indigo-iam/iam

VOMS-AA should not allow expansion of VOMS roles

Opened this issue · 1 comment

When a VOMS proxy is generated from another proxy, the VOMS roles should not be present among the attributes if they are not present in the first proxy -- this is the current behavior in legacy VOMS.

E.g., if /vo.0/G1/R1 is a VOMS role, it will not appear in the proxy (unless explicitly requested):

$ voms-proxy-init -voms vo.0
Enter GRID pass phrase for this identity:
Contacting voms.test.example:15000 [/C=IT/O=IGI/CN=*.test.example] "vo.0"...
Remote VOMS server contacted succesfully.


Created proxy in /tmp/x509up_u501.

Your proxy is valid until Tue Mar 12 04:46:06 CET 2024
$ voms-proxy-info -fqan
/vo.0/Role=NULL/Capability=NULL
/vo.0/G1/Role=NULL/Capability=NULL
/vo.0/G2/Role=NULL/Capability=NULL
/vo.0/G2/G3/Role=NULL/Capability=NULL

Thus, if we generate a new proxy from this one, the VOMS role must not be present as well:

$ voms-proxy-init -voms vo.0:/vo.0/G1/Role=R1 --valid 10:00 --noregen
Contacting voms.test.example:15000 [/C=IT/O=IGI/CN=*.test.example] "vo.0"...
Remote VOMS server contacted succesfully.

vo.0 : your certificate already contains attributes, only a subset of them can be issued.

Created proxy in /tmp/x509up_u501.

Your proxy is valid until Tue Mar 12 02:48:54 CET 2024
$ voms-proxy-info -fqan
/vo.0/G1/Role=NULL/Capability=NULL
/vo.0/Role=NULL/Capability=NULL
/vo.0/G2/Role=NULL/Capability=NULL
/vo.0/G2/G3/Role=NULL/Capability=NULL

Right now, voms-aa releases nested proxies that also contain VOMS roles, even if they are not present in the first proxy.
This issue is highlighted in the "See if voms does not allow expansion of credential set from an AC" test.

Also, from a plain proxy one can get roles, e.g. see the test "See if voms does not allow expansion of credential set from a proxy".
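The rule the issue asks for, written out as an added example in Python (this is not code from indigo-iam/iam, voms-aa or legacy VOMS): an attribute authority that receives a request over a credential which already carries a VOMS AC may only issue a subset of the FQANs in that AC, so a Role absent from the parent proxy can never appear in the child; for a first proxy, groups are issued by default and roles only when explicitly requested. The FQAN parser, the `issue_attributes` function, the sample VO membership, and the two details needed to reproduce the `voms-proxy-info -fqan` output quoted above (a rejected `/vo/group/Role=R` request falls back to the plain group FQAN, and explicitly requested FQANs are listed first) are assumptions made for this example, not documented VOMS behaviour.

```python
"""Subset rule for the FQANs an attribute authority puts into a new VOMS AC.

Added example, not code from indigo-iam/iam or from VOMS.  The group fallback
and result ordering are assumptions chosen to match the voms-proxy-info output
quoted in the issue; the membership data below is constructed.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Fqan:
    group: str                   # e.g. "/vo.0/G1"
    role: Optional[str]          # None stands for Role=NULL
    capability: Optional[str]    # None stands for Capability=NULL

    @classmethod
    def parse(cls, text: str) -> "Fqan":
        """Parse "/vo/group[/subgroup]*[/Role=X][/Capability=Y]"."""
        if not text.startswith("/"):
            raise ValueError(f"FQAN must start with '/': {text!r}")
        groups: List[str] = []
        role = cap = None
        for comp in text.split("/")[1:]:
            if comp.startswith("Role="):
                role = comp[len("Role="):]
            elif comp.startswith("Capability="):
                cap = comp[len("Capability="):]
            elif not comp or "=" in comp:
                raise ValueError(f"bad FQAN component {comp!r} in {text!r}")
            else:
                groups.append(comp)
        if not groups:
            raise ValueError(f"FQAN has no group: {text!r}")
        norm = lambda v: None if v in (None, "NULL") else v  # noqa: E731
        return cls("/" + "/".join(groups), norm(role), norm(cap))

    def group_only(self) -> "Fqan":
        return Fqan(self.group, None, None)

    def __str__(self) -> str:
        return (f"{self.group}/Role={self.role or 'NULL'}"
                f"/Capability={self.capability or 'NULL'}")


def issue_attributes(membership: Iterable[str], requested: Iterable[str],
                     parent_ac: Optional[Iterable[str]] = None
                     ) -> Tuple[List[str], List[str]]:
    """Return (issued, rejected) FQAN strings for a new AC.

    membership: every FQAN the VO grants the user (groups and roles).
    requested:  FQANs named by the client (the part after "vo:"), may be empty.
    parent_ac:  FQANs already in the AC of the credential presenting the
                request, or None when that credential carries no AC.
    """
    member = [Fqan.parse(f) for f in membership]
    if parent_ac is None:
        # First proxy: all groups by default, roles only when asked for.
        base = [f for f in member if f.role is None]
        grantable = set(member)
    else:
        # Nested proxy: the parent AC is the ceiling, it is never widened.
        base = [Fqan.parse(f) for f in parent_ac]
        grantable = set(base)

    issued: List[Fqan] = []
    rejected: List[str] = []
    for text in requested:
        f = Fqan.parse(text)
        if f in grantable:
            pick = f
        elif f.group_only() in grantable:
            pick = f.group_only()      # assumption: downgrade to the group
            rejected.append(str(f))
        else:
            rejected.append(str(f))
            continue
        if pick not in issued:
            issued.append(pick)        # requested FQANs go first
    for f in base:
        if f not in issued:
            issued.append(f)
    return [str(f) for f in issued], rejected


# Constructed VO membership: four groups plus one role, as in the issue.
MEMBERSHIP = [
    "/vo.0/Role=NULL/Capability=NULL",
    "/vo.0/G1/Role=NULL/Capability=NULL",
    "/vo.0/G2/Role=NULL/Capability=NULL",
    "/vo.0/G2/G3/Role=NULL/Capability=NULL",
    "/vo.0/G1/Role=R1/Capability=NULL",
]

if __name__ == "__main__":
    first, _ = issue_attributes(MEMBERSHIP, [])          # voms-proxy-init -voms vo.0
    nested, dropped = issue_attributes(MEMBERSHIP, ["/vo.0/G1/Role=R1"],
                                       parent_ac=first)  # ... --noregen
    print("\n".join(first), "\n--", "\n".join(nested), "\nrejected:", dropped)
```

Run with the first proxy's FQANs as `parent_ac`, the function drops the `Role=R1` request and returns exactly the four group FQANs shown in the second `voms-proxy-info -fqan` listing; asking for the same role without a parent AC (a first proxy) issues it. Dropping the `parent_ac` ceiling, which is what the issue reports voms-aa effectively does, is the bug this check is meant to catch.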