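    def decode(self):
        """Populate this object from its xmlrpc-encoded data.

        ``self.get_data()`` returns the serialized dictionary, optionally
        preceded by the literal prefix ``URI:http://``, which is removed
        before decoding.  An empty payload decodes to an empty dictionary,
        so every attribute below ends up ``None``.

        Sets ``lifeTime`` and ``delegate`` (raw values), ``privileges``
        (``Rights`` or ``None``), ``gidCaller`` and ``gidObject``
        (``GID`` or ``None``).
        """
        prefix = 'URI:http://'
        data = self.get_data()
        # str.lstrip(prefix) strips any leading character contained in the
        # prefix (so a payload starting with 'h', 't', 'p', ... would lose
        # characters); remove only the literal prefix instead.
        if data.startswith(prefix):
            data = data[len(prefix):]

        # xmlrpclib.loads returns (params, methodname); the encoded dict is
        # the first and only parameter.
        fields = xmlrpclib.loads(data)[0][0] if data else {}

        self.lifeTime = fields.get("lifeTime")
        self.delegate = fields.get("delegate")

        priv_str = fields.get("privileges")
        self.privileges = Rights(string=priv_str) if priv_str else None

        gid_caller_str = fields.get("gidCaller")
        self.gidCaller = GID(string=gid_caller_str) if gid_caller_str else None

        gid_object_str = fields.get("gidObject")
        self.gidObject = GID(string=gid_object_str) if gid_object_str else None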
    def verify(self, trusted_certs=None, schema=None, trusted_certs_required=True):
        if not self.xml:
            print "\n\n\n\n\n\n\n\n\n\n\n\n\n----------------------CRED\n\n\n\n\n\n\n\n\n\n\n\n\n"
            print "not xml"
            self.decode()

        # validate against RelaxNG schema
        if HAVELXML and not self.legacy:
            if schema and os.path.exists(schema):
                tree = etree.parse(StringIO(self.xml))
                schema_doc = etree.parse(schema)
                xmlschema = etree.XMLSchema(schema_doc)
                if not xmlschema.validate(tree):
                    error = xmlschema.error_log.last_error
                    message = "%s: %s (line %s)" % (self.get_summary_tostring(), error.message, error.line)
                    raise CredentialNotVerifiable(message)

        if trusted_certs_required and trusted_certs is None:
            trusted_certs = []

#        trusted_cert_objects = [GID(filename=f) for f in trusted_certs]
        trusted_cert_objects = []
        ok_trusted_certs = []
        # If caller explicitly passed in None that means skip cert chain validation.
        # Strange and not typical
        if trusted_certs is not None:
            for f in trusted_certs:
                try:
                    # Failures here include unreadable files
                    # or non PEM files
                    trusted_cert_objects.append(GID(filename=f))
                    ok_trusted_certs.append(f)
                except Exception, exc:
                    pass
            trusted_certs = ok_trusted_certs
    def delegate(self, delegee_gidfile, caller_keyfile, caller_gidfile):
        """
        Return a delegated copy of this credential, delegated to the
        user identified by the GID stored in ``delegee_gidfile``.

        ``caller_keyfile`` and ``caller_gidfile`` are the private key and
        GID used to sign the new credential.  The copy carries this
        credential's object GID, expiration and privileges, records this
        credential as its parent, and is encoded and signed before it is
        returned.
        """
        # The object being delegated and the principal receiving it.
        target_gid = self.get_gid_object()
        recipient_gid = GID(filename=delegee_gidfile)

        subject = "%s delegated to %s" % (target_gid.get_hrn(),
                                          recipient_gid.get_hrn())

        delegated = Credential(subject=subject)
        delegated.set_gid_caller(recipient_gid)
        delegated.set_gid_object(target_gid)
        delegated.set_parent(self)
        delegated.set_expiration(self.get_expiration())
        delegated.set_privileges(self.get_privileges())
        # delegate_all_privileges(True) is defined elsewhere; by its name it
        # marks every right of the copy as further delegatable.
        delegated.get_privileges().delegate_all_privileges(True)
        delegated.set_issuer_keys(caller_keyfile, caller_gidfile)
        delegated.encode()
        delegated.sign()

        return delegated
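    def sign(self):
        """Sign this credential in place with the issuer's private key.

        Does nothing unless both ``issuer_privkey`` (path to a PEM private
        key) and ``issuer_gid`` (path to the issuer GID, possibly a chain)
        are set.  A ``Signature`` template carrying this credential's refid
        is appended to the ``<signatures>`` element, the document is handed
        to ``xmlsec1`` together with the issuer key and one PEM file per
        certificate of the GID chain, and the signed output replaces
        ``self.xml``.  Temporary files are removed even on failure.  The
        credential then stops being legacy and is re-decoded so the new
        signature is attached.

        Raises:
            RuntimeError: if ``xmlsec1`` exits with a non-zero status.  In
                that case ``self.xml`` still holds the unsigned document
                with the empty signature template.
        """
        import subprocess

        if not self.issuer_privkey or not self.issuer_gid:
            return

        doc = parseString(self.get_xml())
        sigs = doc.getElementsByTagName("signatures")[0]

        # Insert the (still unsigned) signature template for xmlsec1 to fill in.
        signature = Signature()
        signature.set_refid(self.get_refid())
        sdoc = parseString(signature.get_xml())
        sig_ele = doc.importNode(sdoc.getElementsByTagName("Signature")[0], True)
        sigs.appendChild(sig_ele)

        self.xml = doc.toxml("utf-8")

        # xmlsec1 needs each certificate of the issuer chain as its own PEM file.
        chain = GID(filename=self.issuer_gid)
        gid_files = []
        while chain:
            gid_files.append(chain.save_to_random_tmp_file(False))
            chain = chain.get_parent()

        filename = self.save_to_random_tmp_file()
        try:
            # Argument list rather than a shell string: the refid (which may
            # originate from decoded XML) and the file names are passed
            # verbatim, so shell metacharacters in them cannot alter the
            # command.  xmlsec1 takes "key,cert1,cert2,..." as one
            # --privkey-pem value.
            command = [
                self.xmlsec_path, "--sign",
                "--node-id", "Sig_%s" % self.get_refid(),
                "--privkey-pem", ",".join([self.issuer_privkey] + gid_files),
                filename,
            ]
            proc = subprocess.Popen(command, stdout=subprocess.PIPE,
                                    stderr=subprocess.PIPE)
            signed, err = proc.communicate()
            # Previously a failed xmlsec1 run left an empty self.xml and a
            # silently undecodable credential; fail loudly instead.
            if proc.returncode != 0:
                raise RuntimeError("xmlsec1 failed (exit %s) while signing %s: %s"
                                   % (proc.returncode, self.get_refid(), err))
        finally:
            os.remove(filename)
            for gid_file in gid_files:
                os.remove(gid_file)

        self.xml = signed

        # A signed credential is no longer a legacy credential.
        if self.legacy:
            self.legacy = None

        # Re-decode so the new signature is attached to the credential.
        self.decode()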
    def decode(self):
        """Parse ``self.xml`` and populate this credential from it.

        Accepts either a bare ``<credential>`` document or a
        ``<signed-credential>`` wrapper whose optional ``<signatures>``
        element supplies the ``Signature`` objects.  Reads the refid,
        expiration, owner and target GIDs and the privilege list; a ``*``
        privilege expands to the default rights for the target's type, each
        inheriting that entry's delegatability.  A nested ``<parent>``
        credential becomes ``self.parent``.  Finally every signature is
        attached to the credential in the chain that has the same refid.

        No-op when ``self.xml`` is empty.

        Raises:
            CredentialNotVerifiable: no ``<credential>`` element, or a
                ``<parent>`` element whose credential is empty.
        """
        if not self.xml:
            return

        doc = parseString(self.xml)
        signature_nodes = []

        # A signed-credential wraps the credential and its signatures;
        # otherwise the document root holds the credential directly.
        wrapper = doc.getElementsByTagName("signed-credential")
        if wrapper:
            cred_nodes = wrapper[0].getElementsByTagName("credential")
            sig_containers = wrapper[0].getElementsByTagName("signatures")
            if sig_containers:
                signature_nodes = sig_containers[0].getElementsByTagName("Signature")
        else:
            cred_nodes = doc.getElementsByTagName("credential")

        if not cred_nodes:
            # malformed cred file
            raise CredentialNotVerifiable("Malformed XML: No credential tag found")

        # Only the first credential element is considered.
        cred = cred_nodes[0]

        self.set_refid(cred.getAttribute("xml:id"))
        self.set_expiration(utcparse(getTextNode(cred, "expires")))

        # Per the original author's note, ABAC credentials may carry no
        # owner_gid/target_gid text here.
        self.gidCaller = GID(string=getTextNode(cred, "owner_gid"))
        self.gidObject = GID(string=getTextNode(cred, "target_gid"))

        # Privileges
        rights = Rights()
        priv_containers = cred.getElementsByTagName("privileges")
        if priv_containers:
            for priv in priv_containers[0].getElementsByTagName("privilege"):
                name = getTextNode(priv, "name")
                can_delegate = str2bool(getTextNode(priv, "can_delegate"))
                if name == '*':
                    # '*' stands for the default rights of the target's
                    # type; each one inherits this entry's delegatability.
                    object_urn = self.gidObject.get_urn()
                    _, object_type = urn_to_hrn(object_urn)
                    for right in determine_rights(object_type, object_urn).rights:
                        right.delegate = can_delegate
                        rights.add(right)
                else:
                    rights.add(Right(name.strip(), can_delegate))
        self.set_privileges(rights)

        # Optional parent credential
        parent_nodes = cred.getElementsByTagName("parent")
        if parent_nodes:
            parent_cred = parent_nodes[0].getElementsByTagName("credential")[0]
            parent_xml = parent_cred.toxml("utf-8")
            if parent_xml is None or parent_xml.strip() == "":
                raise CredentialNotVerifiable("Malformed XML: Had parent tag but it is empty")
            self.parent = Credential(string=parent_xml)
            self.updateRefID()

        # Attach each signature to the credential in the chain with the same refid.
        for sig_node in signature_nodes:
            signature = Signature(string=sig_node.toxml("utf-8"))
            for chain_cred in self.get_credential_list():
                if chain_cred.get_refid() == signature.get_refid():
                    chain_cred.set_signature(signature)
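class Signature(object):
    """One XML-DSig ``<Signature>`` element of a signed credential.

    Holds the refid of the credential it signs (without the ``Sig_``
    prefix that ``sign()`` puts in the ``xml:id``) and the issuer GID
    rebuilt from the embedded ``<X509Certificate>`` elements.  Given
    ``string`` (the signature XML) the object is decoded immediately;
    otherwise it starts empty and decodes lazily on the first
    ``get_refid()`` / ``get_issuer_gid()``.
    """

    # Prefix placed before the credential refid in the Signature xml:id.
    REFID_PREFIX = "Sig_"

    def __init__(self, string=None):
        self.refid = None
        self.issuer_gid = None
        # set_issuer_gid()/get_issuer_gid() store the GID in self.gid;
        # initialise it so a getter on an undecoded signature does not
        # raise AttributeError.
        self.gid = None
        self.xml = None
        if string:
            self.xml = string
            self.decode()

    def get_refid(self):
        """Return the refid, decoding the XML first if it is not set yet."""
        if not self.refid:
            self.decode()
        return self.refid

    def get_xml(self):
        """Return the signature XML, encoding first if it is not set yet."""
        if not self.xml:
            self.encode()
        return self.xml

    def set_refid(self, id):
        self.refid = id

    def get_issuer_gid(self):
        """Return the issuer GID, decoding the XML first if it is not set yet."""
        if not self.gid:
            self.decode()
        return self.gid

    def set_issuer_gid(self, gid):
        self.gid = gid

    @staticmethod
    def _strip_prefix(value, prefix):
        """Return *value* stripped of whitespace and of a leading *prefix*.

        ``str.strip(prefix)`` removes any character of *prefix* from both
        ends, so a refid ending in 'g', 'i' or '_' would be mangled; only
        the literal leading prefix is removed here.
        """
        value = value.strip()
        if value.startswith(prefix):
            value = value[len(prefix):]
        return value

    def decode(self):
        """Populate refid and issuer GID from ``self.xml``.

        The refid comes from the ``<Signature>`` ``xml:id`` attribute,
        falling back to the ``<Reference>`` ``xml:id`` and then to its
        ``URI`` fragment.  Every ``<X509Certificate>`` under ``<X509Data>``
        is wrapped in PEM armour and the blocks are joined into one GID.

        Raises:
            CredentialNotVerifiable: no ``<Signature>`` element, a missing
                ``<Reference>`` when the id must be taken from it, or no
                certificate in the signature.
        """
        doc = parseString(self.xml)
        sig_nodes = doc.getElementsByTagName("Signature")
        if not sig_nodes:
            raise CredentialNotVerifiable("Malformed XML: No Signature tag found")
        sig = sig_nodes[0]

        ref_id = self._strip_prefix(sig.getAttribute("xml:id"), self.REFID_PREFIX)
        # The xml:id on Signature is optional; the Reference element may
        # carry the id instead, as xml:id or as a URI fragment.
        if not ref_id:
            references = sig.getElementsByTagName('Reference')
            if not references:
                raise CredentialNotVerifiable(
                    "Malformed XML: Signature has neither xml:id nor Reference")
            reference = references[0]
            ref_id = self._strip_prefix(reference.getAttribute('xml:id'), self.REFID_PREFIX)
            if not ref_id:
                ref_id = self._strip_prefix(reference.getAttribute('URI'), '#')
        self.set_refid(ref_id)

        pem_blocks = []
        for keyinfo in sig.getElementsByTagName("X509Data"):
            for cert in keyinfo.getElementsByTagName("X509Certificate"):
                if cert.childNodes:
                    body = cert.childNodes[0].nodeValue.strip()
                    pem_blocks.append(
                        "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----" % body)
        if not pem_blocks:
            raise CredentialNotVerifiable("Malformed XML: No certificate found in signature")
        self.set_issuer_gid(GID(string="\n".join(pem_blocks)))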
                      help="filename of private key of signing user")
    parser.add_option('--trusted_roots_directory',
                      help='Directory of trusted root certs')
    parser.add_option('--create',
                      help="name of file of ABAC speaksfor cred to create")
    parser.add_option(
        '--useObject',
        action='store_true',
        default=False,
        help=
        'Use the ABACCredential object to create the credential (default False)'
    )

    options, args = parser.parse_args(sys.argv)

    tool_gid = GID(filename=options.tool_cert_file)

    if options.create:
        if options.user_cert_file and options.user_key_file \
            and options.ma_cert_file:
            user_gid = GID(filename=options.user_cert_file)
            ma_gid = GID(filename=options.ma_cert_file)
            if options.useObject:
                create_sign_abaccred(tool_gid, user_gid, ma_gid, \
                                         options.user_key_file,  \
                                         options.create)
            else:
                create_speaks_for(tool_gid, user_gid, ma_gid, \
                                         options.user_key_file,  \
                                         options.create)
        else:
                        try:
                            uuidO = uuid.UUID(fields=uuidarg)
                        except:
                            try:
                                uuidO = uuid.UUID(bytes=uuidarg)
                            except:
                                try:
                                    uuidO = uuid.UUID(bytes_le=uuidarg)
                                except:
                                    pass
        if uuidO is not None:
            uuidI = uuidO.int

    newgid = GID(create=True,
                 subject=subject,
                 uuid=uuidI,
                 urn=urn,
                 lifeDays=lifeDays)
    if email:
        newgid.set_email(email)

    if public_key is None:
        # create a new key pair
        keys = Keypair(create=True)
    else:
        # use the specified public key file
        keys = Keypair()
        keys.load_pubkey_from_file(public_key)
    newgid.set_pubkey(keys)
    newgid.set_is_ca(ca)