Changeset c573278 for fedd

Timestamp:

Nov 24, 2010 3:45:50 PM (14 years ago)

Author:

Ted Faber <faber@…>

Branches:

axis_example, compt_changes, info-ops, master

Children:

725c55d

Parents:

de7cb08

Message:

Checkpoint. Still lots to do

Location:

fedd

Files:

• cert_to_fedid.py (added)
• fedd_create.py (modified) (6 diffs)
• fedd_to_abac.py (modified) (3 diffs)
• federation/authorizer.py (modified) (5 diffs)
• federation/client_lib.py (modified) (2 diffs)
• federation/emulab_access.py (modified) (2 diffs)
• federation/experiment_control.py (modified) (14 diffs)
• federation/util.py (modified) (1 diff)
• init_abac_authorizer.py (modified) (2 diffs)

fedd/fedd_create.py

@@ -4 +4 @@
 import re
 import subprocess
+
+import ABAC
 
 from string import join
@@ -12 +14 @@
         wrangle_standard_options, do_rpc, get_experiment_names, save_certfile,\
         get_abac_certs
-from federation.util import abac_split_cert
+from federation.util import abac_split_cert, abac_context_to_creds
 
 class fedd_create_opts(client_opts):
@@ -101 +103 @@
     value if the filename in which the certificate was stored.
     '''
-
     certfile = keyfile = None
     expid = "%s" % fedid
@@ -110 +111 @@
     try:
         keyfile, certfile = abac_split_cert(cert)
-        print "%s %s" % (keyfile, certfile)
 
         rv = 0
-        if name: fn = '%s/%s_attr.der' % (dir, name)
-        else: fn = '%s/%s_attr.der' % (dir, expid)
+        if name: 
+            fn ='%s/%s_attr.der' % (dir, name) 
+            id_fn = '%s/%s_id.pem' % (dir, name)
+        else: 
+            fn = '%s/%s_attr.der' % (dir, expid)
+            id_fn = '%s/%s_id.pem' % (dir, expid)
 
         cmd = [creddy, '--attribute', '--issuer=%s' % certfile, 
@@ -122 +126 @@
         if not debug:
             if subprocess.call(cmd) != 0:
-                return None
+                return []
         else:
             print join(cmd)
-            return None
-
-        f = open(fn, 'r')
-        rv = f.read()
-        f.close()
-        return rv
+            return []
+
+        context = ABAC.Context()
+        if context.load_id_file(certfile) != ABAC.ABAC_CERT_SUCCESS or \
+                context.load_attribute_file(fn) != ABAC.ABAC_CERT_SUCCESS:
+            return []
+        ids, attrs = abac_context_to_creds(context)
+
+        return ids + attrs
+
 
     finally:
@@ -236 +244 @@
 if e_fedid and opts.delegate:
     try:
-        cred = delegate(e_fedid, cert, opts.abac_dir, name=opts.exp_name)
-        if cred:
-            acerts.append(cred)
+        creds = delegate(e_fedid, cert, opts.abac_dir, name=opts.exp_name)
+        if creds:
+            acerts.extend(creds)
     except EnvironmentError, e:
         sys.exit("Cannot delegate rights %s: %s" % (e.filename, e.strerror));

fedd/fedd_to_abac.py

@@ -10 +10 @@
 from string import join
 from optparse import OptionParser
+
+from federation.util import abac_pem_type, abac_split_cert
 
 class Parser(OptionParser):
@@ -46 +48 @@
 parser = Parser()
 opts, args = parser.parse_args()
+cert, key = None, None
+delete_certs = False
 
-if any([ x is None for x in (opts.cert, opts.dir, opts.key)]):
-    print >>sys.stderr, "Need all of --dir, --cert, and --key to create certs"
-    print >>sys.stderr, "Reverting to debug mode"
-    debug = True
-else:
-    debug = opts.debug
 
-if opts.cert and not os.access(opts.cert, os.R_OK):
-    sys.exit('Cannot read %s (certificate file)' % opts.cert)
 
-if opts.key and not os.access(opts.key, os.R_OK):
-    sys.exit('Cannot read %s (key file)' % opts.key)
+if opts.key:
+    if os.access(opts.key, os.R_OK): key = opts.key
+    else: sys.exit('Cannot read %s (key file)' % opts.key)
 
 if opts.dir:
@@ -73 +70 @@
             sys.exit('%s is not writable' % opts.dir)
 
+if opts.cert:
+    if os.access(opts.cert, os.R_OK):
+        if not key:
+            if abac_pem_type(opts.cert) == 'both':
+                key, cert = abac_split_cert(opts.cert)
+                delete_certs = True
+        else:
+            cert = opts.cert
+    else:
+        sys.exit('Cannot read %s (certificate file)' % opts.cert)
+
+if any([ x is None for x in (cert, opts.dir, key)]):
+    print >>sys.stderr, "Need output dir, certificate and key to make creds"
+    print >>sys.stderr, "Reverting to debug mode"
+    debug = True
+else:
+    debug = opts.debug
 
 roles = { }
+try:
+    for fn in args:
+        try:
+            f = open(fn, "r")
+            for l in f:
+                id = None
+                for r in (comment_re, single_re, double_re):
+                    m = r.match(l)
+                    if m: 
+                        if m.groups():
+                            g = m.groups()
+                            id = g[0]
+                            r = [ bad_role.sub('_', x) for x in g[1:] ]
+                        break
+                else:
+                    print 'Unmatched line: %s' % l 
+                if id:
+                    # New and create are implicit.  >sigh<
+                    r.extend(('new', 'create'))
+                    if id in roles: roles[id].add_roles(r)
+                    else: roles[id] = identity(r[0], r)
 
-for fn in args:
-    try:
-        f = open(fn, "r")
-        for l in f:
-            id = None
-            for r in (comment_re, single_re, double_re):
-                m = r.match(l)
-                if m: 
-                    if m.groups():
-                        g = m.groups()
-                        id = g[0]
-                        r = [ bad_role.sub('_', x) for x in g[1:] ]
-                    break
+        except EnvironmentError, e:
+            print >>sys.stderr, 'Cannot open file (%s): %s' % \
+                    (e.filename, e.strerror)
+
+    if not roles:
+        print >>sys.stderr, "No roles found.  Did you specify a configuration?"
+
+    for k, id in roles.items():
+        for i, r in enumerate(id.roles):
+            cmd = ['creddy', '--attribute', 
+                    '--issuer=%s' % (cert or 'cert_file'),
+                    '--key=%s' % (key or 'key_file'), '--role=%s' % r,
+                    '--subject-id=%s' % k,
+                    '--out=%s/%s%03d_attr.der' % \
+                            (opts.dir or 'new_cert_dir', id.name, i)]
+            if debug:
+                print join(cmd)
             else:
-                print 'Unmatched line: %s' % l 
-            if id:
-                # New and create are implicit.  >sigh<
-                r.extend(('new', 'create'))
-                if id in roles: roles[id].add_roles(r)
-                else: roles[id] = identity(r[0], r)
-
-    except EnvironmentError, e:
-        print >>sys.stderr, 'Cannot open file (%s): %e' % e
-
-if not roles:
-    print >>sys.stderr, "No roles found.  Did you specify a configuration?"
-
-for k, id in roles.items():
-    for i, r in enumerate(id.roles):
-        cmd = ['creddy', '--attribute', 
-                '--issuer=%s' % (opts.cert or 'cert_file'),
-                '--key=%s' % (opts.key or 'key_file'), '--role=%s' % r,
-                '--subject-id=%s' % k,
-                '--out=%s/%s%03d_attr.der' % \
-                        (opts.dir or 'new_cert_dir', id.name, i)]
-        if debug:
-            print join(cmd)
-        else:
-            rv =  subprocess.call(cmd)
-            if rv != 0:
-                sys.exit('%s failed: %d' % (join(cmd), rv))
-
+                rv =  subprocess.call(cmd)
+                if rv != 0:
+                    sys.exit('%s failed: %d' % (join(cmd), rv))
+finally:
+    if delete_certs:
+        if cert: os.unlink(cert)
+        if key: os.unlink(key)

fedd/federation/authorizer.py

@@ -18 +18 @@
 
 import sys
-import os
+import os, os.path
 import re
 
@@ -201 +201 @@
         self.me = me
         self.save_dir = load or save
+        if self.save_dir:
+            self.save_dir = os.path.abspath(self.save_dir)
         # If the me parameter is a combination certificate, split it into the
         # abac_authorizer save directory (if any) for use with creddy.
@@ -246 +248 @@
     def import_credential(self, file=None, data=None):
         if data:
-            if self.context.load_id_chunk(data) != ABAC.ABAC_CERT_SUCCESS:
-                return self.context.load_attribute_chunk(data) == \
-                        ABAC.ABAC_CERT_SUCCESS
-            else:
-                return True
+            rv = self.context.load_id_chunk(data)
+            print "id %d" % rv
+            if rv == ABAC.ABAC_CERT_SUCCESS: return True
+            rv = self.context.load_attribute_chunk(data)
+            print "attr %d" % rv
+            return rv == ABAC.ABAC_CERT_SUCCESS
+            #if self.context.load_id_chunk(data) != ABAC.ABAC_CERT_SUCCESS:
+        #       return self.context.load_attribute_chunk(data) == \
+        #               ABAC.ABAC_CERT_SUCCESS
+            ##else:
+        #       return True
         elif file:
             if self.context.load_id_file(file) != ABAC.ABAC_CERT_SUCCESS:
@@ -388 +396 @@
         self.lock.acquire()
         if dir:
-            self.save_dir = dir
+            self.save_dir = os.path.abspath(dir)
         else:
             dir = self.save_dir
@@ -503 +511 @@
             look_for = next_look
             next_look = set()
+        self.lock.release()
         
         return found

fedd/federation/client_lib.py

@@ -84 +84 @@
 
 def get_user_cert():
-    cert = os.path.expanduser("~/.ssl/emulab.pem")
-    if not os.access(cert, os.R_OK):
-        cert = None
+    for c in ("~/.ssl/fedid.pem", "~/.ssl/emulab.pem"):
+        cert = os.path.expanduser(c)
+        if os.access(cert, os.R_OK):
+            break
+        else:
+            cert = None
     return cert
 
@@ -102 +105 @@
             f.close()
     return rv
-
 
 def wrangle_standard_options(opts):

fedd/federation/emulab_access.py

@@ -335 +335 @@
         # Check every attribute that we know how to map and take the first
         # success.
+        print "%s" %self.auth
         for attr in (self.access.keys()):
             if self.auth.check_attribute(fid, attr):
@@ -482 +483 @@
             raise service_error(service_error.req, "No request!?")
 
+        alog = open("./auth.log", 'w')
+        print >>alog, self.auth
+        print >> alog, "after"
+        if self.auth.import_credentials(
+                data_list=req.get('abac_credential', [])):
+            self.auth.save()
+        print >>alog, self.auth
+        alog.close()
 
         if self.auth_type == "legacy":

fedd/federation/experiment_control.py

@@ -20 +20 @@
 from threading import Lock, Thread, Condition
 from subprocess import call, Popen, PIPE
+from string import join
 
 from urlparse import urlparse
@@ -1127 +1128 @@
     def allocate_resources(self, allocated, masters, eid, expid, 
             tbparams, top, topo, tmpdir, alloc_log=None, log_collector=None, 
-            attrs=None, connInfo={}, tbmap=None):
+            attrs=None, connInfo={}, tbmap=None, expcert=None):
 
         started = { }           # Testbeds where a sub-experiment started 
@@ -1142 +1143 @@
         threads = [ ]
         starters = [ ]
+
+        if expcert:
+            cert = expcert
+            pw = None
+        else:
+            cert = self.cert_file
+            pw = self.cert_pw
 
         for tb in allocated.keys():
@@ -1167 +1175 @@
 
             s = self.start_segment(log=log, debug=self.debug,
-                    testbed=tb, cert_file=self.cert_file,
-                    cert_pwd=self.cert_pwd, trusted_certs=self.trusted_certs,
+                    testbed=tb, cert_file=cert,
+                    cert_pwd=pw, trusted_certs=self.trusted_certs,
                     caller=self.call_StartSegment,
                     log_collector=log_collector)
@@ -1432 +1440 @@
 
     def get_abac_access_to_testbeds(self, testbeds, fid, allocated, 
-            tbparams, masters, tbmap):
+            tbparams, masters, tbmap, expid=None, expcert=None):
         for tb in testbeds:
-            self.get_abac_access(tb, tbparams, fid, masters, tbmap)
+            self.get_abac_access(tb, tbparams, fid, masters, tbmap, expid,
+                    expcert)
             allocated[tb] = 1
 
-    def get_abac_access(self, tb, tbparams,fid, masters, tbmap):
+    def get_abac_access(self, tb, tbparams,fid, masters, tbmap, expid=None, expcert=None):
         """
         Get access to testbed through fedd and set the parameters for that tb
@@ -1471 +1480 @@
         creds = set()
         keys = set()
-        for c in self.auth.get_creds_for_principal(fid):
+        certs = self.auth.get_creds_for_principal(fid)
+        if expid:
+            print join([ "%s <- %s" % ( c.head().string(), c.tail().string()) \
+                    for c in self.auth.get_creds_for_principal(expid)])
+            certs.update(self.auth.get_creds_for_principal(expid))
+        for c in certs:
             keys.add(c.issuer_cert())
             creds.add(c.attribute_cert())
         creds = list(keys) + list(creds)
+
+        if expcert: cert, pw = expcert, None
+        else: cert, pw = self.cert_file, self.cert_pw
 
         # Request credentials
@@ -1512 +1529 @@
             r = { 'RequestAccessResponseBody' : r }
         else:
-            r = self.call_RequestAccess(uri, req, 
-                    self.cert_file, self.cert_pwd, self.trusted_certs)
+            r = self.call_RequestAccess(uri, req, cert, pw, self.trusted_certs)
 
         tbparam[tb] = { 
@@ -1653 +1669 @@
         if self.auth.import_credentials(data_list=req.get('credential', [])):
             self.auth.save()
-        
+
         if not self.auth.check_attribute(fid, 'new'):
             raise service_error(service_error.access, "New access denied")
@@ -1747 +1763 @@
             raise service_error(service_error.req, "No request?")
 
+        print "%s" % expid
+        print 'creds ',
+        print join([ "%s <- %s" % ( c.head().string(), c.tail().string()) \
+                for c in self.auth.get_creds_for_principal(expid)])
         # Import information from the requester
         if self.auth.import_credentials(data_list=req.get('credential', [])):
             self.auth.save()
 
+        print 'creds ',
+        print join([ "%s <- %s" % ( c.head().string(), c.tail().string()) \
+                for c in self.auth.get_creds_for_principal(expid)])
         self.check_experiment_access(fid, key)
 
@@ -1808 +1831 @@
                 elif not eid and e.has_key('localname'):
                     eid = e['localname']
+            if 'experimentAccess' in self.state[key] and \
+                    'X509' in self.state[key]['experimentAccess']:
+                expcert = self.state[key]['experimentAccess']['X509']
+            else:
+                expcert = None
         self.state_lock.release()
 
@@ -1813 +1841 @@
             raise service_error(service_error.internal, 
                     "Cannot find local experiment info!?")
+
+        # make a protected copy of the access certificate so the experiment
+        # controller can act as the experiment principal.  mkstemp is the most
+        # secure way to do that and the file is in a directory created by
+        # mkdtemp.  expcert enters the if as the contents of the file and
+        # leaves is as the filename in which the cert is stored.  All this goes
+        # away when the tempfiles are cleared.
+        if expcert:
+            try:
+                certf, certfn = tempfile.mkstemp(suffix=".pem", dir=tmpdir)
+                f = os.fdopen(certf, 'w')
+                print >> f, expcert
+                f.close()
+                expcert = certfn
+            except EnvironmentError, e:
+                raise service_error(service_error.internal, 
+                        "Cannot create temp cert file?")
 
         try: 
@@ -1909 +1954 @@
             elif self.auth_type == 'abac':
                 self.get_abac_access_to_testbeds(testbeds, fid, allocated, 
-                        tbparams, masters, tbmap)
+                        tbparams, masters, tbmap, expid, expcert)
             else:
                 raise service_error(service_error.internal, 
@@ -1955 +2000 @@
             # Now get access to the dynamic testbeds (those added above)
             for tb in [ t for t in topo if t not in allocated]:
+                #XXX: ABAC
                 self.get_access(tb, None, tbparams, access_user, masters, tbmap)
                 allocated[tb] = 1
@@ -2053 +2099 @@
                 args=(allocated, masters, eid, expid, tbparams, 
                     top, topo, tmpdir, alloc_log, alloc_collector, attrs,
-                    connInfo, tbmap),
+                    connInfo, tbmap, expcert),
                 name=eid)
         t.start()

fedd/federation/util.py

@@ -351 +351 @@
     return rkeyfile, rcertfile
 
+def abac_context_to_creds(context):
+    """
+    Pull all the credentials out of the context and return 2  lists of the
+    underlying credentials in an exportable format, IDs and attributes.
+    There are no duplicates in the lists.
+    """
+    ids, attrs = set(), set()
+    # This should be a one-iteration loop
+    for c in context.credentials():
+        ids.add(c.issuer_cert())
+        attrs.add(c.attribute_cert())
+
+    return list(ids), list(attrs)
+
 def find_pickle_problem(o, st=None):
     """

fedd/init_abac_authorizer.py

@@ -2 +2 @@
 
 import sys
+import os, os.path
 
 from optparse import OptionParser
@@ -21 +22 @@
     parser.print_help()
     sys.exit(1)
+
+try:
+    for path, dirs, files in os.walk(opts.out_dir, topdown=False):
+        for f in files: os.unlink(os.path.join(path, f))
+        for d in dirs: os.rmdir(os.path.join(path, d))
+except EnvironmentError, e:
+    sys.exit("Can't remove %s: %s" % ( e.filename, e.strerror))
+
 try:
     a = abac_authorizer(key=opts.key, me=opts.cert, certs=opts.policy,