Commits on Source (4483)
Showing
with 788 additions and 116 deletions
.merge-build
clientside/tmcc/cygwinseven/unattend-7pro-x86.xml.in
extendCMV
\ No newline at end of file
#
# Copyright (c) 2000-2017 University of Utah and the Flux Group.
# Copyright (c) 2000-2021 University of Utah and the Flux Group.
#
# {{{EMULAB-LICENSE
#
......@@ -52,14 +52,14 @@ ifeq ($(STANDALONE_CLEARINGHOUSE),0)
SUBDIRS = \
clientside/lib \
db assign www @optional_subdirs@ clientside ipod security sensors \
pxe tbsetup account tmcd utils backend tip ipod vis \
pxe tbsetup account tmcd utils wbstore backend ipod vis \
sensors os xmlrpc autofs install/newnode_sshkeys \
tools/svn collab/exp-vis node_usage install
ifeq ($(ISMAINSITE),1)
SUBDIRS += tools/rmanage tools/whol
SUBDIRS += tools/whol
endif
ifeq ($(PGENISUPPORT),1)
SUBDIRS += protogeni apt
SUBDIRS += protogeni apt powder
endif
else
SUBDIRS = db tbsetup account protogeni
......@@ -153,14 +153,12 @@ ops-install:
@$(MAKE) -C rc.d control-install
@$(MAKE) -C tbsetup control-install
@$(MAKE) -C security control-install
@$(MAKE) -C tip control-install
@$(MAKE) -C db control-install
@$(MAKE) -C utils control-install
@$(MAKE) -C clientside control-install
ifeq ($(EVENTSYS),1)
@$(MAKE) -C event control-install
endif
@$(MAKE) -C xmlrpc control-install
@$(MAKE) -C account control-install
ifeq ($(PELABSUPPORT),1)
@$(MAKE) -C pelab control-install
......@@ -211,7 +209,7 @@ just-builddirs:
tipserv-install:
-mkdir -p $(INSTALL_TOPDIR)/log/tiplogs
-mkdir -p $(INSTALL_TOPDIR)/etc
@$(MAKE) -C tip tipserv-install
@$(MAKE) -C clientside/tip tipserv-install
@$(MAKE) -C clientside/os/capture tipserv-install
@$(MAKE) -C tbsetup tipserv-install
......@@ -222,34 +220,22 @@ client-mkdirs:
client:
@$(MAKE) -C clientside client
@$(MAKE) -C os client
ifneq ($(SYSTEM),CYGWIN_NT-5.1)
@$(MAKE) -C tip client
endif
client-install: client client-mkdirs
@$(MAKE) -C clientside client-install
@$(MAKE) -C os client-install
ifneq ($(SYSTEM),CYGWIN_NT-5.1)
@$(MAKE) -C tip client-install
endif
subboss:
@$(MAKE) -C clientside subboss
@$(MAKE) -C tbsetup subboss
@$(MAKE) -C db subboss
@$(MAKE) -C os subboss
ifneq ($(SYSTEM),CYGWIN_NT-5.1)
@$(MAKE) -C tip client
endif
@$(MAKE) -C utils subboss
subboss-install: subboss
@$(MAKE) -C clientside subboss-install
@$(MAKE) -C tbsetup subboss-install
@$(MAKE) -C os subboss-install
ifneq ($(SYSTEM),CYGWIN_NT-5.1)
@$(MAKE) -C tip client-install
endif
@$(MAKE) -C utils subboss-install
@$(MAKE) -C db subboss-install
@$(MAKE) -C rc.d subboss-install
......
#
# Copyright (c) 2000-2011, 2014 University of Utah and the Flux Group.
# Copyright (c) 2000-2024 University of Utah and the Flux Group.
#
# {{{EMULAB-LICENSE
#
......@@ -31,7 +31,7 @@ include $(OBJDIR)/Makeconf
SBIN_STUFF = tbacct addsfskey addpubkey mkusercert quotamail genpubkeys \
newuser newproj mksyscert spewcert dumpuser dumpproject \
manageremote
manageremote regencerts
LIBEXEC_STUFF = webtbacct webaddsfskey webaddpubkey webmkusercert \
webnewuser webnewproj webspewcert webmanageremote
CTRLSBIN_STUFF = adduserhook accountsetup
......
#!/usr/bin/perl -w
#
# Copyright (c) 2010-2018 University of Utah and the Flux Group.
# Copyright (c) 2010-2022 University of Utah and the Flux Group.
#
# {{{GENIPUBLIC-LICENSE
#
......@@ -70,6 +70,7 @@ my $TB = "@prefix@";
my $USERPATH = "$TB/bin";
my $WITHZFS = @WITHZFS@;
my $ZFS_NOEXPORT = @ZFS_NOEXPORT@;
my $OPSVM_ENABLE = @OPSVM_ENABLE@;
my $OURDOMAIN = "@OURDOMAIN@";
my $ZFS_ROOT = "@ZFS_ROOT@";
my $ZFS_QUOTA_USER = "@ZFS_QUOTA_USER@";
......@@ -88,6 +89,7 @@ my $CHPASS = "/usr/bin/chpass";
my $CHOWN = "/usr/sbin/chown";
my $CHMOD = "/bin/chmod";
my $MKDIR = "/bin/mkdir";
my $CHFLAGS = "/bin/chflags";
my $NOLOGIN = "/sbin/nologin";
my $MV = "/bin/mv";
my $ZFS = "/sbin/zfs";
......@@ -95,11 +97,24 @@ my $KEYGEN = "/usr/bin/ssh-keygen";
my $SKEL = "/usr/share/skel";
my $PIDFILE = "/var/run/mountd.pid";
my $TSFILE = "/var/run/mountd.ts";
my $DISABLEFLAGS = @DISABLE_FSNODE_CHFLAGS@;
my $USEFLAGS = 0;
# XXX
my $NOSUCHUSER = 67;
my $USEREXISTS = 65;
# We use flags to prevent deletion of certain dirs, on FreeBSD 10 or greater.
# Note that when OPSVM_ENABLE=1, the file systems are actually back over
# on boss, so cannot do the chflags here. Hmm.
if (!$OPSVM_ENABLE) {
if (`uname -r` =~ /^(\d+)\.(\d+)/) {
if ($1 >= 10) {
$USEFLAGS = 1 unless ($DISABLEFLAGS);
}
}
}
#
# Testbed Support libraries
#
......@@ -118,6 +133,7 @@ my $FSPROJROOT = "@FSDIR_PROJ@";
my $FSGROUPROOT = "@FSDIR_GROUPS@";
my $FSSCRATCHROOT = "@FSDIR_SCRATCH@";
# These are duplicated in db/Project.pm.in ...
# Project subdir list
my @DIRLIST = ("exp", "images", "logs", "deltas", "tarfiles", "rpms",
"groups", "tiplogs", "images/sigs", "templates");
......@@ -148,6 +164,8 @@ sub MakeDir($$);
sub WhackDir($$);
sub mysystem($);
sub runBusyLoop($);
sub SetNoDelete($);
sub ClearNoDelete($);
#
# Check args.
......@@ -462,7 +480,7 @@ sub AddProject()
my $unix_uid = shift(@ARGV);
# Create the project unix group
if (mysystem("egrep -q -s '^${unix_name}:' /etc/group")) {
if (system("egrep -q -s '^${unix_name}:' /etc/group")) {
print "Adding group $unix_name ...\n";
if (runBusyLoop("$GROUPADD $unix_name -g $unix_gid")) {
......@@ -481,6 +499,9 @@ sub AddProject()
if (! chown($unix_uid, $unix_gid, "$path")) {
fatal("Could not chown '$path' to $unix_uid/$unix_gid: $!");
}
if (SetNoDelete($path)) {
fatal("Could not set no delete on '$path'!\n");
}
# Create required /proj subdirs
foreach my $dir (@DIRLIST) {
......@@ -494,6 +515,9 @@ sub AddProject()
if (! chown($unix_uid, $unix_gid, "$path")) {
fatal("Could not chown '$path' to $unix_uid/$unix_gid: $!");
}
if (SetNoDelete($path)) {
fatal("Could not set no delete on '$path'!\n");
}
}
# Create the /groups directory
......@@ -507,6 +531,9 @@ sub AddProject()
if (! chown($unix_uid, $unix_gid, "$path")) {
fatal("Could not chown '$path' to $unix_uid/$unix_gid: $!");
}
if (SetNoDelete($path)) {
fatal("Could not set no delete on '$path'!\n");
}
# Create a symlink for the default group
$path = "$GROUPROOT/$name/$name";
......@@ -515,6 +542,9 @@ sub AddProject()
fatal("Could not symlink $PROJROOT/$name to $path");
}
}
if (SetNoDelete($path)) {
fatal("Could not set no delete on '$path'!\n");
}
# Finally, create /scratch dir if supported
if ($SCRATCHROOT) {
......@@ -528,6 +558,9 @@ sub AddProject()
if (! chown($unix_uid, $unix_gid, "$path")) {
fatal("Could not chown '$path' to $unix_uid/$unix_gid: $!");
}
if (SetNoDelete($path)) {
fatal("Could not set no delete on '$path'!\n");
}
}
return 0;
......@@ -548,7 +581,7 @@ sub AddGroup()
my $projname = shift(@ARGV);
# Create the group unix group
if (mysystem("egrep -q -s '^${unix_name}:' /etc/group")) {
if (system("egrep -q -s '^${unix_name}:' /etc/group")) {
print "Adding group $unix_name ...\n";
if (runBusyLoop("$GROUPADD $unix_name -g $unix_gid")) {
......@@ -568,6 +601,9 @@ sub AddGroup()
if (! chown($unix_uid, $unix_gid, "$path")) {
fatal("Could not chown '$path' to $unix_uid/$unix_gid: $!");
}
if (SetNoDelete($path)) {
fatal("Could not set no delete on '$path'!\n");
}
# Create required /groups/gid subdirs
foreach my $dir (@GDIRLIST) {
......@@ -581,6 +617,9 @@ sub AddGroup()
if (! chown($unix_uid, $unix_gid, "$path")) {
fatal("Could not chown '$path' to $unix_uid/$unix_gid: $!");
}
if (SetNoDelete($path)) {
fatal("Could not set no delete on '$path'!\n");
}
}
return 0;
......@@ -867,7 +906,7 @@ sub MakeDir($$)
# If ZFS_NOEXPORT is set, then our caller will do the HUPing and waiting.
#
my $waitforit = 0;
if (!$ZFS_NOEXPORT) {
if ($WITHZFS && !$ZFS_NOEXPORT) {
#
# Note that "waiting for mountd" involves a Utah hack to mountd to
# make it record a timestamp in a file when it is done. If there is
......@@ -931,6 +970,10 @@ sub WhackDir($$)
my ($fs,$dir) = @_;
my $zfsfs = "";
if (ClearNoDelete("$fs/$dir")) {
fatal("Could not clear no delete on '$fs/$dir'!\n");
}
if ($WITHZFS) {
my $path = "${ZFS_ROOT}${fs}/$dir";
$zfsfs = $path
......@@ -1098,3 +1141,30 @@ sub fatal($) {
print STDERR "$msg\n";
exit(-1);
}
#
# Use chflags on certain directories to prevent users from deleting things.
# Just a bandaid on the real problem.
#
sub SetNoDelete($)
{
my ($filename) = @_;
return 0
if (!$USEFLAGS);
system("$CHFLAGS sunlink $filename");
return ($? ? -1 : 0);
}
sub ClearNoDelete($)
{
my ($filename) = @_;
return 0
if (!$USEFLAGS);
# Do a recursive change here since we tend to do deletions on the
# top level directories.
system("$CHFLAGS -R nosunlink $filename");
return ($? ? -1 : 0);
}
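Review bot: `system("$CHFLAGS sunlink $filename")` in SetNoDelete, and the `-R nosunlink` call in ClearNoDelete, pass the directory path through a shell, so a project or group name containing shell metacharacters would be interpreted rather than treated as a single argument; the list form `system($CHFLAGS, "sunlink", $filename)` (and `system($CHFLAGS, "-R", "nosunlink", $filename)`) avoids the shell and still leaves `$?` for the existing return check. Separately, the `SetNoDelete($path)` added right after the symlink block in AddProject runs on `$GROUPROOT/$name/$name`, which the preceding lines create as a symlink; chflags follows symlinks unless given `-h`, so this most likely re-flags the already-protected target rather than the link itself — confirm whether protecting the link was the intent, and if so pass `-h`. AddProject starts outside the hunk.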
#!/usr/bin/perl -wT
#
# Copyright (c) 2000-2017 University of Utah and the Flux Group.
# Copyright (c) 2000-2020 University of Utah and the Flux Group.
#
# {{{EMULAB-LICENSE
#
......@@ -410,7 +410,7 @@ sub ParseKey($) {
return 0;
}
if ($keyline =~ /^(\d*\s\d*\s[0-9a-zA-Z]*) ([-\w\@\.:\ ]*)\s*$/) {
if ($keyline =~ /^(\d*\s\d*\s[0-9a-zA-Z]*) ([-\\\w\@\.:\ ]*)\s*$/) {
# Protocol 1
$type = "ssh-rsa1";
$key = $1;
......@@ -422,20 +422,20 @@ sub ParseKey($) {
$key = $1;
}
elsif ($keyline =~
/^(ssh-rsa|ssh-dss|ssh-ed25519) ([-\w\.\@\+\/\=]*) ([-\w\@\.:\ ]*)$/) {
/^(ssh-rsa|ssh-ed25519) ([-\w\.\@\+\/\=]*) ([-\\\w\@\.:\ ]*)$/) {
# Protocol 2
$type = $1;
$key = "$1 $2";
$comment = $3;
}
elsif ($keyline =~ /^(ssh-rsa|ssh-dss|ssh-ed25519) ([-\w\.\@\+\/\=:]*)$/) {
elsif ($keyline =~ /^(ssh-rsa|ssh-ed25519) ([-\w\.\@\+\/\=:]*)$/) {
# Protocol 2 but no comment field
$type = $1;
$key = "$1 $2";
}
if (!defined($key)) {
print STDERR "Key cannot be parsed!\n";
print STDERR "Key cannot be parsed, we accept rsa and ed25519 only!\n";
return 0;
}
......@@ -591,11 +591,11 @@ sub GenerateKeyFile()
}
close(AUTHKEYS);
$UID = 0;
$EUID = $UID = 0;
system("$SSH -host $CONTROL ".
"'$ACCOUNTPROXY dropfile $user_uid $user_gid 0600 $sshdir ".
"authorized_keys' < $outfile");
$UID = $SAVEUID;
$EUID = $UID = $SAVEUID;
if ($?) {
unlink($outfile);
......
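Review bot: The new message `Key cannot be parsed, we accept rsa and ed25519 only!` does not match what ParseKey still accepts: the Protocol 1 branch a few lines above (`$type = "ssh-rsa1"`) is unchanged and still yields a key, so an RSA1 line is accepted while the message tells the user only rsa and ed25519 are. Either drop that branch in the same change or reword the message to name the types actually rejected. ParseKey begins and ends outside the hunk.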
#!/usr/bin/perl -w
#
# Copyright (c) 2010-2013 University of Utah and the Flux Group.
# Copyright (c) 2010-2020 University of Utah and the Flux Group.
#
# {{{EMULAB-LICENSE
#
......@@ -128,7 +128,7 @@ sub DumpUser($)
"URL" => {"tag" => "URL",
"optional" => 1 },
"addr" => {"tag" => "address",
"optional" => 0 },
"optional" => 1 },
"addr2" => {"tag" => "address2",
"optional" => 1 },
"city" => {"tag" => "city",
......@@ -136,13 +136,13 @@ sub DumpUser($)
"state" => {"tag" => "state",
"optional" => 0 },
"zip" => {"tag" => "zip",
"optional" => 0 },
"optional" => 1 },
"country" => {"tag" => "country",
"optional" => 0 },
"phone" => {"tag" => "phone",
"optional" => 0 },
"optional" => 1 },
"title" => {"tag" => "title",
"optional" => 0 },
"optional" => 1 },
"affil" => {"tag" => "affiliation",
"optional" => 0 },
"shell" => {"tag" => "shell",
......@@ -178,6 +178,9 @@ sub DumpUser($)
# Pubkeys are special.
if (@keys) {
foreach my $key (@keys) {
next
if ($key =~ /^ssh-dss/);
print "<pubkeys>$key</pubkeys>\n";
}
}
......
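Review bot: The `next if ($key =~ /^ssh-dss/)` skip in DumpUser carries no explanation, and the surrounding `# Pubkeys are special.` comment does not cover it. A one-line comment such as `# ssh-dss keys are no longer accepted on import; do not export them.` would save the next reader a search — presumably this matches the addpubkey change in the same compare, but that is inferred. DumpUser begins and ends outside the hunk.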
#!/usr/bin/perl -w
#
# Copyright (c) 2005-2022 University of Utah and the Flux Group.
#
# {{{EMULAB-LICENSE
#
# This file is part of the Emulab network testbed software.
#
# This file is free software: you can redistribute it and/or modify it
# under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or (at
# your option) any later version.
#
# This file is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Affero General Public
# License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this file. If not, see <http://www.gnu.org/licenses/>.
#
# }}}
#
use English;
use strict;
use Getopt::Std;
use Data::Dumper;
use File::Temp qw(tempfile);
use JSON;
#
# Ask https://ipinfo.io/ for IP info
#
# select cc.country,sum(t.count) as count from
# (select country,count(distinct(uid)) as count from login_history
# where IP is not null and location is not null and portal='cloudlab'
# group by country,uid) as t
# left join ccodes.ccodes as cc on cc.code=t.country
# group by cc.country order by count desc;
#
#select region,sum(t.count) as count from
# (select region,count(distinct(uid)) as count from login_history
# where IP is not null and location is not null and country='US' and
# portal='cloudlab'
# group by region,uid) as t
#group by region order by count desc;
#
#
sub usage()
{
print "Usage: getipinfo [-n]\n";
print " getipinfo [-n] -p portal\n";
exit(1);
}
my $optlist = "ndp:";
my $impotent = 0;
my $debug = 0;
my $limit = 200;
#
# Configure variables
#
my $TB = "@prefix@";
my $token = "850749cc3b77dc";
my $URL = "http://ipinfo.io/batch?token=${token}";
my $CURL = "/usr/local/bin/curl";
# Load the Testbed support stuff.
use lib "@prefix@/lib";
use emdb;
use User;
use emutil;
# Protos
sub fatal($);
sub WriteResults($);
#
# Turn off line buffering on output
#
$| = 1;
my %options = ();
if (! getopts($optlist, \%options)) {
usage();
}
if (defined($options{"n"})) {
$impotent++;
}
if (defined($options{"d"})) {
$debug++;
}
if (defined($options{"p"})) {
my $portal = $options{"p"};
if ($portal ne "cloudlab" && $portal ne "powder") {
fatal("Only cloudlab or powder portal please");
}
exit(WriteResults($portal));
}
#
# Find unmatched IPs in the login_history table and batch them up
# for the request.
#
my $count = 0;
while ($limit) {
$limit--;
my $query_result =
DBQueryFatal("select distinct IP from login_history ".
"where location is null and IP is not null ".
"limit 100");
last
if ($query_result->numrows == 0);
my %IPs = ();
while (my ($IP) = $query_result->fetchrow_array()) {
$IPs{$IP} = $IP;
}
if (keys(%IPs)) {
# Create a temporary files for curl
my ($fpIn, $fnameIn) = tempfile("/tmp/iplistInXXXXX", UNLINK => 0);
if (!defined($fpIn)) {
fatal("Could not create temp file for IPs");
}
my ($fpOut, $fnameOut) = tempfile("/tmp/iplistOutXXXXX", UNLINK => 0);
if (!defined($fpOut)) {
fatal("Could not create temp file for IPs");
}
foreach my $IP (keys(%IPs)) {
print $fpIn "$IP\n";
}
my $command =
"$CURL -s -o $fnameOut -XPOST --data-binary \@${fnameIn} $URL";
if ($debug) {
print "$command\n";
}
system($command);
if ($?) {
fatal("curl failure: '$command'\n");
}
my $json = emutil::ReadFile($fnameOut);
if (!$json || $json eq "") {
fatal("No json received");
}
my $results = eval { decode_json($json) };
if ($@) {
fatal("Could not decode json data");
}
if ($debug) {
print Dumper($results);
}
foreach my $IP (keys(%IPs)) {
my $ref = $results->{$IP};
if (!defined($ref)) {
print STDERR "No data for $IP\n";
next;
}
my $loc = $ref->{'loc'};
my $country = $ref->{'country'};
my $region = $ref->{'region'};
if (!defined($loc)) {
print STDERR "No data for $IP\n";
DBQueryFatal("update login_history set ".
" location='' ".
"where IP='$IP'");
next;
}
$count++;
if ($impotent) {
print "Would set $IP: $loc,$country,$region\n";
next;
}
else {
print "$IP: $loc,$country,$region\n";
DBQueryFatal("update login_history set ".
" location=" . DBQuoteSpecial($loc) . ", ".
" country=" . DBQuoteSpecial($country) . ", ".
" region=" . DBQuoteSpecial($region) . " ".
"where IP='$IP'");
}
}
unlink($fnameIn);
unlink($fnameOut);
}
print "$count IPs completed\n";
last
if (!$count);
sleep(10);
}
exit(0);
#
# Write per portal results files. Queries take a while.
#
sub WriteResults($)
{
my ($portal) = @_;
print "These queries take time, get a cup of coffee.\n";
my $query_result =
DBQueryFatal("select cc.country,sum(t.count) as count from ".
" (select country,count(distinct(uid)) as count ".
" from login_history ".
" where IP is not null and location is not null and ".
" portal='$portal' ".
" group by country,uid) as t ".
"left join ccodes.ccodes as cc on cc.code=t.country ".
"group by cc.country order by count desc");
my $fname = "world-counts-${portal}.csv";
print "Writing $fname ... \n";
if (open(WORLD, ">$fname")) {
print WORLD "name,count\n";
while (my ($country,$count) = $query_result->fetchrow_array()) {
next
if (!defined($country));
$country = "USA"
if ($country eq "United States");
print WORLD "$country,$count\n";
}
close(WORLD);
}
else {
fatal("Could not open $fname for writing: $!\n");
}
$query_result =
DBQueryFatal("select region,sum(t.count) as count from ".
" (select region,count(distinct(uid)) as count ".
" from login_history ".
" where IP is not null and location is not null and ".
" country='US' and portal='$portal' ".
" group by region,uid) as t ".
"group by region order by count desc");
$fname = "us-counts-${portal}.csv";
print "Writing $fname ... \n";
if (open(STATES, ">$fname")) {
print STATES "name,count\n";
while (my ($region,$count) = $query_result->fetchrow_array()) {
next
if (!defined($region));
print STATES "$region,$count\n";
}
close(STATES);
}
else {
fatal("Could not open $fname for writing: $!\n");
}
exit(0);
}
sub fatal($) {
my($mesg) = $_[0];
die("*** $0:\n".
" $mesg\n");
}
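Review bot: The `$token` literal near the top of getipinfo is an API credential committed into the source tree and then sent in the query string of a plain `http://` URL, so it is exposed both to anyone with repository access and to the network path between boss and ipinfo.io. Read it from a mode-0600 file under `$TB/etc` (or a configure substitution that is not checked in), use `https://` for `$URL`, and treat the value already in history as disclosed. Separately, the two `where IP='$IP'` clauses in the main loop interpolate the IP unquoted while `loc`/`country`/`region` go through `DBQuoteSpecial`; the value comes from the login_history table rather than directly from a user, but quoting it the same way is cheap and consistent. The `open(WORLD, ">$fname")` / `open(STATES, ">$fname")` calls in WriteResults use the two-argument form with a bareword handle; `open(my $fh, '>', $fname) or fatal(...)` is the safer idiom even though `$portal` is restricted to two literal values here.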
#!/usr/bin/perl -w
#
# Copyright (c) 2010-2016 University of Utah and the Flux Group.
# Copyright (c) 2010-2016, 2019 University of Utah and the Flux Group.
#
# {{{GENIPUBLIC-LICENSE
#
......@@ -78,8 +78,8 @@ my $TB = "@prefix@";
my $TBOPS = "@TBOPSEMAIL@";
my $TBLOGS = "@TBLOGSEMAIL@";
my $PGENISUPPORT = @PROTOGENI_SUPPORT@;
my $PORTAL_ENABLE = @PORTAL_ENABLE@;
my $PORTAL_PRIMARY= @PORTAL_ISPRIMARY@;
my $PEER_ENABLE = @PEER_ENABLE@;
my $PEER_PRIMARY = @PEER_ISPRIMARY@;
my $OURDOMAIN = "@OURDOMAIN@";
my $DUMPUSER = "$TB/sbin/dumpuser";
my $DUMPPROJ = "$TB/sbin/dumpproject";
......@@ -133,10 +133,10 @@ my $cmd = shift(@ARGV);
my $peername = shift(@ARGV);
my $peerurn;
if (! $PORTAL_ENABLE) {
fatal("Portal mode is not enabled");
if (! $PEER_ENABLE) {
fatal("Peer mode is not enabled");
}
if (! ($PORTAL_PRIMARY || $cmd eq "addpeer")) {
if (! ($PEER_PRIMARY || $cmd eq "addpeer")) {
fatal("You can only run addpeer on this boss");
}
......@@ -197,7 +197,7 @@ if ($cmd ne "addpeer") {
#
# All operations other then xlogin require locking to avoid a
# race with the portal_daemon.
# race with the peer_daemon.
#
if ($cmd ne "xlogin" && !$fromdaemon) {
while (TBScriptLock("portal_op", 0, 5) != TBSCRIPTLOCK_OKAY()) {
......
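Review bot: The comment now says `peer_daemon` but the lock taken just below is still `TBScriptLock("portal_op", 0, 5)`; if the daemon was renamed and its lock string changed with it, this script and the daemon no longer serialize against each other, and if the daemon kept `portal_op` the comment is the only stale part. Check the daemon's lock name and make the two agree in one change rather than renaming here alone.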
#!/usr/bin/perl -w
#
# Copyright (c) 2000-2018 University of Utah and the Flux Group.
# Copyright (c) 2000-2024 University of Utah and the Flux Group.
#
# {{{EMULAB-LICENSE
#
......@@ -87,6 +87,7 @@ my $EMULAB_CERT = "$TB/etc/emulab.pem";
my $EMULAB_KEY = "$TB/etc/emulab.key";
my $OPENSSL = "/usr/bin/openssl";
my $WORKDIR = "$TB/ssl";
my $RANDFILE = "./.rnd";
my $SAVEUID = $UID;
my $certfile = $EMULAB_CERT;
my $keyfile = $EMULAB_KEY;
......@@ -207,6 +208,22 @@ if (!defined($email)) {
chdir("$WORKDIR") or
fatal("Could not chdir to $WORKDIR: $!");
#
# Some sillyness to deal with changes to .rnd file handling across
# versions of openssl.
#
if (! -e $RANDFILE) {
system("/bin/dd if=/dev/urandom of=${RANDFILE} bs=256 count=4");
if ($?) {
fatal("Could not generate $RANDFILE");
}
}
#
# Older versions of openssl ignore -rand option, but use this environment
# variable. New versions ignore the environment variable but use -rand.
#
$ENV{"RANDFILE"} = $RANDFILE;
#
# Need an index file, which is the openssl version of the DB.
#
......@@ -251,7 +268,9 @@ if (@urls) {
# unregistered OID 2.25.305821105408246119474742976030998643995
# (corresponding to UUID e61300a0-c4c5-11de-b14e-0002a5d5c51b)
# is used to indicate generic ProtoGENI XMLRPC servers.
print TEMP "authorityInfoAccess=2.25.305821105408246119474742976030998643995;URI:$_\n";
# print TEMP "authorityInfoAccess=2.25.305821105408246119474742976030998643995;URI:$_\n";
print TEMP
"authorityInfoAccess=2.25.305821105.408246119.47474297.603099864.3995;URI:$_\n";
}
}
......@@ -295,16 +314,23 @@ if( defined( $oldkeyfile ) ) {
#
# Create a client side private key and certificate request.
#
my $genopts =
my $genopts = " -rand $RANDFILE " .
($encrypted ? " -passout 'pass:${sh_password}' -des3 " : "");
system("$OPENSSL genrsa $genopts -out syscert_key.pem 1024")
== 0 or fatal("Could generate new key");
system("$OPENSSL req -text -new -config syscert.cnf ".
($encrypted ? " -passin 'pass:${sh_password}' " : "") .
" -key syscert_key.pem -out syscert_req.pem $outline") == 0
or fatal("Could not create certificate request");
my $output =
emutil::ExecQuiet("$OPENSSL genrsa $genopts -out syscert_key.pem 2048");
if ($?) {
print STDERR $output;
fatal("Could generate new key");
}
$output =
emutil::ExecQuiet("$OPENSSL req -text -new -config syscert.cnf ".
($encrypted ? " -passin 'pass:${sh_password}' " : "") .
" -key syscert_key.pem -out syscert_req.pem $outline");
if ($?) {
print STDERR $output;
fatal("Could not create certificate request");
}
}
#
......@@ -348,7 +374,7 @@ if ($debug) {
}
if ($days > $daystoexpire) {
$days = $daystoexpire - 1;
print "Shortening certificate expiration to $days\n";
print "Shortening certificate expiration to $days days\n";
}
system("$OPENSSL ca -batch -policy policy_sslxmlrpc -startdate $startdate ".
......
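Review bot: The new `authorityInfoAccess` line emits `2.25.305821105.408246119.47474297.603099864.3995`, which is a different OID from the one the comment two lines above still documents (`2.25.305821105408246119474742976030998643995`, derived from a UUID); anything that recognises the original OID will no longer match, and the comment now describes a value the code no longer writes. Presumably this works around a sub-identifier size limit in newer OpenSSL — if so, say so in the comment and record the new OID as the one consumers must look for. The same replacement appears in mkusercert's CreateNewCert (`print TEMP "authorityInfoAccess=2.25.305821105.…"`) and the comment there is stale in the same way.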
#!/usr/bin/perl -wT
#
# Copyright (c) 2000-2018 University of Utah and the Flux Group.
# Copyright (c) 2000-2024 University of Utah and the Flux Group.
#
# {{{EMULAB-LICENSE
#
......@@ -64,6 +64,7 @@ my $PGENISUPPORT= @PROTOGENI_SUPPORT@;
my $CONTROL = "@USERNODE@";
my $BOSSNODE = "@BOSSNODE@";
my $OU = "sslxmlrpc"; # orgunit
my $RANDFILE = "./.rnd";
# Locals
my $USERDIR = USERROOT();
......@@ -175,6 +176,15 @@ else {
die("Tainted argument: $user\n");
}
# Figure out what version of OpenSSL
my $sslversion = `$OPENSSL version`;
if ($sslversion =~ /^OpenSSL\s+(\d+)\.(\d+)\./) {
$sslversion = "$1.$2";
} else {
print STDERR "Cannot parse OpenSSL version, assuming 1.0\n";
$sslversion = "1.0";
}
# Map target user to object.
my $target_user = User->Lookup($user);
if (! defined($target_user)) {
......@@ -252,6 +262,22 @@ chdir("$WORKDIR") or
TBScriptLock("mkusercert") == 0 or
fatal("Could not get the lock!");
#
# Some sillyness to deal with changes to .rnd file handling across
# versions of openssl.
#
if (! -e $RANDFILE) {
system("/bin/dd if=/dev/urandom of=${RANDFILE} bs=256 count=4");
if ($?) {
fatal("Could not generate $RANDFILE");
}
}
#
# Older versions of openssl ignore -rand option, but use this environment
# variable. New versions ignore the environment variable but use -rand.
#
$ENV{"RANDFILE"} = $RANDFILE;
#
# Create a client side cert. Reuse the original key if are told to,
# and it actually exists, and the password is valid.
......@@ -367,7 +393,7 @@ sub CreateNewCert() {
# (corresponding to UUID e61300a0-c4c5-11de-b14e-0002a5d5c51b)
# is used to indicate generic ProtoGENI XMLRPC servers.
print TEMP
"authorityInfoAccess=2.25.305821105408246119474742976030998643995;URI:$url\n";
"authorityInfoAccess=2.25.305821105.408246119.47474297.603099864.3995;URI:$url\n";
}
print TEMP "\n";
......@@ -398,11 +424,11 @@ sub CreateNewCert() {
# Create a client side private key and certificate request.
#
if (!$reusekey) {
my $genopts =
my $genopts = " -rand $RANDFILE " .
($encrypted ? " -passout 'pass:${sh_password}' -des3 " : "");
system("$OPENSSL genrsa $genopts -out usercert_key.pem 1024")
== 0 or fatal("Could generate new key");
system("$OPENSSL genrsa $genopts -out usercert_key.pem 2048")
== 0 or fatal("Could not generate new key");
}
my $reqopts = ($encrypted ? "-passin 'pass:${sh_password}' " : "");
......@@ -444,7 +470,7 @@ sub CreateNewCert() {
}
if ($days > $daystoexpire) {
$days = $daystoexpire - 1;
print "Shortening certificate expiration to $days\n";
print "Shortening certificate expiration to $days days\n";
}
#
......@@ -461,7 +487,11 @@ sub CreateNewCert() {
# We store the DN in the DB too, for creating the crl index file without
# having to reparse all the certs.
#
my $DN = `$OPENSSL x509 -subject -noout -in usercert_cert.pem`;
my $args = "-subject -noout";
if ($sslversion > 1.0) {
$args .= " -nameopt=compat";
}
my $DN = `$OPENSSL x509 $args -in usercert_cert.pem`;
chomp($DN);
if ($DN =~ /^subject=\s*(\/[-\/\=\w\@\.,\s]+)$/) {
$DN = $1;
......@@ -652,7 +682,7 @@ if ($encrypted) {
#
system("$OPENSSL pkcs12 -export -in usercert.pem -des3 ".
"-passin 'pass:${sh_password}' -passout 'pass:${sh_password}' ".
"-out usercert.p12 -rand ./.rnd")
"-out usercert.p12 -rand $RANDFILE")
== 0 or fatal("Could not create usercert.p12");
# Drop the file into the user .ssl directory.
......
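Review bot: The version probe `$sslversion =~ /^OpenSSL\s+(\d+)\.(\d+)\./` only matches a banner beginning with the literal word `OpenSSL`; a LibreSSL build prints `LibreSSL 3.x` and falls into the `assuming 1.0` branch, which then omits `-nameopt=compat` from the `x509 -subject` call, so the `subject=` regex further down becomes the likely failure point instead of a clear message here. Consider `fatal("Cannot parse OpenSSL version: $sslversion")` rather than guessing, or accept `(?:Open|Libre)SSL` in the pattern and decide the `-nameopt` case for each explicitly. The numeric comparison `$sslversion > 1.0` on a `"major.minor"` string also only holds while minor stays single-digit (`"1.10"` would compare as 1.1). CreateNewCert begins and ends outside the hunk.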
#!/usr/bin/perl -wT
#
# Copyright (c) 2000-2018 University of Utah and the Flux Group.
# Copyright (c) 2000-2021, 2024 University of Utah and the Flux Group.
#
# {{{EMULAB-LICENSE
#
......@@ -44,6 +44,8 @@ my $impotent= 0;
my $silent = 0;
my $portal;
my $resend;
my %licenses = ();
my %nsf_awards = ();
#
# Configure variables
......@@ -53,6 +55,7 @@ my $TBOPS = "@TBOPSEMAIL@";
my $TBAUDIT = "@TBAUDITEMAIL@";
my $TBBASE = "@TBBASE@";
my $TBWWW = "@TBWWW@";
my $LICENSES = "$TB/sbin/manage_licenses";
#
# This script is setuid, so please do not run it as root. Hard to track
......@@ -205,8 +208,13 @@ my %optional = ("newuser_xml" => "newuser_xml",
"members" => "num_members",
"ron" => "num_ron",
"plab" => "num_pcplab",
"class" => "forClass",
"whynotpublic" => "public_whynot",
"user_interface" => "default_user_interface");
"user_interface" => "default_user_interface",
"nsf_funded" => "nsf_funded",
"nsf_awards" => "nsf_awards",
"nsf_supplement" => "nsf_supplement",
);
#
# This script is not audited cause we want the output to be sent back
......@@ -233,12 +241,28 @@ if (exists($xmlparse->{'attribute'}->{"portal"})) {
fatal("Bad portal: $portal");
}
}
# Licenses. Save for later, but need to delete.
foreach my $key (keys(%{ $xmlparse->{'attribute'} })) {
if ($key =~ /^license_([-\w]+)$/) {
my $value = $xmlparse->{'attribute'}->{"$key"}->{'value'};
my $name = $1;
if (lc($value) eq "yes") {
system("$LICENSES show $name");
if ($?) {
fatal("Invalid license name: $name");
}
$licenses{$name} = $name;
print "requested license $name\n";
}
delete($xmlparse->{'attribute'}->{"$key"});
}
}
#
# Make sure all the required arguments were provided.
#
foreach my $key (keys(%required)) {
fatal("Missing required attribute '$key'")
if (! exists($xmlparse->{'attribute'}->{"$key"}));
}
......@@ -355,16 +379,45 @@ if (exists($newproj_args{'newuser_xml'})) {
$newproj_args{'head_uid'} = $2;
}
# NSF award. Only one allowed. Change later.
if (exists($newproj_args{'nsf_funded'})) {
my $funded = $newproj_args{'nsf_funded'};
if ($funded == 1) {
my $award = $newproj_args{'nsf_awards'};
my $sup = $newproj_args{'nsf_supplement'};
$nsf_awards{$award} = $sup;
}
delete($newproj_args{'nsf_funded'});
delete($newproj_args{'nsf_awards'});
delete($newproj_args{'nsf_supplement'});
}
if (exists($newproj_args{'forClass'}) && $newproj_args{'forClass'} == 1) {
$newproj_args{'shared_reservations'} = 1;
}
else {
$newproj_args{'shared_reservations'} = 0;
}
#
# Now do special checks.
#
UserError("Project already exists; pick another name!")
if (Project->Lookup($newproj_args{'pid'}));
my $leader = User->Lookup($newproj_args{'head_uid'});
UserError("Project leader does not exist!")
if (!defined($leader));
#
# Need a big lock to avoid double click errors, too much stuff going on in
# Project->Create() to lock tables. This lock is automatically dropped.
#
my $lock_result = DBQueryWarn("select GET_LOCK('NewProjectLock', 60)");
if (!$lock_result ||
!$lock_result->numrows) {
fatal("Could not get the new project lock for a long time");
}
UserError("Project already exists; pick another name!")
if (Project->Lookup($newproj_args{'pid'}));
exit(0)
if ($impotent);
......@@ -385,6 +438,26 @@ if (!defined($newproj)) {
fatal("Could not create new project!");
}
my $new_idx = $newproj->pid_idx();
DBQueryWarn("select RELEASE_LOCK('NewProjectLock')");
#
# Add any licenses.
#
if (keys(%licenses)) {
foreach my $name (keys(%licenses)) {
system("$LICENSES require $name $new_pid");
if ($?) {
fatal("Invalid license name: $name");
}
}
}
# And NSF awards
if (keys(%nsf_awards)) {
foreach my $award (keys(%nsf_awards)) {
my $sup = $nsf_awards{$award};
$newproj->AddNSFAward($award, $sup);
}
}
#
# See if we are in an initial Emulab setup. If so, no email sent.
......
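Review bot: The `GET_LOCK('NewProjectLock', 60)` result is only checked for having a row, but GET_LOCK returns a row in every case — 1 on success, 0 on timeout, NULL on error — so when another newproj holds the lock for more than 60 seconds this one proceeds without it and the duplicate-project guard the lock was added for is bypassed. Read the value: `my ($locked) = $lock_result->fetchrow_array();` then `fatal("Could not get the new project lock for a long time") if (!defined($locked) || $locked != 1);`. The lock is also not released on the `fatal()` and `exit(0) if ($impotent)` paths between acquisition and `RELEASE_LOCK`; a session lock is dropped when the DB connection closes, so this is acceptable, but a comment saying so would help.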
#!/usr/bin/perl -w
#
# Copyright (c) 2000-2018 University of Utah and the Flux Group.
# Copyright (c) 2000-2022 University of Utah and the Flux Group.
#
# {{{EMULAB-LICENSE
#
......@@ -36,12 +36,17 @@ sub usage()
print("Usage: newuser [-s] -t <type> <xmlfile>\n");
exit(-1);
}
my $optlist = "dt:nsp";
my $optlist = "dt:nsprGP";
my $debug = 0;
my $impotent= 0;
my $type = "";
my $silent = 0;
my $relaxed = 0;
my $dopass = 0;
my $genuser = 0;
my $portal;
my $passhash;
my @keyfiles = ();
#
......@@ -117,6 +122,15 @@ if (defined($options{"s"})) {
if (defined($options{"t"})) {
$type = $options{"t"};
}
if (defined($options{"r"})) {
$relaxed = 1;
}
if (defined($options{"P"})) {
$dopass = 1;
}
if (defined($options{"G"})) {
$genuser = 1;
}
if (@ARGV != 1) {
usage();
}
......@@ -176,6 +190,13 @@ my %optional = ("uid" => "uid",
"pubkey" => undef,
"pubkeys" => undef);
my %relaxed_fields = ("affiliation_abbreviation" => 1,
"phone" => 1,
"title" => 1,
"address" => 1,
"zip" => 1,
"wikiname" => 1);
#
# These are required for most users, but are optional for wiki-only users
#
......@@ -219,28 +240,29 @@ if (exists($xmlparse->{'attribute'}->{"portal"})) {
if (!defined($brand)) {
fatal("Bad portal: $portal");
}
# Remove these, we do not require them on the APT path.
delete($required{"affiliation_abbreviation"});
delete($required{"phone"});
delete($required{"title"});
delete($required{"address"});
delete($required{"zip"});
delete($required{"wikiname"});
$relaxed = 1;
}
#
# Make sure all the required arguments were provided.
#
foreach my $key (keys(%required)) {
next
if ($relaxed && exists($relaxed_fields{$key}));
fatal("Missing required attribute '$key'")
if (! exists($xmlparse->{'attribute'}->{"$key"}));
}
#
# Always delete this. Used by the portal code but we ignore it.
# Used by the portal code but we ignore it unless explicitly told
# not to.
#
delete($xmlparse->{'attribute'}->{"passhash"})
if (exists($xmlparse->{'attribute'}->{"passhash"}));
if (exists($xmlparse->{'attribute'}->{"passhash"})) {
if ($dopass) {
$passhash = $xmlparse->{'attribute'}->{"passhash"}->{'value'};
}
delete($xmlparse->{'attribute'}->{"passhash"});
}
#
# We build up an array of arguments to pass to User->Create() as we check
......@@ -328,7 +350,8 @@ if ($WIKISUPPORT) {
# And the email address has to be unique.
#
UserError("Email address already in use; please pick another!")
if ($newuser_args{'usr_email'} ne $TBOPS &&
if (!$genuser &&
$newuser_args{'usr_email'} ne $TBOPS &&
User->LookupByEmail($newuser_args{'usr_email'}));
#
......@@ -464,6 +487,9 @@ if (!defined($newuser)) {
if (defined($portal)) {
$newuser->SetStatus(USERSTATUS_UNAPPROVED());
}
if (defined($passhash)) {
$newuser->SetPassword($passhash);
}
my $key = $newuser->verify_key();
my $usr_uid = $newuser->uid();
my $usr_idx = $newuser->uid_idx();
......@@ -476,9 +502,10 @@ my $usr_email = $newuser->email();
my $firstinitstate;
if (TBGetSiteVar("general/firstinit/state", \$firstinitstate)) {
#
# The first user gets admin status and some extra groups, etc.
# These initial users gets admin status and some extra groups, etc.
#
if ($firstinitstate eq "createproject") {
if ($firstinitstate eq "createproject" &&
$new_uid ne EmulabConstants::GENIUSER()) {
DBQueryFatal("update users set ".
" admin=1,status='". $User::USERSTATUS_UNAPPROVED . "' " .
"where uid_idx='$usr_idx'");
......
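Review bot: With `-P`, `$passhash` is taken verbatim from the XML `passhash` attribute and handed to `$newuser->SetPassword($passhash)` with no visible format check, so the caller can install an arbitrary string as the stored password hash; unless SetPassword validates it (not visible here), check it against the expected crypt(3) `$id$salt$hash` shape before use and reject empty values. The `-G` flag disables the email-uniqueness check for whatever user is being created, not only the one later compared against `EmulabConstants::GENIUSER()`; if the intent is narrower, tie the skip to that uid rather than to the flag alone.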
#!/usr/bin/perl -w
#
# Copyright (c) 2000-2024 University of Utah and the Flux Group.
#
# {{{EMULAB-LICENSE
#
# This file is part of the Emulab network testbed software.
#
# This file is free software: you can redistribute it and/or modify it
# under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or (at
# your option) any later version.
#
# This file is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Affero General Public
# License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this file. If not, see <http://www.gnu.org/licenses/>.
#
# }}}
#
use English;
use Getopt::Std;
#
# This script will generate new Emulab keys for all users who do not
# already have them or if the cert is expired.
#
sub usage()
{
print("Usage: regencerts [-n]\n");
exit(-1);
}
my $optlist = "n";
my $impotent = 0;
#
# Configure variables
#
my $TB = "@prefix@";
my $TBOPS = "@TBOPSEMAIL@";
my $TBAUDIT = "@TBAUDITEMAIL@";
my $OURDOMAIN = "@OURDOMAIN@";
my $MKCERT = "$TB/sbin/mkusercert";
my $CHECKQUOTA = "$TB/sbin/checkquota";
my $SUDO = "/usr/local/bin/sudo";
my $PROTOUSER = "elabman";
#
# Testbed Support libraries
#
use lib "@prefix@/lib";
use libaudit;
use libdb;
use libtestbed;
use emutil;
use libEmulab;
#
# Turn off line buffering on output
#
$| = 1;
#
# Untaint the path
#
$ENV{'PATH'} = "/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin";
delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};
#
# Parse command arguments. Once we return from getopts, all that should be
# left are the required arguments.
#
my %options = ();
if (! getopts($optlist, \%options)) {
usage();
}
if (defined($options{"n"})) {
$impotent = 1;
}
#
# Grab all active/frozen users.
#
my $query_result =
DBQueryFatal("select u.uid,u.uid_idx,encrypted,c.idx,s.last_activity ".
" from user_sslcerts as c ".
"left join users as u on u.uid_idx=c.uid_idx ".
"left join user_stats as s on s.uid_idx=u.uid_idx ".
"where webonly=0 and wikionly=0 and ".
" (u.status='active' or u.status='frozen') and ".
" revoked is null ".
"order by u.uid");
while (my ($uid,$uid_idx,$encrypted) = $query_result->fetchrow_array()) {
system("$CHECKQUOTA $uid");
if ($?) {
print STDERR "User $uid over quota, not generating certificate!\n";
next;
}
if (!$encrypted) {
print "Regenerating unencrypted certificate for $uid.\n";
if (!$impotent) {
system("$SUDO -u $PROTOUSER $MKCERT $uid_idx");
if ($?) {
print STDERR "Could not regenerate unencrypted cert ".
"for $uid ($uid_idx)\n";
}
}
}
else {
print "Regenerating encrypted certificate for $uid.\n";
if (!$impotent) {
system("$SUDO -u $PROTOUSER $MKCERT -P $uid_idx");
if ($?) {
print STDERR "Could not regenerate encrypted cert ".
"for $uid ($uid_idx)\n";
}
}
}
}
exit(0);
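Review bot: The `checkquota` and `mkusercert` calls in the loop build shell command strings from values read back from the database (`system("$CHECKQUOTA $uid")` and the two `$SUDO -u $PROTOUSER $MKCERT ...` lines); this script runs under `-w` rather than `-wT`, so nothing else catches it, and the list form simply bypasses the shell: `system($CHECKQUOTA, $uid);`, `system($SUDO, "-u", $PROTOUSER, $MKCERT, $uid_idx);` and `system($SUDO, "-u", $PROTOUSER, $MKCERT, "-P", $uid_idx);`. The header comment promises regeneration only for users who lack a certificate or whose certificate has expired, but the query starts from user_sslcerts with no expiry test, so mkusercert runs for every unrevoked certificate of every active/frozen user (more than once for a user holding several) and never for a user with no certificate at all; `c.idx` and `s.last_activity` are selected and never read, which suggests the intended filtering is unfinished. Either the query or the comment should change, e.g. `# Regenerates a fresh cert for every unrevoked cert of active/frozen users.` if the current behaviour is what is wanted. `$TBOPS`, `$TBAUDIT` and `$OURDOMAIN` are assigned but unused.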
#!/usr/bin/perl -wT
#
# Copyright (c) 2000-2018 University of Utah and the Flux Group.
# Copyright (c) 2000-2021 University of Utah and the Flux Group.
#
# {{{EMULAB-LICENSE
#
......@@ -40,14 +40,19 @@ use Getopt::Std;
# and forces the target user into that state. Eventually, this should
# be the default mode of operation (independent of web interface).
#
# Use -e with passwd to apply the default password expire interval to
# the new password, otherwise the password is expired immediately to
# force a change.
#
sub usage()
{
print("Usage: tbacct [-f] [-b] [-u] [-v] ".
print("Usage: tbacct [-e] [-f] [-b] [-u] [-v] ".
"<add|del|mod|passwd|wpasswd|email|freeze|thaw|verify|revoke|dots|deactivate|reactivate> ".
"<user> [args]\n");
exit(-1);
}
my $optlist = "fbuvs";
my $optlist = "efbuvs";
my $expok = 0;
my $force = 0;
my $batch = 0;
my $update = 0;
......@@ -78,7 +83,7 @@ my $THISHOMEBASE= "@THISHOMEBASE@";
my $PROTOUSER = 'elabman';
my $ELABINELAB = @ELABINELAB@;
my $PGENISUPPORT= @PROTOGENI_SUPPORT@;
my $GENIRACK = @PROTOGENI_GENIRACK@;
my $CONFIG_TARGETSYS = @CONFIG_TARGETSYS@;
my $SAMBANODE = "fs"; # DNS makes this do the right thing in E-in-E.
my $SMBPASSWD = "/usr/local/bin/smbpasswd";
......@@ -201,6 +206,9 @@ if (scalar(@ARGV) == 3 && $ARGV[0] eq "passwd") {
if (! getopts($optlist, \%options)) {
usage();
}
if (defined($options{"e"})) {
$expok = 1;
}
if (defined($options{"f"})) {
$force = 1;
}
......@@ -301,8 +309,9 @@ my $wpswd = $target_user->w_pswd();
my $wikionly = $target_user->wikionly();
my $isnonlocal = $target_user->IsNonLocal();
my $nocollabtools = $target_user->nocollabtools();
# Geni users should not get an account on ops.
$usr_shell = "nologin"
if (!defined($usr_shell));
if (!defined($usr_shell) || $isnonlocal);
#
# Get the users earliest project membership to use as the default group
......@@ -472,7 +481,7 @@ sub AddUser()
#
# Leave the password "starred" on elabinelab; safer.
#
if (!$ELABINELAB || $GENIRACK) {
if (!$ELABINELAB && !$CONFIG_TARGETSYS) {
# shell escape.
$pswd =~ s/\$/\\\$/g;
$pswd =~ s/\*/\\\*/g;
......@@ -589,6 +598,7 @@ sub AddUser()
# do not like this.
#
if (! $batch) {
$target_user->BumpActivity();
print "Updating exports file.\n";
system("$EXPORTSSETUP");
}
......@@ -701,13 +711,13 @@ sub UpdatePassword()
}
#
# Insert into database. When changing password for someone else,
# always set the expiration to right now so that the target user
# is "forced" to change it.
# Insert into database. When changing password for someone else
# and "-e" (expok) isn't set, then set the expiration to right
# now so that the target user is "forced" to change it.
#
my $expires;
if (! $target_user->SameUser($this_user)) {
if (!$expok && ! $target_user->SameUser($this_user)) {
$expires = "now()";
}
elsif ($EXPIRE_PASSWORDS) {
......@@ -750,7 +760,7 @@ sub UpdatePassword()
# Change on ops only if there is a real account there.
# For ELABINELAB, safer to leave the password "starred".
#
if (!$wikionly && (!$ELABINELAB || $GENIRACK)) {
if (!$wikionly && !$ELABINELAB && !$CONFIG_TARGETSYS) {
#
# Grab from the DB to avoid taint checking sillyness.
#
......
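Review bot: The comment `# Leave the password "starred" on elabinelab; safer.` in AddUser no longer describes its condition, which now also skips pushing the hash to ops whenever `$CONFIG_TARGETSYS` is set (UpdatePassword uses the same test); suggest `# Leave the password "starred" on elabinelab and on CONFIG_TARGETSYS builds; safer.` at both sites. This is also a behaviour change rather than a rename: the old `!$ELABINELAB || $GENIRACK` still pushed passwords to ops on a GENI rack inside an elabinelab, and the new test never does on a target system, which deserves a sentence in the commit description if intentional. The new `-e` (expok) path lets someone set another user's password without forcing a change at next login; who is meant to pass it is not visible here, so a note at the `$expok` test such as `# -e is for admin/batch tooling setting a known-good password; the default stays forced-change` would keep the default from being bypassed casually (confirm the intended callers). AddUser and UpdatePassword both continue outside their hunks, including the `$pswd` shell-escaping that these conditions guard.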
#
# Copyright (c) 2002-2017 University of Utah and the Flux Group.
# Copyright (c) 2002-2017, 2020 University of Utah and the Flux Group.
#
# {{{EMULAB-LICENSE
#
......@@ -153,6 +153,10 @@ else
install: install-dirs install-scripts httpd.conf pgeni-install
$(INSTALL_DATA) httpd.conf $(INSTALL_APACHE_CONFIG)/httpd.conf
install-utah-nets:
$(INSTALL_DATA) $(SRCDIR)/utah-nets.conf \
$(INSTALL_APACHE_CONFIG)/utah-nets.conf
control-install: install-dirs install-scripts httpd.conf-ops
$(INSTALL_DATA) httpd.conf-ops $(INSTALL_APACHE_CONFIG)/httpd.conf
......
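Review bot: `install-utah-nets` is a standalone target — nothing in the hunk makes `install` depend on it, so `utah-nets.conf` only reaches `$(INSTALL_APACHE_CONFIG)` when someone runs the target by hand. If that is intended (the name suggests a Utah-only allow list), say so above the rule, `# Utah-only; run explicitly, not part of 'install'`, so nobody wires it into the generic install for every site. Whether this file declares `.PHONY` targets is outside the hunk; if it does, `install-utah-nets` belongs there too.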
......@@ -32,3 +32,8 @@ error_log = "@prefix@/log/php-errors.log"
; How stupid is this?
;
date.timezone = @OURTIMEZONE@
;
; This is needed now to avoid SSL verify errors when talking to ourself.
[openssl]
openssl.cafile = @prefix@/etc/emulab.pem
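Review bot: `openssl.cafile` sets the CA bundle PHP uses by default for every TLS stream context, not only for connections back to this host; if `@prefix@/etc/emulab.pem` carries only the local Emulab CA, outbound HTTPS from PHP to any third party will now fail verification unless that code supplies its own `cafile` or the file also bundles the public roots. Worth stating next to the setting so the next verify error is diagnosed correctly: `; NOTE: applies to ALL PHP TLS streams; third-party HTTPS needs its own cafile in the stream context unless emulab.pem also bundles the public roots.`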
# Flux
allow from 155.98.60.
# Flux VPN
allow from 155.98.63.
# Emulab
allow from 155.98.32.
# APT boss
allow from 128.110.100.4
# Wisc boss
allow from 128.104.222.9
# Cloudlab boss
allow from 128.110.156.4
# Clemson boss
allow from 130.127.132.51
# Utah University VPN
allow from 155.101.240.
allow from 155.101.241.
allow from 155.101.242.
# Leigh Comcast
allow from 24.21.143.27
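Review bot: The list mixes institutional prefixes with one residential address, `allow from 24.21.143.27` ("Leigh Comcast"); consumer addresses get reassigned, so that entry extends whatever this list protects to the next holder of the address unless it is revisited — a dated comment, `# Leigh Comcast (dynamic; re-verify after <DATE>)`, keeps that visible. The prefix form `allow from 155.98.60.` is mod_access_compat's partial-address `Allow from` syntax, so the file only works where that module is loaded and an `Order` directive is in effect; nothing in this change shows where the file is `Include`d, so that is for the reviewer to confirm.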
......@@ -689,6 +689,8 @@ ScriptAlias /spewrpmtar /usr/testbed/cgi-bin/spewrpmtar_cgi
ScriptAlias /spewrpmtar.php3 /usr/testbed/cgi-bin/spewrpmtar_cgi
ScriptAlias /d77e8041d1ad /usr/testbed/cgi-bin/shellinabox.pl
Alias /accept_cert.html /usr/testbed/www/accept_cert.html
# Letsencrypt
Alias /.well-known/acme-challenge/ "@prefix@/www/.well-known/acme-challenge/"
<Directory "/usr/testbed/cgi-bin">
Options FollowSymLinks
......@@ -1158,7 +1160,12 @@ SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:!RC4:!MD5:!AECDH:+HIGH:+MEDIUM:!LOW
# pass phrase. Note that a kill -HUP will prompt again. A new
# certificate can be generated using the genkey(1) command.
#SSLCertificateFile /etc/pki/tls/certs/localhost.crt
<IfDefine LETSENCRYPT>
SSLCertificateFile /usr/local/etc/letsencrypt/live/@USERNODE@/cert.pem
</IfDefine>
<IfDefine !LETSENCRYPT>
SSLCertificateFile /usr/local/etc/apache22/ssl.crt/@USERNODE@.crt
</IfDefine>
# Server Private Key:
# If the key is not combined with the certificate, use this
......@@ -1166,7 +1173,12 @@ SSLCertificateFile /usr/local/etc/apache22/ssl.crt/@USERNODE@.crt
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
<IfDefine LETSENCRYPT>
SSLCertificateKeyFile /usr/local/etc/letsencrypt/live/@USERNODE@/privkey.pem
</IfDefine>
<IfDefine !LETSENCRYPT>
SSLCertificateKeyFile /usr/local/etc/apache22/ssl.key/@USERNODE@.key
</IfDefine>
# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
......
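Review bot: The LETSENCRYPT branch switches only the leaf certificate and the key; `cert.pem` in a Let's Encrypt live directory is the leaf alone, so without a chain file clients that do not fetch intermediates themselves will fail to validate this vhost. The sibling www httpd.conf in this same compare adds the chain under the same define; mirror it after the key block — `<IfDefine LETSENCRYPT>` / `SSLCertificateChainFile /usr/local/etc/letsencrypt/live/@USERNODE@/chain.pem` / `</IfDefine>` — unless a chain is already configured further down, outside the hunk. The new `Alias /.well-known/acme-challenge/` has no `<Directory>` block in the hunk: if the server's default directory policy denies access the challenge files will not be served, and either way the alias target should be pinned to plain static files (`Options None`, `AllowOverride None`) rather than inheriting whatever the docroot allows.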
......@@ -1122,7 +1122,12 @@ SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:!RC4:!MD5:!AECDH:+HIGH:+MEDIUM:!LOW
# pass phrase. Note that a kill -HUP will prompt again. A new
# certificate can be generated using the genkey(1) command.
#SSLCertificateFile /etc/pki/tls/certs/localhost.crt
<IfDefine LETSENCRYPT>
SSLCertificateFile /usr/local/etc/letsencrypt/live/@OURDOMAIN@/cert.pem
</IfDefine>
<IfDefine !LETSENCRYPT>
SSLCertificateFile /usr/local/etc/apache22/ssl.crt/www.@OURDOMAIN@.crt
</IfDefine>
# Server Private Key:
# If the key is not combined with the certificate, use this
......@@ -1130,7 +1135,12 @@ SSLCertificateFile /usr/local/etc/apache22/ssl.crt/www.@OURDOMAIN@.crt
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
<IfDefine LETSENCRYPT>
SSLCertificateKeyFile /usr/local/etc/letsencrypt/live/@OURDOMAIN@/privkey.pem
</IfDefine>
<IfDefine !LETSENCRYPT>
SSLCertificateKeyFile /usr/local/etc/apache22/ssl.key/www.@OURDOMAIN@.key
</IfDefine>
# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
......@@ -1140,12 +1150,16 @@ SSLCertificateKeyFile /usr/local/etc/apache22/ssl.key/www.@OURDOMAIN@.key
# when the CA certificates are directly appended to the server
# certificate for convinience.
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
<IfDefine LETSENCRYPT>
SSLCertificateChainFile /usr/local/etc/letsencrypt/live/@OURDOMAIN@/chain.pem
</IfDefine>
# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
<IfDefine !LETSENCRYPT>
SSLCACertificateFile @prefix@/etc/emulab.pem
</IfDefine>
# Client Authentication (Type):
# Client certificate verification type and depth. Types are
......
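Review bot: Wrapping `SSLCACertificateFile @prefix@/etc/emulab.pem` in `<IfDefine !LETSENCRYPT>` ties the client-certificate trust anchor to the choice of server certificate, although the two are independent: emulab.pem is what verifies client certificates (the "Client Authentication" settings continue below the hunk), and serving a Let's Encrypt certificate does not change who issues client certificates. Under LETSENCRYPT the vhost is left with no CA file, so clients can no longer be verified against the Emulab CA and any `SSLVerifyClient` setting further down either breaks or silently stops authenticating, depending on its mode. Unless dropping client-cert authentication under Let's Encrypt is intended, remove the guard and keep the line unconditional: `SSLCACertificateFile @prefix@/etc/emulab.pem`; if it is intended, a comment saying so belongs next to the define.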
......@@ -97,7 +97,6 @@ KeepAliveTimeout 15
##
## Server-Pool Size Regulation (MPM specific)
##
LoadModule mpm_prefork_module libexec/apache24/mod_mpm_prefork.so
# prefork MPM
......@@ -216,13 +215,13 @@ LoadModule access_compat_module libexec/apache24/mod_access_compat.so
# PHP is an HTML-embedded scripting language which attempts to make it
# easy for developers to write dynamically generated webpages.
#
#LoadModule php5_module libexec/apache24/libphp5.so
# Starting with 11.3 server installs, we switched from php 5 to php7 so
# we have to check for that here. We use the relatively new IfFile directive
# which appeared in 2.4.34. Fortunately, we started using apache 2.4 at
# version 35, so we can count on this directive being present.
#
# Cause the PHP interpreter to handle files with a .php extension.
# XXX no PHP in the GENI config.
#
#AddHandler php5-script .php .php3
#AddType text/html .php .php3
#
# Add index.php to the list of files that will be served as directory
......@@ -230,13 +229,6 @@ LoadModule access_compat_module libexec/apache24/mod_access_compat.so
#
#DirectoryIndex index.php
#
# Uncomment the following line to allow PHP to pretty-print .phps
# files as PHP source code:
#
#AddType application/x-httpd-php-source .phps .php3s
#
# ExtendedStatus controls whether Apache will generate "full" status
# information (ExtendedStatus On) or just basic information (ExtendedStatus
......@@ -842,7 +834,7 @@ CustomLog @prefix@/log/apache_ssl_request_log.geni \
SSLCACertificateFile @prefix@/etc/genica.bundle
# Another bundle of CRLs.
SSLCARevocationFile @prefix@/etc/genicrl.bundle
SSLCARevocationCheck chain
SSLCARevocationCheck chain no_crl_for_cert_ok
# Reject the unencrypted certs that all users get.
<Location />
......@@ -909,7 +901,7 @@ SSLEngine on
# SSL Protocol support:
# List the enable protocol levels with which clients will be able to
# connect. Disable SSLv2 access by default:
SSLProtocol all -SSLv2 -SSLv3
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
......@@ -1040,7 +1032,7 @@ CustomLog @prefix@/log/apache_ssl_request_log.geni \
SSLCACertificateFile @prefix@/etc/genica.bundle
# Another bundle of CRLs.
SSLCARevocationFile @prefix@/etc/genicrl.bundle
SSLCARevocationCheck chain
SSLCARevocationCheck chain no_crl_for_cert_ok
ScriptAlias /protogeni/pubxmlrpc @prefix@/protogeni/pubxmlrpc/pubgeni-wrapper.pl
......@@ -1051,7 +1043,7 @@ ScriptAlias /protogeni/gtw/pubxmlrpc @prefix@/devel/gtw/protogeni/pubxmlrpc/pubg
SSLRequireSSL
Order deny,allow
allow from all
SSLOptions +StdEnvVars +LegacyDNStringFormat
SSLOptions +StdEnvVars +ExportCertData +LegacyDNStringFormat
Options +ExecCGI +FollowSymLinks
SetHandler cgi-script
SetEnv USER "nobody"
......@@ -1080,7 +1072,7 @@ SSLEngine on
# SSL Protocol support:
# List the enable protocol levels with which clients will be able to
# connect. Disable SSLv2 access by default:
SSLProtocol all -SSLv2 -SSLv3
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
......@@ -1210,7 +1202,7 @@ CustomLog @prefix@/log/apache_ssl_request_log.geni \
SSLCACertificateFile @prefix@/etc/genica.bundle
# Another bundle of CRLs.
SSLCARevocationFile @prefix@/etc/genicrl.bundle
SSLCARevocationCheck chain
SSLCARevocationCheck chain no_crl_for_cert_ok
WSGIDaemonProcess localstore processes=5 threads=1 python-eggs=/usr/local/ops-monitoring/local/eggs
WSGIScriptAlias / /usr/local/ops-monitoring/local/wsgi/localstore.wsgi
......
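Review bot: `SSLCARevocationCheck chain no_crl_for_cert_ok` (the same change appears in all three GENI vhosts in this section) turns a missing CRL from a rejection into an acceptance: a client certificate whose issuer has no CRL in genicrl.bundle now passes revocation checking, so a stale or partially fetched bundle fails open rather than closed. That is a defensible choice for federation CAs that publish no CRL, but it should be said on the line so nobody reads it as the strict default, e.g. `# no_crl_for_cert_ok: issuers absent from genicrl.bundle are accepted (fail-open); keep the bundle refresh monitored.` With this flag the bundle refresh job is the only remaining fail-closed signal, so its failures should alert rather than just log. The `-TLSv1 -TLSv1.1` additions are fine, but only two `SSLProtocol` lines appear in the hunks; if the first vhost has one outside the hunk it should match.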