From 5d5dfbe33dc7726efcfbaf622b3ef8dc99090c43 Mon Sep 17 00:00:00 2001 From: Thierry Parmentelat Date: Thu, 8 Dec 2011 16:37:27 +0100 Subject: [PATCH] sfaclientlib improved can get credentials and gids for other hrns and types make clientlibsync can extract the minimal client env for tests --- Makefile | 10 + sfa/client/sfaclientlib.py | 343 ++++++++++++++++++++++++----------- sfa/client/sfaserverproxy.py | 12 +- sfa/examples/miniclient.py | 65 +++++-- 4 files changed, 303 insertions(+), 127 deletions(-) diff --git a/Makefile b/Makefile index ef3e497d..47dbacc9 100644 --- a/Makefile +++ b/Makefile @@ -165,3 +165,13 @@ clientsync: .PHONY: sync fastsync clientsync ########## +CLIENTLIBFILES= \ +sfa/examples/miniclient.py \ +sfa/__init__.py \ +sfa/client/{sfaserverproxy,sfaclientlib,__init__}.py \ +sfa/trust/{certificate,__init__}.py \ +sfa/util/{sfalogging,faults,genicode,enumeration,__init__}.py + +clientlibsync: + @[ -d "$(CLIENTLIBTARGET)" ] || { echo "You need to set the make variable CLIENTLIBTARGET"; exit 1; } + rsync -av --relative $(CLIENTLIBFILES) $(CLIENTLIBTARGET) diff --git a/sfa/client/sfaclientlib.py b/sfa/client/sfaclientlib.py index 2b5cb199..979fbbbf 100644 --- a/sfa/client/sfaclientlib.py +++ b/sfa/client/sfaclientlib.py @@ -6,6 +6,9 @@ import os,os.path import sfa.util.sfalogging +# importing sfa.utils.faults does pull a lot of stuff +# OTOH it's imported from Certificate anyways, so.. +from sfa.util.faults import RecordNotFound from sfa.client.sfaserverproxy import SfaServerProxy @@ -29,30 +32,180 @@ from sfa.trust.certificate import Keypair, Certificate # obtained at the registry using Resolve # using the step2 credential as credential # default filename is .user.gid -########## -# from that point on, the GID can/should be used as the SSL cert for anything -# a new (slice) credential would be needed for slice operations and can be -# obtained at the registry through GetCredential +# +# From that point on, the GID is used as the SSL certificate +# and the following can be done +# +# (**) retrieve a slice (or authority) credential +# obtained at the registry with GetCredential +# using the (step2) user-credential as credential +# default filename is ..cred +# (**) retrieve a slice (or authority) GID +# obtained at the registry with Resolve +# using the (step2) user-credential as credential +# default filename is ..cred + + +########## Implementation notes +# +# (*) decorators +# +# this implementation is designed as a guideline for +# porting to other languages +# +# the decision to go for decorators aims at focusing +# on the core of what needs to be done when everything +# works fine, and to take caching and error management +# out of the way +# +# for non-pythonic developers, it should be enough to +# implement the bulk of this code, namely the _produce methods +# and to add caching and error management by whichever means +# is available, including inline +# +# (*) self-signed certificates +# +# still with other languages in mind, we've tried to keep the +# dependencies to the rest of the code as low as possible +# +# however this still relies on the sfa.trust.certificate module +# for the initial generation of a self-signed-certificate that +# is associated to the user's ssh-key +# (for user-friendliness, and for smooth operations with planetlab, +# the usage model is to reuse an existing keypair) +# +# there might be a more portable, i.e. less language-dependant way, to +# implement this step by exec'ing the openssl command a known +# successful attempt at this approach that worked for Java is +# documented below +# http://nam.ece.upatras.gr/fstoolkit/trac/wiki/JavaSFAClient +# +#################### + +class SfaClientException (Exception): pass -# xxx todo should protect against write file permissions -# xxx todo review exceptions class SfaClientBootstrap: - # xxx todo should account for verbose and timeout that the proxy offers - def __init__ (self, user_hrn, registry_url, dir=None, logger=None): + # dir is mandatory but defaults to '.' + def __init__ (self, user_hrn, registry_url, dir=None, + verbose=False, timeout=None, logger=None): self.hrn=user_hrn self.registry_url=registry_url if dir is None: dir="." self.dir=dir + self.verbose=verbose + self.timeout=timeout + # default for the logger is to use the global sfa logger if logger is None: - print 'special case for logger' logger = sfa.util.sfalogging.logger self.logger=logger + ######################################## *_produce methods + ### step1 + # unconditionnally create a self-signed certificate + def self_signed_cert_produce (self,output): + self.assert_private_key() + private_key_filename = self.private_key_filename() + keypair=Keypair(filename=private_key_filename) + self_signed = Certificate (subject = self.hrn) + self_signed.set_pubkey (keypair) + self_signed.set_issuer (keypair, self.hrn) + self_signed.sign () + self_signed.save_to_file (output) + self.logger.debug("SfaClientBootstrap: Created self-signed certificate for %s in %s"%\ + (self.hrn,output)) + return output + + ### step2 + # unconditionnally retrieve my credential (GetSelfCredential) + # we always use the self-signed-cert as the SSL cert + def my_credential_produce (self, output): + self.assert_self_signed_cert() + certificate_filename = self.self_signed_cert_filename() + certificate_string = self.plain_read (certificate_filename) + self.assert_private_key() + registry_proxy = SfaServerProxy (self.registry_url, self.private_key_filename(), + certificate_filename) + credential_string=registry_proxy.GetSelfCredential (certificate_string, self.hrn, "user") + self.plain_write (output, credential_string) + self.logger.debug("SfaClientBootstrap: Wrote result of GetSelfCredential in %s"%output) + return output + + ### step3 + # unconditionnally retrieve my GID - use the general form + def my_gid_produce (self,output): + return self.gid_produce (output, self.hrn, "user") + + ### retrieve any credential (GetCredential) unconditionnal form + # we always use the GID as the SSL cert + def credential_produce (self, output, hrn, type): + self.assert_my_gid() + certificate_filename = self.my_gid_filename() + self.assert_private_key() + registry_proxy = SfaServerProxy (self.registry_url, self.private_key_filename(), + certificate_filename) + self.assert_my_credential() + my_credential_string = self.my_credential_string() + credential_string=registry_proxy.GetCredential (my_credential_string, hrn, type) + self.plain_write (output, credential_string) + self.logger.debug("SfaClientBootstrap: Wrote result of GetCredential in %s"%output) + return output + + def slice_credential_produce (self, output, hrn): + return self.credential_produce (output, hrn, "slice") + + def authority_credential_produce (self, output, hrn): + return self.credential_produce (output, hrn, "authority") + + ### retrieve any gid (Resolve) - unconditionnal form + # use my GID when available as the SSL cert, otherwise the self-signed + def gid_produce (self, output, hrn, type ): + try: + self.assert_my_gid() + certificate_filename = self.my_gid_filename() + except: + self.assert_self_signed_cert() + certificate_filename = self.self_signed_cert_filename() + + self.assert_private_key() + registry_proxy = SfaServerProxy (self.registry_url, self.private_key_filename(), + certificate_filename) + credential_string=self.plain_read (self.my_credential()) + records = registry_proxy.Resolve (hrn, credential_string) + records=[record for record in records if record['type']==type] + if not records: + raise RecordNotFound, "hrn %s (%s) unknown to registry %s"%(hrn,type,self.registry_url) + record=records[0] + self.plain_write (output, record['gid']) + self.logger.debug("SfaClientBootstrap: Wrote GID for %s (%s) in %s"% (hrn,type,output)) + return output + #################### public interface + + # return my_gid, run all missing steps in the bootstrap sequence + def bootstrap_my_gid (self): + self.self_signed_cert() + self.my_credential() + return self.my_gid() + + # once we've bootstrapped we can use this object to issue any other SFA call + # always use my gid + def server_proxy (self, url): + self.assert_my_gid() + return SfaServerProxy (url, self.private_key_filename(), self.my_gid_filename(), + verbose=self.verbose, timeout=self.timeout) + + # now in some cases the self-signed is enough + def server_proxy_simple (self, url): + self.assert_self_signed_cert() + return SfaServerProxy (url, self.private_key_filename(), self.self_signed_cert_filename(), + verbose=self.verbose, timeout=self.timeout) - # xxx should that be called in the constructor ? - # typically user_private_key is ~/.ssh/id_rsa + # this method can optionnally be invoked to ensure proper + # installation of the private key that belongs to this user + # installs private_key in working dir with expected name -- preserve mode + # typically user_private_key would be ~/.ssh/id_rsa + # xxx should probably check the 2 files are identical def init_private_key_if_missing (self, user_private_key): private_key_filename=self.private_key_filename() if not os.path.isfile (private_key_filename): @@ -62,40 +215,33 @@ class SfaClientBootstrap: self.logger.debug("SfaClientBootstrap: Copied private key from %s into %s"%\ (user_private_key,private_key_filename)) - # make sure we have the GID at hand - def bootstrap_gid (self): - if self.any_certificate_filename() is None: - self.get_self_signed_cert() - self.get_credential() - self.get_gid() - - def server_proxy (self, url): - return SfaServerProxy (url, self.private_key_filename(), self.gid_filename()) - - def get_credential_string (self): - return self.plain_read (self.get_credential()) - - # more to come to get credentials about other objects (authority/slice) - #################### private details # stupid stuff def fullpath (self, file): return os.path.join (self.dir,file) - # %s -> self.hrn - def fullpath_format(self,format): return self.fullpath (format%self.hrn) + # the expected filenames for the various pieces def private_key_filename (self): - return self.fullpath_format ("%s.pkey") + return self.fullpath ("%s.pkey"%self.hrn) def self_signed_cert_filename (self): - return self.fullpath_format ("%s.sscert") - def credential_filename (self): - return self.fullpath_format ("%s.user.cred") - def gid_filename (self): - return self.fullpath_format ("%s.user.gid") + return self.fullpath ("%s.sscert"%self.hrn) + def my_credential_filename (self): + return self.credential_filename (self.hrn, "user") + def credential_filename (self, hrn, type): + return self.fullpath ("%s.%s.cred"%(hrn,type)) + def slice_credential_filename (self, hrn): + return self.credential_filename(hrn,'slice') + def authority_credential_filename (self, hrn): + return self.credential_filename(hrn,'authority') + def my_gid_filename (self): + return self.gid_filename ("user", self.hrn) + def gid_filename (self, hrn, type): + return self.fullpath ("%s.%s.gid"%(hrn,type)) + # optimizing dependencies # originally we used classes GID or Credential or Certificate # like e.g. -# return Credential(filename=self.get_credential()).save_to_string() +# return Credential(filename=self.my_credential()).save_to_string() # but in order to make it simpler to other implementations/languages.. def plain_read (self, filename): infile=file(filename,"r") @@ -108,82 +254,65 @@ class SfaClientBootstrap: result=outfile.write(contents) outfile.close() - # the private key - def check_private_key (self): - if not os.path.isfile (self.private_key_filename()): - raise Exception,"No such file %s"%self.private_key_filename() + def assert_filename (self, filename, kind): + if not os.path.isfile (filename): + raise IOError,"Missing %s file %s"%(kind,filename) return True + + def assert_private_key (self): return self.assert_filename (self.private_key_filename(),"private key") + def assert_self_signed_cert (self): return self.assert_filename (self.self_signed_cert_filename(),"self-signed certificate") + def assert_my_credential (self): return self.assert_filename (self.my_credential_filename(),"user's credential") + def assert_my_gid (self): return self.assert_filename (self.my_gid_filename(),"user's GID") - # get any certificate - # rationale for this method, once we have the gid, it's actually safe - # to remove the .sscert - def any_certificate_filename (self): - attempts=[ self.gid_filename(), self.self_signed_cert_filename() ] - for attempt in attempts: - if os.path.isfile (attempt): return attempt - return None - ### step1 - # unconditionnally - def create_self_signed_certificate (self,output): - self.check_private_key() - private_key_filename = self.private_key_filename() - keypair=Keypair(filename=private_key_filename) - self_signed = Certificate (subject = self.hrn) - self_signed.set_pubkey (keypair) - self_signed.set_issuer (keypair, self.hrn) - self_signed.sign () - self_signed.save_to_file (output) - self.logger.debug("SfaClientBootstrap: Created self-signed certificate for %s in %s"%\ - (self.hrn,output)) - return output + # decorator to make up the other methods + def get_or_produce (filename_method, produce_method): + def wrap (f): + def wrapped (self, *args, **kw): + filename=filename_method (self, *args, **kw) + if os.path.isfile ( filename ): return filename + try: + produce_method (self, filename, *args, **kw) + return filename + except IOError: + raise + except: + import traceback + traceback.print_exc() + raise Exception, "Could not produce/retrieve %s"%filename + wrapped.