Context Navigation

source: fedd/federation/authorizer.py @ 4692a16

axis_examplecompt_changesinfo-ops

Last change on this file since 4692a16 was 822d31b, checked in by Ted Faber <faber@…>, 14 years ago
fix legacy mode
Property mode set to `100644`
File size: 13.9 KB

Rev	Line
[3f6bc5f]	1	#/usr/local/bin/python
	2
[3bf0b3c]	3	from string import join
[5c0d244]	4	from tempfile import mkstemp
	5	from subprocess import call
[3bf0b3c]	6	from threading import Lock
	7
[547aa3b]	8	from string import join
	9
[3f6bc5f]	10	from fedid import fedid
[a31b94d]	11	from remote_service import service_caller
	12	from service_error import service_error
[353db8c]	13	from util import abac_pem_type, abac_split_cert
[3f6bc5f]	14
[3bf0b3c]	15
[5c0d244]	16	import ABAC
	17	import pickle
	18
[a31b94d]	19	import sys
[c573278]	20	import os, os.path
[3bf0b3c]	21	import re
[a31b94d]	22
	23	class authorizer_base:
[3f6bc5f]	24	"""
[a31b94d]	25	Classes based on this one keep track of authorization attributes for the
	26	various modules running. This base class holds some utility functions that
	27	they all potentially use.
[3f6bc5f]	28	"""
[a31b94d]	29
[3f6bc5f]	30	# general error exception for badly formed names.
	31	class bad_name(RuntimeError): pass
[5c0d244]	32	# difficulty creating an attribute
	33	class attribute_error(RuntimeError): pass
[3f6bc5f]	34
	35	@staticmethod
	36	def auth_name(name):
	37	"""
	38	Helper to convert a non-unicode local name to a unicode string. Mixed
	39	representations can needlessly confuse the authorizer.
	40	"""
	41	if isinstance(name, basestring):
	42	if not isinstance(name, unicode): return unicode(name)
	43	else: return name
	44	else: return name
	45
[a31b94d]	46	@staticmethod
	47	def valid_name(name):
[3f6bc5f]	48	"""
	49	Ensure that the given name is valid. A valid name can either be a
	50	triple of strings and fedids representing one of our generalized Emulab
	51	names or a single fedid. Compound names can include wildcards (None)
	52	and must anchor to a fedid at their highest level (unless they're all
	53	None)
	54
	55	This either returns True or throws an exception. More an assertion
	56	than a function.
	57	"""
	58	if isinstance(name, tuple) and len(name) == 3:
	59	for n in name:
	60	if n:
	61	if not (isinstance(n, basestring) or isinstance(n, fedid)):
[a31b94d]	62	raise authorizer_base.bad_name(
	63	"names must be either a triple or a fedid")
[3f6bc5f]	64	for n in name:
	65	if n:
	66	if isinstance(n, fedid):
	67	return True
	68	else:
[a31b94d]	69	raise authorizer_base.bad_name(
	70	"Compound names must be " + \
[3f6bc5f]	71	"rooted in fedids: %s" % str(name))
	72
	73	return True
	74	elif isinstance(name, fedid):
	75	return True
	76	else:
[a31b94d]	77	raise authorizer_base.bad_name(
	78	"Names must be a triple or a fedid (%s)" % name)
	79
	80
	81	class authorizer(authorizer_base):
	82	"""
	83	This class keeps track of authorization attributes for the various modules
	84	running. When it gets smarter it will be the basis for a real
	85	attribute-based authentication system.
	86	"""
	87	def __init__(self, def_attr="testbed"):
	88	self.attrs = { }
	89	self.globals=set()
[3f6bc5f]	90
	91	def set_attribute(self, name, attr):
	92	"""
	93	Attach attr to name. Multiple attrs can be attached.
	94	"""
	95	self.valid_name(name)
	96	if isinstance(name, tuple):
	97	aname = tuple([ self.auth_name(n) for n in name])
	98	else:
	99	aname = self.auth_name(name)
	100
	101	if not self.attrs.has_key(aname):
	102	self.attrs[aname] = set()
	103	self.attrs[aname].add(attr)
	104
	105	def unset_attribute(self, name, attr):
	106	"""
	107	Remove an attribute from name
	108	"""
	109	self.valid_name(name)
	110	if isinstance(name, tuple):
	111	aname = tuple([ self.auth_name(n) for n in name])
	112	else:
	113	aname = self.auth_name(name)
	114
	115	attrs = self.attrs.get(aname, None)
	116	if attrs: attrs.discard(attr)
	117
	118	def check_attribute(self, name, attr):
	119	"""
[05191a6]	120	Return True if name has attr (or if attr is global). Tuple names match
	121	any tuple name that matches all names present and has None entries in
	122	other fileds. For tuple names True implies that there is a matching
	123	tuple name with the attribute.
