def create_top_level_auth_records(self, hrn): """ Create top level records (includes root and sub authorities (local/remote) """ urn = hrn_to_urn(hrn, 'authority') # make sure parent exists parent_hrn = get_authority(hrn) if not parent_hrn: parent_hrn = hrn if not parent_hrn == hrn: self.create_top_level_auth_records(parent_hrn) # create the authority if it doesnt already exist if not self.AuthHierarchy.auth_exists(urn): self.logger.info("Import: creating top level authorities") self.AuthHierarchy.create_auth(urn) # create the db record if it doesnt already exist auth_info = self.AuthHierarchy.get_auth_info(hrn) table = SfaTable() auth_record = table.find({'type': 'authority', 'hrn': hrn}) if not auth_record: auth_record = SfaRecord(hrn=hrn, gid=auth_info.get_gid_object(), type="authority", pointer=-1) auth_record['authority'] = get_authority(auth_record['hrn']) self.logger.info("Import: inserting authority record for %s"%hrn) table.insert(auth_record)
def get_sfa_peer(api, hrn): # return the authority for this hrn or None if we are the authority sfa_peer = None slice_authority = get_authority(hrn) site_authority = get_authority(slice_authority) if site_authority != api.hrn: sfa_peer = site_authority return sfa_peer
def get_sfa_peer(self, xrn): hrn, type = urn_to_hrn(xrn) # return the authority for this hrn or None if we are the authority sfa_peer = None slice_authority = get_authority(hrn) site_authority = get_authority(slice_authority) if site_authority != self.driver.hrn: sfa_peer = site_authority return sfa_peer
def get_sfa_peer(self, xrn): hrn, type = urn_to_hrn(xrn) # return the authority for this hrn or None if we are the authority sfa_peer = None slice_authority = get_authority(hrn) site_authority = get_authority(slice_authority) if site_authority != self.api.hrn: sfa_peer = site_authority return sfa_peer
def import_tenants(self, existing_hrns, existing_records): # Get all tenants # A tenant can represent an organizational group (site) or a # slice. If a tenant's authorty/parent matches the root authority it is # considered a group/site. All other tenants are considered slices. tenants = self.shell.auth_manager.tenants.list() tenants_dict = {} for tenant in tenants: hrn = self.config.SFA_INTERFACE_HRN + '.' + tenant.name tenants_dict[hrn] = tenant authority_hrn = OSXrn(xrn=hrn, type='authority').get_authority_hrn() if hrn in existing_hrns: continue if authority_hrn == self.config.SFA_INTERFACE_HRN: # import group/site record = RegAuthority() urn = OSXrn(xrn=hrn, type='authority').get_urn() if not self.auth_hierarchy.auth_exists(urn): self.auth_hierarchy.create_auth(urn) auth_info = self.auth_hierarchy.get_auth_info(urn) gid = auth_info.get_gid_object() record.type = 'authority' record.hrn = hrn record.gid = gid record.authority = get_authority(hrn) global_dbsession.add(record) global_dbsession.commit() self.logger.info("OpenstackImporter: imported authority: %s" % record) else: record = RegSlice() urn = OSXrn(xrn=hrn, type='slice').get_urn() pkey = Keypair(create=True) gid = self.auth_hierarchy.create_gid(urn, create_uuid(), pkey) record.type = 'slice' record.hrn = hrn record.gid = gid record.authority = get_authority(hrn) global_dbsession.add(record) global_dbsession.commit() self.logger.info("OpenstackImporter: imported slice: %s" % record) return tenants_dict
def import_site(self, hrn, site): shell = self.shell plc_auth = self.plc_auth urn = hrn_to_urn(hrn, 'authority') self.logger.info("Import: site %s"%hrn) # create the authority if not self.AuthHierarchy.auth_exists(urn): self.AuthHierarchy.create_auth(urn) auth_info = self.AuthHierarchy.get_auth_info(urn) table = SfaTable() auth_record = SfaRecord(hrn=hrn, gid=auth_info.get_gid_object(), type="authority", pointer=site['site_id']) auth_record['authority'] = get_authority(auth_record['hrn']) existing_records = table.find({'hrn': hrn, 'type': 'authority', 'pointer': site['site_id']}) if not existing_records: table.insert(auth_record) else: self.logger.info("Import: %s exists, updating " % hrn) existing_record = existing_records[0] auth_record['record_id'] = existing_record['record_id'] table.update(auth_record) return hrn
def import_slice(self, parent_hrn, slice): slicename = slice['name'].split("_",1)[-1] slicename = _cleanup_string(slicename) if not slicename: self.logger.error("Import: failed to parse slice name %s" %slice['name']) return hrn = parent_hrn + "." + slicename self.logger.info("Import: slice %s"%hrn) pkey = Keypair(create=True) urn = hrn_to_urn(hrn, 'slice') slice_gid = self.AuthHierarchy.create_gid(urn, create_uuid(), pkey) slice_record = SfaRecord(hrn=hrn, gid=slice_gid, type="slice", pointer=slice['slice_id']) slice_record['authority'] = get_authority(slice_record['hrn']) table = SfaTable() existing_records = table.find({'hrn': hrn, 'type': 'slice', 'pointer': slice['slice_id']}) if not existing_records: table.insert(slice_record) else: self.logger.info("Import: %s exists, updating " % hrn) existing_record = existing_records[0] slice_record['record_id'] = existing_record['record_id'] table.update(slice_record)
def create_interface_records(self): """ Create a record for each SFA interface """ # just create certs for all sfa interfaces even if they # aren't enabled auth_info = self.auth_hierarchy.get_auth_info( self.config.SFA_INTERFACE_HRN) pkey = auth_info.get_pkey_object() hrn = self.config.SFA_INTERFACE_HRN for type in [ 'authority+sa', 'authority+am', 'authority+sm', ]: urn = hrn_to_urn(hrn, type) gid = self.auth_hierarchy.create_gid(urn, create_uuid(), pkey) # for now we have to preserve the authority+<> stuff if self.record_exists(type, hrn): continue interface_record = RegAuthority(type=type, hrn=hrn, gid=gid, authority=get_authority(hrn)) interface_record.just_created() global_dbsession.add(interface_record) global_dbsession.commit() self.logger.info("SfaImporter: imported authority (%s) %s " % (type, interface_record))
def get_auth_ticket(self, xrn): hrn, type = urn_to_hrn(xrn) auth_info = self.get_auth_info(hrn) gid = auth_info.get_gid_object() ticket = SfaTicket(subject=hrn) ticket.set_gid_caller(gid) ticket.set_gid_object(gid) ticket.set_delegate(True) ticket.set_pubkey(auth_info.get_gid_object().get_pubkey()) parent_hrn = get_authority(hrn) if not parent_hrn: # if there is no parent hrn, then it must be self-signed. this # is where we terminate the recursion ticket.set_issuer(auth_info.get_pkey_object(), hrn) else: # we need the parent's private key in order to sign this GID parent_auth_info = self.get_auth_info(parent_hrn) ticket.set_issuer(parent_auth_info.get_pkey_object(), parent_auth_info.hrn) ticket.set_parent(self.get_auth_cred(parent_hrn)) ticket.encode() ticket.sign() return ticket
def update_cert_records(gids): """ Make sure there is a record in the registry for the specified gids. Removes old records from the db. """ # import db stuff here here so this module can be loaded by PlcComponentApi from sfa.storage.alchemy import dbsession from sfa.storage.model import RegRecord if not gids: return # get records that actually exist in the db gid_urns = [gid.get_urn() for gid in gids] hrns_expected = [gid.get_hrn() for gid in gids] records_found = dbsession.query(RegRecord).\ filter_by(pointer=-1).filter(RegRecord.hrn.in_(hrns_expected)).all() # remove old records for record in records_found: if record.hrn not in hrns_expected and \ record.hrn != self.api.config.SFA_INTERFACE_HRN: dbsession.delete(record) # TODO: store urn in the db so we do this in 1 query for gid in gids: hrn, type = gid.get_hrn(), gid.get_type() record = dbsession.query(RegRecord).filter_by(hrn=hrn, type=type,pointer=-1).first() if not record: record = RegRecord (dict= {'type':type, 'hrn': hrn, 'authority': get_authority(hrn), 'gid': gid.save_to_string(save_parents=True), }) dbsession.add(record) dbsession.commit()
def get_pis (self): # don't ruin the import of that file in a client world from sfa.storage.alchemy import dbsession from sfa.util.xrn import get_authority authority_hrn = get_authority(self.hrn) auth_record = dbsession.query(RegAuthority).filter_by(hrn=authority_hrn).first() return auth_record.reg_pis
def get_auth_cred(self, xrn, kind="authority"): hrn, type = urn_to_hrn(xrn) auth_info = self.get_auth_info(hrn) gid = auth_info.get_gid_object() cred = Credential(subject=hrn) cred.set_gid_caller(gid) cred.set_gid_object(gid) cred.set_privileges(kind) cred.get_privileges().delegate_all_privileges(True) #cred.set_pubkey(auth_info.get_gid_object().get_pubkey()) parent_hrn = get_authority(hrn) if not parent_hrn or hrn == self.config.SFA_INTERFACE_HRN: # if there is no parent hrn, then it must be self-signed. this # is where we terminate the recursion cred.set_issuer_keys(auth_info.get_privkey_filename(), auth_info.get_gid_filename()) else: # we need the parent's private key in order to sign this GID parent_auth_info = self.get_auth_info(parent_hrn) cred.set_issuer_keys(parent_auth_info.get_privkey_filename(), parent_auth_info.get_gid_filename()) cred.set_parent(self.get_auth_cred(parent_hrn, kind)) cred.encode() cred.sign() return cred
def testUpdate(self): authority = get_authority(self.hrn) auth_cred = self.client.GetCredential(authority, 'authority') records = self.registry.Resolve(self.credential, self.hrn) if not records: assert False record = records[0] self.registry.update(auth_cred, record)
def get_peer(self, xrn): hrn, hrn_type = urn_to_hrn(xrn) #Does this slice belong to a local site or a peer senslab site? peer = None # get this slice's authority (site) slice_authority = get_authority(hrn) site_authority = slice_authority # get this site's authority (sfa root authority or sub authority) #site_authority = get_authority(slice_authority).lower() logger.debug("SLABSLICES \ get_peer slice_authority %s \ site_authority %s hrn %s" %(slice_authority, \ site_authority, hrn)) #This slice belongs to the current site if site_authority == self.driver.root_auth : return None # check if we are already peered with this site_authority, if so #peers = self.driver.GetPeers({}) peers = self.driver.GetPeers(peer_filter = slice_authority) for peer_record in peers: if site_authority == peer_record.hrn: peer = peer_record logger.debug(" SLABSLICES \tget_peer peer %s " %(peer)) return peer
def create_special_vini_record(self, interface_hrn): # special case for vini if ".vini" in interface_hrn and interface_hrn.endswith('vini'): # create a fake internet2 site first i2site = { 'name': 'Internet2', 'login_base': 'internet2', 'site_id': -1 } site_hrn = _get_site_hrn(interface_hrn, i2site) # import if hrn is not in list of existing hrns or if the hrn exists # but its not a site record if ( 'authority', site_hrn, ) not in self.records_by_type_hrn: urn = hrn_to_urn(site_hrn, 'authority') if not self.auth_hierarchy.auth_exists(urn): self.auth_hierarchy.create_auth(urn) auth_info = self.auth_hierarchy.get_auth_info(urn) auth_record = RegAuthority(hrn=site_hrn, gid=auth_info.get_gid_object(), pointer=site['site_id'], authority=get_authority(site_hrn)) auth_record.just_created() global_dbsession.add(auth_record) global_dbsession.commit() self.logger.info( "PlImporter: Imported authority (vini site) %s" % auth_record) self.remember_record(site_record)
def call(self, cred, record_dict, origin_hrn=None): user_cred = Credential(string=cred) #log the call if not origin_hrn: origin_hrn = user_cred.get_gid_caller().get_hrn() self.api.logger.info("interface: %s\tcaller-hrn: %s\ttarget-hrn: %s\tmethod-name: %s"%(self.api.interface, origin_hrn, None, self.name)) # validate the cred self.api.auth.check(cred, "register") # make sure this is a peer record if 'peer_authority' not in record_dict or \ not record_dict['peer_authority']: raise SfaInvalidArgument, "peer_authority must be specified" record = SfaRecord(dict = record_dict) type, hrn, peer_authority = record['type'], record['hrn'], record['peer_authority'] record['authority'] = get_authority(record['hrn']) # verify permissions self.api.auth.verify_cred_is_me(cred) # check if record already exists table = SfaTable() existing_records = table.find({'type': type, 'hrn': hrn, 'peer_authority': peer_authority}) if existing_records: for existing_record in existing_records: if existing_record['pointer'] != record['pointer']: record['record_id'] = existing_record['record_id'] table.update(record) else: record_id = table.insert(record) return 1
def testRegister(self): authority = get_authority(self.hrn) auth_cred = self.client.GetCredential(authority, 'authority') auth_record = {'hrn': '.'.join([authority, random_string(10).lower()]), 'type': 'authority'} node_record = {'hrn': '.'.join([authority, random_string(10)]), 'type': 'node', 'hostname': random_string(6) + '.' + random_string(6)} slice_record = {'hrn': '.'.join([authority, random_string(10)]), 'type': 'slice', 'researcher': [self.hrn]} user_record = {'hrn': '.'.join([authority, random_string(10)]), 'type': 'user', 'email': random_string(6) +'@'+ random_string(5) +'.'+ random_string(3), 'first_name': random_string(7), 'last_name': random_string(7)} all_records = [auth_record, node_record, slice_record, user_record] for record in all_records: try: self.registry.Register(auth_cred, record) self.registry.Resolve(self.credential, record['hrn']) except: raise finally: try: self.registry.Remove(auth_cred, record['type'], record['hrn']) except: pass
def get_slice_and_slivers(self, slice_xrn, login=None): """ Returns a dict of slivers keyed on the sliver's node_id """ slivers = {} sfa_slice = None if not slice_xrn: return (sfa_slice, slivers) slice_urn = hrn_to_urn(slice_xrn, 'slice') slice_hrn, _ = urn_to_hrn(slice_xrn) slice_name = slice_hrn slices = self.driver.GetSlices(slice_filter= str(slice_name), \ slice_filter_type = 'slice_hrn', login=login) logger.debug("Slabaggregate api \tget_slice_and_slivers \ sfa_slice %s \r\n slices %s self.driver.hrn %s" \ %(sfa_slice, slices, self.driver.hrn)) if not slices: return (sfa_slice, slivers) #if isinstance(sfa_slice, list): #sfa_slice = slices[0] #else: #sfa_slice = slices # sort slivers by node id , if there is a job #and therfore, node allocated to this slice for sfa_slice in slices: try: node_ids_list = sfa_slice['node_ids'] except KeyError: logger.log_exc("SLABAGGREGATE \t \ get_slice_and_slivers KeyError ") continue for node in node_ids_list: sliver_xrn = Xrn(slice_urn, type='sliver', id=node) sliver_xrn.set_authority(self.driver.hrn) #node_id = self.driver.root_auth + '.' + node_id sliver = Sliver({'sliver_id':sliver_xrn.urn, 'name': sfa_slice['hrn'], 'type': 'slab-node', 'tags': []}) slivers[node] = sliver #Add default sliver attribute : #connection information for senslab if get_authority (sfa_slice['hrn']) == self.driver.root_auth: tmp = sfa_slice['hrn'].split('.') ldap_username = tmp[1].split('_')[0] vmaddr = 'ssh ' + ldap_username + '@grenoble.senslab.info' slivers['default_sliver'] = {'vm': vmaddr , 'login': ldap_username} #TODO get_slice_and_slivers Find the login of the external user logger.debug("SLABAGGREGATE api get_slice_and_slivers slivers %s "\ %(slivers)) return (slices, slivers)
def get_credentials(pl_username, private_key, sfi_dir, password): # Getting user from PLE auth = { 'AuthMethod': 'password', 'Username': pl_username, 'AuthString': password } ple = xmlrpclib.Server(PLE_API, allow_none=1) persons = ple.GetPersons(auth, {'email': pl_username}, ['person_id', 'site_ids']) if not persons: raise Exception, "User not found." sys.exit(1) person_id = persons[0]['person_id'] site_id = persons[0]['site_ids'][0] # Getting site from PLE sites = ple.GetSites(auth, {'site_id': site_id}, ['login_base']) if not sites: raise Exception, "Site not found" sys.exit(1) site_hrn = ".".join([INTERFACE_HRN, sites[0]['login_base']]) user_hrn = email_to_hrn(site_hrn, pl_username) # Getting slices from PLE slices = ple.GetSlices(auth, {}, ['name', 'person_ids']) slices = [s for s in slices if person_id in s['person_ids']] # Delegating user account and slices sfa = SfaHelper(user_hrn, private_key, sfi_dir) sfa.bootstrap() creds = [] c = { 'target': user_hrn, 'type': 'user', 'cred': sfa.delegate('user', user_hrn) } creds.append(c) user_auth = get_authority(user_hrn) c = { 'target': user_auth, 'type': 'authority', 'cred': sfa.delegate('authority', user_auth) } creds.append(c) for s in slices: s_hrn = slicename_to_hrn(INTERFACE_HRN, s['name']) c = { 'target': s_hrn, 'type': 'slice', 'cred': sfa.delegate('slice', s_hrn) } creds.append(c) return creds
def _process_ldap_info_for_one_user(self, record, result_data): """ Put the user's ldap data into shape. Only deals with one user record and one user data from ldap. :param record: user record :param result_data: Raw ldap data coming from LdapSearch :returns: user's data dict with 'type','pkey','uid', 'email', 'first_name' 'last_name''serial''authority''peer_authority' 'pointer''hrn' :type record: dict :type result_data: list :rtype :dict """ #One entry only in the ldap data because we used a filter #to find one user only ldapentry = result_data[0][1] logger.debug("LDAP.PY \t LdapFindUser ldapentry %s" % (ldapentry)) tmpname = ldapentry['uid'][0] tmpemail = ldapentry['mail'][0] if ldapentry['mail'][0] == "unknown": tmpemail = None parent_hrn = None peer_authority = None if 'hrn' in record: hrn = record['hrn'] parent_hrn = get_authority(hrn) if parent_hrn != self.authname: peer_authority = parent_hrn #In case the user was not imported from Iotlab LDAP #but from another federated site, has an account in #iotlab but currently using his hrn from federated site #then the login is different from the one found in its hrn if tmpname != hrn.split('.')[1]: hrn = None else: hrn = None results = { 'type': 'user', 'pkey': ldapentry['sshPublicKey'], #'uid': ldapentry[1]['uid'][0], 'uid': tmpname, 'email': tmpemail, #'email': ldapentry[1]['mail'][0], 'first_name': ldapentry['givenName'][0], 'last_name': ldapentry['sn'][0], #'phone': 'none', 'serial': 'none', 'authority': parent_hrn, 'peer_authority': peer_authority, 'pointer': -1, 'hrn': hrn, } return results
def get_pis (self): from sqlalchemy.orm import sessionmaker Session=sessionmaker() dbsession=Session.object_session(self) from sfa.util.xrn import get_authority authority_hrn = get_authority(self.hrn) auth_record = dbsession.query(RegAuthority).filter_by(hrn=authority_hrn).first() return auth_record.reg_pis
def CreateSliver(client): # register a slice that will be used for some test authority = get_authority(client.hrn) auth_cred = client.GetCredential(authority, 'authority') slice_record = {'hrn': ".".join([authority, random_string(10)]), 'type': 'slice', 'researcher': [client.hrn]} client.registry.Register(auth_cred, slice_record) return slice_record
def __get_registry_objects(slice_xrn, creds, users): """ """ hrn, type = urn_to_hrn(slice_xrn) hrn_auth = get_authority(hrn) # Build up objects that an SFA registry would return if SFA # could contact the slice's registry directly reg_objects = None if users: # dont allow special characters in the site login base #only_alphanumeric = re.compile('[^a-zA-Z0-9]+') #login_base = only_alphanumeric.sub('', hrn_auth[:20]).lower() slicename = hrn_to_pl_slicename(hrn) login_base = slicename.split('_')[0] reg_objects = {} site = {} site['site_id'] = 0 site['name'] = 'geni.%s' % login_base site['enabled'] = True site['max_slices'] = 100 # Note: # Is it okay if this login base is the same as one already at this myplc site? # Do we need uniqueness? Should use hrn_auth instead of just the leaf perhaps? site['login_base'] = login_base site['abbreviated_name'] = login_base site['max_slivers'] = 1000 reg_objects['site'] = site slice = {} # get_expiration always returns a normalized datetime - no need to utcparse extime = Credential(string=creds[0]).get_expiration() # If the expiration time is > 60 days from now, set the expiration time to 60 days from now if extime > datetime.datetime.utcnow() + datetime.timedelta(days=60): extime = datetime.datetime.utcnow() + datetime.timedelta(days=60) slice['expires'] = int(time.mktime(extime.timetuple())) slice['hrn'] = hrn slice['name'] = hrn_to_pl_slicename(hrn) slice['url'] = hrn slice['description'] = hrn slice['pointer'] = 0 reg_objects['slice_record'] = slice reg_objects['users'] = {} for user in users: user['key_ids'] = [] hrn, _ = urn_to_hrn(user['urn']) user['email'] = hrn_to_pl_slicename(hrn) + "@geni.net" user['first_name'] = hrn user['last_name'] = hrn reg_objects['users'][user['email']] = user return reg_objects
