irods  4.2.8
About: iRODS (the integrated Rule Oriented Data System) is a distributed data-management system for creating data grids, digital libraries, persistent archives, and real-time data systems.
  Fossies Dox: irods-4.2.8.tar.gz  ("unofficial" and yet experimental doxygen-generated source code documentation)  
libosauth.cpp
Go to the documentation of this file.
1 // =-=-=-=-=-=-=-
2 // irods includes
3 #include "rodsDef.h"
4 #include "osauth.h"
5 #include "msParam.h"
6 #include "rcConnect.h"
7 #include "authRequest.h"
8 #include "authResponse.h"
9 #include "authCheck.h"
10 #include "miscServerFunct.hpp"
11 #include "authPluginRequest.h"
12 #include "authenticate.h"
13 #include "rsAuthCheck.hpp"
14 #include "rsAuthRequest.hpp"
15 
16 // =-=-=-=-=-=-=-
17 #include "irods_auth_plugin.hpp"
18 #include "irods_auth_constants.hpp"
19 #include "irods_osauth_auth_object.hpp"
20 #include "irods_stacktrace.hpp"
21 #include "irods_kvp_string_parser.hpp"
22 
23 // =-=-=-=-=-=-=-
24 // stl includes
25 #include <sstream>
26 #include <string>
27 #include <iostream>
28 #include <termios.h>
29 #include <unistd.h>
30 #include <openssl/md5.h>
31 
32 // =-=-=-=-=-=-=-
33 // local includes
34 #include "osauth.h"
35 
36 int get64RandomBytes( char *buf );
37 void setSessionSignatureClientside( char* _sig );
38 void _rsSetAuthRequestGetChallenge( const char* _c );
39 static
40 int check_proxy_user_privileges(
41  rsComm_t *rsComm,
42  int proxyUserPriv ) {
43  if ( strcmp( rsComm->proxyUser.userName, rsComm->clientUser.userName )
44  == 0 ) {
45  return 0;
46  }
47 
48  /* remote privileged user can only do things on behalf of users from
49  * the same zone */
50  if ( proxyUserPriv >= LOCAL_PRIV_USER_AUTH ||
51  ( proxyUserPriv >= REMOTE_PRIV_USER_AUTH &&
52  strcmp( rsComm->proxyUser.rodsZone, rsComm->clientUser.rodsZone ) == 0 ) ) {
53  return 0;
54  }
55  else {
56  rodsLog( LOG_ERROR,
57  "rsAuthResponse: proxyuser %s with %d no priv to auth clientUser %s",
58  rsComm->proxyUser.userName,
59  proxyUserPriv,
60  rsComm->clientUser.userName );
61  return SYS_PROXYUSER_NO_PRIV;
62  }
63 }
64 
65 // =-=-=-=-=-=-=-
66 // NOTE:: this needs to become a property
67 // Set requireServerAuth to 1 to fail authentications from
68 // un-authenticated Servers (for example, if the LocalZoneSID
69 // is not set)
70 #ifdef RODS_SERVER
71 const int requireServerAuth = 0;
72 #endif
73 
74 // =-=-=-=-=-=-=-
75 // given the client connection and context string, set up the
76 // native auth object with relevant information: user, zone, etc
77 irods::error osauth_auth_client_start(
78  irods::plugin_context& _ctx,
79  rcComm_t* _comm,
80  const char* ) {
81  // =-=-=-=-=-=-=-
82  // validate incoming parameters
83  if ( !_ctx.valid< irods::osauth_auth_object >().ok() ) {
84  return ERROR(
85  SYS_INVALID_INPUT_PARAM,
86  "invalid plugin context" );
87 
88  }
89  else if ( !_comm ) {
90  return ERROR(
91  SYS_INVALID_INPUT_PARAM,
92  "null rcConn_t ptr" );
93 
94  }
95 
96  // =-=-=-=-=-=-=-
97  // get the native auth object
98  irods::osauth_auth_object_ptr ptr = boost::dynamic_pointer_cast <
99  irods::osauth_auth_object > (
100  _ctx.fco() );
101  // =-=-=-=-=-=-=-
102  // set the user name from the conn
103  ptr->user_name( _comm->proxyUser.userName );
104 
105  // =-=-=-=-=-=-=-
106  // set the zone name from the conn
107  ptr->zone_name( _comm->proxyUser.rodsZone );
108 
109  return SUCCESS();
110 
111 } // osauth_auth_client_start
112 
113 // =-=-=-=-=-=-=-
114 // establish context - take the auth request results and massage them
115 // for the auth response call
116 irods::error osauth_auth_establish_context(
117  irods::plugin_context& _ctx ) {
118  // =-=-=-=-=-=-=-
119  // validate incoming parameters
120  if ( !_ctx.valid< irods::osauth_auth_object >().ok() ) {
121  return ERROR(
122  SYS_INVALID_INPUT_PARAM,
123  "invalid plugin context" );
124 
125  }
126 
127  // =-=-=-=-=-=-=-
128  // build a buffer for the challenge hash
129  char md5_buf[ CHALLENGE_LEN + MAX_PASSWORD_LEN + 2 ];
130  memset(
131  md5_buf,
132  0,
133  sizeof( md5_buf ) );
134 
135  // =-=-=-=-=-=-=-
136  // get the native auth object
137  irods::osauth_auth_object_ptr ptr = boost::dynamic_pointer_cast <
138  irods::osauth_auth_object > (
139  _ctx.fco() );
140  // =-=-=-=-=-=-=-
141  // copy the challenge into the md5 buffer
142  strncpy(
143  md5_buf,
144  ptr->request_result().c_str(),
145  CHALLENGE_LEN );
146 
147  // =-=-=-=-=-=-=-
148  // Save a representation of some of the challenge string for use
149  // as a session signature
150  setSessionSignatureClientside( md5_buf );
151 
152  // =-=-=-=-=-=-=-
153  // determine if a password challenge is needed,
154  // are we anonymous or not?
155  int need_password = 0;
156  if ( strncmp(
157  ANONYMOUS_USER,
158  ptr->user_name().c_str(),
159  NAME_LEN ) == 0 ) {
160  // =-=-=-=-=-=-=-
161  // its an anonymous user - set the flag
162  md5_buf[CHALLENGE_LEN + 1] = '\0';
163  need_password = 0;
164 
165  }
166  else {
167  // =-=-=-=-=-=-=-
168  // do os authentication
169  need_password = osauthGetAuth(
170  const_cast< char* >( ptr->request_result().c_str() ),
171  const_cast< char* >( ptr->user_name().c_str() ),
172  md5_buf + CHALLENGE_LEN,
173  MAX_PASSWORD_LEN );
174  }
175 
176  // =-=-=-=-=-=-=-
177  // prompt for a password if necessary
178  if ( 0 != need_password ) {
179 #ifdef WIN32
180  HANDLE hStdin = GetStdHandle( STD_INPUT_HANDLE );
181  DWORD mode;
182  GetConsoleMode( hStdin, &mode );
183  DWORD lastMode = mode;
184  mode &= ~ENABLE_ECHO_INPUT;
185  BOOL error = !SetConsoleMode( hStdin, mode );
186  int errsv = -1;
187 #else
188  struct termios tty;
189  tcgetattr( STDIN_FILENO, &tty );
190  tcflag_t oldflag = tty.c_lflag;
191  tty.c_lflag &= ~ECHO;
192  int error = tcsetattr( STDIN_FILENO, TCSANOW, &tty );
193  int errsv = errno;
194 #endif
195  if ( error ) {
196  printf( "WARNING: Error %d disabling echo mode. Password will be displayed in plaintext.", errsv );
197  }
198  printf( "Enter your current iRODS password:" );
199  std::string password = "";
200  getline( std::cin, password );
201  strncpy( md5_buf + CHALLENGE_LEN, password.c_str(), MAX_PASSWORD_LEN );
202 #ifdef WIN32
203  if ( !SetConsoleMode( hStdin, lastMode ) ) {
204  printf( "Error reinstating echo mode." );
205  }
206 #else
207  tty.c_lflag = oldflag;
208  if ( tcsetattr( STDIN_FILENO, TCSANOW, &tty ) ) {
209  printf( "Error reinstating echo mode." );
210  }
211 #endif
212  } // if need_password
213 
214  // =-=-=-=-=-=-=-
215  // create a md5 hash of the challenge
216  MD5_CTX context;
217  MD5_Init( &context );
218  MD5_Update(
219  &context,
220  ( unsigned char* )md5_buf,
221  CHALLENGE_LEN + MAX_PASSWORD_LEN );
222 
223  char digest[ RESPONSE_LEN + 2 ];
224  MD5_Final( ( unsigned char* )digest, &context );
225 
226  // =-=-=-=-=-=-=-
227  // make sure 'string' doesn't end early -
228  // scrub out any errant terminating chars
229  // by incrementing their value by one
230  for ( int i = 0; i < RESPONSE_LEN; ++i ) {
231  if ( digest[ i ] == '\0' ) {
232  digest[ i ]++;
233  }
234  }
235 
236  // =-=-=-=-=-=-=-
237  // cache the digest for the response
238  ptr->digest( digest );
239 
240  return SUCCESS();
241 
242 } // osauth_auth_establish_context
243 
244 // =-=-=-=-=-=-=-
245 // handle a client-side auth request call
246 irods::error osauth_auth_client_request(
247  irods::plugin_context& _ctx,
248  rcComm_t* _comm ) {
249  // =-=-=-=-=-=-=-
250  // validate incoming parameters
251  if ( !_ctx.valid< irods::osauth_auth_object >().ok() ) {
252  return ERROR(
253  SYS_INVALID_INPUT_PARAM,
254  "invalid plugin context" );
255  }
256 
257  // =-=-=-=-=-=-=-
258  // copy the auth scheme to the req in struct
259  authPluginReqInp_t req_in;
260  strncpy(
261  req_in.auth_scheme_,
262  irods::AUTH_OSAUTH_SCHEME.c_str(),
263  irods::AUTH_OSAUTH_SCHEME.size() + 1 );
264 
265  // =-=-=-=-=-=-=-
266  // make the call to our auth request
267  authPluginReqOut_t* req_out = 0;
268  int status = rcAuthPluginRequest(
269  _comm,
270  &req_in,
271  &req_out );
272  if ( status < 0 ) {
273  free( req_out );
274  return ERROR(
275  status,
276  "call to rcAuthRequest failed." );
277 
278  }
279  else {
280  // =-=-=-=-=-=-=-
281  // get the auth object
282  irods::osauth_auth_object_ptr ptr = boost::dynamic_pointer_cast <
283  irods::osauth_auth_object > ( _ctx.fco() );
284  // =-=-=-=-=-=-=-
285  // cache the challenge
286  ptr->request_result( req_out->result_ );
287  free( req_out );
288  return SUCCESS();
289 
290  }
291 
292 } // osauth_auth_client_request
293 
294 #ifdef RODS_SERVER
295 // =-=-=-=-=-=-=-
296 // handle an agent-side auth request call
297 irods::error osauth_auth_agent_request(
298  irods::plugin_context& _ctx ) {
299 
300  // =-=-=-=-=-=-=-
301  // validate incoming parameters
302  if ( !_ctx.valid< irods::osauth_auth_object >().ok() ) {
303  return ERROR( SYS_INVALID_INPUT_PARAM, "invalid plugin context" );
304  }
305 
306  // =-=-=-=-=-=-=-
307  // generate a random buffer and copy it to the challenge
308  char buf[ CHALLENGE_LEN + 2 ];
309  get64RandomBytes( buf );
310 
311  // =-=-=-=-=-=-=-
312  // get the auth object
313  irods::osauth_auth_object_ptr ptr = boost::dynamic_pointer_cast <
314  irods::osauth_auth_object > ( _ctx.fco() );
315  // =-=-=-=-=-=-=-
316  // cache the challenge
317  ptr->request_result( buf );
318 
319  // =-=-=-=-=-=-=-
320  // cache the challenge in the server for later usage
321  _rsSetAuthRequestGetChallenge( buf );
322 
323  if ( _ctx.comm()->auth_scheme != NULL ) {
324  free( _ctx.comm()->auth_scheme );
325  }
326  _ctx.comm()->auth_scheme = strdup( irods::AUTH_OSAUTH_SCHEME.c_str() );
327 
328  // =-=-=-=-=-=-=-
329  // win!
330  return SUCCESS();
331 
332 } // osauth_auth_agent_request
333 #endif
334 
335 // =-=-=-=-=-=-=-
336 // handle a client-side auth request call
337 irods::error osauth_auth_client_response(
338  irods::plugin_context& _ctx,
339  rcComm_t* _comm ) {
340  // =-=-=-=-=-=-=-
341  // validate incoming parameters
342  if ( !_ctx.valid< irods::osauth_auth_object >().ok() ) {
343  return ERROR(
344  SYS_INVALID_INPUT_PARAM,
345  "invalid plugin context" );
346  }
347  else if ( !_comm ) {
348  return ERROR(
349  SYS_INVALID_INPUT_PARAM,
350  "null rcComm_t ptr" );
351  }
352 
353  // =-=-=-=-=-=-=-
354  // get the auth object
355  irods::osauth_auth_object_ptr ptr = boost::dynamic_pointer_cast <
356  irods::osauth_auth_object > (
357  _ctx.fco() );
358  char response[ RESPONSE_LEN + 2 ];
359  snprintf(
360  response,
361  RESPONSE_LEN + 2,
362  "%s",
363  ptr->digest().c_str() );
364 
365  // =-=-=-=-=-=-=-
366  // build the username#zonename string
367  std::string user_name = ptr->user_name() +
368  "#" +
369  ptr->zone_name();
370  char username[ MAX_NAME_LEN ];
371  snprintf(
372  username,
373  MAX_NAME_LEN,
374  "%s",
375  user_name.c_str() );
376 
377  authResponseInp_t auth_response;
378  auth_response.response = response;
379  auth_response.username = username;
380  int status = rcAuthResponse(
381  _comm,
382  &auth_response );
383  if ( status < 0 ) {
384  return ERROR(
385  status,
386  "call to rcAuthResponse failed." );
387  }
388  else {
389  return SUCCESS();
390 
391  }
392 
393 } // osauth_auth_client_response
394 
395 #ifdef RODS_SERVER
396 // =-=-=-=-=-=-=-
397 // handle an agent-side auth request call
398 irods::error osauth_auth_agent_response(
399  irods::plugin_context& _ctx,
400  authResponseInp_t* _resp ) {
401  // =-=-=-=-=-=-=-
402  // validate incoming parameters
403  if ( !_ctx.valid().ok() ) {
404  return ERROR(
405  SYS_INVALID_INPUT_PARAM,
406  "invalid plugin context" );
407  }
408  else if ( !_resp ) {
409  return ERROR(
410  SYS_INVALID_INPUT_PARAM,
411  "null authResponseInp_t ptr" );
412  }
413 
414  int status;
415  char *bufp;
416  authCheckInp_t authCheckInp;
417  rodsServerHost_t *rodsServerHost;
418 
419  char digest[RESPONSE_LEN + 2];
420  char md5Buf[CHALLENGE_LEN + MAX_PASSWORD_LEN + 2];
421  char serverId[MAX_PASSWORD_LEN + 2];
422  MD5_CTX context;
423 
424  bufp = _rsAuthRequestGetChallenge();
425 
426  // =-=-=-=-=-=-=-
427  // need to do NoLogin because it could get into inf loop for cross
428  // zone auth
429  status = getAndConnRcatHostNoLogin(
430  _ctx.comm(),
431  MASTER_RCAT,
432  _ctx.comm()->proxyUser.rodsZone,
433  &rodsServerHost );
434  if ( status < 0 ) {
435  return ERROR(
436  status,
437  "getAndConnRcatHostNoLogin failed" );
438  }
439 
440  memset( &authCheckInp, 0, sizeof( authCheckInp ) );
441  authCheckInp.challenge = bufp;
442  authCheckInp.username = _resp->username;
443 
444  std::string resp_str = irods::AUTH_SCHEME_KEY +
445  irods::kvp_association() +
446  irods::AUTH_OSAUTH_SCHEME +
447  irods::kvp_delimiter() +
448  irods::AUTH_RESPONSE_KEY +
449  irods::kvp_association() +
450  _resp->response;
451  authCheckInp.response = const_cast<char*>( resp_str.c_str() );
452 
453  authCheckOut_t *authCheckOut = NULL;
454  if ( rodsServerHost->localFlag == LOCAL_HOST ) {
455  status = rsAuthCheck( _ctx.comm(), &authCheckInp, &authCheckOut );
456  }
457  else {
458  status = rcAuthCheck( rodsServerHost->conn, &authCheckInp, &authCheckOut );
459  /* not likely we need this connection again */
460  rcDisconnect( rodsServerHost->conn );
461  rodsServerHost->conn = NULL;
462  }
463  if ( status < 0 || authCheckOut == NULL ) { // JMC cppcheck
464  if ( authCheckOut != NULL ) {
465  free( authCheckOut->serverResponse );
466  }
467  free( authCheckOut );
468  return ERROR(
469  status,
470  "rxAuthCheck failed" );
471  }
472 
473  if ( rodsServerHost->localFlag != LOCAL_HOST ) {
474  if ( authCheckOut->serverResponse == NULL ) {
475  rodsLog( LOG_NOTICE, "Warning, cannot authenticate remote server, no serverResponse field" );
476  if ( requireServerAuth ) {
477  free( authCheckOut );
478  return ERROR(
479  REMOTE_SERVER_AUTH_NOT_PROVIDED,
480  "Authentication disallowed, no serverResponse field" );
481  }
482  }
483  else {
484  char *cp;
485  int OK, len, i;
486  if ( *authCheckOut->serverResponse == '\0' ) {
487  rodsLog( LOG_NOTICE, "Warning, cannot authenticate remote server, serverResponse field is empty" );
488  if ( requireServerAuth ) {
489  free( authCheckOut->serverResponse );
490  free( authCheckOut );
491  return ERROR(
492  REMOTE_SERVER_AUTH_EMPTY,
493  "Authentication disallowed, empty serverResponse" );
494  }
495  }
496  else {
497  char username2[NAME_LEN + 2];
498  char userZone[NAME_LEN + 2];
499  memset( md5Buf, 0, sizeof( md5Buf ) );
500  strncpy( md5Buf, authCheckInp.challenge, CHALLENGE_LEN );
501  parseUserName( _resp->username, username2, userZone );
502  getZoneServerId( userZone, serverId );
503  len = strlen( serverId );
504  if ( len <= 0 ) {
505  rodsLog( LOG_NOTICE, "rsAuthResponse: Warning, cannot authenticate the remote server, no RemoteZoneSID defined in server_config.json", status );
506  if ( requireServerAuth ) {
507  free( authCheckOut->serverResponse );
508  free( authCheckOut );
509  return ERROR(
510  REMOTE_SERVER_SID_NOT_DEFINED,
511  "Authentication disallowed, no RemoteZoneSID defined" );
512  }
513  }
514  else {
515  strncpy( md5Buf + CHALLENGE_LEN, serverId, len );
516  MD5_Init( &context );
517  MD5_Update( &context, ( unsigned char* )md5Buf,
518  CHALLENGE_LEN + MAX_PASSWORD_LEN );
519  MD5_Final( ( unsigned char* )digest, &context );
520  for ( i = 0; i < RESPONSE_LEN; i++ ) {
521  if ( digest[i] == '\0' ) {
522  digest[i]++;
523  } /* make sure 'string' doesn't
524  end early*/
525  }
526  cp = authCheckOut->serverResponse;
527  OK = 1;
528  for ( i = 0; i < RESPONSE_LEN; i++ ) {
529  if ( *cp++ != digest[i] ) {
530  OK = 0;
531  }
532  }
533  rodsLog( LOG_DEBUG, "serverResponse is OK/Not: %d", OK );
534  if ( OK == 0 ) {
535  free( authCheckOut->serverResponse );
536  free( authCheckOut );
537  return ERROR(
538  REMOTE_SERVER_AUTHENTICATION_FAILURE,
539  "Server response incorrect, authentication disallowed" );
540  }
541  }
542  }
543  }
544  }
545 
546  /* Set the clientUser zone if it is null. */
547  if ( strlen( _ctx.comm()->clientUser.rodsZone ) == 0 ) {
548  zoneInfo_t *tmpZoneInfo;
549  status = getLocalZoneInfo( &tmpZoneInfo );
550  if ( status < 0 ) {
551  free( authCheckOut->serverResponse );
552  free( authCheckOut );
553  return ERROR(
554  status,
555  "getLocalZoneInfo failed" );
556  }
557  strncpy( _ctx.comm()->clientUser.rodsZone,
558  tmpZoneInfo->zoneName, NAME_LEN );
559  }
560 
561 
562  /* have to modify privLevel if the icat is a foreign icat because
563  * a local user in a foreign zone is not a local user in this zone
564  * and vice versa for a remote user
565  */
566  if ( rodsServerHost->rcatEnabled == REMOTE_ICAT ) {
567  /* proxy is easy because rodsServerHost is based on proxy user */
568  if ( authCheckOut->privLevel == LOCAL_PRIV_USER_AUTH ) {
569  authCheckOut->privLevel = REMOTE_PRIV_USER_AUTH;
570  }
571  else if ( authCheckOut->privLevel == LOCAL_USER_AUTH ) {
572  authCheckOut->privLevel = REMOTE_USER_AUTH;
573  }
574 
575  /* adjust client user */
576  if ( strcmp( _ctx.comm()->proxyUser.userName, _ctx.comm()->clientUser.userName )
577  == 0 ) {
578  authCheckOut->clientPrivLevel = authCheckOut->privLevel;
579  }
580  else {
581  zoneInfo_t *tmpZoneInfo;
582  status = getLocalZoneInfo( &tmpZoneInfo );
583  if ( status < 0 ) {
584  free( authCheckOut->serverResponse );
585  free( authCheckOut );
586  return ERROR(
587  status,
588  "getLocalZoneInfo failed" );
589  }
590 
591  if ( strcmp( tmpZoneInfo->zoneName, _ctx.comm()->clientUser.rodsZone )
592  == 0 ) {
593  /* client is from local zone */
594  if ( authCheckOut->clientPrivLevel == REMOTE_PRIV_USER_AUTH ) {
595  authCheckOut->clientPrivLevel = LOCAL_PRIV_USER_AUTH;
596  }
597  else if ( authCheckOut->clientPrivLevel == REMOTE_USER_AUTH ) {
598  authCheckOut->clientPrivLevel = LOCAL_USER_AUTH;
599  }
600  }
601  else {
602  /* client is from remote zone */
603  if ( authCheckOut->clientPrivLevel == LOCAL_PRIV_USER_AUTH ) {
604  authCheckOut->clientPrivLevel = REMOTE_USER_AUTH;
605  }
606  else if ( authCheckOut->clientPrivLevel == LOCAL_USER_AUTH ) {
607  authCheckOut->clientPrivLevel = REMOTE_USER_AUTH;
608  }
609  }
610  }
611  }
612  else if ( strcmp( _ctx.comm()->proxyUser.userName, _ctx.comm()->clientUser.userName )
613  == 0 ) {
614  authCheckOut->clientPrivLevel = authCheckOut->privLevel;
615  }
616 
617  status = check_proxy_user_privileges( _ctx.comm(), authCheckOut->privLevel );
618 
619  if ( status < 0 ) {
620  free( authCheckOut->serverResponse );
621  free( authCheckOut );
622  return ERROR(
623  status,
624  "check_proxy_user_privileges failed" );
625  }
626 
627  rodsLog( LOG_DEBUG,
628  "rsAuthResponse set proxy authFlag to %d, client authFlag to %d, user:%s proxy:%s client:%s",
629  authCheckOut->privLevel,
630  authCheckOut->clientPrivLevel,
631  authCheckInp.username,
632  _ctx.comm()->proxyUser.userName,
633  _ctx.comm()->clientUser.userName );
634 
635  if ( strcmp( _ctx.comm()->proxyUser.userName, _ctx.comm()->clientUser.userName ) != 0 ) {
636  _ctx.comm()->proxyUser.authInfo.authFlag = authCheckOut->privLevel;
637  _ctx.comm()->clientUser.authInfo.authFlag = authCheckOut->clientPrivLevel;
638  }
639  else { /* proxyUser and clientUser are the same */
640  _ctx.comm()->proxyUser.authInfo.authFlag =
641  _ctx.comm()->clientUser.authInfo.authFlag = authCheckOut->privLevel;
642  }
643 
644  free( authCheckOut->serverResponse );
645  free( authCheckOut );
646  return SUCCESS();
647 
648 } // osauth_auth_agent_response
649 
650 // =-=-=-=-=-=-=-
651 // operation to verify the response on the agent side
652 irods::error osauth_auth_agent_auth_verify(
653  irods::plugin_context&,
654  const char* _challenge,
655  const char* _user_name,
656  const char* _response ) {
657  // =-=-=-=-=-=-=-
658  // delegate auth verify to osauth lib
659  int status = osauthVerifyResponse(
660  const_cast< char* >( _challenge ),
661  const_cast< char* >( _user_name ),
662  const_cast< char* >( _response ) );
663  if ( status ) {
664  return ERROR(
665  status,
666  "osauthVerifyResponse failed" );
667  }
668  else {
669  return SUCCESS();
670 
671  }
672 
673 } // osauth_auth_agent_auth_verify
674 
675 
676 // =-=-=-=-=-=-=-
677 // stub for ops that the native plug does
678 // not need to support
679 irods::error osauth_auth_agent_start(
680  irods::plugin_context&,
681  const char*) {
682  return SUCCESS();
683 
684 } // osauth_auth_success_stub
685 
686 irods::error osauth_auth_agent_verify(
687  irods::plugin_context& ,
688  const char* ,
689  const char* ,
690  const char* ) {
691  return SUCCESS();
692 
693 } // osauth_auth_agent_verify
694 #endif
695 
696 // =-=-=-=-=-=-=-
697 // derive a new osauth_auth auth plugin from
698 // the auth plugin base class for handling
699 // native authentication
700 class osauth_auth_plugin : public irods::auth {
701  public:
702  osauth_auth_plugin(
703  const std::string& _nm,
704  const std::string& _ctx ) :
705  irods::auth(
706  _nm,
707  _ctx ) {
708  } // ctor
709 
710  ~osauth_auth_plugin() {
711  }
712 
713 }; // class osauth_auth_plugin
714 
715 // =-=-=-=-=-=-=-
716 // factory function to provide instance of the plugin
717 extern "C"
718 irods::auth* plugin_factory(
719  const std::string& _inst_name,
720  const std::string& _context ) {
721  // =-=-=-=-=-=-=-
722  // create an auth object
723  osauth_auth_plugin* nat = new osauth_auth_plugin(
724  _inst_name,
725  _context );
726 
727  // =-=-=-=-=-=-=-
728  // fill in the operation table mapping call
729  // names to function names
730  using namespace irods;
731  using namespace std;
732  nat->add_operation<rcComm_t*,const char*>(
733  AUTH_CLIENT_START,
734  function<error(plugin_context&,rcComm_t*,const char*)>(
735  osauth_auth_client_start ) );
736  nat->add_operation(
737  AUTH_ESTABLISH_CONTEXT,
738  function<error(plugin_context&)>(
739  osauth_auth_establish_context ) );
740  nat->add_operation<rcComm_t*>(
741  AUTH_CLIENT_AUTH_REQUEST,
742  function<error(plugin_context&,rcComm_t*)>(
743  osauth_auth_client_request ) );
744  nat->add_operation<rcComm_t*>(
745  AUTH_CLIENT_AUTH_RESPONSE,
746  function<error(plugin_context&,rcComm_t*)>(
747  osauth_auth_client_response ) );
748 #ifdef RODS_SERVER
749  nat->add_operation<const char*>(
750  AUTH_AGENT_START,
751  function<error(plugin_context&,const char*)>(
752  osauth_auth_agent_start ) );
753  nat->add_operation(
754  AUTH_AGENT_AUTH_REQUEST,
755  function<error(plugin_context&)>(
756  osauth_auth_agent_request ) );
757  nat->add_operation<authResponseInp_t*>(
758  AUTH_AGENT_AUTH_RESPONSE,
759  function<error(plugin_context&,authResponseInp_t*)>(
760  osauth_auth_agent_response ) );
761  nat->add_operation<const char*,const char*,const char*>(
762  AUTH_AGENT_AUTH_VERIFY,
763  function<error(plugin_context&,const char*,const char*,const char*)>(
764  osauth_auth_agent_verify ) );
765 #endif
766 
767  irods::auth* auth = dynamic_cast< irods::auth* >( nat );
768 
769  return auth;
770 
771 } // plugin_factory
rodsLog
void rodsLog(int level, const char *formatStr,...)
Definition: rodsLog.cpp:86
rcComm_t
Definition: rcConnect.h:95
NULL
#define NULL
Definition: rodsDef.h:70
rsComm_t
Definition: rcConnect.h:145
rodsServerHost::localFlag
int localFlag
Definition: rodsConnect.h:68
authCheckInp_t::challenge
char * challenge
Definition: authCheck.h:7
irods::AUTH_ESTABLISH_CONTEXT
const std::string AUTH_ESTABLISH_CONTEXT("auth_establish_context")
osauth.h
irods::AUTH_CLIENT_START
const std::string AUTH_CLIENT_START("auth_client_start")
authPluginRequest.h
msParam.h
irods::plugin_context::valid
virtual error valid()
Definition: irods_plugin_context.hpp:77
rodsServerHost::conn
rcComm_t * conn
Definition: rodsConnect.h:64
userInfo_t::userName
char userName[64]
Definition: rodsUser.h:66
rcComm_t::proxyUser
userInfo_t proxyUser
Definition: rcConnect.h:103
rodsServerHost::rcatEnabled
int rcatEnabled
Definition: rodsConnect.h:65
irods::osauth_auth_object_ptr
boost::shared_ptr< osauth_auth_object > osauth_auth_object_ptr
Definition: irods_osauth_auth_object.hpp:87
irods_stacktrace.hpp
rsComm_t::auth_scheme
char * auth_scheme
Definition: rcConnect.h:177
getAndConnRcatHostNoLogin
int getAndConnRcatHostNoLogin(rsComm_t *rsComm, int rcatType, char *rcatZoneHint, rodsServerHost_t **rodsServerHost)
Definition: rodsConnect.cpp:62
authenticate.h
irods::auth::auth
auth(const std::string &_inst, const std::string &_ctx)
Definition: irods_auth_plugin.hpp:19
osauth_auth_plugin
Definition: libosauth.cpp:700
rcConnect.h
setSessionSignatureClientside
void setSessionSignatureClientside(char *_sig)
Definition: clientLogin.cpp:48
authCheckOut_t::serverResponse
char * serverResponse
Definition: authCheck.h:15
osauth_auth_establish_context
irods::error osauth_auth_establish_context(irods::plugin_context &_ctx)
Definition: libosauth.cpp:116
irods::AUTH_OSAUTH_SCHEME
const std::string AUTH_OSAUTH_SCHEME("osauth")
irods::kvp_delimiter
std::string kvp_delimiter()
Definition: irods_kvp_string_parser.cpp:17
irods::AUTH_AGENT_AUTH_RESPONSE
const std::string AUTH_AGENT_AUTH_RESPONSE("auth_agent_auth_response")
LOCAL_HOST
#define LOCAL_HOST
Definition: rodsConnect.h:44
zoneInfo::zoneName
char zoneName[64]
Definition: rodsConnect.h:75
irods::AUTH_RESPONSE_KEY
const std::string AUTH_RESPONSE_KEY("a_resp")
AuthPluginReqOut
Definition: authPluginRequest.h:12
REMOTE_USER_AUTH
#define REMOTE_USER_AUTH
Definition: rodsUser.h:33
irods::plugin_context
Definition: irods_plugin_context.hpp:18
LOG_ERROR
#define LOG_ERROR
Definition: rodsLog.h:43
authCheckOut_t::clientPrivLevel
int clientPrivLevel
Definition: authCheck.h:14
irods::AUTH_CLIENT_AUTH_REQUEST
const std::string AUTH_CLIENT_AUTH_REQUEST("auth_agent_client_request")
SYS_INVALID_INPUT_PARAM
@ SYS_INVALID_INPUT_PARAM
Definition: rodsErrorTable.h:195
authCheckOut_t
Definition: authCheck.h:12
osauth_auth_client_start
irods::error osauth_auth_client_start(irods::plugin_context &_ctx, rcComm_t *_comm, const char *)
Definition: libosauth.cpp:77
REMOTE_ICAT
#define REMOTE_ICAT
Definition: rodsConnect.h:54
authRequest.h
MAX_PASSWORD_LEN
#define MAX_PASSWORD_LEN
Definition: authenticate.h:9
REMOTE_SERVER_AUTH_NOT_PROVIDED
@ REMOTE_SERVER_AUTH_NOT_PROVIDED
Definition: rodsErrorTable.h:505
irods::AUTH_AGENT_AUTH_REQUEST
const std::string AUTH_AGENT_AUTH_REQUEST("auth_agent_auth_request")
irods_auth_constants.hpp
irods::auth
Definition: irods_auth_plugin.hpp:17
OK
#define OK
Definition: base64.cpp:7
SUCCESS
#define SUCCESS()
Definition: irods_error.hpp:121
irods::plugin_context::comm
virtual rsComm_t * comm()
Definition: irods_plugin_context.hpp:95
LOCAL_USER_AUTH
#define LOCAL_USER_AUTH
Definition: rodsUser.h:34
REMOTE_SERVER_AUTH_EMPTY
@ REMOTE_SERVER_AUTH_EMPTY
Definition: rodsErrorTable.h:506
LOG_DEBUG
#define LOG_DEBUG
Definition: rodsLog.h:23
authCheckOut_t::privLevel
int privLevel
Definition: authCheck.h:13
rsComm_t::proxyUser
userInfo_t proxyUser
Definition: rcConnect.h:152
AuthPluginReqOut::result_
char result_[(1024+64)]
Definition: authPluginRequest.h:13
check_proxy_user_privileges
static int check_proxy_user_privileges(rsComm_t *rsComm, int proxyUserPriv)
Definition: libosauth.cpp:40
irods::osauth_auth_object
Definition: irods_osauth_auth_object.hpp:21
ANONYMOUS_USER
#define ANONYMOUS_USER
Definition: rodsDef.h:133
irods
Definition: apiHandler.hpp:35
getline
int getline(char *s, int n, FILE *f)
Definition: ruleAdmin.cpp:317
authResponseInp_t
Definition: authResponse.h:6
rodsDef.h
osauth_auth_plugin::osauth_auth_plugin
osauth_auth_plugin(const std::string &_nm, const std::string &_ctx)
Definition: libosauth.cpp:702
osauthVerifyResponse
int osauthVerifyResponse(char *challenge, char *username, char *response)
Definition: osauth.cpp:36
osauthGetAuth
int osauthGetAuth(char *challenge, char *username, char *authenticator, int authenticator_buflen)
Definition: osauth.cpp:242
authCheck.h
REMOTE_PRIV_USER_AUTH
#define REMOTE_PRIV_USER_AUTH
Definition: rodsUser.h:35
MAX_NAME_LEN
#define MAX_NAME_LEN
Definition: rodsDef.h:61
rcAuthCheck
int rcAuthCheck(rcComm_t *conn, authCheckInp_t *authCheckInp, authCheckOut_t **authCheckOut)
Definition: rcAuthCheck.cpp:37
rsAuthCheck.hpp
authCheckInp_t::username
char * username
Definition: authCheck.h:9
getLocalZoneInfo
int getLocalZoneInfo(zoneInfo_t **outZoneInfo)
Definition: rodsConnect.cpp:666
authResponseInp_t::username
char * username
Definition: authResponse.h:8
LOCAL_PRIV_USER_AUTH
#define LOCAL_PRIV_USER_AUTH
Definition: rodsUser.h:36
irods::auth_object::request_result
virtual std::string request_result() const
Definition: irods_auth_object.hpp:30
irods.pypyodbc.status
status
Definition: pypyodbc.py:467
userInfo_t::rodsZone
char rodsZone[64]
Definition: rodsUser.h:67
LOG_NOTICE
#define LOG_NOTICE
Definition: rodsLog.h:33
irods::AUTH_AGENT_START
const std::string AUTH_AGENT_START("auth_agent_start")
rsComm_t::clientUser
userInfo_t clientUser
Definition: rcConnect.h:153
plugin_factory
irods::auth * plugin_factory(const std::string &_inst_name, const std::string &_context)
Definition: libosauth.cpp:718
ERROR
#define ERROR(code_, message_)
Definition: irods_error.hpp:117
irods::error
Definition: irods_error.hpp:23
AuthPluginReqInp
Definition: authPluginRequest.h:6
rsAuthRequest.hpp
miscServerFunct.hpp
_rsSetAuthRequestGetChallenge
void _rsSetAuthRequestGetChallenge(const char *_c)
Definition: rsAuthRequest.cpp:31
rcAuthResponse
int rcAuthResponse(rcComm_t *conn, authResponseInp_t *authResponseInp)
Definition: rcAuthResponse.cpp:35
authCheckInp_t::response
char * response
Definition: authCheck.h:8
irods_auth_plugin.hpp
MASTER_RCAT
#define MASTER_RCAT
Definition: rodsDef.h:85
authResponse.h
rsAuthCheck
int rsAuthCheck(rsComm_t *rsComm, authCheckInp_t *authCheckInp, authCheckOut_t **authCheckOut)
Definition: rsAuthCheck.cpp:21
irods_osauth_auth_object.hpp
irods::AUTH_SCHEME_KEY
const std::string AUTH_SCHEME_KEY("a_scheme")
authResponseInp_t::response
char * response
Definition: authResponse.h:7
rodsServerHost
Definition: rodsConnect.h:62
RESPONSE_LEN
#define RESPONSE_LEN
Definition: authenticate.h:11
rcDisconnect
int rcDisconnect(rcComm_t *conn)
Definition: rcConnect.cpp:246
error
int error
Definition: filesystem.cpp:101
irods::plugin_base::add_operation
error add_operation(const std::string &_op, std::function< error(plugin_context &)> _f)
Definition: irods_plugin_base.hpp:122
irods::plugin_context::fco
virtual first_class_object_ptr fco()
Definition: irods_plugin_context.hpp:102
irods_kvp_string_parser.hpp
osauth_auth_client_request
irods::error osauth_auth_client_request(irods::plugin_context &_ctx, rcComm_t *_comm)
Definition: libosauth.cpp:246
getZoneServerId
void getZoneServerId(char *zoneName, char *zoneSID)
Definition: miscServerFunct.cpp:1945
irods::kvp_association
std::string kvp_association()
Definition: irods_kvp_string_parser.cpp:23
osauth_auth_client_response
irods::error osauth_auth_client_response(irods::plugin_context &_ctx, rcComm_t *_comm)
Definition: libosauth.cpp:337
irods::AUTH_AGENT_AUTH_VERIFY
const std::string AUTH_AGENT_AUTH_VERIFY("auth_agent_auth_verify")
AuthPluginReqInp::auth_scheme_
char auth_scheme_[(1024+64)]
Definition: authPluginRequest.h:7
REMOTE_SERVER_AUTHENTICATION_FAILURE
@ REMOTE_SERVER_AUTHENTICATION_FAILURE
Definition: rodsErrorTable.h:504
CHALLENGE_LEN
#define CHALLENGE_LEN
Definition: authenticate.h:10
authCheckInp_t
Definition: authCheck.h:6
userInfo_t::authInfo
authInfo_t authInfo
Definition: rodsUser.h:70
_rsAuthRequestGetChallenge
char * _rsAuthRequestGetChallenge()
Definition: rsAuthRequest.cpp:25
mode
int mode
Definition: filesystem.cpp:104
rcAuthPluginRequest
int rcAuthPluginRequest(rcComm_t *server_comm_ptr, authPluginReqInp_t *incoming_struct_with_scheme, authPluginReqOut_t **response_from_agent)
Definition: rcAuthPluginRequest.cpp:6
zoneInfo
Definition: rodsConnect.h:74
NAME_LEN
#define NAME_LEN
Definition: rodsDef.h:55
authInfo_t::authFlag
int authFlag
Definition: rodsUser.h:42
irods::AUTH_CLIENT_AUTH_RESPONSE
const std::string AUTH_CLIENT_AUTH_RESPONSE("auth_agent_client_response")
irods::error::ok
bool ok()
Definition: irods_error.cpp:258
buf
static char buf[64+50+1]
Definition: rsAuthRequest.cpp:21
parseUserName
int parseUserName(const char *fullUserNameIn, char *userName, char *userZone)
Definition: rcMisc.cpp:204
get64RandomBytes
int get64RandomBytes(char *buf)
Definition: rcMisc.cpp:1371
irods::osauth_auth_object::user_name
std::string user_name() const
Definition: irods_osauth_auth_object.hpp:49
osauth_auth_plugin::~osauth_auth_plugin
~osauth_auth_plugin()
Definition: libosauth.cpp:710
REMOTE_SERVER_SID_NOT_DEFINED
@ REMOTE_SERVER_SID_NOT_DEFINED
Definition: rodsErrorTable.h:507
SYS_PROXYUSER_NO_PRIV
@ SYS_PROXYUSER_NO_PRIV
Definition: rodsErrorTable.h:106