Back to index

nordugrid-arc-nox  1.1.0~rc6
Public Member Functions | Protected Member Functions | Static Protected Member Functions | Protected Attributes | Static Protected Attributes
Arc::MCC_TLS_Service Class Reference

This MCC implements TLS server side functionality. More...

#include <MCCTLS.h>

Inheritance diagram for Arc::MCC_TLS_Service:
Inheritance graph
Collaboration diagram for Arc::MCC_TLS_Service:
Collaboration graph

List of all members.

Public Member Functions

 MCC_TLS_Service (Config &cfg)
virtual ~MCC_TLS_Service (void)
virtual MCC_Status process (Message &, Message &)
 Dummy Message processing method.
virtual void Next (MCCInterface *next, const std::string &label="")
 Add reference to next MCC in chain.
virtual void AddSecHandler (Config *cfg, ArcSec::SecHandler *sechandler, const std::string &label="")
 Add security components/handlers to this MCC.
virtual void Unlink ()
 Removing all links.

Protected Member Functions

MCCInterfaceNext (const std::string &label="")
bool ProcessSecHandlers (Message &message, const std::string &label="") const
 Executes security handlers of specified queue.

Static Protected Member Functions

static void ssl_locking_cb (int mode, int n, const char *file, int line)
static unsigned long ssl_id_cb (void)

Protected Attributes

ConfigTLSMCC config_
std::map< std::string,
MCCInterface * > 
 Set of labeled "next" components.
std::map< std::string,
std::list< ArcSec::SecHandler * > > 
 Set of labeled authentication and authorization handlers.

Static Protected Attributes

static unsigned int ssl_initialized_
static Glib::Mutex lock_
static Glib::Mutex * ssl_locks_
static int ssl_locks_num_
static Logger logger
 A logger for MCCs.

Detailed Description

This MCC implements TLS server side functionality.

Upon creation this object creats SSL_CTX object and configures SSL_CTX object with some environment information about credential. Because we cannot know the "socket" when the creation of MCC_TLS_Service/MCC_TLS_Client object (not like MCC_TCP_Client, which can creat socket in the constructor method by using information in configuration file), we can only creat "ssl" object which is binded to specified "socket", when MCC_HTTP_Client calls the process() method of MCC_TLS_Client object, or MCC_TCP_Service calls the process() method of MCC_TLS_Service object. The "ssl" object is embeded in a payload called PayloadTLSSocket.

The process() method of MCC_TLS_Service is passed payload implementing PayloadStreamInterface and the method returns empty PayloadRaw payload in "outmsg". The ssl object is created and bound to Stream payload when constructing the PayloadTLSSocket in the process() method.

During processing of message this MCC generates attribute TLS:PEERDN which contains Distinguished Name of remoote peer.

Definition at line 49 of file MCCTLS.h.

Constructor & Destructor Documentation

Definition at line 312 of file MCCTLS.cpp.

                                           :MCC_TLS(cfg,false) {
   if(!OpenSSLInit()) return;

Here is the call graph for this function:

MCC_TLS_Service::~MCC_TLS_Service ( void  ) [virtual]

Definition at line 316 of file MCCTLS.cpp.

   // SSL deinit not needed

Member Function Documentation

void Arc::MCC::AddSecHandler ( Config cfg,
ArcSec::SecHandler sechandler,
const std::string &  label = "" 
) [virtual, inherited]

Add security components/handlers to this MCC.

Security handlers are stacked into a few queues with each queue identified by its label. The queue labelled 'incoming' is executed for every 'request' message after the message is processed by the MCC on the service side and before processing on the client side. The queue labelled 'outgoing' is run for response message before it is processed by MCC algorithms on the service side and after processing on the client side. Those labels are just a matter of agreement and some MCCs may implement different queues executed at various message processing steps.

Definition at line 35 of file MCC.cpp.

    if (sechandler) {
      // need polishing to put the SecHandlerFactory->getinstance here
      XMLNode cn = (*cfg)["SecHandler"];
      Config cfg_(cn);

Here is the caller graph for this function:

MCCInterface * Arc::MCC::Next ( const std::string &  label = "") [protected, inherited]

Definition at line 22 of file MCC.cpp.

    std::map<std::string, MCCInterface *>::iterator n = next_.find(label);
    if (n == next_.end())
      return NULL;
    return n->second;

Here is the caller graph for this function:

void Arc::MCC::Next ( MCCInterface next,
const std::string &  label = "" 
) [virtual, inherited]

Add reference to next MCC in chain.

This method is called by Loader for every potentially labeled link to next component which implements MCCInterface. If next is NULL corresponding link is removed.

Reimplemented in Arc::MCC_TLS_Client, Arc::Plexer, and Arc::MCC_GSI_Client.

Definition at line 15 of file MCC.cpp.

    if (next == NULL)
      next_[label] = next;
MCC_Status MCC_TLS_Service::process ( Message ,
) [virtual]

Dummy Message processing method.

Just a placeholder.

Reimplemented from Arc::MCC.

Definition at line 320 of file MCCTLS.cpp.

   // Accepted payload is StreamInterface 
   // Returned payload is undefined - currently holds no information

   // TODO: probably some other credentials check is needed
   //if(!sslctx_) return MCC_Status();

   // Obtaining underlying stream
   if(!inmsg.Payload()) return MCC_Status();
   PayloadStreamInterface* inpayload = NULL;
   try {
      inpayload = dynamic_cast<PayloadStreamInterface*>(inmsg.Payload());
   } catch(std::exception& e) { };
   if(!inpayload) return MCC_Status();

   // Obtaining previously created stream context or creating a new one
   MCC_TLS_Context* context = NULL;
      MessageContextElement* mcontext = (*inmsg.Context())["tls.service"];
      if(mcontext) {
         try {
            context = dynamic_cast<MCC_TLS_Context*>(mcontext);
         } catch(std::exception& e) { };
   PayloadTLSMCC *stream = NULL;
   if(context) {
      // Old connection - using available SSL stream
   } else {
      // Creating new SSL object bound to stream of previous MCC
      // TODO: renew stream because it may be recreated by TCP MCC
      stream = new PayloadTLSMCC(inpayload,config_,logger);
      context=new MCC_TLS_Context(stream);
   // Creating message to pass to next MCC
   Message nextinmsg = inmsg;
   Message nextoutmsg = outmsg; nextoutmsg.Payload(NULL);

   PayloadTLSStream* tstream = dynamic_cast<PayloadTLSStream*>(stream);
   // Filling security attributes
   if(tstream && (config_.IfClientAuthn())) {
      TLSSecAttr* sattr = new TLSSecAttr(*tstream, config_, logger);
      //Getting the subject name of peer(client) certificate
      logger.msg(VERBOSE, "Peer name: %s", sattr->Subject());
      logger.msg(VERBOSE, "Identity name: %s", sattr->Identity());
      logger.msg(VERBOSE, "CA name: %s", sattr->CA());


   // Checking authentication and authorization;
   if(!ProcessSecHandlers(nextinmsg,"incoming")) {
      logger.msg(ERROR, "Security check failed in TLS MCC for incoming message");
      return MCC_Status();
   // Call next MCC 
   MCCInterface* next = Next();
   if(!next)  return MCC_Status();
   MCC_Status ret = next->process(nextinmsg,nextoutmsg);
   // TODO: If next MCC returns anything redirect it to stream
   if(nextoutmsg.Payload()) {
      delete nextoutmsg.Payload();
   if(!ret) return MCC_Status();
   // For nextoutmsg, nothing to do for payload of msg, but 
   // transfer some attributes of msg
   outmsg = nextoutmsg;
   return MCC_Status(STATUS_OK);

Here is the call graph for this function:

bool Arc::MCC::ProcessSecHandlers ( Message message,
const std::string &  label = "" 
) const [protected, inherited]

Executes security handlers of specified queue.

Returns true if the message is authorized for further processing or if there are no security handlers which implement authorization functionality. This is a convenience method and has to be called by the implemention of the MCC.

Definition at line 45 of file MCC.cpp.

    // Each MCC/Service can define security handler queues in the configuration
    // file, the queues have labels specified in handlers configuration 'event'
    // attribute.
    // Security handlers in one queue are called sequentially.
    // Each one should be configured carefully, because there can be some
    // relationship between them (e.g. authentication should be put in front
    // of authorization).
    // The SecHandler::Handle() only returns true/false with true meaning that
    // handler processed message successfuly. If SecHandler implements
    // authorization functionality, it returns false if message is disallowed
    // and true otherwise.
    // If any SecHandler in the handler chain produces some information which
    // will be used by some following handler, the information should be
    // stored in the attributes of message (e.g. the Identity extracted from
    // authentication will be used by authorization to make access control
    // decision).
    std::map<std::string, std::list<ArcSec::SecHandler *> >::const_iterator q =
    if (q == sechandlers_.end()) {
     "No security processing/check requested for '%s'", label);
      return true;
    for (std::list<ArcSec::SecHandler *>::const_iterator h = q->second.begin();
         h != q->second.end(); ++h) {
      const ArcSec::SecHandler *handler = *h;
      if (!handler)
        continue; // Shouldn't happen. Just a sanity check.
      if (!(handler->Handle(&message))) {
        logger.msg(INFO, "Security processing/check failed");
        return false;
    logger.msg(DEBUG, "Security processing/check passed");
    return true;

Here is the call graph for this function:

Here is the caller graph for this function:

static unsigned long Arc::MCC_TLS::ssl_id_cb ( void  ) [static, protected, inherited]
static void Arc::MCC_TLS::ssl_locking_cb ( int  mode,
int  n,
const char *  file,
int  line 
) [static, protected, inherited]
void Arc::MCC::Unlink ( ) [virtual, inherited]

Removing all links.

Useful for destroying chains.

Definition at line 29 of file MCC.cpp.

    for (std::map<std::string, MCCInterface *>::iterator n = next_.begin();
         n != next_.end(); n = next_.begin())

Here is the caller graph for this function:

Member Data Documentation

ConfigTLSMCC Arc::MCC_TLS::config_ [protected, inherited]

Definition at line 27 of file MCCTLS.h.

Glib::Mutex Arc::MCC_TLS::lock_ [static, protected, inherited]

Definition at line 20 of file MCCTLS.h.

Arc::Logger Arc::MCC_TLS::logger [static, protected, inherited]

A logger for MCCs.

A logger intended to be the parent of loggers in the different MCCs.

Reimplemented from Arc::MCC.

Definition at line 23 of file MCCTLS.h.

std::map<std::string, MCCInterface *> Arc::MCC::next_ [protected, inherited]

Set of labeled "next" components.

Each implemented MCC must call process() method of corresponding MCCInterface from this set in own process() method.

Definition at line 50 of file MCC.h.

std::map<std::string, std::list<ArcSec::SecHandler *> > Arc::MCC::sechandlers_ [protected, inherited]

Set of labeled authentication and authorization handlers.

MCC calls sequence of handlers at specific point depending on associated identifier. In most aces those are "in" and "out" for incoming and outgoing messages correspondingly.

Definition at line 57 of file MCC.h.

unsigned int Arc::MCC_TLS::ssl_initialized_ [static, protected, inherited]

Definition at line 19 of file MCCTLS.h.

Glib::Mutex* Arc::MCC_TLS::ssl_locks_ [static, protected, inherited]

Definition at line 21 of file MCCTLS.h.

int Arc::MCC_TLS::ssl_locks_num_ [static, protected, inherited]

Definition at line 22 of file MCCTLS.h.

The documentation for this class was generated from the following files: