#!/usr/bin/perl -wT
#
# GENIPUBLIC-COPYRIGHT
# Copyright (c) 2008-2012 University of Utah and the Flux Group.
# All rights reserved.
#
package GeniCMV2;

#
# The server side of the CM interface on remote sites. Also communicates
# with the GMC interface at Geni Central as a client.
#
use strict;
use Exporter;
use vars qw(@ISA @EXPORT);

@ISA    = "Exporter";
@EXPORT = qw ( );

# Must come after package declaration!
use GeniDB;
use GeniResponse;
use GeniTicket;
use GeniCredential;
use GeniCertificate;
use GeniComponent;
use GeniSlice;
use GeniAggregate;
use GeniSliver;
use GeniUtil;
use GeniCM;
use GeniHRN;
use GeniXML;
use emutil;
use English;
use Data::Dumper;
use XML::Simple;
use Date::Parse;
use POSIX qw(strftime tmpnam);
use Time::Local;
use Compress::Zlib;
use File::Temp qw(tempfile);
use MIME::Base64;

# Configure variables
# Site settings.  The @NAME@ tokens are placeholders (presumably filled in
# when this .in template is configured -- confirm against the build).
my $TB             = "@prefix@";
my $TBOPS          = "@TBOPSEMAIL@";
my $TBAPPROVAL     = "@TBAPPROVALEMAIL@";
my $TBAUDIT        = "@TBAUDITEMAIL@";
my $BOSSNODE       = "@BOSSNODE@";
my $OURDOMAIN      = "@OURDOMAIN@";
my $PGENIDOMAIN    = "@PROTOGENI_DOMAIN@";
my $ELABINELAB     = "@ELABINELAB@";

# Helper programs, always named by full path rather than looked up via
# PATH (the script runs under -T, see the shebang line).
my $CREATEEXPT     = "$TB/bin/batchexp";
my $ENDEXPT        = "$TB/bin/endexp";
my $NALLOC         = "$TB/bin/nalloc";
my $NFREE          = "$TB/bin/nfree";
my $TEVC           = "$TB/bin/tevc";
my $AVAIL          = "$TB/sbin/avail";
my $PTOPGEN        = "$TB/libexec/ptopgen";
my $TBSWAP         = "$TB/bin/tbswap";
my $SWAPEXP        = "$TB/bin/swapexp";
my $PLABSLICE      = "$TB/sbin/plabslicewrapper";
my $NAMEDSETUP     = "$TB/sbin/named_setup";
my $VNODESETUP     = "$TB/sbin/vnode_setup";
my $GENTOPOFILE    = "$TB/libexec/gentopofile";
my $TARFILES_SETUP = "$TB/bin/tarfiles_setup";
my $MAPPER         = "$TB/bin/mapper";
my $VTOPGEN        = "$TB/bin/vtopgen";
my $SNMPIT         = "$TB/bin/snmpit";
my $XMLLINT        = "/usr/local/bin/xmllint";
my $PRERENDER      = "$TB/libexec/vis/prerender";

# PEM files.  $EMULAB_PEMFILE is loaded by DeleteSliver to sign the ticket
# it returns.
# NOTE(review): confirm both files are readable only by the account this
# service runs as.
my $EMULAB_PEMFILE = "@prefix@/etc/genicm.pem";
# Just one of these, at Utah.
my $GENICH_PEMFILE = "@prefix@/etc/genich.pem";

# API revision: reported by GetVersion and passed to Start()/Stop().
my $API_VERSION    = 2;

#
# Tell the client what API revision we support.  The correspondence
# between revision numbers and API features is to be specified elsewhere.
# No credentials are required.
#
sub GetVersion()
{
    # The same RSpec version list is advertised for request ("input")
    # and advertisement ("ad") documents.  Each key gets its own copy so
    # the two array references stay distinct.
    my @rspec_versions =
	( "0.1", "0.2", "2", "3", "PG 0.1", "PG 0.2", "PG 2" );

    my %info = (
	"api"          => $API_VERSION,
	"level"        => 1,
	"input_rspec"  => [ @rspec_versions ],
	"output_rspec" => "2",
	"ad_rspec"     => [ @rspec_versions ],
    );

    # Only static version data is returned; no caller input is read.
    return GeniResponse->Create( GENIRESPONSE_SUCCESS, \%info);
}

#
# Respond to a Resolve request. 
#
sub Resolve($)
{
    # Resolve a URN (node, slice, sliver or ticket) into a description blob.
    #
    # Arguments (hash ref): 'credentials' and 'urn', both required.
    # Returns a GeniResponse: the blob on success, otherwise an error,
    # FORBIDDEN or UNSUPPORTED response.
    my ($argref) = @_;
    my $credentials = $argref->{'credentials'};
    my $urn         = $argref->{'urn'};

    unless (defined($credentials) && defined($urn)) {
	return GeniResponse->MalformedArgsResponse("Missing arguments");
    }
    unless (GeniHRN::IsValid($urn)) {
	return GeniResponse->MalformedArgsResponse("Invalid URN");
    }
    my $credential = CheckCredentials($credentials);
    if (GeniResponse::IsResponse($credential)) {
	return $credential;
    }
    my ($object, $type) = LookupURN($urn);
    if (GeniResponse::IsResponse($object)) {
	return $object;
    }

    #
    # Classify the caller.  A local user flagged as admin may resolve
    # anything; this is a testing convenience that is easier than
    # expressing it with credential privileges.  Credentials owned by a
    # "cm" or "sa" authority are recognized separately.
    #
    # NOTE(review): only the type and id fields of the owner URN are
    # examined; the first field returned by GeniHRN::Parse is discarded.
    # This presumably relies on CheckCredentials having validated the
    # issuer -- confirm.
    #
    my $is_admin     = 0;
    my $is_authority = 0;
    my (undef, $callertype, $callerid) =
	GeniHRN::Parse($credential->owner_urn());
    if ($callertype eq "user") {
	my $user = GeniCM::CreateUserFromCertificate($credential);
	$is_admin = 1
	    if (!GeniResponse::IsResponse($user) &&
		$user->IsLocal() && $user->admin());
    }
    elsif ($callertype eq "authority" &&
	   ($callerid eq "cm" || $callerid eq "sa")) {
	$is_authority = 1;
    }

    # Log a diagnostic and build the error shared by every failure in the
    # node branch.
    my $advert_error = sub {
	my ($diagnostic) = @_;

	print STDERR $diagnostic;
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "Error getting advertisement");
    };

    # Add the non-local users' key bindings of a slice to a blob; used by
    # the slice and sliver branches.
    # NOTE(review): assumes NonLocalUsers() stores an array ref in
    # $bindings whenever it returns false -- confirm.
    my $attach_keys = sub {
	my ($for_slice, $blob) = @_;

	my $experiment = $for_slice->GetExperiment();
	if (!defined($experiment)) {
	    print STDERR "*** No Experiment for $for_slice\n";
	    return;
	}
	my $bindings;
	if ($experiment->NonLocalUsers(\$bindings)) {
	    print STDERR "*** No bindings for $experiment\n";
	}
	elsif (@{ $bindings }) {
	    $blob->{'keys'} = $bindings;
	}
	return;
    };

    if ($type eq "node") {
	#
	# No per-object check is made in this branch: any caller whose
	# credentials passed CheckCredentials gets the node description.
	#
	my $node  = $object;
	my $rspec = GeniCM::GetAdvertisement(0, $node->node_id(), "0.1", undef);
	return $advert_error->("Could not get advertisement for $node!\n")
	    if (!defined($rspec));

	my $me = GeniAuthority->Lookup($ENV{'MYURN'});
	return $advert_error->(
	    "Could not find local authority object for $ENV{'MYURN'}\n")
	    if (!defined($me));

	my $myurn = GeniHRN::Generate($OURDOMAIN, "node", $node->node_id());
	my $myhrn = "${PGENIDOMAIN}." . $node->node_id();

	#
	# Find the component object for the node, creating it (and its
	# certificate) on first use.
	#
	my $component = GeniComponent->Lookup($node->uuid());
	if (!defined($component)) {
	    my $certificate = GeniCertificate->Lookup($node->uuid());
	    unless (defined($certificate)) {
		$certificate =
		    GeniCertificate->Create({'urn'  => $myurn,
					     'hrn'  => $myhrn,
					     'email'=> $TBOPS,
					     'uuid' => $node->uuid(),
					     'url'  => $me->url()});
	    }
	    return $advert_error->("Could not generate certificate for $node\n")
		if (!defined($certificate));

	    $component = GeniComponent->Create($certificate, $me);
	    return $advert_error->("Could not create component for $node\n")
		if (!defined($component));
	}

	# NOTE(review): the result of Interface->LookupControl() is used
	# without a defined() check, so a node lacking a control interface
	# would die here -- confirm that cannot happen.
	my $blob = { "hrn"      => $myhrn,
		     "uuid"     => $node->uuid(),
		     "role"     => $node->role(),
		     "hostname" => GeniUtil::FindHostname($node->node_id()),
		     "physctrl" =>
			 Interface->LookupControl($node->phys_nodeid())->IP(),
		     "urn"      => $myurn,
		     "rspec"    => $rspec,
		     "url"      => $me->url(),
		     "gid"      => $component->cert(),
		   };

	return GeniResponse->Create(GENIRESPONSE_SUCCESS, $blob);
    }
    if ($type eq "slice") {
	my $slice = $object;

	#
	# The caller must be an admin, a recognized authority, or present
	# a credential whose target is this very slice.
	#
	unless ($is_authority || $is_admin ||
		$slice->urn() eq $credential->target_urn()) {
	    return GeniResponse->Create(GENIRESPONSE_FORBIDDEN(), undef,
					"No permission to resolve $slice\n");
	}
	my $blob = { "urn" => $urn };

	my $aggregate = GeniAggregate->SliceAggregate($slice);
	if (defined($aggregate)) {
	    $blob->{'sliver_urn'} = $aggregate->urn();

	    my $manifest = $aggregate->GetManifest(1);
	    $blob->{'manifest'} = $manifest
		if (defined($manifest));

	    # For key bindings.
	    $attach_keys->($slice, $blob);
	}
	my $ticket = GeniTicket->SliceTicket($slice);
	$blob->{'ticket_urn'} = $ticket->urn()
	    if (defined($ticket));

	return GeniResponse->Create(GENIRESPONSE_SUCCESS, $blob);
    }
    if ($type eq "sliver") {
	my $sliver = $object;
	my $slice  = $sliver->GetSlice();
	if (!defined($slice)) {
	    return GeniResponse->Create(GENIRESPONSE_ERROR);
	}

	#
	# The caller must be an admin, a recognized authority, or present
	# a credential targeting either the sliver or its slice.
	#
	unless ($is_admin || $is_authority ||
		$sliver->urn() eq $credential->target_urn() ||
		$slice->urn() eq $credential->target_urn()) {
	    # Record the URNs that were compared, for diagnosis.
	    print STDERR $sliver->urn() . "\n";
	    print STDERR $slice->urn() . "\n";
	    print STDERR $credential->target_urn() . "\n";
	    print STDERR $ENV{'MYURN'} . "\n";
	    return GeniResponse->Create(GENIRESPONSE_FORBIDDEN);
	}
	my $manifest = $sliver->GetManifest(1);
	return GeniResponse->Create(GENIRESPONSE_ERROR)
	    if (!defined($manifest));

	my $blob = { "urn"      => $urn,
		     "manifest" => $manifest,
		   };
	# For key bindings.
	$attach_keys->($slice, $blob);

	return GeniResponse->Create(GENIRESPONSE_SUCCESS, $blob);
    }
    if ($type eq "ticket") {
	my $ticket = $object;

	#
	# The caller must be an admin or hold a slice or sliver credential
	# for the ticket's slice.  Unlike the slice and sliver branches,
	# the authority flag is not consulted here.
	#
	my $slice = GeniSlice->Lookup($ticket->slice_urn());
	unless (defined($slice)) {
	    print STDERR "Could not find slice for $ticket\n";
	    return GeniResponse->Create(GENIRESPONSE_ERROR);
	}
	unless ($is_admin || $slice->urn() eq $credential->target_urn()) {
	    # Not the slice credential; see if it is the sliver credential.
	    my $aggregate = GeniAggregate->SliceAggregate($slice);
	    if (!defined($aggregate) ||
		$aggregate->urn() ne $credential->target_urn()) {
		return GeniResponse->Create(GENIRESPONSE_FORBIDDEN());
	    }
	}
	return GeniResponse->Create(GENIRESPONSE_SUCCESS, $ticket->asString());
    }
    return GeniResponse->Create(GENIRESPONSE_UNSUPPORTED, undef,
				"Cannot resolve $type at this authority");
}

#
# Discover resources on this component, returning a resource availability spec
#
sub DiscoverResources($)
{
    # Arguments (hash ref): 'credentials' (required) plus the optional
    # 'available', 'compress' and 'rspec_version'.  Returns whatever
    # GeniCM::DiscoverResourcesAux returns, or an error response.
    my ($argref) = @_;
    my $credentials = $argref->{'credentials'};
    my $available   = $argref->{'available'} || 0;
    my $compress    = $argref->{'compress'} || 0;
    my $version     = $argref->{'rspec_version'} || undef;

    unless (defined($credentials)) {
	return GeniResponse->MalformedArgsResponse("Missing arguments");
    }
    # The credential set as a whole must be acceptable before any work.
    my $credential = CheckCredentials($credentials);
    if (GeniResponse::IsResponse($credential)) {
	return $credential;
    }

    #
    # Check every credential on its own as well.  One that fails the
    # check is dropped silently; only the accepted ones are passed on.
    #
    # NOTE(review): $available, $compress and $version are forwarded
    # without validation here; presumably DiscoverResourcesAux checks
    # them -- confirm.
    #
    my @accepted = ();
    for my $credstr (@$credentials) {
	my $cred = CheckCredential($credstr);
	next
	    if (GeniResponse::IsResponse($cred));
	push(@accepted, $cred);
    }
    return GeniCM::DiscoverResourcesAux($available, $compress,
					$version, \@accepted);
}

#
# Create a Sliver.
#
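sub CreateSliver($)
{
    # Create a sliver for a slice that is not yet instantiated.
    #
    # Arguments (hash ref): 'slice_urn', 'rspec' and 'credentials' are
    # required; 'keys' and 'impotent' are optional.
    #
    # Returns a GeniResponse.  On success the value is
    # [sliver credential, manifest], returned by the parent process while
    # a forked child starts the sliver.  The child itself returns 0 or -1.
    my ($argref) = @_;
    my $slice_urn    = $argref->{'slice_urn'};
    my $rspecstr     = $argref->{'rspec'};
    my $credentials  = $argref->{'credentials'};
    my $keys         = $argref->{'keys'};
    my $impotent     = $argref->{'impotent'} || 0;
    require Node;
    require Experiment;
    require libtestbed;
    require libaudit;

    if (! (defined($credentials) &&
	   defined($slice_urn) && defined($rspecstr))) {
	return GeniResponse->MalformedArgsResponse("Missing arguments");
    }
    # Accept only printable ASCII plus newline, carriage return and tab.
    if (! ($rspecstr =~ /^[\040-\176\012\015\011]+$/)) {
	return GeniResponse->MalformedArgsResponse("Bad characters in rspec");
    }
    if (! GeniHRN::IsValid($slice_urn)) {
	return GeniResponse->MalformedArgsResponse("Bad characters in URN");
    }
    my $credential = CheckCredentials($credentials);
    return $credential
	if (GeniResponse::IsResponse($credential));

    #
    # The slice is taken from the credential; the slice_urn argument is
    # only checked against it.  For CreateSliver(), the slice must not
    # be instantiated.
    #
    my ($slice,$aggregate) = Credential2SliceAggregate($credential);
    if (defined($slice)) {
	return $slice
	    if (GeniResponse::IsResponse($slice));

	if ($slice_urn ne $slice->urn()) {
	    return GeniResponse->Create(GENIRESPONSE_FORBIDDEN(), undef,
					"Credential does not match the URN");
	}
	#
	# Watch for a placeholder slice and update it.
	#
	if ($slice->isplaceholder()) {
	    if ($slice->Lock() != 0) {
		return GeniResponse->BusyResponse();
	    }
	    #
	    # Confirm that the slice certificate is the same.
	    #
	    if ($slice->cert() ne $credential->target_cert()->cert()) {
		$slice->UnLock();
		return GeniResponse->Create(GENIRESPONSE_FORBIDDEN, undef,
					    "Slice certificate mismatch");
	    }
	    my $user =
		GeniCM::CreateUserFromCertificate($credential);
	    if (GeniResponse::IsResponse($user)) {
		$slice->UnLock();
		return $user;
	    }
	    if ($slice->ConvertPlaceholder($user) != 0) {
		$slice->UnLock();
		return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
					    "Could not convert placeholder");
	    }
	    $slice->UnLock();
	}
	if (defined($aggregate)) {
	    return GeniResponse->Create(GENIRESPONSE_REFUSED, undef,
					"Must delete existing slice first");
	}
    }
    my $rspec = GeniCM::GetTicketAux($credential,
				     $rspecstr, 0, $impotent, 1, 0, undef);
    return $rspec
	if (GeniResponse::IsResponse($rspec));

    # Make sure that the next phase sees all changes.
    Experiment->FlushAll();
    Node->FlushAll();

    # NOTE(review): $keys is handed to SliverWorkAux as received;
    # presumably it is validated there -- confirm.
    my $response = GeniCM::SliverWorkAux($credential,
					 $rspec, $keys, 0, $impotent, 1, 0);

    if (GeniResponse::IsError($response)) {
	#
	# We have to make sure there is nothing left over since there
	# is no actual ticket, so the resources will not get cleaned
	# up by the daemon. This is mostly cause I am reaching into
	# the V1 code, and its messy.
	#
	my $leftover = GeniSlice->Lookup($credential->target_urn());

	# The lookup can fail; test it before calling methods on it.
	return $response
	    if (!defined($leftover));

	if ($leftover->Lock() != 0) {
	    print STDERR
		"CreateSliver: Could not lock $leftover before delete\n";
	    return $response;
	}
	GeniCM::CleanupDeadSlice($leftover, 1);
	return $response;
    }
    my ($sliver_credential, $sliver_manifest) = @{ $response->{'value'} };

    #
    # Leave the slice intact on error, so we can go look at it.
    #
    $slice = GeniSlice->Lookup($credential->target_urn());
    if (!defined($slice)) {
	print STDERR "CreateSliver: Could not find slice for $credential\n";
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "Internal Error");
    }
    if ($slice->Lock() != 0) {
	print STDERR "CreateSliver: Could not lock $slice before start\n";
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "Internal Error");
    }
    $aggregate = GeniAggregate->SliceAggregate($slice);
    if (!defined($aggregate)) {
	print STDERR "CreateSliver: Could not find aggregate for $slice\n";
	# The slice was locked just above; release it on this exit too.
	$slice->UnLock();
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "Internal Error");
    }
    #
    # At this point we want to return and let the startsliver proceed
    # in the background
    #
    my $mypid = fork();
    if (!defined($mypid)) {
	#
	# fork() failed.  Without this check the parent would run the
	# child's code below and hand a bare 0/-1 back to the caller
	# instead of a response.
	#
	print STDERR "CreateSliver: Could not fork to start sliver: $!\n";
	$slice->UnLock();
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "Internal Error");
    }
    if ($mypid) {
	# Let the child get going.  The slice stays locked here; the
	# child unlocks it when Start() has finished.
	sleep(1);
	return GeniResponse->Create(GENIRESPONSE_SUCCESS,
				    [$sliver_credential, $sliver_manifest]);
    }
    # This switches the file that we are writing to.
    libaudit::AuditFork();

    # Make sure that the next phase sees all changes.
    Experiment->FlushAll();
    Node->FlushAll();

    if ($aggregate->Start($API_VERSION, 0) != 0) {
	$slice->UnLock();
	print STDERR "Could not start sliver\n";
	return -1;
    }
    $slice->UnLock();
    return 0;
}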

#
# Delete a Sliver.
#
sub DeleteSliver($)
{
    # Delete a sliver and return a new ticket for its resources.
    #
    # Arguments (hash ref): 'sliver_urn' and 'credentials' are required;
    # 'impotent' is optional.  Returns a GeniResponse whose value, on
    # success, is the new ticket as a string.
    my ($argref) = @_;
    my $sliver_urn  = $argref->{'sliver_urn'};
    my $credentials = $argref->{'credentials'};
    my $impotent    = $argref->{'impotent'} || 0;

    unless (defined($credentials) && defined($sliver_urn)) {
	return GeniResponse->MalformedArgsResponse("Missing arguments");
    }
    unless (GeniHRN::IsValid($sliver_urn)) {
	return GeniResponse->MalformedArgsResponse("Bad characters in URN");
    }
    my $credential = CheckCredentials($credentials);
    if (GeniResponse::IsResponse($credential)) {
	return $credential;
    }

    #
    # The caller must present a slice or sliver credential, and the
    # aggregate it resolves to must be the sliver named in the request.
    #
    my ($slice, $aggregate) = Credential2SliceAggregate($credential);
    if (defined($slice) && GeniResponse::IsResponse($slice)) {
	return $slice;
    }
    unless (defined($slice) && defined($aggregate)) {
	return GeniResponse->Create(GENIRESPONSE_SEARCHFAILED, undef,
				    "Sliver does not exist");
    }
    if ($sliver_urn ne $aggregate->urn()) {
	return GeniResponse->Create(GENIRESPONSE_FORBIDDEN(), undef,
				    "Credential does not match the URN");
    }

    # The local authority certificate signs the ticket created below.
    my $authority = GeniCertificate->LoadFromFile($EMULAB_PEMFILE);
    unless (defined($authority)) {
	print STDERR " Could not load $EMULAB_PEMFILE\n";
	return GeniResponse->Create(GENIRESPONSE_ERROR);
    }
    # The new ticket is issued to the user named by the credential.
    my $user = GeniCM::CreateUserFromCertificate($credential);
    if (GeniResponse::IsResponse($user)) {
	return $user;
    }

    my $response = GeniCM::DeleteSliverAux($credential, $impotent, 1);
    if (GeniResponse::IsResponse($response)) {
	return $response;
    }

    # Shared failure exit for everything below: log the reason, build
    # the error response, then clean up the slice.
    my $give_up = sub {
	my ($diagnostic) = @_;

	print STDERR $diagnostic;
	my $error = GeniResponse->Create(GENIRESPONSE_ERROR);
	if (GeniCM::CleanupDeadSlice($slice) != 0) {
	    print STDERR "Could not cleanup slice\n";
	}
	return $error;
    };

    #
    # In the v2 API, return a new ticket for the resources (which were
    # not released).  As with all tickets, it will expire very quickly.
    # The ticket is built from the manifest.
    #
    my $manifest = $aggregate->GetManifest(0);
    unless (defined($manifest)) {
	return $give_up->("No manifest found for $aggregate\n");
    }
    my $ticket = GeniTicket->Create($authority, $user,
				    GeniXML::Serialize($manifest));
    unless (defined($ticket)) {
	return $give_up->("Could not create new ticket for $slice\n");
    }
    $ticket->SetSlice($slice);

    if ($ticket->Sign()) {
	$ticket->Delete();
	return $give_up->("Could not sign new ticket $ticket\n");
    }
    if ($ticket->Store()) {
	$ticket->Delete();
	return $give_up->("Could not store new ticket $ticket\n");
    }

    # NOTE(review): the statement is built by interpolation.  The value
    # comes from $slice->uuid(), not from the request, but quoting or
    # validating it before use would be safer -- confirm what the DB
    # layer offers.
    my $slice_uuid = $slice->uuid();
    DBQueryWarn("delete from geni_manifests " .
		"where slice_uuid='$slice_uuid'");

    # NOTE(review): no Lock() is taken in this sub; presumably the slice
    # was locked inside GeniCM::DeleteSliverAux -- confirm.
    $slice->UnLock();
    return GeniResponse->Create(GENIRESPONSE_SUCCESS, $ticket->asString());
}

#
# Delete a Slice
#
sub DeleteSlice($)
{
    # Arguments (hash ref): 'slice_urn' and 'credentials' are required.
    # 'impotent' is read but not used in this sub.  Returns a GeniResponse.
    my ($argref) = @_;
    my $slice_urn   = $argref->{'slice_urn'};
    my $credentials = $argref->{'credentials'};
    my $impotent    = $argref->{'impotent'} || 0;

    unless (defined($credentials) && defined($slice_urn)) {
	return GeniResponse->MalformedArgsResponse("Missing arguments");
    }
    unless (GeniHRN::IsValid($slice_urn)) {
	return GeniResponse->MalformedArgsResponse("Bad characters in URN");
    }
    my $credential = CheckCredentials($credentials);
    if (GeniResponse::IsResponse($credential)) {
	return $credential;
    }

    #
    # The caller must present a slice credential, and the slice it
    # resolves to must be the one named in the request.
    #
    my ($slice, $aggregate) = Credential2SliceAggregate($credential);
    if (defined($slice) && GeniResponse::IsResponse($slice)) {
	return $slice;
    }
    unless (defined($slice)) {
	return GeniResponse->Create(GENIRESPONSE_SEARCHFAILED, undef,
				    "No such slice here");
    }
    if ($slice_urn ne $slice->urn()) {
	return GeniResponse->Create(GENIRESPONSE_FORBIDDEN(), undef,
				    "Credential does not match the URN");
    }
    if ($slice->Lock() != 0) {
	return GeniResponse->BusyResponse();
    }
    # NOTE(review): neither exit below unlocks the slice; presumably
    # GeniCM::CleanupDeadSlice disposes of the lock -- confirm for its
    # failure case.
    my $cleanup_failed = (GeniCM::CleanupDeadSlice($slice, 1) != 0);
    if ($cleanup_failed) {
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "Could not cleanup slice");
    }
    return GeniResponse->Create(GENIRESPONSE_SUCCESS);
}

#
# Get a Sliver (credential)
#
sub GetSliver($)
{
    # Arguments (hash ref): 'slice_urn' and 'credentials', both required.
    # Returns the result of GeniCM::GetSliverAux, or an error response.
    my ($argref) = @_;
    my $slice_urn   = $argref->{'slice_urn'};
    my $credentials = $argref->{'credentials'};

    unless (defined($credentials) && defined($slice_urn)) {
	return GeniResponse->MalformedArgsResponse("Missing arguments");
    }
    unless (GeniHRN::IsValid($slice_urn)) {
	return GeniResponse->MalformedArgsResponse("Bad characters in URN");
    }
    my $credential = CheckCredentials($credentials);
    if (GeniResponse::IsResponse($credential)) {
	return $credential;
    }

    #
    # The caller must present a slice credential.  Both the slice and its
    # aggregate must exist here, and the slice must be the one named in
    # the request.
    #
    my ($slice, $aggregate) = Credential2SliceAggregate($credential);
    if (defined($slice) && GeniResponse::IsResponse($slice)) {
	return $slice;
    }
    unless (defined($slice) && defined($aggregate)) {
	return GeniResponse->Create(GENIRESPONSE_SEARCHFAILED, undef,
				    "No slice or aggregate here");
    }
    if ($slice_urn ne $slice->urn()) {
	return GeniResponse->Create(GENIRESPONSE_FORBIDDEN(), undef,
				    "Credential does not match the URN");
    }
    return GeniCM::GetSliverAux($credential);
}

#
# Start a sliver (not sure what this means yet, so reboot for now).
#
sub StartSliver($)
{
    # Unpack the request and hand it to SliverAction("start", ...).  All
    # argument and credential checks are made there.
    my ($argref) = @_;

    # 'component_urns' is used when 'sliver_urns' is absent or false.
    my $targets = $argref->{'sliver_urns'} || $argref->{'component_urns'};

    return SliverAction("start",
			$argref->{'slice_urn'},
			$targets,
			$argref->{'credentials'},
			$argref->{'manifest'});
}

sub StopSliver($)
{
    # Unpack the request and hand it to SliverAction("stop", ...).  No
    # manifest is passed for a stop.  All argument and credential checks
    # are made in SliverAction.
    my ($argref) = @_;

    # 'component_urns' is used when 'sliver_urns' is absent or false.
    my $targets = $argref->{'sliver_urns'} || $argref->{'component_urns'};

    return SliverAction("stop",
			$argref->{'slice_urn'},
			$targets,
			$argref->{'credentials'},
			undef);
}

sub RestartSliver($)
{
    # Unpack the request and hand it to SliverAction("restart", ...).
    # All argument and credential checks are made in SliverAction.
    my ($argref) = @_;

    # 'component_urns' is used when 'sliver_urns' is absent or false.
    my $targets = $argref->{'sliver_urns'} || $argref->{'component_urns'};

    return SliverAction("restart",
			$argref->{'slice_urn'},
			$targets,
			$argref->{'credentials'},
			$argref->{'manifest'});
}

sub SliverAction($$$$$)
{
    my ($action, $slice_urn, $sliver_urns, $credentials, $manifest) = @_;
    my $response;
    my $isasync = 0;

    if (! (defined($credentials) &&
	   (defined($slice_urn) || defined($sliver_urns)))) {
	return GeniResponse->MalformedArgsResponse("Missing arguments");
    }
    my $credential = CheckCredentials($credentials);
    return $credential
	if (GeniResponse::IsResponse($credential));

    $credential->HasPrivilege( "pi" ) or
	$credential->HasPrivilege( "info" ) or
	return GeniResponse->Create(GENIRESPONSE_FORBIDDEN, undef,
				    "Insufficient privilege");

    if (defined($manifest)) {
	$manifest = GeniXML::Parse($manifest);
	if (!defined($manifest)) {
	    print STDERR "Error reading manifest\n";
	    return GeniResponse->Create(GENIRESPONSE_BADARGS, undef,
					"Bad manifest");
	}
    }
    
    #
    # For now, only allow top level aggregate or the slice
    #
    my ($slice, $aggregate) = Credential2SliceAggregate($credential);
    return $slice
	if (defined($slice) && GeniResponse::IsResponse($slice));

    if ( (!defined($slice)) && 
          ($credential->target_urn() =~ /\+authority\+cm$/)) {
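          # administrative credentials are presented.
          # NOTE(review): the check below compares two URN strings with the
          # numeric operator `!=`.  Non-numeric strings both evaluate to 0,
          # so the mismatch branch never runs; a string comparison (`ne`)
          # is needed for this check to reject a credential whose target
          # is some other CM.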
          my $cm_urn = GeniHRN::Generate($OURDOMAIN, "authority", "cm");
          if ($cm_urn != $credential->target_urn()) {
            return GeniResponse->Create(GENIRESPONSE_FORBIDDEN(), undef,
                      "Credential target does not match CM URN");
          }

      if (!defined($slice_urn)) {
          return GeniResponse->MalformedArgsResponse("Missing arguments");
      }       
      $slice = GeniSlice->Lookup($slice_urn);
      return GeniResponse->Create(GENIRESPONSE_ERROR, undef, 
                "No Slice with urn $slice_urn here")
          if (!defined($slice));
      $aggregate = GeniAggregate->SliceAggregate($slice);
      return GeniResponse->Create(GENIRESPONSE_ERROR, undef, 
                      "No Aggregate here")
          if (!defined($aggregate));
    } 

    if (! (defined($slice) && defined($aggregate))) {
	return GeniResponse->Create(GENIRESPONSE_BADARGS, undef,
				    "No slice or aggregate here");
    }
    if (defined($slice_urn)) {
	if (! GeniHRN::IsValid($slice_urn)) {
	    return
		GeniResponse->MalformedArgsResponse("Bad characters in URN");
	}
	if ($slice_urn ne $slice->urn()) {
	    return GeniResponse->Create(GENIRESPONSE_FORBIDDEN(), undef,
					"Credential does not match the URN");
	}
    }
    if ($slice->Lock() != 0) {
	return GeniResponse->BusyResponse();
    }
    # Shutdown slices get nothing.
    if ($slice->shutdown()) {
	$slice->UnLock();
	return GeniResponse->Create(GENIRESPONSE_FORBIDDEN, undef,
				    "Slice has been shutdown");
    }
    if ($aggregate->ComputeState()) {
	$slice->UnLock();
	print STDERR "Could not determine current state\n";
	return GeniResponse->Create(GENIRESPONSE_ERROR);
    }
    my $CheckState = sub {
	my ($object, $action) = @_;

	if ($action eq "start") {
	    if ($object->state() ne "stopped" && $object->state() ne "new"
		&& $object->state() ne "mixed") {
		return GeniResponse->Create(GENIRESPONSE_REFUSED, undef,
					    "Sliver is not stopped (yet)");
	    }
	}
	elsif ($action eq "stop") {
	    if ($object->state() ne "started" && $object->state() ne "mixed") {
		return GeniResponse->Create(GENIRESPONSE_REFUSED, undef,
					    "Sliver is not started (yet)");
	    }
	}
	elsif ($action eq "restart") {
	    if ($object->state() ne "started" && $object->state() ne "mixed") {
		return GeniResponse->Create(GENIRESPONSE_REFUSED, undef,
					    "Sliver is not started (yet)");
	    }
	}
	return 0;
    };
    my $PerformAction = sub {
	my ($object, $action) = @_;

	my $exitval = 0;

	if ($action eq "start") {
	    $exitval = $object->Start($API_VERSION, 0);
	}
	elsif ($action eq "stop") {
	    $exitval = $object->Stop($API_VERSION);
	}
	elsif ($action eq "restart") {
	    $exitval = $object->Start($API_VERSION, 1);
	}
	return GeniResponse->Create(GENIRESPONSE_ERROR, 
				    "Could not $action sliver")
	    if ($exitval);
	
	return 0;
    };

    my $user = GeniCM::CreateUserFromCertificate($credential);
    return $user
	if (GeniResponse::IsResponse($user));

    my $realuser = GeniCM::FlipToUser($slice, $user);
    if (! (defined($realuser) && $realuser)) {
	print STDERR "Error flipping to real user\n";
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "FlipToUser Error");
    }

    if (defined($slice_urn)) {
	$response = &$CheckState($aggregate, $action);
	goto bad
	    if (GeniResponse::IsResponse($response));
	    
	if ($action eq "start" || $action eq "restart") {
	    if (defined($manifest) &&
		$aggregate->ProcessManifest($manifest)) {
		$response = GeniResponse->Create(GENIRESPONSE_ERROR,
						 undef,
						 "Error processing manifest");
		goto bad;
	    }
	    #
	    # At this point we want to return and let the startsliver proceed
	    # in the background
	    #
	    my $mypid = fork();
	    if ($mypid) {
		# Let the child get going.
		sleep(1);
		return GeniResponse->Create(GENIRESPONSE_SUCCESS);
	    }
	    $isasync = 1;
	    
	    # This switches the file that we are writing to. 
	    libaudit::AuditFork();
	}
	$response = &$PerformAction($aggregate, $action);
	goto bad
	    if (GeniResponse::IsResponse($response));

	$slice->UnLock();
	return ($isasync ? GENIRESPONSE_SUCCESS :
		GeniResponse->Create(GENIRESPONSE_SUCCESS));
    }
    else {
	my @slivers = ();

	#
	# Sanity check all arguments before doing anything.
	#
	foreach my $urn (@{ $sliver_urns }) {
	    my $sliver = GeniSliver->Lookup($urn);
	    if (!defined($sliver)) {
		$response = GeniResponse->Create(GENIRESPONSE_SEARCHFAILED,
						 undef,
						 "Nothing here by that name");
		goto bad;
	    }
	    
	    $response = &$CheckState($sliver, $action);
	    goto bad
		if (GeniResponse::IsResponse($response));

	    push(@slivers, $sliver);
	}
	foreach my $sliver (@slivers) {
	    if ($action eq "start" && defined($manifest)) {
		if ($sliver->ProcessManifest($manifest)) {
		    $response = GeniResponse->Create(GENIRESPONSE_ERROR,
				     undef,
				     "Error processing manifest for $sliver");
		    goto bad;
		}
	    }
	    $response = &$PerformAction($sliver, $action);
	    goto bad
		if (GeniResponse::IsResponse($response));
	}
	$slice->UnLock();
	return GeniResponse->Create(GENIRESPONSE_SUCCESS);
    }
  bad:
    $slice->UnLock();
    return ($isasync ? $response->{'code'} : $response);
}

#
# Get sliver status
#
sub SliverStatus($)
{
    #
    # Report the state of the aggregate behind a slice credential together
    # with one entry per node, link and tunnel sliver.
    #
    # $argref is a hash reference holding 'slice_urn' and 'credentials'.
    # On success the response carries a hash with the aggregate's state,
    # status and error log, plus a 'details' map keyed by sliver URN.
    # Every other exit returns an error response (malformed arguments,
    # forbidden, search failed, busy, or a generic error).
    #
    my ($argref) = @_;
    my $credentials  = $argref->{'credentials'};
    my $slice_urn    = $argref->{'slice_urn'};

    # Argument checks come first, before any credential is examined.
    if (!defined($credentials) || !defined($slice_urn)) {
	return GeniResponse->MalformedArgsResponse("Missing arguments");
    }
    return GeniResponse->MalformedArgsResponse("Bad characters in URN")
	unless (GeniHRN::IsValid($slice_urn));

    # CheckCredentials hands back either a credential or a ready-made
    # response; the latter is passed straight through to the caller.
    my $credential = CheckCredentials($credentials);
    if (GeniResponse::IsResponse($credential)) {
	return $credential;
    }

    # Authorization: either the "pi" or the "info" privilege is enough.
    if (! ($credential->HasPrivilege( "pi" ) ||
	   $credential->HasPrivilege( "info" ))) {
	return GeniResponse->Create(GENIRESPONSE_FORBIDDEN, undef,
				    "Insufficient privilege");
    }

    #
    # For now, only allow top level aggregate or the slice
    #
    my ($slice, $aggregate) = Credential2SliceAggregate($credential);
    if (defined($slice) && GeniResponse::IsResponse($slice)) {
	return $slice;
    }
    if (!defined($slice) || !defined($aggregate)) {
	return GeniResponse->Create(GENIRESPONSE_SEARCHFAILED, undef,
				    "No slice or aggregate here");
    }

    # The slice is derived from the credential, not from the request, so
    # this comparison ties the caller-supplied URN to what the credential
    # actually covers; a credential for one slice cannot query another.
    if ($slice_urn ne $slice->urn()) {
	return GeniResponse->Create(GENIRESPONSE_FORBIDDEN(), undef,
				    "Credential does not match the URN");
    }

    # From here on the slice lock is held; each exit below releases it.
    return GeniResponse->BusyResponse()
	if ($slice->Lock() != 0);

    if ($aggregate->ComputeState()) {
	print STDERR "SliverStatus: Could not compute state for $aggregate\n";
	$slice->UnLock();
	return GeniResponse->Create(GENIRESPONSE_ERROR);
    }

    #
    # Collect every sliver of the aggregate; the loop below keeps only
    # nodes, links and tunnels.
    #
    my @members = ();
    if ($aggregate->SliverList(\@members) != 0) {
	print STDERR "SliverStatus: Could not get slivers for $aggregate\n";
	$slice->UnLock();
	return GeniResponse->Create(GENIRESPONSE_ERROR);
    }

    # The aggregate error log is included unconditionally, unlike the
    # per-sliver log below which is only sent for a "failed" status.
    # NOTE(review): the log text goes to any holder of "info"; confirm it
    # carries nothing that should stay internal.
    my $report = {
	"state"   => $aggregate->state(),
	"status"  => $aggregate->status(),
	"error"   => $aggregate->ErrorLog(),
	"details" => {},
    };

    foreach my $member (@members) {
	# Aggregates are reported only when they are exactly a Link or a
	# Tunnel; anything else only when its resource type is "Node".
	if ($member->isa("GeniAggregate")) {
	    my $class = ref($member);
	    next
		unless ($class eq "GeniAggregate::Link" ||
			$class eq "GeniAggregate::Tunnel");
	}
	elsif ($member->resource_type() ne "Node") {
	    next;
	}

	my $member_urn    = $member->sliver_urn();
	my $component     = $member->resource_id();
	my $member_state  = $member->state();
	my $member_status = $member->status();

	# New is the same as stopped. Separate state is handy.
	if ($member_state eq "new") {
	    $member_state = "stopped";
	}

	# The error log is only fetched for slivers that report failure.
	my $member_error =
	    ($member_status eq "failed") ? $member->ErrorLog() : "";

	$report->{'details'}->{$member_urn} = {
	    "component_urn" => $component,
	    "state"  => $member_state,
	    "status" => $member_status,
	    "error"  => $member_error,
	};
    }
    $slice->UnLock();
    return GeniResponse->Create(GENIRESPONSE_SUCCESS, $report);
}

#
# Shutdown sliver
#
sub Shutdown($)
{
    my ($argref) = @_;
    my $slice_urn    = $argref->{'slice_urn'};
    my $clear        = $argref->{'clear'} || 0;
    my $credentials  = $argref->{'credentials'};
    require libtestbed;

    if (! (defined($credentials) && defined($slice_urn))) {
	return GeniResponse->MalformedArgsResponse("Missing arguments");
    }
    my $credential = CheckCredentials($credentials);
    return $credential
	if (GeniResponse::IsResponse($credential));
