secgsi: add option to save delegated proxies as credentials

xrootd · Jun 19, 2018 · 5ad04a3 · 5ad04a3
1 parent eeded7e
commit 5ad04a3
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 7 deletions.
diff --git a/src/XrdSecgsi/XrdSecProtocolgsi.cc b/src/XrdSecgsi/XrdSecProtocolgsi.cc
@@ -835,13 +835,18 @@ char *XrdSecProtocolgsi::Init(gsiOptions opt, XrdOucErrInfo *erp)
       //
       // Template for the created proxy files
       if ((PxyReqOpts & kOptsPxFile)) {
-         String TmpProxy = gUsrPxyDef;
-         if (opt.exppxy) TmpProxy = opt.exppxy;
-         if (XrdSutExpand(TmpProxy) == 0) {
-            UsrProxy = TmpProxy;
+         if (opt.exppxy && !strcmp(opt.exppxy, "=creds")) {
+            PxyReqOpts &= ~kOptsPxFile;
+            PxyReqOpts |=  kOptsPxCred;
          } else {
-            UsrProxy = gUsrPxyDef;
-            UsrProxy += "u<uid>";
+            String TmpProxy = gUsrPxyDef;
+            if (opt.exppxy) TmpProxy = opt.exppxy;
+            if (XrdSutExpand(TmpProxy) == 0) {
+               UsrProxy = TmpProxy;
+            } else {
+               UsrProxy = gUsrPxyDef;
+               UsrProxy += "u<uid>";
+            }
          }
          DEBUG("Template for exported proxy files: "<<UsrProxy);
       }
@@ -3742,6 +3747,24 @@ int XrdSecProtocolgsi::ServerDoSigpxy(XrdSutBuffer *br,  XrdSutBuffer **bm,
    // Notify
    if (QTRACE(Authen)) { proxyChain->Dump(); }
 
+   // Check if the proxy chain is to become the actual credentials
+   //
+   if ((PxyReqOpts & kOptsPxCred)) {
+      XrdCryptoX509ExportChain_t c2mem =
+                                 (sessionCF) ? sessionCF->X509ExportChain() : 0;
+      if (!c2mem) {
+         cmsg =  "chain exporter not found; proxy chain not exported";
+         return 0;
+      }
+      XrdOucString spxy;
+      XrdSutBucket *bpxy = (*c2mem)(proxyChain, true);
+      bpxy->ToString(spxy);
+      SafeFree(Entity.creds);
+      Entity.creds = strdup(spxy.c_str());
+      Entity.credslen = spxy.length();
+      return 0;
+   }
+
    //
    // Extract user login name, if any
    String user;

diff --git a/src/XrdSecgsi/XrdSecProtocolgsi.hh b/src/XrdSecgsi/XrdSecProtocolgsi.hh
@@ -103,7 +103,8 @@ enum kgsiHandshakeOpts {
    kOptsSigReq     = 4,      // 0x0004: Accept to sign delegated proxy
    kOptsSrvReq     = 8,      // 0x0008: Server request for delegated proxy
    kOptsPxFile     = 16,     // 0x0010: Save delegated proxies in file
-   kOptsDelChn     = 32      // 0x0020: Delete chain
+   kOptsDelChn     = 32,     // 0x0020: Delete chain
+   kOptsPxCred     = 64      // 0x0040: Save delegated proxies as credentials
 };
 
 // Error codes