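/**
 * Encrypt $message as PKCS#7/S-MIME for the holder of $target_cert.
 *
 * This function fails open, and always has: when $target_cert is empty,
 * or when openssl_pkcs7_encrypt() fails, the ORIGINAL plaintext
 * $message is returned and the return value alone does not reveal
 * which happened. A caller that must never hand plaintext onward has
 * to compare the result with its input (or watch the error log).
 *
 * @param string $message     the MIME message body to encrypt
 * @param mixed  $target_cert recipient certificate, passed straight to
 *                            openssl_pkcs7_encrypt(); NULL/empty skips
 *                            encryption
 * @return string the encrypted message, or $message unchanged when no
 *                certificate was given or encryption failed
 */
function smime_encrypt($message, $target_cert = NULL)
{
    if (!$target_cert) {
        /* Cannot encrypt without a target certificate. */
        return $message;
    }
    $msg_file = writeDataToTempFile($message, "msg-");
    $out_file = tempnam(sys_get_temp_dir(), "smime-");
    /* No mail headers */
    $headers = array();
    if (openssl_pkcs7_encrypt($msg_file, $out_file, $target_cert, $headers)) {
        /* SUCCESS: read the PKCS#7 output back. An unreadable output
         * file is logged and treated like an encryption failure rather
         * than letting a boolean false escape as the "message". */
        $encrypted = file_get_contents($out_file);
        if ($encrypted === false) {
            error_log("smime_encrypt: could not read encrypted output.");
        } else {
            smime_debug("smime_encrypt succeeded.");
            $message = $encrypted;
        }
    } else {
        /* FAILURE: $message stays the plaintext input (see docblock).
         * Include OpenSSL's own reason so the failure is diagnosable. */
        error_log("smime_encrypt failed: " . openssl_error_string());
    }
    unlink($msg_file);
    unlink($out_file);
    return $message;
}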
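/**
 * Set a passphrase on the member's private key.
 *
 * Probably to support the speaks-for signing tool.
 *
 * Implementation: the clear key and the passphrase are each written to
 * a temp file, then
 *   openssl rsa -des3 -in <key file> -out <out file> -passout file:<pp file>
 * is run and the protected key is read back from <out file>. All three
 * temp files are removed before returning, whether or not openssl
 * succeeded.
 *
 * @param string $in_key     the clear key (no passphrase)
 * @param string $passphrase the passphrase to set on the key
 * @param string|null $out_key reference to variable where the
 *                 passphrase-protected key should be stored on
 *                 return; left NULL on failure.
 * @return bool TRUE when openssl exited with status 0 and the
 *              protected key could be read back, FALSE otherwise
 */
function set_key_passphrase($in_key, $passphrase, &$out_key)
{
    /* $out_key will contain the passphrase protected key.
     * Initialize it to NULL to avoid returning garbage.
     */
    $out_key = NULL;
    // NOTE(review): the clear key and the passphrase are on disk for the
    // duration of the openssl call. writeDataToTempFile is not shown
    // here; confirm it creates its files with owner-only permissions.
    $in_key_file = writeDataToTempFile($in_key, "passphrase-in-");
    $passphrase_file = writeDataToTempFile($passphrase, "passphrase-");
    $out_key_file = writeDataToTempFile('', "passphrase-out-");
    // -des3 is the PEM cipher every consumer of this key has received so
    // far; switching to a stronger one (e.g. -aes256) is only safe once
    // all readers of the protected key are known to accept it.
    $cmd_array = array('openssl', 'rsa', '-des3', '-in', $in_key_file, '-out', $out_key_file, '-passout', 'file:' . $passphrase_file);
    // Quote every argument individually so unusual characters in the
    // temp paths cannot split or extend the command line.
    $command = implode(" ", array_map('escapeshellarg', $cmd_array));
    exec($command, $rsa_output, $rsa_status);
    if ($rsa_status === 0) {
        $out_key = file_get_contents($out_key_file);
        if ($out_key === false) {
            // openssl reported success but left nothing readable behind;
            // report failure rather than handing back boolean false.
            error_log("openssl succeeded but the protected key could not be read");
            $out_key = NULL;
            $result = FALSE;
        } else {
            $result = TRUE;
        }
    } else {
        // openssl command failed. $out_key stays NULL; the caller learns
        // about it only through the return value and the error log.
        error_log("openssl command failed with status {$rsa_status}");
        $result = FALSE;
    }
    unlink($in_key_file);
    unlink($passphrase_file);
    unlink($out_key_file);
    return $result;
}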
}
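// Locate the RSpec to use: an uploaded file ('rspec_selection' in
// $_FILES) takes precedence over inline text ('rspec_jacks' in
// $_REQUEST). Either way the content is copied to a temp file whose
// path is left in $temp_rspec_file (null when nothing usable arrived).
if (array_key_exists('rspec_selection', $_FILES)) {
    $local_rspec_file = trim($_FILES['rspec_selection']['tmp_name']);
    $temp_rspec_file = null;
    // Only read a path that PHP itself created for this request's
    // upload; is_uploaded_file() rejects any other path, and an empty
    // tmp_name (failed upload) is skipped outright.
    if ($local_rspec_file !== '' && is_uploaded_file($local_rspec_file)) {
        $rspec = file_get_contents($local_rspec_file);
        $temp_rspec_file = writeDataToTempFile($rspec, 'rspec-');
    }
} else {
    if (array_key_exists('rspec_jacks', $_REQUEST)) {
        $temp_rspec_file = null;
        $local_rspec_file = $_REQUEST['rspec_jacks'];
        // A request parameter may arrive as an array (rspec_jacks[]=...);
        // only a non-empty string is usable RSpec text.
        if (is_string($local_rspec_file) && strlen($local_rspec_file) > 0) {
            $rspec = $local_rspec_file;
            $temp_rspec_file = writeDataToTempFile($rspec, 'rspec-');
        }
    }
}
if (array_key_exists('ji', $_REQUEST)) {
    $ji = $_REQUEST['ji'];
}
// An expired slice cannot be worked on: record the message for the
// dashboard and leave.
if (isset($slice_expired) && convert_boolean($slice_expired)) {
    if (!isset($slice_name)) {
        $slice_name = "";
    }
    $_SESSION['lasterror'] = "Slice " . $slice_name . " is expired.";
    relative_redirect('dashboard.php#slices');
}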
if (!$user->isAllowed(SA_ACTION::LOOKUP_SLICE, CS_CONTEXT_TYPE::SLICE, $slice_id)) {
    relative_redirect('home.php');
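/**
 * Push the current slice members' SSH keys to every InstaGENI/ProtoGENI
 * aggregate in the slice, via omni's geni_update_users POA.
 *
 * Members listed in $members_to_remove are sent with an empty key list,
 * which withdraws their keys. $members_to_add and $members_to_change
 * are accepted for interface compatibility but not consulted: the key
 * list is rebuilt from get_slice_members() on every call.
 *
 * @param string $sa_url            slice authority URL
 * @param object $signer            the user on whose behalf the calls are made
 * @param string $slice_id          slice id used for the SA member lookup
 * @param string $slice_urn         slice URN used for omni and the aggregate lookup
 * @param array  $members_to_add    unused
 * @param array  $members_to_change unused
 * @param array  $members_to_remove member URNs whose keys are to be removed
 * @return mixed true when no IG/PG aggregate needs updating, false when
 *               the user list could not be encoded, otherwise whatever
 *               invoke_omni_function() returned
 */
function update_user_keys_on_slivers($sa_url, $signer, $slice_id, $slice_urn, $members_to_add, $members_to_change, $members_to_remove)
{
    $ma_url = sa_to_ma_url($sa_url);
    $am_urls = array();
    // Get list of aggregates for slice and keep only the IG/PG AMs:
    // the geni_update_users POA only works on those racks.
    $aggs_for_slice = aggregates_in_slice($sa_url, $signer, $slice_urn);
    foreach ($aggs_for_slice as $agg_info) {
        if (!array_key_exists(SERVICE_ATTRIBUTE_TAG, $agg_info)) {
            continue;
        }
        $agg_attributes = $agg_info[SERVICE_ATTRIBUTE_TAG];
        // Without an AM-type attribute the aggregate cannot be an IG/PG
        // rack; skip it instead of reading an undefined index.
        if (!array_key_exists(SERVICE_ATTRIBUTE_AM_TYPE, $agg_attributes)) {
            continue;
        }
        if ($agg_attributes[SERVICE_ATTRIBUTE_AM_TYPE] != SERVICE_ATTRIBUTE_INSTAGENI_AM) {
            continue;
        }
        $am_urls[] = $agg_info[SR_TABLE_FIELDNAME::SERVICE_URL];
    }
    // No IG/PG AMs in the slice: nothing to do.
    if (count($am_urls) < 1) {
        return true;
    }
    // Build [{"urn": urn, "keys": [key1, key2, ...]}, ...] for every
    // current member from the MA's record of their public SSH keys.
    $slice_users_list = array();
    $slice_members = get_slice_members($sa_url, $signer, $slice_id);
    foreach ($slice_members as $member_info) {
        $member_id = $member_info[MA_MEMBER_TABLE_FIELDNAME::MEMBER_ID];
        $member_urn = get_member_urn($ma_url, $signer, $member_id);
        $keys_res = lookup_public_ssh_keys($ma_url, $signer, $member_id);
        $member_public_keys = array();
        foreach ($keys_res as $key_info) {
            $member_public_keys[] = $key_info[MA_SSH_KEY_TABLE_FIELDNAME::PUBLIC_KEY];
        }
        $slice_users_list[] = array('urn' => $member_urn, 'keys' => $member_public_keys);
    }
    // Removed members get an empty key list, which revokes their keys.
    foreach ($members_to_remove as $member_to_remove) {
        $slice_users_list[] = array('urn' => $member_to_remove, 'keys' => array());
    }
    $slice_users = array('geni_users' => $slice_users_list);
    // Hand the list to omni through an options file and invoke the
    // geni_update_users POA against every collected AM URL.
    $slice_users_json = json_encode($slice_users);
    if ($slice_users_json === false) {
        // e.g. a key that is not valid UTF-8. Do not run omni with an
        // empty options file, which could wipe keys rather than set them.
        error_log("update_user_keys_on_slivers: json_encode failed: " . json_last_error_msg());
        return false;
    }
    $slice_users_filename = writeDataToTempFile($slice_users_json);
    $args = array("--optionsfile", $slice_users_filename, "poa", $slice_urn, 'geni_update_users');
    $res = invoke_omni_function($am_urls, $signer, $args, array(), 0, 0, false, NULL, 3);
    // Clean up the options file
    unlink($slice_users_filename);
    return $res;
}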
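/**
 * Ask an aggregate to restart the slice's slivers (POA geni_restart).
 *
 * Only the attempt is syslogged here; the caller logs whether the
 * restart appeared to succeed.
 *
 * @param string|array $am_url           AM URL (or list of URLs) to call
 * @param object       $user             caller; ->account_id and ->username are read
 * @param string       $slice_credential the slice credential, verbatim
 * @param string       $slice_urn        URN of the slice to restart
 * @param mixed        $slice_id         not used here
 * @return mixed "Missing AM URL" or "Missing slice credential" when an
 *               argument is absent, otherwise the omni output as
 *               returned by invoke_omni_function()
 */
function restart_sliver($am_url, $user, $slice_credential, $slice_urn, $slice_id)
{
    // Reject a missing AM URL: null, or a string with no content. The
    // previous nested test only caught null, so '' reached omni.
    if (is_null($am_url) || (!is_array($am_url) && $am_url === '')) {
        error_log("am_client cannot invoke Omni without an AM URL");
        return "Missing AM URL";
    }
    if (is_null($slice_credential) || $slice_credential === '') {
        error_log("am_client cannot act on a slice without a credential");
        return "Missing slice credential";
    }
    $member_id = $user->account_id;
    $msg = "User {$member_id} calling POA geni_restart at {$am_url} on {$slice_urn}";
    geni_syslog(GENI_SYSLOG_PREFIX::PORTAL, $msg);
    // Caller logs if the restart appeared successful, so don't bother doing this
    //  log_action("Called POA(geni_restart)", $user, $am_url, $slice_urn, NULL, $slice_id);
    // The credential goes to a temp file for omni and is removed below.
    // NOTE(review): the username forms part of the file prefix;
    // writeDataToTempFile is not shown here, so confirm it cannot let
    // that prefix pick the directory.
    $slice_credential_filename = writeDataToTempFile($slice_credential, $user->username . "-cred-");
    $args = array("--slicecredfile", $slice_credential_filename, 'performoperationalaction', $slice_urn, 'geni_restart');
    // Last argument is the AM API version, kept as the string "3".
    $output = invoke_omni_function($am_url, $user, $args, array(), 0, 0, false, NULL, "3");
    unlink($slice_credential_filename);
    return $output;
}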