Commit 2bfec1fa authored by Gary Wong's avatar Gary Wong

Add GENI Service Registry interface.

parent cfad00c0
......@@ -1487,6 +1487,175 @@ ScriptAlias /protogeni/xmlrpc @prefix@/protogeni/xmlrpc/protogeni-wrapper.pl
SetEnv USER "nobody"
</Directory>
</VirtualHost>
# Another virtual host, for unprotected GENI XMLRPC calls (without client auth)
Listen @GENI_PUBRPCPORT@
<VirtualHost @PROTOGENI_RPCNAME@:@GENI_PUBRPCPORT@>
# General setup for the virtual host, inherited from global configuration
DocumentRoot "@prefix@/www"
ServerName @PROTOGENI_RPCNAME@
ServerAdmin @TBOPSEMAIL_NOSLASH@
LogLevel warn
ErrorLog @prefix@/log/apache_ssl_error_log
TransferLog @prefix@/log/apache_ssl_access_log
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
# SSL Protocol support:
# List the enable protocol levels with which clients will be able to
# connect. Disable SSLv2 access by default:
SSLProtocol all -SSLv2
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A new
# certificate can be generated using the genkey(1) command.
SSLCertificateFile @prefix@/etc/genirpc.pem
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile @prefix@/etc/genirpc.pem
# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convinience.
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
# Client Authentication (Type):
# Client certificate verification type and depth. Types are
# none, optional, require and optional_no_ca. Depth is a
# number which specifies how deeply to verify the certificate
# issuer chain before deciding the certificate is not valid.
SSLVerifyClient none
# Access Control:
# With SSLRequire you can do per-directory access control based
# on arbitrary complex boolean expressions containing server
# variable checks and other lookup directives. The syntax is a
# mixture between C and Perl. See the mod_ssl documentation
# for more details.
#<Location />
#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#</Location>
# SSL Engine Options:
# Set various options for the SSL engine.
# o FakeBasicAuth:
# Translate the client X.509 into a Basic Authorisation. This means that
# the standard Auth/DBMAuth methods can be used for access control. The
# user name is the `one line' version of the client's X.509 certificate.
# Note that no password is obtained from the user. Every entry in the user
# file needs this password: `xxj31ZMTZzkVA'.
# o ExportCertData:
# This exports two additional environment variables: SSL_CLIENT_CERT and
# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
# server (always existing) and the client (only existing when client
# authentication is used). This can be used to import the certificates
# into CGI scripts.
# o StdEnvVars:
# This exports the standard SSL/TLS related `SSL_*' environment variables.
# Per default this exportation is switched off for performance reasons,
# because the extraction step is an expensive operation and is usually
# useless for serving static content. So one usually enables the
# exportation for CGI and SSI requests only.
# o StrictRequire:
# This denies access when "SSLRequireSSL" or "SSLRequire" applied even
# under a "Satisfy any" situation, i.e. when it applies access is denied
# and no other module can change it.
# o OptRenegotiate:
# This enables optimized SSL connection renegotiation handling when SSL
# directives are used in per-directory context.
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
# SSL Protocol Adjustments:
# The safe and default but still SSL/TLS standard compliant shutdown
# approach is that mod_ssl sends the close notify alert but doesn't wait for
# the close notify alert from client. When you need a different shutdown
# approach you can use one of the following variables:
# o ssl-unclean-shutdown:
# This forces an unclean shutdown when the connection is closed, i.e. no
# SSL close notify alert is send or allowed to received. This violates
# the SSL/TLS standard but is needed for some brain-dead browsers. Use
# this when you receive I/O errors because of the standard approach where
# mod_ssl sends the close notify alert.
# o ssl-accurate-shutdown:
# This forces an accurate shutdown when the connection is closed, i.e. a
# SSL close notify alert is send and mod_ssl waits for the close notify
# alert of the client. This is 100% SSL/TLS standard compliant, but in
# practice often causes hanging connections with brain-dead browsers. Use
# this only for browsers where you know that their SSL implementation
# works correctly.
# Notice: Most problems of broken clients are also related to the HTTP
# keep-alive facility, so you usually additionally want to disable
# keep-alive for those clients, too. Use variable "nokeepalive" for this.
# Similarly, one has to force some clients to use HTTP/1.0 to workaround
# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
# "force-response-1.0" for this.
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# Per-Server Logging:
# The home of a custom SSL log file. Use this when you want a
# compact non-error SSL logfile on a virtual host basis.
CustomLog @prefix@/log/apache_ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
# A bundle of trusted protogeni sites.
SSLCACertificateFile @prefix@/etc/genica.bundle
# Another bundle of CRLs.
SSLCARevocationFile @prefix@/etc/genicrl.bundle
ScriptAlias /protogeni/pubxmlrpc @prefix@/protogeni/pubxmlrpc/pubgeni-wrapper.pl
ScriptAlias /protogeni/stoller/pubxmlrpc @prefix@/devel/stoller/protogeni/pubxmlrpc/pubgeni-wrapper.pl
ScriptAlias /protogeni/gtw/pubxmlrpc @prefix@/devel/gtw/protogeni/pubxmlrpc/pubgeni-wrapper.pl
<Directory "@prefix@/protogeni/pubxmlrpc/">
SSLRequireSSL
Order deny,allow
allow from all
SSLOptions +StdEnvVars
Options +ExecCGI +FollowSymLinks
SetHandler cgi-script
SetEnv USER "nobody"
</Directory>
</VirtualHost>
</IfDefine>
#
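Review bot: The two devel aliases (`/protogeni/stoller/pubxmlrpc` and `/protogeni/gtw/pubxmlrpc`) are mapped in this vhost without any `<Directory>` block, so the `deny from all` / `allow from` lists that the other Apache config in this commit applies to the same trees are missing here, and access falls back to whatever the server-level configuration grants. Because this vhost runs with `SSLVerifyClient none`, I would either drop the two devel `ScriptAlias` lines from this file or add the same restricted `<Directory>` blocks the other config carries. Separately, `SSLProtocol all -SSLv2` leaves SSLv3 enabled and the cipher string still admits `RC4+RSA` and `+MEDIUM:+LOW`. For a newly added listener I would write `SSLProtocol all -SSLv2 -SSLv3` and `SSLCipherSuite HIGH:!aNULL:!MD5:!RC4`, and the same applies to the identical lines in the second config.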
......
......@@ -1578,6 +1578,204 @@ ScriptAlias /protogeni/gtw/xmlrpc @prefix@/devel/gtw/protogeni/xmlrpc/protogeni-
SetEnv USER "nobody"
</Directory>
</VirtualHost>
# Another virtual host, for unprotected GENI XMLRPC calls (without client auth)
Listen @GENI_PUBRPCPORT@
<VirtualHost @PROTOGENI_RPCNAME@:@GENI_PUBRPCPORT@>
# General setup for the virtual host, inherited from global configuration
DocumentRoot "@prefix@/www"
ServerName @PROTOGENI_RPCNAME@
ServerAdmin @TBOPSEMAIL_NOSLASH@
LogLevel warn
ErrorLog @prefix@/log/apache_ssl_error_log
TransferLog @prefix@/log/apache_ssl_access_log
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
# SSL Protocol support:
# List the enable protocol levels with which clients will be able to
# connect. Disable SSLv2 access by default:
SSLProtocol all -SSLv2
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A new
# certificate can be generated using the genkey(1) command.
SSLCertificateFile @prefix@/etc/genirpc.pem
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile @prefix@/etc/genirpc.pem
# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convinience.
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
# Client Authentication (Type):
# Client certificate verification type and depth. Types are
# none, optional, require and optional_no_ca. Depth is a
# number which specifies how deeply to verify the certificate
# issuer chain before deciding the certificate is not valid.
SSLVerifyClient none
# Access Control:
# With SSLRequire you can do per-directory access control based
# on arbitrary complex boolean expressions containing server
# variable checks and other lookup directives. The syntax is a
# mixture between C and Perl. See the mod_ssl documentation
# for more details.
#<Location />
#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#</Location>
# SSL Engine Options:
# Set various options for the SSL engine.
# o FakeBasicAuth:
# Translate the client X.509 into a Basic Authorisation. This means that
# the standard Auth/DBMAuth methods can be used for access control. The
# user name is the `one line' version of the client's X.509 certificate.
# Note that no password is obtained from the user. Every entry in the user
# file needs this password: `xxj31ZMTZzkVA'.
# o ExportCertData:
# This exports two additional environment variables: SSL_CLIENT_CERT and
# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
# server (always existing) and the client (only existing when client
# authentication is used). This can be used to import the certificates
# into CGI scripts.
# o StdEnvVars:
# This exports the standard SSL/TLS related `SSL_*' environment variables.
# Per default this exportation is switched off for performance reasons,
# because the extraction step is an expensive operation and is usually
# useless for serving static content. So one usually enables the
# exportation for CGI and SSI requests only.
# o StrictRequire:
# This denies access when "SSLRequireSSL" or "SSLRequire" applied even
# under a "Satisfy any" situation, i.e. when it applies access is denied
# and no other module can change it.
# o OptRenegotiate:
# This enables optimized SSL connection renegotiation handling when SSL
# directives are used in per-directory context.
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
# SSL Protocol Adjustments:
# The safe and default but still SSL/TLS standard compliant shutdown
# approach is that mod_ssl sends the close notify alert but doesn't wait for
# the close notify alert from client. When you need a different shutdown
# approach you can use one of the following variables:
# o ssl-unclean-shutdown:
# This forces an unclean shutdown when the connection is closed, i.e. no
# SSL close notify alert is send or allowed to received. This violates
# the SSL/TLS standard but is needed for some brain-dead browsers. Use
# this when you receive I/O errors because of the standard approach where
# mod_ssl sends the close notify alert.
# o ssl-accurate-shutdown:
# This forces an accurate shutdown when the connection is closed, i.e. a
# SSL close notify alert is send and mod_ssl waits for the close notify
# alert of the client. This is 100% SSL/TLS standard compliant, but in
# practice often causes hanging connections with brain-dead browsers. Use
# this only for browsers where you know that their SSL implementation
# works correctly.
# Notice: Most problems of broken clients are also related to the HTTP
# keep-alive facility, so you usually additionally want to disable
# keep-alive for those clients, too. Use variable "nokeepalive" for this.
# Similarly, one has to force some clients to use HTTP/1.0 to workaround
# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
# "force-response-1.0" for this.
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# Per-Server Logging:
# The home of a custom SSL log file. Use this when you want a
# compact non-error SSL logfile on a virtual host basis.
CustomLog @prefix@/log/apache_ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
# A bundle of trusted protogeni sites.
SSLCACertificateFile @prefix@/etc/genica.bundle
# Another bundle of CRLs.
SSLCARevocationFile @prefix@/etc/genicrl.bundle
ScriptAlias /protogeni/pubxmlrpc @prefix@/protogeni/pubxmlrpc/protogeni-wrapper.pl
ScriptAlias /protogeni/stoller/pubxmlrpc @prefix@/devel/stoller/protogeni/pubxmlrpc/protogeni-wrapper.pl
ScriptAlias /protogeni/gtw/pubxmlrpc @prefix@/devel/gtw/protogeni/pubxmlrpc/protogeni-wrapper.pl
<Directory "@prefix@/protogeni/pubxmlrpc/">
SSLRequireSSL
Order deny,allow
allow from all
SSLOptions +StdEnvVars
Options +ExecCGI +FollowSymLinks
SetHandler cgi-script
SetEnv USER "nobody"
</Directory>
<Directory "@prefix@/devel/stoller/protogeni/pubxmlrpc/">
SSLRequireSSL
Order deny,allow
deny from all
allow from 155.98.60.
allow from 155.98.32.
allow from 155.98.33.74
# Leigh
allow from 155.98.39.70
allow from 69.59.214.104
# Jon
allow from 166.70.15.64
SSLOptions +StdEnvVars
Options +ExecCGI +FollowSymLinks
SetHandler cgi-script
SetEnv USER "nobody"
</Directory>
<Directory "@prefix@/devel/gtw/protogeni/pubxmlrpc/">
SSLRequireSSL
Order deny,allow
deny from all
allow from 155.98.60.
allow from 155.98.32.
allow from 155.98.33.74
SSLOptions +StdEnvVars
Options +ExecCGI +FollowSymLinks
SetHandler cgi-script
SetEnv USER "nobody"
</Directory>
</VirtualHost>
</IfDefine>
#
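Review bot: The three `ScriptAlias` lines here point at `protogeni-wrapper.pl` under the `pubxmlrpc/` directories, while the first Apache config in this commit maps the same URLs to `pubgeni-wrapper.pl`. Which script `protogeni/pubxmlrpc` actually installs is not visible on this page, but only one name can match it, so one of the two configs will presumably serve an error on the public port. The two files should use the same name. Also, `SSLCACertificateFile` and `SSLCARevocationFile` appear to have no effect while `SSLVerifyClient none` is set for the vhost; if they are kept only for parity with the authenticated vhost, a comment such as `# not consulted while SSLVerifyClient is none` would stop a reader assuming client certificates are checked here.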
......
......@@ -685,6 +685,7 @@ GMAP_API_KEY
STANDALONE_CLEARINGHOUSE
PROTOGENI_GENIRACK
PROTOGENI_URL
GENI_PUBRPCPORT
PROTOGENI_RPCNAME
PROTOGENI_RPCPORT
PROTOGENI_DOMAIN
......@@ -4916,6 +4917,7 @@ done
#
......@@ -5014,6 +5016,7 @@ PROTOGENI_WEBSITE="www.emulab.net"
PROTOGENI_DOMAIN="unknown"
PROTOGENI_RPCPORT=12369
PROTOGENI_RPCNAME=""
GENI_PUBRPCPORT=12370
PROTOGENI_GENIRACK=0
STANDALONE_CLEARINGHOUSE=0
NODE_USAGE_SUPPORT=0
......@@ -6694,7 +6697,7 @@ outfiles="$outfiles Makeconf GNUmakefile \
protogeni/GNUmakefile protogeni/security/GNUmakefile \
protogeni/xmlrpc/GNUmakefile protogeni/lib/GNUmakefile \
protogeni/scripts/GNUmakefile protogeni/etc/GNUmakefile \
protogeni/test/GNUmakefile \
protogeni/test/GNUmakefile protogeni/pubxmlrpc/GNUmakefile \
protogeni/rspec-emulab/GNUmakefile \
protogeni/rspec-emulab/0.1/GNUmakefile \
protogeni/rspec-emulab/0.2/GNUmakefile \
......
......@@ -245,6 +245,7 @@ AC_SUBST(PROTOGENI_EMAIL)
AC_SUBST(PROTOGENI_DOMAIN)
AC_SUBST(PROTOGENI_RPCPORT)
AC_SUBST(PROTOGENI_RPCNAME)
AC_SUBST(GENI_PUBRPCPORT)
AC_SUBST(PROTOGENI_URL)
AC_SUBST(PROTOGENI_GENIRACK)
AC_SUBST(STANDALONE_CLEARINGHOUSE)
......@@ -372,6 +373,7 @@ PROTOGENI_WEBSITE="www.emulab.net"
PROTOGENI_DOMAIN="unknown"
PROTOGENI_RPCPORT=12369
PROTOGENI_RPCNAME=""
GENI_PUBRPCPORT=12370
PROTOGENI_GENIRACK=0
STANDALONE_CLEARINGHOUSE=0
NODE_USAGE_SUPPORT=0
......@@ -1230,7 +1232,7 @@ outfiles="$outfiles Makeconf GNUmakefile \
protogeni/GNUmakefile protogeni/security/GNUmakefile \
protogeni/xmlrpc/GNUmakefile protogeni/lib/GNUmakefile \
protogeni/scripts/GNUmakefile protogeni/etc/GNUmakefile \
protogeni/test/GNUmakefile \
protogeni/test/GNUmakefile protogeni/pubxmlrpc/GNUmakefile \
protogeni/rspec-emulab/GNUmakefile \
protogeni/rspec-emulab/0.1/GNUmakefile \
protogeni/rspec-emulab/0.2/GNUmakefile \
......
......@@ -36,7 +36,7 @@ ELABINELAB = @ELABINELAB@
include $(OBJDIR)/Makeconf
SUBDIRS = security xmlrpc lib scripts etc rspec-emulab
SUBDIRS = security xmlrpc lib scripts etc rspec-emulab pubxmlrpc
all: check-submodule all-subdirs
......@@ -50,6 +50,7 @@ install:
@$(MAKE) -C etc install
@$(MAKE) -C rspec-emulab install
@$(MAKE) -C test install
@$(MAKE) -C pubxmlrpc install
check-submodule:
@if [ ! -e "rspec-emulab" ]; then \
......
......@@ -42,7 +42,7 @@ LIB_SCRIPTS = GeniDB.pm GeniUser.pm \
GeniUtil.pm GeniRegistry.pm GeniUsage.pm GeniHRN.pm \
GeniSES.pm GeniResource.pm GeniXML.pm GeniAM.pm \
GeniEmulab.pm GeniFoam.pm GeniStitch.pm \
GeniStd.pm GeniMA.pm GeniStdSA.pm
GeniStd.pm GeniMA.pm GeniStdSA.pm GeniSR.pm
SBIN_SCRIPTS = plabnodewrapper plabslicewrapper
SCRIPTS = genischemacheck.pl
......
#!/usr/bin/perl -wT
#
# Copyright (c) 2013 University of Utah and the Flux Group.
#
# {{{GENIPUBLIC-LICENSE
#
# GENI Public License
#
# Permission is hereby granted, free of charge, to any person obtaining
# a copy of this software and/or hardware specification (the "Work") to
# deal in the Work without restriction, including without limitation the
# rights to use, copy, modify, merge, publish, distribute, sublicense,
# and/or sell copies of the Work, and to permit persons to whom the Work
# is furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be
# included in all copies or substantial portions of the Work.
#
# THE WORK IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
# OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
# HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
# WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE WORK OR THE USE OR OTHER DEALINGS
# IN THE WORK.
#
# }}}
#
package GeniSR;
#
# The server side of the GENI CH interface.
#
use strict;
use Exporter;
use vars qw(@ISA @EXPORT);
@ISA = "Exporter";
@EXPORT = qw ( );
# Must come after package declaration!
use libtestbed;
use libEmulab;
use GeniDB;
use Genixmlrpc;
use GeniResponse;
use GeniUser;
use GeniSlice;
use GeniCredential;
use GeniCertificate;
use GeniAuthority;
use GeniHRN;
use English;
use XML::Simple;
use Data::Dumper;
use Date::Parse;
use POSIX qw(strftime);
use Time::Local;
use Project;
# Configure variables
my $TB = "@prefix@";
my $TBOPS = "@TBOPSEMAIL@";
my $MAINSITE = @TBMAINSITE@;
my $OURDOMAIN = "@OURDOMAIN@";
my $PGENIDOMAIN = "@PROTOGENI_DOMAIN@";
my $PROTOGENI_URL = "@PROTOGENI_URL@";
my $API_VERSION = "1.0";
#
# Provide a structure detailing the version information as well as details
# of accepted options for Registry API calls.
#
# NB: This is an unprotected call, no client cert required.
#
# Arguments:
# None
# Return:
# get_version structure information as described above
#
sub get_version()
{
my %version = (
"VERSION" => $API_VERSION, "FIELDS" => ()
);
return GeniResponse->Create( GENIRESPONSE_SUCCESS, \%version );
}
sub GetAuthorities($$)
{
my ($type,$options) = @_;
my @authorities = ();
my @result = ();
if( GeniAuthority->ListAll( \@authorities ) ) {
return GeniResponse->Create( GENIRESPONSE_ERROR, undef,
"Could not retrieve authority list" );
}
foreach my $authority (@authorities) {
next if( $authority->type() ne $type or $authority->disabled() );
my %authdata = (
"SERVICE_URN" => $authority->urn(),
"SERVICE_URL" => $authority->url(),
"SERVICE_CERT" => $authority->cert(),
"SERVICE_NAME" => $authority->hrn(),
"SERVICE_DESCRIPTION" => $authority->GetCertificate()->DN()
);
push( @result, \%authdata );
}
return GeniResponse->Create( GENIRESPONSE_SUCCESS, \@result );
}
#
# Return information about all aggregates associated with the Federation
#
# NB: This is an unprotected call, no client cert required.
#
# Arguments:
# options: List of field names (from get_version) to be provided for each AM
# Return:
# List of dictionaries of name/value pairs for each returned AM
#
sub lookup_aggregates($)
{
my ($options) = @_;
return GetAuthorities( "cm", $options );
}
#
# Return information about all MAs associated with the Federation
#
# NB: This is an unprotected call, no client cert required.
#
# Arguments:
# options: List of field names (from get_version) to be provided for each MA
# Return:
# List of dictionaries of name/value pairs for each returned MA
#
sub lookup_member_authorities($)
{
my ($options) = @_;
return GetAuthorities( "ma", $options );
}
#
# Return information about all SAs associated with the Federation
#
# NB: This is an unprotected call, no client cert required.
#
# Arguments:
# options: List of field names (from get_version) to be provided for each SA
# Return:
# List of dictionaries of name/value pairs for each returned SA
#
sub lookup_slice_authorities($)
{
my ($options) = @_;
return GetAuthorities( "sa", $options );
}
#
# Lookup the authorities for a given URNs
# There should be at most one (potentially none) per URN
#
# NB: This is an unprotected call, no client cert required.
#
# Arguments:
# urns: URNs of entities for which the authority is requested
# Return:
# List of URLs of Authorities corresponding, in order, to given URNs
#
sub lookup_authorities_for_urns($)
{
my ($urns) = @_;
my @result = ();
my %typemap = (
"authority" => "root",
"node" => "cm", # might change to "am" at some point
"slice" => "sa",
"sliver" => "cm", # might change to "am" at some point
"user" => "sa" # will probably change to "ma" at some point
);
foreach my $urn (@{$urns}) {
GeniHRN::IsValid( $urn ) or goto bad;
my ($authority, $type, $id) = GeniHRN::Parse( $urn );
exists( $typemap{$type} ) or goto bad;
my $auth_name = GeniHRN::Generate( $authority, "authority",
$typemap{$type} );
my $auth_obj = GeniAuthority->Lookup( $auth_name );
$auth_obj or goto bad;
push( @result, $auth_obj->url() );
next;
bad:
push( @result, undef );
}
return GeniResponse->Create( GENIRESPONSE_SUCCESS, \@result );
}
#
# Return list of trust roots (certificates) associated with this CH.
# Often this is a concatenatation of the trust roots of the included
# authorities.
#
# NB: This is an unprotected call, no client cert required.
#
# Arguments:
# None
# Return:
# List of certificates representing trust roots of this CH.
#
sub get_trust_roots()
{
my @result = ();
local $/ = undef;
while( <@prefix@/etc/genicacerts/*.pem> ) {
local( *F, $/ );
open( F, $_ ) or next;
push( @result, <F> );
}
return GeniResponse->Create( GENIRESPONSE_SUCCESS, \@result );
}
# _Always_ make sure that this 1 is at the end of the file...
1;
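Review bot: `lookup_authorities_for_urns` dereferences `@{$urns}` straight from an unauthenticated XML-RPC caller, so a non-array argument dies under `use strict` instead of returning a GENI error, and the list length is unbounded with one `GeniAuthority->Lookup` per entry. I would open the sub with `return GeniResponse->Create( GENIRESPONSE_ERROR, undef, "urns must be a list" ) unless ref( $urns ) eq "ARRAY";` and cap the number of URNs accepted per call. In `get_version`, `"FIELDS" => ()` flattens to nothing, so the hash initialiser has an odd number of elements (a warning under `-w`) and `FIELDS` ends up undef; `"FIELDS" => {}` is presumably what was meant. In `get_trust_roots`, `open( F, $_ ) or next` is a two-argument open on a bareword handle that silently omits any unreadable root from the returned list; `open( my $fh, "<", $_ )` with the failure logged would be safer. `GetAuthorities` also ignores `$options`, although the header comments on the three lookup subs say it selects the fields to return.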
#
# Copyright (c) 2000-2013 University of Utah and the Flux Group.
#
# {{{GENIPUBLIC-LICENSE
#
# GENI Public License
#
# Permission is hereby granted, free of charge, to any person obtaining
# a copy of this software and/or hardware specification (the "Work") to
# deal in the Work without restriction, including without limitation the
# rights to use, copy, modify, merge, publish, distribute, sublicense,
# and/or sell copies of the Work, and to permit persons to whom the Work
# is furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be
# included in all copies or substantial portions of the Work.
#
# THE WORK IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
# OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
# HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
# WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE WORK OR THE USE OR OTHER DEALINGS
# IN THE WORK.
#
# }}}
#
SRCDIR = @srcdir@
TESTBED_SRCDIR = @top_srcdir@
OBJDIR = ../..
SUBDIR = protogeni/pubxmlrpc
include $(OBJDIR)/Makeconf
# These scripts installed setuid, with sudo.
SETUID_BIN_SCRIPTS =