X-Git-Url: http://git.onelab.eu/?a=blobdiff_plain;f=sfa%2Fclient%2Fsfaclientlib.py;h=dce22014d1d4bc13970260aa04688ea8fbff0192;hb=1cc8e9613cab8b5b22478de369f259e591c54e6d;hp=f4b9a7e55d2cad21ffd26498e62e895b89b01796;hpb=78467ecd9b02ec60d9572178995ed347fc917f59;p=sfa.git

diff --git a/sfa/client/sfaclientlib.py b/sfa/client/sfaclientlib.py
index f4b9a7e5..dce22014 100644
--- a/sfa/client/sfaclientlib.py
+++ b/sfa/client/sfaclientlib.py
@@ -9,6 +9,8 @@
 
 import sys
 import os,os.path
+from datetime import datetime
+from sfa.util.xrn import Xrn
 
 import sfa.util.sfalogging
 # importing sfa.utils.faults does pull a lot of stuff 
@@ -19,7 +21,8 @@ from sfa.client.sfaserverproxy import SfaServerProxy
 
 # see optimizing dependencies below
 from sfa.trust.certificate import Keypair, Certificate
-
+from sfa.trust.credential import Credential
+from sfa.trust.gid import GID
 ########## 
 # a helper class to implement the bootstrapping of crypto. material
 # assuming we are starting from scratch on the client side 
@@ -80,9 +83,9 @@ from sfa.trust.certificate import Keypair, Certificate
 # the usage model is to reuse an existing keypair)
 # 
 # there might be a more portable, i.e. less language-dependant way, to
-# implement this step by exec'ing the openssl command a known
-# successful attempt at this approach that worked for Java is
-# documented below
+# implement this step by exec'ing the openssl command.
+# a known successful attempt at this approach that worked 
+# for Java is documented below
 # http://nam.ece.upatras.gr/fstoolkit/trac/wiki/JavaSFAClient
 #
 ####################
@@ -131,7 +134,12 @@ class SfaClientBootstrap:
         self.assert_private_key()
         registry_proxy = SfaServerProxy (self.registry_url, self.private_key_filename(),
                                          certificate_filename)
-        credential_string=registry_proxy.GetSelfCredential (certificate_string, self.hrn, "user")
+        try:
+            credential_string=registry_proxy.GetSelfCredential (certificate_string, self.hrn, "user")
+        except:
+            # some urns hrns may replace non hierarchy delimiters '.' with an '_' instead of escaping the '.'
+            hrn = Xrn(self.hrn).get_hrn().replace('\.', '_') 
+            credential_string=registry_proxy.GetSelfCredential (certificate_string, hrn, "user")
         self.plain_write (output, credential_string)
         self.logger.debug("SfaClientBootstrap: Wrote result of GetSelfCredential in %s"%output)
         return output
@@ -185,6 +193,17 @@ class SfaClientBootstrap:
         self.logger.debug("SfaClientBootstrap: Wrote GID for %s (%s) in %s"% (hrn,type,output))
         return output
 
+
+    # Returns True if credential file is valid. Otherwise return false.
+    def validate_credential(self, filename):
+        valid = True
+        cred = Credential(filename=filename)
+        # check if credential is expires
+        if cred.get_expiration() < datetime.now():
+            valid = False
+        return valid
+    
+
     #################### public interface
     
     # return my_gid, run all missing steps in the bootstrap sequence
@@ -226,7 +245,7 @@ class SfaClientBootstrap:
 
     # the expected filenames for the various pieces
     def private_key_filename (self): 
-        return self.fullpath ("%s.pkey"%self.hrn)
+        return self.fullpath ("%s.pkey" % Xrn.unescape(self.hrn))
     def self_signed_cert_filename (self): 
         return self.fullpath ("%s.sscert"%self.hrn)
     def my_credential_filename (self):
@@ -271,11 +290,20 @@ class SfaClientBootstrap:
 
 
     # decorator to make up the other methods
-    def get_or_produce (filename_method, produce_method):
+    def get_or_produce (filename_method, produce_method, validate_method=None):
+        # default validator returns true
         def wrap (f):
             def wrapped (self, *args, **kw):
                 filename=filename_method (self, *args, **kw)
-                if os.path.isfile ( filename ): return filename
+                if os.path.isfile ( filename ):
+                    if not validate_method:
+                        return filename
+                    elif validate_method(self, filename): 
+                        return filename
+                    else:
+                        # remove invalid file
+                        self.logger.warning ("Removing %s - has expired"%filename)
+                        os.unlink(filename) 
                 try:
                     produce_method (self, filename, *args, **kw)
                     return filename
@@ -293,19 +321,19 @@ class SfaClientBootstrap:
     @get_or_produce (self_signed_cert_filename, self_signed_cert_produce)
     def self_signed_cert (self): pass
 
-    @get_or_produce (my_credential_filename, my_credential_produce)
+    @get_or_produce (my_credential_filename, my_credential_produce, validate_credential)
     def my_credential (self): pass
 
     @get_or_produce (my_gid_filename, my_gid_produce)
     def my_gid (self): pass
 
-    @get_or_produce (credential_filename, credential_produce)
+    @get_or_produce (credential_filename, credential_produce, validate_credential)
     def credential (self, hrn, type): pass
 
-    @get_or_produce (slice_credential_filename, slice_credential_produce)
+    @get_or_produce (slice_credential_filename, slice_credential_produce, validate_credential)
     def slice_credential (self, hrn): pass
 
-    @get_or_produce (authority_credential_filename, authority_credential_produce)
+    @get_or_produce (authority_credential_filename, authority_credential_produce, validate_credential)
     def authority_credential (self, hrn): pass
 
     @get_or_produce (gid_filename, gid_produce)
@@ -327,3 +355,38 @@ class SfaClientBootstrap:
     def private_key (self):
         self.assert_private_key()
         return self.private_key_filename()
+
+    def delegate_credential_string (self, original_credential, to_hrn, to_type='authority'):
+        """
+        sign a delegation credential to someone else
+
+        original_credential : typically one's user- or slice- credential to be delegated to s/b else
+        to_hrn : the hrn of the person that will be allowed to do stuff on our behalf
+        to_type : goes with to_hrn, usually 'user' or 'authority'
+
+        returns a string with the delegated credential
+
+        this internally uses self.my_gid()
+        it also retrieves the gid for to_hrn/to_type
+        and uses Credential.delegate()"""
+
+        # the gid and hrn of the object we are delegating
+        if isinstance (original_credential, str):
+            original_credential = Credential (string=original_credential)
+        original_gid = original_credential.get_gid_object()
+        original_hrn = original_gid.get_hrn()
+
+        if not original_credential.get_privileges().get_all_delegate():
+            self.logger.error("delegate_credential_string: original credential %s does not have delegate bit set"%original_hrn)
+            return
+
+        # the delegating user's gid
+        my_gid = self.my_gid()
+
+        # retrieve the GID for the entity that we're delegating to
+        to_gidfile = self.gid (to_hrn,to_type)
+#        to_gid = GID ( to_gidfile )
+#        to_hrn = delegee_gid.get_hrn()
+#        print 'to_hrn',to_hrn
+        delegated_credential = original_credential.delegate(to_gidfile, self.private_key(), my_gid)
+        return delegated_credential.save_to_string(save_parents=True)