Commit d4e3b3a3 authored by Leigh B Stoller's avatar Leigh B Stoller

Brutal hack to support APT guest users; sign the user certificate with

an alternate CA so that they can never authenticate to the Geni
federation if they manage to get hold of their certificate (which
they can't). Only when TBMAINSITE=1
parent d6c49245
...@@ -57,6 +57,7 @@ my $TBAPPROVAL = "@TBAPPROVALEMAIL@"; ...@@ -57,6 +57,7 @@ my $TBAPPROVAL = "@TBAPPROVALEMAIL@";
my $TBAUDIT = "@TBAUDITEMAIL@"; my $TBAUDIT = "@TBAUDITEMAIL@";
my $BOSSNODE = "@BOSSNODE@"; my $BOSSNODE = "@BOSSNODE@";
my $OURDOMAIN = "@OURDOMAIN@"; my $OURDOMAIN = "@OURDOMAIN@";
my $MAINSITE = @TBMAINSITE@;
my $SIGNCRED = "$TB/sbin/signgenicred"; my $SIGNCRED = "$TB/sbin/signgenicred";
my $VERIFYCRED = "$TB/sbin/verifygenicred"; my $VERIFYCRED = "$TB/sbin/verifygenicred";
my $NFREE = "$TB/bin/nfree"; my $NFREE = "$TB/bin/nfree";
...@@ -209,8 +210,18 @@ sub Create($$;$) ...@@ -209,8 +210,18 @@ sub Create($$;$)
my ($authority, $type, $name) = GeniHRN::Parse($urn); my ($authority, $type, $name) = GeniHRN::Parse($urn);
my $caflag = $type eq "authority" ? "" : "-n"; my $caflag = $type eq "authority" ? "" : "-n";
my $showuuidflag = $showuuid ? " -U " : ""; my $showuuidflag = $showuuid ? " -U " : "";
if (! open(CERT, "$MKCERT $caflag -i \"$urn\" $url -e \"$email\" $hrn " . # Utah Specific.
"$showuuidflag$uuid |")) { my $altcaopt = "";
if ($MAINSITE) {
if (exists($argref->{'useaptca'})) {
$altcaopt = "-d -a /usr/testbed/etc/utah-apt.ca";
}
}
my $cmd = "$MKCERT $altcaopt $caflag ".
"-i \"$urn\" $url -e \"$email\" $hrn $showuuidflag$uuid";
print STDERR "$cmd\n";
if (! open(CERT, "$cmd |")) {
print STDERR "Could not start $MKCERT\n"; print STDERR "Could not start $MKCERT\n";
return undef; return undef;
} }
......
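Review bot: `print STDERR "$cmd\n";` in the rebuilt Create command path is an unconditional debug print of the full mkcert command line (URN, email, HRN) from library code; it should be dropped or gated, e.g. `print STDERR "$cmd\n" if ($debug);` assuming the module has such a flag. The alt-CA selection also tests `exists($argref->{'useaptca'})` rather than the value, so a caller passing `useaptca => 0` still gets the APT CA; `if ($MAINSITE && $argref->{'useaptca'})` matches the stated intent, and `"$TB/etc/utah-apt.ca"` would be consistent with the other `$TB` paths in this file instead of the hard-coded `/usr/testbed/etc/utah-apt.ca`. Since the command string is being rebuilt anyway, the list-form `open(CERT, '-|', $MKCERT, @args)` would keep the interpolated `$email`/`$urn` away from the shell, though whether that is a drop-in change depends on how `$url` and `$showuuidflag` are composed outside this hunk. Create's body begins and ends outside the hunk.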
#!/usr/bin/perl -wT #!/usr/bin/perl -wT
# #
# Copyright (c) 2008-2013 University of Utah and the Flux Group. # Copyright (c) 2008-2014 University of Utah and the Flux Group.
# #
# {{{GENIPUBLIC-LICENSE # {{{GENIPUBLIC-LICENSE
# #
...@@ -866,6 +866,9 @@ sub Sign($$) ...@@ -866,6 +866,9 @@ sub Sign($$)
} }
$certificate = "-c $certfile"; $certificate = "-c $certfile";
} }
elsif (-e "$how") {
$certificate = "-c $how";
}
elsif ($how == $LOCALSA_FLAG) { elsif ($how == $LOCALSA_FLAG) {
$certificate = "-c $TB/etc/genisa.pem"; $certificate = "-c $TB/etc/genisa.pem";
} }
......
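Review bot: The new `elsif (-e "$how")` branch in Sign runs before the `$how == $LOCALSA_FLAG` comparison, so a numeric flag value is first tested as a relative filename, and if a file by that name exists in the working directory the flag is silently turned into `-c <flag>`. The branch should require an absolute path before the value is interpolated into the `-c` option: `elsif ($how =~ m{^/[-\w./]+$} && -e $how) {`. This script runs under `-T` (line 37), so if `$how` can arrive tainted the path should be taken from a capture of that match rather than used directly. Sign's body begins and ends outside the hunk.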
...@@ -76,6 +76,7 @@ my $TB = "@prefix@"; ...@@ -76,6 +76,7 @@ my $TB = "@prefix@";
my $TBOPS = "@TBOPSEMAIL@"; my $TBOPS = "@TBOPSEMAIL@";
my $TBLOGS = "@TBLOGSEMAIL@"; my $TBLOGS = "@TBLOGSEMAIL@";
my $OURDOMAIN = "@OURDOMAIN@"; my $OURDOMAIN = "@OURDOMAIN@";
my $MAINSITE = @TBMAINSITE@;
my $PGENIDOMAIN = "@PROTOGENI_DOMAIN@"; my $PGENIDOMAIN = "@PROTOGENI_DOMAIN@";
my $SACERT = "$TB/etc/genisa.pem"; my $SACERT = "$TB/etc/genisa.pem";
my $CMCERT = "$TB/etc/genicm.pem"; my $CMCERT = "$TB/etc/genicm.pem";
...@@ -223,6 +224,7 @@ my $sa_authority = GeniAuthority->Lookup($sa_certificate->urn()); ...@@ -223,6 +224,7 @@ my $sa_authority = GeniAuthority->Lookup($sa_certificate->urn());
if (!defined($sa_authority)) { if (!defined($sa_authority)) {
fatal("Could not load SA authority object"); fatal("Could not load SA authority object");
} }
my $speaker_signer = $GeniCredential::LOCALSA_FLAG;
# #
# We want to contact our local CM to create the sliver. # We want to contact our local CM to create the sliver.
...@@ -359,10 +361,21 @@ chomp($sshkey) ...@@ -359,10 +361,21 @@ chomp($sshkey)
# so that we can operate on behalf of the user (via speaksfor). # so that we can operate on behalf of the user (via speaksfor).
# #
my $geniuser = GeniUser->Lookup($user_urn, $localuser); my $geniuser = GeniUser->Lookup($user_urn, $localuser);
if (!defined($geniuser)) {
#
# In Utah, check for alternate SA
#
if ($MAINSITE) {
$user_urn = GeniHRN::Generate("aptlab.net", "user", $user_uid);
$user_hrn = "aptlab.${user_uid}";
}
$geniuser = GeniUser->Lookup($user_urn, 0);
}
if (!defined($geniuser)) { if (!defined($geniuser)) {
if ($localuser) { if ($localuser) {
fatal("Could not lookup local user $user_urn"); fatal("Could not lookup local user $user_urn");
} }
# #
# Do not allow overlap with local users. # Do not allow overlap with local users.
# #
...@@ -380,11 +393,14 @@ if (!defined($geniuser)) { ...@@ -380,11 +393,14 @@ if (!defined($geniuser)) {
if ($auth_token !~ /^[\w]+$/) { if ($auth_token !~ /^[\w]+$/) {
fatal("Bad auth token: $auth_token"); fatal("Bad auth token: $auth_token");
} }
my $blob = {"urn" => $user_urn,
my $certificate = GeniCertificate->Create({"urn" => $user_urn, "hrn" => $user_hrn,
"hrn" => $user_hrn, "email" => $user_email,
"email" => $user_email, "showuuid" => 1};
"showuuid" => 1}); if ($MAINSITE) {
$blob->{'useaptca'} = 1;
}
my $certificate = GeniCertificate->Create($blob);
fatal("Could not create certificate") fatal("Could not create certificate")
if (!defined($certificate)); if (!defined($certificate));
...@@ -404,6 +420,17 @@ if (!defined($geniuser)) { ...@@ -404,6 +420,17 @@ if (!defined($geniuser)) {
my $user_uuid = $geniuser->uuid(); my $user_uuid = $geniuser->uuid();
# So we know this user has dome something lately. # So we know this user has dome something lately.
$geniuser->BumpActivity(); $geniuser->BumpActivity();
# We get the -l flag on initial create only.
$localuser = ($geniuser->IsLocal() ? 1 : 0);
#
# Guest users use the apt CA, and so we must sign the speaksfor
# credential with the APT SA as well so that the target of the
# speaksfor credential is in the same namespace as the signer.
#
if (!$localuser && $MAINSITE) {
$speaker_signer = "/usr/testbed/etc/utah-apt.sa";
}
# Remember key. For now we accept only one key. We store it simply # Remember key. For now we accept only one key. We store it simply
# so we can display it again for the user in the web interface. # so we can display it again for the user in the web interface.
...@@ -495,7 +522,7 @@ fatal("Could not create speaksfor credential") ...@@ -495,7 +522,7 @@ fatal("Could not create speaksfor credential")
if (!defined($speaksfor_credential)); if (!defined($speaksfor_credential));
$speaksfor_credential->SetType("speaksfor"); $speaksfor_credential->SetType("speaksfor");
fatal("Could not sign speaksfor credential") fatal("Could not sign speaksfor credential")
if ($speaksfor_credential->Sign($GeniCredential::LOCALSA_FLAG)); if ($speaksfor_credential->Sign($speaker_signer));
# #
# Got this far, lets create a quickvm record. # Got this far, lets create a quickvm record.
...@@ -691,12 +718,13 @@ sub Terminate($) ...@@ -691,12 +718,13 @@ sub Terminate($)
if (!defined($slice_credential)) { if (!defined($slice_credential)) {
fatal("Could not create credential for $slice"); fatal("Could not create credential for $slice");
} }
my $speaksfor_credential = GeniCredential->Create($geniuser, $sa_authority); my $speaksfor_credential = GeniCredential->Create($geniuser,
$sa_authority);
fatal("Could not create speaksfor credential") fatal("Could not create speaksfor credential")
if (!defined($speaksfor_credential)); if (!defined($speaksfor_credential));
$speaksfor_credential->SetType("speaksfor"); $speaksfor_credential->SetType("speaksfor");
fatal("Could not sign speaksfor credential") fatal("Could not sign speaksfor credential")
if ($speaksfor_credential->Sign($GeniCredential::LOCALSA_FLAG)); if ($speaksfor_credential->Sign($speaker_signer));
# #
# Lock the slice in case it is doing something else, like taking # Lock the slice in case it is doing something else, like taking
...@@ -817,12 +845,13 @@ sub Extend($$) ...@@ -817,12 +845,13 @@ sub Extend($$)
if (!defined($slice_credential)) { if (!defined($slice_credential)) {
fatal("Could not create credential for $slice"); fatal("Could not create credential for $slice");
} }
my $speaksfor_credential = GeniCredential->Create($geniuser, $sa_authority); my $speaksfor_credential = GeniCredential->Create($geniuser,
$sa_authority);
fatal("Could not create speaksfor credential") fatal("Could not create speaksfor credential")
if (!defined($speaksfor_credential)); if (!defined($speaksfor_credential));
$speaksfor_credential->SetType("speaksfor"); $speaksfor_credential->SetType("speaksfor");
fatal("Could not sign speaksfor credential") fatal("Could not sign speaksfor credential")
if ($speaksfor_credential->Sign($GeniCredential::LOCALSA_FLAG)); if ($speaksfor_credential->Sign($speaker_signer));
my $response = my $response =
Genixmlrpc::CallMethod($cm_authority->url(), undef, Genixmlrpc::CallMethod($cm_authority->url(), undef,
...@@ -891,12 +920,13 @@ sub SnapShot($$$) ...@@ -891,12 +920,13 @@ sub SnapShot($$$)
if (!defined($slice_credential)) { if (!defined($slice_credential)) {
fatal("Could not create credential for $slice"); fatal("Could not create credential for $slice");
} }
my $speaksfor_credential = GeniCredential->Create($geniuser, $sa_authority); my $speaksfor_credential = GeniCredential->Create($geniuser,
$sa_authority);
fatal("Could not create speaksfor credential") fatal("Could not create speaksfor credential")
if (!defined($speaksfor_credential)); if (!defined($speaksfor_credential));
$speaksfor_credential->SetType("speaksfor"); $speaksfor_credential->SetType("speaksfor");
fatal("Could not sign speaksfor credential") fatal("Could not sign speaksfor credential")
if ($speaksfor_credential->Sign($GeniCredential::LOCALSA_FLAG)); if ($speaksfor_credential->Sign($speaker_signer));
# #
# We do this with slice locked. # We do this with slice locked.
......
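Review bot: The fallback lookup added after `GeniUser->Lookup($user_urn, $localuser)` overwrites `$user_urn` and `$user_hrn` with the aptlab.net values when `$MAINSITE` is set, and the rewritten URN is what the rest of the flow then sees: the `Could not lookup local user` fatal reports it, the "Do not allow overlap with local users" check (body outside the hunk) runs against it, and the new certificate is issued for it. Keeping the requested URN in a separate variable, e.g. `my $guest_urn = GeniHRN::Generate("aptlab.net", "user", $user_uid);`, and adopting it only after the guest lookup or overlap check has passed would keep the local-user check tied to what the caller asked for. When `$MAINSITE` is off the retry is the same lookup with `$localuser` forced to 0, which is presumably intended but deserves a comment. The APT SA path `/usr/testbed/etc/utah-apt.sa` is hard-coded while the sibling SA cert uses `$TB/etc/genisa.pem`; `"$TB/etc/utah-apt.sa"` would keep them consistent. `$speaker_signer` is switched to the APT SA only in the hunk after `BumpActivity()`, so if Terminate, Extend or SnapShot can be reached without passing through that block their guest speaksfor credentials would still be signed with the local SA — confirm that path.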