Esempio n. 1
0
Condor_Auth_X509 :: Condor_Auth_X509(ReliSock * sock)
    : Condor_Auth_Base (sock, CAUTH_GSI),
      credential_handle(GSS_C_NO_CREDENTIAL),
      context_handle   (GSS_C_NO_CONTEXT),
      m_gss_server_name(NULL),
      token_status     (0),
      ret_flags        (0)
{
#ifdef WIN32
	ParseMapFile();
#endif
	if ( !m_globusActivated ) {
		// The Globus callout module is a system-wide setting.  There are several
		// cases where a user may not want it to apply to Condor by default
		// (for example, if it causes crashes when mixed with Condor libs!).
		// Setting GSI_AUTHZ_CONF=/dev/null works for disabling the callouts.
		std::string gsi_authz_conf;
		if (param(gsi_authz_conf, "GSI_AUTHZ_CONF")) {
			if (setenv("GSI_AUTHZ_CONF", gsi_authz_conf.c_str(), 1)) {
				dprintf(D_ALWAYS, "Failed to set the GSI_AUTHZ_CONF environment variable.\n");
				EXCEPT("Failed to set the GSI_AUTHZ_CONF environment variable.\n");
			}
		}
		if ( activate_globus_gsi() < 0 ) {
			dprintf( D_ALWAYS, "Can't intialize GSI, authentication will fail: %s\n", x509_error_string() );
		} else {
			m_globusActivated = true;
		}
	}
}
Esempio n. 2
0
int Authentication::handshake(MyString my_methods, bool non_blocking) {

    int shouldUseMethod = 0;
    
    dprintf ( D_SECURITY, "HANDSHAKE: in handshake(my_methods = '%s')\n", my_methods.Value());

    if ( mySock->isClient() ) {

		// client

        dprintf (D_SECURITY, "HANDSHAKE: handshake() - i am the client\n");
        mySock->encode();
		int method_bitmask = SecMan::getAuthBitmask(my_methods.Value());
		if ( (method_bitmask & CAUTH_KERBEROS) && Condor_Auth_Kerberos::Initialize() == false ) {
			dprintf (D_SECURITY, "HANDSHAKE: excluding KERBEROS: %s\n", "Initialization failed");
			method_bitmask &= ~CAUTH_KERBEROS;
		}
		if ( (method_bitmask & CAUTH_SSL) && Condor_Auth_SSL::Initialize() == false ) {
			dprintf (D_SECURITY, "HANDSHAKE: excluding SSL: %s\n", "Initialization failed");
			method_bitmask &= ~CAUTH_SSL;
		}
		if ( (method_bitmask & CAUTH_GSI) && activate_globus_gsi() != 0 ) {
			dprintf (D_SECURITY, "HANDSHAKE: excluding GSI: %s\n", x509_error_string());
			method_bitmask &= ~CAUTH_GSI;
		}
        dprintf ( D_SECURITY, "HANDSHAKE: sending (methods == %i) to server\n", method_bitmask);
        if ( !mySock->code( method_bitmask ) || !mySock->end_of_message() ) {
            return -1;
        }

    	mySock->decode();
    	if ( !mySock->code( shouldUseMethod ) || !mySock->end_of_message() )  {
        	return -1;
    	}
    	dprintf ( D_SECURITY, "HANDSHAKE: server replied (method = %i)\n", shouldUseMethod);

    } else {

	return handshake_continue(my_methods, non_blocking);

    }

    return( shouldUseMethod );
}
Esempio n. 3
0
int
Authentication::handshake_continue(MyString my_methods, bool non_blocking)
{
	//server
	if( non_blocking && !mySock->readReady() ) {
		return -2;
	}

	int shouldUseMethod = 0;
	int client_methods = 0;
	dprintf (D_SECURITY, "HANDSHAKE: handshake() - i am the server\n");
	mySock->decode();
	if ( !mySock->code( client_methods ) || !mySock->end_of_message() ) {
		return -1;
	}
	dprintf ( D_SECURITY, "HANDSHAKE: client sent (methods == %i)\n", client_methods);

	shouldUseMethod = selectAuthenticationType( my_methods, client_methods );
	if ( (shouldUseMethod & CAUTH_KERBEROS) && Condor_Auth_Kerberos::Initialize() == false ) {
		dprintf (D_SECURITY, "HANDSHAKE: excluding KERBEROS: %s\n", "Initialization failed");
		shouldUseMethod &= ~CAUTH_KERBEROS;
	}
	if ( (shouldUseMethod & CAUTH_SSL) && Condor_Auth_SSL::Initialize() == false ) {
		dprintf (D_SECURITY, "HANDSHAKE: excluding SSL: %s\n", "Initialization failed");
		shouldUseMethod &= ~CAUTH_SSL;
	}
	if ( shouldUseMethod == CAUTH_GSI && activate_globus_gsi() != 0 ) {
		dprintf (D_SECURITY, "HANDSHAKE: excluding GSI: %s\n", x509_error_string());
		client_methods &= ~CAUTH_GSI;
		shouldUseMethod = selectAuthenticationType( my_methods, client_methods );
	}

	dprintf ( D_SECURITY, "HANDSHAKE: i picked (method == %i)\n", shouldUseMethod);


	mySock->encode();
	if ( !mySock->code( shouldUseMethod ) || !mySock->end_of_message() ) {
		return -1;
	}

	dprintf ( D_SECURITY, "HANDSHAKE: client received (method == %i)\n", shouldUseMethod);
	return shouldUseMethod;
}
/* proxy_valid_right_now()

   this function is used in this object to determine if glexec should actually
   be invoked.  glexec will always fail with an expired proxy, and there is
   overhead in invoking it.
*/
int
GLExecPrivSepHelper::proxy_valid_right_now()
{

	int result = TRUE;
		/* Note that set_user_priv is a no-op if condor is running as
		   non-root (the "usual" mode for invoking glexec) */
	priv_state priv_saved = set_user_priv();
	if (!m_proxy) {
		dprintf(D_FULLDEBUG, "GLExecPrivSepHelper::proxy_valid_right_now: no proxy defined\n");
		result = FALSE;
	} else {

		time_t expiration_time = x509_proxy_expiration_time(m_proxy);
		time_t now = time(NULL);

		if (expiration_time == -1) {
			dprintf(D_FULLDEBUG, "GLExecPrivSepHelper::proxy_valid_right_now: Globus error when getting proxy %s expiration: %s.\n", m_proxy, x509_error_string());
			result = FALSE;
		} else if (expiration_time < now) {
			dprintf(D_FULLDEBUG, "GLExecPrivSepHelper::proxy_valid_right_now: proxy %s expired %ld seconds ago!\n", m_proxy, now - expiration_time);
			result = FALSE;
		}
	}

	set_priv(priv_saved);

	return result;
}