#!/usr/local/bin/python
import gtk
import gobject
import ABAC
import Creddy
import sys, os
import re
import copy
import base64
import ConfigParser
from tempfile import mkdtemp
from shutil import rmtree
class proof:
def __init__(self, name, prover, role, principal, creds):
self.name = name
self.prover = prover
self.role = role
self.principal = principal
self.ctxt = ABAC.Context()
self.keyid_to_cn = { }
self.cn_to_keyid = { }
attrs = []
try:
d = mkdtemp()
for c in creds:
cc = self.pem_to_der(c)
succ = self.ctxt.load_id_chunk(cc)
if succ == ABAC.ABAC_CERT_SUCCESS:
try:
fn = os.path.join(d, 'file.pem')
f = open(fn, 'w')
f.write(cc)
f.close()
cid = Creddy.ID(fn)
base_cn = cn = re.sub('_ID.pem$','',cid.cert_filename())
i = 0
while cn in self.cn_to_keyid:
cn = '%s%03d' % (base_cn, i)
i += 1
self.cn_to_keyid[cn] = cid.keyid()
self.keyid_to_cn[cid.keyid()] = cn
except EnvironmentError, e:
print >>sys.stderr, '%s: %s' % (e.filename, e.strerror)
else:
attrs.append(cc)
for c in attrs:
self.ctxt.load_attribute_chunk(c)
finally:
rmtree(d)
@staticmethod
def pem_to_der(c):
pat = '-----BEGIN CERTIFICATE-----(.*)-----END CERTIFICATE'
m = re.match(pat, c, re.DOTALL)
if m: return base64.b64decode(m.group(1))
else: return c
def replace_keyids(self, s):
for k, v in self.keyid_to_cn.items():
s = re.sub(k, v, s)
return s
def __str__(self):
s = 'Name: %s\n' % self.name
s += 'Prover: %s\n' % self.prover
s += 'Principal: %s\n' % self.principal
s += 'Role: %s\n' % self.role
s += 'Creds: \n'
for c in self.ctxt.credentials():
s += self.replace_keyids(
'%s <- %s\n' % ( c.head().string(), c.tail().string()))
return s
class window(gtk.Window):
'''
The main GUI class. It presents the various TreeViews and menus to
save/load/add, to add credentials, identities and actions and to change the
policy translation variable. It keeps its current size and location in the
.abac_policy_tool.cfg file in the user's home.
'''
# Definition of the menus
ui_def = '''
'''
# Path to the configuration
cfg_path = os.path.join(os.path.expanduser('~'), '.abac_proof_explainer.cfg')
@staticmethod
def wrapit(widget):
'''
Put widget into a ScrolledWindow with automatic scrollbars on both
directions, and return the ScrolledWindow.
'''
sw = gtk.ScrolledWindow()
sw.set_policy(gtk.POLICY_AUTOMATIC, gtk.POLICY_AUTOMATIC)
sw.add(widget)
return sw
def translate_keyids(self, s):
for k, n in self.key_to_name:
s = re.sub(k, n, s)
return s
def makeListView(self, l, title):
lm = gtk.ListStore(gobject.TYPE_STRING)
tv = gtk.TreeView(lm)
tv.append_column(gtk.TreeViewColumn(title,
gtk.CellRendererText(), text=0))
for v in l:
lm.append((self.translate_keyids(v),))
return tv
def report_error(self, message):
'''
Put a MessageDialog up with the given message. This is a member method
so that it can be centered on the window.
'''
md = gtk.MessageDialog(self, gtk.DIALOG_MODAL,
gtk.MESSAGE_ERROR, gtk.BUTTONS_CLOSE,
message)
md.run()
md.destroy()
def __init__(self, fn):
'''
Initialize all the GTK hooks for menus, put the various TreeViews up
(connected to the policy) and read teh configuration for current
position.
'''
gtk.Window.__init__(self, gtk.WINDOW_TOPLEVEL)
self.key_to_name = []
try:
f = open('./names', 'r')
for l in f:
m = re.match('(\\S+)\s+(\\S+)', l)
if m:
self.key_to_name.append((m.group(1), m.group(2)))
f.close()
except EnvironmentError:
pass
self.set_title('ABAC Policy Tool')
self.connect('destroy', self.quit)
self.connect('show', self.shown)
self.connect('configure-event', self.changed)
self.pos = (0,0)
self.size = (500, 500)
self.read_config()
self.proofs = []
# Make the Menus real
ui = gtk.UIManager()
ag = gtk.ActionGroup('action')
ag.add_actions((
('FileMenu', None, 'File'),
('FileQuit', gtk.STOCK_QUIT, None, None, None, self.quit),
))
# load and append call the same method with different user data -
# whether to clear current policy or not.
ag.add_actions((
('FileLoad', gtk.STOCK_OPEN, None, None, None, self.load),
), True)
ui.insert_action_group(ag, -1)
ui.add_ui_from_string(window.ui_def)
# Put it all together and show it.
mb = ui.get_widget('ui/menubar')
vb = gtk.VBox()
vb.pack_start(mb, False, False, 0)
#vb.pack_start(nb, True, True, 0)
self.add(vb)
if fn is not None:
self.read_proofs(fn)
# XXX multiple proofs
self.get_child().add(self.interpret_proof(self.proofs[0]))
self.show_all()
def quit(self, widget=None, data=None):
'''
Called from File->Quit in the menu. Save location/size and exit
'''
self.save_config()
gtk.main_quit()
def load(self, widget=None, data=None):
'''
Called to either load or append to the loaded policy. data is the
clearit parameter to the load call. Other than that, just put up a
requester and do the thing.
'''
d = gtk.FileChooserDialog('Load file', self,
gtk.FILE_CHOOSER_ACTION_OPEN, (
gtk.STOCK_CANCEL, gtk.RESPONSE_CANCEL,
gtk.STOCK_OK, gtk.RESPONSE_OK))
d.set_select_multiple(False)
d.set_current_folder('.')
d.set_do_overwrite_confirmation(True)
rv = d.run()
d.hide()
if rv == gtk.RESPONSE_OK:
self.read_proofs(d.get_filename())
# XXX multiple proofs
self.get_child().add(self.interpret_proof(self.proofs[0]))
self.show_all()
d.destroy()
def shown(self, w):
'''
Handles an event where the window appears. Move to the saved position
and size.
'''
self.move(*self.pos)
self.resize(*self.size)
def changed(self, w, e):
'''
Handles an event where the window changes (resizes or moves). Remember
the size and position.
'''
self.pos = self.get_position()
self.size = self.get_size()
def get_intpair(self, sect, opt):
'''
Utility to pull a pair of integers from a configuration file. The size
and position are thsi kind of data, so this is used a couple places.
'''
if not self.cfg.has_section(sect):
self.cfg.add_section(sect)
if self.cfg.has_option(sect, opt):
try:
return [int(x) for x in self.cfg.get(sect, opt).split(',', 1)]
except ValueError:
return None
else:
return None
def read_config(self):
'''
Get the saved size and position from the config file, if any
'''
self.cfg = ConfigParser.SafeConfigParser()
self.cfg.read(window.cfg_path)
self.pos = self.get_intpair('geom', 'pos') or ( 0, 0)
self.size = self.get_intpair('geom', 'size') or ( 500, 500)
def save_config(self):
'''
Save the current postion to the default config file.
'''
self.cfg.set('geom', 'pos', '%d,%d' % self.pos)
self.cfg.set('geom', 'size', '%d,%d' % self.size)
try:
f = open(window.cfg_path, 'w')
self.cfg.write(f)
f.close()
except EnvironmentError, e:
pass
def read_proofs(self, fn):
self.proofs = []
try:
f = open(fn, 'r')
creds = []
for line in f:
line = line.strip()
if line == '':
prover = None
principal = None
role = None
creds = []
elif line == '' :
p = proof(name, prover, role, principal, creds)
ok, pp = p.ctxt.query(role, principal)
if not ok: self.proofs.append(p)
m = re.match('(.*)', line)
if m is not None:
name = m.group(1)
m = re.match('([0-9a-f]+)', line)
if m is not None:
principal = m.group(1)
m = re.match('([0-9a-f]+)', line)
if m is not None:
prover = m.group(1)
m = re.match('(.*)', line)
if m is not None:
role = m.group(1)
m = re.match('(.*)', line)
if m is not None:
creds.append(base64.b64decode(m.group(1)))
f.close()
except EnvironmentError, e:
self.report_error("Cannot open %s: %s" % (e.filename, e.strerror))
return
def interpret_proof(self, p):
roles = set()
direct_roles = {}
groles = set()
principals = set()
goals = set()
attrs = set()
ok, proof = p.ctxt.query(p.role, p.principal)
for c in p.ctxt.credentials():
role = c.tail()
if role.is_principal():
if role.string() != p.principal:
principals.add(role.string())
else:
assigner, r = c.head().string().split('.')
direct_roles[r] = assigner
else:
r = role.string()
for s in r.split('&'):
roles.add(s.strip())
groles.add(r)
role = c.head()
roles.add(role.string())
groles.add(role.string())
for r in groles:
ok, proof = p.ctxt.query(p.role, r)
if ok :
goals.add(r)
for r in roles:
ok, proof = p.ctxt.query(r, p.principal)
if ok:
attrs.add(r)
split_goals = [ [s.strip() for s in g.split('&')] for g in goals ]
plans = []
for sg in split_goals:
pl = []
for g in sg:
if g in attrs:
continue
if g.count('.') == 2:
# linking role
pr, rr, lr = g.split('.')
if lr in direct_roles:
pl.append('add %s to %s' % (direct_roles[lr], rr))
else:
pl.append('someone with %s.%s must delegate %s to %s' % \
(pr, rr, lr, p.principal))
elif g.count('.') == 1:
pl.append('add %s to %s' % (g, principal))
plans.append('\n'.join(pl))
vb = gtk.VBox()
vb.set_border_width(20)
vb.pack_start(
self.wrapit(
self.makeListView([p.prover], "Entity Blocking Access")
), True, True,0)
vb.pack_start(
self.wrapit(
self.makeListView(plans, "Suggested Actions")
), True, True,0)
vb.pack_start(
self.wrapit(
self.makeListView(goals, "Required Slice Attributes")
), True, True,0)
vb.pack_start(
self.wrapit(
self.makeListView(attrs, "Slice Attributes Present")
), True, True,0)
vb.show_all()
return vb
if len(sys.argv) > 1:
fn = sys.argv[1]
else:
fn = None
w = window(fn)
gtk.main()