From 7c982c37858ad4500fc4c1b71896e2f6efe4a065 Mon Sep 17 00:00:00 2001
From: Josh Karlin
Date: Fri, 8 Oct 2010 11:14:48 -0400
Subject: [PATCH] changed credential set_lifetime to be in absolute time, not relative. Fixed registry_manager_pl to set credential expiration time on GetCredential
---
 sfa/client/sfi.py | 4 +-
 sfa/managers/aggregate_manager_pl.py | 2 +-
 sfa/managers/registry_manager_pl.py | 2 ++
 sfa/methods/RenewSliver.py | 2 +-
 sfa/trust/credential.py | 45 ++++++++++++++--------------
 tests/testCred.py | 8 ++---
 6 files changed, 33 insertions(+), 30 deletions(-)
diff --git a/sfa/client/sfi.py b/sfa/client/sfi.py
index f7eecb3d..e149b0fe 100755
--- a/sfa/client/sfi.py
+++ b/sfa/client/sfi.py
@@ -404,8 +404,8 @@ class Sfi:
 if (os.path.isfile(file)):
 credential = Credential(filename=file)
 # make sure it isnt expired
- if not credential.get_lifetime or \
- datetime.datetime.today() < credential.get_lifetime():
+ if not credential.get_expiration or \
+ datetime.datetime.today() < credential.get_expiration():
 return credential
 return None
diff --git a/sfa/managers/aggregate_manager_pl.py b/sfa/managers/aggregate_manager_pl.py
index a2b4f585..01e6b41e 100644
--- a/sfa/managers/aggregate_manager_pl.py
+++ b/sfa/managers/aggregate_manager_pl.py
@@ -58,7 +58,7 @@ def __get_registry_objects(slice_xrn, creds, users):
 reg_objects['site'] = site
 slice = {}
- slice['expires'] = int(time.mktime(Credential(string=creds[0]).get_lifetime().timetuple()))
+ slice['expires'] = int(time.mktime(Credential(string=creds[0]).get_expiration().timetuple()))
 slice['hrn'] = hrn
 slice['name'] = hrn_to_pl_slicename(hrn)
 slice['url'] = hrn
diff --git a/sfa/managers/registry_manager_pl.py b/sfa/managers/registry_manager_pl.py
index f5f4b48f..4c54e5f1 100644
--- a/sfa/managers/registry_manager_pl.py
+++ b/sfa/managers/registry_manager_pl.py
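Review bot: `if not credential.get_expiration or \` tests the bound method object, which is always truthy, so the "no expiration" branch can never fire and the guard reduces to the second clause; the call is missing, `if not credential.get_expiration() or \` (the removed line had the same slip, so this is carried over rather than introduced). The second clause compares `datetime.datetime.today()`, local time, against an expiry that credential.py builds and checks with `utcnow()`, so a cached credential is judged with an error of the host's UTC offset; `datetime.datetime.utcnow() < credential.get_expiration():` would match the verifier. The enclosing method starts before the hunk.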
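Review bot: `time.mktime(...get_expiration().timetuple())` interprets the tuple as local time, but the expiry it comes from is a naive UTC datetime as far as this patch shows (credential.py builds it from `utcnow()` and compares it against `utcnow()`), so `slice['expires']` is shifted by the local UTC offset on any host not running in UTC. `calendar.timegm(Credential(string=creds[0]).get_expiration().timetuple())` converts a UTC tuple to epoch seconds without that shift; it would need `import calendar` at the top of the file. The enclosing function starts before and continues after the hunk.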
@@ -66,6 +66,8 @@ def get_credential(api, xrn, type, is_self=False):
 #new_cred.set_pubkey(object_gid.get_pubkey())
 new_cred.set_privileges(rights)
 new_cred.get_privileges().delegate_all_privileges(True)
+ if 'expires' in record:
+ new_cred.set_expiration(int(record['expires']))
 auth_kind = "authority,ma,sa"
 # Parent not necessary, verify with certs
 #new_cred.set_parent(api.auth.hierarchy.get_auth_cred(auth_hrn, kind=auth_kind))
diff --git a/sfa/methods/RenewSliver.py b/sfa/methods/RenewSliver.py
index ce753fe4..c337bc06 100644
--- a/sfa/methods/RenewSliver.py
+++ b/sfa/methods/RenewSliver.py
@@ -31,7 +31,7 @@ class RenewSliver(Method):
 # Validate that the time does not go beyond the credential's expiration time
 requested_time = parse(expiration_time)
- if requested_time > Credential(string=valid_creds[0]).get_lifetime():
+ if requested_time > Credential(string=valid_creds[0]).get_expiration():
 raise InsufficientRights('SliverStatus: Credential expires before requested expiration time')
 manager = self.api.get_interface_manager()
diff --git a/sfa/trust/credential.py b/sfa/trust/credential.py
index 4971cdd0..c09f1bf9 100644
--- a/sfa/trust/credential.py
+++ b/sfa/trust/credential.py
@@ -43,8 +43,8 @@ from sfa.trust.rights import Right, Rights
 from sfa.trust.gid import GID
 from sfa.util.namespace import *
-# Two years, in seconds
-DEFAULT_CREDENTIAL_LIFETIME = 60 * 60 * 24 * 365 * 2
+# 2 weeks, in seconds
+DEFAULT_CREDENTIAL_LIFETIME = 86400 * 14
 # TODO:
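Review bot: `new_cred.set_expiration(int(record['expires']))` feeds the registry's expiry into the int branch of set_expiration, which in the credential.py `@@ -314` hunk converts it with `datetime.datetime.fromtimestamp`, a local-time conversion, while the expiry check in the `@@ -673` hunk compares against `datetime.datetime.utcnow()`; on a non-UTC host a credential minted from a record expiry is therefore accepted past, or rejected before, the intended instant by the local UTC offset. The fix belongs in set_expiration: `self.expiration = datetime.datetime.utcfromtimestamp(expiration)`, which also makes the header comment's "absolute UTC time" true. This assumes `record['expires']` holds Unix epoch seconds, as the aggregate_manager_pl hunk's `time.mktime` suggests; get_credential starts before and continues after the hunk.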
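Review bot: `requested_time > Credential(string=valid_creds[0]).get_expiration()` compares a client-supplied time against a naive expiry; if `parse` is a dateutil-style parser it returns a timezone-aware datetime whenever the caller's string carries an offset, and comparing aware with naive raises TypeError, so a malformed or zone-qualified request would escape as an unhandled error instead of InsufficientRights. Normalising the parsed value first, e.g. `if requested_time.tzinfo is not None: requested_time = requested_time.astimezone(tzutc()).replace(tzinfo=None)` (or rejecting aware input explicitly), keeps the check on one time base; I cannot see which parser is imported, so treat this as something to confirm. The surrounding method body continues outside the hunk.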
@@ -256,10 +256,9 @@ class Credential(object):
 self.gidObject = legacy.get_gid_object()
 lifetime = legacy.get_lifetime()
 if not lifetime:
- # Default to two years
- self.set_lifetime(DEFAULT_CREDENTIAL_LIFETIME)
+ self.set_expiration(datetime.datetime.utcnow() + datetime.timedelta(seconds=DEFAULT_CREDENTIAL_LIFETIME))
 else:
- self.set_lifetime(int(lifetime))
+ self.set_expiration(int(lifetime))
 self.lifeTime = legacy.get_lifetime()
 self.set_privileges(legacy.get_privileges())
 self.get_privileges().delegate_all_privileges(legacy.get_delegate())
@@ -314,28 +313,30 @@ class Credential(object):
 self.decode()
 return self.gidObject
+
+
 ##
- # set the lifetime of this credential
- #
- # @param lifetime lifetime of credential
- # . if lifeTime is a datetime object, it is used for the expiration time
- # . if lifeTime is an integer value, it is considered the number of seconds
- # remaining before expiration
-
- def set_lifetime(self, lifeTime):
- if isinstance(lifeTime, int):
- self.expiration = datetime.timedelta(seconds=lifeTime) + datetime.datetime.utcnow()
+ # Expiration: an absolute UTC time of expiration (as either an int or datetime)
+ #
+ def set_expiration(self, expiration):
+ if isinstance(expiration, int):
+ self.expiration = datetime.datetime.fromtimestamp(expiration)
 else:
- self.expiration = lifeTime
+ self.expiration = expiration
+
 ##
 # get the lifetime of the credential (in datetime format)
- def get_lifetime(self):
+ def get_expiration(self):
 if not self.expiration:
 self.decode()
 return self.expiration
+ ##
+ # For legacy sake
+ def get_lifetime(self):
+ return self.get_expiration()
 ##
 # set the privileges
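Review bot: `self.set_expiration(int(lifetime))` silently changes what the legacy value means: the removed `set_lifetime(int)` treated an int as seconds remaining, whereas `set_expiration(int)` treats it as an absolute timestamp, so a legacy lifetime such as 3600 now becomes an expiry in January 1970 and the converted credential fails the expiry check as already expired. If `legacy.get_lifetime()` really returns a relative lifetime (the old comment and the retained `self.lifeTime = legacy.get_lifetime()` suggest so, but the legacy class is not in view), the conversion should mirror the default branch just above it, `self.set_expiration(datetime.datetime.utcnow() + datetime.timedelta(seconds=int(lifetime)))`. The enclosing method starts before the hunk.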
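Review bot: set_expiration's new header comment does not say what unit or epoch the int form is in, and the `get_lifetime` alias now returns an absolute datetime although its name, the retained `self.lifeTime` field and the "get the lifetime of the credential" comment it sits next to all read as a remaining duration. Suggested comment on set_expiration: `# @param expiration absolute expiry, either a naive datetime or an int of seconds since the Unix epoch`, and on get_lifetime: `# Deprecated alias for get_expiration(); returns the absolute expiry datetime, not a remaining duration`. Separately, `isinstance(expiration, int)` is the only case that is converted, so a float (what `time.mktime` returns) or any other non-datetime value is stored verbatim and would presumably break the later `.replace(microsecond=0)` in the `@@ -398` hunk; branching on `if isinstance(expiration, datetime.datetime):` and converting everything else as a timestamp would close that gap.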
@@ -398,7 +399,7 @@ class Credential(object):
 append_sub(doc, cred, "target_urn", self.gidObject.get_urn())
 append_sub(doc, cred, "uuid", "")
 if not self.expiration:
- self.set_lifetime(DEFAULT_CREDENTIAL_LIFETIME)
+ self.set_expiration(datetime.datetime.utcnow() + datetime.timedelta(DEFAULT_CREDENTIAL_LIFETIME))
 self.expiration = self.expiration.replace(microsecond=0)
 append_sub(doc, cred, "expires", self.expiration.isoformat())
 privileges = doc.createElement("privileges")
@@ -581,7 +582,7 @@ class Credential(object):
 self.set_refid(cred.getAttribute("xml:id"))
- self.set_lifetime(parse(getTextNode(cred, "expires")))
+ self.set_expiration(parse(getTextNode(cred, "expires")))
 self.gidCaller = GID(string=getTextNode(cred, "owner_gid"))
 self.gidObject = GID(string=getTextNode(cred, "target_gid"))
@@ -673,7 +674,7 @@ class Credential(object):
 return True
 # make sure it is not expired
- if self.get_lifetime() < datetime.datetime.utcnow():
+ if self.get_expiration() < datetime.datetime.utcnow():
 raise CredentialNotVerifiable("Credential expired at %s" % self.expiration.isoformat())
 # Verify the signatures
@@ -781,7 +782,7 @@ class Credential(object):
 raise CredentialNotVerifiable("Target gid not equal between parent and child")
 # make sure my expiry time is <= my parent's
- if not parent_cred.get_lifetime() >= self.get_lifetime():
+ if not parent_cred.get_expiration() >= self.get_expiration():
 raise CredentialNotVerifiable("Delegated credential expires after parent")
 # make sure my signer is the parent's caller
@@ -814,7 +815,7 @@ class Credential(object):
 dcred.set_gid_caller(delegee_gid)
 dcred.set_gid_object(object_gid)
 dcred.set_parent(self)
- dcred.set_lifetime(self.get_lifetime())
+ dcred.set_expiration(self.get_expiration())
 dcred.set_privileges(self.get_privileges())
 dcred.get_privileges().delegate_all_privileges(True)
 #dcred.set_issuer_keys(keyfile, delegee_gidfile)
diff --git a/tests/testCred.py b/tests/testCred.py
index 32fac4af..5a563d65 100755
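Review bot: `datetime.timedelta(DEFAULT_CREDENTIAL_LIFETIME)` passes the constant as timedelta's first positional argument, which is days, not seconds; with the new value of 86400 * 14 a credential encoded without an explicit expiry is stamped roughly 1.2 million days (about 3300 years) ahead instead of two weeks, and the expiry check in the `@@ -673` hunk would never reject it. The `@@ -256` hunk in the same file spells the same default correctly, so this line should read `self.set_expiration(datetime.datetime.utcnow() + datetime.timedelta(seconds=DEFAULT_CREDENTIAL_LIFETIME))`. The enclosing method starts before and continues after the hunk.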
--- a/tests/testCred.py
+++ b/tests/testCred.py
@@ -32,7 +32,7 @@ class TestCred(unittest.TestCase):
 cred.set_gid_object(gidObject)
 self.assertEqual(cred.get_gid_object().get_subject(), gidObject.get_subject())
- cred.set_lifetime(lifeTime)
+ cred.set_expiration(datetime.datetime.utcnow() + datetime.timedelta(seconds=lifeTime))
 cred.set_privileges(rights)
 self.assertEqual(cred.get_privileges().save_to_string(), rights)
@@ -81,7 +81,7 @@ class TestCred(unittest.TestCase):
 cred = Credential()
 cred.set_gid_caller(gidCaller)
 cred.set_gid_object(gidObject)
- cred.set_lifetime(3600)
+ cred.set_expiration(datetime.datetime.utcnow() + datetime.timedelta(seconds=3600))
 cred.set_privileges("embed:1, bind:1")
 cred.encode()
@@ -103,7 +103,7 @@ class TestCred(unittest.TestCase):
 delegated.set_gid_caller(gidDelegatee)
 delegated.set_gid_object(gidObject)
 delegated.set_parent(cred)
- delegated.set_lifetime(600)
+ delegated.set_expiration(datetime.datetime.utcnow() + datetime.timedelta(seconds=600))
 delegated.set_privileges("embed:1, bind:1")
 gidCaller.save_to_file("/tmp/caller_gid")
 ckeys.save_to_file("/tmp/caller_pkey")
@@ -120,7 +120,7 @@ class TestCred(unittest.TestCase):
 backup = Credential(string=delegated.get_xml())
 # Test that verify catches an incorrect lifetime
- delegated.set_lifetime(6000)
+ delegated.set_expiration(datetime.datetime.utcnow() + datetime.timedelta(seconds=6000))
 delegated.encode()
 delegated.sign()
 try:
--
2.43.0
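Review bot: Every updated call exercises only the datetime branch of set_expiration; the int branch that registry_manager_pl now relies on has no test, so nothing pins whether an integer is read as UTC or local epoch seconds, nor that the value survives encode/decode unchanged. One assertion in the first test would do it, with a constructed sample timestamp: `cred.set_expiration(1288000000)` followed by `self.assertEqual(cred.get_expiration(), datetime.datetime.utcfromtimestamp(1288000000))`. A second check that a credential encoded without any expiry decodes to an expiry within a day of `utcnow()` plus DEFAULT_CREDENTIAL_LIFETIME would likewise catch the days-versus-seconds slip in credential.py's encode hunk. Each test method starts before its hunk.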