Commit 2131bfdc authored by Leigh B Stoller's avatar Leigh B Stoller

Add some calls to $node->IsTainted() to prevent console access and image

cloning. Also check when creating the manifest, so that the portal does not
provide a Console menu option.
parent e4de40f3
...@@ -3031,6 +3031,11 @@ sub CreateImage($) ...@@ -3031,6 +3031,11 @@ sub CreateImage($)
return GeniResponse->Create(GENIRESPONSE_SEARCHFAILED, undef, return GeniResponse->Create(GENIRESPONSE_SEARCHFAILED, undef,
"No node for sliver urn"); "No node for sliver urn");
} }
if ($node->IsTainted()) {
return GeniResponse->Create(GENIRESPONSE_FORBIDDEN, undef,
"node is tainted - image creation denied");
}
my $experiment = $slice->GetExperiment(); my $experiment = $slice->GetExperiment();
if (!defined($experiment)) { if (!defined($experiment)) {
return GeniResponse->Create(GENIRESPONSE_ERROR, undef, return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
...@@ -3939,6 +3944,10 @@ sub ConsoleURL($) ...@@ -3939,6 +3944,10 @@ sub ConsoleURL($)
return GeniResponse->Create(GENIRESPONSE_SEARCHFAILED, undef, return GeniResponse->Create(GENIRESPONSE_SEARCHFAILED, undef,
"No node for sliver urn"); "No node for sliver urn");
} }
if ($node->IsTainted()) {
return GeniResponse->Create(GENIRESPONSE_FORBIDDEN, undef,
"node is tainted - console access denied");
}
my $experiment = $slice->GetExperiment(); my $experiment = $slice->GetExperiment();
if (!defined($experiment)) { if (!defined($experiment)) {
return GeniResponse->Create(GENIRESPONSE_ERROR, undef, return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
...@@ -4024,6 +4033,10 @@ sub ConsoleInfo($) ...@@ -4024,6 +4033,10 @@ sub ConsoleInfo($)
return GeniResponse->Create(GENIRESPONSE_SEARCHFAILED, undef, return GeniResponse->Create(GENIRESPONSE_SEARCHFAILED, undef,
"No node for sliver urn"); "No node for sliver urn");
} }
if ($node->IsTainted()) {
return GeniResponse->Create(GENIRESPONSE_FORBIDDEN, undef,
"node is tainted - console access denied");
}
my $experiment = $slice->GetExperiment(); my $experiment = $slice->GetExperiment();
if (!defined($experiment)) { if (!defined($experiment)) {
return GeniResponse->Create(GENIRESPONSE_ERROR, undef, return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
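Review bot: The same IsTainted() guard is pasted into CreateImage, ConsoleURL and ConsoleInfo (and again in the image-creation script hunk further down), and none of the sites says what a tainted node is or why the operation is refused. A one-line comment above each guard would do, for example `# Tainted nodes must not be imaged or reached over the console; refuse before looking up the experiment.` Because the guard is opt-in per handler, any other call that exposes node contents or console access needs the same check; only these are visible here, so that is worth confirming against the full files. No log line accompanies the refusal in the visible lines, so refused attempts on tainted nodes may leave no trace for operators unless GeniResponse->Create records them. All three functions start and end outside their hunks.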
......
...@@ -869,8 +869,9 @@ sub AnnotateManifest($) ...@@ -869,8 +869,9 @@ sub AnnotateManifest($)
# one, expecting it to be available by the time the user might # one, expecting it to be available by the time the user might
# want to use it. # want to use it.
# #
if (($node->TipServer(\$tipserver) == 0 && defined($tipserver)) || if (!$node->IsTainted() &&
$node->isvirtnode()) { (($node->TipServer(\$tipserver) == 0 && defined($tipserver)) ||
$node->isvirtnode())) {
if (! defined($services)) { if (! defined($services)) {
$services = GeniXML::AddElement("services", $rspec); $services = GeniXML::AddElement("services", $rspec);
} }
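Review bot: The condition in AnnotateManifest now mixes a policy check with the two console-availability checks, while the comment above it still describes only availability. A line added to that comment, such as `# Tainted nodes never get a console service entry; ConsoleURL and ConsoleInfo refuse them as well.`, would tell a reader that the omission is deliberate and that it is presentation only, with enforcement living in the RPC handlers. Taint is read once when the manifest is built, so a manifest generated before a node becomes tainted would presumably still advertise the console; the server-side checks are what cover that case. The function body continues outside the hunk.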
......
...@@ -196,6 +196,10 @@ $isvirtnode = $node->isvirtnode(); ...@@ -196,6 +196,10 @@ $isvirtnode = $node->isvirtnode();
if (!$node->AccessCheck($this_user, TB_NODEACCESS_LOADIMAGE())) { if (!$node->AccessCheck($this_user, TB_NODEACCESS_LOADIMAGE())) {
fatal("Not enough permission"); fatal("Not enough permission");
} }
if ($node->IsTainted()) {
fatal("$node is tainted - image creation denied!");
}
my $experiment = $node->Reservation(); my $experiment = $node->Reservation();
if (!defined($experiment)) { if (!defined($experiment)) {
fatal("Node is not reserved"); fatal("Node is not reserved");
......