From 6d1d038a3a4b4d55a8e0f11a4118ff3fd3e2e3f3 Mon Sep 17 00:00:00 2001 From: Andrew McNab Date: Wed, 13 Jun 2007 13:17:25 +0000 Subject: [PATCH] Sync --- org.gridsite.core/CHANGES | 2 + org.gridsite.core/doc/httpd-fileserver.conf | 19 ++-- org.gridsite.core/doc/httpd-storage.conf | 164 ++++++++++++++++++++++++++++ org.gridsite.core/doc/httpd-webserver.conf | 19 ++-- org.gridsite.core/src/htproxyput.c | 1 - org.gridsite.core/src/mod_gridsite.c | 61 +++++++---- 6 files changed, 224 insertions(+), 42 deletions(-) create mode 100644 org.gridsite.core/doc/httpd-storage.conf diff --git a/org.gridsite.core/CHANGES b/org.gridsite.core/CHANGES index 3f2825b..bd0f444 100644 --- a/org.gridsite.core/CHANGES +++ b/org.gridsite.core/CHANGES @@ -1,6 +1,8 @@ * Wed Jun 13 2007 Andrew McNab - Include ctx->param->flags fix in mod_gridsite for OpenSSL 0.9.8 from Bruno Harbulot. +- Restrict export of VOMS attributes to ones present + in the last proxy of the chain to contain attributes * Fri May 10 2007 Andrew McNab - ==== GridSite version 1.5.1 ==== * Fri Feb 16 2007 Andrew McNab diff --git a/org.gridsite.core/doc/httpd-fileserver.conf b/org.gridsite.core/doc/httpd-fileserver.conf index fbc170c..c71e337 100644 --- a/org.gridsite.core/doc/httpd-fileserver.conf +++ b/org.gridsite.core/doc/httpd-fileserver.conf 
@@ -12,11 +12,8 @@ ## This file should be renamed /etc/httpd/conf/httpd.conf and Apache ## restarted to use Apache2/GridSite as a simple HTTP(S) fileserver. ## -## You do not need to install the GridSite mod_ssl.so module if you -## do not wish to use Globus Proxies or VOMS attributes, but you must -## have the mod_gridsite.so in /usr/lib/httpd/modules -## -## We're assuming you have (a) the host's hostcert.pem and hostkey.pem +## We assume that you have mod_gridsite.so in /usr/lib/httpd/modules +## and that you have (a) the host's hostcert.pem and hostkey.pem ## in /etc/grid-security/ and (b) the Certification Authorities' you ## trust have their root certs in /etc/grid-security/certificates ## @@ -26,7 +23,7 @@ ## If you want to use DN Lists in ACLs, they should be placed/downloaded ## in /etc/grid-security/dn-lists/ ## -## To start serving files, make a directory /var/www/htdocs owned by +## To start serving files, make a directory /var/www/html owned by ## apache.apache, including the file .gacl containing: ## ## @@ -95,7 +92,7 @@ TypesConfig /etc/mime.types User apache Group apache -DocumentRoot "/var/www/htdocs" +DocumentRoot "/var/www/html" AllowOverride None @@ -117,7 +114,7 @@ Listen 80 Listen 777 - + GridSiteIndexes on GridSiteAuth on GridSiteDNlists /etc/grid-security/dn-lists/ @@ -144,12 +141,12 @@ SSLVerifyClient optional SSLVerifyDepth 10 SSLOptions +ExportCertData +StdEnvVars - + GridSiteIndexes on GridSiteAuth on GridSiteDNlists /etc/grid-security/dn-lists/ - GridSiteGSIProxyLimit 0 -# GridSiteMethods GET PUT DELETE MOVE + GridSiteGSIProxyLimit 9 + GridSiteMethods GET PUT DELETE MOVE diff --git a/org.gridsite.core/doc/httpd-storage.conf b/org.gridsite.core/doc/httpd-storage.conf new file mode 100644 index 0000000..600102c --- /dev/null +++ b/org.gridsite.core/doc/httpd-storage.conf 
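Review bot: The HTTPS section of this example now sets `GridSiteGSIProxyLimit 9` and has `GridSiteMethods GET PUT DELETE MOVE` uncommented, so an admin who deploys it unchanged accepts proxies nine delegations deep and turns on the write methods from the start, with write access then decided by the .gacl files alone. The header text (visible in full in the new httpd-storage.conf, which looks like a copy of this file) still presents both as opt-in steps — "add the following directive to the HTTPS section" and a rough guide whose depths stop at 3 — so the directives and the comments no longer agree. Either keep the methods line commented as it was and pick a depth the guide describes, or update the header to say that writes and deep proxies are enabled by default and point at the .gacl as the only control. The same mismatch is in httpd-storage.conf added by this commit.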
@@ -0,0 +1,164 @@ +############################################################################## +## GridSite httpd-storage.conf - Andrew McNab +## +## For GridSite documentation, see http://www.gridsite.org/ +## +## Example configuration file for GridSite as an HTTP(S) storage server, +## listening on ports 80/777 (HTTP) and 443/488 (HTTPS) +## +## (777/488 is to allow firewalls to distinguish between Grid and +## Web HTTP(S) traffic. See http://www.gridsite.org/wiki/IP_Ports ) +## +## This file should be renamed /etc/httpd/conf/httpd.conf and Apache +## restarted to use Apache2/GridSite as a simple HTTP(S) fileserver. +## +## We assume that you have mod_gridsite.so in /usr/lib/httpd/modules +## and that you have (a) the host's hostcert.pem and hostkey.pem +## in /etc/grid-security/ and (b) the Certification Authorities' you +## trust have their root certs in /etc/grid-security/certificates +## +## (You can get RPMs for many European and North American Grid CAs +## from https://datagrid.in2p3.fr/distribution/datagrid/security/ ) +## +## If you want to use DN Lists in ACLs, they should be placed/downloaded +## in /etc/grid-security/dn-lists/ +## +## To start serving files, make a directory /var/www/html owned by +## apache.apache, including the file .gacl containing: +## +## +## +## +## +## +## +## +## To enable writing, add DN List, Person or VOMS entries to the GACL +## (see the GridSite GACL document for the syntax.) For example: +## +## +## +## +## +## +## +## +## /C=UK/O=eScience/OU=Manchester/L=HEP/CN=Andrew McNab +## +## +## +## +## +## and add the following directive to the HTTPS section: +## +## GridSiteMethods GET PUT DELETE MOVE +## +## If you wish to accept Globus GSI Proxies as well as full X.509 user +## certificates, set GridSiteGSIProxyLimit to the depth of proxy you +## wish to accept. +## +## (As a _rough_ guide: 0=No Proxies; 1=Proxy on user's machine; 2=Proxy +## owned by running Globus job; 3=Proxy delegated by a Globus job.) 
+## +## With this done and Apache restarted, you can upload a file with: +## +## curl -v --cert ~/.globus/usercert.pem --key ~/.globus/userkey.pem \ +## --capath /etc/grid-security/certificates --upload-file /tmp/tmp.txt \ +## https://INSERT.HOSTNAME.HERE/tmp.txt +## +## (or with --cert /tmp/x509up_u`id -u` --key /tmp/x509up_u`id -u` to use +## a Globus GSI Proxy created with grid-proxy-init.) +## +############################################################################## + +ServerRoot "/etc/httpd" + +#######!!!!!!!!!!!!!!!!!!!! +ServerName pc63.hep.man.ac.uk + +PidFile logs/httpd.pid + +Timeout 300 +KeepAlive On +MaxKeepAliveRequests 100 +KeepAliveTimeout 15 + +LoadModule log_config_module /usr/lib/httpd/modules/mod_log_config.so +LoadModule ssl_module /usr/lib/httpd/modules/mod_ssl.so +LoadModule gridsite_module /usr/lib/httpd/modules/mod_gridsite.so +LoadModule mime_module /usr/lib/httpd/modules/mod_mime.so +LoadModule dir_module /usr/lib/httpd/modules/mod_dir.so + +TypesConfig /etc/mime.types + +# User and group who will own files created by Apache +User apache +Group apache + +DocumentRoot "/var/www/html" + + + AllowOverride None + + +LogLevel debug +LogFormat "%h \"%{SSL_CLIENT_S_DN}x\" %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined + +CustomLog logs/httpd-gridsite-access combined +ErrorLog logs/httpd-gridsite-errors + +HostnameLookups On + +# Enable SiteCast location of files via multicast +GridSiteCastGroup 224.0.1.111:777 + +###################################################################### +# Plain unauthenticated HTTP on ports 80 and 777 +###################################################################### + +Listen 80 +Listen 777 + + +GridSiteGridHTTP on +GridSiteCastAlias http://sitecast.domain:777/ /var/www/html + + + GridSiteIndexes on + GridSiteAuth on + GridSiteDNlists /etc/grid-security/dn-lists/ + + + + +###################################################################### +# Secured and possibly authenticated HTTPS 
on ports 443 and 488 +###################################################################### +Listen 443 +Listen 488 +SSLSessionCacheTimeout 300 +SSLSessionCache shm:/var/cache/mod_ssl/shm_cache + + + +SSLEngine on +SSLCertificateFile /etc/grid-security/hostcert.pem +SSLCertificateKeyFile /etc/grid-security/hostkey.pem +SSLCACertificatePath /etc/grid-security/certificates +#SSLCARevocationPath YOUR CRL DIRECTORY WOULD GO HERE +SSLVerifyClient optional +SSLVerifyDepth 10 +SSLOptions +ExportCertData +StdEnvVars + +GridSiteGridHTTP on +GridSiteCastAlias https://sitecast.domain:777/ /var/www/html + + + GridSiteIndexes on + GridSiteAuth on + GridSiteDNlists /etc/grid-security/dn-lists/ + GridSiteGSIProxyLimit 9 + GridSiteMethods GET PUT DELETE MOVE + + + diff --git a/org.gridsite.core/doc/httpd-webserver.conf b/org.gridsite.core/doc/httpd-webserver.conf index 710bb12..f51c6a3 100644 --- a/org.gridsite.core/doc/httpd-webserver.conf +++ b/org.gridsite.core/doc/httpd-webserver.conf @@ -13,11 +13,8 @@ ## This file should be renamed /etc/httpd/conf/httpd.conf and Apache ## restarted to use Apache2/GridSite as a webserver. ## -## You do not need to install the GridSite mod_ssl.so module if you -## do not wish to use Globus Proxies or VOMS attributes, but you must -## have the mod_gridsite.so in /usr/lib/httpd/modules -## -## We're assuming you have (a) the host's hostcert.pem and hostkey.pem +## We assume you have mod_gridsite.so in /usr/lib/httpd/modules +## and that you have (a) the host's hostcert.pem and hostkey.pem ## in /etc/grid-security/ and (b) the Certification Authorities' you ## trust have their root certs in /etc/grid-security/certificates ## 
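Review bot: `ServerName pc63.hep.man.ac.uk` hard-codes one particular machine into a shipped template, marked only by the `#######!!!!!!!!!!!!!!!!!!!!` line above it, so anyone who misses that marker runs with another site's name. The header already uses a placeholder in its curl example; `ServerName INSERT.HOSTNAME.HERE` with a `# Replace with this host's fully-qualified name` comment would be consistent with it. `LogLevel debug` is also unusually verbose for a production template, and `#SSLCARevocationPath` is left commented out, so revocation checking is off until the admin fills it in — a one-line comment saying that explicitly would help readers who take the file as-is.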
@@ -25,10 +22,10 @@ ## from https://datagrid.in2p3.fr/distribution/datagrid/security/ ) ## ## If you want to use DN Lists in ACLs, they should be placed/downloaded -## in /etc/grid-security/dn-lists/ or /var/www/htdocs/dn-lists/ +## in /etc/grid-security/dn-lists/ or /var/www/html/dn-lists/ ## (Lists in /etc/grid-security/dn-lists/ override lists elsewhere.) ## -## To start serving files, make a directory /var/www/htdocs owned by +## To start serving files, make a directory /var/www/html owned by ## apache.apache, including the file .gacl containing: ## ## @@ -102,7 +99,7 @@ TypesConfig /etc/mime.types User apache Group apache -DocumentRoot "/var/www/htdocs" +DocumentRoot "/var/www/html" AllowOverride None @@ -128,7 +125,7 @@ Listen 777 ## and to allow you to edit files and ACLs via your browser. ScriptAlias /real-gridsite-admin.cgi /usr/sbin/real-gridsite-admin.cgi - + ## This sets up GACL authorization for this server. GridSiteAuth on @@ -177,7 +174,7 @@ SSLOptions +ExportCertData +StdEnvVars ## and to allow you to edit files and ACLs via your browser. ScriptAlias /real-gridsite-admin.cgi /usr/sbin/real-gridsite-admin.cgi - + ## This sets up GACL authorization for this server. GridSiteAuth on @@ -197,7 +194,7 @@ ScriptAlias /real-gridsite-admin.cgi /usr/sbin/real-gridsite-admin.cgi ## GACL to search when it encounters a dn-list credential. The DN List ## files are plain text, one DN per line, and must have the full url ## as the file name, but URL Encoded - eg with urlencode(1) - GridSiteDNlists /etc/grid-security/dn-lists/:/var/www/htdocs/dn-lists/ + GridSiteDNlists /etc/grid-security/dn-lists/:/var/www/html/dn-lists/ ## This is used to form the URL at which DN Lists "owned" by this ## server are exported. https://FULL.SERVER.NAME/dn-lists/file diff --git a/org.gridsite.core/src/htproxyput.c b/org.gridsite.core/src/htproxyput.c index 6680fbb..df1ff8b 100644 --- a/org.gridsite.core/src/htproxyput.c +++ b/org.gridsite.core/src/htproxyput.c 
@@ -1,4 +1,3 @@ -#define HT_LEAK_TEST /* Copyright (c) 2002-6, Andrew McNab, University of Manchester All rights reserved. diff --git a/org.gridsite.core/src/mod_gridsite.c b/org.gridsite.core/src/mod_gridsite.c index a0fe7ef..0841f76 100644 --- a/org.gridsite.core/src/mod_gridsite.c +++ b/org.gridsite.core/src/mod_gridsite.c @@ -62,6 +62,7 @@ #include #include +#include #include #include @@ -1885,7 +1886,7 @@ static const char *mod_gridsite_take2_cmds(cmd_parms *a, void *cfg, const char *parm1, const char *parm2) { int i; - char *p, *q; + char *p, *q, buf[APRMAXHOSTLEN + 1] = "localhost"; if (strcasecmp(a->cmd->name, "GridSiteUserGroup") == 0) { @@ -1951,7 +1952,13 @@ static const char *mod_gridsite_take2_cmds(cmd_parms *a, void *cfg, sitecastaliases[i].sitecast_url = apr_pstrdup(a->pool, parm1); sitecastaliases[i].local_path = apr_pstrdup(a->pool, parm2); - sitecastaliases[i].local_hostname = apr_pstrdup(a->pool, + + if (a->server->server_hostname == NULL) + { + apr_gethostname(buf, APRMAXHOSTLEN + 1, a->pool); + sitecastaliases[i].local_hostname = apr_pstrdup(a->pool, buf); + } + else sitecastaliases[i].local_hostname = apr_pstrdup(a->pool, a->server->server_hostname); break; @@ -2203,7 +2210,7 @@ int GRST_load_ssl_creds(SSL *ssl, conn_rec *conn) void GRST_save_ssl_creds(conn_rec *conn, GRSTx509Chain *grst_chain) { - int i, lastcred; + int i, lastcred, lowest_voms_delegation = 65535; char envname[14], *tempfile = NULL, *sessionfile, session_id[(SSL_MAX_SSL_SESSION_ID_LENGTH+1)*2]; apr_file_t *fp = NULL; 
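Review bot: In the `@@ -1951` hunk the status returned by `apr_gethostname(buf, APRMAXHOSTLEN + 1, a->pool);` is discarded, so the `"localhost"` initializer added in the `@@ -1885` hunk only works as a fallback if a failing call leaves `buf` untouched, which I do not believe APR promises; whatever is in `buf` then becomes `sitecastaliases[i].local_hostname`. Checking the status makes the fallback explicit: `if (apr_gethostname(buf, APRMAXHOSTLEN + 1, a->pool) != APR_SUCCESS) apr_cpystrn(buf, "localhost", sizeof buf);`. Passing `sizeof buf` instead of repeating `APRMAXHOSTLEN + 1` would also keep the length tied to the declaration. mod_gridsite_take2_cmds begins before these hunks and its body continues after the `break;`.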
@@ -2241,64 +2248,80 @@ void GRST_save_ssl_creds(conn_rec *conn, GRSTx509Chain *grst_chain) APR_CREATE | APR_WRITE | APR_EXCL, conn->pool); } - grst_cert = grst_chain->firstcert; + i=0; - for (i=0; grst_cert != NULL; grst_cert = grst_cert->next) + for (grst_cert = grst_chain->firstcert; + grst_cert != NULL; grst_cert = grst_cert->next) { if (grst_cert->type == GRST_CERT_TYPE_VOMS) { + /* want to record the delegation level + of the last proxy with VOMS attributes */ + + lowest_voms_delegation = grst_cert->delegation; + } + else if ((grst_cert->type == GRST_CERT_TYPE_EEC) || + (grst_cert->type == GRST_CERT_TYPE_PROXY)) + { apr_table_setn(conn->notes, apr_psprintf(conn->pool, "GRST_CRED_AURI_%d", i), - apr_pstrcat(conn->pool, "fqan:", grst_cert->value, NULL)); + apr_pstrcat(conn->pool, "dn:", grst_cert->dn, NULL)); - if (fp != NULL) apr_file_printf(fp, "GRST_CRED_AURI_%d=fqan:%s\n", - i, grst_cert->value); + if (fp != NULL) apr_file_printf(fp, "GRST_CRED_AURI_%d=dn:%s\n", + i, grst_cert->dn); apr_table_setn(conn->notes, apr_psprintf(conn->pool, "GRST_CRED_VALID_%d", i), apr_psprintf(conn->pool, "notbefore=%ld notafter=%ld delegation=%d nist-loa=%d", grst_cert->notbefore, - grst_cert->notafter, + grst_cert->notafter, grst_cert->delegation, 0)); if (fp != NULL) apr_file_printf(fp, "GRST_CRED_VALID_%d=notbefore=%ld notafter=%ld delegation=%d nist-loa=%d\n", i, grst_cert->notbefore, - grst_cert->notafter, + grst_cert->notafter, grst_cert->delegation, 0); ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, conn->base_server, - "store GRST_CRED_AURI_%d=fqan:%s", i, grst_cert->value); + "store GRST_CRED_AURI_%d=dn:%s", i, grst_cert->dn); ++i; } - else if ((grst_cert->type == GRST_CERT_TYPE_EEC) || - (grst_cert->type == GRST_CERT_TYPE_PROXY)) + } + + for (grst_cert = grst_chain->firstcert; + grst_cert != NULL; grst_cert = grst_cert->next) + { + if ((grst_cert->type == GRST_CERT_TYPE_VOMS) && + (grst_cert->delegation == lowest_voms_delegation)) { + /* only export attributes from the 
last proxy to contain them */ + apr_table_setn(conn->notes, apr_psprintf(conn->pool, "GRST_CRED_AURI_%d", i), - apr_pstrcat(conn->pool, "dn:", grst_cert->dn, NULL)); + apr_pstrcat(conn->pool, "fqan:", grst_cert->value, NULL)); - if (fp != NULL) apr_file_printf(fp, "GRST_CRED_AURI_%d=dn:%s\n", - i, grst_cert->dn); + if (fp != NULL) apr_file_printf(fp, "GRST_CRED_AURI_%d=fqan:%s\n", + i, grst_cert->value); apr_table_setn(conn->notes, apr_psprintf(conn->pool, "GRST_CRED_VALID_%d", i), apr_psprintf(conn->pool, "notbefore=%ld notafter=%ld delegation=%d nist-loa=%d", grst_cert->notbefore, - grst_cert->notafter, + grst_cert->notafter, grst_cert->delegation, 0)); if (fp != NULL) apr_file_printf(fp, "GRST_CRED_VALID_%d=notbefore=%ld notafter=%ld delegation=%d nist-loa=%d\n", i, grst_cert->notbefore, - grst_cert->notafter, + grst_cert->notafter, grst_cert->delegation, 0); ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, conn->base_server, - "store GRST_CRED_AURI_%d=dn:%s", i, grst_cert->dn); + "store GRST_CRED_AURI_%d=fqan:%s", i, grst_cert->value); ++i; } -- 1.8.2.3
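Review bot: The first loop assigns `lowest_voms_delegation = grst_cert->delegation;` unconditionally, so after the loop it holds the delegation of whichever VOMS entry comes last in list order — not necessarily the lowest value the name suggests, and the two coincide only if GRSTx509Chain keeps entries in descending delegation order, which this hunk does not show. Because this value decides which attribute set is exported as GRST_CRED_AURI_* and into the session file, the selection should be explicit in the code rather than implied by list order: either compare before assigning, `if (grst_cert->delegation < lowest_voms_delegation) lowest_voms_delegation = grst_cert->delegation;`, if the lowest delegation is what is meant, or rename the variable to say "last in chain" and state the ordering assumption in the comment. `65535` is a magic sentinel; a named constant with a comment that no real delegation level reaches it would make the "no VOMS entry found" case readable. GRST_save_ssl_creds starts before this hunk (its declaration of `lowest_voms_delegation` is in the `@@ -2203` hunk) and continues after it.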