GeniCM.pm.in 24.7 KB
Newer Older
Leigh B. Stoller's avatar
Leigh B. Stoller committed
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
#!/usr/bin/perl -wT
#
# EMULAB-COPYRIGHT
# Copyright (c) 2008 University of Utah and the Flux Group.
# All rights reserved.
#
package GeniCM;

#
# The server side of the CM interface on remote sites. Also communicates
# with the GMC interface at Geni Central as a client.
#
use strict;
use Exporter;
use vars qw(@ISA @EXPORT);

@ISA    = "Exporter";
@EXPORT = qw ( );

# Must come after package declaration!
use lib '@prefix@/lib';
use GeniDB;
use Genixmlrpc;
Leigh B. Stoller's avatar
Leigh B. Stoller committed
24 25
use GeniResponse;
use GeniTicket;
Leigh B. Stoller's avatar
Leigh B. Stoller committed
26
use GeniCredential;
27
use GeniCertificate;
Leigh B. Stoller's avatar
Leigh B. Stoller committed
28
use GeniSlice;
Leigh B. Stoller's avatar
Leigh B. Stoller committed
29
use GeniAggregate;
Leigh B. Stoller's avatar
Leigh B. Stoller committed
30
use GeniSliver;
Leigh B. Stoller's avatar
Leigh B. Stoller committed
31
use GeniUser;
Leigh B. Stoller's avatar
Leigh B. Stoller committed
32
use libtestbed;
Leigh B. Stoller's avatar
Leigh B. Stoller committed
33 34 35
# Hate to import all this crap; need a utility library.
use libdb qw(TBGetUniqueIndex TBcheck_dbslot TBDB_CHECKDBSLOT_ERROR);
use User;
Leigh B. Stoller's avatar
Leigh B. Stoller committed
36
use Node;
37
use Interface;
Leigh B. Stoller's avatar
Leigh B. Stoller committed
38 39
use English;
use Data::Dumper;
Leigh B. Stoller's avatar
Leigh B. Stoller committed
40
use XML::Simple;
Leigh B. Stoller's avatar
Leigh B. Stoller committed
41
use Experiment;
Leigh B. Stoller's avatar
Leigh B. Stoller committed
42 43 44 45 46 47 48 49

# Configure variables
my $TB		   = "@prefix@";
my $TBOPS          = "@TBOPSEMAIL@";
my $TBAPPROVAL     = "@TBAPPROVALEMAIL@";
my $TBAUDIT   	   = "@TBAUDITEMAIL@";
my $BOSSNODE       = "@BOSSNODE@";
my $OURDOMAIN      = "@OURDOMAIN@";
Leigh B. Stoller's avatar
Leigh B. Stoller committed
50 51
my $CREATEEXPT     = "$TB/bin/batchexp";
my $NALLOC	   = "$TB/bin/nalloc";
Leigh B. Stoller's avatar
Leigh B. Stoller committed
52
my $AVAIL	   = "$TB/sbin/avail";
Leigh B. Stoller's avatar
Leigh B. Stoller committed
53 54
my $TBSWAP	   = "$TB/bin/tbswap";
my $SWAPEXP	   = "$TB/bin/swapexp";
Leigh B. Stoller's avatar
Leigh B. Stoller committed
55 56 57 58 59 60 61

#
# Discover resources on this component, returning a resource availablity spec
#
sub DiscoverResources($)
{
    my ($argref) = @_;
Leigh B. Stoller's avatar
Leigh B. Stoller committed
62
    my $slice      = $argref->{'slice'};
Leigh B. Stoller's avatar
Leigh B. Stoller committed
63 64
    my $credential = $argref->{'credential'};
    my $user_uuid  = $ENV{'GENIUSER'};
Leigh B. Stoller's avatar
Leigh B. Stoller committed
65
    my $slice_uuid;
Leigh B. Stoller's avatar
Leigh B. Stoller committed
66

Leigh B. Stoller's avatar
Leigh B. Stoller committed
67
    if (! defined($slice)) {
Leigh B. Stoller's avatar
Leigh B. Stoller committed
68 69 70 71 72 73 74 75
	return GeniResponse->MalformedArgsResponse();
    }

    $credential = GeniCredential->CreateFromSigned($credential);
    if (!defined($credential)) {
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "Could not create GeniCredential object");
    }
76
    GeniCertificate->CertificateInfo($slice, \$slice_uuid) == 0 or
Leigh B. Stoller's avatar
Leigh B. Stoller committed
77 78 79
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "Could not get uuid from Certificate");
	
Leigh B. Stoller's avatar
Leigh B. Stoller committed
80 81 82 83 84 85 86 87 88 89 90
    # The credential owner/slice has to match what was provided.
    if (! ($user_uuid eq $credential->owner_uuid() &&
	   $slice_uuid eq $credential->this_uuid())) {
	return GeniResponse->Create(GENIRESPONSE_FORBIDDEN, undef,
				    "Invalid credentials for operation");
    }

