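/*
 * Dumps the XACML response to stdout, one "response.result[i]..." line per
 * field: decision, resource id, status (code, optional sub-code, message) and
 * every obligation together with its attribute assignments.
 *
 * @param [in] response the XACML response to dump
 * @return 0 on success or 1 if response is NULL (reported on stderr).
 */
static int process_xacml_response(const xacml_response_t * response) {
    /* indices are size_t so they match the *_length() accessors and the %zu
     * conversions below (no signed/unsigned comparison, no (int) truncation) */
    size_t results_l, i, j, k;
    if (response == NULL) {
        fprintf(stderr,"response is NULL\n");
        return 1;
    }
    results_l= xacml_response_results_length(response);
    fprintf(stdout,"response: %zu results\n", results_l);
    for(i= 0; i<results_l; i++) {
        xacml_result_t * result= xacml_response_getresult(response,i);
        xacml_status_t * status;
        xacml_statuscode_t * statuscode, * subcode;
        size_t obligations_l;
        fprintf(stdout,"response.result[%zu].decision= %s\n", i,
                decision_tostring(xacml_result_getdecision(result)));
        /* NOTE(review): the string getters are passed straight to %s; if any of
         * them can return NULL that is undefined behaviour — confirm against the
         * libxacml accessor contracts. */
        fprintf(stdout,"response.result[%zu].resourceid= %s\n", i,
                xacml_result_getresourceid(result));
        status= xacml_result_getstatus(result);
        fprintf(stdout,"response.result[%zu].status.message= %s\n", i,
                xacml_status_getmessage(status));
        statuscode= xacml_status_getcode(status);
        fprintf(stdout,"response.result[%zu].status.code.value= %s\n", i,
                xacml_statuscode_getvalue(statuscode));
        /* the status sub-code is optional */
        subcode= xacml_statuscode_getsubcode(statuscode);
        if (subcode != NULL) {
            fprintf(stdout,"response.result[%zu].status.code.subcode.value= %s\n", i,
                    xacml_statuscode_getvalue(subcode));
        }
        obligations_l= xacml_result_obligations_length(result);
        fprintf(stdout,"response.result[%zu]: %zu obligations\n", i, obligations_l);
        for(j= 0; j<obligations_l; j++) {
            xacml_obligation_t * obligation= xacml_result_getobligation(result,j);
            size_t attrs_l;
            fprintf(stdout,"response.result[%zu].obligation[%zu].id= %s\n", i, j,
                    xacml_obligation_getid(obligation));
            fprintf(stdout,"response.result[%zu].obligation[%zu].fulfillOn= %s\n", i, j,
                    fulfillon_tostring(xacml_obligation_getfulfillon(obligation)));
            attrs_l= xacml_obligation_attributeassignments_length(obligation);
            fprintf(stdout,"response.result[%zu].obligation[%zu]: %zu attribute assignments\n",
                    i, j, attrs_l);
            for (k= 0; k<attrs_l; k++) {
                xacml_attributeassignment_t * attr= xacml_obligation_getattributeassignment(obligation,k);
                fprintf(stdout,"response.result[%zu].obligation[%zu].attributeassignment[%zu].id= %s\n",
                        i, j, k, xacml_attributeassignment_getid(attr));
                fprintf(stdout,"response.result[%zu].obligation[%zu].attributeassignment[%zu].datatype= %s\n",
                        i, j, k, xacml_attributeassignment_getdatatype(attr));
                fprintf(stdout,"response.result[%zu].obligation[%zu].attributeassignment[%zu].value= %s\n",
                        i, j, k, xacml_attributeassignment_getvalue(attr));
            }
        }
    }
    return 0;
}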
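/*
 * Dumps an XACML response through the info() logger, one line per field:
 * decision, resource id, status code / sub-code / message and every obligation
 * with its attribute assignments.
 *
 * @param [in] response_ptr pointer to the XACML response pointer
 * @return 0 on success, 1 if response_ptr or the response it points to is NULL.
 */
static int dump_response(xacml_response_t ** response_ptr) {
    xacml_response_t * response;
    /* size_t indices match the *_length() accessors and the %zu conversions */
    size_t results_l, i, j, k;
    /* guard the double pointer itself, not only the response it points to */
    if (response_ptr == NULL || *response_ptr == NULL) {
        error("dump_response: response is NULL");
        return 1;
    }
    response= *response_ptr;
    results_l= xacml_response_results_length(response);
    info("response: %zu results", results_l);
    for(i= 0; i<results_l; i++) {
        xacml_result_t * result= xacml_response_getresult(response,i);
        xacml_status_t * status;
        xacml_statuscode_t * statuscode, * subcode;
        size_t obligations_l;
        info("response.result[%zu].decision= %s", i,
             decision_str(xacml_result_getdecision(result)));
        /* NOTE(review): string getters go straight to %s; if any can return NULL
         * that is undefined behaviour — confirm against the libxacml accessors. */
        info("response.result[%zu].resourceid= %s", i,
             xacml_result_getresourceid(result));
        status= xacml_result_getstatus(result);
        info("response.result[%zu].status.message= %s", i,
             xacml_status_getmessage(status));
        statuscode= xacml_status_getcode(status);
        info("response.result[%zu].status.code.value= %s", i,
             xacml_statuscode_getvalue(statuscode));
        /* the status sub-code is optional */
        subcode= xacml_statuscode_getsubcode(statuscode);
        if (subcode != NULL) {
            info("response.result[%zu].status.code.subcode.value= %s", i,
                 xacml_statuscode_getvalue(subcode));
        }
        obligations_l= xacml_result_obligations_length(result);
        info("response.result[%zu]: %zu obligations", i, obligations_l);
        for(j= 0; j<obligations_l; j++) {
            xacml_obligation_t * obligation= xacml_result_getobligation(result,j);
            size_t attrs_l;
            info("response.result[%zu].obligation[%zu].id= %s", i, j,
                 xacml_obligation_getid(obligation));
            /* NOTE(review): fulfillOn (an xacml_fulfillon_t) is rendered with
             * decision_str(), which is written for xacml_decision_t; the dumper
             * above uses a dedicated fulfillon_tostring(). Confirm decision_str()
             * is meant to accept both enums, otherwise this label is wrong. */
            info("response.result[%zu].obligation[%zu].fulfillOn= %s", i, j,
                 decision_str(xacml_obligation_getfulfillon(obligation)));
            attrs_l= xacml_obligation_attributeassignments_length(obligation);
            info("response.result[%zu].obligation[%zu]: %zu attribute assignments",
                 i, j, attrs_l);
            for (k= 0; k<attrs_l; k++) {
                xacml_attributeassignment_t * attr= xacml_obligation_getattributeassignment(obligation,k);
                info("response.result[%zu].obligation[%zu].attributeassignment[%zu].id= %s",
                     i, j, k, xacml_attributeassignment_getid(attr));
                info("response.result[%zu].obligation[%zu].attributeassignment[%zu].datatype= %s",
                     i, j, k, xacml_attributeassignment_getdatatype(attr));
                info("response.result[%zu].obligation[%zu].attributeassignment[%zu].value= %s",
                     i, j, k, xacml_attributeassignment_getvalue(attr));
            }
        }
    }
    return 0;
}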
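/*
 * Converts, in the XACML response, the local-environment-map/posix obligation
 * into username, uidgid and secondary-gids obligations. The user and group
 * names carried by the obligation's attribute assignments are resolved against
 * the local POSIX account database via resolve_user_uidgid() and
 * resolve_group_gid().
 *
 * Only results with a PERMIT decision are processed. The response is produced
 * by a remote PEP daemon and is treated as untrusted input: the number of
 * group-id attribute assignments that is buffered is bounded by NGROUPS_MAX
 * (the size of the groupnames buffer).
 *
 * @param [in] request the XACML request (unused; part of the obligation handler interface)
 * @param [in,out] response the XACML response; derived obligations are added to its results
 * @return 0 on success, 1 if response is NULL or a memory allocation fails.
 */
static int gridwn2authzinterop_oh_process(xacml_request_t ** request,xacml_response_t ** response) {
    size_t i, j, k, m;
    size_t results_l;
    (void)request;
    if (response == NULL || *response == NULL) {
        pep_log_debug("%s: response is NULL",GRIDWN_TO_AUTHZINTEROP_ADAPTER_ID);
        return 1;
    }
    results_l= xacml_response_results_length(*response);
    for (i= 0; i<results_l; i++) {
        xacml_result_t * result= xacml_response_getresult(*response,i);
        size_t obligations_l;
        if (xacml_result_getdecision(result)!=XACML_DECISION_PERMIT) {
            continue;
        }
        /* obligations appended below get indices >= obligations_l, so the loop
         * does not revisit them */
        obligations_l= xacml_result_obligations_length(result);
        for (j= 0; j<obligations_l; j++) {
            xacml_obligation_t * obligation= xacml_result_getobligation(result,j);
            const char * obligation_id= xacml_obligation_getid(obligation);
            xacml_fulfillon_t obligation_fulfillon;
            const char * username= NULL;
            const char * groupname= NULL;
            const char ** groupnames;
            size_t n_groupnames= 0;
            int too_many_groups= 0;
            size_t attrs_l;
            /* NOTE(review): this is a prefix match; an obligation id that merely
             * starts with the posix obligation id is accepted too. An exact
             * strcmp() would be stricter if no variant ids are expected. */
            if (obligation_id == NULL ||
                strncmp(XACML_GRIDWN_OBLIGATION_LOCAL_ENVIRONMENT_MAP_POSIX,obligation_id,
                        strlen(XACML_GRIDWN_OBLIGATION_LOCAL_ENVIRONMENT_MAP_POSIX))!=0) {
                continue;
            }
            obligation_fulfillon= xacml_obligation_getfulfillon(obligation);
            /* do local POSIX resolve for uid/gids */
            groupnames= calloc(NGROUPS_MAX,sizeof(*groupnames));
            if (groupnames == NULL) {
                pep_log_debug("%s: calloc(%d group names) failed",GRIDWN_TO_AUTHZINTEROP_ADAPTER_ID,(int)NGROUPS_MAX);
                return 1;
            }
            attrs_l= xacml_obligation_attributeassignments_length(obligation);
            pep_log_debug("%s: resolve local POSIX account mapping",GRIDWN_TO_AUTHZINTEROP_ADAPTER_ID);
            for (k= 0; k<attrs_l; k++) {
                xacml_attributeassignment_t * attr= xacml_obligation_getattributeassignment(obligation,k);
                const char * attr_id= xacml_attributeassignment_getid(attr);
                const char * attr_value= xacml_attributeassignment_getvalue(attr);
                if (attr_id == NULL) {
                    continue;
                }
                if (strcmp(XACML_GRIDWN_ATTRIBUTE_USER_ID,attr_id)==0) {
                    username= attr_value;
                }
                else if (strcmp(XACML_GRIDWN_ATTRIBUTE_GROUP_ID_PRIMARY,attr_id)==0) {
                    groupname= attr_value;
                }
                else if (strcmp(XACML_GRIDWN_ATTRIBUTE_GROUP_ID,attr_id)==0) {
                    /* groupnames has NGROUPS_MAX slots and the count is driven by
                     * the remote response: bound it instead of writing past the
                     * end of the buffer */
                    if (n_groupnames < (size_t)NGROUPS_MAX) {
                        groupnames[n_groupnames++]= attr_value;
                    }
                    else {
                        too_many_groups= 1;
                    }
                }
            }
            if (username) {
                /* username obligation */
                xacml_obligation_t * username_obligation= create_username_obligation(obligation_fulfillon,username);
                uid_t user_uid;
                gid_t user_gid, group_gid;
                if (username_obligation) {
                    xacml_result_addobligation(result,username_obligation);
                }
                /* uidgid obligation: resolve the username to uid/gid; the primary
                 * groupname, when present and resolvable, overrides the user's
                 * default gid */
                if (resolve_user_uidgid(username,&user_uid,&user_gid)==0) {
                    gid_t obligation_gid= user_gid;
                    xacml_obligation_t * uidgid_obligation;
                    if (groupname && resolve_group_gid(groupname,&group_gid)==0) {
                        obligation_gid= group_gid;
                    }
                    uidgid_obligation= create_uidgid_obligation(obligation_fulfillon,user_uid,obligation_gid);
                    if (uidgid_obligation) {
                        xacml_result_addobligation(result,uidgid_obligation);
                    }
                }
            }
            /* secondary gids obligation */
            if (too_many_groups) {
                pep_log_debug("%s: more than %d group ids in obligation, secondary gids not resolved",
                              GRIDWN_TO_AUTHZINTEROP_ADAPTER_ID,(int)NGROUPS_MAX);
            }
            else if (n_groupnames>0) {
                gid_t * gids= calloc(n_groupnames,sizeof(*gids));
                int resolve_error= 0;
                if (gids == NULL) {
                    pep_log_debug("%s: calloc(%d gids) failed",GRIDWN_TO_AUTHZINTEROP_ADAPTER_ID,(int)n_groupnames);
                    free(groupnames);
                    return 1;
                }
                for (m= 0; m<n_groupnames; m++) {
                    if (resolve_group_gid(groupnames[m],&gids[m])!=0) {
                        resolve_error= 1;
                        break;
                    }
                }
                /* NOTE(review): one unresolvable group drops the whole
                 * secondary-gids obligation while the username/uidgid obligations
                 * are still emitted — confirm that such a partial mapping is
                 * acceptable for a PERMIT result. */
                if (!resolve_error) {
                    xacml_obligation_t * secgids_obligation= create_secondarygids_obligation(obligation_fulfillon,gids,n_groupnames);
                    if (secgids_obligation) {
                        xacml_result_addobligation(result,secgids_obligation);
                    }
                }
                free(gids);
            }
            free(groupnames);
        }
    }
    return 0;
}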