Commit c47cebf8 authored by Gary Wong's avatar Gary Wong

Implement fine-grained privileges. It should now be possible to

meaningfully delegate a subset of available privileges, so that the
delegate is permitted to invoke only a restricted set of operations.
parent 22a9a57d
......@@ -204,6 +204,11 @@ sub Resolve($)
undef, "This is not your registry!");
}
$credential->HasPrivilege( "authority" ) or
$credential->HasPrivilege( "resolve" ) or
return GeniResponse->Create( GENIRESPONSE_FORBIDDEN, undef,
"Insufficient privilege" );
if ($type eq "user") {
my $user = GeniUser->Lookup($lookup_token);
if (!defined($user)) {
......@@ -345,6 +350,11 @@ sub Register($)
undef, "This is not your registry!");
}
$credential->HasPrivilege( "authority" ) or
$credential->HasPrivilege( "refresh" ) or
return GeniResponse->Create( GENIRESPONSE_FORBIDDEN, undef,
"Insufficient privilege" );
#
# Grab the uuid and hrn out of the certificate.
#
......@@ -584,6 +594,11 @@ sub Remove($)
undef, "This is not your registry!");
}
$credential->HasPrivilege( "authority" ) or
$credential->HasPrivilege( "refresh" ) or
return GeniResponse->Create( GENIRESPONSE_FORBIDDEN, undef,
"Insufficient privilege" );
if ($type eq "User") {
my $user = GeniUser->Lookup($uuid);
if (!defined($user)) {
......@@ -659,6 +674,11 @@ sub Shutdown($)
undef, "This is not your registry!");
}
$credential->HasPrivilege( "authority" ) or
$credential->HasPrivilege( "operator" ) or
return GeniResponse->Create( GENIRESPONSE_FORBIDDEN, undef,
"Insufficient privilege" );
my $slice = GeniSlice->Lookup($uuid);
if (!defined($slice)) {
print STDERR "No slice record $uuid for shutdown!\n";
......@@ -707,6 +727,11 @@ sub ListComponents($)
"This is not your credential!");
}
$credential->HasPrivilege( "authority" ) or
$credential->HasPrivilege( "resolve" ) or
return GeniResponse->Create( GENIRESPONSE_FORBIDDEN, undef,
"Insufficient privilege" );
#
# Return simple list of components managers (aggregate managers?)
#
......@@ -773,6 +798,11 @@ sub PostCRL($)
undef, "This is not your registry!");
}
$credential->HasPrivilege( "authority" ) or
$credential->HasPrivilege( "refresh" ) or
return GeniResponse->Create( GENIRESPONSE_FORBIDDEN, undef,
"Insufficient privilege" );
my $caller_authority = GeniAuthority->Lookup($ENV{'GENIUUID'});
if (!defined($caller_authority)) {
print STDERR "Could not find authority object for caller.\n";
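Review bot: The Remove and PostCRL hunks are gated on the same `refresh` privilege as Register, so a delegate handed `refresh` to keep registry records current can also delete records and post CRLs; if that is not the intended scope, removal and CRL posting deserve a distinct privilege name or `authority` alone. The same four-line check is repeated in all six hunks and a denial is never logged, whereas the other failure paths in this file `print STDERR` (see the "No slice record" and "Could not find authority object" messages), so operators get no record of a delegate probing operations it was not granted. A small helper that logs the caller uuid already available in `$ENV{'GENIUUID'}` and the privilege set required, then returns the FORBIDDEN response, would keep the checks uniform and give an audit trail; sketch below. Each enclosing sub starts and ends outside its hunk, so I cannot see whether such a helper already exists in the file.
```perl
#
# Return undef if $credential carries at least one of @needed; otherwise
# log the denial (caller uuid + privileges required) and return the
# FORBIDDEN response for the RPC to hand back.
#
sub CheckPrivilege($@)
{
    my ($credential, @needed) = @_;

    foreach my $priv (@needed) {
	return undef
	    if ($credential->HasPrivilege($priv));
    }
    print STDERR "Privilege check failed for caller $ENV{'GENIUUID'}: " .
	"need one of " . join(", ", @needed) . "\n";
    return GeniResponse->Create(GENIRESPONSE_FORBIDDEN, undef,
				"Insufficient privilege");
}

# ... unchanged: Resolve() up to the "This is not your registry!" check ...
    my $denied = CheckPrivilege($credential, "authority", "resolve");
    return $denied
	if (defined($denied));
# ... unchanged: rest of Resolve(); same two lines replace the check in the other five hunks ...
```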
......
......@@ -268,6 +268,12 @@ sub GetTicket($)
"This is not your credential!");
}
$credential->HasPrivilege( "pi" ) or
$credential->HasPrivilege( "instantiate" ) or
$credential->HasPrivilege( "bind" ) or
return GeniResponse->Create( GENIRESPONSE_FORBIDDEN, undef,
"Insufficient privilege" );
#
# Create slice form the certificate.
#
......@@ -743,6 +749,12 @@ sub UpdateSliver($)
return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
"This is not your credential!");
}
$credential->HasPrivilege( "pi" ) or
$credential->HasPrivilege( "instantiate" ) or
$credential->HasPrivilege( "control" ) or
return GeniResponse->Create( GENIRESPONSE_FORBIDDEN, undef,
"Insufficient privilege" );
my $sliver = GeniSliver->Lookup($sliver_uuid);
if (defined($sliver)) {
return GeniResponse->Create(GENIRESPONSE_BADARGS, undef,
......@@ -1376,6 +1388,11 @@ sub StartSliver($)
return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
"This is not your credential!");
}
$credential->HasPrivilege( "pi" ) or
$credential->HasPrivilege( "control" ) or
return GeniResponse->Create( GENIRESPONSE_FORBIDDEN, undef,
"Insufficient privilege" );
my $sliver = GeniSliver->Lookup($sliver_uuid);
if (!defined($sliver)) {
# Might be an aggregate instead.
......@@ -1443,6 +1460,12 @@ sub DeleteSliver($)
"This is not your credential!");
}
$credential->HasPrivilege( "pi" ) or
$credential->HasPrivilege( "instantiate" ) or
$credential->HasPrivilege( "control" ) or
return GeniResponse->Create( GENIRESPONSE_FORBIDDEN, undef,
"Insufficient privilege" );
#
# For now, only allow top level aggregate to be deleted.
#
......@@ -1534,6 +1557,12 @@ sub DeleteSlice($)
"This is not your credential!");
}
$credential->HasPrivilege( "pi" ) or
$credential->HasPrivilege( "instantiate" ) or
$credential->HasPrivilege( "control" ) or
return GeniResponse->Create( GENIRESPONSE_FORBIDDEN, undef,
"Insufficient privilege" );
#
# See if we have a record of this slice in the DB. If not, then we have
# to go to the ClearingHouse to find its record, so that we can find out
......@@ -1585,6 +1614,12 @@ sub SplitSliver($)
return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
"This is not your credential!");
}
$credential->HasPrivilege( "pi" ) or
$credential->HasPrivilege( "instantiate" ) or
$credential->HasPrivilege( "control" ) or
return GeniResponse->Create( GENIRESPONSE_FORBIDDEN, undef,
"Insufficient privilege" );
my $user = GeniUser->Lookup($user_uuid);
if (!defined($user)) {
$user = CreateUserFromCertificate($credential->owner_cert());
......@@ -1657,6 +1692,11 @@ sub GetSliver($)
return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
"This is not your credential!");
}
$credential->HasPrivilege( "pi" ) or
$credential->HasPrivilege( "info" ) or
return GeniResponse->Create( GENIRESPONSE_FORBIDDEN, undef,
"Insufficient privilege" );
my $user = GeniUser->Lookup($user_uuid);
if (!defined($user)) {
$user = CreateUserFromCertificate($credential->owner_cert());
......@@ -1723,6 +1763,11 @@ sub BindToSlice($)
"This is not your credential!");
}
$credential->HasPrivilege( "pi" ) or
$credential->HasPrivilege( "bind" ) or
return GeniResponse->Create( GENIRESPONSE_FORBIDDEN, undef,
"Insufficient privilege" );
my $slice = GeniSlice->Lookup($slice_uuid);
if (!defined($slice)) {
return GeniResponse->Create(GENIRESPONSE_SEARCHFAILED, undef,
......@@ -1792,6 +1837,12 @@ sub Shutdown($)
"This is not your credential!");
}
$credential->HasPrivilege( "pi" ) or
$credential->HasPrivilege( "instantiate" ) or
$credential->HasPrivilege( "control" ) or
return GeniResponse->Create( GENIRESPONSE_FORBIDDEN, undef,
"Insufficient privilege" );
#
# Create the slice record, since we do not want a request to come
# in later.
......@@ -1964,6 +2015,11 @@ sub SliceStatus($)
"This is not your credential!");
}
$credential->HasPrivilege( "pi" ) or
$credential->HasPrivilege( "info" ) or
return GeniResponse->Create( GENIRESPONSE_FORBIDDEN, undef,
"Insufficient privilege" );
my $slice = GeniSlice->Lookup($slice_uuid);
if (!defined($slice)) {
return GeniResponse->Create(GENIRESPONSE_SEARCHFAILED, undef,
......@@ -2042,6 +2098,11 @@ sub SliverStatus($)
"This is not your credential!");
}
$credential->HasPrivilege( "pi" ) or
$credential->HasPrivilege( "info" ) or
return GeniResponse->Create( GENIRESPONSE_FORBIDDEN, undef,
"Insufficient privilege" );
#
# For now, only allow top level aggregate to be deleted.
#
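Review bot: The component-manager Shutdown hunk accepts `instantiate` as sufficient to shut a slice down (alongside `pi` and `control`), while the slice-authority Shutdown in this same commit accepts only `pi` or `control`, and the DeleteSliver and DeleteSlice hunks here also accept `instantiate`; a delegate granted only `instantiate` so it can create slivers can therefore tear down or shut down the slice at the component manager, which is more than "a restricted set of operations" suggests. If `instantiate` is meant to cover the whole sliver lifecycle, say so once above the checks, e.g. `# "instantiate" spans the full sliver lifecycle: create, delete and shutdown`; otherwise drop it from the Shutdown and Delete checks so the privilege actually bounds what a delegate can do. All enclosing subs start and end outside their hunks.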
......
......@@ -220,7 +220,9 @@ sub CreateFromSigned($$;$)
my ($cap_node) = $doc->getElementsByTagName("privileges");
return undef
if (!defined($cap_node));
my $capabilities = XMLin($cap_node->toString(), ForceArray => 0);
my $rawcapabilities = XMLin($cap_node->toString(),
ForceArray => [ "privilege" ] );
my $capabilities = $rawcapabilities->{ "privilege" };
# Dig out the extensions
my ($extensions_node) = $doc->getElementsByTagName("extensions");
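Review bot: With `ForceArray => [ "privilege" ]`, `$rawcapabilities->{ "privilege" }` is undef when the `<privileges>` element carries no `<privilege>` children, so `$capabilities` goes from the old (possibly empty) hashref to undef and HasPrivilege now has to tolerate that; `my $capabilities = $rawcapabilities->{ "privilege" } || [];` keeps the no-privileges case well-defined. The field's shape also changes from hashref to arrayref, so any reader of it other than HasPrivilege needs the same update — neither HasPrivilege nor other consumers are visible in this diff. I also could not find where this commit checks that a delegated credential's privilege list is a subset of its parent's; if that lives in the signature or chain verification, a one-line comment here pointing at it would help the next reader. CreateFromSigned starts and ends outside the hunk.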
......
......@@ -117,6 +117,11 @@ sub GetCredential($)
undef, "This is not your registry!");
}
$credential->HasPrivilege( "authority" ) or
$credential->HasPrivilege( "resolve" ) or
return GeniResponse->Create( GENIRESPONSE_FORBIDDEN, undef,
"Insufficient privilege" );
my $this_user = GeniUser->Lookup($credential->owner_uuid(), 1);
if (!defined($this_user)) {
return GeniResponse->Create(GENIRESPONSE_FORBIDDEN,
......@@ -212,6 +217,11 @@ sub Resolve($)
undef, "This is not your registry!");
}
$credential->HasPrivilege( "authority" ) or
$credential->HasPrivilege( "resolve" ) or
return GeniResponse->Create( GENIRESPONSE_FORBIDDEN, undef,
"Insufficient privilege" );
#
# We need to enforce Emulab permissions here, since the credential
# allows anyone with a credential for this registry to lookup anyone
......@@ -333,6 +343,11 @@ sub Register($)
undef, "This is not your registry!");
}
$credential->HasPrivilege( "authority" ) or
$credential->HasPrivilege( "refresh" ) or
return GeniResponse->Create( GENIRESPONSE_FORBIDDEN, undef,
"Insufficient privilege" );
#
# We need to enforce Emulab permissions here, since the credential
# allows anyone with a credential for this registry to lookup anyone
......@@ -509,6 +524,11 @@ sub Remove($)
undef, "This is not your registry!");
}
$credential->HasPrivilege( "authority" ) or
$credential->HasPrivilege( "refresh" ) or
return GeniResponse->Create( GENIRESPONSE_FORBIDDEN, undef,
"Insufficient privilege" );
#
# We need to enforce Emulab permissions here, since the credential
# allows anyone with a credential for this registry to lookup anyone
......@@ -596,6 +616,11 @@ sub DiscoverResources($)
"Unknown slice for this credential");
}
$credential->HasPrivilege( "authority" ) or
$credential->HasPrivilege( "resolve" ) or
return GeniResponse->Create( GENIRESPONSE_FORBIDDEN, undef,
"Insufficient privilege" );
#
# Ask clearing house for a list of components.
#
......@@ -645,6 +670,11 @@ sub GetKeys($)
undef, "This is not your registry!");
}
$credential->HasPrivilege( "authority" ) or
$credential->HasPrivilege( "resolve" ) or
return GeniResponse->Create( GENIRESPONSE_FORBIDDEN, undef,
"Insufficient privilege" );
my $this_user = GeniUser->Lookup($credential->owner_uuid(), 1);
if (!defined($this_user)) {
return GeniResponse->Create(GENIRESPONSE_FORBIDDEN,
......@@ -699,6 +729,11 @@ sub BindToSlice($)
"Unknown slice for this credential");
}
$credential->HasPrivilege( "pi" ) or
$credential->HasPrivilege( "bind" ) or
return GeniResponse->Create( GENIRESPONSE_FORBIDDEN, undef,
"Insufficient privilege" );
#
# Locate the target user; must exist locally.
#
......@@ -745,6 +780,10 @@ sub Shutdown($)
return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
"Unknown slice for this credential");
}
$credential->HasPrivilege( "pi" ) or
$credential->HasPrivilege( "control" ) or
return GeniResponse->Create( GENIRESPONSE_FORBIDDEN, undef,
"Insufficient privilege" );
system("$SLICESHUTDOWN $slice_uuid");
if ($?) {
print STDERR "Could not shutdown $slice!\n";
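Review bot: The DiscoverResources hunk requires `authority` or `resolve`, but the error text just above it ("Unknown slice for this credential") shows it is validating a slice credential, and every other slice-credential check in this commit (BindToSlice and Shutdown here, GetSliver and SliceStatus at the component manager) uses the `pi`/`bind`/`control`/`info` vocabulary, with `authority`/`resolve` appearing only on registry-credential paths. Unless slice credentials are also issued with `resolve`, a delegated slice credential carrying `info` will be refused here; `$credential->HasPrivilege( "pi" ) or $credential->HasPrivilege( "info" ) or` looks like the consistent gate, assuming the credential really is a slice credential. Shutdown here also omits `instantiate`, which the component-manager Shutdown accepts — worth aligning the two one way or the other. Each enclosing sub starts and ends outside its hunk.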
......