#!/usr/local/bin/python import os,sys from BaseHTTPServer import BaseHTTPRequestHandler from ZSI import * from M2Crypto import SSL from M2Crypto.m2xmlrpclib import SSL_Transport from M2Crypto.SSL.SSLServer import SSLServer import M2Crypto.httpslib import xmlrpclib import re import string import subprocess import tempfile import copy from fedd_services import * from fedd_util import * from fedd_allocate_project import * from fedd_create_experiment import * import parse_detail from service_error import * class fedd_proj: """ The implementation of access control based on mapping users to projects. Users can be mapped to existing projects or have projects created dynamically. This implements both direct requests and proxies. """ # Attributes that can be parsed from the configuration file bool_attrs = ("dynamic_projects", "project_priority", "create_debug") emulab_attrs = ("boss", "ops", "domain", "fileserver", "eventserver") id_attrs = ("testbed", "cert_file", "cert_pwd", "trusted_certs", "proxy", "proxy_cert_file", "proxy_cert_pwd", "proxy_trusted_certs", "dynamic_projects_url", "dynamic_projects_cert_file", "dynamic_projects_cert_pwd", "dynamic_projects_trusted_certs", "create_experiment_cert_file", "create_experiment_cert_pwd", "create_experiment_trusted_certs", "federation_script_dir", "ssh_pubkey_file") # Used by the SOAP caller soap_namespaces = ('http://www.isi.edu/faber/fedd.wsdl', 'http://www.isi.edu/faber/fedd_internal.wsdl') soap_methods = {\ 'RequestAccess': 'soap_RequestAccess',\ 'Create' : 'soap_Create',\ } xmlrpc_methods = { \ 'RequestAccess': 'xmlrpc_RequestAccess', 'Create': 'xmlrpc_Create', } class access_project: """ A project description used to grant access to this testbed. The description includes a name and a list of node types to which the project will be granted access. """ def __init__(self, name, nt): self.name = name self.node_types = list(nt) def __repr__(self): if len(self.node_types) > 0: return "access_proj('%s', ['%s'])" % \ (self.name, str("','").join(self.node_types)) else: return "access_proj('%s', [])" % self.name # Used to report errors parsing the configuration files, not in providing # service class parse_error(RuntimeError): pass def __init__(self, config=None): """ Initializer. Parses a configuration if one is given. """ # Create instance attributes from the static lists for a in fedd_proj.bool_attrs: setattr(self, a, False) for a in fedd_proj.emulab_attrs + fedd_proj.id_attrs: setattr(self, a, None) # Other attributes self.attrs = {} self.access = {} self.fedid_category = {} self.fedid_default = "user" self.restricted = [] self.create_debug = False # Read the configuration if config != None: self.read_config(config) # Certs are promoted from the generic to the specific, so without a # specific proxy certificate, the main certificates are used for proxy # interactions. If no dynamic project certificates, then proxy certs # are used, and if none of those the main certs. # init proxy certs if self.proxy_cert_file == None: self.proxy_cert_file = self.cert_file self.proxy_cert_pwd = self.cert_pwd if self.proxy_trusted_certs == None: self.proxy_trusted_certs = self.trusted_certs # init dynamic project certs if self.dynamic_projects_cert_file == None: self.dynamic_projects_cert_file = self.proxy_cert_file self.dynamic_projects_cert_pwd = self.proxy_cert_pwd if self.dynamic_projects_trusted_certs == None: self.dynamic_projects_trusted_certs = self.proxy_trusted_certs proj_certs = (self.dynamic_projects_cert_file, self.dynamic_projects_trusted_certs, self.dynamic_projects_cert_pwd) # Initialize create experiment certs if not self.create_experiment_cert_file: self.create_experiment_cert_file = self.proxy_cert_file self.create_experiment_cert_pwd = self.proxy_cert_pwd if self.create_experiment_trusted_certs == None: self.create_experiment_trusted_certs = self.proxy_trusted_certs if self.dynamic_projects_url == None: self.allocate_project = \ fedd_allocate_project_local(self.dynamic_projects, self.dynamic_projects_url, proj_certs) fedd_proj.soap_methods['AllocateProject'] = 'soap_AllocateProject' else: self.allocate_project = \ fedd_allocate_project_remote(self.dynamic_projects, self.dynamic_projects_url, proj_certs) create_kwargs = { } if self.federation_script_dir: create_kwargs['scripts_dir'] = self.federation_script_dir if self.ssh_pubkey_file: create_kwargs['ssh_pubkey_file'] = self.ssh_pubkey_file if self.create_experiment_cert_file: create_kwargs['cert_file'] = self.create_experiment_cert_file if self.create_experiment_cert_pwd: create_kwargs['cert_pwd'] = self.create_experiment_cert_pwd if self.create_experiment_trusted_certs: create_kwargs['trusted_certs'] = \ self.create_experiment_trusted_certs self.create_experiment = fedd_create_experiment_local( tbmap = { 'deter':'https://users.isi.deterlab.net:23235', 'emulab':'https://users.isi.deterlab.net:23236', 'ucb':'https://users.isi.deterlab.net:23237', }, trace_file=sys.stderr, debug=self.create_debug, **create_kwargs ) def dump_state(self): """ Dump the state read from a configuration file. Mostly for debugging. """ for a in fedd_proj.bool_attrs: print "%s: %s" % (a, getattr(self, a )) for a in fedd_proj.emulab_attrs + fedd_proj.id_attrs: print "%s: %s" % (a, getattr(self, a)) for k, v in self.attrs.iteritems(): print "%s %s" % (k, v) print "Access DB:" for k, v in self.access.iteritems(): print "%s %s" % (k, v) print "Trust DB:" for k, v in self.fedid_category.iteritems(): print "%s %s" % (k, v) print "Restricted: %s" % str(',').join(sorted(self.restricted)) def get_users(self, obj): """ Return a list of the IDs of the users in dict """ if obj.has_key('user'): return [ unpack_id(u['userID']) \ for u in obj['user'] if u.has_key('userID') ] else: return None def strip_unicode(self, obj): """Loosly de-unicode an object""" if isinstance(obj, dict): for k in obj.keys(): obj[k] = self.strip_unicode(obj[k]) return obj elif isinstance(obj, basestring): return str(obj) elif getattr(obj, "__iter__", None): return [ self.strip_unicode(x) for x in obj] else: return obj def proxy_xmlrpc_request(self, dt, req): """Send an XMLRPC proxy request. Called if the SOAP RPC fails""" # No retry loop here. Proxy servers must correctly authenticate # themselves without help try: ctx = fedd_ssl_context(self.proxy_cert_file, self.proxy_trusted_certs, password=self.proxy_cert_pwd) except SSL.SSLError: raise service_error(service_error.server_config, "Server certificates misconfigured") # Of all the dumbass things. The XMLRPC library in use here won't # properly encode unicode strings, so we make a copy of req with the # unicode objects converted. We also convert the destination testbed # to a basic string if it isn't one already. if isinstance(dt, str): url = dt else: url = str(dt) r = copy.deepcopy(req) self.strip_unicode(r) transport = SSL_Transport(ctx) port = xmlrpclib.ServerProxy(url, transport=transport) # Reconstruct the full request message try: resp = port.RequestAccess( { "RequestAccessRequestBody": r}) resp, method = xmlrpclib.loads(resp) except xmlrpclib.Fault, f: se = service_error(None, f.faultString, f.faultCode) raise se except xmlrpclib.Error, e: raise service_error(service_error.proxy, "Remote XMLRPC Fault: %s" % e) if resp[0].has_key('RequestAccessResponseBody'): return resp[0]['RequestAccessResponseBody'] else: raise service_error(service_error.proxy, "Bad proxy response") def proxy_request(self, dt, req): """ Send req on to the real destination in dt and return the response Req is just the requestType object. This function re-wraps it. It also rethrows any faults. """ # No retry loop here. Proxy servers must correctly authenticate # themselves without help try: ctx = fedd_ssl_context(self.proxy_cert_file, self.proxy_trusted_certs, password=self.proxy_cert_pwd) except SSL.SSLError: raise service_error(service_error.server_config, "Server certificates misconfigured") loc = feddServiceLocator(); port = loc.getfeddPortType(dt, transport=M2Crypto.httpslib.HTTPSConnection, transdict={ 'ssl_context' : ctx }) # Reconstruct the full request message msg = RequestAccessRequestMessage() msg.set_element_RequestAccessRequestBody( pack_soap(msg, "RequestAccessRequestBody", req)) try: resp = port.RequestAccess(msg) except ZSI.ParseException, e: raise service_error(service_error.proxy, "Bad format message (XMLRPC??): %s" % str(e)) r = unpack_soap(resp) if r.has_key('RequestAccessResponseBody'): return r['RequestAccessResponseBody'] else: raise service_error(service_error.proxy, "Bad proxy response") def permute_wildcards(self, a, p): """Return a copy of a with various fields wildcarded. The bits of p control the wildcards. A set bit is a wildcard replacement with the lowest bit being user then project then testbed. """ if p & 1: user = [""] else: user = a[2] if p & 2: proj = "" else: proj = a[1] if p & 4: tb = "" else: tb = a[0] return (tb, proj, user) def find_access(self, search): """ Search the access DB for a match on this tuple. Return the matching access tuple and the user that matched. NB, if the initial tuple fails to match we start inserting wildcards in an order determined by self.project_priority. Try the list of users in order (when wildcarded, there's only one user in the list). """ if self.project_priority: perm = (0, 1, 2, 3, 4, 5, 6, 7) else: perm = (0, 2, 1, 3, 4, 6, 5, 7) for p in perm: s = self.permute_wildcards(search, p) # s[2] is None on an anonymous, unwildcarded request if s[2] != None: for u in s[2]: if self.access.has_key((s[0], s[1], u)): return (self.access[(s[0], s[1], u)], u) else: if self.access.has_key(s): return (self.access[s], None) return None, None def lookup_access(self, req, fid): """ Determine the allowed access for this request. Return the access and which fields are dynamic. The fedid is needed to construct the request """ # Search keys tb = None project = None user = None # Return values rp = fedd_proj.access_project(None, ()) ru = None principal_type = self.fedid_category.get(fid, self.fedid_default) if principal_type == "testbed": tb = fid if req.has_key('project'): p = req['project'] if p.has_key('name'): project = unpack_id(p['name']) user = self.get_users(p) else: user = self.get_users(req) # Now filter by prinicpal type if principal_type == "user": if user != None: fedids = [ u for u in user if isinstance(u, type(fid))] if len(fedids) > 1: raise service_error(service_error.req, "User asserting multiple fedids") elif len(fedids) == 1 and fedids[0] != fid: raise service_error(service_error.req, "User asserting different fedid") project = None tb = None elif principal_type == "project": if isinstance(project, type(fid)) and fid != project: raise service_error(service_error.req, "Project asserting different fedid") tb = None # Ready to look up access found, user_match = self.find_access((tb, project, user)) if found == None: raise service_error(service_error.access, "Access denied") # resolve and in found dyn_proj = False dyn_user = False if found[0].name == "": if project != None: rp.name = project else : raise service_error(\ service_error.server_config, "Project matched when no project given") elif found[0].name == "": rp.name = None dyn_proj = True else: rp.name = found[0].name rp.node_types = found[0].node_types; if found[1] == "": if user_match == "": if user != None: ru = user[0] else: raise service_error(\ service_error.server_config, "Matched on anonymous request") else: ru = user_match elif found[1] == "": ru = None dyn_user = True return (rp, ru), (dyn_user, dyn_proj) def build_response(self, alloc_id, ap): """ Create the SOAP response. Build the dictionary description of the response and use fedd_utils.pack_soap to create the soap message. NB that alloc_id is a fedd_services_types.IDType_Holder pulled from the incoming message. ap is the allocate project message returned from a remote project allocation (even if that allocation was done locally). """ # Because alloc_id is already a fedd_services_types.IDType_Holder, # there's no need to repack it msg = { 'allocID': alloc_id, 'emulab': { 'domain': self.domain, 'boss': self.boss, 'ops': self.ops, 'fileServer': self.fileserver, 'eventServer': self.eventserver, 'project': ap['project'] }, } if len(self.attrs) > 0: msg['emulab']['fedAttr'] = \ [ { 'attribute': x, 'value' : y } \ for x,y in self.attrs.iteritems()] return msg def RequestAccess(self, req, fid): if req.has_key('RequestAccessRequestBody'): req = req['RequestAccessRequestBody'] else: raise service_error(service_error.req, "No request!?") if req.has_key('destinationTestbed'): dt = unpack_id(req['destinationTestbed']) if dt == None or dt == self.testbed: # Request for this fedd found, dyn = self.lookup_access(req, fid) restricted = None ap = None # Check for access to restricted nodes if req.has_key('resources') and req['resources'].has_key('node'): resources = req['resources'] restricted = [ t for n in resources['node'] \ if n.has_key('hardware') \ for t in n['hardware'] \ if t in self.restricted ] inaccessible = [ t for t in restricted \ if t not in found[0].node_types] if len(inaccessible) > 0: raise