Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[XrdSecztn] Add security library option to configure token validation… #1921

Closed
wants to merge 1 commit into from
Closed

[XrdSecztn] Add security library option to configure token validation… #1921

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
38 changes: 27 additions & 11 deletions src/XrdSecztn/XrdSecProtocolztn.cc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -107,6 +107,7 @@ inline uint64_t monotonic_time() {
/******************************************************************************/

int expiry = 1;
bool tokenlib = true;
}

/******************************************************************************/
Expand Down Expand Up @@ -631,8 +632,9 @@ int XrdSecProtocolztn::Authenticate(XrdSecCredentials *cred,
//
std::string msgRC;
long long eTime;
bool validated = false;
if (Entity.name) {free(Entity.name); Entity.name = 0;}
if (sthP->Validate(tResp->tkn, msgRC, (expiry ? &eTime : 0), &Entity))
if (tokenlib && sthP->Validate(tResp->tkn, msgRC, (expiry ? &eTime : 0), &Entity))
{if (expiry)
{if (eTime < 0 && expiry > 0)
{Fatal(erp, "'ztn' token expiry missing", EINVAL, false);
Expand All @@ -642,7 +644,11 @@ int XrdSecProtocolztn::Authenticate(XrdSecCredentials *cred,
{Fatal(erp, "'ztn' token expired", EINVAL, false);
return -1;
}
}
validated = true;
}
if (!tokenlib || validated)
{
Entity.credslen = strlen(tResp->tkn);
if (Entity.creds) free(Entity.creds);
Entity.creds = (char *)malloc(Entity.credslen+1);
Expand Down Expand Up @@ -744,7 +750,12 @@ char *XrdSecProtocolztnInit(const char mode,
{Fatal(erp, "-acclib plugin path missing", EINVAL);
return 0;
}
accPlugin = val;
if (strcmp(val,"none"))
{accPlugin = val;
}
else
{tokenlib = false;
}
}

else {XrdOucString eTxt("Invalid parameter - "); eTxt += val;
Expand All @@ -753,11 +764,12 @@ char *XrdSecProtocolztnInit(const char mode,
}
}

// We rely on the token authorization plugin to validate tokens. Load it to
// We rely on the token authorization plugin to validate tokens unless
// it is disabled using '-tokenlib none'. If active load it to
// get the validation object pointer. This will be filled in later but we
// want to know that it's actually present.
//
if (!getLinkage(erp, accPlugin.c_str())) return 0;
if (tokenlib && !getLinkage(erp, accPlugin.c_str())) return 0;

// Assemble the parameter line and return it
//
Expand Down Expand Up @@ -799,16 +811,20 @@ XrdSecProtocol *XrdSecProtocolztnObject(const char mode,
return 0;
}

XrdSciTokensHelper *sthP= nullptr;
if (tokenlib)
{
// In server mode we need to make sure the token plugin was actually
// loaded and initialized as we need a pointer to the helper.
//
XrdSciTokensHelper *sthP= *sth_Linkage;
if (!sthP)
{char msg[1024];
snprintf(msg,sizeof(msg),"ztn required plugin (%s) has not been loaded!",
sth_piName);
Fatal(erp, msg, EIDRM,false);
return 0;
sthP= *sth_Linkage;
if (!sthP)
{char msg[1024];
snprintf(msg,sizeof(msg),"ztn required plugin (%s) has not been loaded!",
sth_piName);
Fatal(erp, msg, EIDRM,false);
return 0;
}
}

// Get an authentication object and return it
Expand Down