Add support for VOMS mapfile

src/XrdHttp/XrdHttpSecurity.cc

@@ -26,6 +26,7 @@
 #include "XrdCrypto/XrdCryptoX509Chain.hh"
 #include "XrdCrypto/XrdCryptosslAux.hh"
 #include "XrdCrypto/XrdCryptoFactory.hh"
+#include "XrdSec/XrdSecEntityAttr.hh"
 #include "XrdTls/XrdTlsPeerCerts.hh"
 #include "XrdTls/XrdTlsContext.hh"
 #include "XrdOuc/XrdOucGMap.hh"
@@ -164,6 +165,7 @@ XrdHttpProtocol::HandleGridMap(XrdLink* lp)
       TRACEI(DEBUG, " Mapping name: '" << SecEntity.moninfo << "' --> " << bufname);
       if (SecEntity.name) free(SecEntity.name);
       SecEntity.name = strdup(bufname);
+      SecEntity.eaAPI->Add("gridmap.name", "1", true);
     }
     else {
       TRACEI(ALL, " Mapping name: " << SecEntity.moninfo << " Failed. err: " << mape);

src/XrdSecgsi/XrdSecProtocolgsi.cc

@@ -43,6 +43,7 @@
 #include "XrdVersion.hh"
 
 #include "XrdNet/XrdNetAddr.hh"
+#include "XrdSec/XrdSecEntityAttr.hh"
 #include "XrdSys/XrdSysHeaders.hh"
 #include "XrdSys/XrdSysLogger.hh"
 #include "XrdSys/XrdSysError.hh"
@@ -1953,6 +1954,7 @@ int XrdSecProtocolgsi::Authenticate(XrdSecCredentials *cred,
                DEBUG("user mapping lookup successful: name is '"<<name<<"'");
             }
             Entity.name = strdup(name.c_str());
+            Entity.eaAPI->Add("gridmap.name", "1", true);
          }
       }
       // If not set, use DN

src/XrdVoms.cmake

@@ -13,6 +13,7 @@ add_library(
    ${LIB_XRD_VOMS}
    MODULE
    ${CMAKE_SOURCE_DIR}/src/XrdVoms/XrdVomsFun.cc
+   ${CMAKE_SOURCE_DIR}/src/XrdVoms/XrdVomsMapfile.cc
    ${CMAKE_SOURCE_DIR}/src/XrdVoms/XrdVomsgsi.cc
    ${CMAKE_SOURCE_DIR}/src/XrdVoms/XrdVomsHttp.cc )
 

src/XrdVoms/README.md

@@ -0,0 +1,91 @@
+
+VOMS Mapping
+============
+
+The VOMS plugin can now populate the XRootD session's `name` attribute from a
+mapping file (the "voms-mapfile").  Filesystems which rely on the username
+in addition to the XRootD authorization can utilize this name to make authorization
+and file ownership decisions.
+
+Note the plugins have the following precedence for the `name` attribute:
+
+- Explicit entry in the grid-mapfile.
+- Entry in the voms-mapfile.
+- Default auto-generated name for the grid mapfile.
+
+Administrators may desire to disable the auto-generated name as it likely does
+not match any Unix username on the system.
+
+Configuration
+-------------
+
+There are two configuration options that control the plugin:
+
+```
+voms.mapfile FILENAME
+```
+
+Enables the mapping functionality and uses the file at FILENAME as the voms-mapfile.
+The mapfile is reloaded every 30 seconds; the daemon does not need to be restarted
+to pick up changes.
+
+```
+voms.trace [none|all|debug|info|warning|error]+
+```
+
+Enable debugging of the VOMS mapfile logic.  Options are additive and multiple can be
+given.
+
+Format and Matching Details
+---------------------------
+
+The file format ignores empty lines; a line beginning with the hash (`#`) are considered
+comments and ignored.
+
+Otherwise, each line specifies a mapping from an expression to a Unix username in the
+following form:
+
+```
+"EXPRESSION" USERNAME
+```
+
+If the session has a VOMS FQAN matching EXPRESSION then the session's name will be set
+to USERNAME.
+
+Examples of the EXPRESSION include:
+
+```
+/cms/Role=production/Capability=NULL
+/atlas/usatlas/Role=pilot/Capability=NULL
+```
+
+Expressions may also have wildcards (`*`) present.  The wildcard can serve as
+two roles:
+
+- If the expression ends with `/*`, then any remaining portion of the attribute
+  is matched.  For example, `/cms/*` matches `/cms/Role=NULL/Capability=NULL` and
+  `/cms/uscms/Role=pilot/Capability=NULL`.
+- If the wildcard is inside a path hierarchy, it allows any character inisde the
+  path.  For example, `/fermilab/*/Role=pilot/Capability=NULL` matches both
+  `/fermilab/dune/Role=pilot/Capability=NULL` and `/fermilab/des/Role=pilot/Capability=NULL`
+  but not `/fermilab/Role=pilot/Capability=NULL`.
+
+Several escape sequences are supported within the expression:
+
+- `\'`: a single quote character (`'`).
+- `\"`: a double quote character (`"`).
+- `\\`: a backwards slash (`\`).
+- `\/`: a forward slash that is not a path separator (`/`)
+- `\f`: a formfeed
+- `\n`: a newline
+- `\r`: a carriage return
+- `\t`: a tab character.
+
+The use of these escape sequences are discouraged as it's unclear whether other software
+is able to safely handle them.  Unicode and extended 8-bit ASCII are not supported at this
+time.
+
+Note, as is tradition, the name of the VO in the VOMS FQAN must match the first group name.
+That is, if the `cms` VO issues a FQAN of the form `/atlas/Role=pilot/Capability=NULL` then
+the FQAN is ignored.
+

src/XrdVoms/XrdVomsFun.cc

@@ -41,6 +41,7 @@
 #include "XrdVoms.hh"
 #include "XrdVomsFun.hh"
 #include "XrdVomsTrace.hh"
+#include "XrdVomsMapfile.hh"
 
 #ifdef HAVE_XRDCRYPTO
 #include "XrdCrypto/XrdCryptoX509.hh"
@@ -380,7 +381,13 @@ int XrdVomsFun::VOMSFun(XrdSecEntity &ent)
    // Success or failure?
    int rc = !ent.vorg ? -1 : 0;
    if (rc == 0 && gGrps.Num() && !ent.grps) rc = -1;
-
+
+   // If we have a mapfile object, apply the mapping now.
+   if (m_mapfile) {
+       auto mapfile_rc = m_mapfile->Apply(ent);
+       rc = rc ? rc : mapfile_rc;
+   }
+
    // Done
    return rc;
 }
@@ -592,6 +599,13 @@ int XrdVomsFun::VOMSInit(const char *cfg)
    if (gVOs.Num() > 0) {PRINT("+++ VO(s):        "<< voss);}
       else             {PRINT("+++ VO(s):         all");}
    PRINT("+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++");
+
+   m_mapfile = XrdVomsMapfile::Configure(&gDest);
+   if (m_mapfile == VOMS_MAP_FAILED) {
+      aOK = false;
+      PRINT("VOMS mapfile requested but initialization failed; failing VOMS plugin config.");
+   }
+
    // Done
    return (aOK ? gCertFmt : -1);
 }

src/XrdVoms/XrdVomsFun.hh

@@ -38,6 +38,7 @@
 class XrdSecEntity;
 class XrdSysError;
 class XrdSysLogger;
+class XrdVomsMapfile;
 
 class XrdVomsFun
 {
@@ -82,5 +83,7 @@ XrdOucString    gVoFmt;           // format contents of XrdSecEntity::vorg
 
 XrdSysError    &gDest;
 XrdSysLogger   *gLogger;
+
+XrdVomsMapfile *m_mapfile{nullptr};
 };
 #endif