[af36abb] | 1 | #!/usr/local/bin/python |
---|
| 2 | |
---|
| 3 | import ABAC |
---|
| 4 | import Creddy |
---|
| 5 | |
---|
| 6 | import os |
---|
| 7 | import re |
---|
| 8 | import copy |
---|
| 9 | import base64 |
---|
| 10 | |
---|
| 11 | from tempfile import mkdtemp |
---|
| 12 | from shutil import rmtree |
---|
| 13 | |
---|
| 14 | class proof: |
---|
| 15 | def __init__(self, name, prover, role, principal, creds): |
---|
| 16 | self.name = name |
---|
| 17 | self.prover = prover |
---|
| 18 | self.role = role |
---|
| 19 | self.principal = principal |
---|
| 20 | self.ctxt = ABAC.Context() |
---|
| 21 | self.keyid_to_cn = { } |
---|
| 22 | self.cn_to_keyid = { } |
---|
| 23 | attrs = [] |
---|
| 24 | try: |
---|
| 25 | d = mkdtemp() |
---|
| 26 | for c in creds: |
---|
| 27 | cc = self.pem_to_der(c) |
---|
| 28 | succ = self.ctxt.load_id_chunk(cc) |
---|
| 29 | if succ == ABAC.ABAC_CERT_SUCCESS: |
---|
| 30 | try: |
---|
| 31 | fn = os.path.join(d, 'file.pem') |
---|
| 32 | f = open(fn, 'w') |
---|
| 33 | f.write(cc) |
---|
| 34 | f.close() |
---|
| 35 | cid = Creddy.ID(fn) |
---|
| 36 | base_cn = cn = re.sub('_ID.pem$','',cid.cert_filename()) |
---|
| 37 | i = 0 |
---|
| 38 | while cn in self.cn_to_keyid: |
---|
| 39 | cn = '%s%03d' % (base_cn, i) |
---|
| 40 | i += 1 |
---|
| 41 | self.cn_to_keyid[cn] = cid.keyid() |
---|
| 42 | self.keyid_to_cn[cid.keyid()] = cn |
---|
| 43 | except EnvironmentError, e: |
---|
| 44 | print >>sys.stderr, '%s: %s' % (e.filename, e.strerror) |
---|
| 45 | else: |
---|
| 46 | attrs.append(cc) |
---|
| 47 | for c in attrs: |
---|
| 48 | self.ctxt.load_attribute_chunk(c) |
---|
| 49 | finally: |
---|
| 50 | rmtree(d) |
---|
| 51 | |
---|
| 52 | |
---|
| 53 | @staticmethod |
---|
| 54 | def pem_to_der(c): |
---|
| 55 | pat = '-----BEGIN CERTIFICATE-----(.*)-----END CERTIFICATE' |
---|
| 56 | m = re.match(pat, c, re.DOTALL) |
---|
| 57 | if m: return base64.b64decode(m.group(1)) |
---|
| 58 | else: return c |
---|
| 59 | |
---|
| 60 | def replace_keyids(self, s): |
---|
| 61 | for k, v in self.keyid_to_cn.items(): |
---|
| 62 | s = re.sub(k, v, s) |
---|
| 63 | return s |
---|
| 64 | |
---|
| 65 | def __str__(self): |
---|
| 66 | s = 'Name: %s\n' % self.name |
---|
| 67 | s += 'Prover: %s\n' % self.prover |
---|
| 68 | s += 'Principal: %s\n' % self.principal |
---|
| 69 | s += 'Role: %s\n' % self.role |
---|
| 70 | s += 'Creds: \n' |
---|
| 71 | for c in self.ctxt.credentials(): |
---|
| 72 | s += self.replace_keyids( |
---|
| 73 | '%s <- %s\n' % ( c.head().string(), c.tail().string())) |
---|
| 74 | return s |
---|
| 75 | |
---|
| 76 | def read_proofs(fn): |
---|
[a7bffcd] | 77 | proofs = [] |
---|
[af36abb] | 78 | try: |
---|
| 79 | f = open(fn, 'r') |
---|
| 80 | creds = [] |
---|
| 81 | for line in f: |
---|
| 82 | line = line.strip() |
---|
| 83 | if line == '<proof>': |
---|
| 84 | prover = None |
---|
| 85 | principal = None |
---|
| 86 | role = None |
---|
| 87 | creds = [] |
---|
| 88 | elif line == '</proof>' : |
---|
[a7bffcd] | 89 | p = proof(name, prover, role, principal, creds) |
---|
| 90 | ok, pp = p.ctxt.query(role, principal) |
---|
| 91 | if not ok: proofs.append(p) |
---|
[af36abb] | 92 | |
---|
| 93 | m = re.match('<comment>(.*)</comment>', line) |
---|
| 94 | if m is not None: |
---|
| 95 | name = m.group(1) |
---|
| 96 | |
---|
| 97 | m = re.match('<principal>([0-9a-f]+)</principal>', line) |
---|
| 98 | if m is not None: |
---|
| 99 | principal = m.group(1) |
---|
| 100 | |
---|
| 101 | m = re.match('<prover>([0-9a-f]+)</prover>', line) |
---|
| 102 | if m is not None: |
---|
| 103 | prover = m.group(1) |
---|
| 104 | |
---|
| 105 | m = re.match('<attribute>(.*)</attribute>', line) |
---|
| 106 | if m is not None: |
---|
| 107 | role = m.group(1) |
---|
| 108 | |
---|
| 109 | m = re.match('<credential>(.*)</credential>', line) |
---|
| 110 | if m is not None: |
---|
| 111 | creds.append(base64.b64decode(m.group(1))) |
---|
| 112 | f.close() |
---|
| 113 | except EnvironmentError, e: |
---|
| 114 | return None |
---|
| 115 | return proofs |
---|
| 116 | |
---|
| 117 | def interpret_proof(p): |
---|
| 118 | roles = set() |
---|
[a7bffcd] | 119 | direct_roles = {} |
---|
| 120 | groles = set() |
---|
[af36abb] | 121 | principals = set() |
---|
| 122 | goals = set() |
---|
| 123 | attrs = set() |
---|
| 124 | ok, proof = p.ctxt.query(p.role, p.principal) |
---|
| 125 | for c in p.ctxt.credentials(): |
---|
[a7bffcd] | 126 | role = c.tail() |
---|
| 127 | if role.is_principal(): |
---|
| 128 | if role.string() != p.principal: |
---|
| 129 | principals.add(role.string()) |
---|
| 130 | else: |
---|
| 131 | assigner, r = c.head().string().split('.') |
---|
| 132 | direct_roles[r] = assigner |
---|
| 133 | else: |
---|
| 134 | r = role.string() |
---|
| 135 | for s in r.split('&'): |
---|
| 136 | roles.add(s.strip()) |
---|
| 137 | groles.add(r) |
---|
| 138 | |
---|
| 139 | role = c.head() |
---|
| 140 | roles.add(role.string()) |
---|
| 141 | groles.add(role.string()) |
---|
| 142 | |
---|
| 143 | for r in groles: |
---|
[af36abb] | 144 | ok, proof = p.ctxt.query(p.role, r) |
---|
| 145 | if ok : |
---|
| 146 | goals.add(r) |
---|
[a7bffcd] | 147 | for r in roles: |
---|
[af36abb] | 148 | ok, proof = p.ctxt.query(r, p.principal) |
---|
| 149 | if ok: |
---|
| 150 | attrs.add(r) |
---|
| 151 | |
---|
| 152 | split_goals = [ [s.strip() for s in g.split('&')] for g in goals ] |
---|
| 153 | plans = [] |
---|
| 154 | for sg in split_goals: |
---|
| 155 | p = [] |
---|
| 156 | for g in sg: |
---|
[a7bffcd] | 157 | if g.count('.') == 2: |
---|
| 158 | # linking role |
---|
| 159 | pr, rr, lr = g.split('.') |
---|
| 160 | if lr in direct_roles: |
---|
| 161 | p.append('add %s.%s to %s' % (pr, rr, direct_roles[lr])) |
---|
[af36abb] | 162 | else: |
---|
[a7bffcd] | 163 | p.append('someone with %s.%s must delegate %s to %s' % \ |
---|
| 164 | (pr, rr, lr, p.principal)) |
---|
| 165 | elif g.count('.') == 1: |
---|
[af36abb] | 166 | p.append('add %s to %s' % (g, principal)) |
---|
| 167 | plans.append('\n'.join(p)) |
---|
| 168 | |
---|
[a7bffcd] | 169 | return plans |
---|
[af36abb] | 170 | |
---|
| 171 | |
---|
| 172 | proofs = read_proofs('./auth.log') |
---|
[a7bffcd] | 173 | plans = interpret_proof(proofs[0]) |
---|
| 174 | for p in proofs: |
---|
| 175 | plans = interpret_proof(p) |
---|
| 176 | print "%s needs to have %s" % (p.principal, p.role) |
---|
| 177 | print "accompilsh this by: " |
---|
| 178 | first = True |
---|
| 179 | for pl in plans: |
---|
| 180 | if not first: print '---' |
---|
| 181 | else: first = False |
---|
| 182 | print pl |
---|