8 from geniserver import *
10 from trustedroot import *
11 from hierarchy import *
14 from genitable import *
15 from geniticket import *
17 def geni_fields_to_pl_fields(type, hrn, geni_fields, pl_fields):
19 if not "email" in pl_fields:
20 if not "email" in geni_fields:
21 raise MissingGeniInfo("email")
22 pl_fields["email"] = geni_fields["email"]
24 if not "first_name" in pl_fields:
25 pl_fields["first_name"] = "geni"
27 if not "last_name" in pl_fields:
28 pl_fields["last_name"] = hrn
31 if not "instantiation" in pl_fields:
32 pl_fields["instantiation"] = "plc-instantiated"
33 if not "name" in pl_fields:
34 pl_fields["name"] = hrn_to_pl_slicename(hrn)
35 if not "max_nodes" in pl_fields:
36 pl_fields["max_nodes"] = 10
39 if not "hostname" in pl_fields:
40 if not "dns" in geni_fields:
41 raise MissingGeniInfo("dns")
42 pl_fields["hostname"] = geni_fields["dns"]
44 if not "model" in pl_fields:
45 pl_fields["model"] = "geni"
48 pl_fields["login_base"] = hrn_to_pl_login_base(hrn)
50 if not "name" in pl_fields:
51 pl_fields["name"] = hrn
53 if not "abbreviated_name" in pl_fields:
54 pl_fields["abbreviated_name"] = hrn
56 if not "enabled" in pl_fields:
57 pl_fields["enabled"] = True
59 if not "is_public" in pl_fields:
60 pl_fields["is_public"] = True
62 class Registry(GeniServer):
63 def __init__(self, ip, port, key_file, cert_file):
64 GeniServer.__init__(self, ip, port, key_file, cert_file)
66 # get PL account settings from config module
67 self.pl_auth = get_pl_auth()
69 # connect to planetlab
70 if "Url" in self.pl_auth:
71 self.connect_remote_shell()
73 self.connect_local_shell()
75 def connect_remote_shell(self):
77 self.shell = remoteshell.RemoteShell()
79 def connect_local_shell(self):
81 self.shell = PLC.Shell.Shell(globals = globals())
83 def register_functions(self):
84 GeniServer.register_functions(self)
86 self.server.register_function(self.create_gid)
87 self.server.register_function(self.get_self_credential)
88 self.server.register_function(self.get_credential)
89 self.server.register_function(self.get_gid)
90 self.server.register_function(self.register)
91 self.server.register_function(self.remove)
92 self.server.register_function(self.update)
93 self.server.register_function(self.list)
94 self.server.register_function(self.resolve)
96 self.server.register_function(self.get_ticket)
98 def get_auth_info(self, name):
99 return AuthHierarchy.get_auth_info(name)
101 def get_auth_table(self, auth_name):
102 auth_info = self.get_auth_info(auth_name)
104 table = GeniTable(hrn=auth_name,
105 cninfo=auth_info.get_dbinfo())
107 # if the table doesn't exist, then it means we haven't put any records
108 # into this authority yet.
110 if not table.exists():
111 report.trace("Registry: creating table for authority " + auth_name)
116 def verify_auth_belongs_to_me(self, name):
117 # get_auth_info will throw an exception if the authority does not
119 self.get_auth_info(name)
121 def verify_object_belongs_to_me(self, name):
122 auth_name = get_authority(name)
124 # the root authority belongs to the registry by default?
125 # TODO: is this true?
127 self.verify_auth_belongs_to_me(auth_name)
129 def verify_object_permission(self, name):
130 object_hrn = self.object_gid.get_hrn()
131 if object_hrn == name:
133 if name.startswith(object_hrn + "."):
135 raise PermissionError(name)
137 def fill_record_pl_info(self, record):
138 type = record.get_type()
139 pointer = record.get_pointer()
141 # records with pointer==-1 do not have plc info associated with them.
142 # for example, the top level authority records which are
143 # authorities, but not PL "sites"
147 if (type == "sa") or (type == "ma"):
148 pl_res = self.shell.GetSites(self.pl_auth, [pointer])
149 elif (type == "slice"):
150 pl_res = self.shell.GetSlices(self.pl_auth, [pointer])
151 elif (type == "user"):
152 pl_res = self.shell.GetPersons(self.pl_auth, [pointer])
153 elif (type == "node"):
154 pl_res = self.shell.GetNodes(self.pl_auth, [pointer])
156 raise UnknownGeniType(type)
159 # the planetlab record no longer exists
160 # TODO: delete the geni record ?
161 raise PlanetLabRecordDoesNotExist(record.get_name())
163 record.set_pl_info(pl_res[0])
165 def fill_record_geni_info(self, record):
168 def fill_record_info(self, record):
169 self.fill_record_pl_info(record)
170 self.fill_record_geni_info(record)
172 def register(self, cred, record_dict):
173 self.decode_authentication(cred, "register")
175 record = GeniRecord(dict = record_dict)
176 type = record.get_type()
177 name = record.get_name()
179 auth_name = get_authority(name)
180 self.verify_object_permission(auth_name)
181 auth_info = self.get_auth_info(auth_name)
182 table = self.get_auth_table(auth_name)
186 # check if record already exists
187 existing_records = table.resolve(type, name)
189 raise ExistingRecord(name)
191 if (type == "sa") or (type=="ma"):
193 if not AuthHierarchy.auth_exists(name):
194 AuthHierarchy.create_auth(name)
196 # authorities are special since they are managed by the registry
197 # rather than by the caller. We create our own GID for the
198 # authority rather than relying on the caller to supply one.
200 # get the GID from the newly created authority
201 child_auth_info = self.get_auth_info(name)
202 gid = auth_info.get_gid_object()
203 record.set_gid(gid.save_to_string(save_parents=True))
205 geni_fields = record.get_geni_info()
206 site_fields = record.get_pl_info()
208 # if registering a sa, see if a ma already exists
209 # if registering a ma, see if a sa already exists
211 other_rec = table.resolve("ma", record.get_name())
213 other_rec = table.resolve("sa", record.get_name())
216 print "linking ma and sa to the same plc site"
217 pointer = other_rec[0].get_pointer()
219 geni_fields_to_pl_fields(type, name, geni_fields, site_fields)
220 print "adding site with fields", site_fields
221 pointer = self.shell.AddSite(self.pl_auth, site_fields)
223 record.set_pointer(pointer)
225 elif (type == "slice"):
226 geni_fields = record.get_geni_info()
227 slice_fields = record.get_pl_info()
229 geni_fields_to_pl_fields(type, name, geni_fields, slice_fields)
231 pointer = self.shell.AddSlice(self.pl_auth, slice_fields)
232 record.set_pointer(pointer)
234 elif (type == "user"):
235 geni_fields = record.get_geni_info()
236 user_fields = record.get_pl_info()
238 geni_fields_to_pl_fields(type, name, geni_fields, user_fields)
240 pointer = self.shell.AddPerson(self.pl_auth, user_fields)
241 record.set_pointer(pointer)
243 elif (type == "node"):
244 geni_fields = record.get_geni_info()
245 node_fields = record.get_pl_info()
247 geni_fields_to_pl_fields(type, name, geni_fields, node_fields)
249 login_base = hrn_to_pl_login_base(auth_name)
251 print "calling addnode with", login_base, node_fields
252 pointer = self.shell.AddNode(self.pl_auth, login_base, node_fields)
253 record.set_pointer(pointer)
256 raise UnknownGeniType(type)
260 return record.get_gid_object().save_to_string(save_parents=True)
262 def remove(self, cred, record_dict):
263 self.decode_authentication(cred, "remove")
265 record = GeniRecord(dict = record_dict)
266 type = record.get_type()
268 self.verify_object_permission(record.get_name())
270 auth_name = get_authority(record.get_name())
271 table = self.get_auth_table(auth_name)
273 # let's not trust that the caller has a well-formed record (a forged
274 # pointer field could be a disaster), so look it up ourselves
275 record_list = table.resolve(type, record.get_name())
277 raise RecordNotFound(name)
278 record = record_list[0]
282 self.shell.DeletePerson(self.pl_auth, record.get_pointer())
283 elif type == "slice":
284 self.shell.DeleteSlice(self.pl_auth, record.get_pointer())
286 self.shell.DeleteNode(self.pl_auth, record.get_pointer())
287 elif (type == "sa") or (type == "ma"):
289 other_rec = table.resolve("ma", record.get_name())
291 other_rec = table.resolve("sa", record.get_name())
294 # sa and ma both map to a site, so if we are deleting one
295 # but the other still exists, then do not delete the site
296 print "not removing site", record.get_name(), "because either sa or ma still exists"
299 print "removing site", record.get_name()
