int map_and_authorize_bad_params_test(void) { int rc; char * service = "service"; char * desired_identity = "id"; char * identity_buffer = "id"; unsigned int identity_buffer_length = 2; rc = setenv("GRIDMAP", "grid-mapfile", 1); if (rc != 0) { fprintf(stderr, "Error setting GRIDMAP location\n"); goto out; } rc = globus_gss_assist_map_and_authorize(GSS_C_NO_CONTEXT, service, desired_identity, identity_buffer, identity_buffer_length); if (rc == GLOBUS_SUCCESS) { fprintf(stderr, "Unexpected success: globus_gss_assist_map_and_authorize with null context\n"); rc = 1; goto out; } rc = globus_gss_assist_map_and_authorize(accept_ctx, NULL, desired_identity, identity_buffer, identity_buffer_length); if (rc == GLOBUS_SUCCESS) { fprintf(stderr, "Unexpected success: globus_gss_assist_map_and_authorize with null service\n"); rc = 2; goto out; } rc = globus_gss_assist_map_and_authorize(accept_ctx, service, NULL, identity_buffer, identity_buffer_length); if (rc == GLOBUS_SUCCESS) { fprintf(stderr, "Unexpected success: globus_gss_assist_map_and_authorize with null desired_identity\n"); rc = 3; goto out; } rc = 0; out: return rc; }
int Condor_Auth_X509::nameGssToLocal(const char * GSSClientname) { //this might need to change with SSLK5 stuff //just extract username from /CN=<username>@<domain,etc> OM_uint32 major_status; char *tmp_user = NULL; char local_user[USER_NAME_MAX]; // windows gsi does not currently include this function. we use it on // unix, but implement our own on windows for now. #ifdef WIN32 major_status = condor_gss_assist_gridmap(GSSClientname, &tmp_user); #else // Switched the unix map function to _map_and_authorize, which allows access // to the Globus callout infrastructure. char condor_str[] = "condor"; major_status = globus_gss_assist_map_and_authorize( context_handle, condor_str, // Requested service name NULL, // Requested user name; NULL for non-specified local_user, USER_NAME_MAX-1); // Leave one space at end of buffer, just-in-case // Defensive programming: to protect against buffer overruns in the // unknown globus mapping module, make sure we are at least nul-term'd local_user[USER_NAME_MAX-1] = '\0'; #endif if (tmp_user) { strcpy( local_user, tmp_user ); free(tmp_user); tmp_user = NULL; } if ( major_status != GSS_S_COMPLETE) { setRemoteUser("gsi"); setRemoteDomain( UNMAPPED_DOMAIN ); return 0; } MyString user; MyString domain; Authentication::split_canonical_name( local_user, user, domain ); setRemoteUser (user.Value()); setRemoteDomain(domain.Value()); setAuthenticatedName(GSSClientname); return 1; }
/* * Check if this user is OK to login under GSI. User has been authenticated * as identity in global 'client_name.value' and is trying to log in as passed * username in 'name'. * * Returns non-zero if user is authorized, 0 otherwise. */ static int ssh_gssapi_gsi_userok(ssh_gssapi_client *client, char *name) { int authorized = 0; globus_result_t res; #ifdef HAVE_GLOBUS_GSS_ASSIST_MAP_AND_AUTHORIZE char lname[256] = ""; #endif #ifdef GLOBUS_GSI_GSS_ASSIST_MODULE if (globus_module_activate(GLOBUS_GSI_GSS_ASSIST_MODULE) != 0) { return 0; } #endif /* use new globus_gss_assist_map_and_authorize() interface if available */ #ifdef HAVE_GLOBUS_GSS_ASSIST_MAP_AND_AUTHORIZE debug("calling globus_gss_assist_map_and_authorize()"); if (GLOBUS_SUCCESS != (res = globus_gss_assist_map_and_authorize(client->context, "ssh", name, lname, 256))) { debug("%s", globus_error_print_chain(globus_error_get(res))); } else if (lname[0] && strcmp(name, lname) != 0) { debug("GSI user maps to %s, not %s", lname, name); } else { authorized = 1; } #else debug("calling globus_gss_assist_userok()"); if (GLOBUS_SUCCESS != (res = (globus_gss_assist_userok(client->displayname.value, name)))) { debug("%s", globus_error_print_chain(globus_error_get(res))); } else { authorized = 1; } #endif logit("GSI user %s is%s authorized as target user %s", (char *) client->displayname.value, (authorized ? "" : " not"), name); return authorized; }
/* * Return the local username associated with the GSI credentials. */ int ssh_gssapi_gsi_localname(ssh_gssapi_client *client, char **user) { globus_result_t res; #ifdef HAVE_GLOBUS_GSS_ASSIST_MAP_AND_AUTHORIZE char lname[256] = ""; #endif #ifdef GLOBUS_GSI_GSS_ASSIST_MODULE if (globus_module_activate(GLOBUS_GSI_GSS_ASSIST_MODULE) != 0) { return 0; } #endif /* use new globus_gss_assist_map_and_authorize() interface if available */ #ifdef HAVE_GLOBUS_GSS_ASSIST_MAP_AND_AUTHORIZE debug("calling globus_gss_assist_map_and_authorize()"); if (GLOBUS_SUCCESS != (res = globus_gss_assist_map_and_authorize(client->context, "ssh", NULL, lname, 256))) { debug("%s", globus_error_print_chain(globus_error_get(res))); logit("failed to map GSI user %s", (char *)client->displayname.value); return 0; } *user = strdup(lname); #else debug("calling globus_gss_assist_gridmap()"); if (GLOBUS_SUCCESS != (res = globus_gss_assist_gridmap(client->displayname.value, user))) { debug("%s", globus_error_print_chain(globus_error_get(res))); logit("failed to map GSI user %s", (char *)client->displayname.value); return 0; } #endif logit("GSI user %s mapped to target user %s", (char *) client->displayname.value, *user); return 1; }
int Condor_Auth_X509::nameGssToLocal(const char * GSSClientname) { //this might need to change with SSLK5 stuff //just extract username from /CN=<username>@<domain,etc> OM_uint32 major_status = GSS_S_COMPLETE; char *tmp_user = NULL; char local_user[USER_NAME_MAX]; // windows gsi does not currently include this function. we use it on // unix, but implement our own on windows for now. #ifdef WIN32 major_status = condor_gss_assist_gridmap(GSSClientname, &tmp_user); #else // Switched the unix map function to _map_and_authorize, which allows access // to the Globus callout infrastructure. if (m_mapping == NULL) { // Size of hash table is purposely initialized small to prevent this // from hogging memory. This will, of course, grow at large sites. m_mapping = new GlobusMappingTable(53, hashFuncString, updateDuplicateKeys); } const char *auth_name_to_map; const char *fqan = getFQAN(); if (fqan && fqan[0]) { auth_name_to_map = fqan; } else { auth_name_to_map = GSSClientname; } globus_mapping_entry_ptr value; time_t now = 0; time_t gsi_cache_expiry = param_integer("GSS_ASSIST_GRIDMAP_CACHE_EXPIRATION", 0); if (gsi_cache_expiry && (m_mapping->lookup(auth_name_to_map, value) == 0)) { now = time(NULL); if (now < value->expiry_time) { dprintf(D_SECURITY, "Using Globus mapping result from the cache.\n"); if (value->name.size()) { tmp_user = strdup(value->name.c_str()); } else { major_status = GSS_S_FAILURE; } } } if ((tmp_user == NULL) && (major_status == GSS_S_COMPLETE)) { char condor_str[] = "condor"; major_status = globus_gss_assist_map_and_authorize( context_handle, condor_str, // Requested service name NULL, // Requested user name; NULL for non-specified local_user, USER_NAME_MAX-1); // Leave one space at end of buffer, just-in-case // Defensive programming: to protect against buffer overruns in the // unknown globus mapping module, make sure we are at least nul-term'd local_user[USER_NAME_MAX-1] = '\0'; // More defensive programming: There is a bug in LCMAPS, (which is possibly // called by a globus callout) that sometimes returns with the euid set to // root (!?!). As a safeguard, We check for that here and return to the // condor euid. This is done "outside" of the condor priv stack since this // is essentially undoing a side effect of the library call, not // intentionally changing priv state. if (geteuid() == 0) { dprintf(D_ALWAYS, "WARNING: globus returned with euid 0\n"); // attempt to undo if (seteuid(get_condor_uid())) { // complain loudly, but continue dprintf(D_ALWAYS, "ERROR: something has gone terribly wrong: errno %i\n", errno); } } if (now == 0) { now = time(NULL); } value.reset(new globus_mapping_entry_t); value->expiry_time = now + gsi_cache_expiry; // The special name of "" indicates failed mapping. if (major_status == GSS_S_COMPLETE) { value->name = local_user; } m_mapping->insert(auth_name_to_map, value); } #endif if (tmp_user) { strcpy( local_user, tmp_user ); free(tmp_user); tmp_user = NULL; } if ( major_status != GSS_S_COMPLETE) { setRemoteUser("gsi"); setRemoteDomain( UNMAPPED_DOMAIN ); return 0; } MyString user; MyString domain; Authentication::split_canonical_name( local_user, user, domain ); setRemoteUser (user.Value()); setRemoteDomain(domain.Value()); setAuthenticatedName(GSSClientname); return 1; }