Context Navigation

source: fedd/federation/authorizer.py @ d064566

compt_changes

Last change on this file since d064566 was d064566, checked in by Ted Faber <faber@…>, 12 years ago
Updates, initial checkin
Property mode set to `100644`
File size: 17.9 KB

Rev	Line
[3f6bc5f]	1	#/usr/local/bin/python
	2
[5c0d244]	3	from tempfile import mkstemp
	4	from subprocess import call
[3bf0b3c]	5	from threading import Lock
	6
[dee164e]	7	from string import join, hexdigits
[547aa3b]	8
[6bedbdba]	9	from deter import fedid
[a31b94d]	10	from remote_service import service_caller
	11	from service_error import service_error
[353db8c]	12	from util import abac_pem_type, abac_split_cert
[e83f2f2]	13	from proof import proof
[3f6bc5f]	14
[3bf0b3c]	15
[5c0d244]	16	import ABAC
[cbe0570]	17	import Creddy
[5c0d244]	18	import pickle
	19
[a31b94d]	20	import sys
[c573278]	21	import os, os.path
[3bf0b3c]	22	import re
[d064566]	23	import fcntl
[a31b94d]	24
	25	class authorizer_base:
[3f6bc5f]	26	"""
[a31b94d]	27	Classes based on this one keep track of authorization attributes for the
	28	various modules running. This base class holds some utility functions that
	29	they all potentially use.
[3f6bc5f]	30	"""
[a31b94d]	31
[3f6bc5f]	32	# general error exception for badly formed names.
	33	class bad_name(RuntimeError): pass
[5c0d244]	34	# difficulty creating an attribute
	35	class attribute_error(RuntimeError): pass
[3f6bc5f]	36
	37	@staticmethod
	38	def auth_name(name):
	39	"""
	40	Helper to convert a non-unicode local name to a unicode string. Mixed
	41	representations can needlessly confuse the authorizer.
	42	"""
	43	if isinstance(name, basestring):
	44	if not isinstance(name, unicode): return unicode(name)
	45	else: return name
	46	else: return name
	47
[a31b94d]	48	@staticmethod
	49	def valid_name(name):
[3f6bc5f]	50	"""
	51	Ensure that the given name is valid. A valid name can either be a
	52	triple of strings and fedids representing one of our generalized Emulab
	53	names or a single fedid. Compound names can include wildcards (None)
	54	and must anchor to a fedid at their highest level (unless they're all
	55	None)
	56
	57	This either returns True or throws an exception. More an assertion
	58	than a function.
	59	"""
	60	if isinstance(name, tuple) and len(name) == 3:
	61	for n in name:
	62	if n:
	63	if not (isinstance(n, basestring) or isinstance(n, fedid)):
[a31b94d]	64	raise authorizer_base.bad_name(
	65	"names must be either a triple or a fedid")
[3f6bc5f]	66	for n in name:
	67	if n:
	68	if isinstance(n, fedid):
	69	return True
	70	else:
[a31b94d]	71	raise authorizer_base.bad_name(
	72	"Compound names must be " + \
[3f6bc5f]	73	"rooted in fedids: %s" % str(name))
	74
	75	return True
	76	elif isinstance(name, fedid):
	77	return True
	78	else:
[a31b94d]	79	raise authorizer_base.bad_name(
	80	"Names must be a triple or a fedid (%s)" % name)
	81
	82
	83	class authorizer(authorizer_base):
	84	"""
	85	This class keeps track of authorization attributes for the various modules
	86	running. When it gets smarter it will be the basis for a real
	87	attribute-based authentication system.
	88	"""
	89	def __init__(self, def_attr="testbed"):
	90	self.attrs = { }
	91	self.globals=set()
[3f6bc5f]	92
	93	def set_attribute(self, name, attr):
	94	"""
	95	Attach attr to name. Multiple attrs can be attached.
	96	"""
	97	self.valid_name(name)
	98	if isinstance(name, tuple):
	99	aname = tuple([ self.auth_name(n) for n in name])
	100	else:
	101	aname = self.auth_name(name)
	102
	103	if not self.attrs.has_key(aname):
	104	self.attrs[aname] = set()
	105	self.attrs[aname].add(attr)
	106
	107	def unset_attribute(self, name, attr):
	108	"""
	109	Remove an attribute from name
	110	"""
	111	self.valid_name(name)
	112	if isinstance(name, tuple):
	113	aname = tuple([ self.auth_name(n) for n in name])
	114	else:
	115	aname = self.auth_name(name)
	116
	117	attrs = self.attrs.get(aname, None)
	118	if attrs: attrs.discard(attr)
	119
[e83f2f2]	120	def check_attribute(self, name, attr, with_proof=False):
[3f6bc5f]	121	"""
[05191a6]	122	Return True if name has attr (or if attr is global). Tuple names match
	123	any tuple name that matches all names present and has None entries in
	124	other fileds. For tuple names True implies that there is a matching
	125	tuple name with the attribute.
[3f6bc5f]	126	"""
	127	def tup(tup, i, p):
	128	mask = 1 << i
	129	if p & mask : return authorizer.auth_name(tup[i])
	130	else: return None
	131
	132	self.valid_name(name)
[05191a6]	133	if attr in self.globals:
[e83f2f2]	134	if with_proof: return True, proof("me", name, attr)
	135	else: return True
[3f6bc5f]	136
	137	if isinstance(name, tuple):
	138	for p in range(0,8):
	139	lookup = ( tup(name, 0, p), tup(name,1, p), tup(name,2,p))
	140	if self.attrs.has_key(lookup):
	141	if attr in self.attrs[lookup]:
[e83f2f2]	142	if with_proof: return True, proof("me", name, attr)
	143	else: return True
	144	# Drop through
	145	if with_proof: return False, proof("me", name, attr)
	146	else: return False
[3f6bc5f]	147	else:
[e83f2f2]	148	if with_proof:
	149	return attr in self.attrs.get(self.auth_name(name), set()), \
	150	proof("me", name, attr)
	151	else:
	152	return attr in self.attrs.get(self.auth_name(name), set())
[3f6bc5f]	153
[05191a6]	154	def set_global_attribute(self, attr):
	155	"""
	156	Set a global attribute. All names, even those otherwise unknown to the
	157	authorizer have this attribute.
	158	"""
	159	self.globals.add(attr)
	160
	161	def unset_global_attribute(self, attr):
	162	"""
	163	Remove a global attribute
	164	"""
	165
	166	self.globals.discard(attr)
[3f6bc5f]	167
[7206e5a]	168	def import_credentials(self, file_list=None, data_list=None):
	169	return False
	170
[358e0b8]	171	def __str__(self):
	172	rv = ""
	173	rv += "attrs %s\n" % self.attrs
	174	rv += "globals %s" % self.globals
	175	return rv
	176
[5c0d244]	177	def clone(self):
	178	rv = authorizer()
	179	rv.attrs = self.attrs.copy()
	180	rv.globals = self.globals.copy()
	181	return rv
	182
[822d31b]	183	def save(self, fn=None):
	184	if fn:
	185	f = open(fn, "w")
	186	pickle.dump(self, f)
	187	f.close()
	188
	189	def load(self, fn=None):
	190	if fn:
	191	f = open(fn, "r")
	192	a = pickle.load(f)
	193	f.close()
	194	self.attrs = a.attrs
	195	self.globals = a.globals
[5c0d244]	196
	197
[a31b94d]	198	class abac_authorizer(authorizer_base):
	199	"""
