GeniCM.pm.in 24.7 KB
Newer Older
Leigh B. Stoller's avatar
Leigh B. Stoller committed
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
#!/usr/bin/perl -wT
#
# EMULAB-COPYRIGHT
# Copyright (c) 2008 University of Utah and the Flux Group.
# All rights reserved.
#
package GeniCM;

#
# The server side of the CM interface on remote sites. Also communicates
# with the GMC interface at Geni Central as a client.
#
use strict;
use Exporter;
use vars qw(@ISA @EXPORT);

@ISA    = "Exporter";
@EXPORT = qw ( );

# Must come after package declaration!
use lib '@prefix@/lib';
use GeniDB;
use Genixmlrpc;
Leigh B. Stoller's avatar
Leigh B. Stoller committed
24
25
use GeniResponse;
use GeniTicket;
Leigh B. Stoller's avatar
Leigh B. Stoller committed
26
use GeniCredential;
27
use GeniCertificate;
Leigh B. Stoller's avatar
Leigh B. Stoller committed
28
use GeniSlice;
Leigh B. Stoller's avatar
Leigh B. Stoller committed
29
use GeniAggregate;
Leigh B. Stoller's avatar
Leigh B. Stoller committed
30
use GeniSliver;
Leigh B. Stoller's avatar
Leigh B. Stoller committed
31
use GeniUser;
Leigh B. Stoller's avatar
Leigh B. Stoller committed
32
use libtestbed;
Leigh B. Stoller's avatar
Leigh B. Stoller committed
33
34
35
# Hate to import all this crap; need a utility library.
use libdb qw(TBGetUniqueIndex TBcheck_dbslot TBDB_CHECKDBSLOT_ERROR);
use User;
Leigh B. Stoller's avatar
Leigh B. Stoller committed
36
use Node;
37
use Interface;
Leigh B. Stoller's avatar
Leigh B. Stoller committed
38
39
use English;
use Data::Dumper;
Leigh B. Stoller's avatar
Leigh B. Stoller committed
40
use XML::Simple;
Leigh B. Stoller's avatar
Leigh B. Stoller committed
41
use Experiment;
Leigh B. Stoller's avatar
Leigh B. Stoller committed
42
43
44
45
46
47
48
49

# Configure variables
my $TB		   = "@prefix@";
my $TBOPS          = "@TBOPSEMAIL@";
my $TBAPPROVAL     = "@TBAPPROVALEMAIL@";
my $TBAUDIT   	   = "@TBAUDITEMAIL@";
my $BOSSNODE       = "@BOSSNODE@";
my $OURDOMAIN      = "@OURDOMAIN@";
Leigh B. Stoller's avatar
Leigh B. Stoller committed
50
51
my $CREATEEXPT     = "$TB/bin/batchexp";
my $NALLOC	   = "$TB/bin/nalloc";
Leigh B. Stoller's avatar
Leigh B. Stoller committed
52
my $AVAIL	   = "$TB/sbin/avail";
Leigh B. Stoller's avatar
Leigh B. Stoller committed
53
54
my $TBSWAP	   = "$TB/bin/tbswap";
my $SWAPEXP	   = "$TB/bin/swapexp";
Leigh B. Stoller's avatar
Leigh B. Stoller committed
55
56
57
58
59
60
61

#
# Discover resources on this component, returning a resource availablity spec
#
sub DiscoverResources($)
{
    my ($argref) = @_;
Leigh B. Stoller's avatar
Leigh B. Stoller committed
62
    my $slice      = $argref->{'slice'};
Leigh B. Stoller's avatar
Leigh B. Stoller committed
63
64
    my $credential = $argref->{'credential'};
    my $user_uuid  = $ENV{'GENIUSER'};
Leigh B. Stoller's avatar
Leigh B. Stoller committed
65
    my $slice_uuid;
Leigh B. Stoller's avatar
Leigh B. Stoller committed
66

Leigh B. Stoller's avatar
Leigh B. Stoller committed
67
    if (! defined($slice)) {
Leigh B. Stoller's avatar
Leigh B. Stoller committed
68
69
70
71
72
73
74
75
	return GeniResponse->MalformedArgsResponse();
    }

    $credential = GeniCredential->CreateFromSigned($credential);
    if (!defined($credential)) {
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "Could not create GeniCredential object");
    }
76
    GeniCertificate->CertificateInfo($slice, \$slice_uuid) == 0 or
Leigh B. Stoller's avatar
Leigh B. Stoller committed
77
78
79
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "Could not get uuid from Certificate");
	
Leigh B. Stoller's avatar
Leigh B. Stoller committed
80
81
82
83
84
85
86
87
88
89
90
    # The credential owner/slice has to match what was provided.
    if (! ($user_uuid eq $credential->owner_uuid() &&
	   $slice_uuid eq $credential->this_uuid())) {
	return GeniResponse->Create(GENIRESPONSE_FORBIDDEN, undef,
				    "Invalid credentials for operation");
    }

    #
    # Eventually we will take an optional rspec, but for now just return
    # a list of free nodes using avail. 
    #
91
92
    my @nodelist = ();
    if (! open(AVAIL, "$AVAIL type=pc  aslist |")) {
Leigh B. Stoller's avatar
Leigh B. Stoller committed
93
94
95
96
97
98
99
100
101
102
103
104
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "Could not start avail");
    }
    while (<AVAIL>) {
	my $nodeid = $_;
	chomp($nodeid);
	my $node = Node->Lookup($nodeid);
	push(@nodelist, $node)
	    if (defined($node));
    }
    close(AVAIL);

Leigh B. Stoller's avatar
Leigh B. Stoller committed
105
    my $xml = "<rspec xmlns=\"http://protogeni.net/resources/rspec/0.1\">\n";
Leigh B. Stoller's avatar
Leigh B. Stoller committed
106
107
108
109
110
111
    foreach my $node (@nodelist) {
	my $uuid = $node->uuid();
	my $nodeid = $node->node_id();
	
	$xml .= "<node uuid=\"$uuid\" name=\"$nodeid\">".
	    "<available>true</available></node>\n";
112
113
114
115
116
117
118
119
120
121
122
123

	my @interfaces = Interface->LookupAll($node);
	foreach my $interface (@interfaces) {
	    my $iface_uuid = $interface->uuid();
	    my $iface      = $interface->iface();

	    next 
		if (! $interface->IsExperimental());
	    
	    $xml .= "<interface uuid=\"$iface_uuid\" node_name=\"$nodeid\">".
		"<iface>$iface</iface></interface>\n";
	}
Leigh B. Stoller's avatar
Leigh B. Stoller committed
124
125
126
127
128
    }
    $xml .= "</rspec>";

    return GeniResponse->Create(GENIRESPONSE_SUCCESS, $xml);
}
Leigh B. Stoller's avatar
Leigh B. Stoller committed
129

Leigh B. Stoller's avatar
Leigh B. Stoller committed
130
#
Leigh B. Stoller's avatar
Leigh B. Stoller committed
131
# Respond to a GetTicket request. 
Leigh B. Stoller's avatar
Leigh B. Stoller committed
132
133
134
135
#
sub GetTicket($)
{
    my ($argref) = @_;
Leigh B. Stoller's avatar
Leigh B. Stoller committed
136
    my $slice_cert = $argref->{'slice'};
Leigh B. Stoller's avatar
Leigh B. Stoller committed
137
    my $rspec      = $argref->{'rspec'};
Leigh B. Stoller's avatar
Leigh B. Stoller committed
138
    my $impotent   = $argref->{'impotent'};
Leigh B. Stoller's avatar
Leigh B. Stoller committed
139
    my $credential = $argref->{'credential'};
140
    my $vtopo      = $argref->{'virtual_topology'};
Leigh B. Stoller's avatar
Leigh B. Stoller committed
141
    my $owner_uuid = $ENV{'GENIUSER'};
Leigh B. Stoller's avatar
Leigh B. Stoller committed
142
    my $slice_uuid;
Leigh B. Stoller's avatar
Leigh B. Stoller committed
143

Leigh B. Stoller's avatar
Leigh B. Stoller committed
144
    if (! defined($slice_cert)) {
Leigh B. Stoller's avatar
Leigh B. Stoller committed
145
	GeniResponse->Create(GENIRESPONSE_BADARGS, undef,
Leigh B. Stoller's avatar
Leigh B. Stoller committed
146
			     "Improper slice");
Leigh B. Stoller's avatar
Leigh B. Stoller committed
147
    }
Leigh B. Stoller's avatar
Leigh B. Stoller committed
148
149
150
    if (! (defined($rspec) && ($rspec =~ /^[-\w]+$/))) {
	GeniResponse->Create(GENIRESPONSE_BADARGS, undef,
			     "Improper rspec");	
Leigh B. Stoller's avatar
Leigh B. Stoller committed
151
    }
152
153
    $rspec = XMLin($rspec, ForceArray => ["node", "link"]);
    #print Dumper($rspec);
Leigh B. Stoller's avatar
Leigh B. Stoller committed
154

Leigh B. Stoller's avatar
Leigh B. Stoller committed
155
156
157
    $impotent = 0
	if (!defined($impotent));

Leigh B. Stoller's avatar
Leigh B. Stoller committed
158
    $credential = GeniCredential->CreateFromSigned($credential);
Leigh B. Stoller's avatar
Leigh B. Stoller committed
159
160
161
162
    if (!defined($credential)) {
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "Could not create GeniCredential object");
    }
163
    GeniCertificate->CertificateInfo($slice_cert, \$slice_uuid) == 0 or
Leigh B. Stoller's avatar
Leigh B. Stoller committed
164
165
166
167
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "Could not get uuid from Certificate");
	
	
Leigh B. Stoller's avatar
Leigh B. Stoller committed
168
169
170
171
172
173
    # The credential owner/slice has to match what was provided.
    if (! ($owner_uuid eq $credential->owner_uuid() &&
	   $slice_uuid eq $credential->this_uuid())) {
	return GeniResponse->Create(GENIRESPONSE_FORBIDDEN, undef,
				    "Invalid credentials for operation");
    }
Leigh B. Stoller's avatar
Leigh B. Stoller committed
174

Leigh B. Stoller's avatar
Leigh B. Stoller committed
175
176
177
178
179
180
181
    #
    # See if we have a record of this slice in the DB. If not, then we have
    # to go to the ClearingHouse to find its record, so that we can find out
    # who the SA for it is.
    #
    my $slice = GeniSlice->Lookup($slice_uuid);
    if (!defined($slice)) {
Leigh B. Stoller's avatar
Leigh B. Stoller committed
182
183
184
185
186
187
	$slice = GeniSlice->CreateFromRegistry($slice_uuid);
	if (!defined($slice)) {
	    print STDERR "No slice $slice_uuid in the ClearingHouse\n";
	    return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
			    "Could not get slice info from ClearingHouse");
	}
Leigh B. Stoller's avatar
Leigh B. Stoller committed
188
189
    }

Leigh B. Stoller's avatar
Leigh B. Stoller committed
190
    #
Leigh B. Stoller's avatar
Leigh B. Stoller committed
191
192
193
194
195
196
197
198
199
200
201
202
    # Ditto the user.
    #
    my $user = GeniUser->Lookup($owner_uuid);
    if (!defined($user)) {
	$user = GeniUser->CreateFromRegistry($owner_uuid);
	if (!defined($user)) {
	    print STDERR "No user $owner_uuid in the ClearingHouse\n";
	    return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
			    "Could not get user info from ClearingHouse");
	}
    }

Leigh B. Stoller's avatar
Leigh B. Stoller committed
203
    #
Leigh B. Stoller's avatar
Leigh B. Stoller committed
204
205
206
207
    # If the underlying experiment does not exist, need to create
    # a holding experiment. All these are going to go into the same
    # project for now. Generally, users for non-local slices do not
    # have local accounts or directories.
Leigh B. Stoller's avatar
Leigh B. Stoller committed
208
    #
Leigh B. Stoller's avatar
Leigh B. Stoller committed
209
210
211
212
213
214
215
216
217
    my $experiment = Experiment->Lookup($slice_uuid);
    if (!defined($experiment)) {
	#
	# Form an eid for the experiment. 
	#
	my $eid = "slice" . TBGetUniqueIndex('next_sliceid', 1);

	# Note the -h option; allows experiment with no NS file.
	system("$CREATEEXPT -q -i -w -E 'Geni Slice Experiment' ".
Leigh B. Stoller's avatar
Leigh B. Stoller committed
218
	       "-h '$slice_uuid' -p GeniSlices -e $eid");
Leigh B. Stoller's avatar
Leigh B. Stoller committed
219
220
221
222
223
224
225
	if ($?) {
	    return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
					"Internal Error");
	}
	$experiment = Experiment->Lookup($slice_uuid);
    }

Leigh B. Stoller's avatar
Leigh B. Stoller committed
226
    #
Leigh B. Stoller's avatar
Leigh B. Stoller committed
227
228
229
    # An rspec is a structure that requests specific nodes. If those
    # nodes are available, then reserve it. Otherwise the ticket
    # cannot be granted. 
Leigh B. Stoller's avatar
Leigh B. Stoller committed
230
    #
Leigh B. Stoller's avatar
Leigh B. Stoller committed
231
    my @nodeids = ();
Leigh B. Stoller's avatar
Leigh B. Stoller committed
232
233
234
    my $pid     = $experiment->pid();
    my $eid     = $experiment->eid();

235
236
237
    foreach my $resource_uuid (keys(%{$rspec->{'node'}})) {
	my $node = Node->Lookup($resource_uuid);
	if (!defined($node)) {
Leigh B. Stoller's avatar
Leigh B. Stoller committed
238
	    return GeniResponse->Create(GENIRESPONSE_BADARGS, undef,
239
					"Bad resource_uuid $resource_uuid");
Leigh B. Stoller's avatar
Leigh B. Stoller committed
240
	}
241
	push(@nodeids, $node->node_id());
Leigh B. Stoller's avatar
Leigh B. Stoller committed
242
    }
Leigh B. Stoller's avatar
Leigh B. Stoller committed
243
244

    #
Leigh B. Stoller's avatar
Leigh B. Stoller committed
245
    # Create the ticket first, before allocating the node.
Leigh B. Stoller's avatar
Leigh B. Stoller committed
246
    #
Leigh B. Stoller's avatar
Leigh B. Stoller committed
247
    my $ticket = GeniTicket->Create($slice, $user, $rspec);
Leigh B. Stoller's avatar
Leigh B. Stoller committed
248
249
250
251
    if (!defined($ticket)) {
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "Could not create GeniTicket object");
    }
Leigh B. Stoller's avatar
Leigh B. Stoller committed
252
    # Nalloc might fail if the node gets picked up by someone else.
Leigh B. Stoller's avatar
Leigh B. Stoller committed
253
    if (!$impotent) {
Leigh B. Stoller's avatar
Leigh B. Stoller committed
254
	system("$NALLOC $pid $eid @nodeids");
Leigh B. Stoller's avatar
Leigh B. Stoller committed
255
256
257
258
259
260
261
262
263
264
	if (($? >> 8) < 0) {
	    $ticket->Delete();
	    return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
					"Allocation failure");
	}
	elsif (($? >> 8) > 0) {
	    $ticket->Delete();
	    return GeniResponse->Create(GENIRESPONSE_UNAVAILABLE, undef,
					"Could not allocate node\n");
	}
Leigh B. Stoller's avatar
Leigh B. Stoller committed
265
    }
266
267
268
269
270
271
272
    if (defined($vtopo) && $experiment->InsertVirtTopo($vtopo) != 0) {
	# Release will free the nodes.
	$ticket->Release();
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "Could not insert virt topology");
    }
    
Leigh B. Stoller's avatar
Leigh B. Stoller committed
273
    if ($ticket->Sign() != 0) {
Leigh B. Stoller's avatar
Leigh B. Stoller committed
274
	# Release will free the nodes.
Leigh B. Stoller's avatar
Leigh B. Stoller committed
275
	$ticket->Release();
Leigh B. Stoller's avatar
Leigh B. Stoller committed
276
277
278
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "Could not sign Ticket");
    }
Leigh B. Stoller's avatar
Leigh B. Stoller committed
279
280
281
282
283
284
285
286
287
288
    return GeniResponse->Create(GENIRESPONSE_SUCCESS,
				$ticket->asString());
}

#
# Create a sliver.
#
sub CreateSliver($)
{
    my ($argref) = @_;
Leigh B. Stoller's avatar
Leigh B. Stoller committed
289
290
    my $owner_uuid = $ENV{'GENIUSER'};
    my $ticket     = $argref->{'ticket'};
291
    my $impotent   = $argref->{'impotent'};
Leigh B. Stoller's avatar
Leigh B. Stoller committed
292
    my $message    = "Error creating sliver/aggregate";
293
294
295

    $impotent = 0
	if (!defined($impotent));
Leigh B. Stoller's avatar
Leigh B. Stoller committed
296
297
298
299
300
301
302
303
304
305
306
307

    if (! (defined($ticket) &&
	   !TBcheck_dbslot($ticket, "default", "text",
			   TBDB_CHECKDBSLOT_ERROR))) {
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "ticket: ". TBFieldErrorString());
    }
    $ticket = GeniTicket->CreateFromSignedTicket($ticket);
    if (!defined($ticket)) {
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "Could not create GeniTicket object");
    }
Leigh B. Stoller's avatar
Leigh B. Stoller committed
308
309
310
311
312
    # The credential owner has to match what is in the ticket.
    if ($owner_uuid ne $ticket->owner_uuid()) {
	return GeniResponse->Create(GENIRESPONSE_FORBIDDEN, undef,
				    "Invalid credentials for operation");
    }
Leigh B. Stoller's avatar
Leigh B. Stoller committed
313

Leigh B. Stoller's avatar
Leigh B. Stoller committed
314
315
316
317
318
    my $experiment = Experiment->Lookup($ticket->slice_uuid());
    if (!defined($experiment)) {
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "No local experiment for slice");
    }
Leigh B. Stoller's avatar
Leigh B. Stoller committed
319
320
    my $pid = $experiment->pid();
    my $eid = $experiment->eid();
Leigh B. Stoller's avatar
Leigh B. Stoller committed
321

322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
    #
    # See if we have a record of this slice in the DB. If not, throw an
    # error; might change later.
    #
    my $slice = GeniSlice->Lookup($ticket->slice_uuid());
    if (!defined($slice)) {
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "No slice record for slice");
    }

    #
    # Ditto the user.
    #
    my $owner = GeniUser->Lookup($owner_uuid);
    if (!defined($owner)) {
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "No user record for $owner_uuid");
    }

Leigh B. Stoller's avatar
Leigh B. Stoller committed
341
342
343
344
345
346
    #
    # Create an emulab nonlocal user for tmcd.
    #
    $owner->BindToSlice($slice) == 0
	or return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				       "Error binding user to slice");
347

Leigh B. Stoller's avatar
Leigh B. Stoller committed
348
    #
Leigh B. Stoller's avatar
Leigh B. Stoller committed
349
    # We are actually an Aggregate, so return an aggregate of slivers,
350
    # unless there is just one node.
Leigh B. Stoller's avatar
Leigh B. Stoller committed
351
    #
352
353
354
355
356
    my $aggregate;
    if (scalar(keys(%{$ticket->rspec()->{'node'}})) > 1) {
	$aggregate = GeniAggregate->Create($ticket);
	if (!defined($aggregate)) {
	    return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
Leigh B. Stoller's avatar
Leigh B. Stoller committed
357
				    "Could not create GeniAggregate object");
358
	}
Leigh B. Stoller's avatar
Leigh B. Stoller committed
359
    }
360
    #print Dumper($ticket);
Leigh B. Stoller's avatar
Leigh B. Stoller committed
361
362

    #
Leigh B. Stoller's avatar
Leigh B. Stoller committed
363
364
    # Now for each resource (okay, node) in the ticket create a sliver and
    # add it to the aggregate.
Leigh B. Stoller's avatar
Leigh B. Stoller committed
365
    #
366
    my %slivers = ();
Leigh B. Stoller's avatar
Leigh B. Stoller committed
367
    foreach my $resource_uuid (keys(%{$ticket->rspec()->{'node'}})) {
368
369
370
	my $node = Node->Lookup($resource_uuid);
	if (!defined($node)) {
	    $message = "Unknown resource_uuid in ticket: $resource_uuid";
Leigh B. Stoller's avatar
Leigh B. Stoller committed
371
372
	    goto bad;
	}
373
	my $sliver = GeniSliver::Node->Create($slice, $owner, $resource_uuid);
Leigh B. Stoller's avatar
Leigh B. Stoller committed
374
375
376
377
	if (!defined($sliver)) {
	    $message = "Could not create GeniSliver object for $resource_uuid";
	    goto bad;
	}
378
	$slivers{$resource_uuid} = $sliver;
Leigh B. Stoller's avatar
Leigh B. Stoller committed
379
    }
Leigh B. Stoller's avatar
Leigh B. Stoller committed
380

381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
    #
    # Now do the links. For each link, we have to add a sliver for the
    # interfaces, and then combine those two interfaces into an aggregate,
    # and then that aggregate goes into the aggregate for toplevel sliver.
    #
    foreach my $linkname (keys(%{$ticket->rspec()->{'link'}})) {
	my @linkslivers  = ();
	if (! ($linkname =~ /^[-\w]*$/)) {
	    $message = "Bad name for link: $linkname";
	    goto bad;
	}

	my $linkaggregate = GeniAggregate::Link->Create($ticket);
	if (!defined($linkaggregate)) {
	    $message = "Could not create link aggregate for $linkname";
	    goto bad;
	}
	$slivers{$linkaggregate->uuid()} = $linkaggregate;

	my $linkendpoints =
	    $ticket->rspec()->{'link'}->{$linkname}->{'LinkEndPoints'};
	
	my $src_interface_spec = $linkendpoints->{'source_interface'};
	my $dst_interface_spec = $linkendpoints->{'destination_interface'};

	my @interfaces = ($src_interface_spec, $dst_interface_spec);
	foreach my $iface (@interfaces) {
	    my $node_uuid = $iface->{'node_uuid'};
	    my $iface     = $iface->{'iface_name'};
	    my $nodesliver= $slivers{$node_uuid};
	    if (!defined($nodesliver)) {
		$message = "Link $linkname specifies a non-existent node";
		goto bad;
	    }
	    my $nodeobject= Node->Lookup($node_uuid);
	    if (!defined($nodeobject)) {
		$message = "Could not find node object for $node_uuid";
		goto bad;
	    }
	    my $interface = Interface->LookupByIface($nodeobject, $iface);
	    if (!defined($interface)) {
		$message = "No such interface $iface on node $nodeobject";
		goto bad;
	    }
	    my $sliver = GeniSliver::Interface->Create($slice, $owner,
						       $interface->uuid());
	    if (!defined($sliver)) {
		$message = "Could not create GeniSliver ".
		    "$interface in $linkname";
		goto bad;
	    }
	    if ($sliver->SetAggregate($linkaggregate) != 0) {
		$message = "Could not add link sliver $sliver to $aggregate";
		goto bad;
	    }
	}
    }

Leigh B. Stoller's avatar
Leigh B. Stoller committed
439
440
441
442
    #
    # Now do the provisioning (note that we actually allocated the node
    # above when the ticket was granted). The add the sliver to the aggregate.
    #
443
    foreach my $sliver (values(%slivers)) {
Leigh B. Stoller's avatar
Leigh B. Stoller committed
444
445
446
	if (!$impotent && $sliver->Provision() != 0) {
	    $message = "Could not provision $sliver";
	    goto bad;
447

Leigh B. Stoller's avatar
Leigh B. Stoller committed
448
	}
449
450
	if (defined($aggregate) &&
	    $sliver->SetAggregate($aggregate) != 0) {
Leigh B. Stoller's avatar
Leigh B. Stoller committed
451
452
453
454
455
	    $message = "Could not aggregate for $sliver to $aggregate";
	    goto bad;
	}
    }

Leigh B. Stoller's avatar
Leigh B. Stoller committed
456
    #
457
    # This stuff needs to be moved elsewhere.
Leigh B. Stoller's avatar
Leigh B. Stoller committed
458
459
460
461
462
    #
    # XXX What if we have multiple slivers for this slice? We are going
    # to need some locking or management at the slice level so that we run
    # tbswap only once, or at least no more then one at a time.
    #
463
    if (0 && !$impotent) {
464
	system("$SWAPEXP -s modify -g $pid $eid");
Leigh B. Stoller's avatar
Leigh B. Stoller committed
465
466
467
468
469
470
	if ($?) {
	    $message = "Failed to tbswap $pid,$eid";
	    goto bad;
	}
    }

Leigh B. Stoller's avatar
Leigh B. Stoller committed
471
    #
Leigh B. Stoller's avatar
Leigh B. Stoller committed
472
    # The API states we return a credential to control the sliver/aggregate.
Leigh B. Stoller's avatar
Leigh B. Stoller committed
473
    #
474
475
476
477
478
479
480
    my $credential;
    if (defined($aggregate)) {
	$credential = $aggregate->NewCredential($owner);
    }
    else {
	$credential = ((values(%slivers))[0])->NewCredential($owner);
    }
Leigh B. Stoller's avatar
Leigh B. Stoller committed
481
    if (!defined($credential)) {
482
	$message = "Could not create credential";
Leigh B. Stoller's avatar
Leigh B. Stoller committed
483
	goto bad;
Leigh B. Stoller's avatar
Leigh B. Stoller committed
484
485
    }
    return GeniResponse->Create(GENIRESPONSE_SUCCESS, $credential->asString());
Leigh B. Stoller's avatar
Leigh B. Stoller committed
486
487

  bad:
488
    foreach my $sliver (values(%slivers)) {
Leigh B. Stoller's avatar
Leigh B. Stoller committed
489
490
491
492
493
494
495
496
	$sliver->UnProvision()
	    if (! $impotent);
	$sliver->Delete();
    }
    $aggregate->Delete()
	if (defined($aggregate));
    
    return GeniResponse->Create(GENIRESPONSE_ERROR, undef, $message);
Leigh B. Stoller's avatar
Leigh B. Stoller committed
497
498
499
}

#
Leigh B. Stoller's avatar
Leigh B. Stoller committed
500
# Start a sliver (not sure what this means yet, so reboot for now).
Leigh B. Stoller's avatar
Leigh B. Stoller committed
501
#
Leigh B. Stoller's avatar
Leigh B. Stoller committed
502
sub StartSliver($)
Leigh B. Stoller's avatar
Leigh B. Stoller committed
503
504
{
    my ($argref) = @_;
Leigh B. Stoller's avatar
Leigh B. Stoller committed
505
    my $owner_uuid  = $ENV{'GENIUSER'};
506
    my $sliver_cert = $argref->{'sliver'};
Leigh B. Stoller's avatar
Leigh B. Stoller committed
507
    my $credential  = $argref->{'credential'};
508
    my $sliver_uuid;
Leigh B. Stoller's avatar
Leigh B. Stoller committed
509
510
511
512
    my $impotent   = $argref->{'impotent'};

    $impotent = 0
	if (!defined($impotent));
Leigh B. Stoller's avatar
Leigh B. Stoller committed
513

514
    if (!defined($sliver_cert) || !defined($credential)) {
Leigh B. Stoller's avatar
Leigh B. Stoller committed
515
516
	return GeniResponse->Create(GENIRESPONSE_BADARGS);
    }
517
518
519
520
    GeniCertificate->CertificateInfo($sliver_cert, \$sliver_uuid) == 0 or
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "Could not get uuid from Certificate");
    
Leigh B. Stoller's avatar
Leigh B. Stoller committed
521
522
523
524
525
    $credential = GeniCredential->CreateFromSigned($credential);
    if (!defined($credential)) {
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "Could not create GeniCredential object");
    }
Leigh B. Stoller's avatar
Leigh B. Stoller committed
526
527
    my $sliver = GeniSliver->Lookup($sliver_uuid);
    if (!defined($sliver)) {
Leigh B. Stoller's avatar
Leigh B. Stoller committed
528
529
530
531
532
533
	# Might be an aggregate instead.
	$sliver = GeniAggregate->Lookup($sliver_uuid);
	if (!defined($sliver)) {
	    return GeniResponse->Create(GENIRESPONSE_BADARGS, undef,
				    "No such sliver/aggregate $sliver_uuid");
	}
Leigh B. Stoller's avatar
Leigh B. Stoller committed
534
    }
Leigh B. Stoller's avatar
Leigh B. Stoller committed
535
536
537
538
539
540
541
542
    
    # The credential owner has to match what is in the ticket.
    if (! ($owner_uuid eq $credential->owner_uuid() &&
	   $sliver_uuid eq $credential->this_uuid())) {
	return GeniResponse->Create(GENIRESPONSE_FORBIDDEN, undef,
				    "Invalid credentials for operation");
    }
    if (!$impotent) {
543
	$sliver->Start() == 0 or
Leigh B. Stoller's avatar
Leigh B. Stoller committed
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
	    return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				"Could not start sliver/aggregate");
    }
    return GeniResponse->Create(GENIRESPONSE_SUCCESS);
}

#
# Destroy a sliver/aggregate.
#
sub DestroySliver($)
{
    my ($argref) = @_;
    my $owner_uuid  = $ENV{'GENIUSER'};
    my $sliver_cert = $argref->{'sliver'};
    my $credential  = $argref->{'credential'};
    my $sliver_uuid;
    my $impotent   = $argref->{'impotent'};

    $impotent = 0
	if (!defined($impotent));

    if (!defined($sliver_cert) || !defined($credential)) {
	return GeniResponse->Create(GENIRESPONSE_BADARGS);
    }
    GeniCertificate->CertificateInfo($sliver_cert, \$sliver_uuid) == 0 or
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "Could not get uuid from Certificate");
    
Leigh B. Stoller's avatar
Leigh B. Stoller committed
572
573
    $credential = GeniCredential->CreateFromSigned($credential);
    if (!defined($credential)) {
Leigh B. Stoller's avatar
Leigh B. Stoller committed
574
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
Leigh B. Stoller's avatar
Leigh B. Stoller committed
575
				    "Could not create GeniCredential object");
Leigh B. Stoller's avatar
Leigh B. Stoller committed
576
    }
Leigh B. Stoller's avatar
Leigh B. Stoller committed
577
578
579
580
581
582
583
584
585
586
    my $sliver = GeniSliver->Lookup($sliver_uuid);
    if (!defined($sliver)) {
	# Might be an aggregate instead.
	$sliver = GeniAggregate->Lookup($sliver_uuid);
	if (!defined($sliver)) {
	    return GeniResponse->Create(GENIRESPONSE_BADARGS, undef,
				    "No such sliver/aggregate $sliver_uuid");
	}
    }
    
Leigh B. Stoller's avatar
Leigh B. Stoller committed
587
588
589
590
591
    # The credential owner has to match what is in the ticket.
    if (! ($owner_uuid eq $credential->owner_uuid() &&
	   $sliver_uuid eq $credential->this_uuid())) {
	return GeniResponse->Create(GENIRESPONSE_FORBIDDEN, undef,
				    "Invalid credentials for operation");
Leigh B. Stoller's avatar
Leigh B. Stoller committed
592
    }
Leigh B. Stoller's avatar
Leigh B. Stoller committed
593
594
595
596
597
    if (!$impotent) {
	$sliver->UnProvision() == 0 or
	    return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				"Could not unprovision sliver/aggregate");
    }
Leigh B. Stoller's avatar
Leigh B. Stoller committed
598
599
    $sliver->Delete() == 0 or
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
Leigh B. Stoller's avatar
Leigh B. Stoller committed
600
				    "Could not delete sliver/aggregate");
Leigh B. Stoller's avatar
Leigh B. Stoller committed
601
602
    
    return GeniResponse->Create(GENIRESPONSE_SUCCESS);
Leigh B. Stoller's avatar
Leigh B. Stoller committed
603
}
Leigh B. Stoller's avatar
Leigh B. Stoller committed
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814

#
# Bind a user to a slice.
#
sub BindUser($)
{
    my ($argref) = @_;
    my $sliver     = $argref->{'sliver'};
    my $hrn        = $argref->{'userinfo'}->{'hrn'};
    my $uuid       = $argref->{'userinfo'}->{'uuid'};
    my $name       = $argref->{'userinfo'}->{'name'};
    my $email      = $argref->{'userinfo'}->{'email'};
    my $cert       = $argref->{'userinfo'}->{'cert'};
    my $sshkey     = $argref->{'userinfo'}->{'sshkey'};
    my $sliver_uuid;

    if (! (defined($hrn) && defined($name) && defined($sliver) &&
	   defined($email) && defined($cert) && defined($uuid))) {
	return GeniResponse->MalformedArgsResponse();
    }

    GeniCertificate->CertificateInfo($sliver, \$sliver_uuid) == 0 or
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "Could not get uuid from Certificate");
    
    #
    # See if we have a record of this sliver in the DB. If not, then we have
    # to go to the ClearingHouse to find its record, so that we can find out
    # who the SA for it is.
    #
    $sliver = GeniSliver->Lookup($sliver_uuid);
    if (!defined($sliver)) {
	# Might be an aggregate instead.
	$sliver = GeniAggregate->Lookup($sliver_uuid);
	if (!defined($sliver)) {
	    return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
					"No such sliver $sliver_uuid");
	}
    }
    my $slice = $sliver->GetSlice();

    #
    # Use the Emulab checkslot routines.
    #
    if (! ($hrn =~ /^[-\w\.]*$/)) {
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "hrn: Invalid characters");
    }
    if (! ($uuid =~ /^[-\w]*$/)) {
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "uuid: Invalid characters");
    }
    if (! TBcheck_dbslot($name, "users", "usr_name", TBDB_CHECKDBSLOT_ERROR)) {
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "name: ". TBFieldErrorString());
    }
    if (! TBcheck_dbslot($email, "users", "usr_email",TBDB_CHECKDBSLOT_ERROR)){
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "email: ". TBFieldErrorString());
    }
    if (! ($cert =~ /^[\012\015\040-\176]*$/)) {
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "cert: Invalid characters");
    }
    if (defined($sshkey) && ! ($sshkey =~ /^[\012\015\040-\176]*$/)) {
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "sshkey: Invalid characters");
    }

    #
    # The SA UUID comes from the SSL environment (certificate). Verify it
    # and the prefix match for the uuid.
    #
    my $sa_uuid = $ENV{'GENIUUID'};
    my $authority = GeniAuthority->Lookup($sa_uuid);
    if (!defined($authority)) {
	return GeniResponse->Create(GENIRESPONSE_SEARCHFAILED, undef,
				    "No slice authority record for $sa_uuid");
    }
    if (! $authority->PrefixMatch($uuid)) {
	return GeniResponse->Create(GENIRESPONSE_FORBIDDEN, undef,
				    "uuid: Prefix mismatch");
    }

    #
    # Verify that this is the SA for the slice. 
    #
    if (! $slice->IsSliceAuthority($authority)) {
	return GeniResponse->Create(GENIRESPONSE_FORBIDDEN, undef,
				    "Must be the SA for the slice");
    }

    # Might already exist. Not an error, Just check binding and return.
    my $user = GeniUser->Lookup($uuid);
    if (defined($user)) {
	$user->BindToSlice($slice) == 0
	    or return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
					   "Error binding user to slice");

	return GeniResponse->Create(GENIRESPONSE_SUCCESS, undef,
			    "$hrn/$email has been bound to slice");
    }

    #
    # XXX
    #
    # What kind of uniquess requirements do we need? No one else with this
    # email address? Of course, we have to allow hrn reuse, but should we
    # require that for a given SA, that hrn is unique, at least to avoid
    # lots of confusion?
    #
    if (GeniUser->CheckExisting($hrn, $email)) {
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "$hrn/$email already registered");
    }

    # The local uid we will use is the last part of the hrn.
    my ($uid) = ($hrn =~ /^.*\.(\w*)$/);
    if (!defined($uid)) {
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "uid: cannot parse hrn to get uid");
    }
    elsif (! TBcheck_dbslot($uid, "users", "uid", TBDB_CHECKDBSLOT_ERROR)) {
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "uid: ". TBFieldErrorString());
    }
    my $newuser = GeniUser->Create($hrn, $uid, $uuid,
				   $name, $email, $cert,
				   $authority->idx(), $sshkey);
    if (!defined($newuser)) {
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "$hrn/$email could not be registered");
    }
    $newuser->BindToSlice($slice) == 0
	or return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				       "Error binding user to sliver");
    
    return GeniResponse->Create(GENIRESPONSE_SUCCESS, undef,
				"$hrn/$email has been bound to $sliver_uuid");
}

#
# Unbind user from sliver.
#
sub UnBindUser($)
{
    my ($argref) = @_;
    my $sliver      = $argref->{'sliver'};
    my $user       = $argref->{'user'};
    my $sliver_uuid;
    my $user_uuid;

    if (! (defined($sliver) && defined($user))) {
	return GeniResponse->MalformedArgsResponse();
    }

    GeniCertificate->CertificateInfo($sliver, \$sliver_uuid) == 0 or
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "Could not get uuid from Certificate");
    
    GeniCertificate->CertificateInfo($user, \$user_uuid) == 0 or
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "Could not get uuid from Certificate");
    
    #
    # See if we have a record of this sliver in the DB. If not, then we have
    # to go to the ClearingHouse to find its record, so that we can find out
    # who the SA for it is.
    #
    $sliver = GeniSliver->Lookup($sliver_uuid);
    if (!defined($sliver)) {
	# Might be an aggregate instead.
	$sliver = GeniAggregate->Lookup($sliver_uuid);
	if (!defined($sliver)) {
	    return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
					"No such sliver $sliver_uuid");
	}
    }
    # Does not exist? Not an error.
    $user = GeniUser->Lookup($user_uuid);
    if (! defined($user)) {
	return GeniResponse->Create(GENIRESPONSE_SUCCESS, undef,
				    "$user_uuid is not bound to $sliver_uuid");
    }
    my $slice = $sliver->GetSlice();

    #
    # The SA UUID comes from the SSL environment (certificate). 
    #
    my $sa_uuid = $ENV{'GENIUUID'};
    my $authority = GeniAuthority->Lookup($sa_uuid);
    if (!defined($authority)) {
	return GeniResponse->Create(GENIRESPONSE_SEARCHFAILED, undef,
				    "No slice authority record for $sa_uuid");
    }
    #
    # Verify that this is the SA for the slice. 
    #
    if (! $slice->IsSliceAuthority($authority)) {
	return GeniResponse->Create(GENIRESPONSE_FORBIDDEN, undef,
				    "Must be the SA for the slice");
    }

    $user->UnBindFromSlice($slice) == 0
	or return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				       "Error unbinding user from sliver");
    
    return GeniResponse->Create(GENIRESPONSE_SUCCESS, undef,
				"$user_uuid has been unbound from sliver");
}