def verify(self, trusted_certs=None, schema=None, trusted_certs_required=True):
if not self.xml:
self.decode()
# validate against RelaxNG schema
if HAVELXML and not self.legacy:
if schema and os.path.exists(schema):
tree = etree.parse(StringIO(self.xml))
schema_doc = etree.parse(schema)
xmlschema = etree.XMLSchema(schema_doc)
if not xmlschema.validate(tree):
error = xmlschema.error_log.last_error
message = "%s: %s (line %s)" % (self.get_summary_tostring(), error.message, error.line)
raise CredentialNotVerifiable(message)
if trusted_certs_required and trusted_certs is None:
trusted_certs = []
# trusted_cert_objects = [GID(filename=f) for f in trusted_certs]
trusted_cert_objects = []
ok_trusted_certs = []
# If caller explicitly passed in None that means skip cert chain validation.
# Strange and not typical
if trusted_certs is not None:
for f in trusted_certs:
try:
# Failures here include unreadable files
# or non PEM files
trusted_cert_objects.append(GID(filename=f))
ok_trusted_certs.append(f)
except Exception, exc:
logger.error("Failed to load trusted cert from %s: %r" % (f, exc))
trusted_certs = ok_trusted_certs
def verify(self, trusted_certs=None, schema=None, trusted_certs_required=True):
if not self.xml:
self.decode()
# validate against RelaxNG schema
if HAVELXML and not self.legacy:
if schema and os.path.exists(schema):
tree = etree.parse(StringIO(self.xml))
schema_doc = etree.parse(schema)
xmlschema = etree.XMLSchema(schema_doc)
if not xmlschema.validate(tree):
error = xmlschema.error_log.last_error
message = "%s: %s (line %s)" % (self.get_summary_tostring(), error.message, error.line)
raise CredentialNotVerifiable(message)
if trusted_certs_required and trusted_certs is None:
trusted_certs = []
# trusted_cert_objects = [GID(filename=f) for f in trusted_certs]
trusted_cert_objects = []
ok_trusted_certs = []
# If caller explicitly passed in None that means skip cert chain validation.
# Strange and not typical
if trusted_certs is not None:
for f in trusted_certs:
try:
# Failures here include unreadable files
# or non PEM files
trusted_cert_objects.append(GID(filename=f))
ok_trusted_certs.append(f)
except Exception, exc:
logger.error("Failed to load trusted cert from %s: %r" % (f, exc))
trusted_certs = ok_trusted_certs
def utcparse(input):
""" Translate a string into a time using dateutil.parser.parse but make sure it's in UTC time and strip
the timezone, so that it's compatible with normal datetime.datetime objects.
For safety this can also handle inputs that are either timestamps, or datetimes
"""
# prepare the input for the checks below by
# casting strings ('1327098335') to ints
if isinstance(input, StringTypes):
try:
input = int(input)
except ValueError:
pass
if isinstance (input, datetime.datetime):
logger.warn ("argument to utcparse already a datetime - doing nothing")
return input
elif isinstance (input, StringTypes):
t = dateutil.parser.parse(input)
if t.utcoffset() is not None:
t = t.utcoffset() + t.replace(tzinfo=None)
# the above line is wrong: you need to substract the utcoffset, not add it!
# a better way is: t = t.astimezone(pytz.utc) #only works if not naive
raise RuntimeException('unfixed bug in code triggered')
return t
elif isinstance (input, (int,float,long)):
return datetime.datetime.fromtimestamp(input)
else:
logger.error("Unexpected type in utcparse [%s]"%type(input))
def utcparse(input):
""" Translate a string into a time using dateutil.parser.parse but make sure it's in UTC time and strip
the timezone, so that it's compatible with normal datetime.datetime objects.
For safety this can also handle inputs that are either timestamps, or datetimes
"""
# prepare the input for the checks below by
# casting strings ('1327098335') to ints
if isinstance(input, StringTypes):
try:
input = int(input)
except ValueError:
pass
if isinstance (input, datetime.datetime):
logger.warn ("argument to utcparse already a datetime - doing nothing")
return input
elif isinstance (input, StringTypes):
t = dateutil.parser.parse(input)
if t.utcoffset() is not None:
t = t.utcoffset() + t.replace(tzinfo=None)
return t
elif isinstance (input, (int,float,long)):
return datetime.datetime.fromtimestamp(input)
else:
logger.error("Unexpected type in utcparse [%s]"%type(input))
def utcparse(input):
""" Translate a string into a time using dateutil.parser.parse but make sure it's in UTC time and strip
the timezone, so that it's compatible with normal datetime.datetime objects.
