Context Navigation

source: fedd/fedd_to_abac.py @ cedf721

axis_examplecompt_changesinfo-ops

Last change on this file since cedf721 was 2e46f35, checked in by mikeryan <mikeryan@…>, 14 years ago
switch to /usr/bin/env python to run python
Property mode set to `100755`
File size: 6.0 KB

Rev	Line
[2e46f35]	1	#!/usr/bin/env python
[87c0fc1]	2
	3	import sys
	4	import re
	5
	6	import os
	7	import os.path
	8	import subprocess
[e65150a]	9	from tempfile import mkdtemp
[87c0fc1]	10
	11	from string import join
	12
[e65150a]	13	from federation.authorizer import abac_authorizer
[62f3dd9]	14	from federation.util import abac_pem_type, abac_split_cert, file_expanding_opts
[c573278]	15
[62f3dd9]	16	class Parser(file_expanding_opts):
[87c0fc1]	17	def __init__(self):
[62f3dd9]	18	file_expanding_opts.__init__(self)
[87c0fc1]	19	self.add_option('--cert', dest='cert', default=None,
[62f3dd9]	20	action='callback', callback=self.expand_file, type='str',
[87c0fc1]	21	help='my fedid as an X.509 certificate')
	22	self.add_option('--key', dest='key', default=None,
[62f3dd9]	23	action='callback', callback=self.expand_file, type='str',
[87c0fc1]	24	help='key for the certificate')
	25	self.add_option('--dir', dest='dir', default=None,
[62f3dd9]	26	action='callback', callback=self.expand_file, type='str',
[87c0fc1]	27	help='Output directory for credentials')
[f938d66]	28	self.add_option('--make_dir', action='store_true', dest='make_dir',
[87c0fc1]	29	default=False, help='Create the --dir directory')
	30	self.add_option('--debug', action='store_true', dest='debug',
	31	default=False, help='Just print the creddy commands')
[e65150a]	32	self.add_option('--policy_only', action='store_const', const=False,
	33	dest='make_authorizer', default=True,
	34	help='Only create the directory of certs, " + \
	35	"do not create an authorizer')
	36	self.add_option('--update', action='store_const', const=True,
	37	dest='update_authorizer', default=False,
	38	help='Add the generated policy to an existing authorizer')
[87c0fc1]	39
	40	class identity:
	41	def __init__(self, name, roles=None):
	42	self.name = name
	43	if roles: self.roles = set(roles)
	44
	45	def add_roles(self, roles):
	46	self.roles \|= set(roles)
	47
	48	def __str__(self):
	49	return "%s: %s" % (self.name, join(self.roles, ', '))
	50
[e65150a]	51	def clear_dir(dir):
	52	for path, dirs, files in os.walk(dir, topdown=False):
	53	for f in files: os.unlink(os.path.join(path, f))
	54	for d in dirs: os.rmdir(os.path.join(path, d))
	55
	56	def parse_configs(files):
	57	"""
	58	Step through each file pulling the roles out of the database lines, if any,
	59	and creating (or appending to) identity objects, one identity in a dict for
	60	each fedid. Return that dict. May raise an exception when file
	61	difficulties occur.
	62	"""
	63	comment_re = re.compile('^\s*#\|^$')
	64	fedid_str = 'fedid:([0-9a-fA-F]{40})'
	65	id_str = '[a-zA-Z][\w_-]*'
	66	single_re = re.compile('\s%s\s->\s*(%s)' % (fedid_str, id_str))
	67	double_re = re.compile('\s%s\s->\s\((%s)\s,\s*(%s)\)' % \
	68	(fedid_str, id_str, id_str))
	69	bad_role = re.compile('[^a-zA-Z0-9_]+')
	70
	71	roles = { }
	72
	73	for fn in files:
	74	f = open(fn, "r")
	75	for l in f:
	76	id = None
	77	for r in (comment_re, single_re, double_re):
	78	m = r.match(l)
	79	if m:
	80	# NB, the comment_re has no groups
	81	if m.groups():
	82	g = m.groups()
	83	id = g[0]
	84	r = [ bad_role.sub('_', x) for x in g[1:] ]
	85	break
	86	else:
	87	print 'Unmatched line: %s' % l
	88
	89	if id:
	90	# New and create are implicit. >sigh<
	91	r.extend(('new', 'create'))
	92	if id in roles: roles[id].add_roles(r)
	93	else: roles[id] = identity(r[0], r)
	94
	95	return roles
	96
	97	def make_credentials(roles, cert, key, creds_dir, debug):
	98	"""
	99	From the dict of identities, indexed by fedid, call creddy to create the
	100	ABAC certificates. Return a list of the created files. If debug is true,
	101	just print the creddy commands.
	102	"""
	103	credfiles = []
	104	for k, id in roles.items():
	105	for i, r in enumerate(id.roles):
	106	cf = '%s/%s%03d_attr.der' % \
	107	(creds_dir or 'new_cert_dir', id.name, i)
	108	cmd = ['creddy', '--attribute',
	109	'--issuer=%s' % (cert or 'cert_file'),
	110	'--key=%s' % (key or 'key_file'), '--role=%s' % r,
	111	'--subject-id=%s' % k, '--out=%s' % cf ]
	112	if debug:
	113	print join(cmd)
	114	else:
	115	rv = subprocess.call(cmd)
	116	if rv != 0:
	117	raise RuntimeError('%s failed: %d' % (join(cmd), rv))
	118	else:
	119	credfiles.append(cf)
	120	return credfiles
[87c0fc1]	121
	122	parser = Parser()
	123	opts, args = parser.parse_args()
[c573278]	124	cert, key = None, None
	125	delete_certs = False
[87c0fc1]	126
[e65150a]	127	if not opts.make_authorizer and opts.update_authorizer:
	128	sys.exit('--policy_only and --update are in conflict. Pick one.')
[87c0fc1]	129
[c573278]	130	if opts.key:
	131	if os.access(opts.key, os.R_OK): key = opts.key
	132	else: sys.exit('Cannot read %s (key file)' % opts.key)
[87c0fc1]	133
[e65150a]	134	if opts.make_authorizer:
	135	creds_dir = mkdtemp()
	136	delete_creds = True
	137	else:
	138	creds_dir = opts.dir
	139	delete_creds = False
	140
[c573278]	141	if opts.cert:
	142	if os.access(opts.cert, os.R_OK):
	143	if not key:
	144	if abac_pem_type(opts.cert) == 'both':
	145	key, cert = abac_split_cert(opts.cert)
	146	delete_certs = True
	147	else:
	148	cert = opts.cert
	149	else:
	150	sys.exit('Cannot read %s (certificate file)' % opts.cert)
[87c0fc1]	151
[c573278]	152	if any([ x is None for x in (cert, opts.dir, key)]):
	153	print >>sys.stderr, "Need output dir, certificate and key to make creds"
	154	print >>sys.stderr, "Reverting to debug mode"
	155	debug = True
	156	else:
	157	debug = opts.debug
[87c0fc1]	158
[dcffcc6]	159	if opts.dir:
	160	if opts.make_dir:
	161	if not os.path.isdir(opts.dir) and not debug:
	162	try:
	163	os.mkdir(opts.dir, 0755)
	164	except EnvironmentError, e:
	165	sys.exit('Could not make %s: %s' % (opts.dir, e))
	166	else:
	167	if not os.path.isdir(opts.dir):
	168	sys.exit('%s is not a directory' % opts.dir)
	169	elif not os.access(opts.dir, os.W_OK):
	170	sys.exit('%s is not writable' % opts.dir)
	171
	172
[c573278]	173	try:
[e65150a]	174	roles = parse_configs(args)
[c573278]	175	if not roles:
	176	print >>sys.stderr, "No roles found. Did you specify a configuration?"
	177
[e65150a]	178	try:
	179	credfiles = make_credentials(roles, cert, key, creds_dir, debug)
	180
	181	if opts.make_authorizer:
[c573278]	182	if debug:
[e65150a]	183	print >>sys.stderr, 'Debug mode, no authorizer created'
	184	elif opts.update_authorizer:
	185	operation = 'updat'
	186	a = abac_authorizer(load=opts.dir)
	187	a.import_credentials(file_list=credfiles)
	188	a.save()
[87c0fc1]	189	else:
[e65150a]	190	operation = 'creat'
	191	a = abac_authorizer(key=opts.key, me=opts.cert,
	192	certs=creds_dir, save=opts.dir)
	193	a.save()
	194	except EnvironmentError, e:
	195	sys.exit("Can't create or write %s: %s" % (e.filename,
	196	e.strerror))
	197	except abac_authorizer.bad_cert_error, e:
	198	sys.exit("Error %sing authorizer: %s" % (op, e))
	199	except RuntimeError, e:
	200	sys.exit('%s' % e)
	201
[c573278]	202	finally:
	203	if delete_certs:
	204	if cert: os.unlink(cert)
	205	if key: os.unlink(key)
[e65150a]	206	if delete_creds:
	207	clear_dir(creds_dir)
	208	os.rmdir(creds_dir)

Note: See TracBrowser for help on using the repository browser.

Download in other formats: