GeniCMV2.pm.in 61.2 KB
Newer Older
1 2 3
#!/usr/bin/perl -wT
#
# GENIPUBLIC-COPYRIGHT
4
# Copyright (c) 2008-2011 University of Utah and the Flux Group.
5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
# All rights reserved.
#
package GeniCMV2;

#
# The server side of the CM interface on remote sites. Also communicates
# with the GMC interface at Geni Central as a client.
#
use strict;
use Exporter;
use vars qw(@ISA @EXPORT);

@ISA    = "Exporter";
@EXPORT = qw ( );

# Must come after package declaration!
use GeniDB;
use GeniResponse;
use GeniTicket;
use GeniCredential;
use GeniCertificate;
26
use GeniComponent;
27 28 29 30
use GeniSlice;
use GeniAggregate;
use GeniSliver;
use GeniUtil;
31
use GeniCM;
32
use GeniHRN;
33
use GeniXML;
34 35 36 37 38 39 40 41
use emutil;
use English;
use Data::Dumper;
use XML::Simple;
use Date::Parse;
use POSIX qw(strftime tmpnam);
use Time::Local;
use Compress::Zlib;
42
use File::Temp qw(tempfile);
43 44 45 46 47 48 49 50 51 52
use MIME::Base64;

# Configure variables
my $TB		   = "@prefix@";
my $TBOPS          = "@TBOPSEMAIL@";
my $TBAPPROVAL     = "@TBAPPROVALEMAIL@";
my $TBAUDIT   	   = "@TBAUDITEMAIL@";
my $BOSSNODE       = "@BOSSNODE@";
my $OURDOMAIN      = "@OURDOMAIN@";
my $PGENIDOMAIN    = "@PROTOGENI_DOMAIN@";
53
my $ELABINELAB     = "@ELABINELAB@";
54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69
my $CREATEEXPT     = "$TB/bin/batchexp";
my $ENDEXPT        = "$TB/bin/endexp";
my $NALLOC	   = "$TB/bin/nalloc";
my $NFREE	   = "$TB/bin/nfree";
my $AVAIL	   = "$TB/sbin/avail";
my $PTOPGEN	   = "$TB/libexec/ptopgen";
my $TBSWAP	   = "$TB/bin/tbswap";
my $SWAPEXP	   = "$TB/bin/swapexp";
my $PLABSLICE	   = "$TB/sbin/plabslicewrapper";
my $NAMEDSETUP     = "$TB/sbin/named_setup";
my $VNODESETUP     = "$TB/sbin/vnode_setup";
my $GENTOPOFILE    = "$TB/libexec/gentopofile";
my $TARFILES_SETUP = "$TB/bin/tarfiles_setup";
my $MAPPER         = "$TB/bin/mapper";
my $VTOPGEN        = "$TB/bin/vtopgen";
my $SNMPIT         = "$TB/bin/snmpit";
70
my $XMLLINT	   = "/usr/local/bin/xmllint";
71 72
my $PRERENDER      = "$TB/libexec/vis/prerender";
my $EMULAB_PEMFILE = "@prefix@/etc/genicm.pem";
73 74
# Just one of these, at Utah.
my $GENICH_PEMFILE = "@prefix@/etc/genich.pem";
75
my $API_VERSION    = 2;
76 77 78 79 80 81 82 83

#
# Tell the client what API revision we support.  The correspondence
# between revision numbers and API features is to be specified elsewhere.
# No credentials are required.
#
sub GetVersion()
{
84 85
    my @input_rspec_versions = ( "0.1", "0.2", "2", "PG 0.1", "PG 0.2", "PG 2" );
    my @ad_rspec_versions = ( "0.1", "0.2", "2", "PG 0.1", "PG 0.2", "PG 2" );
Gary Wong's avatar
Gary Wong committed
86 87 88
    my $blob = {
	"api" => $API_VERSION,
	"level" => 1,
89
	"input_rspec" => \@input_rspec_versions,
90 91
	"output_rspec" => "0.2",
	"ad_rspec" => \@ad_rspec_versions
Gary Wong's avatar
Gary Wong committed
92 93
    };

94
    return GeniResponse->Create( GENIRESPONSE_SUCCESS, $blob);
95 96 97 98 99 100 101 102
}

#
# Respond to a Resolve request. 
#
sub Resolve($)
{
    my ($argref) = @_;
103 104
    my $credentials = $argref->{'credentials'};
    my $urn         = $argref->{'urn'};
105
    my $admin       = 0;
106
    my $isauth	    = 0;
107

108 109 110 111 112 113 114 115 116 117
    if (! (defined($credentials) && defined($urn))) {
	return GeniResponse->MalformedArgsResponse("Missing arguments");
    }
    if (! GeniHRN::IsValid($urn)) {
	return GeniResponse->MalformedArgsResponse("Invalid URN");
    }
    my $credential = CheckCredentials($credentials);
    return $credential
	if (GeniResponse::IsResponse($credential));

118 119 120
    my ($object, $type) = LookupURN($urn);
    return $object
	if (GeniResponse::IsResponse($object));
121 122 123 124

    #
    # This is a convenience for testing. If a local user and that
    # user is an admin person, then do whatever it says. This is
125 126
    # easier then trying to do this with credential privs. But,
    # watch for credentials from authorities instead of users.
127
    #
128 129
    my (undef,$callertype,$callerid) = GeniHRN::Parse($credential->owner_urn());
    if ($callertype eq "user") {
130
	my $user = GeniCM::CreateUserFromCertificate($credential);
131 132
	if (!GeniResponse::IsResponse($user) &&
	    $user->IsLocal() && $user->admin()) {
133 134 135 136 137
	    $admin = 1;
	}
    }
    elsif ($callertype eq "authority" && $callerid eq "cm") {
	$isauth = 1;
138
    }
139 140
    
    if ($type eq "node") {
141
	my $node  = $object;
142
	my $rspec = GeniCM::GetAdvertisement(0, $node->node_id(), "0.1", undef);
143
	if (! defined($rspec)) {
144
	    print STDERR "Could not get advertisement for $node!\n";
145
	    return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
146
					"Error getting advertisement");
147
	}
148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183
	my $me = GeniAuthority->Lookup($ENV{'MYURN'});
	if (!defined($me)) {
	    print STDERR
		"Could not find local authority object for $ENV{'MYURN'}\n";
	    return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
					"Error getting advertisement");
	}
	my $myurn = GeniHRN::Generate($OURDOMAIN, "node", $node->node_id());
	my $myhrn = "${PGENIDOMAIN}." . $node->node_id();

	#
	# See if the component object exists; if not create it.
	#
	my $component = GeniComponent->Lookup($node->uuid());
	if (!defined($component)) {
	    my $certificate = GeniCertificate->Lookup($node->uuid());
	    if (!defined($certificate)) {
		$certificate =
		    GeniCertificate->Create({'urn'  => $myurn,
					     'hrn'  => $myhrn,
					     'email'=> $TBOPS,
					     'uuid' => $node->uuid(),
					     'url'  => $me->url()});
		if (!defined($certificate)) {
		    print STDERR "Could not generate certificate for $node\n";
		    return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
					    "Error getting advertisement");
		}
	    }
	    $component = GeniComponent->Create($certificate, $me);
	    if (!defined($component)) {
		print STDERR "Could not create component for $node\n";
		return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
					    "Error getting advertisement");
	    }
	}
184
	# Return a blob.
185
	my $blob = { "hrn"          => $myhrn,
186 187
		     "uuid"         => $node->uuid(),
		     "role"	    => $node->role(),
188 189
		     "hostname"     =>
			 GeniUtil::FindHostname($node->node_id()),
190 191
		     "physctrl"     => 
			 Interface->LookupControl($node->phys_nodeid())->IP(),
192 193 194 195
		     "urn"          => $myurn,
		     "rspec"        => $rspec,
		     "url"          => $me->url(),
		     "gid"          => $component->cert(),
196 197 198 199
		   };

	return GeniResponse->Create(GENIRESPONSE_SUCCESS, $blob);
    }
Leigh B. Stoller's avatar
Leigh B. Stoller committed
200
    if ($type eq "slice") {
201 202
	my $slice = $object;

Leigh B. Stoller's avatar
Leigh B. Stoller committed
203 204 205 206
	#
	# In this implementation, the caller must hold a valid slice
	# credential for the slice being looked up. 
	#
207 208
	if (! ($isauth || $admin ||
	       $slice->urn() eq $credential->target_urn())) {
Leigh B. Stoller's avatar
Leigh B. Stoller committed
209 210 211 212 213 214 215
	    return GeniResponse->Create(GENIRESPONSE_FORBIDDEN());
	}
	# Return a blob.
	my $blob = { "urn"          => $urn };

	my $aggregate = GeniAggregate->SliceAggregate($slice);
	if (defined($aggregate)) {
216
	    $blob->{'sliver_urn'} = $aggregate->urn();
217 218 219 220
	    my $manifest = $aggregate->GetManifest(1);
	    if (defined($manifest)) {
		$blob->{'manifest'}   = $manifest;
	    }
Leigh B. Stoller's avatar
Leigh B. Stoller committed
221 222 223
	}
	my $ticket = GeniTicket->SliceTicket($slice);
	if (defined($ticket)) {
224
	    $blob->{'ticket_urn'} = $ticket->urn();
Leigh B. Stoller's avatar
Leigh B. Stoller committed
225 226 227 228
	}
	return GeniResponse->Create(GENIRESPONSE_SUCCESS, $blob);
    }
    if ($type eq "sliver") {
229 230
	my $sliver = $object;

Leigh B. Stoller's avatar
Leigh B. Stoller committed
231 232 233 234
	#
	# In this implementation, the caller must hold a valid slice
	# or sliver credential for the slice being looked up. 
	#
235
	if (! ($admin ||
236
	       $sliver->urn() eq $credential->target_urn() ||
237
	       $sliver->slice_uuid() eq $credential->target_uuid())) {
Leigh B. Stoller's avatar
Leigh B. Stoller committed
238 239
	    return GeniResponse->Create(GENIRESPONSE_FORBIDDEN);
	}
240 241
	my $manifest = $sliver->GetManifest(1);
	if (!defined($manifest)) {
Leigh B. Stoller's avatar
Leigh B. Stoller committed
242 243 244 245 246 247 248 249 250
	    return GeniResponse->Create(GENIRESPONSE_ERROR);
	}
	# Return a blob.
	my $blob = { "urn"          => $urn,
		     "manifest"     => $manifest,
		 };
	return GeniResponse->Create(GENIRESPONSE_SUCCESS, $blob);
    }
    if ($type eq "ticket") {
251 252
	my $ticket = $object;

Leigh B. Stoller's avatar
Leigh B. Stoller committed
253 254 255 256
	#
	# In this implementation, the caller must hold a valid slice
	# or sliver credential to get the ticket.
	#
257
	my $slice = GeniSlice->Lookup($ticket->slice_urn());
Leigh B. Stoller's avatar
Leigh B. Stoller committed
258 259 260 261
	if (!defined($slice)) {
	    print STDERR "Could not find slice for $ticket\n";
	    return GeniResponse->Create(GENIRESPONSE_ERROR);
	}
262
	if (! ($admin || $slice->urn() eq $credential->target_urn())) {
Leigh B. Stoller's avatar
Leigh B. Stoller committed
263 264 265 266 267
	    #
	    # See if its the sliver credential. 
	    #
	    my $aggregate = GeniAggregate->SliceAggregate($slice);
	    if (!defined($aggregate) ||
268
		$aggregate->urn() ne $credential->target_urn()) {
Leigh B. Stoller's avatar
Leigh B. Stoller committed
269 270 271 272 273
		return GeniResponse->Create(GENIRESPONSE_FORBIDDEN());
	    }
	}
	return GeniResponse->Create(GENIRESPONSE_SUCCESS, $ticket->asString());
    }
274 275
    return GeniResponse->Create(GENIRESPONSE_UNSUPPORTED, undef,
				"Cannot resolve $type at this authority");
276 277 278 279 280 281 282 283
}

#
# Discover resources on this component, returning a resource availablity spec
#
sub DiscoverResources($)
{
    my ($argref) = @_;
284 285 286
    my $credentials = $argref->{'credentials'};
    my $available   = $argref->{'available'} || 0;
    my $compress    = $argref->{'compress'} || 0;
287
    my $version     = $argref->{'rspec_version'} || undef;
288 289 290 291 292 293 294

    if (! (defined($credentials))) {
	return GeniResponse->MalformedArgsResponse("Missing arguments");
    }
    my $credential = CheckCredentials($credentials);
    return $credential
	if (GeniResponse::IsResponse($credential));
295

296 297
    my $credential_objects = [];
    foreach my $credstr (@$credentials) {
298 299 300
        my $cred = CheckCredential($credstr);
        push(@$credential_objects, $cred) 
            if(!GeniResponse::IsResponse($cred));
301 302
    }
    return GeniCM::DiscoverResourcesAux($available, $compress,
303
        $version, $credential_objects);
304 305 306 307 308 309 310 311
}

#
# Create a Sliver.
#
sub CreateSliver($)
{
    my ($argref) = @_;
312 313 314 315 316
    my $slice_urn    = $argref->{'slice_urn'};
    my $rspecstr     = $argref->{'rspec'};
    my $credentials  = $argref->{'credentials'};
    my $keys         = $argref->{'keys'};
    my $impotent     = $argref->{'impotent'} || 0;
317 318
    require Node;
    require Experiment;
319 320
    require libtestbed;
    require libaudit;
321 322
    
    # For now, I am not worrying about the slice_urn argument.
323 324
    if (! (defined($credentials) &&
	   defined($slice_urn) && defined($rspecstr))) {
325 326
	return GeniResponse->MalformedArgsResponse("Missing arguments");
    }
327 328 329 330 331 332
    if (! ($rspecstr =~ /^[\040-\176\012\015\011]+$/)) {
	return GeniResponse->MalformedArgsResponse("Bad characters in rspec");
    }
    if (! GeniHRN::IsValid($slice_urn)) {
	return GeniResponse->MalformedArgsResponse("Bad characters in URN");
    }
333 334 335
    my $credential = CheckCredentials($credentials);
    return $credential
	if (GeniResponse::IsResponse($credential));
336

337 338 339 340 341 342 343
    #
    # In this implementation, the user must provide a slice credential,
    # so we ignore the slice_urn. For CreateSliver(), the slice must not
    # be instantiated.
    #
    my ($slice,$aggregate) = Credential2SliceAggregate($credential);
    if (defined($slice)) {
344 345 346
	return $slice
	    if (GeniResponse::IsResponse($slice));

347 348 349 350
	if ($slice_urn ne $slice->urn()) {
	    return GeniResponse->Create(GENIRESPONSE_FORBIDDEN(), undef,
					"Credential does not match the URN");
	}
351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366
	#
	# Watch for a placeholder slice and update it.
	#
	if ($slice->isplaceholder()) {
	    if ($slice->Lock() != 0) {
		return GeniResponse->BusyResponse();
	    }
	    #
	    # Confirm that the slice certificate is the same.
	    #
	    if ($slice->cert() ne $credential->target_cert()->cert()) {
		$slice->UnLock();
		return GeniResponse->Create(GENIRESPONSE_FORBIDDEN, undef,
					    "Slice certificate mismatch");
	    }
	    my $user =
367
		GeniCM::CreateUserFromCertificate($credential);
368
	    if (GeniResponse::IsResponse($user)) {	    
369
		$slice->UnLock();
370
		return $user;
371 372 373 374 375 376 377 378
	    }
	    if ($slice->ConvertPlaceholder($user) != 0) {
		$slice->UnLock();
		return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
					    "Could not convert placeholder");
	    }
	    $slice->UnLock();
	}
379 380 381 382 383
	if (defined($aggregate)) {
	    return GeniResponse->Create(GENIRESPONSE_REFUSED, undef,
					"Must delete existing slice first");
	}
    }
384
    my $rspec = GeniCM::GetTicketAux($credential,
385
				     $rspecstr, 0, $impotent, 1, 0, undef);
386 387 388
    return $rspec
	if (GeniResponse::IsResponse($rspec));

389 390 391 392
    # Make sure that the next phase sees all changes.
    Experiment->FlushAll();
    Node->FlushAll();

393
    my $response = GeniCM::SliverWorkAux($credential,
394
					 $rspec, $keys, 0, $impotent, 1, 0);
395

396 397 398 399 400 401 402
    if (GeniResponse::IsError($response)) {
	#
	# We have to make sure there is nothing left over since there
	# is no actual ticket, so the resources will not get cleaned
	# up by the daemon. This is mostly cause I am reaching into
	# the V1 code, and its messy.
	#
403
	my $slice = GeniSlice->Lookup($credential->target_urn());
404 405 406 407 408 409 410
	if ($slice->Lock() != 0) {
	    print STDERR "CreateSliver: Could not lock $slice before delete\n";
	    return $response;
	}
	if (defined($slice)) {
	    GeniCM::CleanupDeadSlice($slice, 1);
	}
411
	return $response;
412
    }
413 414
    my ($sliver_credential, $sliver_manifest) = @{ $response->{'value'} };
    
415 416 417
    #
    # Leave the slice intact on error, so we can go look at it. 
    #
418
    $slice = GeniSlice->Lookup($credential->target_urn());
419 420 421 422 423 424 425 426 427 428
    if (!defined($slice)) {
	print STDERR "CreateSliver: Could not find slice for $credential\n";
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "Internal Error");
    }
    if ($slice->Lock() != 0) {
	print STDERR "CreateSliver: Could not lock $slice before start\n";
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "Internal Error");
    }
429
    $aggregate = GeniAggregate->SliceAggregate($slice);
430 431 432 433 434
    if (!defined($aggregate)) {
	print STDERR "CreateSliver: Could not find aggregate for $slice\n";
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "Internal Error");
    }
435 436 437 438 439 440 441 442 443 444 445 446 447 448
    #
    # At this point we want to return and let the startsliver proceed
    # in the background
    #
    my $mypid = fork();
    if ($mypid) {
	# Let the child get going.
	sleep(1);
	return GeniResponse->Create(GENIRESPONSE_SUCCESS,
				    [$sliver_credential, $sliver_manifest]);
    }
    # This switches the file that we are writing to. 
    libaudit::AuditFork();
    
449 450 451 452
    # Make sure that the next phase sees all changes.
    Experiment->FlushAll();
    Node->FlushAll();

Leigh B. Stoller's avatar
Leigh B. Stoller committed
453
    if ($aggregate->Start($API_VERSION, 0) != 0) {
454
	$slice->UnLock();
455 456
	print STDERR "Could not start sliver\n";
	return -1;
457
    }
458
    $slice->UnLock();
459
    return 0;
460 461 462 463 464 465
}

#
# Delete a Sliver.
#
sub DeleteSliver($)
466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486
{
    my ($argref) = @_;
    my $sliver_urn   = $argref->{'sliver_urn'};
    my $credentials  = $argref->{'credentials'};
    my $impotent     = $argref->{'impotent'} || 0;

    if (! (defined($credentials) && defined($sliver_urn))) {
	return GeniResponse->MalformedArgsResponse("Missing arguments");
    }
    if (! GeniHRN::IsValid($sliver_urn)) {
	return GeniResponse->MalformedArgsResponse("Bad characters in URN");
    }
    my $credential = CheckCredentials($credentials);
    return $credential
	if (GeniResponse::IsResponse($credential));

    #
    # In this implementation, the user must provide a slice or sliver
    # credential
    #
    my ($slice, $aggregate) = Credential2SliceAggregate($credential);
487 488 489
    return $slice
	if (defined($slice) && GeniResponse::IsResponse($slice));
    
490 491 492 493 494 495 496 497 498 499 500 501 502 503
    if (! (defined($slice) && defined($aggregate))) {
	return GeniResponse->Create(GENIRESPONSE_SEARCHFAILED, undef,
				    "Sliver does not exist");
    }
    if ($sliver_urn ne $aggregate->urn()) {
	return GeniResponse->Create(GENIRESPONSE_FORBIDDEN(), undef,
				    "Credential does not match the URN");
    }

    #
    # We need this below to sign the ticket.
    #
    my $authority = GeniCertificate->LoadFromFile($EMULAB_PEMFILE);
    if (!defined($authority)) {
504
	print STDERR " Could not load $EMULAB_PEMFILE\n";
505 506 507 508 509 510
	return GeniResponse->Create(GENIRESPONSE_ERROR);
	
    }
    #
    # We need the user to sign the new ticket to. 
    #
511
    my $user = GeniCM::CreateUserFromCertificate($credential);
512 513
    return $user
	if (GeniResponse::IsResponse($user));
514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532
    
    my $response = GeniCM::DeleteSliverAux($credential, $impotent, 1);
    return $response
	if (GeniResponse::IsResponse($response));

    #
    # In the v2 API, return a new ticket for the resources
    # (which were not released). As with all tickets, it will
    # expire very quickly. 
    #
    #
    # Create a new ticket from the manifest.
    #
    my $manifest = $aggregate->GetManifest(0);
    if (!defined($manifest)) {
	print STDERR "No manifest found for $aggregate\n";
	$response = GeniResponse->Create(GENIRESPONSE_ERROR);
	goto bad;
    }
533 534
    my $ticket = GeniTicket->Create($authority, $user,
				    GeniXML::Serialize($manifest));
535 536 537 538 539
    if (!defined($ticket)) {
	print STDERR "Could not create new ticket for $slice\n";
	$response = GeniResponse->Create(GENIRESPONSE_ERROR);
	goto bad;
    }
540
    $ticket->SetSlice($slice);
541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570
    
    if ($ticket->Sign()) {
	$ticket->Delete();
	print STDERR "Could not sign new ticket $ticket\n";
	$response = GeniResponse->Create(GENIRESPONSE_ERROR);
	goto bad;
    }
    if ($ticket->Store()) {
	$ticket->Delete();
	print STDERR "Could not store new ticket $ticket\n";
	$response = GeniResponse->Create(GENIRESPONSE_ERROR);
	goto bad;
    }
    my $slice_uuid = $slice->uuid();
    DBQueryWarn("delete from geni_manifests ".
		"where slice_uuid='$slice_uuid'");
    $slice->UnLock();
    return GeniResponse->Create(GENIRESPONSE_SUCCESS, $ticket->asString());

  bad:
    if (GeniCM::CleanupDeadSlice($slice) != 0) {
	print STDERR "Could not cleanup slice\n";
    }
    return $response;
}

#
# Delete a Slice
#
sub DeleteSlice($)
571 572
{
    my ($argref) = @_;
573 574 575 576
    my $slice_urn    = $argref->{'slice_urn'};
    my $credentials  = $argref->{'credentials'};
    my $impotent     = $argref->{'impotent'} || 0;

577
    if (! (defined($credentials) && defined($slice_urn))) {
578 579
	return GeniResponse->MalformedArgsResponse("Missing arguments");
    }
580 581 582
    if (! GeniHRN::IsValid($slice_urn)) {
	return GeniResponse->MalformedArgsResponse("Bad characters in URN");
    }
583 584 585
    my $credential = CheckCredentials($credentials);
    return $credential
	if (GeniResponse::IsResponse($credential));
586

587 588 589 590
    #
    # In this implementation, the user must provide a slice credential.
    #
    my ($slice, $aggregate) = Credential2SliceAggregate($credential);
591 592 593
    return $slice
	if (defined($slice) && GeniResponse::IsResponse($slice));

594 595 596 597 598 599 600 601 602 603 604
    if (! defined($slice)) {
	return GeniResponse->Create(GENIRESPONSE_SEARCHFAILED, undef,
				    "No such slice here");
    }
    if ($slice_urn ne $slice->urn()) {
	return GeniResponse->Create(GENIRESPONSE_FORBIDDEN(), undef,
				    "Credential does not match the URN");
    }
    if ($slice->Lock() != 0) {
	return GeniResponse->BusyResponse();
    }
Leigh B. Stoller's avatar
Leigh B. Stoller committed
605
    if (GeniCM::CleanupDeadSlice($slice, 1) != 0) {
606 607 608 609
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "Could not cleanup slice");
    }
    return GeniResponse->Create(GENIRESPONSE_SUCCESS);
610 611 612 613 614 615 616 617
}

#
# Get a Sliver (credential)
#
sub GetSliver($)
{
    my ($argref) = @_;
618 619
    my $slice_urn    = $argref->{'slice_urn'};
    my $credentials  = $argref->{'credentials'};
620

621
    if (! (defined($credentials) && defined($slice_urn))) {
622 623
	return GeniResponse->MalformedArgsResponse("Missing arguments");
    }
624 625 626
    if (! GeniHRN::IsValid($slice_urn)) {
	return GeniResponse->MalformedArgsResponse("Bad characters in URN");
    }
627 628 629 630
    my $credential = CheckCredentials($credentials);
    return $credential
	if (GeniResponse::IsResponse($credential));

631 632 633 634
    #
    # In this implementation, the user must provide a slice credential.
    #
    my ($slice, $aggregate) = Credential2SliceAggregate($credential);
635 636 637
    return $slice
	if (defined($slice) && GeniResponse::IsResponse($slice));

638 639 640 641 642 643 644 645
    if (! (defined($slice) && defined($aggregate))) {
	return GeniResponse->Create(GENIRESPONSE_BADARGS, undef,
				    "No slice or aggregate here");
    }
    if ($slice_urn ne $slice->urn()) {
	return GeniResponse->Create(GENIRESPONSE_FORBIDDEN(), undef,
				    "Credential does not match the URN");
    }
646
    return GeniCM::GetSliverAux($credential);
647 648 649
}

#
650
# Start a sliver (not sure what this means yet, so reboot for now).
651
#
652
sub StartSliver($)
653 654
{
    my ($argref) = @_;
655
    my $slice_urn    = $argref->{'slice_urn'};
656
    my $sliver_urns  = $argref->{'sliver_urns'} || $argref->{'component_urns'};
657
    my $credentials  = $argref->{'credentials'};
658
    my $manifest     = $argref->{'manifest'};
Leigh B. Stoller's avatar
Leigh B. Stoller committed
659
    
660 661
    return SliverAction("start",
			$slice_urn, $sliver_urns, $credentials, $manifest);
Leigh B. Stoller's avatar
Leigh B. Stoller committed
662 663 664 665 666 667
}

sub StopSliver($)
{
    my ($argref) = @_;
    my $slice_urn    = $argref->{'slice_urn'};
668
    my $sliver_urns  = $argref->{'sliver_urns'} || $argref->{'component_urns'};
Leigh B. Stoller's avatar
Leigh B. Stoller committed
669 670
    my $credentials  = $argref->{'credentials'};

671 672
    return SliverAction("stop",
			$slice_urn, $sliver_urns, $credentials, undef);
Leigh B. Stoller's avatar
Leigh B. Stoller committed
673 674 675 676 677 678
}

sub RestartSliver($)
{
    my ($argref) = @_;
    my $slice_urn    = $argref->{'slice_urn'};
679
    my $sliver_urns  = $argref->{'sliver_urns'} || $argref->{'component_urns'};
Leigh B. Stoller's avatar
Leigh B. Stoller committed
680
    my $credentials  = $argref->{'credentials'};
681
    my $manifest     = $argref->{'manifest'};
Leigh B. Stoller's avatar
Leigh B. Stoller committed
682

683 684
    return SliverAction("restart",
			$slice_urn, $sliver_urns, $credentials, $manifest);
Leigh B. Stoller's avatar
Leigh B. Stoller committed
685
}
686

687
sub SliverAction($$$$$)
Leigh B. Stoller's avatar
Leigh B. Stoller committed
688
{
689
    my ($action, $slice_urn, $sliver_urns, $credentials, $manifest) = @_;
690
    my $response;
691

692 693
    if (! (defined($credentials) &&
	   (defined($slice_urn) || defined($sliver_urns)))) {
694 695 696 697 698 699 700 701 702 703 704
	return GeniResponse->MalformedArgsResponse("Missing arguments");
    }
    my $credential = CheckCredentials($credentials);
    return $credential
	if (GeniResponse::IsResponse($credential));

    $credential->HasPrivilege( "pi" ) or
	$credential->HasPrivilege( "info" ) or
	return GeniResponse->Create(GENIRESPONSE_FORBIDDEN, undef,
				    "Insufficient privilege");

705 706 707 708 709 710 711 712 713
    if (defined($manifest)) {
	$manifest = GeniXML::Parse($manifest);
	if (!defined($manifest)) {
	    print STDERR "Error reading manifest\n";
	    return GeniResponse->Create(GENIRESPONSE_BADARGS, undef,
					"Bad manifest");
	}
    }
    
714 715 716
    #
    # For now, only allow top level aggregate or the slice
    #
717
    my ($slice, $aggregate) = Credential2SliceAggregate($credential);
718 719
    return $slice
	if (defined($slice) && GeniResponse::IsResponse($slice));
Srikanth's avatar
Srikanth committed
720

721 722 723 724 725
    if ( (!defined($slice)) && 
          ($credential->target_urn() =~ /\+authority\+cm$/)) {
          # administrative credentials are presented.
          my $cm_urn = GeniHRN::Generate($OURDOMAIN, "authority", "cm");
          if ($cm_urn != $credential->target_urn()) {
Srikanth's avatar
Srikanth committed
726
            return GeniResponse->Create(GENIRESPONSE_FORBIDDEN(), undef,
727 728 729 730
                      "Credential target does not match CM URN");
          }

      if (!defined($slice_urn)) {
Srikanth's avatar
Srikanth committed
731 732
          return GeniResponse->MalformedArgsResponse("Missing arguments");
      }       
733 734 735 736 737 738 739 740
      $slice = GeniSlice->Lookup($slice_urn);
      return GeniResponse->Create(GENIRESPONSE_ERROR, undef, 
                "No Slice with urn $slice_urn here")
          if (!defined($slice));
      $aggregate = GeniAggregate->SliceAggregate($slice);
      return GeniResponse->Create(GENIRESPONSE_ERROR, undef, 
                      "No Aggregate here")
          if (!defined($aggregate));
Srikanth's avatar
Srikanth committed
741
    } 
742

743 744 745 746 747 748
    if (! (defined($slice) && defined($aggregate))) {
	return GeniResponse->Create(GENIRESPONSE_BADARGS, undef,
				    "No slice or aggregate here");
    }
    if (defined($slice_urn)) {
	if (! GeniHRN::IsValid($slice_urn)) {
Leigh B. Stoller's avatar
Leigh B. Stoller committed
749 750
	    return
		GeniResponse->MalformedArgsResponse("Bad characters in URN");
751
	}
752 753 754
	if ($slice_urn ne $slice->urn()) {
	    return GeniResponse->Create(GENIRESPONSE_FORBIDDEN(), undef,
					"Credential does not match the URN");
755
	}
756 757 758 759 760 761 762 763 764 765 766 767 768 769 770 771 772 773
    }
    if ($slice->Lock() != 0) {
	return GeniResponse->BusyResponse();
    }
    # Shutdown slices get nothing.
    if ($slice->shutdown()) {
	$slice->UnLock();
	return GeniResponse->Create(GENIRESPONSE_FORBIDDEN, undef,
				    "Slice has been shutdown");
    }
    if ($aggregate->ComputeState()) {
	$slice->UnLock();
	print STDERR "Could not determine current state\n";
	return GeniResponse->Create(GENIRESPONSE_ERROR);
    }
    my $CheckState = sub {
	my ($object, $action) = @_;

Leigh B. Stoller's avatar
Leigh B. Stoller committed
774
	if ($action eq "start") {
775 776
	    if ($object->state() ne "stopped" && $object->state() ne "new"
		&& $object->state() ne "mixed") {
Leigh B. Stoller's avatar
Leigh B. Stoller committed
777 778 779 780 781
		return GeniResponse->Create(GENIRESPONSE_REFUSED, undef,
					    "Sliver is not stopped (yet)");
	    }
	}
	elsif ($action eq "stop") {
782
	    if ($object->state() ne "started" && $object->state() ne "mixed") {
Leigh B. Stoller's avatar
Leigh B. Stoller committed
783 784 785 786 787
		return GeniResponse->Create(GENIRESPONSE_REFUSED, undef,
					    "Sliver is not started (yet)");
	    }
	}
	elsif ($action eq "restart") {
788
	    if ($object->state() ne "started" && $object->state() ne "mixed") {
Leigh B. Stoller's avatar
Leigh B. Stoller committed
789 790 791
		return GeniResponse->Create(GENIRESPONSE_REFUSED, undef,
					    "Sliver is not started (yet)");
	    }
792 793 794 795 796 797
	}
	return 0;
    };
    my $PerformAction = sub {
	my ($object, $action) = @_;

798 799
	my $exitval = 0;

800
	if ($action eq "start") {
801
	    $exitval = $object->Start($API_VERSION, 0);
802
	}
803
	elsif ($action eq "stop") {
804
	    $exitval = $object->Stop($API_VERSION);
805 806
	}
	elsif ($action eq "restart") {
807
	    $exitval = $object->Start($API_VERSION, 1);
808
	}
809 810 811 812
	return GeniResponse->Create(GENIRESPONSE_ERROR, 
				    "Could not $action sliver")
	    if ($exitval);
	
813 814 815 816 817 818 819 820
	return 0;
    };

    if (defined($slice_urn)) {
	$response = &$CheckState($aggregate, $action);
	goto bad
	    if (GeniResponse::IsResponse($response));
	    
821 822 823 824 825 826 827 828 829
	if ($action eq "start" && defined($manifest)) {
	    if ($aggregate->ProcessManifest($manifest)) {
		$response = GeniResponse->Create(GENIRESPONSE_ERROR,
						 undef,
						 "Error processing manifest");
		goto bad;
	    }
	}
	
830 831 832 833
	$response = &$PerformAction($aggregate, $action);
	goto bad
	    if (GeniResponse::IsResponse($response));

834
	if ($action eq "start" || $action eq "restart") {
835
	    # GeniCM::UpdateManifest($slice);
836
	}
837 838
	$slice->UnLock();
	return GeniResponse->Create(GENIRESPONSE_SUCCESS);
839
    }
Leigh B. Stoller's avatar
Leigh B. Stoller committed
840
    else {
841
	my @slivers = ();
Leigh B. Stoller's avatar
Leigh B. Stoller committed
842

843 844 845 846 847
	#
	# Sanity check all arguments before doing anything.
	#
	foreach my $urn (@{ $sliver_urns }) {
	    my $sliver = GeniSliver->Lookup($urn);
Leigh B. Stoller's avatar
Leigh B. Stoller committed
848 849 850 851 852 853
	    if (!defined($sliver)) {
		$response = GeniResponse->Create(GENIRESPONSE_SEARCHFAILED,
						 undef,
						 "Nothing here by that name");
		goto bad;
	    }
854 855 856 857 858 859 860 861
	    
	    $response = &$CheckState($sliver, $action);
	    goto bad
		if (GeniResponse::IsResponse($response));

	    push(@slivers, $sliver);
	}
	foreach my $sliver (@slivers) {
862 863 864 865 866 867 868 869
	    if ($action eq "start" && defined($manifest)) {
		if ($sliver->ProcessManifest($manifest)) {
		    $response = GeniResponse->Create(GENIRESPONSE_ERROR,
				     undef,
				     "Error processing manifest for $sliver");
		    goto bad;
		}
	    }
870 871 872 873 874 875
	    $response = &$PerformAction($sliver, $action);
	    goto bad
		if (GeniResponse::IsResponse($response));
	}
	$slice->UnLock();
	return GeniResponse->Create(GENIRESPONSE_SUCCESS);
Leigh B. Stoller's avatar
Leigh B. Stoller committed
876
    }
877 878 879
  bad:
    $slice->UnLock();
    return $response;
880 881 882 883 884 885 886 887 888 889 890 891 892 893 894 895 896 897 898 899 900 901 902 903 904 905 906 907 908 909
}

#
# Get sliver status
#
sub SliverStatus($)
{
    my ($argref) = @_;
    my $slice_urn    = $argref->{'slice_urn'};
    my $credentials  = $argref->{'credentials'};

    if (! (defined($credentials) && defined($slice_urn))) {
	return GeniResponse->MalformedArgsResponse("Missing arguments");
    }
    if (! GeniHRN::IsValid($slice_urn)) {
	return GeniResponse->MalformedArgsResponse("Bad characters in URN");
    }
    my $credential = CheckCredentials($credentials);
    return $credential
	if (GeniResponse::IsResponse($credential));

    $credential->HasPrivilege( "pi" ) or
	$credential->HasPrivilege( "info" ) or
	return GeniResponse->Create(GENIRESPONSE_FORBIDDEN, undef,
				    "Insufficient privilege");

    #
    # For now, only allow top level aggregate or the slice
    #
    my ($slice, $aggregate) = Credential2SliceAggregate($credential);
910 911 912
    return $slice
	if (defined($slice) && GeniResponse::IsResponse($slice));

913
    if (! (defined($slice) && defined($aggregate))) {
914
	return GeniResponse->Create(GENIRESPONSE_SEARCHFAILED, undef,
915 916 917 918 919
				    "No slice or aggregate here");
    }
    if ($slice_urn ne $slice->urn()) {
	return GeniResponse->Create(GENIRESPONSE_FORBIDDEN(), undef,
				    "Credential does not match the URN");
920 921 922 923
    }
    if ($slice->Lock() != 0) {
	return GeniResponse->BusyResponse();
    }
Leigh B. Stoller's avatar
Leigh B. Stoller committed
924 925 926 927 928
    if ($aggregate->ComputeState()) {
	print STDERR "SliverStatus: Could not compute state for $aggregate\n";
	$slice->UnLock();
	return GeniResponse->Create(GENIRESPONSE_ERROR);
    }
929 930 931 932 933 934 935 936 937 938 939

    #
    # Grab all the slivers for this slice, and then
    # look for just the nodes.
    #
    my @slivers    = ();
    if ($aggregate->SliverList(\@slivers) != 0) {
	print STDERR "SliverStatus: Could not get slivers for $aggregate\n";
	$slice->UnLock();
	return GeniResponse->Create(GENIRESPONSE_ERROR);
    }
Leigh B. Stoller's avatar
Leigh B. Stoller committed
940 941 942

    my $blob = {
	"state"   => $aggregate->state(),
Leigh B. Stoller's avatar
Leigh B. Stoller committed
943
	"status"  => $aggregate->status(),
Leigh B. Stoller's avatar
Leigh B. Stoller committed
944 945 946
	"details" => {},
    };
    
947 948 949 950 951
    foreach my $sliver (@slivers) {
	next
	    if ($sliver->isa("GeniAggregate"));
	next
	    if ($sliver->resource_type() ne "Node");
952

953 954
	my $sliver_urn    = $sliver->sliver_urn();
	my $component_urn = $sliver->component_urn();
Leigh B. Stoller's avatar
Leigh B. Stoller committed
955 956 957
	my $state         = $sliver->state();
	my $status        = $sliver->status();
	my $error         = "";
958

959 960 961 962
	# New is the same as stopped. Separate state is handy.
	$state = "stopped"
	    if ($state eq "new");

Leigh B. Stoller's avatar
Leigh B. Stoller committed
963 964
	if ($status eq "failed") {
	    $error = $sliver->ErrorLog();
965
	}
966 967
	$blob->{'details'}->{$sliver_urn} = {
	    "component_urn" => $component_urn,
968 969 970 971 972 973 974
	    "state"  => $state,
	    "status" => $status,
	    "error"  => $error,
	};
    }
    $slice->UnLock();
    return GeniResponse->Create(GENIRESPONSE_SUCCESS, $blob);
975 976 977 978 979 980 981 982
}

#
# Shutdown sliver
#
sub Shutdown($)
{
    my ($argref) = @_;
983 984 985
    my $slice_urn    = $argref->{'slice_urn'};
    my $clear        = $argref->{'clear'} || 0;
    my $credentials  = $argref->{'credentials'};
986
    require libtestbed;
987

988
    if (! (defined($credentials) && defined($slice_urn))) {
989 990 991 992 993
	return GeniResponse->MalformedArgsResponse("Missing arguments");
    }
    my $credential = CheckCredentials($credentials);
    return $credential
	if (GeniResponse::IsResponse($credential));
994

995 996 997 998 999 1000 1001 1002 1003 1004 1005 1006 1007 1008 1009 1010 1011 1012 1013 1014 1015 1016 1017 1018 1019 1020 1021 1022 1023 1024 1025 1026 1027 1028 1029 1030 1031 1032 1033 1034 1035 1036 1037 1038 1039 1040 1041 1042 1043 1044 1045
    $credential->HasPrivilege( "pi" ) or
	$credential->HasPrivilege( "instantiate" ) or
	$credential->HasPrivilege( "control" ) or
	return GeniResponse->Create( GENIRESPONSE_FORBIDDEN, undef,
				     "Insufficient privilege" );

    #
    # The clearinghouse generates a different credential to do this.
    #
    if ($slice_urn ne $credential->target_urn()) {
	my $certificate = GeniCertificate->LoadFromFile($GENICH_PEMFILE);
	if (!defined($certificate)) {
	    print STDERR "Could not load certificate from $GENICH_PEMFILE\n";
	    return GeniResponse->Create(GENIRESPONSE_ERROR);
	}

	# The caller has to match the clearinghouse.
	if ($credential->owner_urn() ne $certificate->urn()) {
	    return GeniResponse->Create(GENIRESPONSE_FORBIDDEN, undef,
					"Insufficient privilege");
	}
    }

    #
    # No slice here? Done.
    #
    my $slice = GeniSlice->Lookup($slice_urn);
    if (!defined($slice)) {
	return GeniResponse->Create(GENIRESPONSE_SUCCESS);
    }
    #
    # Do not worry about locking when setting the shutdown time.
    # This can lead to race though, if a clear shutdown comes in first.
    # Seems unlikely though. 
    #
    if (!$clear) {
	# Do not overwrite original shutdown time
	$slice->SetShutdown(1)
	    if (!defined($slice->shutdown()) || $slice->shutdown() eq "");
    }
    else {
	$slice->SetShutdown(0);
    }
    # Always make sure the slice is shutdown.
    if ($slice->shutdown()) {
	# The expire daemon is going to look for this, so it will get
	# taken care of shortly.
	if ($slice->Lock() != 0) {
	    return GeniResponse->BusyResponse();
	}
	if (GeniCM::CleanupDeadSlice($slice, 0) != 0) {
1046 1047
	    libtestbed::SENDMAIL($TBOPS, "Emergency Shutdown failed",
				 "Emergency shutdown failed on $slice\n");
1048 1049 1050 1051 1052 1053 1054
	    print STDERR "Could not shutdown $slice!\n";
	    # Lets call this a non-error since the local admin person
	    # is going to have to deal with it anyway. 
	}
	$slice->UnLock();
    }
    return GeniResponse->Create(GENIRESPONSE_SUCCESS);
1055 1056 1057
}

#
1058
# Renew a slice
1059
#
1060
sub RenewSlice($)
1061 1062
{
    my ($argref) = @_;
1063
    my $slice_urn    = $argref->{'slice_urn'};
1064
    my $valid_until  = $argref->{'valid_until'} || $argref->{'expiration'};
1065 1066
    my $credentials  = $argref->{'credentials'};

Leigh B. Stoller's avatar
Leigh B. Stoller committed
1067
    if (! (defined($credentials) && defined($slice_urn))) {
1068 1069
	return GeniResponse->MalformedArgsResponse("Missing arguments");
    }
1070 1071 1072
    if (! GeniHRN::IsValid($slice_urn)) {
	return GeniResponse->MalformedArgsResponse("Bad characters in URN");
    }
1073 1074 1075 1076
    my $credential = CheckCredentials($credentials);
    return $credential
	if (GeniResponse::IsResponse($credential));

1077 1078 1079 1080
    #
    # In this implementation, the user must provide a slice credential.
    #
    my ($slice, $aggregate) = Credential2SliceAggregate($credential);
1081 1082 1083
    return $slice
	if (defined($slice) && GeniResponse::IsResponse($slice));