    #
    # Eventually we will take an optional rspec, but for now just return
    # a list of free nodes using avail. 
    #
91 92
    my @nodelist = ();
    if (! open(AVAIL, "$AVAIL type=pc  aslist |")) {
Leigh B. Stoller's avatar
Leigh B. Stoller committed
93 94 95 96 97 98 99 100 101 102 103 104
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "Could not start avail");
    }
    while (<AVAIL>) {
	my $nodeid = $_;
	chomp($nodeid);
	my $node = Node->Lookup($nodeid);
	push(@nodelist, $node)
	    if (defined($node));
    }
    close(AVAIL);

Leigh B. Stoller's avatar
Leigh B. Stoller committed
105
    my $xml = "<rspec xmlns=\"http://protogeni.net/resources/rspec/0.1\">\n";
Leigh B. Stoller's avatar
Leigh B. Stoller committed
106 107 108 109 110 111
    foreach my $node (@nodelist) {
	my $uuid = $node->uuid();
	my $nodeid = $node->node_id();
	
	$xml .= "<node uuid=\"$uuid\" name=\"$nodeid\">".
	    "<available>true</available></node>\n";
112 113 114 115 116 117 118 119 120 121 122 123

	my @interfaces = Interface->LookupAll($node);
	foreach my $interface (@interfaces) {
	    my $iface_uuid = $interface->uuid();
	    my $iface      = $interface->iface();

	    next 
		if (! $interface->IsExperimental());
	    
	    $xml .= "<interface uuid=\"$iface_uuid\" node_name=\"$nodeid\">".
		"<iface>$iface</iface></interface>\n";
	}
Leigh B. Stoller's avatar
Leigh B. Stoller committed
124 125 126 127 128
    }
    $xml .= "</rspec>";

    return GeniResponse->Create(GENIRESPONSE_SUCCESS, $xml);
}
Leigh B. Stoller's avatar
Leigh B. Stoller committed
129

Leigh B. Stoller's avatar
Leigh B. Stoller committed
130
#
Leigh B. Stoller's avatar
Leigh B. Stoller committed
131
# Respond to a GetTicket request. 
Leigh B. Stoller's avatar
Leigh B. Stoller committed
132 133 134 135
#
sub GetTicket($)
{
    my ($argref) = @_;
Leigh B. Stoller's avatar
Leigh B. Stoller committed
136
    my $slice_cert = $argref->{'slice'};
Leigh B. Stoller's avatar
Leigh B. Stoller committed
137
    my $rspec      = $argref->{'rspec'};
Leigh B. Stoller's avatar
Leigh B. Stoller committed
138
    my $impotent   = $argref->{'impotent'};
Leigh B. Stoller's avatar
Leigh B. Stoller committed
139
    my $credential = $argref->{'credential'};
140
    my $vtopo      = $argref->{'virtual_topology'};
Leigh B. Stoller's avatar
Leigh B. Stoller committed
141
    my $owner_uuid = $ENV{'GENIUSER'};
Leigh B. Stoller's avatar
Leigh B. Stoller committed
142
    my $slice_uuid;
Leigh B. Stoller's avatar
Leigh B. Stoller committed
143

Leigh B. Stoller's avatar
Leigh B. Stoller committed
144
    if (! defined($slice_cert)) {
Leigh B. Stoller's avatar
Leigh B. Stoller committed
145
	GeniResponse->Create(GENIRESPONSE_BADARGS, undef,
Leigh B. Stoller's avatar
Leigh B. Stoller committed
146
			     "Improper slice");
Leigh B. Stoller's avatar
Leigh B. Stoller committed
147
    }
Leigh B. Stoller's avatar
Leigh B. Stoller committed
148 149 150
    if (! (defined($rspec) && ($rspec =~ /^[-\w]+$/))) {
	GeniResponse->Create(GENIRESPONSE_BADARGS, undef,
			     "Improper rspec");	
Leigh B. Stoller's avatar
Leigh B. Stoller committed
151
    }
152 153
    $rspec = XMLin($rspec, ForceArray => ["node", "link"]);
    #print Dumper($rspec);
Leigh B. Stoller's avatar
Leigh B. Stoller committed
154

Leigh B. Stoller's avatar
Leigh B. Stoller committed
155 156 157
    $impotent = 0
	if (!defined($impotent));

Leigh B. Stoller's avatar
Leigh B. Stoller committed
158
    $credential = GeniCredential->CreateFromSigned($credential);
Leigh B. Stoller's avatar
Leigh B. Stoller committed
159 160 161 162
    if (!defined($credential)) {
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "Could not create GeniCredential object");
    }
163
    GeniCertificate->CertificateInfo($slice_cert, \$slice_uuid) == 0 or
Leigh B. Stoller's avatar
Leigh B. Stoller committed
164 165 166 167
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "Could not get uuid from Certificate");
	
	
Leigh B. Stoller's avatar
Leigh B. Stoller committed
168 169 170 171 172 173
    # The credential owner/slice has to match what was provided.
    if (! ($owner_uuid eq $credential->owner_uuid() &&
	   $slice_uuid eq $credential->this_uuid())) {
	return GeniResponse->Create(GENIRESPONSE_FORBIDDEN, undef,
				    "Invalid credentials for operation");
    }
Leigh B. Stoller's avatar
Leigh B. Stoller committed
174

Leigh B. Stoller's avatar
Leigh B. Stoller committed
175 176 177 178 179 180 181
    #
    # See if we have a record of this slice in the DB. If not, then we have
    # to go to the ClearingHouse to find its record, so that we can find out
    # who the SA for it is.
    #
    my $slice = GeniSlice->Lookup($slice_uuid);
    if (!defined($slice)) {
Leigh B. Stoller's avatar
Leigh B. Stoller committed
182 183 184 185 186 187
	$slice = GeniSlice->CreateFromRegistry($slice_uuid);
	if (!defined($slice)) {
	    print STDERR "No slice $slice_uuid in the ClearingHouse\n";
	    return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
			    "Could not get slice info from ClearingHouse");
	}
Leigh B. Stoller's avatar
Leigh B. Stoller committed
188 189
    }

Leigh B. Stoller's avatar
Leigh B. Stoller committed
190
    #
Leigh B. Stoller's avatar
Leigh B. Stoller committed
191 192 193 194 195 196 197 198 199 200 201 202
    # Ditto the user.
    #
    my $user = GeniUser->Lookup($owner_uuid);
    if (!defined($user)) {
	$user = GeniUser->CreateFromRegistry($owner_uuid);
	if (!defined($user)) {
	    print STDERR "No user $owner_uuid in the ClearingHouse\n";
	    return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
			    "Could not get user info from ClearingHouse");
	}
    }

Leigh B. Stoller's avatar
Leigh B. Stoller committed
203
    #
Leigh B. Stoller's avatar
Leigh B. Stoller committed
204 205 206 207
    # If the underlying experiment does not exist, need to create
    # a holding experiment. All these are going to go into the same
    # project for now. Generally, users for non-local slices do not
    # have local accounts or directories.
Leigh B. Stoller's avatar
Leigh B. Stoller committed
208
    #
Leigh B. Stoller's avatar
Leigh B. Stoller committed
209 210 211 212 213 214 215 216 217
    my $experiment = Experiment->Lookup($slice_uuid);
    if (!defined($experiment)) {
	#
	# Form an eid for the experiment. 
	#
	my $eid = "slice" . TBGetUniqueIndex('next_sliceid', 1);

	# Note the -h option; allows experiment with no NS file.
	system("$CREATEEXPT -q -i -w -E 'Geni Slice Experiment' ".
Leigh B. Stoller's avatar
Leigh B. Stoller committed
218
	       "-h '$slice_uuid' -p GeniSlices -e $eid");
Leigh B. Stoller's avatar
Leigh B. Stoller committed
219 220 221 222 223 224 225
	if ($?) {
	    return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
					"Internal Error");
	}
	$experiment = Experiment->Lookup($slice_uuid);
    }

Leigh B. Stoller's avatar
Leigh B. Stoller committed
226
    #
Leigh B. Stoller's avatar
Leigh B. Stoller committed
227 228 229
    # An rspec is a structure that requests specific nodes. If those
    # nodes are available, then reserve it. Otherwise the ticket
    # cannot be granted. 
Leigh B. Stoller's avatar
Leigh B. Stoller committed
230
    #
Leigh B. Stoller's avatar
Leigh B. Stoller committed
231
    my @nodeids = ();
Leigh B. Stoller's avatar
Leigh B. Stoller committed
232 233 234
    my $pid     = $experiment->pid();
    my $eid     = $experiment->eid();

235 236 237
    foreach my $resource_uuid (keys(%{$rspec->{'node'}})) {
	my $node = Node->Lookup($resource_uuid);
	if (!defined($node)) {
Leigh B. Stoller's avatar
Leigh B. Stoller committed
238
	    return GeniResponse->Create(GENIRESPONSE_BADARGS, undef,
239
					"Bad resource_uuid $resource_uuid");
Leigh B. Stoller's avatar
Leigh B. Stoller committed
240
	}
241
	push(@nodeids, $node->node_id());
Leigh B. Stoller's avatar
Leigh B. Stoller committed
242
    }
Leigh B. Stoller's avatar
Leigh B. Stoller committed
243 244

    #
Leigh B. Stoller's avatar
Leigh B. Stoller committed
245
    # Create the ticket first, before allocating the node.
Leigh B. Stoller's avatar
Leigh B. Stoller committed
246
    #
Leigh B. Stoller's avatar
Leigh B. Stoller committed
247
    my $ticket = GeniTicket->Create($slice, $user, $rspec);
Leigh B. Stoller's avatar
Leigh B. Stoller committed
248 249 250 251
    if (!defined($ticket)) {
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "Could not create GeniTicket object");
    }
Leigh B. Stoller's avatar
Leigh B. Stoller committed
252
    # Nalloc might fail if the node gets picked up by someone else.
Leigh B. Stoller's avatar
Leigh B. Stoller committed
253
    if (!$impotent) {
Leigh B. Stoller's avatar
Leigh B. Stoller committed
254
	system("$NALLOC $pid $eid @nodeids");
Leigh B. Stoller's avatar
Leigh B. Stoller committed
255 256 257 258 259 260 261 262 263 264
	if (($? >> 8) < 0) {
	    $ticket->Delete();
	    return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
					"Allocation failure");
	}
	elsif (($? >> 8) > 0) {
	    $ticket->Delete();
	    return GeniResponse->Create(GENIRESPONSE_UNAVAILABLE, undef,
					"Could not allocate node\n");
	}
Leigh B. Stoller's avatar
Leigh B. Stoller committed
265
    }
266 267 268 269 270 271 272
    if (defined($vtopo) && $experiment->InsertVirtTopo($vtopo) != 0) {
	# Release will free the nodes.
	$ticket->Release();
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "Could not insert virt topology");
    }
    
Leigh B. Stoller's avatar
Leigh B. Stoller committed
273
    if ($ticket->Sign() != 0) {
Leigh B. Stoller's avatar
Leigh B. Stoller committed
274
	# Release will free the nodes.
Leigh B. Stoller's avatar
Leigh B. Stoller committed
275
	$ticket->Release();
Leigh B. Stoller's avatar
Leigh B. Stoller committed
276 277 278
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "Could not sign Ticket");
    }
Leigh B. Stoller's avatar
Leigh B. Stoller committed
279 280 281 282 283 284 285 286 287 288
    return GeniResponse->Create(GENIRESPONSE_SUCCESS,
				$ticket->asString());
}

#
# Create a sliver.
#
sub CreateSliver($)
{
    my ($argref) = @_;
Leigh B. Stoller's avatar
Leigh B. Stoller committed
289 290
    my $owner_uuid = $ENV{'GENIUSER'};
    my $ticket     = $argref->{'ticket'};
291
    my $impotent   = $argref->{'impotent'};
Leigh B. Stoller's avatar
Leigh B. Stoller committed
292
    my $message    = "Error creating sliver/aggregate";
293 294 295

    $impotent = 0
	if (!defined($impotent));
Leigh B. Stoller's avatar
Leigh B. Stoller committed
296 297 298 299 300 301 302 303 304 305 306 307

    if (! (defined($ticket) &&
	   !TBcheck_dbslot($ticket, "default", "text",
			   TBDB_CHECKDBSLOT_ERROR))) {
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "ticket: ". TBFieldErrorString());
    }
    $ticket = GeniTicket->CreateFromSignedTicket($ticket);
    if (!defined($ticket)) {
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "Could not create GeniTicket object");
    }
Leigh B. Stoller's avatar
Leigh B. Stoller committed
308 309 310 311 312
    # The credential owner has to match what is in the ticket.
    if ($owner_uuid ne $ticket->owner_uuid()) {
	return GeniResponse->Create(GENIRESPONSE_FORBIDDEN, undef,
				    "Invalid credentials for operation");
    }
Leigh B. Stoller's avatar
Leigh B. Stoller committed
313

Leigh B. Stoller's avatar
Leigh B. Stoller committed
314 315 316 317 318
    my $experiment = Experiment->Lookup($ticket->slice_uuid());
    if (!defined($experiment)) {
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "No local experiment for slice");
    }
Leigh B. Stoller's avatar
Leigh B. Stoller committed
319 320
    my $pid = $experiment->pid();
    my $eid = $experiment->eid();
Leigh B. Stoller's avatar
Leigh B. Stoller committed
321

322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340
    #
    # See if we have a record of this slice in the DB. If not, throw an
    # error; might change later.
    #
    my $slice = GeniSlice->Lookup($ticket->slice_uuid());
    if (!defined($slice)) {
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "No slice record for slice");
    }

    #
    # Ditto the user.
    #
    my $owner = GeniUser->Lookup($owner_uuid);
    if (!defined($owner)) {
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "No user record for $owner_uuid");
    }

Leigh B. Stoller's avatar
Leigh B. Stoller committed
341 342 343 344 345 346
    #
    # Create an emulab nonlocal user for tmcd.
    #
    $owner->BindToSlice($slice) == 0
	or return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				       "Error binding user to slice");
347

Leigh B. Stoller's avatar
Leigh B. Stoller committed
348
    #
Leigh B. Stoller's avatar
Leigh B. Stoller committed
349
    # We are actually an Aggregate, so return an aggregate of slivers,
350
    # unless there is just one node.
Leigh B. Stoller's avatar
Leigh B. Stoller committed
351
    #
352 353 354 355 356
    my $aggregate;
    if (scalar(keys(%{$ticket->rspec()->{'node'}})) > 1) {
	$aggregate = GeniAggregate->Create($ticket);
	if (!defined($aggregate)) {
	    return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
Leigh B. Stoller's avatar
Leigh B. Stoller committed
357
				    "Could not create GeniAggregate object");
358
	}
Leigh B. Stoller's avatar
Leigh B. Stoller committed
359
    }
360
    #print Dumper($ticket);
Leigh B. Stoller's avatar
Leigh B. Stoller committed
361 362

    #
Leigh B. Stoller's avatar
Leigh B. Stoller committed
363 364
    # Now for each resource (okay, node) in the ticket create a sliver and
    # add it to the aggregate.
Leigh B. Stoller's avatar
Leigh B. Stoller committed
365
    #
366
    my %slivers = ();
Leigh B. Stoller's avatar
Leigh B. Stoller committed
367
    foreach my $resource_uuid (keys(%{$ticket->rspec()->{'node'}})) {
368 369 370
	my $node = Node->Lookup($resource_uuid);
	if (!defined($node)) {
	    $message = "Unknown resource_uuid in ticket: $resource_uuid";
Leigh B. Stoller's avatar
Leigh B. Stoller committed
371 372
	    goto bad;
	}
373
	my $sliver = GeniSliver::Node->Create($slice, $owner, $resource_uuid);
Leigh B. Stoller's avatar
Leigh B. Stoller committed
374 375 376 377
	if (!defined($sliver)) {
	    $message = "Could not create GeniSliver object for $resource_uuid";
	    goto bad;
	}
378
	$slivers{$resource_uuid} = $sliver;
Leigh B. Stoller's avatar
Leigh B. Stoller committed
379
    }
Leigh B. Stoller's avatar
Leigh B. Stoller committed
380

381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438
    #
    # Now do the links. For each link, we have to add a sliver for the
    # interfaces, and then combine those two interfaces into an aggregate,
    # and then that aggregate goes into the aggregate for toplevel sliver.
    #
    foreach my $linkname (keys(%{$ticket->rspec()->{'link'}})) {
	my @linkslivers  = ();
	if (! ($linkname =~ /^[-\w]*$/)) {
	    $message = "Bad name for link: $linkname";
	    goto bad;
	}

	my $linkaggregate = GeniAggregate::Link->Create($ticket);
	if (!defined($linkaggregate)) {
	    $message = "Could not create link aggregate for $linkname";
	    goto bad;
	}
	$slivers{$linkaggregate->uuid()} = $linkaggregate;

	my $linkendpoints =
	    $ticket->rspec()->{'link'}->{$linkname}->{'LinkEndPoints'};
	
	my $src_interface_spec = $linkendpoints->{'source_interface'};
	my $dst_interface_spec = $linkendpoints->{'destination_interface'};

	my @interfaces = ($src_interface_spec, $dst_interface_spec);
	foreach my $iface (@interfaces) {
	    my $node_uuid = $iface->{'node_uuid'};
	    my $iface     = $iface->{'iface_name'};
	    my $nodesliver= $slivers{$node_uuid};
	    if (!defined($nodesliver)) {
		$message = "Link $linkname specifies a non-existent node";
		goto bad;
	    }
	    my $nodeobject= Node->Lookup($node_uuid);
	    if (!defined($nodeobject)) {
		$message = "Could not find node object for $node_uuid";
		goto bad;
	    }
	    my $interface = Interface->LookupByIface($nodeobject, $iface);
	    if (!defined($interface)) {
		$message = "No such interface $iface on node $nodeobject";
		goto bad;
	    }
	    my $sliver = GeniSliver::Interface->Create($slice, $owner,
						       $interface->uuid());
	    if (!defined($sliver)) {
		$message = "Could not create GeniSliver ".
		    "$interface in $linkname";
		goto bad;
	    }
	    if ($sliver->SetAggregate($linkaggregate) != 0) {
		$message = "Could not add link sliver $sliver to $aggregate";
		goto bad;
	    }
	}
    }

Leigh B. Stoller's avatar
Leigh B. Stoller committed
439 440 441 442
    #
    # Now do the provisioning (note that we actually allocated the node
    # above when the ticket was granted). The add the sliver to the aggregate.
    #
443
    foreach my $sliver (values(%slivers)) {
Leigh B. Stoller's avatar
Leigh B. Stoller committed
444 445 446
	if (!$impotent && $sliver->Provision() != 0) {
	    $message = "Could not provision $sliver";
	    goto bad;
447

Leigh B. Stoller's avatar
Leigh B. Stoller committed
448
	}
449 450
	if (defined($aggregate) &&
	    $sliver->SetAggregate($aggregate) != 0) {
Leigh B. Stoller's avatar
Leigh B. Stoller committed
451 452 453 454 455
	    $message = "Could not aggregate for $sliver to $aggregate";
	    goto bad;
	}
    }

Leigh B. Stoller's avatar
Leigh B. Stoller committed
456
    #
457
    # This stuff needs to be moved elsewhere.
Leigh B. Stoller's avatar
Leigh B. Stoller committed
458 459 460 461 462
    #
    # XXX What if we have multiple slivers for this slice? We are going
    # to need some locking or management at the slice level so that we run
    # tbswap only once, or at least no more then one at a time.
    #
463
    if (0 && !$impotent) {
464
	system("$SWAPEXP -s modify -g $pid $eid");
Leigh B. Stoller's avatar
Leigh B. Stoller committed
465 466 467 468 469 470
	if ($?) {
	    $message = "Failed to tbswap $pid,$eid";
	    goto bad;
	}
    }

Leigh B. Stoller's avatar
Leigh B. Stoller committed
471
    #
Leigh B. Stoller's avatar
Leigh B. Stoller committed
472
    # The API states we return a credential to control the sliver/aggregate.
Leigh B. Stoller's avatar
Leigh B. Stoller committed
473
    #
474 475 476 477 478 479 480
    my $credential;
    if (defined($aggregate)) {
	$credential = $aggregate->NewCredential($owner);
    }
    else {
	$credential = ((values(%slivers))[0])->NewCredential($owner);
    }
Leigh B. Stoller's avatar
Leigh B. Stoller committed
481
    if (!defined($credential)) {
482
	$message = "Could not create credential";
Leigh B. Stoller's avatar
Leigh B. Stoller committed
483
	goto bad;
Leigh B. Stoller's avatar
Leigh B. Stoller committed
484 485
    }
    return GeniResponse->Create(GENIRESPONSE_SUCCESS, $credential->asString());
Leigh B. Stoller's avatar
Leigh B. Stoller committed
486 487

  bad:
488
    foreach my $sliver (values(%slivers)) {
Leigh B. Stoller's avatar
Leigh B. Stoller committed
489 490 491 492 493 494 495 496
	$sliver->UnProvision()
	    if (! $impotent);
	$sliver->Delete();
    }
    $aggregate->Delete()
	if (defined($aggregate));
    
    return GeniResponse->Create(GENIRESPONSE_ERROR, undef, $message);
Leigh B. Stoller's avatar
Leigh B. Stoller committed
497 498 499
}

#
Leigh B. Stoller's avatar
Leigh B. Stoller committed
500
# Start a sliver (not sure what this means yet, so reboot for now).
Leigh B. Stoller's avatar
Leigh B. Stoller committed
501
#
Leigh B. Stoller's avatar
Leigh B. Stoller committed
502
sub StartSliver($)
Leigh B. Stoller's avatar
Leigh B. Stoller committed
503 504
{
    my ($argref) = @_;
Leigh B. Stoller's avatar
Leigh B. Stoller committed
505
    my $owner_uuid  = $ENV{'GENIUSER'};
506
    my $sliver_cert = $argref->{'sliver'};
Leigh B. Stoller's avatar
Leigh B. Stoller committed
507
    my $credential  = $argref->{'credential'};
508
    my $sliver_uuid;
Leigh B. Stoller's avatar
Leigh B. Stoller committed
509 510 511 512
    my $impotent   = $argref->{'impotent'};

    $impotent = 0
	if (!defined($impotent));
Leigh B. Stoller's avatar
Leigh B. Stoller committed
513

514
    if (!defined($sliver_cert) || !defined($credential)) {
Leigh B. Stoller's avatar
Leigh B. Stoller committed
515 516
	return GeniResponse->Create(GENIRESPONSE_BADARGS);
    }
517 518 519 520
    GeniCertificate->CertificateInfo($sliver_cert, \$sliver_uuid) == 0 or
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "Could not get uuid from Certificate");
    
Leigh B. Stoller's avatar
Leigh B. Stoller committed
521 522 523 524 525
    $credential = GeniCredential->CreateFromSigned($credential);
    if (!defined($credential)) {
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "Could not create GeniCredential object");
    }
Leigh B. Stoller's avatar
Leigh B. Stoller committed
526 527
    my $sliver = GeniSliver->Lookup($sliver_uuid);
    if (!defined($sliver)) {
Leigh B. Stoller's avatar
Leigh B. Stoller committed
528 529 530 531 532 533
	# Might be an aggregate instead.
	$sliver = GeniAggregate->Lookup($sliver_uuid);
	if (!defined($sliver)) {
	    return GeniResponse->Create(GENIRESPONSE_BADARGS, undef,
				    "No such sliver/aggregate $sliver_uuid");
	}
Leigh B. Stoller's avatar
Leigh B. Stoller committed
534
    }
Leigh B. Stoller's avatar
Leigh B. Stoller committed
535 536 537 538 539 540 541 542
    
    # The credential owner has to match what is in the ticket.
    if (! ($owner_uuid eq $credential->owner_uuid() &&
	   $sliver_uuid eq $credential->this_uuid())) {
	return GeniResponse->Create(GENIRESPONSE_FORBIDDEN, undef,
				    "Invalid credentials for operation");
    }
    if (!$impotent) {
543
	$sliver->Start() == 0 or
Leigh B. Stoller's avatar
Leigh B. Stoller committed
544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571
	    return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				"Could not start sliver/aggregate");
    }
    return GeniResponse->Create(GENIRESPONSE_SUCCESS);
}

#
# Destroy a sliver/aggregate.
#
sub DestroySliver($)
{
    my ($argref) = @_;
    my $owner_uuid  = $ENV{'GENIUSER'};
    my $sliver_cert = $argref->{'sliver'};
    my $credential  = $argref->{'credential'};
    my $sliver_uuid;
    my $impotent   = $argref->{'impotent'};

    $impotent = 0
	if (!defined($impotent));

    if (!defined($sliver_cert) || !defined($credential)) {
	return GeniResponse->Create(GENIRESPONSE_BADARGS);
    }
    GeniCertificate->CertificateInfo($sliver_cert, \$sliver_uuid) == 0 or
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "Could not get uuid from Certificate");
    
Leigh B. Stoller's avatar
Leigh B. Stoller committed
572 573
    $credential = GeniCredential->CreateFromSigned($credential);
    if (!defined($credential)) {
Leigh B. Stoller's avatar
Leigh B. Stoller committed
574
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
Leigh B. Stoller's avatar
Leigh B. Stoller committed
575
				    "Could not create GeniCredential object");
Leigh B. Stoller's avatar
Leigh B. Stoller committed
576
    }
Leigh B. Stoller's avatar
Leigh B. Stoller committed
577 578 579 580 581 582 583 584 585 586
    my $sliver = GeniSliver->Lookup($sliver_uuid);
    if (!defined($sliver)) {
	# Might be an aggregate instead.
	$sliver = GeniAggregate->Lookup($sliver_uuid);
	if (!defined($sliver)) {
	    return GeniResponse->Create(GENIRESPONSE_BADARGS, undef,
				    "No such sliver/aggregate $sliver_uuid");
	}
    }
    
Leigh B. Stoller's avatar
Leigh B. Stoller committed
587 588 589 590 591
    # The credential owner has to match what is in the ticket.
    if (! ($owner_uuid eq $credential->owner_uuid() &&
	   $sliver_uuid eq $credential->this_uuid())) {
	return GeniResponse->Create(GENIRESPONSE_FORBIDDEN, undef,
				    "Invalid credentials for operation");
Leigh B. Stoller's avatar
Leigh B. Stoller committed
592
    }
Leigh B. Stoller's avatar
Leigh B. Stoller committed
593 594 595 596 597
    if (!$impotent) {
	$sliver->UnProvision() == 0 or
	    return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				"Could not unprovision sliver/aggregate");
    }
Leigh B. Stoller's avatar
Leigh B. Stoller committed
598 599
    $sliver->Delete() == 0 or
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
Leigh B. Stoller's avatar
Leigh B. Stoller committed
600
				    "Could not delete sliver/aggregate");
Leigh B. Stoller's avatar
Leigh B. Stoller committed
601 602
    
    return GeniResponse->Create(GENIRESPONSE_SUCCESS);
Leigh B. Stoller's avatar
Leigh B. Stoller committed
603
}
Leigh B. Stoller's avatar
Leigh B. Stoller committed
604 605 606 607 608 609 610 611 612 613 614 615 616 617 618 619 620 621 622 623 624 625 626 627 628 629 630 631 632 633 634 635 636 637 638 639 640 641 642 643 644 645 646 647 648 649 650 651 652 653 654 655 656 657 658 659 660 661 662 663 664 665 666 667 668 669 670 671 672 673 674 675 676 677 678 679 680 681 682 683 684 685 686 687 688 689 690 691 692 693 694 695 696 697 698 699 700 701 702 703 704 705 706 707 708 709 710 711 712 713 714 715 716 717 718 719 720 721 722 723 724 725 726 727 728 729 730 731 732 733 734 735 736 737 738 739 740 741 742 743 744 745 746 747 748 749 750 751 752 753 754 755 756 757 758 759 760 761 762 763 764 765 766 767 768 769 770 771 772 773 774 775 776 777 778 779 780 781 782 783 784 785 786 787 788 789 790 791 792 793 794 795 796 797 798 799 800 801 802 803 804 805 806 807 808 809 810 811 812 813 814

#
# Bind a user to a slice.
#
sub BindUser($)
{
    my ($argref) = @_;
    my $sliver     = $argref->{'sliver'};
    my $hrn        = $argref->{'userinfo'}->{'hrn'};
    my $uuid       = $argref->{'userinfo'}->{'uuid'};
    my $name       = $argref->{'userinfo'}->{'name'};
    my $email      = $argref->{'userinfo'}->{'email'};
    my $cert       = $argref->{'userinfo'}->{'cert'};
    my $sshkey     = $argref->{'userinfo'}->{'sshkey'};
    my $sliver_uuid;

    if (! (defined($hrn) && defined($name) && defined($sliver) &&
	   defined($email) && defined($cert) && defined($uuid))) {
	return GeniResponse->MalformedArgsResponse();
    }

    GeniCertificate->CertificateInfo($sliver, \$sliver_uuid) == 0 or
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "Could not get uuid from Certificate");
    
    #
    # See if we have a record of this sliver in the DB. If not, then we have
    # to go to the ClearingHouse to find its record, so that we can find out
    # who the SA for it is.
    #
    $sliver = GeniSliver->Lookup($sliver_uuid);
    if (!defined($sliver)) {
	# Might be an aggregate instead.
	$sliver = GeniAggregate->Lookup($sliver_uuid);
	if (!defined($sliver)) {
	    return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
					"No such sliver $sliver_uuid");
	}
    }
    my $slice = $sliver->GetSlice();

    #
    # Use the Emulab checkslot routines.
    #
    if (! ($hrn =~ /^[-\w\.]*$/)) {
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "hrn: Invalid characters");
    }
    if (! ($uuid =~ /^[-\w]*$/)) {
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "uuid: Invalid characters");
    }
    if (! TBcheck_dbslot($name, "users", "usr_name", TBDB_CHECKDBSLOT_ERROR)) {
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "name: ". TBFieldErrorString());
    }
    if (! TBcheck_dbslot($email, "users", "usr_email",TBDB_CHECKDBSLOT_ERROR)){
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "email: ". TBFieldErrorString());
    }
    if (! ($cert =~ /^[\012\015\040-\176]*$/)) {
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "cert: Invalid characters");
    }
    if (defined($sshkey) && ! ($sshkey =~ /^[\012\015\040-\176]*$/)) {
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "sshkey: Invalid characters");
    }

    #
    # The SA UUID comes from the SSL environment (certificate). Verify it
    # and the prefix match for the uuid.
    #
    my $sa_uuid = $ENV{'GENIUUID'};
    my $authority = GeniAuthority->Lookup($sa_uuid);
    if (!defined($authority)) {
	return GeniResponse->Create(GENIRESPONSE_SEARCHFAILED, undef,
				    "No slice authority record for $sa_uuid");
    }
    if (! $authority->PrefixMatch($uuid)) {
	return GeniResponse->Create(GENIRESPONSE_FORBIDDEN, undef,
				    "uuid: Prefix mismatch");
    }

    #
    # Verify that this is the SA for the slice. 
    #
    if (! $slice->IsSliceAuthority($authority)) {
	return GeniResponse->Create(GENIRESPONSE_FORBIDDEN, undef,
				    "Must be the SA for the slice");
    }

    # Might already exist. Not an error, Just check binding and return.
    my $user = GeniUser->Lookup($uuid);
    if (defined($user)) {
	$user->BindToSlice($slice) == 0
	    or return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
					   "Error binding user to slice");

	return GeniResponse->Create(GENIRESPONSE_SUCCESS, undef,
			    "$hrn/$email has been bound to slice");
    }

    #
    # XXX
    #
    # What kind of uniquess requirements do we need? No one else with this
    # email address? Of course, we have to allow hrn reuse, but should we
    # require that for a given SA, that hrn is unique, at least to avoid
    # lots of confusion?
    #
    if (GeniUser->CheckExisting($hrn, $email)) {
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "$hrn/$email already registered");
    }

    # The local uid we will use is the last part of the hrn.
    my ($uid) = ($hrn =~ /^.*\.(\w*)$/);
    if (!defined($uid)) {
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "uid: cannot parse hrn to get uid");
    }
    elsif (! TBcheck_dbslot($uid, "users", "uid", TBDB_CHECKDBSLOT_ERROR)) {
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "uid: ". TBFieldErrorString());
    }
    my $newuser = GeniUser->Create($hrn, $uid, $uuid,
				   $name, $email, $cert,
				   $authority->idx(), $sshkey);
    if (!defined($newuser)) {
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "$hrn/$email could not be registered");
    }
    $newuser->BindToSlice($slice) == 0
	or return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				       "Error binding user to sliver");
    
    return GeniResponse->Create(GENIRESPONSE_SUCCESS, undef,
				"$hrn/$email has been bound to $sliver_uuid");
}

#
# Unbind user from sliver.
#
sub UnBindUser($)
{
    my ($argref) = @_;
    my $sliver      = $argref->{'sliver'};
    my $user       = $argref->{'user'};
    my $sliver_uuid;
    my $user_uuid;

    if (! (defined($sliver) && defined($user))) {
	return GeniResponse->MalformedArgsResponse();
    }

    GeniCertificate->CertificateInfo($sliver, \$sliver_uuid) == 0 or
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "Could not get uuid from Certificate");
    
    GeniCertificate->CertificateInfo($user, \$user_uuid) == 0 or
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "Could not get uuid from Certificate");
    
    #
    # See if we have a record of this sliver in the DB. If not, then we have
    # to go to the ClearingHouse to find its record, so that we can find out
    # who the SA for it is.
    #
    $sliver = GeniSliver->Lookup($sliver_uuid);
    if (!defined($sliver)) {
	# Might be an aggregate instead.
	$sliver = GeniAggregate->Lookup($sliver_uuid);
	if (!defined($sliver)) {
	    return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
					"No such sliver $sliver_uuid");
	}
    }
    # Does not exist? Not an error.
    $user = GeniUser->Lookup($user_uuid);
    if (! defined($user)) {
	return GeniResponse->Create(GENIRESPONSE_SUCCESS, undef,
				    "$user_uuid is not bound to $sliver_uuid");
    }
    my $slice = $sliver->GetSlice();

    #
    # The SA UUID comes from the SSL environment (certificate). 
    #
    my $sa_uuid = $ENV{'GENIUUID'};
    my $authority = GeniAuthority->Lookup($sa_uuid);
    if (!defined($authority)) {
	return GeniResponse->Create(GENIRESPONSE_SEARCHFAILED, undef,
				    "No slice authority record for $sa_uuid");
    }
    #
    # Verify that this is the SA for the slice. 
    #
    if (! $slice->IsSliceAuthority($authority)) {
	return GeniResponse->Create(GENIRESPONSE_FORBIDDEN, undef,
				    "Must be the SA for the slice");
    }

    $user->UnBindFromSlice($slice) == 0
	or return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				       "Error unbinding user from sliver");
    
    return GeniResponse->Create(GENIRESPONSE_SUCCESS, undef,
				"$user_uuid has been unbound from sliver");
}