registry/registry.py

   1 ##
   2 # Geni Registry Wrapper
   3 #
   4 # This wrapper implements the Geni Registry
   5 ##
   6
   7 import tempfile
   8 import os
   9 import time
  10 import sys
  11
  12 from cert import *
  13 from gid import *
  14 from geniserver import *
  15 from excep import *
  16 from trustedroot import *
  17 from hierarchy import *
  18 from misc import *
  19 from record import *
  20 from genitable import *
  21 from geniticket import *
  22
  23 ##
  24 # Convert geni fields to PLC fields for use when registering up updating
  25 # registry record in the PLC database
  26 #
  27 # @params type type of record (user, slice, ...)
  28 # @params hrn human readable name
  29 # @params geni_fields dictionary of geni fields
  30 # @params pl_fields dictionary of PLC fields (output)
  31
  32 def geni_fields_to_pl_fields(type, hrn, geni_fields, pl_fields):
  33     if type == "user":
  34         if not "email" in pl_fields:
  35             if not "email" in geni_fields:
  36                 raise MissingGeniInfo("email")
  37             pl_fields["email"] = geni_fields["email"]
  38
  39         if not "first_name" in pl_fields:
  40             pl_fields["first_name"] = "geni"
  41
  42         if not "last_name" in pl_fields:
  43             pl_fields["last_name"] = hrn
  44
  45     elif type == "slice":
  46         if not "instantiation" in pl_fields:
  47             pl_fields["instantiation"] = "plc-instantiated"
  48         if not "name" in pl_fields:
  49             pl_fields["name"] = hrn_to_pl_slicename(hrn)
  50         if not "max_nodes" in pl_fields:
  51             pl_fields["max_nodes"] = 10
  52
  53     elif type == "node":
  54         if not "hostname" in pl_fields:
  55             if not "dns" in geni_fields:
  56                 raise MissingGeniInfo("dns")
  57             pl_fields["hostname"] = geni_fields["dns"]
  58
  59         if not "model" in pl_fields:
  60             pl_fields["model"] = "geni"
  61
  62     elif type == "sa":
  63         pl_fields["login_base"] = hrn_to_pl_login_base(hrn)
  64
  65         if not "name" in pl_fields:
  66             pl_fields["name"] = hrn
  67
  68         if not "abbreviated_name" in pl_fields:
  69             pl_fields["abbreviated_name"] = hrn
  70
  71         if not "enabled" in pl_fields:
  72             pl_fields["enabled"] = True
  73
  74         if not "is_public" in pl_fields:
  75             pl_fields["is_public"] = True
  76
  77 ##
  78 # Registry is a GeniServer that serves registry requests. It also serves
  79 # component and slice operations that are implemented on the registry
  80 # due to SFA engineering decisions
  81 #
  82
  83 class Registry(GeniServer):
  84     def __init__(self, ip, port, key_file, cert_file):
  85         GeniServer.__init__(self, ip, port, key_file, cert_file)
  86
  87         # get PL account settings from config module
  88         self.pl_auth = get_pl_auth()
  89
  90         # connect to planetlab
  91         if "Url" in self.pl_auth:
  92             self.connect_remote_shell()
  93         else:
  94             self.connect_local_shell()
  95
  96     ##
  97     # Connect to a remote shell via XMLRPC
  98
  99     def connect_remote_shell(self):
 100         import remoteshell
 101         self.shell = remoteshell.RemoteShell()
 102
 103     ##
 104     # Connect to a local shell via local API functions
 105
 106     def connect_local_shell(self):
 107         import PLC.Shell
 108         self.shell = PLC.Shell.Shell(globals = globals())
 109
 110     ##
 111     # Register the server RPCs for the registry
 112
 113     def register_functions(self):
 114         GeniServer.register_functions(self)
 115         # registry interface
 116         self.server.register_function(self.create_gid)
 117         self.server.register_function(self.get_self_credential)
 118         self.server.register_function(self.get_credential)
 119         self.server.register_function(self.get_gid)
 120         self.server.register_function(self.register)
 121         self.server.register_function(self.remove)
 122         self.server.register_function(self.update)
 123         self.server.register_function(self.list)
 124         self.server.register_function(self.resolve)
 125         # component interface
 126         self.server.register_function(self.get_ticket)
 127
 128     ##
 129     # Given an authority name, return the information for that authority. This
 130     # is basically a stub that calls the hierarchy module.
 131     #
 132     # @param auth_hrn human readable name of authority
 133
 134     def get_auth_info(self, auth_hrn):
 135         return AuthHierarchy.get_auth_info(auth_hrn)
 136
 137     ##
 138     # Given an authority name, return the database table for that authority. If
 139     # the database table does not exist, then one will be automatically
 140     # created.
 141     #
 142     # @param auth_name human readable name of authority
 143
 144     def get_auth_table(self, auth_name):
 145         auth_info = self.get_auth_info(auth_name)
 146
 147         table = GeniTable(hrn=auth_name,
 148                           cninfo=auth_info.get_dbinfo())
 149
 150         # if the table doesn't exist, then it means we haven't put any records
 151         # into this authority yet.
 152
 153         if not table.exists():
 154             report.trace("Registry: creating table for authority " + auth_name)
 155             table.create()
 156
 157         return table
 158
 159     ##
 160     # Verify that an authority belongs to this registry. This is basically left
 161     # up to the implementation of the hierarchy module. If the specified name
 162     # does not belong to this registry, an exception is thrown indicating the
 163     # caller should contact someone else.
 164     #
 165     # @param auth_name human readable name of authority
 166
 167     def verify_auth_belongs_to_me(self, name):
 168         # get_auth_info will throw an exception if the authority does not
 169         # exist
 170         self.get_auth_info(name)
 171
 172     ##
 173     # Verify that an object belongs to this registry. By extension, this implies
 174     # that the authority that owns the object belongs to this registry. If the
 175     # object does not belong to this registry, then an exception is thrown.
 176     #
 177     # @param name human readable name of object
 178
 179     def verify_object_belongs_to_me(self, name):
 180         auth_name = get_authority(name)
 181         if not auth_name:
 182             # the root authority belongs to the registry by default?
 183             # TODO: is this true?
 184             return
 185         self.verify_auth_belongs_to_me(auth_name)
 186
 187     ##
 188     # Verify that the object_gid that was specified in the credential allows
 189     # permission to the object 'name'. This is done by a simple prefix test.
 190     # For example, an object_gid for planetlab.us.arizona would match the
 191     # objects planetlab.us.arizona.slice1 and planetlab.us.arizona.
 192     #
 193     # @param name human readable name to test
 194
 195     def verify_object_permission(self, name):
 196         object_hrn = self.object_gid.get_hrn()
 197         if object_hrn == name:
 198             return
 199         if name.startswith(object_hrn + "."):
 200             return
 201         raise PermissionError(name)
 202
 203     ##
 204     # Fill in the planetlab-specific fields of a Geni record. This involves
 205     # calling the appropriate PLC methods to retrieve the database record for
 206     # the object.
 207     #
 208     # PLC data is filled into the pl_info field of the record.
 209     #
 210     # @param record record to fill in fields (in/out param)
 211
 212     def fill_record_pl_info(self, record):
 213         type = record.get_type()
 214         pointer = record.get_pointer()
 215
 216         # records with pointer==-1 do not have plc info associated with them.
 217         # for example, the top level authority records which are
 218         # authorities, but not PL "sites"
 219         if pointer == -1:
 220             return
 221
 222         if (type == "sa") or (type == "ma"):
 223             pl_res = self.shell.GetSites(self.pl_auth, [pointer])
 224         elif (type == "slice"):
 225             pl_res = self.shell.GetSlices(self.pl_auth, [pointer])
 226         elif (type == "user"):
 227             pl_res = self.shell.GetPersons(self.pl_auth, [pointer])
 228         elif (type == "node"):
 229             pl_res = self.shell.GetNodes(self.pl_auth, [pointer])
 230         else:
 231             raise UnknownGeniType(type)
 232
 233         if not pl_res:
 234             # the planetlab record no longer exists
 235             # TODO: delete the geni record ?
 236             raise PlanetLabRecordDoesNotExist(record.get_name())
 237
 238         record.set_pl_info(pl_res[0])
 239
 240     ##
 241     # Look up user records given PLC user-ids. This is used as part of the
 242     # process for reverse-mapping PLC records into Geni records.
 243     #
 244     # @param auth_table database table for the authority that holds the user records
 245     # @param user_id_list list of user ids
 246     # @param role either "*" or a string describing the role to look for ("pi", "user", ...)
 247     #
 248     # TODO: This function currently only searches one authority because it would
 249     # be inefficient to brute-force search all authorities for a user id. The
 250     # solution would likely be to implement a reverse mapping of user-id to
 251     # (type, hrn) pairs.
 252
 253     def lookup_users(self, auth_table, user_id_list, role="*"):
 254         record_list = []
 255         for person_id in user_id_list:
 256             user_records = auth_table.find("user", person_id, "pointer")
 257             for user_record in user_records:
 258                 self.fill_record_info(user_record)
 259
 260                 user_roles = user_record.get_pl_info().get("roles")
 261                 if (role=="*") or (role in user_roles):
 262                     record_list.append(user_record.get_name())
 263         return record_list
 264
 265     ##
 266     # Fill in the geni-specific fields of the record.
 267     #
 268     # Note: It is assumed the fill_record_pl_info() has already been performed
 269     # on the record.
 270
 271     def fill_record_geni_info(self, record):
 272         geni_info = {}
 273         type = record.get_type()
 274
 275         if (type == "slice"):
 276             auth_table = self.get_auth_table(get_authority(record.get_name()))
 277             person_ids = record.pl_info.get("person_ids", [])
 278             researchers = self.lookup_users(auth_table, person_ids)
 279             geni_info['researcher'] = researchers
 280
 281         elif (type == "sa"):
 282             auth_table = self.get_auth_table(record.get_name())
 283             person_ids = record.pl_info.get("person_ids", [])
 284             pis = self.lookup_users(auth_table, person_ids, "pi")
 285             geni_info['pi'] = pis
 286             # TODO: OrganizationName
 287
 288         elif (type == "ma"):
 289             auth_table = self.get_auth_table(record.get_name())
 290             person_ids = record.pl_info.get("person_ids", [])
 291             operators = self.lookup_users(auth_table, person_ids, "tech")
 292             geni_info['operator'] = operators
 293             # TODO: OrganizationName
 294
 295             auth_table = self.get_auth_table(record.get_name())
 296             person_ids = record.pl_info.get("person_ids", [])
 297             owners = self.lookup_users(auth_table, person_ids, "admin")
 298             geni_info['owner'] = owners
 299
 300         elif (type == "node"):
 301             geni_info['dns'] = record.pl_info.get("hostname", "")
 302             # TODO: URI, LatLong, IP, DNS
 303
 304         elif (type == "user"):
 305             geni_info['email'] = record.pl_info.get("email", "")
 306             # TODO: PostalAddress, Phone
 307
 308         record.set_geni_info(geni_info)
 309
 310     ##
 311     # Given a Geni record, fill in the PLC-specific and Geni-specific fields
 312     # in the record.
 313
 314     def fill_record_info(self, record):
 315         self.fill_record_pl_info(record)
 316         self.fill_record_geni_info(record)
 317
 318     ##
 319     # GENI API: register
 320     #
 321     # Register an object with the registry. In addition to being stored in the
 322     # Geni database, the appropriate records will also be created in the
 323     # PLC databases
 324     #
 325     # @param cred credential string
 326     # @param record_dict dictionary containing record fields
 327
 328     def register(self, cred, record_dict):
 329         self.decode_authentication(cred, "register")
 330
 331         record = GeniRecord(dict = record_dict)
 332         type = record.get_type()
 333         name = record.get_name()
 334
 335         auth_name = get_authority(name)
 336         self.verify_object_permission(auth_name)
 337         auth_info = self.get_auth_info(auth_name)
 338         table = self.get_auth_table(auth_name)
 339
 340         pkey = None
 341
 342         # check if record already exists
 343         existing_records = table.resolve(type, name)
 344         if existing_records:
 345             raise ExistingRecord(name)
 346
 347         if (type == "sa") or (type=="ma"):
 348             # update the tree
 349             if not AuthHierarchy.auth_exists(name):
 350                 AuthHierarchy.create_auth(name)
 351
 352             # authorities are special since they are managed by the registry
 353             # rather than by the caller. We create our own GID for the
 354             # authority rather than relying on the caller to supply one.
 355
 356             # get the GID from the newly created authority
 357             child_auth_info = self.get_auth_info(name)
 358             gid = auth_info.get_gid_object()
 359             record.set_gid(gid.save_to_string(save_parents=True))
 360
 361             geni_fields = record.get_geni_info()
 362             site_fields = record.get_pl_info()
 363
 364             # if registering a sa, see if a ma already exists
 365             # if registering a ma, see if a sa already exists
 366             if (type == "sa"):
 367                 other_rec = table.resolve("ma", record.get_name())
 368             elif (type == "ma"):
 369                 other_rec = table.resolve("sa", record.get_name())
 370
 371             if other_rec:
 372                 print "linking ma and sa to the same plc site"
 373                 pointer = other_rec[0].get_pointer()
 374             else:
 375                 geni_fields_to_pl_fields(type, name, geni_fields, site_fields)
 376                 print "adding site with fields", site_fields
 377                 pointer = self.shell.AddSite(self.pl_auth, site_fields)
 378
 379             record.set_pointer(pointer)
 380
 381         elif (type == "slice"):
 382             geni_fields = record.get_geni_info()
 383             slice_fields = record.get_pl_info()
 384
 385             geni_fields_to_pl_fields(type, name, geni_fields, slice_fields)
 386
 387             pointer = self.shell.AddSlice(self.pl_auth, slice_fields)
 388             record.set_pointer(pointer)
 389
 390         elif (type == "user"):
 391             geni_fields = record.get_geni_info()
 392             user_fields = record.get_pl_info()
 393
 394             geni_fields_to_pl_fields(type, name, geni_fields, user_fields)
 395
 396             pointer = self.shell.AddPerson(self.pl_auth, user_fields)
 397             record.set_pointer(pointer)
 398
 399         elif (type == "node"):
 400             geni_fields = record.get_geni_info()
 401             node_fields = record.get_pl_info()
 402
 403             geni_fields_to_pl_fields(type, name, geni_fields, node_fields)
 404
 405             login_base = hrn_to_pl_login_base(auth_name)
 406
 407             print "calling addnode with", login_base, node_fields
 408             pointer = self.shell.AddNode(self.pl_auth, login_base, node_fields)
 409             record.set_pointer(pointer)
 410
 411         else:
 412             raise UnknownGeniType(type)
 413
 414         table.insert(record)
 415
 416         return record.get_gid_object().save_to_string(save_parents=True)
 417
 418     ##
 419     # GENI API: remove
 420     #
 421     # Remove an object from the registry. If the object represents a PLC object,
 422     # then the PLC records will also be removed.
 423     #
 424     # @param cred credential string
 425     # @param record_dict dictionary containing record fields. The only relevant
 426     #     fields of the record are 'name' and 'type', which are used to lookup
 427     #     the current copy of the record in the Geni database, to make sure
 428     #     that the appopriate record is removed.
 429
 430     def remove(self, cred, record_dict):
 431         self.decode_authentication(cred, "remove")
 432
 433         record = GeniRecord(dict = record_dict)
 434         type = record.get_type()
 435
 436         self.verify_object_permission(record.get_name())
 437
 438         auth_name = get_authority(record.get_name())
 439         table = self.get_auth_table(auth_name)
 440
 441         # let's not trust that the caller has a well-formed record (a forged
 442         # pointer field could be a disaster), so look it up ourselves
 443         record_list = table.resolve(type, record.get_name())
 444         if not record_list:
 445             raise RecordNotFound(name)
 446         record = record_list[0]
 447
 448         # TODO: sa, ma
 449         if type == "user":
 450             self.shell.DeletePerson(self.pl_auth, record.get_pointer())
 451         elif type == "slice":
 452             self.shell.DeleteSlice(self.pl_auth, record.get_pointer())
 453         elif type == "node":
 454             self.shell.DeleteNode(self.pl_auth, record.get_pointer())
 455         elif (type == "sa") or (type == "ma"):
 456             if (type == "sa"):
 457                 other_rec = table.resolve("ma", record.get_name())
 458             elif (type == "ma"):
 459                 other_rec = table.resolve("sa", record.get_name())
 460
 461             if other_rec:
 462                 # sa and ma both map to a site, so if we are deleting one
 463                 # but the other still exists, then do not delete the site
 464                 print "not removing site", record.get_name(), "because either sa or ma still exists"
 465                 pass
 466             else:
 467                 print "removing site", record.get_name()
 468                 self.shell.DeleteSite(self.pl_auth, record.get_pointer())
 469         else:
 470             raise UnknownGeniType(type)
 471
 472         table.remove(record)
 473
 474         return True
 475
 476     ##
 477     # GENI API: update
 478
 479     def update(self, cred, record_dict):
 480         self.decode_authentication(cred, "update")
 481
 482         record = GeniRecord(dict = record_dict)
 483         type = record.get_type()
 484
 485         self.verify_object_permission(record.get_name())
 486
 487         auth_name = get_authority(record.get_name())
 488         table = self.get_auth_table(auth_name)
 489
 490         # make sure the record exists
 491         existing_record_list = table.resolve(type, record.get_name())
 492         if not existing_record_list:
 493             raise RecordNotFound(record.get_name())
 494
 495         existing_record = existing_record_list[0]
 496         pointer = existing_record.get_pointer()
 497
 498         # update the PLC information that was specified with the record
 499
 500         if (type == "sa") or (type == "ma"):
 501             self.shell.UpdateSite(self.pl_auth, pointer, record.get_pl_info())
 502
 503         elif type == "slice":
 504             self.shell.UpdateSlice(self.pl_auth, pointer, record.get_pl_info())
 505
 506         elif type == "user":
 507             self.shell.UpdatePerson(self.pl_auth, pointer, record.get_pl_info())
 508
 509         elif type == "node":
 510             self.shell.UpdateNode(self.pl_auth, pointer, record.get_pl_info())
 511
 512         else:
 513             raise UnknownGeniType(type)
 514
 515     # TODO: List doesn't take an hrn and uses the hrn contained in the
 516     #    objectGid of the credential. Does this mean the only way to list an
 517     #    authority is by having a credential for that authority?
 518     def list(self, cred):
 519         self.decode_authentication(cred, "list")
 520
 521         auth_name = self.object_gid.get_hrn()
 522         table = self.get_auth_table(auth_name)
 523
 524         records = table.list()
 525
 526         good_records = []
 527         for record in records:
 528             try:
 529                 self.fill_record_info(record)
 530                 good_records.append(record)
 531             except PlanetLabRecordDoesNotExist:
 532                 # silently drop the ones that are missing in PL.
 533                 # is this the right thing to do?
 534                 report.error("ignoring geni record " + record.get_name() + " because pl record does not exist")
 535                 table.remove(record)
 536
 537         dicts = []
 538         for record in good_records:
 539             dicts.append(record.as_dict())
 540
 541         return dicts
 542
 543         return dict_list
 544
 545     def resolve_raw(self, type, name, must_exist=True):
 546         auth_name = get_authority(name)
 547
 548         table = self.get_auth_table(auth_name)
 549
 550         records = table.resolve(type, name)
 551
 552         if (not records) and must_exist:
 553             raise RecordNotFound(name)
 554
 555         good_records = []
 556         for record in records:
 557             try:
 558                 self.fill_record_info(record)
 559                 good_records.append(record)
 560             except PlanetLabRecordDoesNotExist:
 561                 # silently drop the ones that are missing in PL.
 562                 # is this the right thing to do?
 563                 report.error("ignoring geni record " + record.get_name() + " because pl record does not exist")
 564                 table.remove(record)
 565
 566         return good_records
 567
 568     def resolve(self, cred, name):
 569         self.decode_authentication(cred, "resolve")
 570
 571         records = self.resolve_raw("*", name)
 572         dicts = []
 573         for record in records:
 574             dicts.append(record.as_dict())
 575
 576         return dicts
 577
 578     def get_gid(self, name):
 579         self.verify_object_belongs_to_me(name)
 580         records = self.resolve_raw("*", name)
 581         gid_string_list = []
 582         for record in records:
 583             gid = record.get_gid()
 584             gid_string_list.append(gid.save_to_string(save_parents=True))
 585         return gid_string_list
 586
 587     def determine_rights(self, type, name):
 588         rl = RightList()
 589
 590         # rights seem to be somewhat redundant with the type of the credential.
 591         # For example, a "sa" credential implies the authority right, because
 592         # a sa credential cannot be issued to a user who is not an owner of
 593         # the authority
 594
 595         if type == "user":
 596             rl.add("refresh")
 597             rl.add("resolve")
 598             rl.add("info")
 599         elif type == "sa":
 600             rl.add("authority")
 601         elif type == "ma":
 602             rl.add("authority")
 603         elif type == "slice":
 604             rl.add("embed")
 605             rl.add("bind")
 606             rl.add("control")
 607             rl.add("info")
 608         elif type == "component":
 609             rl.add("operator")
 610
 611         return rl
 612
 613
 614     def get_self_credential(self, type, name):
 615         self.verify_object_belongs_to_me(name)
 616
 617         auth_hrn = get_authority(name)
 618         auth_info = self.get_auth_info(auth_hrn)
 619
 620         # find a record that matches
 621         records = self.resolve_raw(type, name, must_exist=True)
 622         record = records[0]
 623
 624         gid = record.get_gid_object()
 625         peer_cert = self.server.peer_cert
 626         if not peer_cert.is_pubkey(gid.get_pubkey()):
 627            raise ConnectionKeyGIDMismatch(gid.get_subject())
 628
 629         # create the credential
 630         gid = record.get_gid_object()
 631         cred = Credential(subject = gid.get_subject())
 632         cred.set_gid_caller(gid)
 633         cred.set_gid_object(gid)
 634         cred.set_issuer(key=auth_info.get_pkey_object(), subject=auth_hrn)
 635         cred.set_pubkey(gid.get_pubkey())
 636
 637         rl = self.determine_rights(type, name)
 638         cred.set_privileges(rl)
 639
 640         cred.set_parent(AuthHierarchy.get_auth_cred(auth_hrn))
 641
 642         cred.encode()
 643         cred.sign()
 644
 645         return cred.save_to_string(save_parents=True)
 646
 647     def get_credential(self, cred, type, name):
 648         if not cred:
 649             return get_self_credential(self, type, name)
 650
 651         self.decode_authentication(cred, "getcredential")
 652
 653         self.verify_object_belongs_to_me(name)
 654
 655         auth_hrn = get_authority(name)
 656         auth_info = self.get_auth_info(auth_hrn)
 657
 658         records = self.resolve_raw(type, name, must_exist=True)
 659         record = records[0]
 660
 661         # TODO: Check permission that self.client_cred can access the object
 662
 663         object_gid = record.get_gid_object()
 664         new_cred = Credential(subject = object_gid.get_subject())
 665         new_cred.set_gid_caller(self.client_gid)
 666         new_cred.set_gid_object(object_gid)
 667         new_cred.set_issuer(key=auth_info.get_pkey_object(), subject=auth_hrn)
 668         new_cred.set_pubkey(object_gid.get_pubkey())
 669
 670         rl = self.determine_rights(type, name)
 671         new_cred.set_privileges(rl)
 672
 673         new_cred.set_parent(AuthHierarchy.get_auth_cred(auth_hrn))
 674
 675         new_cred.encode()
 676         new_cred.sign()
 677
 678         return new_cred.save_to_string(save_parents=True)
 679
 680     def create_gid(self, cred, name, uuid, pubkey_str):
 681         self.decode_authentication(cred, "getcredential")
 682
 683         self.verify_object_belongs_to_me(name)
 684
 685         self.verify_object_permission(name)
 686
 687         if uuid == None:
 688             uuid = create_uuid()
 689
 690         pkey = Keypair()
 691         pkey.load_pubkey_from_string(pubkey_str)
 692         gid = AuthHierarchy.create_gid(name, uuid, pkey)
 693
 694         return gid.save_to_string(save_parents=True)
 695
 696     # ------------------------------------------------------------------------
 697     # Component Interface
 698
 699     def record_to_slice_info(self, record):
 700
 701         # get the user keys from the slice
 702         keys = []
 703         persons = self.shell.GetPersons(self.pl_auth, record.pl_info['person_ids'])
 704         for person in persons:
 705             person_keys = self.shell.GetKeys(self.pl_auth, person["key_ids"])
 706             for person_key in person_keys:
 707                 keys = keys + [person_key['key']]
 708
 709         attributes={}
 710         attributes['name'] = record.pl_info['name']
 711         attributes['keys'] = keys
 712         attributes['instantiation'] = record.pl_info['instantiation']
 713         attributes['vref'] = 'default'
 714         attributes['timestamp'] = time.time()
 715
 716         rspec = {}
 717
 718         # get the PLC attributes and separate them into slice attributes and
 719         # rspec attributes
 720         filter = {}
 721         filter['slice_id'] = record.pl_info['slice_id']
 722         plc_attrs = self.shell.GetSliceAttributes(self.pl_auth, filter)
 723         for attr in plc_attrs:
 724             name = attr['name']
 725
 726             # initscripts: lookup the contents of the initscript and store it
 727             # in the ticket attributes
 728             if (name == "initscript"):
 729                 filter={'name': attr['value']}
 730                 initscripts = self.shell.GetInitScripts(self.pl_auth, filter)
 731                 if initscripts:
 732                     attributes['initscript'] = initscripts[0]['script']
 733             else:
 734                 rspec[name] = attr['value']
 735
 736         return (attributes, rspec)
 737
 738
 739     def get_ticket(self, cred, name, rspec):
 740         self.decode_authentication(cred, "getticket")
 741
 742         self.verify_object_belongs_to_me(name)
 743
 744         self.verify_object_permission(name)
 745
 746         # XXX much of this code looks like get_credential... are they so similar
 747         # that they should be combined?
 748
 749         auth_hrn = get_authority(name)
 750         auth_info = self.get_auth_info(auth_hrn)
 751
 752         records = self.resolve_raw("slice", name, must_exist=True)
 753         record = records[0]
 754
 755         object_gid = record.get_gid_object()
 756         new_ticket = Ticket(subject = object_gid.get_subject())
 757         new_ticket.set_gid_caller(self.client_gid)
 758         new_ticket.set_gid_object(object_gid)
 759         new_ticket.set_issuer(key=auth_info.get_pkey_object(), subject=auth_hrn)
 760         new_ticket.set_pubkey(object_gid.get_pubkey())
 761
 762         self.fill_record_info(record)
 763
 764         (attributes, rspec) = self.record_to_slice_info(record)
 765
 766         new_ticket.set_attributes(attributes)
 767         new_ticket.set_rspec(rspec)
 768
 769         new_ticket.set_parent(AuthHierarchy.get_auth_ticket(auth_hrn))
 770
 771         new_ticket.encode()
 772         new_ticket.sign()
 773
 774         return new_ticket.save_to_string(save_parents=True)
 775
 776
 777 if __name__ == "__main__":
 778     global AuthHierarchy
 779     global TrustedRoots
 780
 781     key_file = "server.key"
 782     cert_file = "server.cert"
 783
 784     # if no key is specified, then make one up
 785     if (not os.path.exists(key_file)) or (not os.path.exists(cert_file)):
 786         key = Keypair(create=True)
 787         key.save_to_file(key_file)
 788
 789         cert = Certificate(subject="registry")
 790         cert.set_issuer(key=key, subject="registry")
 791         cert.set_pubkey(key)
 792         cert.sign()
 793         cert.save_to_file(cert_file)
 794
 795     AuthHierarchy = Hierarchy()
 796
 797     TrustedRoots = TrustedRootList()
 798
 799     s = Registry("", 12345, key_file, cert_file)
 800     s.trusted_cert_list = TrustedRoots.get_list()
 801     s.run()
 802