Context Navigation

authorizer.py @ a7c0bcb

axis_examplecompt_changesinfo-ops

Last change on this file since a7c0bcb was dee164e, checked in by Ted Faber <faber@…>, 14 years ago

Looks like internal works now.

Had to add default entries to the access list to accomodate that, and discovered that ABAC requires strings - not unicode.

Moved lookup_access into the aceess class as most should be able to use it directly now.

Property mode set to 100644

File size: 14.5 KB

Rev	Line
[3f6bc5f]	1	#/usr/local/bin/python
	2
[3bf0b3c]	3	from string import join
[5c0d244]	4	from tempfile import mkstemp
	5	from subprocess import call
[3bf0b3c]	6	from threading import Lock
	7
[dee164e]	8	from string import join, hexdigits
[547aa3b]	9
[3f6bc5f]	10	from fedid import fedid
[a31b94d]	11	from remote_service import service_caller
	12	from service_error import service_error
[353db8c]	13	from util import abac_pem_type, abac_split_cert
[3f6bc5f]	14
[3bf0b3c]	15
[5c0d244]	16	import ABAC
	17	import pickle
	18
[a31b94d]	19	import sys
[c573278]	20	import os, os.path
[3bf0b3c]	21	import re
[a31b94d]	22
	23	class authorizer_base:
[3f6bc5f]	24	"""
[a31b94d]	25	Classes based on this one keep track of authorization attributes for the
	26	various modules running. This base class holds some utility functions that
	27	they all potentially use.
[3f6bc5f]	28	"""
[a31b94d]	29
[3f6bc5f]	30	# general error exception for badly formed names.
	31	class bad_name(RuntimeError): pass
[5c0d244]	32	# difficulty creating an attribute
	33	class attribute_error(RuntimeError): pass
[3f6bc5f]	34
	35	@staticmethod
	36	def auth_name(name):
	37	"""
	38	Helper to convert a non-unicode local name to a unicode string. Mixed
	39	representations can needlessly confuse the authorizer.
	40	"""
	41	if isinstance(name, basestring):
	42	if not isinstance(name, unicode): return unicode(name)
	43	else: return name
	44	else: return name
	45
[a31b94d]	46	@staticmethod
	47	def valid_name(name):
[3f6bc5f]	48	"""
	49	Ensure that the given name is valid. A valid name can either be a
	50	triple of strings and fedids representing one of our generalized Emulab
	51	names or a single fedid. Compound names can include wildcards (None)
	52	and must anchor to a fedid at their highest level (unless they're all
	53	None)
	54
	55	This either returns True or throws an exception. More an assertion
	56	than a function.
	57	"""
	58	if isinstance(name, tuple) and len(name) == 3:
	59	for n in name:
	60	if n:
	61	if not (isinstance(n, basestring) or isinstance(n, fedid)):
[a31b94d]	62	raise authorizer_base.bad_name(
	63	"names must be either a triple or a fedid")
[3f6bc5f]	64	for n in name:
	65	if n:
	66	if isinstance(n, fedid):
	67	return True
	68	else:
[a31b94d]	69	raise authorizer_base.bad_name(
	70	"Compound names must be " + \
[3f6bc5f]	71	"rooted in fedids: %s" % str(name))
	72
	73	return True
	74	elif isinstance(name, fedid):
	75	return True
	76	else:
[a31b94d]	77	raise authorizer_base.bad_name(
	78	"Names must be a triple or a fedid (%s)" % name)
	79
	80
	81	class authorizer(authorizer_base):
	82	"""
	83	This class keeps track of authorization attributes for the various modules
	84	running. When it gets smarter it will be the basis for a real
	85	attribute-based authentication system.
	86	"""
	87	def __init__(self, def_attr="testbed"):
	88	self.attrs = { }
	89	self.globals=set()
[3f6bc5f]	90
	91	def set_attribute(self, name, attr):
	92	"""
	93	Attach attr to name. Multiple attrs can be attached.
	94	"""
	95	self.valid_name(name)
	96	if isinstance(name, tuple):
	97	aname = tuple([ self.auth_name(n) for n in name])
	98	else:
	99	aname = self.auth_name(name)
	100
	101	if not self.attrs.has_key(aname):
	102	self.attrs[aname] = set()
	103	self.attrs[aname].add(attr)
	104
	105	def unset_attribute(self, name, attr):
	106	"""
	107	Remove an attribute from name
	108	"""
	109	self.valid_name(name)
	110	if isinstance(name, tuple):
	111	aname = tuple([ self.auth_name(n) for n in name])
	112	else:
	113	aname = self.auth_name(name)
	114
	115	attrs = self.attrs.get(aname, None)
	116	if attrs: attrs.discard(attr)
	117
	118	def check_attribute(self, name, attr):
	119	"""
[05191a6]	120	Return True if name has attr (or if attr is global). Tuple names match
	121	any tuple name that matches all names present and has None entries in
	122	other fileds. For tuple names True implies that there is a matching
	123	tuple name with the attribute.
[3f6bc5f]	124	"""
	125	def tup(tup, i, p):
	126	mask = 1 << i
	127	if p & mask : return authorizer.auth_name(tup[i])
	128	else: return None
	129
	130	self.valid_name(name)
[05191a6]	131	if attr in self.globals:
	132	return True
[3f6bc5f]	133
	134	if isinstance(name, tuple):
	135	for p in range(0,8):
	136	lookup = ( tup(name, 0, p), tup(name,1, p), tup(name,2,p))
	137	if self.attrs.has_key(lookup):
	138	if attr in self.attrs[lookup]:
	139	return True
	140	else:
	141	return attr in self.attrs.get(self.auth_name(name), set())
	142
[05191a6]	143	def set_global_attribute(self, attr):
	144	"""
	145	Set a global attribute. All names, even those otherwise unknown to the
	146	authorizer have this attribute.
	147	"""
	148	self.globals.add(attr)
	149
	150	def unset_global_attribute(self, attr):
	151	"""
	152	Remove a global attribute
	153	"""
	154
	155	self.globals.discard(attr)
[3f6bc5f]	156
[7206e5a]	157	def import_credentials(self, file_list=None, data_list=None):
	158	return False
	159
[358e0b8]	160	def __str__(self):
	161	rv = ""
	162	rv += "attrs %s\n" % self.attrs
	163	rv += "globals %s" % self.globals
	164	return rv
	165
[5c0d244]	166	def clone(self):
	167	rv = authorizer()
	168	rv.attrs = self.attrs.copy()
	169	rv.globals = self.globals.copy()
	170	return rv
	171
[822d31b]	172	def save(self, fn=None):
	173	if fn:
	174	f = open(fn, "w")
	175	pickle.dump(self, f)
	176	f.close()
	177
	178	def load(self, fn=None):
	179	if fn:
	180	f = open(fn, "r")
	181	a = pickle.load(f)
	182	f.close()
	183	self.attrs = a.attrs
	184	self.globals = a.globals
[5c0d244]	185
	186
[a31b94d]	187	class abac_authorizer(authorizer_base):
	188	"""
	189	Use the ABAC authorization system to make attribute decisions.
	190	"""
	191
[7206e5a]	192	clean_attr_re = re.compile('[^A-Za-z0-9_]+')
[27d964d]	193	cred_file_re = re.compile('.*\.der$')
[09b1e9d]	194	bad_name = authorizer_base.bad_name
	195	attribute_error = authorizer_base.attribute_error
[6e63513]	196	class no_file_error(RuntimeError): pass
	197	class bad_cert_error(RuntimeError): pass
[27d964d]	198
[353db8c]	199	def __init__(self, certs=None, me=None, key=None, load=None, save=None):
[5c0d244]	200	self.creddy = '/usr/local/bin/creddy'
[2628e5d]	201	self.globals = set()
	202	self.lock = Lock()
[a31b94d]	203	self.me = me
[353db8c]	204	self.save_dir = load or save
[c573278]	205	if self.save_dir:
	206	self.save_dir = os.path.abspath(self.save_dir)
[353db8c]	207	# If the me parameter is a combination certificate, split it into the
	208	# abac_authorizer save directory (if any) for use with creddy.
[6e63513]	209	if self.me is not None and abac_pem_type(self.me) == 'both':
[353db8c]	210	if self.save_dir:
	211	self.key, self.me = abac_split_cert(self.me,
	212	keyfile="%s/key.pem" % self.save_dir,
	213	certfile = "%s/cert.pem" % self.save_dir)
	214	else:
[6e63513]	215	raise abac_authorizer.bad_cert_error("Combination " + \
	216	"certificate and nowhere to split it");
[353db8c]	217	else:
	218	self.key = key
[5c0d244]	219	self.context = ABAC.Context()
[3bf0b3c]	220	if me:
	221	self.fedid = fedid(file=self.me)
[547aa3b]	222	rv = self.context.load_id_file(self.me)
	223	if rv != 0:
	224	raise abac_authorizer.bad_name(
	225	'Cannot load identity from %s' % me.cert)
[09b1e9d]	226	else:
	227	self.fedid = None
[3bf0b3c]	228
[2628e5d]	229	if isinstance(certs, basestring):
	230	certs = [ certs ]
	231
[5c0d244]	232	for dir in certs or []:
	233	self.context.load_directory(dir)
	234
[7206e5a]	235	if load:
	236	self.load(load)
[2628e5d]	237
[27d964d]	238	@staticmethod
	239	def clean_attr(attr):
	240	return abac_authorizer.clean_attr_re.sub('_', attr)
	241
[dee164e]	242
[7206e5a]	243	def import_credentials(self, file_list=None, data_list=None):
	244	if data_list:
	245	return any([self.import_credential(data=d) for d in data_list])
	246	elif file_list:
	247	return any([self.import_credential(file=f) for f in file_list])
	248	else:
	249	return False
	250
	251	def import_credential(self, file=None, data=None):
	252	if data:
[725c55d]	253	if self.context.load_id_chunk(data) != ABAC.ABAC_CERT_SUCCESS:
	254	return self.context.load_attribute_chunk(data) == \
	255	ABAC.ABAC_CERT_SUCCESS
	256	else:
	257	return True
[7206e5a]	258	elif file:
	259	if self.context.load_id_file(file) != ABAC.ABAC_CERT_SUCCESS:
	260	return self.context.load_attribute_file(file) == \
	261	ABAC.ABAC_CERT_SUCCESS
	262	else:
	263	return True
	264	else:
	265	return False
	266
[5c0d244]	267	def set_attribute(self, name=None, attr=None, cert=None):
	268	if name and attr:
	269	if isinstance(name, tuple):
[09b1e9d]	270	raise abac_authorizer.bad_name(
	271	"ABAC doesn't understand three-names")
[7206e5a]	272	# Convert non-string attributes to strings
	273	if not isinstance(attr, basestring):
	274	attr = "%s" % attr
[dee164e]	275
[5c0d244]	276	if self.me and self.key:
	277	# Create a credential and insert it into context
	278	# This will simplify when we have libcreddy
	279	try:
	280	# create temp file
	281	f, fn = mkstemp()
[3bf0b3c]	282	os.close(f)
[5c0d244]	283	except EnvironmentError, e:
[09b1e9d]	284	raise abac_authorizer.attribute_error(
[5c0d244]	285	"Cannot create temp file: %s" %e)
	286
	287	# Create the attribute certificate with creddy
[3bf0b3c]	288	cmd = [self.creddy, '--attribute', '--issuer=%s' % self.me,
[27d964d]	289	'--key=%s' % self.key, '--role=%s' % self.clean_attr(attr),
[3bf0b3c]	290	'--subject-id=%s' % name, '--out=%s' % fn]
	291	rv = call(cmd)
[5c0d244]	292	if rv == 0:
[3bf0b3c]	293	self.lock.acquire()
[5c0d244]	294	# load it to context and remove the file
[3bf0b3c]	295	rv = self.context.load_attribute_file(fn)
	296	self.lock.release()
[5c0d244]	297	os.unlink(fn)
	298	else:
	299	os.unlink(fn)
[09b1e9d]	300	raise abac_authorizer.attribute_error(
	301	"creddy returned %s" % rv)
[a31b94d]	302	else:
[09b1e9d]	303	raise abac_authorizer.attribute_error(
[5c0d244]	304	"Identity and key not specified on creation")
	305	elif cert:
	306	# Insert this credential into the context
[3bf0b3c]	307	self.lock.acquire()
[5c0d244]	308	self.context.load_attribute_chunk(cert)
[3bf0b3c]	309	self.lock.release()
[a31b94d]	310	else:
[09b1e9d]	311	raise abac_authorizer.attribute_error(
	312	"Neither name/attr nor cert is set")
[a31b94d]	313
[1fc09db]	314	def unset_attribute(self, name, attr):
	315	if isinstance(name, tuple):
[09b1e9d]	316	raise abac_authorizer.bad_name(
	317	"ABAC doesn't understand three-names")
[7206e5a]	318	# Convert non-string attributes to strings
	319	if not isinstance(attr, basestring):
	320	attr = "%s" % attr
[27d964d]	321	cattr = self.clean_attr(attr)
[1fc09db]	322	self.lock.acquire()
	323	ctxt = ABAC.Context()
	324	ids = set()
	325	for c in self.context.credentials():
	326	h = c.head()
	327	t = c.tail()
	328	if h.is_role() and t.is_principal():
	329	if t.principal() == '%s' % name and \
	330	h.principal() == '%s' % self.fedid and \
[27d964d]	331	h.role_name() == cattr:
[1fc09db]	332	continue
	333
	334	id = c.issuer_cert()
	335	if id not in ids:
	336	ctxt.load_id_chunk(id)
	337	ids.add(id)
	338	ctxt.load_attribute_chunk(c.attribute_cert())
	339	self.context = ctxt
	340	self.lock.release()
	341
[dee164e]	342	@staticmethod
	343	def starts_with_fedid(attr):
	344	"""
	345	Return true if the first 40 characters of the string are hex digits
	346	followed by a dot. False otherwise. Used in check_attribute.
	347	"""
	348	if attr.find('.') == 40:
	349	return all([ x in hexdigits for x in attr[0:40]])
	350	else:
	351	return False
	352
[1fc09db]	353
[a31b94d]	354	def check_attribute(self, name, attr):
[5c0d244]	355	# XXX proof soon
[a31b94d]	356	if isinstance(name, tuple):
[09b1e9d]	357	raise abac_authorizer.bad_name(
	358	"ABAC doesn't understand three-names")
[5c0d244]	359	else:
[7206e5a]	360	# Convert non-string attributes to strings
	361	if not isinstance(attr, basestring):
	362	attr = "%s" % attr
[dee164e]	363	# Attributes that start with a fedid only have the part of the
	364	# attribute after the dot cleaned. Others are completely cleaned
	365	# and have the owner fedid attached.
	366	if self.starts_with_fedid(attr):
[27d964d]	367	r, a = attr.split('.',1)
[25f66c3]	368	a = "%s.%s" % ( r, self.clean_attr(a))
[dee164e]	369	else:
	370	a = "%s.%s" % (self.fedid, self.clean_attr(attr))
	371
	372	a = str(a)
	373	n = str("%s" % name)
[3bf0b3c]	374
	375	self.lock.acquire()
[dee164e]	376	# Sigh. Unicode vs swig and swig seems to lose. Make sure
	377	# everything we pass into ABAC is a str not a unicode.
	378	rv, proof = self.context.query(a, n)
[5c0d244]	379	# XXX delete soon
[3bf0b3c]	380	if not rv and attr in self.globals: rv = True
	381	self.lock.release()
	382
	383	return rv
[a31b94d]	384
	385	def set_global_attribute(self, attr):
	386	"""
	387	Set a global attribute. All names, even those otherwise unknown to the
	388	authorizer have this attribute.
	389	"""
[3bf0b3c]	390	self.lock.acquire()
[27d964d]	391	self.globals.add(self.clean_attr(attr))
[3bf0b3c]	392	self.lock.release()
[a31b94d]	393
	394	def unset_global_attribute(self, attr):
	395	"""
	396	Remove a global attribute
	397	"""
	398
[3bf0b3c]	399	self.lock.acquire()
[27d964d]	400	self.globals.discard(self.clean_attr(attr))
[3bf0b3c]	401	self.lock.release()
[a31b94d]	402
[5c0d244]	403	def clone(self):
[3bf0b3c]	404	self.lock.acquire()
[5c0d244]	405	rv = abac_authorizer(me=self.me, key=self.key)
	406	rv.globals = self.globals.copy()
	407	rv.context = ABAC.Context(self.context)
[3bf0b3c]	408	self.lock.release()
[5c0d244]	409	return rv
	410
[7206e5a]	411	def save(self, dir=None):
[3bf0b3c]	412	self.lock.acquire()
[7206e5a]	413	if dir:
[c573278]	414	self.save_dir = os.path.abspath(dir)
[7206e5a]	415	else:
	416	dir = self.save_dir
	417	if dir is None:
	418	self.lock.release()
	419	raise abac_authorizer.no_file_error("No load directory specified")
[3bf0b3c]	420	try:
	421	if not os.access(dir, os.F_OK):
	422	os.mkdir(dir)
[09b1e9d]	423	# These are unpicklable, so set them aside
	424	context = self.context
	425	lock = self.lock
	426	self.context = None
	427	self.lock = None
	428
	429	f = open("%s/state" % dir, "w")
	430	pickle.dump(self, f)
[5c0d244]	431	f.close()
[3bf0b3c]	432
	433	if not os.access("%s/certs" %dir, os.F_OK):
	434	os.mkdir("%s/certs" % dir)
[7206e5a]	435	seenid = set()
	436	seenattr = set()
[09b1e9d]	437
	438	#restore unpicklable state
	439	self.context = context
	440	self.lock = lock
[3bf0b3c]	441	#remove old certs
	442	for fn in [ f for f in os.listdir("%s/certs" % dir) \
[27d964d]	443	if abac_authorizer.cred_file_re.match(f)]:
[3bf0b3c]	444	os.unlink('%s/certs/%s' % (dir, fn))
	445	ii = 0
	446	ai = 0
	447	for c in self.context.credentials():
	448	id = c.issuer_cert()
	449	attr = c.attribute_cert()
	450	# NB: file naming conventions matter here. The trailing_ID and
	451	# _attr are required by ABAC.COntext.load_directory()
[7206e5a]	452	if id and id not in seenid:
[3bf0b3c]	453	f = open("%s/certs/ID_%03d_ID.der" % (dir, ii), "w")
[7206e5a]	454	f.write(id)
[3bf0b3c]	455	f.close()
	456	ii += 1
[7206e5a]	457	seenid.add(id)
	458	if attr and attr not in seenattr:
[3bf0b3c]	459	f = open("%s/certs/attr_%03d_attr.der" % (dir, ai), "w")
[7206e5a]	460	f.write(attr)
[3bf0b3c]	461	f.close()
	462	ai += 1
[7206e5a]	463	seenattr.add(attr)
[3bf0b3c]	464	except EnvironmentError, e:
[09b1e9d]	465	# If we've mislaid self.lock, release lock (they're the same object)
	466	if self.lock: self.lock.release()
	467	elif lock: lock.release()
[3bf0b3c]	468	raise e
	469	except pickle.PickleError, e:
[09b1e9d]	470	# If we've mislaid self.lock, release lock (they're the same object)
	471	if self.lock: self.lock.release()
	472	elif lock: lock.release()
[3bf0b3c]	473	raise e
	474	self.lock.release()
[5c0d244]	475
[7206e5a]	476	def load(self, dir=None):
[3bf0b3c]	477	self.lock.acquire()
[7206e5a]	478	if dir:
	479	self.save_dir = dir
	480	else:
	481	dir = self.save_dir
	482	if dir is None:
	483	self.lock.release()
	484	raise abac_authorizer.no_file_error("No load directory specified")
[3bf0b3c]	485	try:
[09b1e9d]	486	if os.access("%s/state" % dir, os.R_OK):
	487	f = open("%s/state" % dir, "r")
	488	st = pickle.load(f)
[3bf0b3c]	489	f.close()
[353db8c]	490	# Copy the useful attributes from the pickled state
[09b1e9d]	491	for a in ('globals', 'key', 'me', 'cert', 'fedid'):
	492	setattr(self, a, getattr(st, a, None))
	493
	494	# Initialize the new context with the new identity
[3bf0b3c]	495	self.context = ABAC.Context()
[09b1e9d]	496	if self.me:
	497	self.context.load_id_file(self.me)
[3bf0b3c]	498	self.context.load_directory("%s/certs" % dir)
[7206e5a]	499	self.save_dir = dir
[3bf0b3c]	500	except EnvironmentError, e:
	501	self.lock.release()
	502	raise e
	503	except pickle.PickleError, e:
	504	self.lock.release()
	505	raise e
	506	self.lock.release()
	507
[547aa3b]	508	@staticmethod
	509	def encode_credential(c):
	510	return '%s <- %s' % (c.head().string(), c.tail().string())
	511
	512	def get_creds_for_principal(self, fid):
	513	look_for = set(["%s" % fid])
	514	found_attrs = set()
	515	next_look = set()
	516	found = set([])
	517
	518	self.lock.acquire()
	519	while look_for:
	520	for c in self.context.credentials():
	521	tail = c.tail()
	522	# XXX: This needs to be more aggressive for linked stuff
	523	if tail.string() in look_for and c not in found:
	524	found.add(c)
	525	next_look.add(c.head().string())
	526
	527	look_for = next_look
	528	next_look = set()
[c573278]	529	self.lock.release()
[547aa3b]	530
	531	return found
	532
[3bf0b3c]	533	def __str__(self):
	534
	535	self.lock.acquire()
	536	rv = "%s" % self.fedid
[85f5d11]	537	add = join([abac_authorizer.encode_credential(c)
[547aa3b]	538	for c in self.context.credentials()], '\n');
[85f5d11]	539	if add: rv += "\n%s" % add
[3bf0b3c]	540	self.lock.release()
	541	return rv
[5c0d244]	542

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: fedd/federation/authorizer.py @ a7c0bcb

Download in other formats: