Changeset c573278


Timestamp:
Nov 24, 2010 3:45:50 PM (9 years ago)
Author:
Ted Faber <faber@…>
Branches:
axis_example, compt_changes, info-ops, master
Children:
725c55d
Parents:
de7cb08
Message:

Checkpoint. Still lots to do

Location:
fedd
Files:
1 added
8 edited

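--- a/fedd/fedd_create.py
+++ b/fedd/fedd_create.py
@@ -4,4 +4,6 @@
 import re
 import subprocess
+
+import ABAC
 
 from string import join
@@ -12,5 +14,5 @@
         wrangle_standard_options, do_rpc, get_experiment_names, save_certfile,\
         get_abac_certs
-from federation.util import abac_split_cert
+from federation.util import abac_split_cert, abac_context_to_creds
 
 class fedd_create_opts(client_opts):
@@ -101,5 +103,4 @@
     value if the filename in which the certificate was stored.
     '''
-
     certfile = keyfile = None
     expid = "%s" % fedid
@@ -110,9 +111,12 @@
     try:
         keyfile, certfile = abac_split_cert(cert)
-        print "%s %s" % (keyfile, certfile)
 
         rv = 0
-        if name: fn = '%s/%s_attr.der' % (dir, name)
-        else: fn = '%s/%s_attr.der' % (dir, expid)
+        if name:
+            fn ='%s/%s_attr.der' % (dir, name)
+            id_fn = '%s/%s_id.pem' % (dir, name)
+        else:
+            fn = '%s/%s_attr.der' % (dir, expid)
+            id_fn = '%s/%s_id.pem' % (dir, expid)
 
         cmd = [creddy, '--attribute', '--issuer=%s' % certfile,
@@ -122,13 +126,17 @@
         if not debug:
             if subprocess.call(cmd) != 0:
-                return None
+                return []
         else:
             print join(cmd)
-            return None
-
-        f = open(fn, 'r')
-        rv = f.read()
-        f.close()
-        return rv
+            return []
+
+        context = ABAC.Context()
+        if context.load_id_file(certfile) != ABAC.ABAC_CERT_SUCCESS or \
+                context.load_attribute_file(fn) != ABAC.ABAC_CERT_SUCCESS:
+            return []
+        ids, attrs = abac_context_to_creds(context)
+
+        return ids + attrs
+
 
     finally:
@@ -236,7 +244,7 @@
 if e_fedid and opts.delegate:
     try:
-        cred = delegate(e_fedid, cert, opts.abac_dir, name=opts.exp_name)
-        if cred:
-            acerts.append(cred)
+        creds = delegate(e_fedid, cert, opts.abac_dir, name=opts.exp_name)
+        if creds:
+            acerts.extend(creds)
     except EnvironmentError, e:
         sys.exit("Cannot delegate rights %s: %s" % (e.filename, e.strerror));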
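Review bot: delegate() now returns `[]` from every failure path — creddy exiting non-zero, `load_id_file` or `load_attribute_file` failing — with no diagnostic, and the caller in the last hunk only tests `if creds:`, so a broken delegation silently produces an experiment with no delegated rights and the user sees nothing until a later access denial. Print something before each `return []`, e.g. `print >>sys.stderr, "Cannot load delegation credentials from %s" % fn`. `id_fn` is assigned in both branches but used on no visible line, and `rv = 0` is now dead; if `id_fn` is consumed further down the function keep it, otherwise drop both. delegate() starts before the third hunk and its `finally:` body lies past the fifth.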
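--- a/fedd/fedd_to_abac.py
+++ b/fedd/fedd_to_abac.py
@@ -10,4 +10,6 @@
 from string import join
 from optparse import OptionParser
+
+from federation.util import abac_pem_type, abac_split_cert
 
 class Parser(OptionParser):
@@ -46,17 +48,12 @@
 parser = Parser()
 opts, args = parser.parse_args()
+cert, key = None, None
+delete_certs = False
 
-if any([ x is None for x in (opts.cert, opts.dir, opts.key)]):
-    print >>sys.stderr, "Need all of --dir, --cert, and --key to create certs"
-    print >>sys.stderr, "Reverting to debug mode"
-    debug = True
-else:
-    debug = opts.debug
 
-if opts.cert and not os.access(opts.cert, os.R_OK):
-    sys.exit('Cannot read %s (certificate file)' % opts.cert)
 
-if opts.key and not os.access(opts.key, os.R_OK):
-    sys.exit('Cannot read %s (key file)' % opts.key)
+if opts.key:
+    if os.access(opts.key, os.R_OK): key = opts.key
+    else: sys.exit('Cannot read %s (key file)' % opts.key)
 
 if opts.dir:
@@ -73,47 +70,68 @@
             sys.exit('%s is not writable' % opts.dir)
 
+if opts.cert:
+    if os.access(opts.cert, os.R_OK):
+        if not key:
+            if abac_pem_type(opts.cert) == 'both':
+                key, cert = abac_split_cert(opts.cert)
+                delete_certs = True
+        else:
+            cert = opts.cert
+    else:
+        sys.exit('Cannot read %s (certificate file)' % opts.cert)
+
+if any([ x is None for x in (cert, opts.dir, key)]):
+    print >>sys.stderr, "Need output dir, certificate and key to make creds"
+    print >>sys.stderr, "Reverting to debug mode"
+    debug = True
+else:
+    debug = opts.debug
 
 roles = { }
+try:
+    for fn in args:
+        try:
+            f = open(fn, "r")
+            for l in f:
+                id = None
+                for r in (comment_re, single_re, double_re):
+                    m = r.match(l)
+                    if m:
+                        if m.groups():
+                            g = m.groups()
+                            id = g[0]
+                            r = [ bad_role.sub('_', x) for x in g[1:] ]
+                        break
+                else:
+                    print 'Unmatched line: %s' % l
+                if id:
+                    # New and create are implicit.  >sigh<
+                    r.extend(('new', 'create'))
+                    if id in roles: roles[id].add_roles(r)
+                    else: roles[id] = identity(r[0], r)
 
-for fn in args:
-    try:
-        f = open(fn, "r")
-        for l in f:
-            id = None
-            for r in (comment_re, single_re, double_re):
-                m = r.match(l)
-                if m:
-                    if m.groups():
-                        g = m.groups()
-                        id = g[0]
-                        r = [ bad_role.sub('_', x) for x in g[1:] ]
-                    break
+        except EnvironmentError, e:
+            print >>sys.stderr, 'Cannot open file (%s): %s' % \
+                    (e.filename, e.strerror)
+
+    if not roles:
+        print >>sys.stderr, "No roles found.  Did you specify a configuration?"
+
+    for k, id in roles.items():
+        for i, r in enumerate(id.roles):
+            cmd = ['creddy', '--attribute',
+                    '--issuer=%s' % (cert or 'cert_file'),
+                    '--key=%s' % (key or 'key_file'), '--role=%s' % r,
+                    '--subject-id=%s' % k,
+                    '--out=%s/%s%03d_attr.der' % \
+                            (opts.dir or 'new_cert_dir', id.name, i)]
+            if debug:
+                print join(cmd)
             else:
-                print 'Unmatched line: %s' % l
-            if id:
-                # New and create are implicit.  >sigh<
-                r.extend(('new', 'create'))
-                if id in roles: roles[id].add_roles(r)
-                else: roles[id] = identity(r[0], r)
-
-    except EnvironmentError, e:
-        print >>sys.stderr, 'Cannot open file (%s): %e' % e
-
-if not roles:
-    print >>sys.stderr, "No roles found.  Did you specify a configuration?"
-
-for k, id in roles.items():
-    for i, r in enumerate(id.roles):
-        cmd = ['creddy', '--attribute',
-                '--issuer=%s' % (opts.cert or 'cert_file'),
-                '--key=%s' % (opts.key or 'key_file'), '--role=%s' % r,
-                '--subject-id=%s' % k,
-                '--out=%s/%s%03d_attr.der' % \
-                        (opts.dir or 'new_cert_dir', id.name, i)]
-        if debug:
-            print join(cmd)
-        else:
-            rv =  subprocess.call(cmd)
-            if rv != 0:
-                sys.exit('%s failed: %d' % (join(cmd), rv))
-
+                rv =  subprocess.call(cmd)
+                if rv != 0:
+                    sys.exit('%s failed: %d' % (join(cmd), rv))
+finally:
+    if delete_certs:
+        if cert: os.unlink(cert)
+        if key: os.unlink(key)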
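Review bot: When `abac_pem_type(opts.cert) == 'both'` the combined PEM is split into separate key and cert files that live until the `finally:` at the end unlinks them; abac_split_cert is not shown here, so confirm it creates them with mkstemp (mode 0600) rather than a predictable name, because the key file holds the private key for the whole run and survives a SIGKILL. The cleanup can also mask the real error: if either `os.unlink` raises, that EnvironmentError replaces the SystemExit from `sys.exit('%s failed: %d' % ...)` above it, so guard each with `try: os.unlink(cert)` / `except EnvironmentError: pass`. `delete_certs` is only set in the split branch, so a user-supplied `--key`/`--cert` is never deleted; a one-line comment there, `# only remove files we created ourselves`, makes that intent explicit.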
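--- a/fedd/federation/authorizer.py
+++ b/fedd/federation/authorizer.py
@@ -18,5 +18,5 @@
 
 import sys
-import os
+import os, os.path
 import re
 
@@ -201,4 +201,6 @@
         self.me = me
         self.save_dir = load or save
+        if self.save_dir:
+            self.save_dir = os.path.abspath(self.save_dir)
         # If the me parameter is a combination certificate, split it into the
         # abac_authorizer save directory (if any) for use with creddy.
@@ -246,9 +248,15 @@
     def import_credential(self, file=None, data=None):
         if data:
-            if self.context.load_id_chunk(data) != ABAC.ABAC_CERT_SUCCESS:
-                return self.context.load_attribute_chunk(data) == \
-                        ABAC.ABAC_CERT_SUCCESS
-            else:
-                return True
+            rv = self.context.load_id_chunk(data)
+            print "id %d" % rv
+            if rv == ABAC.ABAC_CERT_SUCCESS: return True
+            rv = self.context.load_attribute_chunk(data)
+            print "attr %d" % rv
+            return rv == ABAC.ABAC_CERT_SUCCESS
+            #if self.context.load_id_chunk(data) != ABAC.ABAC_CERT_SUCCESS:
+        #       return self.context.load_attribute_chunk(data) == \
+        #               ABAC.ABAC_CERT_SUCCESS
+            ##else:
+        #       return True
         elif file:
             if self.context.load_id_file(file) != ABAC.ABAC_CERT_SUCCESS:
@@ -388,5 +396,5 @@
         self.lock.acquire()
         if dir:
-            self.save_dir = dir
+            self.save_dir = os.path.abspath(dir)
         else:
             dir = self.save_dir
@@ -503,4 +511,5 @@
             look_for = next_look
             next_look = set()
+        self.lock.release()
        
         return found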
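Review bot: import_credential() now prints `"id %d"` / `"attr %d"` to stdout for every credential it is handed; this is library code loaded by the fedd daemon and the access controllers, so the output lands wherever the service's stdout goes, and the commented-out previous implementation beneath it should not ship inside the same method either. Delete the prints or route them through the logger the module uses — `rv = self.context.load_id_chunk(data)` / `if rv == ABAC.ABAC_CERT_SUCCESS: return True` already reads cleanly without them. In the last hunk a `self.lock.release()` is added before `return found` while the matching acquire is outside the hunk; if anything between them can raise, the lock is never released and every later caller blocks, so the pair belongs in `try:` / `finally: self.lock.release()`.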
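--- a/fedd/federation/client_lib.py
+++ b/fedd/federation/client_lib.py
@@ -84,7 +84,10 @@
 
 def get_user_cert():
-    cert = os.path.expanduser("~/.ssl/emulab.pem")
-    if not os.access(cert, os.R_OK):
-        cert = None
+    for c in ("~/.ssl/fedid.pem", "~/.ssl/emulab.pem"):
+        cert = os.path.expanduser(c)
+        if os.access(cert, os.R_OK):
+            break
+        else:
+            cert = None
     return cert
 
@@ -102,5 +105,4 @@
             f.close()
     return rv
-
 
 def wrangle_standard_options(opts):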
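Review bot: get_user_cert() now silently prefers `~/.ssl/fedid.pem` over `~/.ssl/emulab.pem`, and nothing in the function says so; a one-line docstring, `"""Return the first readable file among ~/.ssl/fedid.pem and ~/.ssl/emulab.pem, or None."""`, records the precedence a user debugging a "wrong identity" problem will need. The `else: cert = None` hangs off the `if`, so the function only returns None because the last iteration happens to assign it; Python's `for`/`else` states the intent directly — drop the inner `else` and attach `else: cert = None` to the `for`. `os.access` is check-then-use, so the caller still has to handle the eventual open failing; the function is complete within the hunk.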
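--- a/fedd/federation/emulab_access.py
+++ b/fedd/federation/emulab_access.py
@@ -335,4 +335,5 @@
         # Check every attribute that we know how to map and take the first
         # success.
+        print "%s" %self.auth
         for attr in (self.access.keys()):
             if self.auth.check_attribute(fid, attr):
@@ -482,4 +483,12 @@
             raise service_error(service_error.req, "No request!?")
 
+        alog = open("./auth.log", 'w')
+        print >>alog, self.auth
+        print >> alog, "after"
+        if self.auth.import_credentials(
+                data_list=req.get('abac_credential', [])):
+            self.auth.save()
+        print >>alog, self.auth
+        alog.close()
 
         if self.auth_type == "legacy":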
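Review bot: The request handler now opens `./auth.log` for writing on every request and dumps the authorizer into it; the path is relative to the daemon's working directory, the file is created with the process umask (normally world-readable), it is truncated on each call, and an exception from import_credentials leaves the handle open. Whatever the authorizer's `__str__` reveals about loaded credentials is thereby readable by any local user. If the trace is still wanted while debugging, send it through the logging the service uses elsewhere (not visible here) or at least open it under the state directory with mode 0600 inside a try/finally; the `print "%s" %self.auth` added in the first hunk has the same stdout problem. Both enclosing methods begin before their hunks.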
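--- a/fedd/federation/experiment_control.py
+++ b/fedd/federation/experiment_control.py
@@ -20,4 +20,5 @@
 from threading import Lock, Thread, Condition
 from subprocess import call, Popen, PIPE
+from string import join
 
 from urlparse import urlparse
@@ -1127,5 +1128,5 @@
     def allocate_resources(self, allocated, masters, eid, expid,
             tbparams, top, topo, tmpdir, alloc_log=None, log_collector=None,
-            attrs=None, connInfo={}, tbmap=None):
+            attrs=None, connInfo={}, tbmap=None, expcert=None):
 
         started = { }           # Testbeds where a sub-experiment started
@@ -1142,4 +1143,11 @@
         threads = [ ]
         starters = [ ]
+
+        if expcert:
+            cert = expcert
+            pw = None
+        else:
+            cert = self.cert_file
+            pw = self.cert_pw
 
         for tb in allocated.keys():
@@ -1167,6 +1175,6 @@
 
             s = self.start_segment(log=log, debug=self.debug,
-                    testbed=tb, cert_file=self.cert_file,
-                    cert_pwd=self.cert_pwd, trusted_certs=self.trusted_certs,
+                    testbed=tb, cert_file=cert,
+                    cert_pwd=pw, trusted_certs=self.trusted_certs,
                     caller=self.call_StartSegment,
                     log_collector=log_collector)
@@ -1432,10 +1440,11 @@
 
     def get_abac_access_to_testbeds(self, testbeds, fid, allocated,
-            tbparams, masters, tbmap):
+            tbparams, masters, tbmap, expid=None, expcert=None):
         for tb in testbeds:
-            self.get_abac_access(tb, tbparams, fid, masters, tbmap)
+            self.get_abac_access(tb, tbparams, fid, masters, tbmap, expid,
+                    expcert)
             allocated[tb] = 1
 
-    def get_abac_access(self, tb, tbparams,fid, masters, tbmap):
+    def get_abac_access(self, tb, tbparams,fid, masters, tbmap, expid=None, expcert=None):
         """
         Get access to testbed through fedd and set the parameters for that tb
@@ -1471,8 +1480,16 @@
         creds = set()
         keys = set()
-        for c in self.auth.get_creds_for_principal(fid):
+        certs = self.auth.get_creds_for_principal(fid)
+        if expid:
+            print join([ "%s <- %s" % ( c.head().string(), c.tail().string()) \
+                    for c in self.auth.get_creds_for_principal(expid)])
+            certs.update(self.auth.get_creds_for_principal(expid))
+        for c in certs:
             keys.add(c.issuer_cert())
             creds.add(c.attribute_cert())
         creds = list(keys) + list(creds)
+
+        if expcert: cert, pw = expcert, None
+        else: cert, pw = self.cert_file, self.cert_pw
 
         # Request credentials
@@ -1512,6 +1529,5 @@
             r = { 'RequestAccessResponseBody' : r }
         else:
-            r = self.call_RequestAccess(uri, req,
-                    self.cert_file, self.cert_pwd, self.trusted_certs)
+            r = self.call_RequestAccess(uri, req, cert, pw, self.trusted_certs)
 
         tbparam[tb] = {
@@ -1653,5 +1669,5 @@
         if self.auth.import_credentials(data_list=req.get('credential', [])):
             self.auth.save()
-       
+
         if not self.auth.check_attribute(fid, 'new'):
             raise service_error(service_error.access, "New access denied")
@@ -1747,8 +1763,15 @@
             raise service_error(service_error.req, "No request?")
 
+        print "%s" % expid
+        print 'creds ',
+        print join([ "%s <- %s" % ( c.head().string(), c.tail().string()) \
+                for c in self.auth.get_creds_for_principal(expid)])
         # Import information from the requester
         if self.auth.import_credentials(data_list=req.get('credential', [])):
             self.auth.save()
 
+        print 'creds ',
+        print join([ "%s <- %s" % ( c.head().string(), c.tail().string()) \
+                for c in self.auth.get_creds_for_principal(expid)])
         self.check_experiment_access(fid, key)
 
@@ -1808,4 +1831,9 @@
                 elif not eid and e.has_key('localname'):
                     eid = e['localname']
+            if 'experimentAccess' in self.state[key] and \
+                    'X509' in self.state[key]['experimentAccess']:
+                expcert = self.state[key]['experimentAccess']['X509']
+            else:
+                expcert = None
         self.state_lock.release()
 
@@ -1813,4 +1841,21 @@
             raise service_error(service_error.internal,
                     "Cannot find local experiment info!?")
+
+        # make a protected copy of the access certificate so the experiment
+        # controller can act as the experiment principal.  mkstemp is the most
+        # secure way to do that and the file is in a directory created by
+        # mkdtemp.  expcert enters the if as the contents of the file and
+        # leaves is as the filename in which the cert is stored.  All this goes
+        # away when the tempfiles are cleared.
+        if expcert:
+            try:
+                certf, certfn = tempfile.mkstemp(suffix=".pem", dir=tmpdir)
+                f = os.fdopen(certf, 'w')
+                print >> f, expcert
+                f.close()
+                expcert = certfn
+            except EnvironmentError, e:
+                raise service_error(service_error.internal,
+                        "Cannot create temp cert file?")
 
         try:
@@ -1909,5 +1954,5 @@
             elif self.auth_type == 'abac':
                 self.get_abac_access_to_testbeds(testbeds, fid, allocated,
-                        tbparams, masters, tbmap)
+                        tbparams, masters, tbmap, expid, expcert)
             else:
                 raise service_error(service_error.internal,
@@ -1955,4 +2000,5 @@
             # Now get access to the dynamic testbeds (those added above)
             for tb in [ t for t in topo if t not in allocated]:
+                #XXX: ABAC
                 self.get_access(tb, None, tbparams, access_user, masters, tbmap)
                 allocated[tb] = 1
@@ -2053,5 +2099,5 @@
                 args=(allocated, masters, eid, expid, tbparams,
                     top, topo, tmpdir, alloc_log, alloc_collector, attrs,
-                    connInfo, tbmap),
+                    connInfo, tbmap, expcert),
                 name=eid)
         t.start()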
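Review bot: allocate_resources and get_abac_access now read `self.cert_pw`, while the lines they replace read `self.cert_pwd`; unless the class defines both attributes one of the two spellings raises AttributeError, and because the expcert path sets `pw = None` the failure only shows up for experiments with no stored X509 under `experimentAccess`. Settle on one name in both places, e.g. `else: cert, pw = self.cert_file, self.cert_pwd`. The `print join([...])` statements in get_abac_access and in the later handler write every credential head/tail for the experiment principal to the daemon's stdout on each request; they should become log calls or go before this leaves checkpoint state. `certs.update(...)` mutates whatever get_creds_for_principal returns, which is a problem if the authorizer hands back its own internal set rather than a copy — worth confirming. The mkstemp copy of the experiment certificate is the right approach; all of the touched methods extend past their hunks.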
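--- a/fedd/federation/util.py
+++ b/fedd/federation/util.py
@@ -351,4 +351,18 @@
     return rkeyfile, rcertfile
 
+def abac_context_to_creds(context):
+    """
+    Pull all the credentials out of the context and return 2  lists of the
+    underlying credentials in an exportable format, IDs and attributes.
+    There are no duplicates in the lists.
+    """
+    ids, attrs = set(), set()
+    # This should be a one-iteration loop
+    for c in context.credentials():
+        ids.add(c.issuer_cert())
+        attrs.add(c.attribute_cert())
+
+    return list(ids), list(attrs)
+
 def find_pickle_problem(o, st=None):
     """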
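Review bot: The comment `# This should be a one-iteration loop` on abac_context_to_creds is misleading: the loop visits every credential in the context, once each; what it presumably means is that a single pass suffices because the sets collapse issuer certs shared by several attribute credentials. Replace it with `# one pass over the context; the sets drop the issuer cert repeated across attribute creds` if that is the intent. The docstring should also say that the order of the two returned lists is unspecified, since they are built from sets and fedd_create concatenates them with `ids + attrs`; a caller must not rely on issuer-before-attribute ordering. The function is complete within the hunk.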
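--- a/fedd/init_abac_authorizer.py
+++ b/fedd/init_abac_authorizer.py
@@ -2,4 +2,5 @@
 
 import sys
+import os, os.path
 
 from optparse import OptionParser
@@ -21,4 +22,12 @@
     parser.print_help()
     sys.exit(1)
+
+try:
+    for path, dirs, files in os.walk(opts.out_dir, topdown=False):
+        for f in files: os.unlink(os.path.join(path, f))
+        for d in dirs: os.rmdir(os.path.join(path, d))
+except EnvironmentError, e:
+    sys.exit("Can't remove %s: %s" % ( e.filename, e.strerror))
+
 try:
     a = abac_authorizer(key=opts.key, me=opts.cert, certs=opts.policy,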
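Review bot: The new block recursively deletes everything under `opts.out_dir` before the authorizer is created, with no confirmation, no check that the directory is an existing authorizer store, and no guard against a mistyped argument; pointing it at `$HOME` or, as root, `/` empties the tree file by file. Gate the wipe behind an explicit option and refuse obviously wrong targets, e.g. `if opts.clean and os.path.realpath(opts.out_dir) not in ('/', os.path.expanduser('~')):`, or only remove entries the tool itself writes. `os.walk` does not follow symlinked directories by default, so a symlink under out_dir reaches `os.rmdir`, which fails with ENOTDIR and aborts the run through the except clause — safe, but worth a comment. The `abac_authorizer(...)` call in the closing context lines continues past the hunk.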