Revision a3e99f53

View differences:

include/UserPool.h
251 251
                               string&          gname,
252 252
                               set<int>&        group_ids,
253 253
                               int&             umask);
254

  
255
    int parse_auth_msg(
256
            AuthRequest &ar,
257
            int         &gid,
258
            set<int>    &group_ids,
259
            string      &driver_name,
260
            string      &mad_name,
261
            string      &mad_pass,
262
            string      &error_str);
263

  
254 264
    /**
255 265
     *  Factory method to produce User objects
256 266
     *    @return a pointer to the new User
share/etc/oned.conf
1018 1018

  
1019 1019
AUTH_MAD_CONF = [
1020 1020
    NAME = "core",
1021
    PASSWORD_CHANGE = "YES"
1021
    PASSWORD_CHANGE = "YES",
1022
    DRIVER_MANAGED_GROUPS = "NO"
1022 1023
]
1023 1024

  
1024 1025
AUTH_MAD_CONF = [
1025 1026
    NAME = "public",
1026
    PASSWORD_CHANGE = "NO"
1027
    PASSWORD_CHANGE = "NO",
1028
    DRIVER_MANAGED_GROUPS = "NO"
1027 1029
]
1028 1030

  
1029 1031
AUTH_MAD_CONF = [
1030 1032
    NAME = "ssh",
1031
    PASSWORD_CHANGE = "YES"
1033
    PASSWORD_CHANGE = "YES",
1034
    DRIVER_MANAGED_GROUPS = "NO"
1032 1035
]
1033 1036

  
1034 1037
AUTH_MAD_CONF = [
1035 1038
    NAME = "x509",
1036
    PASSWORD_CHANGE = "NO"
1039
    PASSWORD_CHANGE = "NO",
1040
    DRIVER_MANAGED_GROUPS = "NO"
1037 1041
]
1038 1042

  
1039 1043
AUTH_MAD_CONF = [
1040 1044
    NAME = "ldap",
1041
    PASSWORD_CHANGE = "YES"
1045
    PASSWORD_CHANGE = "YES",
1046
    DRIVER_MANAGED_GROUPS = "YES"
1042 1047
]
1043 1048

  
1044 1049
AUTH_MAD_CONF = [
1045 1050
    NAME = "server_cipher",
1046
    PASSWORD_CHANGE = "NO"
1051
    PASSWORD_CHANGE = "NO",
1052
    DRIVER_MANAGED_GROUPS = "NO"
1047 1053
]
1048 1054

  
1049 1055
AUTH_MAD_CONF = [
1050 1056
    NAME = "server_x509",
1051
    PASSWORD_CHANGE = "NO"
1057
    PASSWORD_CHANGE = "NO",
1058
    DRIVER_MANAGED_GROUPS = "NO"
1052 1059
]
src/um/UserPool.cc
397 397
    string auth_driver;
398 398
    string username;
399 399

  
400
    bool driver_managed_groups = false;
401
    bool update_groups;
402
    const VectorAttribute* auth_conf;
403
    int      new_gid = -1;
404
    set<int> new_group_ids;
405

  
406
    set<int> groups_remove;
407
    set<int> groups_add;
408
    set<int>::iterator it;
409

  
410
    int     rc;
411

  
400 412
    Nebula&     nd      = Nebula::instance();
401 413
    AuthManager * authm = nd.get_authm();
402 414

  
415
    Group* group;
416
    GroupPool* gpool = nd.get_gpool();
417

  
403 418
    username = user->name;
404 419
    password = user->password;
405 420

  
......
430 445
        return true;
431 446
    }
432 447

  
448
    if (nd.get_auth_conf_attribute(auth_driver, auth_conf) == 0)
449
    {
450
        auth_conf->vector_value("DRIVER_MANAGED_GROUPS", driver_managed_groups);
451
    }
452

  
433 453
    AuthRequest ar(user_id, group_ids);
434 454

  
435 455
    if ( auth_driver == UserPool::CORE_AUTH )
......
457 477
        {
458 478
            goto auth_failure_driver;
459 479
        }
480

  
481
        if (driver_managed_groups)
482
        {
483
            //------------------------------------------------------------------
484
            // Parse driver response
485
            //------------------------------------------------------------------
486

  
487
            string   driver_name;
488
            string   mad_name;
489
            string   mad_pass;
490
            string   error_str;
491

  
492
            rc = parse_auth_msg(ar, new_gid, new_group_ids,
493
                    driver_name, mad_name, mad_pass, error_str);
494

  
495
            if (rc != 0)
496
            {
497
                oss << "An error ocurred parsing the driver message. "
498
                    << error_str;
499
                NebulaLog::log("AuM",Log::WARNING,oss);
500

  
501
                oss.str("");
502
            }
503
        }
460 504
    }
461 505
    else
462 506
    {
463 507
        goto auth_failure_nodriver;
464 508
    }
465 509

  
510
    update_groups = (driver_managed_groups &&
511
                     (new_gid != -1) && (new_group_ids != group_ids));
512

  
513
    if (update_groups && (new_group_ids.count(group_id) == 0))
514
    {
515
        // Old primary group disappears from the list of new groups
516
        group = gpool->get(new_gid, true);
517

  
518
        if (group != 0)
519
        {
520
            group_id = new_gid;
521
            gname    = group->get_name();
522

  
523
            group->unlock();
524
        }
525
    }
526

  
466 527
    user = get(user_id, true);
467 528

  
468 529
    if (user != 0)
469 530
    {
470 531
        user->session.set(token, _session_expiration_time);
532

  
533
        if (update_groups)
534
        {
535
            // Previous groups that were not returned this time
536
            std::set_difference(group_ids.begin(), group_ids.end(),
537
                    new_group_ids.begin(), new_group_ids.end(),
538
                    std::inserter(groups_remove, groups_remove.end()));
539

  
540
            // New groups
541
            std::set_difference(new_group_ids.begin(), new_group_ids.end(),
542
                    group_ids.begin(), group_ids.end(),
543
                    std::inserter(groups_add, groups_add.end()));
544

  
545
            // Set main group
546
            user->set_group(group_id, gname);
547

  
548
            // Add secondary group ids in the user object
549
            for(it = groups_add.begin(); it != groups_add.end(); it++)
550
            {
551
                if (gpool->get(*it, false) != 0)
552
                {
553
                    user->add_group(*it);
554
                }
555
                else
556
                {
557
                    oss << "Driver " << auth_driver
558
                        << " returned the non-existing group ID " << *it
559
                        << " for user " << uname;
560
                    NebulaLog::log("AuM",Log::WARNING,oss);
561

  
562
                    oss.str("");
563
                }
564
            }
565

  
566
            // Remove secondary group ids from the user object
567
            for(it = groups_remove.begin(); it != groups_remove.end(); it++)
568
            {
569
                user->del_group(*it);
570
            }
571

  
572
            // Update the list of groups to return
573
            group_ids = user->get_groups();
574

  
575
            update(user);
576
        }
577

  
471 578
        user->unlock();
472 579
    }
473 580

  
581
    // Add/remove user ID from the group objects
582

  
583
    for(it = groups_add.begin(); it != groups_add.end(); it++)
584
    {
585
        group = gpool->get(*it, true);
586

  
587
        if (group == 0)
588
        {
589
            continue;
590
        }
591

  
592
        group->add_user(user_id);
593

  
594
        gpool->update(group);
595

  
596
        group->unlock();
597
    }
598

  
599
    for(it = groups_remove.begin(); it != groups_remove.end(); it++)
600
    {
601
        group = gpool->get(*it, true);
602

  
603
        if (group == 0)
604
        {
605
            continue;
606
        }
607

  
608
        group->del_user(user_id);
609

  
610
        gpool->update(group);
611

  
612
        group->unlock();
613
    }
614

  
474 615
    return true;
475 616

  
476 617
auth_failure_public:
......
650 791
/* -------------------------------------------------------------------------- */
651 792
/* -------------------------------------------------------------------------- */
652 793

  
794
int UserPool::parse_auth_msg(
795
    AuthRequest &ar,
796
    int         &gid,
797
    set<int>    &group_ids,
798
    string      &driver_name,
799
    string      &mad_name,
800
    string      &mad_pass,
801
    string      &error_str)
802
{
803
    istringstream is;
804

  
805
    //--------------------------------------------------------------------------
806
    // Parse driver response format is:
807
    // <driver> <username> <passwd> [gid...]
808
    //--------------------------------------------------------------------------
809

  
810
    is.str(ar.message);
811

  
812
    if ( is.good() )
813
    {
814
        is >> driver_name >> ws;
815
    }
816

  
817
    if ( !is.fail() )
818
    {
819
        is >> mad_name >> ws;
820
    }
821

  
822
    if ( !is.fail() )
823
    {
824
        is >> mad_pass >> ws;
825
    }
826

  
827
    while ( is.good() )
828
    {
829
        int tmp_gid;
830

  
831
        is >> tmp_gid >> ws;
832

  
833
        if ( is.fail() )
834
        {
835
            error_str = "One or more group IDs are malformed";
836
            return -1;
837
        }
838

  
839
        if ( Nebula::instance().get_gpool()->get(tmp_gid, false) == 0 )
840
        {
841
            error_str = "One or more group IDs do not exist";
842
            return -1;
843
        }
844

  
845
        if ( gid == -1 ) //Keep the first id for primary group
846
        {
847
            gid = tmp_gid;
848
        }
849

  
850
        group_ids.insert(tmp_gid);
851
    }
852

  
853
    return 0;
854
}
855

  
856
/* -------------------------------------------------------------------------- */
857
/* -------------------------------------------------------------------------- */
858

  
653 859
bool UserPool::authenticate_external(const string&  username,
654 860
                                     const string&  token,
655 861
                                     string&        password,
......
661 867
                                     int&           umask)
662 868
{
663 869
    ostringstream oss;
664
    istringstream is;
665 870

  
666 871
    string driver_name;
667 872
    string mad_name;
......
678 883
    Group*  group;
679 884

  
680 885
    int     gid = -1;
886
    int     rc;
681 887

  
682 888
    set<int>::iterator it;
683 889
    set<int> empty_set;
......
702 908
        goto auth_failure_driver;
703 909
    }
704 910

  
705
    is.str(ar.message);
706

  
707 911
    user_id = -1;
708 912

  
709 913
    //--------------------------------------------------------------------------
710
    // Parse driver response format is:
711
    // <driver> <username> <passwd> [gid...]
914
    // Parse driver response
712 915
    //--------------------------------------------------------------------------
713 916

  
714
    if ( is.good() )
715
    {
716
        is >> driver_name >> ws;
717
    }
718

  
719
    if ( !is.fail() )
720
    {
721
        is >> mad_name >> ws;
722
    }
917
    rc = parse_auth_msg(ar, gid, group_ids,
918
            driver_name, mad_name, mad_pass, error_str);
723 919

  
724
    if ( !is.fail() )
920
    if (rc != 0)
725 921
    {
726
        is >> mad_pass >> ws;
727
    }
728

  
729
    while ( is.good() )
730
    {
731
        int tmp_gid;
732

  
733
        is >> tmp_gid >> ws;
734

  
735
        if ( is.fail() )
736
        {
737
            error_str = "One or more group IDs are malformed";
738
            goto auth_failure_user;
739
        }
740

  
741
        if ( gpool->get(tmp_gid, false) == 0 )
742
        {
743
            error_str = "One or more group IDs do not exist";
744
            goto auth_failure_user;
745
        }
746

  
747
        if ( gid == -1 ) //Keep the first id for primary group
748
        {
749
            gid = tmp_gid;
750
        }
751

  
752
        group_ids.insert(tmp_gid);
922
        goto auth_failure_user;
753 923
    }
754 924

  
755 925
    //--------------------------------------------------------------------------
......
780 950
        group->unlock();
781 951
    }
782 952

  
783
    if ( !is.fail() )
784
    {
785
        allocate(&user_id,
786
                 group_id,
787
                 mad_name,
788
                 gname,
789
                 mad_pass,
790
                 driver_name,
791
                 true,
792
                 error_str);
793
    }
953
    allocate(&user_id,
954
             group_id,
955
             mad_name,
956
             gname,
957
             mad_pass,
958
             driver_name,
959
             true,
960
             error_str);
794 961

  
795 962
    if ( user_id == -1 )
796 963
    {

Also available in: Unified diff