Module: Backends::Opennebula::Authn::CloudAuth::VomsCloudAuth

Defined in:
lib/backends/opennebula/authn/cloud_auth/voms_cloud_auth.rb


Instance Method Details

#do_auth(params = {}) ⇒ String, NilClass

Authenticates a user from the VOMS-based credentials supplied in the `params` argument. Returns the username on success or `nil` on failure. When several VOMS attribute sets are supplied, the first one that yields a match is accepted (i.e., the most generic one).


# File 'lib/backends/opennebula/authn/cloud_auth/voms_cloud_auth.rb', line 27

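def do_auth(params = {})
  # Authenticates the holder of a VOMS proxy against OpenNebula.
  #
  # @param params [Hash] credentials extracted from the client certificate:
  #   `:client_cert_dn` (String) and `:client_cert_voms_attrs` (an ordered
  #   collection of hashes carrying `:vo`, `:role` and `:capability`)
  # @return [String, NilClass] the matching OpenNebula username, or `nil`
  #   when no attribute set resolves to a user
  # @raise [Backends::Errors::AuthenticationError] when the DN or the VOMS
  #   attribute sets are missing, or an attribute set is incomplete
  #
  # The DN guard uses `blank?` rather than truthiness so that an empty-string
  # DN is rejected here instead of being used to build a lookup key.
  fail Backends::Errors::AuthenticationError, 'Credentials for X.509 not set!' if params.blank? || params[:client_cert_dn].blank?

  voms_attr_sets = params[:client_cert_voms_attrs]
  fail Backends::Errors::AuthenticationError, 'Attributes for VOMS not set!' if voms_attr_sets.blank? || !voms_attr_sets.first

  # Attribute sets are tried in the order supplied and the first one that
  # resolves to a user wins; the documented expectation is that the most
  # generic set comes first.
  username = nil
  voms_attr_sets.each do |voms_attr_set|
    if voms_attr_set[:vo].blank? || voms_attr_set[:role].blank? || voms_attr_set[:capability].blank?
      # NOTE: the raw attribute set is embedded in the exception message and
      # therefore in anything that records it.
      fail Backends::Errors::AuthenticationError, "Invalid VOMS attributes! #{voms_attr_set.inspect}"
    end

    # The OpenNebula "password" for a VOMS user is the certificate DN with the
    # VOMS attributes appended and whitespace removed.
    constructed_dn = "#{params[:client_cert_dn]}/VO=#{voms_attr_set[:vo]}/Role=#{voms_attr_set[:role]}/Capability=#{voms_attr_set[:capability]}"

    # Try the escaped DN first, then the whitespace-stripped form. The
    # stripped form is a looser key (DNs that differ only in whitespace
    # collapse to the same value), which is why it is only a fallback.
    # TODO: remove this hack after Perun propagation scripts are updated
    username = get_username(X509Auth.escape_dn(constructed_dn)) || get_username(constructed_dn.gsub(/\s+/, ''))
    username = nil if username.blank?

    # found a user with matching credentials, stop looking
    # TODO: is this an acceptable approach?
    break if username
  end

  # Either nil (no set matched) or a non-blank username; blank lookup results
  # were already discarded inside the loop.
  username
end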