/**
* Return a dictionary of attribute->value pairs
* that were pre-asserted about the given eppn.
*/
function get_asserted_attributes($eppn)
{
$table_name = "km_asserted_attribute";
$conn = db_conn();
$sql = "select * from " . $table_name . " where LOWER(eppn) " . " = LOWER(" . $conn->quote($eppn, 'text') . ")";
$result = db_fetch_rows($sql);
if ($result[RESPONSE_ARGUMENT::CODE] != RESPONSE_ERROR::NONE) {
$db_error = $result[RESPONSE_ARGUMENT::OUTPUT];
geni_syslog(GENI_SYSLOG_PREFIX::MA, "Database error: {$db_error}");
geni_syslog(GENI_SYSLOG_PREFIX::MA, "Query was: " . $sql);
// return an empty array because we couldn't load any attributes.
return array();
}
// SUCCESS -- create the return value from the db results
$value = array();
foreach ($result[RESPONSE_ARGUMENT::VALUE] as $row) {
$value[$row['name']] = $row['value'];
}
return $value;
}
$CURRENT_SHIB_ID_TAG = "CURRENT_SHIB_ID";
$current_shib_id = $_SERVER["Shib-Session-ID"];
if (!isset($_SESSION)) {
session_start();
}
$shib_id_changed = false;
if (!array_key_exists($CURRENT_SHIB_ID_TAG, $_SESSION) || $_SESSION[$CURRENT_SHIB_ID_TAG] != $current_shib_id) {
$shib_id_changed = true;
}
// error_log("NEW SHIB_ID = " . $current_shib_id);
if ($shib_id_changed) {
$eppn = "No EPPN Found";
if (array_key_exists("eppn", $_SERVER)) {
$eppn = strtolower($_SERVER["eppn"]);
}
geni_syslog(GENI_SYSLOG_PREFIX::PORTAL, "New login to portal: " . $eppn);
$_SESSION[$CURRENT_SHIB_ID_TAG] = $current_shib_id;
}
}
$extra_js = array();
function add_js_script($script_url)
{
global $extra_js;
$extra_js[] = $script_url;
}
/**
* Display the HTML preamble and HTML head block.
*
* This is modularized to facilitate sharing with pages that
* should not show the standard menubar header.
*/
function delete_speaks_for($token)
{
$conn = portal_conn();
$q_token = $conn->quote($token, 'text');
$sql = 'DELETE FROM speaks_for';
$sql .= ' WHERE token = ' . $q_token;
/* print "Query = $sql<br/>"; */
$result = db_execute_statement($sql, "delete_speaks_for");
if ($result[RESPONSE_ARGUMENT::CODE] != RESPONSE_ERROR::NONE) {
$msg = "delete_speaks_for: " . $result[RESPONSE_ARGUMENT::OUTPUT];
geni_syslog(GENI_SYSLOG_PREFIX::PORTAL, $msg);
error_log($msg);
return FALSE;
} else {
return TRUE;
}
}
$msg = "ERROR. A {$visibility} RSpec already exists with name \"{$name} \".";
$_SESSION['lasterror'] = $msg;
relative_redirect('profile#rspecs');
exit;
}
$am_urns_image = "";
foreach ($am_urns as $am_urn) {
$am_urns_image = $am_urns_image . $am_urn . " ";
}
//error_log("PARSE : " . $is_bound . " " . $is_stitch . " " . $am_urns_image);
// FIXME: Need a utility that determines schema and version
// from the RSpec itself.
$schema = "GENI";
$schema_version = "3";
if ($rspec_id != "") {
$uploaded_rspec = $errorcode != UPLOAD_ERR_NO_FILE;
$result = db_update_rspec($rspec_id, $user, $name, $description, $contents, $schema, $schema_version, $visibility, $is_bound, $is_stitch, $am_urns_image, $uploaded_rspec);
} else {
$result = db_add_rspec($user, $name, $description, $contents, $schema, $schema_version, $visibility, $is_bound, $is_stitch, $am_urns_image);
}
geni_syslog(GENI_SYSLOG_PREFIX::PORTAL, "db_add_rspec: " . print_r($result, true));
//error_log("db_add_rspec: " . print_r($result, true));
// FIXME: check result
if (!$result) {
$_SESSION['lasterror'] = "ERROR. Failed to upload Resource Specification " . $name;
} elseif ($rspec_id != "") {
$_SESSION['lastmessage'] = "Updated Resource Specification " . $name;
} else {
$_SESSION['lastmessage'] = "Uploaded Resource Specification " . $name;
}
relative_redirect('profile#rspecs');
function handle_message($prefix, $cs_url, $cacerts, $receiver_cert, $receiver_key, $guard_factory)
{
if (is_null($receiver_cert)) {
throw new Exception('No receiver certificate in handle_message call.');
}
if (is_null($receiver_key)) {
throw new Exception('No receiver key in handle_message call.');
}
if (is_null($guard_factory)) {
$guard_factory = new DefaultGuardFactory($prefix, $cs_url);
}
// mh_debug($prefix . ": starting");
$data = extract_message();
// Now process the data
$data = smime_decrypt($data);
// No CAs specified, use the default set.
if (is_null($cacerts)) {
$cacerts = default_cacerts();
}
$msg = smime_validate($data, $cacerts, $signer_pem);
mh_debug("msg = " . print_r($msg, TRUE));
if (is_null($msg)) {
/* Message failed to verify. Return authentication failure. */
$result = generate_response(RESPONSE_ERROR::AUTHENTICATION, NULL, "Message verification failed.");
goto done;
}
if (is_null($signer_pem)) {
// error_log("$prefix received unsigned message: " . print_r($msg, true));
}
$geni_message = new GeniMessage($msg, $signer_pem);
$funcargs = $geni_message->parse();
$func = $funcargs[0];
if (!is_callable($func)) {
$result = generate_response(RESPONSE_ERROR::ARGS, NULL, "Unknown operation \"{$func}\".");
goto done;
}
if (is_null($geni_message->signer())) {
geni_syslog("MessageHandler", "No signer on {$prefix}.{$func}");
}
$action = $func;
$guards = $guard_factory->createGuards($geni_message);
foreach ($guards as $guard) {
if (!$guard->evaluate()) {
$principal = $geni_message->signerUrn();
$msg = "{$principal} is not authorized to {$action}.";
error_log("Failed by guard " . print_r($guard, true));
$result = generate_response(RESPONSE_ERROR::AUTHORIZATION, NULL, $msg);
goto done;
}
}
mh_debug("Action {$func} is authorized.");
$refFunc = new ReflectionFunction($func);
$paramCount = $refFunc->getNumberOfParameters();
if ($paramCount === 1) {
$result = call_user_func($func, $funcargs[1]);
} else {
if ($paramCount === 2) {
$result = call_user_func($func, $funcargs[1], $geni_message);
} else {
error_log("Unknown method signature for invoked method \"{$func}\"." . " Expected 1 or 2 parameters, but {$func} expects" . " {$paramCount}");
$result = generate_response(RESPONSE_ERROR::ARGS, NULL, "Bad callback signature for \"{$func}\".");
}
}
/* Sweet! I get to use GOTO! */
done:
// mh_debug("RESULT = " . print_r($result, true));
$output = encode_result($result);
// mh_debug("RESULT(enc) = " . $output);
// mh_debug("RESULT(dec) = " . decode_result($output));
$output = smime_sign_message($output, $receiver_cert, $receiver_key);
$output = smime_encrypt($output);
// mh_debug("BEFORE PRINT:" . $output);
print $output;
}
function evaluate()
{
$result = (bool) $this->message->signerPem();
if (!$result) {
$pm = $this->message->parse();
$op = $pm[0];
geni_syslog("SignedMessageGuard", "blocking {$op}: unsigned message.");
}
return $result;
}
function restart_sliver($am_url, $user, $slice_credential, $slice_urn, $slice_id)
{
if (!isset($am_url) || is_null($am_url)) {
if (!(is_array($am_url) || $am_url != '')) {
error_log("am_client cannot invoke Omni without an AM URL");
return "Missing AM URL";
}
}
if (!isset($slice_credential) || is_null($slice_credential) || $slice_credential == '') {
error_log("am_client cannot act on a slice without a credential");
return "Missing slice credential";
}
$member_id = $user->account_id;
$msg = "User {$member_id} calling POA geni_restart at {$am_url} on {$slice_urn}";
geni_syslog(GENI_SYSLOG_PREFIX::PORTAL, $msg);
// Caller logs if the restart appeared successful, so don't bother doing this
// log_action("Called POA(geni_restart)", $user, $am_url, $slice_urn, NULL, $slice_id);
$slice_credential_filename = writeDataToTempFile($slice_credential, $user->username . "-cred-");
$args = array("--slicecredfile", $slice_credential_filename, 'performoperationalaction', $slice_urn, 'geni_restart');
// Note that this AM no longer has resources
$output = invoke_omni_function($am_url, $user, $args, array(), 0, 0, false, NULL, $api_version = "3");
unlink($slice_credential_filename);
return $output;
}
