prepare containers for webdav tests

Install voms-client into the dev container: xrdgsiproxy generates wrong proxy
certificates, which don't work with standart SSL.

Rework the webdav container:
- move compilation of mod-want-digest into a deb package. This way, the correct
configuration for usage with a2enmod is created by existing helper scripts.
- add a self-written module which enables support of gsi proxy certificates
in mod_ssl.
- rework and simplify the dockerfile.

dev/Dockerfile

@@ -47,6 +47,7 @@ RUN dnf -y install yum-utils epel-release.noarch && \
         rclone \
         rsync \
         vim \
+        voms-clients-java \
         which \
         xmlsec1-devel \
         xmlsec1-openssl-devel \

webdav/Dockerfile

@@ -1,84 +1,55 @@
-FROM httpd:latest
 
-# These variables are inherited from the httpd:alpine image:
-# ENV HTTPD_PREFIX /usr/local/apache2
-# WORKDIR "$HTTPD_PREFIX"
+FROM ubuntu:noble as deb_builder
+RUN set -ex; \
+    apt-get update; \
+    apt-get install -y \
+      apache2-dev \
+      apache2-ssl-dev \
+      build-essential \
+      curl \
+      libaprutil1-dev \
+      libapr1-dev \
+      libtool \
+      zlib1g-dev
+
+COPY libapache2-mod-want-digest/ mod-want-digest/
+RUN cd mod-want-digest/; dpkg-buildpackage
+
+COPY libapache2-mod-gsiproxy mod-gsiproxy
+RUN cd mod-gsiproxy; dpkg-buildpackage
 
-# Copy in our configuration files.
-COPY conf/ conf/
+
+FROM ubuntu:noble
 
 RUN set -ex; \
-    # Download current `mod_want_digest.c` file (and store into root dir)
-    cd /;\
     apt-get update; \
-    apt-get install -y curl; \
-    curl -LJ https://github.com/wetzel-desy/mod_want_digest/tarball/main -o wetzel-desy-tarball; \
-    tar -xf wetzel-desy-tarball; \
-    FILENAME=$(find . -name mod_want_digest.c); \
-    mv $FILENAME .; \
-    rm -rf wetzel-desy-*; \
-    cd $HTTPD_PREFIX;\
-    \
-    # Create empty default DocumentRoot.
-    mkdir -p "/var/www/html"; \
-    # Create directories for Dav data and lock database.
-    mkdir -p "/var/lib/dav/data"; \
-    touch "/var/lib/dav/DavLock"; \
-    chown -R www-data:www-data "/var/lib/dav"; \
-    \
-    # Enable DAV modules.
-    for i in dav dav_fs; do \
-        sed -i -e "/^#LoadModule ${i}_module.*/s/^#//" "conf/httpd.conf"; \
-    done; \
-    \
-    # Make sure authentication modules are enabled.
-    for i in authn_core authn_file authz_core authz_user auth_basic auth_digest; do \
-        sed -i -e "/^#LoadModule ${i}_module.*/s/^#//" "conf/httpd.conf"; \
-    done; \
-    \
-    # Make sure other modules are enabled.
-    for i in alias headers mime setenvif; do \
-        sed -i -e "/^#LoadModule ${i}_module.*/s/^#//" "conf/httpd.conf"; \
-    done; \
-    \
-    # Run httpd as "www-data" (instead of "daemon").
-    for i in User Group; do \
-        sed -i -e "s|^$i .*|$i www-data|" "conf/httpd.conf"; \
-    done; \
-    \
-    # Include enabled configs and sites.
-    printf '%s\n' "Include conf/conf-enabled/*.conf" \
-        >> "conf/httpd.conf"; \
-    printf '%s\n' "Include conf/sites-enabled/*.conf" \
-        >> "conf/httpd.conf"; \
-    \
-    # Write output to file and to std(err|out)???
-    sed -i -e 's/\/proc\/self\/fd\/2/"|\$tee -a \/proc\/self\/fd\/2 \/usr\/local\/apache2\/logs\/apacheerrors.log"/g' conf/httpd.conf; \
-    sed -i -e 's/LogLevel warn/LogLevel debug/g' conf/httpd.conf; \
-    touch logs/apacheerrors.log; \
-    \
-    # Enable dav and default site.
-    mkdir -p "conf/conf-enabled"; \
-    mkdir -p "conf/sites-enabled"; \
-    ln -s ../conf-available/dav.conf "conf/conf-enabled"; \
-    ln -s ../sites-available/default.conf "conf/sites-enabled"; \
-    # Install openssl if we need to generate a self-signed certificate.
-    # apk add --no-cache openssl
-    apt-get install openssl; \
-    \
-    # install mod_want_digest
-    mv /mod_want_digest.c mod_want_digest.c; \
-    apt-get install -y libtool libaprutil1-dev libapr1-dev zlib1g-dev build-essential; \
-    ln -s /usr/lib/x86_64-linux-gnu/libz.so /usr/lib/x86_64-linux-gnu/libzlib.so; \
-    apxs -c -lzlib mod_want_digest.c; \
-    apxs -ia mod_want_digest.la; \
-    \
-    # enable SSL
-    ln -s "../sites-available/default-ssl.conf" "conf/sites-enabled"; \
-    sed -i -e "/^#LoadModule ssl_module.*/s/^#//" "conf/httpd.conf"
+    apt-get install -y \
+      apache2 \
+      apache2-dev \
+      libapache2-mod-auth-openidc \
+      libapache2-mod-oauth2 \
+      gridsite \
+    ; \
+    apt-get clean
+
+
+# Configure apache
+COPY conf/ conf/
+RUN set -ex; \
+    cp -R conf/* /etc/apache2/; \
+    # Create directory for webdav
+    mkdir -p /var/www/webdav/digests /var/www/webdav/data; \
+    chown -R www-data:www-data /var/www/webdav; \
+    \
+    a2enmod dav dav_fs auth_basic auth_digest auth_openidc alias headers mime setenvif; \
+    a2dismod zgridsite; \
+    a2dissite 000-default
 
+# Install compiled modules
+COPY --from=deb_builder /*.deb /tmp/
+RUN dpkg -i /tmp/*.deb
 
 COPY docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
 EXPOSE 80/tcp 443/tcp
 ENTRYPOINT [ "docker-entrypoint.sh" ]
-CMD [ "httpd-foreground" ]
+CMD ["apache2","-D","FOREGROUND"]

webdav/conf/sites-available/default-ssl.conf

@@ -1,18 +1,29 @@
-Listen 443
 <VirtualHost *:443>
-  Protocols h2 http/1.1
   ServerName localhost
-  DocumentRoot "/var/www/html/"
-  <Directory "/var/www/html/">
-    Require all denied
-  </Directory>
+  DocumentRoot /var/www/webdav/data/
+
   CustomLog /proc/self/fd/1 combined
   ErrorLog /proc/self/fd/2
+
   SSLEngine on
-  SSLCertificateFile /web1cert.pem
-  SSLCertificateKeyFile /web1key.pem
-  SSLProtocol all -SSLv3
+  SSLCertificateFile /etc/grid-security/hostcert.pem
+  SSLCertificateKeyFile /etc/grid-security/hostkey.pem
+  SSLCACertificatePath /etc/grid-security/certificates/
+  SSLVerifyClient require
+  SSLVerifyDepth 10
+  SSLOptions +StdEnvVars
+  SSLProtocol TLSv1.2
   SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
-  SSLHonorCipherOrder on
-  SSLSessionTickets off
+
+  AllowEncodedSlashes on
+
+  <Location />
+    Dav On
+    Options Indexes FollowSymLinks
+    DigestRootDir /var/www/webdav/digests/
+
+    <RequireAny>
+      Require all granted
+    </RequireAny>
+  </Location>
 </VirtualHost>

webdav/conf/sites-available/default.conf

@@ -1,11 +1,19 @@
 <VirtualHost *:80>
   ServerName localhost
-  DocumentRoot "/var/www/html/"
-  <Directory "/var/www/html/">
-    Require all denied
-  </Directory>
+  DocumentRoot /var/www/webdav/data/
+
   CustomLog /proc/self/fd/1 combined
   ErrorLog /proc/self/fd/2
-  # This lets certain DAV methods work behind an SSL reverse proxy.
-  RequestHeader edit Destination ^https http early
+
+  AllowEncodedSlashes on
+
+  <Location />
+    Dav On
+    Options Indexes FollowSymLinks
+    DigestRootDir /var/www/webdav/digests/
+
+    <RequireAny>
+      Require all granted
+    </RequireAny>
+  </Location>
 </VirtualHost>

webdav/docker-entrypoint.sh

@@ -1,61 +1,14 @@
 #!/bin/sh
 set -e
 
+. /etc/apache2/envvars
 
-# Just in case this environment variable has gone missing.
-HTTPD_PREFIX="${HTTPD_PREFIX:-/usr/local/apache2}"
-
-# Configure vhosts.
-if [ "x$SERVER_NAMES" != "x" ]; then
-    # Use first domain as Apache ServerName.
-    SERVER_NAME="${SERVER_NAMES%%,*}"
-    sed -e "s|ServerName .*|ServerName $SERVER_NAME|" \
-        -i "$HTTPD_PREFIX"/conf/sites-available/default*.conf
-
-    # Replace commas with spaces and set as Apache ServerAlias.
-    SERVER_ALIAS="`printf '%s\n' "$SERVER_NAMES" | tr ',' ' '`"
-    sed -e "/ServerName/a\ \ ServerAlias $SERVER_ALIAS" \
-        -i "$HTTPD_PREFIX"/conf/sites-available/default*.conf
-fi
-
-# Configure dav.conf
-if [ "x$LOCATION" != "x" ]; then
-    sed -e "s|Alias .*|Alias $LOCATION /var/lib/dav/data/|" \
-        -i "$HTTPD_PREFIX/conf/conf-available/dav.conf"
-fi
-if [ "x$REALM" != "x" ]; then
-    sed -e "s|AuthName .*|AuthName \"$REALM\"|" \
-        -i "$HTTPD_PREFIX/conf/conf-available/dav.conf"
+# Certificates have been mounted by the user.
+a2dismod zgridsite
+if [ -e /etc/grid-security/hostcert.pem ] && [ -e /etc/grid-security/hostkey.pem ]; then
+  a2ensite default-ssl
 else
-    REALM="WebDAV"
+  a2dissite default
 fi
-if [ "x$AUTH_TYPE" != "x" ]; then
-    # Only support "Basic" and "Digest".
-    if [ "$AUTH_TYPE" != "Basic" ] && [ "$AUTH_TYPE" != "Digest" ]; then
-        printf '%s\n' "$AUTH_TYPE: Unknown AuthType" 1>&2
-        exit 1
-    fi
-    sed -e "s|AuthType .*|AuthType $AUTH_TYPE|" \
-        -i "$HTTPD_PREFIX/conf/conf-available/dav.conf"
-fi
-
-# This will either be the self-signed certificate generated above or one that
-# has been bind mounted in by the user.
-if [ -e /privkey.pem ] && [ -e /cert.pem ]; then
-    # Enable SSL Apache modules.
-    for i in http2 ssl; do
-        sed -e "/^#LoadModule ${i}_module.*/s/^#//" \
-            -i "$HTTPD_PREFIX/conf/httpd.conf"
-    done
-    # Enable SSL vhost.
-    ln -sf ../sites-available/default-ssl.conf \
-        "$HTTPD_PREFIX/conf/sites-enabled"
-fi
-
-# Create directories for Dav data and lock database.
-[ ! -d "/var/lib/dav/data" ] && mkdir -p "/var/lib/dav/data"
-[ ! -d "/var/lib/dav/data/rucio" ] && mkdir -p "/var/lib/dav/data/rucio"
-[ ! -e "/var/lib/dav/DavLock" ] && touch "/var/lib/dav/DavLock"
-chown -R www-data:www-data "/var/lib/dav"
 
 exec "$@"

webdav/libapache2-mod-gsiproxy/debian/apache2

@@ -0,0 +1,2 @@
+mod .libs/mod_gsiproxy.so
+mod debian/conf/zgsiproxy.load

webdav/libapache2-mod-gsiproxy/debian/changelog

@@ -0,0 +1,5 @@
+libapache2-mod-gsiproxy (1.0.0) stable; urgency=medium
+
+  * Initial commit
+
+ -- Radu Carpa <radu.carpa@cern.ch>  Fri, 22 Dec 2023 11:39:22 +0100

webdav/libapache2-mod-gsiproxy/debian/compat

@@ -0,0 +1 @@
+12

webdav/libapache2-mod-gsiproxy/debian/conf/zgsiproxy.load

@@ -0,0 +1,2 @@
+# Depends: ssl
+LoadModule gsi_proxy_certs_module /usr/lib/apache2/modules/mod_gsiproxy.so

webdav/libapache2-mod-gsiproxy/debian/control

@@ -0,0 +1,15 @@
+Source: libapache2-mod-gsiproxy
+Maintainer: Rucio
+Section: web
+Priority: optional
+Standards-Version: 1.0.0
+Build-Depends:
+ apache2-dev,
+ apache2-ssl-dev
+
+Package: libapache2-mod-gsiproxy
+Architecture: any
+Depends:
+ ${shlibs:Depends},
+ ${misc:Depends}
+Description: Apache2 module which activates support for GSI X509 proxy certificates in mod_ssl

webdav/libapache2-mod-gsiproxy/debian/rules

@@ -0,0 +1,11 @@
+#!/usr/bin/make -f
+
+override_dh_auto_build:
+	apxs -Wc,-ffile-prefix-map=$(CURDIR)=. -lz -c mod_gsiproxy.c
+
+override_dh_clean:
+	rm -rf .libs
+	dh_clean
+
+%:
+	dh $@ --with apache2

webdav/libapache2-mod-gsiproxy/debian/source/format

@@ -0,0 +1 @@
+3.0 (native)

webdav/libapache2-mod-gsiproxy/mod_gsiproxy.c

@@ -0,0 +1,66 @@
+#include "http_core.h"
+#include "openssl/ssl.h"
+#include "openssl/x509.h"
+#include "mod_ssl.h"
+
+extern module AP_MODULE_DECLARE_DATA ssl_module;
+
+#ifndef BOOL
+#define BOOL unsigned int
+#endif
+
+typedef struct {
+    void    *sc;
+    SSL_CTX *ssl_ctx;
+} modssl_ctx_t;
+
+typedef enum {
+    SSL_ENABLED_UNSET    = -1,
+    SSL_ENABLED_FALSE    = 0,
+    SSL_ENABLED_TRUE     = 1,
+    SSL_ENABLED_OPTIONAL = 3
+} ssl_enabled_t;
+
+typedef struct {
+    void            *mc;
+    ssl_enabled_t    enabled;
+    BOOL             proxy_enabled;
+    const char      *vhost_id;
+    int              vhost_id_len;
+    int              session_cache_timeout;
+    BOOL             cipher_server_pref;
+    BOOL             insecure_reneg;
+    modssl_ctx_t    *server;
+    modssl_ctx_t    *proxy;
+} SSLSrvConfigRec;
+
+int hook_post_config(apr_pool_t *p, apr_pool_t *plog, apr_pool_t *ptemp, server_rec *base_server)
+{
+    SSLSrvConfigRec *sc;
+    server_rec *s;
+    for (s = base_server; s; s = s->next) {
+        sc = (SSLSrvConfigRec *)ap_get_module_config(s->module_config,  &ssl_module);
+        if (sc && sc->enabled && sc->server && sc->server->ssl_ctx){
+            X509_VERIFY_PARAM *param = SSL_CTX_get0_param(sc->server->ssl_ctx);
+            X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_ALLOW_PROXY_CERTS);
+        }
+    }
+    return OK;
+}
+
+static void register_hooks(apr_pool_t *pool)
+{
+    static const char * const dep[] = { "mod_ssl.c", NULL };
+    ap_hook_post_config(hook_post_config, dep, NULL, APR_HOOK_MIDDLE);
+}
+
+module AP_MODULE_DECLARE_DATA gsi_proxy_certs_module =
+{
+    STANDARD20_MODULE_STUFF,
+    NULL,
+    NULL,
+    NULL,
+    NULL,
+    NULL,
+    register_hooks
+};

webdav/libapache2-mod-want-digest/debian/apache2

@@ -0,0 +1,2 @@
+mod .libs/mod_want_digest.so
+mod debian/conf/want_digest.load