Newer
Older
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
extern "C" {
#include <ngx_config.h>
#include <ngx_core.h>
#include <ngx_http.h>
}
#include <voms/voms_api.h>
#include <cassert>
#include <chrono>
#include <iostream>
#include <memory>
#include <numeric>
#include <string>
#include <boost/algorithm/string/join.hpp>
#include <boost/optional.hpp>
using BioPtr = std::unique_ptr<BIO, decltype(&BIO_free)>;
using X509Ptr = std::unique_ptr<X509, decltype(&X509_free)>;
using VomsAc = voms;
using MaybeVomsAc = boost::optional<VomsAc>;
static ngx_int_t add_variables(ngx_conf_t* cf);
static ngx_http_module_t ctx = {
add_variables, // preconfiguration
NULL, // postconfiguration
NULL, // create main configuration
NULL, // init main configuration
NULL, // create server configuration
NULL, // merge server configuration
NULL, // create location configuration
NULL // merge location configuration
};
ngx_module_t ngx_http_voms_module = {
NGX_MODULE_V1,
&ctx, // module context
NULL, // module directives
NGX_HTTP_MODULE, // module type
NULL, // init master
NULL, // init module
NULL, // init process
NULL, // init thread
NULL, // exit thread
NULL, // exit process
NULL, // exit master
NGX_MODULE_V1_PADDING //
};
static ngx_int_t get_voms_fqans( //
ngx_http_request_t* r,
ngx_http_variable_value_t* v,
uintptr_t data);
static ngx_int_t get_voms_user( //
ngx_http_request_t* r,
ngx_http_variable_value_t* v,
uintptr_t data);
static ngx_http_variable_t variables[] = {
{
ngx_string("voms_fqans"),
NULL,
get_voms_fqans,
0,
NGX_HTTP_VAR_NOCACHEABLE,
0 //
},
{
ngx_string("voms_user"),
NULL,
get_voms_user,
0,
NGX_HTTP_VAR_NOCACHEABLE,
0 //
},
ngx_http_null_variable //
};
static ngx_int_t add_variables(ngx_conf_t* cf)
{
for (ngx_http_variable_t* v = variables; v->name.len; ++v) {
ngx_http_variable_t* var = ngx_http_add_variable(cf, &v->name, v->flags);
if (var == NULL) {
return NGX_ERROR;
}
var->get_handler = v->get_handler;
var->data = v->data;
}
return NGX_OK;
}
template <class S>
static std::string to_string(S const* s)
{
return std::string(reinterpret_cast<char const*>(s->data),
reinterpret_cast<char const*>(s->data) + s->len);
}
boost::optional<std::string> to_pem(X509& x509)
{
BioPtr bio{BIO_new(BIO_s_mem()), BIO_free};
if (PEM_write_bio_X509(bio.get(), &x509) == 0) {
return boost::none;
} else {
char* data = nullptr;
auto len = BIO_get_mem_data(bio.get(), &data);
if (len > 0) {
return std::string(data, data + len);
} else {
return boost::none;
}
}
}
// return the first AC, if present
static MaybeVomsAc retrieve_voms_ac_from_proxy(ngx_http_request_t* r)
{
ngx_log_error(NGX_LOG_DEBUG, r->connection->log, 0, "%s", __FUNCTION__);
if (!r->http_connection->ssl) {
return boost::none;
}
auto client_cert = X509Ptr{
SSL_get_peer_certificate(r->connection->ssl->connection), X509_free};
if (!client_cert) {
ngx_log_error(NGX_LOG_ERR,
r->connection->log,
0,
"SSL_get_peer_certificate() failed");
return boost::none;
}
auto client_chain = SSL_get_peer_cert_chain(r->connection->ssl->connection);
if (!client_chain) {
ngx_log_error(
NGX_LOG_ERR, r->connection->log, 0, "SSL_get_peer_cert_chain() failed");
return boost::none;
}
vomsdata vd;
auto ok = vd.Retrieve(client_cert.get(), client_chain, RECURSE_CHAIN);
if (!ok) {
// vd.error is not interpreted correctly by the logger, which probably uses
// errno
ngx_log_error(NGX_LOG_ERR,
r->connection->log,
vd.error,
"%s",
vd.ErrorMessage().c_str());
return boost::none;
}
if (vd.data.empty()) {
ngx_log_error(NGX_LOG_DEBUG, r->connection->log, 0, "no ACs in proxy");
return boost::none;
}
return vd.data.front();
}
static void clean_voms_ac(void* data)
{
auto r = static_cast<ngx_http_request_t*>(data);
ngx_log_error(NGX_LOG_DEBUG, r->connection->log, 0, "%s", __FUNCTION__);
auto p = static_cast<MaybeVomsAc*>(
ngx_http_get_module_ctx(r, ngx_http_voms_module));
delete p;
}
static void cache_voms_ac(ngx_http_request_t* r, MaybeVomsAc* ac)
{
ngx_http_set_ctx(r, ac, ngx_http_voms_module);
auto cln = ngx_http_cleanup_add(r, 0);
if (cln) {
cln->handler = clean_voms_ac;
cln->data = r;
} else {
ngx_log_error(
NGX_LOG_ERR, r->connection->log, 0, "ngx_http_cleanup_add() failed");
}
}
static MaybeVomsAc* get_voms_ac_from_cache(ngx_http_request_t* r)
{
return static_cast<MaybeVomsAc*>(
ngx_http_get_module_ctx(r, ngx_http_voms_module));
}
static MaybeVomsAc const& get_voms_ac(ngx_http_request_t* r)
{
ngx_log_error(NGX_LOG_DEBUG, r->connection->log, 0, "%s", __FUNCTION__);
MaybeVomsAc* acp = get_voms_ac_from_cache(r);
if (!acp) {
acp = new MaybeVomsAc(retrieve_voms_ac_from_proxy(r));
cache_voms_ac(r, acp);
}
return *acp;
}
static ngx_int_t get_voms_fqans(ngx_http_request_t* r,
ngx_http_variable_value_t* v,
uintptr_t)
{
ngx_log_error(NGX_LOG_DEBUG, r->connection->log, 0, "%s", __FUNCTION__);
v->not_found = 1;
v->valid = 0;
auto& ac = get_voms_ac(r);
if (!ac) {
ngx_log_error(NGX_LOG_DEBUG, r->connection->log, 0, "get_voms_ac() failed");
return NGX_OK;
}
auto fqans = boost::algorithm::join(ac->fqans, ",");
auto data = static_cast<u_char*>(ngx_pnalloc(r->pool, fqans.size()));
if (!data) {
ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "ngx_pnalloc() failed");
return NGX_OK;
}
ngx_memcpy(data, fqans.c_str(), fqans.size());
v->data = data;
v->len = fqans.size();
v->valid = 1;
v->not_found = 0;
v->no_cacheable = 0;
return NGX_OK;
}
static ngx_int_t get_voms_user(ngx_http_request_t* r,
ngx_http_variable_value_t* v,
uintptr_t)
{
ngx_log_error(NGX_LOG_DEBUG, r->connection->log, 0, "%s", __FUNCTION__);
v->not_found = 1;
v->valid = 0;
auto& ac = get_voms_ac(r);
if (!ac) {
ngx_log_error(NGX_LOG_DEBUG, r->connection->log, 0, "get_voms_ac() failed");
return NGX_OK;
}
auto const& user = ac->user;
auto data = static_cast<u_char*>(ngx_pnalloc(r->pool, user.size()));
if (!data) {
ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "ngx_pnalloc() failed");
return NGX_OK;
}
ngx_memcpy(data, user.c_str(), user.size());
v->data = data;
v->len = user.size();
v->valid = 1;
v->not_found = 0;
v->no_cacheable = 0;
return NGX_OK;
}
ngx_int_t get_voms(ngx_http_request_t* r,
ngx_http_variable_value_t* v,
uintptr_t data)
{
// to show that get_voms gets called only once, even if the variable is used
// twice in the configuration file
static int count = 0;
assert(count == 0);
ngx_log_error(NGX_LOG_DEBUG, r->connection->log, 0, "get_voms");
{
auto t0 = std::chrono::high_resolution_clock::now();
static ngx_str_t var = ngx_string("ssl_client_raw_cert");
u_char unused[sizeof("ssl_client_raw_cert")];
auto hash = ngx_hash_strlow(unused, var.data, var.len);
ngx_http_variable_value_t* raw_cert = ngx_http_get_variable(r, &var, hash);
// da rivedere gli errori ritornati (sempre che siano errori)
if (!raw_cert || raw_cert->not_found || !raw_cert->valid) {
ngx_log_error(NGX_LOG_DEBUG, r->connection->log, 0, "invalid raw_cert");
return NGX_OK;
}
BioPtr bio{BIO_new(BIO_s_mem()), BIO_free};
if (BIO_write(bio.get(), raw_cert->data, raw_cert->len) != raw_cert->len) {
ngx_log_error(NGX_LOG_DEBUG, r->connection->log, 0, "BIO_write() failed");
return NGX_OK;
}
X509Ptr x509{PEM_read_bio_X509(bio.get(), NULL, NULL, NULL), X509_free};
if (!x509) {
ngx_log_error(
NGX_LOG_DEBUG, r->connection->log, 0, "PEM_read_bio_X509() failed");
return NGX_OK;
}
auto t1 = std::chrono::high_resolution_clock::now();
ngx_log_error(NGX_LOG_DEBUG,
r->connection->log,
0,
"time 1: %f us",
std::chrono::duration<double, std::micro>(t1 - t0).count());
ngx_log_error(NGX_LOG_DEBUG,
r->connection->log,
0,
"raw_cert: %s",
to_string(raw_cert).c_str());
}
v->valid = 1;
v->no_cacheable = 1;
v->not_found = 0;
v->data = (u_char*)"VOMS";
v->len = 4;
return NGX_OK;
}