Shuffle GetSSHKeys a bit so I can use it from the XMLRPC interface.

dfd1d0a7 · Leigh B Stoller · c3339c9d · dfd1d0a7 · dfd1d0a7
Commit dfd1d0a7 authored Sep 24, 2015 by Leigh B Stoller
Hide whitespace changes
Inline Side-by-side

Showing with 102 additions and 15 deletions

apt/APT_Instance.pm.in apt/APT_Instance.pm.in +91 -2

apt/create_instance.in apt/create_instance.in +11 -13

No files found.
--- a/apt/APT_Instance.pm.in
+++ b/apt/APT_Instance.pm.in
@@ -30,14 +30,21 @@ use Data::Dumper;
 use POSIX qw(tmpnam);
 use Exporter;
 use vars qw(@ISA @EXPORT $AUTOLOAD
-	    $RECORDHISTORY_TERMINATED $RECORDHISTORY_EXPIRED);
+	    $RECORDHISTORY_TERMINATED $RECORDHISTORY_EXPIRED
+	    $APT_HOLDINGPROJECT $CLOUD_HOLDINGPROJECT);
+
 @ISA    = "Exporter";

 # RecordHistory flags.
 $RECORDHISTORY_TERMINATED	= 0x00;
 $RECORDHISTORY_EXPIRED		= 0x01;

-@EXPORT = qw($RECORDHISTORY_TERMINATED $RECORDHISTORY_EXPIRED);
+# Names of the holding projects.
+$APT_HOLDINGPROJECT   = "aptguests";
+$CLOUD_HOLDINGPROJECT = "CloudLab";
+
+@EXPORT = qw($RECORDHISTORY_TERMINATED $RECORDHISTORY_EXPIRED
+             $APT_HOLDINGPROJECT $CLOUD_HOLDINGPROJECT);

 # Must come after package declaration!
 use EmulabConstants;
@@ -526,6 +533,14 @@ sub GetGeniAuthority($)
    return APT_Geni::GetAuthority($self->aggregate_urn());
 }

+sub GetProject($)
+{
+    my ($self) = @_;
+    require Project;
+    
+    return Project->Lookup($self->pid_idx());
+}
+
 #
 # Warn creator that the experiment is going to expire. This is hooked
 # in from the sa_daemon, so we can send a message that is less geni like
@@ -719,6 +734,80 @@ sub WriteCredentials($$)
    return 0;
 }

+#
+# Build a set of sshkeys.
+#
+sub GetSSHKeys($$)
+{
+    my ($self, $pref) = @_;
+    my $rval;
+    my @keys;
+
+    my $geniuser = $self->GetGeniUser();
+    return -1
+	if (!defined($geniuser));
+    my $project  = $self->GetProject();
+    return -1
+	if (!defined($project));
+
+    if ($geniuser->GetKeyBundle(\@keys, 1) < 0 || !@keys) {
+	print STDERR "No ssh keys for $geniuser\n";
+	return -1;
+    }
+
+    #
+    # CM format.
+    #
+    $rval = [{'urn'   => $geniuser->urn(),
+	      'login' => $geniuser->uid(),
+	      'keys'  => [ @keys ]
+	     }];
+
+    if (! ($project->pid() eq $APT_HOLDINGPROJECT ||
+	   $project->pid() eq $CLOUD_HOLDINGPROJECT)) {
+	#
+	# Get other users from the project. Real local users are easy,
+	# nonlocal users from the GPO portal are messy.
+	#
+	my @members;
+	if ($project->GetProjectGroup()->MemberList(\@members)) {
+	    print STDERR "Error getting memberlist for $project\n";
+	}
+	else {
+	    foreach my $member (@members) {
+		next
+		    if ($member->SameUser($geniuser->emulab_user()));
+	    
+		my $guser = GeniUser->CreateFromLocal($member);
+		next
+		    if (!defined($guser));
+
+		#
+		# So, users coming in from the trusted signer have their keys
+		# at their home portal. We download those keys whenever they
+		# log in, and cache them in their local stub account, but they
+		# could be out of date. But in order to refresh those keys, we
+		# would need a valid (not expired) speaks-for credential, which
+		# we might have, but typically not since they have short expire
+		# times. So, lets not worry about this right now, just use the
+		# cached keys and see who complains.
+		#
+		@keys = ();
+		if ($guser->GetKeyBundle(\@keys, 1) < 0 || !@keys) {
+		    print STDERR "No ssh keys for $guser\n";
+		    next;
+		}
+		push(@{$rval}, {'urn'   => $guser->urn(),
+				'login' => $guser->uid(),
+				'keys'  => [ @keys ]
+		               });
+	    }
+	}
+    }
+    $$pref = $rval;
+    return 0;
+}
+
 ###################################################################
 package APT_Instance::Aggregate;
 use emdb;

--- a/apt/create_instance.in
+++ b/apt/create_instance.in
@@ -92,10 +92,6 @@ my $UPDATEGENIUSER= "$TB/sbin/protogeni/updategeniuser";
 my $STITCHER      = "$TB/gcf/src/stitcher.py";
 my $OPENSSL       = "/usr/bin/openssl";

-# Names of the holding projects.
-my $APT_HOLDINGPROJECT   = "aptguests";
-my $CLOUD_HOLDINGPROJECT = "CloudLab";
-
 # un-taint path
 $ENV{'PATH'} = '/bin:/usr/bin:/usr/local/bin:/usr/site/bin';
 delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};
@@ -579,15 +575,6 @@ if (!$debug) {
    }
 }

-#
-# Get the set of keys (accounts) that need to be sent along. We build
-# them in CM format, but convert to AM format later if needed.
-#
-my $sshkeys;
-if (GetSSHKeys($geniuser, $project, \$sshkeys) < 0 || !@{$sshkeys}) {
-    fatal("No ssh keys to use for $geniuser/$project!");
-}
-
 # Generate the extra credentials that tells the backend this experiment
 # can access the datasets.
 my @dataset_credentials = ();
@@ -727,6 +714,17 @@ else {
    $instance->Update({'aggregate_urn' => $default_aggregate_urn});
 }

+#
+# Get the set of keys (accounts) that need to be sent along. We build
+# them in CM format, but convert to AM format later if needed.
+#
+my $sshkeys;
+if ($instance->GetSSHKeys(\$sshkeys) < 0 || !@{$sshkeys}) {
+    $slice->Delete();
+    $instance->Delete();
+    fatal("Error constructing ssh key list");
+}
+
 # We use this list of references for ParRun below.
 my @aggregate_list = ();
 foreach my $aggregate_urn (@aggregate_urns) {