in api/src/gmsa_service.cpp [1363:1594]
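/**
 * Drives one AddNonDomainJoinedKerberosLease RPC through the CREATE, PROCESS
 * and FINISH states of the async gRPC CallData pattern. The address of this
 * object is the completion-queue tag, and the object deletes itself in FINISH.
 *
 * In PROCESS the request is validated, every credential spec is parsed into a
 * heap-allocated krb_ticket_info_t, a Kerberos ticket is obtained with the
 * domainless user's username/password, and a gMSA ticket is created per
 * service account under
 *   <krb_files_dir>/<lease_id>/<service_account_name>/krb5cc
 * On any failure the created ticket paths are removed and the RPC is finished
 * with grpc::StatusCode::INTERNAL; on success the ticket metadata is written
 * via write_meta_data_json and the RPC is finished with grpc::Status::OK.
 *
 * @param krb_files_dir       Root directory under which per-lease ticket
 *                            directories are created.
 * @param cf_logger           Logger used for LOG_ERR / LOG_INFO messages.
 * @param aws_sm_secret_name  Not used on this code path.
 */
void Proceed( std::string krb_files_dir, CF_logger& cf_logger,
              [[maybe_unused]] std::string aws_sm_secret_name )
{
    if ( cookie.compare( CLASS_NAME_CallDataAddNonDomainJoinedKerberosLease ) != 0 )
    {
        return;
    }
    // Note: This path is only for ECS or opensource, not for Fargate
    std::cerr << Util::getCurrentTime() << '\t' << "INFO: AddNonDomainJoinedKerberosLease "
              << this << "status: " << status_ << std::endl;

    if ( status_ == CREATE )
    {
        // Make this instance progress to the PROCESS state.
        status_ = PROCESS;
        // As part of the initial CREATE state, we *request* that the system
        // start processing RequestHandleNonDomainJoinedKerberosLease requests. In this
        // request, "this" acts as the tag uniquely identifying the request (so that
        // different CallData instances can serve different requests concurrently), in this
        // case the memory address of this CallData instance.
        service_->RequestAddNonDomainJoinedKerberosLease(
            &add_krb_ctx_, &create_domainless_krb_request_, &handle_krb_responder_, cq_,
            cq_, this );
    }
    else if ( status_ == PROCESS )
    {
        // Spawn a new CallData instance to serve new clients while we process
        // the one for this CallData. The instance will deallocate itself as
        // part of its FINISH state.
        new CallDataAddNonDomainJoinedKerberosLease( service_, cq_ );

        // The actual processing.
        std::string lease_id = generate_lease_id();
        // Raw pointers: entries pushed here are owned by this list until they are
        // handed to write_meta_data_json (success) or deleted here (failure).
        std::list<krb_ticket_info_t*> krb_ticket_info_list;
        std::unordered_set<std::string> krb_ticket_dirs;
        std::string username = create_domainless_krb_request_.username();
        std::string password = create_domainless_krb_request_.password();
        std::string domain = create_domainless_krb_request_.domain();
        std::string err_msg;
        std::string log_message;

        // ---- Input validation and credential-spec parsing -------------------
        if ( isValidDomain( domain ) &&
             !Util::contains_invalid_characters_in_ad_account_name( username ) )
        {
            if ( !username.empty() && !password.empty() && !domain.empty() &&
                 username.length() < INPUT_CREDENTIALS_LENGTH &&
                 password.length() < INPUT_CREDENTIALS_LENGTH &&
                 domain.length() < DOMAIN_LENGTH &&
                 create_domainless_krb_request_.credspec_contents_size() > 0 )
            {
                create_domainless_krb_reply_.set_lease_id( lease_id );
                for ( int i = 0;
                      i < create_domainless_krb_request_.credspec_contents_size(); i++ )
                {
                    std::string credspecContent =
                        create_domainless_krb_request_.credspec_contents( i );
                    if ( credspecContent.empty() )
                    {
                        err_msg = "Error: credentialspec content shouldn't be empty "
                                  "formatted";
                        std::cerr << Util::getCurrentTime() << '\t' << err_msg << std::endl;
                        break;
                    }

                    krb_ticket_info_t* krb_ticket_info = new krb_ticket_info_t;
                    int parse_result = parse_cred_spec( credspecContent, krb_ticket_info );
                    if ( parse_result != 0 )
                    {
                        // Not pushed to the list, so nothing else will free it.
                        delete krb_ticket_info;
                        err_msg = "ERROR: invalid credentialspec fields";
                        std::cerr << Util::getCurrentTime() << '\t' << err_msg << std::endl;
                        break;
                    }

                    // Parsing succeeded: record where this ticket will live.
                    std::string krb_files_path = krb_files_dir + "/" + lease_id + "/" +
                                                 krb_ticket_info->service_account_name;
                    krb_ticket_info->krb_file_path = krb_files_path;
                    krb_ticket_info->domainless_user = username;
                    // handle duplicate service accounts: keep the first occurrence only
                    if ( krb_ticket_dirs.insert( krb_files_path ).second )
                    {
                        krb_ticket_info_list.push_back( krb_ticket_info );
                    }
                    else
                    {
                        // Duplicate service account: the parsed copy is not kept.
                        delete krb_ticket_info;
                    }
                }
            }
            else
            {
                err_msg = "Error: domainless AD user credentials is not valid/ "
                          "credentials should not be more than 256 charaters";
                std::cerr << Util::getCurrentTime() << '\t' << err_msg << std::endl;
            }
        }
        else
        {
            err_msg = "Error: invalid domainName/username";
            std::cerr << Util::getCurrentTime() << '\t' << err_msg << std::endl;
        }

        // ---- Ticket creation ------------------------------------------------
        if ( err_msg.empty() )
        {
            // create the kerberos tickets for the service accounts
            for ( auto krb_ticket : krb_ticket_info_list )
            {
                // Defensive re-check; the length/empty validation above already
                // rejects empty credentials.
                if ( username.empty() || password.empty() )
                {
                    log_message = "Invalid credentials for domainless user " + username;
                    cf_logger.logger( LOG_ERR, log_message.c_str() );
                    err_msg = "ERROR: Invalid credentials for domainless user";
                    std::cerr << Util::getCurrentTime() << '\t' << err_msg << std::endl;
                    break;
                }

                // invoke to get machine ticket
                std::pair<int, std::string> status =
                    Util::generate_krb_ticket_using_username_and_password(
                        domain, username, password, cf_logger );
                if ( status.first < 0 )
                {
                    err_msg = "ERROR: " + std::to_string( status.first ) +
                              ": cannot retrieve domainless user kerberos tickets";
                    cf_logger.logger( LOG_ERR, err_msg.c_str() );
                    std::cerr << Util::getCurrentTime() << '\t' << err_msg << std::endl;
                    break;
                }

                std::string krb_file_path = krb_ticket->krb_file_path;
                if ( std::filesystem::exists( krb_file_path ) )
                {
                    // NOTE(review): this exits the loop without setting err_msg, so
                    // the RPC still finishes with OK and any remaining service
                    // accounts are silently skipped — confirm this is intended.
                    log_message = "Directory already exists: " + krb_file_path;
                    cf_logger.logger( LOG_INFO, log_message.c_str() );
                    break;
                }
                std::filesystem::create_directories( krb_file_path );

                // Pre-create the credential cache file; from here on the ticket
                // info points at the file rather than its directory.
                std::string krb_ccname_str = krb_ticket->krb_file_path + "/krb5cc";
                if ( !std::filesystem::exists( krb_ccname_str ) )
                {
                    std::ofstream file( krb_ccname_str );
                    file.close();
                    krb_ticket->krb_file_path = krb_ccname_str;
                }

                std::string distinguished_name =
                    Util::retrieve_variable_from_ecs_config( ENV_CF_DISTINGUISHED_NAME );
                if ( distinguished_name.empty() )
                {
                    // Read value from secrets manager
                    std::pair<int, std::string> v =
                        Util::get_base_dn_from_secret( krb_ticket->credential_arn );
                    if ( v.first == 0 )
                    {
                        distinguished_name = v.second;
                    }
                }
                krb_ticket->distinguished_name = distinguished_name;

                std::pair<int, std::string> gmsa_ticket_result =
                    fetch_gmsa_password_and_create_krb_ticket( domain, krb_ticket,
                                                               krb_ccname_str, cf_logger );
                if ( gmsa_ticket_result.first != 0 )
                {
                    err_msg =
                        "ERROR: Cannot get gMSA krb ticket " + gmsa_ticket_result.second;
                    std::cerr << Util::getCurrentTime() << '\t' << err_msg << std::endl;
                    cf_logger.logger( LOG_ERR, err_msg.c_str() );
                    break;
                }

                log_message = "gMSA ticket is at " + gmsa_ticket_result.second;
                cf_logger.logger( LOG_INFO, log_message.c_str() );
                std::cerr << Util::getCurrentTime() << '\t'
                          << "INFO: gMSA ticket is created" << std::endl;
                create_domainless_krb_reply_.add_created_kerberos_file_paths(
                    krb_file_path );
            }
        }

        // ---- Finish ---------------------------------------------------------
        // Scrub the local copies of the credentials before reporting back
        // (the request message itself is not cleared here).
        secureClearString( username );
        secureClearString( password );

        // And we are done! Let the gRPC runtime know we've finished, using the
        // memory address of this instance as the uniquely identifying tag for
        // the event.
        if ( !err_msg.empty() )
        {
            // remove the directories on failure; the list is local, so the parsed
            // entries are freed here as well.
            for ( auto krb_ticket : krb_ticket_info_list )
            {
                std::filesystem::remove_all( krb_ticket->krb_file_path );
                delete krb_ticket;
            }
            krb_ticket_info_list.clear();
            status_ = FINISH;
            handle_krb_responder_.Finish(
                create_domainless_krb_reply_,
                grpc::Status( grpc::StatusCode::INTERNAL, err_msg ), this );
        }
        else
        {
            // write the ticket information to meta data file
            // NOTE(review): ownership of the list entries after this call is not
            // visible here — confirm whether write_meta_data_json frees them.
            write_meta_data_json( krb_ticket_info_list, lease_id, krb_files_dir );
            status_ = FINISH;
            handle_krb_responder_.Finish( create_domainless_krb_reply_, grpc::Status::OK,
                                          this );
        }
    }
    else
    {
        GPR_ASSERT( status_ == FINISH );
        // Once in the FINISH state, deallocate ourselves (CallData).
        delete this;
    }
    return;
}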