-
Lisa Velden authored
and use one-element tuplesfor string formatting Signed-off-by:
Lisa Velden <velden@google.com> Signed-off-by:
Petr Pudlak <pudlak@google.com> Reviewed-by:
20d94d3b
serializer.py 11.34 KiB
#
#
# Copyright (C) 2007, 2008, 2014 Google Inc.
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
#
# 1. Redistributions of source code must retain the above copyright notice,
# this list of conditions and the following disclaimer.
#
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
# IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
# TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR
# CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
# EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
# PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
# LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
# NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
"""Serializer abstraction module
This module introduces a simple abstraction over the serialization
backend (currently json).
"""
# pylint: disable=C0103
# C0103: Invalid name, since pylint doesn't see that Dump points to a
# function and not a constant
import re
# Python 2.6 and above contain a JSON module based on simplejson. Unfortunately
# the standard library version is significantly slower than the external
# module. While it should be better from at least Python 3.2 on (see Python
# issue 7451), for now Ganeti needs to work well with older Python versions
# too.
import simplejson
from ganeti import errors
from ganeti import utils
from ganeti import constants
_RE_EOLSP = re.compile("[ \t]+$", re.MULTILINE)
def DumpJson(data, private_encoder=None):
"""Serialize a given object.
@param data: the data to serialize
@return: the string representation of data
@param private_encoder: specify L{serializer.EncodeWithPrivateFields} if you
require the produced JSON to also contain private
parameters. Otherwise, they will encode to null.
"""
if private_encoder is None:
# Do not leak private fields by default.
private_encoder = EncodeWithoutPrivateFields
encoded = simplejson.dumps(data, default=private_encoder)
txt = _RE_EOLSP.sub("", encoded)
if not txt.endswith("\n"):
txt += "\n"
return txt
def LoadJson(txt):
"""Unserialize data from a string.
@param txt: the json-encoded form
@return: the original data
@raise JSONDecodeError: if L{txt} is not a valid JSON document
"""
values = simplejson.loads(txt)
# Hunt and seek for Private fields and wrap them.
WrapPrivateValues(values)
return values
def WrapPrivateValues(json):
"""Crawl a JSON decoded structure for private values and wrap them.
@param json: the json-decoded value to protect.
"""
# This function used to be recursive. I use this list to avoid actual
# recursion, however, since this is a very high-traffic area.
todo = [json]
while todo:
data = todo.pop()
if isinstance(data, list): # Array
for item in data:
todo.append(item)
elif isinstance(data, dict): # Object
# This is kind of a kludge, but the only place where we know what should
# be protected is in ganeti.opcodes, and not in a way that is helpful to
# us, especially in such a high traffic method; on the other hand, the
# Haskell `py_compat_fields` test should complain whenever this check
# does not protect fields properly.
for field in data:
value = data[field]
if field in constants.PRIVATE_PARAMETERS_BLACKLIST:
if not field.endswith("_cluster"):
data[field] = PrivateDict(value)
elif data[field] is not None:
for os in data[field]:
value[os] = PrivateDict(value[os])
else:
todo.append(value)
else: # Values
pass
def DumpSignedJson(data, key, salt=None, key_selector=None,
private_encoder=None):
"""Serialize a given object and authenticate it.
@param data: the data to serialize
@param key: shared hmac key
@param key_selector: name/id that identifies the key (in case there are
multiple keys in use, e.g. in a multi-cluster environment)
@param private_encoder: see L{DumpJson}
@return: the string representation of data signed by the hmac key
"""
txt = DumpJson(data, private_encoder=private_encoder)
if salt is None:
salt = ""
signed_dict = {
"msg": txt,
"salt": salt,
}
if key_selector:
signed_dict["key_selector"] = key_selector
else:
key_selector = ""
signed_dict["hmac"] = utils.Sha1Hmac(key, txt, salt=salt + key_selector)
return DumpJson(signed_dict)
def LoadSignedJson(txt, key):
"""Verify that a given message was signed with the given key, and load it.
@param txt: json-encoded hmac-signed message
@param key: the shared hmac key or a callable taking one argument (the key
selector), which returns the hmac key belonging to the key selector.
Typical usage is to pass a reference to the get method of a dict.
@rtype: tuple of original data, string
@return: original data, salt
@raises errors.SignatureError: if the message signature doesn't verify
"""
signed_dict = LoadJson(txt)
WrapPrivateValues(signed_dict)
if not isinstance(signed_dict, dict):
raise errors.SignatureError("Invalid external message")
try:
msg = signed_dict["msg"]
salt = signed_dict["salt"]
hmac_sign = signed_dict["hmac"]
except KeyError:
raise errors.SignatureError("Invalid external message")
if callable(key):
# pylint: disable=E1103
key_selector = signed_dict.get("key_selector", None)
hmac_key = key(key_selector)
if not hmac_key:
raise errors.SignatureError("No key with key selector '%s' found" %
key_selector)
else:
key_selector = ""
hmac_key = key
if not utils.VerifySha1Hmac(hmac_key, msg, hmac_sign,
salt=salt + key_selector):
raise errors.SignatureError("Invalid Signature")
return LoadJson(msg), salt
def LoadAndVerifyJson(raw, verify_fn):
"""Parses and verifies JSON data.
@type raw: string
@param raw: Input data in JSON format
@type verify_fn: callable
@param verify_fn: Verification function, usually from L{ht}
@return: De-serialized data
"""
try:
data = LoadJson(raw)
except Exception, err:
raise errors.ParseError("Can't parse input data: %s" % err)
if not verify_fn(data):
raise errors.ParseError("Data does not match expected format: %s" %
verify_fn)
return data
Dump = DumpJson
Load = LoadJson
DumpSigned = DumpSignedJson
LoadSigned = LoadSignedJson
class Private(object):
"""Wrap a value so it is hard to leak it accidentally.
>>> x = Private("foo")
>>> print "Value: %s" % x
Value: <redacted>
>>> print "Value: {0}".format(x)
Value: <redacted>
>>> x.upper() == "FOO"
True
"""
def __init__(self, item, descr="redacted"):
if isinstance(item, Private):
raise ValueError("Attempted to nest Private values.")
self._item = item
self._descr = descr
def Get(self):
"Return the wrapped value."
return self._item
def __str__(self):
return "<%s>" % (self._descr, )
def __repr__(self):
return "Private(?, descr=%r)" % (self._descr, )
# pylint: disable=W0212
# If it doesn't access _item directly, the call will go through __getattr__
# because this class defines __slots__ and "item" is not in it.
# OTOH, if we do add it there, we'd risk shadowing an "item" attribute.
def __eq__(self, other):
if isinstance(other, Private):
return self._item == other._item
else:
return self._item == other
def __hash__(self):
return hash(self._item)
def __format__(self, *_1, **_2):
return self.__str__()
def __getattr__(self, attr):
return Private(getattr(self._item, attr),
descr="%s.%s" % (self._descr, attr))
def __call__(self, *args, **kwargs):
return Private(self._item(*args, **kwargs),
descr="%s()" % (self._descr, ))
# pylint: disable=R0201
# While this could get away with being a function, it needs to be a method.
# Required by the copy.deepcopy function used by FillDict.
def __getnewargs__(self):
return tuple()
def __nonzero__(self):
return bool(self._item)
# Get in the way of Pickle by implementing __slots__ but not __getstate__
# ...and get a performance boost, too.
__slots__ = ["_item", "_descr"]
class PrivateDict(dict):
"""A dictionary that turns its values to private fields.
>>> PrivateDict()
{}
>>> supersekkrit = PrivateDict({"password": "foobar"})
>>> print supersekkrit["password"]
<password>
>>> supersekkrit["password"].Get()
'foobar'
>>> supersekkrit.GetPrivate("password")
'foobar'
>>> supersekkrit["user"] = "eggspam"
>>> supersekkrit.Unprivate()
{'password': 'foobar', 'user': 'eggspam'}
"""
def __init__(self, data=None):
dict.__init__(self)
self.update(data)
def __setitem__(self, item, value):
if not isinstance(value, Private):
if not isinstance(item, dict):
value = Private(value, descr=item)
else:
value = PrivateDict(value)
dict.__setitem__(self, item, value)
# The actual conversion to Private containers is done by __setitem__
# copied straight from cpython/Lib/UserDict.py
# Copyright (c) 2001-2014 Python Software Foundation; All Rights Reserved
def update(self, other=None, **kwargs):
# Make progressively weaker assumptions about "other"
if other is None:
pass
elif hasattr(other, 'iteritems'): # iteritems saves memory and lookups
for k, v in other.iteritems():
self[k] = v
elif hasattr(other, 'keys'):
for k in other.keys():
self[k] = other[k]
else:
for k, v in other:
self[k] = v
if kwargs:
self.update(kwargs)
def GetPrivate(self, *args):
"""Like dict.get, but extracting the value in the process.
Arguments are semantically equivalent to ``dict.get``
>>> PrivateDict({"foo": "bar"}).GetPrivate("foo")
'bar'
>>> PrivateDict({"foo": "bar"}).GetPrivate("baz", "spam")
'spam'
"""
if len(args) == 1:
key, = args
return self[key].Get()
elif len(args) == 2:
key, default = args
if key not in self:
return default
else:
return self[key].Get()
else:
raise TypeError("GetPrivate() takes 2 arguments (%d given)" % len(args))
def Unprivate(self):
"""Turn this dict of Private() values to a dict of values.
>>> PrivateDict({"foo": "bar"}).Unprivate()
{'foo': 'bar'}
@rtype: dict
"""
returndict = {}
for key in self:
returndict[key] = self[key].Get()
return returndict
def EncodeWithoutPrivateFields(obj):
if isinstance(obj, Private):
return None
raise TypeError(repr(obj) + " is not JSON serializable")
def EncodeWithPrivateFields(obj):
if isinstance(obj, Private):
return obj.Get()
raise TypeError(repr(obj) + " is not JSON serializable")