/* This function will now accept a argument sock_port and will pass it to
* PBSD_authenticate, which will invoke pbs_iff passing this port as a command
* line argument. (both on unix and windows)
* This change is done because getsockname() fails sometimes on Windows.
*/
static int
engage_authentication(int sd,
char *server_name,
int server_port,
struct sockaddr_in *clnt_paddr)
{
int ret;
char errbuf[ERR_BUF_SIZE];
char ebuf[PBS_MAXHOSTNAME + PBS_MAXPORTNUM + 128] = {'\0'};
if ((sd < 0) || (clnt_paddr == NULL)) {
cs_logerr(-1, __func__, "Bad arguments, unable to authenticate.");
return (-1);
}
switch (pbs_conf.auth_method) {
case AUTH_MUNGE:
if ((ret = engage_external_authentication(sd, AUTH_MUNGE, 0, errbuf, sizeof(errbuf))) != 0)
cs_logerr(-1, __func__, errbuf);
return (ret);
case AUTH_RESV_PORT:
if ((ret = CS_client_auth(sd)) == CS_SUCCESS)
return (0);
if ((ret == CS_AUTH_USE_IFF)) {
/* CS_client_auth that got called was the one for STD security */
/*sock_port needs to be passed only for Windows.*/
if (PBSD_authenticate(sd, server_name, server_port, clnt_paddr) == 0)
return (0);
}
break;
default:
cs_logerr(-1, __func__, "Unrecognized authentication method");
return (-1);
}
sprintf(ebuf, "Unable to authenticate connection (%s:%d)", server_name, server_port);
cs_logerr(-1, __func__, ebuf);
/* Remove any associated per-connection security context
* remark: when using pbs_iff security there is none
*/
if (CS_close_socket(sd) != CS_SUCCESS) {
sprintf(ebuf, "Problem closing context (%s:%d)", server_name, server_port);
cs_logerr(-1, __func__, ebuf);
}
return (-1);
}
static int
engage_authentication(int sd, struct in_addr addr, int port, int authport_flags)
{
int ret;
int mode;
char ebuf[128];
char errbuf[1024];
#if !defined(WIN32) && !defined(__hpux)
char dst[INET_ADDRSTRLEN+1]; /* for inet_ntop */
#endif
if (sd < 0) {
cs_logerr(-1, __func__, "Bad arguments, unable to authenticate.");
return (-1);
}
mode = (authport_flags & B_SVR) ? CS_MODE_SERVER:CS_MODE_CLIENT;
if (authport_flags & B_EXTERNAL) {
if ((ret = engage_external_authentication(sd, pbs_conf.auth_method, mode, errbuf, sizeof(errbuf))) != 0)
cs_logerr(-1, __func__, errbuf);
return (ret);
} else {
if (mode == CS_MODE_SERVER) {
ret = CS_server_auth(sd);
if (ret == CS_SUCCESS || ret == CS_AUTH_CHECK_PORT)
return (0);
} else if (mode == CS_MODE_CLIENT) {
ret = CS_client_auth(sd);
if (ret == CS_SUCCESS || ret == CS_AUTH_USE_IFF) {
/*
* For authentication via iff CS_client_auth
* temporarily returning CS_AUTH_USE_IFF until such
* time as iff becomes a part of CS_client_auth
*/
return (0);
}
}
}
#if defined(WIN32) || defined(__hpux)
/*inet_ntoa is thread-safe on windows & hpux*/
sprintf(ebuf,
"Unable to authenticate with (%s:%d)",
inet_ntoa(addr), port);
#else
sprintf(ebuf,
"Unable to authenticate with (%s:%d)",
inet_ntop(AF_INET, (void *) &addr, dst,
INET_ADDRSTRLEN), port);
#endif
cs_logerr(-1, __func__, ebuf);
if ((ret = CS_close_socket(sd)) != CS_SUCCESS) {
#if defined(WIN32) || defined(__hpux)
sprintf(ebuf, "Problem closing context (%s:%d)",
inet_ntoa(addr), port);
#else
sprintf(ebuf,
"Problem closing context (%s:%d)",
inet_ntop(AF_INET, (void *) &addr, dst,
INET_ADDRSTRLEN), port);
#endif
cs_logerr(-1, __func__, ebuf);
}
return (-1);
}
/**
* @brief
* Generate munge key specific to the user and send PBS batch request
* (PBS_BATCH_AuthExternal)to PBS server to authenticate user.
*
* @param[in] sock - socket fd
* @param[in] auth_type - Authentication type (Munge/AMS etc)
* @param[in] fromsvr - connection initiated from server?
*
* @return int
* @retval 0 on success
* @retval -1 on failure
* @retval -2 on unsupported auth_type
*
*/
int
engage_external_authentication(int sock, int auth_type, int fromsvr, char *ebuf, int ebufsz)
{
int cred_len = 0, rc = 0, ret = 0;
char *cred = NULL;
struct batch_reply *reply = NULL;
switch (auth_type) {
#ifndef WIN32
case AUTH_MUNGE:
ebuf[0] = '\0';
cred = pbs_get_munge_auth_data(fromsvr, ebuf, ebufsz);
if (!cred)
goto err;
break;
#endif
default:
snprintf(ebuf, ebufsz, "Authentication type not supported");
ret = -2;
}
if (cred) {
ret = -1;
cred_len = strlen(cred);
DIS_tcp_setup(sock);
if (encode_DIS_ReqHdr(sock, PBS_BATCH_AuthExternal, pbs_current_user) ||
diswuc(sock, auth_type) || /* authentication_type */
diswsi(sock, cred_len) || /* credential length */
diswcs(sock, cred, cred_len) || /* credential data */
encode_DIS_ReqExtend(sock, NULL)) {
pbs_errno = PBSE_SYSTEM;
goto err;
}
if (DIS_tcp_wflush(sock)) {
pbs_errno = PBSE_SYSTEM;
goto err;
}
memset(cred, 0, cred_len);
reply = PBSD_rdrpy_sock(sock, &rc);
if ((reply != NULL) && (reply->brp_code != 0)) {
pbs_errno = PBSE_BADCRED;
PBSD_FreeReply(reply);
goto err;
}
PBSD_FreeReply(reply);
free(cred);
return 0;
}
/* else fall through */
err:
if (ebuf[0] != '\0') {
fprintf(stderr, "%s\n", ebuf);
cs_logerr(-1, __func__, ebuf);
}
free(cred);
return ret;
}
