From c31f585ae684a284b2f01e776ec71d8c70983c6e Mon Sep 17 00:00:00 2001 From: Andrew McNab Date: Tue, 5 Jun 2007 14:05:51 +0000 Subject: [PATCH] 1.6 preparations --- org.gridsite.core/doc/slashgrid.8 | 2 +- org.gridsite.core/interface/gridsite.h | 2 + org.gridsite.core/src/Makefile | 4 +- org.gridsite.core/src/grst_admin_gacl.c | 251 +++++++++++++++++--------------- org.gridsite.core/src/grst_admin_main.c | 66 ++++----- org.gridsite.core/src/grst_gacl.c | 81 +++-------- org.gridsite.core/src/grst_x509.c | 6 +- org.gridsite.core/src/slashgrid.c | 16 +- 8 files changed, 209 insertions(+), 219 deletions(-) diff --git a/org.gridsite.core/doc/slashgrid.8 b/org.gridsite.core/doc/slashgrid.8 index 64f058f..ce6f37d 100644 --- a/org.gridsite.core/doc/slashgrid.8 +++ b/org.gridsite.core/doc/slashgrid.8 @@ -44,7 +44,7 @@ corruption of replicas.) This filesystem is intended for use with GridSite/Apache webservers, which control access via .gacl policy files in each directory hierarchy. SlashGrid can interpret these files internally, and this allows other services, such -as GridFTP running in chroot mode, to be share access to a common file store. +as GridFTP running in chroot mode, to share access to a common file store. .SH "OPTIONS" diff --git a/org.gridsite.core/interface/gridsite.h b/org.gridsite.core/interface/gridsite.h index 7ebb07c..eecbfe0 100644 --- a/org.gridsite.core/interface/gridsite.h +++ b/org.gridsite.core/interface/gridsite.h @@ -327,6 +327,8 @@ GRSTgaclCred *GRSTgaclUserFindCredtype(GRSTgaclUser *, char *); __attribute__ ((deprecated)) int GRSTgaclDNlistHasUser(char *, GRSTgaclUser *); +int GRSTgaclUserHasAURI(GRSTgaclUser *, char *); + /* #define GACLtestUserAcl(x,y) GRSTgaclAclTestUser((x),(y)) */ GRSTgaclPerm GRSTgaclAclTestUser(GRSTgaclAcl *, GRSTgaclUser *); diff --git a/org.gridsite.core/src/Makefile b/org.gridsite.core/src/Makefile index a926168..4d89818 100644 --- a/org.gridsite.core/src/Makefile +++ b/org.gridsite.core/src/Makefile 
@@ -60,7 +60,7 @@ endif build: apidoc build-lib \ htcp gridsite-copy.cgi mod_gridsite.so \ - urlencode findproxyfile gsexec # real-gridsite-admin.cgi + urlencode findproxyfile gsexec real-gridsite-admin.cgi build-lib: libgridsite_globus.so.$(VERSION) libgridsite_globus.a \ libgridsite.so.$(VERSION) libgridsite.a @@ -344,7 +344,6 @@ install: apidoc install-lib $(prefix)/share/man/man1 \ $(prefix)/share/man/man8 \ $(prefix)/lib/httpd/modules \ - mod_gridsite_example.c \ $(prefix)/share/doc/gridsite-$(MINOR_VERSION) cp -f ../interface/gridsite.h $(prefix)/include cp -f ../interface/gridsite-gacl.h $(prefix)/include @@ -355,6 +354,7 @@ install: apidoc install-lib cp -f ../CHANGES ../README ../INSTALL ../LICENSE ../VERSION \ $(prefix)/share/doc/gridsite-$(MINOR_VERSION) cp -f ../doc/index.html ../doc/*.conf ../doc/*.sh ../doc/*.spec \ + mod_gridsite_example.c \ $(prefix)/share/doc/gridsite-$(MINOR_VERSION) for i in htcp.1 htfind.1 htll.1 htls.1 htmkdir.1 htmv.1 htping.1 \ htrm.1 urlencode.1 findproxyfile.1 ; do \ diff --git a/org.gridsite.core/src/grst_admin_gacl.c b/org.gridsite.core/src/grst_admin_gacl.c index 6bce4fb..580060e 100644 --- a/org.gridsite.core/src/grst_admin_gacl.c +++ b/org.gridsite.core/src/grst_admin_gacl.c @@ -1,6 +1,6 @@ /* - Copyright (c) 2003-5, Shiv Kaushal, University of Manchester - All rights reserved. + Copyright (c) 2003-7, Shiv Kaushal and Andrew McNab, + University of Manchester. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following 
@@ -66,7 +66,7 @@ void StartHTML(GRSThttpBody *bp, char *dir_uri, char* dir_path); void StartForm(GRSThttpBody *bp, char* dir_uri, char* dir_path, char* admin_file, int timestamp, char* target_function); void EndForm(GRSThttpBody *bp); void GRSTgaclCredTableStart(GRSThttpBody *bp); -void GRSTgaclCredTableAdd(GRSTgaclUser *user, GRSTgaclEntry *entry, GRSTgaclCred *cred, GRSTgaclNamevalue *namevalue, int cred_no, int entry_no, int admin, int timestamp, GRSThttpBody *bp, char *dn, GRSTgaclPerm perm, char *help_uri, char *dir_path, char *file, char *dir_uri, char *admin_file); +void GRSTgaclCredTableAdd(GRSTgaclUser *user, GRSTgaclEntry *entry, GRSTgaclCred *cred, int cred_no, int entry_no, int admin, int timestamp, GRSThttpBody *bp, char *dn, GRSTgaclPerm perm, char *help_uri, char *dir_path, char *file, char *dir_uri, char *admin_file); void GRSTgaclCredTableEnd(GRSTgaclEntry* entry, int entry_no, int admin, int timestamp, GRSThttpBody *bp, char *dn, GRSTgaclPerm perm, char *help_uri, char *dir_path, char *file, char *dir_uri, char *admin_file); // ACL Manipulation functions @@ -90,7 +90,6 @@ void show_acl(int admin, GRSTgaclUser *user, char *dn, GRSTgaclPerm perm, char * GRSTgaclAcl *acl; GRSTgaclEntry *entry; GRSTgaclCred *cred; - GRSTgaclNamevalue *namevalue; int entry_no, cred_no, allow, deny,timestamp; GRSThttpBody bp; char* AclFilename; @@ -154,8 +153,7 @@ void show_acl(int admin, GRSTgaclUser *user, char *dn, GRSTgaclPerm perm, char * cred=entry->firstcred; cred_no=1; while (cred!=NULL){ - namevalue=cred->firstname; - GRSTgaclCredTableAdd(user, entry, cred, namevalue, cred_no, entry_no, admin, timestamp, &bp, dn, perm, help_uri, dir_path, file, dir_uri, admin_file); + GRSTgaclCredTableAdd(user, entry, cred, cred_no, entry_no, admin, timestamp, &bp, dn, perm, help_uri, dir_path, file, dir_uri, admin_file); // Change to next credential cred=cred->next; cred_no++; 
@@ -169,7 +167,7 @@ void show_acl(int admin, GRSTgaclUser *user, char *dn, GRSTgaclPerm perm, char * if (!admin && GRSTgaclPermHasAdmin(perm) && !history_mode) //Print a link for admin mode, if not in admin mode but the user has admin permissions GRSThttpPrintf (&bp,"Admin Mode", dir_uri, admin_file, dir_uri, timestamp ); - if (history_mode==1 && GRSTgaclDNlistHasUser(getenv("REDIRECT_GRST_ADMIN_LIST"), user)){ + if (history_mode==1 && GRSTgaclUserHasAURI(user, getenv("REDIRECT_GRST_ADMIN_LIST"))){ StartForm(&bp, dir_uri, dir_path, admin_file, timestamp, "revert_acl"); //GRSThttpPrintf (&bp,"Revert to this Version", dir_uri, admin_file, dir_uri, timestamp, file ); GRSThttpPrintf (&bp, "\n", file); @@ -188,8 +186,6 @@ void new_entry_form(GRSTgaclUser *user, char *dn, GRSTgaclPerm perm,char *help_u int timestamp=atol(GRSThttpGetCGI("timestamp")); GRSTgaclCred* cred; GRSTgaclEntry *entry; - GRSTgaclNamevalue* namevalue; - if (!GRSTgaclPermHasAdmin(perm)) GRSThttpError ("403 Forbidden"); entry = GRSTgaclEntryNew(); @@ -198,7 +194,7 @@ void new_entry_form(GRSTgaclUser *user, char *dn, GRSTgaclPerm perm,char *help_u GRSThttpPrintf (&bp, "NEW ENTRY IN ACL FOR %s

\n", dir_uri); GRSTgaclCredTableStart(&bp); - GRSTgaclCredTableAdd(user, entry,cred, namevalue, 0, 0, 0, timestamp, &bp, dn, perm, help_uri, dir_path, file, dir_uri, admin_file); + GRSTgaclCredTableAdd(user, entry,cred, 0, 0, 0, timestamp, &bp, dn, perm, help_uri, dir_path, file, dir_uri, admin_file); GRSTgaclCredTableEnd (entry, 0, 0, timestamp, &bp, dn, perm, help_uri, dir_path, file, dir_uri, admin_file); /*Submit and reset buttons - submit button sends the data in the form back to the script & new_entry() to be called*/ @@ -212,30 +208,29 @@ void new_entry(GRSTgaclUser *user, char *dn, GRSTgaclPerm perm, char *help_uri, GRSTgaclAcl *acl; GRSTgaclEntry *entry; GRSTgaclCred *cred; - char *type, *value; + char *cred_auri_1, *p; GRSThttpBody bp; if (!GRSTgaclPermHasAdmin(perm)) GRSThttpError ("403 Forbidden"); // Get new credential info and perform checks - type=GRSThttpGetCGI("type"); - value=GRSThttpGetCGI("cred0_value"); + cred_auri_1=GRSThttpGetCGI("cred_auri_1"); - if (strcmp(type, "not_chosen")==0){ - GRSThttpError ("500 Invalid input - credential type not chosen"); - return; - } + /* check AURI for scheme:path form */ + + for (p=cred_auri_1; *p != '\0'; ++p) if (!isalnum(*p) && (*p != '-') && (*p != '_')) break; + + if ((p == cred_auri_1) || (*p != ':')) + { + StartHTML(&bp, dir_uri, dir_path); + GRSThttpPrintf (&bp, "ERROR: CANNOT SAVE CHANGES\n\n

Attribute URIs must take the form scheme:path" + "

For example dn:/DC=com/DC=example/CN=name or " + "fqan:/voname/groupname or https://host.name/listname or dns:host.name.pattern or ip:ip.number.pattern\n

\n"); + admin_continue(dn, perm, help_uri, dir_path, file, dir_uri, admin_file, &bp); + return; + } // Create the credential - cred=GRSTgaclCredNew(type); - if (strcmp(type, "person")==0) GRSTgaclCredAddValue(cred,"dn", value); - else if (strcmp(type, "dn-list")==0) GRSTgaclCredAddValue(cred, "url", value); - else if (strcmp(type, "voms")==0) GRSTgaclCredAddValue(cred, "fqan", value); - else if (strcmp(type, "dns")==0) GRSTgaclCredAddValue(cred, "hostname", value); - else if (strcmp(type, "any-user")==0) {} // namevalue not entered for any-user credential - else{ - GRSThttpError ("500 Invalid input - credential type not valid"); - return; - } + cred=GRSTgaclCredCreate(cred_auri_1, NULL); // Create and empty entry, add the credential and get permissions entry = GRSTgaclEntryNew(); @@ -297,8 +292,6 @@ void edit_entry_form(GRSTgaclUser *user, char *dn, GRSTgaclPerm perm, char *help GRSTgaclAcl *acl; GRSTgaclEntry *entry; GRSTgaclCred *cred; - GRSTgaclNamevalue *namevalue; - // struct _GACLnamevalue *namevalue; GRSThttpBody bp; if (!GRSTgaclPermHasAdmin(perm)) GRSThttpError ("403 Forbidden"); @@ -327,13 +320,13 @@ void edit_entry_form(GRSTgaclUser *user, char *dn, GRSTgaclPerm perm, char *help while (cred!=NULL){ // Start with the first namevalue in the credential - namevalue=cred->firstname; - GRSTgaclCredTableAdd(user, entry, cred, namevalue, cred_no, entry_no, admin, timestamp, &bp, dn, perm, help_uri, dir_path, file, dir_uri, admin_file); + GRSTgaclCredTableAdd(user, entry, cred, cred_no, entry_no, admin, timestamp, &bp, dn, perm, help_uri, dir_path, file, dir_uri, admin_file); // Change to next credential cred=cred->next; cred_no++; } GRSTgaclCredTableEnd (entry, entry_no, admin, timestamp, &bp, dn, perm, help_uri, dir_path, file, dir_uri, admin_file); + GRSThttpPrintf (&bp, "\n", cred_no-1); EndForm(&bp); admin_continue(dn, perm, help_uri, dir_path, file, dir_uri, admin_file, &bp); 
@@ -343,12 +336,11 @@ void edit_entry_form(GRSTgaclUser *user, char *dn, GRSTgaclPerm perm, char *help void edit_entry(GRSTgaclUser *user, char *dn, GRSTgaclPerm perm, char *help_uri, char *dir_path, char *file, char *dir_uri, char *admin_file){ //Processes the information entered into the form from edit_entry_form() and updates the entry corresponding to entry_no*/ - int entry_no, cred_no, i; + int entry_no, cred_no, i, last_cred_no; GRSTgaclAcl *acl; GRSTgaclEntry *entry; GRSTgaclCred *cred; - GRSTgaclNamevalue *namevalue; - char variable[30]; + char variable[30], *cred_auri_i, *p; GRSThttpBody bp; if (!GRSTgaclPermHasAdmin(perm)) GRSThttpError ("403 Forbidden"); 
@@ -357,28 +349,62 @@ void edit_entry(GRSTgaclUser *user, char *dn, GRSTgaclPerm perm, char *help_uri, acl = GRSTgaclAclLoadFile(GRSTgaclFileFindAclname(dir_path)); // Get pointer to the entry and perform checks - entry_no=atol(GRSThttpGetCGI("entry_no")); - entry = GACLreturnEntry(acl, entry_no); + entry_no = atol(GRSThttpGetCGI("entry_no")); + entry = GACLreturnEntry(acl, entry_no); + last_cred_no = atol(GRSThttpGetCGI("entry_no")); + if(entry==NULL || entry_no<1 || entry_no>GACLentriesInAcl(acl) ){ GRSThttpError ("500 Unable to read from ACL file"); return; } - // Start with the first credential and update each one - cred=entry->firstcred; - cred_no=1; - - while (cred!=NULL){ - if (strcmp(cred->type, "any-user")!=0){ - namevalue=cred->firstname; - sprintf(variable, "cred%d_value", cred_no); - namevalue->value=GRSThttpGetCGI(variable); - } - //Change to next credential*/ - cred=cred->next; - cred_no++; - } - + // Reset the first credential and add in each one as they are found + entry->firstcred = NULL; + cred_no = 1; + + for (cred_no = 1; cred_no <= last_cred_no; ++cred_no) + { + sprintf(variable, "cred_auri_%d", cred_no); + cred_auri_i = GRSThttpGetCGI(variable); + + if (cred_auri_i[0] != '\0') + { + /* check AURI for scheme:path form */ + + for (p=cred_auri_i; *p != '\0'; ++p) if (!isalnum(*p) && (*p != '-') && (*p != '_')) break; + + if ((p == cred_auri_i) || (*p != ':')) + { + StartHTML(&bp, dir_uri, dir_path); + GRSThttpPrintf (&bp, "ERROR: CANNOT SAVE CHANGES\n\n

Attribute URIs must take the form scheme:path" + "

For example dn:/DC=com/DC=example/CN=name or " + "fqan:/voname/groupname or https://host.name/listname or dns:host.name.pattern or ip:ip.number.pattern\n

\n"); + admin_continue(dn, perm, help_uri, dir_path, file, dir_uri, admin_file, &bp); + return; + } + + if (entry->firstcred == NULL) + { + entry->firstcred = GRSTgaclCredCreate(cred_auri_i, NULL); + cred = entry->firstcred; + } + else + { + cred->next = GRSTgaclCredCreate(cred_auri_i, NULL); + cred = cred->next; + } + } + } + + if (entry->firstcred == NULL) + { + StartHTML(&bp, dir_uri, dir_path); + GRSThttpPrintf (&bp, "ERROR: CANNOT SAVE CHANGES\n\n

Each entry must include at least one valid credential (Attribute URI)\n

\n"); + admin_continue(dn, perm, help_uri, dir_path, file, dir_uri, admin_file, &bp); + return; + } + + // Update permissions GACLeditGetPerms(entry); check_acl_save(dn, perm, help_uri, dir_path, file, dir_uri, admin_file, user, acl, &bp); @@ -393,7 +419,6 @@ void add_cred_form(GRSTgaclUser *user, char *dn, GRSTgaclPerm perm, char *help_u GRSTgaclAcl *acl; GRSTgaclEntry* entry; GRSTgaclCred* cred; - GRSTgaclNamevalue* namevalue; if (!GRSTgaclPermHasAdmin(perm)) GRSThttpError ("403 Forbidden"); @@ -410,7 +435,7 @@ void add_cred_form(GRSTgaclUser *user, char *dn, GRSTgaclPerm perm, char *help_u if (strcmp(GRSThttpGetCGI("cmd"), "add_cred_form")==0){ //if not a new entry check to see if cred exists cred=entry->firstcred; while (cred!=NULL) { - if (strcmp (cred->type, "any-user")==0) { + if (strcmp (cred->auri, "gacl:any-user")==0) { StartHTML(&bp, dir_uri, dir_path); GRSThttpPrintf (&bp, "ERROR: AND-ing \"any-user\" credential with other credential does not make sense
\n"); admin_continue(dn, perm, help_uri, dir_path, file, dir_uri, admin_file, &bp); @@ -427,7 +452,7 @@ void add_cred_form(GRSTgaclUser *user, char *dn, GRSTgaclPerm perm, char *help_u GRSThttpPrintf (&bp, " \n", entry_no); GRSTgaclCredTableStart(&bp); - GRSTgaclCredTableAdd(user, entry, cred, namevalue, 0, 0, 0, timestamp, &bp, dn, perm, help_uri, dir_path, file, dir_uri, admin_file); + GRSTgaclCredTableAdd(user, entry, cred, 0, 0, 0, timestamp, &bp, dn, perm, help_uri, dir_path, file, dir_uri, admin_file); GRSTgaclCredTableEnd (entry, 0, 0, timestamp, &bp, dn, perm, help_uri, dir_path, file, dir_uri, admin_file); EndForm(&bp); @@ -443,7 +468,7 @@ void add_cred(GRSTgaclUser *user, char *dn, GRSTgaclPerm perm, char *help_uri, c GRSTgaclEntry *entry; GRSTgaclCred *cred; GRSThttpBody bp; - char *type, *value; + char *cred_auri_1, *p; if (!GRSTgaclPermHasAdmin(perm)) GRSThttpError ("403 Forbidden"); @@ -458,18 +483,23 @@ void add_cred(GRSTgaclUser *user, char *dn, GRSTgaclPerm perm, char *help_uri, c } // Create new credential and add it to entry - type=GRSThttpGetCGI("type"); - value=GRSThttpGetCGI("cred0_value"); - cred=GRSTgaclCredNew(type); - if (strcmp(type, "person") ==0) GRSTgaclCredAddValue(cred,"dn", value); - else if (strcmp(type, "dn-list") ==0) GRSTgaclCredAddValue(cred, "url", value); - else if (strcmp(type, "voms") ==0) GRSTgaclCredAddValue(cred, "fqan", value); - else if (strcmp(type, "dns") ==0) GRSTgaclCredAddValue(cred, "hostname", value); - else if (strcmp(type, "any-user")==0) {}// namevalue not entered for any-user credential - else{ - GRSThttpError ("500 Credential type not valid"); - return; - } + cred_auri_1=GRSThttpGetCGI("cred_auri_1"); + + /* check AURI for scheme:path form */ + + for (p=cred_auri_1; *p != '\0'; ++p) if (!isalnum(*p) && (*p != '-') && (*p != '_')) break; + + if ((p == cred_auri_1) || (*p != ':')) + { + StartHTML(&bp, dir_uri, dir_path); + GRSThttpPrintf (&bp, "ERROR: CANNOT SAVE CHANGES\n\n

Attribute URIs must take the form scheme:path" + "

For example dn:/DC=com/DC=example/CN=name or " + "fqan:/voname/groupname or https://host.name/listname or dns:host.name.pattern or ip:ip.number.pattern\n

\n"); + admin_continue(dn, perm, help_uri, dir_path, file, dir_uri, admin_file, &bp); + return; + } + + cred=GRSTgaclCredCreate(cred_auri_1, NULL); GRSTgaclEntryAddCred(entry, cred); check_acl_save(dn, perm, help_uri, dir_path, file, dir_uri, admin_file, user, acl, &bp); @@ -532,7 +562,6 @@ void del_entry_sure(GRSTgaclUser *user, char *dn, GRSTgaclPerm perm, char *help_ GRSTgaclAcl *acl; GRSTgaclEntry *entry; GRSTgaclCred *cred; - GRSTgaclNamevalue *namevalue; int entry_no, cred_no, allow, deny, i, timestamp; GRSThttpBody bp; @@ -565,8 +594,7 @@ void del_entry_sure(GRSTgaclUser *user, char *dn, GRSTgaclPerm perm, char *help_ GRSTgaclCredTableStart(&bp); while (cred!=NULL){ // Start with the first namevalue in the credential - namevalue=cred->firstname; - GRSTgaclCredTableAdd(user, entry, cred, namevalue, cred_no, entry_no, 0, 0, &bp, dn, perm, help_uri, dir_path, file, dir_uri, admin_file); + GRSTgaclCredTableAdd(user, entry, cred, cred_no, entry_no, 0, 0, &bp, dn, perm, help_uri, dir_path, file, dir_uri, admin_file); // Change to next credential cred=cred->next; cred_no++; @@ -587,7 +615,6 @@ void del_cred_sure(GRSTgaclUser *user, char *dn, GRSTgaclPerm perm, char *help_u GRSTgaclAcl *acl; GRSTgaclEntry *entry; GRSTgaclCred *cred; - GRSTgaclNamevalue *namevalue; int entry_no, cred_no, allow, deny, timestamp, i; GRSThttpBody bp; @@ -626,7 +653,7 @@ void del_cred_sure(GRSTgaclUser *user, char *dn, GRSTgaclPerm perm, char *help_u // Print the credential out GRSTgaclCredTableStart(&bp); - GRSTgaclCredTableAdd(user, entry, cred, cred->firstname, cred_no, entry_no, 0, 0, &bp, dn, perm, help_uri, dir_path, file, dir_uri, admin_file); + GRSTgaclCredTableAdd(user, entry, cred, cred_no, entry_no, 0, 0, &bp, dn, perm, help_uri, dir_path, file, dir_uri, admin_file); GRSTgaclCredTableEnd (entry, entry_no, 0, 0, &bp, dn, perm, help_uri, dir_path, file, dir_uri, admin_file); GRSThttpPrintf (&bp,"
\n"); 
@@ -761,67 +788,61 @@ void EndForm(GRSThttpBody *bp){ void GRSTgaclCredTableStart(GRSThttpBody *bp){ //Starts an HTML table of credentials by setting the column widths and inputting the headings GRSThttpPrintf (bp,""); - GRSThttpPrintf (bp,""); + GRSThttpPrintf (bp,""); return; } -void GRSTgaclCredTableAdd(GRSTgaclUser *user, GRSTgaclEntry *entry, GRSTgaclCred *cred, GRSTgaclNamevalue *namevalue, int cred_no, int entry_no, int admin, int timestamp, GRSThttpBody *bp, char *dn, GRSTgaclPerm perm, char *help_uri, char *dir_path, char *file, char *dir_uri, char *admin_file){ +void GRSTgaclCredTableAdd(GRSTgaclUser *user, GRSTgaclEntry *entry, GRSTgaclCred *cred, int cred_no, int entry_no, int admin, int timestamp, GRSThttpBody *bp, char *dn, GRSTgaclPerm perm, char *help_uri, char *dir_path, char *file, char *dir_uri, char *admin_file) +{ // Adds the credential "cred" to a table started byGRSTgaclCredTableStart allowing the user to edit if appropriate char* cmd = GRSThttpGetCGI("cmd"); int edit_values=0, new_cred=0, allow_new_person=1; - int site_admin=GRSTgaclDNlistHasUser(getenv("REDIRECT_GRST_ADMIN_LIST"), user); + int site_admin=GRSTgaclUserHasAURI(user, getenv("REDIRECT_GRST_ADMIN_LIST")); if (strcmp(cmd, "new_entry_form")==0 || strcmp(cmd, "add_cred_form")==0) new_cred=1; - if (new_cred || strcmp(cmd, "edit_entry_form")==0) edit_values=1; + if (new_cred || (strcmp(cmd, "edit_entry_form") == 0)) edit_values=1; - if (new_cred) { /*Print out type and descriptor*/ - if (strcmp(cmd, "add_cred_form")==0){ /*if not a new entry check to see if cred exists.*/ - cred=entry->firstcred; - while (cred!=NULL) {if (strcmp (cred->type, "person")==0) allow_new_person=0; cred=cred->next;} - } + if (new_cred) + { //create dummy credential for the user to edit - cred=GRSTgaclCredNew("new"); - GRSTgaclCredAddValue(cred, "", ""); - namevalue=cred->firstname; + cred=GRSTgaclCredCreate("", ""); //Drop down list of types GRSThttpPrintf(bp,""); - GRSThttpPrintf(bp,""); - } - - else { 
//Print out type and descriptor for existing cred + cred_no = 1; + } + else + { //Print out type and descriptor for existing cred - GRSThttpPrintf(bp,""); + } - if (strcmp(cred->type, "any-user")==0) GRSThttpPrintf (bp, ""); @@ -843,7 +864,7 @@ void GRSTgaclCredTableEnd(GRSTgaclEntry* entry, int entry_no, int admin, int tim if (admin) GRSThttpPrintf (bp,"Add Credential", dir_uri,admin_file,dir_uri, entry_no, timestamp); - GRSThttpPrintf (bp, "\n\n
Credential No.TypeValue
Credential No.Attribute URI
New"); - GRSThttpPrintf (bp, "
%d", cred_no); - if (admin) GRSThttpPrintf (bp,"(Delete)", dir_uri,admin_file,dir_uri, entry_no, cred_no, timestamp); - GRSThttpPrintf(bp, "%s ", cred->type); - } + GRSThttpPrintf(bp,"
%d", cred_no); + if (admin) GRSThttpPrintf (bp,"(Delete)", dir_uri,admin_file,dir_uri, entry_no, cred_no, timestamp); + GRSThttpPrintf(bp, " "); /* Do not print out namevalue for any-user credential*/ - else{ - if (edit_values){ // Place namevalue in an editable box if appropriate - GRSThttpPrintf (bp, "auri, "gacl:any-user")==0) GRSThttpPrintf (bp, "%s", cred->auri); + else + { + if (edit_values) + { // Place AURI in an editable box if appropriate + GRSThttpPrintf (bp, "value, bp); + StringHTMLEncode(cred->auri, bp); GRSThttpPrintf (bp, "\">"); - } - else if (strcmp(cred->type, "dn-list")==0){ + } + else if ((strncmp(cred->auri, "http://", 7) == 0) || + (strncmp(cred->auri, "https://", 8) == 0)) + { GRSThttpPrintf(bp, "value, bp); + StringHTMLEncode(cred->auri, bp); GRSThttpPrintf(bp, " \">"); - StringHTMLEncode(namevalue->value, bp); + StringHTMLEncode(cred->auri, bp); GRSThttpPrintf(bp, ""); } - else { GRSThttpPrintf(bp, " "); StringHTMLEncode(namevalue->value, bp);} - - } + else + { + GRSThttpPrintf(bp, " "); + StringHTMLEncode(cred->auri, bp); + } + } //Print out warning symbol if cred being printed relates to current user - but NOT for users in site admin list if (GRSTgaclUserHasCred(user, cred) && !site_admin) GRSThttpPrintf(bp, " <--"); GRSThttpPrintf(bp, "
 "); + GRSThttpPrintf (bp, ""); if (blank_perms==1)entry->allowed=entry->denied=GRST_PERM_NONE; @@ -896,7 +917,7 @@ void check_acl_save(char *dn, GRSTgaclPerm perm, char *help_uri, char *dir_path, // check users permissions in the new ACL - if (!GRSTgaclDNlistHasUser(getenv("REDIRECT_GRST_ADMIN_LIST"), user)) + if (!GRSTgaclUserHasAURI(user, getenv("REDIRECT_GRST_ADMIN_LIST"))) { new_perm = GRSTgaclAclTestUser(acl, user); if (new_perm != perm){ diff --git a/org.gridsite.core/src/grst_admin_main.c b/org.gridsite.core/src/grst_admin_main.c index a9e9f0e..069a2f4 100644 --- a/org.gridsite.core/src/grst_admin_main.c +++ b/org.gridsite.core/src/grst_admin_main.c @@ -195,10 +195,10 @@ void justfooter(char *dn, GRSTgaclPerm perm, char *help_uri, char *dir_path, int main() { - int i, gsiproxylimit_i = 1; + int i, gsiproxylimit_i = 1, delegation = 0; char *cmd, *dir_uri, *file, *dir_path, *admin_file, *dn = NULL, *help_uri, *p, *content_type, *request_uri, *button, - *grst_cred_0, *gsiproxylimit, *dn_lists, buf[12]; + *grst_auri_i, *grst_valid_i, *gsiproxylimit, buf[12]; GRSTgaclCred *cred; GRSTgaclUser *user = NULL; GRSTgaclAcl *acl; 
@@ -219,56 +219,54 @@ int main() GRSTgaclInit(); - grst_cred_0 = getenv("GRST_CRED_0"); + gsiproxylimit = getenv("REDIRECT_GRST_GSIPROXY_LIMIT"); + if (gsiproxylimit != NULL) sscanf(gsiproxylimit, "%d", &gsiproxylimit_i); + + grst_auri_i = getenv("GRST_CRED_AURI_0"); + grst_valid_i = getenv("GRST_CRED_VALID_0"); - if ((grst_cred_0 != NULL) && (cred = GRSTx509CompactToCred(grst_cred_0))) + if ((grst_auri_i != NULL) && (strncmp(grst_auri_i, "dn:", 3) == 0)) { - gsiproxylimit = getenv("REDIRECT_GRST_GSIPROXY_LIMIT"); - if (gsiproxylimit != NULL) sscanf(gsiproxylimit, "%d", &gsiproxylimit_i); - - if (GRSTgaclCredGetDelegation(cred) <= gsiproxylimit_i) - { + dn = &grst_auri_i[3]; + + sscanf(grst_valid_i, + "notbefore=%*ld notafter=%*ld delegation=%d nist-loa=%*d", + &delegation); + + if (delegation <= gsiproxylimit_i) + { + cred = GRSTgaclCredCreate(grst_auri_i, NULL); user = GRSTgaclUserNew(cred); - if ((p = index(grst_cred_0, ' ')) && - (p = index(++p, ' ')) && - (p = index(++p, ' ')) && - (p = index(++p, ' '))) dn = &p[1]; - } - /* User has a cert so check for voms attributes */ - for(i=1; ; i++) - { - sprintf (buf, "GRST_CRED_%d", i); + /* User has a cert so check for VOMS attributes etc */ + for (i=1; ; i++) + { + sprintf (buf, "GRST_CRED_%d", i); + grst_auri_i = getenv(buf); + if (grst_auri_i == NULL) break; + + cred = GRSTgaclCredCreate(grst_auri_i, NULL); + GRSTgaclUserAddCred(user, cred); + } - grst_cred_0 = getenv(buf); - if (grst_cred_0==NULL) break; - - if (cred=GRSTx509CompactToCred(grst_cred_0)) - GRSTgaclUserAddCred(user, cred); + /* no more VOMS attributes etc found */ } - /* no more voms attributes found found */ } else if ((dn = getenv("SSL_CLIENT_S_DN")) != NULL) { - cred = GRSTgaclCredNew("person"); - GRSTgaclCredAddValue(cred, "dn", dn); + cred = GRSTgaclCredCreate("dn:", dn); user = GRSTgaclUserNew(cred); } - dn_lists = getenv("REDIRECT_GRST_DN_LISTS"); - if (dn_lists == NULL) dn_lists = getenv("GRST_DN_LISTS"); - if (dn_lists != NULL) 
GRSTgaclUserSetDNlists(user, dn_lists); - - if (GRSTgaclDNlistHasUser(getenv("REDIRECT_GRST_ADMIN_LIST"), - user)) perm = GRST_PERM_ALL; + if (GRSTgaclUserHasAURI(user, getenv("REDIRECT_GRST_ADMIN_LIST"))) + perm = GRST_PERM_ALL; else { p = getenv("REMOTE_HOST"); if (p != NULL) { - cred = GRSTgaclCredNew("dns"); - GRSTgaclCredAddValue(cred, "hostname", p); + cred = GRSTgaclCredCreate("dns:", p); if (user == NULL) user = GRSTgaclUserNew(cred); else GRSTgaclUserAddCred(user, cred); diff --git a/org.gridsite.core/src/grst_gacl.c b/org.gridsite.core/src/grst_gacl.c index 539a44e..c093497 100644 --- a/org.gridsite.core/src/grst_gacl.c +++ b/org.gridsite.core/src/grst_gacl.c @@ -298,12 +298,12 @@ int GRSTgaclEntryDelCred(GRSTgaclEntry *entry, GRSTgaclCred *cred) int GRSTgaclCredPrint(GRSTgaclCred *cred, FILE *fp) /* - GRSTgaclCredPrint - print a credential and any name-value pairs is contains + GRSTgaclCredPrint - print a credential and the AURI value it contains */ { - char *q; + char *q; - if (cred->auri != NULL) + if ((cred->auri != NULL) && (cred->auri[0] != '\0')) { fprintf(fp, "\n"); @@ -324,9 +324,11 @@ int GRSTgaclCredPrint(GRSTgaclCred *cred, FILE *fp) fprintf(fp, "%d\n", cred->delegation); fprintf(fp, "\n"); + + return 1; } - - return 1; + + return 0; } /* * @@ -644,7 +646,7 @@ static GRSTgaclCred *GRSTgaclCredParse(xmlNodePtr cur) /* backwards compatibility */ - cred = GRSTgaclCredNew((char *) cur->name); + cred = GRSTgaclCredNew((char *) cur->name); for (cur2 = cur->xmlChildrenNode; cur2 != NULL; cur2=cur2->next) { @@ -995,13 +997,14 @@ int GRSTgaclUserHasCred(GRSTgaclUser *user, GRSTgaclCred *cred) return 0; } +/* // can remove this once we preload DN Lists etc as AURIs? if ((strncmp(cred->auri, "http:", 5) == 0) || (strncmp(cred->auri, "https:", 6) == 0)) { return GRSTgaclDNlistHasUser(cred->auri, user); } - +*/ /* generic AURI = AURI test */ for (crediter=user->firstcred; crediter != NULL; crediter = crediter->next) 
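Review bot: `sscanf(grst_valid_i, ...)` runs whenever `GRST_CRED_AURI_0` is set, but `grst_valid_i` (`GRST_CRED_VALID_0`) is never NULL-checked and the sscanf result is ignored, so a missing or malformed VALID variable leaves `delegation` at its initialiser 0 and the credential passes the `delegation <= gsiproxylimit_i` proxy-depth check as if it were a full certificate. Make the condition fail closed: `if ((grst_auri_i != NULL) && (grst_valid_i != NULL) && (strncmp(grst_auri_i, "dn:", 3) == 0) && (sscanf(grst_valid_i, "notbefore=%*ld notafter=%*ld delegation=%d nist-loa=%*d", &delegation) == 1))`. `sprintf (buf, "GRST_CRED_%d", i)` writes 13 bytes into `buf[12]` once i reaches 10, so a client presenting ten or more attribute credentials overflows the stack buffer; enlarge `buf` and use snprintf. The loop also reads `GRST_CRED_%d` while the first credential came from `GRST_CRED_AURI_0`; if the server now exports every credential under the AURI naming this loop never finds the VOMS attributes, and if it still exports the old compact form they are handed to GRSTgaclCredCreate unparsed — confirm against what mod_gridsite sets.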
@@ -1194,6 +1197,7 @@ int GRSTgaclUserLoadDNlists(GRSTgaclUser *user, char *dnlists) * Functions to test for access perm of an individual * * */ +#if 0 static char *recurse4file(char *dir, char *file, int recurse_level) /* try to find file[] in dir[]. try subdirs if not found. return full path to first found version or NULL on failure */ @@ -1239,62 +1243,23 @@ static char *recurse4file(char *dir, char *file, int recurse_level) return NULL; } +#endif int GRSTgaclDNlistHasUser(char *listurl, GRSTgaclUser *user) { - char *dn_lists_dirs, *dn_list_ptr, *enclisturl, *filename, *dirname, - line[512], *p; - FILE *fp; - GRSTgaclCred *cred; - - if ((listurl == NULL) || (user == NULL)) return 0; - - enclisturl = GRSThttpUrlEncode(listurl); - - if (user->dnlists != NULL) p = user->dnlists; - else p = getenv("GRST_DN_LISTS"); - - if (p == NULL) p = GRST_DN_LISTS; - dn_lists_dirs = strdup(p); /* we need to keep this for free() later! */ - dn_list_ptr = dn_lists_dirs; /* copy, for naughty function strsep() */ + return GRSTgaclUserHasAURI(user, listurl); +} - while ((dirname = strsep(&dn_list_ptr, ":")) != NULL) - { - filename = recurse4file(dirname, enclisturl, 0); - if (filename == NULL) continue; - - fp = fopen(filename, "r"); - free(filename); +int GRSTgaclUserHasAURI(GRSTgaclUser *user, char *auri) +{ + GRSTgaclCred *cred; + + if ((auri == NULL) || (user == NULL)) return 0; - if (fp == NULL) continue; - - while (fgets(line, sizeof(line), fp) != NULL) - { - p = index(line, '\n'); - if (p != NULL) *p = '\0'; - - cred = user->firstcred; - - while (cred != NULL) - { - if ((strncmp(cred->auri, "dn:", 3) == 0) && - (GRSTx509NameCmp(line, &(cred->auri[3])) == 0)) - { - fclose(fp); - free(dn_lists_dirs); - free(enclisturl); - return 1; - } - - cred = cred->next; - } - } - - fclose(fp); - } - - free(dn_lists_dirs); - free(enclisturl); + for (cred = user->firstcred; cred != NULL; cred = cred->next) + { + if (strcmp(auri, cred->auri) == 0) return 1; + } return 0; } 
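Review bot: `strcmp(auri, cred->auri)` in GRSTgaclUserHasAURI dereferences `cred->auri` without a NULL check, although GRSTgaclCredPrint in this same patch treats a NULL auri as possible; guard it, `if ((cred->auri != NULL) && (strcmp(auri, cred->auri) == 0)) return 1;`. The meaning of GRSTgaclDNlistHasUser also changes here: it used to look the user's DN up in the list file named by listurl, and now only asks whether the user already holds a credential whose AURI equals the list URL, while the file lookup (recurse4file) is disabled with `#if 0` and the http/https branch in GRSTgaclUserHasCred (`@@ -995`) is commented out with a "once we preload DN Lists" note. Until something adds those list-URL credentials to the user, the admin-list checks in grst_admin_main.c and check_acl_save can never succeed — fail-closed, but it should be stated, and the new prototype in gridsite.h would benefit from a comment such as `/* 1 if user holds a credential whose AURI is exactly auri; DN-list files are no longer consulted */`. A plain strcmp also makes the match sensitive to case and trailing-slash differences in the configured list URL.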
diff --git a/org.gridsite.core/src/grst_x509.c b/org.gridsite.core/src/grst_x509.c index 5ab98e6..9c25bd3 100644 --- a/org.gridsite.core/src/grst_x509.c +++ b/org.gridsite.core/src/grst_x509.c @@ -1129,9 +1129,8 @@ GRSTgaclCred *GRSTx509CompactToCred(char *grst_cred) && (p = index(++p, ' ')) && (p = index(++p, ' '))) { - cred = GRSTgaclCredNew("person"); + cred = GRSTgaclCredCreate("dn:", &p[1]); GRSTgaclCredSetDelegation(cred, delegation); - GRSTgaclCredAddValue(cred, "dn", &p[1]); } return cred; @@ -1152,9 +1151,8 @@ GRSTgaclCred *GRSTx509CompactToCred(char *grst_cred) if (p[1] != '/') return NULL; /* must begin with / */ - cred = GRSTgaclCredNew("voms"); + cred = GRSTgaclCredCreate("fqan:", &p[1]); GRSTgaclCredSetDelegation(cred, delegation); - GRSTgaclCredAddValue(cred, "fqan", &p[1]); } return cred; diff --git a/org.gridsite.core/src/slashgrid.c b/org.gridsite.core/src/slashgrid.c index 8ae240c..7b3a6b2 100644 --- a/org.gridsite.core/src/slashgrid.c +++ b/org.gridsite.core/src/slashgrid.c @@ -795,7 +795,7 @@ size_t read_data_callback(void *ptr, size_t size, size_t nmemb, void *data) return sent; } -char *canonicalise(char *link, char *source) +static char *canonicalise(char *link, char *source) { int i, j, srclen; char *s; @@ -891,7 +891,7 @@ struct grst_dir_list *index_to_dir_list(char *text, char *source) if ((taglevel == 1) && (list[used].filename != NULL)) { ++used; - if (used >= allocated) + if (used + 1 >= allocated) /* always room for terminal NULL */ { allocated += 256; list = (struct grst_dir_list *) @@ -993,6 +993,12 @@ struct grst_dir_list *index_to_dir_list(char *text, char *source) wordnew = 0; } + + if (list[used].filename != NULL) + { + ++used; + list[used].filename = NULL; /* used+1>=allocated above allows this */ + } qsort((void *) list, used, sizeof(struct grst_dir_list), grst_dir_list_cmp); 
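Review bot: The new terminator block in index_to_dir_list tests `list[used].filename != NULL` on the slot after the last completed entry, which is only meaningful if that slot is zero-filled; the initial allocation and the `allocated += 256` realloc are outside this hunk, and realloc does not clear the new region, so unless the code clears it the read is of indeterminate memory (the in-loop check at `@@ -891` depends on the same property, so presumably it is cleared — confirm). Assigning `list[used].filename = NULL;` unconditionally after the optional `++used` would make the terminator independent of that assumption, and the `used + 1 >= allocated` growth check already guarantees the slot exists. The comment `/* used+1>=allocated above allows this */` leans on that earlier hunk; phrase it as `/* slot list[used] is always allocated: see the growth check in the tag loop */` so the dependency is explicit.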
@@ -1065,8 +1071,7 @@ GRSTgaclPerm get_gaclPerm(struct fuse_context *fuse_ctx, char *path) if (dn != NULL) { - cred = GRSTgaclCredNew("person"); - GRSTgaclCredAddValue(cred, "dn", dn); + cred = GRSTgaclCredCreate("dn:", dn); user = GRSTgaclUserNew(cred); free(dn); } @@ -1375,7 +1380,7 @@ static int slashgrid_readdir(const char *path, void *buf, if (debugmode) syslog(LOG_DEBUG, "in slashgrid_readdir, list[%d].filename=%s", i, list[i].filename); - + if (strncmp(list[i].filename, "mailto:", 7) == 0) continue; len = strlen(list[i].filename); @@ -2488,5 +2493,6 @@ int main(int argc, char *argv[]) ret = fuse_main(fuse_argc, fuse_argv, &slashgrid_oper); + syslog(LOG_ERR, "fuse_main() returns and SlashGrid exits! (%d)", ret); return ret; } -- 1.8.2.3