GeniCM.pm.in 21.9 KB
Newer Older
Leigh B. Stoller's avatar
Leigh B. Stoller committed
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
#!/usr/bin/perl -wT
#
# EMULAB-COPYRIGHT
# Copyright (c) 2008 University of Utah and the Flux Group.
# All rights reserved.
#
package GeniCM;

#
# The server side of the CM interface on remote sites. Also communicates
# with the GMC interface at Geni Central as a client.
#
use strict;
use Exporter;
use vars qw(@ISA @EXPORT);

@ISA    = "Exporter";
@EXPORT = qw ( );

# Must come after package declaration!
use lib '@prefix@/lib';
use GeniDB;
use Genixmlrpc;
Leigh B. Stoller's avatar
Leigh B. Stoller committed
24 25
use GeniResponse;
use GeniTicket;
Leigh B. Stoller's avatar
Leigh B. Stoller committed
26
use GeniCredential;
27
use GeniCertificate;
Leigh B. Stoller's avatar
Leigh B. Stoller committed
28
use GeniSlice;
Leigh B. Stoller's avatar
Leigh B. Stoller committed
29
use GeniAggregate;
Leigh B. Stoller's avatar
Leigh B. Stoller committed
30
use GeniSliver;
Leigh B. Stoller's avatar
Leigh B. Stoller committed
31
use GeniUser;
Leigh B. Stoller's avatar
Leigh B. Stoller committed
32
use libtestbed;
Leigh B. Stoller's avatar
Leigh B. Stoller committed
33 34 35
# Hate to import all this crap; need a utility library.
use libdb qw(TBGetUniqueIndex TBcheck_dbslot TBDB_CHECKDBSLOT_ERROR);
use User;
Leigh B. Stoller's avatar
Leigh B. Stoller committed
36
use Node;
Leigh B. Stoller's avatar
Leigh B. Stoller committed
37 38
use English;
use Data::Dumper;
Leigh B. Stoller's avatar
Leigh B. Stoller committed
39
use XML::Simple;
Leigh B. Stoller's avatar
Leigh B. Stoller committed
40
use Experiment;
Leigh B. Stoller's avatar
Leigh B. Stoller committed
41 42 43 44 45 46 47 48

# Configure variables
my $TB		   = "@prefix@";
my $TBOPS          = "@TBOPSEMAIL@";
my $TBAPPROVAL     = "@TBAPPROVALEMAIL@";
my $TBAUDIT   	   = "@TBAUDITEMAIL@";
my $BOSSNODE       = "@BOSSNODE@";
my $OURDOMAIN      = "@OURDOMAIN@";
Leigh B. Stoller's avatar
Leigh B. Stoller committed
49 50
my $CREATEEXPT     = "$TB/bin/batchexp";
my $NALLOC	   = "$TB/bin/nalloc";
Leigh B. Stoller's avatar
Leigh B. Stoller committed
51
my $AVAIL	   = "$TB/sbin/avail";
Leigh B. Stoller's avatar
Leigh B. Stoller committed
52 53
my $TBSWAP	   = "$TB/bin/tbswap";
my $SWAPEXP	   = "$TB/bin/swapexp";
Leigh B. Stoller's avatar
Leigh B. Stoller committed
54 55 56 57 58 59 60

#
# Discover resources on this component, returning a resource availablity spec
#
sub DiscoverResources($)
{
    my ($argref) = @_;
Leigh B. Stoller's avatar
Leigh B. Stoller committed
61
    my $slice      = $argref->{'slice'};
Leigh B. Stoller's avatar
Leigh B. Stoller committed
62 63
    my $credential = $argref->{'credential'};
    my $user_uuid  = $ENV{'GENIUSER'};
Leigh B. Stoller's avatar
Leigh B. Stoller committed
64
    my $slice_uuid;
Leigh B. Stoller's avatar
Leigh B. Stoller committed
65

Leigh B. Stoller's avatar
Leigh B. Stoller committed
66
    if (! defined($slice)) {
Leigh B. Stoller's avatar
Leigh B. Stoller committed
67 68 69 70 71 72 73 74
	return GeniResponse->MalformedArgsResponse();
    }

    $credential = GeniCredential->CreateFromSigned($credential);
    if (!defined($credential)) {
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "Could not create GeniCredential object");
    }
75
    GeniCertificate->CertificateInfo($slice, \$slice_uuid) == 0 or
Leigh B. Stoller's avatar
Leigh B. Stoller committed
76 77 78
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "Could not get uuid from Certificate");
	
Leigh B. Stoller's avatar
Leigh B. Stoller committed
79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103
    # The credential owner/slice has to match what was provided.
    if (! ($user_uuid eq $credential->owner_uuid() &&
	   $slice_uuid eq $credential->this_uuid())) {
	return GeniResponse->Create(GENIRESPONSE_FORBIDDEN, undef,
				    "Invalid credentials for operation");
    }

    #
    # Eventually we will take an optional rspec, but for now just return
    # a list of free nodes using avail. 
    #
    if (! open(AVAIL, "$AVAIL type=pc aslist |")) {
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "Could not start avail");
    }
    my @nodelist = ();
    while (<AVAIL>) {
	my $nodeid = $_;
	chomp($nodeid);
	my $node = Node->Lookup($nodeid);
	push(@nodelist, $node)
	    if (defined($node));
    }
    close(AVAIL);

Leigh B. Stoller's avatar
Leigh B. Stoller committed
104
    my $xml = "<rspec xmlns=\"http://protogeni.net/resources/rspec/0.1\">\n";
Leigh B. Stoller's avatar
Leigh B. Stoller committed
105 106 107 108 109 110 111 112 113 114 115
    foreach my $node (@nodelist) {
	my $uuid = $node->uuid();
	my $nodeid = $node->node_id();
	
	$xml .= "<node uuid=\"$uuid\" name=\"$nodeid\">".
	    "<available>true</available></node>\n";
    }
    $xml .= "</rspec>";

    return GeniResponse->Create(GENIRESPONSE_SUCCESS, $xml);
}
Leigh B. Stoller's avatar
Leigh B. Stoller committed
116

Leigh B. Stoller's avatar
Leigh B. Stoller committed
117
#
Leigh B. Stoller's avatar
Leigh B. Stoller committed
118
# Respond to a GetTicket request. 
Leigh B. Stoller's avatar
Leigh B. Stoller committed
119 120 121 122
#
sub GetTicket($)
{
    my ($argref) = @_;
Leigh B. Stoller's avatar
Leigh B. Stoller committed
123
    my $slice_cert = $argref->{'slice'};
Leigh B. Stoller's avatar
Leigh B. Stoller committed
124
    my $rspec      = $argref->{'rspec'};
Leigh B. Stoller's avatar
Leigh B. Stoller committed
125
    my $impotent   = $argref->{'impotent'};
Leigh B. Stoller's avatar
Leigh B. Stoller committed
126
    my $credential = $argref->{'credential'};
Leigh B. Stoller's avatar
Leigh B. Stoller committed
127
    my $owner_uuid = $ENV{'GENIUSER'};
Leigh B. Stoller's avatar
Leigh B. Stoller committed
128
    my $slice_uuid;
Leigh B. Stoller's avatar
Leigh B. Stoller committed
129

Leigh B. Stoller's avatar
Leigh B. Stoller committed
130
    if (! defined($slice_cert)) {
Leigh B. Stoller's avatar
Leigh B. Stoller committed
131
	GeniResponse->Create(GENIRESPONSE_BADARGS, undef,
Leigh B. Stoller's avatar
Leigh B. Stoller committed
132
			     "Improper slice");
Leigh B. Stoller's avatar
Leigh B. Stoller committed
133
    }
Leigh B. Stoller's avatar
Leigh B. Stoller committed
134 135 136
    if (! (defined($rspec) && ($rspec =~ /^[-\w]+$/))) {
	GeniResponse->Create(GENIRESPONSE_BADARGS, undef,
			     "Improper rspec");	
Leigh B. Stoller's avatar
Leigh B. Stoller committed
137
    }
Leigh B. Stoller's avatar
Leigh B. Stoller committed
138 139 140
    # Convert the rspec back to a structure.
    $rspec = XMLin($rspec, ForceArray => ["node"]);

Leigh B. Stoller's avatar
Leigh B. Stoller committed
141 142 143
    $impotent = 0
	if (!defined($impotent));

Leigh B. Stoller's avatar
Leigh B. Stoller committed
144
    $credential = GeniCredential->CreateFromSigned($credential);
Leigh B. Stoller's avatar
Leigh B. Stoller committed
145 146 147 148
    if (!defined($credential)) {
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "Could not create GeniCredential object");
    }
149
    GeniCertificate->CertificateInfo($slice_cert, \$slice_uuid) == 0 or
Leigh B. Stoller's avatar
Leigh B. Stoller committed
150 151 152 153
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "Could not get uuid from Certificate");
	
	
Leigh B. Stoller's avatar
Leigh B. Stoller committed
154 155 156 157 158 159
    # The credential owner/slice has to match what was provided.
    if (! ($owner_uuid eq $credential->owner_uuid() &&
	   $slice_uuid eq $credential->this_uuid())) {
	return GeniResponse->Create(GENIRESPONSE_FORBIDDEN, undef,
				    "Invalid credentials for operation");
    }
Leigh B. Stoller's avatar
Leigh B. Stoller committed
160

Leigh B. Stoller's avatar
Leigh B. Stoller committed
161 162 163 164 165 166 167
    #
    # See if we have a record of this slice in the DB. If not, then we have
    # to go to the ClearingHouse to find its record, so that we can find out
    # who the SA for it is.
    #
    my $slice = GeniSlice->Lookup($slice_uuid);
    if (!defined($slice)) {
Leigh B. Stoller's avatar
Leigh B. Stoller committed
168 169 170 171 172 173
	$slice = GeniSlice->CreateFromRegistry($slice_uuid);
	if (!defined($slice)) {
	    print STDERR "No slice $slice_uuid in the ClearingHouse\n";
	    return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
			    "Could not get slice info from ClearingHouse");
	}
Leigh B. Stoller's avatar
Leigh B. Stoller committed
174 175
    }

Leigh B. Stoller's avatar
Leigh B. Stoller committed
176
    #
Leigh B. Stoller's avatar
Leigh B. Stoller committed
177 178 179 180 181 182 183 184 185 186 187 188
    # Ditto the user.
    #
    my $user = GeniUser->Lookup($owner_uuid);
    if (!defined($user)) {
	$user = GeniUser->CreateFromRegistry($owner_uuid);
	if (!defined($user)) {
	    print STDERR "No user $owner_uuid in the ClearingHouse\n";
	    return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
			    "Could not get user info from ClearingHouse");
	}
    }

Leigh B. Stoller's avatar
Leigh B. Stoller committed
189
    #
Leigh B. Stoller's avatar
Leigh B. Stoller committed
190 191 192 193
    # If the underlying experiment does not exist, need to create
    # a holding experiment. All these are going to go into the same
    # project for now. Generally, users for non-local slices do not
    # have local accounts or directories.
Leigh B. Stoller's avatar
Leigh B. Stoller committed
194
    #
Leigh B. Stoller's avatar
Leigh B. Stoller committed
195 196 197 198 199 200 201 202 203
    my $experiment = Experiment->Lookup($slice_uuid);
    if (!defined($experiment)) {
	#
	# Form an eid for the experiment. 
	#
	my $eid = "slice" . TBGetUniqueIndex('next_sliceid', 1);

	# Note the -h option; allows experiment with no NS file.
	system("$CREATEEXPT -q -i -w -E 'Geni Slice Experiment' ".
Leigh B. Stoller's avatar
Leigh B. Stoller committed
204
	       "-h '$slice_uuid' -p GeniSlices -e $eid");
Leigh B. Stoller's avatar
Leigh B. Stoller committed
205 206 207 208 209 210 211
	if ($?) {
	    return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
					"Internal Error");
	}
	$experiment = Experiment->Lookup($slice_uuid);
    }

Leigh B. Stoller's avatar
Leigh B. Stoller committed
212
    #
Leigh B. Stoller's avatar
Leigh B. Stoller committed
213 214 215
    # An rspec is a structure that requests specific nodes. If those
    # nodes are available, then reserve it. Otherwise the ticket
    # cannot be granted. 
Leigh B. Stoller's avatar
Leigh B. Stoller committed
216
    #
Leigh B. Stoller's avatar
Leigh B. Stoller committed
217
    my @nodeids = ();
Leigh B. Stoller's avatar
Leigh B. Stoller committed
218 219 220
    my $pid     = $experiment->pid();
    my $eid     = $experiment->eid();

Leigh B. Stoller's avatar
Leigh B. Stoller committed
221 222 223 224 225 226 227 228 229
    foreach my $node_id (keys(%{$rspec->{'node'}})) {
	if ($node_id =~ /^(\w*)$/) {
	    $node_id = $1;
	}
	else {
	    return GeniResponse->Create(GENIRESPONSE_BADARGS, undef,
					"Improper node id: $node_id");
	}
	push(@nodeids, $node_id);
Leigh B. Stoller's avatar
Leigh B. Stoller committed
230
    }
Leigh B. Stoller's avatar
Leigh B. Stoller committed
231 232

    #
Leigh B. Stoller's avatar
Leigh B. Stoller committed
233
    # Create the ticket first, before allocating the node.
Leigh B. Stoller's avatar
Leigh B. Stoller committed
234
    #
Leigh B. Stoller's avatar
Leigh B. Stoller committed
235
    my $ticket = GeniTicket->Create($slice, $user, $rspec);
Leigh B. Stoller's avatar
Leigh B. Stoller committed
236 237 238 239
    if (!defined($ticket)) {
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "Could not create GeniTicket object");
    }
Leigh B. Stoller's avatar
Leigh B. Stoller committed
240
    # Nalloc might fail if the node gets picked up by someone else.
Leigh B. Stoller's avatar
Leigh B. Stoller committed
241
    if (!$impotent) {
Leigh B. Stoller's avatar
Leigh B. Stoller committed
242
	system("$NALLOC $pid $eid @nodeids");
Leigh B. Stoller's avatar
Leigh B. Stoller committed
243 244 245 246 247 248 249 250 251 252
	if (($? >> 8) < 0) {
	    $ticket->Delete();
	    return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
					"Allocation failure");
	}
	elsif (($? >> 8) > 0) {
	    $ticket->Delete();
	    return GeniResponse->Create(GENIRESPONSE_UNAVAILABLE, undef,
					"Could not allocate node\n");
	}
Leigh B. Stoller's avatar
Leigh B. Stoller committed
253
    }
Leigh B. Stoller's avatar
Leigh B. Stoller committed
254
    if ($ticket->Sign() != 0) {
Leigh B. Stoller's avatar
Leigh B. Stoller committed
255
	# Release will free the nodes.
Leigh B. Stoller's avatar
Leigh B. Stoller committed
256
	$ticket->Release();
Leigh B. Stoller's avatar
Leigh B. Stoller committed
257 258 259
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "Could not sign Ticket");
    }
Leigh B. Stoller's avatar
Leigh B. Stoller committed
260 261 262 263 264 265 266 267 268 269
    return GeniResponse->Create(GENIRESPONSE_SUCCESS,
				$ticket->asString());
}

#
# Create a sliver.
#
sub CreateSliver($)
{
    my ($argref) = @_;
Leigh B. Stoller's avatar
Leigh B. Stoller committed
270 271
    my $owner_uuid = $ENV{'GENIUSER'};
    my $ticket     = $argref->{'ticket'};
272
    my $impotent   = $argref->{'impotent'};
Leigh B. Stoller's avatar
Leigh B. Stoller committed
273
    my $message    = "Error creating sliver/aggregate";
274 275 276

    $impotent = 0
	if (!defined($impotent));
Leigh B. Stoller's avatar
Leigh B. Stoller committed
277 278 279 280 281 282 283 284 285 286 287 288

    if (! (defined($ticket) &&
	   !TBcheck_dbslot($ticket, "default", "text",
			   TBDB_CHECKDBSLOT_ERROR))) {
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "ticket: ". TBFieldErrorString());
    }
    $ticket = GeniTicket->CreateFromSignedTicket($ticket);
    if (!defined($ticket)) {
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "Could not create GeniTicket object");
    }
Leigh B. Stoller's avatar
Leigh B. Stoller committed
289 290 291 292 293
    # The credential owner has to match what is in the ticket.
    if ($owner_uuid ne $ticket->owner_uuid()) {
	return GeniResponse->Create(GENIRESPONSE_FORBIDDEN, undef,
				    "Invalid credentials for operation");
    }
Leigh B. Stoller's avatar
Leigh B. Stoller committed
294

Leigh B. Stoller's avatar
Leigh B. Stoller committed
295 296 297 298 299
    my $experiment = Experiment->Lookup($ticket->slice_uuid());
    if (!defined($experiment)) {
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "No local experiment for slice");
    }
Leigh B. Stoller's avatar
Leigh B. Stoller committed
300 301
    my $pid = $experiment->pid();
    my $eid = $experiment->eid();
Leigh B. Stoller's avatar
Leigh B. Stoller committed
302

303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321
    #
    # See if we have a record of this slice in the DB. If not, throw an
    # error; might change later.
    #
    my $slice = GeniSlice->Lookup($ticket->slice_uuid());
    if (!defined($slice)) {
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "No slice record for slice");
    }

    #
    # Ditto the user.
    #
    my $owner = GeniUser->Lookup($owner_uuid);
    if (!defined($owner)) {
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "No user record for $owner_uuid");
    }

Leigh B. Stoller's avatar
Leigh B. Stoller committed
322 323 324 325 326 327 328 329
    #
    # Create an emulab nonlocal user for tmcd.
    #
    $owner->BindToSlice($slice) == 0
	or return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				       "Error binding user to slice");
	
    #
Leigh B. Stoller's avatar
Leigh B. Stoller committed
330
    # We are actually an Aggregate, so return an aggregate of slivers,
Leigh B. Stoller's avatar
Leigh B. Stoller committed
331 332 333 334
    # even if there is just one node (simpler).
    #
    my $aggregate = GeniAggregate->Create($ticket);
    if (!defined($aggregate)) {
Leigh B. Stoller's avatar
Leigh B. Stoller committed
335
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
Leigh B. Stoller's avatar
Leigh B. Stoller committed
336
				    "Could not create GeniAggregate object");
Leigh B. Stoller's avatar
Leigh B. Stoller committed
337
    }
Leigh B. Stoller's avatar
Leigh B. Stoller committed
338 339

    #
Leigh B. Stoller's avatar
Leigh B. Stoller committed
340 341
    # Now for each resource (okay, node) in the ticket create a sliver and
    # add it to the aggregate.
Leigh B. Stoller's avatar
Leigh B. Stoller committed
342
    #
Leigh B. Stoller's avatar
Leigh B. Stoller committed
343 344 345 346 347 348 349 350 351 352 353 354
    my @slivers = ();
    foreach my $resource_uuid (keys(%{$ticket->rspec()->{'node'}})) {
	if (! ($resource_uuid =~ /^[-\w]*$/)) {
	    $message = "Improper resource_uuid in ticket: $resource_uuid";
	    goto bad;
	}
	my $sliver = GeniSliver->Create($slice, $owner, $resource_uuid);
	if (!defined($sliver)) {
	    $message = "Could not create GeniSliver object for $resource_uuid";
	    goto bad;
	}
	push(@slivers, $sliver);
Leigh B. Stoller's avatar
Leigh B. Stoller committed
355
    }
Leigh B. Stoller's avatar
Leigh B. Stoller committed
356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371

    #
    # Now do the provisioning (note that we actually allocated the node
    # above when the ticket was granted). The add the sliver to the aggregate.
    #
    foreach my $sliver (@slivers) {
	if (!$impotent && $sliver->Provision() != 0) {
	    $message = "Could not provision $sliver";
	    goto bad;
	}
	if ($sliver->SetAggregate($aggregate) != 0) {
	    $message = "Could not aggregate for $sliver to $aggregate";
	    goto bad;
	}
    }

Leigh B. Stoller's avatar
Leigh B. Stoller committed
372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387
    #
    # Run swapexp in update mode. The nodes are already allocated, but need
    # to be configured like a real experiment.
    #
    # XXX What if we have multiple slivers for this slice? We are going
    # to need some locking or management at the slice level so that we run
    # tbswap only once, or at least no more then one at a time.
    #
    if (!$impotent) {
	system("$SWAPEXP -s modify -r -g $pid $eid");
	if ($?) {
	    $message = "Failed to tbswap $pid,$eid";
	    goto bad;
	}
    }

Leigh B. Stoller's avatar
Leigh B. Stoller committed
388
    #
Leigh B. Stoller's avatar
Leigh B. Stoller committed
389
    # The API states we return a credential to control the sliver/aggregate.
Leigh B. Stoller's avatar
Leigh B. Stoller committed
390
    #
Leigh B. Stoller's avatar
Leigh B. Stoller committed
391
    my $credential = $aggregate->NewCredential($owner);
Leigh B. Stoller's avatar
Leigh B. Stoller committed
392
    if (!defined($credential)) {
Leigh B. Stoller's avatar
Leigh B. Stoller committed
393 394
	$message = "Could not create credential for $aggregate";
	goto bad;
Leigh B. Stoller's avatar
Leigh B. Stoller committed
395 396
    }
    return GeniResponse->Create(GENIRESPONSE_SUCCESS, $credential->asString());
Leigh B. Stoller's avatar
Leigh B. Stoller committed
397 398 399 400 401 402 403 404 405 406 407

  bad:
    foreach my $sliver (@slivers) {
	$sliver->UnProvision()
	    if (! $impotent);
	$sliver->Delete();
    }
    $aggregate->Delete()
	if (defined($aggregate));
    
    return GeniResponse->Create(GENIRESPONSE_ERROR, undef, $message);
Leigh B. Stoller's avatar
Leigh B. Stoller committed
408 409 410
}

#
Leigh B. Stoller's avatar
Leigh B. Stoller committed
411
# Start a sliver (not sure what this means yet, so reboot for now).
Leigh B. Stoller's avatar
Leigh B. Stoller committed
412
#
Leigh B. Stoller's avatar
Leigh B. Stoller committed
413
sub StartSliver($)
Leigh B. Stoller's avatar
Leigh B. Stoller committed
414 415
{
    my ($argref) = @_;
Leigh B. Stoller's avatar
Leigh B. Stoller committed
416
    my $owner_uuid  = $ENV{'GENIUSER'};
417
    my $sliver_cert = $argref->{'sliver'};
Leigh B. Stoller's avatar
Leigh B. Stoller committed
418
    my $credential  = $argref->{'credential'};
419
    my $sliver_uuid;
Leigh B. Stoller's avatar
Leigh B. Stoller committed
420 421 422 423
    my $impotent   = $argref->{'impotent'};

    $impotent = 0
	if (!defined($impotent));
Leigh B. Stoller's avatar
Leigh B. Stoller committed
424

425
    if (!defined($sliver_cert) || !defined($credential)) {
Leigh B. Stoller's avatar
Leigh B. Stoller committed
426 427
	return GeniResponse->Create(GENIRESPONSE_BADARGS);
    }
428 429 430 431
    GeniCertificate->CertificateInfo($sliver_cert, \$sliver_uuid) == 0 or
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "Could not get uuid from Certificate");
    
Leigh B. Stoller's avatar
Leigh B. Stoller committed
432 433 434 435 436
    $credential = GeniCredential->CreateFromSigned($credential);
    if (!defined($credential)) {
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "Could not create GeniCredential object");
    }
Leigh B. Stoller's avatar
Leigh B. Stoller committed
437 438
    my $sliver = GeniSliver->Lookup($sliver_uuid);
    if (!defined($sliver)) {
Leigh B. Stoller's avatar
Leigh B. Stoller committed
439 440 441 442 443 444
	# Might be an aggregate instead.
	$sliver = GeniAggregate->Lookup($sliver_uuid);
	if (!defined($sliver)) {
	    return GeniResponse->Create(GENIRESPONSE_BADARGS, undef,
				    "No such sliver/aggregate $sliver_uuid");
	}
Leigh B. Stoller's avatar
Leigh B. Stoller committed
445
    }
Leigh B. Stoller's avatar
Leigh B. Stoller committed
446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482
    
    # The credential owner has to match what is in the ticket.
    if (! ($owner_uuid eq $credential->owner_uuid() &&
	   $sliver_uuid eq $credential->this_uuid())) {
	return GeniResponse->Create(GENIRESPONSE_FORBIDDEN, undef,
				    "Invalid credentials for operation");
    }
    if (!$impotent) {
	$sliver->StartUp() == 0 or
	    return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				"Could not start sliver/aggregate");
    }
    return GeniResponse->Create(GENIRESPONSE_SUCCESS);
}

#
# Destroy a sliver/aggregate.
#
sub DestroySliver($)
{
    my ($argref) = @_;
    my $owner_uuid  = $ENV{'GENIUSER'};
    my $sliver_cert = $argref->{'sliver'};
    my $credential  = $argref->{'credential'};
    my $sliver_uuid;
    my $impotent   = $argref->{'impotent'};

    $impotent = 0
	if (!defined($impotent));

    if (!defined($sliver_cert) || !defined($credential)) {
	return GeniResponse->Create(GENIRESPONSE_BADARGS);
    }
    GeniCertificate->CertificateInfo($sliver_cert, \$sliver_uuid) == 0 or
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "Could not get uuid from Certificate");
    
Leigh B. Stoller's avatar
Leigh B. Stoller committed
483 484
    $credential = GeniCredential->CreateFromSigned($credential);
    if (!defined($credential)) {
Leigh B. Stoller's avatar
Leigh B. Stoller committed
485
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
Leigh B. Stoller's avatar
Leigh B. Stoller committed
486
				    "Could not create GeniCredential object");
Leigh B. Stoller's avatar
Leigh B. Stoller committed
487
    }
Leigh B. Stoller's avatar
Leigh B. Stoller committed
488 489 490 491 492 493 494 495 496 497
    my $sliver = GeniSliver->Lookup($sliver_uuid);
    if (!defined($sliver)) {
	# Might be an aggregate instead.
	$sliver = GeniAggregate->Lookup($sliver_uuid);
	if (!defined($sliver)) {
	    return GeniResponse->Create(GENIRESPONSE_BADARGS, undef,
				    "No such sliver/aggregate $sliver_uuid");
	}
    }
    
Leigh B. Stoller's avatar
Leigh B. Stoller committed
498 499 500 501 502
    # The credential owner has to match what is in the ticket.
    if (! ($owner_uuid eq $credential->owner_uuid() &&
	   $sliver_uuid eq $credential->this_uuid())) {
	return GeniResponse->Create(GENIRESPONSE_FORBIDDEN, undef,
				    "Invalid credentials for operation");
Leigh B. Stoller's avatar
Leigh B. Stoller committed
503
    }
Leigh B. Stoller's avatar
Leigh B. Stoller committed
504 505 506 507 508
    if (!$impotent) {
	$sliver->UnProvision() == 0 or
	    return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				"Could not unprovision sliver/aggregate");
    }
Leigh B. Stoller's avatar
Leigh B. Stoller committed
509 510
    $sliver->Delete() == 0 or
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
Leigh B. Stoller's avatar
Leigh B. Stoller committed
511
				    "Could not delete sliver/aggregate");
Leigh B. Stoller's avatar
Leigh B. Stoller committed
512 513
    
    return GeniResponse->Create(GENIRESPONSE_SUCCESS);
Leigh B. Stoller's avatar
Leigh B. Stoller committed
514
}
Leigh B. Stoller's avatar
Leigh B. Stoller committed
515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 594 595 596 597 598 599 600 601 602 603 604 605 606 607 608 609 610 611 612 613 614 615 616 617 618 619 620 621 622 623 624 625 626 627 628 629 630 631 632 633 634 635 636 637 638 639 640 641 642 643 644 645 646 647 648 649 650 651 652 653 654 655 656 657 658 659 660 661 662 663 664 665 666 667 668 669 670 671 672 673 674 675 676 677 678 679 680 681 682 683 684 685 686 687 688 689 690 691 692 693 694 695 696 697 698 699 700 701 702 703 704 705 706 707 708 709 710 711 712 713 714 715 716 717 718 719 720 721 722 723 724 725

#
# Bind a user to a slice.
#
sub BindUser($)
{
    my ($argref) = @_;
    my $sliver     = $argref->{'sliver'};
    my $hrn        = $argref->{'userinfo'}->{'hrn'};
    my $uuid       = $argref->{'userinfo'}->{'uuid'};
    my $name       = $argref->{'userinfo'}->{'name'};
    my $email      = $argref->{'userinfo'}->{'email'};
    my $cert       = $argref->{'userinfo'}->{'cert'};
    my $sshkey     = $argref->{'userinfo'}->{'sshkey'};
    my $sliver_uuid;

    if (! (defined($hrn) && defined($name) && defined($sliver) &&
	   defined($email) && defined($cert) && defined($uuid))) {
	return GeniResponse->MalformedArgsResponse();
    }

    GeniCertificate->CertificateInfo($sliver, \$sliver_uuid) == 0 or
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "Could not get uuid from Certificate");
    
    #
    # See if we have a record of this sliver in the DB. If not, then we have
    # to go to the ClearingHouse to find its record, so that we can find out
    # who the SA for it is.
    #
    $sliver = GeniSliver->Lookup($sliver_uuid);
    if (!defined($sliver)) {
	# Might be an aggregate instead.
	$sliver = GeniAggregate->Lookup($sliver_uuid);
	if (!defined($sliver)) {
	    return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
					"No such sliver $sliver_uuid");
	}
    }
    my $slice = $sliver->GetSlice();

    #
    # Use the Emulab checkslot routines.
    #
    if (! ($hrn =~ /^[-\w\.]*$/)) {
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "hrn: Invalid characters");
    }
    if (! ($uuid =~ /^[-\w]*$/)) {
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "uuid: Invalid characters");
    }
    if (! TBcheck_dbslot($name, "users", "usr_name", TBDB_CHECKDBSLOT_ERROR)) {
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "name: ". TBFieldErrorString());
    }
    if (! TBcheck_dbslot($email, "users", "usr_email",TBDB_CHECKDBSLOT_ERROR)){
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "email: ". TBFieldErrorString());
    }
    if (! ($cert =~ /^[\012\015\040-\176]*$/)) {
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "cert: Invalid characters");
    }
    if (defined($sshkey) && ! ($sshkey =~ /^[\012\015\040-\176]*$/)) {
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "sshkey: Invalid characters");
    }

    #
    # The SA UUID comes from the SSL environment (certificate). Verify it
    # and the prefix match for the uuid.
    #
    my $sa_uuid = $ENV{'GENIUUID'};
    my $authority = GeniAuthority->Lookup($sa_uuid);
    if (!defined($authority)) {
	return GeniResponse->Create(GENIRESPONSE_SEARCHFAILED, undef,
				    "No slice authority record for $sa_uuid");
    }
    if (! $authority->PrefixMatch($uuid)) {
	return GeniResponse->Create(GENIRESPONSE_FORBIDDEN, undef,
				    "uuid: Prefix mismatch");
    }

    #
    # Verify that this is the SA for the slice. 
    #
    if (! $slice->IsSliceAuthority($authority)) {
	return GeniResponse->Create(GENIRESPONSE_FORBIDDEN, undef,
				    "Must be the SA for the slice");
    }

    # Might already exist. Not an error, Just check binding and return.
    my $user = GeniUser->Lookup($uuid);
    if (defined($user)) {
	$user->BindToSlice($slice) == 0
	    or return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
					   "Error binding user to slice");

	return GeniResponse->Create(GENIRESPONSE_SUCCESS, undef,
			    "$hrn/$email has been bound to slice");
    }

    #
    # XXX
    #
    # What kind of uniquess requirements do we need? No one else with this
    # email address? Of course, we have to allow hrn reuse, but should we
    # require that for a given SA, that hrn is unique, at least to avoid
    # lots of confusion?
    #
    if (GeniUser->CheckExisting($hrn, $email)) {
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "$hrn/$email already registered");
    }

    # The local uid we will use is the last part of the hrn.
    my ($uid) = ($hrn =~ /^.*\.(\w*)$/);
    if (!defined($uid)) {
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "uid: cannot parse hrn to get uid");
    }
    elsif (! TBcheck_dbslot($uid, "users", "uid", TBDB_CHECKDBSLOT_ERROR)) {
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "uid: ". TBFieldErrorString());
    }
    my $newuser = GeniUser->Create($hrn, $uid, $uuid,
				   $name, $email, $cert,
				   $authority->idx(), $sshkey);
    if (!defined($newuser)) {
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "$hrn/$email could not be registered");
    }
    $newuser->BindToSlice($slice) == 0
	or return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				       "Error binding user to sliver");
    
    return GeniResponse->Create(GENIRESPONSE_SUCCESS, undef,
				"$hrn/$email has been bound to $sliver_uuid");
}

#
# Unbind user from sliver.
#
sub UnBindUser($)
{
    my ($argref) = @_;
    my $sliver      = $argref->{'sliver'};
    my $user       = $argref->{'user'};
    my $sliver_uuid;
    my $user_uuid;

    if (! (defined($sliver) && defined($user))) {
	return GeniResponse->MalformedArgsResponse();
    }

    GeniCertificate->CertificateInfo($sliver, \$sliver_uuid) == 0 or
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "Could not get uuid from Certificate");
    
    GeniCertificate->CertificateInfo($user, \$user_uuid) == 0 or
	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				    "Could not get uuid from Certificate");
    
    #
    # See if we have a record of this sliver in the DB. If not, then we have
    # to go to the ClearingHouse to find its record, so that we can find out
    # who the SA for it is.
    #
    $sliver = GeniSliver->Lookup($sliver_uuid);
    if (!defined($sliver)) {
	# Might be an aggregate instead.
	$sliver = GeniAggregate->Lookup($sliver_uuid);
	if (!defined($sliver)) {
	    return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
					"No such sliver $sliver_uuid");
	}
    }
    # Does not exist? Not an error.
    $user = GeniUser->Lookup($user_uuid);
    if (! defined($user)) {
	return GeniResponse->Create(GENIRESPONSE_SUCCESS, undef,
				    "$user_uuid is not bound to $sliver_uuid");
    }
    my $slice = $sliver->GetSlice();

    #
    # The SA UUID comes from the SSL environment (certificate). 
    #
    my $sa_uuid = $ENV{'GENIUUID'};
    my $authority = GeniAuthority->Lookup($sa_uuid);
    if (!defined($authority)) {
	return GeniResponse->Create(GENIRESPONSE_SEARCHFAILED, undef,
				    "No slice authority record for $sa_uuid");
    }
    #
    # Verify that this is the SA for the slice. 
    #
    if (! $slice->IsSliceAuthority($authority)) {
	return GeniResponse->Create(GENIRESPONSE_FORBIDDEN, undef,
				    "Must be the SA for the slice");
    }

    $user->UnBindFromSlice($slice) == 0
	or return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
				       "Error unbinding user from sliver");
    
    return GeniResponse->Create(GENIRESPONSE_SUCCESS, undef,
				"$user_uuid has been unbound from sliver");
}