Issue GENI-NSF#854. Update to SFA 3.1-18 as of June 11, 2015 (from 3.…

…1-9 of May 2014).

This update includes:
* drop legacy credential support
* invoke xmlxec using subprocess and use the return code to measure success
* rename methods for printing pretty certs and creds
* rename the inner cert in the Certificate

This merge is not a complete replace of what we had with the latest from SFA, as the
latest from SFA does not have ABAC credential support, support multiple certs in the credential signature,
support utf-8 credentials, or include many of our error checks.

src/delegateSliceCred.py

@@ -235,12 +235,12 @@ def naiveUTC(dt):
     delegee_cert = GID(filename=opts.delegeegid)
 
     # confirm cert hasn't expired
-    if owner_cert.cert.has_expired():
-        sys.exit("Cred owner %s cert has expired at %s - cannot delegate" % (owner_cert.cert.get_subject(), owner_cert.cert.get_notAfter()))
+    if owner_cert.x509.has_expired():
+        sys.exit("Cred owner %s cert has expired at %s - cannot delegate" % (owner_cert.x509.get_subject(), owner_cert.x509.get_notAfter()))
 
     # confirm cert to delegate to hasn't expired
-    if delegee_cert.cert.has_expired():
-        sys.exit("Delegee %s cert has expired at %s - cannot delegate" % (delegee_cert.cert.get_subject(), delegee_cert.cert.get_notAfter()))
+    if delegee_cert.x509.has_expired():
+        sys.exit("Delegee %s cert has expired at %s - cannot delegate" % (delegee_cert.x509.get_subject(), delegee_cert.x509.get_notAfter()))
 
     if len(root_objects) > 0:
         try:
@@ -315,7 +315,7 @@ def naiveUTC(dt):
     if opts.debug:
         dcred.dump(True)
     else:
-        logger.info("Created delegated credential %s", dcred.get_summary_tostring())
+        logger.info("Created delegated credential %s", dcred.pretty_cred())
 
     # Save the result to a file
     bad = u'!"#%\'()*+,-./:;<=>?@[\]^_`{|}~'

src/gcf/geni/util/cred_util.py

@@ -268,7 +268,7 @@ def verify(self, gid, credentials, target_urn, privileges):
             if cred.get_cred_type() == cred.SFA_CREDENTIAL_TYPE:
                 cS = cred.get_gid_caller().get_urn()
             elif cred.get_cred_type() == ABACCredential.ABAC_CREDENTIAL_TYPE:
-                cS = cred.get_summary_tostring()
+                cS = cred.pretty_cred()
             else:
                 cS = "Unknown credential type %s" % cred.get_cred_type()
 

src/gcf/geni/util/speaksfor_util.py

@@ -138,26 +138,26 @@ def verify_speaks_for(cred, tool_gid, speaking_for_urn, \
 
     # Credential has not expired
     if cred.expiration and cred.expiration < datetime.datetime.utcnow():
-        return False, None, "ABAC Credential expired at %s (%s)" % (cred.expiration.isoformat(), cred.get_summary_tostring())
+        return False, None, "ABAC Credential expired at %s (%s)" % (cred.expiration.isoformat(), cred.pretty_cred())
 
     # Must be ABAC
     if cred.get_cred_type() != ABACCredential.ABAC_CREDENTIAL_TYPE:
         return False, None, "Credential not of type ABAC but %s" % cred.get_cred_type
 
     if cred.signature is None or cred.signature.gid is None:
-        return False, None, "Credential malformed: missing signature or signer cert. Cred: %s" % cred.get_summary_tostring()
+        return False, None, "Credential malformed: missing signature or signer cert. Cred: %s" % cred.pretty_cred()
     user_gid = cred.signature.gid
     user_urn = user_gid.get_urn()
 
     # URN of signer from cert must match URN of 'speaking-for' argument
     if user_urn != speaking_for_urn:
         return False, None, "User URN from cred doesn't match speaking_for URN: %s != %s (cred %s)" % \
-            (user_urn, speaking_for_urn, cred.get_summary_tostring())
+            (user_urn, speaking_for_urn, cred.pretty_cred())
 
     tails = cred.get_tails()
     if len(tails) != 1: 
         return False, None, "Invalid ABAC-SF credential: Need exactly 1 tail element, got %d (%s)" % \
-            (len(tails), cred.get_summary_tostring())
+            (len(tails), cred.pretty_cred())
 
     user_keyid = get_cert_keyid(user_gid)
     tool_keyid = get_cert_keyid(tool_gid)
@@ -195,7 +195,7 @@ def verify_speaks_for(cred, tool_gid, speaking_for_urn, \
     if user_keyid != principal_keyid or \
             tool_keyid != subject_keyid or \
             role != ('speaks_for_%s' % user_keyid):
-        return False, None, "ABAC statement doesn't assert U.speaks_for(U)<-T (%s)" % cred.get_summary_tostring()
+        return False, None, "ABAC statement doesn't assert U.speaks_for(U)<-T (%s)" % cred.pretty_cred()
 
     # If schema provided, validate against schema
     if HAVELXML and schema and os.path.exists(schema):
@@ -205,7 +205,7 @@ def verify_speaks_for(cred, tool_gid, speaking_for_urn, \
         xmlschema = etree.XMLSchema(schema_doc)
         if not xmlschema.validate(tree):
             error = xmlschema.error_log.last_error
-            message = "%s: %s (line %s)" % (cred.get_summary_tostring(), error.message, error.line)
+            message = "%s: %s (line %s)" % (cred.pretty_cred(), error.message, error.line)
             return False, None, ("XML Credential schema invalid: %s" % message)
 
     if trusted_roots:
@@ -222,7 +222,7 @@ def verify_speaks_for(cred, tool_gid, speaking_for_urn, \
         except Exception, e:
             if user_gid.get_issuer() == tool_gid.get_issuer() and user_gid.get_parent() and not tool_gid.get_parent():
                 if logger:
-                    logger.debug("Tool cert didn't verify (%s). Adding tool issuer (%s) as parent (taken from user_gid)", e, user_gid.get_parent().get_printable_subject())
+                    logger.debug("Tool cert didn't verify (%s). Adding tool issuer (%s) as parent (taken from user_gid)", e, user_gid.get_parent().pretty_cert())
                 tool_gid.set_parent(user_gid.get_parent())
                 try:
                     tool_gid.verify_chain(trusted_roots)
@@ -270,7 +270,7 @@ def determine_speaks_for(logger, credentials, caller_gid, options, \
             if not isinstance(cred_value, ABACCredential):
                 cred = CredentialFactory.createCred(cred_value)
 
-#            print "Got a cred to check speaksfor for: %s" % cred.get_summary_tostring()
+#            print "Got a cred to check speaksfor for: %s" % cred.pretty_cred()
 #            #cred.dump(True, True)
 #            print "Caller: %s" % caller_gid.dump_string(2, True)
 
@@ -323,7 +323,7 @@ def create_sign_abaccred(tool_gid, user_gid, ma_gid, user_key_file, cred_filenam
     # Save it
     cred.save_to_file(cred_filename)
     print "Created ABAC credential: '%s' in file %s" % \
-            (cred.get_summary_tostring(), cred_filename)
+            (cred.pretty_cred(), cred_filename)
 
 # FIXME: Assumes xmlsec1 is on path
 # FIXME: Assumes signer is itself signed by an 'ma_gid' that can be trusted

src/gcf/omnilib/util/handler_utils.py

@@ -940,7 +940,7 @@ def _is_user_cert_expired(handler):
     except Exception, e:
         handler.logger.debug("Failed to create GID from %s: %s",
                              handler.framework.config['cert'], e)
-    if usergid and usergid.cert.has_expired():
+    if usergid and usergid.x509.has_expired():
         return True
     return False
 

src/gcf/sfa/README.txt

@@ -7,16 +7,16 @@ directory is subject to the PlanetLab license (see "License"
 below). There are a small number of modifications to the code. These
 modifications are documented in the "Modifications" section below.
 
-This code is based on revision 2947b0cb620ce8beb4c8c9bfe25adeadcbf1829f
-(May 23rd, 2014, tag sfa-3.1-9 ) of the master branch of the
+This code is based on revision 468d984409e02e84d15eb35d3eb464f6a3059dd8
+(June 11th, 2015, tag sfa-3.1-18 ) of the master branch of the
 PlanetLab Git repository (git.planet-lab.org/git/sfa.git).
 
 License
 =======
 http://git.planet-lab.org/?p=sfa.git;a=blob_plain;f=LICENSE.txt;hb=HEAD
 
-Copyright (c) 2008-2014 Board of Trustees, Princeton University
-Copyright (c) 2010-2014 INRIA, Institut National d'Informatique et Automatique
+Copyright (c) 2008-2015 Board of Trustees, Princeton University
+Copyright (c) 2010-2015 INRIA, Institut National d'Informatique et Automatique
 
 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software and/or hardware specification (the "Work") to

src/gcf/sfa/trust/abac_credential.py

@@ -23,8 +23,9 @@
 
 from __future__ import absolute_import
 
-from .credential import Credential, append_sub
+from .credential import Credential, append_sub, DEFAULT_CREDENTIAL_LIFETIME
 from ..util.sfalogging import logger
+from ..util.sfatime import SFATIME_FORMAT
 
 from StringIO import StringIO
 from xml.dom.minidom import Document, parseString
@@ -163,7 +164,7 @@ def dump_string(self, dump_parents=False, show_xml=False):
         filename=self.get_filename()
         if filename: result += "Filename %s\n"%filename
         if self.expiration:
-            result +=  "\texpiration: %s \n" % self.expiration.isoformat()
+            result +=  "\texpiration: %s \n" % self.expiration.strftime(SFATIME_FORMAT)
 
         result += "\tHead: %s\n" % self.get_head() 
         for tail in self.get_tails():
@@ -186,7 +187,7 @@ def dump_string(self, dump_parents=False, show_xml=False):
 
     # sounds like this should be __repr__ instead ??
     # Produce the ABAC assertion. Something like [ABAC cred: Me.role<-You] or similar
-    def get_summary_tostring(self):
+    def pretty_cred(self):
         result = "[ABAC cred: " + str(self.get_head())
         for tail in self.get_tails():
             result += "<-%s" % str(tail)
@@ -259,7 +260,7 @@ def encode(self):
         if self.expiration.tzinfo is not None and self.expiration.tzinfo.utcoffset(self.expiration) is not None:
             # TZ aware. Make sure it is UTC
             self.expiration = self.expiration.astimezone(tz.tzutc())
-        append_sub(doc, cred, "expires", self.expiration.strftime('%Y-%m-%dT%H:%M:%SZ')) # RFC3339
+        append_sub(doc, cred, "expires", self.expiration.strftime(SFATIME_FORMAT)) # RFC3339
 
         abac = doc.createElement("abac")
         rt0 = doc.createElement("rt0")