diff --git a/src/XrdHttp/XrdHttpProtocol.cc b/src/XrdHttp/XrdHttpProtocol.cc
index 490e255408d..7e904ca22c8 100644
--- a/src/XrdHttp/XrdHttpProtocol.cc
+++ b/src/XrdHttp/XrdHttpProtocol.cc
@@ -90,6 +90,7 @@ char *XrdHttpProtocol::secretkey = 0;
 char *XrdHttpProtocol::gridmap = 0;
 bool XrdHttpProtocol::isRequiredGridmap = false;
+bool XrdHttpProtocol::compatNameGeneration = false;
 int XrdHttpProtocol::sslverifydepth = 9;
 BIO *XrdHttpProtocol::sslbio_err = 0;
 XrdHttpSecXtractor *XrdHttpProtocol::secxtractor = 0;
@@ -1958,7 +1959,7 @@ int XrdHttpProtocol::xsslkey(XrdOucStream & Config) {
 /* Function: xgmap
- Purpose: To parse the directive: gridmap [required]
+ Purpose: To parse the directive: gridmap [required] [compatNameGeneration]
 required optional parameter which if present treats any grimap errors as fatal.
@@ -1993,6 +1994,19 @@ int XrdHttpProtocol::xgmap(XrdOucStream & Config) {
 }
 }
+ // Handle optional parameter "compatNameGeneration"
+ //
+ if (!strcmp(val, "compatNameGeneration")) {
+ compatNameGeneration = true;
+ val = Config.GetWord();
+ if (!val || !val[0]) {
+ eDest.Emsg("Config", "HTTP X509 gridmap file missing after "
+ "[compatNameGeneration] parameter");
+ return 1;
+ }
+ }
+
+
 // Record the path
 //
 if (gridmap) free(gridmap);
diff --git a/src/XrdHttp/XrdHttpProtocol.hh b/src/XrdHttp/XrdHttpProtocol.hh
index f14b622a1ec..51bea7e52de 100644
--- a/src/XrdHttp/XrdHttpProtocol.hh
+++ b/src/XrdHttp/XrdHttpProtocol.hh
@@ -161,9 +161,11 @@ private:
 int GetVOMSData(XrdLink *lp);
 // Handle gridmap file mapping if present
+ // Second argument is the OpenSSL hash of the EEC, if present; this allows
+ // a consistent fallback if the user is not in the mapfile.
 //
 // @return 0 if successful, otherwise !0
- int HandleGridMap(XrdLink* lp);
+ int HandleGridMap(XrdLink* lp, const char * eechash);
 /// Get up to blen bytes from the connection. Put them into mybuff.
 /// This primitive, for the way it is used, is not supposed to block 
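Review bot: The directive synopsis on the `+ Purpose:` line now lists `[compatNameGeneration]`, but the parameter description that follows still documents only `required`, so an operator reading this header is never told what the new keyword does or that it changes the identity assigned to DNs missing from the gridmap. Add an entry parallel to the `required` one, e.g. `compatNameGeneration  optional parameter which if present keeps the old DN-derived username for DNs not found in the gridmap instead of falling back to the certificate subject hash.` If xgmap only recognises the keyword after `required` (the `required` branch is outside this hunk), the header should state the accepted order as well.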
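Review bot: The new `strcmp(val, "compatNameGeneration")` check sits at the position reached after the earlier `required` handling, which is outside this hunk; if that branch consumes exactly one word, a configuration written as `gridmap compatNameGeneration required /path` will set the flag and then record the literal `required` as the gridmap path, silently pointing the mapping at a nonexistent file. I cannot confirm the earlier branch from the hunk alone, so please verify; if the keywords are meant to be order-independent, loop over `val` accepting either keyword until a non-keyword word is read, otherwise document the required order. The comparison also assumes `val` is non-null at this point, which the hunk does not show, so `if (val && !strcmp(val, "compatNameGeneration")) {` is the safer form.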
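Review bot: The added comment says the hash is passed `if present`, but the new call site in XrdHttpSecurity.cc rejects the connection when `EEChash()` returns null and `HandleGridMap` passes the pointer straight to `strdup`, so the real contract is that `eechash` must never be null. Say so, and say what the value is used for, so that a future caller does not pass null: `// Second argument is the OpenSSL hash of the EEC subject (must be non-null); when the DN is not in the mapfile and compatNameGeneration is off it becomes the username.` If `EEChash()` is OpenSSL's 32-bit X509_NAME_hash (not verifiable from this diff), distinct DNs can collide in it, and that limitation of the fallback identity belongs in this comment as well.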
@@ -366,7 +368,8 @@ protected:
 /// Gridmap file location. The same used by XrdSecGsi
 static char *gridmap;// [s] gridmap file [/etc/grid-security/gridmap]
 static bool isRequiredGridmap; // If true treat gridmap errors as fatal
-
+ static bool compatNameGeneration; // If true, utilize the old algorithm for username generation for unknown users.
+
 /// The key used to calculate the url hashes
 static char *secretkey;
diff --git a/src/XrdHttp/XrdHttpSecurity.cc b/src/XrdHttp/XrdHttpSecurity.cc
index 638045eb659..3670feac07f 100644
--- a/src/XrdHttp/XrdHttpSecurity.cc
+++ b/src/XrdHttp/XrdHttpSecurity.cc
@@ -116,8 +116,9 @@ XrdHttpProtocol::HandleAuthentication(XrdLink* lp)
 // Extract the DN for the current connection that will be used later on when
 // handling the gridmap file
 const char * dn = chain.EECname();
+ const char * eechash = chain.EEChash();
- if (!dn) {
+ if (!dn || !eechash) {
 // X509Chain doesn't assume it owns the underlying certs unless
 // you explicitly invoke the Cleanup method
 TRACEI(DEBUG, "Failed to extract DN information.");
@@ -130,10 +131,9 @@ XrdHttpProtocol::HandleAuthentication(XrdLink* lp)
 }
 SecEntity.moninfo = strdup(dn);
- TRACEI(DEBUG, " Subject name is : '" << SecEntity.moninfo << "'");
+ TRACEI(DEBUG, " Subject name is : '" << SecEntity.moninfo << "'; hash is " << eechash);
 // X509Chain doesn't assume it owns the underlying certs unless
 // you explicitly invoke the Cleanup method
- chain.Cleanup();
 if (GetVOMSData(lp)) {
 TRACEI(DEBUG, " No VOMS information for DN: " << SecEntity.moninfo);
@@ -141,11 +141,14 @@ XrdHttpProtocol::HandleAuthentication(XrdLink* lp)
 if (isRequiredXtractor) {
 eDest.Emsg(epname, "Failed extracting required VOMS info for DN: ", SecEntity.moninfo);
+ chain.Cleanup();
 return 1;
 }
 }
- return HandleGridMap(lp);
+ auto retval = HandleGridMap(lp, eechash);
+ chain.Cleanup();
+ return retval;
 }
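Review bot: The failure branch now fires when either the DN or the subject hash is missing, but the trace on the last line of the hunk still reports only `Failed to extract DN information.`, which sends an operator looking at the DN when it is `EEChash()` that returned null. Report which value was absent, e.g. `TRACEI(DEBUG, "Failed to extract DN information (dn " << (dn ? "ok" : "missing") << ", subject hash " << (eechash ? "ok" : "missing") << ").");`. The enclosing HandleAuthentication starts before this hunk and its cleanup of `chain` in this branch is not visible here.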
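Review bot: `chain.Cleanup()` is now deferred until after `HandleGridMap` returns, presumably because `eechash` points into chain-owned storage, but the release is done by hand on two exit paths, and any other early return between the call removed in the previous hunk and the new `auto retval` line would now leak the chain; that stretch of HandleAuthentication is not visible in the diff, so it needs checking. A scope guard removes the whole class of bug: declare `struct ChainGuard { decltype(chain) &c; ~ChainGuard() { c.Cleanup(); } } guard{chain};` right after the `!dn || !eechash` check, drop both explicit `chain.Cleanup()` calls, and end with `return HandleGridMap(lp, eechash);`. The guard's destructor runs after the return expression is evaluated, so `eechash` is still valid when HandleGridMap copies it with `strdup`, which is the ordering the hand-written version is trying to preserve.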
@@ -154,7 +157,7 @@ XrdHttpProtocol::HandleAuthentication(XrdLink* lp)
 /******************************************************************************/
 int
-XrdHttpProtocol::HandleGridMap(XrdLink* lp)
+XrdHttpProtocol::HandleGridMap(XrdLink* lp, const char * eechash)
 {
 EPNAME("HandleGridMap");
 char bufname[256];
@@ -178,6 +181,12 @@ XrdHttpProtocol::HandleGridMap(XrdLink* lp)
 }
 }
+ if (!SecEntity.name && !compatNameGeneration) {
+ TRACEI(DEBUG, " Will fallback name to subject hash: " << eechash);
+ SecEntity.name = strdup(eechash);
+ return 0;
+ }
+
 if (!SecEntity.name) {
 // Here we have the user DN, and try to extract an useful user name from it
 if (SecEntity.name) free(SecEntity.name);
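Review bot: The new fallback copies `eechash` with `strdup` without checking it, so `HandleGridMap` is only memory-safe if every caller performs the null check that HandleAuthentication now does; a guard inside the function is cheap and makes it safe on its own. The larger point is authorization: this branch grants an identity to any client whose certificate chain verifies but whose DN is absent from the gridmap, and if `EEChash()` is OpenSSL's subject-name hash (X509_NAME_hash, a 32-bit value) two distinct DNs can collide and will then share the same fallback username; I cannot tell from this diff which digest `EEChash()` returns, so please document it in this branch and, if it is the 32-bit hash, consider a longer digest of the canonical subject. The hash also only identifies the subject, not the issuing CA, so two CAs issuing the same DN map to one user unless the mapfile is consulted first; the gridmap lookup that precedes this hunk is outside it. The enclosing HandleGridMap continues past the end of the hunk.
```cpp
  if (!SecEntity.name && !compatNameGeneration) {
    // Fallback identity for DNs absent from the gridmap. NOTE(review): if
    // EEChash() is the 32-bit X509_NAME_hash, distinct DNs can collide and
    // would share this username -- confirm the digest width.
    if (!eechash || !eechash[0]) {
      TRACEI(DEBUG, " No subject hash available to derive a fallback name");
      return 1;
    }
    TRACEI(DEBUG, " Will fallback name to subject hash: " << eechash);
    SecEntity.name = strdup(eechash);
    return 0;
  }
  // … unchanged: compatNameGeneration DN-derived username path …
```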