def __init__(self):
"""
Get plugins for use in other class methods.
Set unique keys.
"""
super(OMemberAuthorityResourceManager, self).__init__()
self._resource_manager_tools = pm.getService('resourcemanagertools')
self._set_unique_keys()
#<UT>
config = pm.getService("config")
cert_path = expand_amsoil_path(config.get("delegatetools.trusted_cert_path"))
cert_key_path = expand_amsoil_path(config.get("delegatetools.trusted_cert_keys_path"))
hostname = config.get('flask.cbas_hostname')
self._ma_crl_path = expand_amsoil_path(config.get("delegatetools.trusted_crl_path")) + '/' \
+ hostname + '.authority.ma'
self._ma_cert_str = self._resource_manager_tools.read_file(cert_path + '/' +
OMemberAuthorityResourceManager.MA_CERT_FILE)
self._ma_cert_key_str = self._resource_manager_tools.read_file(cert_key_path + '/' +
OMemberAuthorityResourceManager.MA_KEY_FILE)
self.gfed_ex = pm.getService('apiexceptionsv2')
self._urn = self.urn()
self._cert_revoke_reasons = crypto.Revoked().all_reasons()
self._ma_cert = crypto.load_certificate(crypto.FILETYPE_PEM, self._ma_cert_str)
self._ma_cert_key = crypto.load_privatekey(crypto.FILETYPE_PEM, self._ma_cert_key_str)
def __init__(self):
"""
Get plugins for use in other class methods.
Set unique keys.
"""
super(OMemberAuthorityResourceManager, self).__init__()
self._resource_manager_tools = pm.getService('resourcemanagertools')
self._set_unique_keys()
#<UT>
config = pm.getService("config")
cert_path = expand_amsoil_path(
config.get("delegatetools.trusted_cert_path"))
cert_key_path = expand_amsoil_path(
config.get("delegatetools.trusted_cert_keys_path"))
hostname = config.get('flask.cbas_hostname')
self._ma_crl_path = expand_amsoil_path(config.get("delegatetools.trusted_crl_path")) + '/' \
+ hostname + '.authority.ma'
self._ma_cert_str = self._resource_manager_tools.read_file(
cert_path + '/' + OMemberAuthorityResourceManager.MA_CERT_FILE)
self._ma_cert_key_str = self._resource_manager_tools.read_file(
cert_key_path + '/' + OMemberAuthorityResourceManager.MA_KEY_FILE)
self.gfed_ex = pm.getService('apiexceptionsv2')
self._urn = self.urn()
self._cert_revoke_reasons = crypto.Revoked().all_reasons()
self._ma_cert = crypto.load_certificate(crypto.FILETYPE_PEM,
self._ma_cert_str)
self._ma_cert_key = crypto.load_privatekey(crypto.FILETYPE_PEM,
self._ma_cert_key_str)
def __init__(self):
"""
Get plugins for use in other class methods.
Set unique keys.
"""
super(OSliceAuthorityResourceManager, self).__init__()
self._resource_manager_tools = pm.getService('resourcemanagertools')
self._set_unique_keys()
#<UT>
config = pm.getService("config")
cert_path = expand_amsoil_path(
config.get("delegatetools.trusted_cert_path"))
cert_key_path = expand_amsoil_path(
config.get("delegatetools.trusted_cert_keys_path"))
self._sa_c = self._resource_manager_tools.read_file(
cert_path + '/' + OSliceAuthorityResourceManager.SA_CERT_FILE)
self._sa_pr = self._resource_manager_tools.read_file(
cert_key_path + '/' + OSliceAuthorityResourceManager.SA_KEY_FILE)
#<UT>
self._delegate_tools = pm.getService('delegatetools')
self.gfed_ex = pm.getService('apiexceptionsv2')
def __init__(self):
"""
Load configuration files. Combine the default field names with the supplemenary fields to form a combined list.
"""
self.STATIC = {} #: holds static configuration and settings loaded from JSON files (config.json and defaults.json)
self._load_files()
self._combine_fields()
config = pm.getService("config")
self.TRUSTED_CERT_PATH = expand_amsoil_path(config.get("delegatetools.trusted_cert_path")) +'/' #<UT>
self.TRUSTED_CRL_PATH = expand_amsoil_path(config.get("delegatetools.trusted_crl_path")) + '/' #<UT>
def __init__(self):
"""
Load configuration files. Combine the default field names with the supplemenary fields to form a combined list.
"""
self.STATIC = {
} #: holds static configuration and settings loaded from JSON files (config.json and defaults.json)
self._load_files()
self._combine_fields()
config = pm.getService("config")
self.TRUSTED_CERT_PATH = expand_amsoil_path(
config.get("delegatetools.trusted_cert_path")) + '/' #<UT>
self.TRUSTED_CRL_PATH = expand_amsoil_path(
config.get("delegatetools.trusted_crl_path")) + '/' #<UT>
def auth(self, client_cert, credentials, slice_urn=None, privileges=()):
# check variables
if not isinstance(privileges, tuple):
raise TypeError("Privileges need to be a tuple.")
# collect credentials (only GENI certs, version ignored)
geni_credentials = []
for c in credentials:
if c['geni_type'] == 'geni_sfa':
geni_credentials.append(c['geni_value'])
# get the cert_root
config = pm.getService("config")
cert_root = expand_amsoil_path(config.get("chapiv1rpc.ch_cert_root"))
if client_cert == None:
# work around if the certificate could not be acquired due to the shortcommings of the werkzeug library
if config.get("flask.debug"):
import gcf.sfa.trust.credential as cred
client_cert = cred.Credential(string=geni_credentials[0]).gidCaller.save_to_string(save_parents=True)
else:
raise CHAPIv1ForbiddenError("Could not determine the client SSL certificate")
# test the credential
try:
cred_verifier = gcf.geni.cred_util.CredentialVerifier(cert_root)
cred_verifier.verify_from_strings(client_cert, geni_credentials, slice_urn, privileges)
except Exception as e:
raise CHAPIv1ForbiddenError(str(e))
user_gid = gid.GID(string=client_cert)
user_urn = user_gid.get_urn()
user_uuid = user_gid.get_uuid()
user_email = user_gid.get_email()
return user_urn, user_uuid, user_email # TODO document return
def auth(self, client_cert, credentials, slice_urn=None, privileges=()):
"""
This method authenticates and authorizes.
It returns the client's urn, uuid, email (extracted from the {client_cert}). Example call: "urn, uuid, email = self.auth(...)"
Be aware, the email is not required in the certificate, hence it might be empty.
If the validation fails, an GENIv3ForbiddenError is thrown.
The credentials are checked so the user has all the required privileges (success if any credential fits all privileges).
The client certificate is not checked: this is usually done via the webserver configuration.
This method only treats certificates of type 'geni_sfa'.
Here a list of possible privileges (format: right_in_credential: [privilege1, privilege2, ...]):
"authority" : ["register", "remove", "update", "resolve", "list", "getcredential", "*"],
"refresh" : ["remove", "update"],
"resolve" : ["resolve", "list", "getcredential"],
"sa" : ["getticket", "redeemslice", "redeemticket", "createslice", "createsliver", "deleteslice", "deletesliver", "updateslice",
"getsliceresources", "getticket", "loanresources", "stopslice", "startslice", "renewsliver",
"deleteslice", "deletesliver", "resetslice", "listslices", "listnodes", "getpolicy", "sliverstatus"],
"embed" : ["getticket", "redeemslice", "redeemticket", "createslice", "createsliver", "renewsliver", "deleteslice",
"deletesliver", "updateslice", "sliverstatus", "getsliceresources", "shutdown"],
"bind" : ["getticket", "loanresources", "redeemticket"],
"control" : ["updateslice", "createslice", "createsliver", "renewsliver", "sliverstatus", "stopslice", "startslice",
"deleteslice", "deletesliver", "resetslice", "getsliceresources", "getgids"],
"info" : ["listslices", "listnodes", "getpolicy"],
"ma" : ["setbootstate", "getbootstate", "reboot", "getgids", "gettrustedcerts"],
"operator" : ["gettrustedcerts", "getgids"],
"*" : ["createsliver", "deletesliver", "sliverstatus", "renewsliver", "shutdown"]
When using the gcf clearinghouse implementation the credentials will have the rights:
- user: "******", "resolve", "info" (which resolves to the privileges: "remove", "update", "resolve", "list", "getcredential", "listslices", "listnodes", "getpolicy").
- slice: "refresh", "embed", "bind", "control", "info" (well, do the resolving yourself...)
"""
# check variables
if not isinstance(privileges, tuple):
raise TypeError("Privileges need to be a tuple.")
# collect credentials (only GENI certs, version ignored)
geni_credentials = []
for c in credentials:
if c['geni_type'] == 'geni_sfa':
geni_credentials.append(c['geni_value'])
# get the cert_root
config = pm.getService("config")
cert_root = expand_amsoil_path(config.get("geniv3rpc.cert_root"))
if client_cert == None:
raise GENIv3ForbiddenError("Could not determine the client SSL certificate")
# test the credential
try:
cred_verifier = ext.geni.CredentialVerifier(cert_root)
cred_verifier.verify_from_strings(client_cert, geni_credentials, slice_urn, privileges)
except Exception as e:
raise GENIv3ForbiddenError(str(e))
user_gid = gid.GID(string=client_cert)
user_urn = user_gid.get_urn()
user_uuid = user_gid.get_uuid()
user_email = user_gid.get_email()
return user_urn, user_uuid, user_email # TODO document return
def main():
# set home environment variable to something (needed for apache deployment)
os.environ['HOME'] = config.expand_amsoil_path('~')
# load plugins
pm.init(config.PLUGINS_PATH)
rcp_server = pm.getService('jsonrpc')
rcp_server.runServer()
def main():
# set home environment variable to something (needed for apache deployment)
os.environ['HOME'] = config.expand_amsoil_path('~')
# load plugins
pm.init(config.PLUGINS_PATH)
rcp_server = pm.getService('jsonrpc')
rcp_server.runServer()
def auth(self, client_cert, credentials, slice_urn=None, privileges=()):
"""
This method authenticates and authorizes.
It returns the client's urn, uuid, email (extracted from the {client_cert}). Example call: "urn, uuid, email = self.auth(...)"
Be aware, the email is not required in the certificate, hence it might be empty.
If the validation fails, an GENIv3ForbiddenError is thrown.
