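/*
 * Render a string for "%s": passing a NULL pointer to "%s" is undefined
 * behaviour, so NULL is shown as "(null)" (what glibc would print anyway).
 */
static const char * str_or_null(const char * s) {
    return (s != NULL) ? s : "(null)";
}

/*
 * Simply dump the XACML response to stdout, one field per line.
 *
 * For each result: decision, resource id, status message, status code and
 * (only when present) the status subcode, followed by every obligation and
 * its attribute assignments.  The subcode is the only getter the code knows
 * to be optional; the other string getters are assumed to return valid
 * strings and are routed through str_or_null() as a precaution.
 *
 * @param [in] response the XACML response (NULL is rejected)
 * @return 0 on success or error code (1 for a NULL response) on failure.
 */
static int process_xacml_response(const xacml_response_t * response) {
    size_t results_l, i;
    if (response == NULL) {
        fprintf(stderr,"response is NULL\n");
        return 1;
    }
    results_l= xacml_response_results_length(response);
    fprintf(stdout,"response: %zu results\n", results_l);
    /* size_t indices: no signed/unsigned comparison against the lengths */
    for (i= 0; i<results_l; i++) {
        xacml_result_t * result= xacml_response_getresult(response,i);
        xacml_status_t * status= xacml_result_getstatus(result);
        xacml_statuscode_t * statuscode;
        xacml_statuscode_t * subcode;
        size_t obligations_l, j;

        fprintf(stdout,"response.result[%zu].decision= %s\n", i, str_or_null(decision_tostring(xacml_result_getdecision(result))));
        fprintf(stdout,"response.result[%zu].resourceid= %s\n", i, str_or_null(xacml_result_getresourceid(result)));

        fprintf(stdout,"response.result[%zu].status.message= %s\n", i, str_or_null(xacml_status_getmessage(status)));
        statuscode= xacml_status_getcode(status);
        fprintf(stdout,"response.result[%zu].status.code.value= %s\n", i, str_or_null(xacml_statuscode_getvalue(statuscode)));
        /* the subcode is optional and may be absent */
        subcode= xacml_statuscode_getsubcode(statuscode);
        if (subcode != NULL) {
            fprintf(stdout,"response.result[%zu].status.code.subcode.value= %s\n", i, str_or_null(xacml_statuscode_getvalue(subcode)));
        }

        obligations_l= xacml_result_obligations_length(result);
        fprintf(stdout,"response.result[%zu]: %zu obligations\n", i, obligations_l);
        for (j= 0; j<obligations_l; j++) {
            xacml_obligation_t * obligation= xacml_result_getobligation(result,j);
            size_t attrs_l, k;
            fprintf(stdout,"response.result[%zu].obligation[%zu].id= %s\n",i,j, str_or_null(xacml_obligation_getid(obligation)));
            fprintf(stdout,"response.result[%zu].obligation[%zu].fulfillOn= %s\n",i,j, str_or_null(fulfillon_tostring(xacml_obligation_getfulfillon(obligation))));
            attrs_l= xacml_obligation_attributeassignments_length(obligation);
            fprintf(stdout,"response.result[%zu].obligation[%zu]: %zu attribute assignments\n",i,j,attrs_l);
            for (k= 0; k<attrs_l; k++) {
                xacml_attributeassignment_t * attr= xacml_obligation_getattributeassignment(obligation,k);
                fprintf(stdout,"response.result[%zu].obligation[%zu].attributeassignment[%zu].id= %s\n",i,j,k,str_or_null(xacml_attributeassignment_getid(attr)));
                fprintf(stdout,"response.result[%zu].obligation[%zu].attributeassignment[%zu].datatype= %s\n",i,j,k,str_or_null(xacml_attributeassignment_getdatatype(attr)));
                fprintf(stdout,"response.result[%zu].obligation[%zu].attributeassignment[%zu].value= %s\n",i,j,k,str_or_null(xacml_attributeassignment_getvalue(attr)));
            }
        }
    }
    return 0;
}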
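/*
 * Dumps a XACML response through the info() logger, one field per line:
 * per result the decision, resource id, status message, status code and
 * optional subcode, then every obligation with its attribute assignments.
 *
 * @param response_ptr address of the response to dump; both the address and
 *        the response it points to must be non-NULL.
 * @return 0 on success, 1 when response_ptr or *response_ptr is NULL.
 */
static int dump_response(xacml_response_t ** response_ptr) {
	/* the double pointer itself used to be dereferenced unchecked */
	if (response_ptr == NULL || *response_ptr == NULL) {
		error("dump_response: response is NULL");
		return 1;
	}
	xacml_response_t * response= *response_ptr;
	size_t results_l= xacml_response_results_length(response);
	/* counts are cast to int for the logger, as before; the loop indices are
	 * size_t so they compare cleanly against the size_t lengths */
	info("response: %d results", (int)results_l);
	for (size_t i= 0; i<results_l; i++) {
		xacml_result_t * result= xacml_response_getresult(response,i);
		info("response.result[%d].decision= %s", (int)i, decision_str(xacml_result_getdecision(result)));
		info("response.result[%d].resourceid= %s", (int)i, xacml_result_getresourceid(result));
		xacml_status_t * status= xacml_result_getstatus(result);
		info("response.result[%d].status.message= %s", (int)i, xacml_status_getmessage(status));
		xacml_statuscode_t * statuscode= xacml_status_getcode(status);
		info("response.result[%d].status.code.value= %s", (int)i, xacml_statuscode_getvalue(statuscode));
		/* the subcode is optional */
		xacml_statuscode_t * subcode= xacml_statuscode_getsubcode(statuscode);
		if (subcode != NULL) {
			info("response.result[%d].status.code.subcode.value= %s", (int)i, xacml_statuscode_getvalue(subcode));
		}
		size_t obligations_l= xacml_result_obligations_length(result);
		info("response.result[%d]: %d obligations", (int)i, (int)obligations_l);
		for (size_t j= 0; j<obligations_l; j++) {
			xacml_obligation_t * obligation= xacml_result_getobligation(result,j);
			info("response.result[%d].obligation[%d].id= %s",(int)i,(int)j, xacml_obligation_getid(obligation));
			/* NOTE(review): the fulfillOn value is rendered with decision_str(), the
			 * decision stringifier.  Confirm decision_str() accepts fulfill-on
			 * values; if the enums differ this prints a misleading label. */
			info("response.result[%d].obligation[%d].fulfillOn= %s",(int)i,(int)j, decision_str(xacml_obligation_getfulfillon(obligation)));
			size_t attrs_l= xacml_obligation_attributeassignments_length(obligation);
			info("response.result[%d].obligation[%d]: %d attribute assignments",(int)i,(int)j,(int)attrs_l);
			for (size_t k= 0; k<attrs_l; k++) {
				xacml_attributeassignment_t * attr= xacml_obligation_getattributeassignment(obligation,k);
				info("response.result[%d].obligation[%d].attributeassignment[%d].id= %s",(int)i,(int)j,(int)k,xacml_attributeassignment_getid(attr));
				info("response.result[%d].obligation[%d].attributeassignment[%d].datatype= %s",(int)i,(int)j,(int)k,xacml_attributeassignment_getdatatype(attr));
				info("response.result[%d].obligation[%d].attributeassignment[%d].value= %s",(int)i,(int)j,(int)k,xacml_attributeassignment_getvalue(attr));
			}
		}
	}
	return 0;
}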
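/*
 * Handle one local-environment-map/posix obligation attached to a PERMIT result.
 *
 * Collects the obligation's user-id, primary-group-id and group-id attribute
 * assignments, resolves them to POSIX ids and appends the derived username,
 * uidgid and secondary-gids obligations to the result.  Mappings that do not
 * resolve are skipped silently (best effort, as before); only an allocation
 * failure is reported.
 *
 * @param result     the result the derived obligations are added to
 * @param obligation the local-environment-map/posix obligation to convert
 * @return 0 on success, 1 when memory could not be allocated.
 */
static int gridwn_posix_obligation_process(xacml_result_t * result, xacml_obligation_t * obligation) {
    xacml_fulfillon_t obligation_fulfillon= xacml_obligation_getfulfillon(obligation);
    size_t attrs_l= xacml_obligation_attributeassignments_length(obligation);
    const char * username= NULL;
    const char * groupname= NULL;
    size_t n_groupnames= 0;
    int too_many_groups= 0;
    size_t k;
    /* groupnames has room for NGROUPS_MAX entries; the store below is bounded
     * so a response carrying more group-id attributes cannot overflow it */
    char ** groupnames= calloc(NGROUPS_MAX,sizeof(char *));
    if (groupnames == NULL) {
        return 1;
    }
    pep_log_debug("%s: resolve local POSIX account mapping",GRIDWN_TO_AUTHZINTEROP_ADAPTER_ID);
    for (k= 0; k<attrs_l; k++) {
        xacml_attributeassignment_t * attr= xacml_obligation_getattributeassignment(obligation,k);
        const char * attr_id= xacml_attributeassignment_getid(attr);
        const char * attr_value= xacml_attributeassignment_getvalue(attr);
        if (attr_id == NULL) {
            continue; /* strcmp() on NULL is undefined; an id-less assignment cannot match */
        }
        if (strcmp(XACML_GRIDWN_ATTRIBUTE_USER_ID,attr_id)==0) {
            username= attr_value;
        }
        else if (strcmp(XACML_GRIDWN_ATTRIBUTE_GROUP_ID_PRIMARY,attr_id)==0) {
            groupname= attr_value;
        }
        else if (strcmp(XACML_GRIDWN_ATTRIBUTE_GROUP_ID,attr_id)==0) {
            if (n_groupnames < NGROUPS_MAX) {
                groupnames[n_groupnames++]= (char *)attr_value;
            }
            else {
                /* more secondary groups than the system allows: the list would
                 * be truncated, so no secondary-gids obligation is emitted */
                too_many_groups= 1;
            }
        }
    }

    if (username) {
        /* username obligation */
        xacml_obligation_t * username_obligation= create_username_obligation(obligation_fulfillon,username);
        if (username_obligation) {
            xacml_result_addobligation(result,username_obligation);
        }
        /* uidgid obligation: the primary group overrides the account's default
         * group only when it resolves; otherwise the default gid is kept */
        {
            uid_t user_uid;
            gid_t user_gid, group_gid;
            if (resolve_user_uidgid(username,&user_uid,&user_gid)==0) {
                gid_t obligation_gid= user_gid;
                xacml_obligation_t * uidgid_obligation;
                if (groupname && resolve_group_gid(groupname,&group_gid)==0) {
                    obligation_gid= group_gid;
                }
                uidgid_obligation= create_uidgid_obligation(obligation_fulfillon,user_uid,obligation_gid);
                if (uidgid_obligation) {
                    xacml_result_addobligation(result,uidgid_obligation);
                }
            }
        }
    }

    /* secondary gids obligation: emitted only when every group resolves */
    if (n_groupnames>0 && !too_many_groups) {
        gid_t * gids= calloc(n_groupnames,sizeof(gid_t));
        size_t m;
        int resolve_error= 0;
        if (gids == NULL) {
            free(groupnames);
            return 1;
        }
        for (m= 0; m<n_groupnames; m++) {
            if (resolve_group_gid(groupnames[m],&gids[m])!=0) {
                resolve_error= 1;
                break;
            }
        }
        if (!resolve_error) {
            xacml_obligation_t * secgids_obligation= create_secondarygids_obligation(obligation_fulfillon,gids,n_groupnames);
            if (secgids_obligation) {
                xacml_result_addobligation(result,secgids_obligation);
            }
        }
        free(gids);
    }
    free(groupnames);
    return 0;
}

/*
 * Converts in the XACML response the local-environment-map/posix obligation to
 * uidgid, secondary-gid and username obligations.  The POSIX ids are resolved
 * through resolve_user_uidgid()/resolve_group_gid().
 *
 * Only PERMIT results are touched.  The obligation is matched by prefix
 * (strncmp over the length of the constant), so any obligation id that merely
 * starts with XACML_GRIDWN_OBLIGATION_LOCAL_ENVIRONMENT_MAP_POSIX is
 * converted -- NOTE(review): confirm this is intended rather than an exact
 * comparison.
 *
 * @param request  the XACML request (not consulted by this handler)
 * @param response the XACML response to augment; must point to a non-NULL response
 * @return 0 on success, 1 on a NULL response or allocation failure
 *         (NOTE(review): confirm how the caller treats a non-zero return).
 */
static int gridwn2authzinterop_oh_process(xacml_request_t ** request,xacml_response_t ** response) {
    size_t results_l, i;
    size_t prefix_l= strlen(XACML_GRIDWN_OBLIGATION_LOCAL_ENVIRONMENT_MAP_POSIX);
    (void)request;
    if (response == NULL || *response == NULL) {
        return 1;
    }
    results_l= xacml_response_results_length(*response);
    for (i= 0; i<results_l; i++) {
        xacml_result_t * result= xacml_response_getresult(*response,i);
        size_t obligations_l, j;
        if (xacml_result_getdecision(result)!=XACML_DECISION_PERMIT) {
            continue; /* only a PERMIT carries a mapping to apply */
        }
        /* the length is taken once so obligations appended by the handler
         * are not re-scanned */
        obligations_l= xacml_result_obligations_length(result);
        for (j= 0; j<obligations_l; j++) {
            xacml_obligation_t * obligation= xacml_result_getobligation(result,j);
            const char * obligation_id= xacml_obligation_getid(obligation);
            if (obligation_id == NULL) {
                continue; /* strncmp() on NULL is undefined */
            }
            if (strncmp(XACML_GRIDWN_OBLIGATION_LOCAL_ENVIRONMENT_MAP_POSIX,obligation_id,prefix_l)!=0) {
                continue;
            }
            if (gridwn_posix_obligation_process(result,obligation)!=0) {
                return 1;
            }
        }
    }
    return 0;
}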