Changeset bfbaa85 for fedd

Timestamp:

Apr 6, 2012 9:56:22 AM (12 years ago)

Author:

Ted Faber <faber@…>

Branches:

compt_changes, master

Children:

effd4f6

Parents:

e1ede1ac

Message:

Allow update of access controller policy

File:

• fedd/access_to_abac.py (modified) (7 diffs)

fedd/access_to_abac.py

@@ -276 +276 @@
                 type='str', action='callback', callback=self.expand_file,
                 help='File for the attribute to local authorization data')
+        self.add_option('--update', action='store_const', const=True,
+                dest='update_authorizer', default=False, 
+                help='Add the generated policy to an existing authorizer')
         self.add_option('--no-delegate', action='store_false', dest='delegate',
                 default=True,
@@ -292 +295 @@
         self.set_defaults(mapper=None)
 
-def create_creds(creds, cert, key, dir, debug=False, 
-        creddy='/usr/local/bin/creddy'):
+def create_creds(creds, cert, key, dir, debug=False):
     '''
     Make the the attributes from the list of credential
     objects in the creds parameter.
     '''
+    cfiles = []
     for i, c in enumerate(creds):
         cid = Creddy.ID(cert)
@@ -312 +315 @@
                 raise parse_error('Attribute without a principal?')
         cattr.bake()
-        cattr.write_name('%s/cred%d_attr.der' % (dir, i))
+        fn = '%s/cred%d_attr.der' % (dir, i)
+        cattr.write_name(fn)
+        cfiles.append(fn)
+    return cfiles
+
 
 def clear_dir(dir):
@@ -428 +435 @@
     fed_user_cred = None
     fed_someuser_cred = None
+
+credfiles = []
     
 # The try block makes sure that credentials split into tmp files are deleted
@@ -451 +460 @@
             if all([cert, key, opts.dir]):
                 try:
-                    create_creds([c for c in creds if c.principal == me],
+                    credfiles = create_creds(
+                            [c for c in creds if c.principal == me],
                             cert, key, creds_dir, opts.debug)
                 except credential_error, e:
@@ -480 +490 @@
         # Create an authorizer if requested.
         if opts.create_auth:
-            clear_dir(auth_dir)
             try:
                 # Pass in the options rather than the potentially split key
@@ -486 +495 @@
                 # internally.  The opts.cert may get split twice, but we won't
                 # lose one.
-                a = abac_authorizer(key=opts.key, me=opts.cert, 
-                        certs=creds_dir, save=auth_dir)
-                a.save(auth_dir)
+                if opts.update_authorizer:
+                    operation = 'updat'
+                    a = abac_authorizer(load=auth_dir)
+                    a.import_credentials(file_list=credfiles)
+                    a.save()
+                else:
+                    clear_dir(auth_dir)
+                    operation = 'creat'
+                    a = abac_authorizer(key=opts.key, me=opts.cert, 
+                            certs=creds_dir, save=auth_dir)
+                    a.save(auth_dir)
             except EnvironmentError, e:
                 sys.exit("Can't create or write %s: %s" % \
                         (e.filename, e.strerror))
             except abac_authorizer.bad_cert_error, e:
-                sys.exit("Error creating authorizer: %s" % e)
+                sys.exit("Error %sing authorizer: %s" % (operation, e))
 
 finally: