From dbc31b969660cd331b0350e235a8e1e75e8802e0 Mon Sep 17 00:00:00 2001 From: Tony Mack Date: Fri, 26 Aug 2011 13:01:54 -0400 Subject: [PATCH] improved error and log messages --- sfa/trust/certificate.py | 36 ++++++++++++++++++++++-------------- sfa/trust/credential.py | 37 ++++++++++++++++++++++++++----------- sfa/trust/gid.py | 2 +- 3 files changed, 49 insertions(+), 26 deletions(-) diff --git a/sfa/trust/certificate.py b/sfa/trust/certificate.py index 13f89756..8cbe1724 100644 --- a/sfa/trust/certificate.py +++ b/sfa/trust/certificate.py @@ -480,6 +480,7 @@ class Certificate: else: setattr(subj, "CN", name) self.cert.set_subject(subj) + ## # Get the subject name of the certificate @@ -487,6 +488,13 @@ class Certificate: x = self.cert.get_subject() return getattr(x, which) + ## + # Get a pretty-print subject name of the certificate + + def get_printable_subject(self): + x = self.cert.get_subject() + return "[ OU: %s, CN: %s, SubjectAltName: %s ]" % (getattr(x, "OU"), getattr(x, "CN"), self.get_data()) + ## # Get the public key of the certificate. # @@ -689,31 +697,31 @@ class Certificate: # verify expiration time if self.cert.has_expired(): - logger.debug("verify_chain: NO our certificate has expired") - raise CertExpired(self.get_subject(), "client cert") - + logger.debug("verify_chain: NO our certificate %s has expired" % self.get_printable_subject()) + raise CertExpired(self.get_printable_subject(), "client cert") + # if this cert is signed by a trusted_cert, then we are set for trusted_cert in trusted_certs: if self.is_signed_by_cert(trusted_cert): # verify expiration of trusted_cert ? if not trusted_cert.cert.has_expired(): logger.debug("verify_chain: YES cert %s signed by trusted cert %s"%( - self.get_subject(), trusted_cert.get_subject())) + self.get_printable_subject(), trusted_cert.get_printable_subject())) return trusted_cert else: logger.debug("verify_chain: NO cert %s is signed by trusted_cert %s, but this is expired..."%( - self.get_subject(),trusted_cert.get_subject())) - raise CertExpired(self.get_subject(),"trusted_cert %s"%trusted_cert.get_subject()) + self.get_printable_subject(),trusted_cert.get_printable_subject())) + raise CertExpired(self.get_printable_subject()," signer trusted_cert %s"%trusted_cert.get_printable_subject()) # if there is no parent, then no way to verify the chain if not self.parent: - logger.debug("verify_chain: NO %s has no parent and is not in trusted roots"%self.get_subject()) - raise CertMissingParent(self.get_subject()) + logger.debug("verify_chain: NO %s has no parent and issuer %s is not in %d trusted roots"%self.get_printable_subject(), self.get_issuer(), len(trusted_certs)) + raise CertMissingParent(self.get_printable_subject(), "Non trusted issuer: %s out of %d trusted roots" % (self.get_issuer(), len(trusted_certs))) # if it wasn't signed by the parent... if not self.is_signed_by_cert(self.parent): - logger.debug("verify_chain: NO %s is not signed by parent"%self.get_subject()) - return CertNotSignedByParent(self.get_subject()) + logger.debug("verify_chain: NO %s is not signed by parent %s, but by %s"%self.get_printable_subject(), self.parent.get_printable_subject(), self.get_issuer()) + return CertNotSignedByParent(self.get_printable_subject(), "parent %s, issuer %s" % (selr.parent.get_printable_subject(), self.get_issuer())) # Confirm that the parent is a CA. Only CAs can be trusted as # signers. @@ -722,11 +730,11 @@ class Certificate: # Ugly - cert objects aren't parsed so we need to read the # extension and hope there are no other basicConstraints if not self.parent.isCA and not (self.parent.get_extension('basicConstraints') == 'CA:TRUE'): - logger.warn("verify_chain: cert %s's parent %s is not a CA" % (self.get_subject(), self.parent.get_subject())) - return CertNotSignedByParent(self.get_subject()) + logger.warn("verify_chain: cert %s's parent %s is not a CA" % (self.get_printable_subject(), self.parent.get_printable_subject())) + return CertNotSignedByParent(self.get_printable_subject(), "Parent %s not a CA" % self.parent.get_printable_subject()) # if the parent isn't verified... - logger.debug("verify_chain: .. %s, -> verifying parent %s"%(self.get_subject(),self.parent.get_subject())) + logger.debug("verify_chain: .. %s, -> verifying parent %s"%(self.get_printable_subject(),self.parent.get_printable_subject())) self.parent.verify_chain(trusted_certs) return @@ -761,7 +769,7 @@ class Certificate: def dump_string (self,show_extensions=False): result = "" - result += "CERTIFICATE for %s\n"%self.get_subject() + result += "CERTIFICATE for %s\n"%self.get_printable_subject() result += "Issued by %s\n"%self.get_issuer() filename=self.get_filename() if filename: result += "Filename %s\n"%filename diff --git a/sfa/trust/credential.py b/sfa/trust/credential.py index 3480a725..f112a959 100644 --- a/sfa/trust/credential.py +++ b/sfa/trust/credential.py @@ -269,7 +269,16 @@ class Credential(object): def get_subject(self): if not self.gidObject: self.decode() - return self.gidObject.get_subject() + return