Timestamp:
Jan 15, 2011 5:52:15 PM (13 years ago)
Author:
Ted Faber <faber@…>
Branches:
axis_example, compt_changes, info-ops, master
Children:
aaf7f41
Parents:
ac15159 (diff), 944b746 (diff)
Note: this is a merge changeset, the changes displayed below correspond to the merge itself.
Use the (diff) links above to see all the changes relative to each parent.
git-author:
Ted Faber <faber@…> (01/15/11 17:51:40)
git-committer:
Ted Faber <faber@…> (01/15/11 17:52:15)
Message:

merge from current

File:
1 edited

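--- a/fedd/federation/authorizer.py
+++ b/fedd/federation/authorizer.py
@@ -1,5 +1,4 @@
 #/usr/local/bin/python
 
-from string import join
 from tempfile import mkstemp
 from subprocess import call
@@ -12,4 +11,5 @@
 from service_error import service_error
 from util import abac_pem_type, abac_split_cert
+from proof import proof
 
 
@@ -116,5 +116,5 @@
         if attrs: attrs.discard(attr)
 
-    def check_attribute(self, name, attr):
+    def check_attribute(self, name, attr, with_proof=False):
         """
         Return True if name has attr (or if attr is global).  Tuple names match
@@ -130,5 +130,6 @@
         self.valid_name(name)
         if attr in self.globals:
-            return True
+            if with_proof: return True, proof("me", name, attr)
+            else: return True
 
         if isinstance(name, tuple):
@@ -137,7 +138,15 @@
                 if self.attrs.has_key(lookup):
                     if attr in self.attrs[lookup]:
-                        return True
-        else:
-            return  attr in self.attrs.get(self.auth_name(name), set())
+                        if with_proof: return True, proof("me", name, attr)
+                        else: return True
+                # Drop through
+                if with_proof: return False, proof("me", name, attr)
+                else: return False
+        else:
+            if with_proof:
+                return attr in self.attrs.get(self.auth_name(name), set()), \
+                        proof("me", name, attr)
+            else:
+                return attr in self.attrs.get(self.auth_name(name), set())
 
     def set_global_attribute(self, attr):
@@ -209,7 +218,13 @@
         if self.me is not None and abac_pem_type(self.me) == 'both':
             if self.save_dir:
-                self.key, self.me = abac_split_cert(self.me,
-                        keyfile="%s/key.pem" % self.save_dir,
-                        certfile = "%s/cert.pem" % self.save_dir)
+                keyfile="%s/key.pem" % self.save_dir
+                certfile = "%s/cert.pem" % self.save_dir
+
+                # Clear a spot for the new key and cert files.
+                for fn in (keyfile, certfile):
+                    if os.access(fn, os.F_OK):
+                        os.unlink(fn)
+
+                self.key, self.me = abac_split_cert(self.me, keyfile, certfile)
             else:
                 raise abac_authorizer.bad_cert_error("Combination " + \
@@ -223,5 +238,5 @@
             if rv != 0:
                 raise abac_authorizer.bad_name(
-                        'Cannot load identity from %s' % me.cert)
+                        'Cannot load identity from %s' % me)
         else:
             self.fedid = None
@@ -235,4 +250,21 @@
         if load:
             self.load(load)
+
+    # Modify the pickling operations so that the context and lock are not
+    # pickled
+
+    def __getstate__(self):
+        d = self.__dict__.copy()
+        del d['lock']
+        del d['context']
+        return d
+
+    def __setstate__(self, d):
+        # Import everything from the pickle dict (except what we excluded in
+        # __getstate__)
+        self.__dict__.update(d)
+        # Initialize the unpicklables
+        self.context = ABAC.Context()
+        self.lock = Lock()
 
     @staticmethod
@@ -352,6 +384,5 @@
 
 
-    def check_attribute(self, name, attr):
-        # XXX proof soon
+    def check_attribute(self, name, attr, with_proof=False):
         if isinstance(name, tuple):
             raise abac_authorizer.bad_name(
@@ -376,10 +407,12 @@
             # Sigh. Unicode vs swig and swig seems to lose.  Make sure
             # everything we pass into ABAC is a str not a unicode.
-            rv, proof = self.context.query(a, n)
+            rv, p = self.context.query(a, n)
             # XXX delete soon
-            if not rv and attr in self.globals: rv = True
-            self.lock.release()
-
-            return rv
+            if not rv and attr in self.globals:
+                rv = True
+                p = None
+            self.lock.release()
+            if with_proof: return rv, proof(self.fedid, name, a, p)
+            else: return rv
 
     def set_global_attribute(self, attr):
@@ -421,9 +454,4 @@
             if not os.access(dir, os.F_OK):
                 os.mkdir(dir)
-            # These are unpicklable, so set them aside
-            context = self.context
-            lock = self.lock
-            self.context = None
-            self.lock = None
 
             f = open("%s/state" % dir, "w")
@@ -433,16 +461,15 @@
             if not os.access("%s/certs" %dir, os.F_OK):
                 os.mkdir("%s/certs" % dir)
-            seenid = set()
-            seenattr = set()
-
-            #restore unpicklable state
-            self.context = context
-            self.lock = lock
-            #remove old certs
+
+            # Clear the certs subdir
             for fn in [ f for f in os.listdir("%s/certs" % dir) \
                     if abac_authorizer.cred_file_re.match(f)]:
                 os.unlink('%s/certs/%s' % (dir, fn))
+
+            # Save the context
             ii = 0
             ai = 0
+            seenid = set()
+            seenattr = set()
             for c in self.context.credentials():
                 id = c.issuer_cert()
@@ -463,12 +490,8 @@
                     seenattr.add(attr)
         except EnvironmentError, e:
-            # If we've mislaid self.lock, release lock (they're the same object)
-            if self.lock: self.lock.release()
-            elif lock: lock.release()
+            self.lock.release()
             raise e
         except pickle.PickleError, e:
-            # If we've mislaid self.lock, release lock (they're the same object)
-            if self.lock: self.lock.release()
-            elif lock: lock.release()
+            self.lock.release()
             raise e
         self.lock.release()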
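Review bot: The pre-cleanup loop added before the `abac_split_cert` call (`for fn in (keyfile, certfile): if os.access(fn, os.F_OK): os.unlink(fn)`) does not remove a dangling symlink at either path, because `os.access` follows the link and reports the missing target, so the stale entry survives and the private key is then written through it; the check-then-act pair also raises OSError if the file disappears between the two calls. Removing unconditionally and tolerating absence covers both cases: `for fn in (keyfile, certfile):` / `    try: os.unlink(fn)` / `    except OSError: pass`. Whether `abac_split_cert` creates `key.pem` with owner-only permissions is outside this hunk and worth confirming, since the path is predictable under `save_dir`. Separately, in the last hunk the two handlers release `self.lock` only for `EnvironmentError` and `pickle.PickleError`, so any other exception raised in the body leaves the lock held; a `finally:` around the single trailing `self.lock.release()` would cover every exit path — the `try` itself opens outside the hunk.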