From: Thierry Parmentelat
Date: Tue, 20 Jan 2015 08:03:11 +0000 (+0100)
Subject: add debug trace when invoking xmlsec1
X-Git-Tag: sfa-3.1-14~12
X-Git-Url: http://git.onelab.eu/?p=sfa.git;a=commitdiff_plain;h=92b43f0e1f1a0fe453cd3a289f90c3961f12ab7c
add debug trace when invoking xmlsec1 + miscell reformatting for narrower text
---
diff --git a/sfa/client/sfaclientlib.py b/sfa/client/sfaclientlib.py
index 78f6f48d..bc4a1d14 100644
--- a/sfa/client/sfaclientlib.py
+++ b/sfa/client/sfaclientlib.py
@@ -121,7 +121,7 @@ class SfaClientBootstrap:
 ######################################## *_produce methods
 ### step1
 # unconditionnally create a self-signed certificate
- def self_signed_cert_produce (self,output):
+ def self_signed_cert_produce (self, output):
 self.assert_private_key()
 private_key_filename = self.private_key_filename()
 keypair=Keypair(filename=private_key_filename)
@@ -131,7 +131,7 @@ class SfaClientBootstrap:
 self_signed.sign ()
 self_signed.save_to_file (output)
 self.logger.debug("SfaClientBootstrap: Created self-signed certificate for %s in %s"%\
- (self.hrn,output))
+ (self.hrn, output))
 return output
 ### step2
@@ -142,7 +142,8 @@ class SfaClientBootstrap:
 certificate_filename = self.self_signed_cert_filename()
 certificate_string = self.plain_read (certificate_filename)
 self.assert_private_key()
- registry_proxy = SfaServerProxy (self.registry_url, self.private_key_filename(),
+ registry_proxy = SfaServerProxy (self.registry_url,
+ self.private_key_filename(),
 certificate_filename)
 try:
 credential_string=registry_proxy.GetSelfCredential (certificate_string, self.hrn, "user")
@@ -316,10 +317,14 @@ class SfaClientBootstrap:
 raise IOError,"Missing %s file %s"%(kind,filename)
 return True
- def assert_private_key (self): return self.assert_filename (self.private_key_filename(),"private key")
- def assert_self_signed_cert (self): return self.assert_filename (self.self_signed_cert_filename(),"self-signed certificate")
- def assert_my_credential (self): return self.assert_filename (self.my_credential_filename(),"user's credential")
- def assert_my_gid (self): return self.assert_filename (self.my_gid_filename(),"user's GID")
+ def assert_private_key (self):
+ return self.assert_filename (self.private_key_filename(),"private key")
+ def assert_self_signed_cert (self):
+ return self.assert_filename (self.self_signed_cert_filename(),"self-signed certificate")
+ def assert_my_credential (self):
+ return self.assert_filename (self.my_credential_filename(),"user's credential")
+ def assert_my_gid (self):
+ return self.assert_filename (self.my_gid_filename(),"user's GID")
 # decorator to make up the other methods
diff --git a/sfa/trust/auth.py b/sfa/trust/auth.py
index 59ca4c27..2120a80d 100644
--- a/sfa/trust/auth.py
+++ b/sfa/trust/auth.py
@@ -4,9 +4,10 @@ import sys
 from types import StringTypes
-from sfa.util.faults import InsufficientRights, MissingCallerGID, MissingTrustedRoots, PermissionError, \
- BadRequestHash, ConnectionKeyGIDMismatch, SfaPermissionDenied, CredentialNotVerifiable, Forbidden, \
- BadArgs
+from sfa.util.faults import InsufficientRights, MissingCallerGID, \
+ MissingTrustedRoots, PermissionError, BadRequestHash, \
+ ConnectionKeyGIDMismatch, SfaPermissionDenied, CredentialNotVerifiable, \
+ Forbidden, BadArgs
 from sfa.util.sfalogging import logger
 from sfa.util.config import Config
 from sfa.util.xrn import Xrn, get_authority
@@ -34,10 +35,13 @@ class Auth:
 self.load_trusted_certs()
 def load_trusted_certs(self):
- self.trusted_cert_list = TrustedRoots(self.config.get_trustedroots_dir()).get_list()
- self.trusted_cert_file_list = TrustedRoots(self.config.get_trustedroots_dir()).get_file_list()
+ self.trusted_cert_list = \
+ TrustedRoots(self.config.get_trustedroots_dir()).get_list()
+ self.trusted_cert_file_list = \
+ TrustedRoots(self.config.get_trustedroots_dir()).get_file_list()
- # this convenience methods extracts speaking_for_xrn from the passed options using 'geni_speaking_for'
+ # this convenience methods extracts speaking_for_xrn
+ # from the passed options using 'geni_speaking_for'
 def checkCredentialsSpeaksFor (self, *args, **kwds):
 if 'options' not in kwds:
 logger.error ("checkCredentialsSpeaksFor was not passed options=options")
@@ -62,7 +66,8 @@ class Auth:
 error="checkCredentials: expected a string, received %s"%(type(cred))
 else:
 cred_obj=Credential(string=cred)
- logger.info("failed to validate credential - dump=%s"%cred_obj.dump_string(dump_parents=True))
+ logger.info("failed to validate credential - dump=%s"%\
+ cred_obj.dump_string(dump_parents=True))
 error = sys.exc_info()[:2]
 return error
@@ -76,7 +81,7 @@ class Auth:
 if not isinstance(xrns, list):
 xrns = [xrns]
- slice_xrns = Xrn.filter_type(xrns, 'slice')
+ slice_xrns = Xrn.filter_type(xrns, 'slice')
 sliver_xrns = Xrn.filter_type(xrns, 'sliver')
 # we are not able to validate slivers in the traditional way so
@@ -122,7 +127,7 @@ class Auth:
 def check(self, credential, operation, hrn = None):
 """
- Check the credential against the peer cert (callerGID included
+ Check the credential against the peer cert (callerGID) included
 in the credential matches the caller that is connected to the HTTPS connection, check if the credential was signed by a trusted cert and check if the credential is allowed to perform
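Review bot: Moving the closing parenthesis in the `check` docstring (hunk `@@ -122,7 +127,7 @@`) does not make the sentence read correctly; it still says the credential is checked against a peer cert that the callerGID is somehow included in. Suggest rewriting the opening sentence as `Check that the callerGID included in the credential matches the peer cert of the HTTPS connection, that the credential was signed by a trusted cert, and that the credential allows *operation*.` The remainder of the docstring and the body of `check` lie outside the hunk.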
@@ -152,7 +157,8 @@ class Auth:
 raise InsufficientRights(operation)
 if self.trusted_cert_list:
- self.client_cred.verify(self.trusted_cert_file_list, self.config.SFA_CREDENTIAL_SCHEMA)
+ self.client_cred.verify(self.trusted_cert_file_list,
+ self.config.SFA_CREDENTIAL_SCHEMA)
 else:
 raise MissingTrustedRoots(self.config.get_trustedroots_dir())
@@ -168,7 +174,7 @@ class Auth:
 def check_ticket(self, ticket):
 """
- Check if the tickt was signed by a trusted cert
+ Check if the ticket was signed by a trusted cert
 """
 if self.trusted_cert_list:
 client_ticket = SfaTicket(string=ticket)
@@ -315,7 +321,8 @@ class Auth:
 rl = Rights()
 type = reg_record.type
- logger.debug("entering determine_user_rights with record %s and caller_hrn %s"%(reg_record, caller_hrn))
+ logger.debug("entering determine_user_rights with record %s and caller_hrn %s"%\
+ (reg_record, caller_hrn))
 if type == 'slice':
 # researchers in the slice are in the DB as-is
diff --git a/sfa/trust/credential.py b/sfa/trust/credential.py
index 9d0fd283..f4f192de 100644
--- a/sfa/trust/credential.py
+++ b/sfa/trust/credential.py
@@ -798,7 +798,9 @@ class Credential(object):
 # make sure it is not expired
 if self.get_expiration() < datetime.datetime.utcnow():
- raise CredentialNotVerifiable("Credential %s expired at %s" % (self.get_summary_tostring(), self.expiration.strftime(SFATIME_FORMAT)))
+ raise CredentialNotVerifiable("Credential %s expired at %s" % \
+ (self.get_summary_tostring(),
+ self.expiration.strftime(SFATIME_FORMAT)))
 # Verify the signatures
 filename = self.save_to_random_tmp_file()
@@ -826,10 +828,11 @@ class Credential(object):
 if trusted_certs is None:
 break
-# print "Doing %s --verify --node-id '%s' %s %s 2>&1" % \
-# (self.xmlsec_path, ref, cert_args, filename)
- verified = os.popen('%s --verify --node-id "%s" %s %s 2>&1' \
- % (self.xmlsec_path, ref, cert_args, filename)).read()
+ command = '{} --verify --node-id "{}" {} {} 2>&1'.\
+ format(self.xmlsec_path, ref, cert_args, filename)
+ logger.debug("Running '{}'".format(command))
+ verified = os.popen(command).read()
+ logger.debug("xmlsec command returned {}".format(verified))
 if not verified.strip().startswith("OK"):
 # xmlsec errors have a msg= which is the interesting bit.
 mstart = verified.find("msg=")
@@ -838,7 +841,10 @@ class Credential(object):
 mstart = mstart + 4
 mend = verified.find('\\', mstart)
 msg = verified[mstart:mend]
- raise CredentialNotVerifiable("xmlsec1 error verifying cred %s using Signature ID %s: %s %s" % (self.get_summary_tostring(), ref, msg, verified.strip()))
+ raise CredentialNotVerifiable("xmlsec1 error verifying cred %s"
+ "using Signature ID %s: %s %s" % \
+ (self.get_summary_tostring(),
+ ref, msg, verified.strip()))
 os.remove(filename)
 # Verify the parents (delegation)
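Review bot: The new `command` string is still executed through a shell by `os.popen`, and `ref` — the Signature ID, which as far as this hunk shows comes from the credential under verification rather than from trusted configuration — is interpolated into it with nothing but the surrounding double quotes protecting the command line; the added debug trace makes that visible but does not change it. Since the commit now builds the command in one place, this is the moment to build it as an argument list and run it with `subprocess.Popen(..., stdout=PIPE, stderr=STDOUT)`, which removes the shell and the `2>&1`; `cert_args` is assembled outside the hunk as one pre-joined string and would have to become a list of separate arguments, and `subprocess` would need importing at the top of the file, which is not in view. `logger.debug("Running '{}'".format(command))` also formats eagerly; `logger.debug("Running '%s'", command)` defers the work until debug is enabled, and logging `verified.strip()` in the second trace keeps the full xmlsec1 output on one line. The enclosing verification loop starts and ends outside the hunk.
```python
            # cert_args is assembled outside this hunk; for this form it must be a list
            # of separate arguments rather than one pre-joined string
            command = [self.xmlsec_path, "--verify", "--node-id", ref] + cert_args + [filename]
            logger.debug("Running '%s'", " ".join(command))
            proc = subprocess.Popen(command, stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
            verified = proc.communicate()[0]
            logger.debug("xmlsec command returned %s", verified.strip())
            # … unchanged: OK check and msg= extraction …
```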
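Review bot: Splitting the message in hunk `@@ -838,7 +841,10 @@` drops the space between `%s` and `using`, so the exception now reads `...verifying cred <summary>using Signature ID ...`; the first literal should end with a space, `"xmlsec1 error verifying cred %s "`. Adjacent literals are joined at compile time, so `%` still applies to the whole message and the operator placement is otherwise fine. On the context lines above, `verified.find('\\', mstart)` returns -1 when no backslash follows `msg=` and the slice then drops the last character of the output; that is pre-existing and untouched by this commit. The enclosing method continues outside the hunk.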