nordugrid-arc-nox  1.1.0~rc6
Arc::TLSSecAttr Class Reference

Public Member Functions

 TLSSecAttr (PayloadTLSStream &, ConfigTLSMCC &config, Logger &logger)
virtual ~TLSSecAttr (void)
virtual operator bool (void) const
 This function should return false if the value is to be considered null, e.g. if it hasn't been set or initialized.
virtual bool Export (SecAttrFormat format, XMLNode &val) const
 Convert internal structure into specified format.
std::string Identity (void)
std::string Subject (void)
std::string CA (void)
std::string X509Str (void)
bool operator== (const SecAttr &b) const
 This function should (in inheriting classes) return true if this and b are considered to represent the same content.
bool operator!= (const SecAttr &b) const
 This is a convenience function to allow the usage of "not equal" conditions and need not be overridden.
virtual bool Export (SecAttrFormat format, std::string &val) const
 Convert internal structure into specified format.
virtual bool Import (SecAttrFormat format, const std::string &val)
 Fills internal structure from external object of specified format.
virtual bool Import (SecAttrFormat format, XMLNode val)

Static Public Attributes

static SecAttrFormat UNDEFINED
static SecAttrFormat ARCAuth
 own serialization/deserialization format
static SecAttrFormat XACML
 representation for ARC authorization policy
static SecAttrFormat SAML
 representation for XACML policy
static SecAttrFormat GACL
 suitable for inclusion into SAML structures

Protected Member Functions

virtual bool equal (const SecAttr &b) const

Protected Attributes

std::string identity_
std::list< std::string > subjects_
std::vector< std::string > voms_attributes_
std::string target_
std::string x509str_

Friends

class MCC_TLS_Service
class MCC_TLS_Client

Detailed Description

Definition at line 56 of file MCCTLS.cpp.


Constructor & Destructor Documentation

TLSSecAttr::TLSSecAttr ( PayloadTLSStream & payload, ConfigTLSMCC & config, Logger & logger )

Definition at line 119 of file MCCTLS.cpp.

{
  // X509_NAME_oneline() writes at most sizeof(buf)-1 bytes, so any DN longer
  // than 99 characters is silently truncated by every lookup below.
  char buf[100];
  std::string subject;
  STACK_OF(X509)* peerchain = payload.GetPeerChain();
  voms_attributes_.clear();
  if(peerchain != NULL) {
    // Walk the chain from the CA end down to the end-entity certificate.
    for(int idx = 0; idx < sk_X509_num(peerchain); ++idx) {
      X509* cert = sk_X509_value(peerchain, sk_X509_num(peerchain)-idx-1);
      if(idx == 0) { // Obtain CA subject
        // Sometimes the certificate chain contains the CA certificate itself.
        if(!SELFSIGNED(cert)) {
          buf[0]=0;
          X509_NAME_oneline(X509_get_issuer_name(cert), buf, sizeof(buf));
          subject=buf;
          subjects_.push_back(subject);
        };
      };
      buf[0]=0;
      X509_NAME_oneline(X509_get_subject_name(cert), buf, sizeof(buf));
      subject=buf;
      subjects_.push_back(subject);
#ifdef HAVE_OPENSSL_PROXY
      // The identity is the subject of the last certificate that carries no
      // proxyCertInfo extension, i.e. the end entity behind any proxy chain.
      if(X509_get_ext_by_NID(cert, NID_proxyCertInfo, -1) < 0) {
        identity_=subject;
      };
#endif
      // Parse VOMS attributes from each certificate of the peer chain.
      bool res = parseVOMSAC(cert, config.CADir(), config.CAFile(), config.VOMSCertTrustDN(), voms_attributes_);
      if(!res) {
        logger.msg(ERROR, "VOMS attribute parsing failed");
      };
    };
  };
  X509* peercert = payload.GetPeerCert();
  if(peercert != NULL) {
    if(subjects_.size() <= 0) { // Obtain CA subject if not obtained yet
      // Check for CA certificate used for connection - overprotection
      if(!SELFSIGNED(peercert)) {
        buf[0]=0;
        X509_NAME_oneline(X509_get_issuer_name(peercert), buf, sizeof(buf));
        subject=buf;
        subjects_.push_back(subject);
      };
    };
    buf[0]=0;
    X509_NAME_oneline(X509_get_subject_name(peercert), buf, sizeof(buf));
    subject=buf;
    //logger.msg(VERBOSE, "Peer name: %s", peer_dn);
    subjects_.push_back(subject);
#ifdef HAVE_OPENSSL_PROXY
    if(X509_get_ext_by_NID(peercert, NID_proxyCertInfo, -1) < 0) {
      identity_=subject;
    };
#endif
    // Parse VOMS attributes from peer certificate
    bool res = parseVOMSAC(peercert, config.CADir(), config.CAFile(), config.VOMSCertTrustDN(), voms_attributes_);
    if(!res) {
      logger.msg(ERROR, "VOMS attribute parsing failed");
    };
    // Convert the x509 cert into string format
    x509_to_string(peercert, x509str_);
    X509_free(peercert);
  };
  // Without proxy support, or when only proxy certificates were seen, fall back to the last subject.
  if(identity_.empty()) identity_=subject;
  X509* hostcert = payload.GetCert();
  if(hostcert != NULL) {
    buf[0]=0;
    X509_NAME_oneline(X509_get_subject_name(hostcert), buf, sizeof(buf));
    target_=buf;
    //logger.msg(VERBOSE, "Host name: %s", peer_dn);
  };
}

TLSSecAttr::~TLSSecAttr ( void  ) [virtual]

Definition at line 193 of file MCCTLS.cpp.

{
}

Member Function Documentation

std::string Arc::TLSSecAttr::CA ( void  ) [inline]

Definition at line 69 of file MCCTLS.cpp.

{
  if(subjects_.size() <= 0) return "";
  return *(subjects_.begin());
};

bool TLSSecAttr::equal ( const SecAttr & b ) const [protected, virtual]

Reimplemented from Arc::SecAttr.

Definition at line 200 of file MCCTLS.cpp.

{
  try {
    // dynamic_cast on a reference throws std::bad_cast when b is not a
    // TLSSecAttr; the catch below turns that into "not equal".
    const TLSSecAttr& a = dynamic_cast<const TLSSecAttr&>(b);
    if (!a) return false;
    // Comparison of attribute contents is not implemented yet (see operator==):
    // two TLSSecAttr objects are never reported equal.
    return false;
  } catch(std::exception&) { };
  return false;
}
bool TLSSecAttr::Export ( SecAttrFormat format, XMLNode & val ) const [virtual]

Convert internal structure into specified format.

Returns false if format is not supported/suitable for this attribute. The XML node referenced by val is turned into the top-level element of the specified format.

Reimplemented from Arc::SecAttr.

Definition at line 223 of file MCCTLS.cpp.

{
  if(format == UNDEFINED) {
  } else if(format == ARCAuth) {
    NS ns;
    ns["ra"]="http://www.nordugrid.org/schemas/request-arc";
    val.Namespaces(ns);
    val.Name("ra:Request");
    XMLNode item = val.NewChild("ra:RequestItem");
    XMLNode subj = item.NewChild("ra:Subject");
    std::list<std::string>::const_iterator s = subjects_.begin();
    std::string subject;
    if(s != subjects_.end()) {
      // First entry is the CA, every entry is part of the chain, last entry is the subject.
      subject=*s;
      add_arc_subject_attribute(subj,subject,"http://www.nordugrid.org/schemas/policy-arc/types/tls/ca");
      for(;s != subjects_.end();++s) {
        subject=*s;
        add_arc_subject_attribute(subj,subject,"http://www.nordugrid.org/schemas/policy-arc/types/tls/chain");
      };
      add_arc_subject_attribute(subj,subject,"http://www.nordugrid.org/schemas/policy-arc/types/tls/subject");
    };
    if(!identity_.empty()) {
      add_arc_subject_attribute(subj,identity_,"http://www.nordugrid.org/schemas/policy-arc/types/tls/identity");
    };
    for(std::size_t k=0; k < voms_attributes_.size(); k++) {
      add_arc_subject_attribute(subj, voms_attributes_[k],"http://www.nordugrid.org/schemas/policy-arc/types/tls/vomsattribute");
    };
    if(!target_.empty()) {
      XMLNode resource = item.NewChild("ra:Resource");
      resource=target_;
      resource.NewAttribute("Type")="string";
      resource.NewAttribute("AttributeId")="http://www.nordugrid.org/schemas/policy-arc/types/tls/hostidentity";
      // The following is agreed not to be used until all use cases are clarified (Bern agreement):
      // hostidentity should be a SubjectAttribute, because hostidentity is to be constrained to access
      // the peer delegation identity, or some resource which is attached to the peer delegation identity.
      // The constraint is defined in the delegation policy.
      //add_arc_subject_attribute(subj,target_,"http://www.nordugrid.org/schemas/policy-arc/types/tls/hostidentity");
    };
    return true;
  } else if(format == XACML) {
    NS ns;
    ns["ra"]="urn:oasis:names:tc:xacml:2.0:context:schema:os";
    val.Namespaces(ns);
    val.Name("ra:Request");
    XMLNode subj = val.NewChild("ra:Subject");
    std::list<std::string>::const_iterator s = subjects_.begin();
    std::string subject;
    if(s != subjects_.end()) {
      // Same CA / chain / subject layout as for ARCAuth, expressed as XACML attributes.
      subject=*s;
      add_xacml_subject_attribute(subj,subject,"http://www.nordugrid.org/schemas/policy-arc/types/tls/ca");
      for(;s != subjects_.end();++s) {
        subject=*s;
        add_xacml_subject_attribute(subj,subject,"http://www.nordugrid.org/schemas/policy-arc/types/tls/chain");
      };
      add_xacml_subject_attribute(subj,subject,"http://www.nordugrid.org/schemas/policy-arc/types/tls/subject");
    };
    if(!identity_.empty()) {
      add_xacml_subject_attribute(subj,identity_,"http://www.nordugrid.org/schemas/policy-arc/types/tls/identity");
    };
    for(std::size_t k=0; k < voms_attributes_.size(); k++) {
      add_xacml_subject_attribute(subj, voms_attributes_[k],"http://www.nordugrid.org/schemas/policy-arc/types/tls/vomsattribute");
    };
    if(!target_.empty()) {
      XMLNode resource = val.NewChild("ra:Resource");
      XMLNode attr = resource.NewChild("ra:Attribute");
      attr.NewChild("ra:AttributeValue") = target_;
      attr.NewAttribute("DataType")="xs:string";
      attr.NewAttribute("AttributeId")="http://www.nordugrid.org/schemas/policy-arc/types/tls/hostidentity";
      // The following is agreed not to be used until all use cases are clarified (Bern agreement):
      // hostidentity should be a SubjectAttribute, because hostidentity is to be constrained to access
      // the peer delegation identity, or some resource which is attached to the peer delegation identity.
      // The constraint is defined in the delegation policy.
      //add_xacml_subject_attribute(subj,target_,"http://www.nordugrid.org/schemas/policy-arc/types/tls/hostidentity");
    };
    return true;
  } else {
    // SAML and GACL are not supported by this attribute.
  };
  return false;
}
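As an added worked example (not code from the ARC project), the constructor's chain walk and the ARCAuth branch of Export() above are modelled in plain C++ on constructed certificates: OpenSSL's X509 is replaced by a small struct and SELFSIGNED is modelled as issuer == subject (both assumptions). It shows which DN ends up as CA(), Subject() and Identity() for a proxy-certificate chain, and the order of attribute ids Export() emits under ra:Subject.

```cpp
#include <cstddef>
#include <list>
#include <string>
#include <utility>
#include <vector>

// Constructed stand-in for an OpenSSL X509 with only the fields TLSSecAttr reads;
// self-signedness (the SELFSIGNED macro) is modelled here as issuer == subject.
struct Cert { std::string subject, issuer; bool is_proxy; };   // is_proxy: has proxyCertInfo
// The state the constructor fills: identity_, subjects_ (CA first, peer last), target_.
struct TlsAttrs { std::string identity; std::list<std::string> subjects; std::string target; };

// Same walk as the constructor: 'chain' is in OpenSSL order (index 0 nearest the
// end entity) and is read from the CA end; the peer cert itself is appended last.
TlsAttrs build_attrs(const std::vector<Cert>& chain, const Cert& peer, const Cert& host) {
    TlsAttrs a;
    std::string subject;
    for (std::size_t idx = 0; idx < chain.size(); ++idx) {
        const Cert& cert = chain[chain.size() - idx - 1];
        // CA subject is the first cert's issuer, unless the root itself is in the chain.
        if (idx == 0 && cert.issuer != cert.subject) a.subjects.push_back(cert.issuer);
        subject = cert.subject;
        a.subjects.push_back(subject);
        if (!cert.is_proxy) a.identity = subject;   // last non-proxy cert wins
    }
    if (a.subjects.empty() && peer.issuer != peer.subject) a.subjects.push_back(peer.issuer);
    subject = peer.subject;
    a.subjects.push_back(subject);
    if (!peer.is_proxy) a.identity = subject;
    if (a.identity.empty()) a.identity = subject;   // only proxies seen: fall back to peer DN
    a.target = host.subject;
    return a;
}

// The (AttributeId, value) pairs Export() places under ra:Subject for ARCAuth, in order.
typedef std::vector<std::pair<std::string, std::string> > Attrs;
Attrs export_arcauth(const TlsAttrs& a, const std::vector<std::string>& voms) {
    const std::string p = "http://www.nordugrid.org/schemas/policy-arc/types/tls/";
    Attrs out;
    if (!a.subjects.empty()) {
        out.push_back(std::make_pair(p + "ca", a.subjects.front()));
        for (const std::string& s : a.subjects) out.push_back(std::make_pair(p + "chain", s));
        out.push_back(std::make_pair(p + "subject", a.subjects.back()));
    }
    if (!a.identity.empty()) out.push_back(std::make_pair(p + "identity", a.identity));
    for (const std::string& v : voms) out.push_back(std::make_pair(p + "vomsattribute", v));
    return out;
}
```

Note that with a proxy chain the subject attribute is the proxy DN while the identity attribute is the user DN, so a policy keyed on the wrong one behaves differently for proxied connections.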

bool Arc::SecAttr::Export ( SecAttrFormat format, std::string & val ) const [virtual, inherited]

Convert internal structure into specified format.

Returns false if format is not supported/suitable for this attribute.

Definition at line 20 of file SecAttr.cpp.

{
  NS ns;
  XMLNode x(ns, "");
  if(!Export(format,x)) return false;
  x.GetXML(val);
  return true;
}

std::string Arc::TLSSecAttr::Identity ( void  ) [inline]

Definition at line 64 of file MCCTLS.cpp.

{ return identity_; };

bool Arc::SecAttr::Import ( SecAttrFormat format, const std::string & val ) [virtual, inherited]

Fills internal structure from external object of specified format.

Returns false on failure. The usage pattern for this method is not defined and it is provided only to make the class symmetric. Hence its implementation is not required yet.

Definition at line 32 of file SecAttr.cpp.

{
  XMLNode x(val);
  if(!x) return false;
  return Import(format,x);
}
bool Arc::SecAttr::Import ( SecAttrFormat format, XMLNode val ) [virtual, inherited]

Reimplemented in Arc::MultiSecAttr.

Definition at line 38 of file SecAttr.cpp.

{
  return false;
}
TLSSecAttr::operator bool ( void  ) const [virtual]

This function should return false if the value is to be considered null, e.g. if it hasn't been set or initialized. In other cases it should return true.

Reimplemented from Arc::SecAttr.

Definition at line 196 of file MCCTLS.cpp.

{
  return true;
}
bool Arc::SecAttr::operator!= ( const SecAttr & b ) const [inline, inherited]

This is a convenience function to allow the usage of "not equal" conditions and need not be overridden.

Definition at line 54 of file SecAttr.h.

{ return !equal(b); };

bool Arc::SecAttr::operator== ( const SecAttr & b ) const [inline, inherited]

This function should (in inheriting classes) return true if this and b are considered to represent the same content.

Identifying and restricting the type of b should be done using dynamic_cast operations. Currently it is not defined how the comparison methods are to be used. Hence their implementation is not required.

Definition at line 51 of file SecAttr.h.

{ return equal(b); };

std::string Arc::TLSSecAttr::Subject ( void  ) [inline]

Definition at line 65 of file MCCTLS.cpp.

{
  if(subjects_.size() <= 0) return "";
  return *(--(subjects_.end()));
};

std::string Arc::TLSSecAttr::X509Str ( void  ) [inline]

Definition at line 73 of file MCCTLS.cpp.

{
  return x509str_;
};

Friends And Related Function Documentation

friend class MCC_TLS_Client [friend]

Definition at line 58 of file MCCTLS.cpp.

friend class MCC_TLS_Service [friend]

Definition at line 57 of file MCCTLS.cpp.


Member Data Documentation

SecAttrFormat Arc::SecAttr::ARCAuth [static, inherited]

own serialization/deserialization format

Definition at line 40 of file SecAttr.h.

SecAttrFormat Arc::SecAttr::GACL [static, inherited]

suitable for inclusion into SAML structures

Definition at line 43 of file SecAttr.h.

std::string Arc::TLSSecAttr::identity_ [protected]

Definition at line 75 of file MCCTLS.cpp.

SecAttrFormat Arc::SecAttr::SAML [static, inherited]

representation for XACML policy

Definition at line 42 of file SecAttr.h.

std::list<std::string> Arc::TLSSecAttr::subjects_ [protected]

Definition at line 78 of file MCCTLS.cpp.

std::string Arc::TLSSecAttr::target_ [protected]

Definition at line 80 of file MCCTLS.cpp.

SecAttrFormat Arc::SecAttr::UNDEFINED [static, inherited]

Definition at line 39 of file SecAttr.h.

std::vector<std::string> Arc::TLSSecAttr::voms_attributes_ [protected]

Definition at line 79 of file MCCTLS.cpp.

std::string Arc::TLSSecAttr::x509str_ [protected]

Definition at line 81 of file MCCTLS.cpp.

SecAttrFormat Arc::SecAttr::XACML [static, inherited]

representation for ARC authorization policy

Definition at line 41 of file SecAttr.h.


The documentation for this class was generated from the following file: MCCTLS.cpp