Commit d4e3b3a3 authored by Leigh Stoller's avatar Leigh Stoller

Brutal hack to support APT guest users; sign the user certificate with

an alternate CA so that they can never authenticate to the Geni
federation if they manage to get a hold of their certificate (which
they can't). Only when TBMAINSITE=1
parent d6c49245
......@@ -57,6 +57,7 @@ my $TBAPPROVAL = "@TBAPPROVALEMAIL@";
my $TBAUDIT = "@TBAUDITEMAIL@";
my $BOSSNODE = "@BOSSNODE@";
my $OURDOMAIN = "@OURDOMAIN@";
my $MAINSITE = @TBMAINSITE@;
my $SIGNCRED = "$TB/sbin/signgenicred";
my $VERIFYCRED = "$TB/sbin/verifygenicred";
my $NFREE = "$TB/bin/nfree";
......@@ -209,8 +210,18 @@ sub Create($$;$)
my ($authority, $type, $name) = GeniHRN::Parse($urn);
my $caflag = $type eq "authority" ? "" : "-n";
my $showuuidflag = $showuuid ? " -U " : "";
if (! open(CERT, "$MKCERT $caflag -i \"$urn\" $url -e \"$email\" $hrn " .
"$showuuidflag$uuid |")) {
# Utah Specific.
my $altcaopt = "";
if ($MAINSITE) {
if (exists($argref->{'useaptca'})) {
$altcaopt = "-d -a /usr/testbed/etc/utah-apt.ca";
}
}
my $cmd = "$MKCERT $altcaopt $caflag ".
"-i \"$urn\" $url -e \"$email\" $hrn $showuuidflag$uuid";
print STDERR "$cmd\n";
if (! open(CERT, "$cmd |")) {
print STDERR "Could not start $MKCERT\n";
return undef;
}
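Review bot: The alternate CA path in the Create hunk is hardcoded as `/usr/testbed/etc/utah-apt.ca` while every other path in this file is derived from `$TB` (`$TB/sbin/signgenicred`), so a build with a non-default prefix silently points mkcert at a file that does not exist; `$altcaopt = "-d -a $TB/etc/utah-apt.ca";` keeps it consistent. The added `print STDERR "$cmd\n";` writes the full mkcert command line, including the user's email and URN, to STDERR on every certificate creation and reads like leftover debugging; drop it or guard it behind a debug flag. The rewritten `open(CERT, "$cmd |")` still hands `$urn`, `$email` and `$uuid` to a shell inside one string, so a quote or shell metacharacter in any of them alters the command instead of being passed as data; since the command is being rebuilt here anyway, the list form `open(CERT, '-|', $MKCERT, @args)` would bypass the shell entirely. Create's body starts before and ends after this hunk.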
......
#!/usr/bin/perl -wT
#
# Copyright (c) 2008-2013 University of Utah and the Flux Group.
# Copyright (c) 2008-2014 University of Utah and the Flux Group.
#
# {{{GENIPUBLIC-LICENSE
#
......@@ -866,6 +866,9 @@ sub Sign($$)
}
$certificate = "-c $certfile";
}
elsif (-e "$how") {
$certificate = "-c $how";
}
elsif ($how == $LOCALSA_FLAG) {
$certificate = "-c $TB/etc/genisa.pem";
}
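Review bot: The new `elsif (-e "$how")` branch in Sign is evaluated before `$how == $LOCALSA_FLAG`, so a flag value is first tried as a relative filename in the current directory, and any string naming an existing file is accepted as the signing certificate and interpolated into the command as `-c $how`. Checking that the value is a path rather than a flag, and restricting it to an absolute one, avoids both surprises: `elsif ($how =~ m{^(/.+)$} && -e $1) { $certificate = "-c $1"; }` (the capture also untaints the value if this code runs under taint mode). A one-line comment stating that `$how` may now be either a signing flag or an absolute certificate path would help the next reader. Sign's body starts before and ends after this hunk.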
......
......@@ -76,6 +76,7 @@ my $TB = "@prefix@";
my $TBOPS = "@TBOPSEMAIL@";
my $TBLOGS = "@TBLOGSEMAIL@";
my $OURDOMAIN = "@OURDOMAIN@";
my $MAINSITE = @TBMAINSITE@;
my $PGENIDOMAIN = "@PROTOGENI_DOMAIN@";
my $SACERT = "$TB/etc/genisa.pem";
my $CMCERT = "$TB/etc/genicm.pem";
......@@ -223,6 +224,7 @@ my $sa_authority = GeniAuthority->Lookup($sa_certificate->urn());
if (!defined($sa_authority)) {
fatal("Could not load SA authority object");
}
my $speaker_signer = $GeniCredential::LOCALSA_FLAG;
#
# We want to contact our local CM to create the sliver.
......@@ -359,10 +361,21 @@ chomp($sshkey)
# so that we can operate on behalf of the user (via speaksfor).
#
my $geniuser = GeniUser->Lookup($user_urn, $localuser);
if (!defined($geniuser)) {
#
# In Utah, check for alternate SA
#
if ($MAINSITE) {
$user_urn = GeniHRN::Generate("aptlab.net", "user", $user_uid);
$user_hrn = "aptlab.${user_uid}";
}
$geniuser = GeniUser->Lookup($user_urn, 0);
}
if (!defined($geniuser)) {
if ($localuser) {
fatal("Could not lookup local user $user_urn");
}
#
# Do not allow overlap with local users.
#
......@@ -380,11 +393,14 @@ if (!defined($geniuser)) {
if ($auth_token !~ /^[\w]+$/) {
fatal("Bad auth token: $auth_token");
}
my $certificate = GeniCertificate->Create({"urn" => $user_urn,
"hrn" => $user_hrn,
"email" => $user_email,
"showuuid" => 1});
my $blob = {"urn" => $user_urn,
"hrn" => $user_hrn,
"email" => $user_email,
"showuuid" => 1};
if ($MAINSITE) {
$blob->{'useaptca'} = 1;
}
my $certificate = GeniCertificate->Create($blob);
fatal("Could not create certificate")
if (!defined($certificate));
......@@ -404,6 +420,17 @@ if (!defined($geniuser)) {
my $user_uuid = $geniuser->uuid();
# So we know this user has dome something lately.
$geniuser->BumpActivity();
# We get the -l flag on initial create only.
$localuser = ($geniuser->IsLocal() ? 1 : 0);
#
# Guest users use the apt CA, and so we must sign the speaksfor
# credential with the APT SA as well so that the target of the
# speaksfor credential is in the same namespace as the signer.
#
if (!$localuser && $MAINSITE) {
$speaker_signer = "/usr/testbed/etc/utah-apt.sa";
}
# Remember key. For now we accept only one key. We store it simply
# so we can display it again for the user in the web interface.
......@@ -495,7 +522,7 @@ fatal("Could not create speaksfor credential")
if (!defined($speaksfor_credential));
$speaksfor_credential->SetType("speaksfor");
fatal("Could not sign speaksfor credential")
if ($speaksfor_credential->Sign($GeniCredential::LOCALSA_FLAG));
if ($speaksfor_credential->Sign($speaker_signer));
#
# Got this far, lets create a quickvm record.
......@@ -691,12 +718,13 @@ sub Terminate($)
if (!defined($slice_credential)) {
fatal("Could not create credential for $slice");
}
my $speaksfor_credential = GeniCredential->Create($geniuser, $sa_authority);
my $speaksfor_credential = GeniCredential->Create($geniuser,
$sa_authority);
fatal("Could not create speaksfor credential")
if (!defined($speaksfor_credential));
$speaksfor_credential->SetType("speaksfor");
fatal("Could not sign speaksfor credential")
if ($speaksfor_credential->Sign($GeniCredential::LOCALSA_FLAG));
if ($speaksfor_credential->Sign($speaker_signer));
#
# Lock the slice in case it is doing something else, like taking
......@@ -817,12 +845,13 @@ sub Extend($$)
if (!defined($slice_credential)) {
fatal("Could not create credential for $slice");
}
my $speaksfor_credential = GeniCredential->Create($geniuser, $sa_authority);
my $speaksfor_credential = GeniCredential->Create($geniuser,
$sa_authority);
fatal("Could not create speaksfor credential")
if (!defined($speaksfor_credential));
$speaksfor_credential->SetType("speaksfor");
fatal("Could not sign speaksfor credential")
if ($speaksfor_credential->Sign($GeniCredential::LOCALSA_FLAG));
if ($speaksfor_credential->Sign($speaker_signer));
my $response =
Genixmlrpc::CallMethod($cm_authority->url(), undef,
......@@ -891,12 +920,13 @@ sub SnapShot($$$)
if (!defined($slice_credential)) {
fatal("Could not create credential for $slice");
}
my $speaksfor_credential = GeniCredential->Create($geniuser, $sa_authority);
my $speaksfor_credential = GeniCredential->Create($geniuser,
$sa_authority);
fatal("Could not create speaksfor credential")
if (!defined($speaksfor_credential));
$speaksfor_credential->SetType("speaksfor");
fatal("Could not sign speaksfor credential")
if ($speaksfor_credential->Sign($GeniCredential::LOCALSA_FLAG));
if ($speaksfor_credential->Sign($speaker_signer));
#
# We do this with slice locked.
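Review bot: The aptlab fallback in the `$geniuser` lookup hunk rewrites `$user_urn` and `$user_hrn` before knowing whether the request was for a local user, so on MAINSITE a local-user request that misses is retried in the aptlab namespace and, if that misses too, the fatal a few lines below reports the aptlab URN rather than the one that was asked for; if the retry does hit a guest record with the same uid, the local request would presumably continue as that guest unless the overlap check further down catches it. Guarding the rewrite with `if ($MAINSITE && !$localuser) {` keeps local lookups out of the guest namespace. Separately, `$speaker_signer = "/usr/testbed/etc/utah-apt.sa";` in the BumpActivity hunk hardcodes the prefix while this same file derives `$SACERT` from `$TB`; declaring `my $APTSACERT = "$TB/etc/utah-apt.sa";` next to `$SACERT` and adding `fatal("Missing APT SA cert $APTSACERT") if ($MAINSITE && ! -e $APTSACERT);` would make a missing signer fail with a clear message instead of the generic "Could not sign speaksfor credential" that the four Sign call sites now share.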
......