From 581b26b207a686988eea32dda65e9e7aa97a2d3a Mon Sep 17 00:00:00 2001
From: Fabrizio Furano
Date: Tue, 21 Aug 2018 11:56:37 +0200
Subject: [PATCH] In the case of token-based http redirection, pass all the missing XrdSecEntity fields
---
 src/XrdHttp/XrdHttpProtocol.cc | 42 ++++++++++++++++++++++++--
 src/XrdHttp/XrdHttpReq.cc | 54 ++++++++++++++++++++++++++++++++++
 2 files changed, 94 insertions(+), 2 deletions(-)
diff --git a/src/XrdHttp/XrdHttpProtocol.cc b/src/XrdHttp/XrdHttpProtocol.cc
index c8ae6ae3ff6..ad90282616e 100644
--- a/src/XrdHttp/XrdHttpProtocol.cc
+++ b/src/XrdHttp/XrdHttpProtocol.cc
@@ -834,9 +834,47 @@ int XrdHttpProtocol::Process(XrdLink *lp) // We ignore the argument here
 TRACEI(REQ, " Setting dn: " << SecEntity.moninfo);
 }
- // TODO: compare the xrdhttphost with the real client IP
- // If they are different then reject
+ nfo = CurrentReq.opaque->Get("xrdhttprole");
+ if (nfo) {
+ TRACEI(DEBUG, " Setting role: " << nfo);
+ SecEntity.role = unquote(nfo);
+ TRACEI(REQ, " Setting role: " << SecEntity.role);
+ }
+ nfo = CurrentReq.opaque->Get("xrdhttpgrps");
+ if (nfo) {
+ TRACEI(DEBUG, " Setting grps: " << nfo);
+ SecEntity.grps = unquote(nfo);
+ TRACEI(REQ, " Setting grps: " << SecEntity.grps);
+ }
+
+ nfo = CurrentReq.opaque->Get("xrdhttpendorsements");
+ if (nfo) {
+ TRACEI(DEBUG, " Setting endorsements: " << nfo);
+ SecEntity.endorsements = unquote(nfo);
+ TRACEI(REQ, " Setting endorsements: " << SecEntity.endorsements);
+ }
+
+ nfo = CurrentReq.opaque->Get("xrdhttpcredslen");
+ if (nfo) {
+ TRACEI(DEBUG, " Setting credslen: " << nfo);
+ char *s1 = unquote(nfo);
+ if (s1 && s1[0]) {
+ SecEntity.credslen = atoi(s1);
+ TRACEI(REQ, " Setting credslen: " << SecEntity.credslen);
+ }
+ if (s1) free(s1);
+ }
+
+ if (SecEntity.credslen) {
+ nfo = CurrentReq.opaque->Get("xrdhttpcreds");
+ if (nfo) {
+ TRACEI(DEBUG, " Setting creds: " << nfo);
+ SecEntity.creds = unquote(nfo);
+ TRACEI(REQ, " Setting creds: " << SecEntity.creds);
+ }
+ }
+
 char hash[512];
 calcHashes(hash, CurrentReq.resource.c_str(), (kXR_int16) CurrentReq.request,
diff --git a/src/XrdHttp/XrdHttpReq.cc b/src/XrdHttp/XrdHttpReq.cc
index d89a089e90a..88e44cb215c 100644
--- a/src/XrdHttp/XrdHttpReq.cc
+++ b/src/XrdHttp/XrdHttpReq.cc
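Review bot: In XrdHttpProtocol::Process, `SecEntity.credslen` is taken from `atoi()` on the client-supplied `xrdhttpcredslen` value and is never reconciled with the length of the string that `unquote()` returns for `xrdhttpcreds`, so a negative, oversized or orphaned length (nonzero `credslen` with no `xrdhttpcreds` parameter) can end up in the entity and be trusted by later consumers of `creds`. I would derive it from the decoded data instead, `SecEntity.credslen = SecEntity.creds ? (int) strlen(SecEntity.creds) : 0;`, and reset it to 0 when `xrdhttpcreds` is absent. Both `TRACEI` calls in the creds branch write the credential itself to the trace output; logging only the length, e.g. `TRACEI(REQ, " Setting creds, len: " << SecEntity.credslen);`, avoids that. Whether role, grps, endorsements and creds are covered by the hash built in the `calcHashes` call that follows is not visible here; if they are not, these URL parameters are unauthenticated, and that should be confirmed before merge. Process starts and ends outside this hunk.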
@@ -730,6 +730,60 @@ void XrdHttpReq::appendOpaque(XrdOucString &s, XrdSecEntity *secent, char *hash,
 }
 }
+ if (secent->role) {
+ s += "&xrdhttprole=";
+ char *s1 = quote(secent->role);
+ if (s1) {
+ s += s1;
+ free(s1);
+ }
+ }
+
+ if (secent->grps) {
+ s += "&xrdhttpgrps=";
+ char *s1 = quote(secent->grps);
+ if (s1) {
+ s += s1;
+ free(s1);
+ }
+ }
+
+ if (secent->endorsements) {
+ s += "&xrdhttpendorsements=";
+ char *s1 = quote(secent->endorsements);
+ if (s1) {
+ s += s1;
+ free(s1);
+ }
+ }
+
+ if (secent->credslen) {
+ s += "&xrdhttpcredslen=";
+ char buf[16];
+ sprintf(buf, "%d", secent->credslen);
+ char *s1 = quote(buf);
+ if (s1) {
+ s += s1;
+ free(s1);
+ }
+ }
+
+ if (secent->credslen) {
+ if (secent->creds) {
+ s += "&xrdhttpcreds=";
+ // Apparently this string might be not 0-terminated (!)
+ char *zerocreds = strndup(secent->creds, secent->credslen);
+ if (zerocreds) {
+ char *s1 = quote(zerocreds);
+ if (s1) {
+ s += s1;
+ free(s1);
+ }
+ free(zerocreds);
+ }
+ }
+ }
+
 }
 }
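Review bot: In appendOpaque, `strndup(secent->creds, secent->credslen)` stops at the first zero byte, so for credentials that contain one the string sent as `xrdhttpcreds` is shorter than the `xrdhttpcredslen` already appended, and the receiving side in XrdHttpProtocol::Process stores that length unchanged. A negative `credslen` also passes the `if (secent->credslen)` test and reaches `strndup` as a very large size. I would merge the two credslen blocks, require `credslen > 0`, and emit the length of the copy that is actually encoded, as sketched below; credentials that are genuinely binary would need a binary-safe encoding rather than `quote()` on a C string. Separately, this places the credential in the redirect URL's query string, where it can be recorded by access logs and intermediaries, which deserves a comment at this spot and a decision on whether creds should be forwarded at all. appendOpaque starts and ends outside this hunk.

```cpp
  // … unchanged: role, grps and endorsements parameters …

  if (secent->creds && secent->credslen > 0) {
    // creds may not be 0-terminated: copy at most credslen bytes, then
    // advertise the length of what is actually encoded below.
    char *zerocreds = strndup(secent->creds, secent->credslen);
    if (zerocreds) {
      char buf[16];
      snprintf(buf, sizeof(buf), "%zu", strlen(zerocreds));
      char *s1 = quote(zerocreds);
      if (s1) {
        s += "&xrdhttpcredslen=";
        s += buf;
        s += "&xrdhttpcreds=";
        s += s1;
        free(s1);
      }
      free(zerocreds);
    }
  }
```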