Merge branch 'issue-19' into 'master'

[ngx-voms] configure openssl to accept proxy certs

Closes #19

See merge request storm2/ngx_http_voms_module!12

docker/assets/nginx.conf

 user build;
 worker_processes  1;
 
-env OPENSSL_ALLOW_PROXY_CERTS=1;
 env X509_VOMS_DIR=/vomsdir;
 
 error_log logs/error.log  warn;

src/ngx_http_voms_module.cpp

@@ -38,16 +38,18 @@ using MaybeVomsAc = boost::optional<VomsAc>;
 enum class EeDn { SUBJECT, ISSUER };
 
 static ngx_int_t add_variables(ngx_conf_t* cf);
+static ngx_int_t ngx_ssl_allow_proxy_certs(ngx_ssl_t* ssl);
+static char* ngx_http_voms_merge_srv_conf(ngx_conf_t* cf, void*, void*);
 
 static ngx_http_module_t ctx = {
-    add_variables,  // preconfiguration
-    NULL,           // postconfiguration
-    NULL,           // create main configuration
-    NULL,           // init main configuration
-    NULL,           // create server configuration
-    NULL,           // merge server configuration
-    NULL,           // create location configuration
-    NULL            // merge location configuration
+    add_variables,                 // preconfiguration
+    NULL,                          // postconfiguration
+    NULL,                          // create main configuration
+    NULL,                          // init main configuration
+    NULL,                          // create server configuration
+    ngx_http_voms_merge_srv_conf,  // merge server configuration
+    NULL,                          // create location configuration
+    NULL                           // merge location configuration
 };
 
 ngx_module_t ngx_http_voms_module = {
@@ -224,6 +226,36 @@ static ngx_int_t add_variables(ngx_conf_t* cf)
   return NGX_OK;
 }
 
+static ngx_int_t ngx_ssl_allow_proxy_certs(ngx_ssl_t* ssl)
+{
+  X509_STORE* store = SSL_CTX_get_cert_store(ssl->ctx);
+  if (store == NULL) {
+    ngx_ssl_error(NGX_LOG_EMERG,
+                  ssl->log,
+                  0,
+                  const_cast<char*>("SSL_CTX_get_cert_store() failed"));
+    return NGX_ERROR;
+  }
+
+  X509_STORE_set_flags(store, X509_V_FLAG_ALLOW_PROXY_CERTS);
+
+  return NGX_OK;
+}
+
+static char* ngx_http_voms_merge_srv_conf(ngx_conf_t* cf, void*, void*)
+{
+  auto conf = static_cast<ngx_http_ssl_srv_conf_t*>(
+      ngx_http_conf_get_module_srv_conf(cf, ngx_http_ssl_module));
+
+  if (conf->ssl.ctx != nullptr) {
+    if (ngx_ssl_allow_proxy_certs(&conf->ssl) != NGX_OK) {
+      return static_cast<char*>(NGX_CONF_ERROR);
+    }
+  }
+
+  return NGX_CONF_OK;
+}
+
 // return the first AC, if present
 static MaybeVomsAc retrieve_voms_ac_from_proxy(ngx_http_request_t* r)
 {

t/eec_cert.t

@@ -6,7 +6,6 @@ __DATA__
 
 === TEST 1: rfc proxy certificate, no AC
 --- main_config
-    env OPENSSL_ALLOW_PROXY_CERTS=1;
     env X509_VOMS_DIR=t/vomsdir;
     env X509_CERT_DIR=t/trust-anchors;
 --- http_config

t/eec_subject.t

@@ -6,7 +6,6 @@ __DATA__
 
 === TEST 1: rfc proxy certificate, no AC
 --- main_config
-    env OPENSSL_ALLOW_PROXY_CERTS=1;
     env X509_VOMS_DIR=t/vomsdir;
     env X509_CERT_DIR=t/trust-anchors;
 --- http_config
@@ -40,7 +39,6 @@ CN=Test CA,O=IGI,C=IT
 
 === TEST 2: standard x.509 certificate 
 --- main_config
-    env OPENSSL_ALLOW_PROXY_CERTS=1;
     env X509_VOMS_DIR=t/vomsdir;
     env X509_CERT_DIR=t/trust-anchors;
 --- http_config
@@ -78,7 +76,6 @@ CN=Test CA,O=IGI,C=IT
 
 === TEST 3: three delegations proxy
 --- main_config
-    env OPENSSL_ALLOW_PROXY_CERTS=1;
     env X509_VOMS_DIR=t/vomsdir;
     env X509_CERT_DIR=t/trust-anchors;
 --- http_config
@@ -113,7 +110,6 @@ CN=Test CA,O=IGI,C=IT
 
 === TEST 4: three delegations proxy + CA cert
 --- main_config
-    env OPENSSL_ALLOW_PROXY_CERTS=1;
     env X509_VOMS_DIR=t/vomsdir;
     env X509_CERT_DIR=t/trust-anchors;
 --- http_config

t/encoding.t

@@ -7,7 +7,6 @@ __DATA__
 
 === TEST 1: valid AC, verification of VOMS generic attributes encoding
 --- main_config
-    env OPENSSL_ALLOW_PROXY_CERTS=1;
     env X509_VOMS_DIR=t/vomsdir;
     env X509_CERT_DIR=t/trust-anchors;
 --- http_config

t/expired.t

@@ -7,7 +7,6 @@ __DATA__
 
 === TEST 1: https with x509 client authentication, expired client certificate
 --- main_config
-    env OPENSSL_ALLOW_PROXY_CERTS=1; 
 --- http_config
     server {
         error_log logs/error.log debug;

t/expired_ac.t

@@ -7,7 +7,6 @@ __DATA__
 
 === TEST 1: https with x509 client authentication, valid proxy certificate with expired VOMS attributes 
 --- main_config
-    env OPENSSL_ALLOW_PROXY_CERTS=1;
     env X509_VOMS_DIR=t/vomsdir;
     env X509_CERT_DIR=t/trust-anchors;
 --- http_config

t/no_ac.t

@@ -7,7 +7,6 @@ __DATA__
 
 === TEST 1: https with x509 client authentication, valid proxy certificate with no VOMS attributes 
 --- main_config
-    env OPENSSL_ALLOW_PROXY_CERTS=1; 
     env X509_VOMS_DIR=t/vomsdir;
 --- http_config
     server {

t/no_ssl.t

@@ -7,7 +7,6 @@ __DATA__
 
 === TEST 1: HTTP connection, no SSL
 --- main_config
-    env OPENSSL_ALLOW_PROXY_CERTS=1; 
     env X509_VOMS_DIR=t/vomsdir;
 --- http_config
     server {

t/no_ta.t

@@ -7,7 +7,6 @@ __DATA__
 
 === TEST 1: Valid proxy, wrong client trust-anchor 
 --- main_config
-    env OPENSSL_ALLOW_PROXY_CERTS=1;
     env X509_VOMS_DIR=t/vomsdir;
     env X509_CERT_DIR=t/trust-anchors;
 --- http_config

t/ssl_no_client_authn.t

@@ -7,7 +7,6 @@ __DATA__
 
 === TEST 1: HTTPS with no X.509 client authentication
 --- main_config
-    env OPENSSL_ALLOW_PROXY_CERTS=1; 
     env X509_VOMS_DIR=t/vomsdir;
 --- http_config
     server {

t/untrusted_ac.t

@@ -7,7 +7,6 @@ __DATA__
 
 === TEST 1: https with x509 client authentication, untrusted AC signature LSC missing
 --- main_config
-    env OPENSSL_ALLOW_PROXY_CERTS=1;
     env X509_VOMS_DIR=t/vomsdir;
     env X509_CERT_DIR=t/trust-anchors;
 --- http_config
@@ -41,7 +40,6 @@ Cannot verify AC signature
 
 === TEST 2: Valid proxy, VOMS trust-anchor missing
 --- main_config
-    env OPENSSL_ALLOW_PROXY_CERTS=1;
     env X509_VOMS_DIR=t/vomsdir;
     env X509_CERT_DIR=t;
 --- http_config

t/valid_ac.t

@@ -7,7 +7,6 @@ __DATA__
 
 === TEST 1: valid AC, verification of valid VOMS attributes extracted by ngx_http_voms_module
 --- main_config
-    env OPENSSL_ALLOW_PROXY_CERTS=1;
     env X509_VOMS_DIR=t/vomsdir;
     env X509_CERT_DIR=t/trust-anchors;
 --- http_config