From: Sandrine Avakian Date: Tue, 4 Sep 2012 10:25:55 +0000 (+0200) Subject: Merge branch 'master' into senslab2 X-Git-Tag: sfa-2.1-24~3^2~91 X-Git-Url: http://git.onelab.eu/?p=sfa.git;a=commitdiff_plain;h=7c6754da189699add4e360c5f590e2e64fd181c5;hp=97d09a321eff49c73c09f44a10d1ae0d7767d250 Merge branch 'master' into senslab2 Conflicts: sfa/util/xrn.py --- diff --git a/init.d/sfa b/init.d/sfa index 6a3ed370..69cf6f6f 100755 --- a/init.d/sfa +++ b/init.d/sfa @@ -233,7 +233,8 @@ function db_start () { check fi check - sfaadmin reg sync_db + # mention sfaadmin.py instead of just sfaadmin for people who do not install through rpm + sfaadmin.py reg sync_db MESSAGE=$"SFA: Checking for PostgreSQL server" echo -n "$MESSAGE" diff --git a/sfa/methods/DeleteSliver.py b/sfa/methods/DeleteSliver.py index 697b6d3e..c9e40a4a 100644 --- a/sfa/methods/DeleteSliver.py +++ b/sfa/methods/DeleteSliver.py @@ -22,7 +22,7 @@ class DeleteSliver(Method): Parameter(dict, "options"), ] - returns = Parameter(int, "1 if successful") + returns = Parameter(bool, "True if successful") def call(self, xrn, creds, options): (hrn, type) = urn_to_hrn(xrn) @@ -32,6 +32,5 @@ class DeleteSliver(Method): origin_hrn = Credential(string=valid_creds[0]).get_gid_caller().get_hrn() self.api.logger.info("interface: %s\tcaller-hrn: %s\ttarget-hrn: %s\tmethod-name: %s"%(self.api.interface, origin_hrn, hrn, self.name)) - self.api.manager.DeleteSliver(self.api, xrn, creds, options) + return self.api.manager.DeleteSliver(self.api, xrn, creds, options) - return 1 diff --git a/sfa/openstack/nova_driver.py b/sfa/openstack/nova_driver.py index d1d2c1a4..50112cd9 100644 --- a/sfa/openstack/nova_driver.py +++ b/sfa/openstack/nova_driver.py @@ -8,7 +8,7 @@ from sfa.util.faults import MissingSfaInfo, UnknownSfaType, \ from sfa.util.sfalogging import logger from sfa.util.defaultdict import defaultdict from sfa.util.sfatime import utcparse, datetime_to_string, datetime_to_epoch -from sfa.util.xrn import Xrn, hrn_to_urn, get_leaf, urn_to_sliver_id +from sfa.util.xrn import Xrn, hrn_to_urn, get_leaf from sfa.openstack.osxrn import OSXrn, hrn_to_os_slicename, hrn_to_os_tenant_name from sfa.util.cache import Cache from sfa.trust.credential import Credential @@ -399,9 +399,7 @@ class NovaDriver(Driver): raise SliverDoesNotExist("You have not allocated any slivers here") result = {} - top_level_status = 'unknown' - if instances: - top_level_status = 'ready' + top_level_status = 'ready' result['geni_urn'] = slice_urn result['plos_login'] = 'root' # do we need real dates here? @@ -418,15 +416,19 @@ class NovaDriver(Driver): res['plos_created_at'] = datetime_to_string(utcparse(instance.created)) res['plos_boot_state'] = instance.status res['plos_sliver_type'] = self.shell.nova_manager.flavors.find(id=instance.flavor['id']).name - sliver_id = Xrn(slice_urn).get_sliver_id(instance.id) - res['geni_urn'] = sliver_id + res['geni_urn'] = Xrn(slice_urn, type='slice', id=instance.id).get_urn() if instance.status.lower() == 'active': res['boot_state'] = 'ready' res['geni_status'] = 'ready' + elif instance.status.lower() == 'error': + res['boot_state'] = 'failed' + res['geni_status'] = 'failed' + top_level_status = 'failed' else: - res['boot_state'] = 'unknown' - res['geni_status'] = 'unknown' + res['boot_state'] = 'notready' + res['geni_status'] = 'notready' + top_level_status = 'notready' resources.append(res) result['geni_status'] = top_level_status diff --git a/sfa/openstack/osaggregate.py b/sfa/openstack/osaggregate.py index d5d0bfa5..8d4b8360 100644 --- a/sfa/openstack/osaggregate.py +++ b/sfa/openstack/osaggregate.py @@ -3,11 +3,12 @@ import os import socket import base64 import string -import random +import random +import time from collections import defaultdict from nova.exception import ImageNotFound from nova.api.ec2.cloud import CloudController -from sfa.util.faults import SfaAPIError +from sfa.util.faults import SfaAPIError, InvalidRSpec from sfa.rspecs.rspec import RSpec from sfa.rspecs.elements.hardware_type import HardwareType from sfa.rspecs.elements.node import Node @@ -16,6 +17,7 @@ from sfa.rspecs.elements.login import Login from sfa.rspecs.elements.disk_image import DiskImage from sfa.rspecs.elements.services import Services from sfa.rspecs.elements.interface import Interface +from sfa.rspecs.elements.fw_rule import FWRule from sfa.util.xrn import Xrn from sfa.planetlab.plxrn import PlXrn from sfa.openstack.osxrn import OSXrn, hrn_to_os_slicename @@ -36,12 +38,7 @@ def pubkeys_to_user_data(pubkeys): def instance_to_sliver(instance, slice_xrn=None): sliver_id = None - if slice_xrn: - xrn = Xrn(slice_xrn, 'slice') - sliver_id = xrn.get_sliver_id(instance.project_id, instance.hostname, instance.id) - - sliver = Sliver({'slice_id': sliver_id, - 'name': instance.name, + sliver = Sliver({'name': instance.name, 'type': instance.name, 'cpus': str(instance.vcpus), 'memory': str(instance.ram), @@ -92,7 +89,7 @@ class OSAggregate: zones = self.get_availability_zones() name = hrn_to_os_slicename(slice_xrn) instances = self.driver.shell.nova_manager.servers.findall(name=name) - node_dict = {} + rspec_nodes = [] for instance in instances: # determine node urn node_xrn = instance.metadata.get('component_id') @@ -101,29 +98,39 @@ class OSAggregate: else: node_xrn = OSXrn(xrn=node_xrn, type='node') - if not node_xrn.urn in node_dict: - rspec_node = Node() - rspec_node['component_id'] = node_xrn.urn - rspec_node['component_name'] = node_xrn.name - rspec_node['component_manager_id'] = Xrn(self.driver.hrn, 'authority+cm').get_urn() - rspec_node['slivers'] = [] - node_dict[node_xrn.urn] = rspec_node - else: - rspec_node = node_dict[node_xrn.urn] - + rspec_node = Node() + rspec_node['component_id'] = node_xrn.urn + rspec_node['component_name'] = node_xrn.name + rspec_node['component_manager_id'] = Xrn(self.driver.hrn, 'authority+cm').get_urn() if instance.metadata.get('client_id'): rspec_node['client_id'] = instance.metadata.get('client_id') - + + # get sliver details + sliver_xrn = OSXrn(xrn=slice_xrn, type='slice', id=instance.id) + rspec_node['sliver_id'] = sliver_xrn.get_urn() flavor = self.driver.shell.nova_manager.flavors.find(id=instance.flavor['id']) sliver = instance_to_sliver(flavor) - rspec_node['slivers'].append(sliver) + # get firewall rules + fw_rules = [] + group_name = instance.metadata.get('security_groups') + if group_name: + group = self.driver.shell.nova_manager.security_groups.find(name=group_name) + for rule in group.rules: + port_range ="%s:%s" % (rule['from_port'], rule['to_port']) + fw_rule = FWRule({'protocol': rule['ip_protocol'], + 'port_range': port_range, + 'cidr_ip': rule['ip_range']['cidr']}) + fw_rules.append(fw_rule) + sliver['fw_rules'] = fw_rules + rspec_node['slivers']= [sliver] + # get disk image image = self.driver.shell.image_manager.get_images(id=instance.image['id']) if isinstance(image, list) and len(image) > 0: image = image[0] disk_image = image_to_rspec_disk_image(image) sliver['disk_image'] = [disk_image] - # build interfaces + # get interfaces rspec_node['services'] = [] rspec_node['interfaces'] = [] addresses = instance.addresses @@ -139,11 +146,15 @@ class OSAggregate: for private_ip in addresses.get('private', []): if_xrn = PlXrn(auth=self.driver.hrn, - interface='node%s:eth0' % (instance.hostId)) - interface = Interface({'component_id': if_xrn.urn}) + interface='node%s' % (instance.hostId)) + if_client_id = Xrn(if_xrn.urn, type='interface', id="eth%s" %if_index).urn + if_sliver_id = Xrn(rspec_node['sliver_id'], type='slice', id="eth%s" %if_index).urn + interface = Interface({'component_id': if_xrn.urn, + 'client_id': if_client_id, + 'sliver_id': if_sliver_id}) interface['ips'] = [{'address': private_ip['addr'], #'netmask': private_ip['network'], - 'type': private_ip['version']}] + 'type': 'ipv%s' % str(private_ip['version'])}] rspec_node['interfaces'].append(interface) # slivers always provide the ssh service @@ -153,8 +164,9 @@ class OSAggregate: 'port':'22', 'username': 'root'}) service = Services({'login': login}) rspec_node['services'].append(service) + rspec_nodes.append(rspec_node) - return node_dict.values() + return rspec_nodes def get_aggregate_nodes(self): zones = self.get_availability_zones() @@ -233,6 +245,11 @@ class OSAggregate: cidr_ip = rule.get('cidr_ip'), port_range = rule.get('port_range'), icmp_type_code = rule.get('icmp_type_code')) + # Open ICMP by default + security_group.add_rule_to_group(group_name, + protocol = "icmp", + cidr_ip = "0.0.0.0/0", + icmp_type_code = "-1:-1") return group_name def add_rule_to_security_group(self, group_name, **kwds): @@ -278,6 +295,8 @@ class OSAggregate: image = instance.get('disk_image') if image and isinstance(image, list): image = image[0] + else: + raise InvalidRSpec("Must specify a disk_image for each VM") image_id = self.driver.shell.nova_manager.images.find(name=image['name']) fw_rules = instance.get('fw_rules', []) group_name = self.create_security_group(instance_name, fw_rules) @@ -322,7 +341,7 @@ class OSAggregate: self.driver.shell.nova_manager.servers.delete(instance) # deleate this instance's security groups thread_manager.run(_delete_security_group, instance) - return 1 + return True def stop_instances(self, instance_name, tenant_name): diff --git a/sfa/planetlab/plaggregate.py b/sfa/planetlab/plaggregate.py index 46154e6f..1b2535a6 100644 --- a/sfa/planetlab/plaggregate.py +++ b/sfa/planetlab/plaggregate.py @@ -1,5 +1,5 @@ #!/usr/bin/python -from sfa.util.xrn import Xrn, hrn_to_urn, urn_to_hrn, urn_to_sliver_id +from sfa.util.xrn import Xrn, hrn_to_urn, urn_to_hrn from sfa.util.sfatime import utcparse, datetime_to_string from sfa.util.sfalogging import logger @@ -118,7 +118,7 @@ class PlAggregate: # sort slivers by node id for node_id in slice['node_ids']: - sliver = Sliver({'sliver_id': urn_to_sliver_id(slice_urn, slice['slice_id'], node_id, authority=self.driver.hrn), + sliver = Sliver({'sliver_id': Xrn(slice_urn, type='slice', id=node_id, authority=self.driver.hrn).urn, 'name': slice['name'], 'type': 'plab-vserver', 'tags': []}) diff --git a/sfa/planetlab/pldriver.py b/sfa/planetlab/pldriver.py index 0951e8c0..21fa2270 100644 --- a/sfa/planetlab/pldriver.py +++ b/sfa/planetlab/pldriver.py @@ -7,7 +7,7 @@ from sfa.util.faults import MissingSfaInfo, UnknownSfaType, \ from sfa.util.sfalogging import logger from sfa.util.defaultdict import defaultdict from sfa.util.sfatime import utcparse, datetime_to_string, datetime_to_epoch -from sfa.util.xrn import hrn_to_urn, get_leaf, urn_to_sliver_id +from sfa.util.xrn import Xrn, hrn_to_urn, get_leaf from sfa.util.cache import Cache # one would think the driver should not need to mess with the SFA db, but.. @@ -691,7 +691,7 @@ class PlDriver (Driver): if node['last_contact'] is not None: res['pl_last_contact'] = datetime_to_string(utcparse(node['last_contact'])) - sliver_id = urn_to_sliver_id(slice_urn, slice['slice_id'], node['node_id'], authority=self.hrn) + sliver_id = Xrn(slice_urn, type='slice', id=node['node_id'], authority=self.hrn).urn res['geni_urn'] = sliver_id if node['boot_state'] == 'boot': res['geni_status'] = 'ready' @@ -772,7 +772,7 @@ class PlDriver (Driver): slicename = hrn_to_pl_slicename(slice_hrn) slices = self.shell.GetSlices({'name': slicename}) if not slices: - return 1 + return True slice = slices[0] # determine if this is a peer slice @@ -787,7 +787,7 @@ class PlDriver (Driver): finally: if peer: self.shell.BindObjectToPeer('slice', slice['slice_id'], peer, slice['peer_slice_id']) - return 1 + return True def renew_sliver (self, slice_urn, slice_hrn, creds, expiration_time, options): slicename = hrn_to_pl_slicename(slice_hrn) diff --git a/sfa/rspecs/elements/versions/pgv2Interface.py b/sfa/rspecs/elements/versions/pgv2Interface.py index 29845913..7144fa9b 100644 --- a/sfa/rspecs/elements/versions/pgv2Interface.py +++ b/sfa/rspecs/elements/versions/pgv2Interface.py @@ -8,7 +8,7 @@ class PGv2Interface: def add_interfaces(xml, interfaces): if isinstance(interfaces, list): for interface in interfaces: - if_elem = xml.add_instance('interface', interface, ['component_id', 'client_id']) + if_elem = xml.add_instance('interface', interface, ['component_id', 'client_id', 'sliver_id']) ips = interface.get('ips', []) for ip in ips: if_elem.add_instance('ip', {'address': ip.get('address'), diff --git a/sfa/rspecs/elements/versions/pgv2Node.py b/sfa/rspecs/elements/versions/pgv2Node.py index 88787b52..51916898 100644 --- a/sfa/rspecs/elements/versions/pgv2Node.py +++ b/sfa/rspecs/elements/versions/pgv2Node.py @@ -58,7 +58,6 @@ class PGv2Node: for initscript in node.get('pl_initscripts', []): slivers['tags'].append({'name': 'initscript', 'value': initscript['name']}) PGv2SliverType.add_slivers(node_elem, slivers) - return node_elems @staticmethod diff --git a/sfa/rspecs/elements/versions/plosv1FWRule.py b/sfa/rspecs/elements/versions/plosv1FWRule.py index 974fc3d9..744a36f3 100644 --- a/sfa/rspecs/elements/versions/plosv1FWRule.py +++ b/sfa/rspecs/elements/versions/plosv1FWRule.py @@ -7,11 +7,12 @@ class PLOSv1FWRule: if not rules: return for rule in rules: - rule_elem = xml.add_element('plos:fw_rule') + rule_elem = xml.add_element('{%s}fw_rule' % xml.namespaces['plos']) rule_elem.set('protocol', rule.get('protocol')) rule_elem.set('port_range', rule.get('port_range')) rule_elem.set('cidr_ip', rule.get('cidr_ip')) - rule_elem.set('icmp_type_code', rule.get('icmp_type_code')) + if rule.get('icmp_type_code'): + rule_elem.set('icmp_type_code', rule.get('icmp_type_code')) @staticmethod def get_rules(xml): diff --git a/sfa/rspecs/versions/pgv2.py b/sfa/rspecs/versions/pgv2.py index f96b449d..f8759d8e 100644 --- a/sfa/rspecs/versions/pgv2.py +++ b/sfa/rspecs/versions/pgv2.py @@ -1,6 +1,6 @@ from copy import deepcopy from StringIO import StringIO -from sfa.util.xrn import Xrn, urn_to_sliver_id +from sfa.util.xrn import Xrn from sfa.rspecs.version import RSpecVersion from sfa.rspecs.elements.versions.pgv2Link import PGv2Link from sfa.rspecs.elements.versions.pgv2Node import PGv2Node @@ -143,7 +143,7 @@ class PGv2(RSpecVersion): # set the sliver id #slice_id = sliver_info.get('slice_id', -1) #node_id = sliver_info.get('node_id', -1) - #sliver_id = urn_to_sliver_id(sliver_urn, slice_id, node_id) + #sliver_id = Xrn(xrn=sliver_urn, type='slice', id=str(node_id)).get_urn() #node_elem.set('sliver_id', sliver_id) # add the sliver type elemnt diff --git a/sfa/server/sfaapi.py b/sfa/server/sfaapi.py index 9fe7656c..48bd21c4 100644 --- a/sfa/server/sfaapi.py +++ b/sfa/server/sfaapi.py @@ -212,7 +212,6 @@ class SfaApi (XmlrpcApi): code = { 'geni_code': GENICODE.SUCCESS, 'am_type': 'sfa', - 'am_code': None, } if isinstance(result, SfaFault): code['geni_code'] = result.faultCode diff --git a/sfa/trust/certificate.py b/sfa/trust/certificate.py index 35435cd7..59ec4427 100644 --- a/sfa/trust/certificate.py +++ b/sfa/trust/certificate.py @@ -1,791 +1,791 @@ -#---------------------------------------------------------------------- -# Copyright (c) 2008 Board of Trustees, Princeton University -# -# Permission is hereby granted, free of charge, to any person obtaining -# a copy of this software and/or hardware specification (the "Work") to -# deal in the Work without restriction, including without limitation the -# rights to use, copy, modify, merge, publish, distribute, sublicense, -# and/or sell copies of the Work, and to permit persons to whom the Work -# is furnished to do so, subject to the following conditions: -# -# The above copyright notice and this permission notice shall be -# included in all copies or substantial portions of the Work. -# -# THE WORK IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS -# OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF -# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND -# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT -# HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, -# WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -# OUT OF OR IN CONNECTION WITH THE WORK OR THE USE OR OTHER DEALINGS -# IN THE WORK. -#---------------------------------------------------------------------- - -## -# SFA uses two crypto libraries: pyOpenSSL and M2Crypto to implement -# the necessary crypto functionality. Ideally just one of these libraries -# would be used, but unfortunately each of these libraries is independently -# lacking. The pyOpenSSL library is missing many necessary functions, and -# the M2Crypto library has crashed inside of some of the functions. The -# design decision is to use pyOpenSSL whenever possible as it seems more -# stable, and only use M2Crypto for those functions that are not possible -# in pyOpenSSL. -# -# This module exports two classes: Keypair and Certificate. -## -# - -import functools -import os -import tempfile -import base64 -from tempfile import mkstemp - -from OpenSSL import crypto -import M2Crypto -from M2Crypto import X509 - -from sfa.util.faults import CertExpired, CertMissingParent, CertNotSignedByParent -from sfa.util.sfalogging import logger - -glo_passphrase_callback = None - -## -# A global callback may be implemented for requesting passphrases from the -# user. The function will be called with three arguments: -# -# keypair_obj: the keypair object that is calling the passphrase -# string: the string containing the private key that's being loaded -# x: unknown, appears to be 0, comes from pyOpenSSL and/or m2crypto -# -# The callback should return a string containing the passphrase. - -def set_passphrase_callback(callback_func): - global glo_passphrase_callback - - glo_passphrase_callback = callback_func - -## -# Sets a fixed passphrase. - -def set_passphrase(passphrase): - set_passphrase_callback( lambda k,s,x: passphrase ) - -## -# Check to see if a passphrase works for a particular private key string. -# Intended to be used by passphrase callbacks for input validation. - -def test_passphrase(string, passphrase): - try: - crypto.load_privatekey(crypto.FILETYPE_PEM, string, (lambda x: passphrase)) - return True - except: - return False - -def convert_public_key(key): - keyconvert_path = "/usr/bin/keyconvert.py" - if not os.path.isfile(keyconvert_path): - raise IOError, "Could not find keyconvert in %s" % keyconvert_path - - # we can only convert rsa keys - if "ssh-dss" in key: - raise Exception, "keyconvert: dss keys are not supported" - - (ssh_f, ssh_fn) = tempfile.mkstemp() - ssl_fn = tempfile.mktemp() - os.write(ssh_f, key) - os.close(ssh_f) - - cmd = keyconvert_path + " " + ssh_fn + " " + ssl_fn - os.system(cmd) - - # this check leaves the temporary file containing the public key so - # that it can be expected to see why it failed. - # TODO: for production, cleanup the temporary files - if not os.path.exists(ssl_fn): - raise Exception, "keyconvert: generated certificate not found. keyconvert may have failed." - - k = Keypair() - try: - k.load_pubkey_from_file(ssl_fn) - return k - except: - logger.log_exc("convert_public_key caught exception") - raise - finally: - # remove the temporary files - if os.path.exists(ssh_fn): - os.remove(ssh_fn) - if os.path.exists(ssl_fn): - os.remove(ssl_fn) - -## -# Public-private key pairs are implemented by the Keypair class. -# A Keypair object may represent both a public and private key pair, or it -# may represent only a public key (this usage is consistent with OpenSSL). - -class Keypair: - key = None # public/private keypair - m2key = None # public key (m2crypto format) - - ## - # Creates a Keypair object - # @param create If create==True, creates a new public/private key and - # stores it in the object - # @param string If string!=None, load the keypair from the string (PEM) - # @param filename If filename!=None, load the keypair from the file - - def __init__(self, create=False, string=None, filename=None): - if create: - self.create() - if string: - self.load_from_string(string) - if filename: - self.load_from_file(filename) - - ## - # Create a RSA public/private key pair and store it inside the keypair object - - def create(self): - self.key = crypto.PKey() - self.key.generate_key(crypto.TYPE_RSA, 1024) - - ## - # Save the private key to a file - # @param filename name of file to store the keypair in - - def save_to_file(self, filename): - open(filename, 'w').write(self.as_pem()) - self.filename=filename - - ## - # Load the private key from a file. Implicity the private key includes the public key. - - def load_from_file(self, filename): - self.filename=filename - buffer = open(filename, 'r').read() - self.load_from_string(buffer) - - ## - # Load the private key from a string. Implicitly the private key includes the public key. - - def load_from_string(self, string): - if glo_passphrase_callback: - self.key = crypto.load_privatekey(crypto.FILETYPE_PEM, string, functools.partial(glo_passphrase_callback, self, string) ) - self.m2key = M2Crypto.EVP.load_key_string(string, functools.partial(glo_passphrase_callback, self, string) ) - else: - self.key = crypto.load_privatekey(crypto.FILETYPE_PEM, string) - self.m2key = M2Crypto.EVP.load_key_string(string) - - ## - # Load the public key from a string. No private key is loaded. - - def load_pubkey_from_file(self, filename): - # load the m2 public key - m2rsakey = M2Crypto.RSA.load_pub_key(filename) - self.m2key = M2Crypto.EVP.PKey() - self.m2key.assign_rsa(m2rsakey) - - # create an m2 x509 cert - m2name = M2Crypto.X509.X509_Name() - m2name.add_entry_by_txt(field="CN", type=0x1001, entry="junk", len=-1, loc=-1, set=0) - m2x509 = M2Crypto.X509.X509() - m2x509.set_pubkey(self.m2key) - m2x509.set_serial_number(0) - m2x509.set_issuer_name(m2name) - m2x509.set_subject_name(m2name) - ASN1 = M2Crypto.ASN1.ASN1_UTCTIME() - ASN1.set_time(500) - m2x509.set_not_before(ASN1) - m2x509.set_not_after(ASN1) - # x509v3 so it can have extensions - # prob not necc since this cert itself is junk but still... - m2x509.set_version(2) - junk_key = Keypair(create=True) - m2x509.sign(pkey=junk_key.get_m2_pkey(), md="sha1") - - # convert the m2 x509 cert to a pyopenssl x509 - m2pem = m2x509.as_pem() - pyx509 = crypto.load_certificate(crypto.FILETYPE_PEM, m2pem) - - # get the pyopenssl pkey from the pyopenssl x509 - self.key = pyx509.get_pubkey() - self.filename=filename - - ## - # Load the public key from a string. No private key is loaded. - - def load_pubkey_from_string(self, string): - (f, fn) = tempfile.mkstemp() - os.write(f, string) - os.close(f) - self.load_pubkey_from_file(fn) - os.remove(fn) - - ## - # Return the private key in PEM format. - - def as_pem(self): - return crypto.dump_privatekey(crypto.FILETYPE_PEM, self.key) - - ## - # Return an M2Crypto key object - - def get_m2_pkey(self): - if not self.m2key: - self.m2key = M2Crypto.EVP.load_key_string(self.as_pem()) - return self.m2key - - ## - # Returns a string containing the public key represented by this object. - - def get_pubkey_string(self): - m2pkey = self.get_m2_pkey() - return base64.b64encode(m2pkey.as_der()) - - ## - # Return an OpenSSL pkey object - - def get_openssl_pkey(self): - return self.key - - ## - # Given another Keypair object, return TRUE if the two keys are the same. - - def is_same(self, pkey): - return self.as_pem() == pkey.as_pem() - - def sign_string(self, data): - k = self.get_m2_pkey() - k.sign_init() - k.sign_update(data) - return base64.b64encode(k.sign_final()) - - def verify_string(self, data, sig): - k = self.get_m2_pkey() - k.verify_init() - k.verify_update(data) - return M2Crypto.m2.verify_final(k.ctx, base64.b64decode(sig), k.pkey) - - def compute_hash(self, value): - return self.sign_string(str(value)) - - # only informative - def get_filename(self): - return getattr(self,'filename',None) - - def dump (self, *args, **kwargs): - print self.dump_string(*args, **kwargs) - - def dump_string (self): - result="" - result += "KEYPAIR: pubkey=%40s..."%self.get_pubkey_string() - filename=self.get_filename() - if filename: result += "Filename %s\n"%filename - return result - -## -# The certificate class implements a general purpose X509 certificate, making -# use of the appropriate pyOpenSSL or M2Crypto abstractions. It also adds -# several addition features, such as the ability to maintain a chain of -# parent certificates, and storage of application-specific data. -# -# Certificates include the ability to maintain a chain of parents. Each -# certificate includes a pointer to it's parent certificate. When loaded -# from a file or a string, the parent chain will be automatically loaded. -# When saving a certificate to a file or a string, the caller can choose -# whether to save the parent certificates as well. - -class Certificate: - digest = "md5" - - cert = None - issuerKey = None - issuerSubject = None - parent = None - isCA = None # will be a boolean once set - - separator="-----parent-----" - - ## - # Create a certificate object. - # - # @param lifeDays life of cert in days - default is 1825==5 years - # @param create If create==True, then also create a blank X509 certificate. - # @param subject If subject!=None, then create a blank certificate and set - # it's subject name. - # @param string If string!=None, load the certficate from the string. - # @param filename If filename!=None, load the certficiate from the file. - # @param isCA If !=None, set whether this cert is for a CA - - def __init__(self, lifeDays=1825, create=False, subject=None, string=None, filename=None, isCA=None): - self.data = {} - if create or subject: - self.create(lifeDays) - if subject: - self.set_subject(subject) - if string: - self.load_from_string(string) - if filename: - self.load_from_file(filename) - - # Set the CA bit if a value was supplied - if isCA != None: - self.set_is_ca(isCA) - - # Create a blank X509 certificate and store it in this object. - - def create(self, lifeDays=1825): - self.cert = crypto.X509() - # FIXME: Use different serial #s - self.cert.set_serial_number(3) - self.cert.gmtime_adj_notBefore(0) # 0 means now - self.cert.gmtime_adj_notAfter(lifeDays*60*60*24) # five years is default - self.cert.set_version(2) # x509v3 so it can have extensions - - - ## - # Given a pyOpenSSL X509 object, store that object inside of this - # certificate object. - - def load_from_pyopenssl_x509(self, x509): - self.cert = x509 - - ## - # Load the certificate from a string - - def load_from_string(self, string): - # if it is a chain of multiple certs, then split off the first one and - # load it (support for the ---parent--- tag as well as normal chained certs) - - string = string.strip() - - # If it's not in proper PEM format, wrap it - if string.count('-----BEGIN CERTIFICATE') == 0: - string = '-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----' % string - - # If there is a PEM cert in there, but there is some other text first - # such as the text of the certificate, skip the text - beg = string.find('-----BEGIN CERTIFICATE') - if beg > 0: - # skipping over non cert beginning - string = string[beg:] - - parts = [] - - if string.count('-----BEGIN CERTIFICATE-----') > 1 and \ - string.count(Certificate.separator) == 0: - parts = string.split('-----END CERTIFICATE-----',1) - parts[0] += '-----END CERTIFICATE-----' - else: - parts = string.split(Certificate.separator, 1) - - self.cert = crypto.load_certificate(crypto.FILETYPE_PEM, parts[0]) - - # if there are more certs, then create a parent and let the parent load - # itself from the remainder of the string - if len(parts) > 1 and parts[1] != '': - self.parent = self.__class__() - self.parent.load_from_string(parts[1]) - - ## - # Load the certificate from a file - - def load_from_file(self, filename): - file = open(filename) - string = file.read() - self.load_from_string(string) - self.filename=filename - - ## - # Save the certificate to a string. - # - # @param save_parents If save_parents==True, then also save the parent certificates. - - def save_to_string(self, save_parents=True): - string = crypto.dump_certificate(crypto.FILETYPE_PEM, self.cert) - if save_parents and self.parent: - string = string + self.parent.save_to_string(save_parents) - return string - - ## - # Save the certificate to a file. - # @param save_parents If save_parents==True, then also save the parent certificates. - - def save_to_file(self, filename, save_parents=True, filep=None): - string = self.save_to_string(save_parents=save_parents) - if filep: - f = filep - else: - f = open(filename, 'w') - f.write(string) - f.close() - self.filename=filename - - ## - # Save the certificate to a random file in /tmp/ - # @param save_parents If save_parents==True, then also save the parent certificates. - def save_to_random_tmp_file(self, save_parents=True): - fp, filename = mkstemp(suffix='cert', text=True) - fp = os.fdopen(fp, "w") - self.save_to_file(filename, save_parents=True, filep=fp) - return filename - - ## - # Sets the issuer private key and name - # @param key Keypair object containing the private key of the issuer - # @param subject String containing the name of the issuer - # @param cert (optional) Certificate object containing the name of the issuer - - def set_issuer(self, key, subject=None, cert=None): - self.issuerKey = key - if subject: - # it's a mistake to use subject and cert params at the same time - assert(not cert) - if isinstance(subject, dict) or isinstance(subject, str): - req = crypto.X509Req() - reqSubject = req.get_subject() - if (isinstance(subject, dict)): - for key in reqSubject.keys(): - setattr(reqSubject, key, subject[key]) - else: - setattr(reqSubject, "CN", subject) - subject = reqSubject - # subject is not valid once req is out of scope, so save req - self.issuerReq = req - if cert: - # if a cert was supplied, then get the subject from the cert - subject = cert.cert.get_subject() - assert(subject) - self.issuerSubject = subject - - ## - # Get the issuer name - - def get_issuer(self, which="CN"): - x = self.cert.get_issuer() - return getattr(x, which) - - ## - # Set the subject name of the certificate - - def set_subject(self, name): - req = crypto.X509Req() - subj = req.get_subject() - if (isinstance(name, dict)): - for key in name.keys(): - setattr(subj, key, name[key]) - else: - setattr(subj, "CN", name) - self.cert.set_subject(subj) - - ## - # Get the subject name of the certificate - - def get_subject(self, which="CN"): - x = self.cert.get_subject() - return getattr(x, which) - - ## - # Get a pretty-print subject name of the certificate - - def get_printable_subject(self): - x = self.cert.get_subject() - return "[ OU: %s, CN: %s, SubjectAltName: %s ]" % (getattr(x, "OU"), getattr(x, "CN"), self.get_data()) - - ## - # Get the public key of the certificate. - # - # @param key Keypair object containing the public key - - def set_pubkey(self, key): - assert(isinstance(key, Keypair)) - self.cert.set_pubkey(key.get_openssl_pkey()) - - ## - # Get the public key of the certificate. - # It is returned in the form of a Keypair object. - - def get_pubkey(self): - m2x509 = X509.load_cert_string(self.save_to_string()) - pkey = Keypair() - pkey.key = self.cert.get_pubkey() - pkey.m2key = m2x509.get_pubkey() - return pkey - - def set_intermediate_ca(self, val): - return self.set_is_ca(val) - - # Set whether this cert is for a CA. All signers and only signers should be CAs. - # The local member starts unset, letting us check that you only set it once - # @param val Boolean indicating whether this cert is for a CA - def set_is_ca(self, val): - if val is None: - return - - if self.isCA != None: - # Can't double set properties - raise Exception, "Cannot set basicConstraints CA:?? more than once. Was %s, trying to set as %s" % (self.isCA, val) - - self.isCA = val - if val: - self.add_extension('basicConstraints', 1, 'CA:TRUE') - else: - self.add_extension('basicConstraints', 1, 'CA:FALSE') - - - - ## - # Add an X509 extension to the certificate. Add_extension can only be called - # once for a particular extension name, due to limitations in the underlying - # library. - # - # @param name string containing name of extension - # @param value string containing value of the extension - - def add_extension(self, name, critical, value): - oldExtVal = None - try: - oldExtVal = self.get_extension(name) - except: - # M2Crypto LookupError when the extension isn't there (yet) - pass - - # This code limits you from adding the extension with the same value - # The method comment says you shouldn't do this with the same name - # But actually it (m2crypto) appears to allow you to do this. - if oldExtVal and oldExtVal == value: - # don't add this extension again - # just do nothing as here - return - # FIXME: What if they are trying to set with a different value? - # Is this ever OK? Or should we raise an exception? -# elif oldExtVal: -# raise "Cannot add extension %s which had val %s with new val %s" % (name, oldExtVal, value) - - ext = crypto.X509Extension (name, critical, value) - self.cert.add_extensions([ext]) - - ## - # Get an X509 extension from the certificate - - def get_extension(self, name): - - # pyOpenSSL does not have a way to get extensions - m2x509 = X509.load_cert_string(self.save_to_string()) - value = m2x509.get_ext(name).get_value() - - return value - - ## - # Set_data is a wrapper around add_extension. It stores the parameter str in - # the X509 subject_alt_name extension. Set_data can only be called once, due - # to limitations in the underlying library. - - def set_data(self, str, field='subjectAltName'): - # pyOpenSSL only allows us to add extensions, so if we try to set the - # same extension more than once, it will not work - if self.data.has_key(field): - raise "Cannot set ", field, " more than once" - self.data[field] = str - self.add_extension(field, 0, str) - - ## - # Return the data string that was previously set with set_data - - def get_data(self, field='subjectAltName'): - if self.data.has_key(field): - return self.data[field] - - try: - uri = self.get_extension(field) - self.data[field] = uri - except LookupError: - return None - - return self.data[field] - - ## - # Sign the certificate using the issuer private key and issuer subject previous set with set_issuer(). - - def sign(self): - logger.debug('certificate.sign') - assert self.cert != None - assert self.issuerSubject != None - assert self.issuerKey != None - self.cert.set_issuer(self.issuerSubject) - self.cert.sign(self.issuerKey.get_openssl_pkey(), self.digest) - - ## - # Verify the authenticity of a certificate. - # @param pkey is a Keypair object representing a public key. If Pkey - # did not sign the certificate, then an exception will be thrown. - - def verify(self, pkey): - # pyOpenSSL does not have a way to verify signatures - m2x509 = X509.load_cert_string(self.save_to_string()) - m2pkey = pkey.get_m2_pkey() - # verify it - return m2x509.verify(m2pkey) - - # XXX alternatively, if openssl has been patched, do the much simpler: - # try: - # self.cert.verify(pkey.get_openssl_key()) - # return 1 - # except: - # return 0 - - ## - # Return True if pkey is identical to the public key that is contained in the certificate. - # @param pkey Keypair object - - def is_pubkey(self, pkey): - return self.get_pubkey().is_same(pkey) - - ## - # Given a certificate cert, verify that this certificate was signed by the - # public key contained in cert. Throw an exception otherwise. - # - # @param cert certificate object - - def is_signed_by_cert(self, cert): - k = cert.get_pubkey() - result = self.verify(k) - return result - - ## - # Set the parent certficiate. - # - # @param p certificate object. - - def set_parent(self, p): - self.parent = p - - ## - # Return the certificate object of the parent of this certificate. - - def get_parent(self): - return self.parent - - ## - # Verification examines a chain of certificates to ensure that each parent - # signs the child, and that some certificate in the chain is signed by a - # trusted certificate. - # - # Verification is a basic recursion: 
-    #     if this_certificate was signed by trusted_certs:
-    #         return
-    #     else
-    #         return verify_chain(parent, trusted_certs)
-    #
