Commit ae3ea197 authored by Leigh B Stoller's avatar Leigh B Stoller

Add speaksfor to GeniSA/MA/StdSA modules, and add/fix things to

support the genidesktop.
parent 9064171a
......@@ -54,6 +54,7 @@ use File::Temp qw(tempfile);
use Date::Parse;
use POSIX qw(strftime);
use Time::Local;
use Carp qw(cluck carp);
use overload ('""' => 'Stringify');
# Exported variables
......@@ -412,6 +413,11 @@ sub CreateFromSigned($$;$)
$nosig = 0
if (!defined($nosig));
if (!defined($string)) {
$msg = "No string";
goto bad;
}
# First verify the credential
if (! $nosig) {
my ($fh, $filename) = tempfile(UNLINK => 0);
......@@ -675,6 +681,7 @@ sub CreateFromSigned($$;$)
$msg = "Internal error creating credential object";
}
print STDERR "$msg\n";
cluck("$msg");
$CreateFromSignedError = $msg;
return undef;
}
......@@ -1130,6 +1137,27 @@ sub CheckCredential($;$$)
return $credential;
}
#
# Load a certificate from a file. This creates an object, but does
# not store it in the DB.
#
sub LoadFromFile($$)
{
my ($class, $filename) = @_;
my $contents = "";
if (! open(CRED, $filename)) {
print STDERR "Could not open $filename: $!\n";
return undef;
}
while (<CRED>) {
$contents .= $_;
}
close(CRED);
return GeniCredential->CreateFromSigned($contents);
}
########################################################################
# ABAC version of a credential. This a total hack job, will need to
# be flushed and redone later.
......
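Review bot: `LoadFromFile` opens its argument with the two-argument form and a bareword handle, `open(CRED, $filename)`, so a filename that starts or ends with a mode character is parsed as a mode or a pipe instead of a plain path, and the global `CRED` handle can collide with other code. Use the three-argument form with a lexical handle, `open(my $fh, '<', $filename)`, then read from `$fh` and `close($fh)`. The header comment says "certificate", but the function returns the result of `GeniCredential->CreateFromSigned`, so it should say "credential". Since `$nosig` is not passed and defaults to 0 in `CreateFromSigned`, the loaded file is still signature-checked, which is worth stating in that comment.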
......@@ -84,18 +84,25 @@ sub LookupPublic($)
sub LookupPrivate($$)
{
my ($credential_args, $options) = @_;
my ($credential) = GeniStd::CheckCredentials(GeniStd::FilterCredentials($credential_args));
my ($credential,$speaksfor) =
GeniStd::CheckCredentials(GeniStd::FilterCredentials($credential_args));
return $credential
if (GeniResponse::IsResponse($credential));
return GeniResponse->MalformedArgsResponse("Missing self credential")
if (!defined($credential));
#
# We need to enforce Emulab permissions here, since the credential
# allows anyone with a credential for this registry to lookup anyone
# else. Good feature of the Geni API.
#
my $this_user = GeniUser->Lookup($ENV{'GENIURN'}, 1);
my $this_user =
GeniUser->Lookup((defined($speaksfor) ?
$speaksfor->target_urn() : $ENV{'GENIURN'}), 1);
if (!defined($this_user)) {
return GeniResponse->Create(GENIRESPONSE_FORBIDDEN, undef,
"Permission denied. Only local users are allowed to make private lookups.");
"Permission denied. Only local users are allowed ".
"to make private lookups.");
}
$credential->HasPrivilege( "authority" ) or
......@@ -119,19 +126,25 @@ sub LookupIdentifying($$)
{
my ($credential_args, $options) = @_;
my ($credential) = GeniStd::CheckCredentials(GeniStd::FilterCredentials($credential_args));
my ($credential,$speaksfor) =
GeniStd::CheckCredentials(GeniStd::FilterCredentials($credential_args));
return $credential
if (GeniResponse::IsResponse($credential));
return GeniResponse->MalformedArgsResponse("Missing self credential")
if (!defined($credential));
#
# We need to enforce Emulab permissions here, since the credential
# allows anyone with a credential for this registry to lookup anyone
# else. Good feature of the Geni API.
#
my $this_user = GeniUser->Lookup($ENV{'GENIURN'}, 1);
my $this_user =
GeniUser->Lookup((defined($speaksfor) ?
$speaksfor->target_urn() : $ENV{'GENIURN'}), 1);
if (!defined($this_user)) {
return GeniResponse->Create(GENIRESPONSE_FORBIDDEN, undef,
"Permission denied. Only local users are allowed to make identifying lookups.");
"Permission denied. Only local users are allowed ".
"to make identifying lookups.");
}
$credential->HasPrivilege( "authority" ) or
......@@ -171,7 +184,19 @@ sub GetCredentials($$$)
{
my ($member_urn, $credential_args, $options) = @_;
my $credential = GeniSA::GetCredential({ "urn" => $member_urn });
#
# Need to know if only a speaksfor is provided.
#
my ($credential,$speaksfor) =
GeniStd::CheckCredentials(GeniStd::FilterCredentials($credential_args));
return $credential
if (GeniResponse::IsResponse($credential));
my $args = { "urn" => $member_urn };
if (defined($speaksfor)) {
$args->{"credential"} = $speaksfor->asString();
}
$credential = GeniSA::GetCredential($args);
return $credential
if (GeniResponse::IsError($credential));
......@@ -207,7 +232,44 @@ sub UpdateKey($$$$)
sub LookupKeys($$)
{
my ($credentials, $options) = @_;
my ($credential_args, $options) = @_;
return GeniResponse->Create(GENIRESPONSE_NOT_IMPLEMENTED);
my ($credential,$speaksfor) =
GeniStd::CheckCredentials(GeniStd::FilterCredentials($credential_args));
return $credential
if (GeniResponse::IsResponse($credential));
return GeniResponse->MalformedArgsResponse("Missing self credential")
if (0 && !defined($credential));
#
# We need to enforce Emulab permissions here, since the credential
# allows anyone with a credential for this registry to lookup anyone
# else. Good feature of the Geni API.
#
my $this_user =
GeniUser->Lookup((defined($speaksfor) ?
$speaksfor->target_urn() : $ENV{'GENIURN'}), 1);
if (!defined($this_user)) {
return GeniResponse->Create(GENIRESPONSE_FORBIDDEN, undef,
"Permission denied.");
}
defined($credential) &&
($credential->HasPrivilege( "authority" ) or
$credential->HasPrivilege( "resolve" ) or
return GeniResponse->Create( GENIRESPONSE_FORBIDDEN, undef,
"Insufficient privilege" ));
my @keys;
if ($this_user->GetKeyBundle(\@keys) != 0) {
print STDERR "Could not get keys for $this_user\n";
return GeniResponse->Create(GENIRESPONSE_ERROR);
}
my @list = ();
foreach my $key (@keys) {
push(@list, {"KEY_PUBLIC" => $key->{'key'} });
}
my $blob = { $this_user->urn() => \@list };
return GeniResponse->Create(GENIRESPONSE_SUCCESS, $blob);
}
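Review bot: In `LookupKeys` the missing-credential check is switched off with `0 &&`, and the privilege test is wrapped in `defined($credential) && (...)`. A request that yields no credential therefore skips the `authority`/`resolve` check and is gated only by the `GeniUser->Lookup` on the speaks-for target or `$ENV{'GENIURN'}`. If listing one's own keys without a credential is the intended policy, delete the dead `0 &&` statement and add a comment such as `# No credential required: a local user may always list their own keys`; otherwise restore `if (!defined($credential))`. The "enforce Emulab permissions" comment was carried over from `LookupPrivate` and does not describe this path. The rendered page does not show whether the old `GENIRESPONSE_NOT_IMPLEMENTED` return was removed; if it is still present, everything after it is unreachable.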
#!/usr/bin/perl -wT
#
# Copyright (c) 2008-2013 University of Utah and the Flux Group.
# Copyright (c) 2008-2014 University of Utah and the Flux Group.
#
# {{{GENIPUBLIC-LICENSE
#
......@@ -52,6 +52,7 @@ use GeniCredential;
use GeniCertificate;
use GeniAuthority;
use GeniHRN;
use GeniStd;
use English;
use XML::Simple;
use Data::Dumper;
......@@ -91,32 +92,53 @@ sub GetCredential($)
my ($argref) = @_;
my $urn = $argref->{'urn'};
my $cred = $argref->{'credential'};
my $creds = $argref->{'credentials'};
my $geniuser;
if (0 && $MAINSITE) {
print STDERR "Debugging getslicecred()\n";
}
#
# No credential, then return a generic credential giving user permission
# to do other things.
# This credential is for access to this SA.
#
if (!defined($cred)) {
my $geniuser = GeniUser->Lookup($ENV{'GENIURN'}, 1);
if (!defined($geniuser)) {
return GeniResponse->Create(GENIRESPONSE_FORBIDDEN,
undef, "Who are you?");
}
my $authority = GeniAuthority->Lookup($ENV{'MYURN'});
if (!defined($authority)) {
print STDERR
"Could not find local authority object for $ENV{'MYURN'}\n";
return GeniResponse->Create(GENIRESPONSE_ERROR);
}
#
# If we got *only* a speaks-for credential, then a tool is asking for
# a self-cred on behalf of a user.
#
if (defined($cred)) {
my ($credential,$speaksfor) =
GeniStd::CheckCredentials([$cred], $authority);
return $credential
if (GeniResponse::IsResponse($credential));
if (defined($speaksfor)) {
$geniuser = GeniUser->Lookup($speaksfor->target_urn(), 1);
if (!defined($geniuser)) {
return GeniResponse->Create(GENIRESPONSE_FORBIDDEN,
undef, "Who are you speaking for?");
}
# Asking for a self cred for the target user.
goto selfcred;
}
}
elsif (!(defined($cred) || defined($creds))) {
#
# This credential is for access to this SA.
# No cred, caller wants a self credential.
#
my $authority = GeniAuthority->Lookup($ENV{'MYURN'});
if (!defined($authority)) {
print STDERR
"Could not find local authority object for $ENV{'MYURN'}\n";
return GeniResponse->Create(GENIRESPONSE_ERROR);
$geniuser = GeniUser->Lookup($ENV{'GENIURN'}, 1);
if (!defined($geniuser)) {
return GeniResponse->Create(GENIRESPONSE_FORBIDDEN, undef,
"Who are you?");
}
selfcred:
if( !CheckMembership( $geniuser ) ) {
return GeniResponse->Create( GENIRESPONSE_FORBIDDEN,
undef, "No privilege at this " .
......@@ -160,7 +182,13 @@ sub GetCredential($)
print STDERR "Could not find local authority object\n";
return GeniResponse->Create(GENIRESPONSE_ERROR);
}
my $credential = GeniCredential::CheckCredential($cred, $authority);
my ($credential,$speaksfor);
if (defined($cred)) {
$credential = GeniCredential::CheckCredential($cred, $authority);
}
else {
($credential,$speaksfor) = GeniStd::CheckCredentials($creds, $authority);
}
return $credential
if (GeniResponse::IsResponse($credential));
......@@ -169,14 +197,16 @@ sub GetCredential($)
return GeniResponse->Create( GENIRESPONSE_FORBIDDEN, undef,
"Insufficient privilege" );
my $this_user = GeniUser->Lookup($ENV{'GENIURN'}, 1);
if (!defined($this_user)) {
return GeniResponse->Create(GENIRESPONSE_FORBIDDEN,
undef, "Who are you?");
}
my ($undef, $type, $id) = GeniHRN::Parse($urn);
if( !CheckMembership( $this_user ) ) {
$geniuser =
GeniUser->Lookup((defined($speaksfor) ?
$speaksfor->target_urn() : $ENV{'GENIURN'}), 1);
if (!defined($geniuser)) {
return GeniResponse->Create(GENIRESPONSE_FORBIDDEN, undef,
"Who are you? No local record");
}
if( !CheckMembership( $geniuser ) ) {
return GeniResponse->Create( GENIRESPONSE_FORBIDDEN,
undef, "No privilege at this " .
"authority" );
......@@ -191,8 +221,8 @@ sub GetCredential($)
# Bump the activity counter for the user. Lets us know in the
# main DB that a user is doing something useful.
#
$this_user->BumpActivity()
if ($this_user->IsLocal());
$geniuser->BumpActivity()
if ($geniuser->IsLocal());
my $slice = GeniSlice->Lookup($urn);
......@@ -202,8 +232,8 @@ sub GetCredential($)
if ($slice->Lock() != 0) {
return GeniResponse->BusyResponse("slice");
}
if ($slice->creator_urn() ne $this_user->urn() &&
!$slice->IsBound($this_user)) {
if ($slice->creator_urn() ne $geniuser->urn() &&
!$slice->IsBound($geniuser)) {
$slice->UnLock();
return GeniResponse->Create(GENIRESPONSE_FORBIDDEN, undef,
"Not your slice!");
......@@ -211,13 +241,13 @@ sub GetCredential($)
#
# Return a credential for the slice.
#
my $slice_credential = GeniCredential->Lookup($slice, $this_user);
my $slice_credential = GeniCredential->Lookup($slice, $geniuser);
if (defined($slice_credential)) {
#
# Check for expiration and for changed certificate.
#
if ($slice_credential->IsExpired() ||
!$slice_credential->SameCerts($slice, $this_user)) {
!$slice_credential->SameCerts($slice, $geniuser)) {
$slice_credential->Delete();
$slice_credential = undef;
}
......@@ -225,7 +255,7 @@ sub GetCredential($)
if (!defined($slice_credential)) {
$slice_credential =
GeniCredential->CreateSigned($slice,
$this_user,
$geniuser,
$main::PROJECT ?
$authority->GetCertificate() :
$GeniCredential::LOCALSA_FLAG );
......@@ -256,6 +286,7 @@ sub Resolve($)
my $urn = $argref->{'urn'};
my $cred = $argref->{'credential'};
my $type = $argref->{'type'};
my $creds = $argref->{'credentials'};
if (! (defined($hrn) || defined($urn))) {
return GeniResponse->MalformedArgsResponse();
......@@ -285,7 +316,7 @@ sub Resolve($)
(undef,$type,undef) = GeniHRN::Parse($urn);
}
$type = lc($type);
if (! defined($cred)) {
if (! (defined($cred) || defined($creds))) {
return GeniResponse->MalformedArgsResponse();
}
......@@ -294,7 +325,13 @@ sub Resolve($)
print STDERR "Could not find local authority object\n";
return GeniResponse->Create(GENIRESPONSE_ERROR);
}
my $credential = GeniCredential::CheckCredential($cred, $authority);
my ($credential, $speaksfor);
if (defined($cred)) {
$credential = GeniCredential::CheckCredential($cred, $authority);
}
else {
($credential,$speaksfor) = GeniStd::CheckCredentials($creds, $authority);
}
return $credential
if (GeniResponse::IsResponse($credential));
......@@ -308,7 +345,9 @@ sub Resolve($)
# allows anyone with a credential for this registry to lookup anyone
# else. Good feature of the Geni API.
#
my $this_user = GeniUser->Lookup($ENV{'GENIURN'}, 1);
my $this_user =
GeniUser->Lookup((defined($speaksfor) ?
$speaksfor->target_urn() : $ENV{'GENIURN'}), 1);
if (!defined($this_user)) {
return GeniResponse->Create(GENIRESPONSE_FORBIDDEN, undef,
"Who are you? No local record");
......@@ -410,11 +449,13 @@ sub Register($)
# (it's deduced automatically from the URN).
my ($argref) = @_;
my $cred = $argref->{'credential'};
my $creds = $argref->{'credentials'};
my $type = $argref->{'type'};
my $hrn = $argref->{'hrn'};
my $urn = $argref->{'urn'};
if (! ((defined($hrn) || defined($urn)) && defined($cred))) {
if (! ((defined($hrn) || defined($urn)) &&
(defined($cred) || defined($creds)))) {
return GeniResponse->MalformedArgsResponse();
}
if (defined($urn)) {
......@@ -457,7 +498,13 @@ sub Register($)
print STDERR "Could not find local authority object\n";
return GeniResponse->Create(GENIRESPONSE_ERROR);
}
my $credential = GeniCredential::CheckCredential($cred, $authority);
my ($credential, $speaksfor);
if (defined($cred)) {
$credential = GeniCredential::CheckCredential($cred, $authority);
}
else {
($credential,$speaksfor) = GeniStd::CheckCredentials($creds, $authority);
}
return $credential
if (GeniResponse::IsResponse($credential));
......@@ -471,7 +518,9 @@ sub Register($)
# allows anyone with a credential for this registry to lookup anyone
# else. Good feature of the Geni API.
#
my $this_user = GeniUser->Lookup($ENV{'GENIURN'}, 1);
my $this_user =
GeniUser->Lookup((defined($speaksfor) ?
$speaksfor->target_urn() : $ENV{'GENIURN'}), 1);
if (!defined($this_user)) {
return GeniResponse->Create(GENIRESPONSE_FORBIDDEN, undef,
"Who are you? No local record");
......@@ -655,8 +704,10 @@ sub Remove($)
my $urn = $argref->{'urn'};
my $cred = $argref->{'credential'};
my $type = $argref->{'type'};
my $creds= $argref->{'credentials'};
if (! ((defined($hrn) || defined($urn)) && defined($cred))) {
if (! ((defined($hrn) || defined($urn)) &&
(defined($cred) || defined($creds)))) {
return GeniResponse->MalformedArgsResponse();
}
if (defined($urn)) {
......@@ -688,7 +739,13 @@ sub Remove($)
print STDERR "Could not find local authority object\n";
return GeniResponse->Create(GENIRESPONSE_ERROR);
}
my $credential = GeniCredential::CheckCredential($cred, $authority);
my ($credential, $speaksfor);
if (defined($cred)) {
$credential = GeniCredential::CheckCredential($cred, $authority);
}
else {
($credential,$speaksfor) = GeniStd::CheckCredentials($creds, $authority);
}
return $credential
if (GeniResponse::IsResponse($credential));
......@@ -697,7 +754,9 @@ sub Remove($)
return GeniResponse->Create( GENIRESPONSE_FORBIDDEN, undef,
"Insufficient privilege" );
my $this_user = GeniUser->Lookup($ENV{'GENIURN'}, 1);
my $this_user =
GeniUser->Lookup((defined($speaksfor) ?
$speaksfor->target_urn() : $ENV{'GENIURN'}), 1);
if (!defined($this_user)) {
return GeniResponse->Create(GENIRESPONSE_FORBIDDEN, undef,
"Who are you? No local record");
......@@ -770,10 +829,11 @@ sub GetKeys($)
{
my ($argref) = @_;
my $cred = $argref->{'credential'};
my $creds = $argref->{'credentials'};
# Hidden option. Remove later.
my $version = $argref->{'version'} || 1;
if (! defined($cred)) {
if (! (defined($cred) || defined($creds))) {
return GeniResponse->MalformedArgsResponse();
}
......@@ -782,7 +842,13 @@ sub GetKeys($)
print STDERR "Could not find local authority object\n";
return GeniResponse->Create(GENIRESPONSE_ERROR);
}
my $credential = GeniCredential::CheckCredential($cred, $authority);
my ($credential, $speaksfor);
if (defined($cred)) {
$credential = GeniCredential::CheckCredential($cred, $authority);
}
else {
($credential,$speaksfor) = GeniStd::CheckCredentials($creds, $authority);
}
return $credential
if (GeniResponse::IsResponse($credential));
......@@ -791,7 +857,9 @@ sub GetKeys($)
return GeniResponse->Create( GENIRESPONSE_FORBIDDEN, undef,
"Insufficient privilege" );
my $this_user = GeniUser->Lookup($ENV{'GENIURN'}, 1);
my $this_user =
GeniUser->Lookup((defined($speaksfor) ?
$speaksfor->target_urn() : $ENV{'GENIURN'}), 1);
if (!defined($this_user)) {
return GeniResponse->Create(GENIRESPONSE_FORBIDDEN, undef,
"Who are you? No local record");
......@@ -832,9 +900,10 @@ sub BindToSlice($)
{
my ($argref) = @_;
my $cred = $argref->{'credential'};
my $creds = $argref->{'credentials'};
my $urn = $argref->{'urn'};
if (! (defined($urn) && defined($cred))) {
if (! (defined($urn) && (defined($cred) || defined($creds)))) {
return GeniResponse->MalformedArgsResponse();
}
return GeniResponse->MalformedArgsResponse()
......@@ -845,7 +914,13 @@ sub BindToSlice($)
print STDERR "Could not find local authority object\n";
return GeniResponse->Create(GENIRESPONSE_ERROR);
}
my $credential = GeniCredential::CheckCredential($cred);
my ($credential, $speaksfor);
if (defined($cred)) {
$credential = GeniCredential::CheckCredential($cred, $authority);
}
else {
($credential,$speaksfor) = GeniStd::CheckCredentials($creds, $authority);
}
return $credential
if (GeniResponse::IsResponse($credential));
......@@ -854,7 +929,9 @@ sub BindToSlice($)
return GeniResponse->Create( GENIRESPONSE_FORBIDDEN, undef,
"Insufficient privilege" );
my $this_user = GeniUser->Lookup($ENV{'GENIURN'}, 1);
my $this_user =
GeniUser->Lookup((defined($speaksfor) ?
$speaksfor->target_urn() : $ENV{'GENIURN'}), 1);
if (!defined($this_user)) {
return GeniResponse->Create(GENIRESPONSE_FORBIDDEN, undef,
"Who are you? No local record");
......@@ -928,15 +1005,29 @@ sub Shutdown($)
sub RenewSlice($)
{
my ($argref) = @_;
my $credstr = $argref->{'credential'};
my $cred = $argref->{'credential'};
my $creds = $argref->{'credentials'};
my $expires = $argref->{'expiration'};
my $message = "Error renewing slice";
if (! (defined($credstr) && defined($expires))) {
if (! (defined($cred) || defined($creds)) && defined($expires)) {
return GeniResponse->Create(GENIRESPONSE_BADARGS);
}
my $credential = GeniCredential::CheckCredential($credstr);
my $authority = GeniAuthority->Lookup($ENV{'MYURN'});
if (!defined($authority)) {
print STDERR
"Could not find local authority object for $ENV{'MYURN'}\n";
return GeniResponse->Create(GENIRESPONSE_ERROR);
}
my ($credential, $speaksfor);
if (defined($cred)) {
$credential = GeniCredential::CheckCredential($cred, $authority);
}
else {
($credential,$speaksfor) = GeniStd::CheckCredentials($creds);
}
return $credential
if (GeniResponse::IsResponse($credential));
......@@ -951,13 +1042,6 @@ sub RenewSlice($)
"Unknown slice for this credential");
}
my $authority = GeniAuthority->Lookup($ENV{'MYURN'});
if (!defined($authority)) {
print STDERR
"Could not find local authority object for $ENV{'MYURN'}\n";
return GeniResponse->Create(GENIRESPONSE_ERROR);
}
#
# Not allowed to renew a cooked mode slice via this interface.
#
......@@ -966,7 +1050,9 @@ sub RenewSlice($)
"Cooked mode Slice");
}
my $this_user = GeniUser->Lookup($ENV{"GENIURN"}, 1);
my $this_user =
GeniUser->Lookup((defined($speaksfor) ?
$speaksfor->target_urn() : $ENV{'GENIURN'}), 1);
if (!defined($this_user)) {
return GeniResponse->Create(GENIRESPONSE_FORBIDDEN, undef,
"Who are you? No local record");
......
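Review bot: The argument check in `RenewSlice` is parenthesized wrongly: `if (! (defined($cred) || defined($creds)) && defined($expires))` returns `GENIRESPONSE_BADARGS` only when both credential fields are missing and `expiration` is present, so a request with no `expiration` is no longer rejected here. It should read `if (! ((defined($cred) || defined($creds)) && defined($expires)))`. In the same function the list path calls `GeniStd::CheckCredentials($creds)` without `$authority`, unlike the other `$creds` call sites in this file section, so the target authority is not passed to the credential check; make it `GeniStd::CheckCredentials($creds, $authority)`. Separately, `goto selfcred` in `GetCredential` appears to jump into the body of the `elsif` block, which Perl warns about as a deprecated jump into a construct. This last point is inferred, because the rendered hunk interleaves old and new lines.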
#!/usr/bin/perl -wT
#
# Copyright (c) 2008-2013 University of Utah and the Flux Group.
# Copyright (c) 2008-2014 University of Utah and the Flux Group.
#
# {{{GENIPUBLIC-LICENSE
#
......@@ -47,6 +47,7 @@ use GeniRegistry;
use emutil;
use URI;
use Data::Dumper;
use Carp qw(cluck carp);
# Filter out any credentials of an uknown type leaving only geni_sfa
# version 2 and version 3 credentials in a list. Also invokes
......@@ -58,8 +59,11 @@ sub FilterCredentials
if (defined($credentials)) {
foreach my $cred (@{ $credentials }) {
if (ref($cred) eq "HASH" &&
$cred->{'geni_type'} eq "geni_sfa" &&
($cred->{'geni_version'} eq 2 || $cred->{'geni_version'} eq 3)) {
(($cred->{'geni_type'} eq "geni_sfa" &&
($cred->{'geni_version'} eq 2 ||
$cred->{'geni_version'} eq 3)) ||
($cred->{'geni_type'} eq "geni_abac" &&
($cred->{'geni_version'} eq 1)))) {
push(@{ $result }, $cred->{'geni_value'});
auto_add_sa($cred->{'geni_value'});
}
......@@ -76,7 +80,7 @@ sub auto_add_sa($)
my $signers = $cred->signer_certs();
return
if ($cred->type() eq "speaksfor");
if ($cred->type() eq "speaksfor" || $cred->type() eq "abac");
# The credential has been verified, so the signer derives from a
# trusted root.
......@@ -193,11 +197,18 @@ sub auto_add_sa($)
#
# Initial credential check.
#
sub CheckCredentials($)
sub CheckCredentials($;$)
{
my ($arg, $target_authority) = @_;
my ($speakee, $speaksfor);
my @rest = ();
my $error;
if (!defined($arg)) {
cluck("CheckCredentials: No credentials!");
$error = GeniResponse->Create(GENIRESPONSE_ERROR);
goto bad;
}
if (ref($_[0]) ne "ARRAY") {
$error = GeniResponse->MalformedArgsResponse("Credentials should be a ".
......@@ -206,14 +217,6 @@ sub CheckCredentials($)
}
else {
my @credential_strings = @{ $_[0] };
if (scalar(@credential_strings) == 1) {
#
# Must be a speaks-as credential.
#
$speakee = GeniCredential::CheckCredential($credential_strings[0]);
}
else {
#
# The only other case is that we get multiple credentials. One
# is the speaks-for credential and another one is the real
......@@ -242,7 +245,8 @@ sub CheckCredentials($)
# just the way I want it.
#
$speakee = shift(@credentials);
$speakee = GeniCredential::CheckCredential($speakee);
$speakee = GeniCredential::CheckCredential($speakee,
$target_authority);
if (GeniResponse::IsError($speakee)) {
$error = $speakee;
goto bad;
......@@ -253,7 +257,9 @@ sub CheckCredentials($)
# The rest of the credentials have to be valid too.
#
foreach my $credential (@rest) {
$credential = GeniCredential::CheckCredential($credential);
$credential =
GeniCredential::CheckCredential($credential,
$target_authority);
if (GeniResponse::IsError($credential)) {
$error = $credential;
goto bad;
......@@ -319,8 +325,9 @@ sub CheckCredentials($)
# by the user, so the owners must match.
#
foreach my $credential (@credentials) {
my $cred = GeniCredential::CheckCredential($credential,
undef, 1);
my $cred =
GeniCredential::CheckCredential($credential,
$target_authority, 1);
if (GeniResponse::IsError($cred)) {
$error = $cred;
goto bad;
......@@ -340,7 +347,7 @@ sub CheckCredentials($)
$speakee = shift(@credentials);
@rest = @credentials;
}
}
}
if (wantarray()) {
return ($speakee, $speaksfor, @rest);
......
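Review bot: The new `!defined($arg)` guard in `CheckCredentials` answers a missing credential list with a generic `GENIRESPONSE_ERROR` plus a `cluck` stack trace, while the next check reports a non-array argument as `MalformedArgsResponse`. A missing list looks like the same kind of caller error and would be clearer as `$error = GeniResponse->MalformedArgsResponse("No credentials");`. The guard tests `$arg`, but the lines after it still read `$_[0]`; using `$arg` throughout would keep them in step. The comment above `FilterCredentials` still says only geni_sfa version 2 and 3 credentials are kept, although the filter now also passes `geni_abac` version 1, so that comment should be updated. Most of the body of `CheckCredentials` lies outside the visible hunks.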
......@@ -43,6 +43,8 @@ use vars qw(@ISA @EXPORT);
use GeniStd;
use GeniSA;
use GeniSlice;
use GeniUser;
use User;
use GeniResponse;
use GeniCredential;
use GeniRegistry;
......@@ -73,12 +75,9 @@ sub CreateSlice($$)
return GeniResponse->MalformedArgsResponse('Requires a list of credentials, an options field, and a SLICE_NAME in the options field');
}
my $credential = GeniStd::CheckCredentials(GeniStd::FilterCredentials($credential_args));
return $credential
if (GeniResponse::IsResponse($credential));
my $hrn = $options->{'fields'}->{'SLICE_NAME'};
my $args = {
"credential" => $credential->asString(),
"credentials" => GeniStd::FilterCredentials($credential_args),
"hrn" => $hrn,
"type" => "slice"
};
......@@ -156,9 +155,6 @@ sub LookupSlices()
sub UpdateSlice()
{
my ($slice_urn, $credential_args, $options) = @_;