GeniCMV2.pm.in 103 KB
Newer Older
1
2
#!/usr/bin/perl -wT
#
3
# Copyright (c) 2008-2014 University of Utah and the Flux Group.
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
# 
# {{{GENIPUBLIC-LICENSE
# 
# GENI Public License
# 
# Permission is hereby granted, free of charge, to any person obtaining
# a copy of this software and/or hardware specification (the "Work") to
# deal in the Work without restriction, including without limitation the
# rights to use, copy, modify, merge, publish, distribute, sublicense,
# and/or sell copies of the Work, and to permit persons to whom the Work
# is furnished to do so, subject to the following conditions:
# 
# The above copyright notice and this permission notice shall be
# included in all copies or substantial portions of the Work.
# 
# THE WORK IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
# OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
# HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
# WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE WORK OR THE USE OR OTHER DEALINGS
# IN THE WORK.
# 
# }}}
29
30
31
32
33
34
35
36
37
38
39
#
package GeniCMV2;

#
# The server side of the CM interface on remote sites. Also communicates
# with the GMC interface at Geni Central as a client.
#
use strict;
use Exporter;
use vars qw(@ISA @EXPORT);

40
41
@ISA    = qw(Exporter);
@EXPORT = qw();
42
43
44
45
46
47
48

# Must come after package declaration!
use GeniDB;
use GeniResponse;
use GeniTicket;
use GeniCredential;
use GeniCertificate;
49
use GeniComponent;
50
51
52
53
use GeniSlice;
use GeniAggregate;
use GeniSliver;
use GeniUtil;
54
use GeniCM;
55
use GeniHRN;
56
use GeniXML;
57
use GeniStitch;
58
use GeniStd;
59
60
61
62
63
64
65
66
use emutil;
use English;
use Data::Dumper;
use XML::Simple;
use Date::Parse;
use POSIX qw(strftime tmpnam);
use Time::Local;
use Compress::Zlib;
67
use File::Temp qw(tempfile);
68
use MIME::Base64;
69
use Errno;
70
71
72
73
74
75
76
77
78

# Configure variables
my $TB		   = "@prefix@";
my $TBOPS          = "@TBOPSEMAIL@";
my $TBAPPROVAL     = "@TBAPPROVALEMAIL@";
my $TBAUDIT   	   = "@TBAUDITEMAIL@";
my $BOSSNODE       = "@BOSSNODE@";
my $OURDOMAIN      = "@OURDOMAIN@";
my $PGENIDOMAIN    = "@PROTOGENI_DOMAIN@";
79
my $ELABINELAB     = "@ELABINELAB@";
80
my $TBBASE         = "@TBBASE@";
81
my $TBDOCBASE      = "@TBDOCBASE@";
82
83
84
85
my $CREATEEXPT     = "$TB/bin/batchexp";
my $ENDEXPT        = "$TB/bin/endexp";
my $NALLOC	   = "$TB/bin/nalloc";
my $NFREE	   = "$TB/bin/nfree";
86
my $TEVC	   = "$TB/bin/tevc";
87
88
89
90
91
92
93
94
95
96
97
98
my $AVAIL	   = "$TB/sbin/avail";
my $PTOPGEN	   = "$TB/libexec/ptopgen";
my $TBSWAP	   = "$TB/bin/tbswap";
my $SWAPEXP	   = "$TB/bin/swapexp";
my $PLABSLICE	   = "$TB/sbin/plabslicewrapper";
my $NAMEDSETUP     = "$TB/sbin/named_setup";
my $VNODESETUP     = "$TB/sbin/vnode_setup";
my $GENTOPOFILE    = "$TB/libexec/gentopofile";
my $TARFILES_SETUP = "$TB/bin/tarfiles_setup";
my $MAPPER         = "$TB/bin/mapper";
my $VTOPGEN        = "$TB/bin/vtopgen";
my $SNMPIT         = "$TB/bin/snmpit";
99
100
my $CLONEIMAGE     = "$TB/sbin/clone_image";
my $CREATEIMAGE    = "$TB/bin/create_image";
101
my $DELETEIMAGE    = "$TB/sbin/delete_image";
102
103
my $WAP            = "$TB/sbin/withadminprivs";
my $SHAREVLAN      = "$TB/sbin/sharevlan";
104
my $XMLLINT	   = "/usr/local/bin/xmllint";
105
106
my $PRERENDER      = "$TB/libexec/vis/prerender";
my $EMULAB_PEMFILE = "@prefix@/etc/genicm.pem";
107
108
# Just one of these, at Utah.
my $GENICH_PEMFILE = "@prefix@/etc/genich.pem";
109
my $WITHPROVENANCE = @IMAGEPROVENANCE@;
110
my $API_VERSION    = 2;
111
112
113
114
115
116
117
118

#
# Tell the client what API revision we support.  The correspondence
# between revision numbers and API features is to be specified elsewhere.
# No credentials are required.
#
sub GetVersion()
{
119
120
    my @input_rspec_versions = ( "0.1", "0.2", "2", "3", "PG 0.1", "PG 0.2", "PG 2" );
    my @ad_rspec_versions = ( "0.1", "0.2", "2", "3", "PG 0.1", "PG 0.2", "PG 2" );
Gary Wong's avatar
Gary Wong committed
121
122
123
    my $blob = {
	"api" => $API_VERSION,
	"level" => 1,
124
	"input_rspec" => \@input_rspec_versions,
125
	"output_rspec" => "2",
126
	"ad_rspec" => \@ad_rspec_versions
Gary Wong's avatar
Gary Wong committed
127
    };
128
    return GeniResponse->Create(GENIRESPONSE_SUCCESS, $blob);
129
130
131
132
133
134
135
136
}

#
# Respond to a Resolve request. 
#
sub Resolve($)
{
    my ($argref) = @_;
137
138
    my $credentials = $argref->{'credentials'};
    my $urn         = $argref->{'urn'};
139
    my $admin       = 0;
140
    my $isauth	    = 0;
141

142
143
144
145
146
147
    if (! (defined($credentials) && defined($urn))) {
	return GeniResponse->MalformedArgsResponse("Missing arguments");
    }
    if (! GeniHRN::IsValid($urn)) {
	return GeniResponse->MalformedArgsResponse("Invalid URN");
    }
148
    my ($credential,$speaksfor) = GeniStd::CheckCredentials($credentials);
149
150
151
    return $credential
	if (GeniResponse::IsResponse($credential));

152
153
154
    my ($object, $type) = LookupURN($urn);
    return $object
	if (GeniResponse::IsResponse($object));
155
156
157
158

    #
    # This is a convenience for testing. If a local user and that
    # user is an admin person, then do whatever it says. This is
159
160
    # easier then trying to do this with credential privs. But,
    # watch for credentials from authorities instead of users.
161
    #
162
163
    my (undef,$callertype,$callerid) = GeniHRN::Parse($credential->owner_urn());
    if ($callertype eq "user") {
164
	my $user = GeniCM::CreateUserFromCertificate($credential);
165
166
	if (!GeniResponse::IsResponse($user) &&
	    $user->IsLocal() && $user->admin()) {
167
168
169
	    $admin = 1;
	}
    }
170
171
    elsif ($callertype eq "authority" &&
	   ($callerid eq "cm" || $callerid eq "sa")) {
172
	$isauth = 1;
173
    }
174
175
    
    if ($type eq "node") {
176
	my $node  = $object;
177
178
179
180
181
	# Not sure about this, but I do know that Resolving a virtnode
	# is not useful right now. 
	if ($node->isvirtnode()) {
	    $node = Node->Lookup($node->phys_nodeid());
	}
182
	my $rspec = GeniCM::GetAdvertisement(0, $node->node_id(), "0.1", undef);
183
	if (! defined($rspec)) {
184
	    print STDERR "Could not get advertisement for $node!\n";
185
	    return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
186
					"Error getting advertisement");
187
	}
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
	my $me = GeniAuthority->Lookup($ENV{'MYURN'});
	if (!defined($me)) {
	    print STDERR
		"Could not find local authority object for $ENV{'MYURN'}\n";
	    return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
					"Error getting advertisement");
	}
	my $myurn = GeniHRN::Generate($OURDOMAIN, "node", $node->node_id());
	my $myhrn = "${PGENIDOMAIN}." . $node->node_id();

	#
	# See if the component object exists; if not create it.
	#
	my $component = GeniComponent->Lookup($node->uuid());
	if (!defined($component)) {
	    my $certificate = GeniCertificate->Lookup($node->uuid());
	    if (!defined($certificate)) {
		$certificate =
		    GeniCertificate->Create({'urn'  => $myurn,
					     'hrn'  => $myhrn,
					     'email'=> $TBOPS,
					     'uuid' => $node->uuid(),
					     'url'  => $me->url()});
		if (!defined($certificate)) {
		    print STDERR "Could not generate certificate for $node\n";
		    return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
					    "Error getting advertisement");
		}
	    }
	    $component = GeniComponent->Create($certificate, $me);
	    if (!defined($component)) {
		print STDERR "Could not create component for $node\n";
		return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
					    "Error getting advertisement");
	    }
	}
224
	# Return a blob.
225
	my $blob = { "hrn"          => $myhrn,
226
227
		     "uuid"         => $node->uuid(),
		     "role"	    => $node->role(),
228
229
		     "hostname"     =>
			 GeniUtil::FindHostname($node->node_id()),
230
231
		     "physctrl"     => 
			 Interface->LookupControl($node->phys_nodeid())->IP(),
232
233
234
235
		     "urn"          => $myurn,
		     "rspec"        => $rspec,
		     "url"          => $me->url(),
		     "gid"          => $component->cert(),
236
237
238
239
		   };

	return GeniResponse->Create(GENIRESPONSE_SUCCESS, $blob);
    }
Leigh B. Stoller's avatar
Leigh B. Stoller committed
240
    if ($type eq "slice") {
241
242
	my $slice = $object;

Leigh B. Stoller's avatar
Leigh B. Stoller committed
243
244
245
246
	#
	# In this implementation, the caller must hold a valid slice
	# credential for the slice being looked up. 
	#
247
248
	if (! ($isauth || $admin ||
	       $slice->urn() eq $credential->target_urn())) {
249
250
	    return GeniResponse->Create(GENIRESPONSE_FORBIDDEN(), undef,
					"No permission to resolve $slice\n");
Leigh B. Stoller's avatar
Leigh B. Stoller committed
251
252
253
254
255
256
	}
	# Return a blob.
	my $blob = { "urn"          => $urn };

	my $aggregate = GeniAggregate->SliceAggregate($slice);
	if (defined($aggregate)) {
257
	    $blob->{'sliver_urn'} = $aggregate->urn();
258
259
260
261
	    my $manifest = $aggregate->GetManifest(1);
	    if (defined($manifest)) {
		$blob->{'manifest'}   = $manifest;
	    }
262
263
264
265
266
267
268
269
270
271
272
	    # For key bindings.
	    my $slice_experiment = $slice->GetExperiment();
	    if (!defined($slice_experiment)) {
		print STDERR "*** No Experiment for $slice\n";
	    }
	    else {
		my $bindings;
		if ($slice_experiment->NonLocalUsers(\$bindings)) {
		    print STDERR "*** No bindings for $slice_experiment\n";
		}
		elsif (@{ $bindings }) {
273
		    $blob->{'users'} = $bindings;
274
275
		}
	    }
276
277
278
	    $blob->{'public_url'} =
		"$TBDOCBASE/showslicepub.php?publicid=" . $slice->publicid()
		if (defined($slice->publicid()));
Leigh B. Stoller's avatar
Leigh B. Stoller committed
279
280
281
	}
	my $ticket = GeniTicket->SliceTicket($slice);
	if (defined($ticket)) {
282
	    $blob->{'ticket_urn'} = $ticket->urn();
Leigh B. Stoller's avatar
Leigh B. Stoller committed
283
284
285
286
	}
	return GeniResponse->Create(GENIRESPONSE_SUCCESS, $blob);
    }
    if ($type eq "sliver") {
287
	my $sliver = $object;
288
289
290
	my $slice  = $sliver->GetSlice();
	return GeniResponse->Create(GENIRESPONSE_ERROR)
	    if (!defined($slice));
291

Leigh B. Stoller's avatar
Leigh B. Stoller committed
292
293
294
295
	#
	# In this implementation, the caller must hold a valid slice
	# or sliver credential for the slice being looked up. 
	#
296
	if (! ($admin || $isauth ||
297
	       $sliver->urn() eq $credential->target_urn() ||
298
299
300
301
302
	       $slice->urn() eq $credential->target_urn())) {
	    print STDERR $sliver->urn() . "\n";
	    print STDERR $slice->urn() . "\n";
	    print STDERR $credential->target_urn() . "\n";
	    print STDERR $ENV{'MYURN'} . "\n";
Leigh B. Stoller's avatar
Leigh B. Stoller committed
303
304
	    return GeniResponse->Create(GENIRESPONSE_FORBIDDEN);
	}
305
306
	my $manifest = $sliver->GetManifest(1);
	if (!defined($manifest)) {
Leigh B. Stoller's avatar
Leigh B. Stoller committed
307
308
309
310
311
312
	    return GeniResponse->Create(GENIRESPONSE_ERROR);
	}
	# Return a blob.
	my $blob = { "urn"          => $urn,
		     "manifest"     => $manifest,
		 };
313
314
315
316
	$blob->{'public_url'} =
	    "$TBDOCBASE/showslicepub.php?publicid=" . $slice->publicid()
	    if (defined($slice->publicid()));
	
317
318
319
320
321
322
323
324
325
326
327
	# For key bindings.
	my $slice_experiment = $slice->GetExperiment();
	if (!defined($slice_experiment)) {
	    print STDERR "*** No Experiment for $slice\n";
	}
	else {
	    my $bindings;
	    if ($slice_experiment->NonLocalUsers(\$bindings)) {
		print STDERR "*** No bindings for $slice_experiment\n";
	    }
	    elsif (@{ $bindings }) {
328
		$blob->{'users'} = $bindings;
329
330
	    }
	}
Leigh B. Stoller's avatar
Leigh B. Stoller committed
331
332
333
	return GeniResponse->Create(GENIRESPONSE_SUCCESS, $blob);
    }
    if ($type eq "ticket") {
334
335
	my $ticket = $object;

Leigh B. Stoller's avatar
Leigh B. Stoller committed
336
337
338
339
	#
	# In this implementation, the caller must hold a valid slice
	# or sliver credential to get the ticket.
	#
340
	my $slice = GeniSlice->Lookup($ticket->slice_urn());
Leigh B. Stoller's avatar
Leigh B. Stoller committed
341
342
343
344
	if (!defined($slice)) {
	    print STDERR "Could not find slice for $ticket\n";
	    return GeniResponse->Create(GENIRESPONSE_ERROR);
	}
345
	if (! ($admin || $slice->urn() eq $credential->target_urn())) {
Leigh B. Stoller's avatar
Leigh B. Stoller committed
346
347
348
349
350
	    #
	    # See if its the sliver credential. 
	    #
	    my $aggregate = GeniAggregate->SliceAggregate($slice);
	    if (!defined($aggregate) ||
351
		$aggregate->urn() ne $credential->target_urn()) {
Leigh B. Stoller's avatar
Leigh B. Stoller committed
352
353
354
355
356
		return GeniResponse->Create(GENIRESPONSE_FORBIDDEN());
	    }
	}
	return GeniResponse->Create(GENIRESPONSE_SUCCESS, $ticket->asString());
    }
357
358
    return GeniResponse->Create(GENIRESPONSE_UNSUPPORTED, undef,
				"Cannot resolve $type at this authority");
359
360
361
362
363
364
365
366
}

#
# Discover resources on this component, returning a resource availablity spec
#
sub DiscoverResources($)
{
    my ($argref) = @_;
367
368
369
    my $credentials = $argref->{'credentials'};
    my $available   = $argref->{'available'} || 0;
    my $compress    = $argref->{'compress'} || 0;
370
    my $version     = $argref->{'rspec_version'} || undef;
371
372
373
374

    if (! (defined($credentials))) {
	return GeniResponse->MalformedArgsResponse("Missing arguments");
    }
375
    my ($credential,$speaksfor,@morecreds) = GeniStd::CheckCredentials($credentials);
376
377
    return $credential
	if (GeniResponse::IsResponse($credential));
378

379
    return GeniCM::DiscoverResourcesAux($available, $compress,
380
        $version, [$credential, @morecreds]);
381
382
383
384
385
386
387
388
}

#
# Create a Sliver.
#
sub CreateSliver($)
{
    my ($argref) = @_;
389
390
391
392
393
    my $slice_urn    = $argref->{'slice_urn'};
    my $rspecstr     = $argref->{'rspec'};
    my $credentials  = $argref->{'credentials'};
    my $keys         = $argref->{'keys'};
    my $impotent     = $argref->{'impotent'} || 0;
394
395
    require Node;
    require Experiment;
396
397
    require libtestbed;
    require libaudit;
398

399
    # For now, I am not worrying about the slice_urn argument.
400
401
    if (! (defined($credentials) &&
	   defined($slice_urn) && defined($rspecstr))) {
402
403
	return GeniResponse->MalformedArgsResponse("Missing arguments");
    }
404
405
406
407
408
409
    if (! ($rspecstr =~ /^[\040-\176\012\015\011]+$/)) {
	return GeniResponse->MalformedArgsResponse("Bad characters in rspec");
    }
    if (! GeniHRN::IsValid($slice_urn)) {
	return GeniResponse->MalformedArgsResponse("Bad characters in URN");
    }
410
    my ($credential,$speaksfor) = GeniStd::CheckCredentials($credentials);
411
412
    return $credential
	if (GeniResponse::IsResponse($credential));
413

414
415
    main::AddLogfileMetaData("slice_urn", $slice_urn);
    
416
417
418
419
420
421
422
    #
    # In this implementation, the user must provide a slice credential,
    # so we ignore the slice_urn. For CreateSliver(), the slice must not
    # be instantiated.
    #
    my ($slice,$aggregate) = Credential2SliceAggregate($credential);
    if (defined($slice)) {
423
424
425
	return $slice
	    if (GeniResponse::IsResponse($slice));

426
427
428
429
	if ($slice_urn ne $slice->urn()) {
	    return GeniResponse->Create(GENIRESPONSE_FORBIDDEN(), undef,
					"Credential does not match the URN");
	}
430
	main::AddLogfileMetaDataFromSlice($slice);
431
	
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
	#
	# Watch for a placeholder slice and update it.
	#
	if ($slice->isplaceholder()) {
	    if ($slice->Lock() != 0) {
		return GeniResponse->BusyResponse();
	    }
	    #
	    # Confirm that the slice certificate is the same.
	    #
	    if ($slice->cert() ne $credential->target_cert()->cert()) {
		$slice->UnLock();
		return GeniResponse->Create(GENIRESPONSE_FORBIDDEN, undef,
					    "Slice certificate mismatch");
	    }
	    my $user =
448
		GeniCM::CreateUserFromCertificate($credential);
449
	    if (GeniResponse::IsResponse($user)) {	    
450
		$slice->UnLock();
451
		return $user;
452
453
454
455
456
457
458
459
	    }
	    if ($slice->ConvertPlaceholder($user) != 0) {
		$slice->UnLock();
		return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
					    "Could not convert placeholder");
	    }
	    $slice->UnLock();
	}
460
461
462
463
464
	if (defined($aggregate)) {
	    return GeniResponse->Create(GENIRESPONSE_REFUSED, undef,
					"Must delete existing slice first");
	}
    }
465
466
    my $rspec = GeniCM::GetTicketAux($credential, $rspecstr,
				     0, $impotent, 1, 0, undef, $speaksfor);
467
468
469
    return $rspec
	if (GeniResponse::IsResponse($rspec));

Leigh B Stoller's avatar
Leigh B Stoller committed
470
    $slice = GeniSlice->Lookup($credential->target_urn());
471
472
473
474
    if (!defined($slice)) {
	print STDERR "CreateSliver: Could not find slice for $credential\n";
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,"Internal Error");
    }
475
    main::AddLogfileMetaDataFromSlice($slice);
476

477
478
479
480
    # Make sure that the next phase sees all changes.
    Experiment->FlushAll();
    Node->FlushAll();

481
482
    my $response = GeniCM::SliverWorkAux($credential, $rspec,
					 $keys, 0, $impotent, 1, 0, $speaksfor);
483

484
485
486
487
488
489
490
    if (GeniResponse::IsError($response)) {
	#
	# We have to make sure there is nothing left over since there
	# is no actual ticket, so the resources will not get cleaned
	# up by the daemon. This is mostly cause I am reaching into
	# the V1 code, and its messy.
	#
491
	$slice = GeniSlice->Lookup($credential->target_urn());
492
	if (defined($slice)) {
493
494
495
496
497
	    if ($slice->Lock() != 0) {
		print STDERR
		    "CreateSliver: Could not lock $slice before delete\n";
		return $response;
	    }
498
499
	    GeniCM::CleanupDeadSlice($slice, 1);
	}
500
	return $response;
501
    }
502
    my ($sliver_credential) = @{ $response->{'value'} };
503

504
505
506
    #
    # Leave the slice intact on error, so we can go look at it. 
    #
507
    if ($slice->WaitForLock(30) != 0) {
508
509
510
511
	print STDERR "CreateSliver: Could not lock $slice before start\n";
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "Internal Error");
    }
512
    $aggregate = GeniAggregate->SliceAggregate($slice);
513
514
515
516
517
    if (!defined($aggregate)) {
	print STDERR "CreateSliver: Could not find aggregate for $slice\n";
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "Internal Error");
    }
518
519
520
    # We get the manifest from the aggregate object, so that the
    # expiration goes in.
    my $sliver_manifest = $aggregate->GetManifest(1);
521

522
523
    #
    # At this point we want to return and let the startsliver proceed
524
    # in the background. Parent never returns, just the child.
525
    #
526
    my $mypid = main::WrapperFork();
527
528
529
530
    if ($mypid) {
	return GeniResponse->Create(GENIRESPONSE_SUCCESS,
				    [$sliver_credential, $sliver_manifest]);
    }
531

532
533
534
535
    # Make sure that the next phase sees all changes.
    Experiment->FlushAll();
    Node->FlushAll();

536
537
538
539
540
541
542
    #
    # The callee might also do a wrapper fork, so remember our PID
    # to make sure we unlock properly in only the parent side of the
    # fork. Child runs with slice unlocked for now. 
    #
    $mypid = $PID;
    
543
    if ($aggregate->Start($API_VERSION) != 0) {
544
545
546
547
548
549
550
	if ($PID == $mypid) {
	    $slice->UnLock();
	    print STDERR "Could not start sliver.\n";
	}
	else {
	    print STDERR "Error waiting for nodes.\n";
	}
551
	return -1;
552
    }
553
554
555
    if ($PID == $mypid) {
	$slice->UnLock();
    }
556
    return 0;
557
558
559
560
561
562
}

#
# Delete a Sliver.
#
sub DeleteSliver($)
563
564
565
566
567
568
569
570
571
572
573
574
{
    my ($argref) = @_;
    my $sliver_urn   = $argref->{'sliver_urn'};
    my $credentials  = $argref->{'credentials'};
    my $impotent     = $argref->{'impotent'} || 0;

    if (! (defined($credentials) && defined($sliver_urn))) {
	return GeniResponse->MalformedArgsResponse("Missing arguments");
    }
    if (! GeniHRN::IsValid($sliver_urn)) {
	return GeniResponse->MalformedArgsResponse("Bad characters in URN");
    }
575
    my ($credential,$speaksfor) = GeniStd::CheckCredentials($credentials);
576
577
578
579
580
581
582
583
    return $credential
	if (GeniResponse::IsResponse($credential));

    #
    # In this implementation, the user must provide a slice or sliver
    # credential
    #
    my ($slice, $aggregate) = Credential2SliceAggregate($credential);
584
585
586
    return $slice
	if (defined($slice) && GeniResponse::IsResponse($slice));
    
587
588
589
590
591
592
593
594
595
    if (! (defined($slice) && defined($aggregate))) {
	return GeniResponse->Create(GENIRESPONSE_SEARCHFAILED, undef,
				    "Sliver does not exist");
    }
    if ($sliver_urn ne $aggregate->urn()) {
	return GeniResponse->Create(GENIRESPONSE_FORBIDDEN(), undef,
				    "Credential does not match the URN");
    }

596
597
598
599
    # If a monitor process is running, we are "busy".
    if ($slice->monitor_pid()) {
	return GeniResponse->MonitorResponse();
    }
600
601
602
603
604
605
606
607
    if ($slice->Lock() != 0) {
	return GeniResponse->BusyResponse();
    }
    # If any slivers are imaging, then we are busy as well.
    if ($aggregate->CheckSliverStates("imaging")) {
	$slice->UnLock();
	return GeniResponse->BusyResponse();
    }
608
609
610
611
    
    main::AddLogfileMetaData("sliver_urn", $sliver_urn);
    main::AddLogfileMetaDataFromSlice($slice);
    
612
613
614
615
616
    #
    # We need this below to sign the ticket.
    #
    my $authority = GeniCertificate->LoadFromFile($EMULAB_PEMFILE);
    if (!defined($authority)) {
617
	print STDERR " Could not load $EMULAB_PEMFILE\n";
618
619
620
621
622
623
	return GeniResponse->Create(GENIRESPONSE_ERROR);
	
    }
    #
    # We need the user to sign the new ticket to. 
    #
624
    my $user = GeniCM::CreateUserFromCertificate($credential);
625
626
    return $user
	if (GeniResponse::IsResponse($user));
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
    
    my $response = GeniCM::DeleteSliverAux($credential, $impotent, 1);
    return $response
	if (GeniResponse::IsResponse($response));

    #
    # In the v2 API, return a new ticket for the resources
    # (which were not released). As with all tickets, it will
    # expire very quickly. 
    #
    #
    # Create a new ticket from the manifest.
    #
    my $manifest = $aggregate->GetManifest(0);
    if (!defined($manifest)) {
	print STDERR "No manifest found for $aggregate\n";
	$response = GeniResponse->Create(GENIRESPONSE_ERROR);
	goto bad;
    }
646
647
    my $ticket = GeniTicket->Create($authority, $user,
				    GeniXML::Serialize($manifest));
648
649
650
651
652
    if (!defined($ticket)) {
	print STDERR "Could not create new ticket for $slice\n";
	$response = GeniResponse->Create(GENIRESPONSE_ERROR);
	goto bad;
    }
653
    $ticket->SetSlice($slice);
654
655
    $ticket->SetSpeaksFor($speaksfor)
	if (defined($speaksfor));
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
    
    if ($ticket->Sign()) {
	$ticket->Delete();
	print STDERR "Could not sign new ticket $ticket\n";
	$response = GeniResponse->Create(GENIRESPONSE_ERROR);
	goto bad;
    }
    if ($ticket->Store()) {
	$ticket->Delete();
	print STDERR "Could not store new ticket $ticket\n";
	$response = GeniResponse->Create(GENIRESPONSE_ERROR);
	goto bad;
    }
    my $slice_uuid = $slice->uuid();
    DBQueryWarn("delete from geni_manifests ".
		"where slice_uuid='$slice_uuid'");
    $slice->UnLock();
    return GeniResponse->Create(GENIRESPONSE_SUCCESS, $ticket->asString());

  bad:
    if (GeniCM::CleanupDeadSlice($slice) != 0) {
	print STDERR "Could not cleanup slice\n";
    }
    return $response;
}

#
# Delete a Slice
#
sub DeleteSlice($)
686
687
{
    my ($argref) = @_;
688
689
690
691
    my $slice_urn    = $argref->{'slice_urn'};
    my $credentials  = $argref->{'credentials'};
    my $impotent     = $argref->{'impotent'} || 0;

692
    if (! (defined($credentials) && defined($slice_urn))) {
693
694
	return GeniResponse->MalformedArgsResponse("Missing arguments");
    }
695
696
697
    if (! GeniHRN::IsValid($slice_urn)) {
	return GeniResponse->MalformedArgsResponse("Bad characters in URN");
    }
698
    my ($credential,$speaksfor) = GeniStd::CheckCredentials($credentials);
699
700
    return $credential
	if (GeniResponse::IsResponse($credential));
701

702
703
704
705
    #
    # In this implementation, the user must provide a slice credential.
    #
    my ($slice, $aggregate) = Credential2SliceAggregate($credential);
706
707
708
    return $slice
	if (defined($slice) && GeniResponse::IsResponse($slice));

709
710
711
712
    if (! defined($slice)) {
	return GeniResponse->Create(GENIRESPONSE_SEARCHFAILED, undef,
				    "No such slice here");
    }
713
    main::AddLogfileMetaDataFromSlice($slice);
714
    
715
716
717
718
719
720
721
    if ($slice_urn ne $slice->urn()) {
	return GeniResponse->Create(GENIRESPONSE_FORBIDDEN(), undef,
				    "Credential does not match the URN");
    }
    if ($slice->Lock() != 0) {
	return GeniResponse->BusyResponse();
    }
722
723

    #
724
725
726
727
728
729
730
731
    # If a monitor process is running, then the slice is busy.
    # This might mean that the user will not be able to delete
    # the slice for a long time, but we are having problems with
    # users canceling slices before they finish setting up, and
    # the XEN client side is not handling this very well. Note that
    # the cleanupslice script calls GeniCM::CleanupDeadSlice()
    # directly, which *does* kill the monitor, so admin cleanup
    # is not affected.
732
733
    #
    if ($slice->monitor_pid()) {
734
735
	$slice->UnLock();
	return GeniResponse->MonitorResponse();
736
    }
737
    # If any slivers are imaging, then we are busy as well.
Leigh B Stoller's avatar
Leigh B Stoller committed
738
739
    if (defined($aggregate) &&
	$aggregate->CheckSliverStates("imaging")) {
740
741
742
	$slice->UnLock();
	return GeniResponse->BusyResponse();
    }
743
    
Leigh B. Stoller's avatar
Leigh B. Stoller committed
744
    if (GeniCM::CleanupDeadSlice($slice, 1) != 0) {
745
746
747
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "Could not cleanup slice");
    }
748
  done:
749
    return GeniResponse->Create(GENIRESPONSE_SUCCESS);
750
751
752
753
754
755
756
757
}

#
# Get a Sliver (credential)
#
sub GetSliver($)
{
    my ($argref) = @_;
758
759
    my $slice_urn    = $argref->{'slice_urn'};
    my $credentials  = $argref->{'credentials'};
760

761
    if (! (defined($credentials) && defined($slice_urn))) {
762
763
	return GeniResponse->MalformedArgsResponse("Missing arguments");
    }
764
765
766
    if (! GeniHRN::IsValid($slice_urn)) {
	return GeniResponse->MalformedArgsResponse("Bad characters in URN");
    }
767
    my ($credential,$speaksfor) = GeniStd::CheckCredentials($credentials);
768
769
770
    return $credential
	if (GeniResponse::IsResponse($credential));

771
772
773
774
    #
    # In this implementation, the user must provide a slice credential.
    #
    my ($slice, $aggregate) = Credential2SliceAggregate($credential);
775
776
777
    return $slice
	if (defined($slice) && GeniResponse::IsResponse($slice));

778
    if (! (defined($slice) && defined($aggregate))) {
779
	return GeniResponse->Create(GENIRESPONSE_SEARCHFAILED, undef,
780
781
782
783
784
785
				    "No slice or aggregate here");
    }
    if ($slice_urn ne $slice->urn()) {
	return GeniResponse->Create(GENIRESPONSE_FORBIDDEN(), undef,
				    "Credential does not match the URN");
    }
786
    return GeniCM::GetSliverAux($credential);
787
788
789
}

#
790
# Start a sliver (not sure what this means yet, so reboot for now).
791
#
792
sub StartSliver($)
793
794
{
    my ($argref) = @_;
795
    my $slice_urn    = $argref->{'slice_urn'};
796
    my $sliver_urns  = $argref->{'sliver_urns'} || $argref->{'component_urns'};
797
    my $credentials  = $argref->{'credentials'};
798
    my $manifest     = $argref->{'manifest'};
Leigh B. Stoller's avatar
Leigh B. Stoller committed
799
    
800
801
    return SliverAction("start",
			$slice_urn, $sliver_urns, $credentials, $manifest);
Leigh B. Stoller's avatar
Leigh B. Stoller committed
802
803
804
805
806
807
}

sub StopSliver($)
{
    my ($argref) = @_;
    my $slice_urn    = $argref->{'slice_urn'};
808
    my $sliver_urns  = $argref->{'sliver_urns'} || $argref->{'component_urns'};
Leigh B. Stoller's avatar
Leigh B. Stoller committed
809
810
    my $credentials  = $argref->{'credentials'};

811
812
    return SliverAction("stop",
			$slice_urn, $sliver_urns, $credentials, undef);
Leigh B. Stoller's avatar
Leigh B. Stoller committed
813
814
815
816
817
818
}

sub RestartSliver($)
{
    my ($argref) = @_;
    my $slice_urn    = $argref->{'slice_urn'};
819
    my $sliver_urns  = $argref->{'sliver_urns'} || $argref->{'component_urns'};
Leigh B. Stoller's avatar
Leigh B. Stoller committed
820
    my $credentials  = $argref->{'credentials'};
821
    my $manifest     = $argref->{'manifest'};
Leigh B. Stoller's avatar
Leigh B. Stoller committed
822

823
824
    return SliverAction("restart",
			$slice_urn, $sliver_urns, $credentials, $manifest);
Leigh B. Stoller's avatar
Leigh B. Stoller committed
825
}
826

827
828
829
830
831
832
833
834
835
836
837
sub ReloadSliver($)
{
    my ($argref) = @_;
    my $slice_urn    = $argref->{'slice_urn'};
    my $sliver_urns  = $argref->{'sliver_urns'} || $argref->{'component_urns'};
    my $credentials  = $argref->{'credentials'};

    return SliverAction("reload",
			$slice_urn, $sliver_urns, $credentials, undef);
}

838
sub SliverAction($$$$$)
Leigh B. Stoller's avatar
Leigh B. Stoller committed
839
{
840
    my ($action, $slice_urn, $sliver_urns, $credentials, $manifest) = @_;
841
    my $response;
842
    my $isasync = 0;
843

844
845
    if (! (defined($credentials) &&
	   (defined($slice_urn) || defined($sliver_urns)))) {
846
847
	return GeniResponse->MalformedArgsResponse("Missing arguments");
    }
848
    my ($credential,$speaksfor) = GeniStd::CheckCredentials($credentials);
849
850
851
852
853
854
855
856
    return $credential
	if (GeniResponse::IsResponse($credential));

    $credential->HasPrivilege( "pi" ) or
	$credential->HasPrivilege( "info" ) or
	return GeniResponse->Create(GENIRESPONSE_FORBIDDEN, undef,
				    "Insufficient privilege");

857
858
859
860
861
862
863
864
865
    if (defined($manifest)) {
	$manifest = GeniXML::Parse($manifest);
	if (!defined($manifest)) {
	    print STDERR "Error reading manifest\n";
	    return GeniResponse->Create(GENIRESPONSE_BADARGS, undef,
					"Bad manifest");
	}
    }
    
866
867
868
    #
    # For now, only allow top level aggregate or the slice
    #
869
    my ($slice, $aggregate) = Credential2SliceAggregate($credential);
870
871
    return $slice
	if (defined($slice) && GeniResponse::IsResponse($slice));
Srikanth's avatar
Srikanth committed
872

873
874
875
876
    #
    # I think this allows the CM to perform an action without
    # the slice credential?
    #
877
878
879
880
881
    if ( (!defined($slice)) && 
          ($credential->target_urn() =~ /\+authority\+cm$/)) {
          # administrative credentials are presented.
          my $cm_urn = GeniHRN::Generate($OURDOMAIN, "authority", "cm");
          if ($cm_urn != $credential->target_urn()) {
Srikanth's avatar
Srikanth committed
882
            return GeniResponse->Create(GENIRESPONSE_FORBIDDEN(), undef,
883
884
885
886
                      "Credential target does not match CM URN");
          }

      if (!defined($slice_urn)) {
Srikanth's avatar
Srikanth committed
887
888
          return GeniResponse->MalformedArgsResponse("Missing arguments");
      }       
889
890
891
892
893
894
895
896
      $slice = GeniSlice->Lookup($slice_urn);
      return GeniResponse->Create(GENIRESPONSE_ERROR, undef, 
                "No Slice with urn $slice_urn here")
          if (!defined($slice));
      $aggregate = GeniAggregate->SliceAggregate($slice);
      return GeniResponse->Create(GENIRESPONSE_ERROR, undef, 
                      "No Aggregate here")
          if (!defined($aggregate));
Srikanth's avatar
Srikanth committed
897
    } 
898

899
900
901
902
    if (! (defined($slice) && defined($aggregate))) {
	return GeniResponse->Create(GENIRESPONSE_BADARGS, undef,
				    "No slice or aggregate here");
    }
903
904
905
906
907
908
909
    main::AddLogfileMetaDataFromSlice($slice);

    # If a monitor process is running, we are "busy".
    if ($slice->monitor_pid()) {
	return GeniResponse->MonitorResponse();
    }
    
910
911
    if (defined($slice_urn)) {
	if (! GeniHRN::IsValid($slice_urn)) {
Leigh B. Stoller's avatar
Leigh B. Stoller committed
912
913
	    return
		GeniResponse->MalformedArgsResponse("Bad characters in URN");
914
	}
915
916
917
	if ($slice_urn ne $slice->urn()) {
	    return GeniResponse->Create(GENIRESPONSE_FORBIDDEN(), undef,
					"Credential does not match the URN");
918
	}
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
    }
    if ($slice->Lock() != 0) {
	return GeniResponse->BusyResponse();
    }
    # Shutdown slices get nothing.
    if ($slice->shutdown()) {
	$slice->UnLock();
	return GeniResponse->Create(GENIRESPONSE_FORBIDDEN, undef,
				    "Slice has been shutdown");
    }
    if ($aggregate->ComputeState()) {
	$slice->UnLock();
	print STDERR "Could not determine current state\n";
	return GeniResponse->Create(GENIRESPONSE_ERROR);
    }
    my $CheckState = sub {
	my ($object, $action) = @_;

Leigh B. Stoller's avatar
Leigh B. Stoller committed
937
	if ($action eq "start") {
938
939
	    if ($object->state() ne "stopped" && $object->state() ne "new"
		&& $object->state() ne "mixed") {
Leigh B. Stoller's avatar
Leigh B. Stoller committed
940
941
942
943
944
		return GeniResponse->Create(GENIRESPONSE_REFUSED, undef,
					    "Sliver is not stopped (yet)");
	    }
	}
	elsif ($action eq "stop") {
945
	    if ($object->state() ne "started" && $object->state() ne "mixed") {
Leigh B. Stoller's avatar
Leigh B. Stoller committed
946
947
948
949
950
		return GeniResponse->Create(GENIRESPONSE_REFUSED, undef,
					    "Sliver is not started (yet)");
	    }
	}
	elsif ($action eq "restart") {
951
	    if ($object->state() ne "started" && $object->state() ne "mixed") {
Leigh B. Stoller's avatar
Leigh B. Stoller committed
952
953
954
		return GeniResponse->Create(GENIRESPONSE_REFUSED, undef,
					    "Sliver is not started (yet)");
	    }
955
	}
956
957
958
959
960
961
	elsif ($action eq "reload") {
	    if ($object->state() ne "started" && $object->state() ne "stopped"){
		return GeniResponse->Create(GENIRESPONSE_REFUSED, undef,
				    "Sliver is not started or stopped (yet)");
	    }
	}
962
963
964
965
966
	return 0;
    };
    my $PerformAction = sub {
	my ($object, $action) = @_;

967
968
	my $exitval = 0;

969
	if ($action eq "start") {
970
	    $exitval = $object->Start($API_VERSION);
971
	}
972
	elsif ($action eq "stop") {
973
	    $exitval = $object->Stop($API_VERSION);
974
975
	}
	elsif ($action eq "restart") {
976
977
978
979
	    $exitval = $object->Restart($API_VERSION);
	}
	elsif ($action eq "reload") {
	    $exitval = $object->Reload($API_VERSION);
980
	}
981
982
983
984
	return GeniResponse->Create(GENIRESPONSE_ERROR, 
				    "Could not $action sliver")
	    if ($exitval);
	
985
986
987
	return 0;
    };

988
989
990
991
992
993
994
995
996
997
998
    my $user = GeniCM::CreateUserFromCertificate($credential);
    return $user
	if (GeniResponse::IsResponse($user));

    my $realuser = GeniCM::FlipToUser($slice, $user);
    if (! (defined($realuser) && $realuser)) {
	print STDERR "Error flipping to real user\n";
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "FlipToUser Error");
    }

999
1000
    if (defined($slice_urn)) {
	$response = &$CheckState($aggregate, $action);