remove debug logging

[sfa.git] / sfa / trust / speaksfor_util.py

#----------------------------------------------------------------------\r
# Copyright (c) 2014 Raytheon BBN Technologies\r
#\r
# Permission is hereby granted, free of charge, to any person obtaining\r
# a copy of this software and/or hardware specification (the "Work") to\r
# deal in the Work without restriction, including without limitation the\r
# rights to use, copy, modify, merge, publish, distribute, sublicense,\r
# and/or sell copies of the Work, and to permit persons to whom the Work\r
# is furnished to do so, subject to the following conditions:\r
#\r
# The above copyright notice and this permission notice shall be\r
# included in all copies or substantial portions of the Work.\r
#\r
# THE WORK IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS\r
# OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF\r
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND\r
# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT\r
# HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,\r
# WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\r
# OUT OF OR IN CONNECTION WITH THE WORK OR THE USE OR OTHER DEALINGS\r
# IN THE WORK.\r
#----------------------------------------------------------------------\r
\r
import datetime\r
from dateutil import parser as du_parser, tz as du_tz\r
import optparse\r
import os\r
import subprocess\r
import sys\r
import tempfile\r
from xml.dom.minidom import *\r
from StringIO import StringIO\r
\r
from sfa.trust.certificate import Certificate\r
from sfa.trust.credential import Credential, signature_template, HAVELXML\r
from sfa.trust.abac_credential import ABACCredential, ABACElement\r
from sfa.trust.credential_factory import CredentialFactory\r
from sfa.trust.gid import GID\r
\r
# Routine to validate that a speaks-for credential \r
# says what it claims to say:\r
# It is a signed credential wherein the signer S is attesting to the\r
# ABAC statement:\r
# S.speaks_for(S)<-T Or "S says that T speaks for S"\r
\r
# Requires that openssl be installed and in the path\r
# create_speaks_for requires that xmlsec1 be on the path\r
\r
# Simple XML helper functions\r
\r
# Find the text associated with first child text node\r
def findTextChildValue(root):\r
    child = findChildNamed(root, '#text')\r
    if child: return str(child.nodeValue)\r
    return None\r
\r
# Find first child with given name\r
def findChildNamed(root, name):\r
    for child in root.childNodes:\r
        if child.nodeName == name:\r
            return child\r
    return None\r
\r
# Write a string to a tempfile, returning name of tempfile\r
def write_to_tempfile(str):\r
    str_fd, str_file = tempfile.mkstemp()\r
    if str:\r
        os.write(str_fd, str)\r
    os.close(str_fd)\r
    return str_file\r
\r
# Run a subprocess and return output\r
def run_subprocess(cmd, stdout, stderr):\r
    try:\r
        proc = subprocess.Popen(cmd, stdout=stdout, stderr=stderr)\r
        proc.wait()\r
        if stdout:\r
            output = proc.stdout.read()\r
        else:\r
            output = proc.returncode\r
        return output\r
    except Exception as e:\r
        raise Exception("Failed call to subprocess '%s': %s" % (" ".join(cmd), e))\r
\r
def get_cert_keyid(gid):\r
    """Extract the subject key identifier from the given certificate.\r
    Return they key id as lowercase string with no colon separators\r
    between pairs. The key id as shown in the text output of a\r
    certificate are in uppercase with colon separators.\r
\r
    """\r
    raw_key_id = gid.get_extension('subjectKeyIdentifier')\r
    # Raw has colons separating pairs, and all characters are upper case.\r
    # Remove the colons and convert to lower case.\r
    keyid = raw_key_id.replace(':', '').lower()\r
    return keyid\r
\r
# Pull the cert out of a list of certs in a PEM formatted cert string\r
def grab_toplevel_cert(cert):\r
    start_label = '-----BEGIN CERTIFICATE-----'\r
    if cert.find(start_label) > -1:\r
        start_index = cert.find(start_label) + len(start_label)\r
    else:\r
        start_index = 0\r
    end_label = '-----END CERTIFICATE-----'\r
    end_index = cert.find(end_label)\r
    first_cert = cert[start_index:end_index]\r
    pieces = first_cert.split('\n')\r
    first_cert = "".join(pieces)\r
    return first_cert\r
\r
# Validate that the given speaks-for credential represents the\r
# statement User.speaks_for(User)<-Tool for the given user and tool certs\r
# and was signed by the user\r
# Return: \r
#   Boolean indicating whether the given credential \r
#      is not expired \r
#      is an ABAC credential\r
#      was signed by the user associated with the speaking_for_urn\r
#      is verified by xmlsec1\r
#      asserts U.speaks_for(U)<-T ("user says that T may speak for user")\r
#      If schema provided, validate against schema\r
#      is trusted by given set of trusted roots (both user cert and tool cert)\r
#   String user certificate of speaking_for user if the above tests succeed\r
#      (None otherwise)\r
#   Error message indicating why the speaks_for call failed ("" otherwise)\r
def verify_speaks_for(cred, tool_gid, speaking_for_urn, \\r
                          trusted_roots, schema=None, logger=None):\r
\r
    # Credential has not expired\r
    if cred.expiration and cred.expiration < datetime.datetime.utcnow():\r
        return False, None, "ABAC Credential expired at %s (%s)" % (cred.expiration.isoformat(), cred.get_summary_tostring())\r
\r
    # Must be ABAC\r
    if cred.get_cred_type() != ABACCredential.ABAC_CREDENTIAL_TYPE:\r
        return False, None, "Credential not of type ABAC but %s" % cred.get_cred_type\r
\r
    if cred.signature is None or cred.signature.gid is None:\r
        return False, None, "Credential malformed: missing signature or signer cert. Cred: %s" % cred.get_summary_tostring()\r
    user_gid = cred.signature.gid\r
    user_urn = user_gid.get_urn()\r
\r
    # URN of signer from cert must match URN of 'speaking-for' argument\r
    if user_urn != speaking_for_urn:\r
        return False, None, "User URN from cred doesn't match speaking_for URN: %s != %s (cred %s)" % \\r
            (user_urn, speaking_for_urn, cred.get_summary_tostring())\r
\r
    tails = cred.get_tails()\r
    if len(tails) != 1: \r
        return False, None, "Invalid ABAC-SF credential: Need exactly 1 tail element, got %d (%s)" % \\r
            (len(tails), cred.get_summary_tostring())\r
\r
    user_keyid = get_cert_keyid(user_gid)\r
    tool_keyid = get_cert_keyid(tool_gid)\r
    subject_keyid = tails[0].get_principal_keyid()\r
\r
    head = cred.get_head()\r
    principal_keyid = head.get_principal_keyid()\r
    role = head.get_role()\r
\r
    # Credential must pass xmlsec1 verify\r
    cred_file = write_to_tempfile(cred.save_to_string())\r
    cert_args = []\r
    if trusted_roots:\r
        for x in trusted_roots:\r
            cert_args += ['--trusted-pem', x.filename]\r
    # FIXME: Why do we not need to specify the --node-id option as credential.py does?\r
    xmlsec1_args = [cred.xmlsec_path, '--verify'] + cert_args + [ cred_file]\r
    output = run_subprocess(xmlsec1_args, stdout=None, stderr=subprocess.PIPE)\r
    os.unlink(cred_file)\r
    if output != 0:\r
        # FIXME\r
        # xmlsec errors have a msg= which is the interesting bit.\r
        # But does this go to stderr or stdout? Do we have it here?\r
        mstart = verified.find("msg=")\r
        msg = ""\r
        if mstart > -1 and len(verified) > 4:\r
            mstart = mstart + 4\r
            mend = verified.find('\\', mstart)\r
            msg = verified[mstart:mend]\r
        if msg == "":\r
            msg = output\r
        return False, None, "ABAC credential failed to xmlsec1 verify: %s" % msg\r
\r
    # Must say U.speaks_for(U)<-T\r
    if user_keyid != principal_keyid or \\r
            tool_keyid != subject_keyid or \\r
            role != ('speaks_for_%s' % user_keyid):\r
        return False, None, "ABAC statement doesn't assert U.speaks_for(U)<-T (%s)" % cred.get_summary_tostring()\r
\r
    # If schema provided, validate against schema\r
    if HAVELXML and schema and os.path.exists(schema):\r
        from lxml import etree\r
        tree = etree.parse(StringIO(cred.xml))\r
        schema_doc = etree.parse(schema)\r
        xmlschema = etree.XMLSchema(schema_doc)\r
        if not xmlschema.validate(tree):\r
            error = xmlschema.error_log.last_error\r
            message = "%s: %s (line %s)" % (cred.get_summary_tostring(), error.message, error.line)\r
            return False, None, ("XML Credential schema invalid: %s" % message)\r
\r
    if trusted_roots:\r
        # User certificate must validate against trusted roots\r
        try:\r
            user_gid.verify_chain(trusted_roots)\r
        except Exception, e:\r
            return False, None, \\r
                "Cred signer (user) cert not trusted: %s" % e\r
\r
        # Tool certificate must validate against trusted roots\r
        try:\r
            tool_gid.verify_chain(trusted_roots)\r
        except Exception, e:\r
            return False, None, \\r
                "Tool cert not trusted: %s" % e\r
\r
    return True, user_gid, ""\r
\r
# Determine if this is a speaks-for context. If so, validate\r
# And return either the tool_cert (not speaks-for or not validated)\r
# or the user cert (validated speaks-for)\r
#\r
# credentials is a list of GENI-style credentials:\r
#  Either a cred string xml string, or Credential object of a tuple\r
#    [{'geni_type' : geni_type, 'geni_value : cred_value, \r
#      'geni_version' : version}]\r
# caller_gid is the raw X509 cert gid\r
# options is the dictionary of API-provided options\r
# trusted_roots is a list of Certificate objects from the system\r
#   trusted_root directory\r
# Optionally, provide an XML schema against which to validate the credential\r
def determine_speaks_for(logger, credentials, caller_gid, options, \\r
                             trusted_roots, schema=None):\r
    if options and 'geni_speaking_for' in options:\r
        speaking_for_urn = options['geni_speaking_for'].strip()\r
        for cred in credentials:\r
            # Skip things that aren't ABAC credentials\r
            if type(cred) == dict:\r
                if cred['geni_type'] != ABACCredential.ABAC_CREDENTIAL_TYPE: continue\r
                cred_value = cred['geni_value']\r
            elif isinstance(cred, Credential):\r
                if not isinstance(cred, ABACCredential):\r
                    continue\r
                else:\r
                    cred_value = cred\r
            else:\r
                if CredentialFactory.getType(cred) != ABACCredential.ABAC_CREDENTIAL_TYPE: continue\r
                cred_value = cred\r
\r
            # If the cred_value is xml, create the object\r
            if not isinstance(cred_value, ABACCredential):\r
                cred = CredentialFactory.createCred(cred_value)\r
\r
#            print "Got a cred to check speaksfor for: %s" % cred.get_summary_tostring()\r
#            #cred.dump(True, True)\r
#            print "Caller: %s" % caller_gid.dump_string(2, True)\r
            # See if this is a valid speaks_for\r
            is_valid_speaks_for, user_gid, msg = \\r
                verify_speaks_for(cred,\r
                                  caller_gid, speaking_for_urn, \\r
                                      trusted_roots, schema, logger=logger)\r
            logger.info(msg)\r
            if is_valid_speaks_for:\r
                return user_gid # speaks-for\r
            else:\r
                if logger:\r
                    logger.info("Got speaks-for option but not a valid speaks_for with this credential: %s" % msg)\r
                else:\r
                    print "Got a speaks-for option but not a valid speaks_for with this credential: " + msg\r
    return caller_gid # Not speaks-for\r
\r
# Create an ABAC Speaks For credential using the ABACCredential object and it's encode&sign methods\r
def create_sign_abaccred(tool_gid, user_gid, ma_gid, user_key_file, cred_filename, dur_days=365):\r
    print "Creating ABAC SpeaksFor using ABACCredential...\n"\r
    # Write out the user cert\r
    from tempfile import mkstemp\r
    ma_str = ma_gid.save_to_string()\r
    user_cert_str = user_gid.save_to_string()\r
    if not user_cert_str.endswith(ma_str):\r
        user_cert_str += ma_str\r
    fp, user_cert_filename = mkstemp(suffix='cred', text=True)\r
    fp = os.fdopen(fp, "w")\r
    fp.write(user_cert_str)\r
    fp.close()\r
\r
    # Create the cred\r
    cred = ABACCredential()\r
    cred.set_issuer_keys(user_key_file, user_cert_filename)\r
    tool_urn = tool_gid.get_urn()\r
    user_urn = user_gid.get_urn()\r
    user_keyid = get_cert_keyid(user_gid)\r
    tool_keyid = get_cert_keyid(tool_gid)\r
    cred.head = ABACElement(user_keyid, user_urn, "speaks_for_%s" % user_keyid)\r
    cred.tails.append(ABACElement(tool_keyid, tool_urn))\r
    cred.set_expiration(datetime.datetime.utcnow() + datetime.timedelta(days=dur_days))\r
    cred.expiration = cred.expiration.replace(microsecond=0)\r
\r
    # Produce the cred XML\r
    cred.encode()\r
\r
    # Sign it\r
    cred.sign()\r
    # Save it\r
    cred.save_to_file(cred_filename)\r
    print "Created ABAC credential: '%s' in file %s" % \\r
            (cred.get_summary_tostring(), cred_filename)\r
\r
# FIXME: Assumes xmlsec1 is on path\r
# FIXME: Assumes signer is itself signed by an 'ma_gid' that can be trusted\r
def create_speaks_for(tool_gid, user_gid, ma_gid, \\r
                          user_key_file, cred_filename, dur_days=365):\r
    tool_urn = tool_gid.get_urn()\r
    user_urn = user_gid.get_urn()\r
\r
    header = '<?xml version="1.0" encoding="UTF-8"?>'\r
    reference = "ref0"\r
    signature_block = \\r
        '<signatures>\n' + \\r
        signature_template + \\r
        '</signatures>'\r
    template = header + '\n' + \\r
        '<signed-credential '\r
    template += 'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://www.geni.net/resources/credential/2/credential.xsd" xsi:schemaLocation="http://www.protogeni.net/resources/credential/ext/policy/1 http://www.protogeni.net/resources/credential/ext/policy/1/policy.xsd"'\r
    template += '>\n' + \\r
        '<credential xml:id="%s">\n' + \\r
        '<type>abac</type>\n' + \\r
        '<serial/>\n' +\\r
        '<owner_gid/>\n' + \\r
        '<owner_urn/>\n' + \\r
        '<target_gid/>\n' + \\r
        '<target_urn/>\n' + \\r
        '<uuid/>\n' + \\r
        '<expires>%s</expires>' +\\r
        '<abac>\n' + \\r
        '<rt0>\n' + \\r
        '<version>%s</version>\n' + \\r
        '<head>\n' + \\r
        '<ABACprincipal><keyid>%s</keyid><mnemonic>%s</mnemonic></ABACprincipal>\n' +\\r
        '<role>speaks_for_%s</role>\n' + \\r
        '</head>\n' + \\r
        '<tail>\n' +\\r
        '<ABACprincipal><keyid>%s</keyid><mnemonic>%s</mnemonic></ABACprincipal>\n' +\\r
        '</tail>\n' +\\r
        '</rt0>\n' + \\r
        '</abac>\n' + \\r
        '</credential>\n' + \\r
        signature_block + \\r
        '</signed-credential>\n'\r
\r
\r
    credential_duration = datetime.timedelta(days=dur_days)\r
    expiration = datetime.datetime.now(du_tz.tzutc()) + credential_duration\r
    expiration_str = expiration.strftime('%Y-%m-%dT%H:%M:%SZ') # FIXME: libabac can't handle .isoformat()\r
    version = "1.1"\r
\r
    user_keyid = get_cert_keyid(user_gid)\r
    tool_keyid = get_cert_keyid(tool_gid)\r
    unsigned_cred = template % (reference, expiration_str, version, \\r
                                    user_keyid, user_urn, user_keyid, tool_keyid, tool_urn, \\r
                                    reference, reference)\r
    unsigned_cred_filename = write_to_tempfile(unsigned_cred)\r
\r
    # Now sign the file with xmlsec1\r
    # xmlsec1 --sign --privkey-pem privkey.pem,cert.pem \r
    # --output signed.xml tosign.xml\r
    pems = "%s,%s,%s" % (user_key_file, user_gid.get_filename(),\r
                         ma_gid.get_filename())\r
    # FIXME: assumes xmlsec1 is on path\r
    cmd = ['xmlsec1',  '--sign',  '--privkey-pem', pems, \r
           '--output', cred_filename, unsigned_cred_filename]\r
\r
#    print " ".join(cmd)\r
    sign_proc_output = run_subprocess(cmd, stdout=subprocess.PIPE, stderr=None)\r
    if sign_proc_output == None:\r
        print "OUTPUT = %s" % sign_proc_output\r
    else:\r
        print "Created ABAC credential: '%s speaks_for %s' in file %s" % \\r
            (tool_urn, user_urn, cred_filename)\r
    os.unlink(unsigned_cred_filename)\r
\r
\r
# Test procedure\r
if __name__ == "__main__":\r
\r
    parser = optparse.OptionParser()\r
    parser.add_option('--cred_file', \r
                      help='Name of credential file')\r
    parser.add_option('--tool_cert_file', \r
                      help='Name of file containing tool certificate')\r
    parser.add_option('--user_urn', \r
                      help='URN of speaks-for user')\r
    parser.add_option('--user_cert_file', \r
                      help="filename of x509 certificate of signing user")\r
    parser.add_option('--ma_cert_file', \r
                      help="filename of x509 cert of MA that signed user cert")\r
    parser.add_option('--user_key_file', \r
                      help="filename of private key of signing user")\r
    parser.add_option('--trusted_roots_directory', \r
                      help='Directory of trusted root certs')\r
    parser.add_option('--create',\r
                      help="name of file of ABAC speaksfor cred to create")\r
    parser.add_option('--useObject', action='store_true', default=False,\r
                      help='Use the ABACCredential object to create the credential (default False)')\r
\r
    options, args = parser.parse_args(sys.argv)\r
\r
    tool_gid = GID(filename=options.tool_cert_file)\r
\r
    if options.create:\r
        if options.user_cert_file and options.user_key_file \\r
            and options.ma_cert_file:\r
            user_gid = GID(filename=options.user_cert_file)\r
            ma_gid = GID(filename=options.ma_cert_file)\r
            if options.useObject:\r
                create_sign_abaccred(tool_gid, user_gid, ma_gid, \\r
                                         options.user_key_file,  \\r
                                         options.create)\r
            else:\r
                create_speaks_for(tool_gid, user_gid, ma_gid, \\r
                                         options.user_key_file,  \\r
                                         options.create)\r
        else:\r
            print "Usage: --create cred_file " + \\r
                "--user_cert_file user_cert_file" + \\r
                " --user_key_file user_key_file --ma_cert_file ma_cert_file"\r
        sys.exit()\r
\r
    user_urn = options.user_urn\r
\r
    # Get list of trusted rootcerts\r
    if options.cred_file and not options.trusted_roots_directory:\r
        sys.exit("Must supply --trusted_roots_directory to validate a credential")\r
\r
    trusted_roots_directory = options.trusted_roots_directory\r
    trusted_roots = \\r
        [Certificate(filename=os.path.join(trusted_roots_directory, file)) \\r
             for file in os.listdir(trusted_roots_directory) \\r
             if file.endswith('.pem') and file != 'CATedCACerts.pem']\r
\r
    cred = open(options.cred_file).read()\r
\r
    creds = [{'geni_type' : ABACCredential.ABAC_CREDENTIAL_TYPE, 'geni_value' : cred, \r
              'geni_version' : '1'}]\r
    gid = determine_speaks_for(None, creds, tool_gid, \\r
                                   {'geni_speaking_for' : user_urn}, \\r
                                   trusted_roots)\r
\r
\r
    print 'SPEAKS_FOR = %s' % (gid != tool_gid)\r
    print "CERT URN = %s" % gid.get_urn()\r