From 6adec45fe0412b06292f14573303426738e4a7b0 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Daniel=20Kou=C5=99il?= <kouril@ics.muni.cz>
Date: Fri, 18 Feb 2011 10:26:11 +0000
Subject: [PATCH] Honour payload owner in access control checks

---
 org.glite.lb.server/src/db_store.c    |  7 +++++++
 org.glite.lb.server/src/jobstat.c     | 11 ++++++++---
 org.glite.lb.server/src/notif_match.c |  2 ++
 3 files changed, 17 insertions(+), 3 deletions(-)

diff --git a/org.glite.lb.server/src/db_store.c b/org.glite.lb.server/src/db_store.c
index cbbff6a..60cd29f 100644
--- a/org.glite.lb.server/src/db_store.c
+++ b/org.glite.lb.server/src/db_store.c
@@ -121,6 +121,13 @@ db_store(edg_wll_Context ctx, char *event)
 			if (edg_wll_PurgeServerProxy(ctx, ev->any.jobId)) goto rollback;
 	}
 
+	if ((ev->any.type == EDG_WLL_EVENT_TAKEPAYLOADOWNERSHIP || ev->any.type == EDG_WLL_EVENT_GRANTPAYLOADOWNERSHIP) &&
+		oldstat.payload_owner != newstat.payload_owner)
+			edg_wll_UpdateACL(ctx, ev->any.jobId,
+				newstat.payload_owner, EDG_WLL_CHANGEACL_DN,
+				EDG_WLL_CHANGEACL_TAG, EDG_WLL_CHANGEACL_ALLOW,
+				EDG_WLL_CHANGEACL_ADD);
+
 
 	if (ev->any.type == EDG_WLL_EVENT_REGJOB &&
 		(ev->regJob.jobtype == EDG_WLL_REGJOB_DAG ||
diff --git a/org.glite.lb.server/src/jobstat.c b/org.glite.lb.server/src/jobstat.c
index 283ef35..47d684a 100644
--- a/org.glite.lb.server/src/jobstat.c
+++ b/org.glite.lb.server/src/jobstat.c
@@ -91,16 +91,21 @@ static char* matched_substr(char *in, regmatch_t match)
 
 static int
 check_jobstat_authz(edg_wll_Context ctx,
-	char *owner,
+	edg_wll_JobStat *stat,
 	edg_wll_Acl acl,
 	int *flags)
 {
 	struct _edg_wll_GssPrincipal_data princ;
 
 	*flags = 0;
+
 	if (ctx->noAuth)
 		return 1;
-	if (ctx->peerName && edg_wll_gss_equal_subj(ctx->peerName, owner))
+	if (ctx->peerName == NULL)
+		return 0;
+	if (edg_wll_gss_equal_subj(ctx->peerName, stat->owner))
+		return 1;
+	if (stat->payload_owner && edg_wll_gss_equal_subj(ctx->peerName, stat->payload_owner))
 		return 1;
 	if (acl && edg_wll_CheckACL(ctx, acl, EDG_WLL_CHANGEACL_READ) == 0)
 		return 1;
@@ -170,7 +175,7 @@ int edg_wll_JobStatusServer(
 		
 		if (edg_wll_GetACL(ctx, job, &acl)) goto rollback;
 
-		if (check_jobstat_authz(ctx, stat->owner, acl, &authz_flags) == 0) {
+		if (check_jobstat_authz(ctx, stat, acl, &authz_flags) == 0) {
 			edg_wll_SetError(ctx, EPERM, "not owner");
 			goto rollback;
 		}
diff --git a/org.glite.lb.server/src/notif_match.c b/org.glite.lb.server/src/notif_match.c
index 961c87c..f27428c 100644
--- a/org.glite.lb.server/src/notif_match.c
+++ b/org.glite.lb.server/src/notif_match.c
@@ -220,6 +220,8 @@ int edg_wll_NotifCheckACL(edg_wll_Context ctx,const edg_wll_JobStat *stat,const
 	edg_wll_ResetError(ctx);
 	if (strcmp(stat->owner,recip) == 0
 		|| edg_wll_amIroot(recip,NULL,&ctx->authz_policy)) return 1;
+	if (stat->payload_owner && strcmp(stat->payload_owner,recip) == 0)
+		return 1;
 	princ.name = (char *)recip;
 	if (check_authz_policy(&ctx->authz_policy, &princ, READ_ALL))
 		return 1;
-- 
1.8.2.3