The credentials are checked so the user has all the required privileges (success if any credential fits all privileges).
The client certificate is not checked: this is usually done via the webserver configuration.
This method only treats certificates of type 'geni_sfa'.
Here a list of possible privileges (format: right_in_credential: [privilege1, privilege2, ...]):
"authority" : ["register", "remove", "update", "resolve", "list", "getcredential", "*"],
"refresh" : ["remove", "update"],
"resolve" : ["resolve", "list", "getcredential"],
"sa" : ["getticket", "redeemslice", "redeemticket", "createslice", "createsliver", "deleteslice", "deletesliver", "updateslice",
"getsliceresources", "getticket", "loanresources", "stopslice", "startslice", "renewsliver",
"deleteslice", "deletesliver", "resetslice", "listslices", "listnodes", "getpolicy", "sliverstatus"],
"embed" : ["getticket", "redeemslice", "redeemticket", "createslice", "createsliver", "renewsliver", "deleteslice",
"deletesliver", "updateslice", "sliverstatus", "getsliceresources", "shutdown"],
"bind" : ["getticket", "loanresources", "redeemticket"],
"control" : ["updateslice", "createslice", "createsliver", "renewsliver", "sliverstatus", "stopslice", "startslice",
"deleteslice", "deletesliver", "resetslice", "getsliceresources", "getgids"],
"info" : ["listslices", "listnodes", "getpolicy"],
"ma" : ["setbootstate", "getbootstate", "reboot", "getgids", "gettrustedcerts"],
"operator" : ["gettrustedcerts", "getgids"],
"*" : ["createsliver", "deletesliver", "sliverstatus", "renewsliver", "shutdown"]
When using the gcf clearinghouse implementation the credentials will have the rights:
- user: "******", "resolve", "info" (which resolves to the privileges: "remove", "update", "resolve", "list", "getcredential", "listslices", "listnodes", "getpolicy").
- slice: "refresh", "embed", "bind", "control", "info" (well, do the resolving yourself...)
"""
# check variables
if not isinstance(privileges, tuple):
raise TypeError("Privileges need to be a tuple.")
# collect credentials (only GENI certs, version ignored)
geni_credentials = []
for c in credentials:
if c['geni_type'] == 'geni_sfa':
geni_credentials.append(c['geni_value'])
# get the cert_root
config = pm.getService("config")
cert_root = expand_amsoil_path(config.get("geniv3rpc.cert_root"))
# test the credential
try:
cred_verifier = ext.geni.CredentialVerifier(cert_root)
cred_verifier.verify_from_strings(client_cert, geni_credentials,
slice_urn, privileges)
except Exception as e:
raise GENIv3ForbiddenError(str(e))
user_gid = gid.GID(string=client_cert)
user_urn = user_gid.get_urn()
user_uuid = user_gid.get_uuid()
user_email = user_gid.get_email()
return user_urn, user_uuid, user_email # TODO document return
def _get_paths(self):
"""
Get full file paths for JSON files to load (config.json and defaults.json).
Returns:
dictionary containing the loaded JSON content
"""
config = pm.getService("config")
config_path = config.get("delegatetools.config_path")
supplemetary_fields_path = config.get("delegatetools.supplemetary_fileds_path")
service_registry_path = config.get("delegatetools.service_registry_path")
defaults_path = config.get("delegatetools.defaults_path")
return {'CONFIG' : expand_amsoil_path(config_path),
'DEFAULTS' : expand_amsoil_path(defaults_path),
'SUPPLEMENTARY_FIELDS' : expand_amsoil_path(supplemetary_fields_path),
'REGISTRY' : expand_amsoil_path(service_registry_path)}
def _get_paths(self):
"""
Get full file paths for JSON files to load (config.json and defaults.json).
Returns:
dictionary containing the loaded JSON content
"""
config = pm.getService("config")
config_path = config.get("delegatetools.config_path")
supplemetary_fields_path = config.get(
"delegatetools.supplemetary_fileds_path")
service_registry_path = config.get(
"delegatetools.service_registry_path")
defaults_path = config.get("delegatetools.defaults_path")
authz_path = config.get("delegatetools.authz_path") #<UT>
roles_path = config.get("delegatetools.roles_path") #<UT>
return {
'CONFIG': expand_amsoil_path(config_path),
'DEFAULTS': expand_amsoil_path(defaults_path),
'SUPPLEMENTARY_FIELDS':
expand_amsoil_path(supplemetary_fields_path),
'REGISTRY': expand_amsoil_path(service_registry_path),
'AUTHZ': expand_amsoil_path(authz_path), #<UT>
'ROLES': expand_amsoil_path(roles_path), #<UT>
}
def __init__(self):
"""
Get plugins for use in other class methods.
Set unique keys.
"""
super(OSliceAuthorityResourceManager, self).__init__()
self._resource_manager_tools = pm.getService('resourcemanagertools')
self._set_unique_keys()
#<UT>
config = pm.getService("config")
cert_path = expand_amsoil_path(config.get("delegatetools.trusted_cert_path"))
cert_key_path = expand_amsoil_path(config.get("delegatetools.trusted_cert_keys_path"))
self._sa_c = self._resource_manager_tools.read_file(cert_path + '/' +
OSliceAuthorityResourceManager.SA_CERT_FILE)
self._sa_pr = self._resource_manager_tools.read_file(cert_key_path + '/' +
OSliceAuthorityResourceManager.SA_KEY_FILE)
#<UT>
self._delegate_tools = pm.getService('delegatetools')
self.gfed_ex = pm.getService('apiexceptionsv2')
def _authorize_dict_list(self, client_cert, credentials, result, options):
client_cert = geniutil.infer_client_cert(client_cert, credentials)
try:
trusted_cert_path = expand_amsoil_path(config.get("ofed.cert_root"))
geniutil.verify_certificate(client_cert, trusted_cert_path)
# TODO remove this (only for testing)
# BEGING REMOVE
client_urn, client_uuid, client_email = geniutil.extract_certificate_info(client_cert)
client_auth, client_type, client_name = geniutil.decode_urn(client_urn)
if not client_name == "admin": # only test if the name is not admin
# END REMOVE
for urn, info in result.iteritems():
geniutil.verify_credential(credentials, client_cert, urn, trusted_cert_path, ('list',))
except Exception as e:
raise gfed_ex.GFedv1AuthorizationError(str(e))
def requestCertificate(self):
"""Retrieve the certificate which the client has sent. If using the development server, the certificate is read from a static file (see config keys)."""
# get it from the request's environment
if request.environ.has_key('CLIENT_RAW_CERT'):
return request.environ['CLIENT_RAW_CERT']
# unfortunately, werkzeug (the server behind flask) can not handle client certificates
# hence we fake it by using a file configured by the user
config = pm.getService("config")
if config.get("flask.debug") and not config.get("flask.fcgi"):
try:
return open(
expand_amsoil_path(
config.get("flask.debug.client_cert_file")),
'r').read()
except:
raise exceptions.DebugClientCertNotFound()
return None
def requestCertificate(self):
"""Retrieve the certificate which the client has sent. If using the development server, the certificate can not be determined (werkzeug is stupid in that sense)."""
# get it from the request's environment
if request.environ.has_key('SSL_CLIENT_CERT'):
return request.environ['SSL_CLIENT_CERT']
if request.environ.has_key('CLIENT_RAW_CERT'):
return request.environ['CLIENT_RAW_CERT']
# unfortunately, werkzeug (the server behind flask) can not handle client certificates
# hence we fake it by using a file configured by the user
config = pm.getService("config")
if config.get("flask.debug") and not config.get("flask.fcgi"):
try:
return open(expand_amsoil_path(config.get("flask.debug.client_cert_file")), 'r').read()
except:
raise exceptions.DebugClientCertNotFound()
return None
return None
def _authorize_dict_list(self, client_cert, credentials, result, options):
client_cert = geniutil.infer_client_cert(client_cert, credentials)
try:
trusted_cert_path = expand_amsoil_path(
config.get("ofed.cert_root"))
geniutil.verify_certificate(client_cert, trusted_cert_path)
# TODO remove this (only for testing)
# BEGING REMOVE
client_urn, client_uuid, client_email = geniutil.extract_certificate_info(
client_cert)
client_auth, client_type, client_name = geniutil.decode_urn(
client_urn)
if not client_name == "admin": # only test if the name is not admin
# END REMOVE
for urn, info in result.iteritems():
geniutil.verify_credential(credentials, client_cert, urn,
trusted_cert_path, ('list', ))
except Exception as e:
raise gfed_ex.GFedv1AuthorizationError(str(e))
def main():
# set home environment variable to something (needed for apache deployment)
os.environ['HOME'] = config.expand_amsoil_path('~')
# load plugins
pm.init(config.PLUGINS_PATH)
try:
opts, args = getopt.getopt(sys.argv[1:], 'hw', ['help', 'worker'])
except getopt.GetoptError as e:
print "Wrong arguments: " + str(e)
print
print_usage()
return
for option, opt_arg in opts:
if option in ['-h', '--help']:
print_usage()
sys.exit(0)
registration_server = pm.getService('registration')
registration_server.runServer()
def auth(self, client_cert, credentials, slice_urn=None, privileges=()):
# check variables
if not isinstance(privileges, tuple):
raise TypeError("Privileges need to be a tuple.")
# collect credentials (only GENI certs, version ignored)
geni_credentials = []
for c in credentials:
if c['geni_type'] == 'geni_sfa':
geni_credentials.append(c['geni_value'])
# get the cert_root
config = pm.getService("config")
cert_root = expand_amsoil_path(config.get("chapiv1rpc.ch_cert_root"))
if client_cert == None:
# work around if the certificate could not be acquired due to the shortcommings of the werkzeug library
if config.get("flask.debug"):
import gcf.sfa.trust.credential as cred
client_cert = cred.Credential(
string=geni_credentials[0]).gidCaller.save_to_string(
save_parents=True)
else:
raise CHAPIv1ForbiddenError(
"Could not determine the client SSL certificate")
# test the credential
try:
cred_verifier = gcf.geni.cred_util.CredentialVerifier(cert_root)
cred_verifier.verify_from_strings(client_cert, geni_credentials,
slice_urn, privileges)
except Exception as e:
raise CHAPIv1ForbiddenError(str(e))
user_gid = gid.GID(string=client_cert)
user_urn = user_gid.get_urn()
user_uuid = user_gid.get_uuid()
user_email = user_gid.get_email()
return user_urn, user_uuid, user_email # TODO document return
))
self.free_lease(lease)
return
# ----------------------------------------------------
# ------------------ database stuff ------------------
# ----------------------------------------------------
from sqlalchemy import Column, Integer, String, DateTime, create_engine
from sqlalchemy.orm import scoped_session, sessionmaker
from sqlalchemy.ext.declarative import declarative_base
from amsoil.config import expand_amsoil_path
from datetime import datetime, timedelta
# initialize sqlalchemy
OPENNAASDB_PATH = expand_amsoil_path(
pm.getService('config').get('opennaas.dbpath'))
OPENNAASDB_ENGINE = "sqlite:///%s" % (OPENNAASDB_PATH, )
db_engine = create_engine(
OPENNAASDB_ENGINE, pool_recycle=6000) # please see the wiki for more info
db_session_factory = sessionmaker(
autoflush=True, bind=db_engine, expire_on_commit=False
) # the class which can create sessions (factory pattern)
db_session = scoped_session(
db_session_factory
) # still a session creator, but it will create _one_ session per thread and delegate all method calls to it
Base = declarative_base(
) # get the base class for the ORM, which includes the metadata object (collection of table descriptions)
# We should limit the session's scope (lifetime) to one request. Yet, here we have a different solution.
# In order to avoid side effects (from someone changing a database object), we expunge_all() objects when we hand out objects to other classes.
return AttributeDict(result_dict)
# ----------------------------------------------------
# ------------------ database stuff ------------------
# ----------------------------------------------------
from sqlalchemy import Column, Integer, String, DateTime, Boolean, PickleType, create_engine
from sqlalchemy.orm import scoped_session, sessionmaker
from sqlalchemy.orm.exc import MultipleResultsFound, NoResultFound
from sqlalchemy.ext.declarative import declarative_base
from sqlalchemy.sql import exists
from sqlalchemy.sql.expression import and_, or_, not_
from amsoil.config import expand_amsoil_path
# initialize sqlalchemy
DB_PATH = expand_amsoil_path(pm.getService('config').get('schedule.dbpath'))
DB_ENGINE = create_engine("sqlite:///%s" % (DB_PATH,)) # please see the wiki for more info
DB_SESSION_FACTORY = sessionmaker(autoflush=True, bind=DB_ENGINE, expire_on_commit=False)
db_session = scoped_session(DB_SESSION_FACTORY)
DB_Base = declarative_base() # get the base class for the ORM, which includes the metadata object (collection of table descriptions)
class ReservationRecord(DB_Base):
"""Encapsulates a record in the database."""
__tablename__ = 'reservations'
reservation_id = Column(Integer, primary_key=True)
schedule_subject = Column(String(255))
##I do not think it is useful
resource_id = Column(String(255))
import amsoil.core.pluginmanager as pm
import hashlib, datetime
from amsoil.config import expand_amsoil_path
from amsoil.config import (registration_server_ip, registration_server_port)
from SocketServer import ThreadingMixIn
from jsonrpclib.SimpleJSONRPCServer import SimpleJSONRPCServer
from registration_utils import *
KEY_PATH = expand_amsoil_path('test/creds') + '/'
AUTHORITY_NAME = 'ma'
AUTHORITY = "test:fp7-ofelia:eu"
MA_CERT_FILE = 'ma-cert.pem'
MA_KEY_FILE = 'ma-key.pem'
CRED_EXPIRY = datetime.datetime.utcnow() + datetime.timedelta(days=100)
class RegistrationAppServer(ThreadingMixIn, SimpleJSONRPCServer):
pass
def register_user(first_name,
last_name,
user_name,
user_email,
public_key=None):
"""
Register user by creating public ssh Keys and credentials
class OSliceAuthorityResourceManager(object):
"""
Manage Slice Authority objects and resources.
Generates neccessary fields when creating a new object.
"""
KEY_PATH = expand_amsoil_path('test/creds') + '/'
SA_CERT_FILE = 'sa-cert.pem'
SA_KEY_FILE = 'sa-key.pem'
CRED_EXPIRY = datetime.datetime.utcnow() + datetime.timedelta(days=100)
AUTHORITY_NAME = 'sa' #: The short-name for this authority
SUPPORTED_SERVICES = [
'SLICE', 'SLICE_MEMBER', 'SLIVER_INFO', 'PROJECT', 'PROJECT_MEMBER'
] #: The objects supported by this authority
SUPPORTED_CREDENTIAL_TYPES = [{
"type": "SFA",
"version": 1
}] #: The credential type supported by this authority
def __init__(self):
"""
Get plugins for use in other class methods.
Set unique keys.
"""
super(OSliceAuthorityResourceManager, self).__init__()
self._resource_manager_tools = pm.getService('resourcemanagertools')
self._set_unique_keys()
self._sa_c = self._resource_manager_tools.read_file(
OSliceAuthorityResourceManager.KEY_PATH +
OSliceAuthorityResourceManager.SA_CERT_FILE)
self._sa_pr = self._resource_manager_tools.read_file(
OSliceAuthorityResourceManager.KEY_PATH +
OSliceAuthorityResourceManager.SA_KEY_FILE)
#--- 'get_version' methods
def _set_unique_keys(self):
"""
Set the required unique keys in the database for a Slice Authority.
"""
self._resource_manager_tools.set_index(self.AUTHORITY_NAME,
'SLICE_UID')
self._resource_manager_tools.set_index(self.AUTHORITY_NAME,
'SLICE_URN')
self._resource_manager_tools.set_index(self.AUTHORITY_NAME,
'SLIVER_INFO_URN')
self._resource_manager_tools.set_index(self.AUTHORITY_NAME,
'PROJECT_UID')
self._resource_manager_tools.set_index(self.AUTHORITY_NAME,
'PROJECT_URN')
def urn(self):
"""
Get the URN for this Slice Authority.
Retrieve the hostname from the Flask AMsoil plugin and use this to build
the URN.
"""
config = pm.getService('config')
hostname = config.get('flask.hostname')
return 'urn:publicid:IDN+' + hostname + '+authority+sa'
def implementation(self):
"""
Get the implementation details for this Slice Authority.
Retrieve details from the AMsoil plugin and form them into a dictionary
suitable for the API call response.
"""
manifest = pm.getManifest('osliceauthorityrm')
if len(manifest) > 0:
return {'code_version': str(manifest['version'])}
else:
return None
def services(self):
"""
Return the services implemented by this Slice Authority.
"""
return self.SUPPORTED_SERVICES
def api_versions(self):
"""
Get the different endpoints (of type 'ma'), registered with AMsoil.
Form these endpoints into a dictionary suitable for the API call response.
"""
config = pm.getService('config')
hostname = config.get('flask.hostname')
port = str(config.get('flask.app_port'))
endpoints = pm.getService('apitools').get_endpoints(
type=self.AUTHORITY_NAME)
return self._resource_manager_tools.form_api_versions(
hostname, port, endpoints)
def credential_types(self):
"""
Return the credential types implemented by this Slice Authority.
"""
return self.SUPPORTED_CREDENTIAL_TYPES
#--- object methods
def create_slice(self, client_cert, credentials, fields, options):
"""
Create a slice object.
Generate fields for a new object:
* SLICE_URN: retrieve the hostname from the Flask AMsoil plugin
and form into a valid URN
* SLICE_UID: generate a new UUID4 value
* SLICE_CREATION: get the time now and convert it into RFC3339 form
* SLICE_EXPIRED: slice object has just been created, so it is has not
yet expired
"""
u_c = None
#credentials_testing = credentials #self._resource_manager_tools.read_file(OSliceAuthorityResourceManager.KEY_PATH + "credentials_test")
root = ET.fromstring(
credentials[0]['SFA']
) #FIXME: short-term solution to fix string handling, take first credential of SFA format
#print '-->'
#print credentials
#print '<--'
self._resource_manager_tools.validate_credentials(credentials)
config = pm.getService('config')
geniutil = pm.getService('geniutil')
hostname = config.get('flask.hostname')
fields['SLICE_URN'] = geniutil.encode_urn(
OSliceAuthorityResourceManager.AUTHORITY_NAME, 'slice',
str(fields.get('SLICE_NAME')))
fields['SLICE_UID'] = str(uuid.uuid4())
fields['SLICE_CREATION'] = pyrfc3339.generate(
datetime.datetime.utcnow().replace(tzinfo=pytz.utc))
fields['SLICE_EXPIRED'] = False
#Generating Slice Credentials
s_c, s_pu, s_pr = geniutil.create_certificate(fields['SLICE_URN'],
self._sa_pr, self._sa_c)
#default owner is slice itself
u_c = s_c
#Try to get the user credentials for use as owner
for child in root:
if child.tag == 'credential':
u_c = child[2].text
break
fields['SLICE_CREDENTIALS'] = geniutil.create_credential(
u_c, s_c, self._sa_pr, self._sa_c, "slice",
OSliceAuthorityResourceManager.CRED_EXPIRY)
return self._resource_manager_tools.object_create(
self.AUTHORITY_NAME, fields, 'slice')
def update_slice(self, urn, client_cert, credentials, fields, options):
"""
Update a slice object.
"""
return self._resource_manager_tools.object_update(
self.AUTHORITY_NAME, fields, 'slice', {'SLICE_URN': urn})
def lookup_slice(self, client_cert, credentials, match, filter_, options):
"""
Lookup a slice object.
"""
return self._resource_manager_tools.object_lookup(
self.AUTHORITY_NAME, 'slice', match, filter_)
def create_sliver_info(self, client_cert, credentials, fields, options):
"""
Create a sliver information object.
"""
return self._resource_manager_tools.object_create(
self.AUTHORITY_NAME, fields, 'sliver_info')
def update_sliver_info(self, urn, client_cert, credentials, fields,
options):
"""
Update a sliver information object.
"""
return self._resource_manager_tools.object_update(
self.AUTHORITY_NAME, fields, 'sliver_info',
{'SLIVER_INFO_URN': urn})
def lookup_sliver_info(self, client_cert, credentials, match, filter_,
options):
"""
Lookup a sliver information object.
"""
return self._resource_manager_tools.object_lookup(
self.AUTHORITY_NAME, 'sliver_info', match, filter_)
def delete_sliver_info(self, urn, client_cert, credentials, options):
"""
Delete a sliver information object.
"""
return self._resource_manager_tools.object_delete(
self.AUTHORITY_NAME, 'sliver_info', {'SLIVER_INFO_URN': urn})
def create_project(self, client_cert, credentials, fields, options):
"""
Create a project object.
Generate fields for a new object:
* PROJECT_URN: retrieve the hostname from the Flask AMsoil plugin
and form into a valid URN
* PROJECT_UID: generate a new UUID4 value
* PROJECT_CREATION: get the time now and convert it into RFC3339 form
* PROJECT_EXPIRED: project object has just been created, so it is
has not yet expired
"""
config = pm.getService('config')
hostname = config.get('flask.hostname')
fields[
'PROJECT_URN'] = 'urn:publicid+IDN+' + hostname + '+project+' + fields.get(
'PROJECT_NAME')
fields['PROJECT_UID'] = str(uuid.uuid4())
fields['PROJECT_CREATION'] = pyrfc3339.generate(
datetime.datetime.utcnow().replace(tzinfo=pytz.utc))
fields['PROJECT_EXPIRED'] = False
return self._resource_manager_tools.object_create(
self.AUTHORITY_NAME, fields, 'project')
def update_project(self, urn, client_cert, credentials, fields, options):
"""
Update a project object.
"""
return self._resource_manager_tools.object_update(
self.AUTHORITY_NAME, fields, 'project', {'PROJECT_URN': urn})
def delete_project(self, urn, client_cert, credentials, options):
"""
Delete a project object.
"""
return self._resource_manager_tools.object_delete(
self.AUTHORITY_NAME, 'project', {'PROJECT_URN': urn})
def lookup_project(self, client_cert, credentials, match, filter_,
options):
"""
Lookup a project object.
"""
return self._resource_manager_tools.object_lookup(
self.AUTHORITY_NAME, 'project', match, filter_)
def modify_slice_membership(self, urn, certificate, credentials, options):
"""
Modify a slice membership object.
"""
return self._resource_manager_tools.member_modify(
self.AUTHORITY_NAME, 'slice_member', urn, options, 'SLICE_MEMBER',
'SLICE_URN')
def modify_project_membership(self, urn, certificate, credentials,
options):
"""
Modify a project membership object.
"""
return self._resource_manager_tools.member_modify(
self.AUTHORITY_NAME, 'project_member', urn, options,
'PROJECT_MEMBER', 'PROJECT_URN')
def lookup_slice_membership(self, urn, certificate, credentials, options):
"""
Lookup a slice membership object.
"""
return self._resource_manager_tools.member_lookup(
self.AUTHORITY_NAME, 'slice_member', 'SLICE_URN', urn,
['SLICE_URN'])
def lookup_project_membership(self, urn, certificate, credentials,
options):
"""
Lookup a project membership object.
"""
return self._resource_manager_tools.member_lookup(
self.AUTHORITY_NAME, 'project_member', 'PROJECT_URN', urn,
['PROJECT_URN'])
def lookup_slice_membership_for_member(self, member_urn, certificate,
credentials, options):
"""
Lookup a slice membership object for a given member.
"""
return self._resource_manager_tools.member_lookup(
self.AUTHORITY_NAME, 'slice_member', 'SLICE_MEMBER', member_urn,
['SLICE_MEMBER'])
def lookup_project_membership_for_member(self, member_urn, certificate,
credentials, options):
"""
Lookup a project membership object for a given member.
"""
return self._resource_manager_tools.member_lookup(
self.AUTHORITY_NAME, 'project_member', 'PROJECT_MEMBER',
member_urn, ['PROJECT_MEMBER'])
from sqlalchemy.orm import scoped_session, sessionmaker
from sqlalchemy.orm.exc import MultipleResultsFound, NoResultFound
from sqlalchemy.ext.declarative import declarative_base
from sqlalchemy.sql import exists
import amsoil.core.pluginmanager as pm
import amsoil.core.log
logger = amsoil.core.log.getLogger('worker')
from amsoil.config import expand_amsoil_path
from ip import IP
# initialize sqlalchemy
DHCPDB_PATH = expand_amsoil_path(pm.getService('config').get('dhcprm.dbpath'))
DHCPDB_ENGINE = "sqlite:///%s" % (DHCPDB_PATH, )
db_engine = create_engine(
DHCPDB_ENGINE, pool_recycle=6000) # please see the wiki for more info
db_session_factory = sessionmaker(
autoflush=True, bind=db_engine, expire_on_commit=False
) # the class which can create sessions (factory pattern)
db_session = scoped_session(
db_session_factory
) # still a session creator, but it will create _one_ session per thread and delegate all method calls to it
Base = declarative_base(
) # get the base class for the ORM, which includes the metadata object (collection of table descriptions)
# We should limit the session's scope (lifetime) to one request. Yet, here we have a different solution.
# In order to avoid side effects (from someone changing a database object), we expunge_all() objects when we hand out objects to other classes.
import os.path
from datetime import datetime
from sqlalchemy import Table, Column, MetaData, ForeignKey, PickleType, DateTime, String, Integer, Text, create_engine, select, and_, or_, not_, event
from sqlalchemy.orm import scoped_session, sessionmaker, mapper
from sqlalchemy.orm.exc import MultipleResultsFound, NoResultFound
from sqlalchemy.ext.declarative import declarative_base
import amsoil.core.pluginmanager as pm
import amsoil.core.log
logger = amsoil.core.log.getLogger('worker')
from amsoil.config import expand_amsoil_path
WORKERDB_PATH = expand_amsoil_path(
pm.getService('config').get('worker.dbpath'))
WORKERDB_ENGINE = "sqlite:///%s" % (WORKERDB_PATH, )
# initialize sqlalchemy
db_engine = create_engine(
WORKERDB_ENGINE, pool_recycle=6000) # please see the wiki for more info
db_session_factory = sessionmaker(
autoflush=True, bind=db_engine, expire_on_commit=False
) # the class which can create sessions (factory pattern)
db_session = scoped_session(
db_session_factory
) # still a session creator, but it will create _one_ session per thread and delegate all method calls to it
# we could limit the session's scope (lifetime) to one request, but for this plugin it is not necessary
Base = declarative_base(
) # get the base class for the ORM, which includes the metadata object (collection of table descriptions)
import amsoil.core.pluginmanager as pm
import hashlib, datetime
from amsoil.config import expand_amsoil_path
from amsoil.config import (registration_server_ip, registration_server_port)
from SocketServer import ThreadingMixIn
from jsonrpclib.SimpleJSONRPCServer import SimpleJSONRPCServer
from registration_utils import *
KEY_PATH = expand_amsoil_path('test/creds') + '/'
AUTHORITY_NAME = 'ma'
AUTHORITY="cbas.eict.de"
MA_CERT_FILE = 'ma-cert.pem'
MA_KEY_FILE = 'ma-key.pem'
CRED_EXPIRY = datetime.datetime.utcnow() + datetime.timedelta(days=100)
class RegistrationAppServer(ThreadingMixIn, SimpleJSONRPCServer):
pass
def register_user(first_name, last_name, user_name, user_email, public_key=None, privileges=[]):
"""
Register user by creating public ssh Keys and credentials
Args:
first_name: The first name of the user which will be included in the URN
last_name: The last name of the user which will be included in the URN
username: A name that might be used to reference a certail user
email : The User Email
logger.info("Removing expired OPENNAAS elements: %s(%s) on slice %s" % (lease.name, lease.resType, lease.slice_name,))
self.free_lease(lease)
return
# ----------------------------------------------------
# ------------------ database stuff ------------------
# ----------------------------------------------------
from sqlalchemy import Column, Integer, String, DateTime, create_engine
from sqlalchemy.orm import scoped_session, sessionmaker
from sqlalchemy.ext.declarative import declarative_base
from amsoil.config import expand_amsoil_path
from datetime import datetime, timedelta
# initialize sqlalchemy
OPENNAASDB_PATH = expand_amsoil_path(pm.getService('config').get('opennaas.dbpath'))
OPENNAASDB_ENGINE = "sqlite:///%s" % (OPENNAASDB_PATH,)
db_engine = create_engine(OPENNAASDB_ENGINE, pool_recycle=6000) # please see the wiki for more info
db_session_factory = sessionmaker(autoflush=True, bind=db_engine, expire_on_commit=False) # the class which can create sessions (factory pattern)
db_session = scoped_session(db_session_factory) # still a session creator, but it will create _one_ session per thread and delegate all method calls to it
Base = declarative_base() # get the base class for the ORM, which includes the metadata object (collection of table descriptions)
# We should limit the session's scope (lifetime) to one request. Yet, here we have a different solution.
# In order to avoid side effects (from someone changing a database object), we expunge_all() objects when we hand out objects to other classes.
# So, we can leave the session as it is, because there are no objects in it anyway.
class OPENNAASLease(Base):
"""Please see the Database wiki page."""
__tablename__ = 'leases'
from sqlalchemy import Column, Integer, String, DateTime, create_engine
from sqlalchemy.orm import scoped_session, sessionmaker
from sqlalchemy.orm.exc import MultipleResultsFound, NoResultFound
from sqlalchemy.ext.declarative import declarative_base
from sqlalchemy.sql import exists
import amsoil.core.pluginmanager as pm
import amsoil.core.log
logger=amsoil.core.log.getLogger('worker')
from amsoil.config import expand_amsoil_path
from ip import IP
# initialize sqlalchemy
DHCPDB_PATH = expand_amsoil_path(pm.getService('config').get('dhcprm.dbpath'))
DHCPDB_ENGINE = "sqlite:///%s" % (DHCPDB_PATH,)
db_engine = create_engine(DHCPDB_ENGINE, pool_recycle=6000) # please see the wiki for more info
db_session_factory = sessionmaker(autoflush=True, bind=db_engine, expire_on_commit=False) # the class which can create sessions (factory pattern)
db_session = scoped_session(db_session_factory) # still a session creator, but it will create _one_ session per thread and delegate all method calls to it
Base = declarative_base() # get the base class for the ORM, which includes the metadata object (collection of table descriptions)
# We should limit the session's scope (lifetime) to one request. Yet, here we have a different solution.
# In order to avoid side effects (from someone changing a database object), we expunge_all() objects when we hand out objects to other classes.
# So, we can leave the session as it is, because there are no objects in it anyway.
class DHCPLease(Base):
"""Please see the Database wiki page."""
__tablename__ = 'leases'