If user cannot be mapped to uid, continue as anonymous (#45)

* If user cannot be mapped to uid, continue as anonymous

This allows anonymous users to access data via the root protocol.

* If user cannot be mapped to uid, and the user was generated, continue as anonymous

For names generated from DN or DN hash, treat the client as anonymous if
the username cannot be found.

If the name came from a grid-mapfile, fail if the username cannot be
found.

* If client used GSI authentication, but username was generated (DN or DN hash), continue as anonymous

Author: jthiltges

src/UserSentry.hh

@@ -79,6 +79,15 @@ public:
             return;
         }
 
+        // If we used GSI, but user was not mapped by VOMS or gridmap, consider the client anonymous
+        if (strcmp("gsi", client->prot) == 0) {
+            if (!IsGsiUserMapped(client)) {
+                log.Emsg("UserSentry", "Anonymous GSI client; cannot change FS UIDs");
+                m_is_anonymous = true;
+                return;
+            }
+        }
+
         // If we fail to get the username from the scitokens, then get it from
         // the depreciated way, client->name
         if (!got_token) {
@@ -97,6 +106,19 @@ public:
 
     static bool IsCmsd() {return m_is_cmsd;}
 
+    static bool IsGsiUserMapped(const XrdSecEntity *client) {
+        // If VOMS was used to map client, return true
+        if (client->vorg) { return true; }
+
+        // If gridmap was used, return true
+        std::string gridmap_name;
+        auto gridmap_success = client->eaAPI->Get("gridmap.name", gridmap_name);
+        if (gridmap_success && gridmap_name == "1") { return true; }
+
+        // User is a DN or DN hash, return false
+        return false;
+    }
+
     void Init(const std::string username, XrdSysError &log)
     {
         struct passwd pwd, *result = nullptr;