Added support for the following extensions.

1) Exception for allow_externalusers policy
2) Exception for Max_sliver_lifetime policy
3) Bug Fix in GeniXML.
parent 3b4a1b38
......@@ -214,12 +214,12 @@ sub DiscoverResources($)
return GeniResponse->Create(GENIRESPONSE_FORBIDDEN, undef,
"Invalid credentials for operation");
}
return DiscoverResourcesAux($available, $compress);
return DiscoverResourcesAux($available, $compress, [$credential]);
}
# Helper function for V2.
sub DiscoverResourcesAux($$)
sub DiscoverResourcesAux($$$)
{
my ($available, $compress) = @_;
my ($available, $compress, $credentials) = @_;
my $user_uuid = $ENV{'GENIUSER'};
# Oh, for $*%(s sake. Frontier::RPC2 insists on representing a
......@@ -240,7 +240,20 @@ sub DiscoverResourcesAux($$)
# Cannot get the value, say no.
$allow_externalusers = 0;
}
if (!$allow_externalusers) {
# Figure out if user has a credentials that exempts him
# from the following policy. If external users are blocked access
# and he presents a credential that exempts him from it,
# then he should get access.
my $isExempted = 0;
foreach my $credential (@$credentials) {
if (1 == GeniXML::PolicyExists('allow_externalusers', $credential)) {
$isExempted = 1;
last;
}
}
if (!$allow_externalusers && !$isExempted) {
my $user = GeniUser->Lookup($user_uuid, 1);
# No record means the user is remote.
if (!defined($user) || !$user->IsLocal()) {
......@@ -397,12 +410,12 @@ sub GetTicketAux($$$$$$$)
return GeniResponse->Create(GENIRESPONSE_ERROR);
}
return GetTicketAuxAux($slice, $user, $rspecstr,
$isupdate, $impotent, $v2, $level, $ticket);
$isupdate, $impotent, $v2, $level, $ticket, [$credential]);
}
sub GetTicketAuxAux($$$$$$$$)
sub GetTicketAuxAux($$$$$$$$$)
{
my ($slice, $user,
$rspecstr, $isupdate, $impotent, $v2, $level, $ticket) = @_;
my ($slice, $user, $rspecstr,
$isupdate, $impotent, $v2, $level, $ticket, $credentials) = @_;
my $response = undef;
my $restorevirt = 0; # Flag to restore virtual state
my $restorephys = 0; # Flag to restore physical state
......@@ -445,11 +458,24 @@ sub GetTicketAuxAux($$$$$$$$)
#
my $allow_externalusers = 0;
if (!TBGetSiteVar('protogeni/allow_externalusers', \$allow_externalusers)){
# Cannot get the value, say no.
$allow_externalusers = 0;
# Cannot get the value, say no.
$allow_externalusers = 0;
}
# Figure out if user has a credentials that exempts him
# from the following policy. If external users are blocked access
# and he presents a credential that exempts him from it,
# then he should get access.
my $isExempted = 0;
foreach my $credential (@$credentials) {
if (1 == GeniXML::PolicyExists('allow_externalusers', $credential)) {
$isExempted = 1;
last;
}
}
if (!$allow_externalusers && !$user->IsLocal()) {
return GeniResponse->Create(GENIRESPONSE_UNAVAILABLE, undef,
if (!$allow_externalusers && !$isExempted && !$user->IsLocal()) {
return GeniResponse->Create(GENIRESPONSE_UNAVAILABLE, undef,
"External users temporarily denied");
}
......@@ -475,9 +501,26 @@ sub GetTicketAuxAux($$$$$$$$)
#
# Do we need a policy limit?
#
# A sitevar controls the sliver lifetime.
#
my $max_sliver_lifetime = 0;
if (!TBGetSiteVar('protogeni/max_sliver_lifetime', \$max_sliver_lifetime)){
# Cannot get the value, default it to 90 days.
$max_sliver_lifetime = 90;
}
# Check if the user has a credential that lets him obtain slivers
# with extended sliver lifetime. If so allow him to get sliver.
foreach my $credential (@$credentials) {
my $nodes = GeniXML::FindNodesNS("//n:max_sliver_lifetime",
GeniXML::Parse($credential->{'extensions'}), $GeniUtil::EXTENSIONS_NS);
if (0 < $nodes->size) {
$max_sliver_lifetime = int($nodes->pop()->string_value);
last;
}
}
my $diff = $when - time();
if ($diff < (60 * 5) || $diff > (3600 * 24 * 90)) {
if ($diff < (60 * 5) || $diff > (3600 * 24 * $max_sliver_lifetime)) {
return GeniResponse->Create(GENIRESPONSE_BADARGS, undef,
"valid_until out of range");
}
......@@ -2426,17 +2469,18 @@ sub RenewSlice($)
return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
"This is not your credential!");
}
return RenewSliverAux($credential, $expires);
return RenewSliverAux([$credential], $expires);
}
sub RenewSliverAux($$)
{
my ($credential, $expires) = @_;
my ($credentials, $expires) = @_;
my $credential = $credentials->[0];
my $slice_uuid = $credential->target_uuid();
my $user_uuid = $credential->owner_uuid();
my $message = "Error renewing aggregate";
my $when;
$credential->HasPrivilege( "pi" ) or
$credential->HasPrivilege( "control" ) or
return GeniResponse->Create( GENIRESPONSE_FORBIDDEN, undef,
......@@ -2484,10 +2528,28 @@ sub RenewSliverAux($$)
}
#
# Do we need a policy limit?
#
# A sitevar controls the sliver lifetime.
#
my $max_sliver_lifetime = 0;
if (!TBGetSiteVar('protogeni/max_sliver_lifetime', \$max_sliver_lifetime)){
# Cannot get the value, default it to 90 days.
$max_sliver_lifetime = 90;
}
# Check if the user has a credential that lets him obtain slivers
# with extended sliver lifetime. If so allow him to get sliver.
foreach my $credential (@$credentials) {
my $nodes = GeniXML::FindNodesNS("//n:max_sliver_lifetime",
GeniXML::Parse($credential->{'extensions'}), $GeniUtil::EXTENSIONS_NS);
if (0 < $nodes->size) {
$max_sliver_lifetime = int($nodes->pop()->string_value);
last;
}
}
my $diff = $when - time();
if ($diff < (60 * 5) || $diff > (3600 * 24 * 90)) {
if ($diff < (60 * 5) || $diff > (3600 * 24 * $max_sliver_lifetime)) {
$message = "expiration out of range";
goto bad;
}
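Review bot: The lifetime read from the credential in the GetTicketAuxAux hunk (`$max_sliver_lifetime = int($nodes->pop()->string_value);`) is used without validation: a non-numeric or "0" value becomes 0, after which every request fails the `$diff > (3600 * 24 * $max_sliver_lifetime)` check, while a negative or huge value is accepted as-is and silently replaces the sitevar bound. The same loop reaches the extensions through the hash slot `$credential->{'extensions'}`, which this commit's own GeniXML hunk replaces with `$credential->extensions()` in PolicyExists, and it hands the result of `GeniXML::Parse` to FindNodesNS without the `defined` check PolicyExists does, so I would expect both to apply here too. The block is duplicated verbatim in the RenewSliverAux hunk; one helper such as `MaxSliverLifetime($credentials)` called from both places would keep the validation in a single spot. In RenewSliverAux, `my $credential = $credentials->[0];` changes the first argument from an object to an array ref while the `($$)` prototype stays the same, so any caller not updated by this commit would now die on the dereference rather than get a clear error; a `croak` when `$credentials` is not an array ref would make that explicit. GetTicketAuxAux and RenewSliverAux both begin outside the hunks shown.
```perl
foreach my $credential (@$credentials) {
    my $extensions = GeniXML::Parse($credential->extensions());
    next
        if (!defined($extensions));
    my $nodes = GeniXML::FindNodesNS("//n:max_sliver_lifetime",
                                     $extensions, $GeniUtil::EXTENSIONS_NS);
    next
        if ($nodes->size == 0);
    my $days = $nodes->pop()->string_value;
    # Honor only a positive integer; 0 or garbage would reject every
    # request in the range check below, and a negative value is meaningless.
    if ($days =~ /^\s*(\d+)\s*$/ && $1 > 0) {
        $max_sliver_lifetime = $1;
        last;
    }
}
# ... unchanged: $diff computation and valid_until range check ...
```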
......@@ -250,7 +250,14 @@ sub DiscoverResources($)
return $credential
if (GeniResponse::IsResponse($credential));
return GeniCM::DiscoverResourcesAux($available, $compress);
my $credential_objects = [];
foreach my $credstr (@$credentials) {
my $cred = CheckCredential($credstr);
push(@$credential_objects, $cred)
if(!GeniResponse::IsResponse($cred));
}
return GeniCM::DiscoverResourcesAux($available, $compress,
$credential_objects);
}
#
......@@ -905,7 +912,13 @@ sub RenewSlice($)
return GeniResponse->Create(GENIRESPONSE_FORBIDDEN(), undef,
"Credential does not match the URN");
}
return GeniCM::RenewSliverAux($credential, $valid_until);
my $credential_objects = [];
foreach my $credstr (@$credentials) {
my $cred = CheckCredential($credstr);
push(@$credential_objects, $cred)
if(!GeniResponse::IsResponse($cred));
}
return GeniCM::RenewSliverAux($credential_objects, $valid_until);
}
#
......@@ -1057,8 +1070,14 @@ sub UpdateTicket($)
if (!defined($user)) {
return GeniResponse->Create(GENIRESPONSE_ERROR);
}
my $credential_objects = [];
foreach my $credstr (@$credentials) {
my $cred = CheckCredential($credstr);
push(@$credential_objects, $cred)
if(!GeniResponse::IsResponse($cred));
}
return GeniCM::GetTicketAuxAux($slice, $user,
$rspecstr, 1, $impotent, 1, 1, $ticket);
$rspecstr, 1, $impotent, 1, 1, $ticket, $credential_objects);
}
#
......@@ -1125,8 +1144,14 @@ sub UpdateSliver($)
if (!defined($user)) {
return GeniResponse->Create(GENIRESPONSE_ERROR);
}
my $credential_objects = [];
foreach my $credstr (@$credentials) {
my $cred = CheckCredential($credstr);
push(@$credential_objects, $cred)
if(!GeniResponse::IsResponse($cred));
}
return GeniCM::GetTicketAuxAux($slice, $user,
$rspecstr, 1, $impotent, 1, 1, undef);
$rspecstr, 1, $impotent, 1, 1, undef, $credential_objects);
}
#
......@@ -1352,6 +1377,23 @@ sub CheckCredentials($)
return $credential;
}
sub CheckCredential($)
{
my $credential = GeniCredential->CreateFromSigned($_[0]);
if (!defined($credential)) {
return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
"Could not create credential object");
}
#
# Make sure the credential was issued to the caller.
#
if ($credential->owner_uuid() ne $ENV{'GENIUUID'}) {
return GeniResponse->Create(GENIRESPONSE_FORBIDDEN, undef,
"This is not your credential");
}
return $credential;
}
#
# Convert a URN to the local object.
#
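Review bot: In the RenewSlice hunk, RenewSliverAux (changed in this same commit) takes element 0 of the list as the slice credential, but the list built here drops every entry that fails `CheckCredential`, so if the first string in `@$credentials` is rejected element 0 becomes a different credential or undef, and the URN check performed on `$credential` just above no longer covers the credential actually used; starting the list with the already-validated object, `my $credential_objects = [$credential];`, keeps the checked one at the front regardless of what was filtered out. The same five-line credential-list loop is copied into DiscoverResources, RenewSlice, UpdateTicket and UpdateSliver; a helper like `CheckCredentialList($credentials)` returning the array ref would remove the duplication and give one place to decide whether a malformed extra credential is ignored or reported (today it is dropped with no log line, which makes a missing exemption hard to diagnose). `CheckCredential` confirms the caller owns the credential but not what it is for, so any credential the caller owns, for any target, that carries a policy_exceptions or max_sliver_lifetime extension is honoured; if that is the intended trust model (the signer checks presumably live in `CreateFromSigned`, outside this view) a comment above the sub saying so would help, otherwise the target or credential type should be checked as well. The enclosing subs start outside the hunks.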
......@@ -327,7 +327,7 @@ sub PolicyExists($$)
return 0
if (!ref($credential) or !defined($policy));
my $extensions_elem = GeniXML::Parse($credential->{'extensions'});
my $extensions_elem = GeniXML::Parse($credential->extensions());
return 0
if (!defined($extensions_elem));
my $policies = GeniXML::FindNodesNS("//n:policy_exceptions/*",
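Review bot: Once the new line calls the accessor `$credential->extensions()`, the guard two lines above, `!ref($credential)`, no longer protects the call: an unblessed reference still passes it and now dies inside the method call instead of returning 0 as before. Checking `!Scalar::Util::blessed($credential)` (or `!$credential->can('extensions')`) matches the new access pattern. PolicyExists begins outside the hunk.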