from geni.util.cert import Keypair, Certificate
from geni.util.gid import GID, create_uuid
from geni.util.geniserver import GeniServer
+from geni.util.geniclient import GeniClient
from geni.util.record import GeniRecord
from geni.util.rights import RightList
from geni.util.genitable import GeniTable
from geni.util.excep import *
from geni.util.misc import *
from geni.util.config import *
+from geni.util.storage import *
##
# Convert geni fields to PLC fields for use when registering up updating
# @param key_file private key filename of registry
# @param cert_file certificate filename containing public key (could be a GID file)
- def __init__(self, ip, port, key_file, cert_file):
+ def __init__(self, ip, port, key_file, cert_file, config = '/usr/share/geniwrapper/geni/util/geni_config'):
GeniServer.__init__(self, ip, port, key_file, cert_file)
# get PL account settings from config module
else:
self.connect_local_shell()
+ self.key_file = key_file
+ self.cert_file = cert_file
+ self.config = Config(config)
+ self.basedir = self.config.GENI_BASE_DIR + os.sep
+ self.server_basedir = self.basedir + os.sep + "geni" + os.sep
+ self.hrn = self.config.GENI_INTERFACE_HRN
+
+ # get peer registry information
+ registries_file = self.server_basedir + os.sep + 'registries.xml'
+ connection_dict = {'hrn': '', 'addr': '', 'port': ''}
+ self.registry_info = XmlStorage(registries_file, {'registries': {'registry': [connection_dict]}})
+ self.registry_info.load()
+ self.connectRegistry()
+ self.connectRegistries()
+
+
##
# Connect to a remote shell via XMLRPC
self.server.register_function(self.get_self_credential)
self.server.register_function(self.get_credential)
self.server.register_function(self.get_gid)
+ self.server.register_function(self.get_ticket)
self.server.register_function(self.register)
self.server.register_function(self.remove)
self.server.register_function(self.update)
self.server.register_function(self.list)
self.server.register_function(self.resolve)
+
+ def loadCredential(self):
+ """
+ Attempt to load credential from file if it exists. If it doesnt get
+ credential from registry.
+ """
+
+ # see if this file exists
+ # XX This is really the aggregate's credential. Using this is easier than getting
+ # the registry's credential from iteslf (ssl errors).
+ ma_cred_filename = self.server_basedir + os.sep + "agg." + self.hrn + ".ma.cred"
+ try:
+ self.credential = Credential(filename = ma_cred_filename)
+ except IOError:
+ self.credential = self.getCredentialFromRegistry()
+
+ def getCredentialFromRegistry(self):
+ """
+ Get our current credential from the registry.
+ """
+ # get self credential
+ self_cred_filename = self.server_basedir + os.sep + "smgr." + self.hrn + ".cred"
+ self_cred = self.registry.get_credential(None, 'ma', self.hrn)
+ self_cred.save_to_file(self_cred_filename, save_parents=True)
+
+ # get ma credential
+ ma_cred_filename = self.server_basedir + os.sep + "smgr." + self.hrn + ".sa.cred"
+ ma_cred = self.registry.get_credential(self_cred, 'sa', self.hrn)
+ ma_cred.save_to_file(ma_cred_filename, save_parents=True)
+ return ma_cred
+
+ def connectRegistry(self):
+ """
+ Connect to the registry
+ """
+ # connect to registry using GeniClient
+ address = self.config.GENI_REGISTRY_HOSTNAME
+ port = self.config.GENI_REGISTRY_PORT
+ url = 'http://%(address)s:%(port)s' % locals()
+ self.registry = GeniClient(url, self.key_file, self.cert_file)
+
+ def connectRegistries(self):
+ """
+ Get connection details for the trusted peer registries from file and
+ create an GeniClient connection to each.
+ """
+ self.registries= {}
+ registries = self.registry_info['registries']['registry']
+ if isinstance(registries, dict):
+ registries = [registries]
+ if isinstance(registries, list):
+ for registry in registries:
+ # create xmlrpc connection using GeniClient
+ hrn, address, port = registry['hrn'], registry['addr'], registry['port']
+ url = 'http://%(address)s:%(port)s' % locals()
+ self.registries[hrn] = GeniClient(url, self.key_file, self.cert_file)
+
##
# Given an authority name, return the information for that authority. This
# is basically a stub that calls the hierarchy module.
self.fill_record_pl_info(record)
self.fill_record_geni_info(record)
+ def update_membership_list(self, oldRecord, record, listName, addFunc, delFunc):
+ # get a list of the HRNs tht are members of the old and new records\r
+ if oldRecord:\r
+ if oldRecord.pl_info == None:\r
+ oldRecord.pl_info = {}\r
+ oldList = oldRecord.get_geni_info().get(listName, [])\r
+ else:\r
+ oldList = []\r
+ newList = record.get_geni_info().get(listName, [])\r
+\r
+ # if the lists are the same, then we don't have to update anything\r
+ if (oldList == newList):\r
+ return\r
+\r
+ # build a list of the new person ids, by looking up each person to get\r
+ # their pointer\r
+ newIdList = []\r
+ for hrn in newList:\r
+ userRecord = self.resolve_raw("user", hrn)[0]\r
+ newIdList.append(userRecord.get_pointer())\r
+\r
+ # build a list of the old person ids from the person_ids field of the\r
+ # pl_info\r
+ if oldRecord:\r
+ oldIdList = oldRecord.pl_info.get("person_ids", [])\r
+ containerId = oldRecord.get_pointer()\r
+ else:\r
+ # if oldRecord==None, then we are doing a Register, instead of an\r
+ # update.\r
+ oldIdList = []\r
+ containerId = record.get_pointer()\r
+\r
+ # add people who are in the new list, but not the oldList\r
+ for personId in newIdList:\r
+ if not (personId in oldIdList):\r
+ print "adding id", personId, "to", record.get_name()\r
+ addFunc(self.pl_auth, personId, containerId)\r
+\r
+ # remove people who are in the old list, but not the new list\r
+ for personId in oldIdList:\r
+ if not (personId in newIdList):\r
+ print "removing id", personId, "from", record.get_name()\r
+ delFunc(self.pl_auth, personId, containerId)\r
+\r
+ def update_membership(self, oldRecord, record):\r
+ if record.type == "slice":\r
+ self.update_membership_list(oldRecord, record, 'researcher',\r
+ self.shell.AddPersonToSlice,\r
+ self.shell.DeletePersonFromSlice)\r
+ elif record.type == "sa":\r
+ # TODO\r
+ pass\r
+ elif record.type == "ma":\r
+ # TODO\r
+ pass
+
##
# GENI API: register
#
table.insert(record)
+ # update membership for researchers, pis, owners, operators
+ self.update_membership(None, record)
+
return record.get_gid_object().save_to_string(save_parents=True)
##
return True
##
- # GENI API: Register
+ # GENI API: Update
#
# Update an object in the registry. Currently, this only updates the
# PLC information associated with the record. The Geni fields (name, type,
self.verify_object_permission(record.get_name())
auth_name = get_authority(record.get_name())
+ if not auth_name:
+ auth_name = record.get_name()
table = self.get_auth_table(auth_name)
# make sure the record exists
existing_record_list = table.resolve(type, record.get_name())
if not existing_record_list:
raise RecordNotFound(record.get_name())
-
existing_record = existing_record_list[0]
+
+ # Update_membership needs the membership lists in the existing record
+ # filled in, so it can see if members were added or removed
+ self.fill_record_info(existing_record)
+
+ # Use the pointer from the existing record, not the one that the user
+ # gave us. This prevents the user from inserting a forged pointer
pointer = existing_record.get_pointer()
# update the PLC information that was specified with the record
else:
raise UnknownGeniType(type)
+ # update membership for researchers, pis, owners, operators\r
+ self.update_membership(existing_record, record)
+
##
# List the records in an authority. The objectGID in the supplied credential
# should name the authority that will be listed.
def resolve_raw(self, type, name, must_exist=True):
auth_name = get_authority(name)
-
+ if not auth_name:
+ auth_name = name
table = self.get_auth_table(auth_name)
-
records = table.resolve(type, name)
-
if (not records) and must_exist:
raise RecordNotFound(name)
def resolve(self, cred, name):
self.decode_authentication(cred, "resolve")
+
+ try:
+ records = self.resolve_raw("*", name)
+ except:
+ records = []
+ for registry in self.registries:
+ if name.startswith(registry):
+ records = self.registries[registry].resolve(self.credential, name)
+
- records = self.resolve_raw("*", name)
dicts = []
for record in records:
dicts.append(record.as_dict())
records = self.resolve_raw("*", name)
gid_string_list = []
for record in records:
- gid = record.get_gid()
+ gid = record.get_gid_object()
gid_string_list.append(gid.save_to_string(save_parents=True))
return gid_string_list
self.verify_object_belongs_to_me(name)
auth_hrn = get_authority(name)
+ if not auth_hrn:
+ auth_hrn = name
auth_info = self.get_auth_info(auth_hrn)
-
# find a record that matches
records = self.resolve_raw(type, name, must_exist=True)
record = records[0]
return cred.save_to_string(save_parents=True)
+ ##
+ # verify_cancreate_credential
+ #
+ # Verify that a user can retrieve a particular type of credential. For
+ # slices, the user must be on the researcher list. For SA and MA the user
+ # must be on the pi and operator lists respectively.
