# HG changeset patch # User toml@xxxxxxxxxxxxxxxxxxxxx # Node ID db5feb4ccc139017454bab0200ebbda988ef033f # Parent bdcb115c667a12a5514517456639142c1273b0f1 Addition of the xensec_gen tool, a web-based tool to aid in the creation/generation of security policy files for the Xen ACM security architecture. diff -r bdcb115c667a -r db5feb4ccc13 tools/security/Makefile --- a/tools/security/Makefile Sat Dec 10 23:20:08 2005 +++ b/tools/security/Makefile Mon Dec 12 19:10:23 2005 @@ -35,7 +35,7 @@ SRCS_GETD = get_decision.c OBJS_GETD := $(patsubst %.c,%.o,$(filter %.c,$(SRCS_GETD))) -ACM_INST_TOOLS = xensec_tool xensec_xml2bin +ACM_INST_TOOLS = xensec_tool xensec_xml2bin xensec_gen ACM_NOINST_TOOLS = get_decision ACM_OBJS = $(OBJS_TOOL) $(OBJS_XML2BIN) $(OBJS_GETD) ACM_SCRIPTS = getlabel.sh setlabel.sh updategrub.sh labelfuncs.sh @@ -43,6 +43,12 @@ ACM_CONFIG_DIR = /etc/xen/acm-security ACM_POLICY_DIR = $(ACM_CONFIG_DIR)/policies ACM_SCRIPT_DIR = $(ACM_CONFIG_DIR)/scripts + +ACM_INST_HTML = python/xensec_gen/index.html +ACM_INST_CGI = python/xensec_gen/cgi-bin/policy.cgi \ + python/xensec_gen/cgi-bin/policylabel.cgi +ACM_SECGEN_HTMLDIR= /var/lib/xensec_gen +ACM_SECGEN_CGIDIR = $(ACM_SECGEN_HTMLDIR)/cgi-bin ACM_SCHEMA = security_policy.xsd ACM_EXAMPLES = null chwall ste chwall_ste @@ -65,6 +71,15 @@ done $(INSTALL_DIR) -p $(DESTDIR)$(ACM_SCRIPT_DIR) $(INSTALL_PROG) -p $(ACM_SCRIPTS) $(DESTDIR)$(ACM_SCRIPT_DIR) + $(INSTALL_DIR) -p $(DESTDIR)$(ACM_SECGEN_HTMLDIR) + $(INSTALL_DATA) -p $(ACM_INST_HTML) $(DESTDIR)$(ACM_SECGEN_HTMLDIR) + $(INSTALL_DIR) -p $(DESTDIR)$(ACM_SECGEN_CGIDIR) + $(INSTALL_PROG) -p $(ACM_INST_CGI) $(DESTDIR)$(ACM_SECGEN_CGIDIR) +ifndef XEN_PYTHON_NATIVE_INSTALL + python python/setup.py install --home="$(DESTDIR)/usr" +else + python python/setup.py install --root="$(DESTDIR)" +endif else all: 
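Review bot: The install recipe added at the end of the third hunk invokes a bare `python` for `python/setup.py install`, while every other step in the same recipe goes through a Makefile variable (`$(INSTALL_DIR)`, `$(INSTALL_PROG)`, `$(INSTALL_DATA)`), so the interpreter cannot be overridden from the command line and the install picks up whatever `python` is first on PATH. If the tree already defines a `PYTHON` variable, use `$(PYTHON) python/setup.py install …` in both branches of the `ifndef XEN_PYTHON_NATIVE_INSTALL` conditional; otherwise add `PYTHON ?= python` next to the other ACM_* variables. The enclosing install rule starts outside the hunk (only its trailing `done` and two INSTALL lines are visible as context). A one-line comment above `ACM_SECGEN_HTMLDIR= /var/lib/xensec_gen` saying that this directory and its `cgi-bin` subdirectory are what the xensec_gen web server presumably serves would help whoever later reviews its ownership and permissions.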
@@ -72,22 +87,27 @@ endif build: mk-symlinks $(ACM_INST_TOOLS) $(ACM_NOINST_TOOLS) + python python/setup.py build chmod 700 $(ACM_SCRIPTS) xensec_tool: $(OBJS_TOOL) - $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $< + $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $^ xensec_xml2bin: $(OBJS_XML2BIN) - $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $< + $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $^ get_decision: $(OBJS_GETD) - $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $< + $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $^ + +xensec_gen: xensec_gen.py + cp -f $^ $@ clean: $(RM) $(ACM_INST_TOOLS) $(ACM_NOINST_TOOLS) $(RM) $(ACM_OBJS) $(RM) $(PROG_DEPS) $(RM) -r xen + $(RM) -r build mrproper: clean diff -r bdcb115c667a -r db5feb4ccc13 tools/security/example.txt --- a/tools/security/example.txt Sat Dec 10 23:20:08 2005 +++ b/tools/security/example.txt Mon Dec 12 19:10:23 2005 
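Review bot: The new `xensec_gen: xensec_gen.py` rule copies the script with `cp -f $^ $@`, so the resulting tool is executable only if `xensec_gen.py` already carries the execute bit in the repository, something the Makefile does not control; make the mode explicit, e.g. `cp -f $< $@ && chmod +x $@` (`$<` is the idiomatic form for a single prerequisite, whereas the three `$<` to `$^` changes on the link lines above are correct for multi-object links). If the later install step goes through `$(INSTALL_PROG)` the installed copy gets a fixed mode there, but running `./xensec_gen` from the build tree still depends on the source's bit. `build` now also runs `python python/setup.py build` with a hard-coded interpreter, the same point as in the install hunk; go through `$(PYTHON)` if the tree defines one. The `$(RM) -r build` added to `clean` matches the distutils default build directory, so that part is consistent.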
@@ -271,3 +271,112 @@ If you keep to the security policy schema, then you can use all the tools described above. Refer to install.txt to install it. + +You can hand-edit the xml files to create your policy or you can use the +xensec_gen utility. + + +5. Generating policy files using xensec_gen: +============================================ + +The xensec_gen utility starts a web-server that can be used to generate the +XML policy files needed to create a policy. + +By default, xensec_gen runs as a daemon and listens on port 7777 for HTTP +requests. The xensec_gen command supports command line options to change the +listen port, run in the foreground, and a few others. Type 'xensec_gen -h' +to see the full list of options available. + +Once the xensec_gen utility is running, point a browser at the host and port +on which the utility is running (e.g. http://localhost:7777/). You will be +presented with a web page that allows you to create or modify the XML policy +files: + + - The Security Policy section allows you to create or modify a policy + definition file + + - The Security Policy Labeling section allows you to create or modify a + label template definition file + + Security Policy: + ---------------- + The Security Policy section allows you to modify an existing policy definition + file or create a new policy definition file. To modify an existing policy + definition, enter the full path to the existing file (the "Browse" button can + be used to aid in this) in the Policy File entry field. To create a new + policy definition file leave the Policy File entry field blank. At this point + click the "Create" button to begin modifying or creating your policy definition. + + You will then be presented with a web page that will allow you to create either + Simple Type Enforcement types or Chinese Wall types or both. 
+ + As an example: + - To add a Simple Type Enforcement type: + - Enter the name of a new type under the Simple Type Enforcement Types + section in the entry field above the "New" button. + - Click the "New" button and the type will be added to the list of defined + Simple Type Enforcement types. + - To remove a Simple Type Enforcement type: + - Click on the type to be removed in the list of defined Simple Type + Enforcement types. + - Click the "Delete" button to remove the type. + + Follow the same process to add Chinese Wall types. If you define Chinese Wall + types you need to define at least one Chinese Wall Conflict Set. The Chinese + Wall Conflict Set will allow you to add Chinese Wall types from the list of + defined Chinese Wall types. + + To create your policy definition file, click on the "Generate XML" button on + the top of the page. This will present you with a dialog box to save the + generated XML file on your system. The default name will be security_policy.xml + which you should change to follow the policy file naming conventions based on + the policy name that you choose to use. + + To get a feel for the tool, you could use one of the example policy definition + files from /etc/xen/acm-security/policies as input. + + + Security Policy Labeling: + ------------------------- + The Security Policy Labeling section allows you to modify an existing label + template definition file or create a new label template definition file. To + modify an existing label template definition, enter the full path to the + existing file (the "Browse" button can be used to aid in this) in the Policy + Labeling File entry field. Whether creating a new label template definition + file or modifying an existing one, you will need to specify the policy + definition file that is or will be associated with this label template + definition file. At this point click the "Create" button to begin modifying + or creating your label template definition file. 
+ + You will then be presented with a web page that will allow you to create labels + for classes of virtual machines. The input policy definition file will provide + the available types (Simple Type Enforcement and/or Chinese Wall) that can be + assigned to a virtual machine class. + + As an example: + - To add a Virtual Machine class (the name entered will become the label + that will be used to identify the class): + - Enter the name of a new class under the Virtual Machine Classes section + in the entry field above the "New" button. + - Click the "New" button and the class will be added to the table of defined + Virtual Machine classes. + - To remove a Virtual Machine class: + - Click the "Delete" link associated with the class in the table of Virtual + Machine classes. + + Once you have defined one or more Virtual Machine classes, you will be able to + add any of the defined Simple Type Enforcement types or Chinese Wall types to a + particular Virtual Machine. + + You must also define which Virtual Machine class is to be associated with the + bootstrap domain (or Dom0 domain). By default, the first Virtual Machine class + created will be associated as the bootstrap domain. + + To create your label template definition file, click on the "Generate XML" button + on the top of the page. This will present you with a dialog box to save the + generated XML file on your system. The default name will be + security_label_template.xml which you should change to follow the policy file + naming conventions based on the policy name that you choose to use. + + To get a feel for the tool, you could use one of the example policy definition + and label template definition files from /etc/xen/acm-security/policies as input. diff -r bdcb115c667a -r db5feb4ccc13 tools/security/python/setup.py --- /dev/null Sat Dec 10 23:20:08 2005 +++ b/tools/security/python/setup.py Mon Dec 12 19:10:23 2005 
@@ -0,0 +1,30 @@ +#!/usr/bin/python +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, +# or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# + +from distutils.core import setup +import os + +# This setup script is invoked from the parent directory, so base +# everything as if executing from there. +XEN_ROOT = "../.." + +setup(name = 'xensec_gen', + version = '3.0', + description = 'Xen XML Security Policy Generator', + package_dir = { 'xen' : 'python' }, + packages = ['xen.xensec_gen'], + ) diff -r bdcb115c667a -r db5feb4ccc13 tools/security/python/xensec_gen/cgi-bin/policy.cgi --- /dev/null Sat Dec 10 23:20:08 2005 +++ b/tools/security/python/xensec_gen/cgi-bin/policy.cgi Mon Dec 12 19:10:23 2005 
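Review bot: `XEN_ROOT = "../.."` and `import os` near the top of the new setup.py are never used, so they read as leftovers from a template; either drop both or use `XEN_ROOT` where the comment says paths are based. The header comment says the script is invoked from the parent directory, which matches the Makefile's `python python/setup.py build` run from tools/security and the relative `package_dir = { 'xen' : 'python' }`; stating that coupling right next to `package_dir`, e.g. `# 'python' is relative to tools/security, where the Makefile runs this script`, keeps the two in sync when one of them moves.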
@@ -0,0 +1,1325 @@ +#!/usr/bin/python +# +# The Initial Developer of the Original Code is International +# Business Machines Corporation. Portions created by IBM +# Corporation are Copyright (C) 2005 International Business +# Machines Corporation. All Rights Reserved. +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, +# or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# + +import os +import cgi +import cgitb; cgitb.enable( ) +import time +import xml.dom.minidom +import xml.sax +import xml.sax.handler +from StringIO import StringIO +from sets import Set + +def getSavedData( ): + global formData, policyXml, formVariables, formCSNames + global templateCSMTypes, templateCSMDel, templateCSMType, templateCSMAdd + global allCSMTypes + + # Process the XML upload policy file + if formData.has_key( 'i_policy' ): + dataList = formData.getlist( 'i_policy' ) + if len( dataList ) > 0: + policyXml = dataList[0] + + # Process all the hidden input variables (if present) + for formVar in formVariables: + if formVar[2] == '': + continue + + if formData.has_key( formVar[2] ): + dataList = formData.getlist( formVar[2] ) + if len( dataList ) > 0: + if isinstance( formVar[1], list ): + exec 'formVar[1] = ' + dataList[0] + else: + formVar[1] = dataList[0] + + # The form can contain any number of "Conflict Sets" + # so update the list of form variables to include + # each conflict set 
(hidden input variable) + for csName in formCSNames[1]: + newCS( csName ) + if formData.has_key( allCSMTypes[csName][2] ): + dataList = formData.getlist( allCSMTypes[csName][2] ) + if len( dataList ) > 0: + exec 'allCSMTypes[csName][1] = ' + dataList[0] + +def getCurrentTime( ): + return time.strftime( '%Y-%m-%d %H:%M:%S', time.localtime( ) ) + +def getName( domNode ): + nameNodes = domNode.getElementsByTagName( 'Name' ) + if len( nameNodes ) == 0: + formatXmlError( '"" tag is missing' ) + return None + + name = '' + for childNode in nameNodes[0].childNodes: + if childNode.nodeType == xml.dom.Node.TEXT_NODE: + name = name + childNode.data + + return name + +def getDate( domNode ): + dateNodes = domNode.getElementsByTagName( 'Date' ) + if len( dateNodes ) == 0: + formatXmlError( '"" tag is missing' ) + return None + + date = '' + for childNode in dateNodes[0].childNodes: + if childNode.nodeType == xml.dom.Node.TEXT_NODE: + date = date + childNode.data + + return date + +def getSteTypes( domNode, missingIsError = 0 ): + steNodes = domNode.getElementsByTagName( 'SimpleTypeEnforcementTypes' ) + if len( steNodes ) == 0: + if missingIsError == 1: + formatXmlError( '"" tag is missing' ) + return None + else: + return [] + + return getTypes( steNodes[0] ) + +def getChWTypes( domNode, missingIsError = 0 ): + chwNodes = domNode.getElementsByTagName( 'ChineseWallTypes' ) + if len( chwNodes ) == 0: + if missingIsError == 1: + formatXmlError( '"" tag is missing' ) + return None + else: + return [] + + return getTypes( chwNodes[0] ) + +def getTypes( domNode ): + types = [] + + domNodes = domNode.getElementsByTagName( 'Type' ) + if len( domNodes ) == 0: + formatXmlError( '"" tag is missing' ) + return None + + for domNode in domNodes: + typeText = '' + for childNode in domNode.childNodes: + if childNode.nodeType == xml.dom.Node.TEXT_NODE: + typeText = typeText + childNode.data + + if typeText == '': + formatXmlError( 'No text associated with the "" tag' ) + return None + + 
types.append( typeText ) + + return types + +def formatXmlError( msg, xml = '', lineNum = -1, colNum = -1 ): + global xmlMessages, xmlError + + xmlError = 1 + addMsg = cgi.escape( msg ) + + if lineNum != -1: + sio = StringIO( xml ) + for xmlLine in sio: + lineNum = lineNum - 1 + if lineNum == 0: + break; + + addMsg += '
' + cgi.escape( xmlLine.rstrip( ) )
+
+		if colNum != -1:
+			errLine = ''
+			for i in range( colNum ):
+				errLine = errLine + '-'
+
+			addMsg += '\n' + errLine + '^'
+
+		addMsg += '
' + + xmlMessages.append( addMsg ) + +def formatXmlGenError( msg ): + global xmlMessages, xmlIncomplete + + xmlIncomplete = 1 + xmlMessages.append( cgi.escape( msg ) ) + +def parseXml( xmlInput ): + global xmlMessages, xmlError, xmlLine, xmlColumn + + xmlParser = xml.sax.make_parser( ) + try: + domDoc = xml.dom.minidom.parseString( xmlInput, xmlParser ) + + except xml.sax.SAXParseException, xmlErr: + msg = '' + msg = msg + 'XML parsing error occurred at line ' + msg = msg + `xmlErr.getLineNumber( )` + msg = msg + ', column ' + msg = msg + `xmlErr.getColumnNumber( )` + msg = msg + ': reason = "' + msg = msg + xmlErr.getMessage( ) + msg = msg + '"' + formatXmlError( msg, xmlInput, xmlErr.getLineNumber( ), xmlErr.getColumnNumber( ) ) + return None + + except xml.sax.SAXException, xmlErr: + msg = '' + msg = msg + 'XML Parsing error: ' + `xmlErr` + formatXmlError( msg, xmlInput, xmlErr.getLineNumber( ), xmlErr.getColumnNumber( ) ) + return None + + return domDoc + +def parsePolicyXml( ): + global policyXml + global formPolicyName, formPolicyDate, formPolicyOrder + global formSteTypes, formChWallTypes + global allCSMTypes + + domDoc = parseXml( policyXml ) + if domDoc == None: + return + + domRoot = domDoc.documentElement + domHeaders = domRoot.getElementsByTagName( 'PolicyHeader' ) + if len( domHeaders ) == 0: + msg = '' + msg = msg + '"" tag is missing.\n' + msg = msg + 'Please validate the Policy file used.' + formatXmlError( msg ) + return + + pName = getName( domHeaders[0] ) + if pName == None: + msg = '' + msg = msg + 'Error processing the Policy header information.\n' + msg = msg + 'Please validate the Policy file used.' + formatXmlError( msg ) + return + + formPolicyName[1] = pName + + pDate = getDate( domHeaders[0] ) + if pDate == None: + msg = '' + msg = msg + 'Error processing the Policy header information.\n' + msg = msg + 'Please validate the Policy file used.' 
+ formatXmlError( msg ) + return + + formPolicyDate[1] = pDate + + pOrder = '' + domStes = domRoot.getElementsByTagName( 'SimpleTypeEnforcement' ) + if len( domStes ) > 0: + if domStes[0].hasAttribute( 'priority' ): + if domStes[0].getAttribute( 'priority' ) != 'PrimaryPolicyComponent': + msg = '' + msg = msg + 'Error processing the "" tag.\n' + msg = msg + 'The "priority" attribute value is not valid.\n' + msg = msg + 'Please validate the Policy file used.' + formatXmlError( msg ) + return + + pOrder = 'v_Ste' + + steTypes = getSteTypes( domStes[0], 1 ) + if steTypes == None: + msg = '' + msg = msg + 'Error processing the SimpleTypeEnforcement types.\n' + msg = msg + 'Please validate the Policy file used.' + formatXmlError( msg ) + return + + formSteTypes[1] = steTypes + + domChWalls = domRoot.getElementsByTagName( 'ChineseWall' ) + if len( domChWalls ) > 0: + if domChWalls[0].hasAttribute( 'priority' ): + if domChWalls[0].getAttribute( 'priority' ) != 'PrimaryPolicyComponent': + msg = '' + msg = msg + 'Error processing the "" tag.\n' + msg = msg + 'The "priority" attribute value is not valid.\n' + msg = msg + 'Please validate the Policy file used.' + formatXmlError( msg ) + return + + if pOrder != '': + msg = '' + msg = msg + 'Error processing the "" tag.\n' + msg = msg + 'The "priority" attribute has been previously specified.\n' + msg = msg + 'Please validate the Policy file used.' + formatXmlError( msg ) + return + + pOrder = 'v_ChWall' + + chwTypes = getChWTypes( domChWalls[0], 1 ) + if chwTypes == None: + msg = '' + msg = msg + 'Error processing the ChineseWall types.\n' + msg = msg + 'Please validate the Policy file used.' + formatXmlError( msg ) + return + + formChWallTypes[1] = chwTypes + + csNodes = domChWalls[0].getElementsByTagName( 'ConflictSets' ) + if len( csNodes ) == 0: + msg = '' + msg = msg + 'Required "" tag missing.\n' + msg = msg + 'Please validate the Policy file used.' 
+ formatXmlError( msg ) + return + + cNodes = csNodes[0].getElementsByTagName( 'Conflict' ) + if len( cNodes ) == 0: + msg = '' + msg = msg + 'Required "" tag missing.\n' + msg = msg + 'Please validate the Policy file used.' + formatXmlError( msg ) + return + + for cNode in cNodes: + csName = cNode.getAttribute( 'name' ) + newCS( csName, 1 ) + + csMemberList = getTypes( cNode ) + if csMemberList == None: + msg = '' + msg = msg + 'Error processing the Conflict Set members.\n' + msg = msg + 'Please validate the Policy file used.' + formatXmlError( msg ) + return + + # Verify the conflict set members are valid types + ctSet = Set( formChWallTypes[1] ) + csSet = Set( csMemberList ) + if not csSet.issubset( ctSet ): + msg = '' + msg = msg + 'Error processing Conflict Set "' + csName + '".\n' + msg = msg + 'Members of the conflict set are not valid ' + msg = msg + 'Chinese Wall types.\n' + msg = msg + 'Please validate the Policy file used.' + formatXmlError( msg ) + + allCSMTypes[csName][1] = csMemberList + + if pOrder != '': + formPolicyOrder[1] = pOrder + else: + if (len( domStes ) > 0) or (len( domChWalls ) > 0): + msg = '' + msg = msg + 'The "priority" attribute has not been specified.\n' + msg = msg + 'It must be specified on one of the access control types.\n' + msg = msg + 'Please validate the Policy file used.' 
+ formatXmlError( msg ) + return + +def modFormTemplate( formTemplate, suffix ): + formVar = [x for x in formTemplate] + + if formVar[2] != '': + formVar[2] = formVar[2] + suffix + if formVar[3] != '': + formVar[3] = formVar[3] + suffix + if (formVar[0] != 'button') and (formVar[4] != ''): + formVar[4] = formVar[4] + suffix + + return formVar; + +def removeDups( curList ): + newList = [] + curSet = Set( curList ) + for x in curSet: + newList.append( x ) + newList.sort( ) + + return newList + +def newCS( csName, addToList = 0 ): + global formCSNames + global templateCSDel, allCSDel + global templateCSMTypes, templateCSMDel, templateCSMType, templateCSMAdd + global allCSMTypes, allCSMDel, allCSMType, allCSMAdd + + csSuffix = '_' + csName + + # Make sure we have an actual name and check one of the 'all' + # variables to be sure it hasn't been previously defined + if (len( csName ) > 0) and (not allCSMTypes.has_key( csName )): + allCSDel[csName] = modFormTemplate( templateCSDel, csSuffix ) + allCSMTypes[csName] = modFormTemplate( templateCSMTypes, csSuffix ) + allCSMDel[csName] = modFormTemplate( templateCSMDel, csSuffix ) + allCSMType[csName] = modFormTemplate( templateCSMType, csSuffix ) + allCSMAdd[csName] = modFormTemplate( templateCSMAdd, csSuffix ) + if addToList == 1: + formCSNames[1].append( csName ) + formCSNames[1] = removeDups( formCSNames[1] ) + +def updateInfo( ): + global formData, formPolicyName, formPolicyDate, formPolicyOrder + + if formData.has_key( formPolicyName[3] ): + formPolicyName[1] = formData[formPolicyName[3]].value + elif formData.has_key( formPolicyUpdate[3] ): + formPolicyName[1] = '' + + if formData.has_key( formPolicyDate[3] ): + formPolicyDate[1] = formData[formPolicyDate[3]].value + elif formData.has_key( formPolicyUpdate[3] ): + formPolicyDate[1] = '' + + if formData.has_key( formPolicyOrder[3] ): + formPolicyOrder[1] = formData[formPolicyOrder[3]].value + +def addSteType( ): + global formData, formSteType, formSteTypes + + if 
(formData.has_key( formDefaultButton[3] )) or (formData.has_key( formSteAdd[3] )): + if formData.has_key( formSteType[3] ): + type = formData[formSteType[3]].value + type = type.strip( ) + if len( type ) > 0: + formSteTypes[1].append( type ) + formSteTypes[1] = removeDups( formSteTypes[1] ) + + +def delSteType( ): + global formData, formSteTypes + + if formData.has_key( formSteTypes[3] ): + typeList = formData.getlist( formSteTypes[3] ) + for type in typeList: + type = type.strip( ) + formSteTypes[1].remove( type ) + +def addChWallType( ): + global formData, formChWallType, formChWallTypes + + if (formData.has_key( formDefaultButton[3] )) or (formData.has_key( formChWallAdd[3] )): + if formData.has_key( formChWallType[3] ): + type = formData[formChWallType[3]].value + type = type.strip( ) + if len( type ) > 0: + formChWallTypes[1].append( type ) + formChWallTypes[1] = removeDups( formChWallTypes[1] ) + +def delChWallType( ): + global formData, formChWallTypes + + if formData.has_key( formChWallTypes[3] ): + typeList = formData.getlist( formChWallTypes[3] ) + for type in typeList: + type = type.strip( ) + formChWallTypes[1].remove( type ) + +def addCS( ): + global formData, formCSNames + + if (formData.has_key( formDefaultButton[3] )) or (formData.has_key( formCSAdd[3] )): + if formData.has_key( formCSName[3] ): + csName = formData[formCSName[3]].value + csName = csName.strip( ) + newCS( csName, 1 ) + +def delCS( csName ): + global formData, formCSNames, allCSDel + global allCSMTypes, allCSMDel, allCSMType, allCSMAdd + + csName = csName.strip( ) + formCSNames[1].remove( csName ) + del allCSDel[csName] + del allCSMTypes[csName] + del allCSMDel[csName] + del allCSMType[csName] + del allCSMAdd[csName] + +def addCSMember( csName ): + global formData, allCSMType, allCSMTypes + + formVar = allCSMType[csName] + if formData.has_key( formVar[3] ): + csmList = formData.getlist( formVar[3] ) + formVar = allCSMTypes[csName] + for csm in csmList: + csm = csm.strip( ) + 
formVar[1].append( csm ) + formVar[1] = removeDups( formVar[1] ) + +def delCSMember( csName ): + global formData, allCSMTypes + + formVar = allCSMTypes[csName] + if formData.has_key( formVar[3] ): + csmList = formData.getlist( formVar[3] ) + for csm in csmList: + csm = csm.strip( ) + formVar[1].remove( csm ) + +def processRequest( ): + global policyXml + global formData, formPolicyUpdate + global formSteAdd, formSteDel + global formChWallAdd, formChWallDel + global formCSAdd, allCSDel + global formCSNames, allCSMAdd, allCSMDel + + if policyXml != '': + parsePolicyXml( ) + + # Allow the updating of the header information whenever + # an action is performed + updateInfo( ) + + # Allow the adding of types/sets if the user has hit the + # enter key when attempting to add a type/set + addSteType( ) + addChWallType( ) + addCS( ) + + if formData.has_key( formSteDel[3] ): + delSteType( ) + + elif formData.has_key( formChWallDel[3] ): + delChWallType( ) + + else: + for csName in formCSNames[1]: + if formData.has_key( allCSDel[csName][3] ): + delCS( csName ) + continue + + if formData.has_key( allCSMAdd[csName][3] ): + addCSMember( csName ) + + elif formData.has_key( allCSMDel[csName][3] ): + delCSMember( csName ) + +def makeName( name, suffix='' ): + rName = name + if suffix != '': + rName = rName + '_' + suffix + + return rName + +def makeNameAttr( name, suffix='' ): + return 'name="' + makeName( name, suffix ) + '"' + +def makeValue( value, suffix='' ): + rValue = value + + if isinstance( value, list ): + rValue = '[' + for val in value: + rValue = rValue + '\'' + val + if suffix != '': + rValue = rValue + '_' + suffix + rValue = rValue + '\',' + rValue = rValue + ']' + + else: + if suffix != '': + rValue = rValue + '_' + suffix + + return rValue + +def makeValueAttr( value, suffix='' ): + return 'value="' + makeValue( value, suffix ) + '"' + +def sendHtmlFormVar( formVar, attrs='' ): + nameAttr = '' + valueAttr = '' + htmlText = '' + + if formVar[0] == 'text': + if 
formVar[3] != '': + nameAttr = makeNameAttr( formVar[3] ) + valueAttr = makeValueAttr( formVar[1] ) + + print '' + + elif formVar[0] == 'list': + if formVar[3] != '': + nameAttr = makeNameAttr( formVar[3] ) + + print '' + for option in formVar[1]: + print '' + print '' + + elif formVar[0] == 'button': + if formVar[3] != '': + nameAttr = makeNameAttr( formVar[3] ) + if formVar[4] != '': + valueAttr = makeValueAttr( formVar[4] ) + + print '' + + elif formVar[0] == 'radiobutton': + if formVar[3] != '': + nameAttr = makeNameAttr( formVar[3] ) + valueAttr = makeValueAttr( formVar[4][rb_select] ) + htmlText = formVar[5][rb_select] + if formVar[4][rb_select] == formVar[1]: + checked = 'checked' + else: + checked = '' + + print '', htmlText + + elif formVar[0] == 'radiobutton-all': + if formVar[3] != '': + nameAttr = makeNameAttr( formVar[3] ) + buttonVals = formVar[4] + buttonTexts = formVar[5] + for i, buttonVal in enumerate( buttonVals ): + htmlText = '' + addAttrs = '' + checked = '' + + valueAttr = makeValueAttr( buttonVal ) + if formVar[5] != '': + htmlText = formVar[5][i] + if attrs != '': + addAttrs = attrs[i] + if buttonVal == formVar[1]: + checked = 'checked' + + print '', htmlText, '
' + + if formVar[2] != '': + nameAttr = makeNameAttr( formVar[2] ) + valueAttr = makeValueAttr( formVar[1] ) + print '' + +def sendHtmlHeaders( ): + # HTML headers + print 'Content-Type: text/html' + print + +def sendPolicyHtml( ): + global xmlError, xmlIncomplete, xmlMessages, formXmlGen + + print '' + + print '' + + sendHtmlHead( ) + + print '' + + # An input XML file was specified that had errors, output the + # error information + if xmlError == 1: + print '

' + print 'An error has been encountered while processing the input ' + print 'XML file:' + print '

    ' + for msg in xmlMessages: + print '
  • ' + print msg + print '
' + print '' + print '' + return + + # When attempting to generate the XML output, all required data was not + # present, output the error information + if xmlIncomplete == 1: + print '

' + print 'An error has been encountered while validating the data' + print 'required for the output XML file:' + print '

    ' + for msg in xmlMessages: + print '
  • ' + print msg + print '
' + print '' + print '' + return + + print '
' + print '
' + print '' + print ' ' + print ' ' + print ' ' + + print ' ' + print ' ' + print ' ' + + # Policy header + print ' ' + print ' ' + print ' ' + + # Separator + print ' ' + + # Policy (types) + print ' ' + print ' ' + print ' ' + + print '
' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print '
' + sendHtmlFormVar( formDefaultButton, 'class="hidden"' ) + print '
' + sendHtmlFormVar( formXmlGen ) + print '
' + print '
' + sendPHeaderHtml( ) + print '

' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print '
' + sendPSteHtml( ) + print '  ' + sendPChWallHtml( ) + print '
' + print '
' + print '
' + print '
' + + print '' + + print '' + +def sendHtmlHead( ): + global headTitle + + print '' + print '' + print '', headTitle, '' + print '' + +def sendPHeaderHtml( ): + global formPolicyName, formPolicyDate, formPolicyOrder, formPolicyUpdate + + # Policy header definition + print '' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print '
Policy Information
Name:' + sendHtmlFormVar( formPolicyName, 'class="full"' ) + print '
Date:' + sendHtmlFormVar( formPolicyDate, 'class="full"' ) + print '
Primary Policy:' + sendHtmlFormVar( formPolicyOrder ) + print '
' + sendHtmlFormVar( formPolicyUpdate ) + print '
' + print ' (The Policy Information is updated whenever an action is performed' + print ' or it can be updated separately using the "Update" button)' + print '
' + +def sendPSteHtml( ): + global formSteTypes, formSteDel, formSteType, formSteAdd + + # Simple Type Enforcement... + print '' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print '
Simple Type Enforcement Types
' + sendHtmlFormVar( formSteTypes, 'class="full" size="4" multiple' ) + print '
' + sendHtmlFormVar( formSteDel, 'class="full"' ) + print ' ' + print ' Delete the type(s) selected above' + print '
' + sendHtmlFormVar( formSteType, 'class="full"' ) + print '
' + sendHtmlFormVar( formSteAdd, 'class="full"' ) + print ' ' + print ' Create a new type with the above name' + print '
' + +def sendPChWallHtml( ): + global formChWallTypes, formChWallDel, formChWallType, formChWallAdd + global formCSNames, formCSName, formCSAdd, allCSDel + global allCSMTypes, allCSMDel, allCSMType, allCSMAdd + + # Chinese Wall... + print '' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + + # Chinese Wall Conflict Sets... + print ' ' + print ' ' + print ' ' + if len( formCSNames[1] ) > 0: + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + for csName in formCSNames[1]: + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + + print '
Chinese Wall Types
' + sendHtmlFormVar( formChWallTypes, 'class="full" size="4" multiple' ) + print '
' + sendHtmlFormVar( formChWallDel, 'class="full"' ) + print ' ' + print ' Delete the type(s) selected above' + print '
' + sendHtmlFormVar( formChWallType, 'class="full"' ) + print '
' + sendHtmlFormVar( formChWallAdd, 'class="full"' ) + print ' ' + print ' Create a new type with the above name' + print '
' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print '

Chinese Wall Conflict Sets
' + sendHtmlFormVar( formCSName, 'class="full"' ) + sendHtmlFormVar( formCSNames ) + print '
' + sendHtmlFormVar( formCSAdd, 'class="full"' ) + print ' ' + print ' Create a new conflict set with the above name' + print '
' + print '
' + print '  ' + print '
' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + for i, csName in enumerate( formCSNames[1] ): + print ' ' + print ' ' + print ' ' + print '
NameActions
' + csName + '' + print ' Edit' + formVar = allCSDel[csName] + sendHtmlFormVar( formVar, 'class="link"' ) + print '
' + print '

Conflict Set: ' + csName + '
' + formVar = allCSMTypes[csName]; + sendHtmlFormVar( formVar, 'class="full" size="4" multiple"' ) + print '
' + formVar = allCSMDel[csName] + sendHtmlFormVar( formVar, 'class="full"' ) + print ' ' + print ' Delete the type(s) selected above' + print '
' + ctSet = Set( formChWallTypes[1] ) + csSet = Set( allCSMTypes[csName][1] ) + formVar = allCSMType[csName] + formVar[1] = [] + for chwallType in ctSet.difference( csSet ): + formVar[1].append( chwallType ) + formVar[1].sort( ) + sendHtmlFormVar( formVar, 'class="full" size="2" multiple' ) + print '
' + formVar = allCSMAdd[csName] + sendHtmlFormVar( formVar, 'class="full"' ) + print ' ' + print ' Add the type(s) selected above' + print '
'
+
+def checkXmlData( ):
+ global xmlIncomplete
+
+ # Validate the Policy Header requirements
+ if ( len( formPolicyName[1] ) > 0 ) or ( len( formPolicyDate[1] ) > 0 ):
+ if ( len( formPolicyName[1] ) == 0 ) or ( len( formPolicyDate[1] ) == 0 ):
+ msg = ''
+ msg = msg + 'The XML policy schema requires that the Policy '
+ msg = msg + 'Information Name and Date fields both have values '
+ msg = msg + 'or both not have values.'
+ formatXmlGenError( msg )
+
+ if formPolicyOrder[1] == 'v_ChWall':
+ if len( formChWallTypes[1] ) == 0:
+ msg = ''
+ msg = msg + 'You have specified the primary policy to be '
+ msg = msg + 'Chinese Wall but have not created any Chinese '
+ msg = msg + 'Wall types. Please create some Chinese Wall '
+ msg = msg + 'types or change the primary policy.'
+ formatXmlGenError( msg )
+
+ if formPolicyOrder[1] == 'v_Ste':
+ if len( formSteTypes[1] ) == 0:
+ msg = ''
+ msg = msg + 'You have specified the primary policy to be '
+ msg = msg + 'Simple Type Enforcement but have not created '
+ msg = msg + 'any Simple Type Enforcement types. Please create '
+ msg = msg + 'some Simple Type Enforcement types or change the '
+ msg = msg + 'primary policy.'
+ formatXmlGenError( msg )
+
+ # Validate the Chinese Wall required data
+ if len( formChWallTypes[1] ) > 0:
+ if len( formCSNames[1] ) == 0:
+ msg = ''
+ msg = msg + 'The XML policy schema for the Chinese Wall '
+ msg = msg + 'requires at least one Conflict Set be defined.'
+ formatXmlGenError( msg )
+
+def sendXmlHeaders( ):
+ # HTML headers
+ print 'Content-Type: text/xml'
+ print 'Content-Disposition: attachment; filename=security_policy.xml'
+ print
+
+def sendPolicyXml( ):
+ print ''
+
+ print ''
+
+ # Policy header
+ sendPHeaderXml( )
+
+ # Policy (types)
+ sendPSteXml( )
+ sendPChWallXml( )
+
+ print ''
+
+def sendPHeaderXml( ):
+ global formPolicyName, formPolicyDate
+
+ # Policy header definition
+ if ( len( formPolicyName[1] ) > 0 ) or ( len( formPolicyDate[1] ) > 0 ):
+ print ''
+ print ' ' + formPolicyName[1] + ''
+ print ' ' + formPolicyDate[1] + ''
+ print ''
+
+def sendPSteXml( ):
+ global formPolicyOrder, formSteTypes
+
+ # Simple Type Enforcement...
+ if len( formSteTypes[1] ) == 0:
+ return
+
+ if formPolicyOrder[1] == 'v_Ste':
+ print ''
+ else:
+ print ''
+
+ print ' '
+ for steType in formSteTypes[1]:
+ print ' ' + steType + ''
+ print ' '
+
+ print ''
+
+def sendPChWallXml( ):
+ global formPolicyOrder, formChWallTypes
+ global formCSNames, allCSMTypes
+
+ # Chinese Wall...
+ if len( formChWallTypes[1] ) == 0:
+ return
+
+ if formPolicyOrder[1] == 'v_ChWall':
+ print ''
+ else:
+ print ''
+
+ print ' '
+ for chWallType in formChWallTypes[1]:
+ print ' ' + chWallType + ''
+ print ' '
+
+ # Chinese Wall Conflict Sets...
+ print ' '
+ for cs in formCSNames[1]:
+ formVar = allCSMTypes[cs]
+ if len( formVar[1] ) == 0:
+ continue
+ print ' '
+ for csm in formVar[1]:
+ print ' ' + csm + ''
+ print ' '
+ print ' '
+
+ print ''
+
+
+# Set up initial HTML variables
+headTitle = 'Xen Policy Generation'
+
+# Form variables
+# The format of these variables is as follows:
+# [ p0, p1, p2, p3, p4, p5 ]
+# p0 = input type
+# p1 = the current value of the variable
+# p2 = the hidden input name attribute
+# p3 = the name attribute
+# p4 = the value attribute
+# p5 = text to associate with the tag
+formPolicyName = [ 'text',
+ '',
+ 'h_policyName',
+ 'i_policyName',
+ '',
+ '',
+ ]
+formPolicyDate = [ 'text',
+ getCurrentTime( ),
+ 'h_policyDate',
+ 'i_policyDate',
+ '',
+ '',
+ ]
+formPolicyOrder = [ 'radiobutton-all',
+ 'v_ChWall',
+ 'h_policyOrder',
+ 'i_policyOrder',
+ [ 'v_Ste', 'v_ChWall' ],
+ [ 'Simple Type Enforcement', 'Chinese Wall' ],
+ ]
+formPolicyUpdate = [ 'button',
+ '',
+ '',
+ 'i_PolicyUpdate',
+ 'Update',
+ '',
+ ]
+
+formSteTypes = [ 'list',
+ [],
+ 'h_steTypes',
+ 'i_steTypes',
+ '',
+ '',
+ ]
+formSteDel = [ 'button',
+ '',
+ '',
+ 'i_steDel',
+ 'Delete',
+ '',
+ ]
+formSteType = [ 'text',
+ '',
+ '',
+ 'i_steType',
+ '',
+ '',
+ ]
+formSteAdd = [ 'button',
+ '',
+ '',
+ 'i_steAdd',
+ 'New',
+ '',
+ ]
+
+formChWallTypes = [ 'list',
+ [],
+ 'h_chwallTypes',
+ 'i_chwallTypes',
+ '',
+ '',
+ ]
+formChWallDel = [ 'button',
+ '',
+ '',
+ 'i_chwallDel',
+ 'Delete',
+ '',
+ ]
+formChWallType = [ 'text',
+ '',
+ '',
+ 'i_chwallType',
+ '',
+ '',
+ ]
+formChWallAdd = [ 'button',
+ '',
+ '',
+ 'i_chwallAdd',
+ 'New',
+ '',
+ ]
+
+formCSNames = [ '',
+ [],
+ 'h_csNames',
+ '',
+ '',
+ '',
+ ]
+formCSName = [ 'text',
+ '',
+ '',
+ 'i_csName',
+ '',
+ '',
+ ]
+formCSAdd = [ 'button',
+ '',
+ '',
+ 'i_csAdd',
+ 'New',
+ '',
+ ]
+
+formXmlGen = [ 'button',
+ '',
+ '',
+ 'i_xmlGen',
+ 'Generate XML',
+ '',
+ ]
+
+formDefaultButton = [ 'button',
+ '',
+ '',
+ 'i_defaultButton',
+ '.',
+ '',
+
]
+
+# This is a set of templates used for each conflict set
+# Each conflict set is initially assigned these templates,
+# then each form attribute value is changed to append
+# "_conflict-set-name" for uniqueness
+templateCSDel = [ 'button',
+ '',
+ '',
+ 'i_csDel',
+ 'Delete',
+ '',
+ ]
+allCSDel = {};
+
+templateCSMTypes = [ 'list',
+ [],
+ 'h_csmTypes',
+ 'i_csmTypes',
+ '',
+ '',
+ ]
+templateCSMDel = [ 'button',
+ '',
+ '',
+ 'i_csmDel',
+ 'Delete',
+ '',
+ ]
+templateCSMType = [ 'list',
+ [],
+ '',
+ 'i_csmType',
+ '',
+ '',
+ ]
+templateCSMAdd = [ 'button',
+ '',
+ '',
+ 'i_csmAdd',
+ 'Add',
+ '',
+ ]
+allCSMTypes = {};
+allCSMDel = {};
+allCSMType = {};
+allCSMAdd = {};
+
+# A list of all form variables used for saving info across requests
+formVariables = [ formPolicyName,
+ formPolicyDate,
+ formPolicyOrder,
+ formSteTypes,
+ formChWallTypes,
+ formCSNames,
+ ]
+
+policyXml = ''
+xmlError = 0
+xmlIncomplete = 0
+xmlMessages = []
+
+
+# Extract any form data
+formData = cgi.FieldStorage( )
+
+# Process the form
+getSavedData( )
+processRequest( )
+
+if formData.has_key( formXmlGen[3] ):
+ # Generate and send the XML file
+ checkXmlData( )
+
+ if xmlIncomplete == 0:
+ sendXmlHeaders( )
+ sendPolicyXml( )
+
+if (not formData.has_key( formXmlGen[3] )) or (xmlIncomplete == 1 ):
+ # Send HTML to continue processing the form
+ sendHtmlHeaders( )
+ sendPolicyHtml( )
diff -r bdcb115c667a -r db5feb4ccc13 tools/security/python/xensec_gen/cgi-bin/policylabel.cgi
--- /dev/null Sat Dec 10 23:20:08 2005
+++ b/tools/security/python/xensec_gen/cgi-bin/policylabel.cgi Mon Dec 12 19:10:23 2005
@@ -0,0 +1,1396 @@
+#!/usr/bin/python
+#
+# The Initial Developer of the Original Code is International
+# Business Machines Corporation. Portions created by IBM
+# Corporation are Copyright (C) 2005 International Business
+# Machines Corporation. All Rights Reserved.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License,
+# or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#
+
+import os
+import cgi
+import cgitb; cgitb.enable( )
+import time
+import xml.dom.minidom
+import xml.sax
+import xml.sax.handler
+from StringIO import StringIO
+from sets import Set
+
+def getSavedData( ):
+ global formData, policyXml, policyLabelXml
+ global formVariables, formVmNames
+ global allVmChWs, allVmStes
+
+ # Process the XML upload policy file
+ if formData.has_key( 'i_policy' ):
+ dataList = formData.getlist( 'i_policy' )
+ if len( dataList ) > 0:
+ policyXml = dataList[0].strip( )
+
+ # The XML upload policy file must be specified at the start
+ if formData.has_key( 'i_policyLabelCreate' ):
+ if policyXml == '':
+ msg = ''
+ msg = msg + 'A Policy file was not supplied. A Policy file '
+ msg = msg + 'must be supplied in order to successfully create '
+ msg = msg + 'a Policy Labeling file.'
+ formatXmlError( msg )
+
+ # Process the XML upload policy label file
+ if formData.has_key( 'i_policyLabel' ):
+ dataList = formData.getlist( 'i_policyLabel' )
+ if len( dataList ) > 0:
+ policyLabelXml = dataList[0].strip( )
+
+ # Process all the hidden input variables (if present)
+ for formVar in formVariables:
+ if formVar[2] == '':
+ continue
+
+ if formData.has_key( formVar[2] ):
+ dataList = formData.getlist( formVar[2] )
+ if len( dataList ) > 0:
+ if isinstance( formVar[1], list ):
+ exec 'formVar[1] = ' + dataList[0]
+ else:
+ formVar[1] = dataList[0]
+
+ # The form can contain any number of "Virtual Machines"
+ # so update the list of form variables to include
+ # each virtual machine (hidden input variable)
+ for vmName in formVmNames[1]:
+ newVm( vmName )
+
+ vmFormVar = allVmChWs[vmName]
+ if (vmFormVar[2] != '') and formData.has_key( vmFormVar[2] ):
+ dataList = formData.getlist( vmFormVar[2] )
+ if len( dataList ) > 0:
+ if isinstance( vmFormVar[1], list ):
+ exec 'vmFormVar[1] = ' + dataList[0]
+ else:
+ vmFormVar[1] = dataList[0]
+
+ vmFormVar = allVmStes[vmName]
+ if (vmFormVar[2] != '') and formData.has_key( vmFormVar[2] ):
+ dataList = formData.getlist( vmFormVar[2] )
+ if len( dataList ) > 0:
+ if isinstance( vmFormVar[1], list ):
+ exec 'vmFormVar[1] = ' + dataList[0]
+ else:
+ vmFormVar[1] = dataList[0]
+
+def getCurrentTime( ):
+ return time.strftime( '%Y-%m-%d %H:%M:%S', time.localtime( ) )
+
+def getName( domNode ):
+ nameNodes = domNode.getElementsByTagName( 'Name' )
+ if len( nameNodes ) == 0:
+ formatXmlError( '"" tag is missing' )
+ return None
+
+ name = ''
+ for childNode in nameNodes[0].childNodes:
+ if childNode.nodeType == xml.dom.Node.TEXT_NODE:
+ name = name + childNode.data
+
+ return name
+
+def getDate( domNode ):
+ dateNodes = domNode.getElementsByTagName( 'Date' )
+ if len( dateNodes ) == 0:
+ formatXmlError( '"" tag is missing' )
+ return None
+
+ date = ''
+ for childNode in dateNodes[0].childNodes:
+ if
childNode.nodeType == xml.dom.Node.TEXT_NODE:
+ date = date + childNode.data
+
+ return date
+
+def getDefUrl( domNode ):
+ domNodes = domNode.getElementsByTagName( 'PolicyName' )
+ if len( domNodes ) == 0:
+ formatXmlError( '"" tag is missing' )
+ return None
+
+ urlNodes = domNode.getElementsByTagName( 'Url' )
+ if len( urlNodes ) == 0:
+ formatXmlError( '"" tag is missing' )
+ return None
+
+ url = ''
+ for childNode in urlNodes[0].childNodes:
+ if childNode.nodeType == xml.dom.Node.TEXT_NODE:
+ url = url + childNode.data
+
+ return url
+
+def getDefRef( domNode ):
+ domNodes = domNode.getElementsByTagName( 'PolicyName' )
+ if len( domNodes ) == 0:
+ formatXmlError( '"" tag is missing' )
+ return None
+
+ refNodes = domNode.getElementsByTagName( 'Reference' )
+ if len( refNodes ) == 0:
+ formatXmlError( '"" tag is missing' )
+ return None
+
+ ref = ''
+ for childNode in refNodes[0].childNodes:
+ if childNode.nodeType == xml.dom.Node.TEXT_NODE:
+ ref = ref + childNode.data
+
+ return ref
+
+def getSteTypes( domNode, missingIsError = 0 ):
+ steNodes = domNode.getElementsByTagName( 'SimpleTypeEnforcementTypes' )
+ if len( steNodes ) == 0:
+ if missingIsError == 1:
+ formatXmlError( '"" tag is missing' )
+ return None
+ else:
+ return []
+
+ return getTypes( steNodes[0] )
+
+def getChWTypes( domNode, missingIsError = 0 ):
+ chwNodes = domNode.getElementsByTagName( 'ChineseWallTypes' )
+ if len( chwNodes ) == 0:
+ if missingIsError == 1:
+ formatXmlError( '"" tag is missing' )
+ return None
+ else:
+ return []
+
+ return getTypes( chwNodes[0] )
+
+def getTypes( domNode ):
+ types = []
+
+ domNodes = domNode.getElementsByTagName( 'Type' )
+ if len( domNodes ) == 0:
+ formatXmlError( '"" tag is missing' )
+ return None
+
+ for domNode in domNodes:
+ typeText = ''
+ for childNode in domNode.childNodes:
+ if childNode.nodeType == xml.dom.Node.TEXT_NODE:
+ typeText = typeText + childNode.data
+
+ if typeText == '':
+ formatXmlError( 'No text associated with the "" tag' )
+ return None
+
+ types.append( typeText )
+
+ return types
+
+def formatXmlError( msg, xml = '', lineNum = -1, colNum = -1 ):
+ global xmlMessages, xmlError
+
+ xmlError = 1
+ addMsg = cgi.escape( msg )
+
+ if lineNum != -1:
+ sio = StringIO( xml )
+ for xmlLine in sio:
+ lineNum = lineNum - 1
+ if lineNum == 0:
+ break;
+
+ addMsg += '
' + cgi.escape( xmlLine.rstrip( ) )
+
+		if colNum != -1:
+			errLine = ''
+			for i in range( colNum ):
+				errLine = errLine + '-'
+
+			addMsg += '\n' + errLine + '^'
+
+		addMsg += '
'
+
+ xmlMessages.append( addMsg )
+
+def formatXmlGenError( msg ):
+ global xmlMessages, xmlIncomplete
+
+ xmlIncomplete = 1
+ xmlMessages.append( cgi.escape( msg ) )
+
+def parseXml( xmlInput ):
+ global xmlMessages, xmlError, xmlLine, xmlColumn
+
+ xmlParser = xml.sax.make_parser( )
+ try:
+ domDoc = xml.dom.minidom.parseString( xmlInput, xmlParser )
+
+ except xml.sax.SAXParseException, xmlErr:
+ msg = ''
+ msg = msg + 'XML parsing error occurred at line '
+ msg = msg + `xmlErr.getLineNumber( )`
+ msg = msg + ', column '
+ msg = msg + `xmlErr.getColumnNumber( )`
+ msg = msg + ': reason = "'
+ msg = msg + xmlErr.getMessage( )
+ msg = msg + '"'
+ formatXmlError( msg, xmlInput, xmlErr.getLineNumber( ), xmlErr.getColumnNumber( ) )
+ return None
+
+ except xml.sax.SAXException, xmlErr:
+ msg = ''
+ msg = msg + 'XML Parsing error: ' + `xmlErr`
+ formatXmlError( msg, xmlInput, xmlErr.getLineNumber( ), xmlErr.getColumnNumber( ) )
+ return None
+
+ return domDoc
+
+def parsePolicyXml( ):
+ global policyXml
+ global formSteTypes, formChWallTypes
+
+ domDoc = parseXml( policyXml )
+ if domDoc == None:
+ return
+
+ domRoot = domDoc.documentElement
+ domNodes = domRoot.getElementsByTagName( 'SimpleTypeEnforcement' )
+ if len( domNodes ) > 0:
+ steTypes = getSteTypes( domNodes[0], 1 )
+ if steTypes == None:
+ msg = ''
+ msg = msg + 'Error processing the SimpleTypeEnforcement types.\n'
+ msg = msg + 'Please validate the Policy Definition file used.'
+ formatXmlError( msg )
+ return
+
+ formSteTypes[1] = steTypes
+
+ domNodes = domRoot.getElementsByTagName( 'ChineseWall' )
+ if len( domNodes ) > 0:
+ chwTypes = getChWTypes( domNodes[0], 1 )
+ if chwTypes == None:
+ msg = ''
+ msg = msg + 'Error processing the ChineseWall types.\n'
+ msg = msg + 'Please validate the Policy Definition file used.'
+ formatXmlError( msg )
+ return
+
+ formChWallTypes[1] = chwTypes
+
+def parsePolicyLabelXml( ):
+ global policyLabelXml
+
+ domDoc = parseXml( policyLabelXml )
+ if domDoc == None:
+ return
+
+ domRoot = domDoc.documentElement
+ domHeaders = domRoot.getElementsByTagName( 'LabelHeader' )
+ if len( domHeaders ) == 0:
+ msg = ''
+ msg = msg + '"" tag is missing.\n'
+ msg = msg + 'Please validate the Policy Labeling file used.'
+ formatXmlError( msg )
+ return
+
+ pName = getName( domHeaders[0] )
+ if pName == None:
+ msg = ''
+ msg = msg + 'Error processing the Policy Labeling header information.\n'
+ msg = msg + 'Please validate the Policy Labeling file used.'
+ formatXmlError( msg )
+ return
+
+ formPolicyLabelName[1] = pName
+
+ pDate = getDate( domHeaders[0] )
+ if pDate == None:
+ msg = ''
+ msg = msg + 'Error processing the Policy Labeling header information.\n'
+ msg = msg + 'Please validate the Policy Labeling file used.'
+ formatXmlError( msg )
+ return
+
+ formPolicyLabelDate[1] = pDate
+
+ pUrl = getDefUrl( domHeaders[0] )
+ if pUrl == None:
+ msg = ''
+ msg = msg + 'Error processing the Policy Labeling header information.\n'
+ msg = msg + 'Please validate the Policy Labeling file used.'
+ formatXmlError( msg )
+ return
+
+ formPolicyUrl[1] = pUrl
+
+ pRef = getDefRef( domHeaders[0] )
+ if pRef == None:
+ msg = ''
+ msg = msg + 'Error processing the Policy Labeling header information.\n'
+ msg = msg + 'Please validate the Policy Labeling file used.'
+ formatXmlError( msg )
+ return
+
+ formPolicyRef[1] = pRef
+
+ domSubjects = domRoot.getElementsByTagName( 'SubjectLabels' )
+ if len( domSubjects ) > 0:
+ formVmNameDom0[1] = domSubjects[0].getAttribute( 'bootstrap' )
+ domNodes = domSubjects[0].getElementsByTagName( 'VirtualMachineLabel' )
+ for domNode in domNodes:
+ vmName = getName( domNode )
+ if vmName == None:
+ msg = ''
+ msg = msg + 'Error processing the VirtualMachineLabel name.\n'
+ msg = msg + 'Please validate the Policy Labeling file used.'
+ formatXmlError( msg )
+ continue
+
+ steTypes = getSteTypes( domNode )
+ if steTypes == None:
+ msg = ''
+ msg = msg + 'Error processing the SimpleTypeEnforcement types.\n'
+ msg = msg + 'Please validate the Policy Labeling file used.'
+ formatXmlError( msg )
+ return
+
+ chwTypes = getChWTypes( domNode )
+ if chwTypes == None:
+ msg = ''
+ msg = msg + 'Error processing the ChineseWall types.\n'
+ msg = msg + 'Please validate the Policy Labeling file used.'
+ formatXmlError( msg )
+ return
+
+ newVm( vmName, 1 )
+ allVmStes[vmName][1] = steTypes
+ allVmChWs[vmName][1] = chwTypes
+
+def removeDups( curList ):
+ newList = []
+ curSet = Set( curList )
+ for x in curSet:
+ newList.append( x )
+ newList.sort( )
+
+ return newList
+
+def newVm( vmName, addToList = 0 ):
+ global formVmNames
+ global templateVmDel, allVmDel, templateVmDom0, allVmDom0
+ global templateVmChWs, templateVmChWDel, templateVmChW, templateVmChWAdd
+ global allVmChWs, allVmChWDel, allVmChWType, allVmChWAdd
+ global templateVmStes, templateVmSteDel, templateVmSte, templateVmSteAdd
+ global allVmStes, allVmSteDel, allVmSteType, allVmSteAdd
+
+ # Make sure we have an actual name and check one of the 'all'
+ # variables to be sure it hasn't been previously defined
+ if (len( vmName ) > 0) and (not allVmDom0.has_key( vmName )):
+ vmSuffix = '_' + vmName
+ allVmDom0[vmName] = modFormTemplate( templateVmDom0, vmSuffix )
+ allVmDel[vmName] = modFormTemplate( templateVmDel, vmSuffix )
+ allVmChWs[vmName] = modFormTemplate( templateVmChWs, vmSuffix )
+ allVmChWDel[vmName] = modFormTemplate( templateVmChWDel, vmSuffix )
+ allVmChW[vmName] = modFormTemplate( templateVmChW, vmSuffix )
+ allVmChWAdd[vmName] = modFormTemplate( templateVmChWAdd, vmSuffix )
+ allVmStes[vmName] = modFormTemplate( templateVmStes, vmSuffix )
+ allVmSteDel[vmName] = modFormTemplate( templateVmSteDel, vmSuffix )
+ allVmSte[vmName] = modFormTemplate( templateVmSte, vmSuffix )
+ allVmSteAdd[vmName] = modFormTemplate( templateVmSteAdd,
vmSuffix )
+ if addToList == 1:
+ formVmNames[1].append( vmName )
+ formVmNames[1] = removeDups( formVmNames[1] )
+
+def updateInfo( ):
+ global formData, formPolicyLabelName, formPolicyLabelDate
+ global formPolicyUrl, formPolicyRef
+
+ if formData.has_key( formPolicyLabelName[3] ):
+ formPolicyLabelName[1] = formData[formPolicyLabelName[3]].value
+ elif formData.has_key( formPolicyLabelUpdate[3] ):
+ formPolicyLabelName[1] = ''
+
+ if formData.has_key( formPolicyLabelDate[3] ):
+ formPolicyLabelDate[1] = formData[formPolicyLabelDate[3]].value
+ elif formData.has_key( formPolicyLabelUpdate[3] ):
+ formPolicyLabelDate[1] = ''
+
+ if formData.has_key( formPolicyUrl[3] ):
+ formPolicyUrl[1] = formData[formPolicyUrl[3]].value
+ elif formData.has_key( formPolicyLabelUpdate[3] ):
+ formPolicyUrl[1] = ''
+
+ if formData.has_key( formPolicyRef[3] ):
+ formPolicyRef[1] = formData[formPolicyRef[3]].value
+ elif formData.has_key( formPolicyLabelUpdate[3] ):
+ formPolicyRef[1] = ''
+
+def addVm( ):
+ global formData, fromVmName, formVmNames, formVmNameDom0
+
+ if (formData.has_key( formDefaultButton[3] )) or (formData.has_key( formVmAdd[3] )):
+ if formData.has_key( formVmName[3] ):
+ vmName = formData[formVmName[3]].value
+ vmName = vmName.strip( )
+ newVm( vmName, 1 )
+ if formVmNameDom0[1] == '':
+ formVmNameDom0[1] = vmName
+
+def delVm( vmName ):
+ global formVmNames, formVmNameDom0
+ global allVmDel, allVmDom0
+ global allVmChWs, allVmChWDel, allVmChWType, allVmChWAdd
+ global allVmStes, allVmSteDel, allVmSteType, allVmSteAdd
+
+ vmName = vmName.strip( )
+ formVmNames[1].remove( vmName )
+ del allVmDom0[vmName]
+ del allVmDel[vmName]
+ del allVmChWs[vmName]
+ del allVmChWDel[vmName]
+ del allVmChW[vmName]
+ del allVmChWAdd[vmName]
+ del allVmStes[vmName]
+ del allVmSteDel[vmName]
+ del allVmSte[vmName]
+ del allVmSteAdd[vmName]
+
+ if formVmNameDom0[1] == vmName:
+ if len( formVmNames[1] ) > 0:
+ formVmNameDom0[1] = formVmNames[1][0]
+ else:
+ formVmNameDom0[1] = ''
+
+def makeVmDom0( vmName ):
+ global formVmNameDom0
+
+ vmName = vmName.strip( )
+ formVmNameDom0[1] = vmName
+
+def addVmChW( chwName ):
+ global formData, allVmChW, allVmChWs
+
+ formVar = allVmChW[chwName]
+ if formData.has_key( formVar[3] ):
+ chwList = formData.getlist( formVar[3] )
+ formVar = allVmChWs[chwName]
+ for chw in chwList:
+ chw = chw.strip( )
+ formVar[1].append( chw )
+ formVar[1] = removeDups( formVar[1] )
+
+def delVmChW( chwName ):
+ global formData, allVmChWs
+
+ formVar = allVmChWs[chwName]
+ if formData.has_key( formVar[3] ):
+ chwList = formData.getlist( formVar[3] )
+ for chw in chwList:
+ chw = chw.strip( )
+ formVar[1].remove( chw )
+
+def addVmSte( steName ):
+ global formData, allVmSte, allVmStes
+
+ formVar = allVmSte[steName]
+ if formData.has_key( formVar[3] ):
+ steList = formData.getlist( formVar[3] )
+ formVar = allVmStes[steName]
+ for ste in steList:
+ ste = ste.strip( )
+ formVar[1].append( ste )
+ formVar[1] = removeDups( formVar[1] )
+
+def delVmSte( steName ):
+ global formData, allVmStes
+
+ formVar = allVmStes[steName]
+ if formData.has_key( formVar[3] ):
+ steList = formData.getlist( formVar[3] )
+ for ste in steList:
+ ste = ste.strip( )
+ formVar[1].remove( ste )
+
+def processRequest( ):
+ global formData, policyXml, policyLabelXml, formPolicyLabelUpdate
+ global formVmAdd
+ global formVmNames, allVmDel, allVmDom0
+ global allVmChWAdd, allVmChWDel, allVmSteAdd, allVmSteDel
+
+ if policyXml != '':
+ parsePolicyXml( )
+
+ if policyLabelXml != '':
+ parsePolicyLabelXml( )
+
+ # Allow the updating of the header information whenever
+ # an action is performed
+ updateInfo( )
+
+ # Allow the adding of labels if the user has hit the
+ # enter key when attempting to add a type/set
+ addVm( )
+
+ for vmName in formVmNames[1]:
+ if formData.has_key( allVmDel[vmName][3] ):
+ delVm( vmName )
+ continue
+
+ if formData.has_key( allVmDom0[vmName][3] ):
+ makeVmDom0( vmName )
+
+ if formData.has_key( allVmChWAdd[vmName][3] ):
+
addVmChW( vmName )
+
+ elif formData.has_key( allVmChWDel[vmName][3] ):
+ delVmChW( vmName )
+
+ elif formData.has_key( allVmSteAdd[vmName][3] ):
+ addVmSte( vmName )
+
+ elif formData.has_key( allVmSteDel[vmName][3] ):
+ delVmSte( vmName )
+
+def modFormTemplate( formTemplate, suffix ):
+ formVar = [x for x in formTemplate]
+
+ if formVar[2] != '':
+ formVar[2] = formVar[2] + suffix
+ if formVar[3] != '':
+ formVar[3] = formVar[3] + suffix
+ if (formVar[0] != 'button') and (formVar[4] != ''):
+ formVar[4] = formVar[4] + suffix
+
+ return formVar;
+
+def makeName( name, suffix='' ):
+ rName = name
+ if suffix != '':
+ rName = rName + '_' + suffix
+
+ return rName
+
+def makeNameAttr( name, suffix='' ):
+ return 'name="' + makeName( name, suffix ) + '"'
+
+def makeValue( value, suffix='' ):
+ rValue = value
+
+ if isinstance( value, list ):
+ rValue = '['
+ for val in value:
+ rValue = rValue + '\'' + val
+ if suffix != '':
+ rValue = rValue + '_' + suffix
+ rValue = rValue + '\','
+ rValue = rValue + ']'
+
+ else:
+ if suffix != '':
+ rValue = rValue + '_' + suffix
+
+ return rValue
+
+def makeValueAttr( value, suffix='' ):
+ return 'value="' + makeValue( value, suffix ) + '"'
+
+def sendHtmlFormVar( formVar, attrs='', rb_select=0 ):
+ nameAttr = ''
+ valueAttr = ''
+ htmlText = ''
+
+ if formVar[0] == 'text':
+ if formVar[3] != '':
+ nameAttr = makeNameAttr( formVar[3] )
+ valueAttr = makeValueAttr( formVar[1] )
+
+ print ''
+
+ elif formVar[0] == 'list':
+ if formVar[3] != '':
+ nameAttr = makeNameAttr( formVar[3] )
+
+ print ''
+ for option in formVar[1]:
+ print ''
+ print ''
+
+ elif formVar[0] == 'button':
+ if formVar[3] != '':
+ nameAttr = makeNameAttr( formVar[3] )
+ if formVar[4] != '':
+ valueAttr = makeValueAttr( formVar[4] )
+
+ print ''
+
+ elif formVar[0] == 'radiobutton':
+ if formVar[3] != '':
+ nameAttr = makeNameAttr( formVar[3] )
+ valueAttr = makeValueAttr( formVar[4][rb_select] )
+ htmlText = formVar[5][rb_select]
+ if formVar[4][rb_select] ==
formVar[1]:
+ checked = 'checked'
+ else:
+ checked = ''
+
+ print '', htmlText
+
+ elif formVar[0] == 'radiobutton-all':
+ if formVar[3] != '':
+ nameAttr = makeNameAttr( formVar[3] )
+ buttonVals = formVar[4]
+ for i, buttonVal in enumerate( buttonVals ):
+ htmlText = ''
+ addAttrs = ''
+ checked = ''
+
+ valueAttr = makeValueAttr( buttonVal )
+ if formVar[5] != '':
+ htmlText = formVar[5][i]
+ if attrs != '':
+ addAttrs = attrs[i]
+ if buttonVal == formVar[1]:
+ checked = 'checked'
+
+ print '', htmlText
+
+ if ( formVar[2] != '' ) and ( rb_select == 0 ):
+ nameAttr = makeNameAttr( formVar[2] )
+ valueAttr = makeValueAttr( formVar[1] )
+ print ''
+
+def sendHtmlHeaders( ):
+ # HTML headers
+ print 'Content-Type: text/html'
+ print
+
+def sendPolicyLabelHtml( ):
+ global xmlError, xmlIncomplete, xmlMessages, formXmlGen
+ global formVmNameDom0, formSteTypes, formChWallTypes
+
+ print ''
+
+ print ''
+
+ sendHtmlHead( )
+
+ print ''
+
+ # An input XML file was specified that had errors, output the
+ # error information
+ if xmlError == 1:
+ print '

' + print 'An error has been encountered while processing the input' + print 'XML file:' + print '

    ' + for msg in xmlMessages: + print '
  • ' + print msg + print '
' + print '' + print '' + return + + # When attempting to generate the XML output, all required data was not + # present, output the error information + if xmlIncomplete == 1: + print '

' + print 'An error has been encountered while validating the data' + print 'required for the output XML file:' + print '

    ' + for msg in xmlMessages: + print '
  • ' + print msg + print '
' + print '' + print '' + return + + print '
' + print '
' + print '' + print ' ' + print ' ' + print ' ' + + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + + # Policy Labeling header + print ' ' + print ' ' + print ' ' + + # Separator + print ' ' + print ' ' + print ' ' + + # Policy Labels (vms) + print ' ' + print ' ' + print ' ' + + print '
' + sendHtmlFormVar( formDefaultButton, 'class="hidden"' ) + print '
' + sendHtmlFormVar( formXmlGen ) + print '
' + sendPLHeaderHtml( ) + print '
' + print '
' + print '
' + print ' ' + print ' ' + print ' ' + print ' ' + print '
' + sendPLSubHtml( ) + print '
' + print '
' + + # Send some data that needs to be available across sessions + sendHtmlFormVar( formVmNameDom0 ) + sendHtmlFormVar( formSteTypes ) + sendHtmlFormVar( formChWallTypes ) + + print '
' + print '
' + + print '' + + print '' + +def sendHtmlHead( ): + global headTitle + + print '' + print '' + print '', headTitle, '' + print '' + +def sendPLHeaderHtml( ): + global formPolicyLabelName, formPolicyLabelDate + global formPolicyUrl, formPolicyRef + global formPolicyLabelUpdate + + # Policy Labeling header definition + print '' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print '
Policy Labeling Information
Name:' + sendHtmlFormVar( formPolicyLabelName, 'class="full"' ) + print '
Date:' + sendHtmlFormVar( formPolicyLabelDate, 'class="full"' ) + print '
Policy URL:' + sendHtmlFormVar( formPolicyUrl, 'class="full"' ) + print '
Policy Reference:' + sendHtmlFormVar( formPolicyRef, 'class="full"' ) + print '
' + sendHtmlFormVar( formPolicyLabelUpdate ) + print '
' + print ' (The Policy Labeling Information is updated whenever an action is performed' + print ' or it can be updated separately using the "Update" button)' + print '
' + +def sendPLSubHtml( ): + global formVmNames, formVmDel, formVmName, formVmAdd + global allVmDel, allVmDom0 + global allVmChWs, allVmChWDel, allVmChW, allVmChWAdd + global allVmStes, allVmSteDel, allVmSte, allVmSteAdd + global formSteTypes, formChWallTypes + + print '' + print ' ' + print ' ' + print ' ' + + # Virtual Machines... + print ' ' + print ' ' + print ' ' + if len( formVmNames[1] ) > 0: + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + for vmName in formVmNames[1]: + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + + print '
' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print '
Virtual Machine Classes
' + sendHtmlFormVar( formVmName, 'class="full"' ) + sendHtmlFormVar( formVmNames ) + print '  
' + sendHtmlFormVar( formVmAdd, 'class="full"' ) + print ' ' + print ' Create a new VM class with the above name' + print '
' + print '
' + print '  ' + print '
' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + for i, vmName in enumerate( formVmNames[1] ): + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print '
Dom 0?NameActions
' + if formVmNameDom0[1] == vmName: + print 'Yes' + else: + print ' ' + print ' ' + vmName + '' + print ' Edit' + formVar = allVmDel[vmName] + sendHtmlFormVar( formVar, 'class="link"' ) + formVar = allVmDom0[vmName] + sendHtmlFormVar( formVar, 'class="link"' ) + print '
' + print '
' + print '
' + print '
' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print '
' + print ' Virtual Machine Class: ' + vmName + '' + print '
Simple Type Enforcement Types Chinese Wall Types
' + formVar = allVmStes[vmName]; + sendHtmlFormVar( formVar, 'class="full" size="4" multiple"' ) + print '  ' + formVar = allVmChWs[vmName]; + sendHtmlFormVar( formVar, 'class="full" size="4" multiple"' ) + print '
' + formVar = allVmSteDel[vmName]; + sendHtmlFormVar( formVar, 'class="full"' ) + print ' ' + print ' Delete the type(s) selected above' + print '  ' + formVar = allVmChWDel[vmName]; + sendHtmlFormVar( formVar, 'class="full"' ) + print ' ' + print ' Delete the type(s) selected above' + print '
' + stSet = Set( formSteTypes[1] ) + vmSet = Set( allVmStes[vmName][1] ) + formVar = allVmSte[vmName] + formVar[1] = [] + for steType in stSet.difference( vmSet ): + formVar[1].append( steType ) + formVar[1].sort( ) + sendHtmlFormVar( formVar, 'class="full" size="2" multiple"' ) + print '  ' + ctSet = Set( formChWallTypes[1] ) + vmSet = Set( allVmChWs[vmName][1] ) + formVar = allVmChW[vmName] + formVar[1] = [] + for chwallType in ctSet.difference( vmSet ): + formVar[1].append( chwallType ) + formVar[1].sort( ) + sendHtmlFormVar( formVar, 'class="full" size="2" multiple"' ) + print '
' + formVar = allVmSteAdd[vmName]; + sendHtmlFormVar( formVar, 'class="full"' ) + print ' ' + print ' Add the type(s) selected above' + print '  ' + formVar = allVmChWAdd[vmName]; + sendHtmlFormVar( formVar, 'class="full"' ) + print ' ' + print ' Add the type(s) selected above' + print '
' + print '
' + +def sendPLObjHtml( ): + + # Resources... + print '' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print ' ' + print '
Resources
' + #sendHtmlFormVar( formVmNames, 'class="full" size="4" multiple"' ) + print ' ' + #sendHtmlFormVar( formVmDel, 'class="full"' ) + print '
' + #sendHtmlFormVar( formVmName, 'class="full"' ) + print ' ' + #sendHtmlFormVar( formVmAdd, 'class="full"' ) + print '
' + +def checkXmlData( ): + global xmlIncomplete + + # Validate the Policy Label Header requirements + if ( len( formPolicyLabelName[1] ) == 0 ) or \ + ( len( formPolicyLabelDate[1] ) == 0 ) or \ + ( len( formPolicyUrl[1] ) == 0 ) or \ + ( len( formPolicyRef[1] ) == 0 ): + msg = '' + msg = msg + 'The XML policy label schema requires that the Policy ' + msg = msg + 'Labeling Information Name, Date, Policy URL and ' + msg = msg + 'Policy Reference fields all have values.' + formatXmlGenError( msg ) + +def sendXmlHeaders( ): + # HTML headers + print 'Content-Type: text/xml' + print 'Content-Disposition: attachment; filename=security_label_template.xml' + print + +def sendPolicyLabelXml( ): + print '' + + print '' + + # Policy Labeling header + sendPLHeaderXml( ) + + # Policy Labels (subjects and objects) + sendPLSubXml( ) + #sendPLObjXml( ) + + print '' + +def sendPLHeaderXml( ): + global formPolicyLabelName, formPolicyLabelDate + global formPolicyUrl, formPolicyRef + + # Policy Labeling header definition + print '' + print ' ' + formPolicyLabelName[1] + '' + print ' ' + formPolicyLabelDate[1] + '' + print ' ' + print ' ' + formPolicyUrl[1] + '' + print ' ' + formPolicyRef[1] + '' + print ' ' + print '' + +def sendPLSubXml( ): + global formVmNames, allVmChWs, allVmStes + + # Virtual machines... 
+ if len( formVmNames[1] ) == 0: + return + + print '' + for vmName in formVmNames[1]: + print ' ' + print ' ' + vmName + '' + formVar = allVmStes[vmName] + if len( formVar[1] ) > 0: + print ' ' + for ste in formVar[1]: + print ' ' + ste + '' + print ' ' + + formVar = allVmChWs[vmName] + if len( formVar[1] ) > 0: + print ' ' + for chw in formVar[1]: + print ' ' + chw + '' + print ' ' + + print ' ' + + print '' + + +# Set up initial HTML variables +headTitle = 'Xen Policy Labeling Generation' + +# Form variables +# The format of these variables is as follows: +# [ p0, p1, p2, p3, p4, p5 ] +# p0 = input type +# p1 = the current value of the variable +# p2 = the hidden input name attribute +# p3 = the name attribute +# p4 = the value attribute +# p5 = text to associate with the tag +formPolicyLabelName = [ 'text', + '', + 'h_policyLabelName', + 'i_policyLabelName', + '', + '', + ] +formPolicyLabelDate = [ 'text', + getCurrentTime( ), + 'h_policyLabelDate', + 'i_policyLabelDate', + '', + '', + ] +formPolicyUrl = [ 'text', + '', + 'h_policyUrl', + 'i_policyUrl', + '', + '', + ] +formPolicyRef = [ 'text', + '', + 'h_policyRef', + 'i_policyRef', + '', + '', + ] +formPolicyLabelUpdate = [ 'button', + '', + '', + 'i_PolicyLabelUpdate', + 'Update', + '', + ] + +formVmNames = [ '', + [], + 'h_vmNames', + '', + '', + '', + ] +formVmDel = [ 'button', + '', + '', + 'i_vmDel', + 'Delete', + '', + ] +formVmName = [ 'text', + '', + '', + 'i_vmName', + '', + '', + ] +formVmAdd = [ 'button', + '', + '', + 'i_vmAdd', + 'New', + '', + ] + +formVmNameDom0 = [ '', + '', + 'h_vmDom0', + '', + '', + '', + ] + +formXmlGen = [ 'button', + '', + '', + 'i_xmlGen', + 'Generate XML', + '', + ] + +formDefaultButton = [ 'button', + '', + '', + 'i_defaultButton', + '.', + '', + ] + +formSteTypes = [ '', + [], + 'h_steTypes', + '', + '', + '', + ] +formChWallTypes = [ '', + [], + 'h_chwallTypes', + '', + '', + '', + ] + +# This is a set of templates used for each virtual machine +# Each virtual 
machine is initially assigned these templates, +# then each form attribute value is changed to append +# "_virtual-machine-name" for uniqueness. +templateVmDel = [ 'button', + '', + '', + 'i_vmDel', + 'Delete', + '', + ] +templateVmDom0 = [ 'button', + '', + '', + 'i_vmDom0', + 'SetDom0', + '', + ] +allVmDel = {}; +allVmDom0 = {}; + +templateVmChWs = [ 'list', + [], + 'h_vmChWs', + 'i_vmChWs', + '', + '', + ] +templateVmChWDel = [ 'button', + '', + '', + 'i_vmChWDel', + 'Delete', + '', + ] +templateVmChW = [ 'list', + [], + '', + 'i_vmChW', + '', + '', + ] +templateVmChWAdd = [ 'button', + '', + '', + 'i_vmChWAdd', + 'Add', + '', + ] +allVmChWs = {}; +allVmChWDel = {}; +allVmChW = {}; +allVmChWAdd = {}; + +templateVmStes = [ 'list', + [], + 'h_vmStes', + 'i_vmStes', + '', + '', + ] +templateVmSteDel = [ 'button', + '', + '', + 'i_vmSteDel', + 'Delete', + '', + ] +templateVmSte = [ 'list', + [], + '', + 'i_vmSte', + '', + '', + ] +templateVmSteAdd = [ 'button', + '', + '', + 'i_vmSteAdd', + 'Add', + '', + ] +allVmStes = {}; +allVmSteDel = {}; +allVmSte = {}; +allVmSteAdd = {}; + +# A list of all form variables used for saving info across requests +formVariables = [ formPolicyLabelName, + formPolicyLabelDate, + formPolicyUrl, + formPolicyRef, + formVmNames, + formVmNameDom0, + formSteTypes, + formChWallTypes, + ] + +policyXml = '' +policyLabelXml = '' +xmlError = 0 +xmlIncomplete = 0 +xmlMessages = [] + + +# Extract any form data +formData = cgi.FieldStorage( ) + +# Process the form +getSavedData( ) +processRequest( ) + +if formData.has_key( formXmlGen[3] ): + # Generate and send the XML file + checkXmlData( ) + + if xmlIncomplete == 0: + sendXmlHeaders( ) + sendPolicyLabelXml( ) + +if (not formData.has_key( formXmlGen[3] )) or (xmlIncomplete == 1 ): + # Send HTML to continue processing the form + sendHtmlHeaders( ) + sendPolicyLabelHtml( ) diff -r bdcb115c667a -r db5feb4ccc13 tools/security/python/xensec_gen/index.html --- /dev/null Sat Dec 10 23:20:08 2005 
+++ b/tools/security/python/xensec_gen/index.html Mon Dec 12 19:10:23 2005 @@ -0,0 +1,126 @@ + + + + + + + + + + Xen Security Policy Tool + + + +

Xen Security Policy Generation Tool

+ +
+
+ + + + + + + + + + + + + + + + + + + + + +
+ Security Policy + + To generate a new Xen Security Policy leave the + "Policy File" entry field + empty and click the "Create" button.
+ To modify an existing Xen Security Policy enter the + file name containing the policy in the + "Policy File" entry field + and click the "Create" button.
+
+ Policy File: + + +
+ +
+
+ +
+ + + + + + + + + + + + + + + + + + + + + + + + + + +
+ Security Policy Labeling + + To generate or edit the Xen Security Policy Labeling you must + specify the name of + an existing Xen Security Policy file in the + "Policy File" entry field.
+ To generate new Xen Security Policy Labeling leave the + "Policy Labeling File" entry field + empty and click the "Create" button.
+ To modify existing Xen Security Policy Labeling enter the + file name containing the labeling in the + "Policy Labeling File" entry field + and click the "Create" button.
+
+ Policy File: + + +
+ Policy Labeling File: + + +
+ +
+
+
+ + diff -r bdcb115c667a -r db5feb4ccc13 tools/security/python/xensec_gen/main.py --- /dev/null Sat Dec 10 23:20:08 2005 +++ b/tools/security/python/xensec_gen/main.py Mon Dec 12 19:10:23 2005 
@@ -0,0 +1,185 @@ +#!/usr/bin/python +# +# The Initial Developer of the Original Code is International +# Business Machines Corporation. Portions created by IBM +# Corporation are Copyright (C) 2005 International Business +# Machines Corporation. All Rights Reserved. +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, +# or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# + +"""Xen security policy generation aid +""" + +import os +import pwd +import grp +import sys +import getopt +import BaseHTTPServer +import CGIHTTPServer + + +gHttpPort = 7777 +gHttpDir = '/var/lib/xensec_gen' +gLogFile = '/var/log/xensec_gen.log' +gUser = 'nobody' +gGroup = 'nobody' + +def usage( ): + print >>sys.stderr, 'Usage: ' + sys.argv[0] + ' [OPTIONS]' + print >>sys.stderr, ' OPTIONS:' + print >>sys.stderr, ' -p, --httpport' + print >>sys.stderr, ' The port on which the http server is to listen' + print >>sys.stderr, ' (default: ' + str( gHttpPort ) + ')' + print >>sys.stderr, ' -d, --httpdir' + print >>sys.stderr, ' The directory where the http server is to serve pages from' + print >>sys.stderr, ' (default: ' + gHttpDir + ')' + print >>sys.stderr, ' -l, --logfile' + print >>sys.stderr, ' The file in which to log messages generated by this command' + print >>sys.stderr, ' (default: ' + gLogFile + ')' + print >>sys.stderr, ' -u, --user' + print >>sys.stderr, ' The user under which this 
command is to run. This parameter' + print >>sys.stderr, ' is only used when invoked under the "root" user' + print >>sys.stderr, ' (default: ' + gUser + ')' + print >>sys.stderr, ' -g, --group' + print >>sys.stderr, ' The group under which this command is to run. This parameter' + print >>sys.stderr, ' is only used when invoked under the "root" user' + print >>sys.stderr, ' (default: ' + gGroup + ')' + print >>sys.stderr, ' -f' + print >>sys.stderr, ' Run the command in the foreground. The logfile option will be' + print >>sys.stderr, ' ignored and all output will be directed to stdout and stderr.' + print >>sys.stderr, ' -h, --help' + print >>sys.stderr, ' Display the command usage information' + +def runServer( aServerPort, + aServerClass = BaseHTTPServer.HTTPServer, + aHandlerClass = CGIHTTPServer.CGIHTTPRequestHandler ): + serverAddress = ( '', aServerPort ) + httpd = aServerClass( serverAddress, aHandlerClass ) + httpd.serve_forever( ) + +def daemonize( aHttpDir, aLogFile, aUser, aGroup, aFork = 'true' ): + # Do some pre-daemon activities + os.umask( 027 ) + if os.getuid( ) == 0: + # If we are running as root, we will change that + uid = pwd.getpwnam( aUser )[2] + gid = grp.getgrnam( aGroup )[2] + + if aFork == 'true': + # Change the owner of the log file to the user/group + # under which the daemon is to run + flog = open( aLogFile, 'a' ) + flog.close( ) + os.chown( aLogFile, uid, gid ) + + # Change the uid/gid of the process + os.setgid( gid ) + os.setuid( uid ) + + # Change to the HTTP directory + os.chdir( aHttpDir ) + + if aFork == 'true': + # Do first fork + try: + pid = os.fork( ) + if pid: + # Parent process + return pid + + except OSError, e: + raise Exception, e + + # First child process, create a new session + os.setsid( ) + + # Do second fork + try: + pid = os.fork( ) + if pid: + # Parent process + os._exit( 0 ) + + except OSError, e: + raise Exception, e + + # Reset stdin/stdout/stderr + fin = open( '/dev/null', 'r' ) + flog = open( aLogFile, 'a' 
) + os.dup2( fin.fileno( ), sys.stdin.fileno( ) ) + os.dup2( flog.fileno( ), sys.stdout.fileno( ) ) + os.dup2( flog.fileno( ), sys.stderr.fileno( ) ) + +def main( ): + httpPort = gHttpPort + httpDir = gHttpDir + logFile = gLogFile + user = gUser + group = gGroup + doFork = 'true' + + shortOpts = 'd:p:l:u:g:fh' + longOpts = [ 'httpdir=', 'httpport=', 'logfile=', 'user=', 'group=', 'help' ] + try: + opts, args = getopt.getopt( sys.argv[1:], shortOpts, longOpts ) + + except getopt.GetoptError, e: + print >>sys.stderr, e + usage( ) + sys.exit( ) + + if len( args ) != 0: + print >>sys.stderr, 'Error: command arguments are not supported' + usage( ) + sys.exit( ) + + for opt, opt_value in opts: + if opt in ( '-h', '--help' ): + usage( ) + sys.exit( ) + + if opt in ( '-d', '--httpdir' ): + httpDir = opt_value + + if opt in ( '-p', '--httpport' ): + try: + httpPort = int( opt_value ) + except: + print >>sys.stderr, 'Error: HTTP port is not valid' + usage( ) + sys.exit( ) + + if opt in ( '-l', '--logfile' ): + logFile = opt_value + + if opt in ( '-u', '--user' ): + user = opt_value + + if opt in ( '-g', '--group' ): + group = opt_value + + if opt in ( '-f' ): + doFork = 'false' + + pid = daemonize( httpDir, logFile, user, group, doFork ) + if pid > 0: + sys.exit( ) + + runServer( httpPort ) + +if __name__ == '__main__': + main( ) diff -r bdcb115c667a -r db5feb4ccc13 tools/security/xensec_gen.py --- /dev/null Sat Dec 10 23:20:08 2005 +++ b/tools/security/xensec_gen.py Mon Dec 12 19:10:23 2005 
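Review bot: The privilege drop in daemonize() calls `os.setgid( gid )` and `os.setuid( uid )` but never clears the supplementary groups inherited from root, so the unprivileged server keeps them; add `os.setgroups( [] )` immediately before the setgid call. runServer() also binds `serverAddress = ( '', aServerPort )`, i.e. every interface, for a CGIHTTPRequestHandler that has no authentication of its own; defaulting the address to `'127.0.0.1'` (with a `--bindaddr` option for deliberate remote exposure) would keep the tool local unless an operator chooses otherwise. The log file is opened and chown'ed while still root, which is fine for the default path but worth a comment such as `# Opened as root before dropping privileges: aLogFile must be a path the daemon user is expected to own`. Finally, `aFork == 'true'` compares strings where a bool would read better and avoid silent no-ops on a typo.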
@@ -0,0 +1,26 @@
+#!/usr/bin/python
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License,
+# or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#
+
+import sys
+
+# Add fallback path for non-native python path installs if needed
+sys.path.append( '/usr/lib/python' )
+sys.path.append( '/usr/lib64/python' )
+
+from xen.xensec_gen import main
+
+main.main( )
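Review bot: The two fallback `sys.path.append` lines run unconditionally and `main.main( )` executes at import time, so the wrapper always widens the import path even on native installs and cannot be imported or tested without starting the daemon. Try the import first and only append the fallback directories on ImportError, and put the call under an `if __name__ == '__main__':` guard.

```python
# … unchanged: license header and import sys …
try:
    from xen.xensec_gen import main
except ImportError:
    # Fallback for non-native python path installs
    sys.path.append( '/usr/lib/python' )
    sys.path.append( '/usr/lib64/python' )
    from xen.xensec_gen import main

if __name__ == '__main__':
    main.main( )
```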