From 5ad04a3a328f587c84ac80a04f2c7dc0f35a7531 Mon Sep 17 00:00:00 2001 From: Andrew Hanushevsky Date: Thu, 24 May 2018 12:20:31 +0200 Subject: [PATCH 1/7] secgsi: add option to save delegated proxies as credentials --- src/XrdSecgsi/XrdSecProtocolgsi.cc | 35 +++++++++++++++++++++++++----- src/XrdSecgsi/XrdSecProtocolgsi.hh | 3 ++- 2 files changed, 31 insertions(+), 7 deletions(-) diff --git a/src/XrdSecgsi/XrdSecProtocolgsi.cc b/src/XrdSecgsi/XrdSecProtocolgsi.cc index d2c5648c08d..dd614598af4 100644 --- a/src/XrdSecgsi/XrdSecProtocolgsi.cc +++ b/src/XrdSecgsi/XrdSecProtocolgsi.cc @@ -835,13 +835,18 @@ char *XrdSecProtocolgsi::Init(gsiOptions opt, XrdOucErrInfo *erp) // // Template for the created proxy files if ((PxyReqOpts & kOptsPxFile)) { - String TmpProxy = gUsrPxyDef; - if (opt.exppxy) TmpProxy = opt.exppxy; - if (XrdSutExpand(TmpProxy) == 0) { - UsrProxy = TmpProxy; + if (opt.exppxy && !strcmp(opt.exppxy, "=creds")) { + PxyReqOpts &= ~kOptsPxFile; + PxyReqOpts |= kOptsPxCred; } else { - UsrProxy = gUsrPxyDef; - UsrProxy += "u"; + String TmpProxy = gUsrPxyDef; + if (opt.exppxy) TmpProxy = opt.exppxy; + if (XrdSutExpand(TmpProxy) == 0) { + UsrProxy = TmpProxy; + } else { + UsrProxy = gUsrPxyDef; + UsrProxy += "u"; + } } DEBUG("Template for exported proxy files: "<Dump(); } + // Check if the proxy chain is to become the actual credentials + // + if ((PxyReqOpts & kOptsPxCred)) { + XrdCryptoX509ExportChain_t c2mem = + (sessionCF) ? sessionCF->X509ExportChain() : 0; + if (!c2mem) { + cmsg = "chain exporter not found; proxy chain not exported"; + return 0; + } + XrdOucString spxy; + XrdSutBucket *bpxy = (*c2mem)(proxyChain, true); + bpxy->ToString(spxy); + SafeFree(Entity.creds); + Entity.creds = strdup(spxy.c_str()); + Entity.credslen = spxy.length(); + return 0; + } + // // Extract user login name, if any String user; diff --git a/src/XrdSecgsi/XrdSecProtocolgsi.hh b/src/XrdSecgsi/XrdSecProtocolgsi.hh index de78af26179..51830955937 100644 
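Review bot: `bpxy->ToString(spxy)` dereferences the bucket returned by the chain exporter without a null check, and the bucket is never released once its text has been copied into `Entity.creds`, so a failed export crashes the handshake and a successful one leaks an object that presumably carries the delegated chain. Add `if (!bpxy) { cmsg = "proxy chain export failed"; return 0; }` before the call and `SafeDelete(bpxy);` after `ToString`, mirroring the `cmsg`/`return 0` convention the hunk already uses for the missing-exporter case. The `true` passed to the exporter looks like a with-private-key flag, in which case `Entity.creds` now holds key material; a comment on the `Entity.creds = strdup(...)` line saying so would warn downstream consumers of the entity. The hunk header for this block is not visible in this rendering; judging from the next patch it sits in `XrdSecProtocolgsi::ServerDoSigpxy`, whose body continues outside the hunk.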
--- a/src/XrdSecgsi/XrdSecProtocolgsi.hh +++ b/src/XrdSecgsi/XrdSecProtocolgsi.hh @@ -103,7 +103,8 @@ enum kgsiHandshakeOpts { kOptsSigReq = 4, // 0x0004: Accept to sign delegated proxy kOptsSrvReq = 8, // 0x0008: Server request for delegated proxy kOptsPxFile = 16, // 0x0010: Save delegated proxies in file - kOptsDelChn = 32 // 0x0020: Delete chain + kOptsDelChn = 32, // 0x0020: Delete chain + kOptsPxCred = 64 // 0x0040: Save delegated proxies as credentials }; // Error codes From f2237437a1c83be60fadf0301018361043448292 Mon Sep 17 00:00:00 2001 From: Gerardo Ganis Date: Fri, 1 Jun 2018 10:52:48 +0200 Subject: [PATCH 2/7] secgsi: improve notifications for delegated proxy --- src/XrdSecgsi/XrdSecProtocolgsi.cc | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/XrdSecgsi/XrdSecProtocolgsi.cc b/src/XrdSecgsi/XrdSecProtocolgsi.cc index dd614598af4..eb4a99febdd 100644 --- a/src/XrdSecgsi/XrdSecProtocolgsi.cc +++ b/src/XrdSecgsi/XrdSecProtocolgsi.cc @@ -3762,6 +3762,8 @@ int XrdSecProtocolgsi::ServerDoSigpxy(XrdSutBuffer *br, XrdSutBuffer **bm, SafeFree(Entity.creds); Entity.creds = strdup(spxy.c_str()); Entity.credslen = spxy.length(); + PRINT("proxy chain exported in Entity.creds (" << Entity.credslen << " bytes)"); + PRINT("\n\n" << spxy.c_str() << "\n\n"); return 0; } @@ -3809,6 +3811,7 @@ int XrdSecProtocolgsi::ServerDoSigpxy(XrdSutBuffer *br, XrdSutBuffer **bm, cmsg += pxfile; return 0; } + PRINT("proxy chain dumped to "<< pxfile); } else { cmsg = "proxy chain not dumped to file: entity name undefined"; return 0; From e7feb106369df3c11b612573eb35a3b24b05e5ac Mon Sep 17 00:00:00 2001 From: Gerardo Ganis Date: Thu, 7 Jun 2018 16:46:12 +0200 Subject: [PATCH 3/7] secgsi: change server default for delegated proxy If not specified refuse any proxy delegation. --- src/XrdSecgsi/XrdSecProtocolgsi.cc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
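Review bot: The second added `PRINT` writes the whole exported proxy chain (`spxy`) to the server log, and the surrounding code suggests the chain was exported with its private key, so anyone who can read the log obtains usable delegated credentials. The first `PRINT` with the byte count is all operations needs; drop `PRINT("\n\n" << spxy.c_str() << "\n\n");` or, if a dump is truly wanted for debugging, gate it under `DEBUG` with a comment such as `// spxy carries the delegated private key: never PRINT it`. ServerDoSigpxy's body continues outside both hunks.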
diff --git a/src/XrdSecgsi/XrdSecProtocolgsi.cc b/src/XrdSecgsi/XrdSecProtocolgsi.cc index eb4a99febdd..7423b54657b 100644 --- a/src/XrdSecgsi/XrdSecProtocolgsi.cc +++ b/src/XrdSecgsi/XrdSecProtocolgsi.cc @@ -2561,7 +2561,7 @@ char *XrdSecProtocolgsiInit(const char mode, int ogmap = 1; int gmapto = 600; int authzto = -1; - int dlgpxy = 0; + int dlgpxy = -1; int authzpxy = 0; int vomsat = 1; int moninfo = 0; @@ -2648,7 +2648,7 @@ char *XrdSecProtocolgsiInit(const char mode, opts.ogmap = ogmap; opts.gmapto = gmapto; opts.authzto = authzto; - opts.dlgpxy = dlgpxy; + opts.dlgpxy = (dlgpxy >= -1 && dlgpxy <= 1) ? dlgpxy : -1; opts.authzpxy = authzpxy; opts.vomsat = vomsat; opts.moninfo = moninfo; From 9950520d9768212338db9fd3c68c847c7559b00c Mon Sep 17 00:00:00 2001 From: Gerardo Ganis Date: Fri, 8 Jun 2018 11:59:02 +0200 Subject: [PATCH 4/7] secgsi: review delegated proxy options for servers --- src/XrdSecgsi/XrdSecProtocolgsi.cc | 54 ++++++++++++++++-------------- 1 file changed, 29 insertions(+), 25 deletions(-) diff --git a/src/XrdSecgsi/XrdSecProtocolgsi.cc b/src/XrdSecgsi/XrdSecProtocolgsi.cc index 7423b54657b..9ea11d85f1c 100644 --- a/src/XrdSecgsi/XrdSecProtocolgsi.cc +++ b/src/XrdSecgsi/XrdSecProtocolgsi.cc @@ -800,15 +800,6 @@ char *XrdSecProtocolgsi::Init(gsiOptions opt, XrdOucErrInfo *erp) DEBUG("grid-map cache entries expire after "< Date: Thu, 14 Jun 2018 13:05:53 +0200 Subject: [PATCH 5/7] sutresolve: add support for a random tag A template will be replaced by a string of 6 random hex characters --- src/XrdSut/XrdSutAux.cc | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/src/XrdSut/XrdSutAux.cc b/src/XrdSut/XrdSutAux.cc index 499f2e5d2c6..b50d32f5383 100644 --- a/src/XrdSut/XrdSutAux.cc +++ b/src/XrdSut/XrdSutAux.cc @@ -43,6 +43,7 @@ #include "XrdOuc/XrdOucString.hh" #include "XrdSut/XrdSutAux.hh" +#include "XrdSut/XrdSutRndm.hh" #include "XrdSut/XrdSutTrace.hh" static const char *gXRSBucketTypes[] = { 
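Review bot: `opts.dlgpxy = (dlgpxy >= -1 && dlgpxy <= 1) ? dlgpxy : -1;` silently turns any other configured value into a refusal, so a server whose config still uses a value that meant something before (the header comment edited later in this series still mentions `dlgpxy == 3`) stops accepting delegation with no message. Failing closed is right, but emit a warning when the substitution happens, e.g. `if (dlgpxy < -1 || dlgpxy > 1) PRINT("unsupported dlgpxy value " << dlgpxy << ": delegation refused");` just before the assignment. The distinction between the new default -1 and 0 is not documented anywhere in the hunk; if they differ, a comment on `int dlgpxy = -1;` should say how. XrdSecProtocolgsiInit's body continues outside both hunks.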
@@ -447,6 +448,13 @@ int XrdSutResolve(XrdOucString &path, // Replace , if defined if (us && strlen(us) > 0) path.replace("", us); + // Replace , if defined + if (path.find("") != STR_NPOS) { + XrdOucString rtag; + XrdSutRndm::GetString(2,6,rtag); + path.replace("", rtag); + } + // Done return 0; } From 5d2972911f408c0fc1b9ad8fa749e605069d36c1 Mon Sep 17 00:00:00 2001 From: Gerardo Ganis Date: Tue, 19 Jun 2018 11:00:45 +0200 Subject: [PATCH 6/7] secgsi: change default and fix comments Default value for dlgpxy should be 1 on clients, 0 on servers --- src/XrdSecgsi/XrdSecProtocolgsi.hh | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/src/XrdSecgsi/XrdSecProtocolgsi.hh b/src/XrdSecgsi/XrdSecProtocolgsi.hh index 51830955937..32f859d4746 100644 --- a/src/XrdSecgsi/XrdSecProtocolgsi.hh +++ b/src/XrdSecgsi/XrdSecProtocolgsi.hh @@ -188,11 +188,11 @@ public: char *authzfunparms;// [s] parameters for the function to fill entities [0] int authzto; // [s] validity in secs of authz cache entries [-1 => unlimited] int ogmap; // [s] gridmap file checking option - int dlgpxy; // [c] explicitely ask the creation of a delegated proxy - // [s] ask client for proxies - int sigpxy; // [c] accept delegated proxy requests + int dlgpxy; // [c] explicitely ask the creation of a delegated proxy; default 1 + // [s] ask client for proxies;default set internally to 0, do not accept delegated proxies + int sigpxy; // [c] accept delegated proxy requests char *srvnames;// [c] '|' separated list of allowed server names - char *exppxy; // [s] template for the exported file with proxies (dlgpxy == 3) + char *exppxy; // [s] template for the exported file with proxies int authzpxy; // [s] if 1 make proxy available in exported form in the 'endorsement' // field of the XrdSecEntity object for use in XrdAcc int vomsat; // [s] 0 do not look for; 1 extract if any 
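Review bot: `XrdSutRndm::GetString(2,6,rtag)` produces six hex characters, i.e. 24 bits, so if this tag is what makes exported proxy file names unique (the series suggests it feeds the `exppxy` template) collisions between concurrent delegations are plausible and a local user can enumerate candidate names in a shared directory; whether `GetString` is backed by a cryptographic generator is not visible here. Either widen the tag (the length is the second argument) and have the consumer open the file with `O_CREAT|O_EXCL`, or state the limit in a comment on the `path.find` line: `// random tag: 6 hex chars for uniqueness only, not a secret`. The placeholder passed to `path.find("")`/`path.replace("", rtag)` and to the earlier `path.replace("", us)` shows as an empty string in this rendering, presumably because an angle-bracket tag was stripped as markup; the real token should be checked in the source. XrdSutResolve starts outside the hunk.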
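Review bot: The `exppxy` comment loses the stale `(dlgpxy == 3)` reference but still does not mention the special value `=creds` that the first patch in this series made it accept, so readers of the header cannot discover that `exppxy` can switch from writing a file to populating `Entity.creds`. Suggest `char *exppxy; // [s] template for the exported proxy file; "=creds" exports the chain into Entity.creds instead`. While touching these lines, `explicitely` should read `explicitly`, and the server-side note `default set internally to 0` does not match the `-1` that XrdSecProtocolgsiInit uses at this point in the series. The gsiOptions class continues outside the hunk.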
@@ -209,7 +209,7 @@ public: proxy = 0; valid = 0; deplen = 0; bits = 512; gridmap = 0; gmapto = 600; gmapfun = 0; gmapfunparms = 0; authzfun = 0; authzfunparms = 0; authzto = -1; - ogmap = 1; dlgpxy = 0; sigpxy = 1; srvnames = 0; + ogmap = 1; dlgpxy = 1; sigpxy = 1; srvnames = 0; exppxy = 0; authzpxy = 0; vomsat = 1; vomsfun = 0; vomsfunparms = 0; moninfo = 0; hashcomp = 1; trustdns = true; } virtual ~gsiOptions() { } // Cleanup inside XrdSecProtocolgsiInit From 2189308e55537fff2633c3c810cda0a73bceef60 Mon Sep 17 00:00:00 2001 From: Gerardo Ganis Date: Tue, 19 Jun 2018 19:09:31 +0200 Subject: [PATCH 7/7] secgsi: disable delegation by default and simplify client settings Remove XrdSecGSISIGNPROXY, everything is controlled by XrdSecGSIDELEGPROXY (0 = off, 1 = sign, 2 = forward). Default 0. --- src/XrdSecgsi/XrdSecProtocolgsi.cc | 27 +++++++++++---------------- src/XrdSecgsi/XrdSecProtocolgsi.hh | 8 ++++---- 2 files changed, 15 insertions(+), 20 deletions(-) diff --git a/src/XrdSecgsi/XrdSecProtocolgsi.cc b/src/XrdSecgsi/XrdSecProtocolgsi.cc index 9ea11d85f1c..9699f3db088 100644 --- a/src/XrdSecgsi/XrdSecProtocolgsi.cc +++ b/src/XrdSecgsi/XrdSecProtocolgsi.cc @@ -967,12 +967,14 @@ char *XrdSecProtocolgsi::Init(gsiOptions opt, XrdOucErrInfo *erp) DefBits = opt.bits; // // Delegate proxy options - if (opt.dlgpxy == 1) - PxyReqOpts |= kOptsDlgPxy; - if (opt.dlgpxy == 2) - PxyReqOpts |= kOptsFwdPxy; - if (opt.sigpxy > 0 || opt.dlgpxy == 1) + if (opt.dlgpxy > 0) { PxyReqOpts |= kOptsSigReq; + if (opt.dlgpxy == 2) { + PxyReqOpts |= kOptsFwdPxy; + } else { + PxyReqOpts |= kOptsDlgPxy; + } + } // // Define valid CNs for the server certificates; default is null, which means that // the server CN must be in the form "*/" 
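Review bot: `if (opt.dlgpxy > 0)` treats every value other than 2 as a request to sign, so a client whose `XrdSecGSIDELEGPROXY` is mistyped (the value is read with `atoi` and not range-checked anywhere visible in this patch) silently ends up accepting delegation requests rather than being refused. Restrict the branch to the two documented values and warn on anything else, as sketched below. This also quietly changes the meaning of `dlgpxy == 2`: it now always sets `kOptsSigReq`, where before that depended on `sigpxy`; the header comment should state that forwarding implies signing. Init's body continues outside the hunk.
```cpp
   // Delegate proxy options: 0 = deny, 1 = sign server requests, 2 = forward local proxy
   if (opt.dlgpxy == 1 || opt.dlgpxy == 2) {
      PxyReqOpts |= kOptsSigReq;
      PxyReqOpts |= (opt.dlgpxy == 2) ? kOptsFwdPxy : kOptsDlgPxy;
   } else if (opt.dlgpxy != 0) {
      PRINT("unsupported dlgpxy value " << opt.dlgpxy << ": delegation disabled");
   }
   // … unchanged: valid server CN definition …
```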
@@ -2361,11 +2363,9 @@ char *XrdSecProtocolgsiInit(const char mode, // 2 require, // 3 require non-expired CRL // "XrdSecGSIDELEGPROXY" Forwarding of credentials option: - // 0 none; 1 sign request created + // 0 deny; 1 sign request created // by server; 2 forward local proxy - // (include private key) [0] - // "XrdSecGSISIGNPROXY" permission to sign requests - // 0 no, 1 yes [1] + // (include private key) [1] // "XrdSecGSISRVNAMES" Server names allowed: if the server CN // does not match any of these, or it is // explicitely denied by these, or it is @@ -2455,11 +2455,6 @@ char *XrdSecProtocolgsiInit(const char mode, if (cenv) opts.dlgpxy = atoi(cenv); - // Sign delegate proxy requests - cenv = getenv("XrdSecGSISIGNPROXY"); - if (cenv) - opts.sigpxy = atoi(cenv); - // Allowed server name formats cenv = getenv("XrdSecGSISRVNAMES"); if (cenv) @@ -2565,7 +2560,7 @@ char *XrdSecProtocolgsiInit(const char mode, int ogmap = 1; int gmapto = 600; int authzto = -1; - int dlgpxy = -1; + int dlgpxy = 0; int authzpxy = 0; int vomsat = 1; int moninfo = 0; @@ -2652,7 +2647,7 @@ char *XrdSecProtocolgsiInit(const char mode, opts.ogmap = ogmap; opts.gmapto = gmapto; opts.authzto = authzto; - opts.dlgpxy = (dlgpxy >= -1 && dlgpxy <= 1) ? dlgpxy : -1; + opts.dlgpxy = (dlgpxy >= 0 && dlgpxy <= 1) ? dlgpxy : 0; opts.authzpxy = authzpxy; opts.vomsat = vomsat; opts.moninfo = moninfo; diff --git a/src/XrdSecgsi/XrdSecProtocolgsi.hh b/src/XrdSecgsi/XrdSecProtocolgsi.hh index 32f859d4746..060eff0a027 100644 --- a/src/XrdSecgsi/XrdSecProtocolgsi.hh +++ b/src/XrdSecgsi/XrdSecProtocolgsi.hh 
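Review bot: The rewritten comment ends with `(include private key) [1]`, but the bracketed value in this comment block denotes the default, and this same commit sets `dlgpxy = 0` in the gsiOptions constructor and in XrdSecProtocolgsiInit while its message says "Default 0"; the line should read `(include private key) [0]`. A reader who trusts the header will believe delegation signing is on by default, which is the opposite of the posture the series is establishing. XrdSecProtocolgsiInit's body continues outside the hunk.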
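Review bot: `opts.dlgpxy = (dlgpxy >= 0 && dlgpxy <= 1) ? dlgpxy : 0;` still replaces an out-of-range server setting with a silent refusal, as the earlier clamp in this series did; a one-line warning before the assignment, `if (dlgpxy < 0 || dlgpxy > 1) PRINT("unsupported dlgpxy value " << dlgpxy << ": delegation disabled");`, tells the operator why delegation stopped working. XrdSecProtocolgsiInit's body continues outside the hunk.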
@@ -187,9 +187,9 @@ public: char *authzfun;// [s] file with the function to fill entities [0] char *authzfunparms;// [s] parameters for the function to fill entities [0] int authzto; // [s] validity in secs of authz cache entries [-1 => unlimited] - int ogmap; // [s] gridmap file checking option - int dlgpxy; // [c] explicitely ask the creation of a delegated proxy; default 1 - // [s] ask client for proxies;default set internally to 0, do not accept delegated proxies + int ogmap; // [s] gridmap file checking option + int dlgpxy; // [c] explicitely ask the creation of a delegated proxy; default 0 + // [s] ask client for proxies; default: do not accept delegated proxies int sigpxy; // [c] accept delegated proxy requests char *srvnames;// [c] '|' separated list of allowed server names char *exppxy; // [s] template for the exported file with proxies @@ -209,7 +209,7 @@ public: proxy = 0; valid = 0; deplen = 0; bits = 512; gridmap = 0; gmapto = 600; gmapfun = 0; gmapfunparms = 0; authzfun = 0; authzfunparms = 0; authzto = -1; - ogmap = 1; dlgpxy = 1; sigpxy = 1; srvnames = 0; + ogmap = 1; dlgpxy = 0; sigpxy = 1; srvnames = 0; exppxy = 0; authzpxy = 0; vomsat = 1; vomsfun = 0; vomsfunparms = 0; moninfo = 0; hashcomp = 1; trustdns = true; } virtual ~gsiOptions() { } // Cleanup inside XrdSecProtocolgsiInit
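Review bot: `sigpxy` is still documented as `[c] accept delegated proxy requests` although this commit removes the environment read and the `Init` check that consumed it, and no other use is visible in the series, so the field looks dead and the comment invites callers to toggle something that has no effect. Mark it accordingly, e.g. `int sigpxy; // [c] obsolete: ignored, delegation is driven by dlgpxy alone`, or remove the field. The `dlgpxy` comment should also spell `explicitly` correctly and say that value 2 (forward) implies signing. The gsiOptions class continues outside the hunk.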
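Review bot: The constructor still initialises `sigpxy = 1` after this commit has dropped every visible consumer of the field, so the `1` reads as "signing enabled" to anyone skimming the defaults while the effective default for delegation is now the `dlgpxy = 0` beside it; either drop the initialiser with the field or add `// sigpxy: no longer consulted` on the line. Unrelated to this change but visible in the context, `bits = 512` as the default proxy key size is well below any current minimum if it is the RSA modulus length; worth a separate follow-up. The gsiOptions constructor starts outside the hunk.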