Add generation of real ABAC credentials, now that AL2S accepts them.

See USEABACCREDS toplevel variable in APT_Geni.

Add generation of real ABAC credentials, now that AL2S accepts them.
See USEABACCREDS toplevel variable in APT_Geni.
219d771b · Leigh B Stoller · f0122c1c · 219d771b · 219d771b
Commit 219d771b authored Aug 20, 2015 by Leigh B Stoller
Hide whitespace changes
Inline Side-by-side

Showing with 78 additions and 11 deletions

apt/APT_Geni.pm.in apt/APT_Geni.pm.in +72 -8

apt/create_instance.in apt/create_instance.in +6 -3

No files found.
--- a/apt/APT_Geni.pm.in
+++ b/apt/APT_Geni.pm.in
@@ -50,6 +50,9 @@ my $SACERT	  = "$TB/etc/genisa.pem";
 # libraries that make the XMLRPC calls.
 my %credcache = ();

+# Use real abac credentials (which means we can do speaks-for at ALS2).
+my $USEABACCREDS  = 0;
+
 #
 # Generate the credentials we need. 
 #
@@ -123,15 +126,23 @@ sub GenCredentials($$;$)
 		prnt STDERR "Could not load SA authority object\n";
 		goto bad;
 	    }
-	    $speaksfor = GeniCredential->Create($geniuser, $sa_authority);
-	    if (!defined($speaksfor)) {
-		print STDERR "Could not create speaksfor credential\n";
-		goto bad;
+
+	    if ($USEABACCREDS) {
+		$speaksfor = GenABACCredential($geniuser, $sa_authority);
+		goto bad
+		    if (!defined($speaksfor));
 	    }
-	    $speaksfor->SetType("speaksfor");
-	    if ($speaksfor->Sign($speaker_signer)) {
-		print STDERR "Could not sign speaksfor credential\n";
-		goto bad;
+	    else {
+		$speaksfor = GeniCredential->Create($geniuser, $sa_authority);
+		if (!defined($speaksfor)) {
+		    print STDERR "Could not create speaksfor credential\n";
+		    goto bad;
+		}
+		$speaksfor->SetType("speaksfor");
+		if ($speaksfor->Sign($speaker_signer)) {
+		    print STDERR "Could not sign speaksfor credential\n";
+		    goto bad;
+		}
 	    }
 	}
 	$credential = GeniCredential->Create($target, $geniuser);
@@ -227,5 +238,58 @@ sub GenAuthCredential($;$)
    return $credential;
 }

+#
+# Generate a real ABAC credential
+#
+sub GenABACCredential($$)
+{
+    my ($geniuser, $speaker) = @_;
+    require ABAC;
+    import ABAC;
+
+    my $userfile = $geniuser->GetCertificate()->WriteToFile(1);
+    if (!defined($userfile)) {
+	print STDERR "Could not write user cert/key to file!\n";
+	return undef;
+    }
+    my $speakerfile = $speaker->GetCertificate()->WriteToFile(1);
+    if (!defined($speakerfile)) {
+	print STDERR "Could not write speaker cert/key to file!\n";
+	return undef;
+    }
+    my $abacuser = ABAC::ID->new($userfile);
+    if (!defined($abacuser)) {
+	print STDERR "Could not create user ABAC:ID for $geniuser\n";
+	return undef;
+    }
+    $abacuser->load_privkey($userfile);
+
+    my $abactool = ABAC::ID->new($speakerfile);
+    if (!defined($abactool)) {
+	print STDERR "Could not create speaker ABAC:ID\n";
+	return undef;
+    }
+
+    my $abacattr = ABAC::Attribute->new($abacuser,
+					"speaks_for_" . $abacuser->keyid(),
+					30 * 24 * 60 * 60);
+    if (!defined($abacattr)) {
+	print STDERR "Could not create ABAC::Attribute\n";
+	return undef;
+    }
+    
+    $abacattr->principal($abactool->keyid());
+    $abacattr->bake();
+    my $xml  = $abacattr->cert_chunk();
+    my $cred = GeniCredential->CreateFromSigned($xml);
+    if (!defined($cred)) {
+	print STDERR "Could not create ABAC credential from $xml\n";
+	return undef;
+    }
+    $cred->SetTargetCert($geniuser->GetCertificate());
+    $cred->SetOwnerCert($speaker->GetCertificate());
+    return $cred;
+}
+
 # _Always_ make sure that this 1 is at the end of the file...
 1;
--- a/apt/create_instance.in
+++ b/apt/create_instance.in
@@ -69,7 +69,6 @@ my $usemydevtree  = 0;
 sub fatal($);
 sub UserError($);
 sub SnapShot($$$);
-sub GenCredentials($$$$);
 sub CreateDatasetCreds($$$$$);
 sub CreateSlivers();
 sub RunStitcher();
@@ -1202,9 +1201,11 @@ sub RunStitcher()
    #
    my $users = [];
    foreach my $user (@{$sshkeys}) {
+	my @tmp = map { $_->{'key'} } @{$user->{'keys'}};
+	
 	push(@{$users},
 	     {"urn"  => $user->{'urn'},
-	      "keys" => map { $_->{'key'} } @{$user->{'keys'}}});
+	      "keys" => [ @tmp ] });
    }

    #
@@ -1212,7 +1213,9 @@ sub RunStitcher()
    #
    my $command = "$STITCHER --fileDir $tmpdir --cred $speaksforfile ".
 	"--slicecredfile $slicecredfile --usercredfile $slicecredfile ".
-	"--al2scredfile $al2scredfile --debug ".
+	($speaksfor_credential->type() eq "speaksfor" ?
+	 "--al2scredfile $al2scredfile " : "") .
+	"--debug ".
 	# We do not want these two files defaulting to user home dir.
 	"--GetVersionCacheName=$tmpdir/get_version_cache.json ".
 	"--AggNickCacheName=$tmpdir/agg_nick_cache ".