Changeset 353db8c for fedd/fedd_create.py

Timestamp:

Nov 23, 2010 5:00:48 PM (13 years ago)

Author:

Ted Faber <faber@…>

Branches:

axis_example, compt_changes, info-ops, master

Children:

6e63513

Parents:

3ff5e2a

Message:

Vairous ABAC tweaks, mostly concerned with making key splitting less visible.

File:

• fedd/fedd_create.py (modified) (12 diffs)

fedd/fedd_create.py

@@ -6 +6 @@
 from federation.remote_service import service_caller
 from federation.client_lib import client_opts, exit_with_fault, RPCException, \
-        wrangle_standard_options, do_rpc, get_experiment_names, save_certfile
+        wrangle_standard_options, do_rpc, get_experiment_names, save_certfile,
+        get_abac_certs
+from federation.util import abac_split_cert
 
 class fedd_create_opts(client_opts):
@@ -32 +34 @@
                 help="Explicit map from testbed label to URI - " + \
                         "deter:https://users.isi.deterlab/net:13232")
+        self.add_option('--gen_cert', action='store_true', dest='gen_cert',
+                default=False,
+                help='generate a cert to which to delegate rights')
+        self.add_option('--delegate', action='store_true', dest='generate',
+                help='Delegate rights to a generated cert (default)')
+        self.add_option('--no-delegate', action='store_true', dest='generate',
+                help='Do not delegate rights to a generated cert')
+
+        self.set_defaults('delegate'=True)
 
 def parse_service(svc):
@@ -78 +89 @@
             }
 
+def delegate(fedid, cert, dir, name=None, debug=False, 
+        creddy='/usr/local/bin/creddy'):
+    '''
+    Make the creddy call to create an attribute delegating rights to the new
+    experiment.  The cert parameter points to a conventional cert & key combo,
+    which we split out into tempfiles, which we delete on return.  The return
+    value if the filename in which the certificate was stored.
+    '''
+
+    certfile = keyfile = None
+    expid = "%s" % fedid
+
+    # Trim the "fedid:"
+    if expid.startswith("fedid:"): expid = expid[6:]
+
+    try:
+        keyfile, certfile = abac_split(cert)
+
+        rv = 0
+        if name: fn = '%s/%s_attr.der' % (dir, name)
+        else: fn = '%s/%s_attr.der' % (dir, expid)
+
+        cmd = [creddy, '--attribute', '--issuer=%s' % certfile, 
+                '--key=%s' % keyfile,
+                '--role=acting_for', '--subject-id=%s' % expid, 
+                '--out=%s' % fn ]
+        if debug:
+            print join(cmd)
+            return fn
+        else:
+            if subprocess.call(cmd) == 0: return fn
+            else: return None
+    finally:
+        if keyfile: os.unlink(keyfile)
+        if certfile: os.unlink(certfile)
+
 # Main line
 service_re = re.compile('^\\s*#\\s*SERVICE:\\s*([\\S]+)')
@@ -83 +130 @@
 (opts, args) = parser.parse_args()
 
-
+# Option processing
 cert, fid, url = wrangle_standard_options(opts)
 
@@ -97 +144 @@
 out_certfile = opts.out_certfile
 
+# If there is no abac directory in which to store a delegated credential, don't
+# delegate.
+if not opts.abac_dir and opts.delegate:
+    opts.delegate = False
+
+# Load ABAC certs
+if opts.abac_dir:
+    try:
+        acerts = get_abac_certs(opts.abac_dir)
+    except EnvironmentError, e:
+        sys.exit('%s: %s' % (e.filename, e.strerror))
+
 # Fill in services
 svcs = []
@@ -102 +161 @@
     svcs.append(project_export_service(opts.master, opts.project))
 svcs.extend([ parse_service(s) for s in opts.service])
+
 # Parse all the strings that we can pull out of the file using the service_re.
 svcs.extend([parse_service(service_re.match(l).group(1)) \
@@ -117 +177 @@
     print >>sys.stderr, "Warning:Neither master/project nor services requested"
 
-
+# Construct the New experiment request
 msg = { }
+
+
+# Generate a certificate if requested and put it into the message
+if opts.gen_cert:
+    expid, expcert = generate_fedid(opts.exp_name or 'dummy')
+    msg['experimentAccess'] = { 'X509': expcert }
+else:
+    expid = expcert = None
 
 if opts.exp_name:
     msg['experimentID'] = { 'localname': opts.exp_name }
 
+if acerts:
+    msg['credential'] = acerts
+
 if opts.debug > 1: print >>sys.stderr, msg
 
+# The New call
 try:
     resp_dict = do_rpc(msg, 
@@ -138 +210 @@
 if opts.debug > 1: print >>sys.stderr, resp_dict
 
+# Save the experiment ID certificate if we need it
 try:
     save_certfile(opts.out_certfile, resp_dict.get('experimentAccess', None))
@@ -147 +220 @@
     e_local = "serialize"
 
+# If delegation is requested and we have a target, make the delegation, and add
+# the credential to acerts.
+if e_fedid and opts.delegate:
+    new_cert_fn = delegate(e_fedid, cert, key, dir, opts.exp_name)
+    if new_cert_fn is not None:
+        try:
+            f = open(new_cert_fn, 'r')
+            acerts.add(f.read())
+            f.close()
+        except EnvironmentError, e:
+            sys.exit("Cannot read delegation cert in %s: %s" % \
+                    (e.filename, e.strerror));
+    else:
+        sys.exit("Cannot delegate rights to new experiment: %s/%s" %\
+                (expid, opts.exp_name))
+
+# Construct the Create message
 msg = { 'experimentdescription': { 'ns2description': exp_desc }, }
 
@@ -159 +249 @@
     sys.exit("New did not return an experiment ID??")
 
+if acerts:
+    msg['credential'] = acerts
+
 if tbmap:
     msg['testbedmap'] = [ { 'testbed': t, 'uri': u } for t, u in tbmap.items() ]
@@ -164 +257 @@
 if opts.debug > 1: print >>sys.stderr, msg
 
+# make the call
 try:
     resp_dict = do_rpc(msg, 
@@ -177 +271 @@
 if opts.debug > 1: print >>sys.stderr, resp_dict
 
+# output
 e_fedid, e_local = get_experiment_names(resp_dict.get('experimentID', None))
 st = resp_dict.get('experimentStatus', None)