Changeset 0a49bd7 for fedd/federation/authorizer.py
- Timestamp:
- Jan 15, 2011 5:52:15 PM (13 years ago)
- Branches:
- axis_example, compt_changes, info-ops, master
- Children:
- aaf7f41
- Parents:
- ac15159 (diff), 944b746 (diff)
Note: this is a merge changeset, the changes displayed below correspond to the merge itself.
Use the(diff)
links above to see all the changes relative to each parent. - git-author:
- Ted Faber <faber@…> (01/15/11 17:51:40)
- git-committer:
- Ted Faber <faber@…> (01/15/11 17:52:15)
- File:
-
- 1 edited
fedd/federation/authorizer.py
rac15159 r0a49bd7 1 1 #/usr/local/bin/python 2 2 3 from string import join4 3 from tempfile import mkstemp 5 4 from subprocess import call … … 12 11 from service_error import service_error 13 12 from util import abac_pem_type, abac_split_cert 13 from proof import proof 14 14 15 15 … … 116 116 if attrs: attrs.discard(attr) 117 117 118 def check_attribute(self, name, attr ):118 def check_attribute(self, name, attr, with_proof=False): 119 119 """ 120 120 Return True if name has attr (or if attr is global). Tuple names match … … 130 130 self.valid_name(name) 131 131 if attr in self.globals: 132 return True 132 if with_proof: return True, proof("me", name, attr) 133 else: return True 133 134 134 135 if isinstance(name, tuple): … … 137 138 if self.attrs.has_key(lookup): 138 139 if attr in self.attrs[lookup]: 139 return True 140 else: 141 return attr in self.attrs.get(self.auth_name(name), set()) 140 if with_proof: return True, proof("me", name, attr) 141 else: return True 142 # Drop through 143 if with_proof: return False, proof("me", name, attr) 144 else: return False 145 else: 146 if with_proof: 147 return attr in self.attrs.get(self.auth_name(name), set()), \ 148 proof("me", name, attr) 149 else: 150 return attr in self.attrs.get(self.auth_name(name), set()) 142 151 143 152 def set_global_attribute(self, attr): … … 209 218 if self.me is not None and abac_pem_type(self.me) == 'both': 210 219 if self.save_dir: 211 self.key, self.me = abac_split_cert(self.me, 212 keyfile="%s/key.pem" % self.save_dir, 213 certfile = "%s/cert.pem" % self.save_dir) 220 keyfile="%s/key.pem" % self.save_dir 221 certfile = "%s/cert.pem" % self.save_dir 222 223 # Clear a spot for the new key and cert files. 
224 for fn in (keyfile, certfile): 225 if os.access(fn, os.F_OK): 226 os.unlink(fn) 227 228 self.key, self.me = abac_split_cert(self.me, keyfile, certfile) 214 229 else: 215 230 raise abac_authorizer.bad_cert_error("Combination " + \ … … 223 238 if rv != 0: 224 239 raise abac_authorizer.bad_name( 225 'Cannot load identity from %s' % me .cert)240 'Cannot load identity from %s' % me) 226 241 else: 227 242 self.fedid = None … … 235 250 if load: 236 251 self.load(load) 252 253 # Modify the pickling operations so that the context and lock are not 254 # pickled 255 256 def __getstate__(self): 257 d = self.__dict__.copy() 258 del d['lock'] 259 del d['context'] 260 return d 261 262 def __setstate__(self, d): 263 # Import everything from the pickle dict (except what we excluded in 264 # __getstate__) 265 self.__dict__.update(d) 266 # Initialize the unpicklables 267 self.context = ABAC.Context() 268 self.lock = Lock() 237 269 238 270 @staticmethod … … 352 384 353 385 354 def check_attribute(self, name, attr): 355 # XXX proof soon 386 def check_attribute(self, name, attr, with_proof=False): 356 387 if isinstance(name, tuple): 357 388 raise abac_authorizer.bad_name( … … 376 407 # Sigh. Unicode vs swig and swig seems to lose. Make sure 377 408 # everything we pass into ABAC is a str not a unicode. 
378 rv, p roof= self.context.query(a, n)409 rv, p = self.context.query(a, n) 379 410 # XXX delete soon 380 if not rv and attr in self.globals: rv = True 381 self.lock.release() 382 383 return rv 411 if not rv and attr in self.globals: 412 rv = True 413 p = None 414 self.lock.release() 415 if with_proof: return rv, proof(self.fedid, name, a, p) 416 else: return rv 384 417 385 418 def set_global_attribute(self, attr): … … 421 454 if not os.access(dir, os.F_OK): 422 455 os.mkdir(dir) 423 # These are unpicklable, so set them aside424 context = self.context425 lock = self.lock426 self.context = None427 self.lock = None428 456 429 457 f = open("%s/state" % dir, "w") … … 433 461 if not os.access("%s/certs" %dir, os.F_OK): 434 462 os.mkdir("%s/certs" % dir) 435 seenid = set() 436 seenattr = set() 437 438 #restore unpicklable state 439 self.context = context 440 self.lock = lock 441 #remove old certs 463 464 # Clear the certs subdir 442 465 for fn in [ f for f in os.listdir("%s/certs" % dir) \ 443 466 if abac_authorizer.cred_file_re.match(f)]: 444 467 os.unlink('%s/certs/%s' % (dir, fn)) 468 469 # Save the context 445 470 ii = 0 446 471 ai = 0 472 seenid = set() 473 seenattr = set() 447 474 for c in self.context.credentials(): 448 475 id = c.issuer_cert() … … 463 490 seenattr.add(attr) 464 491 except EnvironmentError, e: 465 # If we've mislaid self.lock, release lock (they're the same object) 466 if self.lock: self.lock.release() 467 elif lock: lock.release() 492 self.lock.release() 468 493 raise e 469 494 except pickle.PickleError, e: 470 # If we've mislaid self.lock, release lock (they're the same object) 471 if self.lock: self.lock.release() 472 elif lock: lock.release() 495 self.lock.release() 473 496 raise e 474 497 self.lock.release()
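Review bot: With `with_proof=True` both `check_attribute` implementations return a tuple, and the denied path `return False, proof("me", name, attr)` yields a non-empty tuple, which is truthy. A caller that tests the result directly instead of unpacking it would treat every denial as a grant. The docstring visible in the hunk still reads "Return True if name has attr", so it should state the second form, for example `With with_proof=True, return (ok, proof); callers must unpack and test ok.` Alternatively, give the proof-returning variant its own method name so the boolean contract of the authorization check cannot change by keyword. In the ABAC variant the globals fallback sets `rv = True` and `p = None`, so a grant can reach `proof(self.fedid, name, a, p)` with no ABAC evidence attached; that deserves a comment next to the `# XXX delete soon` marker. Both function bodies extend beyond the lines shown here.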