
0001 // @(#)root/auth:$Id$
0002 // Author: Fons Rademakers   26/11/2000
0003 
0004 /*************************************************************************
0005  * Copyright (C) 1995-2000, Rene Brun and Fons Rademakers.               *
0006  * All rights reserved.                                                  *
0007  *                                                                       *
0008  * For the licensing terms see $ROOTSYS/LICENSE.                         *
0009  * For the list of contributors see $ROOTSYS/README/CREDITS.             *
0010  *************************************************************************/
0011 
0012 #ifndef ROOT_TAuthenticate
0013 #define ROOT_TAuthenticate
0014 
0015 
0016 //////////////////////////////////////////////////////////////////////////
0017 //                                                                      //
0018 // TAuthenticate                                                        //
0019 //                                                                      //
0020 // An authentication module for ROOT based network services, like rootd //
0021 // and proofd.                                                          //
0022 //                                                                      //
0023 //////////////////////////////////////////////////////////////////////////
0024 
0025 #include "TObject.h"
0026 #include "TString.h"
0027 #include "TList.h"
0028 #include "TDatime.h"
0029 #ifndef ROOT_rsafun
0030 //#include "rsafun.h"
0031 #endif
0032 #include "AuthConst.h"
0033 
// Forward declarations: only pointers/references to these types appear below,
// so the full definitions are not needed by users of this header.
class TAuthenticate;
class THostAuth;
class TPluginHandler;
class TSocket;
class TRootSecContext;
class TVirtualMutex;

// Callback used by TAuthenticate::AuthExists() to validate an existing security
// context for a subject before it is reused.
typedef Int_t (*CheckSecCtx_t)(const char *subj, TRootSecContext *ctx);
// Signatures of the externally provided authentication hooks. They are installed
// with TAuthenticate::SetGlobusAuthHook() / SetKrb5AuthHook() / SetSecureAuthHook()
// and kept in the matching fg*AuthHook statics; each receives the calling
// TAuthenticate and fills in the user and method details (`det`).
typedef Int_t (*GlobusAuth_t)(TAuthenticate *auth, TString &user, TString &det);
typedef Int_t (*Krb5Auth_t)(TAuthenticate *auth, TString &user, TString &det, Int_t version);
// SecureAuth_t additionally receives the password and the remote host name.
typedef Int_t (*SecureAuth_t)(TAuthenticate *auth, const char *user, const char *passwd,
                              const char *remote, TString &det, Int_t version);

// Process-wide mutex; presumably guards the static (fg*) authentication state
// of TAuthenticate — confirm in TAuthenticate.cxx.
R__EXTERN TVirtualMutex *gAuthenticateMutex;

// Opaque RSA types so that the RSA implementation is not exposed through this header.
struct R__rsa_KEY; // opaque replacement for rsa_KEY
struct R__rsa_KEY_export; // opaque replacement for rsa_KEY_export
struct R__rsa_NUMBER; // opaque replacement for rsa_NUMBER
0052 
class TAuthenticate : public TObject {

// These classes access the private state below (e.g. the fg*AuthHook statics and
// the per-connection fields); keep that in mind when changing member visibility.
friend class TRootAuth;
friend class TRootSecContext;
friend class TSocket;

public:
   // Authentication method selector. The integer value is also what
   // GetAuthMethod(Int_t idx) / GetAuthMethodIdx(const char *meth) map to and from
   // (presumably indexing fgAuthMeth — confirm).
   enum ESecurity { kClear, kUnsupported, kKrb5, kGlobus, kSSH, kRfio }; // type of authentication

private:
   TString      fDetails;     // logon details (method dependent ...)
   THostAuth   *fHostAuth;    // pointer to relevant authentication info
   TString      fPasswd;      // user's password
                              // NOTE(review): cleartext password (or hash, see fPwHash) kept for the
                              // object lifetime; ~TAuthenticate() is empty so nothing scrubs it —
                              // confirm whether TAuthenticate.cxx clears it after use
   TString      fProtocol;    // remote service (rootd, proofd)
   Bool_t       fPwHash;      // kTRUE if fPasswd is a passwd hash
   TString      fRemote;      // remote host to which we want to connect
   Int_t        fRSAKey;      // Type of RSA key used
   TRootSecContext *fSecContext;  // pointer to relevant sec context
   ESecurity    fSecurity;    // actual logon security level
   TSocket     *fSocket;      // connection to remote daemon
   Int_t        fVersion;     // 0,1,2, ... accordingly to remote daemon version
   TString      fUser;        // user to be authenticated
   Int_t        fTimeOut;     // timeout flag (reported by HasTimedOut())

   // Generate the RSA key pair (presumably into fgRSAPriKey/fgRSAPubKey — confirm).
   Int_t        GenRSAKeys();
   Bool_t       GetPwHash() const { return fPwHash; }
   Int_t        GetRSAKey() const { return fRSAKey; }
   ESecurity    GetSecurity() const { return fSecurity; }
   // SRP support is compiled out: always false, regardless of the srppwd flags passed around.
   Bool_t       GetSRPPwd() const { return false; }
   // Note: takes `user` by value (copies the TString).
   const char  *GetSshUser(TString user) const;
   Int_t        GetVersion() const { return fVersion; }
   // Clear-text (kClear) authentication; user/passwd/pwhash are passed by reference
   // and presumably updated with what was actually used — confirm.
   Int_t        ClearAuth(TString &user, TString &passwd, Bool_t &pwhash);
   // Obtain the user name and password for this session (prompting, .netrc, globals);
   // the exact lookup order is not visible in this header.
   Bool_t       GetUserPasswd(TString &user, TString &passwd,
                              Bool_t &pwhash, Bool_t srppwd);
   // Random string of length Len; Opt selects the character set (assumed).
   // Ownership of the returned buffer is not visible here — confirm against the .cxx.
   char        *GetRandString(Int_t Opt,Int_t Len);
   Int_t        ProofAuthSetup();
   Int_t        RfioAuth(TString &user);
   void         SetEnvironment();
   Int_t        SshAuth(TString &user);
   // Inspect the ssh error output file named by errfile.
   Int_t        SshError(const char *errfile);

   // Process-wide state shared by all TAuthenticate instances (see gAuthenticateMutex).
   static TList          *fgAuthInfo;       // Presumably list of THostAuth (cf. fgProofAuthInfo) — confirm
   static TString         fgAuthMeth[kMAXSEC]; // Method names, one per ESecurity value (kMAXSEC not defined here; presumably AuthConst.h)
   static Bool_t          fgAuthReUse;      // kTRUE is ReUse required
   static TString         fgDefaultUser;    // Default user information
   static TDatime         fgExpDate;        // Expiring date for new security contexts
   static GlobusAuth_t    fgGlobusAuthHook; // Installed by SetGlobusAuthHook()
   static Krb5Auth_t      fgKrb5AuthHook;   // Installed by SetKrb5AuthHook()
   static TString         fgKrb5Principal;  // Principal for Krb5 ticket
   static TDatime         fgLastAuthrc;     // Time of last reading of fgRootAuthrc
   static TString         fgPasswd;         // Global password (or hash, see fgPwHash) set by SetGlobalPasswd()
   static TPluginHandler *fgPasswdDialog;   // Passwd dialog GUI plugin
   static Bool_t          fgPromptUser;     // kTRUE if user prompt required
   static TList          *fgProofAuthInfo;  // Specific lists of THostAuth for proof
   static Bool_t          fgPwHash;         // kTRUE if fgPasswd is a passwd hash
   static Bool_t          fgReadHomeAuthrc; // kTRUE to look for $HOME/.rootauthrc
   static TString         fgRootAuthrc;     // Path to last rootauthrc-like file read
   static Int_t           fgRSAKey;         // Default type of RSA key to be tried
   static Int_t           fgRSAInit;        // RSA initialisation state, see GetRSAInit()/SetRSAInit()
   static R__rsa_KEY         fgRSAPriKey;   // RSA private key (opaque)
   static R__rsa_KEY         fgRSAPubKey;   // RSA public key (opaque)
   static R__rsa_KEY_export* fgRSAPubExport; // array of size [2]; presumably one entry per key type, cf. GetRSAPubExport(key)
   static SecureAuth_t    fgSecAuthHook;    // Installed by SetSecureAuthHook()
   static TString         fgUser;           // Global user name, see GetGlobalUser()/SetGlobalUser()
   static Bool_t          fgUsrPwdCrypt;    // kTRUE if encryption for UsrPwd is required
   static Int_t           fgLastError;      // Last error code processed by AuthError()
   static Int_t           fgAuthTO;         // if > 0, timeout in sec
   static Int_t           fgProcessID;      // ID of the main thread as unique identifier

   // Compare a host specification (Host) with an actual host name (host).
   static Bool_t          CheckHost(const char *Host, const char *host);

   // Expand the file fin into the already-open temporary stream ftmp.
   static void            FileExpand(const char *fin, FILE *ftmp);
   static Int_t           ProofAuthSetup(TSocket *sock, Bool_t client);
   static void            RemoveSecContext(TRootSecContext *ctx);

public:
   // sock: connection to the remote daemon; remote: host to connect to;
   // proto: remote service name (rootd, proofd); user: user to authenticate
   // (empty means "not specified").
   TAuthenticate(TSocket *sock, const char *remote, const char *proto,
                 const char *user = "");
   // Empty: does not delete fHostAuth/fSecContext/fSocket and does not scrub fPasswd.
   virtual ~TAuthenticate() {}

   // Perform the authentication with the remote daemon.
   Bool_t             Authenticate();
   // Check whether a usable security context already exists for User/method;
   // funcheck validates a candidate context, Message/Rflag are output parameters
   // (their exact meaning is not visible in this header).
   Int_t              AuthExists(TString User, Int_t method, const char *Options,
                          Int_t *Message, Int_t *Rflag, CheckSecCtx_t funcheck);
   // Timeout handler; its effect is reported by HasTimedOut().
   void               CatchTimeOut();
   // Look up credentials in a .netrc-style file (assumed from the name — confirm).
   Bool_t             CheckNetrc(TString &user, TString &passwd);
   Bool_t             CheckNetrc(TString &user, TString &passwd,
                                 Bool_t &pwhash, Bool_t srppwd);
   THostAuth         *GetHostAuth() const { return fHostAuth; }
   const char        *GetProtocol() const { return fProtocol; }
   const char        *GetRemoteHost() const { return fRemote; }
   Int_t              GetRSAKeyType() const { return fRSAKey; }
   TRootSecContext       *GetSecContext() const { return fSecContext; }
   TSocket           *GetSocket() const { return fSocket; }
   const char        *GetUser() const { return fUser; }
   Int_t              HasTimedOut() const { return fTimeOut; }
   void               SetRSAKeyType(Int_t key) { fRSAKey = key; }
   // Stores the pointer only; ownership of ctx stays with the caller.
   void               SetSecContext(TRootSecContext *ctx) { fSecContext = ctx; }

   // Report an authentication error raised in `where`; fgLastError records `error`.
   static void        AuthError(const char *where, Int_t error);
   static Bool_t      CheckProofAuth(Int_t cSec, TString &det);

   // Decode an exported RSA public key string into its numbers n and d;
   // rsassl is an optional extra output whose meaning is not visible here.
   static Int_t       DecodeRSAPublic(const char *rsapubexport, R__rsa_NUMBER &n,
                                      R__rsa_NUMBER &d, char **rsassl = nullptr);

   static TList      *GetAuthInfo();
   // Method name for an ESecurity index and the reverse lookup.
   static const char *GetAuthMethod(Int_t idx);
   static Int_t       GetAuthMethodIdx(const char *meth);
   static Bool_t      GetAuthReUse();
   static Int_t       GetClientProtocol();
   // Returns a char* whose ownership is not visible here — confirm against the .cxx.
   static char       *GetDefaultDetails(Int_t method, Int_t opt, const char *user);
   static const char *GetDefaultUser();
   static TDatime     GetGlobalExpDate();
   static Bool_t      GetGlobalPwHash();
   static Bool_t      GetGlobalSRPPwd();
   static const char *GetGlobalUser();
   static GlobusAuth_t GetGlobusAuthHook();
   // Look up the THostAuth for host/user; opt and Exact are documented in the .cxx.
   static THostAuth  *GetHostAuth(const char *host, const char *user="",
                                  Option_t *opt = "R", Int_t *Exact = nullptr);
   static const char *GetKrb5Principal();
   static Bool_t      GetPromptUser();
   static TList      *GetProofAuthInfo();
   static Int_t       GetRSAInit();
   static const char *GetRSAPubExport(Int_t key = 0);
   static THostAuth  *HasHostAuth(const char *host, const char *user,
                                  Option_t *opt = "R");
   static void        InitRandom();
   static void        MergeHostAuthList(TList *Std, TList *New, Option_t *Opt = "");
   // Interactive prompts; both return a char* whose ownership is not visible here — confirm.
   // The default prompt text of PromptPasswd() is part of the public interface.
   static char       *PromptPasswd(const char *prompt = "Password: ");
   static char       *PromptUser(const char *remote);
   static Int_t       ReadRootAuthrc();
   static void        RemoveHostAuth(THostAuth *ha, Option_t *opt = "");
   // Receive/send over Socket with optional decryption/encryption (dec/enc) using the
   // RSA key of type KeyType; Out is filled by SecureRecv (allocation/ownership not
   // visible here — confirm), In is the payload for SecureSend.
   static Int_t       SecureRecv(TSocket *Socket, Int_t dec,
                                 Int_t KeyType, char **Out);
   static Int_t       SecureSend(TSocket *Socket, Int_t enc,
                                 Int_t KeyType, const char *In);
   static Int_t       SendRSAPublicKey(TSocket *Socket, Int_t key = 0);
   static void        SetAuthReUse(Bool_t authreuse);
   static void        SetDefaultUser(const char *defaultuser);
   static void        SetGlobalExpDate(TDatime expdate);
   // Stores the password in the static fgPasswd (process-wide, see fgPwHash).
   static void        SetGlobalPasswd(const char *passwd);
   static void        SetGlobalPwHash(Bool_t pwhash);
   static void        SetGlobalSRPPwd(Bool_t srppwd);
   static void        SetGlobalUser(const char *user);
   // Install the external authentication hooks (see the *Auth_t typedefs).
   static void        SetGlobusAuthHook(GlobusAuth_t func);
   static void        SetKrb5AuthHook(Krb5Auth_t func);
   static void        SetPromptUser(Bool_t promptuser);
   static void        SetDefaultRSAKeyType(Int_t key);
   static void        SetReadHomeAuthrc(Bool_t readhomeauthrc); // for PROOF
   static void        SetRSAInit(Int_t init = 1);
   // Install a remote RSA public key from its export string of length klen.
   static Int_t       SetRSAPublic(const char *rsapubexport, Int_t klen);
   static void        SetSecureAuthHook(SecureAuth_t func);
   static void        SetTimeOut(Int_t to);
   static void        Show(Option_t *opt="S");

   ClassDefOverride(TAuthenticate,0)  // Class providing remote authentication service
};
0209 
0210 #endif