service_error(service_error.access, "Access denied (nodetypes %s)" % \ str(', ').join(inaccessible)) ssh = [ x['sshPubkey'] \ for x in req['access'] if x.has_key('sshPubkey')] if len(ssh) > 0: if dyn[1]: # Compose the dynamic project request # (only dynamic, dynamic currently allowed) preq = { 'AllocateProjectRequestBody': \ { 'project' : {\ 'user': [ \ { 'access': [ { 'sshPubkey': s } ] } \ for s in ssh ] \ }\ }\ } if restricted != None and len(restricted) > 0: preq['AllocateProjectRequestBody']['resources'] = \ [ {'node': { 'hardware' : [ h ] } } \ for h in restricted ] ap = self.allocate_project.dynamic_project(preq) else: # XXX ssh key additions ap = { 'project': \ { 'name' : { 'username' : found[0].name },\ 'user' : [ {\ 'userID': { 'username' : found[1] }, \ 'access': [ { 'sshPubkey': s } for s in ssh]}\ ]\ }\ } else: raise service_error(service_error.req, "SSH access parameters required") resp = self.build_response(req['allocID'], ap) return resp else: p_fault = None # Any SOAP failure (sent unless XMLRPC works) try: # Proxy the request using SOAP return self.proxy_request(dt, req) except service_error, e: if e.code == service_error.proxy: p_fault = None else: raise except ZSI.FaultException, f: p_fault = f.fault.detail[0] # If we could not get a valid SOAP response to the request above, # try the same address using XMLRPC and let any faults flow back # out. if p_fault == None: return self.proxy_xmlrpc_request(dt, req) else: # Build the fault body = p_fault.get_element_FeddFaultBody() if body != None: raise service_error(body.get_element_code(), body.get_element_desc()); else: raise service_error(\ service_error.proxy, "Undefined fault from proxy??"); def soap_AllocateProject(self, ps, fid): req = ps.Parse(AllocateProjectRequestMessage.typecode) msg = self.allocate_project.dynamic_project(unpack_soap(req), fedid) resp = AllocateProjectResponseMessage() resp.set_element_AllocateProjectResponseBody( pack_soap(resp, "AllocateProjectResponseBody", msg)) return resp def soap_RequestAccess(self, ps, fid): req = ps.Parse(RequestAccessRequestMessage.typecode) msg = self.RequestAccess(unpack_soap(req), fedid) resp = RequestAccessResponseMessage() resp.set_element_RequestAccessResponseBody( pack_soap(resp, "RequestAccessResponseBody", msg)) return resp def soap_Create(self, ps, fid): req = ps.Parse(CreateRequestMessage.typecode) msg = self.create_experiment.create_experiment(unpack_soap(req), fedid) resp = CreateResponseMessage() resp.set_element_CreateResponseBody( pack_soap(resp, "CreateResponseBody", msg)) return resp def xmlrpc_RequestAccess(self, params, fid): msg = self.RequestAccess(params[0], fedid) if msg != None: return xmlrpclib.dumps(({ "RequestAccessResponseBody": msg },)) else: raise service_error(service_error.internal, "No response generated?!"); def xmlrpc_RequestAccess(self, params, fid): msg = self.create_experiment.create_experiment(params[0], fedid) if msg != None: return xmlrpclib.dumps(({ "CreateResponseBody": msg },)) else: raise service_error(service_error.internal, "No response generated?!"); def read_trust(self, trust): """ Read a trust file that splits fedids into testbeds, users or projects Format is: [type] fedid fedid default: type """ lineno = 0; cat = None cat_re = re.compile("\[(user|testbed|project)\]$", re.IGNORECASE) fedid_re = re.compile("[" + string.hexdigits + "]+$") default_re = re.compile("default:\s*(user|testbed|project)$", re.IGNORECASE) f = open(trust, "r") for line in f: lineno += 1 line = line.strip() if len(line) == 0 or line.startswith("#"): continue # Category line m = cat_re.match(line) if m != None: cat = m.group(1).lower() continue # Fedid line m = fedid_re.match(line) if m != None: if cat != None: self.fedid_category[fedid(hexstr=m.string)] = cat else: raise fedd_proj.parse_error(\ "Bad fedid in trust file (%s) line: %d" % \ (trust, lineno)) continue # default line m = default_re.match(line) if m != None: self.fedid_default = m.group(1).lower() continue # Nothing matched - bad line, raise exception f.close() raise fedd_proj.parse_error(\ "Unparsable line in trustfile %s line %d" % (trust, lineno)) f.close() def read_config(self, config): """ Read a configuration file and set internal parameters. The format is more complex than one might hope. The basic format is attribute value pairs separated by colons(:) on a signle line. The attributes in bool_attrs, emulab_attrs and id_attrs can all be set directly using the name: value syntax. E.g. boss: hostname sets self.boss to hostname. In addition, there are access lines of the form (tb, proj, user) -> (aproj, auser) that map the first tuple of names to the second for access purposes. Names in the key (left side) can include " or " to act as wildcards or to require the fields to be empty. Similarly aproj or auser can be or indicating that either the matching key is to be used or a dynamic user or project will be created. These names can also be federated IDs (fedid's) if prefixed with fedid:. Finally, the aproj can be followed with a colon-separated list of node types to which that project has access (or will have access if dynamic). Testbed attributes outside the forms above can be given using the format attribute: name value: value. The name is a single word and the value continues to the end of the line. Empty lines and lines startin with a # are ignored. Parsing errors result in a parse_error exception being raised. """ lineno=0 name_expr = "["+string.ascii_letters + string.digits + "\.\-_]+" fedid_expr = "fedid:[" + string.hexdigits + "]+" key_name = "(||"+fedid_expr + "|"+ name_expr + ")" access_proj = "((?::" + name_expr +")*|"+ \ "" + "(?::" + name_expr + ")*|" + \ fedid_expr + "(?::" + name_expr + ")*|" + \ name_expr + "(?::" + name_expr + ")*)" access_name = "(||" + fedid_expr + "|"+ name_expr + ")" bool_re = re.compile('(' + '|'.join(fedd_proj.bool_attrs) + '):\s+(true|false)', re.IGNORECASE) string_re = re.compile( "(" + \ '|'.join(fedd_proj.emulab_attrs + fedd_proj.id_attrs) + \ '):\s*(.*)', re.IGNORECASE) attr_re = re.compile('attribute:\s*([\._\-a-z0-9]+)\s+value:\s*(.*)', re.IGNORECASE) access_re = re.compile('\('+key_name+'\s*,\s*'+key_name+'\s*,\s*'+ key_name+'\s*\)\s*->\s*\('+access_proj + '\s*,\s*' + access_name + '\s*\)', re.IGNORECASE) trustfile_re = re.compile("trustfile:\s*(.*)", re.IGNORECASE) restricted_re = re.compile("restricted:\s*(.*)", re.IGNORECASE) def parse_name(n): if n.startswith('fedid:'): return fedid(n[len('fedid:'):]) else: return n f = open(config, "r"); for line in f: lineno += 1 line = line.strip(); if len(line) == 0 or line.startswith('#'): continue # Boolean attribute line m = bool_re.match(line); if m != None: attr, val = m.group(1,2) setattr(self, attr.lower(), bool(val.lower() == "true")) continue # String attribute line m = string_re.match(line) if m != None: attr, val = m.group(1,2) setattr(self, attr.lower(), val) continue # Extended (attribute: x value: y) attribute line m = attr_re.match(line) if m != None: attr, val = m.group(1,2) self.attrs[attr] = val continue # Access line (t, p, u) -> (ap, au) line m = access_re.match(line) if m != None: access_key = tuple([ parse_name(x) for x in m.group(1,2,3)]) aps = m.group(4).split(":"); if aps[0] == 'fedid:': del aps[0] aps[0] = fedid(hexstr=aps[0]) au = m.group(5) if au.startswith("fedid:"): au = fedid(hexstr=aus[len("fedid:"):]) access_val = (fedd_proj.access_project(aps[0], aps[1:]), au) self.access[access_key] = access_val continue # Trustfile inclusion m = trustfile_re.match(line) if m != None: self.read_trust(m.group(1)) continue # Restricted node types m = restricted_re.match(line) if m != None: self.restricted.append(m.group(1)) continue # Nothing matched to here: unknown line - raise exception f.close() raise fedd_proj.parse_error("Unknown statement at line %d of %s" % \ (lineno, config)) f.close() def soap_dispatch(self, method, req, fid): if fedd_proj.soap_methods.has_key(method): try: return getattr(self, fedd_proj.soap_methods[method])(req, fid) except service_error, e: de = ns0.faultType_Def( (ns0.faultType_Def.schema, "FeddFaultBody")).pyclass() de._code=e.code de._errstr=e.code_string() de._desc=e.desc if e.is_server_error(): raise Fault(Fault.Server, e.code_string(), detail=de) else: raise Fault(Fault.Client, e.code_string(), detail=de) else: raise Fault(Fault.Client, "Unknown method: %s" % method) def xmlrpc_dispatch(self, method, req, fid): if fedd_proj.xmlrpc_methods.has_key(method): try: return getattr(self, fedd_proj.xmlrpc_methods[method])(req, fid) except service_error, e: raise xmlrpclib.Fault(e.code_string(), e.desc) else: raise xmlrpclib.Fault(100, "Unknown method: %s" % method) def new_feddservice(configfile): return fedd_proj(configfile)