slurmrestd - restrict ability of requests to use different authentication plugins.

Enforce the result of calls to rest_auth_context_apply() to ensure that any calls to slurmrestd can not potentially use a different authentication plugin. Avoid defaulting to auth/munge unless in local authentication context. Clear authentication context in parse_http() instead of calling rest_auth_context_apply() which will now fail. Bug 9206.

slurmrestd - restrict ability of requests to use different authentication plugins.
Enforce the result of calls to rest_auth_context_apply() to ensure that any calls to slurmrestd can not potentially use a different authentication plugin. Avoid defaulting to auth/munge unless in local authentication context. Clear authentication context in parse_http() instead of calling rest_auth_context_apply() which will now fail. Bug 9206.
79fb95fa · Nate Rini · Tim Wickberg · ef1f3cd2 · 79fb95fa · 79fb95fa
Commit 79fb95fa authored 4 years ago by Nate Rini Committed by Tim Wickberg 4 years ago
--- a/NEWS
+++ b/NEWS
@@ -22,6 +22,8 @@ documents those changes that are of interest to users and administrators.
 -- Fix handling of job arrays in sacct when querying specific steps.
 -- slurmrestd - avoid fallback to local socket authentication if JWT
    authentication is ill-formed.
+ -- slurmrestd - restrict ability of requests to use different authentication
+    plugins.
  
 * Changes in Slurm 20.02.3
 ==========================

--- a/src/slurmrestd/http.c
+++ b/src/slurmrestd/http.c
@@ -629,7 +629,9 @@ extern int parse_http(con_mgr_fd_t *con, void *x)
 		xassert(request->context == context);
 	request->context = context;

-	rest_auth_context_apply(context->auth);
+	/* make sure there is no auth context inherited */
+	rest_auth_context_clear();
+
 	parser->data = request;

 	debug("%s: [%s] Accepted HTTP connection", __func__, con->name);

--- a/src/slurmrestd/rest_auth.c
+++ b/src/slurmrestd/rest_auth.c
@@ -314,9 +314,7 @@ extern int rest_authenticate_http_request(on_http_request_args_t *args)

 	_check_magic(context);

-	rest_auth_context_apply(context);
-
-	return SLURM_SUCCESS;
+	return rest_auth_context_apply(context);

 fail:
 	g_slurm_auth_thread_clear();
@@ -334,22 +332,24 @@ extern rest_auth_context_t *rest_auth_context_new(void)
 	return context;
 }

-extern void rest_auth_context_apply(rest_auth_context_t *context)
+extern int rest_auth_context_apply(rest_auth_context_t *context)
 {
-	bool found = false;
+	int rc = ESLURM_AUTH_CRED_INVALID;

 	if (context->type == AUTH_TYPE_INVALID) {
-		return rest_auth_context_clear();
+		rest_auth_context_clear();
 	} else if (context->type == AUTH_TYPE_LOCAL) {
-		found = true;
-		g_slurm_auth_thread_config(NULL, context->user_name);
+		/* clear any previous auth */
+		rest_auth_context_clear();
+		/* local auth relies on callers authentication already setup */
+		rc = SLURM_SUCCESS;
 	} else if (context->type == AUTH_TYPE_USER_PSK) {
-		found = true;
-		g_slurm_auth_thread_config(context->token, context->user_name);
-	}
+		rc = g_slurm_auth_thread_config(context->token,
+						context->user_name);
+	} else
+		fatal_abort("%s: invalid auth type", __func__);

-	if (!found)
-		fatal_abort("%s: invalid auth type to apply", __func__);
+	return rc;
 }

 extern void rest_auth_context_clear(void)

--- a/src/slurmrestd/rest_auth.h
+++ b/src/slurmrestd/rest_auth.h
@@ -96,9 +96,9 @@ extern int rest_authenticate_http_request(on_http_request_args_t *args);
 /*
 * Apply current auth context to thread
 * IN context - security context to apply
- * will fatal on error
+ * RET SLURM_SUCCESS or error
 */
-extern void rest_auth_context_apply(rest_auth_context_t *context);
+extern int rest_auth_context_apply(rest_auth_context_t *context);

 /*
 * Clear current auth context