XRootD
XrdSecProtector Class Reference

#include <XrdSecProtector.hh>


Public Types

enum  lrType {
  isLcl =0 ,
  isRmt =1 ,
  isLR =2
}
 

Public Member Functions

virtual ~XrdSecProtector ()
 Destructor. More...
 
virtual bool Config (const XrdSecProtectParms &lclParms, const XrdSecProtectParms &rmtParms, XrdSysLogger &logr)
 
virtual const char * LName (XrdSecProtectParms::secLevel level)
 
virtual XrdSecProtectNew4Client (XrdSecProtocol &aprot, const ServerResponseReqs_Protocol &inReqs, unsigned int reqLen)
 
virtual XrdSecProtectNew4Server (XrdSecProtocol &aprot, int plvl)
 
virtual int ProtResp (ServerResponseReqs_Protocol &resp, XrdNetAddrInfo &nai, int pver)
 

Protected Member Functions

 XrdSecProtector ()
 

Detailed Description

Definition at line 72 of file XrdSecProtector.hh.

Member Enumeration Documentation

◆ lrType

Enumerator
isLcl 
isRmt 
isLR 

Definition at line 152 of file XrdSecProtector.hh.

Constructor & Destructor Documentation

◆ ~XrdSecProtector()

virtual XrdSecProtector::~XrdSecProtector ( )
inlinevirtual

Destructor.

Definition at line 150 of file XrdSecProtector.hh.

150 {}

◆ XrdSecProtector()

XrdSecProtector::XrdSecProtector ( )
inlineprotected

Definition at line 156 of file XrdSecProtector.hh.

156 {}

Member Function Documentation

◆ Config()

bool XrdSecProtector::Config ( const XrdSecProtectParms lclParms,
const XrdSecProtectParms rmtParms,
XrdSysLogger logr 
)
virtual

Configure request protection for server-side use (not needed on the client). The level decides whether a protection object is built for local and remote clients; the options carry the relax and force flags recorded per side.

Parameters
lclParms Reference to the parameters applied to local (in-domain) clients.
rmtParms Reference to the parameters applied to remote clients. When its level equals the local level the local settings are reused for remote clients as well.
logr Reference to the message logging object.
Returns
true upon success and false upon failure.

Definition at line 100 of file XrdSecProtector.cc.

bool XrdSecProtector::Config(const XrdSecProtectParms &lclParms,
                             const XrdSecProtectParms &rmtParms,
                             XrdSysLogger             &logr)
{
// Route every message this object emits through the caller's logger before
// anything below has a chance to log.
//
   Say.logger(&logr);

// Local-domain protection. The private Config(parms, reqs) overload fills in
// the wire-format requirements; its outcome is not examined here.
//
   if (lclParms.level != XrdSecProtectParms::secNone)
      {Config(lclParms, lrTab[isLcl].reqs);
       lrTab[isLcl].theProt = new XrdSecProtect;
       lrTab[isLcl].theProt->SetProtection(lrTab[isLcl].reqs);
      }

// Remote clients share the local entry when both sides were configured with
// the same level. The decision looks at the level only, not at the options.
// The copy is member-wise, so theProt then points at the same object rather
// than a clone of it.
//
   lrSame = (rmtParms.level == lclParms.level);
   if (lrSame) lrTab[isRmt] = lrTab[isLcl];
      else if (rmtParms.level != XrdSecProtectParms::secNone)
              {Config(rmtParms, lrTab[isRmt].reqs);
               lrTab[isRmt].theProt = new XrdSecProtect;
               lrTab[isRmt].theProt->SetProtection(lrTab[isRmt].reqs);
              }

// Per-side option flags: relax exempts clients whose protocol version
// predates request signing, force keeps signing on even when the auth
// protocol cannot encrypt ("allow unencrypted hash").
// NOTE(review): when lrSame is set, New4Server always consults lrTab[isLcl],
// so the remote flags stored here are never read on that path. Matching
// levels with differing opts therefore silently drop the remote opts;
// confirm that is intended.
//
   lrTab[isLcl].relaxed = (lclParms.opts & XrdSecProtectParms::relax) != 0;
   lrTab[isLcl].force   = (lclParms.opts & XrdSecProtectParms::force) != 0;
   lrTab[isRmt].relaxed = (rmtParms.opts & XrdSecProtectParms::relax) != 0;
   lrTab[isRmt].force   = (rmtParms.opts & XrdSecProtectParms::force) != 0;

// noProt lets New4Server and ProtResp return early when neither side has a
// protection object.
//
   noProt = (lrTab[isLcl].theProt == 0) && (lrTab[isRmt].theProt == 0);

// The declared contract allows false on failure, but nothing above can fail
// in a way this function reports; callers cannot use the return value to
// detect a bad configuration.
//
   return true;
}
static const int relax
relax old clients
secLevel level
In: The desired level.
static const int force
Allow unencryted hash.
int opts
In: Options:
void SetProtection(const ServerResponseReqs_Protocol &inReqs)
virtual bool Config(const XrdSecProtectParms &lclParms, const XrdSecProtectParms &rmtParms, XrdSysLogger &logr)
XrdSysLogger * logger(XrdSysLogger *lp=0)
Definition: XrdSysError.hh:141
XrdSysError Say

References XrdSecProtectParms::force, isLcl, isRmt, XrdSecProtectParms::level, XrdSysError::logger(), XrdSecProtectParms::opts, XrdSecProtectParms::relax, XrdCms::Say, XrdSecProtectParms::secNone, and XrdSecProtect::SetProtection().

Referenced by XrdSecServer::Configure().


◆ LName()

const char * XrdSecProtector::LName ( XrdSecProtectParms::secLevel  level)
virtual

Convert protection level to its corresponding name.

Parameters
level The level value; it is range-checked before being used as an index into the name table.
Returns
Pointer to the name of the level.

Definition at line 182 of file XrdSecProtector.cc.

183 {
184  static const char *lvlVec[] = {"none", "compatible", "standard",
185  "intense", "pedantic"};
186 
187 // Validate the level
188 //
// NOTE(review): lines 189 and 191 are not rendered on this page. Judging from
// the surviving `else if`, they hold the lower-bound check and the clamping
// assignments; consult XrdSecProtector.cc before relying on this listing.
190  else if (level > XrdSecProtectParms::secPedantic)
192 
193 // Return the level name
194 //
// level is used directly as an index into the five-entry table, so the
// (elided) range check above is what keeps this read in bounds.
195  return lvlVec[level];
196 }

References XrdSecProtectParms::secNone, and XrdSecProtectParms::secPedantic.

Referenced by XrdSecServer::Configure().


◆ New4Client()

XrdSecProtect * XrdSecProtector::New4Client ( XrdSecProtocol aprot,
const ServerResponseReqs_Protocol inReqs,
unsigned int  reqLen 
)
virtual

Obtain a new instance of a protection object based on protocol response. This is meant to be used client-side.

Parameters
aprot The authentication protocol that was used; it is also the protocol used to secure requests. It must be supplied. Security is meaningless unless successful authentication has occurred.
inReqs Reference to the security information returned in the kXR_protocol response.
reqLen The actual length of inReqs. It is checked against the length implied by inReqs.secvsz; a response that fails this check yields nil, the same result as a server that requests no protection.
Returns
Pointer to a security object upon success and nil if security is not needed.

Definition at line 202 of file XrdSecProtector.cc.

XrdSecProtect *XrdSecProtector::New4Client(XrdSecProtocol &aprot,
                                     const ServerResponseReqs_Protocol &inReqs,
                                           unsigned int reqLen)
{
// Size of the fixed part of the protocol response, i.e. everything that
// precedes the security vector.
//
   static const unsigned int fixedLen = sizeof(ServerResponseBody_Protocol)
                                      - sizeof(ServerResponseSVec_Protocol);

// Bytes occupied by the security vector the server claims to have sent.
//
   const unsigned int vecLen = static_cast<unsigned int>(inReqs.secvsz)
                             * sizeof(ServerResponseSVec_Protocol);

// Reject a response that is shorter than the vector it declares, or one that
// asks for no protection at all. Both cases yield nil.
// NOTE(review): a truncated or malformed response is thereby treated exactly
// like "no protection requested"; the caller cannot tell the two apart from
// the nil return, so a bad response results in no request signing rather
// than an error. Whether that is acceptable depends on how callers treat nil.
//
   if (fixedLen + vecLen > reqLen) return 0;
   if (inReqs.secvsz == 0 && inReqs.seclvl == kXR_secNone) return 0;

// Signing normally needs a session key from the authentication protocol.
// Without one, proceed only when the server set kXR_secOFrce, in which case
// the object is built with canEncrypt == false (mostly for testing, per the
// original comment).
//
   const bool canEncrypt = (aprot.getKey() > 0);
   if (!canEncrypt && !(inReqs.secopt & kXR_secOFrce)) return 0;

// Build the protection object and load the server's requirements into it.
//
   XrdSecProtect *protP = new XrdSecProtect(&aprot, canEncrypt);
   protP->SetProtection(inReqs);
   return protP;
}
#define kXR_secOFrce
Definition: XProtocol.hh:1127
#define kXR_secNone
Definition: XProtocol.hh:1131
virtual int getKey(char *buff=0, int size=0)

References XrdSecProtocol::getKey(), kXR_secNone, kXR_secOFrce, ServerResponseReqs_Protocol::seclvl, ServerResponseReqs_Protocol::secopt, ServerResponseReqs_Protocol::secvsz, and XrdSecProtect::SetProtection().

Referenced by XrdSecGetProtection().


◆ New4Server()

XrdSecProtect * XrdSecProtector::New4Server ( XrdSecProtocol aprot,
int  plvl 
)
virtual

Obtain a new instance of a security object based on the security settings of this object. This is meant to be used server-side. Which settings apply (local or remote) is decided from the client's network address unless both sides were configured identically.

Parameters
aprot The authentication protocol that was used; it is also the protocol used to secure requests. It must be supplied.
plvl The client's protocol version as the client reported it. With the relax option set, a version below kXR_PROTSIGNVERSION exempts the client from protection, so this exemption is under the client's control by design.
Returns
Pointer to a security object upon success and nil if security is not needed.

Definition at line 239 of file XrdSecProtector.cc.

XrdSecProtect *XrdSecProtector::New4Server(XrdSecProtocol &aprot, int plvl)
{
   static const char *msgForce = "authentication can't encrypt; "
                                 "continuing without it!";
   static const char *msgSkip  = "authentication can't encrypt; "
                                 "allowing unsigned requests!";

// Nothing was configured on either side: no object, no work.
//
   if (noProt) return 0;

// Pick the table entry. With identical local/remote settings the local entry
// always applies; otherwise the peer address decides, via XrdNetIF::InDomain
// (what that treats as in-domain is not visible here).
//
   lrType slot = isLcl;
   if (!lrSame && !XrdNetIF::InDomain(aprot.Entity.addrInfo)) slot = isRmt;

// The chosen side may itself be configured with no protection.
//
   if (!lrTab[slot].theProt) return 0;

// Relaxed mode exempts clients whose advertised protocol version predates
// request signing. plvl comes from the client, so the exemption is
// client-selectable; that is the documented purpose of the relax option
// ("relax old clients"), not an oversight.
//
   if (lrTab[slot].relaxed && plvl < kXR_PROTSIGNVERSION) return 0;

// Encryption needs a session key from the auth protocol. Without one, log
// which protocol fell short and either stop (no force) or carry on with
// canEncrypt == false (force; "allow unencrypted hash" per the option's
// description).
//
   const bool canEncrypt = (aprot.getKey() > 0);
   if (!canEncrypt)
      {char protName[XrdSecPROTOIDSIZE+1];
       // Entity.prot is a fixed-size char array; the bounded copy plus
       // explicit NUL keeps the log call safe even if it is unterminated.
       strncpy(protName, aprot.Entity.prot, XrdSecPROTOIDSIZE);
       protName[XrdSecPROTOIDSIZE] = 0;
       Say.Emsg("Protect", aprot.Entity.tident, protName,
                (lrTab[slot].force ? msgForce : msgSkip));
       if (!lrTab[slot].force) return 0;
      }

// Clone the configured template for this connection.
//
   return new XrdSecProtect(&aprot, *lrTab[slot].theProt, canEncrypt);
}
#define kXR_PROTSIGNVERSION
Definition: XProtocol.hh:74
#define XrdSecPROTOIDSIZE
Definition: XrdSecEntity.hh:47
static bool InDomain(XrdNetAddrInfo *epaddr)
Definition: XrdNetIF.cc:622
XrdNetAddrInfo * addrInfo
Entity's connection details.
Definition: XrdSecEntity.hh:80
const char * tident
Trace identifier always preset.
Definition: XrdSecEntity.hh:81
char prot[XrdSecPROTOIDSIZE]
Auth protocol used (e.g. krb5)
Definition: XrdSecEntity.hh:67
XrdSecEntity Entity
int Emsg(const char *esfx, int ecode, const char *text1, const char *text2=0)
Definition: XrdSysError.cc:95

References XrdSecEntity::addrInfo, XrdSysError::Emsg(), XrdSecProtocol::Entity, XrdSecProtocol::getKey(), XrdNetIF::InDomain(), isLcl, isRmt, kXR_PROTSIGNVERSION, XrdSecEntity::prot, XrdCms::Say, XrdSecEntity::tident, and XrdSecPROTOIDSIZE.


◆ ProtResp()

int XrdSecProtector::ProtResp ( ServerResponseReqs_Protocol resp,
XrdNetAddrInfo nai,
int  pver 
)
virtual

Obtain the proper kXR_protocol response (server-side only)

Parameters
resp Reference to the place where the response is to be placed. Only the fixed part of the structure is written.
nai Reference to the client's network address; it selects the local or remote settings unless both sides were configured identically.
pver Client's protocol version in host byte order (not consulted by the visible code).
Returns
The length of the protocol response security information.

Definition at line 292 of file XrdSecProtector.cc.

294 {
295  static const int rsplen = sizeof(ServerResponseReqs_Protocol)
296  - sizeof(ServerResponseSVec_Protocol);
// NOTE(review): line 297 (presumably the declaration of myResp, a pointer to
// the selected reqs) is not rendered on this page.
298 
299 // Check if we need any response at all
300 //
301  if (noProt) return 0;
302 
303 // Get the right response
304 //
// Same local/remote selection as New4Server, keyed on the peer address;
// lrSame forces the local entry without consulting the address.
305  if (lrSame || XrdNetIF::InDomain(&nai)) myResp = &lrTab[isLcl].reqs;
306  else myResp = &lrTab[isRmt].reqs;
307 
308 // Return result
309 //
// Only the fixed part of the structure is copied and reported: rsplen
// excludes one ServerResponseSVec_Protocol. NOTE(review): if the configured
// reqs carries security-vector entries (secvsz > 0), they are not copied
// here; confirm against the private Config() overload that fills reqs.
310  memcpy(&resp, myResp, rsplen);
311  return rsplen;
312 }

References XrdNetIF::InDomain(), isLcl, and isRmt.


The documentation for this class was generated from the following files: