/******************************************************************************
Function: plugin_introspect
Description:
return list of required arguments
Parameters:
Returns:
LCMAPS_MOD_SUCCESS : succes
LCMAPS_MOD_FAIL : failure
******************************************************************************/
int plugin_introspect(
int * argc,
lcmaps_argument_t ** argv
)
{
const char * logstr = "lcmaps_plugin_voms_poolgroup-plugin_introspect()";
static lcmaps_argument_t argList[] = {
{"user_dn" , "char *" , 0 , NULL},
{"fqan_list" , "char **" , 0 , NULL},
{"nfqan" , "int" , 0 , NULL},
{"requested_pgid_list" , "gid_t *" , 0 , NULL},
{"requested_npgid" , "int" , 0 , NULL},
{"requested_sgid_list" , "gid_t *" , 0 , NULL},
{"requested_nsgid" , "int" , 0 , NULL},
{NULL , NULL , -1 , NULL}
};
lcmaps_log_debug(5,"%s: introspecting\n", logstr);
*argv = argList;
*argc = lcmaps_cntArgs(argList);
lcmaps_log_debug(5,"%s: address first argument: 0x%x\n", logstr, argList);
return LCMAPS_MOD_SUCCESS;
}
/******************************************************************************
Function: plugin_introspect
Description:
return list of required arguments
Parameters:
Returns:
LCMAPS_MOD_SUCCESS : succes
LCMAPS_MOD_FAIL : failure
******************************************************************************/
int plugin_introspect(
int * argc,
lcmaps_argument_t ** argv
)
{
const char * logstr = "lcmaps_plugin_voms_localaccount-plugin_introspect()";
static lcmaps_argument_t argList[] = {
{"user_dn" , "char *" , 0, NULL},
{"fqan_list" , "char **" , 0, NULL},
{"nfqan" , "int" , 0, NULL},
{NULL , NULL , -1, NULL},
{NULL , NULL , -1, NULL}
};
/* Get the version of LCMAPS being used: we need at least 1.5.8 to be able
* to demand "requested_username" in the argList */
int major=0,minor=0,patch=0;
/* Most UNIX now support RTLD_DEFAULT (POSIX reserved) */
#ifdef RTLD_DEFAULT
int (*lcmaps_major)(void),(*lcmaps_minor)(void),(*lcmaps_patch)(void);
dlerror();
lcmaps_major=dlsym(RTLD_DEFAULT,"lcmaps_get_major_version");
lcmaps_minor=dlsym(RTLD_DEFAULT,"lcmaps_get_minor_version");
lcmaps_patch=dlsym(RTLD_DEFAULT,"lcmaps_get_patch_version");
if (dlerror()==NULL) {
major=lcmaps_major();
minor=lcmaps_minor();
patch=lcmaps_patch();
}
#else
/* No RTLD_DEFAULT, just hope the symbol exists in LCMAPS */
major=lcmaps_get_major_version();
minor=lcmaps_get_minor_version();
patch=lcmaps_get_patch_version();
#endif
/* Too old when older than 1.5.8 */
if (major<1 || (major==1 && (minor<5 || (minor==5 && patch<8)))) {
lcmaps_log_debug(4,
"%s: Old LCMAPS found (%d.%d.%d), not using requested_username\n",
logstr,major,minor,patch);
} else {
lcmaps_log_debug(4,
"%s LCMAPS (%d.%d.%d) supports using requested_username\n",
logstr,major,minor,patch);
argList[3].argName="requested_username";
argList[3].argType="char *";
argList[3].argInOut=1;
argList[3].value=NULL;
}
lcmaps_log_debug(4,"%s: introspecting\n", logstr);
*argv = argList;
*argc = lcmaps_cntArgs(argList);
lcmaps_log_debug(5,"%s: address first argument: 0x%x\n", logstr, argList);
return LCMAPS_MOD_SUCCESS;
}
/******************************************************************************
Function: plugin_run
Description:
Launch a process tracking daemon for LCMAPS.
Basic boilerplate for a LCMAPS plugin.
Parameters:
argc: number of arguments
argv: list of arguments
Returns:
LCMAPS_MOD_SUCCESS: authorization succeeded
LCMAPS_MOD_FAIL : authorization failed
******************************************************************************/
int plugin_run(int argc, lcmaps_argument_t *argv)
{
uid_t uid;
char * username;
char **dn_array, *dn;
char time_string[TIME_BUFFER_SIZE];
time_t curtime;
size_t len;
// Update the user name.
get_user_ids(&uid, NULL, &username);
size_t username_len = strlen(username);
char * quoted_username = (char *)malloc(username_len + 2 + 1);
if (quoted_username == NULL) {
lcmaps_log(0, "%s: Malloc failed for quoted username.\n", logstr);
goto condor_update_failure;
}
snprintf(quoted_username, username_len + 3, "\"%s\"", username);
update_starter(CLASSAD_GLEXEC_USER, quoted_username);
// Update the DN.
lcmaps_log_debug(2, "%s: Acquiring information from LCMAPS framework\n", logstr);
dn_array = (char **)lcmaps_getArgValue("user_dn", "char *",argc, argv);
if ((dn_array == NULL) || ((dn = *dn_array) == NULL)) {
lcmaps_log(0, "%s: value of user_dn is empty. No user DN found by the framework in the proxy chain.\n", logstr);
goto condor_update_failure;
} else {
lcmaps_log_debug(5, "%s: user_dn = %s\n", logstr, dn);
}
size_t dn_len = strlen(dn);
char * quoted_dn = (char *)malloc(dn_len + 2 + 1);
if (quoted_dn == NULL) {
lcmaps_log(0, "%s: Malloc failed for quoted DN.\n", logstr);
goto condor_update_failure;
}
snprintf(quoted_dn, dn_len + 3, "\"%s\"", dn);
update_starter(CLASSAD_GLEXEC_DN, quoted_dn);
// Update the invocation time.
lcmaps_log_debug(2, "%s: Logging time of invocation\n", logstr);
curtime = time(NULL);
if ((len = snprintf(time_string, TIME_BUFFER_SIZE, "%ld", curtime)) >= TIME_BUFFER_SIZE) {
lcmaps_log(0, "%s: Unexpected failure in converting time to string.\n", logstr);
goto condor_update_failure;
}
update_starter(CLASSAD_GLEXEC_TIME, time_string);
return LCMAPS_MOD_SUCCESS;
condor_update_failure:
lcmaps_log_time(0, "%s: monitor process launch failed\n", logstr);
return LCMAPS_MOD_FAIL;
}
int get_user_ids(uid_t *uid, gid_t *gid, char ** username) {
int count = 0;
uid_t internal_uid;
struct passwd *user_info;
if (!uid)
uid = &internal_uid;
uid_t *uid_array;
lcmaps_log_debug(2, "%s: Acquiring the UID from LCMAPS\n", logstr);
uid_array = (uid_t *)getCredentialData(UID, &count);
if (count != 1) {
lcmaps_log(0, "%s: No UID set yet; must map to a UID before running the process tracking module.\n", logstr);
return 1;
}
*uid = uid_array[0];
if ((user_info = getpwuid(*uid)) == NULL) {
lcmaps_log(0, "%s: Fatal error: unable to find corresponding username for UID %d.\n", logstr, uid);
return 1;
}
if (username)
*username = user_info->pw_name;
if (!gid)
return 0;
gid_t *gid_array = (gid_t *)getCredentialData(PRI_GID, &count);
if (count <= 0) {
*gid = user_info->pw_gid;
} else {
*gid = gid_array[0];
}
return 0;
}
/******************************************************************************
Function: plugin_terminate
Description:
Terminate plugin
Parameters:
Returns:
LCMAPS_MOD_SUCCESS : succes
LCMAPS_MOD_FAIL : failure
******************************************************************************/
int plugin_terminate(void)
{
const char * logstr = "lcmaps_plugin_tracking_groupid-plugin_introspect()";
lcmaps_log_debug(5,"%s: terminating\n", logstr);
return LCMAPS_MOD_SUCCESS;
}
/******************************************************************************
Function: plugin_introspect
Description:
return list of required arguments
Parameters:
Returns:
LCMAPS_MOD_SUCCESS : success
******************************************************************************/
int plugin_introspect(int *argc, lcmaps_argument_t **argv)
{
char *logstr = "\tlcmaps_plugins_condor_update-plugin_introspect()";
static lcmaps_argument_t argList[] = {
{ "user_dn" , "char *" , 1, NULL},
{NULL , NULL , -1, NULL}
};
lcmaps_log_debug(2, "%s: introspecting\n", logstr);
*argv = argList;
*argc = lcmaps_cntArgs(argList);
lcmaps_log_debug(2, "%s: address first argument: 0x%x\n", logstr, argList);
lcmaps_log_debug(2, "%s: Introspect succeeded\n", logstr);
return LCMAPS_MOD_SUCCESS;
}
/******************************************************************************
Function: plugin_introspect
Description:
return list of required arguments
Parameters:
Returns:
LCMAPS_MOD_SUCCESS : succes
LCMAPS_MOD_FAIL : failure
******************************************************************************/
int plugin_introspect(
int * argc,
lcmaps_argument_t ** argv
)
{
const char * logstr = "lcmaps_plugin_posix_enf-plugin_introspect()";
static lcmaps_argument_t argList[] = {
{NULL , NULL , -1, NULL}
};
lcmaps_log_debug(5,"%s: introspecting\n", logstr);
*argv = argList;
*argc = lcmaps_cntArgs(argList);
lcmaps_log_debug(5,"%s: address first argument: 0x%x\n", logstr, argList);
return LCMAPS_MOD_SUCCESS;
}
/******************************************************************************
Function: plugin_terminate
Description:
Terminate plugin
Parameters:
Returns:
LCMAPS_MOD_SUCCESS : succes
LCMAPS_MOD_FAIL : failure
******************************************************************************/
int plugin_terminate(void)
{
const char * logstr = "lcmaps_plugin_voms_localaccount-plugin_terminate()";
lcmaps_log_debug(4,"%s: terminating\n", logstr);
if (gridmapfile) free(gridmapfile);
return LCMAPS_MOD_SUCCESS;
}
/******************************************************************************
Function: plugin_terminate
Description:
Terminate plugin
Parameters:
Returns:
LCMAPS_MOD_SUCCESS : succes
LCMAPS_MOD_FAIL : failure
******************************************************************************/
int plugin_terminate(void)
{
const char * logstr = "lcmaps_plugin_voms_poolgroup-plugin_terminate()";
lcmaps_log_debug(5,"%s: terminating\n", logstr);
if (groupmapfile) free(groupmapfile);
if (groupmapdir) free(groupmapdir);
return LCMAPS_MOD_SUCCESS;
}
/*!
\fn lcmaps_setRunVars(
const char *argName,
const char *argType,
void *value
)
\brief fill the runvars_list with a value for argName and argType
This function fills the (internal) runvars_list with the value for the variable with
name argName and type argType.
Internally lcmaps_setArgValue() is used.
\param argName name of the runvars variable
\param argType type of the runvars variable
\param value void pointer to the value
\retval 0 succes.
\retval -1 failure.
\internal
*/
int lcmaps_setRunVars(
const char *argName,
const char *argType,
void *value
)
{
lcmaps_argument_t *pargument=NULL;
#ifdef LCMAPS_DEBUG
const char * logstr = "lcmaps.mod-lcmaps_setRunVars()";
#endif
/* store address of 1st element of runvars_list in pargument,
* the address of which can be passed on to lcmaps_setArgValue
* (the address of runvars_list does not exist, since its only a symbol, not a value)
*/
pargument=runvars_list;
#ifdef LCMAPS_DEBUG
lcmaps_log_debug(3,"%s: Address of first element of runvars_list: 0x%x\n", logstr, runvars_list);
lcmaps_log_debug(3,"%s: Address of address of first element of runvars_list: 0x%x\n", logstr, &pargument);
#endif
return lcmaps_setArgValue(argName, argType, value, NUMBER_OF_RUNVARS, &pargument);
}
static int plugin_run_or_verify(
int argc,
lcmaps_argument_t * argv,
int lcmaps_mode
)
{
const char * logstr = "lcmaps_plugin_tracking_groupid-plugin_plugin_run_or_verify()";
int i = 0;
int n_sec_groups_list = 0;
gid_t * sec_groups_list = NULL;
if (lcmaps_mode == PLUGIN_RUN)
logstr = "lcmaps_plugin_tracking_groupid-plugin_run()";
else if (lcmaps_mode == PLUGIN_VERIFY)
logstr = "lcmaps_plugin_tracking_groupid-plugin_verify()";
else
{
lcmaps_log(LOG_ERR, "lcmaps_plugin_tracking_groupid-plugin_run_or_verify(): attempt to run plugin in invalid mode: %d\n", lcmaps_mode);
goto fail_tracking_groupid;
}
lcmaps_log_debug(5, "%s: starting run\n", __func__);
/* Get the Secondary Group IDs of the process */
if (tracking_groupid_get_gidlist(&n_sec_groups_list, &sec_groups_list))
goto fail_tracking_groupid;
for (i = 0; i < n_sec_groups_list; i++) {
/* Is the Secondary GID in the Tracking Group ID range */
if ((sec_groups_list[i] >= set_groupid_min) &&
(sec_groups_list[i] <= set_groupid_max)) {
/* Adding Tracking Group ID */
addCredentialData(SEC_GID, &(sec_groups_list[i]));
}
}
/* succes */
if (sec_groups_list) free(sec_groups_list);
lcmaps_log(LOG_INFO,"%s: tracking groupid plugin succeeded\n", logstr);
return LCMAPS_MOD_SUCCESS;
fail_tracking_groupid:
if (sec_groups_list) free(sec_groups_list);
lcmaps_log(LOG_INFO,"%s: tracking groupid plugin failed\n", logstr);
return LCMAPS_MOD_FAIL;
}
/******************************************************************************
Function: plugin_initialize
Description:
Initialize plugin
Parameters:
argc, argv
argv[0]: the name of the plugin
Returns:
LCMAPS_MOD_SUCCESS : succes
LCMAPS_MOD_FAIL : failure
LCMAPS_MOD_NOFILE : db file not found (will halt LCMAPS initialization)
******************************************************************************/
int plugin_initialize(
int argc,
char ** argv
)
{
const char * logstr = "lcmaps_plugin_voms_localaccount-plugin_initialize()";
int i;
struct stat s;
lcmaps_log_debug(5,"%s: passed arguments:\n", logstr);
for (i=0; i < argc; i++)
{
lcmaps_log_debug(5,"%s: arg %d is %s\n", logstr, i, argv[i]);
}
/*
* the first will be the thing to edit/select (gridmap(file))
* the second will be the path && filename of the gridmapfile
*/
/*
* Parse arguments, argv[0] = name of plugin, so start with i = 1
*/
for (i = 1; i < argc; i++)
{
if ( ((strcmp(argv[i], "-gridmap") == 0) ||
(strcmp(argv[i], "-GRIDMAP") == 0) ||
(strcmp(argv[i], "-gridmapfile") == 0) ||
(strcmp(argv[i], "-GRIDMAPFILE") == 0))
&& (i + 1 < argc))
{
if ((argv[i + 1] != NULL) && (strlen(argv[i + 1]) > 0))
{
/* check if the setting exists */
if (stat (argv[i + 1], &s) < 0)
{
lcmaps_log(LOG_ERR, "%s: Error: grid-mapfile not accessible at \"%s\"\n", logstr, argv[i + 1]);
return LCMAPS_MOD_FAIL;
}
gridmapfile = strdup(argv[i + 1]);
}
i++;
}
else if (strcmp(argv[i], "--do-not-add-primary-gid-from-mapped-account") == 0)
{
do_not_map_primary_gid = 1;
}
else if (strcmp(argv[i], "--add-primary-gid-from-mapped-account") == 0)
{
add_primary_gid_from_mapped_account = 1;
}
else if (strcmp(argv[i], "--add-primary-gid-as-secondary-gid-from-mapped-account") == 0)
{
add_primary_gid_as_secondary_gid_from_mapped_account = 1;
}
else if (strcmp(argv[i], "--add-secondary-gids-from-mapped-account") == 0)
{
add_secondary_gids_from_mapped_account = 1;
}
else if ((strcmp(argv[i], "--use-voms-gid") == 0) ||
(strcmp(argv[i], "--use_voms_gid") == 0) ||
(strcmp(argv[i], "-use_voms_gid") == 0))
{
use_voms_gid = 1;
}
else
{
lcmaps_log(LOG_ERR,"%s: Error in initialization parameter: %s (failure)\n", logstr, argv[i]);
return LCMAPS_MOD_FAIL;
}
}
/* Post mortum check */
if (do_not_map_primary_gid && add_primary_gid_from_mapped_account)
{
lcmaps_log(LOG_ERR,"%s: Error: can't set both --do-not-add-primary-gid-from-mapped-account and --add-primary-gid-from-mapped-account\n", logstr);
return LCMAPS_MOD_FAIL;
}
if (use_voms_gid && do_not_map_primary_gid)
{
lcmaps_log(LOG_ERR,"%s: Error: can't set both --use-voms-gid and --do-not-add-primary-gid-from-mapped-account\n", logstr);
return LCMAPS_MOD_FAIL;
}
if (use_voms_gid && add_primary_gid_from_mapped_account)
{
lcmaps_log(LOG_ERR,"%s: Error: can't set both --use-voms-gid and --add-primary-gid-from-mapped-account\n", logstr);
return LCMAPS_MOD_FAIL;
}
if (use_voms_gid && add_secondary_gids_from_mapped_account)
{
lcmaps_log(LOG_ERR,"%s: Error: can't set both --use-voms-gid and --add-secondary-gids-from-mapped-account\n", logstr);
return LCMAPS_MOD_FAIL;
}
return LCMAPS_MOD_SUCCESS;
}
static int plugin_run_or_verify(
int argc,
lcmaps_argument_t * argv,
int lcmaps_mode
)
{
const char * logstr = "lcmaps_plugin_voms_poolgroup-plugin_run()";
char * groupname = NULL;
struct group * group_info = NULL;
int i = 0;
unsigned short matching_type = ((unsigned short)0x0000);
int group_counter = 0;
int rc = 0;
lcmaps_vo_mapping_t * lcmaps_vo_mapping = NULL;
char ** fqan_list = NULL;
int nfqan = -1;
int requested_npgid = 0;
gid_t * requested_pgid_list = NULL;
int requested_nsgid = 0;
gid_t * requested_sgid_list = NULL;
void * value = NULL;
/*
* The beginning
*/
if (lcmaps_mode == PLUGIN_RUN)
logstr = "lcmaps_plugin_voms_poolgroup-plugin_run()";
else if (lcmaps_mode == PLUGIN_VERIFY)
logstr = "lcmaps_plugin_voms_poolgroup-plugin_verify()";
else
{
lcmaps_log(LOG_ERR, "lcmaps_plugin_voms_poolgroup-plugin_run_or_verify(): attempt to run plugin in invalid mode: %d\n", lcmaps_mode);
goto fail_voms_poolgroup;
}
lcmaps_log_debug(5,"%s:\n", logstr);
/*
* Try to fetch the list of groups the invocator of LCMAPS wants to be
* verified. (only in PLUGIN_VERIFY mode).
*/
if (lcmaps_mode == PLUGIN_VERIFY)
{
if ( (value = lcmaps_getArgValue("requested_npgid", "int", argc, argv)) != NULL )
{
requested_npgid = *(int *) value;
lcmaps_log_debug(1,"%s: the list of pgids should contain %d elements\n", logstr, requested_npgid);
if ( ( value = lcmaps_getArgValue("requested_pgid_list", "gid_t *", argc, argv) ) != NULL ) {
requested_pgid_list = *(gid_t **) value;
lcmaps_log_debug(1, "%s: found list of pgids\n", logstr);
}
else
{
lcmaps_log_debug(1, "%s: could not retrieve list of pgids (failure)!\n", logstr);
goto fail_voms_poolgroup;
}
for (i = 0; i < requested_npgid; i++)
{
lcmaps_log_debug(3, "%s: pgid[%d]: %d\n", logstr, i, (int)(requested_pgid_list[i]));
}
}
if ( (value = lcmaps_getArgValue("requested_nsgid", "int", argc, argv)) != NULL )
{
requested_nsgid = *(int *) value;
lcmaps_log_debug(1,"%s: the list of sgids should contain %d elements\n", logstr, requested_nsgid);
if ( ( value = lcmaps_getArgValue("requested_sgid_list", "gid_t *", argc, argv) ) != NULL ) {
requested_sgid_list = *(gid_t **) value;
lcmaps_log_debug(1, "%s: found list of sgids\n", logstr);
}
else
{
lcmaps_log_debug(1, "%s: could not retrieve list of sgids (failure)!\n", logstr);
goto fail_voms_poolgroup;
}
for (i = 0; i < requested_nsgid; i++)
{
lcmaps_log_debug(3, "%s: sgid[%d]: %d\n", logstr, i, (int)(requested_sgid_list[i]));
}
}
}
/*
* Get the VO user information.
* We can either order it by lcmaps_argument_t or use the getCredentialData() function.
* The latter case requires the voms parsing plugin (lcmaps_voms.mod) to have run beforehand.
* Unfortunately the formats of the VOMS strings (from getCredentialData()) and
* FQANs (from lcmaps_argument_t) are not the same. We may have to introduce
* two-way conversion functions.
* The VOMS info has to matched against the info in the gridmapfile
*/
lcmaps_log_debug(5,"%s: First try to get the FQAN list from input credential repository ...\n", logstr);
if ( ( value = lcmaps_getArgValue("nfqan", "int", argc, argv) ) != NULL )
{
nfqan = *(int *) value;
if (nfqan < 1) {
lcmaps_log(LOG_ERR,"%s: no (valid) VOMS groups found --> no mapping\n", logstr);
goto fail_voms_poolgroup;
}
lcmaps_log_debug(5,"%s: the list of FQANs should contain %d elements\n", logstr, nfqan);
if ( ( value = lcmaps_getArgValue("fqan_list", "char **", argc, argv) ) != NULL ) {
fqan_list = *(char ***) value;
lcmaps_log_debug(5, "%s: found list of FQANs\n", logstr);
}
else
{
lcmaps_log(LOG_NOTICE, "%s: could not retrieve list of FQANs (failure)!\n", logstr);
goto fail_voms_poolgroup;
}
for (i = 0; i < nfqan; i++)
{
lcmaps_log_debug(3, "%s: FQAN %d: %s\n", logstr, i, fqan_list[i]);
}
}
else
{
lcmaps_log_debug(1,"%s: ... did not find input credentials in input credential repository ... trying the internal credential repository ...\n", logstr);
fqan_list = getCredentialData(LCMAPS_VO_CRED_STRING, &nfqan);
}
if (nfqan == 0)
{
lcmaps_log(LOG_ERR,"%s: no VOMS group info --> no mapping (failure)\n", logstr);
goto fail_voms_poolgroup;
}
else if (nfqan < 0)
{
lcmaps_log(LOG_ERR,"%s: negative number of VOMS groups found ! (failure)\n", logstr);
goto fail_voms_poolgroup;
}
/*
* Check the groupmapfile
*/
if ((groupmapfile != NULL) && (strlen(groupmapfile) > 0))
lcmaps_log_debug(1,"%s: groupmapfile is: %s\n", logstr, groupmapfile);
else
{
lcmaps_log(LOG_ERR,"%s: error finding the groupmapfile: %s. (use the option \"-groupmapfile <groupmapfile>\"\n", logstr, groupmapfile);
goto fail_voms_poolgroup;
}
/*
* Check groupmapdir
*/
if (groupmapdir == NULL) /* try if GROUPMAPDIR is already set */
{
char * tmpptr=NULL;
if ((tmpptr = getenv("GROUPMAPDIR")) == NULL)
{
lcmaps_log(LOG_ERR,"%s: GROUPMAPDIR unknown! Specify as option or set GROUPMAPDIR\n", logstr);
goto fail_voms_poolgroup;
}
else
{
groupmapdir = strdup(tmpptr);
}
}
if (strlen(groupmapdir) == 0)
{
lcmaps_log(LOG_ERR,"%s: cannot set MAPDIR (strlen(groupmapdir) == 0)\n", logstr);
goto fail_voms_poolgroup;
}
lcmaps_log_debug(1,"%s: setting MAPDIR to %s\n", logstr, groupmapdir);
if (setenv("MAPDIR", groupmapdir, 1))
{
lcmaps_log(LOG_ERR,"%s: cannot set MAPDIR\n", logstr);
goto fail_voms_poolgroup;
}
/*
* Try to find the unix groups from the VO info in the groupmapfile
* The first group (if found) should become the primary group
*/
matching_type = MATCH_INCLUDE|MATCH_WILD_CHARS;
/* if override_consistency is set add this to the matchin_type so it will take effect */
if (override_inconsistency)
matching_type = matching_type|OVERRIDE_INCONSISTANCY;
/* if strict_poolprefix_match is set add this to the matchin_type so it will take effect */
if (strict_poolprefix_match)
matching_type = matching_type|MATCH_STRICT_PREFIX_NUM;
/* Do not create new leases in verification mode */
if (lcmaps_mode == PLUGIN_VERIFY)
matching_type = matching_type|ONLY_USE_EXISTING_LEASE;
for (i = 0; i < nfqan; i++)
{
/* clean groupname before each call to lcmaps_gridlist */
if (groupname) free(groupname);
groupname = NULL;
if ( (rc = lcmaps_gridlist(fqan_list[i], &groupname, groupmapfile, matching_type, ".", NULL)) == 0)
{
lcmaps_log_debug(4,"%s: found groupname: %s\n", logstr, groupname);
group_counter++;
if (groupname && (strlen(groupname) > 0))
{
if ( ( group_info = getgrnam(groupname) ) )
{
/* When map_to_secondary_groups is true, all results will be stored as secondary Unix group IDs */
if ((i == 0) && (!map_to_secondary_groups))
{
/* First VO group */
addCredentialData(PRI_GID, (void *) &(group_info->gr_gid));
}
else
{
/* Other VO groups */
addCredentialData(SEC_GID, (void *) &(group_info->gr_gid));
}
/*
* The coupling between VO information and the GID is maintained
* in the lcmaps_vo_mapping structure, which is added to the credential data
*/
lcmaps_vo_mapping=lcmaps_createVoMapping(
fqan_list[i],
groupname,
group_info->gr_gid
);
if (! lcmaps_vo_mapping)
{
lcmaps_log(LOG_ERR,"%s: could not create VoMapping structure (failure)\n", logstr);
goto fail_voms_poolgroup;
}
/* lcmaps_printVoMapping(2, lcmaps_vo_mapping); */
/* Add credential */
addCredentialData(LCMAPS_VO_CRED_MAPPING, (void *) lcmaps_vo_mapping);
if ( lcmaps_deleteVoMapping(&lcmaps_vo_mapping) )
{
lcmaps_log(LOG_ERR,"%s: error while deleting VoMapping structure (failure)\n", logstr);
goto fail_voms_poolgroup;
}
}
else
{
lcmaps_log(LOG_ERR,"%s: no group id found in /etc/group (or equivalent, e.g. LDAP) for groupname = \"%s\"\n", logstr, groupname);
goto fail_voms_poolgroup;
}
}
else
{
lcmaps_log(LOG_ERR,"%s: error getting value of groupname (failure)!\n", logstr);
goto fail_voms_poolgroup;
}
}
else if (rc == LCMAPS_MOD_NOFILE)
{
lcmaps_log(LOG_ERR, "%s: Could not find the groupmapfile %s\n", logstr, groupmapfile);
goto fail_voms_poolgroup;
}
else
{
lcmaps_log_debug(1,"%s: could not get value of groupname !\n", logstr);
if (mapall)
{
lcmaps_log(LOG_NOTICE,"%s: no mapping for VO group %s\n", logstr, fqan_list[i]);
goto fail_voms_poolgroup;
}
}
}
if (group_counter < mapmin)
{
lcmaps_log(LOG_ERR,"%s: Not enough groups found. The minimum is set to %d. The plugin found %d\n", logstr, mapmin, group_counter);
goto fail_voms_poolgroup;
}
/* success */
/* success_voms_poolgroup:*/
if (groupname) free(groupname);
lcmaps_log(LOG_INFO,"%s: voms_poolgroup plugin succeeded\n", logstr);
return LCMAPS_MOD_SUCCESS;
fail_voms_poolgroup:
if (groupname) free(groupname);
lcmaps_log(LOG_INFO,"%s: voms_poolgroup plugin failed\n", logstr);
return LCMAPS_MOD_FAIL;
}
/******************************************************************************
Function: plugin_initialize
Description:
Initialize plugin
Parameters:
argc, argv
argv[0]: the name of the plugin
Returns:
LCMAPS_MOD_SUCCESS : succes
LCMAPS_MOD_FAIL : failure
LCMAPS_MOD_NOFILE : db file not found (will halt LCMAPS initialization)
******************************************************************************/
int plugin_initialize(
int argc,
char ** argv
)
{
const char * logstr = "lcmaps_plugin_voms_poolgroup-plugin_initialize()";
int i;
size_t j;
struct stat s;
lcmaps_log_debug(5,"%s: passed arguments:\n", logstr);
for (i=0; i < argc; i++)
{
lcmaps_log_debug(5,"%s: arg %d is %s\n", logstr, i, argv[i]);
}
/*
* the first will be the thing to edit/select (groupmap(file))
*/
/*
* Parse arguments, argv[0] = name of plugin, so start with i = 1
*/
for (i = 1; i < argc; i++)
{
if ( ((strcmp(argv[i], "-groupmap") == 0) ||
(strcmp(argv[i], "-GROUPMAP") == 0) ||
(strcmp(argv[i], "-groupmapfile") == 0) ||
(strcmp(argv[i], "-GROUPMAPFILE") == 0))
&& (i + 1 < argc))
{
if ((argv[i + 1] != NULL) && (strlen(argv[i + 1]) > 0))
{
/* check if the setting exists */
if (stat (argv[i + 1], &s) < 0)
{
lcmaps_log(LOG_ERR, "%s: Error: groupmapfile not accessible at \"%s\"\n", logstr, argv[i + 1]);
return LCMAPS_MOD_FAIL;
}
groupmapfile = strdup(argv[i + 1]);
}
i++;
}
else if ( ((strcmp(argv[i], "-groupmapdir") == 0) ||
(strcmp(argv[i], "-GROUPMAPDIR") == 0))
&& (i + 1 < argc))
{
if ((argv[i + 1] != NULL) && (strlen(argv[i + 1]) > 0))
{
/* check if the setting exists */
if (stat (argv[i + 1], &s) < 0)
{
lcmaps_log(LOG_ERR, "%s: Error: groupmapdir not accessible at \"%s\"\n", logstr, argv[i + 1]);
return LCMAPS_MOD_FAIL;
}
groupmapdir = strdup(argv[i + 1]);
}
i++;
}
else if (strcmp(argv[i], "--map-to-secondary-groups") == 0)
{
map_to_secondary_groups = 1;
}
else if (strcmp(argv[i], "-mapall") == 0)
{
mapall = 1;
}
else if ( (strcmp(argv[i], "-override_inconsistency") == 0) ||
(strcmp(argv[i], "-OVERRIDE_INCONSISTENCY") == 0))
{
override_inconsistency = 1;
}
else if ((strcmp(argv[i], "-mapmin") == 0)
&& (i + 1 < argc))
{
if ((argv[i + 1] != NULL) && (strlen(argv[i + 1]) > 0))
{
/* check parameter integrety */
for (j = 0; j < (strlen(argv[i + 1])); j++)
{
if (isdigit((argv[i + 1])[j]) == 0)
{
lcmaps_log(LOG_ERR,"%s: Error in initialization parameter: %s (%s is not a number)\n", logstr, argv[i], argv[i + 1]);
return LCMAPS_MOD_FAIL;
}
}
mapmin = atoi(argv[i + 1]);
}
i++;
}
else if ( (strcmp(argv[i], "-strict_poolprefix_match") == 0)
&& (i + 1 < argc) )
{
if ((argv[i + 1] != NULL) && (strlen(argv[i + 1]) > 0))
{
if (strcmp(argv[i+1],"yes") == 0)
{
strict_poolprefix_match = 1;
}
else if (strcmp(argv[i+1],"no") == 0)
{
strict_poolprefix_match = 0;
}
else
{
lcmaps_log(LOG_ERR,"%s: use \"yes\" or \"no\" for option %s\n", logstr, argv[i]);
return LCMAPS_MOD_FAIL;
}
}
else
{
lcmaps_log(LOG_ERR,"%s: no argument found for %s (failure)\n", logstr, argv[i]);
return LCMAPS_MOD_FAIL;
}
i++;
}
else
{
lcmaps_log(LOG_ERR,"%s: Error in initialization parameter: %s (failure)\n", logstr,
argv[i]);
return LCMAPS_MOD_FAIL;
}
}
return LCMAPS_MOD_SUCCESS;
}
/*!
\fn lcmaps_printCredData(int debug_level)
\brief Get pointer to a list of credential data of a certain type
\param debug_level the debug level
\return nothing
*/
void lcmaps_printCredData(int debug_level)
{
int i = 0;
size_t buflen, bufsize = 1500;
char * buffer = NULL;
int rc;
/* 2048 is the max log line for sys log, 1500 is very safe */
if ( (buffer = calloc (sizeof(char), (bufsize + 1))) == NULL) {
lcmaps_log(LOG_ERR, "%s: Out of memory\n", __func__);
return;
}
lcmaps_log_debug(5, "Credential Print:\n");
if (credData.dn != NULL)
{
buflen=strlen(buffer);
rc=snprintf (&buffer[buflen], bufsize - buflen, "DN:\"%s\"%s",
credData.dn,
(credData.cntUid > 0) || (credData.cntPriGid > 0) || (credData.cntSecGid > 0) ? "->" : "");
if (rc<0)
lcmaps_log(LOG_INFO, "LCMAPS: Warning: error printing DN: %s\n",strerror(errno));
else if ((size_t)rc>=bufsize-buflen)
lcmaps_log(LOG_INFO, "LCMAPS: Warning: output truncated for DN.\n");
/* lcmaps_log(debug_level, "dn: %s\n", credData.dn); */
}
for (i = 0; i < credData.cntUid; i++)
{
buflen=strlen(buffer);
rc=snprintf (&buffer[buflen], bufsize - buflen, "mapped uid:\'%d\'", credData.uid[i]);
if (rc<0)
lcmaps_log(LOG_INFO, "LCMAPS: Warning: error printing uid: %s\n",strerror(errno));
else if ((size_t)rc>=bufsize-buflen)
lcmaps_log(LOG_INFO, "LCMAPS: Warning: output truncated for uid.\n");
/* lcmaps_log(debug_level, "uid : %d [%d/%d]\n", credData.uid[i], i+1, credData.cntUid); */
}
for (i = 0; i < credData.cntPriGid; i++)
{
buflen=strlen(buffer);
rc=snprintf (&buffer[buflen], bufsize - buflen, ",pgid:\'%d\'", credData.priGid[i]);
if (rc<0)
lcmaps_log(LOG_INFO, "LCMAPS: Warning: error printing pgid: %s\n",strerror(errno));
else if ((size_t)rc>=bufsize-buflen)
lcmaps_log(LOG_INFO, "LCMAPS: Warning: output truncated for pgid.\n");
/* lcmaps_log(debug_level, "pgid : %d [%d/%d]\n", credData.priGid[i], i+1, credData.cntPriGid); */
}
for (i = 0; i < credData.cntSecGid; i++)
{
buflen=strlen(buffer);
rc=snprintf (&buffer[buflen], bufsize - buflen, ",sgid:\'%d\'", credData.secGid[i]);
if (rc<0)
lcmaps_log(LOG_INFO, "LCMAPS: Warning: error printing sgid: %s\n",strerror(errno));
else if ((size_t)rc>=bufsize-buflen)
lcmaps_log(LOG_INFO, "LCMAPS: Warning: output truncated for sgid.\n");
/* lcmaps_log(debug_level, "sgid : %d [%d/%d]\n", credData.secGid[i], i+1, credData.cntSecGid); */
}
/* Write generic DN to UID, GID and Secondary GID mappings */
if (strlen(buffer) > 0)
lcmaps_log (LOG_NOTICE, "LCMAPS CRED FINAL: %s\n", buffer);
/* Memory liberation */
free(buffer);
buffer = NULL;
/* Trying to one line VOMS info */
for (i = 0; i < credData.cntVoCred; i++)
{
lcmaps_log_debug(debug_level, "LCMAPS CRED FINAL: VO credential : [%d/%d]\n", i+1, credData.cntVoCred);
lcmaps_printVoData(debug_level, &(credData.VoCred[i]));
}
for (i = 0; i < credData.cntVoCredString; i++)
lcmaps_log(LOG_INFO, "LCMAPS CRED FINAL: VO credential string : %s [%d/%d]\n", credData.VoCredString[i], i+1, credData.cntVoCredString);
/* Typically used */
for (i = 0; i < credData.cntVoCredMapping; i++)
{
lcmaps_log_debug(debug_level, "LCMAPS CRED FINAL: VO credential mapping : [%d/%d]\n", i+1, credData.cntVoCredMapping);
/* lcmaps_printVoMapping(debug_level, &(credData.VoCredMapping[i])); */
if (credData.VoCredMapping[i].groupname)
lcmaps_log(LOG_NOTICE,"LCMAPS CRED FINAL: FQAN:\"%s\"->mapped group:%d(%s)\n", credData.VoCredMapping[i].vostring, (int)credData.VoCredMapping[i].gid, credData.VoCredMapping[i].groupname);
else
lcmaps_log(LOG_NOTICE,"LCMAPS CRED FINAL: FQAN:\"%s\"->mapped group:%d\n", credData.VoCredMapping[i].vostring, (int)credData.VoCredMapping[i].gid);
}
/* Bonus */
if (credData.pool_index != NULL)
{
lcmaps_log(LOG_DEBUG,"LCMAPS CRED FINAL: POOL_INDEX:\"%s\"\n", credData.pool_index);
}
}
int main()
{
int argc, i, j, k;
lcmaps_argument_t *args = NULL;
char *init_argv[] = {"posix_enf", "-maxuid", "1",
"-maxpgid", "1",
"-maxsgid", "32"};
if (lcmaps_log_open(NULL,stdout,DO_USRLOG)) return 1;
lcmaps_log_debug(0,"\n");
lcmaps_log(LOG_NOTICE,"Initialization POSIX Enforcement\n");
if (plugin_initialize(7, init_argv) == LCMAPS_MOD_FAIL)
{
lcmaps_log(2, "Error on execution: plugin_initialize\n");
return LCMAPS_MOD_FAIL;
}
lcmaps_log(LOG_NOTICE, "IntroSpect POSIX Enfocement\n");
if (plugin_introspect(&argc, &args) == LCMAPS_MOD_FAIL)
{
lcmaps_log(2, "Error on execution: plugin_introspect\n");
return LCMAPS_MOD_FAIL;
}
/*
* Adding Test Credential Data
*/
i = 505;
addCredentialData(UID, &i);
j = 500;
addCredentialData(PRI_GID, &j);
k = 30;
addCredentialData(SEC_GID, &k);
k = 40;
addCredentialData(SEC_GID, &k);
k = 50;
lcmaps_log(LOG_NOTICE, "Run POSIX Enforcement\n");
if (plugin_run(argc,args) == LCMAPS_MOD_FAIL)
{
lcmaps_log(2, "Error on execution: plugin_run\n");
return LCMAPS_MOD_FAIL;
}
if (cleanCredentialData()!=0)
{
lcmaps_log(0,"lcmaps.mod-stopPluginManager() error: could not clean credential data list\n");
return LCMAPS_MOD_FAIL;
}
lcmaps_log(LOG_NOTICE, "Terminate POSIX Enforcement\n");
if (plugin_terminate() == LCMAPS_MOD_FAIL)
{
lcmaps_log(2, "Error on execution: plugin_terminate\n");
return LCMAPS_MOD_FAIL;
}
return 0;
}
static int plugin_run_or_verify(
int argc,
lcmaps_argument_t * argv,
int lcmaps_mode
)
{
const char * logstr = "lcmaps_plugin_voms_localaccount-plugin_run()";
char * dn = NULL;
int dn_cnt = 0;
char * username = NULL;
struct passwd *user_info = NULL;
int i = 0;
int cnt_sec_gid = 0;
gid_t * sec_gid = NULL;
int found = 0;
unsigned short matching_type = ((unsigned short)0x0000);
int rc = 0;
char ** fqan_list = NULL;
int nfqan = -1;
char * req_username = NULL;
const char * searchstr = NULL;
void * value = NULL;
/*
* The beginning
*/
if (lcmaps_mode == PLUGIN_RUN)
logstr = "lcmaps_plugin_voms_localaccount-plugin_run()";
else if (lcmaps_mode == PLUGIN_VERIFY)
logstr = "lcmaps_plugin_voms_localaccount-plugin_verify()";
else
{
lcmaps_log(LOG_ERR, "lcmaps_plugin_voms_localaccount-plugin_run_or_verify(): attempt to run plugin in invalid mode: %d\n", lcmaps_mode);
goto fail_voms_localaccount;
}
lcmaps_log_debug(5,"%s:\n", logstr);
/*
* Try to get the ordered values:
*/
if ( (value = lcmaps_getArgValue("user_dn", "char *", argc, argv) ) )
{
dn = *(char **)value;
lcmaps_log_debug(5,"%s: found dn: %s\n", logstr, dn);
/* Check if we don't have a DN already registered, if not, add it to the internal registry */
getCredentialData (DN, &dn_cnt);
if (dn_cnt == 0)
{
lcmaps_log_debug (5, "%s: Adding DN: %s\n", logstr, dn);
addCredentialData(DN, &dn);
}
}
else {
dn = NULL;
lcmaps_log_debug(1,"%s: could not get value of dn !\n", logstr);
}
/*
* See if we have a requested req_username: make sure not to get value
* immediately or we'll get a segfault
*/
if ( (value=lcmaps_getArgValue("requested_username", "char *", argc, argv))!=NULL )
req_username=*(char **)value;
else
req_username=NULL;
lcmaps_log_debug(1,"%s: requested username is %s\n", logstr,
req_username ? req_username : "******");
/*
* Check the gridmapfile
*/
if ((gridmapfile != NULL) && (strlen(gridmapfile) > 0))
lcmaps_log_debug(3,"%s: gridmapfile is: %s\n", logstr, gridmapfile);
else
{
if (gridmapfile) free(gridmapfile);
gridmapfile = NULL;
lcmaps_log_debug(1,"%s: No gridmapfile assigned, so function must find out for it self\n", logstr);
}
/*
* Get the VO user information.
* We can either order it by lcmaps_argument_t or use the getCredentialData() function.
* The latter case requires the voms parsing plugin (lcmaps_voms.mod) to have run beforehand.
* Unfortunately the formats of the VOMS strings (from getCredentialData()) and
* FQANs (from lcmaps_argument_t) are not the same. We may have to introduce
* two-way conversion functions.
* The VOMS info has to matched against the info in the gridmapfile
*/
lcmaps_log_debug(5,"%s: First try to get the FQAN list from input credential repository ...\n", logstr);
if ( ( value = lcmaps_getArgValue("nfqan", "int", argc, argv) ) )
{
nfqan = *(int *)value;
if (nfqan < 1) {
lcmaps_log(LOG_ERR,"%s: no (valid) VOMS groups found --> no mapping\n", logstr);
goto fail_voms_localaccount;
}
lcmaps_log_debug(5,"%s: the list of FQANs should contain %d elements\n", logstr, nfqan);
if ( ( value = lcmaps_getArgValue("fqan_list", "char **", argc, argv)) ) {
fqan_list = *(char ***)value;
lcmaps_log_debug(5, "%s: found list of FQANs\n", logstr);
}
else
{
lcmaps_log_debug(1, "%s: could not retrieve list of FQANs!\n", logstr);
goto fail_voms_localaccount;
}
for (i = 0; i < nfqan; i++)
{
lcmaps_log_debug(3, "%s: FQAN %d: %s\n", logstr, i, fqan_list[i]);
}
}
else
{
lcmaps_log_debug(1,"%s: ... did not find input credentials in input credential repository...\n", logstr);
lcmaps_log_debug(1,"%s: ... trying the internal credential repository ...\n", logstr);
fqan_list = getCredentialData(LCMAPS_VO_CRED_STRING, &nfqan);
}
if (nfqan == 0)
{
lcmaps_log(LOG_NOTICE,"%s: no VOMS group info --> no mapping\n", logstr);
goto fail_voms_localaccount;
}
else if (nfqan < 0)
{
lcmaps_log(LOG_ERR,"%s: negative number of VOMS groups found ! (failure)\n", logstr);
goto fail_voms_localaccount;
}
/*
* Try to match the VO strings with the gridmapfile info
* normally the first available VO string should match
*/
found = 0;
if ( req_username ) {
matching_type = MATCH_EXACT|MATCH_WILD_CHARS;
searchstr=req_username;
} else {
matching_type = MATCH_EXCLUDE|MATCH_WILD_CHARS;
searchstr=".";
}
for (i = 0; i < nfqan; i++)
{
/* clean username before each call to lcmaps_gridlist */
if (username) free(username);
username = NULL;
if ( (rc = lcmaps_gridlist(fqan_list[i], &username, gridmapfile, matching_type, searchstr, NULL)) == 0)
{
found = 1;
lcmaps_log_debug(3,"%s: found username: %s\n", logstr, username);
break;
}
else if (rc == LCMAPS_MOD_NOFILE)
{
lcmaps_log(LOG_ERR, "%s: Could not find the gridmapfile %s\n", logstr, gridmapfile);
goto fail_voms_localaccount;
}
else
{
if (req_username)
lcmaps_log_debug(1, "%s: no localaccount available for group (%s) and requested user %s in %s\n", logstr, fqan_list[i], req_username, gridmapfile);
else
lcmaps_log_debug(1, "%s: no localaccount available for group (%s) in %s\n", logstr, fqan_list[i], gridmapfile);
}
}
if (found != 1)
{
/* This should be at most a NOTICE */
lcmaps_log(LOG_NOTICE, "%s: Could not find a VOMS localaccount in %s (failure)\n", logstr, gridmapfile);
goto fail_voms_localaccount;
}
/*
* Get userid to pwd_t structure
*/
if (username && (strlen(username) > 0))
{
if ( ( user_info = getpwnam(username) ) )
{
lcmaps_log_debug(5,"%s: address user_info: %p\n", logstr, user_info);
lcmaps_log_debug(3,"%s: username : %s, char ptr: %p, address char ptr: %p\n", logstr, user_info->pw_name, user_info->pw_name, &(user_info->pw_name));
lcmaps_log_debug(3,"%s: password : %s\n", logstr, user_info->pw_passwd);
lcmaps_log_debug(3,"%s: user_id : %d, address uid: %p\n", logstr, user_info->pw_uid, &(user_info->pw_uid));
lcmaps_log_debug(3,"%s: group_id : %d\n", logstr, user_info->pw_gid);
lcmaps_log_debug(3,"%s: realname : %s\n", logstr, user_info->pw_gecos);
lcmaps_log_debug(3,"%s: home dir : %s\n", logstr, user_info->pw_dir);
lcmaps_log_debug(3,"%s: shellprg : %s\n", logstr, user_info->pw_shell);
/* Add this credential data to the credential data repository in the plugin manager */
addCredentialData(UID, &(user_info->pw_uid));
/* Map primary Unix GID from the account info */
if ((!do_not_map_primary_gid) &&
(add_primary_gid_from_mapped_account))
{
lcmaps_log_debug(4,"%s: adding primary GID (%d) from local account to CredentialData\n", logstr, user_info->pw_gid);
addCredentialData(PRI_GID, &(user_info->pw_gid));
}
/* Add the primary GID from the mapped account as an secondary GID to the result */
if (add_primary_gid_as_secondary_gid_from_mapped_account)
{
lcmaps_log_debug(4,"%s: adding primary GID (%d) from local account as a secondary GID to CredentialData\n", logstr, user_info->pw_gid);
addCredentialData(SEC_GID, &(user_info->pw_gid));
}
/* Add secondary Unix group IDs from the mapped local account */
if (add_secondary_gids_from_mapped_account)
{
/* Retrieve secondary group id's */
if (lcmaps_get_gidlist(username, &cnt_sec_gid, &sec_gid)==0)
{
lcmaps_log_debug(4,"%s: adding secondary GIDs (%d) from local account to CredentialData\n", logstr, user_info->pw_gid);
for (i = 0; i < cnt_sec_gid; i++)
{
addCredentialData(SEC_GID, &(sec_gid[i]));
}
free(sec_gid);
}
}
/* Old and error tolerant setting to set primary and secondary Unix
* IDs from the /etc/{passwd,groups} info */
if (use_voms_gid == 0)
{
lcmaps_log_debug(4,"%s: adding primary GID (%d) from local account to CredentialData\n", logstr, user_info->pw_gid);
addCredentialData(PRI_GID, &(user_info->pw_gid));
/* Retrieve secondary group id's */
if (lcmaps_get_gidlist(username, &cnt_sec_gid, &sec_gid)==0)
{
for (i = 0; i < cnt_sec_gid; i++)
{
addCredentialData(SEC_GID, &(sec_gid[i]));
}
free(sec_gid);
}
}
}
else
{
lcmaps_log(LOG_ERR,"%s: no user account found named \"%s\"\n", logstr, username);
goto fail_voms_localaccount;
}
}
else
{ /* error (msg is already given) */
goto fail_voms_localaccount;
}
/* succes */
/* success_voms_localaccount:*/
if (username) free(username);
lcmaps_log(LOG_INFO,"%s: voms_localaccount plugin succeeded\n", logstr);
return LCMAPS_MOD_SUCCESS;
fail_voms_localaccount:
if (username) free(username);
lcmaps_log(LOG_INFO,"%s: voms_localaccount plugin failed\n", logstr);
return LCMAPS_MOD_FAIL;
}
/*!
\fn lcmaps_extractRunVars(
lcmaps_request_t request,
lcmaps_cred_id_t lcmaps_cred
)
\brief extract the variables from user credential that can be used by the plugins
This function takes the user credential and job request (in RSL) and extracts the
information which is published in the runvars_list. These variables can be accessed
by the plugins.
\param request the job request (RSL)
\param lcmaps_cred the credential presented by the user
\retval 0 succes.
\retval 1 failure.
\internal
*/
int lcmaps_extractRunVars(
lcmaps_request_t request,
lcmaps_cred_id_t lcmaps_cred,
char *req_username
)
{
static lcmaps_request_t job_request;
static lcmaps_cred_id_t lcmaps_credential;
static char *requested_username;
int number_of_runvars=0;
const char * logstr = "lcmaps.mod-lcmaps_extractRunVars()";
/* Get the number of variables
*/
number_of_runvars = lcmaps_cntArgs(runvars_list);
if (NUMBER_OF_RUNVARS != number_of_runvars)
{
lcmaps_log(LOG_ERR,"%s: conflict in number of run variables:\n", logstr);
lcmaps_log(LOG_ERR,"%s: estimated = %d, defined = %d\n",
logstr, number_of_runvars, NUMBER_OF_RUNVARS);
return 1;
}
#ifdef LCMAPS_DEBUG
lcmaps_log_debug(2,"%s: Number of runvars: %d\n", logstr, NUMBER_OF_RUNVARS);
lcmaps_log_debug(2,"%s: Address of runvars_list (first element): 0x%x\n", logstr, runvars_list);
#endif
/* Save request en credential in static variables
*/
job_request=request;
lcmaps_credential=lcmaps_cred;
requested_username=req_username;
/* decompose request and credential
* for each run variable do lcmaps_setRunVars(name, type, value)
*/
/* Set user_dn */
#ifdef LCMAPS_DEBUG
lcmaps_log_debug(2,"%s: Setting \"user_dn\": %s, address: 0x%x\n", logstr, lcmaps_credential.dn, &(lcmaps_credential.dn));
#endif
if (lcmaps_setRunVars("user_dn" , "char *", (void *) &(lcmaps_credential.dn)) != 0)
{
lcmaps_log(LOG_ERR,"%s: error while setting \"user_dn\" variable\n", logstr);
return 1;
}
/* Set the list of FQANs */
#ifdef LCMAPS_DEBUG
lcmaps_log_debug(2,"%s: Setting \"fqan_list\", address: 0x%x\n",
logstr, &(lcmaps_credential.fqan));
#endif
if (lcmaps_setRunVars("fqan_list" , "char **", (void *) &(lcmaps_credential.fqan)) != 0)
{
lcmaps_log(LOG_ERR,"%s: error while setting \"fqan_list\" variable\n", logstr);
return 1;
}
/* Set the number of FQANs */
#ifdef LCMAPS_DEBUG
lcmaps_log_debug(2,"%s: Setting \"nfqan\": %d, address: 0x%x\n",
logstr, lcmaps_credential.nfqan, &(lcmaps_credential.nfqan));
#endif
if (lcmaps_setRunVars("nfqan" , "int", (void *) &(lcmaps_credential.nfqan)) != 0)
{
lcmaps_log(LOG_ERR,"%s: error while setting \"nfqan\" variable\n", logstr);
return 1;
}
#ifdef LCMAPS_GSI_MODE
/* Set user_cred */
#ifdef LCMAPS_DEBUG
lcmaps_log_debug(2,"%s: Setting \"user_cred\"\n", logstr);
#endif
if (lcmaps_setRunVars("user_cred" , "gss_cred_id_t", (void *) &(lcmaps_credential.cred)) != 0)
{
lcmaps_log(LOG_ERR,"%s: error while setting \"user_cred\" variable\n", logstr);
return 1;
}
/* Set security context */
#ifdef LCMAPS_DEBUG
lcmaps_log_debug(2,"%s: Setting \"gss_context\"\n", logstr);
#endif
if (lcmaps_setRunVars("gss_context" , "gss_ctx_id_t", (void *) &(lcmaps_credential.context)) != 0)
{
lcmaps_log(LOG_ERR,"%s: error while setting \"gss_context\" variable\n", logstr);
return 1;
}
/* Set pointer to X509 proxy certificate */
#ifdef LCMAPS_DEBUG
lcmaps_log_debug(2,"%s: Setting \"px509_cred\"\n", logstr);
#endif
if (lcmaps_setRunVars("px509_cred" , "X509 *", (void *) &(lcmaps_credential.px509_cred)) != 0)
{
lcmaps_log(LOG_ERR,"%s: error while setting \"px509_cred\" variable\n", logstr);
return 1;
}
/* Set pointer to X509 proxy certificate chain */
#ifdef LCMAPS_DEBUG
lcmaps_log_debug(2,"%s: Setting \"px509_chain\"\n", logstr);
#endif
if (lcmaps_setRunVars("px509_chain" , "STACK_OF(X509) *", (void *) &(lcmaps_credential.px509_chain)) != 0)
{
lcmaps_log(LOG_ERR,"%s: error while setting \"px509_chain\" variable\n", logstr);
return 1;
}
/* Set pointer to PEM string of proxy certificate */
#ifdef LCMAPS_DEBUG
lcmaps_log_debug(2,"%s: Setting \"pem_string\"\n", logstr);
#endif
if (lcmaps_setRunVars("pem_string" , "char *", (void *) &(lcmaps_credential.pem_string)) != 0)
{
lcmaps_log(LOG_ERR,"%s: error while setting \"pem_string\" variable\n", logstr);
return 1;
}
#endif /* LCMAPS_GSI_MODE */
/* Set job_request */
#ifdef LCMAPS_DEBUG
lcmaps_log_debug(2,"%s: Setting \"job_request\" of type \"lcmaps_request_t\"\n", logstr);
#endif
if (lcmaps_setRunVars("job_request" , "lcmaps_request_t", (void *) &job_request) != 0)
{
lcmaps_log(LOG_ERR,"%s: error while setting \"job_request\" variable of type \"lcmaps_request_t\"\n", logstr);
return 1;
}
#ifdef LCMAPS_DEBUG
lcmaps_log_debug(2,"%s: Setting \"job_request\" of type \"char *\"\n", logstr);
#endif
if (lcmaps_setRunVars("job_request" , "char *", (void *) &job_request) != 0)
{
lcmaps_log(LOG_ERR,"%s: error while setting \"job_request\" variable of type \"char *\"\n", logstr);
return 1;
}
/* Set the mapcounter */
#ifdef LCMAPS_DEBUG
lcmaps_log_debug(2,"%s: Setting \"mapcounter\": %d, address: 0x%x\n",
logstr, lcmaps_credential.mapcounter, &(lcmaps_credential.mapcounter));
#endif
if (lcmaps_setRunVars("mapcounter" , "int", (void *) &(lcmaps_credential.mapcounter)) != 0)
{
lcmaps_log(LOG_ERR,"%s: error while setting \"mapcounter\" variable\n", logstr);
return 1;
}
/* Set the requested uid */
#ifdef LCMAPS_DEBUG
lcmaps_log_debug(2,"%s: Setting \"requested_uid\": %d, address: 0x%x\n",
logstr, (int) lcmaps_credential.requested_account.uid,
&(lcmaps_credential.requested_account.uid));
#endif
if (lcmaps_setRunVars("requested_uid" , "uid_t",
(void *) &(lcmaps_credential.requested_account.uid)) != 0)
{
lcmaps_log(LOG_ERR,"%s: error while setting \"requested_uid\" variable\n", logstr);
return 1;
}
/* Set the list of requested primary gids */
#ifdef LCMAPS_DEBUG
lcmaps_log_debug(2,"%s: Setting \"requested_pgid_list\", address: 0x%x\n",
logstr, &(lcmaps_credential.requested_account.pgid_list));
#endif
if (lcmaps_setRunVars("requested_pgid_list" , "gid_t *",
(void *) &(lcmaps_credential.requested_account.pgid_list)) != 0)
{
lcmaps_log(LOG_ERR,"%s: error while setting \"requested_pgid_list\" variable\n", logstr);
return 1;
}
/* Set the number of requested primary gids */
#ifdef LCMAPS_DEBUG
lcmaps_log_debug(2,"%s: Setting \"requested_npgid\": %d, address: 0x%x\n",
logstr, lcmaps_credential.requested_account.npgid,
&(lcmaps_credential.requested_account.npgid));
#endif
if (lcmaps_setRunVars("requested_npgid" , "int",
(void *) &(lcmaps_credential.requested_account.npgid)) != 0)
{
lcmaps_log(LOG_ERR,"%s: error while setting \"requested_npgid\" variable\n", logstr);
return 1;
}
/* Set the list of requested secondary gids */
#ifdef LCMAPS_DEBUG
lcmaps_log_debug(2,"%s: Setting \"requested_sgid_list\", address: 0x%x\n",
logstr, &(lcmaps_credential.requested_account.sgid_list));
#endif
if (lcmaps_setRunVars("requested_sgid_list" , "gid_t *",
(void *) &(lcmaps_credential.requested_account.sgid_list)) != 0)
{
lcmaps_log(LOG_ERR,"%s: error while setting \"requested_sgid_list\" variable\n", logstr);
return 1;
}
/* Set the number of requested secondary gids */
#ifdef LCMAPS_DEBUG
lcmaps_log_debug(2,"%s: Setting \"requested_nsgid\": %d, address: 0x%x\n",
logstr, lcmaps_credential.requested_account.nsgid,
&(lcmaps_credential.requested_account.nsgid));
#endif
if (lcmaps_setRunVars("requested_nsgid" , "int",
(void *) &(lcmaps_credential.requested_account.nsgid)) != 0)
{
lcmaps_log(LOG_ERR,"%s: error while setting \"requested_nsgid\" variable\n", logstr);
return 1;
}
/* Set the requested poolindex */
#ifdef LCMAPS_DEBUG
lcmaps_log_debug(2,"%s: Setting \"requested_poolindex\", address: 0x%x\n",
logstr, &(lcmaps_credential.requested_account.poolindex));
lcmaps_log_debug(2,"lcmaps.mod-lcmaps_extractRunVars(): requested_poolindex value: %s\n",
(lcmaps_credential.requested_account).poolindex ? (lcmaps_credential.requested_account).poolindex : "(null)" );
#endif
if (lcmaps_setRunVars("requested_poolindex" , "char *",
(void *) &(lcmaps_credential.requested_account.poolindex)) != 0)
{
lcmaps_log(LOG_ERR,"%s: error while setting \"requested_poolindex\" variable\n", logstr);
return 1;
}
/* Set the requested username */
#ifdef LCMAPS_DEBUG
lcmaps_log_debug(2,"%s: Setting \"requested_username\", address: 0x%x\n",
logstr, &(requested_username));
lcmaps_log_debug(2,"lcmaps.mod-lcmaps_extractRunVars(): requested_username value: %s\n",
requested_username ? requested_username : "******" );
#endif
if (lcmaps_setRunVars("requested_username" , "char *",
(void *) &(requested_username)) != 0)
{
lcmaps_log(LOG_ERR,"%s: error while setting \"requested_username\" variable\n", logstr);
return 1;
}
/* Newly added vo_data for GUMS and Job Repository */
/* Set pointer to multiple VOMS Data structures */
#ifdef LCMAPS_DEBUG
lcmaps_log_debug(2,"%s: Setting \"voms_data_list\"\n", logstr);
#endif
if (lcmaps_setRunVars("voms_data_list" , "lcmaps_vomsdata_t *", (void *) &(lcmaps_credential.voms_data_list)) != 0)
{
lcmaps_log(LOG_ERR,"%s: error while setting \"voms_data_list\" variable\n", logstr);
return 1;
}
/* Set number of VOMS Data structures */
#ifdef LCMAPS_DEBUG
lcmaps_log_debug(2,"%s: Setting \"nvoms_data\"\n", logstr);
#endif
if (lcmaps_setRunVars("nvoms_data" , "int", (void *) &(lcmaps_credential.nvoms_data)) != 0)
{
lcmaps_log(LOG_ERR,"%s: error while setting \"nvoms_data\" variable\n", logstr);
return 1;
}
return 0;
}
/*!
\fn lcmaps_get_gidlist(
const char * username,
int * ngroups,
gid_t ** group_list
)
\brief Finds the list of gids for user in the group file (/etc/group)
Returns a list of gid_t which should be freed by calling program.
\param username the name of the user
\param ngroups ptr to int which will be filled with the number of gids
\param group_list ptr to an array of gid_t
\retval 0 success
\retval -1 realloc failure
\retval -2 getgrent failure
\retval 1 failure
*/
int lcmaps_get_gidlist(
const char * username,
int * ngroups,
gid_t ** group_list
)
{
#ifdef HAVE_GETGROUPLIST
/* New method of obtaining secondary Group IDs from the system. Using
* getgrouplist() is faster, because it performs a smarter search for
* secondary Group IDs */
int ng = 0;
#ifdef __APPLE__
int *groups = NULL;
#else
gid_t *groups = NULL;
#endif
struct passwd *pw;
if (!ngroups || !group_list) {
return 1;
}
pw = getpwnam(username);
if (pw == NULL)
return 1;
#ifdef __APPLE__
if (getgrouplist(username, (int)(pw->pw_gid), NULL, &ng) < 0) {
groups = (int *) malloc((size_t)ng * sizeof (gid_t));
if (groups == NULL) {
lcmaps_log(LOG_ERR,"lcmaps_get_gidlist(): cannot malloc\n");
return -1;
}
getgrouplist(username, (int)(pw->pw_gid), groups, &ng);
}
*group_list = (gid_t*)groups;
#else /* __APPLE__ */
if (getgrouplist(username, pw->pw_gid, NULL, &ng) < 0) {
groups = (gid_t *) malloc((size_t)ng * sizeof (gid_t));
if (groups == NULL) {
lcmaps_log(LOG_ERR,"lcmaps_get_gidlist(): cannot malloc\n");
return -1;
}
getgrouplist(username, pw->pw_gid, groups, &ng);
}
*group_list = groups;
#endif /*__APPLE__ */
*ngroups = ng;
return 0;
#else /* HAVE_GETGROUPLIST */
/* This is the old way of doing it. It was reliable, but suffers an
* increased load on LDAP based system due to the lookup of all the entries
* in the database, each time you pass here */
struct group * group_info = NULL;
gid_t * groups = NULL;
gid_t * newgroups = NULL;
int i = 0;
/* rewind the file pointer to the beginning of the /etc/group file */
setgrent();
lcmaps_log_debug(2,"lcmaps_get_gidlist(): looping through group file\n");
*ngroups = 0;
while ( ( group_info = getgrent() ) )
{
char ** pgr_mem = group_info->gr_mem;
char * gr_mem = NULL;
/* lcmaps_log_debug(4,"lcmaps_get_gidlist(): group %s\n", group_info->gr_name); */
while ( (gr_mem = *pgr_mem) )
{
/* lcmaps_log_debug(4,"lcmaps_get_gidlist(): group member %s\n", gr_mem); */
if (strncmp(username, gr_mem, strlen(username))==0)
{
/* lcmaps_log_debug(2,"lcmaps_get_gidlist(): found group %s for %s\n", group_info->gr_name, username); */
(*ngroups)++;
/* Note: *ngroups is >=0 */
newgroups = (gid_t *) realloc(groups, ((size_t)(*ngroups) * sizeof(gid_t)));
if (newgroups == NULL)
{
lcmaps_log(LOG_ERR,"lcmaps_get_gidlist(): cannot realloc\n");
free(groups);
return -1;
}
groups=newgroups;
groups[(*ngroups)-1] = group_info->gr_gid;
}
++pgr_mem;
}
}
if (errno==ENOMEM)
{
lcmaps_log(LOG_ERR,"lcmaps_get_gidlist(): Cannot read the group file, %s\n", strerror(errno));
free(groups);
groups=NULL;
/* Close the group file */
endgrent();
return -2;
}
*group_list=groups;
lcmaps_log_debug(4,"lcmaps_get_gidlist(): %d groups found for %s\n", *ngroups, username);
for (i = 0; i < *ngroups; i++)
{
lcmaps_log_debug(4,"lcmaps_get_gidlist(): group nr %d ==> gid_t %d\n", i+1, groups[i]);
}
/* Close the group file */
endgrent();
return 0;
#endif
}
/******************************************************************************
Function: plugin_initialize
Description:
Initialize plugin
Parameters:
argc, argv
argv[0]: the name of the plugin
Returns:
LCMAPS_MOD_SUCCESS : succes
LCMAPS_MOD_FAIL : failure
LCMAPS_MOD_NOFILE : db file not found (will halt LCMAPS initialization)
******************************************************************************/
int plugin_initialize(
int argc,
char ** argv
)
{
int i;
char * overflow = NULL;
const char * logstr = "lcmaps_plugin_tracking_groupid-plugin_initialize()";
long long_val;
lcmaps_log_debug(5,"%s: passed arguments:\n", logstr);
for (i=0; i < argc; i++)
{
lcmaps_log_debug(5,"%s: arg %d is %s\n", logstr, i, argv[i]);
}
/*
* Parse arguments, argv[0] = name of plugin, so start with i = 1
*/
for (i = 1; i < argc; i++)
{
if ((strcmp(argv[i], "--auto-discover") == 0) || (strcmp(argv[i], "--autodiscover") == 0)){
set_auto = 1;
}
else if (strcmp(argv[i], "--tracking-groupid-min") == 0){
overflow = NULL;
errno=0;
long_val = strtol(argv[i + 1], &overflow, 10);
if (errno!=0 || long_val <= 0) {
lcmaps_log(LOG_ERR,"%s: Error expected the Minimum Unix Group ID as a number not as a string. Got this \"%s\".\n", logstr, argv[i+1]);
goto fail_tracking_groupid;
}
set_groupid_min = (gid_t)long_val;
if ((overflow != NULL) && (strlen(overflow) > 0)) {
lcmaps_log(LOG_ERR,"%s: Error expected the Minimum Unix Group ID as a number not as a string. Got this \"%s\" and failed here \"%s\".\n", logstr, argv[i+1], overflow);
goto fail_tracking_groupid;
}
i++;
}
else if (strcmp(argv[i], "--tracking-groupid-max") == 0){
overflow = NULL;
errno=0;
long_val = strtol(argv[i + 1], &overflow, 10);
if (errno!=0 || long_val <= 0) {
lcmaps_log(LOG_ERR,"%s: Error expected the Max Unix Group ID as a number not as a string. Got this \"%s\".\n", logstr, argv[i+1]);
goto fail_tracking_groupid;
}
set_groupid_max = (gid_t)long_val;
if ((overflow != NULL) && (strlen(overflow) > 0)) {
lcmaps_log(LOG_ERR,"%s: Error expected the Max Unix Group ID as a number not as a string. Got this \"%s\" and failed here \"%s\".\n", logstr, argv[i+1], overflow);
goto fail_tracking_groupid;
}
i++;
}
else
{
lcmaps_log(LOG_ERR,"%s: Error in initialization parameter: %s (failure)\n", logstr, argv[i]);
goto fail_tracking_groupid;
}
}
if (set_auto && (set_groupid_min || set_groupid_max)){
lcmaps_log(LOG_ERR, "%s: Misconfiguarion in the LCMAPS Tracking GroupID plug-in. You can't configure a min/max tracking GID and the auto discovery of tracking Group IDs.\n", logstr);
goto fail_tracking_groupid;
}
/* TODO */
if (set_auto) {
lcmaps_log(LOG_ERR, "%s: Auto discovery of Tracking Group IDs is not yet implemented. Please send an email to: [email protected]\n", logstr);
goto fail_tracking_groupid;
}
if (!set_groupid_min) {
lcmaps_log(LOG_ERR, "%s: No minimum Unix Group ID configured.\n", logstr);
goto fail_tracking_groupid;
}
if (!set_groupid_max) {
lcmaps_log(LOG_ERR, "%s: No maximum Unix Group ID configured.\n", logstr);
goto fail_tracking_groupid;
}
return LCMAPS_MOD_SUCCESS;
fail_tracking_groupid:
return LCMAPS_MOD_FAIL;
}