self.gidObject.get_printable_subject() + + def get_summary_tostring(self): + if not self.gidObject: + self.decode() + obj = self.gidObject.get_printable_subject() + caller = self.gidCaller.get_printable_subject() + exp = self.get_expiration() + # Summarize the rights too? The issuer? + return "[ Grant %s rights on %s until %s ]" % (caller, obj, exp) def get_signature(self): if not self.signature: @@ -672,13 +681,19 @@ class Credential(object): # Is this a signed-cred or just a cred? if len(signed_cred) > 0: - cred = signed_cred[0].getElementsByTagName("credential")[0] + creds = signed_cred[0].getElementsByTagName("credential") signatures = signed_cred[0].getElementsByTagName("signatures") if len(signatures) > 0: sigs = signatures[0].getElementsByTagName("Signature") else: - cred = doc.getElementsByTagName("credential")[0] + creds = doc.getElementsByTagName("credential") + if creds is None or len(creds) == 0: + # malformed cred file + raise CredentialNotVerifiable("Malformed XML: No credential tag found") + + # Just take the first cred if there are more than one + cred = creds[0] self.set_refid(cred.getAttribute("xml:id")) self.set_expiration(utcparse(getTextNode(cred, "expires"))) @@ -765,7 +780,7 @@ class Credential(object): xmlschema = etree.XMLSchema(schema_doc) if not xmlschema.validate(tree): error = xmlschema.error_log.last_error - message = "%s (line %s)" % (error.message, error.line) + message = "%s: %s (line %s)" % (self.get_summary_tostring(), error.message, error.line) raise CredentialNotVerifiable(message) if trusted_certs_required and trusted_certs is None: @@ -798,7 +813,7 @@ class Credential(object): # make sure it is not expired if self.get_expiration() < datetime.datetime.utcnow(): - raise CredentialNotVerifiable("Credential expired at %s" % self.expiration.isoformat()) + raise CredentialNotVerifiable("Credential %s expired at %s" % (self.get_summary_tostring(), self.expiration.isoformat())) # Verify the signatures filename = self.save_to_random_tmp_file() @@ -838,7 +853,7 @@ class Credential(object): mstart = mstart + 4 mend = verified.find('\\', mstart) msg = verified[mstart:mend] - raise CredentialNotVerifiable("xmlsec1 error verifying cred using Signature ID %s: %s %s" % (ref, msg, verified.strip())) + raise CredentialNotVerifiable("xmlsec1 error verifying cred %s using Signature ID %s: %s %s" % (self.get_summary_tostring(), ref, msg, verified.strip())) os.remove(filename) # Verify the parents (delegation) @@ -944,23 +959,23 @@ class Credential(object): # make sure the rights given to the child are a subset of the # parents rights (and check delegate bits) if not parent_cred.get_privileges().is_superset(self.get_privileges()): - raise ChildRightsNotSubsetOfParent(("Parent cred ref %s rights " % self.parent.get_refid()) + - self.parent.get_privileges().save_to_string() + (" not superset of delegated cred ref %s rights " % self.get_refid()) + + raise ChildRightsNotSubsetOfParent(("Parent cred ref %s rights " % parent_cred.get_refid()) + + self.parent.get_privileges().save_to_string() + (" not superset of delegated cred %s ref %s rights " % (self.get_summary_tostring(), self.get_refid())) + self.get_privileges().save_to_string()) # make sure my target gid is the same as the parent's if not parent_cred.get_gid_object().save_to_string() == \ self.get_gid_object().save_to_string(): - raise CredentialNotVerifiable("Target gid not equal between parent and child") + raise CredentialNotVerifiable("Delegated cred %s: Target gid not equal between parent and child. Parent %s" % (self.get_summary_tostring(), parent_cred.get_summary_tostring())) # make sure my expiry time is <= my parent's if not parent_cred.get_expiration() >= self.get_expiration(): - raise CredentialNotVerifiable("Delegated credential expires after parent") + raise CredentialNotVerifiable("Delegated credential %s expires after parent %s" % (self.get_summary_tostring(), parent_cred.get_summary_tostring())) # make sure my signer is the parent's caller if not parent_cred.get_gid_caller().save_to_string(False) == \ self.get_signature().get_issuer_gid().save_to_string(False): - raise CredentialNotVerifiable("Delegated credential not signed by parent caller") + raise CredentialNotVerifiable("Delegated credential %s not signed by parent %s's caller" % (self.get_summary_tostring(), parent_cred.get_summary_tostring())) # Recurse if parent_cred.parent: diff --git a/sfa/trust/gid.py b/sfa/trust/gid.py index b327c0cb..a7b2e71d 100644 --- a/sfa/trust/gid.py +++ b/sfa/trust/gid.py @@ -212,7 +212,7 @@ class GID(Certificate): if self.parent: # make sure the parent's hrn is a prefix of the child's hrn if not hrn_authfor_hrn(self.parent.get_hrn(), self.get_hrn()): - raise GidParentHrn("This cert HRN %s isn't in the namespace for parent HRN %s" % (self.get_hrn(), self.parent.get_hrn())) + raise GidParentHrn("This cert HRN %s isn't in the namespace for parent HRN %s" % (self.get_hrn(), self.parent.get_hrn())) # Parent must also be an authority (of some type) to sign a GID # There are multiple types of authority - accept them all here -- 2.43.0