occi-api 4.0.0.alpha.1

data/lib/occi/api/client/http/authn_plugins/keystone.rb

@@ -0,0 +1,61 @@
+module Occi::Api::Client
+  module Http
+    module AuthnPlugins
+
+      class Keystone < Base
+
+        def setup(options = {})
+          response = @env_ref.class.head @env_ref.endpoint
+          Occi::Log.debug response.inspect
+
+          return if response.success?
+          raise ::Occi::Api::Client::Errors::AuthnError, "Keystone AuthN failed with #{response.code.to_s}!" unless response.code == 401
+
+          unless response.headers['www-authenticate'] && response.headers['www-authenticate'].start_with?('Keystone')
+            raise ::Occi::Api::Client::Errors::AuthnError, "Target endpoint is probably not OpenStack!"
+          end
+
+          keystone_uri = /^Keystone uri='(.+)'$/.match(response.headers['www-authenticate'])[1]
+
+          raise ::Occi::Api::Client::Errors::AuthnError, "Unable to get Keystone's URL from the response!" unless keystone_uri
+
+          headers = @env_ref.class.headers.clone
+          headers['Content-Type'] = "application/json"
+          headers['Accept'] = headers['Content-Type']
+
+          response = @env_ref.class.post(keystone_uri + "/v2.0/tokens", :body => get_keystone_req, :headers => headers)
+          Occi::Log.debug response.inspect
+
+          if response.success?
+            @env_ref.class.headers['X-Auth-Token'] = response['access']['token']['id']
+          else
+            raise ::Occi::Api::Client::Errors::AuthnError, "Unable to get a token from Keystone!"
+          end
+        end
+
+        private
+
+        def get_keystone_req(json = true)
+          if @options[:original_type] == "x509"
+            body = { "auth" => { "voms" => true } }
+          elsif @options[:username] && @options[:password]
+            body = {
+              "auth" => {
+                "passwordCredentials" => {
+                  "username" => @options[:username],
+                  "password" => @options[:password]
+                }
+              }
+            }
+          else
+            raise ::Occi::Api::Client::Errors::AuthnError, "Unable to request a token from Keystone! Chosen AuthN not supported."
+          end
+
+          json ? body.to_json : body
+        end
+
+      end
+
+    end
+  end
+end

data/lib/occi/api/client/http/authn_plugins/x509.rb

@@ -0,0 +1,46 @@
+module Occi::Api::Client
+  module Http
+    module AuthnPlugins
+
+      class X509 < Base
+
+        def initialize(env_ref, options = {})
+          super env_ref, options
+          @fallbacks = %w(keystone)
+        end
+
+        def setup(options = {})
+          # set up pem and optionally pem_password and ssl_ca_path
+          raise ArgumentError, "Missing required option 'user_cert' for x509 auth!" unless @options[:user_cert]
+          raise ArgumentError, "The file specified in 'user_cert' does not exist!" unless File.exists? @options[:user_cert]
+
+          # handle PKCS#12 credentials before passing them
+          # to httparty
+          if /\A(.)+\.p12\z/ =~ @options[:user_cert]
+            pem_cert = ::Occi::Api::Client::AuthnUtils.extract_pem_from_pkcs12(@options[:user_cert], @options[:user_cert_password])
+            @env_ref.class.pem pem_cert, ''
+          else
+            # httparty will handle ordinary PEM formatted credentials
+            # TODO: Issue #49, check PEM credentials in jRuby
+            pem_cert = File.open(@options[:user_cert], 'rb').read
+            @env_ref.class.pem pem_cert, @options[:user_cert_password]
+          end
+
+          @env_ref.class.ssl_ca_path @options[:ca_path] if @options[:ca_path]
+          @env_ref.class.ssl_ca_file @options[:ca_file] if @options[:ca_file]
+
+          if @options[:voms]
+            cert_ary = ::Occi::Api::Client::AuthnUtils.certs_to_file_ary @options[:user_cert]
+
+            # remove the first cert since it was already used as pem_cert
+            # use the rest to establish the chain of trust
+            cert_ary.shift
+            @env_ref.class.ssl_extra_chain_cert cert_ary unless cert_ary.empty?
+          end
+        end
+
+      end
+
+    end
+  end
+end

data/lib/occi/api/client/http/authn_plugins.rb

@@ -0,0 +1,6 @@
+require 'occi/api/client/http/authn_plugins/base'
+require 'occi/api/client/http/authn_plugins/dummy'
+require 'occi/api/client/http/authn_plugins/basic'
+require 'occi/api/client/http/authn_plugins/digest'
+require 'occi/api/client/http/authn_plugins/x509'
+require 'occi/api/client/http/authn_plugins/keystone'

data/lib/occi/api/client/http/authn_utils.rb

@@ -0,0 +1,87 @@
+require 'openssl'
+
+if defined? JRUBY_VERSION
+  require 'java'
+end
+
+module Occi
+  module Api
+    module Client
+
+      class AuthnUtils
+        CERT_REGEXP = /\n?(-----BEGIN CERTIFICATE-----\n.+?\n-----END CERTIFICATE-----)\n/m
+
+        # Reads credentials from a PKCS#12 compliant file. Returns
+        # X.509 certificate and decrypted private key in PEM
+        # formatted string.
+        #
+        # @example
+        #    extract_pem_from_pkcs12 "~/.globus/usercert.p12", "123456"
+        #      # => #<String>
+        #
+        # @param [String] Path to a PKCS#12 file with credentials
+        # @param [String] Password needed to unlock the PKCS#12 file
+        # @return [String] Decrypted credentials in a PEM formatted string
+        def self.extract_pem_from_pkcs12(path_to_p12_file, p12_password)
+          # decode certificate and its private key
+          pem_from_pkcs12 = ""
+          if defined? JRUBY_VERSION
+            # Java-based Ruby, read PKCS12 manually
+            # using KeyStore
+            keystore = Java::JavaSecurity::KeyStore.getInstance("PKCS12")
+            p12_input_stream = Java::JavaIo::FileInputStream.new(path_to_p12_file)
+            pass_char_array = Java::JavaLang::String.new(p12_password).to_char_array
+
+            # load and unlock PKCS#12 store
+            keystore.load p12_input_stream, pass_char_array
+
+            # read the first certificate and PK
+            cert = keystore.getCertificate("1")
+            pk = keystore.getKey("1", pass_char_array)
+
+            pem_from_pkcs12 << "-----BEGIN CERTIFICATE-----\n"
+            pem_from_pkcs12 << Java::JavaxXmlBind::DatatypeConverter.printBase64Binary(cert.getEncoded())
+            pem_from_pkcs12 << "\n-----END CERTIFICATE-----"
+
+            pem_from_pkcs12 << "\n"
+
+            pem_from_pkcs12 << "-----BEGIN PRIVATE KEY-----\n"
+            pem_from_pkcs12 << Java::JavaxXmlBind::DatatypeConverter.printBase64Binary(pk.getEncoded())
+            pem_from_pkcs12 << "\n-----END PRIVATE KEY-----"
+          else
+            # C-based Ruby, use OpenSSL::PKCS12
+            pkcs12 = OpenSSL::PKCS12.new(
+              File.open(
+                path_to_p12_file,
+                'rb'
+              ),
+              p12_password
+            )
+
+            # store cert and private key in a single PEM formatted string
+            pem_from_pkcs12 << pkcs12.certificate.to_pem << pkcs12.key.to_pem
+          end
+
+          pem_from_pkcs12
+        end
+
+        # Reads X.509 certificates from a file to an array.
+        #
+        # @example
+        #    certs_to_file_ary "~/.globus/usercert.pem"
+        #      # => [#<String>, #<String>, ...]
+        #
+        # @param [String] Path to a PEM file containing certificates
+        # @return [Array<String>] An array of read certificates
+        def self.certs_to_file_ary(ca_file)
+          # TODO: read and separate multiple certificates
+          certs_str = File.open(ca_file).read
+
+          certs_ary = certs_str.scan(CERT_REGEXP)
+          certs_ary ? certs_ary.flatten : []
+        end
+      end
+
+    end
+  end
+end

data/lib/occi/api/client/http/httparty_fix.rb

@@ -0,0 +1,53 @@
+module HTTParty
+  class ConnectionAdapter
+
+    private
+
+    def attach_ssl_certificates(http, options)
+      if http.use_ssl?
+        http.verify_mode = OpenSSL::SSL::VERIFY_NONE
+
+        # Client certificate authentication
+        if options[:pem]
+          http.cert = OpenSSL::X509::Certificate.new(options[:pem])
+          http.key = OpenSSL::PKey::RSA.new(options[:pem], options[:pem_password])
+          http.verify_mode = OpenSSL::SSL::VERIFY_PEER
+        end
+
+        # Set chain of client certificates
+        if options[:ssl_extra_chain_cert]
+          http.extra_chain_cert = []
+
+          options[:ssl_extra_chain_cert].each do |p_ca|
+            http.extra_chain_cert << OpenSSL::X509::Certificate.new(p_ca)
+          end
+        end
+
+        # SSL certificate authority file and/or directory
+        if options[:ssl_ca_file]
+          http.ca_file = options[:ssl_ca_file]
+          http.verify_mode = OpenSSL::SSL::VERIFY_PEER
+        end
+
+        if options[:ssl_ca_path]
+          http.ca_path = options[:ssl_ca_path]
+          http.verify_mode = OpenSSL::SSL::VERIFY_PEER
+        end
+
+        # This is only Ruby 1.9+
+        if options[:ssl_version] && http.respond_to?(:ssl_version=)
+          http.ssl_version = options[:ssl_version]
+        end
+      end
+    end
+
+  end
+
+  module ClassMethods
+
+    def ssl_extra_chain_cert(ary_of_certs)
+      default_options[:ssl_extra_chain_cert] = ary_of_certs
+    end
+
+  end
+end

data/lib/occi/api/client/http/net_http_fix.rb

@@ -0,0 +1,21 @@
+##############################################################################
+## Net::HTTP hack allowing the use of X.509 proxy certificates.
+##############################################################################
+
+module Net
+  class HTTP
+
+    if defined? SSL_ATTRIBUTES
+      # For Rubies 1.9.x
+      old_verbose, $VERBOSE = $VERBOSE, nil
+      SSL_ATTRIBUTES = SSL_ATTRIBUTES.concat %w(extra_chain_cert)
+      $VERBOSE = old_verbose
+
+      attr_accessor :extra_chain_cert
+    else
+      # For legacy Rubies 1.8.x
+      ssl_context_accessor :extra_chain_cert
+    end
+
+  end
+end

data/lib/occi/api/dsl.rb

@@ -0,0 +1,146 @@
+module Occi
+  module Api
+    module Dsl
+
+      def connect(protocol, *args)
+
+        case protocol
+        when :http 
+          @client = Occi::Api::Client::ClientHttp.new(*args)
+        when :amqp
+          @client = Occi::Api::Client::ClientAmqp.new(*args)
+        else
+          raise "Protocol #{protocol.to_s} is not supported!"
+        end
+
+        true
+      end
+
+      def list(*args)
+        check
+
+        @client.list(*args)
+      end
+
+      def describe(*args)
+        check
+
+        @client.describe(*args)
+      end
+
+      def create(*args)
+        check
+
+        @client.create(*args)
+      end
+
+      def delete(*args)
+        check
+
+        @client.delete(*args)
+      end
+
+      def trigger(*args)
+        check
+
+        @client.trigger(*args)
+      end
+
+      def refresh
+        check
+
+        @client.refresh
+      end
+
+      def model
+        check
+
+        @client.model
+      end
+
+      ###
+
+      def resource_types
+        check
+
+        @client.get_resource_types
+      end
+
+      def resource_type_identifiers
+        check
+
+        @client.get_resource_type_identifiers
+      end
+
+      def mixin_type_identifiers
+        check
+
+        @client.get_mixin_type_identifiers
+      end
+
+      def mixin_types
+        check
+
+        @client.get_mixin_types
+      end
+
+      def entity_types
+        check
+
+        @client.get_entity_types
+      end
+
+      def entity_type_identifiers
+        check
+
+        @client.get_entity_type_identifiers
+      end
+
+      def entity_types_related_to(*args)
+        check
+
+        @client.get_entity_types_related_to(*args)
+      end
+
+      def link_types
+        check
+
+        @client.get_link_types
+      end
+
+      def link_type_identifiers
+        check
+
+        @client.get_link_type_identifiers
+      end
+
+      ###
+
+      def mixins(*args)
+        check
+
+        @client.get_mixins(*args)
+      end
+
+      def resource(*args)
+        check
+
+        @client.get_resource(*args)
+      end
+
+      def mixin(*args)
+        check
+
+        @client.find_mixin(*args)
+      end
+
+      private
+
+      def check
+        raise "You have to issue 'connect' first!" if @client.nil?
+        raise "Client is disconnected!" unless @client.connected
+      end
+
+    end
+  end
+end

data/lib/occi/api/version.rb

@@ -0,0 +1,5 @@
+module Occi
+  module Api
+    VERSION = "4.0.0.alpha.1" unless defined?(::Occi::Api::VERSION)
+  end
+end

data/lib/occi-api.rb

@@ -0,0 +1,14 @@
+require 'rubygems'
+require 'rubygems/package'
+
+require 'occi-core'
+
+module Occi::Api; end
+
+require 'occi/api/version'
+require 'occi/api/client/client_base'
+require 'occi/api/client/errors'
+require 'occi/api/client/http/authn_plugins'
+require 'occi/api/client/client_http'
+require 'occi/api/client/client_amqp'
+require 'occi/api/dsl'

data/occi-api.gemspec

@@ -0,0 +1,38 @@
+# coding: utf-8
+lib = File.expand_path('../lib/', __FILE__)
+$:.unshift lib unless $:.include?(lib)
+
+require 'occi/api/version'
+
+Gem::Specification.new do |gem|
+  gem.name          = "occi-api"
+  gem.version       = Occi::Api::VERSION
+  gem.authors       = ["Florian Feldhaus","Piotr Kasprzak", "Boris Parak"]
+  gem.email         = ["florian.feldhaus@gwdg.de", "piotr.kasprzak@gwdg.de", "xparak@mail.muni.cz"]
+  gem.description   = %q{OCCI is a collection of classes to simplify the implementation of the Open Cloud Computing API in Ruby}
+  gem.summary       = %q{OCCI toolkit}
+  gem.homepage      = 'https://github.com/gwdg/rOCCI-api'
+
+  gem.files         = `git ls-files`.split("\n")
+  gem.test_files    = `git ls-files -- {test,spec,features}/*`.split("\n")
+  gem.require_paths = ["lib"]
+  gem.extensions    = 'ext/mkrf_conf.rb'
+
+  gem.add_dependency 'occi-core'
+  gem.add_dependency 'httparty'
+  gem.add_dependency 'amqp'
+  gem.add_dependency 'json'
+
+  gem.add_development_dependency "rspec"
+  gem.add_development_dependency "rake"
+  gem.add_development_dependency "builder"
+  gem.add_development_dependency "simplecov"
+  gem.add_development_dependency "yard"
+  gem.add_development_dependency "yard-sinatra"
+  gem.add_development_dependency "yard-rspec"
+  gem.add_development_dependency "yard-cucumber"
+  gem.add_development_dependency "rspec-http"
+  gem.add_development_dependency "webmock", "~>1.9.3"
+
+  gem.required_ruby_version     = ">= 1.8.7"
+end