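/**
 * Shared body of plugin_run() and plugin_verify() for the voms_localaccount
 * plugin: map the caller's VOMS FQANs to a local account through the
 * gridmapfile and publish the account's UID/GIDs as credential data.
 *
 * In this function lcmaps_mode only selects the name used in log messages;
 * the mapping steps are the same for PLUGIN_RUN and PLUGIN_VERIFY.
 *
 * Reads the file-scope settings gridmapfile, do_not_map_primary_gid,
 * add_primary_gid_from_mapped_account,
 * add_primary_gid_as_secondary_gid_from_mapped_account,
 * add_secondary_gids_from_mapped_account and use_voms_gid (declared outside
 * this block).
 *
 * @param argc        number of entries in argv
 * @param argv        LCMAPS argument list ("user_dn", "requested_username",
 *                    "nfqan", "fqan_list" are looked up)
 * @param lcmaps_mode PLUGIN_RUN or PLUGIN_VERIFY; anything else fails
 * @return LCMAPS_MOD_SUCCESS when an account was found and registered,
 *         LCMAPS_MOD_FAIL otherwise
 */
static int plugin_run_or_verify(
        int argc,
        lcmaps_argument_t * argv,
        int lcmaps_mode
)
{
    const char *    logstr = "lcmaps_plugin_voms_localaccount-plugin_run()";
    const char *    mapfile_for_log = NULL;
    char *          dn = NULL;
    int             dn_cnt = 0;
    char *          username = NULL;
    struct passwd * user_info = NULL;
    int             i = 0;
    int             cnt_sec_gid = 0;
    gid_t *         sec_gid = NULL;
    int             found = 0;
    unsigned short  matching_type = ((unsigned short)0x0000);
    int             rc = 0;
    char **         fqan_list = NULL;
    int             nfqan = -1;
    char *          req_username = NULL;
    const char *    searchstr = NULL;
    void *          value = NULL;

    /*
     * The beginning: pick the log prefix for the mode, reject unknown modes
     */
    if (lcmaps_mode == PLUGIN_RUN)
    {
        logstr = "lcmaps_plugin_voms_localaccount-plugin_run()";
    }
    else if (lcmaps_mode == PLUGIN_VERIFY)
    {
        logstr = "lcmaps_plugin_voms_localaccount-plugin_verify()";
    }
    else
    {
        lcmaps_log(LOG_ERR, "lcmaps_plugin_voms_localaccount-plugin_run_or_verify(): attempt to run plugin in invalid mode: %d\n", lcmaps_mode);
        goto fail_voms_localaccount;
    }
    lcmaps_log_debug(5,"%s:\n", logstr);

    /*
     * Try to get the ordered values:
     */
    if ( (value = lcmaps_getArgValue("user_dn", "char *", argc, argv) ) )
    {
        dn = *(char **)value;
        lcmaps_log_debug(5,"%s: found dn: %s\n", logstr, dn);

        /* Check if we don't have a DN already registered, if not, add it to the internal registry */
        getCredentialData (DN, &dn_cnt);
        if (dn_cnt == 0)
        {
            lcmaps_log_debug (5, "%s: Adding DN: %s\n", logstr, dn);
            addCredentialData(DN, &dn);
        }
    }
    else
    {
        dn = NULL;
        lcmaps_log_debug(1,"%s: could not get value of dn !\n", logstr);
    }

    /*
     * See if we have a requested req_username: the lookup result is checked
     * for NULL before it is dereferenced
     */
    value = lcmaps_getArgValue("requested_username", "char *", argc, argv);
    req_username = (value != NULL) ? *(char **)value : NULL;
    lcmaps_log_debug(1,"%s: requested username is %s\n", logstr, req_username ? req_username : "******");

    /*
     * Check the gridmapfile
     */
    if ((gridmapfile != NULL) && (strlen(gridmapfile) > 0))
    {
        lcmaps_log_debug(3,"%s: gridmapfile is: %s\n", logstr, gridmapfile);
    }
    else
    {
        free(gridmapfile);
        gridmapfile = NULL;
        lcmaps_log_debug(1,"%s: No gridmapfile assigned, so function must find out for it self\n", logstr);
    }
    /* gridmapfile may be NULL from here on; never hand NULL to a %s conversion */
    mapfile_for_log = gridmapfile ? gridmapfile : "(null)";

    /*
     * Get the VO user information.
     * We can either order it by lcmaps_argument_t or use the getCredentialData() function.
     * The latter case requires the voms parsing plugin (lcmaps_voms.mod) to have run beforehand.
     * Unfortunately the formats of the VOMS strings (from getCredentialData()) and
     * FQANs (from lcmaps_argument_t) are not the same. We may have to introduce
     * two-way conversion functions.
     * The VOMS info has to matched against the info in the gridmapfile
     */
    lcmaps_log_debug(5,"%s: First try to get the FQAN list from input credential repository ...\n", logstr);
    if ( ( value = lcmaps_getArgValue("nfqan", "int", argc, argv) ) )
    {
        nfqan = *(int *)value;
        if (nfqan < 1)
        {
            lcmaps_log(LOG_ERR,"%s: no (valid) VOMS groups found --> no mapping\n", logstr);
            goto fail_voms_localaccount;
        }
        lcmaps_log_debug(5,"%s: the list of FQANs should contain %d elements\n", logstr, nfqan);

        value = lcmaps_getArgValue("fqan_list", "char **", argc, argv);
        /* A present argument holding a NULL list is as unusable as a missing one */
        if ((value == NULL) || (*(char ***)value == NULL))
        {
            lcmaps_log_debug(1, "%s: could not retrieve list of FQANs!\n", logstr);
            goto fail_voms_localaccount;
        }
        fqan_list = *(char ***)value;
        lcmaps_log_debug(5, "%s: found list of FQANs\n", logstr);

        for (i = 0; i < nfqan; i++)
        {
            lcmaps_log_debug(3, "%s: FQAN %d: %s\n", logstr, i, fqan_list[i]);
        }
    }
    else
    {
        lcmaps_log_debug(1,"%s: ... did not find input credentials in input credential repository...\n", logstr);
        lcmaps_log_debug(1,"%s: ... trying the internal credential repository ...\n", logstr);

        fqan_list = getCredentialData(LCMAPS_VO_CRED_STRING, &nfqan);
    }

    if (nfqan == 0)
    {
        lcmaps_log(LOG_NOTICE,"%s: no VOMS group info --> no mapping\n", logstr);
        goto fail_voms_localaccount;
    }
    else if (nfqan < 0)
    {
        lcmaps_log(LOG_ERR,"%s: negative number of VOMS groups found ! (failure)\n", logstr);
        goto fail_voms_localaccount;
    }

    /* A positive count with no list would make the matching loop read through NULL */
    if (fqan_list == NULL)
    {
        lcmaps_log(LOG_ERR,"%s: VOMS group count is %d but the list is missing (failure)\n", logstr, nfqan);
        goto fail_voms_localaccount;
    }

    /*
     * Try to match the VO strings with the gridmapfile info
     * normally the first available VO string should match
     */
    found = 0;

    if ( req_username )
    {
        /* Only an entry naming the requested account is acceptable */
        matching_type = MATCH_EXACT|MATCH_WILD_CHARS;
        searchstr = req_username;
    }
    else
    {
        matching_type = MATCH_EXCLUDE|MATCH_WILD_CHARS;
        searchstr = ".";
    }

    for (i = 0; i < nfqan; i++)
    {
        /* clean username before each call to lcmaps_gridlist */
        free(username);
        username = NULL;

        rc = lcmaps_gridlist(fqan_list[i], &username, gridmapfile, matching_type, searchstr, NULL);
        if (rc == 0)
        {
            found = 1;
            lcmaps_log_debug(3,"%s: found username: %s\n", logstr, username);
            break;
        }
        else if (rc == LCMAPS_MOD_NOFILE)
        {
            lcmaps_log(LOG_ERR, "%s: Could not find the gridmapfile %s\n", logstr, mapfile_for_log);
            goto fail_voms_localaccount;
        }
        else
        {
            if (req_username)
                lcmaps_log_debug(1, "%s: no localaccount available for group (%s) and requested user %s in %s\n", logstr, fqan_list[i], req_username, mapfile_for_log);
            else
                lcmaps_log_debug(1, "%s: no localaccount available for group (%s) in %s\n", logstr, fqan_list[i], mapfile_for_log);
        }
    }

    if (found != 1)
    {
        /* This should be at most a NOTICE */
        lcmaps_log(LOG_NOTICE, "%s: Could not find a VOMS localaccount in %s (failure)\n", logstr, mapfile_for_log);
        goto fail_voms_localaccount;
    }

    /*
     * Get userid to pwd_t structure
     */
    if (username && (strlen(username) > 0))
    {
        if ( ( user_info = getpwnam(username) ) )
        {
            lcmaps_log_debug(5,"%s: address user_info: %p\n", logstr, (void *)user_info);
            lcmaps_log_debug(3,"%s: username : %s, char ptr: %p, address char ptr: %p\n", logstr, user_info->pw_name, (void *)user_info->pw_name, (void *)&(user_info->pw_name));
            /* pw_passwd is deliberately not logged: the password field of the
             * account database must not end up in log files */
            lcmaps_log_debug(3,"%s: user_id : %d, address uid: %p\n", logstr, user_info->pw_uid, (void *)&(user_info->pw_uid));
            lcmaps_log_debug(3,"%s: group_id : %d\n", logstr, user_info->pw_gid);
            lcmaps_log_debug(3,"%s: realname : %s\n", logstr, user_info->pw_gecos);
            lcmaps_log_debug(3,"%s: home dir : %s\n", logstr, user_info->pw_dir);
            lcmaps_log_debug(3,"%s: shellprg : %s\n", logstr, user_info->pw_shell);

            /* Add this credential data to the credential data repository in the plugin manager */
            addCredentialData(UID, &(user_info->pw_uid));

            /* Map primary Unix GID from the account info */
            if ((!do_not_map_primary_gid) &&
                (add_primary_gid_from_mapped_account))
            {
                lcmaps_log_debug(4,"%s: adding primary GID (%d) from local account to CredentialData\n", logstr, user_info->pw_gid);
                addCredentialData(PRI_GID, &(user_info->pw_gid));
            }

            /* Add the primary GID from the mapped account as an secondary GID to the result */
            if (add_primary_gid_as_secondary_gid_from_mapped_account)
            {
                lcmaps_log_debug(4,"%s: adding primary GID (%d) from local account as a secondary GID to CredentialData\n", logstr, user_info->pw_gid);
                addCredentialData(SEC_GID, &(user_info->pw_gid));
            }

            /* Add secondary Unix group IDs from the mapped local account */
            if (add_secondary_gids_from_mapped_account)
            {
                /* Retrieve secondary group id's */
                if (lcmaps_get_gidlist(username, &cnt_sec_gid, &sec_gid) == 0)
                {
                    /* NOTE(review): the value logged here is the primary GID, not the number of secondary GIDs */
                    lcmaps_log_debug(4,"%s: adding secondary GIDs (%d) from local account to CredentialData\n", logstr, user_info->pw_gid);
                    for (i = 0; i < cnt_sec_gid; i++)
                    {
                        addCredentialData(SEC_GID, &(sec_gid[i]));
                    }
                    free(sec_gid);
                    /* the list may be fetched again below; do not keep a stale pointer */
                    sec_gid = NULL;
                    cnt_sec_gid = 0;
                }
            }

            /* Old and error tolerant setting to set primary and secondary Unix
             * IDs from the /etc/{passwd,groups} info.
             * NOTE(review): when the flags above are also set, the same GIDs are
             * handed to addCredentialData() a second time here - confirm that
             * duplicates are harmless. */
            if (use_voms_gid == 0)
            {
                lcmaps_log_debug(4,"%s: adding primary GID (%d) from local account to CredentialData\n", logstr, user_info->pw_gid);
                addCredentialData(PRI_GID, &(user_info->pw_gid));

                /* Retrieve secondary group id's */
                if (lcmaps_get_gidlist(username, &cnt_sec_gid, &sec_gid) == 0)
                {
                    for (i = 0; i < cnt_sec_gid; i++)
                    {
                        addCredentialData(SEC_GID, &(sec_gid[i]));
                    }
                    free(sec_gid);
                    sec_gid = NULL;
                    cnt_sec_gid = 0;
                }
            }
        }
        else
        {
            lcmaps_log(LOG_ERR,"%s: no user account found named \"%s\"\n", logstr, username);
            goto fail_voms_localaccount;
        }
    }
    else
    {   /* error (msg is already given) */
        goto fail_voms_localaccount;
    }

    /* success */
 /* success_voms_localaccount:*/
    free(username);
    lcmaps_log(LOG_INFO,"%s: voms_localaccount plugin succeeded\n", logstr);
    return LCMAPS_MOD_SUCCESS;

 fail_voms_localaccount:
    free(username);
    lcmaps_log(LOG_INFO,"%s: voms_localaccount plugin failed\n", logstr);
    return LCMAPS_MOD_FAIL;
}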
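/**
 * Shared body of plugin_run() and plugin_verify() for the voms_poolgroup
 * plugin: map each VOMS FQAN to a Unix group through the groupmapfile and
 * publish the resulting GIDs and VO mappings as credential data.
 *
 * In PLUGIN_VERIFY mode the requested primary/secondary GID lists are
 * fetched and logged, and ONLY_USE_EXISTING_LEASE is added to the matching
 * flags so that no new leases are created.
 * NOTE(review): the requested GID lists are not compared against the mapping
 * result anywhere in this function - confirm that the comparison is done by
 * another component.
 *
 * Reads the file-scope settings groupmapfile, groupmapdir,
 * override_inconsistency, strict_poolprefix_match, map_to_secondary_groups,
 * mapall and mapmin (declared outside this block); may set groupmapdir from
 * the GROUPMAPDIR environment variable and exports it as MAPDIR.
 *
 * @param argc        number of entries in argv
 * @param argv        LCMAPS argument list ("nfqan", "fqan_list" and, in verify
 *                    mode, the "requested_*" GID arguments are looked up)
 * @param lcmaps_mode PLUGIN_RUN or PLUGIN_VERIFY; anything else fails
 * @return LCMAPS_MOD_SUCCESS when at least mapmin groups were mapped,
 *         LCMAPS_MOD_FAIL otherwise
 */
static int plugin_run_or_verify(
        int argc,
        lcmaps_argument_t * argv,
        int lcmaps_mode
)
{
    const char *          logstr = "lcmaps_plugin_voms_poolgroup-plugin_run()";
    char *                groupname = NULL;
    struct group *        group_info = NULL;
    int                   i = 0;
    unsigned short        matching_type = ((unsigned short)0x0000);
    int                   group_counter = 0;
    int                   rc = 0;
    lcmaps_vo_mapping_t * lcmaps_vo_mapping = NULL;
    char **               fqan_list = NULL;
    int                   nfqan = -1;
    int                   requested_npgid = 0;
    gid_t *               requested_pgid_list = NULL;
    int                   requested_nsgid = 0;
    gid_t *               requested_sgid_list = NULL;
    void *                value = NULL;

    /*
     * The beginning: pick the log prefix for the mode, reject unknown modes
     */
    if (lcmaps_mode == PLUGIN_RUN)
    {
        logstr = "lcmaps_plugin_voms_poolgroup-plugin_run()";
    }
    else if (lcmaps_mode == PLUGIN_VERIFY)
    {
        logstr = "lcmaps_plugin_voms_poolgroup-plugin_verify()";
    }
    else
    {
        lcmaps_log(LOG_ERR, "lcmaps_plugin_voms_poolgroup-plugin_run_or_verify(): attempt to run plugin in invalid mode: %d\n", lcmaps_mode);
        goto fail_voms_poolgroup;
    }
    lcmaps_log_debug(5,"%s:\n", logstr);

    /*
     * Try to fetch the list of groups the invocator of LCMAPS wants to be
     * verified. (only in PLUGIN_VERIFY mode).
     */
    if (lcmaps_mode == PLUGIN_VERIFY)
    {
        if ( (value = lcmaps_getArgValue("requested_npgid", "int", argc, argv)) != NULL )
        {
            requested_npgid = *(int *) value;
            lcmaps_log_debug(1,"%s: the list of pgids should contain %d elements\n", logstr, requested_npgid);

            if ( ( value = lcmaps_getArgValue("requested_pgid_list", "gid_t *", argc, argv) ) != NULL )
            {
                requested_pgid_list = *(gid_t **) value;
                lcmaps_log_debug(1, "%s: found list of pgids\n", logstr);
            }
            else
            {
                lcmaps_log_debug(1, "%s: could not retrieve list of pgids (failure)!\n", logstr);
                goto fail_voms_poolgroup;
            }
            /* the argument may hold a NULL list; do not index through it */
            for (i = 0; (requested_pgid_list != NULL) && (i < requested_npgid); i++)
            {
                lcmaps_log_debug(3, "%s: pgid[%d]: %d\n", logstr, i, (int)(requested_pgid_list[i]));
            }
        }

        if ( (value = lcmaps_getArgValue("requested_nsgid", "int", argc, argv)) != NULL )
        {
            requested_nsgid = *(int *) value;
            lcmaps_log_debug(1,"%s: the list of sgids should contain %d elements\n", logstr, requested_nsgid);

            if ( ( value = lcmaps_getArgValue("requested_sgid_list", "gid_t *", argc, argv) ) != NULL )
            {
                requested_sgid_list = *(gid_t **) value;
                lcmaps_log_debug(1, "%s: found list of sgids\n", logstr);
            }
            else
            {
                lcmaps_log_debug(1, "%s: could not retrieve list of sgids (failure)!\n", logstr);
                goto fail_voms_poolgroup;
            }
            /* the argument may hold a NULL list; do not index through it */
            for (i = 0; (requested_sgid_list != NULL) && (i < requested_nsgid); i++)
            {
                lcmaps_log_debug(3, "%s: sgid[%d]: %d\n", logstr, i, (int)(requested_sgid_list[i]));
            }
        }
    }

    /*
     * Get the VO user information.
     * We can either order it by lcmaps_argument_t or use the getCredentialData() function.
     * The latter case requires the voms parsing plugin (lcmaps_voms.mod) to have run beforehand.
     * Unfortunately the formats of the VOMS strings (from getCredentialData()) and
     * FQANs (from lcmaps_argument_t) are not the same. We may have to introduce
     * two-way conversion functions.
     * The VOMS info has to matched against the info in the gridmapfile
     */
    lcmaps_log_debug(5,"%s: First try to get the FQAN list from input credential repository ...\n", logstr);
    if ( ( value = lcmaps_getArgValue("nfqan", "int", argc, argv) ) != NULL )
    {
        nfqan = *(int *) value;
        if (nfqan < 1)
        {
            lcmaps_log(LOG_ERR,"%s: no (valid) VOMS groups found --> no mapping\n", logstr);
            goto fail_voms_poolgroup;
        }
        lcmaps_log_debug(5,"%s: the list of FQANs should contain %d elements\n", logstr, nfqan);

        value = lcmaps_getArgValue("fqan_list", "char **", argc, argv);
        /* A present argument holding a NULL list is as unusable as a missing one */
        if ((value == NULL) || (*(char ***) value == NULL))
        {
            lcmaps_log(LOG_NOTICE, "%s: could not retrieve list of FQANs (failure)!\n", logstr);
            goto fail_voms_poolgroup;
        }
        fqan_list = *(char ***) value;
        lcmaps_log_debug(5, "%s: found list of FQANs\n", logstr);

        for (i = 0; i < nfqan; i++)
        {
            lcmaps_log_debug(3, "%s: FQAN %d: %s\n", logstr, i, fqan_list[i]);
        }
    }
    else
    {
        lcmaps_log_debug(1,"%s: ... did not find input credentials in input credential repository ... trying the internal credential repository ...\n", logstr);

        fqan_list = getCredentialData(LCMAPS_VO_CRED_STRING, &nfqan);
    }

    if (nfqan == 0)
    {
        lcmaps_log(LOG_ERR,"%s: no VOMS group info --> no mapping (failure)\n", logstr);
        goto fail_voms_poolgroup;
    }
    else if (nfqan < 0)
    {
        lcmaps_log(LOG_ERR,"%s: negative number of VOMS groups found ! (failure)\n", logstr);
        goto fail_voms_poolgroup;
    }

    /* A positive count with no list would make the mapping loop read through NULL */
    if (fqan_list == NULL)
    {
        lcmaps_log(LOG_ERR,"%s: VOMS group count is %d but the list is missing (failure)\n", logstr, nfqan);
        goto fail_voms_poolgroup;
    }

    /*
     * Check the groupmapfile
     */
    if ((groupmapfile != NULL) && (strlen(groupmapfile) > 0))
    {
        lcmaps_log_debug(1,"%s: groupmapfile is: %s\n", logstr, groupmapfile);
    }
    else
    {
        /* groupmapfile can be NULL on this path; never hand NULL to a %s conversion */
        lcmaps_log(LOG_ERR,"%s: error finding the groupmapfile: %s. (use the option \"-groupmapfile <groupmapfile>\"\n", logstr, groupmapfile ? groupmapfile : "(null)");
        goto fail_voms_poolgroup;
    }

    /*
     * Check groupmapdir
     */
    if (groupmapdir == NULL) /* try if GROUPMAPDIR is already set */
    {
        /* NOTE(review): the pool directory is taken from the process
         * environment here - confirm the environment is trusted wherever this
         * plugin runs with elevated privileges */
        const char * tmpptr = getenv("GROUPMAPDIR");

        if (tmpptr == NULL)
        {
            lcmaps_log(LOG_ERR,"%s: GROUPMAPDIR unknown! Specify as option or set GROUPMAPDIR\n", logstr);
            goto fail_voms_poolgroup;
        }
        groupmapdir = strdup(tmpptr);
        if (groupmapdir == NULL)
        {
            /* strdup() failed; strlen() below must not see a NULL pointer */
            lcmaps_log(LOG_ERR,"%s: out of memory while copying GROUPMAPDIR\n", logstr);
            goto fail_voms_poolgroup;
        }
    }
    if (strlen(groupmapdir) == 0)
    {
        lcmaps_log(LOG_ERR,"%s: cannot set MAPDIR (strlen(groupmapdir) == 0)\n", logstr);
        goto fail_voms_poolgroup;
    }

    lcmaps_log_debug(1,"%s: setting MAPDIR to %s\n", logstr, groupmapdir);
    if (setenv("MAPDIR", groupmapdir, 1))
    {
        lcmaps_log(LOG_ERR,"%s: cannot set MAPDIR\n", logstr);
        goto fail_voms_poolgroup;
    }

    /*
     * Try to find the unix groups from the VO info in the groupmapfile
     * The first group (if found) should become the primary group
     */
    matching_type = MATCH_INCLUDE|MATCH_WILD_CHARS;

    /* if override_consistency is set add this to the matchin_type so it will take effect */
    if (override_inconsistency)
        matching_type |= OVERRIDE_INCONSISTANCY;

    /* if strict_poolprefix_match is set add this to the matchin_type so it will take effect */
    if (strict_poolprefix_match)
        matching_type |= MATCH_STRICT_PREFIX_NUM;

    /* Do not create new leases in verification mode */
    if (lcmaps_mode == PLUGIN_VERIFY)
        matching_type |= ONLY_USE_EXISTING_LEASE;

    for (i = 0; i < nfqan; i++)
    {
        /* clean groupname before each call to lcmaps_gridlist */
        free(groupname);
        groupname = NULL;

        rc = lcmaps_gridlist(fqan_list[i], &groupname, groupmapfile, matching_type, ".", NULL);
        if (rc == 0)
        {
            lcmaps_log_debug(4,"%s: found groupname: %s\n", logstr, groupname ? groupname : "(null)");
            group_counter++;

            if (groupname && (strlen(groupname) > 0))
            {
                if ( ( group_info = getgrnam(groupname) ) )
                {
                    /* When map_to_secondary_groups is true, all results will be stored as secondary Unix group IDs.
                     * NOTE(review): only FQAN index 0 can become the primary GID; if that
                     * FQAN has no mapping and mapall is off, this function adds no PRI_GID
                     * at all - confirm this is intended. */
                    if ((i == 0) && (!map_to_secondary_groups))
                    {
                        /* First VO group */
                        addCredentialData(PRI_GID, (void *) &(group_info->gr_gid));
                    }
                    else
                    {
                        /* Other VO groups */
                        addCredentialData(SEC_GID, (void *) &(group_info->gr_gid));
                    }

                    /*
                     * The coupling between VO information and the GID is maintained
                     * in the lcmaps_vo_mapping structure, which is added to the credential data
                     */
                    lcmaps_vo_mapping = lcmaps_createVoMapping(
                        fqan_list[i],
                        groupname,
                        group_info->gr_gid
                    );
                    if (! lcmaps_vo_mapping)
                    {
                        lcmaps_log(LOG_ERR,"%s: could not create VoMapping structure (failure)\n", logstr);
                        goto fail_voms_poolgroup;
                    }
                    /* lcmaps_printVoMapping(2, lcmaps_vo_mapping); */

                    /* Add credential */
                    addCredentialData(LCMAPS_VO_CRED_MAPPING, (void *) lcmaps_vo_mapping);
                    if ( lcmaps_deleteVoMapping(&lcmaps_vo_mapping) )
                    {
                        lcmaps_log(LOG_ERR,"%s: error while deleting VoMapping structure (failure)\n", logstr);
                        goto fail_voms_poolgroup;
                    }
                }
                else
                {
                    lcmaps_log(LOG_ERR,"%s: no group id found in /etc/group (or equivalent, e.g. LDAP) for groupname = \"%s\"\n", logstr, groupname);
                    goto fail_voms_poolgroup;
                }
            }
            else
            {
                lcmaps_log(LOG_ERR,"%s: error getting value of groupname (failure)!\n", logstr);
                goto fail_voms_poolgroup;
            }
        }
        else if (rc == LCMAPS_MOD_NOFILE)
        {
            lcmaps_log(LOG_ERR, "%s: Could not find the groupmapfile %s\n", logstr, groupmapfile);
            goto fail_voms_poolgroup;
        }
        else
        {
            lcmaps_log_debug(1,"%s: could not get value of groupname !\n", logstr);
            /* with mapall set, a single unmapped FQAN fails the whole plugin */
            if (mapall)
            {
                lcmaps_log(LOG_NOTICE,"%s: no mapping for VO group %s\n", logstr, fqan_list[i]);
                goto fail_voms_poolgroup;
            }
        }
    }

    if (group_counter < mapmin)
    {
        lcmaps_log(LOG_ERR,"%s: Not enough groups found. The minimum is set to %d. The plugin found %d\n", logstr, mapmin, group_counter);
        goto fail_voms_poolgroup;
    }

    /* success */
 /* success_voms_poolgroup:*/
    free(groupname);
    lcmaps_log(LOG_INFO,"%s: voms_poolgroup plugin succeeded\n", logstr);
    return LCMAPS_MOD_SUCCESS;

 fail_voms_poolgroup:
    free(groupname);
    lcmaps_log(LOG_INFO,"%s: voms_poolgroup plugin failed\n", logstr);
    return LCMAPS_MOD_FAIL;
}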