Merge pull request #90 from italiangrid/develop

Align develop-2.1.x with develop

Author: andreaceccanti

.devcontainer.json

@@ -0,0 +1,7 @@
+{
+  "name": "VOMS core development",
+  "dockerComposeFile": "compose/docker-compose.yml",
+  "service": "voms_build",
+  "workspaceFolder": "/home/build/workspace",
+  "shutdownAction": "stopCompose"
+}

.github/workflows/centos7-build.yml

@@ -0,0 +1,33 @@
+#
+# Copyright (c) Istituto Nazionale di Fisica Nucleare (INFN). 2016-2020
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+name: CENTOS 7 build
+
+on:
+  push:
+    branches: '*'
+  pull_request:
+    branches: [ master ]
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    container: italiangrid/voms-build-centos7
+
+    steps:
+    - uses: actions/checkout@v2
+    - name: Build
+      run: ./autogen.sh && ./configure && make && make install 

Jenkinsfile

@@ -1,24 +1,28 @@
 #!/usr/bin/env groovy
 
+@Library('sd')_
+def kubeLabel = getKubeLabel()
+
 pipeline {
 
   agent {
       kubernetes {
-          label "voms-${env.JOB_BASE_NAME}-${env.BUILD_NUMBER}"
-          cloud 'Kube mwdevel'
-          defaultContainer 'jnlp'
-          inheritFrom 'ci-template'
-          containerTemplate {
-            name 'runner'
-              image 'voms/voms-build:centos6'
-              ttyEnabled true
-              command 'cat'
-          }
+
+        label "${kubeLabel}"
+        cloud 'Kube mwdevel'
+        defaultContainer 'runner'
+        inheritFrom 'ci-template'
+        containerTemplate {
+          name 'runner'
+          image 'italiangrid/voms-build-centos7:latest'
+          ttyEnabled true
+          command 'cat'
+        }
       }
   }
 
   options {
-    timeout(time: 1, unit: 'HOURS')
+    timeout(time: 10, unit: 'MINUTES')
     buildDiscarder(logRotator(numToKeepStr: '5'))
   }
 
@@ -27,10 +31,15 @@ pipeline {
   stages {
     stage ('build') {
       steps {
-        container('runner') {
-          sh "./autogen.sh"
-          sh "./configure && make"
-        }
+
+        sh '''#!/bin/bash
+        set -ex
+        pwd
+        ls -lR
+        ./autogen.sh 
+        ./configure
+        make
+        '''
       }
     }
 

compose/.env

@@ -0,0 +1 @@
+COMPOSE_PROJECT_NAME=voms-core

compose/docker-compose.yml

@@ -0,0 +1,38 @@
+version: '3.5'
+
+volumes:
+  vscode-server:
+  dotlocal:
+
+services:
+
+  init:
+    image: italiangrid/voms-build-centos7:latest
+    volumes:
+      - vscode-server:/home/build/.vscode-server
+      - dotlocal:/home/build/.local
+    command: sudo chown -R build:build /home/build/.vscode-server /home/build/.local
+
+  voms_build:
+    image: italiangrid/voms-build-centos7:latest
+
+    depends_on:
+      - init
+
+    environment:
+      - TZ=Europe/Rome
+
+    volumes:
+      - vscode-server:/home/build/.vscode-server
+      - dotlocal:/home/build/.local
+      - $HOME/grid-security:/etc/grid-security/certificates
+      - $HOME/ca-bundle:/etc/pki
+      - $HOME/vomsdir:/etc/grid-security/vomsdir:ro
+      - $HOME/vomses:/etc/vomses
+      - $HOME/.globus:/home/build/.globus:ro
+      - ..:/home/build/workspace:cached
+
+    entrypoint: /tini -- sleep infinity
+
+    extra_hosts:
+      - "dev.local.io: 192.168.65.2"

docker/.env

@@ -0,0 +1,3 @@
+DOCKER_IMAGE=italiangrid/voms-build-centos7
+DOCKER_GIT_TAG_ENABLED=y
+DOCKER_OPTS="--rm=true --no-cache"

docker/Dockerfile

@@ -0,0 +1,28 @@
+FROM centos:7
+
+# Allow customization of build user ID and name
+ARG BUILD_USER=build
+ARG BUILD_USER_UID=501
+
+RUN echo "include_only=.garr.it,.cern.ch" >> /etc/yum/pluginconf.d/fastestmirror.conf && \
+  yum clean all && \
+  yum install -y hostname epel-release && \
+  yum -y update && \
+  yum -y install which wget tar sudo file && \
+  yum -y install which wget tar sudo file && \
+  echo '%wheel ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers && \
+  adduser --uid ${BUILD_USER_UID} ${BUILD_USER} && \
+  usermod -a -G wheel ${BUILD_USER} && \
+  yum -y install \
+  gdb git expat-devel autoconf automake make libtool pkgconfig openssl-devel gsoap-devel \
+  mysql-devel libxslt docbook-style-xsl doxygen bison gcc-c++ gcc && \
+  yum clean all && \
+  rm -rf /var/cache/yum
+
+ENV TINI_VERSION v0.18.0
+ADD https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini /tini
+RUN chmod +x /tini
+ENTRYPOINT ["/tini", "--"]
+
+# USER $BUILD_USER
+# WORKDIR /home/$BUILD_USER

spec/voms-all.spec

@@ -1,5 +1,5 @@
 Name: voms
-Version: 2.1.0
+Version: 2.1.1
 Release: 0%{?dist}
 Summary: The Virtual Organisation Membership Service C++ APIs
 

src/ac/validate.cc

@@ -113,7 +113,7 @@ std::string get_error(int e)
     return "VOMS Server contact data missing from AC.";
     break;
   case AC_ERR_ATTRIB_FQAN:
-    return "VOMS Attributes absent or misformed.";
+    return "VOMS Attributes absent or malformed.";
     break;
   case AC_ERR_EXTS_ABSENT:
     return "Required AC extensions missing (NoRevAvail and AuthorityKeyIdentifier)";
@@ -392,6 +392,8 @@ static int checkAttributes(STACK_OF(AC_ATTR) *atts, voms &v)
   else
     return AC_ERR_ATTRIB_URI;
 
+  std::string top_group = "/" + v.voname;
+
   /* scan the stack of IETFATTRVAL to put attribute in voms struct */
   for (int i=0; i<sk_AC_IETFATTRVAL_num(values); i++) {
     capname = sk_AC_IETFATTRVAL_value(values, i);
@@ -400,6 +402,18 @@ static int checkAttributes(STACK_OF(AC_ATTR) *atts, voms &v)
       return AC_ERR_ATTRIB_FQAN;
 
     std::string str  = std::string((char*)capname->data, capname->length);
+    std::string::size_type top_group_size = top_group.size();
+    std::string::size_type str_size = str.size();
+
+    /* The top level group name must be identical to the VO name.
+       An attribute may end right after the group name, or may continue on
+       (separated by a "/"). */
+    if (str.compare(0, top_group_size, top_group)) {
+      return AC_ERR_ATTRIB_FQAN;
+    }
+    else if (str_size > top_group_size && str[top_group_size] != '/') {
+      return AC_ERR_ATTRIB_FQAN;
+    }
 
     v.fqan.push_back(str);
 

src/api/ccapi/api_util.cc

@@ -614,7 +614,13 @@ X509 *vomsdata::check_from_file(AC *ac, std::ifstream &file, const std::string &
   X509_EXTENSION *ext=sk_X509_EXTENSION_value(exts, pos);
 
   AC_CERTS *certs = (AC_CERTS *)X509V3_EXT_d2i(ext);
-  STACK_OF(X509) *certstack = certs->stackcert;
+  STACK_OF(X509) *certstack = certs != NULL ? certs->stackcert : NULL;
+
+  if (certs == NULL || certstack == NULL) {
+    AC_CERTS_free(certs);
+    seterror(VERR_SIGN, "Malformed AC: the AC does not contain the issuer certificate chain");
+    return NULL;
+  }                  
 
   bool success = false;
   bool final = false;

src/client/vomsclient.cc

@@ -439,15 +439,9 @@ Client::Client(int argc, char ** argv) :
     exit(1);
   }
   else if (proxyver==0) {
-    if (version<30)
-      proxyver = 2;
-    else if (version < 40)
-      proxyver = 3;
-    else
-      proxyver = 4;
+    proxyver = 4;
 
-    Print(DEBUG) << "Unspecified proxy version, settling on Globus version: " 
-                 << proxyver << std::endl;
+    Print(DEBUG) << "Unspecified proxy version, settling on version 4 (RFC)" << std::endl;
   }
 
   /* PCI extension option */ 

src/socklib/Client.cpp

@@ -296,6 +296,7 @@ GSISocketClient::Open()
     ssl = SSL_new(ctx);
     setup_SSL_proxy_handler(ssl, cacertdir);
     SSL_set_bio(ssl, conn, conn);
+    SSL_set_tlsext_host_name(ssl, host.c_str());
 
     conn = NULL;
 

src/socklib/Server.cpp

@@ -390,12 +390,16 @@ GSISocketServer::AcceptGSIAuthentication()
   SSL_CTX_load_verify_locations(ctx, NULL, cacertdir);
   SSL_CTX_use_certificate(ctx, ucert);
   SSL_CTX_use_PrivateKey(ctx,upkey);
-  SSL_CTX_set_cipher_list(ctx, "ALL:!LOW:!EXP:!MD5:!MD2");    
+  SSL_CTX_set_cipher_list(ctx, "ALL:!LOW:!EXP:!MD5:!MD2:!3DES:!RC4:!IDEA");
   SSL_CTX_set_purpose(ctx, X509_PURPOSE_ANY);
   SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
   SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, proxy_verify_callback);
   SSL_CTX_set_verify_depth(ctx, 100);
   SSL_CTX_set_cert_verify_callback(ctx, proxy_app_verify_callback, 0);
+  if (!SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1)) {
+    SetErrorOpenSSL("Cannot set minimum TLS protocol version");
+    goto err;
+  }
 
   if (own_stack) {
     /*

systemd/voms@.service

@@ -1,12 +1,12 @@
 [Unit]
-Description=VOMS service for VO %I
+Description=VOMS service for VO %i
 
 [Service]
 WorkingDirectory=/
 EnvironmentFile=/etc/sysconfig/voms
 User=voms
 Type=forking
-ExecStart=/usr/sbin/voms --conf /etc/voms/%I/voms.conf
+ExecStart=/usr/sbin/voms --conf /etc/voms/%i/voms.conf
 KillMode=process
 SuccessExitStatus=1