GeniCMV2.pm.in 61.7 KB
Newer Older
1 2 3
#!/usr/bin/perl -wT
#
# GENIPUBLIC-COPYRIGHT
4
# Copyright (c) 2008-2011 University of Utah and the Flux Group.
5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
# All rights reserved.
#
package GeniCMV2;

#
# The server side of the CM interface on remote sites. Also communicates
# with the GMC interface at Geni Central as a client.
#
use strict;
use Exporter;
use vars qw(@ISA @EXPORT);

@ISA    = "Exporter";
@EXPORT = qw ( );

# Must come after package declaration!
use GeniDB;
use GeniResponse;
use GeniTicket;
use GeniCredential;
use GeniCertificate;
26
use GeniComponent;
27 28 29 30
use GeniSlice;
use GeniAggregate;
use GeniSliver;
use GeniUtil;
31
use GeniCM;
32
use GeniHRN;
33
use GeniXML;
34 35 36 37 38 39 40 41
use emutil;
use English;
use Data::Dumper;
use XML::Simple;
use Date::Parse;
use POSIX qw(strftime tmpnam);
use Time::Local;
use Compress::Zlib;
42
use File::Temp qw(tempfile);
43 44 45 46 47 48 49 50 51 52
use MIME::Base64;

# Configure variables
my $TB		   = "@prefix@";
my $TBOPS          = "@TBOPSEMAIL@";
my $TBAPPROVAL     = "@TBAPPROVALEMAIL@";
my $TBAUDIT   	   = "@TBAUDITEMAIL@";
my $BOSSNODE       = "@BOSSNODE@";
my $OURDOMAIN      = "@OURDOMAIN@";
my $PGENIDOMAIN    = "@PROTOGENI_DOMAIN@";
53
my $ELABINELAB     = "@ELABINELAB@";
54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69
my $CREATEEXPT     = "$TB/bin/batchexp";
my $ENDEXPT        = "$TB/bin/endexp";
my $NALLOC	   = "$TB/bin/nalloc";
my $NFREE	   = "$TB/bin/nfree";
my $AVAIL	   = "$TB/sbin/avail";
my $PTOPGEN	   = "$TB/libexec/ptopgen";
my $TBSWAP	   = "$TB/bin/tbswap";
my $SWAPEXP	   = "$TB/bin/swapexp";
my $PLABSLICE	   = "$TB/sbin/plabslicewrapper";
my $NAMEDSETUP     = "$TB/sbin/named_setup";
my $VNODESETUP     = "$TB/sbin/vnode_setup";
my $GENTOPOFILE    = "$TB/libexec/gentopofile";
my $TARFILES_SETUP = "$TB/bin/tarfiles_setup";
my $MAPPER         = "$TB/bin/mapper";
my $VTOPGEN        = "$TB/bin/vtopgen";
my $SNMPIT         = "$TB/bin/snmpit";
70
my $XMLLINT	   = "/usr/local/bin/xmllint";
71 72
my $PRERENDER      = "$TB/libexec/vis/prerender";
my $EMULAB_PEMFILE = "@prefix@/etc/genicm.pem";
73 74
# Just one of these, at Utah.
my $GENICH_PEMFILE = "@prefix@/etc/genich.pem";
75
my $API_VERSION    = 2;
76 77 78 79 80 81 82 83

#
# Tell the client what API revision we support.  The correspondence
# between revision numbers and API features is to be specified elsewhere.
# No credentials are required.
#
sub GetVersion()
{
84 85
    my @input_rspec_versions = ( "0.1", "0.2", "2", "PG 0.1", "PG 0.2", "PG 2" );
    my @ad_rspec_versions = ( "0.1", "0.2", "2", "PG 0.1", "PG 0.2", "PG 2" );
Gary Wong's avatar
Gary Wong committed
86 87 88
    my $blob = {
	"api" => $API_VERSION,
	"level" => 1,
89
	"input_rspec" => \@input_rspec_versions,
90 91
	"output_rspec" => "0.2",
	"ad_rspec" => \@ad_rspec_versions
Gary Wong's avatar
Gary Wong committed
92 93
    };

94
    return GeniResponse->Create( GENIRESPONSE_SUCCESS, $blob);
95 96 97 98 99 100 101 102
}

#
# Respond to a Resolve request. 
#
sub Resolve($)
{
    my ($argref) = @_;
103 104
    my $credentials = $argref->{'credentials'};
    my $urn         = $argref->{'urn'};
105
    my $admin       = 0;
106
    my $isauth	    = 0;
107

108 109 110 111 112 113 114 115 116 117
    if (! (defined($credentials) && defined($urn))) {
	return GeniResponse->MalformedArgsResponse("Missing arguments");
    }
    if (! GeniHRN::IsValid($urn)) {
	return GeniResponse->MalformedArgsResponse("Invalid URN");
    }
    my $credential = CheckCredentials($credentials);
    return $credential
	if (GeniResponse::IsResponse($credential));

118 119 120
    my ($object, $type) = LookupURN($urn);
    return $object
	if (GeniResponse::IsResponse($object));
121 122 123 124

    #
    # This is a convenience for testing. If a local user and that
    # user is an admin person, then do whatever it says. This is
125 126
    # easier then trying to do this with credential privs. But,
    # watch for credentials from authorities instead of users.
127
    #
128 129
    my (undef,$callertype,$callerid) = GeniHRN::Parse($credential->owner_urn());
    if ($callertype eq "user") {
130
	my $user = GeniCM::CreateUserFromCertificate($credential);
131 132
	if (!GeniResponse::IsResponse($user) &&
	    $user->IsLocal() && $user->admin()) {
133 134 135 136 137
	    $admin = 1;
	}
    }
    elsif ($callertype eq "authority" && $callerid eq "cm") {
	$isauth = 1;
138
    }
139 140
    
    if ($type eq "node") {
141
	my $node  = $object;
142
	my $rspec = GeniCM::GetAdvertisement(0, $node->node_id(), "0.1", undef);
143
	if (! defined($rspec)) {
144
	    print STDERR "Could not get advertisement for $node!\n";
145
	    return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
146
					"Error getting advertisement");
147
	}
148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183
	my $me = GeniAuthority->Lookup($ENV{'MYURN'});
	if (!defined($me)) {
	    print STDERR
		"Could not find local authority object for $ENV{'MYURN'}\n";
	    return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
					"Error getting advertisement");
	}
	my $myurn = GeniHRN::Generate($OURDOMAIN, "node", $node->node_id());
	my $myhrn = "${PGENIDOMAIN}." . $node->node_id();

	#
	# See if the component object exists; if not create it.
	#
	my $component = GeniComponent->Lookup($node->uuid());
	if (!defined($component)) {
	    my $certificate = GeniCertificate->Lookup($node->uuid());
	    if (!defined($certificate)) {
		$certificate =
		    GeniCertificate->Create({'urn'  => $myurn,
					     'hrn'  => $myhrn,
					     'email'=> $TBOPS,
					     'uuid' => $node->uuid(),
					     'url'  => $me->url()});
		if (!defined($certificate)) {
		    print STDERR "Could not generate certificate for $node\n";
		    return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
					    "Error getting advertisement");
		}
	    }
	    $component = GeniComponent->Create($certificate, $me);
	    if (!defined($component)) {
		print STDERR "Could not create component for $node\n";
		return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
					    "Error getting advertisement");
	    }
	}
184
	# Return a blob.
185
	my $blob = { "hrn"          => $myhrn,
186 187
		     "uuid"         => $node->uuid(),
		     "role"	    => $node->role(),
188 189
		     "hostname"     =>
			 GeniUtil::FindHostname($node->node_id()),
190 191
		     "physctrl"     => 
			 Interface->LookupControl($node->phys_nodeid())->IP(),
192 193 194 195
		     "urn"          => $myurn,
		     "rspec"        => $rspec,
		     "url"          => $me->url(),
		     "gid"          => $component->cert(),
196 197 198 199
		   };

	return GeniResponse->Create(GENIRESPONSE_SUCCESS, $blob);
    }
Leigh B. Stoller's avatar
Leigh B. Stoller committed
200
    if ($type eq "slice") {
201 202
	my $slice = $object;

Leigh B. Stoller's avatar
Leigh B. Stoller committed
203 204 205 206
	#
	# In this implementation, the caller must hold a valid slice
	# credential for the slice being looked up. 
	#
207 208
	if (! ($isauth || $admin ||
	       $slice->urn() eq $credential->target_urn())) {
Leigh B. Stoller's avatar
Leigh B. Stoller committed
209 210 211 212 213 214 215
	    return GeniResponse->Create(GENIRESPONSE_FORBIDDEN());
	}
	# Return a blob.
	my $blob = { "urn"          => $urn };

	my $aggregate = GeniAggregate->SliceAggregate($slice);
	if (defined($aggregate)) {
216
	    $blob->{'sliver_urn'} = $aggregate->urn();
217 218 219 220
	    my $manifest = $aggregate->GetManifest(1);
	    if (defined($manifest)) {
		$blob->{'manifest'}   = $manifest;
	    }
Leigh B. Stoller's avatar
Leigh B. Stoller committed
221 222 223
	}
	my $ticket = GeniTicket->SliceTicket($slice);
	if (defined($ticket)) {
224
	    $blob->{'ticket_urn'} = $ticket->urn();
Leigh B. Stoller's avatar
Leigh B. Stoller committed
225 226 227 228
	}
	return GeniResponse->Create(GENIRESPONSE_SUCCESS, $blob);
    }
    if ($type eq "sliver") {
229 230
	my $sliver = $object;

Leigh B. Stoller's avatar
Leigh B. Stoller committed
231 232 233 234
	#
	# In this implementation, the caller must hold a valid slice
	# or sliver credential for the slice being looked up. 
	#
235
	if (! ($admin ||
236
	       $sliver->urn() eq $credential->target_urn() ||
237
	       $sliver->slice_uuid() eq $credential->target_uuid())) {
Leigh B. Stoller's avatar
Leigh B. Stoller committed
238 239
	    return GeniResponse->Create(GENIRESPONSE_FORBIDDEN);
	}
240 241
	my $manifest = $sliver->GetManifest(1);
	if (!defined($manifest)) {
Leigh B. Stoller's avatar
Leigh B. Stoller committed
242 243 244 245 246 247 248 249 250
	    return GeniResponse->Create(GENIRESPONSE_ERROR);
	}
	# Return a blob.
	my $blob = { "urn"          => $urn,
		     "manifest"     => $manifest,
		 };
	return GeniResponse->Create(GENIRESPONSE_SUCCESS, $blob);
    }
    if ($type eq "ticket") {
251 252
	my $ticket = $object;

Leigh B. Stoller's avatar
Leigh B. Stoller committed
253 254 255 256
	#
	# In this implementation, the caller must hold a valid slice
	# or sliver credential to get the ticket.
	#
257
	my $slice = GeniSlice->Lookup($ticket->slice_urn());
Leigh B. Stoller's avatar
Leigh B. Stoller committed
258 259 260 261
	if (!defined($slice)) {
	    print STDERR "Could not find slice for $ticket\n";
	    return GeniResponse->Create(GENIRESPONSE_ERROR);
	}
262
	if (! ($admin || $slice->urn() eq $credential->target_urn())) {
Leigh B. Stoller's avatar
Leigh B. Stoller committed
263 264 265 266 267
	    #
	    # See if its the sliver credential. 
	    #
	    my $aggregate = GeniAggregate->SliceAggregate($slice);
	    if (!defined($aggregate) ||
268
		$aggregate->urn() ne $credential->target_urn()) {
Leigh B. Stoller's avatar
Leigh B. Stoller committed
269 270 271 272 273
		return GeniResponse->Create(GENIRESPONSE_FORBIDDEN());
	    }
	}
	return GeniResponse->Create(GENIRESPONSE_SUCCESS, $ticket->asString());
    }
274 275
    return GeniResponse->Create(GENIRESPONSE_UNSUPPORTED, undef,
				"Cannot resolve $type at this authority");
276 277 278 279 280 281 282 283
}

#
# Discover resources on this component, returning a resource availablity spec
#
sub DiscoverResources($)
{
    my ($argref) = @_;
284 285 286
    my $credentials = $argref->{'credentials'};
    my $available   = $argref->{'available'} || 0;
    my $compress    = $argref->{'compress'} || 0;
287
    my $version     = $argref->{'rspec_version'} || undef;
288 289 290 291 292 293 294

    if (! (defined($credentials))) {
	return GeniResponse->MalformedArgsResponse("Missing arguments");
    }
    my $credential = CheckCredentials($credentials);
    return $credential
	if (GeniResponse::IsResponse($credential));
295

296 297
    my $credential_objects = [];
    foreach my $credstr (@$credentials) {
298 299 300
        my $cred = CheckCredential($credstr);
        push(@$credential_objects, $cred) 
            if(!GeniResponse::IsResponse($cred));
301 302
    }
    return GeniCM::DiscoverResourcesAux($available, $compress,
303
        $version, $credential_objects);
304 305 306 307 308 309 310 311
}

#
# Create a Sliver.
#
sub CreateSliver($)
{
    my ($argref) = @_;
312 313 314 315 316
    my $slice_urn    = $argref->{'slice_urn'};
    my $rspecstr     = $argref->{'rspec'};
    my $credentials  = $argref->{'credentials'};
    my $keys         = $argref->{'keys'};
    my $impotent     = $argref->{'impotent'} || 0;
317 318
    require Node;
    require Experiment;
319 320
    require libtestbed;
    require libaudit;
321 322
    
    # For now, I am not worrying about the slice_urn argument.
323 324
    if (! (defined($credentials) &&
	   defined($slice_urn) && defined($rspecstr))) {
325 326
	return GeniResponse->MalformedArgsResponse("Missing arguments");
    }
327 328 329 330 331 332
    if (! ($rspecstr =~ /^[\040-\176\012\015\011]+$/)) {
	return GeniResponse->MalformedArgsResponse("Bad characters in rspec");
    }
    if (! GeniHRN::IsValid($slice_urn)) {
	return GeniResponse->MalformedArgsResponse("Bad characters in URN");
    }
333 334 335
    my $credential = CheckCredentials($credentials);
    return $credential
	if (GeniResponse::IsResponse($credential));
336

337 338 339 340 341 342 343
    #
    # In this implementation, the user must provide a slice credential,
    # so we ignore the slice_urn. For CreateSliver(), the slice must not
    # be instantiated.
    #
    my ($slice,$aggregate) = Credential2SliceAggregate($credential);
    if (defined($slice)) {
344 345 346
	return $slice
	    if (GeniResponse::IsResponse($slice));

347 348 349 350
	if ($slice_urn ne $slice->urn()) {
	    return GeniResponse->Create(GENIRESPONSE_FORBIDDEN(), undef,
					"Credential does not match the URN");
	}
351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366
	#
	# Watch for a placeholder slice and update it.
	#
	if ($slice->isplaceholder()) {
	    if ($slice->Lock() != 0) {
		return GeniResponse->BusyResponse();
	    }
	    #
	    # Confirm that the slice certificate is the same.
	    #
	    if ($slice->cert() ne $credential->target_cert()->cert()) {
		$slice->UnLock();
		return GeniResponse->Create(GENIRESPONSE_FORBIDDEN, undef,
					    "Slice certificate mismatch");
	    }
	    my $user =
367
		GeniCM::CreateUserFromCertificate($credential);
368
	    if (GeniResponse::IsResponse($user)) {	    
369
		$slice->UnLock();
370
		return $user;
371 372 373 374 375 376 377 378
	    }
	    if ($slice->ConvertPlaceholder($user) != 0) {
		$slice->UnLock();
		return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
					    "Could not convert placeholder");
	    }
	    $slice->UnLock();
	}
379 380 381 382 383
	if (defined($aggregate)) {
	    return GeniResponse->Create(GENIRESPONSE_REFUSED, undef,
					"Must delete existing slice first");
	}
    }
384
    my $rspec = GeniCM::GetTicketAux($credential,
385
				     $rspecstr, 0, $impotent, 1, 0, undef);
386 387 388
    return $rspec
	if (GeniResponse::IsResponse($rspec));

389 390 391 392
    # Make sure that the next phase sees all changes.
    Experiment->FlushAll();
    Node->FlushAll();

393
    my $response = GeniCM::SliverWorkAux($credential,
394
					 $rspec, $keys, 0, $impotent, 1, 0);
395

396 397 398 399 400 401 402
    if (GeniResponse::IsError($response)) {
	#
	# We have to make sure there is nothing left over since there
	# is no actual ticket, so the resources will not get cleaned
	# up by the daemon. This is mostly cause I am reaching into
	# the V1 code, and its messy.
	#
403
	my $slice = GeniSlice->Lookup($credential->target_urn());
404 405 406 407 408 409 410
	if ($slice->Lock() != 0) {
	    print STDERR "CreateSliver: Could not lock $slice before delete\n";
	    return $response;
	}
	if (defined($slice)) {
	    GeniCM::CleanupDeadSlice($slice, 1);
	}
411
	return $response;
412
    }
413 414
    my ($sliver_credential, $sliver_manifest) = @{ $response->{'value'} };
    
415 416 417
    #
    # Leave the slice intact on error, so we can go look at it. 
    #
418
    $slice = GeniSlice->Lookup($credential->target_urn());
419 420 421 422 423 424 425 426 427 428
    if (!defined($slice)) {
	print STDERR "CreateSliver: Could not find slice for $credential\n";
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "Internal Error");
    }
    if ($slice->Lock() != 0) {
	print STDERR "CreateSliver: Could not lock $slice before start\n";
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "Internal Error");
    }
429
    $aggregate = GeniAggregate->SliceAggregate($slice);
430 431 432 433 434
    if (!defined($aggregate)) {
	print STDERR "CreateSliver: Could not find aggregate for $slice\n";
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "Internal Error");
    }
435 436 437 438 439 440 441 442 443 444 445 446 447 448
    #
    # At this point we want to return and let the startsliver proceed
    # in the background
    #
    my $mypid = fork();
    if ($mypid) {
	# Let the child get going.
	sleep(1);
	return GeniResponse->Create(GENIRESPONSE_SUCCESS,
				    [$sliver_credential, $sliver_manifest]);
    }
    # This switches the file that we are writing to. 
    libaudit::AuditFork();
    
449 450 451 452
    # Make sure that the next phase sees all changes.
    Experiment->FlushAll();
    Node->FlushAll();

Leigh B. Stoller's avatar
Leigh B. Stoller committed
453
    if ($aggregate->Start($API_VERSION, 0) != 0) {
454
	$slice->UnLock();
455 456
	print STDERR "Could not start sliver\n";
	return -1;
457
    }
458
    $slice->UnLock();
459
    return 0;
460 461 462 463 464 465
}

#
# Delete a Sliver.
#
sub DeleteSliver($)
466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486
{
    my ($argref) = @_;
    my $sliver_urn   = $argref->{'sliver_urn'};
    my $credentials  = $argref->{'credentials'};
    my $impotent     = $argref->{'impotent'} || 0;

    if (! (defined($credentials) && defined($sliver_urn))) {
	return GeniResponse->MalformedArgsResponse("Missing arguments");
    }
    if (! GeniHRN::IsValid($sliver_urn)) {
	return GeniResponse->MalformedArgsResponse("Bad characters in URN");
    }
    my $credential = CheckCredentials($credentials);
    return $credential
	if (GeniResponse::IsResponse($credential));

    #
    # In this implementation, the user must provide a slice or sliver
    # credential
    #
    my ($slice, $aggregate) = Credential2SliceAggregate($credential);
487 488 489
    return $slice
	if (defined($slice) && GeniResponse::IsResponse($slice));
    
490 491 492 493 494 495 496 497 498 499 500 501 502 503
    if (! (defined($slice) && defined($aggregate))) {
	return GeniResponse->Create(GENIRESPONSE_SEARCHFAILED, undef,
				    "Sliver does not exist");
    }
    if ($sliver_urn ne $aggregate->urn()) {
	return GeniResponse->Create(GENIRESPONSE_FORBIDDEN(), undef,
				    "Credential does not match the URN");
    }

    #
    # We need this below to sign the ticket.
    #
    my $authority = GeniCertificate->LoadFromFile($EMULAB_PEMFILE);
    if (!defined($authority)) {
504
	print STDERR " Could not load $EMULAB_PEMFILE\n";
505 506 507 508 509 510
	return GeniResponse->Create(GENIRESPONSE_ERROR);
	
    }
    #
    # We need the user to sign the new ticket to. 
    #
511
    my $user = GeniCM::CreateUserFromCertificate($credential);
512 513
    return $user
	if (GeniResponse::IsResponse($user));
514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532
    
    my $response = GeniCM::DeleteSliverAux($credential, $impotent, 1);
    return $response
	if (GeniResponse::IsResponse($response));

    #
    # In the v2 API, return a new ticket for the resources
    # (which were not released). As with all tickets, it will
    # expire very quickly. 
    #
    #
    # Create a new ticket from the manifest.
    #
    my $manifest = $aggregate->GetManifest(0);
    if (!defined($manifest)) {
	print STDERR "No manifest found for $aggregate\n";
	$response = GeniResponse->Create(GENIRESPONSE_ERROR);
	goto bad;
    }
533 534
    my $ticket = GeniTicket->Create($authority, $user,
				    GeniXML::Serialize($manifest));
535 536 537 538 539
    if (!defined($ticket)) {
	print STDERR "Could not create new ticket for $slice\n";
	$response = GeniResponse->Create(GENIRESPONSE_ERROR);
	goto bad;
    }
540
    $ticket->SetSlice($slice);
541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570
    
    if ($ticket->Sign()) {
	$ticket->Delete();
	print STDERR "Could not sign new ticket $ticket\n";
	$response = GeniResponse->Create(GENIRESPONSE_ERROR);
	goto bad;
    }
    if ($ticket->Store()) {
	$ticket->Delete();
	print STDERR "Could not store new ticket $ticket\n";
	$response = GeniResponse->Create(GENIRESPONSE_ERROR);
	goto bad;
    }
    my $slice_uuid = $slice->uuid();
    DBQueryWarn("delete from geni_manifests ".
		"where slice_uuid='$slice_uuid'");
    $slice->UnLock();
    return GeniResponse->Create(GENIRESPONSE_SUCCESS, $ticket->asString());

  bad:
    if (GeniCM::CleanupDeadSlice($slice) != 0) {
	print STDERR "Could not cleanup slice\n";
    }
    return $response;
}

#
# Delete a Slice
#
sub DeleteSlice($)
571 572
{
    my ($argref) = @_;
573 574 575 576
    my $slice_urn    = $argref->{'slice_urn'};
    my $credentials  = $argref->{'credentials'};
    my $impotent     = $argref->{'impotent'} || 0;

577
    if (! (defined($credentials) && defined($slice_urn))) {
578 579
	return GeniResponse->MalformedArgsResponse("Missing arguments");
    }
580 581 582
    if (! GeniHRN::IsValid($slice_urn)) {
	return GeniResponse->MalformedArgsResponse("Bad characters in URN");
    }
583 584 585
    my $credential = CheckCredentials($credentials);
    return $credential
	if (GeniResponse::IsResponse($credential));
586

587 588 589 590
    #
    # In this implementation, the user must provide a slice credential.
    #
    my ($slice, $aggregate) = Credential2SliceAggregate($credential);
591 592 593
    return $slice
	if (defined($slice) && GeniResponse::IsResponse($slice));

594 595 596 597 598 599 600 601 602 603 604
    if (! defined($slice)) {
	return GeniResponse->Create(GENIRESPONSE_SEARCHFAILED, undef,
				    "No such slice here");
    }
    if ($slice_urn ne $slice->urn()) {
	return GeniResponse->Create(GENIRESPONSE_FORBIDDEN(), undef,
				    "Credential does not match the URN");
    }
    if ($slice->Lock() != 0) {
	return GeniResponse->BusyResponse();
    }
Leigh B. Stoller's avatar
Leigh B. Stoller committed
605
    if (GeniCM::CleanupDeadSlice($slice, 1) != 0) {
606 607 608 609
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "Could not cleanup slice");
    }
    return GeniResponse->Create(GENIRESPONSE_SUCCESS);
610 611 612 613 614 615 616 617
}

#
# Get a Sliver (credential)
#
sub GetSliver($)
{
    my ($argref) = @_;
618 619
    my $slice_urn    = $argref->{'slice_urn'};
    my $credentials  = $argref->{'credentials'};
620

621
    if (! (defined($credentials) && defined($slice_urn))) {
622 623
	return GeniResponse->MalformedArgsResponse("Missing arguments");
    }
624 625 626
    if (! GeniHRN::IsValid($slice_urn)) {
	return GeniResponse->MalformedArgsResponse("Bad characters in URN");
    }
627 628 629 630
    my $credential = CheckCredentials($credentials);
    return $credential
	if (GeniResponse::IsResponse($credential));

631 632 633 634
    #
    # In this implementation, the user must provide a slice credential.
    #
    my ($slice, $aggregate) = Credential2SliceAggregate($credential);
635 636 637
    return $slice
	if (defined($slice) && GeniResponse::IsResponse($slice));

638
    if (! (defined($slice) && defined($aggregate))) {
639
	return GeniResponse->Create(GENIRESPONSE_SEARCHFAILED, undef,
640 641 642 643 644 645
				    "No slice or aggregate here");
    }
    if ($slice_urn ne $slice->urn()) {
	return GeniResponse->Create(GENIRESPONSE_FORBIDDEN(), undef,
				    "Credential does not match the URN");
    }
646
    return GeniCM::GetSliverAux($credential);
647 648 649
}

#
650
# Start a sliver (not sure what this means yet, so reboot for now).
651
#
652
sub StartSliver($)
653 654
{
    my ($argref) = @_;
655
    my $slice_urn    = $argref->{'slice_urn'};
656
    my $sliver_urns  = $argref->{'sliver_urns'} || $argref->{'component_urns'};
657
    my $credentials  = $argref->{'credentials'};
658
    my $manifest     = $argref->{'manifest'};
Leigh B. Stoller's avatar
Leigh B. Stoller committed
659
    
660 661
    return SliverAction("start",
			$slice_urn, $sliver_urns, $credentials, $manifest);
Leigh B. Stoller's avatar
Leigh B. Stoller committed
662 663 664 665 666 667
}

sub StopSliver($)
{
    my ($argref) = @_;
    my $slice_urn    = $argref->{'slice_urn'};
668
    my $sliver_urns  = $argref->{'sliver_urns'} || $argref->{'component_urns'};
Leigh B. Stoller's avatar
Leigh B. Stoller committed
669 670
    my $credentials  = $argref->{'credentials'};

671 672
    return SliverAction("stop",
			$slice_urn, $sliver_urns, $credentials, undef);
Leigh B. Stoller's avatar
Leigh B. Stoller committed
673 674 675 676 677 678
}

sub RestartSliver($)
{
    my ($argref) = @_;
    my $slice_urn    = $argref->{'slice_urn'};
679
    my $sliver_urns  = $argref->{'sliver_urns'} || $argref->{'component_urns'};
Leigh B. Stoller's avatar
Leigh B. Stoller committed
680
    my $credentials  = $argref->{'credentials'};
681
    my $manifest     = $argref->{'manifest'};
Leigh B. Stoller's avatar
Leigh B. Stoller committed
682

683 684
    return SliverAction("restart",
			$slice_urn, $sliver_urns, $credentials, $manifest);
Leigh B. Stoller's avatar
Leigh B. Stoller committed
685
}
686

687
sub SliverAction($$$$$)
Leigh B. Stoller's avatar
Leigh B. Stoller committed
688
{
689
    my ($action, $slice_urn, $sliver_urns, $credentials, $manifest) = @_;
690
    my $response;
691
    my $isasync = 0;
692

693 694
    if (! (defined($credentials) &&
	   (defined($slice_urn) || defined($sliver_urns)))) {
695 696 697 698 699 700 701 702 703 704 705
	return GeniResponse->MalformedArgsResponse("Missing arguments");
    }
    my $credential = CheckCredentials($credentials);
    return $credential
	if (GeniResponse::IsResponse($credential));

    $credential->HasPrivilege( "pi" ) or
	$credential->HasPrivilege( "info" ) or
	return GeniResponse->Create(GENIRESPONSE_FORBIDDEN, undef,
				    "Insufficient privilege");

706 707 708 709 710 711 712 713 714
    if (defined($manifest)) {
	$manifest = GeniXML::Parse($manifest);
	if (!defined($manifest)) {
	    print STDERR "Error reading manifest\n";
	    return GeniResponse->Create(GENIRESPONSE_BADARGS, undef,
					"Bad manifest");
	}
    }
    
715 716 717
    #
    # For now, only allow top level aggregate or the slice
    #
718
    my ($slice, $aggregate) = Credential2SliceAggregate($credential);
719 720
    return $slice
	if (defined($slice) && GeniResponse::IsResponse($slice));
Srikanth's avatar
Srikanth committed
721

722 723 724 725 726
    if ( (!defined($slice)) && 
          ($credential->target_urn() =~ /\+authority\+cm$/)) {
          # administrative credentials are presented.
          my $cm_urn = GeniHRN::Generate($OURDOMAIN, "authority", "cm");
          if ($cm_urn != $credential->target_urn()) {
Srikanth's avatar
Srikanth committed
727
            return GeniResponse->Create(GENIRESPONSE_FORBIDDEN(), undef,
728 729 730 731
                      "Credential target does not match CM URN");
          }

      if (!defined($slice_urn)) {
Srikanth's avatar
Srikanth committed
732 733
          return GeniResponse->MalformedArgsResponse("Missing arguments");
      }       
734 735 736 737 738 739 740 741
      $slice = GeniSlice->Lookup($slice_urn);
      return GeniResponse->Create(GENIRESPONSE_ERROR, undef, 
                "No Slice with urn $slice_urn here")
          if (!defined($slice));
      $aggregate = GeniAggregate->SliceAggregate($slice);
      return GeniResponse->Create(GENIRESPONSE_ERROR, undef, 
                      "No Aggregate here")
          if (!defined($aggregate));
Srikanth's avatar
Srikanth committed
742
    } 
743

744 745 746 747 748 749
    if (! (defined($slice) && defined($aggregate))) {
	return GeniResponse->Create(GENIRESPONSE_BADARGS, undef,
				    "No slice or aggregate here");
    }
    if (defined($slice_urn)) {
	if (! GeniHRN::IsValid($slice_urn)) {
Leigh B. Stoller's avatar
Leigh B. Stoller committed
750 751
	    return
		GeniResponse->MalformedArgsResponse("Bad characters in URN");
752
	}
753 754 755
	if ($slice_urn ne $slice->urn()) {
	    return GeniResponse->Create(GENIRESPONSE_FORBIDDEN(), undef,
					"Credential does not match the URN");
756
	}
757 758 759 760 761 762 763 764 765 766 767 768 769 770 771 772 773 774
    }
    if ($slice->Lock() != 0) {
	return GeniResponse->BusyResponse();
    }
    # Shutdown slices get nothing.
    if ($slice->shutdown()) {
	$slice->UnLock();
	return GeniResponse->Create(GENIRESPONSE_FORBIDDEN, undef,
				    "Slice has been shutdown");
    }
    if ($aggregate->ComputeState()) {
	$slice->UnLock();
	print STDERR "Could not determine current state\n";
	return GeniResponse->Create(GENIRESPONSE_ERROR);
    }
    my $CheckState = sub {
	my ($object, $action) = @_;

Leigh B. Stoller's avatar
Leigh B. Stoller committed
775
	if ($action eq "start") {
776 777
	    if ($object->state() ne "stopped" && $object->state() ne "new"
		&& $object->state() ne "mixed") {
Leigh B. Stoller's avatar
Leigh B. Stoller committed
778 779 780 781 782
		return GeniResponse->Create(GENIRESPONSE_REFUSED, undef,
					    "Sliver is not stopped (yet)");
	    }
	}
	elsif ($action eq "stop") {
783
	    if ($object->state() ne "started" && $object->state() ne "mixed") {
Leigh B. Stoller's avatar
Leigh B. Stoller committed
784 785 786 787 788
		return GeniResponse->Create(GENIRESPONSE_REFUSED, undef,
					    "Sliver is not started (yet)");
	    }
	}
	elsif ($action eq "restart") {
789
	    if ($object->state() ne "started" && $object->state() ne "mixed") {
Leigh B. Stoller's avatar
Leigh B. Stoller committed
790 791 792
		return GeniResponse->Create(GENIRESPONSE_REFUSED, undef,
					    "Sliver is not started (yet)");
	    }
793 794 795 796 797 798
	}
	return 0;
    };
    my $PerformAction = sub {
	my ($object, $action) = @_;

799 800
	my $exitval = 0;

801
	if ($action eq "start") {
802
	    $exitval = $object->Start($API_VERSION, 0);
803
	}
804
	elsif ($action eq "stop") {
805
	    $exitval = $object->Stop($API_VERSION);
806 807
	}
	elsif ($action eq "restart") {
808
	    $exitval = $object->Start($API_VERSION, 1);
809
	}
810 811 812 813
	return GeniResponse->Create(GENIRESPONSE_ERROR, 
				    "Could not $action sliver")
	    if ($exitval);
	
814 815 816 817 818 819 820 821
	return 0;
    };

    if (defined($slice_urn)) {
	$response = &$CheckState($aggregate, $action);
	goto bad
	    if (GeniResponse::IsResponse($response));
	    
822 823 824
	if ($action eq "start" || $action eq "restart") {
	    if (defined($manifest) &&
		$aggregate->ProcessManifest($manifest)) {
825 826 827 828 829
		$response = GeniResponse->Create(GENIRESPONSE_ERROR,
						 undef,
						 "Error processing manifest");
		goto bad;
	    }
830 831 832 833 834 835 836 837 838 839 840 841 842 843
	    #
	    # At this point we want to return and let the startsliver proceed
	    # in the background
	    #
	    my $mypid = fork();
	    if ($mypid) {
		# Let the child get going.
		sleep(1);
		return GeniResponse->Create(GENIRESPONSE_SUCCESS);
	    }
	    $isasync = 1;
	    
	    # This switches the file that we are writing to. 
	    libaudit::AuditFork();
844
	}
845 846 847 848
	$response = &$PerformAction($aggregate, $action);
	goto bad
	    if (GeniResponse::IsResponse($response));

849
	$slice->UnLock();
850 851
	return ($isasync ? GENIRESPONSE_SUCCESS :
		GeniResponse->Create(GENIRESPONSE_SUCCESS));
852
    }
Leigh B. Stoller's avatar
Leigh B. Stoller committed
853
    else {
854
	my @slivers = ();
Leigh B. Stoller's avatar
Leigh B. Stoller committed
855

856 857 858 859 860
	#
	# Sanity check all arguments before doing anything.
	#
	foreach my $urn (@{ $sliver_urns }) {
	    my $sliver = GeniSliver->Lookup($urn);
Leigh B. Stoller's avatar
Leigh B. Stoller committed
861 862 863 864 865 866
	    if (!defined($sliver)) {
		$response = GeniResponse->Create(GENIRESPONSE_SEARCHFAILED,
						 undef,
						 "Nothing here by that name");
		goto bad;
	    }
867 868 869 870 871 872 873 874
	    
	    $response = &$CheckState($sliver, $action);
	    goto bad
		if (GeniResponse::IsResponse($response));

	    push(@slivers, $sliver);
	}
	foreach my $sliver (@slivers) {
875 876 877 878 879 880 881 882
	    if ($action eq "start" && defined($manifest)) {
		if ($sliver->ProcessManifest($manifest)) {
		    $response = GeniResponse->Create(GENIRESPONSE_ERROR,
				     undef,
				     "Error processing manifest for $sliver");
		    goto bad;
		}
	    }
883 884 885 886 887 888
	    $response = &$PerformAction($sliver, $action);
	    goto bad
		if (GeniResponse::IsResponse($response));
	}
	$slice->UnLock();
	return GeniResponse->Create(GENIRESPONSE_SUCCESS);
Leigh B. Stoller's avatar
Leigh B. Stoller committed
889
    }
890 891
  bad:
    $slice->UnLock();
892
    return ($isasync ? $response->code() : $response);
893 894 895 896 897 898 899 900 901 902 903 904 905 906 907 908 909 910 911 912 913 914 915 916 917 918 919 920 921 922
}

#
# Get sliver status
#
sub SliverStatus($)
{
    my ($argref) = @_;
    my $slice_urn    = $argref->{'slice_urn'};
    my $credentials  = $argref->{'credentials'};

    if (! (defined($credentials) && defined($slice_urn))) {
	return GeniResponse->MalformedArgsResponse("Missing arguments");
    }
    if (! GeniHRN::IsValid($slice_urn)) {
	return GeniResponse->MalformedArgsResponse("Bad characters in URN");
    }
    my $credential = CheckCredentials($credentials);
    return $credential
	if (GeniResponse::IsResponse($credential));

    $credential->HasPrivilege( "pi" ) or
	$credential->HasPrivilege( "info" ) or
	return GeniResponse->Create(GENIRESPONSE_FORBIDDEN, undef,
				    "Insufficient privilege");

    #
    # For now, only allow top level aggregate or the slice
    #
    my ($slice, $aggregate) = Credential2SliceAggregate($credential);
923 924 925
    return $slice
	if (defined($slice) && GeniResponse::IsResponse($slice));

926
    if (! (defined($slice) && defined($aggregate))) {
927
	return GeniResponse->Create(GENIRESPONSE_SEARCHFAILED, undef,
928 929 930 931 932
				    "No slice or aggregate here");
    }
    if ($slice_urn ne $slice->urn()) {
	return GeniResponse->Create(GENIRESPONSE_FORBIDDEN(), undef,
				    "Credential does not match the URN");
933 934 935 936
    }
    if ($slice->Lock() != 0) {
	return GeniResponse->BusyResponse();
    }
Leigh B. Stoller's avatar
Leigh B. Stoller committed
937 938 939 940 941
    if ($aggregate->ComputeState()) {
	print STDERR "SliverStatus: Could not compute state for $aggregate\n";
	$slice->UnLock();
	return GeniResponse->Create(GENIRESPONSE_ERROR);
    }
942 943 944 945 946 947 948 949 950 951 952

    #
    # Grab all the slivers for this slice, and then
    # look for just the nodes.
    #
    my @slivers    = ();
    if ($aggregate->SliverList(\@slivers) != 0) {
	print STDERR "SliverStatus: Could not get slivers for $aggregate\n";
	$slice->UnLock();
	return GeniResponse->Create(GENIRESPONSE_ERROR);
    }
Leigh B. Stoller's avatar
Leigh B. Stoller committed
953 954 955

    my $blob = {
	"state"   => $aggregate->state(),
Leigh B. Stoller's avatar
Leigh B. Stoller committed
956
	"status"  => $aggregate->status(),
957
	"error"   => $aggregate->ErrorLog(),
Leigh B. Stoller's avatar
Leigh B. Stoller committed
958 959
	"details" => {},
    };
960
    foreach my $sliver (@slivers) {
961 962 963 964 965 966 967 968
	if ($sliver->isa("GeniAggregate")) {
	    next
		if (! (ref($sliver) eq "GeniAggregate::Link" ||
		       ref($sliver) eq "GeniAggregate::Tunnel"));
	}
	elsif ($sliver->resource_type() ne "Node") {
	    next;
	}
969

970 971
	my $sliver_urn    = $sliver->sliver_urn();
	my $component_urn = $sliver->component_urn();
Leigh B. Stoller's avatar
Leigh B. Stoller committed
972 973 974
	my $state         = $sliver->state();
	my $status        = $sliver->status();
	my $error         = "";
975

976 977 978 979
	# New is the same as stopped. Separate state is handy.
	$state = "stopped"
	    if ($state eq "new");

Leigh B. Stoller's avatar
Leigh B. Stoller committed
980 981
	if ($status eq "failed") {
	    $error = $sliver->ErrorLog();
982
	}
983 984
	$blob->{'details'}->{$sliver_urn} = {
	    "component_urn" => $component_urn,
985 986 987 988 989 990 991
	    "state"  => $state,
	    "status" => $status,
	    "error"  => $error,
	};
    }
    $slice->UnLock();
    return GeniResponse->Create(GENIRESPONSE_SUCCESS, $blob);
992 993 994 995 996 997 998 999
}

#
# Shutdown sliver
#
sub Shutdown($)
{
    my ($argref) = @_;
1000 1001 1002
    my $slice_urn    = $argref->{'slice_urn'};
    my $clear        = $argref->{'clear'} || 0;
    my $credentials  = $argref->{'credentials'};
1003
    require libtestbed;
1004

1005
    if (! (defined($credentials) && defined($slice_urn))) {
1006 1007 1008 1009 1010
	return GeniResponse->MalformedArgsResponse("Missing arguments");
    }
    my $credential = CheckCredentials($credentials);
    return $credential
	if (GeniResponse::IsResponse($credential));
1011

1012 1013 1014 1015 1016 1017 1018 1019 1020 1021 1022 1023 1024 1025 1026 1027 1028 1029 1030 1031 1032 1033 1034 1035 1036 1037 1038 1039 1040 1041 1042 1043 1044 1045 1046 1047 1048 1049 1050 1051 1052 1053 1054 1055 1056 1057 1058 1059 1060 1061 1062
    $credential->HasPrivilege( "pi" ) or
	$credential->HasPrivilege( "instantiate" ) or
	$credential->HasPrivilege( "control" ) or
	return GeniResponse->Create( GENIRESPONSE_FORBIDDEN, undef,
				     "Insufficient privilege" );

    #
    # The clearinghouse generates a different credential to do this.
    #
    if ($slice_urn ne $credential->target_urn()) {
	my $certificate = GeniCertificate->LoadFromFile($GENICH_PEMFILE);
	if (!defined($certificate)) {
	    print STDERR "Could not load certificate from $GENICH_PEMFILE\n";
	    return GeniResponse->Create(GENIRESPONSE_ERROR);
	}

	# The caller has to match the clearinghouse.
	if ($credential->owner_urn() ne $certificate->urn()) {
	    return GeniResponse->Create(GENIRESPONSE_FORBIDDEN, undef,
					"Insufficient privilege");
	}
    }

    #
    # No slice here? Done.
    #
    my $slice = GeniSlice->Lookup($slice_urn);
    if (!defined($slice)) {
	return GeniResponse->Create(GENIRESPONSE_SUCCESS);
    }
    #
    # Do not worry about locking when setting the shutdown time.
    # This can lead to race though, if a clear shutdown comes in first.
    # Seems unlikely though. 
    #
    if (!$clear) {
	# Do not overwrite original shutdown time
	$slice->SetShutdown(1)
	    if (!defined($slice->shutdown()) || $slice->shutdown() eq "");
    }
    else {
	$slice->SetShutdown(0);
    }
    # Always make sure the slice is shutdown.
    if ($slice->shutdown()) {
	# The expire daemon is going to look for this, so it will get
	# taken care of shortly.
	if ($slice->Lock() != 0) {
	    return GeniResponse->BusyResponse();
	}
	if (GeniCM::CleanupDeadSlice($slice, 0) != 0) {
1063 1064
	    libtestbed::SENDMAIL($TBOPS, "Emergency Shutdown failed",
				 "Emergency shutdown failed on $slice\n");
1065 1066 1067 1068 1069 1070 1071
	    print STDERR "Could not shutdown $slice!\n";
	    # Lets call this a non-error since the local admin person
	    # is going to have to deal with it anyway. 
	}
	$slice->UnLock();
    }
    return GeniResponse->Create(GENIRESPONSE_SUCCESS);
1072 1073 1074
}

#
1075
# Renew a slice
1076
#
1077
sub RenewSlice($)
1078 1079
{
    my ($argref) = @_;
1080
    my $slice_urn    = $argref->{'slice_urn'};
1081
    my $valid_until  = $argref->{'valid_until'} || $argref->{'expiration'};