git://git.onelab.eu / sfa.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
added redeemticket
[sfa.git] / registry / registry.py
1 import tempfile
2 import os
3 import time
4 import sys
5
6 from cert import *
7 from gid import *
8 from geniserver import *
9 from excep import *
10 from trustedroot import *
11 from hierarchy import *
12 from misc import *
13 from record import *
14 from genitable import *
15 from geniticket import *
16
17 def geni_fields_to_pl_fields(type, hrn, geni_fields, pl_fields):
18     if type == "user":
19         if not "email" in pl_fields:
20             if not "email" in geni_fields:
21                 raise MissingGeniInfo("email")
22             pl_fields["email"] = geni_fields["email"]
23
24         if not "first_name" in pl_fields:
25             pl_fields["first_name"] = "geni"
26
27         if not "last_name" in pl_fields:
28             pl_fields["last_name"] = hrn
29
30     elif type == "slice":
31         if not "instantiation" in pl_fields:
32             pl_fields["instantiation"] = "plc-instantiated"
33         if not "name" in pl_fields:
34             pl_fields["name"] = hrn_to_pl_slicename(hrn)
35         if not "max_nodes" in pl_fields:
36             pl_fields["max_nodes"] = 10
37
38     elif type == "node":
39         if not "hostname" in pl_fields:
40             if not "dns" in geni_fields:
41                 raise MissingGeniInfo("dns")
42             pl_fields["hostname"] = geni_fields["dns"]
43
44         if not "model" in pl_fields:
45             pl_fields["model"] = "geni"
46
47     elif type == "sa":
48         pl_fields["login_base"] = hrn_to_pl_login_base(hrn)
49
50         if not "name" in pl_fields:
51             pl_fields["name"] = hrn
52
53         if not "abbreviated_name" in pl_fields:
54             pl_fields["abbreviated_name"] = hrn
55
56         if not "enabled" in pl_fields:
57             pl_fields["enabled"] = True
58
59         if not "is_public" in pl_fields:
60             pl_fields["is_public"] = True
61
62 class Registry(GeniServer):
63     def __init__(self, ip, port, key_file, cert_file):
64         GeniServer.__init__(self, ip, port, key_file, cert_file)
65
66         # get PL account settings from config module
67         self.pl_auth = get_pl_auth()
68
69         # connect to planetlab
70         if "Url" in self.pl_auth:
71             self.connect_remote_shell()
72         else:
73             self.connect_local_shell()
74
75     def connect_remote_shell(self):
76         import remoteshell
77         self.shell = remoteshell.RemoteShell()
78
79     def connect_local_shell(self):
80         import PLC.Shell
81         self.shell = PLC.Shell.Shell(globals = globals())
82
83     def register_functions(self):
84         GeniServer.register_functions(self)
85         # registry interface
86         self.server.register_function(self.create_gid)
87         self.server.register_function(self.get_self_credential)
88         self.server.register_function(self.get_credential)
89         self.server.register_function(self.get_gid)
90         self.server.register_function(self.register)
91         self.server.register_function(self.remove)
92         self.server.register_function(self.update)
93         self.server.register_function(self.list)
94         self.server.register_function(self.resolve)
95         # component interface
96         self.server.register_function(self.get_ticket)
97
98     def get_auth_info(self, name):
99         return AuthHierarchy.get_auth_info(name)
100
101     def get_auth_table(self, auth_name):
102         auth_info = self.get_auth_info(auth_name)
103
104         table = GeniTable(hrn=auth_name,
105                           cninfo=auth_info.get_dbinfo())
106
107         # if the table doesn't exist, then it means we haven't put any records
108         # into this authority yet.
109
110         if not table.exists():
111             report.trace("Registry: creating table for authority " + auth_name)
112             table.create()
113
114         return table
115
116     def verify_auth_belongs_to_me(self, name):
117         # get_auth_info will throw an exception if the authority does not
118         # exist
119         self.get_auth_info(name)
120
121     def verify_object_belongs_to_me(self, name):
122         auth_name = get_authority(name)
123         if not auth_name:
124             # the root authority belongs to the registry by default?
125             # TODO: is this true?
126             return
127         self.verify_auth_belongs_to_me(auth_name)
128
129     def verify_object_permission(self, name):
130         object_hrn = self.object_gid.get_hrn()
131         if object_hrn == name:
132             return
133         if name.startswith(object_hrn + "."):
134             return
135         raise PermissionError(name)
136
137     def fill_record_pl_info(self, record):
138         type = record.get_type()
139         pointer = record.get_pointer()
140
141         # records with pointer==-1 do not have plc info associated with them.
142         # for example, the top level authority records which are
143         # authorities, but not PL "sites"
144         if pointer == -1:
145             return
146
147         if (type == "sa") or (type == "ma"):
148             pl_res = self.shell.GetSites(self.pl_auth, [pointer])
149         elif (type == "slice"):
150             pl_res = self.shell.GetSlices(self.pl_auth, [pointer])
151         elif (type == "user"):
152             pl_res = self.shell.GetPersons(self.pl_auth, [pointer])
153         elif (type == "node"):
154             pl_res = self.shell.GetNodes(self.pl_auth, [pointer])
155         else:
156             raise UnknownGeniType(type)
157
158         if not pl_res:
159             # the planetlab record no longer exists
160             # TODO: delete the geni record ?
161             raise PlanetLabRecordDoesNotExist(record.get_name())
162
163         record.set_pl_info(pl_res[0])
164
165     def fill_record_geni_info(self, record):
166         pass
167
168     def fill_record_info(self, record):
169         self.fill_record_pl_info(record)
170         self.fill_record_geni_info(record)
171
172     def register(self, cred, record_dict):
173         self.decode_authentication(cred, "register")
174
175         record = GeniRecord(dict = record_dict)
176         type = record.get_type()
177         name = record.get_name()
178
179         auth_name = get_authority(name)
180         self.verify_object_permission(auth_name)
181         auth_info = self.get_auth_info(auth_name)
182         table = self.get_auth_table(auth_name)
183
184         pkey = None
185
186         # check if record already exists
187         existing_records = table.resolve(type, name)
188         if existing_records:
189             raise ExistingRecord(name)
190
191         if (type == "sa") or (type=="ma"):
192             # update the tree
193             if not AuthHierarchy.auth_exists(name):
194                 AuthHierarchy.create_auth(name)
195
196             # authorities are special since they are managed by the registry
197             # rather than by the caller. We create our own GID for the
198             # authority rather than relying on the caller to supply one.
199
200             # get the GID from the newly created authority
201             child_auth_info = self.get_auth_info(name)
202             gid = auth_info.get_gid_object()
203             record.set_gid(gid.save_to_string(save_parents=True))
204
205             geni_fields = record.get_geni_info()
206             site_fields = record.get_pl_info()
207
208             # if registering a sa, see if a ma already exists
209             # if registering a ma, see if a sa already exists
210             if (type == "sa"):
211                 other_rec = table.resolve("ma", record.get_name())
212             elif (type == "ma"):
213                 other_rec = table.resolve("sa", record.get_name())
214
215             if other_rec:
216                 print "linking ma and sa to the same plc site"
217                 pointer = other_rec[0].get_pointer()
218             else:
219                 geni_fields_to_pl_fields(type, name, geni_fields, site_fields)
220                 print "adding site with fields", site_fields
221                 pointer = self.shell.AddSite(self.pl_auth, site_fields)
222
223             record.set_pointer(pointer)
224
225         elif (type == "slice"):
226             geni_fields = record.get_geni_info()
227             slice_fields = record.get_pl_info()
228
229             geni_fields_to_pl_fields(type, name, geni_fields, slice_fields)
230
231             pointer = self.shell.AddSlice(self.pl_auth, slice_fields)
232             record.set_pointer(pointer)
233
234         elif (type == "user"):
235             geni_fields = record.get_geni_info()
236             user_fields = record.get_pl_info()
237
238             geni_fields_to_pl_fields(type, name, geni_fields, user_fields)
239
240             pointer = self.shell.AddPerson(self.pl_auth, user_fields)
241             record.set_pointer(pointer)
242
243         elif (type == "node"):
244             geni_fields = record.get_geni_info()
245             node_fields = record.get_pl_info()
246
247             geni_fields_to_pl_fields(type, name, geni_fields, node_fields)
248
249             login_base = hrn_to_pl_login_base(auth_name)
250
251             print "calling addnode with", login_base, node_fields
252             pointer = self.shell.AddNode(self.pl_auth, login_base, node_fields)
253             record.set_pointer(pointer)
254
255         else:
256             raise UnknownGeniType(type)
257
258         table.insert(record)
259
260         return record.get_gid_object().save_to_string(save_parents=True)
261
262     def remove(self, cred, record_dict):
263         self.decode_authentication(cred, "remove")
264
265         record = GeniRecord(dict = record_dict)
266         type = record.get_type()
267
268         self.verify_object_permission(record.get_name())
269
270         auth_name = get_authority(record.get_name())
271         table = self.get_auth_table(auth_name)
272
273         # let's not trust that the caller has a well-formed record (a forged
274         # pointer field could be a disaster), so look it up ourselves
275         record_list = table.resolve(type, record.get_name())
276         if not record_list:
277             raise RecordNotFound(name)
278         record = record_list[0]
279
280         # TODO: sa, ma
281         if type == "user":
282             self.shell.DeletePerson(self.pl_auth, record.get_pointer())
283         elif type == "slice":
284             self.shell.DeleteSlice(self.pl_auth, record.get_pointer())
285         elif type == "node":
286             self.shell.DeleteNode(self.pl_auth, record.get_pointer())
287         elif (type == "sa") or (type == "ma"):
288             if (type == "sa"):
289                 other_rec = table.resolve("ma", record.get_name())
290             elif (type == "ma"):
291                 other_rec = table.resolve("sa", record.get_name())
292
293             if other_rec:
294                 # sa and ma both map to a site, so if we are deleting one
295                 # but the other still exists, then do not delete the site
296                 print "not removing site", record.get_name(), "because either sa or ma still exists"
297                 pass
298             else:
299                 print "removing site", record.get_name()
300                 self.shell.DeleteSite(self.pl_auth, record.get_pointer())
301         else:
302             raise UnknownGeniType(type)
303
304         table.remove(record)
305
306         return True
307
308     def update(self, cred, record_dict):
309         self.decode_authentication(cred, "update")
310
311         record = GeniRecord(dict = record_dict)
312         type = record.get_type()
313
314         self.verify_object_permission(record.get_name())
315
316         auth_name = get_authority(record.get_name())
317         table = self.get_auth_table(auth_name)
318
319         # make sure the record exists
320         existing_record_list = table.resolve(type, record.get_name())
321         if not existing_record_list:
322             raise RecordNotFound(record.get_name())
323
324         existing_record = existing_record_list[0]
325         pointer = existing_record.get_pointer()
326
327         if (type == "sa") or (type == "ma"):
328             self.shell.UpdateSite(self.pl_auth, pointer, record.get_pl_info())
329
330         elif type == "slice":
331             self.shell.UpdateSlice(self.pl_auth, pointer, record.get_pl_info())
332
333         elif type == "user":
334             self.shell.UpdatePerson(self.pl_auth, pointer, record.get_pl_info())
335
336         elif type == "node":
337             self.shell.UpdateNode(self.pl_auth, pointer, record.get_pl_info())
338
339         else:
340             raise UnknownGeniType(type)
341
342     # TODO: List doesn't take an hrn and uses the hrn contained in the
343     #    objectGid of the credential. Does this mean the only way to list an
344     #    authority is by having a credential for that authority? 
345     def list(self, cred):
346         self.decode_authentication(cred, "list")
347
348         auth_name = self.object_gid.get_hrn()
349         table = self.get_auth_table(auth_name)
350
351         records = table.list()
352
353         good_records = []
354         for record in records:
355             try:
356                 self.fill_record_info(record)
357                 good_records.append(record)
358             except PlanetLabRecordDoesNotExist:
359                 # silently drop the ones that are missing in PL.
360                 # is this the right thing to do?
