1 | #!/usr/local/bin/python |
---|
2 | |
---|
3 | import ABAC |
---|
4 | import Creddy |
---|
5 | |
---|
6 | import os |
---|
7 | import re |
---|
8 | import copy |
---|
9 | import base64 |
---|
10 | |
---|
11 | from tempfile import mkdtemp |
---|
12 | from shutil import rmtree |
---|
13 | |
---|
14 | class proof: |
---|
15 | def __init__(self, name, prover, role, principal, creds): |
---|
16 | self.name = name |
---|
17 | self.prover = prover |
---|
18 | self.role = role |
---|
19 | self.principal = principal |
---|
20 | self.ctxt = ABAC.Context() |
---|
21 | self.keyid_to_cn = { } |
---|
22 | self.cn_to_keyid = { } |
---|
23 | attrs = [] |
---|
24 | try: |
---|
25 | d = mkdtemp() |
---|
26 | print d |
---|
27 | for c in creds: |
---|
28 | cc = self.pem_to_der(c) |
---|
29 | succ = self.ctxt.load_id_chunk(cc) |
---|
30 | if succ == ABAC.ABAC_CERT_SUCCESS: |
---|
31 | try: |
---|
32 | fn = os.path.join(d, 'file.pem') |
---|
33 | f = open(fn, 'w') |
---|
34 | f.write(cc) |
---|
35 | f.close() |
---|
36 | cid = Creddy.ID(fn) |
---|
37 | base_cn = cn = re.sub('_ID.pem$','',cid.cert_filename()) |
---|
38 | i = 0 |
---|
39 | while cn in self.cn_to_keyid: |
---|
40 | cn = '%s%03d' % (base_cn, i) |
---|
41 | i += 1 |
---|
42 | self.cn_to_keyid[cn] = cid.keyid() |
---|
43 | self.keyid_to_cn[cid.keyid()] = cn |
---|
44 | except EnvironmentError, e: |
---|
45 | print >>sys.stderr, '%s: %s' % (e.filename, e.strerror) |
---|
46 | else: |
---|
47 | attrs.append(cc) |
---|
48 | for c in attrs: |
---|
49 | self.ctxt.load_attribute_chunk(c) |
---|
50 | finally: |
---|
51 | rmtree(d) |
---|
52 | |
---|
53 | |
---|
54 | @staticmethod |
---|
55 | def pem_to_der(c): |
---|
56 | pat = '-----BEGIN CERTIFICATE-----(.*)-----END CERTIFICATE' |
---|
57 | m = re.match(pat, c, re.DOTALL) |
---|
58 | if m: return base64.b64decode(m.group(1)) |
---|
59 | else: return c |
---|
60 | |
---|
61 | def replace_keyids(self, s): |
---|
62 | for k, v in self.keyid_to_cn.items(): |
---|
63 | s = re.sub(k, v, s) |
---|
64 | return s |
---|
65 | |
---|
66 | def __str__(self): |
---|
67 | s = 'Name: %s\n' % self.name |
---|
68 | s += 'Prover: %s\n' % self.prover |
---|
69 | s += 'Principal: %s\n' % self.principal |
---|
70 | s += 'Role: %s\n' % self.role |
---|
71 | s += 'Creds: \n' |
---|
72 | for c in self.ctxt.credentials(): |
---|
73 | s += self.replace_keyids( |
---|
74 | '%s <- %s\n' % ( c.head().string(), c.tail().string())) |
---|
75 | return s |
---|
76 | |
---|
77 | def read_proofs(fn): |
---|
78 | proofs = {} |
---|
79 | try: |
---|
80 | f = open(fn, 'r') |
---|
81 | creds = [] |
---|
82 | i = 0 |
---|
83 | for line in f: |
---|
84 | line = line.strip() |
---|
85 | if line == '<proof>': |
---|
86 | prover = None |
---|
87 | principal = None |
---|
88 | role = None |
---|
89 | creds = [] |
---|
90 | elif line == '</proof>' : |
---|
91 | proofs[name] = proof(name, prover, role, principal, creds) |
---|
92 | i += 1 |
---|
93 | |
---|
94 | m = re.match('<comment>(.*)</comment>', line) |
---|
95 | if m is not None: |
---|
96 | name = m.group(1) |
---|
97 | |
---|
98 | m = re.match('<principal>([0-9a-f]+)</principal>', line) |
---|
99 | if m is not None: |
---|
100 | principal = m.group(1) |
---|
101 | |
---|
102 | m = re.match('<prover>([0-9a-f]+)</prover>', line) |
---|
103 | if m is not None: |
---|
104 | prover = m.group(1) |
---|
105 | |
---|
106 | m = re.match('<attribute>(.*)</attribute>', line) |
---|
107 | if m is not None: |
---|
108 | role = m.group(1) |
---|
109 | |
---|
110 | m = re.match('<credential>(.*)</credential>', line) |
---|
111 | if m is not None: |
---|
112 | creds.append(base64.b64decode(m.group(1))) |
---|
113 | f.close() |
---|
114 | except EnvironmentError, e: |
---|
115 | return None |
---|
116 | return proofs |
---|
117 | |
---|
118 | def interpret_proof(p): |
---|
119 | print p |
---|
120 | roles = set() |
---|
121 | principals = set() |
---|
122 | goals = set() |
---|
123 | attrs = set() |
---|
124 | ok, proof = p.ctxt.query(p.role, p.principal) |
---|
125 | for c in p.ctxt.credentials(): |
---|
126 | if c.head().is_principal(): principals.add(c.head().string()) |
---|
127 | else: roles.add(c.head().string()) |
---|
128 | if c.tail().is_principal(): principals.add(c.tail().string()) |
---|
129 | else: roles.add(c.tail().string()) |
---|
130 | |
---|
131 | |
---|
132 | for r in roles: |
---|
133 | ok, proof = p.ctxt.query(p.role, r) |
---|
134 | if ok : |
---|
135 | goals.add(r) |
---|
136 | ok, proof = p.ctxt.query(r, p.principal) |
---|
137 | if ok: |
---|
138 | attrs.add(r) |
---|
139 | |
---|
140 | acting_for = [] |
---|
141 | for r in attrs: |
---|
142 | m =re.match('([^\.]+)\\.acting_for', r) |
---|
143 | if m: |
---|
144 | acting_for.append(m.group(1)) |
---|
145 | split_goals = [ [s.strip() for s in g.split('&')] for g in goals ] |
---|
146 | |
---|
147 | plans = [] |
---|
148 | for sg in split_goals: |
---|
149 | p = [] |
---|
150 | for g in sg: |
---|
151 | if g.endswith('acting_for'): |
---|
152 | a = g[:-len('.acting_for')] |
---|
153 | if len(acting_for) > 0: |
---|
154 | p.append('add %s to %s' % (a, acting_for[0])) |
---|
155 | else: |
---|
156 | p.append('must get %s delegated to %s' % (a, principal)) |
---|
157 | else: |
---|
158 | p.append('add %s to %s' % (g, principal)) |
---|
159 | plans.append('\n'.join(p)) |
---|
160 | |
---|
161 | return plans |
---|
162 | |
---|
163 | |
---|
164 | proofs = read_proofs('./auth.log') |
---|
165 | print proofs |
---|
166 | #interpret_proof(proofs['New (create) succeeded at 2012-07-06 15:24:21.122101']) |
---|
167 | plans = interpret_proof(proofs['Create failed at 2012-07-06 15:24:25.648260']) |
---|
168 | |
---|
169 | for p in plans: |
---|
170 | print '---' |
---|
171 | print p |
---|