[XrdHttp] Add "required" parameter to the http.secxtractor and http.g…

…ridmap configuration directives

Conflicts:
	src/XrdHttp/XrdHttpProtocol.cc

src/XrdHttp/XrdHttpProtocol.cc

@@ -87,13 +87,15 @@ char *XrdHttpProtocol::secretkey = 0;
 
 char *XrdHttpProtocol::gridmap = 0;
 XrdOucGMap *XrdHttpProtocol::servGMap = 0;  // Grid mapping service
+bool XrdHttpProtocol::isRequiredGridmap = false;
 int XrdHttpProtocol::sslverifydepth = 9;
 XrdSysRWLock XrdHttpProtocol::x509_store_lock;
 X509_STORE *XrdHttpProtocol::verify_store = NULL;
 SSL_CTX *XrdHttpProtocol::sslctx = 0;
 BIO *XrdHttpProtocol::sslbio_err = 0;
 XrdCryptoFactory *XrdHttpProtocol::myCryptoFactory = 0;
 XrdHttpSecXtractor *XrdHttpProtocol::secxtractor = 0;
+bool XrdHttpProtocol::isRequiredXtractor = false;
 struct XrdHttpProtocol::XrdHttpExtHandlerInfo XrdHttpProtocol::exthandler[MAX_XRDHTTPEXTHANDLERS];
 int XrdHttpProtocol::exthandlercnt = 0;
 std::map< std::string, std::string > XrdHttpProtocol::hdr2cgimap; 
@@ -1927,12 +1929,13 @@ int XrdHttpProtocol::xsslkey(XrdOucStream & Config) {
 
 /* Function: xgmap
 
-   Purpose:  To parse the directive: gridmap <path>
+   Purpose:  To parse the directive: gridmap [required] <path>
 
-             <path>    the path of the gridmap file to be used. Normally
-                       it's /etc/grid-security/gridmap
-                       No mapfile means no translation required
-                       Pointing to a non existing mapfile is an error
+     required   optional parameter which if present treats any grimap errors
+                as fatal.
+     <path>     the path of the gridmap file to be used. Normally it's
+                /etc/grid-security/gridmap. No mapfile means no translation
+                required. Pointing to a non existing mapfile is an error.
 
   Output: 0 upon success or !0 upon failure.
  */
@@ -1948,11 +1951,23 @@ int XrdHttpProtocol::xgmap(XrdOucStream & Config) {
     return 1;
   }
 
+  // Handle optional parameter "required"
+  //
+  if (!strncmp(val, "required", 8)) {
+    isRequiredGridmap = true;
+    val = Config.GetWord();
+
+    if (!val || !val[0]) {
+      eDest.Emsg("Config", "HTTP X509 gridmap file missing after [required] "
+                 "parameter");
+      return 1;
+    }
+  }
+
   // Record the path
   //
   if (gridmap) free(gridmap);
   gridmap = strdup(val);
-
   return 0;
 }
 
@@ -2366,14 +2381,17 @@ int XrdHttpProtocol::xselfhttps2http(XrdOucStream & Config) {
 
 /* Function: xsecxtractor
 
-   Purpose:  To parse the directive: secxtractor <path>
+   Purpose:  To parse the directive: secxtractor [required] <path> <params>
 
-             <path>    the path of the plugin to be loaded
+     required    optional parameter which if present treats any secxtractor
+                 errors as fatal.
+     <path>      the path of the plugin to be loaded
+     <params>    parameters passed to the secxtractor library
 
   Output: 0 upon success or !0 upon failure.
  */
 
-int XrdHttpProtocol::xsecxtractor(XrdOucStream & Config) {
+int XrdHttpProtocol::xsecxtractor(XrdOucStream& Config) {
   char *val;
 
   // Get the path
@@ -2382,24 +2400,38 @@ int XrdHttpProtocol::xsecxtractor(XrdOucStream & Config) {
   if (!val || !val[0]) {
     eDest.Emsg("Config", "No security extractor plugin specified.");
     return 1;
-  } else {
-
-      // Try to load the plugin (if available) that extracts info from the user cert/proxy
-      //
-      if (LoadSecXtractor(&eDest, val, 0))
-          return 1;
   }
 
+  // Handle optional parameter [required]
+  //
+  if (!strncmp(val, "required", 8)) {
+    isRequiredXtractor = true;
+    val = Config.GetWord();
 
-  return 0;
-}
-
-
-
+    if (!val || !val[0]) {
+      eDest.Emsg("Config", "No security extractor plugin after [required] "
+                 "parameter");
+      return 1;
+    }
+  }
 
+  char libName[4096];
+  strncpy(libName, val, sizeof(libName));
+  libName[sizeof(libName) - 1] = '\0';
+  char libParms[4096];
 
+  if (!Config.GetRest(libParms, 4095)) {
+    eDest.Emsg("Config", "secxtractor config params longer than 4k");
+    return 1;
+  }
 
+  // Try to load the plugin (if available) that extracts info from the user cert/proxy
+  //
+  if (LoadSecXtractor(&eDest, val, 0))
+    return 1;
 
+  return 0;
+}
 
 
 /******************************************************************************/

src/XrdHttp/XrdHttpProtocol.hh

@@ -165,7 +165,9 @@ private:
   int GetVOMSData(XrdLink *lp);
 
   // Handle gridmap file mapping if present
-  void HandleGridMap(XrdLink* lp);
+  //
+  // @return 0 if successful, otherwise !0
+  int HandleGridMap(XrdLink* lp);
 
   /// Get up to blen bytes from the connection. Put them into mybuff.
   /// This primitive, for the way it is used, is not supposed to block
@@ -196,6 +198,7 @@ private:
   static int xsecretkey(XrdOucStream &Config);
   static int xheader2cgi(XrdOucStream &Config);
 
+  static bool isRequiredXtractor; // If true treat secxtractor errors as fatal
   static XrdHttpSecXtractor *secxtractor;
 
   // Loads the SecXtractor plugin, if available
@@ -359,6 +362,7 @@ protected:
 
   /// Gridmap file location. The same used by XrdSecGsi
   static char *gridmap;// [s] gridmap file [/etc/grid-security/gridmap]
+  static bool isRequiredGridmap; // If true treat gridmap errors as fatal
 
   /// The key used to calculate the url hashes
   static char *secretkey;

src/XrdHttp/XrdHttpSecurity.cc

@@ -34,6 +34,7 @@
 int
 XrdHttpProtocol::HandleAuthentication(XrdLink* lp)
 {
+  EPNAME("HandleAuthentication");
   int rc_ssl = SSL_get_verify_result(ssl);
 
   if (rc_ssl) {
@@ -77,20 +78,26 @@ XrdHttpProtocol::HandleAuthentication(XrdLink* lp)
 
   if (GetVOMSData(lp)) {
     TRACEI(DEBUG, " No VOMS information for DN: " << SecEntity.moninfo);
+
+    if (isRequiredXtractor) {
+      eDest.Emsg(epname, "Failed extracting required VOMS info for DN: ",
+                 SecEntity.moninfo);
+      return 1;
+    }
   }
 
-  HandleGridMap(lp);
-  return 0;
+  return HandleGridMap(lp);
 }
 
 
 /******************************************************************************/
 /*                          H a n d l e G r i d M a p                         */
 /******************************************************************************/
 
-void
+int
 XrdHttpProtocol::HandleGridMap(XrdLink* lp)
 {
+  EPNAME("HandleGridMap");
   char bufname[256];
 
   if (servGMap) {
@@ -102,6 +109,12 @@ XrdHttpProtocol::HandleGridMap(XrdLink* lp)
     }
     else {
       TRACEI(ALL, " Mapping name: " << SecEntity.moninfo << " Failed. err: " << mape);
+
+      if (isRequiredGridmap) {
+        eDest.Emsg(epname, "Required gridmap mapping failed for DN:",
+                   SecEntity.moninfo);
+        return 1;
+      }
     }
   }
 
@@ -151,10 +164,11 @@ XrdHttpProtocol::HandleGridMap(XrdLink* lp)
         j--;
         SecEntity.name[j] = SecEntity.moninfo[i];
         if (j == 0) break;
-
       }
     }
   }
+
+  return 0;
 }
 
 
@@ -166,26 +180,22 @@ int XrdHttpProtocol::GetVOMSData(XrdLink *lp)
 {
   TRACEI(DEBUG, " Extracting auth info.");
 
-  // Invoke our instance of the Security exctractor plugin
-  // This will fill the XrdSec thing with VOMS info, if VOMS is
-  // installed. If we have no sec extractor then do nothing, just plain https
-  // will work.
+  // Invoke the Security exctractor plugin which will fill in the XrdSecEntity
+  // with VOMS info, if VOMS is installed. If we have no sec extractor then do
+  // nothing, just plain https will work.
   if (secxtractor) {
-    // We assume that if the sysadmin has assigned a gridmap file then he
-    // is interested in the mapped name, not the original one that would be
-    // overwritten inside the plugin
+    // Note: this is kept for compatibility with XrdHttpVOMS which modified the
+    // SecEntity.name filed
     char *savestr = 0;
+
     if (servGMap && SecEntity.name) {
       savestr = strdup(SecEntity.name);
     }
 
     int r = secxtractor->GetSecData(lp, SecEntity, ssl);
-    // Note: this is kept for compatilibyt with XrdHttpVOMS which modified the
-    // SecEntity.name filed.
+
     if (servGMap && savestr) {
-      if (SecEntity.name) {
-        free(SecEntity.name);
-      }
+      if (SecEntity.name) free(SecEntity.name);
       SecEntity.name = savestr;
     }
 

src/XrdHttp/XrdHttpTrace.hh

@@ -84,6 +84,7 @@ extern const char *XrdHttpTraceID;
        XrdHttpTrace->End();}
 
 #define TRACING(x) XrdHttpTrace->What & x
+#define EPNAME(x)  static const char* epname = x;
 
 #else
 
@@ -92,6 +93,7 @@ extern const char *XrdHttpTraceID;
 #define TRACEP(act,x)
 #define TRACES(act,x)
 #define TRACING(x) 0
+#define EPNAME(x)
 #endif
 
 #endif