2 # Geni Registry Wrapper
4 # This wrapper implements the Geni Registry
14 from geniserver import *
16 from trustedroot import *
17 from hierarchy import *
20 from genitable import *
21 from geniticket import *
24 # Convert geni fields to PLC fields for use when registering up updating
25 # registry record in the PLC database
27 # @params type type of record (user, slice, ...)
28 # @params hrn human readable name
29 # @params geni_fields dictionary of geni fields
30 # @params pl_fields dictionary of PLC fields (output)
32 def geni_fields_to_pl_fields(type, hrn, geni_fields, pl_fields):
34 if not "email" in pl_fields:
35 if not "email" in geni_fields:
36 raise MissingGeniInfo("email")
37 pl_fields["email"] = geni_fields["email"]
39 if not "first_name" in pl_fields:
40 pl_fields["first_name"] = "geni"
42 if not "last_name" in pl_fields:
43 pl_fields["last_name"] = hrn
46 if not "instantiation" in pl_fields:
47 pl_fields["instantiation"] = "plc-instantiated"
48 if not "name" in pl_fields:
49 pl_fields["name"] = hrn_to_pl_slicename(hrn)
50 if not "max_nodes" in pl_fields:
51 pl_fields["max_nodes"] = 10
54 if not "hostname" in pl_fields:
55 if not "dns" in geni_fields:
56 raise MissingGeniInfo("dns")
57 pl_fields["hostname"] = geni_fields["dns"]
59 if not "model" in pl_fields:
60 pl_fields["model"] = "geni"
63 pl_fields["login_base"] = hrn_to_pl_login_base(hrn)
65 if not "name" in pl_fields:
66 pl_fields["name"] = hrn
68 if not "abbreviated_name" in pl_fields:
69 pl_fields["abbreviated_name"] = hrn
71 if not "enabled" in pl_fields:
72 pl_fields["enabled"] = True
74 if not "is_public" in pl_fields:
75 pl_fields["is_public"] = True
78 # Registry is a GeniServer that serves registry requests. It also serves
79 # component and slice operations that are implemented on the registry
80 # due to SFA engineering decisions
83 class Registry(GeniServer):
84 def __init__(self, ip, port, key_file, cert_file):
85 GeniServer.__init__(self, ip, port, key_file, cert_file)
87 # get PL account settings from config module
88 self.pl_auth = get_pl_auth()
90 # connect to planetlab
91 if "Url" in self.pl_auth:
92 self.connect_remote_shell()
94 self.connect_local_shell()
97 # Connect to a remote shell via XMLRPC
99 def connect_remote_shell(self):
101 self.shell = remoteshell.RemoteShell()
104 # Connect to a local shell via local API functions
106 def connect_local_shell(self):
108 self.shell = PLC.Shell.Shell(globals = globals())
111 # Register the server RPCs for the registry
113 def register_functions(self):
114 GeniServer.register_functions(self)
116 self.server.register_function(self.create_gid)
117 self.server.register_function(self.get_self_credential)
118 self.server.register_function(self.get_credential)
119 self.server.register_function(self.get_gid)
120 self.server.register_function(self.register)
121 self.server.register_function(self.remove)
122 self.server.register_function(self.update)
123 self.server.register_function(self.list)
124 self.server.register_function(self.resolve)
125 # component interface
126 self.server.register_function(self.get_ticket)
129 # Given an authority name, return the information for that authority. This
130 # is basically a stub that calls the hierarchy module.
132 # @param auth_hrn human readable name of authority
134 def get_auth_info(self, auth_hrn):
135 return AuthHierarchy.get_auth_info(auth_hrn)
138 # Given an authority name, return the database table for that authority. If
139 # the database table does not exist, then one will be automatically
142 # @param auth_name human readable name of authority
144 def get_auth_table(self, auth_name):
145 auth_info = self.get_auth_info(auth_name)
147 table = GeniTable(hrn=auth_name,
148 cninfo=auth_info.get_dbinfo())
150 # if the table doesn't exist, then it means we haven't put any records
151 # into this authority yet.
153 if not table.exists():
154 report.trace("Registry: creating table for authority " + auth_name)
160 # Verify that an authority belongs to this registry. This is basically left
161 # up to the implementation of the hierarchy module. If the specified name
162 # does not belong to this registry, an exception is thrown indicating the
163 # caller should contact someone else.
165 # @param auth_name human readable name of authority
167 def verify_auth_belongs_to_me(self, name):
168 # get_auth_info will throw an exception if the authority does not
170 self.get_auth_info(name)
173 # Verify that an object belongs to this registry. By extension, this implies
174 # that the authority that owns the object belongs to this registry. If the
175 # object does not belong to this registry, then an exception is thrown.
177 # @param name human readable name of object
179 def verify_object_belongs_to_me(self, name):
180 auth_name = get_authority(name)
182 # the root authority belongs to the registry by default?
183 # TODO: is this true?
185 self.verify_auth_belongs_to_me(auth_name)
188 # Verify that the object_gid that was specified in the credential allows
189 # permission to the object 'name'. This is done by a simple prefix test.
190 # For example, an object_gid for planetlab.us.arizona would match the
191 # objects planetlab.us.arizona.slice1 and planetlab.us.arizona.
193 # @param name human readable name to test
195 def verify_object_permission(self, name):
196 object_hrn = self.object_gid.get_hrn()
197 if object_hrn == name:
199 if name.startswith(object_hrn + "."):
201 raise PermissionError(name)
204 # Fill in the planetlab-specific fields of a Geni record. This involves
205 # calling the appropriate PLC methods to retrieve the database record for
208 # PLC data is filled into the pl_info field of the record.
210 # @param record record to fill in fields (in/out param)
212 def fill_record_pl_info(self, record):
213 type = record.get_type()
214 pointer = record.get_pointer()
216 # records with pointer==-1 do not have plc info associated with them.
217 # for example, the top level authority records which are
218 # authorities, but not PL "sites"
222 if (type == "sa") or (type == "ma"):
223 pl_res = self.shell.GetSites(self.pl_auth, [pointer])
224 elif (type == "slice"):
225 pl_res = self.shell.GetSlices(self.pl_auth, [pointer])
226 elif (type == "user"):
227 pl_res = self.shell.GetPersons(self.pl_auth, [pointer])
228 elif (type == "node"):
229 pl_res = self.shell.GetNodes(self.pl_auth, [pointer])
231 raise UnknownGeniType(type)
234 # the planetlab record no longer exists
235 # TODO: delete the geni record ?
236 raise PlanetLabRecordDoesNotExist(record.get_name())
238 record.set_pl_info(pl_res[0])
241 # Look up user records given PLC user-ids. This is used as part of the
242 # process for reverse-mapping PLC records into Geni records.
244 # @param auth_table database table for the authority that holds the user records
245 # @param user_id_list list of user ids
246 # @param role either "*" or a string describing the role to look for ("pi", "user", ...)
248 # TODO: This function currently only searches one authority because it would
249 # be inefficient to brute-force search all authorities for a user id. The
250 # solution would likely be to implement a reverse mapping of user-id to
253 def lookup_users(self, auth_table, user_id_list, role="*"):
255 for person_id in user_id_list:
256 user_records = auth_table.find("user", person_id, "pointer")
257 for user_record in user_records:
258 self.fill_record_info(user_record)
260 user_roles = user_record.get_pl_info().get("roles")
261 if (role=="*") or (role in user_roles):
262 record_list.append(user_record.get_name())
266 # Fill in the geni-specific fields of the record.
268 # Note: It is assumed the fill_record_pl_info() has already been performed
271 def fill_record_geni_info(self, record):
273 type = record.get_type()
275 if (type == "slice"):
276 auth_table = self.get_auth_table(get_authority(record.get_name()))
277 person_ids = record.pl_info.get("person_ids", [])
278 researchers = self.lookup_users(auth_table, person_ids)
279 geni_info['researcher'] = researchers
282 auth_table = self.get_auth_table(record.get_name())
283 person_ids = record.pl_info.get("person_ids", [])
284 pis = self.lookup_users(auth_table, person_ids, "pi")
285 geni_info['pi'] = pis
286 # TODO: OrganizationName
289 auth_table = self.get_auth_table(record.get_name())
290 person_ids = record.pl_info.get("person_ids", [])
291 operators = self.lookup_users(auth_table, person_ids, "tech")
292 geni_info['operator'] = operators
293 # TODO: OrganizationName
295 auth_table = self.get_auth_table(record.get_name())
296 person_ids = record.pl_info.get("person_ids", [])
297 owners = self.lookup_users(auth_table, person_ids, "admin")
298 geni_info['owner'] = owners
300 elif (type == "node"):
301 geni_info['dns'] = record.pl_info.get("hostname", "")
302 # TODO: URI, LatLong, IP, DNS
304 elif (type == "user"):
305 geni_info['email'] = record.pl_info.get("email", "")
306 # TODO: PostalAddress, Phone
308 record.set_geni_info(geni_info)
311 # Given a Geni record, fill in the PLC-specific and Geni-specific fields
314 def fill_record_info(self, record):
315 self.fill_record_pl_info(record)
316 self.fill_record_geni_info(record)
321 # Register an object with the registry. In addition to being stored in the
322 # Geni database, the appropriate records will also be created in the
325 # @param cred credential string
326 # @param record_dict dictionary containing record fields
328 def register(self, cred, record_dict):
329 self.decode_authentication(cred, "register")
331 record = GeniRecord(dict = record_dict)
332 type = record.get_type()
333 name = record.get_name()
335 auth_name = get_authority(name)
336 self.verify_object_permission(auth_name)
337 auth_info = self.get_auth_info(auth_name)
338 table = self.get_auth_table(auth_name)
342 # check if record already exists
343 existing_records = table.resolve(type, name)
345 raise ExistingRecord(name)
347 if (type == "sa") or (type=="ma"):
349 if not AuthHierarchy.auth_exists(name):
350 AuthHierarchy.create_auth(name)
352 # authorities are special since they are managed by the registry
353 # rather than by the caller. We create our own GID for the
354 # authority rather than relying on the caller to supply one.
356 # get the GID from the newly created authority
357 child_auth_info = self.get_auth_info(name)
358 gid = auth_info.get_gid_object()
359 record.set_gid(gid.save_to_string(save_parents=True))
361 geni_fields = record.get_geni_info()
362 site_fields = record.get_pl_info()
364 # if registering a sa, see if a ma already exists
365 # if registering a ma, see if a sa already exists
367 other_rec = table.resolve("ma", record.get_name())
369 other_rec = table.resolve("sa", record.get_name())
372 print "linking ma and sa to the same plc site"
373 pointer = other_rec[0].get_pointer()
375 geni_fields_to_pl_fields(type, name, geni_fields, site_fields)
376 print "adding site with fields", site_fields
377 pointer = self.shell.AddSite(self.pl_auth, site_fields)
379 record.set_pointer(pointer)
381 elif (type == "slice"):
382 geni_fields = record.get_geni_info()
383 slice_fields = record.get_pl_info()
385 geni_fields_to_pl_fields(type, name, geni_fields, slice_fields)
387 pointer = self.shell.AddSlice(self.pl_auth, slice_fields)
388 record.set_pointer(pointer)
390 elif (type == "user"):
391 geni_fields = record.get_geni_info()
392 user_fields = record.get_pl_info()
394 geni_fields_to_pl_fields(type, name, geni_fields, user_fields)
396 pointer = self.shell.AddPerson(self.pl_auth, user_fields)
397 record.set_pointer(pointer)
399 elif (type == "node"):
400 geni_fields = record.get_geni_info()
401 node_fields = record.get_pl_info()
403 geni_fields_to_pl_fields(type, name, geni_fields, node_fields)
405 login_base = hrn_to_pl_login_base(auth_name)
407 print "calling addnode with", login_base, node_fields
408 pointer = self.shell.AddNode(self.pl_auth, login_base, node_fields)
409 record.set_pointer(pointer)
412 raise UnknownGeniType(type)
416 return record.get_gid_object().save_to_string(save_parents=True)
421 # Remove an object from the registry. If the object represents a PLC object,
422 # then the PLC records will also be removed.
424 # @param cred credential string
425 # @param record_dict dictionary containing record fields. The only relevant
426 # fields of the record are 'name' and 'type', which are used to lookup
427 # the current copy of the record in the Geni database, to make sure
428 # that the appopriate record is removed.
430 def remove(self, cred, record_dict):
431 self.decode_authentication(cred, "remove")
433 record = GeniRecord(dict = record_dict)
434 type = record.get_type()
436 self.verify_object_permission(record.get_name())
438 auth_name = get_authority(record.get_name())
439 table = self.get_auth_table(auth_name)
441 # let's not trust that the caller has a well-formed record (a forged
442 # pointer field could be a disaster), so look it up ourselves
443 record_list = table.resolve(type, record.get_name())
445 raise RecordNotFound(name)
446 record = record_list[0]
450 self.shell.DeletePerson(self.pl_auth, record.get_pointer())
451 elif type == "slice":
452 self.shell.DeleteSlice(self.pl_auth, record.get_pointer())
454 self.shell.DeleteNode(self.pl_auth, record.get_pointer())
455 elif (type == "sa") or (type == "ma"):
457 other_rec = table.resolve("ma", record.get_name())
459 other_rec = table.resolve("sa", record.get_name())
462 # sa and ma both map to a site, so if we are deleting one
463 # but the other still exists, then do not delete the site
464 print "not removing site", record.get_name(), "because either sa or ma still exists"
467 print "removing site", record.get_name()
468 self.shell.DeleteSite(self.pl_auth, record.get_pointer())
470 raise UnknownGeniType(type)
479 # Update an object in the registry. Currently, this only updates the
480 # PLC information associated with the record. The Geni fields (name, type,
483 # The record is expected to have the pl_info field filled in with the data
484 # that should be updated.
486 # TODO: The geni_info member of the record should be parsed and the pl_info
487 # adjusted as necessary (add/remove users from a slice, etc)
489 # @param cred credential string specifying rights of the caller
490 # @param record a record dictionary to be updated
492 def update(self, cred, record_dict):
493 self.decode_authentication(cred, "update")
495 record = GeniRecord(dict = record_dict)
496 type = record.get_type()
498 self.verify_object_permission(record.get_name())
500 auth_name = get_authority(record.get_name())
501 table = self.get_auth_table(auth_name)
503 # make sure the record exists
504 existing_record_list = table.resolve(type, record.get_name())
505 if not existing_record_list:
506 raise RecordNotFound(record.get_name())
508 existing_record = existing_record_list[0]
509 pointer = existing_record.get_pointer()
511 # update the PLC information that was specified with the record
513 if (type == "sa") or (type == "ma"):
514 self.shell.UpdateSite(self.pl_auth, pointer, record.get_pl_info())
516 elif type == "slice":
517 self.shell.UpdateSlice(self.pl_auth, pointer, record.get_pl_info())
520 self.shell.UpdatePerson(self.pl_auth, pointer, record.get_pl_info())
523 self.shell.UpdateNode(self.pl_auth, pointer, record.get_pl_info())
526 raise UnknownGeniType(type)
529 # List the records in an authority. The objectGID in the supplied credential
530 # should name the authority that will be listed.
532 # TODO: List doesn't take an hrn and uses the hrn contained in the
533 # objectGid of the credential. Does this mean the only way to list an
534 # authority is by having a credential for that authority?
536 # @param cred credential string specifying rights of the caller
538 # @return list of record dictionaries
539 def list(self, cred):
540 self.decode_authentication(cred, "list")
542 auth_name = self.object_gid.get_hrn()
543 table = self.get_auth_table(auth_name)
545 records = table.list()
548 for record in records:
550 self.fill_record_info(record)
551 good_records.append(record)
552 except PlanetLabRecordDoesNotExist:
553 # silently drop the ones that are missing in PL.
554 # is this the right thing to do?
555 report.error("ignoring geni record " + record.get_name() + " because pl record does not exist")
559 for record in good_records:
560 dicts.append(record.as_dict())
567 # Resolve a record. This is an internal version of the Resolve API call
568 # and returns records in record object format rather than dictionaries
569 # that may be sent over XMLRPC.
571 # @param type type of record to resolve (user | sa | ma | slice | node)
572 # @param name human readable name of object
573 # @param must_exist if True, throw an exception if no records are found
575 # @return a list of record objects, or an empty list []
577 def resolve_raw(self, type, name, must_exist=True):
578 auth_name = get_authority(name)
580 table = self.get_auth_table(auth_name)
582 records = table.resolve(type, name)
584 if (not records) and must_exist:
585 raise RecordNotFound(name)
588 for record in records:
590 self.fill_record_info(record)
591 good_records.append(record)
592 except PlanetLabRecordDoesNotExist:
593 # silently drop the ones that are missing in PL.
594 # is this the right thing to do?
595 report.error("ignoring geni record " + record.get_name() + " because pl record does not exist")
603 # This is a wrapper around resolve_raw that converts records objects into
604 # dictionaries before returning them to the user.
606 # @param cred credential string authorizing the caller
607 # @param name human readable name to resolve
609 # @return a list of record dictionaries, or an empty list
611 def resolve(self, cred, name):
612 self.decode_authentication(cred, "resolve")
614 records = self.resolve_raw("*", name)
616 for record in records:
617 dicts.append(record.as_dict())
624 # Retrieve the GID for an object. This function looks up a record in the
625 # registry and returns the GID of the record if it exists.
626 # TODO: Is this function needed? It's a shortcut for Resolve()
628 # @param name hrn to look up
630 # @return the string representation of a GID object
632 def get_gid(self, name):
633 self.verify_object_belongs_to_me(name)
634 records = self.resolve_raw("*", name)
636 for record in records:
637 gid = record.get_gid()
638 gid_string_list.append(gid.save_to_string(save_parents=True))
639 return gid_string_list
642 # Determine tje rights that an object should have. The rights are entirely
643 # dependent on the type of the object. For example, users automatically
644 # get "refresh", "resolve", and "info".
646 # @param type the type of the object (user | sa | ma | slice | node)
647 # @param name human readable name of the object (not used at this time)
649 # @return RightList object containing rights
651 def determine_rights(self, type, name):
654 # rights seem to be somewhat redundant with the type of the credential.
655 # For example, a "sa" credential implies the authority right, because
656 # a sa credential cannot be issued to a user who is not an owner of
667 elif type == "slice":
672 elif type == "component":
678 # GENI API: Get_self_credential
680 # Get_self_credential a degenerate version of get_credential used by a
681 # client to get his initial credential when he doesn't have one. This is
682 # the same as get_credential(..., cred=None,...).
684 # The registry ensures that the client is the principal that is named by
685 # (type, name) by comparing the public key in the record's GID to the
686 # private key used to encrypt the client-side of the HTTPS connection. Thus
687 # it is impossible for one principal to retrieve another principal's
688 # credential without having the appropriate private key.
690 # @param type type of object (user | slice | sa | ma | node
691 # @param name human readable name of object
693 # @return the string representation of a credential object
695 def get_self_credential(self, type, name):
696 self.verify_object_belongs_to_me(name)
698 auth_hrn = get_authority(name)
699 auth_info = self.get_auth_info(auth_hrn)
701 # find a record that matches
702 records = self.resolve_raw(type, name, must_exist=True)
705 gid = record.get_gid_object()
706 peer_cert = self.server.peer_cert
707 if not peer_cert.is_pubkey(gid.get_pubkey()):
708 raise ConnectionKeyGIDMismatch(gid.get_subject())
710 # create the credential
711 gid = record.get_gid_object()
712 cred = Credential(subject = gid.get_subject())
713 cred.set_gid_caller(gid)
714 cred.set_gid_object(gid)
715 cred.set_issuer(key=auth_info.get_pkey_object(), subject=auth_hrn)
716 cred.set_pubkey(gid.get_pubkey())
718 rl = self.determine_rights(type, name)
719 cred.set_privileges(rl)
721 cred.set_parent(AuthHierarchy.get_auth_cred(auth_hrn))
726 return cred.save_to_string(save_parents=True)
729 # GENI API: Get_credential
731 # Retrieve a credential for an object.
733 # If cred==None, then the behavior reverts to get_self_credential()
735 # @param cred credential object specifying rights of the caller
736 # @param type type of object (user | slice | sa | ma | node)
737 # @param name human readable name of object
739 # @return the string representation of a credental object
741 def get_credential(self, cred, type, name):
743 return get_self_credential(self, type, name)
745 self.decode_authentication(cred, "getcredential")
747 self.verify_object_belongs_to_me(name)
749 auth_hrn = get_authority(name)
750 auth_info = self.get_auth_info(auth_hrn)
752 records = self.resolve_raw(type, name, must_exist=True)
755 # TODO: Check permission that self.client_cred can access the object
757 object_gid = record.get_gid_object()
758 new_cred = Credential(subject = object_gid.get_subject())
759 new_cred.set_gid_caller(self.client_gid)
760 new_cred.set_gid_object(object_gid)
761 new_cred.set_issuer(key=auth_info.get_pkey_object(), subject=auth_hrn)
762 new_cred.set_pubkey(object_gid.get_pubkey())
764 rl = self.determine_rights(type, name)
765 new_cred.set_privileges(rl)
767 new_cred.set_parent(AuthHierarchy.get_auth_cred(auth_hrn))
772 return new_cred.save_to_string(save_parents=True)
775 # GENI_API: Create_gid
777 # Create a new GID. For MAs and SAs that are physically located on the
778 # registry, this allows a owner/operator/PI to create a new GID and have it
779 # signed by his respective authority.
781 # @param cred credential of caller
782 # @param name hrn for new GID
783 # @param uuid unique identifier for new GID
784 # @param pkey_string public-key string (TODO: why is this a string and not a keypair object?)
786 # @return the string representation of a GID object
788 def create_gid(self, cred, name, uuid, pubkey_str):
789 self.decode_authentication(cred, "getcredential")
791 self.verify_object_belongs_to_me(name)
793 self.verify_object_permission(name)
799 pkey.load_pubkey_from_string(pubkey_str)
800 gid = AuthHierarchy.create_gid(name, uuid, pkey)
802 return gid.save_to_string(save_parents=True)
804 # ------------------------------------------------------------------------
805 # Component Interface
808 # Convert a PLC record into the slice information that will be stored in
809 # a ticket. There are two parts to this information: attributes and
812 # Attributes are non-resource items, such as keys and the initscript
813 # Rspec is a set of resource specifications
815 # @param record a record object
817 # @return a tuple (attrs, rspec) of dictionaries
819 def record_to_slice_info(self, record):
821 # get the user keys from the slice
823 persons = self.shell.GetPersons(self.pl_auth, record.pl_info['person_ids'])
824 for person in persons:
825 person_keys = self.shell.GetKeys(self.pl_auth, person["key_ids"])
826 for person_key in person_keys:
827 keys = keys + [person_key['key']]
830 attributes['name'] = record.pl_info['name']
831 attributes['keys'] = keys
832 attributes['instantiation'] = record.pl_info['instantiation']
833 attributes['vref'] = 'default'
834 attributes['timestamp'] = time.time()
838 # get the PLC attributes and separate them into slice attributes and
841 filter['slice_id'] = record.pl_info['slice_id']
842 plc_attrs = self.shell.GetSliceAttributes(self.pl_auth, filter)
843 for attr in plc_attrs:
846 # initscripts: lookup the contents of the initscript and store it
847 # in the ticket attributes
848 if (name == "initscript"):
849 filter={'name': attr['value']}
850 initscripts = self.shell.GetInitScripts(self.pl_auth, filter)
852 attributes['initscript'] = initscripts[0]['script']
854 rspec[name] = attr['value']
856 return (attributes, rspec)
859 # GENI API: get_ticket
861 # Retrieve a ticket. This operation is currently implemented on the
862 # registry (see SFA, engineering decisions), and is not implemented on
865 # The ticket is filled in with information from the PLC database. This
866 # information includes resources, and attributes such as user keys and
869 # @param cred credential string
870 # @param name name of the slice to retrieve a ticket for
871 # @param rspec resource specification dictionary
873 # @return the string representation of a ticket object
875 def get_ticket(self, cred, name, rspec):
876 self.decode_authentication(cred, "getticket")
878 self.verify_object_belongs_to_me(name)
880 self.verify_object_permission(name)
882 # XXX much of this code looks like get_credential... are they so similar
883 # that they should be combined?
885 auth_hrn = get_authority(name)
886 auth_info = self.get_auth_info(auth_hrn)
888 records = self.resolve_raw("slice", name, must_exist=True)
891 object_gid = record.get_gid_object()
892 new_ticket = Ticket(subject = object_gid.get_subject())
893 new_ticket.set_gid_caller(self.client_gid)
894 new_ticket.set_gid_object(object_gid)
895 new_ticket.set_issuer(key=auth_info.get_pkey_object(), subject=auth_hrn)
896 new_ticket.set_pubkey(object_gid.get_pubkey())
898 self.fill_record_info(record)
900 (attributes, rspec) = self.record_to_slice_info(record)
902 new_ticket.set_attributes(attributes)
903 new_ticket.set_rspec(rspec)
905 new_ticket.set_parent(AuthHierarchy.get_auth_ticket(auth_hrn))
910 return new_ticket.save_to_string(save_parents=True)
913 if __name__ == "__main__":
917 key_file = "server.key"
918 cert_file = "server.cert"
920 # if no key is specified, then make one up
921 if (not os.path.exists(key_file)) or (not os.path.exists(cert_file)):
922 key = Keypair(create=True)
923 key.save_to_file(key_file)
925 cert = Certificate(subject="registry")
926 cert.set_issuer(key=key, subject="registry")
929 cert.save_to_file(cert_file)
931 AuthHierarchy = Hierarchy()
933 TrustedRoots = TrustedRootList()
935 s = Registry("", 12345, key_file, cert_file)
936 s.trusted_cert_list = TrustedRoots.get_list()