Commit a8d6de15 authored by Gary Wong's avatar Gary Wong

Another checkpoint for URN support. The SA should now handle requests in URN form.
parent 01fb8ce4
......@@ -46,8 +46,11 @@ my $SLICESHUTDOWN = "$TB/sbin/protogeni/shutdownslice";
#
sub GetCredential($)
{
# FIXME once migration to URNs is complete, $uuid should be removed,
# and $type automatically deduced from the URN.
my ($argref) = @_;
my $uuid = $argref->{'uuid'};
my $urn = $argref->{'urn'};
my $cred = $argref->{'credential'};
my $type = $argref->{'type'};
......@@ -71,6 +74,9 @@ sub GetCredential($)
#
# This credential is for access to this SA.
#
# FIXME We need to update this to use authority and user URNs,
# not UUIDs. But that will require more thought to avoid
# breaking stuff.
my $authority = GeniAuthority->Lookup($ENV{'MYUUID'});
if (!defined($authority)) {
print STDERR "Could not find local authority object\n";
......@@ -88,9 +94,14 @@ sub GetCredential($)
return GeniResponse->Create(GENIRESPONSE_SUCCESS,
$credential->asString());
}
if (! (defined($uuid) && ($uuid =~ /^[-\w]*$/))) {
return GeniResponse->MalformedArgsResponse();
}
# Currently accept either a UUID or a URN, but not both. Once we
# have migrated the federation to URNs, UUID support will be removed.
return GeniResponse->MalformedArgsResponse()
if( defined( $uuid ) == defined( $urn ) );
return GeniResponse->MalformedArgsResponse()
if( defined( $uuid ) && $uuid !~ /^[-\w]*$/ );
return GeniResponse->MalformedArgsResponse()
if( defined( $urn ) && !GeniHRN::IsValid( $urn ) );
my $credential = GeniCredential->CreateFromSigned($cred);
if (!defined($credential)) {
......@@ -131,10 +142,10 @@ sub GetCredential($)
#
# User provided a credential, and wants a new credential to access
# the object referenced by the uuid.
# the object referenced by the URN.
#
if ($type eq "Slice") {
my $slice = GeniSlice->Lookup($uuid);
my $slice = GeniSlice->Lookup( defined( $urn ) ? $urn : $uuid );
return GeniResponse->Create(GENIRESPONSE_SEARCHFAILED, undef,
"No such Slice")
if (!defined($slice));
......@@ -297,6 +308,9 @@ sub Resolve($)
"uuid" => $slice->uuid(),
"creator_uuid" => $slice->creator_uuid(),
"gid" => $slice->cert(),
"urn" => GeniHRN::Generate( $OURDOMAIN,
"slice",
$slice->slicename() )
};
return GeniResponse->Create(GENIRESPONSE_SUCCESS, $blob);
}
......@@ -312,6 +326,8 @@ sub Resolve($)
#
sub Register($)
{
# FIXME once migration to URNs is complete, $type should be removed
# (it's deduced automatically from the URN).
my ($argref) = @_;
my $cred = $argref->{'credential'};
my $type = $argref->{'type'};
......@@ -321,10 +337,22 @@ sub Register($)
return GeniResponse->MalformedArgsResponse();
}
if (! ($hrn =~ /^[-\w\.]*$/)) {
return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
"hrn: Invalid characters");
return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
"Invalid URN")
if( !GeniHRN::IsValid( $hrn ) && $hrn !~ /^[-\w\.]*$/);
if( GeniHRN::IsValid( $hrn ) ) {
my ($auth,$t,$id) = GeniHRN::Parse( $hrn );
return GeniResponse->Create( GENIRESPONSE_ERROR, undef,
"Authority mismatch" )
if( $auth ne $OURDOMAIN );
$type = $t;
$hrn = $id;
}
my $credential = GeniCredential->CreateFromSigned($cred);
if (!defined($credential)) {
return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
......@@ -367,10 +395,10 @@ sub Register($)
undef, "Who are you?");
}
if ($type eq "Slice") {
if ( lc( $type ) eq "slice") {
my $userbindings = $argref->{'userbindings'};
if (! ($hrn =~ /^\w*$/)) {
if (! ($hrn =~ /^[-\w]+$/)) {
return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
"hrn: Single token only please");
}
......@@ -484,11 +512,28 @@ sub Register($)
#
sub Remove($)
{
# FIXME once migration to URNs is complete, $type should be removed
# (it's deduced automatically from the URN). $uuid should die, too.
my ($argref) = @_;
my $uuid = $argref->{'uuid'};
my $hrn = $argref->{'hrn'};
my $cred = $argref->{'credential'};
my $type = $argref->{'type'};
my $type = lc( $argref->{'type'} );
if( defined( $hrn ) && GeniHRN::IsValid( $hrn ) ) {
# this is pretty ugly, but since this section will have to be
# cleaned up eventually to remove support for deprecated HRNs,
# it will do for now.
my ($auth,$t,$id) = GeniHRN::Parse( $hrn );
return GeniResponse->Create( GENIRESPONSE_ERROR, undef,
"Authority mismatch" )
if( $auth ne $OURDOMAIN );
$type = lc( $t );
$hrn = $id;
}
if (! (defined($uuid) || defined($hrn))) {
return GeniResponse->MalformedArgsResponse();
......@@ -499,7 +544,7 @@ sub Remove($)
if (defined($hrn) && !($hrn =~ /^[-\w\.]*$/)) {
return GeniResponse->MalformedArgsResponse();
}
if (! (defined($type) && ($type =~ /^(SA|MA|Component|Slice|User)$/))) {
if (! (defined($type) && ($type =~ /^(sa|ma|component|slice|user)$/))) {
return GeniResponse->MalformedArgsResponse();
}
if (! defined($cred)) {
......@@ -548,7 +593,7 @@ sub Remove($)
undef, "Who are you?");
}
if ($type eq "Slice") {
if ($type eq "slice") {
my $slice;
if (defined($uuid)) {
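Review bot: In the Register hunk, an identifier that arrives as a valid URN skips the `[-\w\.]` character check: the test at the top of the hunk treats `GeniHRN::IsValid` as sufficient, and after `$hrn = $id;` the extracted id is never re-checked, so for non-slice types it reaches the rest of Register with only whatever constraints IsValid itself enforces (I cannot see that function here). Remove handles this correctly by reassigning `$hrn` first and re-running the character regex on it afterwards, and Register should do the same right after the reassignment: `return GeniResponse->Create( GENIRESPONSE_ERROR, undef, "hrn: Invalid characters" ) if( $hrn !~ /^[-\w\.]*$/ );`. Note also that `$type = $t;` silently overrides any client-supplied `type` rather than rejecting a mismatch, which may be intended during the migration but deserves a comment. Register's body continues past the end of the hunk.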
......@@ -53,7 +53,7 @@ sub mysystem($)
}
#
# Lookup by idx or uuid.
# Lookup by idx, URN or uuid.
#
sub Lookup($$)
{
......@@ -15,7 +15,7 @@ use Data::Dumper;
#
sub usage()
{
print("Usage: verifygenicap [-d] [-o file] <capfile>\n");
print("Usage: verifygenicred [-d] [-o file] <credfile>\n");
exit(-1);
}
my $optlist = "do:";
......@@ -250,6 +250,16 @@ foreach my $credential ( keys( %credentials ) ) {
unless $allowed{ $name } or $allowed{ "*" };
}
}
my $expiry = lookup( $node, "expiry" )->textContent;
my $parent_expiry = lookup( $parent, "expiry" )->textContent;
my $dateregexp = '^\d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\d$';
fatal( "invalid delegation (malformed expiry)" )
if $expiry !~ $dateregexp or $parent_expiry !~ $dateregexp;
fatal( "invalid delegation (expiry violation)" )
if $expiry > $parent_expiry;
}
}
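Review bot: The expiry comparison uses the numeric `>` on two timestamp strings, so Perl converts each "YYYY-MM-DDTHH:MM:SS" value to its leading numeric prefix (the year) and the check only catches a child credential that expires in a later year than its parent; under `use warnings` it will also emit "isn't numeric" warnings. Because the regexp just above pins both values to the fixed-width, zero-padded ISO-8601 form, lexical order is chronological order, so the fix is the string comparison: `if $expiry gt $parent_expiry;`. Separately, this code looks up an element named "expiry" while the delegation tool in this same commit copies an element named "expires" into the child credential; if `lookup` matches element names literally, one of the two spellings is wrong, which is worth confirming. The enclosing foreach begins outside the hunk.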
......@@ -155,10 +155,6 @@ c.appendChild( Lookup( old, "target_gid" ).cloneNode( True ) )
c.appendChild( SimpleNode( doc, "uuid", str( uuid.uuid4() ) ) )
t = datetime.datetime.utcnow() + datetime.timedelta( hours = 6 )
t = t.replace( microsecond = 0 )
c.appendChild( SimpleNode( doc, "expires", t.isoformat() ) )
for n in old.childNodes:
if n.nodeName in ( "privileges", "capabilities" ):
if len( args ) > 2:
......@@ -193,7 +189,7 @@ for n in old.childNodes:
# a privilege which cannot be delegated: delete it
# from the clone
clone.removeChild( child )
elif n.nodeName in ( "ticket", "extensions" ):
elif n.nodeName in ( "ticket", "extensions", "expires" ):
c.appendChild( n.cloneNode( True ) )
doc.documentElement.replaceChild( c, old )
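Review bot: With the "expires" element now cloned verbatim from the parent, a delegated credential always carries the parent's full remaining lifetime; the previous six-hour cap is gone and there is no way for the delegator to request a shorter one, which is a weaker default for a credential being handed to another party. If the script's argument handling allows it, an optional expiry argument taken as the minimum of the requested value and the parent's "expires" would restore that control without breaking the verifier's child-no-later-than-parent rule. Also, if the removed lines were the only uses of `datetime` in this file, that import is now dead and should go. The enclosing for loop starts before the hunk.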
......@@ -208,7 +208,6 @@ def get_self_credential():
f.close()
return c
params = {}
params["uuid"] = "0b2eb97e-ed30-11db-96cb-001143e453fe"
rval,response = do_method("sa", "GetCredential", params)
if rval:
Fatal("Could not get my credential")
......@@ -237,7 +236,10 @@ def get_slice_credential( slice, selfcredential ):
params = {}
params["credential"] = selfcredential
params["type"] = "Slice"
params["uuid"] = slice["uuid"]
if "urn" in slice:
params["urn"] = slice["urn"]
else:
params["uuid"] = slice["uuid"]
rval,response = do_method("sa", "GetCredential", params)
if rval:
Fatal("Could not get Slice credential")