[ -z "$creds" ] &&
echo $0: WARNING: No credentials specified. Using default lookup which is dangerous. >&2
+ # workaround for VOMS_FindByVO that seems to always require user's own VOMS config file (bug #7511)
+ user_voms_config=$HOME/.glite/vomses
+ if [ ! -f "$user_voms_config" ]; then
+ rm -f /tmp/renewal_vomses
+ su - $GLITE_USER -c "touch /tmp/renewal_vomses && chmod 644 /tmp/renewal_vomses"
+ user_voms_config=/tmp/renewal_vomses
+ fi
+
echo -n Starting ProxyRenewal Daemon: glite-proxy-renewd ...
if [ ! -d "$PROXY_REPOSITORY" ]; then
chmod 0700 $PROXY_REPOSITORY
fi
- su - $GLITE_USER -c "$GLITE_LOCATION/bin/glite-proxy-renewd \
- -r $PROXY_REPOSITORY $creds" && echo " done"
+ su - $GLITE_USER -c "VOMS_USERCONF=$user_voms_config \
+ $GLITE_LOCATION/bin/glite-proxy-renewd \
+ -r $PROXY_REPOSITORY $creds -A" && echo " done"
}
stop()
{
echo -n "Stopping ProxyRenewal Daemon: glite-proxy-renewd ..."
- PIDS=`ps -C glite-proxy-renewd -o pid --no-heading`
- if [ -z "$PIDS" ]; then
- echo " no process glite-proxy-renewd running"
- exit 1
- else
- kill $PIDS && echo " done"
- fi
+ killall glite-proxy-renewd
+ echo " done"
}
status()
{
- PIDS=`ps -C glite-proxy-renewd -o pid --no-heading`
- if ps p $PIDS >/dev/null 2>&1; then
- echo glite-proxy-renewd running \($PIDS\)
- return 0
+ if netstat -an --unix | grep "^unix .* LISTEN.* /tmp/dgpr_renew_" >/dev/null 2>&1 ;then
+ echo glite-proxy-renewd running
+ else
+ echo glite-proxy-renewd not running
+ return 1
fi
-
- echo glite-proxy-renewd not running
- return 1
}
case x$1 in
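Review bot: The fallback at L6–L8 creates the VOMS_USERCONF file under a fixed name in the shared /tmp directory, first as root (`rm -f`) and then as $GLITE_USER (`touch`), so the file the daemon later reads is whatever exists at that path by the time it starts, and its contents are only protected by the `chmod 644` on a file owned by the daemon's own user; creating it with `mktemp` in a daemon-owned directory (for example under $PROXY_REPOSITORY) avoids the fixed name entirely. Note also that `$HOME/.glite/vomses` at L4 is evaluated in the init script's own environment (root's home when run from init) while the daemon runs under `su - $GLITE_USER`, so the check tests a different user's configuration than the one the daemon would read. In stop(), `killall glite-proxy-renewd` followed by an unconditional `echo " done"` reports success even when no process was found, where the replaced code exited non-zero; `killall glite-proxy-renewd && echo " done"` keeps that behaviour. start() begins outside the hunk.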
edg_wlpr_Log(LOG_DEBUG, "Trying to renew proxy in %s.%d",
basename, record->suffix);
- snprintf(tmp_proxy, sizeof(tmp_proxy), "%s.%d.renew.XXXXXX",
+ snprintf(tmp_proxy, sizeof(tmp_proxy), "%s.%d.myproxy.XXXXXX",
basename, record->suffix);
tmp_fd = mkstemp(tmp_proxy);
if (tmp_fd == -1) {
} else
socket_attrs->psport = MYPROXY_SERVER_PORT;
+ verror_clear();
ret = myproxy_get_delegation(socket_attrs, client_request,
server_response, tmp_proxy);
if (ret == 1) {
ret = EDG_WLPR_ERROR_MYPROXY;
- edg_wlpr_Log(LOG_ERR, "Error contacting MyProxy server for proxy %s",
- repository_file);
+ edg_wlpr_Log(LOG_ERR, "Error contacting MyProxy server for proxy %s: %s",
+ repository_file, verror_get_string());
+ verror_clear();
goto end;
}
renewed_proxy = tmp_proxy;
- if (voms_enabled) {
+ if (voms_enabled && record->voms_exts) {
char tmp_voms_proxy[FILENAME_MAX];
int tmp_voms_fd;
- snprintf(tmp_voms_proxy, sizeof(tmp_voms_proxy), "%s.%d.renew.XXXXXX",
+ snprintf(tmp_voms_proxy, sizeof(tmp_voms_proxy), "%s.%d.voms.XXXXXX",
basename, record->suffix);
tmp_voms_fd = mkstemp(tmp_voms_proxy);
if (tmp_voms_fd == -1) {
goto end;
}
- ret = renew_voms_certs(repository_file, tmp_voms_proxy);
- if (ret)
+ ret = renew_voms_creds(repository_file, renewed_proxy, tmp_voms_proxy);
+ close(tmp_voms_fd);
+ if (ret) {
+ unlink(tmp_voms_proxy);
goto end;
+ }
renewed_proxy = tmp_voms_proxy;
+ unlink(tmp_proxy);
}
if (new_proxy)
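Review bot: `tmp_fd` returned by mkstemp() at L56 is never closed in this hunk, while the new code does close `tmp_voms_fd` right after renew_voms_creds(); unless it is closed further down (the function continues beyond the hunk), every renewal leaks a descriptor, and a `close(tmp_fd);` belongs next to the new `unlink(tmp_proxy);`. The new log line at L67–L68 passes `verror_get_string()` directly to a `%s` conversion; if that call can return NULL when no error text was recorded the call is undefined, so `verror_get_string() ? verror_get_string() : ""` is a cheap guard. The `if (tmp_fd == -1) {` branch at L57 and the `end:` cleanup are outside the hunk.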
char * Decode(const char *, int, int *);
char **listadd(char **, char *, int);
+extern char *vomsconf;
+
static int
generate_proxy(globus_gsi_cred_handle_t cur_proxy,
X509_EXTENSION *voms_extension, const char *new_file)
result = globus_gsi_proxy_handle_init(&proxy_handle, NULL);
if (result) {
- fprintf(stderr, "globus_gsi_proxy_handle_init() failed\n");
+ edg_wlpr_Log(LOG_ERR, "globus_gsi_proxy_handle_init() failed\n");
goto end;
}
result = globus_gsi_cred_get_key(cur_proxy, &cur_proxy_priv_key);
if (result) {
- fprintf(stderr, "globus_gsi_cred_get_key() failed\n");
+ edg_wlpr_Log(LOG_ERR, "globus_gsi_cred_get_key() failed\n");
goto end;
}
/* Create and sign a new proxy */
result = globus_gsi_cred_get_cert_type(cur_proxy, &proxy_type);
if (result) {
- fprintf(stderr, "globus_gsi_cred_get_cert_type() failed\n");
+ edg_wlpr_Log(LOG_ERR, "globus_gsi_cred_get_cert_type() failed\n");
goto end;
}
result = globus_gsi_proxy_handle_set_type(proxy_handle, proxy_type);
if (result) {
- fprintf(stderr, "globus_gsi_proxy_handle_set_type() failed\n");
+ edg_wlpr_Log(LOG_ERR, "globus_gsi_proxy_handle_set_type() failed\n");
goto end;
}
result = globus_gsi_proxy_create_signed(proxy_handle, cur_proxy, &proxy);
if (result) {
- fprintf(stderr, "globus_gsi_proxy_handle_init() failed\n");
+ edg_wlpr_Log(LOG_ERR, "globus_gsi_proxy_handle_init() failed\n");
goto end;
}
/* Get the new proxy */
result = globus_gsi_cred_get_cert(proxy, &new_cert);
if (result) {
- fprintf(stderr, "globus_gsi_cred_get_cert() failed\n");
+ edg_wlpr_Log(LOG_ERR, "globus_gsi_cred_get_cert() failed\n");
goto end;
}
/* And put the cert back, older one is unallocated by the function */
result = globus_gsi_cred_set_cert(proxy, voms_cert);
if (result) {
- fprintf(stderr, "globus_gsi_cred_set_cert() failed\n");
+ edg_wlpr_Log(LOG_ERR, "globus_gsi_cred_set_cert() failed\n");
goto end;
}
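Review bot: The message at L131 still says `globus_gsi_proxy_handle_init() failed` although the failing call on L128 is globus_gsi_proxy_create_signed(); since the commit rewrites that line anyway, make it `edg_wlpr_Log(LOG_ERR, "globus_gsi_proxy_create_signed() failed");`. The converted messages in this hunk also keep their trailing `\n`, whereas the existing edg_wlpr_Log() calls elsewhere in the diff (L51, L67) pass none; if the logger adds its own line terminator these produce blank log lines, so dropping the `\n` would be consistent (the same applies to the converted calls at L152–L182 and L214–L228). generate_proxy() begins and ends outside this hunk.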
p = pp = buf;
ac = d2i_AC(NULL, &p, buf_len+1);
if (ac == NULL) {
- fprintf(stderr, "d2i_AC() failed\n");
+ edg_wlpr_Log(LOG_ERR, "d2i_AC() failed\n");
return 1;
}
for (i = 2; i < argc; i++) {
ret = VOMS_Ordering(argv[i], vd, &voms_error);
if (ret == 0) {
- fprintf(stderr, "VOMS_Ordering() failed\n");
+ edg_wlpr_Log(LOG_ERR, "VOMS_Ordering() failed\n");
return 1;
}
}
#endif
if (voms_cert == NULL || *voms_cert == NULL || (*voms_cert)->std == NULL) {
- fprintf(stderr, "Invalid VOMS certificate\n");
+ edg_wlpr_Log(LOG_ERR, "Invalid VOMS certificate\n");
return 1;
}
struct contactdata **voms_contacts = NULL;
char *command = NULL;
- voms_contacts = VOMS_FindByVO(vd, (*voms_cert)->voname, NULL, NULL, &voms_error);
+ voms_contacts = VOMS_FindByVO(vd, (*voms_cert)->voname, vomsconf, NULL, &voms_error);
if (voms_contacts == NULL) {
- fprintf(stderr, "VOMS_FindByVO() failed\n");
+ edg_wlpr_Log(LOG_ERR, "VOMS_FindByVO() failed\n");
return 1;
}
(void**) buf, buf_len, &voms_version,
vd, &voms_error);
if (ret == 0) {
- fprintf(stderr, "VOMS_Contact() failed\n");
+ edg_wlpr_Log(LOG_ERR, "VOMS_Contact() failed\n");
return 1;
}
return 0;
}
-int
-renew_voms_certs(const char *cur_file, const char *new_file)
+static int
+renew_voms_certs(const char *cur_file, const char *renewed_file, const char *new_file)
{
globus_gsi_cred_handle_t cur_proxy = NULL;
+ globus_gsi_cred_handle_t new_proxy = NULL;
struct vomsdata *vd = NULL;
struct voms **voms_cert = NULL;
int voms_err, ret;
X509 *cert = NULL;
STACK_OF(X509) *chain = NULL;
char *buf = NULL;
- size_t buf_len;
+ size_t buf_len = 0;
X509_EXTENSION *extension = NULL;
char *old_env_proxy = getenv("X509_USER_PROXY");
+ char *old_env_cert = getenv("X509_USER_CERT");
+ char *old_env_key = getenv("X509_USER_KEY");
setenv("X509_USER_PROXY", cur_file, 1);
+ setenv("X509_USER_CERT", renewed_file, 1);
+ setenv("X509_USER_KEY", renewed_file, 1);
ret = load_proxy(cur_file, &cert, NULL, &chain, &cur_proxy);
if (ret)
vd = VOMS_Init(NULL, NULL);
if (vd == NULL) {
- fprintf(stderr, "VOMS_Init() failed\n");
+ edg_wlpr_Log(LOG_ERR, "VOMS_Init() failed\n");
return 1;
}
if (ret == 0) {
if (voms_err == VERR_NOEXT) {
/* no VOMS cred, no problem; continue */
- fprintf(stderr, "No VOMS attributes found in proxy %s\n", cur_file);
+ /* XXX this part shouldn't be reachable, this call is only called
+ * if the proxy does contain VOMS attributes */
+ edg_wlpr_Log(LOG_ERR, "No VOMS attributes found in proxy %s\n", cur_file);
ret = 0;
goto end;
} else {
- fprintf(stderr, "Cannot get VOMS certificate(s) from proxy");
+ edg_wlpr_Log(LOG_ERR, "Cannot get VOMS certificate(s) from proxy");
ret = 1;
goto end;
}
if (ret)
goto end;
- ret = generate_proxy(cur_proxy, extension, new_file);
+ ret = load_proxy(renewed_file, NULL, NULL, NULL, &new_proxy);
+ if (ret)
+ goto end;
+
+ ret = generate_proxy(new_proxy, extension, new_file);
end:
-#if 0
- if (ret)
- unlink(new_file);
-#endif
(old_env_proxy) ? setenv("X509_USER_PROXY", old_env_proxy, 1) :
unsetenv("X509_USER_PROXY");
-
- VOMS_Destroy(vd);
+ (old_env_cert) ? setenv("X509_USER_CERT", old_env_cert, 1) :
+ unsetenv("X509_USER_CERT");
+ (old_env_key) ? setenv("X509_USER_KEY", old_env_key, 1) :
+ unsetenv("X509_USER_KEY");
+
+ if (cert)
+ X509_free(cert);
+ if (chain)
+ sk_X509_pop_free(chain, X509_free);
+ if (vd)
+ VOMS_Destroy(vd);
+ if (cur_proxy)
+ globus_gsi_cred_handle_destroy(cur_proxy);
+ if (new_proxy)
+ globus_gsi_cred_handle_destroy(new_proxy);
+ if (buf)
+ free(buf);
return ret;
}
+int
+renew_voms_creds(const char *cur_file, const char *renewed_file, const char *new_file)
+{
+ return renew_voms_certs(cur_file, renewed_file, new_file);
+}
+
#if 0
int
main(int argc, char *argv[])
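Review bot: The `return 1;` after the VOMS_Init() failure at L215 bypasses the cleanup the commit adds under `end:`, so X509_USER_PROXY, X509_USER_CERT and X509_USER_KEY stay pointed at the temporary files for the rest of the process and `cert`, `chain` and `cur_proxy` leak; it should read `ret = 1; goto end;` (the `if (ret)` at L210 has its body outside the hunk, so it deserves the same check). The saved `old_env_*` pointers come straight from getenv() and are passed back to setenv() after the variables have been overwritten; POSIX allows setenv()/unsetenv() to invalidate such pointers, so they should be duplicated with strdup() before the first setenv() and freed at `end:`. Because these are process-wide environment variables, the credential switch is also visible to any other thread or child process of the daemon while the renewal runs; whether that matters depends on how the daemon is structured, which is not visible here.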
if (globus_module_activate(GLOBUS_GSI_PROXY_MODULE) != GLOBUS_SUCCESS ||
globus_module_activate(GLOBUS_GSI_CERT_UTILS_MODULE) != GLOBUS_SUCCESS) {
- fprintf(stderr, "[%d]: Unable to initialize Globus modules\n", getpid());
+ edg_wlpr_Log(LOG_ERR, "[%d]: Unable to initialize Globus modules\n", getpid());
return 1;
}