For safety this can also handle inputs that are either timestamps, or datetimes
"""
# prepare the input for the checks below by
# casting strings ('1327098335') to ints
if isinstance(input, StringTypes):
try:
input = int(input)
except ValueError:
pass
if isinstance(input, datetime.datetime):
logger.warn("argument to utcparse already a datetime - doing nothing")
return input
elif isinstance(input, StringTypes):
t = dateutil.parser.parse(input)
if t.utcoffset() is not None:
t = t.utcoffset() + t.replace(tzinfo=None)
return t
elif isinstance(input, (int, float, long)):
return datetime.datetime.fromtimestamp(input)
else:
logger.error("Unexpected type in utcparse [%s]" % type(input))
def set_expiration(self, expiration):
if isinstance(expiration, (int, float)):
self.expiration = datetime.datetime.fromtimestamp(expiration)
elif isinstance (expiration, datetime.datetime):
self.expiration = expiration
elif isinstance (expiration, StringTypes):
self.expiration = utcparse (expiration)
else:
logger.error ("unexpected input type in Credential.set_expiration")
def set_expiration(self, expiration):
if isinstance(expiration, (int, float)):
self.expiration = datetime.datetime.fromtimestamp(expiration)
elif isinstance(expiration, datetime.datetime):
self.expiration = expiration
elif isinstance(expiration, StringTypes):
self.expiration = utcparse(expiration)
else:
logger.error("unexpected input type in Credential.set_expiration")
def set_expiration(self, expiration):
if isinstance(expiration, (int, float)):
self.expiration = datetime.datetime.utcfromtimestamp(expiration).replace(tzinfo=pytz.utc)
elif isinstance (expiration, datetime.datetime):
self.expiration = expiration
if self.expiration.tzinfo is None or self.expiration.tzinfo.utcoffset(self.expiration) is None:
raise ValueError('set_expiration called with expire time missing timezone info')
elif isinstance (expiration, StringTypes):
self.expiration = dateutil.parser.parse(expiration)
if self.expiration.tzinfo is None or self.expiration.tzinfo.utcoffset(self.expiration) is None:
raise ExpireTimezoneError('set_expiration callled with String expire time missing timezone info: "{0}"'.format(expiration))
else:
logger.error ("unexpected input type in Credential.set_expiration")
raise ValueError('unexpected input type in Credential.set_expiration', expiration)
if not isinstance (self.expiration, datetime.datetime):
logger.error('credential.py bug: set_expiration finished with credential is not datetime. It is {0}'.format(self.expiration.__class__))
raise RuntimeError('credential.py bug: set_expiration finished with credential that is not datetime')
if self.expiration.tzinfo is None or self.expiration.tzinfo.utcoffset(self.expiration) is None:
logger.error('credential.py bug: set_expiration finished with credential that has expire time missing timezone info')
raise RuntimeError('credential.py bug: set_expiration finished with credential that has expire time missing timezone info')
if t.utcoffset() is not None:
#force timezone to UTC without changing time
t = t.astimezone(pytz.utc)
def set_expiration(self, expiration):
if isinstance(expiration, (int, float)):
self.expiration = datetime.datetime.utcfromtimestamp(expiration).replace(tzinfo=pytz.utc)
elif isinstance (expiration, datetime.datetime):
self.expiration = expiration
if self.expiration.tzinfo is None or self.expiration.tzinfo.utcoffset(self.expiration) is None:
raise ValueError('set_expiration called with expire time missing timezone info')
elif isinstance (expiration, StringTypes):
self.expiration = dateutil.parser.parse(expiration)
if self.expiration.tzinfo is None or self.expiration.tzinfo.utcoffset(self.expiration) is None:
raise ExpireTimezoneError('set_expiration callled with String expire time missing timezone info: "{0}"'.format(expiration))
else:
logger.error ("unexpected input type in Credential.set_expiration")
raise ValueError('unexpected input type in Credential.set_expiration', expiration)
if not isinstance (self.expiration, datetime.datetime):
logger.error('credential.py bug: set_expiration finished with credential is not datetime. It is {0}'.format(self.expiration.__class__))
raise RuntimeError('credential.py bug: set_expiration finished with credential that is not datetime')
if self.expiration.tzinfo is None or self.expiration.tzinfo.utcoffset(self.expiration) is None:
logger.error('credential.py bug: set_expiration finished with credential that has expire time missing timezone info')
raise RuntimeError('credential.py bug: set_expiration finished with credential that has expire time missing timezone info')
if t.utcoffset() is not None:
#force timezone to UTC without changing time
t = t.astimezone(pytz.utc)
def encode(self):
# Create the XML document
doc = Document()
signed_cred = doc.createElement("signed-credential")
