srm: Make supported SRM protocol versions configurable

Motivation:

SRM 1 and 1.1 is not supposed to be used anymore. As a first step towards
removing this legacy code from dCache, we need to allow sites to disable
support for it.  Later we may disable it by default and eventually remove it
entirely.

Modification:

Adds the srm.version property. It defaults to 1,2, i.e. all supported protocol
versions are enabled.

Result:

No observable change in default behaviour, but if a particular version is
disabled, clients using that version will receive an error.

Target: trunk
Require-notes: yes
Require-book: yes
Acked-by: Paul Millar <paul.millar@desy.de>
Patch: https://rb.dcache.org/r/8293/

modules/dcache-srm/src/main/resources/diskCacheV111/srm/srm.xml

@@ -245,6 +245,7 @@
               value="#{T(java.util.concurrent.TimeUnit).SECONDS.convert(
                      ${srm.limits.external-copy-script.timeout},
                      '${srm.limits.external-copy-script.timeout.unit}')}" />
+    <property name="versions" value="${srm.version}"/>
     <property name="srmHost" value="${srm.net.host}"/>
     <property name="srmHostsAsArray" value="${srm.net.local-hosts}"/>
     <property name="caCertificatePath" value="${srm.authn.capath}"/>

modules/srm-server/src/main/java/org/dcache/srm/SrmCommandLineInterface.java

@@ -72,6 +72,8 @@ LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
 
 import java.util.ArrayList;
 import java.util.Collection;
+import java.util.Collections;
+import java.util.List;
 import java.util.Map;
 import java.util.Set;
 import java.util.concurrent.Callable;
@@ -94,6 +96,8 @@ LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
 import org.dcache.srm.util.Configuration;
 import org.dcache.util.Args;
 
+import static java.util.Arrays.asList;
+
 public class SrmCommandLineInterface
         implements CellCommandListener
 {
@@ -652,17 +656,41 @@ private <T extends Request> void listRequests(StringBuilder sb, Class<T> clazz)
 
     public String ac_print_srm_counters_$_0(Args args)
     {
-        return srm.getSrmServerV1Counters().toString() +
-                '\n' +
-                srm.getSrmServerV2Counters().toString() +
-                '\n' +
-                srm.getAbstractStorageElementCounters().toString() +
-                '\n' +
-                srm.getSrmServerV1Gauges().toString() +
-                '\n' +
-                srm.getSrmServerV2Gauges().toString() +
-                '\n' +
-                srm.getAbstractStorageElementGauges().toString();
+        List<String> versions = asList(config.getVersions());
+        boolean isVersion1Enabled = versions.contains("1");
+        boolean isVersion2Enabled = versions.contains("2");
+        if (isVersion2Enabled && isVersion1Enabled) {
+            return srm.getSrmServerV1Counters().toString() +
+                   '\n' +
+                   srm.getSrmServerV2Counters().toString() +
+                   '\n' +
+                   srm.getAbstractStorageElementCounters().toString() +
+                   '\n' +
+                   srm.getSrmServerV1Gauges().toString() +
+                   '\n' +
+                   srm.getSrmServerV2Gauges().toString() +
+                   '\n' +
+                   srm.getAbstractStorageElementGauges().toString();
+        }
+        if (isVersion2Enabled && !isVersion1Enabled) {
+            return srm.getSrmServerV2Counters().toString() +
+                   '\n' +
+                   srm.getAbstractStorageElementCounters().toString() +
+                   '\n' +
+                   srm.getSrmServerV2Gauges().toString() +
+                   '\n' +
+                   srm.getAbstractStorageElementGauges().toString();
+        }
+        if (!isVersion2Enabled && isVersion1Enabled) {
+            return srm.getSrmServerV1Counters().toString() +
+                   '\n' +
+                   srm.getAbstractStorageElementCounters().toString() +
+                   '\n' +
+                   srm.getSrmServerV1Gauges().toString() +
+                   '\n' +
+                   srm.getAbstractStorageElementGauges().toString();
+        }
+        return "";
     }
 
     public static final String fh_db_history_log = " Syntax: db history log [on|off] " +

modules/srm-server/src/main/java/org/dcache/srm/server/SRMServerV1.java

@@ -5,6 +5,8 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import java.rmi.RemoteException;
+
 import org.dcache.commons.stats.RequestCounters;
 import org.dcache.commons.stats.RequestExecutionTimeGauges;
 import org.dcache.srm.SRM;
@@ -25,6 +27,7 @@ public class SRMServerV1 implements org.dcache.srm.client.axis.ISRM_PortType{
     private final RequestCounters<String> srmServerCounters;
     private final RequestExecutionTimeGauges<String> srmServerGauges;
     private final boolean isClientDNSLookup;
+    private final boolean isEnabled;
 
     public SRMServerV1()
     {
@@ -42,6 +45,15 @@ public SRMServerV1()
          srmServerGauges = srm.getSrmServerV1Gauges();
     }
 
+    private void checkEnabled() throws RemoteException
+    {
+        if (!isEnabled) {
+            log.warn("Rejecting SRM v1 client request from '{}' by '{}' because SRM v1 is disabled.",
+                     Axis.getRemoteAddress(), Axis.getDN().orElse(""));
+            throw new java.rmi.RemoteException("SRM version 1 is not supported by this server.");
+        }
+    }
+
     private String getRemoteHost() {
         String remoteIP = Axis.getRemoteAddress();
         return isClientDNSLookup ?
@@ -60,6 +72,7 @@ private void incrementRequest(String operation) {
     public org.dcache.srm.client.axis.RequestStatus put(java.lang.String[] arg0,
             java.lang.String[] arg1, long[] arg2, boolean[] arg3, java.lang.String[] arg4)
             throws java.rmi.RemoteException {
+      checkEnabled();
       long startTimeStamp = System.currentTimeMillis();
       String methodName = "put";
       try (JDC ignored = JDC.createSession("srm1:put")) {
@@ -97,6 +110,7 @@ public org.dcache.srm.client.axis.RequestStatus put(java.lang.String[] arg0,
 
     @Override
     public org.dcache.srm.client.axis.RequestStatus get(java.lang.String[] arg0, java.lang.String[] arg1) throws java.rmi.RemoteException {
+      checkEnabled();
       long startTimeStamp = System.currentTimeMillis();
       String methodName = "get";
       incrementRequest(methodName);
@@ -134,6 +148,7 @@ public org.dcache.srm.client.axis.RequestStatus get(java.lang.String[] arg0, jav
 
     @Override
     public org.dcache.srm.client.axis.RequestStatus copy(java.lang.String[] arg0, java.lang.String[] arg1, boolean[] arg2) throws java.rmi.RemoteException {
+      checkEnabled();
       long startTimeStamp = System.currentTimeMillis();
       String methodName = "copy";
       incrementRequest(methodName);
@@ -172,6 +187,7 @@ public org.dcache.srm.client.axis.RequestStatus copy(java.lang.String[] arg0, ja
 
     @Override
     public boolean ping() throws java.rmi.RemoteException {
+      checkEnabled();
       long startTimeStamp = System.currentTimeMillis();
       String methodName = "ping";
       incrementRequest(methodName);
@@ -194,6 +210,7 @@ public boolean ping() throws java.rmi.RemoteException {
 
     @Override
     public org.dcache.srm.client.axis.RequestStatus pin(java.lang.String[] arg0) throws java.rmi.RemoteException {
+      checkEnabled();
       long startTimeStamp = System.currentTimeMillis();
       String methodName = "pin";
       incrementRequest(methodName);
@@ -217,6 +234,7 @@ public org.dcache.srm.client.axis.RequestStatus pin(java.lang.String[] arg0) thr
 
     @Override
     public org.dcache.srm.client.axis.RequestStatus unPin(java.lang.String[] arg0, int arg1) throws java.rmi.RemoteException {
+      checkEnabled();
       long startTimeStamp = System.currentTimeMillis();
       String methodName = "unPin";
       incrementRequest(methodName);
@@ -240,6 +258,7 @@ public org.dcache.srm.client.axis.RequestStatus unPin(java.lang.String[] arg0, i
 
     @Override
     public org.dcache.srm.client.axis.RequestStatus setFileStatus(int arg0, int arg1, java.lang.String arg2) throws java.rmi.RemoteException {
+      checkEnabled();
       long startTimeStamp = System.currentTimeMillis();
       String methodName = "setFileStatus";
       incrementRequest(methodName);
@@ -271,6 +290,7 @@ public org.dcache.srm.client.axis.RequestStatus setFileStatus(int arg0, int arg1
 
     @Override
     public org.dcache.srm.client.axis.RequestStatus getRequestStatus(int arg0) throws java.rmi.RemoteException {
+      checkEnabled();
       long startTimeStamp = System.currentTimeMillis();
       String methodName = "getRequestStatus";
       incrementRequest(methodName);
@@ -303,7 +323,8 @@ public org.dcache.srm.client.axis.RequestStatus getRequestStatus(int arg0) throw
     @Override
     public org.dcache.srm.client.axis.FileMetaData[] getFileMetaData(
     java.lang.String[] arg0) throws java.rmi.RemoteException {
-              log.debug("Entering ISRMImpl.getFileMetaData");
+      checkEnabled();
+      log.debug("Entering ISRMImpl.getFileMetaData");
       long startTimeStamp = System.currentTimeMillis();
       String methodName = "mkPermanent";
       incrementRequest(methodName);
@@ -337,6 +358,7 @@ public org.dcache.srm.client.axis.FileMetaData[] getFileMetaData(
 
     @Override
     public org.dcache.srm.client.axis.RequestStatus mkPermanent(java.lang.String[] arg0) throws java.rmi.RemoteException {
+      checkEnabled();
       long startTimeStamp = System.currentTimeMillis();
       String methodName = "mkPermanent";
       incrementRequest(methodName);
@@ -369,6 +391,7 @@ public org.dcache.srm.client.axis.RequestStatus mkPermanent(java.lang.String[] a
 
     @Override
     public org.dcache.srm.client.axis.RequestStatus getEstGetTime(java.lang.String[] arg0, java.lang.String[] arg1) throws java.rmi.RemoteException {
+      checkEnabled();
       long startTimeStamp = System.currentTimeMillis();
       String methodName = "getEstGetTime";
       incrementRequest(methodName);
@@ -402,6 +425,7 @@ public org.dcache.srm.client.axis.RequestStatus getEstGetTime(java.lang.String[]
 
     @Override
     public org.dcache.srm.client.axis.RequestStatus getEstPutTime(java.lang.String[] arg0, java.lang.String[] arg1, long[] arg2, boolean[] arg3, java.lang.String[] arg4) throws java.rmi.RemoteException {
+      checkEnabled();
       long startTimeStamp = System.currentTimeMillis();
       String methodName = "getEstPutTime";
       incrementRequest(methodName);
@@ -435,6 +459,7 @@ public org.dcache.srm.client.axis.RequestStatus getEstPutTime(java.lang.String[]
 
     @Override
     public void advisoryDelete(java.lang.String[] arg0) throws java.rmi.RemoteException {
+      checkEnabled();
       long startTimeStamp = System.currentTimeMillis();
       String methodName = "advisoryDelete";
       incrementRequest(methodName);
@@ -466,6 +491,7 @@ public void advisoryDelete(java.lang.String[] arg0) throws java.rmi.RemoteExcept
 
     @Override
     public java.lang.String[] getProtocols() throws java.rmi.RemoteException {
+      checkEnabled();
       long startTimeStamp = System.currentTimeMillis();
       String methodName = "getProtocols";
       incrementRequest(methodName);

modules/srm-server/src/main/java/org/dcache/srm/server/SRMServerV2.java

@@ -89,6 +89,7 @@ LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
 import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
 import java.util.Arrays;
+import java.util.Collections;
 import java.util.HashMap;
 import java.util.Map;
 import java.util.Set;
@@ -191,6 +192,7 @@ LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
 import org.dcache.srm.v2_2.TStatusCode;
 import org.dcache.util.NetLoggerBuilder;
 
+import static java.util.Arrays.asList;
 import static org.dcache.srm.v2_2.TStatusCode.*;
 
 public class SRMServerV2 implements ISRM  {
@@ -215,6 +217,7 @@ public class SRMServerV2 implements ISRM  {
             { new RequestExecutionTimeGaugeLogger(), new CounterLogger(), new AccessLogger() };
 
     private final ArrayOfTExtraInfo pingExtraInfo;
+    private final boolean isEnabled;
 
     public SRMServerV2()
     {
@@ -228,6 +231,7 @@ public SRMServerV2()
         srmServerGauges = srm.getSrmServerV2Gauges();
         pingExtraInfo = buildExtraInfo(config.getPingExtraInfo());
         isClientDNSLookup = config.isClientDNSLookup();
+        isEnabled = asList(config.getVersions()).contains("2");
     }
 
     private ArrayOfTExtraInfo buildExtraInfo(Map<String,String> items)
@@ -246,7 +250,13 @@ private ArrayOfTExtraInfo buildExtraInfo(Map<String,String> items)
         return new ArrayOfTExtraInfo(extraInfo);
     }
 
-    private Object handleRequest(String requestName, Object request)  throws RemoteException {
+    private Object handleRequest(String requestName, Object request)  throws RemoteException
+    {
+        if (!isEnabled) {
+            LOGGER.warn("Rejecting SRM v2 client request from '{}' by '{}' because SRM v2 is disabled.",
+                        Axis.getRemoteAddress(), Axis.getDN().orElse(""));
+            throw new java.rmi.RemoteException("SRM version 2 is not supported by this server.");
+        }
         long startTimeStamp = System.currentTimeMillis();
         // requestName values all start "srm".  This is redundant, so may
         // be removed when creating the session id.  The initial character is

modules/srm-server/src/main/java/org/dcache/srm/util/Configuration.java

@@ -211,6 +211,7 @@ public class Configuration {
     private String vomsdir;
 
     private ImmutableMap<String,String> pingExtraInfo = ImmutableMap.of();
+    private String[] versions;
 
     /** Creates a new instance of Configuration */
     public Configuration() {
@@ -1150,6 +1151,16 @@ public String getVomsdir()
         return vomsdir;
     }
 
+    public String[] getVersions()
+    {
+        return versions;
+    }
+
+    public void setVersions(String[] versions)
+    {
+        this.versions = versions;
+    }
+
     public class DatabaseParameters
     {
         private final String name;

skel/share/defaults/srm.properties

@@ -21,6 +21,13 @@ srm.cell.subscribe=${srm.loginbroker.update-topic},${srm.loginbroker.request-top
 srm.cell.limits.message.threads.max = 10
 srm.cell.limits.message.queue.max = 100
 
+#
+# SRM versions to support.
+#
+# Comma separated list of SRM versions to support.
+#
+(any-of?1|2)srm.version=1,2
+
 #  ---- TCP Port
 #
 #  The port SRM will listen on for GSI-based communication.  GSI is an

skel/share/services/srm.batch

@@ -9,6 +9,7 @@ check -strong srm.cell.export
 check srm.cell.subscribe
 check -strong srm.cell.limits.message.threads.max
 check -strong srm.cell.limits.message.queue.max
+check -strong srm.version
 
 check -strong srm.net.port
 check -strong srm.net.ssl-port