XRootD
XrdSecServer Class Reference

#include <XrdSecServer.hh>


Public Member Functions

 XrdSecServer (XrdSysLogger *lp)
 
 ~XrdSecServer ()
 
int Configure (const char *cfn)
 
const char * getParms (int &size, XrdNetAddrInfo *endPoint=0)
 
XrdSecProtocol * getProtocol (const char *host, XrdNetAddrInfo &endPoint, const XrdSecCredentials *cred, XrdOucErrInfo &einfo)
 
bool PostProcess (XrdSecEntity &entity, XrdOucErrInfo &einfo)
 
const char * protTLS ()
 

Detailed Description

Definition at line 45 of file XrdSecServer.hh.

Constructor & Destructor Documentation

◆ XrdSecServer()

XrdSecServer::XrdSecServer ( XrdSysLogger * lp)

Definition at line 288 of file XrdSecServer.cc.

// Constructor: bind the error/trace destination to the caller's logger and set
// every member to an inert default. No protocols are loaded here; that is the
// job of Configure().
288  : eDest(lp, "sec_")
289 {
290 
291 // Set default values
292 //
 // Route protocol-manager diagnostics through this object's error destination.
293  PManager.setErrP(&eDest);
294  configFN = "";
295  bpFirst = 0;
296  bpLast = 0;
297  bpDefault = 0;
298  pinInfo = 0;
299  pidList = 0;
 // Security-token buffer. NOTE(review): the malloc() result is dereferenced on
 // the following line without a null check, so an allocation failure ends in a
 // null-pointer write instead of a clean failure.
300  STBlen = 4096;
301  STBuff = (char *)malloc(STBlen);
302  *STBuff = '\0';
303  SToken = STBuff;
 // Either debug environment variable switches on full tracing for this object
 // and for the protocol manager.
304  SecTrace = new XrdOucTrace(&eDest);
305  if (getenv("XRDDEBUG") || getenv("XrdSecDEBUG"))
306  {SecTrace->What = TRACE_ALL;
307  PManager.setDebug(1);
308  }
 // Enforce gates the per-host protocol-binding check in getProtocol(); it is
 // off by default.
309  Enforce = false;
310  implauth = false;
311 }
#define TRACE_ALL
Definition: XrdTrace.hh:35
void setErrP(XrdSysError *eP)
void setDebug(int dbg)

References XrdSecPManager::setDebug(), XrdSecPManager::setErrP(), TRACE_ALL, and XrdOucTrace::What.


◆ ~XrdSecServer()

XrdSecServer::~XrdSecServer ( )
inline

Definition at line 67 of file XrdSecServer.hh.

67 {} // Server is never deleted

Member Function Documentation

◆ Configure()

int XrdSecServer::Configure ( const char *  cfn)

Definition at line 441 of file XrdSecServer.cc.

// Configure the authentication subsystem from config file cfn, then the request
// protection subsystem. Returns 0 on success and 1 on any failure (config-file
// errors, a missing entity post-processing plugin, or protection setup failure).
449 {
451  static const int isRlx = XrdSecProtectParms::relax;
452  static const int isFrc = XrdSecProtectParms::force;
453  XrdSecProtector *protObj;
454  const char *lName = "none", *rName = "none";
455  char *var;
456  int NoGo;
457 
458 // Print warm-up message
459 //
460  eDest.Say("++++++ Authentication system initialization started.");
461 
462 // Perform initialization
463 //
464  NoGo = ConfigFile(cfn);
465 
466 // Load the entity post processing plugin if we have one
467 //
 // pinInfo is only needed until the plugin is loaded and is freed here.
 // secEntityPin is assigned before the null test, so on a failed load it stays
 // null and PostProcess() simply skips post processing. NOTE(review): pinInfo is
 // deleted but not reset; fine as long as nothing reads it after Configure().
468  if (pinInfo && !NoGo)
469  {XrdSecEntityPin *secPin = pinInfo->KingPin.Load("SecEntityPin");
470  delete pinInfo;
471  secEntityPin = secPin;
472  if (!secPin) return 1;
473  }
474 
475 // Export the list of security protocols that are available
476 //
 // Publishes the configured protocol list in the process environment.
477  if (pidList) XrdOucEnv::Export("XRDSECPROTOCOLS", pidList);
478 
479 // Almost done
480 //
481  var = (NoGo > 0 ? (char *)"failed." : (char *)"completed.");
482  eDest.Say("------ Authentication system initialization ", var);
483 
484 // No need to configure protect system if authentication failed
485 //
486  if (NoGo) return 1;
487 
488 // Put out another banner
489 //
490  eDest.Say("++++++ Protection system initialization started.");
491 
492 // If local level is greater than remote level, issue a warning
493 //
 // Allowed but unusual, so this is only a warning, not an error.
494  if (lclParms.level > rmtParms.level)
495  eDest.Say("Config warning: local protection level greater than "
496  "remote level; are you sure?");
497 
498 // Check if we need to initialize protection services
499 //
 // With both levels at secNone no protector is loaded at all, so requests run
 // without request protection. Otherwise a failure to load or configure the
 // protector is treated as a fatal configuration error (NoGo = 1).
500  if (lclParms.level == XrdSecProtectParms::secNone
501  && rmtParms.level == XrdSecProtectParms::secNone)
502  {eDest.Say("Config warning: Security level is set to none; "
503  "request protection disabled!");
504  } else {
505  if (!(protObj = XrdSecLoadProtection(eDest))
506  || !(protObj->Config(lclParms, rmtParms, *eDest.logger()))) NoGo = 1;
507  else {lName = protObj->LName(lclParms.level);
508  rName = protObj->LName(rmtParms.level);
509  }
510  }
511 
512 // Blurt out what we have
513 //
 // Say() accepts null text arguments (its later parameters default to 0), so an
 // absent "relaxed"/"force" qualifier is passed as 0 and simply omitted.
514  if (!NoGo)
515  {eDest.Say("Config ","Local protection level: ",
516  (lclParms.opts & isRlx ? "relaxed " : 0), lName,
517  (lclParms.opts & isFrc ? " force" : 0));
518  eDest.Say("Config ","Remote protection level: ",
519  (rmtParms.opts & isRlx ? "relaxed " : 0), rName,
520  (rmtParms.opts & isFrc ? " force" : 0));
521  }
522 
523 // Now we are done
524 //
525  var = (NoGo > 0 ? (char *)"failed." : (char *)"completed.");
526  eDest.Say("------ Protection system initialization ", var);
527  return (NoGo > 0);
528 }
XrdSecProtector * XrdSecLoadProtection(XrdSysError &erP)
static int Export(const char *Var, const char *Val)
Definition: XrdOucEnv.cc:188
static const int relax
relax old clients
static const int force
Allow unencrypted hash.
virtual bool Config(const XrdSecProtectParms &lclParms, const XrdSecProtectParms &rmtParms, XrdSysLogger &logr)
virtual const char * LName(XrdSecProtectParms::secLevel level)
void Say(const char *text1, const char *text2=0, const char *txt3=0, const char *text4=0, const char *text5=0, const char *txt6=0)
Definition: XrdSysError.cc:141
XrdSysLogger * logger(XrdSysLogger *lp=0)
Definition: XrdSysError.hh:141

References XrdSecProtector::Config(), XrdOucEnv::Export(), XrdSecProtectParms::force, XrdSecProtector::LName(), XrdSysError::logger(), XrdSecProtectParms::relax, XrdSysError::Say(), XrdSecProtectParms::secNone, and XrdSecLoadProtection().

Referenced by XrdSecgetService().


◆ getParms()

const char * XrdSecServer::getParms ( int &  size,
XrdNetAddrInfo * endPoint = 0 
)
virtual

Obtain security parameters to be sent to the client upon initial contact.

Parameters
size  Where the length of the returned parameters is to be placed.
endPoint  The client's address information. It may also be a null pointer if the client's host is immaterial.
Returns
EITHER The address of the parameter string (which may be host-specific if hname was supplied). The length of the string must be returned in the size parameter. OR A null pointer if authentication need not occur for the client. The size parameter should be set to zero as well.

Implements XrdSecService.

Definition at line 317 of file XrdSecServer.cc.

// Return the security token to advertise to a client. A host-specific binding
// (the bpFirst chain, matched on the endpoint's name) takes precedence over the
// default binding. size receives the token length, or 0 when no token exists,
// in which case a null pointer is returned.
318 {
319  EPNAME("getParms")
320  XrdSecProtBind *bp;
321  char buff[256];
322 
323 // Try to find a specific token binding for a host or return default binding
324 //
 // Walk the binding list until one matches the client's host name.
 // "*unknown*" is presumably the placeholder Name() returns when no name is
 // available — confirm against XrdNetAddrInfo::Name().
325  if (!endPoint || !bpFirst) bp = 0;
326  else {const char *hname = endPoint->Name("*unknown*");
327  bp = bpFirst;
328  do {if (bp->Match(hname)) break;} while((bp = bp->next));
329  }
330 
331 // Get endpoint info if we are debugging
332 //
 // The formatted endpoint is used only by the DEBUG trace messages below.
333  if (endPoint && QTRACE(Debug))
334  endPoint->Format(buff, sizeof(buff), XrdNetAddrInfo::fmtAuto,
336  else *buff = 0;
337 
338 // If we have a binding, return that else return the default
339 //
 // NOTE(review): bpDefault starts out null (see the constructor) and is
 // dereferenced here without a check; this relies on configuration always
 // installing a default binding — confirm.
340  if (!bp) bp = bpDefault;
341  if (bp->SecToken.buffer)
342  {DEBUG(buff <<" sectoken=" <<bp->SecToken.buffer);
343  size = bp->SecToken.size;
344  return bp->SecToken.buffer;
345  }
346 
347  DEBUG(buff <<" sectoken=''");
348  size = 0;
349  return (const char *)0;
350 }
#define DEBUG(x)
Definition: XrdBwmTrace.hh:54
#define EPNAME(x)
Definition: XrdBwmTrace.hh:56
#define QTRACE(act)
Definition: XrdCmsTrace.hh:49
if(Avsz)
static const int noPort
Do not add port number.
int Format(char *bAddr, int bLen, fmtUse fmtType=fmtAuto, int fmtOpts=0)
@ fmtAuto
Hostname if already resolved o/w use fmtAddr.
const char * Name(const char *eName=0, const char **eText=0)
int Match(const char *hname)
XrdSecProtBind * next
Definition: XrdSecServer.cc:99
XrdSecParameters SecToken
char * buffer
Pointer to the buffer.
int size
Size of the buffer or length of data in the buffer.

References XrdSecBuffer::buffer, DEBUG, Macaroons::Debug, EPNAME, XrdNetAddrInfo::fmtAuto, XrdNetAddrInfo::Format(), XrdSecProtBind::Match(), XrdNetAddrInfo::Name(), XrdSecProtBind::next, XrdNetAddrInfo::noPort, QTRACE, XrdSecProtBind::SecToken, and XrdSecBuffer::size.


◆ getProtocol()

XrdSecProtocol * XrdSecServer::getProtocol ( const char *  host,
XrdNetAddrInfo & endPoint,
const XrdSecCredentials * cred,
XrdOucErrInfo & einfo 
)
virtual

Obtain a protocol object suitable for authentication based on cred and possibly based on the hostname or host address, as needed.

Parameters
host  The client's host name or the IP address as text. An IP may be supplied if the host address is not resolvable or resolution has been suppressed (i.e. nodnr). Use endPoint to get the hostname if it's actually needed.
endPoint  The XrdNetAddrInfo object describing the client end-point.
cred  The initial credentials supplied by the client; the pointer may be null if the client did not supply credentials.
einfo  The structure to record any error messages. These are normally sent to the client.
Returns
Success: Address of protocol object to be used for authentication. If cred was null, a host protocol object should be returned if so allowed. Failure: Null, no protocol can be returned. The einfo parameter, if supplied, has the reason.

Implements XrdSecService.

Definition at line 356 of file XrdSecServer.cc.

// Select the authentication protocol for a client connection.
// Without credentials the "host" protocol is requested; empty credentials are
// rejected with EACCES. When Enforce is set, the protocol id carried in
// cred->buffer must be known to the protocol manager and permitted by the host's
// binding (ValidProts); otherwise a null protocol and an einfo message are
// returned. The protocol instance itself comes from PManager.Get().
360 {
361  XrdSecProtBind *bp;
362  XrdSecPMask_t pnum;
363  XrdSecCredentials myCreds;
364  const char *msgv[8];
365 
366 // If null credentials supplied, default to host protocol otherwise make sure
367 // credentials data is actually supplied.
368 //
 // Synthesize "host" credentials (size 4 == strlen("host")) when none were sent.
369  if (!cred) {myCreds.buffer=(char *)"host"; myCreds.size = 4; cred=&myCreds;}
370  else if (cred->size < 1 || !(cred->buffer))
371  {einfo.setErrInfo(EACCES,"No authentication credentials supplied.");
372  return 0;
373  }
374 
375 // If protocol binding must be enforced, make sure the host is not using a
376 // disallowed protocol.
377 //
 // cred->buffer is client-supplied text interpreted as a protocol id. Unknown ids
 // are rejected with EPROTONOSUPPORT, known-but-unbound ids with EACCES; in both
 // cases the client-supplied id is echoed back into the error text.
 // NOTE(review): the binding lookup here keys on the caller's host string (which
 // per the interface may be an IP when resolution is suppressed), whereas
 // getParms() matches on endPoint->Name(); the two may therefore select different
 // bindings for the same client — confirm this is intended.
378  if (Enforce)
379  {if ((pnum = PManager.Find(cred->buffer)))
380  {if (bpFirst && (bp = bpFirst->Find(host))
381  && !(bp->ValidProts & pnum))
382  {msgv[0] = host;
383  msgv[1] = " not allowed to authenticate using ";
384  msgv[2] = cred->buffer;
385  msgv[3] = " protocol.";
386  einfo.setErrInfo(EACCES, msgv, 4);
387  return 0;
388  }
389  }
390  else {msgv[0] = cred->buffer;
391  msgv[1] = " security protocol is not supported.";
392  einfo.setErrInfo(EPROTONOSUPPORT, msgv, 2);
393  return 0;
394  }
395  }
396 
397 // If we passed the protocol binding check, try to get an instance of the
398 // protocol the host is using
399 //
 // NOTE(review): when Enforce is false no Find() check happens above, so an
 // unknown protocol id is left for PManager.Get() to reject — confirm it does.
400  return PManager.Get(host, endPoint, cred->buffer, &einfo);
401 }
int XrdSecPMask_t
int setErrInfo(int code, const char *emsg)
XrdSecPMask_t Find(const char *pid, char **parg=0)
XrdSecProtocol * Get(const char *hname, XrdNetAddrInfo &endPoint, const char *pname, XrdOucErrInfo *erp)
XrdSecPMask_t ValidProts
XrdSecProtBind * Find(const char *hname)
Generic structure to pass security information back and forth.

References XrdSecBuffer::buffer, XrdSecProtBind::Find(), XrdSecPManager::Find(), XrdSecPManager::Get(), XrdOucErrInfo::setErrInfo(), XrdSecBuffer::size, and XrdSecProtBind::ValidProts.


◆ PostProcess()

bool XrdSecServer::PostProcess ( XrdSecEntity & entity,
XrdOucErrInfo & einfo 
)
virtual

Post process a fully authenticated XrdSecEntity object.

Parameters
entity  The fully authenticated entity object.
einfo  The structure to record any error messages. These are normally sent to the client. If einfo is a null pointer, the messages should be sent to standard error via an XrdSysError object using the XrdSysLogger supplied when the plugin was initialized.
Returns
Success: True should be returned. Failure: False should be returned and the einfo object should hold the reason. In this case the authentication fails.

Reimplemented from XrdSecService.

Definition at line 407 of file XrdSecServer.cc.

// Run the optional entity post-processing plugin on an authenticated entity.
// Returns true when no plugin is configured or the plugin accepts the entity;
// returns false (which fails the authentication) when the plugin rejects it,
// guaranteeing that einfo then carries a message.
408 {
409 // Return correct result. Make sure there is some kind of message returned.
410 //
 // Supply the default EAUTH message only if the plugin left einfo empty.
 // Presumably getErrText() never returns null — confirm.
411  if (secEntityPin && !secEntityPin->Process(entity, einfo))
412  {if (*einfo.getErrText() == '\0')
413  einfo.setErrInfo(EAUTH, "rejected by auth post processing");
414  return false;
415  }
416 
417  return true;
418 }
#define EAUTH
Definition: XrdSecServer.cc:58
const char * getErrText()

References EAUTH, XrdOucErrInfo::getErrText(), and XrdOucErrInfo::setErrInfo().


◆ protTLS()

const char* XrdSecServer::protTLS ( )
inline virtual

Get a list of authentication protocols that require TLS.

Returns
Pointer to a list of protocols that require TLS or a nil if none.

Implements XrdSecService.

Definition at line 64 of file XrdSecServer.hh.

// Forwards to the protocol manager: the list of protocols that require TLS,
// or nil when there are none.
64 {return PManager.protTLS();}
const char * protTLS()

References XrdSecPManager::protTLS().


The documentation for this class was generated from the following files: