/** * Clone the attribute and return a copy */ xacml_attribute_t * xacml_attribute_clone(const xacml_attribute_t * attr) { xacml_attribute_t * clone; size_t nvalues; int i; if (attr == NULL) { pep_log_warn("xacml_attribute_clone: attr is NULL."); return NULL; } clone= xacml_attribute_create(attr->id); if (clone == NULL) { pep_log_error("xacml_attribute_clone: can't create clone with id: %s", attr->id); return NULL; } /* datatype */ if (xacml_attribute_setdatatype(clone,attr->datatype) != PEP_XACML_OK) { pep_log_error("xacml_attribute_clone: can't set datatype: %s",attr->datatype); xacml_attribute_delete(clone); return NULL; } /* issuer */ if (xacml_attribute_setissuer(clone,attr->issuer) != PEP_XACML_OK) { pep_log_error("xacml_attribute_clone: can't set issuer: %s",attr->issuer); xacml_attribute_delete(clone); return NULL; } /* values */ nvalues= xacml_attribute_values_length(attr); for(i= 0; i<nvalues; i++) { const char * value= xacml_attribute_getvalue(attr,i); if (xacml_attribute_addvalue(clone,value) != PEP_XACML_OK) { pep_log_error("xacml_attribute_clone: can't clone value[%d]: %s",i,value); xacml_attribute_delete(clone); return NULL; } } return clone; }
/* * Creates a new Subject/Attribute XACML_SUBJECT_KEY_INFO based on the * XACML_AUTHZINTEROP_SUBJECT_CERTCHAIN. * Creates new Subject/Attributes XACML_GRIDWN_ATTRIBUTE_FQAN and * XACML_GRIDWN_ATTRIBUTE_FQAN_PRIMARY based on XACML_AUTHZINTEROP_SUBJECT_VOMS_FQAN and * XACML_AUTHZINTEROP_SUBJECT_VOMS_PRIMARY_FQAN. * Adds the XACML_GRIDWN_ATTRIBUTE_PROFILE_ID in the Environment if not already present. */ static int authzinterop2gridwn_pip_process(xacml_request_t ** request) { int i, j, profile_id_present; size_t subjects_l= xacml_request_subjects_length(*request); xacml_environment_t * environment; size_t environment_attrs_l; for (i= 0; i<subjects_l; i++) { xacml_subject_t * subject= xacml_request_getsubject(*request,i); size_t subject_attrs_l= xacml_subject_attributes_length(subject); for(j= 0; j<subject_attrs_l; j++) { xacml_attribute_t * attr= xacml_subject_getattribute(subject,j); const char * attr_id= xacml_attribute_getid(attr); if (strncmp(XACML_AUTHZINTEROP_SUBJECT_CERTCHAIN,attr_id,strlen(XACML_AUTHZINTEROP_SUBJECT_CERTCHAIN)) == 0) { xacml_attribute_t * keyinfo= xacml_attribute_clone(attr); pep_log_debug("%s: clone subject[%d].attribute[%d].id= %s",AUTHZINTEROP_TO_GRIDWN_ADAPTER_ID, i,j,attr_id); if (keyinfo!=NULL) { pep_log_debug("%s: set cloned attribute id= %s",AUTHZINTEROP_TO_GRIDWN_ADAPTER_ID,XACML_SUBJECT_KEY_INFO); xacml_attribute_setid(keyinfo,XACML_SUBJECT_KEY_INFO); pep_log_debug("%s: set cloned attribute datatype= %s",AUTHZINTEROP_TO_GRIDWN_ADAPTER_ID,XACML_DATATYPE_STRING); xacml_attribute_setdatatype(keyinfo,XACML_DATATYPE_STRING); if (xacml_subject_addattribute(subject,keyinfo) != PEP_XACML_OK) { pep_log_error("%s: failed to add new attribute{%s} to subject[%d]",AUTHZINTEROP_TO_GRIDWN_ADAPTER_ID,XACML_SUBJECT_KEY_INFO,i); xacml_attribute_delete(keyinfo); } } else { pep_log_warn("%s: failed to clone subject[%d].attribute[%d]",AUTHZINTEROP_TO_GRIDWN_ADAPTER_ID, i,j); } } else if (strncmp(XACML_AUTHZINTEROP_SUBJECT_VOMS_PRIMARY_FQAN,attr_id,strlen(XACML_AUTHZINTEROP_SUBJECT_VOMS_PRIMARY_FQAN))==0) { xacml_attribute_t * fqan_primary= xacml_attribute_clone(attr); pep_log_debug("%s: clone subject[%d].attribute[%d].id= %s",AUTHZINTEROP_TO_GRIDWN_ADAPTER_ID, i,j,attr_id); if (fqan_primary!=NULL) { pep_log_debug("%s: set cloned attribute id= %s",AUTHZINTEROP_TO_GRIDWN_ADAPTER_ID,XACML_GRIDWN_ATTRIBUTE_FQAN_PRIMARY); xacml_attribute_setid(fqan_primary,XACML_GRIDWN_ATTRIBUTE_FQAN_PRIMARY); pep_log_debug("%s: set cloned attribute datatype= %s",AUTHZINTEROP_TO_GRIDWN_ADAPTER_ID,XACML_GRIDWN_DATATYPE_FQAN); xacml_attribute_setdatatype(fqan_primary,XACML_GRIDWN_DATATYPE_FQAN); if (xacml_subject_addattribute(subject,fqan_primary) != PEP_XACML_OK) { pep_log_error("%s: failed to add new attribute{%s} to subject[%d]",AUTHZINTEROP_TO_GRIDWN_ADAPTER_ID,XACML_GRIDWN_ATTRIBUTE_FQAN_PRIMARY,i); xacml_attribute_delete(fqan_primary); } } else { pep_log_warn("%s: failed to clone subject[%d].attribute[%d]",AUTHZINTEROP_TO_GRIDWN_ADAPTER_ID, i,j); } } else if (strncmp(XACML_AUTHZINTEROP_SUBJECT_VOMS_FQAN,attr_id,strlen(XACML_AUTHZINTEROP_SUBJECT_VOMS_FQAN))==0) { xacml_attribute_t * fqans= xacml_attribute_clone(attr); pep_log_debug("%s: clone subject[%d].attribute[%d].id= %s",AUTHZINTEROP_TO_GRIDWN_ADAPTER_ID, i,j,attr_id); if (fqans!=NULL) { pep_log_debug("%s: set cloned attribute id= %s",AUTHZINTEROP_TO_GRIDWN_ADAPTER_ID,XACML_GRIDWN_ATTRIBUTE_FQAN_PRIMARY); xacml_attribute_setid(fqans,XACML_GRIDWN_ATTRIBUTE_FQAN_PRIMARY); pep_log_debug("%s: set cloned attribute datatype= %s",AUTHZINTEROP_TO_GRIDWN_ADAPTER_ID,XACML_GRIDWN_DATATYPE_FQAN); xacml_attribute_setdatatype(fqans,XACML_GRIDWN_DATATYPE_FQAN); if (xacml_subject_addattribute(subject,fqans) != PEP_XACML_OK) { pep_log_error("%s: failed to add new attribute{%s} to subject[%d]",AUTHZINTEROP_TO_GRIDWN_ADAPTER_ID,XACML_GRIDWN_ATTRIBUTE_FQAN_PRIMARY,i); xacml_attribute_delete(fqans); } } else { pep_log_warn("%s: failed to clone subject[%d].attribute[%d]",AUTHZINTEROP_TO_GRIDWN_ADAPTER_ID, i,j); } } } } /* check environment for Grid WN AuthZ Profile ID, if not present add it */ environment= xacml_request_getenvironment(*request); /* create environment if not already existing */ if (environment==NULL) { environment= xacml_environment_create(); if (environment!=NULL) { xacml_request_setenvironment(*request,environment); } else { pep_log_warn("%s: failed to create XACML Environment",AUTHZINTEROP_TO_GRIDWN_ADAPTER_ID); } } environment_attrs_l= xacml_environment_attributes_length(environment); profile_id_present= 0; for (i= 0; i<environment_attrs_l; i++) { xacml_attribute_t * attr= xacml_environment_getattribute(environment,i); const char * attr_id= xacml_attribute_getid(attr); if (strncmp(XACML_GRIDWN_ATTRIBUTE_PROFILE_ID,attr_id,strlen(XACML_GRIDWN_ATTRIBUTE_PROFILE_ID))==0) { pep_log_debug("%s: found environment.attribute[%d].id= %s",AUTHZINTEROP_TO_GRIDWN_ADAPTER_ID,i,attr_id); profile_id_present= 1; } } /* profile id is not present, then add it */ if (!profile_id_present && environment) { /* create env attribute */ xacml_attribute_t * env_attr= xacml_attribute_create(XACML_GRIDWN_ATTRIBUTE_PROFILE_ID); if (env_attr!=NULL) { xacml_attribute_setdatatype(env_attr,XACML_DATATYPE_ANYURI); xacml_attribute_addvalue(env_attr,XACML_GRIDWN_PROFILE_VERSION); xacml_environment_addattribute(environment,env_attr); } else { pep_log_warn("%s: failed to create XACML Environment/Attribute{%s}",AUTHZINTEROP_TO_GRIDWN_ADAPTER_ID,XACML_GRIDWN_ATTRIBUTE_PROFILE_ID); } } return 0; }
