def decode(self): data = self.get_data().lstrip('URI:http://') if data: dict = xmlrpclib.loads(data)[0][0] else: dict = {} self.lifeTime = dict.get("lifeTime", None) self.delegate = dict.get("delegate", None) privStr = dict.get("privileges", None) if privStr: self.privileges = Rights(string=privStr) else: self.privileges = None gidCallerStr = dict.get("gidCaller", None) if gidCallerStr: self.gidCaller = GID(string=gidCallerStr) else: self.gidCaller = None gidObjectStr = dict.get("gidObject", None) if gidObjectStr: self.gidObject = GID(string=gidObjectStr) else: self.gidObject = None
def delegate(self, delegee_gidfile, caller_keyfile, caller_gidfile): """ Return a delegated copy of this credential, delegated to the specified gid's user. """ # get the gid of the object we are delegating object_gid = self.get_gid_object() object_hrn = object_gid.get_hrn() # the hrn of the user who will be delegated to delegee_gid = GID(filename=delegee_gidfile) delegee_hrn = delegee_gid.get_hrn() #user_key = Keypair(filename=keyfile) #user_hrn = self.get_gid_caller().get_hrn() subject_string = "%s delegated to %s" % (object_hrn, delegee_hrn) dcred = Credential(subject=subject_string) dcred.set_gid_caller(delegee_gid) dcred.set_gid_object(object_gid) dcred.set_parent(self) dcred.set_expiration(self.get_expiration()) dcred.set_privileges(self.get_privileges()) dcred.get_privileges().delegate_all_privileges(True) #dcred.set_issuer_keys(keyfile, delegee_gidfile) dcred.set_issuer_keys(caller_keyfile, caller_gidfile) dcred.encode() dcred.sign() return dcred
def authenticateGid(self, gidStr, argList, requestHash=None): gid = GID(string = gidStr) self.validateGid(gid) # request_hash is optional if requestHash: self.verifyGidRequestHash(gid, requestHash, argList) return gid
def decode(self): data = self.get_data() if data: dict = xmlrpclib.loads(self.get_data()[4:])[0][0] else: dict = {} self.attributes = dict.get("attributes", {}) self.rspec = dict.get("rspec", {}) self.delegate = dict.get("delegate", False) gidCallerStr = dict.get("gidCaller", None) if gidCallerStr: self.gidCaller = GID(string=gidCallerStr) else: self.gidCaller = None gidObjectStr = dict.get("gidObject", None) if gidObjectStr: self.gidObject = GID(string=gidObjectStr) else: self.gidObject = None
def sign(self): if not self.issuer_privkey: print "Cannot sign credential (no private key)" return if not self.issuer_gid: print "Cannot sign credential (no issuer gid)" return doc = parseString(self.get_xml()) sigs = doc.getElementsByTagName("signatures")[0] # Create the signature template to be signed signature = Signature() signature.set_refid(self.get_refid()) sdoc = parseString(signature.get_xml()) sig_ele = doc.importNode( sdoc.getElementsByTagName("Signature")[0], True) sigs.appendChild(sig_ele) self.xml = doc.toxml() # Split the issuer GID into multiple certificates if it's a chain chain = GID(filename=self.issuer_gid) gid_files = [] while chain: gid_files.append(chain.save_to_random_tmp_file(False)) if chain.get_parent(): chain = chain.get_parent() else: chain = None # Call out to xmlsec1 to sign it ref = 'Sig_%s' % self.get_refid() filename = self.save_to_random_tmp_file() command='%s --sign --node-id "%s" --privkey-pem %s,%s %s' \ % (self.xmlsec_path, ref, self.issuer_privkey, ",".join(gid_files), filename) # print 'command',command signed = os.popen(command).read() os.remove(filename) for gid_file in gid_files: os.remove(gid_file) self.xml = signed # This is no longer a legacy credential if self.legacy: self.legacy = None # Update signatures self.decode()
def create_gid(self, xrn, uuid, pkey, CA=False, email=None): hrn, type = urn_to_hrn(xrn) if not type: type = 'authority' parent_hrn = get_authority(hrn) # Using hrn_to_urn() here to make sure the urn is in the right format # If xrn was a hrn instead of a urn, then the gid's urn will be # of type None urn = hrn_to_urn(hrn, type) subject = self.get_subject(hrn) if not subject: subject = hrn gid = GID(subject=subject, uuid=uuid, hrn=hrn, urn=urn, email=email) # is this a CA cert if hrn == self.config.SFA_INTERFACE_HRN or not parent_hrn: # root or sub authority gid.set_intermediate_ca(True) elif type and 'authority' in type: # authority type gid.set_intermediate_ca(False) elif CA: gid.set_intermediate_ca(True) else: gid.set_intermediate_ca(False) # set issuer if not parent_hrn or hrn == self.config.SFA_INTERFACE_HRN: # if there is no parent hrn, then it must be self-signed. this # is where we terminate the recursion gid.set_issuer(pkey, subject) else: # we need the parent's private key in order to sign this GID parent_auth_info = self.get_auth_info(parent_hrn) parent_gid = parent_auth_info.get_gid_object() gid.set_issuer(parent_auth_info.get_pkey_object(), parent_gid.get_extended_subject()) gid.set_parent(parent_auth_info.get_gid_object()) gid.set_pubkey(pkey) gid.encode() gid.sign() return gid
