// Authenticate the peer with the listed methods and, on success, exchange a
// session key over the same socket.
//
// hostAddr, auth_methods, errstack, timeout: forwarded unchanged to the
//     four-argument authenticate() overload.
// key: passed to exchangeKey(); presumably receives the negotiated session
//     key on success - confirm against exchangeKey().
// errstack: receives AUTHENTICATE_ERR_KEYEXCHANGE_FAILED when the key exchange
//     fails (it is dereferenced without a null check).
// Returns 0 when authentication failed; otherwise the exchangeKey() result
// (or the authentication result itself when SKIP_AUTHENTICATION is defined).
int Authentication::authenticate( char *hostAddr, KeyInfo *& key, 
								  const char* auth_methods, CondorError* errstack, int timeout)
{
    int result = authenticate(hostAddr, auth_methods, errstack, timeout);

#if !defined(SKIP_AUTHENTICATION)
    if (!result) {
        return result;
    }

    // A key exchange currently follows every successful authentication; the
    // original author marked this arrangement as temporary.
    mySock->allow_empty_message_flag = FALSE;
    result = exchangeKey(key);
    if (result == 0) {
        errstack->push("AUTHENTICATE", AUTHENTICATE_ERR_KEYEXCHANGE_FAILED,
                       "Failed to securely exchange session key");
    }
    mySock->allow_one_empty_message();
#endif

    return result;
}
// Finish an authentication exchange: log the outcome, optionally map the
// authenticated name through CERTIFICATE_MAPFILE (or, for GSI with no map
// file, the Globus mapping), then run the session-key exchange.
//
// errstack: receives AUTHENTICATE_ERR_KEYEXCHANGE_FAILED if the key exchange
//           fails; it is dereferenced without a null check, so callers are
//           presumably required to pass a valid object - confirm.
// Returns 0 when no method succeeded; otherwise the exchangeKey() result when
// a key exchange was run, else 1.
int Authentication::authenticate_finish(CondorError *errstack)
{
	//if none of the methods succeeded, we fall thru to default "none" from above
	// retval is 0 or 1 here.  The GSI branch below declares its own inner
	// `retval`, so nothing between here and the key exchange changes this one.
	int retval = ( auth_status != CAUTH_NONE );
	if (IsDebugVerbose(D_SECURITY)) {
		dprintf(D_SECURITY, "AUTHENTICATE: auth_status == %i (%s)\n", auth_status,
				(method_used?method_used:"?!?") );
	}
	dprintf(D_SECURITY, "Authentication was a %s.\n", retval == 1 ? "Success" : "FAILURE" );


	// at this point, all methods have set the raw authenticated name available
	// via getAuthenticatedName().

	if(authenticator_) {
		dprintf (D_SECURITY, "ZKM: setting default map to %s\n",
				 authenticator_->getRemoteFQU()?authenticator_->getRemoteFQU():"(null)");
	}

	// check to see if CERTIFICATE_MAPFILE was defined.  if so, use it.  if
	// not, do nothing.  the user and domain have been filled in by the
	// authentication method itself, so just leave that alone.
	// Only the presence of the parameter is used; the returned string is
	// free()d right away.
	char * cert_map_file = param("CERTIFICATE_MAPFILE");
	bool use_mapfile = (cert_map_file != NULL);
	if (cert_map_file) {
		free(cert_map_file);
		cert_map_file = 0;
	}

	// if successful so far, invoke the security MapFile.  the output of that
	// is the "canonical user".  if that has an '@' sign, split it up on the
	// last '@' and set the user and domain.  if there is more than one '@',
	// the user will contain the leftovers after the split and the domain
	// always has none.
	if (retval && use_mapfile) {
		// NOTE(review): authenticator_ is dereferenced here without the null
		// check applied at the other call sites in this function; presumably a
		// non-NONE auth_status guarantees it is set - confirm.
		const char * name_to_map = authenticator_->getAuthenticatedName();
		if (name_to_map) {
			dprintf (D_SECURITY, "ZKM: name to map is '%s'\n", name_to_map);
			dprintf (D_SECURITY, "ZKM: pre-map: current user is '%s'\n",
					authenticator_->getRemoteUser()?authenticator_->getRemoteUser():"(null)");
			dprintf (D_SECURITY, "ZKM: pre-map: current domain is '%s'\n",
					authenticator_->getRemoteDomain()?authenticator_->getRemoteDomain():"(null)");
			map_authentication_name_to_canonical_name(auth_status, method_used, name_to_map);
		} else {
			dprintf (D_SECURITY, "ZKM: name to map is null, not mapping.\n");
		}
#if defined(HAVE_EXT_GLOBUS)
	// Reached only when no map file is configured and the GSI method
	// authenticated the peer.
	} else if (auth_status == CAUTH_GSI ) {
		// Fall back to using the globus mapping mechanism.  GSI is a bit unique in that
		// it may be horribly expensive - or cause a SEGFAULT - to do an authorization callout.
		// Hence, we delay it until after we apply a mapfile or, here, have no map file.
		// nameGssToLocal calls setRemoteFoo directly.
		const char * name_to_map = authenticator_->getAuthenticatedName();
		if (name_to_map) {
			// NOTE(review): this `retval` shadows the function's retval, so a
			// mapping failure is only logged here and does not change the value
			// this function returns - confirm that is the intended behaviour.
			int retval = ((Condor_Auth_X509*)authenticator_)->nameGssToLocal(name_to_map);
			dprintf(D_SECURITY, "nameGssToLocal returned %s\n", retval ? "success" : "failure");
		} else {
			dprintf (D_SECURITY, "ZKM: name to map is null, not calling GSI authorization.\n");
		}
#endif
	}
	// for now, let's be a bit more verbose and print this to D_SECURITY.
	// yeah, probably all of the log lines that start with ZKM: should be
	// updated.  oh, i wish there were a D_ZKM, but alas, we're out of bits.
	if( authenticator_ ) {
		dprintf (D_SECURITY, "ZKM: post-map: current user is '%s'\n",
				 authenticator_->getRemoteUser()?authenticator_->getRemoteUser():"(null)");
		dprintf (D_SECURITY, "ZKM: post-map: current domain is '%s'\n",
				 authenticator_->getRemoteDomain()?authenticator_->getRemoteDomain():"(null)");
		dprintf (D_SECURITY, "ZKM: post-map: current FQU is '%s'\n",
				 authenticator_->getRemoteFQU()?authenticator_->getRemoteFQU():"(null)");
	}

	mySock->allow_one_empty_message();

#if !defined(SKIP_AUTHENTICATION)
	// NOTE(review): retval can only be 0 or 1 at this point (the GSI branch's
	// retval is a separate inner variable), so the `retval != 2` test never
	// excludes anything - possibly a leftover from an earlier return-value
	// convention; confirm before relying on it.  The exchange is also skipped
	// when no key slot (m_key) was supplied.
	if (retval && retval != 2 && m_key != NULL) {        // will always try to exchange key!
		// This is a hack for now, when we have only one authenticate method
		// this will be gone
		mySock->allow_empty_message_flag = FALSE;
		// From here on retval is the exchangeKey() result, so a failed key
		// exchange turns an otherwise successful authentication into a failure.
		retval = exchangeKey(*m_key);
		if ( !retval ) {
			errstack->push("AUTHENTICATE",AUTHENTICATE_ERR_KEYEXCHANGE_FAILED,
			"Failed to securely exchange session key");
		}
		dprintf(D_SECURITY, "AUTHENTICATE: Result of end of authenticate is %d.\n", retval);
		mySock->allow_one_empty_message();
	}
#endif

	return ( retval );
}