def decode(self):
data = self.get_data().lstrip('URI:http://')
if data:
dict = xmlrpclib.loads(data)[0][0]
else:
dict = {}
self.lifeTime = dict.get("lifeTime", None)
self.delegate = dict.get("delegate", None)
privStr = dict.get("privileges", None)
if privStr:
self.privileges = Rights(string=privStr)
else:
self.privileges = None
gidCallerStr = dict.get("gidCaller", None)
if gidCallerStr:
self.gidCaller = GID(string=gidCallerStr)
else:
self.gidCaller = None
gidObjectStr = dict.get("gidObject", None)
if gidObjectStr:
self.gidObject = GID(string=gidObjectStr)
else:
self.gidObject = None
def decode(self):
data = self.get_data().lstrip('URI:http://')
if data:
dict = xmlrpclib.loads(data)[0][0]
else:
dict = {}
self.lifeTime = dict.get("lifeTime", None)
self.delegate = dict.get("delegate", None)
privStr = dict.get("privileges", None)
if privStr:
self.privileges = Rights(string = privStr)
else:
self.privileges = None
gidCallerStr = dict.get("gidCaller", None)
if gidCallerStr:
self.gidCaller = GID(string=gidCallerStr)
else:
self.gidCaller = None
gidObjectStr = dict.get("gidObject", None)
if gidObjectStr:
self.gidObject = GID(string=gidObjectStr)
else:
self.gidObject = None
def decode(self):
if not self.xml:
return
doc = parseString(self.xml)
sigs = []
signed_cred = doc.getElementsByTagName("signed-credential")
# Is this a signed-cred or just a cred?
if len(signed_cred) > 0:
creds = signed_cred[0].getElementsByTagName("credential")
signatures = signed_cred[0].getElementsByTagName("signatures")
if len(signatures) > 0:
sigs = signatures[0].getElementsByTagName("Signature")
else:
creds = doc.getElementsByTagName("credential")
if creds is None or len(creds) == 0:
# malformed cred file
raise CredentialNotVerifiable("Malformed XML: No credential tag found")
# Just take the first cred if there are more than one
cred = creds[0]
self.set_refid(cred.getAttribute("xml:id"))
self.set_expiration(utcparse(getTextNode(cred, "expires")))
# import traceback
# stack = traceback.extract_stack()
og = getTextNode(cred, "owner_gid")
# ABAC creds will have this be None and use this method
# if og is None:
# found = False
# for frame in stack:
# if 'super(ABACCredential, self).decode()' in frame:
# found = True
# break
# if not found:
# raise CredentialNotVerifiable("Malformed XML: No owner_gid found")
self.gidCaller = GID(string=og)
tg = getTextNode(cred, "target_gid")
# if tg is None:
# found = False
# for frame in stack:
# if 'super(ABACCredential, self).decode()' in frame:
# found = True
# break
# if not found:
# raise CredentialNotVerifiable("Malformed XML: No target_gid found")
self.gidObject = GID(string=tg)
# Process privileges
rlist = Rights()
priv_nodes = cred.getElementsByTagName("privileges")
if len(priv_nodes) > 0:
privs = priv_nodes[0]
for priv in privs.getElementsByTagName("privilege"):
kind = getTextNode(priv, "name")
deleg = str2bool(getTextNode(priv, "can_delegate"))
if kind == '*':
# Convert * into the default privileges for the credential's type
# Each inherits the delegatability from the * above
_ , type = urn_to_hrn(self.gidObject.get_urn())
rl = determine_rights(type, self.gidObject.get_urn())
for r in rl.rights:
r.delegate = deleg
rlist.add(r)
else:
rlist.add(Right(kind.strip(), deleg))
self.set_privileges(rlist)
