@andreaceccanti
Last active October 14, 2016 17:40
Check that a VOMS database has the unauthenticated client internal administrator correctly set up

Problem description

As reported in this GGUS ticket, in certain circumstances VOMS Admin accepts membership requests from users without a valid X.509 certificate.

This has no security impact on the server, but can lead to VO admins receiving membership requests with a strange user certificate subject, like the following:

[Screenshot: a membership request with a strange certificate subject]

Which versions of VOMS Admin could be affected by this problem?

Any VOMS Admin version >= 3.4.0

How do I check if a VOMS Admin instance is affected?

You can use the check-vo.sh script embedded in this gist to check if the VO is affected.

You need curl to run the script.

Run the script like in the following example:

$ VOMS_HOST=voms.hellasgrid.gr VOMS_VO=dteam sh check-vo.sh

The VO dteam at voms.hellasgrid.gr is NOT affected by the misconfigured unauthenticated client problem.

In this case the script exits with status 0.

When an instance is affected the output will be like:

$ VOMS_HOST=dev.local.io VOMS_VO=test sh check-vo.sh

The VO test at dev.local.io is AFFECTED by the misconfigured unauthenticated client problem.

and the script exits with status 1.

How do I fix a VOMS Admin instance that is affected?

You need the help of the VOMS service administrator for the VO. They can use the check-voms-db.sh script embedded in this gist to check and, if necessary, fix the affected VO.

The script is simple to use: just run it and it will print usage information. Here is an example (xxx, yyy, zzz stand for values that whoever runs the script has to provide):

# MYSQL_USER=xxx MYSQL_PASSWORD=yyy MYSQL_DB=zzz check-voms-db.sh

Checking if VOMS database 'zzz' has the '/O=VOMS/O=System/CN=Unauthenticated Client' internal admin correctly setup.
Detected VOMS Admin database version: 4
'/O=VOMS/O=System/CN=Unauthenticated Client' internal admin found, no action required

If the internal admin is not found, the script will create it and the output will look like:

# MYSQL_USER=xxx MYSQL_PASSWORD=yyy MYSQL_DB=zzz sh check-db.sh

Checking if VOMS database 'zzz' has the '/O=VOMS/O=System/CN=Unauthenticated Client' internal admin correctly setup.
Detected VOMS Admin database version: 4
'/O=VOMS/O=System/CN=Unauthenticated Client' internal admin not found, will create it now
VOMS db 'zzz' is now ok.

What if the method above does not work?

Submit a GGUS ticket and we will provide help.

check-vo.sh

```bash
#!/bin/bash
# check-vo.sh: request the VOMS Admin registration page of a VO without
# presenting a client certificate. If the page is served, the VO accepts
# unauthenticated registration requests and is affected.

[[ -n ${VOMS_HOST} ]] || { echo "Please define the VOMS_HOST environment variable" >&2; exit 1; }
[[ -n ${VOMS_VO} ]] || { echo "Please define the VOMS_VO environment variable" >&2; exit 1; }

VOMS_PORT=${VOMS_PORT:-8443}
voms_url="https://${VOMS_HOST}:${VOMS_PORT}/voms/${VOMS_VO}/register/start.action"

# -f: fail on HTTP errors; -k: do not verify the server certificate, this probe
# only cares whether the page is served; no client certificate is sent on purpose.
res=$(curl -f -k -s "${voms_url}")
ret_status=$?

if [[ ${ret_status} -ne 0 ]]; then
  # curl exit status 35: the TLS handshake failed, i.e. the server refused a
  # connection that carried no client certificate.
  if [[ ${ret_status} -eq 35 ]]; then
    echo "The server aborted the SSL handshake, so it does not accept unauthenticated connections"
    echo "This means the server is currently NOT affected by the misconfigured unauthenticated client problem, but it could be if it is upgraded to a VOMS Admin version < 3.5.2"
    echo "To be sure that the server is not affected you will need to check the VO database"
    exit 0
  fi
  echo "Error contacting VOMS at ${voms_url}. Are you sure there's a VO ${VOMS_VO} at ${VOMS_HOST}?" >&2
  exit 1
fi

# The registration page is only shown to clients VOMS Admin is willing to
# accept a request from, so seeing it without a certificate is the symptom.
if echo "${res}" | grep -q "Welcome to the registration page"; then
  echo "The VO ${VOMS_VO} at ${VOMS_HOST} is AFFECTED by the misconfigured unauthenticated client problem."
  exit 1
else
  echo "The VO ${VOMS_VO} at ${VOMS_HOST} is NOT affected by the misconfigured unauthenticated client problem."
  exit 0
fi
```
check-voms-db.sh

```bash
#!/bin/bash
# check-voms-db.sh: verify that the VOMS database contains the
# '/O=VOMS/O=System/CN=Unauthenticated Client' internal admin and create
# it when it is missing.

INTERNAL_VOMS_CA="/O=VOMS/O=System/CN=Dummy Certificate Authority"
UNAUTHENTICATED_CLIENT_SUBJ="/O=VOMS/O=System/CN=Unauthenticated Client"

terminate() {
  [[ -n $1 ]] && echo "$1" >&2
  exit 1
}

usage() {
  echo "$1"
  echo
  echo "Please set AT LEAST the following environment variables in order to run this script:"
  echo
  echo "MYSQL_USER -> the mysql user authorized to access the VOMS database."
  echo "MYSQL_PASSWORD -> the mysql user password."
  echo "MYSQL_DB -> the name of the VOMS database you want to check."
  echo
  echo "Optional env variables"
  echo
  echo "MYSQL_HOST -> the host where mysql is running."
  echo "MYSQL_PORT -> the port where mysql is listening."
  echo "MYSQL_CMD -> the path to the mysql client command."
  echo
  echo "Example:"
  echo
  echo "# MYSQL_HOST=db MYSQL_USER=voms MYSQL_PASSWORD=pwd MYSQL_DB=voms_test sh check-db.sh"
  terminate ""
}

MYSQL_CMD=${MYSQL_CMD:-$(command -v mysql)}
MYSQL_HOST=${MYSQL_HOST:-localhost}
MYSQL_PORT=${MYSQL_PORT:-3306}

[[ -n ${MYSQL_USER} ]] || usage "MYSQL_USER env variable is not set"
[[ -n ${MYSQL_PASSWORD} ]] || usage "MYSQL_PASSWORD env variable is not set"
[[ -n ${MYSQL_DB} ]] || usage "MYSQL_DB env variable is not set"
[[ -n ${MYSQL_CMD} && -x ${MYSQL_CMD} ]] || usage "mysql client not found. This script requires the mysql client installed."

# Hand the password to the client through MYSQL_PWD, which the mysql client
# reads, instead of -p<password>, which would be visible in the process list.
export MYSQL_PWD="${MYSQL_PASSWORD}"
mysql_cmd=("${MYSQL_CMD}" -N "-u${MYSQL_USER}" "-h${MYSQL_HOST}" "-P${MYSQL_PORT}" "${MYSQL_DB}")

admin_version=$(echo "select admin_version from version" | "${mysql_cmd[@]}") \
  || terminate "Error connecting to VOMS database, check your configuration"

echo "Checking if VOMS database '${MYSQL_DB}' has the '${UNAUTHENTICATED_CLIENT_SUBJ}' internal admin correctly setup."
echo "Detected VOMS Admin database version: ${admin_version}"

## Get the internal VOMS CA id, we'll need it if we have to create the internal admin.
## The subject strings are fixed constants without quotes, so they can be
## interpolated into the SQL statements directly.
voms_ca_id=$(echo "select cid from ca where subject_string = '${INTERNAL_VOMS_CA}'" | "${mysql_cmd[@]}") \
  || terminate "Error resolving internal VOMS CA id"
[[ -n ${voms_ca_id} ]] || terminate "Internal VOMS CA '${INTERNAL_VOMS_CA}' not found in VOMS db"

unauthn_client=$(echo "select dn from admins where dn = '${UNAUTHENTICATED_CLIENT_SUBJ}'" | "${mysql_cmd[@]}") \
  || terminate "Error looking up '${UNAUTHENTICATED_CLIENT_SUBJ}' in VOMS db"

if [[ ${unauthn_client} == "${UNAUTHENTICATED_CLIENT_SUBJ}" ]]; then
  echo "'${UNAUTHENTICATED_CLIENT_SUBJ}' internal admin found, no action required"
else
  echo "'${UNAUTHENTICATED_CLIENT_SUBJ}' internal admin not found, will create it now"
  echo "insert into admins(dn,ca) values ('${UNAUTHENTICATED_CLIENT_SUBJ}', ${voms_ca_id})" | "${mysql_cmd[@]}" \
    || terminate "Error adding unauthenticated client in VOMS Admin db"
  echo "VOMS db '${MYSQL_DB}' is now ok."
fi

exit 0
```