/* authorization check */
if ( !(ctx->noAuth) &&
- (!(ctx->peerName) || strcmp(ctx->peerName, jobstat.pub.owner))) {
+ (!(ctx->peerName) || !edg_wll_gss_equal_subj(ctx->peerName, jobstat.pub.owner))) {
intErr = (acl == NULL) || edg_wll_CheckACL(ctx, acl, EDG_WLL_PERM_READ);
if (intErr) {
free(string_jobid);
char *names, *values;
char *data;
char *tmp;
+ char *tmpval;
edg_wll_IColumnRec *job_index_cols = (edg_wll_IColumnRec *)job_index_cols_v;
edg_wll_ResetError(ctx);
data = NULL;
switch (job_index_cols[i].qrec.attr) {
case EDG_WLL_QUERY_ATTR_OWNER:
- if (stat->pub.owner)
- trio_asprintf(&data, "'%|Ss'", stat->pub.owner);
- else data = strdup("''");
+ if (stat->pub.owner) {
+ tmpval = edg_wll_gss_normalize_subj(stat->pub.owner, 0);
+ trio_asprintf(&data, "'%|Ss'", tmpval);
+ free(tmpval);
+ } else data = strdup("''");
break;
case EDG_WLL_QUERY_ATTR_LOCATION:
if (stat->pub.location)
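Review bot: In the OWNER case the result of `edg_wll_gss_normalize_subj` goes straight into `trio_asprintf` with no check. The helper returns memory the caller frees, so it can presumably fail and return NULL, and the index column would then be built from a null pointer instead of the owner. A guard such as `if (!tmpval) { edg_wll_SetError(ctx, ENOMEM, "normalize owner"); break; }` would keep a bogus owner out of the index; the function's actual error path is outside the visible lines, so adapt the exit to it. The same unchecked pattern recurs wherever `can_peername` or `username` is built: the users lookup, the event query, the status-condition builder, the store path and the user-jobs query.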
char *userid = NULL,
*q = NULL;
int ret;
-
+ char *can_peername = NULL;
if ( !ctx->peerName )
{
edg_wll_SetError(ctx, EPERM, "Annonymous access not allowed");
goto cleanup;
}
- trio_asprintf(&q, "select userid from users where cert_subj='%|Ss'", ctx->peerName);
+ can_peername = edg_wll_gss_normalize_subj(ctx->peerName, 0);
+ trio_asprintf(&q, "select userid from users where cert_subj='%|Ss'", can_peername);
if ( edg_wll_ExecStmt(ctx, q, &stmt) < 0 )
goto cleanup;
}
free(q);
trio_asprintf(&q, "insert into users(userid,cert_subj) values ('%|Ss','%|Ss')",
- userid, ctx->peerName);
+ userid, can_peername);
if ( edg_wll_ExecStmt(ctx, q, NULL) < 0 )
{
if ( edg_wll_Error(ctx,NULL,NULL) != EEXIST )
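Review bot: The insert now writes the normalized subject into `cert_subj`, but `userid` is computed outside the visible lines. If it is still derived from `ctx->peerName` rather than from `can_peername`, the row pairs an id from one subject format with a subject string in the other, and lookups that hash the normalized name would not find it. Please confirm this and state the invariant next to the insert, e.g. `/* userid must be the hash of the normalized subject */`. Separately, the select matches only the canonical form, so a user row stored earlier under the old format would be missed and a second row created; that is presumably intended for the transition but deserves a comment.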
cleanup:
if ( q ) free(q);
if ( stmt ) edg_wll_FreeStmt(&stmt);
+ free(can_peername);
return userid;
}
int ret;
+ /* XXX: rewrite select below in order to handle cert_subj format changes */
if ( !(user = get_user(ctx, 0)) )
{
if ( !edg_wll_Error(ctx, NULL, NULL) )
offset = 0, limit = 0,
limit_loop = 1,
eperm = 0;
-
+ char *peerid = NULL;
+ char *can_peername = NULL, *can_peerid = NULL;
edg_wll_ResetError(ctx);
!(job_where = jc_to_head_where(ctx, job_conditions, &i)) )
goto cleanup;
+ peerid = strdup(strmd5(ctx->peerName,NULL));
+ can_peername = edg_wll_gss_normalize_subj(ctx->peerName, 0);
+ can_peerid = strdup(strmd5(can_peername,NULL));
+
/* XXX: similar query in srv_purge.c ! They has to match due to common
* convert_event_head() called on the result
*/
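Review bot: `strmd5(ctx->peerName,NULL)` and `edg_wll_gss_normalize_subj(ctx->peerName, 0)` now run unconditionally, yet the later authorization test still has `!ctx->peerName ||` in front of the comparison, which implies peerName can be NULL at this point. The old code hashed the name only after that short-circuit. Unless both helpers and `strdup` are known to tolerate NULL, wrap the three assignments in `if (ctx->peerName) { ... }` and leave `peerid`, `can_peername` and `can_peerid` NULL otherwise; the cleanup `free()` calls already handle that. The enclosing function starts and ends outside this hunk.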
if ( !noAuth )
{
- if (!ctx->peerName || strcmp(res[1],strmd5(ctx->peerName,NULL))) {
+ if (!ctx->peerName || (strcmp(res[1],peerid) && strcmp(res[1], can_peerid))) {
edg_wll_Acl acl = NULL;
char *jobid = NULL;
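Review bot: The owner test accepts a row whose stored id equals either the hash of the raw peer name or the hash of the normalized one, and nothing in the code says why both are allowed. Since this comparison decides whether the ACL check is skipped, a comment such as `/* stored ids may predate subject normalization: accept the legacy hash as well as the canonical one */` would tell a later reader that the first `strcmp` is a compatibility path and can be dropped once old rows are migrated.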
free(qbase);
free(job_where);
free(event_where);
+ free(peerid);
+ free(can_peername); free(can_peerid);
return edg_wll_Error(ctx,NULL,NULL);
}
int ct, n, m;
char *aux,
*tmps,
+ *tmps2,
*dbt,
*cname = NULL,
msg[100];
char *conds, *retconds;
-
+ char *can_peername = NULL;
retconds = conds = NULL;
return NULL;
}
+ tmps2 = edg_wll_gss_normalize_subj(jc[m][n].value.c);
+ if (!jc[m][n].value.c && !can_peername) {
+ can_peername = edg_wll_gss_normalize_subj(ctx->peerName, 0);
+ }
+
*where_flags |= FL_SEL_STATUS;
if ( conds )
{
if ( jc[m][n].value.c )
- trio_asprintf(&tmps, "%s OR s.%s%s'%|Ss'", conds, cname, opToString(jc[m][n].op), jc[m][n].value.c);
+ trio_asprintf(&tmps, "%s OR s.%s%s'%|Ss'", conds, cname, opToString(jc[m][n].op), tmps2);
else
- trio_asprintf(&tmps, "%s OR s.%s%s'%|Ss'", conds, cname, opToString(jc[m][n].op), ctx->peerName);
+ trio_asprintf(&tmps, "%s OR s.%s%s'%|Ss'", conds, cname, opToString(jc[m][n].op), can_peername);
free(conds); conds = tmps;
}
else
{
if ( jc[m][n].value.c )
- trio_asprintf(&conds, "s.%s%s'%|Ss'", cname, opToString(jc[m][n].op), jc[m][n].value.c);
+ trio_asprintf(&conds, "s.%s%s'%|Ss'", cname, opToString(jc[m][n].op), tmps2);
else
- trio_asprintf(&conds, "s.%s%s'%|Ss'", cname, opToString(jc[m][n].op), ctx->peerName);
+ trio_asprintf(&conds, "s.%s%s'%|Ss'", cname, opToString(jc[m][n].op), can_peername);
}
+ free(tmps2);
break;
case EDG_WLL_QUERY_ATTR_DONECODE:
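Review bot: `edg_wll_gss_normalize_subj(jc[m][n].value.c)` is called with one argument while every other call in this change passes a second one (`, 0`), so this line either fails against the prototype or silently relies on a mismatched declaration. It also runs before the `!jc[m][n].value.c` test, so a NULL value reaches the helper. Suggested: `tmps2 = jc[m][n].value.c ? edg_wll_gss_normalize_subj(jc[m][n].value.c, 0) : NULL;`. `can_peername` is allocated lazily inside the loop and freed only at the final return, so any earlier `return NULL` in the part of the function outside this hunk would leak it.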
}
}
+ free(can_peername);
return retconds;
}
case EDG_WLL_QUERY_ATTR_OWNER:
if (stat->owner) {
if (conds[i][j].value.c) {
- if (!strcmp(conds[i][j].value.c, stat->owner) ) {
+ if (edg_wll_gss_equal_subj(conds[i][j].value.c, stat->owner) ) {
if ( conds[i][j].op == EDG_WLL_QUERY_OP_EQUAL ) goto or_satisfied;
} else if ( conds[i][j].op == EDG_WLL_QUERY_OP_UNEQUAL ) goto or_satisfied;
} else if (ctx->peerName) {
- if (!strcmp(ctx->peerName, stat->owner) ) {
+ if (edg_wll_gss_equal_subj(ctx->peerName, stat->owner) ) {
if ( conds[i][j].op == EDG_WLL_QUERY_OP_EQUAL ) goto or_satisfied;
} else if ( conds[i][j].op == EDG_WLL_QUERY_OP_UNEQUAL ) goto or_satisfied;
}
char *username;
if (!ctx->isProxy && ctx->peerName != NULL) {
- username = ctx->peerName;
- userid_job = strdup(strmd5(username, NULL));
- if (strcmp(username,e->any.user)) {
- if ((err = store_user(ctx,userid_job, username))) goto clean;
- }
+ username = edg_wll_gss_normalize_subj(ctx->peerName, 0);
} else {
- username = e->any.user;
- userid_job = strdup(userid);
+ username = edg_wll_gss_normalize_subj(e->any.user, 0);
+ }
+ userid_job = strdup(strmd5(username, NULL));
+ if (strcmp(username,e->any.user)) {
+ if ((err = store_user(ctx,userid_job, username))) goto clean;
}
if ((err = store_user(ctx,userid,e->any.user))) goto clean;
if ((err = store_job(ctx,e->any.jobId,userid_job))) goto clean;
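Review bot: `username` used to borrow `ctx->peerName` or `e->any.user`, and now owns the buffer returned by `edg_wll_gss_normalize_subj`, but no `free(username)` is added in the visible lines and every `goto clean` leaves with it allocated. Unless the `clean:` label (outside this hunk) already frees it, declare it as `char *username = NULL;` and add `free(username);` there. The result should also be checked for NULL before `strmd5(username, NULL)` and `strcmp(username,e->any.user)` use it, because a failed normalization would otherwise decide which user id the job is stored under.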
char *jobid = edg_wlc_JobIdGetUnique(e->any.jobId);
char *q = NULL,*owner = NULL;
edg_wll_Stmt stmt = NULL;
- char *user;
edg_wll_ResetError(ctx);
+ if (!ctx->isProxy && !ctx->peerName)
+ return edg_wll_SetError(ctx,EPERM,"can't store using unauthenticated connection");
+
if (e->type == EDG_WLL_EVENT_REGJOB)
- return ((ctx->isProxy || ctx->peerName) &&
- strcmp(e->any.user,EDG_WLL_LOG_USER_DEFAULT)) ?
+ return strcmp(e->any.user,EDG_WLL_LOG_USER_DEFAULT) ?
0 : edg_wll_SetError(ctx,EPERM,"can't register jobs anonymously");
- trio_asprintf(&q,"select userid from jobs where jobid='%|Ss'",jobid);
+ trio_asprintf(&q,"select u.cert_subj from jobs j, users u "
+ "where j.jobid='%|Ss' and u.userid=j.userid",jobid);
if (edg_wll_ExecStmt(ctx,q,&stmt) < 0
|| edg_wll_FetchRow(stmt,&owner) < 0
case EDG_WLL_SOURCE_USER_INTERFACE:
case EDG_WLL_SOURCE_LRMS:
case EDG_WLL_SOURCE_APPLICATION:
- user = strmd5(e->any.user,NULL);
- if (strcmp(owner,user)) edg_wll_SetError(ctx,EPERM,"check_auth()");
+ if (!edg_wll_gss_equal_subj(owner,e->any.user))
+ edg_wll_SetError(ctx,EPERM,"check_auth()");
break;
default:
/* XXX: just don't allow anonymous */
edg_wlc_JobId **jobs,
edg_wll_JobStat **states)
{
- char *userid = strmd5(ctx->peerName,NULL),*stmt = NULL,
+ char *userid, *stmt = NULL,
*res = NULL;
+ char *can_peername;
int njobs = 0,ret,i;
edg_wlc_JobId *out = NULL;
edg_wll_Stmt sth = NULL;
edg_wll_ErrorCode err = 0;
edg_wll_ResetError(ctx);
+
+ can_peername = edg_wll_gss_normalize_subj(ctx->peerName, 0);
+ userid = strmd5(can_peername,NULL);
+ free(can_peername);
trio_asprintf(&stmt,"select cert_subj from users where userid = '%|Ss'",userid);