Context Navigation

source: fedd/fedd_util.py @ c922f23

axis_examplecompt_changesinfo-opsversion-1.30version-2.00version-3.01version-3.02

Last change on this file since c922f23 was c922f23, checked in by Ted Faber <faber@…>, 15 years ago
Start the move to unified service calling routines
Property mode set to `100644`
File size: 16.1 KB

Line
1	#!/usr/local/bin/python
2
3	import os, sys
4	import subprocess
5	import tempfile
6	import logging
7	import copy
8
9	from M2Crypto import SSL, X509, EVP
10	from M2Crypto.m2xmlrpclib import SSL_Transport
11	import M2Crypto.httpslib
12	from pyasn1.codec.der import decoder
13
14	from fedd_services import *
15	from fedd_internal_services import *
16	from service_error import *
17	from xmlrpclib import ServerProxy, dumps, loads, Fault, Error, Binary
18
19
20	# The version of M2Crypto on users is pretty old and doesn't have all the
21	# features that are useful. The legacy code is somewhat more brittle than the
22	# main line, but will work.
23	if "as_der" not in dir(EVP.PKey):
24	from asn1_raw import get_key_bits_from_file, get_key_bits_from_cert
25	legacy = True
26	else:
27	legacy = False
28
29	class fedd_ssl_context(SSL.Context):
30	"""
31	Simple wrapper around an M2Crypto.SSL.Context to initialize it for fedd.
32	"""
33	def __init__(self, my_cert, trusted_certs=None, password=None):
34	"""
35	construct a fedd_ssl_context
36
37	@param my_cert: PEM file with my certificate in it
38	@param trusted_certs: PEM file with trusted certs in it (optional)
39	"""
40	SSL.Context.__init__(self)
41
42	# load_cert takes a callback to get a password, not a password, so if
43	# the caller provided a password, this creates a nonce callback using a
44	# lambda form.
45	if password != None and not callable(password):
46	# This is cute. password = lambda *args: password produces a
47	# function object that returns itself rather than one that returns
48	# the object itself. This is because password is an object
49	# reference and after the assignment it's a lambda. So we assign
50	# to a temp.
51	pwd = password
52	password =lambda *args: pwd
53
54	if password != None:
55	self.load_cert(my_cert, callback=password)
56	else:
57	self.load_cert(my_cert)
58	if trusted_certs != None: self.load_verify_locations(trusted_certs)
59	self.set_verify(SSL.verify_peer, 10)
60
61	class fedid:
62	"""
63	Wrapper around the federated ID from an X509 certificate.
64	"""
65	HASHSIZE=20
66	def __init__(self, bits=None, hexstr=None, cert=None, file=None):
67	if bits != None:
68	self.set_bits(bits)
69	elif hexstr != None:
70	self.set_hexstr(hexstr)
71	elif cert != None:
72	self.set_cert(cert)
73	elif file != None:
74	self.set_file(file)
75	else:
76	self.buf = None
77
78	def __hash__(self):
79	return hash(self.buf)
80
81	def __eq__(self, other):
82	if isinstance(other, type(self)):
83	return self.buf == other.buf
84	elif isinstance(other, type(str())):
85	return self.buf == other;
86	else:
87	return False
88
89	def __ne__(self, other): return not self.__eq__(other)
90
91	def __str__(self):
92	if self.buf != None:
93	return str().join([ "%02x" % ord(x) for x in self.buf])
94	else: return ""
95
96	def __repr__(self):
97	return "fedid(hexstr='%s')" % self.__str__()
98
99	def pack_soap(self):
100	return self.buf
101
102	def pack_xmlrpc(self):
103	return self.buf
104
105	def digest_bits(self, bits):
106	"""Internal function. Compute the fedid from bits and store in buf"""
107	d = EVP.MessageDigest('sha1')
108	d.update(bits)
109	self.buf = d.final()
110
111
112	def set_hexstr(self, hexstr):
113	h = hexstr.replace(':','')
114	self.buf= str().join([chr(int(h[i:i+2],16)) \
115	for i in range(0,2*fedid.HASHSIZE,2)])
116
117	def get_hexstr(self):
118	"""Return the hexstring representation of the fedid"""
119	return __str__(self)
120
121	def set_bits(self, bits):
122	"""Set the fedid to bits(a 160 bit buffer)"""
123	self.buf = bits
124
125	def get_bits(self):
126	"""Get the 160 bit buffer from the fedid"""
127	return self.buf
128
129	def set_file(self, file):
130	"""Get the fedid from a certificate file
131
132	Calculate the SHA1 hash over the bit string of the public key as
133	defined in RFC3280.
134	"""
135	self.buf = None
136	if legacy: self.digest_bits(get_key_bits_from_file(file))
137	else: self.set_cert(X509.load_cert(file))
138
139	def set_cert(self, cert):
140	"""Get the fedid from a certificate.
141
142	Calculate the SHA1 hash over the bit string of the public key as
143	defined in RFC3280.
144	"""
145
146	self.buf = None
147	if (cert != None):
148	if legacy:
149	self.digest_bits(get_key_bits_from_cert(cert))
150	else:
151	b = []
152	k = cert.get_pubkey()
153
154	# Getting the key was easy, but getting the bit string of the
155	# key requires a side trip through ASN.1
156	dec = decoder.decode(k.as_der())
157
158	# kv is a tuple of the bits in the key. The loop below
159	# recombines these into bytes and then into a buffer for the
160	# SSL digest function.
161	kv = dec[0].getComponentByPosition(1)
162	for i in range(0, len(kv), 8):
163	v = 0
164	for j in range(0, 8):
165	v = (v << 1) + kv[i+j]
166	b.append(v)
167	# The comprehension turns b from a list of bytes into a buffer
168	# (string) of bytes
169	self.digest_bits(str().join([chr(x) for x in b]))
170
171	def pack_id(id):
172	"""
173	Return a dictionary with the field name set by the id type. Handy for
174	creating dictionaries to be converted to messages.
175	"""
176	if isinstance(id, type(fedid())): return { 'fedid': id }
177	elif id.startswith("http:") or id.startswith("https:"): return { 'uri': id }
178	else: return { 'localname': id}
179
180	def unpack_id(id):
181	"""return id as a type determined by the key"""
182	if id.has_key("fedid"): return fedid(id["fedid"])
183	else:
184	for k in ("localname", "uri", "kerberosUsername"):
185	if id.has_key(k): return id[k]
186	return None
187
188	def pack_soap(container, name, contents):
189	"""
190	Convert the dictionary in contents into a tree of ZSI classes.
191
192	The holder classes are constructed from factories in container and assigned
193	to either the element or attribute name. This is used to recursively
194	create the SOAP message.
195	"""
196	if getattr(contents, "__iter__", None) != None:
197	attr =getattr(container, "new_%s" % name, None)
198	if attr: obj = attr()
199	else:
200	raise TypeError("%s does not have a new_%s attribute" % \
201	(container, name))
202	for e, v in contents.iteritems():
203	assign = getattr(obj, "set_element_%s" % e, None) or \
204	getattr(obj, "set_attribute_%s" % e, None)
205	if isinstance(v, type(dict())):
206	assign(pack_soap(obj, e, v))
207	elif getattr(v, "__iter__", None) != None:
208	assign([ pack_soap(obj, e, val ) for val in v])
209	elif getattr(v, "pack_soap", None) != None:
210	assign(v.pack_soap())
211	else:
212	assign(v)
213	return obj
214	else: return contents
215
216	def unpack_soap(element):
217	"""
218	Convert a tree of ZSI SOAP classes intro a hash. The inverse of pack_soap
219
220	Elements or elements that are empty are ignored.
221	"""
222	methods = [ m for m in dir(element) \
223	if m.startswith("get_element") or m.startswith("get_attribute")]
224	if len(methods) > 0:
225	rv = { }
226	for m in methods:
227	if m.startswith("get_element_"): n = m.replace("get_element_","",1)
228	else: n = m.replace("get_attribute_", "", 1)
229	sub = getattr(element, m)()
230	if sub != None:
231	if isinstance(sub, basestring):
232	rv[n] = sub
233	elif getattr(sub, "__iter__", None) != None:
234	if len(sub) > 0: rv[n] = [unpack_soap(e) for e in sub]
235	else:
236	rv[n] = unpack_soap(sub)
237	return rv
238	else:
239	return element
240	def apply_to_tags(e, map):
241	"""
242	Map is an iterable of ordered pairs (tuples) that map a key to a function.
243	This function walks the given message and replaces any object with a key in
244	the map with the result of applying that function to the object.
245	"""
246	dict_type = type(dict())
247	list_type = type(list())
248	str_type = type(str())
249
250	if isinstance(e, dict_type):
251	for k in e.keys():
252	for tag, fcn in map:
253	if k == tag:
254	if isinstance(e[k], list_type):
255	e[k] = [ fcn(b) for b in e[k]]
256	else:
257	e[k] = fcn(e[k])
258	elif isinstance(e[k], dict_type):
259	apply_to_tags(e[k], map)
260	elif isinstance(e[k], list_type):
261	for ee in e[k]:
262	apply_to_tags(ee, map)
263	# Other types end the recursion - they should be leaves
264	return e
265
266	# These are all just specializations of apply_to_tags
267	def fedids_to_obj(e, tags=('fedid',)):
268	"""
269	Turn the fedids in a message that are encoded as bitstrings into fedid
270	objects.
271	"""
272	map = [ (t, lambda x: fedid(bits=x)) for t in tags]
273	return apply_to_tags(e, map)
274
275	def encapsulate_binaries(e, tags):
276	"""Walk through a message and encapsulate any dictionary entries in
277	tags into a binary object."""
278
279	def to_binary(o):
280	pack = getattr(o, 'pack_xmlrpc', None)
281	if callable(pack): return Binary(pack())
282	else: return Binary(o)
283
284	map = [ (t, to_binary) for t in tags]
285	return apply_to_tags(e, map)
286
287	def decapsulate_binaries(e, tags):
288	"""Walk through a message and encapsulate any dictionary entries in
289	tags into a binary object."""
290
291	map = [ (t, lambda x: x.data) for t in tags]
292	return apply_to_tags(e, map)
293	#end of tag specializations
294
295	def strip_unicode(obj):
296	"""Walk through a message and convert all strings to non-unicode strings"""
297	if isinstance(obj, dict):
298	for k in obj.keys():
299	obj[k] = strip_unicode(obj[k])
300	return obj
301	elif isinstance(obj, basestring):
302	return str(obj)
303	elif getattr(obj, "__iter__", None):
304	return [ strip_unicode(x) for x in obj]
305	else:
306	return obj
307
308	def make_unicode(obj):
309	"""Walk through a message and convert all strings to unicode"""
310	if isinstance(obj, dict):
311	for k in obj.keys():
312	obj[k] = make_unicode(obj[k])
313	return obj
314	elif isinstance(obj, basestring):
315	return unicode(obj)
316	elif getattr(obj, "__iter__", None):
317	return [ make_unicode(x) for x in obj]
318	else:
319	return obj
320
321
322	def generate_fedid(subj, bits=2048, log=None, dir=None, trace=sys.stderr):
323	"""
324	Create a new certificate and derive a fedid from it.
325
326	The fedid and the certificate are returned as a tuple.
327	"""
328
329	keypath = None
330	certpath = None
331	try:
332	try:
333	kd, keypath = tempfile.mkstemp(dir=dir, prefix="key",
334	suffix=".pem")
335	cd, certpath = tempfile.mkstemp(dir=dir, prefix="cert",
336	suffix=".pem")
337
338	cmd = ["/usr/bin/openssl", "req", "-text", "-newkey",
339	"rsa:%d" % bits, "-keyout", keypath, "-nodes",
340	"-subj", "/CN=%s" % subj, "-x509", "-days", "30",
341	"-out", certpath]
342
343	if log:
344	log.debug("[generate_fedid] %s" % " ".join(cmd))
345
346	if trace: call_out = trace
347	else:
348	call_out = open("/dev/null", "w")
349
350	rv = subprocess.call(cmd, stdout=call_out, stderr=call_out)
351	log.debug("rv = %d" % rv)
352	if rv == 0:
353	cert = ""
354	for p in (certpath, keypath):
355	f = open(p)
356	for line in f:
357	cert += line
358
359	fid = fedid(file=certpath)
360	return (fid, cert)
361	else:
362	return (None, None)
363	except IOError, e:
364	raise e
365	finally:
366	if keypath: os.remove(keypath)
367	if certpath: os.remove(certpath)
368
369
370	def make_soap_handler(typecode, method, constructor, body_name):
371	"""
372	Generate the handler code to unpack and pack SOAP requests and responses
373	and call the given method.
374
375	The code to decapsulate and encapsulate parameters encoded in SOAP is the
376	same modulo a few parameters. This is basically a stub compiler for
377	calling a fedd service trhough a soap interface. The parameters are the
378	typecode of the request parameters, the method to call (usually a bound
379	instance of a method on a fedd service providing class), the constructor of
380	a response packet and the name of the body element of that packet. The
381	handler takes a ParsedSoap object (the request) and returns an instance of
382	the class created by constructor containing the response. Failures of the
383	constructor or badly created constructors will result in None being
384	returned.
385	"""
386	def handler(ps, fid):
387	req = ps.Parse(typecode)
388
389	msg = method(fedids_to_obj(unpack_soap(req)), fid)
390
391	resp = constructor()
392	set_element = getattr(resp, "set_element_%s" % body_name, None)
393	if set_element and callable(set_element):
394	try:
395	set_element(pack_soap(resp, body_name, msg))
396	return resp
397	except (NameError, TypeError):
398	return None
399	else:
400	return None
401
402	return handler
403
404	def make_xmlrpc_handler(method, body_name):
405	"""
406	Generate the handler code to unpack and pack SOAP requests and responses
407	and call the given method.
408
409	The code to marshall and unmarshall XMLRPC parameters to and from a fedd
410	service is largely the same. This helper creates such a handler. The
411	parameters are the method name, and the name of the body struct that
412	contains the response. A handler is created that takes the params response
413	from an xmlrpclib.loads on the incoming rpc and a fedid and responds with
414	a hash representing the struct ro be returned to the other side. On error
415	None is returned. Fedid fields are decapsulated from binary and converted
416	to fedid objects on input and encapsulated as Binaries on output.
417	"""
418	def handler(params, fid):
419	decap_fedids = (('fedid', lambda x: fedid(bits=x.data)),)
420
421	p = apply_to_tags(params[0], decap_fedids)
422	msg = method(p, fid)
423
424	if msg != None:
425	return make_unicode(encapsulate_binaries({ body_name: msg }, ('fedid',)))
426	else:
427	return None
428
429	return handler
430
431	def make_service_callers(service_name, port_name, request_message,
432	request_body_name):
433
434	def call_xmlrpc_service(self, url, req, cert_file=None, cert_pwd=None,
435	trusted_certs=None):
436	"""Send an XMLRPC request. """
437	decap_fedids = (('fedid', lambda x: fedid(bits=x.data)),)
438
439	# No retry loop here. Proxy servers must correctly authenticate
440	# themselves without help
441	try:
442	ctx = fedd_ssl_context(cert_file, trusted_certs, password=cert_pwd)
443	except SSL.SSLError:
444	raise service_error(service_error.server_config,
445	"Server certificates misconfigured")
446
447	# Of all the dumbass things. The XMLRPC library in use here won't
448	# properly encode unicode strings, so we make a copy of req with the
449	# unicode objects converted. We also convert the url to a basic string
450	# if it isn't one already.
451	r = strip_unicode(copy.deepcopy(req))
452	url = str(url)
453
454	transport = SSL_Transport(ctx)
455	port = ServerProxy(url, transport=transport)
456	try:
457	remote_method = getattr(port, service_name, None)
458	resp = remote_method(encapsulate_binaries({ request_body_name: r},
459	('fedid',)))
460	except Fault, f:
461	raise service_error(None, f.faultString, f.faultCode)
462	except Error, e:
463	raise service_error(service_error.proxy,
464	"Remote XMLRPC Fault: %s" % e)
465
466	return apply_to_tags(resp, decap_fedids)
467
468	def call_soap_service(self, url, req, loc_const, cert_file=None, cert_pwd=None,
469	trusted_certs=None):
470	"""
471	Send req on to the real destination in dt and return the response
472
473	Req is just the requestType object. This function re-wraps it. It
474	also rethrows any faults.
475	"""
476	# No retry loop here. Proxy servers must correctly authenticate
477	# themselves without help
478	try:
479	ctx = fedd_ssl_context(cert_file, trusted_certs, password=cert_pwd)
480	except SSL.SSLError:
481	raise service_error(service_error.server_config,
482	"Server certificates misconfigured")
483
484	loc = loc_const()
485	get_port = getattr(loc, port_name, None)
486	if not get_port:
487	raise service_error(service_error.internal,
488	"Cannot get port %s from locator" % port_name)
489	port = get_port(url,
490	transport=M2Crypto.httpslib.HTTPSConnection,
491	transdict={ 'ssl_context' : ctx })
492	remote_method = getattr(port, service_name, None)
493	if not remote_method:
494	raise service_error(service_error.internal,
495	"Cannot get service from SOAP port")
496
497	# Reconstruct the full request message
498	msg = request_message()
499	set_element = getattr(msg, "set_element_%s" % request_body_name, None)
500	if not set_element:
501	raise service_error(service_error.internal,
502	"Cannot get element setting method for %s" % \
503	request_body_name)
504	set_element(pack_soap(msg, request_body_name, req))
505	try:
506	resp = remote_method(msg)
507	except ZSI.ParseException, e:
508	raise service_error(service_error.proxy,
509	"Bad format message (XMLRPC??): %s" %
510	str(e))
511	r = unpack_soap(resp)
512	return r
513
514	return (call_soap_service, call_xmlrpc_service)
515
516	def set_log_level(config, sect, log):
517	""" Set the logging level to the value passed in sect of config."""
518	# The getattr sleight of hand finds the logging level constant
519	# corrersponding to the string. We're a little paranoid to avoid user
520	# mayhem.
521	if config.has_option(sect, "log_level"):
522	level_str = config.get(sect, "log_level")
523	try:
524	level = int(getattr(logging, level_str.upper(), -1))
525
526	if logging.DEBUG <= level <= logging.CRITICAL:
527	log.setLevel(level)
528	else:
529	log.error("Bad experiment_log value: %s" % level_str)
530
531	except ValueError:
532	log.error("Bad experiment_log value: %s" % level_str)
533

Note: See TracBrowser for help on using the repository browser.

Download in other formats: