XrdSecProtocolztn Class Reference

Public Member Functions

 XrdSecProtocolztn (const char *hname, XrdNetAddrInfo &endPoint, XrdSciTokensHelper *sthp)
 
 XrdSecProtocolztn (const char *parms, XrdOucErrInfo *erp, bool &aOK)
 
 ~XrdSecProtocolztn ()
 
int Authenticate (XrdSecCredentials *cred, XrdSecParameters **parms, XrdOucErrInfo *einfo=0)
 
void Delete ()
 Delete the protocol object. DO NOT use C++ delete() on this object.
 
XrdSecCredentials * getCredentials (XrdSecParameters *parms, XrdOucErrInfo *einfo=0)
 
bool needTLS ()
 Check if this protocol requires TLS to properly function.
 
- Public Member Functions inherited from XrdSecProtocol
 XrdSecProtocol (const char *pName)
 Constructor.
 
virtual int Decrypt (const char *inbuff, int inlen, XrdSecBuffer **outbuff)
 
virtual int Encrypt (const char *inbuff, int inlen, XrdSecBuffer **outbuff)
 
virtual int getKey (char *buff=0, int size=0)
 
virtual int setKey (char *buff, int size)
 
virtual int Sign (const char *inbuff, int inlen, XrdSecBuffer **outbuff)
 
virtual int Verify (const char *inbuff, int inlen, const char *sigbuff, int siglen)
 

Static Public Attributes

static const int ztnVersion = 0
 

Additional Inherited Members

- Public Attributes inherited from XrdSecProtocol
XrdSecEntity Entity
 
- Protected Member Functions inherited from XrdSecProtocol
virtual ~XrdSecProtocol ()
 Destructor (prevents use of direct delete).
 

Detailed Description

Definition at line 182 of file XrdSecProtocolztn.cc.

Constructor & Destructor Documentation

◆ XrdSecProtocolztn() [1/2]

XrdSecProtocolztn::XrdSecProtocolztn ( const char * parms,
XrdOucErrInfo * erp,
bool & aOK )

Definition at line 269 of file XrdSecProtocolztn.cc.

XrdSecProtocolztn::XrdSecProtocolztn(const char *parms, XrdOucErrInfo *erp,
                                     bool &aOK)
                  : XrdSecProtocol("ztn"), sthP(0),
                    tokName(""), ztnInfo(0), maxTSize(0),
                    cont(false), rtGet(false), verJWT(false)
{
// Client-side constructor. The server sends its requirements at login as the
// string "<opts+ver>:<maxtsz>:"; both numeric fields are decoded here. aOK
// becomes true only when each field parses and is followed by a colon; on any
// failure Fatal() records the reason in erp and aOK is left false. Anything
// after the second colon is not examined.
//
   aOK = false;

   if (!parms || !(*parms))
      {Fatal(erp, "Client parameters not specified.", EINVAL);
       return;
      }

// Field 1: option bits plus protocol version, stored as-is in ztnInfo.
//
   char *fieldEnd = 0;
   ztnInfo = strtoll(parms, &fieldEnd, 10);
   if (*fieldEnd != ':')
      {Fatal(erp, "Malformed client parameters.", EINVAL);
       return;
      }

// Field 2: largest token the server will accept; must be positive.
//
   const char *sizeText = fieldEnd + 1;
   maxTSize = strtol(sizeText, &fieldEnd, 10);
   if (maxTSize <= 0 || *fieldEnd != ':')
      {Fatal(erp, "Invalid or missing maxtsz parameter.", EINVAL);
       return;
      }

   aOK = true;
}

References Fatal().


◆ XrdSecProtocolztn() [2/2]

XrdSecProtocolztn::XrdSecProtocolztn ( const char * hname,
XrdNetAddrInfo & endPoint,
XrdSciTokensHelper * sthp )
inline

Definition at line 204 of file XrdSecProtocolztn.cc.

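XrdSecProtocolztn::XrdSecProtocolztn(const char *hname, XrdNetAddrInfo &endPoint,
                                     XrdSciTokensHelper *sthp)
                  : XrdSecProtocol("ztn"), sthP(sthp), tokName(""),
                    ztnInfo(0), maxTSize(MaxTokSize), cont(false),
                    rtGet(false), verJWT(false)
{
// Server-side constructor. Seeds Entity with the peer's host name, a
// placeholder name of "anon" (replaced once a token validates) and a pointer
// to the caller-owned endPoint. The pointer is stored, not copied, so
// endPoint has to outlive this object. ztnInfo is initialised here for parity
// with the client-side constructor; previously this path left it
// indeterminate. A null hname now yields a null Entity.host instead of
// passing null to strdup().
//
   Entity.host     = (hname ? strdup(hname) : 0);
   Entity.name     = strdup("anon");
   Entity.addrInfo = &endPoint;
}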

References XrdSecEntity::addrInfo, XrdSecProtocol::Entity, XrdSecEntity::host, and XrdSecEntity::name.

◆ ~XrdSecProtocolztn()

XrdSecProtocolztn::~XrdSecProtocolztn ( )
inline

Definition at line 214 of file XrdSecProtocolztn.cc.

XrdSecProtocolztn::~XrdSecProtocolztn()
{
// Release the strdup()/malloc() strings this object placed in Entity. free()
// accepts a null pointer, so no per-field test is needed. Reached only
// through Delete(); direct delete on a protocol object is not permitted.
//
   free(Entity.host);
   free(Entity.name);
   free(Entity.creds);
}

References XrdSecEntity::creds, XrdSecProtocol::Entity, XrdSecEntity::host, and XrdSecEntity::name.

Member Function Documentation

◆ Authenticate()

int XrdSecProtocolztn::Authenticate ( XrdSecCredentials * cred,
XrdSecParameters ** parms,
XrdOucErrInfo * einfo = 0 )
virtual

Authenticate a client.

Parameters
cred Credentials supplied by the client.
parms Place where the address of additional authentication data is to be placed for another authentication handshake.
einfo The error information object where error messages should be placed. The messages are returned to the client. Should einfo be null, messages should be written to stderr.
Returns
> 0 -> parms present (more authentication needed)
= 0 -> Entity present (authentication succeeded)
< 0 -> einfo present (error has occurred)

Implements XrdSecProtocol.

Definition at line 590 of file XrdSecProtocolztn.cc.

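int XrdSecProtocolztn::Authenticate(XrdSecCredentials *cred,
                                    XrdSecParameters **parms,
                                    XrdOucErrInfo     *erp)
{
   static const int pfxLen = sizeof(TokenHdr) + sizeof(uint16_t);
   TokenResp *tResp;

// Server-side handling of a client credential buffer. Every byte of
// cred->buffer is client controlled, so each field is bounds-checked against
// cred->size before it is read. Returns 0 with Entity filled in on success,
// whatever SendAI() returns when the client asked for the issuer list, and -1
// with the reason recorded in erp on any failure. The buffer must hold at
// least a TokenHdr; a SndAI request consists of nothing but that header, so
// no more may be demanded at this point.
//
   if (cred->size < (int)sizeof(TokenHdr) || !cred->buffer)
      {Fatal(erp, "Invalid ztn credentials", EINVAL, false);
       return -1;
      }
   tResp = (TokenResp *)cred->buffer;

// Check if this is our protocol. NOTE(review): strcmp() relies on hdr.id
// being null terminated inside the header; a width-bounded compare would not
// depend on that -- confirm against the TokenHdr layout.
//
   if (strcmp(tResp->hdr.id, "ztn"))
      {char msg[256];
       snprintf(msg, sizeof(msg),
                "Authentication protocol id mismatch ('ztn' != '%.4s').",
                tResp->hdr.id);
       Fatal(erp, msg, EINVAL, false);
       return -1;
      }

// A request for the list of authorized issuers carries no token at all.
//
   if (tResp->hdr.opr == TokenHdr::SndAI) return SendAI(erp, parms);

// Anything other than a token response is an error.
//
   if (tResp->hdr.opr != TokenHdr::IsTkn)
      {Fatal(erp, "Invalid ztn response code", EINVAL, false);
       return -1;
      }

// Make sure the response is consistent. The length field sits beyond the
// header, so the buffer must span the whole prefix before len is read (the
// previous code read it unconditionally). The remaining checks keep every
// later access to tkn inside cred->size and guarantee a terminating null,
// which strlen() and the copy below depend on.
//
   const char *isBad = 0;
   int tLen = 0;

        if (tResp->hdr.ver != ztnVersion)    isBad = "version mismatch";
   else if (cred->size < pfxLen)             isBad = "credsize < prefix";
   else if ((tLen = ntohs(tResp->len)) < 1)  isBad = "token length < 1";
   else if (pfxLen + tLen > cred->size)      isBad = "respdata > credsize";
   else if (!(tResp->tkn[0]))                isBad = "null token";
   else if (*(tResp->tkn+(tLen-1)))          isBad = "missing null byte";

   if (isBad)
      {char eText[80];
       snprintf(eText, sizeof(eText), "'ztn' token malformed; %s", isBad);
       Fatal(erp, eText, EINVAL, false);
       return -1;
      }

// Validate the token. Any name a previous round left in Entity is discarded
// so that only Validate() (or the "anon" fallback below) decides it. With
// expiry (set elsewhere in this file) > 0 a token without an expiry claim is
// rejected. NOTE(review): the "expired" test reads as now <= eTime; whether
// that is the intended sense depends on what Validate() stores in expT
// (remaining seconds or an absolute time) -- confirm against
// XrdSciTokensHelper.
//
   std::string msgRC;
   long long eTime;
   bool validated = false;
   if (Entity.name) {free(Entity.name); Entity.name = 0;}
   if (tokenlib && sthP->Validate(tResp->tkn, msgRC, (expiry ? &eTime : 0), &Entity))
      {if (expiry)
          {if (eTime < 0 && expiry > 0)
              {Fatal(erp, "'ztn' token expiry missing", EINVAL, false);
               return -1;
              }
           if ((monotonic_time() - eTime) <= 0)
              {Fatal(erp, "'ztn' token expired", EINVAL, false);
               return -1;
              }
          }
       validated = true;
      }

// Success path. Without a validation library (tokenlib null) the token is
// accepted as-is and only stored in Entity.creds; any checking then has to
// happen in a later layer (presumably an authorization plugin). A failed
// allocation is now a hard failure: the previous code reported ENOMEM but
// still returned 0 with Entity.creds null.
//
   if (!tokenlib || validated)
      {if (Entity.creds) free(Entity.creds);
       Entity.credslen = strlen(tResp->tkn);
       Entity.creds = (char *)malloc(Entity.credslen+1);
       if (!Entity.creds)
          {Entity.credslen = 0;
           Fatal(erp, "'ztn' bad alloc", ENOMEM, false);
           return -1;
          }
       memcpy(Entity.creds, tResp->tkn, Entity.credslen+1);
       if (!Entity.name) Entity.name = strdup("anon");
       return 0;
      }

// Validation failed; Validate() supplied the reason in msgRC.
//
   Fatal(erp, msgRC.c_str(), EAUTH, false);
   return -1;
}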

References XrdSecBuffer::buffer, XrdSecEntity::creds, XrdSecEntity::credslen, EAUTH, XrdSecProtocol::Entity, Fatal(), XrdSecEntity::name, XrdSecBuffer::size, XrdSciTokensHelper::Validate(), and ztnVersion.


◆ Delete()

void XrdSecProtocolztn::Delete ( )
inlinevirtual

Delete the protocol object. DO NOT use C++ delete() on this object.

Implements XrdSecProtocol.

Definition at line 190 of file XrdSecProtocolztn.cc.

void XrdSecProtocolztn::Delete()
{
// Protocol objects are released only through this method; the base-class
// destructor is protected, so a direct delete from outside is rejected.
//
   delete this;
}

◆ getCredentials()

XrdSecCredentials * XrdSecProtocolztn::getCredentials ( XrdSecParameters * parm,
XrdOucErrInfo * einfo = 0 )
virtual

Generate client credentials to be used in the authentication process.

Parameters
parm Pointer to the information returned by the server either in the initial login response or the authmore response.
einfo The error information object where error messages should be placed. The messages are returned to the client. Should einfo be null, messages should be written to stderr.
Returns
Success: Pointer to credentials to be sent to the server. The caller is responsible for deleting the object. Failure: Null pointer with einfo, if supplied, containing the reason for the failure.

Implements XrdSecProtocol.

Definition at line 376 of file XrdSecProtocolztn.cc.

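XrdSecCredentials *XrdSecProtocolztn::getCredentials(XrdSecParameters *parms,
                                                     XrdOucErrInfo    *error)
{
// Client-side credential generation. The token is first looked for in the
// default locations below, in order (the %d in the last entry is presumably
// filled in with the uid by findToken() -- confirm there). If none holds a
// token and runtime fetching is allowed (rtGet), a SndAI request is sent so
// the server can list its accepted issuers and the next call (cont set) goes
// to getToken(). Returns a credentials object the caller owns, or 0 with the
// reason in error.
//
   static const char *dfltLoc[] = {"BEARER_TOKEN", "BEARER_TOKEN_FILE",
                                   "XDG_RUNTIME_DIR", "/tmp/bt_u%d"};
   static const char **dfltLocEnd = dfltLoc + sizeof(dfltLoc)/sizeof(char*);
   static std::vector<XrdOucString> dfltVec(dfltLoc, dfltLocEnd);

   XrdSecCredentials *resp;
   bool isbad = false;   // findToken() is expected to set this; start defined

// Second round of the handshake: the issuer list has arrived.
//
   if (cont) return getToken(error, parms);

// Default search; isbad reports a hard failure that already set error.
//
   resp = findToken(error, dfltVec, isbad);
   if (resp || isbad) return resp;

// Ask the server for its issuer list, if allowed. The header buffer is handed
// to XrdSecCredentials, which owns it from then on. A failed allocation used
// to be dereferenced by Fill(); it is now reported instead.
//
   if (rtGet)
      {TokenHdr *tHdr = (TokenHdr *)malloc(sizeof(TokenHdr));
       if (!tHdr)
          {Fatal(error, "'ztn' bad alloc", ENOMEM);
           return 0;
          }
       tHdr->Fill(TokenHdr::SndAI);
       cont = true;
       return new XrdSecCredentials((char *)tHdr, sizeof(TokenHdr));
      }
   Fatal(error, "No token found; runtime fetch disallowed.", ENOPROTOOPT);
   return 0;
}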

References Fatal().


◆ needTLS()

bool XrdSecProtocolztn::needTLS ( )
inlinevirtual

Check if this protocol requires TLS to properly function.

Reimplemented from XrdSecProtocol.

Definition at line 195 of file XrdSecProtocolztn.cc.

bool XrdSecProtocolztn::needTLS()
{
// The bearer token travels inside the credential buffer (see Authenticate()
// and getCredentials()), so this protocol always reports that the link must
// be TLS protected.
//
   return true;
}

Member Data Documentation

◆ ztnVersion

const int XrdSecProtocolztn::ztnVersion = 0
static

Definition at line 219 of file XrdSecProtocolztn.cc.

Referenced by Authenticate(), and XrdSecProtocolztnInit().

