Context Navigation

source: fedd/federation/util.py @ 9252414

axis_examplecompt_changesinfo-ops

Last change on this file since 9252414 was c573278, checked in by Ted Faber <faber@…>, 14 years ago
Checkpoint. Still lots to do
Property mode set to `100644`
File size: 11.5 KB

Line
1	#!/usr/local/bin/python
2
3	import re
4	import os
5	import string
6	import logging
7	import pickle
8
9	import httplib
10
11	from socket import sslerror
12	from tempfile import mkstemp
13
14	from M2Crypto import SSL
15	from M2Crypto.SSL import SSLError
16	from fedid import fedid
17	from service_error import service_error
18	from urlparse import urlparse
19
20
21	# If this is an old enough version of M2Crypto.SSL that has an
22	# ssl_verify_callback that doesn't allow 0-length signed certs, create a
23	# version of that callback that does. This is edited from the original in
24	# M2Crypto.SSL.cb. This version also elides the printing to stderr.
25	if not getattr(SSL.cb, 'ssl_verify_callback_allow_unknown_ca', None):
26	from M2Crypto.SSL.Context import map
27	from M2Crypto import m2
28
29	def ssl_verify_callback(ssl_ctx_ptr, x509_ptr, errnum, errdepth, ok):
30	unknown_issuer = [
31	m2.X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY,
32	m2.X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE,
33	m2.X509_V_ERR_CERT_UNTRUSTED,
34	m2.X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
35	]
36	ssl_ctx = map()[ssl_ctx_ptr]
37
38	if errnum in unknown_issuer:
39	if ssl_ctx.get_allow_unknown_ca():
40	ok = 1
41	# CRL checking goes here...
42	if ok:
43	if ssl_ctx.get_verify_depth() >= errdepth:
44	ok = 1
45	else:
46	ok = 0
47	return ok
48	else:
49	def ssl_verify_callback(ssl_ctx_ptr, x509_ptr, errnum, errdepth, ok):
50	raise ValueError("This should never be called")
51
52	class fedd_ssl_context(SSL.Context):
53	"""
54	Simple wrapper around an M2Crypto.SSL.Context to initialize it for fedd.
55	"""
56	def __init__(self, my_cert, trusted_certs=None, password=None):
57	"""
58	construct a fedd_ssl_context
59
60	@param my_cert: PEM file with my certificate in it
61	@param trusted_certs: PEM file with trusted certs in it (optional)
62	"""
63	SSL.Context.__init__(self)
64
65	# load_cert takes a callback to get a password, not a password, so if
66	# the caller provided a password, this creates a nonce callback using a
67	# lambda form.
68	if password != None and not callable(password):
69	# This is cute. password = lambda *args: password produces a
70	# function object that returns itself rather than one that returns
71	# the object itself. This is because password is an object
72	# reference and after the assignment it's a lambda. So we assign
73	# to a temp.
74	pwd = str(password)
75	password =lambda *args: pwd
76
77	# The calls to str below (and above) are because the underlying SSL
78	# stuff is intolerant of unicode.
79	if password != None:
80	self.load_cert(str(my_cert), callback=password)
81	else:
82	self.load_cert(str(my_cert))
83
84	# If no trusted certificates are specified, allow unknown CAs.
85	if trusted_certs:
86	self.load_verify_locations(trusted_certs)
87	self.set_verify(SSL.verify_peer, 10)
88	else:
89	# More legacy code. Recent versions of M2Crypto express the
90	# allow_unknown_ca option through a callback turned to allow it.
91	# Older versions use a standard callback that respects the
92	# attribute. This should work under both regines.
93	callb = getattr(SSL.cb, 'ssl_verify_callback_allow_unknown_ca',
94	ssl_verify_callback)
95	self.set_allow_unknown_ca(True)
96	self.set_verify(SSL.verify_peer, 10, callback=callb)
97
98	def read_simple_accessdb(fn, auth, mask=[]):
99	"""
100	Read a simple access database. Each line is a fedid (of the form
101	fedid:hexstring) and a comma separated list of atributes to be assigned to
102	it. This parses out the fedids and adds the attributes to the authorizer.
103	comments (preceded with a #) and blank lines are ignored. Exceptions (e.g.
104	file exceptions and ValueErrors from badly parsed lines) are propagated.
105	"""
106
107	rv = [ ]
108	lineno = 0
109	fedid_line = re.compile("fedid:([" + string.hexdigits + "]+)\s+" +\
110	"(\w+\s(,\s\w+)*)")
111
112	# If a single string came in, make it a list
113	if isinstance(mask, basestring): mask = [ mask ]
114
115	f = open(fn, 'r')
116	for line in f:
117	lineno += 1
118	line = line.strip()
119	if line.startswith('#') or len(line) == 0:
120	continue
121	m = fedid_line.match(line)
122	if m :
123	fid = fedid(hexstr=m.group(1))
124	for a in [ a.strip() for a in m.group(2).split(",") \
125	if not mask or a.strip() in mask ]:
126	auth.set_attribute(fid, a.strip())
127	else:
128	raise ValueError("Badly formatted line in accessdb: %s line %d" %\
129	(fn, lineno))
130	f.close()
131	return rv
132
133
134	def pack_id(id):
135	"""
136	Return a dictionary with the field name set by the id type. Handy for
137	creating dictionaries to be converted to messages.
138	"""
139	if isinstance(id, fedid): return { 'fedid': id }
140	elif id.startswith("http:") or id.startswith("https:"): return { 'uri': id }
141	else: return { 'localname': id}
142
143	def unpack_id(id):
144	"""return id as a type determined by the key"""
145	for k in ("localname", "fedid", "uri", "kerberosUsername"):
146	if id.has_key(k): return id[k]
147	return None
148
149	def set_log_level(config, sect, log):
150	""" Set the logging level to the value passed in sect of config."""
151	# The getattr sleight of hand finds the logging level constant
152	# corrersponding to the string. We're a little paranoid to avoid user
153	# mayhem.
154	if config.has_option(sect, "log_level"):
155	level_str = config.get(sect, "log_level")
156	try:
157	level = int(getattr(logging, level_str.upper(), -1))
158
159	if logging.DEBUG <= level <= logging.CRITICAL:
160	log.setLevel(level)
161	else:
162	log.error("Bad experiment_log value: %s" % level_str)
163
164	except ValueError:
165	log.error("Bad experiment_log value: %s" % level_str)
166
167	def copy_file(src, dest, size=1024):
168	"""
169	Exceedingly simple file copy. Throws an EnvironmentError if there's a problem.
170	"""
171	s = open(src,'r')
172	d = open(dest, 'w')
173
174	buf = s.read(size)
175	while buf != "":
176	d.write(buf)
177	buf = s.read(size)
178	s.close()
179	d.close()
180
181	def get_url(url, cf, destdir, fn=None, max_retries=5):
182	"""
183	Get data from a federated data store. This presents the client cert/fedid
184	to the http server. We retry up to max_retries times.
185	"""
186	po = urlparse(url)
187	if not fn:
188	fn = po.path.rpartition('/')[2]
189	retries = 0
190	ok = False
191	failed_exception = None
192	while not ok and retries < 5:
193	try:
194	conn = httplib.HTTPSConnection(po.hostname, port=po.port,
195	cert_file=cf, key_file=cf)
196	conn.putrequest('GET', po.path)
197	conn.endheaders()
198	response = conn.getresponse()
199
200	lf = open("%s/%s" % (destdir, fn), "w")
201	buf = response.read(4096)
202	while buf:
203	lf.write(buf)
204	buf = response.read(4096)
205	lf.close()
206	ok = True
207	except EnvironmentError, e:
208	failed_excpetion = e
209	retries += 1
210	except httplib.HTTPException, e:
211	failed_exception = e
212	retries += 1
213	except sslerror, e:
214	failed_exception = e
215	retries += 1
216	except SSLError, e:
217	failed_exception = e
218	retries += 1
219
220	if retries > 5 and failed_exception:
221	raise failed_excpetion
222
223	# Functions to manipulate composite testbed names
224	def testbed_base(tb):
225	"""
226	Simple code to get the base testebd name.
227	"""
228	i = tb.find('/')
229	if i == -1: return tb
230	else: return tb[0:i]
231
232	def testbed_suffix(tb):
233	"""
234	Simple code to get a testbed suffix, if nay. No suffix returns None.
235	"""
236	i = tb.find('/')
237	if i != -1: return tb[i+1:]
238	else: return None
239
240	def split_testbed(tb):
241	"""
242	Return a testbed and a suffix as a tuple. No suffix returns None for that
243	field
244	"""
245
246	i = tb.find('/')
247	if i != -1: return (tb[0:i], tb[i+1:])
248	else: return (tb, None)
249
250	def join_testbed(base, suffix=None):
251	"""
252	Build a testbed with suffix. If base is itself a tuple, combine them,
253	otherwise combine the two.
254	"""
255	if isinstance(base, tuple):
256	if len(base) == 2:
257	return '/'.join(base)
258	else:
259	raise RuntimeError("Too many tuple elements for join_testbed")
260	else:
261	if suffix:
262	return '/'.join((base, suffix))
263	else:
264	return base
265
266	def abac_pem_type(cert):
267	key_re = re.compile('\s*-----BEGIN RSA PRIVATE KEY-----$')
268	cert_re = re.compile('\s*-----BEGIN CERTIFICATE-----$')
269	type = None
270
271	f = open(cert, 'r')
272	for line in f:
273	if key_re.match(line):
274	if type is None: type = 'key'
275	elif type == 'cert': type = 'both'
276	elif cert_re.match(line):
277	if type is None: type = 'cert'
278	elif type == 'key': type = 'both'
279	if type == 'both': break
280	f.close()
281	return type
282
283	def abac_split_cert(cert, keyfile=None, certfile=None):
284	"""
285	Split the certificate file in cert into a certificate file and a key file
286	in cf and kf respectively. The ABAC tools generally cannot handle combined
287	certificates/keys. If kf anc cf are given, they are used, otherwise tmp
288	files are created. Created tmp files must be deleted. Problems opening or
289	writing files will cause exceptions.
290	"""
291	class diversion:
292	'''
293	Wraps up the reqular expression to start and end a diversion, as well as
294	the open file that gets the lines. If fd is passed in, use that system
295	file (probably from a mkstemp. Otherwise open the given filename.
296	'''
297	def __init__(self, start, end, fn=None, fd=None):
298	self.start = re.compile(start)
299	self.end = re.compile(end)
300
301	if not fd:
302	# Open the file securely with minimal permissions. NB file
303	# cannot exist before this call.
304	fd = os.open(fn,
305	(os.O_WRONLY \| os.O_CREAT \| os.O_TRUNC \| os.O_EXCL), 0600)
306
307	self.f = os.fdopen(fd, 'w')
308
309	def close(self):
310	self.f.close()
311
312	if not keyfile:
313	kf, rkeyfile = mkstemp(suffix=".pem")
314	else:
315	kf, rkeyfile = None, keyfile
316
317	if not certfile:
318	cf, rcertfile = mkstemp(suffix=".pem")
319	else:
320	cf, rcertfile = None, certfile
321
322	# Initialize the diversions
323	divs = [diversion(s, e, fn=pfn, fd=pfd ) for s, e, pfn, pfd in (
324	('\s*-----BEGIN RSA PRIVATE KEY-----$',
325	'\s*-----END RSA PRIVATE KEY-----$',
326	keyfile, kf),
327	('\s*-----BEGIN CERTIFICATE-----$',
328	'\s*-----END CERTIFICATE-----$',
329	certfile, cf))]
330
331	# walk through the file, beginning a diversion when a start regexp
332	# matches until the end regexp matches. While in the two regexps,
333	# print each line to the open diversion file (including the two
334	# matches).
335	active = None
336	f = open(cert, 'r')
337	for l in f:
338	if active:
339	if active.end.match(l):
340	print >>active.f, l,
341	active = None
342	else:
343	for d in divs:
344	if d.start.match(l):
345	active = d
346	break
347	if active: print >>active.f, l,
348
349	# This is probably unnecessary. Close all the diversion files.
350	for d in divs: d.close()
351	return rkeyfile, rcertfile
352
353	def abac_context_to_creds(context):
354	"""
355	Pull all the credentials out of the context and return 2 lists of the
356	underlying credentials in an exportable format, IDs and attributes.
357	There are no duplicates in the lists.
358	"""
359	ids, attrs = set(), set()
360	# This should be a one-iteration loop
361	for c in context.credentials():
362	ids.add(c.issuer_cert())
363	attrs.add(c.attribute_cert())
364
365	return list(ids), list(attrs)
366
367	def find_pickle_problem(o, st=None):
368	"""
369	Debugging routine to figure out what doesn't pickle from a dict full of
370	dicts and lists. It tries to walk down the lists and dicts and pickle each
371	atom. If something fails to pickle, it prints an approximation of a stack
372	trace through the data structure.
373	"""
374	if st is None: st = [ ]
375
376	if isinstance(o, dict):
377	for k, i in o.items():
378	st.append(k)
379	find_pickle_problem(i, st)
380	st.pop()
381	elif isinstance(o, list):
382	st.append('list')
383	for i in o:
384	find_pickle_problem(i, st)
385	st.pop()
386	else:
387	try:
388	pickle.dumps(o)
389	except pickle.PicklingError, e:
390	print >>sys.stderr, "<PicklingError>"
391	print >>sys.stderr, st
392	print >>sys.stderr, o
393	print >>sys.stderr, e
394	print >>sys.stderr, "</PicklingError>"
395

Note: See TracBrowser for help on using the repository browser.

Download in other formats: