Commit b695fc09 authored by Aleksandr Konstantinov's avatar Aleksandr Konstantinov

Merge branch 'anonymous_info' into 'master'

Anonymous info

See merge request !977
parents 3aff0ae8 ee3911fd
Pipeline #7687 passed with stages
in 104 minutes and 50 seconds
......@@ -300,6 +300,7 @@
## plugin = timeout path [arg1 [arg2 [arg3...]]] - Run external executable or
## function from shared library. Rule is matched if plugin returns 0.
## Any other return code or timeout are treated as rule not matched.
## In arguments following substitutions are supported:
## - "%D" - subject of certicate
## - "%P" - path to proxy
......@@ -396,6 +397,9 @@
## name to which users that belogns to specified authgroup will be mapped to.
## A rule matches if the exit code is "0" and there is a UNIX account name
## printed on stdout (optionally followed by a UNIX group name separated by colon).
## The exit code 1 designates failed mapping. Any other code or timeout means fatal
## failure and will abort any further mapping processing. That will also cause
## rejection of corresponding connection.
## Plugin execution time is limited to "timeout" seconds.
##
## In the arguments the following substitutions are applied before the plugin is started:
......
......@@ -167,16 +167,16 @@ int main(int argc,char* argv[]) {
std::string subject;
std::string filename;
if(argc > 1) subject = argv[1];
if(subject.empty()) {
if(argc < 2) {
logger.msg(Arc::ERROR, "Missing subject name");
return -1;
};
if(argc > 2) filename = argv[2];
if(filename.empty()) {
subject = argv[1]; // subject can be empty for anonymous user
if(argc < 3) {
logger.msg(Arc::ERROR, "Missing path of credentials file");
return -1;
};
filename = argv[2]; // credentials are also not required
if(argc > 3) lcas_library = argv[3];
if(lcas_library.empty()) {
logger.msg(Arc::ERROR, "Missing name of LCAS library");
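Review bot: The new `subject = argv[1]; // subject can be empty for anonymous user` turns an empty subject into a legitimate input that is presumably handed on to the LCAS library later in main(), but nothing records that the anonymous path was taken, so an authorization decision made for an empty DN is indistinguishable in the log from one made for a real certificate subject. A single line after the assignment, `if(subject.empty()) logger.msg(Arc::INFO, "No subject given, treating request as anonymous");`, keeps the audit trail explicit; the same applies to the empty credentials path on the `filename = argv[2]` line and to the parallel hunk in the LCMAPS main() below. The third argument still uses the old `argc > 3` plus `.empty()` pattern while the first two now use `argc < N` guards; aligning them would make the argument contract easier to read. The remainder of main(), where these values are consumed, is outside the hunk.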
......
......@@ -182,16 +182,16 @@ int main(int argc,char* argv[]) {
std::string subject;
std::string filename;
if(argc > 1) subject = argv[1];
if(subject.empty()) {
if(argc < 2) {
logger.msg(Arc::ERROR, "Missing subject name");
return -1;
};
if(argc > 2) filename = argv[2];
if(filename.empty()) {
subject = argv[1]; // subject can be empty for anonymous user
if(argc < 3) {
logger.msg(Arc::ERROR, "Missing path of credentials file");
return -1;
};
filename = argv[2]; // credentials are also not required
if(argc > 3) lcmaps_library = argv[3];
if(lcmaps_library.empty()) {
logger.msg(Arc::ERROR, "Missing name of LCMAPS library");
......
......@@ -199,11 +199,18 @@ AuthResult UnixMap::map_mapplugin(const AuthUser& /* user */ ,unix_user_t& unix_
// Plugin should print user[:group] at stdout or nothing if no suitable mapping found
unix_user.name = stdout_channel;
split_unixname(unix_user.name,unix_user.group);
if(unix_user.name.empty()) return AAA_NO_MATCH; // success but no match
if(unix_user.name.empty()) { // success but no match
logger.msg(Arc::ERROR,"Plugin %s returned no username",args.front());
return AAA_NO_MATCH;
};
return AAA_POSITIVE_MATCH;
} else {
logger.msg(Arc::ERROR,"Plugin %s returned too much: %s",args.front(),stdout_channel);
};
} else if(run.Result() == 1) {
logger.msg(Arc::ERROR,"Plugin %s returned no mapping",args.front());
if(!stderr_channel.empty()) logger.msg(Arc::ERROR,"Plugin %s error: %s",args.front(),stderr_channel);
return AAA_NO_MATCH;
} else {
logger.msg(Arc::ERROR,"Plugin %s returned: %u",args.front(),run.Result());
};
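Review bot: The new branch `if(unix_user.name.empty()) { logger.msg(Arc::ERROR,"Plugin %s returned no username",args.front()); return AAA_NO_MATCH; }` logs at ERROR what the comment two lines above it describes as the normal "no suitable mapping found" outcome (exit code 0, nothing printed), so every non-matching rule in a multi-rule mapping chain now produces an ERROR entry and the genuine failures (`returned too much`, `returned: %u`) get buried among them. Arc::INFO or Arc::VERBOSE fits a no-match result; ERROR should stay reserved for the fall-through branches. The same consideration applies to the `run.Result() == 1` branch, which the updated arc.conf text in this commit defines as an ordinary failed mapping rather than a fatal error; echoing the plugin's stderr there is useful and can remain. map_mapplugin starts and ends outside the hunk.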
......
......@@ -435,16 +435,17 @@ Arc::MCC_Status ARexService::make_empty_response(Arc::Message& outmsg) {
return Arc::MCC_Status(Arc::STATUS_OK);
}
ARexConfigContext* ARexService::get_configuration(Arc::Message& inmsg) {
ARexConfigContext* config = NULL;
ARexGMConfig* ARexService::get_configuration(Arc::Message& inmsg) {
Arc::MessageContextElement* mcontext = (*inmsg.Context())["arex.gmconfig"];
if(mcontext) {
try {
config = dynamic_cast<ARexConfigContext*>(mcontext);
logger_.msg(Arc::DEBUG,"Using cached local account '%s'", config->User().Name());
ARexConfigContext* config = dynamic_cast<ARexConfigContext*>(mcontext);
if(config) {
logger_.msg(Arc::DEBUG,"Using cached local account '%s'", config->User().Name());
return config;
}
} catch(std::exception& e) { };
};
if(config) return config;
// TODO: do configuration detection
// TODO: do mapping to local unix name
std::string uname;
......@@ -534,16 +535,16 @@ ARexConfigContext* ARexService::get_configuration(Arc::Message& inmsg) {
};
// Create configuration for this user
config=new ARexConfigContext(config_,uname,grid_name,endpoint);
ARexConfigContext* config=new ARexConfigContext(config_,uname,grid_name,endpoint);
if(config) {
if(*config) {
inmsg.Context()->Add("arex.gmconfig",config);
} else {
delete config; config=NULL;
logger_.msg(Arc::ERROR, "Failed to acquire A-REX's configuration");
return config;
};
delete config; config=NULL;
logger_.msg(Arc::ERROR, "Failed to acquire A-REX's configuration");
};
return config;
return NULL;
}
static std::string GetPath(Arc::Message &inmsg,std::string &base) {
......@@ -672,7 +673,7 @@ Arc::MCC_Status ARexService::process(Arc::Message& inmsg,Arc::Message& outmsg) {
};
// Process grid-manager configuration if not done yet
ARexConfigContext* config = get_configuration(inmsg);
ARexGMConfig* config = get_configuration(inmsg);
if(!config) {
// Service is not operational except public information.
// But public information also has own authorization rules
......@@ -1031,6 +1032,9 @@ Arc::MCC_Status ARexService::HeadDelegation(Arc::Message& inmsg,Arc::Message& ou
}
Arc::MCC_Status ARexService::GetDelegation(Arc::Message& inmsg,Arc::Message& outmsg,ARexGMConfig& config,std::string const& id,std::string const& subpath) {
if(!&config) {
return make_http_fault(outmsg, HTTP_ERR_FORBIDDEN, "User is not identified");
};
if(!subpath.empty()) {
return make_http_fault(outmsg,500,"No additional path expected");
};
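Review bot: The guard `if(!&config)` added to GetDelegation tests the address of a reference parameter for null, which is undefined behaviour in C++: a reference can only be "null" if the caller already dereferenced a null pointer, and GCC at -O2 (-fdelete-null-pointer-checks) is permitted to drop the comparison entirely, so the `"User is not identified"` forbidden response may never be issued and an unidentified caller would proceed into the delegation handling. This case is reachable now that process() keeps going when get_configuration() returns NULL for public information. Make the parameter a pointer, `ARexGMConfig* config`, test `if(!config)` and dereference it where the body needs the object, or have the caller reject a null configuration before it forms the reference; the caller and the declaration in the header are outside this hunk and need the matching change, as do any sibling delegation handlers that use the same `!&config` check (HeadDelegation's body is not visible here).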
......
......@@ -16,7 +16,6 @@
namespace ARex {
class ARexGMConfig;
class ARexConfigContext;
class CountedResourceLock;
class CountedResource {
......@@ -78,7 +77,7 @@ class ARexService: public Arc::Service {
FileChunksList files_chunks_;
GMConfig config_;
GridManager* gm_;
ARexConfigContext* get_configuration(Arc::Message& inmsg);
ARexGMConfig* get_configuration(Arc::Message& inmsg);
// A-REX operations
AREXOP(CacheCheck);
......