// ----------------------------------------------------------------------
// File: BoundIdentityProvider.hh
// Author: Georgios Bitzes - CERN
// ----------------------------------------------------------------------
/************************************************************************
* EOS - the CERN Disk Storage System *
* Copyright (C) 2011 CERN/Switzerland *
* *
* This program is free software: you can redistribute it and/or modify *
* it under the terms of the GNU General Public License as published by *
* the Free Software Foundation, either version 3 of the License, or *
* (at your option) any later version. *
* *
* This program is distributed in the hope that it will be useful, *
* but WITHOUT ANY WARRANTY; without even the implied warranty of *
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the *
* GNU General Public License for more details. *
* *
* You should have received a copy of the GNU General Public License *
* along with this program. If not, see <http://www.gnu.org/licenses/>.*
************************************************************************/
#ifndef __BOUND_IDENTITY_PROVIDER__HH__
#define __BOUND_IDENTITY_PROVIDER__HH__
#include "JailIdentifier.hh"
#include "UnixAuthenticator.hh"
#include "CredentialCache.hh"
#include "CredentialFinder.hh"
#include "ProcessInfo.hh"
#include "SecurityChecker.hh"
#include "EnvironmentReader.hh"
#include
#include
#include
class SecurityChecker;
class EnvironmentReader;
class CredentialValidator;
class LogbookScope;
//------------------------------------------------------------------------------
// BoundIdentityProvider: turns the various credential sources a calling
// process may expose (its environment variables, well-known default paths,
// the global eosfusebind binding, or plain unix uid/gid as a last resort)
// into a BoundIdentity, i.e. an identity bound to an XRootD connection.
//
// Every lookup method returns a shared_ptr that is nullptr when no identity
// could be produced, except unixAuth, which is documented as always
// succeeding. Common parameters:
//   jail      - the caller's mount-namespace / jail, used to resolve paths
//               relative to the right root (assumption from JailInformation;
//               confirm in the .cc)
//   uid, gid  - the unix identity of the requesting process; the credentials
//               found must be usable by this identity (SecurityChecker is
//               presumably what enforces ownership/permission checks)
//   reconnect - NOTE(review): looks like "force a fresh connection instead
//               of re-using a cached one" -- confirm in the .cc
//   scope     - logbook scope for diagnostics of the lookup
//
// NOTE(review): the template arguments on std::shared_ptr and std::atomic,
// and the targets of the three trailing #include lines, were lost in
// extraction. From the comments the return type is almost certainly
// std::shared_ptr<BoundIdentity>; verify against the original header.
//
// Security note: everything read from the environment or from user-writable
// paths is attacker-controlled input from the point of view of this class;
// the comment on userCredsToBoundIdentity makes that explicit. No locking is
// visible in this header, so thread-safety of the mutable members
// (credConfig, credentialCache) depends on the .cc or on the callers.
//------------------------------------------------------------------------------
class BoundIdentityProvider
{
public:
//----------------------------------------------------------------------------
// Constructor.
//
// checker   - performs security checks on credential files (ownership,
//             permissions); no member of this type is declared below, so it
//             is presumably handed on to a member such as credentialCache or
//             unixAuthenticator -- confirm in the .cc.
// reader    - reads the environment of other processes (stored as
//             environmentReader).
// validator - validates credentials before binding (stored as validator).
//
// All three are held by reference; they must outlive this object.
//----------------------------------------------------------------------------
BoundIdentityProvider(SecurityChecker& checker, EnvironmentReader& reader,
CredentialValidator& validator);
//----------------------------------------------------------------------------
// Destructor. Intentionally empty: all members clean up via RAII.
// NOTE(review): could be written as "= default" with identical behaviour.
//----------------------------------------------------------------------------
~BoundIdentityProvider()
{
}
//----------------------------------------------------------------------------
// Attempt to produce a BoundIdentity object out of given environment
// variables. If not possible, return nullptr.
//
// env      - the (already captured) environment to inspect; the values are
//            untrusted, user-controlled input.
// skip_sss - when true, SSS-based environment variables are presumably not
//            considered (see sssEnvToBoundIdentity) -- confirm in the .cc.
//----------------------------------------------------------------------------
std::shared_ptr environmentToBoundIdentity(
const JailInformation& jail, const Environment& env, uid_t uid,
gid_t gid, bool reconnect, LogbookScope& scope, bool skip_sss = false);
//----------------------------------------------------------------------------
// Attempt to produce a BoundIdentity object out of environment variables
// of the given PID. If not possible, return nullptr.
//
// Unlike the other lookups, env is taken by non-const reference: it looks
// like an out-parameter that receives the environment read for pid, so the
// caller can re-use it (e.g. for the default-path / global-binding fallbacks
// below) -- confirm in the .cc.
//----------------------------------------------------------------------------
std::shared_ptr pidEnvironmentToBoundIdentity(
const JailInformation& jail, pid_t pid, uid_t uid, gid_t gid,
bool reconnect, LogbookScope& logbook, Environment& env);
//----------------------------------------------------------------------------
// Attempt to produce a BoundIdentity object out of default paths, such
// as /tmp/krb5cc_<uid>.
// If not possible, return nullptr.
//
// Default paths live in world-writable locations, so the ownership and
// permission checks performed before trusting such a file matter here.
//----------------------------------------------------------------------------
std::shared_ptr
defaultPathsToBoundIdentity(const JailInformation& jail, uid_t uid,
gid_t gid, bool reconnect, LogbookScope& scope, const Environment& env);
//----------------------------------------------------------------------------
// Attempt to produce a BoundIdentity object out of the global eosfusebind
// binding. If not possible, return nullptr.
//----------------------------------------------------------------------------
std::shared_ptr
globalBindingToBoundIdentity(const JailInformation& jail, uid_t uid,
gid_t gid, bool reconnect, LogbookScope& scope, const Environment& env);
//----------------------------------------------------------------------------
// Replace the credential configuration used by subsequent lookups.
//
// This is a plain copy-assignment with no synchronization visible in this
// header; if it can be called while other threads are performing lookups,
// the .cc (or the caller) must provide the locking.
//----------------------------------------------------------------------------
void setCredentialConfig(const CredentialConfig& conf)
{
credConfig = conf;
}
//----------------------------------------------------------------------------
// Check if the given BoundIdentity object is still valid.
//
// Returns true when the identity can still be used; callers should fall
// back to a fresh lookup when this returns false.
//----------------------------------------------------------------------------
bool checkValidity(const JailInformation& jail,
const BoundIdentity& identity);
//----------------------------------------------------------------------------
// Fallback to unix authentication. Guaranteed to always return a valid
// BoundIdentity object. (whether this is accepted by the server is another
// matter)
//
// The identity is derived only from the caller's uid/gid, so it carries no
// secret; the server decides whether to trust it.
//----------------------------------------------------------------------------
std::shared_ptr unixAuth(pid_t pid, uid_t uid, gid_t gid,
bool reconnect, LogbookScope& scope, const Environment& env);
private:
// Reads the environment of other processes (set by the constructor).
EnvironmentReader& environmentReader;
// Validates user-supplied credentials before they are bound.
CredentialValidator& validator;
// Produces the unix (uid/gid) fallback identities for unixAuth.
UnixAuthenticator unixAuthenticator;
// Current credential configuration; replaced by setCredentialConfig.
CredentialConfig credConfig;
// Cache of already-bound identities, consulted before opening new
// connections (assumption from the name and from the comment on
// userCredsToBoundIdentity; confirm in the .cc).
CredentialCache credentialCache;
//----------------------------------------------------------------------------
// Process-wide XrdSecsssID registry, created on first use in dynamic mode.
//
// The registry is allocated with new and never deleted: it is intentionally
// leaked so it outlives every static that might still use it during
// shutdown (presumably to avoid static-destruction-order problems). The
// function-local static guarantees thread-safe, once-only initialization.
//----------------------------------------------------------------------------
static XrdSecsssID& XrdSecsssIDInstance()
{
static XrdSecsssID* sssRegistry = new XrdSecsssID(XrdSecsssID::idDynamic);
return *sssRegistry;
}
//----------------------------------------------------------------------------
// Attempt to produce a BoundIdentity object out of KRB5 environment
// variables. NO fallback to default paths. If not possible, return nullptr.
//----------------------------------------------------------------------------
std::shared_ptr krb5EnvToBoundIdentity(
const JailInformation& jail, const Environment& env, uid_t uid, gid_t gid,
bool reconnect, LogbookScope& scope);
//----------------------------------------------------------------------------
// Attempt to produce a BoundIdentity object out of X509 environment
// variables. NO fallback to default paths. If not possible, return nullptr.
//----------------------------------------------------------------------------
std::shared_ptr x509EnvToBoundIdentity(
const JailInformation& jail, const Environment& env, uid_t uid, gid_t gid,
bool reconnect, LogbookScope& scope);
//----------------------------------------------------------------------------
// Attempt to produce a BoundIdentity object out of ZTN environment
// variables. NO fallback to default paths. If not possible, return nullptr.
//----------------------------------------------------------------------------
std::shared_ptr ztnEnvToBoundIdentity(
const JailInformation& jail, const Environment& env, uid_t uid, gid_t gid,
bool reconnect, LogbookScope& scope);
//----------------------------------------------------------------------------
// Attempt to produce a BoundIdentity object out of SSS environment
// variables. If not possible, return nullptr.
//
// Skipped by environmentToBoundIdentity when skip_sss is set (assumption
// from the parameter name; confirm in the .cc).
//----------------------------------------------------------------------------
std::shared_ptr sssEnvToBoundIdentity(
const JailInformation& jail, const Environment& env, uid_t uid, gid_t gid,
bool reconnect, LogbookScope& scope);
//----------------------------------------------------------------------------
// Attempt to produce a BoundIdentity object out of OAUTH2 environment
// variables. If not possible, return nullptr.
//----------------------------------------------------------------------------
std::shared_ptr oauth2EnvToBoundIdentity(
const JailInformation& jail, const Environment& env, uid_t uid, gid_t gid,
bool reconnect, LogbookScope& scope);
//----------------------------------------------------------------------------
// Given a set of user-provided, non-trusted UserCredentials, attempt to
// translate them into a BoundIdentity object. (either by allocating a new
// connection, or re-using a cached one)
//
// If such a thing is not possible, return nullptr.
//
// This is the trust boundary of the class: every *EnvToBoundIdentity helper
// above only locates credentials, and this is where they are validated
// (via validator) and cached (via credentialCache) -- assumption from the
// member names; confirm in the .cc.
//----------------------------------------------------------------------------
std::shared_ptr userCredsToBoundIdentity(
const JailInformation& jail, const UserCredentials& creds, bool reconnect,
LogbookScope& scope);
//----------------------------------------------------------------------------
// Register SSS credentials with the process-wide XrdSecsssID registry
// (see XrdSecsssIDInstance).
//----------------------------------------------------------------------------
void registerSSS(const BoundIdentity& bdi);
// Monotonic counter, starting at 1, presumably used to give each newly
// allocated connection a unique id; atomic so it can be bumped from several
// threads without a lock -- confirm its use in the .cc.
std::atomic connectionCounter{1};
};
#endif