Stephen passed on the content of the wget script template (included below). I wanted to raise two issues:
1) I can see a bug in one of the if clauses:
elif [ $X509_USER_CERT ]
then
certFile=$X509_USER_PROXY;
fi
It tests for X509_USER_CERT but then sets X509_USER_PROXY. It looks like it should read instead:
elif [ $X509_USER_CERT ]
then
certFile=$X509_USER_CERT;
fi
2) Also, some SSL settings seem to be missing:
i) I can't see a setting for the CA certificates path. The wget call should include:
--ca-directory=$HOME/.esg/certificates
The MyProxyLogon WebStart should populate this directory by having the download trustroots option set. Without this option the script will not authenticate the peer.
ii) There's no option to save cookies. This is not essential, but if you don't, successive calls will be inefficient since each will require a round trip through the HTTP redirect to the SSL authentication endpoint and back to the data-serving app. With cookies saved, after the initial call authenticating with SSL, the security context is maintained with cookies. wget would need these options:
--keep-session-cookies --save-cookies=$HOME/.esg/cookies.txt --cookies=on
Can you confirm which version(s) of wget you're testing with? There's some variation in command line option syntax in older versions.
I have an example script which includes these options:
http://proj.badc.rl.ac.uk/ndg/browser/TI12-security/trunk/esg_wget_script/esg-download.sh
The Gateway script obviously does not need any of the command line parsing code preamble but the essentials of the wget call are the same.
Thanks for all your work on this stuff,
Phil
#!/bin/sh
# Script was generated by the gateway: ${gateway.name}
<#-- Get the certificate files from the user only if we need them -->
<#if downloadScriptData.hasCertificateDownloads()>
certFile=$HOME/.esg/credentials.pem
privateKeyFile=$HOME/.esg/credentials.pem
if [ $X509_USER_PROXY ]
then
certFile=$X509_USER_PROXY;
privateKeyFile=$X509_USER_PROXY;
elif [ $X509_USER_CERT ]
then
certFile=$X509_USER_PROXY;
fi
if [ $1 ]
then
certFile=$1;
privateKeyFile=$1;
fi
if [ $2 ]
then
privateKeyFile=$2;
fi
</#if>
<#list downloadScriptData.retrievableFiles as fileDownload>
<#if fileDownload.requiresCertificateRetrieval()>
wget --certificate=$certFile --private-key=$privateKeyFile -O '${fileDownload.fileAccessPoint.logicalFile.name}' '${fileDownload.downloadURI}'
<#else>
wget -O '${fileDownload.fileAccessPoint.logicalFile.name}' '${fileDownload.downloadURI}'
</#if>
</#list>