libdb.pm.in

#!/usr/bin/perl -w

#
# EMULAB-COPYRIGHT
# Copyright (c) 2000-2002 University of Utah and the Flux Group.
# All rights reserved.
#

#
# A library of useful DB stuff. Mostly things that get done a lot.
# Saves typing.
#
# XXX: The notion of "uid" is a tad confused. A unix uid is a number,
#      while in the DB a user uid is a string (equiv to unix login).
#      Needs to be cleaned up.
#

package libdb;
use Exporter;
@ISA = "Exporter";
@EXPORT =
    qw ( NODERELOADING_PID NODERELOADING_EID NODEDEAD_PID NODEDEAD_EID
	 NODEBOOTSTATUS_OKAY NODEBOOTSTATUS_FAILED NODEBOOTSTATUS_UNKNOWN
	 NODESTARTSTATUS_NOSTATUS PROJMEMBERTRUST_NONE PROJMEMBERTRUST_USER
	 PROJMEMBERTRUST_ROOT PROJMEMBERTRUST_GROUPROOT
	 PROJMEMBERTRUST_PROJROOT

	 TBTrustConvert TBMinTrust TBGrpTrust TBProjTrust

	 TB_NODEACCESS_READINFO TB_NODEACCESS_MODIFYINFO
	 TB_NODEACCESS_LOADIMAGE TB_NODEACCESS_REBOOT
	 TB_NODEACCESS_POWERCYCLE TB_NODEACCESS_MODIFYVLANS
	 TB_NODEACCESS_MIN TB_NODEACCESS_MAX

	 TB_USERINFO_READINFO TB_USERINFO_MODIFYINFO
	 TB_USERINFO_MIN TB_USERINFO_MAX

	 USERSTATUS_ACTIVE USERSTATUS_FROZEN
	 USERSTATUS_UNAPPROVED USERSTATUS_UNVERIFIED USERSTATUS_NEWUSER

	 TB_EXPT_READINFO TB_EXPT_MODIFY TB_EXPT_DESTROY
	 TB_EXPT_MIN TB_EXPT_MAX

	 TB_PROJECT_READINFO TB_PROJECT_MAKEGROUP
	 TB_PROJECT_EDITGROUP TB_PROJECT_DELGROUP
	 TB_PROJECT_LEADGROUP TB_PROJECT_ADDUSER
	 TB_PROJECT_DELUSER TB_PROJECT_MAKEOSID
	 TB_PROJECT_DELOSID TB_PROJECT_MAKEIMAGEID TB_PROJECT_DELIMAGEID
	 TB_PROJECT_CREATEEXPT TB_PROJECT_MIN TB_PROJECT_MAX

	 TB_OSID_READINFO TB_OSID_CREATE
	 TB_OSID_DESTROY TB_OSID_MIN TB_OSID_MAX

	 TB_IMAGEID_READINFO TB_IMAGEID_MODIFYINFO
	 TB_IMAGEID_CREATE TB_IMAGEID_DESTROY
	 TB_IMAGEID_ACCESS TB_IMAGEID_MIN TB_IMAGEID_MAX
	 
	 DBLIMIT_NSFILESIZE NODERELOADPENDING_EID

	 EXPTSTATE_NEW EXPTSTATE_PRERUN EXPTSTATE_SWAPPED EXPTSTATE_SWAPPING
	 EXPTSTATE_ACTIVATING EXPTSTATE_ACTIVE EXPTSTATE_TESTING
	 EXPTSTATE_TERMINATING EXPTSTATE_TERMINATED EXPTSTATE_UPDATING

