Added support for the following extensions.

1) Exception for allow_externalusers policy 2) Exception for Max_sliver_lifetime policy 3) Bug Fix in GeniXML.

Added support for the following extensions.
1) Exception for allow_externalusers policy 2) Exception for Max_sliver_lifetime policy 3) Bug Fix in GeniXML.
f5ccb4e3 · Srikanth Chikkulapelly · 3b4a1b38 · f5ccb4e3 · f5ccb4e3 · f5ccb4e3
Commit f5ccb4e3 authored Apr 06, 2010 by Srikanth Chikkulapelly
Showing with 128 additions and 24 deletions

protogeni/lib/GeniCM.pm.in protogeni/lib/GeniCM.pm.in +81 -19

protogeni/lib/GeniCMV2.pm.in protogeni/lib/GeniCMV2.pm.in +46 -4

protogeni/lib/GeniXML.pm.in protogeni/lib/GeniXML.pm.in +1 -1

No files found.
--- a/protogeni/lib/GeniCM.pm.in
+++ b/protogeni/lib/GeniCM.pm.in
@@ -214,12 +214,12 @@ sub DiscoverResources($)
 	return GeniResponse->Create(GENIRESPONSE_FORBIDDEN, undef,
 				    "Invalid credentials for operation");
    }
-    return DiscoverResourcesAux($available, $compress);
+    return DiscoverResourcesAux($available, $compress, [$credential]);
 }
 # Helper function for V2.
-sub DiscoverResourcesAux($$)
+sub DiscoverResourcesAux($$$)
 {
-    my ($available, $compress) = @_;
+    my ($available, $compress, $credentials) = @_;
    my $user_uuid  = $ENV{'GENIUSER'};

    # Oh, for $*%(s sake.  Frontier::RPC2 insists on representing a
@@ -240,7 +240,20 @@ sub DiscoverResourcesAux($$)
 	# Cannot get the value, say no.
 	$allow_externalusers = 0;
    }
-    if (!$allow_externalusers) {
+
+    # Figure out if user has a credentials that exempts him
+    # from the following policy. If external users are blocked access
+    # and he presents a credential that exempts him from it, 
+    # then he should get access.
+    my $isExempted = 0;
+    foreach my $credential (@$credentials) {
+      if (1 == GeniXML::PolicyExists('allow_externalusers', $credential)) {
+        $isExempted = 1;
+        last;
+      }
+    }
+
+    if (!$allow_externalusers && !$isExempted) {
 	my $user = GeniUser->Lookup($user_uuid, 1);
 	# No record means the user is remote.
 	if (!defined($user) || !$user->IsLocal()) {
@@ -397,12 +410,12 @@ sub GetTicketAux($$$$$$$)
 	return GeniResponse->Create(GENIRESPONSE_ERROR);
    }
    return GetTicketAuxAux($slice, $user, $rspecstr,
-			   $isupdate, $impotent, $v2, $level, $ticket);
+			   $isupdate, $impotent, $v2, $level, $ticket, [$credential]);
 }
-sub GetTicketAuxAux($$$$$$$$)
+sub GetTicketAuxAux($$$$$$$$$)
 {
-    my ($slice, $user,
-	$rspecstr, $isupdate, $impotent, $v2, $level, $ticket) = @_;
+    my ($slice, $user, $rspecstr, 
+        $isupdate, $impotent, $v2, $level, $ticket, $credentials) = @_;
    my $response    = undef;
    my $restorevirt = 0;	# Flag to restore virtual state
    my $restorephys = 0;	# Flag to restore physical state
@@ -445,11 +458,24 @@ sub GetTicketAuxAux($$$$$$$$)
    #
    my $allow_externalusers = 0;
    if (!TBGetSiteVar('protogeni/allow_externalusers', \$allow_externalusers)){
-	# Cannot get the value, say no.
-	$allow_externalusers = 0;
+	    # Cannot get the value, say no.
+	    $allow_externalusers = 0;
+    }
+
+    # Figure out if user has a credentials that exempts him
+    # from the following policy. If external users are blocked access
+    # and he presents a credential that exempts him from it, 
+    # then he should get access.
+    my $isExempted = 0;
+    foreach my $credential (@$credentials) {
+      if (1 == GeniXML::PolicyExists('allow_externalusers', $credential)) {
+        $isExempted = 1;
+        last;
+      }
    }
-    if (!$allow_externalusers && !$user->IsLocal()) {
-	return GeniResponse->Create(GENIRESPONSE_UNAVAILABLE, undef,
+
+    if (!$allow_externalusers && !$isExempted && !$user->IsLocal()) {
+	    return GeniResponse->Create(GENIRESPONSE_UNAVAILABLE, undef,
 				    "External users temporarily denied");
    }
    
@@ -475,9 +501,26 @@ sub GetTicketAuxAux($$$$$$$$)
 	
 	#
 	# Do we need a policy limit?
-	#
+  # A sitevar controls the sliver lifetime.
+  #
+  my $max_sliver_lifetime = 0;
+  if (!TBGetSiteVar('protogeni/max_sliver_lifetime', \$max_sliver_lifetime)){
+	  # Cannot get the value, default it to 90 days.
+	  $max_sliver_lifetime = 90;
+  }
+
+  # Check if the user has a credential that lets him obtain slivers
+  # with extended sliver lifetime. If so allow him to get sliver.
+  foreach my $credential (@$credentials) {
+    my $nodes = GeniXML::FindNodesNS("//n:max_sliver_lifetime",
+        GeniXML::Parse($credential->{'extensions'}), $GeniUtil::EXTENSIONS_NS);
+    if (0 < $nodes->size) {
+      $max_sliver_lifetime = int($nodes->pop()->string_value);
+      last;
+    }
+  }
 	my $diff = $when - time();
-	if ($diff < (60 * 5) || $diff > (3600 * 24 * 90)) {
+	if ($diff < (60 * 5) || $diff > (3600 * 24 * $max_sliver_lifetime)) {
 	    return GeniResponse->Create(GENIRESPONSE_BADARGS, undef,
 					"valid_until out of range");
 	}
@@ -2426,17 +2469,18 @@ sub RenewSlice($)
 	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
 				    "This is not your credential!");
    }
-    return RenewSliverAux($credential, $expires);
+    return RenewSliverAux([$credential], $expires);
 }

 sub RenewSliverAux($$)
 {
-    my ($credential, $expires) = @_;
+    my ($credentials, $expires) = @_;
+    my $credential = $credentials->[0];
    my $slice_uuid  = $credential->target_uuid();
    my $user_uuid   = $credential->owner_uuid(); 
    my $message     = "Error renewing aggregate";
    my $when;
-   
+    
    $credential->HasPrivilege( "pi" ) or
 	$credential->HasPrivilege( "control" ) or
 	return GeniResponse->Create( GENIRESPONSE_FORBIDDEN, undef,
@@ -2484,10 +2528,28 @@ sub RenewSliverAux($$)
 	}
 	#
 	# Do we need a policy limit?
-	#
+  # A sitevar controls the sliver lifetime.
+  #
+  my $max_sliver_lifetime = 0;
+  if (!TBGetSiteVar('protogeni/max_sliver_lifetime', \$max_sliver_lifetime)){
+	  # Cannot get the value, default it to 90 days.
+	  $max_sliver_lifetime = 90;
+  }
+
+  # Check if the user has a credential that lets him obtain slivers
+  # with extended sliver lifetime. If so allow him to get sliver.
+  foreach my $credential (@$credentials) {
+    my $nodes = GeniXML::FindNodesNS("//n:max_sliver_lifetime",
+        GeniXML::Parse($credential->{'extensions'}), $GeniUtil::EXTENSIONS_NS);
+    if (0 < $nodes->size) {
+      $max_sliver_lifetime = int($nodes->pop()->string_value);
+      last;
+    }
+  }
+
 	my $diff = $when - time();

-	if ($diff < (60 * 5) || $diff > (3600 * 24 * 90)) {
+	if ($diff < (60 * 5) || $diff > (3600 * 24 * $max_sliver_lifetime)) {
 	    $message = "expiration out of range";
 	    goto bad;
 	}

--- a/protogeni/lib/GeniCMV2.pm.in
+++ b/protogeni/lib/GeniCMV2.pm.in
@@ -250,7 +250,14 @@ sub DiscoverResources($)
    return $credential
 	if (GeniResponse::IsResponse($credential));

-    return GeniCM::DiscoverResourcesAux($available, $compress);
+    my $credential_objects = [];
+    foreach my $credstr (@$credentials) {
+      my $cred = CheckCredential($credstr);
+      push(@$credential_objects, $cred) 
+        if(!GeniResponse::IsResponse($cred));
+    }
+    return GeniCM::DiscoverResourcesAux($available, $compress,
+        $credential_objects);
 }

 #
@@ -905,7 +912,13 @@ sub RenewSlice($)
 	return GeniResponse->Create(GENIRESPONSE_FORBIDDEN(), undef,
 				    "Credential does not match the URN");
    }
-    return GeniCM::RenewSliverAux($credential, $valid_until);
+    my $credential_objects = [];
+    foreach my $credstr (@$credentials) {
+      my $cred = CheckCredential($credstr);
+      push(@$credential_objects, $cred) 
+        if(!GeniResponse::IsResponse($cred));
+    }
+    return GeniCM::RenewSliverAux($credential_objects, $valid_until);
 }

 #
@@ -1057,8 +1070,14 @@ sub UpdateTicket($)
    if (!defined($user)) {
 	return GeniResponse->Create(GENIRESPONSE_ERROR);
    }
+    my $credential_objects = [];
+    foreach my $credstr (@$credentials) {
+      my $cred = CheckCredential($credstr);
+      push(@$credential_objects, $cred) 
+        if(!GeniResponse::IsResponse($cred));
+    }
    return GeniCM::GetTicketAuxAux($slice, $user,
-				   $rspecstr, 1, $impotent, 1, 1, $ticket);
+				   $rspecstr, 1, $impotent, 1, 1, $ticket, $credential_objects);
 }

 #
@@ -1125,8 +1144,14 @@ sub UpdateSliver($)
    if (!defined($user)) {
 	return GeniResponse->Create(GENIRESPONSE_ERROR);
    }
+    my $credential_objects = [];
+    foreach my $credstr (@$credentials) {
+      my $cred = CheckCredential($credstr);
+      push(@$credential_objects, $cred) 
+        if(!GeniResponse::IsResponse($cred));
+    }
    return GeniCM::GetTicketAuxAux($slice, $user,
-				   $rspecstr, 1, $impotent, 1, 1, undef);
+				   $rspecstr, 1, $impotent, 1, 1, undef, $credential_objects);
 }

 #
@@ -1352,6 +1377,23 @@ sub CheckCredentials($)
    return $credential;
 }

+sub CheckCredential($)
+{
+    my $credential = GeniCredential->CreateFromSigned($_[0]);
+    if (!defined($credential)) {
+	return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
+				    "Could not create credential object");
+    }
+    #
+    # Make sure the credential was issued to the caller.
+    #
+    if ($credential->owner_uuid() ne $ENV{'GENIUUID'}) {
+	return GeniResponse->Create(GENIRESPONSE_FORBIDDEN, undef,
+				    "This is not your credential");
+    }
+    return $credential;
+}
+
 #
 # Convert a URN to the local object.
 #

--- a/protogeni/lib/GeniXML.pm.in
+++ b/protogeni/lib/GeniXML.pm.in
@@ -327,7 +327,7 @@ sub PolicyExists($$)

  return 0
    if (!ref($credential) or !defined($policy));
-  my $extensions_elem = GeniXML::Parse($credential->{'extensions'});
+  my $extensions_elem = GeniXML::Parse($credential->extensions());
  return 0
    if (!defined($extensions_elem));
  my $policies = GeniXML::FindNodesNS("//n:policy_exceptions/*",