# Declare namespaces
# Note that credential/policy.xsd are really the PG schemas
# in a PL namespace.
# Note that delegation of credentials between the 2 only really works
# cause those schemas are identical.
# Also note these PG schemas talk about PG tickets and CM policies.
signed_cred.setAttribute("xmlns:xsi", "http://www.w3.org/2001/XMLSchema-instance")
signed_cred.setAttribute("xsi:noNamespaceSchemaLocation", "http://www.planet-lab.org/resources/sfa/credential.xsd")
signed_cred.setAttribute("xsi:schemaLocation", "http://www.planet-lab.org/resources/sfa/ext/policy/1 http://www.planet-lab.org/resources/sfa/ext/policy/1/policy.xsd")
# PG says for those last 2:
# signed_cred.setAttribute("xsi:noNamespaceSchemaLocation", "http://www.protogeni.net/resources/credential/credential.xsd")
# signed_cred.setAttribute("xsi:schemaLocation", "http://www.protogeni.net/resources/credential/ext/policy/1 http://www.protogeni.net/resources/credential/ext/policy/1/policy.xsd")
doc.appendChild(signed_cred)
# Fill in the <credential> bit
cred = doc.createElement("credential")
cred.setAttribute("xml:id", self.get_refid())
signed_cred.appendChild(cred)
append_sub(doc, cred, "type", "privilege")
append_sub(doc, cred, "serial", "8")
append_sub(doc, cred, "owner_gid", self.gidCaller.save_to_string())
append_sub(doc, cred, "owner_urn", self.gidCaller.get_urn())
append_sub(doc, cred, "target_gid", self.gidObject.save_to_string())
append_sub(doc, cred, "target_urn", self.gidObject.get_urn())
append_sub(doc, cred, "uuid", "")
#was: if not self.expiration:
#was: self.set_expiration(datetime.datetime.utcnow() + datetime.timedelta(seconds=DEFAULT_CREDENTIAL_LIFETIME))
if not self.expiration:
logger.error('credential.py usage bug: credential was created without expire')
raise RuntimeError('credential.py usage bug: credential was created without expire')
if (not isinstance (self.expiration, datetime.datetime)) or self.expiration.tzinfo is None or self.expiration.tzinfo.utcoffset(self.expiration) is None:
#credential.py bug because set_expiration should have handled this
logger.error('credential.py bug: credential was has expire time missing timezone info')
raise RuntimeError('credential.py bug: credential was has expire time missing timezone info')
else:
self.expiration = self.expiration.replace(microsecond=0)
append_sub(doc, cred, "expires", pyrfc3339.generate(self.expiration))
#was: append_sub(doc, cred, "expires", self.expiration.isoformat())
privileges = doc.createElement("privileges")
cred.appendChild(privileges)
if self.privileges:
rights = self.get_privileges()
for right in rights.rights:
priv = doc.createElement("privilege")
append_sub(doc, priv, "name", right.kind)
append_sub(doc, priv, "can_delegate", str(right.delegate).lower())
privileges.appendChild(priv)
# Add the parent credential if it exists
if self.parent:
sdoc = parseString(self.parent.get_xml())
# If the root node is a signed-credential (it should be), then
# get all its attributes and attach those to our signed_cred
# node.
# Specifically, PG and PLadd attributes for namespaces (which is reasonable),
# and we need to include those again here or else their signature
# no longer matches on the credential.
# We expect three of these, but here we copy them all:
# signed_cred.setAttribute("xmlns:xsi", "http://www.w3.org/2001/XMLSchema-instance")
# and from PG (PL is equivalent, as shown above):
# signed_cred.setAttribute("xsi:noNamespaceSchemaLocation", "http://www.protogeni.net/resources/credential/credential.xsd")
# signed_cred.setAttribute("xsi:schemaLocation", "http://www.protogeni.net/resources/credential/ext/policy/1 http://www.protogeni.net/resources/credential/ext/policy/1/policy.xsd")
