openmpi/opal/mca/sec/munge/sec_munge.c

/*
 * Copyright (c) 2015      Intel, Inc. All rights reserved.
 * Copyright (c) 2015      Research Organization for Information Science
 *                         and Technology (RIST). All rights reserved.
 * $COPYRIGHT$
 * 
 * Additional copyrights may follow
 * 
 * $HEADER$
 *
 */

#include "opal_config.h"
#include "opal/constants.h"

#ifdef HAVE_STRING_H
#include <string.h>
#endif
#include <munge.h>

#include "opal_stdint.h"
#include "opal/dss/dss_types.h"
#include "opal/util/error.h"
#include "opal/util/output.h"
#include "opal/util/show_help.h"
#include "opal/mca/dstore/dstore.h"

#include "opal/mca/sec/base/base.h"
#include "sec_munge.h"

static int init(void);
static void finalize(void);
static int get_my_cred(int dstorehandle,
                       opal_process_name_t *my_id,
                       opal_sec_cred_t *cred);
static int authenticate(opal_sec_cred_t *cred);

opal_sec_base_module_t opal_sec_munge_module = {
    init,
    finalize,
    get_my_cred,
    authenticate
};

static opal_sec_cred_t my_cred;
static bool initialized = false;
static bool refresh = false;

static int init(void)
{
    int rc;
    
    opal_output_verbose(2, opal_sec_base_framework.framework_output,
                        "sec: munge init");
    
    /* attempt to get a credential as a way of checking that
     * the munge server is available - cache the credential
     * for later use */
    
    if (EMUNGE_SUCCESS != (rc = munge_encode(&my_cred.credential, NULL, NULL, 0))) {
        opal_output_verbose(2, opal_sec_base_framework.framework_output,
                            "sec: munge failed to create credential: %s",
                            munge_strerror(rc));
        return OPAL_ERR_SERVER_NOT_AVAIL;
    }
    /* include the '\0' termination string character */
    my_cred.size = strlen(my_cred.credential)+1;
    initialized = true;
    
    return OPAL_SUCCESS;
}

static void finalize(void)
{
    if (initialized) {
        free(my_cred.credential);
    }
}

static int get_my_cred(int dstorehandle,
                       opal_process_name_t *my_id,
                       opal_sec_cred_t *cred)
{
    int rc;
    
    if (initialized) {
        if (!refresh) {
            refresh = true;
        } else {
            /* get a new credential as munge will not
             * allow us to reuse them */
            if (EMUNGE_SUCCESS != (rc = munge_encode(&my_cred.credential, NULL, NULL, 0))) {
                opal_output_verbose(2, opal_sec_base_framework.framework_output,
                                    "sec: munge failed to create credential: %s",
                                    munge_strerror(rc));
                return OPAL_ERR_SERVER_NOT_AVAIL;
            }
            /* include the '\0' termination string character */
            my_cred.size = strlen(my_cred.credential)+1;
        }
        cred->method = strdup("munge");
        cred->credential = strdup(my_cred.credential);
        cred->size = my_cred.size;
    } else {
        rc = OPAL_ERROR;
    }
    
    return OPAL_SUCCESS;
}

static int authenticate(opal_sec_cred_t *cred)
{
    munge_err_t rc;
    
    opal_output_verbose(2, opal_sec_base_framework.framework_output,
                        "sec: munge validate_cred %s", cred->credential);

    /* parse the inbound string */
    if (EMUNGE_SUCCESS != (rc = munge_decode(cred->credential, NULL, NULL, NULL, NULL, NULL))) {
        opal_output_verbose(2, opal_sec_base_framework.framework_output,
                            "sec: munge failed to decode credential: %s",
                            munge_strerror(rc));
        return OPAL_ERR_AUTHENTICATION_FAILED;
    }

    opal_output_verbose(2, opal_sec_base_framework.framework_output,
                        "sec: munge credential valid");
    return OPAL_SUCCESS;
}
Add munge security 2015-02-07 12:01:36 -08:00			`/*`
			`* Copyright (c) 2015 Intel, Inc. All rights reserved.`
sec/munge: send NULL terminated strings 2015-03-02 12:19:46 +09:00			`* Copyright (c) 2015 Research Organization for Information Science`
			`* and Technology (RIST). All rights reserved.`
Add munge security 2015-02-07 12:01:36 -08:00			`* $COPYRIGHT$`
			`*`
			`* Additional copyrights may follow`
			`*`
			`* $HEADER$`
			`*`
			`*/`

			`#include "opal_config.h"`
			`#include "opal/constants.h"`

			`#ifdef HAVE_STRING_H`
			`#include <string.h>`
			`#endif`
			`#include <munge.h>`

			`#include "opal_stdint.h"`
			`#include "opal/dss/dss_types.h"`
			`#include "opal/util/error.h"`
			`#include "opal/util/output.h"`
			`#include "opal/util/show_help.h"`
			`#include "opal/mca/dstore/dstore.h"`

			`#include "opal/mca/sec/base/base.h"`
			`#include "sec_munge.h"`

			`static int init(void);`
			`static void finalize(void);`
			`static int get_my_cred(int dstorehandle,`
			`opal_process_name_t *my_id,`
Ensure we can authenticate when crossing security domains by including all available credentials, and letting the receiver use the highest priority one they have in common. 2015-03-28 20:34:26 -07:00			`opal_sec_cred_t *cred);`
Add munge security 2015-02-07 12:01:36 -08:00			`static int authenticate(opal_sec_cred_t *cred);`

			`opal_sec_base_module_t opal_sec_munge_module = {`
			`init,`
			`finalize,`
			`get_my_cred,`
			`authenticate`
			`};`

			`static opal_sec_cred_t my_cred;`
			`static bool initialized = false;`
Cleanup the munge support - the credential cannot be reused for multiple connections 2015-02-10 20:34:35 -08:00			`static bool refresh = false;`
Add munge security 2015-02-07 12:01:36 -08:00
			`static int init(void)`
			`{`
			`int rc;`

			`opal_output_verbose(2, opal_sec_base_framework.framework_output,`
			`"sec: munge init");`

			`/* attempt to get a credential as a way of checking that`
			`* the munge server is available - cache the credential`
			`* for later use */`

			`if (EMUNGE_SUCCESS != (rc = munge_encode(&my_cred.credential, NULL, NULL, 0))) {`
			`opal_output_verbose(2, opal_sec_base_framework.framework_output,`
			`"sec: munge failed to create credential: %s",`
			`munge_strerror(rc));`
			`return OPAL_ERR_SERVER_NOT_AVAIL;`
			`}`
sec/munge: send NULL terminated strings 2015-03-02 12:19:46 +09:00			`/* include the '\0' termination string character */`
			`my_cred.size = strlen(my_cred.credential)+1;`
Add munge security 2015-02-07 12:01:36 -08:00			`initialized = true;`

			`return OPAL_SUCCESS;`
			`}`

			`static void finalize(void)`
			`{`
			`if (initialized) {`
			`free(my_cred.credential);`
			`}`
			`}`

			`static int get_my_cred(int dstorehandle,`
			`opal_process_name_t *my_id,`
Ensure we can authenticate when crossing security domains by including all available credentials, and letting the receiver use the highest priority one they have in common. 2015-03-28 20:34:26 -07:00			`opal_sec_cred_t *cred)`
Add munge security 2015-02-07 12:01:36 -08:00			`{`
Cleanup the munge support - the credential cannot be reused for multiple connections 2015-02-10 20:34:35 -08:00			`int rc;`

Add munge security 2015-02-07 12:01:36 -08:00			`if (initialized) {`
Cleanup the munge support - the credential cannot be reused for multiple connections 2015-02-10 20:34:35 -08:00			`if (!refresh) {`
			`refresh = true;`
			`} else {`
			`/* get a new credential as munge will not`
			`* allow us to reuse them */`
			`if (EMUNGE_SUCCESS != (rc = munge_encode(&my_cred.credential, NULL, NULL, 0))) {`
			`opal_output_verbose(2, opal_sec_base_framework.framework_output,`
			`"sec: munge failed to create credential: %s",`
			`munge_strerror(rc));`
			`return OPAL_ERR_SERVER_NOT_AVAIL;`
			`}`
sec/munge: send NULL terminated strings 2015-03-02 12:19:46 +09:00			`/* include the '\0' termination string character */`
			`my_cred.size = strlen(my_cred.credential)+1;`
Cleanup the munge support - the credential cannot be reused for multiple connections 2015-02-10 20:34:35 -08:00			`}`
Ensure we can authenticate when crossing security domains by including all available credentials, and letting the receiver use the highest priority one they have in common. 2015-03-28 20:34:26 -07:00			`cred->method = strdup("munge");`
			`cred->credential = strdup(my_cred.credential);`
			`cred->size = my_cred.size;`
Add munge security 2015-02-07 12:01:36 -08:00			`} else {`
Ensure we can authenticate when crossing security domains by including all available credentials, and letting the receiver use the highest priority one they have in common. 2015-03-28 20:34:26 -07:00			`rc = OPAL_ERROR;`
Add munge security 2015-02-07 12:01:36 -08:00			`}`

			`return OPAL_SUCCESS;`
			`}`

			`static int authenticate(opal_sec_cred_t *cred)`
			`{`
			`munge_err_t rc;`

			`opal_output_verbose(2, opal_sec_base_framework.framework_output,`
Fix debug output 2015-02-09 08:48:24 -08:00			`"sec: munge validate_cred %s", cred->credential);`
Add munge security 2015-02-07 12:01:36 -08:00
			`/* parse the inbound string */`
			`if (EMUNGE_SUCCESS != (rc = munge_decode(cred->credential, NULL, NULL, NULL, NULL, NULL))) {`
			`opal_output_verbose(2, opal_sec_base_framework.framework_output,`
			`"sec: munge failed to decode credential: %s",`
			`munge_strerror(rc));`
			`return OPAL_ERR_AUTHENTICATION_FAILED;`
			`}`

			`opal_output_verbose(2, opal_sec_base_framework.framework_output,`
			`"sec: munge credential valid");`
			`return OPAL_SUCCESS;`
			`}`