/[pdpsoft]/trunk/grid-mw-security/glexec/util/lcaslcmaps_getaccount_cli/ll_certification.sh

Diff of /trunk/grid-mw-security/glexec/util/lcaslcmaps_getaccount_cli/ll_certification.sh


revision 2249 by okoeroo, Mon Apr 4 14:19:58 2011 UTC revision 2250 by okoeroo, Mon Apr 4 20:06:27 2011 UTC
# Line 36  SECONDS_TO_COMPLY=10 Line 36  SECONDS_TO_COMPLY=10
36  CLIENT_CERT="/home/okoeroo/x509up_u501"  CLIENT_CERT="/home/okoeroo/x509up_u501"
37  SUBJECT_DN=  SUBJECT_DN=
38  TEST_ACCOUNT_START="okoeroo"  TEST_ACCOUNT_START="okoeroo"
39  TEST_ACCOUNT_MAPPING_TARGET="okoeroo"  TEST_ACCOUNT_MAPPING_TARGET_LOCALACCOUNT="okoeroo"
40  LOCALACCOUNT_TEST_MAP_USER="pool005"  TEST_ACCOUNT_MAPPING_TARGET_LOCALGROUP="okoeroo"
41    TEST_ACCOUNT_MAPPING_TARGET_POOL=".pool"
42    TEST_ACCOUNT_MAPPING_TARGET_POOL_ACCOUNT="pool001"
43    TEST_ACCOUNT_MAPPING_TARGET_POOL_GROUP="pool"
44    TEST_VOMS_FQAN="/dteam/Role=NULL/Capability=NULL"
45    TEST_VOMS_FQAN_VOMS_LOCALACCOUNT="okoeroo"
46    TEST_VOMS_FQAN_VOMS_POOLACCOUNT=".pool"
47    TEST_VOMS_FQAN_VOMS_LOCALGROUP="pool"
48    
49  LLRUN="/home/okoeroo/dvl/grid-mw-security/glexec/util/lcaslcmaps_getaccount_cli/llrun"  LLRUN="/home/okoeroo/dvl/grid-mw-security/glexec/util/lcaslcmaps_getaccount_cli/llrun"
50    
# Line 49  test_lcmaps_db_path="/usr/lib64/modules" Line 56  test_lcmaps_db_path="/usr/lib64/modules"
56  CAPATH="/etc/grid-security/certificates"  CAPATH="/etc/grid-security/certificates"
57  VOMSDIR="/etc/grid-security/vomsdir"  VOMSDIR="/etc/grid-security/vomsdir"
58    
 #SCAS_ENDPOINT="https://eir.nikhef.nl:8443"  
59  SCAS_ENDPOINT="https://graszaad.nikhef.nl:8443"  SCAS_ENDPOINT="https://graszaad.nikhef.nl:8443"
60    #SCAS_SSL_CLIENT_CERT="/etc/grid-security/hostcert.pem"
61    #SCAS_SSL_CLIENT_KEY="/etc/grid-security/hostkey.pem"
62    SCAS_SSL_CLIENT_CERT="${CLIENT_CERT}"
63    SCAS_SSL_CLIENT_KEY="${CLIENT_CERT}"
64    
65  PEPD_ENDPOINT="https://argus.cr.cnaf.infn.it:8154/authz"  PEPD_ENDPOINT="https://argus.cr.cnaf.infn.it:8154/authz"
66    ARGUS_RESOURCE_ID="http://cnaf.infn.it/wn"
67    ARGUS_ACTION_ID="http://glite.org/xacml/action/execute"
68    
69  TEST_LCAS_BAN_FILE="/tmp/ban_file.db"  TEST_LCAS_BAN_FILE="/tmp/ban_file.db"
70  TEST_LCAS_TIMESLOT="/tmp/timeslot.db"  TEST_LCAS_TIMESLOT="/tmp/timeslot.db"
71  TEST_GRID_MAPFILE="/tmp/glexec-test-grid-mapfile"  TEST_GRID_MAPFILE="/tmp/test-grid-mapfile"
72    TEST_GROUP_MAPFILE="/tmp/test-group-mapfile"
73  TEST_GACL_FILE="/tmp/lcas.test.gacl"  TEST_GACL_FILE="/tmp/lcas.test.gacl"
74    
75    
# Line 100  touchtouch ${test_lcas_db} Line 114  touchtouch ${test_lcas_db}
114  touchtouch ${test_lcmaps_db}  touchtouch ${test_lcmaps_db}
115  touchtouch ${TEST_GACL_FILE}  touchtouch ${TEST_GACL_FILE}
116  touchtouch ${TEST_GRID_MAPFILE}  touchtouch ${TEST_GRID_MAPFILE}
117    touchtouch ${TEST_GROUP_MAPFILE}
118  touchtouch ${TEST_LCAS_BAN_FILE}  touchtouch ${TEST_LCAS_BAN_FILE}
119  touchtouch ${TEST_LCAS_TIMESLOT}  touchtouch ${TEST_LCAS_TIMESLOT}
120  statstat   ${LLRUN}  statstat   ${LLRUN}
# Line 158  echo $SUBJECT_DN Line 173  echo $SUBJECT_DN
173  exit 0  exit 0
174    
175    
176  function create_empty_lcas_db_file () {  function create_grid_mapfile() {
177    # Write a dummy grid-mapfile
178    cat > ${TEST_GRID_MAPFILE} <<End-of-message
179    "${SUBJECT_DN}" ${TEST_ACCOUNT_MAPPING_TARGET_LOCALACCOUNT}
180    "${SUBJECT_DN}" ${TEST_ACCOUNT_MAPPING_TARGET_POOL}
181    End-of-message
182    }
183    
184    
185    function create_lcas_db_file_header () {
186  cat > $test_lcas_db <<End-of-message  cat > $test_lcas_db <<End-of-message
187  # LCAS database/plugin list  # LCAS database/plugin list
 # Warning! Volatile certification testing  
188  #  #
189  pluginname="${test_lcas_db_path}/lcas_userallow.mod",pluginargs="allowed_users.db"  ### Warning! Volatile certification testing ###
190  pluginname="${test_lcas_db_path}/lcas_userban.mod",pluginargs="ban_users.db"  #
 pluginname="${test_lcas_db_path}/lcas_timeslots.mod",pluginargs="timeslots.db"  
 pluginname="${test_lcas_db_path}/lcas_voms.mod",pluginargs="-vomsdir ${VOMSDIR} -certdir ${CAPATH} -authfile ${GACL_FILE} -gacl_use_voms_dn always"  
 # LCAS policy file/plugin definition  
 # Written by: Oscar Koeroo - okoeroo * at * nikhef * dot * nl  
 pluginname=${test_lcas_db_path}lcas_userban.mod,pluginargs=ban_users.db  
191  End-of-message  End-of-message
192  }  }
193    
# Line 181  function add_lcas_db_lines() { Line 199  function add_lcas_db_lines() {
199      elif [ "$1" == "lcas_timeslots" ]; then      elif [ "$1" == "lcas_timeslots" ]; then
200          echo "pluginname=\"${test_lcas_db_path}/lcas_timeslots.mod\",pluginargs=\"${TEST_LCAS_TIMESLOT}\"" >> $test_lcas_db          echo "pluginname=\"${test_lcas_db_path}/lcas_timeslots.mod\",pluginargs=\"${TEST_LCAS_TIMESLOT}\"" >> $test_lcas_db
201      elif [ "$1" == "lcas_check_executable" ]; then      elif [ "$1" == "lcas_check_executable" ]; then
202          echo "pluginname=\"${test_lcas_db_path}/lcas_check_executable.mod\",pluginargs=\"${TEST_LCAS_TIMESLOT}\"" >> $test_lcas_db          echo "pluginname=\"${test_lcas_db_path}/lcas_check_executable.mod\",pluginargs=\"/usr/bin/id\"" >> $test_lcas_db
203      elif [ "$1" == "lcas_voms1" ]; then      elif [ "$1" == "lcas_voms1" ]; then
204          echo "pluginname=\"${test_lcas_db_path}/lcas_voms.mod\",pluginargs=\"-vomsdir ${VOMSDIR} -certdir ${CAPATH} -authformat simple -authfile ${TEST_GRID_MAPFILE}\"" >> $test_lcas_db          echo "pluginname=\"${test_lcas_db_path}/lcas_voms.mod\",pluginargs=\"-vomsdir ${VOMSDIR} -certdir ${CAPATH} -authformat simple -authfile ${TEST_GRID_MAPFILE}\"" >> $test_lcas_db
205      elif [ "$1" == "lcas_voms2" ]; then      elif [ "$1" == "lcas_voms2" ]; then
# Line 208  function add_lcas_db_lines() { Line 226  function add_lcas_db_lines() {
226          echo "pluginname=\"${test_lcas_db_path}/lcas_voms.mod\",pluginargs=\"-vomsdir ${VOMSDIR} -certdir ${CAPATH} -authfile ${GACL_FILE} -gacl_use_voms_dn no -use_user_dn\"" >> $test_lcas_db          echo "pluginname=\"${test_lcas_db_path}/lcas_voms.mod\",pluginargs=\"-vomsdir ${VOMSDIR} -certdir ${CAPATH} -authfile ${GACL_FILE} -gacl_use_voms_dn no -use_user_dn\"" >> $test_lcas_db
227      elif [ "$1" == "lcas_voms13" ]; then      elif [ "$1" == "lcas_voms13" ]; then
228          echo "pluginname=\"${test_lcas_db_path}/lcas_voms.mod\",pluginargs=\"-vomsdir ${VOMSDIR} -certdir ${CAPATH} -authformat gacl -authfile ${GACL_FILE} -gacl_use_voms_dn no -use_user_dn\"" >> $test_lcas_db          echo "pluginname=\"${test_lcas_db_path}/lcas_voms.mod\",pluginargs=\"-vomsdir ${VOMSDIR} -certdir ${CAPATH} -authformat gacl -authfile ${GACL_FILE} -gacl_use_voms_dn no -use_user_dn\"" >> $test_lcas_db
229        else
230            echo "error in function: add_lcas_db_lines(): No matching option for \"$1\""
231            exit 1
232      fi      fi
233  }  }
234    
235    
236  function create_lcmaps_db_file () {  function create_lcmaps_db_file_header () {
237    cat > $test_lcas_db <<End-of-message
 # Write a dummy grid-mapfile  
 cat > $GLEXEC_TEST_GRID_MAPFILE <<End-of-message  
 "$SUBJECT_DN" $LOCALACCOUNT_TEST_MAP_USER  
 End-of-message  
   
 # Write the lcmaps.db file for testing, filled with various different scenarios  
 cat > $test_lcmaps_db <<End-of-message  
238  # LCMAPS policy file/plugin definition  # LCMAPS policy file/plugin definition
239  # Written by: Oscar Koeroo - okoeroo * at * nikhef * dot * nl  #
240  # The configuration file is specialized for non-root privileged processes/services, like:  ### Warning! Volatile certification testing ###
241  ### The WMProxy  #
242  ### SCAS service  End-of-message
243  ### gLExec in logging only mode (when it supports multiple evaluation policies)  }
   
   
 # default path for the modules  
 path = $test_lcmaps_db_path  
   
 # Plugin definitions:  
 #good             = "lcmaps_dummy_good.mod"  
244    
245    function add_lcmaps_plugin_defs() {
246        if [ "$1" == "lcmaps_good1" ]; then
247    cat >> $test_lcas_db <<End-of-message
248  good             = "lcmaps_dummy_good.mod"  good             = "lcmaps_dummy_good.mod"
249                     " --dummy-username nobody"  End-of-message
250                     " --dummy-group nobody"      elif [ "$1" == "lcmaps_good2" ]; then
251                     " --dummy-sec-group nobody"  cat >> $test_lcas_db <<End-of-message
252    good             = "lcmaps_dummy_good.mod"
253                       " --dummy-username ${TEST_ACCOUNT_MAPPING_TARGET_LOCALACCOUNT}"
254                       " --dummy-group ${TEST_ACCOUNT_MAPPING_TARGET_LOCALGROUP}"
255                       " --dummy-sec-group ${TEST_ACCOUNT_MAPPING_TARGET_LOCALGROUP}"
256    End-of-message
257        elif [ "$1" == "lcmaps_posix_enf1" ]; then
258    cat >> $test_lcas_db <<End-of-message
259  posix_enf        = "lcmaps_posix_enf.mod"  posix_enf        = "lcmaps_posix_enf.mod"
260                     " -maxuid 1"                     " -maxuid 1"
261                     " -maxpgid 1"                     " -maxpgid 1"
262                     " -maxsgid 32"                     " -maxsgid 32"
263    End-of-message
264        elif [ "$1" == "lcmaps_localaccount" ]; then
265    cat >> $test_lcas_db <<End-of-message
266  localaccount     = "lcmaps_localaccount.mod"  localaccount     = "lcmaps_localaccount.mod"
267                     "-gridmapfile $GLEXEC_TEST_GRID_MAPFILE"                     "-gridmapfile ${TEST_GRID_MAPFILE}"
268    End-of-message
269        elif [ "$1" == "lcmaps_scas_client1" ]; then
270    cat >> $test_lcas_db <<End-of-message
271  scasclient = "lcmaps_scas_client.mod"  scasclient = "lcmaps_scas_client.mod"
272               "-capath $CAPATH"               "-capath ${CAPATH}"
273  #             " -cert   /etc/grid-security/hostcert.pem"               "--endpoint ${SCAS_ENDPOINT}"
 #             " -key    /etc/grid-security/hostkey.pem"  
              "--endpoint $SCAS_ENDPOINT"  
 #             "--retry 5"  
 #             "--endpoint-strategy round-robin"  
 #             "--endpoint-strategy round-robin-random-start"  
 #             "--endpoint-strategy random"  
274               "-resourcetype wn"               "-resourcetype wn"
275               "-actiontype execute-now"               "-actiontype execute-now"
276    End-of-message
277        elif [ "$1" == "lcmaps_scas_client2" ]; then
278    cat >> $test_lcas_db <<End-of-message
279    scasclient = "lcmaps_scas_client.mod"
280                 "-capath ${CAPATH}"
281                 "--endpoint ${SCAS_ENDPOINT}"
282                 "-resourcetype wn"
283                 "-actiontype execute-now"
284                 "--retry 2"
285    End-of-message
286        elif [ "$1" == "lcmaps_scas_client3" ]; then
287    cat >> $test_lcas_db <<End-of-message
288    scasclient = "lcmaps_scas_client.mod"
289                 "-capath ${CAPATH}"
290                 "--endpoint https://127.0.0.42"
291                 "--endpoint ${SCAS_ENDPOINT}"
292                 "-resourcetype wn"
293                 "-actiontype execute-now"
294    End-of-message
295        elif [ "$1" == "lcmaps_scas_client4" ]; then
296    cat >> $test_lcas_db <<End-of-message
297    scasclient = "lcmaps_scas_client.mod"
298                 "-capath ${CAPATH}"
299                 "--endpoint https://127.0.0.42"
300                 "--endpoint ${SCAS_ENDPOINT}"
301                 "-resourcetype wn"
302                 "-actiontype execute-now"
303                 "--endpoint-strategy round-robin"
304    End-of-message
305        elif [ "$1" == "lcmaps_scas_client5" ]; then
306    cat >> $test_lcas_db <<End-of-message
307    scasclient = "lcmaps_scas_client.mod"
308                 "-capath ${CAPATH}"
309                 "--endpoint https://127.0.0.42"
310                 "--endpoint ${SCAS_ENDPOINT}"
311                 "-resourcetype wn"
312                 "-actiontype execute-now"
313                 "--endpoint-strategy round-robin-random-start"
314    End-of-message
315        elif [ "$1" == "lcmaps_scas_client6" ]; then
316    cat >> $test_lcas_db <<End-of-message
317    scasclient = "lcmaps_scas_client.mod"
318                 "-capath ${CAPATH}"
319                 "--endpoint https://127.0.0.42"
320                 "--endpoint ${SCAS_ENDPOINT}"
321                 "-resourcetype wn"
322                 "-actiontype execute-now"
323                 "--endpoint-strategy random"
324    End-of-message
325        elif [ "$1" == "lcmaps_scas_client7" ]; then
326    cat >> $test_lcas_db <<End-of-message
327    scasclient = "lcmaps_scas_client.mod"
328                 "-capath ${CAPATH}"
329                 "-cert  ${SCAS_SSL_CLIENT_CERT}"
330                 "-key   ${SCAS_SSL_CLIENT_KEY}"
331                 "--endpoint ${SCAS_ENDPOINT}"
332                 "-resourcetype wn"
333                 "-actiontype execute-now"
334    End-of-message
335        elif [ "$1" == "lcmaps_verify_proxy1" ]; then
336    cat >> $test_lcas_db <<End-of-message
337  verifyproxy = "lcmaps_verify_proxy.mod"  verifyproxy = "lcmaps_verify_proxy.mod"
338               " -certdir $CAPATH"                " -certdir ${CAPATH}"
339  #             "--discard_private_key_absence"  End-of-message
340  #             "--never_discard_private_key_absence"      elif [ "$1" == "lcmaps_verify_proxy2" ]; then
341    cat >> $test_lcas_db <<End-of-message
342    verifyproxy = "lcmaps_verify_proxy.mod"
343                  " -certdir ${CAPATH}"
344                  "--allow-limited-proxy"
345    End-of-message
346        elif [ "$1" == "lcmaps_verify_proxy3" ]; then
347    cat >> $test_lcas_db <<End-of-message
348    verifyproxy = "lcmaps_verify_proxy.mod"
349                  " -certdir ${CAPATH}"
350                  "--discard_private_key_absence"
351    End-of-message
352        elif [ "$1" == "lcmaps_verify_proxy4" ]; then
353    cat >> $test_lcas_db <<End-of-message
354    verifyproxy = "lcmaps_verify_proxy.mod"
355                  " -certdir ${CAPATH}"
356                  "--never_discard_private_key_absence"
357    End-of-message
358        elif [ "$1" == "lcmaps_verify_proxy5" ]; then
359    cat >> $test_lcas_db <<End-of-message
360    verifyproxy = "lcmaps_verify_proxy.mod"
361                  "--only-enforce-lifetime-checks"
362                  "--max-voms-ttl 2d-13:37"
363    End-of-message
364        elif [ "$1" == "lcmaps_verify_proxy6" ]; then
365    cat >> $test_lcas_db <<End-of-message
366    verifyproxy = "lcmaps_verify_proxy.mod"
367                  "--only-enforce-lifetime-checks"
368                  "--max-proxy-level-ttl=2d-13:37"
369    End-of-message
370        elif [ "$1" == "lcmaps_c_pep1" ]; then
371    cat >> $test_lcas_db <<End-of-message
372  pepc        = "lcmaps_c_pep.mod"  pepc        = "lcmaps_c_pep.mod"
373                "--pep-daemon-endpoint-url $PEPD_ENDPOINT"                "--pep-daemon-endpoint-url ${PEPD_ENDPOINT}"
374                "--resourceid http://cnaf.infn.it/wn"                "--resourceid ${ARGUS_RESOURCE_ID}"
375                "--actionid http://glite.org/xacml/action/execute"                "--actionid ${ARGUS_ACTION_ID}"
376                "--capath /etc/grid-security/certificates"                "--capath ${CAPATH}"
377                "--pep-certificate-mode implicit"                "--pep-certificate-mode implicit"
   
 # Policies:  
 # SCAS-client  
   
 #verifyproxy ->  pepc  
 #pepc -> posix_enf  
   
 authzwg_posix:  
 verifyproxy -> pepc  
 pepc -> posix_enf  
   
 scas_posix:  
 verifyproxy -> scasclient  
 scasclient -> posix_enf  
   
 authzwg_noposix:  
 verifyproxy -> pepc  
   
 scas_noposix:  
 verifyproxy -> scasclient  
   
 localmap_posix:  
 verifyproxy -> localaccount  
 localaccount -> posix_enf  
   
 localmap_noposix:  
 verifyproxy -> localaccount  
   
378  End-of-message  End-of-message
379        elif [ "$1" == "lcmaps_c_pep2" ]; then
380    cat >> $test_lcas_db <<End-of-message
381    pepc        = "lcmaps_c_pep.mod"
382                  "--pep-daemon-endpoint-url https://127.0.0.42:1337"
383                  "--pep-daemon-endpoint-url ${PEPD_ENDPOINT}"
384                  "--resourcetype wn"
385                  "--actiontype execute-now"
386                  "--capath ${CAPATH}"
387                  "--pep-certificate-mode implicit"
388    End-of-message
389        elif [ "$1" == "lcmaps_c_pep3" ]; then
390    cat >> $test_lcas_db <<End-of-message
391    pepc        = "lcmaps_c_pep.mod"
392                  "--pep-daemon-endpoint-url ${PEPD_ENDPOINT}"
393                  "--resourceid ${ARGUS_RESOURCE_ID}"
394                  "--actionid ${ARGUS_ACTION_ID}"
395                  "--capath ${CAPATH}"
396                  "--pep-certificate-mode explicit"
397                  "--certificate ${CLIENT_CERT}"
398                  "--key ${CLIENT_CERT}"
399    End-of-message
400        elif [ "$1" == "lcmaps_c_pep4" ]; then
401    cat >> $test_lcas_db <<End-of-message
402    pepc        = "lcmaps_c_pep.mod"
403                  "--pep-daemon-endpoint-url ${PEPD_ENDPOINT}"
404                  "--profile "http://glite.org/xacml/profile/grid-wn/1.0"
405                  "--resourceid ${ARGUS_RESOURCE_ID}"
406                  "--actionid ${ARGUS_ACTION_ID}"
407                  "--capath ${CAPATH}"
408                  "--pep-certificate-mode implicit"
409    End-of-message
410        elif [ "$1" == "lcmaps_c_pep5" ]; then
411    cat >> $test_lcas_db <<End-of-message
412    pepc        = "lcmaps_c_pep.mod"
413                  "--pep-daemon-endpoint-url ${PEPD_ENDPOINT}"
414                  "--profile http://authz-interop.org/profile/1.1"
415                  "--resourcetype wn"
416                  "--actiontype execute-now"
417                  "--capath ${CAPATH}"
418                  "--pep-certificate-mode implicit"
419    End-of-message
420        else
421            echo "error in function: add_lcas_db_lines(): No matching option for \"$1\""
422            exit 1
423        fi
424  }  }
425    
426    
 #####################################################################  
   
 #The deployment scenarios:  
 #1.  setuid     / SCAS     / file logging / linger  
 #2.  setuid     / SCAS     / syslog       / linger  
 #3.  non-setuid / SCAS     / syslog       / linger  
 #4.  setuid     / non-SCAS / file logging / linger  
 #5.  setuid     / non-SCAS / syslog       / linger  
 #6.  non-setuid / non-SCAS / syslog       / linger  
 #7.  setuid     / SCAS     / file logging / don't linger  
 #8.  setuid     / SCAS     / syslog       / don't linger  
 #9.  non-setuid / SCAS     / syslog       / don't linger  
 #10. setuid     / non-SCAS / file logging / don't linger  
 #11. setuid     / non-SCAS / syslog       / don't linger  
 #12. non-setuid / non-SCAS / syslog       / don't linger  
427    
 # LCAS database/plugin list  
 # Warning! Volatile certification testing  
 #  
 pluginname="lcas_userallow.mod",pluginargs="allowed_users.db"  
 pluginname="lcas_userban.mod",pluginargs="ban_users.db"  
 pluginname="lcas_timeslots.mod",pluginargs="timeslots.db"  
 pluginname="lcas_plugin_example.mod",pluginargs="Some bogus arguments"  
 pluginname="lcas_voms.mod",pluginargs="-vomsdir /etc/grid-security -certdir /etc/grid-security/certificates -authfile /opt/edg/etc/lcas/lcas_voms.gacl -gacl_use_voms_dn always"  
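Review bot: Every LCMAPS writer in the new code targets the wrong file: `create_lcmaps_db_file_header` does `cat > $test_lcas_db` and every branch of `add_lcmaps_plugin_defs` appends with `cat >> $test_lcas_db`, whereas the removed code wrote to `$test_lcmaps_db`, so generating the LCMAPS policy truncates the LCAS database (and the header's `cat >` discards any plugin lines already added to it), which makes the authorization tests run against a configuration other than the one intended. Replace the target in the header with `cat > ${test_lcmaps_db} <<End-of-message` and in each plugin branch with `cat >> ${test_lcmaps_db} <<End-of-message`; the fallback error message at the end of that function should also name `add_lcmaps_plugin_defs()` rather than `add_lcas_db_lines()`. Separately, the `lcmaps_c_pep4` entry has unbalanced quoting, `"--profile "http://glite.org/xacml/profile/grid-wn/1.0"`, which `lcmaps_c_pep5` gets right as `"--profile http://authz-interop.org/profile/1.1"`. Note also that the grid-mapfile and group-mapfile are written to fixed, predictable paths under /tmp and then consumed as authorization inputs; on a shared test host it would be safer to create them with `mktemp` in a private directory so another local user cannot pre-create or symlink them.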

