Changeset 5529264


Timestamp:
Mar 26, 2012 6:01:37 PM (8 years ago)
Author:
Ted Faber <faber@…>
Branches:
compt_changes, master
Children:
3bcb2eb
Parents:
406f3b5
Message:

Add commands for delegated federated users

File:
1 edited

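--- a/fedd/access_to_abac.py
+++ b/fedd/access_to_abac.py
@@ -280,4 +280,10 @@
                 help='do not accept delegated attributes with the ' +\
                         'acting_for linking role')
+        self.add_option('--fed-root', dest='root',
+                help='add a rule to accept federated users from facilities ' +\
+                        'recognized by ROOT.  This is a certificate file')
+        self.add_option('--fed-tuple', dest='ftuple',
+                help='a tuple into which to map federated ' + \
+                        'users about which we know nothing else.')
         self.add_option('--no_auth', action='store_false', dest='create_auth',
                 default=True, help='do not create a full ABAC authorizer')
@@ -392,4 +398,35 @@
     cert = None
 
+fed_to_id =  { }
+if any((opts.root, opts.ftuple)) and not all ((opts.root, opts.ftuple)):
+    sys.exit('Either both or neither of --fed-root and ' + \
+            '--fed-project must be specified')
+elif opts.root:
+    try:
+        root_fedid = fedid(file=opts.root)
+    except EnvironmentError, e:
+        sys.exit('Bad --root: %s (%s)' % (e.strerror, e.filename or '?!'))
+
+    fed_tuple = tuple(opts.ftuple.split(','))
+    fed_someuser_cred = \
+            credential(me, 'some_feduser',
+                    [attribute(root_fedid.get_hexstr(),
+                        'fedfacility', 'feduser')])
+    fed_user_cred = \
+            credential(me, 'default_feduser',
+                    [attribute(me.get_hexstr(),
+                        'some_feduser', 'acting_for')])
+    fed_access_cred = \
+            credential(me, 'access',
+                    [attribute(me.get_hexstr(), 'default_feduser')])
+   
+    fed_to_id[fed_tuple] = [fed_user_cred]
+
+else:
+    # No fed-root or fed-tuple
+    fed_access_cred = None
+    fed_user_cred = None
+    fed_someuser_cred = None
+   
 # The try block makes sure that credentials split into tmp files are deleted
 try:
@@ -401,5 +438,4 @@
             print >> sys.stderr, "%s" % e
             continue
-
         except EnvironmentError, e:
             print >>sys.stderr, "File error %s: %s" % \
@@ -409,4 +445,8 @@
         # Credential output
         if opts.create_creds:
+            if fed_access_cred and fed_user_cred and fed_someuser_cred:
+                creds.add(fed_access_cred)
+                creds.add(fed_user_cred)
+                creds.add(fed_someuser_cred)
             if all([cert, key, opts.dir]):
                 try:
@@ -426,5 +466,5 @@
                 else:
                     f = sys.stdout
-                for k, c in to_id.items():
+                for k, c in to_id.items() + fed_to_id.items():
                     # Keys are either a single string or a tuple of them; join
                     # the tuples into a comma-separated string.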
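Review bot: Both sys.exit messages in the new top-level fed_to_id block name options that do not exist: the both-or-neither check says `--fed-project` while the option added in the first hunk is `--fed-tuple`, and the EnvironmentError handler says `Bad --root` for `--fed-root`. Since these are the only text a user sees when the new flags are misused, they should read `'--fed-tuple must be specified')` and `sys.exit('Bad --fed-root: %s (%s)' % (e.strerror, e.filename or '?!'))`. The credential chain built there (ROOT's fedfacility.feduser -> some_feduser -> default_feduser -> access) is the policy the new flags install, so a short comment above `fed_someuser_cred = \` stating that any user ROOT vouches for is mapped to the default_feduser role and the --fed-tuple project would help an operator reason about what they are delegating. In the last hunk, `to_id.items() + fed_to_id.items()` emits both entries when a --fed-tuple key coincides with one already in to_id; if that is intended, a one-line comment there would save the next reader a question.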