From 5cc155737611f922bade635e6fe3f8dace23f3d6 Mon Sep 17 00:00:00 2001 From: Andrew McNab Date: Tue, 27 Jun 2006 15:39:25 +0000 Subject: [PATCH] Add gridsite-ws back in --- org.gridsite.core/doc/delegation-1.1.0.wsdl | 459 ++++++++++++++++++++++++++++ org.gridsite.core/doc/gridsite-delegation.8 | 19 ++ org.gridsite.core/doc/htproxydestroy.1 | 1 + org.gridsite.core/doc/htproxyput.1 | 109 +++++++ org.gridsite.core/doc/htproxyrenew.1 | 1 + org.gridsite.core/doc/htproxytime.1 | 1 + org.gridsite.core/doc/htproxyunixtime.1 | 1 + 7 files changed, 591 insertions(+) create mode 100644 org.gridsite.core/doc/delegation-1.1.0.wsdl create mode 100644 org.gridsite.core/doc/gridsite-delegation.8 create mode 100644 org.gridsite.core/doc/htproxydestroy.1 create mode 100644 org.gridsite.core/doc/htproxyput.1 create mode 100644 org.gridsite.core/doc/htproxyrenew.1 create mode 100644 org.gridsite.core/doc/htproxytime.1 create mode 100644 org.gridsite.core/doc/htproxyunixtime.1 diff --git a/org.gridsite.core/doc/delegation-1.1.0.wsdl b/org.gridsite.core/doc/delegation-1.1.0.wsdl new file mode 100644 index 0000000..df7e1f2 --- /dev/null +++ b/org.gridsite.core/doc/delegation-1.1.0.wsdl 
@@ -0,0 +1,459 @@ + + + + + + + + + + The cause of the delegation exception on the server side. + + + + + + + + + + New proxy certificate request, containing the certificate + request and a generated delegation ID. + + + + + + + The new RFC 3280 style proxy certificate request + in PEM format with Base64 encoding. + + + + + + + The ID associated with the new delegation session. + + + + + + + + + + + + The ID of the new delegation session, specified by the client. + The ID can be empty. + + + + + + + The new RFC 3280 style proxy certificate request + in PEM format with Base64 encoding. + + + + + + + + The ID of an already existing delegation session, + initiated by getProxyReq() or getNewProxyReq(). + + + + + RFC 3280 style proxy certificate, signed by the + client, in PEM format with Base64 encoding. + + + + + + + + + The ID of an already existing delegation session, + where the client wants to renew the delegated + credential. + + + + + + + The new RFC 3280 style proxy certificate request, + which is to replace the existing one, + in PEM format with Base64 encoding. + + + + + + + + + The server side generated ID of the new delegation + session and the new RFC 3280 style proxy certificate + request in PEM format with Base64 encoding. + + + + + + + + The ID of an already existing delegation session to be queried. + + + + + + + The date and time when the delegated credentials will expire. + + + + + + + + The ID of an already existing delegation session to be destroyed. + + + + + + + + + + + + Delegation interface. + + + + + + Starts the delegation procedure by asking for a certificate + signing request from the server. The server answers with a + certificate signing request which includes the public key + for the new delegated credentials. putProxy() has to be + called to finish the procedure. + + + + Check if a delegation ID was provided. If not, generate a delegation + id by hashing the client DN and client VOMS attributes. 
+ + + Check if the delegation ID already exists in the + storage-area. If it does + (a credential renewal is happening), check + existing info (DN and VOMS attributes) against client info. + Throw exception if they do not match. + + + Create a new private/public key-pair (see also Key + Generation Semantics). + + + Generate a new proxy certificate request. + + + Store private key and cert request in + storage-cache-area, along with the + requesting DN and VOMS attributes. + + + + + + + + The client's DN and VOMS attributes do not match the stored ones, + i.e. the client is not authorized. + + + + + + + + Starts the delegation procedure by asking for a certificate + signing request from the server. The server answers with a + certificate signing request which includes the public key + for the new delegated credentials. putProxy() has to be + called to finish the procedure. + + + + Generate a delegation + ID by hashing the client DN and client VOMS attributes. + + + Check if the delegation ID already exists in the + storage-area. If it does, check + existing info (DN and VOMS attributes) against client info. + Throw exception if they do not match, because then this is + the rare case of hash collision, i.e. two different clients + are mapped to the same delegation ID. + + + Create a new private/public key-pair (see also Key + Generation Semantics). + + + Generate a new certificate request. + + + Store private key and cert request in + storage-cache-area, along with the + requesting DN and VOMS attributes. + + + + + + + + There were already credentials associated to the delegation ID. + + + + + + + + Finishes the delegation procedure by sending the signed + proxy certificate to the server. + + + + Check if a delegation ID was provided. If not, generate a + delegation id by hashing the client DN and client VOMS + attributes. + + + Check if the delegation ID already exists in the + storage-area. 
If it does, check + existing info (DN and VOMS attributes) against client info. + Throw exception if it does not match. + + + Check, if client information matches proxy information. + + + Check given proxy against private key of delegation ID in + storage-cache-area. If they do not + match, throw exception. + + + Store proxy in storage-area + and clean up the storage-cache-area. + + + + + + + + + There were no cached credentials associated to the delegation ID + (neither + getNewProxyReq() nor + + renewProxyReq() was called previously), + or the client's DN and VOMS attributes do not match the stored ones, + i.e. the client is not authorized. + + + + + + + + + Restarts the delegation procedure by asking for a certificate + signing request from the server for an already existing delegation ID. + The server answers with a certificate signing request which includes + the public key for new delegated credentials. putProxy() has to be + called to finish the procedure. + + + + Check if a delegation ID was provided. If not, generate a delegation + id by hashing the client DN and client VOMS attributes. + + + Check if the delegation ID already exists in the + storage-area. If it does + not, then throw an exception. + + + Check if the existing info (DN and VOMS attributes) against client info. + Throw exception if they do not match. + + + Create a new private/public key-pair (see also Key + Generation Semantics). + + + Generate a new certificate request. + + + Store private key and cert request in + storage-cache-area, along with the + requesting DN and VOMS attributes. + + + + + + + + There were no credentials associated to the delegation ID, or the + client's DN and VOMS attributes do not match the stored ones, i.e. + the client is not authorized. + + + + + + + Returns the termination (expiration) date and time of the credential, + associated with the given delegaion ID. 
If there was no delegation ID, + then generate one by hashing the client DN and client VOMS attributes. + + + + + + There were no credentials associated to the delegation ID, or the + client's DN and VOMS attributes do not match the stored ones, i.e. + the client is not authorized. + + + + + + + + Destroys the delegated credentials associated with the + given delegation ID immediately. If there was no delegation ID, + then generate one by hashing the client DN and client VOMS attributes. + + + + + + There were no credentials associated to the delegation ID, or the + client's DN and VOMS attributes do not match the stored ones, i.e. + the client is not authorized. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/org.gridsite.core/doc/gridsite-delegation.8 b/org.gridsite.core/doc/gridsite-delegation.8 new file mode 100644 index 0000000..41ce1e3 --- /dev/null +++ b/org.gridsite.core/doc/gridsite-delegation.8 @@ -0,0 +1,19 @@ +.TH gridsite-delegation 8 "March 2006" "gridsite-delegation" "GridSite Manual" +.SH NAME +.B gridsite-delegation.cgi +\- CGI implementation of GridSite/gLite GSI delegation Web Service +.SH SYNOPSIS +.B gridsite-delegation.cgi + +.SH DESCRIPTION +.B gridsite-delegation.cgi +is a server-side implementation of the GridSite/gLite GSI delegation Web +Service + +.SH AUTHOR +Andrew McNab + +gridsite-delegation.cgi is part of GridSite: http://www.gridsite.org/ + +.SH "SEE ALSO" +.BR htproxyput(1) diff --git a/org.gridsite.core/doc/htproxydestroy.1 b/org.gridsite.core/doc/htproxydestroy.1 new file mode 100644 index 0000000..57f80ce --- /dev/null +++ b/org.gridsite.core/doc/htproxydestroy.1 @@ -0,0 +1 @@ +.so man1/htproxyput.1 diff --git a/org.gridsite.core/doc/htproxyput.1 b/org.gridsite.core/doc/htproxyput.1 new file mode 100644 index 0000000..3d2bf04 --- /dev/null 
+++ b/org.gridsite.core/doc/htproxyput.1 
@@ -0,0 +1,109 @@ +.TH HTPROXYPUT 1 "March 2006" "htproxyput" "GridSite Manual" +.SH NAME +.B htproxyput, htproxydestroy, htproxytime, htproxyunixtime, htproxyrenew +\- GSI proxy delegations and querying, using GridSite/gLite delegation API +.SH SYNOPSIS +.B htproxyput, htproxydestroy, htproxytime, htproxyunixtime, htproxyrenew +[options] Service-URL + +.SH DESCRIPTION +.B htproxyput +is a client to perform GSI proxy delegations using the GridSite/gLite +delegation Web Service portType. The gridsite-delegation(8) CGI program is +the complementary server-side implementation. + +.SH OPTIONS +.IP "-v/--verbose" +Turn on debugging information. + +.IP "--delegation-id " +Explicitly specify the Delegation ID to use. + +.IP "--destroy" +Instead of delegating a proxy, delete the proxy from the service's proxy +cache. Calling the program as htproxydestroy has the same effect. + +.IP "--time" +Instead of delegating a proxy, report the expiration time of the proxy, +in the local time of the client. Calling the program as htproxytime has the +same effect. + +.IP "--unixtime" +Instead of delegating a proxy, report the expiration time of the proxy, as +the number of seconds since 00:00:00 1970-01-01 UTC. Calling the program as +htproxyunixtime has the same effect. + +.IP "--renew" +Delegate an updated version of an existing proxy. The Delegation ID +.B must +be given when using this option. Calling the program as htproxyrenew has the +same effect. + +.IP "--cert and --key " +Path to the PEM-encoded +X.509 or GSI Proxy user certificate and key to use for HTTPS +connections, intead of "anonymous mode." If only one of --key or --cert +is given, then that will be tried for both. 
If neither is given, then the +following order of precedence is used: +the file name held by the variable X509_USER_PROXY; the file +/tmp/x509up_uID (with Unix UID equal to ID); the file names held by +X509_USER_CERT / X509_USER_KEY; the files ~/.globus/usercert.pem and +~/.globus/userkey.pem (where ~/ is the home directory of the user.) + +.IP "--capath " +Path to the PEM-encoded CA root certificates to use when +verifying remote servers' host certificates in HTTPS connections. Ideally +this should be a directory of hash.0 files as described in the OpenSSL +verify(1) man page, but a file may be used instead. If --capath is not +given, the value of the environment variable X509_CERT_DIR will be tried. +If this is not valid, then /etc/grid-security/certificates will be used. + +.IP "--no-verify" +Do not use CA root certificates to verify remote servers' host certificates. +This is useful for testing sites before their certificate is set up properly, +but leaves you vulnerable to "man in the middle" attacks by hostile servers +masquerading as your target. + +.SH FILES +.IP /tmp/x509up_uID +Default GSI Proxy file for Unix UID equal to ID. + +.IP /etc/grid-security/certificates +Default location for trusted Certification Authority root certificates to use +when checking server certificates. + +.IP /tmp/.ca-roots-XXXXXX +Prior to 7.9.8, the underlying curl library did not support the CA root +certificates directory. +If built with an old version of libcurl, htproxyput will concatenate the +certificates in the CA roots directory into a unique temporary file and use +that. + +.SH ENVIRONMENT + +.IP X509_CERT_DIR +Holds directory to search for Certification Authority root certificates when +verifying server certificates. (Tried if --capath is not given on the +command line.) + +.IP X509_USER_PROXY +Holds file name of a GSI Proxy to use as user certificate. (Tried if --cert or +--key are not given on the command line.) 
+ +.IP "X509_USER_CERT and X509_USER_KEY" +Holds file name of X.509 user certificate and key. (Tried if X509_USER_PROXY +is not valid.) + +.SH EXIT CODES +0 is returned on complete success, and non-zero on error. + +.SH TO DO +Better error recovery. + +.SH AUTHOR +Andrew McNab + +htproxyput is part of GridSite: http://www.gridsite.org/ +.SH "SEE ALSO" +.BR htcp(1), +.BR gridsite-delegation(8) diff --git a/org.gridsite.core/doc/htproxyrenew.1 b/org.gridsite.core/doc/htproxyrenew.1 new file mode 100644 index 0000000..57f80ce --- /dev/null +++ b/org.gridsite.core/doc/htproxyrenew.1 @@ -0,0 +1 @@ +.so man1/htproxyput.1 diff --git a/org.gridsite.core/doc/htproxytime.1 b/org.gridsite.core/doc/htproxytime.1 new file mode 100644 index 0000000..57f80ce --- /dev/null +++ b/org.gridsite.core/doc/htproxytime.1 @@ -0,0 +1 @@ +.so man1/htproxyput.1 diff --git a/org.gridsite.core/doc/htproxyunixtime.1 b/org.gridsite.core/doc/htproxyunixtime.1 new file mode 100644 index 0000000..57f80ce --- /dev/null +++ b/org.gridsite.core/doc/htproxyunixtime.1 @@ -0,0 +1 @@ +.so man1/htproxyput.1 -- 1.8.2.3
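Review bot: In the delegation-1.1.0.wsdl hunk, the getNewProxyReq() fault text ("There were already credentials associated to the delegation ID.") contradicts the operation's own listed steps, which throw only when the stored DN and VOMS attributes differ from the client's ("the rare case of hash collision"); state which behaviour is intended, since a caller needs to know whether getNewProxyReq() on an ID that already exists for the same client is treated as a renewal or as an error. Two further documentation gaps in the same hunk: the putProxy() fault says "neither getNewProxyReq() nor renewProxyReq() was called previously" but omits getProxyReq(), which the hunk itself describes as starting a session; and because every operation derives the delegation ID by hashing the client DN and VOMS attributes when none is supplied, the interface description should say explicitly that the stored DN/VOMS comparison is the only control stopping one client from querying, renewing or destroying another client's delegation under a colliding ID, so implementers know that check is mandatory rather than optional. Minor: "delegaion ID" in getTerminationTime, "Throw exception if it does not match" in putProxy (should be "they"), and "Check if the existing info (DN and VOMS attributes) against client info." in renewProxyReq is missing a verb ("Check the existing info ... against client info.").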
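Review bot: In the gridsite-delegation.8 hunk, the SEE ALSO line `.BR htproxyput(1)` passes a single argument, so all of "htproxyput(1)" renders bold; the conventional form is `.BR htproxyput (1)` so that only the name is bold. The DESCRIPTION sentence ("is a server-side implementation of the GridSite/gLite GSI delegation Web Service") has no terminating period, and the page says nothing about where the storage-area and storage-cache-area referred to throughout delegation-1.1.0.wsdl live or what permissions they require; a FILES section naming the proxy cache location would let an administrator verify that the stored private keys and delegated proxies are not readable by other local users. The .TH date reads "March 2006" while the patch itself is dated June 2006.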
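Review bot: In the htproxyput.1 hunk, the --no-verify entry should spell out the consequence for this particular tool: because htproxyput sends a signed proxy certificate to whatever answers at Service-URL, disabling host-certificate verification hands the delegated credential to any server able to impersonate the target, not merely the ability to observe traffic; suggest ending the entry with "... masquerading as your target, which would then receive your delegated proxy." Also in this hunk: "intead" in the --cert/--key entry should be "instead"; the option lines `.IP "--delegation-id "`, `.IP "--cert and --key "` and `.IP "--capath "` end in a space with no argument placeholder as the hunk reads, so the rendered page would not show what value each option takes (e.g. `--capath <dir>`); "Prior to 7.9.8" in the /tmp/.ca-roots-XXXXXX entry should name libcurl explicitly, and that entry should state whether the temporary concatenated CA file is removed on exit; and `.BR htcp(1),` in SEE ALSO has the same .BR spacing problem as the other man page (`.BR htcp (1),`).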