Able to build most, if not all, interesting permutations of the LCAS and LCMAPS configuration files. (Yes, this is a lot of code-monkey work.)
1 #!/bin/sh
2
3 #
4 # Copyright (c) Members of the EGEE Collaboration. 2009-2010.
5 # See http://www.eu-egee.org/partners/ for details on the copyright
6 # holders.
7 #
8 # Licensed under the Apache License, Version 2.0 (the "License");
9 # you may not use this file except in compliance with the License.
10 # You may obtain a copy of the License at
11 #
12 # http://www.apache.org/licenses/LICENSE-2.0
13 #
14 # Unless required by applicable law or agreed to in writing, software
15 # distributed under the License is distributed on an "AS IS" BASIS,
16 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
17 # See the License for the specific language governing permissions and
18 # limitations under the License.
19 #
20 # Authors:
21 # 2009-
22 # Oscar Koeroo <okoeroo@nikhef.nl>
23 # Mischa Sall\'e <msalle@nikhef.nl>
24 # NIKHEF Amsterdam, the Netherlands
25 #
26
27
28 #################
29 # Setup options #
30 #################
31
# Abort the run at the first failure; the 'yes' alternative is left for
# reference. NOTE(review): nothing in this revision reads CONTINUEONERROR yet.
CONTINUEONERROR=no
#CONTINUEONERROR=yes
# Length of the countdown shown before the node is reconfigured.
SECONDS_TO_COMPLY=10

# Test credential (a per-user proxy path; adjust for the machine at hand).
CLIENT_CERT='/home/okoeroo/x509up_u501'
# Empty on purpose: filled from CLIENT_CERT further down when not set here.
SUBJECT_DN=
# Identity and mapping targets exercised by the permutations.
TEST_ACCOUNT_START='okoeroo'
TEST_ACCOUNT_MAPPING_TARGET_LOCALACCOUNT='okoeroo'
TEST_ACCOUNT_MAPPING_TARGET_LOCALGROUP='okoeroo'
TEST_ACCOUNT_MAPPING_TARGET_POOL='.pool'
TEST_ACCOUNT_MAPPING_TARGET_POOL_ACCOUNT='pool001'
TEST_ACCOUNT_MAPPING_TARGET_POOL_GROUP='pool'
TEST_VOMS_FQAN='/dteam/Role=NULL/Capability=NULL'
TEST_VOMS_FQAN_VOMS_LOCALACCOUNT='okoeroo'
TEST_VOMS_FQAN_VOMS_POOLACCOUNT='.pool'
TEST_VOMS_FQAN_VOMS_LOCALGROUP='pool'

# Test driver; in this revision only its presence is checked.
LLRUN='/home/okoeroo/dvl/grid-mw-security/glexec/util/lcaslcmaps_getaccount_cli/llrun'

# Generated LCAS/LCMAPS databases and the directory holding the plug-in modules.
# NOTE(review): these and the TEST_* files further down are fixed, predictable
# names under /tmp that the script creates and rewrites while running as root
# (see the banner); a private directory from mktemp -d would keep other local
# users from pre-creating or redirecting them.
test_lcas_db='/tmp/lcas-testing.db'
test_lcas_db_path='/usr/lib64/modules'
test_lcmaps_db='/tmp/lcmaps-testing.db'
test_lcmaps_db_path='/usr/lib64/modules'

# CA certificate directory and VOMS directory handed to the plug-ins.
CAPATH='/etc/grid-security/certificates'
VOMSDIR='/etc/grid-security/vomsdir'

# SCAS client settings: the proxy doubles as certificate and key (the host
# credential alternative is kept commented). Presumably the proxy file carries
# both the certificate and its private key -- verify for the credential in use.
SCAS_ENDPOINT='https://graszaad.nikhef.nl:8443'
#SCAS_SSL_CLIENT_CERT="/etc/grid-security/hostcert.pem"
#SCAS_SSL_CLIENT_KEY="/etc/grid-security/hostkey.pem"
SCAS_SSL_CLIENT_CERT=$CLIENT_CERT
SCAS_SSL_CLIENT_KEY=$CLIENT_CERT

# Argus PEP daemon settings.
PEPD_ENDPOINT='https://argus.cr.cnaf.infn.it:8154/authz'
ARGUS_RESOURCE_ID='http://cnaf.infn.it/wn'
ARGUS_ACTION_ID='http://glite.org/xacml/action/execute'

# Input files the plug-in permutations refer to.
TEST_LCAS_BAN_FILE='/tmp/ban_file.db'
TEST_LCAS_TIMESLOT='/tmp/timeslot.db'
TEST_GRID_MAPFILE='/tmp/test-grid-mapfile'
TEST_GROUP_MAPFILE='/tmp/test-group-mapfile'
TEST_GACL_FILE='/tmp/lcas.test.gacl'
75
76 ################ Pre Flight Checks ############################
77
78
# Stop early when the test driver is missing; llrun is only checked for, not
# invoked, in this revision.
# NOTE(review): the file uses 'function', '==' and '(( ))' further down, which
# need bash; the '#!/bin/sh' shebang at the top does not guarantee that.
[ -f "${LLRUN}" ] || {
  echo "Could not find llrun at the location: ${LLRUN}"
  exit 1
}
83
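#######################################
# Create a file (or refresh its timestamp) and abort the script when that fails.
# Arguments: $1 - path of the file; an empty argument is an error
# Outputs:   diagnostics on stderr
# Returns:   does not return on error (exit 1)
#######################################
touchtouch() {
  local myfile="$1"
  if [ -z "${myfile}" ]; then
    echo "No input for touchtouch()" >&2
    exit 1
  fi
  # Quoted and with '--' so paths containing blanks or a leading '-' work.
  # NOTE(review): touch follows symlinks, and the callers pass fixed names
  # under /tmp while the script runs as root (see the banner); a mktemp -d
  # work directory would avoid pre-created or redirected targets.
  if ! touch -- "${myfile}" > /dev/null 2>&1; then
    echo "Could not touch ${myfile}" >&2
    exit 1
  fi
}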
97
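#######################################
# Check that a path exists (via stat) and abort the script when it does not.
# Arguments: $1 - path to check; an empty argument is an error
# Outputs:   diagnostics on stderr
# Returns:   does not return on error (exit 1)
#######################################
statstat() {
  local myfile="$1"
  if [ -z "${myfile}" ]; then
    echo "No input for statstat()" >&2
    exit 1
  fi
  # Quoted and with '--' so paths containing blanks or a leading '-' work.
  if ! stat -- "${myfile}" > /dev/null 2>&1; then
    echo "Could not stat ${myfile}" >&2
    exit 1
  fi
}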
111
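# Pre-flight: the credential and the directories must already exist, the
# generated files are created up front so later appends cannot fail on them.
# CLIENT_CERT is only checked, not touched: touching a missing proxy would
# leave an empty file behind and the openssl step would then fail on that
# instead of on the real cause.
statstat "${CLIENT_CERT}"
touchtouch "${test_lcas_db}"
touchtouch "${test_lcmaps_db}"
touchtouch "${TEST_GACL_FILE}"
touchtouch "${TEST_GRID_MAPFILE}"
touchtouch "${TEST_GROUP_MAPFILE}"
touchtouch "${TEST_LCAS_BAN_FILE}"
touchtouch "${TEST_LCAS_TIMESLOT}"
statstat "${LLRUN}"
statstat "${test_lcas_db_path}"
statstat "${test_lcmaps_db_path}"
statstat "${CAPATH}"
statstat "${VOMSDIR}"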
125
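#######################################
# Fill SUBJECT_DN with the subject of the certificate in CLIENT_CERT.
# Globals:   CLIENT_CERT (read), SUBJECT_DN (written)
# Outputs:   diagnostics on stderr
# Returns:   does not return when openssl fails (exit 1)
#######################################
grab_subject_dn_from_proxy_cert() {
  local raw
  if ! raw=$(openssl x509 -subject -noout -in "${CLIENT_CERT}"); then
    echo "Problems getting the Subject DN from the certificate file: ${CLIENT_CERT}" >&2
    exit 1
  fi
  # Drop the "subject=" label and the blank older openssl prints after it,
  # then remove every legacy "/CN=proxy" component so the end-entity DN
  # remains. Parameter expansion keeps the DN's own spacing intact, which the
  # former unquoted echo | sed pipeline did not.
  # NOTE(review): openssl 1.1 and later print the subject as "CN = x, O = y"
  # by default; that form passes through here unchanged -- confirm against
  # the openssl version on the target node.
  raw=${raw#subject=}
  raw=${raw# }
  local proxy_cn='/CN=proxy'
  SUBJECT_DN=${raw//"${proxy_cn}"/}
}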
135
# A statically configured SUBJECT_DN wins; otherwise read it from the proxy,
# and give up when neither yields a value.
[ -n "${SUBJECT_DN}" ] || grab_subject_dn_from_proxy_cert
if [ -z "${SUBJECT_DN}" ]; then
  echo "No Subject DN statically set or found in the \"${CLIENT_CERT}\" file, quiting"
  exit 1
fi
143
144
145 ################################################################
146
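#######################################
# Count down on the terminal, one second per step, from $1 down to 1.
# Arguments: $1 - number of seconds; empty, zero, negative or non-numeric
#                 means no wait at all
# Outputs:   the running counter on stdout, overwritten every second
#######################################
visual_time() {
  local i clear_eol
  local n=${1:-0}
  # tput fails without a usable TERM; degrade to a bare carriage return.
  clear_eol=$(tput el 2>/dev/null) || clear_eol=
  # 'i > 0' instead of 'i != 0' so a negative argument cannot loop forever,
  # and the counter is passed as printf data rather than as its format.
  for ((i = n; i > 0; i--)); do
    printf '%s' "${i}"
    sleep 1
    printf '\r%s' "${clear_eol}"
  done
}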
157
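# Loud warning plus a countdown: what follows rewrites the node's LCAS/LCMAPS
# configuration with root privileges, so give the operator a chance to abort.
echo "*****************************************************************************************"
echo
echo "*** WARNING ***"
echo "This script will *RE-WRITE* and *RE-CONFIGURE* your node with *** ROOT *** privileges"
echo
echo "This script is created to test and certify LCAS, LCMAPS and their associated plug-ins."
echo
echo
echo "Do not run this script on a production machine - you have ${SECONDS_TO_COMPLY} seconds to kill this script"
echo "*****************************************************************************************"

visual_time "${SECONDS_TO_COMPLY}"

# printf keeps the DN verbatim; the unquoted echo collapsed repeated blanks.
printf '%s\n' "${SUBJECT_DN}"

# The script currently stops here: the generator functions below are defined
# but nothing in this revision calls them yet.
exit 0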
174
175
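#######################################
# Overwrite TEST_GRID_MAPFILE with two entries mapping SUBJECT_DN to the
# local account and to the pool.
# Globals:   TEST_GRID_MAPFILE (written), SUBJECT_DN,
#            TEST_ACCOUNT_MAPPING_TARGET_LOCALACCOUNT,
#            TEST_ACCOUNT_MAPPING_TARGET_POOL (read)
#######################################
create_grid_mapfile() {
  # The target is quoted so a path with blanks is not split into two words.
  cat > "${TEST_GRID_MAPFILE}" <<End-of-message
"${SUBJECT_DN}" ${TEST_ACCOUNT_MAPPING_TARGET_LOCALACCOUNT}
"${SUBJECT_DN}" ${TEST_ACCOUNT_MAPPING_TARGET_POOL}
End-of-message
}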
183
184
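#######################################
# Start a fresh LCAS database: overwrite test_lcas_db with the comment header.
# Globals:   test_lcas_db (written)
#######################################
create_lcas_db_file_header() {
  cat > "${test_lcas_db}" <<End-of-message
# LCAS database/plugin list
#
### Warning! Volatile certification testing ###
#
End-of-message
}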
193
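#######################################
# Append one plug-in line for the named permutation to the LCAS database.
# Arguments: $1 - permutation name: lcas_userban, lcas_user_allow,
#                 lcas_timeslots, lcas_check_executable, lcas_voms1..13
# Globals:   test_lcas_db (appended), test_lcas_db_path, TEST_LCAS_BAN_FILE,
#            TEST_GRID_MAPFILE, TEST_LCAS_TIMESLOT, TEST_GACL_FILE, VOMSDIR,
#            CAPATH (read)
# Outputs:   diagnostics on stderr
# Returns:   does not return on an unknown permutation (exit 1)
#######################################
add_lcas_db_lines() {
  local module args
  # Every lcas_voms permutation starts with the same two directories.
  local voms="-vomsdir ${VOMSDIR} -certdir ${CAPATH}"
  # The GACL permutations point at the GACL file this script prepares; the
  # previous version referenced an unset GACL_FILE and produced an empty
  # -authfile argument.
  local gacl="-authfile ${TEST_GACL_FILE}"
  case "$1" in
    lcas_userban)          module=lcas_userban.mod;          args="${TEST_LCAS_BAN_FILE}" ;;
    lcas_user_allow)       module=lcas_userallow.mod;        args="${TEST_GRID_MAPFILE}" ;;
    lcas_timeslots)        module=lcas_timeslots.mod;        args="${TEST_LCAS_TIMESLOT}" ;;
    lcas_check_executable) module=lcas_check_executable.mod; args="/usr/bin/id" ;;
    lcas_voms1)  module=lcas_voms.mod; args="${voms} -authformat simple -authfile ${TEST_GRID_MAPFILE}" ;;
    lcas_voms2)  module=lcas_voms.mod; args="${voms} ${gacl} -gacl_use_voms_dn always" ;;
    lcas_voms3)  module=lcas_voms.mod; args="${voms} -authformat gacl ${gacl} -gacl_use_voms_dn always" ;;
    lcas_voms4)  module=lcas_voms.mod; args="${voms} ${gacl} -gacl_use_voms_dn always -use_user_dn" ;;
    lcas_voms5)  module=lcas_voms.mod; args="${voms} -authformat gacl ${gacl} -gacl_use_voms_dn always -use_user_dn" ;;
    lcas_voms6)  module=lcas_voms.mod; args="${voms} ${gacl} -gacl_use_voms_dn yes" ;;
    lcas_voms7)  module=lcas_voms.mod; args="${voms} -authformat gacl ${gacl} -gacl_use_voms_dn yes" ;;
    lcas_voms8)  module=lcas_voms.mod; args="${voms} ${gacl} -gacl_use_voms_dn yes -use_user_dn" ;;
    lcas_voms9)  module=lcas_voms.mod; args="${voms} -authformat gacl ${gacl} -gacl_use_voms_dn yes -use_user_dn" ;;
    lcas_voms10) module=lcas_voms.mod; args="${voms} ${gacl} -gacl_use_voms_dn no" ;;
    lcas_voms11) module=lcas_voms.mod; args="${voms} -authformat gacl ${gacl} -gacl_use_voms_dn no" ;;
    lcas_voms12) module=lcas_voms.mod; args="${voms} ${gacl} -gacl_use_voms_dn no -use_user_dn" ;;
    lcas_voms13) module=lcas_voms.mod; args="${voms} -authformat gacl ${gacl} -gacl_use_voms_dn no -use_user_dn" ;;
    *)
      echo "error in function: add_lcas_db_lines(): No matching option for \"$1\"" >&2
      exit 1
      ;;
  esac
  # One line per call, in the pluginname=...,pluginargs=... form LCAS reads.
  printf 'pluginname="%s/%s",pluginargs="%s"\n' \
    "${test_lcas_db_path}" "${module}" "${args}" >> "${test_lcas_db}"
}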
234
235
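#######################################
# Start a fresh LCMAPS policy file: overwrite test_lcmaps_db with the header.
# Globals:   test_lcmaps_db (written)
#######################################
create_lcmaps_db_file_header() {
  # Writes to the LCMAPS file; the previous version overwrote test_lcas_db
  # and thereby destroyed the LCAS database built just before it.
  cat > "${test_lcmaps_db}" <<End-of-message
# LCMAPS policy file/plugin definition
#
### Warning! Volatile certification testing ###
#
End-of-message
}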
244
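#######################################
# Append the plug-in definition block for the named permutation to the
# LCMAPS policy file.
# Arguments: $1 - permutation name: lcmaps_good1..2, lcmaps_posix_enf1,
#                 lcmaps_localaccount, lcmaps_scas_client1..7,
#                 lcmaps_verify_proxy1..6, lcmaps_c_pep1..5
# Globals:   test_lcmaps_db (appended); TEST_ACCOUNT_MAPPING_TARGET_LOCALACCOUNT,
#            TEST_ACCOUNT_MAPPING_TARGET_LOCALGROUP, TEST_GRID_MAPFILE, CAPATH,
#            SCAS_ENDPOINT, SCAS_SSL_CLIENT_CERT, SCAS_SSL_CLIENT_KEY,
#            PEPD_ENDPOINT, ARGUS_RESOURCE_ID, ARGUS_ACTION_ID, CLIENT_CERT (read)
# Outputs:   diagnostics on stderr
# Returns:   does not return on an unknown permutation (exit 1)
#######################################
add_lcmaps_plugin_defs() {
  # Every block goes to the LCMAPS file; the previous version appended to
  # test_lcas_db, mixing LCMAPS definitions into the LCAS database.
  local db="${test_lcmaps_db}"
  case "$1" in
    lcmaps_good1)
      cat >> "${db}" <<End-of-message
good = "lcmaps_dummy_good.mod"
End-of-message
      ;;
    lcmaps_good2)
      cat >> "${db}" <<End-of-message
good = "lcmaps_dummy_good.mod"
" --dummy-username ${TEST_ACCOUNT_MAPPING_TARGET_LOCALACCOUNT}"
" --dummy-group ${TEST_ACCOUNT_MAPPING_TARGET_LOCALGROUP}"
" --dummy-sec-group ${TEST_ACCOUNT_MAPPING_TARGET_LOCALGROUP}"
End-of-message
      ;;
    lcmaps_posix_enf1)
      cat >> "${db}" <<End-of-message
posix_enf = "lcmaps_posix_enf.mod"
" -maxuid 1"
" -maxpgid 1"
" -maxsgid 32"
End-of-message
      ;;
    lcmaps_localaccount)
      cat >> "${db}" <<End-of-message
localaccount = "lcmaps_localaccount.mod"
"-gridmapfile ${TEST_GRID_MAPFILE}"
End-of-message
      ;;
    lcmaps_scas_client1)
      cat >> "${db}" <<End-of-message
scasclient = "lcmaps_scas_client.mod"
"-capath ${CAPATH}"
"--endpoint ${SCAS_ENDPOINT}"
"-resourcetype wn"
"-actiontype execute-now"
End-of-message
      ;;
    lcmaps_scas_client2)
      cat >> "${db}" <<End-of-message
scasclient = "lcmaps_scas_client.mod"
"-capath ${CAPATH}"
"--endpoint ${SCAS_ENDPOINT}"
"-resourcetype wn"
"-actiontype execute-now"
"--retry 2"
End-of-message
      ;;
    # scas_client3..6: an unreachable first endpoint ahead of the real one,
    # with each of the endpoint selection strategies.
    lcmaps_scas_client3)
      cat >> "${db}" <<End-of-message
scasclient = "lcmaps_scas_client.mod"
"-capath ${CAPATH}"
"--endpoint https://127.0.0.42"
"--endpoint ${SCAS_ENDPOINT}"
"-resourcetype wn"
"-actiontype execute-now"
End-of-message
      ;;
    lcmaps_scas_client4)
      cat >> "${db}" <<End-of-message
scasclient = "lcmaps_scas_client.mod"
"-capath ${CAPATH}"
"--endpoint https://127.0.0.42"
"--endpoint ${SCAS_ENDPOINT}"
"-resourcetype wn"
"-actiontype execute-now"
"--endpoint-strategy round-robin"
End-of-message
      ;;
    lcmaps_scas_client5)
      cat >> "${db}" <<End-of-message
scasclient = "lcmaps_scas_client.mod"
"-capath ${CAPATH}"
"--endpoint https://127.0.0.42"
"--endpoint ${SCAS_ENDPOINT}"
"-resourcetype wn"
"-actiontype execute-now"
"--endpoint-strategy round-robin-random-start"
End-of-message
      ;;
    lcmaps_scas_client6)
      cat >> "${db}" <<End-of-message
scasclient = "lcmaps_scas_client.mod"
"-capath ${CAPATH}"
"--endpoint https://127.0.0.42"
"--endpoint ${SCAS_ENDPOINT}"
"-resourcetype wn"
"-actiontype execute-now"
"--endpoint-strategy random"
End-of-message
      ;;
    lcmaps_scas_client7)
      cat >> "${db}" <<End-of-message
scasclient = "lcmaps_scas_client.mod"
"-capath ${CAPATH}"
"-cert ${SCAS_SSL_CLIENT_CERT}"
"-key ${SCAS_SSL_CLIENT_KEY}"
"--endpoint ${SCAS_ENDPOINT}"
"-resourcetype wn"
"-actiontype execute-now"
End-of-message
      ;;
    lcmaps_verify_proxy1)
      cat >> "${db}" <<End-of-message
verifyproxy = "lcmaps_verify_proxy.mod"
" -certdir ${CAPATH}"
End-of-message
      ;;
    lcmaps_verify_proxy2)
      cat >> "${db}" <<End-of-message
verifyproxy = "lcmaps_verify_proxy.mod"
" -certdir ${CAPATH}"
"--allow-limited-proxy"
End-of-message
      ;;
    lcmaps_verify_proxy3)
      cat >> "${db}" <<End-of-message
verifyproxy = "lcmaps_verify_proxy.mod"
" -certdir ${CAPATH}"
"--discard_private_key_absence"
End-of-message
      ;;
    lcmaps_verify_proxy4)
      cat >> "${db}" <<End-of-message
verifyproxy = "lcmaps_verify_proxy.mod"
" -certdir ${CAPATH}"
"--never_discard_private_key_absence"
End-of-message
      ;;
    lcmaps_verify_proxy5)
      cat >> "${db}" <<End-of-message
verifyproxy = "lcmaps_verify_proxy.mod"
"--only-enforce-lifetime-checks"
"--max-voms-ttl 2d-13:37"
End-of-message
      ;;
    lcmaps_verify_proxy6)
      cat >> "${db}" <<End-of-message
verifyproxy = "lcmaps_verify_proxy.mod"
"--only-enforce-lifetime-checks"
"--max-proxy-level-ttl=2d-13:37"
End-of-message
      ;;
    lcmaps_c_pep1)
      cat >> "${db}" <<End-of-message
pepc = "lcmaps_c_pep.mod"
"--pep-daemon-endpoint-url ${PEPD_ENDPOINT}"
"--resourceid ${ARGUS_RESOURCE_ID}"
"--actionid ${ARGUS_ACTION_ID}"
"--capath ${CAPATH}"
"--pep-certificate-mode implicit"
End-of-message
      ;;
    lcmaps_c_pep2)
      cat >> "${db}" <<End-of-message
pepc = "lcmaps_c_pep.mod"
"--pep-daemon-endpoint-url https://127.0.0.42:1337"
"--pep-daemon-endpoint-url ${PEPD_ENDPOINT}"
"--resourcetype wn"
"--actiontype execute-now"
"--capath ${CAPATH}"
"--pep-certificate-mode implicit"
End-of-message
      ;;
    lcmaps_c_pep3)
      cat >> "${db}" <<End-of-message
pepc = "lcmaps_c_pep.mod"
"--pep-daemon-endpoint-url ${PEPD_ENDPOINT}"
"--resourceid ${ARGUS_RESOURCE_ID}"
"--actionid ${ARGUS_ACTION_ID}"
"--capath ${CAPATH}"
"--pep-certificate-mode explicit"
"--certificate ${CLIENT_CERT}"
"--key ${CLIENT_CERT}"
End-of-message
      ;;
    # c_pep4: the --profile line previously had an unbalanced quote
    # ("--profile "http://...") which would break the policy file parse.
    lcmaps_c_pep4)
      cat >> "${db}" <<End-of-message
pepc = "lcmaps_c_pep.mod"
"--pep-daemon-endpoint-url ${PEPD_ENDPOINT}"
"--profile http://glite.org/xacml/profile/grid-wn/1.0"
"--resourceid ${ARGUS_RESOURCE_ID}"
"--actionid ${ARGUS_ACTION_ID}"
"--capath ${CAPATH}"
"--pep-certificate-mode implicit"
End-of-message
      ;;
    lcmaps_c_pep5)
      cat >> "${db}" <<End-of-message
pepc = "lcmaps_c_pep.mod"
"--pep-daemon-endpoint-url ${PEPD_ENDPOINT}"
"--profile http://authz-interop.org/profile/1.1"
"--resourcetype wn"
"--actiontype execute-now"
"--capath ${CAPATH}"
"--pep-certificate-mode implicit"
End-of-message
      ;;
    *)
      # The message names this function; it used to name add_lcas_db_lines().
      echo "error in function: add_lcmaps_plugin_defs(): No matching option for \"$1\"" >&2
      exit 1
      ;;
  esac
}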
425
426
427
