source: tools/suggest/suggest.py @ af36abb

#!/usr/local/bin/python

import ABAC
import Creddy

import os
import re
import copy
import base64

from tempfile import mkdtemp
from shutil import rmtree

class proof:
    def __init__(self, name, prover, role, principal, creds):
        self.name = name
        self.prover = prover
        self.role = role
        self.principal = principal
        self.ctxt = ABAC.Context()
        self.keyid_to_cn = { }
        self.cn_to_keyid = { }
        attrs = []
        try:
            d = mkdtemp()
            print d
            for c in creds:
                cc = self.pem_to_der(c)
                succ = self.ctxt.load_id_chunk(cc) 
                if succ == ABAC.ABAC_CERT_SUCCESS: 
                    try:
                        fn = os.path.join(d, 'file.pem')
                        f = open(fn, 'w')
                        f.write(cc)
                        f.close()
                        cid = Creddy.ID(fn)
                        base_cn = cn = re.sub('_ID.pem$','',cid.cert_filename())
                        i = 0
                        while cn in self.cn_to_keyid:
                            cn = '%s%03d' % (base_cn, i)
                            i += 1
                        self.cn_to_keyid[cn] = cid.keyid()
                        self.keyid_to_cn[cid.keyid()] = cn
                    except EnvironmentError, e:
                        print >>sys.stderr, '%s: %s' % (e.filename, e.strerror)
                else:
                    attrs.append(cc)
            for c in attrs:
                self.ctxt.load_attribute_chunk(c) 
        finally:
            rmtree(d)


    @staticmethod
    def pem_to_der(c):
        pat = '-----BEGIN CERTIFICATE-----(.*)-----END CERTIFICATE'
        m = re.match(pat, c, re.DOTALL)
        if m: return base64.b64decode(m.group(1))
        else: return c

    def replace_keyids(self, s):
        for k, v in self.keyid_to_cn.items():
            s = re.sub(k, v, s)
        return s

    def __str__(self):
        s = 'Name: %s\n' % self.name
        s += 'Prover: %s\n' % self.prover
        s += 'Principal: %s\n' % self.principal
        s += 'Role: %s\n' % self.role
        s += 'Creds: \n'
        for c in self.ctxt.credentials():
            s += self.replace_keyids(
                    '%s <- %s\n' % ( c.head().string(), c.tail().string()))
        return s

def read_proofs(fn):
    proofs = {}
    try:
        f = open(fn, 'r')
        creds = []
        i = 0
        for line in f:
            line = line.strip()
            if line == '<proof>':
                prover = None
                principal = None
                role = None
                creds = []
            elif line == '</proof>' :
                proofs[name] = proof(name, prover, role, principal, creds)
                i += 1
           
            m = re.match('<comment>(.*)</comment>', line)
            if m is not None:
                name = m.group(1)

            m = re.match('<principal>([0-9a-f]+)</principal>', line)
            if m is not None:
                principal = m.group(1)

            m = re.match('<prover>([0-9a-f]+)</prover>', line)
            if m is not None:
                prover = m.group(1)

            m = re.match('<attribute>(.*)</attribute>', line)
            if m is not None:
                role = m.group(1)

            m = re.match('<credential>(.*)</credential>', line)
            if m is not None:
                creds.append(base64.b64decode(m.group(1)))
        f.close()
    except EnvironmentError, e:
        return None
    return proofs

def interpret_proof(p):
    print  p
    roles = set()
    principals = set()
    goals = set()
    attrs = set()
    ok, proof = p.ctxt.query(p.role, p.principal)
    for c in p.ctxt.credentials():
        if c.head().is_principal(): principals.add(c.head().string())
        else: roles.add(c.head().string())
        if c.tail().is_principal(): principals.add(c.tail().string())
        else: roles.add(c.tail().string())

    
    for r in roles:
        ok, proof =  p.ctxt.query(p.role, r)
        if ok :
            goals.add(r)
        ok, proof = p.ctxt.query(r, p.principal)
        if ok:
            attrs.add(r)

    acting_for = []
    for r in attrs:
        m =re.match('([^\.]+)\\.acting_for', r)
        if m:
            acting_for.append(m.group(1))
    split_goals = [ [s.strip() for s in g.split('&')] for g in goals ]

    plans = []
    for sg in split_goals:
        p = []
        for g in sg:
            if g.endswith('acting_for'):
                a = g[:-len('.acting_for')]
                if len(acting_for) > 0:
                    p.append('add %s to %s' % (a, acting_for[0]))
                else:
                    p.append('must get %s delegated to %s' % (a, principal))
            else:
                p.append('add %s to %s' % (g, principal))
        plans.append('\n'.join(p))

    return plans


proofs = read_proofs('./auth.log')
print proofs
#interpret_proof(proofs['New (create) succeeded at 2012-07-06 15:24:21.122101'])
plans = interpret_proof(proofs['Create failed at 2012-07-06 15:24:25.648260'])

for p in plans:
    print '---'
    print p