/**
 * Authenticate the peer at hostAddr and, when that succeeds, exchange a
 * session key over mySock.
 *
 * The handshake itself is delegated to the overload that takes no key.
 * Unless the build defines SKIP_AUTHENTICATION, a successful handshake is
 * always followed by exchangeKey(); the original author flags this
 * unconditional key exchange as a temporary hack that should go away once
 * only one authentication method remains.
 *
 * @param hostAddr     Peer address, handed through to the handshake overload.
 * @param key          Receives the exchanged session key (see exchangeKey()).
 * @param auth_methods Method list, handed through to the handshake overload.
 * @param errstack     Receives an AUTHENTICATE_ERR_KEYEXCHANGE_FAILED entry
 *                     when the key exchange fails. NOTE(review): it is
 *                     dereferenced without a NULL check here — confirm that
 *                     no caller passes NULL.
 * @param timeout      Timeout, handed through to the handshake overload.
 * @return The handshake result when it failed (or when SKIP_AUTHENTICATION
 *         is defined); otherwise the exchangeKey() result, so 0 means
 *         either step failed.
 */
int Authentication::authenticate( char *hostAddr, KeyInfo *& key, const char* auth_methods, CondorError* errstack, int timeout)
{
    int outcome = authenticate(hostAddr, auth_methods, errstack, timeout);
#if !defined(SKIP_AUTHENTICATION)
    const bool handshake_ok = (outcome != 0);
    if (handshake_ok) {
        // Switch off the empty-message allowance for the duration of the
        // key exchange (presumably so an empty frame from the peer cannot
        // be taken for key material — confirm against exchangeKey()).
        mySock->allow_empty_message_flag = FALSE;
        outcome = exchangeKey(key);
        if (outcome == 0) {
            errstack->push("AUTHENTICATE", AUTHENTICATE_ERR_KEYEXCHANGE_FAILED,
                           "Failed to securely exchange session key");
        }
        // Re-arm the one-empty-message allowance regardless of whether the
        // exchange succeeded.
        mySock->allow_one_empty_message();
    }
#endif
    return outcome;
}
/**
 * Finish an authentication round: derive the outcome from auth_status,
 * apply identity mapping (the CERTIFICATE_MAPFILE map, or — when built with
 * Globus and no map file is configured — the GSI name callout), and, if
 * authentication succeeded and a key is pending in m_key, run the
 * session-key exchange over mySock.
 *
 * @param errstack  Receives an AUTHENTICATE_ERR_KEYEXCHANGE_FAILED entry when
 *                  the key exchange fails. NOTE(review): dereferenced without
 *                  a NULL check — confirm that no caller passes NULL.
 * @return Non-zero if a method succeeded and (when a key exchange ran) the
 *         exchange succeeded; 0 otherwise. Note that a failure of the GSI
 *         name mapping does NOT affect this value (see the shadowing note
 *         in the GSI branch below).
 */
int Authentication::authenticate_finish(CondorError *errstack)
{
    //if none of the methods succeeded, we fall thru to default "none" from above
    // retval is 0 or 1 here and is only reassigned by the key exchange at the
    // bottom of this function.
    int retval = ( auth_status != CAUTH_NONE );

    if (IsDebugVerbose(D_SECURITY)) {
        dprintf(D_SECURITY, "AUTHENTICATE: auth_status == %i (%s)\n", auth_status, (method_used?method_used:"?!?") );
    }
    dprintf(D_SECURITY, "Authentication was a %s.\n", retval == 1 ? "Success" : "FAILURE" );

    // at this point, all methods have set the raw authenticated name available
    // via getAuthenticatedName().
    if(authenticator_) {
        dprintf (D_SECURITY, "ZKM: setting default map to %s\n", authenticator_->getRemoteFQU()?authenticator_->getRemoteFQU():"(null)");
    }

    // check to see if CERTIFICATE_MAPFILE was defined. if so, use it. if
    // not, do nothing. the user and domain have been filled in by the
    // authentication method itself, so just leave that alone.
    // Only the presence of the setting matters here; the value itself is
    // freed immediately (the mapping code re-reads it as needed).
    char * cert_map_file = param("CERTIFICATE_MAPFILE");
    bool use_mapfile = (cert_map_file != NULL);
    if (cert_map_file) {
        free(cert_map_file);
        cert_map_file = 0;
    }

    // if successful so far, invoke the security MapFile. the output of that
    // is the "canonical user". if that has an '@' sign, split it up on the
    // last '@' and set the user and domain. if there is more than one '@',
    // the user will contain the leftovers after the split and the domain
    // always has none.
    // NOTE(review): unlike the dprintf above, this branch dereferences
    // authenticator_ without a NULL check; it relies on retval != 0
    // (auth_status != CAUTH_NONE) implying a non-NULL authenticator_ —
    // confirm that invariant holds for every method.
    if (retval && use_mapfile) {
        const char * name_to_map = authenticator_->getAuthenticatedName();
        if (name_to_map) {
            dprintf (D_SECURITY, "ZKM: name to map is '%s'\n", name_to_map);
            dprintf (D_SECURITY, "ZKM: pre-map: current user is '%s'\n", authenticator_->getRemoteUser()?authenticator_->getRemoteUser():"(null)");
            dprintf (D_SECURITY, "ZKM: pre-map: current domain is '%s'\n", authenticator_->getRemoteDomain()?authenticator_->getRemoteDomain():"(null)");
            map_authentication_name_to_canonical_name(auth_status, method_used, name_to_map);
        } else {
            dprintf (D_SECURITY, "ZKM: name to map is null, not mapping.\n");
        }
#if defined(HAVE_EXT_GLOBUS)
    } else if (auth_status == CAUTH_GSI ) {
        // Fall back to using the globus mapping mechanism. GSI is a bit unique in that
        // it may be horribly expensive - or cause a SEGFAULT - to do an authorization callout.
        // Hence, we delay it until after we apply a mapfile or, here, have no map file.
        // nameGssToLocal calls setRemoteFoo directly.
        // The C-style downcast is justified only by auth_status == CAUTH_GSI.
        const char * name_to_map = authenticator_->getAuthenticatedName();
        if (name_to_map) {
            // NOTE(review): this inner `retval` SHADOWS the function's result.
            // A nameGssToLocal() failure is therefore logged but does not
            // change the authentication outcome — the peer stays
            // "authenticated" with whatever identity the method already set.
            // Whether that is intended depends on the authorization layer
            // that consumes the remote user/domain; confirm it treats the
            // unmapped case as unauthorized, or propagate the failure here.
            int retval = ((Condor_Auth_X509*)authenticator_)->nameGssToLocal(name_to_map);
            dprintf(D_SECURITY, "nameGssToLocal returned %s\n", retval ? "success" : "failure");
        } else {
            dprintf (D_SECURITY, "ZKM: name to map is null, not calling GSI authorization.\n");
        }
#endif
    }

    // for now, let's be a bit more verbose and print this to D_SECURITY.
    // yeah, probably all of the log lines that start with ZKM: should be
    // updated. oh, i wish there were a D_ZKM, but alas, we're out of bits.
    if( authenticator_ ) {
        dprintf (D_SECURITY, "ZKM: post-map: current user is '%s'\n", authenticator_->getRemoteUser()?authenticator_->getRemoteUser():"(null)");
        dprintf (D_SECURITY, "ZKM: post-map: current domain is '%s'\n", authenticator_->getRemoteDomain()?authenticator_->getRemoteDomain():"(null)");
        dprintf (D_SECURITY, "ZKM: post-map: current FQU is '%s'\n", authenticator_->getRemoteFQU()?authenticator_->getRemoteFQU():"(null)");
    }

    mySock->allow_one_empty_message();

#if !defined(SKIP_AUTHENTICATION)
    // At this point retval is still the 0/1 computed from auth_status (the
    // GSI branch's retval was a shadow), so `retval != 2` can never be false
    // here; it looks vestigial — possibly from an older protocol where 2
    // signalled "no key exchange wanted". TODO(review): confirm and simplify.
    // m_key == NULL means no session key is pending, so no exchange is run.
    if (retval && retval != 2 && m_key != NULL) {
        // will always try to exchange key!
        // This is a hack for now, when we have only one authenticate method
        // this will be gone
        // The empty-message allowance is switched off for the exchange and
        // re-armed afterwards whether or not the exchange succeeded.
        mySock->allow_empty_message_flag = FALSE;
        retval = exchangeKey(*m_key);
        if ( !retval ) {
            errstack->push("AUTHENTICATE",AUTHENTICATE_ERR_KEYEXCHANGE_FAILED, "Failed to securely exchange session key");
        }
        dprintf(D_SECURITY, "AUTHENTICATE: Result of end of authenticate is %d.\n", retval);
        mySock->allow_one_empty_message();
    }
#endif

    return ( retval );
}