# Is there a parent?
parent = cred.getElementsByTagName("parent")
if len(parent) > 0:
parent_doc = parent[0].getElementsByTagName("credential")[0]
parent_xml = parent_doc.toxml("utf-8")
if parent_xml is None or parent_xml.strip() == "":
raise CredentialNotVerifiable("Malformed XML: Had parent tag but it is empty")
self.parent = Credential(string=parent_xml)
self.updateRefID()
# Assign the signatures to the credentials
for sig in sigs:
Sig = Signature(string=sig.toxml("utf-8"))
for cur_cred in self.get_credential_list():
if cur_cred.get_refid() == Sig.get_refid():
cur_cred.set_signature(Sig)
def set_privileges(self, privs):
if isinstance(privs, str):
self.privileges = Rights(string = privs)
else:
self.privileges = privs
class CredentialLegacy(Certificate):
gidCaller = None
gidObject = None
lifeTime = None
privileges = None
delegate = False
##
# Create a Credential object
#
# @param create If true, create a blank x509 certificate
# @param subject If subject!=None, create an x509 cert with the subject name
# @param string If string!=None, load the credential from the string
# @param filename If filename!=None, load the credential from the file
def __init__(self, create=False, subject=None, string=None, filename=None):
Certificate.__init__(self, create, subject, string, filename)
##
# set the GID of the caller
#
# @param gid GID object of the caller
def set_gid_caller(self, gid):
self.gidCaller = gid
# gid origin caller is the caller's gid by default
self.gidOriginCaller = gid
##
# get the GID of the object
def get_gid_caller(self):
if not self.gidCaller:
self.decode()
return self.gidCaller
##
# set the GID of the object
#
# @param gid GID object of the object
def set_gid_object(self, gid):
self.gidObject = gid
##
# get the GID of the object
def get_gid_object(self):
if not self.gidObject:
self.decode()
return self.gidObject
##
# set the lifetime of this credential
#
# @param lifetime lifetime of credential
def set_lifetime(self, lifeTime):
self.lifeTime = lifeTime
##
# get the lifetime of the credential
def get_lifetime(self):
if not self.lifeTime:
self.decode()
return self.lifeTime
##
# set the delegate bit
#
# @param delegate boolean (True or False)
def set_delegate(self, delegate):
self.delegate = delegate
##
# get the delegate bit
def get_delegate(self):
if not self.delegate:
self.decode()
return self.delegate
##
# set the privileges
#
# @param privs either a comma-separated list of privileges of a Rights object
def set_privileges(self, privs):
if isinstance(privs, str):
self.privileges = Rights(string = privs)
else:
self.privileges = privs
##
# return the privileges as a Rights object
def get_privileges(self):
if not self.privileges:
self.decode()
return self.privileges
##
# determine whether the credential allows a particular operation to be
# performed
#
# @param op_name string specifying name of operation ("lookup", "update", etc)
def can_perform(self, op_name):
rights = self.get_privileges()
if not rights:
return False
return rights.can_perform(op_name)
##
# Encode the attributes of the credential into a string and store that
# string in the alt-subject-name field of the X509 object. This should be
# done immediately before signing the credential.
def encode(self):
dict = {"gidCaller": None,
"gidObject": None,
"lifeTime": self.lifeTime,
"privileges": None,
"delegate": self.delegate}
if self.gidCaller:
dict["gidCaller"] = self.gidCaller.save_to_string(save_parents=True)
if self.gidObject:
dict["gidObject"] = self.gidObject.save_to_string(save_parents=True)
if self.privileges:
dict["privileges"] = self.privileges.save_to_string()
str = xmlrpclib.dumps((dict,), allow_none=True)
self.set_data('URI:http://' + str)
