/****************************************************************************** Function: lcas_db_fill_entry documentation in _lcas_db_read.h ******************************************************************************/ lcas_db_entry_t * lcas_db_fill_entry( lcas_db_entry_t ** list, lcas_db_entry_t * entry ) { lcas_db_entry_t * plist; if (entry == NULL) { lcas_log(0,"lcas.mod-lcas_db_fill_entry(): error null entry\n"); return NULL; } if (!(*list)) { lcas_log_debug(2,"lcas.mod-lcas_db_fill_entry(): creating first list entry\n"); *list=plist=(lcas_db_entry_t *)malloc(sizeof(lcas_db_entry_t)); } else { lcas_log_debug(2,"lcas.mod-lcas_db_fill_entry(): creating new list entry\n"); plist=*list; while (plist->next) plist=plist->next; plist=plist->next=(lcas_db_entry_t *)malloc(sizeof(lcas_db_entry_t)); } if (!plist) { lcas_log(0,"lcas.mod-lcas_db_fill_entry(): error creating new list entry\n"); return NULL; } plist->next=NULL; if (entry->pluginname != NULL) { strncpy(plist->pluginname,entry->pluginname,LCAS_MAXPATHLEN); (plist->pluginname)[LCAS_MAXPATHLEN]=NUL; } else strncpy(plist->pluginname,"",LCAS_MAXPATHLEN); if (entry->pluginargs != NULL) { strncpy(plist->pluginargs,entry->pluginargs,LCAS_MAXARGSTRING); (plist->pluginargs)[LCAS_MAXARGSTRING]=NUL; } else strncpy(plist->pluginargs,"",LCAS_MAXARGSTRING); return plist; }
/****************************************************************************** Function: plugin_terminate Description: Terminate plugin Parameters: Returns: LCAS_MOD_SUCCESS : succes LCAS_MOD_FAIL : failure ******************************************************************************/ int plugin_terminate() { lcas_log_debug(1,"%s-plugin_terminate(): terminating\n",modname); if (userban_db) { free(userban_db); userban_db=NULL; } return LCAS_MOD_SUCCESS; }
int plugin_initialize(int argc, char *argv[]) { lcas_log_debug(1, "%s-plugin_initialize()\n",modname); return LCAS_MOD_SUCCESS; }
int plugin_terminate() { lcas_log_debug(1, "%s-plugin_terminate(): terminating\n",modname); if (authfile) { free(authfile); authfile = NULL; } return LCAS_MOD_SUCCESS; }
/*! \fn lcas_db_read_entries( FILE * dbstream ) \brief Read db entries from stream and fill a lsit of db entries \param dbstream database stream \return the number of entries found (failure --> negative number) \internal */ static int lcas_db_read_entries( FILE * dbstream ) { char line[1024]; int nlines=0; int no_entries=0; lcas_db_entry_t * entry=NULL; nlines=0; no_entries=0; /* lcas_db_fill_entry(no_entries,NULL); */ while (fgets(line, sizeof(line), dbstream)) { ++nlines; if (! lcas_db_parse_line(line, &entry)) { /* parse error, return line number */ if (entry != NULL) free(entry); return -(nlines); } if (entry != NULL) { lcas_log_debug(3,"line %d: %s, %s\n",nlines,entry->pluginname,entry->pluginargs); /* entry found */ ++no_entries; if (no_entries > MAXDBENTRIES) { if (entry != NULL) free(entry); return no_entries; } if ( lcas_db_fill_entry(&lcas_db_list, entry)==NULL ) { /* error filling lcas_db */ if (entry != NULL) free(entry); return -(nlines); } if (entry != NULL) free(entry); entry=NULL; } else { /* no entry found, but no error */ continue; } } if (entry != NULL) free(entry); return no_entries; }
int plugin_initialize(int argc, char ** argv) { int i; lcas_log_debug(2,"%s-plugin_initialize(): passed arguments:\n",modname); for (i=0; i < argc; i++) { lcas_log_debug(2,"%s-plugin_initialize(): arg %d is %s\n", modname,i,argv[i]); } disableWildCardMatching = isParamEnabled ("-disable_wildcards", argc, argv); disableWildCardMatching ? lcas_log_debug(2,"%s-plugin_initialize(): wildcard matching is disabled\n", modname) : lcas_log_debug(2,"%s-plugin_initialize(): wildcard matching is enabled\n", modname); if (argc > 1) userban_db = lcas_findfile(argv[1]); /* Test if userban_db can be opened */ if (userban_db == NULL) { lcas_log(0,"\t%s-plugin_initialize() error: banned user file required !\n", modname); return LCAS_MOD_NOFILE; } if (lcas_getfexist(1,userban_db) == NULL) { lcas_log(0, "\t%s-plugin_initialize() error: Cannot find banned user file: %s\n", modname,userban_db ); return LCAS_MOD_NOFILE; } return LCAS_MOD_SUCCESS; }
/****************************************************************************** Function: lcas_db_clean_list documentation in _lcas_db_read.h ******************************************************************************/ int lcas_db_clean_list( lcas_db_entry_t ** list ) { lcas_db_entry_t * entry; entry=*list; while (entry) { lcas_db_entry_t * next_entry; lcas_log_debug(2,"cleaning db entry for module %s\n",entry->pluginname); next_entry=entry->next; free(entry); entry=next_entry; } *list=entry=NULL; return 0; }
/****************************************************************************** Function: plugin_confirm_authorization Description: Ask for authorization by passing RSL and user credential Parameters: request: RSL request user_cred: user credential Returns: LCAS_MOD_SUCCESS: authorization succeeded LCAS_MOD_FAIL : authorization failed LCAS_MOD_NOFILE : db file not found ******************************************************************************/ int plugin_confirm_authorization(lcas_request_t request, lcas_cred_id_t lcas_cred) { int rc; char * dummy = NULL; char * user_dn = NULL; /* * check credential and get the globus name */ if ( (user_dn = lcas_get_dn(lcas_cred)) == NULL) { lcas_log(0, "lcas.mod-lcas_get_fabric_authorization() error: user DN empty\n"); goto lcas_userban_noauth; } /* Do the check */ lcas_log_debug(0,"\t%s-plugin_confirm_authorization(): checking banned users in %s\n", modname,userban_db); /* * The new default is to perform the wildcard matching, based upon fnmatch * You'll need to explicitly disable it in the initialization parameters */ if (! disableWildCardMatching) rc = lcas_gridlist(user_dn, &dummy, userban_db, MATCH_WILD_CHARS|MATCH_ONLY_DN, NULL, NULL); else rc = lcas_gridlist(user_dn, &dummy, userban_db, MATCH_ONLY_DN, NULL, NULL); if ( rc == LCAS_MOD_ENTRY ) { /* Entry found for user_dn, so the user is banned */ lcas_log_debug(0,"\t%s-plugin_confirm_authorization(): entry found for %s\n", modname,user_dn); goto lcas_userban_noauth; } else if ( rc == LCAS_MOD_NOFILE ) { /* file not found */ lcas_log(0, "\t%s-plugin_confirm_authorization() error: Cannot find banned user file: %s\n", modname,userban_db); goto lcas_userban_nofile; } lcas_userban_auth: /* authorization = no entry found for user_dn */ if (dummy != NULL) free(dummy); return LCAS_MOD_SUCCESS; lcas_userban_noauth: /* no authorization = entry found for user_dn */ if (dummy != NULL) free(dummy); return LCAS_MOD_FAIL; lcas_userban_nofile: /* file not found */ if (dummy != NULL) free(dummy); return LCAS_MOD_NOFILE; }
int plugin_confirm_authorization(lcas_request_t request, lcas_cred_id_t lcas_cred) { char *user_dn; int ret; edg_wll_Context ctx; struct _edg_wll_GssPrincipal_data princ; X509 *cert = NULL; STACK_OF(X509) * chain = NULL; void *cred = NULL; struct vomsdata *voms_info = NULL; int err; authz_action action; memset(&princ, 0, sizeof(princ)); lcas_log_debug(1,"\t%s-plugin: checking LB access policy\n", modname); if (edg_wll_InitContext(&ctx) != 0) { lcas_log(0, "Couldn't create L&B context\n"); ret = LCAS_MOD_FAIL; goto end; } if ((action = find_authz_action(request)) == ACTION_UNDEF) { lcas_log(0, "lcas.mod-lb() error: unsupported action\n"); ret = LCAS_MOD_FAIL; goto end; } user_dn = lcas_get_dn(lcas_cred); if (user_dn == NULL) { lcas_log(0, "lcas.mod-lb() error: user DN empty\n"); ret = LCAS_MOD_FAIL; goto end; } princ.name = user_dn; cred = lcas_get_gss_cred(lcas_cred); if (cred == NULL) { lcas_log(0, "lcas.mod-lb() warning: user gss credential empty\n"); #if 0 ret = LCAS_MOD_FAIL; goto end; #endif } #ifndef NO_GLOBUS_GSSAPI if (cred) { voms_info = VOMS_Init(NULL, NULL); if (voms_info == NULL) { lcas_log(0, "lcas.mod-lb() failed to initialize VOMS\n"); ret = LCAS_MOD_FAIL; goto end; } ret = VOMS_RetrieveFromCred(cred, RECURSE_CHAIN, voms_info, &err); if (ret == 1) edg_wll_get_fqans(ctx, voms_info, &princ.fqans); } #endif ret = check_authz_policy(edg_wll_get_server_policy(), &princ, action); ret = (ret == 1) ? LCAS_MOD_SUCCESS : LCAS_MOD_FAIL; end: edg_wll_FreeContext(ctx); #ifndef NO_GLOBUS_GSSAPI if (voms_info) VOMS_Destroy(voms_info); #endif if (cert) X509_free(cert); if (chain) sk_X509_pop_free(chain, X509_free); return ret; }
/*! \fn lcas_db_parse_line( char * line, lcas_db_entry_t ** entry ) \brief Parses database line and fills database structure \param line database line \param entry pointer to a pointer to a database structure (can/should be freed afterwards) \retval 1 succes. \retval 0 failure. \internal */ static int lcas_db_parse_line( char * line, lcas_db_entry_t ** entry ) { char * var_val_pairs[MAXPAIRS]; char * var; char * val; int ipair; int no_pairs; size_t len; lcas_db_entry_t * tmp_entry=NULL; /* Check arguments */ if ((line == NULL) || (*entry != NULL)) { lcas_log(0,"lcas.mod-lcas_db_parse_line(): something wrong with arguments\n"); goto error; } /* Skip over leading whitespace */ line += strspn(line, WHITESPACE_CHARS); /* Check for comment at start of line and ignore line if present */ if (strchr(COMMENT_CHARS, *line) != NULL) { /* Ignore line, return NULL entry. */ *entry=NULL; return 1; } /* Check for empty line */ if (*line == NUL) { /* Empty line, return NULL entry. */ *entry=NULL; return 1; } /* Look for variable-value pairs by checking the PAIR_SEP_CHARS */ ipair=0; len=0; while (*line != NUL) { len=strcspn(line, PAIR_SEP_CHARS); if (len > 0) { var_val_pairs[ipair] = line; ipair++; line+=len; if (*line == NUL) { /* probably end of line */ continue; } if (strchr(PAIR_SEP_CHARS, *line) != NULL) { *line=NUL; line += 1; } } else { /* len = 0, so *line=PAIR_SEP_CHARS */ line += 1; } line += strspn(line, WHITESPACE_CHARS); } no_pairs=ipair; if (no_pairs) { tmp_entry=malloc(sizeof(*tmp_entry)); if (tmp_entry == NULL) { lcas_log(0,"lcas.mod-lcas_db_parse_line(): error allocating memory\n"); goto error; } for (ipair=0; ipair < no_pairs; ipair++) { int rc=0; lcas_log_debug(3,"pair %d:%s-endpair\n",ipair, var_val_pairs[ipair]); rc=lcas_db_parse_pair(var_val_pairs[ipair], &var, &val); if (! rc) { /* error parsing variable-value pair */ lcas_log(0,"lcas.mod-lcas_db_parse_line(): error parsing variable-value pair\n"); goto error; } lcas_log_debug(3,"var: %s, value: %s\n",var,val); if (strncmp(var,"pluginname",strlen("pluginname")) == 0) { /* found plugin name */ strncpy(tmp_entry->pluginname,val,LCAS_MAXPATHLEN); (tmp_entry->pluginname)[LCAS_MAXPATHLEN]=NUL; } else if (strncmp(var,"pluginargs",strlen("pluginargs")) == 0) { /* found plugin database */ strncpy(tmp_entry->pluginargs,val,LCAS_MAXARGSTRING); (tmp_entry->pluginargs)[LCAS_MAXARGSTRING]=NUL; } else { /* unknown option: do nothing */ } } } /* succes */ *entry=tmp_entry; return 1; error: if (tmp_entry != NULL) free(tmp_entry); return 0; }