def import_tenants(self, existing_hrns, existing_records): # Get all tenants # A tenant can represent an organizational group (site) or a # slice. If a tenant's authorty/parent matches the root authority it is # considered a group/site. All other tenants are considered slices. tenants = self.shell.auth_manager.tenants.list() tenants_dict = {} for tenant in tenants: hrn = self.config.SFA_INTERFACE_HRN + '.' + tenant.name tenants_dict[hrn] = tenant authority_hrn = OSXrn(xrn=hrn, type='authority').get_authority_hrn() if hrn in existing_hrns: continue if authority_hrn == self.config.SFA_INTERFACE_HRN: # import group/site record = RegAuthority() urn = OSXrn(xrn=hrn, type='authority').get_urn() if not self.auth_hierarchy.auth_exists(urn): self.auth_hierarchy.create_auth(urn) auth_info = self.auth_hierarchy.get_auth_info(urn) gid = auth_info.get_gid_object() record.type='authority' record.hrn=hrn record.gid=gid record.authority=get_authority(hrn) dbsession.add(record) dbsession.commit() self.logger.info("OpenstackImporter: imported authority: %s" % record) else: record = RegSlice () urn = OSXrn(xrn=hrn, type='slice').get_urn() pkey = Keypair(create=True) gid = self.auth_hierarchy.create_gid(urn, create_uuid(), pkey) record.type='slice' record.hrn=hrn record.gid=gid record.authority=get_authority(hrn) dbsession.add(record) dbsession.commit() self.logger.info("OpenstackImporter: imported slice: %s" % record) return tenants_dict
def import_users(self, existing_hrns, existing_records): # Get all users users = self.shell.auth_manager.users.list() users_dict = {} keys_filename = self.config.config_path + os.sep + 'person_keys.py' old_user_keys = load_keys(keys_filename) user_keys = {} for user in users: auth_hrn = self.config.SFA_INTERFACE_HRN if user.tenantId is not None: tenant = self.shell.auth_manager.tenants.find(id=user.tenantId) auth_hrn = OSXrn(name=tenant.name, auth=self.config.SFA_INTERFACE_HRN, type='authority').get_hrn() hrn = OSXrn(name=user.name, auth=auth_hrn, type='user').get_hrn() users_dict[hrn] = user old_keys = old_user_keys.get(hrn, []) keyname = OSXrn(xrn=hrn, type='user').get_slicename() keys = [ k.public_key for k in self.shell.nova_manager.keypairs.findall(name=keyname) ] user_keys[hrn] = keys update_record = False if old_keys != keys: update_record = True if hrn not in existing_hrns or \ (hrn, 'user') not in existing_records or update_record: urn = OSXrn(xrn=hrn, type='user').get_urn() if keys: try: pkey = convert_public_key(keys[0]) except: self.logger.log_exc( 'unable to convert public key for %s' % hrn) pkey = Keypair(create=True) else: self.logger.warn( "OpenstackImporter: person %s does not have a PL public key" % hrn) pkey = Keypair(create=True) user_gid = self.auth_hierarchy.create_gid(urn, create_uuid(), pkey, email=user.email) user_record = RegUser() user_record.type = 'user' user_record.hrn = hrn user_record.gid = user_gid user_record.authority = get_authority(hrn) global_dbsession.add(user_record) global_dbsession.commit() self.logger.info("OpenstackImporter: imported person %s" % user_record) return users_dict, user_keys
def get_pis(self): from sqlalchemy.orm import sessionmaker Session = sessionmaker() dbsession = Session.object_session(self) from sfa.util.xrn import get_authority authority_hrn = get_authority(self.hrn) auth_record = dbsession.query(RegAuthority).filter_by( hrn=authority_hrn).first() return auth_record.reg_pis
def shutdown(self, opts, args): slice_hrn = args[0] slice_urn = hrn_to_urn(slice_hrn, 'slice') slice_cred = self.get_slice_cred(slice_hrn).save_to_string(save_parents=True) creds = [slice_cred] if opts.delegate: delegated_cred = self.delegate_cred(slice_cred, get_authority(self.authority)) creds.append(delegated_cred) server = self.get_server_from_opts(opts) return server.Shutdown(slice_urn, creds)
def get_auth_filenames(self, xrn): hrn, type = urn_to_hrn(xrn) leaf = get_leaf(hrn) parent_hrn = get_authority(hrn) directory = os.path.join(self.basedir, hrn.replace(".", "/")) gid_filename = os.path.join(directory, leaf+".gid") privkey_filename = os.path.join(directory, leaf+".pkey") return (directory, gid_filename, privkey_filename)
def get_peer(pldriver, hrn): # Because of myplc native federation, we first need to determine if this # slice belongs to out local plc or a myplc peer. We will assume it # is a local site, unless we find out otherwise peer = None # get this slice's authority (site) slice_authority = get_authority(hrn) # get this site's authority (sfa root authority or sub authority) site_authority = get_authority(slice_authority).lower() # check if we are already peered with this site_authority, if so peers = pldriver.shell.GetPeers( {}, ['peer_id', 'peername', 'shortname', 'hrn_root']) for peer_record in peers: names = [name.lower() for name in peer_record.values() if isinstance(name, StringTypes)] if site_authority in names: peer = peer_record['shortname'] return peer
def import_sites_and_nodes(self, testbed_shell): """ Gets all the sites and nodes from OAR, process the information, creates hrns and RegAuthority for sites, and feed them to the database. For each site, import the site's nodes to the DB by calling import_nodes. :param testbed_shell: IotlabDriver object, used to have access to testbed_shell methods and fetching info on sites and nodes. :type testbed_shell: IotlabDriver """ sites_listdict = testbed_shell.GetSites() nodes_listdict = testbed_shell.GetNodes() nodes_by_id = dict([(node['node_id'], node) for node in nodes_listdict]) for site in sites_listdict: site_hrn = site['name'] site_record = self.find_record_by_type_hrn('authority', site_hrn) self.logger.info("IotlabImporter: import_sites_and_nodes \ (site) %s \r\n " % site_record) if not site_record: try: urn = hrn_to_urn(site_hrn, 'authority') if not self.auth_hierarchy.auth_exists(urn): self.auth_hierarchy.create_auth(urn) auth_info = self.auth_hierarchy.get_auth_info(urn) site_record = \ RegAuthority(hrn=site_hrn, gid=auth_info.get_gid_object(), pointer='-1', authority=get_authority(site_hrn)) site_record.just_created() global_dbsession.add(site_record) global_dbsession.commit() self.logger.info("IotlabImporter: imported authority \ (site) %s" % site_record) self.update_just_added_records_dict(site_record) except SQLAlchemyError: # if the site import fails then there is no point in # trying to import the # site's child records(node, slices, persons), so skip them. self.logger.log_exc("IotlabImporter: failed to import \ site. Skipping child records") continue else: # xxx update the record ... pass site_record.stale = False self.import_nodes(site['node_ids'], nodes_by_id, testbed_shell) return
def CreateSliver(client): # register a slice that will be used for some test authority = get_authority(client.hrn) auth_cred = client.GetCredential(authority, 'authority') slice_record = { 'hrn': ".".join([authority, random_string(10)]), 'type': 'slice', 'researcher': [client.hrn] } client.registry.Register(auth_cred, slice_record) return slice_record
def import_sites_and_nodes(self, testbed_shell): """ Gets all the sites and nodes from OAR, process the information, creates hrns and RegAuthority for sites, and feed them to the database. For each site, import the site's nodes to the DB by calling import_nodes. :param testbed_shell: IotlabDriver object, used to have access to testbed_shell methods and fetching info on sites and nodes. :type testbed_shell: IotlabDriver """ sites_listdict = testbed_shell.GetSites() nodes_listdict = testbed_shell.GetNodes() nodes_by_id = dict([(node['node_id'], node) for node in nodes_listdict]) for site in sites_listdict: site_hrn = site['name'] site_record = self.find_record_by_type_hrn ('authority', site_hrn) self.logger.info("IotlabImporter: import_sites_and_nodes \ (site) %s \r\n " % site_record) if not site_record: try: urn = hrn_to_urn(site_hrn, 'authority') if not self.auth_hierarchy.auth_exists(urn): self.auth_hierarchy.create_auth(urn) auth_info = self.auth_hierarchy.get_auth_info(urn) site_record = \ RegAuthority(hrn=site_hrn, gid=auth_info.get_gid_object(), pointer='-1', authority=get_authority(site_hrn)) site_record.just_created() global_dbsession.add(site_record) global_dbsession.commit() self.logger.info("IotlabImporter: imported authority \ (site) %s" % site_record) self.update_just_added_records_dict(site_record) except SQLAlchemyError: # if the site import fails then there is no point in # trying to import the # site's child records(node, slices, persons), so skip them. self.logger.log_exc("IotlabImporter: failed to import \ site. Skipping child records") continue else: # xxx update the record ... pass site_record.stale = False self.import_nodes(site['node_ids'], nodes_by_id, testbed_shell) return
def get_sfa_peer(self, xrn): """Returns the authority name for the xrn or None if the local site is the authority. :param xrn: the xrn of the resource we are looking the authority for. :type xrn: string :returns: the resources's authority name. :rtype: string """ hrn, hrn_type = urn_to_hrn(xrn) # return the authority for this hrn or None if we are the authority sfa_peer = None slice_authority = get_authority(hrn) site_authority = get_authority(slice_authority) if site_authority != self.driver.hrn: sfa_peer = site_authority return sfa_peer
def get_peer(self, xrn): """ Finds the authority of a resource based on its xrn. If the authority is Iotlab (local) return None, Otherwise, look up in the DB if Iotlab is federated with this site authority and returns its DB record if it is the case. :param xrn: resource's xrn :type xrn: string :returns: peer record :rtype: dict """ hrn, hrn_type = urn_to_hrn(xrn) #Does this slice belong to a local site or a peer iotlab site? peer = None # get this slice's authority (site) slice_authority = get_authority(hrn) #Iotlab stuff #This slice belongs to the current site if slice_authority == self.driver.testbed_shell.root_auth: site_authority = slice_authority return None site_authority = get_authority(slice_authority).lower() # get this site's authority (sfa root authority or sub authority) logger.debug("IOTLABSLICES \t get_peer slice_authority %s \ site_authority %s hrn %s" % (slice_authority, site_authority, hrn)) # check if we are already peered with this site_authority #if so find the peer record peers = self.driver.GetPeers(peer_filter=site_authority) for peer_record in peers: if site_authority == peer_record.hrn: peer = peer_record logger.debug(" IOTLABSLICES \tget_peer peer %s " % (peer)) return peer
def testRemove(self): authority = get_authority(self.hrn) auth_cred = self.client.GetCredential(authority, 'authority') record = {'hrn': ".".join([authority, random_string(10)]), 'type': 'slice'} self.registry.Register(auth_cred, record) self.registry.Remove(auth_cred, record['type'], record['hrn']) # should generate an exception try: self.registry.Resolve(self.credential, record['hrn']) assert False except: assert True
def create_top_level_auth_records(self, hrn): """ Create top level db records (includes root and sub authorities (local/remote) """ # make sure parent exists parent_hrn = get_authority(hrn) if not parent_hrn: parent_hrn = hrn if not parent_hrn == hrn: self.create_top_level_auth_records(parent_hrn) # ensure key and cert exists: self.auth_hierarchy.create_top_level_auth(hrn) # create the db record if it doesnt already exist if not self.record_exists ('authority',hrn): auth_info = self.auth_hierarchy.get_auth_info(hrn) auth_record = RegAuthority(hrn=hrn, gid=auth_info.get_gid_object(), authority=get_authority(hrn)) auth_record.just_created() dbsession.add (auth_record) dbsession.commit() self.logger.info("SfaImporter: imported authority (parent) %s " % auth_record)
def get_peer(pldriver, hrn): # Because of myplc native federation, we first need to determine if this # slice belongs to out local plc or a myplc peer. We will assume it # is a local site, unless we find out otherwise peer = None # get this slice's authority (site) slice_authority = get_authority(hrn) # get this site's authority (sfa root authority or sub authority) site_authority = get_authority(slice_authority).lower() # check if we are already peered with this site_authority, if so peers = pldriver.shell.GetPeers( {}, ['peer_id', 'peername', 'shortname', 'hrn_root']) for peer_record in peers: names = [ name.lower() for name in peer_record.values() if isinstance(name, StringTypes) ] if site_authority in names: peer = peer_record['shortname'] return peer
def import_slice(self, slice_hrn, slice_record, user_record): """ Create RegSlice record according to the slice hrn if the slice does not exist yet.Creates a relationship with the user record associated with the slice. Commit the record to the database. :param slice_hrn: Human readable name of the slice. :type slice_hrn: string :param slice_record: record of the slice found in the DB, if any. :type slice_record: RegSlice or None :param user_record: user record found in the DB if any. :type user_record: RegUser .. todo::Update the record if a slice record already exists. """ if not slice_record: pkey = Keypair(create=True) urn = hrn_to_urn(slice_hrn, 'slice') slice_gid = \ self.auth_hierarchy.create_gid(urn, create_uuid(), pkey) slice_record = RegSlice(hrn=slice_hrn, gid=slice_gid, pointer='-1', authority=get_authority(slice_hrn)) try: slice_record.just_created() global_dbsession.add(slice_record) global_dbsession.commit() self.update_just_added_records_dict(slice_record) except SQLAlchemyError: self.logger.log_exc("IotlabImporter: failed to import slice") #No slice update upon import in iotlab else: # xxx update the record ... self.logger.warning("Iotlab Slice update not implemented") # record current users affiliated with the slice slice_record.reg_researchers = [user_record] try: global_dbsession.commit() slice_record.stale = False except SQLAlchemyError: self.logger.log_exc("IotlabImporter: failed to update slice")
def get_auth_filenames(self, xrn): hrn, type = urn_to_hrn(xrn) if '\\' in hrn: hrn = hrn.replace('\\', '') leaf = hrn else: leaf = get_leaf(hrn) parent_hrn = get_authority(hrn) directory = os.path.join(self.basedir, hrn.replace(".", "/")) gid_filename = os.path.join(directory, leaf+".gid") privkey_filename = os.path.join(directory, leaf+".pkey") return (directory, gid_filename, privkey_filename)
def delete(self, opts, args): slice_hrn = args[0] slice_urn = hrn_to_urn(slice_hrn, 'slice') slice_cred = self.get_slice_cred(slice_hrn).save_to_string(save_parents=True) creds = [slice_cred] if opts.delegate: delegated_cred = self.delegate_cred(slice_cred, get_authority(self.authority)) creds.append(delegated_cred) server = self.get_server_from_opts(opts) call_args = [slice_urn, creds] if self.server_supports_call_id_arg(server): call_args.append(unique_call_id()) return server.DeleteSliver(*call_args)
def slices(self, opts, args): """ list instantiated slices """ user_cred = self.get_user_cred().save_to_string(save_parents=True) creds = [user_cred] if opts.delegate: delegated_cred = self.delegate_cred(user_cred, get_authority(self.authority)) creds.append(delegated_cred) server = self.get_server_from_opts(opts) #results = server.ListSlices(creds, unique_call_id()) results = server.ListSlices(creds) display_list(results) return
def testRemove(self): authority = get_authority(self.hrn) auth_cred = self.client.GetCredential(authority, 'authority') record = { 'hrn': ".".join([authority, random_string(10)]), 'type': 'slice' } self.registry.Register(auth_cred, record) self.registry.Remove(auth_cred, record['type'], record['hrn']) # should generate an exception try: self.registry.Resolve(self.credential, record['hrn']) assert False except: assert True
def create_top_level_auth_records(self, hrn): """ Create top level db records (includes root and sub authorities (local/remote) """ # make sure parent exists parent_hrn = get_authority(hrn) if not parent_hrn: parent_hrn = hrn if not parent_hrn == hrn: self.create_top_level_auth_records(parent_hrn) # ensure key and cert exists: self.auth_hierarchy.create_top_level_auth(hrn) # create the db record if it doesnt already exist if not self.record_exists('authority', hrn): auth_info = self.auth_hierarchy.get_auth_info(hrn) auth_record = RegAuthority(hrn=hrn, gid=auth_info.get_gid_object(), authority=get_authority(hrn)) auth_record.just_created() global_dbsession.add(auth_record) global_dbsession.commit() self.logger.info("SfaImporter: imported authority (parent) %s " % auth_record)
def get_credentials(self): # Getting the list of slices in which user_hrn is a researcher user_cred = self.my_credential_string records = self.registry.Resolve(hrn_to_urn(self.user_hrn, 'user'), user_cred) if not records: raise Exception, "Cannot retrieve slice information for %s" % self.user_hrn record = records[0] slices = record['reg-slices'] creds = [] #c = { # 'target': self.user_hrn, # 'type': 'user', # 'cred': self.delegate('user', self.user_hrn) #} c = self.delegate('user', self.user_hrn) creds.append(c) try: user_auth = get_authority(self.user_hrn) #c = { # 'target': user_auth, # 'type': 'authority', # 'cred': self.delegate('authority', user_auth) #} c = self.delegate('authority', user_auth) creds.append(c) except Exception: print "I: No authority credential." for s in slices: #c = { # 'target': s, # 'type': 'slice', # 'cred': self.delegate('slice', s) #} c = self.delegate('slice', s) creds.append(c) return creds
def testRegister(self): authority = get_authority(self.hrn) auth_cred = self.client.GetCredential(authority, 'authority') auth_record = { 'hrn': '.'.join([authority, random_string(10).lower()]), 'type': 'authority' } node_record = { 'hrn': '.'.join([authority, random_string(10)]), 'type': 'node', 'hostname': random_string(6) + '.' + random_string(6) } slice_record = { 'hrn': '.'.join([authority, random_string(10)]), 'type': 'slice', 'researcher': [self.hrn] } user_record = { 'hrn': '.'.join([authority, random_string(10)]), 'type': 'user', 'email': random_string(6) + '@' + random_string(5) + '.' + random_string(3), 'first_name': random_string(7), 'last_name': random_string(7) } all_records = [auth_record, node_record, slice_record, user_record] for record in all_records: try: self.registry.Register(auth_cred, record) self.registry.Resolve(self.credential, record['hrn']) except: raise finally: try: self.registry.Remove(auth_cred, record['type'], record['hrn']) except: pass
def create_auth(self, xrn, create_parents=False): hrn, type = urn_to_hrn(str(xrn)) logger.debug("Hierarchy: creating authority: %s"% hrn) # create the parent authority if necessary parent_hrn = get_authority(hrn) parent_urn = hrn_to_urn(parent_hrn, 'authority') if (parent_hrn) and (not self.auth_exists(parent_urn)) and (create_parents): self.create_auth(parent_urn, create_parents) (directory, gid_filename, privkey_filename,) = \ self.get_auth_filenames(hrn) # create the directory to hold the files try: os.makedirs(directory) # if the path already exists then pass except OSError, (errno, strerr): if errno == 17: pass
def create_sm_client_record(self): """ Create a user record for the Slicemanager service. """ hrn = self.interface_hrn + '.slicemanager' urn = hrn_to_urn(hrn, 'user') if not self.auth_hierarchy.auth_exists(urn): self.logger.info("SfaImporter: creating Slice Manager user") self.auth_hierarchy.create_auth(urn) if self.record_exists('user', hrn): return auth_info = self.auth_hierarchy.get_auth_info(hrn) user_record = RegUser(hrn=hrn, gid=auth_info.get_gid_object(), authority=get_authority(hrn)) user_record.just_created() global_dbsession.add(user_record) global_dbsession.commit() self.logger.info("SfaImporter: importing user (slicemanager) %s " % user_record)
def verify_object_permission(self, name): """ Verify that the object gid that was specified in the credential allows permission to the object 'name'. This is done by a simple prefix test. For example, an object_gid for plc.arizona would match the objects plc.arizona.slice1 and plc.arizona. @param name human readable name to test """ object_hrn = self.object_gid.get_hrn() logger.debug( "VERIFY OBJECT PERMISSION. \n\n object_hrn: %s \n name: %s \n get_authority(name): %s" % (object_hrn, name, get_authority(name))) if object_hrn == name: return if name.startswith(object_hrn + "."): return #if name.startswith(get_authority(name)): #return raise PermissionError(name)
def update_cert_records(gids): """ Make sure there is a record in the registry for the specified gids. Removes old records from the db. """ # import db stuff here here so this module can be loaded by PlcComponentApi from sfa.storage.alchemy import global_dbsession from sfa.storage.model import RegRecord dbsession = global_dbsession if not gids: return # get records that actually exist in the db gid_urns = [gid.get_urn() for gid in gids] hrns_expected = [gid.get_hrn() for gid in gids] records_found = dbsession.query(RegRecord).\ filter_by(pointer=-1).filter(RegRecord.hrn.in_(hrns_expected)).all() # remove old records for record in records_found: if record.hrn not in hrns_expected and \ record.hrn != self.api.config.SFA_INTERFACE_HRN: dbsession.delete(record) # TODO: store urn in the db so we do this in 1 query for gid in gids: hrn, type = gid.get_hrn(), gid.get_type() record = dbsession.query(RegRecord).filter_by(hrn=hrn, type=type, pointer=-1).first() if not record: record = RegRecord( dict={ 'type': type, 'hrn': hrn, 'authority': get_authority(hrn), 'gid': gid.save_to_string(save_parents=True), }) dbsession.add(record) dbsession.commit()
def create_gid(self, xrn, uuid, pkey, CA=False, email=None): hrn, type = urn_to_hrn(xrn) if not type: type = 'authority' parent_hrn = get_authority(hrn) # Using hrn_to_urn() here to make sure the urn is in the right format # If xrn was a hrn instead of a urn, then the gid's urn will be # of type None urn = hrn_to_urn(hrn, type) gid = GID(subject=hrn, uuid=uuid, hrn=hrn, urn=urn, email=email) # is this a CA cert if hrn == self.config.SFA_INTERFACE_HRN or not parent_hrn: # root or sub authority gid.set_intermediate_ca(True) elif type and 'authority' in type: # authority type gid.set_intermediate_ca(True) elif CA: gid.set_intermediate_ca(True) else: gid.set_intermediate_ca(False) # set issuer if not parent_hrn or hrn == self.config.SFA_INTERFACE_HRN: # if there is no parent hrn, then it must be self-signed. this # is where we terminate the recursion gid.set_issuer(pkey, hrn) else: # we need the parent's private key in order to sign this GID parent_auth_info = self.get_auth_info(parent_hrn) gid.set_issuer(parent_auth_info.get_pkey_object(), parent_auth_info.hrn) gid.set_parent(parent_auth_info.get_gid_object()) gid.set_pubkey(pkey) gid.encode() gid.sign() return gid
def import_persons_and_slices(self, testbed_shell): """ Gets user data from LDAP, process the information. Creates hrn for the user's slice, the user's gid, creates the RegUser record associated with user. Creates the RegKey record associated nwith the user's key. Saves those records into the SFA DB. import the user's slice onto the database as well by calling import_slice. :param testbed_shell: IotlabDriver object, used to have access to testbed_shell attributes. :type testbed_shell: IotlabDriver .. warning:: does not support multiple keys per user """ ldap_person_listdict = testbed_shell.GetPersons() self.logger.info("IOTLABIMPORT \t ldap_person_listdict %s \r\n" % (ldap_person_listdict)) # import persons for person in ldap_person_listdict: self.logger.info("IotlabImporter: person :" % (person)) if 'ssh-rsa' not in person['pkey']: #people with invalid ssh key (ssh-dss, empty, bullshit keys...) #won't be imported continue person_hrn = person['hrn'] slice_hrn = self.slicename_to_hrn(person['hrn']) # xxx suspicious again if len(person_hrn) > 64: person_hrn = person_hrn[:64] person_urn = hrn_to_urn(person_hrn, 'user') self.logger.info("IotlabImporter: users_rec_by_email %s " % (self.users_rec_by_email)) #Check if user using person['email'] from LDAP is already registered #in SFA. One email = one person. In this case, do not create another #record for this person #person_hrn returned by GetPerson based on iotlab root auth + #uid ldap user_record = self.find_record_by_type_hrn('user', person_hrn) if not user_record and person['email'] in self.users_rec_by_email: user_record = self.users_rec_by_email[person['email']] person_hrn = user_record.hrn person_urn = hrn_to_urn(person_hrn, 'user') slice_record = self.find_record_by_type_hrn('slice', slice_hrn) iotlab_key = person['pkey'] # new person if not user_record: (pubkey, pkey) = self.init_person_key(person, iotlab_key) if pubkey is not None and pkey is not None: person_gid = \ self.auth_hierarchy.create_gid(person_urn, create_uuid(), pkey) if person['email']: self.logger.debug("IOTLAB IMPORTER \ PERSON EMAIL OK email %s " % (person['email'])) person_gid.set_email(person['email']) user_record = \ RegUser(hrn=person_hrn, gid=person_gid, pointer='-1', authority=get_authority(person_hrn), email=person['email']) else: user_record = \ RegUser(hrn=person_hrn, gid=person_gid, pointer='-1', authority=get_authority(person_hrn)) if pubkey: user_record.reg_keys = [RegKey(pubkey)] else: self.logger.warning("No key found for user %s" % (user_record)) try: user_record.just_created() global_dbsession.add(user_record) global_dbsession.commit() self.logger.info("IotlabImporter: imported person \ %s" % (user_record)) self.update_just_added_records_dict(user_record) except SQLAlchemyError: self.logger.log_exc("IotlabImporter: \ failed to import person %s" % (person)) else: # update the record ? # if user's primary key has changed then we need to update # the users gid by forcing an update here sfa_keys = user_record.reg_keys new_key = False if iotlab_key is not sfa_keys: new_key = True if new_key: self.logger.info("IotlabImporter: \t \t USER UPDATE \ person: %s" % (person['hrn'])) (pubkey, pkey) = self.init_person_key(person, iotlab_key) person_gid = \ self.auth_hierarchy.create_gid(person_urn, create_uuid(), pkey) if not pubkey: user_record.reg_keys = [] else: user_record.reg_keys = [RegKey(pubkey)] self.logger.info("IotlabImporter: updated person: %s" % (user_record)) if person['email']: user_record.email = person['email'] try: global_dbsession.commit() user_record.stale = False except SQLAlchemyError: self.logger.log_exc("IotlabImporter: \ failed to update person %s" % (person)) self.import_slice(slice_hrn, slice_record, user_record)
def get_authority(self, hrn): return get_authority(hrn)
def run (self, options): config = Config () interface_hrn = config.SFA_INTERFACE_HRN root_auth = config.SFA_REGISTRY_ROOT_AUTH shell = DummyShell (config) ######## retrieve all existing SFA objects all_records = global_dbsession.query(RegRecord).all() # create hash by (type,hrn) # we essentially use this to know if a given record is already known to SFA self.records_by_type_hrn = \ dict ( [ ( (record.type, record.hrn) , record ) for record in all_records ] ) # create hash by (type,pointer) self.records_by_type_pointer = \ dict ( [ ( (record.type, record.pointer) , record ) for record in all_records if record.pointer != -1] ) # initialize record.stale to True by default, then mark stale=False on the ones that are in use for record in all_records: record.stale=True # DEBUG #all_records = global_dbsession.query(RegRecord).all() #for record in all_records: print record ######## retrieve Dummy TB data # Get all plc sites # retrieve only required stuf sites = [shell.GetTestbedInfo()] print "sites: " + sites # create a hash of sites by login_base # sites_by_login_base = dict ( [ ( site['login_base'], site ) for site in sites ] ) # Get all dummy TB users users = shell.GetUsers() # create a hash of users by user_id users_by_id = dict ( [ ( user['user_id'], user) for user in users ] ) # Get all dummy TB public keys keys = [] for user in users: if 'keys' in user: keys.extend(user['keys']) # create a dict user_id -> [ keys ] keys_by_person_id = {} for user in users: if 'keys' in user: keys_by_person_id[user['user_id']] = user['keys'] # Get all dummy TB nodes nodes = shell.GetNodes() # create hash by node_id nodes_by_id = dict ( [ ( node['node_id'], node, ) for node in nodes ] ) # Get all dummy TB slices slices = shell.GetSlices() # create hash by slice_id slices_by_id = dict ( [ (slice['slice_id'], slice ) for slice in slices ] ) # start importing print " STARTING FOR SITES" for site in sites: site_hrn = _get_site_hrn(interface_hrn, site) # import if hrn is not in list of existing hrns or if the hrn exists # but its not a site record site_record=self.locate_by_type_hrn ('authority', site_hrn) print site_hrn print site_record if not site_record: try: print "TRY TO CREATE SITE RECORD" urn = hrn_to_urn(site_hrn, 'authority') if not self.auth_hierarchy.auth_exists(urn): print "create auth "+urn self.auth_hierarchy.create_auth(urn) auth_info = self.auth_hierarchy.get_auth_info(urn) site_record = RegAuthority(hrn=site_hrn, gid=auth_info.get_gid_object(), pointer= -1, authority=get_authority(site_hrn)) site_record.just_created() print "urn: "+urn print "auth_info: " + auth_info print site_record global_dbsession.add(site_record) global_dbsession.commit() self.logger.info("DummyImporter: imported authority (site) : %s" % site_record) self.remember_record (site_record) except: # if the site import fails then there is no point in trying to import the # site's child records (node, slices, persons), so skip them. self.logger.log_exc("DummyImporter: failed to import site. Skipping child records") continue else: # xxx update the record ... pass site_record.stale=False # import node records for node in nodes: site_auth = get_authority(site_hrn) site_name = site['name'] node_hrn = hostname_to_hrn(site_auth, site_name, node['hostname']) # xxx this sounds suspicious if len(node_hrn) > 64: node_hrn = node_hrn[:64] node_record = self.locate_by_type_hrn ( 'node', node_hrn ) if not node_record: try: pkey = Keypair(create=True) urn = hrn_to_urn(node_hrn, 'node') node_gid = self.auth_hierarchy.create_gid(urn, create_uuid(), pkey) node_record = RegNode (hrn=node_hrn, gid=node_gid, pointer =node['node_id'], authority=get_authority(node_hrn)) node_record.just_created() global_dbsession.add(node_record) global_dbsession.commit() self.logger.info("DummyImporter: imported node: %s" % node_record) self.remember_record (node_record) except: self.logger.log_exc("DummyImporter: failed to import node") else: # xxx update the record ... pass node_record.stale=False all_records = global_dbsession.query(RegRecord).all() for record in all_records: print record site_pis=[] # import users for user in users: user_hrn = email_to_hrn(site_hrn, user['email']) # xxx suspicious again if len(user_hrn) > 64: user_hrn = user_hrn[:64] user_urn = hrn_to_urn(user_hrn, 'user') user_record = self.locate_by_type_hrn ( 'user', user_hrn) # return a tuple pubkey (a dummy TB key object) and pkey (a Keypair object) def init_user_key (user): pubkey = None pkey = None if user['keys']: # randomly pick first key in set for key in user['keys']: pubkey = key try: pkey = convert_public_key(pubkey) break except: continue if not pkey: self.logger.warn('DummyImporter: unable to convert public key for %s' % user_hrn) pkey = Keypair(create=True) else: # the user has no keys. Creating a random keypair for the user's gid self.logger.warn("DummyImporter: user %s does not have a NITOS public key"%user_hrn) pkey = Keypair(create=True) return (pubkey, pkey) # new user try: if not user_record: (pubkey,pkey) = init_user_key (user) user_gid = self.auth_hierarchy.create_gid(user_urn, create_uuid(), pkey) user_gid.set_email(user['email']) user_record = RegUser (hrn=user_hrn, gid=user_gid, pointer=user['user_id'], authority=get_authority(user_hrn), email=user['email']) if pubkey: user_record.reg_keys=[RegKey (pubkey)] else: self.logger.warning("No key found for user %s"%user_record) user_record.just_created() global_dbsession.add (user_record) global_dbsession.commit() self.logger.info("DummyImporter: imported person: %s" % user_record) self.remember_record ( user_record ) else: # update the record ? # if user's primary key has changed then we need to update the # users gid by forcing an update here sfa_keys = user_record.reg_keys def key_in_list (key,sfa_keys): for reg_key in sfa_keys: if reg_key.key==key: return True return False # is there a new key in Dummy TB ? new_keys=False for key in user['keys']: if not key_in_list (key,sfa_keys): new_keys = True if new_keys: (pubkey,pkey) = init_user_key (user) user_gid = self.auth_hierarchy.create_gid(user_urn, create_uuid(), pkey) if not pubkey: user_record.reg_keys=[] else: user_record.reg_keys=[ RegKey (pubkey)] self.logger.info("DummyImporter: updated person: %s" % user_record) user_record.email = user['email'] global_dbsession.commit() user_record.stale=False except: self.logger.log_exc("DummyImporter: failed to import user %d %s"%(user['user_id'],user['email'])) # import slices for slice in slices: slice_hrn = slicename_to_hrn(site_hrn, slice['slice_name']) slice_record = self.locate_by_type_hrn ('slice', slice_hrn) if not slice_record: try: pkey = Keypair(create=True) urn = hrn_to_urn(slice_hrn, 'slice') slice_gid = self.auth_hierarchy.create_gid(urn, create_uuid(), pkey) slice_record = RegSlice (hrn=slice_hrn, gid=slice_gid, pointer=slice['slice_id'], authority=get_authority(slice_hrn)) slice_record.just_created() global_dbsession.add(slice_record) global_dbsession.commit() self.logger.info("DummyImporter: imported slice: %s" % slice_record) self.remember_record ( slice_record ) except: self.logger.log_exc("DummyImporter: failed to import slice") else: # xxx update the record ... self.logger.warning ("Slice update not yet implemented") pass # record current users affiliated with the slice slice_record.reg_researchers = \ [ self.locate_by_type_pointer ('user',user_id) for user_id in slice['user_ids'] ] global_dbsession.commit() slice_record.stale=False ### remove stale records # special records must be preserved system_hrns = [interface_hrn, root_auth, interface_hrn + '.slicemanager'] for record in all_records: if record.hrn in system_hrns: record.stale=False if record.peer_authority: record.stale=False for record in all_records: try: stale=record.stale except: stale=True self.logger.warning("stale not found with %s"%record) if stale: self.logger.info("DummyImporter: deleting stale record: %s" % record) global_dbsession.delete(record) global_dbsession.commit()