omf_sfa 0.1.1

data/lib/omf-sfa/am/credential.rb

@@ -0,0 +1,145 @@
+require 'nokogiri'
+require 'omf_base/lobject'
+
+module OMF::SFA::AM
+  class Credential < OMF::Base::LObject
+
+
+    @config = OMF::Base::YAML.load('omf-sfa-am', :path => [File.dirname(__FILE__) + '/../../../etc/omf-sfa'])[:omf_sfa_am]
+
+    rpc = @config[:endpoints].select { |v| v[:type] == 'xmlrpc' }.first
+    trusted_roots = File.expand_path(rpc[:trusted_roots])
+    certs = Dir.entries(trusted_roots)
+    certs.delete("..")
+    certs.delete(".")
+    @@root_certs = certs.collect do |v|
+      v = File.join(trusted_roots, v)
+    end
+
+    @@xmlsec = 'xmlsec1'
+   
+    # <?xml version="1.0"?>
+    # <signed-credential>
+      # <credential xml:id="ref0">
+        # <type>privilege</type>
+        # <serial>8</serial>
+        # <owner_gid>-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----</owner_gid>
+        # <owner_urn>urn:publicid:IDN+geni:gpo:gcf+user+alice</owner_urn>
+        # <target_gid>-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----</target_gid>
+        # <target_urn>urn:publicid:IDN+geni:gpo:gcf+slice+2c93-4a3:127.0.0.1%3A8000</target_urn>
+        # <uuid/>
+        # <expires>2012-02-01T03:03:33</expires>
+        # <privileges>
+          # <privilege><name>refresh</name><can_delegate>true</can_delegate></privilege>
+          # <privilege><name>embed</name><can_delegate>true</can_delegate></privilege>
+          # <privilege><name>bind</name><can_delegate>true</can_delegate></privilege>
+          # <privilege><name>control</name><can_delegate>true</can_delegate></privilege>
+          # <privilege><name>info</name><can_delegate>true</can_delegate></privilege>
+        # </privileges>
+      # </credential>
+      # <signatures>
+        # <Signature xmlns="http://www.w3.org/2000/09/xmldsig#" xml:id="Sig_ref0">
+          # ...
+        # </Signature>
+      # </signatures>
+    # </signed-credential>
+
+    def self.unmarshall(xml_text)
+      signer_urn = verify_signed_xml(xml_text)
+      cred = Nokogiri::XML.parse(xml_text)
+      unless cred.root.name == 'signed-credential'
+        raise "Expected 'signed-credential' but got '#{cred.root}'"
+      end
+      #puts @doc.to_xml
+      unless (type_el =  cred.xpath('//credential/type')[0])
+        raise "Credential doesn't contain 'type' element"
+      end
+      self.verify_type(type_el.content)
+      
+      #<owner_urn>urn:publicid:IDN+geni:gpo:gcf+user+alice</owner_urn>
+      self.new(cred, signer_urn)
+    end
+    
+    # The xml _content_ (provided as string) should
+    # contain a _Signature_ tag. 
+    #
+    # Returns urn of signer if signature is valid,  otherwise throw an exception
+    #
+    def self.verify_signed_xml(content)
+      tf = nil
+      begin
+        #debug "Verifying: ", content
+        tf = Tempfile.open('omf-am-rpc')
+        tf << content
+        tf.close
+        trusted_pems = @@root_certs.map do |r|
+          "--trusted-pem #{r}"
+        end.join(' ')
+        cmd = "#{@@xmlsec} verify --enabled-key-data 'x509' #{trusted_pems} --print-xml-debug #{tf.path} 2> /dev/null"
+        #cmd = "#{@@xmlsec} verify --trusted-pem #{@@root_certs} --print-xml-debug #{tf.path} 2> /dev/null"
+        out = []
+        result = nil
+        IO.popen(cmd) do |so| 
+          result = Nokogiri::XML.parse(so)
+          #debug result
+        end 
+        unless (result.xpath('/VerificationContext')[0]['status'] == 'succeeded')
+          raise OMF::SFA::AM::InsufficientPrivilegesException.new("Error: Signature doesn't verify")#\n#{@signature.to_xml}"
+        end
+          # <Certificate>
+          #   <SubjectName>/CN=geni//gpo//gcf.authority.sa</SubjectName>
+          #   <IssuerName>/CN=geni//gpo//gcf.authority.sa</IssuerName>
+          #   <SerialNumber>3</SerialNumber>
+          # </Certificate>        
+        signer = result.xpath('//Certificate/SubjectName')[0].content
+        debug "Signer of cert is '#{signer}'"
+        return signer
+      ensure
+        tf.close! if tf
+      end
+    end
+    
+    def self.verify_type(type)
+      raise "Implement 'verify_type' in '#{self}'"
+    end
+
+
+    attr_reader :owner_urn
+    attr_reader :target_urn    
+    attr_reader :signer_urn 
+    attr_reader :valid_until
+
+    def valid_at?(time = Time.now)
+      #debug ">>>> #{valid_until}"
+      time <= @valid_until     
+    end
+
+    protected
+    
+    # Create a credential described in +description_doc+
+    #
+    def initialize(description_doc, signer_urn)
+      unless el = description_doc.xpath('//credential/owner_urn')[0]
+        raise "Missing element 'owner_urn' in credential"
+      end
+      #URI:urn:publicid:IDN+topdomain:subdomain+user+pi
+      #@owner_urn = el.content[el.content.index('+')+1..el.content.length]
+      @owner_urn = el.content
+      unless el = description_doc.xpath('//credential/target_urn')[0]
+        raise "Missing element 'target_urn' in credential"
+      end
+      #URI:urn:publicid:IDN+topdomain:subdomain+slice+test
+      #@target_urn = el.content[el.content.index('+')+1..el.content.length]
+      @target_urn = el.content
+
+      unless el = description_doc.xpath('//credential/expires')[0]
+        raise "Missing element 'expires' in credential"
+      end
+      @valid_until = Time.parse(el.content)
+      
+      @signer_urn = signer_urn
+    end
+
+    
+  end # Credential                     
+end # OMF::GENI::AM

