39 #include <sys/param.h>
41 #include "XrdVersion.hh"
109 int Match(
const char *hname);
127 if (!(starp = index(
thost,
'*')))
150 while(bp && !bp->
Match(hname)) bp = bp->
next;
177 if ((i = (strlen(hname) -
tsfxlen)) < 0)
return 0;
178 return !strcmp(&hname[i],
thostsfx);
191 int Cat(
char *token);
/// Report the data accumulated so far: sets `size` to the distance from the
/// start of `buff` to `bp` and returns `buff` itself (no copy is made).
/// NOTE(review): `bp` looks like the current write position inside `buff`;
/// confirm against the class definition, which is not visible here.
char *Result(int &size)
{
    size = bp - buff;   // pointer difference is stored into an int
    return buff;
}
211 buff = (
char *)malloc(bsize);
236 alen = strlen(token);
237 if (alen+1 > bsize-(bp-buff))
238 {eDest->
Emsg(
"Config",who,
ProtoID,
"argument string too long");
256 while(pp && !pp->
isProto(pid)){mp = pp; pp = pp->
Next;}
270 if (bsize-(bp-buff) < 1)
271 {eDest->
Emsg(
"Config",who,
ProtoID,
"argument string too long");
301 STBuff = (
char *)malloc(STBlen);
305 if (getenv(
"XRDDEBUG") || getenv(
"XrdSecDEBUG"))
325 if (!endPoint || !bpFirst) bp = 0;
326 else {
const char *hname = endPoint->
Name(
"*unknown*");
328 do {
if (bp->
Match(hname))
break;}
while((bp = bp->
next));
340 if (!bp) bp = bpDefault;
347 DEBUG(buff <<
" sectoken=''");
349 return (
const char *)0;
369 if (!cred) {myCreds.
buffer=(
char *)
"host"; myCreds.
size = 4; cred=&myCreds;}
371 {einfo.
setErrInfo(EACCES,
"No authentication credentials supplied.");
380 {
if (bpFirst && (bp = bpFirst->
Find(host))
383 msgv[1] =
" not allowed to authenticate using ";
385 msgv[3] =
" protocol.";
390 else {msgv[0] = cred->
buffer;
391 msgv[1] =
" security protocol is not supported.";
400 return PManager.
Get(host, endPoint, cred->
buffer, &einfo);
411 if (secEntityPin && !secEntityPin->Process(entity, einfo))
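// Directive-dispatch helpers. Each one expands to a bare `if` that compares
// the literal directive name x with a variable called `var`, which must be in
// scope where the macro is used, and returns from the enclosing function on a
// match. Because the expansion is an unbraced `if`, do not follow a use with
// `else`.

// On a match, call handler m(Config, Eroute) and return its result.
#define TS_Xeq(x,m) if (!strcmp(x,var)) return m(Config,Eroute);

// On a match, replace string m with a heap copy of `val`. m is passed to
// free() first, so it must be null or storage obtained from malloc/strdup;
// the strdup() result is not checked here.
#define TS_Str(x,m) if (!strcmp(x,var)) {free(m); m = strdup(val); return 0;}

// On a match, store the first character of `val` in m.
#define TS_Chr(x,m) if (!strcmp(x,var)) {m = val[0]; return 0;}

// On a match, assign v to m.
#define TS_Bit(x,m,v) if (!strcmp(x,var)) {m = v; return 0;}

// Larger of x and y. Every use of an argument is parenthesized so that an
// argument containing a lower-precedence operator (&, |, ?:, ...) is compared
// as a whole. Each argument can still be evaluated twice, so pass expressions
// without side effects.
#define Max(x,y) ((x) > (y) ? (x) : (y))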
454 const char *lName =
"none", *rName =
"none";
460 eDest.
Say(
"++++++ Authentication system initialization started.");
464 NoGo = ConfigFile(cfn);
468 if (pinInfo && !NoGo)
471 secEntityPin = secPin;
472 if (!secPin)
return 1;
481 var = (NoGo > 0 ? (
char *)
"failed." : (
char *)
"completed.");
482 eDest.
Say(
"------ Authentication system initialization ", var);
490 eDest.
Say(
"++++++ Protection system initialization started.");
494 if (lclParms.level > rmtParms.level)
495 eDest.
Say(
"Config warning: local protection level greater than "
496 "remote level; are you sure?");
502 {eDest.
Say(
"Config warning: Security level is set to none; "
503 "request protection disabled!");
506 || !(protObj->
Config(lclParms, rmtParms, *eDest.
logger()))) NoGo = 1;
507 else {lName = protObj->
LName(lclParms.level);
508 rName = protObj->
LName(rmtParms.level);
515 {eDest.
Say(
"Config ",
"Local protection level: ",
516 (lclParms.opts & isRlx ?
"relaxed " : 0), lName,
517 (lclParms.opts & isFrc ?
" force" : 0));
518 eDest.
Say(
"Config ",
"Remote protection level: ",
519 (rmtParms.opts & isRlx ?
"relaxed " : 0), rName,
520 (rmtParms.opts & isFrc ?
" force" : 0));
525 var = (NoGo > 0 ? (
char *)
"failed." : (
char *)
"completed.");
526 eDest.
Say(
"------ Protection system initialization ", var);
534 int XrdSecServer::ConfigFile(
const char *ConfigFN)
545 int cfgFD, retc, NoGo = 0, recs = 0;
552 if (!ConfigFN || !*ConfigFN)
553 {eDest.
Emsg(
"Config",
"Authentication configuration file not specified.");
560 if ( (cfgFD =
open(ConfigFN, O_RDONLY, 0)) < 0)
561 {eDest.
Emsg(
"Config", errno,
"opening config file", ConfigFN);
568 static const char *cvec[] = {
"*** sec plugin config:", 0 };
570 while((var =
Config.GetMyFirstWord()))
571 {
if (!strncmp(var,
"sec.", 4))
573 if (ConfigXeq(var+4,
Config, eDest)) {
Config.Echo(); NoGo = 1;}
579 if ((retc =
Config.LastError()))
580 NoGo = eDest.
Emsg(
"Config",-retc,
"reading config file", ConfigFN);
581 else {
char buff[128];
582 snprintf(buff,
sizeof(buff),
583 " %d authentication directives processed in ", recs);
584 eDest.
Say(
"Config", buff, ConfigFN);
590 if (NoGo || ProtBind_Complete(eDest) ) NoGo = 1;
593 while(pp) {eDest.
Emsg(
"Config",
"protparm", pp->
ProtoID,
594 "does not have a matching protocol.");
616 TS_Xeq(
"entitylib", xenlib);
618 TS_Xeq(
"protbind", xpbind);
619 TS_Xeq(
"protocol", xprot);
620 TS_Xeq(
"protparm", xpparm);
625 Eroute.
Say(
"Config warning: ignoring unknown directive '",var,
"'.");
647 char *val, parms[2048];
652 if ((val =
Config.GetWord()))
653 {
if (!strcmp(val,
"++"))
662 {Eroute.
Emsg(
"Config",
"entitylib not specified");
return 1;}
667 {Eroute.
Emsg(
"Config",
"entitylib path is not absolute");
return 1;}
675 if (!
Config.GetRest(parms,
sizeof(parms)))
676 {Eroute.
Emsg(
"Config",
"entitylib parameters too long");
return 1;}
680 if (!pinInfo) pinInfo =
new XrdSecPinInfo(
"sec.entitylib",configFN,Eroute);
684 pinInfo->KingPin.Add(path.c_str(), (*parms ? parms : 0), push);
714 int i, numopts =
sizeof(ltab)/
sizeof(
struct lvltab);
715 bool isLcl =
true, isRmt =
true, isSpec =
false, isRlx =
false, isFRC=
false;
722 {Eroute.
Emsg(
"Config",
"level not specified");
return 1;}
726 if (!strcmp(val,
"all")) isSpec =
true;
727 else if (!strcmp(val,
"local")) {isSpec =
true; isRmt =
false;}
728 else if (!strcmp(val,
"remote")){isSpec =
true; isLcl =
false;}
735 {Eroute.
Emsg(
"Config",
"level not specified");
return 1;}
740 if (!strcmp(val,
"relaxed"))
744 {Eroute.
Emsg(
"Config",
"level not specified");
return 1;}
749 for (i = 0; i < numopts; i++)
if (!strcmp(ltab[i].lname, val))
break;
751 {Eroute.
Emsg(
"Config",
"invalid level option -", val);
return 1;}
757 {
if (strcmp(val,
"force"))
758 {Eroute.
Emsg(
"Config",
"invalid level modifier - ", val);
return 1;}
765 {lclParms.level = ltab[i].lvl;
772 {rmtParms.
level = ltab[i].lvl;
801 char sectoken[4096], *secbuff = sectoken;
802 int isdflt = 0, only = 0, anyprot = 0, noprot = 0, phost = 0;
803 int sectlen = sizeof(sectoken)-1;
811 {Eroute.
Emsg(
"Config",
"protbind host not specified");
return 1;}
815 if ((isdflt = !strcmp(
"*", val))) bnow = bpDefault;
816 else {bnow = bpFirst;
817 while(bnow)
if (!strcmp(bnow->
thost, val))
break;
818 else bnow = bnow->
next;
820 if (bnow) {Eroute.
Emsg(
"Config",
"duplicate protbind definition - ", val);
827 while((val =
Config.GetWord()))
828 {
if (!strcmp(val,
"none")) {noprot = 1;
break;}
829 if (!strcmp(val,
"only")) {only = 1; Enforce =
true;}
830 else if (!strcmp(val,
"host")) {phost = 1; anyprot = 1;}
831 else if (!PManager.
Find(val))
832 {Eroute.
Emsg(
"Config",
"protbind", val,
833 "protocol not previously defined.");
836 else if (add2token(Eroute, val, &secbuff, sectlen, PMask))
837 {Eroute.
Emsg(
"Config",
"Unable to bind protocols to",thost);
844 if (val && (val =
Config.GetWord()))
845 {Eroute.
Emsg(
"Config",
"conflicting protbind:", thost, val);
851 if (!(anyprot || noprot))
852 {Eroute.
Emsg(
"Config",
"no protocols bound to", thost);
return 1;}
853 DEBUG(
"XrdSecConfig: Bound "<< thost<<
" to "
854 << (noprot ?
"none" : (phost ?
"host" : sectoken)));
859 if (phost && *sectoken)
860 {Eroute.
Say(
"Config warning: 'protbind", thost,
861 "host' negates all other bound protocols.");
867 if (!strcmp(
"localhost", thost))
870 thost = strdup(myIPAddr.Name(
"localhost"));
875 bnow =
new XrdSecProtBind(thost,(noprot ? 0:sectoken),(only ? PMask:0));
879 if (isdflt) bpDefault = bnow;
880 else {
if (bpLast) bpLast->
next = bnow;
915 char pathbuff[1024], *path = 0;
923 if (val && *val ==
'/')
924 {
strlcpy(pathbuff, val,
sizeof(pathbuff)); path = pathbuff;
928 {Eroute.
Emsg(
"Config",
"protocol id not specified");
return 1;}
933 {Eroute.
Emsg(
"Config",
"protocol id too long - ", val);
return 1;}
935 if (PManager.
Find(val))
936 {Eroute.
Say(
"Config warning: protocol ",val,
" previously defined.");
938 return add2token(Eroute, pid, &STBuff, STBlen, mymask);
945 strcpy(pName+1, val);
946 if (!pidList) pidList = strdup(pName);
947 else {std::string pids = pidList;
950 pidList = strdup(pids.c_str());
956 if (!strcmp(
"host", val))
958 {Eroute.
Emsg(
"Config",
"Builtin host protocol does not accept parms.");
968 while((args =
Config.GetWord()))
if (!myParms.Cat(args))
return 1;
969 if ((pp = myParms.Find(pid, 1)))
970 {
if ((*myParms.Result(psize) && !myParms.Insert(
'\n'))
971 || !myParms.Cat(pp->
Result(psize)))
return 1;
977 pap = myParms.
Result(psize);
978 if (!PManager.
Load(&erp,
's', pid, (psize ? pap : 0), path))
980 Eroute.
Say(
"Config Failed to load ", pid,
" authentication protocol!");
986 return add2token(Eroute, pid, &STBuff, STBlen, mymask);
1014 if (!val || !val[0])
1015 {Eroute.
Emsg(
"Config",
"protparm protocol not specified");
return 1;}
1019 if (!strcmp(
"host", val))
1020 {Eroute.
Emsg(
"Config",
"Builtin host protocol does not accept protparms.");
1027 {Eroute.
Emsg(
"Config",
"protocol id too long - ", val);
return 1;}
1029 if (PManager.
Find(val))
1030 {Eroute.
Emsg(
"Config warning: protparm protocol ",val,
" already defined.");
1038 if (!(val =
Config.GetWord()))
1039 {Eroute.
Emsg(
"Config",
"protparm", pid,
"parameter not specified");
1053 do {
if (!pp->
Cat(val))
return 1;}
while((val =
Config.GetWord()));
1073 static struct traceopts {
const char *opname;
int opval;} tropts[] =
1080 int i, neg, trval = 0, numopts =
sizeof(tropts)/
sizeof(
struct traceopts);
1084 if (!val || !val[0])
1085 {Eroute.
Emsg(
"Config",
"trace option not specified");
return 1;}
1086 while (val && val[0])
1087 {
if (!strcmp(val,
"off")) trval = 0;
1088 else {
if ((neg = (val[0] ==
'-' && val[1]))) val++;
1089 for (i = 0; i < numopts; i++)
1090 {
if (!strcmp(val, tropts[i].opname))
1091 {
if (neg) trval &= ~tropts[i].opval;
1092 else trval |= tropts[i].opval;
1097 Eroute.
Say(
"Config warning: ignoring invalid trace option '", val,
"'.");
1120 int XrdSecServer::add2token(
XrdSysError &Eroute,
char *pid,
1129 if (!(protnum = PManager.
Find(pid, &pargs)))
1130 {Eroute.
Emsg(
"Config",
"Protocol",pid,
"not found after being added!");
1136 i = 4+strlen(pid)+strlen(pargs);
1138 {Eroute.
Emsg(
"Config",
"Protocol",pid,
"parms exceed overall maximum!");
1144 i = sprintf(*tokbuff,
"&P=%s%s%s", pid, (*pargs ?
"," :
""), pargs);
1155 int XrdSecServer::ProtBind_Complete(
XrdSysError &Eroute)
1157 EPNAME(
"ProtBind_Complete")
1163 {
if (!*SToken) {Eroute.
Say(
"Config warning: No protocols defined; "
1164 "only host authentication available.");
1168 {Eroute.
Say(
"Config warning: enabled builtin host "
1169 "protocol negates default use of any other protocols.");
1173 DEBUG(
"Default sectoken built: '" <<SToken <<
"'");
1180 if (implauth && !PManager.
Load(&erp,
's',
"host", 0, 0))
1185 free(SToken); SToken = STBuff = 0; STBlen = 0;
1201 if (SecServer->
Configure(cfn))
return 0;
static XrdSysError eDest(0,"crypto_")
int open(const char *path, int oflag,...)
#define XrdSecPROTOIDSIZE
XrdSecProtector * XrdSecLoadProtection(XrdSysError &erP)
XrdSecService * XrdSecgetService(XrdSysLogger *lp, const char *cfn)
static const int noPort
Do not add port number.
int Format(char *bAddr, int bLen, fmtUse fmtType=fmtAuto, int fmtOpts=0)
@ fmtAuto
Hostname if already resolved; otherwise use fmtAddr.
const char * Name(const char *eName=0, const char **eText=0)
static int Export(const char *Var, const char *Val)
void Put(const char *varname, const char *value)
const char * getErrText()
int setErrInfo(int code, const char *emsg)
XrdSecPMask_t Find(const char *pid, char **parg=0)
XrdSecProtocol * Get(const char *hname, XrdNetAddrInfo &endPoint, const char *pname, XrdOucErrInfo *erp)
int Load(XrdOucErrInfo *eMsg, const char pmode, const char *pid, const char *parg, const char *path)
void setErrP(XrdSysError *eP)
XrdSecPinInfo(const char *drctv, const char *cfn, XrdSysError &errR)
XrdOucPinKing< XrdSecEntityPin > KingPin
int Match(const char *hname)
XrdSecProtBind(char *th, char *st, XrdSecPMask_t pmask=0)
XrdSecProtBind * Find(const char *hname)
XrdSecParameters SecToken
char ProtoID[XrdSecPROTOIDSIZE+1]
static XrdSecProtParm * Find(char *pid, int remove=0)
XrdSecProtParm(XrdSysError *erp, const char *cid)
static XrdSecProtParm * First
static const int relax
relax old clients
secLevel level
In: The desired level.
static const int force
Allow unencrypted hash.
virtual bool Config(const XrdSecProtectParms &lclParms, const XrdSecProtectParms &rmtParms, XrdSysLogger &logr)
virtual const char * LName(XrdSecProtectParms::secLevel level)
XrdSecProtocol * getProtocol(const char *host, XrdNetAddrInfo &endPoint, const XrdSecCredentials *cred, XrdOucErrInfo &einfo)
const char * getParms(int &size, XrdNetAddrInfo *endPoint=0)
XrdSecServer(XrdSysLogger *lp)
int Configure(const char *cfn)
bool PostProcess(XrdSecEntity &entity, XrdOucErrInfo &einfo)
int Emsg(const char *esfx, int ecode, const char *text1, const char *text2=0)
void Say(const char *text1, const char *text2=0, const char *txt3=0, const char *text4=0, const char *text5=0, const char *txt6=0)
XrdSysLogger * logger(XrdSysLogger *lp=0)
XrdVERSIONINFODEF(myVersion, cmsclient, XrdVNUMBER, XrdVERSION)
Generic structure to pass security information back and forth.
char * buffer
Pointer to the buffer.
int size
Size of the buffer or length of data in the buffer.