/* Given a username and password, expected to return AUTH_GRANTED if we can validate this user/password combination. */
static authn_status authn_crowd_check_password(request_rec *r, const char *user, const char *password)
{
authnz_crowd_dir_config *config = get_config(r);
if (config == NULL) {
return AUTH_GENERAL_ERROR;
}
apr_array_header_t *basic_auth_xlates = config->basic_auth_xlates;
int i;
for (i = 0; i < basic_auth_xlates->nelts; i++) {
apr_xlate_t *xlate = APR_ARRAY_IDX(basic_auth_xlates, i, apr_xlate_t *);
char xlated_user[XLATE_BUFFER_SIZE] = {};
char xlated_password[XLATE_BUFFER_SIZE] = {};
if (!xlate_string(xlate, user, xlated_user) || !xlate_string(xlate, password, xlated_password)) {
ap_log_rerror(APLOG_MARK, APLOG_CRIT, 0, r, "Failed to translate basic authentication credentials");
} else {
crowd_authenticate_result result = CROWD_AUTHENTICATE_NOT_ATTEMPTED;
if (config->create_sso) {
crowd_cookie_config_t *cookie_config = crowd_get_cookie_config(r, config->crowd_config);
if (cookie_config != NULL && (!cookie_config->secure || is_https(r))) {
const char *token;
result = crowd_create_session(r, config->crowd_config, xlated_user, xlated_password, &token);
if (result == CROWD_AUTHENTICATE_SUCCESS && token != NULL) {
char *domain = "";
if (cookie_config->domain != NULL && cookie_config->domain[0] == '.') {
int domainlen = strlen(cookie_config->domain);
int hostlen = strlen(r->hostname);
if (hostlen > domainlen
&& strcmp(cookie_config->domain, r->hostname + hostlen - domainlen) == 0) {
domain = apr_psprintf(r->pool, ";Domain=%s", cookie_config->domain);
}
}
char *cookie = log_ralloc(r,
apr_psprintf(r->pool, "%s=%s%s%s;Version=1", cookie_config->cookie_name, token, domain,
cookie_config->secure ? ";Secure" : ""));
if (cookie != NULL) {
apr_table_add(r->err_headers_out, "Set-Cookie", cookie);
}
}
}
}
if (result == CROWD_AUTHENTICATE_NOT_ATTEMPTED) {
result = crowd_authenticate(r, config->crowd_config, xlated_user, xlated_password);
}
switch (result) {
case CROWD_AUTHENTICATE_SUCCESS:
ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, "Authenticated '%s'.", xlated_user);
return AUTH_GRANTED;
case CROWD_AUTHENTICATE_FAILURE:
break;
default:
ap_log_rerror(APLOG_MARK, APLOG_CRIT, 0, r, "Crowd authentication failed due to system exception");
}
}
}
return AUTH_DENIED;
}
static int open_socket(struct connection *conn, char *host)
{
char *port, *p;
if (proxy)
return connect_socket(conn, proxy, proxy_port);
p = strchr(host, ':');
if (p) {
/* port specified */
*p++ = '\0';
port = p;
} else
port = is_https(conn->url) ? "443" : "80";
return connect_socket(conn, host, port);
}
HttpRet is_http_conn_allowed(const char *url,
const char *proxy_addr, int proxy_port,
const char *proxy_login, const char *proxy_passwd,
NETLIB_BOOLEAN ssl, int timeout)
{
char url_buf[1024];
char auth_buf[1024];
char proxy_buf[1024];
CURL *mcurl;
int ret;
long http_resp_code;
mcurl = curl_easy_init();
curl_easy_setopt(mcurl, CURLOPT_VERBOSE, 1);
curl_easy_setopt(mcurl, CURLOPT_WRITEFUNCTION, _curlsilentwritecbk);
curl_easy_setopt(mcurl, CURLOPT_DEBUGFUNCTION, _curloutputcbk);
if (ssl)
{
snprintf(url_buf, sizeof(url_buf), "https://%s", url);
curl_easy_setopt(mcurl, CURLOPT_SSLVERSION, CURL_SSLVERSION_SSLv3);
curl_easy_setopt(mcurl, CURLOPT_SSL_VERIFYPEER, 0);
curl_easy_setopt(mcurl, CURLOPT_SSL_VERIFYHOST, 0);
#ifdef OS_WIN32
curl_easy_setopt(mcurl, CURLOPT_RANDOM_FILE, getRandomFileName() ); //VOXOX - JRT - 2009.09.30 - Improve OpenSSL initialization time.
#endif
}
else
{
snprintf(url_buf, sizeof(url_buf), "http://%s", url);
}
curl_easy_setopt(mcurl, CURLOPT_URL, url_buf);
if (timeout > 0) {
curl_easy_setopt(mcurl, CURLOPT_TIMEOUT, timeout);
}
/* FOLLOW REDIRECTION */
curl_easy_setopt(mcurl, CURLOPT_FOLLOWLOCATION, 1);
curl_easy_setopt(mcurl, CURLOPT_UNRESTRICTED_AUTH, 1);
/* ****************** */
if (proxy_addr && *proxy_addr != 0) {
if (proxy_login && *proxy_login != 0) {
if (!_LocalProxy.proxy_auth_type)
_get_proxy_auth_type2(url, proxy_addr, proxy_port, timeout);
snprintf(auth_buf, sizeof(auth_buf), "%s:%s", proxy_login, proxy_passwd);
curl_easy_setopt(mcurl, CURLOPT_PROXYUSERPWD, auth_buf);
if ((_LocalProxy.proxy_auth_type & CURLAUTH_BASIC) == CURLAUTH_BASIC) {
curl_easy_setopt(mcurl, CURLOPT_PROXYAUTH, CURLAUTH_BASIC);
}
else if ((_LocalProxy.proxy_auth_type & CURLAUTH_DIGEST) == CURLAUTH_DIGEST) {
curl_easy_setopt(mcurl, CURLOPT_PROXYAUTH, CURLAUTH_DIGEST);
}
else if ((_LocalProxy.proxy_auth_type & CURLAUTH_NTLM) == CURLAUTH_NTLM) {
curl_easy_setopt(mcurl, CURLOPT_PROXYAUTH, CURLAUTH_NTLM);
}
}
snprintf(proxy_buf, sizeof(proxy_buf), "%s:%d", proxy_addr, proxy_port);
curl_easy_setopt(mcurl, CURLOPT_PROXY, proxy_buf);
}
else {
if (proxy_login && *proxy_login != 0) {
if (!_LocalProxy.auth_type) {
_get_auth_type(url, timeout);
}
snprintf(auth_buf, sizeof(auth_buf), "%s:%s", proxy_login, proxy_passwd);
curl_easy_setopt(mcurl, CURLOPT_USERPWD, auth_buf);
if ((_LocalProxy.proxy_auth_type & CURLAUTH_BASIC) == CURLAUTH_BASIC) {
curl_easy_setopt(mcurl, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
}
else if ((_LocalProxy.proxy_auth_type & CURLAUTH_DIGEST) == CURLAUTH_DIGEST) {
curl_easy_setopt(mcurl, CURLOPT_HTTPAUTH, CURLAUTH_DIGEST);
}
else if ((_LocalProxy.proxy_auth_type & CURLAUTH_NTLM) == CURLAUTH_NTLM) {
curl_easy_setopt(mcurl, CURLOPT_HTTPAUTH, CURLAUTH_NTLM);
}
}
}
ret = curl_easy_perform(mcurl);
curl_easy_getinfo(mcurl, CURLINFO_RESPONSE_CODE, &http_resp_code);
if (!_LocalProxy.proxy_auth_type) {
curl_easy_getinfo(mcurl, CURLINFO_PROXYAUTH_AVAIL, &(_LocalProxy.proxy_auth_type));
}
HttpRet http_ret;
/* If this is a redirection */
if ((http_resp_code / 100) == 3) {
NETLIB_BOOLEAN is_ssl;
char *redir_tmp = 0;
char *redir_url = 0;
char *tmp;
curl_easy_getinfo(mcurl, CURLINFO_EFFECTIVE_URL, &redir_tmp);
if (redir_tmp) {
redir_url = strdup(redir_tmp);
curl_easy_cleanup(mcurl);
if ((is_ssl = is_https(redir_url)) == NETLIB_TRUE) {
tmp = redir_url + 8;
}
else {
tmp = redir_url + 7;
}
if (is_url_proxyless_exception(tmp)) {
http_ret = is_http_conn_allowed(tmp, NULL, 0, proxy_login, proxy_passwd, is_ssl, timeout);
}
else {
http_ret = is_http_conn_allowed(tmp, proxy_addr, proxy_port, proxy_login, proxy_passwd, is_ssl, timeout);
}
free(redir_url);
}
else {
curl_easy_cleanup(mcurl);
http_ret = HTTP_NOK;
}
return http_ret;
}
if (http_resp_code == 200) {
http_ret = HTTP_OK;
}
else if (http_resp_code != 404 && http_resp_code != 200 && http_resp_code != 0) {
http_ret = HTTP_AUTH;
}
else {
http_ret = HTTP_NOK;
}
curl_easy_cleanup(mcurl);
return http_ret;
}
void handle_request(worker_type_t wtype) {
const char *param, *p_method, *p_uri;
char *argp;
unsigned int plen;
int cluster_readonly = 0, s2sreq = 0;
if(sx_hashfs_cluster_get_mode(hashfs, &cluster_readonly)) {
CRIT("Failed to get cluster operating mode");
quit_errmsg(500, "Internal error: failed to check cluster operating mode");
}
if(sx_hashfs_distcheck(hashfs) < 0) {
CRIT("Failed to reload distribution");
quit_errmsg(503, "Internal error: failed to load distribution");
}
if(sx_hashfs_is_orphan(hashfs))
quit_errmsg(410, "This node is no longer a cluster member");
msg_new_id();
verb = VERB_UNSUP;
p_method = FCGX_GetParam("REQUEST_METHOD", envp);
if(p_method) {
plen = strlen(p_method);
switch(plen) {
case 3:
if(!memcmp(p_method, "GET", 4))
verb = VERB_GET;
else if(!memcmp(p_method, "PUT", 4))
verb = VERB_PUT;
break;
case 4:
if(!memcmp(p_method, "HEAD", 5))
verb = VERB_HEAD;
else if(!memcmp(p_method, "POST", 5))
verb = VERB_POST;
break;
case 6:
if(!memcmp(p_method, "DELETE", 7))
verb = VERB_DELETE;
break;
case 7:
if(!memcmp(p_method, "OPTIONS", 8)) {
CGI_PUTS("Allow: GET,HEAD,OPTIONS,PUT,DELETE\r\nContent-Length: 0\r\n\r\n");
return;
}
break;
}
}
if(verb == VERB_UNSUP)
quit_errmsg(405, "Method Not Allowed");
if(content_len()<0 || (verb != VERB_PUT && content_len()))
quit_errmsg(400, "Invalid Content-Length: must be positive and method must be PUT");
p_uri = param = FCGX_GetParam("REQUEST_URI", envp);
if(!p_uri)
quit_errmsg(400, "No URI provided");
plen = strlen(p_uri);
if(*p_uri != '/')
quit_errmsg(400, "URI must start with /");
if(plen > sizeof(reqbuf) - 1)
quit_errmsg(414, "URL too long: request line must be <8k");
do {
param++;
plen--;
} while(*param == '/');
if(!strncmp(param, ".s2s/", lenof(".s2s/"))) {
param += lenof(".s2s/");
plen -= lenof(".s2s/");
while(*param == '/') {
param++;
plen--;
}
s2sreq = 1;
}
if(wtype == WORKER_S2S && !s2sreq)
WARN("Misconfiguration detected. Please make sure your restricted-socket config option is properly set.");
/* FIXME: we could detect the opposite kind of mismatch
* at the cost of extra complications in the wtype definition
* I prefer to privilege simplicity at this point */
memcpy(reqbuf, param, plen+1);
argp = memchr(reqbuf, '?', plen);
nargs = 0;
if(argp) {
unsigned int argslen = plen - (argp - reqbuf);
plen = argp - reqbuf;
do {
*argp = '\0';
argp++;
argslen--;
} while(*argp == '?');
if(!argslen)
argp = NULL;
else {
do {
char *nextarg;
if(nargs >= MAX_ARGS)
quit_errmsg(414, "Too many parameters");
nextarg = memchr(argp, '&', argslen);
if(nextarg) {
do {
*nextarg = '\0';
nextarg++;
} while(*nextarg == '&');
}
if(*argp) {
if(!(args[nargs] = inplace_urldecode(argp, 0, 0, NULL, 1)))
quit_errmsg(400, "Invalid URL encoding");
if(sxi_utf8_validate_len(args[nargs]) < 0)
quit_errmsg(400, "Parameters with invalid utf-8 encoding");
nargs++;
}
argslen -= nextarg - argp;
argp = nextarg;
} while (argp);
}
}
while(plen && reqbuf[plen-1] == '/') {
plen--;
reqbuf[plen] = '\0';
}
path = memchr(reqbuf, '/', plen);
if(path) {
do {
*path = '\0';
path ++;
} while(*path == '/');
if(!*path)
path = NULL;
}
volume = *reqbuf ? reqbuf : NULL;
int forbidden = 0;
if((volume && !inplace_urldecode(volume, '/', 0, &forbidden, 0)) || (path && !inplace_urldecode(path, '/', '/', &forbidden, 0))) {
if (forbidden)
quit_errmsg(400, "Volume or path with forbidden %2f or %00");
else
quit_errmsg(400, "Invalid URL encoding");
}
int vlen = volume ? sxi_utf8_validate_len(volume) : 0;
int flen = path ? strlen(path) : 0;
if (vlen < 0 || flen < 0)
quit_errmsg(400, "URL with invalid utf-8 encoding");
if (is_reserved()) {
/* No UTF8/url-encoding used on reserved volumes, allow higher limit.
* Otherwise we hit the 1024 limit with batch requests already */
if (path && strlen(path) > SXLIMIT_MAX_FILENAME_LEN * 3) {
msg_set_reason("Path too long: filename must be <%d bytes (%ld)",
SXLIMIT_MAX_FILENAME_LEN*3+ 1, strlen(path));
quit_errmsg(414, msg_get_reason());
}
} else {
if (flen > SXLIMIT_MAX_FILENAME_LEN) {
msg_set_reason("Path too long: filename must be <%d bytes (%d)",
SXLIMIT_MAX_FILENAME_LEN + 1, flen);
quit_errmsg(414, msg_get_reason());
}
}
if (volume && strlen(volume) > SXLIMIT_MAX_VOLNAME_LEN) {
msg_set_reason("Volume name too long: must be <= %d bytes", SXLIMIT_MAX_VOLNAME_LEN);
quit_errmsg(414, msg_get_reason());
}
body_ctx = sxi_md_init();
if (!body_ctx || !sxi_sha1_init(body_ctx))
quit_errmsg(500, "Failed to initialize crypto engine");
hmac_ctx = sxi_hmac_sha1_init();
if (!hmac_ctx)
quit_errmsg(503, "Cannot initialize crypto library");
authed = AUTH_NOTAUTH;
role = PRIV_NONE;
/* Begin auth check */
uint8_t buf[AUTHTOK_BIN_LEN], key[AUTH_KEY_LEN];
unsigned int blen = sizeof(buf);
time_t reqdate, now;
param = FCGX_GetParam("HTTP_AUTHORIZATION", envp);
if(!param || strlen(param) != lenof("SKY ") + AUTHTOK_ASCII_LEN || strncmp(param, "SKY ", 4)) {
if(volume) {
send_authreq();
return;
}
quit_home();
}
if(sxi_b64_dec_core(param+4, buf, &blen) || blen != sizeof(buf)) {
send_authreq();
return;
}
memcpy(user, buf, sizeof(user));
memcpy(rhmac, buf+20, sizeof(rhmac));
if(sx_hashfs_get_user_info(hashfs, user, &uid, key, &role, NULL, &user_quota) != OK) /* no such user */ {
DEBUG("No such user: %s", param+4);
send_authreq();
return;
}
DEBUG("Request from uid %lld", (long long)uid);
if(cluster_readonly && (verb == VERB_PUT || verb == VERB_DELETE) && !has_priv(PRIV_CLUSTER) && !has_priv(PRIV_ADMIN))
quit_errmsg(503, "Cluster is in read-only mode");
if(s2sreq && !has_priv(PRIV_CLUSTER)) {
send_authreq();
return;
}
if(!sxi_hmac_sha1_init_ex(hmac_ctx, key, sizeof(key))) {
WARN("hmac_init failed");
quit_errmsg(500, "Failed to initialize crypto engine");
}
if(!sxi_hmac_sha1_update_str(hmac_ctx, p_method))
quit_errmsg(500, "Crypto error authenticating the request");
if(!sxi_hmac_sha1_update_str(hmac_ctx, p_uri+1))
quit_errmsg(500, "Crypto error authenticating the request");
param = FCGX_GetParam("HTTP_DATE", envp);
if(!param)
quit_errmsg(400, "Missing Date: header");
if(httpdate_to_time_t(param, &reqdate))
quit_errmsg(400, "Date header in wrong format");
now = time(NULL);
if(reqdate < now - MAX_CLOCK_DRIFT * 60 || reqdate > now + MAX_CLOCK_DRIFT * 60) {
CGI_PUTS("WWW-Authenticate: SKY realm=\"SXCLOCK\"\r\n");
quit_errmsg(401, "Client clock drifted more than "STRIFY(MAX_CLOCK_DRIFT)" minutes");
}
if(!sxi_hmac_sha1_update_str(hmac_ctx, param))
quit_errmsg(500, "Crypto error authenticating the request");
if(!content_len()) {
/* If no body is present, complete authentication now */
uint8_t chmac[20];
unsigned int chmac_len = 20;
if(!sxi_hmac_sha1_update_str(hmac_ctx, "da39a3ee5e6b4b0d3255bfef95601890afd80709"))
quit_errmsg(500, "Crypto error authenticating the request");
if(!sxi_hmac_sha1_final(hmac_ctx, chmac, &chmac_len))
quit_errmsg(500, "Crypto error authenticating the request");
if(!hmac_compare(chmac, rhmac, sizeof(rhmac))) {
authed = AUTH_OK;
} else {
/* WARN("auth mismatch"); */
send_authreq();
return;
}
} else /* Otherwise set it as pending */
authed = AUTH_BODYCHECK;
if(has_priv(PRIV_CLUSTER) && sx_hashfs_uses_secure_proto(hashfs) != is_https() &&
!sx_storage_is_bare(hashfs)) {
/* programmed nodes: must obey cluster SSL mode
* unprogrammed nodes: can use SSL instead of non-SSL,
* it is the cluster's responsibility to initiate programming via SSL,
* as the unprogrammed node would accept both *
* */
WARN("hashfs use-ssl: %d, https: %d, is_bare: %d",
sx_hashfs_uses_secure_proto(hashfs), is_https(),
sx_storage_is_bare(hashfs));
quit_errmsg(403, sx_hashfs_uses_secure_proto(hashfs) ? "Cluster operations require SECURE mode" : "Cluster operations require INSECURE mode");
}
if(!volume)
cluster_ops();
else if(!path)
volume_ops();
else
file_ops();
if(authed == AUTH_BODYCHECKING)
DEBUG("Bad request signature");
sxi_hmac_sha1_cleanup(&hmac_ctx);
sxi_md_cleanup(&body_ctx);
}
static int check_for_cookie(void *rec, const char *key, const char *value) {
if (strcasecmp("Cookie", key) == 0) {
check_for_cookie_data_t *data = rec;
if (data->cookie_name == NULL) {
crowd_cookie_config_t *cookie_config = crowd_get_cookie_config(data->r, data->config->crowd_config);
if (cookie_config == NULL || cookie_config->cookie_name == NULL || (cookie_config->secure && !is_https(data->r))) {
return 0;
}
data->cookie_name = log_ralloc(data->r, apr_pstrcat(data->r->pool, cookie_config->cookie_name, "=", NULL));
if (data->cookie_name == NULL) {
return 0;
}
data->cookie_name_len = strlen(data->cookie_name);
}
char *cookies = log_ralloc(data->r, apr_pstrdup(data->r->pool, value));
if (cookies == NULL) {
return 0;
}
apr_collapse_spaces(cookies, cookies);
char *last;
char *cookie = apr_strtok(cookies, ";,", &last);
while (cookie != NULL) {
if (strncasecmp(cookie, data->cookie_name, data->cookie_name_len) == 0) {
data->token = log_ralloc(data->r, apr_pstrdup(data->r->pool, cookie + data->cookie_name_len));
return 0;
}
cookie = apr_strtok(NULL, ";,", &last);
}
}
return 1;
}
void handle_request(void) {
const char *param;
char *argp;
unsigned int plen;
msg_new_id();
verb = VERB_UNSUP;
param = FCGX_GetParam("REQUEST_METHOD", envp);
if(param) {
plen = strlen(param);
switch(plen) {
case 3:
if(!memcmp(param, "GET", 4))
verb = VERB_GET;
else if(!memcmp(param, "PUT", 4))
verb = VERB_PUT;
break;
case 4:
if(!memcmp(param, "HEAD", 5))
verb = VERB_HEAD;
else if(!memcmp(param, "POST", 5))
verb = VERB_POST;
break;
case 6:
if(!memcmp(param, "DELETE", 7))
verb = VERB_DELETE;
break;
case 7:
if(!memcmp(param, "OPTIONS", 8)) {
CGI_PUTS("Allow: GET,HEAD,OPTIONS,PUT,DELETE\r\nContent-Length: 0\r\n\r\n");
return;
}
break;
}
}
if(verb == VERB_UNSUP)
quit_errmsg(405, "Method Not Allowed");
if(content_len()<0 || (verb != VERB_PUT && content_len()))
quit_errmsg(400, "Invalid Content-Length: must be positive and method must be PUT");
param = FCGX_GetParam("REQUEST_URI", envp);
if(!param)
quit_errmsg(400, "No URI provided");
plen = strlen(param);
if(*param != '/')
quit_errmsg(400, "URI must start with /");
if(plen > sizeof(reqbuf) - 1)
quit_errmsg(414, "URL too long: request line must be <8k");
do {
param++;
plen--;
} while(*param == '/');
memcpy(reqbuf, param, plen+1);
argp = memchr(reqbuf, '?', plen);
nargs = 0;
if(argp) {
unsigned int argslen = plen - (argp - reqbuf);
plen = argp - reqbuf;
do {
*argp = '\0';
argp++;
argslen--;
} while(*argp == '?');
if(!argslen)
argp = NULL;
else {
do {
char *nextarg;
if(nargs >= MAX_ARGS)
quit_errmsg(414, "Too many parameters");
nextarg = memchr(argp, '&', argslen);
if(nextarg) {
do {
*nextarg = '\0';
nextarg++;
} while(*nextarg == '&');
}
if(*argp) {
if(!(args[nargs] = inplace_urldecode(argp, 0, 0, NULL)))
quit_errmsg(400, "Invalid URL encoding");
if(utf8_validate_len(args[nargs]) < 0)
quit_errmsg(400, "Parameters with invalid utf-8 encoding");
nargs++;
}
argslen -= nextarg - argp;
argp = nextarg;
} while (argp);
}
}
while(plen && reqbuf[plen-1] == '/') {
plen--;
reqbuf[plen] = '\0';
}
path = memchr(reqbuf, '/', plen);
if(path) {
do {
*path = '\0';
path ++;
} while(*path == '/');
if(!*path)
path = NULL;
}
volume = *reqbuf ? reqbuf : NULL;
int forbidden = 0;
if((volume && !inplace_urldecode(volume, '/', 0, &forbidden)) || (path && !inplace_urldecode(path, '/', '/', &forbidden))) {
if (forbidden)
quit_errmsg(400, "Volume or path with forbidden %2f or %00");
else
quit_errmsg(400, "Invalid URL encoding");
}
int vlen = volume ? utf8_validate_len(volume) : 0;
int flen = path ? utf8_validate_len(path) : 0;
if (vlen < 0 || flen < 0)
quit_errmsg(400, "URL with invalid utf-8 encoding");
if (is_reserved()) {
/* No UTF8 used on reserved volumes, allow higher limit.
* Otherwise we hit the 512 limit with batch requests already */
if (path && strlen(path) > SXLIMIT_MAX_FILENAME_LEN * 12) {
msg_set_reason("Path too long: filename must be <%d characters (%ld)",
SXLIMIT_MAX_FILENAME_LEN*12+ 1, strlen(path));
quit_errmsg(414, msg_get_reason());
}
} else {
if (flen > SXLIMIT_MAX_FILENAME_LEN) {
msg_set_reason("Path too long: filename must be <%d UTF8 characters (%d)",
SXLIMIT_MAX_FILENAME_LEN + 1, flen);
quit_errmsg(414, msg_get_reason());
}
}
if (volume && strlen(volume) > SXLIMIT_MAX_VOLNAME_LEN) {
msg_set_reason("Volume name too long: must be <= %d bytes", SXLIMIT_MAX_VOLNAME_LEN);
quit_errmsg(414, msg_get_reason());
}
if(!EVP_DigestInit(&body_ctx, EVP_sha1()))
quit_errmsg(500, "Failed to initialize crypto engine");
HMAC_CTX_init(&hmac_ctx);
authed = AUTH_NOTAUTH;
role = PRIV_NONE;
auth_begin();
if(has_priv(PRIV_CLUSTER) && sx_hashfs_uses_secure_proto(hashfs) != is_https() &&
!sx_storage_is_bare(hashfs)) {
/* programmed nodes: must obey cluster SSL mode
* unprogrammed nodes: can use SSL instead of non-SSL,
* it is the cluster's responsibility to initiate programming via SSL,
* as the unprogrammed node would accept both *
* */
WARN("hashfs use-ssl: %d, https: %d, is_bare: %d",
sx_hashfs_uses_secure_proto(hashfs), is_https(),
sx_storage_is_bare(hashfs));
quit_errmsg(403, sx_hashfs_uses_secure_proto(hashfs) ? "Cluster operations require SECURE mode" : "Cluster operations require INSECURE mode");
}
int dc = sx_hashfs_distcheck(hashfs);
if(dc < 0) {
CRIT("Failed to reload distribution");
/* MODHDIST: should die here */
}
if(!volume)
cluster_ops();
else if(!path)
volume_ops();
else
file_ops();
if(authed == AUTH_BODYCHECKING)
WARN("FIXME: Security fail");
HMAC_CTX_cleanup(&hmac_ctx);
EVP_MD_CTX_cleanup(&body_ctx);
}
glite_delegation_ctx *glite_delegation_new(const char *endpoint)
{
int ret;
glite_delegation_ctx *ctx;
ctx = calloc(sizeof(*ctx), 1);
if(!ctx)
return NULL;
if( (! is_http(endpoint)) && (! is_https(endpoint)) && (! is_httpg(endpoint)) )
{
char *error;
char *sd_type = getenv(GLITE_DELEGATION_SD_ENV);
if(!sd_type)
sd_type = GLITE_DELEGATION_SD_TYPE;
ctx->endpoint = glite_discover_endpoint(sd_type, endpoint, &error);
if (!ctx->endpoint)
{
glite_delegation_set_error(ctx, "glite_delegation: service discovery error %s", error);
free(error);
return ctx;
}
}
else
{
ctx->endpoint = strdup(endpoint);
if (!ctx->endpoint)
{
glite_delegation_set_error(ctx, "glite_delegation: out of memory");
return ctx;
}
}
ctx->soap = soap_new();
/* Register the CGSI plugin if secure communication is requested */
if (is_https(ctx->endpoint))
ret = soap_cgsi_init(ctx->soap,
CGSI_OPT_DISABLE_NAME_CHECK |
CGSI_OPT_SSL_COMPATIBLE);
else if (is_httpg(ctx->endpoint))
ret = soap_cgsi_init(ctx->soap,
CGSI_OPT_DISABLE_NAME_CHECK);
else
ret = 0;
if (ret)
{
glite_delegation_set_error(ctx, "Failed to initialize the GSI plugin");
return ctx;
}
/* Namespace setup should happen after CGSI plugin initialization */
if ( soap_set_namespaces(ctx->soap, delegation_namespaces) )
{
_fault_to_error(ctx, "Setting SOAP namespaces");
return ctx;
}
return ctx;
}
