XRootD
XrdSecProtocolztn Class Reference

Public Member Functions

 XrdSecProtocolztn (const char *hname, XrdNetAddrInfo &endPoint, XrdSciTokensHelper *sthp)
 
 XrdSecProtocolztn (const char *parms, XrdOucErrInfo *erp, bool &aOK)
 
 ~XrdSecProtocolztn ()
 
int Authenticate (XrdSecCredentials *cred, XrdSecParameters **parms, XrdOucErrInfo *einfo=0)
 
void Delete ()
 Delete the protocol object. DO NOT use C++ delete() on this object.
 
XrdSecCredentials * getCredentials (XrdSecParameters *parms, XrdOucErrInfo *einfo=0)
 
bool needTLS ()
 Check if this protocol requires TLS to properly function.
 
- Public Member Functions inherited from XrdSecProtocol
 XrdSecProtocol (const char *pName)
 Constructor.
 
virtual int Decrypt (const char *inbuff, int inlen, XrdSecBuffer **outbuff)
 
virtual int Encrypt (const char *inbuff, int inlen, XrdSecBuffer **outbuff)
 
virtual int getKey (char *buff=0, int size=0)
 
virtual int setKey (char *buff, int size)
 
virtual int Sign (const char *inbuff, int inlen, XrdSecBuffer **outbuff)
 
virtual int Verify (const char *inbuff, int inlen, const char *sigbuff, int siglen)
 

Static Public Attributes

static const int ztnVersion = 0
 

Additional Inherited Members

- Public Attributes inherited from XrdSecProtocol
XrdSecEntity Entity
 
- Protected Member Functions inherited from XrdSecProtocol
virtual ~XrdSecProtocol ()
 Destructor (prevents use of direct delete).
 

Detailed Description

Definition at line 182 of file XrdSecProtocolztn.cc.

Constructor & Destructor Documentation

◆ XrdSecProtocolztn() [1/2]

XrdSecProtocolztn::XrdSecProtocolztn (const char *parms, XrdOucErrInfo *erp, bool &aOK)

Definition at line 269 of file XrdSecProtocolztn.cc.

   : XrdSecProtocol("ztn"), sthP(0),
     tokName(""), ztnInfo(0), maxTSize(0),
     cont(false), rtGet(false), verJWT(false)
{
   char *endP;

// Assume we will fail
//
   aOK = false;

// If there are no parameters then fail as the server must supply them
//
   if (!parms || !(*parms))
      {Fatal(erp, "Client parameters not specified.", EINVAL);
       return;
      }

// Server supplied parms: <opts+ver>:<maxtsz>:

// The first parameter is the options and version number.
//
   ztnInfo = strtoll(parms, &endP, 10);
   if (*endP != ':')
      {Fatal(erp, "Malformed client parameters.", EINVAL);
       return;
      }
   parms = endP+1;

// The second parameter is the maximum token size
//
   maxTSize = strtol(parms, &endP, 10);
   if (maxTSize <= 0 || *endP != ':')
      {Fatal(erp, "Invalid or missing maxtsz parameter.", EINVAL);
       return;
      }
   endP++;

// All done here
//
   aOK = true;
}

References Fatal().


◆ XrdSecProtocolztn() [2/2]

XrdSecProtocolztn::XrdSecProtocolztn (const char *hname, XrdNetAddrInfo &endPoint, XrdSciTokensHelper *sthp)
inline

Definition at line 204 of file XrdSecProtocolztn.cc.

   : XrdSecProtocol("ztn"), sthP(sthp), tokName(""),
     maxTSize(MaxTokSize), cont(false),
     rtGet(false), verJWT(false)
     {Entity.host = strdup(hname);
      Entity.name = strdup("anon");
      Entity.addrInfo = &endPoint;
     }

References XrdSecEntity::addrInfo, XrdSecProtocol::Entity, XrdSecEntity::host, and XrdSecEntity::name.

◆ ~XrdSecProtocolztn()

XrdSecProtocolztn::~XrdSecProtocolztn ( )
inline

Definition at line 214 of file XrdSecProtocolztn.cc.

     {if (Entity.host) free(Entity.host);
      if (Entity.name) free(Entity.name);
      if (Entity.creds)free(Entity.creds);
     } // via Delete()

References XrdSecEntity::creds, XrdSecProtocol::Entity, XrdSecEntity::host, and XrdSecEntity::name.

Member Function Documentation

◆ Authenticate()

int XrdSecProtocolztn::Authenticate (XrdSecCredentials *cred, XrdSecParameters **parms, XrdOucErrInfo *einfo = 0)
virtual

Authenticate a client.

Parameters
    cred    Credentials supplied by the client.
    parms   Place where the address of additional authentication data is to be placed for another authentication handshake.
    einfo   The error information object where error messages should be placed. The messages are returned to the client. Should einfo be null, messages should be written to stderr.
Returns
    > 0 -> parms present (more authentication needed)
    = 0 -> Entity present (authentication succeeded)
    < 0 -> einfo present (error has occurred)

Implements XrdSecProtocol.

Definition at line 590 of file XrdSecProtocolztn.cc.

{
   static const int pfxLen = sizeof(TokenHdr) + sizeof(uint16_t);
   TokenResp *tResp;

// Check if we have any credentials or if no credentials really needed.
// In either case, use host name as client name
//
   if (cred->size < (int)sizeof(TokenHdr) || !cred->buffer)
      {Fatal(erp, "Invalid ztn credentials", EINVAL, false);
       return -1;
      }
   tResp = (TokenResp *)cred->buffer;

// Check if this is our protocol
//
   if (strcmp(tResp->hdr.id, "ztn"))
      {char msg[256];
       snprintf(msg, sizeof(msg),
                "Authentication protocol id mismatch ('ztn' != '%.4s').",
                tResp->hdr.id);
       Fatal(erp, msg, EINVAL, false);
       return -1;
      }

// Check if caller wants the list of authorized issuers
//
   if (tResp->hdr.opr == TokenHdr::SndAI) return SendAI(erp, parms);

// If this is not a token response then this is an error
//
   if (tResp->hdr.opr != TokenHdr::IsTkn)
      {Fatal(erp, "Invalid ztn response code", EINVAL, false);
       return -1;
      }

// Make sure the response is consistent
//
   const char *isBad = 0;
   int tLen = ntohs(tResp->len);

        if (tResp->hdr.ver != ztnVersion) isBad = "version mismatch";
   else if (tLen < 1) isBad = "token length < 1";
   else if (pfxLen + tLen > cred->size) isBad = "respdata > credsize";
   else if (!(tResp->tkn[0])) isBad = "null token";
   else if (*(tResp->tkn+(tLen-1))) isBad = "missing null byte";

   if (isBad)
      {char eText[80];
       snprintf(eText, sizeof(eText), "'ztn' token malformed; %s", isBad);
       Fatal(erp, eText, EINVAL, false);
       return -1;
      }

// Validate the token
//
   std::string msgRC;
   long long eTime;
   bool validated = false;
   if (Entity.name) {free(Entity.name); Entity.name = 0;}
   if (tokenlib && sthP->Validate(tResp->tkn, msgRC, (expiry ? &eTime : 0), &Entity))
      {if (expiry)
          {if (eTime < 0 && expiry > 0)
              {Fatal(erp, "'ztn' token expiry missing", EINVAL, false);
               return -1;
              }
           if ((monotonic_time() - eTime) <= 0)
              {Fatal(erp, "'ztn' token expired", EINVAL, false);
               return -1;
              }
          }
       validated = true;
      }
   if (!tokenlib || validated)
      {
       Entity.credslen = strlen(tResp->tkn);
       if (Entity.creds)
          free(Entity.creds);
       if ((Entity.creds = (char *)malloc(Entity.credslen+1)))
          strcpy(Entity.creds, tResp->tkn);
       else
          Fatal(erp, "'ztn' bad alloc", ENOMEM, false);
       if (!Entity.name) Entity.name = strdup("anon");
       return 0;
      }

// Validation failed, generate message and return failure
//
// msgRC.insert(0, "ztn validation failed; ");
   Fatal(erp, msgRC.c_str(), EAUTH, false);
   return -1;
}

References XrdSecBuffer::buffer, XrdSecEntity::creds, XrdSecEntity::credslen, EAUTH, XrdSecProtocol::Entity, Fatal(), XrdSecEntity::name, XrdSecBuffer::size, XrdSciTokensHelper::Validate(), and ztnVersion.
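The server-side point of Authenticate() is that the credential buffer is untrusted input: the protocol id, operation code, version, declared token length and NUL termination are all checked before the token text is handed to XrdSciTokensHelper::Validate(). The following is an added example, not XRootD's own code, that re-implements those checks stand-alone so they can be exercised against constructed buffers. The byte layout of the header is an assumption made for illustration: the page uses the TokenHdr fields id, ver and opr but does not show the struct, so the DemoTokenHdr layout and the SndAI/IsTkn code values below are invented for this demo. It also adds one guard the page's code does not have: it bounds the two-byte length field itself before reading it.

```cpp
// Added example (not XRootD's own code): stand-alone version of the
// consistency checks XrdSecProtocolztn::Authenticate() applies to a
// credential buffer. Header layout and opcode values are ASSUMED.
#include <arpa/inet.h>
#include <cstdint>
#include <cstring>
#include <string>
#include <vector>

namespace ztndemo {

// Assumed layout: 4-byte protocol id, 1-byte version, 1-byte operation code.
struct DemoTokenHdr {
    char    id[4];
    uint8_t ver;
    uint8_t opr;
    enum Op : uint8_t { SndAI = 1, IsTkn = 2 };   // assumed code values
};
static const int demoVersion = 0;                  // mirrors ztnVersion = 0

// What Authenticate() would do with the buffer.
enum class Verdict { Fatal, SendIssuerList, TokenOk };

// Applies the page's checks in the same order. On TokenOk, `token` holds the
// token text; otherwise `why` holds the reason Authenticate() would report.
Verdict checkCredential(const std::vector<unsigned char>& cred,
                        std::string& token, std::string& why)
{
    const size_t pfxLen = sizeof(DemoTokenHdr) + sizeof(uint16_t);
    token.clear(); why.clear();

    // 1. Never read a header out of a buffer shorter than the header.
    if (cred.size() < sizeof(DemoTokenHdr)) {
        why = "Invalid ztn credentials"; return Verdict::Fatal;
    }
    DemoTokenHdr hdr;
    std::memcpy(&hdr, cred.data(), sizeof hdr);

    // 2. Protocol id must be "ztn" (compared on the 4 id bytes, NUL included).
    if (std::memcmp(hdr.id, "ztn", 4) != 0) {
        why = "Authentication protocol id mismatch"; return Verdict::Fatal;
    }
    // 3. A request for the authorized issuer list carries no token.
    if (hdr.opr == DemoTokenHdr::SndAI) return Verdict::SendIssuerList;
    if (hdr.opr != DemoTokenHdr::IsTkn) {
        why = "Invalid ztn response code"; return Verdict::Fatal;
    }
    // 4. Extra guard (not in the page's code): bound the 2-byte length field
    //    before reading it, not only the token data after it.
    if (cred.size() < pfxLen) { why = "respdata > credsize"; return Verdict::Fatal; }
    uint16_t rawLen;
    std::memcpy(&rawLen, cred.data() + sizeof(DemoTokenHdr), sizeof rawLen);
    const size_t tLen = ntohs(rawLen);          // wire length is big-endian
    const unsigned char* tkn = cred.data() + pfxLen;

    // 5. The same five consistency tests, in the page's order.
    if (hdr.ver != demoVersion)            why = "version mismatch";
    else if (tLen < 1)                     why = "token length < 1";
    else if (pfxLen + tLen > cred.size())  why = "respdata > credsize";
    else if (tkn[0] == 0)                  why = "null token";
    else if (tkn[tLen - 1] != 0)           why = "missing null byte";
    if (!why.empty()) return Verdict::Fatal;

    token.assign(reinterpret_cast<const char*>(tkn), tLen - 1);
    return Verdict::TokenOk;
}

// Builds a credential in the assumed layout (constructed test input). The
// declared length counts the terminating NUL, as the page's checks expect.
std::vector<unsigned char> makeCredential(uint8_t ver, uint8_t opr,
                                          const std::string& tok)
{
    DemoTokenHdr hdr{};
    std::memcpy(hdr.id, "ztn", 4);
    hdr.ver = ver; hdr.opr = opr;
    std::vector<unsigned char> out(sizeof hdr);
    std::memcpy(out.data(), &hdr, sizeof hdr);
    const uint16_t len = htons(static_cast<uint16_t>(tok.size() + 1));
    const unsigned char* lp = reinterpret_cast<const unsigned char*>(&len);
    out.insert(out.end(), lp, lp + sizeof len);
    out.insert(out.end(), tok.begin(), tok.end());
    out.push_back(0);
    return out;
}

// One-line summary of the verdict, convenient for logging and tests.
std::string describe(const std::vector<unsigned char>& cred)
{
    std::string token, why;
    switch (checkCredential(cred, token, why)) {
        case Verdict::TokenOk:        return "ok:" + token;
        case Verdict::SendIssuerList: return "send-issuers";
        default:                      return "fatal:" + why;
    }
}

} // namespace ztndemo
```

Feed `describe()` a well-formed buffer from `makeCredential()` and then the same buffer with its last byte overwritten, two bytes cut off, or the id changed, and the five rejection reasons from the page come back one at a time; the order matters, because a version mismatch is reported before any length-dependent read is attempted.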


◆ Delete()

void XrdSecProtocolztn::Delete ( )
inlinevirtual

Delete the protocol object. DO NOT use C++ delete() on this object.

Implements XrdSecProtocol.

Definition at line 190 of file XrdSecProtocolztn.cc.

{delete this;}

◆ getCredentials()

XrdSecCredentials * XrdSecProtocolztn::getCredentials (XrdSecParameters *parm, XrdOucErrInfo *einfo = 0)
virtual

Generate client credentials to be used in the authentication process.

Parameters
    parm    Pointer to the information returned by the server either in the initial login response or the authmore response.
    einfo   The error information object where error messages should be placed. The messages are returned to the client. Should einfo be null, messages should be written to stderr.
Returns
    Success: Pointer to credentials to be sent to the server. The caller is responsible for deleting the object.
    Failure: Null pointer with einfo, if supplied, containing the reason for the failure.

Implements XrdSecProtocol.

Definition at line 376 of file XrdSecProtocolztn.cc.

{
   static const char *dfltLoc[] = {"BEARER_TOKEN", "BEARER_TOKEN_FILE",
                                   "XDG_RUNTIME_DIR", "/tmp/bt_u%d"};
   static const char **dfltLocEnd = dfltLoc + sizeof(dfltLoc)/sizeof(char*);
   static std::vector<XrdOucString> dfltVec(dfltLoc, dfltLocEnd);

   XrdSecCredentials *resp;
   bool isbad;

// If this is a continuation, then handle as such
//
   if (cont) return getToken(error, parms);

// Handle the default search
//
   resp = findToken(error, dfltVec, isbad);
   if (resp || isbad) return resp;

// We do not have an envar value then ask the server for a list of
// token issuers so we can get one, if allowed. Otherwise, it's an error.
//
   if (rtGet)
      {TokenHdr *tHdr = (TokenHdr *)malloc(sizeof(TokenHdr));
       tHdr->Fill(TokenHdr::SndAI);
       cont = true;
       return new XrdSecCredentials((char *)tHdr, sizeof(TokenHdr));
      }
   Fatal(error, "No token found; runtime fetch disallowed.", ENOPROTOOPT);
   return 0;
}

References Fatal().
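On the client side, the security-relevant detail of getCredentials() is the search order in dfltLoc: an operator who sets BEARER_TOKEN or BEARER_TOKEN_FILE overrides whatever sits in the per-user runtime directory or in /tmp, and only when every location is empty does the client either ask the server for its issuer list (rtGet) or fail. The following is an added example, not XRootD's own code, that walks that order against injectable environment and file readers so it runs offline. Two things are assumptions: findToken() is not on this page, so the file name under XDG_RUNTIME_DIR (bt_u<uid>, following the WLCG bearer-token discovery convention) and the trimming of trailing whitespace are choices made for this demo.

```cpp
// Added example (not XRootD's own code): client-side token discovery over the
// default locations listed in getCredentials() (BEARER_TOKEN, BEARER_TOKEN_FILE,
// XDG_RUNTIME_DIR, /tmp/bt_u%d). The bt_u<uid> file name under XDG_RUNTIME_DIR
// is an ASSUMPTION; findToken() itself is not shown on the page.
#include <cctype>
#include <functional>
#include <map>
#include <string>

namespace ztndemo {

using EnvLookup  = std::function<bool(const std::string&, std::string&)>;
using FileReader = std::function<bool(const std::string&, std::string&)>;

// Token files usually end in a newline; strip trailing whitespace only.
static std::string trimRight(std::string s)
{
    while (!s.empty() && std::isspace(static_cast<unsigned char>(s.back()))) s.pop_back();
    return s;
}

// Walks the page's default locations in order and returns the first non-empty
// token; `source` names where it came from. An empty result is the page's
// "No token found" case, where getCredentials() either asks the server for
// its issuer list (rtGet) or fails with ENOPROTOOPT.
std::string discoverToken(const EnvLookup& env, const FileReader& readFile,
                          unsigned uid, std::string& source)
{
    std::string v, body;
    source.clear();

    // 1. BEARER_TOKEN: the token itself in the environment.
    if (env("BEARER_TOKEN", v) && !trimRight(v).empty()) {
        source = "BEARER_TOKEN"; return trimRight(v);
    }
    // 2. BEARER_TOKEN_FILE: a path to read the token from.
    if (env("BEARER_TOKEN_FILE", v) && readFile(v, body) && !trimRight(body).empty()) {
        source = "BEARER_TOKEN_FILE=" + v; return trimRight(body);
    }
    // 3. $XDG_RUNTIME_DIR/bt_u<uid> (assumed file name, see lead-in).
    if (env("XDG_RUNTIME_DIR", v)) {
        const std::string path = v + "/bt_u" + std::to_string(uid);
        if (readFile(path, body) && !trimRight(body).empty()) {
            source = path; return trimRight(body);
        }
    }
    // 4. /tmp/bt_u<uid>, the last entry of dfltLoc.
    const std::string path = "/tmp/bt_u" + std::to_string(uid);
    if (readFile(path, body) && !trimRight(body).empty()) {
        source = path; return trimRight(body);
    }
    return "";
}

// Constructed stand-ins for getenv() and file reads, so the search can be
// exercised without touching the real process environment or filesystem.
EnvLookup envFrom(const std::map<std::string, std::string>& vars)
{
    return [vars](const std::string& name, std::string& out) {
        auto it = vars.find(name);
        if (it == vars.end()) return false;
        out = it->second; return true;
    };
}
FileReader filesFrom(const std::map<std::string, std::string>& files)
{
    return [files](const std::string& path, std::string& out) {
        auto it = files.find(path);
        if (it == files.end()) return false;
        out = it->second; return true;
    };
}

} // namespace ztndemo
```

With a constructed environment and file map, removing BEARER_TOKEN makes the result fall through to BEARER_TOKEN_FILE, then to the runtime directory, then to /tmp, and an empty map yields the empty string that corresponds to the page's "No token found" branch. Because the readers are injected, the same function can be pointed at real getenv() and file I/O in production code.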


◆ needTLS()

bool XrdSecProtocolztn::needTLS ( )
inlinevirtual

Check if this protocol requires TLS to properly function.

Reimplemented from XrdSecProtocol.

Definition at line 195 of file XrdSecProtocolztn.cc.

{return true;}

Member Data Documentation

◆ ztnVersion

const int XrdSecProtocolztn::ztnVersion = 0
static

Definition at line 219 of file XrdSecProtocolztn.cc.

Referenced by Authenticate(), and XrdSecProtocolztnInit().


The documentation for this class was generated from the following file: