From cbe21b2af1192f5918913a876222446f3f71cbb4 Mon Sep 17 00:00:00 2001 From: Andrew McNab Date: Wed, 6 Jun 2007 17:23:32 +0000 Subject: [PATCH] SlashGrid fixes --- org.gridsite.core/doc/slashgrid.8 | 28 ++++++++- org.gridsite.core/interface/gridsite.h | 2 + org.gridsite.core/src/Makefile | 29 +++++---- org.gridsite.core/src/grst_gacl.c | 4 +- org.gridsite.core/src/make-gridsite-spec | 10 +-- org.gridsite.core/src/mod_gridsite.c | 16 +++-- org.gridsite.core/src/slashgrid.c | 104 +++++++++++++++++++++---------- 7 files changed, 133 insertions(+), 60 deletions(-) diff --git a/org.gridsite.core/doc/slashgrid.8 b/org.gridsite.core/doc/slashgrid.8 index ce6f37d..f9a3360 100644 --- a/org.gridsite.core/doc/slashgrid.8 +++ b/org.gridsite.core/doc/slashgrid.8 @@ -27,6 +27,10 @@ file, either indicated by the variable X509_USER_PROXY in the environment of the user's process, or a file of the form /tmp/x509up_uUID, where UID is their Unix user ID. If none is found, an authenticated HTTPS request is made. +SlashGrid searches /etc/grid-security/certificates by default for CA root +files when verifying the host certificate of remote servers. This can be +overriden by users setting the variable X509_CERT_DIR in their environment. + .SH "SITECAST DOMAINS" If the slashgrid daemon is started with the option --domain, then URLs @@ -39,6 +43,14 @@ which will be searched in order. The SiteCast area of the virtual filesystem is read-only (to prevent corruption of replicas.) +.TP +--domain DOMAIN +SiteCast domain to use. + +.TP +--groups GROUPS +SiteCast multicast groups to query. + .SH "LOCAL FILESYSTEM" This filesystem is intended for use with GridSite/Apache webservers, which @@ -46,7 +58,21 @@ control access via .gacl policy files in each directory hierarchy. SlashGrid can interpret these files internally, and this allows other services, such as GridFTP running in chroot mode, to share access to a common file store. -.SH "OPTIONS" +.TP +--local-root PATH +Top level directory in the underlying filesystem, which will be mapped to +/grid/local/ + +.TP +--local-user USER +Local user who will own the files created in the underlying filesystem. + +.TP +--gridmapdir PATH +Private gridmapdir used for mapping of pool users back to X.509 DNs. For +example, after configuring GridFTP to use this gridmapdir. + +.SH "OTHER OPTIONS" .TP --debug diff --git a/org.gridsite.core/interface/gridsite.h b/org.gridsite.core/interface/gridsite.h index eecbfe0..30bb91f 100644 --- a/org.gridsite.core/interface/gridsite.h +++ b/org.gridsite.core/interface/gridsite.h @@ -81,6 +81,8 @@ void (*GRSTerrorLogFunc)(char *, int, int, char *, ...); #define GRST_LOG_INFO 6 #define GRST_LOG_DEBUG 7 +#define GRST_MAX_TIME_T INT32_MAX + typedef struct { char *auri; int delegation; int nist_loa; diff --git a/org.gridsite.core/src/Makefile b/org.gridsite.core/src/Makefile index 4d89818..c05f731 100644 --- a/org.gridsite.core/src/Makefile +++ b/org.gridsite.core/src/Makefile @@ -44,6 +44,10 @@ ifndef prefix export prefix=/usr/local endif +ifndef libdir +export libdir=lib +endif + ifndef MYCFLAGS export MYCFLAGS=-I. -I../interface $(HTTPD_FLAGS) -I/usr/include/httpd -I/usr/include/apr-0 -I/opt/glite/include -fPIC endif @@ -338,7 +342,7 @@ clean: install: apidoc install-lib mkdir -p $(prefix)/include \ - $(prefix)/lib \ + $(prefix)/$(libdir) \ $(prefix)/bin \ $(prefix)/sbin \ $(prefix)/share/man/man1 \ @@ -379,23 +383,23 @@ install: apidoc install-lib cp -f mod_gridsite.so $(prefix)/lib/httpd/modules install-lib: - mkdir -p $(prefix)/lib - cp -f libgridsite.a $(prefix)/lib - cp -f libgridsite.so.$(PATCH_VERSION) $(prefix)/lib + mkdir -p $(prefix)/$(libdir) + cp -f libgridsite.a $(prefix)/$(libdir) + cp -f libgridsite.so.$(PATCH_VERSION) $(prefix)/$(libdir) ln -sf libgridsite.so.$(PATCH_VERSION) \ - $(prefix)/lib/libgridsite.so + $(prefix)/$(libdir)/libgridsite.so ln -sf libgridsite.so.$(PATCH_VERSION) \ - $(prefix)/lib/libgridsite.so.$(MAJOR_VERSION) + $(prefix)/$(libdir)/libgridsite.so.$(MAJOR_VERSION) ln -sf libgridsite.so.$(PATCH_VERSION) \ - $(prefix)/lib/libgridsite.so.$(MINOR_VERSION) - cp -f libgridsite_globus.a $(prefix)/lib - cp -f libgridsite_globus.so.$(PATCH_VERSION) $(prefix)/lib + $(prefix)/$(libdir)/libgridsite.so.$(MINOR_VERSION) + cp -f libgridsite_globus.a $(prefix)/$(libdir) + cp -f libgridsite_globus.so.$(PATCH_VERSION) $(prefix)/$(libdir) ln -sf libgridsite_globus.so.$(PATCH_VERSION) \ - $(prefix)/lib/libgridsite_globus.so + $(prefix)/$(libdir)/libgridsite_globus.so ln -sf libgridsite_globus.so.$(PATCH_VERSION) \ - $(prefix)/lib/libgridsite_globus.so.$(MAJOR_VERSION) + $(prefix)/$(libdir)/libgridsite_globus.so.$(MAJOR_VERSION) ln -sf libgridsite_globus.so.$(PATCH_VERSION) \ - $(prefix)/lib/libgridsite_globus.so.$(MINOR_VERSION) + $(prefix)/$(libdir)/libgridsite_globus.so.$(MINOR_VERSION) install-slashgrid: slashgrid cp -f slashgrid $(prefix)/sbin @@ -410,7 +414,6 @@ install-slashgrid: slashgrid install-ws: gridsite-delegation.cgi htproxyput mkdir -p $(prefix)/include \ - $(prefix)/lib \ $(prefix)/bin \ $(prefix)/sbin \ $(prefix)/share/man/man1 \ diff --git a/org.gridsite.core/src/grst_gacl.c b/org.gridsite.core/src/grst_gacl.c index c093497..bbd71cb 100644 --- a/org.gridsite.core/src/grst_gacl.c +++ b/org.gridsite.core/src/grst_gacl.c @@ -958,7 +958,7 @@ int GRSTgaclUserHasCred(GRSTgaclUser *user, GRSTgaclCred *cred) if ((cred == NULL) || (cred->auri == NULL)) return 0; - if (strcmp(cred->auri, "any-user:") == 0) return 1; + if (strcmp(cred->auri, "gacl:any-user") == 0) return 1; if ((user == NULL) || (user->firstcred == NULL)) return 0; @@ -1287,7 +1287,7 @@ GRSTgaclPerm GRSTgaclAclTestUser(GRSTgaclAcl *acl, GRSTgaclUser *user) for (cred = entry->firstcred; cred != NULL; cred = cred->next) if (!GRSTgaclUserHasCred(user, cred)) flag = 0; - else if (strcmp(cred->auri, "any-user:") != 0) onlyanyuser = 0; + else if (strcmp(cred->auri, "gacl:any-user") != 0) onlyanyuser = 0; if (!flag) continue; /* flag false if a subtest failed */ diff --git a/org.gridsite.core/src/make-gridsite-spec b/org.gridsite.core/src/make-gridsite-spec index ac48fd2..d55c366 100755 --- a/org.gridsite.core/src/make-gridsite-spec +++ b/org.gridsite.core/src/make-gridsite-spec @@ -141,7 +141,7 @@ cat <>gridsite.spec %install cd src -make install prefix=\$RPM_BUILD_ROOT/%{prefix} \ +make install prefix=\$RPM_BUILD_ROOT/%{prefix} libdir=%{_lib} \ GSOAPDIR=\$GSOAPDIR OPENSSL_FLAGS=\$OPENSSL_FLAGS \ OPENSSL_LIBS=\$OPENSSL_LIBS FLAVOR_EXT=\$FLAVOR_EXT EOF @@ -180,10 +180,10 @@ if [ "\$UID" = "0" ] ; then fi %files shared -%attr(-, root, root) %{prefix}/lib/libgridsite.so.%{version} -%attr(-, root, root) %{prefix}/lib/libgridsite.so -%attr(-, root, root) %{prefix}/lib/libgridsite_globus.so.%{version} -%attr(-, root, root) %{prefix}/lib/libgridsite_globus.so +%attr(-, root, root) %{prefix}/%{_lib}/libgridsite.so.%{version} +%attr(-, root, root) %{prefix}/%{_lib}/libgridsite.so +%attr(-, root, root) %{prefix}/%{_lib}/libgridsite_globus.so.%{version} +%attr(-, root, root) %{prefix}/%{_lib}/libgridsite_globus.so %attr(-, root, root) %{prefix}/share/doc/gridsite-${MINOR_VERSION:-1.x} %files devel diff --git a/org.gridsite.core/src/mod_gridsite.c b/org.gridsite.core/src/mod_gridsite.c index fcbb7d2..2e27cbc 100644 --- a/org.gridsite.core/src/mod_gridsite.c +++ b/org.gridsite.core/src/mod_gridsite.c @@ -2259,12 +2259,14 @@ void GRST_save_ssl_creds(conn_rec *conn, GRSTx509Chain *grst_chain) apr_psprintf(conn->pool, "notbefore=%ld notafter=%ld delegation=%d nist-loa=%d", grst_cert->notbefore, - grst_cert->notafter, 0, 0)); + grst_cert->notafter, + grst_cert->delegation, 0)); if (fp != NULL) apr_file_printf(fp, "GRST_CRED_VALID_%d=notbefore=%ld notafter=%ld delegation=%d nist-loa=%d\n", i, grst_cert->notbefore, - grst_cert->notafter, 0, 0); + grst_cert->notafter, + grst_cert->delegation, 0); ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, conn->base_server, "store GRST_CRED_AURI_%d=fqan:%s", i, grst_cert->value); @@ -2286,12 +2288,14 @@ void GRST_save_ssl_creds(conn_rec *conn, GRSTx509Chain *grst_chain) apr_psprintf(conn->pool, "notbefore=%ld notafter=%ld delegation=%d nist-loa=%d", grst_cert->notbefore, - grst_cert->notafter, 0, 0)); + grst_cert->notafter, + grst_cert->delegation, 0)); if (fp != NULL) apr_file_printf(fp, "GRST_CRED_VALID_%d=notbefore=%ld notafter=%ld delegation=%d nist-loa=%d\n", i, grst_cert->notbefore, - grst_cert->notafter, 0, 0); + grst_cert->notafter, + grst_cert->delegation, 0); ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, conn->base_server, "store GRST_CRED_AURI_%d=dn:%s", i, grst_cert->dn); @@ -2612,6 +2616,7 @@ static int mod_gridsite_perm_handler(request_rec *r) if ((remotehost != NULL) && (*remotehost != '\0')) { cred = GRSTgaclCredCreate("dns:", remotehost); + GRSTgaclCredSetNotAfter(cred, GRST_MAX_TIME_T); if (user == NULL) user = GRSTgaclUserNew(cred); else GRSTgaclUserAddCred(user, cred); @@ -2624,6 +2629,7 @@ static int mod_gridsite_perm_handler(request_rec *r) if ((remotehost != NULL) && (*remotehost != '\0')) { cred = GRSTgaclCredCreate("ip:", r->connection->remote_ip); + GRSTgaclCredSetNotAfter(cred, GRST_MAX_TIME_T); if (user == NULL) user = GRSTgaclUserNew(cred); else GRSTgaclUserAddCred(user, cred); @@ -2649,7 +2655,7 @@ static int mod_gridsite_perm_handler(request_rec *r) apr_psprintf(r->pool, "GRST_CRED_%d", i), apr_psprintf(r->pool, "%s %ld %ld %d %s", - (i=0) ? "X509USER" : "GSIPROXY", + (i==0) ? "X509USER" : "GSIPROXY", cred->notbefore, cred->notafter, cc_delegation, diff --git a/org.gridsite.core/src/slashgrid.c b/org.gridsite.core/src/slashgrid.c index 7b3a6b2..541a970 100644 --- a/org.gridsite.core/src/slashgrid.c +++ b/org.gridsite.core/src/slashgrid.c @@ -134,6 +134,7 @@ struct grst_handle { pthread_mutex_t mutex; CURL *curl_handle; uid_t uid; char *proxyfile; + char *capath; time_t last_used; } handles[GRST_SLASH_MAX_HANDLES]; @@ -371,43 +372,72 @@ int translate_sitecast_url(char **sitecast_url, char *raw_url) return GRST_RET_FAILED; } -char *check_x509_user_proxy(pid_t pid) +static void check_user_environ(char **capath, char **proxyfile, pid_t pid) { int fd; - char file[80], *proxyfile = NULL, *pid_environ, *p; - struct stat statbuf1, statbuf2; + size_t allocated = 1024, ret = 0, count = 0; + char file[80], *pid_environ, *p; + struct stat statbuf; + + *proxyfile = NULL; + *capath = NULL; snprintf(file, sizeof(file), "/proc/%d/environ", (int) pid); - if ((fd = open(file, O_RDONLY)) == -1) return NULL; + if ((fd = open(file, O_RDONLY)) == -1) return; - if (debugmode) syslog(LOG_DEBUG, "Opened for %d environ in %s", (int) pid, file); - - fstat(fd, &statbuf1); - - pid_environ = malloc(statbuf1.st_size + 1); - - read(fd, pid_environ, statbuf1.st_size); + if (debugmode) + syslog(LOG_DEBUG, "Opened for %d environ in %s", (int) pid, file); + pid_environ = malloc(allocated + 1); /* always space for terminal NUL */ + + while ((ret = read(fd, &pid_environ[count], allocated - count)) > 0) + { + count += ret; + + if (count >= allocated) + { + allocated = count + 1024; + pid_environ = realloc(pid_environ, allocated + 1); + } + } + close(fd); - - pid_environ[statbuf1.st_size] = '\0'; + + if (ret < 0) + { + free(pid_environ); + syslog(LOG_ERR, "File error reading %s for %d", file, (int) pid); + return; + } - for (p = pid_environ; p < pid_environ + statbuf1.st_size; p += (strlen(p) + 1)) + pid_environ[count] = '\0'; /* just in case */ + + for (p = pid_environ; p < pid_environ + count; p += (strlen(p) + 1)) { if (debugmode) syslog(LOG_DEBUG, "Examine %s in environ", p); if (strncmp(p, "X509_USER_PROXY=", 16) == 0) { - if ((p[16] != '\0') && - (stat(&p[16], &statbuf2) == 0)) proxyfile = strdup(&p[16]); - break; + if ((p[16] != '\0') && (stat(&p[16], &statbuf) == 0)) + { + if (*proxyfile != NULL) free(*proxyfile); + *proxyfile = strdup(&p[16]); + if (debugmode) syslog(LOG_DEBUG, "Found proxyfile"); + } + } + else if (strncmp(p, "X509_CERT_DIR=", 14) == 0) + { + if ((p[14] != '\0') && (stat(&p[14], &statbuf) == 0)) + { + if (*capath != NULL) free(*capath); + *capath = strdup(&p[14]); + if (debugmode) syslog(LOG_DEBUG, "Found capath"); + } } } free(pid_environ); - - return proxyfile; } char *mapdir_uid_to_dn(uid_t uid) @@ -486,16 +516,18 @@ int perform_request(struct grst_request *request_data, struct fuse_context *fuse_ctx) { int ret, i, j, itry, ishttps = 0; - char *proxyfile = NULL, *range_header = NULL, *url; + char *proxyfile = NULL, *capath = NULL, *range_header = NULL, + *url; struct stat statbuf; struct curl_slist *headers_list = NULL; if (strncmp(request_data->url, "https://", 8) == 0) /* HTTPS options */ { -// check for X509_USER_PROXY in that PID's environ too ishttps = 1; - if ((proxyfile = check_x509_user_proxy(fuse_ctx->pid)) == NULL) + check_user_environ(&capath, &proxyfile, fuse_ctx->pid); + + if (proxyfile == NULL) { asprintf(&proxyfile, "/tmp/x509up_u%d", fuse_ctx->uid); /* if proxyfile is used, it will be referenced by handles[].proxyfile @@ -508,6 +540,8 @@ int perform_request(struct grst_request *request_data, proxyfile = NULL; } } + + if (capath == NULL) capath = strdup("/etc/grid-security/certificates"); } if (debugmode && (proxyfile != NULL)) @@ -521,7 +555,10 @@ int perform_request(struct grst_request *request_data, (handles[i].uid == fuse_ctx->uid) && (((handles[i].proxyfile == NULL) && (proxyfile == NULL)) || ((handles[i].proxyfile != NULL) && (proxyfile != NULL) && - (strcmp(handles[i].proxyfile, proxyfile) == 0)))) + (strcmp(handles[i].proxyfile, proxyfile) == 0))) && + (((handles[i].capath == NULL) && (capath == NULL)) || + ((handles[i].capath != NULL) && (capath != NULL) && + (strcmp(handles[i].capath, capath) == 0)))) { break; } @@ -551,7 +588,10 @@ int perform_request(struct grst_request *request_data, (handles[i].uid != fuse_ctx->uid) || (((handles[i].proxyfile != NULL) || (proxyfile != NULL)) && ((handles[i].proxyfile == NULL) || (proxyfile == NULL) || - (strcmp(handles[i].proxyfile, proxyfile) != 0)))) + (strcmp(handles[i].proxyfile, proxyfile) != 0))) || + (((handles[i].capath != NULL) || (capath != NULL)) && + ((handles[i].capath == NULL) || (capath == NULL) || + (strcmp(handles[i].capath, capath) != 0)))) { /* we do need to initialise this handle */ @@ -561,6 +601,9 @@ int perform_request(struct grst_request *request_data, curl_easy_cleanup(handles[i].curl_handle); handles[i].curl_handle = curl_easy_init(); + if (handles[i].capath != NULL) free(handles[i].capath); + handles[i].capath = capath; /* capath might be NULL itself */ + if (handles[i].proxyfile != NULL) free(handles[i].proxyfile); handles[i].proxyfile = proxyfile; /* proxyfile might be NULL itself */ @@ -592,8 +635,7 @@ int perform_request(struct grst_request *request_data, curl_easy_setopt(handles[i].curl_handle, CURLOPT_FOLLOWLOCATION, 0); curl_easy_setopt(handles[i].curl_handle, CURLOPT_HEADERFUNCTION, headers_callback); - curl_easy_setopt(handles[i].curl_handle, CURLOPT_CAPATH, - "/etc/grid-security/certificates"); + curl_easy_setopt(handles[i].curl_handle, CURLOPT_CAPATH, handles[i].capath); curl_easy_setopt(handles[i].curl_handle, CURLOPT_SSL_VERIFYPEER, 2); curl_easy_setopt(handles[i].curl_handle, CURLOPT_SSL_VERIFYHOST, 2); @@ -656,12 +698,6 @@ int perform_request(struct grst_request *request_data, if (debugmode) curl_easy_setopt(handles[i].curl_handle, CURLOPT_DEBUGDATA, &i); -/* Move to higher up - curl_easy_setopt(handles[i].curl_handle, CURLOPT_READFUNCTION, request_data->readfunction); - curl_easy_setopt(handles[i].curl_handle, CURLOPT_READDATA, request_data->readdata); - curl_easy_setopt(handles[i].curl_handle, CURLOPT_WRITEFUNCTION, request_data->writefunction); - curl_easy_setopt(handles[i].curl_handle, CURLOPT_WRITEDATA, request_data->writedata); -*/ if ((request_data->start >= 0) && (request_data->finish >= request_data->start)) { @@ -735,11 +771,11 @@ int perform_request(struct grst_request *request_data, break; } + pthread_mutex_unlock(&(handles[i].mutex)); + if (headers_list != NULL) curl_slist_free_all(headers_list); if (range_header != NULL) free(range_header); - pthread_mutex_unlock(&(handles[i].mutex)); - return ret; } -- 1.8.2.3