X-Git-Url: http://git.onelab.eu/?a=blobdiff_plain;f=sfa%2Fclient%2Fsfaclientlib.py;h=dce22014d1d4bc13970260aa04688ea8fbff0192;hb=1cc8e9613cab8b5b22478de369f259e591c54e6d;hp=1253267edd31e1f97ca9a69ddfbbb7b7adafa406;hpb=386763dca287c6a8c2a467e1a2484cf6a44785fa;p=sfa.git diff --git a/sfa/client/sfaclientlib.py b/sfa/client/sfaclientlib.py index 1253267e..dce22014 100644 --- a/sfa/client/sfaclientlib.py +++ b/sfa/client/sfaclientlib.py @@ -3,7 +3,14 @@ # a minimal library for writing "lightweight" SFA clients # +# xxx todo +# this library should probably check for the expiration date of the various +# certificates and automatically retrieve fresh ones when expired + +import sys import os,os.path +from datetime import datetime +from sfa.util.xrn import Xrn import sfa.util.sfalogging # importing sfa.utils.faults does pull a lot of stuff @@ -14,7 +21,8 @@ from sfa.client.sfaserverproxy import SfaServerProxy # see optimizing dependencies below from sfa.trust.certificate import Keypair, Certificate - +from sfa.trust.credential import Credential +from sfa.trust.gid import GID ########## # a helper class to implement the bootstrapping of crypto. material # assuming we are starting from scratch on the client side @@ -75,9 +83,9 @@ from sfa.trust.certificate import Keypair, Certificate # the usage model is to reuse an existing keypair) # # there might be a more portable, i.e. less language-dependant way, to -# implement this step by exec'ing the openssl command a known -# successful attempt at this approach that worked for Java is -# documented below +# implement this step by exec'ing the openssl command. +# a known successful attempt at this approach that worked +# for Java is documented below # http://nam.ece.upatras.gr/fstoolkit/trac/wiki/JavaSFAClient # #################### @@ -126,7 +134,12 @@ class SfaClientBootstrap: self.assert_private_key() registry_proxy = SfaServerProxy (self.registry_url, self.private_key_filename(), certificate_filename) - credential_string=registry_proxy.GetSelfCredential (certificate_string, self.hrn, "user") + try: + credential_string=registry_proxy.GetSelfCredential (certificate_string, self.hrn, "user") + except: + # some urns hrns may replace non hierarchy delimiters '.' with an '_' instead of escaping the '.' + hrn = Xrn(self.hrn).get_hrn().replace('\.', '_') + credential_string=registry_proxy.GetSelfCredential (certificate_string, hrn, "user") self.plain_write (output, credential_string) self.logger.debug("SfaClientBootstrap: Wrote result of GetSelfCredential in %s"%output) return output @@ -180,6 +193,17 @@ class SfaClientBootstrap: self.logger.debug("SfaClientBootstrap: Wrote GID for %s (%s) in %s"% (hrn,type,output)) return output + + # Returns True if credential file is valid. Otherwise return false. + def validate_credential(self, filename): + valid = True + cred = Credential(filename=filename) + # check if credential is expires + if cred.get_expiration() < datetime.now(): + valid = False + return valid + + #################### public interface # return my_gid, run all missing steps in the bootstrap sequence @@ -221,7 +245,7 @@ class SfaClientBootstrap: # the expected filenames for the various pieces def private_key_filename (self): - return self.fullpath ("%s.pkey"%self.hrn) + return self.fullpath ("%s.pkey" % Xrn.unescape(self.hrn)) def self_signed_cert_filename (self): return self.fullpath ("%s.sscert"%self.hrn) def my_credential_filename (self): @@ -233,7 +257,7 @@ class SfaClientBootstrap: def authority_credential_filename (self, hrn): return self.credential_filename(hrn,'authority') def my_gid_filename (self): - return self.gid_filename ("user", self.hrn) + return self.gid_filename (self.hrn, "user") def gid_filename (self, hrn, type): return self.fullpath ("%s.%s.gid"%(hrn,type)) @@ -266,38 +290,50 @@ class SfaClientBootstrap: # decorator to make up the other methods - def get_or_produce (filename_method, produce_method): + def get_or_produce (filename_method, produce_method, validate_method=None): + # default validator returns true def wrap (f): def wrapped (self, *args, **kw): filename=filename_method (self, *args, **kw) - if os.path.isfile ( filename ): return filename + if os.path.isfile ( filename ): + if not validate_method: + return filename + elif validate_method(self, filename): + return filename + else: + # remove invalid file + self.logger.warning ("Removing %s - has expired"%filename) + os.unlink(filename) try: produce_method (self, filename, *args, **kw) return filename except IOError: raise - except: - self.logger.log_exc("Could not produce/retrieve %s"%filename) - raise Exception, "Could not produce/retrieve %s"%filename + except : + error = sys.exc_info()[:2] + message="Could not produce/retrieve %s (%s -- %s)"%\ + (filename,error[0],error[1]) + self.logger.log_exc(message) + raise Exception, message return wrapped return wrap @get_or_produce (self_signed_cert_filename, self_signed_cert_produce) def self_signed_cert (self): pass - @get_or_produce (my_credential_filename, my_credential_produce) + @get_or_produce (my_credential_filename, my_credential_produce, validate_credential) def my_credential (self): pass @get_or_produce (my_gid_filename, my_gid_produce) def my_gid (self): pass - @get_or_produce (credential_filename, credential_produce) + @get_or_produce (credential_filename, credential_produce, validate_credential) def credential (self, hrn, type): pass - @get_or_produce (slice_credential_filename, slice_credential_produce) + @get_or_produce (slice_credential_filename, slice_credential_produce, validate_credential) def slice_credential (self, hrn): pass - @get_or_produce (authority_credential_filename, authority_credential_produce) + @get_or_produce (authority_credential_filename, authority_credential_produce, validate_credential) def authority_credential (self, hrn): pass @get_or_produce (gid_filename, gid_produce) @@ -319,3 +355,38 @@ class SfaClientBootstrap: def private_key (self): self.assert_private_key() return self.private_key_filename() + + def delegate_credential_string (self, original_credential, to_hrn, to_type='authority'): + """ + sign a delegation credential to someone else + + original_credential : typically one's user- or slice- credential to be delegated to s/b else + to_hrn : the hrn of the person that will be allowed to do stuff on our behalf + to_type : goes with to_hrn, usually 'user' or 'authority' + + returns a string with the delegated credential + + this internally uses self.my_gid() + it also retrieves the gid for to_hrn/to_type + and uses Credential.delegate()""" + + # the gid and hrn of the object we are delegating + if isinstance (original_credential, str): + original_credential = Credential (string=original_credential) + original_gid = original_credential.get_gid_object() + original_hrn = original_gid.get_hrn() + + if not original_credential.get_privileges().get_all_delegate(): + self.logger.error("delegate_credential_string: original credential %s does not have delegate bit set"%original_hrn) + return + + # the delegating user's gid + my_gid = self.my_gid() + + # retrieve the GID for the entity that we're delegating to + to_gidfile = self.gid (to_hrn,to_type) +# to_gid = GID ( to_gidfile ) +# to_hrn = delegee_gid.get_hrn() +# print 'to_hrn',to_hrn + delegated_credential = original_credential.delegate(to_gidfile, self.private_key(), my_gid) + return delegated_credential.save_to_string(save_parents=True)