// Based on dc_schedd.C's updateGSIcredential DCStarter::X509UpdateStatus DCStarter::updateX509Proxy( const char * filename, char const *sec_session_id) { ReliSock rsock; rsock.timeout(60); if( ! rsock.connect(_addr) ) { dprintf(D_ALWAYS, "DCStarter::updateX509Proxy: " "Failed to connect to starter %s\n", _addr); return XUS_Error; } CondorError errstack; if( ! startCommand(UPDATE_GSI_CRED, &rsock, 0, &errstack, NULL, false, sec_session_id) ) { dprintf( D_ALWAYS, "DCStarter::updateX509Proxy: " "Failed send command to the starter: %s\n", errstack.getFullText().c_str()); return XUS_Error; } // Send the gsi proxy filesize_t file_size = 0; // will receive the size of the file if ( rsock.put_file(&file_size,filename) < 0 ) { dprintf(D_ALWAYS, "DCStarter::updateX509Proxy " "failed to send proxy file %s (size=%ld)\n", filename, (long int)file_size); return XUS_Error; } // Fetch the result rsock.decode(); int reply = 0; rsock.code(reply); rsock.end_of_message(); switch(reply) { case 0: return XUS_Error; case 1: return XUS_Okay; case 2: return XUS_Declined; } dprintf(D_ALWAYS, "DCStarter::updateX509Proxy: " "remote side returned unknown code %d. Treating " "as an error.\n", reply); return XUS_Error; }
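// Delegate (or, when delegation is disabled, copy) an X.509 proxy to the
// startd that holds this object's claim.
//
// Protocol, in order:
//   1) start DELEGATE_GSI_CRED_STARTD under the claim's security session
//   2) read the startd's first reply; NOT_OK ends the exchange
//   3) send the claim id and the use_delegation flag, then the credential
//   4) read the startd's final reply
//
//   proxy                   path of the proxy to delegate or copy; NULL is
//                           rejected
//   expiration_time         passed through to put_x509_delegation()
//   result_expiration_time  passed through to put_x509_delegation()
//
// Returns CONDOR_ERROR on a NULL claim_id or proxy and on any communication
// failure (the reason is recorded with newError()), NOT_OK when the startd
// answers NOT_OK in step 2, and otherwise the integer the startd sent as its
// final reply.
int
DCStartd::delegateX509Proxy( const char* proxy, time_t expiration_time, time_t *result_expiration_time )
{
    dprintf( D_FULLDEBUG, "Entering DCStartd::delegateX509Proxy()\n" );

    setCmdStr( "delegateX509Proxy" );

    if( ! claim_id ) {
        newError( CA_INVALID_REQUEST,
                  "DCStartd::delegateX509Proxy: Called with NULL claim_id" );
        return CONDOR_ERROR;
    }

    // Reject a NULL path up front, before any command is started; it would
    // otherwise reach put_x509_delegation() or put_file() in step 3.
    if( ! proxy ) {
        newError( CA_INVALID_REQUEST,
                  "DCStartd::delegateX509Proxy: Called with NULL proxy" );
        return CONDOR_ERROR;
    }

    // if this claim is associated with a security session
    ClaimIdParser cidp(claim_id);

    //
    // 1) begin the DELEGATE_GSI_CRED_STARTD command
    //
    // tmp is owned by this function from here on: every return path below
    // must delete it.
    ReliSock* tmp = (ReliSock*)startCommand( DELEGATE_GSI_CRED_STARTD,
                                             Stream::reli_sock,
                                             20, NULL, NULL, false,
                                             cidp.secSessionId() );
    if( ! tmp ) {
        newError( CA_COMMUNICATION_ERROR,
                  "DCStartd::delegateX509Proxy: Failed to send command DELEGATE_GSI_CRED_STARTD to the startd" );
        return CONDOR_ERROR;
    }

    //
    // 2) get reply from startd - OK means continue, NOT_OK means
    //    don't bother (the startd doesn't require a delegated
    //    proxy)
    //
    tmp->decode();
    int reply = 0;
    if( !tmp->code(reply) ) {
        newError( CA_COMMUNICATION_ERROR,
                  "DCStartd::delegateX509Proxy: failed to receive reply from startd (1)" );
        delete tmp;
        return CONDOR_ERROR;
    }
    if ( !tmp->end_of_message() ) {
        newError( CA_COMMUNICATION_ERROR,
                  "DCStartd::delegateX509Proxy: end of message error from startd (1)" );
        delete tmp;
        return CONDOR_ERROR;
    }
    if( reply == NOT_OK ) {
        delete tmp;
        return NOT_OK;
    }

    //
    // 3) send over the claim id and delegate (or copy) the given proxy
    //
    // NOTE(review): the claim id is written with code() in both modes, and
    // only the direct-copy branch below requires get_encryption(). Confirm
    // that the security session protects the claim id on the wire when
    // delegation is in use.
    tmp->encode();
    int use_delegation = param_boolean( "DELEGATE_JOB_GSI_CREDENTIALS", true ) ? 1 : 0;
    if( !tmp->code( claim_id ) ) {
        newError( CA_COMMUNICATION_ERROR,
                  "DCStartd::delegateX509Proxy: Failed to send claim id to the startd" );
        delete tmp;
        return CONDOR_ERROR;
    }
    if ( !tmp->code( use_delegation ) ) {
        newError( CA_COMMUNICATION_ERROR,
                  "DCStartd::delegateX509Proxy: Failed to send use_delegation flag to the startd" );
        delete tmp;
        return CONDOR_ERROR;
    }

    int rv = -1;
    filesize_t dont_care;
    if( use_delegation ) {
        rv = tmp->put_x509_delegation( &dont_care, proxy, expiration_time, result_expiration_time );
    }
    else {
        dprintf( D_FULLDEBUG,
                 "DELEGATE_JOB_GSI_CREDENTIALS is False; using direct copy\n");
        // A direct copy puts the proxy file itself on the wire, so it is
        // refused unless the channel is encrypted.
        if( ! tmp->get_encryption() ) {
            newError( CA_COMMUNICATION_ERROR,
                      "DCStartd::delegateX509Proxy: Cannot copy: channel does not have encryption enabled" );
            delete tmp;
            return CONDOR_ERROR;
        }
        rv = tmp->put_file( &dont_care, proxy );
    }
    if( rv == -1 ) {
        newError( CA_FAILURE,
                  "DCStartd::delegateX509Proxy: Failed to delegate proxy" );
        delete tmp;
        return CONDOR_ERROR;
    }
    if ( !tmp->end_of_message() ) {
        newError( CA_FAILURE,
                  "DCStartd::delegateX509Proxy: end of message error to startd" );
        delete tmp;
        return CONDOR_ERROR;
    }

    // command successfully sent; now get the reply
    tmp->decode();
    if( !tmp->code(reply) ) {
        newError( CA_COMMUNICATION_ERROR,
                  "DCStartd::delegateX509Proxy: failed to receive reply from startd (2)" );
        delete tmp;
        return CONDOR_ERROR;
    }
    if ( !tmp->end_of_message() ) {
        newError( CA_COMMUNICATION_ERROR,
                  "DCStartd::delegateX509Proxy: end of message error from startd (2)" );
        delete tmp;
        return CONDOR_ERROR;
    }

    // we're done with the socket
    delete tmp;

    // The final reply is handed back to the caller exactly as the startd
    // sent it.
    dprintf( D_FULLDEBUG,
             "DCStartd::delegateX509Proxy: successfully sent command, reply is: %d\n",
             reply );

    return reply;
}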
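// Send a refreshed GSI proxy file for job cluster.proc to the schedd at _addr.
//
// Connects with a 20 second socket timeout, starts UPDATE_GSI_CRED, forces
// authentication, sends the job id, sends the file with put_file(), then
// reads a single integer status from the schedd.
//
//   cluster             job cluster id; must be >= 1
//   proc                job proc id; must be >= 0
//   path_to_proxy_file  path of the proxy file to send; must not be NULL
//   errstack            receives command and authentication errors; must not
//                       be NULL
//
// Returns true only when the schedd's reply was read completely and equals 1;
// false for bad parameters, any communication or authentication failure, or
// any other reply.
bool
DCSchedd::updateGSIcredential(const int cluster, const int proc,
                              const char* path_to_proxy_file,
                              CondorError * errstack)
{
    ReliSock rsock;

    // check the parameters
    if ( cluster < 1 || proc < 0 || !path_to_proxy_file || !errstack ) {
        dprintf(D_FULLDEBUG,"DCSchedd::updateGSIcredential: bad parameters\n");
        return false;
    }

    // connect to the schedd, send the UPDATE_GSI_CRED command
    rsock.timeout(20);   // years of research... :)
    if( ! rsock.connect(_addr) ) {
        dprintf( D_ALWAYS, "DCSchedd::updateGSIcredential: "
                 "Failed to connect to schedd (%s)\n", _addr );
        return false;
    }
    if( ! startCommand(UPDATE_GSI_CRED, (Sock*)&rsock, 0, errstack) ) {
        dprintf( D_ALWAYS, "DCSchedd::updateGSIcredential: "
                 "Failed send command to the schedd: %s\n",
                 errstack->getFullText().c_str());
        return false;
    }

    // If we're not already authenticated, force that now.
    if (!forceAuthentication( &rsock, errstack )) {
        dprintf( D_ALWAYS,
                 "DCSchedd:updateGSIcredential authentication failure: %s\n",
                 errstack->getFullText().c_str() );
        return false;
    }

    // Send the job id
    rsock.encode();
    PROC_ID jobid;
    jobid.cluster = cluster;
    jobid.proc = proc;
    if ( !rsock.code(jobid) || !rsock.end_of_message() ) {
        dprintf(D_ALWAYS,"DCSchedd:updateGSIcredential: "
                "Can't send jobid to the schedd\n");
        return false;
    }

    // Send the gsi proxy
    // NOTE(review): authentication is forced above, but nothing here checks
    // rsock.get_encryption() before the proxy file is copied with put_file(),
    // whereas the direct-copy path of DCStartd::delegateX509Proxy refuses an
    // unencrypted channel. Confirm that the security policy for
    // UPDATE_GSI_CRED always encrypts this transfer.
    filesize_t file_size = 0;  // will receive the size of the file
    if ( rsock.put_file(&file_size,path_to_proxy_file) < 0 ) {
        dprintf(D_ALWAYS,
                "DCSchedd:updateGSIcredential "
                "failed to send proxy file %s (size=%ld)\n",
                path_to_proxy_file, static_cast<long>(file_size));
        return false;
    }

    // Fetch the result. A reply that cannot be read completely counts as a
    // failure, so a truncated or malformed answer is never reported as a
    // successful credential update.
    rsock.decode();
    int reply = 0;
    if ( !rsock.code(reply) || !rsock.end_of_message() ) {
        dprintf(D_ALWAYS,"DCSchedd::updateGSIcredential: "
                "failed to receive reply from the schedd\n");
        return false;
    }

    return reply == 1;
}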