add debug trace when invoking xmlsec1
Thierry Parmentelat [Tue, 20 Jan 2015 08:03:11 +0000 (09:03 +0100)]
+ miscell reformatting for narrower text

sfa/client/sfaclientlib.py
sfa/trust/auth.py
sfa/trust/credential.py

index 78f6f48..bc4a1d1 100644 (file)
@@ -121,7 +121,7 @@ class SfaClientBootstrap:
     ######################################## *_produce methods
     ### step1
     # unconditionnally create a self-signed certificate
-    def self_signed_cert_produce (self,output):
+    def self_signed_cert_produce (self, output):
         self.assert_private_key()
         private_key_filename = self.private_key_filename()
         keypair=Keypair(filename=private_key_filename)
@@ -131,7 +131,7 @@ class SfaClientBootstrap:
         self_signed.sign ()
         self_signed.save_to_file (output)
         self.logger.debug("SfaClientBootstrap: Created self-signed certificate for %s in %s"%\
-                              (self.hrn,output))
+                              (self.hrn, output))
         return output
 
     ### step2 
@@ -142,7 +142,8 @@ class SfaClientBootstrap:
         certificate_filename = self.self_signed_cert_filename()
         certificate_string = self.plain_read (certificate_filename)
         self.assert_private_key()
-        registry_proxy = SfaServerProxy (self.registry_url, self.private_key_filename(),
+        registry_proxy = SfaServerProxy (self.registry_url,
+                                         self.private_key_filename(),
                                          certificate_filename)
         try:
             credential_string=registry_proxy.GetSelfCredential (certificate_string, self.hrn, "user")
@@ -316,10 +317,14 @@ class SfaClientBootstrap:
             raise IOError,"Missing %s file %s"%(kind,filename)
         return True
         
-    def assert_private_key (self): return self.assert_filename (self.private_key_filename(),"private key")
-    def assert_self_signed_cert (self): return self.assert_filename (self.self_signed_cert_filename(),"self-signed certificate")
-    def assert_my_credential (self): return self.assert_filename (self.my_credential_filename(),"user's credential")
-    def assert_my_gid (self): return self.assert_filename (self.my_gid_filename(),"user's GID")
+    def assert_private_key (self):
+        return self.assert_filename (self.private_key_filename(),"private key")
+    def assert_self_signed_cert (self):
+        return self.assert_filename (self.self_signed_cert_filename(),"self-signed certificate")
+    def assert_my_credential (self):
+        return self.assert_filename (self.my_credential_filename(),"user's credential")
+    def assert_my_gid (self):
+        return self.assert_filename (self.my_gid_filename(),"user's GID")
 
 
     # decorator to make up the other methods
index 59ca4c2..2120a80 100644 (file)
@@ -4,9 +4,10 @@
 import sys
 from types import StringTypes
 
-from sfa.util.faults import InsufficientRights, MissingCallerGID, MissingTrustedRoots, PermissionError, \
-    BadRequestHash, ConnectionKeyGIDMismatch, SfaPermissionDenied, CredentialNotVerifiable, Forbidden, \
-    BadArgs
+from sfa.util.faults import InsufficientRights, MissingCallerGID, \
+    MissingTrustedRoots, PermissionError, BadRequestHash, \
+    ConnectionKeyGIDMismatch, SfaPermissionDenied, CredentialNotVerifiable, \
+    Forbidden, BadArgs
 from sfa.util.sfalogging import logger
 from sfa.util.config import Config
 from sfa.util.xrn import Xrn, get_authority
@@ -34,10 +35,13 @@ class Auth:
         self.load_trusted_certs()
 
     def load_trusted_certs(self):
-        self.trusted_cert_list = TrustedRoots(self.config.get_trustedroots_dir()).get_list()
-        self.trusted_cert_file_list = TrustedRoots(self.config.get_trustedroots_dir()).get_file_list()
+        self.trusted_cert_list = \
+            TrustedRoots(self.config.get_trustedroots_dir()).get_list()
+        self.trusted_cert_file_list = \
+            TrustedRoots(self.config.get_trustedroots_dir()).get_file_list()
 
-    # this convenience methods extracts speaking_for_xrn from the passed options using 'geni_speaking_for'
+    # this convenience methods extracts speaking_for_xrn
+    # from the passed options using 'geni_speaking_for'
     def checkCredentialsSpeaksFor (self, *args, **kwds):
         if 'options' not in kwds:
             logger.error ("checkCredentialsSpeaksFor was not passed options=options")
@@ -62,7 +66,8 @@ class Auth:
                 error="checkCredentials: expected a string, received %s"%(type(cred))
             else:
                 cred_obj=Credential(string=cred)
-                logger.info("failed to validate credential - dump=%s"%cred_obj.dump_string(dump_parents=True))
+                logger.info("failed to validate credential - dump=%s"%\
+                            cred_obj.dump_string(dump_parents=True))
                 error = sys.exc_info()[:2]
             return error
 
@@ -76,7 +81,7 @@ class Auth:
         if not isinstance(xrns, list):
             xrns = [xrns]
 
-        slice_xrns = Xrn.filter_type(xrns, 'slice')
+        slice_xrns  = Xrn.filter_type(xrns, 'slice')
         sliver_xrns = Xrn.filter_type(xrns, 'sliver')
 
         # we are not able to validate slivers in the traditional way so 
@@ -122,7 +127,7 @@ class Auth:
         
     def check(self, credential, operation, hrn = None):
         """
-        Check the credential against the peer cert (callerGID included 
+        Check the credential against the peer cert (callerGID) included 
         in the credential matches the caller that is connected to the 
         HTTPS connection, check if the credential was signed by a 
         trusted cert and check if the credential is allowed to perform 
@@ -152,7 +157,8 @@ class Auth:
                 raise InsufficientRights(operation)
 
         if self.trusted_cert_list:
-            self.client_cred.verify(self.trusted_cert_file_list, self.config.SFA_CREDENTIAL_SCHEMA)
+            self.client_cred.verify(self.trusted_cert_file_list,
+                                    self.config.SFA_CREDENTIAL_SCHEMA)
         else:
            raise MissingTrustedRoots(self.config.get_trustedroots_dir())
        
@@ -168,7 +174,7 @@ class Auth:
 
     def check_ticket(self, ticket):
         """
-        Check if the tickt was signed by a trusted cert
+        Check if the ticket was signed by a trusted cert
         """
         if self.trusted_cert_list:
             client_ticket = SfaTicket(string=ticket)
@@ -315,7 +321,8 @@ class Auth:
         rl = Rights()
         type = reg_record.type
 
-        logger.debug("entering determine_user_rights with record %s and caller_hrn %s"%(reg_record, caller_hrn))
+        logger.debug("entering determine_user_rights with record %s and caller_hrn %s"%\
+                     (reg_record, caller_hrn))
 
         if type == 'slice':
             # researchers in the slice are in the DB as-is
index 9d0fd28..f4f192d 100644 (file)
@@ -798,7 +798,9 @@ class Credential(object):
 
         # make sure it is not expired
         if self.get_expiration() < datetime.datetime.utcnow():
-            raise CredentialNotVerifiable("Credential %s expired at %s" % (self.get_summary_tostring(), self.expiration.strftime(SFATIME_FORMAT)))
+            raise CredentialNotVerifiable("Credential %s expired at %s" % \
+                                          (self.get_summary_tostring(),
+                                           self.expiration.strftime(SFATIME_FORMAT)))
 
         # Verify the signatures
         filename = self.save_to_random_tmp_file()
@@ -826,10 +828,11 @@ class Credential(object):
             if trusted_certs is None:
                 break
 
-#            print "Doing %s --verify --node-id '%s' %s %s 2>&1" % \
-#                (self.xmlsec_path, ref, cert_args, filename)
-            verified = os.popen('%s --verify --node-id "%s" %s %s 2>&1' \
-                            % (self.xmlsec_path, ref, cert_args, filename)).read()
+            command = '{} --verify --node-id "{}" {} {} 2>&1'.\
+                      format(self.xmlsec_path, ref, cert_args, filename)
+            logger.debug("Running '{}'".format(command))
+            verified = os.popen(command).read()
+            logger.debug("xmlsec command returned {}".format(verified))
             if not verified.strip().startswith("OK"):
                 # xmlsec errors have a msg= which is the interesting bit.
                 mstart = verified.find("msg=")
@@ -838,7 +841,10 @@ class Credential(object):
                     mstart = mstart + 4
                     mend = verified.find('\\', mstart)
                     msg = verified[mstart:mend]
-                raise CredentialNotVerifiable("xmlsec1 error verifying cred %s using Signature ID %s: %s %s" % (self.get_summary_tostring(), ref, msg, verified.strip()))
+                raise CredentialNotVerifiable("xmlsec1 error verifying cred %s"
+                                              "using Signature ID %s: %s %s" % \
+                                              (self.get_summary_tostring(),
+                                               ref, msg, verified.strip()))
         os.remove(filename)
 
         # Verify the parents (delegation)