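}
    /* Load the stored credential's metadata so the per-credential policies
     * (retrievers, renewers, ...) below can be consulted, and record whether
     * the connecting client is the owner. */
    if (credentials_exist) {
        if (myproxy_creds_retrieve(&creds) < 0) {
            verror_put_string("Unable to retrieve credential information");
            goto end;
        }
        if (strcmp(creds.owner_name, client_name) == 0) {
            client_owns_credentials = 1;
        }
    }

    switch (client_request->command_type) {
    case MYPROXY_RETRIEVE_CERT:
        myproxy_debug("applying authorized_key_retrievers policy");
        authorization_ok = myproxy_server_check_policy_list(
            (const char **)context->authorized_key_retrievers_dns, client_name);
        if (authorization_ok != 1) {
            verror_put_string("\"%s\" not authorized by server's authorized_key_retrievers policy",
                              client_name);
            goto end;
        }
        if (!credentials_exist) {
            /* Branches were swapped: the two-argument message must only be
             * used when credname is non-NULL, otherwise %s receives NULL. */
            if (client_request->credname) {
                verror_put_string("No credentials exist with username \"%s\" and credential name \"%s\".",
                                  client_request->username, client_request->credname);
            } else {
                verror_put_string("No credentials exist for username \"%s\".",
                                  client_request->username);
            }
            goto end;
        }
        /* per-credential key-retrieval policy wins over the server default */
        if (creds.keyretrieve) {
            authorization_ok = myproxy_server_check_policy(creds.keyretrieve, client_name);
            if (authorization_ok != 1) {
                verror_put_string("\"%s\" not authorized by credential's key retriever policy",
                                  client_name);
                goto end;
            }
        } else if (context->default_key_retrievers_dns) {
            authorization_ok = myproxy_server_check_policy_list(
                (const char **)context->default_key_retrievers_dns, client_name);
            if (authorization_ok != 1) {
                verror_put_string("\"%s\" not authorized by server's default_key_retrievers policy",
                                  client_name);
                goto end;
            }
        }
        /* fall through to MYPROXY_GET_PROXY */
    case MYPROXY_GET_PROXY:
        /* check trusted_retrievers: a match sets trusted_retriever, which
         * authenticate_client() treats as "already authenticated" */
        if (context->trusted_retriever_dns) {
            authorization_ok = myproxy_server_check_policy_list(
                (const char **)context->trusted_retriever_dns, client_name);
            if (authorization_ok == 1) {
                myproxy_debug("passed trusted_retrievers policy");
                /* check per-credential policy */
                if (creds.trusted_retrievers) {
                    authorization_ok = myproxy_server_check_policy(creds.trusted_retrievers,
                                                                  client_name);
                    if (authorization_ok == 1) {
                        myproxy_debug("passed per-credential trusted retrieval policy");
                        trusted_retriever = 1;
                        myproxy_log("trusted retrievers policy matched");
                    } else {
                        verror_put_string("failed per-credential trusted retrieval policy");
                    }
                } else if (context->default_trusted_retriever_dns) {
                    authorization_ok = myproxy_server_check_policy_list(
                        (const char **)context->default_trusted_retriever_dns, client_name);
                    if (authorization_ok == 1) {
                        myproxy_debug("passed default_trusted_retrievers policy");
                        trusted_retriever = 1;
                        myproxy_log("trusted retrievers policy matched");
                    } else {
                        verror_put_string("failed default_trusted_retrievers policy");
                    }
                }
            } else {
                verror_put_string("failed trusted_retrievers policy");
            }
        }

        /* -1: authentication failed, 0: succeeded, 1: certificate-based
         * (renewal) authentication succeeded */
        authorization_ok = authenticate_client(attrs, &creds, client_request,
                                               client_name, context, trusted_retriever);
        if (authorization_ok < 0) {
            goto end; /* authentication failed */
        } else if (authorization_ok == 1) {
            credential_renewal = 1;
        }

        if (!credential_renewal) {
            myproxy_debug("retrieval authorization");
            /* check server-wide policy */
            authorization_ok = myproxy_server_check_policy_list(
                (const char **)context->authorized_retriever_dns, client_name);
            if (authorization_ok != 1) {
                verror_put_string("\"%s\" not authorized by server's authorized_retrievers policy",
                                  client_name);
                goto end;
            }
            /* check per-credential policy */
            if (creds.retrievers) {
                authorization_ok = myproxy_server_check_policy(creds.retrievers, client_name);
                if (authorization_ok != 1) {
                    verror_put_string("\"%s\" not authorized by credential's retriever policy",
                                      client_name);
                    goto end;
                }
            } else if (context->default_retriever_dns) {
                authorization_ok = myproxy_server_check_policy_list(
                    (const char **)context->default_retriever_dns, client_name);
                if (authorization_ok != 1) {
                    verror_put_string("\"%s\" not authorized by server's default_retrievers policy",
                                      client_name);
                    goto end;
                }
            }
            break;
        } else {
            myproxy_debug("renewal authorization");
            /* check server-wide policy */
            authorization_ok = myproxy_server_check_policy_list(
                (const char **)context->authorized_renewer_dns, client_name);
            if (authorization_ok != 1) {
                verror_put_string("\"%s\" not authorized by server's authorized_renewers policy",
                                  client_name);
                goto end;
            }
            /* check per-credential policy */
            if (creds.renewers) {
                authorization_ok = myproxy_server_check_policy(creds.renewers, client_name);
                if (authorization_ok != 1) {
                    verror_put_string("\"%s\" not authorized by credential's renewer policy",
                                      client_name);
                    goto end;
                }
            } else if (context->default_renewer_dns) {
                authorization_ok = myproxy_server_check_policy_list(
                    (const char **)context->default_renewer_dns, client_name);
                if (authorization_ok != 1) {
                    /* client_name argument was missing here: the %s read an
                     * unspecified vararg (undefined behavior) */
                    verror_put_string("\"%s\" not authorized by server's default_renewers policy",
                                      client_name);
                    goto end;
                }
            }
            break;
        }
        break;

    case MYPROXY_PUT_PROXY:
    case MYPROXY_STORE_CERT:
    case MYPROXY_DESTROY_PROXY:
        /* Is this client authorized to store credentials here? */
        authorization_ok = myproxy_server_check_policy_list(
            (const char **)context->accepted_credential_dns, client_name);
        if (authorization_ok != 1) {
            verror_put_string("\"%s\" not authorized to store credentials on this server (accepted_credentials policy)",
                              client_name);
            goto end;
        }
        /* An existing credential may only be replaced or destroyed by its owner. */
        if (credentials_exist == 1) {
            if (!client_owns_credentials) {
                if ((client_request->command_type == MYPROXY_PUT_PROXY) ||
                    (client_request->command_type == MYPROXY_STORE_CERT)) {
                    verror_put_string("Username and credential name in use by someone else.");
                } else {
                    verror_put_string("Credentials owned by someone else.");
                }
                goto end;
            }
        }
        break;

    case MYPROXY_INFO_PROXY:
        /* Authorization checking done inside the processing of the INFO
         * request, since there may be multiple credentials stored under
         * this username. */
        authorization_ok = 1;
        break;

    case MYPROXY_CHANGE_CRED_PASSPHRASE:
        if (!client_owns_credentials) {
            verror_put_string("'%s' does not own the credentials", client_name);
            goto end;
        }
        /* 1: passphrase accepted, 0: rejected, -1: error (caught below) */
        authorization_ok = verify_passphrase(&creds, client_request, client_name, context);
        if (!authorization_ok) {
            verror_put_string("invalid pass phrase");
            goto end;
        }
        break;

    default:
        verror_put_string("unknown command");
        goto end;
    }

    if (authorization_ok == -1) {
        verror_put_string("Error checking authorization");
        goto end;
    }
    if (authorization_ok != 1) {
        verror_put_string("Authorization failed");
        goto end;
    }
    return_status = 0;

end:
    /* Scrub the stored passphrase before the contents are released.
     * NOTE(review): plain memset before free may be elided by the compiler;
     * an explicit_bzero-style primitive would be stronger if available. */
    if (creds.passphrase) {
        memset(creds.passphrase, 0, strlen(creds.passphrase));
    }
    myproxy_creds_free_contents(&creds);
    return return_status;
}

/*
 * Run one authorization round-trip with the client: offer `methods`, read the
 * client's reply (first byte selects the method, the rest is method-specific
 * data), copy that data into `auth_data`, run the SASL negotiation when built
 * with libsasl2, and finally evaluate it with authorization_check_ex().
 *
 * Ownership: `auth_data->server_data` and `auth_data->client_data` are
 * replaced with fresh heap copies that the caller must release
 * (authorization_data_free_contents()).
 *
 * Returns 0 when authorization_check_ex() reports 1, -1 otherwise.
 */
static int
do_authz_handshake(myproxy_socket_attrs_t *attrs,
                   struct myproxy_creds *creds,
                   myproxy_request_t *client_request,
                   char *client_name,
                   myproxy_server_context_t* config,
                   author_method_t methods[],
                   authorization_data_t *auth_data)
{
    myproxy_response_t server_response = {0};
    char *client_buffer = NULL;
    int client_length = 0;
    int return_status = -1;
    authorization_data_t *client_auth_data = NULL;
    author_method_t client_auth_method;

    assert(auth_data != NULL);
    memset(&server_response, 0, sizeof(server_response));

    myproxy_debug("sending MYPROXY_AUTHORIZATION_RESPONSE");
    authorization_init_server(&server_response.authorization_data, methods);
    server_response.response_type = MYPROXY_AUTHORIZATION_RESPONSE;
    send_response(attrs, &server_response, client_name);

    /* Wait for client's response. Its first four bytes are supposed to
     * contain a specification of the method that the client chose for
     * authorization. */
    client_length = myproxy_recv_ex(attrs, &client_buffer);
    if (client_length <= 0) {
        goto end;
    }
    /* Without this check `client_length - sizeof(client_auth_method)` below
     * wraps to a huge size_t when the reply is shorter than the method field. */
    if ((size_t)client_length < sizeof(client_auth_method)) {
        verror_put_string("authorization response too short");
        goto end;
    }

    client_auth_method = (author_method_t)(*client_buffer);
    /* The method index comes from the network; bound it before it is used to
     * look anything up. Offered methods are always in [0, NUMMETHODS). */
    if ((int)client_auth_method < 0 ||
        (int)client_auth_method >= AUTHORIZETYPE_NUMMETHODS) {
        verror_put_string("client chose an unknown authorization method");
        goto end;
    }
    myproxy_debug("client chose %s", authorization_get_name(client_auth_method));

    /* fill in the client's response and return pointer to filled data
     * (points into server_response.authorization_data, released at end) */
    client_auth_data = authorization_store_response(
        client_buffer + sizeof(client_auth_method),
        client_length - sizeof(client_auth_method),
        client_auth_method,
        server_response.authorization_data);
    if (client_auth_data == NULL) {
        goto end;
    }

    free(auth_data->server_data);
    auth_data->server_data = strdup(client_auth_data->server_data);
    if (auth_data->server_data == NULL) {
        verror_put_string("strdup() failed");
        verror_put_errno(errno);
        goto end;
    }

    free(auth_data->client_data);
    auth_data->client_data = malloc(client_auth_data->client_data_len);
    if (auth_data->client_data == NULL) {
        verror_put_string("malloc() failed");
        verror_put_errno(errno);
        goto end;
    }
    memcpy(auth_data->client_data, client_auth_data->client_data,
           client_auth_data->client_data_len);
    auth_data->client_data_len = client_auth_data->client_data_len;
    auth_data->method = client_auth_data->method;

#if defined(HAVE_LIBSASL2)
    if (auth_data->method == AUTHORIZETYPE_SASL) {
        if (auth_sasl_negotiate_server(attrs, client_request) < 0) {
            verror_put_string("SASL authentication failed");
            goto end;
        }
    }
#endif

    if (authorization_check_ex(auth_data, creds, client_name, config) == 1) {
        return_status = 0;
    }

end:
    authorization_data_free(server_response.authorization_data);
    /* The raw reply may carry a passphrase; scrub it before releasing. */
    if (client_buffer != NULL && client_length > 0) {
        memset(client_buffer, 0, (size_t)client_length);
    }
    free(client_buffer);
    return return_status;
}

/*
 * Check the passphrase carried in the request against the stored credential
 * via authorization_check_ex() using the AUTHORIZETYPE_PASSWD method.
 *
 * Returns the authorization_check_ex() result (1 accepted); 0 when the
 * request carries no passphrase, -1 when the working copy cannot be allocated.
 */
static int
verify_passphrase(struct myproxy_creds *creds,
                  myproxy_request_t *client_request,
                  char *client_name,
                  myproxy_server_context_t* config)
{
    authorization_data_t auth_data = { 0 };
    int return_status = -1;

    /* No passphrase at all is a failed check, not a strlen(NULL) crash. */
    if (client_request->passphrase == NULL) {
        return 0;
    }

    auth_data.server_data = NULL;
    auth_data.client_data_len = strlen(client_request->passphrase) + 1;
    auth_data.client_data = strdup(client_request->passphrase);
    if (auth_data.client_data == NULL) {
        verror_put_string("strdup() failed");
        verror_put_errno(errno);
        return -1;
    }
    auth_data.method = AUTHORIZETYPE_PASSWD;

    return_status = authorization_check_ex(&auth_data, creds, client_name, config);

    /* Scrub the passphrase copy before it goes back to the allocator
     * (same pattern the file uses for creds.passphrase). */
    memset(auth_data.client_data, 0, auth_data.client_data_len);
    free(auth_data.client_data);
    return return_status;
}

/*
 * Authenticate the client against the per-method status table returned by
 * authorization_get_status():
 *   1. every AUTHORIZEMETHOD_REQUIRED method must succeed (password is
 *      checked from the request, all others via do_authz_handshake());
 *   2. if nothing succeeded yet, a passphrase already present in the request
 *      is tried when password auth is AUTHORIZEMETHOD_SUFFICIENT;
 *   3. if still nothing, the remaining SUFFICIENT methods are offered in one
 *      handshake and the client picks one.
 *
 * `already_authenticated` seeds the success count, so a non-zero value skips
 * the sufficient-method steps while required methods are still enforced.
 *
 * Returns -1 if authentication failed, 0 if authentication succeeded,
 * 1 if certificate-based (renewal) authentication succeeded.
 */
static int
authenticate_client(myproxy_socket_attrs_t *attrs,
                    struct myproxy_creds *creds,
                    myproxy_request_t *client_request,
                    char *client_name,
                    myproxy_server_context_t* config,
                    int already_authenticated)
{
    int return_status = -1, authcnt, certauth = 0;
    int i, j;
    author_method_t methods[AUTHORIZETYPE_NUMMETHODS] = { 0 };
    author_status_t status[AUTHORIZETYPE_NUMMETHODS] = { 0 };
    authorization_data_t auth_data = { 0 };

    authcnt = already_authenticated; /* if already authenticated, just do required methods */

    for (i = 0; i < AUTHORIZETYPE_NUMMETHODS; i++) {
        status[i] = authorization_get_status(i, creds, client_name, config);
    }

    /* First, check any required methods. */
    for (i = 0; i < AUTHORIZETYPE_NUMMETHODS; i++) {
        if (status[i] != AUTHORIZEMETHOD_REQUIRED) {
            continue;
        }
        /* password is a special case for now. don't send password challenges. */
        if (i == AUTHORIZETYPE_PASSWD) {
            if (verify_passphrase(creds, client_request, client_name, config) != 1) {
                verror_put_string("invalid pass phrase");
                goto end;
            }
            authcnt++;
        } else {
            /* offer exactly this one method */
            methods[0] = i;
            if (do_authz_handshake(attrs, creds, client_request, client_name,
                                   config, methods, &auth_data) < 0) {
                verror_put_string("authentication failed");
                goto end;
            }
            if (i == AUTHORIZETYPE_CERT) {
                certauth = 1;
            }
            authcnt++;
        }
    }

    /* if none required, try sufficient */
    if (authcnt == 0) {
        /* if we already have a password, try it now */
        if (status[AUTHORIZETYPE_PASSWD] == AUTHORIZEMETHOD_SUFFICIENT &&
            client_request->passphrase &&
            client_request->passphrase[0] != '\0') {
            if (verify_passphrase(creds, client_request, client_name, config) == 1) {
                authcnt++;
            }
        }
    }

    if (authcnt == 0) {
        /* offer every remaining sufficient method at once; the client picks */
        for (i = 0, j = 0; i < AUTHORIZETYPE_NUMMETHODS; i++) {
            if (status[i] == AUTHORIZEMETHOD_SUFFICIENT && i != AUTHORIZETYPE_PASSWD) {
                methods[j++] = i;
            }
        }
        if (j > 0) {
            if (do_authz_handshake(attrs, creds, client_request, client_name,
                                   config, methods, &auth_data) < 0) {
                verror_put_string("authentication failed");
                goto end;
            }
            /* auth_data.method is whatever the client chose; presumably
             * authorization_store_response() rejects a method that was not
             * offered — verify there, this function does not re-check it. */
            if (auth_data.method == AUTHORIZETYPE_CERT) {
                certauth = 1;
            }
            authcnt++;
        }
    }

    if (certauth) {
        return_status = 1;
    } else if (authcnt) {
        return_status = 0;
    }

end:
    authorization_data_free_contents(&auth_data);
    return return_status;
}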