omf_sfa 0.1.1

data/lib/omf-sfa/am/am-rpc/abstract_rpc_service.rb

@@ -0,0 +1,60 @@
+
+
+require 'xmlrpc/parser'
+require 'rack/rpc'  
+
+require 'omf_base/lobject'
+
+require 'omf-sfa/am'
+
+module OMF::SFA::AM
+  module RPC; end
+end
+
+module OMF::SFA::AM::RPC
+  
+  class AbstractService < Rack::RPC::Server
+
+    include OMF::Base::Loggable
+
+    # This defines a method to declare the service methods and all their 
+    # parameters.
+    #
+    def self.implement(api)
+      @@mappings ||= {}
+      api.api_description.each do |m|
+        wrapper_name = "_wrapper_#{m.method_name}".to_sym
+        self.send(:define_method, wrapper_name) do |*args|
+          begin
+            self.class.hooks[:before].each do |command| 
+              command.call(self) if command.callable?(m.method_name)
+            end
+            
+            out = self.send(m.method_name, *args)
+            
+            self.class.hooks[:after].each do |command| 
+              command.call(self) if command.callable?(m.method_name)
+            end
+            out
+          rescue Exception => ex
+            error ex
+            debug "Backtrace\n\t#{ex.backtrace.join("\n\t")}"
+            raise ex
+          end
+        end
+        #puts "API: map #{m.rpc_name} to #{wrapper_name}"
+        @@mappings[m.rpc_name.to_s] = wrapper_name
+      end
+    end
+    
+    def self.rpc(mappings = nil)
+      raise "Unexpected argument '#{mappings}' for rpc" if mappings
+      @@mappings
+    end
+  end # AbstractService
+  
+  
+end # module
+
+
+

data/lib/omf-sfa/am/am-rpc/am_authorizer.rb

@@ -0,0 +1,161 @@
+require 'omf_base/lobject'
+require 'omf-sfa/am/default_authorizer'
+require 'omf-sfa/am/user_credential'
+require 'omf-sfa/am/privilege_credential'
+
+module OMF::SFA::AM::RPC
+
+  include OMF::Base
+
+  # This class implements the decision logic for determining
+  # access of a user in a specific context to specific functionality
+  # in the AM
+  #
+  class AMAuthorizer < OMF::SFA::AM::DefaultAuthorizer
+
+    # @!attribute [r] account
+    #        @return [OAccount] The account associated with this instance
+    attr_reader :account
+
+    # @!attribute [r] project
+    #        @return [OProject] The project associated with this account
+    attr_reader :project
+
+    # @!attribute [r] user
+    #        @return [User] The user associated with this membership
+    attr_reader :user
+
+
+    # @!attribute [r] certificate
+    #        @return [Hash] The certificate associated with this caller
+#    attr_reader :certificate
+
+
+    # Create an instance from the information
+    # provided by the rack's 'req' object.
+    #
+    # @param [Rack::Request] Request provided by the Rack API
+    # @param [AbstractAmManager#get_account] AM Manager for retrieving AM context
+    #
+    def self.create_for_sfa_request(account_urn, credentials, request, am_manager)
+
+      begin
+        raise "Missing peer cert" unless cert_s = request.env['rack.peer_cert']
+        peer = OMF::SFA::AM::UserCredential.unmarshall(cert_s)
+      end
+      debug "Requester: #{peer.subject} :: #{peer.user_urn}"
+
+      raise OMF::SFA::AM::InsufficientPrivilegesException.new "Credentials are missing." if credentials.nil?
+
+      unless peer.valid_at?     
+        OMF::SFA::AM::InsufficientPrivilegesException.new "The certificate has expired or not valid yet. Check the dates."
+      end
+      user = am_manager.find_or_create_user({:uuid => peer.user_uuid, :urn => peer.user_urn})
+
+      creds = credentials.map do |cs|
+        cs = OMF::SFA::AM::PrivilegeCredential.unmarshall(cs)
+        cs.tap do |c|
+          unless c.valid_at?
+            OMF::SFA::AM::InsufficientPrivilegesException.new "The credentials have expired or not valid yet. Check the dates."
+          end
+        end
+      end
+
+            
+      self.new(account_urn, peer, creds, am_manager)
+    end
+
+
+    ##### ACCOUNT
+
+    def can_renew_account?(account, expiration_time)
+      debug "Check permission 'can_renew_account?' (#{account == @account}, #{@permissions[:can_renew_account?]}, #{@user_cred.valid_at?(expiration_time)})"
+      unless account == @account && 
+          @permissions[:can_renew_account?] && 
+          @user_cred.valid_at?(expiration_time) # not sure if this is the right check
+        raise OMF::SFA::AM::InsufficientPrivilegesException.new("Can't renew account after the expiration of the credentials")
+      end
+    end
+        
+    ##### RESOURCE
+    
+    def can_release_resource?(resource)
+      unless resource.account == @account && @permissions[:can_release_resource?]
+        raise OMF::SFA::AM::InsufficientPrivilegesException.new      
+      end
+    end
+    
+    protected
+
+    def initialize(account_urn, user_cert, credentials, am_manager)
+      super()
+      
+      @user_cert = user_cert
+      
+      # NOTE: We only look at the first cred
+      credential = credentials[0]
+      debug "cred: #{credential.inspect}"
+      unless (user_cert.user_urn == credential.user_urn)
+        raise OMF::SFA::AM::InsufficientPrivilegesException.new "User urn mismatch in certificate and credentials. cert:'#{user_cert.user_urn}' cred:'#{credential.user_urn}'" 
+      end
+      
+      @user_cred = credential
+      
+      
+      if credential.type == 'slice'
+        if credential.privilege?('*')
+          @permissions[:can_create_account?] = true 
+          @permissions[:can_view_account?] = true
+          @permissions[:can_renew_account?] = true
+          @permissions[:can_close_account?] = true
+        else
+          @permissions[:can_create_account?] = credential.privilege?('control')
+          @permissions[:can_view_account?] = credential.privilege?('info')
+          @permissions[:can_renew_account?] = credential.privilege?('refresh')
+          @permissions[:can_close_account?] = credential.privilege?('control')
+        end
+      end
+
+      if credential.privilege?('*')
+        @permissions[:can_create_resource?] = true
+        @permissions[:can_view_resource?] = true
+        @permissions[:can_release_resource?] = true
+
+        @permissions[:can_view_lease?] = true
+        @permissions[:can_modify_lease?] = true
+        @permissions[:can_release_lease?] = true
+      else
+        @permissions[:can_create_resource?] = credential.privilege?('refresh')
+        @permissions[:can_view_resource?] = credential.privilege?('info')
+        @permissions[:can_release_resource?] = credential.privilege?('refresh')
+
+        @permissions[:can_view_lease?] = credential.privilege?('info')
+        @permissions[:can_modify_lease?] = credential.privilege?('refresh')
+        @permissions[:can_release_lease?] = credential.privilege?('refresh')
+      end
+
+      
+      debug "Have permission '#{@permissions.inspect}'"
+
+      unless account_urn.nil?
+        unless account_urn.eql?(credential.target_urn)
+          raise OMF::SFA::AM::InsufficientPrivilegesException.new "Slice urn mismatch in XML call and credentials"
+        end 
+
+        @account = am_manager.find_or_create_account({:urn => account_urn}, self)
+        @account.valid_until = @user_cred.valid_until
+        if @account.closed?
+          if @permissions[:can_create_account?]
+            @account.closed_at = nil
+          else
+            raise OMF::SFA::AM::InsufficientPrivilegesException.new("You don't have the privilege to enable a closed account")
+          end
+        end
+        # XXX: decide where/when to create the Project. Right now we are creating it along with the account in the above method
+        @project = @account.project
+      end
+      
+    end
+
+  end
+end

data/lib/omf-sfa/am/am-rpc/am_rpc_api.rb

@@ -0,0 +1,450 @@
+ 
+module OMF::SFA::ServiceAPI
+  Struct.new("MethodDescription", :rpc_name, :method_name, :opts)
+  
+  # This defines a method to declare the service methods and all their 
+  # parameters.
+  #
+  def declare(rpc_name, method_name, opts = {}, &block)
+    @@declarations ||= {}
+    m = (@@declarations[self] ||= [])
+    m << Struct::MethodDescription.new(rpc_name.to_sym, method_name.to_sym, opts)
+  end
+  
+  def api_description()
+    @@declarations ||= {}
+    @@declarations[self] || []
+  end
+
+end
+
+
+module OMF::SFA::AM::RPC::AMServiceAPI
+  extend OMF::SFA::ServiceAPI
+    
+  declare :GetVersion, :get_version, {
+    :short => "",
+    :params => {},
+    :return => {
+      :type => :hash,
+      :description => %{
+         Return the version of the GENI Aggregate API 
+         supported by this aggregate.
+      },
+      :params => [
+        { 
+          :name => 'geni_api',
+          :type => :integer,
+          :descriptiosn => %{
+            Indicating the revision of the Aggregate Manager API that 
+            an aggregate supports. The current version of the API 
+            is 1 (one).
+          }
+        }
+      ]
+    }
+  }
+
+  declare :ListResources, :list_resources, {
+    :short => %{Return information about available resources 
+                or resources allocated to a slice.},
+    :params => [
+      {
+        :name => 'credentials',
+        :type => :array,
+        :description  => %{
+          An array of credentials. At least one credential must
+          be valid for this operation (signed by a valid GENI certificate
+          authority either directly or by chain, and not expired). Note that
+          the semantics of this argument is not clear. Alternative
+          interpretations might, for example, accumulate privileges from each
+          valid credential to determine overall caller permissions.
+        } 
+      }, {
+        :name => 'options',
+        :type  => :hash,
+        :description => %{
+          A hash containing members indicating the set of resources
+          the caller is interested in or the format of the result. In addition
+          to the members specified below, callers can pass additional members
+          that specific aggregate manager implementations might honor. The
+          prefix geni_ is reserved for members that are part of this API
+          specification. Implementations should choose an appropriate prefix
+          to avoid conflicts.
+
+          The following members are available for use in the options
+          parameter. All aggregate managers are required to implement these
+          options.},
+        :params => [
+          {
+            :name => 'geni_available',
+            :type => :boolean,
+            :description => %{
+              A boolean value indicating whether the caller is
+              interested in all resources or available resources. If this value
+              is true, the result should contain only available resources. If
+              this value is false both available and allocated resources should
+              be returned. The Aggregate Manager is free to limit visibility of
+              certain resources based on the credentials parameter.
+            }
+          }, {
+            :name => 'geni_compressed',
+            :type => :boolean,
+            :description => %{
+              A boolean value indicating whether the caller
+              would like the result to be compressed. If the value is true, the
+              returned resource list will be compressed according to RFC 1950.
+            }
+          }, {
+            :name => 'geni_slice_urn',
+            :type => :string,
+            :description => %{
+              A string indicating that the caller is interested
+              in the set of resources allocated to the slice named by this
+              URN. If no resources are allocated to the indicated slice by this
+              aggregate, an empty RSPEC should be returned.            }
+          }
+        ]
+      }
+    ],
+    :return => {
+      :type => :hash,
+      :description => %{
+        For ListResources, value is an RSpec listing and describing resources 
+        at this aggregate. Depending on the arguments, this may be an advertisement
+        RSpec showing all local resources, or one showing only available local resources, 
+        or a manifest RSpec of resources reserved for a particular slice.
+      },
+      :params => [
+        { 
+          :name => 'code',
+          :type => :hash,
+          :description => %{
+            A struct indicating the success or failure of this call at 
+            the Aggregate Manager. It consists of 1 required field and 2 optional fields. 
+          },
+          :params => [
+            {
+              :name => 'geni_code',
+              :type => :integer,
+              :description => %{
+                An integer supplying the GENI standard return code indicating 
+                the success or failure of this call. Error codes are standardized 
+                and defined in the attached XML document. Codes may be negative. 
+                A success return is defined as geni_code of 0.
+              }
+            }
+          ]
+        },
+        {
+          :name => 'value',
+          :type => :text_xml,
+          :description => %{
+            For ListResources, value is an RSpec listing and describing resources at 
+            this aggregate. Depending on the arguments, this may be an advertisement 
+            RSpec showing all local resources, or one showing only available local 
+            resources, or a manifest RSpec of resources reserved for a particular slice. 
+          }
+        }
+      ]
+    }
+  }
+
+  declare :CreateSliver, :create_sliver, { 
+    :description => %{ 
+      Allocate resources to a slice. This operation is expected to start the
+      allocated resources asynchronously after the operation has
+      successfully completed. Callers can check on the status of the
+      resources using SliverStatus.
+    },
+    :params => [
+      {
+        :name => 'slice_urn',
+        :type => :string_urn,
+        :description  => %{
+          The URN of the slice to which the resources specified in
+          rspec will be allocated.
+        }
+      },
+      {
+        :name => 'credentials',
+        :type => :array,
+        :description  => %{
+          An array of credentials. At least one credential must be a
+          valid slice credential for the slice specified in
+          slice_urn. Note that the semantics of this argument is not
+          clear. Alternative interpretations might, for example,
+          accumulate privileges from each valid credential to
+          determine overall caller permissions. Aggregates should
+          ensure that the expiration time of the slice does not exceed
+          the expiration time of the slice credential used to perform
+          this operation.
+        } 
+      }, {
+        :name => 'rspec',
+        :type => :text_xml,
+        :description  => %{
+          An RSPEC containing the resources that the caller is
+          requesting for allocation to the slice specified in
+          slice_urn. These are expected to be based on resources
+          returned by a previous invocation of ListResources.
+        } 
+      }, {
+        :name => 'users',
+        :type => :array,
+        :description  => %{
+          An array of user structs, which contain information about
+          the users that might login to the sliver that the AM needs
+          to know about. Each struct must include the key 'keys',
+          which is an array of strings and can be empty. The struct
+          must also include the key 'urn', which is the user's URN
+          string. The users array can be empty. For example:
+
+            [
+              {
+                urn: urn:publicid:IDN+geni.net:gcf+user+alice
+                keys: [<ssh key>, <ssh key>]
+              },
+              {
+                urn: urn:publicid:IDN+geni.net:gcf+user+bob
+                keys: [<ssh key>]
+              }
+            ]
+        }
+      }
+    ],
+    :return => {
+      :type => :text_xml,
+      :description => %{
+        The return value is an RSPEC indicating the resources that
+        were allocated to the slice. The result RSPEC may contain
+        additional information about the allocated resources.
+      }
+    }
+  }
+
+  declare :DeleteSliver, :delete_sliver, { 
+    :description => %{ 
+      Delete a sliver by stopping it if it is still running, and then
+      deallocating the resources associated with it. This call will
+      stop and deallocate all resources associated with the given
+      slice URN.
+    },
+    :params => [
+      {
+        :name => 'slice_urn',
+        :type => :string_urn,
+        :description  => %{
+          The URN of the slice whose sliver should be deleted.
+        }
+      }, {
+        :name => 'credentials',
+        :type => :array,
+        :description  => %{
+          An array of credentials. At least one credential must be a
+          valid slice credential for the slice specified in
+          slice_urn. Note that the semantics of this argument is not
+          clear. Alternative interpretations might, for example,
+          accumulate privileges from each valid credential to
+          determine overall caller permissions.
+        } 
+      }
+    ],
+    :return => {
+      :type => :boolean,
+      :description => %{
+         Returns true on success and false on failure.       
+      }
+    }
+  }
+
+  declare :SliverStatus, :sliver_status, { 
+    :description => "Get the status of a sliver.",
+    :params => [
+      {
+        :name => 'slice_urn',
+        :type => :string_urn,
+        :description  => %{
+          The URN of the slice for which the sliver status is requested.
+        }
+      }, {
+        :name => 'credentials',
+        :type => :array,
+        :description  => %{
+          An array of credentials. At least one credential must be a
+          valid slice credential for the slice specified in
+          slice_urn. Note that the semantics of this argument is not
+          clear. Alternative interpretations might, for example,
+          accumulate privileges from each valid credential to
+          determine overall caller permissions.
+        } 
+      }
+    ],
+    :return => {
+      :type => :hash,
+      :description => %{
+         Returns an XMLRPC struct upon successful completion. The 
+         struct is of the following form: 
+      },
+      :params => [
+        {
+          :name => 'geni_urn',
+          :type => :string_urn,
+          :descriptions => %{
+            The URN of the sliver as a string. This is the sliver and
+            not the slice, and should be selected by the aggregate
+            manager.
+          }
+        }, {
+          :name => 'geni_status',
+          :type => :string,
+          :descriptions => %{
+            A string indicating the status of the sliver. Possible
+            values are: _configuring_, _ready_, _failed_, and
+            _unknown_. Configuring indicates that at least one resource
+            is being configured and none have failed. Ready indicates
+            that all resources in the sliver are ready. Failed
+            indicates that at least one resource in the sliver has
+            failed. Unknown indicates that the state of the sliver is
+            not one of the known states. More detailed information can
+            be found in the value of the geni_resources member.
+          }
+        }, {
+          :name => 'geni_resources',
+          :type => :array,
+          :descriptions => %{
+            An array of structs. Each struct in the array gives the
+            status of each resource in the sliver. The members of
+            these structs are described below.
+
+            The members of the resource struct(s) are as follows:
+          },
+          :params => [
+            {
+              :name => 'geni_urn',
+              :type => :string_urn,
+              :descriptions => %{
+                The URN of the resource as a string. This is specific
+                to the sliver, and should be selected by the aggregate
+                manager to allow status reporting and control at the
+                finest level supported at that aggregate. It may be a
+                sliver URN if there is only 1 resource in the sliver.
+              }
+            }, {
+              :name => 'geni_status',
+              :type => :string,
+              :descriptions => %{
+                A string indicating the status of the
+                resource. Possible values are: _configuring_, _ready_,
+                _failed_, and _unknown_. *Configuring* indicates that the
+                resources is being configured and is not yet ready for
+                use. *Ready* indicates that the resource is
+                ready. *Failed* indicates that the resource has
+                failed. *Unknown* indicates that the state of the
+                resource is not one of the known states.
+              }
+            }, {
+              :name => 'geni_error',
+              :type => :string,
+              :descriptions => %{
+                 A free form string. The aggregate manager should set
+                 this to a string that could be presented to a
+                 researcher to give more detailed information about
+                 the state of the resource if its status is failed.
+              }
+            }
+          ]
+        }
+      ]
+    }
+  }
+
+  declare :RenewSliver, :renew_sliver, { 
+    :description => %{
+      Renews the resources in a sliver, extending the lifetime of the slice.
+
+      It is assumed that the caller will have already extended the
+      lifetime of the slice credential with the appropriate slice
+      authority prior to calling _RenewSliver_.
+    },
+    :params => [
+      {
+        :name => 'slice_urn',
+        :type => :string_urn,
+        :description  => %{
+          The URN of the slice that is to have its sliver renewed.
+        }
+      }, {
+        :name => 'credentials',
+        :type => :array,
+        :description  => %{
+          An array of credentials. At least one credential must be a
+          valid slice credential for the slice specified in
+          slice_urn. Note that the semantics of this argument is not
+          clear. Alternative interpretations might, for example,
+          accumulate privileges from each valid credential to
+          determine overall caller permissions.
+        } 
+      }, {
+        :name => 'expiration_time',
+        :type => :string_date,
+        :description  => %{
+           A string in RFC 3339 format indicating the expiration_time
+           desired by the caller. Note these times, per the RFC, must
+           be in or relative to UTC. This time must be less than or
+           equal to the slice duration in the slice credential. In
+           other words, at least one supplied (slice) credential must
+           still be valid at the desired new expiration time for this
+           call to succeed.
+        } 
+      }
+    ],
+    :return => {
+      :type => :boolean,
+      :description => %{
+         Returns true on successful completion, false otherwise.
+      }
+    }
+  }
+
+  declare :Shutdown, :shutdown_sliver, { 
+    :description => %{
+      Perform an emergency shut down of a sliver. This operation is
+      intended for administrative use. The sliver is shut down but
+      remains available for further forensics.
+    },
+    :params => [
+      {
+        :name => 'slice_urn',
+        :type => :string_urn,
+        :description  => %{
+          The URN of the slice is to have its sliver shut down.
+        }
+      }, {
+        :name => 'credentials',
+        :type => :array,
+        :description  => %{
+          An array of credentials. At least one credential must be a
+          valid slice credential for the slice specified in slice_urn
+          or a valid administrative credential with sufficient
+          privileges. Note that the semantics of this argument is not
+          clear. Alternative interpretations might, for example,
+          accumulate privileges from each valid credential to
+          determine overall caller permissions.
+        } 
+      }
+    ],
+    :return => {
+      :type => :boolean,
+      :description => %{
+         Returns true on success, false otherwise.
+      }
+    }
+  }
+  
+end # module OMF::SFA:AM
+
+
+
+
+