6
#include <arc/Logger.h>
9
#include "../../../gridftpd/auth/gacl_auth.h"
10
#include "../../../gridftpd/auth/permission_gacl.h"
12
#include <arc/security/ArcPDP/Evaluator.h>
13
#include <arc/security/ArcPDP/EvaluatorLoader.h>
14
#include <arc/message/SecAttr.h>
17
#include "jobplugin.h"
19
static Arc::Logger logger(Arc::Logger::getRootLogger(),"JobPlugin");
22
int JobPlugin::check_acl(const char* acl_file,bool spec,const std::string& id) {
24
GACLacl* acl = GACLloadAcl((char*)(acl_file));
26
logger.msg(Arc::ERROR, "Failed to read job's ACL for job %s from %s", id, config.ControlDir());
29
GACLperm perm = AuthUserGACLTest(acl,user_a);
31
if(GACLhasList(perm)) res|=IS_ALLOWED_LIST;
32
if(GACLhasRead(perm) | GACLhasWrite(perm)) res|=(IS_ALLOWED_READ | IS_ALLOWED_LIST);
33
if(GACLhasAdmin(perm)) res|=(IS_ALLOWED_READ | IS_ALLOWED_WRITE | IS_ALLOWED_LIST);
35
if(GACLhasList(perm)) res|=IS_ALLOWED_LIST;
36
if(GACLhasRead(perm)) res|=IS_ALLOWED_READ;
37
if(GACLhasWrite(perm)) res|=IS_ALLOWED_WRITE;
38
if(GACLhasAdmin(perm)) res|=(IS_ALLOWED_READ | IS_ALLOWED_WRITE | IS_ALLOWED_LIST);
45
#define EVALUATE_ACTION(request,allowed_to,action_name) {\
46
for(Arc::XMLNode entry = request["entry"];(bool)entry;++entry) {\
47
entry["allow"].Destroy();\
48
entry.NewChild("allow").NewChild(action_name);\
50
ArcSec::Response *resp = eval->evaluate(request,policy.Ptr());\
52
ArcSec::ResponseList& rlist = resp->getResponseItems();\
53
for(int n = 0; n<rlist.size(); ++n) {\
54
ArcSec::ResponseItem* ritem = rlist[n];\
56
if(ritem->res != ArcSec::DECISION_PERMIT) continue;\
57
allowed_to=true; break;\
62
int JobPlugin::check_acl(const char* acl_file,bool spec,const std::string& id) {
64
// TODO: this code is not complete yet
65
// Identify and parse policy
66
ArcSec::EvaluatorLoader eval_loader;
67
Arc::AutoPointer<ArcSec::Policy> policy(eval_loader.getPolicy(ArcSec::SourceFile(acl_file)));
69
logger.msg(Arc::ERROR, "Failed to parse user policy for job %s", id);
72
Arc::AutoPointer<ArcSec::Evaluator> eval(eval_loader.getEvaluator(policy.Ptr()));
74
logger.msg(Arc::VERBOSE, "Failed to load policy evaluator for policy of job %s", id);
77
std::string policyname = policy->getName();
78
if((policyname.length() > 7) &&
79
(policyname.substr(policyname.length()-7) == ".policy")) {
80
policyname.resize(policyname.length()-7);
82
if(policyname == "arc") {
84
} else if(policyname == "gacl") {
85
// Creating request - directly with XML
87
Arc::XMLNode request(ns,"gacl");
88
bool allowed_to_list = false;
89
bool allowed_to_read = false;
90
bool allowed_to_write = false;
91
bool allowed_to_admin = false;
92
// Collect all security attributes
94
std::string user_identity = user_a.DN();
95
const std::vector<struct voms>& user_voms = user_a.voms();
96
Arc::XMLNode entry = request.NewChild("entry");
97
if(!user_identity.empty()) entry.NewChild("person").NewChild("dn") = user_identity;
99
for(std::vector<struct voms>::const_iterator v = user_voms.begin();
100
v != user_voms.end();++v) {
101
for(std::vector<std::string>::const_iterator a = v->fqans.begin();
102
a != v->fqans.end();++a) {
103
if(!voms) voms = entry.NewChild("voms");
104
voms.NewChild("fqan") = *a;
106
voms = Arc::XMLNode(); // ??
109
// Evaluate every action separately
110
EVALUATE_ACTION(request,allowed_to_list,"list");
111
EVALUATE_ACTION(request,allowed_to_read,"read");
112
EVALUATE_ACTION(request,allowed_to_write,"write");
113
EVALUATE_ACTION(request,allowed_to_admin,"admin");
115
if(allowed_to_list) res|=IS_ALLOWED_LIST;
116
if(allowed_to_read | allowed_to_write) res|=(IS_ALLOWED_READ | IS_ALLOWED_LIST);
117
if(allowed_to_admin) res|=(IS_ALLOWED_READ | IS_ALLOWED_WRITE | IS_ALLOWED_LIST);
119
if(allowed_to_list) res|=IS_ALLOWED_LIST;
120
if(allowed_to_read) res|=IS_ALLOWED_READ;
121
if(allowed_to_write) res|=IS_ALLOWED_WRITE;
122
if(allowed_to_admin) res|=(IS_ALLOWED_READ | IS_ALLOWED_WRITE | IS_ALLOWED_LIST);
125
logger.msg(Arc::VERBOSE, "Unknown ACL policy %s for job %s", policyname, id);