[3f6bc5f]	124	"""
	125	def tup(tup, i, p):
	126	mask = 1 << i
	127	if p & mask : return authorizer.auth_name(tup[i])
	128	else: return None
	129
	130	self.valid_name(name)
[05191a6]	131	if attr in self.globals:
	132	return True
[3f6bc5f]	133
	134	if isinstance(name, tuple):
	135	for p in range(0,8):
	136	lookup = ( tup(name, 0, p), tup(name,1, p), tup(name,2,p))
	137	if self.attrs.has_key(lookup):
	138	if attr in self.attrs[lookup]:
	139	return True
	140	else:
	141	return attr in self.attrs.get(self.auth_name(name), set())
	142
[05191a6]	143	def set_global_attribute(self, attr):
	144	"""
	145	Set a global attribute. All names, even those otherwise unknown to the
	146	authorizer have this attribute.
	147	"""
	148	self.globals.add(attr)
	149
	150	def unset_global_attribute(self, attr):
	151	"""
	152	Remove a global attribute
	153	"""
	154
	155	self.globals.discard(attr)
[3f6bc5f]	156
[7206e5a]	157	def import_credentials(self, file_list=None, data_list=None):
	158	return False
	159
[358e0b8]	160	def __str__(self):
	161	rv = ""
	162	rv += "attrs %s\n" % self.attrs
	163	rv += "globals %s" % self.globals
	164	return rv
	165
[5c0d244]	166	def clone(self):
	167	rv = authorizer()
	168	rv.attrs = self.attrs.copy()
	169	rv.globals = self.globals.copy()
	170	return rv
	171
[822d31b]	172	def save(self, fn=None):
	173	if fn:
	174	f = open(fn, "w")
	175	pickle.dump(self, f)
	176	f.close()
	177
	178	def load(self, fn=None):
	179	if fn:
	180	f = open(fn, "r")
	181	a = pickle.load(f)
	182	f.close()
	183	self.attrs = a.attrs
	184	self.globals = a.globals
[5c0d244]	185
	186
[a31b94d]	187	class abac_authorizer(authorizer_base):
	188	"""
	189	Use the ABAC authorization system to make attribute decisions.
	190	"""
	191
[7206e5a]	192	clean_attr_re = re.compile('[^A-Za-z0-9_]+')
[27d964d]	193	cred_file_re = re.compile('.*\.der$')
[09b1e9d]	194	bad_name = authorizer_base.bad_name
	195	attribute_error = authorizer_base.attribute_error
[6e63513]	196	class no_file_error(RuntimeError): pass
	197	class bad_cert_error(RuntimeError): pass
[27d964d]	198
[353db8c]	199	def __init__(self, certs=None, me=None, key=None, load=None, save=None):
[5c0d244]	200	self.creddy = '/usr/local/bin/creddy'
[2628e5d]	201	self.globals = set()
	202	self.lock = Lock()
[a31b94d]	203	self.me = me
[353db8c]	204	self.save_dir = load or save
[c573278]	205	if self.save_dir:
	206	self.save_dir = os.path.abspath(self.save_dir)
[353db8c]	207	# If the me parameter is a combination certificate, split it into the
	208	# abac_authorizer save directory (if any) for use with creddy.
[6e63513]	209	if self.me is not None and abac_pem_type(self.me) == 'both':
[353db8c]	210	if self.save_dir:
	211	self.key, self.me = abac_split_cert(self.me,
	212	keyfile="%s/key.pem" % self.save_dir,
	213	certfile = "%s/cert.pem" % self.save_dir)
	214	else:
[6e63513]	215	raise abac_authorizer.bad_cert_error("Combination " + \
	216	"certificate and nowhere to split it");
[353db8c]	217	else:
	218	self.key = key
[5c0d244]	219	self.context = ABAC.Context()
[3bf0b3c]	220	if me:
	221	self.fedid = fedid(file=self.me)
[547aa3b]	222	rv = self.context.load_id_file(self.me)
	223	if rv != 0:
	224	raise abac_authorizer.bad_name(
	225	'Cannot load identity from %s' % me.cert)
[09b1e9d]	226	else:
	227	self.fedid = None
[3bf0b3c]	228
[2628e5d]	229	if isinstance(certs, basestring):
	230	certs = [ certs ]
	231
[5c0d244]	232	for dir in certs or []:
	233	self.context.load_directory(dir)
	234
[7206e5a]	235	if load:
	236	self.load(load)
[2628e5d]	237
[27d964d]	238	@staticmethod
	239	def clean_attr(attr):
	240	return abac_authorizer.clean_attr_re.sub('_', attr)
	241
[7206e5a]	242	def import_credentials(self, file_list=None, data_list=None):
	243	if data_list:
	244	return any([self.import_credential(data=d) for d in data_list])
	245	elif file_list:
	246	return any([self.import_credential(file=f) for f in file_list])
	247	else:
	248	return False
	249
	250	def import_credential(self, file=None, data=None):
	251	if data:
[725c55d]	252	if self.context.load_id_chunk(data) != ABAC.ABAC_CERT_SUCCESS:
	253	return self.context.load_attribute_chunk(data) == \
	254	ABAC.ABAC_CERT_SUCCESS
	255	else:
	256	return True
[7206e5a]	257	elif file:
	258	if self.context.load_id_file(file) != ABAC.ABAC_CERT_SUCCESS:
	259	return self.context.load_attribute_file(file) == \
	260	ABAC.ABAC_CERT_SUCCESS
	261	else:
	262	return True
	263	else:
	264	return False
	265
[5c0d244]	266	def set_attribute(self, name=None, attr=None, cert=None):
	267	if name and attr:
	268	if isinstance(name, tuple):
[09b1e9d]	269	raise abac_authorizer.bad_name(
	270	"ABAC doesn't understand three-names")
[7206e5a]	271	# Convert non-string attributes to strings
	272	if not isinstance(attr, basestring):
	273	attr = "%s" % attr
[5c0d244]	274	if self.me and self.key:
	275	# Create a credential and insert it into context
	276	# This will simplify when we have libcreddy
	277	try:
	278	# create temp file
	279	f, fn = mkstemp()
[3bf0b3c]	280	os.close(f)
[5c0d244]	281	except EnvironmentError, e:
[09b1e9d]	282	raise abac_authorizer.attribute_error(
[5c0d244]	283	"Cannot create temp file: %s" %e)
	284
	285	# Create the attribute certificate with creddy
[3bf0b3c]	286	cmd = [self.creddy, '--attribute', '--issuer=%s' % self.me,
[27d964d]	287	'--key=%s' % self.key, '--role=%s' % self.clean_attr(attr),
[3bf0b3c]	288	'--subject-id=%s' % name, '--out=%s' % fn]
	289	rv = call(cmd)
[5c0d244]	290	if rv == 0:
[3bf0b3c]	291	self.lock.acquire()
[5c0d244]	292	# load it to context and remove the file
[3bf0b3c]	293	rv = self.context.load_attribute_file(fn)
	294	self.lock.release()
[5c0d244]	295	os.unlink(fn)
	296	else:
	297	os.unlink(fn)
[09b1e9d]	298	raise abac_authorizer.attribute_error(
	299	"creddy returned %s" % rv)
[a31b94d]	300	else:
[09b1e9d]	301	raise abac_authorizer.attribute_error(
[5c0d244]	302	"Identity and key not specified on creation")
	303	elif cert:
	304	# Insert this credential into the context
[3bf0b3c]	305	self.lock.acquire()
[5c0d244]	306	self.context.load_attribute_chunk(cert)
[3bf0b3c]	307	self.lock.release()
[a31b94d]	308	else:
[09b1e9d]	309	raise abac_authorizer.attribute_error(
	310	"Neither name/attr nor cert is set")
[a31b94d]	311
[1fc09db]	312	def unset_attribute(self, name, attr):
	313	if isinstance(name, tuple):
[09b1e9d]	314	raise abac_authorizer.bad_name(
	315	"ABAC doesn't understand three-names")
[7206e5a]	316	# Convert non-string attributes to strings
	317	if not isinstance(attr, basestring):
	318	attr = "%s" % attr
[27d964d]	319	cattr = self.clean_attr(attr)
[1fc09db]	320	self.lock.acquire()
	321	ctxt = ABAC.Context()
	322	ids = set()
	323	for c in self.context.credentials():
	324	h = c.head()
	325	t = c.tail()
	326	if h.is_role() and t.is_principal():
	327	if t.principal() == '%s' % name and \
	328	h.principal() == '%s' % self.fedid and \
[27d964d]	329	h.role_name() == cattr:
[1fc09db]	330	continue
	331
	332	id = c.issuer_cert()
	333	if id not in ids:
	334	ctxt.load_id_chunk(id)
	335	ids.add(id)
	336	ctxt.load_attribute_chunk(c.attribute_cert())
	337	self.context = ctxt
	338	self.lock.release()
	339
	340
[a31b94d]	341	def check_attribute(self, name, attr):
[5c0d244]	342	# XXX proof soon
[a31b94d]	343	if isinstance(name, tuple):
[09b1e9d]	344	raise abac_authorizer.bad_name(
	345	"ABAC doesn't understand three-names")
[5c0d244]	346	else:
[7206e5a]	347	# Convert non-string attributes to strings
	348	if not isinstance(attr, basestring):
	349	attr = "%s" % attr
[3bf0b3c]	350	# Naked attributes are attested by this principal
[27d964d]	351	if attr.find('.') == -1:
	352	a = "%s.%s" % (self.fedid, self.clean_attr(attr))
	353	else:
	354	r, a = attr.split('.',1)
[25f66c3]	355	a = "%s.%s" % ( r, self.clean_attr(a))
[3bf0b3c]	356
	357	self.lock.acquire()
[7206e5a]	358	rv, proof = self.context.query(a, "%s" % name)
[5c0d244]	359	# XXX delete soon
[3bf0b3c]	360	if not rv and attr in self.globals: rv = True
	361	self.lock.release()
	362
	363	return rv
[a31b94d]	364
	365	def set_global_attribute(self, attr):
	366	"""
	367	Set a global attribute. All names, even those otherwise unknown to the
	368	authorizer have this attribute.
	369	"""
[3bf0b3c]	370	self.lock.acquire()
[27d964d]	371	self.globals.add(self.clean_attr(attr))
[3bf0b3c]	372	self.lock.release()
[a31b94d]	373
	374	def unset_global_attribute(self, attr):
	375	"""
	376	Remove a global attribute
	377	"""
	378
[3bf0b3c]	379	self.lock.acquire()
[27d964d]	380	self.globals.discard(self.clean_attr(attr))
[3bf0b3c]	381	self.lock.release()
[a31b94d]	382
[5c0d244]	383	def clone(self):
[3bf0b3c]	384	self.lock.acquire()
[5c0d244]	385	rv = abac_authorizer(me=self.me, key=self.key)
	386	rv.globals = self.globals.copy()
	387	rv.context = ABAC.Context(self.context)
[3bf0b3c]	388	self.lock.release()
[5c0d244]	389	return rv
	390
[7206e5a]	391	def save(self, dir=None):
[3bf0b3c]	392	self.lock.acquire()
[7206e5a]	393	if dir:
[c573278]	394	self.save_dir = os.path.abspath(dir)
[7206e5a]	395	else:
	396	dir = self.save_dir
	397	if dir is None:
	398	self.lock.release()
	399	raise abac_authorizer.no_file_error("No load directory specified")
[3bf0b3c]	400	try:
	401	if not os.access(dir, os.F_OK):
	402	os.mkdir(dir)
[09b1e9d]	403	# These are unpicklable, so set them aside
	404	context = self.context
	405	lock = self.lock
	406	self.context = None
	407	self.lock = None
	408
	409	f = open("%s/state" % dir, "w")
	410	pickle.dump(self, f)
[5c0d244]	411	f.close()
[3bf0b3c]	412
	413	if not os.access("%s/certs" %dir, os.F_OK):
	414	os.mkdir("%s/certs" % dir)
[7206e5a]	415	seenid = set()
	416	seenattr = set()
[09b1e9d]	417
	418	#restore unpicklable state
	419	self.context = context
	420	self.lock = lock
[3bf0b3c]	421	#remove old certs
	422	for fn in [ f for f in os.listdir("%s/certs" % dir) \
[27d964d]	423	if abac_authorizer.cred_file_re.match(f)]:
[3bf0b3c]	424	os.unlink('%s/certs/%s' % (dir, fn))
	425	ii = 0
	426	ai = 0
	427	for c in self.context.credentials():
	428	id = c.issuer_cert()
	429	attr = c.attribute_cert()
	430	# NB: file naming conventions matter here. The trailing_ID and
	431	# _attr are required by ABAC.COntext.load_directory()
[7206e5a]	432	if id and id not in seenid:
[3bf0b3c]	433	f = open("%s/certs/ID_%03d_ID.der" % (dir, ii), "w")
[7206e5a]	434	f.write(id)
[3bf0b3c]	435	f.close()
	436	ii += 1
[7206e5a]	437	seenid.add(id)
	438	if attr and attr not in seenattr:
[3bf0b3c]	439	f = open("%s/certs/attr_%03d_attr.der" % (dir, ai), "w")
[7206e5a]	440	f.write(attr)
[3bf0b3c]	441	f.close()
	442	ai += 1
[7206e5a]	443	seenattr.add(attr)
[3bf0b3c]	444	except EnvironmentError, e:
[09b1e9d]	445	# If we've mislaid self.lock, release lock (they're the same object)
	446	if self.lock: self.lock.release()
	447	elif lock: lock.release()
[3bf0b3c]	448	raise e
	449	except pickle.PickleError, e:
[09b1e9d]	450	# If we've mislaid self.lock, release lock (they're the same object)
	451	if self.lock: self.lock.release()
	452	elif lock: lock.release()
[3bf0b3c]	453	raise e
	454	self.lock.release()
[5c0d244]	455
[7206e5a]	456	def load(self, dir=None):
[3bf0b3c]	457	self.lock.acquire()
[7206e5a]	458	if dir:
	459	self.save_dir = dir
	460	else:
	461	dir = self.save_dir
	462	if dir is None:
	463	self.lock.release()
	464	raise abac_authorizer.no_file_error("No load directory specified")
[3bf0b3c]	465	try:
[09b1e9d]	466	if os.access("%s/state" % dir, os.R_OK):
	467	f = open("%s/state" % dir, "r")
	468	st = pickle.load(f)
[3bf0b3c]	469	f.close()
[353db8c]	470	# Copy the useful attributes from the pickled state
[09b1e9d]	471	for a in ('globals', 'key', 'me', 'cert', 'fedid'):
	472	setattr(self, a, getattr(st, a, None))
	473
	474	# Initialize the new context with the new identity
[3bf0b3c]	475	self.context = ABAC.Context()
[09b1e9d]	476	if self.me:
	477	self.context.load_id_file(self.me)
[3bf0b3c]	478	self.context.load_directory("%s/certs" % dir)
[7206e5a]	479	self.save_dir = dir
[3bf0b3c]	480	except EnvironmentError, e:
	481	self.lock.release()
	482	raise e
	483	except pickle.PickleError, e:
	484	self.lock.release()
	485	raise e
	486	self.lock.release()
	487
[547aa3b]	488	@staticmethod
	489	def encode_credential(c):
	490	return '%s <- %s' % (c.head().string(), c.tail().string())
	491
	492	def get_creds_for_principal(self, fid):
	493	look_for = set(["%s" % fid])
	494	found_attrs = set()
	495	next_look = set()
	496	found = set([])
	497
	498	self.lock.acquire()
	499	while look_for:
	500	for c in self.context.credentials():
	501	tail = c.tail()
	502	# XXX: This needs to be more aggressive for linked stuff
	503	if tail.string() in look_for and c not in found:
	504	found.add(c)
	505	next_look.add(c.head().string())
	506
	507	look_for = next_look
	508	next_look = set()
[c573278]	509	self.lock.release()
[547aa3b]	510
	511	return found
	512
[3bf0b3c]	513	def __str__(self):
	514
	515	self.lock.acquire()
	516	rv = "%s" % self.fedid
[85f5d11]	517	add = join([abac_authorizer.encode_credential(c)
[547aa3b]	518	for c in self.context.credentials()], '\n');
[85f5d11]	519	if add: rv += "\n%s" % add
[3bf0b3c]	520	self.lock.release()
	521	return rv
[5c0d244]	522

Note: See TracBrowser for help on using the repository browser.

Download in other formats: