78 const char *
gsiPKH =
"-----BEGIN PRIVATE KEY-----\n";
111 : Next(Prev), theDN(vDN), theGN(vGN), theVO(vVO)
127 if (theHN && (!Host || !(theHN->NameKO(Host ))))
return 0;
128 if (theDN && (!(Who->
name) || strcmp(theDN, Who->
name)))
return 0;
129 if (theVO && (!(Who->
vorg) || strcmp(theDN, Who->
vorg)))
return 0;
130 if (!theGN)
return 1;
132 {
char gBuff[1028],
Group[64];
133 strlcpy(gBuff+1, Who->
grps,
sizeof(gBuff)-1); *gBuff =
' ';
135 return strstr(gBuff,
Group) != 0;
157 std::atomic<int> rpInst = {0};
170 if (*auth !=
'?') aOpt =
false;
174 aGSI = strcmp(
"gsi", auth) == 0;
182 for (
int i = 0; i <
fcNum; i++)
183 if (!strcmp(auth,
fcAuth[i].aProt))
193 if (
fcNum >=
fcMax)
return "Too many fcred auths";
232 return Fatal(Args,
"tpc not supported", ENOTSUP);
236 if (RPList && !(RPList->Find(Args.
Lfn)))
237 return Fatal(Args,
"tpc not allowed for path", EACCES);
248 if (Args.
Dst && !Args.
Org)
250 return Fatal(Args,
"permission denied", EACCES);
251 if (AuthOrg && !Screen(Args, AuthOrg, isPLE))
return SFS_ERROR;
253 return Fatal(Args,
"insufficient memory", ENOMEM);
254 if (!(myTPC->
Add(Args))) {
delete myTPC;
return SFS_ERROR;}
258 else if (!Args.
Org || Args.
Dst)
259 return Fatal(Args,
"conflicting tpc cgi", EINVAL);
263 if (AuthDst && !Screen(Args, AuthDst, isPLE))
return SFS_ERROR;
271 while(aP && !aP->
Match(Args.
Usr, dstHost)) aP = aP->
Next;
279 "denied tpc access to", Args.
Lfn);
281 return Fatal(Args,
"dest not authorized for tpc" ,EACCES, 1);
295 return Fatal(Args,
"authorization expired", EACCES, 1);
302 snprintf(Buff,
sizeof(Buff),
"%s granted tpc access by %s to",
304 Buff[
sizeof(Buff)-1] = 0;
340 snprintf(Buff,
sizeof(Buff),
"Unable to open %s; %s", Args.
Lfn,
eMsg);
361 const char *Colon, *cOrg = client->
tident;
367 if (!(Colon = index(cOrg,
':')))
return 0;
372 if (!(Name = Verify(
"origin", client->
host, Buff, Blen)))
return 0;
376 if (((n + 1) +
int(strlen(Name))) >= Blen)
377 {strncpy(Buff,
"origin ID too long", Blen);
385 strncpy(Buff, cOrg, n);
386 Buff += n; *Buff++ =
'@';
403 n = strtol(vTTL, &ePtr, 10);
432 for (
int i = 0; i <
fcNum; i++)
447 int n = strlen(
Auth), doEnc = (
Auth[n-1] ==
'+');
449 if (!rType || rType == reqDST)
451 if (doEnc) AuthDst->text[n-1] = 0;
454 if (!rType || rType == reqORG)
456 if (doEnc) AuthOrg->text[n-1] = 0;
469 char pBuff[MAXPATHLEN];
470 int n = strlen(
Path);
477 if (
Path[n-1] !=
'/')
478 {strcpy(pBuff,
Path);
479 pBuff[n++] =
'/'; pBuff[n] = 0;
485 if (!(plp = RPList->Match(pBuff)))
499 const char *aProt = Args.
Usr->
prot;
502 {
if (!strcmp(tP->
text, aProt))
503 {
if (tP->val && wasEnc)
return 1;
504 Fatal(Args,
"unencrypted tpc disallowed", EACCES);
510 if (!tP)
Fatal(Args,
"improper tpc authentication", EACCES);
525 if (RPList) RPList->Default(1);
560 const char *theCGI, *enVar = 0;
561 char Buff[512], myURL[4096], sVal = 0;
562 int n, doRN = 0, myURLen =
sizeof(myURL);
567 if (!
tpcOK || !Args.
Usr)
return Death(Args,
"tpc not supported", ENOTSUP);
571 for (
int i = 0; i <
fcNum; i++)
576 return Death(Args,
"no delegated credentials for tpc",EACCES);
579 if (tpcDlg) tpcSrc = tpcDlg;
587 if (!tpcSrc)
return Death(Args,
"tpc source not specified", EINVAL);
588 if (!Args.
Pfn)
return Death(Args,
"tpc pfn not specified", EINVAL);
592 if (!tpcLfn) tpcLfn = Args.
Lfn;
593 else if (
Cfg.
noids && *tpcLfn !=
'/')
594 return Death(Args,
"source lfn not absolute",EINVAL);
595 else doRN = (strcmp(Args.
Lfn, tpcLfn) != 0);
601 long nStrm = strtol(tpcStr, &eP, 10);
602 if (nStrm < 0 || *eP)
603 return Death(Args,
"tpc streams value is invalid", EINVAL);
605 sVal =
static_cast<char>(nStrm);
610 if (!enVar && !genOrg(Args.
Usr, Buff,
sizeof(Buff)))
611 return Death(Args, Buff, EINVAL);
615 const char *xProt = (!tpcSpr || strcmp(
"xroots",tpcSpr) ?
"xroot" : tpcSpr);
616 n = snprintf(myURL, myURLen,
"%s://%s/%s?", xProt, tpcSrc, tpcLfn);
617 char *cgiP = myURL+n;
618 int cgiL = myURLen-n;
619 if (cgiL < 3)
return Death(Args,
"url too long", EINVAL);
623 if (doRN) {lfnLoc[1] = strlen(tpcLfn); lfnLoc[0] = n - lfnLoc[1];}
624 else lfnLoc[1] = lfnLoc[0] = 0;
629 {
if ((
int)strlen(tpcSgi) >= cgiL)
630 return Death(Args,
"url too long", EINVAL);
639 {
if (cgiL < 3)
return Death(Args,
"url too long", EINVAL);
640 *cgiP++ =
'&'; cgiL--; *cgiP = 0;
642 if (*theCGI ==
'!')
return Death(Args, theCGI+1, EINVAL);
649 Args.
Lfn, Args.
Pfn, tpcCks, lfnLoc,
651 return Death(Args,
"insufficient memory", ENOMEM);
661 {
int inst = rpInst++;
663 snprintf(rpBuff,
sizeof(rpBuff),
Cfg.
rPath, inst);
665 Args.
Env->
Put(
"tpc.reproxy", rpBuff);
687 const char *etext, *Host;
691 if (!(etext = vAddr.
Set(Name,0)) && (Host = vAddr.
Name(0, &etext)))
696 snprintf(Buf, Blen,
"unable to verify %s %s (%s)", Who, Name, etext);
@ AOP_Read
open() r/o, prepare()
void Fatal(const char *op, const char *target)
#define XrdSecPROTOIDSIZE
const char * Name(const char *eName=0, const char **eText=0)
const char * Set(const char *hSpec, int pNum=PortInSpec)
struct XrdOfsStats::StatsData Data
XrdOfsTPCAllow(char *vDN, char *vGN, char *vHN, char *vVO, XrdOfsTPCAllow *Prev)
int Match(const XrdSecEntity *Who, const char *Host)
static int Get(Facts &Args, XrdOfsTPCAuth **theTPC)
static int RunTTL(int Init)
void SetRPath(const char *rpath)
void SetStreams(char sval)
void SetCreds(const char *evar, const char *creds, int crdsz)
static int Authorize(XrdOfsTPC **theTPC, Facts &Args, int isPLE=0)
static int Restrict(const char *Path)
static XrdOucTList * AuthOrg
static const char * AddAuth(const char *auth, const char *avar)
static char * Verify(const char *Who, const char *Name, char *Buf, int Blen)
static int getTTL(XrdOucEnv *Env)
static XrdAccAuthorize * fsAuth
static int Fatal(Facts &Args, const char *eMsg, int eCode, int nomsg=0)
static int Death(Facts &Args, const char *eMsg, int eCode, int nomsg=0)
static void Require(const char *Auth, int RType)
static void Allow(char *vDN, char *vGN, char *vHN, char *vVO)
static XrdOfsTPCAllow * ALList
static int Validate(XrdOfsTPC **theTPC, Facts &Args)
static XrdOucTList * AuthDst
static int Screen(Facts &Args, XrdOucTList *tP, int wasEnc=0)
static XrdOucPListAnchor * RPList
static int genOrg(const XrdSecEntity *client, char *Buff, int Blen)
virtual int Unlink(const char *path, int Opts=0, XrdOucEnv *envP=0)=0
static int Export(const char *Var, const char *Val)
char * Get(const char *varname)
void Put(const char *varname, const char *value)
int setErrInfo(int code, const char *emsg)
const char * getErrUser()
static const char * tpcSpr
static const char * tpcDst
static const char * tpcTpr
static const char * tpcLfn
static int copyCGI(const char *cgi, char *Buff, int Blen)
static const char * tpcDlg
static const char * tpcSrc
static const char * tpcOrg
static const char * cgiD2Src(const char *cKey, const char *cOrg, char *Buff, int Blen)
static const char * tpcSgi
static const char * tpcTtl
static const char * tpcCks
static const char * tpcStr
char * vorg
Entity's virtual organization(s)
int credslen
Length of the 'creds' data.
XrdNetAddrInfo * addrInfo
Entity's connection details.
const char * tident
Trace identifier always preset.
char prot[XrdSecPROTOIDSIZE]
Auth protocol used (e.g. krb5)
char * creds
Raw entity credentials or cert.
char * grps
Entity's group name(s)
char * name
Entity's name.
char * host
Entity's host name dnr dependent.
int Emsg(const char *esfx, int ecode, const char *text1, const char *text2=0)
struct XrdOfsTPCParms::fcTb fcAuth[fcMax]
char aProt[XrdSecPROTOIDSIZE]