
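--- a/usr/ports/devel/ice/Makefile
+++ b/usr/ports/devel/ice/Makefile
@@ -7,6 +7,7 @@
 
 PORTNAME=	Ice
 PORTVERSION=	3.4.2
+PORTREVISION=	1
 CATEGORIES=	devel
 MASTER_SITES=	http://download.zeroc.com/Ice/3.4/
 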
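--- /dev/null
+++ b/usr/ports/devel/ice/files/patch-config-PropertyNames.xml
@@ -0,0 +1,11 @@
+--- config/PropertyNames.xml.orig	Wed Jun 15 19:43:59 2011
++++ config/PropertyNames.xml	Tue Jul 12 15:32:00 2011
+@@ -437,6 +437,8 @@ generated from the section label.
+         <property name="Registry.PermissionsVerifier" class="proxy" />
+         <property name="Registry.ReplicaName" />
+         <property name="Registry.ReplicaSessionTimeout" />
++        <property name="Registry.RequireNodeCertCN" />
++        <property name="Registry.RequireReplicaCertCN" />
+         <property name="Registry.Server" class="objectadapter" />
+         <property name="Registry.SessionFilters" />
+         <property name="Registry.SessionManager" class="objectadapter" />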
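--- /dev/null
+++ b/usr/ports/devel/ice/files/patch-cpp-demo-IceGrid-secure-README
@@ -0,0 +1,14 @@
+--- cpp/demo/IceGrid/secure/README.orig	Wed Jun 15 19:44:00 2011
++++ cpp/demo/IceGrid/secure/README	Tue Jul 12 15:32:00 2011
+@@ -31,9 +31,10 @@ so you might as well use a certificate without a password and rely on
+ the filesystem permissions to restrict access to the certificate.
+ 
+ Once the certificates are generated, you can start the IceGrid
+-registry, node, and Glacier2 router:
++registries, node, and Glacier2 router:
+ 
+-$ icegridregistry --Ice.Config=config.registry
++$ icegridregistry --Ice.Config=config.master
++$ icegridregistry --Ice.Config=config.slave
+ $ icegridnode --Ice.Config=config.node
+ $ glacier2router --Ice.Config=config.glacier2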
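--- /dev/null
+++ b/usr/ports/devel/ice/files/patch-cpp-demo-IceGrid-secure-application.xml
@@ -0,0 +1,14 @@
+--- cpp/demo/IceGrid/secure/application.xml.orig	Wed Jun 15 19:43:58 2011
++++ cpp/demo/IceGrid/secure/application.xml	Tue Jul 12 15:32:00 2011
+@@ -20,8 +20,9 @@
+       <property name="IceSSL.DefaultDir" value="certs"/>
+ 
+       <property name="Ice.Admin.Endpoints" value="ssl -h 127.0.0.1"/>
+-      <property name="IceSSL.TrustOnly.Client" value="CN=IceGrid Registry"/>
+-      <property name="IceSSL.TrustOnly.Server.Ice.Admin" value="CN=IceGrid Node"/>
++      <property name="IceSSL.TrustOnly.Client" value="CN=Master;CN=Slave"/>
++      <property name="IceSSL.TrustOnly.Client" value="CN=Master;CN=Slave"/>
++      <property name="IceSSL.TrustOnly.Server.Ice.Admin" value="CN=Node"/>
+     </properties>
+ 
+     <node name="Node">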
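Review bot: `IceSSL.TrustOnly.Client` is added twice with the identical value `CN=Master;CN=Slave` on consecutive lines, and the hunk header's 8-to-9 line count shows both were intended as additions rather than a collapsed old/new pair. Properties in the descriptor are applied in order, so the duplicate is presumably inert today, but it will silently mask a future edit that changes only one of the two lines. Drop the second occurrence so the block reads `<property name="IceSSL.TrustOnly.Client" value="CN=Master;CN=Slave"/>` followed directly by the `IceSSL.TrustOnly.Server.Ice.Admin` line.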
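--- /dev/null
+++ b/usr/ports/devel/ice/files/patch-cpp-demo-IceGrid-secure-config.admin
@@ -0,0 +1,11 @@
+--- cpp/demo/IceGrid/secure/config.admin.orig	Wed Jun 15 19:43:58 2011
++++ cpp/demo/IceGrid/secure/config.admin	Tue Jul 12 15:32:00 2011
+@@ -14,7 +14,7 @@ IceGridAdmin.Password=dummy
+ # SSL Configuration
+ #
+ IceSSL.DefaultDir=certs
+-IceSSL.TrustOnly.Client=CN="IceGrid Registry";CN="Glacier2"
++IceSSL.TrustOnly.Client=CN="Master";CN="Slave";CN="Glacier2"
+ 
+ # C++ configuration
+ Ice.Plugin.IceSSL.cpp=IceSSL:createIceSSL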
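--- /dev/null
+++ b/usr/ports/devel/ice/files/patch-cpp-demo-IceGrid-secure-config.client
@@ -0,0 +1,11 @@
+--- cpp/demo/IceGrid/secure/config.client.orig	Wed Jun 15 19:43:59 2011
++++ cpp/demo/IceGrid/secure/config.client	Tue Jul 12 15:32:00 2011
+@@ -1,7 +1,7 @@
+ #
+ # The IceGrid locator proxy.
+ #
+-Ice.Default.Locator=DemoIceGrid/Locator:tcp -p 4061
++Ice.Default.Locator=DemoIceGrid/Locator:tcp -p 4061:tcp -p 14061
+ 
+ #
+ # Trace properties.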
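--- /dev/null
+++ b/usr/ports/devel/ice/files/patch-cpp-demo-IceGrid-secure-config.master
@@ -0,0 +1,64 @@
+--- /dev/null
++++ cpp/demo/IceGrid/secure/config.master	Tue Jul 12 15:32:00 2011
+@@ -0,0 +1,61 @@
++#
++# The IceGrid instance name.
++#
++IceGrid.InstanceName=DemoIceGrid
++
++#
++# IceGrid registry configuration.
++#
++IceGrid.Registry.Client.Endpoints=tcp -p 4061 -t 10000:ssl -p 4062 -t 10000
++IceGrid.Registry.Server.Endpoints=ssl -t 10000
++IceGrid.Registry.Internal.Endpoints=ssl -t 10000
++IceGrid.Registry.Data=db/master
++
++#
++# Ensure that nodes and slaves connecting to this registry have a name
++# matching the certificate CN.
++#
++IceGrid.Registry.RequireNodeCertCN=1
++IceGrid.Registry.RequireReplicaCertCN=1
++
++#
++# IceGrid admin clients must use a secure connection to connect to the
++# registry or use Glacier2.
++#
++IceGrid.Registry.AdminSessionManager.Endpoints=ssl -t 10000
++IceGrid.Registry.AdminPermissionsVerifier=DemoIceGrid/NullPermissionsVerifier
++
++#
++# IceGrid SQL configuration if using SQL database.
++#
++#Ice.Plugin.DB=IceGridSqlDB:createSqlDB
++#IceGrid.SQL.DatabaseType=QSQLITE
++#IceGrid.SQL.DatabaseName=db/master/Registry.db
++
++#
++# Trace properties.
++#
++Ice.ProgramName=Master
++IceGrid.Registry.Trace.Node=2
++IceGrid.Registry.Trace.Replica=2
++
++#
++# SSL Configuration
++#
++Ice.Plugin.IceSSL=IceSSL:createIceSSL
++IceSSL.DefaultDir=certs
++IceSSL.CertAuthFile=ca_cert.pem
++IceSSL.CertFile=master_cert.pem
++IceSSL.KeyFile=master_key.pem
++
++#
++# Don't require certificates. This is useful for admin clients that don't
++# use certificate but still need to establish a secure connection for the
++# username/password authentication
++#
++IceSSL.VerifyPeer=1
++
++IceSSL.TrustOnly.Client=CN="Master";CN="Slave";CN="Node";CN="Glacier2"
++IceSSL.TrustOnly.Server.IceGrid.Registry.Server=CN="Server"
++IceSSL.TrustOnly.Server.IceGrid.Registry.Internal=CN="Node";CN="Master";CN="Slave"
++IceSSL.TrustOnly.Server.IceGrid.Registry.AdminSessionManager=CN="Glacier2"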
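Review bot: The comment block above `IceSSL.VerifyPeer=1` still says certificates are not required, but with `IceGrid.Registry.RequireNodeCertCN=1` and `IceGrid.Registry.RequireReplicaCertCN=1` set earlier in this same file, a node or replica that presents no certificate, or one whose CN differs from its name, is now rejected at registration; only admin clients remain certificate-optional. Suggest extending that comment with `# Nodes and replicas must still present a certificate whose CN matches their name; see the Require*CertCN settings above.` so the two settings are not read as contradicting each other. The same unchanged comment appears in the new config.slave, where only `RequireNodeCertCN` is set.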
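--- /dev/null
+++ b/usr/ports/devel/ice/files/patch-cpp-demo-IceGrid-secure-config.node
@@ -0,0 +1,19 @@
+--- cpp/demo/IceGrid/secure/config.node.orig	Wed Jun 15 19:43:58 2011	
++++ cpp/demo/IceGrid/secure/config.node	Tue Jul 12 15:32:00 2011
+@@ -1,7 +1,7 @@
+ #
+ # The IceGrid locator proxy.
+ #
+-Ice.Default.Locator=DemoIceGrid/Locator:ssl -p 4062 -t 10000
++Ice.Default.Locator=DemoIceGrid/Locator:ssl -p 4062 -t 10000:ssl -p 14062 -t 10000
+ 
+ #
+ # IceGrid node configuration.
+@@ -26,5 +26,5 @@ IceSSL.CertAuthFile=ca_cert.pem
+ IceSSL.CertFile=node_cert.pem
+ IceSSL.KeyFile=node_key.pem
+ 
+-IceSSL.TrustOnly.Client=CN="Server";CN="IceGrid Registry"
+-IceSSL.TrustOnly.Server=CN="IceGrid Registry"
++IceSSL.TrustOnly.Client=CN="Server";CN="Master";CN="Slave"
++IceSSL.TrustOnly.Server=CN="Master";CN="Slave"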
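--- /dev/null
+++ b/usr/ports/devel/ice/files/patch-cpp-demo-IceGrid-secure-config.registry
@@ -0,0 +1,57 @@
+--- cpp/demo/IceGrid/secure/config.registry	Wed Jun 15 19:43:58 2011
++++ /dev/null
+@@ -1,54 +0,0 @@
+-#
+-# The IceGrid instance name.
+-#
+-IceGrid.InstanceName=DemoIceGrid
+-
+-#
+-# IceGrid registry configuration.
+-#
+-IceGrid.Registry.Client.Endpoints=tcp -p 4061 -t 10000:ssl -p 4062 -t 10000
+-IceGrid.Registry.Server.Endpoints=ssl -t 10000
+-IceGrid.Registry.Internal.Endpoints=ssl -t 10000
+-IceGrid.Registry.Data=db/registry
+-
+-#
+-# IceGrid admin clients must use a secure connection to connect to the
+-# registry or use Glacier2.
+-#
+-IceGrid.Registry.AdminSessionManager.Endpoints=ssl -t 10000
+-IceGrid.Registry.AdminPermissionsVerifier=DemoIceGrid/NullPermissionsVerifier
+-
+-#
+-# IceGrid SQL configuration if using SQL database.
+-#
+-#Ice.Plugin.DB=IceGridSqlDB:createSqlDB
+-#IceGrid.SQL.DatabaseType=QSQLITE
+-#IceGrid.SQL.DatabaseName=db/registry/Registry.db
+-
+-#
+-# Trace properties.
+-#
+-Ice.ProgramName=Registry
+-IceGrid.Registry.Trace.Node=2
+-IceGrid.Registry.Trace.Replica=2
+-
+-#
+-# SSL Configuration
+-#
+-Ice.Plugin.IceSSL=IceSSL:createIceSSL
+-IceSSL.DefaultDir=certs
+-IceSSL.CertAuthFile=ca_cert.pem
+-IceSSL.CertFile=registry_cert.pem
+-IceSSL.KeyFile=registry_key.pem
+-
+-#
+-# Don't require certificates. This is useful for admin clients that don't
+-# use certificate but still need to establish a secure connection for the
+-# username/password authentication
+-#
+-IceSSL.VerifyPeer=1
+-
+-IceSSL.TrustOnly.Client=CN="IceGrid Registry";CN="IceGrid Node";CN="Glacier2"
+-IceSSL.TrustOnly.Server.IceGrid.Registry.Server=CN="Server"
+-IceSSL.TrustOnly.Server.IceGrid.Registry.Internal=CN="IceGrid Node";CN="IceGrid Registry"
+-IceSSL.TrustOnly.Server.IceGrid.Registry.AdminSessionManager=CN="Glacier2"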
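--- /dev/null
+++ b/usr/ports/devel/ice/files/patch-cpp-demo-IceGrid-secure-config.slave
@@ -0,0 +1,69 @@
+--- /dev/null
++++ cpp/demo/IceGrid/secure/config.slave	Tue Jul 12 15:32:00 2011
+@@ -0,0 +1,66 @@
++#
++# The IceGrid locator proxy.
++#
++Ice.Default.Locator=DemoIceGrid/Locator:ssl -p 4062 -t 10000
++
++#
++# The IceGrid instance name.
++#
++IceGrid.InstanceName=DemoIceGrid
++
++#
++# IceGrid registry configuration.
++#
++IceGrid.Registry.Client.Endpoints=tcp -p 14061 -t 10000:ssl -p 14062 -t 10000
++IceGrid.Registry.Server.Endpoints=ssl -t 10000
++IceGrid.Registry.Internal.Endpoints=ssl -t 10000
++IceGrid.Registry.Data=db/slave
++IceGrid.Registry.ReplicaName=Slave
++
++#
++# Ensure that nodes connecting to this registry have a name matching
++# the certificate CN.
++#
++IceGrid.Registry.RequireNodeCertCN=1
++
++#
++# IceGrid admin clients must use a secure connection to connect to the
++# registry or use Glacier2.
++#
++IceGrid.Registry.AdminSessionManager.Endpoints=ssl -t 10000
++IceGrid.Registry.AdminPermissionsVerifier=DemoIceGrid/NullPermissionsVerifier
++
++#
++# IceGrid SQL configuration if using SQL database.
++#
++#Ice.Plugin.DB=IceGridSqlDB:createSqlDB
++#IceGrid.SQL.DatabaseType=QSQLITE
++#IceGrid.SQL.DatabaseName=db/slave/Registry.db
++
++#
++# Trace properties.
++#
++Ice.ProgramName=Slave
++IceGrid.Registry.Trace.Node=2
++IceGrid.Registry.Trace.Replica=2
++
++#
++# SSL Configuration
++#
++Ice.Plugin.IceSSL=IceSSL:createIceSSL
++IceSSL.DefaultDir=certs
++IceSSL.CertAuthFile=ca_cert.pem
++IceSSL.CertFile=slave_cert.pem
++IceSSL.KeyFile=slave_key.pem
++
++#
++# Don't require certificates. This is useful for admin clients that don't
++# use certificate but still need to establish a secure connection for the
++# username/password authentication
++#
++IceSSL.VerifyPeer=1
++
++IceSSL.TrustOnly.Client=CN="Master";CN="Slave";CN="Node";CN="Glacier2"
++IceSSL.TrustOnly.Server.IceGrid.Registry.Server=CN="Server"
++IceSSL.TrustOnly.Server.IceGrid.Registry.Internal=CN="Node";CN="Master";CN="Slave"
++IceSSL.TrustOnly.Server.IceGrid.Registry.AdminSessionManager=CN="Glacier2"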
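--- /dev/null
+++ b/usr/ports/devel/ice/files/patch-cpp-demo-IceGrid-secure-makecerts.py
@@ -0,0 +1,13 @@
+--- cpp/demo/IceGrid/secure/makecerts.py.orig	Wed Jun 15 19:43:58 2011
++++ cpp/demo/IceGrid/secure/makecerts.py	Tue Jul 12 15:32:00 2011
+@@ -44,8 +44,9 @@ runIceca("init --overwrite --no-password")
+ print
+ print
+ 
+-createCertificate("registry", "IceGrid Registry")
+-createCertificate("node", "IceGrid Node")
++createCertificate("master", "Master")
++createCertificate("slave", "Slave")
++createCertificate("node", "Node")
+ createCertificate("glacier2", "Glacier2")
+ createCertificate("server", "Server")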
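--- /dev/null
+++ b/usr/ports/devel/ice/files/patch-cpp-src-Ice-Network.cpp
@@ -0,0 +1,15 @@
+--- cpp/src/Ice/Network.cpp.orig	Wed Jun 15 19:43:59 2011
++++ cpp/src/Ice/Network.cpp	Fri 15 23:40:26 2011
+@@ -715,7 +715,11 @@
+     WSASetLastError(error);
+ #else
+     int error = errno;
+-    if(close(fd) == SOCKET_ERROR)
++    if(close(fd) == SOCKET_ERROR
++#  if defined(__FreeBSD__)
++    && getSocketErrno() != ECONNRESET
++#  endif
++    )
+     {
+         SocketException ex(__FILE__, __LINE__);
+         ex.error = getSocketErrno();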
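Review bot: The FreeBSD-only `getSocketErrno() != ECONNRESET` clause changes which close() failures surface as a SocketException but carries no comment, so a later reader cannot tell whether the suppression is deliberate or a workaround for a specific symptom. If the intent is that a reset peer should not count as a close failure, say so on the `#  if defined(__FreeBSD__)` line, e.g. `// FreeBSD can report ECONNRESET from close() when the peer has already reset the connection; do not treat that as a failure to close the socket.` Splitting one `if` condition across preprocessor directives is also hard to read; computing the condition into a local `bool` first would keep the `if` on one line. The enclosing function starts and ends outside the hunk, and the `+++` header date `Fri 15 23:40:26 2011` is missing its month.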
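--- /dev/null
+++ b/usr/ports/devel/ice/files/patch-cpp-src-Ice-PropertyNames.cpp
@@ -0,0 +1,20 @@
+--- cpp/src/Ice/PropertyNames.cpp.orig	Wed Jun 15 19:43:59 2011
++++ cpp/src/Ice/PropertyNames.cpp	Tue Jul 12 15:32:00 2011
+@@ -8,7 +8,7 @@
+ // **********************************************************************
+ 
+ //
+-// Generated by makeprops.py from file ..\config\PropertyNames.xml, Mon May 09 07:39:43 2011
++// Generated by makeprops.py from file ../config/PropertyNames.xml, Tue Jul 12 07:22:34 2011
+ 
+ // IMPORTANT: Do not edit this file -- any edits made here will be lost!
+ 
+@@ -335,6 +335,8 @@ const IceInternal::Property IceGridPropsData[] =
+     IceInternal::Property("IceGrid.Registry.PermissionsVerifier", false, 0),
+     IceInternal::Property("IceGrid.Registry.ReplicaName", false, 0),
+     IceInternal::Property("IceGrid.Registry.ReplicaSessionTimeout", false, 0),
++    IceInternal::Property("IceGrid.Registry.RequireNodeCertCN", false, 0),
++    IceInternal::Property("IceGrid.Registry.RequireReplicaCertCN", false, 0),
+     IceInternal::Property("IceGrid.Registry.Server.ACM", false, 0),
+     IceInternal::Property("IceGrid.Registry.Server.AdapterId", false, 0),
+     IceInternal::Property("IceGrid.Registry.Server.Endpoints", false, 0),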
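--- /dev/null
+++ b/usr/ports/devel/ice/files/patch-cpp-src-Ice-PropertyNames.h
@@ -0,0 +1,10 @@
+--- cpp/src/Ice/PropertyNames.h.orig	Wed Jun 15 19:43:59 2011
++++ cpp/src/Ice/PropertyNames.h	Tue Jul 12 15:32:00 2011
+@@ -8,7 +8,7 @@
+ // **********************************************************************
+ 
+ //
+-// Generated by makeprops.py from file ..\config\PropertyNames.xml, Mon May 09 07:39:43 2011
++// Generated by makeprops.py from file ../config/PropertyNames.xml, Tue Jul 12 07:22:34 2011
+ 
+ // IMPORTANT: Do not edit this file -- any edits made here will be lost!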
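--- /dev/null
+++ b/usr/ports/devel/ice/files/patch-cpp-src-IceGrid-Internal.ice
@@ -0,0 +1,20 @@
+--- cpp/src/IceGrid/Internal.ice.orig	Wed Jun 15 19:43:59 2011
++++ cpp/src/IceGrid/Internal.ice	Tue Jul 12 15:32:00 2011
+@@ -702,7 +702,7 @@ interface InternalRegistry extends FileReader
+      *
+      **/
+     NodeSession* registerNode(InternalNodeInfo info, Node* prx, LoadInfo loadInf)
+-        throws NodeActiveException;
++        throws NodeActiveException, PermissionDeniedException;
+ 
+     /**
+      *
+@@ -721,7 +721,7 @@ interface InternalRegistry extends FileReader
+      *
+      **/
+     ReplicaSession* registerReplica(InternalReplicaInfo info, InternalRegistry* prx)
+-        throws ReplicaActiveException;
++        throws ReplicaActiveException, PermissionDeniedException;
+ 
+     /**
+      *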
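Review bot: Both `throws` clauses gain `PermissionDeniedException`, but the Slice doc comments that close just above them (`**/`) are not touched in either hunk, so the generated API documentation will not say when the new exception is raised. Suggest adding to each comment a line such as ` * @throws PermissionDeniedException Raised if the registry requires the caller's certificate CN to match the node (or replica) name and no certificate was presented or the CN differs.` which is what the registry implementation in this same patch set does. The comment bodies themselves lie outside the hunks.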
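--- /dev/null
+++ b/usr/ports/devel/ice/files/patch-cpp-src-IceGrid-InternalRegistryI.cpp
@@ -0,0 +1,136 @@
+--- cpp/src/IceGrid/InternalRegistryI.cpp.orig	Wed Jun 15 19:43:59 2011
++++ cpp/src/IceGrid/InternalRegistryI.cpp	Tue Jul 12 15:32:00 2011
+@@ -19,6 +19,8 @@
+ #include <IceGrid/ReplicaSessionI.h>
+ #include <IceGrid/ReplicaSessionManager.h>
+ #include <IceGrid/FileCache.h>
++#include <IceSSL/IceSSL.h>
++#include <IceSSL/RFC2253.h>
+ 
+ using namespace std;
+ using namespace IceGrid;
+@@ -38,6 +40,8 @@ InternalRegistryI::InternalRegistryI(const RegistryIPtr& registry,
+     Ice::PropertiesPtr properties = database->getCommunicator()->getProperties();
+     _nodeSessionTimeout = properties->getPropertyAsIntWithDefault("IceGrid.Registry.NodeSessionTimeout", 30);
+     _replicaSessionTimeout = properties->getPropertyAsIntWithDefault("IceGrid.Registry.ReplicaSessionTimeout", 30);
++    _requireNodeCertCN = properties->getPropertyAsIntWithDefault("IceGrid.Registry.RequireNodeCertCN", 0);
++    _requireReplicaCertCN = properties->getPropertyAsIntWithDefault("IceGrid.Registry.RequireNodeCertCN", 0);
+ }
+ 
+ InternalRegistryI::~InternalRegistryI()
+@@ -50,7 +54,56 @@ InternalRegistryI::registerNode(const InternalNodeInfoPtr& info,
+                                 const LoadInfo& load, 
+                                 const Ice::Current& current)
+ {
+-    const Ice::LoggerPtr logger = _database->getTraceLevels()->logger;
++    const TraceLevelsPtr traceLevels = _database->getTraceLevels();
++    const Ice::LoggerPtr logger = traceLevels->logger;
++    if(!info || !node)
++    {
++        return 0;
++    }
++
++    if(_requireNodeCertCN)
++    {
++        try
++        {
++            IceSSL::ConnectionInfoPtr sslConnInfo = IceSSL::ConnectionInfoPtr::dynamicCast(current.con->getInfo());
++            if(sslConnInfo)
++            {
++                if (sslConnInfo->certs.empty() ||
++                    !IceSSL::Certificate::decode(sslConnInfo->certs[0])->getSubjectDN().match("CN=" + info->name))
++                {
++                    if(traceLevels->node > 0)
++                    {
++                        Ice::Trace out(logger, traceLevels->nodeCat);
++                        out << "certificate CN doesn't match node name `" << info->name << "'";
++                    }
++                    throw PermissionDeniedException("certificate CN doesn't match node name `" + info->name + "'");
++                }
++            }
++            else
++            {
++                if(traceLevels->node > 0)
++                {
++                    Ice::Trace out(logger, traceLevels->nodeCat);
++                    out << "node certificate for `" << info->name << "' is required to connect to this registry";
++                }
++                throw PermissionDeniedException("node certificate is required to connect to this registry");
++            }
++        }
++        catch(const PermissionDeniedException& ex)
++        {
++            throw ex;
++        }
++        catch(const IceUtil::Exception&)
++        {
++            if(traceLevels->node > 0)
++            {
++                Ice::Trace out(logger, traceLevels->nodeCat);
++                out << "unexpected exception while verifying certificate for node `" << info->name << "'";
++            }
++            throw PermissionDeniedException("unable to verify certificate for node `" + info->name + "'");
++        }
++    }
++ 
+     try
+     {
+         NodeSessionIPtr session = new NodeSessionI(_database, node, info, _nodeSessionTimeout, load);
+@@ -68,7 +121,56 @@ InternalRegistryI::registerReplica(const InternalReplicaInfoPtr& info,
+                                    const InternalRegistryPrx& prx,
+                                    const Ice::Current& current)
+ {
+-    const Ice::LoggerPtr logger = _database->getTraceLevels()->logger;
++    const TraceLevelsPtr traceLevels = _database->getTraceLevels();
++    const Ice::LoggerPtr logger = traceLevels->logger;
++    if(!info || !prx)
++    {
++        return 0;
++    }
++
++    if(_requireReplicaCertCN)
++    {
++        try
++        {
++            IceSSL::ConnectionInfoPtr sslConnInfo = IceSSL::ConnectionInfoPtr::dynamicCast(current.con->getInfo());
++            if(sslConnInfo)
++            {
++                if (sslConnInfo->certs.empty() ||
++                    !IceSSL::Certificate::decode(sslConnInfo->certs[0])->getSubjectDN().match("CN=" + info->name))
++                {
++                    if(traceLevels->replica > 0)
++                    {
++                        Ice::Trace out(logger, traceLevels->replicaCat);
++                        out << "certificate CN doesn't match replica name `" << info->name << "'";
++                    }
++                    throw PermissionDeniedException("certificate CN doesn't match replica name `" + info->name + "'");
++                }
++            }
++            else
++            {
++                if(traceLevels->replica > 0)
++                {
++                    Ice::Trace out(logger, traceLevels->replicaCat);
++                    out << "replica certificate for `" << info->name << "' is required to connect to this registry";
++                }
++                throw PermissionDeniedException("replica certificate is required to connect to this registry");
++            }
++        }
++        catch(const PermissionDeniedException& ex)
++        {
++            throw ex;
++        }
++        catch(const IceUtil::Exception&)
++        {
++            if(traceLevels->replica > 0)
++            {
++                Ice::Trace out(logger, traceLevels->replicaCat);
++                out << "unexpected exception while verifying certificate for replica `" << info->name << "'";
++            }
++            throw PermissionDeniedException("unable to verify certificate for replica `" + info->name + "'");
++        }
++    }
++    
+     try
+     {
+         ReplicaSessionIPtr s = new ReplicaSessionI(_database, _wellKnownObjects, info, prx, _replicaSessionTimeout);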
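Review bot: In the constructor hunk `_requireReplicaCertCN` is read from `IceGrid.Registry.RequireNodeCertCN` instead of `IceGrid.Registry.RequireReplicaCertCN`, so the replica check is keyed off the node setting and a deployment that sets only `RequireReplicaCertCN=1` gets no replica CN enforcement at all; the line should read `_requireReplicaCertCN = properties->getPropertyAsIntWithDefault("IceGrid.Registry.RequireReplicaCertCN", 0);`. The demo hides this because config.master sets both properties to 1. In both `registerNode` and `registerReplica` the raw `info->name` is concatenated into the RFC 2253 string handed to `match()`, so a name containing `,`, `+`, `=` or `"` is presumably parsed as extra attributes or rejected by the DN parser and then surfaces as "unable to verify certificate" rather than as a name mismatch; escaping the value or comparing the CN attribute directly would make the check exact. `catch(const PermissionDeniedException& ex) { throw ex; }` should be a plain `throw;` to rethrow the original object. The two verification blocks are otherwise identical apart from the trace level, category and noun, and would be easier to keep consistent as one private helper.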
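--- /dev/null
+++ b/usr/ports/devel/ice/files/patch-cpp-src-IceGrid-InternalRegistryI.h
@@ -0,0 +1,11 @@
+--- cpp/src/IceGrid/InternalRegistryI.h.orig	Wed Jun 15 19:43:59 2011
++++ cpp/src/IceGrid/InternalRegistryI.h	Tue Jul 12 15:32:00 2011
+@@ -68,6 +68,8 @@ private:
+     ReplicaSessionManager& _session;
+     int _nodeSessionTimeout;
+     int _replicaSessionTimeout;
++    bool _requireNodeCertCN;
++    bool _requireReplicaCertCN;
+ };
+     
+ };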
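--- /dev/null
+++ b/usr/ports/devel/ice/files/patch-cpp-src-IceGrid-NodeSessionManager.cpp
@@ -0,0 +1,17 @@
+--- cpp/src/IceGrid/NodeSessionManager.cpp.orig	Wed Jun 15 19:43:59 2011
++++ cpp/src/IceGrid/NodeSessionManager.cpp	Tue Jul 12 15:32:00 2011
+@@ -110,6 +110,14 @@ NodeSessionKeepAliveThread::createSession(InternalRegistryPrx& registry, IceUtil
+         }
+         exception.reset(ex.ice_clone());
+     }
++    catch(const PermissionDeniedException& ex)
++    {
++        if(traceLevels)
++        { 
++            traceLevels->logger->error("connection to the the registry `" + _name + "' was denied:\n" + ex.reason);
++        }
++        exception.reset(ex.ice_clone());
++    }
+     catch(const Ice::Exception& ex)
+     {
+         exception.reset(ex.ice_clone());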
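Review bot: The new error message reads `connection to the the registry` (doubled word) both here and in the matching hunk of ReplicaSessionManager.cpp; suggest `"connection to the registry `" + _name + "' was denied:\n" + ex.reason` in both places. The handler otherwise mirrors the preceding catch block and stores the exception for the caller, which presumably means the keep-alive loop (outside this hunk) retries at its usual interval; a certificate CN mismatch is not transient, so it is worth confirming that a denied registration does not simply re-log this error on every retry. The enclosing createSession body starts and ends outside the hunk.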
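--- /dev/null
+++ b/usr/ports/devel/ice/files/patch-cpp-src-IceGrid-ReplicaSessionManager.cpp
@@ -0,0 +1,17 @@
+--- cpp/src/IceGrid/ReplicaSessionManager.cpp.orig	Wed Jun 15 19:43:59 2011
++++ cpp/src/IceGrid/ReplicaSessionManager.cpp	Tue Jul 12 15:32:00 2011
+@@ -500,6 +500,14 @@ ReplicaSessionManager::createSession(InternalRegistryPrx& registry, IceUtil::Tim
+         }
+         exception.reset(ex.ice_clone());
+     }
++    catch(const PermissionDeniedException& ex)
++    {
++        if(_traceLevels)
++        {
++            _traceLevels->logger->error("connection to the the registry `" + _name + "' was denied:\n" + ex.reason);
++        }
++        exception.reset(ex.ice_clone());
++    }
+     catch(const Ice::Exception& ex)
+     {
+         exception.reset(ex.ice_clone());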
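--- /dev/null
+++ b/usr/ports/devel/ice/files/patch-cs-src-Ice-PropertyNames.cs
@@ -0,0 +1,20 @@
+--- cs/src/Ice/PropertyNames.cs.orig	Wed Jun 15 19:43:59 2011
++++ cs/src/Ice/PropertyNames.cs	Tue Jul 12 15:32:00 2011
+@@ -8,7 +8,7 @@
+ // **********************************************************************
+ 
+ //
+-// Generated by makeprops.py from file ..\config\PropertyNames.xml, Mon May 09 07:39:43 2011
++// Generated by makeprops.py from file ../config/PropertyNames.xml, Tue Jul 12 07:22:34 2011
+ 
+ // IMPORTANT: Do not edit this file -- any edits made here will be lost!
+ 
+@@ -325,6 +325,8 @@ namespace IceInternal
+              new Property(@"^IceGrid\.Registry\.PermissionsVerifier$", false, null),
+              new Property(@"^IceGrid\.Registry\.ReplicaName$", false, null),
+              new Property(@"^IceGrid\.Registry\.ReplicaSessionTimeout$", false, null),
++             new Property(@"^IceGrid\.Registry\.RequireNodeCertCN$", false, null),
++             new Property(@"^IceGrid\.Registry\.RequireReplicaCertCN$", false, null),
+              new Property(@"^IceGrid\.Registry\.Server\.ACM$", false, null),
+              new Property(@"^IceGrid\.Registry\.Server\.AdapterId$", false, null),
+              new Property(@"^IceGrid\.Registry\.Server\.Endpoints$", false, null),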
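--- /dev/null
+++ b/usr/ports/devel/ice/files/patch-java-src-IceInternal-PropertyNames.java
@@ -0,0 +1,20 @@
+--- java/src/IceInternal/PropertyNames.java.orig	Wed Jun 15 19:43:59 2011
++++ java/src/IceInternal/PropertyNames.java	Tue Jul 12 15:32:00 2011
+@@ -8,7 +8,7 @@
+ // **********************************************************************
+ 
+ //
+-// Generated by makeprops.py from file ..\config\PropertyNames.xml, Mon May 09 07:39:43 2011
++// Generated by makeprops.py from file ../config/PropertyNames.xml, Tue Jul 12 07:22:34 2011
+ 
+ // IMPORTANT: Do not edit this file -- any edits made here will be lost!
+ 
+@@ -325,6 +325,8 @@ public final class PropertyNames
+         new Property("IceGrid\\.Registry\\.PermissionsVerifier", false, null),
+         new Property("IceGrid\\.Registry\\.ReplicaName", false, null),
+         new Property("IceGrid\\.Registry\\.ReplicaSessionTimeout", false, null),
++        new Property("IceGrid\\.Registry\\.RequireNodeCertCN", false, null),
++        new Property("IceGrid\\.Registry\\.RequireReplicaCertCN", false, null),
+         new Property("IceGrid\\.Registry\\.Server\\.ACM", false, null),
+         new Property("IceGrid\\.Registry\\.Server\\.AdapterId", false, null),
+         new Property("IceGrid\\.Registry\\.Server\\.Endpoints", false, null),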
