git://git.onelab.eu / sfa.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
sfaclientlib improved
[sfa.git] / sfa / client / sfaclientlib.py
diff --git a/sfa/client/sfaclientlib.py b/sfa/client/sfaclientlib.py
index 2b5cb19..979fbbb 100644 (file)
--- a/sfa/client/sfaclientlib.py
+++ b/sfa/client/sfaclientlib.py
@@ -6,6 +6,9 @@
 import os,os.path
 
 import sfa.util.sfalogging
+# importing sfa.utils.faults does pull a lot of stuff 
+# OTOH it's imported from Certificate anyways, so..
+from sfa.util.faults import RecordNotFound
 
 from sfa.client.sfaserverproxy import SfaServerProxy
 
@@ -29,30 +32,180 @@ from sfa.trust.certificate import Keypair, Certificate
 #      obtained at the registry using Resolve
 #      using the step2 credential as credential
 #      default filename is <hrn>.user.gid
-##########
-# from that point on, the GID can/should be used as the SSL cert for anything
-# a new (slice) credential would be needed for slice operations and can be 
-# obtained at the registry through GetCredential
+#
+# From that point on, the GID is used as the SSL certificate
+# and the following can be done
+#
+# (**) retrieve a slice (or authority) credential 
+#      obtained at the registry with GetCredential
+#      using the (step2) user-credential as credential
+#      default filename is <hrn>.<type>.cred
+# (**) retrieve a slice (or authority) GID 
+#      obtained at the registry with Resolve
+#      using the (step2) user-credential as credential
+#      default filename is <hrn>.<type>.cred
+
+
+########## Implementation notes
+#
+# (*) decorators
+#
+# this implementation is designed as a guideline for 
+# porting to other languages
+#
+# the decision to go for decorators aims at focusing 
+# on the core of what needs to be done when everything
+# works fine, and to take caching and error management 
+# out of the way
+# 
+# for non-pythonic developers, it should be enough to 
+# implement the bulk of this code, namely the _produce methods
+# and to add caching and error management by whichever means 
+# is available, including inline 
+#
+# (*) self-signed certificates
+# 
+# still with other languages in mind, we've tried to keep the
+# dependencies to the rest of the code as low as possible
+# 
+# however this still relies on the sfa.trust.certificate module
+# for the initial generation of a self-signed-certificate that
+# is associated to the user's ssh-key
+# (for user-friendliness, and for smooth operations with planetlab, 
+# the usage model is to reuse an existing keypair)
+# 
+# there might be a more portable, i.e. less language-dependant way, to
+# implement this step by exec'ing the openssl command a known
+# successful attempt at this approach that worked for Java is
+# documented below
+# http://nam.ece.upatras.gr/fstoolkit/trac/wiki/JavaSFAClient
+#
+####################
+
+class SfaClientException (Exception): pass
 
-# xxx todo should protect against write file permissions
-# xxx todo review exceptions
 class SfaClientBootstrap:
 
-    # xxx todo should account for verbose and timeout that the proxy offers
-    def __init__ (self, user_hrn, registry_url, dir=None, logger=None):
+    # dir is mandatory but defaults to '.'
+    def __init__ (self, user_hrn, registry_url, dir=None, 
+                  verbose=False, timeout=None, logger=None):
         self.hrn=user_hrn
         self.registry_url=registry_url
         if dir is None: dir="."
         self.dir=dir
+        self.verbose=verbose
+        self.timeout=timeout
+        # default for the logger is to use the global sfa logger
         if logger is None: 
-            print 'special case for logger'
             logger = sfa.util.sfalogging.logger
         self.logger=logger
 
+    ######################################## *_produce methods
+    ### step1
+    # unconditionnally create a self-signed certificate
+    def self_signed_cert_produce (self,output):
+        self.assert_private_key()
+        private_key_filename = self.private_key_filename()
+        keypair=Keypair(filename=private_key_filename)
+        self_signed = Certificate (subject = self.hrn)
+        self_signed.set_pubkey (keypair)
+        self_signed.set_issuer (keypair, self.hrn)
+        self_signed.sign ()
+        self_signed.save_to_file (output)
+        self.logger.debug("SfaClientBootstrap: Created self-signed certificate for %s in %s"%\
+                              (self.hrn,output))
+        return output
+
+    ### step2 
+    # unconditionnally retrieve my credential (GetSelfCredential)
+    # we always use the self-signed-cert as the SSL cert
+    def my_credential_produce (self, output):
+        self.assert_self_signed_cert()
+        certificate_filename = self.self_signed_cert_filename()
+        certificate_string = self.plain_read (certificate_filename)
+        self.assert_private_key()
+        registry_proxy = SfaServerProxy (self.registry_url, self.private_key_filename(),
+                                         certificate_filename)
+        credential_string=registry_proxy.GetSelfCredential (certificate_string, self.hrn, "user")
+        self.plain_write (output, credential_string)
+        self.logger.debug("SfaClientBootstrap: Wrote result of GetSelfCredential in %s"%output)
+        return output
+
+    ### step3
+    # unconditionnally retrieve my GID - use the general form 
+    def my_gid_produce (self,output):
+        return self.gid_produce (output, self.hrn, "user")
+
+    ### retrieve any credential (GetCredential) unconditionnal form
+    # we always use the GID as the SSL cert
+    def credential_produce (self, output, hrn, type):
+        self.assert_my_gid()
+        certificate_filename = self.my_gid_filename()
+        self.assert_private_key()
+        registry_proxy = SfaServerProxy (self.registry_url, self.private_key_filename(),
+                                         certificate_filename)
+        self.assert_my_credential()
+        my_credential_string = self.my_credential_string()
+        credential_string=registry_proxy.GetCredential (my_credential_string, hrn, type)
+        self.plain_write (output, credential_string)
+        self.logger.debug("SfaClientBootstrap: Wrote result of GetCredential in %s"%output)
+        return output
+
+    def slice_credential_produce (self, output, hrn):
+        return self.credential_produce (output, hrn, "slice")
+
+    def authority_credential_produce (self, output, hrn):
+        return self.credential_produce (output, hrn, "authority")
+
+    ### retrieve any gid (Resolve) - unconditionnal form
+    # use my GID when available as the SSL cert, otherwise the self-signed
+    def gid_produce (self, output, hrn, type ):
+        try:
+            self.assert_my_gid()
+            certificate_filename = self.my_gid_filename()
+        except:
+            self.assert_self_signed_cert()
+            certificate_filename = self.self_signed_cert_filename()
+            
+        self.assert_private_key()
+        registry_proxy = SfaServerProxy (self.registry_url, self.private_key_filename(),
+                                         certificate_filename)
+        credential_string=self.plain_read (self.my_credential())
+        records = registry_proxy.Resolve (hrn, credential_string)
+        records=[record for record in records if record['type']==type]
+        if not records:
+            raise RecordNotFound, "hrn %s (%s) unknown to registry %s"%(hrn,type,self.registry_url)
+        record=records[0]
+        self.plain_write (output, record['gid'])
+        self.logger.debug("SfaClientBootstrap: Wrote GID for %s (%s) in %s"% (hrn,type,output))
+        return output
+
     #################### public interface
+    
+    # return my_gid, run all missing steps in the bootstrap sequence
+    def bootstrap_my_gid (self):
+        self.self_signed_cert()
+        self.my_credential()
+        return self.my_gid()
+
+    # once we've bootstrapped we can use this object to issue any other SFA call
+    # always use my gid
+    def server_proxy (self, url):
+        self.assert_my_gid()
+        return SfaServerProxy (url, self.private_key_filename(), self.my_gid_filename(),
+                               verbose=self.verbose, timeout=self.timeout)
+
+    # now in some cases the self-signed is enough
+    def server_proxy_simple (self, url):
+        self.assert_self_signed_cert()
+        return SfaServerProxy (url, self.private_key_filename(), self.self_signed_cert_filename(),
+                               verbose=self.verbose, timeout=self.timeout)
 
-    # xxx should that be called in the constructor ?
-    # typically user_private_key is ~/.ssh/id_rsa
+    # this method can optionnally be invoked to ensure proper
+    # installation of the private key that belongs to this user
+    # installs private_key in working dir with expected name -- preserve mode
+    # typically user_private_key would be ~/.ssh/id_rsa
+    # xxx should probably check the 2 files are identical
     def init_private_key_if_missing (self, user_private_key):
         private_key_filename=self.private_key_filename()
         if not os.path.isfile (private_key_filename):
@@ -62,40 +215,33 @@ class SfaClientBootstrap:
             self.logger.debug("SfaClientBootstrap: Copied private key from %s into %s"%\
                                   (user_private_key,private_key_filename))
         
-    # make sure we have the GID at hand
-    def bootstrap_gid (self):
-        if self.any_certificate_filename() is None:
-            self.get_self_signed_cert()
-        self.get_credential()
-        self.get_gid()
-
-    def server_proxy (self, url):
-        return SfaServerProxy (url, self.private_key_filename(), self.gid_filename())
-
-    def get_credential_string (self):
-        return self.plain_read (self.get_credential())
-
-    # more to come to get credentials about other objects (authority/slice)
-
     #################### private details
     # stupid stuff
     def fullpath (self, file): return os.path.join (self.dir,file)
-    # %s -> self.hrn
-    def fullpath_format(self,format): return self.fullpath (format%self.hrn)
 
+    # the expected filenames for the various pieces
     def private_key_filename (self): 
-        return self.fullpath_format ("%s.pkey")
+        return self.fullpath ("%s.pkey"%self.hrn)
     def self_signed_cert_filename (self): 
-        return self.fullpath_format ("%s.sscert")
-    def credential_filename (self): 
-        return self.fullpath_format ("%s.user.cred")
-    def gid_filename (self): 
-        return self.fullpath_format ("%s.user.gid")
+        return self.fullpath ("%s.sscert"%self.hrn)
+    def my_credential_filename (self):
+        return self.credential_filename (self.hrn, "user")
+    def credential_filename (self, hrn, type): 
+        return self.fullpath ("%s.%s.cred"%(hrn,type))
+    def slice_credential_filename (self, hrn): 
+        return self.credential_filename(hrn,'slice')
+    def authority_credential_filename (self, hrn): 
+        return self.credential_filename(hrn,'authority')
+    def my_gid_filename (self):
+        return self.gid_filename ("user", self.hrn)
+    def gid_filename (self, hrn, type): 
+        return self.fullpath ("%s.%s.gid"%(hrn,type))
+    
 
 # optimizing dependencies
 # originally we used classes GID or Credential or Certificate 
 # like e.g. 
-#        return Credential(filename=self.get_credential()).save_to_string()
+#        return Credential(filename=self.my_credential()).save_to_string()
 # but in order to make it simpler to other implementations/languages..
     def plain_read (self, filename):
         infile=file(filename,"r")
@@ -108,82 +254,65 @@ class SfaClientBootstrap:
         result=outfile.write(contents)
         outfile.close()
 
-    # the private key
-    def check_private_key (self):
-        if not os.path.isfile (self.private_key_filename()):
-            raise Exception,"No such file %s"%self.private_key_filename()
+    def assert_filename (self, filename, kind):
+        if not os.path.isfile (filename):
+            raise IOError,"Missing %s file %s"%(kind,filename)
         return True
+        
+    def assert_private_key (self): return self.assert_filename (self.private_key_filename(),"private key")
+    def assert_self_signed_cert (self): return self.assert_filename (self.self_signed_cert_filename(),"self-signed certificate")
+    def assert_my_credential (self): return self.assert_filename (self.my_credential_filename(),"user's credential")
+    def assert_my_gid (self): return self.assert_filename (self.my_gid_filename(),"user's GID")
 
-    # get any certificate
-    # rationale  for this method, once we have the gid, it's actually safe
-    # to remove the .sscert
-    def any_certificate_filename (self):
-        attempts=[ self.gid_filename(), self.self_signed_cert_filename() ]
-        for attempt in attempts:
-            if os.path.isfile (attempt): return attempt
-        return None
 
-    ### step1
-    # unconditionnally
-    def create_self_signed_certificate (self,output):
-        self.check_private_key()
-        private_key_filename = self.private_key_filename()
-        keypair=Keypair(filename=private_key_filename)
-        self_signed = Certificate (subject = self.hrn)
-        self_signed.set_pubkey (keypair)
-        self_signed.set_issuer (keypair, self.hrn)
-        self_signed.sign ()
-        self_signed.save_to_file (output)
-        self.logger.debug("SfaClientBootstrap: Created self-signed certificate for %s in %s"%\
-                              (self.hrn,output))
-        return output
+    # decorator to make up the other methods
+    def get_or_produce (filename_method, produce_method):
+        def wrap (f):
+            def wrapped (self, *args, **kw):
+                filename=filename_method (self, *args, **kw)
+                if os.path.isfile ( filename ): return filename
+                try:
+                    produce_method (self, filename, *args, **kw)
+                    return filename
+                except IOError:
+                    raise 
+                except:
+                    import traceback
+                    traceback.print_exc()
+                    raise Exception, "Could not produce/retrieve %s"%filename
+            wrapped.__name__=f.__name__
+            return wrapped
+        return wrap
 
-    def get_self_signed_cert (self):
-        self_signed_cert_filename = self.self_signed_cert_filename()
-        if os.path.isfile (self_signed_cert_filename):
-            return self_signed_cert_filename
-        return self.create_self_signed_certificate(self_signed_cert_filename)
-        
-    ### step2 
-    # unconditionnally
-    def retrieve_credential (self, output):
-        self.check_private_key()
-        certificate_filename = self.any_certificate_filename()
-        certificate_string = self.plain_read (certificate_filename)
-        registry_proxy = SfaServerProxy (self.registry_url, self.private_key_filename(),
-                                         certificate_filename)
-        credential_string=registry_proxy.GetSelfCredential (certificate_string, self.hrn, "user")
-        self.plain_write (output, credential_string)
-        self.logger.debug("SfaClientBootstrap: Wrote result of GetSelfCredential in %s"%output)
-        return output
+    @get_or_produce (self_signed_cert_filename, self_signed_cert_produce)
+    def self_signed_cert (self): pass
 
-    def get_credential (self):
-        credential_filename = self.credential_filename ()
-        if os.path.isfile(credential_filename): 
-            return credential_filename
-        return self.retrieve_credential (credential_filename)
+    @get_or_produce (my_credential_filename, my_credential_produce)
+    def my_credential (self): pass
+
+    @get_or_produce (my_gid_filename, my_gid_produce)
+    def my_gid (self): pass
+
+    @get_or_produce (credential_filename, credential_produce)
+    def credential (self, hrn, type): pass
+
+    @get_or_produce (slice_credential_filename, slice_credential_produce)
+    def slice_credential (self, hrn): pass
+
+    @get_or_produce (authority_credential_filename, authority_credential_produce)
+    def authority_credential (self, hrn): pass
+
+    @get_or_produce (gid_filename, gid_produce)
+    def gid (self, hrn, type ): pass
 
-    ### step3
-    # unconditionnally
-    def retrieve_gid (self, hrn, type, output):
-         self.check_private_key()
-         certificate_filename = self.any_certificate_filename()
-         registry_proxy = SfaServerProxy (self.registry_url, self.private_key_filename(),
-                                          certificate_filename)
-         credential_string=self.plain_read (self.get_credential())
-         records = registry_proxy.Resolve (hrn, credential_string)
-         records=[record for record in records if record['type']==type]
-         if not records:
-             # RecordNotFound
-             raise Exception, "hrn %s (%s) unknown to registry %s"%(hrn,type,self.registry_url)
-         record=records[0]
-         self.plain_write (output, record['gid'])
-         self.logger.debug("SfaClientBootstrap: Wrote GID for %s (%s) in %s"% (hrn,type,output))
-         return output
-
-    def get_gid (self):
-        gid_filename=self.gid_filename()
-        if os.path.isfile(gid_filename): 
-            return gid_filename
-        return self.retrieve_gid(self.hrn, "user", gid_filename)
 
+    # get the credentials as strings, for inserting as API arguments
+    def my_credential_string (self): 
+        self.my_credential()
+        return self.plain_read(self.my_credential_filename())
+    def slice_credential_string (self, hrn): 
+        self.slice_credential(hrn)
+        return self.plain_read(self.slice_credential_filename(hrn))
+    def authority_credential_string (self, hrn): 
+        self.authority_credential(hrn)
+        return self.plain_read(self.authority_credential_filename(hrn))
sfa