Keypair Class</a></h2>
+<dl>
+<dt><b>Keypair(create=False, string=None, filename=None)</b> (class) [<a href='#cert.Keypair-class'>#</a>]</dt>
+<dd>
+<p>Public-private key pairs are implemented by the Keypair class.
+A Keypair object may represent both a public and private key pair, or it
+may represent only a public key (this usage is consistent with OpenSSL).</p>
+</dd>
+<dt><a id='cert.Keypair.__init__-method' name='cert.Keypair.__init__-method'><b>__init__(create=False, string=None, filename=None)</b></a> [<a href='#cert.Keypair.__init__-method'>#</a>]</dt>
+<dd>
+<p>Creates a Keypair object</p>
+<dl>
+<dt><i>create</i></dt>
+<dd>
+If create==True, creates a new public/private key and
+ stores it in the object</dd>
+<dt><i>string</i></dt>
+<dd>
+If string!=None, load the keypair from the string (PEM)</dd>
+<dt><i>filename</i></dt>
+<dd>
+If filename!=None, load the keypair from the file</dd>
+</dl><br />
+</dd>
+<dt><a id='cert.Keypair.as_pem-method' name='cert.Keypair.as_pem-method'><b>as_pem()</b></a> [<a href='#cert.Keypair.as_pem-method'>#</a>]</dt>
+<dd>
+<p>Return the private key in PEM format.</p>
+</dd>
+<dt><a id='cert.Keypair.create-method' name='cert.Keypair.create-method'><b>create()</b></a> [<a href='#cert.Keypair.create-method'>#</a>]</dt>
+<dd>
+<p>Create a RSA public/private key pair and store it inside the keypair object</p>
+</dd>
+<dt><a id='cert.Keypair.get_m2_pkey-method' name='cert.Keypair.get_m2_pkey-method'><b>get_m2_pkey()</b></a> [<a href='#cert.Keypair.get_m2_pkey-method'>#</a>]</dt>
+<dd>
+<p>Return an OpenSSL pkey object</p>
+</dd>
+<dt><a id='cert.Keypair.get_openssl_pkey-method' name='cert.Keypair.get_openssl_pkey-method'><b>get_openssl_pkey()</b></a> [<a href='#cert.Keypair.get_openssl_pkey-method'>#</a>]</dt>
+<dd>
+<p>Given another Keypair object, return TRUE if the two keys are the same.</p>
+</dd>
+<dt><a id='cert.Keypair.load_from_file-method' name='cert.Keypair.load_from_file-method'><b>load_from_file(filename)</b></a> [<a href='#cert.Keypair.load_from_file-method'>#</a>]</dt>
+<dd>
+<p>Load the private key from a file. Implicity the private key includes the public key.</p>
+</dd>
+<dt><a id='cert.Keypair.load_from_string-method' name='cert.Keypair.load_from_string-method'><b>load_from_string(string)</b></a> [<a href='#cert.Keypair.load_from_string-method'>#</a>]</dt>
+<dd>
+<p>Load the private key from a string. Implicitly the private key includes the public key.</p>
+</dd>
+<dt><a id='cert.Keypair.load_pubkey_from_file-method' name='cert.Keypair.load_pubkey_from_file-method'><b>load_pubkey_from_file(filename)</b></a> [<a href='#cert.Keypair.load_pubkey_from_file-method'>#</a>]</dt>
+<dd>
+<p>Load the public key from a string. No private key is loaded.</p>
+</dd>
+<dt><a id='cert.Keypair.load_pubkey_from_string-method' name='cert.Keypair.load_pubkey_from_string-method'><b>load_pubkey_from_string(string)</b></a> [<a href='#cert.Keypair.load_pubkey_from_string-method'>#</a>]</dt>
+<dd>
+<p>Load the public key from a string. No private key is loaded.</p>
+</dd>
+<dt><a id='cert.Keypair.save_to_file-method' name='cert.Keypair.save_to_file-method'><b>save_to_file(filename)</b></a> [<a href='#cert.Keypair.save_to_file-method'>#</a>]</dt>
+<dd>
+<p>Save the private key to a file</p>
+<dl>
+<dt><i>filename</i></dt>
+<dd>
+name of file to store the keypair in</dd>
+</dl><br />
+</dd>
+</dl>
+</body></html>
--- /dev/null
+<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'>
+<html>
+<head>
+<meta http-equiv='Content-Type' content='text/html; charset=us-ascii' />
+<title>The credential Module</title>
+</head>
+<body>
+<h1>The credential Module</h1>
+<p>Implements Geni Credentials
+
+Credentials are layered on top of certificates, and are essentially a
+certificate that stores a tuple of parameters.</p>
+<dl>
+<dt><b>Credential(create=False, subject=None, string=None, filename=None)</b> (class) [<a href='#credential.Credential-class'>#</a>]</dt>
+<dd>
+<p>Credential is a tuple:
+ (GIDCaller, GIDObject, LifeTime, Privileges, Delegate)
+
+These fields are encoded using xmlrpc into the subjectAltName field of the
+x509 certificate.</p>
+<p>For more information about this class, see <a href='#credential.Credential-class'><i>The Credential Class</i></a>.</p>
+</dd>
+</dl>
+<h2><a id='credential.Credential-class' name='credential.Credential-class'>The Credential Class</a></h2>
+<dl>
+<dt><b>Credential(create=False, subject=None, string=None, filename=None)</b> (class) [<a href='#credential.Credential-class'>#</a>]</dt>
+<dd>
+<p>Credential is a tuple:
+ (GIDCaller, GIDObject, LifeTime, Privileges, Delegate)
+
+These fields are encoded using xmlrpc into the subjectAltName field of the
+x509 certificate. Note: Call encode() once the fields have been filled in
+to perform this encoding.</p>
+</dd>
+<dt><a id='credential.Credential.__init__-method' name='credential.Credential.__init__-method'><b>__init__(create=False, subject=None, string=None, filename=None)</b></a> [<a href='#credential.Credential.__init__-method'>#</a>]</dt>
+<dd>
+<p>Create a Credential object</p>
+<dl>
+<dt><i>create</i></dt>
+<dd>
+If true, create a blank x509 certificate</dd>
+<dt><i>subject</i></dt>
+<dd>
+If subject!=None, create an x509 cert with the subject name</dd>
+<dt><i>string</i></dt>
+<dd>
+If string!=None, load the credential from the string</dd>
+<dt><i>filename</i></dt>
+<dd>
+If filename!=None, load the credential from the file</dd>
+</dl><br />
+</dd>
+<dt><a id='credential.Credential.can_perform-method' name='credential.Credential.can_perform-method'><b>can_perform(op_name)</b></a> [<a href='#credential.Credential.can_perform-method'>#</a>]</dt>
+<dd>
+<p>determine whether the credential allows a particular operation to be
+performed</p>
+<dl>
+<dt><i>op_name</i></dt>
+<dd>
+string specifying name of operation ("lookup", "update", etc)</dd>
+</dl><br />
+</dd>
+<dt><a id='credential.Credential.decode-method' name='credential.Credential.decode-method'><b>decode()</b></a> [<a href='#credential.Credential.decode-method'>#</a>]</dt>
+<dd>
+<p>Retrieve the attributes of the credential from the alt-subject-name field
+of the X509 certificate. This is automatically done by the various
+get_* methods of this class and should not need to be called explicitly.</p>
+</dd>
+<dt><a id='credential.Credential.dump-method' name='credential.Credential.dump-method'><b>dump(dump_parents=False)</b></a> [<a href='#credential.Credential.dump-method'>#</a>]</dt>
+<dd>
+<p>Dump the contents of a credential to stdout in human-readable format</p>
+<dl>
+<dt><i>dump_parents</i></dt>
+<dd>
+If true, also dump the parent certificates</dd>
+</dl><br />
+</dd>
+<dt><a id='credential.Credential.encode-method' name='credential.Credential.encode-method'><b>encode()</b></a> [<a href='#credential.Credential.encode-method'>#</a>]</dt>
+<dd>
+<p>Encode the attributes of the credential into a string and store that
+string in the alt-subject-name field of the X509 object. This should be
+done immediately before signing the credential.</p>
+</dd>
+<dt><a id='credential.Credential.get_delegate-method' name='credential.Credential.get_delegate-method'><b>get_delegate()</b></a> [<a href='#credential.Credential.get_delegate-method'>#</a>]</dt>
+<dd>
+<p>get the delegate bit</p>
+</dd>
+<dt><a id='credential.Credential.get_gid_caller-method' name='credential.Credential.get_gid_caller-method'><b>get_gid_caller()</b></a> [<a href='#credential.Credential.get_gid_caller-method'>#</a>]</dt>
+<dd>
+<p>get the GID of the object</p>
+</dd>
+<dt><a id='credential.Credential.get_gid_object-method' name='credential.Credential.get_gid_object-method'><b>get_gid_object()</b></a> [<a href='#credential.Credential.get_gid_object-method'>#</a>]</dt>
+<dd>
+<p>get the GID of the object</p>
+</dd>
+<dt><a id='credential.Credential.get_lifetime-method' name='credential.Credential.get_lifetime-method'><b>get_lifetime()</b></a> [<a href='#credential.Credential.get_lifetime-method'>#</a>]</dt>
+<dd>
+<p>get the lifetime of the credential</p>
+</dd>
+<dt><a id='credential.Credential.get_privileges-method' name='credential.Credential.get_privileges-method'><b>get_privileges()</b></a> [<a href='#credential.Credential.get_privileges-method'>#</a>]</dt>
+<dd>
+<p>return the privileges as a RightList object</p>
+</dd>
+<dt><a id='credential.Credential.set_delegate-method' name='credential.Credential.set_delegate-method'><b>set_delegate(delegate)</b></a> [<a href='#credential.Credential.set_delegate-method'>#</a>]</dt>
+<dd>
+<p>set the delegate bit</p>
+<dl>
+<dt><i>delegate</i></dt>
+<dd>
+boolean (True or False)</dd>
+</dl><br />
+</dd>
+<dt><a id='credential.Credential.set_gid_caller-method' name='credential.Credential.set_gid_caller-method'><b>set_gid_caller(gid)</b></a> [<a href='#credential.Credential.set_gid_caller-method'>#</a>]</dt>
+<dd>
+<p>set the GID of the caller</p>
+<dl>
+<dt><i>gid</i></dt>
+<dd>
+GID object of the caller</dd>
+</dl><br />
+</dd>
+<dt><a id='credential.Credential.set_gid_object-method' name='credential.Credential.set_gid_object-method'><b>set_gid_object(gid)</b></a> [<a href='#credential.Credential.set_gid_object-method'>#</a>]</dt>
+<dd>
+<p>set the GID of the object</p>
+<dl>
+<dt><i>gid</i></dt>
+<dd>
+GID object of the object</dd>
+</dl><br />
+</dd>
+<dt><a id='credential.Credential.set_lifetime-method' name='credential.Credential.set_lifetime-method'><b>set_lifetime(lifeTime)</b></a> [<a href='#credential.Credential.set_lifetime-method'>#</a>]</dt>
+<dd>
+<p>set the lifetime of this credential</p>
+<dl>
+<dt><i>lifetime</i></dt>
+<dd>
+lifetime of credential</dd>
+</dl><br />
+</dd>
+<dt><a id='credential.Credential.set_privileges-method' name='credential.Credential.set_privileges-method'><b>set_privileges(privs)</b></a> [<a href='#credential.Credential.set_privileges-method'>#</a>]</dt>
+<dd>
+<p>set the privileges</p>
+<dl>
+<dt><i>privs</i></dt>
+<dd>
+either a comma-separated list of privileges of a RightList object</dd>
+</dl><br />
+</dd>
+<dt><a id='credential.Credential.verify_chain-method' name='credential.Credential.verify_chain-method'><b>verify_chain(trusted_certs=None)</b></a> [<a href='#credential.Credential.verify_chain-method'>#</a>]</dt>
+<dd>
+<p>Verify that a chain of credentials is valid (see cert.py:verify). In
+addition to the checks for ordinary certificates, verification also
+ensures that the delegate bit was set by each parent in the chain. If
+a delegate bit was not set, then an exception is thrown.</p>
+</dd>
+</dl>
+</body></html>
--- /dev/null
+<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'>
+<html>
+<head>
+<meta http-equiv='Content-Type' content='text/html; charset=us-ascii' />
+<title>The gid Module</title>
+</head>
+<body>
+<h1>The gid Module</h1>
+<p>Implements GENI GID. GIDs are based on certificates, and the GID class is a
+descendant of the certificate class.</p>
+<dl>
+<dt><a id='gid.create_uuid-function' name='gid.create_uuid-function'><b>create_uuid()</b></a> [<a href='#gid.create_uuid-function'>#</a>]</dt>
+<dd>
+<p>Create a new uuid. Returns the UUID as a string.</p>
+</dd>
+<dt><b>GID(create=False, subject=None, string=None, filename=None, uuid=None, hrn=None)</b> (class) [<a href='#gid.GID-class'>#</a>]</dt>
+<dd>
+<p>GID is a tuplie:
+ (uuid, hrn, public_key)
+
+UUID is a unique identifier and is created by the python uuid module
+ (or the utility function create_uuid() in gid.py).</p>
+<p>For more information about this class, see <a href='#gid.GID-class'><i>The GID Class</i></a>.</p>
+</dd>
+</dl>
+<h2><a id='gid.GID-class' name='gid.GID-class'>The GID Class</a></h2>
+<dl>
+<dt><b>GID(create=False, subject=None, string=None, filename=None, uuid=None, hrn=None)</b> (class) [<a href='#gid.GID-class'>#</a>]</dt>
+<dd>
+<p>GID is a tuplie:
+ (uuid, hrn, public_key)
+
+UUID is a unique identifier and is created by the python uuid module
+ (or the utility function create_uuid() in gid.py).
+
+HRN is a human readable name. It is a dotted form similar to a backward domain
+ name. For example, planetlab.us.arizona.bakers.
+
+PUBLIC_KEY is the public key of the principal identified by the UUID/HRN.
+It is a Keypair object as defined in the cert.py module.
+
+It is expected that there is a one-to-one pairing between UUIDs and HRN,
+but it is uncertain how this would be inforced or if it needs to be enforced.
+
+These fields are encoded using xmlrpc into the subjectAltName field of the
+x509 certificate. Note: Call encode() once the fields have been filled in
+to perform this encoding.</p>
+</dd>
+<dt><a id='gid.GID.__init__-method' name='gid.GID.__init__-method'><b>__init__(create=False, subject=None, string=None, filename=None, uuid=None, hrn=None)</b></a> [<a href='#gid.GID.__init__-method'>#</a>]</dt>
+<dd>
+<p>Create a new GID object</p>
+<dl>
+<dt><i>create</i></dt>
+<dd>
+If true, create the X509 certificate</dd>
+<dt><i>subject</i></dt>
+<dd>
+If subject!=None, create the X509 cert and set the subject name</dd>
+<dt><i>string</i></dt>
+<dd>
+If string!=None, load the GID from a string</dd>
+<dt><i>filename</i></dt>
+<dd>
+If filename!=None, load the GID from a file</dd>
+</dl><br />
+</dd>
+<dt><a id='gid.GID.decode-method' name='gid.GID.decode-method'><b>decode()</b></a> [<a href='#gid.GID.decode-method'>#</a>]</dt>
+<dd>
+<p>Decode the subject-alt-name field of the X509 certificate into the
+fields of the GID. This is automatically called by the various get_*()
+functions in this class.</p>
+</dd>
+<dt><a id='gid.GID.dump-method' name='gid.GID.dump-method'><b>dump(indent=0, dump_parents=False)</b></a> [<a href='#gid.GID.dump-method'>#</a>]</dt>
+<dd>
+<p>Dump the credential to stdout.</p>
+<dl>
+<dt><i>indent</i></dt>
+<dd>
+specifies a number of spaces to indent the output</dd>
+<dt><i>dump_parents</i></dt>
+<dd>
+If true, also dump the parents of the GID</dd>
+</dl><br />
+</dd>
+<dt><a id='gid.GID.encode-method' name='gid.GID.encode-method'><b>encode()</b></a> [<a href='#gid.GID.encode-method'>#</a>]</dt>
+<dd>
+<p>Encode the GID fields and package them into the subject-alt-name field
+of the X509 certificate. This must be called prior to signing the
+certificate. It may only be called once per certificate.</p>
+</dd>
+<dt><a id='gid.GID.verify_chain-method' name='gid.GID.verify_chain-method'><b>verify_chain(trusted_certs=None)</b></a> [<a href='#gid.GID.verify_chain-method'>#</a>]</dt>
+<dd>
+<p>Verify the chain of authenticity of the GID. First perform the checks
+of the certificate class (verifying that each parent signs the child,
+etc). In addition, GIDs also confirm that the parent's HRN is a prefix
+of the child's HRN.