__name__=f.__name__ + return wrapped + return wrap - def get_self_signed_cert (self): - self_signed_cert_filename = self.self_signed_cert_filename() - if os.path.isfile (self_signed_cert_filename): - return self_signed_cert_filename - return self.create_self_signed_certificate(self_signed_cert_filename) - - ### step2 - # unconditionnally - def retrieve_credential (self, output): - self.check_private_key() - certificate_filename = self.any_certificate_filename() - certificate_string = self.plain_read (certificate_filename) - registry_proxy = SfaServerProxy (self.registry_url, self.private_key_filename(), - certificate_filename) - credential_string=registry_proxy.GetSelfCredential (certificate_string, self.hrn, "user") - self.plain_write (output, credential_string) - self.logger.debug("SfaClientBootstrap: Wrote result of GetSelfCredential in %s"%output) - return output + @get_or_produce (self_signed_cert_filename, self_signed_cert_produce) + def self_signed_cert (self): pass - def get_credential (self): - credential_filename = self.credential_filename () - if os.path.isfile(credential_filename): - return credential_filename - return self.retrieve_credential (credential_filename) + @get_or_produce (my_credential_filename, my_credential_produce) + def my_credential (self): pass + + @get_or_produce (my_gid_filename, my_gid_produce) + def my_gid (self): pass + + @get_or_produce (credential_filename, credential_produce) + def credential (self, hrn, type): pass + + @get_or_produce (slice_credential_filename, slice_credential_produce) + def slice_credential (self, hrn): pass + + @get_or_produce (authority_credential_filename, authority_credential_produce) + def authority_credential (self, hrn): pass + + @get_or_produce (gid_filename, gid_produce) + def gid (self, hrn, type ): pass - ### step3 - # unconditionnally - def retrieve_gid (self, hrn, type, output): - self.check_private_key() - certificate_filename = self.any_certificate_filename() - registry_proxy = SfaServerProxy (self.registry_url, self.private_key_filename(), - certificate_filename) - credential_string=self.plain_read (self.get_credential()) - records = registry_proxy.Resolve (hrn, credential_string) - records=[record for record in records if record['type']==type] - if not records: - # RecordNotFound - raise Exception, "hrn %s (%s) unknown to registry %s"%(hrn,type,self.registry_url) - record=records[0] - self.plain_write (output, record['gid']) - self.logger.debug("SfaClientBootstrap: Wrote GID for %s (%s) in %s"% (hrn,type,output)) - return output - - def get_gid (self): - gid_filename=self.gid_filename() - if os.path.isfile(gid_filename): - return gid_filename - return self.retrieve_gid(self.hrn, "user", gid_filename) + # get the credentials as strings, for inserting as API arguments + def my_credential_string (self): + self.my_credential() + return self.plain_read(self.my_credential_filename()) + def slice_credential_string (self, hrn): + self.slice_credential(hrn) + return self.plain_read(self.slice_credential_filename(hrn)) + def authority_credential_string (self, hrn): + self.authority_credential(hrn) + return self.plain_read(self.authority_credential_filename(hrn)) diff --git a/sfa/client/sfaserverproxy.py b/sfa/client/sfaserverproxy.py index 18b77131..141d57c0 100644 --- a/sfa/client/sfaserverproxy.py +++ b/sfa/client/sfaserverproxy.py @@ -51,20 +51,18 @@ class XMLRPCTransport(xmlrpclib.Transport): # host may be a string, or a (host, x509-dict) tuple host, extra_headers, x509 = self.get_host_info(host) if need_HTTPSConnection: - #conn = HTTPSConnection(host, None, key_file=self.key_file, cert_file=self.cert_file, timeout=self.timeout) #**(x509 or {})) - conn = HTTPSConnection(host, None, key_file=self.key_file, cert_file=self.cert_file) #**(x509 or {})) + conn = HTTPSConnection(host, None, key_file=self.key_file, cert_file=self.cert_file) else: - #conn = HTTPS(host, None, key_file=self.key_file, cert_file=self.cert_file, timeout=self.timeout) #**(x509 or {})) - conn = HTTPS(host, None, key_file=self.key_file, cert_file=self.cert_file) #**(x509 or {})) - - if hasattr(conn, 'set_timeout'): - conn.set_timeout(self.timeout) + conn = HTTPS(host, None, key_file=self.key_file, cert_file=self.cert_file) # Some logic to deal with timeouts. It appears that some (or all) versions # of python don't set the timeout after the socket is created. We'll do it # ourselves by forcing the connection to connect, finding the socket, and # calling settimeout() on it. (tested with python 2.6) if self.timeout: + if hasattr(conn, 'set_timeout'): + conn.set_timeout(self.timeout) + if hasattr(conn, "_conn"): # HTTPS is a wrapper around HTTPSConnection real_conn = conn._conn diff --git a/sfa/examples/miniclient.py b/sfa/examples/miniclient.py index dbfa3fad..616d6138 100755 --- a/sfa/examples/miniclient.py +++ b/sfa/examples/miniclient.py @@ -10,6 +10,9 @@ logger=logging.getLogger('') logger.addHandler(console) logger.setLevel(logging.DEBUG) +import uuid +def unique_call_id(): return uuid.uuid4().urn + # use sys.argv to point to a completely fresh directory import sys args=sys.argv[1:] @@ -31,39 +34,75 @@ aggregate_url="http://sfa1.pl.sophia.inria.fr:12347/" # search for public_key / private_key private_key="miniclient-private-key" # user hrn -hrn="pla.inri.fake-pi1" +user_hrn="pla.inri.fake-pi1" + +slice_hrn="pla.inri.slpl1" +# hrn_to_urn(slice_hrn,'slice') +slice_urn='urn:publicid:IDN+pla:inri+slice+slpl1' from sfa.client.sfaclientlib import SfaClientBootstrap -bootstrap = SfaClientBootstrap (hrn, registry_url, dir=dir, logger=logger) +bootstrap = SfaClientBootstrap (user_hrn, registry_url, dir=dir, logger=logger) # install the private key in the client directory from 'private_key' bootstrap.init_private_key_if_missing(private_key) -bootstrap.bootstrap_gid() + +def truncate(content, length=20, suffix='...'): + if isinstance (content, (int) ): return content + if isinstance (content, list): return truncate ( "%s"%content, length, suffix) + if len(content) <= length: + return content + else: + return content[:length+1]+ ' '+suffix + +def has_call_id (server_version): + return server_version.has_key('call_id_support') + ### issue a GetVersion call ### this assumes we've already somehow initialized the certificate def get_version (url): - - server_proxy = bootstrap.server_proxy(url) - retcod = server_proxy.GetVersion() - print "GetVersion at %s returned following keys: %s"%(url,retcod.keys()) - + # make sure we have a self-signed cert + bootstrap.self_signed_cert() + server_proxy = bootstrap.server_proxy_simple(url) + server_version = server_proxy.GetVersion() + print "miniclient: GetVersion at %s returned:"%(url) + for (k,v) in server_version.iteritems(): print "miniclient: \tversion[%s]=%s"%(k,truncate(v)) + print "has-call-id=",has_call_id(server_version) # version_dict = {'type': 'SFA', 'version': '1', } version_dict = {'type':'ProtoGENI', 'version':'2'} + # ditto with list resources def list_resources (): - options = { 'geni_rspec_version' : version_dict} - credential = bootstrap.get_credential_string() + bootstrap.bootstrap_my_gid() + credential = bootstrap.my_credential_string() + credentials = [ credential ] + options = {} + options [ 'geni_rspec_version' ] = version_dict +# options [ 'call_id' ] = unique_call_id() + list_resources = bootstrap.server_proxy (aggregate_url).ListResources(credentials,options) + print "miniclient: ListResources at %s returned : %s"%(aggregate_url,truncate(list_resources)) + +def list_slice_resources (): + bootstrap.bootstrap_my_gid() + credential = bootstrap.slice_credential_string (slice_hrn) credentials = [ credential ] - retcod = bootstrap.server_proxy (aggregate_url).ListResources(credentials,options) - print "ListResources at %s returned : %20s..."%(aggregate_url,retcod) + options = { } + options [ 'geni_rspec_version' ] = version_dict + options [ 'geni_slice_urn' ] = slice_urn +# options [ 'call_id' ] = unique_call_id() + list_resources = bootstrap.server_proxy (aggregate_url).ListResources(credentials,options) + print "miniclient: ListResources at %s for slice %s returned : %s"%(aggregate_url,slice_urn,truncate(list_resources)) + + + def main (): get_version(registry_url) get_version(aggregate_url) - list_resources() +# list_resources() +# list_slice_resources() main() -- 2.43.0