Context Navigation

source: fedd/federation/authorizer.py @ e15435c

axis_examplecompt_changesinfo-ops

Last change on this file since e15435c was e83f2f2, checked in by Ted Faber <faber@…>, 14 years ago
Move proofs around. Lots of changes, including fault handling.
Property mode set to `100644`
File size: 15.1 KB

Rev	Line
[3f6bc5f]	1	#/usr/local/bin/python
	2
[5c0d244]	3	from tempfile import mkstemp
	4	from subprocess import call
[3bf0b3c]	5	from threading import Lock
	6
[dee164e]	7	from string import join, hexdigits
[547aa3b]	8
[3f6bc5f]	9	from fedid import fedid
[a31b94d]	10	from remote_service import service_caller
	11	from service_error import service_error
[353db8c]	12	from util import abac_pem_type, abac_split_cert
[e83f2f2]	13	from proof import proof
[3f6bc5f]	14
[3bf0b3c]	15
[5c0d244]	16	import ABAC
	17	import pickle
	18
[a31b94d]	19	import sys
[c573278]	20	import os, os.path
[3bf0b3c]	21	import re
[a31b94d]	22
	23	class authorizer_base:
[3f6bc5f]	24	"""
[a31b94d]	25	Classes based on this one keep track of authorization attributes for the
	26	various modules running. This base class holds some utility functions that
	27	they all potentially use.
[3f6bc5f]	28	"""
[a31b94d]	29
[3f6bc5f]	30	# general error exception for badly formed names.
	31	class bad_name(RuntimeError): pass
[5c0d244]	32	# difficulty creating an attribute
	33	class attribute_error(RuntimeError): pass
[3f6bc5f]	34
	35	@staticmethod
	36	def auth_name(name):
	37	"""
	38	Helper to convert a non-unicode local name to a unicode string. Mixed
	39	representations can needlessly confuse the authorizer.
	40	"""
	41	if isinstance(name, basestring):
	42	if not isinstance(name, unicode): return unicode(name)
	43	else: return name
	44	else: return name
	45
[a31b94d]	46	@staticmethod
	47	def valid_name(name):
[3f6bc5f]	48	"""
	49	Ensure that the given name is valid. A valid name can either be a
	50	triple of strings and fedids representing one of our generalized Emulab
	51	names or a single fedid. Compound names can include wildcards (None)
	52	and must anchor to a fedid at their highest level (unless they're all
	53	None)
	54
	55	This either returns True or throws an exception. More an assertion
	56	than a function.
	57	"""
	58	if isinstance(name, tuple) and len(name) == 3:
	59	for n in name:
	60	if n:
	61	if not (isinstance(n, basestring) or isinstance(n, fedid)):
[a31b94d]	62	raise authorizer_base.bad_name(
	63	"names must be either a triple or a fedid")
[3f6bc5f]	64	for n in name:
	65	if n:
	66	if isinstance(n, fedid):
	67	return True
	68	else:
[a31b94d]	69	raise authorizer_base.bad_name(
	70	"Compound names must be " + \
[3f6bc5f]	71	"rooted in fedids: %s" % str(name))
	72
	73	return True
	74	elif isinstance(name, fedid):
	75	return True
	76	else:
[a31b94d]	77	raise authorizer_base.bad_name(
	78	"Names must be a triple or a fedid (%s)" % name)
	79
	80
	81	class authorizer(authorizer_base):
	82	"""
	83	This class keeps track of authorization attributes for the various modules
	84	running. When it gets smarter it will be the basis for a real
	85	attribute-based authentication system.
	86	"""
	87	def __init__(self, def_attr="testbed"):
	88	self.attrs = { }
	89	self.globals=set()
[3f6bc5f]	90
	91	def set_attribute(self, name, attr):
	92	"""
	93	Attach attr to name. Multiple attrs can be attached.
	94	"""
	95	self.valid_name(name)
	96	if isinstance(name, tuple):
	97	aname = tuple([ self.auth_name(n) for n in name])
	98	else:
	99	aname = self.auth_name(name)
	100
	101	if not self.attrs.has_key(aname):
	102	self.attrs[aname] = set()
	103	self.attrs[aname].add(attr)
	104
	105	def unset_attribute(self, name, attr):
	106	"""
	107	Remove an attribute from name
	108	"""
	109	self.valid_name(name)
	110	if isinstance(name, tuple):
	111	aname = tuple([ self.auth_name(n) for n in name])
	112	else:
	113	aname = self.auth_name(name)
	114
	115	attrs = self.attrs.get(aname, None)
	116	if attrs: attrs.discard(attr)
	117
[e83f2f2]	118	def check_attribute(self, name, attr, with_proof=False):
[3f6bc5f]	119	"""
[05191a6]	120	Return True if name has attr (or if attr is global). Tuple names match
	121	any tuple name that matches all names present and has None entries in
	122	other fileds. For tuple names True implies that there is a matching
	123	tuple name with the attribute.
[3f6bc5f]	124	"""
	125	def tup(tup, i, p):
	126	mask = 1 << i
	127	if p & mask : return authorizer.auth_name(tup[i])
	128	else: return None
	129
	130	self.valid_name(name)
[05191a6]	131	if attr in self.globals:
[e83f2f2]	132	if with_proof: return True, proof("me", name, attr)
	133	else: return True
[3f6bc5f]	134
	135	if isinstance(name, tuple):
	136	for p in range(0,8):
	137	lookup = ( tup(name, 0, p), tup(name,1, p), tup(name,2,p))
	138	if self.attrs.has_key(lookup):
	139	if attr in self.attrs[lookup]:
[e83f2f2]	140	if with_proof: return True, proof("me", name, attr)
	141	else: return True
	142	# Drop through
	143	if with_proof: return False, proof("me", name, attr)
	144	else: return False
[3f6bc5f]	145	else:
[e83f2f2]	146	if with_proof:
	147	return attr in self.attrs.get(self.auth_name(name), set()), \
	148	proof("me", name, attr)
	149	else:
	150	return attr in self.attrs.get(self.auth_name(name), set())
[3f6bc5f]	151
[05191a6]	152	def set_global_attribute(self, attr):
	153	"""
	154	Set a global attribute. All names, even those otherwise unknown to the
	155	authorizer have this attribute.
	156	"""
	157	self.globals.add(attr)
	158
	159	def unset_global_attribute(self, attr):
	160	"""
	161	Remove a global attribute
	162	"""
	163
	164	self.globals.discard(attr)
[3f6bc5f]	165
[7206e5a]	166	def import_credentials(self, file_list=None, data_list=None):
	167	return False
	168
[358e0b8]	169	def __str__(self):
	170	rv = ""
	171	rv += "attrs %s\n" % self.attrs
	172	rv += "globals %s" % self.globals
	173	return rv
	174
[5c0d244]	175	def clone(self):
	176	rv = authorizer()
	177	rv.attrs = self.attrs.copy()
	178	rv.globals = self.globals.copy()
	179	return rv
	180
[822d31b]	181	def save(self, fn=None):
	182	if fn:
	183	f = open(fn, "w")
	184	pickle.dump(self, f)
	185	f.close()
	186
	187	def load(self, fn=None):
	188	if fn:
	189	f = open(fn, "r")
	190	a = pickle.load(f)
	191	f.close()
	192	self.attrs = a.attrs
	193	self.globals = a.globals
[5c0d244]	194
	195
[a31b94d]	196	class abac_authorizer(authorizer_base):
	197	"""
