Commit 734bfd2a authored by Leigh B Stoller's avatar Leigh B Stoller

Change to previous revision wrt sliver registration. Need to be

backwards compatible with old SAs and CMs until new code makes it
out to everyone. So the CM now does a version check at the target SA,
and if the SA is an old version 1, it uses the bogus self-signed credential. If the SA is
version 1.01, it sends a proper sliver credential.

In the SA, accept older bogus credential for now, but start accepting
the new sliver credential, and apply more stringent checks.
parent 6c5bc5a1
......@@ -86,6 +86,7 @@ my $VTOPGEN = "$TB/bin/vtopgen";
my $SNMPIT = "$TB/bin/snmpit";
my $PRERENDER = "$TB/libexec/vis/prerender";
my $XMLLINT = "/usr/local/bin/xmllint";
my $ADDAUTHORITY = "$TB/sbin/protogeni/addauthority";
my $EMULAB_PEMFILE = "@prefix@/etc/genicm.pem";
my $API_VERSION = 1;
......@@ -3731,7 +3732,13 @@ sub UnRegisterSliver($)
sub RegisterAux($$)
{
my ($slice, $unregister) = @_;
my $credential;
my $aggregate = GeniAggregate->SliceAggregate($slice);
if (!defined($aggregate)) {
print STDERR "Could not find aggregate for $slice\n";
return -1;
}
my $authority = $slice->SliceAuthority();
if (!defined($authority)) {
$authority =
......@@ -3741,20 +3748,57 @@ sub RegisterAux($$)
return -1;
}
}
my $registry = GeniRegistry::Client->Create($authority);
if (!defined($authority->url()) || $authority->url() eq "") {
print STDERR "No url for $authority; skipping registration\n";
$aggregate->SetRegistered(1);
return 0;
}
#
# Ask for the version number to see how we need to do this.
#
my $version = $authority->Version();
if (!defined($version)) {
print STDERR "No version for $authority; skipping registration\n";
return 0;
}
if ($version == 1) {
#
# Old API; uses a bogus self signed credential.
#
my $context = Genixmlrpc->GetContext();
$credential = GeniCredential->CreateSigned($authority,
$context->certificate(),
$context->certificate());
}
else {
my $me = GeniAuthority->Lookup($ENV{'MYURN'});
if (!defined($me)) {
# This should be done in initsite.
system("$ADDAUTHORITY -a $EMULAB_PEMFILE cm");
}
$me = GeniAuthority->Lookup($ENV{'MYURN'});
if (!defined($me)) {
print STDERR
"Could not find local authority object for $ENV{'MYURN'}\n";
return -1;
}
$credential = $aggregate->NewCredential($me);
}
if (!defined($credential)) {
print STDERR "Could not create a credential for $authority\n";
return -1;
}
my $registry = GeniRegistry::Client->Create($authority,undef,$credential);
if (!defined($registry)) {
print STDERR "Could not create a registry client for $authority\n";
return -1;
}
if ($unregister) {
$registry->UnRegisterSliver($slice->urn());
}
else {
my $aggregate = GeniAggregate->SliceAggregate($slice);
if (!defined($aggregate)) {
print STDERR "Could not find aggregate for $slice\n";
return -1;
}
my $creator = $aggregate->GetCreator();
if (!defined($creator)) {
print STDERR "Could not find creator for $slice\n";
......
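Review bot: The `system("$ADDAUTHORITY -a $EMULAB_PEMFILE cm")` call in the else branch of the version check ignores its exit status, so when addauthority fails the only symptom is the later "Could not find local authority object" message, which hides the real cause; run it in list form and check the result, `system($ADDAUTHORITY, "-a", $EMULAB_PEMFILE, "cm") == 0 or print STDERR "$ADDAUTHORITY failed: $?\n";`. The `$version == 1` branch intentionally keeps the self-signed credential for old SAs, and a `# TODO: remove the version 1 path once every SA reports 1.01` comment would record that this is transitional rather than a supported mode. When `Version()` returns undef the sub returns 0 without calling `SetRegistered`, unlike the missing-url case just above it, which marks the aggregate registered first; if that asymmetry is intended, the reason deserves a one-line comment. RegisterAux continues past the end of this section.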
......@@ -46,7 +46,7 @@ my $OURDOMAIN = "@OURDOMAIN@";
my $PGENIDOMAIN = "@PROTOGENI_DOMAIN@";
my $SLICESHUTDOWN = "$TB/sbin/protogeni/shutdownslice";
my $API_VERSION = 1;
my $API_VERSION = 1.01;
#
# Tell the client what API revision we support. The correspondence
......@@ -910,7 +910,7 @@ sub RegisterSliver($)
print STDERR "Could not find local authority object\n";
return GeniResponse->Create(GENIRESPONSE_ERROR);
}
my $credential = CheckCredential($credstr, $authority);
my $credential = CheckCredential($credstr);
return $credential
if (GeniResponse::IsResponse($credential));
......@@ -923,6 +923,46 @@ sub RegisterSliver($)
return GeniResponse->Create(GENIRESPONSE_SEARCHFAILED, undef,
"No such slice here");
}
if ($credential->target_urn() eq $authority->urn()) {
#
# Old permission check until all CMs are updated to send a
# proper sliver credential instead of bogus self signed
# credential.
#
my ($o_domain,$o_type,$o_id) =
GeniHRN::Parse($credential->owner_urn());
if (! ($o_type eq "authority" && $o_id eq "cm")) {
return GeniResponse->Create(GENIRESPONSE_FORBIDDEN, undef,
"Credential owner is not a CM");
}
}
else {
#
# New Permission check. The best we can do is make sure the
# caller is a CM, and the same CM that signed the credential,
# and the same CM as the sliver. This means that an errant CM
# can register a sliver for another slice, but not much we can
# do about that, without delegation. Not yet.
#
my ($o_domain,$o_type,$o_id) =
GeniHRN::Parse($credential->owner_urn());
if (! ($o_type eq "authority" && $o_id eq "cm")) {
return GeniResponse->Create(GENIRESPONSE_FORBIDDEN, undef,
"Credential owner is not a CM");
}
my ($t_domain,$t_type,$t_id) =
GeniHRN::Parse($credential->target_urn());
if (! ($t_type eq "sliver")) {
return GeniResponse->Create(GENIRESPONSE_FORBIDDEN, undef,
"Credential target is not a Sliver");
}
if ($t_domain ne $o_domain) {
return GeniResponse->Create(GENIRESPONSE_FORBIDDEN, undef,
"Target domain is different then owner");
}
}
# The user is embedded in the blob.
if (!exists($blob->{'creator_urn'})) {
return GeniResponse->MalformedArgsResponse("Please tell me creator");
......@@ -983,7 +1023,7 @@ sub UnRegisterSliver($)
print STDERR "Could not find local authority object\n";
return GeniResponse->Create(GENIRESPONSE_ERROR);
}
my $credential = CheckCredential($credstr, $authority);
my $credential = CheckCredential($credstr);
return $credential
if (GeniResponse::IsResponse($credential));
......@@ -991,6 +1031,45 @@ sub UnRegisterSliver($)
return GeniResponse->Create( GENIRESPONSE_FORBIDDEN, undef,
"Insufficient privilege" );
if ($credential->target_urn() eq $authority->urn()) {
#
# Old permission check until all CMs are updated to send a
# proper sliver credential instead of bogus self signed
# credential.
#
my ($o_domain,$o_type,$o_id) =
GeniHRN::Parse($credential->owner_urn());
if (! ($o_type eq "authority" && $o_id eq "cm")) {
return GeniResponse->Create(GENIRESPONSE_FORBIDDEN, undef,
"Credential owner is not a CM");
}
}
else {
#
# New Permission check. The best we can do is make sure the
# caller is a CM, and the same CM that signed the credential,
# and the same CM as the sliver. This means that an errant CM
# can register a sliver for another slice, but not much we can
# do about that, without delegation. Not yet.
#
my ($o_domain,$o_type,$o_id) =
GeniHRN::Parse($credential->owner_urn());
if (! ($o_type eq "authority" && $o_id eq "cm")) {
return GeniResponse->Create(GENIRESPONSE_FORBIDDEN, undef,
"Credential owner is not a CM");
}
my ($t_domain,$t_type,$t_id) =
GeniHRN::Parse($credential->target_urn());
if (! ($t_type eq "sliver")) {
return GeniResponse->Create(GENIRESPONSE_FORBIDDEN, undef,
"Credential target is not a Sliver");
}
if ($t_domain ne $o_domain) {
return GeniResponse->Create(GENIRESPONSE_FORBIDDEN, undef,
"Target domain is different then owner");
}
}
my $slice = GeniSlice->Lookup($slice_urn);
if (!defined($slice)) {
return GeniResponse->Create(GENIRESPONSE_SEARCHFAILED, undef,
......
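Review bot: The permission-check block added to RegisterSliver and to UnRegisterSliver is the same ~38 lines twice (the `if ($credential->target_urn() eq $authority->urn())` / else pair), and the owner-is-a-CM test is repeated inside both branches, so the two call sites will drift apart as the checks tighten; move it into one helper that returns a GeniResponse on failure and nothing on success, and replace each copy with `my $response = CheckCMCredential($credential, $authority); return $response if (defined($response));`. The new branch verifies owner type, target type and same domain, but not that the credential's target sliver is the sliver actually being (un)registered; if the request carries the sliver URN, comparing it to `$credential->target_urn()` would narrow the "errant CM" case the comment describes, though I cannot tell from the hunk whether it does. The message `"Target domain is different then owner"` should read `than`. Both enclosing subs start and end outside these hunks.
```perl
#
# Shared CM permission check for RegisterSliver/UnRegisterSliver.
# Returns a GeniResponse on failure, nothing when the caller may proceed.
#
sub CheckCMCredential($$)
{
    my ($credential, $authority) = @_;

    my ($o_domain,$o_type,$o_id) =
	GeniHRN::Parse($credential->owner_urn());
    if (! ($o_type eq "authority" && $o_id eq "cm")) {
	return GeniResponse->Create(GENIRESPONSE_FORBIDDEN, undef,
				    "Credential owner is not a CM");
    }
    # Old self-signed credential from a version 1 CM: the owner check
    # above is all we can apply until every CM sends a sliver credential.
    return
	if ($credential->target_urn() eq $authority->urn());

    my ($t_domain,$t_type,$t_id) =
	GeniHRN::Parse($credential->target_urn());
    if (! ($t_type eq "sliver")) {
	return GeniResponse->Create(GENIRESPONSE_FORBIDDEN, undef,
				    "Credential target is not a Sliver");
    }
    if ($t_domain ne $o_domain) {
	return GeniResponse->Create(GENIRESPONSE_FORBIDDEN, undef,
				    "Target domain is different than owner");
    }
    return;
}
```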