Context Navigation

authorizer.py

Revision 860c36082f9c6da565718b04179a46f2107241b0, 17.3 KB (checked in by Ted Faber <faber@…>, 3 weeks ago)
Report a correct value for imports. Note that failing to import all credentials is not necessarily a problem.
Property mode set to `100644`

Line
1	#/usr/local/bin/python
2
3	from tempfile import mkstemp
4	from subprocess import call
5	from threading import Lock
6
7	from string import join, hexdigits
8
9	from deter import fedid
10	from remote_service import service_caller
11	from service_error import service_error
12	from util import abac_pem_type, abac_split_cert
13	from proof import proof
14
15
16	import ABAC
17	import Creddy
18	import pickle
19
20	import sys
21	import os, os.path
22	import re
23
24	class authorizer_base:
25	"""
26	Classes based on this one keep track of authorization attributes for the
27	various modules running. This base class holds some utility functions that
28	they all potentially use.
29	"""
30
31	# general error exception for badly formed names.
32	class bad_name(RuntimeError): pass
33	# difficulty creating an attribute
34	class attribute_error(RuntimeError): pass
35
36	@staticmethod
37	def auth_name(name):
38	"""
39	Helper to convert a non-unicode local name to a unicode string. Mixed
40	representations can needlessly confuse the authorizer.
41	"""
42	if isinstance(name, basestring):
43	if not isinstance(name, unicode): return unicode(name)
44	else: return name
45	else: return name
46
47	@staticmethod
48	def valid_name(name):
49	"""
50	Ensure that the given name is valid. A valid name can either be a
51	triple of strings and fedids representing one of our generalized Emulab
52	names or a single fedid. Compound names can include wildcards (None)
53	and must anchor to a fedid at their highest level (unless they're all
54	None)
55
56	This either returns True or throws an exception. More an assertion
57	than a function.
58	"""
59	if isinstance(name, tuple) and len(name) == 3:
60	for n in name:
61	if n:
62	if not (isinstance(n, basestring) or isinstance(n, fedid)):
63	raise authorizer_base.bad_name(
64	"names must be either a triple or a fedid")
65	for n in name:
66	if n:
67	if isinstance(n, fedid):
68	return True
69	else:
70	raise authorizer_base.bad_name(
71	"Compound names must be " + \
72	"rooted in fedids: %s" % str(name))
73
74	return True
75	elif isinstance(name, fedid):
76	return True
77	else:
78	raise authorizer_base.bad_name(
79	"Names must be a triple or a fedid (%s)" % name)
80
81
82	class authorizer(authorizer_base):
83	"""
84	This class keeps track of authorization attributes for the various modules
85	running. When it gets smarter it will be the basis for a real
86	attribute-based authentication system.
87	"""
88	def __init__(self, def_attr="testbed"):
89	self.attrs = { }
90	self.globals=set()
91
92	def set_attribute(self, name, attr):
93	"""
94	Attach attr to name. Multiple attrs can be attached.
95	"""
96	self.valid_name(name)
97	if isinstance(name, tuple):
98	aname = tuple([ self.auth_name(n) for n in name])
99	else:
100	aname = self.auth_name(name)
101
102	if not self.attrs.has_key(aname):
103	self.attrs[aname] = set()
104	self.attrs[aname].add(attr)
105
106	def unset_attribute(self, name, attr):
107	"""
108	Remove an attribute from name
109	"""
110	self.valid_name(name)
111	if isinstance(name, tuple):
112	aname = tuple([ self.auth_name(n) for n in name])
113	else:
114	aname = self.auth_name(name)
115
116	attrs = self.attrs.get(aname, None)
117	if attrs: attrs.discard(attr)
118
119	def check_attribute(self, name, attr, with_proof=False):
120	"""
121	Return True if name has attr (or if attr is global). Tuple names match
122	any tuple name that matches all names present and has None entries in
123	other fileds. For tuple names True implies that there is a matching
124	tuple name with the attribute.
125	"""
126	def tup(tup, i, p):
127	mask = 1 << i
128	if p & mask : return authorizer.auth_name(tup[i])
129	else: return None
130
131	self.valid_name(name)
132	if attr in self.globals:
133	if with_proof: return True, proof("me", name, attr)
134	else: return True
135
136	if isinstance(name, tuple):
137	for p in range(0,8):
138	lookup = ( tup(name, 0, p), tup(name,1, p), tup(name,2,p))
139	if self.attrs.has_key(lookup):
140	if attr in self.attrs[lookup]:
141	if with_proof: return True, proof("me", name, attr)
142	else: return True
143	# Drop through
144	if with_proof: return False, proof("me", name, attr)
145	else: return False
146	else:
147	if with_proof:
148	return attr in self.attrs.get(self.auth_name(name), set()), \
149	proof("me", name, attr)
150	else:
151	return attr in self.attrs.get(self.auth_name(name), set())
152
153	def set_global_attribute(self, attr):
154	"""
155	Set a global attribute. All names, even those otherwise unknown to the
156	authorizer have this attribute.
157	"""
158	self.globals.add(attr)
159
160	def unset_global_attribute(self, attr):
161	"""
162	Remove a global attribute
163	"""
164
165	self.globals.discard(attr)
166
167	def import_credentials(self, file_list=None, data_list=None):
168	return False
169
170	def __str__(self):
171	rv = ""
172	rv += "attrs %s\n" % self.attrs
173	rv += "globals %s" % self.globals
174	return rv
175
176	def clone(self):
177	rv = authorizer()
178	rv.attrs = self.attrs.copy()
179	rv.globals = self.globals.copy()
180	return rv
181
182	def save(self, fn=None):
183	if fn:
184	f = open(fn, "w")
185	pickle.dump(self, f)
186	f.close()
187
188	def load(self, fn=None):
189	if fn:
190	f = open(fn, "r")
191	a = pickle.load(f)
192	f.close()
193	self.attrs = a.attrs
194	self.globals = a.globals
195
196
197	class abac_authorizer(authorizer_base):
198	"""
199	Use the ABAC authorization system to make attribute decisions.
200	"""
201
202	clean_attr_re = re.compile('[^A-Za-z0-9_]+')
203	clean_prefix_attr_re = re.compile('^_+')
204	cred_file_re = re.compile('.*\.der$')
205	bad_name = authorizer_base.bad_name
206	attribute_error = authorizer_base.attribute_error
207	class no_file_error(RuntimeError): pass
208	class bad_cert_error(RuntimeError): pass
209
210	def __init__(self, certs=None, me=None, key=None, load=None, save=None):
211	self.creddy_id = None
212	self.globals = set()
213	self.lock = Lock()
214	self.me = me
215	self.save_dir = load or save
216	self.local_files = False
217	if self.save_dir:
218	self.save_dir = os.path.abspath(self.save_dir)
219	# If the me parameter is a combination certificate, split it into the
220	# abac_authorizer save directory (if any) for use with creddy.
221	if self.me is not None and abac_pem_type(self.me) == 'both':
222	if self.save_dir:
223	keyfile="%s/key.pem" % self.save_dir
224	certfile = "%s/cert.pem" % self.save_dir
225
226	# Clear a spot for the new key and cert files.
227	for fn in (keyfile, certfile):
228	if os.access(fn, os.F_OK):
229	os.unlink(fn)
230
231	self.key, self.me = abac_split_cert(self.me, keyfile, certfile)
232	self.local_files = True
233	self.init_libcreddy_id()
234	else:
235	raise abac_authorizer.bad_cert_error("Combination " + \
236	"certificate and nowhere to split it");
237	else:
238	self.key = key
239	self.context = ABAC.Context()
240	if me:
241	self.fedid = fedid(file=self.me)
242	rv = self.context.load_id_file(self.me)
243	if rv != 0:
244	raise abac_authorizer.bad_name(
245	'Cannot load identity from %s' % me)
246	else:
247	self.fedid = None
248
249	if isinstance(certs, basestring):
250	certs = [ certs ]
251
252	for dir in certs or []:
253	self.context.load_directory(dir)
254
255	if load:
256	self.load(load)
257
258	def init_libcreddy_id(self):
259	self.creddy_id = None
260	try:
261	self.creddy_id = Creddy.ID(self.me)
262	except:
263	raise abac_authorizer.bad_cert_error('Cannot load cert %s' \
264	% self.me)
265
266	try:
267	self.creddy_id.load_privkey(self.key)
268	except:
269	self.creddy_id = None
270	raise abac_authorized_bad_cert_error('Cannot load key %s' \
271	% self.key)
272
273
274
275	# Modify the pickling operations so that the context and lock are not
276	# pickled
277
278	def __getstate__(self):
279	d = self.__dict__.copy()
280	del d['lock']
281	del d['context']
282	del d['creddy_id']
283	return d
284
285	def __setstate__(self, d):
286	# Import everything from the pickle dict (except what we excluded in
287	# __getstate__)
288	self.__dict__.update(d)
289	# Initialize the unpicklables
290	self.context = ABAC.Context()
291	self.lock = Lock()
292
293	@staticmethod
294	def clean_attr(attr):
295	'''
296	Convert anything not in A-Z_ into an _ and make sure that the string
297	begins with a non-_. Convert to s string to keep swig happy.
