sfaclientlib improved

can get credentials and gids for other hrns and types
make clientlibsync can extract the minimal client env for tests

diff --git a/Makefile b/Makefile
index ef3e497..47dbacc 100644 (file)
--- a/Makefile
+++ b/Makefile
@@ -165,3 +165,13 @@ clientsync:
 .PHONY: sync fastsync clientsync
 
 ##########
+CLIENTLIBFILES= \
+sfa/examples/miniclient.py \
+sfa/__init__.py \
+sfa/client/{sfaserverproxy,sfaclientlib,__init__}.py \
+sfa/trust/{certificate,__init__}.py \
+sfa/util/{sfalogging,faults,genicode,enumeration,__init__}.py 
+
+clientlibsync: 
+       @[ -d "$(CLIENTLIBTARGET)" ] || { echo "You need to set the make variable CLIENTLIBTARGET"; exit 1; }
+       rsync -av --relative $(CLIENTLIBFILES) $(CLIENTLIBTARGET)

diff --git a/sfa/client/sfaclientlib.py b/sfa/client/sfaclientlib.py
index 2b5cb19..979fbbb 100644 (file)
--- a/sfa/client/sfaclientlib.py
+++ b/sfa/client/sfaclientlib.py
@@ -6,6 +6,9 @@
 import os,os.path
 
 import sfa.util.sfalogging
+# importing sfa.utils.faults does pull a lot of stuff 
+# OTOH it's imported from Certificate anyways, so..
+from sfa.util.faults import RecordNotFound
 
 from sfa.client.sfaserverproxy import SfaServerProxy
 
@@ -29,30 +32,180 @@ from sfa.trust.certificate import Keypair, Certificate
 #      obtained at the registry using Resolve
 #      using the step2 credential as credential
 #      default filename is <hrn>.user.gid
-##########
-# from that point on, the GID can/should be used as the SSL cert for anything
-# a new (slice) credential would be needed for slice operations and can be 
-# obtained at the registry through GetCredential
+#
+# From that point on, the GID is used as the SSL certificate
+# and the following can be done
+#
+# (**) retrieve a slice (or authority) credential 
+#      obtained at the registry with GetCredential
+#      using the (step2) user-credential as credential
+#      default filename is <hrn>.<type>.cred
+# (**) retrieve a slice (or authority) GID 
+#      obtained at the registry with Resolve
+#      using the (step2) user-credential as credential
+#      default filename is <hrn>.<type>.cred
+
+
+########## Implementation notes
+#
+# (*) decorators
+#
+# this implementation is designed as a guideline for 
+# porting to other languages
+#
+# the decision to go for decorators aims at focusing 
+# on the core of what needs to be done when everything
+# works fine, and to take caching and error management 
+# out of the way
+# 
+# for non-pythonic developers, it should be enough to 
+# implement the bulk of this code, namely the _produce methods
+# and to add caching and error management by whichever means 
+# is available, including inline 
+#
+# (*) self-signed certificates
+# 
+# still with other languages in mind, we've tried to keep the
+# dependencies to the rest of the code as low as possible
+# 
+# however this still relies on the sfa.trust.certificate module
+# for the initial generation of a self-signed-certificate that
+# is associated to the user's ssh-key
+# (for user-friendliness, and for smooth operations with planetlab, 
+# the usage model is to reuse an existing keypair)
+# 
+# there might be a more portable, i.e. less language-dependant way, to
+# implement this step by exec'ing the openssl command a known
+# successful attempt at this approach that worked for Java is
+# documented below
+# http://nam.ece.upatras.gr/fstoolkit/trac/wiki/JavaSFAClient
+#
+####################
+
+class SfaClientException (Exception): pass
 
-# xxx todo should protect against write file permissions
-# xxx todo review exceptions
 class SfaClientBootstrap:
 
-    # xxx todo should account for verbose and timeout that the proxy offers
-    def __init__ (self, user_hrn, registry_url, dir=None, logger=None):
+    # dir is mandatory but defaults to '.'
+    def __init__ (self, user_hrn, registry_url, dir=None, 
+                  verbose=False, timeout=None, logger=None):
         self.hrn=user_hrn
         self.registry_url=registry_url
         if dir is None: dir="."
         self.dir=dir
+        self.verbose=verbose
+        self.timeout=timeout
+        # default for the logger is to use the global sfa logger
         if logger is None: 
-            print 'special case for logger'
             logger = sfa.util.sfalogging.logger
         self.logger=logger
 
+    ######################################## *_produce methods
+    ### step1
+    # unconditionnally create a self-signed certificate
+    def self_signed_cert_produce (self,output):
+        self.assert_private_key()
+        private_key_filename = self.private_key_filename()
+        keypair=Keypair(filename=private_key_filename)
+        self_signed = Certificate (subject = self.hrn)
+        self_signed.set_pubkey (keypair)
+        self_signed.set_issuer (keypair, self.hrn)
+        self_signed.sign ()
+        self_signed.save_to_file (output)
+        self.logger.debug("SfaClientBootstrap: Created self-signed certificate for %s in %s"%\
+                              (self.hrn,output))
+        return output
+
+    ### step2 
+    # unconditionnally retrieve my credential (GetSelfCredential)
+    # we always use the self-signed-cert as the SSL cert
+    def my_credential_produce (self, output):
+        self.assert_self_signed_cert()
+        certificate_filename = self.self_signed_cert_filename()
+        certificate_string = self.plain_read (certificate_filename)
+        self.assert_private_key()
+        registry_proxy = SfaServerProxy (self.registry_url, self.private_key_filename(),
+                                         certificate_filename)
+        credential_string=registry_proxy.GetSelfCredential (certificate_string, self.hrn, "user")
+        self.plain_write (output, credential_string)
+        self.logger.debug("SfaClientBootstrap: Wrote result of GetSelfCredential in %s"%output)
+        return output
+
+    ### step3
+    # unconditionnally retrieve my GID - use the general form 
+    def my_gid_produce (self,output):
+        return self.gid_produce (output, self.hrn, "user")
+
+    ### retrieve any credential (GetCredential) unconditionnal form
+    # we always use the GID as the SSL cert
+    def credential_produce (self, output, hrn, type):
+        self.assert_my_gid()
+        certificate_filename = self.my_gid_filename()
+        self.assert_private_key()
+        registry_proxy = SfaServerProxy (self.registry_url, self.private_key_filename(),
+                                         certificate_filename)
+        self.assert_my_credential()
+        my_credential_string = self.my_credential_string()
+        credential_string=registry_proxy.GetCredential (my_credential_string, hrn, type)
+        self.plain_write (output, credential_string)
+        self.logger.debug("SfaClientBootstrap: Wrote result of GetCredential in %s"%output)
+        return output
+
+    def slice_credential_produce (self, output, hrn):
+        return self.credential_produce (output, hrn, "slice")
+
+    def authority_credential_produce (self, output, hrn):
+        return self.credential_produce (output, hrn, "authority")
+
+    ### retrieve any gid (Resolve) - unconditionnal form
+    # use my GID when available as the SSL cert, otherwise the self-signed
+    def gid_produce (self, output, hrn, type ):
+        try:
+            self.assert_my_gid()
+            certificate_filename = self.my_gid_filename()
+        except:
+            self.assert_self_signed_cert()
+            certificate_filename = self.self_signed_cert_filename()
+            
+        self.assert_private_key()
+        registry_proxy = SfaServerProxy (self.registry_url, self.private_key_filename(),
+                                         certificate_filename)
+        credential_string=self.plain_read (self.my_credential())
+        records = registry_proxy.Resolve (hrn, credential_string)
+        records=[record for record in records if record['type']==type]
+        if not records:
+            raise RecordNotFound, "hrn %s (%s) unknown to registry %s"%(hrn,type,self.registry_url)
+        record=records[0]
+        self.plain_write (output, record['gid'])
+        self.logger.debug("SfaClientBootstrap: Wrote GID for %s (%s) in %s"% (hrn,type,output))
+        return output
+
     #################### public interface
+    
+    # return my_gid, run all missing steps in the bootstrap sequence
+    def bootstrap_my_gid (self):
+        self.self_signed_cert()
+        self.my_credential()
+        return self.my_gid()
+
+    # once we've bootstrapped we can use this object to issue any other SFA call
+    # always use my gid
+    def server_proxy (self, url):
+        self.assert_my_gid()
+        return SfaServerProxy (url, self.private_key_filename(), self.my_gid_filename(),
+                               verbose=self.verbose, timeout=self.timeout)
+
+    # now in some cases the self-signed is enough
+    def server_proxy_simple (self, url):
+        self.assert_self_signed_cert()
+        return SfaServerProxy (url, self.private_key_filename(), self.self_signed_cert_filename(),
+                               verbose=self.verbose, timeout=self.timeout)
 
-    # xxx should that be called in the constructor ?
-    # typically user_private_key is ~/.ssh/id_rsa
+    # this method can optionnally be invoked to ensure proper
+    # installation of the private key that belongs to this user
+    # installs private_key in working dir with expected name -- preserve mode
+    # typically user_private_key would be ~/.ssh/id_rsa
+    # xxx should probably check the 2 files are identical
     def init_private_key_if_missing (self, user_private_key):
         private_key_filename=self.private_key_filename()
         if not os.path.isfile (private_key_filename):
@@ -62,40 +215,33 @@ class SfaClientBootstrap:
             self.logger.debug("SfaClientBootstrap: Copied private key from %s into %s"%\
                                   (user_private_key,private_key_filename))
         
-    # make sure we have the GID at hand
-    def bootstrap_gid (self):
-        if self.any_certificate_filename() is None:
-            self.get_self_signed_cert()
-        self.get_credential()
-        self.get_gid()
-
-    def server_proxy (self, url):
-        return SfaServerProxy (url, self.private_key_filename(), self.gid_filename())
-
-    def get_credential_string (self):
-        return self.plain_read (self.get_credential())
-
-    # more to come to get credentials about other objects (authority/slice)
-
     #################### private details
     # stupid stuff
     def fullpath (self, file): return os.path.join (self.dir,file)
-    # %s -> self.hrn
-    def fullpath_format(self,format): return self.fullpath (format%self.hrn)
 
+    # the expected filenames for the various pieces
     def private_key_filename (self): 
-        return self.fullpath_format ("%s.pkey")
+        return self.fullpath ("%s.pkey"%self.hrn)
     def self_signed_cert_filename (self): 
-        return self.fullpath_format ("%s.sscert")
-    def credential_filename (self): 
-        return self.fullpath_format ("%s.user.cred")
-    def gid_filename (self): 
-        return self.fullpath_format ("%s.user.gid")
+        return self.fullpath ("%s.sscert"%self.hrn)
+    def my_credential_filename (self):
+        return self.credential_filename (self.hrn, "user")
+    def credential_filename (self, hrn, type): 
+        return self.fullpath ("%s.%s.cred"%(hrn,type))
+    def slice_credential_filename (self, hrn): 
+        return self.credential_filename(hrn,'slice')
+    def authority_credential_filename (self, hrn): 
+        return self.credential_filename(hrn,'authority')
+    def my_gid_filename (self):
+        return self.gid_filename ("user", self.hrn)
+    def gid_filename (self, hrn, type): 
+        return self.fullpath ("%s.%s.gid"%(hrn,type))
+    
 
 # optimizing dependencies
 # originally we used classes GID or Credential or Certificate 
 # like e.g. 
-#        return Credential(filename=self.get_credential()).save_to_string()
+#        return Credential(filename=self.my_credential()).save_to_string()
 # but in order to make it simpler to other implementations/languages..
     def plain_read (self, filename):
         infile=file(filename,"r")
@@ -108,82 +254,65 @@ class SfaClientBootstrap:
         result=outfile.write(contents)
         outfile.close()
 
-    # the private key
-    def check_private_key (self):
-        if not os.path.isfile (self.private_key_filename()):
-            raise Exception,"No such file %s"%self.private_key_filename()
+    def assert_filename (self, filename, kind):
+        if not os.path.isfile (filename):
+            raise IOError,"Missing %s file %s"%(kind,filename)
         return True
+        
+    def assert_private_key (self): return self.assert_filename (self.private_key_filename(),"private key")
+    def assert_self_signed_cert (self): return self.assert_filename (self.self_signed_cert_filename(),"self-signed certificate")
+    def assert_my_credential (self): return self.assert_filename (self.my_credential_filename(),"user's credential")
+    def assert_my_gid (self): return self.assert_filename (self.my_gid_filename(),"user's GID")
 
-    # get any certificate
-    # rationale  for this method, once we have the gid, it's actually safe
-    # to remove the .sscert
-    def any_certificate_filename (self):
-        attempts=[ self.gid_filename(), self.self_signed_cert_filename() ]
-        for attempt in attempts:
-            if os.path.isfile (attempt): return attempt
-        return None
 
-    ### step1
-    # unconditionnally
-    def create_self_signed_certificate (self,output):
-        self.check_private_key()
-        private_key_filename = self.private_key_filename()
-        keypair=Keypair(filename=private_key_filename)
-        self_signed = Certificate (subject = self.hrn)
-        self_signed.set_pubkey (keypair)
-        self_signed.set_issuer (keypair, self.hrn)
-        self_signed.sign ()
-        self_signed.save_to_file (output)
-        self.logger.debug("SfaClientBootstrap: Created self-signed certificate for %s in %s"%\
-                              (self.hrn,output))
-        return output
+    # decorator to make up the other methods
+    def get_or_produce (filename_method, produce_method):
+        def wrap (f):
+            def wrapped (self, *args, **kw):
+                filename=filename_method (self, *args, **kw)
+                if os.path.isfile ( filename ): return filename
+                try:
+                    produce_method (self, filename, *args, **kw)
+                    return filename
+                except IOError:
+                    raise 
+                except:
+                    import traceback
+                    traceback.print_exc()
+                    raise Exception, "Could not produce/retrieve %s"%filename
+            wrapped.__name__=f.__name__
+            return wrapped
+        return wrap
 
-    def get_self_signed_cert (self):
-        self_signed_cert_filename = self.self_signed_cert_filename()
-        if os.path.isfile (self_signed_cert_filename):
-            return self_signed_cert_filename
-        return self.create_self_signed_certificate(self_signed_cert_filename)
-        
-    ### step2 
-    # unconditionnally
-    def retrieve_credential (self, output):
-        self.check_private_key()
-        certificate_filename = self.any_certificate_filename()
-        certificate_string = self.plain_read (certificate_filename)
-        registry_proxy = SfaServerProxy (self.registry_url, self.private_key_filename(),
-                                         certificate_filename)
-        credential_string=registry_proxy.GetSelfCredential (certificate_string, self.hrn, "user")
-        self.plain_write (output, credential_string)
-        self.logger.debug("SfaClientBootstrap: Wrote result of GetSelfCredential in %s"%output)
-        return output
+    @get_or_produce (self_signed_cert_filename, self_signed_cert_produce)
+    def self_signed_cert (self): pass
 
-    def get_credential (self):
-        credential_filename = self.credential_filename ()
-        if os.path.isfile(credential_filename): 
-            return credential_filename
-        return self.retrieve_credential (credential_filename)
+    @get_or_produce (my_credential_filename, my_credential_produce)
+    def my_credential (self): pass
+
+    @get_or_produce (my_gid_filename, my_gid_produce)
+    def my_gid (self): pass
+
+    @get_or_produce (credential_filename, credential_produce)
+    def credential (self, hrn, type): pass
+
+    @get_or_produce (slice_credential_filename, slice_credential_produce)
+    def slice_credential (self, hrn): pass
+
+    @get_or_produce (authority_credential_filename, authority_credential_produce)
+    def authority_credential (self, hrn): pass
+
+    @get_or_produce (gid_filename, gid_produce)
+    def gid (self, hrn, type ): pass
 
-    ### step3
-    # unconditionnally
-    def retrieve_gid (self, hrn, type, output):
-         self.check_private_key()
-         certificate_filename = self.any_certificate_filename()
-         registry_proxy = SfaServerProxy (self.registry_url, self.private_key_filename(),
-                                          certificate_filename)
-         credential_string=self.plain_read (self.get_credential())
-         records = registry_proxy.Resolve (hrn, credential_string)
-         records=[record for record in records if record['type']==type]
-         if not records:
-             # RecordNotFound
-             raise Exception, "hrn %s (%s) unknown to registry %s"%(hrn,type,self.registry_url)
-         record=records[0]
-         self.plain_write (output, record['gid'])
-         self.logger.debug("SfaClientBootstrap: Wrote GID for %s (%s) in %s"% (hrn,type,output))
-         return output
-
-    def get_gid (self):
-        gid_filename=self.gid_filename()
-        if os.path.isfile(gid_filename): 
-            return gid_filename
-        return self.retrieve_gid(self.hrn, "user", gid_filename)
 
+    # get the credentials as strings, for inserting as API arguments
+    def my_credential_string (self): 
+        self.my_credential()
+        return self.plain_read(self.my_credential_filename())
+    def slice_credential_string (self, hrn): 
+        self.slice_credential(hrn)
+        return self.plain_read(self.slice_credential_filename(hrn))
+    def authority_credential_string (self, hrn): 
+        self.authority_credential(hrn)
+        return self.plain_read(self.authority_credential_filename(hrn))

diff --git a/sfa/client/sfaserverproxy.py b/sfa/client/sfaserverproxy.py
index 18b7713..141d57c 100644 (file)
--- a/sfa/client/sfaserverproxy.py
+++ b/sfa/client/sfaserverproxy.py
@@ -51,20 +51,18 @@ class XMLRPCTransport(xmlrpclib.Transport):
         # host may be a string, or a (host, x509-dict) tuple
         host, extra_headers, x509 = self.get_host_info(host)
         if need_HTTPSConnection:
-            #conn = HTTPSConnection(host, None, key_file=self.key_file, cert_file=self.cert_file, timeout=self.timeout) #**(x509 or {}))
-            conn = HTTPSConnection(host, None, key_file=self.key_file, cert_file=self.cert_file) #**(x509 or {}))
+            conn = HTTPSConnection(host, None, key_file=self.key_file, cert_file=self.cert_file)
         else:
-            #conn = HTTPS(host, None, key_file=self.key_file, cert_file=self.cert_file, timeout=self.timeout) #**(x509 or {}))
-            conn = HTTPS(host, None, key_file=self.key_file, cert_file=self.cert_file) #**(x509 or {}))
-
-        if hasattr(conn, 'set_timeout'):
-            conn.set_timeout(self.timeout)
+            conn = HTTPS(host, None, key_file=self.key_file, cert_file=self.cert_file)
 
         # Some logic to deal with timeouts. It appears that some (or all) versions
         # of python don't set the timeout after the socket is created. We'll do it
         # ourselves by forcing the connection to connect, finding the socket, and
         # calling settimeout() on it. (tested with python 2.6)
         if self.timeout:
+            if hasattr(conn, 'set_timeout'):
+                conn.set_timeout(self.timeout)
+
             if hasattr(conn, "_conn"):
                 # HTTPS is a wrapper around HTTPSConnection
                 real_conn = conn._conn

diff --git a/sfa/examples/miniclient.py b/sfa/examples/miniclient.py
index dbfa3fa..616d613 100755 (executable)
--- a/sfa/examples/miniclient.py
+++ b/sfa/examples/miniclient.py
@@ -10,6 +10,9 @@ logger=logging.getLogger('')
 logger.addHandler(console)
 logger.setLevel(logging.DEBUG)
 
+import uuid
+def unique_call_id(): return uuid.uuid4().urn
+
 # use sys.argv to point to a completely fresh directory
 import sys
 args=sys.argv[1:]
@@ -31,39 +34,75 @@ aggregate_url="http://sfa1.pl.sophia.inria.fr:12347/"
 # search for public_key / private_key
 private_key="miniclient-private-key"
 # user hrn
-hrn="pla.inri.fake-pi1"
+user_hrn="pla.inri.fake-pi1"
+
+slice_hrn="pla.inri.slpl1"
+# hrn_to_urn(slice_hrn,'slice')
+slice_urn='urn:publicid:IDN+pla:inri+slice+slpl1'
 
 from sfa.client.sfaclientlib import SfaClientBootstrap
 
-bootstrap = SfaClientBootstrap (hrn, registry_url, dir=dir, logger=logger)
+bootstrap = SfaClientBootstrap (user_hrn, registry_url, dir=dir, logger=logger)
 # install the private key in the client directory from 'private_key'
 bootstrap.init_private_key_if_missing(private_key)
-bootstrap.bootstrap_gid()
+
+def truncate(content, length=20, suffix='...'):
+    if isinstance (content, (int) ): return content
+    if isinstance (content, list): return truncate ( "%s"%content, length, suffix)
+    if len(content) <= length:
+        return content
+    else:
+        return content[:length+1]+ ' '+suffix
+
+def has_call_id (server_version):
+    return server_version.has_key('call_id_support')
+
 
 ### issue a GetVersion call
 ### this assumes we've already somehow initialized the certificate
 def get_version (url):
-    
-    server_proxy = bootstrap.server_proxy(url)
-    retcod = server_proxy.GetVersion()
-    print "GetVersion at %s returned following keys: %s"%(url,retcod.keys())
-
+    # make sure we have a self-signed cert
+    bootstrap.self_signed_cert()
+    server_proxy = bootstrap.server_proxy_simple(url)
+    server_version = server_proxy.GetVersion()
+    print "miniclient: GetVersion at %s returned:"%(url)
+    for (k,v) in server_version.iteritems(): print "miniclient: \tversion[%s]=%s"%(k,truncate(v))
+    print "has-call-id=",has_call_id(server_version)
 
 # version_dict = {'type': 'SFA', 'version': '1', }
 
 version_dict = {'type':'ProtoGENI', 'version':'2'}
 
+
 # ditto with list resources
 def list_resources ():
-    options = { 'geni_rspec_version' : version_dict}
-    credential = bootstrap.get_credential_string()
+    bootstrap.bootstrap_my_gid()
+    credential = bootstrap.my_credential_string()
+    credentials = [ credential ]
+    options = {}
+    options [ 'geni_rspec_version' ] = version_dict
+#    options [ 'call_id' ] = unique_call_id()
+    list_resources = bootstrap.server_proxy (aggregate_url).ListResources(credentials,options)
+    print "miniclient: ListResources at %s returned : %s"%(aggregate_url,truncate(list_resources))
+
+def list_slice_resources ():
+    bootstrap.bootstrap_my_gid()
+    credential = bootstrap.slice_credential_string (slice_hrn)
     credentials = [ credential ]
-    retcod = bootstrap.server_proxy (aggregate_url).ListResources(credentials,options)
-    print "ListResources at %s returned : %20s..."%(aggregate_url,retcod)
+    options = { }
+    options [ 'geni_rspec_version' ] = version_dict
+    options [ 'geni_slice_urn' ] = slice_urn
+#    options [ 'call_id' ] = unique_call_id()
+    list_resources = bootstrap.server_proxy (aggregate_url).ListResources(credentials,options)
+    print "miniclient: ListResources at %s for slice %s returned : %s"%(aggregate_url,slice_urn,truncate(list_resources))
+    
+    
+    
 
 def main ():
     get_version(registry_url)
     get_version(aggregate_url)
-    list_resources()
+#    list_resources()
+#    list_slice_resources()
 
 main()