#!/usr/bin/perl -w
#
# Copyright (c) 2008-2018 University of Utah and the Flux Group.
# 
# {{{GENIPUBLIC-LICENSE
# 
# GENI Public License
# 
# Permission is hereby granted, free of charge, to any person obtaining
# a copy of this software and/or hardware specification (the "Work") to
# deal in the Work without restriction, including without limitation the
# rights to use, copy, modify, merge, publish, distribute, sublicense,
# and/or sell copies of the Work, and to permit persons to whom the Work
# is furnished to do so, subject to the following conditions:
# 
# The above copyright notice and this permission notice shall be
# included in all copies or substantial portions of the Work.
# 
# THE WORK IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
# OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
# HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
# WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE WORK OR THE USE OR OTHER DEALINGS
# IN THE WORK.
# 
# }}}
#
use strict;
use English;
use File::Temp qw(tempfile);
use Getopt::Std;

#
# Generate the CRL bundle and store it in the www directory. This is done on
# the clearinghouse only, where all the bundles are kept.
# 
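#
# Print the usage line and exit non-zero. The two flags are parsed with
# getopts() below: -n builds the bundle without installing it, -d sets
# the debug flag. The old message omitted both.
#
sub usage()
{
    print "Usage: gencrlbundle [-n] [-d]\n";
    exit(1);
}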
my $optlist  = "nd";    # getopts() spec: -n and -d, both bare flags
my $debug    = 0;       # set by -d
my $impotent = 0;       # set by -n: build the bundle, exit before installing it

#
# Configure variables. The @...@ tokens are substituted when this .in
# file is installed.
#
my $TB           = "@prefix@";
my $TBOPS        = "@TBOPSEMAIL@";          # not referenced below
my $TBLOGS       = "@TBLOGSEMAIL@";         # not referenced below
my $PGENIDOMAIN  = "@PROTOGENI_DOMAIN@";    # not referenced below
my $PGENISUPPORT = @PROTOGENI_SUPPORT@;     # not referenced below

# Bundle files: the master copy under etc, the copy served by the web
# server, and the CA bundle each CRL is verified against.
my $BUNDLE       = "$TB/etc/genicrl.bundle";
my $WWWBUNDLE    = "$TB/www/genicrl.bundle";
my $CABUNDLE     = "$TB/etc/genica.bundle";

# External commands run below.
my $POSTCRL      = "$TB/sbin/protogeni/postcrl";
my $APACHE_START = "@APACHE_START_COMMAND@";
my $OPENSSL      = "/usr/bin/openssl";

# Pin the search path and drop the environment variables a shell would
# honour, so every system()/pipe below runs only what we name.
$ENV{'PATH'} = '/bin:/usr/bin:/usr/local/bin:/usr/site/bin';
delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};

# Forward declaration; fatal() is defined at the bottom of the file.
sub fatal($);

# Autoflush output ($| under its English name) so messages are not lost
# if we die part way through.
$OUTPUT_AUTOFLUSH = 1;

fatal("Must be root to run this script\n")
    if ($UID != 0);

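# Package global naming the database to use; presumably picked up by
# GeniDB when it is required further down (the original comment says the
# DB must be set before the libraries load). "our" replaces the obsolete
# "use vars" declaration and has the same package-scope effect.
our $GENI_DBNAME = "geni-ch";

# Now we can load the libraries after setting the proper DB.
use lib '@prefix@/lib';
use libaudit;
use libEmulab;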

# For error log. Counts CRLs that failed the openssl verification below;
# AuditEnd() is skipped at the end when this is non-zero.
my $errors = 0;

#
# Check args. Only two flags exist: -n (impotent: build the bundle but
# do not install it) and -d (sets the debug flag).
#
my %options = ();
usage()
    if (!getopts($optlist, \%options));
$impotent = 1
    if (defined($options{"n"}));
$debug = 1
    if (defined($options{"d"}));

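#
# Do not run when the testbed is disabled.
#
exit(0)
    if (NoLogins());

# Leave this after the NoLogins check, for initial install. GeniDB is
# loaded at run time (require) rather than compile time so that the
# $GENI_DBNAME setting above is already in effect. The direct method
# call replaces the indirect-object form "import GeniDB", which perl
# parses the same way but is easy to misread.
require GeniDB;
GeniDB->import();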

# Record output in case of error.
LogStart(0);

#
# Post our own CRL. XXX Hack check to make sure this is a real emulab
# before trying.
#
if (-d "$TB/expwork/emulab-ops") {
    # NOTE(review): only a failure to start postcrl at all (system()
    # returning -1) is fatal here; a non-zero exit from postcrl is
    # tolerated, unlike the "== 0" checks on the install commands
    # further down. Confirm that asymmetry is intended.
    my $status = system($POSTCRL);
    fatal("Could not post our own CRL")
        if ($status < 0);
}

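#
# Collect every CRL we hold. "expired" is computed in SQL so the
# comparison uses the database server's clock.
#
my $query_result =
    DBQueryWarn("select cert,uuid,DN, ".
                " UNIX_TIMESTAMP(expires) < UNIX_TIMESTAMP(now()) as expired ".
                "from geni_crls ".
                "order by uuid");
# The old code dereferenced an undef result and died with an opaque
# "Can't call method" error; say what actually went wrong.
fatal("Could not fetch the CRL list from geni_crls")
    if (!$query_result);

#
# Build the new bundle in an exclusively created scratch file instead of
# the predictable /tmp/crlbundle.$$. This script runs as root, and a
# symlink planted under that name would redirect the write to an
# arbitrary file. tempfile() opens with O_EXCL and mode 0600; the bundle
# is public (it is copied under www below), so widen it to 0644 (the old
# open() relied on the umask for this). UNLINK => 0 because the file is
# either renamed into place or removed explicitly further down.
#
my ($bundle_fh, $tmpbundle);
eval {
    ($bundle_fh, $tmpbundle) =
        tempfile("crlbundle.XXXXXXXX", DIR => "/tmp", UNLINK => 0);
};
fatal("Could not create new CRL bundle file: $@")
    if ($@ || !defined($bundle_fh));
chmod(0644, $tmpbundle)
    or fatal("Could not set permissions on $tmpbundle: $!");

while (my ($cert,$uuid,$DN,$expired) = $query_result->fetchrow_array()) {
    if ($expired) {
        print STDERR "*** CRL for $uuid has expired. Skipping ...\n";
        print STDERR "    $DN\n";
        #
        # Just delete, no point in seeing it again. $uuid came from this
        # same table row rather than from a user, but it is still
        # interpolated into the statement unquoted. NOTE(review): route
        # it through the DB layer's quoting helper if GeniDB provides
        # one.
        #
        DBQueryWarn("delete from geni_crls where uuid='$uuid'");
        next;
    }
    #
    # Make sure we can verify the CRL against our bundle. Failing to
    # start openssl at all is a local problem, not a bad CRL: stop rather
    # than bundle the CRL unverified (the old code fell through and did
    # exactly that) or delete a good one from the database.
    #
    open(my $verify_fh, '|-',
         "$OPENSSL crl -noout -CAfile $CABUNDLE >/dev/null 2>&1")
        or fatal("Could not run $OPENSSL to verify CRLs: $!");
    print $verify_fh $cert;
    # close() on a pipe waits for openssl; $? carries its exit status.
    close($verify_fh);
    if ($?) {
        print STDERR "*** CRL for $uuid cannot be verified. Skipping ...\n";
        print STDERR "    $DN\n";
        #
        # Just delete, no point in seeing it again (same quoting caveat
        # as above).
        #
        DBQueryWarn("delete from geni_crls where uuid='$uuid'");
        $errors++;
        next;
    }
    print $bundle_fh $cert;
}
# Buffered write errors (e.g. a full /tmp) surface here; do not install a
# truncated bundle.
close($bundle_fh)
    or fatal("Could not write $tmpbundle: $!");

if ($impotent) {
    # Dry run: leave the scratch bundle behind for inspection.
    print "New CRL bundle left in $tmpbundle\n"
        if ($debug);
    exit(0);
}

#
# Don't bother if no change. diff -q exits 0 when the files match, 1 when
# they differ and 2 on trouble (e.g. no existing bundle yet); anything but
# 0 installs the new file. List-form system() avoids a shell entirely.
#
system("/usr/bin/diff", "-q", $BUNDLE, $tmpbundle);
if ($? == 0) {
    # Unchanged; the old code left this scratch file behind every run.
    unlink($tmpbundle);
}
else {
    system("/bin/mv", $tmpbundle, $BUNDLE) == 0
        or fatal("Could not copy to $BUNDLE!");

    system("$APACHE_START graceful") == 0
        or fatal("Could not gracefully restart apache!");

    system("/bin/cp", $BUNDLE, $WWWBUNDLE) == 0
        or fatal("Could not copy to $WWWBUNDLE!");
}
# Apache spits out stuff. No errors at this point, nothing to report.
AuditEnd()
    if (!$errors);
exit(0);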

#
# Abort with a message prefixed by the script name and indented on its
# own line. Never returns.
#
sub fatal($)
{
    my ($msg) = @_;

    my $text = join("\n", "*** $0:", "    $msg");
    die($text . "\n");
}