MGM: fix WeightedRandomPlacement::access selectedIndex and division by zero-weight disk possible

.gitlab-ci.yml

@@ -172,7 +172,7 @@ clone_docker:
       else
         source gitlab-ci/setup_ccache.sh;
       fi
-    - rpmbuild --rebuild --with server --with eos_grpc_gateway --define "_rpmdir build/RPMS/" --define "_build_name_fmt %%{NAME}-%%{VERSION}-%%{RELEASE}.%%{ARCH}.rpm" build/SRPMS/* | (ts 2> dev/null || true; tee)
+    - rpmbuild --rebuild --with server --with eos_grpc_gateway --define "_rpmdir build/RPMS/" --define "_build_name_fmt %%{NAME}-%%{VERSION}-%%{RELEASE}.%%{ARCH}.rpm" build/SRPMS/* | (ts 2> /dev/null || true; tee)
     - ccache -s
     - if [[ -n "$CI_COMMIT_TAG" ]]; then gpg2 --batch --import $STCI_REPO_KEY; printf "" | setsid rpmsign --define='%_gpg_name stci@cern.ch' --define='%_signature gpg' --addsign build/RPMS/*.rpm; fi
     - mkdir ${BUILD_NAME}_artifacts; cp -rv build/*RPMS/ build/eos-*.tar.gz ${BUILD_NAME}_artifacts
@@ -767,6 +767,7 @@ el9_asan_docker_image:
     - exec_cmd eos-mgm1 "eos vid add gateway \"127.0.0.1\" https"
     - exec_cmd eos-mgm1 "eos vid add gateway \"[:1]\" https"
     - exec_cmd eos-mgm1 "eos vid add gateway \"[::1]\" https"
+    - exec_cmd eos-mgm1 "for ip in \$(hostname -i); do eos vid add gateway \$ip https; done"
     - exec_cmd eos-mgm1 "eos vid set map -grpc key:auth_key vuid:11  vgid:11"
     - exec_cmd eos-mgm1 "eos vid set map -https key:auth_key vuid:11  vgid:11"
     - exec_cmd eos-mgm1 "eos vid set membership 11 +sudo"
@@ -776,7 +777,11 @@ el9_asan_docker_image:
     - echo ${MGM_POD_HOSTNAME}
 
     # We connect over https, and the certificate is only valid for the hostname, so replace localhost with the MGM's hostname
-    - exec_cmd eos-mgm1 'sed -i "s/^\(master_url = \"https:\/\/\)localhost\(:[0-9][0-9]*\"\)/\1$(hostname -f)\2/" reva/tests/integration/reva-cli/config/revad-eos.toml'
+    - |
+      exec_cmd eos-mgm1 'sed -i -e "s/^\(master_url = \"https:\/\/\)localhost\(:[0-9][0-9]*\"\)/\1$(hostname -f)\2/" \
+                                -e "s/^\(master_grpc_uri = \"\)localhost\(:[0-9][0-9]*\"\)/\1$(hostname -f)\2/" \
+                                -e "s/^\(allow_insecure = \)true/\1false/" \
+                                reva/tests/integration/reva-cli/config/revad-eos.toml'
 
     # Start revad
     - exec_cmd eos-mgm1 './reva/cmd/revad/revad -c reva/tests/integration/reva-cli/config/revad-eos.toml </dev/null >revad.log 2>&1 & echo $! > revad.pid'
@@ -786,7 +791,6 @@ el9_asan_docker_image:
     - exec_cmd eos-mgm1 "eos vid ls"
     - exec_cmd eos-mgm1 "eos access ls"
     - exec_cmd eos-mgm1 "cat revad.log"
-
   artifacts:
     when: on_failure
     expire_in: 3 days
@@ -893,26 +897,35 @@ publish_koji_al8:
   variables:
     TARGET: "eos8al"
     BUILD_NAME: "el-8"
-  dependencies:
-    - build_el8
+  only:
+    - schedules
+    - tags
+  needs:
+    - job: build_el8
+      artifacts: true
 
 
 publish_koji_al9:
   <<: *publish_koji_template_definition
   variables:
     TARGET: "eos9al"
     BUILD_NAME: "el-9"
-  dependencies:
-    - build_el9
+  needs:
+    - job: build_el9
+      artifacts: true
 
 
 publish_koji_al10:
   <<: *publish_koji_template_definition
   variables:
     TARGET: "eos10al"
     BUILD_NAME: "el-10"
-  dependencies:
-    - build_el10
+  only:
+    - schedules
+    - tags
+  needs:
+    - job: build_el10
+      artifacts: true
 
 
 publish_koji_rh-8:
@@ -1044,6 +1057,21 @@ notify_cta_project:
 rpm_commit_artifacts:
   stage: publish
   image: gitlab-registry.cern.ch/linuxsupport/alma9-base
+  needs:
+    - job: build_el8
+      artifacts: true
+      optional: true
+    - job: build_el9
+      artifacts: true
+    - job: build_el10
+      artifacts: true
+      optional: true
+    - job: build_el9_arm64
+      artifacts: true
+      optional: true
+    - job: build_fedora_38
+      artifacts: true
+      optional: true
   script:
     - dnf install --nogpg -y sudo sssd-client createrepo
     - if [[ -n "$CI_COMMIT_TAG" ]]; then echo "This only works for commits"; exit 0; else BUILD_TYPE="commit"; fi
@@ -1162,7 +1190,7 @@ clean_k8s_cluster:
     - export KUBECONFIG=$K8S_CONFIG
     - set +o pipefail
     - kubectl get namespaces --no-headers | grep -v 'default\|kube-node-lease\|kube-public\|kube-system\|magnum-tiller' |
-        awk 'match($3,/[3-9][0-9]+h||[[:alnum:]]+d/) {print $1}' | xargs --no-run-if-empty kubectl delete namespaces
+        awk 'match($3,/(([3-9][0-9]|[1-9][0-9][0-9]+)h|[1-9][0-9]*d)/) {print $1}' | xargs --no-run-if-empty kubectl delete namespaces
   dependencies: []
   allow_failure: true
   only:

.gitmodules

@@ -35,3 +35,6 @@
 [submodule "fst/css_plugin"]
 	path = fst/css_plugin
 	url = https://gitlab.cern.ch/eos/css_plugin.git
+[submodule "console/parser"]
+	path = common/parser
+	url = https://github.com/CLIUtils/CLI11.git

CMakeLists.txt

@@ -94,7 +94,6 @@ endif()
 
 set(CMAKE_INSTALL_SYSCONFDIR /etc)
 include(EosFindLibs)
-
 include(CTest)
 
 #-------------------------------------------------------------------------------
@@ -142,12 +141,8 @@ add_subdirectory(misc)
 add_subdirectory(test)
 add_subdirectory(namespace/ns_quarkdb/qclient)
 
-if (GRPC_FOUND)
-  add_subdirectory(client)
-endif()
-
 if (NOT CLIENT)
-
+  add_subdirectory(client)
   add_subdirectory(mgm)
   add_subdirectory(namespace)
   add_subdirectory(utils)
@@ -185,6 +180,8 @@ set(CPACK_SOURCE_IGNORE_FILES
 ;/grpc/eos-grpc.spec;/.deps/;~$;'.'o$;/lib/;/.git/;eos.spec.in;elrepopackage.spec;.tar.gz$;\
 .tar.bz2$;${CPACK_SOURCE_IGNORE_FILES};")
 
+set(EOS_TUI_VERSION "0.2.11")
+
 configure_file(
   "${CMAKE_CURRENT_SOURCE_DIR}/cmake/config_spec.cmake.in"
   "${CMAKE_CURRENT_BINARY_DIR}/cmake/config_spec.cmake" @ONLY IMMEDIATE)
@@ -245,7 +242,6 @@ if (EOS_GRPC_GW)
   LIST(APPEND RPM_OPTIONS --with eos_grpc_gateway)
 endif()
 
-
 add_custom_target(
   srpm
   COMMAND rpmbuild -ts ${EOS_ARCHIVE} --define "_topdir ${CMAKE_BINARY_DIR}" ${SRPM_DEFINE} ${RPM_OPTIONS})
@@ -256,6 +252,7 @@ add_custom_target(
 
 add_dependencies(srpm dist)
 add_dependencies(rpm dist)
+include(EosTui)
 
 #-------------------------------------------------------------------------------
 # Custom target to build on OSX

SECURITY.md

@@ -0,0 +1,144 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+We take security issues seriously and appreciate responsible disclosure from the community.
+
+If you believe you have found a security vulnerability in this project, please report it privately. Do **not** open a public GitHub issue for security vulnerabilities.
+
+## How to Report
+
+Please use one of the following private reporting channels:
+
+1. **CERN GitLab — primary and preferred reporting channel**
+
+   Use CERN GitLab for vulnerability reports whenever possible. This is the primary development repository and the preferred place to submit security reports.
+
+   https://gitlab.cern.ch/dss/eos/-/security/vulnerability_report
+
+2. **GitHub — for external collaborators without CERN GitLab access**
+
+   Use GitHub private vulnerability reporting only if you are an external collaborator and do not have access to CERN GitLab.
+
+   https://github.com/cern-eos/eos/security/
+
+Please do not submit the same report through multiple channels unless requested by the maintainers.
+
+When reporting a vulnerability, please include as much detail as possible, including:
+
+- A description of the issue
+- Steps to reproduce the vulnerability
+- Affected versions, branches, or configurations
+- Any proof-of-concept code, logs, screenshots, or error messages
+- The potential impact of the vulnerability
+- Any suggested remediation, if available
+
+## Use of AI Coding Assistants in Vulnerability Research
+
+We welcome thoughtful security reports that are discovered, analyzed, validated, or documented with the help of AI coding assistants, automated scanners, or similar tools. These tools can be useful for reviewing code, identifying suspicious patterns, improving reports, and suggesting possible remediations.
+
+To help maintainers understand and reproduce the finding, please mention any AI coding assistant or automated tool that substantially contributed to the report. Where applicable, include:
+
+- The name of the AI coding assistant or tool used
+- The model, version, or service, if known
+- How the tool was used, such as discovery, code review, exploit analysis, remediation suggestions, or report writing
+- Any relevant prompts, generated output, scanner results, or tool findings needed to understand the issue
+- The steps you took to verify the vulnerability and confirm its security impact
+
+AI-assisted reports are most helpful when they include clear reasoning, reproducible steps, and evidence that the issue is real and exploitable. Reports do not need to be perfect, but they should provide enough information for maintainers to independently assess the finding.
+
+Please avoid submitting private project data, secrets, credentials, personal data, or other sensitive information to AI tools unless you are authorized to do so and the tool is approved for that use.
+
+## Use of AI Agents in Security Reporting
+
+We also welcome reports that are prepared, submitted, triaged, or followed up on with the help of AI agents, automation agents, or other delegated systems. Agent-assisted reporting can be useful when it improves clarity, consistency, and responsiveness.
+
+If an agent was used in preparing or managing a security report, please disclose this so that maintainers understand how the report and any follow-up communication are being handled. Where applicable, include:
+
+- The name or type of agent used
+- The platform, framework, or service provider, if known
+- Whether the agent was used for vulnerability discovery, code analysis, exploit testing, report generation, submission, or follow-up communication
+- Whether the agent acted autonomously or under human supervision
+- The identity or contact details of the human or organization responsible for the report
+- Any relevant limitations of the agent’s findings or communication
+
+If follow-up communication is handled by an agent, please make sure that:
+
+- The agent can provide accurate and relevant responses to maintainer questions
+- A human reviewer can join the conversation when requested
+- Communication remains focused, respectful, and useful
+- Vulnerability details are kept private and shared only with authorized parties
+- Requests for disclosure, credit, or compensation are handled appropriately and respectfully
+
+When agents are used to identify or submit multiple findings, please keep the volume of simultaneous reports to a manageable level. Reports should be prioritized and submitted in order of highest criticality and security impact first. Where several related findings exist, consider grouping them into a single report when this helps maintainers understand the overall issue and reduces duplicate or overlapping communication.
+
+Reports submitted or managed with the help of agents remain welcome under this policy, provided they follow the same responsible disclosure expectations as any other report and are backed by a responsible human contact.
+
+## Supported Versions
+
+Security updates are provided for the following versions:
+
+| Version | Supported |
+|---|---|
+| Latest stable release | Yes |
+| Older releases | No |
+| Development branches | Best effort |
+
+Only the latest stable release is guaranteed to receive security fixes unless otherwise stated.
+
+## Disclosure Process
+
+After a vulnerability is reported, we will make reasonable efforts to:
+
+1. Acknowledge receipt of the report within 5 business days.
+2. Investigate and validate the issue.
+3. Work on a fix or mitigation if the issue is confirmed.
+4. Coordinate disclosure timing with the reporter when appropriate.
+5. Publish a security advisory or release notes after a fix is available, if needed.
+
+We ask reporters to give us a reasonable amount of time to investigate and address the issue before making any information public.
+
+## Responsible Disclosure Guidelines
+
+We ask that security researchers and users:
+
+- Do not publicly disclose the vulnerability until we have had a chance to investigate and address it.
+- Do not access, modify, or delete data that does not belong to you.
+- Do not perform testing that could degrade, disrupt, or damage the project, services, users, or infrastructure.
+- Do not use social engineering, phishing, spam, physical attacks, or denial-of-service attacks.
+- Provide enough information for us to reproduce and understand the issue.
+
+Reports made in good faith under this policy are appreciated.
+
+## Scope
+
+This policy applies to the code and documentation in this repository.
+
+The following are generally out of scope unless they demonstrate a clear security impact:
+
+- Vulnerabilities in unsupported versions
+- Issues requiring physical access to a user’s device
+- Social engineering attacks
+- Denial-of-service attacks
+- Reports from automated scanners without evidence of exploitability
+- Missing security headers without a demonstrated impact
+- Issues in third-party dependencies that are not directly exploitable through this project
+
+## Security Updates
+
+Security fixes may be released as:
+
+- A patch release
+- A commit to the default branch
+- A GitHub Security Advisory
+- Updated documentation or configuration guidance
+
+Users are encouraged to keep their deployments up to date with the latest stable release.
+
+## No Bug Bounty
+
+Unless explicitly stated otherwise, this project does not offer a paid bug bounty program. We are grateful for responsible reports but cannot guarantee monetary rewards.
+
+## Contact
+
+For security-related questions or vulnerability reports, please use the private reporting channels listed above.

auth_plugin/ProtoUtils.cc

@@ -347,7 +347,7 @@ utils::ComputeHMAC(RequestProto*& req)
     return false;
   }
 
-  std::string hmac = eos::common::SymKey::HmacSha1(smsg);
+  std::string hmac = eos::common::SymKey::HmacSha256(smsg);
   XrdOucString base64hmac;
   bool do_encoding = eos::common::SymKey::Base64Encode((char*)hmac.c_str(),
                      hmac.length(), base64hmac);

client/grpc/GrpcClient.cc

@@ -21,25 +21,20 @@
  * along with this program.  If not, see <http://www.gnu.org/licenses/>.*
  ************************************************************************/
 
-/*----------------------------------------------------------------------------*/
+#ifdef EOS_GRPC
 #include "GrpcClient.hh"
 #include "proto/Rpc.grpc.pb.h"
 #include "common/StringConversion.hh"
 #include "common/Timing.hh"
 #include "common/Path.hh"
-/*----------------------------------------------------------------------------*/
 #include <absl/log/absl_check.h>
 #include <grpcpp/grpcpp.h>
 #include <grpc/support/log.h>
 #include <google/protobuf/util/json_util.h>
-/*----------------------------------------------------------------------------*/
 #include <sys/stat.h>
-/*----------------------------------------------------------------------------*/
 
 EOSCLIENTNAMESPACE_BEGIN
 
-//#ifdef EOS_GRPC
-
 using grpc::Channel;
 using grpc::ClientAsyncResponseReader;
 using grpc::ClientAsyncReader;
@@ -689,7 +684,5 @@ GrpcClient::ExportFs(const eos::rpc::MDResponse& response,
   return "";
 }
 
-//#endif
-
-
 EOSCLIENTNAMESPACE_END
+#endif

client/grpc/GrpcClient.hh

@@ -22,19 +22,14 @@
  ************************************************************************/
 
 #pragma once
-
-/*----------------------------------------------------------------------------*/
 #include "client/Namespace.hh"
 #include "common/AssistedThread.hh"
 #include <list>
-/*----------------------------------------------------------------------------*/
-/*----------------------------------------------------------------------------*/
+
 #ifdef EOS_GRPC
 #include <grpc++/grpc++.h>
 #include "proto/Rpc.grpc.pb.h"
 
-/*----------------------------------------------------------------------------*/
-
 EOSCLIENTNAMESPACE_BEGIN
 
 /**
@@ -99,6 +94,5 @@ private:
   std::map<uint64_t, std::string> tree;
 };
 
-#endif
-
 EOSCLIENTNAMESPACE_END
+#endif