300 self.shell.DeleteSite(self.pl_auth, record.get_pointer())
302 raise UnknownGeniType(type)
308 def update(self, cred, record_dict):
309 self.decode_authentication(cred, "update")
311 record = GeniRecord(dict = record_dict)
312 type = record.get_type()
314 self.verify_object_permission(record.get_name())
316 auth_name = get_authority(record.get_name())
317 table = self.get_auth_table(auth_name)
319 # make sure the record exists
320 existing_record_list = table.resolve(type, record.get_name())
321 if not existing_record_list:
322 raise RecordNotFound(record.get_name())
324 existing_record = existing_record_list[0]
325 pointer = existing_record.get_pointer()
327 if (type == "sa") or (type == "ma"):
328 self.shell.UpdateSite(self.pl_auth, pointer, record.get_pl_info())
330 elif type == "slice":
331 self.shell.UpdateSlice(self.pl_auth, pointer, record.get_pl_info())
334 self.shell.UpdatePerson(self.pl_auth, pointer, record.get_pl_info())
337 self.shell.UpdateNode(self.pl_auth, pointer, record.get_pl_info())
340 raise UnknownGeniType(type)
342 # TODO: List doesn't take an hrn and uses the hrn contained in the
343 # objectGid of the credential. Does this mean the only way to list an
344 # authority is by having a credential for that authority?
345 def list(self, cred):
346 self.decode_authentication(cred, "list")
348 auth_name = self.object_gid.get_hrn()
349 table = self.get_auth_table(auth_name)
351 records = table.list()
354 for record in records:
356 self.fill_record_info(record)
357 good_records.append(record)
358 except PlanetLabRecordDoesNotExist:
359 # silently drop the ones that are missing in PL.
360 # is this the right thing to do?
361 report.error("ignoring geni record " + record.get_name() + " because pl record does not exist")
365 for record in good_records:
366 dicts.append(record.as_dict())
372 def resolve_raw(self, type, name, must_exist=True):
373 auth_name = get_authority(name)
375 table = self.get_auth_table(auth_name)
377 records = table.resolve(type, name)
379 if (not records) and must_exist:
380 raise RecordNotFound(name)
383 for record in records:
385 self.fill_record_info(record)
386 good_records.append(record)
387 except PlanetLabRecordDoesNotExist:
388 # silently drop the ones that are missing in PL.
389 # is this the right thing to do?
390 report.error("ignoring geni record " + record.get_name() + " because pl record does not exist")
395 def resolve(self, cred, name):
396 self.decode_authentication(cred, "resolve")
398 records = self.resolve_raw("*", name)
400 for record in records:
401 dicts.append(record.as_dict())
405 def get_gid(self, name):
406 self.verify_object_belongs_to_me(name)
407 records = self.resolve_raw("*", name)
409 for record in records:
410 gid = record.get_gid()
411 gid_string_list.append(gid.save_to_string(save_parents=True))
412 return gid_string_list
414 def determine_rights(self, type, name):
417 # rights seem to be somewhat redundant with the type of the credential.
418 # For example, a "sa" credential implies the authority right, because
419 # a sa credential cannot be issued to a user who is not an owner of
430 elif type == "slice":
435 elif type == "component":
441 def get_self_credential(self, type, name):
442 self.verify_object_belongs_to_me(name)
444 auth_hrn = get_authority(name)
445 auth_info = self.get_auth_info(auth_hrn)
447 # find a record that matches
448 records = self.resolve_raw(type, name, must_exist=True)
451 gid = record.get_gid_object()
452 peer_cert = self.server.peer_cert
453 if not peer_cert.is_pubkey(gid.get_pubkey()):
454 raise ConnectionKeyGIDMismatch(gid.get_subject())
456 # create the credential
457 gid = record.get_gid_object()
458 cred = Credential(subject = gid.get_subject())
459 cred.set_gid_caller(gid)
460 cred.set_gid_object(gid)
461 cred.set_issuer(key=auth_info.get_pkey_object(), subject=auth_hrn)
462 cred.set_pubkey(gid.get_pubkey())
464 rl = self.determine_rights(type, name)
465 cred.set_privileges(rl)
467 cred.set_parent(AuthHierarchy.get_auth_cred(auth_hrn))
472 return cred.save_to_string(save_parents=True)
474 def get_credential(self, cred, type, name):
476 return get_self_credential(self, type, name)
478 self.decode_authentication(cred, "getcredential")
480 self.verify_object_belongs_to_me(name)
482 auth_hrn = get_authority(name)
483 auth_info = self.get_auth_info(auth_hrn)
485 records = self.resolve_raw(type, name, must_exist=True)
488 # TODO: Check permission that self.client_cred can access the object
490 object_gid = record.get_gid_object()
491 new_cred = Credential(subject = object_gid.get_subject())
492 new_cred.set_gid_caller(self.client_gid)
493 new_cred.set_gid_object(object_gid)
494 new_cred.set_issuer(key=auth_info.get_pkey_object(), subject=auth_hrn)
495 new_cred.set_pubkey(object_gid.get_pubkey())
497 rl = self.determine_rights(type, name)
498 new_cred.set_privileges(rl)
500 new_cred.set_parent(AuthHierarchy.get_auth_cred(auth_hrn))
505 return new_cred.save_to_string(save_parents=True)
507 def create_gid(self, cred, name, uuid, pubkey_str):
508 self.decode_authentication(cred, "getcredential")
510 self.verify_object_belongs_to_me(name)
512 self.verify_object_permission(name)
518 pkey.load_pubkey_from_string(pubkey_str)
519 gid = AuthHierarchy.create_gid(name, uuid, pkey)
521 return gid.save_to_string(save_parents=True)
523 # ------------------------------------------------------------------------
524 # Component Interface
526 def record_to_slice_info(self, record):
528 # get the user keys from the slice
530 persons = self.shell.GetPersons(self.pl_auth, record.pl_info['person_ids'])
531 for person in persons:
532 person_keys = self.shell.GetKeys(self.pl_auth, person["key_ids"])
533 for person_key in person_keys:
534 keys = keys + [person_key['key']]
537 attributes['name'] = record.pl_info['name']
538 attributes['keys'] = keys
539 attributes['instantiation'] = record.pl_info['instantiation']
540 attributes['vref'] = 'default'
541 attributes['timestamp'] = time.time()
545 # get the PLC attributes and separate them into slice attributes and
548 filter['slice_id'] = record.pl_info['slice_id']
549 plc_attrs = self.shell.GetSliceAttributes(self.pl_auth, filter)
550 for attr in plc_attrs:
553 # initscripts: lookup the contents of the initscript and store it
554 # in the ticket attributes
555 if (name == "initscript"):
556 filter={'name': attr['value']}
557 initscripts = self.shell.GetInitScripts(self.pl_auth, filter)
559 attributes['initscript'] = initscripts[0]['script']
561 rspec[name] = attr['value']
563 return (attributes, rspec)
566 def get_ticket(self, cred, name, rspec):
567 self.decode_authentication(cred, "getticket")
569 self.verify_object_belongs_to_me(name)
571 self.verify_object_permission(name)
573 # XXX much of this code looks like get_credential... are they so similar
574 # that they should be combined?
576 auth_hrn = get_authority(name)
577 auth_info = self.get_auth_info(auth_hrn)
579 records = self.resolve_raw("slice", name, must_exist=True)
582 object_gid = record.get_gid_object()
583 new_ticket = Ticket(subject = object_gid.get_subject())
584 new_ticket.set_gid_caller(self.client_gid)
585 new_ticket.set_gid_object(object_gid)
586 new_ticket.set_issuer(key=auth_info.get_pkey_object(), subject=auth_hrn)
587 new_ticket.set_pubkey(object_gid.get_pubkey())
589 self.fill_record_info(record)
591 (attributes, rspec) = self.record_to_slice_info(record)
593 new_ticket.set_attributes(attributes)
594 new_ticket.set_rspec(rspec)
596 new_ticket.set_parent(AuthHierarchy.get_auth_ticket(auth_hrn))
601 return new_ticket.save_to_string(save_parents=True)
604 if __name__ == "__main__":
608 key_file = "server.key"
609 cert_file = "server.cert"
611 # if no key is specified, then make one up
612 if (not os.path.exists(key_file)) or (not os.path.exists(cert_file)):
613 key = Keypair(create=True)
614 key.save_to_file(key_file)
616 cert = Certificate(subject="registry")
617 cert.set_issuer(key=key, subject="registry")
620 cert.save_to_file(cert_file)
622 AuthHierarchy = Hierarchy()
624 TrustedRoots = TrustedRootList()
626 s = Registry("", 12345, key_file, cert_file)
627 s.trusted_cert_list = TrustedRoots.get_list()