+* Thu Jan 29 2009 Andrew McNab <Andrew.McNab@cern.ch>
+- Merge in private version changes from Yibiao Li.
+- Merge in major 1.7.x vs 1.5.x divergences.
* Fri Feb 8 2008 Andrew McNab <Andrew.McNab@cern.ch>
- ==== GridSite version 1.7.0 ====
* Thu Nov 15 2007 Andrew McNab <Andrew.McNab@cern.ch>
int GRSThtcpTSTrequestMake(char **, int *, unsigned int, char *, char *, char *);
int GRSThtcpTSTresponseMake(char **, int *, unsigned int, char *, char *, char *);
int GRSThtcpMessageParse(GRSThtcpMessage *, char *, int);
+
+#ifndef GRST_PASSCODE_JS
+//#define __GRST_PASSCODE_JS__
+#define GRST_PASSCODE_JS "<script type=\"text/javascript\" language=\"Javascript\"><!--\nfunction changeValue(formName){ if( document.forms[formName].passcode.value==\"\" ) document.forms[formName].passcode.value=getCookie(\"GRIDHTTP_PASSCODE\"); return true; } \nfunction getCookie(c_name){ if (document.cookie.length>0) { c_start=document.cookie.indexOf(c_name + \"=\"); if (c_start!=-1) { c_start=c_start + c_name.length+1; c_end=document.cookie.indexOf(\";\",c_start); if (c_end==-1) c_end=document.cookie.length; return unescape(document.cookie.substring(c_start,c_end)); }} return \"\"; } \n -->\n</script>"
+#endif
+
//void error(char *dn, GRSTgaclPerm perm, char *help_uri, char *dir_path, char *file, char *dir_uri, char *admin_file);
void admin_continue(char *dn, GRSTgaclPerm perm, char *help_uri, char *dir_path, char *file, char *dir_uri, char *admin_file, GRSThttpBody *bp);
+//functions for cgi program
+int verifypasscode();
+void outputformactionerror(char *dn, GRSTgaclPerm perm, char *help_uri,
+ char *dir_path, char *dir_uri, char *admin_file);
+
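Review bot: `int verifypasscode();` declares the new function with an unspecified parameter list, which disables argument checking at every call site; since the definition takes no arguments it should be `int verifypasscode(void);`. The commented-out `//#define __GRST_PASSCODE_JS__` uses a double-underscore identifier reserved for the implementation and is dead, so it should be dropped from the header rather than left as a hint. The `GRST_PASSCODE_JS` macro would also benefit from a one-line contract above it, e.g. `/* Inline script: before submit, copies the GRIDHTTP_PASSCODE cookie into the form's hidden 'passcode' field, which the CGI compares against GRST_PASSCODE_COOKIE in verifypasscode() */`.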
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND
CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
- INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
- MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
- BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
- EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
- TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
- ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
- OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- POSSIBILITY OF SUCH DAMAGE.
+INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGE.
*/
/*------------------------------------------------------------------*
- * This program is part of GridSite: http://www.gridsite.org/ *
- *------------------------------------------------------------------*/
+* This program is part of GridSite: http://www.gridsite.org/ *
+*------------------------------------------------------------------*/
#ifndef VERSION
#define VERSION "x.x.x"
#include "grst_admin.h"
+//char *GRST_PASSCODE_JS = "<script type=\"text/javascript\" language=\"Javascript\"><!--\nfunction changeValue(formName){ if( document.formName.passcode.value==\"\" ) { document.formName.passcode.value=getCookie(\"GRIDHTTP_PASSCODE\"); return true; } return false;} \nfunction getCookie(c_name){ if (document.cookie.length>0) { c_start=document.cookie.indexOf(c_name + \"=\"); if (c_start!=-1) { c_start=c_start + c_name.length+1; c_end=document.cookie.indexOf(\";\",c_start); if (c_end==-1) c_end=document.cookie.length; return unescape(document.cookie.substring(c_start,c_end)); }} return \"\"; } \n-->\n</script>";
+
+
+int verifypasscode()
+{
+ char *issuedpc=NULL, *returnedpc=NULL;
+ issuedpc = getenv("GRST_PASSCODE_COOKIE");
+ returnedpc = GRSThttpGetCGI("passcode");
+// GRSThttpError(issuedpc);
+ if( issuedpc==NULL )return 0;
+ if( returnedpc==NULL )return 0;
+ if( strcmp( issuedpc, returnedpc )==0 )return 1;
+ else return 0;
+}
+
+void outputformactionerror(char *dn, GRSTgaclPerm perm, char *help_uri,
+ char *dir_path, char *dir_uri, char *admin_file)
+{
+ GRSThttpBody bp;
+ puts("Status: 500 Failed trying to upload\nContent-Type: text/html");
+ GRSThttpBodyInit(&bp);
+
+ GRSThttpPrintf(&bp,"<title>Forbidden operation</title>\n");
+ GRSThttpPrintHeader(&bp, dir_path);
+
+ GRSThttpPrintf(&bp, "<h1 align=center>Forbidden operation</h1>\n");
+
+ GRSThttpPrintf(&bp,"<p align=center>"
+ "<a href=\"%s%s?cmd=managedir\">Return to "
+ "directory listing</a>\n", dir_uri, admin_file);
+
+ if (GRSTgaclPermHasList(perm))
+ adminfooter(&bp, dn, help_uri, dir_uri, admin_file);
+ else adminfooter(&bp, dn, help_uri, dir_uri, NULL);
+ GRSThttpPrintFooter(&bp, dir_path);
+
+ GRSThttpWriteOut(&bp);
+ return;
+}
+
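Review bot: `verifypasscode()` rejects the request whenever `GRST_PASSCODE_COOKIE` is missing from the environment, but it never consults the `GRST_REQUIRE_PASSCODE` variable that the mod_gridsite hunk in this same change exports; if the cookie variable is only populated for passcode-file sessions, every action handler would be refused under the configuration where the module says a passcode is not required, so the intended interaction between the two should be confirmed and written down in a comment above the function. `outputformactionerror` answers every rejected action with `Status: 500 Failed trying to upload`, which is the wrong status class and an upload-specific message for a delete, rename or ACL edit; `puts("Status: 403 Forbidden\nContent-Type: text/html");` matches the `GRSThttpError("403 Forbidden")` convention used by the surrounding handlers. The leftover `// GRSThttpError(issuedpc);` and the commented-out JavaScript string after the `#include` are dead code and should be removed. If `GRSThttpGetCGI()` returns heap memory (not visible here), `returnedpc` is leaked on each call and a `free(returnedpc)` before the returns is needed.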
char *storeuploadfile(char *boundary, int *bufferused)
{
// rewrite this to copy whole POSTed stdin HTTP body to disk then
#define MIMESTUPLOAD 2
#define MIMESTFILENM 3
+ if( verifypasscode()==0 ){
+ outputformactionerror(dn, perm, help_uri, dir_path, dir_uri, admin_file);
+ return;
+ }
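Review bot: The new `verifypasscode()` guard runs before the existing `GRSTgaclPermHasWrite(perm)` check, so a caller who lacks write permission and has no valid passcode now gets the "Forbidden operation" page with a 500 status instead of the established `GRSThttpError("403 Forbidden")` response; placing the passcode check after the permission check, or giving both the same status, keeps the behaviour consistent. The identical four-line guard is pasted verbatim into roughly a dozen action handlers in this change (the upload, unzip, delete, rename, edit, create-acl and dnlist handlers here and the ACL-editor handlers in the later hunks); a single `static` helper or a macro such as `REQUIRE_PASSCODE_OR_RETURN(dn, perm, help_uri, dir_path, dir_uri, admin_file)` (constructed name) would stop the copies drifting apart. The enclosing function starts outside this hunk, so the bare `return;` is assumed to sit in a `void` handler.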
if (!GRSTgaclPermHasWrite(perm)) GRSThttpError("403 Forbidden");
p = getenv("CONTENT_TYPE");
struct dirent *subdirfile_ent;
DIR *subDIR;
+
+ if( verifypasscode()==0 ){
+ outputformactionerror(dn, perm, help_uri, dir_path, dir_uri, admin_file);
+ return;
+ }
+
if ((file[0] == '\0') ||
((strcmp(file, GRST_ACL_FILE) != 0) && !GRSTgaclPermHasWrite(perm)) ||
((strcmp(file, GRST_ACL_FILE) == 0) && !GRSTgaclPermHasAdmin(perm)))
GRSThttpPrintHeader(&bp, dir_path);
GRSThttpPrintf(&bp, "<h1 align=center>Delete %s</h1>\n", file);
+ GRSThttpPrintf(&bp, "\n%s\n", GRST_PASSCODE_JS);
- GRSThttpPrintf(&bp,"<form action=\"%s%s\" method=post>\n",dir_uri,admin_file);
+ GRSThttpPrintf(&bp,"<form name='DeleteForm' action=\"%s%s\" method=post>\n",dir_uri,admin_file);
GRSThttpPrintf(&bp,"<h2 align=center>Do you really want to delete %s?", file);
- GRSThttpPrintf(&bp,"<p align=center><input type=submit value=\"Yes, delete %s\"></h2>\n", file);
- GRSThttpPrintf(&bp,"<input type=hidden name=file value=\"%s\">\n", file);
- GRSThttpPrintf(&bp,"<input type=hidden name=cmd value=deleteaction>\n");
- GRSThttpPrintf(&bp,"</form>\n");
+GRSThttpPrintf(&bp,"<p align=center><input type=submit value=\"Yes, delete %s\" onclick=\"return changeValue('DeleteForm');\"></h2>\n", file);
+GRSThttpPrintf(&bp,"<input type=hidden name=file value=\"%s\">\n", file);
+GRSThttpPrintf(&bp,"<input type=hidden name=passcode value=\"\">\n");
+GRSThttpPrintf(&bp,"<input type=hidden name=cmd value=deleteaction>\n");
+GRSThttpPrintf(&bp,"</form>\n");
- GRSThttpPrintf(&bp,"<p align=center>Or "
- "<a href=\"%s%s?cmd=managedir\">return to "
- "directory listing</a>\n", dir_uri, admin_file);
-
- adminfooter(&bp, dn, help_uri, dir_uri, admin_file);
- GRSThttpPrintFooter(&bp, dir_path);
+GRSThttpPrintf(&bp,"<p align=center>Or "
+ "<a href=\"%s%s?cmd=managedir\">return to "
+ "directory listing</a>\n", dir_uri, admin_file);
- GRSThttpWriteOut(&bp);
+adminfooter(&bp, dn, help_uri, dir_uri, admin_file);
+GRSThttpPrintFooter(&bp, dir_path);
+
+GRSThttpWriteOut(&bp);
}
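Review bot: The rewritten tail of the delete form, from the `<p align=center><input type=submit ...` line through `GRSThttpWriteOut(&bp);`, is emitted at column 0 while the rest of the function keeps its indentation, and the form name is single-quoted (`name='DeleteForm'`) where every other form in this change uses an unquoted `name=RenameForm`-style attribute. Restoring the function's indentation and picking one quoting style keeps the HTML-generating code readable; apart from the new hidden `passcode` field and the `onclick` handler the lines are otherwise unchanged.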
void renameform(char *dn, GRSTgaclPerm perm, char *help_uri, char *dir_path,
- char *file, char *dir_uri, char *admin_file)
+ char *file, char *dir_uri, char *admin_file)
{
- GRSThttpBody bp;
+GRSThttpBody bp;
- if (!GRSTgaclPermHasWrite(perm)) GRSThttpError("403 Forbidden");
+if (!GRSTgaclPermHasWrite(perm)) GRSThttpError("403 Forbidden");
- puts("Status: 200 OK\nContent-Type: text/html");
-
- GRSThttpBodyInit(&bp);
+puts("Status: 200 OK\nContent-Type: text/html");
- GRSThttpPrintf(&bp, "<title>Rename %s</title>\n", file);
+GRSThttpBodyInit(&bp);
- GRSThttpPrintHeader(&bp, dir_path);
+GRSThttpPrintf(&bp, "<title>Rename %s</title>\n", file);
- GRSThttpPrintf(&bp, "<h1 align=center>Rename %s%s</h1>\n", dir_uri, file);
-
- GRSThttpPrintf(&bp,"<form action=\"%s%s\" method=post>\n",dir_uri,admin_file);
+GRSThttpPrintHeader(&bp, dir_path);
+
+GRSThttpPrintf(&bp, "<h1 align=center>Rename %s%s</h1>\n", dir_uri, file);
+GRSThttpPrintf(&bp, "\n%s\n", GRST_PASSCODE_JS);
+
+GRSThttpPrintf(&bp,"<form name=RenameForm action=\"%s%s\" method=post>\n",dir_uri,admin_file);
GRSThttpPrintf(&bp,"<h2 align=center>What do you want to rename %s to?</h2>", file);
GRSThttpPrintf(&bp,"<input type=hidden name=file value=\"%s\">\n", file);
+ GRSThttpPrintf(&bp,"<input type=hidden name=passcode value=\"\">\n");
GRSThttpPrintf(&bp,"<p align=center>New name: <input type=text name=newfile value=\"%s\">\n", file);
- GRSThttpPrintf(&bp,"<input type=submit value=\"Rename\">\n");
+ GRSThttpPrintf(&bp,"<input type=submit value=\"Rename\" onclick=\"return changeValue('RenameForm');\"");
GRSThttpPrintf(&bp,"<input type=hidden name=cmd value=renameaction>\n");
GRSThttpPrintf(&bp,"</form>\n");
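Review bot: The rewritten Rename submit button never closes its tag: `"<input type=submit value=\"Rename\" onclick=\"return changeValue('RenameForm');\""` drops the `>\n` that the replaced line had, so the following `<input type=hidden name=cmd value=renameaction>` is swallowed into a malformed element and the browser may not send `cmd=renameaction` at all. The line should end `...changeValue('RenameForm');\">\n");`. The body of `renameform` continues past the end of the hunk.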
FILE *fp;
GRSThttpBody bp;
+
+ if( verifypasscode()==0 ){
+ outputformactionerror(dn, perm, help_uri, dir_path, dir_uri, admin_file);
+ return;
+ }
if ((file[0] == '\0') ||
!GRSTgaclPermHasWrite(perm) ||
(strcmp(file, GRST_ACL_FILE) == 0)) GRSThttpError("403 Forbidden");
FILE *fp;
GRSThttpBody bp;
+ if( verifypasscode()==0 ){
+ outputformactionerror(dn, perm, help_uri, dir_path, dir_uri, admin_file);
+ return;
+ }
if (!GRSTgaclPermHasAdmin(perm)) GRSThttpError("403 Forbidden");
asprintf(&tmpgacl, "%s/.tmp.XXXXXX", dir_path);
FILE *fp;
GRSThttpBody bp;
+ if( verifypasscode()==0 ){
+ outputformactionerror(dn, perm, help_uri, dir_path, dir_uri, admin_file);
+ return;
+ }
if (!GRSTgaclPermHasWrite(perm) || (strcmp(file, GRST_ACL_FILE) == 0))
GRSThttpError("403 Forbidden");
FILE *fp;
GRSThttpBody bp;
+ if( verifypasscode()==0 ){
+ outputformactionerror(dn, perm, help_uri, dir_path, dir_uri, admin_file);
+ return;
+ }
if ((file[0] == '\0') ||
!GRSTgaclPermHasWrite(perm) || (strcmp(file, GRST_ACL_FILE) == 0))
GRSThttpError("403 Forbidden");
struct stat statbuf;
GRSThttpBody bp;
+ if( verifypasscode()==0 ){
+ outputformactionerror(dn, perm, help_uri, dir_path, dir_uri, admin_file);
+ return;
+ }
if (!GRSTgaclPermHasWrite(perm)) GRSThttpError("403 Forbidden");
dnlistsuri = getenv("GRST_DN_LISTS_URI");
pclose(fp);
GRSThttpPrintf(&bp, "</pre></td></tr></table></center>\n");
- if (GRSTgaclPermHasWrite(perm))
+ if (GRSTgaclPermHasWrite(perm)){
+ GRSThttpPrintf(&bp, "\n%s\n", GRST_PASSCODE_JS);
GRSThttpPrintf(&bp,
- "<p><center><form action=\"%s%s\" method=post>"
- "<input type=submit value=\"Unzip this file\"> in %s"
+ "<p><center><form name=UnzipForm action=\"%s%s\" method=post>"
+ "<input type=submit value=\"Unzip this file\" onclick=\"return changeValue('UnzipForm');\"> in %s"
"<input type=hidden name=cmd value=unzipfile>"
+ "<input type=hidden name=passcode value=\"\">"
"<input type=hidden name=file value=\"%s\"></form>"
"<p>(All files are placed in the same directory and files "
"beginning with "." are ignored.)</center>\n",
dir_uri, admin_file, dir_uri, file);
+ }
}
else GRSThttpPrintf(&bp, "<p align=center>unzip path not defined!\n");
GRSThttpPrintHeader(&bp, dir_path);
GRSThttpPrintf(&bp, "<h1>Edit file %s</h1>\n", file);
+ GRSThttpPrintf(&bp, "\n%s\n", GRST_PASSCODE_JS);
- GRSThttpPrintf(&bp,"<form action=\"%s%s\" method=post>\n",dir_uri,admin_file);
- GRSThttpPrintf(&bp,"<p><input type=submit value=\"Save changes\">\n");
+ GRSThttpPrintf(&bp,"<form name=EditForm action=\"%s%s\" method=post>\n",dir_uri,admin_file);
+ GRSThttpPrintf(&bp,"<p><input type=submit value=\"Save changes\" onclick=\"return changeValue('EditForm');\">\n");
GRSThttpPrintf(&bp,"<p>File name: <input type=text name=file value=\"%s\">\n", file);
+ GRSThttpPrintf(&bp,"<input type=hidden name=passcode value=\"\">\n");
GRSThttpPrintf(&bp,"<input type=hidden name=cmd value=editaction>\n");
GRSThttpPrintf(&bp,"<p><textarea name=pagetext cols=80 rows=22>");
}
GRSThttpPrintf(&bp, "</textarea>\n");
- GRSThttpPrintf(&bp, "<p><input type=submit value=\"Save changes\">\n");
+ GRSThttpPrintf(&bp, "<p><input type=submit value=\"Save changes\" onclick=\"return changeValue('EditForm');\">\n");
+
GRSThttpPrintf(&bp, "</form>\n");
if (fp != NULL) fclose(fp);
GRSThttpPrintHeader(&bp, dir_path);
GRSThttpPrintf(&bp, "<h1>Edit DN List</h1>\n");
+ GRSThttpPrintf(&bp, "\n%s\n", GRST_PASSCODE_JS);
- GRSThttpPrintf(&bp,"<form action=\"%s%s\" method=post>\n",dir_uri,admin_file);
- GRSThttpPrintf(&bp,"<p><input type=submit value=\"Update\">\n");
+ GRSThttpPrintf(&bp,"<form name=UpdateForm action=\"%s%s\" method=post>\n",dir_uri,admin_file);
+ GRSThttpPrintf(&bp,"<p><input type=submit value=\"Update\" onclick=\"return changeValue('UpdateForm');\">\n");
GRSThttpPrintf(&bp,"<p>List URL: <input type=text name=file value=\"%s\" "
"size=%d>\n", file, strlen(file));
+ GRSThttpPrintf(&bp,"<input type=hidden name=passcode value=\"\">\n");
GRSThttpPrintf(&bp,"<input type=hidden name=cmd value=editdnlistaction>\n");
if (fp != NULL)
GRSThttpPrintf(&bp, "<p>Add new DN: <input type=text name=add "
"size=60 maxlength=512>\n");
- GRSThttpPrintf(&bp,"<p><input type=submit value=\"Update\">\n");
+ GRSThttpPrintf(&bp,"<p><input type=submit value=\"Update\" onclick=\"return changeValue('UpdateForm');\">\n");
GRSThttpPrintf(&bp, "</form>\n");
if (fp != NULL) fclose(fp);
GRSThttpPrintf(&bp, "<td> </td></tr>\n");
}
- else if (GRSTgaclPermHasAdmin(perm))
- GRSThttpPrintf(&bp, "<form method=post action=\"%s%s\">\n"
- "<tr><td colspan=8><input type=submit value=\"Create .gacl\"></td>\n"
+ else if (GRSTgaclPermHasAdmin(perm)){
+ GRSThttpPrintf(&bp, "\n%s\n", GRST_PASSCODE_JS);
+ GRSThttpPrintf(&bp, "<form name=CreateAclForm method=post action=\"%s%s\">\n"
+ "<tr><td colspan=8><input type=submit value=\"Create .gacl\" onclick=\"return changeValue('CreateAclForm');\"></td>\n"
+ "<input type=hidden name=passcode value=\"\">"
"<input type=hidden name=cmd value=\"create_acl\"></tr></form>\n",
dir_uri, admin_file);
+ }
}
if (GRSTgaclPermHasList(perm))
if (GRSTgaclPermHasWrite(perm))
{
- GRSThttpPrintf(&bp, "<form method=post action=\"%s%s\">\n"
+ GRSThttpPrintf(&bp, "\n%s\n", GRST_PASSCODE_JS);
+ GRSThttpPrintf(&bp, "<form name=NewfileForm method=post action=\"%s%s\">\n"
"<tr><td colspan=8><hr width=\"75%\"></td></tr>\n"
"<tr><td>New name:</td>"
"<td colspan=3><input type=text name=file size=25>\n"
- "<td colspan=2 align=center><input type=submit name=button value=\"New file\"></td>\n"
- "<td colspan=2 align=center><input type=submit name=button value=\"New directory\"></td>\n"
+ "<td colspan=2 align=center><input type=submit name=button value=\"New file\" onclick=\"return changeValue('NewfileForm');\"></td>\n"
+ "<td colspan=2 align=center><input type=submit name=button value=\"New directory\" onclick=\"return changeValue('NewfileForm');\"></td>\n"
+ "<input type=hidden name=passcode value=\"\">"
"<input type=hidden name=cmd value=edit></td></tr></form>\n",
dir_uri, admin_file);
GRSThttpPrintf(&bp,
- "<form method=post action=\"%s%s\" enctype=\"multipart/form-data\">\n"
+ "<form name=UploadfileForm method=post action=\"%s%s\" enctype=\"multipart/form-data\">\n"
"<tr><td colspan=8><hr width=\"75%\"></td></tr>\n"
"<tr><td rowspan=2>Upload file:</td>"
"<td colspan=2>New name:</td>"
"<td colspan=6><input type=text name=file size=25> "
- "<input type=submit value=Upload></td></tr>\n"
+ "<input type=hidden name=passcode value=\"\">"
+ "<input type=submit value=Upload onclick=\"return changeValue('UploadfileForm');\"></td></tr>\n"
"<tr><td colspan=2>Local name:</td>"
"<td colspan=6><input type=file name=uploadfile size=25></td></tr>\n"
"</form>\n", dir_uri, admin_file);
unencuri, unencuri,
statbuf.st_size, modified);
+ GRSThttpPrintf(&bp, "\n%s\n", GRST_PASSCODE_JS);
GRSThttpPrintf(&bp,
- "<form action=\"./%s\" method=post>"
- "<td><input type=submit value=Edit></td>"
+ "<form EditdnlistForm action=\"./%s\" method=post>"
+ "<td><input type=submit value=Edit onclick=\"return changeValue('EditdnlistForm');\"></td>"
"<input type=hidden name=cmd value=editdnlist>"
+ "<input type=hidden name=passcode value=\"\">"
"<input type=hidden name=file value=\"%s\">"
"</form>\n",
admin_file, unencuri);
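Review bot: The edit-dnlist form is written as `<form EditdnlistForm action=...` without the `name=` attribute, so `document.forms['EditdnlistForm']` is undefined and the `changeValue('EditdnlistForm')` handler throws before the hidden passcode field is filled, which leaves the request to be refused by `verifypasscode()`. The fix is `"<form name=EditdnlistForm action=\"./%s\" method=post>"`. The `unencuri` arguments suggest this block is inside the per-entry listing loop, in which case `GRST_PASSCODE_JS` is re-emitted for every row; printing it once before the loop would be sufficient.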
GRSThttpPrintf(&bp,
- "<form action=\"./%s\" method=post>"
- "<td><input type=submit value=Delete></td>"
+ "<form name=DeletednlistForm action=\"./%s\" method=post>"
+ "<td><input type=submit value=Delete onclick=\"return changeValue('DeletednlistForm');\"></td>"
"<input type=hidden name=cmd value=delete>"
+ "<input type=hidden name=passcode value=\"\">"
"<input type=hidden name=file value=\"%s\">"
"</form>\n",
admin_file, unencuri);
if (has_any_admin)
{
- GRSThttpPrintf(&bp, "<form method=post action=\"./%s\">\n"
+ GRSThttpPrintf(&bp, "\n%s\n", GRST_PASSCODE_JS);
+ GRSThttpPrintf(&bp, "<form name=NewdnForm method=post action=\"./%s\">\n"
"<tr><td colspan=4>New DN list name: "
"<input type=text name=file value=\"%s\" size=%d>\n"
+ "<input type=hidden name=passcode value=\"\">"
"<input type=hidden name=cmd value=editdnlist></td>"
- "<td colspan=2 align=center><input type=submit value=Create></td>\n"
+ "<td colspan=2 align=center><input type=submit value=Create onclick=\"return changeValue('NewdnForm');\"></td>\n"
"</tr></form>\n",
admin_file, dnlistsprefix, strlen(dnlistsprefix)+8);
}
#include "grst_admin.h"
+//char *GRST_PASSCODE_JS1 = "<script type=\"text/javascript\" language=\"Javascript\"><!--\nfunction changeValue(formName){ if( document.formName.passcode.value==\"\" ) { document.formName.passcode.value=getCookie(\"GRIDHTTP_PASSCODE\"); return true; } return false;} \nfunction getCookie(c_name){ if (document.cookie.length>0) { c_start=document.cookie.indexOf(c_name + \"=\"); if (c_start!=-1) { c_start=c_start + c_name.length+1; c_end=document.cookie.indexOf(\";\",c_start); if (c_end==-1) c_end=document.cookie.length; return unescape(document.cookie.substring(c_start,c_end)); }} return \"\"; } \n-->\n</script>";
+
+
+
// CGI GACL Editor interface functions
void show_acl(int admin, GRSTgaclUser *user, char *dn, GRSTgaclPerm perm, char *help_uri, char *dir_path, char *file, char *dir_uri, char *admin_file);
void new_entry_form(GRSTgaclUser *user, char *dn, GRSTgaclPerm perm, char *help_uri, char *dir_path, char *file, char *dir_uri, char *admin_file);
GRSTgaclCred *cred;
char *cred_auri_1, *p;
GRSThttpBody bp;
+
+ if( verifypasscode()==0 ){
+ outputformactionerror(dn, perm, help_uri, dir_path, dir_uri, admin_file);
+ return;
+ }
+
if (!GRSTgaclPermHasAdmin(perm)) GRSThttpError ("403 Forbidden");
// Get new credential info and perform checks
GRSTgaclEntry *previous, *entry;
GRSThttpBody bp;
+ if( verifypasscode()==0 ){
+ outputformactionerror(dn, perm, help_uri, dir_path, dir_uri, admin_file);
+ return;
+ }
if (!GRSTgaclPermHasAdmin(perm)) GRSThttpError ("403 Forbidden");
// Load the ACL
char variable[30], *cred_auri_i, *p;
GRSThttpBody bp;
+ if( verifypasscode()==0 ){
+ outputformactionerror(dn, perm, help_uri, dir_path, dir_uri, admin_file);
+ return;
+ }
if (!GRSTgaclPermHasAdmin(perm)) GRSThttpError ("403 Forbidden");
// Load the ACL
GRSThttpBody bp;
char *cred_auri_1, *p;
+ if( verifypasscode()==0 ){
+ outputformactionerror(dn, perm, help_uri, dir_path, dir_uri, admin_file);
+ return;
+ }
if (!GRSTgaclPermHasAdmin(perm)) GRSThttpError ("403 Forbidden");
acl = GRSTgaclAclLoadFile(GRSTgaclFileFindAclname(dir_path));// Load the ACL
GRSTgaclCred *previous, *cred;
GRSThttpBody bp;
+ if( verifypasscode()==0 ){
+ outputformactionerror(dn, perm, help_uri, dir_path, dir_uri, admin_file);
+ return;
+ }
if (!GRSTgaclPermHasAdmin(perm)) GRSThttpError ("403 Forbidden");
acl = GRSTgaclAclLoadFile(GRSTgaclFileFindAclname(dir_path));
void StartForm(GRSThttpBody *bp, char* dir_uri, char* dir_path, char* admin_file, int timestamp, char* target_function){
// Starts an HTML form with gridsite admin as the target and target_function as the value of cmd.
// Also inputs the dir_uri and the timestamp
- GRSThttpPrintf (bp, "<form method=\"POST\" action=\"%s%s?diruri=%s\">\n", dir_uri, admin_file, dir_uri);
+ GRSThttpPrintf (bp, "\n%s\n", GRST_PASSCODE_JS);
+// GRSThttpPrintf (bp, "\n%s\n", GRST_PASSCODE_JS1);
+// GRSThttpPrintf (bp, "<form name=%s method=\"POST\" action=\"%s%s?diruri=%s\" onsubmit=\"return false;\">\n", target_function, dir_uri, admin_file, dir_uri); //please note that we use targetfunction here to dentify the forms
+ GRSThttpPrintf (bp, "<form name=%s method=\"POST\" action=\"%s%s?diruri=%s\" onsubmit=\"return changeValue('%s');\">\n", target_function, dir_uri, admin_file, dir_uri, target_function); //please note that we use targetfunction here to dentify the forms
GRSThttpPrintf (bp, " <input type=\"hidden\" name=\"cmd\" value=\"%s\">\n", target_function);
GRSThttpPrintf (bp, " <input type=\"hidden\" name=\"timestamp\" value=\"%d\">\n", timestamp);
+ GRSThttpPrintf (bp, " <input type=\"hidden\" name=\"passcode\" value=\"\">\n");
return;
}
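Review bot: `StartForm` ships two commented-out alternatives (`// GRSThttpPrintf (bp, "\n%s\n", GRST_PASSCODE_JS1);` and the `onsubmit=\"return false;\"` variant) that should be deleted rather than left next to the live line, and the trailing comment has a typo (`dentify` → `identify`). Because the form name doubles as the `cmd` value, a short contract comment would help the next reader, e.g. `// The form is named after target_function so changeValue() can locate it and copy the GRIDHTTP_PASSCODE cookie into the hidden 'passcode' field before submission.`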
/*
- Copyright (c) 2003-8, Andrew McNab, Shiv Kaushal, Joseph Dada,
+ Copyright (c) 2003-9, Andrew McNab, Shiv Kaushal, Joseph Dada,
and Yibiao Li, University of Manchester. All rights reserved.
Redistribution and use in source and binary forms, with or
#include <http_log.h>
#include <http_protocol.h>
#include <http_request.h>
+
+#if AP_MODULE_MAGIC_AT_LEAST(20051115,0)
+#ifndef _LARGEFILE64_SOURCE
+#define _LARGEFILE64_SOURCE
+#endif
+#endif
+
#include <unixd.h>
#include <stdio.h>
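Review bot: `_LARGEFILE64_SOURCE` is defined only after `<http_log.h>`, `<http_protocol.h>` and `<http_request.h>` have already been included, and those headers pull in the system headers that this feature-test macro is meant to configure, so the definition comes too late for them and can give inconsistent large-file definitions within one translation unit. The `#if AP_MODULE_MAGIC_AT_LEAST(20051115,0)` / `#define _LARGEFILE64_SOURCE` block belongs above the first `#include`, or in the build flags; if it must stay conditional on the Apache version, include only the small header that defines `AP_MODULE_MAGIC_AT_LEAST` (`ap_mmn.h`) before it.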
struct sitecast_group sitecastgroups[GRST_SITECAST_GROUPS+1];
struct sitecast_alias sitecastaliases[GRST_SITECAST_ALIASES];
+#if AP_MODULE_MAGIC_AT_LEAST(20051115,0)
+/* SSL_app_data2_idx is private in Apache 2.2 mod_ssl but can be
+ determined at init time, and then recorded here */
+int GRST_SSL_app_data2_idx = -1;
+#endif
+
typedef struct
{
int auth;
int autopasscode;
- int requirepasscode;
+ int requirepasscode;
int zoneslashes;
int envs;
int format;
char *methods;
char *editable;
char *headfile;
- char *footfile;
+ char *footfile;
int gridhttp;
char *aclformat;
char *aclpath;
out = apr_pstrcat(r->pool, out, "<hr><small>", NULL);
- if (r->notes != NULL)
+ if (r->connection->notes != NULL)
{
- grst_cred_auri_0 = (char *)
+ grst_cred_auri_0 = (char *)
apr_table_get(r->notes, "GRST_CRED_AURI_0");
}
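Review bot: The new condition tests `r->connection->notes` but the body still reads `apr_table_get(r->notes, "GRST_CRED_AURI_0")`, so the guard no longer protects the table that is actually dereferenced. Either the lookup should become `apr_table_get(r->connection->notes, "GRST_CRED_AURI_0")` or the condition should revert to `r->notes`; the later hunk stores the value with `apr_table_setn(r->notes, "GRST_CRED_AURI_0", ...)`, which suggests `r->notes` is the intended table.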
if (direct->loginuri != NULL) conf->loginuri = direct->loginuri;
else conf->loginuri = server->loginuri;
-
+
if (direct->dnlists != NULL) conf->dnlists = direct->dnlists;
else conf->dnlists = server->dnlists;
((mod_gridsite_dir_cfg *) cfg)->helpuri =
apr_pstrdup(a->pool, parm);
}
- else if (strcasecmp(a->cmd->name, "GridSiteLoginURI") == 0)
- {
- ((mod_gridsite_dir_cfg *) cfg)->loginuri =
- apr_pstrdup(a->pool, parm);
- }
else if (strcasecmp(a->cmd->name, "GridSiteDNlists") == 0)
{
((mod_gridsite_dir_cfg *) cfg)->dnlists =
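Review bot: The `GridSiteLoginURI` branch is removed from the directive handler, yet the merge code earlier in this change still copies the field (`if (direct->loginuri != NULL) conf->loginuri = direct->loginuri;`). If the directive is still registered in the command table (not visible here), it now parses successfully but sets nothing, which is a silent configuration failure; either remove the directive and the `loginuri` field together or keep the handler. The enclosing function starts and ends outside the hunk.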
/*
if not succeeded from passcode file, try from connection notes
if a GSI Proxy or have GridSiteAutoPasscode on (the default)
- or have GridSiteRequirePasscode off (the default).
If GridSiteAutoPasscode off and GridSiteRequirePasscode on
then interactive websites must use a login script to make passcode
and file instead.
cred = user->firstcred;
if ((cred != NULL) && (strncmp(cred->auri, "dn:", 3) == 0))
{
- apr_table_setn(r->notes, "GRST_CRED_AURI_0",
+ apr_table_setn(r->notes, "GRST_CRED_AURI_0",
apr_psprintf(r->pool, "%s", cred->auri));
}
apr_table_setn(env, "GRST_PERM", apr_psprintf(r->pool, "%d", perm));
+ if (((mod_gridsite_dir_cfg *) cfg)->requirepasscode == 0)
+ apr_table_set(env, "GRST_REQUIRE_PASSCODE", "off");
+ else apr_table_set(env, "GRST_REQUIRE_PASSCODE", "on");
+
if (((dir_path = apr_pstrdup(r->pool, r->filename)) != NULL) &&
((p = rindex(dir_path, '/')) != NULL))
{
return X509_verify_cert(ctx);
}
+#if AP_MODULE_MAGIC_AT_LEAST(20051115,0)
+/*
+ Include this here until libgridsite functions can be used
+*/
+int GRST_ssl_callback_SSLVerify_CRL(int ok, X509_STORE_CTX *ctx, conn_rec *c)
+{
+ server_rec *s = c->base_server;
+ SSLSrvConfigRec *sc = (SSLSrvConfigRec *) ap_get_module_config(s->module_config, &ssl_module);
+ SSLConnRec *sslconn = (SSLConnRec *) ap_get_module_config(c->conn_config, &ssl_module);
+ modssl_ctx_t *mctx = sslconn->is_proxy ? sc->proxy : sc->server;
+ X509_OBJECT obj;
+ X509_NAME *subject, *issuer;
+ X509 *cert;
+ X509_CRL *crl;
+ EVP_PKEY *pubkey;
+ int i, n, rc;
+
+ /*
+ * Unless a revocation store for CRLs was created we
+ * cannot do any CRL-based verification, of course.
+ */
+ if (!mctx->crl) {
+ return ok;
+ }
+
+ /*
+ * Determine certificate ingredients in advance
+ */
+ cert = X509_STORE_CTX_get_current_cert(ctx);
+ subject = X509_get_subject_name(cert);
+ issuer = X509_get_issuer_name(cert);
+
+ /*
+ * OpenSSL provides the general mechanism to deal with CRLs but does not
+ * use them automatically when verifying certificates, so we do it
+ * explicitly here. We will check the CRL for the currently checked
+ * certificate, if there is such a CRL in the store.
+ *
+ * We come through this procedure for each certificate in the certificate
+ * chain, starting with the root-CA's certificate. At each step we've to
+ * both verify the signature on the CRL (to make sure it's a valid CRL)
+ * and it's revocation list (to make sure the current certificate isn't
+ * revoked). But because to check the signature on the CRL we need the
+ * public key of the issuing CA certificate (which was already processed
+ * one round before), we've a little problem. But we can both solve it and
+ * at the same time optimize the processing by using the following
+ * verification scheme (idea and code snippets borrowed from the GLOBUS
+ * project):
+ *
+ * 1. We'll check the signature of a CRL in each step when we find a CRL
+ * through the _subject_ name of the current certificate. This CRL
+ * itself will be needed the first time in the next round, of course.
+ * But we do the signature processing one round before this where the
+ * public key of the CA is available.
+ *
+ * 2. We'll check the revocation list of a CRL in each step when
+ * we find a CRL through the _issuer_ name of the current certificate.
+ * This CRLs signature was then already verified one round before.
+ *
+ * This verification scheme allows a CA to revoke its own certificate as
+ * well, of course.
+ */
+
+ /*
+ * Try to retrieve a CRL corresponding to the _subject_ of
+ * the current certificate in order to verify it's integrity.
+ */
+ memset((char *)&obj, 0, sizeof(obj));
+ {
+ X509_STORE_CTX pStoreCtx;
+ X509_STORE_CTX_init(&pStoreCtx, mctx->crl, NULL, NULL);
+ rc = X509_STORE_get_by_subject(&pStoreCtx, X509_LU_CRL, subject, &obj);
+ X509_STORE_CTX_cleanup(&pStoreCtx);
+ }
+
+ crl = obj.data.crl;
+
+ if ((rc > 0) && crl) {
+ /*
+ * Log information about CRL
+ * (A little bit complicated because of ASN.1 and BIOs...)
+ */
+ if (s->loglevel >= APLOG_DEBUG) {
+ char buff[512]; /* should be plenty */
+ BIO *bio = BIO_new(BIO_s_mem());
+
+ BIO_printf(bio, "CA CRL: Issuer: ");
+ X509_NAME_print(bio, issuer, 0);
+
+ BIO_printf(bio, ", lastUpdate: ");
+ ASN1_UTCTIME_print(bio, X509_CRL_get_lastUpdate(crl));
+
+ BIO_printf(bio, ", nextUpdate: ");
+ ASN1_UTCTIME_print(bio, X509_CRL_get_nextUpdate(crl));
+
+ n = BIO_read(bio, buff, sizeof(buff) - 1);
+ buff[n] = '\0';
+
+ BIO_free(bio);
+
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "%s", buff);
+ }
+
+ /*
+ * Verify the signature on this CRL
+ */
+ pubkey = X509_get_pubkey(cert);
+ rc = X509_CRL_verify(crl, pubkey);
+#ifdef OPENSSL_VERSION_NUMBER
+ /* Only refcounted in OpenSSL */
+ if (pubkey)
+ EVP_PKEY_free(pubkey);
+#endif
+ if (rc <= 0) {
+ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
+ "Invalid signature on CRL");
+
+ X509_STORE_CTX_set_error(ctx, X509_V_ERR_CRL_SIGNATURE_FAILURE);
+ X509_OBJECT_free_contents(&obj);
+ return FALSE;
+ }
+
+ /*
+ * Check date of CRL to make sure it's not expired
+ */
+ i = X509_cmp_current_time(X509_CRL_get_nextUpdate(crl));
+
+ if (i == 0) {
+ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
+ "Found CRL has invalid nextUpdate field");
+
+ X509_STORE_CTX_set_error(ctx,
+ X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD);
+ X509_OBJECT_free_contents(&obj);
+
+ return FALSE;
+ }
+
+ if (i < 0) {
+ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
+ "Found CRL is expired - "
+ "revoking all certificates until you get updated CRL");
+
+ X509_STORE_CTX_set_error(ctx, X509_V_ERR_CRL_HAS_EXPIRED);
+ X509_OBJECT_free_contents(&obj);
+
+ return FALSE;
+ }
+
+ X509_OBJECT_free_contents(&obj);
+ }
+
+ /*
+ * Try to retrieve a CRL corresponding to the _issuer_ of
+ * the current certificate in order to check for revocation.
+ */
+ memset((char *)&obj, 0, sizeof(obj));
+ {
+ X509_STORE_CTX pStoreCtx;
+ X509_STORE_CTX_init(&pStoreCtx, mctx->crl, NULL, NULL);
+ rc = X509_STORE_get_by_subject(&pStoreCtx, X509_LU_CRL, issuer, &obj);
+ X509_STORE_CTX_cleanup(&pStoreCtx);
+ }
+
+ crl = obj.data.crl;
+ if ((rc > 0) && crl) {
+ /*
+ * Check if the current certificate is revoked by this CRL
+ */
+ n = sk_X509_REVOKED_num(X509_CRL_get_REVOKED(crl));
+
+ for (i = 0; i < n; i++) {
+ X509_REVOKED *revoked =
+ sk_X509_REVOKED_value(X509_CRL_get_REVOKED(crl), i);
+
+// ASN1_INTEGER *sn = X509_REVOKED_get_serialNumber(revoked);
+ ASN1_INTEGER *sn = revoked->serialNumber;
+
+ if (!ASN1_INTEGER_cmp(sn, X509_get_serialNumber(cert))) {
+ if (s->loglevel >= APLOG_DEBUG) {
+ char *cp = X509_NAME_oneline(issuer, NULL, 0);
+ long serial = ASN1_INTEGER_get(sn);
+
+ ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
+ "Certificate with serial %ld (0x%lX) "
+ "revoked per CRL from issuer %s",
+ serial, serial, cp);
+ OPENSSL_free(cp);
+ }
+
+ X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_REVOKED);
+ X509_OBJECT_free_contents(&obj);
+
+ return FALSE;
+ }
+ }
+
+ X509_OBJECT_free_contents(&obj);
+ }
+
+ return ok;
+}
+#endif
+
int GRST_callback_SSLVerify_wrapper(int ok, X509_STORE_CTX *ctx)
{
SSL *ssl = (SSL *) X509_STORE_CTX_get_app_data(ctx);
conn_rec *conn = (conn_rec *) SSL_get_app_data(ssl);
server_rec *s = conn->base_server;
SSLConnRec *sslconn =
- (SSLConnRec *) ap_get_module_config(conn->conn_config, &ssl_module);
+ (SSLConnRec *) ap_get_module_config(conn->conn_config, &ssl_module);
int errnum = X509_STORE_CTX_get_error(ctx);
int errdepth = X509_STORE_CTX_get_error_depth(ctx);
int returned_ok;
int first_non_ca;
#if AP_MODULE_MAGIC_AT_LEAST(20051115,0)
- request_rec *r = (request_rec *)SSL_get_app_data2(ssl);
- SSLSrvConfigRec *sc = mySrvConfig(s);
- SSLDirConfigRec *dc = r ? myDirConfig(r) : NULL;
- modssl_ctx_t *mctx = myCtxConfig(sslconn, sc);
- int verify;
+ request_rec *r = (request_rec *) SSL_get_ex_data(ssl, GRST_SSL_app_data2_idx);
+ SSLSrvConfigRec *sc = (SSLSrvConfigRec *) ap_get_module_config(s->module_config, &ssl_module);
+ SSLDirConfigRec *dc = r ? (SSLDirConfigRec *) ap_get_module_config(r->per_dir_config, &ssl_module) : NULL;
+ modssl_ctx_t *mctx = sslconn->is_proxy ? sc->proxy : sc->server;
+ int verify, depth;
#endif
STACK_OF(X509) *certstack;
GRSTx509Chain *grst_chain;
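Review bot: In `GRST_ssl_callback_SSLVerify_CRL` the debug branch does `n = BIO_read(bio, buff, sizeof(buff) - 1); buff[n] = '\0';` without checking `n`, and `BIO_new(BIO_s_mem())` is never checked for NULL, so a failed or empty read (negative `n`) writes before the start of `buff`; add `if (n < 0) n = 0;` before the terminator and skip the block when `bio` is NULL. The revocation loop reads `revoked->serialNumber` directly while the accessor `X509_REVOKED_get_serialNumber(revoked)` is left commented out; the accessor is the supported interface and should be used if the targeted OpenSSL provides it. Both `X509_STORE_get_by_subject` blocks run an `X509_STORE_CTX` on the stack and copy the result through `obj.data.crl`; a comment noting that this mirrors the mod_ssl 2.2 implementation the function was copied from would tell the next maintainer where to look when OpenSSL changes those structures.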
sname ? sname : "-unknown-",
iname ? iname : "-unknown-");
- if (sname) modssl_free(sname);
+ if (sname) OPENSSL_free(sname);
- if (iname) modssl_free(iname);
+ if (iname) OPENSSL_free(iname);
}
/*
*/
if (ok)
{
- if (!(ok = ssl_callback_SSLVerify_CRL(ok, ctx, conn)))
+ if (!(ok = GRST_ssl_callback_SSLVerify_CRL(ok, ctx, conn)))
{
errnum = X509_STORE_CTX_get_error(ctx);
}
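Review bot: `GRST_ssl_callback_SSLVerify_CRL` is defined only under `#if AP_MODULE_MAGIC_AT_LEAST(20051115,0)`, but the call that replaces `ssl_callback_SSLVerify_CRL` here is unconditional as far as the hunk shows, so an older Apache build would fail to link unless a matching `#else` exists outside the hunk. If Apache 2.0 is still supported, wrap the call: `#if AP_MODULE_MAGIC_AT_LEAST(20051115,0)` / `if (!(ok = GRST_ssl_callback_SSLVerify_CRL(ok, ctx, conn)))` / `#else` the original call `#endif`. The enclosing function body continues outside the hunk.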
ap_add_version_component(pPool,
apr_psprintf(pPool, "mod_gridsite/%s", VERSION));
+#if AP_MODULE_MAGIC_AT_LEAST(20051115,0)
+ /* establish value of SSL_app_data2_idx and record it */
+ GRST_SSL_app_data2_idx = SSL_get_ex_new_index(0,
+ "Dummy Application Data for mod_gridsite",
+ NULL, NULL, NULL) - 1;
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, main_server,
+ "mod_gridsite: GRST_SSL_app_data2_idx=%d",
+ GRST_SSL_app_data2_idx);
+#endif
+
for (this_server = main_server;
this_server != NULL;
this_server = this_server->next)
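Review bot: `GRST_SSL_app_data2_idx` is computed as `SSL_get_ex_new_index(...) - 1`, i.e. it assumes mod_ssl's own app_data2 index was the most recently allocated SSL ex_data slot. Any other module that calls `SSL_get_ex_new_index` between mod_ssl's initialisation and this one shifts the number, and the later `SSL_get_ex_data(ssl, GRST_SSL_app_data2_idx)` cast to `request_rec *` would then read an unrelated pointer that is not NULL and so passes the existing `r ? ... : NULL` check. At minimum the assumption deserves a comment, e.g. `/* assumes mod_ssl allocated app_data2 immediately before us; breaks if another module registers SSL ex_data in between */`, and ideally a verification of the slot at init time before it is trusted.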
SSL_ENABLED_OPTIONAL = 3
} ssl_enabled_t;
+#if AP_MODULE_MAGIC_AT_LEAST(20051115,0)
+typedef enum {
+ SSL_CVERIFY_UNSET = -1,
+ SSL_CVERIFY_NONE = 0,
+ SSL_CVERIFY_OPTIONAL = 1,
+ SSL_CVERIFY_REQUIRE = 2,
+ SSL_CVERIFY_OPTIONAL_NO_CA = 3
+} ssl_verify_t;
+
+#define ssl_verify_error_is_optional(errnum) \
+ ((errnum == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) \
+ || (errnum == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN) \
+ || (errnum == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) \
+ || (errnum == X509_V_ERR_CERT_UNTRUSTED) \
+ || (errnum == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE))
+
+#endif
+
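Review bot: The `ssl_verify_t` enum, the `ssl_verify_error_is_optional` macro, and the `modssl_auth_ctx_t`, `modssl_ctx_t` and `SSLDirConfigRec` members added in the three following hunks are hand-copied from Apache 2.2 mod_ssl's private header, and the verifier code then reads `sc->server`, `mctx->crl`, `sslconn->is_proxy` and `dc` through these layouts. Any field added, removed or reordered in the installed mod_ssl makes those reads silently wrong rather than failing at compile time. A header comment naming the exact httpd version and file the layouts were taken from, e.g. `/* copied from httpd-[VERSION]/modules/ssl/ssl_private.h; must match the mod_ssl build in use */`, would at least make the dependency visible to whoever upgrades Apache next.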
typedef struct {
SSL *ssl;
const char *client_dn;
int non_ssl_request;
} SSLConnRec;
+#if AP_MODULE_MAGIC_AT_LEAST(20051115,0)
+typedef struct {
+ const char *ca_cert_path;
+ const char *ca_cert_file;
+
+ const char *cipher_suite;
+
+ int verify_depth;
+ ssl_verify_t verify_mode;
+} modssl_auth_ctx_t;
+#endif
+
typedef struct {
void *sc; /* pointer back to server config */
SSL_CTX *ssl_ctx;
+#if AP_MODULE_MAGIC_AT_LEAST(20051115,0)
+ void *pks;
+ void *pkp;
+
+ int protocol;
+
+ int pphrase_dialog_type;
+ const char *pphrase_dialog_path;
+
+ const char *cert_chain;
+
+ const char *crl_path;
+ const char *crl_file;
+ X509_STORE *crl;
+
+ modssl_auth_ctx_t auth;
+#endif
} modssl_ctx_t;
typedef struct {
modssl_ctx_t *proxy;
} SSLSrvConfigRec;
+#if AP_MODULE_MAGIC_AT_LEAST(20051115,0)
+typedef struct {
+ BOOL bSSLRequired;
+ apr_array_header_t *aRequirement;
+ int nOptions;
+ int nOptionsAdd;
+ int nOptionsDel;
+ const char *szCipherSuite;
+ ssl_verify_t nVerifyClient;
+ int nVerifyDepth;
+ const char *szCACertificatePath;
+ const char *szCACertificateFile;
+ const char *szUserName;
+} SSLDirConfigRec;
+#endif
+
+
extern module AP_MODULE_DECLARE_DATA ssl_module;