# HOWEVER!
# PL now also declares these, with different URLs, so
# the code notices those attributes already existed with
# different values, and complains.
# This happens regularly on delegation now that PG and
# PL both declare the namespace with different URLs.
# If the content ever differs this is a problem,
# but for now it works - different URLs (values in the attributes)
# but the same actual schema, so using the PG schema
# on delegated-to-PL credentials works fine.
# Note: you could also not copy attributes
# which already exist. It appears that both PG and PL
# will actually validate a slicecred with a parent
# signed using PG namespaces and a child signed with PL
# namespaces over the whole thing. But I don't know
# if that is a bug in xmlsec1, an accident since
# the contents of the schemas are the same,
# or something else, but it seems odd. And this works.
parentRoot = sdoc.documentElement
if parentRoot.tagName == "signed-credential" and parentRoot.hasAttributes():
for attrIx in range(0, parentRoot.attributes.length):
attr = parentRoot.attributes.item(attrIx)
# returns the old attribute of same name that was
# on the credential
# Below throws InUse exception if we forgot to clone the attribute first
oldAttr = signed_cred.setAttributeNode(attr.cloneNode(True))
if oldAttr and oldAttr.value != attr.value:
msg = "Delegating cred from owner %s to %s over %s:\n - Replaced attribute %s value '%s' with '%s'" % (self.parent.gidCaller.get_urn(), self.gidCaller.get_urn(), self.gidObject.get_urn(), oldAttr.name, oldAttr.value, attr.value)
logger.warn(msg)
#raise CredentialNotVerifiable("Can't encode new valid delegated credential: %s" % msg)
p_cred = doc.importNode(sdoc.getElementsByTagName("credential")[0], True)
p = doc.createElement("parent")
p.appendChild(p_cred)
cred.appendChild(p)
# done handling parent credential
# Create the <signatures> tag
signatures = doc.createElement("signatures")
signed_cred.appendChild(signatures)
# Add any parent signatures
if self.parent:
for cur_cred in self.get_credential_list()[1:]:
sdoc = parseString(cur_cred.get_signature().get_xml())
ele = doc.importNode(sdoc.getElementsByTagName("Signature")[0], True)
signatures.appendChild(ele)
# Get the finished product
self.xml = doc.toxml()
def encode(self):
# Create the XML document
doc = Document()
signed_cred = doc.createElement("signed-credential")
# Declare namespaces
# Note that credential/policy.xsd are really the PG schemas
# in a PL namespace.
# Note that delegation of credentials between the 2 only really works
# cause those schemas are identical.
# Also note these PG schemas talk about PG tickets and CM policies.
signed_cred.setAttribute("xmlns:xsi",
"http://www.w3.org/2001/XMLSchema-instance")
signed_cred.setAttribute(
"xsi:noNamespaceSchemaLocation",
"http://www.planet-lab.org/resources/sfa/credential.xsd")
signed_cred.setAttribute(
"xsi:schemaLocation",
"http://www.planet-lab.org/resources/sfa/ext/policy/1 http://www.planet-lab.org/resources/sfa/ext/policy/1/policy.xsd"
)
# PG says for those last 2:
# signed_cred.setAttribute("xsi:noNamespaceSchemaLocation", "http://www.protogeni.net/resources/credential/credential.xsd")
# signed_cred.setAttribute("xsi:schemaLocation", "http://www.protogeni.net/resources/credential/ext/policy/1 http://www.protogeni.net/resources/credential/ext/policy/1/policy.xsd")
doc.appendChild(signed_cred)
# Fill in the <credential> bit
cred = doc.createElement("credential")
cred.setAttribute("xml:id", self.get_refid())
signed_cred.appendChild(cred)
append_sub(doc, cred, "type", "privilege")
append_sub(doc, cred, "serial", "8")
append_sub(doc, cred, "owner_gid", self.gidCaller.save_to_string())
append_sub(doc, cred, "owner_urn", self.gidCaller.get_urn())
append_sub(doc, cred, "target_gid", self.gidObject.save_to_string())
append_sub(doc, cred, "target_urn", self.gidObject.get_urn())
append_sub(doc, cred, "uuid", "")
#was: if not self.expiration:
#was: self.set_expiration(datetime.datetime.utcnow() + datetime.timedelta(seconds=DEFAULT_CREDENTIAL_LIFETIME))
if not self.expiration:
logger.error(
'credential.py usage bug: credential was created without expire'
)
raise RuntimeError(
