Commit c027ba74 authored by Leigh B Stoller's avatar Leigh B Stoller

Allow for either the speaksfor *or* the user certificate to be expired

(previously, we only looked for an expired speaksfor). If either is expired, we
fall back to generating an SA certificate (which we can do because all
slices are in our namespace).
parent 8488ed3b
...@@ -60,7 +60,7 @@ my $USEABACCREDS = 0; ...@@ -60,7 +60,7 @@ my $USEABACCREDS = 0;
# #
sub GenCredentials($$;$$) sub GenCredentials($$;$$)
{ {
my ($target, $geniuser, $privs, $allowexpiredspeaksfor) = @_; my ($target, $geniuser, $privs, $allowexpired) = @_;
my ($speaksfor, $credential, $oldexpires); my ($speaksfor, $credential, $oldexpires);
# If the caller does not want a speaksfor, do not generate. # If the caller does not want a speaksfor, do not generate.
my $wantspeaksfor = wantarray; my $wantspeaksfor = wantarray;
...@@ -114,17 +114,35 @@ sub GenCredentials($$;$$) ...@@ -114,17 +114,35 @@ sub GenCredentials($$;$$)
goto bad; goto bad;
} }
} }
my $certificate =
GeniCertificate->LoadFromString($certificate_string);
if (!defined($certificate)) {
print STDERR "Could not load certificate from string\n";
goto bad;
}
# #
# Ick, if the speaks for credential has expired, we cannot # We need to generate an SA credential if either the speaksfor or
# operate as the user. We have no choice but to throw away # the user certificate is expired, and the caller is allowing the
# these credentials and generate a new one issued to the local # use of an SA credential instead (as for terminate, etc).
# SA instead of the user and not bother with a speaksfor.
# #
if ($speaksfor->IsExpired()) { my $gensacert = 0;
if ($certificate->IsExpired()) {
print STDERR "certificate for $geniuser has expired\n";
goto bad
if (!$allowexpired);
$gensacert = 1;
}
if ($wantspeaksfor && $speaksfor->IsExpired()) {
print STDERR "speaksfor credential for $geniuser has expired\n"; print STDERR "speaksfor credential for $geniuser has expired\n";
goto bad goto bad
if (!$allowexpiredspeaksfor); if (!$allowexpired);
$gensacert = 1;
}
if ($gensacert) {
# Be careful not to return this. # Be careful not to return this.
$speaksfor = undef; $speaksfor = undef;
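Review bot: The `if ($gensacert)` branch switches the authority the credential is issued under from the user to the local SA, but nothing records that switch beyond the two "has expired" messages above it; for auditability the branch should log the substitution itself, e.g. `print STDERR "Issuing SA credential for $geniuser instead (expired certificate or speaksfor)\n";` just before `$speaksfor = undef;`. The new `$wantspeaksfor &&` guard also changes behaviour relative to the removed line: `$speaksfor->IsExpired()` used to be tested unconditionally, so a scalar-context caller holding an expired speaksfor now takes the user-certificate path instead of `bad` or the SA fallback; if that is intended (or it guards an undef `$speaksfor` when none was loaded), a one-line comment on the guard saying so would help. Since the renamed `$allowexpired` parameter now covers both conditions, the header comment above `sub GenCredentials` should state that it permits the SA fallback for an expired user certificate as well as an expired speaksfor. GenCredentials continues outside the hunk.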
...@@ -136,12 +154,6 @@ sub GenCredentials($$;$$) ...@@ -136,12 +154,6 @@ sub GenCredentials($$;$$)
} }
goto cached; goto cached;
} }
my $certificate =
GeniCertificate->LoadFromString($certificate_string);
if (!defined($certificate)) {
print STDERR "Could not load certificate from string\n";
goto bad;
}
$credential = GeniCredential->Create($target, $certificate); $credential = GeniCredential->Create($target, $certificate);
} }
else { else {
......