- # - # At each recursion, the parent is tested to ensure that it did sign the - # child. If a parent did not sign a child, then an exception is thrown. If - # the bottom of the recursion is reached and the certificate does not match - # a trusted root, then an exception is thrown. - # Also require that parents are CAs. - # - # @param Trusted_certs is a list of certificates that are trusted. - # - - def verify_chain(self, trusted_certs = None): - # Verify a chain of certificates. Each certificate must be signed by - # the public key contained in it's parent. The chain is recursed - # until a certificate is found that is signed by a trusted root. - - # verify expiration time - if self.cert.has_expired(): - logger.debug("verify_chain: NO, Certificate %s has expired" % self.get_printable_subject()) - raise CertExpired(self.get_printable_subject(), "client cert") - - # if this cert is signed by a trusted_cert, then we are set - for trusted_cert in trusted_certs: - if self.is_signed_by_cert(trusted_cert): - # verify expiration of trusted_cert ? - if not trusted_cert.cert.has_expired(): - logger.debug("verify_chain: YES. Cert %s signed by trusted cert %s"%( - self.get_printable_subject(), trusted_cert.get_printable_subject())) - return trusted_cert - else: - logger.debug("verify_chain: NO. Cert %s is signed by trusted_cert %s, but that signer is expired..."%( - self.get_printable_subject(),trusted_cert.get_printable_subject())) - raise CertExpired(self.get_printable_subject()," signer trusted_cert %s"%trusted_cert.get_printable_subject()) - - # if there is no parent, then no way to verify the chain - if not self.parent: - logger.debug("verify_chain: NO. %s has no parent and issuer %s is not in %d trusted roots"%(self.get_printable_subject(), self.get_issuer(), len(trusted_certs))) - raise CertMissingParent(self.get_printable_subject() + ": Issuer %s is not one of the %d trusted roots, and cert has no parent." % (self.get_issuer(), len(trusted_certs))) - - # if it wasn't signed by the parent... - if not self.is_signed_by_cert(self.parent): - logger.debug("verify_chain: NO. %s is not signed by parent %s, but by %s"%\ - (self.get_printable_subject(), - self.parent.get_printable_subject(), - self.get_issuer())) - raise CertNotSignedByParent("%s: Parent %s, issuer %s"\ - % (self.get_printable_subject(), - self.parent.get_printable_subject(), - self.get_issuer())) - - # Confirm that the parent is a CA. Only CAs can be trusted as - # signers. - # Note that trusted roots are not parents, so don't need to be - # CAs. - # Ugly - cert objects aren't parsed so we need to read the - # extension and hope there are no other basicConstraints - if not self.parent.isCA and not (self.parent.get_extension('basicConstraints') == 'CA:TRUE'): - logger.warn("verify_chain: cert %s's parent %s is not a CA" % \ - (self.get_printable_subject(), self.parent.get_printable_subject())) - raise CertNotSignedByParent("%s: Parent %s not a CA" % (self.get_printable_subject(), - self.parent.get_printable_subject())) - - # if the parent isn't verified... - logger.debug("verify_chain: .. %s, -> verifying parent %s"%\ - (self.get_printable_subject(),self.parent.get_printable_subject())) - self.parent.verify_chain(trusted_certs) - - return - - ### more introspection - def get_extensions(self): - # pyOpenSSL does not have a way to get extensions - triples=[] - m2x509 = X509.load_cert_string(self.save_to_string()) - nb_extensions=m2x509.get_ext_count() - logger.debug("X509 had %d extensions"%nb_extensions) - for i in range(nb_extensions): - ext=m2x509.get_ext_at(i) - triples.append( (ext.get_name(), ext.get_value(), ext.get_critical(),) ) - return triples - - def get_data_names(self): - return self.data.keys() - - def get_all_datas (self): - triples=self.get_extensions() - for name in self.get_data_names(): - triples.append( (name,self.get_data(name),'data',) ) - return triples - - # only informative - def get_filename(self): - return getattr(self,'filename',None) - - def dump (self, *args, **kwargs): - print self.dump_string(*args, **kwargs) - - def dump_string (self,show_extensions=False): - result = "" - result += "CERTIFICATE for %s\n"%self.get_printable_subject() - result += "Issued by %s\n"%self.get_issuer() - filename=self.get_filename() - if filename: result += "Filename %s\n"%filename - if show_extensions: - all_datas=self.get_all_datas() - result += " has %d extensions/data attached"%len(all_datas) - for (n,v,c) in all_datas: - if c=='data': - result += " data: %s=%s\n"%(n,v) - else: - result += " ext: %s (crit=%s)=<<<%s>>>\n"%(n,c,v) - return result +#---------------------------------------------------------------------- +# Copyright (c) 2008 Board of Trustees, Princeton University +# +# Permission is hereby granted, free of charge, to any person obtaining +# a copy of this software and/or hardware specification (the "Work") to +# deal in the Work without restriction, including without limitation the +# rights to use, copy, modify, merge, publish, distribute, sublicense, +# and/or sell copies of the Work, and to permit persons to whom the Work +# is furnished to do so, subject to the following conditions: +# +# The above copyright notice and this permission notice shall be +# included in all copies or substantial portions of the Work. +# +# THE WORK IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS +# OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND +# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT +# HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, +# WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +# OUT OF OR IN CONNECTION WITH THE WORK OR THE USE OR OTHER DEALINGS +# IN THE WORK. +#---------------------------------------------------------------------- + +## +# SFA uses two crypto libraries: pyOpenSSL and M2Crypto to implement +# the necessary crypto functionality. Ideally just one of these libraries +# would be used, but unfortunately each of these libraries is independently +# lacking. The pyOpenSSL library is missing many necessary functions, and +# the M2Crypto library has crashed inside of some of the functions. The +# design decision is to use pyOpenSSL whenever possible as it seems more +# stable, and only use M2Crypto for those functions that are not possible +# in pyOpenSSL. +# +# This module exports two classes: Keypair and Certificate. +## +# + +import functools +import os +import tempfile +import base64 +from tempfile import mkstemp + +from OpenSSL import crypto +import M2Crypto +from M2Crypto import X509 + +from sfa.util.faults import CertExpired, CertMissingParent, CertNotSignedByParent +from sfa.util.sfalogging import logger + +glo_passphrase_callback = None + +## +# A global callback may be implemented for requesting passphrases from the +# user. The function will be called with three arguments: +# +# keypair_obj: the keypair object that is calling the passphrase +# string: the string containing the private key that's being loaded +# x: unknown, appears to be 0, comes from pyOpenSSL and/or m2crypto +# +# The callback should return a string containing the passphrase. + +def set_passphrase_callback(callback_func): + global glo_passphrase_callback + + glo_passphrase_callback = callback_func + +## +# Sets a fixed passphrase. + +def set_passphrase(passphrase): + set_passphrase_callback( lambda k,s,x: passphrase ) + +## +# Check to see if a passphrase works for a particular private key string. +# Intended to be used by passphrase callbacks for input validation. + +def test_passphrase(string, passphrase): + try: + crypto.load_privatekey(crypto.FILETYPE_PEM, string, (lambda x: passphrase)) + return True + except: + return False + +def convert_public_key(key): + keyconvert_path = "/usr/bin/keyconvert.py" + if not os.path.isfile(keyconvert_path): + raise IOError, "Could not find keyconvert in %s" % keyconvert_path + + # we can only convert rsa keys + if "ssh-dss" in key: + raise Exception, "keyconvert: dss keys are not supported" + + (ssh_f, ssh_fn) = tempfile.mkstemp() + ssl_fn = tempfile.mktemp() + os.write(ssh_f, key) + os.close(ssh_f) + + cmd = keyconvert_path + " " + ssh_fn + " " + ssl_fn + os.system(cmd) + + # this check leaves the temporary file containing the public key so + # that it can be expected to see why it failed. + # TODO: for production, cleanup the temporary files + if not os.path.exists(ssl_fn): + raise Exception, "keyconvert: generated certificate not found. keyconvert may have failed." + + k = Keypair() + try: + k.load_pubkey_from_file(ssl_fn) + return k + except: + logger.log_exc("convert_public_key caught exception") + raise + finally: + # remove the temporary files + if os.path.exists(ssh_fn): + os.remove(ssh_fn) + if os.path.exists(ssl_fn): + os.remove(ssl_fn) + +## +# Public-private key pairs are implemented by the Keypair class. +# A Keypair object may represent both a public and private key pair, or it +# may represent only a public key (this usage is consistent with OpenSSL). + +class Keypair: + key = None # public/private keypair + m2key = None # public key (m2crypto format) + + ## + # Creates a Keypair object + # @param create If create==True, creates a new public/private key and + # stores it in the object + # @param string If string!=None, load the keypair from the string (PEM) + # @param filename If filename!=None, load the keypair from the file + + def __init__(self, create=False, string=None, filename=None): + if create: + self.create() + if string: + self.load_from_string(string) + if filename: + self.load_from_file(filename) + + ## + # Create a RSA public/private key pair and store it inside the keypair object + + def create(self): + self.key = crypto.PKey() + self.key.generate_key(crypto.TYPE_RSA, 1024) + + ## + # Save the private key to a file + # @param filename name of file to store the keypair in + + def save_to_file(self, filename): + open(filename, 'w').write(self.as_pem()) + self.filename=filename + + ## + # Load the private key from a file. Implicity the private key includes the public key. + + def load_from_file(self, filename): + self.filename=filename + buffer = open(filename, 'r').read() + self.load_from_string(buffer) + + ## + # Load the private key from a string. Implicitly the private key includes the public key. + + def load_from_string(self, string): + if glo_passphrase_callback: + self.key = crypto.load_privatekey(crypto.FILETYPE_PEM, string, functools.partial(glo_passphrase_callback, self, string) ) + self.m2key = M2Crypto.EVP.load_key_string(string, functools.partial(glo_passphrase_callback, self, string) ) + else: + self.key = crypto.load_privatekey(crypto.FILETYPE_PEM, string) + self.m2key = M2Crypto.EVP.load_key_string(string) + + ## + # Load the public key from a string. No private key is loaded. + + def load_pubkey_from_file(self, filename): + # load the m2 public key + m2rsakey = M2Crypto.RSA.load_pub_key(filename) + self.m2key = M2Crypto.EVP.PKey() + self.m2key.assign_rsa(m2rsakey) + + # create an m2 x509 cert + m2name = M2Crypto.X509.X509_Name() + m2name.add_entry_by_txt(field="CN", type=0x1001, entry="junk", len=-1, loc=-1, set=0) + m2x509 = M2Crypto.X509.X509() + m2x509.set_pubkey(self.m2key) + m2x509.set_serial_number(0) + m2x509.set_issuer_name(m2name) + m2x509.set_subject_name(m2name) + ASN1 = M2Crypto.ASN1.ASN1_UTCTIME() + ASN1.set_time(500) + m2x509.set_not_before(ASN1) + m2x509.set_not_after(ASN1) + # x509v3 so it can have extensions + # prob not necc since this cert itself is junk but still... + m2x509.set_version(2) + junk_key = Keypair(create=True) + m2x509.sign(pkey=junk_key.get_m2_pkey(), md="sha1") + + # convert the m2 x509 cert to a pyopenssl x509 + m2pem = m2x509.as_pem() + pyx509 = crypto.load_certificate(crypto.FILETYPE_PEM, m2pem) + + # get the pyopenssl pkey from the pyopenssl x509 + self.key = pyx509.get_pubkey() + self.filename=filename + + ## + # Load the public key from a string. No private key is loaded. + + def load_pubkey_from_string(self, string): + (f, fn) = tempfile.mkstemp() + os.write(f, string) + os.close(f) + self.load_pubkey_from_file(fn) + os.remove(fn) + + ## + # Return the private key in PEM format. + + def as_pem(self): + return crypto.dump_privatekey(crypto.FILETYPE_PEM, self.key) + + ## + # Return an M2Crypto key object + + def get_m2_pkey(self): + if not self.m2key: + self.m2key = M2Crypto.EVP.load_key_string(self.as_pem()) + return self.m2key + + ## + # Returns a string containing the public key represented by this object. + + def get_pubkey_string(self): + m2pkey = self.get_m2_pkey() + return base64.b64encode(m2pkey.as_der()) + + ## + # Return an OpenSSL pkey object + + def get_openssl_pkey(self): + return self.key + + ## + # Given another Keypair object, return TRUE if the two keys are the same. + + def is_same(self, pkey): + return self.as_pem() == pkey.as_pem() + + def sign_string(self, data): + k = self.get_m2_pkey() + k.sign_init() + k.sign_update(data) + return base64.b64encode(k.sign_final()) + + def verify_string(self, data, sig): + k = self.get_m2_pkey() + k.verify_init() + k.verify_update(data) + return M2Crypto.m2.verify_final(k.ctx, base64.b64decode(sig), k.pkey) + + def compute_hash(self, value): + return self.sign_string(str(value)) + + # only informative + def get_filename(self): + return getattr(self,'filename',None) + + def dump (self, *args, **kwargs): + print self.dump_string(*args, **kwargs) + + def dump_string (self): + result="" + result += "KEYPAIR: pubkey=%40s..."%self.get_pubkey_string() + filename=self.get_filename() + if filename: result += "Filename %s\n"%filename + return result + +## +# The certificate class implements a general purpose X509 certificate, making +# use of the appropriate pyOpenSSL or M2Crypto abstractions. It also adds +# several addition features, such as the ability to maintain a chain of +# parent certificates, and storage of application-specific data. +# +# Certificates include the ability to maintain a chain of parents. Each +# certificate includes a pointer to it's parent certificate. When loaded +# from a file or a string, the parent chain will be automatically loaded. +# When saving a certificate to a file or a string, the caller can choose +# whether to save the parent certificates as well. + +class Certificate: + digest = "md5" + + cert = None + issuerKey = None + issuerSubject = None + parent = None + isCA = None # will be a boolean once set + + separator="-----parent-----" + + ## + # Create a certificate object. + # + # @param lifeDays life of cert in days - default is 1825==5 years + # @param create If create==True, then also create a blank X509 certificate. + # @param subject If subject!=None, then create a blank certificate and set + # it's subject name. + # @param string If string!=None, load the certficate from the string. + # @param filename If filename!=None, load the certficiate from the file. + # @param isCA If !=None, set whether this cert is for a CA + + def __init__(self, lifeDays=1825, create=False, subject=None, string=None, filename=None, isCA=None): + self.data = {} + if create or subject: + self.create(lifeDays) + if subject: + self.set_subject(subject) + if string: + self.load_from_string(string) + if filename: + self.load_from_file(filename) + + # Set the CA bit if a value was supplied + if isCA != None: + self.set_is_ca(isCA) + + # Create a blank X509 certificate and store it in this object. + + def create(self, lifeDays=1825): + self.cert = crypto.X509() + # FIXME: Use different serial #s + self.cert.set_serial_number(3) + self.cert.gmtime_adj_notBefore(0) # 0 means now + self.cert.gmtime_adj_notAfter(lifeDays*60*60*24) # five years is default + self.cert.set_version(2) # x509v3 so it can have extensions + + + ## + # Given a pyOpenSSL X509 object, store that object inside of this + # certificate object. + + def load_from_pyopenssl_x509(self, x509): + self.cert = x509 + + ## + # Load the certificate from a string + + def load_from_string(self, string): + # if it is a chain of multiple certs, then split off the first one and + # load it (support for the ---parent--- tag as well as normal chained certs) + + string = string.strip() + + # If it's not in proper PEM format, wrap it + if string.count('-----BEGIN CERTIFICATE') == 0: + string = '-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----' % string + + # If there is a PEM cert in there, but there is some other text first + # such as the text of the certificate, skip the text + beg = string.find('-----BEGIN CERTIFICATE') + if beg > 0: + # skipping over non cert beginning + string = string[beg:] + + parts = [] + + if string.count('-----BEGIN CERTIFICATE-----') > 1 and \ + string.count(Certificate.separator) == 0: + parts = string.split('-----END CERTIFICATE-----',1) + parts[0] += '-----END CERTIFICATE-----' + else: + parts = string.split(Certificate.separator, 1) + + self.cert = crypto.load_certificate(crypto.FILETYPE_PEM, parts[0]) + + # if there are more certs, then create a parent and let the parent load + # itself from the remainder of the string + if len(parts) > 1 and parts[1] != '': + self.parent = self.__class__() + self.parent.load_from_string(parts[1]) + + ## + # Load the certificate from a file + + def load_from_file(self, filename): + file = open(filename) + string = file.read() + self.load_from_string(string) + self.filename=filename + + ## + # Save the certificate to a string. + # + # @param save_parents If save_parents==True, then also save the parent certificates. + + def save_to_string(self, save_parents=True): + string = crypto.dump_certificate(crypto.FILETYPE_PEM, self.cert) + if save_parents and self.parent: + string = string + self.parent.save_to_string(save_parents) + return string + + ## + # Save the certificate to a file. + # @param save_parents If save_parents==True, then also save the parent certificates. + + def save_to_file(self, filename, save_parents=True, filep=None): + string = self.save_to_string(save_parents=save_parents) + if filep: + f = filep + else: + f = open(filename, 'w') + f.write(string) + f.close() + self.filename=filename + + ## + # Save the certificate to a random file in /tmp/ + # @param save_parents If save_parents==True, then also save the parent certificates. + def save_to_random_tmp_file(self, save_parents=True): + fp, filename = mkstemp(suffix='cert', text=True) + fp = os.fdopen(fp, "w") + self.save_to_file(filename, save_parents=True, filep=fp) + return filename + + ## + # Sets the issuer private key and name + # @param key Keypair object containing the private key of the issuer + # @param subject String containing the name of the issuer + # @param cert (optional) Certificate object containing the name of the issuer + + def set_issuer(self, key, subject=None, cert=None): + self.issuerKey = key + if subject: + # it's a mistake to use subject and cert params at the same time + assert(not cert) + if isinstance(subject, dict) or isinstance(subject, str): + req = crypto.X509Req() + reqSubject = req.get_subject() + if (isinstance(subject, dict)): + for key in reqSubject.keys(): + setattr(reqSubject, key, subject[key]) + else: + setattr(reqSubject, "CN", subject) + subject = reqSubject + # subject is not valid once req is out of scope, so save req + self.issuerReq = req + if cert: + # if a cert was supplied, then get the subject from the cert + subject = cert.cert.get_subject() + assert(subject) + self.issuerSubject = subject + + ## + # Get the issuer name + + def get_issuer(self, which="CN"): + x = self.cert.get_issuer() + return getattr(x, which) + + ## + # Set the subject name of the certificate + + def set_subject(self, name): + req = crypto.X509Req() + subj = req.get_subject() + if (isinstance(name, dict)): + for key in name.keys(): + setattr(subj, key, name[key]) + else: + setattr(subj, "CN", name) + self.cert.set_subject(subj) + + ## + # Get the subject name of the certificate + + def get_subject(self, which="CN"): + x = self.cert.get_subject() + return getattr(x, which) + + ## + # Get a pretty-print subject name of the certificate + + def get_printable_subject(self): + x = self.cert.get_subject() + return "[ OU: %s, CN: %s, SubjectAltName: %s ]" % (getattr(x, "OU"), getattr(x, "CN"), self.get_data()) + + ## + # Get the public key of the certificate. + # + # @param key Keypair object containing the public key + + def set_pubkey(self, key): + assert(isinstance(key, Keypair)) + self.cert.set_pubkey(key.get_openssl_pkey()) + + ## + # Get the public key of the certificate. + # It is returned in the form of a Keypair object. + + def get_pubkey(self): + m2x509 = X509.load_cert_string(self.save_to_string()) + pkey = Keypair() + pkey.key = self.cert.get_pubkey() + pkey.m2key = m2x509.get_pubkey() + return pkey + + def set_intermediate_ca(self, val): + return self.set_is_ca(val) + + # Set whether this cert is for a CA. All signers and only signers should be CAs. + # The local member starts unset, letting us check that you only set it once + # @param val