secgsi: disable delegation by default and simplify client settings
Remove XrdSecGSISIGNPROXY, everything is controlled by XrdSecGSIDELEGPROXY
(0 = off, 1 = sign, 2 = forward). Default 0.
gganis committed Jun 19, 2018
1 parent 5d29729 commit 2189308
Showing 2 changed files with 15 additions and 20 deletions.
27 changes: 11 additions & 16 deletions src/XrdSecgsi/XrdSecProtocolgsi.cc
Expand Up @@ -967,12 +967,14 @@ char *XrdSecProtocolgsi::Init(gsiOptions opt, XrdOucErrInfo *erp)
DefBits = opt.bits;
//
// Delegate proxy options
if (opt.dlgpxy == 1)
PxyReqOpts |= kOptsDlgPxy;
if (opt.dlgpxy == 2)
PxyReqOpts |= kOptsFwdPxy;
if (opt.sigpxy > 0 || opt.dlgpxy == 1)
if (opt.dlgpxy > 0) {
PxyReqOpts |= kOptsSigReq;
if (opt.dlgpxy == 2) {
PxyReqOpts |= kOptsFwdPxy;
} else {
PxyReqOpts |= kOptsDlgPxy;
}
}
//
// Define valid CNs for the server certificates; default is null, which means that
// the server CN must be in the form "*/<hostname>"
Expand Down Expand Up @@ -2361,11 +2363,9 @@ char *XrdSecProtocolgsiInit(const char mode,
// 2 require,
// 3 require non-expired CRL
// "XrdSecGSIDELEGPROXY" Forwarding of credentials option:
// 0 none; 1 sign request created
// 0 deny; 1 sign request created
// by server; 2 forward local proxy
// (include private key) [0]
// "XrdSecGSISIGNPROXY" permission to sign requests
// 0 no, 1 yes [1]
// (include private key) [1]
// "XrdSecGSISRVNAMES" Server names allowed: if the server CN
// does not match any of these, or it is
// explicitely denied by these, or it is
Expand Down Expand Up @@ -2455,11 +2455,6 @@ char *XrdSecProtocolgsiInit(const char mode,
if (cenv)
opts.dlgpxy = atoi(cenv);

// Sign delegate proxy requests
cenv = getenv("XrdSecGSISIGNPROXY");
if (cenv)
opts.sigpxy = atoi(cenv);

// Allowed server name formats
cenv = getenv("XrdSecGSISRVNAMES");
if (cenv)
Expand Down Expand Up @@ -2565,7 +2560,7 @@ char *XrdSecProtocolgsiInit(const char mode,
int ogmap = 1;
int gmapto = 600;
int authzto = -1;
int dlgpxy = -1;
int dlgpxy = 0;
int authzpxy = 0;
int vomsat = 1;
int moninfo = 0;
Expand Down Expand Up @@ -2652,7 +2647,7 @@ char *XrdSecProtocolgsiInit(const char mode,
opts.ogmap = ogmap;
opts.gmapto = gmapto;
opts.authzto = authzto;
opts.dlgpxy = (dlgpxy >= -1 && dlgpxy <= 1) ? dlgpxy : -1;
opts.dlgpxy = (dlgpxy >= 0 && dlgpxy <= 1) ? dlgpxy : 0;
opts.authzpxy = authzpxy;
opts.vomsat = vomsat;
opts.moninfo = moninfo;
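Review bot: The new `if (opt.dlgpxy > 0)` in the Init hunk treats every positive value other than 2 as "sign and delegate", while on the client side `opts.dlgpxy = atoi(cenv);` (context line in the -2455 hunk) is still stored with no range check, so a mistyped XrdSecGSIDELEGPROXY such as 3 silently enables delegation instead of falling back to the documented default 0. Since this setting decides whether credentials leave the client, an out-of-range value should map to off, e.g. `if (cenv) { int v = atoi(cenv); opts.dlgpxy = (v >= 0 && v <= 2) ? v : 0; }`, mirroring the clamp the server path already applies at `opts.dlgpxy = (dlgpxy >= 0 && dlgpxy <= 1) ? dlgpxy : 0;`. The help text in the -2361 hunk also appears to end with `(include private key) [1]` on the new side, which would contradict the new default of 0; it should read `[0]` if the two are meant to agree. Init's body begins and continues outside the hunk.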
8 changes: 4 additions & 4 deletions src/XrdSecgsi/XrdSecProtocolgsi.hh
Expand Up @@ -187,9 +187,9 @@ public:
char *authzfun;// [s] file with the function to fill entities [0]
char *authzfunparms;// [s] parameters for the function to fill entities [0]
int authzto; // [s] validity in secs of authz cache entries [-1 => unlimited]
int ogmap; // [s] gridmap file checking option
int dlgpxy; // [c] explicitely ask the creation of a delegated proxy; default 1
// [s] ask client for proxies;default set internally to 0, do not accept delegated proxies
int ogmap; // [s] gridmap file checking option
int dlgpxy; // [c] explicitely ask the creation of a delegated proxy; default 0
// [s] ask client for proxies; default: do not accept delegated proxies
int sigpxy; // [c] accept delegated proxy requests
char *srvnames;// [c] '|' separated list of allowed server names
char *exppxy; // [s] template for the exported file with proxies
Expand All @@ -209,7 +209,7 @@ public:
proxy = 0; valid = 0; deplen = 0; bits = 512;
gridmap = 0; gmapto = 600;
gmapfun = 0; gmapfunparms = 0; authzfun = 0; authzfunparms = 0; authzto = -1;
ogmap = 1; dlgpxy = 1; sigpxy = 1; srvnames = 0;
ogmap = 1; dlgpxy = 0; sigpxy = 1; srvnames = 0;
exppxy = 0; authzpxy = 0;
vomsat = 1; vomsfun = 0; vomsfunparms = 0; moninfo = 0; hashcomp = 1; trustdns = true; }
virtual ~gsiOptions() { } // Cleanup inside XrdSecProtocolgsiInit
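Review bot: `int sigpxy; // [c] accept delegated proxy requests` keeps its comment and the constructor still sets `sigpxy = 1`, although this commit removes XrdSecGSISIGNPROXY, the only setting that populated it, and the shown Init hunk in the .cc now derives kOptsSigReq from dlgpxy alone. A reader of the header will assume the field still has an effect; either drop it together with its initializer or mark it, e.g. `int sigpxy; // [c] no longer read: signing is controlled by dlgpxy (XrdSecGSIDELEGPROXY)`. The updated dlgpxy comment could also spell out the client values so the header matches the help text in the .cc, e.g. `// [c] 0 deny, 1 sign request created by server, 2 forward local proxy; default 0`. The gsiOptions class starts outside the hunk.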