Switch proxy creation to use Globus library calls. Equivalent to prox…

…y-tools.patch from HTCondor.

configure.ac

@@ -245,6 +245,7 @@ if test $have_globus = no; then
   PKG_CHECK_MODULES(GLOBUS_GSI_UTILS, globus-gsi-cert-utils, , have_globus=no)
   PKG_CHECK_MODULES(GLOBUS_GSS_ASSIST, globus-gss-assist, , have_globus=no)
   PKG_CHECK_MODULES(GLOBUS_GSI_SYSCFG, globus-gsi-sysconfig, , have_globus=no)
+  PKG_CHECK_MODULES(GLOBUS_GSSAPI_GSI, globus-gssapi-gsi, , have_globus=no)
 fi
 AC_MSG_RESULT(["GLOBUS found: $have_globus"])
 AM_CONDITIONAL([HAVE_GLOBUS], [test "x$bprserver" == "xyes" -a "x$have_globus" == "xyes"])

src/Makefile.am

@@ -57,7 +57,7 @@ blahpd_SOURCES = main.c $(common_sources)
 
 blahpd_daemon_SOURCES = main_daemon.c $(common_sources)
 
-blahpd_LDADD = $(CLASSAD_LIBS)
+blahpd_LDADD = $(CLASSAD_LIBS) $(GLOBUS_GSSSAPI_GSI_LIBS) $(GLOBUS_GSS_ASSIST_LIBS)
 
 blahpd_daemon_LDADD = $(blahpd_LDADD)
 

src/server.c

@@ -84,6 +84,9 @@
 #include <fcntl.h>
 #include <signal.h>
 
+#include "globus_gsi_credential.h"
+#include "globus_gsi_proxy.h"
+
 #include "blahpd.h"
 #include "config.h"
 #include "job_registry.h"
@@ -2591,14 +2594,167 @@ set_cmd_list_option(char **command, classad_context cad, const char *attribute,
 	if (to_append) free (to_append);
 	return(result);
 }
+
+const char *grid_proxy_errmsg = NULL;
+
+int activate_globus()
+{
+	static int active = 0;
+
+	if (active) {
+		return 0;
+	}
+
+	if ( globus_thread_set_model( "pthread" ) ) {
+		grid_proxy_errmsg = "failed to activate Globus";
+		return -1;
+	}
+
+	if ( globus_module_activate(GLOBUS_GSI_CREDENTIAL_MODULE) ) {
+		grid_proxy_errmsg = "failed to activate Globus";
+		return -1;
+	}
+
+	if ( globus_module_activate(GLOBUS_GSI_PROXY_MODULE) ) {
+		grid_proxy_errmsg = "failed to activate Globus";
+		return -1;
+	}
+
+	active = 1;
+	return 0;
+}
+
+/* Returns lifetime left on proxy, in seconds.
+ * 0 means proxy is expired.
+ * -1 means an error occurred.
+ */
+int grid_proxy_info(const char *proxy_filename)
+{
+	globus_gsi_cred_handle_t handle = NULL;
+	time_t time_left = -1;
+
+	if ( activate_globus() < 0 ) {
+		return -1;
+	}
+
+	if (globus_gsi_cred_handle_init(&handle, NULL)) {
+		grid_proxy_errmsg = "failed to initialize Globus data structures";
+		goto cleanup;
+	}
+
+	// We should have a proxy file, now, try to read it
+	if (globus_gsi_cred_read_proxy(handle, proxy_filename)) {
+		grid_proxy_errmsg = "unable to read proxy file";
+		goto cleanup;
+	}
+
+	if (globus_gsi_cred_get_lifetime(handle, &time_left)) {
+		grid_proxy_errmsg = "unable to extract expiration time";
+		goto cleanup;
+	}
+
+	if ( time_left < 0 ) {
+		time_left = 0;
+	}
+
+ cleanup:
+	if (handle) {
+		globus_gsi_cred_handle_destroy(handle);
+	}
+
+	return time_left;
+}
+
+/* Writes new proxy derived from existing one. Argument lifetime is the
+ * number of seconds until expiration for the new proxy. A 0 lifetime
+ * means the same expiration time as the source proxy.
+ * Returns 0 on success and -1 on error.
+ */
+int grid_proxy_init(const char *src_filename, char *dst_filename,
+					int lifetime)
+{
+	globus_gsi_cred_handle_t src_handle = NULL;
+	globus_gsi_cred_handle_t dst_handle = NULL;
+	globus_gsi_proxy_handle_t dst_proxy_handle = NULL;
+	int rc = -1;
+	time_t src_time_left = -1;
+	globus_gsi_cert_utils_cert_type_t cert_type = GLOBUS_GSI_CERT_UTILS_TYPE_LIMITED_PROXY;
+
+	if ( activate_globus() < 0 ) {
+		return -1;
+	}
+
+	if (globus_gsi_cred_handle_init(&src_handle, NULL)) {
+		grid_proxy_errmsg = "failed to initialize Globus data structures";
+		goto cleanup;
+	}
+
+	// We should have a proxy file, now, try to read it
+	if (globus_gsi_cred_read_proxy(src_handle, src_filename)) {
+		grid_proxy_errmsg = "unable to read proxy file";
+		goto cleanup;
+	}
+
+	if (globus_gsi_cred_get_lifetime(src_handle, &src_time_left)) {
+		grid_proxy_errmsg = "unable to extract expiration time";
+		goto cleanup;
+	}
+	if ( src_time_left < 0 ) {
+		src_time_left = 0;
+	}
+
+	if (globus_gsi_proxy_handle_init( &dst_proxy_handle, NULL )) {
+		grid_proxy_errmsg = "failed to initialize Globus data structures";
+		goto cleanup;
+	}
+
+		// lifetime == desired dst lifetime
+		// src_time_left == time left on src
+	if ( lifetime == 0 || lifetime > src_time_left ) {
+		lifetime = src_time_left;
+	}
+	if (globus_gsi_proxy_handle_set_time_valid( dst_proxy_handle, lifetime/60 )) {
+		grid_proxy_errmsg = "unable to set proxy expiration time";
+		goto cleanup;
+	}
+
+	if (globus_gsi_proxy_handle_set_type( dst_proxy_handle, cert_type)) {
+		grid_proxy_errmsg = "unable to set proxy type";
+		goto cleanup;
+	}
+
+	if (globus_gsi_proxy_create_signed( dst_proxy_handle, src_handle, &dst_handle)) {
+		grid_proxy_errmsg = "unable to generate proxy";
+		goto cleanup;
+	}
+
+	if (globus_gsi_cred_write_proxy( dst_handle, dst_filename )) {
+		grid_proxy_errmsg = "unable to write proxy file";
+		goto cleanup;
+	}
+
+	rc = 0;
+
+ cleanup:
+	if (src_handle) {
+		globus_gsi_cred_handle_destroy(src_handle);
+	}
+	if (dst_handle) {
+		globus_gsi_cred_handle_destroy(dst_handle);
+	}
+	if ( dst_handle ) {
+		globus_gsi_proxy_handle_destroy( dst_proxy_handle );
+	}
+
+	return rc;
+}
 
 static char *
 limit_proxy(char* proxy_name, char *limited_proxy_name, char **error_message)
 {
 	int seconds_left, hours_left, minutes_left;
 	char *limcommand;
 	int res;
-	char* globuslocation;
 	char *limit_command_output;
 	int tmpfd;
 	exec_cmd_t exe_command = EXEC_CMD_DEFAULT;
@@ -2639,31 +2795,15 @@ limit_proxy(char* proxy_name, char *limited_proxy_name, char **error_message)
 		if (error_message) *error_message = errmsg; else if (errmsg) free(errmsg);
 		return NULL;
 	}
-
-	globuslocation = (getenv("GLOBUS_LOCATION") ? getenv("GLOBUS_LOCATION") : "/opt/globus");
-	exe_command.command = make_message("%s/bin/grid-proxy-info -timeleft -file %s",
-	                          globuslocation, proxy_name);
-	if (exe_command.command == NULL)
+	else
 	{
-		fprintf(stderr, "blahpd: out of memory\n");
-		exit(1);
+		close(tmpfd);
 	}
-	res = execute_cmd(&exe_command);
-	free(exe_command.command);
 
-	if (res != 0)
-	{
-		perror("blahpd error invoking grid-proxy-info");
-		char * errmsg = make_message("blahpd error invoking grid-proxy-info; "
-		    "exit code %d from grid-proxy-info");
-		if (limited_proxy_made_up_name != NULL) free(limited_proxy_made_up_name);
-		if (error_message && errmsg) *error_message = errmsg; else if (errmsg) free(errmsg);
-		return(NULL);
-	}
-	else
-	{
-		seconds_left = atoi(exe_command.output);
-		cleanup_cmd(&exe_command);
+	seconds_left = grid_proxy_info( proxy_name );
+	if ( seconds_left < 0 ) {
+		perror("blahpd error reading proxy lifetime");
+		return NULL;
 	}
 
 	limit_command_output = make_message("%s_XXXXXX", limited_proxy_name);
@@ -2686,18 +2826,9 @@ limit_proxy(char* proxy_name, char *limited_proxy_name, char **error_message)
 
 	get_lock_on_limited_proxy = config_test_boolean(config_get("blah_get_lock_on_limited_proxies",blah_config_handle));
 
-	if (seconds_left <= 0)
-	{
+	if (seconds_left <= 0) {
 		/* Something's wrong with the current proxy - use defaults */
-		exe_command.command = make_message("%s/bin/grid-proxy-init -limited -cert %s -key %s -out %s",
-	                          globuslocation, proxy_name, proxy_name, limit_command_output);
-	} 
-	else
-	{
-		hours_left = (int)(seconds_left/3600);
-		minutes_left = (int)((seconds_left%3600)/60) + 1;
-		exe_command.command = make_message("%s/bin/grid-proxy-init -limited -valid %d:%d -cert %s -key %s -out %s",
-	                          globuslocation, hours_left, minutes_left, proxy_name, proxy_name, limit_command_output);
+		seconds_left = 12*60*60;
 	}
 
  	if ((limit_command_output == limited_proxy_name) &&
@@ -2728,8 +2859,7 @@ limit_proxy(char* proxy_name, char *limited_proxy_name, char **error_message)
 		}
 	} 
 
-	res = execute_cmd(&exe_command);
-	free(exe_command.command);
+	res = grid_proxy_init( proxy_name, limit_command_output, seconds_left );
 
  	if ((limit_command_output == limited_proxy_name) &&
 	    get_lock_on_limited_proxy)
@@ -2746,29 +2876,6 @@ limit_proxy(char* proxy_name, char *limited_proxy_name, char **error_message)
 		return(NULL);
 	}
 
-	/* If exitcode != 0 there may be a problem due to a warning by grid-proxy-init but */
-	/* the call may have been successful. We just check the temporary proxy  */
-	if (exe_command.exit_code != 0)
-	{
-		int orig_exit_code = exe_command.exit_code;
-		cleanup_cmd(&exe_command);
-		exe_command.command = make_message("%s/bin/grid-proxy-info -f %s", globuslocation, limit_command_output);
-		res = execute_cmd(&exe_command);
-		free(exe_command.command);
-		if (res != 0 || exe_command.exit_code != 0) 
-		{
-			char * errmsg = make_message("Failed to create limited proxy %s (grid-proxy-init "
-			    "exit_code = %d; grid-proxy-info exit code %d)", limit_command_output, orig_exit_code, res != 0 ? res : exe_command.exit_code);
-			if (limit_command_output != limited_proxy_name)
-				free(limit_command_output);
-			if (limited_proxy_made_up_name != NULL) free(limited_proxy_made_up_name);
-			if (error_message && errmsg) *error_message= errmsg; else if(errmsg) free(errmsg);
-			return(NULL);
-		}
-	}
-
-	cleanup_cmd(&exe_command);
-
 	if (limit_command_output != limited_proxy_name)
 	{
  		if (get_lock_on_limited_proxy)