+
+ def verify_cancreate_credential(self, src_cred, record):
+ type = record.get_type()
+ cred_object_hrn = src_cred.get_gid_object().get_hrn()
+ config = Config()
+ if cred_object_hrn in [config.GENI_REGISTRY_ROOT_AUTH]:
+ return
+ if type=="slice":
+ researchers = record.get_geni_info().get("researcher", [])
+ if not (cred_object_hrn in researchers):
+ raise PermissionError(cred_object_hrn + " is not in researcher list for " + record.get_name())
+ elif type == "sa":
+ pis = record.get_geni_info().get("pi", [])
+ if not (cred_object_hrn in pis):
+ raise PermissionError(cred_object_hrn + " is not in pi list for " + record.get_name())
+ elif type == "ma":
+ operators = record.get_geni_info().get("operator", [])
+ if not (cred_object_hrn in operators):
+ raise PermissionError(cred_object_hrn + " is not in operator list for " + record.get_name())
+
##
# GENI API: Get_credential
#
def get_credential(self, cred, type, name):
if not cred:
- return get_self_credential(self, type, name)
+ return self.get_self_credential(type, name)
self.decode_authentication(cred, "getcredential")
self.verify_object_belongs_to_me(name)
auth_hrn = get_authority(name)
+ if not auth_hrn:
+ auth_hrn = name
auth_info = self.get_auth_info(auth_hrn)
records = self.resolve_raw(type, name, must_exist=True)
record = records[0]
+ # verify_cancreate_credential requires that the member lists
+ # (researchers, pis, etc) be filled in
+ self.fill_record_info(record)
+
+ self.verify_cancreate_credential(self.client_cred, record)
+
# TODO: Check permission that self.client_cred can access the object
object_gid = record.get_gid_object()
return new_cred.save_to_string(save_parents=True)
+ ##
+ # GENI API: get_ticket
+ #
+ # Retrieve a ticket. This operation is currently implemented on PLC
+ # only (see SFA, engineering decisions); it is not implemented on
+ # components.
+ #
+ # The ticket is filled in with information from the PLC database. This
+ # information includes resources, and attributes such as user keys and
+ # initscripts.
+ #
+ # @param cred credential string
+ # @param name name of the slice to retrieve a ticket for
+ # @param rspec resource specification dictionary
+ #
+ # @return the string representation of a ticket object
+
+ def get_ticket(self, cred, name, rspec):
+ self.decode_authentication(cred, "getticket")
+
+ self.verify_object_belongs_to_me(name)
+
+ self.verify_object_permission(name)
+
+ # XXX much of this code looks like get_credential... are they so similar
+ # that they should be combined?
+
+ auth_hrn = get_authority(name)
+ if not auth_hrn:
+ auth_hrn = name
+ auth_info = self.get_auth_info(auth_hrn)
+
+ records = self.resolve_raw("slice", name, must_exist=True)
+ record = records[0]
+
+ object_gid = record.get_gid_object()
+ new_ticket = Ticket(subject = object_gid.get_subject())
+ new_ticket.set_gid_caller(self.client_gid)
+ new_ticket.set_gid_object(object_gid)
+ new_ticket.set_issuer(key=auth_info.get_pkey_object(), subject=auth_hrn)
+ new_ticket.set_pubkey(object_gid.get_pubkey())
+
+ self.fill_record_info(record)
+
+ (attributes, rspec) = self.record_to_slice_info(record)
+
+ new_ticket.set_attributes(attributes)
+ new_ticket.set_rspec(rspec)
+
+ new_ticket.set_parent(AuthHierarchy.get_auth_ticket(auth_hrn))
+
+ new_ticket.encode()
+ new_ticket.sign()
+
+ return new_ticket.save_to_string(save_parents=True)
+
##
# GENI_API: Create_gid
#