From 0cb71890237dcd7c562e3f7772d2fd2766dc7ef9 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Daniel=20Kou=C5=99il?=
Date: Tue, 30 Mar 2010 22:00:28 +0000
Subject: [PATCH] Primarily use the LB internal authZ routine to check the access rights on the consumer side. LCAS can be configured to provide additional authZ.
---
 org.glite.lb.server/src/bkindex.c | 1 +
 org.glite.lb.server/src/bkserverd.c | 2 +-
 org.glite.lb.server/src/db_store.c | 3 +--
 org.glite.lb.server/src/lb_authz.c | 35 +++++++++++++++++++++++++----------
 org.glite.lb.server/src/mon-db.c | 1 +
 5 files changed, 29 insertions(+), 13 deletions(-)
diff --git a/org.glite.lb.server/src/bkindex.c b/org.glite.lb.server/src/bkindex.c
index ffa359a..ed18343 100644
--- a/org.glite.lb.server/src/bkindex.c
+++ b/org.glite.lb.server/src/bkindex.c
@@ -47,6 +47,7 @@ char *server_key,*server_cert;
 int enable_lcas;
 int proxy_purge;
 struct _edg_wll_authz_policy authz_policy;
+char *policy_file = NULL;
 static struct option opts[] = {
 { "mysql",1,NULL,'m' },
diff --git a/org.glite.lb.server/src/bkserverd.c b/org.glite.lb.server/src/bkserverd.c
index b4dfe34..eb6ceb4 100644
--- a/org.glite.lb.server/src/bkserverd.c
+++ b/org.glite.lb.server/src/bkserverd.c
@@ -182,7 +182,7 @@ static int con_queue = CON_QUEUE;
 static char host[300];
 static char * port;
 static time_t rss_time = 60*60;
-static char * policy_file = NULL;
+char * policy_file = NULL;
 struct _edg_wll_authz_policy authz_policy = { NULL, 0};
diff --git a/org.glite.lb.server/src/db_store.c b/org.glite.lb.server/src/db_store.c
index ac5df0d..bfa4c3c 100644
--- a/org.glite.lb.server/src/db_store.c
+++ b/org.glite.lb.server/src/db_store.c
@@ -41,7 +41,6 @@ limitations under the License.
 extern int unset_proxy_flag(edg_wll_Context, edg_wlc_JobId);
-extern int enable_lcas;
 extern int proxy_purge;
@@ -66,7 +65,7 @@ db_store(edg_wll_Context ctx, char *event)
 local_job = is_job_local(ctx, ev->any.jobId);
- if (enable_lcas && check_store_authz(ctx, ev) != 0)
+ if (check_store_authz(ctx, ev) != 0)
 goto err;
 #ifdef LB_PERF
diff --git a/org.glite.lb.server/src/lb_authz.c b/org.glite.lb.server/src/lb_authz.c
index 85ac4b8..f4cfce9 100644
--- a/org.glite.lb.server/src/lb_authz.c
+++ b/org.glite.lb.server/src/lb_authz.c
@@ -43,6 +43,8 @@ GRSTgaclEntry *GACLparseEntry(xmlNodePtr cur);
 extern char *server_key;
 extern char *server_cert;
 extern struct _edg_wll_authz_policy authz_policy;
+extern int enable_lcas;
+extern char *policy_file;
 int edg_wll_get_fqans(edg_wll_Context ctx, struct vomsdata *voms_info,
@@ -892,8 +894,11 @@ check_store_authz(edg_wll_Context ctx, edg_wll_Event *ev)
 const char *request = NULL;
 int ret;
 authz_action action;
+ struct _edg_wll_GssPrincipal_data princ;
- /* XXX make a real RSL ? */
+ /* by default the server is open to any authenticated client */
+ if (policy_file == NULL)
+ return 0;
 switch (ev->any.type) {
 case EDG_WLL_EVENT_REGJOB:
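Review bot: With the `enable_lcas &&` guard dropped from the call in db_store(), whether any authorization runs at all is now decided solely by the new `if (policy_file == NULL) return 0;` early return at the top of check_store_authz() (lb_authz.c hunk @@ -892); a server started with LCAS enabled but without a policy file therefore admits every authenticated client, where previously LCAS decided. The early return should keep the LCAS switch in view, e.g. `if (policy_file == NULL && !enable_lcas) return 0;`, which presumes check_authz_policy() reports "not granted" for an empty policy so that the LCAS branch below is still reached — its body is outside the hunk, so that needs confirming. The comment `/* by default the server is open to any authenticated client */` should then say that this holds only when neither a policy file nor LCAS is configured. The body of db_store() continues outside the hunk.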
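Review bot: `struct _edg_wll_GssPrincipal_data princ;` is declared without an initializer, and the following hunk (@@ -917) assigns only `princ.name` and `princ.fqans` before passing `&princ` to check_authz_policy(); if the struct has any further member, it reaches the policy evaluation with an indeterminate value. Declaring it `struct _edg_wll_GssPrincipal_data princ = { 0 };` keeps the principal well-defined whatever the struct's layout, which is not visible here. check_store_authz() continues past the end of this hunk.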
@@ -917,20 +922,30 @@ check_store_authz(edg_wll_Context ctx, edg_wll_Event *ev)
 break;
 }
- request = (char *) action2name(action);
+ princ.name = ctx->peerName;
+ princ.fqans = ctx->fqans;
+ ret = check_authz_policy(&ctx->authz_policy, &princ, action);
+ if (ret == 1)
+ return 0;
- ret = edg_wll_gss_get_client_pem(&ctx->connections->serverConnection->gss,
- server_cert, server_key,
- &pem_string);
- if (ret)
- return edg_wll_SetError(ctx, ret, "Failed to extract client's PEM string");
+ ret = EPERM;
+ if (enable_lcas) {
+ /* XXX make a real RSL ? */
+ request = (char *) action2name(action);
+
+ ret = edg_wll_gss_get_client_pem(&ctx->connections->serverConnection->gss,
+ server_cert, server_key,
+ &pem_string);
+ if (ret)
+ return edg_wll_SetError(ctx, ret, "Failed to extract client's PEM string");
+
+ ret = lcas_pem(pem_string, request);
+ free(pem_string);
+ }
- ret = lcas_pem(pem_string, request);
 if (ret)
 ret = edg_wll_SetError(ctx, EPERM, "Not allowed to log events here");
- free(pem_string);
-
 return ret;
 }
diff --git a/org.glite.lb.server/src/mon-db.c b/org.glite.lb.server/src/mon-db.c
index 20b6d5e..c1ccf62 100644
--- a/org.glite.lb.server/src/mon-db.c
+++ b/org.glite.lb.server/src/mon-db.c
@@ -43,6 +43,7 @@ char *server_key,*server_cert;
 int enable_lcas;
 int proxy_purge;
 struct _edg_wll_authz_policy authz_policy;
+char *policy_file;
 static struct option opts[] = {
 { "mysql",1,NULL,'m' },
--
1.8.2.3
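Review bot: A grant from the policy file returns before LCAS is consulted (`if (ret == 1) return 0;`), so LCAS is a fallback allow path for clients the policy does not grant rather than an additional check as the commit message suggests — a client not granted by the file but permitted by LCAS is still admitted, and LCAS can never veto a policy grant. If that is intended, a comment above `ret = EPERM;` should spell it out, e.g. `/* a policy grant wins; LCAS is consulted only when the policy does not grant the action */`. The same comment should note that any check_authz_policy() result other than 1, including whatever it returns on internal error, falls through to the LCAS/EPERM path and is thus treated as a denial. The denial message `"Not allowed to log events here"` records neither the principal nor the action; logging `ctx->peerName` and `action2name(action)` on the deny path would make authorization failures auditable. The start of check_store_authz() lies outside the hunk.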
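Review bot: `char *policy_file;` here omits the `= NULL` initializer that the sibling definitions in bkindex.c and bkserverd.c carry. As a tentative file-scope definition it is zero-initialized, so behaviour is unchanged, but since check_store_authz() in lb_authz.c treats NULL as "no policy configured", writing `char *policy_file = NULL;` makes that default explicit and consistent across the three translation units that define it.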