1 | <?php |
||
2 | |||
3 | namespace CILogon\Service; |
||
4 | |||
5 | use CILogon\Service\Util; |
||
6 | |||
7 | /** |
||
8 | * MyProxy |
||
9 | */ |
||
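class MyProxy
{
    /**
     * getMyProxyCredential
     *
     * This function gets an X.509 credential (as a string) for a user by
     * running the configured myproxy-logon binary and returning its output.
     *
     * @param string $username The MyProxy user name (-l)
     * @param string $passphrase (Optional) The MyProxy password for the
     *        username (-S). Defaults to empty string. NOTE: If $passphrase
     *        is non-empty, you CANNOT set a $certreq.
     * @param string $server (Optional) The MyProxy server to connect to (-s).
     *        Defaults to MYPROXY_HOST.
     * @param int $port (Optional) The port for the MyProxy server (-p).
     *        Defaults to MYPROXY_PORT. Anything that is not an integer in
     *        the range 0..65535 is replaced by MYPROXY_PORT.
     * @param int $lifetime (Optional) The life of the proxy in hours (-t).
     *        Defaults to MYPROXY_LIFETIME hours. Anything that is not an
     *        integer in the range 0..43800 (5 years) is replaced by
     *        MYPROXY_LIFETIME.
     * @param string $usercert (Optional) The X509_USER_CERT environment
     *        variable, OR the X509_USER_PROXY environment variable if
     *        $userkey is set to the empty string. Defaults to empty string.
     * @param string $userkey (Optional) The X509_USER_KEY environment
     *        variable. Defaults to empty string.
     * @param string $certreq (Optional) A certificate request created by the
     *        openssl req command (--certreq). Defaults to empty string.
     *        NOTE: If $certreq is non-empty, you CANNOT set a $passphrase.
     * @param string $env (Optional) Extra environment variables in the form
     *        of space-separated 'key=value' pairs. This string is placed on
     *        the command line verbatim (it is NOT escaped), so it must come
     *        from trusted configuration, never from request input.
     * @return string An X509 credential in a string upon success, or
     *         an empty string upon failure.
     */
    public static function getMyProxyCredential(
        $username,
        $passphrase = '',
        $server = MYPROXY_HOST,
        $port = MYPROXY_PORT,
        $lifetime = MYPROXY_LIFETIME,
        $usercert = '',
        $userkey = '',
        $certreq = '',
        $env = ''
    ) {
        // Verify the myproxy-logon binary has been configured
        if ((!defined('MYPROXY_LOGON')) || (empty(MYPROXY_LOGON))) {
            Util::sendErrorAlert(
                'getMyProxyCredential Error',
                'MyProxy Error = myproxy-logon binary not configured'
            );
            return '';
        }

        // Make sure the username passed in is not empty
        $username = (string) $username;
        if ($username === '') {
            Util::sendErrorAlert(
                'getMyProxyCredential Error',
                'MyProxy Error = Missing MyProxy username'
            );
            return '';
        }

        // $port and $lifetime are interpolated UNQUOTED into the shell command
        // below, so they must be proven to be plain integers here. A bare
        // "< 0 || > 65535" comparison is not enough: a non-numeric string
        // passes both comparisons unchanged and would reach the shell verbatim.
        // Don't allow weird port numbers, i.e. negative or over 65535.
        $port = self::validatedIntOrDefault($port, 0, 65535, (int) MYPROXY_PORT);
        // Don't allow weird lifetimes, i.e. negative or over 5 years (43800 h).
        $lifetime = self::validatedIntOrDefault($lifetime, 0, 43800, (int) MYPROXY_LIFETIME);

        // If the usercert (X509_USER_CERT) is specified, check to see if
        // the userkey (X509_USER_KEY) was as well. If not, set userkey to
        // usercert, in effect making usercert act like X509_USER_PROXY. Then,
        // bundle the two parameters into a single variable holding the two
        // X509_USER_* environment variable assignments.
        $userCertEnv = '';
        $usercert = (string) $usercert;
        $userkey = (string) $userkey;
        if ($usercert !== '') {
            if ($userkey === '') {
                $userkey = $usercert;
            }
            $userCertEnv = 'X509_USER_CERT=' . escapeshellarg($usercert) .
                ' ' .
                'X509_USER_KEY=' . escapeshellarg($userkey);
        }

        $cmd = self::buildLogonCommand(
            MYPROXY_LOGON,
            $userCertEnv,
            (string) $env,
            (string) $server,
            $port,
            $lifetime,
            $username,
            (string) $certreq,
            (string) $passphrase
        );

        // Run the myproxy-logon command and capture the output and any error.
        // $returnVal keeps -1 if exec() itself fails to start the command, so
        // that case is reported instead of being mistaken for success.
        $output = [];
        $returnVal = -1;
        $lastLine = exec($cmd, $output, $returnVal);
        $retstr = implode("\n", $output);

        if (($lastLine === false) || ($returnVal !== 0)) {
            Util::sendErrorAlert(
                'getMyProxyCredential Error',
                "MyProxy Error = $returnVal\nMyProxy Output= $retstr"
            );
            $retstr = '';
        }

        return $retstr;
    }

    /**
     * Validate that $value is an integer within [$min, $max].
     *
     * @param mixed $value The caller-supplied value (int or numeric string).
     * @param int $min Smallest acceptable value (inclusive).
     * @param int $max Largest acceptable value (inclusive).
     * @param int $default Returned when $value is not an in-range integer.
     * @return int The validated integer, or $default.
     */
    private static function validatedIntOrDefault($value, int $min, int $max, int $default): int
    {
        // FILTER_VALIDATE_INT rejects anything that is not a whole integer
        // (e.g. "22 x", "", null), unlike a plain (int) cast which would
        // silently turn such input into 22 or 0.
        $valid = filter_var(
            $value,
            FILTER_VALIDATE_INT,
            ['options' => ['min_range' => $min, 'max_range' => $max]]
        );

        return ($valid === false) ? $default : $valid;
    }

    /**
     * Build the shell command line that runs myproxy-logon.
     *
     * Every caller-supplied string value is wrapped in escapeshellarg().
     * $userCertEnv and $env are assumed to be shell-safe already: the former
     * is built from escaped values by the caller, the latter is trusted
     * configuration. $port and $lifetime are typed int so they can be
     * interpolated unquoted.
     *
     * NOTE(review): the here-string operator (<<<) used to feed stdin is a
     * bash extension while exec() runs the command through /bin/sh, so this
     * relies on /bin/sh being bash (or another shell supporting <<<) on the
     * host — confirm on deployment. Also, because the passphrase and the
     * certificate request are part of that shell command string, they are
     * visible in the shell process's argument list for the duration of the
     * call; feeding them through a pipe (proc_open) would avoid that.
     *
     * @param string $binary Path of the myproxy-logon executable.
     * @param string $userCertEnv Pre-escaped X509_USER_CERT/X509_USER_KEY
     *        assignments, or empty string.
     * @param string $env Extra 'key=value' pairs, placed verbatim.
     * @param string $server MyProxy server host (-s).
     * @param int $port MyProxy server port (-p).
     * @param int $lifetime Proxy lifetime in hours (-t).
     * @param string $username MyProxy user name (-l).
     * @param string $certreq Certificate request fed via --certreq -, or
     *        empty string.
     * @param string $passphrase Passphrase fed on stdin, or empty string
     *        (in which case -n is passed so myproxy-logon does not prompt).
     * @return string The full command line, with stderr redirected to stdout.
     */
    private static function buildLogonCommand(
        string $binary,
        string $userCertEnv,
        string $env,
        string $server,
        int $port,
        int $lifetime,
        string $username,
        string $certreq,
        string $passphrase
    ): string {
        // The two stdin sources are appended independently, exactly as the
        // documented contract requires callers to set at most one of them.
        $certreqPart = ($certreq !== '')
            ? (' --certreq - <<< ' . escapeshellarg($certreq))
            : '';
        $passphrasePart = ($passphrase !== '')
            ? (' <<< ' . escapeshellarg($passphrase))
            : ' -n';

        return '/bin/env ' .
            $userCertEnv . ' ' .
            $env . ' ' .
            'MYPROXY_SOCKET_TIMEOUT=1 ' .
            $binary . ' ' .
            ' -s ' . escapeshellarg($server) .
            " -p $port" .
            " -t $lifetime" .
            ' -l ' . escapeshellarg($username) .
            ' -S -o -' .
            $certreqPart .
            $passphrasePart .
            ' 2>&1';
    }

    /**
     * getDefaultLifetime
     *
     * This function returns the value of the class defined
     * MYPROXY_LIFETIME as an int, which may be needed in '/secure/getuser'
     * when getting a certificate.
     *
     * @return int The value of MYPROXY_LIFETIME
     */
    public static function getDefaultLifetime(): int
    {
        return (int) MYPROXY_LIFETIME;
    }
}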