--- /dev/null
+#----------------------------------------------------------------------\r
+# Copyright (c) 2014 Raytheon BBN Technologies\r
+#\r
+# Permission is hereby granted, free of charge, to any person obtaining\r
+# a copy of this software and/or hardware specification (the "Work") to\r
+# deal in the Work without restriction, including without limitation the\r
+# rights to use, copy, modify, merge, publish, distribute, sublicense,\r
+# and/or sell copies of the Work, and to permit persons to whom the Work\r
+# is furnished to do so, subject to the following conditions:\r
+#\r
+# The above copyright notice and this permission notice shall be\r
+# included in all copies or substantial portions of the Work.\r
+#\r
+# THE WORK IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS\r
+# OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF\r
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND\r
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT\r
+# HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,\r
+# WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\r
+# OUT OF OR IN CONNECTION WITH THE WORK OR THE USE OR OTHER DEALINGS\r
+# IN THE WORK.\r
+#----------------------------------------------------------------------\r
+\r
+from sfa.trust.credential import Credential, append_sub\r
+from sfa.util.sfalogging import logger\r
+\r
+from StringIO import StringIO\r
+from xml.dom.minidom import Document, parseString\r
+\r
+HAVELXML = False\r
+try:\r
+ from lxml import etree\r
+ HAVELXML = True\r
+except:\r
+ pass\r
+\r
+# This module defines a subtype of sfa.trust,credential.Credential\r
+# called an ABACCredential. An ABAC credential is a signed statement\r
+# asserting a role representing the relationship between a subject and target\r
+# or between a subject and a class of targets (all those satisfying a role).\r
+#\r
+# An ABAC credential is like a normal SFA credential in that it has\r
+# a validated signature block and is checked for expiration. \r
+# It does not, however, have 'privileges'. Rather it contains a 'head' and\r
+# list of 'tails' of elements, each of which represents a principal and\r
+# role.\r
+\r
+# A special case of an ABAC credential is a speaks_for credential. Such\r
+# a credential is simply an ABAC credential in form, but has a single \r
+# tail and fixed role 'speaks_for'. In ABAC notation, it asserts\r
+# AGENT.speaks_for(AGENT)<-CLIENT, or "AGENT asserts that CLIENT may speak\r
+# for AGENT". The AGENT in this case is the head and the CLIENT is the\r
+# tail and 'speaks_for_AGENT' is the role on the head. These speaks-for\r
+# Credentials are used to allow a tool to 'speak as' itself but be recognized\r
+# as speaking for an individual and be authorized to the rights of that\r
+# individual and not to the rights of the tool itself.\r
+\r
+# For more detail on the semantics and syntax and expected usage patterns\r
+# of ABAC credentials, see http://groups.geni.net/geni/wiki/TIEDABACCredential.\r
+\r
+\r
+# An ABAC element contains a principal (keyid and optional mnemonic)\r
+# and optional role and linking_role element\r
+class ABACElement:\r
+ def __init__(self, principal_keyid, principal_mnemonic=None, \\r
+ role=None, linking_role=None):\r
+ self._principal_keyid = principal_keyid\r
+ self._principal_mnemonic = principal_mnemonic\r
+ self._role = role\r
+ self._linking_role = linking_role\r
+\r
+ def get_principal_keyid(self): return self._principal_keyid\r
+ def get_principal_mnemonic(self): return self._principal_mnemonic\r
+ def get_role(self): return self._role\r
+ def get_linking_role(self): return self._linking_role\r
+\r
+ def __str__(self):\r
+ ret = self._principal_keyid\r
+ if self._principal_mnemonic:\r
+ ret = "%s (%s)" % (self._principal_mnemonic, self._principal_keyid)\r
+ if self._linking_role:\r
+ ret += ".%s" % self._linking_role\r
+ if self._role:\r
+ ret += ".%s" % self._role\r
+ return ret\r
+\r
+# Subclass of Credential for handling ABAC credentials\r
+# They have a different cred_type (geni_abac vs. geni_sfa)\r
+# and they have a head and tail and role (as opposed to privileges)\r
+class ABACCredential(Credential):\r
+\r
+ ABAC_CREDENTIAL_TYPE = 'geni_abac'\r
+\r
+ def __init__(self, create=False, subject=None, \r
+ string=None, filename=None):\r
+ self.head = None # An ABACElemenet\r
+ self.tails = [] # List of ABACElements\r
+ super(ABACCredential, self).__init__(create=create, \r
+ subject=subject, \r
+ string=string, \r
+ filename=filename)\r
+ self.cred_type = ABACCredential.ABAC_CREDENTIAL_TYPE\r
+\r
+ def get_head(self) : \r
+ if not self.head: \r
+ self.decode()\r
+ return self.head\r
+\r
+ def get_tails(self) : \r
+ if len(self.tails) == 0:\r
+ self.decode()\r
+ return self.tails\r
+\r
+ def decode(self):\r
+ super(ABACCredential, self).decode()\r
+ # Pull out the ABAC-specific info\r
+ doc = parseString(self.xml)\r
+ rt0s = doc.getElementsByTagName('rt0')\r
+ if len(rt0s) != 1:\r
+ raise CredentialNotVerifiable("ABAC credential had no rt0 element")\r
+ rt0_root = rt0s[0]\r
+ heads = self._get_abac_elements(rt0_root, 'head')\r
+ if len(heads) != 1:\r
+ raise CredentialNotVerifiable("ABAC credential should have exactly 1 head element, had %d" % len(heads))\r
+\r
+ self.head = heads[0]\r
+ self.tails = self._get_abac_elements(rt0_root, 'tail')\r
+\r
+ def _get_abac_elements(self, root, label):\r
+ abac_elements = []\r
+ elements = root.getElementsByTagName(label)\r
+ for elt in elements:\r
+ keyids = elt.getElementsByTagName('keyid')\r
+ if len(keyids) != 1:\r
+ raise CredentialNotVerifiable("ABAC credential element '%s' should have exactly 1 keyid, had %d." % (label, len(keyids)))\r
+ keyid_elt = keyids[0]\r
+ keyid = keyid_elt.childNodes[0].nodeValue.strip()\r
+\r
+ mnemonic = None\r
+ mnemonic_elts = elt.getElementsByTagName('mnemonic')\r
+ if len(mnemonic_elts) > 0:\r
+ mnemonic = mnemonic_elts[0].childNodes[0].nodeValue.strip()\r
+\r
+ role = None\r
+ role_elts = elt.getElementsByTagName('role')\r
+ if len(role_elts) > 0:\r
+ role = role_elts[0].childNodes[0].nodeValue.strip()\r
+\r
+ linking_role = None\r
+ linking_role_elts = elt.getElementsByTagName('linking_role')\r
+ if len(linking_role_elts) > 0:\r
+ linking_role = linking_role_elts[0].childNodes[0].nodeValue.strip()\r
+\r
+ abac_element = ABACElement(keyid, mnemonic, role, linking_role)\r
+ abac_elements.append(abac_element)\r
+\r
+ return abac_elements\r
+\r
+ def dump_string(self, dump_parents=False, show_xml=False):\r
+ result = "ABAC Credential\n"\r
+ filename=self.get_filename()\r
+ if filename: result += "Filename %s\n"%filename\r
+ if self.expiration:\r
+ result += "\texpiration: %s \n" % self.expiration.isoformat()\r
+\r
+ result += "\tHead: %s\n" % self.get_head() \r
+ for tail in self.get_tails():\r
+ result += "\tTail: %s\n" % tail\r
+ if self.get_signature():\r
+ result += " gidIssuer:\n"\r
+ result += self.get_signature().get_issuer_gid().dump_string(8, dump_parents)\r
+ if show_xml and HAVELXML:\r
+ try:\r
+ tree = etree.parse(StringIO(self.xml))\r
+ aside = etree.tostring(tree, pretty_print=True)\r
+ result += "\nXML:\n\n"\r
+ result += aside\r
+ result += "\nEnd XML\n"\r
+ except:\r
+ import traceback\r
+ print "exc. Credential.dump_string / XML"\r
+ traceback.print_exc()\r
+ return result\r
+\r
+ # sounds like this should be __repr__ instead ??\r
+ # Produce the ABAC assertion. Something like [ABAC cred: Me.role<-You] or similar\r
+ def get_summary_tostring(self):\r
+ result = "[ABAC cred: " + str(self.get_head())\r
+ for tail in self.get_tails():\r
+ result += "<-%s" % str(tail)\r
+ result += "]"\r
+ return result\r
+\r
+ def createABACElement(self, doc, tagName, abacObj):\r
+ kid = abacObj.get_principal_keyid()\r
+ mnem = abacObj.get_principal_mnemonic() # may be None\r
+ role = abacObj.get_role() # may be None\r
+ link = abacObj.get_linking_role() # may be None\r
+ ele = doc.createElement(tagName)\r
+ prin = doc.createElement('ABACprincipal')\r
+ ele.appendChild(prin)\r
+ append_sub(doc, prin, "keyid", kid)\r
+ if mnem:\r
+ append_sub(doc, prin, "mnemonic", mnem)\r
+ if role:\r
+ append_sub(doc, ele, "role", role)\r
+ if link:\r
+ append_sub(doc, ele, "linking_role", link)\r
+ return ele\r
+\r
+ ##\r
+ # Encode the attributes of the credential into an XML string\r
+ # This should be done immediately before signing the credential.\r
+ # WARNING:\r
+ # In general, a signed credential obtained externally should\r
+ # not be changed else the signature is no longer valid. So, once\r
+ # you have loaded an existing signed credential, do not call encode() or sign() on it.\r
+\r
+ def encode(self):\r
+ # Create the XML document\r
+ doc = Document()\r
+ signed_cred = doc.createElement("signed-credential")\r
+\r
+# Declare namespaces\r
+# Note that credential/policy.xsd are really the PG schemas\r
+# in a PL namespace.\r
+# Note that delegation of credentials between the 2 only really works\r
+# cause those schemas are identical.\r
+# Also note these PG schemas talk about PG tickets and CM policies.\r
+ signed_cred.setAttribute("xmlns:xsi", "http://www.w3.org/2001/XMLSchema-instance")\r
+ signed_cred.setAttribute("xsi:noNamespaceSchemaLocation", "http://www.geni.net/resources/credential/2/credential.xsd")\r
+ signed_cred.setAttribute("xsi:schemaLocation", "http://www.planet-lab.org/resources/sfa/ext/policy/1 http://www.planet-lab.org/resources/sfa/ext/policy/1/policy.xsd")\r
+\r
+# PG says for those last 2:\r
+# signed_cred.setAttribute("xsi:noNamespaceSchemaLocation", "http://www.protogeni.net/resources/credential/credential.xsd")\r
+# signed_cred.setAttribute("xsi:schemaLocation", "http://www.protogeni.net/resources/credential/ext/policy/1 http://www.protogeni.net/resources/credential/ext/policy/1/policy.xsd")\r
+\r
+ doc.appendChild(signed_cred)\r
+\r
+ # Fill in the <credential> bit\r
+ cred = doc.createElement("credential")\r
+ cred.setAttribute("xml:id", self.get_refid())\r
+ signed_cred.appendChild(cred)\r
+ append_sub(doc, cred, "type", "abac")\r
+\r
+ # Stub fields\r
+ append_sub(doc, cred, "serial", "8")\r
+ append_sub(doc, cred, "owner_gid", '')\r
+ append_sub(doc, cred, "owner_urn", '')\r
+ append_sub(doc, cred, "target_gid", '')\r
+ append_sub(doc, cred, "target_urn", '')\r
+ append_sub(doc, cred, "uuid", "")\r
+\r
+ if not self.expiration:\r
+ self.set_expiration(datetime.datetime.utcnow() + datetime.timedelta(seconds=DEFAULT_CREDENTIAL_LIFETIME))\r
+ self.expiration = self.expiration.replace(microsecond=0)\r
+ if self.expiration.tzinfo is not None and self.expiration.tzinfo.utcoffset(self.expiration) is not None:\r
+ # TZ aware. Make sure it is UTC\r
+ self.expiration = self.expiration.astimezone(tz.tzutc())\r
+ append_sub(doc, cred, "expires", self.expiration.strftime('%Y-%m-%dT%H:%M:%SZ')) # RFC3339\r
+\r
+ abac = doc.createElement("abac")\r
+ rt0 = doc.createElement("rt0")\r
+ abac.appendChild(rt0)\r
+ cred.appendChild(abac)\r
+ append_sub(doc, rt0, "version", "1.1")\r
+ head = self.createABACElement(doc, "head", self.get_head())\r
+ rt0.appendChild(head)\r
+ for tail in self.get_tails():\r
+ tailEle = self.createABACElement(doc, "tail", tail)\r
+ rt0.appendChild(tailEle)\r
+\r
+ # Create the <signatures> tag\r
+ signatures = doc.createElement("signatures")\r
+ signed_cred.appendChild(signatures)\r
+\r
+ # Get the finished product\r
+ self.xml = doc.toxml("utf-8")\r
--- /dev/null
+#----------------------------------------------------------------------\r
+# Copyright (c) 2014 Raytheon BBN Technologies\r
+#\r
+# Permission is hereby granted, free of charge, to any person obtaining\r
+# a copy of this software and/or hardware specification (the "Work") to\r
+# deal in the Work without restriction, including without limitation the\r
+# rights to use, copy, modify, merge, publish, distribute, sublicense,\r
+# and/or sell copies of the Work, and to permit persons to whom the Work\r
+# is furnished to do so, subject to the following conditions:\r
+#\r
+# The above copyright notice and this permission notice shall be\r
+# included in all copies or substantial portions of the Work.\r
+#\r
+# THE WORK IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS\r
+# OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF\r
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND\r
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT\r
+# HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,\r
+# WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\r
+# OUT OF OR IN CONNECTION WITH THE WORK OR THE USE OR OTHER DEALINGS\r
+# IN THE WORK.\r
+#----------------------------------------------------------------------\r
+\r
+from sfa.util.sfalogging import logger\r
+from sfa.trust.credential import Credential\r
+from sfa.trust.abac_credential import ABACCredential\r
+\r
+import json\r
+import re\r
+\r
+# Factory for creating credentials of different sorts by type.\r
+# Specifically, this factory can create standard SFA credentials\r
+# and ABAC credentials from XML strings based on their identifying content\r
+\r
+class CredentialFactory:\r
+\r
+ UNKNOWN_CREDENTIAL_TYPE = 'geni_unknown'\r
+\r
+ # Static Credential class method to determine the type of a credential\r
+ # string depending on its contents\r
+ @staticmethod\r
+ def getType(credString):\r
+ credString_nowhitespace = re.sub('\s', '', credString)\r
+ if credString_nowhitespace.find('<type>abac</type>') > -1:\r
+ return ABACCredential.ABAC_CREDENTIAL_TYPE\r
+ elif credString_nowhitespace.find('<type>privilege</type>') > -1:\r
+ return Credential.SFA_CREDENTIAL_TYPE\r
+ else:\r
+ st = credString_nowhitespace.find('<type>')\r
+ end = credString_nowhitespace.find('</type>', st)\r
+ return credString_nowhitespace[st + len('<type>'):end]\r
+# return CredentialFactory.UNKNOWN_CREDENTIAL_TYPE\r
+\r
+ # Static Credential class method to create the appropriate credential\r
+ # (SFA or ABAC) depending on its type\r
+ @staticmethod\r
+ def createCred(credString=None, credFile=None):\r
+ if not credString and not credFile:\r
+ raise Exception("CredentialFactory.createCred called with no argument")\r
+ if credFile:\r
+ try:\r
+ credString = open(credFile).read()\r
+ except Exception, e:\r
+ logger.info("Error opening credential file %s: %s" % credFile, e)\r
+ return None\r
+\r
+ # Try to treat the file as JSON, getting the cred_type from the struct\r
+ try:\r
+ credO = json.loads(credString, encoding='ascii')\r
+ if credO.has_key('geni_value') and credO.has_key('geni_type'):\r
+ cred_type = credO['geni_type']\r
+ credString = credO['geni_value']\r
+ except Exception, e:\r
+ # It wasn't a struct. So the credString is XML. Pull the type directly from the string\r
+ logger.debug("Credential string not JSON: %s" % e)\r
+ cred_type = CredentialFactory.getType(credString)\r
+\r
+ if cred_type == Credential.SFA_CREDENTIAL_TYPE:\r
+ try:\r
+ cred = Credential(string=credString)\r
+ return cred\r
+ except Exception, e:\r
+ if credFile:\r
+ msg = "credString started: %s" % credString[:50]\r
+ raise Exception("%s not a parsable SFA credential: %s. " % (credFile, e) + msg)\r
+ else:\r
+ raise Exception("SFA Credential not parsable: %s. Cred start: %s..." % (e, credString[:50]))\r
+\r
+ elif cred_type == ABACCredential.ABAC_CREDENTIAL_TYPE:\r
+ try:\r
+ cred = ABACCredential(string=credString)\r
+ return cred\r
+ except Exception, e:\r
+ if credFile:\r
+ raise Exception("%s not a parsable ABAC credential: %s" % (credFile, e))\r
+ else:\r
+ raise Exception("ABAC Credential not parsable: %s. Cred start: %s..." % (e, credString[:50]))\r
+ else:\r
+ raise Exception("Unknown credential type '%s'" % cred_type)\r
+\r
+if __name__ == "__main__":\r
+ c2 = open('/tmp/sfa.xml').read()\r
+ cred1 = CredentialFactory.createCred(credFile='/tmp/cred.xml')\r
+ cred2 = CredentialFactory.createCred(credString=c2)\r
+\r
+ print "C1 = %s" % cred1\r
+ print "C2 = %s" % cred2\r
+ c1s = cred1.dump_string()\r
+ print "C1 = %s" % c1s\r
+# print "C2 = %s" % cred2.dump_string()\r
--- /dev/null
+#----------------------------------------------------------------------\r
+# Copyright (c) 2014 Raytheon BBN Technologies\r
+#\r
+# Permission is hereby granted, free of charge, to any person obtaining\r
+# a copy of this software and/or hardware specification (the "Work") to\r
+# deal in the Work without restriction, including without limitation the\r
+# rights to use, copy, modify, merge, publish, distribute, sublicense,\r
+# and/or sell copies of the Work, and to permit persons to whom the Work\r
+# is furnished to do so, subject to the following conditions:\r
+#\r
+# The above copyright notice and this permission notice shall be\r
+# included in all copies or substantial portions of the Work.\r
+#\r
+# THE WORK IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS\r
+# OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF\r
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND\r
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT\r
+# HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,\r
+# WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\r
+# OUT OF OR IN CONNECTION WITH THE WORK OR THE USE OR OTHER DEALINGS\r
+# IN THE WORK.\r
+#----------------------------------------------------------------------\r
+\r
+import datetime\r
+from dateutil import parser as du_parser, tz as du_tz\r
+import optparse\r
+import os\r
+import subprocess\r
+import sys\r
+import tempfile\r
+from xml.dom.minidom import *\r
+from StringIO import StringIO\r
+\r
+from sfa.trust.certificate import Certificate\r
+from sfa.trust.credential import Credential, signature_template, HAVELXML\r
+from sfa.trust.abac_credential import ABACCredential, ABACElement\r
+from sfa.trust.credential_factory import CredentialFactory\r
+from sfa.trust.gid import GID\r
+\r
+# Routine to validate that a speaks-for credential \r
+# says what it claims to say:\r
+# It is a signed credential wherein the signer S is attesting to the\r
+# ABAC statement:\r
+# S.speaks_for(S)<-T Or "S says that T speaks for S"\r
+\r
+# Requires that openssl be installed and in the path\r
+# create_speaks_for requires that xmlsec1 be on the path\r
+\r
+# Simple XML helper functions\r
+\r
+# Find the text associated with first child text node\r
+def findTextChildValue(root):\r
+ child = findChildNamed(root, '#text')\r
+ if child: return str(child.nodeValue)\r
+ return None\r
+\r
+# Find first child with given name\r
+def findChildNamed(root, name):\r
+ for child in root.childNodes:\r
+ if child.nodeName == name:\r
+ return child\r
+ return None\r
+\r
+# Write a string to a tempfile, returning name of tempfile\r
+def write_to_tempfile(str):\r
+ str_fd, str_file = tempfile.mkstemp()\r
+ if str:\r
+ os.write(str_fd, str)\r
+ os.close(str_fd)\r
+ return str_file\r
+\r
+# Run a subprocess and return output\r
+def run_subprocess(cmd, stdout, stderr):\r
+ try:\r
+ proc = subprocess.Popen(cmd, stdout=stdout, stderr=stderr)\r
+ proc.wait()\r
+ if stdout:\r
+ output = proc.stdout.read()\r
+ else:\r
+ output = proc.returncode\r
+ return output\r
+ except Exception as e:\r
+ raise Exception("Failed call to subprocess '%s': %s" % (" ".join(cmd), e))\r
+\r
+def get_cert_keyid(gid):\r
+ """Extract the subject key identifier from the given certificate.\r
+ Return they key id as lowercase string with no colon separators\r
+ between pairs. The key id as shown in the text output of a\r
+ certificate are in uppercase with colon separators.\r
+\r
+ """\r
+ raw_key_id = gid.get_extension('subjectKeyIdentifier')\r
+ # Raw has colons separating pairs, and all characters are upper case.\r
+ # Remove the colons and convert to lower case.\r
+ keyid = raw_key_id.replace(':', '').lower()\r
+ return keyid\r
+\r
+# Pull the cert out of a list of certs in a PEM formatted cert string\r
+def grab_toplevel_cert(cert):\r
+ start_label = '-----BEGIN CERTIFICATE-----'\r
+ if cert.find(start_label) > -1:\r
+ start_index = cert.find(start_label) + len(start_label)\r
+ else:\r
+ start_index = 0\r
+ end_label = '-----END CERTIFICATE-----'\r
+ end_index = cert.find(end_label)\r
+ first_cert = cert[start_index:end_index]\r
+ pieces = first_cert.split('\n')\r
+ first_cert = "".join(pieces)\r
+ return first_cert\r
+\r
+# Validate that the given speaks-for credential represents the\r
+# statement User.speaks_for(User)<-Tool for the given user and tool certs\r
+# and was signed by the user\r
+# Return: \r
+# Boolean indicating whether the given credential \r
+# is not expired \r
+# is an ABAC credential\r
+# was signed by the user associated with the speaking_for_urn\r
+# is verified by xmlsec1\r
+# asserts U.speaks_for(U)<-T ("user says that T may speak for user")\r
+# If schema provided, validate against schema\r
+# is trusted by given set of trusted roots (both user cert and tool cert)\r
+# String user certificate of speaking_for user if the above tests succeed\r
+# (None otherwise)\r
+# Error message indicating why the speaks_for call failed ("" otherwise)\r
+def verify_speaks_for(cred, tool_gid, speaking_for_urn, \\r
+ trusted_roots, schema=None, logger=None):\r
+\r
+ # Credential has not expired\r
+ if cred.expiration and cred.expiration < datetime.datetime.utcnow():\r
+ return False, None, "ABAC Credential expired at %s (%s)" % (cred.expiration.isoformat(), cred.get_summary_tostring())\r
+\r
+ # Must be ABAC\r
+ if cred.get_cred_type() != ABACCredential.ABAC_CREDENTIAL_TYPE:\r
+ return False, None, "Credential not of type ABAC but %s" % cred.get_cred_type\r
+\r
+ if cred.signature is None or cred.signature.gid is None:\r
+ return False, None, "Credential malformed: missing signature or signer cert. Cred: %s" % cred.get_summary_tostring()\r
+ user_gid = cred.signature.gid\r
+ user_urn = user_gid.get_urn()\r
+\r
+ # URN of signer from cert must match URN of 'speaking-for' argument\r
+ if user_urn != speaking_for_urn:\r
+ return False, None, "User URN from cred doesn't match speaking_for URN: %s != %s (cred %s)" % \\r
+ (user_urn, speaking_for_urn, cred.get_summary_tostring())\r
+\r
+ tails = cred.get_tails()\r
+ if len(tails) != 1: \r
+ return False, None, "Invalid ABAC-SF credential: Need exactly 1 tail element, got %d (%s)" % \\r
+ (len(tails), cred.get_summary_tostring())\r
+\r
+ user_keyid = get_cert_keyid(user_gid)\r
+ tool_keyid = get_cert_keyid(tool_gid)\r
+ subject_keyid = tails[0].get_principal_keyid()\r
+\r
+ head = cred.get_head()\r
+ principal_keyid = head.get_principal_keyid()\r
+ role = head.get_role()\r
+\r
+ logger.info('user keyid: %s' % user_keyid) \r
+ logger.info('principal keyid: %s' % principal_keyid) \r
+ logger.info('tool keyid: %s' % tool_keyid) \r
+ logger.info('subject keyid: %s' % subject_keyid) \r
+ logger.info('role: %s' % role) \r
+ logger.info('user gid: %s' % user_gid.dump_string())\r
+ f = open('/tmp/speaksfor/tool.gid', 'w')\r
+ f.write(tool_gid.dump_string())\r
+ f.close() \r
+\r
+ # Credential must pass xmlsec1 verify\r
+ cred_file = write_to_tempfile(cred.save_to_string())\r
+ cert_args = []\r
+ if trusted_roots:\r
+ for x in trusted_roots:\r
+ cert_args += ['--trusted-pem', x.filename]\r
+ # FIXME: Why do we not need to specify the --node-id option as credential.py does?\r
+ xmlsec1_args = [cred.xmlsec_path, '--verify'] + cert_args + [ cred_file]\r
+ output = run_subprocess(xmlsec1_args, stdout=None, stderr=subprocess.PIPE)\r
+ os.unlink(cred_file)\r
+ if output != 0:\r
+ # FIXME\r
+ # xmlsec errors have a msg= which is the interesting bit.\r
+ # But does this go to stderr or stdout? Do we have it here?\r
+ mstart = verified.find("msg=")\r
+ msg = ""\r
+ if mstart > -1 and len(verified) > 4:\r
+ mstart = mstart + 4\r
+ mend = verified.find('\\', mstart)\r
+ msg = verified[mstart:mend]\r
+ if msg == "":\r
+ msg = output\r
+ return False, None, "ABAC credential failed to xmlsec1 verify: %s" % msg\r
+\r
+ # Must say U.speaks_for(U)<-T\r
+ if user_keyid != principal_keyid or \\r
+ tool_keyid != subject_keyid or \\r
+ role != ('speaks_for_%s' % user_keyid):\r
+ return False, None, "ABAC statement doesn't assert U.speaks_for(U)<-T (%s)" % cred.get_summary_tostring()\r
+\r
+ # If schema provided, validate against schema\r
+ if HAVELXML and schema and os.path.exists(schema):\r
+ from lxml import etree\r
+ tree = etree.parse(StringIO(cred.xml))\r
+ schema_doc = etree.parse(schema)\r
+ xmlschema = etree.XMLSchema(schema_doc)\r
+ if not xmlschema.validate(tree):\r
+ error = xmlschema.error_log.last_error\r
+ message = "%s: %s (line %s)" % (cred.get_summary_tostring(), error.message, error.line)\r
+ return False, None, ("XML Credential schema invalid: %s" % message)\r
+\r
+ if trusted_roots:\r
+ # User certificate must validate against trusted roots\r
+ try:\r
+ user_gid.verify_chain(trusted_roots)\r
+ except Exception, e:\r
+ return False, None, \\r
+ "Cred signer (user) cert not trusted: %s" % e\r
+\r
+ # Tool certificate must validate against trusted roots\r
+ try:\r
+ tool_gid.verify_chain(trusted_roots)\r
+ except Exception, e:\r
+ return False, None, \\r
+ "Tool cert not trusted: %s" % e\r
+\r
+ return True, user_gid, ""\r
+\r
+# Determine if this is a speaks-for context. If so, validate\r
+# And return either the tool_cert (not speaks-for or not validated)\r
+# or the user cert (validated speaks-for)\r
+#\r
+# credentials is a list of GENI-style credentials:\r
+# Either a cred string xml string, or Credential object of a tuple\r
+# [{'geni_type' : geni_type, 'geni_value : cred_value, \r
+# 'geni_version' : version}]\r
+# caller_gid is the raw X509 cert gid\r
+# options is the dictionary of API-provided options\r
+# trusted_roots is a list of Certificate objects from the system\r
+# trusted_root directory\r
+# Optionally, provide an XML schema against which to validate the credential\r
+def determine_speaks_for(logger, credentials, caller_gid, options, \\r
+ trusted_roots, schema=None):\r
+ logger.info(options)\r
+ logger.info("geni speaking for:%s " % 'geni_speaking_for' in options) \r
+ if options and 'geni_speaking_for' in options:\r
+ speaking_for_urn = options['geni_speaking_for'].strip()\r
+ for cred in credentials:\r
+ # Skip things that aren't ABAC credentials\r
+ if type(cred) == dict:\r
+ if cred['geni_type'] != ABACCredential.ABAC_CREDENTIAL_TYPE: continue\r
+ cred_value = cred['geni_value']\r
+ elif isinstance(cred, Credential):\r
+ if not isinstance(cred, ABACCredential):\r
+ continue\r
+ else:\r
+ cred_value = cred\r
+ else:\r
+ if CredentialFactory.getType(cred) != ABACCredential.ABAC_CREDENTIAL_TYPE: continue\r
+ cred_value = cred\r
+\r
+ # If the cred_value is xml, create the object\r
+ if not isinstance(cred_value, ABACCredential):\r
+ cred = CredentialFactory.createCred(cred_value)\r
+\r
+# print "Got a cred to check speaksfor for: %s" % cred.get_summary_tostring()\r
+# #cred.dump(True, True)\r
+# print "Caller: %s" % caller_gid.dump_string(2, True)\r
+ logger.info(cred.dump_string())\r
+ f = open('/tmp/speaksfor/%s.cred' % cred, 'w')\r
+ f.write(cred.xml)\r
+ f.close()\r
+ # See if this is a valid speaks_for\r
+ is_valid_speaks_for, user_gid, msg = \\r
+ verify_speaks_for(cred,\r
+ caller_gid, speaking_for_urn, \\r
+ trusted_roots, schema, logger=logger)\r
+ logger.info(msg)\r
+ if is_valid_speaks_for:\r
+ return user_gid # speaks-for\r
+ else:\r
+ if logger:\r
+ logger.info("Got speaks-for option but not a valid speaks_for with this credential: %s" % msg)\r
+ else:\r
+ print "Got a speaks-for option but not a valid speaks_for with this credential: " + msg\r
+ return caller_gid # Not speaks-for\r
+\r
+# Create an ABAC Speaks For credential using the ABACCredential object and it's encode&sign methods\r
+def create_sign_abaccred(tool_gid, user_gid, ma_gid, user_key_file, cred_filename, dur_days=365):\r
+ print "Creating ABAC SpeaksFor using ABACCredential...\n"\r
+ # Write out the user cert\r
+ from tempfile import mkstemp\r
+ ma_str = ma_gid.save_to_string()\r
+ user_cert_str = user_gid.save_to_string()\r
+ if not user_cert_str.endswith(ma_str):\r
+ user_cert_str += ma_str\r
+ fp, user_cert_filename = mkstemp(suffix='cred', text=True)\r
+ fp = os.fdopen(fp, "w")\r
+ fp.write(user_cert_str)\r
+ fp.close()\r
+\r
+ # Create the cred\r
+ cred = ABACCredential()\r
+ cred.set_issuer_keys(user_key_file, user_cert_filename)\r
+ tool_urn = tool_gid.get_urn()\r
+ user_urn = user_gid.get_urn()\r
+ user_keyid = get_cert_keyid(user_gid)\r
+ tool_keyid = get_cert_keyid(tool_gid)\r
+ cred.head = ABACElement(user_keyid, user_urn, "speaks_for_%s" % user_keyid)\r
+ cred.tails.append(ABACElement(tool_keyid, tool_urn))\r
+ cred.set_expiration(datetime.datetime.utcnow() + datetime.timedelta(days=dur_days))\r
+ cred.expiration = cred.expiration.replace(microsecond=0)\r
+\r
+ # Produce the cred XML\r
+ cred.encode()\r
+\r
+ # Sign it\r
+ cred.sign()\r
+ # Save it\r
+ cred.save_to_file(cred_filename)\r
+ print "Created ABAC credential: '%s' in file %s" % \\r
+ (cred.get_summary_tostring(), cred_filename)\r
+\r
+# FIXME: Assumes xmlsec1 is on path\r
+# FIXME: Assumes signer is itself signed by an 'ma_gid' that can be trusted\r
+def create_speaks_for(tool_gid, user_gid, ma_gid, \\r
+ user_key_file, cred_filename, dur_days=365):\r
+ tool_urn = tool_gid.get_urn()\r
+ user_urn = user_gid.get_urn()\r
+\r
+ header = '<?xml version="1.0" encoding="UTF-8"?>'\r
+ reference = "ref0"\r
+ signature_block = \\r
+ '<signatures>\n' + \\r
+ signature_template + \\r
+ '</signatures>'\r
+ template = header + '\n' + \\r
+ '<signed-credential '\r
+ template += 'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://www.geni.net/resources/credential/2/credential.xsd" xsi:schemaLocation="http://www.protogeni.net/resources/credential/ext/policy/1 http://www.protogeni.net/resources/credential/ext/policy/1/policy.xsd"'\r
+ template += '>\n' + \\r
+ '<credential xml:id="%s">\n' + \\r
+ '<type>abac</type>\n' + \\r
+ '<serial/>\n' +\\r
+ '<owner_gid/>\n' + \\r
+ '<owner_urn/>\n' + \\r
+ '<target_gid/>\n' + \\r
+ '<target_urn/>\n' + \\r
+ '<uuid/>\n' + \\r
+ '<expires>%s</expires>' +\\r
+ '<abac>\n' + \\r
+ '<rt0>\n' + \\r
+ '<version>%s</version>\n' + \\r
+ '<head>\n' + \\r
+ '<ABACprincipal><keyid>%s</keyid><mnemonic>%s</mnemonic></ABACprincipal>\n' +\\r
+ '<role>speaks_for_%s</role>\n' + \\r
+ '</head>\n' + \\r
+ '<tail>\n' +\\r
+ '<ABACprincipal><keyid>%s</keyid><mnemonic>%s</mnemonic></ABACprincipal>\n' +\\r
+ '</tail>\n' +\\r
+ '</rt0>\n' + \\r
+ '</abac>\n' + \\r
+ '</credential>\n' + \\r
+ signature_block + \\r
+ '</signed-credential>\n'\r
+\r
+\r
+ credential_duration = datetime.timedelta(days=dur_days)\r
+ expiration = datetime.datetime.now(du_tz.tzutc()) + credential_duration\r
+ expiration_str = expiration.strftime('%Y-%m-%dT%H:%M:%SZ') # FIXME: libabac can't handle .isoformat()\r
+ version = "1.1"\r
+\r
+ user_keyid = get_cert_keyid(user_gid)\r
+ tool_keyid = get_cert_keyid(tool_gid)\r
+ unsigned_cred = template % (reference, expiration_str, version, \\r
+ user_keyid, user_urn, user_keyid, tool_keyid, tool_urn, \\r
+ reference, reference)\r
+ unsigned_cred_filename = write_to_tempfile(unsigned_cred)\r
+\r
+ # Now sign the file with xmlsec1\r
+ # xmlsec1 --sign --privkey-pem privkey.pem,cert.pem \r
+ # --output signed.xml tosign.xml\r
+ pems = "%s,%s,%s" % (user_key_file, user_gid.get_filename(),\r
+ ma_gid.get_filename())\r
+ # FIXME: assumes xmlsec1 is on path\r
+ cmd = ['xmlsec1', '--sign', '--privkey-pem', pems, \r
+ '--output', cred_filename, unsigned_cred_filename]\r
+\r
+# print " ".join(cmd)\r
+ sign_proc_output = run_subprocess(cmd, stdout=subprocess.PIPE, stderr=None)\r
+ if sign_proc_output == None:\r
+ print "OUTPUT = %s" % sign_proc_output\r
+ else:\r
+ print "Created ABAC credential: '%s speaks_for %s' in file %s" % \\r
+ (tool_urn, user_urn, cred_filename)\r
+ os.unlink(unsigned_cred_filename)\r
+\r
+\r
+# Test procedure\r
+if __name__ == "__main__":\r
+\r
+ parser = optparse.OptionParser()\r
+ parser.add_option('--cred_file', \r
+ help='Name of credential file')\r
+ parser.add_option('--tool_cert_file', \r
+ help='Name of file containing tool certificate')\r
+ parser.add_option('--user_urn', \r
+ help='URN of speaks-for user')\r
+ parser.add_option('--user_cert_file', \r
+ help="filename of x509 certificate of signing user")\r
+ parser.add_option('--ma_cert_file', \r
+ help="filename of x509 cert of MA that signed user cert")\r
+ parser.add_option('--user_key_file', \r
+ help="filename of private key of signing user")\r
+ parser.add_option('--trusted_roots_directory', \r
+ help='Directory of trusted root certs')\r
+ parser.add_option('--create',\r
+ help="name of file of ABAC speaksfor cred to create")\r
+ parser.add_option('--useObject', action='store_true', default=False,\r
+ help='Use the ABACCredential object to create the credential (default False)')\r
+\r
+ options, args = parser.parse_args(sys.argv)\r
+\r
+ tool_gid = GID(filename=options.tool_cert_file)\r
+\r
+ if options.create:\r
+ if options.user_cert_file and options.user_key_file \\r
+ and options.ma_cert_file:\r
+ user_gid = GID(filename=options.user_cert_file)\r
+ ma_gid = GID(filename=options.ma_cert_file)\r
+ if options.useObject:\r
+ create_sign_abaccred(tool_gid, user_gid, ma_gid, \\r
+ options.user_key_file, \\r
+ options.create)\r
+ else:\r
+ create_speaks_for(tool_gid, user_gid, ma_gid, \\r
+ options.user_key_file, \\r
+ options.create)\r
+ else:\r
+ print "Usage: --create cred_file " + \\r
+ "--user_cert_file user_cert_file" + \\r
+ " --user_key_file user_key_file --ma_cert_file ma_cert_file"\r
+ sys.exit()\r
+\r
+ user_urn = options.user_urn\r
+\r
+ # Get list of trusted rootcerts\r
+ if options.cred_file and not options.trusted_roots_directory:\r
+ sys.exit("Must supply --trusted_roots_directory to validate a credential")\r
+\r
+ trusted_roots_directory = options.trusted_roots_directory\r
+ trusted_roots = \\r
+ [Certificate(filename=os.path.join(trusted_roots_directory, file)) \\r
+ for file in os.listdir(trusted_roots_directory) \\r
+ if file.endswith('.pem') and file != 'CATedCACerts.pem']\r
+\r
+ cred = open(options.cred_file).read()\r
+\r
+ creds = [{'geni_type' : ABACCredential.ABAC_CREDENTIAL_TYPE, 'geni_value' : cred, \r
+ 'geni_version' : '1'}]\r
+ gid = determine_speaks_for(None, creds, tool_gid, \\r
+ {'geni_speaking_for' : user_urn}, \\r
+ trusted_roots)\r
+\r
+\r
+ print 'SPEAKS_FOR = %s' % (gid != tool_gid)\r
+ print "CERT URN = %s" % gid.get_urn()\r
git://git.onelab.eu / sfa.git / commitdiff