From 0916d15c218a65b1d7827dea66eaed58315d8e7b Mon Sep 17 00:00:00 2001
From: =?utf8?q?Daniel=20Kou=C5=99il?=
Date: Wed, 23 Mar 2005 15:19:11 +0000
Subject: [PATCH] Merged RC1 (from merge_rc1_src_1 to merge_rc1_dst_1)
---
 org.glite.security.proxyrenewal/Makefile | 2 +-
 org.glite.security.proxyrenewal/config/startup | 34 ++++-----
 org.glite.security.proxyrenewal/src/commands.c | 11 +--
 org.glite.security.proxyrenewal/src/renew.c | 20 ++++--
 org.glite.security.proxyrenewal/src/renewd.c | 3 +-
 org.glite.security.proxyrenewal/src/renewd_locl.h | 2 +-
 org.glite.security.proxyrenewal/src/voms.c | 84 +++++++++++++++--------
 7 files changed, 98 insertions(+), 58 deletions(-)
diff --git a/org.glite.security.proxyrenewal/Makefile b/org.glite.security.proxyrenewal/Makefile
index cf745c2..3730746 100644
--- a/org.glite.security.proxyrenewal/Makefile
+++ b/org.glite.security.proxyrenewal/Makefile
@@ -134,7 +134,7 @@ install:
 ${INSTALL} -m 644 ${top_srcdir}/LICENSE ${PREFIX}/share/doc/${package}-${version}
 cd ${top_srcdir}/interface && ${INSTALL} -m 644 renewal.h ${PREFIX}/include/glite/security/proxyrenewal
- ${INSTALL} -m 755 ${top_srcdir}/config/startup ${PREFIX}/etc/init.d/${DAEMON}
+ ${INSTALL} -m 755 ${top_srcdir}/config/startup ${PREFIX}/etc/init.d/glite-proxy-renewald
 clean:
diff --git a/org.glite.security.proxyrenewal/config/startup b/org.glite.security.proxyrenewal/config/startup
index 70d1c6b..26ba757 100755
--- a/org.glite.security.proxyrenewal/config/startup
+++ b/org.glite.security.proxyrenewal/config/startup
@@ -32,6 +32,14 @@ start() [ -z "$creds" ] && echo $0: WARNING: No credentials specified. Using default lookup which is dangerous. >&2 + # workaround for VOMS_FindByVO that seems to always require user's own VOMS config file (bug #7511) + user_voms_config=$HOME/.glite/vomses + if [ ! -f "$user_voms_config" ]; then + rm -f /tmp/renewal_vomses + su - $GLITE_USER -c "touch /tmp/renewal_vomses && chmod 644 /tmp/renewal_vomses" + user_voms_config=/tmp/renewal_vomses + fi + echo -n Starting ProxyRenewal Daemon: glite-proxy-renewd ... if [ ! -d "$PROXY_REPOSITORY" ]; then @@ -40,32 +48,26 @@ start() chmod 0700 $PROXY_REPOSITORY fi - su - $GLITE_USER -c "$GLITE_LOCATION/bin/glite-proxy-renewd \ - -r $PROXY_REPOSITORY $creds" && echo " done" + su - $GLITE_USER -c "VOMS_USERCONF=$user_voms_config \ + $GLITE_LOCATION/bin/glite-proxy-renewd \ + -r $PROXY_REPOSITORY $creds -A" && echo " done" } stop() { echo -n "Stopping ProxyRenewal Daemon: glite-proxy-renewd ..." - PIDS=`ps -C glite-proxy-renewd -o pid --no-heading` - if [ -z "$PIDS" ]; then - echo " no process glite-proxy-renewd running" - exit 1 - else - kill $PIDS && echo " done" - fi + killall glite-proxy-renewd + echo " done" } status() { - PIDS=`ps -C glite-proxy-renewd -o pid --no-heading` - if ps p $PIDS >/dev/null 2>&1; then - echo glite-proxy-renewd running \($PIDS\) - return 0 + if netstat -an --unix | grep "^unix .* LISTEN.* /tmp/dgpr_renew_" >/dev/null 2>&1 ;then + echo glite-proxy-renewd running + else + echo glite-proxy-renewd not running + return 1 fi - - echo glite-proxy-renewd not running - return 1 } case x$1 in diff --git a/org.glite.security.proxyrenewal/src/commands.c b/org.glite.security.proxyrenewal/src/commands.c index 288c994..79b96d3 100644 --- a/org.glite.security.proxyrenewal/src/commands.c +++ b/org.glite.security.proxyrenewal/src/commands.c 
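Review bot: The fallback VOMS configuration is a fixed, predictable name in a world-writable directory, `/tmp/renewal_vomses`, removed by root with `rm -f` and then created by `$GLITE_USER` with `touch`; nothing ties the file that finally lands in `VOMS_USERCONF` to this invocation, which is the classic insecure temporary file. The `[ ! -f "$user_voms_config" ]` test on `$HOME/.glite/vomses` also runs in the init script's own environment (root's `$HOME`, or unset) while the daemon is started as `$GLITE_USER` through `su -`, so it inspects the wrong account's file. Both go away if the placeholder lives in the repository the script already creates with mode 0700 for the service user, e.g. `user_voms_config=$PROXY_REPOSITORY/vomses` set after the `PROXY_REPOSITORY` block, or if `mktemp` is used and the result passed in. The new `-A` flag handed to the daemon is not explained anywhere in this commit; a short comment on that line would help the next reader.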
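Review bot: `stop()` now prints " done" whatever `killall glite-proxy-renewd` did; the previous version exited 1 when no process was running, and a `restart` or a monitoring wrapper loses that signal. `killall glite-proxy-renewd && echo " done"` keeps the exit status, matching how the `start()` line reports. `killall` also signals every process with that name on the host, not only the daemon started for `$GLITE_USER`; `killall -u "$GLITE_USER" glite-proxy-renewd` narrows it where psmisc's killall is in use. The `status()` check reports any listening Unix socket whose path begins with `/tmp/dgpr_renew_` as this daemon, which may be acceptable but deserves a comment now that it is no longer tied to a pid.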
@@ -564,15 +564,18 @@ get_record_ext(FILE *fd, proxy_record *record, int *last_used_suffix) if (tmp_record.jobids.len == 0) { /* no jobs registered for this record, so use it initialized with the * parameters (currently myproxy location) provided by user */ - char *server = record->myproxy_server; - - memset(record, 0, sizeof(*record)); record->suffix = tmp_record.suffix; - record->myproxy_server = server; + record->next_renewal = record->end_time = 0; free_record(&tmp_record); return 0; } + /* Proxies with VOMS attributes require a separate record, which is not + * shared with another proxies. The same applies it the unique flag was + * set by the caller */ + if (record->voms_exts || record->unique) + continue; + if (tmp_record.jobids.len > 0 && record->myproxy_server && strcmp(record->myproxy_server, tmp_record.myproxy_server) != 0) continue; diff --git a/org.glite.security.proxyrenewal/src/renew.c b/org.glite.security.proxyrenewal/src/renew.c index c327280..c14b6c0 100644 --- a/org.glite.security.proxyrenewal/src/renew.c +++ b/org.glite.security.proxyrenewal/src/renew.c @@ -120,7 +120,7 @@ renew_proxy(proxy_record *record, char *basename, char **new_proxy) edg_wlpr_Log(LOG_DEBUG, "Trying to renew proxy in %s.%d", basename, record->suffix); - snprintf(tmp_proxy, sizeof(tmp_proxy), "%s.%d.renew.XXXXXX", + snprintf(tmp_proxy, sizeof(tmp_proxy), "%s.%d.myproxy.XXXXXX", basename, record->suffix); tmp_fd = mkstemp(tmp_proxy); if (tmp_fd == -1) { 
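Review bot: With `memset(record, 0, sizeof(*record))` gone, the no-jobs path resets only `suffix`, `next_renewal` and `end_time`, so every other field of `*record` is whatever the caller left in it; that is presumably intended now that `voms_exts` and `unique` are inputs, but it should be stated in the function's header comment, e.g. `/* *record is caller-initialised; only suffix, next_renewal and end_time are overwritten when a free record is found */` (get_record_ext starts and ends outside this hunk). The new comment has two slips: `shared with another proxies` → `shared with other proxies`, and `applies it the unique flag` → `applies if the unique flag`. Because the `voms_exts || unique` test sits after the `jobids.len == 0` return, an existing but empty record is still handed to a unique caller, which reads as intended but deserves a word in the same comment.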
@@ -157,22 +157,24 @@ renew_proxy(proxy_record *record, char *basename, char **new_proxy) } else socket_attrs->psport = MYPROXY_SERVER_PORT; + verror_clear(); ret = myproxy_get_delegation(socket_attrs, client_request, server_response, tmp_proxy); if (ret == 1) { ret = EDG_WLPR_ERROR_MYPROXY; - edg_wlpr_Log(LOG_ERR, "Error contacting MyProxy server for proxy %s", - repository_file); + edg_wlpr_Log(LOG_ERR, "Error contacting MyProxy server for proxy %s: %s", + repository_file, verror_get_string()); + verror_clear(); goto end; } renewed_proxy = tmp_proxy; - if (voms_enabled) { + if (voms_enabled && record->voms_exts) { char tmp_voms_proxy[FILENAME_MAX]; int tmp_voms_fd; - snprintf(tmp_voms_proxy, sizeof(tmp_voms_proxy), "%s.%d.renew.XXXXXX", + snprintf(tmp_voms_proxy, sizeof(tmp_voms_proxy), "%s.%d.voms.XXXXXX", basename, record->suffix); tmp_voms_fd = mkstemp(tmp_voms_proxy); if (tmp_voms_fd == -1) { @@ -182,11 +184,15 @@ renew_proxy(proxy_record *record, char *basename, char **new_proxy) goto end; } - ret = renew_voms_certs(repository_file, tmp_voms_proxy); - if (ret) + ret = renew_voms_creds(repository_file, renewed_proxy, tmp_voms_proxy); + close(tmp_voms_fd); + if (ret) { + unlink(tmp_voms_proxy); goto end; + } renewed_proxy = tmp_voms_proxy; + unlink(tmp_proxy); } if (new_proxy) diff --git a/org.glite.security.proxyrenewal/src/renewd.c b/org.glite.security.proxyrenewal/src/renewd.c index 49e4b17..cd2bef8 100644 --- a/org.glite.security.proxyrenewal/src/renewd.c +++ b/org.glite.security.proxyrenewal/src/renewd.c @@ -15,8 +15,7 @@ char *vomsdir = NULL; int voms_enabled = 0; char *cert = NULL; char *key = NULL; - -char *vomsconf = "/opt/edg/etc/vomses"; +char *vomsconf = NULL; static volatile int die = 0, child_died = 0; diff --git a/org.glite.security.proxyrenewal/src/renewd_locl.h b/org.glite.security.proxyrenewal/src/renewd_locl.h index 37708c6..c4b8de4 100644 --- a/org.glite.security.proxyrenewal/src/renewd_locl.h 
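Review bot: `verror_get_string()` is formatted with `%s` in the new log line; if the myproxy error state is empty at that point the call may return NULL, and a NULL `%s` argument is undefined behaviour, so guard it: `const char *verr = verror_get_string();` and `..., repository_file, verr ? verr : "no detail");`. The narrowed condition `voms_enabled && record->voms_exts` means proxies without VOMS attributes now skip the second temporary entirely, which is worth a one-line comment so the `.myproxy.XXXXXX` / `.voms.XXXXXX` files are understood as a sequence. Both mkstemp files hold a private key and are created 0600; whatever later moves them into the repository (outside this hunk) should keep that mode.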
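Review bot: On the failure branch of `renew_voms_creds()` only `tmp_voms_proxy` is unlinked while `renewed_proxy` still names `tmp_proxy`, which holds the freshly delegated private key; unless the `end:` label (outside the hunk) removes `tmp_proxy` when `ret` is non-zero, a failed VOMS step leaves that key file next to the repository. The descriptor `tmp_fd` from the first `mkstemp` is not closed anywhere visible here either; confirm both on every exit path. On the success path `unlink(tmp_proxy)` is right, since the MyProxy-only proxy is superseded by the VOMS one.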
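Review bot: `vomsconf` now defaults to NULL and voms.c passes it straight to `VOMS_FindByVO()`, so with no option given the lookup depends on the VOMS library's own defaults; the `VOMS_USERCONF=` workaround added to the startup script in this commit suggests that means a per-user file, which the daemon account may not have, and the failure then surfaces at renewal time as `VOMS_FindByVO() failed` rather than at start-up. A check in renewd.c that logs once when neither `vomsconf` nor `VOMS_USERCONF` is set would make the misconfiguration visible early. A comment on the declaration, `/* server list for VOMS_FindByVO(); NULL lets the VOMS library pick its default files */`, documents the new default.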
+++ b/org.glite.security.proxyrenewal/src/renewd_locl.h
@@ -75,6 +75,6 @@ int get_proxy_base_name(char *file, char **subject);
 int
-renew_voms_certs(const char *cur_file, const char *new_file);
+renew_voms_creds(const char *cur_file, const char *renewed_file, const char *new_file);
 #endif /* RENEWALD_LOCL_H */
diff --git a/org.glite.security.proxyrenewal/src/voms.c b/org.glite.security.proxyrenewal/src/voms.c
index 70e6b4f..f570fd4 100644
--- a/org.glite.security.proxyrenewal/src/voms.c
+++ b/org.glite.security.proxyrenewal/src/voms.c
@@ -11,6 +11,8 @@ char * Decode(const char *, int, int *);
 char **listadd(char **, char *, int);
+extern char *vomsconf;
+
 static int
 generate_proxy(globus_gsi_cred_handle_t cur_proxy, X509_EXTENSION *voms_extension, const char *new_file)
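Review bot: The new prototype `renew_voms_creds(cur_file, renewed_file, new_file)` has no documentation, and three paths of the same type are easy to pass in the wrong order. From the voms.c hunks, `cur_file` is the proxy whose VOMS attributes are re-obtained, `renewed_file` is the freshly delegated proxy exported as X509_USER_CERT/X509_USER_KEY to authenticate to the VOMS server and then loaded as the signer of the result, and `new_file` is the output path; a Doxygen block on the declaration stating this, the return convention (0 on success, non-zero on failure) and that the caller removes `new_file` on failure would pin the contract. The `extern char *vomsconf;` that the voms.c `@@ -11` hunk adds inside the .c file belongs in this header as well, so the definition in renewd.c and its users share one type-checked declaration.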
@@ -25,39 +27,39 @@ generate_proxy(globus_gsi_cred_handle_t cur_proxy, result = globus_gsi_proxy_handle_init(&proxy_handle, NULL); if (result) { - fprintf(stderr, "globus_gsi_proxy_handle_init() failed\n"); + edg_wlpr_Log(LOG_ERR, "globus_gsi_proxy_handle_init() failed\n"); goto end; } result = globus_gsi_cred_get_key(cur_proxy, &cur_proxy_priv_key); if (result) { - fprintf(stderr, "globus_gsi_cred_get_key() failed\n"); + edg_wlpr_Log(LOG_ERR, "globus_gsi_cred_get_key() failed\n"); goto end; } /* Create and sign a new proxy */ result = globus_gsi_cred_get_cert_type(cur_proxy, &proxy_type); if (result) { - fprintf(stderr, "globus_gsi_cred_get_cert_type() failed\n"); + edg_wlpr_Log(LOG_ERR, "globus_gsi_cred_get_cert_type() failed\n"); goto end; } result = globus_gsi_proxy_handle_set_type(proxy_handle, proxy_type); if (result) { - fprintf(stderr, "globus_gsi_proxy_handle_set_type() failed\n"); + edg_wlpr_Log(LOG_ERR, "globus_gsi_proxy_handle_set_type() failed\n"); goto end; } result = globus_gsi_proxy_create_signed(proxy_handle, cur_proxy, &proxy); if (result) { - fprintf(stderr, "globus_gsi_proxy_handle_init() failed\n"); + edg_wlpr_Log(LOG_ERR, "globus_gsi_proxy_handle_init() failed\n"); goto end; } /* Get the new proxy */ result = globus_gsi_cred_get_cert(proxy, &new_cert); if (result) { - fprintf(stderr, "globus_gsi_cred_get_cert() failed\n"); + edg_wlpr_Log(LOG_ERR, "globus_gsi_cred_get_cert() failed\n"); goto end; } @@ -77,7 +79,7 @@ generate_proxy(globus_gsi_cred_handle_t cur_proxy, /* And put the cert back, older one is unallocated by the function */ result = globus_gsi_cred_set_cert(proxy, voms_cert); if (result) { - fprintf(stderr, "globus_gsi_cred_set_cert() failed\n"); + edg_wlpr_Log(LOG_ERR, "globus_gsi_cred_set_cert() failed\n"); goto end; } 
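Review bot: The `globus_gsi_proxy_create_signed()` failure branch logs `globus_gsi_proxy_handle_init() failed`, a copy-paste slip carried into the new logging call; it should read `edg_wlpr_Log(LOG_ERR, "globus_gsi_proxy_create_signed() failed");`. The converted messages keep their trailing `\n` (here and in the `@@ -77` hunk below) while the new `edg_wlpr_Log` calls in renew.c have none; if the logger adds its own terminator or writes to syslog the embedded newline is noise, so pick one convention. The Globus `result` is discarded in every branch; `globus_error_print_friendly(globus_error_get(result))`, freeing the returned string afterwards, would turn these into actionable messages. generate_proxy starts and ends outside the hunk.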
@@ -98,7 +100,7 @@ my_VOMS_Export(void *buf, int buf_len, X509_EXTENSION **extension) p = pp = buf; ac = d2i_AC(NULL, &p, buf_len+1); if (ac == NULL) { - fprintf(stderr, "d2i_AC() failed\n"); + edg_wlpr_Log(LOG_ERR, "d2i_AC() failed\n"); return 1; } @@ -120,14 +122,14 @@ create_voms_command(struct vomsdata *vd, struct voms **voms_cert, char **command for (i = 2; i < argc; i++) { ret = VOMS_Ordering(argv[i], vd, &voms_error); if (ret == 0) { - fprintf(stderr, "VOMS_Ordering() failed\n"); + edg_wlpr_Log(LOG_ERR, "VOMS_Ordering() failed\n"); return 1; } } #endif if (voms_cert == NULL || *voms_cert == NULL || (*voms_cert)->std == NULL) { - fprintf(stderr, "Invalid VOMS certificate\n"); + edg_wlpr_Log(LOG_ERR, "Invalid VOMS certificate\n"); return 1; } @@ -151,10 +153,10 @@ renew_voms_cert(struct vomsdata *vd, struct voms **voms_cert, struct contactdata **voms_contacts = NULL; char *command = NULL; - voms_contacts = VOMS_FindByVO(vd, (*voms_cert)->voname, NULL, NULL, &voms_error); + voms_contacts = VOMS_FindByVO(vd, (*voms_cert)->voname, vomsconf, NULL, &voms_error); if (voms_contacts == NULL) { - fprintf(stderr, "VOMS_FindByVO() failed\n"); + edg_wlpr_Log(LOG_ERR, "VOMS_FindByVO() failed\n"); return 1; } @@ -166,7 +168,7 @@ renew_voms_cert(struct vomsdata *vd, struct voms **voms_cert, (void**) buf, buf_len, &voms_version, vd, &voms_error); if (ret == 0) { - fprintf(stderr, "VOMS_Contact() failed\n"); + edg_wlpr_Log(LOG_ERR, "VOMS_Contact() failed\n"); return 1; } 
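Review bot: `VOMS_FindByVO()` is now handed `vomsconf`, which renewd.c initialises to NULL, so without a configured path the lookup relies on the VOMS library's own defaults; state that at the call, `/* vomsconf may be NULL: VOMS then consults its default/user vomses files */`. Every failure in this file's hunks (VOMS_Ordering, VOMS_FindByVO, VOMS_Contact) is logged without the `voms_error` the call fills in; `edg_wlpr_Log(LOG_ERR, "VOMS_FindByVO() failed (error %d)", voms_error);`, or the text from `VOMS_ErrorMessage()` if the linked VOMS API provides it, is what an operator will need. Neither renew_voms_cert nor create_voms_command starts or ends inside these hunks.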
@@ -178,21 +180,26 @@ renew_voms_cert(struct vomsdata *vd, struct voms **voms_cert, return 0; } -int -renew_voms_certs(const char *cur_file, const char *new_file) +static int +renew_voms_certs(const char *cur_file, const char *renewed_file, const char *new_file) { globus_gsi_cred_handle_t cur_proxy = NULL; + globus_gsi_cred_handle_t new_proxy = NULL; struct vomsdata *vd = NULL; struct voms **voms_cert = NULL; int voms_err, ret; X509 *cert = NULL; STACK_OF(X509) *chain = NULL; char *buf = NULL; - size_t buf_len; + size_t buf_len = 0; X509_EXTENSION *extension = NULL; char *old_env_proxy = getenv("X509_USER_PROXY"); + char *old_env_cert = getenv("X509_USER_CERT"); + char *old_env_key = getenv("X509_USER_KEY"); setenv("X509_USER_PROXY", cur_file, 1); + setenv("X509_USER_CERT", renewed_file, 1); + setenv("X509_USER_KEY", renewed_file, 1); ret = load_proxy(cur_file, &cert, NULL, &chain, &cur_proxy); if (ret) @@ -200,7 +207,7 @@ renew_voms_certs(const char *cur_file, const char *new_file) vd = VOMS_Init(NULL, NULL); if (vd == NULL) { - fprintf(stderr, "VOMS_Init() failed\n"); + edg_wlpr_Log(LOG_ERR, "VOMS_Init() failed\n"); return 1; } @@ -208,11 +215,13 @@ renew_voms_certs(const char *cur_file, const char *new_file) if (ret == 0) { if (voms_err == VERR_NOEXT) { /* no VOMS cred, no problem; continue */ - fprintf(stderr, "No VOMS attributes found in proxy %s\n", cur_file); + /* XXX this part shouldn't be reachable, this call is only called + * if the proxy does contain VOMS attributes */ + edg_wlpr_Log(LOG_ERR, "No VOMS attributes found in proxy %s\n", cur_file); ret = 0; goto end; } else { - fprintf(stderr, "Cannot get VOMS certificate(s) from proxy"); + edg_wlpr_Log(LOG_ERR, "Cannot get VOMS certificate(s) from proxy"); ret = 1; goto end; } 
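Review bot: `setenv()` on X509_USER_PROXY/CERT/KEY changes process-wide state that every later Globus or VOMS call in this process sees, and its return value is ignored three times; if renewals run in a forked child (renewd.c tracks `child_died`, so that seems likely, but it is not visible here) this is contained, otherwise a concurrent renewal would pick up another job's key file. A comment stating why `renewed_file` is exported as both cert and key — so that VOMS_Contact authenticates with the freshly delegated proxy rather than the expiring one — would explain the three lines. Initialising `buf_len` is welcome; if any exit path read it before, that was undefined behaviour.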
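Review bot: The `VOMS_Init()` failure branch still does `return 1;`, which now skips the `end:` cleanup this commit adds: X509_USER_PROXY/CERT/KEY stay pointed at the temporary files for the rest of the process, and `cert`, `chain` and `cur_proxy` obtained by `load_proxy()` just above leak. Replace it with `ret = 1;` and `goto end;`; the `if (vd)` guard added at `end:` already makes that safe.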
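Review bot: The VERR_NOEXT branch returns `ret = 0` after logging at LOG_ERR while `new_file` has not been written; in renew.c the caller treats 0 as success, adopts `tmp_voms_proxy` — still the empty file mkstemp created — as the renewed proxy and unlinks the valid MyProxy one. If the state is really unreachable, fail it instead: `ret = 1;` keeps the existing error path and triggers the caller's `unlink(tmp_voms_proxy)`. The `XXX` comment should then say the branch is defensive rather than a tolerated no-op.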
@@ -247,21 +256,42 @@ renew_voms_certs(const char *cur_file, const char *new_file) if (ret) goto end; - ret = generate_proxy(cur_proxy, extension, new_file); + ret = load_proxy(renewed_file, NULL, NULL, NULL, &new_proxy); + if (ret) + goto end; + + ret = generate_proxy(new_proxy, extension, new_file); end: -#if 0 - if (ret) - unlink(new_file); -#endif (old_env_proxy) ? setenv("X509_USER_PROXY", old_env_proxy, 1) : unsetenv("X509_USER_PROXY"); - - VOMS_Destroy(vd); + (old_env_cert) ? setenv("X509_USER_CERT", old_env_cert, 1) : + unsetenv("X509_USER_CERT"); + (old_env_key) ? setenv("X509_USER_KEY", old_env_key, 1) : + unsetenv("X509_USER_KEY"); + + if (cert) + X509_free(cert); + if (chain) + sk_X509_pop_free(chain, X509_free); + if (vd) + VOMS_Destroy(vd); + if (cur_proxy) + globus_gsi_cred_handle_destroy(cur_proxy); + if (new_proxy) + globus_gsi_cred_handle_destroy(new_proxy); + if (buf) + free(buf); return ret; } +int +renew_voms_creds(const char *cur_file, const char *renewed_file, const char *new_file) +{ + return renew_voms_certs(cur_file, renewed_file, new_file); +} + #if 0 int main(int argc, char *argv[]) @@ -277,7 +307,7 @@ main(int argc, char *argv[]) if (globus_module_activate(GLOBUS_GSI_PROXY_MODULE) != GLOBUS_SUCCESS || globus_module_activate(GLOBUS_GSI_CERT_UTILS_MODULE) != GLOBUS_SUCCESS) { - fprintf(stderr, "[%d]: Unable to initialize Globus modules\n", getpid()); + edg_wlpr_Log(LOG_ERR, "[%d]: Unable to initialize Globus modules\n", getpid()); return 1; } -- 1.8.2.3
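Review bot: `cert` and `chain` from `load_proxy()` are now freed here next to `cur_proxy`; whether load_proxy returns independent references or objects also owned by the credential handle is not visible, and if it is the latter this is a double free — confirm and record the ownership in load_proxy's contract. `extension`, filled by the earlier my_VOMS_Export call, is never released at `end:`, and the `if (cert)`, `if (chain)`, `if (buf)` guards are redundant since `free(NULL)` and the OpenSSL `*_free(NULL)` calls are no-ops. The public `renew_voms_creds()` wrapper adds nothing over the static function it calls; renaming the static function or dropping the wrapper avoids two names for one routine. The dropped `#if 0 unlink(new_file)` is now the caller's job (renew.c unlinks on failure), which belongs in the header's documentation of the function.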