Support authentication across security domains

opal/mca/pmix/native/usock.c

@@ -347,8 +347,9 @@ int usock_send_connect_ack(void)
     pmix_usock_hdr_t hdr;
     int rc;
     size_t sdsize;
-    opal_sec_cred_t *cred;
-
+    char *cred;
+    size_t credsize;
+
     opal_output_verbose(2, opal_pmix_base_framework.framework_output,
                         "%s SEND CONNECT ACK",
                         OPAL_NAME_PRINT(OPAL_PROC_MY_NAME));
@@ -359,15 +360,15 @@ int usock_send_connect_ack(void)
     hdr.type = PMIX_USOCK_IDENT;
 
     /* get our security credential */
-    if (OPAL_SUCCESS != (rc = opal_sec.get_my_credential(NULL, opal_dstore_internal, &OPAL_PROC_MY_NAME, &cred))) {
+    if (OPAL_SUCCESS != (rc = opal_sec.get_my_credential(NULL, opal_dstore_internal, &OPAL_PROC_MY_NAME, &cred, &credsize))) {
         return rc;
     }
 
     /* set the number of bytes to be read beyond the header */
-    hdr.nbytes = strlen(opal_version_string) + 1 + strlen(cred->method) + 1 + cred->size;
+    hdr.nbytes = strlen(opal_version_string) + 1 + credsize;
 
     /* create a space for our message */
-    sdsize = (sizeof(hdr) + strlen(opal_version_string) + 1 + strlen(cred->method) + 1 + cred->size);
+    sdsize = (sizeof(hdr) + strlen(opal_version_string) + 1 + credsize);
     if (NULL == (msg = (char*)malloc(sdsize))) {
         return OPAL_ERR_OUT_OF_RESOURCE;
     }
@@ -376,9 +377,10 @@ int usock_send_connect_ack(void)
     /* load the message */
     memcpy(msg, &hdr, sizeof(hdr));
     memcpy(msg+sizeof(hdr), opal_version_string, strlen(opal_version_string));
-    memcpy(msg+sizeof(hdr)+strlen(opal_version_string)+1, cred->method, strlen(cred->method));
-    memcpy(msg+sizeof(hdr)+strlen(opal_version_string)+1+strlen(cred->method)+1, cred->credential, cred->size);
-
+    memcpy(msg+sizeof(hdr)+strlen(opal_version_string)+1, cred, credsize);
+    if (NULL != cred) {
+        free(cred);
+    }
 
     if (OPAL_SUCCESS != usock_send_blocking(msg, sdsize)) {
         free(msg);

opal/mca/pmix/native/usock_sendrecv.c

@@ -545,7 +545,8 @@ static int usock_recv_connect_ack(void)
     char *msg;
     char *version;
     int rc;
-    opal_sec_cred_t creds;
+    char *cred;
+    size_t credsize;
     pmix_usock_hdr_t hdr;
 
     opal_output_verbose(2, opal_pmix_base_framework.framework_output,
@@ -632,11 +633,14 @@ static int usock_recv_connect_ack(void)
                         OPAL_NAME_PRINT(OPAL_PROC_MY_NAME));
 
     /* check security token */
-    creds.method = (char*)(msg + strlen(version) + 1);
-    creds.credential = (char*)(msg + strlen(version) + 1 + strlen(creds.method) + 1);
-    creds.size = hdr.nbytes - strlen(version) - 1 - strlen(creds.method) - 1;
-    if (OPAL_SUCCESS != (rc = opal_sec.authenticate(&creds))) {
+    cred = (char*)(msg + strlen(version) + 1);
+    credsize = hdr.nbytes - strlen(version) - 1;
+    if (OPAL_SUCCESS != (rc = opal_sec.authenticate(cred, credsize, NULL))) {
         OPAL_ERROR_LOG(rc);
+        mca_pmix_native_component.state = PMIX_USOCK_FAILED;
+        CLOSE_THE_SOCKET(mca_pmix_native_component.sd);
+        free(msg);
+        return OPAL_ERR_UNREACH;
     }
     free(msg);
 

opal/mca/sec/base/base.h

@@ -45,9 +45,9 @@ OPAL_DECLSPEC int opal_sec_base_select(void);
 OPAL_DECLSPEC int opal_sec_base_get_cred(char *method,
                                          int dstorehandle,
                                          opal_process_name_t *my_id,
-                                         opal_sec_cred_t **cred);
+                                         char **payload, size_t *size);
 
-OPAL_DECLSPEC int opal_sec_base_validate(opal_sec_cred_t *cred);
+OPAL_DECLSPEC int opal_sec_base_validate(char *payload, size_t size, char **method);
 
 END_C_DECLS
 

opal/mca/sec/base/sec_base_stubs.c

@@ -12,58 +12,153 @@
 #include "opal/constants.h"
 
 #include "opal/mca/mca.h"
+#include "opal/util/error.h"
 #include "opal/util/output.h"
 #include "opal/mca/base/base.h"
 #include "opal/dss/dss_types.h"
 
 #include "opal/mca/sec/base/base.h"
 
+static void cleanup_cred(opal_sec_cred_t *cred)
+{
+    if (NULL == cred) {
+        return;
+    }
+    if (NULL != cred->method) {
+        free(cred->method);
+    }
+    if (NULL != cred->credential) {
+        free(cred->credential);
+    }
+}
+
 int opal_sec_base_get_cred(char *method,
                            int dstorehandle,
                            opal_process_name_t *my_id,
-                           opal_sec_cred_t **cred)
+                           char **payload, size_t *size)
 {
     opal_sec_handle_t *hdl;
-
+    opal_sec_cred_t cred;
+    opal_buffer_t buf;
+    int rc;
+
     opal_output_verbose(5, opal_sec_base_framework.framework_output,
                         "Requesting credential from source %s",
                         (NULL == method) ? "ANY" : method);
-
+
+    OBJ_CONSTRUCT(&buf, opal_buffer_t);
     OPAL_LIST_FOREACH(hdl, &opal_sec_base_actives, opal_sec_handle_t) {
         if (NULL != method && 0 != strcmp(method, hdl->component->mca_component_name)) {
             continue;
         }
-        if (OPAL_SUCCESS == hdl->module->get_my_credential(dstorehandle, my_id, cred)) {
+        if (OPAL_SUCCESS == hdl->module->get_my_credential(dstorehandle, my_id, &cred)) {
             opal_output_verbose(5, opal_sec_base_framework.framework_output,
                                 "Created credential from source %s", hdl->component->mca_component_name);
-            /* record the source */
-            (*cred)->method = strdup(hdl->component->mca_component_name);
-            return OPAL_SUCCESS;
+            /* pack the credential */
+            if (OPAL_SUCCESS != (rc = opal_dss.pack(&buf, &cred.method, 1, OPAL_STRING))) {
+                OPAL_ERROR_LOG(rc);
+                cleanup_cred(&cred);
+                OBJ_DESTRUCT(&buf);
+                return rc;
+            }
+            if (OPAL_SUCCESS != (rc = opal_dss.pack(&buf, &cred.size, 1, OPAL_SIZE))) {
+                OPAL_ERROR_LOG(rc);
+                cleanup_cred(&cred);
+                OBJ_DESTRUCT(&buf);
+                return rc;
+            }
+            if (0 < cred.size) {
+                if (OPAL_SUCCESS != (rc = opal_dss.pack(&buf, cred.credential, cred.size, OPAL_BYTE))) {
+                    OPAL_ERROR_LOG(rc);
+                    cleanup_cred(&cred);
+                    OBJ_DESTRUCT(&buf);
+                    return rc;
+                }
+            }
+            opal_output_verbose(5, opal_sec_base_framework.framework_output,
+                                "opal_sec: Created credential %s of size %lu",
+                                cred.credential, (unsigned long)cred.size);
+            cleanup_cred(&cred);
         }
     }
-    return OPAL_ERROR;
+    if (0 == buf.bytes_used) {
+        OBJ_DESTRUCT(&buf);
+        return OPAL_ERROR;
+    }
+    *payload = buf.base_ptr;
+    *size = buf.bytes_used;
+    buf.base_ptr = NULL;
+    buf.bytes_used = 0;
+    OBJ_DESTRUCT(&buf);
+    return OPAL_SUCCESS;
 }
 
 
-int opal_sec_base_validate(opal_sec_cred_t *cred)
+int opal_sec_base_validate(char *payload, size_t size, char **method)
 {
     opal_sec_handle_t *hdl;
-
+    opal_buffer_t buf;
+    int cnt, rc;
+    opal_sec_cred_t cred;
+
     opal_output_verbose(5, opal_sec_base_framework.framework_output,
-                        "Received credential %s from source %s",
-                        (NULL == cred->credential) ? "NULL" : cred->credential,
-                        (NULL == cred->method) ? "NULL" : cred->method);
+                        "opal_sec: Received credential of size %lu",
+                        (unsigned long)size);
 
-    OPAL_LIST_FOREACH(hdl, &opal_sec_base_actives, opal_sec_handle_t) {
-        if (NULL != cred->method &&
-            0 != strcmp(cred->method, hdl->component->mca_component_name)) {
-            continue;
+    OBJ_CONSTRUCT(&buf, opal_buffer_t);
+    opal_dss.load(&buf, payload, size);
+
+    cnt = 1;
+    while (OPAL_SUCCESS == (rc = opal_dss.unpack(&buf, &cred.method, &cnt, OPAL_STRING))) {
+        opal_output_verbose(5, opal_sec_base_framework.framework_output,
+                            "Received credential from source %s", cred.method);
+        cnt=1;
+        if (OPAL_SUCCESS != (rc = opal_dss.unpack(&buf, &cred.size, &cnt, OPAL_SIZE))) {
+            OPAL_ERROR_LOG(rc);
+            cleanup_cred(&cred);
+            goto done;
         }
-        if (OPAL_SUCCESS == hdl->module->authenticate(cred)) {
-            return OPAL_SUCCESS;
+        opal_output_verbose(5, opal_sec_base_framework.framework_output,
+                            "Received credential of size %lu", (unsigned long)cred.size);
+        if (0 < cred.size) {
+            cred.credential = (char*)malloc(cred.size);
+            cnt=cred.size;
+            if (OPAL_SUCCESS != (rc = opal_dss.unpack(&buf, cred.credential, &cnt, OPAL_BYTE))) {
+                OPAL_ERROR_LOG(rc);
+                cleanup_cred(&cred);
+                goto done;
+            }
+            opal_output_verbose(5, opal_sec_base_framework.framework_output,
+                                "Received credential %s", cred.credential);
         }
+        OPAL_LIST_FOREACH(hdl, &opal_sec_base_actives, opal_sec_handle_t) {
+            if (NULL != cred.method &&
+                0 != strcmp(cred.method, hdl->component->mca_component_name)) {
+                continue;
+            }
+            if (OPAL_SUCCESS == hdl->module->authenticate(&cred)) {
+                rc = OPAL_SUCCESS;
+                /* record the method */
+                if (NULL != method) {
+                    if (NULL != *method) {
+                        free(*method);
+                    }
+                    *method = strdup(cred.method);
+                }
+                cleanup_cred(&cred);
+                goto done;
+            }
+        }
+        cleanup_cred(&cred);
+        cnt = 1;
     }
-    return OPAL_ERROR;
+    /* if we get here, then nothing authenticated */
+    rc = OPAL_ERR_AUTHENTICATION_FAILED;
+
+ done:
+    buf.base_ptr = NULL;
+    OBJ_DESTRUCT(&buf);
+    return rc;
 }
 
 

opal/mca/sec/basic/sec_basic.c

@@ -29,7 +29,7 @@ static int init(void);
 static void finalize(void);
 static int get_my_cred(int dstorehandle,
                        opal_process_name_t *my_id,
-                       opal_sec_cred_t **cred);
+                       opal_sec_cred_t *cred);
 static int authenticate(opal_sec_cred_t *cred);
 
 opal_sec_base_module_t opal_sec_basic_module = {
@@ -56,7 +56,7 @@ static void finalize(void)
 
 static int get_my_cred(int dstorehandle,
                        opal_process_name_t *my_id,
-                       opal_sec_cred_t **cred)
+                       opal_sec_cred_t *cred)
 {
     opal_list_t vals;
     opal_value_t *kv;
@@ -77,26 +77,31 @@ static int get_my_cred(int dstorehandle,
                 my_cred.size = strlen(my_cred.credential)+1;  // include the NULL
             } else {
                 my_cred.credential = strdup(kv->data.string);
-                my_cred.size = strlen(kv->data.string);
+                my_cred.size = strlen(kv->data.string)+1;  // include the NULL
                 OBJ_RELEASE(kv);
             }
         } else {
-            my_cred.credential = strdup("12345");
+            my_cred.credential = strdup("1234567");
             my_cred.size = strlen(my_cred.credential)+1;  // include the NULL
         }
         OPAL_LIST_DESTRUCT(&vals);
     }
     initialized = true;
 
-    *cred = &my_cred;
+    cred->method = strdup("basic");
+    cred->credential = strdup(my_cred.credential);
+    cred->size = my_cred.size;
 
     return OPAL_SUCCESS;
 }
 
 static int authenticate(opal_sec_cred_t *cred)
 {
+    opal_output_verbose(5, opal_sec_base_framework.framework_output,
+                        "opal_sec:basic Received credential %s of size %lu",
+                        cred->credential, (unsigned long)cred->size);
 
-    if (0 == strncmp(cred->credential, "12345", strlen("12345"))) {
+    if (0 == strncmp(cred->credential, "1234567", strlen("1234567"))) {
         return OPAL_SUCCESS;
     }
     return OPAL_ERR_AUTHENTICATION_FAILED;

opal/mca/sec/keystone/sec_keystone.c

@@ -34,7 +34,7 @@ static int init(void);
 static void finalize(void);
 static int get_my_cred(int dstorehandle,
                        opal_process_name_t *my_id,
-                       opal_sec_cred_t **cred);
+                       opal_sec_cred_t *cred);
 static int authenticate(opal_sec_cred_t *cred);
 
 opal_sec_base_module_t opal_sec_keystone_module = {
@@ -66,7 +66,7 @@ static size_t op_cbfunc(void *ptr, size_t size, size_t count, void *stream)
 
 static int get_my_cred(int dstorehandle,
                        opal_process_name_t *my_id,
-                       opal_sec_cred_t **cred)
+                       opal_sec_cred_t *cred)
 {
     char *cmd;
     CURL *curl;

opal/mca/sec/munge/sec_munge.c

@@ -32,7 +32,7 @@ static int init(void);
 static void finalize(void);
 static int get_my_cred(int dstorehandle,
                        opal_process_name_t *my_id,
-                       opal_sec_cred_t **cred);
+                       opal_sec_cred_t *cred);
 static int authenticate(opal_sec_cred_t *cred);
 
 opal_sec_base_module_t opal_sec_munge_module = {
@@ -79,13 +79,12 @@ static void finalize(void)
 
 static int get_my_cred(int dstorehandle,
                        opal_process_name_t *my_id,
-                       opal_sec_cred_t **cred)
+                       opal_sec_cred_t *cred)
 {
     int rc;
 
     if (initialized) {
         if (!refresh) {
-            *cred = &my_cred;
             refresh = true;
         } else {
             /* get a new credential as munge will not
@@ -98,10 +97,12 @@ static int get_my_cred(int dstorehandle,
             }
             /* include the '\0' termination string character */
             my_cred.size = strlen(my_cred.credential)+1;
-            *cred = &my_cred;
         }
+        cred->method = strdup("munge");
+        cred->credential = strdup(my_cred.credential);
+        cred->size = my_cred.size;
     } else {
-        *cred = NULL;
+        rc = OPAL_ERROR;
     }
 
     return OPAL_SUCCESS;