505
505
******************************************************************************/
508
* @brief Look up the default mapping for a Grid identity in a gridmap file
512
509
* @ingroup globus_gsi_gss_assist
514
* Routines callable from globus based code to
515
* map a globusID to a local unix user
517
* GRIDMAP environment variable pointing at the
518
* map file. Defaults to ~/.gridmap
520
* A gridmap file is required if being run as root.
521
* if being run as a user,it is not required, and defaults to
522
* the current user who is running the command.
524
* This is the same file used by the gssapi_cleartext
525
* but will be used with other gssapi implementations which
526
* do not use the gridmap file.
512
* The globus_gss_assist_gridmap() function parses the default gridmap file
513
* and modifies its @a useridp parameter to point to a copy of the string
514
* containing the default local identity that the grid identity is mapped to.
515
* If successful, the caller is responsible for freeing the string pointed
518
* By default, @a globus_gss_assist_gridmap() looks for the default gridmap
519
* file defined by the value of the GRIDMAP environment variable. If that
520
* is not set, it falls back to $HOME/.gridmap.
528
522
* @param globusidp
529
* the GSSAPI name from the client who requested
523
* The GSSAPI name string of the identity who requested authorization
532
* the resulting user ID name for the local system
525
* A pointer to a string to be set to the default user ID for the local
526
* system. No validation is done to check that such a user exists.
536
* -1 if bad arguments
529
* On success, globus_gss_assist_gridmap() returns 0 and modifies the
530
* the string pointed to by the @a useridp parameter. If an error occurs,
531
* a non-zero value is returned and the value pointed to by @a useridp
534
* @retval GLOBUS_SUCCESS
540
540
globus_gss_assist_gridmap(
651
651
/* globus_gss_assist_gridmap() */
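Review bot: the return-value documentation in this block contradicts itself. The new prose says globus_gss_assist_gridmap() returns 0 on success and a non-zero value on error, the older text lists -1 for bad arguments, and the @retval that follows names GLOBUS_SUCCESS, which is a globus_result_t value rather than an int; pick the convention that matches the function's actual return type and list the error values under @retval. The sentence "the caller is responsible for freeing the string pointed" is also cut off before "to by @a useridp". Worth keeping prominent for callers: the @a useridp description states that no validation is done that the returned local user exists, so a caller that switches to that account must check it exists before acting on the string.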
654
* @brief Gridmap entry existence check
659
655
* @ingroup globus_gsi_gss_assist
660
* Check to see if a particular globusid is authorized to access
661
* the given local user account.
658
* The @a globus_gss_assist_userok() function parses the default gridmap file
659
* and checks whether any mapping exists for the grid identity passed as the
660
* @a globusid parameter and the local user identity passed as the @ userid
663
* By default, @a globus_gss_assist_userok() looks for the default gridmap
664
* file defined by the value of the GRIDMAP environment variable. If that
665
* is not set, it falls back to $HOME/.gridmap.
663
667
* @param globusid
664
* the globus id in string form - this should be the user's subject
668
* The GSSAPI name string of the identity who requested authorization
666
* the local account that access is sought for
670
* The local account name that access is sought for.
669
* 0 on success (authorization allowed)
670
* -1 if bad arguments
673
* If @a globus_gss_assist_userok() is able to find a mapping between
674
* @a globusid and @a userid, it returns 0; otherwise it returns 1.
676
* @retval GLOBUS_SUCCESS
674
682
globus_gss_assist_userok(
772
780
/* globus_gss_assist_userok() */
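Review bot: "@ userid" in the new description should be "@a userid", and the sentence it ends is cut before "parameter". The return semantics conflict here too: the prose says the function returns 0 when a mapping is found and 1 otherwise, the older text says -1 for bad arguments, and @retval lists GLOBUS_SUCCESS. Since callers treat 0 as "authorization allowed", the argument-error case should be documented as a value distinct from "no mapping found", not left as two unspecified non-zero results.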
776
* @name Map Local User
783
* @brief Look up the default Grid identity associated with a local user name
780
784
* @ingroup globus_gsi_gss_assist
781
* Routine for returning the default globus ID associated with
782
* a local user name. This is somewhat of a hack since there is
783
* not a guarenteed one-to-one mapping. What we do is look for
784
* the first entry in the gridmap file that has the local
785
* user as the default login. If the user is not a default on any
786
* entry, we find the first entry in which the user exists as a
787
* The @a globus_gss_assist_map_local_user() function parses the
788
* gridmap file to determine a if the user name passed as the @a local_user
789
* parameter is the default local user for a Grid ID in the gridmap file. If
790
* so, it modifies @a globusidp to point to a copy of that ID. Otherwise, it
791
* searches the gridmap file for a Grid ID that has a non-default mapping for
792
* @a local_user and modifies @a globusidp to point to a copy of that ID.
793
* If successful, the caller is responsible for freeing the string pointed to
794
* by the @a globusidp pointer.
796
* By default, @a globus_gss_assist_map_local_user() looks for the default
797
* gridmap file defined by the value of the GRIDMAP environment variable. If
798
* that is not set, it falls back to $HOME/.gridmap.
789
800
* @param local_user
790
* the local username to find the DN for
801
* The local username to find a Grid ID for
791
802
* @param globusidp
792
* the first DN found that reverse maps from the local_user
803
* A Grid ID that maps from the local_user.
795
* 0 on success, otherwise an error object identifier is returned.
796
* use globus_error_get to get the error object from the id. The
797
* resulting error object must be freed using globus_object_free
798
* when it is no longer needed.
806
* On success, @a globus_gss_assist_map_local_user() returns 0 and
807
* modifies @a globusidp to point to a Grid ID that maps to @a local_user;
808
* otherwise, @a globus_gss_assist_map_local_user() returns 1 and the
809
* value pointed to by @a globusidp is undefined.
800
* @see globus_error_get
801
* @see globus_object_free
811
* @retval GLOBUS_SUCCESS
804
817
globus_gss_assist_map_local_user(
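Review bot: "to determine a if the user name" in the new description has a stray "a", and "guarenteed" in the older text is misspelled if that line survives. The return documentation is inconsistent: the prose says the function returns 1 on failure, @retval lists GLOBUS_SUCCESS, and the older @return refers to an error object identifier resolved with globus_error_get; the @see globus_error_get / globus_object_free lines only make sense under that error-object convention, so either keep them with it or drop them. The new text should also keep the older warning that the reverse mapping is not one-to-one and that the first matching entry (default login first, then any non-default entry) wins, since callers may otherwise assume the returned Grid ID is the only one for that account.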
1762
* @ingroup globus_i_gsi_gss_assist
1763
* Look up all globus ids associated with a given user id.
1774
* @brief Look up all Grid IDs associated with a local user ID
1775
* @ingroup globus_gsi_gss_assist
1778
* The @a globus_gss_assist_lookup_all_globusid() function parses a
1779
* gridmap file and finds all Grid IDs that map to a local user ID.
1780
* The @a dns parameter is modified to point to an array of Grid ID
1781
* strings from the gridmap file, and the @a dn_count parameter is
1782
* modified to point to the number of Grid ID strings in the array.
1783
* The caller is responsible for freeing the array using the macro
1784
* @a GlobusGssAssistFreeDNArray().
1786
* By default, @a globus_gss_assist_lookup_all_globusid() looks for the default
1787
* gridmap file defined by the value of the GRIDMAP environment variable. If
1788
* that is not set, it falls back to $HOME/.gridmap.
1765
1790
* @param username
1766
* The local username on which we are preforming the lookup.
1791
* The local username to look up in the gridmap file.
1769
* a pointer to an array of strings. On entrance it should be
1770
* unitialized. Upon return from this function it will point
1771
* to an array of strings. The user should use the macro
1772
* GlobusGssAssistFreeDNArray to clean up this memory.
1793
* A pointer to an array of strings. This function modifies this
1794
* to point to a newly allocated array of strings. The
1795
* caller must use the macro @a GlobusGssAssistFreeDNArray() to free
1774
1797
* @param dn_count
1775
* The number of globus_ids returned in dns.
1798
* A pointer to an integer that is modified to contain the number of
1799
* entries in the array returned via the @a dns parameter.
1778
* the value in the xdigit, or -1 if error
1802
* On success, @a globus_gss_assist_lookup_all_globusid() returns
1803
* GLOBUS_SUCCESS and modifies its @a dns and @a dn_count parameters as
1804
* described above. If an error occurs,
1805
* @a globus_gss_assist_lookup_all_globusid() returns a globus_result_t
1806
* that can be resolved to an error object and the values
1807
* pointed to by @a dns and @a dn_count are undefined.
1809
* @retval GLOBUS_SUCCESS
1811
* @retval GLOBUS_GSI_GSS_ASSIST_ERROR_WITH_ARGUMENTS
1812
* Error with arguments
1813
* @retval GLOBUS_GSI_GSS_ASSIST_ERROR_WITH_GRIDMAP
1814
* Invalid path to gridmap
1815
* @retval GLOBUS_GSI_GSS_ASSIST_ERROR_ERRNO
1780
1818
globus_result_t
1781
1819
globus_gss_assist_lookup_all_globusid(
1911
1949
/* globus_gss_assist_lookup_all_globusid() */
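Review bot: the line "the value in the xdigit, or -1 if error" is a leftover @return description for a hex-digit helper and does not describe globus_gss_assist_lookup_all_globusid(); remove it. The new @a dns description stops at "to free" without naming the array, and the GLOBUS_GSI_GSS_ASSIST_ERROR_ERRNO @retval has no description line, unlike the two retvals above it. Minor: "preforming" and "unitialized" in the older @param text are misspelled.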
1953
* @brief Authorize the peer of a security context to use a service
1954
* @ingroup globus_gsi_gss_assist
1957
* The globus_gss_assist_map_and_authorize() function attempts to authorize
1958
* the peer of a security context to use a particular service. If
1959
* the @a desired_identity parameter is non-NULL, the authorization will
1960
* succeed only if the peer is authorized for that identity. Otherwise,
1961
* any valid authorized local user name will be used. If authorized, the
1962
* local user name will be copied to the string pointed to by the
1963
* @a identity_buffer parameter, which must be at least as long as the
1964
* value passed as the @a identity_buffer_length parameter.
1966
* If authorization callouts are defined in the callout configuration
1967
* file, @a globus_gss_assist_map_and_authorize() will invoke both the
1968
* GLOBUS_GENERIC_MAPPING_TYPE callout and the GLOBUS_GENERIC_AUTHZ_TYPE
1969
* callout; otherwise the default gridmap file will be used for mapping
1970
* and no service-specific authorization will be done.
1972
* If @a globus_gss_assist_map_and_authorize() uses a gridmap file, it
1973
* first looks for a file defined by the value of the GRIDMAP environment
1974
* variable. If that is not set, it falls back to $HOME/.gridmap.
1977
* Security context to inspect for peer identity information.
1979
* A NULL-terminated string containing the name of the service that
1980
* an authorization decision is being made for.
1981
* @param desired_identity
1982
* Optional. If non-NULL, perform an authorization to act as the
1983
* local user named by this NULL-terminated string.
1984
* @param identity_buffer
1985
* A pointer to a string buffer into which will be copied the
1986
* local user name that the peer of the context is authorized to
1988
* @param identity_buffer_length
1989
* Length of the @a identity_buffer array.
1992
* On success, @a globus_gss_assist_map_and_authorize() returns
1993
* GLOBUS_SUCCESS and copies the authorized local identity to the
1994
* @a identity_buffer parameter. If an error occurs,
1995
* @a globus_gss_assist_map_and_authorize() returns a globus_result_t
1996
* that can be resolved to an error object.
1998
* @retval GLOBUS_SUCCESS
2000
* @retval GLOBUS_GSI_GSS_ASSIST_ERROR_WITH_CALLOUT_CONFIG
2001
* Invalid authorization configuration file
2002
* @retval GLOBUS_CALLOUT_ERROR_WITH_HASHTABLE
2003
* Hash table operation failed.
2004
* @retval GLOBUS_CALLOUT_ERROR_CALLOUT_ERROR
2005
* The callout itself returned a error.
2006
* @retval GLOBUS_CALLOUT_ERROR_WITH_DL
2007
* Dynamic library operation failed.
2008
* @retval GLOBUS_CALLOUT_ERROR_OUT_OF_MEMORY
2010
* @retval GLOBUS_GSI_GSS_ASSIST_GSSAPI_ERROR
2011
* A GSSAPI function returned an error
2012
* @retval GLOBUS_GSI_GSS_ASSIST_GRIDMAP_LOOKUP_FAILED
2013
* Gridmap lookup failure
2014
* @retval GLOBUS_GSI_GSS_ASSIST_BUFFER_TOO_SMALL
2015
* Caller provided insufficient buffer space for local identity
1914
2017
globus_result_t
1915
2018
globus_gss_assist_map_and_authorize(
1916
2019
gss_ctx_id_t context,
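Review bot: the descriptions "Security context to inspect for peer identity information." and "A NULL-terminated string containing the name of the service ..." appear here without their "@param context" / "@param service" tags, so Doxygen will not attach them to the parameters; check that the tags were not dropped. Minor: "returned a error" should be "returned an error", GLOBUS_CALLOUT_ERROR_OUT_OF_MEMORY has no description line, and the @a identity_buffer sentence ends at "authorized to" without completing the phrase. Since the local identity is copied into a caller-supplied buffer bounded by @a identity_buffer_length, the documentation should state that the buffer contents are unspecified when GLOBUS_GSI_GSS_ASSIST_BUFFER_TOO_SMALL is returned, so callers do not use a partially written name.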