class Signature(object): def __init__(self, string=None): self.refid = None self.issuer_gid = None self.xml = None if string: self.xml = string self.decode() def get_refid(self): if not self.refid: self.decode() return self.refid def get_xml(self): if not self.xml: self.encode() return self.xml def set_refid(self, id): self.refid = id def get_issuer_gid(self): if not self.gid: self.decode() return self.gid def set_issuer_gid(self, gid): self.gid = gid def decode(self): try: doc = parseString(self.xml) except ExpatError, e: raise e sig = doc.getElementsByTagName("Signature")[0] self.set_refid(sig.getAttribute("xml:id").strip("Sig_")) keyinfo = sig.getElementsByTagName("X509Data")[0] szgid = getTextNode(keyinfo, "X509Certificate") szgid = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----" % szgid self.set_issuer_gid(GID(string=szgid))
def verify(self, trusted_certs=None, schema=None, trusted_certs_required=True): if not self.xml: self.decode() # validate against RelaxNG schema if HAVELXML and not self.legacy: if schema and os.path.exists(schema): tree = etree.parse(StringIO(self.xml)) schema_doc = etree.parse(schema) xmlschema = etree.XMLSchema(schema_doc) #except Exception as e: # print e if not xmlschema: #.validate(tree): error = xmlschema.error_log.last_error message = "%s: %s (line %s)" % ( self.get_summary_tostring(), error.message, error.line) raise CredentialNotVerifiable(message) if trusted_certs_required and trusted_certs is None: trusted_certs = [] # trusted_cert_objects = [GID(filename=f) for f in trusted_certs] trusted_cert_objects = [] ok_trusted_certs = [] # If caller explicitly passed in None that means skip cert chain validation. # Strange and not typical if trusted_certs is not None: for f in trusted_certs: try: # Failures here include unreadable files # or non PEM files trusted_cert_objects.append(GID(filename=f)) ok_trusted_certs.append(f) except Exception, exc: print "Failed to load trusted cert from %s: %r" % (f, exc) trusted_certs = ok_trusted_certs
def get_gid_object(self): if not self.gid_object: self.gid_object = GID(filename=self.gid_filename) return self.gid_object
def get_list(self): print 'self.get_file_list():',self.get_file_list() gid_list = [GID(filename=cert_file) for cert_file in self.get_file_list()] return gid_list
def decode(self): if not self.xml: return doc = parseString(self.xml) sigs = [] signed_cred = doc.getElementsByTagName("signed-credential") # Is this a signed-cred or just a cred? if len(signed_cred) > 0: creds = signed_cred[0].getElementsByTagName("credential") signatures = signed_cred[0].getElementsByTagName("signatures") if len(signatures) > 0: sigs = signatures[0].getElementsByTagName("Signature") else: creds = doc.getElementsByTagName("credential") if creds is None or len(creds) == 0: # malformed cred file raise CredentialNotVerifiable( "Malformed XML: No credential tag found") # Just take the first cred if there are more than one cred = creds[0] self.set_refid(cred.getAttribute("xml:id")) self.set_expiration(utcparse(getTextNode(cred, "expires"))) self.gidCaller = GID(string=getTextNode(cred, "owner_gid")) self.gidObject = GID(string=getTextNode(cred, "target_gid")) # Process privileges privs = cred.getElementsByTagName("privileges")[0] rlist = Rights() for priv in privs.getElementsByTagName("privilege"): kind = getTextNode(priv, "name") deleg = str2bool(getTextNode(priv, "can_delegate")) if kind == '*': # Convert * into the default privileges for the credential's type # Each inherits the delegatability from the * above _, type = urn_to_hrn(self.gidObject.get_urn()) rl = determine_rights(type, self.gidObject.get_urn()) for r in rl.rights: r.delegate = deleg rlist.add(r) else: rlist.add(Right(kind.strip(), deleg)) self.set_privileges(rlist) # Is there a parent? parent = cred.getElementsByTagName("parent") if len(parent) > 0: parent_doc = parent[0].getElementsByTagName("credential")[0] parent_xml = parent_doc.toxml() self.parent = Credential(string=parent_xml) self.updateRefID() # Assign the signatures to the credentials for sig in sigs: Sig = Signature(string=sig.toxml()) for cur_cred in self.get_credential_list(): if cur_cred.get_refid() == Sig.get_refid(): cur_cred.set_signature(Sig)