int
plugin_confirm_authorization(lcas_request_t request, lcas_cred_id_t lcas_cred)
{
char *user_dn;
int ret;
edg_wll_Context ctx;
struct _edg_wll_GssPrincipal_data princ;
X509 *cert = NULL;
STACK_OF(X509) * chain = NULL;
void *cred = NULL;
struct vomsdata *voms_info = NULL;
int err;
authz_action action;
memset(&princ, 0, sizeof(princ));
lcas_log_debug(1,"\t%s-plugin: checking LB access policy\n",
modname);
if (edg_wll_InitContext(&ctx) != 0) {
lcas_log(0, "Couldn't create L&B context\n");
ret = LCAS_MOD_FAIL;
goto end;
}
if ((action = find_authz_action(request)) == ACTION_UNDEF) {
lcas_log(0, "lcas.mod-lb() error: unsupported action\n");
ret = LCAS_MOD_FAIL;
goto end;
}
user_dn = lcas_get_dn(lcas_cred);
if (user_dn == NULL) {
lcas_log(0, "lcas.mod-lb() error: user DN empty\n");
ret = LCAS_MOD_FAIL;
goto end;
}
princ.name = user_dn;
cred = lcas_get_gss_cred(lcas_cred);
if (cred == NULL) {
lcas_log(0, "lcas.mod-lb() warning: user gss credential empty\n");
#if 0
ret = LCAS_MOD_FAIL;
goto end;
#endif
}
#ifndef NO_GLOBUS_GSSAPI
if (cred) {
voms_info = VOMS_Init(NULL, NULL);
if (voms_info == NULL) {
lcas_log(0, "lcas.mod-lb() failed to initialize VOMS\n");
ret = LCAS_MOD_FAIL;
goto end;
}
ret = VOMS_RetrieveFromCred(cred, RECURSE_CHAIN, voms_info, &err);
if (ret == 1)
edg_wll_get_fqans(ctx, voms_info, &princ.fqans);
}
#endif
ret = check_authz_policy(edg_wll_get_server_policy(), &princ, action);
ret = (ret == 1) ? LCAS_MOD_SUCCESS : LCAS_MOD_FAIL;
end:
edg_wll_FreeContext(ctx);
#ifndef NO_GLOBUS_GSSAPI
if (voms_info)
VOMS_Destroy(voms_info);
#endif
if (cert)
X509_free(cert);
if (chain)
sk_X509_pop_free(chain, X509_free);
return ret;
}
static int
get_times(glite_renewal_core_context ctx, char *proxy_file,
time_t *not_after_x509, time_t *not_after_voms)
{
X509 *cert = NULL;
STACK_OF(X509) *chain = NULL;
int ret, i;
time_t now, end_time, end_time_x509;
struct vomsdata *voms_data = NULL;
struct voms **voms_cert = NULL;
ASN1_UTCTIME *t;
char *s, *c;
ret = load_proxy(ctx, proxy_file, &cert, NULL, &chain, NULL);
if (ret)
return ret;
ret = get_voms_cert(ctx, cert, chain, &voms_data);
if (ret)
goto end;
end_time = 0;
if (voms_data != NULL) {
for (voms_cert = voms_data->data; voms_cert && *voms_cert; voms_cert++) {
t = ASN1_UTCTIME_new();
if (t == NULL) {
glite_renewal_core_set_err(ctx, "ASN1_UTCTIME_new() failed");
ret = 1;
goto end;
}
/* date2 contains a GENERALIZEDTIME format (YYYYMMDDHHSS[.fff]Z)
* value, which must be converted to the UTC (YYMMDDHHSSZ) format */
s = strdup((*voms_cert)->date2 + 2);
if (s == NULL) {
glite_renewal_core_set_err(ctx, "Not enough memory");
ret = ENOMEM;
goto end;
}
c = strchr(s, '.');
if (c) {
*c++ = 'Z';
*c = '\0';
}
ret = ASN1_UTCTIME_set_string(t, s);
if (ret == 0) {
glite_renewal_core_set_err(ctx, "ASN1_UTCTIME_set_string() failed\n");
ret = 1;
free(s);
goto end;
}
if (end_time == 0 || ASN1_UTCTIME_cmp_time_t(t, end_time) < 0)
globus_gsi_cert_utils_make_time(t, &end_time);
ASN1_UTCTIME_free(t);
free(s);
}
}
globus_gsi_cert_utils_make_time(X509_get_notAfter(cert), &end_time_x509);
now = time(NULL);
if (end_time_x509 + RENEWAL_CLOCK_SKEW < now) {
glite_renewal_core_set_err(ctx, "Expired proxy in %s", proxy_file);
ret = EDG_WLPR_PROXY_EXPIRED;
goto end;
}
/* Myproxy seems not to do check on expiration and return expired proxies
if credentials in repository are expired */
for (i = 0; i < sk_X509_num(chain); i++) {
t = X509_get_notAfter(sk_X509_value(chain, i));
if (ASN1_UTCTIME_cmp_time_t(t, now - RENEWAL_CLOCK_SKEW) < 0) {
glite_renewal_core_set_err(ctx, "Expired proxy in %s", proxy_file);
ret = EDG_WLPR_PROXY_EXPIRED;
goto end;
}
}
*not_after_voms = end_time;
*not_after_x509 = end_time_x509;
ret = 0;
end:
if (voms_data)
VOMS_Destroy(voms_data);
if (chain)
sk_X509_pop_free(chain, X509_free);
if (cert)
X509_free(cert);
return ret;
}
static void
osg_extensions_init(globus_gfs_operation_t op, globus_gfs_session_info_t * session)
{
GlobusGFSName(osg_extensions_init);
globus_result_t result = globus_gridftp_server_add_command(op, "SITE USAGE",
GLOBUS_GFS_OSG_CMD_SITE_USAGE,
3,
5,
"SITE USAGE <sp> [TOKEN <sp> $name] <sp> $location: Get usage information for a location.",
GLOBUS_FALSE,
GFS_ACL_ACTION_LOOKUP);
if (result != GLOBUS_SUCCESS)
{
result = GlobusGFSErrorWrapFailed("Failed to add custom 'SITE USAGE' command", result);
globus_gridftp_server_finished_session_start(op,
result,
NULL,
NULL,
NULL);
return;
}
#ifdef VOMS_FOUND
struct vomsdata *vdata = VOMS_Init(NULL, NULL);
if (vdata)
{
int error;
if (!VOMS_RetrieveFromCred(session->del_cred, RECURSE_CHAIN, vdata, &error))
{
globus_gfs_log_message(GLOBUS_GFS_LOG_TRANSFER, "No VOMS info in credential.\n");
}
else
{
struct voms *vext;
int idx;
for (idx = 0; vdata->data[idx] != NULL; idx++)
{
char msg[1024];
char *pos = msg;
int char_remaining = 1022;
vext = vdata->data[idx];
int this_round;
if ((char_remaining > 0) && vext->voname)
{
this_round = snprintf(pos, char_remaining, "VO %s ", vext->voname);
pos += this_round;
char_remaining -= this_round;
}
char *fqan;
int count = 0;
int idx2 = 0;
for (idx2 = 0; vext->fqan[idx2] != NULL; idx2++)
{
fqan = vext->fqan[idx2];
if (char_remaining > 0)
{
count ++;
this_round = snprintf(pos, char_remaining, "%s,", fqan);
pos += this_round;
char_remaining -= this_round;
}
}
if (count && char_remaining >= 0) {pos--;}
if (char_remaining >= 0)
{
*pos = '\n';
*(pos+1) = '\0';
}
else
{
msg[1023] = '\0';
msg[1022] = '\n';
}
globus_gfs_log_message(GLOBUS_GFS_LOG_TRANSFER, msg);
}
}
VOMS_Destroy(vdata);
}
#endif // VOMS_FOUND
original_init_function(op, session);
}
