
0001 // @(#)root/auth:$Id$
0002 // Author: Fons Rademakers   26/11/2000
0003 
0004 /*************************************************************************
0005  * Copyright (C) 1995-2000, Rene Brun and Fons Rademakers.               *
0006  * All rights reserved.                                                  *
0007  *                                                                       *
0008  * For the licensing terms see $ROOTSYS/LICENSE.                         *
0009  * For the list of contributors see $ROOTSYS/README/CREDITS.             *
0010  *************************************************************************/
0011 
0012 #ifndef ROOT_TAuthenticate
0013 #define ROOT_TAuthenticate
0014 
0015 
0016 //////////////////////////////////////////////////////////////////////////
0017 //                                                                      //
0018 // TAuthenticate                                                        //
0019 //                                                                      //
0020 // An authentication module for ROOT based network services, like rootd.//
0021 //                                                                      //
0022 //////////////////////////////////////////////////////////////////////////
0023 
0024 #include "TObject.h"
0025 #include "TString.h"
0026 #include "TList.h"
0027 #include "TDatime.h"
0028 #ifndef ROOT_rsafun
0029 //#include "rsafun.h"
0030 #endif
0031 #include "AuthConst.h"
0032 
// Forward declarations: this header only needs pointers and references to
// these types, so their full definitions are left to the users of the API.
class TAuthenticate;
class THostAuth;
class TPluginHandler;
class TSocket;
class TRootSecContext;
class TVirtualMutex;

// Signatures of the pluggable pieces of the authentication machinery.
//  - CheckSecCtx_t: callback handed to TAuthenticate::AuthExists() to decide
//    whether an existing security context may be reused.
//  - GlobusAuth_t / Krb5Auth_t / SecureAuth_t: back-end hooks installed with
//    TAuthenticate::SetGlobusAuthHook(), SetKrb5AuthHook() and
//    SetSecureAuthHook(); each returns an Int_t status and fills 'det' with
//    method-specific details (status values are defined by the hook
//    implementations, not here).
using CheckSecCtx_t = Int_t (*)(const char *subj, TRootSecContext *ctx);
using GlobusAuth_t  = Int_t (*)(TAuthenticate *auth, TString &user, TString &det);
using Krb5Auth_t    = Int_t (*)(TAuthenticate *auth, TString &user, TString &det, Int_t version);
using SecureAuth_t  = Int_t (*)(TAuthenticate *auth, const char *user, const char *passwd,
                                const char *remote, TString &det, Int_t version);

// Global mutex; presumably guards the static (process-wide) state of
// TAuthenticate - confirm the locking discipline in TAuthenticate.cxx.
R__EXTERN TVirtualMutex *gAuthenticateMutex;

// Opaque stand-ins for the rsa_KEY, rsa_KEY_export and rsa_NUMBER types of
// rsafun.h, so that this header does not have to include it.
struct R__rsa_KEY;
struct R__rsa_KEY_export;
struct R__rsa_NUMBER;
0051 
// TAuthenticate drives one authentication exchange with a remote ROOT daemon
// over fSocket.  The non-static members describe that single connection;
// the static members hold process-wide defaults (user, password, RSA keys,
// back-end hooks, timeouts) shared by every instance.
//
// NOTE(review): fPasswd and fgPasswd hold the password in cleartext unless
// the matching fPwHash/fgPwHash flag says they hold a hash, and the inline
// destructor below is empty, so nothing in this header overwrites them
// before the TString storage is released - confirm in TAuthenticate.cxx
// whether ClearAuth()/Authenticate() scrub them after use.
class TAuthenticate : public TObject {

// These classes get direct access to the private members, fPasswd included.
friend class TRootAuth;
friend class TRootSecContext;
friend class TSocket;

public:
   // Authentication method negotiated with the remote daemon.  ClearAuth(),
   // SshAuth() and RfioAuth() below, together with the Krb5/Globus hooks,
   // appear to be the per-method implementations (confirm in the .cxx).
   enum ESecurity { kClear, kUnsupported, kKrb5, kGlobus, kSSH, kRfio }; // type of authentication

private:
   TString      fDetails;     // logon details (method dependent ...)
   THostAuth   *fHostAuth;    // pointer to relevant authentication info
   TString      fPasswd;      // user's password (cleartext unless fPwHash is kTRUE)
   TString      fProtocol;    // remote service (rootd)
   Bool_t       fPwHash;      // kTRUE if fPasswd is a passwd hash
   TString      fRemote;      // remote host to which we want to connect
   Int_t        fRSAKey;      // Type of RSA key used
   TRootSecContext *fSecContext;  // pointer to relevant sec context
   ESecurity    fSecurity;    // actual logon security level
   TSocket     *fSocket;      // connection to remote daemon
   Int_t        fVersion;     // 0,1,2, ... accordingly to remote daemon version
   TString      fUser;        // user to be authenticated
   Int_t        fTimeOut;     // timeout flag (read back by HasTimedOut())

   // Private helpers, presumably driven by Authenticate(); the Int_t status
   // codes they return are defined in TAuthenticate.cxx, not here.
   Int_t        GenRSAKeys();
   Bool_t       GetPwHash() const { return fPwHash; }
   Int_t        GetRSAKey() const { return fRSAKey; }
   ESecurity    GetSecurity() const { return fSecurity; }
   Bool_t       GetSRPPwd() const { return false; }   // SRP is never reported as in use
   const char  *GetSshUser(TString user) const;
   Int_t        GetVersion() const { return fVersion; }
   Int_t        ClearAuth(TString &user, TString &passwd, Bool_t &pwhash);
   Bool_t       GetUserPasswd(TString &user, TString &passwd,
                              Bool_t &pwhash, Bool_t srppwd);
   // Returns a new string; ownership is not visible here - the caller
   // presumably has to free it, confirm in the .cxx.
   char        *GetRandString(Int_t Opt,Int_t Len);
   Int_t        RfioAuth(TString &user);
   void         SetEnvironment();
   Int_t        SshAuth(TString &user);
   Int_t        SshError(const char *errfile);

   // Process-wide state.  Access is presumably serialised through
   // gAuthenticateMutex - verify in TAuthenticate.cxx.
   static TList          *fgAuthInfo;       // presumably the list returned by GetAuthInfo()
   static TString         fgAuthMeth[kMAXSEC]; // method names; kMAXSEC presumably from AuthConst.h
   static Bool_t          fgAuthReUse;      // kTRUE is ReUse required
   static TString         fgDefaultUser;    // Default user information
   static TDatime         fgExpDate;        // Expiring date for new security contexts
   static GlobusAuth_t    fgGlobusAuthHook; // installed by SetGlobusAuthHook()
   static Krb5Auth_t      fgKrb5AuthHook;   // installed by SetKrb5AuthHook()
   static TString         fgKrb5Principal;  // Principal for Krb5 ticket
   static TDatime         fgLastAuthrc;     // Time of last reading of fgRootAuthrc
   static TString         fgPasswd;         // global password (cleartext unless fgPwHash is kTRUE)
   static TPluginHandler *fgPasswdDialog;   // Passwd dialog GUI plugin
   static Bool_t          fgPromptUser;     // kTRUE if user prompt required
   static Bool_t          fgPwHash;         // kTRUE if fgPasswd is a passwd hash
   static Bool_t          fgReadHomeAuthrc; // kTRUE to look for $HOME/.rootauthrc
   static TString         fgRootAuthrc;     // Path to last rootauthrc-like file read
   static Int_t           fgRSAKey;         // Default type of RSA key to be tried
   static Int_t           fgRSAInit;        // RSA initialisation state, set via SetRSAInit()
   static R__rsa_KEY         fgRSAPriKey;   // process-wide RSA private key
   static R__rsa_KEY         fgRSAPubKey;   // process-wide RSA public key
   static R__rsa_KEY_export* fgRSAPubExport; // array of size [2]; indexed by the 'key' argument of GetRSAPubExport()/SendRSAPublicKey()
   static SecureAuth_t    fgSecAuthHook;    // installed by SetSecureAuthHook()
   static TString         fgUser;           // global user name
   static Bool_t          fgUsrPwdCrypt;    // kTRUE if encryption for UsrPwd is required
   static Int_t           fgLastError;      // Last error code processed by AuthError()
   static Int_t           fgAuthTO;         // if > 0, timeout in sec
   static Int_t           fgProcessID;      // ID of the main thread as unique identifier

   // Presumably compares a host pattern with a concrete host name; the
   // matching rules are defined in the .cxx.
   static Bool_t          CheckHost(const char *Host, const char *host);

   // Expands the file 'fin' into the already-open temporary stream 'ftmp'.
   static void            FileExpand(const char *fin, FILE *ftmp);
   static void            RemoveSecContext(TRootSecContext *ctx);

public:
   // sock: open connection to the daemon; remote: its host name; proto: the
   // service name (e.g. rootd); user: optional user to authenticate as.
   // The arguments presumably end up in fSocket/fRemote/fProtocol/fUser.
   TAuthenticate(TSocket *sock, const char *remote, const char *proto,
                 const char *user = "");
   // Empty: fPasswd is destroyed by TString without being overwritten first.
   virtual ~TAuthenticate() {}

   // Runs the authentication exchange over fSocket; kTRUE presumably means
   // success (see the .cxx for the exact contract).
   Bool_t             Authenticate();
   // Looks for an existing, reusable security context for User/method;
   // 'funcheck' is consulted to validate a candidate context.  Message and
   // Rflag are output parameters whose meaning is defined in the .cxx.
   Int_t              AuthExists(TString User, Int_t method, const char *Options,
                          Int_t *Message, Int_t *Rflag, CheckSecCtx_t funcheck);
   void               CatchTimeOut();
   // Presumably looks up user/passwd in a .netrc-style file; the second form
   // also reports whether the entry is a hash and whether SRP was requested.
   Bool_t             CheckNetrc(TString &user, TString &passwd);
   Bool_t             CheckNetrc(TString &user, TString &passwd,
                                 Bool_t &pwhash, Bool_t srppwd);
   // Plain accessors for the per-connection state above.
   THostAuth         *GetHostAuth() const { return fHostAuth; }
   const char        *GetProtocol() const { return fProtocol; }
   const char        *GetRemoteHost() const { return fRemote; }
   Int_t              GetRSAKeyType() const { return fRSAKey; }
   TRootSecContext       *GetSecContext() const { return fSecContext; }
   TSocket           *GetSocket() const { return fSocket; }
   const char        *GetUser() const { return fUser; }
   Int_t              HasTimedOut() const { return fTimeOut; }
   void               SetRSAKeyType(Int_t key) { fRSAKey = key; }
   void               SetSecContext(TRootSecContext *ctx) { fSecContext = ctx; }

   // Reports an error for location 'where'; fgLastError records the last
   // code passed here.
   static void        AuthError(const char *where, Int_t error);

   // Decodes an exported public key (presumably the text form produced by
   // GetRSAPubExport()) into its modulus/exponent; rsassl, when non-null,
   // receives an additional representation whose ownership is not visible here.
   static Int_t       DecodeRSAPublic(const char *rsapubexport, R__rsa_NUMBER &n,
                                      R__rsa_NUMBER &d, char **rsassl = nullptr);

   static TList      *GetAuthInfo();
   static const char *GetAuthMethod(Int_t idx);
   static Int_t       GetAuthMethodIdx(const char *meth);
   static Bool_t      GetAuthReUse();
   static Int_t       GetClientProtocol();
   // Returns a new char*; ownership is not visible here - confirm whether the
   // caller must free it.
   static char       *GetDefaultDetails(Int_t method, Int_t opt, const char *user);
   static const char *GetDefaultUser();
   static TDatime     GetGlobalExpDate();
   static Bool_t      GetGlobalPwHash();
   static Bool_t      GetGlobalSRPPwd();
   static const char *GetGlobalUser();
   static GlobusAuth_t GetGlobusAuthHook();
   static THostAuth  *GetHostAuth(const char *host, const char *user="",
                                  Option_t *opt = "R", Int_t *Exact = nullptr);
   static const char *GetKrb5Principal();
   static Bool_t      GetPromptUser();
   static Int_t       GetRSAInit();
   // 'key' selects one of the two fgRSAPubExport entries; no range check is
   // visible in this header - verify the .cxx rejects values outside 0..1.
   static const char *GetRSAPubExport(Int_t key = 0);
   static THostAuth  *HasHostAuth(const char *host, const char *user,
                                  Option_t *opt = "R");
   static void        InitRandom();
   static void        MergeHostAuthList(TList *Std, TList *New, Option_t *Opt = "");
   // Both return a new char*; ownership is not visible here - the caller
   // presumably frees it, confirm in the .cxx.
   static char       *PromptPasswd(const char *prompt = "Password: ");
   static char       *PromptUser(const char *remote);
   // Reads the rootauthrc-style configuration (fgRootAuthrc; $HOME/.rootauthrc
   // when fgReadHomeAuthrc is set) and refreshes fgLastAuthrc.
   static Int_t       ReadRootAuthrc();
   static void        RemoveHostAuth(THostAuth *ha, Option_t *opt = "");
   // Encrypted transport helpers: 'dec'/'enc' and KeyType presumably select
   // the cipher; *Out is filled by SecureRecv - who frees it is not visible
   // here, confirm in the .cxx.
   static Int_t       SecureRecv(TSocket *Socket, Int_t dec,
                                 Int_t KeyType, char **Out);
   static Int_t       SecureSend(TSocket *Socket, Int_t enc,
                                 Int_t KeyType, const char *In);
   // Same 'key' indexing and range-check caveat as GetRSAPubExport().
   static Int_t       SendRSAPublicKey(TSocket *Socket, Int_t key = 0);
   static void        SetAuthReUse(Bool_t authreuse);
   static void        SetDefaultUser(const char *defaultuser);
   static void        SetGlobalExpDate(TDatime expdate);
   // Presumably stores into fgPasswd: process-wide and cleartext unless
   // SetGlobalPwHash(kTRUE) is also called.
   static void        SetGlobalPasswd(const char *passwd);
   static void        SetGlobalPwHash(Bool_t pwhash);
   static void        SetGlobalSRPPwd(Bool_t srppwd);
   static void        SetGlobalUser(const char *user);
   static void        SetGlobusAuthHook(GlobusAuth_t func);
   static void        SetKrb5AuthHook(Krb5Auth_t func);
   static void        SetPromptUser(Bool_t promptuser);
   static void        SetDefaultRSAKeyType(Int_t key);
   static void        SetRSAInit(Int_t init = 1);
   // Installs a public key from its exported form; klen is presumably the
   // length of rsapubexport - confirm how it is bounded in the .cxx.
   static Int_t       SetRSAPublic(const char *rsapubexport, Int_t klen);
   static void        SetSecureAuthHook(SecureAuth_t func);
   // Presumably sets fgAuthTO (if > 0, timeout in sec).
   static void        SetTimeOut(Int_t to);
   static void        Show(Option_t *opt="S");

   // ROOT RTTI; class version 0 means the class is not streamed to files.
   ClassDefOverride(TAuthenticate,0)  // Class providing remote authentication service
};
0202 
0203 #endif