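/*
 * LCAS plugin entry point: check the caller against the L&B server access
 * policy.
 *
 * request    LCAS request; mapped to an authz_action via find_authz_action().
 * lcas_cred  caller credential. Its DN always, and its VOMS FQANs when a GSS
 *            credential is available and VOMS support is compiled in, form
 *            the principal handed to check_authz_policy().
 *
 * Returns LCAS_MOD_SUCCESS when the policy grants the action, LCAS_MOD_FAIL
 * otherwise -- every internal failure (context creation, unknown action,
 * empty DN, VOMS initialisation) is reported as a denial.
 */
int plugin_confirm_authorization(lcas_request_t request, lcas_cred_id_t lcas_cred)
{
    char *user_dn;
    int ret = LCAS_MOD_FAIL;        /* deny unless explicitly granted below */
    edg_wll_Context ctx = NULL;     /* NULL until edg_wll_InitContext() succeeds */
    struct _edg_wll_GssPrincipal_data princ;
    void *cred = NULL;
    struct vomsdata *voms_info = NULL;
    int err = 0;
    authz_action action;

    memset(&princ, 0, sizeof(princ));
    lcas_log_debug(1,"\t%s-plugin: checking LB access policy\n", modname);

    if (edg_wll_InitContext(&ctx) != 0) {
        lcas_log(0, "Couldn't create L&B context\n");
        goto end;
    }

    action = find_authz_action(request);
    if (action == ACTION_UNDEF) {
        lcas_log(0, "lcas.mod-lb() error: unsupported action\n");
        goto end;
    }

    user_dn = lcas_get_dn(lcas_cred);
    if (user_dn == NULL) {
        lcas_log(0, "lcas.mod-lb() error: user DN empty\n");
        goto end;
    }
    princ.name = user_dn;

    /* A missing GSS credential is tolerated: the policy is then evaluated on
     * the DN alone. The stricter "deny" behaviour is kept disabled here. */
    cred = lcas_get_gss_cred(lcas_cred);
    if (cred == NULL) {
        lcas_log(0, "lcas.mod-lb() warning: user gss credential empty\n");
#if 0
        goto end;
#endif
    }

#ifndef NO_GLOBUS_GSSAPI
    if (cred) {
        int voms_rc;

        voms_info = VOMS_Init(NULL, NULL);
        if (voms_info == NULL) {
            lcas_log(0, "lcas.mod-lb() failed to initialize VOMS\n");
            goto end;
        }
        /* A result of 1 is treated as "VOMS data retrieved". Without it the
         * principal carries no FQANs and only DN-based policy rules can match. */
        voms_rc = VOMS_RetrieveFromCred(cred, RECURSE_CHAIN, voms_info, &err);
        if (voms_rc == 1)
            edg_wll_get_fqans(ctx, voms_info, &princ.fqans);
        else
            lcas_log_debug(1, "\t%s-plugin: no VOMS attributes in credential (VOMS error %d)\n", modname, err);
    }
#endif

    /* check_authz_policy() answers 1 for "allowed"; anything else is a denial. */
    if (check_authz_policy(edg_wll_get_server_policy(), &princ, action) == 1)
        ret = LCAS_MOD_SUCCESS;

end:
    /* NOTE(review): princ.fqans (filled by edg_wll_get_fqans) and user_dn
     * (from lcas_get_dn) are not released here -- confirm their ownership. */
    if (ctx)
        edg_wll_FreeContext(ctx);
#ifndef NO_GLOBUS_GSSAPI
    if (voms_info)
        VOMS_Destroy(voms_info);
#endif
    return ret;
}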
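/*
 * Determine when the proxy credential stored in proxy_file stops being usable.
 *
 * ctx              renewal core context (used for error reporting only)
 * proxy_file       path of the proxy credential to inspect
 * not_after_x509   out: notAfter of the proxy certificate itself
 * not_after_voms   out: earliest end time of the VOMS attribute certificates
 *                  carried by the proxy, 0 when the proxy has none
 *
 * Returns 0 on success and stores both times; EDG_WLPR_PROXY_EXPIRED when the
 * certificate, or any certificate of its chain, is past notAfter by more than
 * RENEWAL_CLOCK_SKEW; ENOMEM on allocation failure; otherwise the non-zero
 * code of the failed helper. The out parameters are untouched on failure.
 */
static int get_times(glite_renewal_core_context ctx, char *proxy_file, time_t *not_after_x509, time_t *not_after_voms)
{
    X509 *cert = NULL;
    STACK_OF(X509) *chain = NULL;
    struct vomsdata *voms_data = NULL;
    struct voms **voms_cert;
    ASN1_UTCTIME *t = NULL;     /* owned; released at end: on every path */
    char *s = NULL;             /* owned; released at end: on every path */
    time_t now, end_time = 0, end_time_x509;
    int ret, i;

    ret = load_proxy(ctx, proxy_file, &cert, NULL, &chain, NULL);
    if (ret)
        return ret;

    ret = get_voms_cert(ctx, cert, chain, &voms_data);
    if (ret)
        goto end;

    if (voms_data != NULL) {
        for (voms_cert = voms_data->data; voms_cert && *voms_cert; voms_cert++) {
            char *c;

            t = ASN1_UTCTIME_new();
            if (t == NULL) {
                glite_renewal_core_set_err(ctx, "ASN1_UTCTIME_new() failed");
                ret = 1;
                goto end;
            }
            /* date2 is in GENERALIZEDTIME format (YYYYMMDDHHMMSS[.fff]Z);
             * dropping the century and the fractional part yields the UTCTIME
             * form (YYMMDDHHMMSSZ) that ASN1_UTCTIME_set_string() accepts. */
            s = strdup((*voms_cert)->date2 + 2);
            if (s == NULL) {
                glite_renewal_core_set_err(ctx, "Not enough memory");
                ret = ENOMEM;
                goto end;
            }
            c = strchr(s, '.');
            if (c) {
                *c++ = 'Z';
                *c = '\0';
            }
            if (ASN1_UTCTIME_set_string(t, s) == 0) {
                glite_renewal_core_set_err(ctx, "ASN1_UTCTIME_set_string() failed\n");
                ret = 1;
                goto end;
            }
            /* keep the earliest attribute-certificate end time seen so far */
            if (end_time == 0 || ASN1_UTCTIME_cmp_time_t(t, end_time) < 0)
                globus_gsi_cert_utils_make_time(t, &end_time);

            ASN1_UTCTIME_free(t);
            t = NULL;
            free(s);
            s = NULL;
        }
    }

    globus_gsi_cert_utils_make_time(X509_get_notAfter(cert), &end_time_x509);
    now = time(NULL);
    if (end_time_x509 + RENEWAL_CLOCK_SKEW < now) {
        glite_renewal_core_set_err(ctx, "Expired proxy in %s", proxy_file);
        ret = EDG_WLPR_PROXY_EXPIRED;
        goto end;
    }

    /* MyProxy does not appear to check expiration and may hand out expired
     * proxies when the credentials in its repository have expired, so every
     * certificate of the chain is checked as well. */
    for (i = 0; i < sk_X509_num(chain); i++) {
        /* borrowed from the certificate -- must not be freed here */
        ASN1_UTCTIME *not_after = X509_get_notAfter(sk_X509_value(chain, i));

        /* NOTE(review): notAfter is GENERALIZEDTIME for dates from 2050 on;
         * confirm ASN1_UTCTIME_cmp_time_t() copes with that, or use
         * X509_cmp_time(). */
        if (ASN1_UTCTIME_cmp_time_t(not_after, now - RENEWAL_CLOCK_SKEW) < 0) {
            glite_renewal_core_set_err(ctx, "Expired proxy in %s", proxy_file);
            ret = EDG_WLPR_PROXY_EXPIRED;
            goto end;
        }
    }

    *not_after_voms = end_time;
    *not_after_x509 = end_time_x509;
    ret = 0;

end:
    /* both free functions accept NULL, so early exits from the loop no longer
     * leak the half-built time object or its string */
    ASN1_UTCTIME_free(t);
    free(s);
    if (voms_data)
        VOMS_Destroy(voms_data);
    if (chain)
        sk_X509_pop_free(chain, X509_free);
    if (cert)
        X509_free(cert);
    return ret;
}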
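/*
 * Append snprintf(fmt, arg) to msg[0..cap) at offset *len.
 *
 * Truncated output is clamped so that *len never exceeds cap - 1 and the
 * buffer stays NUL-terminated; once the buffer is full further calls are
 * no-ops. fmt must consume exactly one string argument.
 */
static void osg_msg_append(char *msg, size_t cap, size_t *len, const char *fmt, const char *arg)
{
    int n;

    if (cap == 0 || *len >= cap - 1)
        return;
    n = snprintf(msg + *len, cap - *len, fmt, arg);
    if (n < 0)
        return;
    *len += (size_t)n;
    if (*len > cap - 1)
        *len = cap - 1;
}

#ifdef VOMS_FOUND
/*
 * Log one line per VOMS extension in vdata, of the form
 * "VO <name> <fqan>,<fqan>,...\n". Lines longer than the local buffer are
 * truncated rather than overflowed.
 */
static void osg_log_voms_attrs(struct vomsdata *vdata)
{
    int idx;

    for (idx = 0; vdata->data[idx] != NULL; idx++) {
        struct voms *vext = vdata->data[idx];
        char msg[1024];
        size_t len = 0;     /* bytes used in msg, excluding the terminator */
        int idx2;

        /* sizeof msg - 1 reserves the last byte for the trailing newline */
        if (vext->voname)
            osg_msg_append(msg, sizeof msg - 1, &len, "VO %s ", vext->voname);
        for (idx2 = 0; vext->fqan && vext->fqan[idx2] != NULL; idx2++)
            osg_msg_append(msg, sizeof msg - 1, &len, "%s,", vext->fqan[idx2]);

        /* drop the separator after the last FQAN, then terminate the line */
        if (len > 0 && msg[len - 1] == ',')
            len--;
        msg[len] = '\n';
        msg[len + 1] = '\0';

        /* msg is built from credential contents; pass it as an argument, never
         * as the format string of the printf-style logger. */
        globus_gfs_log_message(GLOBUS_GFS_LOG_TRANSFER, "%s", msg);
    }
}
#endif /* VOMS_FOUND */

/*
 * Session start hook: registers the custom "SITE USAGE" command, logs the
 * VOMS attributes of the delegated credential (when built with VOMS), and
 * then hands over to original_init_function().
 *
 * op       GridFTP server operation for this session
 * session  session information; session->del_cred is the delegated
 *          credential the VOMS attributes are read from
 *
 * If the command cannot be registered the session is finished with the
 * wrapped error and the original init function is not called.
 */
static void osg_extensions_init(globus_gfs_operation_t op, globus_gfs_session_info_t * session)
{
    GlobusGFSName(osg_extensions_init);
    globus_result_t result = globus_gridftp_server_add_command(op, "SITE USAGE",
        GLOBUS_GFS_OSG_CMD_SITE_USAGE, 3, 5,
        "SITE USAGE <sp> [TOKEN <sp> $name] <sp> $location: Get usage information for a location.",
        GLOBUS_FALSE, GFS_ACL_ACTION_LOOKUP);

    if (result != GLOBUS_SUCCESS) {
        result = GlobusGFSErrorWrapFailed("Failed to add custom 'SITE USAGE' command", result);
        globus_gridftp_server_finished_session_start(op, result, NULL, NULL, NULL);
        return;
    }

#ifdef VOMS_FOUND
    {
        struct vomsdata *vdata = VOMS_Init(NULL, NULL);

        if (vdata) {
            int error;

            if (!VOMS_RetrieveFromCred(session->del_cred, RECURSE_CHAIN, vdata, &error))
                globus_gfs_log_message(GLOBUS_GFS_LOG_TRANSFER, "No VOMS info in credential.\n");
            else
                osg_log_voms_attrs(vdata);
            VOMS_Destroy(vdata);
        }
    }
#endif /* VOMS_FOUND */

    original_init_function(op, session);
}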