From: Thierry Parmentelat Date: Tue, 14 Apr 2015 15:02:28 +0000 (+0200) Subject: hopefully nicer and more helpful messages when verify_parent fails X-Git-Tag: sfa-3.1-15~3 X-Git-Url: http://git.onelab.eu/?p=sfa.git;a=commitdiff_plain;h=115294b52c31fd1689d5433f78ac563027640a0e hopefully nicer and more helpful messages when verify_parent fails exception should be shorter and easier to read, while full details still go in the logs
---
diff --git a/sfa/trust/credential.py b/sfa/trust/credential.py
index 1f924e02..66401f89 100644
--- a/sfa/trust/credential.py
+++ b/sfa/trust/credential.py
@@ -972,20 +972,28 @@ class Credential(object):
 # make sure the rights given to the child are a subset of the
 # parents rights (and check delegate bits)
 if not parent_cred.get_privileges().is_superset(self.get_privileges()):
- raise ChildRightsNotSubsetOfParent(
- "Parent cred (ref {}) rights {} "
- .format(parent_cred.get_refid(),
- self.parent.get_privileges().save_to_string())
- + " not superset of delegated cred %s (ref %s) rights {}"
- .format(self.pretty_cred(), self.get_refid(),
- self.get_privileges().save_to_string()))
+ message = (
+ "Parent cred {} (ref {}) rights {} "
+ " not superset of delegated cred {} (ref {}) rights {}"
+ .format(parent_cred.pretty_cred(),parent_cred.get_refid(),
+ parent_cred.get_privileges().pretty_rights(),
+ self.pretty_cred(), self.get_refid(),
+ self.get_privileges().pretty_rights()))
+ logger.error(message)
+ logger.error("parent details {}".format(parent_cred.get_privileges().save_to_string()))
+ logger.error("self details {}".format(self.get_privileges().save_to_string()))
+ raise ChildRightsNotSubsetOfParent(message)
 # make sure my target gid is the same as the parent's
 if not parent_cred.get_gid_object().save_to_string() == \
 self.get_gid_object().save_to_string():
- raise CredentialNotVerifiable(
+ message = (
 "Delegated cred {}: Target gid not equal between parent and child. Parent {}"
 .format(self.pretty_cred(), parent_cred.pretty_cred()))
+ logger.error(message)
+ logger.error("parent details {}".format(parent_cred.save_to_string()))
+ logger.error("self details {}".format(self.save_to_string()))
+ raise CredentialNotVerifiable(message)
 # make sure my expiry time is <= my parent's
 if not parent_cred.get_expiration() >= self.get_expiration():
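Review bot: The new `parent details` / `self details` lines write the `save_to_string()` output of a credential that has just failed verification to the log at error level, in both the rights-subset branch and the target-gid branch. That content is supplied by the caller, so every rejected delegation can add large, multi-line entries, and the full credential text becomes readable by anyone with access to the logs. The short `message` already carries `pretty_cred()` and the ref ids, so consider demoting the dumps, e.g. `logger.debug("parent details {}".format(parent_cred.save_to_string()))`, or bounding their length. The `compare1`/`compare2` hunk further down logs full `save_to_string()` output the same way; the enclosing method starts and ends outside this hunk.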
@@ -999,8 +1007,10 @@ class Credential(object):
 message = "Delegated credential {} not signed by parent {}'s caller"\
 .format(self.pretty_cred(), parent_cred.pretty_cred())
 logger.error(message)
- logger.error("compare1 parent {}".format(parent_cred.get_gid_caller().save_to_string()))
- logger.error("compare2 self {}".format(self.get_signature().get_issuer_gid().save_to_string()))
+ logger.error("compare1 parent {}".format(parent_cred.get_gid_caller().pretty_cred()))
+ logger.error("compare1 parent details {}".format(parent_cred.get_gid_caller().save_to_string()))
+ logger.error("compare2 self {}".format(self.get_signature().get_issuer_gid().pretty_cred()))
+ logger.error("compare2 self details {}".format(self.get_signature().get_issuer_gid().save_to_string()))
 raise CredentialNotVerifiable(message)
 # Recurse
diff --git a/sfa/trust/rights.py b/sfa/trust/rights.py
index d7c768f4..28e11b35 100644
--- a/sfa/trust/rights.py
+++ b/sfa/trust/rights.py
@@ -273,3 +273,5 @@ class Rights:
 return False
 return True
+ def pretty_rights(self):
+ return "".format(";".join(["{}".format(r) for r in self.rights]))
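Review bot: `pretty_cred()` is called here on the results of `get_gid_caller()` and `get_issuer_gid()`, whereas everywhere else in this diff it is called on credential objects (`self`, `parent_cred`). If those getters return GID objects that do not define `pretty_cred()` (their class is not visible in this diff), the failure path would raise `AttributeError` before reaching `raise CredentialNotVerifiable(message)`. Verification would still fail, but callers that catch the verification exception would see the wrong exception type. Please confirm the method exists on the returned class, or build the short summary from a helper that class is known to provide. The enclosing block starts outside this hunk.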
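Review bot: `pretty_rights()` always returns the empty string, because `"".format(...)` has no replacement field and so discards its argument. The `rights {}` slots in the new ChildRightsNotSubsetOfParent message in credential.py therefore print nothing, which removes the information that message is meant to give an operator. Return the joined text directly: `return ";".join("{}".format(r) for r in self.rights)`. A one-line docstring such as `"""Return the rights as a short ';'-separated string for messages."""` would also document the intended format.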