1 # Thierry Parmentelat -- INRIA
3 # a minimal library for writing "lightweight" SFA clients
7 # this library should probably check for the expiration date of the various
8 # certificates and automatically retrieve fresh ones when expired
12 from datetime import datetime
13 from sfa.util.xrn import Xrn
15 import sfa.util.sfalogging
16 # importing sfa.utils.faults does pull a lot of stuff
17 # OTOH it's imported from Certificate anyways, so..
18 from sfa.util.faults import RecordNotFound
20 from sfa.client.sfaserverproxy import SfaServerProxy
22 # see optimizing dependencies below
23 from sfa.trust.certificate import Keypair, Certificate
24 from sfa.trust.credential import Credential
25 from sfa.trust.gid import GID
27 # a helper class to implement the bootstrapping of crypto. material
28 # assuming we are starting from scratch on the client side
29 # what's needed to complete a full slice creation cycle
31 # (*) a local private key
32 # (*) the corresp. public key in the registry
33 # (**) step1: a self-signed certificate
34 # default filename is <hrn>.sscert
35 # (**) step2: a user credential
36 # obtained at the registry with GetSelfCredential
37 # using the self-signed certificate as the SSL cert
38 # default filename is <hrn>.user.cred
39 # (**) step3: a registry-provided certificate (i.e. a GID)
40 # obtained at the registry using Resolve
41 # using the step2 credential as credential
42 # default filename is <hrn>.user.gid
44 # From that point on, the GID is used as the SSL certificate
45 # and the following can be done
47 # (**) retrieve a slice (or authority) credential
48 # obtained at the registry with GetCredential
49 # using the (step2) user-credential as credential
50 # default filename is <hrn>.<type>.cred
51 # (**) retrieve a slice (or authority) GID
52 # obtained at the registry with Resolve
53 # using the (step2) user-credential as credential
54 # default filename is <hrn>.<type>.cred
57 ########## Implementation notes
61 # this implementation is designed as a guideline for
62 # porting to other languages
64 # the decision to go for decorators aims at focusing
65 # on the core of what needs to be done when everything
66 # works fine, and to take caching and error management
69 # for non-pythonic developers, it should be enough to
70 # implement the bulk of this code, namely the _produce methods
71 # and to add caching and error management by whichever means
72 # is available, including inline
74 # (*) self-signed certificates
76 # still with other languages in mind, we've tried to keep the
77 # dependencies to the rest of the code as low as possible
79 # however this still relies on the sfa.trust.certificate module
80 # for the initial generation of a self-signed-certificate that
81 # is associated to the user's ssh-key
82 # (for user-friendliness, and for smooth operations with planetlab,
83 # the usage model is to reuse an existing keypair)
85 # there might be a more portable, i.e. less language-dependant way, to
86 # implement this step by exec'ing the openssl command.
87 # a known successful attempt at this approach that worked
88 # for Java is documented below
89 # http://nam.ece.upatras.gr/fstoolkit/trac/wiki/JavaSFAClient
93 class SfaClientException (Exception): pass
95 class SfaClientBootstrap:
97 # dir is mandatory but defaults to '.'
98 def __init__ (self, user_hrn, registry_url, dir=None,
99 verbose=False, timeout=None, logger=None):
101 self.registry_url=registry_url
102 if dir is None: dir="."
106 # default for the logger is to use the global sfa logger
108 logger = sfa.util.sfalogging.logger
111 ######################################## *_produce methods
113 # unconditionnally create a self-signed certificate
114 def self_signed_cert_produce (self,output):
115 self.assert_private_key()
116 private_key_filename = self.private_key_filename()
117 keypair=Keypair(filename=private_key_filename)
118 self_signed = Certificate (subject = self.hrn)
119 self_signed.set_pubkey (keypair)
120 self_signed.set_issuer (keypair, self.hrn)
122 self_signed.save_to_file (output)
123 self.logger.debug("SfaClientBootstrap: Created self-signed certificate for %s in %s"%\
128 # unconditionnally retrieve my credential (GetSelfCredential)
129 # we always use the self-signed-cert as the SSL cert
130 def my_credential_produce (self, output):
131 self.assert_self_signed_cert()
132 certificate_filename = self.self_signed_cert_filename()
133 certificate_string = self.plain_read (certificate_filename)
134 self.assert_private_key()
135 registry_proxy = SfaServerProxy (self.registry_url, self.private_key_filename(),
136 certificate_filename)
138 credential_string=registry_proxy.GetSelfCredential (certificate_string, self.hrn, "user")
140 # some urns hrns may replace non hierarchy delimiters '.' with an '_' instead of escaping the '.'
141 hrn = Xrn(self.hrn).get_hrn().replace('\.', '_')
142 credential_string=registry_proxy.GetSelfCredential (certificate_string, hrn, "user")
143 self.plain_write (output, credential_string)
144 self.logger.debug("SfaClientBootstrap: Wrote result of GetSelfCredential in %s"%output)
148 # unconditionnally retrieve my GID - use the general form
149 def my_gid_produce (self,output):
150 return self.gid_produce (output, self.hrn, "user")
152 ### retrieve any credential (GetCredential) unconditionnal form
153 # we always use the GID as the SSL cert
154 def credential_produce (self, output, hrn, type):
156 certificate_filename = self.my_gid_filename()
157 self.assert_private_key()
158 registry_proxy = SfaServerProxy (self.registry_url, self.private_key_filename(),
159 certificate_filename)
160 self.assert_my_credential()
161 my_credential_string = self.my_credential_string()
162 credential_string=registry_proxy.GetCredential (my_credential_string, hrn, type)
163 self.plain_write (output, credential_string)
164 self.logger.debug("SfaClientBootstrap: Wrote result of GetCredential in %s"%output)
167 def slice_credential_produce (self, output, hrn):
168 return self.credential_produce (output, hrn, "slice")
170 def authority_credential_produce (self, output, hrn):
171 return self.credential_produce (output, hrn, "authority")
173 ### retrieve any gid (Resolve) - unconditionnal form
174 # use my GID when available as the SSL cert, otherwise the self-signed
175 def gid_produce (self, output, hrn, type ):
178 certificate_filename = self.my_gid_filename()
180 self.assert_self_signed_cert()
181 certificate_filename = self.self_signed_cert_filename()
183 self.assert_private_key()
184 registry_proxy = SfaServerProxy (self.registry_url, self.private_key_filename(),
185 certificate_filename)
186 credential_string=self.plain_read (self.my_credential())
187 records = registry_proxy.Resolve (hrn, credential_string)
188 records=[record for record in records if record['type']==type]
190 raise RecordNotFound, "hrn %s (%s) unknown to registry %s"%(hrn,type,self.registry_url)
192 self.plain_write (output, record['gid'])
193 self.logger.debug("SfaClientBootstrap: Wrote GID for %s (%s) in %s"% (hrn,type,output))
197 # Returns True if credential file is valid. Otherwise return false.
198 def validate_credential(self, filename):
200 cred = Credential(filename=filename)
201 # check if credential is expires
202 if cred.get_expiration() < datetime.now():
207 #################### public interface
209 # return my_gid, run all missing steps in the bootstrap sequence
210 def bootstrap_my_gid (self):
211 self.self_signed_cert()
215 # once we've bootstrapped we can use this object to issue any other SFA call
217 def server_proxy (self, url):
219 return SfaServerProxy (url, self.private_key_filename(), self.my_gid_filename(),
220 verbose=self.verbose, timeout=self.timeout)
222 # now in some cases the self-signed is enough
223 def server_proxy_simple (self, url):
224 self.assert_self_signed_cert()
225 return SfaServerProxy (url, self.private_key_filename(), self.self_signed_cert_filename(),
226 verbose=self.verbose, timeout=self.timeout)
228 # this method can optionnally be invoked to ensure proper
229 # installation of the private key that belongs to this user
230 # installs private_key in working dir with expected name -- preserve mode
231 # typically user_private_key would be ~/.ssh/id_rsa
232 # xxx should probably check the 2 files are identical
233 def init_private_key_if_missing (self, user_private_key):
234 private_key_filename=self.private_key_filename()
235 if not os.path.isfile (private_key_filename):
236 key=self.plain_read(user_private_key)
237 self.plain_write(private_key_filename, key)
238 os.chmod(private_key_filename,os.stat(user_private_key).st_mode)
239 self.logger.debug("SfaClientBootstrap: Copied private key from %s into %s"%\
240 (user_private_key,private_key_filename))
242 #################### private details
244 def fullpath (self, file): return os.path.join (self.dir,file)
246 # the expected filenames for the various pieces
247 def private_key_filename (self):
248 return self.fullpath ("%s.pkey" % Xrn.unescape(self.hrn))
249 def self_signed_cert_filename (self):
250 return self.fullpath ("%s.sscert"%self.hrn)
251 def my_credential_filename (self):
252 return self.credential_filename (self.hrn, "user")
253 def credential_filename (self, hrn, type):
254 return self.fullpath ("%s.%s.cred"%(hrn,type))
255 def slice_credential_filename (self, hrn):
256 return self.credential_filename(hrn,'slice')
257 def authority_credential_filename (self, hrn):
258 return self.credential_filename(hrn,'authority')
259 def my_gid_filename (self):
260 return self.gid_filename (self.hrn, "user")
261 def gid_filename (self, hrn, type):
262 return self.fullpath ("%s.%s.gid"%(hrn,type))
265 # optimizing dependencies
266 # originally we used classes GID or Credential or Certificate
268 # return Credential(filename=self.my_credential()).save_to_string()
269 # but in order to make it simpler to other implementations/languages..
270 def plain_read (self, filename):
271 infile=file(filename,"r")
276 def plain_write (self, filename, contents):
277 outfile=file(filename,"w")
278 result=outfile.write(contents)
281 def assert_filename (self, filename, kind):
282 if not os.path.isfile (filename):
283 raise IOError,"Missing %s file %s"%(kind,filename)
286 def assert_private_key (self): return self.assert_filename (self.private_key_filename(),"private key")
287 def assert_self_signed_cert (self): return self.assert_filename (self.self_signed_cert_filename(),"self-signed certificate")
288 def assert_my_credential (self): return self.assert_filename (self.my_credential_filename(),"user's credential")
289 def assert_my_gid (self): return self.assert_filename (self.my_gid_filename(),"user's GID")
292 # decorator to make up the other methods
293 def get_or_produce (filename_method, produce_method, validate_method=None):
294 # default validator returns true
296 def wrapped (self, *args, **kw):
297 filename=filename_method (self, *args, **kw)
298 if os.path.isfile ( filename ):
299 if not validate_method:
301 elif validate_method(self, filename):
304 # remove invalid file
305 self.logger.warning ("Removing %s - has expired"%filename)
308 produce_method (self, filename, *args, **kw)
313 error = sys.exc_info()[:2]
314 message="Could not produce/retrieve %s (%s -- %s)"%\
315 (filename,error[0],error[1])
316 self.logger.log_exc(message)
317 raise Exception, message
321 @get_or_produce (self_signed_cert_filename, self_signed_cert_produce)
322 def self_signed_cert (self): pass
324 @get_or_produce (my_credential_filename, my_credential_produce, validate_credential)
325 def my_credential (self): pass
327 @get_or_produce (my_gid_filename, my_gid_produce)
328 def my_gid (self): pass
330 @get_or_produce (credential_filename, credential_produce, validate_credential)
331 def credential (self, hrn, type): pass
333 @get_or_produce (slice_credential_filename, slice_credential_produce, validate_credential)
334 def slice_credential (self, hrn): pass
336 @get_or_produce (authority_credential_filename, authority_credential_produce, validate_credential)
337 def authority_credential (self, hrn): pass
339 @get_or_produce (gid_filename, gid_produce)
340 def gid (self, hrn, type ): pass
343 # get the credentials as strings, for inserting as API arguments
344 def my_credential_string (self):
346 return self.plain_read(self.my_credential_filename())
347 def slice_credential_string (self, hrn):
348 self.slice_credential(hrn)
349 return self.plain_read(self.slice_credential_filename(hrn))
350 def authority_credential_string (self, hrn):
351 self.authority_credential(hrn)
352 return self.plain_read(self.authority_credential_filename(hrn))
355 def private_key (self):
356 self.assert_private_key()
357 return self.private_key_filename()
359 def delegate_credential_string (self, original_credential, to_hrn, to_type='authority'):
361 sign a delegation credential to someone else
363 original_credential : typically one's user- or slice- credential to be delegated to s/b else
364 to_hrn : the hrn of the person that will be allowed to do stuff on our behalf
365 to_type : goes with to_hrn, usually 'user' or 'authority'
367 returns a string with the delegated credential
369 this internally uses self.my_gid()
370 it also retrieves the gid for to_hrn/to_type
371 and uses Credential.delegate()"""
373 # the gid and hrn of the object we are delegating
374 if isinstance (original_credential, str):
375 original_credential = Credential (string=original_credential)
376 original_gid = original_credential.get_gid_object()
377 original_hrn = original_gid.get_hrn()
379 if not original_credential.get_privileges().get_all_delegate():
380 self.logger.error("delegate_credential_string: original credential %s does not have delegate bit set"%original_hrn)
383 # the delegating user's gid
384 my_gid = self.my_gid()
386 # retrieve the GID for the entity that we're delegating to
387 to_gidfile = self.gid (to_hrn,to_type)
388 # to_gid = GID ( to_gidfile )
389 # to_hrn = delegee_gid.get_hrn()
390 # print 'to_hrn',to_hrn
391 delegated_credential = original_credential.delegate(to_gidfile, self.private_key(), my_gid)
392 return delegated_credential.save_to_string(save_parents=True)