data/lib/omf-sfa/am/default_authorizer.rb

@@ -0,0 +1,44 @@
+
+
+require 'omf_base/lobject'
+
+module OMF::SFA::AM
+
+  include OMF::Base
+
+  class InsufficientPrivilegesException < AMManagerException; end
+
+  # This class implements an authorizer which
+  # only allows actions which have been enabled in a permission
+  # hash.
+  #
+  class DefaultAuthorizer < LObject
+
+    [
+      # ACCOUNT
+      :can_create_account?, # ()
+      :can_view_account?, # (account)
+      :can_renew_account?, # (account, until)
+      :can_close_account?, # (account)
+      # RESOURCE
+      :can_create_resource?, # (resource_descr, type)
+      :can_view_resource?, # (resource)
+      :can_release_resource?, # (resource)
+      # LEASE
+      :can_view_lease?, # (lease)
+      :can_modify_lease?, # (lease)
+      :can_release_lease?, # (lease)
+    ].each do |m|
+      define_method(m) do |*args|
+        debug "Check permission '#{m}' (#{@permissions.inspect})"
+        unless @permissions[m]
+          raise InsufficientPrivilegesException.new
+        end
+      end
+    end
+
+    def initialize(permissions = {})
+      @permissions = permissions
+    end
+  end
+end

