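def handle_sf_cred(self, user, xml_cred):
    """Parse a GENI speaks-for (ABAC) credential supplied by the client.

    ``xml_cred`` is client-supplied XML and must be treated as untrusted.
    It is parsed with ``ABACCredential``; the issuer certificate is taken
    from the credential's signature and the first tail element is taken as
    the requesting principal.

    SECURITY NOTE(review): the credential's signature is NOT verified here.
    Two checks were present and disabled: a libabac
    ``ABAC.Context().load_attribute_chunk(xml_cred)`` against the client
    cert (libabac segfaulted on GENI ABAC creds) and
    ``sf_cred.verify(trusted_certs=[settings.SSL_OPTIONS['ca_certs']])``
    (reported as not working for these creds).  Until one of them is
    restored, a client can present a speaks-for credential "issued" by any
    identity it chooses, so nothing downstream may treat ``sf_user`` or
    ``sf_req`` as authenticated.  ``user`` is not read by the visible code;
    it was only consulted by the disabled libabac path.

    Raises:
        AbacError: if the credential cannot be parsed or has no tail.  The
            underlying exception text is included in the message; confirm
            it is not echoed verbatim to remote clients.
    """
    try:
        # XX: libabac segfaults on the GENI abac creds, so ABACCredential
        # is used instead of ABAC.Context().load_attribute_chunk().
        sf_cred = ABACCredential(string=xml_cred)
        # TODO(security): re-enable signature verification once
        # ABACCredential.verify() works for GENI ABAC creds:
        #   sf_cred.verify(trusted_certs=[settings.SSL_OPTIONS['ca_certs']])
        sf_cert = sf_cred.get_signature().get_issuer_gid().save_to_string()
        sf_user = ABAC.ID_chunk(sf_cert)
        # An empty tail list raises IndexError, converted to AbacError below.
        sf_req = sf_cred.get_tails()[0]
    except Exception as e:
        # "as e" is valid on Python 2.6+ and 3; the old "Exception, e" form
        # is a SyntaxError on Python 3.
        raise AbacError("Could not read the speaks-for cert: %s" % e)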
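def create_sign_abaccred(tool_gid, user_gid, ma_gid, user_key_file,
                         cred_filename, dur_days=365):
    """Create and sign a GENI speaks-for ABAC credential and write it to a file.

    The credential has the user's key id / URN as its head, with the role
    ``speaks_for_<user_keyid>``, and a single tail naming the tool's key id
    / URN.  It is signed with the user's private key and certificate chain.

    Args:
        tool_gid: GID of the tool that will speak for the user.
        user_gid: GID of the user granting the speaks-for right.
        ma_gid: GID of the authority that issued ``user_gid``; its PEM is
            appended to the user's cert (if not already present) so the
            signing chain is complete.
        user_key_file: path to the user's private key.  It is passed by
            path to ``ABACCredential.set_issuer_keys`` and never read here.
        cred_filename: destination path for the signed credential XML.
        dur_days: validity period in days from now (naive UTC); default 365.

    Side effects: prints progress to stdout and writes ``cred_filename``.
    A temporary file holding the user's (public) certificate chain is
    created for ``set_issuer_keys`` and removed again before returning;
    the previous version left it behind.
    """
    from tempfile import mkstemp

    print("Creating ABAC SpeaksFor using ABACCredential...\n")

    # set_issuer_keys takes the signing cert chain as a file, so write the
    # user cert with the authority cert appended when it is not already there.
    ma_str = ma_gid.save_to_string()
    user_cert_str = user_gid.save_to_string()
    if not user_cert_str.endswith(ma_str):
        user_cert_str += ma_str

    # mkstemp creates the file with mode 0600 and hands back an open fd.
    fd, user_cert_filename = mkstemp(suffix='cred', text=True)
    try:
        with os.fdopen(fd, "w") as cert_file:
            cert_file.write(user_cert_str)

        cred = ABACCredential()
        cred.set_issuer_keys(user_key_file, user_cert_filename)

        user_keyid = get_cert_keyid(user_gid)
        tool_keyid = get_cert_keyid(tool_gid)
        cred.head = ABACElement(user_keyid, user_gid.get_urn(),
                                "speaks_for_%s" % user_keyid)
        cred.tails.append(ABACElement(tool_keyid, tool_gid.get_urn()))

        expires = datetime.datetime.utcnow() + datetime.timedelta(days=dur_days)
        cred.set_expiration(expires)
        # Drop sub-second precision -- presumably so the serialized
        # timestamp has no fractional seconds; confirm against the encoder.
        cred.expiration = cred.expiration.replace(microsecond=0)

        # Produce the XML, sign it, and persist it.  The cert chain file is
        # kept until after sign() in case the signer reads it lazily.
        cred.encode()
        cred.sign()
        cred.save_to_file(cred_filename)
    finally:
        # Clean up the temp cert chain file whether or not signing succeeded.
        try:
            os.unlink(user_cert_filename)
        except OSError:
            pass

    print("Created ABAC credential: '%s' in file %s" %
          (cred.get_summary_tostring(), cred_filename))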