Contents of /trunk/lcmaps/NEWS

Version 1.6.7
-------------
Improvements:
-   Fix warnings from cppcheck, mainly cleanup dead code, also prevent memleak
    when realloc fails.

Version 1.6.6
-------------
Improvements:
-   Extend API with two new calls
     void lcmaps_set_voms_verification_time(time_t time, int flags)
     int lcmaps_get_voms_verification_time(time_t *time, int *flags)
    which provide setting the verification time for checking the AC. In case
    flags is set to 0, the time is UNIX time, in case it is 1 the time is
    relative to the notBefore time of the leaf proxy, in case it is 2 relative
    to the notAfter time of the leaf proxy. This call uses the
    VOMS_SetVerificationTime() call of the VOMS API.
Bug fixes:
-   Few minor fixes including a memory leak.

Version 1.6.5
-------------
Bug fixes:
-   https://bugzilla.nikhef.nl/show_bug.cgi?id=21
    LCMAPS did not initialize the logs correctly in cases when it should open
    the log itself (in most scenarios it uses an externally opened logfile
    pointer).
Improvements:
-   Extend API with two new functions:
     void lcmaps_set_voms_attributes_verification (unsigned int verify_flags)
     unsigned int lcmaps_get_voms_attributes_verification (void)
    which provide more fine-grained setting of the VOMS verification:
    verify_flags should be a combination of the flags as specified in
    voms_apic.h.
    The old functions still work and behave as follows:
     lcmaps_enable_voms_attributes_verification -> sets VERIFY_FULL
     lcmaps_disable_voms_attributes_verification -> sets VERIFY_NONE
     lcmaps_is_set_to_verify_voms_attributes -> returns whether all *known*
    flags are set.

Version 1.6.4
-------------
Improvements:
-   General code cleanup.

Version 1.6.3
-------------
Bug fixes:
-   Invalid memcpy and malloc when we concatenate two string.
-   Protect a number of mallocs against out-of-memory.
-   Provide prototype of yylex when needed.
-   Properly cleanup flex and bison memory
-   When compiling older lex output with std=c99 we could get a missing
    prototype for strdup leading to a segfault.

Version 1.6.2
-------------
Bug fixes (for Fedora compliance):
-   Update pc files to use Requires.private and Libs.private instead of Requires
    and Libs
-   Only link library against its own dependencies.
-   Remove arch dependent path= from example DB file.
-   Fix segv due to a sprintf (last one)
Improvements:
-   Provide header file lcmaps_plugin_prototypes.h with plugin prototypes. To be
    included by each plugin.
-   General code cleanup: compiler warnings, includes etc. Logging from too long
    entries is cleanly truncated. No logging of error to stderr.
-   Update example lcmaps.db.ex

Version 1.6.1
-------------
-   Improve testing on using the same plugin twice:
    * test that the actual library handle is different instead of the absolute
      pathname, this extends the error checking in case of symlinks or hardlinks
      to different names (which still don't work).
    * fix the error message, to print the two shortnames.

Version 1.6.0
-------------
-   Support input of a 'desired identity' for lcmaps_run_and_return_username()
    interface. LCMAPS will make this available to the plugins, which can use it
    to support grid-mapfile entries of the form
        "/DN" user1,user2
    or
        "/FQAN" user1,user2
    Typical use is for gsissh via the lcas-lcmaps-gt4-interface, version 0.2.7
    or higher.
-   Revamped VOMS error messages because they are sometimes cryptic. They now
    also provide useful debugging hints for the admins.

Version 1.5.7
-------------
Bug fixes:
-   When LCMAPS fails at initialization, yacc/flex related resources have to be
    freed, otherwise certain systems show a segfault.

Version 1.5.6
-------------
Bug fixes:
-   running on Fedora Core 16 results in a 'undefined symbol: yywrap'.
-   few of the macros in the new interface are missing in the case of direct
    linking (i.e. not LCMAPS_USE_DLOPEN)

Version 1.5.5
-------------
Bug fixes:
-   Out-of-source builds failed for NOGSI, i.e. ../configure --disable-gsi-mode
    resulted in a missing include file.

Version 1.5.4
-------------
Bug fixes:
-   Unbalanced quotes triggered an 'out of memory' error instead of an
    'unbalanced quotes'.

Version 1.5.3
-------------
-   Replace unprintable characters in logging strings with a '?'

Bug fixes:
-   Fix a SEGV or ABRT in some interfaces due to incorrect storing of DN, which
    leads to freeing stack memory. Triggered in the lcmaps-without-gsi
    interface.
-   Fix numerous unsafe constructions in logging, also fixes a SEGV

Version 1.5.2
-------------
Added a compile option in the Makefile.am to scope the externals of the
library. This feature is mandatory for Debian.


Version 1.5.1
-------------
-   Log messages that are sent to Syslog with the priority equal to LOG_EMERG,
    LOG_ALERT or LOG_CRIT will be downplayed as LOG_ERR. Old LCMAPS plug-ins
    used a numerical range of 0-5 and this basically means that they are able
    to cast an error message of type LOG_EMERG, while universally the LOG_ERR
    is meant of even less significant then a LOG_ERR.
    A warning will be written at LOG_WARNING to upgrade your plug-ins.


Version 1.5.0
-------------
-   Changing all log messages to match the logging method used in Syslog
    and especially the log priority/levels.
-   Fixed a problem when the "poolindex" was requested. It triggered a
    segmentation fault in two of the LCMAPS interface:
     -- lcmaps_run_and_return_poolindex
     -- lcmaps_run_with_pem_and_return_account
-   Harmonized logging via the lcmaps_log(), lcmaps_log_debug(),
    lcmaps_log_time(), lcmaps_log_a_string() and
    lcmaps_log_a_string_debug() functions for both log file writing and
    syslog writing.
-   Changed #define name DEBUG_LEVEL to CONF_LCMAPS_DEBUG_LEVEL
-   Changed the default value for CONF_LCMAPS_DEBUG_LEVEL from 0 (LOG_ERR)
    to 4 (LOG_INFO).
-   Harmonized the log line writing cut-off feature of log message between
    Syslog logging and logging to a file. This is based on the build in
    default and the LCMAPS_DEBUG_LEVEL environment variable value.  Message
    that are cut-off are not even offered to Syslog anymore which speeds up
    the LCMAPS execution when the Syslog demon is hammered with info.
-   The log line output is changed to show the environment value of
    LCMAPS_LOG_IDENT in each line. The LCMAPS_LOG_IDENT value is meant to
    be set by programs like gLExec to indicate that they are running
    LCMAPS. This is default in Syslog, but missing in logging to file.
-   Log lines that log to file are prepended by the Syslog priority name.
    This allows easy filtering when needed.
-   Harmonized the credential handling for all the external LCMAPS interfaces.
    The small functional differences between the different credential input
    differences are now gone. Interfaces used by gLExec (PEM based), GT4/5
    GSI-Authz based, X.509 based and even string input handling are now 
    equalized. This reenabled the verify-proxy plug-in to work from a GT4/GT5 
    service and enabled the Xrootd interface to work with more easier 
    interfaces, and the PEM string interface from gLExec will now regain its 
    full potential for VOMS handling.
        Example: {input credential} -> {stored to use by plugins}

        Globus gss_cred_id_t object in -> X.509 stuff(*) + VOMS structs + DN
        PEM string -> X.509 stuff + VOMS structs(**) + DN
        X.509 -> VOMS struct(**) + DN
        Other string based input -> string based input stored

        (*) is new.
        (**) differed in a detailed usage pattern.
-   When the VOMS verification was disabled, either at run-time or after the
    build-in default is changed, i.e. --enabled-osg, the VOMS Generic
    Attributes were not successfully extracted. This is now fixed and plug-ins
    can use them also when the VOMS AC verification is disabled.


Version 1.4.34
--------------
Changes in the logging facility:
- All syslog() messages are lowered to LOG_CRIT or lower (and can't go below LOG_DEBUG)
- Various log functions were logging on a high priority, including the debug messages. This is to be lowered simulating the syslog() messages when writing to file.
- Not being able to write to a file descriptor results now in a syslog() message on LOG_CRIT. This was on stderr.


Version 1.4.31
--------------
Moved a lot more useless debugging output behind the LCMAPS_DEBUG option. Mostly because people who try to debug LCMAPS are not LCMAPS developers.


Version 1.4.30
--------------
Add the LCMAPS_DEBUG #define to be used to build a developer debugging version of LCMAPS. The released version will not expose the amount of pedantic logging output, even in LCMAPS_DEBUG_LEVEL = 5.


Version 1.4.27
--------------
LCMAPS framework:
- fixed a memory cleanup problem when using VOMS Generic Attributes.
- adds a SIGPIPE handler to print the caught signal, especially interesting when the VOMS api, SCAS-Client plugin or another plugin could trigger a SIGPIPE without handling it locally. The SIGPIPE handler will be set at the beginning of each run, and removed after each run, i.e. not in the initialization or terminate sequences.
- Fixed signed and unsigned conflicts in parsing routines when fullfilling rules and policys and recursion issues. This problem was hard to exploit, but a bug nontheless (unless somebody went beyond 2^31 plugins and policies)
- Fixed the poolindex interface to LCMAPS. A symbol would not have been resolved during run-time as it has been depricated last year. Only used by the Globus DAS/Workspace Service interfacing (to the best of our knowledge).
- Fixed a problem in the logging facility during the initialization phase. The value was always overridden by the next call. I've removed the previous overridden call, which might call for bug Savannah bug #61772.
- Found a more generic location for the printCredData function to log the credential data that has lead to a particular mapping decision mapping.

- (almost) all public functions are now prefixed with with "lcmaps_" to avoid symbol clashes
- Update for single lcmaps-interface for both lcmaps types.
- use enable_gsi_mode directly instead of lcmaps_gsi_mode
- Default paths in LCMAPS are set at build time. All hardcoded paths into /opt/glite or (in some places) /opt/edg are removed.
- /etc/lcmaps/lcmaps.db will be the new default path to a lcmaps.db file. Use ${LCMAPS_DB_FILE} to override or the ./configure options. 
- Building lcmaps-without-gsi doesn't require Globus libraries during the build and linking of this LCMAPS flavor.
- LCMAPS ./configure new option --with-voms-prefix instead of --with-glite-location, no glite.m4 necessary, it's done using --libdir and system defaults

- API extentions:
Function:    int lcmaps_get_major_version (void);
Function:    int lcmaps_get_minor_version (void);
Function:    int lcmaps_get_patch_version (void);
Function:    lcmaps_disable_voms_attributes_verification
    Description: Disables the verification in the VOMS API
Function:    lcmaps_enable_voms_attributes_verification
    Description: Enables the verification in the VOMS API (default)
Function:    lcmaps_is_set_to_verify_voms_attributes
    Description: Will return the current setting to enable or disable the
                 verification of the VOMS credentials by the VOMS API
Function:    lcmaps_run_with_stack_of_x509_and_return_account
    Description: LCMAPS runs receiving a certificate chain, containing at least
                  an End-Entity Certificate. A list of policies may be provided. 
                  The allocated uid, gids and the poolindex will be returned to 
                  the calling application.


Generic to all components:

- adjusted to be able to use EPEL, EMI and gLite packages and system native library installations
- cleanup of unused files and support for distribution tarball.
- provide pkg-config files
- All LCMAPS public header files are all in ${includeDir}/lcmaps/*.h


1	Version 1.6.7
2	-------------
3	Improvements:
4	- Fix warnings from cppcheck, mainly cleanup dead code, also prevent memleak
5	when realloc fails.
6
7	Version 1.6.6
8	-------------
9	Improvements:
10	- Extend API with two new calls
11	void lcmaps_set_voms_verification_time(time_t time, int flags)
12	int lcmaps_get_voms_verification_time(time_t time, int flags)
13	which provide setting the verification time for checking the AC. In case
14	flags is set to 0, the time is UNIX time, in case it is 1 the time is
15	relative to the notBefore time of the leaf proxy, in case it is 2 relative
16	to the notAfter time of the leaf proxy. This call uses the
17	VOMS_SetVerificationTime() call of the VOMS API.
18	Bug fixes:
19	- Few minor fixes including a memory leak.
20
21	Version 1.6.5
22	-------------
23	Bug fixes:
24	- https://bugzilla.nikhef.nl/show_bug.cgi?id=21
25	LCMAPS did not initialize the logs correctly in cases when it should open
26	the log itself (in most scenarios it uses an externally opened logfile
27	pointer).
28	Improvements:
29	- Extend API with two new functions:
30	void lcmaps_set_voms_attributes_verification (unsigned int verify_flags)
31	unsigned int lcmaps_get_voms_attributes_verification (void)
32	which provide more fine-grained setting of the VOMS verification:
33	verify_flags should be a combination of the flags as specified in
34	voms_apic.h.
35	The old functions still work and behave as follows:
36	lcmaps_enable_voms_attributes_verification -> sets VERIFY_FULL
37	lcmaps_disable_voms_attributes_verification -> sets VERIFY_NONE
38	lcmaps_is_set_to_verify_voms_attributes -> returns whether all known
39	flags are set.
40
41	Version 1.6.4
42	-------------
43	Improvements:
44	- General code cleanup.
45
46	Version 1.6.3
47	-------------
48	Bug fixes:
49	- Invalid memcpy and malloc when we concatenate two string.
50	- Protect a number of mallocs against out-of-memory.
51	- Provide prototype of yylex when needed.
52	- Properly cleanup flex and bison memory
53	- When compiling older lex output with std=c99 we could get a missing
54	prototype for strdup leading to a segfault.
55
56	Version 1.6.2
57	-------------
58	Bug fixes (for Fedora compliance):
59	- Update pc files to use Requires.private and Libs.private instead of Requires
60	and Libs
61	- Only link library against its own dependencies.
62	- Remove arch dependent path= from example DB file.
63	- Fix segv due to a sprintf (last one)
64	Improvements:
65	- Provide header file lcmaps_plugin_prototypes.h with plugin prototypes. To be
66	included by each plugin.
67	- General code cleanup: compiler warnings, includes etc. Logging from too long
68	entries is cleanly truncated. No logging of error to stderr.
69	- Update example lcmaps.db.ex
70
71	Version 1.6.1
72	-------------
73	- Improve testing on using the same plugin twice:
74	* test that the actual library handle is different instead of the absolute
75	pathname, this extends the error checking in case of symlinks or hardlinks
76	to different names (which still don't work).
77	* fix the error message, to print the two shortnames.
78
79	Version 1.6.0
80	-------------
81	- Support input of a 'desired identity' for lcmaps_run_and_return_username()
82	interface. LCMAPS will make this available to the plugins, which can use it
83	to support grid-mapfile entries of the form
84	"/DN" user1,user2
85	or
86	"/FQAN" user1,user2
87	Typical use is for gsissh via the lcas-lcmaps-gt4-interface, version 0.2.7
88	or higher.
89	- Revamped VOMS error messages because they are sometimes cryptic. They now
90	also provide useful debugging hints for the admins.
91
92	Version 1.5.7
93	-------------
94	Bug fixes:
95	- When LCMAPS fails at initialization, yacc/flex related resources have to be
96	freed, otherwise certain systems show a segfault.
97
98	Version 1.5.6
99	-------------
100	Bug fixes:
101	- running on Fedora Core 16 results in a 'undefined symbol: yywrap'.
102	- few of the macros in the new interface are missing in the case of direct
103	linking (i.e. not LCMAPS_USE_DLOPEN)
104
105	Version 1.5.5
106	-------------
107	Bug fixes:
108	- Out-of-source builds failed for NOGSI, i.e. ../configure --disable-gsi-mode
109	resulted in a missing include file.
110
111	Version 1.5.4
112	-------------
113	Bug fixes:
114	- Unbalanced quotes triggered an 'out of memory' error instead of an
115	'unbalanced quotes'.
116
117	Version 1.5.3
118	-------------
119	- Replace unprintable characters in logging strings with a '?'
120
121	Bug fixes:
122	- Fix a SEGV or ABRT in some interfaces due to incorrect storing of DN, which
123	leads to freeing stack memory. Triggered in the lcmaps-without-gsi
124	interface.
125	- Fix numerous unsafe constructions in logging, also fixes a SEGV
126
127	Version 1.5.2
128	-------------
129	Added a compile option in the Makefile.am to scope the externals of the
130	library. This feature is mandatory for Debian.
131
132
133	Version 1.5.1
134	-------------
135	- Log messages that are sent to Syslog with the priority equal to LOG_EMERG,
136	LOG_ALERT or LOG_CRIT will be downplayed as LOG_ERR. Old LCMAPS plug-ins
137	used a numerical range of 0-5 and this basically means that they are able
138	to cast an error message of type LOG_EMERG, while universally the LOG_ERR
139	is meant of even less significant then a LOG_ERR.
140	A warning will be written at LOG_WARNING to upgrade your plug-ins.
141
142
143	Version 1.5.0
144	-------------
145	- Changing all log messages to match the logging method used in Syslog
146	and especially the log priority/levels.
147	- Fixed a problem when the "poolindex" was requested. It triggered a
148	segmentation fault in two of the LCMAPS interface:
149	-- lcmaps_run_and_return_poolindex
150	-- lcmaps_run_with_pem_and_return_account
151	- Harmonized logging via the lcmaps_log(), lcmaps_log_debug(),
152	lcmaps_log_time(), lcmaps_log_a_string() and
153	lcmaps_log_a_string_debug() functions for both log file writing and
154	syslog writing.
155	- Changed #define name DEBUG_LEVEL to CONF_LCMAPS_DEBUG_LEVEL
156	- Changed the default value for CONF_LCMAPS_DEBUG_LEVEL from 0 (LOG_ERR)
157	to 4 (LOG_INFO).
158	- Harmonized the log line writing cut-off feature of log message between
159	Syslog logging and logging to a file. This is based on the build in
160	default and the LCMAPS_DEBUG_LEVEL environment variable value. Message
161	that are cut-off are not even offered to Syslog anymore which speeds up
162	the LCMAPS execution when the Syslog demon is hammered with info.
163	- The log line output is changed to show the environment value of
164	LCMAPS_LOG_IDENT in each line. The LCMAPS_LOG_IDENT value is meant to
165	be set by programs like gLExec to indicate that they are running
166	LCMAPS. This is default in Syslog, but missing in logging to file.
167	- Log lines that log to file are prepended by the Syslog priority name.
168	This allows easy filtering when needed.
169	- Harmonized the credential handling for all the external LCMAPS interfaces.
170	The small functional differences between the different credential input
171	differences are now gone. Interfaces used by gLExec (PEM based), GT4/5
172	GSI-Authz based, X.509 based and even string input handling are now
173	equalized. This reenabled the verify-proxy plug-in to work from a GT4/GT5
174	service and enabled the Xrootd interface to work with more easier
175	interfaces, and the PEM string interface from gLExec will now regain its
176	full potential for VOMS handling.
177	Example: {input credential} -> {stored to use by plugins}
178
179	Globus gss_cred_id_t object in -> X.509 stuff(*) + VOMS structs + DN
180	PEM string -> X.509 stuff + VOMS structs(**) + DN
181	X.509 -> VOMS struct(**) + DN
182	Other string based input -> string based input stored
183
184	(*) is new.
185	(**) differed in a detailed usage pattern.
186	- When the VOMS verification was disabled, either at run-time or after the
187	build-in default is changed, i.e. --enabled-osg, the VOMS Generic
188	Attributes were not successfully extracted. This is now fixed and plug-ins
189	can use them also when the VOMS AC verification is disabled.
190
191
192	Version 1.4.34
193	--------------
194	Changes in the logging facility:
195	- All syslog() messages are lowered to LOG_CRIT or lower (and can't go below LOG_DEBUG)
196	- Various log functions were logging on a high priority, including the debug messages. This is to be lowered simulating the syslog() messages when writing to file.
197	- Not being able to write to a file descriptor results now in a syslog() message on LOG_CRIT. This was on stderr.
198
199
200	Version 1.4.31
201	--------------
202	Moved a lot more useless debugging output behind the LCMAPS_DEBUG option. Mostly because people who try to debug LCMAPS are not LCMAPS developers.
203
204
205	Version 1.4.30
206	--------------
207	Add the LCMAPS_DEBUG #define to be used to build a developer debugging version of LCMAPS. The released version will not expose the amount of pedantic logging output, even in LCMAPS_DEBUG_LEVEL = 5.
208
209
210	Version 1.4.27
211	--------------
212	LCMAPS framework:
213	- fixed a memory cleanup problem when using VOMS Generic Attributes.
214	- adds a SIGPIPE handler to print the caught signal, especially interesting when the VOMS api, SCAS-Client plugin or another plugin could trigger a SIGPIPE without handling it locally. The SIGPIPE handler will be set at the beginning of each run, and removed after each run, i.e. not in the initialization or terminate sequences.
215	- Fixed signed and unsigned conflicts in parsing routines when fullfilling rules and policys and recursion issues. This problem was hard to exploit, but a bug nontheless (unless somebody went beyond 2^31 plugins and policies)
216	- Fixed the poolindex interface to LCMAPS. A symbol would not have been resolved during run-time as it has been depricated last year. Only used by the Globus DAS/Workspace Service interfacing (to the best of our knowledge).
217	- Fixed a problem in the logging facility during the initialization phase. The value was always overridden by the next call. I've removed the previous overridden call, which might call for bug Savannah bug #61772.
218	- Found a more generic location for the printCredData function to log the credential data that has lead to a particular mapping decision mapping.
219
220	- (almost) all public functions are now prefixed with with "lcmaps_" to avoid symbol clashes
221	- Update for single lcmaps-interface for both lcmaps types.
222	- use enable_gsi_mode directly instead of lcmaps_gsi_mode
223	- Default paths in LCMAPS are set at build time. All hardcoded paths into /opt/glite or (in some places) /opt/edg are removed.
224	- /etc/lcmaps/lcmaps.db will be the new default path to a lcmaps.db file. Use ${LCMAPS_DB_FILE} to override or the ./configure options.
225	- Building lcmaps-without-gsi doesn't require Globus libraries during the build and linking of this LCMAPS flavor.
226	- LCMAPS ./configure new option --with-voms-prefix instead of --with-glite-location, no glite.m4 necessary, it's done using --libdir and system defaults
227
228	- API extentions:
229	Function: int lcmaps_get_major_version (void);
230	Function: int lcmaps_get_minor_version (void);
231	Function: int lcmaps_get_patch_version (void);
232	Function: lcmaps_disable_voms_attributes_verification
233	Description: Disables the verification in the VOMS API
234	Function: lcmaps_enable_voms_attributes_verification
235	Description: Enables the verification in the VOMS API (default)
236	Function: lcmaps_is_set_to_verify_voms_attributes
237	Description: Will return the current setting to enable or disable the
238	verification of the VOMS credentials by the VOMS API
239	Function: lcmaps_run_with_stack_of_x509_and_return_account
240	Description: LCMAPS runs receiving a certificate chain, containing at least
241	an End-Entity Certificate. A list of policies may be provided.
242	The allocated uid, gids and the poolindex will be returned to
243	the calling application.
244
245
246
247	Generic to all components:
248
249	- adjusted to be able to use EPEL, EMI and gLite packages and system native library installations
250	- cleanup of unused files and support for distribution tarball.
251	- provide pkg-config files
252	- All LCMAPS public header files are all in ${includeDir}/lcmaps/*.h
253
254
grid.support@nikhef.nl	ViewVC Help
Powered by ViewVC 1.1.28