Context Navigation

source: fedd/federation/authorizer.py @ 9be06f0

compt_changes

Last change on this file since 9be06f0 was 9be06f0, checked in by Ted Faber <faber@…>, 12 years ago
Be more principled about loading credentials
Property mode set to `100644`
File size: 17.1 KB

Line
1	#/usr/local/bin/python
2
3	from tempfile import mkstemp
4	from subprocess import call
5	from threading import Lock
6
7	from string import join, hexdigits
8
9	from deter import fedid
10	from remote_service import service_caller
11	from service_error import service_error
12	from util import abac_pem_type, abac_split_cert
13	from proof import proof
14
15
16	import ABAC
17	import Creddy
18	import pickle
19
20	import sys
21	import os, os.path
22	import re
23
24	class authorizer_base:
25	"""
26	Classes based on this one keep track of authorization attributes for the
27	various modules running. This base class holds some utility functions that
28	they all potentially use.
29	"""
30
31	# general error exception for badly formed names.
32	class bad_name(RuntimeError): pass
33	# difficulty creating an attribute
34	class attribute_error(RuntimeError): pass
35
36	@staticmethod
37	def auth_name(name):
38	"""
39	Helper to convert a non-unicode local name to a unicode string. Mixed
40	representations can needlessly confuse the authorizer.
41	"""
42	if isinstance(name, basestring):
43	if not isinstance(name, unicode): return unicode(name)
44	else: return name
45	else: return name
46
47	@staticmethod
48	def valid_name(name):
49	"""
50	Ensure that the given name is valid. A valid name can either be a
51	triple of strings and fedids representing one of our generalized Emulab
52	names or a single fedid. Compound names can include wildcards (None)
53	and must anchor to a fedid at their highest level (unless they're all
54	None)
55
56	This either returns True or throws an exception. More an assertion
57	than a function.
58	"""
59	if isinstance(name, tuple) and len(name) == 3:
60	for n in name:
61	if n:
62	if not (isinstance(n, basestring) or isinstance(n, fedid)):
63	raise authorizer_base.bad_name(
64	"names must be either a triple or a fedid")
65	for n in name:
66	if n:
67	if isinstance(n, fedid):
68	return True
69	else:
70	raise authorizer_base.bad_name(
71	"Compound names must be " + \
72	"rooted in fedids: %s" % str(name))
73
74	return True
75	elif isinstance(name, fedid):
76	return True
77	else:
78	raise authorizer_base.bad_name(
79	"Names must be a triple or a fedid (%s)" % name)
80
81
82	class authorizer(authorizer_base):
83	"""
84	This class keeps track of authorization attributes for the various modules
85	running. When it gets smarter it will be the basis for a real
86	attribute-based authentication system.
87	"""
88	def __init__(self, def_attr="testbed"):
89	self.attrs = { }
90	self.globals=set()
91
92	def set_attribute(self, name, attr):
93	"""
94	Attach attr to name. Multiple attrs can be attached.
95	"""
96	self.valid_name(name)
97	if isinstance(name, tuple):
98	aname = tuple([ self.auth_name(n) for n in name])
99	else:
100	aname = self.auth_name(name)
101
102	if not self.attrs.has_key(aname):
103	self.attrs[aname] = set()
104	self.attrs[aname].add(attr)
105
106	def unset_attribute(self, name, attr):
107	"""
108	Remove an attribute from name
109	"""
110	self.valid_name(name)
111	if isinstance(name, tuple):
112	aname = tuple([ self.auth_name(n) for n in name])
113	else:
114	aname = self.auth_name(name)
115
116	attrs = self.attrs.get(aname, None)
117	if attrs: attrs.discard(attr)
118
119	def check_attribute(self, name, attr, with_proof=False):
120	"""
121	Return True if name has attr (or if attr is global). Tuple names match
122	any tuple name that matches all names present and has None entries in
123	other fileds. For tuple names True implies that there is a matching
124	tuple name with the attribute.
125	"""
126	def tup(tup, i, p):
127	mask = 1 << i
128	if p & mask : return authorizer.auth_name(tup[i])
129	else: return None
130
131	self.valid_name(name)
132	if attr in self.globals:
133	if with_proof: return True, proof("me", name, attr)
134	else: return True
135
136	if isinstance(name, tuple):
137	for p in range(0,8):
138	lookup = ( tup(name, 0, p), tup(name,1, p), tup(name,2,p))
139	if self.attrs.has_key(lookup):
140	if attr in self.attrs[lookup]:
141	if with_proof: return True, proof("me", name, attr)
142	else: return True
143	# Drop through
144	if with_proof: return False, proof("me", name, attr)
145	else: return False
146	else:
147	if with_proof:
148	return attr in self.attrs.get(self.auth_name(name), set()), \
149	proof("me", name, attr)
150	else:
151	return attr in self.attrs.get(self.auth_name(name), set())
152
153	def set_global_attribute(self, attr):
154	"""
155	Set a global attribute. All names, even those otherwise unknown to the
156	authorizer have this attribute.
157	"""
158	self.globals.add(attr)
159
160	def unset_global_attribute(self, attr):
161	"""
162	Remove a global attribute
163	"""
164
165	self.globals.discard(attr)
166
167	def import_credentials(self, file_list=None, data_list=None):
168	return False
169
170	def __str__(self):
171	rv = ""
172	rv += "attrs %s\n" % self.attrs
173	rv += "globals %s" % self.globals
174	return rv
175
176	def clone(self):
177	rv = authorizer()
178	rv.attrs = self.attrs.copy()
179	rv.globals = self.globals.copy()
180	return rv
181
182	def save(self, fn=None):
183	if fn:
184	f = open(fn, "w")
185	pickle.dump(self, f)
186	f.close()
187
188	def load(self, fn=None):
189	if fn:
190	f = open(fn, "r")
191	a = pickle.load(f)
192	f.close()
193	self.attrs = a.attrs
194	self.globals = a.globals
195
196
197	class abac_authorizer(authorizer_base):
198	"""
199	Use the ABAC authorization system to make attribute decisions.
200	"""
201
202	clean_attr_re = re.compile('[^A-Za-z0-9_]+')
203	clean_prefix_attr_re = re.compile('^_+')
204	cred_file_re = re.compile('.*\.der$')
205	bad_name = authorizer_base.bad_name
206	attribute_error = authorizer_base.attribute_error
207	class no_file_error(RuntimeError): pass
208	class bad_cert_error(RuntimeError): pass
209
210	def __init__(self, certs=None, me=None, key=None, load=None, save=None):
211	self.creddy_id = None
212	self.globals = set()
213	self.lock = Lock()
214	self.me = me
215	self.save_dir = load or save
216	self.local_files = False
217	if self.save_dir:
218	self.save_dir = os.path.abspath(self.save_dir)
219	# If the me parameter is a combination certificate, split it into the
220	# abac_authorizer save directory (if any) for use with creddy.
221	if self.me is not None and abac_pem_type(self.me) == 'both':
222	if self.save_dir:
223	keyfile="%s/key.pem" % self.save_dir
224	certfile = "%s/cert.pem" % self.save_dir
225
226	# Clear a spot for the new key and cert files.
227	for fn in (keyfile, certfile):
228	if os.access(fn, os.F_OK):
229	os.unlink(fn)
230
231	self.key, self.me = abac_split_cert(self.me, keyfile, certfile)
232	self.local_files = True
233	self.init_libcreddy_id()
234	else:
235	raise abac_authorizer.bad_cert_error("Combination " + \
236	"certificate and nowhere to split it");
237	else:
238	self.key = key
239	self.context = ABAC.Context()
240	if me:
241	self.fedid = fedid(file=self.me)
242	rv = self.context.load_id_file(self.me)
243	if rv != 0:
244	raise abac_authorizer.bad_name(
245	'Cannot load identity from %s' % me)
246	else:
247	self.fedid = None
248
249	if isinstance(certs, basestring):
250	certs = [ certs ]
251
252	for dir in certs or []:
253	self.context.load_directory(dir)
254
255	if load:
256	self.load(load)
257
258	def init_libcreddy_id(self):
259	self.creddy_id = None
260	try:
261	self.creddy_id = Creddy.ID(self.me)
262	except:
263	raise abac_authorizer.bad_cert_error('Cannot load cert %s' \
264	% self.me)
265
266	try:
267	self.creddy_id.load_privkey(self.key)
268	except:
269	self.creddy_id = None
270	raise abac_authorized_bad_cert_error('Cannot load key %s' \
271	% self.key)
272
273
274
275	# Modify the pickling operations so that the context and lock are not
276	# pickled
277
278	def __getstate__(self):
279	d = self.__dict__.copy()
280	del d['lock']
281	del d['context']
282	del d['creddy_id']
283	return d
284
285	def __setstate__(self, d):
286	# Import everything from the pickle dict (except what we excluded in
287	# __getstate__)
288	self.__dict__.update(d)
289	# Initialize the unpicklables
290	self.context = ABAC.Context()
291	self.lock = Lock()
292
293	@staticmethod
294	def clean_attr(attr):
295	'''
296	Convert anything not in A-Z_ into an _ and make sure that the string
297	begins with a non-_. Convert to s string to keep swig happy.
