nl.nikhef.pdp.fetchcrl/trunk/fetch-crl3.pl.cin

#! /usr/bin/perl -w
#
# @(#)$Id$
#
# Copyright 2010 David Groep, Nationaal instituut voor
#                subatomaire fysica NIKHEF
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
#
package main;

use strict;
use Getopt::Long qw(:config no_ignore_case bundling);
use POSIX;
eval { require LWP or die; }; $@ and die "Please install libwww-perl (LWP)\n";

my $sccsid = '@(#)$Id$';

# import modules that are needed but still external 
# (the installed version may have these packages embedded in-line)
#
require ConfigTiny and import ConfigTiny unless defined &ConfigTiny::new;
require TrustAnchor and import TrustAnchor unless defined &TrustAnchor::new;
require CRLWriter and import CRLWriter unless defined &CRLWriter::new;
require FCLog and import FCLog unless defined &FCLog::new;
require OSSL and import OSSL unless defined &OSSL::new;
require CRL and import CRL unless defined &CRL::new;

my $use_DataDumper = eval { require Data::Dumper; };
my $use_IOSelect = eval { require IO::Select; };

use vars qw/ $log $cnf /;


# ###########################################################################
#
#
($cnf,$log) = &init_configuration();

# use Net::INET6Glue if so requested (is not a default module)
if ( $cnf->{_}->{inet6glue} ) {
  eval { require Net::INET6Glue::INET_is_INET6 or die; }; 
  $@ and die "Please install Net::INET6Glue before enabling inet6glue config\n";
}

# verify local installation sanity for loaded modules
$::log->getverbose > 6 and ! $use_DataDumper and
  $::log->err("Cannot set verbosity higher than 6 without Data::Dumper") and
  exit(1);
$::cnf->{_}->{parallelism} and ! $use_IOSelect and
  $::log->err("Cannot use parallel retrieval without IO::Select") and
  exit(1);

$use_DataDumper and $::log->verb(7,Data::Dumper::Dumper($cnf));

# set safe path if so requested
$cnf->{_}->{path} and $ENV{"PATH"} = $cnf->{_}->{path} and
  $::log->verb(5,"Set PATH to",$ENV{"PATH"});

# set rcmode if present in config
defined $cnf->{_}->{rcmode} and do {
  $::log->verb(4,"Setting exit status mode to ".$cnf->{_}->{rcmode});
  $::log->setrcmode($cnf->{_}->{rcmode}) or exit($log->exitstatus);
  $::log->verb(2,"Exit status mode is set to ".$cnf->{_}->{rcmode});
};
  
# wait up to randomwait seconds to spread download load
$cnf->{_}->{randomwait} and do {
  my $wtime = int(rand($cnf->{_}->{randomwait}));
  $::log->verb(2,"Sleeping $wtime seconds before continuing");
  sleep($wtime);
};


# the list of trust anchors to process comes from the command line and 
# all files in the infodir that are metadata or crl urls
# in the next phase, the suffix will be stripped and the info file
# when present preferred over the crlurl
#
my @metafiles = @ARGV;
$::cnf->{_}->{"infodir"} and do {
  foreach my $fn ( 
      map { glob ( $::cnf->{_}->{"infodir"} . "/$_" ); } "*.info", "*.crl_url"
    ) { 
    next if $::cnf->{_}->{nosymlinks} and -l $fn;
    $fn =~ /.*\/([^\/]+)(\.crl_url|\.info)$/; 
    push @metafiles, $1 unless grep /^$1$/,@metafiles or not defined $1;
  } 
};

@metafiles or
  $log->warn("No trust anchors to process") and exit($log->exitstatus);

if ( $::cnf->{_}->{parallelism} ) {
  &parallel_metafiles($::cnf->{_}->{parallelism}, @metafiles);
} else {
  &process_metafiles( @metafiles );
}

$log->flush;
exit($log->exitstatus);


# ###########################################################################
#
#
sub init_configuration() {
  my ($cnf,$log);

  my ($configfile,$agingtolerance,$infodir,$statedir,$cadir,$httptimeout);
  my ($output);
  my @formats;
  my $verbosity;
  my $quiet=0;
  my $help=0;
  my $showversion=0;
  my $debuglevel;
  my $parallelism=0;
  my $randomwait;
  my $nosymlinks;
  my $cfgdir;
  my $inet6glue=0;
  my %directives;

  $log = FCLog->new("qualified");

  &GetOptions(
    "c|config=s" => \$configfile,
    "l|infodir=s" => \$infodir,
    "cadir=s" => \$cadir,
    "s|statedir=s" => \$statedir,
    "cfgdir=s" => \$cfgdir,
    "T|httptimeout=i" => \$httptimeout,
    "o|output=s" => \$output,
    "format=s@" => \@formats,
    "define=s" => \%directives,
    "v|verbose+" => \$verbosity,
    "h|help+" => \$help,
    "V|version+" => \$showversion,
    "q|quiet+" => \$quiet,
    "d|debug+" => \$debuglevel,
    "p|parallelism=i" => \$parallelism,
    "nosymlinks+" => \$nosymlinks,
    "a|agingtolerance=i" => \$agingtolerance,
    "r|randomwait=i" => \$randomwait,
    "inet6glue+" => \$inet6glue,
    ) or &help and exit(1);

  $help and &help and exit(0);
  $showversion and &showversion and exit(0);

  $configfile ||= ( -e "/etc/fetch-crl.conf" and "/etc/fetch-crl.conf" );
  $configfile ||= ( -e "/etc/fetch-crl.cnf" and "/etc/fetch-crl.cnf" );

  $cnf = ConfigTiny->new();
  $configfile and 
    $cnf->read($configfile) || die "Invalid config file $configfile:\n  " . 
                                   $cnf->errstr . "\n";

  ( defined $cnf->{_}->{cfgdir} and $cfgdir = $cnf->{_}->{cfgdir} ) 
    unless defined $cfgdir;
  $cfgdir ||= "/etc/fetch-crl.d";
  if ( defined $cfgdir and -d $cfgdir and opendir(my $dh,$cfgdir) ) {
    while ( my $fn = readdir $dh ) { 
      -f "$cfgdir/$fn" and -r "$cfgdir/$fn" and $cnf->read("$cfgdir/$fn");
    }
    close $dh;
  }

  # add defined from the command line to the configuration, to the
  # main section _ thereof unless there is a colon in the key
  foreach my $k ( keys %directives ) {
    my $section ="_";
    my $dvalue = $directives{$k};
    if ( $k =~ m/(\w+):(.*)/ ) {
      $section = $1;
      $k=$2;
    }
    $cnf->{$section}->{$k} = $dvalue;
  }

  # command-line option overrides
  $cnf->{_}->{agingtolerance} = $agingtolerance if defined $agingtolerance;
  $cnf->{_}->{infodir}        = $infodir if defined $infodir;
  $cnf->{_}->{cadir}          = $cadir if defined $cadir;
  $cnf->{_}->{statedir}       = $statedir if defined $statedir;
  $cnf->{_}->{httptimeout}    = $httptimeout if defined $httptimeout;
  $cnf->{_}->{verbosity}      = $verbosity if defined $verbosity;
  $cnf->{_}->{debuglevel}     = $debuglevel if defined $debuglevel;
  $cnf->{_}->{output}         = $output if defined $output;
  $cnf->{_}->{formats}        = join "\001",@formats if @formats;
  $cnf->{_}->{parallelism}    = $parallelism if $parallelism;
  $cnf->{_}->{randomwait}     = $randomwait if defined $randomwait;
  $cnf->{_}->{nosymlinks}     = $nosymlinks if defined $nosymlinks;
  $cnf->{_}->{inet6glue}      = $inet6glue if $inet6glue;

  # deal with interaction of verbosity in logfile and quiet option
  # since a noquiet config option can cancel it
  if ( not defined $cnf->{_}->{noquiet} ) {
    if ( $quiet == 1) { $cnf->{_}->{verbosity} = -1; }
  } else {
    if ( $quiet >= 2) { $cnf->{_}->{verbosity} = -1; }
  }

  # key default values
  defined $cnf->{_}->{version}  or $cnf->{_}->{version}    = "3+";
  defined $cnf->{_}->{packager} or $cnf->{_}->{packager}   = "EUGridPMA";
  defined $cnf->{_}->{openssl}  or $cnf->{_}->{openssl}    = "openssl";
  defined $cnf->{_}->{agingtolerance} or $cnf->{_}->{agingtolerance} ||= 24;
  defined $cnf->{_}->{infodir}  or $cnf->{_}->{infodir}    = '/etc/grid-security/certificates';
  defined $cnf->{_}->{output}   or $cnf->{_}->{output}     = $cnf->{_}->{infodir};
  defined $cnf->{_}->{cadir}    or $cnf->{_}->{cadir}      = $cnf->{_}->{infodir};
  defined $cnf->{_}->{statedir} or $cnf->{_}->{statedir}   = "/var/cache/fetch-crl" if -d "/var/cache/fetch-crl" and -w "/var/cache/fetch-crl";
  defined $cnf->{_}->{formats}  or $cnf->{_}->{formats}    = "openssl";
  defined $cnf->{_}->{opensslmode} or $cnf->{_}->{opensslmode} = "dual";
  defined $cnf->{_}->{httptimeout} or $cnf->{_}->{httptimeout} = 120;
  defined $cnf->{_}->{nametemplate_der} or 
    $cnf->{_}->{nametemplate_der} = "\@ANCHORNAME\@.\@R\@.crl";
  defined $cnf->{_}->{nametemplate_pem} or 
    $cnf->{_}->{nametemplate_pem} = "\@ANCHORNAME\@.\@R\@.crl.pem";
  defined $cnf->{_}->{catemplate} or 
    $cnf->{_}->{catemplate} = "\@ALIAS\@.pem\001".
                              "\@ALIAS\@.\@R\@\001\@ANCHORNAME\@.\@R\@";

  $cnf->{_}->{nonssverify}    ||= 0;
  $cnf->{_}->{nocache}        ||= 0;
  $cnf->{_}->{nosymlinks}     ||= 0;
  $cnf->{_}->{verbosity}      ||= 0;
  $cnf->{_}->{debuglevel}     ||= 0;
  $cnf->{_}->{inet6glue}      ||= 0;

  $cnf->{_}->{stateless} and delete $cnf->{_}->{statedir};

  # expand array keys in config
  defined $cnf->{_}->{formats} and 
    @{$cnf->{_}->{formats_}} = split(/[\001;,\s]+/,$cnf->{_}->{formats});

  # sanity check on configuration
  $cnf->{_}->{statedir} and ! -d $cnf->{_}->{statedir} and
    die "Invalid state directory " . $cnf->{_}->{statedir} . "\n";
  $cnf->{_}->{infodir} and ! -d $cnf->{_}->{infodir} and
    die "Invalid meta-data directory ".$cnf->{_}->{infodir}."\n";

  # initialize logging
  $log->flush;
  $cnf->{_}->{logmode} and $log->destremove("qualified") and do {
    foreach ( split(/[,\001]+/,$cnf->{_}->{logmode}) ) {
      if ( /^syslog$/ ) { $log->destadd($_,$cnf->{_}->{syslogfacility}); } 
      elsif ( /^(direct|qualified|cache)$/ ) { $log->destadd($_); } 
      else { die "Invalid log destination $_, exiting.\n"; }
    }
  };
  $log->setverbose($cnf->{_}->{verbosity});
  $log->setdebug($cnf->{_}->{debuglevel});

  return ($cnf,$log);
}

# ###########################################################################
#
#
sub showversion() {
  (my $name = $0) =~ s/.*\///;
  print "$name version @VERSION@\n";
  return 1;
}

sub help() {
  (my $name = $0) =~ s/.*\///;
print <<EOHELP;
The fetch-crl utility will retrieve certificate revocation lists (CRLs) for
a set of installed trust anchors, based on crl_url files or IGTF-style info
files. It will install these for use with OpenSSL, NSS or third-party tools.

Usage: $name [-c|--config configfile] [-l|--infodir path]
  [--cadir path] [-s|--statedir path] [-o|--output path] [--format \@formats]
  [-T|--httptimeout seconds] [-p|--parallelism n] [--nosymlinks]
  [-a|--agingtolerance hours] [-r|--randomwait seconds]
  [-v|--verbose] [-h|--help] [-q|--quiet] [-d|--debug level]

Options:
 -c | --config path
        Read configuration data from path, default: /etc/fetch-crl.conf
 -l | --infodir path
        Location of the trust anchor meta-data files (crl_url or info),
        default: /etc/grid-security/certificates
 --cadir path
        Location of the trust anchors (default to infodir)
 -s | --statedir path
        Location of the historic state data (for caching and delayed-warning)
 -T | --httptimeout sec
        Maximum time in seconds to wait for retrieval or a single URL
 -o | --output path
        Location of the CRLs written (global default, defaults to infodir
 --format \@formats
        Format(s) in which the CRLs will be written (openssl, pem, der, nss)
 --nosymlinks
        Do not include meta-data files that are symlinks
 -v | --verbose
        Become more talkative
 -q | --quiet
        Become really quiet (overrides verbosity)
 -p | --parallelism n
        Run up to n parallel trust anchor retrieval processes
 -a | --agingtolerance hours
        Be quiet for up to hours hours before raising an error. Until
        the tolerance has passed, only warnings are raised
 -r | --randomwait seconds
        Introduce a random delay of up to seconds seconds before starting
        any retrieval processes
 -h | --help 
        This help text

Version: @VERSION@
EOHELP

  return 1;
}

# ###########################################################################
#
#
sub process_metafiles(@) {
  my @metafiles = @_;

  foreach my $f ( @metafiles )  { 
      my $ta = TrustAnchor->new();
      $cnf->{_}->{"infodir"} and $ta->setInfodir($cnf->{_}->{"infodir"});
      $ta->loadAnchor($f) or next;
      $ta->saveLogMode() and $ta->setLogMode();
      $ta->loadState() or next;

      # using the HASH in the CA filename templates requires the CRL
      # is retrieved first to determinte the hash
      if ( $cnf->{_}->{"catemplate"} =~ /\@HASH\@/ ) {
        $ta->retrieve or next;
        $ta->loadCAfiles() or next;
      } else {
        $ta->loadCAfiles() or next;
        $ta->retrieve or next;
      }

      $ta->verifyAndConvertCRLs or next;
    
      my $writer = CRLWriter->new($ta);
      $writer->writeall() or next;
      $ta->saveState() or next;
      $ta->restoreLogMode();
  }

  return 1;
}

sub parallel_metafiles($@) {
  my $parallelism = shift;
  my @metafiles = @_;

  my %pids = ();           # file handle by processID
  my %metafile_by_fh = (); # reverse map
  my $readset = new IO::Select();
  my %logoutput = ();

  $| = 1;

  $::log->verb(2,"starting up to $parallelism worker processes");

  while ( @metafiles or scalar keys %pids ) {
    # loop until we have started all possible retrievals AND have
    # collected all possible output

    ( @metafiles and (scalar keys %pids < $parallelism) ) and do {
      # we have metafiles left, and have spare process slots
      my $metafile = shift @metafiles;


      $logoutput{$metafile} = "";

      my $cout;
      my $cpid = open $cout, "-|";
      defined $cpid and defined $cout or 
        $::log->err("Cannot fork ($metafile): $!") and next;

      $::log->verb(5,"LOOP: starting process $cpid for $metafile");

      if ( $cpid == 0 ) { # I'm the child that should care for $metafile
        $0 = "fetch-crl worker $metafile";
        $::log->cleanse();
        $::log->destadd("qualified");
        &process_metafiles($metafile);
        $::log->flush;
        exit($::log->exitstatus);
      } else { # parent
        $pids{$cpid} = $cout;
        $readset->add($cout);
        $metafile_by_fh{$cout} = $metafile;
      } 
    };

    # do a select loop over the outstanding requests to collect messages
    # if we are in the process of starting more processes, we just
    # briefly poll out pending output so as not to have blocking 
    # children, but if we have started as many children as we ought to
    # we put in a longer timeout -- any output on a handle will
    # get us out of the select and into flushing mode again
    my $timeout = (@metafiles && (scalar keys %pids < $parallelism) ? 0.1:1);
    
    $::log->verb(6,"PLOOP: select with timeout $timeout");
    my ( $rh_set ) = IO::Select->select($readset, undef, undef, $timeout);

    foreach my $fh ( @$rh_set ) {
      my $metafile = $metafile_by_fh{$fh};
      # we know there is at least one byte to read, but also that 
      # any client sends complete
      while (1) {
        my $char;
        my $length = sysread $fh, $char, 1;
        if ( $length ) {
          $logoutput{$metafile} .= $char;
          $char eq "\n" and last;
        } else {
          #expected a char but got eof
          $readset->remove($fh);
          close($fh);
          map { 
            $pids{$_} == $fh and 
              waitpid($_,WNOHANG) and 
              delete $pids{$_} and 
              $::log->verb(5,"Collected pid $_ (rc=$?),",
                             length($logoutput{$metafile}),"bytes log output");
            } keys %pids;
          last;
        }
      }
    }
  }

  # log out all collected log data from our children
  foreach my $metafile ( sort keys %logoutput ) {
    foreach my $line ( split(/\n/,$logoutput{$metafile}) ) {
      $line =~ /^ERROR\s+(.*)$/ and $::log->err($1);
      $line =~ /^WARN\s+(.*)$/ and $::log->warn($1);
      $line =~ /^VERBOSE\((\d+)\)\s+(.*)$/ and $::log->verb($1,$2);
      $line =~ /^DEBUG\((\d+)\)\s+(.*)$/ and $::log->debug($1,$2);
    }
  }

  return 1;
}
1	davidg	1758	#! /usr/bin/perl -w
2			#
3			# @(#)$Id$
4			#
5			# Copyright 2010 David Groep, Nationaal instituut voor
6			# subatomaire fysica NIKHEF
7			#
8			# Licensed under the Apache License, Version 2.0 (the "License");
9			# you may not use this file except in compliance with the License.
10			# You may obtain a copy of the License at
11			#
12			# http://www.apache.org/licenses/LICENSE-2.0
13			#
14			# Unless required by applicable law or agreed to in writing, software
15			# distributed under the License is distributed on an "AS IS" BASIS,
16			# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
17			# See the License for the specific language governing permissions and
18			# limitations under the License.
19			#
20			#
21			package main;
22
23			use strict;
24			use Getopt::Long qw(:config no_ignore_case bundling);
25			use POSIX;
26			eval { require LWP or die; }; $@ and die "Please install libwww-perl (LWP)\n";
27
28	davidg	2649	my $sccsid = '@(#)$Id$';
29	davidg	2646
30	davidg	1758	# import modules that are needed but still external
31			# (the installed version may have these packages embedded in-line)
32			#
33			require ConfigTiny and import ConfigTiny unless defined &ConfigTiny::new;
34			require TrustAnchor and import TrustAnchor unless defined &TrustAnchor::new;
35			require CRLWriter and import CRLWriter unless defined &CRLWriter::new;
36			require FCLog and import FCLog unless defined &FCLog::new;
37			require OSSL and import OSSL unless defined &OSSL::new;
38			require CRL and import CRL unless defined &CRL::new;
39
40			my $use_DataDumper = eval { require Data::Dumper; };
41			my $use_IOSelect = eval { require IO::Select; };
42
43			use vars qw/ $log $cnf /;
44
45
46			# ###########################################################################
47			#
48			#
49			($cnf,$log) = &init_configuration();
50
51	davidg	2604	# use Net::INET6Glue if so requested (is not a default module)
52			if ( $cnf->{_}->{inet6glue} ) {
53	davidg	2605	eval { require Net::INET6Glue::INET_is_INET6 or die; };
54	davidg	2604	$@ and die "Please install Net::INET6Glue before enabling inet6glue config\n";
55			}
56
57	davidg	1758	# verify local installation sanity for loaded modules
58			$::log->getverbose > 6 and ! $use_DataDumper and
59			$::log->err("Cannot set verbosity higher than 6 without Data::Dumper") and
60			exit(1);
61			$::cnf->{_}->{parallelism} and ! $use_IOSelect and
62			$::log->err("Cannot use parallel retrieval without IO::Select") and
63			exit(1);
64
65			$use_DataDumper and $::log->verb(7,Data::Dumper::Dumper($cnf));
66
67			# set safe path if so requested
68			$cnf->{_}->{path} and $ENV{"PATH"} = $cnf->{_}->{path} and
69			$::log->verb(5,"Set PATH to",$ENV{"PATH"});
70	davidg	2690
71			# set rcmode if present in config
72	davidg	2691	defined $cnf->{_}->{rcmode} and do {
73	davidg	2692	$::log->verb(4,"Setting exit status mode to ".$cnf->{_}->{rcmode});
74			$::log->setrcmode($cnf->{_}->{rcmode}) or exit($log->exitstatus);
75	davidg	2691	$::log->verb(2,"Exit status mode is set to ".$cnf->{_}->{rcmode});
76	davidg	2690	};
77	davidg	1758
78			# wait up to randomwait seconds to spread download load
79			$cnf->{_}->{randomwait} and do {
80			my $wtime = int(rand($cnf->{_}->{randomwait}));
81			$::log->verb(2,"Sleeping $wtime seconds before continuing");
82			sleep($wtime);
83			};
84
85
86			# the list of trust anchors to process comes from the command line and
87			# all files in the infodir that are metadata or crl urls
88			# in the next phase, the suffix will be stripped and the info file
89			# when present preferred over the crlurl
90			#
91			my @metafiles = @ARGV;
92			$::cnf->{_}->{"infodir"} and do {
93			foreach my $fn (
94			map { glob ( $::cnf->{_}->{"infodir"} . "/$_" ); } ".info", ".crl_url"
95			) {
96	davidg	1878	next if $::cnf->{_}->{nosymlinks} and -l $fn;
97	davidg	1758	$fn =~ /.*\/([^\/]+)(\.crl_url\|\.info)$/;
98	davidg	2188	push @metafiles, $1 unless grep /^$1$/,@metafiles or not defined $1;
99	davidg	1758	}
100			};
101
102			@metafiles or
103	davidg	2715	$log->warn("No trust anchors to process") and exit($log->exitstatus);
104	davidg	1758
105			if ( $::cnf->{_}->{parallelism} ) {
106			&parallel_metafiles($::cnf->{_}->{parallelism}, @metafiles);
107			} else {
108			&process_metafiles( @metafiles );
109			}
110
111			$log->flush;
112			exit($log->exitstatus);
113
114
115			# ###########################################################################
116			#
117			#
118			sub init_configuration() {
119			my ($cnf,$log);
120
121			my ($configfile,$agingtolerance,$infodir,$statedir,$cadir,$httptimeout);
122			my ($output);
123			my @formats;
124			my $verbosity;
125			my $quiet=0;
126			my $help=0;
127	davidg	2646	my $showversion=0;
128	davidg	1758	my $debuglevel;
129			my $parallelism=0;
130			my $randomwait;
131	davidg	1878	my $nosymlinks;
132	davidg	2084	my $cfgdir;
133	davidg	2604	my $inet6glue=0;
134	davidg	2692	my %directives;
135	davidg	1758
136			$log = FCLog->new("qualified");
137
138			&GetOptions(
139			"c\|config=s" => \$configfile,
140			"l\|infodir=s" => \$infodir,
141			"cadir=s" => \$cadir,
142			"s\|statedir=s" => \$statedir,
143	davidg	2084	"cfgdir=s" => \$cfgdir,
144	davidg	1758	"T\|httptimeout=i" => \$httptimeout,
145			"o\|output=s" => \$output,
146			"format=s@" => \@formats,
147	davidg	2692	"define=s" => \%directives,
148	davidg	1758	"v\|verbose+" => \$verbosity,
149			"h\|help+" => \$help,
150	davidg	2646	"V\|version+" => \$showversion,
151	davidg	1758	"q\|quiet+" => \$quiet,
152			"d\|debug+" => \$debuglevel,
153			"p\|parallelism=i" => \$parallelism,
154	davidg	1878	"nosymlinks+" => \$nosymlinks,
155	davidg	1758	"a\|agingtolerance=i" => \$agingtolerance,
156			"r\|randomwait=i" => \$randomwait,
157	davidg	2604	"inet6glue+" => \$inet6glue,
158	davidg	1758	) or &help and exit(1);
159
160			$help and &help and exit(0);
161	davidg	2646	$showversion and &showversion and exit(0);
162	davidg	1758
163	davidg	1878	$configfile \|\|= ( -e "/etc/fetch-crl.conf" and "/etc/fetch-crl.conf" );
164	davidg	1758	$configfile \|\|= ( -e "/etc/fetch-crl.cnf" and "/etc/fetch-crl.cnf" );
165
166			$cnf = ConfigTiny->new();
167			$configfile and
168			$cnf->read($configfile) \|\| die "Invalid config file $configfile:\n " .
169			$cnf->errstr . "\n";
170
171	davidg	2084	( defined $cnf->{_}->{cfgdir} and $cfgdir = $cnf->{_}->{cfgdir} )
172			unless defined $cfgdir;
173			$cfgdir \|\|= "/etc/fetch-crl.d";
174			if ( defined $cfgdir and -d $cfgdir and opendir(my $dh,$cfgdir) ) {
175			while ( my $fn = readdir $dh ) {
176			-f "$cfgdir/$fn" and -r "$cfgdir/$fn" and $cnf->read("$cfgdir/$fn");
177			}
178			close $dh;
179			}
180
181	davidg	2692	# add defined from the command line to the configuration, to the
182			# main section _ thereof unless there is a colon in the key
183			foreach my $k ( keys %directives ) {
184			my $section ="_";
185			my $dvalue = $directives{$k};
186			if ( $k =~ m/(\w+):(.*)/ ) {
187			$section = $1;
188			$k=$2;
189			}
190			$cnf->{$section}->{$k} = $dvalue;
191			}
192
193	davidg	1758	# command-line option overrides
194			$cnf->{_}->{agingtolerance} = $agingtolerance if defined $agingtolerance;
195			$cnf->{_}->{infodir} = $infodir if defined $infodir;
196			$cnf->{_}->{cadir} = $cadir if defined $cadir;
197			$cnf->{_}->{statedir} = $statedir if defined $statedir;
198			$cnf->{_}->{httptimeout} = $httptimeout if defined $httptimeout;
199			$cnf->{_}->{verbosity} = $verbosity if defined $verbosity;
200			$cnf->{_}->{debuglevel} = $debuglevel if defined $debuglevel;
201			$cnf->{_}->{output} = $output if defined $output;
202	davidg	2305	$cnf->{_}->{formats} = join "\001",@formats if @formats;
203	davidg	1758	$cnf->{_}->{parallelism} = $parallelism if $parallelism;
204			$cnf->{_}->{randomwait} = $randomwait if defined $randomwait;
205	davidg	1878	$cnf->{_}->{nosymlinks} = $nosymlinks if defined $nosymlinks;
206	davidg	2604	$cnf->{_}->{inet6glue} = $inet6glue if $inet6glue;
207	davidg	1758
208	davidg	2597	# deal with interaction of verbosity in logfile and quiet option
209			# since a noquiet config option can cancel it
210			if ( not defined $cnf->{_}->{noquiet} ) {
211			if ( $quiet == 1) { $cnf->{_}->{verbosity} = -1; }
212			} else {
213			if ( $quiet >= 2) { $cnf->{_}->{verbosity} = -1; }
214			}
215
216	davidg	1758	# key default values
217			defined $cnf->{_}->{version} or $cnf->{_}->{version} = "3+";
218			defined $cnf->{_}->{packager} or $cnf->{_}->{packager} = "EUGridPMA";
219			defined $cnf->{_}->{openssl} or $cnf->{_}->{openssl} = "openssl";
220			defined $cnf->{_}->{agingtolerance} or $cnf->{_}->{agingtolerance} \|\|= 24;
221			defined $cnf->{_}->{infodir} or $cnf->{_}->{infodir} = '/etc/grid-security/certificates';
222			defined $cnf->{_}->{output} or $cnf->{_}->{output} = $cnf->{_}->{infodir};
223			defined $cnf->{_}->{cadir} or $cnf->{_}->{cadir} = $cnf->{_}->{infodir};
224			defined $cnf->{_}->{statedir} or $cnf->{_}->{statedir} = "/var/cache/fetch-crl" if -d "/var/cache/fetch-crl" and -w "/var/cache/fetch-crl";
225			defined $cnf->{_}->{formats} or $cnf->{_}->{formats} = "openssl";
226			defined $cnf->{_}->{opensslmode} or $cnf->{_}->{opensslmode} = "dual";
227			defined $cnf->{_}->{httptimeout} or $cnf->{_}->{httptimeout} = 120;
228			defined $cnf->{_}->{nametemplate_der} or
229			$cnf->{_}->{nametemplate_der} = "\@ANCHORNAME\@.\@R\@.crl";
230			defined $cnf->{_}->{nametemplate_pem} or
231			$cnf->{_}->{nametemplate_pem} = "\@ANCHORNAME\@.\@R\@.crl.pem";
232			defined $cnf->{_}->{catemplate} or
233	davidg	2305	$cnf->{_}->{catemplate} = "\@ALIAS\@.pem\001".
234			"\@ALIAS\@.\@R\@\001\@ANCHORNAME\@.\@R\@";
235	davidg	1758
236			$cnf->{_}->{nonssverify} \|\|= 0;
237			$cnf->{_}->{nocache} \|\|= 0;
238	davidg	1878	$cnf->{_}->{nosymlinks} \|\|= 0;
239	davidg	1758	$cnf->{_}->{verbosity} \|\|= 0;
240			$cnf->{_}->{debuglevel} \|\|= 0;
241	davidg	2604	$cnf->{_}->{inet6glue} \|\|= 0;
242	davidg	1758
243			$cnf->{_}->{stateless} and delete $cnf->{_}->{statedir};
244
245			# expand array keys in config
246			defined $cnf->{_}->{formats} and
247	davidg	2305	@{$cnf->{_}->{formats_}} = split(/[\001;,\s]+/,$cnf->{_}->{formats});
248	davidg	1758
249			# sanity check on configuration
250			$cnf->{_}->{statedir} and ! -d $cnf->{_}->{statedir} and
251			die "Invalid state directory " . $cnf->{_}->{statedir} . "\n";
252			$cnf->{_}->{infodir} and ! -d $cnf->{_}->{infodir} and
253			die "Invalid meta-data directory ".$cnf->{_}->{infodir}."\n";
254
255			# initialize logging
256			$log->flush;
257			$cnf->{_}->{logmode} and $log->destremove("qualified") and do {
258	davidg	2305	foreach ( split(/[,\001]+/,$cnf->{_}->{logmode}) ) {
259	davidg	1758	if ( /^syslog$/ ) { $log->destadd($_,$cnf->{_}->{syslogfacility}); }
260			elsif ( /^(direct\|qualified\|cache)$/ ) { $log->destadd($_); }
261			else { die "Invalid log destination $_, exiting.\n"; }
262			}
263			};
264			$log->setverbose($cnf->{_}->{verbosity});
265			$log->setdebug($cnf->{_}->{debuglevel});
266
267			return ($cnf,$log);
268			}
269
270			# ###########################################################################
271			#
272			#
273	davidg	2646	sub showversion() {
274			(my $name = $0) =~ s/.*\///;
275			print "$name version @VERSION@\n";
276			return 1;
277			}
278
279	davidg	1758	sub help() {
280			(my $name = $0) =~ s/.*\///;
281			print <<EOHELP;
282			The fetch-crl utility will retrieve certificate revocation lists (CRLs) for
283			a set of installed trust anchors, based on crl_url files or IGTF-style info
284			files. It will install these for use with OpenSSL, NSS or third-party tools.
285
286			Usage: $name [-c\|--config configfile] [-l\|--infodir path]
287			[--cadir path] [-s\|--statedir path] [-o\|--output path] [--format \@formats]
288	davidg	1878	[-T\|--httptimeout seconds] [-p\|--parallelism n] [--nosymlinks]
289	davidg	1758	[-a\|--agingtolerance hours] [-r\|--randomwait seconds]
290			[-v\|--verbose] [-h\|--help] [-q\|--quiet] [-d\|--debug level]
291
292			Options:
293			-c \| --config path
294	davidg	1878	Read configuration data from path, default: /etc/fetch-crl.conf
295	davidg	1758	-l \| --infodir path
296			Location of the trust anchor meta-data files (crl_url or info),
297			default: /etc/grid-security/certificates
298			--cadir path
299			Location of the trust anchors (default to infodir)
300			-s \| --statedir path
301			Location of the historic state data (for caching and delayed-warning)
302			-T \| --httptimeout sec
303			Maximum time in seconds to wait for retrieval or a single URL
304			-o \| --output path
305			Location of the CRLs written (global default, defaults to infodir
306			--format \@formats
307			Format(s) in which the CRLs will be written (openssl, pem, der, nss)
308	davidg	1878	--nosymlinks
309			Do not include meta-data files that are symlinks
310	davidg	1758	-v \| --verbose
311			Become more talkative
312			-q \| --quiet
313			Become really quiet (overrides verbosity)
314			-p \| --parallelism n
315			Run up to n parallel trust anchor retrieval processes
316			-a \| --agingtolerance hours
317			Be quiet for up to hours hours before raising an error. Until
318			the tolerance has passed, only warnings are raised
319			-r \| --randomwait seconds
320			Introduce a random delay of up to seconds seconds before starting
321			any retrieval processes
322			-h \| --help
323			This help text
324
325	davidg	2646	Version: @VERSION@
326	davidg	1758	EOHELP
327
328			return 1;
329			}
330
331			# ###########################################################################
332			#
333			#
334			sub process_metafiles(@) {
335			my @metafiles = @_;
336
337			foreach my $f ( @metafiles ) {
338			my $ta = TrustAnchor->new();
339			$cnf->{_}->{"infodir"} and $ta->setInfodir($cnf->{_}->{"infodir"});
340			$ta->loadAnchor($f) or next;
341			$ta->saveLogMode() and $ta->setLogMode();
342			$ta->loadState() or next;
343	davidg	2421
344			# using the HASH in the CA filename templates requires the CRL
345			# is retrieved first to determinte the hash
346			if ( $cnf->{_}->{"catemplate"} =~ /\@HASH\@/ ) {
347			$ta->retrieve or next;
348			$ta->loadCAfiles() or next;
349			} else {
350			$ta->loadCAfiles() or next;
351			$ta->retrieve or next;
352			}
353
354	davidg	1758	$ta->verifyAndConvertCRLs or next;
355
356			my $writer = CRLWriter->new($ta);
357			$writer->writeall() or next;
358			$ta->saveState() or next;
359			$ta->restoreLogMode();
360			}
361
362			return 1;
363			}
364
365			sub parallel_metafiles($@) {
366			my $parallelism = shift;
367			my @metafiles = @_;
368
369			my %pids = (); # file handle by processID
370			my %metafile_by_fh = (); # reverse map
371			my $readset = new IO::Select();
372			my %logoutput = ();
373
374			$\| = 1;
375
376			$::log->verb(2,"starting up to $parallelism worker processes");
377
378			while ( @metafiles or scalar keys %pids ) {
379			# loop until we have started all possible retrievals AND have
380			# collected all possible output
381
382			( @metafiles and (scalar keys %pids < $parallelism) ) and do {
383			# we have metafiles left, and have spare process slots
384			my $metafile = shift @metafiles;
385
386
387			$logoutput{$metafile} = "";
388
389			my $cout;
390			my $cpid = open $cout, "-\|";
391			defined $cpid and defined $cout or
392			$::log->err("Cannot fork ($metafile): $!") and next;
393
394			$::log->verb(5,"LOOP: starting process $cpid for $metafile");
395
396			if ( $cpid == 0 ) { # I'm the child that should care for $metafile
397			$0 = "fetch-crl worker $metafile";
398			$::log->cleanse();
399			$::log->destadd("qualified");
400			&process_metafiles($metafile);
401			$::log->flush;
402			exit($::log->exitstatus);
403			} else { # parent
404			$pids{$cpid} = $cout;
405			$readset->add($cout);
406			$metafile_by_fh{$cout} = $metafile;
407			}
408			};
409
410			# do a select loop over the outstanding requests to collect messages
411			# if we are in the process of starting more processes, we just
412			# briefly poll out pending output so as not to have blocking
413			# children, but if we have started as many children as we ought to
414			# we put in a longer timeout -- any output on a handle will
415			# get us out of the select and into flushing mode again
416			my $timeout = (@metafiles && (scalar keys %pids < $parallelism) ? 0.1:1);
417
418			$::log->verb(6,"PLOOP: select with timeout $timeout");
419			my ( $rh_set ) = IO::Select->select($readset, undef, undef, $timeout);
420
421			foreach my $fh ( @$rh_set ) {
422			my $metafile = $metafile_by_fh{$fh};
423			# we know there is at least one byte to read, but also that
424			# any client sends complete
425			while (1) {
426			my $char;
427			my $length = sysread $fh, $char, 1;
428			if ( $length ) {
429			$logoutput{$metafile} .= $char;
430			$char eq "\n" and last;
431			} else {
432			#expected a char but got eof
433			$readset->remove($fh);
434			close($fh);
435			map {
436			$pids{$_} == $fh and
437			waitpid($_,WNOHANG) and
438			delete $pids{$_} and
439			$::log->verb(5,"Collected pid $_ (rc=$?),",
440			length($logoutput{$metafile}),"bytes log output");
441			} keys %pids;
442			last;
443			}
444			}
445			}
446			}
447
448			# log out all collected log data from our children
449			foreach my $metafile ( sort keys %logoutput ) {
450			foreach my $line ( split(/\n/,$logoutput{$metafile}) ) {
451			$line =~ /^ERROR\s+(.*)$/ and $::log->err($1);
452			$line =~ /^WARN\s+(.*)$/ and $::log->warn($1);
453			$line =~ /^VERBOSE\((\d+)\)\s+(.*)$/ and $::log->verb($1,$2);
454			$line =~ /^DEBUG\((\d+)\)\s+(.*)$/ and $::log->debug($1,$2);
455			}
456			}
457
458			return 1;
459			}
grid.support@nikhef.nl	ViewVC Help
Powered by ViewVC 1.1.28