/**
 * Return a dictionary of attribute->value pairs
 * that were pre-asserted about the given eppn.
 *
 * The lookup is case-insensitive (LOWER() on both sides) and the eppn is
 * quoted through the DB connection before it is spliced into the query.
 * On a database error the failure and the query text are written to
 * syslog and an empty array is returned, so callers cannot distinguish
 * "no asserted attributes" from "lookup failed".
 *
 * @param string $eppn eduPersonPrincipalName to look up.
 * @return array name => value map of asserted attributes (empty on error).
 */
function get_asserted_attributes($eppn)
{
    $conn = db_conn();
    $quoted_eppn = $conn->quote($eppn, 'text');
    $sql = "select * from km_asserted_attribute where LOWER(eppn) "
         . " = LOWER({$quoted_eppn})";
    $result = db_fetch_rows($sql);
    if ($result[RESPONSE_ARGUMENT::CODE] != RESPONSE_ERROR::NONE) {
        geni_syslog(GENI_SYSLOG_PREFIX::MA,
                    "Database error: " . $result[RESPONSE_ARGUMENT::OUTPUT]);
        geni_syslog(GENI_SYSLOG_PREFIX::MA, "Query was: {$sql}");
        // Nothing could be loaded; hand back an empty map.
        return array();
    }
    // Collapse the rows into a name => value map; when a name repeats,
    // the later row wins.
    $attributes = array();
    foreach ($result[RESPONSE_ARGUMENT::VALUE] as $attribute_row) {
        $attributes[$attribute_row['name']] = $attribute_row['value'];
    }
    return $attributes;
}
// NOTE(review): the lone closing brace further down ends a block opened
// before this excerpt; the enclosing condition is not visible here.
// Session key under which the last-seen Shibboleth session id is stored.
$CURRENT_SHIB_ID_TAG = "CURRENT_SHIB_ID";
// Shibboleth session identifier passed in by the SP as a server variable.
// It is read without an array_key_exists() check here; presumably the
// enclosing block guarantees it is present -- confirm.
$current_shib_id = $_SERVER["Shib-Session-ID"];
if (!isset($_SESSION)) {
    session_start();
}
// A Shib session id we have not recorded yet (or a different one) means a
// fresh login to the portal.
$shib_id_changed = false;
if (!array_key_exists($CURRENT_SHIB_ID_TAG, $_SESSION) || $_SESSION[$CURRENT_SHIB_ID_TAG] != $current_shib_id) {
    $shib_id_changed = true;
}
// error_log("NEW SHIB_ID = " . $current_shib_id);
if ($shib_id_changed) {
    // Log the login by lower-cased eppn; fall back to a marker string when
    // the SP did not supply one.
    $eppn = "No EPPN Found";
    if (array_key_exists("eppn", $_SERVER)) {
        $eppn = strtolower($_SERVER["eppn"]);
    }
    geni_syslog(GENI_SYSLOG_PREFIX::PORTAL, "New login to portal: " . $eppn);
    // Remember this Shib session so the login is logged once per session.
    // NOTE(review): the PHP session id itself is kept across the login
    // change; session_regenerate_id() here would be the usual fixation
    // mitigation -- confirm whether that happens elsewhere.
    $_SESSION[$CURRENT_SHIB_ID_TAG] = $current_shib_id;
}
}
// Script URLs queued by add_js_script() for emission in the page head.
$extra_js = array();
/**
 * Queue a script URL for inclusion in the page head.
 *
 * The URL is stored as given; any escaping for the HTML context is the
 * job of whatever emits $extra_js, which is not visible here.
 *
 * @param string $script_url URL of the script to include.
 */
function add_js_script($script_url) {
    global $extra_js;
    $extra_js[] = $script_url;
}
/**
 * Display the HTML preamble and HTML head block.
 *
 * This is modularized to facilitate sharing with pages that
 * should not show the standard menubar header.
 */
/**
 * Remove the speaks-for record identified by $token.
 *
 * The token is quoted through the portal connection before it is placed
 * in the DELETE statement. Failures are reported to syslog and error_log.
 *
 * @param string $token Speaks-for token whose row should be deleted.
 * @return bool TRUE when the statement executed without error, FALSE otherwise.
 */
function delete_speaks_for($token)
{
    $conn = portal_conn();
    $sql = 'DELETE FROM speaks_for WHERE token = ' . $conn->quote($token, 'text');
    $result = db_execute_statement($sql, "delete_speaks_for");
    if ($result[RESPONSE_ARGUMENT::CODE] == RESPONSE_ERROR::NONE) {
        return TRUE;
    }
    $failure = "delete_speaks_for: " . $result[RESPONSE_ARGUMENT::OUTPUT];
    geni_syslog(GENI_SYSLOG_PREFIX::PORTAL, $failure);
    error_log($failure);
    return FALSE;
}
// NOTE(review): the closing brace below ends an if-block opened before this
// excerpt; judging by the message it is the duplicate-name check.
$msg = "ERROR. A {$visibility} RSpec already exists with name \"{$name} \".";
$_SESSION['lasterror'] = $msg;
relative_redirect('profile#rspecs');
exit;
}
// Flatten the AM URN list into one space-separated string (with a trailing
// space) for storage with the RSpec.
$am_urns_image = "";
foreach ($am_urns as $am_urn) {
    $am_urns_image = $am_urns_image . $am_urn . " ";
}
//error_log("PARSE : " . $is_bound . " " . $is_stitch . " " . $am_urns_image);
// FIXME: Need a utility that determines schema and version
// from the RSpec itself.
$schema = "GENI";
$schema_version = "3";
// A non-empty $rspec_id means an existing record is being updated.
if ($rspec_id != "") {
    // $errorcode is the file-upload status set earlier in the script (not
    // visible here); UPLOAD_ERR_NO_FILE means no new file was supplied.
    $uploaded_rspec = $errorcode != UPLOAD_ERR_NO_FILE;
    $result = db_update_rspec($rspec_id, $user, $name, $description, $contents, $schema, $schema_version, $visibility, $is_bound, $is_stitch, $am_urns_image, $uploaded_rspec);
} else {
    $result = db_add_rspec($user, $name, $description, $contents, $schema, $schema_version, $visibility, $is_bound, $is_stitch, $am_urns_image);
}
// NOTE(review): the whole db result is dumped via print_r on every
// upload, and the label says db_add_rspec even on the update path.
geni_syslog(GENI_SYSLOG_PREFIX::PORTAL, "db_add_rspec: " . print_r($result, true));
//error_log("db_add_rspec: " . print_r($result, true));
// FIXME: check result
// NOTE(review): $name is interpolated into the session messages as-is; the
// page that renders lastmessage/lasterror must escape it for its output
// context -- that code is not visible here.
if (!$result) {
    $_SESSION['lasterror'] = "ERROR. Failed to upload Resource Specification " . $name;
} elseif ($rspec_id != "") {
    $_SESSION['lastmessage'] = "Updated Resource Specification " . $name;
} else {
    $_SESSION['lastmessage'] = "Uploaded Resource Specification " . $name;
}
// Unlike the error path above, no exit follows this redirect; whether
// relative_redirect() terminates the script itself is not visible here.
relative_redirect('profile#rspecs');
/**
 * Generic request handler for a GENI clearinghouse service.
 *
 * Decrypts and signature-checks the incoming S/MIME message, parses it into
 * an operation name plus arguments, runs the guards produced by
 * $guard_factory, dispatches to the named PHP function, and prints the
 * signed and encrypted response.
 *
 * @param string $prefix        Service name used in log messages and for the default guard factory.
 * @param string $cs_url        Credential store URL handed to DefaultGuardFactory.
 * @param mixed  $cacerts       Trusted CA material for smime_validate(); null selects default_cacerts().
 * @param mixed  $receiver_cert Certificate used to sign the response. Required.
 * @param mixed  $receiver_key  Private key used to sign the response. Required.
 * @param mixed  $guard_factory Object providing createGuards($message); null selects DefaultGuardFactory.
 * @throws Exception when $receiver_cert or $receiver_key is null.
 */
function handle_message($prefix, $cs_url, $cacerts, $receiver_cert, $receiver_key, $guard_factory) {
    if (is_null($receiver_cert)) {
        throw new Exception('No receiver certificate in handle_message call.');
    }
    if (is_null($receiver_key)) {
        throw new Exception('No receiver key in handle_message call.');
    }
    if (is_null($guard_factory)) {
        $guard_factory = new DefaultGuardFactory($prefix, $cs_url);
    }
    // mh_debug($prefix . ": starting");
    $data = extract_message();
    // Now process the data
    $data = smime_decrypt($data);
    // No CAs specified, use the default set.
    if (is_null($cacerts)) {
        $cacerts = default_cacerts();
    }
    // $signer_pem is not assigned before this call; presumably smime_validate
    // takes it by reference and fills in the signer's certificate -- confirm.
    $msg = smime_validate($data, $cacerts, $signer_pem);
    // NOTE(review): this writes the full decrypted message to the debug log;
    // check that is acceptable for the payloads this service handles.
    mh_debug("msg = " . print_r($msg, TRUE));
    if (is_null($msg)) {
        /* Message failed to verify. Return authentication failure. */
        $result = generate_response(RESPONSE_ERROR::AUTHENTICATION, NULL, "Message verification failed.");
        goto done;
    }
    if (is_null($signer_pem)) {
        // error_log("$prefix received unsigned message: " . print_r($msg, true));
    }
    // An unsigned message is not rejected here; blocking it is left to the
    // guards created below.
    $geni_message = new GeniMessage($msg, $signer_pem);
    $funcargs = $geni_message->parse();
    $func = $funcargs[0];
    // NOTE(review): $func is the operation name taken from the remote
    // message. is_callable() accepts any defined function (and also
    // "Class::method" strings, on which the ReflectionFunction below would
    // throw); an explicit allow-list of this service's operation names
    // would be a tighter check than relying on the guards alone.
    if (!is_callable($func)) {
        $result = generate_response(RESPONSE_ERROR::ARGS, NULL, "Unknown operation \"{$func}\".");
        goto done;
    }
    if (is_null($geni_message->signer())) {
        geni_syslog("MessageHandler", "No signer on {$prefix}.{$func}");
    }
    $action = $func;
    // Every guard must pass; the first failing guard produces an
    // authorization failure naming the signer URN and the operation.
    $guards = $guard_factory->createGuards($geni_message);
    foreach ($guards as $guard) {
        if (!$guard->evaluate()) {
            $principal = $geni_message->signerUrn();
            $msg = "{$principal} is not authorized to {$action}.";
            error_log("Failed by guard " . print_r($guard, true));
            $result = generate_response(RESPONSE_ERROR::AUTHORIZATION, NULL, $msg);
            goto done;
        }
    }
    mh_debug("Action {$func} is authorized.");
    // Dispatch on declared arity (optional parameters count too): a
    // one-parameter operation receives the argument array, a two-parameter
    // operation additionally receives the GeniMessage.
    $refFunc = new ReflectionFunction($func);
    $paramCount = $refFunc->getNumberOfParameters();
    if ($paramCount === 1) {
        $result = call_user_func($func, $funcargs[1]);
    } else {
        if ($paramCount === 2) {
            $result = call_user_func($func, $funcargs[1], $geni_message);
        } else {
            error_log("Unknown method signature for invoked method \"{$func}\"." . " Expected 1 or 2 parameters, but {$func} expects" . " {$paramCount}");
            $result = generate_response(RESPONSE_ERROR::ARGS, NULL, "Bad callback signature for \"{$func}\".");
        }
    }
    /* Sweet! I get to use GOTO! */
    // Every path converges here: encode the result, sign it with the
    // receiver's key, encrypt it and emit it.
    done:
    // mh_debug("RESULT = " . print_r($result, true));
    $output = encode_result($result);
    // mh_debug("RESULT(enc) = " . $output);
    // mh_debug("RESULT(dec) = " . decode_result($output));
    $output = smime_sign_message($output, $receiver_cert, $receiver_key);
    $output = smime_encrypt($output);
    // mh_debug("BEFORE PRINT:" . $output);
    print $output;
}
/**
 * Guard that only lets signed messages through.
 *
 * Passes when the message carries a signer PEM. Otherwise the blocked
 * operation name (first element of the parsed message) is logged under
 * the SignedMessageGuard tag and the guard fails.
 *
 * @return bool true if the message is signed, false otherwise.
 */
function evaluate()
{
    $is_signed = (bool) $this->message->signerPem();
    if ($is_signed) {
        return true;
    }
    $parsed = $this->message->parse();
    $op = $parsed[0];
    geni_syslog("SignedMessageGuard", "blocking {$op}: unsigned message.");
    return false;
}
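/**
 * Ask an aggregate manager to restart the slivers of a slice.
 *
 * Runs Omni's "performoperationalaction ... geni_restart" (AM API v3)
 * against $am_url on behalf of $user. The slice credential is written to
 * a temporary file for Omni and deleted again once the call returns.
 *
 * @param mixed  $am_url           AM URL string, or an array of them, as accepted by invoke_omni_function.
 * @param object $user             Portal user; ->account_id and ->username are read.
 * @param string $slice_credential Slice credential text passed to Omni via --slicecredfile.
 * @param string $slice_urn        URN of the slice whose slivers are restarted.
 * @param mixed  $slice_id         Slice id; currently unused (see the commented-out log_action call).
 * @return mixed Omni output from invoke_omni_function, or an error string when a required input is missing.
 */
function restart_sliver($am_url, $user, $slice_credential, $slice_urn, $slice_id) {
    // Accept a non-empty string or an array of AM URLs; reject null and ''.
    // (An empty string is rejected as well, since isset('') is true and
    // would otherwise let it through to Omni.)
    if (is_null($am_url) || (!is_array($am_url) && $am_url == '')) {
        error_log("am_client cannot invoke Omni without an AM URL");
        return "Missing AM URL";
    }
    if (is_null($slice_credential) || $slice_credential == '') {
        error_log("am_client cannot act on a slice without a credential");
        return "Missing slice credential";
    }
    $member_id = $user->account_id;
    $msg = "User {$member_id} calling POA geni_restart at {$am_url} on {$slice_urn}";
    geni_syslog(GENI_SYSLOG_PREFIX::PORTAL, $msg);
    // Caller logs if the restart appeared successful, so don't bother doing this
    // log_action("Called POA(geni_restart)", $user, $am_url, $slice_urn, NULL, $slice_id);
    // Omni reads the credential from a file, so spill it to a temp file
    // for the duration of the call only.
    $slice_credential_filename = writeDataToTempFile($slice_credential, $user->username . "-cred-");
    $args = array("--slicecredfile", $slice_credential_filename,
                  'performoperationalaction', $slice_urn, 'geni_restart');
    // Last positional argument is the AM API version; performoperationalaction
    // exists in API v3 only.
    $output = invoke_omni_function($am_url, $user, $args, array(), 0, 0, false, NULL, "3");
    // Remove the credential from disk as soon as Omni is done with it.
    unlink($slice_credential_filename);
    return $output;
}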