298	'''
299	a = abac_authorizer.clean_attr_re.sub('_', attr)
300	return str(abac_authorizer.clean_prefix_attr_re.sub('', a))
301
302
303	def import_credentials(self, file_list=None, data_list=None):
304	'''
305	Import a list of credentials. Be careful about dependencies and only
306	use one logic loop. if files are given, append them to the list of
307	chunks and then try to read each chunk as an ID and then the failed
308	ones as attributes.
309	'''
310	if file_list:
311	if data_list is None: data_list = []
312	for fn in file_list:
313	# Try to parse file as a Creddy ID, so we can import PEM files
314	try:
315	cid = Creddy.ID(fn)
316	data_list.append(cid.cert_chunk())
317	continue
318	except:
319	# Not an ID
320	pass
321	try:
322	f = open(fn, 'r')
323	data_list.append(f.read())
324	f.close()
325	except EnvironmentError, e:
326	# Ignore unreadable files
327	pass
328	# Now one way or another data_list is ready
329	if data_list:
330	rv = []
331	attr_list = [ ]
332	for d in data_list:
333	if self.context.load_id_chunk(d) != ABAC.ABAC_CERT_SUCCESS:
334	attr_list.append(d)
335	else:
336	rv.append(True)
337
338	for d in attr_list:
339	v = self.context.load_attribute_chunk(d)
340	rv.append(v == ABAC.ABAC_CERT_SUCCESS)
341	return all(rv)
342	else:
343	return False
344
345	def import_credential(self, file=None, data=None):
346	if data:
347	if self.context.load_id_chunk(data) != ABAC.ABAC_CERT_SUCCESS:
348	return self.context.load_attribute_chunk(data) == \
349	ABAC.ABAC_CERT_SUCCESS
350	else:
351	return True
352	elif file:
353	if self.context.load_id_file(file) != ABAC.ABAC_CERT_SUCCESS:
354	return self.context.load_attribute_file(file) == \
355	ABAC.ABAC_CERT_SUCCESS
356	else:
357	return True
358	else:
359	return False
360
361	def set_attribute(self, name=None, attr=None, cert=None):
362	if name and attr:
363	if isinstance(name, tuple):
364	raise abac_authorizer.bad_name(
365	"ABAC doesn't understand three-names")
366	# Convert non-string attributes to strings
367	if not isinstance(attr, basestring):
368	attr = "%s" % attr
369
370	if self.creddy_id:
371	# Create a credential and insert it into context
372	# This will simplify when we have libcreddy
373	try:
374	attrcert = Creddy.Attribute(self.creddy_id,
375	self.clean_attr(attr), 3600 * 24 * 365 * 10)
376	attrcert.principal("%s" % name)
377	attrcert.bake()
378	except:
379	raise abac_authorizer.bad_cert_error(
380	"Cannot create attribute cert")
381	self.lock.acquire()
382	# load it to context and remove the file
383	rv = self.context.load_attribute_chunk(attrcert.cert_chunk())
384	self.lock.release()
385	return rv
386	else:
387	raise abac_authorizer.attribute_error(
388	"Identity and key not specified on creation")
389	elif cert:
390	# Insert this credential into the context
391	self.lock.acquire()
392	rv = self.context.load_attribute_chunk(cert)
393	self.lock.release()
394	return rv
395	else:
396	raise abac_authorizer.attribute_error(
397	"Neither name/attr nor cert is set")
398
399	def unset_attribute(self, name, attr):
400	if isinstance(name, tuple):
401	raise abac_authorizer.bad_name(
402	"ABAC doesn't understand three-names")
403	# Convert non-string attributes to strings
404	if not isinstance(attr, basestring):
405	attr = "%s" % attr
406	cattr = self.clean_attr(attr)
407	self.lock.acquire()
408	ctxt = ABAC.Context()
409	ids = set()
410	for c in self.context.credentials():
411	h = c.head()
412	t = c.tail()
413	if h.is_role() and t.is_principal():
414	if t.principal() == '%s' % name and \
415	h.principal() == '%s' % self.fedid and \
416	h.role_name() == cattr:
417	continue
418
419	id = c.issuer_cert()
420	if id not in ids:
421	ctxt.load_id_chunk(id)
422	ids.add(id)
423	ctxt.load_attribute_chunk(c.attribute_cert())
424	self.context = ctxt
425	self.lock.release()
426
427	@staticmethod
428	def starts_with_fedid(attr):
429	"""
430	Return true if the first 40 characters of the string are hex digits
431	followed by a dot. False otherwise. Used in check_attribute.
