int Condor_Auth_X509::nameGssToLocal(const char * GSSClientname) { //this might need to change with SSLK5 stuff //just extract username from /CN=<username>@<domain,etc> OM_uint32 major_status; char *tmp_user = NULL; char local_user[USER_NAME_MAX]; // windows gsi does not currently include this function. we use it on // unix, but implement our own on windows for now. #ifdef WIN32 major_status = condor_gss_assist_gridmap(GSSClientname, &tmp_user); #else // Switched the unix map function to _map_and_authorize, which allows access // to the Globus callout infrastructure. char condor_str[] = "condor"; major_status = globus_gss_assist_map_and_authorize( context_handle, condor_str, // Requested service name NULL, // Requested user name; NULL for non-specified local_user, USER_NAME_MAX-1); // Leave one space at end of buffer, just-in-case // Defensive programming: to protect against buffer overruns in the // unknown globus mapping module, make sure we are at least nul-term'd local_user[USER_NAME_MAX-1] = '\0'; #endif if (tmp_user) { strcpy( local_user, tmp_user ); free(tmp_user); tmp_user = NULL; } if ( major_status != GSS_S_COMPLETE) { setRemoteUser("gsi"); setRemoteDomain( UNMAPPED_DOMAIN ); return 0; } MyString user; MyString domain; Authentication::split_canonical_name( local_user, user, domain ); setRemoteUser (user.Value()); setRemoteDomain(domain.Value()); setAuthenticatedName(GSSClientname); return 1; }
int Condor_Auth_X509::nameGssToLocal(const char * GSSClientname) { //this might need to change with SSLK5 stuff //just extract username from /CN=<username>@<domain,etc> OM_uint32 major_status = GSS_S_COMPLETE; char *tmp_user = NULL; char local_user[USER_NAME_MAX]; // windows gsi does not currently include this function. we use it on // unix, but implement our own on windows for now. #ifdef WIN32 major_status = condor_gss_assist_gridmap(GSSClientname, &tmp_user); #else // Switched the unix map function to _map_and_authorize, which allows access // to the Globus callout infrastructure. if (m_mapping == NULL) { // Size of hash table is purposely initialized small to prevent this // from hogging memory. This will, of course, grow at large sites. m_mapping = new GlobusMappingTable(53, hashFuncString, updateDuplicateKeys); } const char *auth_name_to_map; const char *fqan = getFQAN(); if (fqan && fqan[0]) { auth_name_to_map = fqan; } else { auth_name_to_map = GSSClientname; } globus_mapping_entry_ptr value; time_t now = 0; time_t gsi_cache_expiry = param_integer("GSS_ASSIST_GRIDMAP_CACHE_EXPIRATION", 0); if (gsi_cache_expiry && (m_mapping->lookup(auth_name_to_map, value) == 0)) { now = time(NULL); if (now < value->expiry_time) { dprintf(D_SECURITY, "Using Globus mapping result from the cache.\n"); if (value->name.size()) { tmp_user = strdup(value->name.c_str()); } else { major_status = GSS_S_FAILURE; } } } if ((tmp_user == NULL) && (major_status == GSS_S_COMPLETE)) { char condor_str[] = "condor"; major_status = globus_gss_assist_map_and_authorize( context_handle, condor_str, // Requested service name NULL, // Requested user name; NULL for non-specified local_user, USER_NAME_MAX-1); // Leave one space at end of buffer, just-in-case // Defensive programming: to protect against buffer overruns in the // unknown globus mapping module, make sure we are at least nul-term'd local_user[USER_NAME_MAX-1] = '\0'; // More defensive programming: There is a bug in LCMAPS, (which is possibly // called by a globus callout) that sometimes returns with the euid set to // root (!?!). As a safeguard, We check for that here and return to the // condor euid. This is done "outside" of the condor priv stack since this // is essentially undoing a side effect of the library call, not // intentionally changing priv state. if (geteuid() == 0) { dprintf(D_ALWAYS, "WARNING: globus returned with euid 0\n"); // attempt to undo if (seteuid(get_condor_uid())) { // complain loudly, but continue dprintf(D_ALWAYS, "ERROR: something has gone terribly wrong: errno %i\n", errno); } } if (now == 0) { now = time(NULL); } value.reset(new globus_mapping_entry_t); value->expiry_time = now + gsi_cache_expiry; // The special name of "" indicates failed mapping. if (major_status == GSS_S_COMPLETE) { value->name = local_user; } m_mapping->insert(auth_name_to_map, value); } #endif if (tmp_user) { strcpy( local_user, tmp_user ); free(tmp_user); tmp_user = NULL; } if ( major_status != GSS_S_COMPLETE) { setRemoteUser("gsi"); setRemoteDomain( UNMAPPED_DOMAIN ); return 0; } MyString user; MyString domain; Authentication::split_canonical_name( local_user, user, domain ); setRemoteUser (user.Value()); setRemoteDomain(domain.Value()); setAuthenticatedName(GSSClientname); return 1; }