	 BATCHSTATE_POSTED BATCHSTATE_RUNNING BATCHSTATE_TERMINATING
	 BATCHSTATE_ACTIVATING
	 TBBatchState TBSetBatchState

	 TB_NODELOGTYPE_MISC TB_NODELOGTYPES TB_DEFAULT_NODELOGTYPE 

	 TB_DEFAULT_RELOADTYPE TB_RELOADTYPE_FRISBEE TB_RELOADTYPE_NETDISK

	 TB_EXPTPRIORITY_LOW TB_EXPTPRIORITY_HIGH

	 TB_ASSIGN_TOOFEWNODES TB_OPSPID

	 TBDB_TBEVENT_NODESTATE TBDB_TBEVENT_NODEOPMODE
	 TBDB_TBEVENT_ISUP TBDB_TBEVENT_REBOOTING TBDB_TBEVENT_REBOOTED
	 TBDB_TBEVENT_NORMAL TBDB_TBEVENT_DELAYING TBDB_TBEVENT_UNKNOWNOS
	 TBDB_TBEVENT_RELOADING
	 TBDB_NODESTATE_ISUP TBDB_NODESTATE_REBOOTING TBDB_NODESTATE_REBOOTED
	 TBDB_NODESTATE_UNKNOWN
	 TBDB_NODEOPMODE_NORMAL TBDB_NODEOPMODE_DELAYING
	 TBDB_NODEOPMODE_UNKNOWNOS TBDB_NODEOPMODE_RELOADING
	 TBDB_NODEOPMODE_UNKNOWN
	 TBDB_EXPT_WORKDIR
	 TBSetNodeEventState TBGetNodeEventState
	 TBSetNodeOpMode TBGetNodeOpMode

	 TBAdmin TBProjAccessCheck TBNodeAccessCheck TBOSIDAccessCheck
	 TBImageIDAccessCheck TBExptAccessCheck ExpLeader MarkNodeDown
	 SetNodeBootStatus OSFeatureSupported IsShelved NodeidToExp
	 UserDBInfo DBQuery DBQueryFatal DBQueryWarn DBWarn DBFatal
	 DBQuoteSpecial UNIX2DBUID ExpState SetExpState ProjLeader
	 ExpNodes DBDateTime DefaultImageID GroupLeader TBGroupUnixInfo
	 TBValidNodeLogType TBValidNodeName TBSetNodeLogEntry
	 TBSetSchedReload MapNodeOSID TBLockExp TBUnLockExp TBSetExpSwapTime
	 TBUnixGroupList TBOSID TBImageID TBdbfork VnameToNodeid TBExpLocked
	 TBIsNodeRemote TBExptSetLogFile TBExptClearLogFile TBExptGetLogFile
	 TBIsNodeVirtual TBControlNetIP TBPhysNodeID
	 TBExptOpenLogFile TBExptCloseLogFile TBExptCreateLogFile
	 TBNodeUpdateAccountsByPid TBNodeUpdateAccountsByType
	 TBSaveExpLogFiles TBExptWorkDir TBExptUserDir TBExptLogDir
	 TBExptDestroy

	 TBDB_WIDEAREA_LOCALNODE
	 TBWideareaNodeID
	 );

# Must come after package declaration!
use lib '@prefix@/lib';
use English;
use File::Basename;
use POSIX qw(strftime);
require Mysql;

# Configure variables
my $TB		= "@prefix@";
my $DBNAME	= "@TBDBNAME@";
my $TBOPS       = "@TBOPSEMAIL@";
my $EVENTSYS    = "@EVENTSYS@";
my $BOSSNODE    = "@BOSSNODE@";
my $TBOPSPID	= "emulab-ops";

if ($EVENTSYS) {
    require event;
    import event;
}

#
# Set up for querying the database. Note that fork causes a reconnect
# to the DB in the child. 
#
my $DB;

sub TBDBConnect()
{
    my $maxtries = 5;

    #
    # Construct a 'username' from the name of this script and the user who
    # ran it. This is for accounting purposes.
    #
    my $scriptname;
    my $prog="";
    if ($0 =~ /^([a-z0-9\-\/\.\_]*)$/) { $prog = $1; }
    if ($prog) {
	$scriptname = basename($prog);
    }
    if (!$scriptname) {
	$scriptname = "unknown";
    }
    my $name = getpwuid($UID);
    if (!$name) {
	$name = "uid$UID";
    }
    my $dbuser = "$scriptname:$name";

    while ($maxtries) {
	$DB = Mysql->connect("localhost", $DBNAME, $dbuser, "none");
	if (defined($DB)) {
	    last;
	}
	$maxtries--;
	sleep(1);
    }
    if (!defined($DB)) {
	die("Cannot connect to DB after several attempts!\n");
    }
    $DB->{'dbh'}->{'PrintError'} = 0;    
}
TBDBConnect();

sub TBdbfork()
{
    undef($DB);
    TBDBConnect();
}

#
# Record last DB error string.
#
my $DBErrorString = "";

#
# Needs to be config'ed.
#
sub TBDB_EXPT_WORKDIR()		{ "/usr/testbed/expwork"; }
    
#
# Define exported "constants". Basically, these are just perl subroutines
# that look like constants cause you do not need to call a perl subroutine
# with parens. That is, FOO and FOO() are the same thing.
#
sub NODERELOADING_PID()		{ "emulab-ops"; }
sub NODERELOADING_EID()		{ "reloading"; }
sub NODERELOADPENDING_EID()	{ "reloadpending"; }
sub NODEDEAD_PID()		{ "emulab-ops"; }
sub NODEDEAD_EID()		{ "hwdown"; }

sub NODEBOOTSTATUS_OKAY()	{ "okay" ; }
sub NODEBOOTSTATUS_FAILED()	{ "failed"; }
sub NODEBOOTSTATUS_UNKNOWN()	{ "unknown"; }
sub NODESTARTSTATUS_NOSTATUS()	{ "none"; }

sub EXPTSTATE_NEW()		{ "new"; }
sub EXPTSTATE_PRERUN()		{ "prerunning"; }
sub EXPTSTATE_SWAPPED()		{ "swapped"; }
sub EXPTSTATE_SWAPPING()	{ "swapping"; }
sub EXPTSTATE_ACTIVATING()	{ "activating"; }
sub EXPTSTATE_ACTIVE()		{ "active"; }
sub EXPTSTATE_TESTING()		{ "testing"; }
sub EXPTSTATE_TERMINATING()	{ "terminating"; }
sub EXPTSTATE_TERMINATED()	{ "ended"; }
sub EXPTSTATE_UPDATING()	{ "updating"; }

sub BATCHSTATE_POSTED()		{ "posted"; }
sub BATCHSTATE_ACTIVATING()	{ "activating"; }
sub BATCHSTATE_RUNNING()	{ "active"; }
sub BATCHSTATE_TERMINATING()	{ "terminating"; }

sub USERSTATUS_ACTIVE()		{ "active"; }
sub USERSTATUS_FROZEN()		{ "frozen"; }
sub USERSTATUS_UNAPPROVED()	{ "unapproved"; }
sub USERSTATUS_UNVERIFIED()	{ "unverified"; }
sub USERSTATUS_NEWUSER()	{ "newuser"; }

#
# We want valid project membership to be non-zero for easy membership
# testing. Specific trust levels are encoded thusly.
# 
sub PROJMEMBERTRUST_NONE()	{ 0; }
sub PROJMEMBERTRUST_USER()	{ 1; }
sub PROJMEMBERTRUST_ROOT()	{ 2; }
sub PROJMEMBERTRUST_LOCALROOT()	{ 2; }
sub PROJMEMBERTRUST_GROUPROOT()	{ 3; }
sub PROJMEMBERTRUST_PROJROOT()	{ 4; }
sub PROJMEMBERTRUST_ADMIN()	{ 5; }

#
# Access types. Duplicated in the web interface. Make changes there too!
# 
# Things you can do to a node.
sub TB_NODEACCESS_READINFO()	{ 1; }
sub TB_NODEACCESS_MODIFYINFO()	{ 2; }
sub TB_NODEACCESS_LOADIMAGE()	{ 3; }
sub TB_NODEACCESS_REBOOT()	{ 4; }
sub TB_NODEACCESS_POWERCYCLE()	{ 5; }
sub TB_NODEACCESS_MODIFYVLANS()	{ 6; }
sub TB_NODEACCESS_MIN()		{ TB_NODEACCESS_READINFO; }
sub TB_NODEACCESS_MAX()		{ TB_NODEACCESS_MODIFYVLANS; }

# User Info (modinfo web page, etc).
sub TB_USERINFO_READINFO()	{ 1; }
sub TB_USERINFO_MODIFYINFO()	{ 2; }
sub TB_USERINFO_MIN()		{ TB_USERINFO_READINFO; }
sub TB_USERINFO_MAX()		{ TB_USERINFO_MODIFYINFO; }

# Experiments (also batch experiments).
sub TB_EXPT_READINFO()		{ 1; }
sub TB_EXPT_MODIFY()		{ 2; }
sub TB_EXPT_DESTROY()		{ 3; }
sub TB_EXPT_MIN()		{ TB_EXPT_READINFO; }
sub TB_EXPT_MAX()		{ TB_EXPT_DESTROY; }

# Projects.
sub TB_PROJECT_READINFO()	{ 1; }
sub TB_PROJECT_MAKEGROUP()	{ 2; }
sub TB_PROJECT_EDITGROUP()	{ 3; }
sub TB_PROJECT_DELGROUP()	{ 4; }
sub TB_PROJECT_LEADGROUP()	{ 5; }
sub TB_PROJECT_ADDUSER()	{ 6; }
sub TB_PROJECT_DELUSER()	{ 7; }
sub TB_PROJECT_MAKEOSID		{ 8; }
sub TB_PROJECT_DELOSID		{ 9; }
sub TB_PROJECT_MAKEIMAGEID	{ 10; }
sub TB_PROJECT_DELIMAGEID	{ 11; }
sub TB_PROJECT_CREATEEXPT	{ 12; }
sub TB_PROJECT_MIN()		{ TB_PROJECT_READINFO; }
sub TB_PROJECT_MAX()		{ TB_PROJECT_CREATEEXPT; }

# OSIDs 
sub TB_OSID_READINFO()		{ 1; }
sub TB_OSID_CREATE()		{ 2; }
sub TB_OSID_DESTROY()		{ 3; }
sub TB_OSID_MIN()		{ TB_OSID_READINFO; }
sub TB_OSID_MAX()		{ TB_OSID_DESTROY; }

# ImageIDs
#
# Clarification:
# READINFO is read-only access to the image and its contents
# (This is what people get for shared images)
# ACCESS means complete power over the image and its [meta]data
sub TB_IMAGEID_READINFO()	{ 1; }
sub TB_IMAGEID_MODIFYINFO()	{ 2; }
sub TB_IMAGEID_CREATE()		{ 3; }
sub TB_IMAGEID_DESTROY()	{ 4; }
sub TB_IMAGEID_ACCESS()		{ 5; }
sub TB_IMAGEID_MIN()		{ TB_IMAGEID_READINFO; }
sub TB_IMAGEID_MAX()		{ TB_IMAGEID_ACCESS; }

# Node Log Types
sub TB_NODELOGTYPE_MISC		{ "misc"; }
sub TB_NODELOGTYPES()		{ ( TB_NODELOGTYPE_MISC ) ; }
sub TB_DEFAULT_NODELOGTYPE()	{ TB_NODELOGTYPE_MISC; }

# Reload Types.
sub TB_RELOADTYPE_NETDISK()	{ "netdisk"; }
sub TB_RELOADTYPE_FRISBEE()	{ "frisbee"; }
sub TB_DEFAULT_RELOADTYPE()	{ TB_RELOADTYPE_FRISBEE; }

# Experiment priorities.
sub TB_EXPTPRIORITY_LOW()	{ 0; }
sub TB_EXPTPRIORITY_HIGH()	{ 20; }

# Assign exit status for too few nodes.
sub TB_ASSIGN_TOOFEWNODES()	{ 2; }

# System PID.
sub TB_OPSPID()			{ $TBOPSPID; }

#
# Events we may want to send
#
sub TBDB_TBEVENT_NODESTATE	{ "TBNODESTATE"; }
sub TBDB_TBEVENT_NODEOPMODE	{ "TBNODEOPMODE"; }

#
# TBNODESTATE Events
#
sub TBDB_TBEVENT_ISUP()		{ "ISUP"; }
sub TBDB_TBEVENT_REBOOTED()	{ "REBOOTED"; }
sub TBDB_TBEVENT_REBOOTING()	{ "REBOOTING"; }

#
# TBNODEOPMODE Events
#
sub TBDB_TBEVENT_NORMAL()	{ "NORMAL"; }
sub TBDB_TBEVENT_DELAYING()	{ "DELAYING"; }
sub TBDB_TBEVENT_UNKNOWNOS()	{ "UNKNOWNOS"; }
sub TBDB_TBEVENT_RELOADING()	{ "RELOADING"; }

#
# For nodes, we use this set of events.
#
sub TBDB_NODESTATE_ISUP()	{ TBDB_TBEVENT_ISUP; }
sub TBDB_NODESTATE_REBOOTED()	{ TBDB_TBEVENT_REBOOTED; }
sub TBDB_NODESTATE_REBOOTING()	{ TBDB_TBEVENT_REBOOTING; }
sub TBDB_NODESTATE_UNKNOWN()	{ "UNKNOWN"; };

sub TBDB_NODEOPMODE_NORMAL	{ TBDB_TBEVENT_NORMAL; }
sub TBDB_NODEOPMODE_DELAYING	{ TBDB_TBEVENT_DELAYING; }
sub TBDB_NODEOPMODE_UNKNOWNOS	{ TBDB_TBEVENT_UNKNOWNOS; }
sub TBDB_NODEOPMODE_RELOADING	{ TBDB_TBEVENT_RELOADING; }
sub TBDB_NODEOPMODE_UNKNOWN	{ "UNKNOWN"; }

#
# Node name we use in the widearea_* tables to represent a generic local node.
# All local nodes are considered to have the same network characteristcs.
#
sub TBDB_WIDEAREA_LOCALNODE     { "boss"; }

#
# We should list all of the DB limits.
#
sub DBLIMIT_NSFILESIZE()	{ (1024 * 16); }

#
# Auth stuff.
#

#
# Convert a trust string to the above numeric values.
#
sub TBTrustConvert($)
{
    my($trust_string) = @_;
    my $trust_value = 0;

    #
    # Convert string to value. Perhaps the DB should have done it this way?
    # 
    if ($trust_string eq "none") {
	$trust_value = PROJMEMBERTRUST_NONE;
    }
    elsif ($trust_string eq "user") {
	$trust_value = PROJMEMBERTRUST_USER;
    }
    elsif ($trust_string eq "local_root") {
	$trust_value = PROJMEMBERTRUST_LOCALROOT;
    }
    elsif ($trust_string eq "group_root") {
	$trust_value = PROJMEMBERTRUST_GROUPROOT;
    }
    elsif ($trust_string eq "project_root") {
	$trust_value = PROJMEMBERTRUST_PROJROOT;
    }
    elsif ($trust_string eq "admin") {
	$trust_value = PROJMEMBERTRUST_ADMIN;
    }
    else {
	    die("*** Invalid trust value $trust_string!");
    }

    return $trust_value;
}

#
# Return true if the given trust string is >= to the minimum required.
# The trust value can be either numeric or a string; if a string its
# first converted to the numeric equiv.
#
sub TBMinTrust($$)
{
    my ($trust_value, $minimum) = @_;

    if ($minimum < PROJMEMBERTRUST_NONE ||
	$minimum > PROJMEMBERTRUST_ADMIN) {
	    die("*** Invalid minimum trust $minimum!");
    }

    #
    # Sleazy? How do you do a typeof in perl?
    #
    if (length($trust_value) != 1) {
	$trust_value = TBTrustConvert($trust_value);
    }
    
    return $trust_value >= $minimum;
}

#
# Determine the trust level for a uid/pid/gid. That is, each uid will have
# a different trust level depending on the project/group in question.
# Return that trust level as one of the numeric values above. 
# 
# usage: TBGrpTrust($dbuid, $pid, $gid)
#        returns numeric trust value if a group member.
#        returns PROJMEMBERTRUST_NONE if not a group member.
# 
sub TBGrpTrust($$$)
{
    my ($uid, $pid, $gid) = @_;

    #
    # No group, then use the default group.
    #
    if (! $gid) {
	$gid = $pid;
    }

    my $query_result =
	DBQueryFatal("select trust from group_membership ".
		     "where uid='$uid' and pid='$pid' and gid='$gid'");

    #
    # No membership is the same as no trust. True? Maybe an error instead?
    #
    if ($query_result->numrows == 0) {
	return PROJMEMBERTRUST_NONE;
    }

    my @row = $query_result->fetchrow_array();
    $trust_string = $row[0];

    return TBTrustConvert($trust_string);
}

#
# Determine the project trust level for a uid/pid. This is the trust level
# for the default group in the project.
#
# usage: TBProjTrust($dbuid, $pid)
#        returns numeric trust value if a project member.
#        returns PROJMEMBERTRUST_NONE if not a project member.
# 
sub TBProjTrust($$)
{
    my ($uid, $pid) = @_;
    
    return TBGrpTrust($uid, $pid, $pid);
}

#
# Test admin status. Optional argument is the UID or Name to test. If not
# provided, then test the current UID.
#
# XXX Argument is *either* a numeric UID, or a string name.
#
# usage: TBAdmin([int or char* uid]);
#        returns 1 if an admin type.
#        returns 0 if a mere user.
# 
sub TBAdmin(;$)
{
    my($uid) = @_;
    my($name);

    #
    # No one is considered an admin unless they have the magic environment
    # variable set (so that you have to be a bit more explict about wanting
    # admin privs.) Use the withadminprivs script to get this variable set.
    # Also check with HTTP_ at the front of the name, since this is required
    # to get it through suexec from the web scripts.
    #
    if (!($ENV{WITH_TB_ADMIN_PRIVS} || $ENV{HTTP_WITH_TB_ADMIN_PRIVS})) {
	return 0;
    }

    if (!defined($uid)) {
	$uid = $UID;
    }

    #
    # Test if numeric. Map to name if it is.
    # 
    if ($uid =~ /^[0-9]+$/) {
	($name) = getpwuid($uid)
	    or die "$uid not in passwd file\n";
    }
    else {
	$name = $uid;
    }

    my $query_result =
	DBQueryFatal("select admin from users where uid='$name'");

    my @row = $query_result->fetchrow_array();
    if ($row[0] == 1) {
	return 1;
    }
    return 0;
}

#
# Project permission checks. The group id (gid) can be undef, in which case
# the pid is used (ie: a default group check is made).
#
# Usage: TBProjAccessCheck($uid, $pid, $gid, $access_type)
#	 returns 0 if not allowed.
#        returns 1 if allowed.
# 
sub TBProjAccessCheck($$$$)
{
    my ($uid, $pid, $gid, $access_type) = @_;
    my $mintrust;

    if ($access_type < TB_PROJECT_MIN ||
	$access_type > TB_PROJECT_MAX) {
	die("*** Invalid access type: $access_type!");
    }

    #
    # Admins do whatever they want!
    # 
    if (TBAdmin($uid)) {
	return 1;
    }
    $uid = MapNumericUID($uid);

    #
    # No group, then use the default group.
    #
    if (! defined($gid)) {
	$gid = $pid;
    }

    if ($access_type == TB_PROJECT_READINFO) {
	$mintrust = PROJMEMBERTRUST_USER;
    }
    elsif ($access_type == TB_PROJECT_CREATEEXPT) {
	$mintrust = PROJMEMBERTRUST_LOCALROOT;
    }
    else {
	die("*** Unexpected access type: $access_type!");
    }

    return TBMinTrust(TBGrpTrust($uid, $pid, $gid), $mintrust);
}

#
# Experiment permission checks.
#
# Usage: TBExptAccessCheck($uid, $pid, $eid, $access_type)
#	 returns 0 if not allowed.
#        returns 1 if allowed.
# 
sub TBExptAccessCheck($$$$)
{
    my ($uid, $pid, $eid, $access_type) = @_;
    my $mintrust;

    if ($access_type < TB_EXPT_MIN ||
	$access_type > TB_EXPT_MAX) {
	die("*** Invalid access type: $access_type!");
    }

    #
    # Admins do whatever they want!
    # 
    if (TBAdmin($uid)) {
	return 1;
    }
    $uid = MapNumericUID($uid);

    my $query_result =
	DBQueryFatal("SELECT gid,expt_head_uid FROM experiments WHERE ".
		     "eid='$eid' and pid='$pid'");
    
    if ($query_result->numrows == 0) {
	return 0;
    }
    my @row = $query_result->fetchrow_array();
    my $gid     = $row[0];
    my $creator = $row[1];

    #
    # An experiment may be destroyed by the experiment creator or the
    # project/group leader.
    # 
    if ($access_type == TB_EXPT_DESTROY) {
	if ($uid eq $creator) {
	    return 1;
	}
	$mintrust = PROJMEMBERTRUST_GROUPROOT;
    }
    elsif ($access_type == TB_EXPT_READINFO) {
	$mintrust = PROJMEMBERTRUST_USER;
    }
    else {
	$mintrust = PROJMEMBERTRUST_LOCALROOT;
    }

    return TBMinTrust(TBGrpTrust($uid, $pid, $gid), $mintrust);
}

#
# Determine if uid can access a node or list of nodes.
#
# Usage: TBNodeAccessCheck($uid, $access_type, $node_id, ...)
#	 returns 0 if not allowed.
#        returns 1 if allowed.
# 
sub TBNodeAccessCheck($$@)
{
    my ($uid, $access_type) = (shift, shift);
    my @nodelist = @_;
    my $mintrust;

    if ($access_type < TB_NODEACCESS_MIN ||
	$access_type > TB_NODEACCESS_MAX) {
	die("*** Invalid access type: $access_type!");
    }

    #
    # Admins do whatever they want!
    # 
    if (TBAdmin($uid)) {
	return 1;
    }
    $uid = MapNumericUID($uid);
 
    if ($access_type == TB_NODEACCESS_READINFO) {
	$mintrust = PROJMEMBERTRUST_USER;
    }
    else {
	$mintrust = PROJMEMBERTRUST_LOCALROOT;
    }

    foreach my $node (@nodelist) {
	my $query_result =
	    DBQueryFatal("select trust from reserved as n ".
			 "left join experiments as e on ".
			 "     e.pid=n.pid and e.eid=n.eid ".
			 "left join group_membership as g on ".
			 "     g.pid=e.pid and g.gid=e.gid ".
			 "where g.uid='$uid' and n.node_id='$node'");

	if ($query_result->numrows == 0) {
	    return 0;
	}
	my @row = $query_result->fetchrow_array();

	if (! TBMinTrust($row[0], $mintrust)) {
	    return 0;
	}
    }
    return 1;
}

#
# Access checks for an OSID. Tests for tbadmin.
#
# Usage: TBOSIDAccessCheck($uid, $osid, $access_type)
#	 returns 0 if not allowed.
#        returns 1 if allowed.
# 
sub TBOSIDAccessCheck($$$)
{
    my ($uid, $osid, $access_type) = @_;
    my $mintrust;

    if ($access_type < TB_OSID_MIN || $access_type > TB_OSID_MAX) {
	die("*** Invalid access type $access_type!");
    }

    #
    # Admins do whatever they want!
    # 
    if (TBAdmin($uid)) {
	return 1;
    }
    $uid = MapNumericUID($uid);

    #
    # No GIDs yet.
    #
    my $query_result =
	DBQueryFatal("SELECT pid,shared FROM os_info WHERE osid='$osid'");
    
    if ($query_result->numrows == 0) {
	return 0;
    }
    my @row = $query_result->fetchrow_array();
    my $pid = $row[0];
    my $shared = $row[1];

    #
    # Global OSIDs can be read by anyone.
    # 
    if ($shared) {
	if ($access_type == TB_OSID_READINFO) {
	    return 1;
	}
	return 0;
    }
    
    #
    # Otherwise must have proper trust in the project.
    # 
    if ($access_type == TB_OSID_READINFO) {
	$mintrust = PROJMEMBERTRUST_USER;
    }
    else {
	$mintrust = PROJMEMBERTRUST_LOCALROOT;
    }

    return TBMinTrust(TBProjTrust($uid, $pid), $mintrust);
}

#
# Access checks for an ImageID
#
# Usage: TBImageIDAccessCheck($uid, $imageid, $access_type)
#	 returns 0 if not allowed.
#        returns 1 if allowed.
# 
sub TBImageIDAccessCheck($$$)
{
    my ($uid, $imageid, $access_type) = @_;
    my $mintrust;

    if ($access_type < TB_IMAGEID_MIN || $access_type > TB_IMAGEID_MAX) {
	die("*** Invalid access type $access_type!");
    }

    #
    # Admins and root do whatever they want!
    # 
    if (TBAdmin($uid) || !$UID || $UID eq "root" || $uid eq "root") {
	return 1;
    }
    $uid = MapNumericUID($uid);

    #
    # No GIDs yet.
    #
    my $query_result =
	DBQueryFatal("SELECT pid,shared FROM images WHERE imageid='$imageid'");
    
    if ($query_result->numrows == 0) {
	return 0;
    }
    my @row = $query_result->fetchrow_array();
    my $pid = $row[0];
    my $shared = $row[1];

    #
    # Global ImageIDs can be read by anyone.
    # 
    if ($shared) {
	if ($access_type == TB_IMAGEID_READINFO) {
	    return 1;
	}
	return 0;
    }

    #
    # Otherwise must have proper trust in the project.
    # 
    if ($access_type == TB_IMAGEID_READINFO) {
	$mintrust = PROJMEMBERTRUST_USER;
    }
    else {
	$mintrust = PROJMEMBERTRUST_LOCALROOT;
    }

    return TBMinTrust(TBProjTrust($uid, $pid), $mintrust);
}

#
# Return Project leader. First argument pid.
#
# usage: ProjLeader(char *pid)
#        returns char *leader if a valid pid.
#        returns 0 if an invalid pid.
# 
sub ProjLeader($)
{
    my($pid) = @_;

    my $query_result =
	DBQueryFatal("select head_uid from projects where pid='$pid'");

    if ($query_result->numrows == 0) {
	return 0;
    }

    my @row = $query_result->fetchrow_array();
    return $row[0];
}

#
# Return Group leader. 
#
# usage: GroupLeader(char *pid, char *gid)
#        returns char *leader if a valid pid.
#        returns 0 if an invalid pid.
# 
sub GroupLeader($$)
{
    my($pid, $gid) = @_;

    my $query_result =
	DBQueryFatal("select leader from groups where ".
		     "pid='$pid' and gid='$gid'");

    if ($query_result->numrows == 0) {
	return 0;
    }

    my @row = $query_result->fetchrow_array();
    return $row[0];
}

#
# Return Experiment leader. First argument pid. Second argument is eid.
#
# usage: ExpLeader(char *pid, char *eid)
#        returns char *leader if a valid pid/eid.
#        returns 0 if an invalid pid/eid.
# 
sub ExpLeader($$)
{
    my($pid, $eid) = @_;

    my $query_result =
	DBQueryFatal("select expt_head_uid from experiments ".
		     "where eid='$eid' and pid='$pid'");

    if ($query_result->numrows == 0) {
	return 0;
    }

    my @row = $query_result->fetchrow_array();
    return $row[0];
}

#
# Return Experiment state.
#
# usage: ExpState(char *pid, char *eid)
#        returns state if a valid pid/eid.
#        returns 0 if an invalid pid/eid or if an error.
# 
sub ExpState($$)
{
    my($pid, $eid) = @_;

    my $query_result =
	DBQueryWarn("select state from experiments ".
		    "where eid='$eid' and pid='$pid'");

    if (! $query_result ||
	$query_result->numrows == 0) {
	return 0;
    }

    my @row = $query_result->fetchrow_array();
    return $row[0];
}

#
# Set Experiment state.
#
# usage: SetExpState(char *pid, char *eid, char *state)
#        returns 1 if okay.
#        returns 0 if an invalid pid/eid or if an error.
# 
sub SetExpState($$$)
{
    my($pid, $eid, $state) = @_;

    my $query_result =
	DBQueryWarn("update experiments set state='$state' ".
		    "where eid='$eid' and pid='$pid'");

    if (! $query_result) {
	return 0;
    }
    return 1;
}

#
# Set the swap in/out time for an experiment.
#
# usage: TBSetExpSwapTime(char *pid, char *eid)
#        returns 1 if okay.
#        returns 0 if an invalid pid/eid or if an error.
# 
sub TBSetExpSwapTime($$)
{
    my($pid, $eid) = @_;

    my $query_result =
	DBQueryWarn("update experiments set expt_swapped=now() ".
		    "where eid='$eid' and pid='$pid'");

    if (! $query_result ||
	$query_result->numrows == 0) {
	return 0;
    }
    return 1;
}

#
# Lock Experiment.
#
# usage: TBLockExp(char *pid, char *eid)
#        returns 1 if okay.
#        returns 0 if an invalid pid/eid or if an error.
# 
sub TBLockExp($$)
{
    my($pid, $eid) = @_;

    my $query_result =
	DBQueryWarn("update experiments set expt_locked=now() ".
		    "where eid='$eid' and pid='$pid'");

    if (! $query_result ||
	$query_result->numrows == 0) {
	return 0;
    }
    return 1;
}

#
# Test if Experiment is locked
#
# usage: TBExpLocked(char *pid, char *eid)
#        returns 1 if locked.
#        returns 0 if an invalid pid/eid or if an error.
# 
sub TBExpLocked($$)
{
    my($pid, $eid) = @_;

    my $query_result =
	DBQueryWarn("select expt_locked from experiments ".
		    "where eid='$eid' and pid='$pid'");

    if (! $query_result ||
	$query_result->numrows == 0) {
	return 0;
    }
    my @row = $query_result->fetchrow_array();
    if (! defined($row[0])) {
	return 0;
    }
    return 1;
}

#
# UnLock Experiment.
#
# usage: TBUnLockExp(char *pid, char *eid)
#        returns 1 if okay.
#        returns 0 if an invalid pid/eid or if an error.
#