Another checkpoint for URN support. The SA should now handle requests

in URN form.

protogeni/lib/GeniSA.pm.in

@@ -46,8 +46,11 @@ my $SLICESHUTDOWN  = "$TB/sbin/protogeni/shutdownslice";
 #
 sub GetCredential($)
 {
+    # FIXME once migration to URNs is complete, $uuid should be removed,
+    # and $type automatically deduced from the URN.
     my ($argref) = @_;
     my $uuid = $argref->{'uuid'};
+    my $urn = $argref->{'urn'};
     my $cred = $argref->{'credential'};
     my $type = $argref->{'type'};
     
@@ -71,6 +74,9 @@ sub GetCredential($)
 	#
 	# This credential is for access to this SA.
 	#
+	# FIXME We need to update this to use authority and user URNs,
+	# not UUIDs.  But that will require more thought to avoid
+	# breaking stuff.
 	my $authority = GeniAuthority->Lookup($ENV{'MYUUID'});
 	if (!defined($authority)) {
 	    print STDERR "Could not find local authority object\n";
@@ -88,9 +94,14 @@ sub GetCredential($)
 	return GeniResponse->Create(GENIRESPONSE_SUCCESS,
 				    $credential->asString());
     }
-    if (! (defined($uuid) && ($uuid =~ /^[-\w]*$/))) {
-	return GeniResponse->MalformedArgsResponse();
-    }
+    # Currently accept either a UUID or a URN, but not both.  Once we
+    # have migrated the federation to URNs, UUID support will be removed.
+    return GeniResponse->MalformedArgsResponse()
+	if( defined( $uuid ) == defined( $urn ) );
+    return GeniResponse->MalformedArgsResponse()
+	if( defined( $uuid ) && $uuid !~ /^[-\w]*$/ );
+    return GeniResponse->MalformedArgsResponse()
+	if( defined( $urn ) && !GeniHRN::IsValid( $urn ) );
 
     my $credential = GeniCredential->CreateFromSigned($cred);
     if (!defined($credential)) {
@@ -131,10 +142,10 @@ sub GetCredential($)
     
     #
     # User provided a credential, and wants a new credential to access
-    # the object referenced by the uuid.
+    # the object referenced by the URN.
     #
     if ($type eq "Slice") {
-	my $slice = GeniSlice->Lookup($uuid);
+	my $slice = GeniSlice->Lookup( defined( $urn ) ? $urn : $uuid );
 	return GeniResponse->Create(GENIRESPONSE_SEARCHFAILED, undef,
 				    "No such Slice")
 	    if (!defined($slice));
@@ -297,6 +308,9 @@ sub Resolve($)
 		     "uuid"         => $slice->uuid(),
 		     "creator_uuid" => $slice->creator_uuid(),
 		     "gid"          => $slice->cert(),
+		     "urn"          => GeniHRN::Generate( $OURDOMAIN,
+							  "slice",
+							  $slice->slicename() )
 		 };
 	return GeniResponse->Create(GENIRESPONSE_SUCCESS, $blob);
     }
@@ -312,6 +326,8 @@ sub Resolve($)
 #
 sub Register($)
 {
+    # FIXME once migration to URNs is complete, $type should be removed
+    # (it's deduced automatically from the URN).
     my ($argref) = @_;
     my $cred  = $argref->{'credential'};
     my $type  = $argref->{'type'};
@@ -321,10 +337,22 @@ sub Register($)
 	return GeniResponse->MalformedArgsResponse();
     }
 
-    if (! ($hrn =~ /^[-\w\.]*$/)) {
-	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
-				    "hrn: Invalid characters");
+    return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
+				"Invalid URN")
+	if( !GeniHRN::IsValid( $hrn ) && $hrn !~ /^[-\w\.]*$/);
+
+    if( GeniHRN::IsValid( $hrn ) ) {
+	my ($auth,$t,$id) = GeniHRN::Parse( $hrn );
+
+	return GeniResponse->Create( GENIRESPONSE_ERROR, undef,
+				     "Authority mismatch" )
+	    if( $auth ne $OURDOMAIN );
+	
+	$type = $t;
+
+	$hrn = $id;
     }
+
     my $credential = GeniCredential->CreateFromSigned($cred);
     if (!defined($credential)) {
 	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
@@ -367,10 +395,10 @@ sub Register($)
 				    undef, "Who are you?");
     }
     
-    if ($type eq "Slice") {
+    if ( lc( $type ) eq "slice") {
 	my $userbindings = $argref->{'userbindings'};
 	
-	if (! ($hrn =~ /^\w*$/)) {
+	if (! ($hrn =~ /^[-\w]+$/)) {
 	    return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
 					"hrn: Single token only please");
 	}
@@ -484,11 +512,28 @@ sub Register($)
 #
 sub Remove($)
 {
+    # FIXME once migration to URNs is complete, $type should be removed
+    # (it's deduced automatically from the URN).  $uuid should die, too.
     my ($argref) = @_;
     my $uuid = $argref->{'uuid'};
     my $hrn  = $argref->{'hrn'};
     my $cred = $argref->{'credential'};
-    my $type = $argref->{'type'};
+    my $type = lc( $argref->{'type'} );
+
+    if( defined( $hrn ) && GeniHRN::IsValid( $hrn ) ) {
+	# this is pretty ugly, but since this section will have to be
+	# cleaned up eventually to remove support for deprecated HRNs,
+	# it will do for now.
+	my ($auth,$t,$id) = GeniHRN::Parse( $hrn );
+
+	return GeniResponse->Create( GENIRESPONSE_ERROR, undef,
+				     "Authority mismatch" )
+	    if( $auth ne $OURDOMAIN );
+
+	$type = lc( $t );
+	
+	$hrn = $id;
+    }
 
     if (! (defined($uuid) || defined($hrn))) {
 	return GeniResponse->MalformedArgsResponse();
@@ -499,7 +544,7 @@ sub Remove($)
     if (defined($hrn) && !($hrn =~ /^[-\w\.]*$/)) {
 	return GeniResponse->MalformedArgsResponse();
     }
-    if (! (defined($type) && ($type =~ /^(SA|MA|Component|Slice|User)$/))) {
+    if (! (defined($type) && ($type =~ /^(sa|ma|component|slice|user)$/))) {
 	return GeniResponse->MalformedArgsResponse();
     }
     if (! defined($cred)) {
@@ -548,7 +593,7 @@ sub Remove($)
 				    undef, "Who are you?");
     }
     
-    if ($type eq "Slice") {
+    if ($type eq "slice") {
 	my $slice;
 	
 	if (defined($uuid)) {

protogeni/lib/GeniSlice.pm.in

@@ -53,7 +53,7 @@ sub mysystem($)
 }
 
 #
-# Lookup by idx or uuid.
+# Lookup by idx, URN or uuid.
 #
 sub Lookup($$)
 {

protogeni/security/verifygenicred.in

@@ -15,7 +15,7 @@ use Data::Dumper;
 # 
 sub usage()
 {
-    print("Usage: verifygenicap [-d] [-o file] <capfile>\n");
+    print("Usage: verifygenicred [-d] [-o file] <credfile>\n");
     exit(-1);
 }
 my $optlist = "do:";
@@ -250,6 +250,16 @@ foreach my $credential ( keys( %credentials ) ) {
 		    unless $allowed{ $name } or $allowed{ "*" };
 	    }		
 	}
+
+	my $expiry = lookup( $node, "expiry" )->textContent;
+	my $parent_expiry = lookup( $parent, "expiry" )->textContent;
+	my $dateregexp = '^\d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\d$';
+
+	fatal( "invalid delegation (malformed expiry)" )
+	    if $expiry !~ $dateregexp or $parent_expiry !~ $dateregexp;
+
+	fatal( "invalid delegation (expiry violation)" )
+	    if $expiry > $parent_expiry;
     }
 }
 

protogeni/test/delegate.py

@@ -155,10 +155,6 @@ c.appendChild( Lookup( old, "target_gid" ).cloneNode( True ) )
 
 c.appendChild( SimpleNode( doc, "uuid", str( uuid.uuid4() ) ) )
 
-t = datetime.datetime.utcnow() + datetime.timedelta( hours = 6 )
-t = t.replace( microsecond = 0 )
-c.appendChild( SimpleNode( doc, "expires", t.isoformat() ) )
-
 for n in old.childNodes:
     if n.nodeName in ( "privileges", "capabilities" ):
         if len( args ) > 2:
@@ -193,7 +189,7 @@ for n in old.childNodes:
                     # a privilege which cannot be delegated: delete it
                     # from the clone
                     clone.removeChild( child )
-    elif n.nodeName in ( "ticket", "extensions" ):
+    elif n.nodeName in ( "ticket", "extensions", "expires" ):
         c.appendChild( n.cloneNode( True ) )
 
 doc.documentElement.replaceChild( c, old )

protogeni/test/test-common.py

@@ -208,7 +208,6 @@ def get_self_credential():
         f.close()
         return c
     params = {}
-    params["uuid"] = "0b2eb97e-ed30-11db-96cb-001143e453fe"
     rval,response = do_method("sa", "GetCredential", params)
     if rval:
         Fatal("Could not get my credential")
@@ -237,7 +236,10 @@ def get_slice_credential( slice, selfcredential ):
     params = {}
     params["credential"] = selfcredential
     params["type"]       = "Slice"
-    params["uuid"]       = slice["uuid"]
+    if "urn" in slice:
+        params["urn"]       = slice["urn"]
+    else:
+        params["uuid"]       = slice["uuid"]
     rval,response = do_method("sa", "GetCredential", params)
     if rval:
         Fatal("Could not get Slice credential")