AccessGrid.Security.CertificateManager.CertificateManager

Package AccessGrid :: Package Security :: Module CertificateManager :: Class CertificateManager

[show private | hide private]

Type CertificateManager

object --+
         |
        CertificateManager

A CertificateManager manages the certificates for a user.

It uses a CertificateRepository instance to maintain the certificates.
The repository keeps its certificates in a single large pool; however,
it provides a mechanism by which the user of the repository can
tag certificates with metadata. The certificate manager uses this
tagging mechanism to distinguish between a user's identity
certificates and the user's set of trusted CA certificates.

We accomplish this by defining a metadata tag for each certificate
imported: AG.CertificateManager.certType is the key; the value is
"identity" or "trustedCA".

The user's default identity is marked in the repository as well with
the metadat AG.CertificateManager.isDefaultIdentity, values 0/1. This default
is then returned by the call

    repo.FindCertificatesWithMetadata("AG.CertificateManager.isDefaultIdentity",
                                       "1")

The repo doesn't ensure that multiple certs get set to default; that
is up to this code.

This certificate manager will not use the system trusted CA directory
directly; it maintains a local cache of trusted CA certs in the
repository. Since OpenSSL and the Globus library expect these certificates
to have a particular file layout, the certificate manager will regenerate
this cache from the certificates in teh repository each time the set of
trusted CA certificates  in the repo changes. This set of certificates can
be determined by the call

    repo.FindCertificatesWithMetadata("AG.CertificateManager.certType",
                                       "trustedCA")

Globus proxies are also stored in the repository's space. Since they do
not have unique serial numbers, they are stored in filespace provided
for users with each certificate:

    certDesc = defaultCert
    proxyPath = certDesc.GetFilePath("globus_proxy")
    CreateGlobusProxy(certDesc.GetCertPath(),
                      certDesc.GetKeyPath(),
                      proxyPath)


Initialization
--------------
    
We will assume that if the repository  is not already present 
that we've not run this app before and must therefore initialize
the repository. It may be the case that the user has run an earlier
version of the AG software and therefore has an AG2.0-style certificate
repository already in place. We will ignore this, and initialize directly
from globus state. It is not likely at this stage of the game that
users already have a lot of new state built up in that repository.

Runtime configuration
---------------------

When an app starts up, we will need to do the following things
to initialize the user's environment to work properly with the Globus
toolkit:

    Set up the user's environment to point at the
    appropriate local settings by modifying os.environ.

    Determine if a valid proxy is in place. If not,
    call grid-proxy-init to create one.

We also support a mechanism for determining if the
existing proxy will expire soon, and provide a way
to as the user for a renewal of it.

Instance variables
------------------

userInterface       Reference to the UI object responsbile
                    for manipulations on this manager.

userProfileDir      Location of the per-user profile directory
                    for the user of this manager.

repoPath            Location of the certificate repository used by this mgr.

Method Summary
	`__init__(self, userProfileDir, userInterface)` CertificateManager constructor.
	`CheckConfiguration(self)` Perform a sanity check on the security execution environment
	`CheckRequestedCertificate(self, req, token, server, proxyHost, proxyPort)` Check the server to see if the given request has been granted.
	`CheckValidity(self, cert)` Check a certificate for validity.
	`CreateProxy(self)`
	`CreateProxyCertificate(self, passphrase, bits, hours)` Create a globus proxy.
	`GetCACerts(self)`
	`GetCertificatePath(self, cert)` Return the certification path for cert.
	`GetCertificateRepository(self)`
	`GetDefaultIdentity(self)`
	`GetDefaultIdentityCerts(self)`
	`GetGlobusConfig(self)`
	`GetGlobusProxyCert(self)` Perform some exhaustive checks to see if there is a valid globus proxy in place.
	`GetIdentityCerts(self)`
	`GetPendingRequests(self)` Return a list of the certificate requests in the repository for which we don't have a certificate, and for which the metadata AG.CertificateManager.requestToken is set.
	`GetProxyPath(self)`
	`GetUserInterface(self)`
	`HaveValidProxy(self)` Return true if there is a valid proxy for the current identity.
	`ImportCACertificatePEM(self, repo, cert)`
	`ImportIdentityCertificatePEM(self, repo, userCert, userKey, passphraseCB)`
	`ImportIdentityCertificateX509(self, repo, certObj, pkeyObj, passphraseCB)`
	`ImportRequestedCertificate(self, userCert)`
	`InitEnvironment(self)` Configure the process environment to correspond to the chosen configuration.
	`InitEnvironmentStandard(self)`
	`InitEnvironmentWithCert(self, certFile, keyFile)` Set up the cert mgr to run with the specified cert and file.
	`InitEnvironmentWithDN(self, dn)` Set up the cert mgr to run with the specified DN as the default for this instance.
	`InitializeRepository(self)` Initiailize the cert repository as we don't already have one.
	`InitRepoFromGlobus(self, repo)` Initialize the given repository from the Globus cert state.
	`IsDefaultIdentityCert(self, c)`
	`IsIdentityCert(self, c)`
	`SetDefaultIdentity(self, certDesc)` Make the identity represented by certDesc the default identity.
	`SetTemporaryDefaultIdentity(self, useDefaultDN, useCertFile, useKeyFile)` Set the default identity to use for this instance of the certificate manager.
	`VerifyCertificatePath(self, cert)` Verify that we have CA certificates for the issuing chain of this cert.
Inherited from object
	`__delattr__(...)` x.__delattr__('name') <==> del x.name
	`__getattribute__(...)` x.__getattribute__('name') <==> x.name
	`__hash__(x)` x.__hash__() <==> hash(x)
	`__new__(T, S, ...)` T.__new__(S, ...) -> a new object with type S, a subtype of T
	`__reduce__(...)` helper for pickle
	`__reduce_ex__(...)` helper for pickle
	`__repr__(x)` x.__repr__() <==> repr(x)
	`__setattr__(...)` x.__setattr__('name', value) <==> x.name = value
	`__str__(x)` x.__str__() <==> str(x)

Class Variable Summary
`list`	`__slots__` = `['userInterface', 'userProfileDir', 'certRep...`
`member_descriptor`	`caDir` = `<member 'caDir' of 'CertificateManager' objects>`
`member_descriptor`	`certRepo` = `<member 'certRepo' of 'CertificateManager' ob...`
`member_descriptor`	`certRepoPath` = `<member 'certRepoPath' of 'CertificateMan...`
`member_descriptor`	`defaultIdentity` = `<member 'defaultIdentity' of 'Certific...`
`member_descriptor`	`globusConfig` = `<member 'globusConfig' of 'CertificateMan...`
`member_descriptor`	`issuedGlobusWarning` = `<member 'issuedGlobusWarning' of '...`
`member_descriptor`	`proxyPath` = `<member 'proxyPath' of 'CertificateManager' ...`
`member_descriptor`	`useCertFile` = `<member 'useCertFile' of 'CertificateManag...`
`member_descriptor`	`useDefaultDN` = `<member 'useDefaultDN' of 'CertificateMan...`
`member_descriptor`	`useKeyFile` = `<member 'useKeyFile' of 'CertificateManager...`
`member_descriptor`	`userInterface` = `<member 'userInterface' of 'CertificateM...`
`member_descriptor`	`userProfileDir` = `<member 'userProfileDir' of 'Certificat...`

Method Details

init(self, userProfileDir, userInterface)
(Constructor)

CertificateManager constructor.

userProfileDir - directory in which this user's profile information is kept. The CM uses this directory to store the certificate repository.

userInterface - the CMUserInterface object through which interactions with the user are managed.

Overrides:: __builtin__.object.__init__

CheckConfiguration(self)

Perform a sanity check on the security execution environment

CheckRequestedCertificate(self, req, token, server, proxyHost=None, proxyPort=None)

Check the server to see if the given request has been granted. Return a tuple of (success, msg). If successful, success=1 and msg is the granted certificate. If not successful, success=0 and msg is an error message.

CheckValidity(self, cert)

Check a certificate for validity.

Return "Expired", "OK", "Not yet valid", "Invalid CA Chain", "Missing private key"

CreateProxyCertificate(self, passphrase, bits, hours)

Create a globus proxy.

GetCertificatePath(self, cert)

Return the certification path for cert.

GetGlobusProxyCert(self)

Perform some exhaustive checks to see if there is a valid globus proxy in place.

This is similar to _VerifyGlobusProxy() above, but does not do validity checking. It is here for the purposes of returning the proxy info to the user (for the cert mgr interface), expired or not.

GetPendingRequests(self)

Return a list of the certificate requests in the repository for which we don't have a certificate, and for which the metadata AG.CertificateManager.requestToken is set.

Return is actually a list of tuples (certReqDescriptor, requestToken, serverURL, creationDate)

HaveValidProxy(self)

Return true if there is a valid proxy for the current identity.

