/******************************************************************************
Function: lcas_db_fill_entry
documentation in _lcas_db_read.h
******************************************************************************/
lcas_db_entry_t * lcas_db_fill_entry(
lcas_db_entry_t ** list,
lcas_db_entry_t * entry
)
{
lcas_db_entry_t * plist;
if (entry == NULL)
{
lcas_log(0,"lcas.mod-lcas_db_fill_entry(): error null entry\n");
return NULL;
}
if (!(*list))
{
lcas_log_debug(2,"lcas.mod-lcas_db_fill_entry(): creating first list entry\n");
*list=plist=(lcas_db_entry_t *)malloc(sizeof(lcas_db_entry_t));
}
else
{
lcas_log_debug(2,"lcas.mod-lcas_db_fill_entry(): creating new list entry\n");
plist=*list;
while (plist->next) plist=plist->next;
plist=plist->next=(lcas_db_entry_t *)malloc(sizeof(lcas_db_entry_t));
}
if (!plist)
{
lcas_log(0,"lcas.mod-lcas_db_fill_entry(): error creating new list entry\n");
return NULL;
}
plist->next=NULL;
if (entry->pluginname != NULL)
{
strncpy(plist->pluginname,entry->pluginname,LCAS_MAXPATHLEN);
(plist->pluginname)[LCAS_MAXPATHLEN]=NUL;
}
else
strncpy(plist->pluginname,"",LCAS_MAXPATHLEN);
if (entry->pluginargs != NULL)
{
strncpy(plist->pluginargs,entry->pluginargs,LCAS_MAXARGSTRING);
(plist->pluginargs)[LCAS_MAXARGSTRING]=NUL;
}
else
strncpy(plist->pluginargs,"",LCAS_MAXARGSTRING);
return plist;
}
/******************************************************************************
Function: plugin_terminate
Description:
Terminate plugin
Parameters:
Returns:
LCAS_MOD_SUCCESS : succes
LCAS_MOD_FAIL : failure
******************************************************************************/
int plugin_terminate()
{
lcas_log_debug(1,"%s-plugin_terminate(): terminating\n",modname);
if (userban_db) { free(userban_db); userban_db=NULL; }
return LCAS_MOD_SUCCESS;
}
int
plugin_initialize(int argc, char *argv[])
{
lcas_log_debug(1, "%s-plugin_initialize()\n",modname);
return LCAS_MOD_SUCCESS;
}
int
plugin_terminate()
{
lcas_log_debug(1, "%s-plugin_terminate(): terminating\n",modname);
if (authfile) {
free(authfile);
authfile = NULL;
}
return LCAS_MOD_SUCCESS;
}
/*!
\fn lcas_db_read_entries(
FILE * dbstream
)
\brief Read db entries from stream and fill a lsit of db entries
\param dbstream database stream
\return the number of entries found (failure --> negative number)
\internal
*/
static int lcas_db_read_entries(
FILE * dbstream
)
{
char line[1024];
int nlines=0;
int no_entries=0;
lcas_db_entry_t * entry=NULL;
nlines=0;
no_entries=0;
/* lcas_db_fill_entry(no_entries,NULL); */
while (fgets(line, sizeof(line), dbstream))
{
++nlines;
if (! lcas_db_parse_line(line, &entry))
{
/* parse error, return line number */
if (entry != NULL) free(entry);
return -(nlines);
}
if (entry != NULL)
{
lcas_log_debug(3,"line %d: %s, %s\n",nlines,entry->pluginname,entry->pluginargs);
/* entry found */
++no_entries;
if (no_entries > MAXDBENTRIES)
{
if (entry != NULL) free(entry);
return no_entries;
}
if ( lcas_db_fill_entry(&lcas_db_list, entry)==NULL )
{
/* error filling lcas_db */
if (entry != NULL) free(entry);
return -(nlines);
}
if (entry != NULL) free(entry);
entry=NULL;
}
else
{
/* no entry found, but no error */
continue;
}
}
if (entry != NULL) free(entry);
return no_entries;
}
int plugin_initialize(int argc, char ** argv)
{
int i;
lcas_log_debug(2,"%s-plugin_initialize(): passed arguments:\n",modname);
for (i=0; i < argc; i++)
{
lcas_log_debug(2,"%s-plugin_initialize(): arg %d is %s\n",
modname,i,argv[i]);
}
disableWildCardMatching = isParamEnabled ("-disable_wildcards", argc, argv);
disableWildCardMatching ? lcas_log_debug(2,"%s-plugin_initialize(): wildcard matching is disabled\n", modname)
: lcas_log_debug(2,"%s-plugin_initialize(): wildcard matching is enabled\n", modname);
if (argc > 1)
userban_db = lcas_findfile(argv[1]);
/* Test if userban_db can be opened */
if (userban_db == NULL)
{
lcas_log(0,"\t%s-plugin_initialize() error: banned user file required !\n",
modname);
return LCAS_MOD_NOFILE;
}
if (lcas_getfexist(1,userban_db) == NULL)
{
lcas_log(0,
"\t%s-plugin_initialize() error: Cannot find banned user file: %s\n",
modname,userban_db
);
return LCAS_MOD_NOFILE;
}
return LCAS_MOD_SUCCESS;
}
/******************************************************************************
Function: lcas_db_clean_list
documentation in _lcas_db_read.h
******************************************************************************/
int lcas_db_clean_list(
lcas_db_entry_t ** list
)
{
lcas_db_entry_t * entry;
entry=*list;
while (entry)
{
lcas_db_entry_t * next_entry;
lcas_log_debug(2,"cleaning db entry for module %s\n",entry->pluginname);
next_entry=entry->next;
free(entry);
entry=next_entry;
}
*list=entry=NULL;
return 0;
}
/******************************************************************************
Function: plugin_confirm_authorization
Description:
Ask for authorization by passing RSL and user credential
Parameters:
request: RSL request
user_cred: user credential
Returns:
LCAS_MOD_SUCCESS: authorization succeeded
LCAS_MOD_FAIL : authorization failed
LCAS_MOD_NOFILE : db file not found
******************************************************************************/
int
plugin_confirm_authorization(lcas_request_t request, lcas_cred_id_t lcas_cred)
{
int rc;
char * dummy = NULL;
char * user_dn = NULL;
/*
* check credential and get the globus name
*/
if ( (user_dn = lcas_get_dn(lcas_cred)) == NULL)
{
lcas_log(0, "lcas.mod-lcas_get_fabric_authorization() error: user DN empty\n");
goto lcas_userban_noauth;
}
/* Do the check */
lcas_log_debug(0,"\t%s-plugin_confirm_authorization(): checking banned users in %s\n",
modname,userban_db);
/*
* The new default is to perform the wildcard matching, based upon fnmatch
* You'll need to explicitly disable it in the initialization parameters
*/
if (! disableWildCardMatching)
rc = lcas_gridlist(user_dn, &dummy, userban_db, MATCH_WILD_CHARS|MATCH_ONLY_DN, NULL, NULL);
else
rc = lcas_gridlist(user_dn, &dummy, userban_db, MATCH_ONLY_DN, NULL, NULL);
if ( rc == LCAS_MOD_ENTRY )
{
/* Entry found for user_dn, so the user is banned */
lcas_log_debug(0,"\t%s-plugin_confirm_authorization(): entry found for %s\n",
modname,user_dn);
goto lcas_userban_noauth;
}
else if ( rc == LCAS_MOD_NOFILE )
{
/* file not found */
lcas_log(0,
"\t%s-plugin_confirm_authorization() error: Cannot find banned user file: %s\n",
modname,userban_db);
goto lcas_userban_nofile;
}
lcas_userban_auth:
/* authorization = no entry found for user_dn */
if (dummy != NULL) free(dummy);
return LCAS_MOD_SUCCESS;
lcas_userban_noauth:
/* no authorization = entry found for user_dn */
if (dummy != NULL) free(dummy);
return LCAS_MOD_FAIL;
lcas_userban_nofile:
/* file not found */
if (dummy != NULL) free(dummy);
return LCAS_MOD_NOFILE;
}
int
plugin_confirm_authorization(lcas_request_t request, lcas_cred_id_t lcas_cred)
{
char *user_dn;
int ret;
edg_wll_Context ctx;
struct _edg_wll_GssPrincipal_data princ;
X509 *cert = NULL;
STACK_OF(X509) * chain = NULL;
void *cred = NULL;
struct vomsdata *voms_info = NULL;
int err;
authz_action action;
memset(&princ, 0, sizeof(princ));
lcas_log_debug(1,"\t%s-plugin: checking LB access policy\n",
modname);
if (edg_wll_InitContext(&ctx) != 0) {
lcas_log(0, "Couldn't create L&B context\n");
ret = LCAS_MOD_FAIL;
goto end;
}
if ((action = find_authz_action(request)) == ACTION_UNDEF) {
lcas_log(0, "lcas.mod-lb() error: unsupported action\n");
ret = LCAS_MOD_FAIL;
goto end;
}
user_dn = lcas_get_dn(lcas_cred);
if (user_dn == NULL) {
lcas_log(0, "lcas.mod-lb() error: user DN empty\n");
ret = LCAS_MOD_FAIL;
goto end;
}
princ.name = user_dn;
cred = lcas_get_gss_cred(lcas_cred);
if (cred == NULL) {
lcas_log(0, "lcas.mod-lb() warning: user gss credential empty\n");
#if 0
ret = LCAS_MOD_FAIL;
goto end;
#endif
}
#ifndef NO_GLOBUS_GSSAPI
if (cred) {
voms_info = VOMS_Init(NULL, NULL);
if (voms_info == NULL) {
lcas_log(0, "lcas.mod-lb() failed to initialize VOMS\n");
ret = LCAS_MOD_FAIL;
goto end;
}
ret = VOMS_RetrieveFromCred(cred, RECURSE_CHAIN, voms_info, &err);
if (ret == 1)
edg_wll_get_fqans(ctx, voms_info, &princ.fqans);
}
#endif
ret = check_authz_policy(edg_wll_get_server_policy(), &princ, action);
ret = (ret == 1) ? LCAS_MOD_SUCCESS : LCAS_MOD_FAIL;
end:
edg_wll_FreeContext(ctx);
#ifndef NO_GLOBUS_GSSAPI
if (voms_info)
VOMS_Destroy(voms_info);
#endif
if (cert)
X509_free(cert);
if (chain)
sk_X509_pop_free(chain, X509_free);
return ret;
}
/*!
\fn lcas_db_parse_line(
char * line,
lcas_db_entry_t ** entry
)
\brief Parses database line and fills database structure
\param line database line
\param entry pointer to a pointer to a database structure (can/should be freed afterwards)
\retval 1 succes.
\retval 0 failure.
\internal
*/
static int lcas_db_parse_line(
char * line,
lcas_db_entry_t ** entry
)
{
char * var_val_pairs[MAXPAIRS];
char * var;
char * val;
int ipair;
int no_pairs;
size_t len;
lcas_db_entry_t * tmp_entry=NULL;
/* Check arguments */
if ((line == NULL) || (*entry != NULL))
{
lcas_log(0,"lcas.mod-lcas_db_parse_line(): something wrong with arguments\n");
goto error;
}
/* Skip over leading whitespace */
line += strspn(line, WHITESPACE_CHARS);
/* Check for comment at start of line and ignore line if present */
if (strchr(COMMENT_CHARS, *line) != NULL)
{
/* Ignore line, return NULL entry. */
*entry=NULL;
return 1;
}
/* Check for empty line */
if (*line == NUL)
{
/* Empty line, return NULL entry. */
*entry=NULL;
return 1;
}
/* Look for variable-value pairs by checking the PAIR_SEP_CHARS */
ipair=0;
len=0;
while (*line != NUL)
{
len=strcspn(line, PAIR_SEP_CHARS);
if (len > 0)
{
var_val_pairs[ipair] = line;
ipair++;
line+=len;
if (*line == NUL)
{
/* probably end of line */
continue;
}
if (strchr(PAIR_SEP_CHARS, *line) != NULL)
{
*line=NUL;
line += 1;
}
}
else
{
/* len = 0, so *line=PAIR_SEP_CHARS */
line += 1;
}
line += strspn(line, WHITESPACE_CHARS);
}
no_pairs=ipair;
if (no_pairs)
{
tmp_entry=malloc(sizeof(*tmp_entry));
if (tmp_entry == NULL)
{
lcas_log(0,"lcas.mod-lcas_db_parse_line(): error allocating memory\n");
goto error;
}
for (ipair=0; ipair < no_pairs; ipair++)
{
int rc=0;
lcas_log_debug(3,"pair %d:%s-endpair\n",ipair, var_val_pairs[ipair]);
rc=lcas_db_parse_pair(var_val_pairs[ipair], &var, &val);
if (! rc)
{
/* error parsing variable-value pair */
lcas_log(0,"lcas.mod-lcas_db_parse_line(): error parsing variable-value pair\n");
goto error;
}
lcas_log_debug(3,"var: %s, value: %s\n",var,val);
if (strncmp(var,"pluginname",strlen("pluginname")) == 0)
{
/* found plugin name */
strncpy(tmp_entry->pluginname,val,LCAS_MAXPATHLEN);
(tmp_entry->pluginname)[LCAS_MAXPATHLEN]=NUL;
}
else if (strncmp(var,"pluginargs",strlen("pluginargs")) == 0)
{
/* found plugin database */
strncpy(tmp_entry->pluginargs,val,LCAS_MAXARGSTRING);
(tmp_entry->pluginargs)[LCAS_MAXARGSTRING]=NUL;
}
else
{
/* unknown option: do nothing */
}
}
}
/* succes */
*entry=tmp_entry;
return 1;
error:
if (tmp_entry != NULL) free(tmp_entry);
return 0;
}
