- Timestamp:
- Dec 1, 2010 5:23:19 PM (14 years ago)
- Branches:
- axis_example, compt_changes, info-ops, master
- Children:
- de86b35
- Parents:
- 5c3d542
- File:
-
- 1 edited
fedd/access_to_abac.py
r5c3d542 rd894c21 4 4 import re 5 5 import subprocess 6 import os.path 6 7 7 8 from string import join 9 from optparse import OptionParser, OptionValueError 10 from tempfile import mkdtemp 11 8 12 from federation.fedid import fedid 13 from federation.authorizer import abac_authorizer 9 14 from federation.util import abac_split_cert, abac_pem_type 10 from optparse import OptionParser, OptionValueError11 15 12 16 … … 179 183 # internal plug-ins have no local attributes. 180 184 def parse_internal(l, creds, me, to_id, p, gp, gu, lr): pass 185 186 187 def parse_access(fn, mapper): 188 """ 189 Parse the access file, calling out to the mapper to parse specific 190 credential types. Mappers are above this code. 191 """ 192 creds = set() 193 to_id = { } 194 f = open(fn, "r") 195 for i, l in enumerate(f): 196 try: 197 if comment_re.match(l): 198 continue 199 else: 200 m = line_re.match(l) 201 if m: 202 p, da = m.group(1, 4) 203 gp, gu = m.group(2, 3) 204 if gp == '<any>': gp = None 205 if gu == '<any>': gu = None 206 207 creds.add(credential(me, da, 208 [attribute(p, x, delegation_link) \ 209 for x in (gp, gu) \ 210 if x is not None])) 211 if m.group(5) and mapper: 212 mapper(m.group(5), creds, me, to_id, p, gp, gu, 213 delegation_link) 214 else: 215 raise parse_error('Syntax error') 216 except parse_error, e: 217 f.close() 218 raise parse_error('Error on line %d of %s: %s' % \ 219 (i, fn, e.message)) 220 f.close() 221 222 return creds, to_id 223 181 224 182 225 … … 233 276 help='do not accept delegated attributes with the ' +\ 234 277 'acting_for linking role') 278 self.add_option('--auth', action='store_true', dest='create_auth', 279 default=False, help='create a full ABAC authorizer') 235 280 self.add_option('--debug', action='store_true', dest='debug', 236 281 default=False, help='Just print actions') … … 273 318 raise credential_error("%s: %d" % (join(cmd), rv)) 274 319 320 def clear_dir(dir): 321 for path, dirs, files in os.walk(dir, topdown=False): 322 for f in 
files: os.unlink(os.path.join(path, f)) 323 for d in dirs: os.rmdir(os.path.join(path, d)) 324 275 325 # Regular expressions and parts thereof for parsing 276 326 comment_re = re.compile('^\s*#|^$') … … 290 340 cert, key = None, None 291 341 delete_certs = False 342 delete_creds = False 292 343 293 344 if opts.file: … … 315 366 sys.exit('%s is not writable' % opts.dir) 316 367 368 if opts.create_auth: 369 creds_dir = mkdtemp() 370 delete_creds = True 371 auth_dir = opts.dir 372 else: 373 creds_dir = opts.dir 374 auth_dir = None 375 317 376 if opts.delegate: delegation_link = 'acting_for' 318 377 else: delegation_link = None … … 341 400 # Do the parsing 342 401 for fn in args: 343 creds = set()344 to_id = { }345 402 try: 346 f = open(fn, "r") 347 for i, l in enumerate(f): 348 try: 349 if comment_re.match(l): 350 continue 351 else: 352 m = line_re.match(l) 353 if m: 354 p, da = m.group(1, 4) 355 gp, gu = m.group(2, 3) 356 if gp == '<any>': gp = None 357 if gu == '<any>': gu = None 358 359 creds.add(credential(me, da, 360 [attribute(p, x, delegation_link) \ 361 for x in (gp, gu) \ 362 if x is not None])) 363 if m.group(5) and mapper: 364 mapper(m.group(5), creds, me, to_id, p, gp, gu, 365 delegation_link) 366 else: 367 raise parse_error('Syntax error') 368 except parse_error, e: 369 f.close() 370 raise parse_error('Error on line %d of %s: %s' % \ 371 (i, fn, e.message)) 372 373 f.close() 403 creds, to_id = parse_access(fn, mapper) 374 404 except parse_error, e: 375 405 print >> sys.stderr, "%s" % e … … 386 416 try: 387 417 create_creds([c for c in creds if c.principal == me], 388 cert, key, opts.dir, opts.debug)418 cert, key, creds_dir, opts.debug) 389 419 except credential_error, e: 390 420 sys.exit('Credential creation failed: %s' % e) 391 421 else: 392 print >>sys.stderr, 'Cannot create credentials. Missing parameter' 422 print >>sys.stderr, 'Cannot create credentials. 
' + \ 423 'Missing parameter' 393 424 394 425 # Local map output … … 403 434 print >>f, "%s -> (%s)" % ( a, join(k, ', ')) 404 435 except EnvironmentError, e: 405 sys.exit("Cannot open %s: %s" % (e.filename or '!?', e.strerror)) 436 sys.exit("Cannot open %s: %s" % (e.filename or '!?', 437 e.strerror)) 438 439 # Create an authorizer if requested. 440 if opts.create_auth: 441 clear_dir(auth_dir) 442 try: 443 # Pass in the options rather than the potentially split key 444 # because abac_authorizer will split it and store it 445 # internally. The opts.cert may get split twice, but we won't 446 # lose one. 447 a = abac_authorizer(key=opts.key, me=opts.cert, 448 certs=creds_dir, save=auth_dir) 449 a.save(auth_dir) 450 except EnvironmentError, e: 451 sys.exit("Can't create or write %s: %s" % (e.filename, e.strerror)) 452 except abac_authorizer.bad_cert_error, e: 453 sys.exit("Error creating authorizer: %s" % e) 454 406 455 finally: 407 if delete_certs: 408 if cert: os.unlink(cert) 409 if key: os.unlink(key) 456 try: 457 if delete_certs: 458 if cert: os.unlink(cert) 459 if key: os.unlink(key) 460 if delete_creds and creds_dir: 461 clear_dir(creds_dir) 462 os.rmdir(creds_dir) 463 except EnvironmentError, e: 464 sys.exit("Can't remove %s: %s" % ( e.filename, e.strerror))
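Review bot: `parse_access` closes its file only on the `parse_error` path and on normal completion, so any other exception raised from the loop (for instance out of `mapper`) leaves the handle open, and `enumerate(f)` starts at 0 so the `Error on line %d of %s` message reports one less than the actual line. Replacing `f = open(fn, "r")` with `with open(fn, "r") as f:` wrapping the loop (dropping both `f.close()` calls) and iterating `enumerate(f, 1)` fixes both, assuming the interpreter is 2.6 or newer, which the `except parse_error, e` syntax leaves possible but does not prove. Separately, `clear_dir(auth_dir)` under `--auth` recursively empties the user-supplied `--dir` before the authorizer is written, which the `--auth` help text does not mention; I would give `clear_dir` a docstring such as `"""Remove everything below dir (files, then subdirectories), leaving dir itself in place."""` and extend the `--auth` help to say the target directory is emptied first. The `try` whose `finally:` is extended at the end of this section begins outside the hunk.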