Changeset 5a721ed for fedd/access_to_abac.py

Timestamp:

Sep 15, 2010 1:45:58 AM (14 years ago)

Author:

Ted Faber <faber@…>

Branches:

axis_example, compt_changes, info-ops, master

Children:

af25848

Parents:

9cce15a

Message:

Basic function pending creddy updates.

File:

• fedd/access_to_abac.py (modified) (6 diffs)

fedd/access_to_abac.py

@@ -62 +62 @@
                 [attribute(p, x) for x in (gp, gu) if x is not None])
         creds.add(c)
-        if a in to_id: to_id[a].append(c)
-        else: to_id[a] = [ c ]
+        if (project, user) in to_id: to_id[(project,user)].append(c)
+        else: to_id[(project,user)] = [ c ]
     else:
         raise parse_error("Badly formatted local mapping: %s" % l)
 
+
+def parse_protogeni(l, creds, me, to_id, p, gp, gu):
+    right_side_str = '\s*,\s*\(\s*(%s)\s*,\s*(%s)\s*,\s*(%s)\s*,\s*(%s)\s*\)' \
+            % (path_str, id_str, path_str, id_str)
+
+    m = re.match(right_side_str, l)
+    if m:
+        cert, user, key, pw = m.group(1,2,3,4)
+        acert = re.sub('/', '_', cert)
+
+        a = "cert_%s_user_%s" % (acert, user)
+        c = credential(me, a, 
+                [attribute(p, x) for x in (gp, gu) if x is not None])
+        creds.add(c)
+        if (cert, user, key, pw) in to_id: 
+            to_id[(cert, user, key, pw)].append(c)
+        else: 
+            to_id[(cert, user, key, pw)] = [ c ]
+    else:
+        raise parse_error("Badly formatted local mapping: %s" % l)
 
 def parse_dragon(l, creds, me, to_id, p, gp, gu):
@@ -94 +114 @@
             'internal': parse_internal,
             'skel': parse_skel,
+            'protogeni': parse_protogeni,
             }
 
@@ -110 +131 @@
         self.add_option('--key', dest='key', default=None,
                 help='key for the certificate')
+        self.add_option('--dir', dest='dir', default=None,
+                help='Output directory for credentials')
         self.add_option('--type', action='callback', nargs=1, type='str',
                 callback=access_opts.parse_mapper, 
@@ -116 +139 @@
                         ", ".join(access_opts.mappers.keys()) + \
                         'Omit for generic parsing.')
+        self.add_option('--quiet', dest='quiet', action='store_true', 
+                default=False,
+                help='Do not print credential to local attribute map')
+        self.add_option('--create-creds', action='store_true', 
+                dest='create_creds', default=False,
+                help='create credentials for rules.  Requires ' + \
+                        '--cert, --key, and --dir to be given.')
         self.set_defaults(mapper=None)
 
-
+def create_creds(creds, cert, key, dir, creddy='/usr/local/bin/creddy'):
+    def attrs(r):
+        if r.principal and r.attr:
+            return ['--subject-id=%s' % r.principal, 
+                    '--subject-role=%s' %r.attr]
+        elif r.principal:
+            return ['--subject-id=%s' % r.prinicpal]
+        else:
+            raise parse_error('Attribute without a principal?')
+
+    for i, c in enumerate(creds):
+        cmd = [creddy, '--attribute', '--issuer=%s' % cert, '--key=%s' % key,
+                '--role=%s' % c.attr, '--out=%s/cred%d' % (dir, i)]
+        for r in c.req:
+            cmd.extend(attrs(r))
+        print " ".join(cmd)
 
 comment_re = re.compile('^\s*#|^$')
 fedid_str = 'fedid:([0-9a-fA-F]{40})'
 id_str = '[a-zA-Z][\w_-]*'
+path_str = '[a-zA-Z_/\.-]+'
 id_any_str = '(%s|<any>)' % id_str
 id_same_str = '(%s|<same>)' % id_str
@@ -144 +190 @@
     print >>sys.stderr, 'No --cert, using dummy fedid'
     me = fedid(hexstr='0123456789012345678901234567890123456789')
+
+if opts.key and not os.access(opts.key, os.R_OK):
+    sys.exit('Cannot read key (%s)' % opts.key)
+
+if opts.dir:
+    if not os.path.isdir(opts.dir):
+        sys.exit('%s is not a directory' % opts.dir)
+    elif not os.access(opts.dir, os.W_OK):
+        sys.exit('%s is not writable' % opts.dir)
 
 mapper = opts.mapper
@@ -185 +240 @@
         continue
 
-    for c in creds:
-        print "%s" % c
-
-    for k, c in to_id.items():
-        print "%s: %s" % ( k , ", ".join(set(["%s.%s" % (x.principal, x.attr) \
-                for x in c])))
+    if opts.create_creds:
+        if all([opts.cert, opts.key, opts.dir]):
+            create_creds([c for c in creds if c.principal == me],
+                    opts.cert, opts.key, opts.dir)
+        else:
+            print >>sys.stderr, 'Cannot create credentials.  Missing parameter'
+
+    if not opts.quiet:
+        for k, c in to_id.items():
+            for a in set(["%s.%s" % (x.principal, x.attr) for x in c]):
+                print "%s -> (%s)" % ( a, ", ".join(k))