xrootd · ljanyst · Oct 21, 2014 · Oct 21, 2014 · Oct 21, 2014
diff --git a/src/XrdHttp.cmake b/src/XrdHttp.cmake
@@ -9,7 +9,7 @@ set( LIB_XRD_HTTP       XrdHttp-${PLUGIN_VERSION} )
 # Shared library version
 #-------------------------------------------------------------------------------
 
-if( BUILD_CRYPTO )
+if( BUILD_HTTP )
   #-----------------------------------------------------------------------------
   # The XrdHttp library
   #-----------------------------------------------------------------------------

diff --git a/src/XrdHttp/XrdHttpProtocol.cc b/src/XrdHttp/XrdHttpProtocol.cc
@@ -28,9 +28,9 @@
 #include "XProtocol/XProtocol.hh"
 #include "XrdOuc/XrdOucStream.hh"
 #include "XrdOuc/XrdOucEnv.hh"
-#include "XrdOuc/XrdOucPinLoader.hh"
+#include "XrdOuc/XrdOucGMap.hh"
 #include "XrdSys/XrdSysTimer.hh"
-
+#include "XrdOuc/XrdOucPinLoader.hh"
 
 #include "XrdHttpTrace.hh"
 #include "XrdHttpProtocol.hh"
@@ -81,6 +81,10 @@ bool XrdHttpProtocol::selfhttps2http = false;
 bool XrdHttpProtocol::isdesthttps = false;
 char *XrdHttpProtocol::sslcafile = 0;
 char *XrdHttpProtocol::secretkey = 0;
+
+char *XrdHttpProtocol::gridmap = 0;
+XrdOucGMap *XrdHttpProtocol::servGMap = 0;  // Grid mapping service
+
 int XrdHttpProtocol::sslverifydepth = 9;
 SSL_CTX *XrdHttpProtocol::sslctx = 0;
 BIO *XrdHttpProtocol::sslbio_err = 0;
@@ -284,48 +288,64 @@ XrdProtocol *XrdHttpProtocol::Match(XrdLink *lp) {
 
 
 int XrdHttpProtocol::GetVOMSData(XrdLink *lp) {
-
-
+  TRACEI(DEBUG, " Extracting auth info.");
+  
   SecEntity.host = GetClientIPStr();
 
+  X509 *peer_cert;
+
+  // No external plugin, hence we fill our XrdSec with what we can do here
+  peer_cert = SSL_get_peer_certificate(ssl);
+  TRACEI(DEBUG, " SSL_get_peer_certificate returned :" << peer_cert);
+  if (peer_cert && peer_cert->name) {
+
+    // Add the original DN to the moninfo. Not sure if it makes sense to parametrize this or not.
+    SecEntity.moninfo = strdup(peer_cert->name);
+
+    // Here we have the user DN, we try to translate it using the XrdSec functions and the gridmap
+    if (SecEntity.name) free(SecEntity.name);
+    if (servGMap) {  
+      SecEntity.name = (char *)malloc(128);
+      int e = servGMap->dn2user(peer_cert->name, SecEntity.name, 127, 0);
+      if ( !e ) {
+	TRACEI(DEBUG, " Mapping Username: " << peer_cert->name << " --> " << SecEntity.name);
+      }
+      else {
+	TRACEI(ALL, " Mapping Username: " << peer_cert->name << " Failed. err: " << e);
+	strncpy(SecEntity.name, peer_cert->name, 127);
+      }
+    }
+    else {
+      SecEntity.name = strdup(peer_cert->name);
+    }
+
+    TRACEI(DEBUG, " Setting link name: " << SecEntity.name);
+    lp->setID(SecEntity.name, 0);
+  }
+  else return 1;
+
+  if (peer_cert) X509_free(peer_cert);
 
 
+
   // Invoke our instance of the Security exctractor plugin
   // This will fill the XrdSec thing with VOMS info, if VOMS is
   // installed. If we have no sec extractor then do nothing, just plain https
   // will work.
-  if (secxtractor) secxtractor->GetSecData(lp, SecEntity, ssl);
-  else {
-
-      X509 *peer_cert;
-
-      // No external plugin, hence we fill our XrdSec with what we can do here
-      peer_cert = SSL_get_peer_certificate(ssl);
-      TRACEI(DEBUG, " SSL_get_peer_certificate returned :" << peer_cert);
-      if (peer_cert && peer_cert->name) {
-
-          TRACEI(DEBUG, " Setting Username :" << peer_cert->name);
-          lp->setID(peer_cert->name, 0);
-
-          // Here we should fill the SecEntity instance with the DN and the voms stuff
-          SecEntity.name = strdup((char *) peer_cert->name);
-
-        }
-
-      if (peer_cert) X509_free(peer_cert);
-    }
-
+  if (secxtractor)
+    secxtractor->GetSecData(lp, SecEntity, ssl);
+
   return 0;
 }
-
+  
 char *XrdHttpProtocol::GetClientIPStr() {
   char buf[256];
   buf[0] = '\0';
   if (!Link) return strdup("unknown");
   XrdNetAddrInfo *ai = Link->AddrInfo();
   if (!ai) return strdup("unknown");
 
-  if (!Link->AddrInfo()->Format(buf, 255, XrdNetAddrInfo::fmtAddr)) return strdup("unknown");
+  if (!Link->AddrInfo()->Format(buf, 255, XrdNetAddrInfo::fmtAddr, XrdNetAddrInfo::noPort)) return strdup("unknown");
 
   return strdup(buf);
 }
@@ -407,8 +427,12 @@ int XrdHttpProtocol::Process(XrdLink *lp) // We ignore the argument here
       BIO_set_nbio(sbio, 0);
 
       // Get the voms string and auth information
-      GetVOMSData(Link);
-
+      if (GetVOMSData(Link)) {
+          SSL_free(ssl);
+          ssl = 0;
+          return -1;
+      }
+
       ERR_print_errors(sslbio_err);
       res = SSL_get_verify_result(ssl);
       TRACEI(DEBUG, " SSL_get_verify_result returned :" << res);
@@ -592,7 +616,11 @@ int XrdHttpProtocol::Process(XrdLink *lp) // We ignore the argument here
 
   // Now we have everything that is needed to try the login
   if (!Bridge) {
-    Bridge = XrdXrootd::Bridge::Login(&CurrentReq, Link, &SecEntity, "unnamed", "XrdHttp");
+    if (SecEntity.name)
+      Bridge = XrdXrootd::Bridge::Login(&CurrentReq, Link, &SecEntity, SecEntity.name, "XrdHttp");
+    else
+      Bridge = XrdXrootd::Bridge::Login(&CurrentReq, Link, &SecEntity, "unknown", "XrdHttp");
+
     if (!Bridge) {
       TRACEI(REQ, " Autorization failed.");
       return -1;
@@ -703,6 +731,7 @@ int XrdHttpProtocol::Config(const char *ConfigFN) {
       else if TS_Xeq("cert", xsslcert);
       else if TS_Xeq("key", xsslkey);
       else if TS_Xeq("cadir", xsslcadir);
+      else if TS_Xeq("gridmap", xgmap);
       else if TS_Xeq("cafile", xsslcafile);
       else if TS_Xeq("secretkey", xsecretkey);
       else if TS_Xeq("desthttps", xdesthttps);
@@ -1350,17 +1379,40 @@ int XrdHttpProtocol::InitSecurity() {
       exit(1);
     }
   }
-
+
+
+
+
+
   //eDest.Say(" Setting verify depth to ", itoa(sslverifydepth), "'.");
   SSL_CTX_set_verify_depth(sslctx, sslverifydepth);
   ERR_print_errors(sslbio_err);
   //SSL_CTX_set_verify(sslctx,
   //        SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verify_callback);
   SSL_CTX_set_verify(sslctx,
-          SSL_VERIFY_PEER, verify_callback);
-
-
-
+		     SSL_VERIFY_PEER, verify_callback);
+
+
+
+
+  //
+  // Check existence of GRID map file
+  if (gridmap) {
+
+    // Initialize the GMap service
+    //
+    XrdOucString pars;
+    if (XrdHttpTrace->What == TRACE_DEBUG) pars += "dbg|";
+
+    if (!(servGMap = XrdOucgetGMap(&eDest, gridmap, pars.c_str()))) {
+      	eDest.Say("Error loading grid map file:", gridmap);
+	exit(1);
+    } else {
+      TRACE(ALL, "using grid map file: "<< gridmap);        
+    } 
+
+  }
+
   if (secxtractor) secxtractor->Init(sslctx, XrdHttpTrace->What);
 
   ERR_print_errors(sslbio_err);
@@ -1386,14 +1438,13 @@ void XrdHttpProtocol::Cleanup() {
      SSL_free(ssl);
   }
 
-
   ssl = 0;
   sbio = 0;
 
-
   if (SecEntity.vorg) free(SecEntity.vorg);
   if (SecEntity.name) free(SecEntity.name);
   if (SecEntity.host) free(SecEntity.host);
+  if (SecEntity.moninfo) free(SecEntity.moninfo);
 
   memset(&SecEntity, 0, sizeof (SecEntity));
 
@@ -1549,6 +1600,43 @@ int XrdHttpProtocol::xsslkey(XrdOucStream & Config) {
 }
 
 
+
+
+/******************************************************************************/
+/*                                     x g m a p                              */
+/******************************************************************************/
+
+/* Function: xgmap
+
+   Purpose:  To parse the directive: gridmap <path>
+
+             <path>    the path of the gridmap file to be used. Normally
+			it's /etc/grid-security/gridmap
+			No mapfile means no translation required
+			Pointing to a non existing mapfile is an error
+
+  Output: 0 upon success or !0 upon failure.
+ */
+
+int XrdHttpProtocol::xgmap(XrdOucStream & Config) {
+  char *val;
+
+  // Get the path
+  //
+  val = Config.GetWord();
+  if (!val || !val[0]) {
+    eDest.Emsg("Config", "HTTP X509 gridmap file location not specified");
+    return 1;
+  }
+
+  // Record the path
+  //
+  if (gridmap) free(gridmap);
+  gridmap = strdup(val);
+
+  return 0;
+}
+
 /******************************************************************************/
 /*                                 x s s l c a f i l e                        */
 /******************************************************************************/

diff --git a/src/XrdHttp/XrdHttpProtocol.hh b/src/XrdHttp/XrdHttpProtocol.hh
@@ -68,6 +68,7 @@ class XrdLink;
 class XrdXrootdProtocol;
 class XrdHttpSecXtractor;
 struct XrdVersionInfo;
+class XrdOucGMap;
 
 
 class XrdHttpProtocol : public XrdProtocol {
@@ -162,6 +163,7 @@ private:
   static int xembeddedstatic(XrdOucStream &Config);
   static int xstaticredir(XrdOucStream &Config);
   static int xstaticpreload(XrdOucStream &Config);
+  static int xgmap(XrdOucStream &Config);
   static int xsslcafile(XrdOucStream &Config);
   static int xsslverifydepth(XrdOucStream &Config);
   static int xsecretkey(XrdOucStream &Config);
@@ -255,6 +257,10 @@ protected:
   /// Authentication area
   XrdSecEntity SecEntity;
 
+
+  /// The instance of the DN mapper. Created only when a valid path is given
+  static XrdOucGMap      *servGMap;  // Grid mapping service
+
   /// The Bridge that we use to exercise the xrootd internals
   XrdXrootd::Bridge *Bridge;
 
@@ -289,6 +295,9 @@ protected:
   /// OpenSSL stuff
   static char *sslcert, *sslkey, *sslcadir, *sslcafile;
 
+  /// Gridmap file location. The same used by XrdSecGsi
+  static char *gridmap;// [s] gridmap file [/etc/grid-security/gridmap]
+
   /// The key used to calculate the url hashes
   static char *secretkey;
 

diff --git a/src/XrdHttp/XrdHttpReq.cc b/src/XrdHttp/XrdHttpReq.cc
@@ -1404,18 +1404,31 @@ int XrdHttpReq::PostProcessHTTPReq(bool final_) {
           else
             stringresp += prot->Link->ID;
 
+	  if (prot->SecEntity.vorg ||
+	      prot->SecEntity.moninfo ||
+	      prot->SecEntity.role)
+		stringresp += " (";
+
           if (prot->SecEntity.vorg) {
-            stringresp += " (VO: ";
+            stringresp += " VO: ";
             stringresp += prot->SecEntity.vorg;
-
           }
-
+
+	  if (prot->SecEntity.moninfo) {
+            stringresp += " DN: ";
+            stringresp += prot->SecEntity.moninfo;
+          }
+
           if (prot->SecEntity.role) {
             stringresp += " Role: ";
             stringresp += prot->SecEntity.role;
-            stringresp += " )";
           }
 
+ 	  if (prot->SecEntity.vorg ||
+	      prot->SecEntity.moninfo ||
+	      prot->SecEntity.role)
+		stringresp += " )";
+
           if (prot->SecEntity.host) {
             stringresp += " ( ";
             stringresp += prot->SecEntity.host;

diff --git a/src/XrdHttp/xrootd-http.cf b/src/XrdHttp/xrootd-http.cf
@@ -7,14 +7,16 @@
 
 
 if exec xrootd
-   xrd.protocol XrdHttp /usr/lib64/libXrdHttp.so.1 
+   xrd.protocol XrdHttp /usr/local/lib/libXrdHttp.so
 fi
 
 http.cert /etc/grid-security/hostcert.pem
 http.key /etc/grid-security/hostkey.pem
 http.cadir /etc/grid-security/certificates
 http.secretkey CHANGEME
-#http.secxtractor /usr/lib64/libXrdHttpVOMS.so.1
+#http.gridmap /etc/grid-security/mapfile
+#http.secxtractor /usr/lib64/libXrdHttpVOMS.so
+#http.selfhttps2http yes
 
 # As an example of preloading files, let's preload in memory
 # the /etc/services and /etc/hosts files
@@ -23,6 +25,9 @@ http.staticpreload /static/services_preload1 /etc/services
 http.staticpreload /static/services_preload2 /etc/services
 http.staticpreload /static/hosts_preload /etc/hosts
 
+#
+# Usual basic xrd stuff
+#
 all.role server
 all.manager pcitgt02.cern.ch:1213
 all.export /