	200	Use the ABAC authorization system to make attribute decisions.
	201	"""
	202
[7206e5a]	203	clean_attr_re = re.compile('[^A-Za-z0-9_]+')
[5097195]	204	clean_prefix_attr_re = re.compile('^_+')
[27d964d]	205	cred_file_re = re.compile('.*\.der$')
[09b1e9d]	206	bad_name = authorizer_base.bad_name
	207	attribute_error = authorizer_base.attribute_error
[6e63513]	208	class no_file_error(RuntimeError): pass
	209	class bad_cert_error(RuntimeError): pass
[27d964d]	210
[d064566]	211	def __init__(self, certs=None, me=None, key=None, load=None, save=None,
	212	update=None):
[cbe0570]	213	self.creddy_id = None
[2628e5d]	214	self.globals = set()
	215	self.lock = Lock()
[a31b94d]	216	self.me = me
[353db8c]	217	self.save_dir = load or save
[36f642f]	218	self.local_files = False
[d064566]	219	self.update_dir = os.path.abspath(update)
[c573278]	220	if self.save_dir:
	221	self.save_dir = os.path.abspath(self.save_dir)
[353db8c]	222	# If the me parameter is a combination certificate, split it into the
	223	# abac_authorizer save directory (if any) for use with creddy.
[6e63513]	224	if self.me is not None and abac_pem_type(self.me) == 'both':
[353db8c]	225	if self.save_dir:
[e65150a]	226	keyfile="%s/key.pem" % self.save_dir
	227	certfile = "%s/cert.pem" % self.save_dir
	228
	229	# Clear a spot for the new key and cert files.
	230	for fn in (keyfile, certfile):
	231	if os.access(fn, os.F_OK):
	232	os.unlink(fn)
	233
	234	self.key, self.me = abac_split_cert(self.me, keyfile, certfile)
[36f642f]	235	self.local_files = True
[cbe0570]	236	self.init_libcreddy_id()
[353db8c]	237	else:
[6e63513]	238	raise abac_authorizer.bad_cert_error("Combination " + \
	239	"certificate and nowhere to split it");
[353db8c]	240	else:
	241	self.key = key
[5c0d244]	242	self.context = ABAC.Context()
[3bf0b3c]	243	if me:
	244	self.fedid = fedid(file=self.me)
[547aa3b]	245	rv = self.context.load_id_file(self.me)
	246	if rv != 0:
	247	raise abac_authorizer.bad_name(
[8cf2c507]	248	'Cannot load identity from %s' % me)
[09b1e9d]	249	else:
	250	self.fedid = None
[3bf0b3c]	251
[2628e5d]	252	if isinstance(certs, basestring):
	253	certs = [ certs ]
	254
[5c0d244]	255	for dir in certs or []:
	256	self.context.load_directory(dir)
	257
[7206e5a]	258	if load:
	259	self.load(load)
[2628e5d]	260
[cbe0570]	261	def init_libcreddy_id(self):
	262	self.creddy_id = None
	263	try:
	264	self.creddy_id = Creddy.ID(self.me)
	265	except:
[5f51dc1]	266	raise abac_authorizer.bad_cert_error('Cannot load cert %s' \
[cbe0570]	267	% self.me)
	268
	269	try:
	270	self.creddy_id.load_privkey(self.key)
	271	except:
	272	self.creddy_id = None
	273	raise abac_authorized_bad_cert_error('Cannot load key %s' \
	274	% self.key)
	275
	276
	277
[8cf2c507]	278	# Modify the pickling operations so that the context and lock are not
	279	# pickled
	280
	281	def __getstate__(self):
	282	d = self.__dict__.copy()
	283	del d['lock']
	284	del d['context']
[cbe0570]	285	del d['creddy_id']
[8cf2c507]	286	return d
	287
	288	def __setstate__(self, d):
	289	# Import everything from the pickle dict (except what we excluded in
	290	# __getstate__)
	291	self.__dict__.update(d)
	292	# Initialize the unpicklables
	293	self.context = ABAC.Context()
	294	self.lock = Lock()
	295
[27d964d]	296	@staticmethod
	297	def clean_attr(attr):
[e982b92]	298	'''
	299	Convert anything not in A-Z_ into an _ and make sure that the string
	300	begins with a non-_. Convert to s string to keep swig happy.
	301	'''
[5097195]	302	a = abac_authorizer.clean_attr_re.sub('_', attr)
[e982b92]	303	return str(abac_authorizer.clean_prefix_attr_re.sub('', a))
[27d964d]	304
[dee164e]	305
[7206e5a]	306	def import_credentials(self, file_list=None, data_list=None):
[9be06f0]	307	'''
	308	Import a list of credentials. Be careful about dependencies and only
	309	use one logic loop. if files are given, append them to the list of
	310	chunks and then try to read each chunk as an ID and then the failed
	311	ones as attributes.
	312	'''
	313	if file_list:
	314	if data_list is None: data_list = []
	315	for fn in file_list:
[cf7bc45]	316	# Try to parse file as a Creddy ID, so we can import PEM files
	317	try:
	318	cid = Creddy.ID(fn)
	319	data_list.append(cid.cert_chunk())
	320	continue
	321	except:
	322	# Not an ID
	323	pass
[9be06f0]	324	try:
	325	f = open(fn, 'r')
	326	data_list.append(f.read())
	327	f.close()
	328	except EnvironmentError, e:
	329	# Ignore unreadable files
	330	pass
	331	# Now one way or another data_list is ready
[7206e5a]	332	if data_list:
[860c360]	333	rv = []
[9be06f0]	334	attr_list = [ ]
	335	for d in data_list:
	336	if self.context.load_id_chunk(d) != ABAC.ABAC_CERT_SUCCESS:
	337	attr_list.append(d)
	338	else:
[860c360]	339	rv.append(True)
[9be06f0]	340
	341	for d in attr_list:
	342	v = self.context.load_attribute_chunk(d)
[860c360]	343	rv.append(v == ABAC.ABAC_CERT_SUCCESS)
	344	return all(rv)
[7206e5a]	345	else:
	346	return False
	347
	348	def import_credential(self, file=None, data=None):
	349	if data:
[725c55d]	350	if self.context.load_id_chunk(data) != ABAC.ABAC_CERT_SUCCESS:
	351	return self.context.load_attribute_chunk(data) == \
	352	ABAC.ABAC_CERT_SUCCESS
	353	else:
	354	return True
[7206e5a]	355	elif file:
	356	if self.context.load_id_file(file) != ABAC.ABAC_CERT_SUCCESS:
	357	return self.context.load_attribute_file(file) == \
	358	ABAC.ABAC_CERT_SUCCESS
	359	else:
	360	return True
	361	else:
	362	return False
	363
[5c0d244]	364	def set_attribute(self, name=None, attr=None, cert=None):
	365	if name and attr:
	366	if isinstance(name, tuple):
[09b1e9d]	367	raise abac_authorizer.bad_name(
	368	"ABAC doesn't understand three-names")
[7206e5a]	369	# Convert non-string attributes to strings
	370	if not isinstance(attr, basestring):
	371	attr = "%s" % attr
[dee164e]	372
[cbe0570]	373	if self.creddy_id:
[5c0d244]	374	# Create a credential and insert it into context
	375	# This will simplify when we have libcreddy
	376	try:
[cbe0570]	377	attrcert = Creddy.Attribute(self.creddy_id,
	378	self.clean_attr(attr), 3600 * 24 * 365 * 10)
	379	attrcert.principal("%s" % name)
	380	attrcert.bake()
	381	except:
[e982b92]	382	raise abac_authorizer.bad_cert_error(
[cbe0570]	383	"Cannot create attribute cert")
	384	self.lock.acquire()
	385	# load it to context and remove the file
	386	rv = self.context.load_attribute_chunk(attrcert.cert_chunk())
	387	self.lock.release()
	388	return rv
[a31b94d]	389	else:
[09b1e9d]	390	raise abac_authorizer.attribute_error(
[5c0d244]	391	"Identity and key not specified on creation")
	392	elif cert:
	393	# Insert this credential into the context
[3bf0b3c]	394	self.lock.acquire()
[cbe0570]	395	rv = self.context.load_attribute_chunk(cert)
[3bf0b3c]	396	self.lock.release()
[cbe0570]	397	return rv
[a31b94d]	398	else:
[09b1e9d]	399	raise abac_authorizer.attribute_error(
	400	"Neither name/attr nor cert is set")
[a31b94d]	401
[1fc09db]	402	def unset_attribute(self, name, attr):
	403	if isinstance(name, tuple):
[09b1e9d]	404	raise abac_authorizer.bad_name(
	405	"ABAC doesn't understand three-names")
[7206e5a]	406	# Convert non-string attributes to strings
	407	if not isinstance(attr, basestring):
	408	attr = "%s" % attr
[27d964d]	409	cattr = self.clean_attr(attr)
[1fc09db]	410	self.lock.acquire()
	411	ctxt = ABAC.Context()
	412	ids = set()
	413	for c in self.context.credentials():
	414	h = c.head()
	415	t = c.tail()
	416	if h.is_role() and t.is_principal():
	417	if t.principal() == '%s' % name and \
	418	h.principal() == '%s' % self.fedid and \
[27d964d]	419	h.role_name() == cattr:
[1fc09db]	420	continue
	421
	422	id = c.issuer_cert()
	423	if id not in ids:
	424	ctxt.load_id_chunk(id)
	425	ids.add(id)
	426	ctxt.load_attribute_chunk(c.attribute_cert())
	427	self.context = ctxt
	428	self.lock.release()
	429
[dee164e]	430	@staticmethod
	431	def starts_with_fedid(attr):
	432	"""
	433	Return true if the first 40 characters of the string are hex digits
	434	followed by a dot. False otherwise. Used in check_attribute.
	435	"""
	436	if attr.find('.') == 40:
	437	return all([ x in hexdigits for x in attr[0:40]])
	438	else:
	439	return False
	440
[1fc09db]	441
[e83f2f2]	442	def check_attribute(self, name, attr, with_proof=False):
[a31b94d]	443	if isinstance(name, tuple):
[09b1e9d]	444	raise abac_authorizer.bad_name(
	445	"ABAC doesn't understand three-names")
[5c0d244]	446	else:
[7206e5a]	447	# Convert non-string attributes to strings
	448	if not isinstance(attr, basestring):
	449	attr = "%s" % attr
[dee164e]	450	# Attributes that start with a fedid only have the part of the
	451	# attribute after the dot cleaned. Others are completely cleaned
	452	# and have the owner fedid attached.
	453	if self.starts_with_fedid(attr):
[27d964d]	454	r, a = attr.split('.',1)
[25f66c3]	455	a = "%s.%s" % ( r, self.clean_attr(a))
[dee164e]	456	else:
	457	a = "%s.%s" % (self.fedid, self.clean_attr(attr))
	458
	459	a = str(a)
	460	n = str("%s" % name)
[3bf0b3c]	461
	462	self.lock.acquire()
[dee164e]	463	# Sigh. Unicode vs swig and swig seems to lose. Make sure
	464	# everything we pass into ABAC is a str not a unicode.
[e83f2f2]	465	rv, p = self.context.query(a, n)
[5c0d244]	466	# XXX delete soon
[e83f2f2]	467	if not rv and attr in self.globals:
	468	rv = True
	469	p = None
[3bf0b3c]	470	self.lock.release()
[e83f2f2]	471	if with_proof: return rv, proof(self.fedid, name, a, p)
	472	else: return rv
[a31b94d]	473
	474	def set_global_attribute(self, attr):
	475	"""
	476	Set a global attribute. All names, even those otherwise unknown to the
	477	authorizer have this attribute.
	478	"""
[3bf0b3c]	479	self.lock.acquire()
[27d964d]	480	self.globals.add(self.clean_attr(attr))
[3bf0b3c]	481	self.lock.release()
[a31b94d]	482
	483	def unset_global_attribute(self, attr):
	484	"""
	485	Remove a global attribute
	486	"""
	487
[3bf0b3c]	488	self.lock.acquire()
[27d964d]	489	self.globals.discard(self.clean_attr(attr))
[3bf0b3c]	490	self.lock.release()
[a31b94d]	491
[5c0d244]	492	def clone(self):
[3bf0b3c]	493	self.lock.acquire()
[5c0d244]	494	rv = abac_authorizer(me=self.me, key=self.key)
	495	rv.globals = self.globals.copy()
	496	rv.context = ABAC.Context(self.context)
[3bf0b3c]	497	self.lock.release()
[5c0d244]	498	return rv
	499
[36f642f]	500	def copy_file(self, src, dest, mode=0600):
	501	'''
	502	Copy src to dest with file mode mode. May raise exceptions on file ops
	503	'''
[52131d3]	504	same_file = False
	505	try:
	506	ss = os.stat(src)
	507	ds = os.stat(dest)
	508
	509	if ds.st_ino == ss.st_ino: same_file = True
	510	except EnvironmentError:
	511	pass
[a55f2f9]	512
[52131d3]	513	if not same_file:
[a55f2f9]	514	d = open(dest, 'w')
	515	s = open(src, 'r')
	516	d.write(s.read())
	517	s.close()
	518	d.close()
[36f642f]	519	os.chmod(dest, mode)
	520
	521
	522
[7206e5a]	523	def save(self, dir=None):
[3bf0b3c]	524	self.lock.acquire()
[7206e5a]	525	if dir:
[c573278]	526	self.save_dir = os.path.abspath(dir)
[7206e5a]	527	else:
	528	dir = self.save_dir
	529	if dir is None:
	530	self.lock.release()
	531	raise abac_authorizer.no_file_error("No load directory specified")
[3bf0b3c]	532	try:
	533	if not os.access(dir, os.F_OK):
	534	os.mkdir(dir)
[09b1e9d]	535
[36f642f]	536	# if self.key and self.me were split, copy the split files into the
	537	# new directory.
	538	if self.local_files:
	539	self.copy_file(self.key, '%s/key.pem' % dir)
	540	self.copy_file(self.me, '%s/cert.pem' % dir)
	541	# Point the key and me members to the new locations for
	542	# pickling
	543	hold_key = self.key
	544	hold_me = self.me
	545	self.key = '%s/key.pem' % dir
	546	self.me = '%s/cert.pem' % dir
	547
[09b1e9d]	548	f = open("%s/state" % dir, "w")
	549	pickle.dump(self, f)
[5c0d244]	550	f.close()
[3bf0b3c]	551
[36f642f]	552	if self.local_files:
	553	self.key = hold_key
	554	self.me = hold_me
	555
[3bf0b3c]	556	if not os.access("%s/certs" %dir, os.F_OK):
	557	os.mkdir("%s/certs" % dir)
[09b1e9d]	558
[8cf2c507]	559	# Clear the certs subdir
[3bf0b3c]	560	for fn in [ f for f in os.listdir("%s/certs" % dir) \
[27d964d]	561	if abac_authorizer.cred_file_re.match(f)]:
[3bf0b3c]	562	os.unlink('%s/certs/%s' % (dir, fn))
[8cf2c507]	563
	564	# Save the context
[3bf0b3c]	565	ii = 0
	566	ai = 0
[8cf2c507]	567	seenid = set()
	568	seenattr = set()
[3bf0b3c]	569	for c in self.context.credentials():
	570	id = c.issuer_cert()
	571	attr = c.attribute_cert()
	572	# NB: file naming conventions matter here. The trailing_ID and
	573	# _attr are required by ABAC.COntext.load_directory()
[7206e5a]	574	if id and id not in seenid:
[effd4f6]	575	f = open("%s/certs/ID_%05d_ID.der" % (dir, ii), "w")
[7206e5a]	576	f.write(id)
[3bf0b3c]	577	f.close()
	578	ii += 1
[7206e5a]	579	seenid.add(id)
	580	if attr and attr not in seenattr:
[effd4f6]	581	f = open("%s/certs/attr_%05d_attr.der" % (dir, ai), "w")
[7206e5a]	582	f.write(attr)
[3bf0b3c]	583	f.close()
	584	ai += 1
[7206e5a]	585	seenattr.add(attr)
[3bf0b3c]	586	except EnvironmentError, e:
[8cf2c507]	587	self.lock.release()
[3bf0b3c]	588	raise e
	589	except pickle.PickleError, e:
[8cf2c507]	590	self.lock.release()
[3bf0b3c]	591	raise e
	592	self.lock.release()
[5c0d244]	593
[7206e5a]	594	def load(self, dir=None):
[3bf0b3c]	595	self.lock.acquire()
[7206e5a]	596	if dir:
	597	self.save_dir = dir
	598	else:
	599	dir = self.save_dir
	600	if dir is None:
	601	self.lock.release()
	602	raise abac_authorizer.no_file_error("No load directory specified")
[3bf0b3c]	603	try:
[09b1e9d]	604	if os.access("%s/state" % dir, os.R_OK):
	605	f = open("%s/state" % dir, "r")
	606	st = pickle.load(f)
[3bf0b3c]	607	f.close()
[353db8c]	608	# Copy the useful attributes from the pickled state
[09b1e9d]	609	for a in ('globals', 'key', 'me', 'cert', 'fedid'):
	610	setattr(self, a, getattr(st, a, None))
	611
	612	# Initialize the new context with the new identity
[3bf0b3c]	613	self.context = ABAC.Context()
[09b1e9d]	614	if self.me:
	615	self.context.load_id_file(self.me)
[cbe0570]	616	if self.key:
	617	self.init_libcreddy_id()
[3bf0b3c]	618	self.context.load_directory("%s/certs" % dir)
[7206e5a]	619	self.save_dir = dir
[3bf0b3c]	620	except EnvironmentError, e:
	621	self.lock.release()
	622	raise e
	623	except pickle.PickleError, e:
	624	self.lock.release()
	625	raise e
	626	self.lock.release()
	627
[547aa3b]	628	@staticmethod
	629	def encode_credential(c):
	630	return '%s <- %s' % (c.head().string(), c.tail().string())
	631
	632	def get_creds_for_principal(self, fid):
	633	look_for = set(["%s" % fid])
	634	found_attrs = set()
	635	next_look = set()
	636	found = set([])
	637
	638	self.lock.acquire()
	639	while look_for:
	640	for c in self.context.credentials():
	641	tail = c.tail()
	642	# XXX: This needs to be more aggressive for linked stuff
	643	if tail.string() in look_for and c not in found:
	644	found.add(c)
	645	next_look.add(c.head().string())
	646
	647	look_for = next_look
	648	next_look = set()
[c573278]	649	self.lock.release()
[547aa3b]	650
	651	return found
	652
[d064566]	653	def update(self):
	654	rv = False
	655	if update_dir is None: return True
	656	lf = None
	657	files = []
	658	try:
	659	lf = open('%s/lock' % self.update_dir, 'r')
	660	except EnvironmentError, e:
	661	return rv
	662	try:
	663	fcntl.flock(lf, fcntl.LOCK_EX)
	664	files = os.listdir(update_dir)
	665	rv = self.import_credentials(file_list=files)
	666	try:
	667	for fn in files:
	668	os.remove(fn)
	669	except EnvironmentError, e:
	670	# failure to clear the update directory is no biggie
	671	pass
	672	rv = True
	673	finally:
	674	fcntl.flock(fl, fcntl.LOCK_UN)
	675	return rv
	676
	677
	678
	679
[3bf0b3c]	680	def __str__(self):
	681
	682	self.lock.acquire()
	683	rv = "%s" % self.fedid
[85f5d11]	684	add = join([abac_authorizer.encode_credential(c)
[547aa3b]	685	for c in self.context.credentials()], '\n');
[85f5d11]	686	if add: rv += "\n%s" % add
[3bf0b3c]	687	self.lock.release()
	688	return rv
[5c0d244]	689

Note: See TracBrowser for help on using the repository browser.

Download in other formats: