EIC code displayed by LXR |
|
|
|
|||
File indexing completed on 2025-01-30 10:27:56
0001 #ifndef __SEC_INTERFACE_H__ 0002 #define __SEC_INTERFACE_H__ 0003 /******************************************************************************/ 0004 /* */ 0005 /* X r d S e c I n t e r f a c e . h h */ 0006 /* */ 0007 /* (c) 2005 by the Board of Trustees of the Leland Stanford, Jr., University */ 0008 /* Produced by Andrew Hanushevsky for Stanford University under contract */ 0009 /* DE-AC02-76-SFO0515 with the Department of Energy */ 0010 /* */ 0011 /* This file is part of the XRootD software suite. */ 0012 /* */ 0013 /* XRootD is free software: you can redistribute it and/or modify it under */ 0014 /* the terms of the GNU Lesser General Public License as published by the */ 0015 /* Free Software Foundation, either version 3 of the License, or (at your */ 0016 /* option) any later version. */ 0017 /* */ 0018 /* XRootD is distributed in the hope that it will be useful, but WITHOUT */ 0019 /* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or */ 0020 /* FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public */ 0021 /* License for more details. */ 0022 /* */ 0023 /* You should have received a copy of the GNU Lesser General Public License */ 0024 /* along with XRootD in a file called COPYING.LESSER (LGPL license) and file */ 0025 /* COPYING (GPL license). If not, see <http://www.gnu.org/licenses/>. */ 0026 /* */ 0027 /* The copyright holder's institutional names and contributor's names may not */ 0028 /* be used to endorse or promote products derived from this software without */ 0029 /* specific prior written permission of the institution or contributor. */ 0030 /******************************************************************************/ 0031 0032 #include <cerrno> 0033 #ifndef WIN32 0034 #include <sys/param.h> 0035 #endif 0036 #include <cstdlib> 0037 #include <cstdio> 0038 #include <cstring> 0039 0040 #include "XrdSec/XrdSecEntity.hh" 0041 0042 /******************************************************************************/ 0043 /* X r d S e c C r e d e n t i a l s & X r d S e c P a r a m e t e r s */ 0044 /******************************************************************************/ 0045 0046 //------------------------------------------------------------------------------ 0047 //! Generic structure to pass security information back and forth. 0048 //------------------------------------------------------------------------------ 0049 0050 struct XrdSecBuffer 0051 { 0052 int size; //!< Size of the buffer or length of data in the buffer 0053 char *buffer; //!< Pointer to the buffer 0054 0055 XrdSecBuffer(char *bp=0, int sz=0) : size(sz), buffer(bp), membuf(bp) {} 0056 ~XrdSecBuffer() {if (membuf) free(membuf);} 0057 0058 private: 0059 char *membuf; // Stable copy of the buffer address 0060 }; 0061 0062 //------------------------------------------------------------------------------ 0063 //! When the buffer is used for credentials, the start of the buffer always 0064 //! holds the credential protocol name (e.g., krb4) as a string. The client 0065 //! will get credentials and the size will be filled out so that the contents 0066 //! of buffer can be easily transmitted to the server. 0067 //------------------------------------------------------------------------------ 0068 0069 typedef XrdSecBuffer XrdSecCredentials; 0070 0071 //------------------------------------------------------------------------------ 0072 //! When the buffer is used for parameters, the contents must be interpreted 0073 //! in the context that it is used. For instance, the server will send the 0074 //! security configuration parameters on the initial login. The format differs 0075 //! from, say, the x.500 continuation paremeters that would be sent during 0076 //! PKI authentication via an "authmore" return status. 0077 //------------------------------------------------------------------------------ 0078 0079 typedef XrdSecBuffer XrdSecParameters; 0080 0081 /******************************************************************************/ 0082 /* X r d S e c P r o t o c o l */ 0083 /******************************************************************************/ 0084 /*! 0085 The XrdSecProtocol is used to generate authentication credentials and to 0086 authenticate those credentials. For example, When a server indicates 0087 that authentication is needed (i.e., it returns security parameters), the 0088 client must call XrdSecgetProtocol() to get an appropriate XrdSecProtocol 0089 (i.e., one specific to the authentication protocol that needs to be used). 0090 Then the client can use the first form getCredentials() to generate the 0091 appropriate identification information. On subsequent calls in response to 0092 "authmore" the client must use the second form, providing the additional 0093 parameters the the server sends. The server uses Authenticate() to verify 0094 the credentials. When XrdOucErrInfo is null (as it will usually be), error 0095 messages are routed to standard error. So, for example, a client would 0096 0097 1) Call XrdSecGetProtocol() to get an appropriate XrdSecProtocol 0098 (i.e., one specific to the authentication protocol that needs to be used). 0099 Note that successive calls to XrdSecGetProtocol() using the same 0100 XrdSecParameters will use the subsequent protocol named in the list of 0101 protocols that the server returned. Failure is indicated when the list 0102 is exhausted or none of the protocols apply (which exhausts the list). 0103 0104 2) Call getCredentials() without supplying any parameters so as to 0105 generate identification information and send them to the server. 0106 0107 3) If the server indicates "authmore", call getCredentials() supplying 0108 the additional parameters sent by the server. The returned credentials 0109 are then sent to the server using the "authneticate" request code. 0110 0111 4) Repeat step (3) as often as "authmore" is requested by the server. 0112 0113 The server uses Authenticate() to verify the credentials and getParms() 0114 to generate initial parameters to start the authentication process. 0115 0116 When XrdOucErrInfo is null (as it will usually be), error messages are 0117 are routed to standard error. 0118 0119 Server-side security is handled by the XrdSecService object and, while 0120 it uses XrdSecProtocol objects to perform authentication, the XrdSecService 0121 object is used to initialize the security environment and to generate 0122 the appropriate protocol objects at run-time. For an implementation, see 0123 XrdSecServer.hh and XrdSecServer.cc. 0124 0125 MT Requirements: Must be MT_Safe. 0126 */ 0127 0128 class XrdOucErrInfo; 0129 0130 class XrdSecProtocol 0131 { 0132 public: 0133 0134 //------------------------------------------------------------------------------ 0135 //! Structure holding the entity's identification. It is filled in by a 0136 //! successful call to Authenticate() (i.e. it returns 0). 0137 //------------------------------------------------------------------------------ 0138 0139 XrdSecEntity Entity; 0140 0141 //------------------------------------------------------------------------------ 0142 //! Authenticate a client. 0143 //! 0144 //! @param cred Credentials supplied by the client. 0145 //! @param parms Place where the address of additional authentication data is 0146 //! to be placed for another autrhentication handshake. 0147 //! @param einfo The error information object where error messages should be 0148 //! placed. The messages are returned to the client. Should einfo 0149 //! be null, messages should be written to stderr. 0150 //! 0151 //! @return > 0 -> parms present (more authentication needed) 0152 //! = 0 -> Entity present (authentication suceeded) 0153 //! < 0 -> einfo present (error has occurred) 0154 //------------------------------------------------------------------------------ 0155 0156 virtual int Authenticate (XrdSecCredentials *cred, 0157 XrdSecParameters **parms, 0158 XrdOucErrInfo *einfo=0)=0; 0159 0160 //------------------------------------------------------------------------------ 0161 //! Generate client credentials to be used in the authentication process. 0162 //! 0163 //! @param parm Pointer to the information returned by the server either in 0164 //! the initial login response or the authmore response. 0165 //! @param einfo The error information object where error messages should be 0166 //! placed. The messages are returned to the client. Should einfo 0167 //! be null, messages should be written to stderr. 0168 //! 0169 //! @return Success: Pointer to credentials to sent to the server. The caller 0170 //! is responsible for deleting the object. 0171 //! Failure: Null pointer with einfo, if supplied, containing the 0172 //! reason for the failure. 0173 //------------------------------------------------------------------------------ 0174 0175 virtual XrdSecCredentials *getCredentials(XrdSecParameters *parm=0, 0176 XrdOucErrInfo *einfo=0)=0; 0177 0178 //------------------------------------------------------------------------------ 0179 //! Encrypt data in inbuff using the session key. 0180 //! 0181 //! @param inbuff buffer holding data to be encrypted. 0182 //! @param inlen length of the data. 0183 //! @param outbuff place where a pointer to the encrypted data is placed. 0184 //! 0185 //! @return < 0 Failed, the return value is -errno of the reason. Typically, 0186 //! -EINVAL - one or more arguments are invalid. 0187 //! -NOTSUP - encryption not supported by the protocol 0188 //! -ENOENT - Context not innitialized 0189 //! = 0 Success, outbuff contains a pointer to the encrypted data. 0190 //! The caller is responsible for deleting the returned object. 0191 //------------------------------------------------------------------------------ 0192 0193 virtual int Encrypt(const char *inbuff, // Data to be encrypted 0194 int inlen, // Length of data in inbuff 0195 XrdSecBuffer **outbuff // Returns encrypted data 0196 ) 0197 { 0198 (void) inbuff; (void) inlen; (void) outbuff; 0199 return -ENOTSUP; 0200 } 0201 0202 //------------------------------------------------------------------------------ 0203 //! Decrypt data in inbuff using the session key. 0204 //! 0205 //! @param inbuff buffer holding data to be decrypted. 0206 //! @param inlen length of the data. 0207 //! @param outbuff place where a pointer to the decrypted data is placed. 0208 //! 0209 //! @return < 0 Failed,the return value is -errno (see Encrypt). 0210 //! = 0 Success, outbuff contains a pointer to the decrypted data. 0211 //! The caller is responsible for deleting the returned object. 0212 //------------------------------------------------------------------------------ 0213 0214 virtual int Decrypt(const char *inbuff, // Data to be decrypted 0215 int inlen, // Length of data in inbuff 0216 XrdSecBuffer **outbuff // Buffer for decrypted data 0217 ) 0218 { 0219 (void) inbuff; (void) inlen; (void) outbuff; 0220 return -ENOTSUP; 0221 } 0222 0223 //------------------------------------------------------------------------------ 0224 //! Sign data in inbuff using the session key. 0225 //! 0226 //! @param inbuff buffer holding data to be signed. 0227 //! @param inlen length of the data. 0228 //! @param outbuff place where a pointer to the signature is placed. 0229 //! 0230 //! @return < 0 Failed,the return value is -errno (see Encrypt). 0231 //! = 0 Success, outbuff contains a pointer to the signature. 0232 //! The caller is responsible for deleting the returned object. 0233 //------------------------------------------------------------------------------ 0234 0235 virtual int Sign(const char *inbuff, // Data to be signed 0236 int inlen, // Length of data in inbuff 0237 XrdSecBuffer **outbuff // Buffer for the signature 0238 ) 0239 { 0240 (void) inbuff; (void) inlen; (void) outbuff; 0241 return -ENOTSUP; 0242 } 0243 0244 //------------------------------------------------------------------------------ 0245 //! Verify a signature using the session key. 0246 //! 0247 //! @param inbuff buffer holding data to be verified. 0248 //! @param inlen length of the data. 0249 //! @param sigbuff pointer to the signature data. 0250 //! @param siglen length of the signature data. 0251 //! 0252 //! @return < 0 Failed,the return value is -errno (see Encrypt). 0253 //! = 0 Success, signature is correct. 0254 //! > 0 Failed to verify, signature does not match inbuff data. 0255 //------------------------------------------------------------------------------ 0256 0257 virtual int Verify(const char *inbuff, // Data to be decrypted 0258 int inlen, // Length of data in inbuff 0259 const char *sigbuff, // Buffer for signature 0260 int siglen) // Length if signature 0261 { 0262 (void) inbuff; (void) inlen; (void) sigbuff; (void) siglen; 0263 return -ENOTSUP; 0264 } 0265 0266 //------------------------------------------------------------------------------ 0267 //! Get the current encryption key (i.e. session key) 0268 //! 0269 //! @param buff buffer to hold the key, and may be null. 0270 //! @param size size of the buffer. 0271 //! 0272 //! @returns < 0 Failed, returned value if -errno (see Encrypt) 0273 //! >= 0 The size of the encyption key. The supplied buffer of length 0274 //! size hold the key. If the buffer address is supplied, the 0275 //! key is placed in the buffer. 0276 //! 0277 //------------------------------------------------------------------------------ 0278 0279 virtual int getKey(char *buff = 0, int size = 0) 0280 { 0281 (void) buff; (void) size; 0282 return -ENOTSUP; 0283 } 0284 0285 //------------------------------------------------------------------------------ 0286 //! Set the current encryption key 0287 //! 0288 //! @param buff buffer that holds the key. 0289 //! @param size size of the key. 0290 //! 0291 //! @returns: < 0 Failed, returned value if -errno (see Encrypt) 0292 //! = 0 The new key has been set. 0293 //------------------------------------------------------------------------------ 0294 0295 virtual int setKey(char *buff, int size) 0296 { 0297 (void) buff; (void) size; 0298 return -ENOTSUP; 0299 } 0300 0301 //------------------------------------------------------------------------------ 0302 //! Check if this protocol requires TLS to properly function. 0303 //------------------------------------------------------------------------------ 0304 0305 virtual bool needTLS() {return false;} 0306 0307 //------------------------------------------------------------------------------ 0308 //! Delete the protocol object. DO NOT use C++ delete() on this object. 0309 //------------------------------------------------------------------------------ 0310 0311 virtual void Delete()=0; // Normally does "delete this" 0312 0313 //------------------------------------------------------------------------------ 0314 //! Constructor 0315 //------------------------------------------------------------------------------ 0316 0317 XrdSecProtocol(const char *pName) : Entity(pName) {} 0318 protected: 0319 0320 //------------------------------------------------------------------------------ 0321 //! Destructor (prevents use of direct delete). 0322 //------------------------------------------------------------------------------ 0323 0324 virtual ~XrdSecProtocol() {} 0325 }; 0326 0327 /******************************************************************************/ 0328 /* P r o t o c o l N a m i n g C o n v e n t i o n s */ 0329 /******************************************************************************/ 0330 0331 /*! Each specific protocol resides in a shared library named "libXrdSec<p>.so" 0332 where <p> is the protocol identifier (e.g., krb5, gsi, etc). The library 0333 contains a class derived from the XrdSecProtocol object. The library must 0334 also contain a three extern "C" functions: 0335 1) XrdSecProtocol<p>Init() 0336 Called for one-time protocol ininitialization. 0337 2) XrdSecProtocol<p>Object() 0338 Called for protocol object instantiation. 0339 3) XrdSecProtocol<p>Object_ 0340 Inspected for the protocol object xrootd version number used in 0341 compilation; defined by the XrdVERSIONINFO macro (see later comments). 0342 */ 0343 0344 //------------------------------------------------------------------------------ 0345 //! Perform one-time initialization when the shared library containing the 0346 //! the protocol is loaded. 0347 //! 0348 //! @param who contains 'c' when called on the client side and 's' when 0349 //! called on the server side. 0350 //! @param parms when who == 'c' (client) the pointer is null. 0351 //! when who == 's' (server) argument points to any parameters 0352 //! specified in the config file with the seclib directive. If no 0353 //! parameters were specified, the pointer may be null. 0354 //! @param einfo The error information object where error messages should be 0355 //! placed. Should einfo be null, messages should be written to 0356 //! stderr. 0357 //! 0358 //! @return Success: The initial security token to be sent to the client during 0359 //! the login phase (i.e. authentication handshake). If no 0360 //! token need to be sent, a pointer to null string should be 0361 //! returned. However, if protocol needs TLS to properly 0362 //! authenticate, the token must start with "TLS:" immediately 0363 //! by the token to be sent to the client, if any. See the 0364 //! for more information TLS-based protocols. 0365 //! Failure: A null pointer with einfo, if supplied, holding the reason 0366 //! for the failure. 0367 //! 0368 //! Notes: 1) Function is called since in single-thread mode and need not be 0369 //! thread-safe (server-side only). 0370 //! 2) If the protocol is TLS based then, in addition to returning a 0371 //! "TLS:" prefixed token it should do two more things: 0372 //! a) Make sure that the connection is in fact using TLS. Simply 0373 //! invoke the endPoint argument as endPoint.isUsingTLS() and 0374 //! make sure it returns true. 0375 //! b) Override the virtual XrdSecProtocol::needTLS() method and 0376 //! return true (the default is to return false). 0377 //------------------------------------------------------------------------------ 0378 0379 /*! @code {.cpp} 0380 extern "C" char *XrdSecProtocol<p>Init (const char who, 0381 const char *parms, 0382 XrdOucErrInfo *einfo) {. . . .} 0383 @endcode 0384 */ 0385 0386 //------------------------------------------------------------------------------ 0387 //! Obtain an instance of a protocol object. 0388 //! 0389 //! @param who contains 'c' when called on the client side and 's' when 0390 //! called on the server side. 0391 //! @param hostname The client's host name or the IP address as text. An IP 0392 //! may be supplied if the host address is not resolvable. Use 0393 //! endPoint to get the hostname only if it's actually needed. 0394 //! @param endPoint the XrdNetAddrInfo object describing the end-point. When 0395 //! who == 'c' this is the client, otherwise it is the server. 0396 //! @param parms when who == 'c' (client) points to the parms sent by the 0397 //! server upon the initial handshake (see Init() above). 0398 //! when who == 's' (server) is null. 0399 //! @param einfo The error information object where error messages should be 0400 //! placed. Should einfo be null, messages should be written to 0401 //! stderr. 0402 //! 0403 //! @return Success: A pointer to the protocol object. 0404 //! Failure: A null pointer with einfo, if supplied, holding the reason 0405 //! for the failure. 0406 //! 0407 //! Notes 1) Warning! The protocol *must* allow both 'c' and 's' calls within 0408 //! the same execution context. This occurs when a server acts like 0409 //! a client. 0410 //! 2) This function must be thread-safe. 0411 //! 3) Additionally, you *should* declare the xrootd version you used 0412 //! to compile your plug-in using XrdVERSIONINFO where \<name\> is 0413 //! the 1- to 15-character unquoted name of your plugin. This is a 0414 //! mandatory requirement! 0415 //------------------------------------------------------------------------------ 0416 0417 /*! Example: 0418 0419 #include "XrdVersion.hh" 0420 XrdVERSIONINFO(XrdSecProtocol<p>Object,<name>); 0421 0422 extern "C" XrdSecProtocol *XrdSecProtocol<p>Object 0423 (const char who, 0424 const char *hostname, 0425 XrdnetAddrInfo &endPoint, 0426 const char *parms, 0427 XrdOucErrInfo *einfo 0428 ) {. . .} 0429 */ 0430 0431 /******************************************************************************/ 0432 /* P r o t o c o l O b j e c t M a n a g e m e n t */ 0433 /******************************************************************************/ 0434 0435 //! The following extern "C" functions provide protocol object management. That 0436 //! is, coordinating the use of the right authentication protocol between the 0437 //! client and server. The default implementation may be replaced via a plugin. 0438 0439 /******************************************************************************/ 0440 /* X r d S e c G e t P r o t o c o l */ 0441 /* */ 0442 /* C l i e n t S i d e U S e O n l y */ 0443 /******************************************************************************/ 0444 0445 //------------------------------------------------------------------------------ 0446 //! Create a client security context and get a supported XrdSecProtocol object 0447 //! for one of the protocols suggested by the server and possibly based on the 0448 //! server's hostname or host address, as needed. 0449 //! 0450 //! @param hostname The client's host name or the IP address as text. An IP 0451 //! may be supplied if the host address is not resolvable. Use 0452 //! endPoint to get the hostname only if it's actually needed. 0453 //! @param endPoint the XrdNetAddrInfo object describing the server end-point. 0454 //! @param sectoken The security token supplied by the server. 0455 //! @param einfo The structure to record any error messages. These are 0456 //! normally sent to the client. If einfo is a null pointer, 0457 //! the messages should be sent to standard error. 0458 //! 0459 //! @return Success: Address of protocol object to be used for authentication. 0460 //! If cred was null, a host protocol object should be 0461 //! returned if so allowed. The object's delete method should 0462 //! be called to release the storage. 0463 //! Failure: Null, no protocol can be returned. The einfo parameter, 0464 //! if supplied, has the reason. 0465 //! 0466 //! Notes: 1) There should be one protocol object per physical TCP/IP 0467 //! connections. 0468 //! 2) When the connection is closed, the protocol's Delete() method 0469 //! should be called to properly delete the object. 0470 //! 3) The method and the returned object should be MT-safe. 0471 //! 4) When replacing the default implementation with a plug-in the 0472 //! extern "C" function below must exist in your shared library. 0473 //! 5) Additionally, you *should* declare the xrootd version you used 0474 //! to compile your plug-in using XrdVERSIONINFO where \<name\> is 0475 //! the 1- to 15-character unquoted name of your plugin. This is a 0476 //! mandatory requirement! 0477 //------------------------------------------------------------------------------ 0478 0479 //------------------------------------------------------------------------------ 0480 //! Typedef to simplify the encoding of methods returning XrdSecProtocol. 0481 //------------------------------------------------------------------------------ 0482 0483 typedef XrdSecProtocol *(*XrdSecGetProt_t)(const char *hostname, 0484 XrdNetAddrInfo &endPoint, 0485 XrdSecParameters §oken, 0486 XrdOucErrInfo *einfo); 0487 0488 /*! Example: 0489 0490 #include "XrdVersion.hh" 0491 XrdVERSIONINFO(XrdSecGetProtocol,<name>); 0492 0493 extern "C" XrdSecProtocol *XrdSecGetProtocol 0494 (const char *hostname, 0495 XrdNetAddrInfo &endPoint, 0496 XrdSecParameters §oken, 0497 XrdOucErrInfo *einfo=0) 0498 {....} 0499 */ 0500 0501 /******************************************************************************/ 0502 /* X r d S e c G e t P r o t e c t i o n */ 0503 /* */ 0504 /* C l i e n t S i d e U s e O n l y */ 0505 /******************************************************************************/ 0506 0507 /*! The XrdSecGetProtection function returns a protection object to secure 0508 an XRootD request stream from injection attacks. An object is returned 0509 when the response to kXR_protocol request indicates that the server 0510 requires that the client secure the connection. This protection is based 0511 on the authentication method used. Therefore, authentication must occur 0512 before a protection object can be obtained. Usually, a protection object 0513 is requested right after authentication. The function description is 0514 0515 @param rc Where an error return code is to be placed. 0516 @param aprot Uses the authentication protocol to protect requests. It 0517 must be supplied and must be he protocol the client used 0518 for authentication. Hence, authentication must occur first. 0519 @param presp The protocol value returned in response to kXR_protocol. 0520 The value must be host byte order. 0521 0522 @return >0 pointer to the protect object placed in protP. 0523 @return =0 No protection is needed, protP set to zero. 0524 @return <0 An error occurred getting the protection object the 0525 return value is -errno and protP has been set to zero. 0526 0527 Simply declare the following in the place where this is called: 0528 0529 extern int XrdSecGetProtection(XrdSecProtect *&protP, 0530 XrdSecProtocol &aprot, 0531 kXR_int32 presp); 0532 */ 0533 0534 /******************************************************************************/ 0535 /* X r d S e c S e r v i c e */ 0536 /* */ 0537 /* S e r v e r S i d e U s e O n l y */ 0538 /******************************************************************************/ 0539 0540 /*! The XrdSecService object is the the object that the server uses to obtain 0541 parameters to be passed to the client on initial contact and to create the 0542 appropriate protocol on the initial receipt of the client's credentials. 0543 Server-side processing is a bit more complicated because the set of valid 0544 protocols needs to be configured and that configuration needs to be supplied 0545 to the client so that both can agree on a compatible protocol. This object 0546 is created via a call to XrdSecgetService, defined later on. You may replace 0547 the default implementation by defining a plugin via the seclib directive. 0548 0549 Warning: The XrdSecService object as well as any objects returned by it 0550 should be MT-safe. 0551 */ 0552 0553 class XrdSecService 0554 { 0555 public: 0556 0557 //------------------------------------------------------------------------------ 0558 //! Obtain security parameters to be sent to the client upon initial contact. 0559 //! 0560 //! @param size Where the length of the return parameters are to be placed. 0561 //! @param endPoint The client's address information. It may also be a null 0562 //! pointer if the client's host is immaterial. 0563 //! 0564 //! @return EITHER The address of the parameter string (which may be 0565 //! host-specific if hname was supplied). The length of the 0566 //! string must be returned in size parameter. 0567 //! OR A null pointer if authentication need not occur for the 0568 //! client. The size parameter should be set to zero as well. 0569 //------------------------------------------------------------------------------ 0570 0571 virtual const char *getParms(int &size, XrdNetAddrInfo *endPoint=0) = 0; 0572 0573 //------------------------------------------------------------------------------ 0574 //! Obtain a protocol object suitable for authentication based on cred and 0575 //! possibly based on the hostname or host address, as needed. 0576 //! 0577 //! @param host The client's host name or the IP address as text. An IP 0578 //! may be supplied if the host address is not resolvable or 0579 //! resolution has been suppressed (i.e. nodnr). Use endPoint 0580 //! to get the hostname if it's actually needed. 0581 //! @param endPoint the XrdNetAddrInfo object describing the client end-point. 0582 //! @param cred The initial credentials supplied by the client, the pointer 0583 //! may be null if the client did not supply credentials. 0584 //! @param einfo The structure to record any error messages. These are 0585 //! normally sent to the client. 0586 //! 0587 //! @return Success: Address of protocol object to be used for authentication. 0588 //! If cred was null, a host protocol object shouldpo be 0589 //! returned if so allowed. 0590 //! Failure: Null, no protocol can be returned. The einfo parameter, 0591 //! if supplied, has the reason. 0592 //------------------------------------------------------------------------------ 0593 0594 virtual XrdSecProtocol *getProtocol(const char *host, // In 0595 XrdNetAddrInfo &endPoint,// In 0596 const XrdSecCredentials *cred, // In 0597 XrdOucErrInfo &einfo)=0;// Out 0598 0599 //------------------------------------------------------------------------------ 0600 //! Post process a fully authenticated XrdSecEntity object. 0601 //! 0602 //! @param entity The fully authenticated entity object. 0603 //! @param einfo The structure to record any error messages. These are 0604 //! normally sent to the client. If einfo is a null pointer, 0605 //! the messages should be sent to standard error via an 0606 //! XrdSysError object using the supplied XrdSysLogger when the 0607 //! the plugin was initialized. 0608 //! @return Success: True should be returned. 0609 //! Failure: False should be returned and the einfo object should hold 0610 //! the reason. In this case the authentication fails. 0611 //------------------------------------------------------------------------------ 0612 0613 virtual bool PostProcess(XrdSecEntity &entity, 0614 XrdOucErrInfo &einfo) {return true;} 0615 0616 //------------------------------------------------------------------------------ 0617 //! Get a list of authentication protocols that require TLS. 0618 //! 0619 //! @return Pointer to a list of protocols that require TLS or a nil if none. 0620 //------------------------------------------------------------------------------ 0621 0622 virtual const char *protTLS()=0; 0623 0624 //------------------------------------------------------------------------------ 0625 //! Constructor 0626 //------------------------------------------------------------------------------ 0627 0628 XrdSecService() {} 0629 0630 //------------------------------------------------------------------------------ 0631 //! Destructor 0632 //------------------------------------------------------------------------------ 0633 0634 virtual ~XrdSecService() {} 0635 }; 0636 0637 /******************************************************************************/ 0638 /* X r d g e t S e c S e r v i c e */ 0639 /******************************************************************************/ 0640 0641 //------------------------------------------------------------------------------ 0642 //! Create a server's security context and get an XrdSecService object. 0643 //! 0644 //! @param lp The logging object that should be associated with an 0645 //! XrdSysError object to route messages. 0646 //! @param cfn The configuration file name. 0647 //! 0648 //! @return Success: Pointer to the XrdSecService object. This object is never 0649 //! deleted by the server. 0650 //! Failure: Null pointer which causes initialization to fail. 0651 //! 0652 //! Notes: 1) The XrdSecSgetService function is called once during server 0653 //! initialization. So, it need not be thread safe. 0654 //! 2) If you choose to replace the default implementation with your 0655 //! own plugin, the extern "C" function below must be defined in 0656 //! your plugin shared library. 0657 //! 3) Additionally, you *should* declare the xrootd version you used 0658 //! to compile your plug-in using XrdVERSIONINFO where \<name\> is 0659 //! the 1- to 15-character unquoted name of your plugin. This is a 0660 //! mandatory requirement! 0661 //------------------------------------------------------------------------------ 0662 0663 0664 //------------------------------------------------------------------------------ 0665 //! Typedef to simplify the encoding of methods returning XrdSecService. 0666 //------------------------------------------------------------------------------ 0667 0668 class XrdSysLogger; 0669 typedef XrdSecService *(*XrdSecGetServ_t)(XrdSysLogger *, const char *); 0670 0671 /*! Example: 0672 0673 #include "XrdVersion.hh" 0674 XrdVERSIONINFO(XrdSecgetService,<name>); 0675 0676 extern "C" XrdSecService *XrdSecgetService(XrdSysLogger *lp, const char *cfn) 0677 */ 0678 #endif
| [ Source navigation ] | [ Diff markup ] | [ Identifier search ] | [ general search ] |
|
This page was automatically generated by the 2.3.7 LXR engine. The LXR team |
|