/***************************************************************************/
/* */
/* X r d S e c S e r v e r . c c */
/* */
/* (c) 2005 by the Board of Trustees of the Leland Stanford, Jr., University */
/* All Rights Reserved */
/* Produced by Andrew Hanushevsky for Stanford University under contract */
/* DE-AC02-76-SFO0515 with the Department of Energy */
/* */
/* This file is part of the XRootD software suite. */
/* */
/* XRootD is free software: you can redistribute it and/or modify it under */
/* the terms of the GNU Lesser General Public License as published by the */
/* Free Software Foundation, either version 3 of the License, or (at your */
/* option) any later version. */
/* */
/* XRootD is distributed in the hope that it will be useful, but WITHOUT */
/* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or */
/* FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public */
/* License for more details. */
/* */
/* You should have received a copy of the GNU Lesser General Public License */
/* along with XRootD in a file called COPYING.LESSER (LGPL license) and file */
/* COPYING (GPL license). If not, see <http://www.gnu.org/licenses/>. */
/* */
/* The copyright holder's institutional names and contributor's names may not */
/* be used to endorse or promote products derived from this software without */
/* specific prior written permission of the institution or contributor. */
/******************************************************************************/
#include <unistd.h>
#include <ctype.h>
#include <errno.h>
#include <fcntl.h>
#include <netdb.h>
#include <stdlib.h>
#include <strings.h>
#include <stdio.h>
#include <sys/param.h>
#include "XrdVersion.hh"
#include "XrdSys/XrdSysLogger.hh"
#include "XrdSys/XrdSysHeaders.hh"
#include "XrdSys/XrdSysError.hh"
#include "XrdOuc/XrdOucEnv.hh"
#include "XrdOuc/XrdOucErrInfo.hh"
#include "XrdNet/XrdNetAddr.hh"
#include "XrdSec/XrdSecInterface.hh"
#include "XrdSec/XrdSecProtector.hh"
#include "XrdSec/XrdSecServer.hh"
#include "XrdSec/XrdSecTrace.hh"
/******************************************************************************/
/* S e c u r i t y L e v e l s */
/******************************************************************************/
namespace
{
XrdSecProtectParms lclParms;
XrdSecProtectParms rmtParms;
}
/******************************************************************************/
/* X r d S e c P r o t B i n d */
/******************************************************************************/
class XrdSecProtBind
{
public:
XrdSecProtBind *next;
char *thost;
int tpfxlen;
char *thostsfx;
int tsfxlen;
XrdSecParameters SecToken;
XrdSecPMask_t ValidProts;
XrdSecProtBind *Find(const char *hname);
int Match(const char *hname);
XrdSecProtBind(char *th, char *st, XrdSecPMask_t pmask=0);
~XrdSecProtBind()
{free(thost);
if (SecToken.buffer) free(SecToken.buffer);
}
};
/******************************************************************************/
/* C o n s t r u c t o r */
/******************************************************************************/
XrdSecProtBind::XrdSecProtBind(char *th, char *st, XrdSecPMask_t pmask)
{
char *starp;
next = 0;
thost = th;
if (!(starp = index(thost, '*')))
{tsfxlen = -1;
thostsfx = (char *)0;
tpfxlen = 0;
} else {
*starp = '\0';
tpfxlen = strlen(thost);
thostsfx = starp+1;
tsfxlen = strlen(thostsfx);
}
if (st) {SecToken.buffer = strdup(st); SecToken.size = strlen(st);}
else {SecToken.buffer = 0; SecToken.size = 0;}
ValidProts = (pmask ? pmask : ~(XrdSecPMask_t)0);
}
/******************************************************************************/
/* F i n d */
/******************************************************************************/
XrdSecProtBind *XrdSecProtBind::Find(const char *hname)
{
XrdSecProtBind *bp = this;
while(bp && !bp->Match(hname)) bp = bp->next;
return bp;
}
/******************************************************************************/
/* M a t c h */
/******************************************************************************/
int XrdSecProtBind::Match(const char *hname)
{
int i;
// If an exact match wanted, return the result
//
if (tsfxlen < 0) return !strcmp(thost, hname);
// Try to match the prefix
//
if (tpfxlen && strncmp(thost, hname, tpfxlen)) return 0;
// If no suffix matching is wanted, then we have succeeded
//
if (!(thostsfx)) return 1;
// Try to match the suffix
//
if ((i = (strlen(hname) - tsfxlen)) < 0) return 0;
return !strcmp(&hname[i], thostsfx);
}
/******************************************************************************/
/* X r d S e c P r o t P a r m */
/******************************************************************************/
class XrdSecProtParm
{
public:
void Add() {Next = First; First = this;}
int Cat(char *token);
static XrdSecProtParm *Find(char *pid, int remove=0);
int Insert(char oct);
int isProto(char *proto) {return !strcmp(ProtoID, proto);}
char *Result(int &size) {size = bp-buff; return buff;}
void setProt(char *pid) {strcpy(ProtoID, pid);}
static XrdSecProtParm *First;
XrdSecProtParm *Next;
char ProtoID[XrdSecPROTOIDSIZE+1];
XrdSecProtParm(XrdSysError *erp, const char *cid) : who(cid)
{*ProtoID = '\0';
bsize = 4096;
buff = (char *)malloc(bsize);
*buff = '\0';
bp = buff;
eDest = erp;
Next = 0;
}
~XrdSecProtParm() {free(buff);}
private:
XrdSysError *eDest;
int bsize;
char *buff;
char *bp;
const char *who;
};
XrdSecProtParm *XrdSecProtParm::First = 0;
/******************************************************************************/
/* C a t */
/******************************************************************************/
int XrdSecProtParm::Cat(char *token)
{
int alen;
alen = strlen(token);
if (alen+1 > bsize-(bp-buff))
{eDest->Emsg("Config",who,ProtoID,"argument string too long");
return 0;
}
*bp++ = ' ';
strcpy(bp, token);
bp += alen;
return 1;
}
/******************************************************************************/
/* F i n d */
/******************************************************************************/
XrdSecProtParm *XrdSecProtParm::Find(char *pid, int remove)
{
XrdSecProtParm *mp, *pp;
mp = 0; pp = First;
while(pp && !pp->isProto(pid)){mp = pp; pp = pp->Next;}
if (pp && remove)
{if (mp) mp->Next = pp->Next;
else First = pp->Next;
}
return pp;
}
/******************************************************************************/
/* I n s e r t */
/******************************************************************************/
int XrdSecProtParm::Insert(char oct)
{
if (bsize-(bp-buff) < 1)
{eDest->Emsg("Config",who,ProtoID,"argument string too long");
return 0;
}
*bp++ = oct;
return 1;
}
/******************************************************************************/
/* X r d S e c S e r v e r */
/******************************************************************************/
XrdSecPManager XrdSecServer::PManager;
/******************************************************************************/
/* C o n s t r u c t o r */
/******************************************************************************/
XrdSecServer::XrdSecServer(XrdSysLogger *lp) : eDest(lp, "sec_")
{
// Set default values
//
PManager.setErrP(&eDest);
bpFirst = 0;
bpLast = 0;
bpDefault = 0;
STBlen = 4096;
STBuff = (char *)malloc(STBlen);
*STBuff = '\0';
SToken = STBuff;
SecTrace = new XrdOucTrace(&eDest);
if (getenv("XRDDEBUG") || getenv("XrdSecDEBUG"))
{SecTrace->What = TRACE_ALL;
PManager.setDebug(1);
}
Enforce = 0;
implauth = 0;
}
/******************************************************************************/
/* g e t P a r m s */
/******************************************************************************/
const char *XrdSecServer::getParms(int &size, XrdNetAddrInfo *endPoint)
{
EPNAME("getParms")
XrdSecProtBind *bp;
char buff[256];
// Try to find a specific token binding for a host or return default binding
//
if (!endPoint || !bpFirst) bp = 0;
else {const char *hname = endPoint->Name("*unknown*");
bp = bpFirst;
do {if (bp->Match(hname)) break;} while((bp = bp->next));
}
// Get endpoint info if we are debugging
//
if (endPoint && QTRACE(Debug))
endPoint->Format(buff, sizeof(buff), XrdNetAddrInfo::fmtAuto,
XrdNetAddrInfo::noPort);
else *buff = 0;
// If we have a binding, return that else return the default
//
if (!bp) bp = bpDefault;
if (bp->SecToken.buffer)
{DEBUG(buff <<" sectoken=" <<bp->SecToken.buffer);
size = bp->SecToken.size;
return bp->SecToken.buffer;
}
DEBUG(buff <<" sectoken=''");
size = 0;
return (const char *)0;
}
/******************************************************************************/
/* g e t P r o t o c o l */
/******************************************************************************/
XrdSecProtocol *XrdSecServer::getProtocol(const char *host,
XrdNetAddrInfo &endPoint,
const XrdSecCredentials *cred,
XrdOucErrInfo *einfo)
{
XrdSecProtBind *bp;
XrdSecPMask_t pnum;
XrdSecCredentials myCreds;
const char *msgv[8];
// If null credentials supplied, default to host protocol otherwise make sure
// credentials data is actually supplied.
//
if (!cred) {myCreds.buffer=(char *)"host"; myCreds.size = 4; cred=&myCreds;}
else if (cred->size < 1 || !(cred->buffer))
{einfo->setErrInfo(EACCES,
(char *)"No authentication credentials supplied.");
return 0;
}
// If protocol binding must be enforced, make sure the host is not using a
// disallowed protocol.
//
if (Enforce)
{if ((pnum = PManager.Find(cred->buffer)))
{if (bpFirst && (bp = bpFirst->Find(host))
&& !(bp->ValidProts & pnum))
{msgv[0] = host;
msgv[1] = " not allowed to authenticate using ";
msgv[2] = cred->buffer;
msgv[3] = " protocol.";
einfo->setErrInfo(EACCES, msgv, 4);
return 0;
}
}
else {msgv[0] = cred->buffer;
msgv[1] = " security protocol is not supported.";
einfo->setErrInfo(EPROTONOSUPPORT, msgv, 2);
return 0;
}
}
// If we passed the protocol binding check, try to get an instance of the
// protocol the host is using
//
return PManager.Get(host, endPoint, cred->buffer, einfo);
}
/******************************************************************************/
/* C o n f i g F i l e P r o c e s s i n g M e t h o d s */
/******************************************************************************/
/******************************************************************************/
/* d e f i n e s */
/******************************************************************************/
#define TS_Xeq(x,m) if (!strcmp(x,var)) return m(Config,Eroute);
#define TS_Str(x,m) if (!strcmp(x,var)) {free(m); m = strdup(val); return 0;}
#define TS_Chr(x,m) if (!strcmp(x,var)) {m = val[0]; return 0;}
#define TS_Bit(x,m,v) if (!strcmp(x,var)) {m = v; return 0;}
#define Max(x,y) (x > y ? x : y)
/******************************************************************************/
/* C o n f i g u r e */
/******************************************************************************/
int XrdSecServer::Configure(const char *cfn)
/*
Function: Establish default values using a configuration file.
Input: None.
Output: 0 upon success or !0 otherwise.
*/
{
extern XrdSecProtector *XrdSecLoadProtection(XrdSysError &erP);
static const int isRlx = XrdSecProtectParms::relax;
static const int isFrc = XrdSecProtectParms::force;
XrdSecProtector *protObj;
const char *lName = "none", *rName = "none";
char *var;
int NoGo;
// Print warm-up message
//
eDest.Say("++++++ Authentication system initialization started.");
// Perform initialization
//
NoGo = ConfigFile(cfn);
// Almost done
//
var = (NoGo > 0 ? (char *)"failed." : (char *)"completed.");
eDest.Say("------ Authentication system initialization ", var);
// No need to configure protect system if authentication failed
//
if (NoGo) return 1;
// Put out another banner
//
eDest.Say("++++++ Protection system initialization started.");
// If local level if greater than remote level, issue a warning
//
if (lclParms.level > rmtParms.level)
eDest.Say("Config warning: local protection level greater than "
"remote level; are you sure?");
// Check if we need to initialize protection services
//
if (lclParms.level == XrdSecProtectParms::secNone
&& rmtParms.level == XrdSecProtectParms::secNone)
{eDest.Say("Config warning: Security level is set to none; "
"request protection disabled!");
} else {
if (!(protObj = XrdSecLoadProtection(eDest))
|| !(protObj->Config(lclParms, rmtParms, *eDest.logger()))) NoGo = 1;
else {lName = protObj->LName(lclParms.level);
rName = protObj->LName(rmtParms.level);
}
}
// Blurt out what we have
//
if (!NoGo)
{eDest.Say("Config ","Local protection level: ",
(lclParms.opts & isRlx ? "relaxed " : 0), lName,
(lclParms.opts & isFrc ? " force" : 0));
eDest.Say("Config ","Remote protection level: ",
(rmtParms.opts & isRlx ? "relaxed " : 0), rName,
(rmtParms.opts & isFrc ? " force" : 0));
}
// Now we are done
//
var = (NoGo > 0 ? (char *)"failed." : (char *)"completed.");
eDest.Say("------ Protection system initialization ", var);
return (NoGo > 0);
}
/******************************************************************************/
/* C o n f i g F i l e */
/******************************************************************************/
int XrdSecServer::ConfigFile(const char *ConfigFN)
/*
Function: Establish default values using a configuration file.
Input: None.
Output: 1 - Initialization failed.
0 - Initialization succeeded.
*/
{
char *var;
int cfgFD, retc, NoGo = 0, recs = 0;
XrdOucEnv myEnv;
XrdOucStream Config(&eDest, getenv("XRDINSTANCE"), &myEnv, "=====> ");
XrdSecProtParm *pp;
// If there is no config file, return with the defaults sets.
//
if (!ConfigFN || !*ConfigFN)
{eDest.Emsg("Config", "Authentication configuration file not specified.");
return 1;
}
// Try to open the configuration file.
//
if ( (cfgFD = open(ConfigFN, O_RDONLY, 0)) < 0)
{eDest.Emsg("Config", errno, "opening config file", ConfigFN);
return 1;
}
// Now start reading records until eof.
//
Config.Attach(cfgFD); Config.Tabs(0);
while((var = Config.GetMyFirstWord()))
{if (!strncmp(var, "sec.", 4))
{recs++;
if (ConfigXeq(var+4, Config, eDest)) {Config.Echo(); NoGo = 1;}
}
}
// Now check if any errors occured during file i/o
//
if ((retc = Config.LastError()))
NoGo = eDest.Emsg("Config",-retc,"reading config file", ConfigFN);
else {char buff[128];
snprintf(buff, sizeof(buff),
" %d authentication directives processed in ", recs);
eDest.Say("Config", buff, ConfigFN);
}
Config.Close();
// Determine whether we should initialize security
//
if (NoGo || ProtBind_Complete(eDest) ) NoGo = 1;
else if ((pp = XrdSecProtParm::First))
{NoGo = 1;
while(pp) {eDest.Emsg("Config", "protparm", pp->ProtoID,
"does not have a matching protocol.");
pp = pp->Next;
}
}
// All done
//
return NoGo;
}
/******************************************************************************/
/* P r i v a t e M e t h o d s */
/******************************************************************************/
/******************************************************************************/
/* C o n f i g X e q */
/******************************************************************************/
int XrdSecServer::ConfigXeq(char *var, XrdOucStream &Config, XrdSysError &Eroute)
{
// Fan out based on the variable
//
TS_Xeq("level", xlevel);
TS_Xeq("protbind", xpbind);
TS_Xeq("protocol", xprot);
TS_Xeq("protparm", xpparm);
TS_Xeq("trace", xtrace);
// No match found, complain.
//
Eroute.Say("Config warning: ignoring unknown directive '",var,"'.");
Config.Echo();
return 0;
}
/******************************************************************************/
/* x l e v e l */
/******************************************************************************/
/* Function: xlevel
Purpose: To parse the directive: level [<type>] [relaxed] <level> [force]
<type> all | local | remote
<level> none | compatible | standard | intense | pedantic
Output: 0 upon success or !0 upon failure.
*/
int XrdSecServer::xlevel(XrdOucStream &Config, XrdSysError &Eroute)
{
struct lvltab {const char *lname; XrdSecProtectParms::secLevel lvl;} ltab[] =
{{"none", XrdSecProtectParms::secNone},
{"compatible", XrdSecProtectParms::secCompatible},
{"standard", XrdSecProtectParms::secStandard},
{"intense", XrdSecProtectParms::secIntense},
{"pedantic", XrdSecProtectParms::secPedantic}
};
int i, numopts = sizeof(ltab)/sizeof(struct lvltab);
bool isLcl = true, isRmt = true, isSpec = false, isRlx = false, isFRC=false;
char *val;
// Get the template host
//
val = Config.GetWord();
if (!val || !val[0])
{Eroute.Emsg("Config","level not specified"); return 1;}
// Check for optional keyword
//
if (!strcmp(val, "all")) isSpec = true;
else if (!strcmp(val, "local")) {isSpec = true; isRmt = false;}
else if (!strcmp(val, "remote")){isSpec = true; isLcl = false;}
// Check if we need another token
//
if (isSpec)
{val = Config.GetWord();
if (!val || !val[0])
{Eroute.Emsg("Config","level not specified"); return 1;}
}
// Check for optional relaxed keyword
//
if (!strcmp(val, "relaxed"))
{isRlx = true;
val = Config.GetWord();
if (!val || !val[0])
{Eroute.Emsg("Config","level not specified"); return 1;}
}
// Get the level
//
for (i = 0; i < numopts; i++) if (!strcmp(ltab[i].lname, val)) break;
if (i >= numopts)
{Eroute.Emsg("Config", "invalid level option -", val); return 1;}
// Check for final keyword
//
val = Config.GetWord();
if (val && val[0])
{if (strcmp(val, "force"))
{Eroute.Emsg("Config","invalid level modifier - ", val); return 1;}
isFRC = true;
}
// Set appropriate levels
//
if (isLcl)
{lclParms.level = ltab[i].lvl;
if (isRlx) lclParms.opts |= XrdSecProtectParms::relax;
else lclParms.opts &= ~XrdSecProtectParms::relax;
if (isFRC) lclParms.opts |= XrdSecProtectParms::force;
else lclParms.opts &= ~XrdSecProtectParms::force;
}
if (isRmt)
{rmtParms.level = ltab[i].lvl;
if (isRlx) rmtParms.opts |= XrdSecProtectParms::relax;
else rmtParms.opts &= ~XrdSecProtectParms::relax;
if (isFRC) rmtParms.opts |= XrdSecProtectParms::force;
else rmtParms.opts &= ~XrdSecProtectParms::force;
}
return 0;
}
/******************************************************************************/
/* x p b i n d */
/******************************************************************************/
/* Function: xpbind
Purpose: To parse the directive: protbind <thost> [none | [only] <plist>]
<thost> is a templated host name (e.g., bronco*.slac.stanford.edu)
<plist> are the protocols to be bound to the <thost>. A special
protocol, none, indicates that no token is to be passed.
Output: 0 upon success or !0 upon failure.
*/
int XrdSecServer::xpbind(XrdOucStream &Config, XrdSysError &Eroute)
{
EPNAME("xpbind")
char *val, *thost;
XrdSecProtBind *bnow;
char sectoken[4096], *secbuff = sectoken;
int isdflt = 0, only = 0, anyprot = 0, noprot = 0, phost = 0;
int sectlen = sizeof(sectoken)-1;
XrdSecPMask_t PMask = 0;
*secbuff = '\0';
// Get the template host
//
val = Config.GetWord();
if (!val || !val[0])
{Eroute.Emsg("Config","protbind host not specified"); return 1;}
// Verify that this host has not been bound before
//
if ((isdflt = !strcmp("*", val))) bnow = bpDefault;
else {bnow = bpFirst;
while(bnow) if (!strcmp(bnow->thost, val)) break;
else bnow = bnow->next;
}
if (bnow) {Eroute.Emsg("Config","duplicate protbind definition - ", val);
return 1;
}
thost = strdup(val);
// Now get each protocol to be used (there must be one).
//
while((val = Config.GetWord()))
{if (!strcmp(val, "none")) {noprot = 1; break;}
if (!strcmp(val, "only")) {only = 1; Enforce = 1;}
else if (!strcmp(val, "host")) {phost = 1; anyprot = 1;}
else if (!PManager.Find(val))
{Eroute.Emsg("Config","protbind", val,
"protocol not previously defined.");
return 1;
}
else if (add2token(Eroute, val, &secbuff, sectlen, PMask))
{Eroute.Emsg("Config","Unable to bind protocols to",thost);
return 1;
} else anyprot = 1;
}
// Verify that no conflicts arose
//
if (val && (val = Config.GetWord()))
{Eroute.Emsg("Config","conflicting protbind:", thost, val);
return 1;
}
// Make sure we have some protocols bound to this host
//
if (!(anyprot || noprot))
{Eroute.Emsg("Config","no protocols bound to", thost); return 1;}
DEBUG("XrdSecConfig: Bound "<< thost<< " to "
<< (noprot ? "none" : (phost ? "host" : sectoken)));
// Issue warning if the host protocol was bound to this host but other
// protocols were also bound, making them rather useless.
//
if (phost && *sectoken)
{Eroute.Say("Config warning: 'protbind", thost,
"host' negates all other bound protocols.");
*sectoken = '\0';
}
// Translate "localhost" to our local hostname, if possible.
//
if (!strcmp("localhost", thost))
{XrdNetAddr myIPAddr(0);
free(thost);
thost = strdup(myIPAddr.Name("localhost"));
}
// Create new bind object
//
bnow = new XrdSecProtBind(thost,(noprot ? 0:sectoken),(only ? PMask:0));
// Push the entry onto our bindings
//
if (isdflt) bpDefault = bnow;
else {if (bpLast) bpLast->next = bnow;
else bpFirst = bnow;
bpLast = bnow;
}
// All done
//
return 0;
}
/******************************************************************************/
/* x p r o t */
/******************************************************************************/
/* Function: xprot
Purpose: To parse the directive: protocol [<path>] <pid> [ <opts> ]
<path> is the absolute path where the protocol library resides
<pid> is the 1-to-8 character protocol id.
<opts> are the associated protocol specific options such as:
noipcheck - don't check ip address origin
keyfile <kfn> - the key file associated with protocol
args <args> - associated non-blank arguments
Additional arguments may be passed to the protocol using the
protargs directive. ALl protargs directives must appear
prior to the protocol directive for the given protocol.
Output: 0 upon success or !0 upon failure.
*/
int XrdSecServer::xprot(XrdOucStream &Config, XrdSysError &Eroute)
{
XrdSecProtParm *pp, myParms(&Eroute, "protocol");
char *pap, *val, pid[XrdSecPROTOIDSIZE+1], *args = 0;
char pathbuff[1024], *path = 0;
int psize;
XrdOucErrInfo erp;
XrdSecPMask_t mymask = 0;
// Get the protocol id
//
val = Config.GetWord();
if (val && *val == '/')
{strlcpy(pathbuff, val, sizeof(pathbuff)); path = pathbuff;
val = Config.GetWord();
}
if (!val || !val[0])
{Eroute.Emsg("Config","protocol id not specified"); return 1;}
// Verify that we don't have this protocol
//
if (strlen(val) > XrdSecPROTOIDSIZE)
{Eroute.Emsg("Config","protocol id too long - ", val); return 1;}
if (PManager.Find(val))
{Eroute.Say("Config warning: protocol ",val," previously defined.");
strcpy(pid, val);
return add2token(Eroute, pid, &STBuff, STBlen, mymask);}
// The builtin host protocol does not accept any parameters. Additionally, the
// host protocol negates any other protocols we may have in the default set.
//
if (!strcmp("host", val))
{if (Config.GetWord())
{Eroute.Emsg("Config", "Builtin host protocol does not accept parms.");
return 1;
}
implauth = 1;
return 0;
}
// Grab additional parameters that we here and that we have accumulated
//
strcpy(pid, val);
while((args = Config.GetWord())) if (!myParms.Cat(args)) return 1;
if ((pp = myParms.Find(pid, 1)))
{if ((*myParms.Result(psize) && !myParms.Insert('\n'))
|| !myParms.Cat(pp->Result(psize))) return 1;
else delete pp;
}
// Load this protocol
//
pap = myParms.Result(psize);
if (!PManager.Load(&erp, 's', pid, (psize ? pap : 0), path))
{if (*(erp.getErrText())) Eroute.Say(erp.getErrText());
return 1;
}
// Add this protocol to the default security token
//
return add2token(Eroute, pid, &STBuff, STBlen, mymask);
}
/******************************************************************************/
/* x p p a r m */
/******************************************************************************/
/* Function: xpparm
Purpose: To parse the directive: protparm <prot> <args>
<prot> is the name of the protocol to which these args apply.
<args> are the protocol specific parameters. The remaing tokens
on the line will be passed to the protocol at during
protocol initialization. Each such line is separated by
a new line character.
Output: 0 upon success or !0 upon failure.
*/
int XrdSecServer::xpparm(XrdOucStream &Config, XrdSysError &Eroute)
{
XrdSecProtParm *pp;
char *val, pid[XrdSecPROTOIDSIZE+1];
// Get the protocol name
//
val = Config.GetWord();
if (!val || !val[0])
{Eroute.Emsg("Config","protparm protocol not specified"); return 1;}
// The builtin host protocol does not accept any parameters
//
if (!strcmp("host", val))
{Eroute.Emsg("Config", "Builtin host protocol does not accept protparms.");
return 1;
}
// Verify that we don't have this protocol
//
if (strlen(val) > XrdSecPROTOIDSIZE)
{Eroute.Emsg("Config","protocol id too long - ", val); return 1;}
if (PManager.Find(val))
{Eroute.Emsg("Config warning: protparm protocol ",val," already defined.");
return 0;
}
strcpy(pid, val);
// Make sure we have at least one parameter here
//
if (!(val = Config.GetWord()))
{Eroute.Emsg("Config","protparm", pid, "parameter not specified");
return 1;
}
// Try to find a previous incarnation of this parm
//
if ((pp = XrdSecProtParm::Find(pid))) {if (!pp->Insert('\n')) return 1;}
else {pp = new XrdSecProtParm(&Eroute, "protparm");
pp->setProt(pid);
pp->Add();
}
// Grab the options for the protocol. They are pretty much opaque to us here
//
do {if (!pp->Cat(val)) return 1;} while((val = Config.GetWord()));
return 0;
}
/******************************************************************************/
/* x t r a c e */
/******************************************************************************/
/* Function: xtrace
Purpose: To parse the directive: trace <events>
<events> the blank separated list of events to trace. Trace
directives are cummalative.
Output: 0 upon success or !0 upon failure.
*/
int XrdSecServer::xtrace(XrdOucStream &Config, XrdSysError &Eroute)
{
static struct traceopts {const char *opname; int opval;} tropts[] =
{
{"all", TRACE_ALL},
{"debug", TRACE_Debug},
{"auth", TRACE_Authen},
{"authentication", TRACE_Authen}
};
int i, neg, trval = 0, numopts = sizeof(tropts)/sizeof(struct traceopts);
char *val;
val = Config.GetWord();
if (!val || !val[0])
{Eroute.Emsg("Config", "trace option not specified"); return 1;}
while (val && val[0])
{if (!strcmp(val, "off")) trval = 0;
else {if ((neg = (val[0] == '-' && val[1]))) val++;
for (i = 0; i < numopts; i++)
{if (!strcmp(val, tropts[i].opname))
{if (neg) trval &= ~tropts[i].opval;
else trval |= tropts[i].opval;
break;
}
}
if (i >= numopts)
Eroute.Say("Config warning: ignoring invalid trace option '", val, "'.");
}
val = Config.GetWord();
}
SecTrace->What = (SecTrace->What & ~TRACE_Authenxx) | trval;
// Propogate the debug option
//
#ifndef NODEBUG
if (QTRACE(Debug)) PManager.setDebug(1);
else PManager.setDebug(0);
#endif
return 0;
}
/******************************************************************************/
/* M i s c e l l a n e o u s */
/******************************************************************************/
/******************************************************************************/
/* a d d 2 t o k e n */
/******************************************************************************/
int XrdSecServer::add2token(XrdSysError &Eroute, char *pid,
char **tokbuff, int &toklen, XrdSecPMask_t &pmask)
{
int i;
char *pargs;
XrdSecPMask_t protnum;
// Find the protocol argument string
//
if (!(protnum = PManager.Find(pid, &pargs)))
{Eroute.Emsg("Config","Protocol",pid,"not found after being added!");
return 1;
}
// Make sure we have enough room to add
//
i = 4+strlen(pid)+strlen(pargs);
if (i >= toklen)
{Eroute.Emsg("Config","Protocol",pid,"parms exceed overall maximum!");
return 1;
}
// Insert protocol specification (we already checked for an overflow)
//
i = sprintf(*tokbuff, "&P=%s%s%s", pid, (*pargs ? "," : ""), pargs);
toklen -= i;
*tokbuff += i;
pmask |= protnum;
return 0;
}
/******************************************************************************/
/* P r o t B i n d _ C o m p l e t e */
/******************************************************************************/
int XrdSecServer::ProtBind_Complete(XrdSysError &Eroute)
{
EPNAME("ProtBind_Complete")
XrdOucErrInfo erp;
// Check if we have a default token, create one otherwise
//
if (!bpDefault)
{if (!*SToken) {Eroute.Say("Config warning: No protocols defined; "
"only host authentication available.");
implauth = 1;
}
else if (implauth)
{Eroute.Say("Config warning: enabled builtin host "
"protocol negates default use of any other protocols.");
*SToken = '\0';
}
bpDefault = new XrdSecProtBind(strdup("*"), SToken);
DEBUG("Default sectoken built: '" <<SToken <<"'");
}
// Add the host protocol to the set at this point to allow clients to
// actually give use "host" as a protocol id if it's allowed. We do this so
// that the right error message is generated. Otherwise, it ignored.
//
if (implauth && !PManager.Load(&erp, 's', "host", 0, 0))
{Eroute.Emsg("Config", erp.getErrText()); return 1;}
// Free up the constructed default sectoken
//
free(SToken); SToken = STBuff = 0; STBlen = 0;
return 0;
}
/******************************************************************************/
/* X r d S e c g e t S e r v i c e */
/******************************************************************************/
extern "C"
{
XrdSecService *XrdSecgetService(XrdSysLogger *lp, const char *cfn)
{
XrdSecServer *SecServer = new XrdSecServer(lp);
// Configure the server object
//
if (SecServer->Configure(cfn)) return 0;
// Return the server object
//
return (XrdSecService *)SecServer;
}
}