	198	Use the ABAC authorization system to make attribute decisions.
	199	"""
	200
[7206e5a]	201	clean_attr_re = re.compile('[^A-Za-z0-9_]+')
[27d964d]	202	cred_file_re = re.compile('.*\.der$')
[09b1e9d]	203	bad_name = authorizer_base.bad_name
	204	attribute_error = authorizer_base.attribute_error
[6e63513]	205	class no_file_error(RuntimeError): pass
	206	class bad_cert_error(RuntimeError): pass
[27d964d]	207
[353db8c]	208	def __init__(self, certs=None, me=None, key=None, load=None, save=None):
[5c0d244]	209	self.creddy = '/usr/local/bin/creddy'
[2628e5d]	210	self.globals = set()
	211	self.lock = Lock()
[a31b94d]	212	self.me = me
[353db8c]	213	self.save_dir = load or save
[c573278]	214	if self.save_dir:
	215	self.save_dir = os.path.abspath(self.save_dir)
[353db8c]	216	# If the me parameter is a combination certificate, split it into the
	217	# abac_authorizer save directory (if any) for use with creddy.
[6e63513]	218	if self.me is not None and abac_pem_type(self.me) == 'both':
[353db8c]	219	if self.save_dir:
[e65150a]	220	keyfile="%s/key.pem" % self.save_dir
	221	certfile = "%s/cert.pem" % self.save_dir
	222
	223	# Clear a spot for the new key and cert files.
	224	for fn in (keyfile, certfile):
	225	if os.access(fn, os.F_OK):
	226	os.unlink(fn)
	227
	228	self.key, self.me = abac_split_cert(self.me, keyfile, certfile)
[353db8c]	229	else:
[6e63513]	230	raise abac_authorizer.bad_cert_error("Combination " + \
	231	"certificate and nowhere to split it");
[353db8c]	232	else:
	233	self.key = key
[5c0d244]	234	self.context = ABAC.Context()
[3bf0b3c]	235	if me:
	236	self.fedid = fedid(file=self.me)
[547aa3b]	237	rv = self.context.load_id_file(self.me)
	238	if rv != 0:
	239	raise abac_authorizer.bad_name(
[8cf2c507]	240	'Cannot load identity from %s' % me)
[09b1e9d]	241	else:
	242	self.fedid = None
[3bf0b3c]	243
[2628e5d]	244	if isinstance(certs, basestring):
	245	certs = [ certs ]
	246
[5c0d244]	247	for dir in certs or []:
	248	self.context.load_directory(dir)
	249
[7206e5a]	250	if load:
	251	self.load(load)
[2628e5d]	252
[8cf2c507]	253	# Modify the pickling operations so that the context and lock are not
	254	# pickled
	255
	256	def __getstate__(self):
	257	d = self.__dict__.copy()
	258	del d['lock']
	259	del d['context']
	260	return d
	261
	262	def __setstate__(self, d):
	263	# Import everything from the pickle dict (except what we excluded in
	264	# __getstate__)
	265	self.__dict__.update(d)
	266	# Initialize the unpicklables
	267	self.context = ABAC.Context()
	268	self.lock = Lock()
	269
[27d964d]	270	@staticmethod
	271	def clean_attr(attr):
	272	return abac_authorizer.clean_attr_re.sub('_', attr)
	273
[dee164e]	274
[7206e5a]	275	def import_credentials(self, file_list=None, data_list=None):
	276	if data_list:
	277	return any([self.import_credential(data=d) for d in data_list])
	278	elif file_list:
	279	return any([self.import_credential(file=f) for f in file_list])
	280	else:
	281	return False
	282
	283	def import_credential(self, file=None, data=None):
	284	if data:
[725c55d]	285	if self.context.load_id_chunk(data) != ABAC.ABAC_CERT_SUCCESS:
	286	return self.context.load_attribute_chunk(data) == \
	287	ABAC.ABAC_CERT_SUCCESS
	288	else:
	289	return True
[7206e5a]	290	elif file:
	291	if self.context.load_id_file(file) != ABAC.ABAC_CERT_SUCCESS:
	292	return self.context.load_attribute_file(file) == \
	293	ABAC.ABAC_CERT_SUCCESS
	294	else:
	295	return True
	296	else:
	297	return False
	298
[5c0d244]	299	def set_attribute(self, name=None, attr=None, cert=None):
	300	if name and attr:
	301	if isinstance(name, tuple):
[09b1e9d]	302	raise abac_authorizer.bad_name(
	303	"ABAC doesn't understand three-names")
[7206e5a]	304	# Convert non-string attributes to strings
	305	if not isinstance(attr, basestring):
	306	attr = "%s" % attr
[dee164e]	307
[5c0d244]	308	if self.me and self.key:
	309	# Create a credential and insert it into context
	310	# This will simplify when we have libcreddy
	311	try:
	312	# create temp file
	313	f, fn = mkstemp()
[3bf0b3c]	314	os.close(f)
[5c0d244]	315	except EnvironmentError, e:
[09b1e9d]	316	raise abac_authorizer.attribute_error(
[5c0d244]	317	"Cannot create temp file: %s" %e)
	318
	319	# Create the attribute certificate with creddy
[3bf0b3c]	320	cmd = [self.creddy, '--attribute', '--issuer=%s' % self.me,
[27d964d]	321	'--key=%s' % self.key, '--role=%s' % self.clean_attr(attr),
[3bf0b3c]	322	'--subject-id=%s' % name, '--out=%s' % fn]
	323	rv = call(cmd)
[5c0d244]	324	if rv == 0:
[3bf0b3c]	325	self.lock.acquire()
[5c0d244]	326	# load it to context and remove the file
[3bf0b3c]	327	rv = self.context.load_attribute_file(fn)
	328	self.lock.release()
[5c0d244]	329	os.unlink(fn)
	330	else:
	331	os.unlink(fn)
[09b1e9d]	332	raise abac_authorizer.attribute_error(
	333	"creddy returned %s" % rv)
[a31b94d]	334	else:
[09b1e9d]	335	raise abac_authorizer.attribute_error(
[5c0d244]	336	"Identity and key not specified on creation")
	337	elif cert:
	338	# Insert this credential into the context
[3bf0b3c]	339	self.lock.acquire()
[5c0d244]	340	self.context.load_attribute_chunk(cert)
[3bf0b3c]	341	self.lock.release()
[a31b94d]	342	else:
[09b1e9d]	343	raise abac_authorizer.attribute_error(
	344	"Neither name/attr nor cert is set")
[a31b94d]	345
[1fc09db]	346	def unset_attribute(self, name, attr):
	347	if isinstance(name, tuple):
[09b1e9d]	348	raise abac_authorizer.bad_name(
	349	"ABAC doesn't understand three-names")
[7206e5a]	350	# Convert non-string attributes to strings
	351	if not isinstance(attr, basestring):
	352	attr = "%s" % attr
[27d964d]	353	cattr = self.clean_attr(attr)
[1fc09db]	354	self.lock.acquire()
	355	ctxt = ABAC.Context()
	356	ids = set()
	357	for c in self.context.credentials():
	358	h = c.head()
	359	t = c.tail()
	360	if h.is_role() and t.is_principal():
	361	if t.principal() == '%s' % name and \
	362	h.principal() == '%s' % self.fedid and \
[27d964d]	363	h.role_name() == cattr:
[1fc09db]	364	continue
	365
	366	id = c.issuer_cert()
	367	if id not in ids:
	368	ctxt.load_id_chunk(id)
	369	ids.add(id)
	370	ctxt.load_attribute_chunk(c.attribute_cert())
	371	self.context = ctxt
	372	self.lock.release()
	373
[dee164e]	374	@staticmethod
	375	def starts_with_fedid(attr):
	376	"""
	377	Return true if the first 40 characters of the string are hex digits
	378	followed by a dot. False otherwise. Used in check_attribute.
	379	"""
	380	if attr.find('.') == 40:
	381	return all([ x in hexdigits for x in attr[0:40]])
	382	else:
	383	return False
	384
[1fc09db]	385
[e83f2f2]	386	def check_attribute(self, name, attr, with_proof=False):
[a31b94d]	387	if isinstance(name, tuple):
[09b1e9d]	388	raise abac_authorizer.bad_name(
	389	"ABAC doesn't understand three-names")
[5c0d244]	390	else:
[7206e5a]	391	# Convert non-string attributes to strings
	392	if not isinstance(attr, basestring):
	393	attr = "%s" % attr
[dee164e]	394	# Attributes that start with a fedid only have the part of the
	395	# attribute after the dot cleaned. Others are completely cleaned
	396	# and have the owner fedid attached.
	397	if self.starts_with_fedid(attr):
[27d964d]	398	r, a = attr.split('.',1)
[25f66c3]	399	a = "%s.%s" % ( r, self.clean_attr(a))
[dee164e]	400	else:
	401	a = "%s.%s" % (self.fedid, self.clean_attr(attr))
	402
	403	a = str(a)
	404	n = str("%s" % name)
[3bf0b3c]	405
	406	self.lock.acquire()
[dee164e]	407	# Sigh. Unicode vs swig and swig seems to lose. Make sure
	408	# everything we pass into ABAC is a str not a unicode.
[e83f2f2]	409	rv, p = self.context.query(a, n)
[5c0d244]	410	# XXX delete soon
[e83f2f2]	411	if not rv and attr in self.globals:
	412	rv = True
	413	p = None
[3bf0b3c]	414	self.lock.release()
[e83f2f2]	415	if with_proof: return rv, proof(self.fedid, name, a, p)
	416	else: return rv
[a31b94d]	417
	418	def set_global_attribute(self, attr):
	419	"""
	420	Set a global attribute. All names, even those otherwise unknown to the
	421	authorizer have this attribute.
	422	"""
[3bf0b3c]	423	self.lock.acquire()
[27d964d]	424	self.globals.add(self.clean_attr(attr))
[3bf0b3c]	425	self.lock.release()
[a31b94d]	426
	427	def unset_global_attribute(self, attr):
	428	"""
	429	Remove a global attribute
	430	"""
	431
[3bf0b3c]	432	self.lock.acquire()
[27d964d]	433	self.globals.discard(self.clean_attr(attr))
[3bf0b3c]	434	self.lock.release()
[a31b94d]	435
[5c0d244]	436	def clone(self):
[3bf0b3c]	437	self.lock.acquire()
[5c0d244]	438	rv = abac_authorizer(me=self.me, key=self.key)
	439	rv.globals = self.globals.copy()
	440	rv.context = ABAC.Context(self.context)
[3bf0b3c]	441	self.lock.release()
[5c0d244]	442	return rv
	443
[7206e5a]	444	def save(self, dir=None):
[3bf0b3c]	445	self.lock.acquire()
[7206e5a]	446	if dir:
[c573278]	447	self.save_dir = os.path.abspath(dir)
[7206e5a]	448	else:
	449	dir = self.save_dir
	450	if dir is None:
	451	self.lock.release()
	452	raise abac_authorizer.no_file_error("No load directory specified")
[3bf0b3c]	453	try:
	454	if not os.access(dir, os.F_OK):
	455	os.mkdir(dir)
[09b1e9d]	456
	457	f = open("%s/state" % dir, "w")
	458	pickle.dump(self, f)
[5c0d244]	459	f.close()
[3bf0b3c]	460
	461	if not os.access("%s/certs" %dir, os.F_OK):
	462	os.mkdir("%s/certs" % dir)
[09b1e9d]	463
[8cf2c507]	464	# Clear the certs subdir
[3bf0b3c]	465	for fn in [ f for f in os.listdir("%s/certs" % dir) \
[27d964d]	466	if abac_authorizer.cred_file_re.match(f)]:
[3bf0b3c]	467	os.unlink('%s/certs/%s' % (dir, fn))
[8cf2c507]	468
	469	# Save the context
[3bf0b3c]	470	ii = 0
	471	ai = 0
[8cf2c507]	472	seenid = set()
	473	seenattr = set()
[3bf0b3c]	474	for c in self.context.credentials():
	475	id = c.issuer_cert()
	476	attr = c.attribute_cert()
	477	# NB: file naming conventions matter here. The trailing_ID and
	478	# _attr are required by ABAC.COntext.load_directory()
[7206e5a]	479	if id and id not in seenid:
[3bf0b3c]	480	f = open("%s/certs/ID_%03d_ID.der" % (dir, ii), "w")
[7206e5a]	481	f.write(id)
[3bf0b3c]	482	f.close()
	483	ii += 1
[7206e5a]	484	seenid.add(id)
	485	if attr and attr not in seenattr:
[3bf0b3c]	486	f = open("%s/certs/attr_%03d_attr.der" % (dir, ai), "w")
[7206e5a]	487	f.write(attr)
[3bf0b3c]	488	f.close()
	489	ai += 1
[7206e5a]	490	seenattr.add(attr)
[3bf0b3c]	491	except EnvironmentError, e:
[8cf2c507]	492	self.lock.release()
[3bf0b3c]	493	raise e
	494	except pickle.PickleError, e:
[8cf2c507]	495	self.lock.release()
[3bf0b3c]	496	raise e
	497	self.lock.release()
[5c0d244]	498
[7206e5a]	499	def load(self, dir=None):
[3bf0b3c]	500	self.lock.acquire()
[7206e5a]	501	if dir:
	502	self.save_dir = dir
	503	else:
	504	dir = self.save_dir
	505	if dir is None:
	506	self.lock.release()
	507	raise abac_authorizer.no_file_error("No load directory specified")
[3bf0b3c]	508	try:
[09b1e9d]	509	if os.access("%s/state" % dir, os.R_OK):
	510	f = open("%s/state" % dir, "r")
	511	st = pickle.load(f)
[3bf0b3c]	512	f.close()
[353db8c]	513	# Copy the useful attributes from the pickled state
[09b1e9d]	514	for a in ('globals', 'key', 'me', 'cert', 'fedid'):
	515	setattr(self, a, getattr(st, a, None))
	516
	517	# Initialize the new context with the new identity
[3bf0b3c]	518	self.context = ABAC.Context()
[09b1e9d]	519	if self.me:
	520	self.context.load_id_file(self.me)
[3bf0b3c]	521	self.context.load_directory("%s/certs" % dir)
[7206e5a]	522	self.save_dir = dir
[3bf0b3c]	523	except EnvironmentError, e:
	524	self.lock.release()
	525	raise e
	526	except pickle.PickleError, e:
	527	self.lock.release()
	528	raise e
	529	self.lock.release()
	530
[547aa3b]	531	@staticmethod
	532	def encode_credential(c):
	533	return '%s <- %s' % (c.head().string(), c.tail().string())
	534
	535	def get_creds_for_principal(self, fid):
	536	look_for = set(["%s" % fid])
	537	found_attrs = set()
	538	next_look = set()
	539	found = set([])
	540
	541	self.lock.acquire()
	542	while look_for:
	543	for c in self.context.credentials():
	544	tail = c.tail()
	545	# XXX: This needs to be more aggressive for linked stuff
	546	if tail.string() in look_for and c not in found:
	547	found.add(c)
	548	next_look.add(c.head().string())
	549
	550	look_for = next_look
	551	next_look = set()
[c573278]	552	self.lock.release()
[547aa3b]	553
	554	return found
	555
[3bf0b3c]	556	def __str__(self):
	557
	558	self.lock.acquire()
	559	rv = "%s" % self.fedid
[85f5d11]	560	add = join([abac_authorizer.encode_credential(c)
[547aa3b]	561	for c in self.context.credentials()], '\n');
[85f5d11]	562	if add: rv += "\n%s" % add
[3bf0b3c]	563	self.lock.release()
	564	return rv
[5c0d244]	565

Note: See TracBrowser for help on using the repository browser.

Download in other formats: