1 # Thierry Parmentelat -- INRIA
3 # a minimal library for writing "lightweight" SFA clients
8 import sfa.util.sfalogging
10 # what we use on GID actually is inherited from Certificate
11 #from sfa.trust.gid import GID
12 from sfa.trust.certificate import Keypair, Certificate
13 # what we need in the Credential class essentially amounts to saving the incoming result
14 # in a file as the output from the registry already is under xml format
15 #from sfa.trust.credential import Credential
17 import sfa.client.sfaprotocol as sfaprotocol
21 def __init__ (self, url, keyfile, certfile, verbose=False, timeout=None):
24 self.certfile=certfile
27 # an instance of xmlrpclib.ServerProxy
28 self.serverproxy=sfaprotocol.server_proxy \
29 (self.url, self.keyfile, self.certfile, self.timeout, self.verbose)
31 # this is python magic to return the code to run when
32 # SfaServerProxy receives a method call
33 # so essentially we send the same method with identical arguments
34 # to the server_proxy object
35 def __getattr__(self, name):
36 def func(*args, **kwds):
37 return getattr(self.serverproxy, name)(*args, **kwds)
41 # a helper class to implement the bootstrapping of crypto. material
42 # assuming we are starting from scratch on the client side
43 # what's needed to complete a full slice creation cycle
45 # (*) a local private key
46 # (*) the corresp. public key in the registry
47 # (**) step1: a self-signed certificate
48 # default filename is <hrn>.sscert
49 # (**) step2: a user credential
50 # obtained at the registry with GetSelfCredential
51 # using the self-signed certificate as the SSL cert
52 # default filename is <hrn>.user.cred
53 # (**) step3: a registry-provided certificate (i.e. a GID)
54 # obtained at the registry using Resolve
55 # using the step2 credential as credential
56 # default filename is <hrn>.user.gid
58 # from that point on, the GID can/should be used as the SSL cert for anything
59 # a new (slice) credential would be needed for slice operations and can be
60 # obtained at the registry through GetCredential
62 # xxx todo should protect against write file permissions
63 # xxx todo review exceptions
64 class SfaClientBootstrap:
66 # xxx todo should account for verbose and timeout that the proxy offers
67 def __init__ (self, user_hrn, registry_url, dir=None, logger=None):
69 self.registry_url=registry_url
70 if dir is None: dir="."
73 print 'special case for logger'
74 logger = sfa.util.sfalogging.logger
77 #################### public interface
79 # xxx should that be called in the constructor ?
80 # typically user_private_key is ~/.ssh/id_rsa
81 def init_private_key_if_missing (self, user_private_key):
82 private_key_filename=self.private_key_filename()
83 if not os.path.isfile (private_key_filename):
84 key=self.plain_read(user_private_key)
85 self.plain_write(private_key_filename, key)
86 os.chmod(private_key_filename,os.stat(user_private_key).st_mode)
87 self.logger.debug("SfaClientBootstrap: Copied private key from %s into %s"%\
88 (user_private_key,private_key_filename))
90 # make sure we have the GID at hand
91 def bootstrap_gid (self):
92 if self.any_certificate_filename() is None:
93 self.get_self_signed_cert()
97 def server_proxy (self, url):
98 return SfaServerProxy (url, self.private_key_filename(), self.gid_filename())
100 def get_credential_string (self):
101 return self.plain_read (self.get_credential())
103 # more to come to get credentials about other objects (authority/slice)
105 #################### private details
107 def fullpath (self, file): return os.path.join (self.dir,file)
109 def fullpath_format(self,format): return self.fullpath (format%self.hrn)
111 def private_key_filename (self):
112 return self.fullpath_format ("%s.pkey")
113 def self_signed_cert_filename (self):
114 return self.fullpath_format ("%s.sscert")
115 def credential_filename (self):
116 return self.fullpath_format ("%s.user.cred")
117 def gid_filename (self):
118 return self.fullpath_format ("%s.user.gid")
120 # optimizing dependencies
121 # originally we used classes GID or Credential or Certificate
123 # return Credential(filename=self.get_credential()).save_to_string()
124 # but in order to make it simpler to other implementations/languages..
125 def plain_read (self, filename):
126 infile=file(filename,"r")
131 def plain_write (self, filename, contents):
132 outfile=file(filename,"w")
133 result=outfile.write(contents)
137 def check_private_key (self):
138 if not os.path.isfile (self.private_key_filename()):
139 raise Exception,"No such file %s"%self.private_key_filename()
142 # get any certificate
143 # rationale for this method, once we have the gid, it's actually safe
144 # to remove the .sscert
145 def any_certificate_filename (self):
146 attempts=[ self.gid_filename(), self.self_signed_cert_filename() ]
147 for attempt in attempts:
148 if os.path.isfile (attempt): return attempt
153 def create_self_signed_certificate (self,output):
154 self.check_private_key()
155 private_key_filename = self.private_key_filename()
156 keypair=Keypair(filename=private_key_filename)
157 self_signed = Certificate (subject = self.hrn)
158 self_signed.set_pubkey (keypair)
159 self_signed.set_issuer (keypair, self.hrn)
161 self_signed.save_to_file (output)
162 self.logger.debug("SfaClientBootstrap: Created self-signed certificate for %s in %s"%\
166 def get_self_signed_cert (self):
167 self_signed_cert_filename = self.self_signed_cert_filename()
168 if os.path.isfile (self_signed_cert_filename):
169 return self_signed_cert_filename
170 return self.create_self_signed_certificate(self_signed_cert_filename)
174 def retrieve_credential (self, output):
175 self.check_private_key()
176 certificate_filename = self.any_certificate_filename()
177 certificate_string = self.plain_read (certificate_filename)
178 registry_proxy = SfaServerProxy (self.registry_url, self.private_key_filename(),
179 certificate_filename)
180 credential_string=registry_proxy.GetSelfCredential (certificate_string, self.hrn, "user")
181 self.plain_write (output, credential_string)
182 self.logger.debug("SfaClientBootstrap: Wrote result of GetSelfCredential in %s"%output)
185 def get_credential (self):
186 credential_filename = self.credential_filename ()
187 if os.path.isfile(credential_filename):
188 return credential_filename
189 return self.retrieve_credential (credential_filename)
193 def retrieve_gid (self, hrn, type, output):
194 self.check_private_key()
195 certificate_filename = self.any_certificate_filename()
196 registry_proxy = SfaServerProxy (self.registry_url, self.private_key_filename(),
197 certificate_filename)
198 credential_string=self.plain_read (self.get_credential())
199 records = registry_proxy.Resolve (hrn, credential_string)
200 records=[record for record in records if record['type']==type]
203 raise Exception, "hrn %s (%s) unknown to registry %s"%(hrn,type,self.registry_url)
205 self.plain_write (output, record['gid'])
206 self.logger.debug("SfaClientBootstrap: Wrote GID for %s (%s) in %s"% (hrn,type,output))
210 gid_filename=self.gid_filename()
211 if os.path.isfile(gid_filename):
213 return self.retrieve_gid(self.hrn, "user", gid_filename)