1 | #!/usr/local/bin/python |
---|
2 | |
---|
3 | import os, sys |
---|
4 | import subprocess |
---|
5 | import tempfile |
---|
6 | import logging |
---|
7 | |
---|
8 | from M2Crypto import SSL, X509, EVP |
---|
9 | from pyasn1.codec.der import decoder |
---|
10 | |
---|
11 | from xmlrpclib import Binary |
---|
12 | |
---|
13 | |
---|
14 | # The version of M2Crypto on users is pretty old and doesn't have all the |
---|
15 | # features that are useful. The legacy code is somewhat more brittle than the |
---|
16 | # main line, but will work. |
---|
17 | if "as_der" not in dir(EVP.PKey): |
---|
18 | from asn1_raw import get_key_bits_from_file, get_key_bits_from_cert |
---|
19 | legacy = True |
---|
20 | else: |
---|
21 | legacy = False |
---|
22 | |
---|
23 | class fedd_ssl_context(SSL.Context): |
---|
24 | """ |
---|
25 | Simple wrapper around an M2Crypto.SSL.Context to initialize it for fedd. |
---|
26 | """ |
---|
27 | def __init__(self, my_cert, trusted_certs=None, password=None): |
---|
28 | """ |
---|
29 | construct a fedd_ssl_context |
---|
30 | |
---|
31 | @param my_cert: PEM file with my certificate in it |
---|
32 | @param trusted_certs: PEM file with trusted certs in it (optional) |
---|
33 | """ |
---|
34 | SSL.Context.__init__(self) |
---|
35 | |
---|
36 | # load_cert takes a callback to get a password, not a password, so if |
---|
37 | # the caller provided a password, this creates a nonce callback using a |
---|
38 | # lambda form. |
---|
39 | if password != None and not callable(password): |
---|
40 | # This is cute. password = lambda *args: password produces a |
---|
41 | # function object that returns itself rather than one that returns |
---|
42 | # the object itself. This is because password is an object |
---|
43 | # reference and after the assignment it's a lambda. So we assign |
---|
44 | # to a temp. |
---|
45 | pwd = password |
---|
46 | password =lambda *args: pwd |
---|
47 | |
---|
48 | if password != None: |
---|
49 | self.load_cert(my_cert, callback=password) |
---|
50 | else: |
---|
51 | self.load_cert(my_cert) |
---|
52 | if trusted_certs != None: self.load_verify_locations(trusted_certs) |
---|
53 | self.set_verify(SSL.verify_peer, 10) |
---|
54 | |
---|
55 | class fedid: |
---|
56 | """ |
---|
57 | Wrapper around the federated ID from an X509 certificate. |
---|
58 | """ |
---|
59 | HASHSIZE=20 |
---|
60 | def __init__(self, bits=None, hexstr=None, cert=None, file=None): |
---|
61 | if bits != None: |
---|
62 | self.set_bits(bits) |
---|
63 | elif hexstr != None: |
---|
64 | self.set_hexstr(hexstr) |
---|
65 | elif cert != None: |
---|
66 | self.set_cert(cert) |
---|
67 | elif file != None: |
---|
68 | self.set_file(file) |
---|
69 | else: |
---|
70 | self.buf = None |
---|
71 | |
---|
72 | def __hash__(self): |
---|
73 | return hash(self.buf) |
---|
74 | |
---|
75 | def __eq__(self, other): |
---|
76 | if isinstance(other, type(self)): |
---|
77 | return self.buf == other.buf |
---|
78 | elif isinstance(other, type(str())): |
---|
79 | return self.buf == other; |
---|
80 | else: |
---|
81 | return False |
---|
82 | |
---|
83 | def __ne__(self, other): return not self.__eq__(other) |
---|
84 | |
---|
85 | def __str__(self): |
---|
86 | if self.buf != None: |
---|
87 | return str().join([ "%02x" % ord(x) for x in self.buf]) |
---|
88 | else: return "" |
---|
89 | |
---|
90 | def __repr__(self): |
---|
91 | return "fedid(hexstr='%s')" % self.__str__() |
---|
92 | |
---|
93 | def pack_soap(self): |
---|
94 | return self.buf |
---|
95 | |
---|
96 | def pack_xmlrpc(self): |
---|
97 | return self.buf |
---|
98 | |
---|
99 | def digest_bits(self, bits): |
---|
100 | """Internal function. Compute the fedid from bits and store in buf""" |
---|
101 | d = EVP.MessageDigest('sha1') |
---|
102 | d.update(bits) |
---|
103 | self.buf = d.final() |
---|
104 | |
---|
105 | |
---|
106 | def set_hexstr(self, hexstr): |
---|
107 | h = hexstr.replace(':','') |
---|
108 | self.buf= str().join([chr(int(h[i:i+2],16)) \ |
---|
109 | for i in range(0,2*fedid.HASHSIZE,2)]) |
---|
110 | |
---|
111 | def get_hexstr(self): |
---|
112 | """Return the hexstring representation of the fedid""" |
---|
113 | return __str__(self) |
---|
114 | |
---|
115 | def set_bits(self, bits): |
---|
116 | """Set the fedid to bits(a 160 bit buffer)""" |
---|
117 | self.buf = bits |
---|
118 | |
---|
119 | def get_bits(self): |
---|
120 | """Get the 160 bit buffer from the fedid""" |
---|
121 | return self.buf |
---|
122 | |
---|
123 | def set_file(self, file): |
---|
124 | """Get the fedid from a certificate file |
---|
125 | |
---|
126 | Calculate the SHA1 hash over the bit string of the public key as |
---|
127 | defined in RFC3280. |
---|
128 | """ |
---|
129 | self.buf = None |
---|
130 | if legacy: self.digest_bits(get_key_bits_from_file(file)) |
---|
131 | else: self.set_cert(X509.load_cert(file)) |
---|
132 | |
---|
133 | def set_cert(self, cert): |
---|
134 | """Get the fedid from a certificate. |
---|
135 | |
---|
136 | Calculate the SHA1 hash over the bit string of the public key as |
---|
137 | defined in RFC3280. |
---|
138 | """ |
---|
139 | |
---|
140 | self.buf = None |
---|
141 | if (cert != None): |
---|
142 | if legacy: |
---|
143 | self.digest_bits(get_key_bits_from_cert(cert)) |
---|
144 | else: |
---|
145 | b = [] |
---|
146 | k = cert.get_pubkey() |
---|
147 | |
---|
148 | # Getting the key was easy, but getting the bit string of the |
---|
149 | # key requires a side trip through ASN.1 |
---|
150 | dec = decoder.decode(k.as_der()) |
---|
151 | |
---|
152 | # kv is a tuple of the bits in the key. The loop below |
---|
153 | # recombines these into bytes and then into a buffer for the |
---|
154 | # SSL digest function. |
---|
155 | kv = dec[0].getComponentByPosition(1) |
---|
156 | for i in range(0, len(kv), 8): |
---|
157 | v = 0 |
---|
158 | for j in range(0, 8): |
---|
159 | v = (v << 1) + kv[i+j] |
---|
160 | b.append(v) |
---|
161 | # The comprehension turns b from a list of bytes into a buffer |
---|
162 | # (string) of bytes |
---|
163 | self.digest_bits(str().join([chr(x) for x in b])) |
---|
164 | |
---|
165 | def pack_id(id): |
---|
166 | """ |
---|
167 | Return a dictionary with the field name set by the id type. Handy for |
---|
168 | creating dictionaries to be converted to messages. |
---|
169 | """ |
---|
170 | if isinstance(id, type(fedid())): return { 'fedid': id } |
---|
171 | elif id.startswith("http:") or id.startswith("https:"): return { 'uri': id } |
---|
172 | else: return { 'localname': id} |
---|
173 | |
---|
174 | def unpack_id(id): |
---|
175 | """return id as a type determined by the key""" |
---|
176 | if id.has_key("fedid"): return fedid(id["fedid"]) |
---|
177 | else: |
---|
178 | for k in ("localname", "uri", "kerberosUsername"): |
---|
179 | if id.has_key(k): return id[k] |
---|
180 | return None |
---|
181 | |
---|
182 | def pack_soap(container, name, contents): |
---|
183 | """ |
---|
184 | Convert the dictionary in contents into a tree of ZSI classes. |
---|
185 | |
---|
186 | The holder classes are constructed from factories in container and assigned |
---|
187 | to either the element or attribute name. This is used to recursively |
---|
188 | create the SOAP message. |
---|
189 | """ |
---|
190 | if getattr(contents, "__iter__", None) != None: |
---|
191 | attr =getattr(container, "new_%s" % name, None) |
---|
192 | if attr: obj = attr() |
---|
193 | else: |
---|
194 | raise TypeError("%s does not have a new_%s attribute" % \ |
---|
195 | (container, name)) |
---|
196 | for e, v in contents.iteritems(): |
---|
197 | assign = getattr(obj, "set_element_%s" % e, None) or \ |
---|
198 | getattr(obj, "set_attribute_%s" % e, None) |
---|
199 | if isinstance(v, type(dict())): |
---|
200 | assign(pack_soap(obj, e, v)) |
---|
201 | elif getattr(v, "__iter__", None) != None: |
---|
202 | assign([ pack_soap(obj, e, val ) for val in v]) |
---|
203 | elif getattr(v, "pack_soap", None) != None: |
---|
204 | assign(v.pack_soap()) |
---|
205 | else: |
---|
206 | assign(v) |
---|
207 | return obj |
---|
208 | else: return contents |
---|
209 | |
---|
210 | def unpack_soap(element): |
---|
211 | """ |
---|
212 | Convert a tree of ZSI SOAP classes intro a hash. The inverse of pack_soap |
---|
213 | |
---|
214 | Elements or elements that are empty are ignored. |
---|
215 | """ |
---|
216 | methods = [ m for m in dir(element) \ |
---|
217 | if m.startswith("get_element") or m.startswith("get_attribute")] |
---|
218 | if len(methods) > 0: |
---|
219 | rv = { } |
---|
220 | for m in methods: |
---|
221 | if m.startswith("get_element_"): n = m.replace("get_element_","",1) |
---|
222 | else: n = m.replace("get_attribute_", "", 1) |
---|
223 | sub = getattr(element, m)() |
---|
224 | if sub != None: |
---|
225 | if isinstance(sub, basestring): |
---|
226 | rv[n] = sub |
---|
227 | elif getattr(sub, "__iter__", None) != None: |
---|
228 | if len(sub) > 0: rv[n] = [unpack_soap(e) for e in sub] |
---|
229 | else: |
---|
230 | rv[n] = unpack_soap(sub) |
---|
231 | return rv |
---|
232 | else: |
---|
233 | return element |
---|
234 | def apply_to_tags(e, map): |
---|
235 | """ |
---|
236 | Map is an iterable of ordered pairs (tuples) that map a key to a function. |
---|
237 | This function walks the given message and replaces any object with a key in |
---|
238 | the map with the result of applying that function to the object. |
---|
239 | """ |
---|
240 | dict_type = type(dict()) |
---|
241 | list_type = type(list()) |
---|
242 | str_type = type(str()) |
---|
243 | |
---|
244 | if isinstance(e, dict_type): |
---|
245 | for k in e.keys(): |
---|
246 | for tag, fcn in map: |
---|
247 | if k == tag: |
---|
248 | if isinstance(e[k], list_type): |
---|
249 | e[k] = [ fcn(b) for b in e[k]] |
---|
250 | else: |
---|
251 | e[k] = fcn(e[k]) |
---|
252 | elif isinstance(e[k], dict_type): |
---|
253 | apply_to_tags(e[k], map) |
---|
254 | elif isinstance(e[k], list_type): |
---|
255 | for ee in e[k]: |
---|
256 | apply_to_tags(ee, map) |
---|
257 | # Other types end the recursion - they should be leaves |
---|
258 | return e |
---|
259 | |
---|
260 | # These are all just specializations of apply_to_tags |
---|
261 | def fedids_to_obj(e, tags=('fedid',)): |
---|
262 | """ |
---|
263 | Turn the fedids in a message that are encoded as bitstrings into fedid |
---|
264 | objects. |
---|
265 | """ |
---|
266 | map = [ (t, lambda x: fedid(bits=x)) for t in tags] |
---|
267 | return apply_to_tags(e, map) |
---|
268 | |
---|
269 | def encapsulate_binaries(e, tags): |
---|
270 | """Walk through a message and encapsulate any dictionary entries in |
---|
271 | tags into a binary object.""" |
---|
272 | |
---|
273 | def to_binary(o): |
---|
274 | pack = getattr(o, 'pack_xmlrpc', None) |
---|
275 | if callable(pack): return Binary(pack()) |
---|
276 | else: return Binary(o) |
---|
277 | |
---|
278 | map = [ (t, to_binary) for t in tags] |
---|
279 | return apply_to_tags(e, map) |
---|
280 | |
---|
281 | def decapsulate_binaries(e, tags): |
---|
282 | """Walk through a message and encapsulate any dictionary entries in |
---|
283 | tags into a binary object.""" |
---|
284 | |
---|
285 | map = [ (t, lambda x: x.data) for t in tags] |
---|
286 | return apply_to_tags(e, map) |
---|
287 | #end of tag specializations |
---|
288 | |
---|
289 | def strip_unicode(obj): |
---|
290 | """Walk through a message and convert all strings to non-unicode strings""" |
---|
291 | if isinstance(obj, dict): |
---|
292 | for k in obj.keys(): |
---|
293 | obj[k] = strip_unicode(obj[k]) |
---|
294 | return obj |
---|
295 | elif isinstance(obj, basestring): |
---|
296 | return str(obj) |
---|
297 | elif getattr(obj, "__iter__", None): |
---|
298 | return [ strip_unicode(x) for x in obj] |
---|
299 | else: |
---|
300 | return obj |
---|
301 | |
---|
302 | def make_unicode(obj): |
---|
303 | """Walk through a message and convert all strings to unicode""" |
---|
304 | if isinstance(obj, dict): |
---|
305 | for k in obj.keys(): |
---|
306 | obj[k] = make_unicode(obj[k]) |
---|
307 | return obj |
---|
308 | elif isinstance(obj, basestring): |
---|
309 | return unicode(obj) |
---|
310 | elif getattr(obj, "__iter__", None): |
---|
311 | return [ make_unicode(x) for x in obj] |
---|
312 | else: |
---|
313 | return obj |
---|
314 | |
---|
315 | |
---|
316 | def generate_fedid(subj, bits=2048, log=None, dir=None, trace=sys.stderr): |
---|
317 | """ |
---|
318 | Create a new certificate and derive a fedid from it. |
---|
319 | |
---|
320 | The fedid and the certificate are returned as a tuple. |
---|
321 | """ |
---|
322 | |
---|
323 | keypath = None |
---|
324 | certpath = None |
---|
325 | try: |
---|
326 | try: |
---|
327 | kd, keypath = tempfile.mkstemp(dir=dir, prefix="key", |
---|
328 | suffix=".pem") |
---|
329 | cd, certpath = tempfile.mkstemp(dir=dir, prefix="cert", |
---|
330 | suffix=".pem") |
---|
331 | |
---|
332 | cmd = ["/usr/bin/openssl", "req", "-text", "-newkey", |
---|
333 | "rsa:%d" % bits, "-keyout", keypath, "-nodes", |
---|
334 | "-subj", "/CN=%s" % subj, "-x509", "-days", "30", |
---|
335 | "-out", certpath] |
---|
336 | |
---|
337 | if log: |
---|
338 | log.debug("[generate_fedid] %s" % " ".join(cmd)) |
---|
339 | |
---|
340 | if trace: call_out = trace |
---|
341 | else: |
---|
342 | call_out = open("/dev/null", "w") |
---|
343 | |
---|
344 | rv = subprocess.call(cmd, stdout=call_out, stderr=call_out) |
---|
345 | log.debug("rv = %d" % rv) |
---|
346 | if rv == 0: |
---|
347 | cert = "" |
---|
348 | for p in (certpath, keypath): |
---|
349 | f = open(p) |
---|
350 | for line in f: |
---|
351 | cert += line |
---|
352 | |
---|
353 | fid = fedid(file=certpath) |
---|
354 | return (fid, cert) |
---|
355 | else: |
---|
356 | return (None, None) |
---|
357 | except IOError, e: |
---|
358 | raise e |
---|
359 | finally: |
---|
360 | if keypath: os.remove(keypath) |
---|
361 | if certpath: os.remove(certpath) |
---|
362 | |
---|
363 | |
---|
364 | def make_soap_handler(typecode, method, constructor, body_name): |
---|
365 | """ |
---|
366 | Generate the handler code to unpack and pack SOAP requests and responses |
---|
367 | and call the given method. |
---|
368 | |
---|
369 | The code to decapsulate and encapsulate parameters encoded in SOAP is the |
---|
370 | same modulo a few parameters. This is basically a stub compiler for |
---|
371 | calling a fedd service trhough a soap interface. The parameters are the |
---|
372 | typecode of the request parameters, the method to call (usually a bound |
---|
373 | instance of a method on a fedd service providing class), the constructor of |
---|
374 | a response packet and the name of the body element of that packet. The |
---|
375 | handler takes a ParsedSoap object (the request) and returns an instance of |
---|
376 | the class created by constructor containing the response. Failures of the |
---|
377 | constructor or badly created constructors will result in None being |
---|
378 | returned. |
---|
379 | """ |
---|
380 | def handler(ps, fid): |
---|
381 | req = ps.Parse(typecode) |
---|
382 | |
---|
383 | msg = method(fedids_to_obj(unpack_soap(req)), fid) |
---|
384 | |
---|
385 | resp = constructor() |
---|
386 | set_element = getattr(resp, "set_element_%s" % body_name, None) |
---|
387 | if set_element and callable(set_element): |
---|
388 | try: |
---|
389 | set_element(pack_soap(resp, body_name, msg)) |
---|
390 | return resp |
---|
391 | except (NameError, TypeError): |
---|
392 | return None |
---|
393 | else: |
---|
394 | return None |
---|
395 | |
---|
396 | return handler |
---|
397 | |
---|
398 | def make_xmlrpc_handler(method, body_name): |
---|
399 | """ |
---|
400 | Generate the handler code to unpack and pack SOAP requests and responses |
---|
401 | and call the given method. |
---|
402 | |
---|
403 | The code to marshall and unmarshall XMLRPC parameters to and from a fedd |
---|
404 | service is largely the same. This helper creates such a handler. The |
---|
405 | parameters are the method name, and the name of the body struct that |
---|
406 | contains the response. A handler is created that takes the params response |
---|
407 | from an xmlrpclib.loads on the incoming rpc and a fedid and responds with |
---|
408 | a hash representing the struct ro be returned to the other side. On error |
---|
409 | None is returned. Fedid fields are decapsulated from binary and converted |
---|
410 | to fedid objects on input and encapsulated as Binaries on output. |
---|
411 | """ |
---|
412 | def handler(params, fid): |
---|
413 | decap_fedids = (('fedid', lambda x: fedid(bits=x.data)),) |
---|
414 | |
---|
415 | #p = decapsulate_binaries(params[0], input_binaries) |
---|
416 | p = apply_to_tags(params[0], decap_fedids) |
---|
417 | msg = method(p, fid) |
---|
418 | |
---|
419 | if msg != None: |
---|
420 | return encapsulate_binaries({ body_name: msg }, ('fedid',)) |
---|
421 | else: |
---|
422 | return None |
---|
423 | |
---|
424 | return handler |
---|
425 | |
---|
426 | |
---|
427 | def set_log_level(config, sect, log): |
---|
428 | """ Set the logging level to the value passed in sect of config.""" |
---|
429 | # The getattr sleight of hand finds the logging level constant |
---|
430 | # corrersponding to the string. We're a little paranoid to avoid user |
---|
431 | # mayhem. |
---|
432 | if config.has_option(sect, "log_level"): |
---|
433 | level_str = config.get(sect, "log_level") |
---|
434 | try: |
---|
435 | level = int(getattr(logging, level_str.upper(), -1)) |
---|
436 | |
---|
437 | if logging.DEBUG <= level <= logging.CRITICAL: |
---|
438 | log.setLevel(level) |
---|
439 | else: |
---|
440 | log.error("Bad experiment_log value: %s" % level_str) |
---|
441 | |
---|
442 | except ValueError: |
---|
443 | log.error("Bad experiment_log value: %s" % level_str) |
---|
444 | |
---|