delegatecredential.in 3.26 KB
Newer Older
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153
#!/usr/bin/perl -w
#
# GENIPUBLIC-COPYRIGHT
# Copyright (c) 2008-2011 University of Utah and the Flux Group.
# All rights reserved.
#
use strict;
use English;
use Getopt::Std;

#
# This script can be used to delegate a credential to a local user.
# Acts as the SA, but use -c to act as the CM. The credential is
# specified as a text file on the command line, or on stdin. The output
# is written to the file or stdout. The permissions to delegate are
# specified as pairs in the form 'perm:delegate" where 'perm' is
# something like "resolve" and 'delegate' is a boolean that says if
# that permission can be further delegated. You must supply at least
# one permission (can be special tag 'all' to grant all perms).
#
# For example:
#
# boss> getchcredential | delegatecredential urn:stoller resolve:0 list:1
#
# Note that I shortened the URN for brevity.
#
sub usage()
{
    print STDERR "Usage: $0 [-c] [-i input_file] [-o output_file] <user-urn> ";
    print STDERR "[permission,delegate ...]\n";
    exit(-1);
}
my $optlist = "ci:o:";
my $ascm    = 0;
my $infile;
my $outfile;

# Configure ...
my $TB		  = "@prefix@";
my $SACERT	  = "$TB/etc/genisa.pem";
my $CMCERT	  = "$TB/etc/genicm.pem";

# Do this early so that we talk to the right DB. 
use vars qw($GENI_DBNAME);
BEGIN { $GENI_DBNAME = "geni"; }

use lib '@prefix@/lib';
use GeniCredential;
use GeniCertificate;
use GeniAuthority;
use GeniHRN;
use GeniResponse;
use GeniUser;
use GeniRegistry;

sub fatal($)
{
    my ($msg) = @_;

    die("*** $0:\n".
	"    $msg\n");
}

#
# Parse command arguments. Once we return from getopts, all that should be
# left are the required arguments.
#
my %options = ();
if (! getopts($optlist, \%options)) {
    usage();
}
if (defined($options{"i"})) {
    $infile = 1;
}
if (defined($options{"o"})) {
    $outfile = 1;
}
if (defined($options{"c"})) {
    $ascm = 1;
}
usage()
    if (@ARGV < 2);
my $user_urn = shift();

#
# Must be an emulab user.
#
if (! (GeniHRN::IsValid($user_urn))) {
    fatal("Malformed user urn");
}
my $geniuser = GeniUser->Lookup($user_urn, 1);
if (!defined($geniuser)) {
    fatal("No such user in the DB");
}

#
# Load the cert to act as caller context.
#
my $certificate = GeniCertificate->LoadFromFile(($ascm ? $CMCERT : $SACERT));
if (!defined($certificate)) {
    fatal("Could not load certificate\n");
}
Genixmlrpc->SetContext(Genixmlrpc->Context($certificate));

#
# Load the input credential.
#
my $credstring = "";
if ($infile) {
    open(IN, $infile)
	or fatal("Could not open $infile");

    while (<IN>) {
	$credstring .= $_;
    }
}
else {
    while (<STDIN>) {
	$credstring .= $_;
    }
}
my $credential = GeniCredential->CreateFromSigned($credstring);
if (!defined($credential)) {
    fatal("Could not load credential\n");
}
my $delegate = $credential->Delegate($geniuser);
#
# Add the perms
#
foreach my $arg (@ARGV) {
    if ($arg =~ /^(\w*):(\d)$/) {
	$delegate->AddCapability($1, $2);
    }
    else {
	fatal("Bad permission: $arg");
    }
}
if ($delegate->Sign(($ascm ? $GeniCredential::LOCALCM_FLAG :
		     $GeniCredential::LOCALSA_FLAG)) != 0) {
    fatal("Could not sign delegated credential");
}
if ($outfile) {
    open(OUT, ">$outfile")
	or fatal("Could not open $outfile");
    print OUT $delegate->asString();
    close(OUT);
}
else {
    print $delegate->asString();
}
exit(0);