National Center for Supercomputing Applications

University of Illinois at Urbana-Champaign

MyProxy > Docs > Admin Guide > Pubcookie Integration > mod_myproxy

mod_myproxy Apache Perl Module

Logging out: Pubcookie can't guarantee that users will actively log out at the end of their sessions; in fact, Pubcookie's primary logout mechanism is simply for the user to quit their browser, thus destroying all session cookies.

However, with mod_myproxy, this will leave the X.509 credential in the application server's file system. Thus, it's important that the server's file system be secure and that the credentials have relatively short life times.

This mod_perl script:

Submits the Pubcookie granting cookie to myproxy-logon, in order to retrieve an X.509 credential.
Stores the credential in the Application Server's local file system.
Sets an Apache environment variable, X509_USER_PROXY, with the path to the credential, for retrieval by web applications.
On logout, erases the credential.

package Myproxy::Mod_Myproxy;

use strict;
use warnings;
  
use CGI::Cookie ();
use Apache2::Log ();
use Apache2::RequestRec ();
use APR::Table ();

use Apache2::Const -compile => qw(OK);

use constant GLOBUS_LOCATION => undef;
use constant MYPROXY_SERVER => undef;
#use constant MYPROXY_EXTRA_PARAMS => "-p 7513";
use constant MYPROXY_EXTRA_PARAMS => ""; # "-p 7513";

# where we will put myproxy-logon output -- change to a log file for debugging
use constant MYPROXY_LOG_FILE => "/dev/null";
#use constant MYPROXY_LOG_FILE => "/tmp/myproxy_out";

use constant LOGOUT_URI_REGEX => "_logout_";
# use constant CRED_STORE_DIR => "/var/mod_myproxy";
use constant CRED_STORE_DIR => "/tmp/mod_myproxy";

# environment/HTTP constants
use constant X509_USER_PROXY => "X509_USER_PROXY";

# for more debugging information, uncomment $r->log->notice in the
# debug() subroutine below; results will most likely show up in
# Apache's ssl_error_log

my $r;         # the current request
my $user;      # the username of the current user
my $cred_path; # where to store the credentials

sub handler {
    # 1. initialize all package variables (for semi-OO'ness)

    # Note on Apache threading and object instantiation: each Apache
    # sub-process will have an instance of this class which it will
    # reuse each time it handles an HTTP request.  So we can count on
    # being single-threaded for the duration of the call to handler(),
    # but we have to be *very thorough* about initialization/cleanup
    # because otherwise we will have leftover values from the previous
    # call to handler().  Be sure to update clear_state() whenever you
    # create a new instance variable.

    $r = shift; # ($package, $r) = $_;
    $user = $r->user();
    if (defined($user) && $user =~ m/^\W/) {
	# unfortunately, if just removing non-alphanumeric characters
	# from $user could have unintended consequences -- someone
	# with the username joe-user, for example, could impersonate
	# joeuser
	notice("Non-alphanumeric characters in username ($user) "
	       . "are not supported.");
	$user = undef;
    }

    if (defined($user)) {
	$cred_path = CRED_STORE_DIR . "/" . $user;
    } else {
	$cred_path = undef;
    }

    # 1. if granting cookie is present, use it to get a credential
    my %cookies = CGI::Cookie->fetch($r);
    my $cookies = %cookies;
    if (!defined($user)) {
	notice($r, "No username found; couldn't attempt myproxy-logon");
    } elsif (!defined($cookies)) {
	notice($r, "No cookies found; couldn't do myproxy-logon");
    } else {
	my $granting_cookie = $cookies{"pubcookie_g"};
	if (!defined($granting_cookie)) {
	    debug($r, "No granting cookie; not attempting myproxy-logon");
	} else {
	    handle_login($granting_cookie);
	}
    }

    # 2. Set X509_USER_PROXY, if we know what it should be
    if (defined($cred_path)) {
	if (! -e $cred_path) {
	    notice($r, "Expected to see X509 credential at $cred_path, "
		   . "but file does not exist.");
	} else {
	    # If the file exists, let's hope it's actually a
	    # credential -- if it isn't, then something is probably
	    # configured wrong.  For example, the credential storage
	    # directory may be shared with someone else.
	    set_x509_env($cred_path);
	}
    }

    # don't leave any variables set
    clear_state();

    return Apache2::Const::OK;
}

sub handle_login {
    my $granting_cookie = $_[0];

    # ensure existence of credential storage directory
    my $mkdir_result = mkdir_check_perm(CRED_STORE_DIR);
    if (!defined($mkdir_result)) { # did it fail?
	$cred_path = undef;
	return undef;
    }

    # 1. get granting cookie
    my $pubcookie_g = $granting_cookie->value();
    $pubcookie_g = cleanup_cookie($pubcookie_g);
    debug($r, "Granting cookie value = $pubcookie_g");

    # pre-2. Set up environment
    $ENV{"GLOBUS_LOCATION"} = GLOBUS_LOCATION;
    $ENV{"LD_LIBRARY_PATH"} = GLOBUS_LOCATION . "/lib";
    $ENV{"DYLD_LIBRARY_PATH"} = $ENV{"LD_LIBRARY_PATH"};
    $ENV{"LIBPATH"} = GLOBUS_LOCATION . "/lib:/usr/lib:/lib";
    $ENV{"SHLIBPATH"} = GLOBUS_LOCATION . "/lib";
    $ENV{"SASL_PATH"} = GLOBUS_LOCATION . "/lib/sasl";

    # 2. call myproxy-logon
    system("touch \"$cred_path.touched\"");
    debug($r, `whoami`);
    my $myproxy_command 
	= "| " . GLOBUS_LOCATION . "/bin/myproxy-logon"
	. " -s " . MYPROXY_SERVER 
	. ' -l "' . $user . '" --stdin_pass'
	. ' -o "' . $cred_path . '"'
	. " -k pubcookie"
	. " " . MYPROXY_EXTRA_PARAMS
#	. ' 2>&1 >> "' . MYPROXY_LOG_FILE . '"'; # send stdout, stderr to log
	. ' 2>> "' . MYPROXY_LOG_FILE . '"' # send stderr to log
	. ' >> "' . MYPROXY_LOG_FILE . '"'; # send stdout to log
    debug($r, "Myproxy command: $myproxy_command");
    my $opened = open(myproxy_handle, $myproxy_command);
    if (!$opened) {
	return notice($r, "Unable to run myproxy-logon: $!");
    }

    # 3. pass granting cookie to myproxy-logon as password
    print myproxy_handle "$pubcookie_g";
    debug($r, "Sent cookie as password to Myproxy");
    # signal end of input so that myproxy_logon can exit
    my $closed_success = close(myproxy_handle);
    debug($r, "Closed? " 
	  . ($closed_success ? "yes" : "no") 
	  . " ($closed_success)");
    my $myproxy_exit = $?; # retval stored in $? by close()
    debug($r, "Exit value = $myproxy_exit");
    if ($myproxy_exit != 0) {
	notice($r, "myproxy-logon failed -- see " . MYPROXY_LOG_FILE);
    }
    debug($r, "Stored MyProxy credential for $user in $cred_path");
}

# set the X509_USER_PROXY environment variable
sub set_x509_env {
    my $cred_path = $_[0];

    my $sub_env = $r->subprocess_env();
    my $env_x509 = $sub_env->get(X509_USER_PROXY);
    if (defined($env_x509)) {
	notice($r, "X509_USER_PROXY already defined: $env_x509");
    } else {
	# don't need to set REMOTE_USER -- pubcookie already does it
	# $sub_env->add("REMOTE_USER", $user);
	$sub_env->add(X509_USER_PROXY, $cred_path);
    }
}

# create a directory, if it doesn't exist; if it does exist, check
# that it is read/writable only by its owner; if the permissions are
# wrong, complain and fail (return undef)
#
# note that the credential file permissions will always be 0600,
# thanks to myproxy-logon
sub mkdir_check_perm {
    my $path = $_[0];

    my $mkdir_result = mkdir($path, 0700);
    my $mkdir_error = $!;
    debug($r, "mkdir result = $mkdir_result ($mkdir_error)");

    if (!(-d $path)) {
	notice($r, "unable to create " . CRED_STORE_DIR 
	       . ": $mkdir_error ($mkdir_result)");
	# would rather return DONE here, but getting language errors
	return undef;
    }

    # check directory permissions
    my ($dev,$ino,$mode,$nlink,$uid,$gid,$rdev,$size,
	$atime,$mtime,$ctime,$blksize,$blocks)
	= stat($path);
    # note: we don't check ownership -- if it's wrong, we simply won't
    # be able to write to the directory
    $mode = $mode & 07777; # mask out file type
    debug($r, "file mode of $path = $mode");
    if ($mode != 0700) {
	notice($r, "directory $path has wrong permissions; it should be "
	       . "accessible only to its owner, which should match the "
	       . "uid of the web server process");
	return undef;
    }

    return 1;
}

# call this at the end of request-handling to clear instance variables
sub clear_state {
    $r = undef;
    $user = undef;
    $cred_path = undef;
}

# log something, but only in debug mode
# takes a request object and a message
sub debug {
    my $r = $_[0];
    my $msg = $_[1];
#    $r->log->notice("mod_myproxy: $msg");
}

# log something regardless of debug mode
# takes a request object and a message
sub notice {
    my $r = $_[0];
    my $msg = $_[1];
    $r->log->notice("mod_myproxy: $msg");
}

# restore Base64 characters that were HTTP-ified
sub cleanup_cookie {
    my $value = $_[0];
    $value =~ s/%20/ /g;  # space was escaped ...
    $value =~ s/ /+/g;    # ... after plus had been turned into a space
    $value =~ s|%2F|/|g;  # slash was escaped
    $value =~ s/%3D/=/g;  # equals was escaped
    return $value;
}
1;

direct link to Mod_Myproxy.pm

Installation

Install mod_perl. The easiest way will be via a package manager such as apt (Debian), yum (Fedora), or up2date (RHEL), but it can also be installed from source and compiled into Apache.
Note the use of PubcookieEncryption DES -- MyProxy is not yet compatible with the AES encryption that is new in Pubcookie 3.3.

Update Apache's configuration files. Here is a sample pubcookie.conf, that could go in a directory such as /etc/httpd/conf.d/ or simply appended to httpd.conf.

LoadModule pubcookie_module modules/mod_pubcookie.so <IfModule mod_pubcookie.c> PubcookieGrantingCertFile /usr/local/pubcookie/keys/pubcookie_granting.cert PubcookieSessionKeyFile /etc/grid-security/hostkey-readable.pem PubcookieSessionCertFile /etc/grid-security/hostcert.pem PubcookieKeyDir /usr/local/pubcookie/keys/ PubcookieLogin https://click.ncsa.uiuc.edu/ PubcookieLoginMethod POST PubcookieDomain .ncsa.uiuc.edu PubcookieEncryption DES PubcookieAuthTypeNames Basic PubcookieNoObscureCookies on <Directory "/var/www/html"> PubcookieInactiveExpire -1 </Directory> </IfModule> <IfModule mod_perl.c> Alias /perl/ /home/globus/mod_myproxy/perl/ PerlRequire /etc/httpd/conf/perl_startup.pl PerlWarn On <Location /dump> SetHandler perl-script PerlFixupHandler Myproxy::Mod_Myproxy PerlResponseHandler Myproxy::Dump </Location> <LocationMatch .*/pc_logout_clearlogin.*> AuthType Basic PerlInitHandler Myproxy::Mod_Myproxy require valid-user PubcookieEndSession clearlogin </LocationMatch> </IfModule>
direct link to pubcookie.conf
The debugging script dump.pm, referred to above, is described below in the section on debugging.
Create /etc/httpd/conf/perl_startup.pl (referred to in pubcookie.conf, above).
```
use lib qw(/home/globus/mod_myproxy/perl);
1;
```
direct link to perl_startup.pl
Copy Mod_Myproxy.pm to the application server in the directory specified in your httpd configuration. In the sample pubcookie.conf above, the directory is /home/globus/mod_myproxy/perl/, and Mod_Myproxy.pm should go in /home/globus/mod_myproxy/perl/Myproxy/Mod_Myproxy.pm. Note the Myproxy subdirectory -- it is due to Perl's package organizing system.
Configure the script by updating its constants (see below).

Script Configuration

At the top of the script are several constants that you should check against your environment.

GLOBUS_LOCATION	Globus installation directory, for locating myproxy-logon executable
MYPROXY_SERVER	The hostname of your MyProxy server
MYPROXY_EXTRA_PARAMS	Extra parameters to pass to myproxy-logon, such as a non-standard port number (useful for debugging in concert with `myproxy-server -d`)
LOGOUT_URI_REGEX	Any URL that matches this regular expression will be considered a "logout", and the user's credentials will be erased. Coordinate this with your Pubcookie configuration.
CRED_STORE_DIR	The directory on the local file system in which to store users' X.509 credentials. Each user's credential will be stored in a file in this directory named after the user. For example, user `hjones` will have credentials stored in `<CRED_STORE_DIR>/hjones`.
SESSION_STORE_DIR	This script keeps minimal session information about each user in a separate directory; this directory must be different from CRED_STORE_DIR for security reasons. Currently, the session information consists solely of the username. The filenames are generated randomly and assigned to HTTP sessions via cookies.
DIR_PERMISSIONS	Permissions to set on CRED_STORE_DIR and SESSION_STORE_DIR, but only if they don't already exist and need to be created. Default value is full access only for the owner (most likely the `apache` account).
X509_USER_PROXY	The name of the environment variable to set in Apache's internal per-thread environment, containing the path to the current user's X.509 credential.
MM_SESSION	The name of the cookie to set that contains the user's session name (see SESSION_STORE_DIR).
MYPROXY_OUT_LOG	The file to pipe myproxy-logon's `stdout` to.
MYPROXY_ERR_LOG	The file to pipe myproxy-logon's `stderr` to.

Debugging

The Dump script referred to in pubcookie.conf above is helpful for viewing Apache's environment:

package Myproxy::Dump; use strict; use warnings; use CGI::Cookie (); use Apache2::Log (); use Apache2::RequestRec (); use APR::Table (); use Apache2::Const -compile => qw(OK); use constant X509_USER_PROXY => "X509_USER_PROXY"; sub handler { my $GLOBUS_LOCATION = "/usr/local/globus-4.0"; my $MYPROXY_SERVER = "click.ncsa.uiuc.edu"; # my $MYPROXY_EXTRA_PARAMS = "-p 7513"; my $MYPROXY_EXTRA_PARAMS = ""; my $r = shift; # ($package, $r) = $_; $r->content_type('text/html'); my %cookies = CGI::Cookie->fetch($r); my $cookies = %cookies; print qq( <html> <head><title>Protection!</title></head> <body> <h1>Logged in via Pubcookie</h1> <p><a href="pc_logout_clearlogin">logout</a></p> ); #<p><a href="pc_logout_clearlogin">logout clearlogin</a> (via LocationMatch)</p> #<p><i>[doesn't work]</i> <a href="logout/">logout</a> (via .htaccess)</p> #<p><i>[doesn't work]</i> <a href="pc_logout_redirect">logout redirect</a> (via LocationMatch)</p> #<p><a href="pc_placebo">placebo</a></p> my $user = $r->user(); print("<h3>User: $user</h3>\n"); my $x509; if (defined(%ENV)) { $x509 = $ENV{X509_USER_PROXY}; } print("<h3>" . X509_USER_PROXY . ": $x509</h3>\n"); print("<h3>Cookies:</h3>\n"); if ($cookies ne '') { print("<table border=1>\n"); print("<tr><th>Name</th><th>Path</th><th>Contents</th></tr>\n"); foreach (keys %cookies) { my $cookie = $cookies{$_}; my $name = $cookie->name(); my $value = $cookie->value(); my $path = $cookie->path(); print("<tr>\n" ." <td>$name</td>\n" ." <td>$path</td>\n" ." <td><font size=-2>$value</font></td>\n" ."</tr>\n"); if ($name eq 'pubcookie_g') { print('<tr><td colspan=3 style="background:#eef">' . "<h3>Found Granting Cookie</h3>\n"); if ($user ne '') { my $myproxy_command = "| $GLOBUS_LOCATION/bin/myproxy-logon" . " -s $MYPROXY_SERVER -l $user --stdin_pass" . " " . $MYPROXY_EXTRA_PARAMS . " >> /var/log/myproxy_out" . " 2>> /var/log/myproxy_err"; # print("<p>Issuing myproxy command: $myproxy_command</p>\n"); # my $opened = open(myproxy_handle, $myproxy_command); # if ($opened) { # # replace %20 with +, %2F with /, and %3D with = # $Value =~ s/ /\+/g; # $value =~ s/\%20/\+/g; # $value =~ s/\%2F/\//g; # $value =~ s/\%3D/=/g; # print myproxy_handle "$value\n"; # print("<p>Sent password</p>\n"); # print("<blockquote><font size=-2>$value</font></blockquote></p>\n"); # my $closed_success = close(myproxy_handle); # print("<p>Closed ($closed_success)? " # . ($closed_success ? "yes" : "no") . "</p>\n"); # my $myproxy_exit = $?; # retval stored in $? by close() # print("<p>Exit value = $myproxy_exit</p>\n"); # } else { # print("<p>Unable to run myproxy-logon: $!</p>\n"); # } } else { print("<p>No username found</p>\n"); } print("</th></tr>\n"); } } print("</table>\n"); } else { print("<p><i>No cookies found.</i></p>\n"); } print("<h3>Environment:</h3>\n"); if (%ENV ne '') { print("<table border=1>\n"); foreach (keys %ENV) { my $key = $_; my $value = $ENV{$key}; print("<tr><td>$key</td>\n <td>$value</td></tr>"); } print("</table>\n"); } # my $conn = $r->connection; # print("Connection = $conn\n"); print("<h3>Subprocess Env:</h3>\n"); print("<table border=1>\n"); $r->subprocess_env->do(sub { print("<tr><td>$_[0]</td>\n <td>$_[1]</td></tr>"); }); print("</table>\n"); print("<h3>Headers:</h3>\n"); print("<table border=1>\n"); $r->headers_in->do(sub { print("<tr><td>$_[0]</td>\n <td>$_[1]</td></tr>"); }); print("</table>\n"); print qq( </body> </html> ); return Apache2::Const::OK; } 1;
direct link to Dump.pm
For more verbose debugging output from Mod_Myproxy.pm, uncomment the line in sub debug() { that contains $r->log->notice(....
Finally, to watch all the relevant log files at once, you can employ something like tail -f /var/log/httpd/*_log /var/log/secure /var/log/myproxy_*.

Future Improvements

Automatic cleanup: It should be possible to write a cleanup script to watch for expired credentials and delete them from the Application Server's local file system, run at intervals via cron. A sample script will be added here soon.

Local Decryption: Currently, decryption is done by the MyProxy server. There is a major drawback to this approach, however, in that the MyProxy server can be configured to work with only one Pubcookie application server, assuming each has its own symmetric key with which its granting cookies are encrypted. Decrypting in the mod_perl script, instead, before sending the granting cookie to the MyProxy server, would have two advantages:

Security: The MyProxy server would need to be configured only with the Pubcookie login server's public key, which it would use to verify the signatures of granting cookies, and not an application server's symmetric key.
Flexibility: Multiple application servers could use a common MyProxy server.