From 43f67380dd3b5038c3d956f17c9fab5b245c567c Mon Sep 17 00:00:00 2001
From: Thierry Parmentelat
Date: Tue, 3 Jun 2014 17:06:24 +0200
Subject: [PATCH] more cleanup on timestamps - issue with short-lived credentials still present though
---
 sfa/trust/abac_credential.py | 7 ++++---
 sfa/trust/credential.py | 23 ++++++++++-------------
 sfa/trust/speaksfor_util.py | 6 ++++--
 3 files changed, 18 insertions(+), 18 deletions(-)
diff --git a/sfa/trust/abac_credential.py b/sfa/trust/abac_credential.py
index fdb68299..407f405f 100644
--- a/sfa/trust/abac_credential.py
+++ b/sfa/trust/abac_credential.py
@@ -21,8 +21,9 @@
 # IN THE WORK.
 #----------------------------------------------------------------------
-from sfa.trust.credential import Credential, append_sub
+from sfa.trust.credential import Credential, append_sub, DEFAULT_CREDENTIAL_LIFETIME
 from sfa.util.sfalogging import logger
+from sfa.util.sfatime import SFATIME_FORMAT
 from StringIO import StringIO
 from xml.dom.minidom import Document, parseString
@@ -161,7 +162,7 @@ class ABACCredential(Credential):
 filename=self.get_filename()
 if filename: result += "Filename %s\n"%filename
 if self.expiration:
- result += "\texpiration: %s \n" % self.expiration.isoformat()
+ result += "\texpiration: %s \n" % self.expiration.strftime(SFATIME_FORMAT)
 result += "\tHead: %s\n" % self.get_head()
 for tail in self.get_tails():
@@ -257,7 +258,7 @@ class ABACCredential(Credential):
 if self.expiration.tzinfo is not None and self.expiration.tzinfo.utcoffset(self.expiration) is not None:
 # TZ aware. Make sure it is UTC
 self.expiration = self.expiration.astimezone(tz.tzutc())
- append_sub(doc, cred, "expires", self.expiration.strftime('%Y-%m-%dT%H:%M:%SZ')) # RFC3339
+ append_sub(doc, cred, "expires", self.expiration.strftime(SFATIME_FORMAT)) # RFC3339
 abac = doc.createElement("abac")
 rt0 = doc.createElement("rt0")
diff --git a/sfa/trust/credential.py b/sfa/trust/credential.py
index bc3b353a..c9bc4e5b 100644
--- a/sfa/trust/credential.py
+++ b/sfa/trust/credential.py
@@ -44,13 +44,14 @@ from xml.parsers.expat import ExpatError
 from sfa.util.faults import CredentialNotVerifiable, ChildRightsNotSubsetOfParent
 from sfa.util.sfalogging import logger
-from sfa.util.sfatime import utcparse
+from sfa.util.sfatime import utcparse, SFATIME_FORMAT
 from sfa.trust.rights import Right, Rights, determine_rights
 from sfa.trust.gid import GID
 from sfa.util.xrn import urn_to_hrn, hrn_authfor_hrn
 # 31 days, in seconds
-DEFAULT_CREDENTIAL_LIFETIME = 86400 * 31
+DEFAULT_CREDENTIAL_LIFETIME = 2 * 3600
+#DEFAULT_CREDENTIAL_LIFETIME = 86400 * 31
 # TODO:
@@ -364,15 +365,11 @@ class Credential(object):
 # Expiration: an absolute UTC time of expiration (as either an int or string or datetime)
 #
 def set_expiration(self, expiration):
- if isinstance(expiration, (int, float)):
- self.expiration = datetime.datetime.fromtimestamp(expiration)
- elif isinstance (expiration, datetime.datetime):
- self.expiration = expiration
- elif isinstance (expiration, StringTypes):
- self.expiration = utcparse (expiration)
+ expiration_datetime = utcparse (expiration)
+ if expiration_datetime is not None:
+ self.expiration = expiration_datetime
 else:
- logger.error ("unexpected input type in Credential.set_expiration")
-
+ logger.error ("unexpected input %s in Credential.set_expiration"%expiration)
 ##
 # get the lifetime of the credential (always in datetime format)
@@ -461,7 +458,7 @@ class Credential(object):
 logger.debug("Creating credential valid for %s s"%DEFAULT_CREDENTIAL_LIFETIME)
 self.set_expiration(datetime.datetime.utcnow() + datetime.timedelta(seconds=DEFAULT_CREDENTIAL_LIFETIME))
 self.expiration = self.expiration.replace(microsecond=0)
- append_sub(doc, cred, "expires", self.expiration.isoformat())
+ append_sub(doc, cred, "expires", self.expiration.strftime(SFATIME_FORMAT))
 privileges = doc.createElement("privileges")
 cred.appendChild(privileges)
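Review bot: The comment `# 31 days, in seconds` left above `DEFAULT_CREDENTIAL_LIFETIME = 2 * 3600` no longer matches the value, which is now two hours, and the old value survives only as a commented-out line. This constant sets how long newly created credentials stay valid, so the comment should state the real lifetime and why it changed, e.g. `# 2 hours, in seconds (shortened from 31 days while debugging short-lived credentials)`. The commit subject suggests the short value exists to chase the short-lived-credential issue, so it is worth confirming that it is meant to ship as the default.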
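Review bot: When `utcparse` returns None, the new `set_expiration` only logs and falls through, so `self.expiration` silently keeps whatever value it held before. For the field that decides whether a credential is still valid, raising on unparseable input (for example `raise ValueError("unexpected expiration %r" % (expiration,))`) is safer than continuing with a stale or unset expiry. The body now depends entirely on `utcparse`, defined outside this diff, to accept int, float, datetime and string and to return naive UTC; the header comment should say so, because the expiry check later compares against `datetime.datetime.utcnow()`. In the log line, `"...%s..."%expiration` should be `% (expiration,)` with `%r`, so that a tuple argument does not raise and caller-supplied text is logged unambiguously.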
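Review bot: The new `self.expiration.strftime(SFATIME_FORMAT)` call is made without the timezone normalisation that the ABACCredential hunk applies before formatting (`self.expiration.astimezone(tz.tzutc())` for tz-aware values). If SFATIME_FORMAT ends in a literal `Z`, as the literal it replaces in abac_credential.py and speaksfor_util.py suggests, a tz-aware non-UTC expiration would be serialised as a different instant than intended. Either normalise to UTC before this line or add a comment such as `# self.expiration is naive UTC here (set_expiration goes through utcparse)` once that has been confirmed. The enclosing method starts and ends outside the hunk.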
@@ -802,7 +799,7 @@ class Credential(object):
 # make sure it is not expired
 if self.get_expiration() < datetime.datetime.utcnow():
- raise CredentialNotVerifiable("Credential %s expired at %s" % (self.get_summary_tostring(), self.expiration.isoformat()))
+ raise CredentialNotVerifiable("Credential %s expired at %s" % (self.get_summary_tostring(), self.expiration.strftime(SFATIME_FORMAT)))
 # Verify the signatures
 filename = self.save_to_random_tmp_file()
@@ -1064,7 +1061,7 @@ class Credential(object):
 self.get_signature().get_issuer_gid().dump(8, dump_parents)
 if self.expiration:
- print " expiration:", self.expiration.isoformat()
+ print " expiration:", self.expiration.strftime(SFATIME_FORMAT)
 gidObject = self.get_gid_object()
 if gidObject:
diff --git a/sfa/trust/speaksfor_util.py b/sfa/trust/speaksfor_util.py
index 9a3b3c3d..2c56a47c 100644
--- a/sfa/trust/speaksfor_util.py
+++ b/sfa/trust/speaksfor_util.py
@@ -31,6 +31,8 @@ import tempfile
 from xml.dom.minidom import *
 from StringIO import StringIO
+from sfa.util.sfatime import SFATIME_FORMAT
+
 from sfa.trust.certificate import Certificate
 from sfa.trust.credential import Credential, signature_template, HAVELXML
 from sfa.trust.abac_credential import ABACCredential, ABACElement
@@ -129,7 +131,7 @@ def verify_speaks_for(cred, tool_gid, speaking_for_urn,
 # Credential has not expired
 if cred.expiration and cred.expiration < datetime.datetime.utcnow():
- return False, None, "ABAC Credential expired at %s (%s)" % (cred.expiration.isoformat(), cred.get_summary_tostring())
+ return False, None, "ABAC Credential expired at %s (%s)" % (cred.expiration.strftime(SFATIME_FORMAT), cred.get_summary_tostring())
 # Must be ABAC
 if cred.get_cred_type() != ABACCredential.ABAC_CREDENTIAL_TYPE:
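Review bot: In the `verify_speaks_for` hunk, the guard `if cred.expiration and cred.expiration < datetime.datetime.utcnow():` treats a credential whose `expiration` is unset as not expired, so the expiry check is skipped for it. Whether an ABAC credential can reach this point without an expiration is not visible here, but a verifier should fail closed in that case. A separate guard before this line would do it: `if not cred.expiration: return False, None, "ABAC Credential has no expiration (%s)" % cred.get_summary_tostring()`. The function body starts and continues outside the hunk.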
@@ -349,7 +351,7 @@ def create_speaks_for(tool_gid, user_gid, ma_gid, \
 credential_duration = datetime.timedelta(days=dur_days)
 expiration = datetime.datetime.utcnow() + credential_duration
- expiration_str = expiration.strftime('%Y-%m-%dT%H:%M:%SZ') # FIXME: libabac can't handle .isoformat()
+ expiration_str = expiration.strftime(SFATIME_FORMAT)
 version = "1.1"
 user_keyid = get_cert_keyid(user_gid)
--
2.43.0
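Review bot: The removed trailing comment `# FIXME: libabac can't handle .isoformat()` was the only record of why this timestamp must not be produced with `isoformat()`, and the new `expiration_str` line drops it. Keep the reason next to the call, e.g. `# libabac cannot parse .isoformat() output; SFATIME_FORMAT must keep the Z-suffixed form`, so that a later change to the shared constant does not quietly break parsing of speaks-for credentials. SFATIME_FORMAT is defined outside this diff, so its equivalence to the old literal is assumed here. `create_speaks_for` continues outside the hunk.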