From b883d26cd1d900b4d5ccc4d95ad7773dc699fbf3 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Daniel=20Kou=C5=99il?=
Date: Tue, 16 Mar 2010 23:07:46 +0000
Subject: [PATCH] - support for the new authZ schema for notifications - slight changes to the authz API
---
 org.glite.lb.server/src/authz_policy.c | 26 +++++++++++++++--
 org.glite.lb.server/src/authz_policy.h | 6 +++-
 org.glite.lb.server/src/il_notification.c | 5 +++-
 org.glite.lb.server/src/il_notification.h | 1 +
 org.glite.lb.server/src/jobstat.c | 19 +++++-------
 org.glite.lb.server/src/lcas_lb.c | 10 ++++---
 org.glite.lb.server/src/notif_match.c | 46 +++++++++++++++++++------------
 7 files changed, 75 insertions(+), 38 deletions(-)
diff --git a/org.glite.lb.server/src/authz_policy.c b/org.glite.lb.server/src/authz_policy.c
index 8f8abfb..136805c 100644
--- a/org.glite.lb.server/src/authz_policy.c
+++ b/org.glite.lb.server/src/authz_policy.c
@@ -41,7 +41,8 @@ static int num_attrs =
 int
-check_authz_policy(edg_wll_Context ctx, edg_wll_authz_policy policy,
+check_authz_policy(edg_wll_authz_policy policy,
+ edg_wll_GssPrincipal principal,
 authz_action action)
 {
 int i;
@@ -59,11 +60,11 @@ check_authz_policy(edg_wll_Context ctx, edg_wll_authz_policy policy,
 return 1;
 switch (r->attr_id) {
 case ATTR_SUBJECT:
- if (edg_wll_gss_equal_subj(r->attr_value, ctx->peerName))
+ if (edg_wll_gss_equal_subj(r->attr_value, principal->name))
 return 1;
 break;
 case ATTR_FQAN:
- for (f = ctx->fqans; f && *f; f++)
+ for (f = principal->fqans; f && *f; f++)
 if (strcmp(r->attr_value, *f) == 0)
 return 1;
 break;
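Review bot: check_authz_policy now dereferences `principal` unconditionally — `principal->name` in the ATTR_SUBJECT case and `principal->fqans` in the ATTR_FQAN case of the second hunk — while every caller in this patch hands it a stack-allocated `struct _edg_wll_GssPrincipal_data`, so the function's safety rests on each caller initialising that struct fully; jobstat.c sets `name` and `fqans` without zeroing the rest, and the new notif_match.c caller is only seen setting `name`. A guard at the top of the body, `if (!principal || !principal->name) return 0;`, would turn a half-initialised principal into a policy miss rather than a crash, assuming 0 is the deny value the function otherwise falls through to. A header comment should also state that `principal` is borrowed for the duration of the call, never freed, and that `fqans` may legitimately be NULL (the loop already tolerates it). The rest of check_authz_policy's body lies outside both hunks.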
@@ -96,3 +97,22 @@ find_authz_attr(const char *name)
 return attr_id_names[i].id;
 return ATTR_UNDEF;
 }
+
+int
+blacken_fields(edg_wll_JobStat *stat, int flags)
+{
+ edg_wll_JobStat new_stat;
+
+ memset(&new_stat, 0, sizeof(new_stat));
+
+ if (flags & STATUS_FOR_RTM) {
+ new_stat.state = stat->state;
+ /* XXX save anything else */
+ }
+
+ edg_wll_FreeStatus(stat);
+ memset(stat, 0, sizeof(*stat));
+ edg_wll_CpyStatus(&new_stat, stat);
+ edg_wll_FreeStatus(&new_stat);
+ return 0;
+}
diff --git a/org.glite.lb.server/src/authz_policy.h b/org.glite.lb.server/src/authz_policy.h
index 50db197..4e10969 100644
--- a/org.glite.lb.server/src/authz_policy.h
+++ b/org.glite.lb.server/src/authz_policy.h
@@ -20,6 +20,7 @@ limitations under the License.
 #include
 #include
+#include
 typedef enum {
 ACTION_UNDEF = 0,
@@ -49,7 +50,7 @@ int parse_server_policy(edg_wll_Context ctx, const char *filename,
 edg_wll_authz_policy policy);
 int
-check_authz_policy(edg_wll_Context, edg_wll_authz_policy, authz_action);
+check_authz_policy(edg_wll_authz_policy, edg_wll_GssPrincipal, authz_action);
 authz_action
 find_authz_action(const char *name);
@@ -57,4 +58,7 @@ find_authz_action(const char *name);
 authz_attr_id
 find_authz_attr(const char *name);
+int
+blacken_fields(edg_wll_JobStat *, int flags);
+
 #endif
diff --git a/org.glite.lb.server/src/il_notification.c b/org.glite.lb.server/src/il_notification.c
index fc855e3..ff44b33 100644
--- a/org.glite.lb.server/src/il_notification.c
+++ b/org.glite.lb.server/src/il_notification.c
@@ -40,7 +40,7 @@ limitations under the License.
 #include "il_notification.h"
 #include "lb_xml_parse.h"
-
+#include "authz_policy.h"
 #define FCNTL_ATTEMPTS 5
@@ -172,6 +172,7 @@ edg_wll_NotifJobStatus(edg_wll_Context context,
 int port,
 const char *owner,
 int flags,
+ int authz_flags,
 int expires,
 const edg_wll_JobStat notif_job_stat)
 {
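Review bot: blacken_fields discards the result of `edg_wll_CpyStatus(&new_stat, stat)` and returns 0 unconditionally, so a failed copy leaves `*stat` zeroed while the caller believes the status is intact; capture it, `ret = edg_wll_CpyStatus(&new_stat, stat);`, and `return ret;` so the jobstat.c and il_notification.c call sites can react. Any non-zero `flags` value lacking STATUS_FOR_RTM wipes every field including `state`, which agrees with the `if (authz_flags)` call sites only while STATUS_FOR_RTM is the sole flag — worth recording at the `if (flags & STATUS_FOR_RTM)` line, e.g. `/* unrecognised flags blacken everything, state included */`. Because the function frees and rebuilds `*stat` in place, its header comment should state that the caller must own the status deeply (every pointer member freeable by edg_wll_FreeStatus); the il_notification.c caller in this patch passes a status whose ownership is not visible here.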
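Review bot: The new prototype `blacken_fields(edg_wll_JobStat *, int flags);` in authz_policy.h names one parameter and leaves the other anonymous; `blacken_fields(edg_wll_JobStat *stat, int flags);` keeps it consistent with the definition. Since this header is the surface the other changed files include, a short comment above it — that the function frees the status in place and rebuilds it keeping only `state` when `flags` contains STATUS_FOR_RTM, and that the caller must own the status — would spare readers a trip to authz_policy.c.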
@@ -186,6 +187,8 @@ edg_wll_NotifJobStatus(edg_wll_Context context,
 stat.condor_jdl = NULL;
 stat.rsl = NULL;
 }
+ if (authz_flags)
+ blacken_fields(&stat, authz_flags);
 if(edg_wll_JobStatusToXML(context, stat, &xml_data))
 goto out;
diff --git a/org.glite.lb.server/src/il_notification.h b/org.glite.lb.server/src/il_notification.h
index 22c12ba..cf1facc 100644
--- a/org.glite.lb.server/src/il_notification.h
+++ b/org.glite.lb.server/src/il_notification.h
@@ -86,6 +86,7 @@ edg_wll_NotifJobStatus(edg_wll_Context context,
 int port,
 const char *owner,
 int flags,
+ int authz_flags,
 int expires,
 const edg_wll_JobStat notif_job_stat);
diff --git a/org.glite.lb.server/src/jobstat.c b/org.glite.lb.server/src/jobstat.c
index cd1e1df..dd54dee 100644
--- a/org.glite.lb.server/src/jobstat.c
+++ b/org.glite.lb.server/src/jobstat.c
@@ -95,6 +95,8 @@ check_jobstat_authz(edg_wll_Context ctx,
 edg_wll_Acl acl,
 int *flags)
 {
+ struct _edg_wll_GssPrincipal_data princ;
+
 *flags = 0;
 if (ctx->noAuth)
 return 1;
@@ -103,7 +105,9 @@ check_jobstat_authz(edg_wll_Context ctx,
 if (acl && edg_wll_CheckACL(ctx, acl, EDG_WLL_CHANGEACL_READ) == 0)
 return 1;
 edg_wll_ResetError(ctx);
- if (check_authz_policy(ctx, &ctx->authz_policy, STATUS_FOR_RTM)) {
+ princ.name = ctx->peerName;
+ princ.fqans = ctx->fqans;
+ if (check_authz_policy(&ctx->authz_policy, &princ, STATUS_FOR_RTM)) {
 *flags |= STATUS_FOR_RTM;
 return 1;
 }
@@ -411,17 +415,8 @@ rollback:
 free(string_jobid);
 free(md5_jobid);
- if (authz_flags && authz_flags & STATUS_FOR_RTM) {
- edg_wll_JobStat new_stat;
-
- memset(&new_stat, 0, sizeof(new_stat));
- new_stat.state = stat->state;
- /* XXX save anything else */
-
- edg_wll_FreeStatus(stat);
- memset(stat, 0, sizeof(*stat));
- edg_wll_CpyStatus(&new_stat, stat);
- }
+ if (authz_flags)
+ blacken_fields(stat, authz_flags);
 return edg_wll_Error(ctx, NULL, NULL);
 }
diff --git a/org.glite.lb.server/src/lcas_lb.c b/org.glite.lb.server/src/lcas_lb.c
index a9c2e35..57e9b34 100644
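Review bot: `blacken_fields(&stat, authz_flags)` runs edg_wll_FreeStatus on `stat`, and the neighbouring `stat.condor_jdl = NULL; stat.rsl = NULL;` lines suggest `stat` is a shallow copy of the by-value `notif_job_stat` argument whose pointer members are still owned by the caller (notif_match.c passes `*stat` from its match loop); if that is so, blackening here frees memory the caller goes on to use for the next matching recipient or in its own cleanup. Unless edg_wll_NotifJobStatus already deep-copies into `stat` earlier in the body (the function starts outside the hunk), take a copy with `edg_wll_CpyStatus` into a status this function owns, blacken that, and free it at `out:`. Whichever holds, write it down above the call, e.g. `/* stat must be owned here: blacken_fields frees its members */`.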
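Review bot: `princ` in check_jobstat_authz receives only `name` and `fqans` and is never zeroed, whereas the lcas_lb.c hunk in this same patch does `memset(&princ, 0, sizeof(princ))` before use; if `struct _edg_wll_GssPrincipal_data` has any further member that check_authz_policy or a later action reads, it is uninitialised at this call site. Adding `memset(&princ, 0, sizeof(princ));` directly after the declaration in the @@ -95 hunk keeps the two callers consistent. `princ` merely borrows `ctx->peerName` and `ctx->fqans`, so nothing needs freeing here as long as check_authz_policy does not retain the pointer.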
--- a/org.glite.lb.server/src/lcas_lb.c
+++ b/org.glite.lb.server/src/lcas_lb.c
@@ -46,6 +46,7 @@ plugin_confirm_authorization(lcas_request_t request, lcas_cred_id_t lcas_cred)
 char *user_dn;
 int ret;
 edg_wll_Context ctx;
+ struct _edg_wll_GssPrincipal_data princ;
 X509 *cert = NULL;
 STACK_OF(X509) * chain = NULL;
 void *cred = NULL;
@@ -53,6 +54,8 @@ plugin_confirm_authorization(lcas_request_t request, lcas_cred_id_t lcas_cred)
 int err;
 authz_action action;
+ memset(&princ, 0, sizeof(princ));
+
 lcas_log_debug(1,"\t%s-plugin: checking LB access policy\n", modname);
@@ -64,14 +67,13 @@ plugin_confirm_authorization(lcas_request_t request, lcas_cred_id_t lcas_cred)
 goto end;
 }
-
 user_dn = lcas_get_dn(lcas_cred);
 if (user_dn == NULL) {
 lcas_log(0, "lcas.mod-lb() error: user DN empty\n");
 ret = LCAS_MOD_FAIL;
 goto end;
 }
- ctx->peerName = strdup(user_dn);
+ princ.name = user_dn;
 cred = lcas_get_gss_cred(lcas_cred);
 if (cred == NULL) {
@@ -92,10 +94,10 @@ plugin_confirm_authorization(lcas_request_t request, lcas_cred_id_t lcas_cred)
 ret = VOMS_RetrieveFromCred(cred, RECURSE_CHAIN, voms_info, &err);
 if (ret == 1)
- edg_wll_get_fqans(ctx, voms_info, &ctx->fqans);
+ edg_wll_get_fqans(ctx, voms_info, &princ.fqans);
 }
- ret = check_authz_policy(ctx, edg_wll_get_server_policy(), action);
+ ret = check_authz_policy(edg_wll_get_server_policy(), &princ, action);
 ret = (ret == 1) ? LCAS_MOD_SUCCESS : LCAS_MOD_FAIL;
 end:
diff --git a/org.glite.lb.server/src/notif_match.c b/org.glite.lb.server/src/notif_match.c
index c073a7c..2e7ca3a 100644
--- a/org.glite.lb.server/src/notif_match.c
+++ b/org.glite.lb.server/src/notif_match.c
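Review bot: `edg_wll_get_fqans(ctx, voms_info, &princ.fqans)` now fills the stack-local `princ.fqans` instead of `ctx->fqans`, so whatever get_fqans allocates is no longer released with the context; unless the `end:` cleanup (outside the hunk) was also taught to free `princ.fqans`, each authorised request leaks its FQAN list inside a long-lived LCAS plugin. Release it at `end:` — with the project's own FQAN-freeing helper if one exists, otherwise along the lines of `if (princ.fqans) { for (char **f = princ.fqans; *f; f++) free(*f); free(princ.fqans); }`, given that check_authz_policy treats `fqans` as a NULL-terminated array and assuming get_fqans allocates each entry — and note beside the `memset(&princ, 0, sizeof(princ));` that the zeroing is what makes that cleanup safe on the early `goto end` paths. Replacing `ctx->peerName = strdup(user_dn)` with `princ.name = user_dn` also drops a per-request allocation, which is fine provided `user_dn` outlives the check_authz_policy call.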
@@ -35,9 +35,10 @@ limitations under the License.
 #include "il_notification.h"
 #include "db_supp.h"
 #include "index.h"
+#include "authz_policy.h"
 static int notif_match_conditions(edg_wll_Context,const edg_wll_JobStat *,const edg_wll_JobStat *,const char *);
-static int notif_check_acl(edg_wll_Context,const edg_wll_JobStat *,const char *);
+static int notif_check_acl(edg_wll_Context,const edg_wll_JobStat *,const char *, int *);
 extern int debug;
@@ -48,7 +49,7 @@ int edg_wll_NotifMatch(edg_wll_Context ctx, const edg_wll_JobStat *oldstat, cons
 edg_wll_NotifId nid = NULL;
 char *jobq,*ju = NULL,*jobc[6];
 glite_lbu_Statement jobs = NULL;
- int ret,i;
+ int ret,i,authz_flags = 0;
 time_t expires,now = time(NULL);
 char *cond_where = NULL;
@@ -116,7 +117,7 @@ int edg_wll_NotifMatch(edg_wll_Context ctx, const edg_wll_JobStat *oldstat, cons
 getpid(),jobc[0],asctime(gmtime(&expires)));
 }
 else if (notif_match_conditions(ctx,oldstat,stat,jobc[4]) &&
- notif_check_acl(ctx,stat,jobc[3]))
+ notif_check_acl(ctx,stat,jobc[3], &authz_flags))
 {
 char *dest, *aux;
 int port;
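Review bot: `authz_flags` is initialised once at its declaration (`int ret,i,authz_flags = 0;` in the @@ -48 hunk) and notif_check_acl only ever ORs STATUS_FOR_RTM into it, so if the `notif_check_acl(ctx,stat,jobc[3], &authz_flags)` call sits inside the per-row loop over matching notifications (the `jobc` row fetch suggests it does), a recipient admitted under the RTM policy leaves the flag set for every later recipient in the same pass, and those recipients receive the blackened status even when they are the owner or ACL-authorised. Reset it per recipient, either `authz_flags = 0;` at the top of each iteration or `*authz_flags = 0;` on entry to notif_check_acl, whose rewritten body follows in the next hunks. The declaration also deserves a comment, e.g. `/* per-recipient authz restrictions, set by notif_check_acl */`, and the new `int *` parameter in the prototype should be named to match.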
@@ -144,7 +145,7 @@ int edg_wll_NotifMatch(edg_wll_Context ctx, const edg_wll_JobStat *oldstat, cons
 /* XXX: only temporary hack!!! */
 ctx->p_instance = strdup("");
- if ( edg_wll_NotifJobStatus(ctx, nid, dest, port, jobc[3], atoi(jobc[5]), expires, *stat) )
+ if ( edg_wll_NotifJobStatus(ctx, nid, dest, port, jobc[3], atoi(jobc[5]), authz_flags, expires, *stat) )
 {
 free(dest);
 for (i=0; iowner,recip) == 0 || edg_wll_amIroot(recip,NULL,ctx->super_users)) return 1;
- if (stat->acl == NULL) return 0;
+ if (stat->acl) {
+ ret = edg_wll_DecodeACL(stat->acl,&acl->value);
+ if (ret) {
+ edg_wll_FreeAcl(acl);
+ edg_wll_SetError(ctx,EINVAL,"decoding ACL");
+ return 0;
+ }
- ret = edg_wll_DecodeACL(stat->acl,&acl->value);
- if (ret) {
+ acl->string = stat->acl;
+ ret = edg_wll_CheckACL(ctx, acl, EDG_WLL_CHANGEACL_READ);
+ acl->string = NULL;
 edg_wll_FreeAcl(acl);
- edg_wll_SetError(ctx,EINVAL,"decoding ACL");
- return 0;
+ if (ret == 0)
+ return 1;
+ edg_wll_ResetError(ctx);
 }
- acl->string = stat->acl;
-
- ret = edg_wll_CheckACL(ctx, acl, EDG_WLL_CHANGEACL_READ);
-
- acl->string = NULL;
- edg_wll_FreeAcl(acl);
+ princ.name = (char *)recip;
+ if (check_authz_policy(&ctx->authz_policy, &princ, STATUS_FOR_RTM)) {
+ *authz_flags |= STATUS_FOR_RTM;
+ return 1;
+ }
- return !ret;
+ return 0;
 }
--
1.8.2.3