+ self.logger = logger
+
+ # *_produce methods
+ # step1
+ # unconditionnally create a self-signed certificate
+ def self_signed_cert_produce(self, output):
+ self.assert_private_key()
+ private_key_filename = self.private_key_filename()
+ keypair = Keypair(filename=private_key_filename)
+ self_signed = Certificate(subject=self.hrn)
+ self_signed.set_pubkey(keypair)
+ self_signed.set_issuer(keypair, self.hrn)
+ self_signed.sign()
+ self_signed.save_to_file(output)
+ self.logger.debug("SfaClientBootstrap: Created self-signed certificate for {} in {}"
+ .format(self.hrn, output))
+ return output
+
+ # step2
+ # unconditionnally retrieve my credential (GetSelfCredential)
+ # we always use the self-signed-cert as the SSL cert
+ def my_credential_produce(self, output):
+ self.assert_self_signed_cert()
+ certificate_filename = self.self_signed_cert_filename()
+ certificate_string = self.plain_read(certificate_filename)
+ self.assert_private_key()
+ registry_proxy = SfaServerProxy(self.registry_url,
+ self.private_key_filename(),
+ certificate_filename)
+ try:
+ credential_string = registry_proxy.GetSelfCredential(
+ certificate_string, self.hrn, "user")
+ except:
+ # some urns hrns may replace non hierarchy delimiters '.' with an
+ # '_' instead of escaping the '.'
+ hrn = Xrn(self.hrn).get_hrn().replace('\.', '_')
+ credential_string = registry_proxy.GetSelfCredential(
+ certificate_string, hrn, "user")
+ self.plain_write(output, credential_string)
+ self.logger.debug(
+ "SfaClientBootstrap: Wrote result of GetSelfCredential in {}".format(output))
+ return output
+
+ # step3
+ # unconditionnally retrieve my GID - use the general form
+ def my_gid_produce(self, output):
+ return self.gid_produce(output, self.hrn, "user")
+
+ # retrieve any credential (GetCredential) unconditionnal form
+ # we always use the GID as the SSL cert
+ def credential_produce(self, output, hrn, type):
+ self.assert_my_gid()
+ certificate_filename = self.my_gid_filename()
+ self.assert_private_key()
+ registry_proxy = SfaServerProxy(self.registry_url, self.private_key_filename(),
+ certificate_filename)
+ self.assert_my_credential()
+ my_credential_string = self.my_credential_string()
+ credential_string = registry_proxy.GetCredential(
+ my_credential_string, hrn, type)
+ self.plain_write(output, credential_string)
+ self.logger.debug(
+ "SfaClientBootstrap: Wrote result of GetCredential in {}".format(output))
+ return output
+
+ def slice_credential_produce(self, output, hrn):
+ return self.credential_produce(output, hrn, "slice")
+
+ def authority_credential_produce(self, output, hrn):
+ return self.credential_produce(output, hrn, "authority")
+
+ # retrieve any gid(Resolve) - unconditionnal form
+ # use my GID when available as the SSL cert, otherwise the self-signed
+ def gid_produce(self, output, hrn, type):
+ try:
+ self.assert_my_gid()
+ certificate_filename = self.my_gid_filename()
+ except:
+ self.assert_self_signed_cert()
+ certificate_filename = self.self_signed_cert_filename()
+
+ self.assert_private_key()
+ registry_proxy = SfaServerProxy(self.registry_url, self.private_key_filename(),
+ certificate_filename)
+ credential_string = self.plain_read(self.my_credential())
+ records = registry_proxy.Resolve(hrn, credential_string)
+ records = [record for record in records if record['type'] == type]
+ if not records:
+ raise RecordNotFound("hrn {} ({}) unknown to registry {}".format(
+ hrn, type, self.registry_url))
+ record = records[0]
+ self.plain_write(output, record['gid'])
+ self.logger.debug(
+ "SfaClientBootstrap: Wrote GID for {} ({}) in {}".format(hrn, type, output))
+ return output
+
+
+# http://trac.myslice.info/wiki/MySlice/Developer/SFALogin
+# produce a pkcs12 bundled certificate from GID and private key
+# xxx for now we put a hard-wired password that's just, well, 'password'
+# when leaving this empty on the mac, result can't seem to be loaded in
+# keychain..
+ def my_pkcs12_produce(self, filename):
+ password = raw_input("Enter password for p12 certificate: ")
+ openssl_command = ['openssl', 'pkcs12', "-export"]
+ openssl_command += ["-password", "pass:{}".format(password)]
+ openssl_command += ["-inkey", self.private_key_filename()]
+ openssl_command += ["-in", self.my_gid_filename()]
+ openssl_command += ["-out", filename]
+ if subprocess.call(openssl_command) == 0:
+ print("Successfully created {}".format(filename))
+ else:
+ print("Failed to create {}".format(filename))