Class: GP::Proxy

Inherits:
Object
Defined in:
lib/grid-proxy/proxy.rb

Constant Summary

CERT_START =
'-----BEGIN CERTIFICATE-----'

Instance Attribute Summary

Instance Method Summary

Constructor Details

#initialize(proxy_payload, username_prefix = 'plg') ⇒ Proxy

Returns a new instance of Proxy.



# File 'lib/grid-proxy/proxy.rb', line 7

# Wrap a raw proxy-credential payload. Nothing is parsed here: the
# certificate and key accessors interpret the payload lazily through
# private element helpers that are not shown on this page.
#
# @param proxy_payload [Object] raw credential data, stored as given
# @param username_prefix [String] prefix a subject CN must carry for
#   #username to treat it as the grid user name
def initialize(proxy_payload, username_prefix = 'plg')
  @proxy_payload, @username_prefix = proxy_payload, username_prefix
end

Instance Attribute Details

#proxy_payload ⇒ Object (readonly)

Returns the value of attribute proxy_payload.



# File 'lib/grid-proxy/proxy.rb', line 5

# Raw credential payload handed to #initialize, returned unchanged.
#
# @return [Object] the proxy_payload given to the constructor
def proxy_payload
  @proxy_payload
end

Instance Method Details

#proxycert ⇒ Object



# File 'lib/grid-proxy/proxy.rb', line 12

# Proxy certificate (element 1 of the payload), parsed on first use and
# memoised for later calls.
#
# @return [Object] whatever cert_for_element(1) yields — presumably an
#   OpenSSL::X509::Certificate, given the calls made on it in #verify!
def proxycert
  @proxycert || (@proxycert = cert_for_element(1))
end

#proxykey ⇒ Object



# File 'lib/grid-proxy/proxy.rb', line 16

# Private key of the proxy (element 1 of the payload), memoised.
#
# Any StandardError while locating or parsing the key — including a
# missing element — is reported as nil instead of raised; #verify! turns
# that nil into "Private proxy key missing". A nil result is not cached,
# so a later call parses again.
#
# @return [OpenSSL::PKey::PKey, nil]
def proxykey
  @proxykey ||= OpenSSL::PKey.read(proxy_element(1))
rescue StandardError
  nil
end

#revoked?(crl_payload) ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/grid-proxy/proxy.rb', line 62

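# Whether the user certificate's serial number appears on the given CRL.
#
# NOTE(review): the CRL's own signature is not verified here (the original
# left that as a commented-out TODO) and only the serial is compared, so
# the caller must already trust that crl_payload is the issuing CA's
# genuine CRL — confirm at the call site.
#
# @param crl_payload [Object] raw CRL data, parsed by the private crl helper
# @return [Boolean] true when some revoked entry carries usercert's serial
def revoked?(crl_payload)
  user_serial = usercert.serial
  crl(crl_payload).revoked.any? { |entry| entry.serial == user_serial }
end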

#usercert ⇒ Object



# File 'lib/grid-proxy/proxy.rb', line 24

# User (end-entity) certificate (element 2 of the payload), parsed on
# first use and memoised for later calls.
#
# @return [Object] whatever cert_for_element(2) yields — presumably an
#   OpenSSL::X509::Certificate, given the calls made on it in #verify!
def usercert
  @usercert || (@usercert = cert_for_element(2))
end

#username ⇒ Object



# File 'lib/grid-proxy/proxy.rb', line 75

# Grid user name taken from the user certificate subject: the value of
# the first CN component whose value starts with the configured prefix.
#
# @return [String, nil] the matching CN value, or nil when none matches
def username
  # X509::Name#to_a yields [attribute, value, type] triples
  components = usercert.subject.to_a
  match = components.find do |attribute, value|
    attribute == 'CN' && value.start_with?(@username_prefix)
  end
  match && match[1]
end

#valid?(ca_cert_payload, crl_payload = nil) ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/grid-proxy/proxy.rb', line 53

# Boolean form of #verify!: true when every check passes, false when
# verification raises GP::ProxyValidationError. Any other exception from
# #verify! is not caught and propagates to the caller.
#
# @param ca_cert_payload [Object] raw CA certificate, passed to #verify!
# @param crl_payload [Object, nil] raw CRL, passed to #verify!
# @return [Boolean]
def valid?(ca_cert_payload, crl_payload = nil)
  verify!(ca_cert_payload, crl_payload)
  true
rescue GP::ProxyValidationError
  false
end

#verify!(ca_cert_payload, crl_payload = nil) ⇒ Object



# File 'lib/grid-proxy/proxy.rb', line 28

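# Validate the proxy credential against the CA certificate, raising on
# the first failed check. Checks run in this order: proxy validity period,
# user cert signed by the CA key, proxy signed by the user cert, proxy DN
# derived from the user DN, private key present and matching the proxy
# cert, optional CRL lookup, and finally the user cert's own validity
# period.
#
# NOTE(review): "signed by the CA key" is a single signature check against
# cert(ca_cert_payload).public_key — there is no chain building and no
# check of the CA cert's own validity or constraints; and the DN check only
# requires that the text appended to the issuer contains '/CN=' (RFC 3820
# expects exactly one CN component) — confirm this is acceptable for the
# deployment.
#
# @param ca_cert_payload [Object] raw CA certificate, parsed by the private cert helper
# @param crl_payload [Object, nil] raw CRL; the revocation check is skipped when nil
# @raise [GP::ProxyValidationError] naming the first check that failed
# @return [nil]
def verify!(ca_cert_payload, crl_payload = nil)
  now = Time.now
  raise GP::ProxyValidationError, 'Proxy is not valid yet' if now < proxycert.not_before
  raise GP::ProxyValidationError, 'Proxy expired' if now > proxycert.not_after

  # Signature chain: CA key -> user cert -> proxy cert
  unless ca_cert_payload && usercert.verify(cert(ca_cert_payload).public_key)
    raise GP::ProxyValidationError, 'Usercert not signed with trusted certificate'
  end
  unless proxycert.verify(usercert.public_key)
    raise GP::ProxyValidationError, 'Proxy not signed with user certificate'
  end

  # Proxy DN must be the user DN followed by a CN component
  proxy_issuer = proxycert.issuer.to_s
  proxy_subject = proxycert.subject.to_s
  raise GP::ProxyValidationError, 'Proxy and user cert mismatch' unless proxy_issuer == usercert.subject.to_s
  raise GP::ProxyValidationError, 'Proxy subject must begin with the issuer' unless proxy_subject.start_with?(proxy_issuer)
  appended = proxy_subject[proxy_issuer.size..-1].to_s
  raise GP::ProxyValidationError, "Couldn't find '/CN=' in DN, not a proxy" unless appended.include?('/CN=')

  raise GP::ProxyValidationError, 'Private proxy key missing' unless proxykey
  raise GP::ProxyValidationError, 'Private proxy key and cert mismatch' unless proxycert.check_private_key(proxykey)

  raise GP::ProxyValidationError, 'User cert was revoked' if !crl_payload.nil? && revoked?(crl_payload)

  # Checked last, after the chain checks, as in the original ordering
  if now < usercert.not_before || now > usercert.not_after
    raise GP::ProxyValidationError, 'Proxy signed by outdated certificate'
  end
end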