361                 report.error("ignoring geni record " + record.get_name() + " because pl record does not exist")
362                 table.remove(record)
363
364         dicts = []
365         for record in good_records:
366             dicts.append(record.as_dict())
367
368         return dicts
369
370         return dict_list
371
372     def resolve_raw(self, type, name, must_exist=True):
373         auth_name = get_authority(name)
374
375         table = self.get_auth_table(auth_name)
376
377         records = table.resolve(type, name)
378
379         if (not records) and must_exist:
380             raise RecordNotFound(name)
381
382         good_records = []
383         for record in records:
384             try:
385                 self.fill_record_info(record)
386                 good_records.append(record)
387             except PlanetLabRecordDoesNotExist:
388                 # silently drop the ones that are missing in PL.
389                 # is this the right thing to do?
390                 report.error("ignoring geni record " + record.get_name() + " because pl record does not exist")
391                 table.remove(record)
392
393         return good_records
394
395     def resolve(self, cred, name):
396         self.decode_authentication(cred, "resolve")
397
398         records = self.resolve_raw("*", name)
399         dicts = []
400         for record in records:
401             dicts.append(record.as_dict())
402
403         return dicts
404
405     def get_gid(self, name):
406         self.verify_object_belongs_to_me(name)
407         records = self.resolve_raw("*", name)
408         gid_string_list = []
409         for record in records:
410             gid = record.get_gid()
411             gid_string_list.append(gid.save_to_string(save_parents=True))
412         return gid_string_list
413
414     def determine_rights(self, type, name):
415         rl = RightList()
416
417         # rights seem to be somewhat redundant with the type of the credential.
418         # For example, a "sa" credential implies the authority right, because
419         # a sa credential cannot be issued to a user who is not an owner of
420         # the authority
421
422         if type == "user":
423             rl.add("refresh")
424             rl.add("resolve")
425             rl.add("info")
426         elif type == "sa":
427             rl.add("authority")
428         elif type == "ma":
429             rl.add("authority")
430         elif type == "slice":
431             rl.add("embed")
432             rl.add("bind")
433             rl.add("control")
434             rl.add("info")
435         elif type == "component":
436             rl.add("operator")
437
438         return rl
439
440
441     def get_self_credential(self, type, name):
442         self.verify_object_belongs_to_me(name)
443
444         auth_hrn = get_authority(name)
445         auth_info = self.get_auth_info(auth_hrn)
446
447         # find a record that matches
448         records = self.resolve_raw(type, name, must_exist=True)
449         record = records[0]
450
451         gid = record.get_gid_object()
452         peer_cert = self.server.peer_cert
453         if not peer_cert.is_pubkey(gid.get_pubkey()):
454            raise ConnectionKeyGIDMismatch(gid.get_subject())
455
456         # create the credential
457         gid = record.get_gid_object()
458         cred = Credential(subject = gid.get_subject())
459         cred.set_gid_caller(gid)
460         cred.set_gid_object(gid)
461         cred.set_issuer(key=auth_info.get_pkey_object(), subject=auth_hrn)
462         cred.set_pubkey(gid.get_pubkey())
463
464         rl = self.determine_rights(type, name)
465         cred.set_privileges(rl)
466
467         cred.set_parent(AuthHierarchy.get_auth_cred(auth_hrn))
468
469         cred.encode()
470         cred.sign()
471
472         return cred.save_to_string(save_parents=True)
473
474     def get_credential(self, cred, type, name):
475         if not cred:
476             return get_self_credential(self, type, name)
477
478         self.decode_authentication(cred, "getcredential")
479
480         self.verify_object_belongs_to_me(name)
481
482         auth_hrn = get_authority(name)
483         auth_info = self.get_auth_info(auth_hrn)
484
485         records = self.resolve_raw(type, name, must_exist=True)
486         record = records[0]
487
488         # TODO: Check permission that self.client_cred can access the object
489
490         object_gid = record.get_gid_object()
491         new_cred = Credential(subject = object_gid.get_subject())
492         new_cred.set_gid_caller(self.client_gid)
493         new_cred.set_gid_object(object_gid)
494         new_cred.set_issuer(key=auth_info.get_pkey_object(), subject=auth_hrn)
495         new_cred.set_pubkey(object_gid.get_pubkey())
496
497         rl = self.determine_rights(type, name)
498         new_cred.set_privileges(rl)
499
500         new_cred.set_parent(AuthHierarchy.get_auth_cred(auth_hrn))
501
502         new_cred.encode()
503         new_cred.sign()
504
505         return new_cred.save_to_string(save_parents=True)
506
507     def create_gid(self, cred, name, uuid, pubkey_str):
508         self.decode_authentication(cred, "getcredential")
509
510         self.verify_object_belongs_to_me(name)
511
512         self.verify_object_permission(name)
513
514         if uuid == None:
515             uuid = create_uuid()
516
517         pkey = Keypair()
518         pkey.load_pubkey_from_string(pubkey_str)
519         gid = AuthHierarchy.create_gid(name, uuid, pkey)
520
521         return gid.save_to_string(save_parents=True)
522
523     # ------------------------------------------------------------------------
524     # Component Interface
525
526     def record_to_slice_info(self, record):
527
528         # get the user keys from the slice
529         keys = []
530         persons = self.shell.GetPersons(self.pl_auth, record.pl_info['person_ids'])
531         for person in persons:
532             person_keys = self.shell.GetKeys(self.pl_auth, person["key_ids"])
533             for person_key in person_keys:
534                 keys = keys + [person_key['key']]
535
536         attributes={}
537         attributes['name'] = record.pl_info['name']
538         attributes['keys'] = keys
539         attributes['instantiation'] = record.pl_info['instantiation']
540         attributes['vref'] = 'default'
541         attributes['timestamp'] = time.time()
542
543         rspec = {}
544
545         # get the PLC attributes and separate them into slice attributes and
546         # rspec attributes
547         filter = {}
548         filter['slice_id'] = record.pl_info['slice_id']
549         plc_attrs = self.shell.GetSliceAttributes(self.pl_auth, filter)
550         for attr in plc_attrs:
551             name = attr['name']
552
553             # initscripts: lookup the contents of the initscript and store it
554             # in the ticket attributes
555             if (name == "initscript"):
556                 filter={'name': attr['value']}
557                 initscripts = self.shell.GetInitScripts(self.pl_auth, filter)
558                 if initscripts:
559                     attributes['initscript'] = initscripts[0]['script']
560             else:
561                 rspec[name] = attr['value']
562
563         return (attributes, rspec)
564
565
566     def get_ticket(self, cred, name, rspec):
567         self.decode_authentication(cred, "getticket")
568
569         self.verify_object_belongs_to_me(name)
570
571         self.verify_object_permission(name)
572
573         # XXX much of this code looks like get_credential... are they so similar
574         # that they should be combined?
575
576         auth_hrn = get_authority(name)
577         auth_info = self.get_auth_info(auth_hrn)
578
579         records = self.resolve_raw("slice", name, must_exist=True)
580         record = records[0]
581
582         object_gid = record.get_gid_object()
583         new_ticket = Ticket(subject = object_gid.get_subject())
584         new_ticket.set_gid_caller(self.client_gid)
585         new_ticket.set_gid_object(object_gid)
586         new_ticket.set_issuer(key=auth_info.get_pkey_object(), subject=auth_hrn)
587         new_ticket.set_pubkey(object_gid.get_pubkey())
588
589         self.fill_record_info(record)
590
591         (attributes, rspec) = self.record_to_slice_info(record)
592
593         new_ticket.set_attributes(attributes)
594         new_ticket.set_rspec(rspec)
595
596         new_ticket.set_parent(AuthHierarchy.get_auth_ticket(auth_hrn))
597
598         new_ticket.encode()
599         new_ticket.sign()
600
601         return new_ticket.save_to_string(save_parents=True)
602
603
604 if __name__ == "__main__":
605     global AuthHierarchy
606     global TrustedRoots
607
608     key_file = "server.key"
609     cert_file = "server.cert"
610
611     # if no key is specified, then make one up
612     if (not os.path.exists(key_file)) or (not os.path.exists(cert_file)):
613         key = Keypair(create=True)
614         key.save_to_file(key_file)
615
616         cert = Certificate(subject="registry")
617         cert.set_issuer(key=key, subject="registry")
618         cert.set_pubkey(key)
619         cert.sign()
620         cert.save_to_file(cert_file)
621
622     AuthHierarchy = Hierarchy()
623
624     TrustedRoots = TrustedRootList()
625
626     s = Registry("", 12345, key_file, cert_file)
627     s.trusted_cert_list = TrustedRoots.get_list()
628     s.run()
629
sfa