+
+Verifying these prefixes prevents a rogue authority from signing a GID
+for a principal that is not a member of that authority. For example,
+planetlab.us.arizona cannot sign a GID for planetlab.us.princeton.foo.</p>
+</dd>
+</dl>
+</body></html>
--- /dev/null
+<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'>
+<html>
+<head>
+<meta http-equiv='Content-Type' content='text/html; charset=us-ascii' />
+<title>The rights Module</title>
+</head>
+<body>
+<h1>The rights Module</h1>
+<p>This Module implements rights and lists of rights for the Geni wrapper. Rights
+are implemented by two classes:
+
+Right - represents a single right
+
+RightList - represents a list of rights
+
+A right may allow several different operations. For example, the "info" right
+allows "listslices", "listcomponentresources", etc.</p>
+<dl>
+<dt><a id='rights.privilege_table-variable' name='rights.privilege_table-variable'><b>privilege_table</b></a> (variable) [<a href='#rights.privilege_table-variable'>#</a>]</dt>
+<dd>
+<p>privilege_table is a list of priviliges and what operations are allowed
+per privilege.</p>
+</dd>
+<dt><b>Right(kind)</b> (class) [<a href='#rights.Right-class'>#</a>]</dt>
+<dd>
+<p>The Right class represents a single privilege.</p>
+<p>For more information about this class, see <a href='#rights.Right-class'><i>The Right Class</i></a>.</p>
+</dd>
+<dt><b>RightList(string=None)</b> (class) [<a href='#rights.RightList-class'>#</a>]</dt>
+<dd>
+<p>A RightList object represents a list of privileges.</p>
+<p>For more information about this class, see <a href='#rights.RightList-class'><i>The RightList Class</i></a>.</p>
+</dd>
+</dl>
+<h2><a id='rights.Right-class' name='rights.Right-class'>The Right Class</a></h2>
+<dl>
+<dt><b>Right(kind)</b> (class) [<a href='#rights.Right-class'>#</a>]</dt>
+<dd>
+<p>The Right class represents a single privilege.</p>
+</dd>
+<dt><a id='rights.Right.can_perform-method' name='rights.Right.can_perform-method'><b>can_perform(op_name)</b></a> [<a href='#rights.Right.can_perform-method'>#</a>]</dt>
+<dd>
+<p>Test to see if this right object is allowed to perform an operation.
+Returns True if the operation is allowed, False otherwise.</p>
+<dl>
+<dt><i>op_name</i></dt>
+<dd>
+is a string naming the operation. For example "listslices".</dd>
+</dl><br />
+</dd>
+<dt><a id='rights.Right.is_superset-method' name='rights.Right.is_superset-method'><b>is_superset(child)</b></a> [<a href='#rights.Right.is_superset-method'>#</a>]</dt>
+<dd>
+<p>Test to see if this right is a superset of a child right. A right is a
+superset if every operating that is allowed by the child is also allowed
+by this object.</p>
+<dl>
+<dt><i>child</i></dt>
+<dd>
+is a Right object describing the child right</dd>
+</dl><br />
+</dd>
+</dl>
+<h2><a id='rights.RightList-class' name='rights.RightList-class'>The RightList Class</a></h2>
+<dl>
+<dt><b>RightList(string=None)</b> (class) [<a href='#rights.RightList-class'>#</a>]</dt>
+<dd>
+<p>A RightList object represents a list of privileges.</p>
+</dd>
+<dt><a id='rights.RightList.add-method' name='rights.RightList.add-method'><b>add(right)</b></a> [<a href='#rights.RightList.add-method'>#</a>]</dt>
+<dd>
+<p>Add a right to this list</p>
+<dl>
+<dt><i>right</i></dt>
+<dd>
+is either a Right object or a string describing the right</dd>
+</dl><br />
+</dd>
+<dt><a id='rights.RightList.can_perform-method' name='rights.RightList.can_perform-method'><b>can_perform(op_name)</b></a> [<a href='#rights.RightList.can_perform-method'>#</a>]</dt>
+<dd>
+<p>Check to see if some right in this list allows an operation. This is
+done by evaluating the can_perform function of each operation in the
+list.</p>
+<dl>
+<dt><i>op_name</i></dt>
+<dd>
+is an operation to check, for example "listslices"</dd>
+</dl><br />
+</dd>
+<dt><a id='rights.RightList.is_superset-method' name='rights.RightList.is_superset-method'><b>is_superset(child)</b></a> [<a href='#rights.RightList.is_superset-method'>#</a>]</dt>
+<dd>
+<p>Check to see if all of the rights in this rightlist are a superset
+of all the rights in a child rightlist. A rightlist is a superset
+if there is no operation in the child rightlist that cannot be
+performed in the parent rightlist.</p>
+<dl>
+<dt><i>child</i></dt>
+<dd>
+is a rightlist object describing the child</dd>
+</dl><br />
+</dd>
+<dt><a id='rights.RightList.load_from_string-method' name='rights.RightList.load_from_string-method'><b>load_from_string(string)</b></a> [<a href='#rights.RightList.load_from_string-method'>#</a>]</dt>
+<dd>
+<p>Load the rightlist object from a string</p>
+</dd>
+<dt><a id='rights.RightList.save_to_string-method' name='rights.RightList.save_to_string-method'><b>save_to_string()</b></a> [<a href='#rights.RightList.save_to_string-method'>#</a>]</dt>
+<dd>
+<p>Save the rightlist object to a string. It is saved in the format of a
+comma-separated list.</p>
+</dd>
+</dl>
+</body></html>
git://git.onelab.eu / sfa.git / commitdiff