Boolean indicating whether this cert is for a CA + def set_is_ca(self, val): + if val is None: + return + + if self.isCA != None: + # Can't double set properties + raise Exception, "Cannot set basicConstraints CA:?? more than once. Was %s, trying to set as %s" % (self.isCA, val) + + self.isCA = val + if val: + self.add_extension('basicConstraints', 1, 'CA:TRUE') + else: + self.add_extension('basicConstraints', 1, 'CA:FALSE') + + + + ## + # Add an X509 extension to the certificate. Add_extension can only be called + # once for a particular extension name, due to limitations in the underlying + # library. + # + # @param name string containing name of extension + # @param value string containing value of the extension + + def add_extension(self, name, critical, value): + oldExtVal = None + try: + oldExtVal = self.get_extension(name) + except: + # M2Crypto LookupError when the extension isn't there (yet) + pass + + # This code limits you from adding the extension with the same value + # The method comment says you shouldn't do this with the same name + # But actually it (m2crypto) appears to allow you to do this. + if oldExtVal and oldExtVal == value: + # don't add this extension again + # just do nothing as here + return + # FIXME: What if they are trying to set with a different value? + # Is this ever OK? Or should we raise an exception? +# elif oldExtVal: +# raise "Cannot add extension %s which had val %s with new val %s" % (name, oldExtVal, value) + + ext = crypto.X509Extension (name, critical, value) + self.cert.add_extensions([ext]) + + ## + # Get an X509 extension from the certificate + + def get_extension(self, name): + + # pyOpenSSL does not have a way to get extensions + m2x509 = X509.load_cert_string(self.save_to_string()) + value = m2x509.get_ext(name).get_value() + + return value + + ## + # Set_data is a wrapper around add_extension. It stores the parameter str in + # the X509 subject_alt_name extension. Set_data can only be called once, due + # to limitations in the underlying library. + + def set_data(self, str, field='subjectAltName'): + # pyOpenSSL only allows us to add extensions, so if we try to set the + # same extension more than once, it will not work + if self.data.has_key(field): + raise "Cannot set ", field, " more than once" + self.data[field] = str + self.add_extension(field, 0, str) + + ## + # Return the data string that was previously set with set_data + + def get_data(self, field='subjectAltName'): + if self.data.has_key(field): + return self.data[field] + + try: + uri = self.get_extension(field) + self.data[field] = uri + except LookupError: + return None + + return self.data[field] + + ## + # Sign the certificate using the issuer private key and issuer subject previous set with set_issuer(). + + def sign(self): + logger.debug('certificate.sign') + assert self.cert != None + assert self.issuerSubject != None + assert self.issuerKey != None + self.cert.set_issuer(self.issuerSubject) + self.cert.sign(self.issuerKey.get_openssl_pkey(), self.digest) + + ## + # Verify the authenticity of a certificate. + # @param pkey is a Keypair object representing a public key. If Pkey + # did not sign the certificate, then an exception will be thrown. + + def verify(self, pkey): + # pyOpenSSL does not have a way to verify signatures + m2x509 = X509.load_cert_string(self.save_to_string()) + m2pkey = pkey.get_m2_pkey() + # verify it + return m2x509.verify(m2pkey) + + # XXX alternatively, if openssl has been patched, do the much simpler: + # try: + # self.cert.verify(pkey.get_openssl_key()) + # return 1 + # except: + # return 0 + + ## + # Return True if pkey is identical to the public key that is contained in the certificate. + # @param pkey Keypair object + + def is_pubkey(self, pkey): + return self.get_pubkey().is_same(pkey) + + ## + # Given a certificate cert, verify that this certificate was signed by the + # public key contained in cert. Throw an exception otherwise. + # + # @param cert certificate object + + def is_signed_by_cert(self, cert): + k = cert.get_pubkey() + result = self.verify(k) + return result + + ## + # Set the parent certficiate. + # + # @param p certificate object. + + def set_parent(self, p): + self.parent = p + + ## + # Return the certificate object of the parent of this certificate. + + def get_parent(self): + return self.parent + + ## + # Verification examines a chain of certificates to ensure that each parent + # signs the child, and that some certificate in the chain is signed by a + # trusted certificate. + # + # Verification is a basic recursion: 
+    #     if this_certificate was signed by trusted_certs:
+    #         return
+    #     else
+    #         return verify_chain(parent, trusted_certs)
+    #
+ # + # At each recursion, the parent is tested to ensure that it did sign the + # child. If a parent did not sign a child, then an exception is thrown. If + # the bottom of the recursion is reached and the certificate does not match + # a trusted root, then an exception is thrown. + # Also require that parents are CAs. + # + # @param Trusted_certs is a list of certificates that are trusted. + # + + def verify_chain(self, trusted_certs = None): + # Verify a chain of certificates. Each certificate must be signed by + # the public key contained in it's parent. The chain is recursed + # until a certificate is found that is signed by a trusted root. + + # verify expiration time + if self.cert.has_expired(): + logger.debug("verify_chain: NO, Certificate %s has expired" % self.get_printable_subject()) + raise CertExpired(self.get_printable_subject(), "client cert") + + # if this cert is signed by a trusted_cert, then we are set + for trusted_cert in trusted_certs: + if self.is_signed_by_cert(trusted_cert): + # verify expiration of trusted_cert ? + if not trusted_cert.cert.has_expired(): + logger.debug("verify_chain: YES. Cert %s signed by trusted cert %s"%( + self.get_printable_subject(), trusted_cert.get_printable_subject())) + return trusted_cert + else: + logger.debug("verify_chain: NO. Cert %s is signed by trusted_cert %s, but that signer is expired..."%( + self.get_printable_subject(),trusted_cert.get_printable_subject())) + raise CertExpired(self.get_printable_subject()," signer trusted_cert %s"%trusted_cert.get_printable_subject()) + + # if there is no parent, then no way to verify the chain + if not self.parent: + logger.debug("verify_chain: NO. %s has no parent and issuer %s is not in %d trusted roots"%(self.get_printable_subject(), self.get_issuer(), len(trusted_certs))) + raise CertMissingParent(self.get_printable_subject() + ": Issuer %s is not one of the %d trusted roots, and cert has no parent." % (self.get_issuer(), len(trusted_certs))) + + # if it wasn't signed by the parent... + if not self.is_signed_by_cert(self.parent): + logger.debug("verify_chain: NO. %s is not signed by parent %s, but by %s"%\ + (self.get_printable_subject(), + self.parent.get_printable_subject(), + self.get_issuer())) + raise CertNotSignedByParent("%s: Parent %s, issuer %s"\ + % (self.get_printable_subject(), + self.parent.get_printable_subject(), + self.get_issuer())) + + # Confirm that the parent is a CA. Only CAs can be trusted as + # signers. + # Note that trusted roots are not parents, so don't need to be + # CAs. + # Ugly - cert objects aren't parsed so we need to read the + # extension and hope there are no other basicConstraints + if not self.parent.isCA and not (self.parent.get_extension('basicConstraints') == 'CA:TRUE'): + logger.warn("verify_chain: cert %s's parent %s is not a CA" % \ + (self.get_printable_subject(), self.parent.get_printable_subject())) + raise CertNotSignedByParent("%s: Parent %s not a CA" % (self.get_printable_subject(), + self.parent.get_printable_subject())) + + # if the parent isn't verified... + logger.debug("verify_chain: .. %s, -> verifying parent %s"%\ + (self.get_printable_subject(),self.parent.get_printable_subject())) + self.parent.verify_chain(trusted_certs) + + return + + ### more introspection + def get_extensions(self): + # pyOpenSSL does not have a way to get extensions + triples=[] + m2x509 = X509.load_cert_string(self.save_to_string()) + nb_extensions=m2x509.get_ext_count() + logger.debug("X509 had %d extensions"%nb_extensions) + for i in range(nb_extensions): + ext=m2x509.get_ext_at(i) + triples.append( (ext.get_name(), ext.get_value(), ext.get_critical(),) ) + return triples + + def get_data_names(self): + return self.data.keys() + + def get_all_datas (self): + triples=self.get_extensions() + for name in self.get_data_names(): + triples.append( (name,self.get_data(name),'data',) ) + return triples + + # only informative + def get_filename(self): + return getattr(self,'filename',None) + + def dump (self, *args, **kwargs): + print self.dump_string(*args, **kwargs) + + def dump_string (self,show_extensions=False): + result = "" + result += "CERTIFICATE for %s\n"%self.get_printable_subject() + result += "Issued by %s\n"%self.get_issuer() + filename=self.get_filename() + if filename: result += "Filename %s\n"%filename + if show_extensions: + all_datas=self.get_all_datas() + result += " has %d extensions/data attached"%len(all_datas) + for (n,v,c) in all_datas: + if c=='data': + result += " data: %s=%s\n"%(n,v) + else: + result += " ext: %s (crit=%s)=<<<%s>>>\n"%(n,c,v) + return result diff --git a/sfa/trust/credential_legacy.py b/sfa/trust/credential_legacy.py index 85ddc68d..b5fc449a 100644 --- a/sfa/trust/credential_legacy.py +++ b/sfa/trust/credential_legacy.py @@ -1,270 +1,270 @@ -#---------------------------------------------------------------------- -# Copyright (c) 2008 Board of Trustees, Princeton University -# -# Permission is hereby granted, free of charge, to any person obtaining -# a copy of this software and/or hardware specification (the "Work") to -# deal in the Work without restriction, including without limitation the -# rights to use, copy, modify, merge, publish, distribute, sublicense, -# and/or sell copies of the Work, and to permit persons to whom the Work -# is furnished to do so, subject to the following conditions: -# -# The above copyright notice and this permission notice shall be -# included in all copies or substantial portions of the Work. -# -# THE WORK IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS -# OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF -# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND -# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT -# HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, -# WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -# OUT OF OR IN CONNECTION WITH THE WORK OR THE USE OR OTHER DEALINGS -# IN THE WORK. -#---------------------------------------------------------------------- -## -# Implements SFA Credentials -# -# Credentials are layered on top of certificates, and are essentially a -# certificate that stores a tuple of parameters. -## - - -import xmlrpclib - -from sfa.util.faults import MissingDelegateBit, ChildRightsNotSubsetOfParent -from sfa.trust.certificate import Certificate -from sfa.trust.gid import GID - -## -# Credential is a tuple: -# (GIDCaller, GIDObject, LifeTime, Privileges, Delegate) -# -# These fields are encoded using xmlrpc into the subjectAltName field of the -# x509 certificate. Note: Call encode() once the fields have been filled in -# to perform this encoding. - -class CredentialLegacy(Certificate): - gidCaller = None - gidObject = None - lifeTime = None - privileges = None - delegate = False - - ## - # Create a Credential object - # - # @param create If true, create a blank x509 certificate - # @param subject If subject!=None, create an x509 cert with the subject name - # @param string If string!=None, load the credential from the string - # @param filename If filename!=None, load the credential from the file - - def __init__(self, create=False, subject=None, string=None, filename=None): - Certificate.__init__(self, create, subject, string, filename) - - ## - # set the GID of the caller - # - # @param gid GID object of the caller - - def set_gid_caller(self, gid): - self.gidCaller = gid - # gid origin caller is the caller's gid by default - self.gidOriginCaller = gid - - ## - # get the GID of the object - - def get_gid_caller(self): - if not self.gidCaller: - self.decode() - return self.gidCaller - - ## - # set the GID of the object - # - # @param gid GID object of the object - - def set_gid_object(self, gid): - self.gidObject = gid - - ## - # get the GID of the object - - def get_gid_object(self): - if not self.gidObject: - self.decode() - return self.gidObject - - ## - # set the lifetime of this credential - # - # @param lifetime lifetime of credential - - def set_lifetime(self, lifeTime): - self.lifeTime = lifeTime - - ## - # get the lifetime of the credential - - def get_lifetime(self): - if not self.lifeTime: - self.decode() - return self.lifeTime - - ## - # set the delegate bit - # - # @param delegate boolean (True or False) - - def set_delegate(self, delegate): - self.delegate = delegate - - ## - # get the delegate bit - - def get_delegate(self): - if not self.delegate: - self.decode() - return self.delegate - - ## - # set the privileges - # - # @param privs either a comma-separated list of privileges of a Rights object - - def set_privileges(self, privs): - if isinstance(privs, str): - self.privileges = Rights(string = privs) - else: - self.privileges = privs - - ## - # return the privileges as a Rights object - - def get_privileges(self): - if not self.privileges: - self.decode() - return self.privileges - - ## - # determine whether the credential allows a particular operation to be - # performed - # - # @param op_name string specifying name of operation ("lookup", "update", etc) - - def can_perform(self, op_name): - rights = self.get_privileges() - if not rights: - return False - return rights.can_perform(op_name) - - ## - # Encode the attributes of the credential into a string and store that - # string in the alt-subject-name field of the X509 object. This should be - # done immediately before signing the credential. - - def encode(self): - dict = {"gidCaller": None, - "gidObject": None, - "lifeTime": self.lifeTime, - "privileges": None, - "delegate": self.delegate} - if self.gidCaller: - dict["gidCaller"] = self.gidCaller.save_to_string(save_parents=True) - if self.gidObject: - dict["gidObject"] = self.gidObject.save_to_string(save_parents=True) - if self.privileges: - dict["privileges"] = self.privileges.save_to_string() - str = xmlrpclib.dumps((dict,), allow_none=True) - self.set_data('URI:http://' + str) - - ## - # Retrieve the attributes of the credential from the alt-subject-name field - # of the X509 certificate. This is automatically done by the various - # get_* methods of this class and should not need to be called explicitly. - - def decode(self): - data = self.get_data().lstrip('URI:http://') - - if data: - dict = xmlrpclib.loads(data)[0][0] - else: - dict = {} - - self.lifeTime = dict.get("lifeTime", None) - self.delegate = dict.get("delegate", None) - - privStr = dict.get("privileges", None) - if privStr: - self.privileges = Rights(string = privStr) - else: - self.privileges = None - - gidCallerStr = dict.get("gidCaller", None) - if gidCallerStr: - self.gidCaller = GID(string=gidCallerStr) - else: - self.gidCaller = None - - gidObjectStr = dict.get("gidObject", None) - if gidObjectStr: - self.gidObject = GID(string=gidObjectStr) - else: - self.gidObject = None - - ## - # Verify that a chain of credentials is valid (see cert.py:verify). In - # addition to the checks for ordinary certificates, verification also - # ensures that the delegate bit was set by each parent in the chain. If - # a delegate bit was not set, then an exception is thrown. - # - # Each credential must be a subset of the rights of the parent. - - def verify_chain(self, trusted_certs = None): - # do the normal certificate verification stuff - Certificate.verify_chain(self, trusted_certs) - - if self.parent: - # make sure the parent delegated rights to the child - if not self.parent.get_delegate(): - raise MissingDelegateBit(self.parent.get_subject()) - - # make sure the rights given to the child are a subset of the - # parents rights - if not self.parent.get_privileges().is_superset(self.get_privileges()): - raise ChildRightsNotSubsetOfParent(self.get_subject() - + " " + self.parent.get_privileges().save_to_string() - + " " + self.get_privileges().save_to_string()) - - return - - ## - # Dump the contents of a credential to stdout in human-readable format - # - # @param dump_parents If true, also dump the parent certificates - - def dump(self, *args, **kwargs): - print self.dump_string(*args,**kwargs) - - def dump_string(self, dump_parents=False): - result="" - result += "CREDENTIAL %s\n" % self.get_subject() - - result += " privs: %s\n" % self.get_privileges().save_to_string() - - gidCaller = self.get_gid_caller() - if gidCaller: - result += " gidCaller:\n" - gidCaller.dump(8, dump_parents) - - gidObject = self.get_gid_object() - if gidObject: - result += " gidObject:\n" - result += gidObject.dump_string(8, dump_parents) - - result += " delegate: %s" % self.get_delegate() - - if self.parent and dump_parents: - result += "PARENT\n" - result += self.parent.dump_string(dump_parents) - - return result +#---------------------------------------------------------------------- +# Copyright (c) 2008 Board of Trustees, Princeton University +# +# Permission is hereby granted, free of charge, to any person obtaining +# a copy of this software and/or hardware specification (the "Work") to +# deal in the Work without restriction, including without limitation the +# rights to use, copy, modify, merge, publish, distribute, sublicense, +# and/or sell copies of the Work, and to permit persons to whom the Work +# is furnished to do so, subject to the following conditions: +# +# The above copyright notice and this permission notice shall be +# included in all copies or substantial portions of the Work. +# +# THE WORK IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS +# OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND +# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT +# HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, +# WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +# OUT OF OR IN CONNECTION WITH THE WORK OR THE USE OR OTHER DEALINGS +# IN THE WORK. +#---------------------------------------------------------------------- +## +# Implements SFA Credentials +# +# Credentials are layered on top of certificates, and are essentially a +# certificate that stores a tuple of parameters. +## + + +import xmlrpclib + +from sfa.util.faults import MissingDelegateBit, ChildRightsNotSubsetOfParent +from sfa.trust.certificate import Certificate +from sfa.trust.gid import GID + +## +# Credential is a tuple: +# (GIDCaller, GIDObject, LifeTime, Privileges, Delegate) +# +# These fields are encoded using xmlrpc into the subjectAltName field of the +# x509 certificate. Note: Call encode() once the fields have been filled in +# to perform this encoding. + +class CredentialLegacy(Certificate): + gidCaller = None + gidObject = None + lifeTime = None + privileges = None + delegate = False + + ## + # Create a Credential object + # + # @param create If true, create a blank x509 certificate + # @param subject If subject!