432	"""
433	if attr.find('.') == 40:
434	return all([ x in hexdigits for x in attr[0:40]])
435	else:
436	return False
437
438
439	def check_attribute(self, name, attr, with_proof=False):
440	if isinstance(name, tuple):
441	raise abac_authorizer.bad_name(
442	"ABAC doesn't understand three-names")
443	else:
444	# Convert non-string attributes to strings
445	if not isinstance(attr, basestring):
446	attr = "%s" % attr
447	# Attributes that start with a fedid only have the part of the
448	# attribute after the dot cleaned. Others are completely cleaned
449	# and have the owner fedid attached.
450	if self.starts_with_fedid(attr):
451	r, a = attr.split('.',1)
452	a = "%s.%s" % ( r, self.clean_attr(a))
453	else:
454	a = "%s.%s" % (self.fedid, self.clean_attr(attr))
455
456	a = str(a)
457	n = str("%s" % name)
458
459	self.lock.acquire()
460	# Sigh. Unicode vs swig and swig seems to lose. Make sure
461	# everything we pass into ABAC is a str not a unicode.
462	rv, p = self.context.query(a, n)
463	# XXX delete soon
464	if not rv and attr in self.globals:
465	rv = True
466	p = None
467	self.lock.release()
468	if with_proof: return rv, proof(self.fedid, name, a, p)
469	else: return rv
470
471	def set_global_attribute(self, attr):
472	"""
473	Set a global attribute. All names, even those otherwise unknown to the
474	authorizer have this attribute.
475	"""
476	self.lock.acquire()
477	self.globals.add(self.clean_attr(attr))
478	self.lock.release()
479
480	def unset_global_attribute(self, attr):
481	"""
482	Remove a global attribute
483	"""
484
485	self.lock.acquire()
486	self.globals.discard(self.clean_attr(attr))
487	self.lock.release()
488
489	def clone(self):
490	self.lock.acquire()
491	rv = abac_authorizer(me=self.me, key=self.key)
492	rv.globals = self.globals.copy()
493	rv.context = ABAC.Context(self.context)
494	self.lock.release()
495	return rv
496
497	def copy_file(self, src, dest, mode=0600):
498	'''
499	Copy src to dest with file mode mode. May raise exceptions on file ops
500	'''
501	same_file = False
502	try:
503	ss = os.stat(src)
504	ds = os.stat(dest)
505
506	if ds.st_ino == ss.st_ino: same_file = True
507	except EnvironmentError:
508	pass
509
510	if not same_file:
511	d = open(dest, 'w')
512	s = open(src, 'r')
513	d.write(s.read())
514	s.close()
515	d.close()
516	os.chmod(dest, mode)
517
518
519
520	def save(self, dir=None):
521	self.lock.acquire()
522	if dir:
523	self.save_dir = os.path.abspath(dir)
524	else:
525	dir = self.save_dir
526	if dir is None:
527	self.lock.release()
528	raise abac_authorizer.no_file_error("No load directory specified")
529	try:
530	if not os.access(dir, os.F_OK):
531	os.mkdir(dir)
532
533	# if self.key and self.me were split, copy the split files into the
534	# new directory.
535	if self.local_files:
536	self.copy_file(self.key, '%s/key.pem' % dir)
537	self.copy_file(self.me, '%s/cert.pem' % dir)
538	# Point the key and me members to the new locations for
539	# pickling
540	hold_key = self.key
541	hold_me = self.me
542	self.key = '%s/key.pem' % dir
543	self.me = '%s/cert.pem' % dir
544
545	f = open("%s/state" % dir, "w")
546	pickle.dump(self, f)
547	f.close()
548
549	if self.local_files:
550	self.key = hold_key
551	self.me = hold_me
552
553	if not os.access("%s/certs" %dir, os.F_OK):
554	os.mkdir("%s/certs" % dir)
555
556	# Clear the certs subdir
557	for fn in [ f for f in os.listdir("%s/certs" % dir) \
558	if abac_authorizer.cred_file_re.match(f)]:
559	os.unlink('%s/certs/%s' % (dir, fn))
560
561	# Save the context
562	ii = 0
563	ai = 0
564	seenid = set()
565	seenattr = set()
566	for c in self.context.credentials():
567	id = c.issuer_cert()
568	attr = c.attribute_cert()
569	# NB: file naming conventions matter here. The trailing_ID and
570	# _attr are required by ABAC.COntext.load_directory()
571	if id and id not in seenid:
572	f = open("%s/certs/ID_%05d_ID.der" % (dir, ii), "w")
573	f.write(id)
574	f.close()
575	ii += 1
576	seenid.add(id)
577	if attr and attr not in seenattr:
578	f = open("%s/certs/attr_%05d_attr.der" % (dir, ai), "w")
579	f.write(attr)
580	f.close()
581	ai += 1
582	seenattr.add(attr)
583	except EnvironmentError, e:
584	self.lock.release()
585	raise e
586	except pickle.PickleError, e:
587	self.lock.release()
588	raise e
589	self.lock.release()
590
591	def load(self, dir=None):
592	self.lock.acquire()
593	if dir:
594	self.save_dir = dir
595	else:
596	dir = self.save_dir
597	if dir is None:
598	self.lock.release()
599	raise abac_authorizer.no_file_error("No load directory specified")
600	try:
601	if os.access("%s/state" % dir, os.R_OK):
602	f = open("%s/state" % dir, "r")
603	st = pickle.load(f)
604	f.close()
605	# Copy the useful attributes from the pickled state
606	for a in ('globals', 'key', 'me', 'cert', 'fedid'):
607	setattr(self, a, getattr(st, a, None))
608
609	# Initialize the new context with the new identity
610	self.context = ABAC.Context()
611	if self.me:
612	self.context.load_id_file(self.me)
613	if self.key:
614	self.init_libcreddy_id()
615	self.context.load_directory("%s/certs" % dir)
616	self.save_dir = dir
617	except EnvironmentError, e:
618	self.lock.release()
619	raise e
620	except pickle.PickleError, e:
621	self.lock.release()
622	raise e
623	self.lock.release()
624
625	@staticmethod
626	def encode_credential(c):
627	return '%s <- %s' % (c.head().string(), c.tail().string())
628
629	def get_creds_for_principal(self, fid):
630	look_for = set(["%s" % fid])
631	found_attrs = set()
632	next_look = set()
633	found = set([])
634
635	self.lock.acquire()
636	while look_for:
637	for c in self.context.credentials():
638	tail = c.tail()
639	# XXX: This needs to be more aggressive for linked stuff
640	if tail.string() in look_for and c not in found:
641	found.add(c)
642	next_look.add(c.head().string())
643
644	look_for = next_look
645	next_look = set()
646	self.lock.release()
647
648	return found
649
650	def __str__(self):
651
652	self.lock.acquire()
653	rv = "%s" % self.fedid
654	add = join([abac_authorizer.encode_credential(c)
655	for c in self.context.credentials()], '\n');
656	if add: rv += "\n%s" % add
657	self.lock.release()
658	return rv
659

Note: See TracBrowser for help on using the browser.

Context Navigation

root/fedd/federation/authorizer.py

Download in other formats: