From f0dbd0e6fc629d26c0e03210016d63e579f79aff Mon Sep 17 00:00:00 2001 From: =?utf8?q?Zden=C4=9Bk=20Salvet?= Date: Tue, 28 Aug 2007 14:35:00 +0000 Subject: [PATCH] Handle equivalency of different string forms of certificate subjects (Email/emailAddress etc.) using new edg_wll_gss_normalize_subj() and edg_wll_gss_equal_subj(). All upgrade scenarios except upgrading LB server on machine which already used newer SSL libraries should be handled transparently by this code. (In the mentioned case, already registered notifications will cease wrking and STD_owner indexes have to be recreated.) --- org.glite.lb.server/src/jobstat.c | 2 +- org.glite.lb.server/src/jobstat_supp.c | 9 ++++++--- org.glite.lb.server/src/notification.c | 9 ++++++--- org.glite.lb.server/src/query.c | 33 ++++++++++++++++++++++++--------- org.glite.lb.server/src/store.c.T | 27 ++++++++++++++------------- org.glite.lb.server/src/userjobs.c | 7 ++++++- 6 files changed, 57 insertions(+), 30 deletions(-) diff --git a/org.glite.lb.server/src/jobstat.c b/org.glite.lb.server/src/jobstat.c index fdf9126..68dd0d9 100644 --- a/org.glite.lb.server/src/jobstat.c +++ b/org.glite.lb.server/src/jobstat.c @@ -116,7 +116,7 @@ int edg_wll_JobStatus( /* authorization check */ if ( !(ctx->noAuth) && - (!(ctx->peerName) || strcmp(ctx->peerName, jobstat.pub.owner))) { + (!(ctx->peerName) || !edg_wll_gss_equal_subj(ctx->peerName, jobstat.pub.owner))) { intErr = (acl == NULL) || edg_wll_CheckACL(ctx, acl, EDG_WLL_PERM_READ); if (intErr) { free(string_jobid); diff --git a/org.glite.lb.server/src/jobstat_supp.c b/org.glite.lb.server/src/jobstat_supp.c index 9b80bd9..28c35ba 100644 --- a/org.glite.lb.server/src/jobstat_supp.c +++ b/org.glite.lb.server/src/jobstat_supp.c @@ -686,6 +686,7 @@ edg_wll_ErrorCode edg_wll_IColumnsSQLPart(edg_wll_Context ctx, char *names, *values; char *data; char *tmp; + char *tmpval; edg_wll_IColumnRec *job_index_cols = (edg_wll_IColumnRec *)job_index_cols_v; edg_wll_ResetError(ctx); @@ -698,9 +699,11 @@ edg_wll_ErrorCode edg_wll_IColumnsSQLPart(edg_wll_Context ctx, data = NULL; switch (job_index_cols[i].qrec.attr) { case EDG_WLL_QUERY_ATTR_OWNER: - if (stat->pub.owner) - trio_asprintf(&data, "'%|Ss'", stat->pub.owner); - else data = strdup("''"); + if (stat->pub.owner) { + tmpval = edg_wll_gss_normalize_subj(stat->pub.owner, 0); + trio_asprintf(&data, "'%|Ss'", tmpval); + free(tmpval); + } else data = strdup("''"); break; case EDG_WLL_QUERY_ATTR_LOCATION: if (stat->pub.location) diff --git a/org.glite.lb.server/src/notification.c b/org.glite.lb.server/src/notification.c index 18d6287..d664573 100644 --- a/org.glite.lb.server/src/notification.c +++ b/org.glite.lb.server/src/notification.c @@ -391,14 +391,15 @@ static char *get_user(edg_wll_Context ctx, int create) char *userid = NULL, *q = NULL; int ret; - + char *can_peername = NULL; if ( !ctx->peerName ) { edg_wll_SetError(ctx, EPERM, "Annonymous access not allowed"); goto cleanup; } - trio_asprintf(&q, "select userid from users where cert_subj='%|Ss'", ctx->peerName); + can_peername = edg_wll_gss_normalize_subj(ctx->peerName, 0); + trio_asprintf(&q, "select userid from users where cert_subj='%|Ss'", can_peername); if ( edg_wll_ExecStmt(ctx, q, &stmt) < 0 ) goto cleanup; @@ -417,7 +418,7 @@ static char *get_user(edg_wll_Context ctx, int create) } free(q); trio_asprintf(&q, "insert into users(userid,cert_subj) values ('%|Ss','%|Ss')", - userid, ctx->peerName); + userid, can_peername); if ( edg_wll_ExecStmt(ctx, q, NULL) < 0 ) { if ( edg_wll_Error(ctx,NULL,NULL) != EEXIST ) @@ -432,6 +433,7 @@ static char *get_user(edg_wll_Context ctx, int create) cleanup: if ( q ) free(q); if ( stmt ) edg_wll_FreeStmt(&stmt); + free(can_peername); return userid; } @@ -447,6 +449,7 @@ static int check_notif_request( int ret; + /* XXX: rewrite select below in order to handle cert_subj format changes */ if ( !(user = get_user(ctx, 0)) ) { if ( !edg_wll_Error(ctx, NULL, NULL) ) diff --git a/org.glite.lb.server/src/query.c b/org.glite.lb.server/src/query.c index 7cbcc6e..e67503a 100644 --- a/org.glite.lb.server/src/query.c +++ b/org.glite.lb.server/src/query.c @@ -59,7 +59,8 @@ int edg_wll_QueryEventsServer( offset = 0, limit = 0, limit_loop = 1, eperm = 0; - + char *peerid = NULL; + char *can_peername = NULL, *can_peerid = NULL; edg_wll_ResetError(ctx); @@ -86,6 +87,10 @@ int edg_wll_QueryEventsServer( !(job_where = jc_to_head_where(ctx, job_conditions, &i)) ) goto cleanup; + peerid = strdup(strmd5(ctx->peerName,NULL)); + can_peername = edg_wll_gss_normalize_subj(ctx->peerName, 0); + can_peerid = strdup(strmd5(can_peername,NULL)); + /* XXX: similar query in srv_purge.c ! They has to match due to common * convert_event_head() called on the result */ @@ -163,7 +168,7 @@ int edg_wll_QueryEventsServer( if ( !noAuth ) { - if (!ctx->peerName || strcmp(res[1],strmd5(ctx->peerName,NULL))) { + if (!ctx->peerName || (strcmp(res[1],peerid) && strcmp(res[1], can_peerid))) { edg_wll_Acl acl = NULL; char *jobid = NULL; @@ -232,6 +237,8 @@ cleanup: free(qbase); free(job_where); free(event_where); + free(peerid); + free(can_peername); free(can_peerid); return edg_wll_Error(ctx,NULL,NULL); } @@ -750,11 +757,12 @@ static char *jc_to_head_where( int ct, n, m; char *aux, *tmps, + *tmps2, *dbt, *cname = NULL, msg[100]; char *conds, *retconds; - + char *can_peername = NULL; retconds = conds = NULL; @@ -943,22 +951,28 @@ static char *jc_to_head_where( return NULL; } + tmps2 = edg_wll_gss_normalize_subj(jc[m][n].value.c); + if (!jc[m][n].value.c && !can_peername) { + can_peername = edg_wll_gss_normalize_subj(ctx->peerName, 0); + } + *where_flags |= FL_SEL_STATUS; if ( conds ) { if ( jc[m][n].value.c ) - trio_asprintf(&tmps, "%s OR s.%s%s'%|Ss'", conds, cname, opToString(jc[m][n].op), jc[m][n].value.c); + trio_asprintf(&tmps, "%s OR s.%s%s'%|Ss'", conds, cname, opToString(jc[m][n].op), tmps2); else - trio_asprintf(&tmps, "%s OR s.%s%s'%|Ss'", conds, cname, opToString(jc[m][n].op), ctx->peerName); + trio_asprintf(&tmps, "%s OR s.%s%s'%|Ss'", conds, cname, opToString(jc[m][n].op), can_peername); free(conds); conds = tmps; } else { if ( jc[m][n].value.c ) - trio_asprintf(&conds, "s.%s%s'%|Ss'", cname, opToString(jc[m][n].op), jc[m][n].value.c); + trio_asprintf(&conds, "s.%s%s'%|Ss'", cname, opToString(jc[m][n].op), tmps2); else - trio_asprintf(&conds, "s.%s%s'%|Ss'", cname, opToString(jc[m][n].op), ctx->peerName); + trio_asprintf(&conds, "s.%s%s'%|Ss'", cname, opToString(jc[m][n].op), can_peername); } + free(tmps2); break; case EDG_WLL_QUERY_ATTR_DONECODE: @@ -1026,6 +1040,7 @@ static char *jc_to_head_where( } } + free(can_peername); return retconds; } @@ -1256,11 +1271,11 @@ int match_status(edg_wll_Context ctx, const edg_wll_JobStat *stat, const edg_wll case EDG_WLL_QUERY_ATTR_OWNER: if (stat->owner) { if (conds[i][j].value.c) { - if (!strcmp(conds[i][j].value.c, stat->owner) ) { + if (edg_wll_gss_equal_subj(conds[i][j].value.c, stat->owner) ) { if ( conds[i][j].op == EDG_WLL_QUERY_OP_EQUAL ) goto or_satisfied; } else if ( conds[i][j].op == EDG_WLL_QUERY_OP_UNEQUAL ) goto or_satisfied; } else if (ctx->peerName) { - if (!strcmp(ctx->peerName, stat->owner) ) { + if (edg_wll_gss_equal_subj(ctx->peerName, stat->owner) ) { if ( conds[i][j].op == EDG_WLL_QUERY_OP_EQUAL ) goto or_satisfied; } else if ( conds[i][j].op == EDG_WLL_QUERY_OP_UNEQUAL ) goto or_satisfied; } diff --git a/org.glite.lb.server/src/store.c.T b/org.glite.lb.server/src/store.c.T index 6c99416..7875300 100644 --- a/org.glite.lb.server/src/store.c.T +++ b/org.glite.lb.server/src/store.c.T @@ -107,14 +107,13 @@ int edg_wll_StoreEvent(edg_wll_Context ctx,edg_wll_Event *e,int *seq) char *username; if (!ctx->isProxy && ctx->peerName != NULL) { - username = ctx->peerName; - userid_job = strdup(strmd5(username, NULL)); - if (strcmp(username,e->any.user)) { - if ((err = store_user(ctx,userid_job, username))) goto clean; - } + username = edg_wll_gss_normalize_subj(ctx->peerName, 0); } else { - username = e->any.user; - userid_job = strdup(userid); + username = edg_wll_gss_normalize_subj(e->any.user, 0); + } + userid_job = strdup(strmd5(username, NULL)); + if (strcmp(username,e->any.user)) { + if ((err = store_user(ctx,userid_job, username))) goto clean; } if ((err = store_user(ctx,userid,e->any.user))) goto clean; if ((err = store_job(ctx,e->any.jobId,userid_job))) goto clean; @@ -530,16 +529,18 @@ static int check_auth(edg_wll_Context ctx,edg_wll_Event *e) char *jobid = edg_wlc_JobIdGetUnique(e->any.jobId); char *q = NULL,*owner = NULL; edg_wll_Stmt stmt = NULL; - char *user; edg_wll_ResetError(ctx); + if (!ctx->isProxy && !ctx->peerName) + return edg_wll_SetError(ctx,EPERM,"can't store using unauthenticated connection"); + if (e->type == EDG_WLL_EVENT_REGJOB) - return ((ctx->isProxy || ctx->peerName) && - strcmp(e->any.user,EDG_WLL_LOG_USER_DEFAULT)) ? + return strcmp(e->any.user,EDG_WLL_LOG_USER_DEFAULT) ? 0 : edg_wll_SetError(ctx,EPERM,"can't register jobs anonymously"); - trio_asprintf(&q,"select userid from jobs where jobid='%|Ss'",jobid); + trio_asprintf(&q,"select u.cert_subj from jobs j, users u " + "where j.jobid='%|Ss' and u.userid=j.userid",jobid); if (edg_wll_ExecStmt(ctx,q,&stmt) < 0 || edg_wll_FetchRow(stmt,&owner) < 0 @@ -561,8 +562,8 @@ static int check_auth(edg_wll_Context ctx,edg_wll_Event *e) case EDG_WLL_SOURCE_USER_INTERFACE: case EDG_WLL_SOURCE_LRMS: case EDG_WLL_SOURCE_APPLICATION: - user = strmd5(e->any.user,NULL); - if (strcmp(owner,user)) edg_wll_SetError(ctx,EPERM,"check_auth()"); + if (!edg_wll_gss_equal_subj(owner,e->any.user)) + edg_wll_SetError(ctx,EPERM,"check_auth()"); break; default: /* XXX: just don't allow anonymous */ diff --git a/org.glite.lb.server/src/userjobs.c b/org.glite.lb.server/src/userjobs.c index 66448f0..977d55b 100644 --- a/org.glite.lb.server/src/userjobs.c +++ b/org.glite.lb.server/src/userjobs.c @@ -17,14 +17,19 @@ int edg_wll_UserJobs( edg_wlc_JobId **jobs, edg_wll_JobStat **states) { - char *userid = strmd5(ctx->peerName,NULL),*stmt = NULL, + char *userid, *stmt = NULL, *res = NULL; + char *can_peername; int njobs = 0,ret,i; edg_wlc_JobId *out = NULL; edg_wll_Stmt sth = NULL; edg_wll_ErrorCode err = 0; edg_wll_ResetError(ctx); + + can_peername = edg_wll_gss_normalize_subj(ctx->peerName, 0); + userid = strmd5(can_peername,NULL); + free(can_peername); trio_asprintf(&stmt,"select cert_subj from users where userid = '%|Ss'",userid); -- 1.8.2.3