~ubuntu-branches/ubuntu/trusty/lcmaps-plugins-voms/trusty
» Revision
1
: src/voms/lcmaps_voms_localgroup.c
« back to all changes in this revision
Viewing changes to src/voms/lcmaps_voms_localgroup.c
- browse files at revision 1
- compare with another revision
- download diff
- download tarball
- view history from revision 1
- Committer: Package Import Robot
- Author(s): Dennis van Dok
- Date: 2012-11-06 00:50:24 UTC
- Revision ID: package-import@ubuntu.com-20121106005024-0513ko4vca18a53l
Tags: upstream-1.5.5
ImportĀ upstreamĀ versionĀ 1.5.5
- files added:
- doc
- project
- src
- src/gridlist
- src/voms
added
removed
src/voms/lcmaps_voms_localgroup.c
1
/**
2
* Copyright (c) Members of the EGEE Collaboration. 2004-2010.
3
* See http://www.eu-egee.org/partners/ for details on the copyright
4
* holders.
5
*
6
* Licensed under the Apache License, Version 2.0 (the "License");
7
* you may not use this file except in compliance with the License.
8
* You may obtain a copy of the License at
9
*
10
* http://www.apache.org/licenses/LICENSE-2.0
11
*
12
* Unless required by applicable law or agreed to in writing, software
13
* distributed under the License is distributed on an "AS IS" BASIS,
14
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15
* See the License for the specific language governing permissions and
16
* limitations under the License.
17
*
18
*
19
* Authors:
20
* 2009-
21
* Oscar Koeroo <okoeroo@nikhef.nl>
22
* Mischa Sall\'e <msalle@nikhef.nl>
23
* David Groep <davidg@nikhef.nl>
24
* NIKHEF Amsterdam, the Netherlands
25
* <grid-mw-security@nikhef.nl>
26
*
27
* 2007-2009
28
* Oscar Koeroo <okoeroo@nikhef.nl>
29
* David Groep <davidg@nikhef.nl>
30
* NIKHEF Amsterdam, the Netherlands
31
*
32
* 2003-2007
33
* Martijn Steenbakkers <martijn@nikhef.nl>
34
* Gerben Venekamp <venekamp@nikhef.nl>
35
* Oscar Koeroo <okoeroo@nikhef.nl>
36
* David Groep <davidg@nikhef.nl>
37
* NIKHEF Amsterdam, the Netherlands
38
*
39
*/
40
41
42
/*!
43
\page lcmaps_voms_localgroup.mod voms localgroup plugin
44
45
\section vomslocalgroupsyn SYNOPSIS
46
\b lcmaps_voms_localgroup.mod
47
-GROUPMAPFILE|-groupmapfile|-GROUPMAP|-groupmap \<groupmapfile\>
48
[-mapall] [-mapmin \<group count\>]
49
50
\section vomslocalgroupdesc DESCRIPTION
51
52
The localgroup acquisition plugin is a 'VOMS-aware' plugin.
53
It uses the VOMS information (acquired by the plugin \ref lcmaps_voms.mod "lcmaps_voms.mod")
54
to gather primary and secondary GIDs.
55
This is accomplished by matching VO-GROUP-ROLE(-CAPABILITY) combinations in the so-called
56
\e groupmapfile (gridmapfile style) and by finding the corresponding local GID.
57
Wildcards can be used in the groupmapfile to match VO-GROUP-ROLE combinations.
58
59
EXAMPLE 'groupmapfile':
60
61
\c "/VO=atlas/GROUP=mcprod" \c atmcprod
62
63
\c "/VO=atlas/GROUP=*" \c atlasgrps
64
65
66
A VO-GROUP combination /VO=atlas/GROUP=mcprod matches \c "/VO=atlas/GROUP=mcprod",
67
resulting in a mapping to the GID of the 'atmcprod' group.
68
All the other groups within the 'atlas' VO will be mapped to 'atlasgrps'.
69
A user with /VO=cms/GROUP=user will not be mapped to any local system group, unless there will
70
be an extra row in the groupmapfile like '\c "/VO=*" \c allothers'
71
resulting in a mapping from any other VO-GROUP-ROLE combination to 'allothers'.
72
The mapping is based on the first match found for a VO-GROUP-ROLE combination, implying
73
that the most significant row must be on top.
74
75
The poolgroup plugin will try to match each VO-GROUP-ROLE combination that was
76
found by the plugin \ref lcmaps_voms.mod "lcmaps_voms.mod".
77
The first VO-GROUP-ROLE combination will become the primary group, the others secondary groups.
78
As the primary GID may be used for auditing and accounting purposes it is important that
79
the user uses the correct ordering of VO-GROUP-ROLE combinations in his grid credential (X509
80
certificate).
81
82
\section options OPTIONS
83
\subsection vomslocalgroupoptie1 -GROUPMAPFILE \<groupmapfile\>
84
See \ref vomslocalgroupoptie4 "-groupmap"
85
86
\subsection vomslocalgroupoptie2 -groupmapfile \<groupmapfile\>
87
See \ref vomslocalgroupoptie4 "-groupmap"
88
89
\subsection vomslocalgroupoptie3 -GROUPMAP \<groupmapfile\>
90
See \ref vomslocalgroupoptie4 "-groupmap"
91
92
\subsection vomslocalgroupoptie4 -groupmap \<groupmapfile\>
93
If this option is set, it will override the default path to the groupmapfile.
94
It is advised to use an absolute path to the groupmapfile to avoid usage of the wrong file(path).
95
96
\subsection vomslocalgroupoptie5 -mapall
97
If this parameter is set, the plugin only succeeds if it manages to map all voms data entries
98
to (system) groups and find their GID.
99
There is no communication between different plugins (like the voms_poolgroup plugin)
100
about the failures.
101
A log entry will state the VO-GROUP-ROLE combination that made the plugin fail.
102
103
\subsection vomslocalgroupoptie6 -mapmin \<group count\>
104
This option will set a minimum amount of groups that have to be resolved for later mapping.
105
If the minimum is not set then the minimum amount is set to '0' by default.
106
If the plugin is not able to the required number of local groups it will fail.
107
Note: if the minimum is set to zero or the minimum is not set
108
the plugin will return a success if no other errors occur, even if no local groups were found.
109
110
\section vomslocalgroupReturnvalue RETURN VALUES
111
\li LCMAPS_MOD_SUCCESS : Success
112
\li LCMAPS_MOD_FAIL : Failure
113
114
115
\section vomslocalgroupErrors ERRORS
116
See bugzilla for known errors (http://marianne.in2p3.fr/datagrid/bugzilla/)
117
118
\section vomslocalgroupSeeAlso SEE ALSO
119
\ref lcmaps_voms.mod "lcmaps_voms.mod",
120
\ref lcmaps_voms_poolaccount.mod "lcmaps_voms_poolaccount.mod",
121
\ref lcmaps_voms_poolgroup.mod "lcmaps_voms_poolgroup.mod",
122
\ref lcmaps_localaccount.mod "lcmaps_localaccount.mod",
123
\ref lcmaps_poolaccount.mod "lcmaps_poolaccount.mod",
124
\ref lcmaps_posix_enf.mod "lcmaps_posix_enf.mod",
125
\ref lcmaps_ldap_enf.mod "lcmaps_ldap_enf.mod",
126
*/
127
128
/*!
129
\file lcmaps_voms_localgroup.c
130
\brief Interface to the LCMAPS plugins
131
\author Martijn Steenbakkers for the EU DataGrid.
132
133
This file contains the code of the voms_localgroup plugin
134
-# plugin_initialize()
135
-# plugin_run()
136
-# plugin_terminate()
137
-# plugin_introspect()
138
*/
139
140
/*****************************************************************************
141
Include header files
142
******************************************************************************/
143
#include <stdio.h>
144
#include <stdlib.h>
145
#include <string.h>
146
#include <pwd.h>
147
#include <ctype.h>
148
149
#include "lcmaps_voms_config.h"
150
#include <lcmaps/lcmaps_modules.h>
151
#include <lcmaps/lcmaps_arguments.h>
152
#include <lcmaps/lcmaps_cred_data.h>
153
#include "lcmaps_gridlist.h"
154
155
/******************************************************************************
156
Definitions
157
******************************************************************************/
158
#define PLUGIN_RUN 0
159
#define PLUGIN_VERIFY 1
160
161
/******************************************************************************
162
Module specific prototypes
163
******************************************************************************/
164
static int plugin_run_or_verify(int, lcmaps_argument_t *, int);
165
166
/******************************************************************************
167
Define module specific variables
168
******************************************************************************/
169
170
static char *groupmapfile = NULL;
171
static int mapall = 0;
172
static int mapmin = 0;
173
static int map_to_secondary_groups = 0;
174
175
/******************************************************************************
176
Function: plugin_initialize
177
Description:
178
Initialize plugin
179
Parameters:
180
argc, argv
181
argv[0]: the name of the plugin
182
Returns:
183
LCMAPS_MOD_SUCCESS : succes
184
LCMAPS_MOD_FAIL : failure
185
LCMAPS_MOD_NOFILE : db file not found (will halt LCMAPS initialization)
186
******************************************************************************/
187
int plugin_initialize(
188
int argc,
189
char ** argv
190
)
191
{
192
char * logstr = "lcmaps_plugin_voms_localgroup-plugin_initialize()";
193
int i, j;
194
195
lcmaps_log_debug(5,"%s: passed arguments:\n", logstr);
196
for (i=0; i < argc; i++)
197
{
198
lcmaps_log_debug(5,"%s: arg %d is %s\n", logstr, i, argv[i]);
199
}
200
201
/*
202
* the first will be the thing to edit/select (groupmap(file))
203
*/
204
205
/*
206
* Parse arguments, argv[0] = name of plugin, so start with i = 1
207
*/
208
for (i = 1; i < argc; i++)
209
{
210
if ( ((strcmp(argv[i], "-groupmap") == 0) ||
211
(strcmp(argv[i], "-GROUPMAP") == 0) ||
212
(strcmp(argv[i], "-groupmapfile") == 0) ||
213
(strcmp(argv[i], "-GROUPMAPFILE") == 0))
214
&& (i + 1 < argc))
215
{
216
if ((argv[i + 1] != NULL) && (strlen(argv[i + 1]) > 0))
217
{
218
groupmapfile = strdup(argv[i + 1]);
219
}
220
i++;
221
}
222
else if (strcmp(argv[i], "--map-to-secondary-groups") == 0)
223
{
224
map_to_secondary_groups = 1;
225
}
226
else if (strcmp(argv[i], "-mapall") == 0)
227
{
228
mapall = 1;
229
}
230
else if ((strcmp(argv[i], "-mapmin") == 0)
231
&& (i + 1 < argc))
232
{
233
if ((argv[i + 1] != NULL) && (strlen(argv[i + 1]) > 0))
234
{
235
/* check parameter integrety */
236
for (j = 0; j < (strlen(argv[i + 1])); j++)
237
{
238
if (isdigit((argv[i + 1])[j]) == 0)
239
{
240
lcmaps_log(LOG_ERR,"%s: Error in initialization parameter: %s (%s is not a number)\n", logstr, argv[i], argv[i + 1]);
241
return LCMAPS_MOD_FAIL;
242
}
243
}
244
245
mapmin = atoi(argv[i + 1]);
246
}
247
i++;
248
}
249
else
250
{
251
lcmaps_log(LOG_ERR,"%s: Error in initialization parameter: %s (failure)\n", logstr,
252
argv[i]);
253
return LCMAPS_MOD_FAIL;
254
}
255
}
256
257
return LCMAPS_MOD_SUCCESS;
258
}
259
260
/******************************************************************************
261
Function: plugin_introspect
262
Description:
263
return list of required arguments
264
Parameters:
265
266
Returns:
267
LCMAPS_MOD_SUCCESS : succes
268
LCMAPS_MOD_FAIL : failure
269
******************************************************************************/
270
int plugin_introspect(
271
int * argc,
272
lcmaps_argument_t ** argv
273
)
274
{
275
char * logstr = "lcmaps_plugin_voms_localgroup-plugin_introspect()";
276
static lcmaps_argument_t argList[] = {
277
{"user_dn" , "char *" , 0, NULL},
278
{"fqan_list" , "char **" , 0, NULL},
279
{"nfqan" , "int" , 0, NULL},
280
{NULL , NULL , -1, NULL}
281
};
282
283
lcmaps_log_debug(4,"%s: introspecting\n", logstr);
284
285
*argv = argList;
286
*argc = lcmaps_cntArgs(argList);
287
lcmaps_log_debug(5,"%s: address first argument: 0x%x\n", logstr,argList);
288
289
return LCMAPS_MOD_SUCCESS;
290
}
291
292
293
/******************************************************************************
294
Function: plugin_run
295
Description:
296
Gather credentials for LCMAPS
297
Parameters:
298
argc: number of arguments
299
argv: list of arguments
300
Returns:
301
LCMAPS_MOD_SUCCESS: authorization succeeded
302
LCMAPS_MOD_FAIL : authorization failed
303
******************************************************************************/
304
int plugin_run(
305
int argc,
306
lcmaps_argument_t * argv
307
308
)
309
{
310
return plugin_run_or_verify(argc, argv, PLUGIN_RUN);
311
}
312
313
/******************************************************************************
314
Function: plugin_verify
315
Description:
316
Verify if user is entitled to use local credentials based on his grid
317
credentials. This means that the site should already have been set up
318
by, e.g., LCMAPS in a previous run. This method will not try to setup
319
account leases, modify (distributed) passwd/group files, etc. etc.
320
The outcome should be identical to that of plugin_run().
321
In this particular case "plugin_verify()" is identical to "plugin_run()"
322
323
Parameters:
324
argc: number of arguments
325
argv: list of arguments
326
Returns:
327
LCMAPS_MOD_SUCCESS: authorization succeeded
328
LCMAPS_MOD_FAIL : authorization failed
329
******************************************************************************/
330
int plugin_verify(
331
int argc,
332
lcmaps_argument_t * argv
333
)
334
{
335
return plugin_run_or_verify(argc, argv, PLUGIN_VERIFY);
336
}
337
338
static int plugin_run_or_verify(
339
int argc,
340
lcmaps_argument_t * argv,
341
int lcmaps_mode
342
)
343
{
344
char * logstr = "lcmaps_plugin_voms_localgroup-plugin_run()";
345
char * dn = NULL;
346
int dn_cnt = 0;
347
char * groupname = NULL;
348
struct group * group_info = NULL;
349
int i = 0;
350
char ** vo_cred_string_list = NULL;
351
int cnt_vo_cred_string = 0;
352
int group_counter = 0;
353
int rc = 0;
354
lcmaps_vo_mapping_t * lcmaps_vo_mapping = NULL;
355
char ** fqan_list = NULL;
356
int nfqan = -1;
357
358
/*
359
* The beginning
360
*/
361
if (lcmaps_mode == PLUGIN_RUN)
362
logstr = "lcmaps_plugin_voms_localgroup-plugin_run()";
363
else if (lcmaps_mode == PLUGIN_VERIFY)
364
logstr = "lcmaps_plugin_voms_localgroup-plugin_verify()";
365
else
366
{
367
lcmaps_log(LOG_ERR, "lcmaps_plugin_voms_localgroup-plugin_run_or_verify(): attempt to run plugin in invalid mode: %d\n", lcmaps_mode);
368
goto fail_voms_localgroup;
369
}
370
lcmaps_log_debug(4,"%s:\n", logstr);
371
372
/*
373
* Try to get the ordered values:
374
*/
375
if ( (dn = *(char **) lcmaps_getArgValue("user_dn", "char *", argc, argv) ) )
376
{
377
lcmaps_log_debug(5,"%s: found dn: %s\n", logstr, dn);
378
379
/* Check if we don't have a DN already registered, if not, add it to the internal registry */
380
getCredentialData (DN, &dn_cnt);
381
if (dn_cnt == 0)
382
{
383
lcmaps_log_debug (5, "%s: Adding DN: %s\n", logstr, dn);
384
addCredentialData(DN, &dn);
385
}
386
}
387
else
388
lcmaps_log_debug(1,"%s: could not get value of dn !\n", logstr);
389
390
/*
391
* Get the VO user information.
392
* We can either order it by lcmaps_argument_t or use the getCredentialData() function.
393
* The latter case requires the voms parsing plugin (lcmaps_voms.mod) to have run beforehand.
394
* Unfortunately the formats of the VOMS strings (from getCredentialData()) and
395
* FQANs (from lcmaps_argument_t) are not the same. We may have to introduce
396
* two-way conversion functions.
397
* The VOMS info has to matched against the info in the gridmapfile
398
*/
399
lcmaps_log_debug(1,"%s: First try to get the FQAN list from input credential repository ...\n", logstr);
400
if ( ( nfqan = *(int *) lcmaps_getArgValue("nfqan", "int", argc, argv) ) )
401
{
402
lcmaps_log_debug(1,"%s: the list of FQANs should contain %d elements\n", logstr, nfqan);
403
if ( ( fqan_list = *(char ***) lcmaps_getArgValue("fqan_list", "char **", argc, argv) ) )
404
lcmaps_log_debug(1, "%s: found list of FQANs\n", logstr);
405
else
406
{
407
lcmaps_log_debug(1, "%s: could not retrieve list of FQANs (failure)!\n", logstr);
408
goto fail_voms_localgroup;
409
}
410
for (i = 0; i < nfqan; i++)
411
{
412
lcmaps_log_debug(3, "%s: FQAN %d: %s\n", logstr, i, fqan_list[i]);
413
}
414
vo_cred_string_list = fqan_list;
415
cnt_vo_cred_string = nfqan;
416
}
417
else
418
{
419
lcmaps_log_debug(1,"%s: ... did not find input credentials in input credential repository...\n", logstr);
420
lcmaps_log_debug(1,"%s: ... trying the internal credential repository ...\n", logstr);
421
422
vo_cred_string_list = getCredentialData(LCMAPS_VO_CRED_STRING, &cnt_vo_cred_string);
423
}
424
425
if (cnt_vo_cred_string == 0)
426
{
427
lcmaps_log(LOG_INFO,"%s: no VOMS group info --> no mapping\n", logstr);
428
goto fail_voms_localgroup;
429
}
430
else if (cnt_vo_cred_string < 0)
431
{
432
lcmaps_log(LOG_ERR,"%s: negative number of VOMS groups found ! (failure)\n", logstr);
433
goto fail_voms_localgroup;
434
}
435
436
/*
437
* Check the groupmapfile
438
*/
439
440
if ((groupmapfile != NULL) && (strlen(groupmapfile) > 0))
441
lcmaps_log_debug(1,"%s: groupmapfile is: %s\n", logstr, groupmapfile);
442
else
443
{
444
lcmaps_log(LOG_ERR,"%s: error finding the groupmapfile: %s (hint: use the option \"-groupmapfile <groupmapfile>\")\n", logstr, groupmapfile);
445
goto fail_voms_localgroup;
446
}
447
448
/*
449
* Try to find the unix groups from the VO info in the groupmapfile
450
* The first group (if found) should become the primary group
451
*/
452
for (i = 0; i < cnt_vo_cred_string; i++)
453
{
454
/* clean groupname before each call to lcmaps_gridlist */
455
if (groupname) free(groupname);
456
groupname = NULL;
457
if ( (rc = lcmaps_gridlist(vo_cred_string_list[i], &groupname, groupmapfile, MATCH_EXCLUDE|MATCH_WILD_CHARS, ".", NULL) ) == 0)
458
{
459
lcmaps_log_debug(1,"%s: found groupname: %s\n", logstr, groupname);
460
group_counter++;
461
462
if (groupname && (strlen(groupname) > 0))
463
{
464
if ( ( group_info = getgrnam(groupname) ) )
465
{
466
/* When map_to_secondary_groups is true, all results will be stored as secondary Unix group IDs */
467
if ((i == 0) && (!map_to_secondary_groups))
468
{
469
/* First VO group */
470
addCredentialData(PRI_GID, (void *) &(group_info->gr_gid));
471
}
472
else
473
{
474
/* Other VO groups */
475
addCredentialData(SEC_GID, (void *) &(group_info->gr_gid));
476
}
477
/*
478
* The coupling between VO information and the GID is maintained
479
* in the lcmaps_vo_mapping structure, which is added to the credential data
480
*/
481
lcmaps_vo_mapping=lcmaps_createVoMapping(
482
vo_cred_string_list[i],
483
groupname,
484
group_info->gr_gid
485
);
486
if (! lcmaps_vo_mapping)
487
{
488
lcmaps_log(LOG_ERR,"%s: could not create VoMapping structure (failure)\n", logstr);
489
goto fail_voms_localgroup;
490
}
491
// lcmaps_printVoMapping(2, lcmaps_vo_mapping);
492
/* Add credential */
493
addCredentialData(LCMAPS_VO_CRED_MAPPING, (void *) lcmaps_vo_mapping);
494
if ( lcmaps_deleteVoMapping(&lcmaps_vo_mapping) )
495
{
496
lcmaps_log(LOG_ERR,"%s: error while deleting VoMapping structure (failure)\n", logstr);
497
goto fail_voms_localgroup;
498
}
499
}
500
else
501
{
502
lcmaps_log(LOG_ERR,"%s: no Unix group id found for groupname = \"%s\"\n", logstr, groupname);
503
goto fail_voms_localgroup;
504
}
505
}
506
else
507
{
508
lcmaps_log(LOG_ERR,"%s: error getting value of groupname (failure)!\n", logstr);
509
goto fail_voms_localgroup;
510
}
511
}
512
else if (rc == LCMAPS_MOD_NOFILE)
513
{
514
lcmaps_log(LOG_ERR, "%s: Could not find the groupmapfile %s\n", logstr, groupmapfile);
515
goto fail_voms_localgroup;
516
}
517
else
518
{
519
lcmaps_log_debug(1,"%s: could not get value of groupname !\n", logstr);
520
if (mapall)
521
{
522
lcmaps_log(LOG_INFO,"%s: no mapping for VO group %s\n", logstr, vo_cred_string_list[i]);
523
goto fail_voms_localgroup;
524
}
525
}
526
}
527
528
if (group_counter < mapmin)
529
{
530
lcmaps_log(LOG_ERR,"%s: Not enough groups found. The minimum is set to %d. The plugin found %d\n", logstr, mapmin, group_counter);
531
goto fail_voms_localgroup;
532
}
533
534
/* success */
535
success_voms_localgroup:
536
if (groupname) free(groupname);
537
lcmaps_log(LOG_INFO,"%s: voms_localgroup plugin succeeded\n", logstr);
538
return LCMAPS_MOD_SUCCESS;
539
540
fail_voms_localgroup:
541
if (groupname) free(groupname);
542
lcmaps_log(LOG_INFO,"%s: voms_localgroup plugin failed\n", logstr);
543
return LCMAPS_MOD_FAIL;
544
}
545
546
/******************************************************************************
547
Function: plugin_terminate
548
Description:
549
Terminate plugin
550
Parameters:
551
552
Returns:
553
LCMAPS_MOD_SUCCESS : succes
554
LCMAPS_MOD_FAIL : failure
555
******************************************************************************/
556
int plugin_terminate()
557
{
558
char * logstr = "lcmaps_plugin_voms_localgroup-plugin_terminate()";
559
560
lcmaps_log_debug(4,"%s: terminating\n", logstr);
561
562
if (groupmapfile) free(groupmapfile);
563
564
return LCMAPS_MOD_SUCCESS;
565
}
566
567
/******************************************************************************
568
CVS Information:
569
$Source: /srv/home/dennisvd/svn/mw-security/lcmaps-plugins-voms/src/voms/lcmaps_voms_localgroup.c,v $
570
$Date: 2010-02-19 06:01:37 $
571
$Revision: 1.8 $
572
$Author: okoeroo $
573
******************************************************************************/
Loggerhead is a web-based interface for Breezy
Version: 2.0.1