Changeset af25848

Timestamp:

Sep 15, 2010 2:25:01 AM (14 years ago)

Author:

Ted Faber <faber@…>

Branches:

axis_example, compt_changes, info-ops, master

Children:

87c0fc1

Parents:

5a721ed

Message:

Comments

File:

• fedd/access_to_abac.py (modified) (18 diffs)

fedd/access_to_abac.py

@@ -8 +8 @@
 
 class attribute:
+    '''
+    Encapculate a principal/attribute pair.
+    '''
     def __init__(self, p, a):
         self.principal = p
@@ -13 +16 @@
 
     def __str__(self):
-        return "%s.%s" % (self.principal, self.attr)
+        if self.attr:
+            return "%s.%s" % (self.principal, self.attr)
+        else:
+            return "%s" % self.principal
 
 class credential:
+    '''
+    A Credential, that is the requisites (as attributes) and the assigned
+    attribute (as principal, attr).   If req is iterable, the requirements are
+    an intersection/conjunction.
+    '''
     def __init__(self, p, a, req):
         self.principal = p
@@ -31 +42 @@
             return "%s.%s <- %s" % (self.principal, self.attr, self.req)
 
+# Mappinng generation functiona and the access parser throw these when there is
+# a parsing problem.
 class parse_error(RuntimeError): pass
 
+# Functions to parse the individual access maps as well as an overall function
+# to parse generic ones.  The specific ones create a credential to local
+# attributes mapping and the global one creates the access policy credentials.
+
+#  All the local parsing functions get the unparsed remainder of the line
+#  (after the three-name and the attribute it maps to), the credential list to
+#  add the new ABAC credential(s) that will be mapped into the loacl
+#  credentials, the fedid of this entity, a dict mapping the local credentials
+#  to ABAC credentials that are required to exercise those local rights and the
+#  three-name (p, gp, gu) that is being mapped.
 def parse_emulab(l, creds, me, to_id, p, gp, gu):
+    '''
+    Parse the emulab (project, allocation_user, access_user) format.  Access
+    users are deprecates and allocation users used for both.  This fuction
+    collapses them.
+    '''
     right_side_str = '\s*,\s*\(\s*%s\s*,\s*%s\s*,\s*%s\s*\)' % \
             (id_same_str, id_same_str,id_same_str)
@@ -40 +68 @@
     if m:
         project, user = m.group(1,2)
+        # Resolve "<same>"s in project and user
         if project == '<same>':
             if gp  is not None:
@@ -50 +79 @@
             else:
                 raise parse_error("User cannot be decisively mapped: %s" % l)
+
+        # Create a semi-mnemonic name for the destination credential (the one
+        # that will be mapped to the local attributes
         if project and user:
             a = 'project_%s_user_%s' % (project, user)
@@ -59 +91 @@
             raise parse_error("No mapping for %s/%s!?" % (gp, gu))
 
+        # Store the creds and map entries
         c = credential(me, a, 
                 [attribute(p, x) for x in (gp, gu) if x is not None])
@@ -69 +102 @@
 
 def parse_protogeni(l, creds, me, to_id, p, gp, gu):
+    '''
+    Parse the protoGENI (cert, user, user_key, cert_pw) format.
+    '''
     right_side_str = '\s*,\s*\(\s*(%s)\s*,\s*(%s)\s*,\s*(%s)\s*,\s*(%s)\s*\)' \
             % (path_str, id_str, path_str, id_str)
@@ -75 +111 @@
     if m:
         cert, user, key, pw = m.group(1,2,3,4)
+        # The credential is formed from just the path (with / mapped to _) and
+        # the username.
         acert = re.sub('/', '_', cert)
 
         a = "cert_%s_user_%s" % (acert, user)
+
+        # Store em
         c = credential(me, a, 
                 [attribute(p, x) for x in (gp, gu) if x is not None])
@@ -89 +129 @@
 
 def parse_dragon(l, creds, me, to_id, p, gp, gu):
+    '''
+    Parse the dragon (repository_name) version.
+    '''
     right_side_str = '\s*,\s*\(\s*(%s)\s*\)' % \
             (id_str)
@@ -103 +146 @@
         raise parse_error("Badly formatted local mapping: %s" % l)
 
-parse_skel = parse_dragon
-
+def parse_skel(l, creds, me, to_id, p, gp, gu):
+    '''
+    Parse the skeleton (local_attr) version.
+    '''
+    right_side_str = '\s*,\s*\(\s*(%s)\s*\)' % \
+            (id_str)
+
+    m = re.match(right_side_str, l)
+    if m:
+        lattr = m.group(1)
+        c = credential(me, 'lattr_%s' % lattr, 
+                [attribute(p, x) for x in (gp, gu) if x is not None])
+        creds.add(c)
+        if lattr in to_id: to_id[lattr].append(c)
+        else: to_id[lattr] = [ c ]
+    else:
+        raise parse_error("Badly formatted local mapping: %s" % l)
+
+# internal plug-ins have no local attributes.
 def parse_internal(l, creds, me, to_id, p, gp, gu): pass
 
 
 class access_opts(OptionParser):
+    '''
+    Parse the options for this program.  Most are straightforward, but the
+    mapper uses a callback to convert from a string to a local mapper function.
+    '''
+    # Valid mappers
     mappers = { 
             'emulab': parse_emulab, 
@@ -149 +214 @@
 
 def create_creds(creds, cert, key, dir, creddy='/usr/local/bin/creddy'):
+    '''
+    Make the creddy calls to create the attributes from the list of credential
+    objects in the creds parameter.
+    '''
     def attrs(r):
+        '''
+        Convert an attribute into creddy --subject-id and --subject-role
+        parameters
+        '''
         if r.principal and r.attr:
             return ['--subject-id=%s' % r.principal, 
@@ -158 +231 @@
             raise parse_error('Attribute without a principal?')
 
+    # main line of create_creds
     for i, c in enumerate(creds):
         cmd = [creddy, '--attribute', '--issuer=%s' % cert, '--key=%s' % key,
@@ -165 +239 @@
         print " ".join(cmd)
 
+# Regular expressions and parts thereof for parsing
 comment_re = re.compile('^\s*#|^$')
 fedid_str = 'fedid:([0-9a-fA-F]{40})'
@@ -179 +254 @@
 opts, args = p.parse_args()
 
+# Validate arguments
 if len(args) < 1:
     sys.exit('No filenames given to parse')
@@ -202 +278 @@
 mapper = opts.mapper
 
+# Do the parsing
 for fn in args:
     creds = set()
@@ -227 +304 @@
                         raise parse_error('Syntax error')
             except parse_error, e:
+                f.close()
                 raise parse_error('Error on line %d of %s: %s' % \
                         (i, fn, e.message))
@@ -240 +318 @@
         continue
 
+    # Credential output
     if opts.create_creds:
         if all([opts.cert, opts.key, opts.dir]):
@@ -247 +326 @@
             print >>sys.stderr, 'Cannot create credentials.  Missing parameter'
 
+    # Local map output
     if not opts.quiet:
         for k, c in to_id.items():