int
-check_authz_policy(edg_wll_Context ctx, edg_wll_authz_policy policy,
+check_authz_policy(edg_wll_authz_policy policy,
+ edg_wll_GssPrincipal principal,
authz_action action)
{
int i;
return 1;
switch (r->attr_id) {
case ATTR_SUBJECT:
- if (edg_wll_gss_equal_subj(r->attr_value, ctx->peerName))
+ if (edg_wll_gss_equal_subj(r->attr_value, principal->name))
return 1;
break;
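Review bot: `principal->name` goes straight into edg_wll_gss_equal_subj with no check that `principal` or its name is set, so the function now depends entirely on every caller filling the struct in; the server path still hands over ctx->peerName, which I assume may be NULL for an unauthenticated peer, and what the comparison does with a NULL subject is not visible here. A deny-by-default guard at the top of check_authz_policy (its signature is in the preceding hunk) would make this explicit: `if (!principal || !principal->name) return 0;`, assuming 0 is the no-match result as the callers' `== 1` tests suggest. The rest of the function, including the loop over policy rules that defines `r`, lies outside this hunk.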
case ATTR_FQAN:
- for (f = ctx->fqans; f && *f; f++)
+ for (f = principal->fqans; f && *f; f++)
if (strcmp(r->attr_value, *f) == 0)
return 1;
break;
return attr_id_names[i].id;
return ATTR_UNDEF;
}
+
+int
+blacken_fields(edg_wll_JobStat *stat, int flags)
+{
+ edg_wll_JobStat new_stat;
+
+ memset(&new_stat, 0, sizeof(new_stat));
+
+ if (flags & STATUS_FOR_RTM) {
+ new_stat.state = stat->state;
+ /* XXX save anything else */
+ }
+
+ edg_wll_FreeStatus(stat);
+ memset(stat, 0, sizeof(*stat));
+ edg_wll_CpyStatus(&new_stat, stat);
+ edg_wll_FreeStatus(&new_stat);
+ return 0;
+}
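Review bot: blacken_fields releases the members of `stat` with edg_wll_FreeStatus before rebuilding it, so it is only safe on a status that owns its pointer fields; neither the function nor its prototype says so, and a caller holding a shallow by-value copy would free memory it does not own. The result of edg_wll_CpyStatus is discarded as well: if the copy fails the caller is left with an all-zero status and a 0 return. Suggest a header comment stating that the function replaces *stat in place, frees its previous contents and therefore requires an owning copy, and that any `flags` value without STATUS_FOR_RTM leaves nothing but zeros (fail-closed, since every bit set by the ACL code now routes here). Assuming edg_wll_CpyStatus follows the usual edg_wll_* zero-on-success convention, propagate its result: `ret = edg_wll_CpyStatus(&new_stat, stat);` `edg_wll_FreeStatus(&new_stat);` `return ret;` with `int ret;` declared at the top.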
#include <glite/lb/context-int.h>
#include <glite/lb/authz.h>
+#include <glite/security/glite_gss.h>
typedef enum {
ACTION_UNDEF = 0,
parse_server_policy(edg_wll_Context ctx, const char *filename, edg_wll_authz_policy policy);
int
-check_authz_policy(edg_wll_Context, edg_wll_authz_policy, authz_action);
+check_authz_policy(edg_wll_authz_policy, edg_wll_GssPrincipal, authz_action);
authz_action
find_authz_action(const char *name);
authz_attr_id
find_authz_attr(const char *name);
+int
+blacken_fields(edg_wll_JobStat *, int flags);
+
#endif
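Review bot: The new blacken_fields prototype carries no documentation although its contract is destructive (it frees and replaces the contents of the status passed in), and it names one parameter but not the other, unlike the neighbouring prototypes which name none. Suggest a comment above it such as `/* Reduce *stat to what flags allow (STATUS_FOR_RTM keeps only state); frees the old contents in place, so stat must own them. Returns 0. */` and either `blacken_fields(edg_wll_JobStat *, int);` or names for both parameters, matching check_authz_policy above.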
#include "il_notification.h"
#include "lb_xml_parse.h"
-
+#include "authz_policy.h"
#define FCNTL_ATTEMPTS 5
int port,
const char *owner,
int flags,
+ int authz_flags,
int expires,
const edg_wll_JobStat notif_job_stat)
{
stat.condor_jdl = NULL;
stat.rsl = NULL;
}
+ if (authz_flags)
+ blacken_fields(&stat, authz_flags);
if(edg_wll_JobStatusToXML(context, stat, &xml_data))
goto out;
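Review bot: `stat` in edg_wll_NotifJobStatus looks like a by-value copy of `notif_job_stat` — the two assignments just above clear pointer fields rather than freeing them — and if so, blacken_fields calls edg_wll_FreeStatus on strings still referenced by the caller's status, which the notification loop goes on to use, giving a use-after-free or double free the first time a restricted recipient is matched. Either make `stat` an owning copy (`edg_wll_CpyStatus(&notif_job_stat, &stat)` before the jdl fields are cleared, freed on the `out:` path) or have blacken_fields build the reduced status without freeing its input. The function's start and its cleanup are outside this hunk, so I could not confirm how `stat` is initialised.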
int port,
const char *owner,
int flags,
+ int authz_flags,
int expires,
const edg_wll_JobStat notif_job_stat);
edg_wll_Acl acl,
int *flags)
{
+ struct _edg_wll_GssPrincipal_data princ;
+
*flags = 0;
if (ctx->noAuth)
return 1;
if (acl && edg_wll_CheckACL(ctx, acl, EDG_WLL_CHANGEACL_READ) == 0)
return 1;
edg_wll_ResetError(ctx);
- if (check_authz_policy(ctx, &ctx->authz_policy, STATUS_FOR_RTM)) {
+ princ.name = ctx->peerName;
+ princ.fqans = ctx->fqans;
+ if (check_authz_policy(&ctx->authz_policy, &princ, STATUS_FOR_RTM)) {
*flags |= STATUS_FOR_RTM;
return 1;
}
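Review bot: `princ` is only partially initialised here — `name` and `fqans` are assigned but the rest of struct _edg_wll_GssPrincipal_data is left as stack garbage, whereas the other two new call sites memset it first. check_authz_policy only reads those two members today, but nothing enforces that, so zero it for consistency: `memset(&princ, 0, sizeof(princ));` right after the declaration. The enclosing function's signature starts before this hunk.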
free(string_jobid);
free(md5_jobid);
- if (authz_flags && authz_flags & STATUS_FOR_RTM) {
- edg_wll_JobStat new_stat;
-
- memset(&new_stat, 0, sizeof(new_stat));
- new_stat.state = stat->state;
- /* XXX save anything else */
-
- edg_wll_FreeStatus(stat);
- memset(stat, 0, sizeof(*stat));
- edg_wll_CpyStatus(&new_stat, stat);
- }
+ if (authz_flags)
+ blacken_fields(stat, authz_flags);
return edg_wll_Error(ctx, NULL, NULL);
}
char *user_dn;
int ret;
edg_wll_Context ctx;
+ struct _edg_wll_GssPrincipal_data princ;
X509 *cert = NULL;
STACK_OF(X509) * chain = NULL;
void *cred = NULL;
int err;
authz_action action;
+ memset(&princ, 0, sizeof(princ));
+
lcas_log_debug(1,"\t%s-plugin: checking LB access policy\n",
modname);
goto end;
}
-
user_dn = lcas_get_dn(lcas_cred);
if (user_dn == NULL) {
lcas_log(0, "lcas.mod-lb() error: user DN empty\n");
ret = LCAS_MOD_FAIL;
goto end;
}
- ctx->peerName = strdup(user_dn);
+ princ.name = user_dn;
cred = lcas_get_gss_cred(lcas_cred);
if (cred == NULL) {
ret = VOMS_RetrieveFromCred(cred, RECURSE_CHAIN, voms_info, &err);
if (ret == 1)
- edg_wll_get_fqans(ctx, voms_info, &ctx->fqans);
+ edg_wll_get_fqans(ctx, voms_info, &princ.fqans);
}
- ret = check_authz_policy(ctx, edg_wll_get_server_policy(), action);
+ ret = check_authz_policy(edg_wll_get_server_policy(), &princ, action);
ret = (ret == 1) ? LCAS_MOD_SUCCESS : LCAS_MOD_FAIL;
end:
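Review bot: edg_wll_get_fqans now fills `princ.fqans`, a local, where the old code stored the list in ctx->fqans; unless the `end:` cleanup (outside this hunk) frees each string and the array, every invocation of the plugin leaks the FQAN list, which I assume previously went away with the context. Free `princ.fqans` at `end:`, or keep storing the list in ctx and point `princ.fqans` at it. Note also that `princ.name = user_dn` borrows the DN from LCAS instead of owning a strdup'd copy, so user_dn must remain valid until check_authz_policy returns — true in the visible code, but worth a comment such as `/* princ borrows user_dn; do not free it before the policy check */`.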
#include "il_notification.h"
#include "db_supp.h"
#include "index.h"
+#include "authz_policy.h"
static int notif_match_conditions(edg_wll_Context,const edg_wll_JobStat *,const edg_wll_JobStat *,const char *);
-static int notif_check_acl(edg_wll_Context,const edg_wll_JobStat *,const char *);
+static int notif_check_acl(edg_wll_Context,const edg_wll_JobStat *,const char *, int *);
extern int debug;
edg_wll_NotifId nid = NULL;
char *jobq,*ju = NULL,*jobc[6];
glite_lbu_Statement jobs = NULL;
- int ret,i;
+ int ret,i,authz_flags = 0;
time_t expires,now = time(NULL);
char *cond_where = NULL;
getpid(),jobc[0],asctime(gmtime(&expires)));
}
else if (notif_match_conditions(ctx,oldstat,stat,jobc[4]) &&
- notif_check_acl(ctx,stat,jobc[3]))
+ notif_check_acl(ctx,stat,jobc[3], &authz_flags))
{
char *dest, *aux;
int port;
/* XXX: only temporary hack!!!
*/
ctx->p_instance = strdup("");
- if ( edg_wll_NotifJobStatus(ctx, nid, dest, port, jobc[3], atoi(jobc[5]), expires, *stat) )
+ if ( edg_wll_NotifJobStatus(ctx, nid, dest, port, jobc[3], atoi(jobc[5]), authz_flags, expires, *stat) )
{
free(dest);
for (i=0; i<sizeof(jobc)/sizeof(jobc[0]); i++) free(jobc[i]);
* effective VOMS groups of the recipient are not available here, should be
* probably stored along with the registration.
*/
-static int notif_check_acl(edg_wll_Context ctx,const edg_wll_JobStat *stat,const char *recip)
+static int notif_check_acl(edg_wll_Context ctx,const edg_wll_JobStat *stat,const char *recip, int *authz_flags)
{
edg_wll_Acl acl = calloc(1,sizeof *acl);
int ret;
+ struct _edg_wll_GssPrincipal_data princ;
+
+ memset(&princ, 0, sizeof(princ));
+ *authz_flags = 0;
edg_wll_ResetError(ctx);
if (strcmp(stat->owner,recip) == 0
|| edg_wll_amIroot(recip,NULL,ctx->super_users)) return 1;
- if (stat->acl == NULL) return 0;
+ if (stat->acl) {
+ ret = edg_wll_DecodeACL(stat->acl,&acl->value);
+ if (ret) {
+ edg_wll_FreeAcl(acl);
+ edg_wll_SetError(ctx,EINVAL,"decoding ACL");
+ return 0;
+ }
- ret = edg_wll_DecodeACL(stat->acl,&acl->value);
- if (ret) {
+ acl->string = stat->acl;
+ ret = edg_wll_CheckACL(ctx, acl, EDG_WLL_CHANGEACL_READ);
+ acl->string = NULL;
edg_wll_FreeAcl(acl);
- edg_wll_SetError(ctx,EINVAL,"decoding ACL");
- return 0;
+ if (ret == 0)
+ return 1;
+ edg_wll_ResetError(ctx);
}
- acl->string = stat->acl;
-
- ret = edg_wll_CheckACL(ctx, acl, EDG_WLL_CHANGEACL_READ);
-
- acl->string = NULL;
- edg_wll_FreeAcl(acl);
+ princ.name = (char *)recip;
+ if (check_authz_policy(&ctx->authz_policy, &princ, STATUS_FOR_RTM)) {
+ *authz_flags |= STATUS_FOR_RTM;
+ return 1;
+ }
- return !ret;
+ return 0;
}
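Review bot: `acl` is allocated with calloc on the second line of the function but only freed inside the `if (stat->acl)` branch, so the new fall-through to the policy check — like the pre-existing owner/super-user early return — leaks it whenever the status carries no ACL; moving the allocation into the branch (`edg_wll_Acl acl = calloc(1,sizeof *acl);` as its first statement, dropping the top-of-function one) closes both paths. Separately, `princ.fqans` stays NULL here, so a policy rule that grants STATUS_FOR_RTM by ATTR_FQAN can never match a notification recipient — only ATTR_SUBJECT rules apply; that fails closed, but the comment above the function should say so, e.g. `/* the recipient's FQANs are unknown here, so only subject-based policy rules can grant RTM access */`. The `(char *)recip` cast also suggests the principal's `name` member could be `const char *`.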