XrdSecServer Class Reference

#include <XrdSecServer.hh>


Public Member Functions

 XrdSecServer (XrdSysLogger *lp)
 
 ~XrdSecServer ()
 
int Configure (const char *cfn)
 
const char * getParms (int &size, XrdNetAddrInfo *endPoint=0)
 
XrdSecProtocolgetProtocol (const char *host, XrdNetAddrInfo &endPoint, const XrdSecCredentials *cred, XrdOucErrInfo &einfo)
 
bool PostProcess (XrdSecEntity &entity, XrdOucErrInfo &einfo)
 
const char * protTLS ()
 

Detailed Description

Definition at line 45 of file XrdSecServer.hh.

Constructor & Destructor Documentation

◆ XrdSecServer()

XrdSecServer::XrdSecServer ( XrdSysLogger * lp)

Definition at line 288 of file XrdSecServer.cc.

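/// Construct the security server in its default, unconfigured state.
///
/// @param lp  Logger that receives all security messages; it is wrapped in
///            eDest with the "sec_" prefix and handed to the protocol manager.
///
/// Tracing is enabled when either XRDDEBUG or XrdSecDEBUG is present in the
/// environment. The object is never deleted (see the destructor), so the trace
/// object and the token buffer allocated here live for the whole process.
XrdSecServer::XrdSecServer(XrdSysLogger *lp) : eDest(lp, "sec_")
{
// Set default values
//
   PManager.setErrP(&eDest);
   configFN  = "";
   bpFirst   = 0;
   bpLast    = 0;
   bpDefault = 0;
   pinInfo   = 0;
   pidList   = 0;
   Enforce   = false;
   implauth  = false;

// Allocate the security token buffer. The allocation result used to be
// dereferenced unchecked; report and stop instead of faulting on a null.
//
   STBlen = 4096;
   STBuff = static_cast<char *>(malloc(STBlen));
   if (!STBuff)
      {eDest.Say("Config failure: unable to allocate security token buffer.");
       abort();
      }
   *STBuff = '\0';
   SToken  = STBuff;

// Turn on tracing when requested through the environment
//
   SecTrace = new XrdOucTrace(&eDest);
   if (getenv("XRDDEBUG") || getenv("XrdSecDEBUG"))
      {SecTrace->What = TRACE_ALL;
       PManager.setDebug(1);
      }
}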
#define TRACE_ALL
Definition XrdTrace.hh:35
void setErrP(XrdSysError *eP)
void setDebug(int dbg)

References XrdSecPManager::setDebug(), XrdSecPManager::setErrP(), TRACE_ALL, and XrdOucTrace::What.


◆ ~XrdSecServer()

XrdSecServer::~XrdSecServer ( )
inline

Definition at line 67 of file XrdSecServer.hh.

/// The server object lives for the whole process and is never deleted, so
/// nothing owned by it (trace object, token buffer, bindings) is released here.
~XrdSecServer() {}

Member Function Documentation

◆ Configure()

int XrdSecServer::Configure ( const char * cfn)

Definition at line 441 of file XrdSecServer.cc.

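/// Establish the authentication and request-protection configuration.
///
/// @param cfn  Configuration file name handed to ConfigFile().
///
/// @return 0 on success; 1 when the authentication setup (including the
///         optional entity post-processing plugin) or the protection setup
///         failed.
///
/// Each phase is bracketed by a "started." and a "completed." / "failed."
/// banner on eDest so the log shows how far initialization got.
int XrdSecServer::Configure(const char *cfn)
{
   static const int isRlx = XrdSecProtectParms::relax;
   static const int isFrc = XrdSecProtectParms::force;
   XrdSecProtector *protObj;
   const char *lName = "none", *rName = "none";
   const char *status;
   int NoGo;

// Print warm-up message
//
   eDest.Say("++++++ Authentication system initialization started.");

// Perform initialization
//
   NoGo = ConfigFile(cfn);

// Load the entity post processing plugin if we have one. The plugin info
// object is consumed here, so the pointer is cleared rather than left
// dangling. A plugin that fails to load is a configuration failure and is
// reported through the banner below instead of returning silently.
//
   if (pinInfo && !NoGo)
      {XrdSecEntityPin *secPin = pinInfo->KingPin.Load("SecEntityPin");
       delete pinInfo; pinInfo = 0;
       secEntityPin = secPin;
       if (!secPin) NoGo = 1;
      }

// Export the list of security protocols that are available
//
   if (pidList) XrdOucEnv::Export("XRDSECPROTOCOLS", pidList);

// Almost done
//
   status = (NoGo > 0 ? "failed." : "completed.");
   eDest.Say("------ Authentication system initialization ", status);

// No need to configure protect system if authentication failed
//
   if (NoGo) return 1;

// Put out another banner
//
   eDest.Say("++++++ Protection system initialization started.");

// If local level is greater than remote level, issue a warning
//
   if (lclParms.level > rmtParms.level)
      eDest.Say("Config warning: local protection level greater than "
                "remote level; are you sure?");

// Check if we need to initialize protection services. With both levels at
// secNone no protector is loaded and requests are not protected; say so.
//
   if (lclParms.level == XrdSecProtectParms::secNone
   &&  rmtParms.level == XrdSecProtectParms::secNone)
      {eDest.Say("Config warning: Security level is set to none; "
                 "request protection disabled!");
      } else {
       if (!(protObj = XrdSecLoadProtection(eDest))
       ||  !(protObj->Config(lclParms, rmtParms, *eDest.logger()))) NoGo = 1;
          else {lName = protObj->LName(lclParms.level);
                rName = protObj->LName(rmtParms.level);
               }
      }

// Blurt out what we have. Say() takes null for its optional arguments, which
// is how the "relaxed " / " force" qualifiers are omitted when not set.
//
   if (!NoGo)
      {eDest.Say("Config ","Local protection level: ",
                 (lclParms.opts & isRlx ? "relaxed " : 0), lName,
                 (lclParms.opts & isFrc ? " force" : 0));
       eDest.Say("Config ","Remote protection level: ",
                 (rmtParms.opts & isRlx ? "relaxed " : 0), rName,
                 (rmtParms.opts & isFrc ? " force" : 0));
      }

// Now we are done
//
   status = (NoGo > 0 ? "failed." : "completed.");
   eDest.Say("------ Protection system initialization ", status);
   return (NoGo > 0);
}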
XrdSecProtector * XrdSecLoadProtection(XrdSysError &erP)
static int Export(const char *Var, const char *Val)
Definition XrdOucEnv.cc:170
static const int relax
relax old clients
static const int force
Allow unencryted hash.
virtual bool Config(const XrdSecProtectParms &lclParms, const XrdSecProtectParms &rmtParms, XrdSysLogger &logr)
virtual const char * LName(XrdSecProtectParms::secLevel level)
void Say(const char *text1, const char *text2=0, const char *txt3=0, const char *text4=0, const char *text5=0, const char *txt6=0)
XrdSysLogger * logger(XrdSysLogger *lp=0)

References XrdSecProtector::Config(), XrdOucEnv::Export(), XrdSecProtectParms::force, XrdSecProtector::LName(), XrdSysError::logger(), XrdSecProtectParms::relax, XrdSysError::Say(), XrdSecProtectParms::secNone, and XrdSecLoadProtection().

Referenced by XrdSecgetService().


◆ getParms()

const char * XrdSecServer::getParms ( int & size,
XrdNetAddrInfo * endPoint = 0 )
virtual

Obtain security parameters to be sent to the client upon initial contact.

Parameters
size: Where the length of the returned parameters is to be placed.
endPoint: The client's address information. It may also be a null pointer if the client's host is immaterial.
Returns
EITHER the address of the parameter string (which may be host-specific if hname was supplied); the length of the string must be returned in the size parameter. OR a null pointer if authentication need not occur for the client; the size parameter should then be set to zero as well.

Implements XrdSecService.

Definition at line 317 of file XrdSecServer.cc.

// Obtain the security token to send to a client on first contact. A binding
// matched on the endpoint's host name wins over the default binding. A null
// return tells the caller that this client need not authenticate (see the
// interface description above), so the default binding must exist once the
// server is configured: bpDefault is 0 after construction and is dereferenced
// unconditionally below — presumably ConfigFile() always sets it; TODO confirm.
318{
319 EPNAME("getParms")
320 XrdSecProtBind *bp;
321 char buff[256];
322
323// Try to find a specific token binding for a host or return default binding
324//
// bp is left null when no binding matches (the loop ends on bp->next == 0).
325 if (!endPoint || !bpFirst) bp = 0;
326 else {const char *hname = endPoint->Name("*unknown*");
327 bp = bpFirst;
328 do {if (bp->Match(hname)) break;} while((bp = bp->next));
329 }
330
331// Get endpoint info if we are debugging
332//
// NOTE(review): the rendered listing omits source line 335, the closing
// argument of this Format() call; the reference list names
// XrdNetAddrInfo::noPort as the fmtOpts value used here.
333 if (endPoint && QTRACE(Debug))
334 endPoint->Format(buff, sizeof(buff), XrdNetAddrInfo::fmtAuto,
336 else *buff = 0;
337
338// If we have a binding, return that else return the default
339//
340 if (!bp) bp = bpDefault;
341 if (bp->SecToken.buffer)
342 {DEBUG(buff <<" sectoken=" <<bp->SecToken.buffer);
343 size = bp->SecToken.size;
344 return bp->SecToken.buffer;
345 }
346
// A binding without a token means no authentication is required for this
// client; report an empty token and a zero size.
347 DEBUG(buff <<" sectoken=''");
348 size = 0;
349 return (const char *)0;
350}
#define DEBUG(x)
#define EPNAME(x)
#define QTRACE(act)
bool Debug
if(ec< 0) ec
static const int noPort
Do not add port number.
int Format(char *bAddr, int bLen, fmtUse fmtType=fmtAuto, int fmtOpts=0)
@ fmtAuto
Hostname if already resolved o/w use fmtAddr.
const char * Name(const char *eName=0, const char **eText=0)
int Match(const char *hname)
XrdSecProtBind * next
XrdSecParameters SecToken
char * buffer
Pointer to the buffer.
int size
Size of the buffer or length of data in the buffer.

References XrdSecBuffer::buffer, DEBUG, Debug, EPNAME, XrdNetAddrInfo::fmtAuto, XrdNetAddrInfo::Format(), XrdSecProtBind::Match(), XrdNetAddrInfo::Name(), XrdSecProtBind::next, XrdNetAddrInfo::noPort, QTRACE, XrdSecProtBind::SecToken, and XrdSecBuffer::size.


◆ getProtocol()

XrdSecProtocol * XrdSecServer::getProtocol ( const char * host,
XrdNetAddrInfo & endPoint,
const XrdSecCredentials * cred,
XrdOucErrInfo & einfo )
virtual

Obtain a protocol object suitable for authentication based on cred and possibly based on the hostname or host address, as needed.

Parameters
host: The client's host name or the IP address as text. An IP may be supplied if the host address is not resolvable or resolution has been suppressed (i.e. nodnr). Use endPoint to get the hostname if it is actually needed.
endPoint: The XrdNetAddrInfo object describing the client end-point.
cred: The initial credentials supplied by the client; the pointer may be null if the client did not supply credentials.
einfo: The structure to record any error messages. These are normally sent to the client.
Returns
Success: Address of the protocol object to be used for authentication. If cred was null, a host protocol object should be returned if so allowed. Failure: Null, no protocol can be returned. The einfo parameter, if supplied, has the reason.

Implements XrdSecService.

Definition at line 356 of file XrdSecServer.cc.

/// Select the authentication protocol object for a client.
///
/// @param host      Client host name or address text, used for the binding
///                  lookup and passed on to the protocol manager.
/// @param endPoint  Client end-point, passed through to the protocol manager.
/// @param cred      Initial client credentials; a null pointer selects the
///                  "host" protocol.
/// @param einfo     Receives the reason when no protocol can be returned.
///
/// @return The protocol object from the protocol manager, or null with einfo
///         set: EACCES when the credentials are empty or the host's binding
///         does not permit the requested protocol, EPROTONOSUPPORT when the
///         requested protocol is unknown.
///
/// The protocol identifier comes from the client-supplied credential buffer.
/// The per-host restriction on which protocols may be used is applied only
/// when Enforce is set; a host with no binding entry is not restricted here
/// (whether the default binding covers it is decided by XrdSecProtBind::Find —
/// confirm against that code).
XrdSecProtocol *XrdSecServer::getProtocol(const char *host,
                                          XrdNetAddrInfo &endPoint,
                                          const XrdSecCredentials *cred,
                                          XrdOucErrInfo &einfo)
{
   XrdSecCredentials hostCreds;
   const char *msgv[8];

// Absent credentials select the host protocol; present credentials must
// actually carry data.
//
   if (!cred)
      {hostCreds.buffer = (char *)"host";
       hostCreds.size   = 4;
       cred = &hostCreds;
      }
      else if (cred->size < 1 || !(cred->buffer))
              {einfo.setErrInfo(EACCES,"No authentication credentials supplied.");
               return 0;
              }

// When bindings are enforced, the requested protocol must be known and, if
// this host has a binding, allowed by it.
//
   if (Enforce)
      {XrdSecPMask_t pnum = PManager.Find(cred->buffer);
       if (!pnum)
          {msgv[0] = cred->buffer;
           msgv[1] = " security protocol is not supported.";
           einfo.setErrInfo(EPROTONOSUPPORT, msgv, 2);
           return 0;
          }
       XrdSecProtBind *bp = (bpFirst ? bpFirst->Find(host) : 0);
       if (bp && !(bp->ValidProts & pnum))
          {msgv[0] = host;
           msgv[1] = " not allowed to authenticate using ";
           msgv[2] = cred->buffer;
           msgv[3] = " protocol.";
           einfo.setErrInfo(EACCES, msgv, 4);
           return 0;
          }
      }

// Binding check passed (or is not enforced); hand off to the protocol manager
//
   return PManager.Get(host, endPoint, cred->buffer, &einfo);
}
int XrdSecPMask_t
int setErrInfo(int code, const char *emsg)
XrdSecPMask_t Find(const char *pid, char **parg=0)
XrdSecProtocol * Get(const char *hname, XrdNetAddrInfo &endPoint, const char *pname, XrdOucErrInfo *erp)
XrdSecPMask_t ValidProts
XrdSecProtBind * Find(const char *hname)
Generic structure to pass security information back and forth.

References XrdSecBuffer::buffer, XrdSecPManager::Find(), XrdSecProtBind::Find(), XrdSecPManager::Get(), XrdOucErrInfo::setErrInfo(), XrdSecBuffer::size, and XrdSecProtBind::ValidProts.


◆ PostProcess()

bool XrdSecServer::PostProcess ( XrdSecEntity & entity,
XrdOucErrInfo & einfo )
virtual

Post process a fully authenticated XrdSecEntity object.

Parameters
entity: The fully authenticated entity object.
einfo: The structure to record any error messages. These are normally sent to the client. If einfo is a null pointer, the messages should be sent to standard error via an XrdSysError object using the XrdSysLogger supplied when the plugin was initialized.
Returns
Success: True should be returned. Failure: False should be returned and the einfo object should hold the reason. In this case the authentication fails.

Reimplemented from XrdSecService.

Definition at line 407 of file XrdSecServer.cc.

/// Run the optional entity post-processing plugin on an authenticated entity.
///
/// @param entity  The fully authenticated entity handed to the plugin.
/// @param einfo   Receives the rejection reason. If the plugin rejects without
///                setting one, a generic EAUTH message is filled in so the
///                caller never gets a rejection with an empty reason.
///
/// @return true when no plugin is configured or the plugin accepts the
///         entity; false when the plugin rejects it.
bool XrdSecServer::PostProcess(XrdSecEntity &entity, XrdOucErrInfo &einfo)
{
// Without a plugin there is nothing to post process
//
   if (!secEntityPin) return true;

// Let the plugin decide; make sure a rejection always carries a message
//
   if (secEntityPin->Process(entity, einfo)) return true;
   if (*einfo.getErrText() == '\0')
      einfo.setErrInfo(EAUTH, "rejected by auth post processing");
   return false;
}
#define EAUTH
const char * getErrText()

References EAUTH, XrdOucErrInfo::getErrText(), and XrdOucErrInfo::setErrInfo().


◆ protTLS()

const char * XrdSecServer::protTLS ( )
inlinevirtual

Get a list of authentication protocols that require TLS.

Returns
Pointer to a list of protocols that require TLS or a nil if none.

Implements XrdSecService.

Definition at line 64 of file XrdSecServer.hh.

/// List of authentication protocols that require TLS, as reported by the
/// protocol manager; null when none do.
const char *protTLS() {return PManager.protTLS();}
const char * protTLS()

References XrdSecPManager::protTLS().

