[Sec] Add support for x509 capabilities.

xrootd · May 21, 2020 · 04e6ef5 · 04e6ef5
1 parent f216d93
commit 04e6ef5
Show file tree

Hide file tree

Showing 7 changed files with 14 additions and 1 deletion.
diff --git a/src/XrdHttp/XrdHttpProtocol.cc b/src/XrdHttp/XrdHttpProtocol.cc
@@ -1847,6 +1847,7 @@ void XrdHttpProtocol::Cleanup() {
   ssl = 0;
   sbio = 0;
 
+  if (SecEntity.caps) free(SecEntity.caps);
   if (SecEntity.grps) free(SecEntity.grps);
   if (SecEntity.endorsements) free(SecEntity.endorsements);
   if (SecEntity.vorg) free(SecEntity.vorg);

diff --git a/src/XrdSec/XrdSecEntity.cc b/src/XrdSec/XrdSecEntity.cc
@@ -120,7 +120,7 @@ void XrdSecEntity::Display(XrdSysError &mDest)
 
    char theprot[XrdSecPROTOIDSIZE+1];
 
-// Avoid the vulgarities of old gcc compilers thatidn't implemented full C++11
+// Avoid vulgarities of old gcc compilers that didn't implemented full C++11
 //
    typedef long long          int LLint;
    typedef long long unsigned int ULint;
@@ -138,6 +138,7 @@ void XrdSecEntity::Display(XrdSysError &mDest)
    mDest.Say(tident, " Vorg '", (vorg ? vorg : ""), "'");
    mDest.Say(tident, " Role '", (role ? role : ""), "'");
    mDest.Say(tident, " Grps '", (grps ? grps : ""), "'");
+   mDest.Say(tident, " Caps '", (caps ? caps : ""), "'");
    mDest.Say(tident, " Pidn '", (pident ? pident : ""), "'");
 
    mDest.Say(tident, " Crlen ", std::to_string((LLint)credslen).c_str());
@@ -246,6 +247,7 @@ void XrdSecEntity::Reset(bool isnew, const char *spV)
    vorg = 0;
    role = 0;
    grps = 0;
+   caps = 0;
    endorsements = 0;
    moninfo = 0;
    creds = 0;

diff --git a/src/XrdSec/XrdSecEntity.hh b/src/XrdSec/XrdSecEntity.hh
@@ -75,6 +75,7 @@ public:
          char   *vorg;                    //!< Entity's virtual organization(s)
          char   *role;                    //!< Entity's role(s)
          char   *grps;                    //!< Entity's group name(s)
+         char   *caps;                    //!< Entity's capabilities
          char   *endorsements;            //!< Protocol specific endorsements
          char   *moninfo;                 //!< Information for monitoring
          char   *creds;                   //!< Raw entity credentials or cert

diff --git a/src/XrdSecgsi/XrdSecProtocolgsi.cc b/src/XrdSecgsi/XrdSecProtocolgsi.cc
@@ -1031,6 +1031,7 @@ void XrdSecProtocolgsi::Delete()
    SafeFree(Entity.vorg);
    SafeFree(Entity.role);
    SafeFree(Entity.grps);
+   SafeFree(Entity.caps);
    SafeFree(Entity.endorsements);
    if (Entity.creds && Entity.credslen > 0) {
       SafeFree(Entity.creds);

diff --git a/src/XrdSecsss/XrdSecProtocolsss.cc b/src/XrdSecsss/XrdSecProtocolsss.cc
@@ -79,6 +79,7 @@ char               *host;
 char               *vorg;
 char               *role;
 char               *grps;
+char               *caps;
 char               *endo;
 char               *creds;
 int                 credslen;
@@ -239,6 +240,7 @@ int XrdSecProtocolsss::Authenticate(XrdSecCredentials *cred,
                      break;
                 case XrdSecsssRR_Data::theUser: myID.xUser    = idP; break;
                 case XrdSecsssRR_Data::theGrup: myID.xGrup    = idP; break;
+                case XrdSecsssRR_Data::theCaps: myID.caps     = idP; break;
                 default: break;
                }
         }
@@ -317,6 +319,7 @@ if (!(decKey.Data.Opts & XrdSecsssKT::ktEnt::noIPCK))
           + (myID.vorg   ? strlen(myID.vorg)+1   : 0)
           + (myID.role   ? strlen(myID.role)+1   : 0)
           + (myID.grps   ? strlen(myID.grps)+1   : 0)
+          + (myID.caps   ? strlen(myID.caps)+1   : 0)
           + (myID.endo   ? strlen(myID.endo)+1   : 0)
           + (myID.creds  ? myID.credslen         : 0)
           + (myID.pident ? strlen(myID.pident)+1 : 0);
@@ -330,6 +333,7 @@ if (!(decKey.Data.Opts & XrdSecsssKT::ktEnt::noIPCK))
    Entity.vorg         = setID(myID.vorg, &idP);
    Entity.role         = setID(myID.role, &idP);
    Entity.grps         = setID(myID.grps, &idP);
+   Entity.caps         = setID(myID.caps, &idP);
    Entity.endorsements = setID(myID.endo, &idP);
 
    if (myID.pident)

diff --git a/src/XrdSecsss/XrdSecsssEnt.cc b/src/XrdSecsss/XrdSecsssEnt.cc
@@ -185,6 +185,7 @@ bool XrdSecsssEnt::Serialize()
         + (eP->vorg         ? strlen(eP->vorg)         + 4 : 0)
         + (eP->role         ? strlen(eP->role)         + 4 : 0)
         + (eP->grps         ? strlen(eP->grps)         + 4 : 0)
+        + (eP->caps         ? strlen(eP->caps)         + 4 : 0)
         + (eP->endorsements ? strlen(eP->endorsements) + 4 : 0);
 
 // The above is always sent to V1 servers and it can't be too short
@@ -252,6 +253,8 @@ bool XrdSecsssEnt::Serialize()
       {*bP++ = XrdSecsssRR_Data::theRole; XrdOucPup::Pack(&bP,eP->role);}
    if (eP->grps)
       {*bP++ = XrdSecsssRR_Data::theGrps; XrdOucPup::Pack(&bP,eP->grps);}
+   if (eP->caps)
+      {*bP++ = XrdSecsssRR_Data::theCaps; XrdOucPup::Pack(&bP,eP->caps);}
    if (eP->endorsements)
       {*bP++ = XrdSecsssRR_Data::theEndo; XrdOucPup::Pack(&bP,eP->endorsements);}
    if (rLen)

diff --git a/src/XrdSecsss/XrdSecsssRR.hh b/src/XrdSecsss/XrdSecsssRR.hh
@@ -100,6 +100,7 @@ static const char theAKey = 0x0a; // V2: attribute key
 static const char theAVal = 0x0b; // V2: attribute value for preceeding key
 static const char theUser = 0x0c; // V2: the Unix user  name (original)
 static const char theGrup = 0x0d; // V2: the Unix group name (original)
+static const char theCaps = 0x0e; // V2: the x509 capabilities
 
 static const char theLgid = 0x10; // from server only
 static const char theHost = 0x20; // from client only (required)