* and if the user exists in the mapfile if not using the * external program callout. */ if (!myproxy_creds_exist(client_request->username, client_request->credname)) { use_ca_callout = 1; } if (use_ca_callout) { if ( (context->certificate_issuer_program == NULL) && (context->certificate_issuer == NULL) ) { verror_put_string("No stored credentials and CA not enabled"); respond_with_error_and_die(attrs, verror_get_string()); } if (context->certificate_issuer != NULL) { if ( user_dn_lookup( client_request->username, &userdn, context ) ) { verror_put_string("Internal CA enabled, user:%s unknown", client_request->username); respond_with_error_and_die(attrs, verror_get_string()); } if (userdn) { free(userdn); userdn = NULL; } } } /* fall through to MYPROXY_RETRIEVE_CERT */ case MYPROXY_RETRIEVE_CERT: myproxy_log("Received %s request from %s", (client_request->command_type == MYPROXY_GET_PROXY) ? "GET" : "RETRIEVE", client_name); if (!use_ca_callout) { /* Retrieve the credentials from the repository */ if (myproxy_creds_retrieve(client_creds) < 0) { respond_with_error_and_die(attrs, verror_get_string()); } myproxy_debug(" Owner: %s", client_creds->username); myproxy_debug(" Username: %s", client_creds->username); myproxy_debug(" Location: %s", client_creds->location); myproxy_debug(" Requested lifetime: %d seconds", client_request->proxy_lifetime); myproxy_debug(" Max. delegation lifetime: %d seconds", client_creds->lifetime); if (context->max_proxy_lifetime) { myproxy_debug(" Server max_proxy_lifetime: %d seconds", context->max_proxy_lifetime); } /* Are credentials expired? */ now = time(0); if (client_creds->start_time > now) { myproxy_debug(" warning: credentials not yet valid! " "(problem with local clock?)"); } else if (client_creds->end_time < now) { respond_with_error_and_die(attrs, "requested credentials have expired"); } /* Are credentials locked? 
*/ if (client_creds->lockmsg) { char *error, *msg="credential locked\n"; error = malloc(strlen(msg)+strlen(client_creds->lockmsg)+1); strcpy(error, msg); strcat(error, client_creds->lockmsg); respond_with_error_and_die(attrs, error); } } if (client_request->want_trusted_certs) { if (context->cert_dir) { server_response->trusted_certs = myproxy_get_certs(context->cert_dir); myproxy_log("Sending trust roots to %s", client_name); } else { myproxy_debug(" client requested trusted certificates but" "cert_dir not configured"); } } /* Send initial OK response */ send_response(attrs, server_response, client_name); if( client_request->command_type == MYPROXY_GET_PROXY ) { /* Delegate the credential and set final server_response */ if (use_ca_callout) { myproxy_debug("using CA callout"); get_certificate_authority(attrs, client_creds, client_request, server_response, context); } else { myproxy_debug("retrieving proxy"); get_proxy(attrs, client_creds, client_request, server_response, context->max_proxy_lifetime); } } else if( client_request->command_type == MYPROXY_RETRIEVE_CERT ) { /* Delegate the credential and set final server_response */ get_credentials(attrs, client_creds, client_request, server_response, context->max_proxy_lifetime); } break; case MYPROXY_PUT_PROXY: myproxy_log("Received PUT request from %s", client_name); myproxy_debug(" Username: %s", client_creds->username); myproxy_debug(" Max. 
delegation lifetime: %d seconds", client_creds->lifetime); if (client_creds->retrievers != NULL) myproxy_debug(" Retriever policy: %s", client_creds->retrievers); if (client_creds->renewers != NULL) myproxy_debug(" Renewer policy: %s", client_creds->renewers); if (myproxy_check_passphrase_policy(client_request->passphrase, context->passphrase_policy_pgm, client_request->username, client_request->credname, client_request->retrievers, client_request->renewers, client_name) < 0) { respond_with_error_and_die(attrs, verror_get_string()); } /* Send initial OK response */ send_response(attrs, server_response, client_name); /* Store the credentials in the repository and set final server_response */ put_proxy(attrs, client_creds, server_response); break; case MYPROXY_INFO_PROXY: myproxy_log("Received client %s command: INFO", client_name); myproxy_debug(" Username is \"%s\"", client_request->username); info_proxy(client_creds, server_response); if (server_response->info_creds == client_creds) { client_creds = NULL; /* avoid potential double-free */ } break; case MYPROXY_DESTROY_PROXY: myproxy_log("Received client %s command: DESTROY", client_name); myproxy_debug(" Username is \"%s\"", client_request->username); destroy_proxy(client_creds, server_response); break; case MYPROXY_CHANGE_CRED_PASSPHRASE: /* change credential passphrase*/ myproxy_log("Received client %s command: CHANGE_PASS", client_name); myproxy_debug(" Username is \"%s\"", client_request->username); if (myproxy_check_passphrase_policy(client_request->new_passphrase, context->passphrase_policy_pgm, client_request->username, client_request->credname, client_request->retrievers, client_request->renewers, client_name) < 0) { respond_with_error_and_die(attrs, verror_get_string()); } change_passwd(client_creds, client_request->new_passphrase, server_response); break; case MYPROXY_STORE_CERT: /* Store the end-entity credential */ myproxy_log("Received STORE request from %s", client_name); myproxy_debug(" Username: 
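%s", client_creds->username);
	myproxy_debug("  Max. delegation lifetime: %d seconds",
		      client_creds->lifetime);
	if (client_creds->retrievers != NULL)
	    myproxy_debug("  Retriever policy: %s", client_creds->retrievers);
	if (client_creds->renewers != NULL)
	    myproxy_debug("  Renewer policy: %s", client_creds->renewers);
	if (client_creds->keyretrieve != NULL)
	    myproxy_debug("  Key Retriever policy: %s", client_creds->keyretrieve);

	/* Send initial OK response */
	send_response(attrs, server_response, client_name);

	/* Store the credentials in the repository and set final server_response */
	put_credentials(attrs, client_creds, server_response);
	break;

    default:
	server_response->error_string = strdup("Unknown command.\n");
	break;
    }

    /* return server response */
    send_response(attrs, server_response, client_name);

    /* Log request */
    myproxy_log("Client %s disconnected", client_name);

    /* free stuff up */
    if (client_creds != NULL) {
	myproxy_creds_free(client_creds);
    }
    myproxy_free(attrs, client_request, server_response);

    return 0;
}

/*
 * init_arguments()
 *
 * Parse the command line into attrs (listen host and port) and context
 * (program name, pidfile, config file).  Options that only print help or
 * version text exit the process directly.
 *
 * Returns 0 on success, -1 if an argument was rejected (bad port value or
 * a stray non-option argument).  Allocation failures go through failure().
 */
int
init_arguments(int argc, char *argv[],
	       myproxy_socket_attrs_t *attrs,
	       myproxy_server_context_t *context)
{
    extern char *optarg;
    int arg;
    int arg_error = 0;
    const char *name_start;

    /* Could do something smarter to get FQDN */
    attrs->pshost = strdup("localhost");
    attrs->psport = MYPROXY_SERVER_PORT;

    /* Get my name, removing any preceding path */
    name_start = strrchr(argv[0], '/');
    context->my_name = strdup(name_start != NULL ? name_start + 1 : argv[0]);

    if (attrs->pshost == NULL || context->my_name == NULL) {
	failure("strdup() failed in init_arguments()");
    }

    while ((arg = getopt_long(argc, argv, short_options,
			      long_options, NULL)) != -1) {
	switch (arg) {
	case 'p': {		/* port */
	    char *end = NULL;
	    long port;

	    /*
	     * atoi() silently mapped non-numeric or out-of-range input to
	     * port 0, which bind() treats as "pick an ephemeral port", so
	     * a typo in -p would start the server on an unexpected port.
	     * Reject anything that is not a complete, valid TCP port.
	     */
	    errno = 0;
	    port = strtol(optarg, &end, 10);
	    if (end == optarg || *end != '\0' || errno == ERANGE ||
		port < 1 || port > 65535) {
		fprintf(stderr, "%s: invalid port -- %s\n", argv[0], optarg);
		arg_error = -1;
	    } else {
		attrs->psport = (int) port;
	    }
	    break;
	}
	case 'P':		/* pidfile */
	    context->pidfile = strdup(optarg);
	    if (context->pidfile == NULL) {
		failure("strdup() failed in init_arguments()");
	    }
	    break;
	case 'h':		/* print help and exit */
	    /* usage is not a format string; never pass it as one */
	    fputs(usage, stderr);
	    exit(1);
	    break;
	case 'c':		/* config file */
	    context->config_file = strdup(optarg);
	    if (context->config_file == NULL) {
		failure("strdup() failed in init_arguments()");
	    }
	    break;
	case 'v':
	    myproxy_debug_set_level(1);
	    break;
	case 'V':		/* print version and exit */
	    fputs(version, stderr);
	    exit(1);
	    break;
	case 's':		/* set the credential storage directory */
	    myproxy_set_storage_dir(optarg);
	    break;
	case 'u':		/* print usage and exit */
	    fputs(usage, stderr);
	    exit(1);
	    break;
	case 'd':
	    debug = 1;
	    break;
	default:		/* unknown option: print usage and exit */
	    fputs(usage, stderr);
	    exit(1);
	    break;
	}
    }

    /* Non-option arguments are not accepted */
    if (optind != argc) {
	fprintf(stderr, "%s: invalid option -- %s\n", argv[0], argv[optind]);
	arg_error = -1;
    }

    return arg_error;
}

/*
 * myproxy_init_server()
 *
 * Verify the server credentials are usable, then create an IPv4 TCP
 * listening socket on attrs->psport, bound to every local interface
 * (INADDR_ANY; there is no bind-address option).
 *
 * Returns the listener fd on success.  Every failure is fatal: the
 * credential check calls exit(1), the socket calls go through failure().
 */
int
myproxy_init_server(myproxy_socket_attrs_t *attrs)
{
    int on = 1;
    int listen_sock;
    struct sockaddr_in sin;
    struct linger lin = {0, 0};	/* linger disabled: close() does not block */
    GSI_SOCKET *tmp_gsi_sock;

    /* Fail early, before accepting clients, if the host credentials are bad */
    if ((tmp_gsi_sock = GSI_SOCKET_new(0)) == NULL) {
	failure("malloc() failed in GSI_SOCKET_new()");
    }
    if (GSI_SOCKET_check_creds(tmp_gsi_sock) == GSI_SOCKET_ERROR) {
	char error_string[1024];

	GSI_SOCKET_get_error_string(tmp_gsi_sock, error_string,
				    sizeof(error_string));
	myproxy_log("Problem with server credentials.\n%s\n", error_string);
	GSI_SOCKET_destroy(tmp_gsi_sock);
	exit(1);
    }
    GSI_SOCKET_destroy(tmp_gsi_sock);

    listen_sock = socket(AF_INET, SOCK_STREAM, 0);
    if (listen_sock == -1) {
	failure("Error in socket()");
    }

    /*
     * Allow fast restart on the same port.  Neither option is essential,
     * so a refusal is logged rather than treated as fatal.
     */
    if (setsockopt(listen_sock, SOL_SOCKET, SO_REUSEADDR,
		   (void *) &on, sizeof(on)) < 0) {
	myproxy_log("setsockopt(SO_REUSEADDR) failed: %s", strerror(errno));
    }
    if (setsockopt(listen_sock, SOL_SOCKET, SO_LINGER,
		   (void *) &lin, sizeof(lin)) < 0) {
	myproxy_log("setsockopt(SO_LINGER) failed: %s", strerror(errno));
    }

    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = INADDR_ANY;
    sin.sin_port = htons(attrs->psport);

    if (bind(listen_sock, (struct sockaddr *) &sin, sizeof(sin)) < 0) {
	/* myproxy_log() may clobber errno; keep the bind() error for failure() */
	int bind_errno = errno;

	if (bind_errno == EADDRINUSE) {
	    myproxy_log("Port %d already in use, probably by another "
			"myproxy-server instance.\nUse the -p option to run "
			"multiple myproxy-server instances on different "
			"ports.", attrs->psport);
	}
	errno = bind_errno;
	failure("Error in bind()");
    }

    /*
     * INT_MAX was only ever clamped by the kernel to its own maximum;
     * SOMAXCONN asks for that maximum portably.
     */
    if (listen(listen_sock, SOMAXCONN) < 0) {
	failure("Error in listen()");
    }

    return listen_sock;
}

/*
 * respond_with_error_and_die()
 *
 * Send a MYPROXY_ERROR_RESPONSE carrying `error` to the client, log the
 * pending verror state and the message, then exit(1).  Never returns.
 *
 * NOTE(review): callers usually pass verror_get_string(), so whatever the
 * internal diagnostic says is forwarded to the client verbatim.  Keep
 * secrets and local filesystem details out of those messages.
 */
void
respond_with_error_and_die(myproxy_socket_attrs_t *attrs, const char *error)
{
    myproxy_response_t response = {0};	/* zero-initialised; no memset needed */
    char *response_buffer = NULL;
    int responselen;

    response.version = strdup(MYPROXY_VERSION);
    response.response_type = MYPROXY_ERROR_RESPONSE;
    response.authorization_data = NULL;
    response.error_string = strdup(error);
    if (response.version == NULL || response.error_string == NULL) {
	/* Serialising NULL fields is worse than dying without a reply */
	my_failure("strdup() failed in respond_with_error_and_die()");
    }

    responselen = myproxy_serialize_response_ex(&response, &response_buffer);
    if (responselen < 0) {
	my_failure("error in myproxy_serialize_response()");
    }
    if (myproxy_send(attrs, response_buffer, responselen) < 0) {
	my_failure("error in myproxy_send()\n");
    }
    free(response_buffer);

    myproxy_log_verror();
    myproxy_log("Exiting: %s", error);
    exit(1);
}

void
send_response(myproxy_socket_attrs_t *attrs, myproxy_response_t *response,
	      char *client_name)
{
    char *server_buffer = NULL;
    int responselen;

    assert(response != NULL);

    /* set version */
    /* NOTE(review): the request handler calls this twice per connection
     * (initial OK, then final response) and the previous response->version
     * is not freed before being overwritten here. */
    response->version = malloc(strlen(MYPROXY_VERSION) + 1);
    sprintf(response->version, "%s", MYPROXY_VERSION);

    responselen = myproxy_serialize_response_ex(response, &server_buffer);
    if (responselen < 0) {
	my_failure("error in myproxy_serialize_response()");
    }

    /* Log response */
    if (response->response_type == MYPROXY_OK_RESPONSE) {
	myproxy_debug("Sending OK response to client %s", client_name);
    } else if (response->response_type == MYPROXY_ERROR_RESPONSE) {
	myproxy_debug("Sending ERROR response \"%s\" to client %s",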