sfa/managers/registry_manager.py

   1 import types
   2 import time
   3 # for get_key_from_incoming_ip
   4 import tempfile
   5 import os
   6 import commands
   7
   8 from sfa.util.faults import RecordNotFound, AccountNotEnabled, PermissionError, MissingAuthority, \
   9     UnknownSfaType, ExistingRecord, NonExistingRecord
  10 from sfa.util.prefixTree import prefixTree
  11 from sfa.util.record import SfaRecord
  12 from sfa.util.table import SfaTable
  13 from sfa.util.xrn import Xrn, get_leaf, get_authority, hrn_to_urn, urn_to_hrn
  14 from sfa.util.plxrn import hrn_to_pl_login_base
  15 from sfa.util.version import version_core
  16
  17 from sfa.trust.gid import GID
  18 from sfa.trust.credential import Credential
  19 from sfa.trust.certificate import Certificate, Keypair, convert_public_key
  20 from sfa.trust.gid import create_uuid
  21
  22 class RegistryManager:
  23
  24     def __init__ (self): pass
  25
  26     # The GENI GetVersion call
  27     def GetVersion(self, api):
  28         peers = dict ( [ (hrn,interface._ServerProxy__host) for (hrn,interface) in api.registries.iteritems()
  29                        if hrn != api.hrn])
  30         xrn=Xrn(api.hrn)
  31         return version_core({'interface':'registry',
  32                              'hrn':xrn.get_hrn(),
  33                              'urn':xrn.get_urn(),
  34                              'peers':peers})
  35
  36     def GetCredential(self, api, xrn, type, is_self=False):
  37         # convert xrn to hrn
  38         if type:
  39             hrn = urn_to_hrn(xrn)[0]
  40         else:
  41             hrn, type = urn_to_hrn(xrn)
  42
  43         # Is this a root or sub authority
  44         auth_hrn = api.auth.get_authority(hrn)
  45         if not auth_hrn or hrn == api.config.SFA_INTERFACE_HRN:
  46             auth_hrn = hrn
  47         # get record info
  48         auth_info = api.auth.get_auth_info(auth_hrn)
  49         table = SfaTable()
  50         records = table.findObjects({'type': type, 'hrn': hrn})
  51         if not records:
  52             raise RecordNotFound(hrn)
  53         record = records[0]
  54
  55         # verify_cancreate_credential requires that the member lists
  56         # (researchers, pis, etc) be filled in
  57         api.driver.fill_record_info(record, api.aggregates)
  58         if record['type']=='user':
  59            if not record['enabled']:
  60               raise AccountNotEnabled(": PlanetLab account %s is not enabled. Please contact your site PI" %(record['email']))
  61
  62         # get the callers gid
  63         # if this is a self cred the record's gid is the caller's gid
  64         if is_self:
  65             caller_hrn = hrn
  66             caller_gid = record.get_gid_object()
  67         else:
  68             caller_gid = api.auth.client_cred.get_gid_caller()
  69             caller_hrn = caller_gid.get_hrn()
  70
  71         object_hrn = record.get_gid_object().get_hrn()
  72         rights = api.auth.determine_user_rights(caller_hrn, record)
  73         # make sure caller has rights to this object
  74         if rights.is_empty():
  75             raise PermissionError(caller_hrn + " has no rights to " + record['name'])
  76
  77         object_gid = GID(string=record['gid'])
  78         new_cred = Credential(subject = object_gid.get_subject())
  79         new_cred.set_gid_caller(caller_gid)
  80         new_cred.set_gid_object(object_gid)
  81         new_cred.set_issuer_keys(auth_info.get_privkey_filename(), auth_info.get_gid_filename())
  82         #new_cred.set_pubkey(object_gid.get_pubkey())
  83         new_cred.set_privileges(rights)
  84         new_cred.get_privileges().delegate_all_privileges(True)
  85         if 'expires' in record:
  86             new_cred.set_expiration(int(record['expires']))
  87         auth_kind = "authority,ma,sa"
  88         # Parent not necessary, verify with certs
  89         #new_cred.set_parent(api.auth.hierarchy.get_auth_cred(auth_hrn, kind=auth_kind))
  90         new_cred.encode()
  91         new_cred.sign()
  92
  93         return new_cred.save_to_string(save_parents=True)
  94
  95
  96     def Resolve(self, api, xrns, type=None, full=True):
  97
  98         # load all known registry names into a prefix tree and attempt to find
  99         # the longest matching prefix
 100         if not isinstance(xrns, types.ListType):
 101             if not type:
 102                 type = Xrn(xrns).get_type()
 103             xrns = [xrns]
 104         hrns = [urn_to_hrn(xrn)[0] for xrn in xrns]
 105         # create a dict where key is a registry hrn and its value is a
 106         # hrns at that registry (determined by the known prefix tree).
 107         xrn_dict = {}
 108         registries = api.registries
 109         tree = prefixTree()
 110         registry_hrns = registries.keys()
 111         tree.load(registry_hrns)
 112         for xrn in xrns:
 113             registry_hrn = tree.best_match(urn_to_hrn(xrn)[0])
 114             if registry_hrn not in xrn_dict:
 115                 xrn_dict[registry_hrn] = []
 116             xrn_dict[registry_hrn].append(xrn)
 117
 118         records = []
 119         for registry_hrn in xrn_dict:
 120             # skip the hrn without a registry hrn
 121             # XX should we let the user know the authority is unknown?
 122             if not registry_hrn:
 123                 continue
 124
 125             # if the best match (longest matching hrn) is not the local registry,
 126             # forward the request
 127             xrns = xrn_dict[registry_hrn]
 128             if registry_hrn != api.hrn:
 129                 credential = api.getCredential()
 130                 interface = api.registries[registry_hrn]
 131                 server = api.server_proxy(interface, credential)
 132                 peer_records = server.Resolve(xrns, credential)
 133                 records.extend([SfaRecord(dict=record).as_dict() for record in peer_records])
 134
 135         # try resolving the remaining unfound records at the local registry
 136         remaining_hrns = set(hrns).difference([record['hrn'] for record in records])
 137         # convert set to list
 138         remaining_hrns = [hrn for hrn in remaining_hrns]
 139         table = SfaTable()
 140         local_records = table.findObjects({'hrn': remaining_hrns})
 141         if full:
 142             api.driver.fill_record_info(local_records, api.aggregates)
 143
 144         # convert local record objects to dicts
 145         records.extend([dict(record) for record in local_records])
 146         if not records:
 147             raise RecordNotFound(str(hrns))
 148
 149         if type:
 150             records = filter(lambda rec: rec['type'] in [type], records)
 151
 152         return records
 153
 154     def List(self, api, xrn, origin_hrn=None):
 155         hrn, type = urn_to_hrn(xrn)
 156         # load all know registry names into a prefix tree and attempt to find
 157         # the longest matching prefix
 158         records = []
 159         registries = api.registries
 160         registry_hrns = registries.keys()
 161         tree = prefixTree()
 162         tree.load(registry_hrns)
 163         registry_hrn = tree.best_match(hrn)
 164
 165         #if there was no match then this record belongs to an unknow registry
 166         if not registry_hrn:
 167             raise MissingAuthority(xrn)
 168         # if the best match (longest matching hrn) is not the local registry,
 169         # forward the request
 170         records = []
 171         if registry_hrn != api.hrn:
 172             credential = api.getCredential()
 173             interface = api.registries[registry_hrn]
 174             server = api.server_proxy(interface, credential)
 175             record_list = server.List(xrn, credential)
 176             records = [SfaRecord(dict=record).as_dict() for record in record_list]
 177
 178         # if we still have not found the record yet, try the local registry
 179         if not records:
 180             if not api.auth.hierarchy.auth_exists(hrn):
 181                 raise MissingAuthority(hrn)
 182
 183             table = SfaTable()
 184             records = table.find({'authority': hrn})
 185
 186         return records
 187
 188
 189     def CreateGid(self, api, xrn, cert):
 190         # get the authority
 191         authority = Xrn(xrn=xrn).get_authority_hrn()
 192         auth_info = api.auth.get_auth_info(authority)
 193         if not cert:
 194             pkey = Keypair(create=True)
 195         else:
 196             certificate = Certificate(string=cert)
 197             pkey = certificate.get_pubkey()
 198         gid = api.auth.hierarchy.create_gid(xrn, create_uuid(), pkey)
 199         return gid.save_to_string(save_parents=True)
 200
 201     def Register(self, api, record):
 202
 203         hrn, type = record['hrn'], record['type']
 204         urn = hrn_to_urn(hrn,type)
 205         # validate the type
 206         if type not in ['authority', 'slice', 'node', 'user']:
 207             raise UnknownSfaType(type)
 208
 209         # check if record already exists
 210         table = SfaTable()
 211         existing_records = table.find({'type': type, 'hrn': hrn})
 212         if existing_records:
 213             raise ExistingRecord(hrn)
 214
 215         record = SfaRecord(dict = record)
 216         record['authority'] = get_authority(record['hrn'])
 217         type = record['type']
 218         hrn = record['hrn']
 219         auth_info = api.auth.get_auth_info(record['authority'])
 220         pub_key = None
 221         # make sure record has a gid
 222         if 'gid' not in record:
 223             uuid = create_uuid()
 224             pkey = Keypair(create=True)
 225             if 'key' in record and record['key']:
 226                 if isinstance(record['key'], types.ListType):
 227                     pub_key = record['key'][0]
 228                 else:
 229                     pub_key = record['key']
 230                 pkey = convert_public_key(pub_key)
 231
 232             gid_object = api.auth.hierarchy.create_gid(urn, uuid, pkey)
 233             gid = gid_object.save_to_string(save_parents=True)
 234             record['gid'] = gid
 235             record.set_gid(gid)
 236
 237         if type in ["authority"]:
 238             # update the tree
 239             if not api.auth.hierarchy.auth_exists(hrn):
 240                 api.auth.hierarchy.create_auth(hrn_to_urn(hrn,'authority'))
 241
 242             # get the GID from the newly created authority
 243             gid = auth_info.get_gid_object()
 244             record.set_gid(gid.save_to_string(save_parents=True))
 245             pl_record = api.driver.sfa_fields_to_pl_fields(type, hrn, record)
 246             sites = api.driver.GetSites([pl_record['login_base']])
 247             if not sites:
 248                 pointer = api.driver.AddSite(pl_record)
 249             else:
 250                 pointer = sites[0]['site_id']
 251
 252             record.set_pointer(pointer)
 253             record['pointer'] = pointer
 254
 255         elif (type == "slice"):
 256             acceptable_fields=['url', 'instantiation', 'name', 'description']
 257             pl_record = api.driver.sfa_fields_to_pl_fields(type, hrn, record)
 258             for key in pl_record.keys():
 259                 if key not in acceptable_fields:
 260                     pl_record.pop(key)
 261             slices = api.driver.GetSlices([pl_record['name']])
 262             if not slices:
 263                  pointer = api.driver.AddSlice(pl_record)
 264             else:
 265                  pointer = slices[0]['slice_id']
 266             record.set_pointer(pointer)
 267             record['pointer'] = pointer
 268
 269         elif  (type == "user"):
 270             persons = api.driver.GetPersons([record['email']])
 271             if not persons:
 272                 pointer = api.driver.AddPerson(dict(record))
 273             else:
 274                 pointer = persons[0]['person_id']
 275
 276             if 'enabled' in record and record['enabled']:
 277                 api.driver.UpdatePerson(pointer, {'enabled': record['enabled']})
 278             # add this persons to the site only if he is being added for the first
 279             # time by sfa and doesont already exist in plc
 280             if not persons or not persons[0]['site_ids']:
 281                 login_base = get_leaf(record['authority'])
 282                 api.driver.AddPersonToSite(pointer, login_base)
 283
 284             # What roles should this user have?
 285             api.driver.AddRoleToPerson('user', pointer)
 286             # Add the user's key
 287             if pub_key:
 288                 api.driver.AddPersonKey(pointer, {'key_type' : 'ssh', 'key' : pub_key})
 289
 290         elif (type == "node"):
 291             pl_record = api.driver.sfa_fields_to_pl_fields(type, hrn, record)
 292             login_base = hrn_to_pl_login_base(record['authority'])
 293             nodes = api.driver.GetNodes([pl_record['hostname']])
 294             if not nodes:
 295                 pointer = api.driver.AddNode(login_base, pl_record)
 296             else:
 297                 pointer = nodes[0]['node_id']
 298
 299         record['pointer'] = pointer
 300         record.set_pointer(pointer)
 301         record_id = table.insert(record)
 302         record['record_id'] = record_id
 303
 304         # update membership for researchers, pis, owners, operators
 305         api.driver.update_membership(None, record)
 306
 307         return record.get_gid_object().save_to_string(save_parents=True)
 308
 309     def Update(self, api, record_dict):
 310         new_record = SfaRecord(dict = record_dict)
 311         type = new_record['type']
 312         hrn = new_record['hrn']
 313         urn = hrn_to_urn(hrn,type)
 314         table = SfaTable()
 315         # make sure the record exists
 316         records = table.findObjects({'type': type, 'hrn': hrn})
 317         if not records:
 318             raise RecordNotFound(hrn)
 319         record = records[0]
 320         record['last_updated'] = time.gmtime()
 321
 322         # Update_membership needs the membership lists in the existing record
 323         # filled in, so it can see if members were added or removed
 324         api.driver.fill_record_info(record, api.aggregates)
 325
 326         # Use the pointer from the existing record, not the one that the user
 327         # gave us. This prevents the user from inserting a forged pointer
 328         pointer = record['pointer']
 329         # update the PLC information that was specified with the record
 330
 331         if (type == "authority"):
 332             api.driver.UpdateSite(pointer, new_record)
 333
 334         elif type == "slice":
 335             pl_record=api.driver.sfa_fields_to_pl_fields(type, hrn, new_record)
 336             if 'name' in pl_record:
 337                 pl_record.pop('name')
 338                 api.driver.UpdateSlice(pointer, pl_record)
 339
 340         elif type == "user":
 341             # SMBAKER: UpdatePerson only allows a limited set of fields to be
 342             #    updated. Ideally we should have a more generic way of doing
 343             #    this. I copied the field names from UpdatePerson.py...
 344             update_fields = {}
 345             all_fields = new_record
 346             for key in all_fields.keys():
 347                 if key in ['first_name', 'last_name', 'title', 'email',
 348                            'password', 'phone', 'url', 'bio', 'accepted_aup',
 349                            'enabled']:
 350                     update_fields[key] = all_fields[key]
 351             api.driver.UpdatePerson(pointer, update_fields)
 352
 353             if 'key' in new_record and new_record['key']:
 354                 # must check this key against the previous one if it exists
 355                 persons = api.driver.GetPersons([pointer], ['key_ids'])
 356                 person = persons[0]
 357                 keys = person['key_ids']
 358                 keys = api.driver.GetKeys(person['key_ids'])
 359                 key_exists = False
 360                 if isinstance(new_record['key'], types.ListType):
 361                     new_key = new_record['key'][0]
 362                 else:
 363                     new_key = new_record['key']
 364
 365                 # Delete all stale keys
 366                 for key in keys:
 367                     if new_record['key'] != key['key']:
 368                         api.driver.DeleteKey(key['key_id'])
 369                     else:
 370                         key_exists = True
 371                 if not key_exists:
 372                     api.driver.AddPersonKey(pointer, {'key_type': 'ssh', 'key': new_key})
 373
 374                 # update the openssl key and gid
 375                 pkey = convert_public_key(new_key)
 376                 uuid = create_uuid()
 377                 gid_object = api.auth.hierarchy.create_gid(urn, uuid, pkey)
 378                 gid = gid_object.save_to_string(save_parents=True)
 379                 record['gid'] = gid
 380                 record = SfaRecord(dict=record)
 381                 table.update(record)
 382
 383         elif type == "node":
 384             api.driver.UpdateNode(pointer, new_record)
 385
 386         else:
 387             raise UnknownSfaType(type)
 388
 389         # update membership for researchers, pis, owners, operators
 390         api.driver.update_membership(record, new_record)
 391
 392         return 1
 393
 394     # expecting an Xrn instance
 395     def Remove(self, api, xrn, origin_hrn=None):
 396
 397         table = SfaTable()
 398         filter = {'hrn': xrn.get_hrn()}
 399         hrn=xrn.get_hrn()
 400         type=xrn.get_type()
 401         if type and type not in ['all', '*']:
 402             filter['type'] = type
 403
 404         records = table.find(filter)
 405         if not records: raise RecordNotFound(hrn)
 406         record = records[0]
 407         type = record['type']
 408
 409         credential = api.getCredential()
 410         registries = api.registries
 411
 412         # Try to remove the object from the PLCDB of federated agg.
 413         # This is attempted before removing the object from the local agg's PLCDB and sfa table
 414         if hrn.startswith(api.hrn) and type in ['user', 'slice', 'authority']:
 415             for registry in registries:
 416                 if registry not in [api.hrn]:
 417                     try:
 418                         result=registries[registry].remove_peer_object(credential, record, origin_hrn)
 419                     except:
 420                         pass
 421         if type == "user":
 422             persons = api.driver.GetPersons(record['pointer'])
 423             # only delete this person if he has site ids. if he doesnt, it probably means
 424             # he was just removed from a site, not actually deleted
 425             if persons and persons[0]['site_ids']:
 426                 api.driver.DeletePerson(record['pointer'])
 427         elif type == "slice":
 428             if api.driver.GetSlices(record['pointer']):
 429                 api.driver.DeleteSlice(record['pointer'])
 430         elif type == "node":
 431             if api.driver.GetNodes(record['pointer']):
 432                 api.driver.DeleteNode(record['pointer'])
 433         elif type == "authority":
 434             if api.driver.GetSites(record['pointer']):
 435                 api.driver.DeleteSite(record['pointer'])
 436         else:
 437             raise UnknownSfaType(type)
 438
 439         table.remove(record)
 440
 441         return 1
 442
 443     def get_key_from_incoming_ip (self, api):
 444         # verify that the callers's ip address exist in the db and is an interface
 445         # for a node in the db
 446         (ip, port) = api.remote_addr
 447         interfaces = api.driver.GetInterfaces({'ip': ip}, ['node_id'])
 448         if not interfaces:
 449             raise NonExistingRecord("no such ip %(ip)s" % locals())
 450         nodes = api.driver.GetNodes([interfaces[0]['node_id']], ['node_id', 'hostname'])
 451         if not nodes:
 452             raise NonExistingRecord("no such node using ip %(ip)s" % locals())
 453         node = nodes[0]
 454
 455         # look up the sfa record
 456         table = SfaTable()
 457         records = table.findObjects({'type': 'node', 'pointer': node['node_id']})
 458         if not records:
 459             raise RecordNotFound("pointer:" + str(node['node_id']))
 460         record = records[0]
 461
 462         # generate a new keypair and gid
 463         uuid = create_uuid()
 464         pkey = Keypair(create=True)
 465         urn = hrn_to_urn(record['hrn'], record['type'])
 466         gid_object = api.auth.hierarchy.create_gid(urn, uuid, pkey)
 467         gid = gid_object.save_to_string(save_parents=True)
 468         record['gid'] = gid
 469         record.set_gid(gid)
 470
 471         # update the record
 472         table.update(record)
 473
 474         # attempt the scp the key
 475         # and gid onto the node
 476         # this will only work for planetlab based components
 477         (kfd, key_filename) = tempfile.mkstemp()
 478         (gfd, gid_filename) = tempfile.mkstemp()
 479         pkey.save_to_file(key_filename)
 480         gid_object.save_to_file(gid_filename, save_parents=True)
 481         host = node['hostname']
 482         key_dest="/etc/sfa/node.key"
 483         gid_dest="/etc/sfa/node.gid"
 484         scp = "/usr/bin/scp"
 485         #identity = "/etc/planetlab/root_ssh_key.rsa"
 486         identity = "/etc/sfa/root_ssh_key"
 487         scp_options=" -i %(identity)s " % locals()
 488         scp_options+="-o StrictHostKeyChecking=no " % locals()
 489         scp_key_command="%(scp)s %(scp_options)s %(key_filename)s root@%(host)s:%(key_dest)s" %\
 490                          locals()
 491         scp_gid_command="%(scp)s %(scp_options)s %(gid_filename)s root@%(host)s:%(gid_dest)s" %\
 492                          locals()
 493
 494         all_commands = [scp_key_command, scp_gid_command]
 495
 496         for command in all_commands:
 497             (status, output) = commands.getstatusoutput(command)
 498             if status:
 499                 raise Exception, output
 500
 501         for filename in [key_filename, gid_filename]:
 502             os.unlink(filename)
 503
 504         return 1