/******************************************************************************
Function: lcas_db_fill_entry
documentation in _lcas_db_read.h
******************************************************************************/
lcas_db_entry_t * lcas_db_fill_entry(
lcas_db_entry_t ** list,
lcas_db_entry_t * entry
)
{
lcas_db_entry_t * plist;
if (entry == NULL)
{
lcas_log(0,"lcas.mod-lcas_db_fill_entry(): error null entry\n");
return NULL;
}
if (!(*list))
{
lcas_log_debug(2,"lcas.mod-lcas_db_fill_entry(): creating first list entry\n");
*list=plist=(lcas_db_entry_t *)malloc(sizeof(lcas_db_entry_t));
}
else
{
lcas_log_debug(2,"lcas.mod-lcas_db_fill_entry(): creating new list entry\n");
plist=*list;
while (plist->next) plist=plist->next;
plist=plist->next=(lcas_db_entry_t *)malloc(sizeof(lcas_db_entry_t));
}
if (!plist)
{
lcas_log(0,"lcas.mod-lcas_db_fill_entry(): error creating new list entry\n");
return NULL;
}
plist->next=NULL;
if (entry->pluginname != NULL)
{
strncpy(plist->pluginname,entry->pluginname,LCAS_MAXPATHLEN);
(plist->pluginname)[LCAS_MAXPATHLEN]=NUL;
}
else
strncpy(plist->pluginname,"",LCAS_MAXPATHLEN);
if (entry->pluginargs != NULL)
{
strncpy(plist->pluginargs,entry->pluginargs,LCAS_MAXARGSTRING);
(plist->pluginargs)[LCAS_MAXARGSTRING]=NUL;
}
else
strncpy(plist->pluginargs,"",LCAS_MAXARGSTRING);
return plist;
}
/*!
\fn lcas_db_parse_string(
char ** pstring
)
\brief Takes a string and removes prepending and trailing spaces and quotes (unless escaped)
\param pstring pointer to a pointer to a char
\retval 1 succes.
\retval 0 failure.
\internal
*/
static int lcas_db_parse_string(
char ** pstring
)
{
char * end;
char * string;
string=*pstring;
if (*string==NUL)
{
lcas_log(0,"lcas.mod-lcas_db_parse_string(): error parsing null string\n");
return 0;
}
/* Is string quoted ? */
if (strchr(QUOTING_CHARS, *string) != NULL)
{
/*
* Yes, skip over opening quote and look for unescaped
* closing double quote
*/
string++;
end=string;
do
{
end += strcspn(end, QUOTING_CHARS);
if (*end == NUL)
{
lcas_log(0,"lcas.mod-lcas_db_parse_string(): missing closing quote\n");
return 0; /* Missing closing quote */
}
/* Make sure it's not escaped */
}
while (strchr(ESCAPING_CHARS, *(end - 1)) != NULL);
}
else
{
end = string + strcspn(string, WHITESPACE_CHARS);
}
*end=NUL;
*pstring=string;
return 1;
}
/******************************************************************************
Function: lcas_db_clean
documentation in _lcas_db_read.h
******************************************************************************/
int lcas_db_clean()
{
if(lcas_db_clean_list(&lcas_db_list) != 0)
{
lcas_log(0,"lcas.mod-lcas_db_clean() error: could not clean list\n");
return 1;
}
return 0;
}
int plugin_initialize(int argc, char ** argv)
{
int i;
lcas_log_debug(2,"%s-plugin_initialize(): passed arguments:\n",modname);
for (i=0; i < argc; i++)
{
lcas_log_debug(2,"%s-plugin_initialize(): arg %d is %s\n",
modname,i,argv[i]);
}
disableWildCardMatching = isParamEnabled ("-disable_wildcards", argc, argv);
disableWildCardMatching ? lcas_log_debug(2,"%s-plugin_initialize(): wildcard matching is disabled\n", modname)
: lcas_log_debug(2,"%s-plugin_initialize(): wildcard matching is enabled\n", modname);
if (argc > 1)
userban_db = lcas_findfile(argv[1]);
/* Test if userban_db can be opened */
if (userban_db == NULL)
{
lcas_log(0,"\t%s-plugin_initialize() error: banned user file required !\n",
modname);
return LCAS_MOD_NOFILE;
}
if (lcas_getfexist(1,userban_db) == NULL)
{
lcas_log(0,
"\t%s-plugin_initialize() error: Cannot find banned user file: %s\n",
modname,userban_db
);
return LCAS_MOD_NOFILE;
}
return LCAS_MOD_SUCCESS;
}
/******************************************************************************
Function: plugin_confirm_authorization
Description:
Ask for authorization by passing RSL and user credential
Parameters:
request: RSL request
user_cred: user credential
Returns:
LCAS_MOD_SUCCESS: authorization succeeded
LCAS_MOD_FAIL : authorization failed
LCAS_MOD_NOFILE : db file not found
******************************************************************************/
int
plugin_confirm_authorization(lcas_request_t request, lcas_cred_id_t lcas_cred)
{
int rc;
char * dummy = NULL;
char * user_dn = NULL;
/*
* check credential and get the globus name
*/
if ( (user_dn = lcas_get_dn(lcas_cred)) == NULL)
{
lcas_log(0, "lcas.mod-lcas_get_fabric_authorization() error: user DN empty\n");
goto lcas_userban_noauth;
}
/* Do the check */
lcas_log_debug(0,"\t%s-plugin_confirm_authorization(): checking banned users in %s\n",
modname,userban_db);
/*
* The new default is to perform the wildcard matching, based upon fnmatch
* You'll need to explicitly disable it in the initialization parameters
*/
if (! disableWildCardMatching)
rc = lcas_gridlist(user_dn, &dummy, userban_db, MATCH_WILD_CHARS|MATCH_ONLY_DN, NULL, NULL);
else
rc = lcas_gridlist(user_dn, &dummy, userban_db, MATCH_ONLY_DN, NULL, NULL);
if ( rc == LCAS_MOD_ENTRY )
{
/* Entry found for user_dn, so the user is banned */
lcas_log_debug(0,"\t%s-plugin_confirm_authorization(): entry found for %s\n",
modname,user_dn);
goto lcas_userban_noauth;
}
else if ( rc == LCAS_MOD_NOFILE )
{
/* file not found */
lcas_log(0,
"\t%s-plugin_confirm_authorization() error: Cannot find banned user file: %s\n",
modname,userban_db);
goto lcas_userban_nofile;
}
lcas_userban_auth:
/* authorization = no entry found for user_dn */
if (dummy != NULL) free(dummy);
return LCAS_MOD_SUCCESS;
lcas_userban_noauth:
/* no authorization = entry found for user_dn */
if (dummy != NULL) free(dummy);
return LCAS_MOD_FAIL;
lcas_userban_nofile:
/* file not found */
if (dummy != NULL) free(dummy);
return LCAS_MOD_NOFILE;
}
int
plugin_confirm_authorization(lcas_request_t request, lcas_cred_id_t lcas_cred)
{
char *user_dn;
int ret;
edg_wll_Context ctx;
struct _edg_wll_GssPrincipal_data princ;
X509 *cert = NULL;
STACK_OF(X509) * chain = NULL;
void *cred = NULL;
struct vomsdata *voms_info = NULL;
int err;
authz_action action;
memset(&princ, 0, sizeof(princ));
lcas_log_debug(1,"\t%s-plugin: checking LB access policy\n",
modname);
if (edg_wll_InitContext(&ctx) != 0) {
lcas_log(0, "Couldn't create L&B context\n");
ret = LCAS_MOD_FAIL;
goto end;
}
if ((action = find_authz_action(request)) == ACTION_UNDEF) {
lcas_log(0, "lcas.mod-lb() error: unsupported action\n");
ret = LCAS_MOD_FAIL;
goto end;
}
user_dn = lcas_get_dn(lcas_cred);
if (user_dn == NULL) {
lcas_log(0, "lcas.mod-lb() error: user DN empty\n");
ret = LCAS_MOD_FAIL;
goto end;
}
princ.name = user_dn;
cred = lcas_get_gss_cred(lcas_cred);
if (cred == NULL) {
lcas_log(0, "lcas.mod-lb() warning: user gss credential empty\n");
#if 0
ret = LCAS_MOD_FAIL;
goto end;
#endif
}
#ifndef NO_GLOBUS_GSSAPI
if (cred) {
voms_info = VOMS_Init(NULL, NULL);
if (voms_info == NULL) {
lcas_log(0, "lcas.mod-lb() failed to initialize VOMS\n");
ret = LCAS_MOD_FAIL;
goto end;
}
ret = VOMS_RetrieveFromCred(cred, RECURSE_CHAIN, voms_info, &err);
if (ret == 1)
edg_wll_get_fqans(ctx, voms_info, &princ.fqans);
}
#endif
ret = check_authz_policy(edg_wll_get_server_policy(), &princ, action);
ret = (ret == 1) ? LCAS_MOD_SUCCESS : LCAS_MOD_FAIL;
end:
edg_wll_FreeContext(ctx);
#ifndef NO_GLOBUS_GSSAPI
if (voms_info)
VOMS_Destroy(voms_info);
#endif
if (cert)
X509_free(cert);
if (chain)
sk_X509_pop_free(chain, X509_free);
return ret;
}
/*!
\fn lcas_db_parse_pair(
char * pair,
char ** pvar,
char ** pval
)
\brief Parses a database variable-value pair and returns the variable name and its value
\param pair string containing the pair
\param pvar pointer to the variable string
\param pval pointer to the value string
\retval 1 succes.
\retval 0 failure.
\internal
*/
static int lcas_db_parse_pair(
char * pair,
char ** pvar,
char ** pval
)
{
int len;
char * var;
char * val;
if (pair == NULL)
{
lcas_log(0,"lcas.mod-lcas_db_parse_pair(): cannot parse empty pair\n");
return 0;
}
/* Skip over leading whitespace */
pair += strspn(pair, WHITESPACE_CHARS);
if (*pair == NUL)
{
lcas_log(0,"lcas.mod-lcas_db_parse_pair(): cannot parse empty pair\n");
return 0;
}
var=pair;
len=strcspn(pair, VARVAL_SEP_CHARS);
pair+=len;
if (*pair == NUL)
{
/* Cannot find '=' */
lcas_log(0,"lcas.mod-lcas_db_parse_pair(): cannot find =\n");
return 0;
}
if (strchr(VARVAL_SEP_CHARS, *pair) != NULL)
{
/* Found ' var =' and replace '=' with NUL*/
*pair=NUL;
if (! lcas_db_parse_string(&var))
{
/* error parsing variable name */
return 0;
}
pair+=1;
if (*pair==NUL)
{
/* No value found */
/* val=NULL; */
val=pair;
*pvar=var;
*pval=val;
return 1;
}
else
{
/* Skip over leading whitespace */
pair += strspn(pair, WHITESPACE_CHARS);
if (*pair == NUL)
{
/* No value found */
/* val=NULL; */
val=pair;
*pvar=var;
*pval=val;
return 1;
}
val=pair;
if (! lcas_db_parse_string(&val))
{
/* error parsing value */
return 0;
}
}
}
else
{
/* Cannot find '=' */
lcas_log(0,"lcas.mod-lcas_db_parse_pair(): cannot find =\n");
return 0;
}
/* success */
*pvar=var;
*pval=val;
return 1;
}
/*!
\fn lcas_db_parse_line(
char * line,
lcas_db_entry_t ** entry
)
\brief Parses database line and fills database structure
\param line database line
\param entry pointer to a pointer to a database structure (can/should be freed afterwards)
\retval 1 succes.
\retval 0 failure.
\internal
*/
static int lcas_db_parse_line(
char * line,
lcas_db_entry_t ** entry
)
{
char * var_val_pairs[MAXPAIRS];
char * var;
char * val;
int ipair;
int no_pairs;
size_t len;
lcas_db_entry_t * tmp_entry=NULL;
/* Check arguments */
if ((line == NULL) || (*entry != NULL))
{
lcas_log(0,"lcas.mod-lcas_db_parse_line(): something wrong with arguments\n");
goto error;
}
/* Skip over leading whitespace */
line += strspn(line, WHITESPACE_CHARS);
/* Check for comment at start of line and ignore line if present */
if (strchr(COMMENT_CHARS, *line) != NULL)
{
/* Ignore line, return NULL entry. */
*entry=NULL;
return 1;
}
/* Check for empty line */
if (*line == NUL)
{
/* Empty line, return NULL entry. */
*entry=NULL;
return 1;
}
/* Look for variable-value pairs by checking the PAIR_SEP_CHARS */
ipair=0;
len=0;
while (*line != NUL)
{
len=strcspn(line, PAIR_SEP_CHARS);
if (len > 0)
{
var_val_pairs[ipair] = line;
ipair++;
line+=len;
if (*line == NUL)
{
/* probably end of line */
continue;
}
if (strchr(PAIR_SEP_CHARS, *line) != NULL)
{
*line=NUL;
line += 1;
}
}
else
{
/* len = 0, so *line=PAIR_SEP_CHARS */
line += 1;
}
line += strspn(line, WHITESPACE_CHARS);
}
no_pairs=ipair;
if (no_pairs)
{
tmp_entry=malloc(sizeof(*tmp_entry));
if (tmp_entry == NULL)
{
lcas_log(0,"lcas.mod-lcas_db_parse_line(): error allocating memory\n");
goto error;
}
for (ipair=0; ipair < no_pairs; ipair++)
{
int rc=0;
lcas_log_debug(3,"pair %d:%s-endpair\n",ipair, var_val_pairs[ipair]);
rc=lcas_db_parse_pair(var_val_pairs[ipair], &var, &val);
if (! rc)
{
/* error parsing variable-value pair */
lcas_log(0,"lcas.mod-lcas_db_parse_line(): error parsing variable-value pair\n");
goto error;
}
lcas_log_debug(3,"var: %s, value: %s\n",var,val);
if (strncmp(var,"pluginname",strlen("pluginname")) == 0)
{
/* found plugin name */
strncpy(tmp_entry->pluginname,val,LCAS_MAXPATHLEN);
(tmp_entry->pluginname)[LCAS_MAXPATHLEN]=NUL;
}
else if (strncmp(var,"pluginargs",strlen("pluginargs")) == 0)
{
/* found plugin database */
strncpy(tmp_entry->pluginargs,val,LCAS_MAXARGSTRING);
(tmp_entry->pluginargs)[LCAS_MAXARGSTRING]=NUL;
}
else
{
/* unknown option: do nothing */
}
}
}
/* succes */
*entry=tmp_entry;
return 1;
error:
if (tmp_entry != NULL) free(tmp_entry);
return 0;
}
