Changeset 353db8c for fedd/federation

Timestamp:

Nov 23, 2010 5:00:48 PM (13 years ago)

Author:

Ted Faber <faber@…>

Branches:

axis_example, compt_changes, info-ops, master

Children:

6e63513

Parents:

3ff5e2a

Message:

Vairous ABAC tweaks, mostly concerned with making key splitting less visible.

Location:

fedd/federation

Files:

• authorizer.py (modified) (4 diffs)
• util.py (modified) (2 diffs)

fedd/federation/authorizer.py

@@ -11 +11 @@
 from remote_service import service_caller
 from service_error import service_error
+from util import abac_pem_type, abac_split_cert
 
 
@@ -192 +193 @@
     attribute_error = authorizer_base.attribute_error
     class no_file(RuntimeError): pass
-
-    def __init__(self, certs=None, me=None, key=None, load=None):
+    class bad_cert(RuntimeError): pass
+
+    def __init__(self, certs=None, me=None, key=None, load=None, save=None):
         self.creddy = '/usr/local/bin/creddy'
         self.globals = set()
         self.lock = Lock()
         self.me = me
-        self.key = key
+        self.save_dir = load or save
+        # If the me parameter is a combination certificate, split it into the
+        # abac_authorizer save directory (if any) for use with creddy.
+        if abac_pem_type(self.me) == 'both':
+            if self.save_dir:
+                self.key, self.me = abac_split_cert(self.me,
+                        keyfile="%s/key.pem" % self.save_dir, 
+                        certfile = "%s/cert.pem" % self.save_dir)
+            else:
+                raise abac_authorizer.bad_cert("Combination certificate " + \
+                        "and nowhere to split it");
+        else:
+            self.key = key
         self.context = ABAC.Context()
         if me:
@@ -216 +230 @@
 
         if load:
-            self.save_dir = load
             self.load(load)
-        else:
-            self.save_dir = None
 
     @staticmethod
@@ -453 +464 @@
                 st = pickle.load(f)
                 f.close()
-                # Cpoy the useful attributes from the pickled state
+                # Copy the useful attributes from the pickled state
                 for a in ('globals', 'key', 'me', 'cert', 'fedid'):
                     setattr(self, a, getattr(st, a, None))

fedd/federation/util.py

@@ -2 +2 @@
 
 import re
+import os
 import string
 import logging
@@ -262 +263 @@
             return base
 
+def abac_pem_type(cert):
+    key_re = re.compile('\s*-----BEGIN RSA PRIVATE KEY-----$')
+    cert_re = re.compile('\s*-----BEGIN CERTIFICATE-----$') 
+    type = None
+    f = open(cert, 'r')
+    for line in f:
+        if key_re.match(line):
+            if type is None: type = 'key'
+            elif type == 'cert': type = 'both'
+        elif cert_re.match(line):
+            if type is None: type = 'cert'
+            elif type == 'key': type = 'both'
+        if type == 'both': break
+    f.close()
+    return type
+
+def abac_split_cert(cert, keyfile=None, certfile=None):
+    """
+    Split the certificate file in cert into a certificate file and a key file
+    in cf and kf respectively.  The ABAC tools generally cannot handle combined
+    certificates/keys.  If kf anc cf are given, they are used, otherwise tmp
+    files are created.  Created tmp files must be deleted.  Problems opening or
+    writing files will cause exceptions.
+    """
+    class diversion:
+        '''
+        Wraps up the reqular expression to start and end a diversion, as well as
+        the open file that gets the lines.
+        '''
+        def __init__(self, start, end, fn):
+            self.start = re.compile(start)
+            self.end = re.compile(end)
+            # Open the file securely with minimal permissions. NB file cannot
+            # exist before this call.
+            self.f = os.fdopen(os.open(fn,
+                (os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_EXCL), 0600),
+                'w')
+
+        def close(self):
+            self.f.close()
+
+    if not keyfile:
+        f, keyfile = mkstemp(suffix=".pem")
+        os.close(f);
+    if not certfile:
+        f, certfile = mkstemp(suffix=".pem")
+        os.close(f);
+
+    # Initialize the diversions
+    divs = [diversion(s, e, fn) for s, e,fn in (
+        ('\s*-----BEGIN RSA PRIVATE KEY-----$', 
+            '\s*-----END RSA PRIVATE KEY-----$',
+            keyfile),
+        ('\s*-----BEGIN CERTIFICATE-----$', 
+            '\s*-----END CERTIFICATE-----$',
+            certfile))]
+
+    # walk through the file, beginning a diversion when a start regexp
+    # matches until the end regexp matches.  While in the two regexps,
+    # print each line to the open diversion file (including the two
+    # matches).
+    active = None
+    f = open(cert, 'r')
+    for l in f:
+        if active:
+            if active.end.match(l):
+                print >>active.f, l,
+                active = None
+        else:
+            for d in divs:
+                if d.start.match(l):
+                    active = d
+                    break
+        if active: print >>active.f, l,
+
+    # This is probably unnecessary.  Close all the diversion files.
+    for d in divs: d.close()
+    return keyfile, certfile
+
 def find_pickle_problem(o, st=None):
     """