xrootd
Loading...
Searching...
No Matches
Classes | Typedefs
XrdSecInterface.hh File Reference
#include <cerrno>
#include <sys/param.h>
#include <cstdlib>
#include <cstdio>
#include <cstring>
#include "XrdSec/XrdSecEntity.hh"
Include dependency graph for XrdSecInterface.hh:
This graph shows which files directly or indirectly include this file:

Go to the source code of this file.

Classes

struct  XrdSecBuffer
 Generic structure to pass security information back and forth. More...
 
class  XrdSecProtocol
 
class  XrdSecService
 

Typedefs

typedef XrdSecBuffer XrdSecCredentials
 
typedef XrdSecBuffer XrdSecParameters
 
typedef XrdSecProtocol *(* XrdSecGetProt_t) (const char *hostname, XrdNetAddrInfo &endPoint, XrdSecParameters &sectoken, XrdOucErrInfo *einfo)
 Typedef to simplify the encoding of methods returning XrdSecProtocol.
 
typedef XrdSecService *(* XrdSecGetServ_t) (XrdSysLogger *, const char *)
 

Typedef Documentation

◆ XrdSecCredentials

typedef XrdSecBuffer XrdSecCredentials

When the buffer is used for credentials, the start of the buffer always holds the credential protocol name (e.g., krb4) as a string. The client will get credentials and the size will be filled out so that the contents of buffer can be easily transmitted to the server.

◆ XrdSecGetProt_t

typedef XrdSecProtocol *(* XrdSecGetProt_t) (const char *hostname, XrdNetAddrInfo &endPoint, XrdSecParameters &sectoken, XrdOucErrInfo *einfo)

Typedef to simplify the encoding of methods returning XrdSecProtocol.

Each specific protocol resides in a shared library named "libXrdSec<p>.so" where

is the protocol identifier (e.g., krb5, gsi, etc). The library contains a class derived from the XrdSecProtocol object. The library must also contain a three extern "C" functions: 1) XrdSecProtocol

Init() Called for one-time protocol ininitialization. 2) XrdSecProtocol

Object() Called for protocol object instantiation. 3) XrdSecProtocol

Object_ Inspected for the protocol object xrootd version number used in compilation; defined by the XrdVERSIONINFO macro (see later comments). Perform one-time initialization when the shared library containing the the protocol is loaded.

Parameters
whocontains 'c' when called on the client side and 's' when called on the server side.
parmswhen who == 'c' (client) the pointer is null. when who == 's' (server) argument points to any parameters specified in the config file with the seclib directive. If no parameters were specified, the pointer may be null.
einfoThe error information object where error messages should be placed. Should einfo be null, messages should be written to stderr.
Returns
Success: The initial security token to be sent to the client during the login phase (i.e. authentication handshake). If no token need to be sent, a pointer to null string should be returned. However, if protocol needs TLS to properly authenticate, the token must start with "TLS:" immediately by the token to be sent to the client, if any. See the for more information TLS-based protocols. Failure: A null pointer with einfo, if supplied, holding the reason for the failure.

Notes: 1) Function is called since in single-thread mode and need not be thread-safe (server-side only). 2) If the protocol is TLS based then, in addition to returning a "TLS:" prefixed token it should do two more things: a) Make sure that the connection is in fact using TLS. Simply invoke the endPoint argument as endPoint.isUsingTLS() and make sure it returns true. b) Override the virtual XrdSecProtocol::needTLS() method and return true (the default is to return false).

extern "C" char *XrdSecProtocol<p>Init (const char who,
const char *parms,
XrdOucErrInfo *einfo) {. . . .}
XrdOucErrInfo
Definition XrdOucErrInfo.hh:101
XrdSecProtocol
Definition XrdSecInterface.hh:131

Obtain an instance of a protocol object.

Parameters
whocontains 'c' when called on the client side and 's' when called on the server side.
hostnameThe client's host name or the IP address as text. An IP may be supplied if the host address is not resolvable. Use endPoint to get the hostname only if it's actually needed.
endPointthe XrdNetAddrInfo object describing the end-point. When who == 'c' this is the client, otherwise it is the server.
parmswhen who == 'c' (client) points to the parms sent by the server upon the initial handshake (see Init() above). when who == 's' (server) is null.
einfoThe error information object where error messages should be placed. Should einfo be null, messages should be written to stderr.
Returns
Success: A pointer to the protocol object. Failure: A null pointer with einfo, if supplied, holding the reason for the failure.

Notes 1) Warning! The protocol must allow both 'c' and 's' calls within the same execution context. This occurs when a server acts like a client. 2) This function must be thread-safe. 3) Additionally, you should declare the xrootd version you used to compile your plug-in using XrdVERSIONINFO where <name> is the 1- to 15-character unquoted name of your plugin. This is a mandatory requirement!

Example: 

#include "XrdVersion.hh"
XrdVERSIONINFO(XrdSecProtocol<p>Object,<name>);

extern "C" XrdSecProtocol *XrdSecProtocol<p>Object
                                      (const char              who,
                                       const char             *hostname,
                                             XrdnetAddrInfo   &endPoint,
                                       const char             *parms,
                                             XrdOucErrInfo    *einfo
                                      ) {. . .}

The following extern "C" functions provide protocol object management. That is, coordinating the use of the right authentication protocol between the client and server. The default implementation may be replaced via a plugin. Create a client security context and get a supported XrdSecProtocol object for one of the protocols suggested by the server and possibly based on the server's hostname or host address, as needed.

Parameters
hostnameThe client's host name or the IP address as text. An IP may be supplied if the host address is not resolvable. Use endPoint to get the hostname only if it's actually needed.
endPointthe XrdNetAddrInfo object describing the server end-point.
sectokenThe security token supplied by the server.
einfoThe structure to record any error messages. These are normally sent to the client. If einfo is a null pointer, the messages should be sent to standard error.
Returns
Success: Address of protocol object to be used for authentication. If cred was null, a host protocol object should be returned if so allowed. The object's delete method should be called to release the storage. Failure: Null, no protocol can be returned. The einfo parameter, if supplied, has the reason.

Notes: 1) There should be one protocol object per physical TCP/IP connections. 2) When the connection is closed, the protocol's Delete() method should be called to properly delete the object. 3) The method and the returned object should be MT-safe. 4) When replacing the default implementation with a plug-in the extern "C" function below must exist in your shared library. 5) Additionally, you should declare the xrootd version you used to compile your plug-in using XrdVERSIONINFO where <name> is the 1- to 15-character unquoted name of your plugin. This is a mandatory requirement!

◆ XrdSecGetServ_t

typedef XrdSecService *(* XrdSecGetServ_t) (XrdSysLogger *, const char *)

◆ XrdSecParameters

typedef XrdSecBuffer XrdSecParameters

When the buffer is used for parameters, the contents must be interpreted in the context that it is used. For instance, the server will send the security configuration parameters on the initial login. The format differs from, say, the x.500 continuation paremeters that would be sent during PKI authentication via an "authmore" return status.

Generated by doxygen 1.9.8