int authenticate_user(struct batch_request *preq, struct connection *pcred) { char uath[PBS_MAXUSER + PBS_MAXHOSTNAME + 1]; #if defined(PBS_SECURITY) && ((PBS_SECURITY == KAUTH ) || (PBS_SECURITY == KCRYPT ) ) strcpy(pcred->cn_username, preq->rq_user); strcpy(pcred->cn_hostname, preq->rq_host); #endif if (strncmp(preq->rq_user, pcred->cn_username, PBS_MAXUSER)) return (PBSE_BADCRED); if (strncasecmp(preq->rq_host, pcred->cn_hostname, PBS_MAXHOSTNAME)) return (PBSE_BADCRED); if (pcred->cn_timestamp) { if ((pcred->cn_timestamp - CREDENTIAL_TIME_DELTA > time_now) || (pcred->cn_timestamp + CREDENTIAL_LIFETIME < time_now)) return (PBSE_EXPIRED); } /* If Server's Acl_User enabled, check if user in list */ if (server.sv_attr[SRV_ATR_AclUserEnabled].at_val.at_long) { (void)strcpy(uath, preq->rq_user); (void)strcat(uath, "@"); (void)strcat(uath, preq->rq_host); if (acl_check(&server.sv_attr[SRV_ATR_AclUsers], uath, ACL_User) == 0) { /* not in list, next check if listed as a manager */ if ((svr_get_privilege(preq->rq_user, preq->rq_host) & (ATR_DFLAG_MGWR | ATR_DFLAG_OPWR)) == 0) return (PBSE_PERM); } } /* A site stub for additional checking */ return (site_allow_u(preq->rq_user, preq->rq_host)); }
int authenticate_user( struct batch_request *preq, /* I */ struct credential *pcred, char **autherr) /* O */ { int rc; char uath[PBS_MAXUSER + PBS_MAXHOSTNAME + 1]; time_t time_now = time(NULL); char error_msg[1024]; bool acl_enabled = false; #ifdef MUNGE_AUTH if (strncmp(preq->rq_user, pcred->username, PBS_MAXUSER)) { /* extra check for munge */ struct array_strings *my_acl = NULL; char uh[PBS_MAXUSER + PBS_MAXHOSTNAME + 2]; sprintf(uh, "%s@%s", preq->rq_user, pcred->hostname); get_svr_attr_arst(SRV_ATR_authusers, &my_acl); if ((acl_check_my_array_string(my_acl, uh, ACL_User_Host)) == 0) { *autherr = strdup("User not in authorized user list."); sprintf(error_msg, "%s Requested user %s: requested from host %s", *autherr, preq->rq_user, preq->rq_host); log_event(PBSEVENT_ADMIN, PBS_EVENTCLASS_SERVER, __func__, error_msg); return(PBSE_BADCRED); } } #else if (strncmp(preq->rq_user, pcred->username, PBS_MAXUSER)) { *autherr = strdup("Users do not match"); sprintf(error_msg, "%s: Requested user %s: credential user %s: requested from host %s", *autherr, preq->rq_user, pcred->username, preq->rq_host); log_event(PBSEVENT_ADMIN, PBS_EVENTCLASS_SERVER, __func__, error_msg); return(PBSE_BADCRED); } #endif if (strncmp(preq->rq_host, pcred->hostname, PBS_MAXHOSTNAME)) { struct sockaddr_in *sai1; struct sockaddr_in *sai2; struct addrinfo *addr_info1 = NULL; struct addrinfo *addr_info2 = NULL; sai1 = get_cached_addrinfo(preq->rq_host); sai2 = get_cached_addrinfo(pcred->hostname); if ((sai1 == NULL) && (pbs_getaddrinfo(preq->rq_host, NULL, &addr_info1) == PBSE_NONE)) { sai1 = (struct sockaddr_in *)addr_info1->ai_addr; } if ((sai2 == NULL) && (pbs_getaddrinfo(pcred->hostname, NULL, &addr_info2) == PBSE_NONE)) { sai2 = (struct sockaddr_in *)addr_info2->ai_addr; } if ((sai1 == NULL) || (sai2 == NULL) || (memcmp(sai1, sai2, sizeof(struct sockaddr_in)))) { *autherr = strdup("Hosts do not match"); sprintf(error_msg, "%s: Requested host %s: credential host: %s", *autherr, preq->rq_host, pcred->hostname); log_event(PBSEVENT_ADMIN, PBS_EVENTCLASS_SERVER, __func__, error_msg); return(PBSE_BADCRED); } } if (pcred->timestamp) { long lifetime = 0; if (get_svr_attr_l(SRV_ATR_CredentialLifetime, &lifetime) == PBSE_NONE) { /* use configured value if set */ } else { /* if not use the default */ lifetime = CREDENTIAL_LIFETIME; } /* negative values mean that credentials have an infinite lifetime */ if (lifetime > -1) { if ((pcred->timestamp - CREDENTIAL_TIME_DELTA > time_now) || (pcred->timestamp + lifetime < time_now)) { return(PBSE_EXPIRED); } } } /* If Server's Acl_User enabled, check if user in list */ get_svr_attr_b(SRV_ATR_AclUserEnabled, &acl_enabled); if (acl_enabled) { struct array_strings *acl_users = NULL; snprintf(uath, sizeof(uath), "%s@%s", preq->rq_user, preq->rq_host); get_svr_attr_arst(SRV_ATR_AclUsers, &acl_users); if (acl_check_my_array_string(acl_users, uath, ACL_User) == 0) { int my_err; pbs_net_t connect_addr = get_hostaddr(&my_err, preq->rq_host); pbs_net_t server_addr = get_hostaddr(&my_err, server_host); #ifdef __CYGWIN__ if ((!IamAdminByName(preq->rq_user)) || (connect_addr != server_addr)) { return(PBSE_PERM); } #else /* __CYGWIN__ */ #ifdef PBS_ROOT_ALWAYS_ADMIN if ((strcmp(preq->rq_user, PBS_DEFAULT_ADMIN) != 0) || (connect_addr != server_addr)) { return(PBSE_PERM); } #else /* PBS_ROOT_ALWAYS_ADMIN */ return(PBSE_PERM); #endif /* PBS_ROOT_ALWAYS_ADMIN */ #endif /* __CYGWIN__ */ } } /* A site stub for additional checking */ rc = site_allow_u(preq->rq_user, preq->rq_host); return(rc); } /* END authenticate_user() */