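/*
 * Negative test for globus_gss_assist_map_and_authorize(): each call below
 * passes one invalid argument (a null context, a null service name, a null
 * desired identity) and must be rejected.
 *
 * Returns 0 when every call fails as expected, setenv()'s non-zero result if
 * the GRIDMAP location could not be set, or 1/2/3 identifying which call
 * unexpectedly returned GLOBUS_SUCCESS.
 *
 * accept_ctx is a file-scope handle defined elsewhere — presumably an
 * already-established acceptor context; confirm against the test setup.
 */
int
map_and_authorize_bad_params_test(void)
{
    int                                 rc;
    /*
     * Writable arrays rather than pointers to string literals: the fourth
     * argument is an output buffer, and writing through a pointer to a
     * literal is undefined behaviour even in a test that expects failure.
     * Arrays also decay to the non-const char * the API takes.
     */
    char                                service[] = "service";
    char                                desired_identity[] = "id";
    char                                identity_buffer[] = "id";
    /* Excludes the terminator, matching the length this test always used. */
    unsigned int                        identity_buffer_length =
                                            (unsigned int)(sizeof identity_buffer - 1);

    rc = setenv("GRIDMAP", "grid-mapfile", 1);

    if (rc != 0)
    {
        fprintf(stderr, "Error setting GRIDMAP location\n");
        goto out;
    }

    /* Case 1: no security context at all. */
    rc = globus_gss_assist_map_and_authorize(GSS_C_NO_CONTEXT, service, desired_identity, identity_buffer, identity_buffer_length);
    if (rc == GLOBUS_SUCCESS)
    {
        fprintf(stderr, "Unexpected success: globus_gss_assist_map_and_authorize with null context\n");
        rc = 1;
        goto out;
    }

    /* Case 2: valid context, missing service name. */
    rc = globus_gss_assist_map_and_authorize(accept_ctx, NULL, desired_identity, identity_buffer, identity_buffer_length);
    if (rc == GLOBUS_SUCCESS)
    {
        fprintf(stderr, "Unexpected success: globus_gss_assist_map_and_authorize with null service\n");
        rc = 2;
        goto out;
    }

    /* Case 3: valid context and service, missing desired identity. */
    rc = globus_gss_assist_map_and_authorize(accept_ctx, service, NULL, identity_buffer, identity_buffer_length);
    if (rc == GLOBUS_SUCCESS)
    {
        fprintf(stderr, "Unexpected success: globus_gss_assist_map_and_authorize with null desired_identity\n");
        rc = 3;
        goto out;
    }

    rc = 0;

out:
    return rc;
}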
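int Condor_Auth_X509::nameGssToLocal(const char * GSSClientname) 
{
	// Map the authenticated GSI name to a local "user@domain" pair and record
	// it via setRemoteUser()/setRemoteDomain().  Returns 1 when a mapping was
	// obtained, 0 when it was not (the peer is then recorded as user "gsi" in
	// UNMAPPED_DOMAIN).
	//this might need to change with SSLK5 stuff
	//just extract username from /CN=<username>@<domain,etc>
	OM_uint32 major_status;
	char *tmp_user = NULL;
	// Initialised so local_user is a valid (empty) string even on a path that
	// never writes into it.
	char local_user[USER_NAME_MAX] = "";

// windows gsi does not currently include this function.  we use it on
// unix, but implement our own on windows for now.
#ifdef WIN32
	major_status = condor_gss_assist_gridmap(GSSClientname, &tmp_user);
#else
// Switched the unix map function to _map_and_authorize, which allows access
// to the Globus callout infrastructure.
        char condor_str[] = "condor";
	// NOTE(review): the mapping call returns a globus_result_t which is then
	// compared against GSS_S_COMPLETE; this relies on both "success" values
	// being 0 — confirm.
	major_status = globus_gss_assist_map_and_authorize(
            context_handle,
            condor_str, // Requested service name
            NULL, // Requested user name; NULL for non-specified
            local_user,
            USER_NAME_MAX-1); // Leave one space at end of buffer, just-in-case
        // Defensive programming: to protect against buffer overruns in the
        // unknown globus mapping module, make sure we are at least nul-term'd
        local_user[USER_NAME_MAX-1] = '\0';
#endif

	if (tmp_user) {
		// Bounded copy: tmp_user's length is decided by the mapping callout,
		// not by us, so an unbounded strcpy() could overrun local_user.
		// strncpy() plus explicit termination rather than snprintf() so the
		// WIN32 branch does not depend on a C99 snprintf being available.
		strncpy( local_user, tmp_user, sizeof(local_user) - 1 );
		local_user[sizeof(local_user) - 1] = '\0';
		free(tmp_user);
		tmp_user = NULL;
	}

	if ( major_status != GSS_S_COMPLETE) {
		// No mapping: record a placeholder identity rather than failing hard.
		setRemoteUser("gsi");
		setRemoteDomain( UNMAPPED_DOMAIN );
		return 0;
	}

	MyString user;
	MyString domain;
	Authentication::split_canonical_name( local_user, user, domain );
    
	setRemoteUser  (user.Value());
	setRemoteDomain(domain.Value());
	setAuthenticatedName(GSSClientname);
	return 1;
}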
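/*
 * Check if this user is OK to login under GSI. User has been authenticated
 * as identity in global 'client_name.value' and is trying to log in as passed
 * username in 'name'.
 *
 * Returns non-zero if user is authorized, 0 otherwise.
 */
static int
ssh_gssapi_gsi_userok(ssh_gssapi_client *client, char *name)
{
    int authorized = 0;
    globus_result_t res;
#ifdef HAVE_GLOBUS_GSS_ASSIST_MAP_AND_AUTHORIZE
    char lname[256] = "";
#endif

#ifdef GLOBUS_GSI_GSS_ASSIST_MODULE
    /* Module activation failing is treated as "not authorized". */
    if (globus_module_activate(GLOBUS_GSI_GSS_ASSIST_MODULE) != 0) {
        return 0;
    }
#endif

    /* use new globus_gss_assist_map_and_authorize() interface if available */
#ifdef HAVE_GLOBUS_GSS_ASSIST_MAP_AND_AUTHORIZE
    debug("calling globus_gss_assist_map_and_authorize()");
    /*
     * Pass one byte less than the buffer and terminate it ourselves before
     * reading it: the mapping callout is third-party code and is not trusted
     * to NUL-terminate lname.  The buffer size is taken from the array so the
     * two cannot drift apart.
     */
    if (GLOBUS_SUCCESS !=
            (res = globus_gss_assist_map_and_authorize(client->context, "ssh",
                    name, lname, sizeof lname - 1))) {
        debug("%s", globus_error_print_chain(globus_error_get(res)));
    } else {
        lname[sizeof lname - 1] = '\0';
        if (lname[0] && strcmp(name, lname) != 0) {
            /* The callout mapped the credential to a different local user. */
            debug("GSI user maps to %s, not %s", lname, name);
        } else {
            /*
             * Either the mapped name matches, or the callout returned no name
             * after accepting 'name' as the requested identity.
             * NOTE(review): confirm the empty-lname acceptance is intended.
             */
            authorized = 1;
        }
    }
#else
    debug("calling globus_gss_assist_userok()");
    if (GLOBUS_SUCCESS !=
            (res = (globus_gss_assist_userok(client->displayname.value,
                    name)))) {
        debug("%s", globus_error_print_chain(globus_error_get(res)));
    } else {
        authorized = 1;
    }
#endif

    logit("GSI user %s is%s authorized as target user %s",
          (char *) client->displayname.value, (authorized ? "" : " not"), name);

    return authorized;
}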
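/*
 * Return the local username associated with the GSI credentials.
 *
 * On success *user points to a newly allocated string that the caller owns
 * and must free(), and 1 is returned.  On any failure 0 is returned and
 * *user is NULL.
 */
int
ssh_gssapi_gsi_localname(ssh_gssapi_client *client, char **user)
{
    globus_result_t res;
#ifdef HAVE_GLOBUS_GSS_ASSIST_MAP_AND_AUTHORIZE
    char lname[256] = "";
#endif

    /* No failure path below may leave a stale pointer in *user. */
    *user = NULL;

#ifdef GLOBUS_GSI_GSS_ASSIST_MODULE
    if (globus_module_activate(GLOBUS_GSI_GSS_ASSIST_MODULE) != 0) {
        return 0;
    }
#endif

    /* use new globus_gss_assist_map_and_authorize() interface if available */
#ifdef HAVE_GLOBUS_GSS_ASSIST_MAP_AND_AUTHORIZE
    debug("calling globus_gss_assist_map_and_authorize()");
    /*
     * Pass one byte less than the buffer and terminate it ourselves: the
     * mapping callout is third-party code and is not trusted to NUL-terminate
     * lname.  The size comes from the array so the two cannot drift apart.
     */
    if (GLOBUS_SUCCESS !=
            (res = globus_gss_assist_map_and_authorize(client->context, "ssh",
                    NULL, lname, sizeof lname - 1))) {
        debug("%s", globus_error_print_chain(globus_error_get(res)));
        logit("failed to map GSI user %s", (char *)client->displayname.value);
        return 0;
    }
    lname[sizeof lname - 1] = '\0';
    *user = strdup(lname);
#else
    debug("calling globus_gss_assist_gridmap()");
    if (GLOBUS_SUCCESS !=
            (res = globus_gss_assist_gridmap(client->displayname.value, user))) {
        debug("%s", globus_error_print_chain(globus_error_get(res)));
        logit("failed to map GSI user %s", (char *)client->displayname.value);
        return 0;
    }
#endif

    /*
     * strdup() can fail, and the gridmap path is not trusted to always set
     * *user on success; either way a NULL here must not reach logit("%s")
     * or the caller as a "successful" mapping.
     */
    if (*user == NULL) {
        logit("failed to map GSI user %s", (char *)client->displayname.value);
        return 0;
    }

    logit("GSI user %s mapped to target user %s",
          (char *) client->displayname.value, *user);

    return 1;
}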
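int Condor_Auth_X509::nameGssToLocal(const char * GSSClientname) 
{
	// Map the authenticated GSI name (or its FQAN, when present) to a local
	// "user@domain" pair and record it via setRemoteUser()/setRemoteDomain().
	// On non-WIN32 builds the result of the Globus callout is cached in
	// m_mapping, keyed by the name that was mapped.  Returns 1 when a mapping
	// was obtained, 0 when it was not (the peer is then recorded as user "gsi"
	// in UNMAPPED_DOMAIN).
	//this might need to change with SSLK5 stuff
	//just extract username from /CN=<username>@<domain,etc>
	OM_uint32 major_status = GSS_S_COMPLETE;
	char *tmp_user = NULL;
	// Initialised so local_user is a valid (empty) string even on a path that
	// never writes into it.
	char local_user[USER_NAME_MAX] = "";

// windows gsi does not currently include this function.  we use it on
// unix, but implement our own on windows for now.
#ifdef WIN32
	major_status = condor_gss_assist_gridmap(GSSClientname, &tmp_user);
#else
// Switched the unix map function to _map_and_authorize, which allows access
// to the Globus callout infrastructure.

	if (m_mapping == NULL) {
		// Size of hash table is purposely initialized small to prevent this
		// from hogging memory.  This will, of course, grow at large sites.
		m_mapping = new GlobusMappingTable(53, hashFuncString, updateDuplicateKeys);
	}
	// The cache key is the FQAN when one is available, otherwise the bare
	// GSI client name.
	const char *auth_name_to_map;
	const char *fqan = getFQAN();
	if (fqan && fqan[0]) {
		auth_name_to_map = fqan;
	}
	else {
		auth_name_to_map = GSSClientname;
	}

	globus_mapping_entry_ptr value;
	time_t now = 0;
	time_t gsi_cache_expiry = param_integer("GSS_ASSIST_GRIDMAP_CACHE_EXPIRATION", 0);
	// Cache lookups are only consulted when an expiration is configured.
	if (gsi_cache_expiry && (m_mapping->lookup(auth_name_to_map, value) == 0)) {
		now = time(NULL);
		if (now < value->expiry_time) {
			dprintf(D_SECURITY, "Using Globus mapping result from the cache.\n");
			if (value->name.size()) {
				tmp_user = strdup(value->name.c_str());
			}
			else {
				// A cached empty name records an earlier failed mapping.
				major_status = GSS_S_FAILURE;
			}
		}
	}

	// Neither a cached name nor a cached failure: ask the Globus callout.
	if ((tmp_user == NULL) && (major_status == GSS_S_COMPLETE)) {
		char condor_str[] = "condor";
		// NOTE(review): the mapping call returns a globus_result_t which is
		// then compared against GSS_S_COMPLETE; this relies on both "success"
		// values being 0 — confirm.
		major_status = globus_gss_assist_map_and_authorize(
			context_handle,
			condor_str, // Requested service name
			NULL, // Requested user name; NULL for non-specified
			local_user,
			USER_NAME_MAX-1); // Leave one space at end of buffer, just-in-case
		// Defensive programming: to protect against buffer overruns in the
		// unknown globus mapping module, make sure we are at least nul-term'd
		local_user[USER_NAME_MAX-1] = '\0';

		// More defensive programming: There is a bug in LCMAPS, (which is possibly
		// called by a globus callout) that sometimes returns with the euid set to
		// root (!?!).  As a safeguard, We check for that here and return to the
		// condor euid.  This is done "outside" of the condor priv stack since this
		// is essentially undoing a side effect of the library call, not
		// intentionally changing priv state.
		if (geteuid() == 0) {
			dprintf(D_ALWAYS, "WARNING: globus returned with euid 0\n");
			// attempt to undo
			if (seteuid(get_condor_uid())) {
				// complain loudly, but continue
				dprintf(D_ALWAYS, "ERROR: something has gone terribly wrong: errno %i\n", errno);
			}
		}

		if (now == 0) { now = time(NULL); }
		value.reset(new globus_mapping_entry_t);
		value->expiry_time = now + gsi_cache_expiry;
		// The special name of "" indicates failed mapping.
		if (major_status == GSS_S_COMPLETE) {
			value->name = local_user;
		}
		// NOTE(review): the entry is inserted even when gsi_cache_expiry is 0,
		// in which case the lookup above never reads it, so the table still
		// grows by one entry per distinct name — confirm this is intended.
		m_mapping->insert(auth_name_to_map, value);
	}
#endif

	if (tmp_user) {
		// Bounded copy: tmp_user's length is decided by the mapping callout
		// (WIN32) or the cache, not by us, so an unbounded strcpy() could
		// overrun local_user.  strncpy() plus explicit termination rather than
		// snprintf() so the WIN32 branch does not depend on a C99 snprintf.
		strncpy( local_user, tmp_user, sizeof(local_user) - 1 );
		local_user[sizeof(local_user) - 1] = '\0';
		free(tmp_user);
		tmp_user = NULL;
	}

	if ( major_status != GSS_S_COMPLETE) {
		// No mapping: record a placeholder identity rather than failing hard.
		setRemoteUser("gsi");
		setRemoteDomain( UNMAPPED_DOMAIN );
		return 0;
	}

	MyString user;
	MyString domain;
	Authentication::split_canonical_name( local_user, user, domain );
    
	setRemoteUser  (user.Value());
	setRemoteDomain(domain.Value());
	setAuthenticatedName(GSSClientname);
	return 1;
}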