##
# Retrieve the attributes of the credential from the alt-subject-name field
# of the X509 certificate. This is automatically done by the various
# get_* methods of this class and should not need to be called explicitly.
def decode(self):
data = self.get_data().lstrip('URI:http://')
if data:
dict = xmlrpclib.loads(data)[0][0]
else:
dict = {}
self.lifeTime = dict.get("lifeTime", None)
self.delegate = dict.get("delegate", None)
privStr = dict.get("privileges", None)
if privStr:
self.privileges = Rights(string = privStr)
else:
self.privileges = None
gidCallerStr = dict.get("gidCaller", None)
if gidCallerStr:
self.gidCaller = GID(string=gidCallerStr)
else:
self.gidCaller = None
gidObjectStr = dict.get("gidObject", None)
if gidObjectStr:
self.gidObject = GID(string=gidObjectStr)
else:
self.gidObject = None
##
# Verify that a chain of credentials is valid (see cert.py:verify). In
# addition to the checks for ordinary certificates, verification also
# ensures that the delegate bit was set by each parent in the chain. If
# a delegate bit was not set, then an exception is thrown.
#
# Each credential must be a subset of the rights of the parent.
def verify_chain(self, trusted_certs = None):
# do the normal certificate verification stuff
Certificate.verify_chain(self, trusted_certs)
if self.parent:
# make sure the parent delegated rights to the child
if not self.parent.get_delegate():
raise MissingDelegateBit(self.parent.get_subject())
# make sure the rights given to the child are a subset of the
# parents rights
if not self.parent.get_privileges().is_superset(self.get_privileges()):
raise ChildRightsNotSubsetOfParent(self.get_subject()
+ " " + self.parent.get_privileges().save_to_string()
+ " " + self.get_privileges().save_to_string())
return
##
# Dump the contents of a credential to stdout in human-readable format
#
# @param dump_parents If true, also dump the parent certificates
def dump(self, *args, **kwargs):
print self.dump_string(*args,**kwargs)
def dump_string(self, dump_parents=False):
result=""
result += "CREDENTIAL %s\n" % self.get_subject()
result += " privs: %s\n" % self.get_privileges().save_to_string()
gidCaller = self.get_gid_caller()
if gidCaller:
result += " gidCaller:\n"
gidCaller.dump(8, dump_parents)
gidObject = self.get_gid_object()
if gidObject:
result += " gidObject:\n"
result += gidObject.dump_string(8, dump_parents)
result += " delegate: %s" % self.get_delegate()
if self.parent and dump_parents:
result += "PARENT\n"
result += self.parent.dump_string(dump_parents)
return result
def set_privileges(self, privs):
if isinstance(privs, str):
self.privileges = Rights(string = privs)
else:
self.privileges = privs
class CredentialLegacy(Certificate):
gidCaller = None
gidObject = None
lifeTime = None
privileges = None
delegate = False
##
# Create a Credential object
#
# @param create If true, create a blank x509 certificate
# @param subject If subject!=None, create an x509 cert with the subject name
# @param string If string!=None, load the credential from the string
# @param filename If filename!=None, load the credential from the file
def __init__(self, create=False, subject=None, string=None, filename=None):
Certificate.__init__(self, create, subject, string, filename)
##
# set the GID of the caller
#
# @param gid GID object of the caller
def set_gid_caller(self, gid):
self.gidCaller = gid
# gid origin caller is the caller's gid by default
self.gidOriginCaller = gid
##
# get the GID of the object
def get_gid_caller(self):
if not self.gidCaller:
self.decode()
return self.gidCaller
##
# set the GID of the object
#
# @param gid GID object of the object
def set_gid_object(self, gid):
self.gidObject = gid
##
# get the GID of the object
def get_gid_object(self):
if not self.gidObject:
self.decode()
return self.gidObject
##
# set the lifetime of this credential
#
# @param lifetime lifetime of credential
def set_lifetime(self, lifeTime):
self.lifeTime = lifeTime
##
# get the lifetime of the credential
def get_lifetime(self):
if not self.lifeTime:
self.decode()
return self.lifeTime
##
# set the delegate bit
#
# @param delegate boolean (True or False)
def set_delegate(self, delegate):
self.delegate = delegate
##
# get the delegate bit
def get_delegate(self):
if not self.delegate:
self.decode()
return self.delegate
##
# set the privileges
#
# @param privs either a comma-separated list of privileges of a Rights object
def set_privileges(self, privs):
if isinstance(privs, str):
self.privileges = Rights(string=privs)
else:
self.privileges = privs
##
# return the privileges as a Rights object
def get_privileges(self):
if not self.privileges:
self.decode()
return self.privileges
##
# determine whether the credential allows a particular operation to be
# performed
#
# @param op_name string specifying name of operation ("lookup", "update", etc)
def can_perform(self, op_name):
rights = self.get_privileges()
if not rights:
return False
return rights.can_perform(op_name)
##
# Encode the attributes of the credential into a string and store that
# string in the alt-subject-name field of the X509 object. This should be
# done immediately before signing the credential.
def encode(self):
dict = {
"gidCaller": None,
"gidObject": None,
"lifeTime": self.lifeTime,
"privileges": None,
"delegate": self.delegate
}
if self.gidCaller:
dict["gidCaller"] = self.gidCaller.save_to_string(
save_parents=True)
if self.gidObject:
dict["gidObject"] = self.gidObject.save_to_string(
save_parents=True)
if self.privileges:
dict["privileges"] = self.privileges.save_to_string()
str = xmlrpclib.dumps((dict, ), allow_none=True)
self.set_data('URI:http://' + str)
##
# Retrieve the attributes of the credential from the alt-subject-name field
# of the X509 certificate. This is automatically done by the various
# get_* methods of this class and should not need to be called explicitly.
def decode(self):
data = self.get_data().lstrip('URI:http://')
if data:
dict = xmlrpclib.loads(data)[0][0]
else:
dict = {}
self.lifeTime = dict.get("lifeTime", None)
self.delegate = dict.get("delegate", None)
privStr = dict.get("privileges", None)
if privStr:
self.privileges = Rights(string=privStr)
else:
self.privileges = None
gidCallerStr = dict.get("gidCaller", None)
if gidCallerStr:
self.gidCaller = GID(string=gidCallerStr)
else:
self.gidCaller = None
gidObjectStr = dict.get("gidObject", None)
if gidObjectStr:
self.gidObject = GID(string=gidObjectStr)
else:
self.gidObject = None
##
# Verify that a chain of credentials is valid (see cert.py:verify). In
# addition to the checks for ordinary certificates, verification also
# ensures that the delegate bit was set by each parent in the chain. If
# a delegate bit was not set, then an exception is thrown.
#
# Each credential must be a subset of the rights of the parent.
def verify_chain(self, trusted_certs=None):
# do the normal certificate verification stuff
Certificate.verify_chain(self, trusted_certs)
if self.parent:
# make sure the parent delegated rights to the child
if not self.parent.get_delegate():
raise MissingDelegateBit(self.parent.get_subject())
# make sure the rights given to the child are a subset of the
# parents rights
if not self.parent.get_privileges().is_superset(
self.get_privileges()):
raise ChildRightsNotSubsetOfParent(
self.get_subject() + " " +
self.parent.get_privileges().save_to_string() + " " +
self.get_privileges().save_to_string())
return
##
# Dump the contents of a credential to stdout in human-readable format
#
# @param dump_parents If true, also dump the parent certificates
def dump(self, *args, **kwargs):
print self.dump_string(*args, **kwargs)
def dump_string(self, dump_parents=False):
result = ""
result += "CREDENTIAL %s\n" % self.get_subject()
result += " privs: %s\n" % self.get_privileges().save_to_string()
gidCaller = self.get_gid_caller()
if gidCaller:
result += " gidCaller:\n"
gidCaller.dump(8, dump_parents)
gidObject = self.get_gid_object()
if gidObject:
result += " gidObject:\n"
result += gidObject.dump_string(8, dump_parents)
result += " delegate: %s" % self.get_delegate()
if self.parent and dump_parents:
result += "PARENT\n"
result += self.parent.dump_string(dump_parents)
return result
