#!/usr/bin/perl -wT
#
# Copyright (c) 2008-2014 University of Utah and the Flux Group.
# 
# {{{GENIPUBLIC-LICENSE
# 
# GENI Public License
# 
# Permission is hereby granted, free of charge, to any person obtaining
# a copy of this software and/or hardware specification (the "Work") to
# deal in the Work without restriction, including without limitation the
# rights to use, copy, modify, merge, publish, distribute, sublicense,
# and/or sell copies of the Work, and to permit persons to whom the Work
# is furnished to do so, subject to the following conditions:
# 
# The above copyright notice and this permission notice shall be
# included in all copies or substantial portions of the Work.
# 
# THE WORK IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
# OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
# HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
# WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE WORK OR THE USE OR OTHER DEALINGS
# IN THE WORK.
# 
# }}}
#
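package GeniMA;

#
# Shim for implementing standard GENI MA interface.
#
# Every entry point returns a GeniResponse; the per-object lookups below
# enforce Emulab's own access rules on top of the GENI credential checks.
#
use strict;
use warnings;
use Exporter;

# "our" replaces the obsolete "use vars" declaration; same package globals.
our @ISA    = ('Exporter');
our @EXPORT = ();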

use GeniStd;
use GeniSA;
use GeniResponse;
use GeniCredential;
use GeniRegistry;
use emutil;
use Data::Dumper;

# XML-RPC encoder used below to pin the wire type of scalars ($coder->string,
# $coder->boolean).  Frontier::RPC2 is not "use"d in this file; presumably one
# of the Geni* modules above loads it -- TODO confirm.
my $coder = Frontier::RPC2->new('use_objects' => 1);

# GENI MA API version selected through SetGeniVersion(); undefined until set.
# Consulted by GetVersion() (reported VERSION) and LookupKeys() (reply shape).
my $GENI_VERSION;

#
# Record the API version (1 or 2) the caller wants this module to speak.
# The value is read back by GetVersion() and LookupKeys().
#
sub SetGeniVersion($) 
{
    ($GENI_VERSION) = @_;
}

#
# Build one entry of the FIELDS table returned by GetVersion().
# $create is the CREATE policy string; $protect is added as PROTECT only
# when supplied.  UPDATE and MATCH are always false in this implementation.
#
sub _FieldSpec
{
    my ($object, $type, $create, $protect) = @_;

    my $spec = {
        'OBJECT' => $object,
        'TYPE'   => $type,
        'CREATE' => $create,
        'UPDATE' => $coder->boolean(0),
        'MATCH'  => $coder->boolean(0),
    };
    $spec->{'PROTECT'} = $protect if (defined($protect));
    return $spec;
}

#
# get_version: describe this MA (API version, URN, supported services,
# credential types and the per-object field table).
#
# Returns a GeniResponse; GENIRESPONSE_ERROR when the local authority
# object (looked up by $ENV{'MYURN'}) cannot be found.
#
sub GetVersion()
{
    my $me = GeniAuthority->Lookup($ENV{'MYURN'});
    if (!defined($me)) {
        print STDERR "Could not find local authority object\n";
        return GeniResponse->Create(GENIRESPONSE_ERROR);
    }

    # Report v1 only when it was explicitly selected; everything else is v2.
    my $api_version = (defined($GENI_VERSION) && $GENI_VERSION == 1) ? "1" : "2";

    # The GENI MA endpoint lives next to the authority's own URL.
    my $url = $me->url();
    $url =~ s/ma$/geni-ma/;

    my %fields = (
        '_EMULAB_MEMBER_HRN'             => _FieldSpec('MEMBER', 'STRING',      'NOT ALLOWED', 'PUBLIC'),
        '_EMULAB_MEMBER_FULLNAME'        => _FieldSpec('MEMBER', 'STRING',      'REQUIRED',    'IDENTIFYING'),
        '_EMULAB_MEMBER_SSL_CERTIFICATE' => _FieldSpec('MEMBER', 'CERTIFICATE', 'NOT ALLOWED', 'PUBLIC'),
        'MEMBER_EMAIL'                   => _FieldSpec('MEMBER', 'STRING',      'REQUIRED',    'IDENTIFYING'),
        'KEY_ID'                         => _FieldSpec('KEY',    'STRING',      'NOT ALLOWED'),
        'KEY_TYPE'                       => _FieldSpec('KEY',    'STRING',      'REQUIRED'),
        'KEY_PUBLIC'                     => _FieldSpec('KEY',    'STRING',      'REQUIRED'),
        'KEY_PRIVATE'                    => _FieldSpec('KEY',    'STRING',      'NOT ALLOWED'),
        'KEY_DESCRIPTION'                => _FieldSpec('KEY',    'STRING',      'ALLOWED'),
    );

    my $blob = {
        "VERSION"          => $coder->string($api_version),
        "URN"              => $me->urn(),
        "IMPLEMENTATION"   => { "code_version" => $coder->string("0.2") },
        "SERVICES"         => [ "MEMBER", "KEY" ],
        "CREDENTIAL_TYPES" => [
            { "type" => "geni_sfa",  "version" => $coder->string("3") },
            { "type" => "geni_abac", "version" => $coder->string("1") },
        ],
        "API_VERSIONS"     => {
            "1" => "$url/1",
            "2" => "$url/2",
        },
        'FIELDS'           => \%fields,
    };
    return GeniResponse->Create(GENIRESPONSE_SUCCESS, $blob);
}

#
# Create in v2 of the API works for different objects: dispatch on the
# object type to the per-object implementation.
#
# NOTE(review): the ($$) prototype does not match the three arguments
# unpacked; prototypes are only enforced on direct calls compiled after
# this declaration, so callers via code ref are unaffected.
#
sub Create($$)
{
    my ($type, $credential_args, $options) = @_;
    my $object = uc($type);

    return CreateMember($credential_args, $options) if ($object eq 'MEMBER');
    return CreateKey($credential_args, $options)    if ($object eq 'KEY');

    return GeniResponse->MalformedArgsResponse(
	'create not supported for type "' . $type . '"');
}
#
# lookup (v2): dispatch on object type to LookupMembers() or LookupKeys().
#
sub Lookup($$)
{
    my ($type, $credential_args, $options) = @_;

    my %handler_for = (
        'MEMBER' => \&LookupMembers,
        'KEY'    => \&LookupKeys,
    );
    my $handler = $handler_for{uc($type)};
    return $handler->($credential_args, $options) if (defined($handler));

    return GeniResponse->MalformedArgsResponse(
	'lookup not supported for type "' . $type . '"');
}
#
# update (v2): dispatch on object type to UpdateMember() or UpdateKey().
#
# NOTE(review): UpdateKey() unpacks four positional arguments but is passed
# three here; harmless while UpdateKey() is a NOT_IMPLEMENTED stub.
#
sub Update($$)
{
    my ($type, $urn, $credential_args, $options) = @_;
    my $object = uc($type);

    if ($object eq 'MEMBER') {
        return UpdateMember($urn, $credential_args, $options);
    }
    elsif ($object eq 'KEY') {
        return UpdateKey($urn, $credential_args, $options);
    }

    return GeniResponse->MalformedArgsResponse(
	'update not supported for type "' . $type . '"');
}
#
# delete (v2): only KEY objects are routed; everything else is malformed.
#
# NOTE(review): DeleteKey() unpacks four positional arguments but is passed
# three here; harmless while DeleteKey() is a NOT_IMPLEMENTED stub.
#
sub Delete($$)
{
    my ($type, $urn, $credential_args, $options) = @_;

    if (uc($type) ne 'KEY') {
        return GeniResponse->MalformedArgsResponse(
	    'delete not supported for type "' . $type . '"');
    }
    return DeleteKey($urn, $credential_args, $options);
}

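#
# Add one member's record to $reply, keyed by the member's URN.
#
# $geniuser      - the GeniUser to describe.
# $reply         - hash ref the record is stored into.
# $is_local_user - true only when LookupMembers() judged the caller both
#                  local and privileged; gates the identifying fields.
# $filter        - field list handed to GeniStd::FilterFields().
#
sub AddUserToBlob($$$$)
{
    my ($geniuser, $reply, $is_local_user, $filter) = @_;

    my $publicblob = {
        "MEMBER_URN"         => $geniuser->urn(),
        "MEMBER_UID"         => $geniuser->uid(),
        "MEMBER_USERNAME"    => $geniuser->uid(),
        "_EMULAB_MEMBER_HRN" => $geniuser->hrn(),
        # cert() is assumed to return the base64 body ending in a newline
        # -- TODO confirm against GeniUser.
        "_EMULAB_MEMBER_SSL_CERTIFICATE" =>
            '-----BEGIN CERTIFICATE-----' . "\n" .
            $geniuser->cert() .
            '-----END CERTIFICATE-----' . "\n",
    };

    # MEMBER_FIRSTNAME / MEMBER_LASTNAME are deliberately not returned:
    # first and last name are not stored separately, and guessing them by
    # splitting the full name on spaces is wrong for multi-word surnames.
    # (The former dead split/pop/join computation was removed.)
    my $identifyingblob = {
        "_EMULAB_MEMBER_FULLNAME" => $geniuser->name(),
        "MEMBER_EMAIL"            => $geniuser->email(),
    };

    # No private member fields are defined yet.
    my $privateblob = { };

    # Non-local or unprivileged callers only ever see the public fields.
    my $completeblob = $is_local_user
        ? { %$publicblob, %$identifyingblob, %$privateblob }
        : $publicblob;

    $reply->{$geniuser->urn()} = GeniStd::FilterFields($completeblob, $filter);
}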

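#
# Helper for LookupMembers(): resolve every value of one match field and
# add each member found to $reply via AddUserToBlob().
#
# $field     - match field name, used only in diagnostics.
# $values    - array ref of values to resolve, or undef (nothing to do).
# $needs_dot - undef: the value is looked up verbatim (URNs);
#              1: the value must contain a dot (a qualified HRN) and is
#                 looked up verbatim;
#              0: the value must not contain a dot (a bare username or uid)
#                 and is qualified with a leading dot before lookup.
# Values failing the dot rule are reported on STDERR and skipped; values
# that resolve to no user are skipped silently.
#
sub _AddMatchedMembers
{
    my ($field, $values, $needs_dot, $reply, $is_local_user, $filter) = @_;

    return if (!defined($values));

    foreach my $value (@$values) {
        my $lookup = $value;
        if (defined($needs_dot)) {
            my $has_dot = (index($value, '.') != -1) ? 1 : 0;
            if ($has_dot != $needs_dot) {
                my $why = $needs_dot ? "does not contain" : "contains";
                print STDERR "$field '$value' is ignored because it $why a dot char.\n";
                next;
            }
            $lookup = '.' . $value if (!$needs_dot);
        }
        my $geniuser = GeniUser->Lookup($lookup, 1);
        if (defined($geniuser)) {
            AddUserToBlob($geniuser, $reply, $is_local_user, $filter);
        }
    }
    return;
}

#
# lookup MEMBER: resolve the members selected by the request's "match"
# clause (MEMBER_URN, _EMULAB_MEMBER_HRN, MEMBER_USERNAME, MEMBER_UID) and
# return their records keyed by member URN, narrowed to the "filter" list.
#
# Identifying fields (full name, email) are included only when the caller
# is a local user AND the presented credential carries the "authority" or
# "resolve" privilege; everyone else receives the public fields only.
#
sub LookupMembers($$)
{
    my ($credential_args, $options) = @_;

    my ($credential, $speaksfor) =
	GeniStd::CheckCredentials(GeniStd::FilterCredentials($credential_args));
    ($credential, $speaksfor) =
	GeniStd::AddUserCredWhenSpeaksForOnly($credential, $speaksfor);
    return $credential if (GeniResponse::IsResponse($credential));
    return GeniResponse->MalformedArgsResponse("Missing self credential when looking up member")
	if (!defined($credential));

    # The caller is the speaks-for target when one is given, else the URN
    # in GENIURN (presumably taken from the client certificate -- confirm).
    my $this_user = GeniUser->Lookup((defined($speaksfor) ?
			  $speaksfor->target_urn() : $ENV{'GENIURN'}), 1);

    my $is_local_user = defined($this_user);
    $is_local_user = 0 unless ($credential->HasPrivilege("authority") ||
			       $credential->HasPrivilege("resolve"));

    my ($match, $filter) = GeniStd::GetMatchFilter($options);

    my $checkRes = GeniStd::CheckMatchAllowed('lookup MEMBER', $match,
        ['MEMBER_URN', 'MEMBER_USERNAME', 'MEMBER_UID', '_EMULAB_MEMBER_HRN'],
        ['_EMULAB_MEMBER_SSL_CERTIFICATE'],
        ['MEMBER_FIRSTNAME', 'MEMBER_LASTNAME', 'MEMBER_EMAIL']);
    return $checkRes if (GeniResponse::IsError($checkRes));

    my $reply = {};
    if (defined($match)) {
        # Same field order as before; a member matched through several
        # fields is simply stored again under the same URN.
        _AddMatchedMembers('MEMBER_URN', $match->{'MEMBER_URN'}, undef,
                           $reply, $is_local_user, $filter);
        _AddMatchedMembers('_EMULAB_MEMBER_HRN', $match->{'_EMULAB_MEMBER_HRN'}, 1,
                           $reply, $is_local_user, $filter);
        _AddMatchedMembers('MEMBER_USERNAME', $match->{'MEMBER_USERNAME'}, 0,
                           $reply, $is_local_user, $filter);
        _AddMatchedMembers('MEMBER_UID', $match->{'MEMBER_UID'}, 0,
                           $reply, $is_local_user, $filter);
    }
    return GeniResponse->Create(GENIRESPONSE_SUCCESS, $reply);
}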

# Field sets used by LookupPublic()/LookupPrivate()/LookupIdentifying() to
# restrict the caller's filter (see RestrictFilter()).
my @public_member_fields      = qw(MEMBER_URN MEMBER_UID MEMBER_USERNAME
                                   _EMULAB_MEMBER_HRN _EMULAB_MEMBER_SSL_CERTIFICATE);
my @identifying_member_fields = qw(MEMBER_EMAIL _EMULAB_MEMBER_FULLNAME);
my @private_member_fields     = ();   # no private member fields are defined yet

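#
# Intersect a caller-supplied field filter with the set of fields the
# current lookup variant is allowed to return.
#
# $filter      - array ref of requested field names, or undef.
# $restriction - array ref of permitted field names.
#
# An absent or empty filter means "all fields", so the restriction itself
# is returned in that case.  Otherwise only the requested fields that are
# also permitted survive, in request order.
#
# NOTE(review): when nothing survives an empty list is returned.  Whether
# GeniStd::FilterFields() treats an empty filter as "no fields" or as "all
# fields" is not visible here -- confirm, since the latter would undo the
# restriction (this routine itself treats empty as unrestricted).
#
sub RestrictFilter($$)
{
    my ($filter, $restriction) = @_;

    if (!defined($filter) || scalar @{ $filter } == 0) {
        return $restriction;
    }

    my %permitted = map { $_ => 1 } @{ $restriction };
    my $newfilter = [ grep { $permitted{$_} } @{ $filter } ];

    # Diagnostics go to STDERR like the rest of this module; STDOUT may be
    # the RPC response channel and must not carry debug output.
    print STDERR "Debug: filter=@$filter\n       newfilter=@$newfilter\n       restriction=@$restriction\n";

    return $newfilter;
}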

#
# Members lookup restricted to the public field set.  No credential check
# is made here beyond what LookupMembers() itself performs.
#
# NOTE(review): the ($) prototype declares one argument but two are
# unpacked; only direct calls compiled after this point would be affected.
#
sub LookupPublic($)
{
    my ($credential_args, $options) = @_;

    # Only the filter half is used; LookupMembers() re-derives the match.
    my (undef, $filter) = GeniStd::GetMatchFilter($options);
    my $restricted = RestrictFilter($filter, [ @public_member_fields ]);

    $options = { } unless (defined($options));
    $options->{'filter'} = $restricted;

    return LookupMembers($credential_args, $options);
}

#
# Members lookup restricted to the public and private field sets.  Open
# only to local users whose credential carries the "authority" or
# "resolve" privilege.
#
sub LookupPrivate($$)
{
    my ($credential_args, $options) = @_;

    my ($credential, $speaksfor) =
	GeniStd::CheckCredentials(GeniStd::FilterCredentials($credential_args));
    ($credential, $speaksfor) =
	GeniStd::AddUserCredWhenSpeaksForOnly($credential, $speaksfor);
    if (GeniResponse::IsResponse($credential)) {
	return $credential;
    }
    if (!defined($credential)) {
	return GeniResponse->MalformedArgsResponse("Missing self credential");
    }

    #
    # We need to enforce Emulab permissions here, since the credential
    # allows anyone with a credential for this registry to lookup anyone
    # else. Good feature of the Geni API.
    #
    my $caller_urn = defined($speaksfor) ? $speaksfor->target_urn()
					 : $ENV{'GENIURN'};
    my $this_user  = GeniUser->Lookup($caller_urn, 1);
    if (!defined($this_user)) {
	return GeniResponse->Create(GENIRESPONSE_FORBIDDEN, undef,
			    "Permission denied. Only local users are allowed ".
				    "to make private lookups.");
    }

    my $privileged = $credential->HasPrivilege("authority") ||
		     $credential->HasPrivilege("resolve");
    if (!$privileged) {
	return GeniResponse->Create(GENIRESPONSE_FORBIDDEN, undef,
				    "Insufficient privilege");
    }

    # Only the filter half is needed; the match is validated by LookupMembers().
    my (undef, $filter) = GeniStd::GetMatchFilter($options);
    $filter = RestrictFilter($filter,
			     [ @public_member_fields, @private_member_fields ]);

    $options = { } if (!defined($options));
    $options->{'filter'} = $filter;

    return LookupMembers($credential_args, $options);
}

#
# Members lookup restricted to the public and identifying field sets.
# Open only to local users whose credential carries the "authority" or
# "resolve" privilege.
#
sub LookupIdentifying($$)
{
    my ($credential_args, $options) = @_;

    my ($credential, $speaksfor) =
	GeniStd::CheckCredentials(GeniStd::FilterCredentials($credential_args));
    ($credential, $speaksfor) =
	GeniStd::AddUserCredWhenSpeaksForOnly($credential, $speaksfor);
    return $credential
	if (GeniResponse::IsResponse($credential));
    return GeniResponse->MalformedArgsResponse("Missing self credential")
	unless (defined($credential));

    #
    # We need to enforce Emulab permissions here, since the credential
    # allows anyone with a credential for this registry to lookup anyone
    # else. Good feature of the Geni API.
    #
    my $caller_urn = defined($speaksfor) ? $speaksfor->target_urn()
					 : $ENV{'GENIURN'};
    my $this_user  = GeniUser->Lookup($caller_urn, 1);
    unless (defined($this_user)) {
	return GeniResponse->Create(GENIRESPONSE_FORBIDDEN, undef,
			    "Permission denied. Only local users are allowed ".
				    "to make identifying lookups.");
    }

    unless ($credential->HasPrivilege("authority") ||
	    $credential->HasPrivilege("resolve")) {
	return GeniResponse->Create(GENIRESPONSE_FORBIDDEN, undef,
				    "Insufficient privilege");
    }

    # Only the filter half is needed; the match is validated by LookupMembers().
    my (undef, $filter) = GeniStd::GetMatchFilter($options);
    my $restricted = RestrictFilter($filter,
				    [ @public_member_fields, @identifying_member_fields ]);

    $options = { } unless (defined($options));
    $options->{'filter'} = $restricted;

    return LookupMembers($credential_args, $options);
}

#
# update MEMBER is not supported: always answer FORBIDDEN.
#
sub UpdateMember($$$)
{
    my ($member_urn, $credential_args, $options) = @_;

    my $response = GeniResponse->Create(GENIRESPONSE_FORBIDDEN, undef,
					"update MEMBER is unimplemented");
    return $response;
}

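#
# get_credentials: return the user credential for $member_urn wrapped in
# the GENI "geni_sfa" version 3 credential structure (a one-element list).
#
# Presented credentials are optional here: with none, GeniSA::GetCredential
# is asked on the strength of the transport identity alone -- presumably it
# performs its own authorization; confirm.  A speaks-for credential, when
# present, is forwarded to it as a string.
#
sub GetCredentials($$$)
{
    my ($member_urn, $credential_args, $options) = @_;

    #
    # Need to know if only a speaksfor is provided.
    #
    my ($credential, $speaksfor);
    # Distinct name: redeclaring $credential_args here masked the parameter
    # and drew a "masks earlier declaration" warning.
    my $credentials = GeniStd::FilterCredentials($credential_args);
    if (@{ $credentials }) {
	($credential, $speaksfor) = GeniStd::CheckCredentials($credentials);
        return $credential if (GeniResponse::IsResponse($credential));
    }

    my $args = { "urn" => $member_urn };
    if (defined($speaksfor)) {
	$args->{"credential"} = $speaksfor->asString();
    }
    $credential = GeniSA::GetCredential($args);
    return $credential if (GeniResponse::IsError($credential));

    my $blob = {
	"geni_type"    => "geni_sfa",
	"geni_version" => $coder->string("3"),
	# GetCredential() answers with a response whose "value" is the credential.
	"geni_value"   => $credential->{"value"},
    };

    return GeniResponse->Create(GENIRESPONSE_SUCCESS, [$blob]);
}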

#
# create KEY is not implemented on this MA.
#
sub CreateKey($$$)
{
    my ($member_urn, $credential_args, $options) = @_;

    my $response = GeniResponse->Create(GENIRESPONSE_NOT_IMPLEMENTED);
    return $response;
}

#
# delete KEY is not implemented on this MA.
#
sub DeleteKey($$$$)
{
    my ($member_urn, $key_id, $credentials, $options) = @_;

    my $response = GeniResponse->Create(GENIRESPONSE_NOT_IMPLEMENTED);
    return $response;
}

#
# update KEY is not implemented on this MA.
#
sub UpdateKey($$$$)
{
    my ($member_urn, $key_id, $credentials, $options) = @_;

    my $response = GeniResponse->Create(GENIRESPONSE_NOT_IMPLEMENTED);
    return $response;
}

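#
# lookup KEY: return the SSH public keys of one or more members.  A
# KEY_MEMBER match is mandatory so a request cannot enumerate every key
# held by the site.
#
# Reply shape depends on the API version selected via SetGeniVersion():
# v2 keys the reply by key URN; otherwise the reply maps each member URN to
# the list of that member's key records.
#
sub LookupKeys($$)
{
    my ($credential_args, $options) = @_;

    my ($credential, $speaksfor) =
	GeniStd::CheckCredentials(GeniStd::FilterCredentials($credential_args));
    ($credential, $speaksfor) =
	GeniStd::AddUserCredWhenSpeaksForOnly($credential, $speaksfor);
    return GeniStd::WrapResponse($credential, 'lookup KEY encountered an error: ')
	if (GeniResponse::IsResponse($credential));
    # The self-credential requirement is deliberately disabled ("0 &&"):
    # unlike LookupMembers(), a missing credential is tolerated here.
    return GeniResponse->MalformedArgsResponse("Missing self credential")
	if (0 && !defined($credential));

    # The caller must at least be a local user (the speaks-for target, else
    # the URN in GENIURN -- presumably from the client certificate; confirm).
    my $this_user = GeniUser->Lookup((defined($speaksfor) ?
			  $speaksfor->target_urn() : $ENV{'GENIURN'}), 1);
    if (!defined($this_user)) {
	return GeniResponse->Create(GENIRESPONSE_FORBIDDEN, undef,
				    "Permission denied.");
    }

    # NOTE(review): the privilege check only applies when a credential was
    # presented; with none, any local user passes.  Only public key material
    # is returned below, so this is a policy choice to confirm rather than a
    # leak of private data.
    if (defined($credential) &&
	!($credential->HasPrivilege("authority") ||
	  $credential->HasPrivilege("resolve"))) {
	return GeniResponse->Create(GENIRESPONSE_FORBIDDEN, undef,
				    "Insufficient privilege");
    }

    my ($match, $filter) = GeniStd::GetMatchFilter($options);

    my $checkRes = GeniStd::CheckMatchAllowed('lookup KEY', $match,
        ['KEY_MEMBER'],
        [],
        ['KEY_ID', 'KEY_TYPE', 'KEY_PUBLIC', 'KEY_PRIVATE', 'KEY_DESCRIPTION']);
    return $checkRes if (GeniResponse::IsError($checkRes));
    if (!defined($match) || !defined($match->{'KEY_MEMBER'})) {
        return GeniResponse->MalformedArgsResponse('Search is too broad: You are required to match on KEY_MEMBER');
    }

    my $keyed_by_urn = (defined($GENI_VERSION) && $GENI_VERSION == 2);

    # Key URNs are minted under this authority; parse it once, not per member.
    my ($server_auth, $server_type, $server_authname) =
	GeniHRN::Parse($ENV{'MYURN'});

    my $blob = { };
    foreach my $member_urn (@{ $match->{'KEY_MEMBER'} }) {
        my $geniuser = GeniUser->Lookup($member_urn, 1);
        # Unknown members are skipped, as LookupMembers() does, instead of
        # dying on a method call on undef.
        next if (!defined($geniuser));

        my @keys;
        if ($geniuser->GetKeyBundle(\@keys) != 0) {
            print STDERR "Could not get keys for $geniuser\n";
            return GeniResponse->Create(GENIRESPONSE_ERROR);
        }

        # NOTE(review): KEY_ID is derived from the key's position in the
        # bundle, so an ID is not stable across key additions or removals.
        my @list = ();
        my $i = 0;
        foreach my $key (@keys) {
            my $keyurn = GeniHRN::Generate($server_auth, 'key',
                                           $geniuser->uid() . '-' . $i);
            my $keyblob = {
                'KEY_MEMBER'      => $geniuser->urn(),
                'KEY_ID'          => $keyurn,
                'KEY_TYPE'        => 'openssh',
                'KEY_DESCRIPTION' => 'a SSH key of user ' . $geniuser->uid(),
                'KEY_PUBLIC'      => $key->{'key'},
            };
            my $filteredkeyblob = GeniStd::FilterFields($keyblob, $filter);
            if ($keyed_by_urn) {
                $blob->{$keyurn} = $filteredkeyblob;
            } else {
                push(@list, $filteredkeyblob);
            }
            $i += 1;
        }
        if (!$keyed_by_urn) {
            $blob->{ $geniuser->urn() } = \@list;
        }
    }

    return GeniResponse->Create(GENIRESPONSE_SUCCESS, $blob);
}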

# _Always_ make sure that this 1 is at the end of the file...
# (a module must evaluate to a true value when loaded via use/require).
1;