+ # Establishes limiting conventions
+ # - conflates MAs and SAs
+ # - assumes last token in slice name is unique
+ #
+ # Bootstraps credentials
+ # - bootstrap user credential from self-signed certificate
+ # - bootstrap authority credential from user credential
+ # - bootstrap slice credential from user credential
+ #
+
+ # init self-signed cert, user credentials and gid
+ def bootstrap (self):
+ bootstrap = SfaClientBootstrap (self.user, self.reg_url, self.options.sfi_dir)
+ # if -k is provided, use this to initialize private key
+ if self.options.user_private_key:
+ bootstrap.init_private_key_if_missing (self.options.user_private_key)
+ else:
+ # trigger legacy compat code if needed
+ # the name has changed from just <leaf>.pkey to <hrn>.pkey
+ if not os.path.isfile(bootstrap.private_key_filename()):
+ self.logger.info ("private key not found, trying legacy name")
+ try:
+ legacy_private_key = os.path.join (self.options.sfi_dir, "%s.pkey"%get_leaf(self.user))
+ self.logger.debug("legacy_private_key=%s"%legacy_private_key)
+ bootstrap.init_private_key_if_missing (legacy_private_key)
+ self.logger.info("Copied private key from legacy location %s"%legacy_private_key)
+ except:
+ self.logger.log_exc("Can't find private key ")
+ sys.exit(1)
+
+ # make it bootstrap
+ bootstrap.bootstrap_my_gid()
+ # extract what's needed
+ self.private_key = bootstrap.private_key()
+ self.my_credential_string = bootstrap.my_credential_string ()
+ self.my_gid = bootstrap.my_gid ()
+ self.bootstrap = bootstrap
+
+
+ def my_authority_credential_string(self):
+ if not self.authority:
+ self.logger.critical("no authority specified. Use -a or set SF_AUTH")
+ sys.exit(-1)
+ return self.bootstrap.authority_credential_string (self.authority)
+
+ def slice_credential_string(self, name):
+ return self.bootstrap.slice_credential_string (name)
+
+ # xxx should be supported by sfaclientbootstrap as well
+ def delegate_cred(self, object_cred, hrn, type='authority'):
+ # the gid and hrn of the object we are delegating
+ if isinstance(object_cred, str):
+ object_cred = Credential(string=object_cred)
+ object_gid = object_cred.get_gid_object()
+ object_hrn = object_gid.get_hrn()
+
+ if not object_cred.get_privileges().get_all_delegate():
+ self.logger.error("Object credential %s does not have delegate bit set"%object_hrn)
+ return
+
+ # the delegating user's gid
+ caller_gidfile = self.my_gid()
+
+ # the gid of the user who will be delegated to
+ delegee_gid = self.bootstrap.gid(hrn,type)
+ delegee_hrn = delegee_gid.get_hrn()
+ dcred = object_cred.delegate(delegee_gid, self.private_key, caller_gidfile)
+ return dcred.save_to_string(save_parents=True)
+
+ #
+ # Management of the servers
+ #
+
+ def registry (self):
+ # cache the result
+ if not hasattr (self, 'registry_proxy'):
+ self.logger.info("Contacting Registry at: %s"%self.reg_url)
+ self.registry_proxy = SfaServerProxy(self.reg_url, self.private_key, self.my_gid,
+ timeout=self.options.timeout, verbose=self.options.debug)
+ return self.registry_proxy
+
+ def sliceapi (self):
+ # cache the result
+ if not hasattr (self, 'sliceapi_proxy'):
+ # if the command exposes the --component option, figure it's hostname and connect at CM_PORT
+ if hasattr(self.command_options,'component') and self.command_options.component:
+ # resolve the hrn at the registry
+ node_hrn = self.command_options.component
+ records = self.registry().Resolve(node_hrn, self.my_credential_string)
+ records = filter_records('node', records)
+ if not records:
+ self.logger.warning("No such component:%r"% opts.component)
+ record = records[0]
+ cm_url = "http://%s:%d/"%(record['hostname'],CM_PORT)
+ self.sliceapi_proxy=SfaServerProxy(cm_url, self.private_key, self.my_gid)
+ else:
+ # otherwise use what was provided as --sliceapi, or SFI_SM in the config
+ if not self.sm_url.startswith('http://') or self.sm_url.startswith('https://'):
+ self.sm_url = 'http://' + self.sm_url
+ self.logger.info("Contacting Slice Manager at: %s"%self.sm_url)
+ self.sliceapi_proxy = SfaServerProxy(self.sm_url, self.private_key, self.my_gid,
+ timeout=self.options.timeout, verbose=self.options.debug)
+ return self.sliceapi_proxy