SRCS:= bones_server.c soap_ops.c \
new_ftp_backend.c mysql.c file_plugin.c \
- feed.c tags.c\
+ feed.c tags.c authz.c\
is_client.c \
${ps_prefix}ServerLib.c \
${is_prefix}ClientLib.c jpps_C.c
argv[2], &r))) {
printf("FeedId: %s\nExpires: %s\n",r.feedId,ctime(&r.expires));
}
- } else if (!strcasecmp(argv[1],"GetJob")) {
- struct jpsrv__GetJobResponse r;
+ }
+#endif
+ else if (!strcasecmp(argv[1],"GetJob")) {
+ struct _jpelem__GetJob in;
+ struct _jpelem__GetJobResponse out;
if (argc != 3) usage(argv[0]);
+ in.jobid = argv[2];
- if (!check_fault(soap,soap_call_jpsrv__GetJob(soap,server,"",
- argv[2],&r)))
+ if (!check_fault(soap,soap_call___jpsrv__GetJob(soap,server,"",
+ &in,&out)))
{
int i;
printf("JobLog:\n");
- for (i=0; i<r.files->__sizefile;i++) {
+ for (i=0; i<out.__sizefiles;i++) {
printf("\tclass = %s, name = %s, url = %s\n",
- r.files->file[i]->class_,
- r.files->file[i]->name,
- r.files->file[i]->url);
+ out.files[i]->class_,
+ out.files[i]->name,
+ out.files[i]->url);
}
}
}
-#endif
else usage(argv[0]);
return 0;
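Review bot: `in` at `struct _jpelem__GetJob in;` is only partially initialised (`in.jobid = argv[2];`); if the generated struct has any member besides jobid (its definition is not visible here) the request is serialised from indeterminate memory, so a `memset(&in,0,sizeof in);` before the assignment, or gSOAP's generated `soap_default_*` initialiser for the type, should precede it. The loop over `out.__sizefiles` dereferences `out.files[i]` without checking that `out.files` is non-NULL, so a response carrying a positive count with a missing array would fault; whether the deserialiser guarantees the two agree cannot be seen from this hunk. The enclosing function and the `#if` block this branch sits in both start outside the hunk.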
--- /dev/null
+#include <stdlib.h>
+#include <stdio.h>
+#include <errno.h>
+#include <assert.h>
+
+#include "glite/jp/types.h"
+#include "glite/jp/context.h"
+
+#include "jpps_H.h"
+
+int glite_jpps_authz(glite_jp_context_t ctx,int op,const char *job,const char *owner)
+{
+ glite_jp_error_t err;
+ char buf[200];
+ int i;
+
+ memset(&err,0,sizeof err);
+ glite_jp_clear_error(ctx);
+ err.source = __FUNCTION__;
+ err.code = EPERM;
+
+ switch (op) {
+ case SOAP_TYPE___jpsrv__RegisterJob:
+ case SOAP_TYPE___jpsrv__StartUpload:
+ case SOAP_TYPE___jpsrv__CommitUpload:
+ for (i=0; ctx->trusted_peers && ctx->trusted_peers[i]; i++)
+ if (!strcmp(ctx->trusted_peers[i],ctx->peer)) return 0;
+ err.desc = "you are not a trusted peer";
+ return glite_jp_stack_error(ctx,&err);
+
+ case SOAP_TYPE___jpsrv__GetJob:
+ assert(owner);
+ return strcmp(owner,ctx->peer) ? glite_jp_stack_error(ctx,&err) : 0;
+ break;
+
+ default:
+ snprintf(buf,sizeof buf,"%d: unknown operation",op);
+ err.desc = buf;
+ err.code = EINVAL;
+ return glite_jp_stack_error(ctx,&err);
+ }
+}
+
+int glite_jpps_readauth(glite_jp_context_t ctx,const char *file)
+{
+ FILE *f = fopen(file,"r");
+ glite_jp_error_t err;
+ int cnt = 0;
+
+ glite_jp_clear_error(ctx);
+ memset(&err,0,sizeof err);
+ err.source = __FUNCTION__;
+ if (!f) {
+ err.code = errno;
+ err.desc = file;
+ return glite_jp_stack_error(ctx,&err);
+ }
+
+ ctx->trusted_peers = NULL;
+ while (!feof(f)) {
+ char buf[BUFSIZ];
+
+ if (fscanf(f,"%[^\n]\n",buf) != 1) {
+ err.code = EINVAL;
+ err.desc = file;
+ fclose(f);
+ return glite_jp_stack_error(ctx,&err);
+ }
+
+ ctx->trusted_peers = realloc(ctx->trusted_peers, (cnt+1) * sizeof *ctx->trusted_peers);
+ ctx->trusted_peers[cnt++] = strdup(buf);
+ ctx->trusted_peers[cnt] = NULL;
+ }
+ fclose(f);
+ return 0;
+}
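Review bot: glite_jpps_readauth grows the trusted-peer array by one element per line but writes two (`ctx->trusted_peers[cnt++] = strdup(buf);` then `ctx->trusted_peers[cnt] = NULL;`), so the NULL terminator lands one past the allocation; the realloc needs `(cnt+2) * sizeof *ctx->trusted_peers`. The `fscanf(f,"%[^\n]\n",buf)` conversion has no field width, so a line longer than BUFSIZ in the trust file overflows the stack buffer, and a blank line makes the conversion fail and aborts the load with EINVAL; reading with fgets and trimming the newline avoids both. The results of realloc and strdup are not checked, and the file calls memset, strcmp and strdup without including <string.h>. In glite_jpps_authz both strcmp calls assume ctx->peer is non-NULL; if an unauthenticated connection can leave it unset (not visible here) the comparisons need a guard that denies. The default branch stores the address of the local `buf` in err.desc, which is only safe if glite_jp_stack_error copies the description rather than keeping the pointer.
```c
	/* … unchanged: fopen, err setup and the !f error path … */

	char buf[BUFSIZ];

	ctx->trusted_peers = NULL;
	while (fgets(buf, sizeof buf, f)) {
		char **tmp;
		size_t len = strlen(buf);

		if (len && buf[len-1] == '\n') buf[--len] = 0;
		else if (!feof(f)) {	/* line did not fit into buf */
			err.code = EINVAL;
			err.desc = file;
			fclose(f);
			return glite_jp_stack_error(ctx,&err);
		}
		if (!len) continue;	/* skip blank lines */

		/* cnt entries in use + the new one + NULL terminator */
		tmp = realloc(ctx->trusted_peers, (cnt+2) * sizeof *tmp);
		if (!tmp) {
			err.code = ENOMEM;
			fclose(f);
			return glite_jp_stack_error(ctx,&err);
		}
		ctx->trusted_peers = tmp;
		tmp[cnt] = tmp[cnt+1] = NULL;	/* keep the list terminated even if strdup fails */
		if (!(tmp[cnt] = strdup(buf))) {
			err.code = ENOMEM;
			fclose(f);
			return glite_jp_stack_error(ctx,&err);
		}
		cnt++;
	}
	fclose(f);
	return 0;
```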
--- /dev/null
+/**
+ * Check authorisation of JPPS operation on job.
+ *
+ * \param[in] ctx JP context including peer name & other credentials (VOMS etc.)
+ * \param[in] op operation, one of SOAP_TYPE___jpsrv__*
+ * \param[in] job jobid of the job to decide upon
+ * \param[in] owner current known owner of the job (may be NULL), shortcut to avoid
+ * unnecessary database query.
+ *
+ * \retval 0 OK, operation permitted
+ * \retval EPERM denied
+ * \retval other error
+ */
+
+int glite_jpps_authz(glite_jp_context_t ctx,int op,const char *job,const char *owner);
+
+int glite_jpps_readauth(glite_jp_context_t ctx,const char *file);
+
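Review bot: `glite_jpps_readauth` is declared without a doc comment while `glite_jpps_authz` just above it has a full one; suggest `/** Load trusted peer identities, one per line, from file into ctx->trusted_peers. \retval 0 OK \retval other error stacked in ctx */`, and state what happens to a previously loaded list. The comment on glite_jpps_authz describes `job` as the jobid to decide upon, but the implementation in authz.c never reads it; mark the parameter as reserved for future per-job decisions so callers do not assume it is consulted.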
b_argc = p_argc = 1;
- while ((opt = getopt(argc,argv,"B:P:")) != EOF) switch (opt) {
+ while ((opt = getopt(argc,argv,"B:P:a:")) != EOF) switch (opt) {
case 'B':
assert(b_argc < 20);
if (com = strchr(optarg,',')) *com = 0;
p_argv[p_argc++] = optarg;
break;
+ case 'a':
+ if (glite_jpps_readauth(ctx,optarg)) {
+ fprintf(stderr,"%s: %s\n",argv[0],glite_jp_error_chain(ctx));
+ exit (1);
+ }
+ break;
case '?': fprintf(stderr,"usage: %s: -Bb,val ... -Pplugin.so ...\n"
"b is backend option\n",argv[0]);
exit (1);
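Review bot: the usage text printed in `case '?'` still lists only -B and -P although the option string now accepts `a:`; extend it, e.g. `"usage: %s: -Bb,val ... -Pplugin.so ... -a trusted_peers_file\n"`. The new case relies on `ctx` being fully initialised before the getopt loop, which is not visible in this hunk. When -a is omitted, trusted_peers presumably stays NULL and glite_jpps_authz then denies every RegisterJob/StartUpload/CommitUpload call, which is reasonable fail-closed behaviour but deserves a startup log line so operators can tell why. The enclosing function starts and ends outside the hunk.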
#include "backend.h"
#include "db.h"
+#include "jpps_H.h" /* XXX: SOAP_TYPE___jpsrv__GetJob */
+
#define FTPBE_DEFAULT_DB_CS "jpps/@localhost:jpps"
struct ftpbe_config {
glite_jp_db_freestmt(&db_res);
- /* XXX authorization */
+ /* XXX authorization done in soap_ops.c */
/* XXX name length */
if (asprintf(&data_basename, "%s%s%s", class,
char *stmt = NULL;
glite_jp_db_stmt_t db_res;
int db_retn;
- char *db_row[2] = { NULL, NULL };
+ char *db_row[3] = { NULL, NULL, NULL };
long reg_time;
glite_jp_error_t err;
if (jobid_unique_pathname(ctx, job, &ju, &ju_path, 1) != 0) {
err.code = ctx->error->code;
- err.desc = "Cannot obtain jobid unique path/name";
+ err.desc = "Cannot obtain jobid unique path/ : ""name";
return glite_jp_stack_error(ctx,&err);
}
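Review bot: the message at `err.desc = "Cannot obtain jobid unique path/ : ""name";` now reads "…path/ : name" through literal concatenation, which looks like an accidental edit of the original `"Cannot obtain jobid unique path/name"`; restore the original literal. The enclosing function starts and ends outside this hunk.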
- trio_asprintf(&stmt, "select owner, reg_time from jobs "
- "where jobid='%|Ss'", ju);
+ trio_asprintf(&stmt, "select j.owner,reg_time,u.cert_subj from jobs j, users u "
+ "where j.jobid='%|Ss' and j.owner = u.userid", ju);
if (!stmt) {
err.code = ENOMEM;
}
db_retn = glite_jp_db_fetchrow(db_res, db_row);
- if (db_retn != 2) {
+ if (db_retn != 3) {
glite_jp_db_freestmt(&db_res);
err.code = EIO;
err.desc = "DB access failed";
}
glite_jp_db_freestmt(&db_res);
+
+ if (glite_jpps_authz(ctx,SOAP_TYPE___jpsrv__GetJob,job,db_row[2])) {
+ err.code = EPERM;
+ goto error_out;
+ }
/* XXX name length */
if (asprintf(&data_basename, "%s%s%s", class,
- (name != NULL) ? "." : "", name) == -1) {
+ (name != NULL) ? "." : "",
+ (name != NULL) ? name : "") == -1) {
err.code = ENOMEM;
goto error_out;
}
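Review bot: after the denied authorisation at `if (glite_jpps_authz(ctx,SOAP_TYPE___jpsrv__GetJob,job,db_row[2]))` the code sets `err.code = EPERM` and jumps to error_out, but glite_jpps_authz has already stacked an EPERM error on ctx; if error_out stacks `err` as well (it is outside the hunk) the denial is reported twice, with `err.desc` left at whatever it last held. The strings returned by glite_jp_db_fetchrow in db_row, including the new db_row[2], are not released on either path within this hunk; if the existing code frees db_row[0] and db_row[1] elsewhere, the third column needs the same handling or it leaks on every request. The enclosing function starts and ends outside the hunk.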
struct soap *soap,
struct _jpelem__RegisterJob *in,
struct _jpelem__RegisterJobResponse *empty)
-// struct __jpsrv__RegisterJobResponse *empty)
{
CONTEXT_FROM_SOAP(soap,ctx);
glite_jp_attrval_t owner_val[2];
printf("%s %s %s\n",__FUNCTION__,in->job,in->owner);
- if (glite_jppsbe_register_job(ctx,in->job,in->owner)) {
+ if (glite_jpps_authz(ctx,SOAP_TYPE___jpsrv__RegisterJob,in->job,in->owner) ||
+ glite_jppsbe_register_job(ctx,in->job,in->owner))
+ {
err2fault(ctx,soap);
return SOAP_FAULT;
}
glite_jp_clear_error(ctx);
memset(&err,0,sizeof err);
+ if (glite_jpps_authz(ctx,SOAP_TYPE___jpsrv__StartUpload,NULL,NULL)) {
+ err2fault(ctx,soap);
+ return SOAP_FAULT;
+ }
+
switch (glite_jpps_fplug_lookup(ctx,in->class_,&pd)) {
case ENOENT:
err.code = ENOENT;
job = class = name = NULL;
- if (glite_jppsbe_commit_upload(ctx,in->destination)) {
+ if (glite_jpps_authz(ctx,SOAP_TYPE___jpsrv__CommitUpload,NULL,NULL) ||
+ glite_jppsbe_commit_upload(ctx,in->destination))
+ {
err2fault(ctx,soap);
return SOAP_FAULT;
}