From d738e62a6bc1fdb7f750974b4503e05cc83562dd Mon Sep 17 00:00:00 2001
From: =?utf8?q?Daniel=20Kou=C5=99il?=
Date: Wed, 14 May 2008 13:29:02 +0000
Subject: [PATCH] base authorization on the internal path not on the whole URL

---
 org.glite.jp.primary/src/jp_callouts.c | 55 +++++++++++++++++++++++----------
 1 file changed, 38 insertions(+), 17 deletions(-)

diff --git a/org.glite.jp.primary/src/jp_callouts.c b/org.glite.jp.primary/src/jp_callouts.c
index 3504e5b..f0387c6 100644
--- a/org.glite.jp.primary/src/jp_callouts.c
+++ b/org.glite.jp.primary/src/jp_callouts.c
@@ -82,16 +82,26 @@ authz_read(authz_jp_system_state_struct *state, char *object, char *client)
 int db_retn;
 glite_lbu_Statement db_res;
 char *db_row[1] = { NULL };
+ char *p;
+
+ /* skip the gsiftp:// or ftp:// prefix */
+ p = strstr(object, "ftp://");
+ if (p == NULL) {
+ result = GLOBUS_FAILURE;
+ GLOBUS_GSI_AUTHZ_CALLOUT_ERROR(
+ result,
+ GLOBUS_GSI_AUTHZ_CALLOUT_AUTHZ_DENIED_BY_CALLOUT,
+ ("Unsupported file type, access denied"));
+ goto out;
+ }
+ p += 6;
+
+ /* find where the filename starts in the URL */
+ p = strchr(p, '/');
 
 result = query_db(state->jp_ctx, &db_res,
 "select j.owner from jobs j,files f where "
- "f.ext_url='%|Ss' and j.jobid=f.jobid", object);
- if (result != GLOBUS_SUCCESS) {
- /* XXX clear error stack ?*/
- result = query_db(state->jp_ctx, &db_res,
- "select j.owner from jobs j,files f where "
- "f.ext_url='gsi%|Ss' and j.jobid=f.jobid", object);
- }
+ "f.int_path='%|Ss' and j.jobid=f.jobid", p);
 if (result != GLOBUS_SUCCESS)
 return result;
 
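Review bot: `p = strchr(p, '/')` returns NULL for a URL with no path after the host, and that NULL then goes to query_db for the `%|Ss` conversion (how query_db treats a NULL argument is not visible here); the request should be denied before the query runs. The preceding `strstr(object, "ftp://")` also accepts the scheme anywhere in `object` rather than only at its start, so the path used for the ownership lookup may differ from the path the transfer actually touches (inferred, since the server-side path handling is outside this patch). Anchoring the scheme test and treating a missing path like an unsupported URL covers both, as sketched below; the same lines are added to authz_write in the second hunk. The function body and the `out` label lie outside the hunk.

```c
	/* accept only a URL that starts with gsiftp:// or ftp:// */
	if (strncmp(object, "gsiftp://", 9) == 0)
		p = object + 9;
	else if (strncmp(object, "ftp://", 6) == 0)
		p = object + 6;
	else
		p = NULL;

	/* find where the filename starts in the URL; no path means no access */
	if (p != NULL)
		p = strchr(p, '/');
	if (p == NULL) {
		/* … unchanged: GLOBUS_GSI_AUTHZ_CALLOUT_ERROR denial and goto out … */
	}
	/* … unchanged: query_db lookup on f.int_path … */
```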
@@ -129,19 +139,30 @@ authz_write(authz_jp_system_state_struct *state, char *object, char *client)
 int db_retn;
 glite_lbu_Statement db_res;
 char *db_row[1] = { NULL };
+ char *p;
+
+ /* skip the gsiftp:// or ftp:// prefix */
+ p = strstr(object, "ftp://");
+ if (p == NULL) {
+ result = GLOBUS_FAILURE;
+ GLOBUS_GSI_AUTHZ_CALLOUT_ERROR(
+ result,
+ GLOBUS_GSI_AUTHZ_CALLOUT_AUTHZ_DENIED_BY_CALLOUT,
+ ("Unsupported file type, access denied"));
+ goto out;
+ }
+ p += 6;
+
+ /* find where the filename starts in the URL */
+ p = strchr(p, '/');
 
 result = query_db(state->jp_ctx, &db_res,
- "select state from files where ext_url='%|Ss' and ul_userid='%|Ss'",
- object, client);
- if (result != GLOBUS_SUCCESS) {
- /* XXX clear error stack ? */
- result = query_db(state->jp_ctx, &db_res,
- "select state from files where ext_url='gsi%|Ss' and ul_userid='%|Ss'",
- object, client);
- }
- if (result != GLOBUS_SUCCESS) {
+ "select f.state from files f, users u "
+ "where f.int_path='%|Ss' and f.ul_userid=u.userid "
+ "and u.cert_subj='%|Ss'",
+ p, client);
+ if (result != GLOBUS_SUCCESS)
 return result;
-
 }
 
 db_retn = glite_jp_db_FetchRow(state->jp_ctx, db_res, 1, NULL, db_row);
 if (db_retn != 1) {
-- 
1.8.2.3
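Review bot: The sixteen added lines that derive `p` from `object` are a verbatim copy of the block added to authz_read, so any later fix to the URL parsing has to be made twice in code that decides access. A file-local helper, for example `static char *url_int_path(char *object)` returning NULL for an unsupported or path-less URL, would give both callouts one parsing rule and one denial path. The new query also changes what `client` is compared against, from `files.ul_userid` to `users.cert_subj` through the join; a short comment above the query such as `/* client is the certificate subject, mapped to ul_userid via users */` would make that explicit. The function body continues outside the hunk.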