=None, create an x509 cert with the subject name + # @param string If string!=None, load the credential from the string + # @param filename If filename!=None, load the credential from the file + + def __init__(self, create=False, subject=None, string=None, filename=None): + Certificate.__init__(self, create, subject, string, filename) + + ## + # set the GID of the caller + # + # @param gid GID object of the caller + + def set_gid_caller(self, gid): + self.gidCaller = gid + # gid origin caller is the caller's gid by default + self.gidOriginCaller = gid + + ## + # get the GID of the object + + def get_gid_caller(self): + if not self.gidCaller: + self.decode() + return self.gidCaller + + ## + # set the GID of the object + # + # @param gid GID object of the object + + def set_gid_object(self, gid): + self.gidObject = gid + + ## + # get the GID of the object + + def get_gid_object(self): + if not self.gidObject: + self.decode() + return self.gidObject + + ## + # set the lifetime of this credential + # + # @param lifetime lifetime of credential + + def set_lifetime(self, lifeTime): + self.lifeTime = lifeTime + + ## + # get the lifetime of the credential + + def get_lifetime(self): + if not self.lifeTime: + self.decode() + return self.lifeTime + + ## + # set the delegate bit + # + # @param delegate boolean (True or False) + + def set_delegate(self, delegate): + self.delegate = delegate + + ## + # get the delegate bit + + def get_delegate(self): + if not self.delegate: + self.decode() + return self.delegate + + ## + # set the privileges + # + # @param privs either a comma-separated list of privileges of a Rights object + + def set_privileges(self, privs): + if isinstance(privs, str): + self.privileges = Rights(string = privs) + else: + self.privileges = privs + + ## + # return the privileges as a Rights object + + def get_privileges(self): + if not self.privileges: + self.decode() + return self.privileges + + ## + # determine whether the credential allows a particular operation to be + # performed + # + # @param op_name string specifying name of operation ("lookup", "update", etc) + + def can_perform(self, op_name): + rights = self.get_privileges() + if not rights: + return False + return rights.can_perform(op_name) + + ## + # Encode the attributes of the credential into a string and store that + # string in the alt-subject-name field of the X509 object. This should be + # done immediately before signing the credential. + + def encode(self): + dict = {"gidCaller": None, + "gidObject": None, + "lifeTime": self.lifeTime, + "privileges": None, + "delegate": self.delegate} + if self.gidCaller: + dict["gidCaller"] = self.gidCaller.save_to_string(save_parents=True) + if self.gidObject: + dict["gidObject"] = self.gidObject.save_to_string(save_parents=True) + if self.privileges: + dict["privileges"] = self.privileges.save_to_string() + str = xmlrpclib.dumps((dict,), allow_none=True) + self.set_data('URI:http://' + str) + + ## + # Retrieve the attributes of the credential from the alt-subject-name field + # of the X509 certificate. This is automatically done by the various + # get_* methods of this class and should not need to be called explicitly. + + def decode(self): + data = self.get_data().lstrip('URI:http://') + + if data: + dict = xmlrpclib.loads(data)[0][0] + else: + dict = {} + + self.lifeTime = dict.get("lifeTime", None) + self.delegate = dict.get("delegate", None) + + privStr = dict.get("privileges", None) + if privStr: + self.privileges = Rights(string = privStr) + else: + self.privileges = None + + gidCallerStr = dict.get("gidCaller", None) + if gidCallerStr: + self.gidCaller = GID(string=gidCallerStr) + else: + self.gidCaller = None + + gidObjectStr = dict.get("gidObject", None) + if gidObjectStr: + self.gidObject = GID(string=gidObjectStr) + else: + self.gidObject = None + + ## + # Verify that a chain of credentials is valid (see cert.py:verify). In + # addition to the checks for ordinary certificates, verification also + # ensures that the delegate bit was set by each parent in the chain. If + # a delegate bit was not set, then an exception is thrown. + # + # Each credential must be a subset of the rights of the parent. + + def verify_chain(self, trusted_certs = None): + # do the normal certificate verification stuff + Certificate.verify_chain(self, trusted_certs) + + if self.parent: + # make sure the parent delegated rights to the child + if not self.parent.get_delegate(): + raise MissingDelegateBit(self.parent.get_subject()) + + # make sure the rights given to the child are a subset of the + # parents rights + if not self.parent.get_privileges().is_superset(self.get_privileges()): + raise ChildRightsNotSubsetOfParent(self.get_subject() + + " " + self.parent.get_privileges().save_to_string() + + " " + self.get_privileges().save_to_string()) + + return + + ## + # Dump the contents of a credential to stdout in human-readable format + # + # @param dump_parents If true, also dump the parent certificates + + def dump(self, *args, **kwargs): + print self.dump_string(*args,**kwargs) + + def dump_string(self, dump_parents=False): + result="" + result += "CREDENTIAL %s\n" % self.get_subject() + + result += " privs: %s\n" % self.get_privileges().save_to_string() + + gidCaller = self.get_gid_caller() + if gidCaller: + result += " gidCaller:\n" + gidCaller.dump(8, dump_parents) + + gidObject = self.get_gid_object() + if gidObject: + result += " gidObject:\n" + result += gidObject.dump_string(8, dump_parents) + + result += " delegate: %s" % self.get_delegate() + + if self.parent and dump_parents: + result += "PARENT\n" + result += self.parent.dump_string(dump_parents) + + return result diff --git a/sfa/trust/gid.py b/sfa/trust/gid.py index 2653cf02..4f482707 100644 --- a/sfa/trust/gid.py +++ b/sfa/trust/gid.py @@ -1,258 +1,258 @@ -#---------------------------------------------------------------------- -# Copyright (c) 2008 Board of Trustees, Princeton University -# -# Permission is hereby granted, free of charge, to any person obtaining -# a copy of this software and/or hardware specification (the "Work") to -# deal in the Work without restriction, including without limitation the -# rights to use, copy, modify, merge, publish, distribute, sublicense, -# and/or sell copies of the Work, and to permit persons to whom the Work -# is furnished to do so, subject to the following conditions: -# -# The above copyright notice and this permission notice shall be -# included in all copies or substantial portions of the Work. -# -# THE WORK IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS -# OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF -# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND -# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT -# HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, -# WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -# OUT OF OR IN CONNECTION WITH THE WORK OR THE USE OR OTHER DEALINGS -# IN THE WORK. -#---------------------------------------------------------------------- -## -# Implements SFA GID. GIDs are based on certificates, and the GID class is a -# descendant of the certificate class. -## - -import xmlrpclib -import uuid - -from sfa.trust.certificate import Certificate - -from sfa.util.faults import GidInvalidParentHrn, GidParentHrn -from sfa.util.sfalogging import logger -from sfa.util.xrn import hrn_to_urn, urn_to_hrn, hrn_authfor_hrn - -## -# Create a new uuid. Returns the UUID as a string. - -def create_uuid(): - return str(uuid.uuid4().int) - -## -# GID is a tuple: -# (uuid, urn, public_key) -# -# UUID is a unique identifier and is created by the python uuid module -# (or the utility function create_uuid() in gid.py). -# -# HRN is a human readable name. It is a dotted form similar to a backward domain -# name. For example, planetlab.us.arizona.bakers. -# -# URN is a human readable identifier of form: -# "urn:publicid:IDN+toplevelauthority[:sub-auth.]*[\res. type]\ +object name" -# For example, urn:publicid:IDN+planetlab:us:arizona+user+bakers -# -# PUBLIC_KEY is the public key of the principal identified by the UUID/HRN. -# It is a Keypair object as defined in the cert.py module. -# -# It is expected that there is a one-to-one pairing between UUIDs and HRN, -# but it is uncertain how this would be inforced or if it needs to be enforced. -# -# These fields are encoded using xmlrpc into the subjectAltName field of the -# x509 certificate. Note: Call encode() once the fields have been filled in -# to perform this encoding. - - -class GID(Certificate): - uuid = None - hrn = None - urn = None - email = None # for adding to the SubjectAltName - - ## - # Create a new GID object - # - # @param create If true, create the X509 certificate - # @param subject If subject!=None, create the X509 cert and set the subject name - # @param string If string!=None, load the GID from a string - # @param filename If filename!=None, load the GID from a file - # @param lifeDays life of GID in days - default is 1825==5 years - - def __init__(self, create=False, subject=None, string=None, filename=None, uuid=None, hrn=None, urn=None, lifeDays=1825): - - Certificate.__init__(self, lifeDays, create, subject, string, filename) - if subject: - logger.debug("Creating GID for subject: %s" % subject) - if uuid: - self.uuid = int(uuid) - if hrn: - self.hrn = hrn - self.urn = hrn_to_urn(hrn, 'unknown') - if urn: - self.urn = urn - self.hrn, type = urn_to_hrn(urn) - - def set_uuid(self, uuid): - if isinstance(uuid, str): - self.uuid = int(uuid) - else: - self.uuid = uuid - - def get_uuid(self): - if not self.uuid: - self.decode() - return self.uuid - - def set_hrn(self, hrn): - self.hrn = hrn - - def get_hrn(self): - if not self.hrn: - self.decode() - return self.hrn - - def set_urn(self, urn): - self.urn = urn - self.hrn, type = urn_to_hrn(urn) - - def get_urn(self): - if not self.urn: - self.decode() - return self.urn - - # Will be stuffed into subjectAltName - def set_email(self, email): - self.email = email - - def get_email(self): - if not self.email: - self.decode() - return self.email - - def get_type(self): - if not self.urn: - self.decode() - _, t = urn_to_hrn(self.urn) - return t - - ## - # Encode the GID fields and package them into the subject-alt-name field - # of the X509 certificate. This must be called prior to signing the - # certificate. It may only be called once per certificate. - - def encode(self): - if self.urn: - urn = self.urn - else: - urn = hrn_to_urn(self.hrn, None) - - str = "URI:" + urn - - if self.uuid: - str += ", " + "URI:" + uuid.UUID(int=self.uuid).urn - - if self.email: - str += ", " + "email:" + self.email - - self.set_data(str, 'subjectAltName') - - - ## - # Decode the subject-alt-name field of the X509 certificate into the - # fields of the GID. This is automatically called by the various get_*() - # functions in this class. - - def decode(self): - data = self.get_data('subjectAltName') - dict = {} - if data: - if data.lower().startswith('uri:http://'): - dict = xmlrpclib.loads(data[11:])[0][0] - else: - spl = data.split(', ') - for val in spl: - if val.lower().startswith('uri:urn:uuid:'): - dict['uuid'] = uuid.UUID(val[4:]).int - elif val.lower().startswith('uri:urn:publicid:idn+'): - dict['urn'] = val[4:] - elif val.lower().startswith('email:'): - # FIXME: Ensure there isn't cruft in that address... - # EG look for email:copy,.... - dict['email'] = val[6:] - - self.uuid = dict.get("uuid", None) - self.urn = dict.get("urn", None) - self.hrn = dict.get("hrn", None) - self.email = dict.get("email", None) - if self.urn: - self.hrn = urn_to_hrn(self.urn)[0] - - ## - # Dump the credential to stdout. - # - # @param indent specifies a number of spaces to indent the output - # @param dump_parents If true, also dump the parents of the GID - - def dump(self, *args, **kwargs): - print self.dump_string(*args,**kwargs) - - def dump_string(self, indent=0, dump_parents=False): - result=" "*(indent-2) + "GID\n" - result += " "*indent + "hrn:" + str(self.get_hrn()) +"\n" - result += " "*indent + "urn:" + str(self.get_urn()) +"\n" - result += " "*indent + "uuid:" + str(self.get_uuid()) + "\n" - if self.get_email() is not None: - result += " "*indent + "email:" + str(self.get_email()) + "\n" - filename=self.get_filename() - if filename: result += "Filename %s\n"%filename - - if self.parent and dump_parents: - result += " "*indent + "parent:\n" - result += self.parent.dump_string(indent+4, dump_parents) - return result - - ## - # Verify the chain of authenticity of the GID. First perform the checks - # of the certificate class (verifying that each parent signs the child, - # etc). In addition, GIDs also confirm that the parent's HRN is a prefix - # of the child's HRN, and the parent is of type 'authority'. - # - # Verifying these prefixes prevents a rogue authority from signing a GID - # for a principal that is not a member of that authority. For example, - # planetlab.us.arizona cannot sign a GID for planetlab.us.princeton.foo. - - def verify_chain(self, trusted_certs = None): - # do the normal certificate verification stuff - trusted_root = Certificate.verify_chain(self, trusted_certs) - - if self.parent: - # make sure the parent's hrn is a prefix of the child's hrn - if not hrn_authfor_hrn(self.parent.get_hrn(), self.get_hrn()): - raise GidParentHrn("This cert HRN %s isn't in the namespace for parent HRN %s" % (self.get_hrn(), self.parent.get_hrn())) - - # Parent must also be an authority (of some type) to sign a GID - # There are multiple types of authority - accept them all here - if not self.parent.get_type().find('authority') == 0: - raise GidInvalidParentHrn("This cert %s's parent %s is not an authority (is a %s)" % (self.get_hrn(), self.parent.get_hrn(), self.parent.get_type())) - - # Then recurse up the chain - ensure the parent is a trusted - # root or is in the namespace of a trusted root - self.parent.verify_chain(trusted_certs) - else: - # make sure that the trusted root's hrn is a prefix of the child's - trusted_gid = GID(string=trusted_root.save_to_string()) - trusted_type = trusted_gid.get_type() - trusted_hrn = trusted_gid.get_hrn() - #if trusted_type == 'authority': - # trusted_hrn = trusted_hrn[:trusted_hrn.rindex('.')] - cur_hrn = self.get_hrn() - if not hrn_authfor_hrn(trusted_hrn, cur_hrn): - raise GidParentHrn("Trusted root with HRN %s isn't a namespace authority for this cert: %s" % (trusted_hrn, cur_hrn)) - - # There are multiple types of authority - accept them all here - if not trusted_type.find('authority') == 0: - raise GidInvalidParentHrn("This cert %s's trusted root signer %s is not an authority (is a %s)" % (self.get_hrn(), trusted_hrn, trusted_type)) - - return +#---------------------------------------------------------------------- +# Copyright (c) 2008 Board of Trustees, Princeton University +# +# Permission is hereby granted, free of charge, to any person obtaining +# a copy of this software and/or hardware specification (the "Work") to +# deal in the Work without restriction, including without limitation the +# rights to use, copy, modify, merge, publish, distribute, sublicense, +# and/or sell copies of the Work, and to permit persons to whom the Work +# is furnished to do so, subject to the following conditions: +# +# The above copyright notice and this permission notice shall be +# included in all copies or substantial portions of the Work. +# +# THE WORK IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS +# OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND +# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT +# HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, +# WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +# OUT OF OR IN CONNECTION WITH THE WORK OR THE USE OR OTHER DEALINGS +# IN THE WORK. +#---------------------------------------------------------------------- +## +# Implements SFA GID. GIDs are based on certificates, and the GID class is a +# descendant of the certificate class. +## + +import xmlrpclib +import uuid + +from sfa.trust.certificate import Certificate + +from sfa.util.faults import GidInvalidParentHrn, GidParentHrn +from sfa.util.sfalogging import logger +from sfa.util.xrn import hrn_to_urn, urn_to_hrn, hrn_authfor_hrn + +## +# Create a new uuid. Returns the UUID as a string. + +def create_uuid(): + return str(uuid.uuid4().int) + +## +# GID is a tuple: +# (uuid, urn, public_key) +# +# UUID is a unique identifier and is created by the python uuid module +# (or the utility function create_uuid() in gid.py). +# +# HRN is a human readable name. It is a dotted form similar to a backward domain +# name. For example, planetlab.us.arizona.bakers. +# +# URN is a human readable identifier of form: +# "urn:publicid:IDN+toplevelauthority[:sub-auth.]*[\res. type]\ +object name" +# For example, urn:publicid:IDN+planetlab:us:arizona+user+bakers +# +# PUBLIC_KEY is the public key of the principal identified by the UUID/HRN. +# It is a Keypair object as defined in the cert.py module. +# +# It is expected that there is a one-to-one pairing between UUIDs and HRN, +# but it is uncertain how this would be inforced or if it needs to be enforced. +# +# These fields are encoded using xmlrpc into the subjectAltName field of the +# x509 certificate. Note: Call encode() once the fields have been filled in +# to perform this encoding. + + +class GID(Certificate): + uuid = None + hrn = None + urn = None + email = None # for adding to the SubjectAltName + + ## + # Create a new GID object + # + # @param create If true, create the X509 certificate + # @param subject If subject!=None, create the X509 cert and set the subject name + # @param string If string!=None, load the GID from a string + # @param filename If filename!=None, load the GID from a file + # @param lifeDays life of GID in days - default is 1825==5 years + + def __init__(self, create=False, subject=None, string=None, filename=None, uuid=None, hrn=None, urn=None, lifeDays=1825): + + Certificate.