Commit 2a96fc09 authored by Leigh B Stoller's avatar Leigh B Stoller

Change the target test in CheckCredential(), to not consider the subauth.

In our world, a credential target matches if it is from the same domain
(subauth not considered), has the same type and the same id.
parent d1a12ad1
#!/usr/bin/perl -wT
#
# Copyright (c) 2008-2015 University of Utah and the Flux Group.
# Copyright (c) 2008-2016 University of Utah and the Flux Group.
#
# {{{GENIPUBLIC-LICENSE
#
......@@ -1139,11 +1139,19 @@ sub CheckCredential($;$$)
#
# If an authority is provided, the target must match the authority.
#
return GeniResponse->Create(GENIRESPONSE_FORBIDDEN, undef,
if (defined($target)) {
my $target_hrn = $target->urnOBJ();
my $this_hrn = GeniHRN->new($credential->target_urn());
# The point here, is that the subauth is not relevant; we assume that
# any credential signed at either level is valid.
if (! ($target_hrn->domain() eq $this_hrn->domain() &&
$target_hrn->type() eq $this_hrn->type() &&
$target_hrn->id() eq $this_hrn->id())) {
return GeniResponse->Create(GENIRESPONSE_FORBIDDEN, undef,
"This credential is for another target!")
if (defined($target) &&
$credential->target_urn() ne $target->urn());
}
}
return $credential;
}
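Review bot: `$target_hrn` and `$this_hrn` are used in the new comparison without checking that `$target->urnOBJ()` and `GeniHRN->new($credential->target_urn())` actually returned objects. If either can come back undefined for a malformed URN (not visible on this page), the call to `->domain()` dies instead of producing a clean refusal. A guard before the `if`, such as `return GeniResponse->Create(GENIRESPONSE_FORBIDDEN, undef, "Malformed target URN in credential") if (!defined($target_hrn) || !defined($this_hrn));`, keeps that failure on the denial path. The relaxed match also means this test no longer separates sub-authorities within one domain, so a credential targeted at one subauth passes for a same-type, same-id target under another; the comment should state that directly, e.g. `# NOTE: subauths within a domain are treated as a single trust zone by this test.` The body of CheckCredential() starts outside the hunk, so any earlier validation of the credential is not visible here.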
......