sfa/client/sfaclientlib.py

   1 # Thierry Parmentelat -- INRIA
   2 #
   3 # a minimal library for writing "lightweight" SFA clients
   4 #
   5
   6 import os,os.path
   7
   8 import sfa.util.sfalogging
   9
  10 # what we use on GID actually is inherited from Certificate
  11 #from sfa.trust.gid import GID
  12 from sfa.trust.certificate import Keypair, Certificate
  13 # what we need in the Credential class essentially amounts to saving the incoming result
  14 # in a file as the output from the registry already is under xml format
  15 #from sfa.trust.credential import Credential
  16
  17 import sfa.client.sfaprotocol as sfaprotocol
  18
  19 class SfaServerProxy:
  20
  21     def __init__ (self, url, keyfile, certfile, verbose=False, timeout=None):
  22         self.url=url
  23         self.keyfile=keyfile
  24         self.certfile=certfile
  25         self.verbose=verbose
  26         self.timeout=timeout
  27         # an instance of xmlrpclib.ServerProxy
  28         self.serverproxy=sfaprotocol.server_proxy \
  29             (self.url, self.keyfile, self.certfile, self.timeout, self.verbose)
  30
  31     # this is python magic to return the code to run when
  32     # SfaServerProxy receives a method call
  33     # so essentially we send the same method with identical arguments
  34     # to the server_proxy object
  35     def __getattr__(self, name):
  36         def func(*args, **kwds):
  37             return getattr(self.serverproxy, name)(*args, **kwds)
  38         return func
  39
  40 ##########
  41 # a helper class to implement the bootstrapping of crypto. material
  42 # assuming we are starting from scratch on the client side
  43 # what's needed to complete a full slice creation cycle
  44 # (**) prerequisites:
  45 #  (*) a local private key
  46 #  (*) the corresp. public key in the registry
  47 # (**) step1: a self-signed certificate
  48 #      default filename is <hrn>.sscert
  49 # (**) step2: a user credential
  50 #      obtained at the registry with GetSelfCredential
  51 #      using the self-signed certificate as the SSL cert
  52 #      default filename is <hrn>.user.cred
  53 # (**) step3: a registry-provided certificate (i.e. a GID)
  54 #      obtained at the registry using Resolve
  55 #      using the step2 credential as credential
  56 #      default filename is <hrn>.user.gid
  57 ##########
  58 # from that point on, the GID can/should be used as the SSL cert for anything
  59 # a new (slice) credential would be needed for slice operations and can be
  60 # obtained at the registry through GetCredential
  61
  62 # xxx todo should protect against write file permissions
  63 # xxx todo review exceptions
  64 class SfaClientBootstrap:
  65
  66     # xxx todo should account for verbose and timeout that the proxy offers
  67     def __init__ (self, user_hrn, registry_url, dir=None, logger=None):
  68         self.hrn=user_hrn
  69         self.registry_url=registry_url
  70         if dir is None: dir="."
  71         self.dir=dir
  72         if logger is None:
  73             print 'special case for logger'
  74             logger = sfa.util.sfalogging.logger
  75         self.logger=logger
  76
  77     #################### public interface
  78
  79     # xxx should that be called in the constructor ?
  80     # typically user_private_key is ~/.ssh/id_rsa
  81     def init_private_key_if_missing (self, user_private_key):
  82         private_key_filename=self.private_key_filename()
  83         if not os.path.isfile (private_key_filename):
  84             key=self.plain_read(user_private_key)
  85             self.plain_write(private_key_filename, key)
  86             os.chmod(private_key_filename,os.stat(user_private_key).st_mode)
  87             self.logger.debug("SfaClientBootstrap: Copied private key from %s into %s"%\
  88                                   (user_private_key,private_key_filename))
  89
  90     # make sure we have the GID at hand
  91     def bootstrap_gid (self):
  92         if self.any_certificate_filename() is None:
  93             self.get_self_signed_cert()
  94         self.get_credential()
  95         self.get_gid()
  96
  97     def server_proxy (self, url):
  98         return SfaServerProxy (url, self.private_key_filename(), self.gid_filename())
  99
 100     def get_credential_string (self):
 101         return self.plain_read (self.get_credential())
 102
 103     # more to come to get credentials about other objects (authority/slice)
 104
 105     #################### private details
 106     # stupid stuff
 107     def fullpath (self, file): return os.path.join (self.dir,file)
 108     # %s -> self.hrn
 109     def fullpath_format(self,format): return self.fullpath (format%self.hrn)
 110
 111     def private_key_filename (self):
 112         return self.fullpath_format ("%s.pkey")
 113     def self_signed_cert_filename (self):
 114         return self.fullpath_format ("%s.sscert")
 115     def credential_filename (self):
 116         return self.fullpath_format ("%s.user.cred")
 117     def gid_filename (self):
 118         return self.fullpath_format ("%s.user.gid")
 119
 120 # optimizing dependencies
 121 # originally we used classes GID or Credential or Certificate
 122 # like e.g.
 123 #        return Credential(filename=self.get_credential()).save_to_string()
 124 # but in order to make it simpler to other implementations/languages..
 125     def plain_read (self, filename):
 126         infile=file(filename,"r")
 127         result=infile.read()
 128         infile.close()
 129         return result
 130
 131     def plain_write (self, filename, contents):
 132         outfile=file(filename,"w")
 133         result=outfile.write(contents)
 134         outfile.close()
 135
 136     # the private key
 137     def check_private_key (self):
 138         if not os.path.isfile (self.private_key_filename()):
 139             raise Exception,"No such file %s"%self.private_key_filename()
 140         return True
 141
 142     # get any certificate
 143     # rationale  for this method, once we have the gid, it's actually safe
 144     # to remove the .sscert
 145     def any_certificate_filename (self):
 146         attempts=[ self.gid_filename(), self.self_signed_cert_filename() ]
 147         for attempt in attempts:
 148             if os.path.isfile (attempt): return attempt
 149         return None
 150
 151     ### step1
 152     # unconditionnally
 153     def create_self_signed_certificate (self,output):
 154         self.check_private_key()
 155         private_key_filename = self.private_key_filename()
 156         keypair=Keypair(filename=private_key_filename)
 157         self_signed = Certificate (subject = self.hrn)
 158         self_signed.set_pubkey (keypair)
 159         self_signed.set_issuer (keypair, self.hrn)
 160         self_signed.sign ()
 161         self_signed.save_to_file (output)
 162         self.logger.debug("SfaClientBootstrap: Created self-signed certificate for %s in %s"%\
 163                               (self.hrn,output))
 164         return output
 165
 166     def get_self_signed_cert (self):
 167         self_signed_cert_filename = self.self_signed_cert_filename()
 168         if os.path.isfile (self_signed_cert_filename):
 169             return self_signed_cert_filename
 170         return self.create_self_signed_certificate(self_signed_cert_filename)
 171
 172     ### step2
 173     # unconditionnally
 174     def retrieve_credential (self, output):
 175         self.check_private_key()
 176         certificate_filename = self.any_certificate_filename()
 177         certificate_string = self.plain_read (certificate_filename)
 178         registry_proxy = SfaServerProxy (self.registry_url, self.private_key_filename(),
 179                                          certificate_filename)
 180         credential_string=registry_proxy.GetSelfCredential (certificate_string, self.hrn, "user")
 181         self.plain_write (output, credential_string)
 182         self.logger.debug("SfaClientBootstrap: Wrote result of GetSelfCredential in %s"%output)
 183         return output
 184
 185     def get_credential (self):
 186         credential_filename = self.credential_filename ()
 187         if os.path.isfile(credential_filename):
 188             return credential_filename
 189         return self.retrieve_credential (credential_filename)
 190
 191     ### step3
 192     # unconditionnally
 193     def retrieve_gid (self, hrn, type, output):
 194          self.check_private_key()
 195          certificate_filename = self.any_certificate_filename()
 196          registry_proxy = SfaServerProxy (self.registry_url, self.private_key_filename(),
 197                                           certificate_filename)
 198          credential_string=self.plain_read (self.get_credential())
 199          records = registry_proxy.Resolve (hrn, credential_string)
 200          records=[record for record in records if record['type']==type]
 201          if not records:
 202              # RecordNotFound
 203              raise Exception, "hrn %s (%s) unknown to registry %s"%(hrn,type,self.registry_url)
 204          record=records[0]
 205          self.plain_write (output, record['gid'])
 206          self.logger.debug("SfaClientBootstrap: Wrote GID for %s (%s) in %s"% (hrn,type,output))
 207          return output
 208
 209     def get_gid (self):
 210         gid_filename=self.gid_filename()
 211         if os.path.isfile(gid_filename):
 212             return gid_filename
 213         return self.retrieve_gid(self.hrn, "user", gid_filename)
 214