InitEnvironment(self)

Configure the process environment to correspond to the chosen
configuration.

This method does not attempt to remedy any problems in the
configuration; rather, if the situation is not to its liking,
it raises an exception telling the caller what the problem
is. It is safe to reinvoke this method as needed.

If self.useDefaultDN is set, use the given DN to be the default
for this instance of the class.

If self.useCertFile is set, use that certificate as the default.

Otherwise,

If there are no identity certificates present, raise the
NoCertificates exception.

If there is exactly one identity certificate, mark it as the
default certificate.

If there are more than one identity certificates and none is
marked default, or more than one is marked default, raise the
NoDefaultIdentity exception.

Examine the default identity certificate.

If it has an encrypted private key, check for the existence of
a Globus proxy for the cert. If one does not exist, raise the
ProxyExpired exception.

Otherwise, set the following environment variables:

    X509_USER_PROXY: user proxy cert
    X509_CERT_DIR: location of trusted CA certificates

If the default identity certificate has an unencrypted private key,
we can use it directly. Set the following environment variables:

    X509_USER_CERT: user's certificate
    X509_USER_KEY: user's private key
    X509_RUN_AS_SERVER: set to override any lingering proxy
                        cert setting


This method sets self.defaultIdentity as a side effect. It
should be viewed as the current appropriate mechanism for
setting defaultIdentity.

InitEnvironmentWithCert(self, certFile, keyFile)

Set up the cert mgr to run with the specified cert and file. Do not modify the default identity keys in the repository.

InitEnvironmentWithDN(self, dn)

Set up the cert mgr to run with the specified DN as the default for this instance. Do not modify the default identity keys in the repository.

InitializeRepository(self)

Initiailize the cert repository as we don't already have one.

We need to first create a new repository (by passing create=1 to the constructor).

Then we need to grope about in the system for the location of any existing certificates, both user identity and trusted CA.

InitRepoFromGlobus(self, repo)

Initialize the given repository from the Globus cert state.

If we cannot find an identity certificate, do a callback on the user interface when we're done with the rest of the initialization so that the user has an opportunity to request a certificate.

If we cannot find any globus state, callback to the user interface for that as well. That's a harder problem to solve, but it's not up to us down here.

SetDefaultIdentity(self, certDesc)

Make the identity represented by certDesc the default identity.

This only affects the cert repository; a followup call to InitEnvironment is necessary to effect the change in the environment.

Parameters:: certDesc - certificate which is to be the default.
(type=CertificateDescriptor)

SetTemporaryDefaultIdentity(self, useDefaultDN=None, useCertFile=None, useKeyFile=None)

Set the default identity to use for this instance of the certificate manager.

VerifyCertificatePath(self, cert)

Verify that we have CA certificates for the issuing chain of this cert.

Class Variable Details

slots

Type:: list
Value:: ['userInterface', 'userProfileDir', 'certRepoPath', 'certRepo', 'caDir', 'proxyPath', 'defaultIdentity', 'issuedGlobusWarning', ...

caDir

Type:: member_descriptor
Value:: <member 'caDir' of 'CertificateManager' objects>

certRepo

Type:: member_descriptor
Value:: <member 'certRepo' of 'CertificateManager' objects>

certRepoPath

Type:: member_descriptor
Value:: <member 'certRepoPath' of 'CertificateManager' objects>

defaultIdentity

Type:: member_descriptor
Value:: <member 'defaultIdentity' of 'CertificateManager' objects>

globusConfig

Type:: member_descriptor
Value:: <member 'globusConfig' of 'CertificateManager' objects>

issuedGlobusWarning

Type:: member_descriptor
Value:: <member 'issuedGlobusWarning' of 'CertificateManager' objects>

proxyPath

Type:: member_descriptor
Value:: <member 'proxyPath' of 'CertificateManager' objects>

useCertFile

Type:: member_descriptor
Value:: <member 'useCertFile' of 'CertificateManager' objects>

useDefaultDN

Type:: member_descriptor
Value:: <member 'useDefaultDN' of 'CertificateManager' objects>

useKeyFile

Type:: member_descriptor
Value:: <member 'useKeyFile' of 'CertificateManager' objects>

userInterface

Type:: member_descriptor
Value:: <member 'userInterface' of 'CertificateManager' objects>

userProfileDir

Type:: member_descriptor
Value:: <member 'userProfileDir' of 'CertificateManager' objects>

Generated by Epydoc 2.1 on Thu Apr 14 16:39:28 2005

http://epydoc.sf.net