sfa/managers/registry_manager.py

   1 import types
   2 import time
   3
   4 from sfa.util.faults import RecordNotFound, AccountNotEnabled, PermissionError, MissingAuthority, \
   5     UnknownSfaType, ExistingRecord
   6 from sfa.util.prefixTree import prefixTree
   7 from sfa.util.record import SfaRecord
   8 from sfa.util.table import SfaTable
   9 from sfa.util.xrn import Xrn, get_leaf, get_authority, hrn_to_urn, urn_to_hrn
  10 from sfa.util.plxrn import hrn_to_pl_login_base
  11 from sfa.util.version import version_core
  12
  13 from sfa.trust.gid import GID
  14 from sfa.trust.credential import Credential
  15 from sfa.trust.certificate import Certificate, Keypair, convert_public_key
  16 from sfa.trust.gid import create_uuid
  17
  18 class RegistryManager:
  19
  20     def __init__ (self): pass
  21
  22     # The GENI GetVersion call
  23     def GetVersion(self, api):
  24         peers = dict ( [ (hrn,interface._ServerProxy__host) for (hrn,interface) in api.registries.iteritems()
  25                        if hrn != api.hrn])
  26         xrn=Xrn(api.hrn)
  27         return version_core({'interface':'registry',
  28                              'hrn':xrn.get_hrn(),
  29                              'urn':xrn.get_urn(),
  30                              'peers':peers})
  31
  32     def GetCredential(self, api, xrn, type, is_self=False):
  33         # convert xrn to hrn
  34         if type:
  35             hrn = urn_to_hrn(xrn)[0]
  36         else:
  37             hrn, type = urn_to_hrn(xrn)
  38
  39         # Is this a root or sub authority
  40         auth_hrn = api.auth.get_authority(hrn)
  41         if not auth_hrn or hrn == api.config.SFA_INTERFACE_HRN:
  42             auth_hrn = hrn
  43         # get record info
  44         auth_info = api.auth.get_auth_info(auth_hrn)
  45         table = SfaTable()
  46         records = table.findObjects({'type': type, 'hrn': hrn})
  47         if not records:
  48             raise RecordNotFound(hrn)
  49         record = records[0]
  50
  51         # verify_cancreate_credential requires that the member lists
  52         # (researchers, pis, etc) be filled in
  53         api.driver.fill_record_info(record, api.aggregates)
  54         if record['type']=='user':
  55            if not record['enabled']:
  56               raise AccountNotEnabled(": PlanetLab account %s is not enabled. Please contact your site PI" %(record['email']))
  57
  58         # get the callers gid
  59         # if this is a self cred the record's gid is the caller's gid
  60         if is_self:
  61             caller_hrn = hrn
  62             caller_gid = record.get_gid_object()
  63         else:
  64             caller_gid = api.auth.client_cred.get_gid_caller()
  65             caller_hrn = caller_gid.get_hrn()
  66
  67         object_hrn = record.get_gid_object().get_hrn()
  68         rights = api.auth.determine_user_rights(caller_hrn, record)
  69         # make sure caller has rights to this object
  70         if rights.is_empty():
  71             raise PermissionError(caller_hrn + " has no rights to " + record['name'])
  72
  73         object_gid = GID(string=record['gid'])
  74         new_cred = Credential(subject = object_gid.get_subject())
  75         new_cred.set_gid_caller(caller_gid)
  76         new_cred.set_gid_object(object_gid)
  77         new_cred.set_issuer_keys(auth_info.get_privkey_filename(), auth_info.get_gid_filename())
  78         #new_cred.set_pubkey(object_gid.get_pubkey())
  79         new_cred.set_privileges(rights)
  80         new_cred.get_privileges().delegate_all_privileges(True)
  81         if 'expires' in record:
  82             new_cred.set_expiration(int(record['expires']))
  83         auth_kind = "authority,ma,sa"
  84         # Parent not necessary, verify with certs
  85         #new_cred.set_parent(api.auth.hierarchy.get_auth_cred(auth_hrn, kind=auth_kind))
  86         new_cred.encode()
  87         new_cred.sign()
  88
  89         return new_cred.save_to_string(save_parents=True)
  90
  91
  92     def Resolve(self, api, xrns, type=None, full=True):
  93
  94         # load all known registry names into a prefix tree and attempt to find
  95         # the longest matching prefix
  96         if not isinstance(xrns, types.ListType):
  97             if not type:
  98                 type = Xrn(xrns).get_type()
  99             xrns = [xrns]
 100         hrns = [urn_to_hrn(xrn)[0] for xrn in xrns]
 101         # create a dict where key is a registry hrn and its value is a
 102         # hrns at that registry (determined by the known prefix tree).
 103         xrn_dict = {}
 104         registries = api.registries
 105         tree = prefixTree()
 106         registry_hrns = registries.keys()
 107         tree.load(registry_hrns)
 108         for xrn in xrns:
 109             registry_hrn = tree.best_match(urn_to_hrn(xrn)[0])
 110             if registry_hrn not in xrn_dict:
 111                 xrn_dict[registry_hrn] = []
 112             xrn_dict[registry_hrn].append(xrn)
 113
 114         records = []
 115         for registry_hrn in xrn_dict:
 116             # skip the hrn without a registry hrn
 117             # XX should we let the user know the authority is unknown?
 118             if not registry_hrn:
 119                 continue
 120
 121             # if the best match (longest matching hrn) is not the local registry,
 122             # forward the request
 123             xrns = xrn_dict[registry_hrn]
 124             if registry_hrn != api.hrn:
 125                 credential = api.getCredential()
 126                 interface = api.registries[registry_hrn]
 127                 server = api.server_proxy(interface, credential)
 128                 peer_records = server.Resolve(xrns, credential)
 129                 records.extend([SfaRecord(dict=record).as_dict() for record in peer_records])
 130
 131         # try resolving the remaining unfound records at the local registry
 132         remaining_hrns = set(hrns).difference([record['hrn'] for record in records])
 133         # convert set to list
 134         remaining_hrns = [hrn for hrn in remaining_hrns]
 135         table = SfaTable()
 136         local_records = table.findObjects({'hrn': remaining_hrns})
 137         if full:
 138             api.driver.fill_record_info(local_records, api.aggregates)
 139
 140         # convert local record objects to dicts
 141         records.extend([dict(record) for record in local_records])
 142         if not records:
 143             raise RecordNotFound(str(hrns))
 144
 145         if type:
 146             records = filter(lambda rec: rec['type'] in [type], records)
 147
 148         return records
 149
 150     def List(self, api, xrn, origin_hrn=None):
 151         hrn, type = urn_to_hrn(xrn)
 152         # load all know registry names into a prefix tree and attempt to find
 153         # the longest matching prefix
 154         records = []
 155         registries = api.registries
 156         registry_hrns = registries.keys()
 157         tree = prefixTree()
 158         tree.load(registry_hrns)
 159         registry_hrn = tree.best_match(hrn)
 160
 161         #if there was no match then this record belongs to an unknow registry
 162         if not registry_hrn:
 163             raise MissingAuthority(xrn)
 164         # if the best match (longest matching hrn) is not the local registry,
 165         # forward the request
 166         records = []
 167         if registry_hrn != api.hrn:
 168             credential = api.getCredential()
 169             interface = api.registries[registry_hrn]
 170             server = api.server_proxy(interface, credential)
 171             record_list = server.List(xrn, credential)
 172             records = [SfaRecord(dict=record).as_dict() for record in record_list]
 173
 174         # if we still have not found the record yet, try the local registry
 175         if not records:
 176             if not api.auth.hierarchy.auth_exists(hrn):
 177                 raise MissingAuthority(hrn)
 178
 179             table = SfaTable()
 180             records = table.find({'authority': hrn})
 181
 182         return records
 183
 184
 185     def CreateGid(self, api, xrn, cert):
 186         # get the authority
 187         authority = Xrn(xrn=xrn).get_authority_hrn()
 188         auth_info = api.auth.get_auth_info(authority)
 189         if not cert:
 190             pkey = Keypair(create=True)
 191         else:
 192             certificate = Certificate(string=cert)
 193             pkey = certificate.get_pubkey()
 194         gid = api.auth.hierarchy.create_gid(xrn, create_uuid(), pkey)
 195         return gid.save_to_string(save_parents=True)
 196
 197     def Register(self, api, record):
 198
 199         hrn, type = record['hrn'], record['type']
 200         urn = hrn_to_urn(hrn,type)
 201         # validate the type
 202         if type not in ['authority', 'slice', 'node', 'user']:
 203             raise UnknownSfaType(type)
 204
 205         # check if record already exists
 206         table = SfaTable()
 207         existing_records = table.find({'type': type, 'hrn': hrn})
 208         if existing_records:
 209             raise ExistingRecord(hrn)
 210
 211         record = SfaRecord(dict = record)
 212         record['authority'] = get_authority(record['hrn'])
 213         type = record['type']
 214         hrn = record['hrn']
 215         auth_info = api.auth.get_auth_info(record['authority'])
 216         pub_key = None
 217         # make sure record has a gid
 218         if 'gid' not in record:
 219             uuid = create_uuid()
 220             pkey = Keypair(create=True)
 221             if 'key' in record and record['key']:
 222                 if isinstance(record['key'], types.ListType):
 223                     pub_key = record['key'][0]
 224                 else:
 225                     pub_key = record['key']
 226                 pkey = convert_public_key(pub_key)
 227
 228             gid_object = api.auth.hierarchy.create_gid(urn, uuid, pkey)
 229             gid = gid_object.save_to_string(save_parents=True)
 230             record['gid'] = gid
 231             record.set_gid(gid)
 232
 233         if type in ["authority"]:
 234             # update the tree
 235             if not api.auth.hierarchy.auth_exists(hrn):
 236                 api.auth.hierarchy.create_auth(hrn_to_urn(hrn,'authority'))
 237
 238             # get the GID from the newly created authority
 239             gid = auth_info.get_gid_object()
 240             record.set_gid(gid.save_to_string(save_parents=True))
 241             pl_record = api.driver.sfa_fields_to_pl_fields(type, hrn, record)
 242             sites = api.driver.GetSites([pl_record['login_base']])
 243             if not sites:
 244                 pointer = api.driver.AddSite(pl_record)
 245             else:
 246                 pointer = sites[0]['site_id']
 247
 248             record.set_pointer(pointer)
 249             record['pointer'] = pointer
 250
 251         elif (type == "slice"):
 252             acceptable_fields=['url', 'instantiation', 'name', 'description']
 253             pl_record = api.driver.sfa_fields_to_pl_fields(type, hrn, record)
 254             for key in pl_record.keys():
 255                 if key not in acceptable_fields:
 256                     pl_record.pop(key)
 257             slices = api.driver.GetSlices([pl_record['name']])
 258             if not slices:
 259                  pointer = api.driver.AddSlice(pl_record)
 260             else:
 261                  pointer = slices[0]['slice_id']
 262             record.set_pointer(pointer)
 263             record['pointer'] = pointer
 264
 265         elif  (type == "user"):
 266             persons = api.driver.GetPersons([record['email']])
 267             if not persons:
 268                 pointer = api.driver.AddPerson(dict(record))
 269             else:
 270                 pointer = persons[0]['person_id']
 271
 272             if 'enabled' in record and record['enabled']:
 273                 api.driver.UpdatePerson(pointer, {'enabled': record['enabled']})
 274             # add this persons to the site only if he is being added for the first
 275             # time by sfa and doesont already exist in plc
 276             if not persons or not persons[0]['site_ids']:
 277                 login_base = get_leaf(record['authority'])
 278                 api.driver.AddPersonToSite(pointer, login_base)
 279
 280             # What roles should this user have?
 281             api.driver.AddRoleToPerson('user', pointer)
 282             # Add the user's key
 283             if pub_key:
 284                 api.driver.AddPersonKey(pointer, {'key_type' : 'ssh', 'key' : pub_key})
 285
 286         elif (type == "node"):
 287             pl_record = api.driver.sfa_fields_to_pl_fields(type, hrn, record)
 288             login_base = hrn_to_pl_login_base(record['authority'])
 289             nodes = api.driver.GetNodes([pl_record['hostname']])
 290             if not nodes:
 291                 pointer = api.driver.AddNode(login_base, pl_record)
 292             else:
 293                 pointer = nodes[0]['node_id']
 294
 295         record['pointer'] = pointer
 296         record.set_pointer(pointer)
 297         record_id = table.insert(record)
 298         record['record_id'] = record_id
 299
 300         # update membership for researchers, pis, owners, operators
 301         api.driver.update_membership(None, record)
 302
 303         return record.get_gid_object().save_to_string(save_parents=True)
 304
 305     def Update(self, api, record_dict):
 306         new_record = SfaRecord(dict = record_dict)
 307         type = new_record['type']
 308         hrn = new_record['hrn']
 309         urn = hrn_to_urn(hrn,type)
 310         table = SfaTable()
 311         # make sure the record exists
 312         records = table.findObjects({'type': type, 'hrn': hrn})
 313         if not records:
 314             raise RecordNotFound(hrn)
 315         record = records[0]
 316         record['last_updated'] = time.gmtime()
 317
 318         # Update_membership needs the membership lists in the existing record
 319         # filled in, so it can see if members were added or removed
 320         api.driver.fill_record_info(record, api.aggregates)
 321
 322         # Use the pointer from the existing record, not the one that the user
 323         # gave us. This prevents the user from inserting a forged pointer
 324         pointer = record['pointer']
 325         # update the PLC information that was specified with the record
 326
 327         if (type == "authority"):
 328             api.driver.UpdateSite(pointer, new_record)
 329
 330         elif type == "slice":
 331             pl_record=api.driver.sfa_fields_to_pl_fields(type, hrn, new_record)
 332             if 'name' in pl_record:
 333                 pl_record.pop('name')
 334                 api.driver.UpdateSlice(pointer, pl_record)
 335
 336         elif type == "user":
 337             # SMBAKER: UpdatePerson only allows a limited set of fields to be
 338             #    updated. Ideally we should have a more generic way of doing
 339             #    this. I copied the field names from UpdatePerson.py...
 340             update_fields = {}
 341             all_fields = new_record
 342             for key in all_fields.keys():
 343                 if key in ['first_name', 'last_name', 'title', 'email',
 344                            'password', 'phone', 'url', 'bio', 'accepted_aup',
 345                            'enabled']:
 346                     update_fields[key] = all_fields[key]
 347             api.driver.UpdatePerson(pointer, update_fields)
 348
 349             if 'key' in new_record and new_record['key']:
 350                 # must check this key against the previous one if it exists
 351                 persons = api.driver.GetPersons([pointer], ['key_ids'])
 352                 person = persons[0]
 353                 keys = person['key_ids']
 354                 keys = api.driver.GetKeys(person['key_ids'])
 355                 key_exists = False
 356                 if isinstance(new_record['key'], types.ListType):
 357                     new_key = new_record['key'][0]
 358                 else:
 359                     new_key = new_record['key']
 360
 361                 # Delete all stale keys
 362                 for key in keys:
 363                     if new_record['key'] != key['key']:
 364                         api.driver.DeleteKey(key['key_id'])
 365                     else:
 366                         key_exists = True
 367                 if not key_exists:
 368                     api.driver.AddPersonKey(pointer, {'key_type': 'ssh', 'key': new_key})
 369
 370                 # update the openssl key and gid
 371                 pkey = convert_public_key(new_key)
 372                 uuid = create_uuid()
 373                 gid_object = api.auth.hierarchy.create_gid(urn, uuid, pkey)
 374                 gid = gid_object.save_to_string(save_parents=True)
 375                 record['gid'] = gid
 376                 record = SfaRecord(dict=record)
 377                 table.update(record)
 378
 379         elif type == "node":
 380             api.driver.UpdateNode(pointer, new_record)
 381
 382         else:
 383             raise UnknownSfaType(type)
 384
 385         # update membership for researchers, pis, owners, operators
 386         api.driver.update_membership(record, new_record)
 387
 388         return 1
 389
 390     # expecting an Xrn instance
 391     def Remove(self, api, xrn, origin_hrn=None):
 392
 393         table = SfaTable()
 394         filter = {'hrn': xrn.get_hrn()}
 395         hrn=xrn.get_hrn()
 396         type=xrn.get_type()
 397         if type and type not in ['all', '*']:
 398             filter['type'] = type
 399
 400         records = table.find(filter)
 401         if not records: raise RecordNotFound(hrn)
 402         record = records[0]
 403         type = record['type']
 404
 405         credential = api.getCredential()
 406         registries = api.registries
 407
 408         # Try to remove the object from the PLCDB of federated agg.
 409         # This is attempted before removing the object from the local agg's PLCDB and sfa table
 410         if hrn.startswith(api.hrn) and type in ['user', 'slice', 'authority']:
 411             for registry in registries:
 412                 if registry not in [api.hrn]:
 413                     try:
 414                         result=registries[registry].remove_peer_object(credential, record, origin_hrn)
 415                     except:
 416                         pass
 417         if type == "user":
 418             persons = api.driver.GetPersons(record['pointer'])
 419             # only delete this person if he has site ids. if he doesnt, it probably means
 420             # he was just removed from a site, not actually deleted
 421             if persons and persons[0]['site_ids']:
 422                 api.driver.DeletePerson(record['pointer'])
 423         elif type == "slice":
 424             if api.driver.GetSlices(record['pointer']):
 425                 api.driver.DeleteSlice(record['pointer'])
 426         elif type == "node":
 427             if api.driver.GetNodes(record['pointer']):
 428                 api.driver.DeleteNode(record['pointer'])
 429         elif type == "authority":
 430             if api.driver.GetSites(record['pointer']):
 431                 api.driver.DeleteSite(record['pointer'])
 432         else:
 433             raise UnknownSfaType(type)
 434
 435         table.remove(record)
 436
 437         return 1
 438
 439     def remove_peer_object(self, api, record, origin_hrn=None):
 440         pass
 441
 442     def register_peer_object(self, api, record, origin_hrn=None):
 443         pass