Newer
Older
// Copyright 2018 Istituto Nazionale di Fisica Nucleare
//
// Licensed under the EUPL, Version 1.2 or - as soon they will be approved by
// the European Commission - subsequent versions of the EUPL (the "Licence").
// You may not use this work except in compliance with the Licence. You may
// obtain a copy of the Licence at:
//
// https://joinup.ec.europa.eu/software/page/eupl
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the Licence is distributed on an "AS IS" basis, WITHOUT
// WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
// Licence for the specific language governing permissions and limitations under
// the Licence.
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
extern "C" {
#include <ngx_config.h>
#include <ngx_core.h>
#include <ngx_http.h>
}
#include <voms/voms_api.h>
#include <cassert>
#include <chrono>
#include <iostream>
#include <memory>
#include <numeric>
#include <string>
#include <boost/algorithm/string/join.hpp>
#include <boost/optional.hpp>
using BioPtr = std::unique_ptr<BIO, decltype(&BIO_free)>;
using X509Ptr = std::unique_ptr<X509, decltype(&X509_free)>;
using VomsAc = voms;
using MaybeVomsAc = boost::optional<VomsAc>;
static ngx_int_t add_variables(ngx_conf_t* cf);
static ngx_http_module_t ctx = {
add_variables, // preconfiguration
NULL, // postconfiguration
NULL, // create main configuration
NULL, // init main configuration
NULL, // create server configuration
NULL, // merge server configuration
NULL, // create location configuration
NULL // merge location configuration
};
ngx_module_t ngx_http_voms_module = {
NGX_MODULE_V1,
&ctx, // module context
NULL, // module directives
NGX_HTTP_MODULE, // module type
NULL, // init master
NULL, // init module
NULL, // init process
NULL, // init thread
NULL, // exit thread
NULL, // exit process
NULL, // exit master
NGX_MODULE_V1_PADDING //
};
static std::unique_ptr<vomsdata> vomsdata_ptr;
static ngx_int_t generic_getter( //
ngx_http_request_t* r,
ngx_http_variable_value_t* v,
uintptr_t data);
static ngx_int_t get_ssl_client_ee_s_dn( //
ngx_http_request_t* r,
ngx_http_variable_value_t* v,
uintptr_t data);
using getter_t = std::string(VomsAc const& voms);
static getter_t get_voms_user;
static getter_t get_voms_user_ca;
static getter_t get_voms_fqans;
static getter_t get_voms_server;
static getter_t get_voms_server_ca;
static getter_t get_voms_vo;
static getter_t get_voms_server_uri;
static getter_t get_voms_not_before;
static getter_t get_voms_not_after;
static getter_t get_voms_generic_attributes;
static getter_t get_voms_serial;
{
ngx_string("voms_user"),
NULL,
generic_getter,
reinterpret_cast<uintptr_t>(&get_voms_user),
NGX_HTTP_VAR_NOCACHEABLE,
0 //
},
{
ngx_string("voms_user_ca"),
NULL,
generic_getter,
reinterpret_cast<uintptr_t>(&get_voms_user_ca),
NGX_HTTP_VAR_NOCACHEABLE,
0 //
},
generic_getter,
reinterpret_cast<uintptr_t>(&get_voms_fqans),
ngx_string("voms_server"),
NULL,
generic_getter,
reinterpret_cast<uintptr_t>(&get_voms_server),
NGX_HTTP_VAR_NOCACHEABLE,
0 //
},
{
ngx_string("voms_server_ca"),
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
generic_getter,
reinterpret_cast<uintptr_t>(&get_voms_server_ca),
NGX_HTTP_VAR_NOCACHEABLE,
0 //
},
{
ngx_string("voms_vo"),
NULL,
generic_getter,
reinterpret_cast<uintptr_t>(&get_voms_vo),
NGX_HTTP_VAR_NOCACHEABLE,
0 //
},
{
ngx_string("voms_server_uri"),
NULL,
generic_getter,
reinterpret_cast<uintptr_t>(&get_voms_server_uri),
NGX_HTTP_VAR_NOCACHEABLE,
0 //
},
{
ngx_string("voms_not_before"),
NULL,
generic_getter,
reinterpret_cast<uintptr_t>(&get_voms_not_before),
NGX_HTTP_VAR_NOCACHEABLE,
0 //
},
{
ngx_string("voms_not_after"),
NULL,
generic_getter,
reinterpret_cast<uintptr_t>(&get_voms_not_after),
NGX_HTTP_VAR_NOCACHEABLE,
0 //
},
{
ngx_string("voms_generic_attributes"),
NULL,
generic_getter,
reinterpret_cast<uintptr_t>(&get_voms_generic_attributes),
NGX_HTTP_VAR_NOCACHEABLE,
0 //
},
{
ngx_string("voms_serial"),
NULL,
generic_getter,
reinterpret_cast<uintptr_t>(&get_voms_serial),
{
ngx_string("ssl_client_ee_s_dn"),
NULL,
get_ssl_client_ee_s_dn,
0,
NGX_HTTP_VAR_NOCACHEABLE,
0 //
},
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
static std::string to_rfc2253(X509_NAME* name)
{
std::string result;
BioPtr bio(BIO_new(BIO_s_mem()), &BIO_free);
if (!bio) {
return result;
}
if (X509_NAME_print_ex(bio.get(), name, 0, XN_FLAG_RFC2253) < 0) {
return result;
}
auto len = BIO_pending(bio.get());
result.resize(len);
BIO_read(bio.get(), &result[0], result.size());
return result;
}
#if OPENSSL_VERSION_NUMBER < 0x10100000L
uint32_t X509_get_extension_flags(X509* x)
{
return x->ex_flags;
}
#endif
static bool is_proxy(X509* cert)
{
return X509_get_extension_flags(cert) & EXFLAG_PROXY;
}
static ngx_int_t get_ssl_client_ee_s_dn(ngx_http_request_t* r,
ngx_http_variable_value_t* v,
uintptr_t data)
{
ngx_log_error(NGX_LOG_DEBUG, r->connection->log, 0, "%s", __func__);
v->not_found = 1;
v->valid = 0;
auto chain = SSL_get_peer_cert_chain(r->connection->ssl->connection);
if (!chain) {
ngx_log_error(
NGX_LOG_ERR, r->connection->log, 0, "SSL_get_peer_cert_chain() failed");
return NGX_OK;
}
if (sk_X509_num(chain) == 0) {
ee_cert = SSL_get_peer_certificate(r->connection->ssl->connection);
} else {
// find first non-proxy
for (int i = 0; i != sk_X509_num(chain); ++i) {
auto cert = sk_X509_value(chain, i);
if (cert && !is_proxy(cert)) {
ee_cert = cert;
break;
}
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
}
}
if (!ee_cert) {
ngx_log_error(NGX_LOG_DEBUG,
r->connection->log,
0,
"cannot identify end-entity certificate");
return NGX_OK;
}
auto dn = X509_get_subject_name(ee_cert);
if (!dn) {
ngx_log_error(NGX_LOG_DEBUG,
r->connection->log,
0,
"cannot get subject dn from certificate");
return NGX_OK;
}
std::string value = to_rfc2253(dn);
auto buffer = static_cast<u_char*>(ngx_pnalloc(r->pool, value.size()));
if (!buffer) {
ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "ngx_pnalloc() failed");
return NGX_OK;
}
ngx_memcpy(buffer, value.c_str(), value.size());
v->data = buffer;
v->len = value.size();
v->valid = 1;
v->not_found = 0;
v->no_cacheable = 0;
return NGX_OK;
}
static ngx_int_t add_variables(ngx_conf_t* cf)
{
for (ngx_http_variable_t* v = variables; v->name.len; ++v) {
ngx_http_variable_t* var = ngx_http_add_variable(cf, &v->name, v->flags);
if (var == NULL) {
return NGX_ERROR;
}
var->get_handler = v->get_handler;
var->data = v->data;
}
return NGX_OK;
}
// return the first AC, if present
static MaybeVomsAc retrieve_voms_ac_from_proxy(ngx_http_request_t* r)
{
ngx_log_error(NGX_LOG_DEBUG, r->connection->log, 0, "%s", __func__);
ngx_log_error(NGX_LOG_ERR,
r->connection->log,
0,
"SSL not enabled");
return boost::none;
}
auto client_cert = X509Ptr{
SSL_get_peer_certificate(r->connection->ssl->connection), X509_free};
if (!client_cert) {
ngx_log_error(NGX_LOG_ERR,
r->connection->log,
0,
"no SSL peer certificate available");
return boost::none;
}
auto client_chain = SSL_get_peer_cert_chain(r->connection->ssl->connection);
if (!client_chain) {
ngx_log_error(
NGX_LOG_ERR, r->connection->log, 0, "SSL_get_peer_cert_chain() failed");
return boost::none;
}
if (!vomsdata_ptr) {
vomsdata_ptr.reset(new vomsdata);
}
auto ok =
vomsdata_ptr->Retrieve(client_cert.get(), client_chain, RECURSE_CHAIN);
auto msg = vomsdata_ptr->ErrorMessage().c_str();
ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "%s", msg);
ngx_log_error(NGX_LOG_DEBUG, r->connection->log, 0, "no ACs in proxy");
return boost::none;
}
}
static void clean_voms_ac(void* data)
{
auto r = static_cast<ngx_http_request_t*>(data);
ngx_log_error(NGX_LOG_DEBUG, r->connection->log, 0, "%s", __func__);
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
auto p = static_cast<MaybeVomsAc*>(
ngx_http_get_module_ctx(r, ngx_http_voms_module));
delete p;
}
static void cache_voms_ac(ngx_http_request_t* r, MaybeVomsAc* ac)
{
ngx_http_set_ctx(r, ac, ngx_http_voms_module);
auto cln = ngx_http_cleanup_add(r, 0);
if (cln) {
cln->handler = clean_voms_ac;
cln->data = r;
} else {
ngx_log_error(
NGX_LOG_ERR, r->connection->log, 0, "ngx_http_cleanup_add() failed");
}
}
static MaybeVomsAc* get_voms_ac_from_cache(ngx_http_request_t* r)
{
return static_cast<MaybeVomsAc*>(
ngx_http_get_module_ctx(r, ngx_http_voms_module));
}
static MaybeVomsAc const& get_voms_ac(ngx_http_request_t* r)
{
ngx_log_error(NGX_LOG_DEBUG, r->connection->log, 0, "%s", __func__);
MaybeVomsAc* acp = get_voms_ac_from_cache(r);
if (!acp) {
acp = new MaybeVomsAc(retrieve_voms_ac_from_proxy(r));
cache_voms_ac(r, acp);
}
return *acp;
}
static ngx_int_t generic_getter(ngx_http_request_t* r,
ngx_log_error(NGX_LOG_DEBUG, r->connection->log, 0, "%s", __func__);
v->not_found = 1;
v->valid = 0;
auto& ac = get_voms_ac(r);
if (!ac) {
ngx_log_error(NGX_LOG_DEBUG, r->connection->log, 0, "get_voms_ac() failed");
return NGX_OK;
}
using getter_p = std::string (*)(VomsAc const& voms);
auto getter = reinterpret_cast<getter_p>(data);
std::string const value = getter(*ac);
auto buffer = static_cast<u_char*>(ngx_pnalloc(r->pool, value.size()));
if (!buffer) {
ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "ngx_pnalloc() failed");
return NGX_OK;
}
ngx_memcpy(buffer, value.c_str(), value.size());
v->data = buffer;
v->len = value.size();
v->valid = 1;
v->not_found = 0;
v->no_cacheable = 0;
return NGX_OK;
}
std::string get_voms_user(VomsAc const& ac)
std::string get_voms_user_ca(VomsAc const& ac)
{
return ac.userca;
}
std::string get_voms_fqans(VomsAc const& ac)
{
return boost::algorithm::join(ac.fqan, ",");
}
std::string get_voms_server(VomsAc const& ac)
{
return ac.server;
}
std::string get_voms_server_ca(VomsAc const& ac)
{
return ac.serverca;
}
std::string get_voms_vo(VomsAc const& ac)
{
return ac.voname;
}
std::string get_voms_server_uri(VomsAc const& ac)
{
return ac.uri;
}
std::string get_voms_not_before(VomsAc const& ac)
{
return ac.date1;
}
std::string get_voms_not_after(VomsAc const& ac)
{
return ac.date2;
}
static std::string escape_uri(std::string const& src)
// the following just counts the number of characters that need escaping
auto const n_escape =
ngx_escape_uri(nullptr, // <--
reinterpret_cast<u_char*>(const_cast<char*>(src.data())),
src.size(),
NGX_ESCAPE_URI_COMPONENT);
if (n_escape > 0) {
result.resize(src.size() + 2 * n_escape);
ngx_escape_uri(reinterpret_cast<u_char*>(const_cast<char*>(result.data())),
reinterpret_cast<u_char*>(const_cast<char*>(src.data())),
src.size(),
NGX_ESCAPE_URI_COMPONENT);
static std::string encode(attribute const& a)
{
return "n=" + a.name + " v=" + escape_uri(a.value) + " q=" + a.qualifier;
std::string get_voms_generic_attributes(VomsAc const& ac)
{
// the GetAttributes method is not declared const
auto const attributes = const_cast<VomsAc&>(ac).GetAttributes();
if (!attributes.empty()) {
auto& gas = attributes.front().attributes;
bool first = true;
for (auto& a : gas) {
if (first) {
first = false;
} else {
}
std::string get_voms_serial(VomsAc const& ac)
{
return ac.serial;