Beispiel #1
def get_username_from_cert(cert_string):
    # Map a PEM certificate string to the username it belongs to.
    #
    # NOTE(review): this listing is incomplete.  The ``try:`` lines that open
    # the two guarded sections (the GID parse on the next line and the URN
    # parse further down), the ``except`` of the first section and the
    # ``else:`` between the two ``username`` assignments did not survive
    # extraction, so the function as shown does not parse.  The comments
    # below describe only the control flow that is visible.
    #
    # @param cert_string: PEM-encoded certificate text
    # @return: the username derived from the certificate's subjectAltName
    #     URN, or ``cert_string`` itself when the certificate or its URN
    #     cannot be parsed
        gid = GID(string=cert_string)
        # extract the URN in the subjectAltName
        urn_str = gid.get_urn()
        logger.debug("URN: %s" % urn_str)
        # Handler for a failed GID parse (its ``except`` line is missing from
        # the listing).  NOTE(review): the fallback hands back the raw
        # certificate text as the "username"; a caller that uses the return
        # value as an identity must treat it as unparsed input rather than
        # an authenticated name.
        logger.warn("Failed to get certificate from string.")
        return cert_string
        # Second guarded section (its ``try:`` is missing from the listing):
        # parse the URN string taken from the certificate.
        urn = URN(urn=str(urn_str))
    except ValueError:
        # Same fallback as above: an unparseable URN yields the raw input.
        return cert_string
    # check if this user is one of ours
    home_urn = get_user_urn(urn.getName())
    if home_urn == urn.urn_string():
        # The URN is the one this clearinghouse would issue for that name,
        # so the bare name is the local username.
        username = urn.getName()
        # Presumably the ``else`` branch (missing from the listing): a URN
        # from another authority is mapped to the "<name>@<authority>" form
        # produced by urn_to_username.
        username = urn_to_username(urn.urn_string())
    logger.debug("Returning username %s" % username)
    return username
Beispiel #2
def CreateSlice(user_cert, urn_req=None):
    """Create a slice for the user identified by ``user_cert``.

    NOTE(review): this listing is incomplete.  The ``try:`` lines that open
    the user lookup, the certificate creation and the user-GID parse, the
    ``else:`` of the ``if urn_req`` branch, the closing parenthesis of the
    BadURNException call, and the tail of the function after the user GID
    is loaded (including its return value) did not survive extraction.  The
    comments below describe only the control flow that is visible.

    @param user_cert: PEM-encoded SSL client certificate of the caller
    @param urn_req: slice URN requested by the caller, or None to have one
        generated by this clearinghouse
    @raise BadURNException: if ``urn_req`` differs from the URN this
        clearinghouse would generate for the same name
    @raise Exception: if the user is unknown, the slice certificate cannot
        be created, or the user GID cannot be read from ``user_cert``
    """
    # Is this user allowed to create a slice?
    # first get the user with this cert
    username = get_username_from_cert(user_cert)
    # The user lookup that raises User.DoesNotExist, and its ``try:``, are
    # missing from the listing.  NOTE(review): get_username_from_cert returns
    # the raw certificate text when the certificate cannot be parsed, so the
    # "Unknown user" message below may carry a whole PEM blob.  Only an
    # existence check is visible here; any authorization check would be in
    # the missing lines.
    except User.DoesNotExist:
        raise Exception("Unknown user %s." % username)
    if urn_req:
        # check the requested URN
        urn = URN(urn=urn_req)
        # make sure that we would generate the same urn if using the
        # same name (i.e. authority is the same...)
        urn_gen = get_slice_urn(urn.getName())
        if urn_gen != urn_req:
            # The caller-supplied URN is echoed verbatim into the message.
            # (The call's closing parenthesis is missing from the listing.)
            raise BadURNException(
                "The requested URN is not one that would be generated"
                " by this clearinghouse. Requested was %s, but generated"
                " is %s" % (urn_req, urn_gen)
        # Presumably the ``else`` branch (missing from the listing): no URN
        # was requested, so mint one.
        # Generate a unique URN for the slice
        urn_req = create_slice_urn()
        # Guarded section whose ``try:`` is missing from the listing: mint
        # the slice certificate; only element 0 of the result is kept.
        slice_gid = create_x509_cert(urn_req)[0]
    except Exception as exc:
        # The full traceback goes to the log; the caller only sees the URN.
        logger.error("Could not create slice. Error\n %s"
                     % traceback.format_exc())
        raise Exception("Failed to create slice %s." % urn_req)

    # Now get the user GID which will have permissions on this slice.
    # It doesnt have the chain but should be signed
    # by this CHs cert, which should also be a trusted
    # root at any federated AM. So everyone can verify it as is.
    # Note that if a user from a different CH (installed
    # as trusted by this CH for some reason) called this method,
    # that user would be used here - and can still get a valid slice
        # Guarded section whose ``try:`` is missing from the listing.
        user_gid = gid.GID(string=user_cert)
    except Exception, exc:
        # Python 2 ``except`` syntax; ``exc`` is passed as a second argument
        # to the Exception raised below, after the URN-bearing message.
        logger.error("CreateSlice failed to create user_gid from SSL client cert: %s", traceback.format_exc())
        raise Exception("Failed to create slice %s. Cant get user GID from SSL client certificate." % urn_req, exc)
Beispiel #3
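def urn_to_username(urn):
    """Create a valid username from a URN.

    The username is the name part of the URN and the authority part of the
    URN joined with "@" (name first).  Any "//" in the authority is folded
    into ".", the authority is truncated to 150 characters and the name to
    100 characters, and every character other than letters, digits, '@',
    '-', '_', '+' and '.' is replaced with '_'.

    e.g. "urn:publicid:IDN+stanford:expedient%26+user+jnaous" yields the
    name part, then "@", then the authority part, with every disallowed
    character replaced by '_'.

    Because of the truncation and the character replacement, distinct URNs
    can map to the same username; callers that use the result as an
    identity key must not assume the mapping is one-to-one.

    NOTE(review): ``\\w`` is ASCII-only for a C{str} pattern on Python 2 but
    Unicode-aware on Python 3, so which characters pass through unchanged
    depends on the interpreter; use an explicit ``[^A-Za-z0-9@+._-]`` class
    if usernames must stay ASCII.

    @param urn: a urn to turn into a username
    @type urn: C{str}
    @return: a valid username of at most 251 characters
    @rtype: C{str}
    @raise ValueError: if ``urn`` is not a well-formed URN
    """
    invalid_chars_re = re.compile(r"[^\w@+.-]")

    # The URN constructor rejects a malformed URN with ValueError.
    parsed = URN(urn=str(urn))

    # "//" is not a valid username character sequence, so fold it into the
    # '.' separator, then bound the length; slicing a shorter string is a
    # no-op, so no length check is needed.
    auth = parsed.getAuthority().replace("//", ".")[:150]
    name = parsed.getName()[:100]

    # The substitution is one character for one, so the length bound
    # established above (100 + 1 + 150) still holds afterwards.
    username = invalid_chars_re.sub("_", name + "@" + auth)

    # Internal invariant, not input validation: guaranteed by the truncation
    # above and kept as a guard against a future change to those limits.
    assert len(username) <= 255

    return username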
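def urn_to_username(urn):
    """Create a valid username from a URN.

    The username is the name part of the URN and the authority part of the
    URN joined with "@" (name first).  Any "//" in the authority is folded
    into ".", the authority is truncated to 150 characters and the name to
    100 characters, and every character other than letters, digits, '@',
    '-', '_', '+' and '.' is replaced with '_'.

    e.g. "urn:publicid:IDN+stanford:expedient%26+user+jnaous" yields the
    name part, then "@", then the authority part, with every disallowed
    character replaced by '_'.

    Truncation and character replacement are lossy, so two different URNs
    can produce the same username; do not treat the result as a unique key
    for the URN.

    NOTE(review): ``\\w`` is ASCII-only for a C{str} pattern on Python 2 but
    Unicode-aware on Python 3; use an explicit ``[^A-Za-z0-9@+._-]`` class
    if usernames must stay ASCII regardless of interpreter.

    @param urn: a urn to turn into a username
    @type urn: C{str}
    @return: a valid username of at most 251 characters
    @rtype: C{str}
    @raise ValueError: if ``urn`` is not a well-formed URN
    """
    max_auth_len = 150
    max_name_len = 100

    # The URN constructor rejects a malformed URN with ValueError.
    parsed = URN(urn=str(urn))

    # Fold "//" into the '.' separator, then bound the authority length.
    auth = ".".join(parsed.getAuthority().split("//"))
    if len(auth) > max_auth_len:
        auth = auth[:max_auth_len]

    name = parsed.getName()
    if len(name) > max_name_len:
        name = name[:max_name_len]

    # One-for-one substitution: the length bound (100 + 1 + 150) is kept.
    username = re.sub(r"[^\w@+.-]", "_", "%s@%s" % (name, auth))

    # Internal invariant guaranteed by the truncation above.
    assert len(username) <= 255

    return username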
Beispiel #5
def create_cert(urn, issuer_key=None, issuer_cert=None, intermediate=False):
    '''Create a new certificate and return it and the associated keys.
    If issuer cert and key are given, they sign the certificate. Otherwise
    it is a self-signed certificate.
    If intermediate then mark this
    as an intermediate CA certificate (can sign).
    Certificate URN must be supplied.
    CN of the cert will be dotted notation from the URN.

    NOTE(review): this listing is incomplete.  The closing quotes of this
    docstring, the remaining keyword arguments of the GID(...) call, the
    body of the ``if intermediate:`` branch and the ``else:`` before the
    self-signed case did not survive extraction.

    @param urn: URN of the new certificate
    @param issuer_key: the issuer's Keypair object, or a path to its key
        file (a C{str} is treated as a filename, never as key material)
    @param issuer_cert: the issuer's GID object, or a path to its
        certificate file
    @param intermediate: if true, mark the new certificate as able to sign
        certificates; this is decided solely by the flag, so callers must
        not let it be set from untrusted input
    @return: tuple of (GID, Keypair) for the new certificate
    @raise ValueError: if ``urn`` is not a valid URN

    Note that both ``issuer_key`` and ``issuer_cert`` must be given for the
    issuer to be used; supplying only one silently produces a self-signed
    certificate instead of an error.
    '''
    # Note the below throws a ValueError if it wasnt a valid URN
    c_urn = URN(urn=urn)
    dotted = '%s.%s.%s' % (c_urn.getAuthority(), c_urn.getType(), c_urn.getName())

    # The subject is cut to 64 characters (presumably the X.509 commonName
    # length limit); the rest of the GID(...) arguments are missing here.
    newgid = GID(create=True, subject=dotted[:64],
    keys = Keypair(create=True)
    if intermediate:
        # This cert will be able to sign certificates
        # (the statement that sets the CA capability is missing from the
        # listing)
    if issuer_key and issuer_cert:
        # the given issuer will issue this cert
        # A string argument is a path: the key / certificate are loaded
        # from disk rather than parsed from the string itself.
        if isinstance(issuer_key,str):
            issuer_key = Keypair(filename=issuer_key)
        if isinstance(issuer_cert,str):
            issuer_cert = GID(filename=issuer_cert)
        newgid.set_issuer(issuer_key, cert=issuer_cert)
        # create a self-signed cert (the ``else:`` is missing from the
        # listing).  NOTE(review): the issuer subject here is the untruncated
        # ``dotted`` while the certificate subject above is ``dotted[:64]``;
        # confirm the two are meant to differ for names longer than 64
        # characters.
        newgid.set_issuer(keys, subject=dotted)

    return newgid, keys