def verify_slice(self, slice_hrn, slice_record, peer, sfa_peer, options={}):
slicename = hrn_to_pl_slicename(slice_hrn)
parts = slicename.split("_")
login_base = parts[0]
slices = self.driver.shell.GetSlices([slicename])
if not slices:
slice = {'name': slicename,
'url': slice_record.get('url', slice_hrn),
'description': slice_record.get('description', slice_hrn)}
# add the slice
slice['slice_id'] = self.driver.shell.AddSlice(slice)
slice['node_ids'] = []
slice['person_ids'] = []
if peer:
slice['peer_slice_id'] = slice_record.get('slice_id', None)
# mark this slice as an sfa peer record
# if sfa_peer:
# peer_dict = {'type': 'slice', 'hrn': slice_hrn,
# 'peer_authority': sfa_peer, 'pointer': slice['slice_id']}
# self.registry.register_peer_object(self.credential, peer_dict)
else:
slice = slices[0]
if peer:
slice['peer_slice_id'] = slice_record.get('slice_id', None)
# unbind from peer so we can modify if necessary. Will bind back later
self.driver.shell.UnBindObjectFromPeer('slice', slice['slice_id'], peer['shortname'])
#Update existing record (e.g. expires field) it with the latest info.
if slice_record.get('expires'):
requested_expires = int(datetime_to_epoch(utcparse(slice_record['expires'])))
if requested_expires and slice['expires'] != requested_expires:
self.driver.shell.UpdateSlice( slice['slice_id'], {'expires' : requested_expires})
return slice
def verify_slice(self, slice_hrn, slice_record, expiration, options={}):
slicename = hrn_to_unigetestbed_slicename(slice_hrn)
parts = slicename.split("_")
login_base = parts[0]
slices = self.driver.shell.GetSlices({'slice_name': slicename})
if not slices:
slice = {'slice_name': slicename}
# add the slice
slice['slice_id'] = self.driver.shell.AddSlice(slice)
slice['node_ids'] = []
slice['user_ids'] = []
else:
slice = slices[0]
if slice_record and slice_record.get('expires'):
requested_expires = int(
datetime_to_epoch(utcparse(slice_record['expires'])))
if requested_expires and slice['expires'] != requested_expires:
self.driver.shell.UpdateSlice({
'slice_id': slice['slice_id'],
'fields': {
'expires': expiration
}
})
return slice
def GetCredential(self, api, xrn, type, caller_xrn=None):
# convert xrn to hrn
if type:
hrn = urn_to_hrn(xrn)[0]
else:
hrn, type = urn_to_hrn(xrn)
# Is this a root or sub authority
auth_hrn = api.auth.get_authority(hrn)
if not auth_hrn or hrn == api.config.SFA_INTERFACE_HRN:
auth_hrn = hrn
auth_info = api.auth.get_auth_info(auth_hrn)
# get record info
record=dbsession.query(RegRecord).filter_by(type=type,hrn=hrn).first()
if not record:
raise RecordNotFound("hrn=%s, type=%s"%(hrn,type))
# get the callers gid
# if caller_xrn is not specified assume the caller is the record
# object itself.
if not caller_xrn:
caller_hrn = hrn
caller_gid = record.get_gid_object()
else:
caller_hrn, caller_type = urn_to_hrn(caller_xrn)
if caller_type:
caller_record = dbsession.query(RegRecord).filter_by(hrn=caller_hrn,type=caller_type).first()
else:
caller_record = dbsession.query(RegRecord).filter_by(hrn=caller_hrn).first()
if not caller_record:
raise RecordNotFound("Unable to associated caller (hrn=%s, type=%s) with credential for (hrn: %s, type: %s)"%(caller_hrn, caller_type, hrn, type))
caller_gid = GID(string=caller_record.gid)i
object_hrn = record.get_gid_object().get_hrn()
# call the builtin authorization/credential generation engine
rights = api.auth.determine_user_rights(caller_hrn, record)
# make sure caller has rights to this object
if rights.is_empty():
raise PermissionError("%s has no rights to %s (%s)" % \
(caller_hrn, object_hrn, xrn))
object_gid = GID(string=record.gid)
new_cred = Credential(subject = object_gid.get_subject())
new_cred.set_gid_caller(caller_gid)
new_cred.set_gid_object(object_gid)
new_cred.set_issuer_keys(auth_info.get_privkey_filename(), auth_info.get_gid_filename())
#new_cred.set_pubkey(object_gid.get_pubkey())
new_cred.set_privileges(rights)
new_cred.get_privileges().delegate_all_privileges(True)
if hasattr(record,'expires'):
date = utcparse(record.expires)
expires = datetime_to_epoch(date)
new_cred.set_expiration(int(expires))
auth_kind = "authority,ma,sa"
# Parent not necessary, verify with certs
#new_cred.set_parent(api.auth.hierarchy.get_auth_cred(auth_hrn, kind=auth_kind))
new_cred.encode()
new_cred.sign()
return new_cred.save_to_string(save_parents=True)
def GetCredential(self, api, xrn, type, caller_xrn=None):
# convert xrn to hrn
if type:
hrn = urn_to_hrn(xrn)[0]
else:
hrn, type = urn_to_hrn(xrn)
# Is this a root or sub authority
auth_hrn = api.auth.get_authority(hrn)
if not auth_hrn or hrn == api.config.SFA_INTERFACE_HRN:
auth_hrn = hrn
auth_info = api.auth.get_auth_info(auth_hrn)
# get record info
record=dbsession.query(RegRecord).filter_by(type=type,hrn=hrn).first()
if not record:
raise RecordNotFound("hrn=%s, type=%s"%(hrn,type))
# get the callers gid
# if caller_xrn is not specified assume the caller is the record
# object itself.
if not caller_xrn:
caller_hrn = hrn
caller_gid = record.get_gid_object()
else:
caller_hrn, caller_type = urn_to_hrn(caller_xrn)
if caller_type:
caller_record = dbsession.query(RegRecord).filter_by(hrn=caller_hrn,type=caller_type).first()
else:
caller_record = dbsession.query(RegRecord).filter_by(hrn=caller_hrn).first()
if not caller_record:
raise RecordNotFound("Unable to associated caller (hrn=%s, type=%s) with credential for (hrn: %s, type: %s)"%(caller_hrn, caller_type, hrn, type))
caller_gid = GID(string=caller_record.gid)
object_hrn = record.get_gid_object().get_hrn()
# call the builtin authorization/credential generation engine
rights = api.auth.determine_user_rights(caller_hrn, record)
# make sure caller has rights to this object
if rights.is_empty():
raise PermissionError("%s has no rights to %s (%s)" % \
(caller_hrn, object_hrn, xrn))
object_gid = GID(string=record.gid)
new_cred = Credential(subject = object_gid.get_subject())
new_cred.set_gid_caller(caller_gid)
new_cred.set_gid_object(object_gid)
new_cred.set_issuer_keys(auth_info.get_privkey_filename(), auth_info.get_gid_filename())
#new_cred.set_pubkey(object_gid.get_pubkey())
new_cred.set_privileges(rights)
new_cred.get_privileges().delegate_all_privileges(True)
if hasattr(record,'expires'):
date = utcparse(record.expires)
expires = datetime_to_epoch(date)
new_cred.set_expiration(int(expires))
auth_kind = "authority,ma,sa"
# Parent not necessary, verify with certs
#new_cred.set_parent(api.auth.hierarchy.get_auth_cred(auth_hrn, kind=auth_kind))
new_cred.encode()
new_cred.sign()
return new_cred.save_to_string(save_parents=True)
def verify_slice(self,
slice_hrn,
slice_record,
sfa_peer,
expiration,
options={}):
#top_auth_hrn = top_auth(slice_hrn)
#site_hrn = '.'.join(slice_hrn.split('.')[:-1])
#slice_part = slice_hrn.split('.')[-1]
#if top_auth_hrn == self.driver.hrn:
# login_base = slice_hrn.split('.')[-2][:12]
#else:
# login_base = hash_loginbase(site_hrn)
#slice_name = '_'.join([login_base, slice_part])
plxrn = PlXrn(xrn=slice_hrn)
slice_hrn = plxrn.get_hrn()
type = plxrn.get_type()
site_hrn = plxrn.get_authority_hrn()
authority_name = plxrn.pl_authname()
slicename = plxrn.pl_slicename()
login_base = plxrn.pl_login_base()
slices = self.driver.shell.GetSlices({'peer_id': None},
['slice_id', 'name', 'hrn'])
# Filter slices by HRN
slice_exists = [slice for slice in slices if slice['hrn'] == slice_hrn]
expires = int(datetime_to_epoch(utcparse(expiration)))
if not slice_exists:
if slice_record:
url = slice_record.get('url', slice_hrn)
description = slice_record.get('description', slice_hrn)
else:
url = slice_hrn
description = slice_hrn
slice = {
'name': slice_name,
'url': url,
'description': description
}
# add the slice
slice['slice_id'] = self.driver.shell.AddSlice(slice)
# set the slice HRN
self.driver.shell.SetSliceHrn(int(slice['slice_id']), slice_hrn)
# Tag this as created through SFA
self.driver.shell.SetSliceSfaCreated(int(slice['slice_id']),
'True')
# set the expiration
self.driver.shell.UpdateSlice(int(slice['slice_id']),
{'expires': expires})
else:
slice = slice_exists[0]
#Update expiration if necessary
if slice.get('expires', None) != expires:
self.driver.shell.UpdateSlice(int(slice['slice_id']),
{'expires': expires})
return self.driver.shell.GetSlices(int(slice['slice_id']))[0]
def renew (self, urns, expiration_time, options={}):
aggregate = unigetestbedAggregate(self)
slivers = aggregate.get_slivers(urns)
if not slivers:
raise SearchFailed(urns)
slice = slivers[0]
requested_time = utcparse(expiration_time)
record = {'expires': int(datetime_to_epoch(requested_time))}
self.shell.UpdateSlice({'slice_id': slice['slice_id'], 'fileds': record})
description = self.describe(urns, 'GENI 3', options)
return description['geni_slivers']
def renew(self, urns, expiration_time, options={}):
aggregate = PlAggregate(self)
slivers = aggregate.get_slivers(urns)
if not slivers:
raise SearchFailed(urns)
slice = slivers[0]
requested_time = utcparse(expiration_time)
record = {'expires': int(datetime_to_epoch(requested_time))}
self.shell.UpdateSlice(slice['slice_id'], record)
description = self.describe(urns, 'GENI 3', options)
return description['geni_slivers']
def renew_sliver (self, slice_urn, slice_hrn, creds, expiration_time, options):
slicename = hrn_to_pl_slicename(slice_hrn)
slices = self.shell.GetSlices({'name': slicename}, ['slice_id'])
if not slices:
raise RecordNotFound(slice_hrn)
slice = slices[0]
requested_time = utcparse(expiration_time)
record = {'expires': int(datetime_to_epoch(requested_time))}
try:
self.shell.UpdateSlice(slice['slice_id'], record)
return True
except:
return False
def renew_sliver(self, slice_urn, slice_hrn, creds, expiration_time, options):
slicename = hrn_to_dummy_slicename(slice_hrn)
slices = self.shell.GetSlices({"slice_name": slicename})
if not slices:
raise RecordNotFound(slice_hrn)
slice = slices[0]
requested_time = utcparse(expiration_time)
record = {"expires": int(datetime_to_epoch(requested_time))}
try:
self.shell.UpdateSlice({"slice_id": slice["slice_id"], "fields": record})
return True
except:
return False
def renew_sliver(self, slice_urn, slice_hrn, creds, expiration_time,
options):
slicename = hrn_to_nitos_slicename(slice_hrn)
slices = self.shell.GetSlices({'slicename': slicename}, ['slice_id'])
if not slices:
raise RecordNotFound(slice_hrn)
slice = slices[0]
requested_time = utcparse(expiration_time)
record = {'expires': int(datetime_to_epoch(requested_time))}
try:
self.shell.UpdateSlice(slice['slice_id'], record)
return True
except:
return False
def verify_slice(self, slice_hrn, slice_record, sfa_peer, expiration, options=None):
if options is None: options={}
top_auth_hrn = top_auth(slice_hrn)
site_hrn = '.'.join(slice_hrn.split('.')[:-1])
slice_part = slice_hrn.split('.')[-1]
if top_auth_hrn == self.driver.hrn:
login_base = slice_hrn.split('.')[-2][:12]
else:
login_base = hash_loginbase(site_hrn)
slice_name = '_'.join([login_base, slice_part])
expires = int(datetime_to_epoch(utcparse(expiration)))
# Filter slices by HRN
slices = self.driver.shell.GetSlices({'peer_id': None, 'hrn':slice_hrn},
['slice_id','name','hrn','expires'])
if slices:
slice = slices[0]
slice_id = slice['slice_id']
#Update expiration if necessary
if slice.get('expires', None) != expires:
self.driver.shell.UpdateSlice( slice_id, {'expires' : expires})
else:
if slice_record:
url = slice_record.get('url', slice_hrn)
description = slice_record.get('description', slice_hrn)
else:
url = slice_hrn
description = slice_hrn
slice = {'name': slice_name,
'url': url,
'description': description,
'hrn': slice_hrn,
'sfa_created': 'True',
#'expires': expires,
}
# add the slice
slice_id = self.driver.shell.AddSlice(slice)
# plcapi tends to mess with the incoming hrn so let's make sure
self.driver.shell.SetSliceHrn (slice_id, slice_hrn)
# cannot be set with AddSlice
# set the expiration
self.driver.shell.UpdateSlice(slice_id, {'expires': expires})
return self.driver.shell.GetSlices(slice_id)[0]
def verify_slice(self, slice_hrn, slice_record, expiration, options={}):
slicename = hrn_to_dummy_slicename(slice_hrn)
parts = slicename.split("_")
login_base = parts[0]
slices = self.driver.shell.GetSlices({'slice_name': slicename})
if not slices:
slice = {'slice_name': slicename}
# add the slice
slice['slice_id'] = self.driver.shell.AddSlice(slice)
slice['node_ids'] = []
slice['user_ids'] = []
else:
slice = slices[0]
if slice_record and slice_record.get('expires'):
requested_expires = int(datetime_to_epoch(utcparse(slice_record['expires'])))
if requested_expires and slice['expires'] != requested_expires:
self.driver.shell.UpdateSlice( {'slice_id': slice['slice_id'], 'fields':{'expires' : expiration}})
return slice
def sfa_fields_to_pl_fields(self, type, hrn, sfa_record):
pl_record = {}
if type == "slice":
pl_record["name"] = hrn_to_pl_slicename(hrn)
if "instantiation" in sfa_record:
pl_record['instantiation'] = sfa_record['instantiation']
else:
pl_record["instantiation"] = "plc-instantiated"
if "url" in sfa_record:
pl_record["url"] = sfa_record["url"]
if "description" in sfa_record:
pl_record["description"] = sfa_record["description"]
if "expires" in sfa_record:
date = utcparse(sfa_record['expires'])
expires = datetime_to_epoch(date)
pl_record["expires"] = expires
elif type == "node":
if not "hostname" in pl_record:
# fetch from sfa_record
if "hostname" not in sfa_record:
raise MissingSfaInfo("hostname")
pl_record["hostname"] = sfa_record["hostname"]
if "model" in sfa_record:
pl_record["model"] = sfa_record["model"]
else:
pl_record["model"] = "geni"
elif type == "authority":
pl_record["login_base"] = PlXrn(xrn=hrn,
type='authority').pl_login_base()
if "name" not in sfa_record:
pl_record["name"] = hrn
if "abbreviated_name" not in sfa_record:
pl_record["abbreviated_name"] = hrn
if "enabled" not in sfa_record:
pl_record["enabled"] = True
if "is_public" not in sfa_record:
pl_record["is_public"] = True
return pl_record
def sfa_fields_to_pl_fields(self, type, hrn, sfa_record):
pl_record = {}
if type == "slice":
pl_record["name"] = hrn_to_pl_slicename(hrn)
if "instantiation" in sfa_record:
pl_record['instantiation']=sfa_record['instantiation']
else:
pl_record["instantiation"] = "plc-instantiated"
if "url" in sfa_record:
pl_record["url"] = sfa_record["url"]
if "description" in sfa_record:
pl_record["description"] = sfa_record["description"]
if "expires" in sfa_record:
date = utcparse(sfa_record['expires'])
expires = datetime_to_epoch(date)
pl_record["expires"] = expires
elif type == "node":
if not "hostname" in pl_record:
# fetch from sfa_record
if "hostname" not in sfa_record:
raise MissingSfaInfo("hostname")
pl_record["hostname"] = sfa_record["hostname"]
if "model" in sfa_record:
pl_record["model"] = sfa_record["model"]
else:
pl_record["model"] = "geni"
elif type == "authority":
pl_record["login_base"] = PlXrn(xrn=hrn,type='authority').pl_login_base()
if "name" not in sfa_record:
pl_record["name"] = hrn
if "abbreviated_name" not in sfa_record:
pl_record["abbreviated_name"] = hrn
if "enabled" not in sfa_record:
pl_record["enabled"] = True
if "is_public" not in sfa_record:
pl_record["is_public"] = True
return pl_record
def GetCredential(self, api, xrn, type, caller_xrn=None):
# convert xrn to hrn
if type:
hrn = urn_to_hrn(xrn)[0]
else:
hrn, type = urn_to_hrn(xrn)
# Is this a root or sub authority
auth_hrn = api.auth.get_authority(hrn)
if not auth_hrn or hrn == api.config.SFA_INTERFACE_HRN:
auth_hrn = hrn
auth_info = api.auth.get_auth_info(auth_hrn)
# get record info
filter = {'hrn': hrn}
if type:
filter['type'] = type
record = dbsession.query(RegRecord).filter_by(**filter).first()
if not record:
raise RecordNotFound("hrn=%s, type=%s" % (hrn, type))
# verify_cancreate_credential requires that the member lists
# (researchers, pis, etc) be filled in
logger.debug("get credential before augment dict, keys=%s" %
record.__dict__.keys())
self.driver.augment_records_with_testbed_info(record.__dict__)
logger.debug("get credential after augment dict, keys=%s" %
record.__dict__.keys())
if not self.driver.is_enabled(record.__dict__):
raise AccountNotEnabled(
": PlanetLab account %s is not enabled. Please contact your site PI"
% (record.email))
# get the callers gid
# if caller_xrn is not specified assume the caller is the record
# object itself.
if not caller_xrn:
caller_hrn = hrn
caller_gid = record.get_gid_object()
else:
caller_hrn, caller_type = urn_to_hrn(caller_xrn)
caller_filter = {'hrn': caller_hrn}
if caller_type:
caller_filter['type'] = caller_type
caller_record = dbsession.query(RegRecord).filter_by(
**caller_filter).first()
if not caller_record:
raise RecordNotFound(
"Unable to associated caller (hrn=%s, type=%s) with credential for (hrn: %s, type: %s)"
% (caller_hrn, caller_type, hrn, type))
caller_gid = GID(string=caller_record.gid)
object_hrn = record.get_gid_object().get_hrn()
rights = api.auth.determine_user_rights(caller_hrn, record.todict())
# make sure caller has rights to this object
if rights.is_empty():
raise PermissionError(caller_hrn + " has no rights to " +
record.hrn)
object_gid = GID(string=record.gid)
new_cred = Credential(subject=object_gid.get_subject())
new_cred.set_gid_caller(caller_gid)
new_cred.set_gid_object(object_gid)
new_cred.set_issuer_keys(auth_info.get_privkey_filename(),
auth_info.get_gid_filename())
#new_cred.set_pubkey(object_gid.get_pubkey())
new_cred.set_privileges(rights)
new_cred.get_privileges().delegate_all_privileges(True)
if hasattr(record, 'expires'):
date = utcparse(record.expires)
expires = datetime_to_epoch(date)
new_cred.set_expiration(int(expires))
auth_kind = "authority,ma,sa"
# Parent not necessary, verify with certs
#new_cred.set_parent(api.auth.hierarchy.get_auth_cred(auth_hrn, kind=auth_kind))
new_cred.encode()
new_cred.sign()
return new_cred.save_to_string(save_parents=True)
def GetCredential(self, api, xrn, type, caller_xrn=None):
# convert xrn to hrn
if type:
hrn = urn_to_hrn(xrn)[0]
else:
hrn, type = urn_to_hrn(xrn)
# Is this a root or sub authority
auth_hrn = api.auth.get_authority(hrn)
if not auth_hrn or hrn == api.config.SFA_INTERFACE_HRN:
auth_hrn = hrn
auth_info = api.auth.get_auth_info(auth_hrn)
# get record info
filter = {"hrn": hrn}
if type:
filter["type"] = type
record = dbsession.query(RegRecord).filter_by(**filter).first()
if not record:
raise RecordNotFound("hrn=%s, type=%s" % (hrn, type))
# verify_cancreate_credential requires that the member lists
# (researchers, pis, etc) be filled in
logger.debug("get credential before augment dict, keys=%s" % record.__dict__.keys())
api.driver.augment_records_with_testbed_info(record.__dict__)
logger.debug("get credential after augment dict, keys=%s" % record.__dict__.keys())
if not api.driver.is_enabled(record.__dict__):
raise AccountNotEnabled(
": PlanetLab account %s is not enabled. Please contact your site PI" % (record.email)
)
# get the callers gid
# if caller_xrn is not specified assume the caller is the record
# object itself.
if not caller_xrn:
caller_hrn = hrn
caller_gid = record.get_gid_object()
else:
caller_hrn, caller_type = urn_to_hrn(caller_xrn)
caller_filter = {"hrn": caller_hrn}
if caller_type:
caller_filter["type"] = caller_type
caller_record = dbsession.query(RegRecord).filter_by(**caller_filter).first()
if not caller_record:
raise RecordNotFound(
"Unable to associated caller (hrn=%s, type=%s) with credential for (hrn: %s, type: %s)"
% (caller_hrn, caller_type, hrn, type)
)
caller_gid = GID(string=caller_record.gid)
object_hrn = record.get_gid_object().get_hrn()
rights = api.auth.determine_user_rights(caller_hrn, record)
# make sure caller has rights to this object
if rights.is_empty():
raise PermissionError(caller_hrn + " has no rights to " + record.hrn)
object_gid = GID(string=record.gid)
new_cred = Credential(subject=object_gid.get_subject())
new_cred.set_gid_caller(caller_gid)
new_cred.set_gid_object(object_gid)
new_cred.set_issuer_keys(auth_info.get_privkey_filename(), auth_info.get_gid_filename())
# new_cred.set_pubkey(object_gid.get_pubkey())
new_cred.set_privileges(rights)
new_cred.get_privileges().delegate_all_privileges(True)
if hasattr(record, "expires"):
date = utcparse(record.expires)
expires = datetime_to_epoch(date)
new_cred.set_expiration(int(expires))
auth_kind = "authority,ma,sa"
# Parent not necessary, verify with certs
# new_cred.set_parent(api.auth.hierarchy.get_auth_cred(auth_hrn, kind=auth_kind))
new_cred.encode()
new_cred.sign()
return new_cred.save_to_string(save_parents=True)
