lcmaps_voms.c

Go to the documentation of this file.

/*                                                                                                            
 * Copyright (c) Members of the EGEE Collaboration. 2004.
 * See http://eu-egee.org/partners/ for details on the copyright holders.
 * For license conditions see the license file or
 * http://eu-egee.org/license.html
 */

/*
 * Copyright (c) 2001 EU DataGrid.                                                                             
 * For license conditions see http://www.eu-datagrid.org/license.html                                          
 *
 * Copyright (c) 2001, 2002 by 
 *     Martijn Steenbakkers <martijn@nikhef.nl>,
 *     David Groep <davidg@nikhef.nl>,
 *     NIKHEF Amsterdam, the Netherlands
 */

/*****************************************************************************
                            Include header files
******************************************************************************/
#include "lcmaps_config.h"
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <pwd.h>
#include <openssl/x509.h>
#include "gssapi.h"

#include "lcmaps_modules.h"
#include "lcmaps_arguments.h"
#include "lcmaps_cred_data.h"
#include "lcmaps_voms_utils.h"
#include "lcmaps_vo_data.h"

#include "voms_apic.h"
#include "globus_gss_assist.h"

#undef TESTBIO
#ifdef TESTBIO
#    include <openssl/pem.h>
#    include <openssl/bio.h>
#endif


/******************************************************************************
                                Definitions
******************************************************************************/

#define VOMS_BUFFER_SIZE 1024


/******************************************************************************
                          Module specific prototypes
******************************************************************************/
static void print_vomsdata(struct vomsdata *);

#ifdef TESTBIO
static STACK_OF(X509) *load_chain(char *certfile);
static char *retmsg[] = { "VERR_NONE", "VERR_NOSOCKET", "VERR_NOIDENT", "VERR_COMM", 
                          "VERR_PARAM", "VERR_NOEXT", "VERR_NOINIT",
                          "VERR_TIME", "VERR_IDCHECK", "VERR_EXTRAINFO",
                          "VERR_FORMAT", "VERR_NODATA", "VERR_PARSE",
                          "VERR_DIR", "VERR_SIGN", "VERR_SERVER", 
                          "VERR_MEM", "VERR_VERIFY", "VERR_IDENT",
                          "VERR_TYPE", "VERR_ORDER" };
#endif

/******************************************************************************
                       Define module specific variables
******************************************************************************/


static char * certdir = NULL;
static char * vomsdir = NULL;
static char   voms_buffer[VOMS_BUFFER_SIZE];

#ifdef TESTBIO
static STACK_OF(X509) *load_chain(char *certfile)
{
    STACK_OF(X509_INFO) *sk=NULL;
    STACK_OF(X509) *stack=NULL, *ret=NULL;
    BIO *in=NULL;
    X509_INFO *xi;
    int first = 1;

    if(!(stack = sk_X509_new_null()))
    {
        printf("%s: memory allocation failure\n", logstr);
        goto end;
    }

    if(!(in=BIO_new_file(certfile, "r")))
    {
        printf("%s: error opening the file, %s\n", logstr,certfile);
        goto end;
    }

    /* This loads from a file, a stack of x509/crl/pkey sets */
    if(!(sk=PEM_X509_INFO_read_bio(in,NULL,NULL,NULL)))
    {
        printf("%s: error reading the file, %s\n", logstr,certfile);
        goto end;
    }

    /* scan over it and pull out the certs */
    while (sk_X509_INFO_num(sk))
    {
        /* skip first cert */
        if (first)
        {
            first = 0;
            continue;
        }
        xi=sk_X509_INFO_shift(sk);
        if (xi->x509 != NULL)
        {
            sk_X509_push(stack,xi->x509);
            xi->x509=NULL;
        }
        X509_INFO_free(xi);
    }
    if(!sk_X509_num(stack))
    {
        printf("%s: no certificates in file, %s\n", logstr,certfile);
        sk_X509_free(stack);
        goto end;
    }
    ret=stack;
end:
    BIO_free(in);
    sk_X509_INFO_free(sk);
    return(ret);
}
#endif

/******************************************************************************
Function:   plugin_initialize
Description:
    Initialize plugin
Parameters:
    argc, argv
    argv[0]: the name of the plugin
Returns:
    LCMAPS_MOD_SUCCESS : succes
    LCMAPS_MOD_FAIL    : failure
    LCMAPS_MOD_NOFILE  : db file not found (will halt LCMAPS initialization)
******************************************************************************/
int plugin_initialize(
        int argc,
        char ** argv
)
{
    char * logstr = "\tlcmaps_plugin_voms-plugin_initialize()";
    int i;
 
    lcmaps_log_debug(1,"%s: passed arguments:\n", logstr);
    for (i=0; i < argc; i++)
    {
       lcmaps_log_debug(2,"%s: arg %d is %s\n", logstr, i, argv[i]);
    }
 
    /*
     * CERTDIR = The directory which contains the CA certificates
     * VOMSDIR = The directory which contains the certificates of the VOMS servers 
     */
 
    /*
     * Parse arguments, argv[0] = name of plugin, so start with i = 1
     */
    for (i = 1; i < argc; i++)
    {
        if ( ((strcmp(argv[i], "-vomsdir") == 0) ||
              (strcmp(argv[i], "-VOMSDIR") == 0))
             && (i + 1 < argc))
        {
            if ((argv[i + 1] != NULL) && (strlen(argv[i + 1]) > 0))
            {
                 vomsdir = strdup(argv[i + 1]);
            }
            i++;
        }
        else if ( ((strcmp(argv[i], "-certdir") == 0) ||
                   (strcmp(argv[i], "-CERTDIR") == 0))
                   && (i + 1 < argc))
        {
            if ((argv[i + 1] != NULL) && (strlen(argv[i + 1]) > 0))
            {
                 certdir = strdup(argv[i + 1]);
            }
            i++;
        }
        else
        {
            lcmaps_log(0,"%s: Error in initialization parameter: %s (failure)\n", logstr,
                       argv[i]);
            return LCMAPS_MOD_FAIL;
        }
    }
    return LCMAPS_MOD_SUCCESS;
} 


/******************************************************************************
Function:   plugin_introspect
Description:
    return list of required arguments
Parameters:

Returns:
    LCMAPS_MOD_SUCCESS : succes
    LCMAPS_MOD_FAIL    : failure
******************************************************************************/
int plugin_introspect(
        int * argc,
        lcmaps_argument_t ** argv
)
{
    char * logstr = "\tlcmaps_plugin_voms-plugin_introspect()";
    static lcmaps_argument_t argList[] = {
        { "user_dn"   , "char *"        ,  1, NULL},
        { "user_cred" , "gss_cred_id_t" ,  0, NULL},
        { NULL        , NULL            , -1, NULL}
    };

    lcmaps_log_debug(1,"%s: introspecting\n", logstr);

    *argv = argList;
    lcmaps_log_debug(4,"%s: before lcmaps_cntArgs()\n", logstr);
    *argc = lcmaps_cntArgs(argList);
    lcmaps_log_debug(1,"%s: address first argument: 0x%x\n", logstr,argList);

    return LCMAPS_MOD_SUCCESS;
}


/******************************************************************************
Function:   plugin_run
Description:
    Gather credentials for LCMAPS
Parameters:
    argc: number of arguments
    argv: list of arguments
Returns:
    LCMAPS_MOD_SUCCESS: authorization succeeded
    LCMAPS_MOD_FAIL   : authorization failed
******************************************************************************/
int plugin_run(
        int argc,
        lcmaps_argument_t * argv
)
{
    char * logstr = "\tlcmaps_plugin_voms-plugin_run()";
    char *              dn          = NULL; 
    struct vomsdata *   vd          = NULL;
    int                 errNo       = 0;
    gss_cred_id_t *     pcred       = NULL;
    gss_cred_id_t       cred        = GSS_C_NO_CREDENTIAL;
    X509 *              px509_cred  = NULL;
    STACK_OF(X509) *    px509_chain = NULL;

#ifdef TESTBIO
    int err;
    int res;
    BIO *in = NULL;
    X509 *x = NULL;
    STACK_OF(X509) *chain;
#endif


    /*
     * The beginning
     */
    lcmaps_log_debug(1,"%s:\n", logstr);

    /*
     * Try to get the ordered values:
     */
    if ( ( dn = *(char **) lcmaps_getArgValue("user_dn", "char *", argc, argv) ) )
        lcmaps_log_debug(1,"%s: found dn: %s\n", logstr,dn);
    else
        lcmaps_log_debug(1,"%s: could not get value of dn !\n", logstr);

    /* Fetch user gss credential */
    if ( ( pcred = (gss_cred_id_t *) lcmaps_getArgValue("user_cred", "gss_cred_id_t", argc, argv) ) )
    {
        lcmaps_log_debug(2,"%s: address user_cred: %p\n", logstr,pcred);
        cred = *pcred;
        if (cred == GSS_C_NO_CREDENTIAL)
        {
            lcmaps_log(0,"%s: user gss credential is empty ! (exit voms)\n", logstr);
            goto fail_voms;
        }
    }
    else
    {
        lcmaps_log(0,"%s: could not get address of user_cred (exit voms)!\n", logstr);
        goto fail_voms;
    }

#undef EXPORT_CREDENTIAL
#if EXPORT_CREDENTIAL
    if (cred)
    {
        gss_buffer_desc                 deleg_proxy_filename;
        OM_uint32         major_status = 0;
        OM_uint32         minor_status = 0;
        
        major_status = gss_export_cred(&minor_status,
                                       cred,
                                       NULL,
                                       1,
                                       &deleg_proxy_filename);

        if (major_status == GSS_S_COMPLETE)
        {
            char *                      cp;

            lcmaps_log_debug(1,"%s: deleg_proxy_filename.value: %s\n", logstr,
                               deleg_proxy_filename.value);
            cp = strchr((char *)deleg_proxy_filename.value, '=');
            *cp = '\0';
            cp++;
            setenv((char *)deleg_proxy_filename.value, cp, 1);
            free(deleg_proxy_filename.value);
        }
        else
        {
            char *                      error_str = NULL;
            globus_object_t *           error_obj;

            error_obj = globus_error_get((globus_result_t) minor_status);
            
            error_str = globus_error_print_chain(error_obj);
            lcmaps_log(0,"%s: Error, gss_export_cred(): %s\n", logstr,error_str);
            goto fail_voms;
        }
    }
#endif /* EXPORT_CREDENTIAL */

    /*
     * Retrieve a newly created X509 struct and X509 chain from gss credential (should be freed)
     */
    if ( ( px509_cred = lcmaps_cred_to_x509(cred) ) )
    {
        lcmaps_log_debug(1,"%s: found X509 struct inside gss credential\n", logstr);
        lcmaps_log_debug(5,"%s: just for kicks: X509->name %s\n", logstr,px509_cred->name);
    }
    else
    {
        lcmaps_log(0,"%s: could not get X509 cred (exit voms)!\n", logstr);
        goto fail_voms;
    }
    if ( ( px509_chain = lcmaps_cred_to_x509_chain(cred) ) )
    {
        lcmaps_log_debug(1,"%s: found X509 chain inside gss credential\n", logstr);
    }
    else
    {
        lcmaps_log(0,"%s: could not get X509 chain (exit voms)!\n", logstr);
        goto fail_voms;
    }

    lcmaps_log_debug(1,"%s: vomsdir = %s\n", logstr, vomsdir);
    lcmaps_log_debug(1,"%s: certdir = %s\n", logstr, certdir);
    if ((vd = VOMS_Init(vomsdir, certdir)) == NULL)
    {
        lcmaps_log(0,"%s: failed to initialize voms data structure\n", logstr);
        lcmaps_log(0,"%s:  This may be because either the specified voms directory (%s)\n",logstr,vomsdir);
        lcmaps_log(0,"%s:  or the specified CA certificates directory (%s) does not exist\n", logstr, certdir);
        goto fail_voms;
    }
    lcmaps_log_debug(1,"%s: voms data structure initialized\n", logstr);

#ifdef TESTBIO
    in = BIO_new(BIO_s_file());
    chain = load_chain("/home/gridtest/cvs/fabric_mgt/gridification/lcmaps/modules/voms/x509up_u500");
    if (in)
    {
        if (BIO_read_filename(in, "/home/gridtest/cvs/fabric_mgt/gridification/lcmaps/modules/voms/x509up_u500") > 0)
        {
            x = PEM_read_bio_X509(in, NULL, 0, NULL);

            res = VOMS_Retrieve(x, chain, RECURSE_CHAIN, vd, &err);

            if (res)
                print_vomsdata(vd);
            else
                printf("%s: ERROR!\n", logstr);
        }
    }

    if (!res)
    {
        printf("%s: err: %s\n", logstr, retmsg[err]);
    }
#else
    if (VOMS_Retrieve(px509_cred, px509_chain, RECURSE_CHAIN, 
                         vd, &errNo))
#endif
    {
        lcmaps_vo_data_t * lcmaps_vo_data = NULL;
        struct voms **     volist = vd->data;
        struct voms *      vo;
        char *             bufptr = NULL;
        int k = 0;
        int j = 0;

        lcmaps_log_debug(1,"%s: We got something, errNo = %d\n", logstr, errNo);
        print_vomsdata(vd);
  
        while(volist[k]) {
            vo = volist[k++];
            lcmaps_log_debug(1,"%s: setting voms data for VO == %s\n", logstr,
                             vo->voname);

            switch (vo->type) {
                case TYPE_NODATA:
                    lcmaps_log_debug(1,"%s: NO DATA\n", logstr);
                    break;
                case TYPE_CUSTOM:
                    lcmaps_log_debug(1,"%s: %*s\n", logstr, vo->datalen - 10, vo->custom);
                    break;
                case TYPE_STD:
                    j = 0;
                    while (vo->std[j]) {
                        lcmaps_vo_data=lcmaps_createVoData(vo->voname,vo->std[j]->group,
                                                           NULL, vo->std[j]->role, vo->std[j]->cap
                        );
                        if (! lcmaps_vo_data)
                        {
                            lcmaps_log(0,"%s: could not create VoData structure (failure)\n", logstr);
                            goto fail_voms;
                        }
//                        lcmaps_printVoData(2,lcmaps_vo_data);
                        if ( lcmaps_stringVoData(lcmaps_vo_data, voms_buffer, VOMS_BUFFER_SIZE) )
                        {
                            lcmaps_log(0,"%s: error in casting VoData structure into string (failure)\n", logstr);
                            goto fail_voms;
                        }
//                        lcmaps_log_debug(1,"%s: buffer: %s\n", logstr, voms_buffer);
                        /* Add credential */
                        /* copy address of voms_buffer[0] in bufptr, because you cannot take the address of the array voms_buffer */
                        bufptr = voms_buffer;
                        addCredentialData(LCMAPS_VO_CRED_STRING, (void *) &bufptr);
                        addCredentialData(LCMAPS_VO_CRED, (void *) lcmaps_vo_data);
                        if ( lcmaps_deleteVoData(&lcmaps_vo_data) )
                        {
                            lcmaps_log(0,"%s: error while deleting VoData structure (failure)\n", logstr);
                            goto fail_voms;
                        }
                        j++;
                    }
                    break;
            }
        }
        lcmaps_log_debug(1,"%s: doing VOMS_Destroy\n", logstr);
        VOMS_Destroy(vd);
        lcmaps_log_debug(1,"%s: done\n", logstr);
    }
#ifdef TESTBIO
#else
    else if (errNo == VERR_NOEXT)
    {
        lcmaps_log(0,"%s: VOMS extensions missing from certificate (failure)!\n", logstr);
        goto fail_voms;
    }
    else if (errNo == VERR_IDCHECK)
    {
        lcmaps_log(0,"%s: VOMS User data in extension different from the real ones (failure)!\n", logstr);
        goto fail_voms;
    }
    else if (errNo == VERR_TIME)
    {
        lcmaps_log(0,"%s: VOMS extensions expired for at least one of the VOs (failure)!\n", logstr);
        goto fail_voms;
    }
    else if (errNo == VERR_ORDER)
    {
        lcmaps_log(0,"%s: The ordering of the VOMS groups, as required by the client, was not delivered by VOMS (failure)!\n", logstr);
        goto fail_voms;
    }
    else if (errNo == VERR_NOSOCKET)
    {
        lcmaps_log(0,"%s: VOMS Socket problem (failure)!\n", logstr);
        goto fail_voms;
    }
    else if (errNo == VERR_NOIDENT)
    {
        lcmaps_log(0,"%s: VOMS Cannot identify itself (certificate problem) (failure)!\n", logstr);
        goto fail_voms;
    }
    else if (errNo == VERR_COMM)
    {
        lcmaps_log(0,"%s: VOMS server problem (failure)!\n", logstr);
        goto fail_voms;
    }
    else if (errNo == VERR_PARAM)
    {
        lcmaps_log(0,"%s: Wrong parameters for VOMS (failure)!\n", logstr);
        goto fail_voms;
    }
    else if (errNo == VERR_NOINIT)
    {
        lcmaps_log(0,"%s: VOMS initialization error (failure)!\n", logstr);
        goto fail_voms;
    }
    else if (errNo == VERR_EXTRAINFO)
    {
        lcmaps_log(0,"%s: VO name and URI missing (in proxy ?) (failure)!\n", logstr);
        goto fail_voms;
    }
    else if (errNo == VERR_FORMAT)
    {
        lcmaps_log(0,"%s: Wrong VOMS data format (in proxy ?) (failure)!\n", logstr);
        goto fail_voms;
    }
    else if (errNo == VERR_NODATA)
    {
        lcmaps_log(0,"%s: Empty VOMS extension (failure)!\n", logstr);
        goto fail_voms;
    }
    else if (errNo == VERR_PARSE)
    {
        lcmaps_log(0,"%s: VOMS parse error (failure)!\n", logstr);
        goto fail_voms;
    }
    else if (errNo == VERR_DIR)
    {
        lcmaps_log(0,"%s: VOMS directory error (failure)!\n", logstr);
        goto fail_voms;
    }
    else if (errNo == VERR_SIGN)
    {
        lcmaps_log(0,"%s: VOMS Signature error (failure)!\n", logstr);
        goto fail_voms;
    }
    else if (errNo == VERR_SERVER)
    {
        lcmaps_log(0,"%s: Unidentifiable VOMS server (failure)!\n", logstr);
        goto fail_voms;
    }
    else if (errNo == VERR_MEM)
    {
        lcmaps_log(0,"%s: Memory problems in VOMS_Retrieve() (failure)!\n", logstr);
        goto fail_voms;
    }
    else if (errNo == VERR_VERIFY)
    {
        lcmaps_log(0,"%s: Generic verification error for VOMS (failure)!\n", logstr);
        goto fail_voms;
    }
    else if (errNo == VERR_TYPE)
    {
        lcmaps_log(0,"%s: Returned VOMS data of unknown type (failure)!\n", logstr);
        goto fail_voms;
    }
    else
    {
        lcmaps_log(0,"%s: VOMS_Retrieve() error --> %d (failure)!\n", logstr, errNo);
        goto fail_voms;
    }
#endif

    /* succes */
 success_voms:
    if (px509_cred) X509_free(px509_cred);
    if (px509_chain) sk_X509_free(px509_chain);
    lcmaps_log_time(0,"%s: voms plugin succeeded\n", logstr);
    return LCMAPS_MOD_SUCCESS;

 fail_voms:
    if (px509_cred) X509_free(px509_cred);
    if (px509_chain) sk_X509_free(px509_chain);
    lcmaps_log_time(0,"%s: voms plugin failed\n", logstr);
    return LCMAPS_MOD_FAIL;
}

/******************************************************************************
Function:   plugin_terminate
Description:
    Terminate plugin
Parameters:

Returns:
    LCMAPS_MOD_SUCCESS : succes
    LCMAPS_MOD_FAIL    : failure
******************************************************************************/
int plugin_terminate()
{
    char * logstr = "\tlcmaps_plugin_voms-plugin_terminate()";
    lcmaps_log_debug(1,"%s: terminating\n", logstr);
    if (vomsdir) free(vomsdir);
    if (certdir) free(certdir);

    return LCMAPS_MOD_SUCCESS;
}

static void print_vomsdata(struct vomsdata *d)
{
    char * logstr = "\tlcmaps_plugin_voms-print_vomsdata()";
    struct voms **vo = d->data;
    struct voms *v;
    int k = 0;
    int j =0;
  
    while(vo[k])
    {
        v = vo[k++];
        lcmaps_log_debug(1,"%s: %d *******************************************\n", logstr,k);
        lcmaps_log_debug(1,"%s: SIGLEN: %d\n", logstr, v->siglen);
        lcmaps_log_a_string_debug(1, "\tlcmaps_plugin_voms-print_vomsdata(): USER:   %s\n", v->user);
        lcmaps_log_a_string_debug(1, "\tlcmaps_plugin_voms-print_vomsdata(): UCA:    %s\n", v->userca);
        lcmaps_log_a_string_debug(1, "\tlcmaps_plugin_voms-print_vomsdata(): SERVER: %s\n", v->server);
        lcmaps_log_a_string_debug(1, "\tlcmaps_plugin_voms-print_vomsdata(): SCA:    %s\n", v->serverca);
        lcmaps_log_a_string_debug(1, "\tlcmaps_plugin_voms-print_vomsdata(): VO:     %s\n", v->voname);
        lcmaps_log_a_string_debug(1, "\tlcmaps_plugin_voms-print_vomsdata(): URI:    %s\n", v->uri);
        lcmaps_log_a_string_debug(1, "\tlcmaps_plugin_voms-print_vomsdata(): DATE1:  %s\n", v->date1);
        lcmaps_log_a_string_debug(1, "\tlcmaps_plugin_voms-print_vomsdata(): DATE2:  %s\n", v->date2);

        switch (v->type)
        {
        case TYPE_NODATA:
            lcmaps_log_debug(1,"%s: NO DATA\n", logstr);
            break;
        case TYPE_CUSTOM:
            lcmaps_log_debug(1,"%s: VOMS custom type. Wont print.\n", logstr);
            break;
        case TYPE_STD:
            j = 0;
            if (v->fqan)
            {
                while ((v->fqan)[j] != NULL)
                {
                    lcmaps_log_a_string_debug(1,
                        "\tlcmaps_plugin_voms-print_vomsdata(): fqan:   %s\n",
                        (v->fqan)[j]);
                    j++;
                }
            }
            j = 0;
            if (v->std)
            {
                while (v->std[j])
                {
                    lcmaps_log_a_string_debug(1,
                        "\tlcmaps_plugin_voms-print_vomsdata(): GROUP:  %s\n", v->std[j]->group);
                    lcmaps_log_a_string_debug(1,
                        "\tlcmaps_plugin_voms-print_vomsdata(): ROLE:   %s\n", v->std[j]->role);
                    lcmaps_log_a_string_debug(1,
                        "\tlcmaps_plugin_voms-print_vomsdata(): CAP:    %s\n", v->std[j]->cap);
                    j++;
                }
            }
            break;
        }
        lcmaps_log_debug(1,"%s: %d *******************************************\n", logstr,k);
    }

    if (d->workvo)
    {
        lcmaps_log_a_string_debug(1,
            "\tlcmaps_plugin_voms-print_vomsdata(): WORKVO: %s\n", d->workvo);
    }

    if (d->extra_data)
    {
        lcmaps_log_a_string_debug(1,
            "\tlcmaps_plugin_voms-print_vomsdata(): EXTRA: %s\n", d->extra_data);
    }
}

/******************************************************************************
CVS Information:
    $Source: /cvs/jra1mw/org.glite.security.lcmaps-plugins-voms/src/voms/lcmaps_voms.c,v $
    $Date: 2005/02/27 01:30:42 $
    $Revision: 1.4 $
    $Author: msteenba $
******************************************************************************/

---