oops.

[sfa.git] / geni / registry.py

diff --git a/geni/registry.py b/geni/registry.py
index 53581d4..97af960 100644 (file)
--- a/geni/registry.py
+++ b/geni/registry.py
@@ -6,20 +6,19 @@ import os
 import time
 import sys
 
-from util.credential import Credential
-from util.hierarchy import Hierarchy
-from util.trustedroot import TrustedRootList
-from util.cert import Keypair, Certificate
-from util.gid import GID, create_uuid
-from util.geniserver import GeniServer
-from util.record import GeniRecord
-from util.rights import RightList
-from util.genitable import GeniTable
-from util.geniticket import Ticket
-from util.excep import *
-from util.misc import *
-
-from util.config import *
+from geni.util.credential import Credential
+from geni.util.hierarchy import Hierarchy
+from geni.util.trustedroot import TrustedRootList
+from geni.util.cert import Keypair, Certificate
+from geni.util.gid import GID, create_uuid
+from geni.util.geniserver import GeniServer
+from geni.util.record import GeniRecord
+from geni.util.rights import RightList
+from geni.util.genitable import GeniTable
+from geni.util.geniticket import Ticket
+from geni.util.excep import *
+from geni.util.misc import *
+from geni.util.config import *
 
 ##
 # Convert geni fields to PLC fields for use when registering up updating
@@ -103,7 +102,7 @@ class Registry(GeniServer):
     # Connect to a remote shell via XMLRPC
 
     def connect_remote_shell(self):
-        import remoteshell
+        from geni.util import remoteshell
         self.shell = remoteshell.RemoteShell()
 
     ##
@@ -123,6 +122,7 @@ class Registry(GeniServer):
         self.server.register_function(self.get_self_credential)
         self.server.register_function(self.get_credential)
         self.server.register_function(self.get_gid)
+        self.server.register_function(self.get_ticket)
         self.server.register_function(self.register)
         self.server.register_function(self.remove)
         self.server.register_function(self.update)
@@ -320,6 +320,62 @@ class Registry(GeniServer):
         self.fill_record_pl_info(record)
         self.fill_record_geni_info(record)
 
+    def update_membership_list(self, oldRecord, record, listName, addFunc, delFunc):
+        # get a list of the HRNs tht are members of the old and new records\r
+        if oldRecord:\r
+            if oldRecord.pl_info == None:\r
+                oldRecord.pl_info = {}\r
+            oldList = oldRecord.get_geni_info().get(listName, [])\r
+        else:\r
+            oldList = []\r
+        newList = record.get_geni_info().get(listName, [])\r
+\r
+        # if the lists are the same, then we don't have to update anything\r
+        if (oldList == newList):\r
+            return\r
+\r
+        # build a list of the new person ids, by looking up each person to get\r
+        # their pointer\r
+        newIdList = []\r
+        for hrn in newList:\r
+            userRecord = self.resolve_raw("user", hrn)[0]\r
+            newIdList.append(userRecord.get_pointer())\r
+\r
+        # build a list of the old person ids from the person_ids field of the\r
+        # pl_info\r
+        if oldRecord:\r
+            oldIdList = oldRecord.pl_info.get("person_ids", [])\r
+            containerId = oldRecord.get_pointer()\r
+        else:\r
+            # if oldRecord==None, then we are doing a Register, instead of an\r
+            # update.\r
+            oldIdList = []\r
+            containerId = record.get_pointer()\r
+\r
+        # add people who are in the new list, but not the oldList\r
+        for personId in newIdList:\r
+            if not (personId in oldIdList):\r
+                print "adding id", personId, "to", record.get_name()\r
+                addFunc(self.pl_auth, personId, containerId)\r
+\r
+        # remove people who are in the old list, but not the new list\r
+        for personId in oldIdList:\r
+            if not (personId in newIdList):\r
+                print "removing id", personId, "from", record.get_name()\r
+                delFunc(self.pl_auth, personId, containerId)\r
+\r
+    def update_membership(self, oldRecord, record):\r
+        if record.type == "slice":\r
+            self.update_membership_list(oldRecord, record, 'researcher',\r
+                                        self.shell.AddPersonToSlice,\r
+                                        self.shell.DeletePersonFromSlice)\r
+        elif record.type == "sa":\r
+            # TODO\r
+            pass\r
+        elif record.type == "ma":\r
+            # TODO\r
+            pass
+
     ##
     # GENI API: register
     #
@@ -418,6 +474,9 @@ class Registry(GeniServer):
 
         table.insert(record)
 
+        # update membership for researchers, pis, owners, operators
+        self.update_membership(None, record)
+
         return record.get_gid_object().save_to_string(save_parents=True)
 
     ##
@@ -442,7 +501,7 @@ class Registry(GeniServer):
 
         record_list = table.resolve(type, hrn)
         if not record_list:
-            raise RecordNotFound(name)
+            raise RecordNotFound(hrn)
         record = record_list[0]
 
         # TODO: sa, ma
@@ -474,7 +533,7 @@ class Registry(GeniServer):
         return True
 
     ##
-    # GENI API: Register
+    # GENI API: Update
     #
     # Update an object in the registry. Currently, this only updates the
     # PLC information associated with the record. The Geni fields (name, type,
@@ -498,14 +557,22 @@ class Registry(GeniServer):
         self.verify_object_permission(record.get_name())
 
         auth_name = get_authority(record.get_name())
+        if not auth_name:
+            auth_name = record.get_name()
         table = self.get_auth_table(auth_name)
 
         # make sure the record exists
         existing_record_list = table.resolve(type, record.get_name())
         if not existing_record_list:
             raise RecordNotFound(record.get_name())
-
         existing_record = existing_record_list[0]
+
+        # Update_membership needs the membership lists in the existing record
+        # filled in, so it can see if members were added or removed
+        self.fill_record_info(existing_record)
+
+        # Use the pointer from the existing record, not the one that the user
+        # gave us. This prevents the user from inserting a forged pointer
         pointer = existing_record.get_pointer()
 
         # update the PLC information that was specified with the record
@@ -535,6 +602,9 @@ class Registry(GeniServer):
         else:
             raise UnknownGeniType(type)
 
+        # update membership for researchers, pis, owners, operators\r
+        self.update_membership(existing_record, record)
+
     ##
     # List the records in an authority. The objectGID in the supplied credential
     # should name the authority that will be listed.
@@ -588,11 +658,10 @@ class Registry(GeniServer):
 
     def resolve_raw(self, type, name, must_exist=True):
         auth_name = get_authority(name)
-
+        if not auth_name:
+            auth_name = name
         table = self.get_auth_table(auth_name)
-
         records = table.resolve(type, name)
-
         if (not records) and must_exist:
             raise RecordNotFound(name)
 
@@ -673,9 +742,9 @@ class Registry(GeniServer):
             rl.add("resolve")
             rl.add("info")
         elif type == "sa":
-            rl.add("authority")
+            rl.add("authority,sa")
         elif type == "ma":
-            rl.add("authority")
+            rl.add("authority,ma")
         elif type == "slice":
             rl.add("refresh")
             rl.add("embed")
@@ -709,8 +778,9 @@ class Registry(GeniServer):
         self.verify_object_belongs_to_me(name)
 
         auth_hrn = get_authority(name)
+        if not auth_hrn:
+            auth_hrn = name
         auth_info = self.get_auth_info(auth_hrn)
-
         # find a record that matches
         records = self.resolve_raw(type, name, must_exist=True)
         record = records[0]
@@ -731,13 +801,47 @@ class Registry(GeniServer):
         rl = self.determine_rights(type, name)
         cred.set_privileges(rl)
 
-        cred.set_parent(self.hierarchy.get_auth_cred(auth_hrn))
+        # determine the type of credential that we want to use as a parent for
+        # this credential.
+
+        if (type == "ma") or (type == "node"):
+            auth_kind = "authority,ma"
+        else: # user, slice, sa
+            auth_kind = "authority,sa"
+
+        cred.set_parent(self.hierarchy.get_auth_cred(auth_hrn, kind=auth_kind))
 
         cred.encode()
         cred.sign()
 
         return cred.save_to_string(save_parents=True)
 
+    ##
+    # verify_cancreate_credential
+    #
+    # Verify that a user can retrieve a particular type of credential. For
+    # slices, the user must be on the researcher list. For SA and MA the user
+    # must be on the pi and operator lists respectively.
+
+    def verify_cancreate_credential(self, src_cred, record):
+        type = record.get_type()
+        cred_object_hrn = src_cred.get_gid_object().get_hrn()
+        config = Config()
+        if cred_object_hrn in [config.GENI_REGISTRY_ROOT_AUTH]:
+            return
+        if type=="slice":
+            researchers = record.get_geni_info().get("researcher", [])
+            if not (cred_object_hrn in researchers):
+                raise PermissionError(cred_object_hrn + " is not in researcher list for " + record.get_name())
+        elif type == "sa":
+            pis = record.get_geni_info().get("pi", [])
+            if not (cred_object_hrn in pis):
+                raise PermissionError(cred_object_hrn + " is not in pi list for " + record.get_name())
+        elif type == "ma":
+            operators = record.get_geni_info().get("operator", [])
+            if not (cred_object_hrn in operators):
+                raise PermissionError(cred_object_hrn + " is not in operator list for " + record.get_name())
+
     ##
     # GENI API: Get_credential
     #
@@ -760,11 +864,19 @@ class Registry(GeniServer):
         self.verify_object_belongs_to_me(name)
 
         auth_hrn = get_authority(name)
+        if not auth_hrn:
+            auth_hrn = name
         auth_info = self.get_auth_info(auth_hrn)
 
         records = self.resolve_raw(type, name, must_exist=True)
         record = records[0]
 
+        # verify_cancreate_credential requires that the member lists
+        # (researchers, pis, etc) be filled in
+        self.fill_record_info(record)
+
+        self.verify_cancreate_credential(self.client_cred, record)
+
         # TODO: Check permission that self.client_cred can access the object
 
         object_gid = record.get_gid_object()
@@ -777,13 +889,77 @@ class Registry(GeniServer):
         rl = self.determine_rights(type, name)
         new_cred.set_privileges(rl)
 
-        new_cred.set_parent(self.hierarchy.get_auth_cred(auth_hrn))
+        # determine the type of credential that we want to use as a parent for
+        # this credential.
+
+        if (type == "ma") or (type == "node"):
+            auth_kind = "authority,ma"
+        else: # user, slice, sa
+            auth_kind = "authority,sa"
+
+        new_cred.set_parent(self.hierarchy.get_auth_cred(auth_hrn, kind=auth_kind))
 
         new_cred.encode()
         new_cred.sign()
 
         return new_cred.save_to_string(save_parents=True)
 
+    ##
+    # GENI API: get_ticket
+    #
+    # Retrieve a ticket. This operation is currently implemented on PLC
+    # only (see SFA, engineering decisions); it is not implemented on
+    # components.
+    #
+    # The ticket is filled in with information from the PLC database. This
+    # information includes resources, and attributes such as user keys and
+    # initscripts.
+    #
+    # @param cred credential string
+    # @param name name of the slice to retrieve a ticket for
+    # @param rspec resource specification dictionary
+    #
+    # @return the string representation of a ticket object
+
+    def get_ticket(self, cred, name, rspec):
+        self.decode_authentication(cred, "getticket")
+
+        self.verify_object_belongs_to_me(name)
+
+        self.verify_object_permission(name)
+
+        # XXX much of this code looks like get_credential... are they so similar
+        # that they should be combined?
+
+        auth_hrn = get_authority(name)
+        if not auth_hrn:
+            auth_hrn = name
+        auth_info = self.get_auth_info(auth_hrn)
+
+        records = self.resolve_raw("slice", name, must_exist=True)
+        record = records[0]
+
+        object_gid = record.get_gid_object()
+        new_ticket = Ticket(subject = object_gid.get_subject())
+        new_ticket.set_gid_caller(self.client_gid)
+        new_ticket.set_gid_object(object_gid)
+        new_ticket.set_issuer(key=auth_info.get_pkey_object(), subject=auth_hrn)
+        new_ticket.set_pubkey(object_gid.get_pubkey())
+
+        self.fill_record_info(record)
+
+        (attributes, rspec) = self.record_to_slice_info(record)
+
+        new_ticket.set_attributes(attributes)
+        new_ticket.set_rspec(rspec)
+
+        new_ticket.set_parent(AuthHierarchy.get_auth_ticket(auth_hrn))
+
+        new_ticket.encode()
+        new_ticket.sign()
+
+        return new_ticket.save_to_string(save_parents=True)
+
     ##
     # GENI_API: Create_gid
     #