Commit bd265b07 authored by Leigh B Stoller's avatar Leigh B Stoller

Replace old and crufty script to generate a max_sliver_lifetime

override credential. New script is less crufty, I think.

Usage: genextendcred -t <days> [-e <days>] -s <slice> [-u <user> | -c <cert>]
       genextendcred -t <days> [-e <days>] -u <user> | -c <cert>
Options:
  -s    - Slice to use. If no user, issue to slice creator.
          In the absence of a slice, the target is the CM, allowing
          the user to extend any of his slivers.
  -u    - Issue to user
  -c    - Issue to user via his public certificate
  -t    - How many days to allow extension for
  -e    - How many days before credential expires; default 5 days

 Note that the renewsliver.py and renewslice.pl test scripts now take
 one of these credentials as an extra argument.
parent d5c719b7
......@@ -46,7 +46,7 @@ PSBIN_STUFF = register_resources expire_daemon gencrl postcrl \
getchcredential genallow_extcred advt-merge.py \
reservevlans delgeniuser delegatecredential \
updatecert fixcerts initcerts cacontrol webcacontrol \
genextend_lifetime rspeclint chstats listactive \
genextendcred rspeclint chstats listactive \
maptoslice webmaptoslice setexpiration quickvm webquickvm
ifeq ($(ISCLEARINGHOUSE),1)
......
#!/usr/bin/perl -w
#
# Copyright (c) 2008-2012 University of Utah and the Flux Group.
#
# {{{GENIPUBLIC-LICENSE
#
# GENI Public License
#
# Permission is hereby granted, free of charge, to any person obtaining
# a copy of this software and/or hardware specification (the "Work") to
# deal in the Work without restriction, including without limitation the
# rights to use, copy, modify, merge, publish, distribute, sublicense,
# and/or sell copies of the Work, and to permit persons to whom the Work
# is furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be
# included in all copies or substantial portions of the Work.
#
# THE WORK IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
# OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
# HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
# WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE WORK OR THE USE OR OTHER DEALINGS
# IN THE WORK.
#
# }}}
#
use strict;
use lib '@prefix@/lib';
my $OURDOMAIN = '@OURDOMAIN@';
use GeniCredential;
use GeniCertificate;
use GeniAuthority;
use GeniHRN;
use GeniUser;
use GeniUtil;
use Getopt::Std;
#
# Create the credential - return it as a string
#
sub CreateCredential {
my ($usercert, $target_cm_urn, $howlong, $expires) = @_;
#
# Lookup the authority that this credential is supposed to be valid at
#
if (!GeniHRN::IsValid($target_cm_urn)) {
die "Invalid target URN '$target_cm_urn'\n";
}
my $authority = GeniAuthority->Lookup($target_cm_urn);
if (!defined($authority)) {
die "Could not find local authority object for $target_cm_urn\n";
}
#
# Create the basic credential object
#
my $signer = $GeniCredential::LOCALCM_FLAG;
my $credential = Create($authority,$usercert,$expires);
if (!defined($credential)) {
die "Internal error creating credential\n";
}
#
# Add this specific policy exception
#
my $policy_excep = XML::LibXML::Element->new( "max_sliver_lifetime" );
$policy_excep->setNamespace($GeniUtil::EXTENSIONS_NS, $GeniUtil::EXTENSIONS_PREFIX);
$policy_excep->appendText("$howlong");
$credential->AddExtension($policy_excep);
#
# Sign the resulting credential
#
if ($credential->Sign($signer) != 0) {
$credential->Delete();
die "Could not sign credential\n";
}
return $credential->asString();
}
#
# XXX: This code was ripped out of GeniCredential.pm and modified a bit
# What we probably should do instead is to provide an appropriate constructor
# in that file
#
sub Create($$$) {
my ($target, $usercert, $expires) = @_;
return undef
if (! (ref($target) && ref($usercert)));
my $self = {};
$self->{'target_uuid'} = $target->uuid();
$self->{'target_cert'} = $target->GetCertificate();
$self->{'owner_cert'} = $usercert;
$self->{'owner_uuid'} = $usercert->uuid();
$self->{'string'} = undef;
$self->{'capabilities'} = undef;
$self->{'extensions'} = undef;
$self->{'uuid'} = GeniUtil::NewUUID();
$self->{'idx'} = undef; # Only set when stored to DB.
$self->{'type'} = "privilege";
bless($self, "GeniCredential");
$self->SetExpiration(time() + ($expires * 60 * 60 * 24));
return $self;
}
my $num_days = 30;
my $expire_days;
sub usage {
warn "Usage: ./genextend_lifetime [-d days] [-e days] <-u user | -c cert>\n";
warn " -d days: How many days to allow slivers to live for (default $num_days)\n";
warn " -e days: How many days in the future this credential expires (defaults to same value as -d)\n";
warn " -u user: Local user to make the credential for\n";
warn " -c cert: File containing user's certificate\n";
exit(1);
}
my %opt;
if (!getopts('hd:u:c:e:',\%opt) ||
$opt{h} || !(exists($opt{u}) xor exists($opt{c}))) {
usage();
}
my $cert;
if ($opt{u}) {
#
# If the username doesn't look like a URN, assume it is a local user
#
my $target_urn;
if ($opt{u} =~ /^urn:/) {
$target_urn = $opt{u};
} else {
$target_urn = GeniHRN::Generate( $OURDOMAIN, "user", "$opt{u}" );
}
my $user = GeniUser->Lookup($target_urn,1);
if (!defined($user)) { die "Unable to lookup user $opt{u}\n"; }
$cert = $user->GetCertificate();
} else {
#
# Slurp in the file with the owner's credential
#
open(FILE, $opt{c}) or die "Unable to open $opt{c}\n";
my $owner_cert = "";
while (<FILE>) { $owner_cert .= $_; }
close FILE;
$cert = GeniCertificate->LoadFromString($owner_cert);
if (!$cert) {
die "Unable to read certificate from $opt{c}\n";
}
}
if ($opt{d}) {
$num_days = $opt{d};
}
if ($opt{e}) {
$expire_days = $opt{e};
} else {
$expire_days = $num_days;
}
#
# We can only create credentials that apply to ourself
#
my $target_cm_string = GeniHRN::Generate( $OURDOMAIN, "authority", "cm" );
my $val = CreateCredential($cert,$target_cm_string,$num_days,$expire_days);
print $val;
#!/usr/bin/perl -w
#
# Copyright (c) 2008-2014 University of Utah and the Flux Group.
#
# {{{GENIPUBLIC-LICENSE
#
# GENI Public License
#
# Permission is hereby granted, free of charge, to any person obtaining
# a copy of this software and/or hardware specification (the "Work") to
# deal in the Work without restriction, including without limitation the
# rights to use, copy, modify, merge, publish, distribute, sublicense,
# and/or sell copies of the Work, and to permit persons to whom the Work
# is furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be
# included in all copies or substantial portions of the Work.
#
# THE WORK IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
# OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
# HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
# WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE WORK OR THE USE OR OTHER DEALINGS
# IN THE WORK.
#
# }}}
#
use strict;
use English;
use Getopt::Std;
use Data::Dumper;
#
# Generate an extended renewal credential.
#
sub usage()
{
print "Usage: $0 -t <days> [-e <days>] -s <slice> ".
"[-u <user> | -c <cert>]";
print "\n";
print " $0 -t <days> [-e <days>] -u <user> | -c <cert>\n";
print "Options:\n";
print " -s - Slice to use. If no user, issue to slice creator.\n";
print " In the absence of a slice, the target is the CM,\n";
print " allowing the user to extend any of his slivers.\n";
print " -u - Issue to user\n";
print " -c - Issue to user via his public certificate\n";
print " -t - How many days to allow extension for\n";
print " -e - How many days before credential expires; default 5 days\n";
exit(1);
}
my $optlist = "t:s:u:c:e:";
my $expires = 5;
my $slice_urn;
my $user_urn;
my $user_cert;
# Configure ...
my $TB = "@prefix@";
my $CMCERT = "$TB/etc/genicm.pem";
use lib '@prefix@/lib';
use GeniDB;
use GeniCredential;
use GeniCertificate;
use GeniUtil;
use GeniAuthority;
use GeniHRN;
use GeniResponse;
use GeniUser;
use GeniSlice;
# Connect to the proper DB.
DBConnect(GENICM_DBNAME());
sub fatal($)
{
my ($msg) = @_;
die("*** $0:\n".
" $msg\n");
}
#
# Parse command arguments. Once we return from getopts, all that should be
# left are the required arguments.
#
my %options = ();
if (! getopts($optlist, \%options)) {
usage();
}
usage()
if (!defined($options{"t"}));
my $numdays = $options{"t"};
if (defined($options{"e"})) {
$expires = $options{"e"};
}
if (defined($options{"s"})) {
$slice_urn = $options{"s"};
}
if (defined($options{"u"})) {
$user_urn = $options{"u"};
}
elsif (defined($options{"c"})) {
$user_cert = $options{"c"};
}
#
# Load the CM cert to act as the signer.
#
my $certificate = GeniCertificate->LoadFromFile($CMCERT);
if (!defined($certificate)) {
fatal("Could not load certificate from $CMCERT\n");
}
my $authority = GeniAuthority->Lookup($certificate->urn());
if (!defined($authority)) {
fatal("Could not load authority object");
}
#
# Figure out the who the credential is being given to.
#
my $owner;
if (defined($user_urn)) {
my $geniuser = GeniUser->Lookup($user_urn, 1);
if (!defined($geniuser)) {
fatal("No such geni user");
}
$owner = $geniuser;
}
elsif (defined($user_cert)) {
my $certificate = GeniCertificate->LoadFromFile($user_cert);
if (!defined($certificate)) {
fatal("Could not load user certificate");
}
if ($certificate->VerifySSLChain()) {
fatal("Could not verify certificate chain");
}
$owner = $certificate;
}
elsif (defined($slice_urn)) {
my $slice = GeniSlice->Lookup($slice_urn);
if (!defined($slice)) {
fatal("No such slice");
}
my $geniuser = GeniUser->Lookup($slice->creator_urn(), 1);
if (!defined($geniuser)) {
fatal("No creator for slice");
}
$owner = $geniuser;
}
else {
fatal("Who is this credential for?");
}
#
# If a slice was specified, then issue a credential for just
# that slice. Otherwise the target is the CM, which gives the
# user the ability to extend any slice he is bound to.
#
my $target;
if (defined($slice_urn)) {
my $slice = GeniSlice->Lookup($slice_urn);
if (!defined($slice)) {
fatal("No such slice");
}
$target = $slice;
}
else {
$target = $authority;
}
my $credential = GeniCredential->Create($target, $owner);
fatal("Could not create credential")
if (!defined($credential));
#
# Credential is valid for ...
#
$credential->SetExpiration(time() + ($expires * 3600 * 24));
#
# Hmm, this is annoying.
#
my $policy_excep = XML::LibXML::Element->new("max_sliver_lifetime");
$policy_excep->setNamespace($GeniUtil::EXTENSIONS_NS,
$GeniUtil::EXTENSIONS_PREFIX);
$policy_excep->appendText($numdays);
$credential->AddExtension($policy_excep);
fatal("Could not sign credential")
if ($credential->Sign($GeniCredential::LOCALCM_FLAG));
print $credential->{'string'};
exit(0);
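Review bot: `$numdays` and `$expires` are taken straight from `-t`/`-e` (the `$options{"t"}` and `$options{"e"}` assignments) and reach `SetExpiration(time() + ($expires * 3600 * 24))` and `appendText($numdays)` with no check that they are non-negative integers, so a mistyped `-t` yields a credential whose max_sliver_lifetime text is not a number and a non-numeric `-e` one that expires at roughly the moment it is issued; add `usage() if ($numdays !~ /^\d+$/ || $expires !~ /^\d+$/);` directly after the option parsing. The slice is looked up twice, once to find its creator and again to choose the target, which duplicates both the DB round trip and the "No such slice" handling; a single `GeniSlice->Lookup` before the owner selection would serve both uses. `print $credential->{'string'}` reads the object's internal hash where the script this replaces called `$credential->asString()`; the accessor keeps this script independent of GeniCredential's field layout. When both `-u` and `-c` are passed the `elsif` silently drops `-c`, so either reject that combination in usage() or state in the usage text that `-u` takes precedence.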