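/******************************************************************************
Function:   plugin_confirm_authorization
Description:
    Ask for authorization by passing RSL and user credential.
    The user's DN is looked up in the banned-user list (userban_db); a match
    means the user is banned and authorization is refused.
Parameters:
    request:   RSL request (not consulted by this plugin)
    lcas_cred: user credential; the DN is extracted from it
Returns:
    LCAS_MOD_SUCCESS: authorization succeeded (no entry found for the DN)
    LCAS_MOD_FAIL   : authorization failed (DN empty, or entry found)
    LCAS_MOD_NOFILE : db file not found
******************************************************************************/
int plugin_confirm_authorization(lcas_request_t request, lcas_cred_id_t lcas_cred)
{
    int   rc;
    int   result  = LCAS_MOD_SUCCESS;  /* "no entry found" is the default outcome */
    char *dummy   = NULL;              /* entry returned by lcas_gridlist; released below */
    char *user_dn = NULL;
    int   match_flags;

    (void)request;  /* the RSL plays no role in the banned-user check */

    /* check credential and get the globus name */
    user_dn = lcas_get_dn(lcas_cred);
    if (user_dn == NULL) {
        lcas_log(0, "lcas.mod-lcas_get_fabric_authorization() error: user DN empty\n");
        return LCAS_MOD_FAIL;
    }

    /* Do the check */
    lcas_log_debug(0, "\t%s-plugin_confirm_authorization(): checking banned users in %s\n",
                   modname, userban_db);

    /*
     * The new default is to perform the wildcard matching, based upon fnmatch.
     * You'll need to explicitly disable it in the initialization parameters.
     */
    match_flags = disableWildCardMatching ? MATCH_ONLY_DN
                                          : (MATCH_WILD_CHARS | MATCH_ONLY_DN);
    rc = lcas_gridlist(user_dn, &dummy, userban_db, match_flags, NULL, NULL);

    if (rc == LCAS_MOD_ENTRY) {
        /* Entry found for user_dn, so the user is banned */
        lcas_log_debug(0, "\t%s-plugin_confirm_authorization(): entry found for %s\n",
                       modname, user_dn);
        result = LCAS_MOD_FAIL;
    } else if (rc == LCAS_MOD_NOFILE) {
        /* file not found */
        lcas_log(0, "\t%s-plugin_confirm_authorization() error: Cannot find banned user file: %s\n",
                 modname, userban_db);
        result = LCAS_MOD_NOFILE;
    }
    /*
     * NOTE(review): every other return code from lcas_gridlist -- including any
     * error code it may report besides LCAS_MOD_NOFILE -- is treated here as
     * "no entry" and therefore as success; confirm against lcas_gridlist's
     * contract whether an explicit failure code should deny instead.
     */

    free(dummy);  /* free(NULL) is a no-op, so no guard is needed */
    return result;
}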
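/*
 * plugin_confirm_authorization -- L&B access-policy check for LCAS.
 *
 * Maps the request to an authz action, builds a principal from the user's
 * DN and (when a GSS credential is available) the VOMS FQANs, and evaluates
 * it against the server policy.
 *
 * request:   the LCAS request; mapped to an authz_action by find_authz_action()
 * lcas_cred: the user credential; DN and GSS credential are extracted from it
 *
 * Returns LCAS_MOD_SUCCESS when check_authz_policy() grants (returns 1), and
 * LCAS_MOD_FAIL when it denies or when a prerequisite step fails (L&B
 * context, action lookup, empty DN, VOMS initialization).
 */
int plugin_confirm_authorization(lcas_request_t request, lcas_cred_id_t lcas_cred)
{
    char *user_dn;
    int ret = LCAS_MOD_FAIL;                  /* deny unless the policy explicitly grants */
    edg_wll_Context ctx = NULL;               /* stays NULL if edg_wll_InitContext fails */
    struct _edg_wll_GssPrincipal_data princ;
    void *cred = NULL;
    struct vomsdata *voms_info = NULL;
    authz_action action;

    memset(&princ, 0, sizeof(princ));

    lcas_log_debug(1, "\t%s-plugin: checking LB access policy\n", modname);

    if (edg_wll_InitContext(&ctx) != 0) {
        lcas_log(0, "Couldn't create L&B context\n");
        goto end;
    }

    if ((action = find_authz_action(request)) == ACTION_UNDEF) {
        lcas_log(0, "lcas.mod-lb() error: unsupported action\n");
        goto end;
    }

    user_dn = lcas_get_dn(lcas_cred);
    if (user_dn == NULL) {
        lcas_log(0, "lcas.mod-lb() error: user DN empty\n");
        goto end;
    }
    princ.name = user_dn;

    /*
     * A missing GSS credential is deliberately not fatal: the policy is then
     * evaluated on the DN alone, without VOMS FQANs.
     */
    cred = lcas_get_gss_cred(lcas_cred);
    if (cred == NULL) {
        lcas_log(0, "lcas.mod-lb() warning: user gss credential empty\n");
    }

#ifndef NO_GLOBUS_GSSAPI
    if (cred) {
        int voms_rc;
        int err = 0;

        voms_info = VOMS_Init(NULL, NULL);
        if (voms_info == NULL) {
            lcas_log(0, "lcas.mod-lb() failed to initialize VOMS\n");
            goto end;
        }
        /* VOMS_RetrieveFromCred reports success as 1; otherwise fall back to DN only. */
        voms_rc = VOMS_RetrieveFromCred(cred, RECURSE_CHAIN, voms_info, &err);
        if (voms_rc == 1) {
            edg_wll_get_fqans(ctx, voms_info, &princ.fqans);
        } else {
            lcas_log_debug(1, "\t%s-plugin: no VOMS attributes retrieved (err=%d), using DN only\n",
                           modname, err);
        }
    }
#endif

    /* check_authz_policy() returns 1 to grant; any other value denies. */
    ret = (check_authz_policy(edg_wll_get_server_policy(), &princ, action) == 1)
              ? LCAS_MOD_SUCCESS : LCAS_MOD_FAIL;

end:
    /* ctx is only valid once edg_wll_InitContext succeeded */
    if (ctx) {
        edg_wll_FreeContext(ctx);
    }
#ifndef NO_GLOBUS_GSSAPI
    if (voms_info) {
        VOMS_Destroy(voms_info);
    }
#endif
    /*
     * NOTE(review): princ.fqans, filled by edg_wll_get_fqans, is not released
     * in this function -- confirm whether the policy check or the L&B context
     * owns that list.
     */
    return ret;
}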