-# hierarchy.py
+##
+# This module implements a hierarchy of authorities and performs a similar
+# function as the "tree" module of the original geniwrapper prototype. An HRN
+# is assumed to be a string of authorities separated by dots. For example,
+# "planetlab.us.arizona.bakers". Each component of the HRN is a different
+# authority, with the last component being a leaf in the tree.
#
-# hierarchy of GENI authorities
-#
-# This correspond's almost identically to the functionality of Soner's
-# "tree" module. Each component of an HRN is stored in a different subdirectory.
-# Inside this subdirectory are:
+# Each authority is stored in a subdirectory on the registry. Inside this
+# subdirectory are several files:
# *.GID - GID file
# *.PKEY - private key file
# *.DBINFO - database info
+##
import os
import report
from config import *
from geniticket import *
+##
+# The AuthInfo class contains the information for an authority. This information
+# includes the GID, private key, and database connection information.
+
class AuthInfo():
hrn = None
gid_object = None
privkey_filename = None
dbinfo_filename = None
+ ##
+ # Initialize and authority object.
+ #
+ # @param hrn the human readable name of the authority
+ # @param gid_filename the filename containing the GID
+ # @param privkey_filename the filename containing the private key
+ # @param dbinfo_filename the filename containing the database info
+
def __init__(self, hrn, gid_filename, privkey_filename, dbinfo_filename):
self.hrn = hrn
self.set_gid_filename(gid_filename)
self.privkey_filename = privkey_filename
self.dbinfo_filename = dbinfo_filename
+ ##
+ # Set the filename of the GID
+ #
+ # @param fn filename of file containing GID
+
def set_gid_filename(self, fn):
self.gid_filename = fn
self.gid_object = None
+ ##
+ # Get the GID in the form of a GID object
+
def get_gid_object(self):
if not self.gid_object:
self.gid_object = GID(filename = self.gid_filename)
return self.gid_object
+ ##
+ # Get the private key in the form of a Keypair object
+
def get_pkey_object(self):
return Keypair(filename = self.privkey_filename)
+ ##
+ # Get the dbinfo in the form of a dictionary
+
def get_dbinfo(self):
f = file(self.dbinfo_filename)
dict = eval(f.read())\r
f.close()\r
return dict\r
\r
+ ##\r
+ # Replace the GID with a new one. The file specified by gid_filename is\r
+ # overwritten with the new GID object\r
+ #\r
+ # @param gid object containing new GID\r
+\r
def update_gid_object(self, gid):\r
gid.save_to_file(self.gid_filename)\r
self.gid_object = gid\r
+\r
+##\r
+# The Hierarchy class is responsible for managing the tree of authorities.\r
+# Each authority is a node in the tree and exists as an AuthInfo object.\r
+#\r
+# The tree is stored on disk in a hierarchical manner than reflects the\r
+# structure of the tree. Each authority is a subdirectory, and each subdirectory\r
+# contains the GID, pkey, and dbinfo files for that authority (as well as\r
+# subdirectories for each sub-authority)\r
class Hierarchy():
+ ##
+ # Create the hierarchy object.
+ #
+ # @param basedir the base directory to store the hierarchy in
+
def __init__(self, basedir="."):
self.basedir = os.path.join(basedir, "authorities")
+ ##
+ # Given a hrn, return the filenames of the GID, private key, and dbinfo
+ # files.
+ #
+ # @param hrn the human readable name of the authority
+
def get_auth_filenames(self, hrn):
leaf = get_leaf(hrn)
parent_hrn = get_authority(hrn)
return (directory, gid_filename, privkey_filename, dbinfo_filename)
+ ##
+ # Check to see if an authority exists. An authority exists if it's disk
+ # files exist.
+ #
+ # @param the human readable name of the authority to check
+
def auth_exists(self, hrn):
(directory, gid_filename, privkey_filename, dbinfo_filename) = \
self.get_auth_filenames(hrn)
os.path.exists(privkey_filename) and \
os.path.exists(dbinfo_filename)
+ ##
+ # Create an authority. A private key for the authority and the associated
+ # GID are created and signed by the parent authority.
+ #
+ # @param hrn the human readable name of the authority to create
+ # @param create_parents if true, also create the parents if they do not exist
+
def create_auth(self, hrn, create_parents=False):
report.trace("Hierarchy: creating authority: " + hrn)
dbinfo_file.write(str(dbinfo))\r
dbinfo_file.close()
+ ##
+ # Return the AuthInfo object for the specified authority. If the authority
+ # does not exist, then an exception is thrown. As a side effect, disk files
+ # and a subdirectory may be created to store the authority.
+ #
+ # @param hrn the human readable name of the authority to create.
+
def get_auth_info(self, hrn):
#report.trace("Hierarchy: getting authority: " + hrn)
return auth_info
+ ##
+ # Create a new GID. The GID will be signed by the authority that is it's
+ # immediate parent in the hierarchy (and recursively, the parents' GID
+ # will be signed by its parent)
+ #
+ # @param hrn the human readable name to store in the GID
+ # @param uuid the unique identifier to store in the GID
+ # @param pkey the public key to store in the GID
+
def create_gid(self, hrn, uuid, pkey):
gid = GID(subject=hrn, uuid=uuid, hrn=hrn)
return gid
+ ##
+ # Refresh a GID. The primary use of this function is to refresh the
+ # the expiration time of the GID. It may also be used to change the HRN,
+ # UUID, or Public key of the GID.
+ #
+ # @param gid the GID to refresh
+ # @param hrn if !=None, change the hrn
+ # @param uuid if !=None, change the uuid
+ # @param pubkey if !=None, change the public key
+
def refresh_gid(self, gid, hrn=None, uuid=None, pubkey=None):
# TODO: compute expiration time of GID, refresh it if necessary
gid_is_expired = False
return gid
+ ##
+ # Retrieve an authority credential for an authority. The authority
+ # credential will contain the authority privilege and will be signed by
+ # the authority's parent.
+ #
+ # @param hrn the human readable name of the authority
+
def get_auth_cred(self, hrn):
auth_info = self.get_auth_info(hrn)
gid = auth_info.get_gid_object()
cred.sign()
return cred
-
- # this looks almost the same as get_auth_cred, but works for tickets
+ ##
+ # Retrieve an authority ticket. An authority ticket is not actually a
+ # redeemable ticket, but only serves the purpose of being included as the
+ # parent of another ticket, in order to provide a chain of authentication
+ # for a ticket.
+ #
+ # This looks almost the same as get_auth_cred, but works for tickets
# XXX does similarity imply there should be more code re-use?
+ #
+ # @param hrn the human readable name of the authority
+
def get_auth_ticket(self, hrn):
auth_info = self.get_auth_info(hrn)
gid = auth_info.get_gid_object()