
rsPamAuthRequest.cpp
1 
4 /* See pamAuthRequest.h for a description of this API call.*/
5 
#include "rsPamAuthRequest.hpp"

#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#include <cerrno>
#include <cstdio>
#include <cstring>

#include "pamAuthRequest.h"
#include "genQuery.h"
#include "miscServerFunct.hpp"
#include "irods_log.hpp"
#include "sslSockComm.h"
#include "miscServerFunct.hpp"
17 
18 
/*
 * rsPamAuthRequest: server entry point for the PAM authentication request
 * API (see pamAuthRequest.h).  It resolves the catalog (ICAT) host for the
 * client's zone and then either performs the PAM check on this host or
 * forwards the request to the remote catalog host.
 *
 * NOTE(review): this Doxygen listing drops every source line that carried a
 * cross-reference link (e.g. the getAndConnRcatHost(...) call whose trailing
 * arguments appear below, the local-host test, the _rsPamAuthRequest(...)
 * call, the error-code assignments and the sslStart/sslEnd/rcDisconnect
 * calls).  Do not rely on the control flow exactly as shown; check the full
 * source.
 *
 * Security: pamAuthRequestInp->pamPassword is the user's clear-text PAM
 * password.  Whenever it must leave this host the code below insists on an
 * SSL-protected connection and gives up if one cannot be established.
 */
19 int
20 rsPamAuthRequest( rsComm_t *rsComm, pamAuthRequestInp_t *pamAuthRequestInp,
21  pamAuthRequestOut_t **pamAuthRequestOut ) {
23  int status;
24 
 /* Locate (and connect to) the catalog host for the client's zone; the call
  * itself is on an omitted line -- only its trailing arguments are visible. */
26  rsComm,
28  ( const char* )rsComm->clientUser.rodsZone,
29  &rodsServerHost );
30  if ( status < 0 ) {
31  return status;
32  }
 /* Omitted line: presumably the branch on rodsServerHost->localFlag.  The
  * block that follows handles the case where this server is the catalog host. */
34  std::string svc_role;
35  irods::error ret = get_catalog_service_role(svc_role);
36  if(!ret.ok()) {
37  irods::log(PASS(ret));
38  return ret.code();
39  }
40 
41  if( irods::CFG_SERVICE_ROLE_PROVIDER == svc_role ) {
 /* Provider: run the PAM check locally (the _rsPamAuthRequest call is on an omitted line). */
43  rsComm,
44  pamAuthRequestInp,
45  pamAuthRequestOut );
46  } else if( irods::CFG_SERVICE_ROLE_CONSUMER == svc_role ) {
 /* Consumer has no catalog to check against; the error assignment is on an omitted line. */
48  } else {
49  rodsLog(
50  LOG_ERROR,
51  "role not supported [%s]",
52  svc_role.c_str() );
54  }
55  }
56  else {
57  /* protect the PAM plain text password by
58  using an SSL connection to the remote ICAT */
 /* The sslStart(...) call is on an omitted line.  A non-zero status means
  * there is no SSL session, and the password must not be sent in the clear. */
60  if ( status ) {
61  rodsLog( LOG_NOTICE, "rsPamAuthRequest: could not establish SSL connection, status %d",
62  status );
63  return status;
64  }
65 
 /* Forward the request -- clear-text password included -- over the SSL-wrapped connection. */
66  status = rcPamAuthRequest( rodsServerHost->conn, pamAuthRequestInp,
67  pamAuthRequestOut );
 /* Omitted lines 68-70: presumably tear down the SSL session / connection. */
71  if ( status < 0 ) {
72  rodsLog( LOG_NOTICE, "rsPamAuthRequest: rcPamAuthRequest to remote server failed, status %d",
73  status );
74  }
75  }
76  return status;
77 }
78 
79 /*
80  Fork and exec the irodsPamAuthCheck program, which is setuid root, to
81  do the PAM authentication. The username is on the command line (so it is
82  visible in process listings) but the password is sent on a pipe to be more secure.
 Note that the PAM_AUTH_CHECK_PROG fallback below is a relative path, resolved
 against the server process's working directory unless the build defines it.
83  */
84 #ifndef PAM_AUTH_CHECK_PROG
85 #define PAM_AUTH_CHECK_PROG "./irodsPamAuthCheck"
86 #endif
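int
runPamAuthCheck( char *username, char *password ) {
    /*
     * Fork/exec the setuid-root PAM_AUTH_CHECK_PROG helper and hand it the
     * credentials to verify.
     *
     * username - passed to the helper as argv[1]; being on the command line it
     *            is visible to anyone who can list processes, so only the user
     *            name (never the password) may travel this way.
     * password - written to the helper's stdin over a pipe; the helper sees EOF
     *            once the whole password has been written.
     * Both must be non-NULL, NUL-terminated strings.
     *
     * Returns the raw wait(2) status of the helper (the caller compares it with
     * 256, i.e. exit code 1, to recognise a rejected password), or a negative
     * SYS_* code when the pipe/fork/wait plumbing itself failed.
     */
    int p2cp[2]; /* parent to child pipe: [0] is the read end, [1] the write end */

    if ( pipe( p2cp ) < 0 ) {
        return SYS_PIPE_ERROR;
    }

    const pid_t pid = fork();
    if ( pid == -1 ) {
        /* Don't leak both pipe ends in the long-lived server process. */
        close( p2cp[0] );
        close( p2cp[1] );
        return SYS_FORK_ERROR;
    }

    if ( pid == 0 ) {
        /*
         * Child: wire the pipe's read end to stdin and exec the helper.
         * The write end is closed first so the helper reads EOF as soon as the
         * parent has finished writing (the child must not hold a copy of it).
         */
        close( p2cp[1] );
        if ( p2cp[0] != 0 ) {
            /* dup2 replaces fd 0 atomically; an explicit close( 0 ) beforehand
             * would break the case where the pipe itself was handed fd 0. */
            if ( dup2( p2cp[0], 0 ) == -1 ) {
                int errsv = errno;
                irods::log( ERROR( errsv, "Error duplicating the file descriptor." ) );
                /* Without the pipe on stdin the helper would read the password
                 * from whatever fd 0 the server had; don't exec it at all. */
                _exit( 127 );
            }
            /* Don't pass the setuid helper a second descriptor for the pipe. */
            close( p2cp[0] );
        }
        int rc = execl( PAM_AUTH_CHECK_PROG, PAM_AUTH_CHECK_PROG, username,
                        ( char * )NULL );
        /*
         * Only reached when exec failed (helper missing, not executable, ...).
         * The child must terminate here rather than return: returning would let
         * a second copy of the server agent keep running with the parent's
         * sockets and database connection.  _exit() skips atexit handlers and
         * stdio flushes that belong to the parent, which is also why the
         * diagnostic goes to unbuffered stderr rather than stdout.
         */
        perror( "execl" );
        fprintf( stderr, "execl failed %d\n", rc );
        _exit( 127 );
    }

    /*
     * Parent: send the password, close our write end so the helper sees EOF,
     * then collect its exit status.  Our copy of the read end is closed first
     * (the original code leaked one descriptor per authentication attempt).
     */
    close( p2cp[0] );

    const char *cursor = password;
    size_t remaining = strlen( password );
    while ( remaining > 0 ) {
        /* Loop to cope with short writes and EINTR instead of assuming one write suffices. */
        ssize_t written = write( p2cp[1], cursor, remaining );
        if ( written < 0 ) {
            if ( errno == EINTR ) {
                continue;
            }
            /* NOTE(review): if the helper has already exited (e.g. exec failed)
             * this is EPIPE -- and, unless the server ignores SIGPIPE, the
             * process is killed before getting here.  Confirm the agent's
             * SIGPIPE disposition. */
            int errsv = errno;
            irods::log( ERROR( errsv, "Error during write from parent to child." ) );
            break;
        }
        cursor += written;
        remaining -= ( size_t )written;
    }
    close( p2cp[1] );

    int status = 0;
    while ( waitpid( pid, &status, 0 ) == -1 ) {
        if ( errno != EINTR ) {
            int errsv = errno;
            irods::log( ERROR( errsv, "Error waiting for the PAM auth check helper." ) );
            /* There is no dedicated wait error code; any non-zero value makes the
             * caller treat the check as failed rather than as "password accepted". */
            return SYS_FORK_ERROR;
        }
    }
    return status;
}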
129 
/*
 * _rsPamAuthRequest: the local (catalog-provider) implementation.  Runs the
 * setuid irodsPamAuthCheck helper for pamUser/pamPassword and, if the helper
 * accepts them, asks the catalog (chlUpdateIrodsPamPassword) for an iRODS
 * password for that user with the requested timeToLive, returned through
 * (*pamAuthRequestOut)->irodsPamPassword.  The caller owns both allocations.
 *
 * NOTE(review): three source lines are missing from this listing (the two
 * status assignments in the if/else below and the start of the
 * chlUpdateIrodsPamPassword(...) call); check the full source.
 *
 * Review notes (code left byte-identical here):
 *  - the malloc of *pamAuthRequestOut is not checked before memset() uses it;
 *  - every early return leaves the already-allocated *pamAuthRequestOut for
 *    the caller to free;
 *  - irodsPamPassword is a fixed 100-byte buffer handed to the callee by
 *    address; the callee must honour that size.
 */
130 int
131 _rsPamAuthRequest( rsComm_t *rsComm, pamAuthRequestInp_t *pamAuthRequestInp,
132  pamAuthRequestOut_t **pamAuthRequestOut ) {
133  int status = 0;
134  pamAuthRequestOut_t *result;
135 
136  *pamAuthRequestOut = ( pamAuthRequestOut_t * )
137  malloc( sizeof( pamAuthRequestOut_t ) );
138  memset( ( char * )*pamAuthRequestOut, 0, sizeof( pamAuthRequestOut_t ) );
139 
140  result = *pamAuthRequestOut;
141 
142  /* Normal mode, fork/exec setuid program to do the Pam check */
 /* runPamAuthCheck returns the helper's raw wait(2) status, not an iRODS error code. */
143  status = runPamAuthCheck( pamAuthRequestInp->pamUser,
144  pamAuthRequestInp->pamPassword );
 /* 256 is the wait status for exit code 1 (1 << 8): presumably the helper's
  * "credentials rejected" result, mapped on the omitted line to an error
  * (PAM_AUTH_PASSWORD_FAILED is referenced by this file). */
145  if ( status == 256 ) {
147  }
148  else {
149  /* the exec failed or something (irodsPamAuthCheck not built perhaps) */
 /* Any other non-zero status is presumably mapped on the omitted line to
  * PAM_AUTH_NOT_BUILT_INTO_SERVER; zero means the helper accepted the password. */
150  if ( status != 0 ) {
152  }
153  }
154 
155  if ( status ) {
156  return status;
157  }
 /* Fixed-size output buffer for the generated iRODS password. */
158  result->irodsPamPassword = ( char* )malloc( 100 );
159  if ( result->irodsPamPassword == 0 ) {
160  return SYS_MALLOC_ERR;
161  }
162  memset(result->irodsPamPassword, 0, 100);
 /* The chlUpdateIrodsPamPassword( rsComm, ... ) call starts on an omitted line;
  * NULL is its testTime argument. */
164  pamAuthRequestInp->pamUser,
165  pamAuthRequestInp->timeToLive,
166  NULL,
167  &result->irodsPamPassword );
168  return status;
169 }