'credential.py usage bug: credential was created without expire'
)
if (
not isinstance(self.expiration, datetime.datetime)
) or self.expiration.tzinfo is None or self.expiration.tzinfo.utcoffset(
self.expiration) is None:
#credential.py bug because set_expiration should have handled this
logger.error(
'credential.py bug: credential was has expire time missing timezone info'
)
raise RuntimeError(
'credential.py bug: credential was has expire time missing timezone info'
)
else:
self.expiration = self.expiration.replace(microsecond=0)
append_sub(doc, cred, "expires",
pyrfc3339.generate(self.expiration))
#was: append_sub(doc, cred, "expires", self.expiration.isoformat())
privileges = doc.createElement("privileges")
cred.appendChild(privileges)
if self.privileges:
rights = self.get_privileges()
for right in rights.rights:
priv = doc.createElement("privilege")
append_sub(doc, priv, "name", right.kind)
append_sub(doc, priv, "can_delegate",
str(right.delegate).lower())
privileges.appendChild(priv)
# Add the parent credential if it exists
if self.parent:
sdoc = parseString(self.parent.get_xml())
# If the root node is a signed-credential (it should be), then
# get all its attributes and attach those to our signed_cred
# node.
# Specifically, PG and PLadd attributes for namespaces (which is reasonable),
# and we need to include those again here or else their signature
# no longer matches on the credential.
# We expect three of these, but here we copy them all:
# signed_cred.setAttribute("xmlns:xsi", "http://www.w3.org/2001/XMLSchema-instance")
# and from PG (PL is equivalent, as shown above):
# signed_cred.setAttribute("xsi:noNamespaceSchemaLocation", "http://www.protogeni.net/resources/credential/credential.xsd")
# signed_cred.setAttribute("xsi:schemaLocation", "http://www.protogeni.net/resources/credential/ext/policy/1 http://www.protogeni.net/resources/credential/ext/policy/1/policy.xsd")
# HOWEVER!
# PL now also declares these, with different URLs, so
# the code notices those attributes already existed with
# different values, and complains.
# This happens regularly on delegation now that PG and
# PL both declare the namespace with different URLs.
# If the content ever differs this is a problem,
# but for now it works - different URLs (values in the attributes)
# but the same actual schema, so using the PG schema
# on delegated-to-PL credentials works fine.
# Note: you could also not copy attributes
# which already exist. It appears that both PG and PL
# will actually validate a slicecred with a parent
# signed using PG namespaces and a child signed with PL
# namespaces over the whole thing. But I don't know
# if that is a bug in xmlsec1, an accident since
# the contents of the schemas are the same,
# or something else, but it seems odd. And this works.
parentRoot = sdoc.documentElement
if parentRoot.tagName == "signed-credential" and parentRoot.hasAttributes(
):
for attrIx in range(0, parentRoot.attributes.length):
attr = parentRoot.attributes.item(attrIx)
# returns the old attribute of same name that was
# on the credential
# Below throws InUse exception if we forgot to clone the attribute first
oldAttr = signed_cred.setAttributeNode(
attr.cloneNode(True))
if oldAttr and oldAttr.value != attr.value:
msg = "Delegating cred from owner %s to %s over %s:\n - Replaced attribute %s value '%s' with '%s'" % (
self.parent.gidCaller.get_urn(),
self.gidCaller.get_urn(), self.gidObject.get_urn(),
oldAttr.name, oldAttr.value, attr.value)
logger.warn(msg)
#raise CredentialNotVerifiable("Can't encode new valid delegated credential: %s" % msg)
p_cred = doc.importNode(
sdoc.getElementsByTagName("credential")[0], True)
p = doc.createElement("parent")
p.appendChild(p_cred)
cred.appendChild(p)
# done handling parent credential
# Create the <signatures> tag
signatures = doc.createElement("signatures")
signed_cred.appendChild(signatures)
# Add any parent signatures
if self.parent:
for cur_cred in self.get_credential_list()[1:]:
sdoc = parseString(cur_cred.get_signature().get_xml())
ele = doc.importNode(
sdoc.getElementsByTagName("Signature")[0], True)
signatures.appendChild(ele)
# Get the finished product
self.xml = doc.toxml()