#include "authRequest.h"
#include "authResponse.h"
#include "authCheck.h"
#include "miscServerFunct.h"

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
00015 #define requireServerAuth 0
00017 int
00018 rsAuthResponse (rsComm_t *rsComm, authResponseInp_t *authResponseInp)
00019 {
00020 int status;
00021 char *bufp;
00022 authCheckInp_t authCheckInp;
00023 authCheckOut_t *authCheckOut = NULL;
00024 rodsServerHost_t *rodsServerHost;
00025
00026 char digest[RESPONSE_LEN+2];
00027 char md5Buf[CHALLENGE_LEN+MAX_PASSWORD_LEN+2];
00028 char serverId[MAX_PASSWORD_LEN+2];
00029 MD5_CTX context;
00030
00031 bufp = _rsAuthRequestGetChallenge();
00032
00033
00034
00035
00036 status = getAndConnRcatHostNoLogin (rsComm, SLAVE_RCAT,
00037 rsComm->proxyUser.rodsZone, &rodsServerHost);
00038 if (status < 0) {
00039 return(status);
00040 }
00041
00042 memset (&authCheckInp, 0, sizeof (authCheckInp));
00043 authCheckInp.challenge = bufp;
00044 authCheckInp.response = authResponseInp->response;
00045 authCheckInp.username = authResponseInp->username;
00046
00047 if (rodsServerHost->localFlag == LOCAL_HOST) {
00048 status = rsAuthCheck (rsComm, &authCheckInp, &authCheckOut);
00049 } else {
00050 status = rcAuthCheck (rodsServerHost->conn, &authCheckInp, &authCheckOut);
00051
00052 rcDisconnect(rodsServerHost->conn);
00053 rodsServerHost->conn = NULL;
00054 }
00055 if (status < 0 || authCheckOut == NULL ) {
00056 rodsLog (LOG_NOTICE,
00057 "rsAuthResponse: rxAuthCheck failed, status = %d", status);
00058 return (status);
00059 }
00060
00061 if (rodsServerHost->localFlag != LOCAL_HOST) {
00062 if (authCheckOut->serverResponse == NULL) {
00063 rodsLog(LOG_NOTICE, "Warning, cannot authenticate remote server, no serverResponse field");
00064 if (requireServerAuth) {
00065 rodsLog(LOG_NOTICE, "Authentication disallowed, no serverResponse field");
00066 return(REMOTE_SERVER_AUTH_NOT_PROVIDED);
00067 }
00068 }
00069 else {
00070 char *cp;
00071 int OK, len, i;
00072 if (*authCheckOut->serverResponse == '\0') {
00073 rodsLog(LOG_NOTICE, "Warning, cannot authenticate remote server, serverResponse field is empty");
00074 if (requireServerAuth) {
00075 rodsLog(LOG_NOTICE, "Authentication disallowed, empty serverResponse");
00076 return(REMOTE_SERVER_AUTH_EMPTY);
00077 }
00078 }
00079 else {
00080 char username2[NAME_LEN+2];
00081 char userZone[NAME_LEN+2];
00082 memset(md5Buf, 0, sizeof(md5Buf));
00083 strncpy(md5Buf, authCheckInp.challenge, CHALLENGE_LEN);
00084 parseUserName(authResponseInp->username, username2, userZone);
00085 getZoneServerId(userZone, serverId);
00086 len = strlen(serverId);
00087 if (len <= 0) {
00088 rodsLog (LOG_NOTICE, "rsAuthResponse: Warning, cannot authenticate the remote server, no RemoteZoneSID defined in server.config", status);
00089 if (requireServerAuth) {
00090 rodsLog(LOG_NOTICE, "Authentication disallowed, no RemoteZoneSID defined");
00091 return(REMOTE_SERVER_SID_NOT_DEFINED);
00092 }
00093 }
00094 else {
00095 strncpy(md5Buf+CHALLENGE_LEN, serverId, len);
00096 MD5Init (&context);
00097 MD5Update (&context, (unsigned char*)md5Buf,
00098 CHALLENGE_LEN+MAX_PASSWORD_LEN);
00099 MD5Final ((unsigned char*)digest, &context);
00100 for (i=0;i<RESPONSE_LEN;i++) {
00101 if (digest[i]=='\0') digest[i]++;
00102
00103 }
00104 cp = authCheckOut->serverResponse;
00105 OK=1;
00106 for (i=0;i<RESPONSE_LEN;i++) {
00107 if (*cp++ != digest[i]) OK=0;
00108 }
00109 rodsLog(LOG_DEBUG, "serverResponse is OK/Not: %d", OK);
00110 if (OK==0) {
00111 rodsLog(LOG_NOTICE, "Server response incorrect, authentication disallowed");
00112 return(REMOTE_SERVER_AUTHENTICATION_FAILURE);
00113 }
00114 }
00115 }
00116 }
00117 }
00118
00119
00120 if (strlen(rsComm->clientUser.rodsZone)==0) {
00121 zoneInfo_t *tmpZoneInfo;
00122 status = getLocalZoneInfo (&tmpZoneInfo);
00123 if (status < 0) {
00124 free (authCheckOut);
00125 return status;
00126 }
00127 strncpy(rsComm->clientUser.rodsZone,
00128 tmpZoneInfo->zoneName, NAME_LEN);
00129 }
00130
00131
00132
00133
00134
00135
00136 if (rodsServerHost->rcatEnabled == REMOTE_ICAT) {
00137
00138 if (authCheckOut->privLevel == LOCAL_PRIV_USER_AUTH)
00139 authCheckOut->privLevel = REMOTE_PRIV_USER_AUTH;
00140 else if (authCheckOut->privLevel == LOCAL_PRIV_USER_AUTH)
00141 authCheckOut->privLevel = REMOTE_PRIV_USER_AUTH;
00142
00143
00144 if (strcmp (rsComm->proxyUser.userName, rsComm->clientUser.userName)
00145 == 0) {
00146 authCheckOut->clientPrivLevel = authCheckOut->privLevel;
00147 } else {
00148 zoneInfo_t *tmpZoneInfo;
00149 status = getLocalZoneInfo (&tmpZoneInfo);
00150 if (status < 0) {
00151 free (authCheckOut);
00152 return status;
00153 }
00154
00155 if (strcmp (tmpZoneInfo->zoneName, rsComm->clientUser.rodsZone)
00156 == 0) {
00157
00158 if (authCheckOut->clientPrivLevel == REMOTE_PRIV_USER_AUTH) {
00159 authCheckOut->clientPrivLevel = LOCAL_PRIV_USER_AUTH;
00160 } else if (authCheckOut->clientPrivLevel == REMOTE_USER_AUTH) {
00161 authCheckOut->clientPrivLevel = LOCAL_USER_AUTH;
00162 }
00163 } else {
00164
00165 if (authCheckOut->clientPrivLevel == LOCAL_PRIV_USER_AUTH) {
00166 authCheckOut->clientPrivLevel = REMOTE_USER_AUTH;
00167 } else if (authCheckOut->clientPrivLevel == LOCAL_USER_AUTH) {
00168 authCheckOut->clientPrivLevel = REMOTE_USER_AUTH;
00169 }
00170 }
00171 }
00172 } else if (strcmp (rsComm->proxyUser.userName, rsComm->clientUser.userName)
00173 == 0) {
00174 authCheckOut->clientPrivLevel = authCheckOut->privLevel;
00175 }
00176
00177 status = chkProxyUserPriv (rsComm, authCheckOut->privLevel);
00178
00179 if (status < 0) {
00180 free (authCheckOut);
00181 return status;
00182 }
00183
00184 rodsLog(LOG_NOTICE,
00185 "rsAuthResponse set proxy authFlag to %d, client authFlag to %d, user:%s proxy:%s client:%s",
00186 authCheckOut->privLevel,
00187 authCheckOut->clientPrivLevel,
00188 authCheckInp.username,
00189 rsComm->proxyUser.userName,
00190 rsComm->clientUser.userName);
00191
00192 if (strcmp (rsComm->proxyUser.userName, rsComm->clientUser.userName) != 0) {
00193 rsComm->proxyUser.authInfo.authFlag = authCheckOut->privLevel;
00194 rsComm->clientUser.authInfo.authFlag = authCheckOut->clientPrivLevel;
00195 } else {
00196 rsComm->proxyUser.authInfo.authFlag =
00197 rsComm->clientUser.authInfo.authFlag = authCheckOut->privLevel;
00198 }
00199
00200
00201 if (authCheckOut->serverResponse != NULL) free(authCheckOut->serverResponse);
00202
00203 free (authCheckOut);
00204
00205 return (status);
00206 }
/*
 * Decide whether the proxy user on this connection may authenticate on behalf
 * of the client user.
 *
 * rsComm        - connection whose proxyUser / clientUser are compared
 * proxyUserPriv - privilege level the catalog returned for the proxy user
 *
 * Returns 0 when proxy and client are the same user, when the proxy level is
 * at least LOCAL_PRIV_USER_AUTH, or when it is at least REMOTE_PRIV_USER_AUTH
 * and both users are in the same zone.  Otherwise logs the refusal and returns
 * SYS_PROXYUSER_NO_PRIV.
 */
int
chkProxyUserPriv (rsComm_t *rsComm, int proxyUserPriv)
{
    const char *proxyName = rsComm->proxyUser.userName;
    const char *clientName = rsComm->clientUser.userName;
    int sameZone;

    /* Acting for oneself needs no proxy privilege at all. */
    if (strcmp (proxyName, clientName) == 0) {
        return 0;
    }

    if (proxyUserPriv >= LOCAL_PRIV_USER_AUTH) {
        return 0;
    }

    sameZone = (strcmp (rsComm->proxyUser.rodsZone,
                        rsComm->clientUser.rodsZone) == 0);
    if (proxyUserPriv >= REMOTE_PRIV_USER_AUTH && sameZone) {
        return 0;
    }

    rodsLog (LOG_ERROR,
             "rsAuthResponse: proxyuser %s with %d no priv to auth clientUser %s",
             proxyName,
             proxyUserPriv,
             clientName);
    return (SYS_PROXYUSER_NO_PRIV);
}