298	'''
299	a = abac_authorizer.clean_attr_re.sub('_', attr)
300	return str(abac_authorizer.clean_prefix_attr_re.sub('', a))
301
302
303	def import_credentials(self, file_list=None, data_list=None):
304	'''
305	Import a list of credentials. Be careful about dependencies and only
306	use one logic loop. if files are given, append them to the list of
307	chunks and then try to read each chunk as an ID and then the failed
308	ones as attributes.
309	'''
310	if file_list:
311	if data_list is None: data_list = []
312	for fn in file_list:
313	try:
314	f = open(fn, 'r')
315	data_list.append(f.read())
316	f.close()
317	except EnvironmentError, e:
318	# Ignore unreadable files
319	pass
320	# Now one way or another data_list is ready
321	if data_list:
322	rv = False
323	attr_list = [ ]
324	for d in data_list:
325	if self.context.load_id_chunk(d) != ABAC.ABAC_CERT_SUCCESS:
326	attr_list.append(d)
327	else:
328	rv = True
329
330	for d in attr_list:
331	v = self.context.load_attribute_chunk(d)
332	if v == ABAC.ABAC_CERT_SUCCESS:
333	rv = True
334	return rv
335	else:
336	return False
337
338	def import_credential(self, file=None, data=None):
339	if data:
340	if self.context.load_id_chunk(data) != ABAC.ABAC_CERT_SUCCESS:
341	return self.context.load_attribute_chunk(data) == \
342	ABAC.ABAC_CERT_SUCCESS
343	else:
344	return True
345	elif file:
346	if self.context.load_id_file(file) != ABAC.ABAC_CERT_SUCCESS:
347	return self.context.load_attribute_file(file) == \
348	ABAC.ABAC_CERT_SUCCESS
349	else:
350	return True
351	else:
352	return False
353
354	def set_attribute(self, name=None, attr=None, cert=None):
355	if name and attr:
356	if isinstance(name, tuple):
357	raise abac_authorizer.bad_name(
358	"ABAC doesn't understand three-names")
359	# Convert non-string attributes to strings
360	if not isinstance(attr, basestring):
361	attr = "%s" % attr
362
363	if self.creddy_id:
364	# Create a credential and insert it into context
365	# This will simplify when we have libcreddy
366	try:
367	attrcert = Creddy.Attribute(self.creddy_id,
368	self.clean_attr(attr), 3600 * 24 * 365 * 10)
369	attrcert.principal("%s" % name)
370	attrcert.bake()
371	except:
372	raise abac_authorizer.bad_cert_error(
373	"Cannot create attribute cert")
374	self.lock.acquire()
375	# load it to context and remove the file
376	rv = self.context.load_attribute_chunk(attrcert.cert_chunk())
377	self.lock.release()
378	return rv
379	else:
380	raise abac_authorizer.attribute_error(
381	"Identity and key not specified on creation")
382	elif cert:
383	# Insert this credential into the context
384	self.lock.acquire()
385	rv = self.context.load_attribute_chunk(cert)
386	self.lock.release()
387	return rv
388	else:
389	raise abac_authorizer.attribute_error(
390	"Neither name/attr nor cert is set")
391
392	def unset_attribute(self, name, attr):
393	if isinstance(name, tuple):
394	raise abac_authorizer.bad_name(
395	"ABAC doesn't understand three-names")
396	# Convert non-string attributes to strings
397	if not isinstance(attr, basestring):
398	attr = "%s" % attr
399	cattr = self.clean_attr(attr)
400	self.lock.acquire()
401	ctxt = ABAC.Context()
402	ids = set()
403	for c in self.context.credentials():
404	h = c.head()
405	t = c.tail()
406	if h.is_role() and t.is_principal():
407	if t.principal() == '%s' % name and \
408	h.principal() == '%s' % self.fedid and \
409	h.role_name() == cattr:
410	continue
411
412	id = c.issuer_cert()
413	if id not in ids:
414	ctxt.load_id_chunk(id)
415	ids.add(id)
416	ctxt.load_attribute_chunk(c.attribute_cert())
417	self.context = ctxt
418	self.lock.release()
419
420	@staticmethod
421	def starts_with_fedid(attr):
422	"""
423	Return true if the first 40 characters of the string are hex digits
424	followed by a dot. False otherwise. Used in check_attribute.
425	"""
426	if attr.find('.') == 40:
427	return all([ x in hexdigits for x in attr[0:40]])
428	else:
429	return False
430
431
432	def check_attribute(self, name, attr, with_proof=False):
433	if isinstance(name, tuple):
434	raise abac_authorizer.bad_name(
435	"ABAC doesn't understand three-names")
436	else:
437	# Convert non-string attributes to strings
438	if not isinstance(attr, basestring):
439	attr = "%s" % attr
440	# Attributes that start with a fedid only have the part of the
441	# attribute after the dot cleaned. Others are completely cleaned
442	# and have the owner fedid attached.
443	if self.starts_with_fedid(attr):
444	r, a = attr.split('.',1)
445	a = "%s.%s" % ( r, self.clean_attr(a))
446	else:
447	a = "%s.%s" % (self.fedid, self.clean_attr(attr))
448
449	a = str(a)
450	n = str("%s" % name)
451
452	self.lock.acquire()
453	# Sigh. Unicode vs swig and swig seems to lose. Make sure
454	# everything we pass into ABAC is a str not a unicode.
455	rv, p = self.context.query(a, n)
456	# XXX delete soon
457	if not rv and attr in self.globals:
458	rv = True
459	p = None
460	self.lock.release()
461	if with_proof: return rv, proof(self.fedid, name, a, p)
462	else: return rv
463
464	def set_global_attribute(self, attr):
465	"""
466	Set a global attribute. All names, even those otherwise unknown to the
467	authorizer have this attribute.
468	"""
469	self.lock.acquire()
470	self.globals.add(self.clean_attr(attr))
471	self.lock.release()
472
473	def unset_global_attribute(self, attr):
474	"""
475	Remove a global attribute
476	"""
477
478	self.lock.acquire()
479	self.globals.discard(self.clean_attr(attr))
480	self.lock.release()
481
482	def clone(self):
483	self.lock.acquire()
484	rv = abac_authorizer(me=self.me, key=self.key)
485	rv.globals = self.globals.copy()
486	rv.context = ABAC.Context(self.context)
487	self.lock.release()
488	return rv
489
490	def copy_file(self, src, dest, mode=0600):
491	'''
492	Copy src to dest with file mode mode. May raise exceptions on file ops
493	'''
494	same_file = False
495	try:
496	ss = os.stat(src)
497	ds = os.stat(dest)
498
499	if ds.st_ino == ss.st_ino: same_file = True
500	except EnvironmentError:
501	pass
502
503	if not same_file:
504	d = open(dest, 'w')
505	s = open(src, 'r')
506	d.write(s.read())
507	s.close()
508	d.close()
509	os.chmod(dest, mode)
510
511
512
513	def save(self, dir=None):
514	self.lock.acquire()
515	if dir:
516	self.save_dir = os.path.abspath(dir)
517	else:
518	dir = self.save_dir
519	if dir is None:
520	self.lock.release()
521	raise abac_authorizer.no_file_error("No load directory specified")
522	try:
523	if not os.access(dir, os.F_OK):
524	os.mkdir(dir)
525
526	# if self.key and self.me were split, copy the split files into the
527	# new directory.
528	if self.local_files:
529	self.copy_file(self.key, '%s/key.pem' % dir)
530	self.copy_file(self.me, '%s/cert.pem' % dir)
531	# Point the key and me members to the new locations for
532	# pickling
533	hold_key = self.key
534	hold_me = self.me
535	self.key = '%s/key.pem' % dir
536	self.me = '%s/cert.pem' % dir
537
538	f = open("%s/state" % dir, "w")
539	pickle.dump(self, f)
540	f.close()
541
542	if self.local_files:
543	self.key = hold_key
544	self.me = hold_me
545
546	if not os.access("%s/certs" %dir, os.F_OK):
547	os.mkdir("%s/certs" % dir)
548
549	# Clear the certs subdir
550	for fn in [ f for f in os.listdir("%s/certs" % dir) \
551	if abac_authorizer.cred_file_re.match(f)]:
552	os.unlink('%s/certs/%s' % (dir, fn))
553
554	# Save the context
555	ii = 0
556	ai = 0
557	seenid = set()
558	seenattr = set()
559	for c in self.context.credentials():
560	id = c.issuer_cert()
561	attr = c.attribute_cert()
562	# NB: file naming conventions matter here. The trailing_ID and
563	# _attr are required by ABAC.COntext.load_directory()
564	if id and id not in seenid:
565	f = open("%s/certs/ID_%05d_ID.der" % (dir, ii), "w")
566	f.write(id)
567	f.close()
568	ii += 1
569	seenid.add(id)
570	if attr and attr not in seenattr:
571	f = open("%s/certs/attr_%05d_attr.der" % (dir, ai), "w")
572	f.write(attr)
573	f.close()
574	ai += 1
575	seenattr.add(attr)
576	except EnvironmentError, e:
577	self.lock.release()
578	raise e
579	except pickle.PickleError, e:
580	self.lock.release()
581	raise e
582	self.lock.release()
583
584	def load(self, dir=None):
585	self.lock.acquire()
586	if dir:
587	self.save_dir = dir
588	else:
589	dir = self.save_dir
590	if dir is None:
591	self.lock.release()
592	raise abac_authorizer.no_file_error("No load directory specified")
593	try:
594	if os.access("%s/state" % dir, os.R_OK):
595	f = open("%s/state" % dir, "r")
596	st = pickle.load(f)
597	f.close()
598	# Copy the useful attributes from the pickled state
599	for a in ('globals', 'key', 'me', 'cert', 'fedid'):
600	setattr(self, a, getattr(st, a, None))
601
602	# Initialize the new context with the new identity
603	self.context = ABAC.Context()
604	if self.me:
605	self.context.load_id_file(self.me)
606	if self.key:
607	self.init_libcreddy_id()
608	self.context.load_directory("%s/certs" % dir)
609	self.save_dir = dir
610	except EnvironmentError, e:
611	self.lock.release()
612	raise e
613	except pickle.PickleError, e:
614	self.lock.release()
615	raise e
616	self.lock.release()
617
618	@staticmethod
619	def encode_credential(c):
620	return '%s <- %s' % (c.head().string(), c.tail().string())
621
622	def get_creds_for_principal(self, fid):
623	look_for = set(["%s" % fid])
624	found_attrs = set()
625	next_look = set()
626	found = set([])
627
628	self.lock.acquire()
629	while look_for:
630	for c in self.context.credentials():
631	tail = c.tail()
632	# XXX: This needs to be more aggressive for linked stuff
633	if tail.string() in look_for and c not in found:
634	found.add(c)
635	next_look.add(c.head().string())
636
637	look_for = next_look
638	next_look = set()
639	self.lock.release()
640
641	return found
642
643	def __str__(self):
644
645	self.lock.acquire()
646	rv = "%s" % self.fedid
647	add = join([abac_authorizer.encode_credential(c)
648	for c in self.context.credentials()], '\n');
649	if add: rv += "\n%s" % add
650	self.lock.release()
651	return rv
652

Note: See TracBrowser for help on using the repository browser.

Download in other formats: