[chopwood] / operation.py

### -*-python-*-
###
### Operations and policy switch
###
### (c) 2013 Mark Wooding
###

###----- Licensing notice ---------------------------------------------------
###
### This file is part of Chopwood: a password-changing service.
###
### Chopwood is free software; you can redistribute it and/or modify
### it under the terms of the GNU Affero General Public License as
### published by the Free Software Foundation; either version 3 of the
### License, or (at your option) any later version.
###
### Chopwood is distributed in the hope that it will be useful,
### but WITHOUT ANY WARRANTY; without even the implied warranty of
### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
### GNU Affero General Public License for more details.
###
### You should have received a copy of the GNU Affero General Public
### License along with Chopwood; if not, see
### <http://www.gnu.org/licenses/>.

import os as OS

import config as CONF; CFG = CONF.CFG
import util as U

### The objective here is to be able to insert a policy layer between the UI,
### which is where the user makes requests to change a bunch of accounts, and
### the backends, which make requested changes without thinking too much
### about whether they're a good idea.
###
### Here, we convert between (nearly) user-level /requests/, which involve
### doing things to multiple service/user pairs, and /operations/, which
### represent a single change to be made to a particular service.  (This is
### slightly nontrivial in the case of reset requests, since the intended
### semantics may be that the services are all assigned the /same/ random
### password.)

###--------------------------------------------------------------------------
### Operation protocol.

## An operation deals with a single service/user pair.  The protocol works
## like this.  The constructor is essentially passive, storing information
## about the operation but not actually performing it.  The `perform' method
## attempts to perform the operation, and stores information about the
## outcome in attributes:
##
## error        Either `None' or an `ExpectedError' instance indicating what
##              went wrong.
##
## result       Either `None' or a string providing additional information
##              about the successful completion of the operation.
##
## svc          The service object on which the operation was attempted.
##
## user         The user name on which the operation was attempted.

class BaseOperation (object):
  """
  Base class for individual operations.

  This is where the basic operation protocol is implemented.  Subclasses
  should store any additional attributes necessary during initialization, and
  implement a method `_perform' which takes no parameters, performs the
  operation, and returns any necessary result.
  """

  def __init__(me, svc, user, *args, **kw):
    """Initialize the operation, storing the SVC and USER in attributes."""
    super(BaseOperation, me).__init__(*args, **kw)
    me.svc = svc
    me.user = user

  def perform(me):
    """Perform the operation, and return whether it was successful."""

    ## Set up the `result' and `error' slots here, rather than earlier, to
    ## catch callers referencing them too early.
    me.result = me.error = None

    ## Perform the operation, and stash the result.
    ok = True
    try:
      try: me.result = me._perform()
      except (IOError, OSError), e: raise U.ExpectedError, (500, str(e))
    except U.ExpectedError, e:
      me.error = e
      ok = False

    ## Done.
    return ok
CONF.export('BaseOperation')

class SetOperation (BaseOperation):
  """Operation to set a given password on an account."""
  def __init__(me, svc, user, passwd, *args, **kw):
    super(SetOperation, me).__init__(svc, user, *args, **kw)
    me.passwd = passwd
  def _perform(me):
    me.svc.setpasswd(me.user, me.passwd)
CONF.export('SetOperation')

class ClearOperation (BaseOperation):
  """Operation to clear a password from an account, preventing logins."""
  def _perform(me):
    me.svc.clearpasswd(me.user)
CONF.export('ClearOperation')

class FailOperation (BaseOperation):
  """A fake operation which just raises an exception."""
  def __init__(me, svc, user, exc):
    me.svc = svc
    me.uesr = user
    me.exc = exc
  def perform(me):
    me.result = None
    me.error = me.exc
    return False
CONF.export('FailOperation')

###--------------------------------------------------------------------------
### Requests.

## A request object represents a single user-level operation targetted at
## multiple services.  The user might be known under a different alias by
## each service, so requests operate on service/user pairs, bundled in an
## `acct' object.
##
## Request methods are as follows.
##
## check()      Verify that the request complies with policy.  Note that
##              checking that any particular user has authority over the
##              necessary accounts has already been done.  One might want to
##              check that the passwords are sufficiently long and
##              complicated (though that rapidly becomes problematic, and I
##              don't really recommend it) or that particular services are or
##              aren't processed at the same time.
##
## perform()    Actually perform the request.  A list of completed operation
##              objects is left in the `ops' attribute.
##
## Performing the operation may leave additional information in attributes.
## The `INFO' class attribute contains a dictionary mapping attribute names
## to human-readable descriptions of this additional information.
##
## Note that the request object has a fairly free hand in choosing how to
## implement the request in terms of operations.  In particular, it might
## process additional services.  Callers must not assume that they can
## predict what the resulting operations list will look like.

class acct (U.struct):
  """A simple pairing of a service SVC and USER name."""
  __slots__ = ['svc', 'user']

class BaseRequest (object):
  """
  Base class for requests, provides basic protocol.  In particular, it
  provides an empty `INFO' map, a trivial `check' method, and the obvious
  `perform' method which assumes that the `ops' list has already been
  constructed.
  """
  INFO = {}
  def check(me):
    """
    Check the request to make sure we actually want to proceed.
    """
    pass
  def makeop(me, optype, svc, user, **kw):
    """
    Hook for making operations.  A policy class can substitute a
    `FailOperation' to partially disallow a request.
    """
    return optype(svc, user, **kw)
  def perform(me):
    """
    Perform the queued-up operations.
    """
    for op in me.ops: op.perform()
    return me.ops
CONF.export('BaseRequest', ExpectedError = U.ExpectedError)

class SetRequest (BaseRequest):
  """
  Request to set the password for the given ACCTS to NEW.

  The new password is kept in the object's `new' attribute for easy
  inspection.  The `check' method ensures that the password is not empty, but
  imposes no other policy restrictions.
  """
  def __init__(me, accts, new):
    me.new = new
    me.ops = [me.makeop(SetOperation, acct.svc, acct.user, passwd = new)
              for acct in accts]
  def check(me):
    if me.new == '':
      raise U.ExpectedError, (400, "Empty password not permitted")
    super(SetRequest, me).check()
CONF.export('SetRequest')

class ResetRequest (BaseRequest):
  """
  Request to set the password for the given ACCTS to something new but
  nonspeific.  The new password is generated based on a number of class
  attributes which subclasses can usefully override.

  ENCODING      Encoding to apply to random data.

  PWBYTES       Number of random bytes to collect.

  Alternatively, subclasses can override the `pwgen' method.
  """

  ## Password generation parameters.
  PWBYTES = 16
  ENCODING = 'base32'

  ## Additional information.
  INFO = dict(new = 'New password')

  def __init__(me, accts):
    me.new = me.pwgen()
    me.ops = [me.makeop(SetOperation, acct.svc, acct.user, passwd = me.new)
              for acct in accts]

  def pwgen(me):
    return U.ENCODINGS[me.ENCODING].encode(OS.urandom(me.PWBYTES)) \
           .rstrip('=')
CONF.export('ResetRequest')

class ClearRequest (BaseRequest):
  """
  Request to clear the password for the given ACCTS.
  """
  def __init__(me, accts):
    me.ops = [me.makeop(ClearOperation, acct.svc, acct.user)
              for acct in accts]
CONF.export('ClearRequest')

###--------------------------------------------------------------------------
### Master policy switch.

class polswitch (U.struct):
  __slots__ = ['set', 'reset', 'clear']

CONF.DEFAULTS.update(

  ## Map a request type `set', `reset', or `clear', to the appropriate
  ## request class.
  RQCLASS = polswitch(None, None, None),

  ## Alternatively, set this to a mixin class to apply common policy to all
  ## the kinds of requests.
  RQMIXIN = None)

@CONF.hook
def set_policy_classes():
  for op, base in [('set', SetRequest),
                   ('reset', ResetRequest),
                   ('clear', ClearRequest)]:
    if getattr(CFG.RQCLASS, op): continue
    if CFG.RQMIXIN:
      cls = type('Custom%sPolicy' % op.title(), (base, CFG.RQMIXIN), {})
    else:
      cls = base
    setattr(CFG.RQCLASS, op, cls)

## Outcomes.

class outcome (U.struct):
  __slots__ = ['rc', 'nwin', 'nlose']
  OK = 0
  PARTIAL = 1
  FAIL = 2
  NOTHING = 3

class info (U.struct):
  __slots__ = ['desc', 'value']

def operate(op, accts, *args, **kw):
  """
  Perform a request through the policy switch.

  The operation may be one of `set', `reset' or `clear'.  An instance of the
  appropriate request class is constructed, and additional arguments are
  passed directly to the request class constructor; the request is checked
  for policy compliance; and then performed.

  The return values are:

    * an `outcome' object holding the general outcome, and a count of the
      winning and losing operations;

    * a list of `info' objects holding additional information from the
      request;

    * the request object itself; and

    * a list of the individual operation objects.
  """
  rq = getattr(CFG.RQCLASS, op)(accts, *args, **kw)
  rq.check()
  ops = rq.perform()
  nwin = nlose = 0
  for o in ops:
    if o.error: nlose += 1
    else: nwin += 1
  if nwin:
    if nlose: rc = outcome.PARTIAL
    else: rc = outcome.OK
  else:
    if nlose: rc = outcome.FAIL
    else: rc = outcome.NOTHING
  ii = [info(v, getattr(rq, k)) for k, v in rq.INFO.iteritems()]
  return outcome(rc, nwin, nlose), ii, rq, ops

###----- That's all, folks --------------------------------------------------
Commit	Line	Data
a2916c06 MW	1	### --python--
	2	###
	3	### Operations and policy switch
	4	###
	5	### (c) 2013 Mark Wooding
	6	###
	7
	8	###----- Licensing notice ---------------------------------------------------
	9	###
	10	### This file is part of Chopwood: a password-changing service.
	11	###
	12	### Chopwood is free software; you can redistribute it and/or modify
	13	### it under the terms of the GNU Affero General Public License as
	14	### published by the Free Software Foundation; either version 3 of the
	15	### License, or (at your option) any later version.
	16	###
	17	### Chopwood is distributed in the hope that it will be useful,
	18	### but WITHOUT ANY WARRANTY; without even the implied warranty of
	19	### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	20	### GNU Affero General Public License for more details.
	21	###
	22	### You should have received a copy of the GNU Affero General Public
	23	### License along with Chopwood; if not, see
	24	### <http://www.gnu.org/licenses/>.
	25
	26	import os as OS
	27
	28	import config as CONF; CFG = CONF.CFG
	29	import util as U
	30
	31	### The objective here is to be able to insert a policy layer between the UI,
	32	### which is where the user makes requests to change a bunch of accounts, and
	33	### the backends, which make requested changes without thinking too much
	34	### about whether they're a good idea.
	35	###
	36	### Here, we convert between (nearly) user-level /requests/, which involve
	37	### doing things to multiple service/user pairs, and /operations/, which
	38	### represent a single change to be made to a particular service. (This is
	39	### slightly nontrivial in the case of reset requests, since the intended
	40	### semantics may be that the services are all assigned the /same/ random
	41	### password.)
	42
	43	###--------------------------------------------------------------------------
	44	### Operation protocol.
	45
	46	## An operation deals with a single service/user pair. The protocol works
	47	## like this. The constructor is essentially passive, storing information
	48	## about the operation but not actually performing it. The `perform' method
	49	## attempts to perform the operation, and stores information about the
	50	## outcome in attributes:
	51	##
	52	## error Either `None' or an `ExpectedError' instance indicating what
	53	## went wrong.
	54	##
	55	## result Either `None' or a string providing additional information
	56	## about the successful completion of the operation.
	57	##
	58	## svc The service object on which the operation was attempted.
	59	##
	60	## user The user name on which the operation was attempted.
	61
	62	class BaseOperation (object):
	63	"""
	64	Base class for individual operations.
65
66	This is where the basic operation protocol is implemented. Subclasses
67	should store any additional attributes necessary during initialization, and
68	implement a method `_perform' which takes no parameters, performs the
69	operation, and returns any necessary result.
70	"""
71
72	def __init__(me, svc, user, args, *kw):
73	"""Initialize the operation, storing the SVC and USER in attributes."""
74	super(BaseOperation, me).__init__(args, *kw)
75	me.svc = svc
76	me.user = user
77
78	def perform(me):
79	"""Perform the operation, and return whether it was successful."""
80
81	## Set up the `result' and `error' slots here, rather than earlier, to
82	## catch callers referencing them too early.
83	me.result = me.error = None
84
85	## Perform the operation, and stash the result.
86	ok = True
87	try:
88	try: me.result = me._perform()
89	except (IOError, OSError), e: raise U.ExpectedError, (500, str(e))
90	except U.ExpectedError, e:
91	me.error = e
92	ok = False
93
94	## Done.
95	return ok
96	CONF.export('BaseOperation')
97
98	class SetOperation (BaseOperation):
99	"""Operation to set a given password on an account."""
100	def __init__(me, svc, user, passwd, args, *kw):
101	super(SetOperation, me).__init__(svc, user, args, *kw)
102	me.passwd = passwd
103	def _perform(me):
104	me.svc.setpasswd(me.user, me.passwd)
105	CONF.export('SetOperation')
106
107	class ClearOperation (BaseOperation):
108	"""Operation to clear a password from an account, preventing logins."""
109	def _perform(me):
110	me.svc.clearpasswd(me.user)
111	CONF.export('ClearOperation')
112
113	class FailOperation (BaseOperation):
114	"""A fake operation which just raises an exception."""
115	def __init__(me, svc, user, exc):
116	me.svc = svc
117	me.uesr = user
118	me.exc = exc
119	def perform(me):
120	me.result = None
121	me.error = me.exc
122	return False
123	CONF.export('FailOperation')
124
125	###--------------------------------------------------------------------------
126	### Requests.
127
128	## A request object represents a single user-level operation targetted at
129	## multiple services. The user might be known under a different alias by
130	## each service, so requests operate on service/user pairs, bundled in an
131	## `acct' object.
132	##
133	## Request methods are as follows.
134	##
135	## check() Verify that the request complies with policy. Note that
136	## checking that any particular user has authority over the
137	## necessary accounts has already been done. One might want to
138	## check that the passwords are sufficiently long and
139	## complicated (though that rapidly becomes problematic, and I
140	## don't really recommend it) or that particular services are or
141	## aren't processed at the same time.
142	##
143	## perform() Actually perform the request. A list of completed operation
144	## objects is left in the `ops' attribute.
145	##
146	## Performing the operation may leave additional information in attributes.
147	## The `INFO' class attribute contains a dictionary mapping attribute names
148	## to human-readable descriptions of this additional information.
149	##
150	## Note that the request object has a fairly free hand in choosing how to
151	## implement the request in terms of operations. In particular, it might
152	## process additional services. Callers must not assume that they can
153	## predict what the resulting operations list will look like.
154
155	class acct (U.struct):
156	"""A simple pairing of a service SVC and USER name."""
157	__slots__ = ['svc', 'user']
158
159	class BaseRequest (object):
160	"""
161	Base class for requests, provides basic protocol. In particular, it
162	provides an empty `INFO' map, a trivial `check' method, and the obvious
163	`perform' method which assumes that the `ops' list has already been
164	constructed.
165	"""
166	INFO = {}
167	def check(me):
168	"""
169	Check the request to make sure we actually want to proceed.
170	"""
171	pass
172	def makeop(me, optype, svc, user, **kw):
173	"""
174	Hook for making operations. A policy class can substitute a
175	`FailOperation' to partially disallow a request.
176	"""
177	return optype(svc, user, **kw)
178	def perform(me):
179	"""
180	Perform the queued-up operations.
181	"""
182	for op in me.ops: op.perform()
183	return me.ops
184	CONF.export('BaseRequest', ExpectedError = U.ExpectedError)
185
186	class SetRequest (BaseRequest):
187	"""
188	Request to set the password for the given ACCTS to NEW.
189
190	The new password is kept in the object's `new' attribute for easy
191	inspection. The `check' method ensures that the password is not empty, but
192	imposes no other policy restrictions.
193	"""
194	def __init__(me, accts, new):
195	me.new = new
196	me.ops = [me.makeop(SetOperation, acct.svc, acct.user, passwd = new)
197	for acct in accts]
198	def check(me):
199	if me.new == '':
200	raise U.ExpectedError, (400, "Empty password not permitted")
201	super(SetRequest, me).check()
202	CONF.export('SetRequest')
203
204	class ResetRequest (BaseRequest):
205	"""
206	Request to set the password for the given ACCTS to something new but
207	nonspeific. The new password is generated based on a number of class
208	attributes which subclasses can usefully override.
209
210	ENCODING Encoding to apply to random data.
211
212	PWBYTES Number of random bytes to collect.
213
214	Alternatively, subclasses can override the `pwgen' method.
215	"""
216
217	## Password generation parameters.
218	PWBYTES = 16
219	ENCODING = 'base32'
220
221	## Additional information.
222	INFO = dict(new = 'New password')
223
224	def __init__(me, accts):
225	me.new = me.pwgen()
226	me.ops = [me.makeop(SetOperation, acct.svc, acct.user, passwd = me.new)
227	for acct in accts]
228
229	def pwgen(me):
230	return U.ENCODINGS[me.ENCODING].encode(OS.urandom(me.PWBYTES)) \
231	.rstrip('=')
232	CONF.export('ResetRequest')
233
234	class ClearRequest (BaseRequest):
235	"""
236	Request to clear the password for the given ACCTS.
237	"""
238	def __init__(me, accts):
239	me.ops = [me.makeop(ClearOperation, acct.svc, acct.user)
240	for acct in accts]
241	CONF.export('ClearRequest')
242
243	###--------------------------------------------------------------------------
244	### Master policy switch.
245
246	class polswitch (U.struct):
247	__slots__ = ['set', 'reset', 'clear']
248
249	CONF.DEFAULTS.update(
250
251	## Map a request type `set', `reset', or `clear', to the appropriate
252	## request class.
253	RQCLASS = polswitch(None, None, None),
254
255	## Alternatively, set this to a mixin class to apply common policy to all
256	## the kinds of requests.
257	RQMIXIN = None)
258
259	@CONF.hook
260	def set_policy_classes():
261	for op, base in [('set', SetRequest),
262	('reset', ResetRequest),
263	('clear', ClearRequest)]:
264	if getattr(CFG.RQCLASS, op): continue
265	if CFG.RQMIXIN:
266	cls = type('Custom%sPolicy' % op.title(), (base, CFG.RQMIXIN), {})
267	else:
268	cls = base
269	setattr(CFG.RQCLASS, op, cls)
270
271	## Outcomes.
272
273	class outcome (U.struct):
274	__slots__ = ['rc', 'nwin', 'nlose']
275	OK = 0
276	PARTIAL = 1
277	FAIL = 2
278	NOTHING = 3
279
280	class info (U.struct):
281	__slots__ = ['desc', 'value']
282
283	def operate(op, accts, args, *kw):
284	"""
285	Perform a request through the policy switch.
286
287	The operation may be one of `set', `reset' or `clear'. An instance of the
288	appropriate request class is constructed, and additional arguments are
289	passed directly to the request class constructor; the request is checked
290	for policy compliance; and then performed.
291
292	The return values are:
293
294	* an `outcome' object holding the general outcome, and a count of the
295	winning and losing operations;
296
297	* a list of `info' objects holding additional information from the
298	request;
299
300	* the request object itself; and
301
302	* a list of the individual operation objects.
303	"""
304	rq = getattr(CFG.RQCLASS, op)(accts, args, *kw)
305	rq.check()
306	ops = rq.perform()
307	nwin = nlose = 0
308	for o in ops:
309	if o.error: nlose += 1
310	else: nwin += 1
311	if nwin:
312	if nlose: rc = outcome.PARTIAL
313	else: rc = outcome.OK
314	else:
315	if nlose: rc = outcome.FAIL
316	else: rc = outcome.NOTHING
317	ii = [info(v, getattr(rq, k)) for k, v in rq.INFO.iteritems()]
318	return outcome(rc, nwin, nlose), ii, rq, ops
319
320	###----- That's all, folks --------------------------------------------------