data/lib/omf-sfa/am/privilege_credential.rb

@@ -0,0 +1,76 @@
+require 'omf-sfa/am/credential'
+
+module OMF::SFA::AM
+  
+  # Throws exception if credentials XML encoded in +cred_string_a+
+  # are *not* sufficient for _action_
+  #
+  # GENI API Credentials
+  #
+  # The privileges are the rights that are assigned to the owner
+  # of the credential on the target resource. Different slice
+  # authorities use different permission names, but they have
+  # similar semantic meaning.  If and only if a privilege can
+  # be delegated, then that means the owner of the credential
+  # can delegate that permission to another entity. 
+  # Currently, the only credentials used in the GENI API are
+  # slice credentials and user credentials.  Privileges have not
+  # yet been agreed upon between the control frameworks.  
+  # Currently, SFA assigns ['refresh', 'resolve', and 'info'] 
+  # rights to user credentials.    
+  # Slice credentials have "slice" rights. ProtoGENI defaults 
+  # to the "*" privilege which means that the owner has rights 
+  # to all methods associated with that credential type 
+  # (user or slice). 
+  # See https://www.protogeni.net/trac/protogeni/wiki/ReferenceImplementationPrivileges 
+  # for more information on ProtoGENI privileges.
+  #
+  class PrivilegeCredential < Credential
+    #attr_reader :privileges
+    
+    def self.verify_type(type)
+      raise "Expected type 'privilege' but got '#{type}'" unless type == 'privilege'
+    end
+    
+    def privilege?(pname)
+      @privileges.has_key?(pname)
+    end
+    
+    def user_urn
+      owner_urn
+    end
+    
+    def type
+      # urn:publicid:IDN+topdomain:subdomain+slice+test
+      target_urn.split('+')[2] # it should be one of "slice" or "user"
+    end
+
+    
+    # Create a credential described in +description_doc+ .
+    #
+    def initialize(description_doc, signer_urn)
+      super
+      # @see http://groups.geni.net/geni/wiki/GeniApiCredentials
+      # <privileges>
+        # <privilege><name>refresh</name><can_delegate>true</can_delegate></privilege>
+        # <privilege><name>embed</name><can_delegate>true</can_delegate></privilege>
+        # <privilege><name>bind</name><can_delegate>true</can_delegate></privilege>
+        # <privilege><name>control</name><can_delegate>true</can_delegate></privilege>
+        # <privilege><name>info</name><can_delegate>true</can_delegate></privilege>
+      # </privileges>
+      unless el = description_doc.xpath('//credential/privileges')[0]
+        raise "Missing element 'privileges' in credential"
+      end
+      @privileges = {}
+      el.children.each do |pel|
+        p = {} 
+        pel.children.each do |cel|
+          p[cel.name.to_sym] = cel.content
+        end
+	      # example: @privileges={"refresh"=>{:can_delegate=>"true"}, "resolve"=>{:can_delegate=>"true"}, "info"=>{:can_delegate=>"true"}}
+        @privileges[p.delete(:name)] = p 
+      end
+    end
+
+  end # PrivilegeCredential                     
+end # OMF::SFA::AM

data/lib/omf-sfa/am/signature.rb

@@ -0,0 +1,37 @@
+
+module OMF::GENI::AM
+  class Signature
+
+    # The xml _content_ (provided as string) should
+    # contain a _Signature_ tag. 
+    #
+    # Returns a _Signature_ object if valid.
+    # Raises exception if not valid
+    #
+    def self.verify_xml_string(content)
+      tf = sig = nil
+      begin
+        tf = Tempfile.open('omf-am-rpc')
+        tf << content
+        tf.close
+        cmd = "#{@@xmlsec} verify --trusted-pem #{@@root_certs} --print-xml-debug #{tf.path} 2> /dev/null"
+        out = []
+        #IO.popen("#{cmd} 2>&1") do |so| 
+        IO.popen(cmd) do |so| 
+          sig = Nokogiri::XML.parse(so)
+        end 
+        unless (sig.xpath('/VerificationContext')[0]['status'] == 'succeeded')
+          raise "Error: Signature doesn't verify\n#{sig.to_xml}"
+        end
+      ensure
+        tf.close! if tf
+      end
+      return Signature.new(sig)
+    end
+    
+    def initialize(sig_doc)
+      @sig_doc = sig_doc
+    end
+
+  end # Signature
+end # OMF::GENI::AM

data/lib/omf-sfa/am/user_credential.rb

@@ -0,0 +1,56 @@
+
+require 'omf-sfa/am/credential'
+
+module OMF::SFA::AM
+  class UserCredential < OMF::Base::LObject
+
+    include OMF::SFA::Resource
+
+    attr_reader :user_urn, :user_uuid
+
+    def self.unmarshall(cert_s)
+      cert = OpenSSL::X509::Certificate.new(cert_s)
+      #puts cert
+      unless OpenSSL::SSL::SSLContext::DEFAULT_CERT_STORE.verify(cert)
+        raise OMF::SFA::AM::InsufficientPrivilegesException.new("Non valid user cert")
+      end
+      self.new(cert)
+    end
+
+    def initialize(cert)
+      @cert = cert
+
+      @cert.extensions.each do |e|
+        if e.oid == 'subjectAltName'
+          #URI:urn:publicid:IDN+topdomain:subdomain+user+pi, URI:urn:uuid:759ae077-2fda-4d02-8921-ab0235a09920
+          e.value.split(',').each do |u|
+            u.slice!('URI:')
+            @user_urn = u.strip if u.start_with?('urn:publicid:IDN')
+            @user_uuid = u.match(/^urn:uuid:(.*)/)[1] if u.start_with?('urn:uuid')
+          end
+          #e.value.split('URI:urn:').each do |u|
+          #  str = u.split('+')
+          #  if str.include?('publicid:IDN')
+          #    @user_urn = str[-3..-1].join('+').chomp(', ')
+          #  end
+          #  str = u.split(':')
+          #  if str.include?('uuid')
+          #    @user_uuid = str.last
+          #  end
+          #end
+        end
+      end
+    end
+
+    def subject 
+      @cert.subject
+    end
+
+    def valid_at?(time = Time.now)
+      debug "valid?  #{@cert.not_before} < #{time} < #{@cert.not_after}"
+      time >= @cert.not_before && time <= @cert.not_after      
+    end
+
+  end # UserCredential
+end # OMF::SFA::AM
+

data/lib/omf-sfa/am.rb

@@ -0,0 +1,7 @@
+
+
+require 'omf_sfa'
+
+module OMF::SFA
+  module AM; end
+end

data/lib/omf-sfa/model/abstract_prop_description.rb

@@ -0,0 +1,87 @@
+
+
+# An +ModelDataPropertyDescription+ holds all the relevant information 
+# for describing properties of entities.
+#
+
+module OMF::SFA
+  module Model
+    
+    class AbstractPropertyDescription < OMF::Base::LObject
+      
+      @@name2inst = {}
+      
+      def self.create_from_xml(cel)
+        about = cel.attribute_with_ns('about', RDF_NS)
+        name = xml_full_name(about.value, cel)
+        klass = @@name2inst[name] ||= self.new(name)
+        klass.parse(cel)
+        klass
+      end
+      
+      def self.each(&block)
+        @@name2inst.values.each &block
+      end
+      
+      attr_reader :name, :ns, :uri
+      
+      def initialize(full_name)
+        @uri = full_name
+        @ns, @name = full_name.split('#')
+        super @name
+      end
+      
+      def validate()
+        if @domain 
+          @domain = validate_class_reference(@domain)
+          @domain.add_property(self)
+        else
+          #warn "No domain reference for property '#{@name}'"
+        end
+      end
+      
+      # Return class description for +ref+
+      #
+      def validate_class_reference(ref)
+        unless ref.kind_of? ModelClassDescription
+          if ref
+            ref = ModelClassDescription[ref] || raise("Unknonw class '#{ref}'")
+          else
+            raise 'Empty class reference'
+          end
+        end
+        ref
+      end
+      
+      
+      def parse(cel)
+        cel.children.each do |el|
+          node_name = el.node_name
+          next if node_name == 'comment'
+
+          attr = el.attribute_with_ns('resource', RDF_NS)
+          res_name = attr ? xml_full_name(attr.value, el) : nil
+          
+          parse_el(node_name, res_name, el)
+        end
+      end
+    
+      def parse_el(node_name, res_name, el)
+        case node_name
+        when 'range'
+          @range = res_name # ModelClassDescription[res] || raise("Unknonw class '#{res}'")
+        when 'domain'
+          @domain = res_name
+        else
+          warn "Unknown eleement '#{node_name}' in '#{self.class.name}'"
+        end
+      end
+              
+      
+      def to_s
+        "#{@name} (#{self.class.name})"
+      end
+
+    end # AbstractPropDescription
+  end # Model
+end # OMF::SFA

data/lib/omf-sfa/model/model_class_description.rb

@@ -0,0 +1,145 @@
+
+# An +MClass+ holds all the releevant information relevant to the
+# specific model class in an overal model or schema.
+#
+
+module OMF::SFA
+  module Model
+    
+    class ModelClassDescription < OMF::Base::LObject
+      
+      @@name2inst = {}
+      
+      def self.[](uri)
+        @@name2inst[uri]
+      end
+      
+      def self.each(&block)
+        if block
+          @@name2inst.values.each &block
+        else
+          @@name2inst.values
+        end
+      end
+      
+      def self.models()
+        @@name2inst.values
+      end
+      
+      def self.create_from_xml(cel)
+        about = cel.attribute_with_ns('about', RDF_NS)
+        name = xml_full_name(about.value, cel)
+        klass = @@name2inst[name] ||= self.new(name)
+        klass.parse(cel)
+        klass
+      end
+      
+      
+      attr_reader :name, :ns, :uri
+      
+      def initialize(full_name)
+        @uri = full_name
+        @ns, @name = full_name.split('#')
+        super @name
+        @properties = {}
+        @children = []
+      end
+      
+      def add_property(prop_description)
+        name = prop_description.name
+        if p = @properties[name]
+          if p != prop_description
+            error "Trying to add additional property with smae name '#{name}'"
+          end
+        else
+          @properties[name] = prop_description
+        end
+      end
+      
+      
+      def parse(cel)
+        cel.children.each do |el|
+          node_name = el.node_name
+          next if node_name == 'comment'
+          
+          case el.node_name
+          when 'subClassOf'
+            parse_super(el)
+          when 'disjointWith'
+            # <owl:disjointWith rdf:resource="#Item"/>
+          when 'label'
+            @label = el.content
+          else
+            warn "Unknown eleement '#{el.node_name}' in '#{self.class.name}'"
+          end
+        end
+      end
+    
+      # TODO: Parsing of 'Restriction'
+      #
+      #  <rdfs:subClassOf rdf:resource="#NetworkElement"/>
+      #  <rdfs:subClassOf>
+      #      <owl:Restriction>
+      #          <owl:onProperty rdf:resource="#hasSwitchMatrix"/>
+      #          <owl:someValuesFrom rdf:resource="#SwitchMatrix"/>
+      #      </owl:Restriction>
+      #  </rdfs:subClassOf>
+      #
+      def parse_super(el)
+        res = el.attribute_with_ns('resource', RDF_NS)
+        if res
+          if @superklass
+            warn "Don't really know how to handle multiple inheritence in '#{@name}'"
+          end
+          @superklass = xml_full_name(res.value, el)
+        end
+        
+      end
+      
+      def superklass
+        unless @superklass.kind_of? self.class
+          if klass = self.class[@superklass]
+            @superklass = klass
+            klass.add_child_class(self)
+          end
+        end
+        @superklass
+      end
+      
+      def add_child_class(class_model)
+        @children << class_model
+      end
+      
+      def describe(level = 0, max_level = 99)
+        if !@properties.empty? || level == 0
+          prefix = "  " * level
+          puts "#{prefix}-------------------------"
+          puts "#{prefix}Class: #{name}"
+          describe_properties(prefix)
+        end
+        @children.each do |ch|
+          ch.describe level + 1, max_level
+        end
+      end
+
+      def describe_properties(prefix)
+        # if superklass.kind_of? self.class
+          # superklass.describe_properties
+        # end
+        @properties.each do |n, p|
+          mark = p.kind_of?(ModelDataPropertyDescription) ? '=' : '>'
+          puts "#{prefix}  #{mark} #{n}"
+        end
+      end
+      
+      def validate()
+        superklass
+      end
+      
+      def to_s
+        "#{@name} (#{self.class.name}) - super: #{superklass || 'none'}"
+      end
+
+    end # ModelClassDescription
+  end # Model
+end # OMF::SFA

data/lib/omf-sfa/model/model_data_prop_description.rb

@@ -0,0 +1,28 @@
+
+require 'omf-sfa/model/abstract_prop_description'
+
+# An +ModelDataPropertyDescription+ holds all the relevant information 
+# for describing properties of entities.
+#
+
+module OMF::SFA
+  module Model
+    
+    class ModelDataPropertyDescription < AbstractPropertyDescription
+      
+      # <owl:DatatypeProperty rdf:about="#numHop">
+      #   <rdfs:domain rdf:resource="#NetworkTransportElement"/>
+      #   <rdfs:range rdf:resource="&xsd;int"/>
+      # </owl:DatatypeProperty>
+      #
+      def parse_el(node_name, res_name, el)
+        case node_name
+        when 'XXX'
+        else
+          super
+        end
+      end
+    
+    end # ModelClassDescription
+  end # Model
+end # OMF::SFA

data/lib/omf-sfa/model/model_obj_prop_description.rb

@@ -0,0 +1,49 @@
+
+require 'omf-sfa/model/abstract_prop_description'
+
+# An +ModelObjectPropertyDescription+ holds all the relevant information 
+# for describing relationship between entities.
+#
+
+module OMF::SFA
+  module Model
+    
+    class ModelObjectPropertyDescription < AbstractPropertyDescription
+      
+      @@types = {
+        'http://www.w3.org/2002/07/owl#TransitiveProperty' => :transitive,
+        'http://www.w3.org/2002/07/owl#FunctionalProperty' => :functional,
+        'http://www.w3.org/2002/07/owl#InverseFunctionalProperty' => :inverse_functional,
+        'http://www.w3.org/2002/07/owl#SymmetricProperty' => :symmetric,
+        'http://www.w3.org/2002/07/owl#AsymmetricProperty' => :asymmetric,
+        'http://www.w3.org/2002/07/owl#ReflexiveProperty' => :reflexive,        
+        'http://www.w3.org/2002/07/owl#IrreflexiveProperty' => :irreflexive
+      }
+      
+      
+      # <!-- http://geni-orca.renci.org/owl/topology.owl#connectedTo -->
+      # 
+      # <owl:ObjectProperty rdf:about="#connectedTo">
+      #   <rdf:type rdf:resource="&owl;TransitiveProperty"/>
+      #   <rdfs:range rdf:resource="#NetworkElement"/>
+      #   <rdfs:domain rdf:resource="#NetworkElement"/>
+      #   <rdfs:subPropertyOf rdf:resource="&layer;feature"/>
+      # </owl:ObjectProperty>
+      #
+      def parse_el(node_name, res_name, el)
+        case node_name
+        when 'subPropertyOf'
+          @subPropertyOf = res_name
+        when 'type'
+          @type = @@types[res_name] || raise("Unknonw property type '#{res_name}'")
+        when 'inverseOf'
+          @inverseOf = res_name
+        else
+          super
+        end
+      end
+    
+
+    end # ModelClassDescription
+  end # Model
+end # OMF::SFA