[LON-CAPA-cvs] cvs: loncom / loncapa_apache.conf loncron /lonnet/perl londns.pm lonnet.pm

raeburn raeburn at source.lon-capa.org
Wed Jul 18 09:45:04 EDT 2018


raeburn		Wed Jul 18 13:45:04 2018 EDT

  Modified files:              
    /loncom	loncron loncapa_apache.conf 
    /loncom/lonnet/perl	londns.pm lonnet.pm 
  Log:
  - Add nightly update of Certificate Revocation List (from CA) to loncron.
  
  
Index: loncom/loncron
diff -u loncom/loncron:1.105 loncom/loncron:1.106
--- loncom/loncron:1.105	Fri Oct 20 11:54:54 2017
+++ loncom/loncron	Wed Jul 18 13:44:55 2018
@@ -2,7 +2,7 @@
 
 # Housekeeping program, started by cron, loncontrol and loncron.pl
 #
-# $Id: loncron,v 1.105 2017/10/20 11:54:54 raeburn Exp $
+# $Id: loncron,v 1.106 2018/07/18 13:44:55 raeburn Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -942,6 +942,14 @@
     }
 }
 
+sub update_revocation_list {
+    if (&Apache::lonnet::fetch_crl_pemfile() eq 'ok') {
+        print "Certificate Revocation List (from CA) updated.\n";
+    } else {
+        print "Certificate Revocation List from (CA) not updated.\n";
+    }
+}
+
 sub send_mail {
     my $defdom = $perlvar{'lonDefDomain'};
     my $origmail = $perlvar{'lonAdmEMail'};
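Review bot: The failure message in the else branch of update_revocation_list misplaces its parentheses ("from (CA)"); `print "Certificate Revocation List (from CA) not updated.\n";` would match the success line. fetch_crl_pemfile returns undef on every failure path (the 'ok' string is only set once the CRL has been verified and moved into place), so the `eq 'ok'` comparison sees undef whenever the update fails; if loncron runs with warnings on, that produces an uninitialized-value warning on each nightly failure, which `if ((&Apache::lonnet::fetch_crl_pemfile() || '') eq 'ok') {` avoids. A one-line comment above the sub stating that 'ok' means a CA-verified CRL was written to lonCertificateDirectory would spare the next reader a trip to lonnet.pm.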
@@ -1134,6 +1142,7 @@
 	&write_checksums();
         &write_connection_config();
         &write_hosttypes();
+        &update_revocation_list();
 	if ($totalcount>200 && !$noemail) { &send_mail(); }
     }
 }
Index: loncom/loncapa_apache.conf
diff -u loncom/loncapa_apache.conf:1.262 loncom/loncapa_apache.conf:1.263
--- loncom/loncapa_apache.conf:1.262	Fri Jan 12 13:34:08 2018
+++ loncom/loncapa_apache.conf	Wed Jul 18 13:44:55 2018
@@ -2,7 +2,7 @@
 ## loncapa_apache.conf -- Apache HTTP LON-CAPA configuration file
 ##
 
-# $Id: loncapa_apache.conf,v 1.262 2018/01/12 13:34:08 raeburn Exp $
+# $Id: loncapa_apache.conf,v 1.263 2018/07/18 13:44:55 raeburn Exp $
 
 #
 # LON-CAPA Section (extensions to httpd.conf daemon configuration)
@@ -1805,6 +1805,7 @@
 PerlSetVar lonnetCertificateAuthority loncapaCA.pem
 PerlSetVar lonnetCertificate          lonhostcert.pem
 PerlSetVar lonnetHostnameCertificate  lonhostnamecert.pem
+PerlSetVar lonnetCertRevocationList   loncapaCAcrl.pem
 
 #
 #  To generate the request for a certificate, and to negotiate the
Index: loncom/lonnet/perl/londns.pm
diff -u loncom/lonnet/perl/londns.pm:1.4 loncom/lonnet/perl/londns.pm:1.5
--- loncom/lonnet/perl/londns.pm:1.4	Thu Nov 30 14:33:35 2017
+++ loncom/lonnet/perl/londns.pm	Wed Jul 18 13:45:03 2018
@@ -1,7 +1,7 @@
 # The LearningOnline Network with CAPA
 # A debugging harness.
 #
-# $Id: londns.pm,v 1.4 2017/11/30 14:33:35 raeburn Exp $
+# $Id: londns.pm,v 1.5 2018/07/18 13:45:03 raeburn Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -35,8 +35,11 @@
 use Apache::lonnet;
 
 sub serve_file {
-    my ($r,$file,$type)=@_;
-    if (open(my $config,"<","$Apache::lonnet::perlvar{'lonTabDir'}/$file")) {
+    my ($r,$dir,$file,$type)=@_;
+    if (($dir eq '') || ($file eq '')) {
+        return FORBIDDEN;
+    }
+    if (open(my $config,"<","$dir/$file")) {
         my $contents = join('',<$config>);
         $r->content_type($type);
         $r->send_http_header;
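Review bot: The new guard in serve_file only rejects empty strings, but the new londns caller passes `$Apache::lonnet::perlvar{'lonnetCertRevocationList'}` straight through, which is undef when the PerlSetVar is absent from the Apache config; the branch still returns FORBIDDEN, but with an uninitialized-value warning if warnings are enabled. `if (!defined($dir) || !defined($file) || ($dir eq '') || ($file eq '')) {` covers both. Since the open interpolates `"$dir/$file"` with no path normalization, a comment on the signature such as `# $dir and $file must be trusted (config or fixed) names; no traversal check is done here` would document the contract callers rely on. serve_file's body continues past the end of this hunk.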
@@ -52,13 +55,18 @@
     my ($r) = @_;
 
     my $command = (split('/',$r->uri))[3];
+    my $dir = $Apache::lonnet::perlvar{'lonTabDir'};
     if ($command eq 'hosts') {
-	return &serve_file($r,'dns_hosts.tab','loncapa/hosts');
+	return &serve_file($r,$dir,'dns_hosts.tab','loncapa/hosts');
     } elsif ($command eq 'domain') {
-	return &serve_file($r,'dns_domain.tab','loncapa/domain');
+	return &serve_file($r,$dir,'dns_domain.tab','loncapa/domain');
     } elsif ($command eq 'checksums') {
         my $version = (split('/',$r->uri))[4];
-        return &serve_file($r,"dns_checksums/$version.tab",'loncapa/versions');
+        return &serve_file($r,$dir,"dns_checksums/$version.tab",'loncapa/versions');
+    } elsif ($command eq 'loncapaCRL') {
+        $dir = $Apache::lonnet::perlvar{'lonCertificateDirectory'};
+        return &serve_file($r,$dir,$Apache::lonnet::perlvar{'lonnetCertRevocationList'},
+                           'application/x-pem-file');
     }
     return FORBIDDEN;
 }
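Review bot: The `checksums` branch still interpolates `$version`, taken directly from `$r->uri`, into the file name handed to serve_file, which opens `$dir/$file` without any normalization (the new guard rejects only empty strings); this predates the commit, but the line is rewritten here, so it is the natural place to validate it first, e.g. `return FORBIDDEN unless ($version =~ m{\A\w+(?:\.\w+)*\z});`. The new `loncapaCRL` branch serves from lonCertificateDirectory, the same directory the CA certificate is read from in save_crl_pem, so a comment stating that `$file` for this directory is the configured CRL name only and must never be request-derived would make the intent explicit. The enclosing handler sub begins before this hunk.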
Index: loncom/lonnet/perl/lonnet.pm
diff -u loncom/lonnet/perl/lonnet.pm:1.1378 loncom/lonnet/perl/lonnet.pm:1.1379
--- loncom/lonnet/perl/lonnet.pm:1.1378	Wed Jul  4 16:58:29 2018
+++ loncom/lonnet/perl/lonnet.pm	Wed Jul 18 13:45:03 2018
@@ -1,7 +1,7 @@
 # The LearningOnline Network
 # TCP networking package
 #
-# $Id: lonnet.pm,v 1.1378 2018/07/04 16:58:29 raeburn Exp $
+# $Id: lonnet.pm,v 1.1379 2018/07/18 13:45:03 raeburn Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -13519,15 +13519,17 @@
     }
 
     my %alldns;
-    open(my $config,"<","$perlvar{'lonTabDir'}/hosts.tab");
-    foreach my $dns (<$config>) {
-	next if ($dns !~ /^\^(\S*)/x);
-        my $line = $1;
-        my ($host,$protocol) = split(/:/,$line);
-        if ($protocol ne 'https') {
-            $protocol = 'http';
+    if (open(my $config,"<","$perlvar{'lonTabDir'}/hosts.tab")) {
+        foreach my $dns (<$config>) {
+	    next if ($dns !~ /^\^(\S*)/x);
+            my $line = $1;
+            my ($host,$protocol) = split(/:/,$line);
+            if ($protocol ne 'https') {
+                $protocol = 'http';
+            }
+	    $alldns{$host} = $protocol;
         }
-	$alldns{$host} = $protocol;
+        close($config);
     }
     while (%alldns) {
 	my ($dns) = sort { $b cmp $a } keys(%alldns);
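Review bot: The guarded open of hosts.tab now fails silently: when the file cannot be opened, `%alldns` stays empty, the `while (%alldns)` loop never runs and the caller drops straight to the on-disk fallback with no record of why. An `else` branch with `&logthis("unable to open $perlvar{'lonTabDir'}/hosts.tab: $!");` would make that visible in the log. The re-indented loop body also mixes a tab-indented `next if` and `$alldns{$host}` line with space-indented neighbours. The enclosing function (get_dns, going by the caller added in fetch_crl_pemfile) begins before this hunk.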
@@ -13535,19 +13537,33 @@
         my $response = &LONCAPA::LWPReq::makerequest('',$request,'',\%perlvar,30,0);
         delete($alldns{$dns});
 	next if ($response->is_error());
-	my @content = split("\n",$response->content);
-	unless ($nocache) {
-	    &do_cache_new('dns',$url,\@content,30*24*60*60);
-	}
-	&$func(\@content,$hashref);
-	return;
+        if ($url eq '/adm/dns/loncapaCRL') {
+            return &$func($response);
+        } else {
+	    my @content = split("\n",$response->content);
+	    unless ($nocache) {
+	        &do_cache_new('dns',$url,\@content,30*24*60*60);
+	    }
+	    &$func(\@content,$hashref);
+            return;
+        }
+    }
+    my $which = (split('/',$url,4))[3];
+    if ($which eq 'loncapaCRL') {
+        my $diskfile = "$perlvar{'lonCertificateDirectory'}/$perlvar{'lonnetCertRevocationList'}";
+        if (-e $diskfile) {
+            &logthis("unable to contact DNS, on disk file $diskfile not updated");
+        } else {
+            &logthis("unable to contact DNS, no on disk file $diskfile available");
+        }
+    } else {
+        &logthis("unable to contact DNS defaulting to on disk file dns_$which.tab\n");
+        if (open(my $config,"<","$perlvar{'lonTabDir'}/dns_$which.tab")) {
+            my @content = <$config>;
+            close($config);
+            &$func(\@content,$hashref);
+        }
     }
-    close($config);
-    my $which = (split('/',$url))[3];
-    &logthis("unable to contact DNS defaulting to on disk file dns_$which.tab\n");
-    open($config,"<","$perlvar{'lonTabDir'}/dns_$which.tab");
-    my @content = <$config>;
-    &$func(\@content,$hashref);
     return;
 }
 
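Review bot: In the `loncapaCRL` branch the loop returns on the first DNS host whose response is not an HTTP error, whatever `$func` (save_crl_pem) makes of the payload, so a host serving a CRL that fails CA verification stops the remaining hosts from being tried; if retrying is wanted, `my $result = &$func($response); return $result if ($result); next;` would fall through to the next host instead. The new fallback log lines say "unable to contact DNS" although they are also reached when every host answered with an HTTP error status, since `next if ($response->is_error())` discards those responses without logging them. The added lines mix tab and space indentation (`my @content`, `unless ($nocache)`) against the four-space style of the surrounding new code. This hunk is the tail of a function that starts before it.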
@@ -13607,6 +13623,47 @@
     return \%checksums;
 }
 
+sub fetch_crl_pemfile {
+    return &get_dns("/adm/dns/loncapaCRL",\&save_crl_pem,1,1);
+}
+
+sub save_crl_pem {
+    my ($response) = @_;
+    my $msg;
+    if (ref($response)) {
+        my $now = time;
+        my $lonca = $perlvar{'lonCertificateDirectory'}.'/'.$perlvar{'lonnetCertificateAuthority'};
+        my $tmpcrl = $tmpdir.'/'.$perlvar{'lonnetCertRevocationList'}.'_'.$now.'.'.$$.'.tmp';
+        if (open(my $fh,'>',"$tmpcrl")) {
+            print $fh $response->content;
+            close($fh);
+            if (-e $lonca) {
+                if (open(PIPE,"openssl crl -in $tmpcrl -inform pem -CAfile $lonca -noout 2>&1 |")) {
+                    my $check = <PIPE>;
+                    close(PIPE);
+                    chomp($check);
+                    if ($check eq 'verify OK') {
+                        my $dest = "$perlvar{'lonCertificateDirectory'}/$perlvar{'lonnetCertRevocationList'}";
+                        if (-e $dest) {
+                            &File::Copy::move($dest,"$dest.bak");
+                        }
+                        if (&File::Copy::move($tmpcrl,$dest)) {
+                            $msg = 'ok';
+                        }
+                    } else {
+                        unlink($tmpcrl);
+                    }
+                } else {
+                    unlink($tmpcrl);
+                }
+            } else {
+                unlink($tmpcrl);
+            }
+        }
+    }
+    return $msg;
+}
+
 # ------------------------------------------------------------ Read domain file
 {
     my $loaded;
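Review bot: Every failure path in save_crl_pem unlinks the temporary file and returns undef without logging anything (missing CA file, failed pipe open, verification output other than 'verify OK', failed move), so loncron can only report "not updated" with no cause; a `&logthis(...)` naming the branch in each `else`, and checking the return of `&File::Copy::move($dest,"$dest.bak")` before overwriting `$dest`, would make the nightly run diagnosable. The openssl check uses a 2-arg shell-pipe `open` on the bareword `PIPE` handle with `$tmpcrl` and `$lonca` interpolated unquoted; both come from perlvars rather than request data, so the exposure is to misconfiguration, but a lexical handle (`open(my $pipe, ...)`) is the conventional form and a directory path containing spaces or shell metacharacters would break the command. The result rests entirely on the first line of combined stdout/stderr equalling 'verify OK' (the `close(PIPE)` status is ignored, and openssl crl may exit 0 on a verify failure depending on version, so the string compare is load-bearing); that deserves a comment, along with the caveat that `-CAfile` verification checks the signature only, so a CRL whose nextUpdate has already passed still replaces the current one unless freshness is checked separately.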

