/* * Creates a XACML Request containing a XACML Subject with the given subjectid, a XACML Resource * with the given resourceid and a XACML Action with the given actionid. * * @param [in/out] request address of the pointer to the XACML request object * @param [in] subjectid, a X.509 DN, attribute value of the XACML Request/Subject element * @param [in] resourceid attribute value of the XACML Request/Resource element * @param [in] actionid attribute value of the XACML Request/Action element * @return 0 on success or error code on failure. */ static int create_xacml_request(xacml_request_t ** request,const char * subjectid, const char * resourceid, const char * actionid) { xacml_subject_t * subject; xacml_attribute_t * subject_attr_id; xacml_resource_t * resource; xacml_attribute_t * resource_attr_id; xacml_action_t * action; xacml_attribute_t * action_attr_id; /* XACML Subject with subjectid Attribute value */ subject= xacml_subject_create(); if (subject == NULL) { fprintf(stderr,"can not create XACML Subject\n"); return 1; } subject_attr_id= xacml_attribute_create(XACML_SUBJECT_ID); if (subject_attr_id == NULL) { fprintf(stderr,"can not create XACML Subject/Attribute:%s\n",XACML_SUBJECT_ID); xacml_subject_delete(subject); return 1; } // set X.509 DN value xacml_attribute_addvalue(subject_attr_id,subjectid); // set attribute datatype for X.509 DN xacml_attribute_setdatatype(subject_attr_id,XACML_DATATYPE_X500NAME); xacml_subject_addattribute(subject,subject_attr_id); /* XACML Resource with resourceid Attribute value */ resource= xacml_resource_create(); if (resource == NULL) { fprintf(stderr,"can not create XACML Resource\n"); xacml_subject_delete(subject); return 2; } resource_attr_id= xacml_attribute_create(XACML_RESOURCE_ID); if (resource_attr_id == NULL) { fprintf(stderr,"can not create XACML Resource/Attribute:%s\n",XACML_RESOURCE_ID); xacml_subject_delete(subject); xacml_resource_delete(resource); return 2; } xacml_attribute_addvalue(resource_attr_id,resourceid); xacml_resource_addattribute(resource,resource_attr_id); /* XACML Action with actionid Attribute value */ action= xacml_action_create(); if (action == NULL) { fprintf(stderr,"can not create XACML Action\n"); xacml_subject_delete(subject); xacml_resource_delete(resource); return 3; } action_attr_id= xacml_attribute_create(XACML_ACTION_ID); if (action_attr_id == NULL) { fprintf(stderr,"can not create XACML Action/Attribute:%s\n",XACML_ACTION_ID); xacml_subject_delete(subject); xacml_resource_delete(resource); xacml_action_delete(action); return 3; } xacml_attribute_addvalue(action_attr_id,actionid); xacml_action_addattribute(action,action_attr_id); /* XACML Request with all elements */ *request= xacml_request_create(); if (*request == NULL) { fprintf(stderr,"can not create XACML Request\n"); xacml_subject_delete(subject); xacml_resource_delete(resource); xacml_action_delete(action); return 4; } xacml_request_addsubject(*request,subject); xacml_request_addresource(*request,resource); xacml_request_setaction(*request,action); return 0; }
/* * Creates a new Subject/Attribute XACML_SUBJECT_KEY_INFO based on the * XACML_AUTHZINTEROP_SUBJECT_CERTCHAIN. * Creates new Subject/Attributes XACML_GRIDWN_ATTRIBUTE_FQAN and * XACML_GRIDWN_ATTRIBUTE_FQAN_PRIMARY based on XACML_AUTHZINTEROP_SUBJECT_VOMS_FQAN and * XACML_AUTHZINTEROP_SUBJECT_VOMS_PRIMARY_FQAN. * Adds the XACML_GRIDWN_ATTRIBUTE_PROFILE_ID in the Environment if not already present. */ static int authzinterop2gridwn_pip_process(xacml_request_t ** request) { int i, j, profile_id_present; size_t subjects_l= xacml_request_subjects_length(*request); xacml_environment_t * environment; size_t environment_attrs_l; for (i= 0; i<subjects_l; i++) { xacml_subject_t * subject= xacml_request_getsubject(*request,i); size_t subject_attrs_l= xacml_subject_attributes_length(subject); for(j= 0; j<subject_attrs_l; j++) { xacml_attribute_t * attr= xacml_subject_getattribute(subject,j); const char * attr_id= xacml_attribute_getid(attr); if (strncmp(XACML_AUTHZINTEROP_SUBJECT_CERTCHAIN,attr_id,strlen(XACML_AUTHZINTEROP_SUBJECT_CERTCHAIN)) == 0) { xacml_attribute_t * keyinfo= xacml_attribute_clone(attr); pep_log_debug("%s: clone subject[%d].attribute[%d].id= %s",AUTHZINTEROP_TO_GRIDWN_ADAPTER_ID, i,j,attr_id); if (keyinfo!=NULL) { pep_log_debug("%s: set cloned attribute id= %s",AUTHZINTEROP_TO_GRIDWN_ADAPTER_ID,XACML_SUBJECT_KEY_INFO); xacml_attribute_setid(keyinfo,XACML_SUBJECT_KEY_INFO); pep_log_debug("%s: set cloned attribute datatype= %s",AUTHZINTEROP_TO_GRIDWN_ADAPTER_ID,XACML_DATATYPE_STRING); xacml_attribute_setdatatype(keyinfo,XACML_DATATYPE_STRING); if (xacml_subject_addattribute(subject,keyinfo) != PEP_XACML_OK) { pep_log_error("%s: failed to add new attribute{%s} to subject[%d]",AUTHZINTEROP_TO_GRIDWN_ADAPTER_ID,XACML_SUBJECT_KEY_INFO,i); xacml_attribute_delete(keyinfo); } } else { pep_log_warn("%s: failed to clone subject[%d].attribute[%d]",AUTHZINTEROP_TO_GRIDWN_ADAPTER_ID, i,j); } } else if (strncmp(XACML_AUTHZINTEROP_SUBJECT_VOMS_PRIMARY_FQAN,attr_id,strlen(XACML_AUTHZINTEROP_SUBJECT_VOMS_PRIMARY_FQAN))==0) { xacml_attribute_t * fqan_primary= xacml_attribute_clone(attr); pep_log_debug("%s: clone subject[%d].attribute[%d].id= %s",AUTHZINTEROP_TO_GRIDWN_ADAPTER_ID, i,j,attr_id); if (fqan_primary!=NULL) { pep_log_debug("%s: set cloned attribute id= %s",AUTHZINTEROP_TO_GRIDWN_ADAPTER_ID,XACML_GRIDWN_ATTRIBUTE_FQAN_PRIMARY); xacml_attribute_setid(fqan_primary,XACML_GRIDWN_ATTRIBUTE_FQAN_PRIMARY); pep_log_debug("%s: set cloned attribute datatype= %s",AUTHZINTEROP_TO_GRIDWN_ADAPTER_ID,XACML_GRIDWN_DATATYPE_FQAN); xacml_attribute_setdatatype(fqan_primary,XACML_GRIDWN_DATATYPE_FQAN); if (xacml_subject_addattribute(subject,fqan_primary) != PEP_XACML_OK) { pep_log_error("%s: failed to add new attribute{%s} to subject[%d]",AUTHZINTEROP_TO_GRIDWN_ADAPTER_ID,XACML_GRIDWN_ATTRIBUTE_FQAN_PRIMARY,i); xacml_attribute_delete(fqan_primary); } } else { pep_log_warn("%s: failed to clone subject[%d].attribute[%d]",AUTHZINTEROP_TO_GRIDWN_ADAPTER_ID, i,j); } } else if (strncmp(XACML_AUTHZINTEROP_SUBJECT_VOMS_FQAN,attr_id,strlen(XACML_AUTHZINTEROP_SUBJECT_VOMS_FQAN))==0) { xacml_attribute_t * fqans= xacml_attribute_clone(attr); pep_log_debug("%s: clone subject[%d].attribute[%d].id= %s",AUTHZINTEROP_TO_GRIDWN_ADAPTER_ID, i,j,attr_id); if (fqans!=NULL) { pep_log_debug("%s: set cloned attribute id= %s",AUTHZINTEROP_TO_GRIDWN_ADAPTER_ID,XACML_GRIDWN_ATTRIBUTE_FQAN_PRIMARY); xacml_attribute_setid(fqans,XACML_GRIDWN_ATTRIBUTE_FQAN_PRIMARY); pep_log_debug("%s: set cloned attribute datatype= %s",AUTHZINTEROP_TO_GRIDWN_ADAPTER_ID,XACML_GRIDWN_DATATYPE_FQAN); xacml_attribute_setdatatype(fqans,XACML_GRIDWN_DATATYPE_FQAN); if (xacml_subject_addattribute(subject,fqans) != PEP_XACML_OK) { pep_log_error("%s: failed to add new attribute{%s} to subject[%d]",AUTHZINTEROP_TO_GRIDWN_ADAPTER_ID,XACML_GRIDWN_ATTRIBUTE_FQAN_PRIMARY,i); xacml_attribute_delete(fqans); } } else { pep_log_warn("%s: failed to clone subject[%d].attribute[%d]",AUTHZINTEROP_TO_GRIDWN_ADAPTER_ID, i,j); } } } } /* check environment for Grid WN AuthZ Profile ID, if not present add it */ environment= xacml_request_getenvironment(*request); /* create environment if not already existing */ if (environment==NULL) { environment= xacml_environment_create(); if (environment!=NULL) { xacml_request_setenvironment(*request,environment); } else { pep_log_warn("%s: failed to create XACML Environment",AUTHZINTEROP_TO_GRIDWN_ADAPTER_ID); } } environment_attrs_l= xacml_environment_attributes_length(environment); profile_id_present= 0; for (i= 0; i<environment_attrs_l; i++) { xacml_attribute_t * attr= xacml_environment_getattribute(environment,i); const char * attr_id= xacml_attribute_getid(attr); if (strncmp(XACML_GRIDWN_ATTRIBUTE_PROFILE_ID,attr_id,strlen(XACML_GRIDWN_ATTRIBUTE_PROFILE_ID))==0) { pep_log_debug("%s: found environment.attribute[%d].id= %s",AUTHZINTEROP_TO_GRIDWN_ADAPTER_ID,i,attr_id); profile_id_present= 1; } } /* profile id is not present, then add it */ if (!profile_id_present && environment) { /* create env attribute */ xacml_attribute_t * env_attr= xacml_attribute_create(XACML_GRIDWN_ATTRIBUTE_PROFILE_ID); if (env_attr!=NULL) { xacml_attribute_setdatatype(env_attr,XACML_DATATYPE_ANYURI); xacml_attribute_addvalue(env_attr,XACML_GRIDWN_PROFILE_VERSION); xacml_environment_addattribute(environment,env_attr); } else { pep_log_warn("%s: failed to create XACML Environment/Attribute{%s}",AUTHZINTEROP_TO_GRIDWN_ADAPTER_ID,XACML_GRIDWN_ATTRIBUTE_PROFILE_ID); } } return 0; }
/* * MAIN * * usage: ./test-pep <URL> */ int main(int argc, char **argv) { PEP * pep; pep_error_t pep_rc; char * url= "http://localhost:8080/PEPd/authz?random"; if (argc == 2) { url= argv[1]; info("%s: using endpoint URL: %s",argv[0], url); } info("initialize PEP..."); pep= pep_initialize(); if (pep == NULL) { error("test_pep: pep_initialize() failed"); return -1; } info("set LOG options..."); pep_setoption(pep,PEP_OPTION_LOG_STDERR,stderr); pep_setoption(pep,PEP_OPTION_LOG_LEVEL,PEP_LOGLEVEL_DEBUG); // DEBUG, INFO, WARN and ERROR pep_setoption(pep,PEP_OPTION_LOG_HANDLER,log_handler_pep); // will override stderr log handler info("create PIP"); pep_pip_t * pip= pip_create("PIPRequestDumper",pip_init,pip_process,pip_destroy); if (pip == NULL) { error("test_pep: pip_create(...) failed"); pep_destroy(pep); return -1; } info("install PIP: %s",pip->id); pep_rc= pep_addpip(pep,pip); if (pep_rc != PEP_OK) { error("test_pep: pep_addpip() failed: %s",pep_strerror(pep_rc)); pep_destroy(pep); return -1; } info("install PIP: %s",authzinterop2gridwn_adapter_pip->id); pep_rc= pep_addpip(pip,authzinterop2gridwn_adapter_pip); if (pep_rc != PEP_OK) { error("test_pep: pep_addpip() failed: %s",pep_strerror(pep_rc)); pep_destroy(pep); return -1; } info("install PIP: %s",pip->id); pep_rc= pep_addpip(pep,pip); if (pep_rc != PEP_OK) { error("test_pep: pep_addpip() failed: %s",pep_strerror(pep_rc)); pep_destroy(pep); return -1; } info("create OH and add to PEP..."); pep_obligationhandler_t * oh= oh_create("OHResponseDumper",oh_init,oh_process,oh_destroy); if (oh == NULL) { error("test_pep: oh_create(...) failed"); pep_destroy(pep); return -1; } pep_rc= pep_addobligationhandler(pep,oh); if (pep_rc != PEP_OK) { error("test_pep: pep_addobligationhandler() failed: %s",pep_strerror(pep_rc)); pep_destroy(pep); return -1; } // create a XACML request info("create XACML request..."); xacml_request_t * request= xacml_request_create(); assert(request); info("add XACML subject(cert-chain)..."); xacml_subject_t * subject= xacml_subject_create(); assert(subject); xacml_attribute_t * certchain= xacml_attribute_create(XACML_AUTHZINTEROP_SUBJECT_CERTCHAIN); assert(certchain); xacml_attribute_addvalue(certchain,"PEM_ENCODE_PROXY_CERTCHAIN..."); xacml_attribute_setdatatype(certchain,XACML_DATATYPE_BASE64BINARY); xacml_subject_addattribute(subject,certchain); xacml_request_addsubject(request,subject); info("add XACML resource(resource-id)..."); xacml_resource_t * resource= xacml_resource_create(); assert(resource); xacml_attribute_t * resource_id= xacml_attribute_create(XACML_RESOURCE_ID); assert(resource_id); xacml_attribute_addvalue(resource_id,"http://authz-interop.org/xacml/resource/resource-type/wn"); xacml_resource_addattribute(resource,resource_id); xacml_request_addresource(request,resource); info("set XACML action(action-id)..."); xacml_action_t * action= xacml_action_create(); assert(action); xacml_attribute_t * action_id= xacml_attribute_create(XACML_ACTION_ID); assert(action_id); xacml_attribute_addvalue(action_id,"http://authz-interop.org/xacml/action/action-type/execute-now"); xacml_action_addattribute(action,action_id); xacml_request_setaction(request,action); info("set XACML environment(path)..."); xacml_environment_t * environment= xacml_environment_create(); assert(environment); xacml_attribute_t * path= xacml_attribute_create("x-urn:authz:env:path"); assert(path); xacml_attribute_addvalue(path,"/usr/bin"); xacml_attribute_addvalue(path,"/opt/glite/bin"); xacml_attribute_addvalue(path,"/home/johndoe/bin"); xacml_environment_addattribute(environment,path); xacml_request_setenvironment(request,environment); // add many PEPd endpoints for failover testing info("set PEPd endpoint: %s", url); pep_rc= pep_setoption(PEP_OPTION_ENDPOINT_URL, url); info("set PEPd endpoint: %s", "http://www.google.com"); pep_rc= pep_setoption(PEP_OPTION_ENDPOINT_URL, "http://www.google.com"); info("set PEPd endpoint: %s", "http://localhost:8080/PEPd/authz?s7"); pep_rc= pep_setoption(PEP_OPTION_ENDPOINT_URL, "http://localhost:8080/PEPd/authz?s7"); info("set PEPd endpoint: %s", "http://nasjflkasdjflj.com"); pep_rc= pep_setoption(PEP_OPTION_ENDPOINT_URL, "http://nasjflkasdjflj.com"); info("set PEPd endpoint: %s", "http://localhost:8080/PEPd/authz?s3"); pep_rc= pep_setoption(PEP_OPTION_ENDPOINT_URL, "http://localhost:8080/PEPd/authz?s3"); info("set PEPd endpoint: %s", "http://hestia.switch.ch/PEPd/authz?s8"); pep_rc= pep_setoption(PEP_OPTION_ENDPOINT_URL, "http://hestia.switch.ch/PEPd/authz?s8"); info("set PEPd endpoint: %s", "http://localhost:8080"); // respond OK 200 pep_rc= pep_setoption(PEP_OPTION_ENDPOINT_URL, "http://localhost:8080"); // send authz request and process if (pep_rc != PEP_OK) { error("test_pep: pep_setoption(PEP_OPTION_ENDPOINT_URL,%s) failed: %s",url,pep_strerror(pep_rc)); pep_destroy(); return -1; } info("send XACML request to PEPd"); xacml_response_t * response= NULL; pep_rc= pep_authorize(&request,&response); if (pep_rc != PEP_OK) { error("test_pep: pep_authorize(request,response) failed: %s",pep_strerror(pep_rc)); xacml_request_delete(request); xacml_response_delete(response); pep_destroy(); pip_delete(pip); oh_delete(oh); return -1; } info("delete XACML request and response..."); xacml_request_delete(request); xacml_response_delete(response); info("destroy PEP..."); pep_rc= pep_destroy(); if (pep_rc != PEP_OK) { error("test_pep: pep_destroy() failed: %s",pep_strerror(pep_rc)); pip_delete(pip); oh_delete(oh); return pep_rc; } // WARNING: call these only AFTER pep_destroy()... info("delete PIP and OH structs..."); pip_delete(pip); oh_delete(oh); info("done."); return 0; }