__init__(self, lifeDays, create, subject, string, filename) + if subject: + logger.debug("Creating GID for subject: %s" % subject) + if uuid: + self.uuid = int(uuid) + if hrn: + self.hrn = hrn + self.urn = hrn_to_urn(hrn, 'unknown') + if urn: + self.urn = urn + self.hrn, type = urn_to_hrn(urn) + + def set_uuid(self, uuid): + if isinstance(uuid, str): + self.uuid = int(uuid) + else: + self.uuid = uuid + + def get_uuid(self): + if not self.uuid: + self.decode() + return self.uuid + + def set_hrn(self, hrn): + self.hrn = hrn + + def get_hrn(self): + if not self.hrn: + self.decode() + return self.hrn + + def set_urn(self, urn): + self.urn = urn + self.hrn, type = urn_to_hrn(urn) + + def get_urn(self): + if not self.urn: + self.decode() + return self.urn + + # Will be stuffed into subjectAltName + def set_email(self, email): + self.email = email + + def get_email(self): + if not self.email: + self.decode() + return self.email + + def get_type(self): + if not self.urn: + self.decode() + _, t = urn_to_hrn(self.urn) + return t + + ## + # Encode the GID fields and package them into the subject-alt-name field + # of the X509 certificate. This must be called prior to signing the + # certificate. It may only be called once per certificate. + + def encode(self): + if self.urn: + urn = self.urn + else: + urn = hrn_to_urn(self.hrn, None) + + str = "URI:" + urn + + if self.uuid: + str += ", " + "URI:" + uuid.UUID(int=self.uuid).urn + + if self.email: + str += ", " + "email:" + self.email + + self.set_data(str, 'subjectAltName') + + + ## + # Decode the subject-alt-name field of the X509 certificate into the + # fields of the GID. This is automatically called by the various get_*() + # functions in this class. + + def decode(self): + data = self.get_data('subjectAltName') + dict = {} + if data: + if data.lower().startswith('uri:http://'): + dict = xmlrpclib.loads(data[11:])[0][0] + else: + spl = data.split(', ') + for val in spl: + if val.lower().startswith('uri:urn:uuid:'): + dict['uuid'] = uuid.UUID(val[4:]).int + elif val.lower().startswith('uri:urn:publicid:idn+'): + dict['urn'] = val[4:] + elif val.lower().startswith('email:'): + # FIXME: Ensure there isn't cruft in that address... + # EG look for email:copy,.... + dict['email'] = val[6:] + + self.uuid = dict.get("uuid", None) + self.urn = dict.get("urn", None) + self.hrn = dict.get("hrn", None) + self.email = dict.get("email", None) + if self.urn: + self.hrn = urn_to_hrn(self.urn)[0] + + ## + # Dump the credential to stdout. + # + # @param indent specifies a number of spaces to indent the output + # @param dump_parents If true, also dump the parents of the GID + + def dump(self, *args, **kwargs): + print self.dump_string(*args,**kwargs) + + def dump_string(self, indent=0, dump_parents=False): + result=" "*(indent-2) + "GID\n" + result += " "*indent + "hrn:" + str(self.get_hrn()) +"\n" + result += " "*indent + "urn:" + str(self.get_urn()) +"\n" + result += " "*indent + "uuid:" + str(self.get_uuid()) + "\n" + if self.get_email() is not None: + result += " "*indent + "email:" + str(self.get_email()) + "\n" + filename=self.get_filename() + if filename: result += "Filename %s\n"%filename + + if self.parent and dump_parents: + result += " "*indent + "parent:\n" + result += self.parent.dump_string(indent+4, dump_parents) + return result + + ## + # Verify the chain of authenticity of the GID. First perform the checks + # of the certificate class (verifying that each parent signs the child, + # etc). In addition, GIDs also confirm that the parent's HRN is a prefix + # of the child's HRN, and the parent is of type 'authority'. + # + # Verifying these prefixes prevents a rogue authority from signing a GID + # for a principal that is not a member of that authority. For example, + # planetlab.us.arizona cannot sign a GID for planetlab.us.princeton.foo. + + def verify_chain(self, trusted_certs = None): + # do the normal certificate verification stuff + trusted_root = Certificate.verify_chain(self, trusted_certs) + + if self.parent: + # make sure the parent's hrn is a prefix of the child's hrn + if not hrn_authfor_hrn(self.parent.get_hrn(), self.get_hrn()): + raise GidParentHrn("This cert HRN %s isn't in the namespace for parent HRN %s" % (self.get_hrn(), self.parent.get_hrn())) + + # Parent must also be an authority (of some type) to sign a GID + # There are multiple types of authority - accept them all here + if not self.parent.get_type().find('authority') == 0: + raise GidInvalidParentHrn("This cert %s's parent %s is not an authority (is a %s)" % (self.get_hrn(), self.parent.get_hrn(), self.parent.get_type())) + + # Then recurse up the chain - ensure the parent is a trusted + # root or is in the namespace of a trusted root + self.parent.verify_chain(trusted_certs) + else: + # make sure that the trusted root's hrn is a prefix of the child's + trusted_gid = GID(string=trusted_root.save_to_string()) + trusted_type = trusted_gid.get_type() + trusted_hrn = trusted_gid.get_hrn() + #if trusted_type == 'authority': + # trusted_hrn = trusted_hrn[:trusted_hrn.rindex('.')] + cur_hrn = self.get_hrn() + if not hrn_authfor_hrn(trusted_hrn, cur_hrn): + raise GidParentHrn("Trusted root with HRN %s isn't a namespace authority for this cert: %s" % (trusted_hrn, cur_hrn)) + + # There are multiple types of authority - accept them all here + if not trusted_type.find('authority') == 0: + raise GidInvalidParentHrn("This cert %s's trusted root signer %s is not an authority (is a %s)" % (self.get_hrn(), trusted_hrn, trusted_type)) + + return diff --git a/sfa/util/enumeration.py b/sfa/util/enumeration.py index bea2ce98..b65508f8 100644 --- a/sfa/util/enumeration.py +++ b/sfa/util/enumeration.py @@ -1,35 +1,35 @@ -#---------------------------------------------------------------------- -# Copyright (c) 2008 Board of Trustees, Princeton University -# -# Permission is hereby granted, free of charge, to any person obtaining -# a copy of this software and/or hardware specification (the "Work") to -# deal in the Work without restriction, including without limitation the -# rights to use, copy, modify, merge, publish, distribute, sublicense, -# and/or sell copies of the Work, and to permit persons to whom the Work -# is furnished to do so, subject to the following conditions: -# -# The above copyright notice and this permission notice shall be -# included in all copies or substantial portions of the Work. -# -# THE WORK IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS -# OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF -# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND -# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT -# HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, -# WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -# OUT OF OR IN CONNECTION WITH THE WORK OR THE USE OR OTHER DEALINGS -# IN THE WORK. -#---------------------------------------------------------------------- - -class Enum(set): - def __init__(self, *args, **kwds): - set.__init__(self) - enums = dict(zip(args, [object() for i in range(len(args))]), **kwds) - for (key, value) in enums.items(): - setattr(self, key, value) - self.add(eval('self.%s' % key)) - - -#def Enum2(*args, **kwds): -# enums = dict(zip(sequential, range(len(sequential))), **named) -# return type('Enum', (), enums) +#---------------------------------------------------------------------- +# Copyright (c) 2008 Board of Trustees, Princeton University +# +# Permission is hereby granted, free of charge, to any person obtaining +# a copy of this software and/or hardware specification (the "Work") to +# deal in the Work without restriction, including without limitation the +# rights to use, copy, modify, merge, publish, distribute, sublicense, +# and/or sell copies of the Work, and to permit persons to whom the Work +# is furnished to do so, subject to the following conditions: +# +# The above copyright notice and this permission notice shall be +# included in all copies or substantial portions of the Work. +# +# THE WORK IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS +# OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND +# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT +# HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, +# WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +# OUT OF OR IN CONNECTION WITH THE WORK OR THE USE OR OTHER DEALINGS +# IN THE WORK. +#---------------------------------------------------------------------- + +class Enum(set): + def __init__(self, *args, **kwds): + set.__init__(self) + enums = dict(zip(args, [object() for i in range(len(args))]), **kwds) + for (key, value) in enums.items(): + setattr(self, key, value) + self.add(eval('self.%s' % key)) + + +#def Enum2(*args, **kwds): +# enums = dict(zip(sequential, range(len(sequential))), **named) +# return type('Enum', (), enums) diff --git a/sfa/util/faults.py b/sfa/util/faults.py index 848d8182..1dd8131b 100644 --- a/sfa/util/faults.py +++ b/sfa/util/faults.py @@ -1,332 +1,332 @@ -#---------------------------------------------------------------------- -# Copyright (c) 2008 Board of Trustees, Princeton University -# -# Permission is hereby granted, free of charge, to any person obtaining -# a copy of this software and/or hardware specification (the "Work") to -# deal in the Work without restriction, including without limitation the -# rights to use, copy, modify, merge, publish, distribute, sublicense, -# and/or sell copies of the Work, and to permit persons to whom the Work -# is furnished to do so, subject to the following conditions: -# -# The above copyright notice and this permission notice shall be -# included in all copies or substantial portions of the Work. -# -# THE WORK IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS -# OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF -# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND -# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT -# HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, -# WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -# OUT OF OR IN CONNECTION WITH THE WORK OR THE USE OR OTHER DEALINGS -# IN THE WORK. -#---------------------------------------------------------------------- -# -# SFA API faults -# - -import xmlrpclib -from sfa.util.genicode import GENICODE - -class SfaFault(xmlrpclib.Fault): - def __init__(self, faultCode, faultString, extra = None): - if extra: - faultString += ": " + str(extra) - xmlrpclib.Fault.__init__(self, faultCode, faultString) - -class SfaInvalidAPIMethod(SfaFault): - def __init__(self, method, interface = None, extra = None): - faultString = "Invalid method " + method - if interface: - faultString += " for interface " + interface - SfaFault.__init__(self, GENICODE.UNSUPPORTED, faultString, extra) - -class SfaInvalidArgumentCount(SfaFault): - def __init__(self, got, min, max = min, extra = None): - if min != max: - expected = "%d-%d" % (min, max) - else: - expected = "%d" % min - faultString = "Expected %s arguments, got %d" % \ - (expected, got) - SfaFault.__init__(self, GENICODE.BADARGS, faultString, extra) - -class SfaInvalidArgument(SfaFault): - def __init__(self, extra = None, name = None): - if name is not None: - faultString = "Invalid %s value" % name - else: - faultString = "Invalid argument" - SfaFault.__init__(self, GENICODE.BADARGS, faultString, extra) - -class SfaAuthenticationFailure(SfaFault): - def __init__(self, extra = None): - faultString = "Failed to authenticate call" - SfaFault.__init__(self, GENICODE.ERROR, faultString, extra) - -class SfaDBError(SfaFault): - def __init__(self, extra = None): - faultString = "Database error" - SfaFault.__init__(self, GENICODE.DBERROR, faultString, extra) - -class SfaPermissionDenied(SfaFault): - def __init__(self, extra = None): - faultString = "Permission denied" - SfaFault.__init__(self, GENICODE.FORBIDDEN, faultString, extra) - -class SfaNotImplemented(SfaFault): - def __init__(self, interface=None, extra = None): - faultString = "Not implemented" - if interface: - faultString += " at interface " + interface - SfaFault.__init__(self, GENICODE.UNSUPPORTED, faultString, extra) - -class SfaAPIError(SfaFault): - def __init__(self, extra = None): - faultString = "Internal API error" - SfaFault.__init__(self, GENICODE.SERVERERROR, faultString, extra) - -class MalformedHrnException(SfaFault): - def __init__(self, value, extra = None): - self.value = value - faultString = "Malformed HRN: %(value)s" % locals() - SfaFault.__init__(self, GENICODE.ERROR, extra) - def __str__(self): - return repr(self.value) - -class TreeException(SfaFault): - def __init__(self, value, extra = None): - self.value = value - faultString = "Tree Exception: %(value)s, " % locals() - SfaFault.__init__(self, GENICODE.ERROR, faultString, extra) - def __str__(self): - return repr(self.value) - -class NonExistingRecord(SfaFault): - def __init__(self, value, extra = None): - self.value = value - faultString = "Non exsiting record %(value)s, " % locals() - SfaFault.__init__(self, GENICODE.SEARCHFAILED, faultString, extra) - def __str__(self): - return repr(self.value) - -class ExistingRecord(SfaFault): - def __init__(self, value, extra = None): - self.value = value - faultString = "Existing record: %(value)s, " % locals() - SfaFault.__init__(self, GENICODE.REFUSED, faultString, extra) - def __str__(self): - return repr(self.value) - - -class InvalidRPCParams(SfaFault): - def __init__(self, value, extra = None): - self.value = value - faultString = "Invalid RPC Params: %(value)s, " % locals() - SfaFault.__init__(self, GENICODE.RPCERROR, faultString, extra) - def __str__(self): - return repr(self.value) - -# SMBAKER exceptions follow - -class ConnectionKeyGIDMismatch(SfaFault): - def __init__(self, value, extra = None): - self.value = value - faultString = "Connection Key GID mismatch: %(value)s" % locals() - SfaFault.__init__(self, GENICODE.ERROR, faultString, extra) - def __str__(self): - return repr(self.value) - -class MissingCallerGID(SfaFault): - def __init__(self, value, extra = None): - self.value = value - faultString = "Missing Caller GID: %(value)s" % locals() - SfaFault.__init__(self, GENICODE.ERROR, faultString, extra) - def __str__(self): - return repr(self.value) - -class RecordNotFound(SfaFault): - def __init__(self, value, extra = None): - self.value = value - faultString = "Record not found: %(value)s" % locals() - SfaFault.__init__(self, GENICODE.ERROR, faultString, extra) - def __str__(self): - return repr(self.value) - -class UnknownSfaType(SfaFault): - def __init__(self, value, extra = None): - self.value = value - faultString = "Unknown SFA Type: %(value)s" % locals() - SfaFault.__init__(self, GENICODE.ERROR, faultString, extra) - def __str__(self): - return repr(self.value) - -class MissingAuthority(SfaFault): - def __init__(self, value, extra = None): - self.value = value - faultString = "Missing authority: %(value)s" % locals() - SfaFault.__init__(self, GENICODE.ERROR, faultString, extra) - def __str__(self): - return repr(self.value) - -class PlanetLabRecordDoesNotExist(SfaFault): - def __init__(self, value, extra = None): - self.value = value - faultString = "PlanetLab record does not exist : %(value)s" % locals() - SfaFault.__init__(self, GENICODE.ERROR, faultString, extra) - def __str__(self): - return repr(self.value) - -class PermissionError(SfaFault): - def __init__(self, value, extra = None): - self.value = value - faultString = "Permission error: %(value)s" % locals() - SfaFault.__init__(self, GENICODE.FORBIDDEN, faultString, extra) - def __str__(self): - return repr(self.value) - -class InsufficientRights(SfaFault): - def __init__(self, value, extra = None): - self.value = value - faultString = "Insufficient rights: %(value)s" % locals() - SfaFault.__init__(self, GENICODE.FORBIDDEN, faultString, extra) - def __str__(self): - return repr(self.value) - -class MissingDelegateBit(SfaFault): - def __init__(self, value, extra = None): - self.value = value - faultString = "Missing delegate bit: %(value)s" % locals() - SfaFault.__init__(self, GENICODE.FORBIDDEN, faultString, extra) - def __str__(self): - return repr(self.value) - -class ChildRightsNotSubsetOfParent(SfaFault): - def __init__(self, value, extra = None): - self.value = value - faultString = "Child rights not subset of parent: %(value)s" % locals() - SfaFault.__init__(self, GENICODE.FORBIDDEN, faultString, extra) - def __str__(self): - return repr(self.value) - -class CertMissingParent(SfaFault): - def __init__(self, value, extra = None): - self.value = value - faultString = "Cert missing parent: %(value)s" % locals() - SfaFault.__init__(self, GENICODE.ERROR, faultString, extra) - def __str__(self): - return repr(self.value) - -class CertNotSignedByParent(SfaFault): - def __init__(self, value, extra = None): - self.value = value - faultString = "Cert not signed by parent: %(value)s" % locals() - SfaFault.__init__(self, GENICODE.ERROR, faultString, extra) - def __str__(self): - return repr(self.value) - -class GidParentHrn(SfaFault): - def __init__(self, value, extra = None): - self.value = value - faultString = "Cert URN is not an extension of its parent: %(value)s" % locals() - SfaFault.__init__(self, GENICODE.ERROR, faultString, extra) - def __str__(self): - return repr(self.value) - -class GidInvalidParentHrn(SfaFault): - def __init__(self, value, extra = None): - self.value = value - faultString = "GID invalid parent hrn: %(value)s" % locals() - SfaFault.__init__(self, GENICODE.ERROR, faultString, extra) - def __str__(self): - return repr(self.value) - -class SliverDoesNotExist(SfaFault): - def __init__(self, value, extra = None): - self.value = value - faultString = "Sliver does not exist : %(value)s" % locals() - SfaFault.__init__(self, GENICODE.ERROR, faultString, extra) - def __str__(self): - return repr(self.value) - -class BadRequestHash(xmlrpclib.Fault): - def __init__(self, hash = None, extra = None): - faultString = "bad request hash: " + str(hash) - xmlrpclib.Fault.__init__(self, GENICODE.ERROR, faultString) - -class MissingTrustedRoots(SfaFault): - def __init__(self, value, extra = None): - self.value = value - faultString = "Trusted root directory does not exist: %(value)s" % locals() - SfaFault.__init__(self, GENICODE.SERVERERROR, faultString, extra) - def __str__(self): - return repr(self.value) - -class MissingSfaInfo(SfaFault): - def __init__(self, value, extra = None): - self.value = value - faultString = "Missing information: %(value)s" % locals() - SfaFault.__init__(self, GENICODE.ERROR, faultString, extra) - def __str__(self): - return repr(self.value) - -class InvalidRSpec(SfaFault): - def __init__(self, value, extra = None): - self.value = value - faultString = "Invalid RSpec: %(value)s" % locals() - SfaFault.__init__(self, GENICODE.ERROR, faultString, extra) - def __str__(self): - return repr(self.value) - -class InvalidRSpecVersion(SfaFault): - def __init__(self, value, extra = None): - self.value = value - faultString = "Invalid RSpec version: %(value)s" % locals() - SfaFault.__init__(self, GENICODE.BADVERSION, faultString, extra) - def __str__(self): - return repr(self.value) - -class UnsupportedRSpecVersion(SfaFault): - def __init__(self, value, extra = None): - self.value = value - faultString = "Unsupported RSpec version: %(value)s" % locals() - SfaFault.__init__(self, GENICODE.UNSUPPORTED, faultString, extra) - def __str__(self): - return repr(self.value) - -class InvalidRSpecElement(SfaFault): - def __init__(self, value, extra = None): - self.value = value - faultString = "Invalid RSpec Element: %(value)s" % locals() - SfaFault.__init__(self, GENICODE.ERROR, faultString, extra) - def __str__(self): - return repr(self.value) - -class InvalidXML(SfaFault): - def __init__(self, value, extra = None): - self.value = value - faultString = "Invalid XML Document: %(value)s" % locals() - SfaFault.__init__(self, GENICODE.ERROR, faultString, extra) - def __str__(self): - return repr(self.value) - -class AccountNotEnabled(SfaFault): - def __init__(self, extra = None): - faultString = "Account Disabled" - SfaFault.__init__(self, GENICODE.ERROR, faultString, extra) - def __str__(self): - return repr(self.value) - -class CredentialNotVerifiable(SfaFault): - def __init__(self, value, extra = None): - self.value = value - faultString = "Unable to verify credential: %(value)s, " %locals() - SfaFault.__init__(self, GENICODE.ERROR, faultString, extra) - def __str__(self): - return repr(self.value) - -class CertExpired(SfaFault): - def __init__(self, value, extra=None): - self.value = value - faultString = "%s cert is expired" % value - SfaFault.__init__(self, GENICODE.ERROR, faultString, extra) - +#---------------------------------------------------------------------- +# Copyright (c) 2008 Board of Trustees, Princeton University +# +# Permission is hereby granted, free of charge, to any person obtaining +# a copy of this software and/or hardware specification (the "Work") to +# deal in the Work without restriction, including without limitation the +# rights to use, copy, modify, merge, publish, distribute, sublicense, +# and/or sell copies of the Work, and to permit persons to whom the Work +# is furnished to do so, subject to the following conditions: +# +# The above copyright notice and this permission notice shall be +# included in all copies or substantial portions of the Work. +# +# THE WORK IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS +# OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND +# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT +# HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, +# WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +# OUT OF OR IN CONNECTION WITH THE WORK OR THE USE OR OTHER DEALINGS +# IN THE WORK. +#---------------------------------------------------------------------- +# +# SFA API faults +# + +import xmlrpclib +from sfa.util.genicode import GENICODE + +class SfaFault(xmlrpclib.Fault): + def __init__(self, faultCode, faultString, extra = None): + if extra: + faultString += ": " + str(extra) + xmlrpclib.Fault.__init__(self, faultCode, faultString) + +class SfaInvalidAPIMethod(SfaFault): + def __init__(self, method, interface = None, extra = None): + faultString = "Invalid method " + method + if interface: + faultString += " for interface " + interface + SfaFault.__init__(self, GENICODE.UNSUPPORTED, faultString, extra) + +class SfaInvalidArgumentCount(SfaFault): + def __init__(self, got, min, max = min, extra = None): + if min != max: + expected = "%d-%d" % (min, max) + else: + expected = "%d" % min + faultString = "Expected %s arguments, got %d" % \ + (expected, got) + SfaFault.__init__(self, GENICODE.BADARGS, faultString, extra) + +class SfaInvalidArgument(SfaFault): + def __init__(self, extra = None, name = None): + if name is not None: + faultString = "Invalid %s value" % name + else: + faultString = "Invalid argument" + SfaFault.__init__(self, GENICODE.BADARGS, faultString, extra) + +class SfaAuthenticationFailure(SfaFault): + def __init__(self, extra = None): + faultString = "Failed to authenticate call" + SfaFault.__init__(self, GENICODE.ERROR, faultString, extra) + +class SfaDBError(SfaFault): + def __init__(self, extra = None): + faultString = "Database error" + SfaFault.__init__(self, GENICODE.DBERROR, faultString, extra) + +class SfaPermissionDenied(SfaFault): + def __init__(self, extra = None): + faultString = "Permission denied" + SfaFault.__init__(self, GENICODE.FORBIDDEN, faultString, extra) + +class SfaNotImplemented(SfaFault): + def __init__(self, interface=None, extra = None): + faultString = "Not implemented" + if interface: + faultString += " at interface " + interface + SfaFault.__init__(self, GENICODE.UNSUPPORTED, faultString, extra) + +class SfaAPIError(SfaFault): + def __init__(self, extra = None): + faultString = "Internal API error" + SfaFault.__init__(self, GENICODE.SERVERERROR, faultString, extra) + +class MalformedHrnException(SfaFault): + def __init__(self, value, extra = None): + self.value = value + faultString = "Malformed HRN: %(value)s" % locals() + SfaFault.__init__(self, GENICODE.ERROR, extra) + def __str__(self): + return repr(self.value) + +class TreeException(SfaFault): + def __init__(self, value, extra = None): + self.value = value + faultString = "Tree Exception: %(value)s, " % locals() + SfaFault.__init__(self, GENICODE.ERROR, faultString, extra) + def __str__(self): + return repr(self.value) + +class NonExistingRecord(SfaFault): + def __init__(self, value, extra = None): + self.value = value + faultString = "Non exsiting record %(value)s, " % locals() + SfaFault.__init__(self, GENICODE.SEARCHFAILED, faultString, extra) + def __str__(self): + return repr(self.value) + +class ExistingRecord(SfaFault): + def __init__(self, value, extra = None): + self.value = value + faultString = "Existing record: %(value)s, " % locals() + SfaFault.__init__(self, GENICODE.REFUSED, faultString, extra) + def __str__(self): + return repr(self.value) + + +class InvalidRPCParams(SfaFault): + def __init__(self, value, extra = None): + self.value = value + faultString = "Invalid RPC Params: %(value)s, " % locals() + SfaFault.__init__(self, GENICODE.RPCERROR, faultString, extra) + def __str__(self): + return repr(self.value) + +# SMBAKER exceptions follow + +class ConnectionKeyGIDMismatch(SfaFault): + def __init__(self, value, extra = None): + self.value = value + faultString = "Connection Key GID mismatch: %(value)s" % locals() + SfaFault.__init__(self, GENICODE.ERROR, faultString, extra) + def __str__(self): + return repr(self.value) + +class MissingCallerGID(SfaFault): + def __init__(self, value, extra = None): + self.value = value + faultString = "Missing Caller GID: %(value)s" % locals() + SfaFault.__init__(self, GENICODE.ERROR, faultString, extra) + def __str__(self): + return repr(self.value) + +class RecordNotFound(SfaFault): + def __init__(self, value, extra = None): + self.value = value + faultString = "Record not found: %(value)s" % locals() + SfaFault.__init__(self, GENICODE.ERROR, faultString, extra) + def __str__(self): + return repr(self.value) + +class UnknownSfaType(SfaFault): + def __init__(self, value, extra = None): + self.value = value + faultString = "Unknown SFA Type: %(value)s" % locals() + SfaFault.__init__(self, GENICODE.ERROR, faultString, extra) + def __str__(self): + return repr(self.value) + +class MissingAuthority(SfaFault): + def __init__(self, value, extra = None): + self.value = value + faultString = "Missing authority: %(value)s" % locals() + SfaFault.__init__(self, GENICODE.ERROR, faultString, extra) + def __str__(self): + return repr(self.value) + +class PlanetLabRecordDoesNotExist(SfaFault): + def __init__(self, value, extra = None): + self.value = value + faultString = "PlanetLab record does not exist : %(value)s" % locals() + SfaFault.__init__(self, GENICODE.ERROR, faultString, extra) + def __str__(self): + return repr(self.value) + +class PermissionError(SfaFault): + def __init__(self, value, extra = None): + self.value = value + faultString = "Permission error: %(value)s" % locals() + SfaFault.__init__(self, GENICODE.FORBIDDEN, faultString, extra) + def __str__(self): + return repr(self.value) + +class InsufficientRights(SfaFault): + def __init__(self, value, extra = None): + self.value = value + faultString = "Insufficient rights: %(value)s" % locals() + SfaFault.__init__(self, GENICODE.FORBIDDEN, faultString, extra) + def __str__(self): + return repr(self.value) + +class MissingDelegateBit(SfaFault): + def __init__(self, value, extra = None): + self.value = value + faultString = "Missing delegate bit: %(value)s" % locals() + SfaFault.__init__(self, GENICODE.FORBIDDEN, faultString, extra) + def __str__(self): + return repr(self.value) + +class ChildRightsNotSubsetOfParent(SfaFault): + def __init__(self, value, extra = None): + self.value = value + faultString = "Child rights not subset of parent: %(value)s" % locals() + SfaFault.__init__(self, GENICODE.FORBIDDEN, faultString, extra) + def __str__(self): + return repr(self.value) + +class CertMissingParent(SfaFault): + def __init__(self, value, extra = None): + self.value = value + faultString = "Cert missing parent: %(value)s" % locals() + SfaFault.__init__(self, GENICODE.ERROR, faultString, extra) + def __str__(self): + return repr(self.value) + +class CertNotSignedByParent(SfaFault): + def __init__(self, value, extra = None): + self.value = value + faultString = "Cert not signed by parent: %(value)s" % locals() + SfaFault.__init__(self, GENICODE.ERROR, faultString, extra) + def __str__(self): + return repr(self.value) + +class GidParentHrn(SfaFault): + def __init__(self, value, extra = None): + self.value = value + faultString = "Cert URN is not an extension of its parent: %(value)s" % locals() + SfaFault.__init__(self, GENICODE.ERROR, faultString, extra) + def __str__(self): + return repr(self.value) + +class GidInvalidParentHrn(SfaFault): + def __init__(self, value, extra = None): + self.value = value + faultString = "GID invalid parent hrn: %(value)s" % locals() + SfaFault.__init__(self, GENICODE.ERROR, faultString, extra) + def __str__(self): + return repr(self.value) + +class SliverDoesNotExist(SfaFault): + def __init__(self, value, extra = None): + self.value = value + faultString = "Sliver does not exist : %(value)s" % locals() + SfaFault.__init__(self, GENICODE.ERROR, faultString, extra) + def __str__(self): + return repr(self.value) + +class BadRequestHash(xmlrpclib.Fault): + def __init__(self, hash = None, extra = None): + faultString = "bad request hash: " + str(hash) + xmlrpclib.Fault.__init__(self, GENICODE.ERROR, faultString) + +class MissingTrustedRoots(SfaFault): + def __init__(self, value, extra = None): + self.value = value + faultString = "Trusted root directory does not exist: %(value)s" % locals() + SfaFault.__init__(self, GENICODE.SERVERERROR, faultString, extra) + def __str__(self): + return repr(self.value) + +class MissingSfaInfo(SfaFault): + def __init__(self, value, extra = None): + self.value = value + faultString = "Missing information: %(value)s" % locals() + SfaFault.__init__(self, GENICODE.ERROR, faultString, extra) + def __str__(self): + return repr(self.value) + +class InvalidRSpec(SfaFault): + def __init__(self, value, extra = None): + self.value = value + faultString = "Invalid RSpec: %(value)s" % locals() + SfaFault.__init__(self, GENICODE.ERROR, faultString, extra) + def __str__(self): + return repr(self.value) + +class InvalidRSpecVersion(SfaFault): + def __init__(self, value, extra = None): + self.value = value + faultString = "Invalid RSpec version: %(value)s" % locals() + SfaFault.__init__(self, GENICODE.BADVERSION, faultString, extra) + def __str__(self): + return repr(self.value) + +class UnsupportedRSpecVersion(SfaFault): + def __init__(self, value, extra = None): + self.value = value + faultString = "Unsupported RSpec version: %(value)s" % locals() + SfaFault.__init__(self, GENICODE.UNSUPPORTED, faultString, extra) + def __str__(self): + return repr(self.value) + +class InvalidRSpecElement(SfaFault): + def __init__(self, value, extra = None): + self.value = value + faultString = "Invalid RSpec Element: %(value)s" % locals() + SfaFault.__init__(self, GENICODE.ERROR, faultString, extra) + def __str__(self): + return repr(self.value) + +class InvalidXML(SfaFault): + def __init__(self, value, extra = None): + self.value = value + faultString = "Invalid XML Document: %(value)s" % locals() + SfaFault.__init__(self, GENICODE.ERROR, faultString, extra) + def __str__(self): + return repr(self.value) + +class AccountNotEnabled(SfaFault): + def __init__(self, extra = None): + faultString = "Account Disabled" + SfaFault.__init__(self, GENICODE.ERROR, faultString, extra) + def __str__(self): + return repr(self.value) + +class CredentialNotVerifiable(SfaFault): + def __init__(self, value, extra = None): + self.value = value + faultString = "Unable to verify credential: %(value)s, " %locals() + SfaFault.__init__(self, GENICODE.ERROR, faultString, extra) + def __str__(self): + return repr(self.value) + +class CertExpired(SfaFault): + def __init__(self, value, extra=None): + self.value = value + faultString = "%s cert is expired" % value + SfaFault.__init__(self, GENICODE.ERROR, faultString, extra) + diff --git a/sfa/util/genicode.py b/sfa/util/genicode.py index 61ae4895..ca201a0a 100644 --- a/sfa/util/genicode.py +++ b/sfa/util/genicode.py @@ -1,45 +1,45 @@ -#---------------------------------------------------------------------- -# Copyright (c) 2008 Board of Trustees, Princeton University -# -# Permission is hereby granted, free of charge, to any person obtaining -# a copy of this software and/or hardware specification (the "Work") to -# deal in the Work without restriction, including without limitation the -# rights to use, copy, modify, merge, publish, distribute, sublicense, -# and/or sell copies of the Work, and to permit persons to whom the Work -# is furnished to do so, subject to the following conditions: -# -# The above copyright notice and this permission notice shall be -# included in all copies or substantial portions of the Work. -# -# THE WORK IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS -# OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF -# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND -# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT -# HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, -# WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -# OUT OF OR IN CONNECTION WITH THE WORK OR THE USE OR OTHER DEALINGS -# IN THE WORK. -#---------------------------------------------------------------------- - -from sfa.util.enumeration import Enum - -GENICODE = Enum( - SUCCESS=0, - BADARGS=1, - ERROR=2, - FORBIDDEN=3, - BADVERSION=4, - SERVERERROR=5, - TOOBIG=6, - REFUSED=7, - TIMEDOUT=8, - DBERROR=9, - RPCERROR=10, - UNAVAILABLE=11, - SEARCHFAILED=12, - UNSUPPORTED=13, - BUSY=14, - EXPIRED=15, - INPORGRESS=16, - ALREADYEXISTS=17 -) +#---------------------------------------------------------------------- +# Copyright (c) 2008 Board of Trustees, Princeton University +# +# Permission is hereby granted, free of charge, to any person obtaining +# a copy of this software and/or hardware specification (the "Work") to +# deal in the Work without restriction, including without limitation the +# rights to use, copy, modify, merge, publish, distribute, sublicense, +# and/or sell copies of the Work, and to permit persons to whom the Work +# is furnished to do so, subject to the following conditions: +# +# The above copyright notice and this permission notice shall be +# included in all copies or substantial portions of the Work. +# +# THE WORK IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS +# OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND +# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT +# HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, +# WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +# OUT OF OR IN CONNECTION WITH THE WORK OR THE USE OR OTHER DEALINGS +# IN THE WORK. +#---------------------------------------------------------------------- + +from sfa.util.enumeration import Enum + +GENICODE = Enum( + SUCCESS=0, + BADARGS=1, + ERROR=2, + FORBIDDEN=3, + BADVERSION=4, + SERVERERROR=5, + TOOBIG=6, + REFUSED=7, + TIMEDOUT=8, + DBERROR=9, + RPCERROR=10, + UNAVAILABLE=11, + SEARCHFAILED=12, + UNSUPPORTED=13, + BUSY=14, + EXPIRED=15, + INPORGRESS=16, + ALREADYEXISTS=17 +) diff --git a/sfa/util/sfalogging.py b/sfa/util/sfalogging.py index 5529fe73..495a2747 100644 --- a/sfa/util/sfalogging.py +++ b/sfa/util/sfalogging.py @@ -1,201 +1,201 @@ -#!/usr/bin/python - -#---------------------------------------------------------------------- -# Copyright (c) 2008 Board of Trustees, Princeton University -# -# Permission is hereby granted, free of charge, to any person obtaining -# a copy of this software and/or hardware specification (the "Work") to -# deal in the Work without restriction, including without limitation the -# rights to use, copy, modify, merge, publish, distribute, sublicense, -# and/or sell copies of the Work, and to permit persons to whom the Work -# is furnished to do so, subject to the following conditions: -# -# The above copyright notice and this permission notice shall be -# included in all copies or substantial portions of the Work. -# -# THE WORK IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS -# OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF -# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND -# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT -# HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, -# WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -# OUT OF OR IN CONNECTION WITH THE WORK OR THE USE OR OTHER DEALINGS -# IN THE WORK. -#---------------------------------------------------------------------- - -import os, sys -import traceback -import logging, logging.handlers - -CRITICAL=logging.CRITICAL -ERROR=logging.ERROR -WARNING=logging.WARNING -INFO=logging.INFO -DEBUG=logging.DEBUG - -# a logger that can handle tracebacks -class _SfaLogger: - def __init__ (self,logfile=None,loggername=None,level=logging.INFO): - # default is to locate loggername from the logfile if avail. - if not logfile: - #loggername='console' - #handler=logging.StreamHandler() - #handler.setFormatter(logging.Formatter("%(levelname)s %(message)s")) - logfile = "/var/log/sfa.log" - - if not loggername: - loggername=os.path.basename(logfile) - try: - handler=logging.handlers.RotatingFileHandler(logfile,maxBytes=1000000, backupCount=5) - except IOError: - # This is usually a permissions error becaue the file is - # owned by root, but httpd is trying to access it. - tmplogfile=os.getenv("TMPDIR", "/tmp") + os.path.sep + os.path.basename(logfile) - # In strange uses, 2 users on same machine might use same code, - # meaning they would clobber each others files - # We could (a) rename the tmplogfile, or (b) - # just log to the console in that case. - # Here we default to the console. - if os.path.exists(tmplogfile) and not os.access(tmplogfile,os.W_OK): - loggername = loggername + "-console" - handler = logging.StreamHandler() - else: - handler=logging.handlers.RotatingFileHandler(tmplogfile,maxBytes=1000000, backupCount=5) - handler.setFormatter(logging.Formatter("%(asctime)s - %(levelname)s - %(message)s")) - self.logger=logging.getLogger(loggername) - self.logger.setLevel(level) - # check if logger already has the handler we're about to add - handler_exists = False - for l_handler in self.logger.handlers: - if l_handler.baseFilename == handler.baseFilename and \ - l_handler.level == handler.level: - handler_exists = True - - if not handler_exists: - self.logger.addHandler(handler) - - self.loggername=loggername - - def setLevel(self,level): - self.logger.setLevel(level) - - # shorthand to avoid having to import logging all over the place - def setLevelDebug(self): - self.logger.setLevel(logging.DEBUG) - - # define a verbose option with s/t like - # parser.add_option("-v", "--verbose", action="count", dest="verbose", default=0) - # and pass the coresponding options.verbose to this method to adjust level - def setLevelFromOptVerbose(self,verbose): - if verbose==0: - self.logger.setLevel(logging.WARNING) - elif verbose==1: - self.logger.setLevel(logging.INFO) - elif verbose>=2: - self.logger.setLevel(logging.DEBUG) - # in case some other code needs a boolean - def getBoolVerboseFromOpt(self,verbose): - return verbose>=1 - - #################### - def info(self, msg): - self.logger.info(msg) - - def debug(self, msg): - self.logger.debug(msg) - - def warn(self, msg): - self.logger.warn(msg) - - # some code is using logger.warn(), some is using logger.warning() - def warning(self, msg): - self.logger.warning(msg) - - def error(self, msg): - self.logger.error(msg) - - def critical(self, msg): - self.logger.critical(msg) - - # logs an exception - use in an except statement - def log_exc(self,message): - self.error("%s BEG TRACEBACK"%message+"\n"+traceback.format_exc().strip("\n")) - self.error("%s END TRACEBACK"%message) - - def log_exc_critical(self,message): - self.critical("%s BEG TRACEBACK"%message+"\n"+traceback.format_exc().strip("\n")) - self.critical("%s END TRACEBACK"%message) - - # for investigation purposes, can be placed anywhere - def log_stack(self,message): - to_log="".join(traceback.format_stack()) - self.info("%s BEG STACK"%message+"\n"+to_log) - self.info("%s END STACK"%message) - - def enable_console(self, stream=sys.stdout): - formatter = logging.Formatter("%(message)s") - handler = logging.StreamHandler(stream) - handler.setFormatter(formatter) - self.logger.addHandler(handler) - - -info_logger = _SfaLogger(loggername='info', level=logging.INFO) -debug_logger = _SfaLogger(loggername='debug', level=logging.DEBUG) -warn_logger = _SfaLogger(loggername='warning', level=logging.WARNING) -error_logger = _SfaLogger(loggername='error', level=logging.ERROR) -critical_logger = _SfaLogger(loggername='critical', level=logging.CRITICAL) -logger = info_logger -sfi_logger = _SfaLogger(logfile=os.path.expanduser("~/.sfi/")+'sfi.log',loggername='sfilog', level=logging.DEBUG) -######################################## -import time - -def profile(logger): - """ - Prints the runtime of the specified callable. Use as a decorator, e.g., - - @profile(logger) - def foo(...): - ... - """ - def logger_profile(callable): - def wrapper(*args, **kwds): - start = time.time() - result = callable(*args, **kwds) - end = time.time() - args = map(str, args) - args += ["%s = %s" % (name, str(value)) for (name, value) in kwds.iteritems()] - # should probably use debug, but then debug is not always enabled - logger.info("PROFILED %s (%s): %.02f s" % (callable.__name__, ", ".join(args), end - start)) - return result - return wrapper - return logger_profile - - -if __name__ == '__main__': - print 'testing sfalogging into logger.log' - logger1=_SfaLogger('logger.log', loggername='std(info)') - logger2=_SfaLogger('logger.log', loggername='error', level=logging.ERROR) - logger3=_SfaLogger('logger.log', loggername='debug', level=logging.DEBUG) - - for (logger,msg) in [ (logger1,"std(info)"),(logger2,"error"),(logger3,"debug")]: - - print "====================",msg, logger.logger.handlers - - logger.enable_console() - logger.critical("logger.critical") - logger.error("logger.error") - logger.warn("logger.warning") - logger.info("logger.info") - logger.debug("logger.debug") - logger.setLevel(logging.DEBUG) - logger.debug("logger.debug again") - - @profile(logger) - def sleep(seconds = 1): - time.sleep(seconds) - - logger.info('console.info') - sleep(0.5) - logger.setLevel(logging.DEBUG) - sleep(0.25) - +#!/usr/bin/python + +#---------------------------------------------------------------------- +# Copyright (c) 2008 Board of Trustees, Princeton University +# +# Permission is hereby granted, free of charge, to any person obtaining +# a copy of this software and/or hardware specification (the "Work") to +# deal in the Work without restriction, including without limitation the +# rights to use, copy, modify, merge, publish, distribute, sublicense, +# and/or sell copies of the Work, and to permit persons to whom the Work +# is furnished to do so, subject to the following conditions: +# +# The above copyright notice and this permission notice shall be +# included in all copies or substantial portions of the Work. +# +# THE WORK IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS +# OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND +# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT +# HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, +# WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +# OUT OF OR IN CONNECTION WITH THE WORK OR THE USE OR OTHER DEALINGS +# IN THE WORK. +#---------------------------------------------------------------------- + +import os, sys +import traceback +import logging, logging.handlers + +CRITICAL=logging.CRITICAL +ERROR=logging.ERROR +WARNING=logging.WARNING +INFO=logging.INFO +DEBUG=logging.DEBUG + +# a logger that can handle tracebacks +class _SfaLogger: + def __init__ (self,logfile=None,loggername=None,level=logging.INFO): + # default is to locate loggername from the logfile if avail. + if not logfile: + #loggername='console' + #handler=logging.StreamHandler() + #handler.setFormatter(logging.Formatter("%(levelname)s %(message)s")) + logfile = "/var/log/sfa.log" + + if not loggername: + loggername=os.path.basename(logfile) + try: + handler=logging.handlers.RotatingFileHandler(logfile,maxBytes=1000000, backupCount=5) + except IOError: + # This is usually a permissions error becaue the file is + # owned by root, but httpd is trying to access it. + tmplogfile=os.getenv("TMPDIR", "/tmp") + os.path.sep + os.path.basename(logfile) + # In strange uses, 2 users on same machine might use same code, + # meaning they would clobber each others files + # We could (a) rename the tmplogfile, or (b) + # just log to the console in that case. + # Here we default to the console. + if os.path.exists(tmplogfile) and not os.access(tmplogfile,os.W_OK): + loggername = loggername + "-console" + handler = logging.StreamHandler() + else: + handler=logging.handlers.RotatingFileHandler(tmplogfile,maxBytes=1000000, backupCount=5) + handler.setFormatter(logging.Formatter("%(asctime)s - %(levelname)s - %(message)s")) + self.logger=logging.getLogger(loggername) + self.logger.setLevel(level) + # check if logger already has the handler we're about to add + handler_exists = False + for l_handler in self.logger.handlers: + if l_handler.baseFilename == handler.baseFilename and \ + l_handler.level == handler.level: + handler_exists = True + + if not handler_exists: + self.logger.addHandler(handler) + + self.loggername=loggername + + def setLevel(self,level): + self.logger.setLevel(level) + + # shorthand to avoid having to import logging all over the place + def setLevelDebug(self): + self.logger.setLevel(logging.DEBUG) + + # define a verbose option with s/t like + # parser.add_option("-v", "--verbose", action="count", dest="verbose", default=0) + # and pass the coresponding options.verbose to this method to adjust level + def setLevelFromOptVerbose(self,verbose): + if verbose==0: + self.logger.setLevel(logging.WARNING) + elif verbose==1: + self.logger.setLevel(logging.INFO) + elif verbose>=2: + self.logger.setLevel(logging.DEBUG) + # in case some other code needs a boolean + def getBoolVerboseFromOpt(self,verbose): + return verbose>=1 + + #################### + def info(self, msg): + self.logger.info(msg) + + def debug(self, msg): + self.logger.debug(msg) + + def warn(self, msg): + self.logger.warn(msg) + + # some code is using logger.warn(), some is using logger.warning() + def warning(self, msg): + self.logger.warning(msg) + + def error(self, msg): + self.logger.error(msg) + + def critical(self, msg): + self.logger.critical(msg) + + # logs an exception - use in an except statement + def log_exc(self,message): + self.error("%s BEG TRACEBACK"%message+"\n"+traceback.format_exc().strip("\n")) + self.error("%s END TRACEBACK"%message) + + def log_exc_critical(self,message): + self.critical("%s BEG TRACEBACK"%message+"\n"+traceback.format_exc().strip("\n")) + self.critical("%s END TRACEBACK"%message) + + # for investigation purposes, can be placed anywhere + def log_stack(self,message): + to_log="".join(traceback.format_stack()) + self.info("%s BEG STACK"%message+"\n"+to_log) + self.info("%s END STACK"%message) + + def enable_console(self, stream=sys.stdout): + formatter = logging.Formatter("%(message)s") + handler = logging.StreamHandler(stream) + handler.setFormatter(formatter) + self.logger.addHandler(handler) + + +info_logger = _SfaLogger(loggername='info', level=logging.INFO) +debug_logger = _SfaLogger(loggername='debug', level=logging.DEBUG) +warn_logger = _SfaLogger(loggername='warning', level=logging.WARNING) +error_logger = _SfaLogger(loggername='error', level=logging.ERROR) +critical_logger = _SfaLogger(loggername='critical', level=logging.CRITICAL) +logger = info_logger +sfi_logger = _SfaLogger(logfile=os.path.expanduser("~/.sfi/")+'sfi.log',loggername='sfilog', level=logging.DEBUG) +######################################## +import time + +def profile(logger): + """ + Prints the runtime of the specified callable. Use as a decorator, e.g., + + @profile(logger) + def foo(...): + ... + """ + def logger_profile(callable): + def wrapper(*args, **kwds): + start = time.time() + result = callable(*args, **kwds) + end = time.time() + args = map(str, args) + args += ["%s = %s" % (name, str(value)) for (name, value) in kwds.iteritems()] + # should probably use debug, but then debug is not always enabled + logger.info("PROFILED %s (%s): %.02f s" % (callable.__name__, ", ".join(args), end - start)) + return result + return wrapper + return logger_profile + + +if __name__ == '__main__': + print 'testing sfalogging into logger.log' + logger1=_SfaLogger('logger.log', loggername='std(info)') + logger2=_SfaLogger('logger.log', loggername='error', level=logging.ERROR) + logger3=_SfaLogger('logger.log', loggername='debug', level=logging.DEBUG) + + for (logger,msg) in [ (logger1,"std(info)"),(logger2,"error"),(logger3,"debug")]: + + print "====================",msg, logger.logger.handlers + + logger.enable_console() + logger.critical("logger.critical") + logger.error("logger.error") + logger.warn("logger.warning") + logger.info("logger.info") + logger.debug("logger.debug") + logger.setLevel(logging.DEBUG) + logger.debug("logger.debug again") + + @profile(logger) + def sleep(seconds = 1): + time.sleep(seconds) + + logger.info('console.info') + sleep(0.5) + logger.setLevel(logging.DEBUG) + sleep(0.25) + diff --git a/sfa/util/sfatime.py b/sfa/util/sfatime.py index 70f88302..48796892 100644 --- a/sfa/util/sfatime.py +++ b/sfa/util/sfatime.py @@ -1,66 +1,66 @@ -#---------------------------------------------------------------------- -# Copyright (c) 2008 Board of Trustees, Princeton University -# -# Permission is hereby granted, free of charge, to any person obtaining -# a copy of this software and/or hardware specification (the "Work") to -# deal in the Work without restriction, including without limitation the -# rights to use, copy, modify, merge, publish, distribute, sublicense, -# and/or sell copies of the Work, and to permit persons to whom the Work -# is furnished to do so, subject to the following conditions: -# -# The above copyright notice and this permission notice shall be -# included in all copies or substantial portions of the Work. -# -# THE WORK IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS -# OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF -# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND -# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT -# HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, -# WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -# OUT OF OR IN CONNECTION WITH THE WORK OR THE USE OR OTHER DEALINGS -# IN THE WORK. -#---------------------------------------------------------------------- -from types import StringTypes -import dateutil.parser -import datetime -import time - -from sfa.util.sfalogging import logger - -DATEFORMAT = "%Y-%m-%dT%H:%M:%SZ" - -def utcparse(input): - """ Translate a string into a time using dateutil.parser.parse but make sure it's in UTC time and strip -the timezone, so that it's compatible with normal datetime.datetime objects. - -For safety this can also handle inputs that are either timestamps, or datetimes -""" - # prepare the input for the checks below by - # casting strings ('1327098335') to ints - if isinstance(input, StringTypes): - try: - input = int(input) - except ValueError: - pass - - if isinstance (input, datetime.datetime): - logger.warn ("argument to utcparse already a datetime - doing nothing") - return input - elif isinstance (input, StringTypes): - t = dateutil.parser.parse(input) - if t.utcoffset() is not None: - t = t.utcoffset() + t.replace(tzinfo=None) - return t - elif isinstance (input, (int,float,long)): - return datetime.datetime.fromtimestamp(input) - else: - logger.error("Unexpected type in utcparse [%s]"%type(input)) - -def datetime_to_string(input): - return datetime.datetime.strftime(input, DATEFORMAT) - -def datetime_to_utc(input): - return time.gmtime(datetime_to_epoch(input)) - -def datetime_to_epoch(input): - return int(time.mktime(input.timetuple())) +#---------------------------------------------------------------------- +# Copyright (c) 2008 Board of Trustees, Princeton University +# +# Permission is hereby granted, free of charge, to any person obtaining +# a copy of this software and/or hardware specification (the "Work") to +# deal in the Work without restriction, including without limitation the +# rights to use, copy, modify, merge, publish, distribute, sublicense, +# and/or sell copies of the Work, and to permit persons to whom the Work +# is furnished to do so, subject to the following conditions: +# +# The above copyright notice and this permission notice shall be +# included in all copies or substantial portions of the Work. +# +# THE WORK IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS +# OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND +# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT +# HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, +# WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +# OUT OF OR IN CONNECTION WITH THE WORK OR THE USE OR OTHER DEALINGS +# IN THE WORK. +#---------------------------------------------------------------------- +from types import StringTypes +import dateutil.parser +import datetime +import time + +from sfa.util.sfalogging import logger + +DATEFORMAT = "%Y-%m-%dT%H:%M:%SZ" + +def utcparse(input): + """ Translate a string into a time using dateutil.parser.parse but make sure it's in UTC time and strip +the timezone, so that it's compatible with normal datetime.datetime objects. + +For safety this can also handle inputs that are either timestamps, or datetimes +""" + # prepare the input for the checks below by + # casting strings ('1327098335') to ints + if isinstance(input, StringTypes): + try: + input = int(input) + except ValueError: + pass + + if isinstance (input, datetime.datetime): + logger.warn ("argument to utcparse already a datetime - doing nothing") + return input + elif isinstance (input, StringTypes): + t = dateutil.parser.parse(input) + if t.utcoffset() is not None: + t = t.utcoffset() + t.replace(tzinfo=None) + return t + elif isinstance (input, (int,float,long)): + return datetime.datetime.fromtimestamp(input) + else: + logger.error("Unexpected type in utcparse [%s]"%type(input)) + +def datetime_to_string(input): + return datetime.datetime.strftime(input, DATEFORMAT) + +def datetime_to_utc(input): + return time.gmtime(datetime_to_epoch(input)) + +def datetime_to_epoch(input): + return int(time.mktime(input.timetuple())) diff --git a/sfa/util/xrn.py b/sfa/util/xrn.py index 985b5711..e548fa56 100644 --- a/sfa/util/xrn.py +++ b/sfa/util/xrn.py @@ -32,9 +32,6 @@ def urn_to_hrn(urn): xrn=Xrn(urn); return (xrn.hrn, xrn.type) def hrn_to_urn(hrn,type): return Xrn(hrn, type=type).urn def hrn_authfor_hrn(parenthrn, hrn): return Xrn.hrn_is_auth_for_hrn(parenthrn, hrn) -def urn_to_sliver_id(urn, slice_id, node_id, index=0, authority=None): - return Xrn(urn).get_sliver_id(slice_id, node_id, index, authority) - class Xrn: ########## basic tools on HRNs @@ -119,12 +116,15 @@ class Xrn: # self.type # self.path # provide either urn, or (hrn + type) - def __init__ (self, xrn, type=None): + def __init__ (self, xrn, type=None, id=None): if not xrn: xrn = "" # user has specified xrn : guess if urn or hrn + self.id = id if Xrn.is_urn(xrn): self.hrn=None self.urn=xrn + if id: + self.urn = "%s:%s" % (self.urn, str(id)) self.urn_to_hrn() else: self.urn=None @@ -168,19 +168,20 @@ class Xrn: self._normalize() return ':'.join( [Xrn.unescape(x) for x in self.authority] ) - def get_sliver_id(self, slice_id, node_id=None, index=0, authority=None): + def set_authority(self, authority): + """ + update the authority section of an existing urn + """ + authority_hrn = self.get_authority_hrn() + if not authority_hrn.startswith(authority): + hrn = ".".join([authority,authority_hrn, self.get_leaf()]) + else: + hrn = ".".join([authority_hrn, self.get_leaf()]) + + self.hrn = hrn + self.hrn_to_urn() self._normalize() - urn = self.get_urn() - if authority: - authority_hrn = self.get_authority_hrn() - if not authority_hrn.startswith(authority): - hrn = ".".join([authority,authority_hrn, self.get_leaf()]) - else: - hrn = ".".join([authority_hrn, self.get_leaf()]) - urn = Xrn(hrn, self.get_type()).get_urn() - parts = [part for part in [urn, slice_id, node_id, index] if part is not None] - return ":".join(map(str, [parts])) - + def urn_to_hrn(self): """ compute tuple (hrn, type) from urn @@ -210,6 +211,10 @@ class Xrn: hrn = '.'.join([Xrn.escape(part).replace(':','.') for part in parts if part]) # dont replace ':' in the name section if name: + parts = name.split(':') + if len(parts) > 1: + self.id = ":".join(parts[1:]) + name = parts[0] hrn += '.%s' % Xrn.escape(name) self.hrn=str(hrn) @@ -245,7 +250,10 @@ class Xrn: urn = "+".join(['',authority_string,Xrn.unescape(name)]) else: urn = "+".join(['',authority_string,self.type,Xrn.unescape(name)]) - + + if hasattr(self, 'id') and self.id: + urn = "%s:%s" % (urn, self.id) + self.urn = Xrn.URN_PREFIX + urn def dump_string(self):