Skip to content
Snippets Groups Projects

Compare revisions

Changes are shown as if the source revision was being merged into the target revision. Learn more about comparing revisions.

Source

Select target project
No results found

Target

Select target project
  • fornari/ngx_http_voms_module
  • cnafsd/ngx_http_voms_module
2 results
Show changes
Commits on Source (236)
136 additional commits have been omitted to prevent performance issues.
Hide whitespace changes
Inline Side-by-side
Showing
with 755 additions and 285 deletions
.clang-format
View file @ 6d052991
# SPDX-FileCopyrightText: 2018 Istituto Nazionale di Fisica Nucleare
#
# SPDX-License-Identifier: EUPL-1.2
---
Language: Cpp
# BasedOnStyle: Google
......
.devcontainer/Dockerfile 0 → 100644
View file @ 6d052991
# SPDX-FileCopyrightText: 2018 Istituto Nazionale di Fisica Nucleare
#
# SPDX-License-Identifier: EUPL-1.2
FROM almalinux:9
# Allow customization of build user ID and name
ARG USERNAME=vscode
ARG USER_UID=1000
ARG USER_GID=${USER_UID}
COPY library-scripts/*.sh /tmp/library-scripts/
RUN \
sh /tmp/library-scripts/provide-dev-deps.sh && \
sh /tmp/library-scripts/provide-user.sh ${USERNAME} ${USER_UID} ${USER_GID} && \
dnf clean all && rm -rf /var/cache/dnf
USER $USERNAME
.devcontainer/README.md 0 → 100644
View file @ 6d052991
<!--
SPDX-FileCopyrightText: 2018 Istituto Nazionale di Fisica Nucleare
SPDX-License-Identifier: EUPL-1.2
-->
# `ngx_http_voms_module` for developers
A devcontainer is ready to use for the developers. A set of packages without nginx are already installed.
## How to build and install nginx with or without httpg patch
To build and install the latest stable version of [nginx](http://nginx.org/en/download.html) you have to copy the `nginx.repo` file (it is contained in the `docker` directory) into the `/etc/yum.repos.d/` directory and install nginx with `yum`:
```shell
$ sudo cp docker/nginx.repo /etc/yum.repos.d/
$ sudo yum install -y nginx
```
Otherwise, if you want to build and install the latest stable version of [nginx](http://nginx.org/en/download.html) with the httpg patch, a bash library is ready to use. You can source it and follow the commands below:
```shell
$ source .devcontainer/assets/build-library.sh
$ downloadNginx
$ buildHttpgNginxRPM
$ sudo rpm -ivh ~/rpmbuild/RPMS/x86_64/nginx-*.httpg.x86_64.rpm
```
## How to build and install the `ngx_http_voms_module`
If you want to build and install the `ngx_http_voms_module`, nginx have to be installed in the container (see the previous section). When this requirement is satisfied, you can use the library contained in the `.devcontainer/assets` folder as follows (NOTE: if you have already download nginx source file, you can skip the relative command):
```shell
$ source .devcontainer/assets/build-library.sh
$ downloadNginx
$ buildVomsModuleRPM
$ sudo rpm -ivh ~/rpmbuild/RPMS/x86_64/nginx-module-http-voms-*.x86_64.rpm
```
## How to manage this project
If you want to understand how this project works, start from the CI. Three stages are defined:
### 1. build-rpms
Starting from a clear AlmaLinux 9, we install all the useful packages to compile nginx and to build a rpm package. The bash steps that achieves these results are defined in the `.devcontainer/assets/build-library.sh` file, so you can read that bash script to learn which nginx version we use, how to download it, how to set up the environment and how to build the rpm.
It is important to underline that to build the nginx rpm we use the spec file in the `rpm` repo, that is the official nginx 1.24.0 spec file increased by the HTTPG patch. To build the `ngx_http_voms_module` we have defined an appropriate spec file indeed. The files that are used to build the rpm module are written, called and collocated following the common practices of the nginx modules: a source file is defined in the `src` folder, the `config` and the `config.make` files are in the root project directory.
At the end of this stage, all the useful rpms are saved as job artifacts.
### 2. docker-build-rpms
In this stage we set up a docker image with nginx, the httpg patch and the `ngx_http_voms_module`. To do this, we use a set of scripts in the [`helper-scripts`](https://baltig.infn.it/mw-devel/helper-scripts.git) project.
The dockerfile and all the files needed for its compilation are in the `docker` directory. The image starts from AlmaLinux 9, defines a user and installs a set of useful packages. After that we import the nginx repo file, in this way we can download a lot of packages provided by nginx, including its last stable version. In the end we install the rpm packages that we build in the previous stage and the njs module.
### 3. push-to-dockerhub
In this last stage we push on dockerhub the image that we have builded in the previous stage. Note that this stage is run only when we push something in the master branch.
.devcontainer/assets/build-library.sh 0 → 100644
View file @ 6d052991
#!/usr/bin/env bash
# SPDX-FileCopyrightText: 2018 Istituto Nazionale di Fisica Nucleare
#
# SPDX-License-Identifier: EUPL-1.2
downloadNginx() {
# check if ~/rpmbuild exists and is not empty
if [ -d ${HOME}/rpmbuild ] && [ "$(ls -A ${HOME}/rpmbuild)" ]; then
>&2 echo "Error: ${HOME}/rpmbuild already exists and is not empty"
return 1
fi
# set nginx version
if [ -z ${NGINX_VERSION} ]; then
>&2 echo "Error: NGINX_VERSION variable not set"
return 1
fi
elVersion=$(rpmbuild --eval %{rhel})
echo "Downloading nginx version ${NGINX_VERSION} (EL${elVersion})"
src_package_name="nginx-${NGINX_VERSION}.el${elVersion}.ngx.src.rpm"
src_package_url="https://nginx.org/packages/centos/${elVersion}/SRPMS/${src_package_name}"
curl -O ${src_package_url}
rpm -i ${src_package_name}
}
buildHttpgNginxRPM() {
if ! printenv CI_PROJECT_DIR > /dev/null; then
>&2 echo "CI_PROJECT_DIR is not set in the environment, assuming the current working directory '${PWD}'"
export CI_PROJECT_DIR="${PWD}"
fi
sh ${CI_PROJECT_DIR}/rpm/addPatchToNginxSpec.sh
# build rpm
rpmlint ~/rpmbuild/SPECS/nginx.spec
rpmbuild -ba ~/rpmbuild/SPECS/nginx.spec
}
buildVomsModuleRPM() {
if [ -z ${CI_PROJECT_DIR} ]; then
CI_PROJECT_DIR="/workspaces/ngx_http_voms_module"
fi
# set voms modules sources
cd ~/rpmbuild/SOURCES/
mkdir ngx-http-voms-module
cp ${CI_PROJECT_DIR}/config ngx-http-voms-module/
cp ${CI_PROJECT_DIR}/config.make ngx-http-voms-module/
cp -r ${CI_PROJECT_DIR}/src ngx-http-voms-module/
cp ${CI_PROJECT_DIR}/rpm/nginx-module-http-voms.spec ~/rpmbuild/SPECS
# build rpm
rpmlint ~/rpmbuild/SPECS/nginx-module-http-voms.spec
rpmbuild --define "base_version ${VERSION}" --define "nginx_version ${NGINX_VERSION%-*}" -ba ~/rpmbuild/SPECS/nginx-module-http-voms.spec
cd ${CI_PROJECT_DIR}
}
.devcontainer/devcontainer.json 0 → 100644
View file @ 6d052991
// SPDX-FileCopyrightText: 2018 Istituto Nazionale di Fisica Nucleare
// SPDX-License-Identifier: EUPL-1.2
// For format details, see https://aka.ms/vscode-remote/devcontainer.json or this file's README at:
// https://github.com/microsoft/vscode-dev-containers/tree/v0.159.0/containers/cpp
{
"name": "C++",
"build": {
"dockerfile": "Dockerfile",
},
"runArgs": [
"--cap-add=SYS_PTRACE",
"--security-opt",
"seccomp=unconfined"
],
// Set *default* container specific settings.json values on container create.
"settings": {
"terminal.integrated.defaultProfile.linux": "bash"
},
// Add the IDs of extensions you want installed when the container is created.
"extensions": [
"ms-vscode.cpptools",
],
// Use 'forwardPorts' to make a list of ports inside the container available locally.
// "forwardPorts": [],
// Use 'postCreateCommand' to run commands after the container is created.
//"postCreateCommand": "sudo debuginfo-install -y voms",
// Comment out this line to run as root instead.
"remoteUser": "vscode",
"remoteEnv": {"NGX_HTTP_VOMS_MODULE_ROOT": "${containerWorkspaceFolder}"}
}
.devcontainer/library-scripts/provide-dev-deps.sh 0 → 100644
View file @ 6d052991
#!/usr/bin/env bash
# SPDX-FileCopyrightText: 2018 Istituto Nazionale di Fisica Nucleare
#
# SPDX-License-Identifier: EUPL-1.2
set -ex
dnf install -y epel-release
dnf update -y
# https://openresty.org/en/linux-packages.html#centos
curl -o /etc/yum.repos.d/openresty.repo https://openresty.org/package/centos/openresty2.repo
dnf config-manager --set-enabled crb
dnf install -y --setopt=tsflags=nodocs \
boost-devel \
ccache \
file \
gcc-c++ \
gd-devel \
gettext \
git \
lcov \
libxslt-devel \
make \
patch \
pcre2-devel \
perl-Digest-SHA \
perl-ExtUtils-Embed \
perl-Test-Nginx \
procps-ng \
readline-devel \
rpmdevtools \
rpmlint \
sudo \
voms-clients-cpp \
voms-devel \
which \
zlib-devel
.devcontainer/library-scripts/provide-user.sh 0 → 100644
View file @ 6d052991
#!/usr/bin/env bash
# SPDX-FileCopyrightText: 2018 Istituto Nazionale di Fisica Nucleare
#
# SPDX-License-Identifier: EUPL-1.2
USERNAME=${1}
USER_UID=${2}
USER_GID=${3}
set -e
if [ "$(id -u)" -ne 0 ]; then
echo -e 'Script must be run as root. Use sudo, su, or add "USER root" to your Dockerfile before running this script.'
exit 1
fi
groupadd --gid $USER_GID $USERNAME
useradd --uid $USER_UID --gid $USER_GID -m $USERNAME
echo $USERNAME ALL=\(root\) NOPASSWD:ALL > /etc/sudoers.d/$USERNAME
chmod 0440 /etc/sudoers.d/$USERNAME
CODESPACES_BASH="$(cat \
<<'EOF'
# Codespaces bash prompt theme
__bash_prompt() {
local userpart='`export XIT=$? \
&& [ ! -z "${GITHUB_USER}" ] && echo -n "\[\033[0;32m\]@${GITHUB_USER} " || echo -n "\[\033[0;32m\]\u " \
&& [ "$XIT" -ne "0" ] && echo -n "\[\033[1;31m\]➜" || echo -n "\[\033[0m\]➜"`'
local gitbranch='`\
export BRANCH=$(git rev-parse --abbrev-ref HEAD 2>/dev/null); \
if [ "${BRANCH}" = "HEAD" ]; then \
export BRANCH=$(git describe --contains --all HEAD 2>/dev/null); \
fi; \
if [ "${BRANCH}" != "" ]; then \
echo -n "\[\033[0;36m\](\[\033[1;31m\]${BRANCH}" \
&& if git ls-files --error-unmatch -m --directory --no-empty-directory -o --exclude-standard ":/*" > /dev/null 2>&1; then \
echo -n " \[\033[1;33m\]✗"; \
fi \
&& echo -n "\[\033[0;36m\]) "; \
fi`'
local lightblue='\[\033[1;34m\]'
local removecolor='\[\033[0m\]'
PS1="${userpart} ${lightblue}\w ${gitbranch}${removecolor}\$ "
unset -f __bash_prompt
}
__bash_prompt
EOF
)"
USER_RC_PATH="/home/${USERNAME}"
echo "${CODESPACES_BASH}" >> "${USER_RC_PATH}/.bashrc"
chown ${USERNAME}:${USER_GID} "${USER_RC_PATH}/.bashrc"
echo "Done!"
.gitignore
View file @ 6d052991
# SPDX-FileCopyrightText: 2018 Istituto Nazionale di Fisica Nucleare
#
# SPDX-License-Identifier: EUPL-1.2
.vscode
servroot*
nginx
\ No newline at end of file
nginx
docker/artifacts
node_modules
t/*
!t/README.md
!t/*.t
!t/setup.sh
!t/conf.d
!t/proxies.d
!t/openssl.conf
!t/socket.js
.gitlab-ci.yml
View file @ 6d052991
image: storm2/ngx-voms-build:latest
# SPDX-FileCopyrightText: 2018 Istituto Nazionale di Fisica Nucleare
#
# SPDX-License-Identifier: EUPL-1.2
stages:
- build
- test
- docker-build
- docker-push
- deploy
variables:
NGINX_VERSION: "1.26.3-1"
build-no-debug:
calculate-version:
stage: build
image: almalinux:latest
variables:
GIT_STRATEGY: clone
GIT_DEPTH: 0
script:
- env
- sh ${HOME}/build-install-ngx-voms.sh
- mv ${HOME}/local/openresty openresty && rm openresty/nginx/sbin/nginx.old && tar cvzf openresty-no-debug.tar.gz openresty
- |
if [[ -n ${CI_COMMIT_TAG} ]]; then
# In case is a tag, check if the tag matches v<x>.<y>.<z>+<a>.<b>.<c>(-[0-9A-Za-z-]+)?
if [[ ${CI_COMMIT_TAG} =~ ^v([0-9]+\.[0-9]+\.[0-9]+)\+([0-9]+\.[0-9]+\.[0-9]+)(-[[:alnum:]-]+)?$ ]]; then
if [[ -z ${BASH_REMATCH[3]} ]]; then
REPO='stable'
VERSION="${BASH_REMATCH[1]}"
if [[ ${BASH_REMATCH[1]} != ${NGINX_VERSION%-*} ]]; then
echo "NGINX version mismatch between tag (${BASH_REMATCH[1]}) and .gitlab-ci.yml file (${NGINX_VERSION%-*})"
exit 1
fi
if [[ ${BASH_REMATCH[2]} != "$(cat version.txt)" ]]; then
echo "Module version mismatch between tag (${BASH_REMATCH[2]}) and version.txt file ($(cat version.txt))"
exit 1
fi
VERSION="${BASH_REMATCH[1]}+${BASH_REMATCH[2]}"
else
# If the tag includes a "-" is a beta, substitute the first "-" with "~" and any other ones with "_"
REPO='beta'
PRERELEASE=$(echo ${BASH_REMATCH[3]:1} | sed 's/-/_/g')
VERSION="${BASH_REMATCH[1]}+${BASH_REMATCH[2]}~${PRERELEASE}"
fi
fi
else
dnf install -y git
# Use the output of "git describe" to create version dropping the leading "v" and substituting:
# - the last "-" with "."
# - the now last "-" with "^"
# - the first remaining "-" (if any) with "~"
# - all possible remaining "-" with "_"
VERSION=$(git describe --tags --long | sed 's/^v//' | sed -r 's/(.*)-/\1./' | sed -r 's/(.*)-/\1^/' | sed 's/-/~/' | sed 's/-/_/g')
if [[ ${CI_COMMIT_REF_NAME} = "${CI_DEFAULT_BRANCH}" ]]; then
REPO='nightly'
fi
fi
echo "VERSION=${VERSION}" >> build.env
echo "REPO=${REPO}" >> build.env
echo "Version: ${VERSION}"
echo "Repo: ${REPO:-none}"
artifacts:
paths:
- openresty-no-debug.tar.gz
reports:
dotenv: build.env
build4c:
build-rpms:
stage: build
needs: ["calculate-version"]
parallel:
matrix:
- EL_VERSION: ["8", "9"]
image: almalinux:${EL_VERSION}
script:
- env
- sh ${HOME}/build-install-ngx-voms.sh -d -c
- mv ${HOME}/local local
- mv ${HOME}/openresty-1.13.6.1/build/nginx-1.13.6 nginx-1.13.6
- tar cvzf artifacts.tar.gz local nginx-1.13.6
- dnf -y install epel-release
- dnf install -y openssl-devel zlib-devel pcre2-devel make rpmdevtools rpmlint boost-devel voms-devel gcc-c++
- source .devcontainer/assets/build-library.sh
- CI_PROJECT_DIR=$PWD
- downloadNginx
- buildHttpgNginxRPM
- buildVomsModuleRPM
- mkdir artifacts
- cp ~/rpmbuild/SRPMS/* artifacts/
- cp ~/rpmbuild/RPMS/x86_64/* artifacts/
artifacts:
paths:
- artifacts.tar.gz
- artifacts/
test4c:
stage: test
dependencies:
- build4c
build-devcontainer:
stage: build
image: docker:latest
services:
- docker:dind
variables:
IMAGE_TAG: $CI_REGISTRY_IMAGE/devcontainer:$CI_COMMIT_REF_SLUG
script:
- rm -rf ${HOME}/local/
- rm -rf ${HOME}/openresty-1.13.6.1/build/nginx-1.13.6/
- tar xvzf artifacts.tar.gz
- mv local ${HOME}
- mv nginx-1.13.6 ${HOME}/openresty-1.13.6.1/build/
- sh test-ngx-voms.sh
- sh cov-ngx-voms.sh
- mv /tmp/coverage-report coverage
artifacts:
paths:
- coverage
- |
cd .devcontainer
echo "$CI_REGISTRY_PASSWORD" | docker login $CI_REGISTRY -u $CI_REGISTRY_USER --password-stdin
docker build -t $IMAGE_TAG .
docker push $IMAGE_TAG
rules:
- changes:
- .devcontainer/**/*
pages:
stage: deploy
image: docker:latest
dependencies:
- test4c
reuse:
stage: build
image:
name: fsfe/reuse:latest
entrypoint: [""]
script:
- mv coverage/ public/
artifacts:
paths:
- public
expire_in: 30 days
- reuse lint
docker-build:
stage: docker-build
image: docker:latest
services:
- docker:dind
dependencies:
- build-no-debug
run-tests:
stage: test
image: $CI_REGISTRY_IMAGE/devcontainer:$CI_COMMIT_REF_SLUG
script:
- cp openresty-no-debug.tar.gz ${CI_PROJECT_DIR}/docker/openresty.tar.gz && cd ${CI_PROJECT_DIR}/docker && sh build-image.sh
- docker tag storm2/ngx-voms:latest ${CI_REGISTRY_IMAGE}/ngx-voms:${CI_COMMIT_SHA:0:8}
- docker login -u gitlab-ci-token -p ${CI_JOB_TOKEN} ${CI_REGISTRY}
- docker push ${CI_REGISTRY_IMAGE}/ngx-voms:${CI_COMMIT_SHA:0:8}
- |
elVersion=$(rpmbuild --eval %{rhel})
sudo dnf install -y artifacts/nginx-*.el${elVersion}.httpg.x86_64.rpm
sudo dnf install -y artifacts/nginx-module-http-voms-*.el${elVersion}.x86_64.rpm
git clone https://baltig.infn.it/mw-devel/helper-scripts.git
PATH=$(pwd)/helper-scripts/x509-scripts/scripts:$PATH
(cd t && ./setup.sh)
prove
dockerhub-push:
stage: docker-push
upload-rpms:
stage: deploy
image: almalinux:latest
script:
- |
if [[ -n ${REPO} ]]; then
for file in artifacts/*.rpm; do
if [[ ${file} =~ \.el([0-9]+)\. ]]; then
curl --fail --user "${NEXUS_USERNAME}:${NEXUS_PASSWORD}" --upload-file "${file}" https://repo.cloud.cnaf.infn.it/repository/nginx-rpm-${REPO}/redhat${BASH_REMATCH[1]}/
fi
done
fi
docker-image:
stage: deploy
image: docker:latest
services:
- docker:dind
dependencies:
- docker-build
variables:
IMAGE_TAG: $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG
DOCKERHUB_IMAGE: cnafsd/nginx-httpg-voms
script:
- docker login -u gitlab-ci-token -p ${CI_JOB_TOKEN} ${CI_REGISTRY}
- docker pull ${CI_REGISTRY_IMAGE}/ngx-voms:${CI_COMMIT_SHA:0:8}
- docker tag ${CI_REGISTRY_IMAGE}/ngx-voms:${CI_COMMIT_SHA:0:8} storm2/ngx-voms:${CI_COMMIT_SHA:0:8}
- docker tag ${CI_REGISTRY_IMAGE}/ngx-voms:${CI_COMMIT_SHA:0:8} storm2/ngx-voms:latest
- docker login -u ${DOCKERHUB_USER} -p ${DOCKERHUB_PASSWORD}
- docker push storm2/ngx-voms:${CI_COMMIT_SHA:0:8}
- docker push storm2/ngx-voms:latest
only:
- master
- |
rm ${CI_PROJECT_DIR}/artifacts/*-debuginfo*.rpm
echo "$CI_REGISTRY_PASSWORD" | docker login $CI_REGISTRY -u $CI_REGISTRY_USER --password-stdin
docker build -t $IMAGE_TAG .
docker push $IMAGE_TAG
if [ "${REPO}" = 'stable' ]; then
echo "$DOCKERHUB_PASSWORD" | docker login -u $DOCKERHUB_USER --password-stdin
# Tag latest
docker image tag $IMAGE_TAG $CI_REGISTRY_IMAGE
docker push $CI_REGISTRY_IMAGE
docker image tag $IMAGE_TAG $DOCKERHUB_IMAGE
docker push $DOCKERHUB_IMAGE
# Commit tag
docker image tag $IMAGE_TAG $CI_REGISTRY_IMAGE:$CI_COMMIT_TAG
docker push $CI_REGISTRY_IMAGE:$CI_COMMIT_TAG
docker image tag $IMAGE_TAG $DOCKERHUB_IMAGE:$CI_COMMIT_TAG
docker push $DOCKERHUB_IMAGE:$CI_COMMIT_TAG
fi
Dockerfile 0 → 100644
View file @ 6d052991
# SPDX-FileCopyrightText: 2018 Istituto Nazionale di Fisica Nucleare
#
# SPDX-License-Identifier: EUPL-1.2
ARG EL_VERSION=9
FROM almalinux:${EL_VERSION}
# https://docs.docker.com/reference/dockerfile/#understand-how-arg-and-from-interact
ARG EL_VERSION
# Allow customization of nginx user ID and name
ARG USERNAME=nginx
ARG USER_UID=1000
ARG USER_GID=${USER_UID}
# install dependencies and create user
RUN dnf update -y && \
dnf install -y epel-release && \
groupadd --gid $USER_GID $USERNAME && \
useradd --uid $USER_UID --gid $USER_GID -m $USERNAME && \
mkdir /pkgs
COPY artifacts/*.rpm /pkgs/
# install nginx httpg + voms and njs dynamic module
COPY <<'EOF' /etc/yum.repos.d/nginx.repo
[nginx-stable]
name=nginx stable repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true
EOF
RUN dnf install -y /pkgs/nginx-*.el${EL_VERSION}.httpg.x86_64.rpm && \
dnf install -y /pkgs/nginx-module-http-voms-*.el${EL_VERSION}.x86_64.rpm && \
dnf install -y nginx-module-njs-$(rpm -q --qf %{VERSION} nginx)* \
&& rm -rf /pkgs \
&& dnf clean all && rm -rf /var/cache/dnf \
&& sed -i '1i load_module modules/ngx_http_voms_module.so;' /etc/nginx/nginx.conf \
# forward request and error logs to docker log collector
&& ln -sf /dev/stdout /var/log/nginx/access.log \
&& ln -sf /dev/stderr /var/log/nginx/error.log
STOPSIGNAL SIGQUIT
CMD ["nginx", "-g", "daemon off;"]
LICENSES/EUPL-1.2.txt 0 → 100644
View file @ 6d052991
EUROPEAN UNION PUBLIC LICENCE v. 1.2
EUPL © the European Union 2007, 2016
This European Union Public Licence (the ‘EUPL’) applies to the Work (as defined below) which is provided under the
terms of this Licence. Any use of the Work, other than as authorised under this Licence is prohibited (to the extent such
use is covered by a right of the copyright holder of the Work).
The Work is provided under the terms of this Licence when the Licensor (as defined below) has placed the following
notice immediately following the copyright notice for the Work:
Licensed under the EUPL
or has expressed by any other means his willingness to license under the EUPL.
1.Definitions
In this Licence, the following terms have the following meaning:
— ‘The Licence’:this Licence.
— ‘The Original Work’:the work or software distributed or communicated by the Licensor under this Licence, available
as Source Code and also as Executable Code as the case may be.
— ‘Derivative Works’:the works or software that could be created by the Licensee, based upon the Original Work or
modifications thereof. This Licence does not define the extent of modification or dependence on the Original Work
required in order to classify a work as a Derivative Work; this extent is determined by copyright law applicable in
the country mentioned in Article 15.
— ‘The Work’:the Original Work or its Derivative Works.
— ‘The Source Code’:the human-readable form of the Work which is the most convenient for people to study and
modify.
— ‘The Executable Code’:any code which has generally been compiled and which is meant to be interpreted by
a computer as a program.
— ‘The Licensor’:the natural or legal person that distributes or communicates the Work under the Licence.
— ‘Contributor(s)’:any natural or legal person who modifies the Work under the Licence, or otherwise contributes to
the creation of a Derivative Work.
— ‘The Licensee’ or ‘You’:any natural or legal person who makes any usage of the Work under the terms of the
Licence.
— ‘Distribution’ or ‘Communication’:any act of selling, giving, lending, renting, distributing, communicating,
transmitting, or otherwise making available, online or offline, copies of the Work or providing access to its essential
functionalities at the disposal of any other natural or legal person.
2.Scope of the rights granted by the Licence
The Licensor hereby grants You a worldwide, royalty-free, non-exclusive, sublicensable licence to do the following, for
the duration of copyright vested in the Original Work:
— use the Work in any circumstance and for all usage,
— reproduce the Work,
— modify the Work, and make Derivative Works based upon the Work,
— communicate to the public, including the right to make available or display the Work or copies thereof to the public
and perform publicly, as the case may be, the Work,
— distribute the Work or copies thereof,
— lend and rent the Work or copies thereof,
— sublicense rights in the Work or copies thereof.
Those rights can be exercised on any media, supports and formats, whether now known or later invented, as far as the
applicable law permits so.
In the countries where moral rights apply, the Licensor waives his right to exercise his moral right to the extent allowed
by law in order to make effective the licence of the economic rights here above listed.
The Licensor grants to the Licensee royalty-free, non-exclusive usage rights to any patents held by the Licensor, to the
extent necessary to make use of the rights granted on the Work under this Licence.
3.Communication of the Source Code
The Licensor may provide the Work either in its Source Code form, or as Executable Code. If the Work is provided as
Executable Code, the Licensor provides in addition a machine-readable copy of the Source Code of the Work along with
each copy of the Work that the Licensor distributes or indicates, in a notice following the copyright notice attached to
the Work, a repository where the Source Code is easily and freely accessible for as long as the Licensor continues to
distribute or communicate the Work.
4.Limitations on copyright
Nothing in this Licence is intended to deprive the Licensee of the benefits from any exception or limitation to the
exclusive rights of the rights owners in the Work, of the exhaustion of those rights or of other applicable limitations
thereto.
5.Obligations of the Licensee
The grant of the rights mentioned above is subject to some restrictions and obligations imposed on the Licensee. Those
obligations are the following:
Attribution right: The Licensee shall keep intact all copyright, patent or trademarks notices and all notices that refer to
the Licence and to the disclaimer of warranties. The Licensee must include a copy of such notices and a copy of the
Licence with every copy of the Work he/she distributes or communicates. The Licensee must cause any Derivative Work
to carry prominent notices stating that the Work has been modified and the date of modification.
Copyleft clause: If the Licensee distributes or communicates copies of the Original Works or Derivative Works, this
Distribution or Communication will be done under the terms of this Licence or of a later version of this Licence unless
the Original Work is expressly distributed only under this version of the Licence — for example by communicating
‘EUPL v. 1.2 only’. The Licensee (becoming Licensor) cannot offer or impose any additional terms or conditions on the
Work or Derivative Work that alter or restrict the terms of the Licence.
Compatibility clause: If the Licensee Distributes or Communicates Derivative Works or copies thereof based upon both
the Work and another work licensed under a Compatible Licence, this Distribution or Communication can be done
under the terms of this Compatible Licence. For the sake of this clause, ‘Compatible Licence’ refers to the licences listed
in the appendix attached to this Licence. Should the Licensee's obligations under the Compatible Licence conflict with
his/her obligations under this Licence, the obligations of the Compatible Licence shall prevail.
Provision of Source Code: When distributing or communicating copies of the Work, the Licensee will provide
a machine-readable copy of the Source Code or indicate a repository where this Source will be easily and freely available
for as long as the Licensee continues to distribute or communicate the Work.
Legal Protection: This Licence does not grant permission to use the trade names, trademarks, service marks, or names
of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and
reproducing the content of the copyright notice.
6.Chain of Authorship
The original Licensor warrants that the copyright in the Original Work granted hereunder is owned by him/her or
licensed to him/her and that he/she has the power and authority to grant the Licence.
Each Contributor warrants that the copyright in the modifications he/she brings to the Work are owned by him/her or
licensed to him/her and that he/she has the power and authority to grant the Licence.
Each time You accept the Licence, the original Licensor and subsequent Contributors grant You a licence to their contributions
to the Work, under the terms of this Licence.
7.Disclaimer of Warranty
The Work is a work in progress, which is continuously improved by numerous Contributors. It is not a finished work
and may therefore contain defects or ‘bugs’ inherent to this type of development.
For the above reason, the Work is provided under the Licence on an ‘as is’ basis and without warranties of any kind
concerning the Work, including without limitation merchantability, fitness for a particular purpose, absence of defects or
errors, accuracy, non-infringement of intellectual property rights other than copyright as stated in Article 6 of this
Licence.
This disclaimer of warranty is an essential part of the Licence and a condition for the grant of any rights to the Work.
8.Disclaimer of Liability
Except in the cases of wilful misconduct or damages directly caused to natural persons, the Licensor will in no event be
liable for any direct or indirect, material or moral, damages of any kind, arising out of the Licence or of the use of the
Work, including without limitation, damages for loss of goodwill, work stoppage, computer failure or malfunction, loss
of data or any commercial damage, even if the Licensor has been advised of the possibility of such damage. However,
the Licensor will be liable under statutory product liability laws as far such laws apply to the Work.
9.Additional agreements
While distributing the Work, You may choose to conclude an additional agreement, defining obligations or services
consistent with this Licence. However, if accepting obligations, You may act only on your own behalf and on your sole
responsibility, not on behalf of the original Licensor or any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against such Contributor by
the fact You have accepted any warranty or additional liability.
10.Acceptance of the Licence
The provisions of this Licence can be accepted by clicking on an icon ‘I agree’ placed under the bottom of a window
displaying the text of this Licence or by affirming consent in any other similar way, in accordance with the rules of
applicable law. Clicking on that icon indicates your clear and irrevocable acceptance of this Licence and all of its terms
and conditions.
Similarly, you irrevocably accept this Licence and all of its terms and conditions by exercising any rights granted to You
by Article 2 of this Licence, such as the use of the Work, the creation by You of a Derivative Work or the Distribution
or Communication by You of the Work or copies thereof.
11.Information to the public
In case of any Distribution or Communication of the Work by means of electronic communication by You (for example,
by offering to download the Work from a remote location) the distribution channel or media (for example, a website)
must at least provide to the public the information requested by the applicable law regarding the Licensor, the Licence
and the way it may be accessible, concluded, stored and reproduced by the Licensee.
12.Termination of the Licence
The Licence and the rights granted hereunder will terminate automatically upon any breach by the Licensee of the terms
of the Licence.
Such a termination will not terminate the licences of any person who has received the Work from the Licensee under
the Licence, provided such persons remain in full compliance with the Licence.
13.Miscellaneous
Without prejudice of Article 9 above, the Licence represents the complete agreement between the Parties as to the
Work.
If any provision of the Licence is invalid or unenforceable under applicable law, this will not affect the validity or
enforceability of the Licence as a whole. Such provision will be construed or reformed so as necessary to make it valid
and enforceable.
The European Commission may publish other linguistic versions or new versions of this Licence or updated versions of
the Appendix, so far this is required and reasonable, without reducing the scope of the rights granted by the Licence.
New versions of the Licence will be published with a unique version number.
All linguistic versions of this Licence, approved by the European Commission, have identical value. Parties can take
advantage of the linguistic version of their choice.
14.Jurisdiction
Without prejudice to specific agreement between parties,
— any litigation resulting from the interpretation of this License, arising between the European Union institutions,
bodies, offices or agencies, as a Licensor, and any Licensee, will be subject to the jurisdiction of the Court of Justice
of the European Union, as laid down in article 272 of the Treaty on the Functioning of the European Union,
— any litigation arising between other parties and resulting from the interpretation of this License, will be subject to
the exclusive jurisdiction of the competent court where the Licensor resides or conducts its primary business.
15.Applicable Law
Without prejudice to specific agreement between parties,
— this Licence shall be governed by the law of the European Union Member State where the Licensor has his seat,
resides or has his registered office,
— this licence shall be governed by Belgian law if the Licensor has no seat, residence or registered office inside
a European Union Member State.
Appendix
‘Compatible Licences’ according to Article 5 EUPL are:
— GNU General Public License (GPL) v. 2, v. 3
— GNU Affero General Public License (AGPL) v. 3
— Open Software License (OSL) v. 2.1, v. 3.0
— Eclipse Public License (EPL) v. 1.0
— CeCILL v. 2.0, v. 2.1
— Mozilla Public Licence (MPL) v. 2
— GNU Lesser General Public Licence (LGPL) v. 2.1, v. 3
— Creative Commons Attribution-ShareAlike v. 3.0 Unported (CC BY-SA 3.0) for works other than software
— European Union Public Licence (EUPL) v. 1.1, v. 1.2
— Québec Free and Open-Source Licence — Reciprocity (LiLiQ-R) or Strong Reciprocity (LiLiQ-R+).
The European Commission may update this Appendix to later versions of the above licences without producing
a new version of the EUPL, as long as they provide the rights granted in Article 2 of this Licence and protect the
covered Source Code from exclusive appropriation.
All other changes or additions to this Appendix require the production of a new EUPL version.
README.md
View file @ 6d052991
# ngx_http_voms_module
<!--
SPDX-FileCopyrightText: 2018 Istituto Nazionale di Fisica Nucleare
[![pipeline status](https://baltig.infn.it/storm2/ngx_http_voms_module/badges/master/pipeline.svg)](https://baltig.infn.it/storm2/ngx_http_voms_module/commits/master)
SPDX-License-Identifier: EUPL-1.2
-->
## Description
_ngx_http_voms_module_ is a module for the [Nginx web server](https://www.nginx.org/) that enables client-side authentication based on X.509 proxy certificates augmented with VOMS Attribute Certificates, typically obtained from a [Virtual Organization Membership Service](https://italiangrid.github.io/voms/) (VOMS) server.
# `ngx_http_voms_module`
The module defines a set of [_embedded_ variables](~embedded-variables), whose values are extracted from the first Attribute Certificate found in the certificate chain.
[![pipeline status](https://baltig.infn.it/cnafsd/ngx_http_voms_module/badges/master/pipeline.svg)](https://baltig.infn.it/cnafsd/ngx_http_voms_module/commits/master)
## Installation
The generic installation instructions are:
$ cd nginx-1.x.y
$ ./configure --add-module=/path/to/ngx_http_voms_module
$ make && make install
## Description
A Docker image is available for use in the context of the StoRM2 project, where the OpenResty distribution is used:
`ngx_http_voms_module` is a module for the [Nginx web server](https://www.nginx.org/) that enables client-side authentication based on X.509 proxy certificates augmented with VOMS Attribute Certificates, typically obtained from a [Virtual Organization Membership Service](https://italiangrid.github.io/voms/) (VOMS) server.
$ docker run --rm -it -v /path/to/ngx_http_voms_module:/home/build/ngx_http_voms_module storm2/ngx-voms-build
% cd openresty-1.x.y
% ./configure ${RESTY_CONFIG_OPTIONS} --add-module=../ngx_http_voms_module
% make && make install
The module defines a set of *embedded* variables, whose values are extracted from the first Attribute Certificate found in the certificate chain.
## Embedded Variables
### Embedded Variables
The module makes the following embedded variables available for use in an Nginx configuration file:
### voms_user
#### voms_user
The Subject of the End-Entity certificate, used to sign the proxy.
_Example_: ``/C=IT/O=IGI/CN=test0``
### ssl_client_ee_s_dn
#### ssl_client_ee_s_dn
Like `voms_user`, the Subject of the End-Entity certificate. Unlike `voms_user`, it is available even for non-VOMS proxies and is formatted according to RFC 2253.
_Example_: ``CN=test0,O=IGI,C=IT``
_Example_: `CN=test0,O=IGI,C=IT`
### voms_user_ca
#### voms_user_ca
The Issuer (Certificate Authority) of the End-Entity certificate.
_Example_: ``/C=IT/O=IGI/CN=Test CA``
_Example_: `/C=IT/O=IGI/CN=Test CA`
### ssl_client_ee_i_dn
#### ssl_client_ee_i_dn
Like `voms_user_ca`, the Issuer of the End-Entity certificate. Unlike `voms_user_ca`, it is available even for non-VOMS proxies and is formatted according to RFC 2253.
_Example_: ``CN=Test CA,O=IGI,C=IT``
_Example_: `CN=Test CA,O=IGI,C=IT`
### voms_fqans
#### voms_fqans
A comma-separated list of Fully Qualified Attribute Names. See [The VOMS Attribute Certificate Format](http://ogf.org/documents/GFD.182.pdf) for more details.
_Example_: ``/test/exp1,/test/exp2,/test/exp3/Role=PIPPO``
_Example_: `/test.vo/exp1,/test.vo/exp2,/test.vo/exp3/Role=PIPPO`
### voms_server
#### voms_server
The Subject of the VOMS server certificate, used to sign the Attribute Certificate.
_Example_: ``/C=IT/O=IGI/CN=voms.example``
_Example_: `/C=IT/O=IGI/CN=voms.example`
### voms_server_ca
#### voms_server_ca
The Issuer (Certificate Authority) of the VOMS server certificate.
_Example_: ``/C=IT/O=IGI/CN=Test CA``
_Example_: `/C=IT/O=IGI/CN=Test CA`
### voms_vo
#### voms_vo
The name of the Virtual Organization (VO) to which the End Entity belongs.
_Example_: ``test.vo``
_Example_: `test.vo`
### voms_server_uri
#### voms_server_uri
The hostname and port of the VOMS network service that issued the Attribute Certificate, in the form _hostname_ :_port_.
_Example_: ``voms.example:15000``
_Example_: `voms.example:15000`
### voms_not_before
#### voms_not_before
The date before which the Attribute Certificate is not yet valid, in the form _YYYYMMDDhhmmss_ ``Z``.
The date before which the Attribute Certificate is not yet valid, in the form _YYYYMMDDhhmmss_ `Z`.
_Example_: ``20180101000000Z``
_Example_: `20180101000000Z`
### voms_not_after
#### voms_not_after
The date after which the Attribute Certificate is not valid anymore, in the form _YYYYMMDDhhmmss_ ``Z``.
The date after which the Attribute Certificate is not valid anymore, in the form _YYYYMMDDhhmmss_ `Z`.
_Example_: ``20180101120000Z``
_Example_: `20180101120000Z`
### voms_generic_attributes
#### voms_generic_attributes
A comma-separated list of attributes, each defined by three properties and formatted as ``n=``_name_ ``v=``_value_ ``q=``_qualifier_. The qualifier typically coincides with the name of the VO.
A comma-separated list of attributes, each defined by three properties and formatted as `n=`_name_ `v=`_value_ `q=`_qualifier_. The qualifier typically coincides with the name of the VO.
_Example_: ``n=nickname v=newland q=test.vo,n=nickname v=giaco q=test.vo``
_Example_: `n=nickname v=newland q=test.vo,n=nickname v=giaco q=test.vo`
### voms_serial
#### voms_serial
The serial number of the Attribute Certificate in hexadecimal format.
_Example_: ``7B``
_Example_: `7B`
## Installation
### prerequisites
The software dependencies are listed in the [provide-dev-deps](.devcontainer/library-scripts/provide-dev-deps.sh) script in the `.devcontainer` directory.
The nginx source files are also needed. To download them in `/tmp/nginx-x.y.z` you can execute:
```shell
$ ngxVersion=<version>
$ curl -o /tmp/nginx-$ngxVersion.tar.gz https://nginx.org/download/nginx-$ngxVersion.tar.gz
$ cd /tmp && tar -xzvf /tmp/nginx-$ngxVersion.tar.gz && cd -
```
### Generic installation
The generic installation instructions are:
```shell
$ cd /tmp/nginx-x.y.z
$ ./configure --add-module=/path/to/ngx_http_voms_module
$ make && make install
```
### Docker container
A Docker image with nginx and the `ngx_http_voms_module` is available, you can find it [here](https://hub.docker.com/r/cnafsd/nginx-httpg-voms).
### For the developers
A [.devcontainer](.devcontainer) is provided for the developers with all the instructions on how to use it, how to build the rpm module and how to install it.
## Testing
Setup and files to test the *ngx\_http\_voms\_module* are contained in the `t` folder.
Setup and files to test the `ngx_http_voms_module` are contained in the [`t`](t) folder.
REUSE.toml 0 → 100644
View file @ 6d052991
# SPDX-FileCopyrightText: 2018 Istituto Nazionale di Fisica Nucleare
#
# SPDX-License-Identifier: EUPL-1.2
version = 1
[[annotations]]
path = ["nginx-httpg_no_delegation.patch", "version.txt", "t/proxies.d/*"]
SPDX-FileCopyrightText = "2018 Istituto Nazionale di Fisica Nucleare"
SPDX-License-Identifier = "EUPL-1.2"
config
View file @ 6d052991
# SPDX-FileCopyrightText: 2018 Istituto Nazionale di Fisica Nucleare
#
# SPDX-License-Identifier: EUPL-1.2
ngx_addon_name=ngx_http_voms_module
ngx_module_type=HTTP
ngx_addon_name=voms
ngx_module_name=ngx_http_voms_module
ngx_module_srcs="$ngx_addon_dir/src/ngx_http_voms_module.cpp"
ngx_module_libs="-lvomsapi -lstdc++"
......
config.make 0 → 100644
View file @ 6d052991
# SPDX-FileCopyrightText: 2018 Istituto Nazionale di Fisica Nucleare
#
# SPDX-License-Identifier: EUPL-1.2
echo "objs/addon/src/ngx_http_voms_module.o: CFLAGS += -Werror" >> $NGX_MAKEFILE
cov-ngx-voms.sh deleted 100755 → 0
View file @ 75b5b147
#!/bin/sh
# Copyright 2018 Istituto Nazionale di Fisica Nucleare
#
# Licensed under the EUPL, Version 1.2 or - as soon they will be approved by the
# European Commission - subsequent versions of the EUPL (the "Licence"). You may
# not use this work except in compliance with the Licence. You may obtain a copy
# of the Licence at:
#
# https://joinup.ec.europa.eu/software/page/eupl
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the Licence is distributed on an "AS IS" basis, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# Licence for the specific language governing permissions and limitations under
# the Licence.
# This script builds in debug mode and installs openresty together with the
# ngx_http_voms_module.
#
# The script requires the locations of the openresty bundle and of the
# ngx_http_voms_module code (for example as checked-out from git). The locations
# are expressed by the environment variables OPENRESTY_ROOT and
# NGX_HTTP_VOMS_MODULE_ROOT respectively, if available. If they are not set,
# they are guessed:
# * a unique openresty bundle is looked for in ${HOME}
# * the ngx_http_voms_module code is looked for in the working directory of the
# continuous integration environment first and then in ${HOME}
#
# The script works best (i.e. it is tested) if run within a docker container
# started from the storm2/ngx-voms-build image.
#geninfo --base-directory ${HOME}/openresty-1.13.6.1/build/nginx-1.13.6/objs/addon/src/ --output-filename coverage.info ${HOME}/openresty-1.13.6.1/build/nginx-1.13.6/objs/addon/src/
geninfo --output-filename /tmp/coverage.info ${HOME}/openresty-1.13.6.1/build/nginx-1.13.6/objs/addon/src/
genhtml --prefix ${HOME}/openresty-1.13.6.1/build/nginx-1.13.6/objs/addon/src/ --ignore-errors source --demangle-cpp /tmp/coverage.info \
--legend --title "coverage ngix" --output-directory=/tmp/coverage-report
exit_status=$?
if [ ! $exit_status -eq 0 ]; then
echo "check output"
fi
echo $exit_status
docker/Dockerfile deleted 100644 → 0
View file @ 75b5b147
FROM storm2/base:latest
RUN sudo yum -y install voms zlib pcre readline gettext && \
sudo yum clean all && rm -rf /var/cache/yum && \
mkdir -p /etc/nginx/conf.d && \
mkdir -p /home/build/local && \
chown -R build:build /etc/nginx/conf.d /home/build/local
USER build
ADD openresty.tar.gz /home/build/local
RUN ls -lR /home/build && sudo chown -R build:build /home/build
RUN \
touch /home/build/local/openresty/nginx/logs/access.log && \
touch /home/build/local/openresty/nginx/logs/error.log && \
ln -sf /dev/stdout /home/build/local/openresty/nginx/logs/access.log && \
ln -sf /dev/stderr /home/build/local/openresty/nginx/logs/error.log
COPY assets/nginx.conf /home/build/local/openresty/nginx/conf/nginx.conf
COPY assets/srm.conf /etc/nginx/conf.d/
USER root
# Embed TINI since compose v3 syntax do not support the init
# option to run docker --init
#
ENV TINI_VERSION v0.18.0
ADD https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini /tini
RUN chmod +x /tini
ENTRYPOINT ["/tini", "--"]
CMD ["/home/build/local/openresty/bin/openresty", "-g", "daemon off;"]
docker/README.md deleted 100644 → 0
View file @ 75b5b147
This folder contains a Dockerfile to run an instance of Openresty/NGINX
compiled and linked against the ngx_voms_http_module.
For more details see the [Dockerfile](./Dockerfile)
The default configuration for NGINX is provided in [this conf file](
./assets/nginx.conf).
A configuration for the `/srm` endpoint useful for the storm docker compose
file is provided in [this conf file](./assets/srm.conf).
docker/assets/nginx.conf deleted 100644 → 0
View file @ 75b5b147
user build;
worker_processes 1;
env OPENSSL_ALLOW_PROXY_CERTS=1;
env X509_VOMS_DIR=/vomsdir;
error_log logs/error.log warn;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
log_format storm '$time_iso8601 [$request_id] $remote_addr - $remote_user "$request" <$upstream_response_time> '
'$ssl_protocol/$ssl_cipher '
'"$ssl_client_s_dn" '
'[$voms_fqans] '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log logs/access.log storm;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
#gzip on;
include /etc/nginx/conf.d/*.conf;
}
docker/assets/srm.conf deleted 100644 → 0
View file @ 75b5b147
server {
error_log logs/error.log debug;
access_log logs/access.log storm;
listen 443 ssl;
server_name storm.example;
ssl on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_certificate /certs/cert.pem;
ssl_certificate_key /certs/key.pem;
ssl_client_certificate /etc/pki/tls/certs/ca-bundle.crt;
ssl_verify_client optional;
ssl_verify_depth 100;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
location /srm {
proxy_pass http://fe:8080;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header Host $http_host;
# Simple tracing via request_id
proxy_set_header X-Request-Id $request_id;
# VOMS headers
proxy_set_header x-ssl_client_ee_s_dn $ssl_client_ee_s_dn;
proxy_set_header x-ssl_client_ee_i_dn $ssl_client_ee_i_dn;
proxy_set_header x-voms_fqans $voms_fqans;
proxy_set_header x-voms_user $voms_user;
proxy_set_header x-voms_user_ca $voms_user_ca;
proxy_set_header x-voms_vo $voms_vo;
proxy_set_header x-voms_not_before $voms_not_before;
proxy_set_header x-voms_not_after $voms_not_after;
proxy_set_header x-voms_generic_attributes $voms_generic_attributes;
proxy_set_header x-voms_serial $voms_serial;
}
}