/*
 * Condor_Auth_X509 constructor.
 *
 * Sets the GSS handles to their "empty" values and, the first time an
 * instance is built while m_globusActivated is false, brings up the Globus
 * GSI module.  m_globusActivated is set once activation succeeds so later
 * instances skip the whole activation path (presumably a per-process static;
 * its declaration is not visible here).
 *
 * sock: the ReliSock the authentication exchange runs over; handed to the
 *       Condor_Auth_Base constructor together with the CAUTH_GSI method id.
 *
 * A failed activate_globus_gsi() is only logged at D_ALWAYS: the object is
 * still constructed with m_globusActivated left false, and the failure is
 * expected to surface when authentication is attempted.  A failed setenv()
 * of GSI_AUTHZ_CONF, by contrast, is handed to EXCEPT().
 */
Condor_Auth_X509 :: Condor_Auth_X509(ReliSock * sock)
	: Condor_Auth_Base (sock, CAUTH_GSI),
	  credential_handle(GSS_C_NO_CREDENTIAL),
	  context_handle (GSS_C_NO_CONTEXT),
	  m_gss_server_name(NULL),
	  token_status (0),
	  ret_flags (0)
{
#ifdef WIN32
	ParseMapFile();
#endif

	// GSI only has to be brought up once; nothing else to do afterwards.
	if ( m_globusActivated ) {
		return;
	}

	// The Globus authorization callout configuration is normally a
	// system-wide setting.  An administrator may not want it applied to
	// Condor at all (for example a callout module that crashes when mixed
	// with Condor's libraries), so the GSI_AUTHZ_CONF config knob, if set,
	// is exported into the environment before Globus is activated.  Pointing
	// it at /dev/null disables the callouts.  Note that setenv() changes the
	// environment of the whole process, not just this object.
	std::string authz_conf_path;
	bool have_authz_conf = param(authz_conf_path, "GSI_AUTHZ_CONF");
	if ( have_authz_conf ) {
		int rc = setenv("GSI_AUTHZ_CONF", authz_conf_path.c_str(), 1);
		if ( rc != 0 ) {
			dprintf(D_ALWAYS, "Failed to set the GSI_AUTHZ_CONF environment variable.\n");
			EXCEPT("Failed to set the GSI_AUTHZ_CONF environment variable.\n");
		}
	}

	if ( activate_globus_gsi() < 0 ) {
		// Not fatal here; m_globusActivated stays false and the error is
		// reported again when authentication is actually attempted.
		dprintf( D_ALWAYS, "Can't intialize GSI, authentication will fail: %s\n", x509_error_string() );
		return;
	}
	m_globusActivated = true;
}
/*
 * Authentication::handshake
 *
 * Method negotiation that precedes the actual authentication exchange.  On
 * the client side this sends the bitmask of methods the client can offer and
 * reads back the method the server chose; on the server side it defers to
 * handshake_continue().
 *
 * my_methods:   configured method list, converted to a CAUTH_* bitmask by
 *               SecMan::getAuthBitmask().
 * non_blocking: passed through to handshake_continue() (server side only);
 *               the client path here always blocks on the socket.
 *
 * Returns the method the server replied with, or -1 if sending the offer or
 * reading the reply failed.  Server-side return values are those of
 * handshake_continue().
 */
int Authentication::handshake(MyString my_methods, bool non_blocking)
{
	dprintf ( D_SECURITY, "HANDSHAKE: in handshake(my_methods = '%s')\n", my_methods.Value());

	// Server side: the rest of the exchange lives in handshake_continue().
	if ( !mySock->isClient() ) {
		return handshake_continue(my_methods, non_blocking);
	}

	dprintf (D_SECURITY, "HANDSHAKE: handshake() - i am the client\n");
	mySock->encode();

	// Start from everything configured, then drop any method whose backend
	// cannot be initialised in this process, so we never offer a method we
	// could not complete.
	int offered = SecMan::getAuthBitmask(my_methods.Value());

	if ( (offered & CAUTH_KERBEROS) && !Condor_Auth_Kerberos::Initialize() ) {
		dprintf (D_SECURITY, "HANDSHAKE: excluding KERBEROS: %s\n", "Initialization failed");
		offered &= ~CAUTH_KERBEROS;
	}
	if ( (offered & CAUTH_SSL) && !Condor_Auth_SSL::Initialize() ) {
		dprintf (D_SECURITY, "HANDSHAKE: excluding SSL: %s\n", "Initialization failed");
		offered &= ~CAUTH_SSL;
	}
	if ( (offered & CAUTH_GSI) && activate_globus_gsi() != 0 ) {
		dprintf (D_SECURITY, "HANDSHAKE: excluding GSI: %s\n", x509_error_string());
		offered &= ~CAUTH_GSI;
	}

	dprintf ( D_SECURITY, "HANDSHAKE: sending (methods == %i) to server\n", offered);
	if ( !mySock->code( offered ) || !mySock->end_of_message() ) {
		return -1;
	}

	// The server answers with the method it selected.
	int serverChoice = 0;
	mySock->decode();
	if ( !mySock->code( serverChoice ) || !mySock->end_of_message() ) {
		return -1;
	}
	dprintf ( D_SECURITY, "HANDSHAKE: server replied (method = %i)\n", serverChoice);

	// NOTE(review): serverChoice comes straight off the wire and is returned
	// without being compared against 'offered'.  Whether the caller rejects
	// a method this client never offered (or excluded above) is not visible
	// in this file -- confirm that check exists before relying on it, since
	// the peer otherwise gets a say in which method the client ends up using.
	return serverChoice;
}
/*
 * Authentication::handshake_continue
 *
 * Server half of method negotiation: reads the client's CAUTH_* bitmask,
 * lets selectAuthenticationType() choose a method against our own configured
 * list, drops the choice if its backend cannot be initialised, and sends the
 * result back to the client.
 *
 * my_methods:   our configured method list (see handshake()).
 * non_blocking: if true and nothing is readable on the socket, return -2
 *               immediately instead of blocking; the caller retries later.
 *
 * Returns the chosen method (the value sent to the client), -2 when
 * non-blocking and no data was ready, or -1 if the socket exchange failed.
 */
int Authentication::handshake_continue(MyString my_methods, bool non_blocking)
{
	// Nothing to read yet: let the caller come back rather than stall.
	if( non_blocking && !mySock->readReady() ) {
		return -2;
	}

	dprintf (D_SECURITY, "HANDSHAKE: handshake() - i am the server\n");

	// The client's bitmask is untrusted input.  Here it is only logged and
	// handed to selectAuthenticationType(), which is presumably where it is
	// intersected with my_methods -- confirm the selection can never yield a
	// method outside our configured list.
	int clientOffered = 0;
	mySock->decode();
	if ( !mySock->code( clientOffered ) || !mySock->end_of_message() ) {
		return -1;
	}
	dprintf ( D_SECURITY, "HANDSHAKE: client sent (methods == %i)\n", clientOffered);

	int chosen = selectAuthenticationType( my_methods, clientOffered );

	// Drop a chosen backend that cannot be initialised in this process.
	// NOTE(review): the Kerberos and SSL cases only clear the bit, which can
	// leave 'chosen' at 0 even when another common method was available;
	// only the GSI case removes the method from the client's set and
	// re-selects.  Presumably selectAuthenticationType() returns a single
	// method (the GSI test compares with ==), so a retry loop covering all
	// three would be the consistent fix -- confirm before changing the
	// negotiation behaviour.
	if ( (chosen & CAUTH_KERBEROS) && !Condor_Auth_Kerberos::Initialize() ) {
		dprintf (D_SECURITY, "HANDSHAKE: excluding KERBEROS: %s\n", "Initialization failed");
		chosen &= ~CAUTH_KERBEROS;
	}
	if ( (chosen & CAUTH_SSL) && !Condor_Auth_SSL::Initialize() ) {
		dprintf (D_SECURITY, "HANDSHAKE: excluding SSL: %s\n", "Initialization failed");
		chosen &= ~CAUTH_SSL;
	}
	if ( chosen == CAUTH_GSI && activate_globus_gsi() != 0 ) {
		dprintf (D_SECURITY, "HANDSHAKE: excluding GSI: %s\n", x509_error_string());
		clientOffered &= ~CAUTH_GSI;
		chosen = selectAuthenticationType( my_methods, clientOffered );
	}

	dprintf ( D_SECURITY, "HANDSHAKE: i picked (method == %i)\n", chosen);

	mySock->encode();
	if ( !mySock->code( chosen ) || !mySock->end_of_message() ) {
		return -1;
	}
	// (Log text is historical: this is the server confirming what it sent.)
	dprintf ( D_SECURITY, "HANDSHAKE: client received (method == %i)\n", chosen);

	return chosen;
}
/*
 * proxy_valid_right_now()
 *
 * Cheap pre-check used by this object before invoking glexec: glexec always
 * fails with an expired proxy and launching it has a cost, so an obviously
 * unusable proxy is rejected up front.  This is an optimisation, not the
 * authoritative check -- the proxy can still expire between this call and
 * glexec's own validation, and glexec remains responsible for rejecting it.
 *
 * The proxy is read with user privileges (set_user_priv is a no-op when
 * condor runs as non-root, the usual way glexec is invoked) and the previous
 * priv state is restored on every path.
 *
 * Returns TRUE when m_proxy is set and its expiration time is not earlier
 * than the current time; FALSE when no proxy is defined, when Globus cannot
 * read the expiration (x509_proxy_expiration_time() returns -1), or when the
 * proxy has already expired.
 */
int GLExecPrivSepHelper::proxy_valid_right_now()
{
	priv_state previous_priv = set_user_priv();
	int usable = FALSE;

	if (!m_proxy) {
		dprintf(D_FULLDEBUG, "GLExecPrivSepHelper::proxy_valid_right_now: no proxy defined\n");
	} else {
		time_t expires_at = x509_proxy_expiration_time(m_proxy);
		time_t now = time(NULL);

		if (expires_at == -1) {
			// -1 is the helper's error value, not a timestamp.
			dprintf(D_FULLDEBUG, "GLExecPrivSepHelper::proxy_valid_right_now: Globus error when getting proxy %s expiration: %s.\n", m_proxy, x509_error_string());
		} else if (expires_at < now) {
			// NOTE(review): there is no clock-skew margin here, and '%ld'
			// assumes time_t is 'long' -- cast the difference if this ever
			// builds where it is not.
			dprintf(D_FULLDEBUG, "GLExecPrivSepHelper::proxy_valid_right_now: proxy %s expired %ld seconds ago!\n", m_proxy, now - expires_at);
		} else {
			usable = TRUE;
		}
	}

	set_priv(previous_priv);
	return usable;
}