/* * Creates a XACML Request containing a XACML Subject with the given subjectid, a XACML Resource * with the given resourceid and a XACML Action with the given actionid. * * @param [in/out] request address of the pointer to the XACML request object * @param [in] subjectid, a X.509 DN, attribute value of the XACML Request/Subject element * @param [in] resourceid attribute value of the XACML Request/Resource element * @param [in] actionid attribute value of the XACML Request/Action element * @return 0 on success or error code on failure. */ static int create_xacml_request(xacml_request_t ** request,const char * subjectid, const char * resourceid, const char * actionid) { xacml_subject_t * subject; xacml_attribute_t * subject_attr_id; xacml_resource_t * resource; xacml_attribute_t * resource_attr_id; xacml_action_t * action; xacml_attribute_t * action_attr_id; /* XACML Subject with subjectid Attribute value */ subject= xacml_subject_create(); if (subject == NULL) { fprintf(stderr,"can not create XACML Subject\n"); return 1; } subject_attr_id= xacml_attribute_create(XACML_SUBJECT_ID); if (subject_attr_id == NULL) { fprintf(stderr,"can not create XACML Subject/Attribute:%s\n",XACML_SUBJECT_ID); xacml_subject_delete(subject); return 1; } // set X.509 DN value xacml_attribute_addvalue(subject_attr_id,subjectid); // set attribute datatype for X.509 DN xacml_attribute_setdatatype(subject_attr_id,XACML_DATATYPE_X500NAME); xacml_subject_addattribute(subject,subject_attr_id); /* XACML Resource with resourceid Attribute value */ resource= xacml_resource_create(); if (resource == NULL) { fprintf(stderr,"can not create XACML Resource\n"); xacml_subject_delete(subject); return 2; } resource_attr_id= xacml_attribute_create(XACML_RESOURCE_ID); if (resource_attr_id == NULL) { fprintf(stderr,"can not create XACML Resource/Attribute:%s\n",XACML_RESOURCE_ID); xacml_subject_delete(subject); xacml_resource_delete(resource); return 2; } xacml_attribute_addvalue(resource_attr_id,resourceid); xacml_resource_addattribute(resource,resource_attr_id); /* XACML Action with actionid Attribute value */ action= xacml_action_create(); if (action == NULL) { fprintf(stderr,"can not create XACML Action\n"); xacml_subject_delete(subject); xacml_resource_delete(resource); return 3; } action_attr_id= xacml_attribute_create(XACML_ACTION_ID); if (action_attr_id == NULL) { fprintf(stderr,"can not create XACML Action/Attribute:%s\n",XACML_ACTION_ID); xacml_subject_delete(subject); xacml_resource_delete(resource); xacml_action_delete(action); return 3; } xacml_attribute_addvalue(action_attr_id,actionid); xacml_action_addattribute(action,action_attr_id); /* XACML Request with all elements */ *request= xacml_request_create(); if (*request == NULL) { fprintf(stderr,"can not create XACML Request\n"); xacml_subject_delete(subject); xacml_resource_delete(resource); xacml_action_delete(action); return 4; } xacml_request_addsubject(*request,subject); xacml_request_addresource(*request,resource); xacml_request_setaction(*request,action); return 0; }
static int xacml_attribute_unmarshal(xacml_attribute_t ** attr, const hessian_object_t * h_attribute) { const char * map_type; xacml_attribute_t * attribute; size_t map_l; int i; if (hessian_gettype(h_attribute) != HESSIAN_MAP) { log_error("xacml_attribute_unmarshal: wrong Hessian type: %d (%s).", hessian_gettype(h_attribute), hessian_getclassname(h_attribute)); return PEP_IO_ERROR; } map_type= hessian_map_gettype(h_attribute); if (map_type == NULL) { log_error("xacml_attribute_unmarshal: NULL Hessian map type."); return PEP_IO_ERROR; } if (strcmp(XACML_HESSIAN_ATTRIBUTE_CLASSNAME,map_type) != 0) { log_error("xacml_attribute_unmarshal: wrong Hessian map type: %s.",map_type); return PEP_IO_ERROR; } attribute= xacml_attribute_create(NULL); if (attribute == NULL) { log_error("xacml_attribute_unmarshal: can't create XACML attribute."); return PEP_IO_ERROR; } /* parse all map pair<key>s */ map_l= hessian_map_length(h_attribute); for(i= 0; i<map_l; i++) { hessian_object_t * h_map_key= hessian_map_getkey(h_attribute,i); const char * key; if (hessian_gettype(h_map_key) != HESSIAN_STRING) { log_error("xacml_attribute_unmarshal: Hessian map<key> is not an Hessian string at: %d.",i); xacml_attribute_delete(attribute); return PEP_IO_ERROR; } key= hessian_string_getstring(h_map_key); if (key == NULL) { log_error("xacml_attribute_unmarshal: Hessian map<key>: NULL string at: %d.",i); xacml_attribute_delete(attribute); return PEP_IO_ERROR; } /* id (mandatory) */ if (strcmp(XACML_HESSIAN_ATTRIBUTE_ID,key) == 0) { hessian_object_t * h_string= hessian_map_getvalue(h_attribute,i); const char * id; if (hessian_gettype(h_string) != HESSIAN_STRING) { log_error("xacml_attribute_unmarshal: Hessian map<'%s',value> is not a Hessian string at: %d.",key,i); xacml_attribute_delete(attribute); return PEP_IO_ERROR; } id= hessian_string_getstring(h_string); if (xacml_attribute_setid(attribute,id) != PEP_XACML_OK) { log_error("xacml_attribute_unmarshal: can't set id: %s to XACML attribute at: %d",id,i); xacml_attribute_delete(attribute); return PEP_IO_ERROR; } } /* datatype (optional) */ else if (strcmp(XACML_HESSIAN_ATTRIBUTE_DATATYPE,key) == 0) { const char * datatype= NULL; hessian_object_t * h_string= hessian_map_getvalue(h_attribute,i); hessian_t h_string_type= hessian_gettype(h_string); if ( h_string_type != HESSIAN_STRING && h_string_type != HESSIAN_NULL) { log_error("xacml_attribute_unmarshal: Hessian map<'%s',value> is not a Hessian string or null at: %d.",key,i); xacml_attribute_delete(attribute); return PEP_IO_ERROR; } if (h_string_type == HESSIAN_STRING) { datatype= hessian_string_getstring(h_string); } if (xacml_attribute_setdatatype(attribute,datatype) != PEP_XACML_OK) { log_error("xacml_attribute_unmarshal: can't set datatype: %s to XACML attribute at: %d",datatype,i); xacml_attribute_delete(attribute); return PEP_IO_ERROR; } } /* issuer (optional) */ else if (strcmp(XACML_HESSIAN_ATTRIBUTE_ISSUER,key) == 0) { const char * issuer = NULL; hessian_object_t * h_string= hessian_map_getvalue(h_attribute,i); hessian_t h_string_type= hessian_gettype(h_string); if ( h_string_type != HESSIAN_STRING && h_string_type != HESSIAN_NULL) { log_error("xacml_attribute_unmarshal: Hessian map<'%s',value> is not a Hessian string or null at: %d.",key,i); xacml_attribute_delete(attribute); return PEP_IO_ERROR; } if (h_string_type == HESSIAN_STRING) { issuer= hessian_string_getstring(h_string); } if (xacml_attribute_setissuer(attribute,issuer) != PEP_XACML_OK) { log_error("xacml_attribute_unmarshal: can't set issuer: %s to XACML attribute at: %d",issuer,i); xacml_attribute_delete(attribute); return PEP_IO_ERROR; } } /* values list */ else if (strcmp(XACML_HESSIAN_ATTRIBUTE_VALUES,key) == 0) { hessian_object_t * h_values= hessian_map_getvalue(h_attribute,i); size_t h_values_l; int j; if (hessian_gettype(h_values) != HESSIAN_LIST) { log_error("xacml_attribute_unmarshal: Hessian map<'%s',value> is not a Hessian list.",key); xacml_attribute_delete(attribute); return PEP_IO_ERROR; } h_values_l= hessian_list_length(h_values); for(j= 0; j<h_values_l; j++) { const char * value; hessian_object_t * h_value= hessian_list_get(h_values,j); if (hessian_gettype(h_value) != HESSIAN_STRING) { log_error("xacml_attribute_unmarshal: Hessian map<'%s',value> is not a Hessian string at: %d.",key,i); xacml_attribute_delete(attribute); return PEP_IO_ERROR; } value= hessian_string_getstring(h_value); if (xacml_attribute_addvalue(attribute,value) != PEP_XACML_OK) { log_error("xacml_attribute_unmarshal: can't add value: %s to XACML attribute at: %d",value,j); xacml_attribute_delete(attribute); return PEP_IO_ERROR; } } } else { log_warn("xacml_attribute_unmarshal: unknown Hessian map<key>: %s at: %d.",key,i); } } *attr= attribute; return PEP_IO_OK; }
/* * MAIN * * usage: ./test-pep <URL> */ int main(int argc, char **argv) { PEP * pep; pep_error_t pep_rc; char * url= "http://localhost:8080/PEPd/authz?random"; if (argc == 2) { url= argv[1]; info("%s: using endpoint URL: %s",argv[0], url); } info("initialize PEP..."); pep= pep_initialize(); if (pep == NULL) { error("test_pep: pep_initialize() failed"); return -1; } info("set LOG options..."); pep_setoption(pep,PEP_OPTION_LOG_STDERR,stderr); pep_setoption(pep,PEP_OPTION_LOG_LEVEL,PEP_LOGLEVEL_DEBUG); // DEBUG, INFO, WARN and ERROR pep_setoption(pep,PEP_OPTION_LOG_HANDLER,log_handler_pep); // will override stderr log handler info("create PIP"); pep_pip_t * pip= pip_create("PIPRequestDumper",pip_init,pip_process,pip_destroy); if (pip == NULL) { error("test_pep: pip_create(...) failed"); pep_destroy(pep); return -1; } info("install PIP: %s",pip->id); pep_rc= pep_addpip(pep,pip); if (pep_rc != PEP_OK) { error("test_pep: pep_addpip() failed: %s",pep_strerror(pep_rc)); pep_destroy(pep); return -1; } info("install PIP: %s",authzinterop2gridwn_adapter_pip->id); pep_rc= pep_addpip(pip,authzinterop2gridwn_adapter_pip); if (pep_rc != PEP_OK) { error("test_pep: pep_addpip() failed: %s",pep_strerror(pep_rc)); pep_destroy(pep); return -1; } info("install PIP: %s",pip->id); pep_rc= pep_addpip(pep,pip); if (pep_rc != PEP_OK) { error("test_pep: pep_addpip() failed: %s",pep_strerror(pep_rc)); pep_destroy(pep); return -1; } info("create OH and add to PEP..."); pep_obligationhandler_t * oh= oh_create("OHResponseDumper",oh_init,oh_process,oh_destroy); if (oh == NULL) { error("test_pep: oh_create(...) failed"); pep_destroy(pep); return -1; } pep_rc= pep_addobligationhandler(pep,oh); if (pep_rc != PEP_OK) { error("test_pep: pep_addobligationhandler() failed: %s",pep_strerror(pep_rc)); pep_destroy(pep); return -1; } // create a XACML request info("create XACML request..."); xacml_request_t * request= xacml_request_create(); assert(request); info("add XACML subject(cert-chain)..."); xacml_subject_t * subject= xacml_subject_create(); assert(subject); xacml_attribute_t * certchain= xacml_attribute_create(XACML_AUTHZINTEROP_SUBJECT_CERTCHAIN); assert(certchain); xacml_attribute_addvalue(certchain,"PEM_ENCODE_PROXY_CERTCHAIN..."); xacml_attribute_setdatatype(certchain,XACML_DATATYPE_BASE64BINARY); xacml_subject_addattribute(subject,certchain); xacml_request_addsubject(request,subject); info("add XACML resource(resource-id)..."); xacml_resource_t * resource= xacml_resource_create(); assert(resource); xacml_attribute_t * resource_id= xacml_attribute_create(XACML_RESOURCE_ID); assert(resource_id); xacml_attribute_addvalue(resource_id,"http://authz-interop.org/xacml/resource/resource-type/wn"); xacml_resource_addattribute(resource,resource_id); xacml_request_addresource(request,resource); info("set XACML action(action-id)..."); xacml_action_t * action= xacml_action_create(); assert(action); xacml_attribute_t * action_id= xacml_attribute_create(XACML_ACTION_ID); assert(action_id); xacml_attribute_addvalue(action_id,"http://authz-interop.org/xacml/action/action-type/execute-now"); xacml_action_addattribute(action,action_id); xacml_request_setaction(request,action); info("set XACML environment(path)..."); xacml_environment_t * environment= xacml_environment_create(); assert(environment); xacml_attribute_t * path= xacml_attribute_create("x-urn:authz:env:path"); assert(path); xacml_attribute_addvalue(path,"/usr/bin"); xacml_attribute_addvalue(path,"/opt/glite/bin"); xacml_attribute_addvalue(path,"/home/johndoe/bin"); xacml_environment_addattribute(environment,path); xacml_request_setenvironment(request,environment); // add many PEPd endpoints for failover testing info("set PEPd endpoint: %s", url); pep_rc= pep_setoption(PEP_OPTION_ENDPOINT_URL, url); info("set PEPd endpoint: %s", "http://www.google.com"); pep_rc= pep_setoption(PEP_OPTION_ENDPOINT_URL, "http://www.google.com"); info("set PEPd endpoint: %s", "http://localhost:8080/PEPd/authz?s7"); pep_rc= pep_setoption(PEP_OPTION_ENDPOINT_URL, "http://localhost:8080/PEPd/authz?s7"); info("set PEPd endpoint: %s", "http://nasjflkasdjflj.com"); pep_rc= pep_setoption(PEP_OPTION_ENDPOINT_URL, "http://nasjflkasdjflj.com"); info("set PEPd endpoint: %s", "http://localhost:8080/PEPd/authz?s3"); pep_rc= pep_setoption(PEP_OPTION_ENDPOINT_URL, "http://localhost:8080/PEPd/authz?s3"); info("set PEPd endpoint: %s", "http://hestia.switch.ch/PEPd/authz?s8"); pep_rc= pep_setoption(PEP_OPTION_ENDPOINT_URL, "http://hestia.switch.ch/PEPd/authz?s8"); info("set PEPd endpoint: %s", "http://localhost:8080"); // respond OK 200 pep_rc= pep_setoption(PEP_OPTION_ENDPOINT_URL, "http://localhost:8080"); // send authz request and process if (pep_rc != PEP_OK) { error("test_pep: pep_setoption(PEP_OPTION_ENDPOINT_URL,%s) failed: %s",url,pep_strerror(pep_rc)); pep_destroy(); return -1; } info("send XACML request to PEPd"); xacml_response_t * response= NULL; pep_rc= pep_authorize(&request,&response); if (pep_rc != PEP_OK) { error("test_pep: pep_authorize(request,response) failed: %s",pep_strerror(pep_rc)); xacml_request_delete(request); xacml_response_delete(response); pep_destroy(); pip_delete(pip); oh_delete(oh); return -1; } info("delete XACML request and response..."); xacml_request_delete(request); xacml_response_delete(response); info("destroy PEP..."); pep_rc= pep_destroy(); if (pep_rc != PEP_OK) { error("test_pep: pep_destroy() failed: %s",pep_strerror(pep_rc)); pip_delete(pip); oh_delete(oh); return pep_rc; } // WARNING: call these only AFTER pep_destroy()... info("delete PIP and OH structs..."); pip_delete(pip); oh_delete(oh); info("done."); return 0; }