Context Navigation

source: fedd/federation/authorizer.py @ 9216970

compt_changes

Last change on this file since 9216970 was 6bedbdba, checked in by Ted Faber <faber@…>, 13 years ago
Split topdl and fedid out to different packages. Add differential installs
Property mode set to `100644`
File size: 16.4 KB

Rev	Line
[3f6bc5f]	1	#/usr/local/bin/python
	2
[5c0d244]	3	from tempfile import mkstemp
	4	from subprocess import call
[3bf0b3c]	5	from threading import Lock
	6
[dee164e]	7	from string import join, hexdigits
[547aa3b]	8
[6bedbdba]	9	from deter import fedid
[a31b94d]	10	from remote_service import service_caller
	11	from service_error import service_error
[353db8c]	12	from util import abac_pem_type, abac_split_cert
[e83f2f2]	13	from proof import proof
[3f6bc5f]	14
[3bf0b3c]	15
[5c0d244]	16	import ABAC
[cbe0570]	17	import Creddy
[5c0d244]	18	import pickle
	19
[a31b94d]	20	import sys
[c573278]	21	import os, os.path
[3bf0b3c]	22	import re
[a31b94d]	23
	24	class authorizer_base:
[3f6bc5f]	25	"""
[a31b94d]	26	Classes based on this one keep track of authorization attributes for the
	27	various modules running. This base class holds some utility functions that
	28	they all potentially use.
[3f6bc5f]	29	"""
[a31b94d]	30
[3f6bc5f]	31	# general error exception for badly formed names.
	32	class bad_name(RuntimeError): pass
[5c0d244]	33	# difficulty creating an attribute
	34	class attribute_error(RuntimeError): pass
[3f6bc5f]	35
	36	@staticmethod
	37	def auth_name(name):
	38	"""
	39	Helper to convert a non-unicode local name to a unicode string. Mixed
	40	representations can needlessly confuse the authorizer.
	41	"""
	42	if isinstance(name, basestring):
	43	if not isinstance(name, unicode): return unicode(name)
	44	else: return name
	45	else: return name
	46
[a31b94d]	47	@staticmethod
	48	def valid_name(name):
[3f6bc5f]	49	"""
	50	Ensure that the given name is valid. A valid name can either be a
	51	triple of strings and fedids representing one of our generalized Emulab
	52	names or a single fedid. Compound names can include wildcards (None)
	53	and must anchor to a fedid at their highest level (unless they're all
	54	None)
	55
	56	This either returns True or throws an exception. More an assertion
	57	than a function.
	58	"""
	59	if isinstance(name, tuple) and len(name) == 3:
	60	for n in name:
	61	if n:
	62	if not (isinstance(n, basestring) or isinstance(n, fedid)):
[a31b94d]	63	raise authorizer_base.bad_name(
	64	"names must be either a triple or a fedid")
[3f6bc5f]	65	for n in name:
	66	if n:
	67	if isinstance(n, fedid):
	68	return True
	69	else:
[a31b94d]	70	raise authorizer_base.bad_name(
	71	"Compound names must be " + \
[3f6bc5f]	72	"rooted in fedids: %s" % str(name))
	73
	74	return True
	75	elif isinstance(name, fedid):
	76	return True
	77	else:
[a31b94d]	78	raise authorizer_base.bad_name(
	79	"Names must be a triple or a fedid (%s)" % name)
	80
	81
	82	class authorizer(authorizer_base):
	83	"""
	84	This class keeps track of authorization attributes for the various modules
	85	running. When it gets smarter it will be the basis for a real
	86	attribute-based authentication system.
	87	"""
	88	def __init__(self, def_attr="testbed"):
	89	self.attrs = { }
	90	self.globals=set()
[3f6bc5f]	91
	92	def set_attribute(self, name, attr):
	93	"""
	94	Attach attr to name. Multiple attrs can be attached.
	95	"""
	96	self.valid_name(name)
	97	if isinstance(name, tuple):
	98	aname = tuple([ self.auth_name(n) for n in name])
	99	else:
	100	aname = self.auth_name(name)
	101
	102	if not self.attrs.has_key(aname):
	103	self.attrs[aname] = set()
	104	self.attrs[aname].add(attr)
	105
	106	def unset_attribute(self, name, attr):
	107	"""
	108	Remove an attribute from name
	109	"""
	110	self.valid_name(name)
	111	if isinstance(name, tuple):
	112	aname = tuple([ self.auth_name(n) for n in name])
	113	else:
	114	aname = self.auth_name(name)
	115
	116	attrs = self.attrs.get(aname, None)
	117	if attrs: attrs.discard(attr)
	118
[e83f2f2]	119	def check_attribute(self, name, attr, with_proof=False):
[3f6bc5f]	120	"""
[05191a6]	121	Return True if name has attr (or if attr is global). Tuple names match
	122	any tuple name that matches all names present and has None entries in
	123	other fileds. For tuple names True implies that there is a matching
	124	tuple name with the attribute.
[3f6bc5f]	125	"""
	126	def tup(tup, i, p):
	127	mask = 1 << i
	128	if p & mask : return authorizer.auth_name(tup[i])
	129	else: return None
	130
	131	self.valid_name(name)
[05191a6]	132	if attr in self.globals:
[e83f2f2]	133	if with_proof: return True, proof("me", name, attr)
	134	else: return True
[3f6bc5f]	135
	136	if isinstance(name, tuple):
	137	for p in range(0,8):
	138	lookup = ( tup(name, 0, p), tup(name,1, p), tup(name,2,p))
	139	if self.attrs.has_key(lookup):
	140	if attr in self.attrs[lookup]:
[e83f2f2]	141	if with_proof: return True, proof("me", name, attr)
	142	else: return True
	143	# Drop through
	144	if with_proof: return False, proof("me", name, attr)
	145	else: return False
[3f6bc5f]	146	else:
[e83f2f2]	147	if with_proof:
	148	return attr in self.attrs.get(self.auth_name(name), set()), \
	149	proof("me", name, attr)
	150	else:
	151	return attr in self.attrs.get(self.auth_name(name), set())
[3f6bc5f]	152
[05191a6]	153	def set_global_attribute(self, attr):
	154	"""
	155	Set a global attribute. All names, even those otherwise unknown to the
	156	authorizer have this attribute.
	157	"""
	158	self.globals.add(attr)
	159
	160	def unset_global_attribute(self, attr):
	161	"""
	162	Remove a global attribute
	163	"""
	164
	165	self.globals.discard(attr)
[3f6bc5f]	166
[7206e5a]	167	def import_credentials(self, file_list=None, data_list=None):
	168	return False
	169
[358e0b8]	170	def __str__(self):
	171	rv = ""
	172	rv += "attrs %s\n" % self.attrs
	173	rv += "globals %s" % self.globals
	174	return rv
	175
[5c0d244]	176	def clone(self):
	177	rv = authorizer()
	178	rv.attrs = self.attrs.copy()
	179	rv.globals = self.globals.copy()
	180	return rv
	181
[822d31b]	182	def save(self, fn=None):
	183	if fn:
	184	f = open(fn, "w")
	185	pickle.dump(self, f)
	186	f.close()
	187
	188	def load(self, fn=None):
	189	if fn:
	190	f = open(fn, "r")
	191	a = pickle.load(f)
	192	f.close()
	193	self.attrs = a.attrs
	194	self.globals = a.globals
[5c0d244]	195
	196
[a31b94d]	197	class abac_authorizer(authorizer_base):
	198	"""
	199	Use the ABAC authorization system to make attribute decisions.
	200	"""
	201
[7206e5a]	202	clean_attr_re = re.compile('[^A-Za-z0-9_]+')
[5097195]	203	clean_prefix_attr_re = re.compile('^_+')
[27d964d]	204	cred_file_re = re.compile('.*\.der$')
[09b1e9d]	205	bad_name = authorizer_base.bad_name
	206	attribute_error = authorizer_base.attribute_error
[6e63513]	207	class no_file_error(RuntimeError): pass
	208	class bad_cert_error(RuntimeError): pass
[27d964d]	209
[353db8c]	210	def __init__(self, certs=None, me=None, key=None, load=None, save=None):
[cbe0570]	211	self.creddy_id = None
[2628e5d]	212	self.globals = set()
	213	self.lock = Lock()
[a31b94d]	214	self.me = me
[353db8c]	215	self.save_dir = load or save
[36f642f]	216	self.local_files = False
[c573278]	217	if self.save_dir:
	218	self.save_dir = os.path.abspath(self.save_dir)
[353db8c]	219	# If the me parameter is a combination certificate, split it into the
	220	# abac_authorizer save directory (if any) for use with creddy.
[6e63513]	221	if self.me is not None and abac_pem_type(self.me) == 'both':
[353db8c]	222	if self.save_dir:
[e65150a]	223	keyfile="%s/key.pem" % self.save_dir
	224	certfile = "%s/cert.pem" % self.save_dir
	225
	226	# Clear a spot for the new key and cert files.
	227	for fn in (keyfile, certfile):
	228	if os.access(fn, os.F_OK):
	229	os.unlink(fn)
	230
	231	self.key, self.me = abac_split_cert(self.me, keyfile, certfile)
[36f642f]	232	self.local_files = True
[cbe0570]	233	self.init_libcreddy_id()
[353db8c]	234	else:
[6e63513]	235	raise abac_authorizer.bad_cert_error("Combination " + \
	236	"certificate and nowhere to split it");
[353db8c]	237	else:
	238	self.key = key
[5c0d244]	239	self.context = ABAC.Context()
[3bf0b3c]	240	if me:
	241	self.fedid = fedid(file=self.me)
[547aa3b]	242	rv = self.context.load_id_file(self.me)
	243	if rv != 0:
	244	raise abac_authorizer.bad_name(
[8cf2c507]	245	'Cannot load identity from %s' % me)
[09b1e9d]	246	else:
	247	self.fedid = None
[3bf0b3c]	248
[2628e5d]	249	if isinstance(certs, basestring):
	250	certs = [ certs ]
	251
[5c0d244]	252	for dir in certs or []:
	253	self.context.load_directory(dir)
	254
[7206e5a]	255	if load:
	256	self.load(load)
[2628e5d]	257
[cbe0570]	258	def init_libcreddy_id(self):
	259	self.creddy_id = None
	260	try:
	261	self.creddy_id = Creddy.ID(self.me)
	262	except:
[5f51dc1]	263	raise abac_authorizer.bad_cert_error('Cannot load cert %s' \
[cbe0570]	264	% self.me)
	265
	266	try:
	267	self.creddy_id.load_privkey(self.key)
	268	except:
	269	self.creddy_id = None
	270	raise abac_authorized_bad_cert_error('Cannot load key %s' \
	271	% self.key)
	272
	273
	274
[8cf2c507]	275	# Modify the pickling operations so that the context and lock are not
	276	# pickled
	277
	278	def __getstate__(self):
	279	d = self.__dict__.copy()
	280	del d['lock']
	281	del d['context']
[cbe0570]	282	del d['creddy_id']
[8cf2c507]	283	return d
	284
	285	def __setstate__(self, d):
	286	# Import everything from the pickle dict (except what we excluded in
	287	# __getstate__)
	288	self.__dict__.update(d)
	289	# Initialize the unpicklables
	290	self.context = ABAC.Context()
	291	self.lock = Lock()
	292
[27d964d]	293	@staticmethod
	294	def clean_attr(attr):
[e982b92]	295	'''
	296	Convert anything not in A-Z_ into an _ and make sure that the string
	297	begins with a non-_. Convert to s string to keep swig happy.
	298	'''
[5097195]	299	a = abac_authorizer.clean_attr_re.sub('_', attr)
[e982b92]	300	return str(abac_authorizer.clean_prefix_attr_re.sub('', a))
[27d964d]	301
[dee164e]	302
[7206e5a]	303	def import_credentials(self, file_list=None, data_list=None):
	304	if data_list:
	305	return any([self.import_credential(data=d) for d in data_list])
	306	elif file_list:
	307	return any([self.import_credential(file=f) for f in file_list])
	308	else:
	309	return False
	310
	311	def import_credential(self, file=None, data=None):
	312	if data:
[725c55d]	313	if self.context.load_id_chunk(data) != ABAC.ABAC_CERT_SUCCESS:
	314	return self.context.load_attribute_chunk(data) == \
	315	ABAC.ABAC_CERT_SUCCESS
	316	else:
	317	return True
[7206e5a]	318	elif file:
	319	if self.context.load_id_file(file) != ABAC.ABAC_CERT_SUCCESS:
	320	return self.context.load_attribute_file(file) == \
	321	ABAC.ABAC_CERT_SUCCESS
	322	else:
	323	return True
	324	else:
	325	return False
	326
[5c0d244]	327	def set_attribute(self, name=None, attr=None, cert=None):
	328	if name and attr:
	329	if isinstance(name, tuple):
[09b1e9d]	330	raise abac_authorizer.bad_name(
	331	"ABAC doesn't understand three-names")
[7206e5a]	332	# Convert non-string attributes to strings
	333	if not isinstance(attr, basestring):
	334	attr = "%s" % attr
[dee164e]	335
[cbe0570]	336	if self.creddy_id:
[5c0d244]	337	# Create a credential and insert it into context
	338	# This will simplify when we have libcreddy
	339	try:
[cbe0570]	340	attrcert = Creddy.Attribute(self.creddy_id,
	341	self.clean_attr(attr), 3600 * 24 * 365 * 10)
	342	attrcert.principal("%s" % name)
	343	attrcert.bake()
	344	except:
[e982b92]	345	raise abac_authorizer.bad_cert_error(
[cbe0570]	346	"Cannot create attribute cert")
	347	self.lock.acquire()
	348	# load it to context and remove the file
	349	rv = self.context.load_attribute_chunk(attrcert.cert_chunk())
	350	self.lock.release()
	351	return rv
[a31b94d]	352	else:
[09b1e9d]	353	raise abac_authorizer.attribute_error(
[5c0d244]	354	"Identity and key not specified on creation")
	355	elif cert:
	356	# Insert this credential into the context
[3bf0b3c]	357	self.lock.acquire()
[cbe0570]	358	rv = self.context.load_attribute_chunk(cert)
[3bf0b3c]	359	self.lock.release()
[cbe0570]	360	return rv
[a31b94d]	361	else:
[09b1e9d]	362	raise abac_authorizer.attribute_error(
	363	"Neither name/attr nor cert is set")
[a31b94d]	364
[1fc09db]	365	def unset_attribute(self, name, attr):
	366	if isinstance(name, tuple):
[09b1e9d]	367	raise abac_authorizer.bad_name(
	368	"ABAC doesn't understand three-names")
[7206e5a]	369	# Convert non-string attributes to strings
	370	if not isinstance(attr, basestring):
	371	attr = "%s" % attr
[27d964d]	372	cattr = self.clean_attr(attr)
[1fc09db]	373	self.lock.acquire()
	374	ctxt = ABAC.Context()
	375	ids = set()
	376	for c in self.context.credentials():
	377	h = c.head()
	378	t = c.tail()
	379	if h.is_role() and t.is_principal():
	380	if t.principal() == '%s' % name and \
	381	h.principal() == '%s' % self.fedid and \
[27d964d]	382	h.role_name() == cattr:
[1fc09db]	383	continue
	384
	385	id = c.issuer_cert()
	386	if id not in ids:
	387	ctxt.load_id_chunk(id)
	388	ids.add(id)
	389	ctxt.load_attribute_chunk(c.attribute_cert())
	390	self.context = ctxt
	391	self.lock.release()
	392
[dee164e]	393	@staticmethod
	394	def starts_with_fedid(attr):
	395	"""
	396	Return true if the first 40 characters of the string are hex digits
	397	followed by a dot. False otherwise. Used in check_attribute.
	398	"""
	399	if attr.find('.') == 40:
	400	return all([ x in hexdigits for x in attr[0:40]])
	401	else:
	402	return False
	403
[1fc09db]	404
[e83f2f2]	405	def check_attribute(self, name, attr, with_proof=False):
[a31b94d]	406	if isinstance(name, tuple):
[09b1e9d]	407	raise abac_authorizer.bad_name(
	408	"ABAC doesn't understand three-names")
[5c0d244]	409	else:
[7206e5a]	410	# Convert non-string attributes to strings
	411	if not isinstance(attr, basestring):
	412	attr = "%s" % attr
[dee164e]	413	# Attributes that start with a fedid only have the part of the
	414	# attribute after the dot cleaned. Others are completely cleaned
	415	# and have the owner fedid attached.
	416	if self.starts_with_fedid(attr):
[27d964d]	417	r, a = attr.split('.',1)
[25f66c3]	418	a = "%s.%s" % ( r, self.clean_attr(a))
[dee164e]	419	else:
	420	a = "%s.%s" % (self.fedid, self.clean_attr(attr))
	421
	422	a = str(a)
	423	n = str("%s" % name)
[3bf0b3c]	424
	425	self.lock.acquire()
[dee164e]	426	# Sigh. Unicode vs swig and swig seems to lose. Make sure
	427	# everything we pass into ABAC is a str not a unicode.
[e83f2f2]	428	rv, p = self.context.query(a, n)
[5c0d244]	429	# XXX delete soon
[e83f2f2]	430	if not rv and attr in self.globals:
	431	rv = True
	432	p = None
[3bf0b3c]	433	self.lock.release()
[e83f2f2]	434	if with_proof: return rv, proof(self.fedid, name, a, p)
	435	else: return rv
[a31b94d]	436
	437	def set_global_attribute(self, attr):
	438	"""
	439	Set a global attribute. All names, even those otherwise unknown to the
	440	authorizer have this attribute.
	441	"""
[3bf0b3c]	442	self.lock.acquire()
[27d964d]	443	self.globals.add(self.clean_attr(attr))
[3bf0b3c]	444	self.lock.release()
[a31b94d]	445
	446	def unset_global_attribute(self, attr):
	447	"""
	448	Remove a global attribute
	449	"""
	450
[3bf0b3c]	451	self.lock.acquire()
[27d964d]	452	self.globals.discard(self.clean_attr(attr))
[3bf0b3c]	453	self.lock.release()
[a31b94d]	454
[5c0d244]	455	def clone(self):
[3bf0b3c]	456	self.lock.acquire()
[5c0d244]	457	rv = abac_authorizer(me=self.me, key=self.key)
	458	rv.globals = self.globals.copy()
	459	rv.context = ABAC.Context(self.context)
[3bf0b3c]	460	self.lock.release()
[5c0d244]	461	return rv
	462
[36f642f]	463	def copy_file(self, src, dest, mode=0600):
	464	'''
	465	Copy src to dest with file mode mode. May raise exceptions on file ops
	466	'''
[52131d3]	467	same_file = False
	468	try:
	469	ss = os.stat(src)
	470	ds = os.stat(dest)
	471
	472	if ds.st_ino == ss.st_ino: same_file = True
	473	except EnvironmentError:
	474	pass
[a55f2f9]	475
[52131d3]	476	if not same_file:
[a55f2f9]	477	d = open(dest, 'w')
	478	s = open(src, 'r')
	479	d.write(s.read())
	480	s.close()
	481	d.close()
[36f642f]	482	os.chmod(dest, mode)
	483
	484
	485
[7206e5a]	486	def save(self, dir=None):
[3bf0b3c]	487	self.lock.acquire()
[7206e5a]	488	if dir:
[c573278]	489	self.save_dir = os.path.abspath(dir)
[7206e5a]	490	else:
	491	dir = self.save_dir
	492	if dir is None:
	493	self.lock.release()
	494	raise abac_authorizer.no_file_error("No load directory specified")
[3bf0b3c]	495	try:
	496	if not os.access(dir, os.F_OK):
	497	os.mkdir(dir)
[09b1e9d]	498
[36f642f]	499	# if self.key and self.me were split, copy the split files into the
	500	# new directory.
	501	if self.local_files:
	502	self.copy_file(self.key, '%s/key.pem' % dir)
	503	self.copy_file(self.me, '%s/cert.pem' % dir)
	504	# Point the key and me members to the new locations for
	505	# pickling
	506	hold_key = self.key
	507	hold_me = self.me
	508	self.key = '%s/key.pem' % dir
	509	self.me = '%s/cert.pem' % dir
	510
[09b1e9d]	511	f = open("%s/state" % dir, "w")
	512	pickle.dump(self, f)
[5c0d244]	513	f.close()
[3bf0b3c]	514
[36f642f]	515	if self.local_files:
	516	self.key = hold_key
	517	self.me = hold_me
	518
[3bf0b3c]	519	if not os.access("%s/certs" %dir, os.F_OK):
	520	os.mkdir("%s/certs" % dir)
[09b1e9d]	521
[8cf2c507]	522	# Clear the certs subdir
[3bf0b3c]	523	for fn in [ f for f in os.listdir("%s/certs" % dir) \
[27d964d]	524	if abac_authorizer.cred_file_re.match(f)]:
[3bf0b3c]	525	os.unlink('%s/certs/%s' % (dir, fn))
[8cf2c507]	526
	527	# Save the context
[3bf0b3c]	528	ii = 0
	529	ai = 0
[8cf2c507]	530	seenid = set()
	531	seenattr = set()
[3bf0b3c]	532	for c in self.context.credentials():
	533	id = c.issuer_cert()
	534	attr = c.attribute_cert()
	535	# NB: file naming conventions matter here. The trailing_ID and
	536	# _attr are required by ABAC.COntext.load_directory()
[7206e5a]	537	if id and id not in seenid:
[3bf0b3c]	538	f = open("%s/certs/ID_%03d_ID.der" % (dir, ii), "w")
[7206e5a]	539	f.write(id)
[3bf0b3c]	540	f.close()
	541	ii += 1
[7206e5a]	542	seenid.add(id)
	543	if attr and attr not in seenattr:
[3bf0b3c]	544	f = open("%s/certs/attr_%03d_attr.der" % (dir, ai), "w")
[7206e5a]	545	f.write(attr)
[3bf0b3c]	546	f.close()
	547	ai += 1
[7206e5a]	548	seenattr.add(attr)
[3bf0b3c]	549	except EnvironmentError, e:
[8cf2c507]	550	self.lock.release()
[3bf0b3c]	551	raise e
	552	except pickle.PickleError, e:
[8cf2c507]	553	self.lock.release()
[3bf0b3c]	554	raise e
	555	self.lock.release()
[5c0d244]	556
[7206e5a]	557	def load(self, dir=None):
[3bf0b3c]	558	self.lock.acquire()
[7206e5a]	559	if dir:
	560	self.save_dir = dir
	561	else:
	562	dir = self.save_dir
	563	if dir is None:
	564	self.lock.release()
	565	raise abac_authorizer.no_file_error("No load directory specified")
[3bf0b3c]	566	try:
[09b1e9d]	567	if os.access("%s/state" % dir, os.R_OK):
	568	f = open("%s/state" % dir, "r")
	569	st = pickle.load(f)
[3bf0b3c]	570	f.close()
[353db8c]	571	# Copy the useful attributes from the pickled state
[09b1e9d]	572	for a in ('globals', 'key', 'me', 'cert', 'fedid'):
	573	setattr(self, a, getattr(st, a, None))
	574
	575	# Initialize the new context with the new identity
[3bf0b3c]	576	self.context = ABAC.Context()
[09b1e9d]	577	if self.me:
	578	self.context.load_id_file(self.me)
[cbe0570]	579	if self.key:
	580	self.init_libcreddy_id()
[3bf0b3c]	581	self.context.load_directory("%s/certs" % dir)
[7206e5a]	582	self.save_dir = dir
[3bf0b3c]	583	except EnvironmentError, e:
	584	self.lock.release()
	585	raise e
	586	except pickle.PickleError, e:
	587	self.lock.release()
	588	raise e
	589	self.lock.release()
	590
[547aa3b]	591	@staticmethod
	592	def encode_credential(c):
	593	return '%s <- %s' % (c.head().string(), c.tail().string())
	594
	595	def get_creds_for_principal(self, fid):
	596	look_for = set(["%s" % fid])
	597	found_attrs = set()
	598	next_look = set()
	599	found = set([])
	600
	601	self.lock.acquire()
	602	while look_for:
	603	for c in self.context.credentials():
	604	tail = c.tail()
	605	# XXX: This needs to be more aggressive for linked stuff
	606	if tail.string() in look_for and c not in found:
	607	found.add(c)
	608	next_look.add(c.head().string())
	609
	610	look_for = next_look
	611	next_look = set()
[c573278]	612	self.lock.release()
[547aa3b]	613
	614	return found
	615
[3bf0b3c]	616	def __str__(self):
	617
	618	self.lock.acquire()
	619	rv = "%s" % self.fedid
[85f5d11]	620	add = join([abac_authorizer.encode_credential(c)
[547aa3b]	621	for c in self.context.credentials()], '\n');
[85f5d11]	622	if add: rv += "\n%s" % add
[3bf0b3c]	623	self.lock.release()
	624	return rv
[5c0d244]	625

Note: See TracBrowser for help on using the repository browser.

Download in other formats: