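/******************************************************************************
Function:   plugin_confirm_authorization
Description:
    Ask for authorization by passing RSL and user credential.
    The user is authorized unless the DN taken from the credential matches
    an entry in the banned-user file (userban_db); the RSL is not consulted.
Parameters:
    request:   RSL request (not used by this module)
    user_cred: user credential
Returns:
    LCAS_MOD_SUCCESS: authorization succeeded (no entry found for the DN)
    LCAS_MOD_FAIL   : authorization failed (DN empty, or entry found)
    LCAS_MOD_NOFILE : db file not found
******************************************************************************/
int
plugin_confirm_authorization(lcas_request_t request, lcas_cred_id_t lcas_cred)
{
    int                           rc = LCAS_MOD_FAIL;  /* value handed back to the caller */
    int                           match_flags;
    char *                        dummy = NULL;        /* filled in by lcas_gridlist(); released below */
    char *                        user_dn = NULL;

    (void)request;  /* the ban list is keyed on the DN only */

    /*
     * check credential and get the globus name
     */
    user_dn = lcas_get_dn(lcas_cred);
    if (user_dn == NULL)
    {
        /* message named the wrong function before; keep it consistent with the others */
        lcas_log(0, "\t%s-plugin_confirm_authorization() error: user DN empty\n", modname);
        rc = LCAS_MOD_FAIL;
        goto cleanup;
    }

    /* Do the check */
    lcas_log_debug(0,"\t%s-plugin_confirm_authorization(): checking banned users in %s\n",
             modname,userban_db);

    /*
     * The new default is to perform the wildcard matching, based upon fnmatch
     * You'll need to explicitly disable it in the initialization parameters
     */
    match_flags = disableWildCardMatching ? MATCH_ONLY_DN
                                          : (MATCH_WILD_CHARS|MATCH_ONLY_DN);
    rc = lcas_gridlist(user_dn, &dummy, userban_db, match_flags, NULL, NULL);

    if (rc == LCAS_MOD_ENTRY)
    {
        /* Entry found for user_dn, so the user is banned */
        lcas_log_debug(0,"\t%s-plugin_confirm_authorization(): entry found for %s\n",
                 modname,user_dn);
        rc = LCAS_MOD_FAIL;
    }
    else if (rc == LCAS_MOD_NOFILE)
    {
        /* file not found: reported as its own status so the caller can distinguish it */
        lcas_log(0,
            "\t%s-plugin_confirm_authorization() error: Cannot find banned user file: %s\n",
            modname,userban_db);
    }
    else
    {
        /*
         * No entry found for user_dn -> authorized.
         * NOTE(review): every lcas_gridlist() result other than LCAS_MOD_ENTRY
         * and LCAS_MOD_NOFILE lands here, i.e. is treated as "not banned".
         * Confirm that lcas_gridlist() has no error return distinct from
         * "no entry"; if it does, that return should fail closed instead.
         */
        rc = LCAS_MOD_SUCCESS;
    }

 cleanup:
    free(dummy);  /* free(NULL) is a no-op, so no guard is needed */
    return rc;
}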
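/*
 * plugin_confirm_authorization -- LCAS plugin entry point that evaluates the
 * L&B (edg_wll) server access policy for the calling user.
 *
 * Parameters:
 *     request:   the LCAS request; mapped to an authz_action by
 *                find_authz_action()
 *     lcas_cred: the user's LCAS credential; its DN becomes the principal
 *                name, and, when a GSS credential is present, the VOMS
 *                FQANs are extracted from it as well
 * Returns:
 *     LCAS_MOD_SUCCESS when check_authz_policy() returns 1 for the principal,
 *     LCAS_MOD_FAIL otherwise (context or VOMS init failure, unsupported
 *     action, empty DN, or policy denial).
 */
int
plugin_confirm_authorization(lcas_request_t request, lcas_cred_id_t lcas_cred)
{
    char *user_dn = NULL;
    int ret = LCAS_MOD_FAIL;              /* fail closed until the policy says otherwise */
    edg_wll_Context ctx = NULL;           /* stays NULL if edg_wll_InitContext() fails */
    struct _edg_wll_GssPrincipal_data princ;
    void *cred = NULL;
    struct vomsdata *voms_info = NULL;
    int err = 0;
    authz_action action;

    memset(&princ, 0, sizeof(princ));

    lcas_log_debug(1,"\t%s-plugin: checking LB access policy\n",
                   modname);

    if (edg_wll_InitContext(&ctx) != 0) {
        lcas_log(0, "Couldn't create L&B context\n");
        ret = LCAS_MOD_FAIL;
        goto end;
    }

    if ((action = find_authz_action(request)) == ACTION_UNDEF) {
        lcas_log(0, "lcas.mod-lb() error: unsupported action\n");
        ret = LCAS_MOD_FAIL;
        goto end;
    }

    user_dn = lcas_get_dn(lcas_cred);
    if (user_dn == NULL) {
        lcas_log(0, "lcas.mod-lb() error: user DN empty\n");
        ret = LCAS_MOD_FAIL;
        goto end;
    }
    princ.name = user_dn;

    /*
     * A missing GSS credential is deliberately not fatal: the policy is then
     * evaluated on the DN alone, without any VOMS FQANs.
     */
    cred = lcas_get_gss_cred(lcas_cred);
    if (cred == NULL) {
        lcas_log(0, "lcas.mod-lb() warning: user gss credential empty\n");
    }

#ifndef NO_GLOBUS_GSSAPI
    if (cred) {
        int voms_rc;

        voms_info = VOMS_Init(NULL, NULL);
        if (voms_info == NULL) {
            lcas_log(0, "lcas.mod-lb() failed to initialize VOMS\n");
            ret = LCAS_MOD_FAIL;
            goto end;
        }

        /* Only a successful retrieval (1) contributes FQANs; any other
         * result leaves princ.fqans empty and the policy check proceeds. */
        voms_rc = VOMS_RetrieveFromCred(cred, RECURSE_CHAIN, voms_info, &err);
        if (voms_rc == 1)
            edg_wll_get_fqans(ctx, voms_info, &princ.fqans);
    }
#endif

    ret = check_authz_policy(edg_wll_get_server_policy(), &princ, action);
    ret = (ret == 1) ? LCAS_MOD_SUCCESS : LCAS_MOD_FAIL;

end:
    /* ctx is only valid after a successful edg_wll_InitContext() */
    if (ctx)
        edg_wll_FreeContext(ctx);
#ifndef NO_GLOBUS_GSSAPI
    if (voms_info)
        VOMS_Destroy(voms_info);
#endif
    /* NOTE(review): princ.fqans is filled by edg_wll_get_fqans() but never
     * released here -- confirm whether the library or this caller owns it. */

    return ret;
}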