Merge pull request #749 from gganis/fix-deleg-abh

Restructure GSI proxy delegation options
xrootd · Jun 19, 2018 · 02c9a0d · 02c9a0d
2 parents eeded7e + 2189308
commit 02c9a0d
Show file tree

Hide file tree

Showing 3 changed files with 75 additions and 41 deletions.
diff --git a/src/XrdSecgsi/XrdSecProtocolgsi.cc b/src/XrdSecgsi/XrdSecProtocolgsi.cc
@@ -800,15 +800,6 @@ char *XrdSecProtocolgsi::Init(gsiOptions opt, XrdOucErrInfo *erp)
          DEBUG("grid-map cache entries expire after "<<GMAPCacheTimeOut<<" secs");
       }
 
-      //
-      // Request for delegated proxies
-      if (opt.dlgpxy == 1 || opt.dlgpxy == 3)
-         PxyReqOpts |= kOptsSrvReq;
-      if (opt.dlgpxy == 2 || opt.dlgpxy == 3)
-         PxyReqOpts |= kOptsPxFile;
-      // Some notification
-      DEBUG("Delegated proxies options: "<<PxyReqOpts);
-
       //
       // Request for proxy export for authorization
       // authzpxy = opt_what*10 + opt_where
@@ -833,19 +824,37 @@ char *XrdSecProtocolgsi::Init(gsiOptions opt, XrdOucErrInfo *erp)
       }
 
       //
-      // Template for the created proxy files
-      if ((PxyReqOpts & kOptsPxFile)) {
-         String TmpProxy = gUsrPxyDef;
-         if (opt.exppxy) TmpProxy = opt.exppxy;
-         if (XrdSutExpand(TmpProxy) == 0) {
-            UsrProxy = TmpProxy;
-         } else {
-            UsrProxy = gUsrPxyDef;
-            UsrProxy += "u<uid>";
+      // Handle delegated proxies options
+      if (opt.dlgpxy == -1) {
+        // Will not accept any delegated proxies
+        DEBUG("Will not accept delegated proxies");
+      } else {
+        // Ask the client to sign a delegated proxy; client may decide to forward its proxy
+        if (opt.dlgpxy == 1)
+           PxyReqOpts |= kOptsSrvReq;
+
+        // Exporting options (default none: delegated proxy kept in memory, in proxyChain) 
+        if (opt.exppxy) {
+           if (!strcmp(opt.exppxy, "=creds")) {
+              // register the delegated proxy in Entity.creds (in HEX format)
+              PxyReqOpts |=  kOptsPxCred;
+              DEBUG("Delegated proxy saved in Entity.creds ");
+           } else {
+              String TmpProxy = gUsrPxyDef;
+              if (strcmp(opt.exppxy, "=default"))
+                 TmpProxy = opt.exppxy;
+              if (XrdSutExpand(TmpProxy) == 0) {
+                 UsrProxy = TmpProxy;
+              } else {
+                 UsrProxy = gUsrPxyDef;
+                 UsrProxy += "u<uid>";
+              }
+              DEBUG("File template for delegated proxy: "<<UsrProxy);
+           }
          }
-         DEBUG("Template for exported proxy files: "<<UsrProxy);
+         DEBUG("Delegated proxies options: "<<PxyReqOpts);
       }
-      
+
       //
       // VOMS attributes switch
       // vomsat = 0  do not look for
@@ -958,12 +967,14 @@ char *XrdSecProtocolgsi::Init(gsiOptions opt, XrdOucErrInfo *erp)
          DefBits = opt.bits;
       //
       // Delegate proxy options
-      if (opt.dlgpxy == 1)
-         PxyReqOpts |= kOptsDlgPxy;
-      if (opt.dlgpxy == 2)
-         PxyReqOpts |= kOptsFwdPxy;
-      if (opt.sigpxy > 0 || opt.dlgpxy == 1)
+      if (opt.dlgpxy > 0) {
          PxyReqOpts |= kOptsSigReq;
+         if (opt.dlgpxy == 2) {
+            PxyReqOpts |= kOptsFwdPxy;
+         } else {
+            PxyReqOpts |= kOptsDlgPxy;
+         }
+      }
       //
       // Define valid CNs for the server certificates; default is null, which means that
       // the server CN must be in the form "*/<hostname>"
@@ -2352,11 +2363,9 @@ char *XrdSecProtocolgsiInit(const char mode,
       //                                      2 require,
       //                                      3 require non-expired CRL
       //             "XrdSecGSIDELEGPROXY"   Forwarding of credentials option:
-      //                                     0 none; 1 sign request created
+      //                                     0 deny; 1 sign request created
       //                                     by server; 2 forward local proxy
-      //                                     (include private key) [0]
-      //             "XrdSecGSISIGNPROXY"    permission to sign requests
-      //                                     0 no, 1 yes [1]
+      //                                     (include private key) [1]
       //             "XrdSecGSISRVNAMES"     Server names allowed: if the server CN
       //                                     does not match any of these, or it is
       //                                     explicitely denied by these, or it is
@@ -2446,11 +2455,6 @@ char *XrdSecProtocolgsiInit(const char mode,
       if (cenv)
          opts.dlgpxy = atoi(cenv);
 
-      // Sign delegate proxy requests
-      cenv = getenv("XrdSecGSISIGNPROXY");
-      if (cenv)
-         opts.sigpxy = atoi(cenv);
-
       // Allowed server name formats
       cenv = getenv("XrdSecGSISRVNAMES");
       if (cenv)
@@ -2643,7 +2647,7 @@ char *XrdSecProtocolgsiInit(const char mode,
       opts.ogmap = ogmap;
       opts.gmapto = gmapto;
       opts.authzto = authzto;
-      opts.dlgpxy = dlgpxy;
+      opts.dlgpxy = (dlgpxy >= 0 && dlgpxy <= 1) ? dlgpxy : 0;
       opts.authzpxy = authzpxy;
       opts.vomsat = vomsat;
       opts.moninfo = moninfo;
@@ -3742,6 +3746,26 @@ int XrdSecProtocolgsi::ServerDoSigpxy(XrdSutBuffer *br,  XrdSutBuffer **bm,
    // Notify
    if (QTRACE(Authen)) { proxyChain->Dump(); }
 
+   // Check if the proxy chain is to become the actual credentials
+   //
+   if ((PxyReqOpts & kOptsPxCred)) {
+      XrdCryptoX509ExportChain_t c2mem =
+                                 (sessionCF) ? sessionCF->X509ExportChain() : 0;
+      if (!c2mem) {
+         cmsg =  "chain exporter not found; proxy chain not exported";
+         return 0;
+      }
+      XrdOucString spxy;
+      XrdSutBucket *bpxy = (*c2mem)(proxyChain, true);
+      bpxy->ToString(spxy);
+      SafeFree(Entity.creds);
+      Entity.creds = strdup(spxy.c_str());
+      Entity.credslen = spxy.length();
+      PRINT("proxy chain exported in Entity.creds (" << Entity.credslen << " bytes)");
+      PRINT("\n\n" << spxy.c_str() << "\n\n");
+      return 0;
+   }
+
    //
    // Extract user login name, if any
    String user;
@@ -3786,6 +3810,7 @@ int XrdSecProtocolgsi::ServerDoSigpxy(XrdSutBuffer *br,  XrdSutBuffer **bm,
             cmsg += pxfile;
             return 0;
          }
+         PRINT("proxy chain dumped to "<< pxfile);
       } else {
          cmsg = "proxy chain not dumped to file: entity name undefined";
          return 0;

diff --git a/src/XrdSecgsi/XrdSecProtocolgsi.hh b/src/XrdSecgsi/XrdSecProtocolgsi.hh
@@ -103,7 +103,8 @@ enum kgsiHandshakeOpts {
    kOptsSigReq     = 4,      // 0x0004: Accept to sign delegated proxy
    kOptsSrvReq     = 8,      // 0x0008: Server request for delegated proxy
    kOptsPxFile     = 16,     // 0x0010: Save delegated proxies in file
-   kOptsDelChn     = 32      // 0x0020: Delete chain
+   kOptsDelChn     = 32,     // 0x0020: Delete chain
+   kOptsPxCred     = 64      // 0x0040: Save delegated proxies as credentials
 };
 
 // Error codes
@@ -186,12 +187,12 @@ public:
    char  *authzfun;// [s] file with the function to fill entities [0]
    char  *authzfunparms;// [s] parameters for the function to fill entities [0]
    int    authzto; // [s] validity in secs of authz cache entries [-1 => unlimited]
-   int    ogmap;  // [s] gridmap file checking option 
-   int    dlgpxy; // [c] explicitely ask the creation of a delegated proxy 
-                  // [s] ask client for proxies
-   int    sigpxy; // [c] accept delegated proxy requests 
+   int    ogmap;  // [s] gridmap file checking option
+   int    dlgpxy; // [c] explicitely ask the creation of a delegated proxy; default 0
+                  // [s] ask client for proxies; default: do not accept delegated proxies
+   int    sigpxy; // [c] accept delegated proxy requests
    char  *srvnames;// [c] '|' separated list of allowed server names
-   char  *exppxy; // [s] template for the exported file with proxies (dlgpxy == 3)
+   char  *exppxy; // [s] template for the exported file with proxies
    int    authzpxy; // [s] if 1 make proxy available in exported form in the 'endorsement'
                     //     field of the XrdSecEntity object for use in XrdAcc
    int    vomsat; // [s] 0 do not look for; 1 extract if any

diff --git a/src/XrdSut/XrdSutAux.cc b/src/XrdSut/XrdSutAux.cc
@@ -43,6 +43,7 @@
 #include "XrdOuc/XrdOucString.hh"
 
 #include "XrdSut/XrdSutAux.hh"
+#include "XrdSut/XrdSutRndm.hh"
 #include "XrdSut/XrdSutTrace.hh"
 
 static const char *gXRSBucketTypes[] = {
@@ -447,6 +448,13 @@ int XrdSutResolve(XrdOucString &path,
    // Replace <user>, if defined
    if (us && strlen(us) > 0) path.replace("<user>", us);
 
+   // Replace <rtag>, if defined
+   if (path.find("<rtag>") != STR_NPOS) {
+      XrdOucString rtag;
+      XrdSutRndm::GetString(2,6,rtag);
+      path.replace("<rtag>", rtag);
+   }
+
    // Done
    return 0;
 }