Commit 219d771b authored by Leigh B Stoller's avatar Leigh B Stoller

Add generation of real ABAC credentials, now that AL2S accepts them.

See USEABACCREDS toplevel variable in APT_Geni.
parent f0122c1c
......@@ -50,6 +50,9 @@ my $SACERT = "$TB/etc/genisa.pem";
# libraries that make the XMLRPC calls.
my %credcache = ();
# Use real abac credentials (which means we can do speaks-for at ALS2).
my $USEABACCREDS = 0;
#
# Generate the credentials we need.
#
......@@ -123,15 +126,23 @@ sub GenCredentials($$;$)
prnt STDERR "Could not load SA authority object\n";
goto bad;
}
$speaksfor = GeniCredential->Create($geniuser, $sa_authority);
if (!defined($speaksfor)) {
print STDERR "Could not create speaksfor credential\n";
goto bad;
if ($USEABACCREDS) {
$speaksfor = GenABACCredential($geniuser, $sa_authority);
goto bad
if (!defined($speaksfor));
}
$speaksfor->SetType("speaksfor");
if ($speaksfor->Sign($speaker_signer)) {
print STDERR "Could not sign speaksfor credential\n";
goto bad;
else {
$speaksfor = GeniCredential->Create($geniuser, $sa_authority);
if (!defined($speaksfor)) {
print STDERR "Could not create speaksfor credential\n";
goto bad;
}
$speaksfor->SetType("speaksfor");
if ($speaksfor->Sign($speaker_signer)) {
print STDERR "Could not sign speaksfor credential\n";
goto bad;
}
}
}
$credential = GeniCredential->Create($target, $geniuser);
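Review bot: The ABAC branch never calls `SetType("speaksfor")`, so the credential keeps whatever type `CreateFromSigned` assigned, and the stitcher invocation in the last hunk of this commit switches `--al2scredfile` on `type() eq "speaksfor"` — that appears to be the only place the two paths are told apart, and neither hunk says so. A comment at the `if ($USEABACCREDS)` line would make the dependency visible, e.g. `# ABAC speaks-for creds keep their own type; RunStitcher tests type() eq "speaksfor" to decide whether the separate AL2S credential is passed.` The ABAC path also omits the explicit error print that the legacy branch has, which is acceptable only because GenABACCredential reports its own failures — worth stating in the same comment. GenCredentials begins and ends outside this hunk.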
......@@ -227,5 +238,58 @@ sub GenAuthCredential($;$)
return $credential;
}
#
# Generate a real ABAC credential
#
sub GenABACCredential($$)
{
my ($geniuser, $speaker) = @_;
require ABAC;
import ABAC;
my $userfile = $geniuser->GetCertificate()->WriteToFile(1);
if (!defined($userfile)) {
print STDERR "Could not write user cert/key to file!\n";
return undef;
}
my $speakerfile = $speaker->GetCertificate()->WriteToFile(1);
if (!defined($speakerfile)) {
print STDERR "Could not write speaker cert/key to file!\n";
return undef;
}
my $abacuser = ABAC::ID->new($userfile);
if (!defined($abacuser)) {
print STDERR "Could not create user ABAC:ID for $geniuser\n";
return undef;
}
$abacuser->load_privkey($userfile);
my $abactool = ABAC::ID->new($speakerfile);
if (!defined($abactool)) {
print STDERR "Could not create speaker ABAC:ID\n";
return undef;
}
my $abacattr = ABAC::Attribute->new($abacuser,
"speaks_for_" . $abacuser->keyid(),
30 * 24 * 60 * 60);
if (!defined($abacattr)) {
print STDERR "Could not create ABAC::Attribute\n";
return undef;
}
$abacattr->principal($abactool->keyid());
$abacattr->bake();
my $xml = $abacattr->cert_chunk();
my $cred = GeniCredential->CreateFromSigned($xml);
if (!defined($cred)) {
print STDERR "Could not create ABAC credential from $xml\n";
return undef;
}
$cred->SetTargetCert($geniuser->GetCertificate());
$cred->SetOwnerCert($speaker->GetCertificate());
return $cred;
}
# _Always_ make sure that this 1 is at the end of the file...
1;
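Review bot: GenABACCredential writes the user's and the speaker's certificate plus private key to disk via `WriteToFile(1)` (the error messages say "cert/key") and never removes those files, neither on the success path nor on the early returns that follow the writes; if WriteToFile(1) produces a temporary file, as its name suggests, private-key material is left behind on every call. Once `$abactool` has been constructed both files have been consumed, so `unlink($userfile, $speakerfile);` belongs there and before each `return undef` between the writes and that point — or, simpler, in one cleanup block that every exit passes through. `load_privkey` and `bake` are called without checking a result; if the ABAC binding reports failure by return value that is silently lost — confirm against its documentation. Style: `return;` rather than `return undef;` (callers test `defined` in scalar context, so behaviour is unchanged), and the 30-day lifetime `30 * 24 * 60 * 60` deserves a named constant.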
......@@ -69,7 +69,6 @@ my $usemydevtree = 0;
sub fatal($);
sub UserError($);
sub SnapShot($$$);
sub GenCredentials($$$$);
sub CreateDatasetCreds($$$$$);
sub CreateSlivers();
sub RunStitcher();
......@@ -1202,9 +1201,11 @@ sub RunStitcher()
#
my $users = [];
foreach my $user (@{$sshkeys}) {
my @tmp = map { $_->{'key'} } @{$user->{'keys'}};
push(@{$users},
{"urn" => $user->{'urn'},
"keys" => map { $_->{'key'} } @{$user->{'keys'}}});
"keys" => [ @tmp ] });
}
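Review bot: The new `@tmp` temporary and the `[ @tmp ]` copy can be folded into one expression, `"keys" => [ map { $_->{'key'} } @{$user->{'keys'}} ]`, which keeps the arrayref construction on the line where the keys are extracted; `\@tmp` would also work, since `@tmp` is freshly declared each iteration. Because the removed bare `map` flattened its results into the hash constructor — an easy mistake to reintroduce — a short comment such as `# arrayref: a bare map here would flatten the keys into the hash` would protect the fix. RunStitcher begins and ends outside this hunk.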
#
......@@ -1212,7 +1213,9 @@ sub RunStitcher()
#
my $command = "$STITCHER --fileDir $tmpdir --cred $speaksforfile ".
"--slicecredfile $slicecredfile --usercredfile $slicecredfile ".
"--al2scredfile $al2scredfile --debug ".
($speaksfor_credential->type() eq "speaksfor" ?
"--al2scredfile $al2scredfile " : "") .
"--debug ".
# We do not want these two files defaulting to user home dir.
"--GetVersionCacheName=$tmpdir/get_version_cache.json ".
"--AggNickCacheName=$tmpdir/agg_nick_cache ".
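Review bot: The new ternary drops `--al2scredfile` whenever the speaks-for credential is not of type "speaksfor", but nothing says why, and `$al2scredfile` is presumably still produced earlier in RunStitcher; a comment above the ternary would carry the reason, e.g. `# Only the legacy speaksfor credential needs the separate AL2S credential; an ABAC speaks-for credential is accepted by AL2S on its own.` — confirm that wording against what AL2S actually requires. If `type()` can return undef, the `eq` will warn under `use warnings`; `($speaksfor_credential->type() // '') eq "speaksfor"` avoids that. RunStitcher begins and ends outside this hunk.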