예제 #1
0
    def decode(self):
        data = self.get_data().lstrip('URI:http://')

        if data:
            dict = xmlrpclib.loads(data)[0][0]
        else:
            dict = {}

        self.lifeTime = dict.get("lifeTime", None)
        self.delegate = dict.get("delegate", None)

        privStr = dict.get("privileges", None)
        if privStr:
            self.privileges = Rights(string=privStr)
        else:
            self.privileges = None

        gidCallerStr = dict.get("gidCaller", None)
        if gidCallerStr:
            self.gidCaller = GID(string=gidCallerStr)
        else:
            self.gidCaller = None

        gidObjectStr = dict.get("gidObject", None)
        if gidObjectStr:
            self.gidObject = GID(string=gidObjectStr)
        else:
            self.gidObject = None
예제 #2
0
    def decode(self):
        data = self.get_data().lstrip('URI:http://')
        
        if data:
            dict = xmlrpclib.loads(data)[0][0]
        else:
            dict = {}

        self.lifeTime = dict.get("lifeTime", None)
        self.delegate = dict.get("delegate", None)

        privStr = dict.get("privileges", None)
        if privStr:
            self.privileges = Rights(string = privStr)
        else:
            self.privileges = None

        gidCallerStr = dict.get("gidCaller", None)
        if gidCallerStr:
            self.gidCaller = GID(string=gidCallerStr)
        else:
            self.gidCaller = None

        gidObjectStr = dict.get("gidObject", None)
        if gidObjectStr:
            self.gidObject = GID(string=gidObjectStr)
        else:
            self.gidObject = None
예제 #3
0
    def decode(self):
        if not self.xml:
            return
        doc = parseString(self.xml)
        sigs = []
        signed_cred = doc.getElementsByTagName("signed-credential")

        # Is this a signed-cred or just a cred?
        if len(signed_cred) > 0:
            creds = signed_cred[0].getElementsByTagName("credential")
            signatures = signed_cred[0].getElementsByTagName("signatures")
            if len(signatures) > 0:
                sigs = signatures[0].getElementsByTagName("Signature")
        else:
            creds = doc.getElementsByTagName("credential")
        
        if creds is None or len(creds) == 0:
            # malformed cred file
            raise CredentialNotVerifiable("Malformed XML: No credential tag found")

        # Just take the first cred if there are more than one
        cred = creds[0]

        self.set_refid(cred.getAttribute("xml:id"))
        self.set_expiration(utcparse(getTextNode(cred, "expires")))

#        import traceback
#        stack = traceback.extract_stack()

        og = getTextNode(cred, "owner_gid")
        # ABAC creds will have this be None and use this method
#        if og is None:
#            found = False
#            for frame in stack:
#                if 'super(ABACCredential, self).decode()' in frame:
#                    found = True
#                    break
#            if not found:
#                raise CredentialNotVerifiable("Malformed XML: No owner_gid found")
        self.gidCaller = GID(string=og)
        tg = getTextNode(cred, "target_gid")
#        if tg is None:
#            found = False
#            for frame in stack:
#                if 'super(ABACCredential, self).decode()' in frame:
#                    found = True
#                    break
#            if not found:
#                raise CredentialNotVerifiable("Malformed XML: No target_gid found")
        self.gidObject = GID(string=tg)

        # Process privileges
        rlist = Rights()
        priv_nodes = cred.getElementsByTagName("privileges")
        if len(priv_nodes) > 0:
            privs = priv_nodes[0]
            for priv in privs.getElementsByTagName("privilege"):
                kind = getTextNode(priv, "name")
                deleg = str2bool(getTextNode(priv, "can_delegate"))
                if kind == '*':
                    # Convert * into the default privileges for the credential's type
                    # Each inherits the delegatability from the * above
                    _ , type = urn_to_hrn(self.gidObject.get_urn())
                    rl = determine_rights(type, self.gidObject.get_urn())
                    for r in rl.rights:
                        r.delegate = deleg
                        rlist.add(r)
                else:
                    rlist.add(Right(kind.strip(), deleg))
        self.set_privileges(rlist)


        # Is there a parent?
        parent = cred.getElementsByTagName("parent")
        if len(parent) > 0:
            parent_doc = parent[0].getElementsByTagName("credential")[0]
            parent_xml = parent_doc.toxml("utf-8")
            if parent_xml is None or parent_xml.strip() == "":
                raise CredentialNotVerifiable("Malformed XML: Had parent tag but it is empty")
            self.parent = Credential(string=parent_xml)
            self.updateRefID()

        # Assign the signatures to the credentials
        for sig in sigs:
            Sig = Signature(string=sig.toxml("utf-8"))

            for cur_cred in self.get_credential_list():
                if cur_cred.get_refid() == Sig.get_refid():
                    cur_cred.set_signature(Sig)
예제 #4
0
 def set_privileges(self, privs):
     if isinstance(privs, str):
         self.privileges = Rights(string = privs)
     else:
         self.privileges = privs        
예제 #5
0
class CredentialLegacy(Certificate):
    gidCaller = None
    gidObject = None
    lifeTime = None
    privileges = None
    delegate = False

    ##
    # Create a Credential object
    #
    # @param create If true, create a blank x509 certificate
    # @param subject If subject!=None, create an x509 cert with the subject name
    # @param string If string!=None, load the credential from the string
    # @param filename If filename!=None, load the credential from the file

    def __init__(self, create=False, subject=None, string=None, filename=None):
        Certificate.__init__(self, create, subject, string, filename)

    ##
    # set the GID of the caller
    #
    # @param gid GID object of the caller

    def set_gid_caller(self, gid):
        self.gidCaller = gid
        # gid origin caller is the caller's gid by default
        self.gidOriginCaller = gid

    ##
    # get the GID of the object

    def get_gid_caller(self):
        if not self.gidCaller:
            self.decode()
        return self.gidCaller

    ##
    # set the GID of the object
    #
    # @param gid GID object of the object

    def set_gid_object(self, gid):
        self.gidObject = gid

    ##
    # get the GID of the object

    def get_gid_object(self):
        if not self.gidObject:
            self.decode()
        return self.gidObject

    ##
    # set the lifetime of this credential
    #
    # @param lifetime lifetime of credential

    def set_lifetime(self, lifeTime):
        self.lifeTime = lifeTime

    ##
    # get the lifetime of the credential

    def get_lifetime(self):
        if not self.lifeTime:
            self.decode()
        return self.lifeTime

    ##
    # set the delegate bit
    #
    # @param delegate boolean (True or False)

    def set_delegate(self, delegate):
        self.delegate = delegate

    ##
    # get the delegate bit

    def get_delegate(self):
        if not self.delegate:
            self.decode()
        return self.delegate

    ##
    # set the privileges
    #
    # @param privs either a comma-separated list of privileges of a Rights object

    def set_privileges(self, privs):
        if isinstance(privs, str):
            self.privileges = Rights(string = privs)
        else:
            self.privileges = privs

    ##
    # return the privileges as a Rights object

    def get_privileges(self):
        if not self.privileges:
            self.decode()
        return self.privileges

    ##
    # determine whether the credential allows a particular operation to be
    # performed
    #
    # @param op_name string specifying name of operation ("lookup", "update", etc)

    def can_perform(self, op_name):
        rights = self.get_privileges()
        if not rights:
            return False
        return rights.can_perform(op_name)

    ##
    # Encode the attributes of the credential into a string and store that
    # string in the alt-subject-name field of the X509 object. This should be
    # done immediately before signing the credential.

    def encode(self):
        dict = {"gidCaller": None,
                "gidObject": None,
                "lifeTime": self.lifeTime,
                "privileges": None,
                "delegate": self.delegate}
        if self.gidCaller:
            dict["gidCaller"] = self.gidCaller.save_to_string(save_parents=True)
        if self.gidObject:
            dict["gidObject"] = self.gidObject.save_to_string(save_parents=True)
        if self.privileges:
            dict["privileges"] = self.privileges.save_to_string()
        str = xmlrpclib.dumps((dict,), allow_none=True)
        self.set_data('URI:http://' + str)

    ##
    # Retrieve the attributes of the credential from the alt-subject-name field
    # of the X509 certificate. This is automatically done by the various
    # get_* methods of this class and should not need to be called explicitly.

    def decode(self):
        data = self.get_data().lstrip('URI:http://')
        
        if data:
            dict = xmlrpclib.loads(data)[0][0]
        else:
            dict = {}

        self.lifeTime = dict.get("lifeTime", None)
        self.delegate = dict.get("delegate", None)

        privStr = dict.get("privileges", None)
        if privStr:
            self.privileges = Rights(string = privStr)
        else:
            self.privileges = None

        gidCallerStr = dict.get("gidCaller", None)
        if gidCallerStr:
            self.gidCaller = GID(string=gidCallerStr)
        else:
            self.gidCaller = None

        gidObjectStr = dict.get("gidObject", None)
        if gidObjectStr:
            self.gidObject = GID(string=gidObjectStr)
        else:
            self.gidObject = None

    ##
    # Verify that a chain of credentials is valid (see cert.py:verify). In
    # addition to the checks for ordinary certificates, verification also
    # ensures that the delegate bit was set by each parent in the chain. If
    # a delegate bit was not set, then an exception is thrown.
    #
    # Each credential must be a subset of the rights of the parent.

    def verify_chain(self, trusted_certs = None):
        # do the normal certificate verification stuff
        Certificate.verify_chain(self, trusted_certs)

        if self.parent:
            # make sure the parent delegated rights to the child
            if not self.parent.get_delegate():
                raise MissingDelegateBit(self.parent.get_subject())

            # make sure the rights given to the child are a subset of the
            # parents rights
            if not self.parent.get_privileges().is_superset(self.get_privileges()):
                raise ChildRightsNotSubsetOfParent(self.get_subject() 
                                                   + " " + self.parent.get_privileges().save_to_string()
                                                   + " " + self.get_privileges().save_to_string())

        return

    ##
    # Dump the contents of a credential to stdout in human-readable format
    #
    # @param dump_parents If true, also dump the parent certificates

    def dump(self, *args, **kwargs):
        print self.dump_string(*args,**kwargs)

    def dump_string(self, dump_parents=False):
        result=""
        result += "CREDENTIAL %s\n" % self.get_subject()

        result += "      privs: %s\n" % self.get_privileges().save_to_string()

        gidCaller = self.get_gid_caller()
        if gidCaller:
            result += "  gidCaller:\n"
            gidCaller.dump(8, dump_parents)

        gidObject = self.get_gid_object()
        if gidObject:
            result += "  gidObject:\n"
            result += gidObject.dump_string(8, dump_parents)

        result += "   delegate: %s" % self.get_delegate()

        if self.parent and dump_parents:
            result += "PARENT\n"
            result += self.parent.dump_string(dump_parents)

        return result
예제 #6
0
 def set_privileges(self, privs):
     if isinstance(privs, str):
         self.privileges = Rights(string = privs)
     else:
         self.privileges = privs
예제 #7
0
class CredentialLegacy(Certificate):
    gidCaller = None
    gidObject = None
    lifeTime = None
    privileges = None
    delegate = False

    ##
    # Create a Credential object
    #
    # @param create If true, create a blank x509 certificate
    # @param subject If subject!=None, create an x509 cert with the subject name
    # @param string If string!=None, load the credential from the string
    # @param filename If filename!=None, load the credential from the file

    def __init__(self, create=False, subject=None, string=None, filename=None):
        Certificate.__init__(self, create, subject, string, filename)

    ##
    # set the GID of the caller
    #
    # @param gid GID object of the caller

    def set_gid_caller(self, gid):
        self.gidCaller = gid
        # gid origin caller is the caller's gid by default
        self.gidOriginCaller = gid

    ##
    # get the GID of the object

    def get_gid_caller(self):
        if not self.gidCaller:
            self.decode()
        return self.gidCaller

    ##
    # set the GID of the object
    #
    # @param gid GID object of the object

    def set_gid_object(self, gid):
        self.gidObject = gid

    ##
    # get the GID of the object

    def get_gid_object(self):
        if not self.gidObject:
            self.decode()
        return self.gidObject

    ##
    # set the lifetime of this credential
    #
    # @param lifetime lifetime of credential

    def set_lifetime(self, lifeTime):
        self.lifeTime = lifeTime

    ##
    # get the lifetime of the credential

    def get_lifetime(self):
        if not self.lifeTime:
            self.decode()
        return self.lifeTime

    ##
    # set the delegate bit
    #
    # @param delegate boolean (True or False)

    def set_delegate(self, delegate):
        self.delegate = delegate

    ##
    # get the delegate bit

    def get_delegate(self):
        if not self.delegate:
            self.decode()
        return self.delegate

    ##
    # set the privileges
    #
    # @param privs either a comma-separated list of privileges of a Rights object

    def set_privileges(self, privs):
        if isinstance(privs, str):
            self.privileges = Rights(string=privs)
        else:
            self.privileges = privs

    ##
    # return the privileges as a Rights object

    def get_privileges(self):
        if not self.privileges:
            self.decode()
        return self.privileges

    ##
    # determine whether the credential allows a particular operation to be
    # performed
    #
    # @param op_name string specifying name of operation ("lookup", "update", etc)

    def can_perform(self, op_name):
        rights = self.get_privileges()
        if not rights:
            return False
        return rights.can_perform(op_name)

    ##
    # Encode the attributes of the credential into a string and store that
    # string in the alt-subject-name field of the X509 object. This should be
    # done immediately before signing the credential.

    def encode(self):
        dict = {
            "gidCaller": None,
            "gidObject": None,
            "lifeTime": self.lifeTime,
            "privileges": None,
            "delegate": self.delegate
        }
        if self.gidCaller:
            dict["gidCaller"] = self.gidCaller.save_to_string(
                save_parents=True)
        if self.gidObject:
            dict["gidObject"] = self.gidObject.save_to_string(
                save_parents=True)
        if self.privileges:
            dict["privileges"] = self.privileges.save_to_string()
        str = xmlrpclib.dumps((dict, ), allow_none=True)
        self.set_data('URI:http://' + str)

    ##
    # Retrieve the attributes of the credential from the alt-subject-name field
    # of the X509 certificate. This is automatically done by the various
    # get_* methods of this class and should not need to be called explicitly.

    def decode(self):
        data = self.get_data().lstrip('URI:http://')

        if data:
            dict = xmlrpclib.loads(data)[0][0]
        else:
            dict = {}

        self.lifeTime = dict.get("lifeTime", None)
        self.delegate = dict.get("delegate", None)

        privStr = dict.get("privileges", None)
        if privStr:
            self.privileges = Rights(string=privStr)
        else:
            self.privileges = None

        gidCallerStr = dict.get("gidCaller", None)
        if gidCallerStr:
            self.gidCaller = GID(string=gidCallerStr)
        else:
            self.gidCaller = None

        gidObjectStr = dict.get("gidObject", None)
        if gidObjectStr:
            self.gidObject = GID(string=gidObjectStr)
        else:
            self.gidObject = None

    ##
    # Verify that a chain of credentials is valid (see cert.py:verify). In
    # addition to the checks for ordinary certificates, verification also
    # ensures that the delegate bit was set by each parent in the chain. If
    # a delegate bit was not set, then an exception is thrown.
    #
    # Each credential must be a subset of the rights of the parent.

    def verify_chain(self, trusted_certs=None):
        # do the normal certificate verification stuff
        Certificate.verify_chain(self, trusted_certs)

        if self.parent:
            # make sure the parent delegated rights to the child
            if not self.parent.get_delegate():
                raise MissingDelegateBit(self.parent.get_subject())

            # make sure the rights given to the child are a subset of the
            # parents rights
            if not self.parent.get_privileges().is_superset(
                    self.get_privileges()):
                raise ChildRightsNotSubsetOfParent(
                    self.get_subject() + " " +
                    self.parent.get_privileges().save_to_string() + " " +
                    self.get_privileges().save_to_string())

        return

    ##
    # Dump the contents of a credential to stdout in human-readable format
    #
    # @param dump_parents If true, also dump the parent certificates

    def dump(self, *args, **kwargs):
        print self.dump_string(*args, **kwargs)

    def dump_string(self, dump_parents=False):
        result = ""
        result += "CREDENTIAL %s\n" % self.get_subject()

        result += "      privs: %s\n" % self.get_privileges().save_to_string()

        gidCaller = self.get_gid_caller()
        if gidCaller:
            result += "  gidCaller:\n"
            gidCaller.dump(8, dump_parents)

        gidObject = self.get_gid_object()
        if gidObject:
            result += "  gidObject:\n"
            result += gidObject.dump_string(8, dump_parents)

        result += "   delegate: %s" % self.get_delegate()

        if self.parent and dump_parents:
            result += "PARENT\n"
            result += self.parent.dump_string(dump_parents)

        return result