
nordugrid-arc-nox  1.1.0~rc6
Arc::VOMSTrustList Class Reference

Stores definitions for making decision if VOMS server is trusted. More...

#include <VOMSUtil.h>



Public Member Functions

 VOMSTrustList (void)
 VOMSTrustList (const std::vector< std::string > &encoded_list)
 Creates chain lists and regexps from plain list.
 VOMSTrustList (const std::vector< VOMSTrustChain > &chains, const std::vector< VOMSTrustRegex > &regexs)
 Creates chain lists and regexps from those specified in arguments.
 ~VOMSTrustList (void)
VOMSTrustChain & AddChain (const VOMSTrustChain &chain)
 Adds chain of trusted DNs to list.
VOMSTrustChain & AddChain (void)
 Adds empty chain of trusted DNs to list.
RegularExpression & AddRegex (const VOMSTrustRegex &reg)
 Adds regular expression to list.
int SizeChains (void) const
int SizeRegexs (void) const
const VOMSTrustChain & GetChain (int num) const
const RegularExpression & GetRegex (int num) const

Private Attributes

std::vector< VOMSTrustChain > chains_
std::vector< RegularExpression * > regexs_

Detailed Description

Stores definitions for making decision if VOMS server is trusted.

Definition at line 18 of file VOMSUtil.h.


Constructor & Destructor Documentation

Arc::VOMSTrustList::VOMSTrustList ( void  ) [inline]

Definition at line 23 of file VOMSUtil.h.

{ };
Arc::VOMSTrustList::VOMSTrustList ( const std::vector< std::string > &  encoded_list)

Creates chain lists and regexps from plain list.

The list is made of chunks delimited by elements containing the pattern "NEXT CHAIN". Each chunk with more than one element is converted into one instance of VOMSTrustChain. A chunk with a single element is converted to a VOMSTrustChain if the element does not contain special symbols; otherwise it is treated as a regular expression. Those symbols are '^', '$' and '*'.

Trusted chains can be configured in two ways. One way is:

  <tls:VOMSCertTrustDNChain>
    <tls:VOMSCertTrustDN>/O=Grid/O=NorduGrid/CN=host/arthur.hep.lu.se</tls:VOMSCertTrustDN>
    <tls:VOMSCertTrustDN>/O=Grid/O=NorduGrid/CN=NorduGrid Certification Authority</tls:VOMSCertTrustDN>
    <tls:VOMSCertTrustDN>----NEXT CHAIN---</tls:VOMSCertTrustDN>
    <tls:VOMSCertTrustDN>/DC=ch/DC=cern/OU=computers/CN=voms.cern.ch</tls:VOMSCertTrustDN>
    <tls:VOMSCertTrustDN>/DC=ch/DC=cern/CN=CERN Trusted Certification Authority</tls:VOMSCertTrustDN>
  </tls:VOMSCertTrustDNChain>

The other way is:

  <tls:VOMSCertTrustDNChain>
    <tls:VOMSCertTrustDN>/O=Grid/O=NorduGrid/CN=host/arthur.hep.lu.se</tls:VOMSCertTrustDN>
    <tls:VOMSCertTrustDN>/O=Grid/O=NorduGrid/CN=NorduGrid Certification Authority</tls:VOMSCertTrustDN>
  </tls:VOMSCertTrustDNChain>
  <tls:VOMSCertTrustDNChain>
    <tls:VOMSCertTrustDN>/DC=ch/DC=cern/OU=computers/CN=voms.cern.ch</tls:VOMSCertTrustDN>
    <tls:VOMSCertTrustDN>/DC=ch/DC=cern/CN=CERN Trusted Certification Authority</tls:VOMSCertTrustDN>
  </tls:VOMSCertTrustDNChain>

Each chunk is supposed to contain the DNs of a trusted certificate chain, in which the first DN is the DN of the certificate (cert0) used to sign the Attribute Certificate (AC), and the second DN is the DN of the issuer certificate (cert1) used to sign cert0. So if there are one or more intermediate issuers, the chunk should contain 3 or more DNs (cert0 and the root certificate, plus the intermediate certificates).

Definition at line 61 of file VOMSUtil.cpp.

  {
    VOMSTrustChain chain;
    for(std::vector<std::string>::const_iterator i = encoded_list.begin();
                                i != encoded_list.end(); ++i) {
      if((*i).find("NEXT CHAIN") != std::string::npos) {
        if(chain.size() > 0) {
          if(chain.size() > 1) { // More than one item in chain means DN list
            AddChain(chain);
          } else {
            // Trying to find special symbols
            if((chain[0].find('^') != std::string::npos) ||
               (chain[0].find('$') != std::string::npos) ||
               (chain[0].find('*') != std::string::npos)) {
              AddRegex(chain[0]);
            } else {
              AddChain(chain);
            };
          }
          chain.clear();
        }
        continue;
      }
      chain.push_back(*i);
    }
    if(chain.size() > 0) {
      if(chain.size() > 1) { // More than one item in chain means DN list
        AddChain(chain);
      } else {
        // Trying to find special symbols
        if((chain[0].find('^') != std::string::npos) ||
           (chain[0].find('$') != std::string::npos) ||
           (chain[0].find('*') != std::string::npos)) {
          AddRegex(chain[0]);
        } else {
          AddChain(chain);
        };
      }
      chain.clear();
    }
  }
Arc::VOMSTrustList::VOMSTrustList ( const std::vector< VOMSTrustChain > &  chains,
const std::vector< VOMSTrustRegex > &  regexs 
)

Creates chain lists and regexps from those specified in arguments.

See AddChain() and AddRegex() for more information.

Arc::VOMSTrustList::~VOMSTrustList ( void  )

Definition at line 110 of file VOMSUtil.cpp.

  {
    // Regular expressions are owned by this object (allocated in AddRegex), so free them here
    for(std::vector<RegularExpression*>::iterator r = regexs_.begin();
                    r != regexs_.end();++r) {
      if(*r) delete *r; *r=NULL;
    }
  }

Member Function Documentation

VOMSTrustChain& Arc::VOMSTrustList::AddChain ( const VOMSTrustChain &  chain)

Adds chain of trusted DNs to list.

During verification each signature of the AC is checked against all stored chains. The DNs of the certificate chain used for signing the AC are compared one by one against the DNs stored in these chains. If needed, the DN of the issuer of the last certificate is checked too. Comparison succeeds if the DNs in at least one stored chain are the same as those in the certificate chain. Comparison stops when all DNs in the stored chain have been compared. If there are more DNs in the stored chain than in the certificate chain, the comparison fails. An empty stored list matches any certificate chain. Taking into account that certificate chains are verified down to a trusted CA anyway, having more than one DN in a stored chain seems to be useless, but such a feature may be found useful by some very strict sysadmins. ??? IMO, the DN list here is not only for authentication, it is also a kind of ACL, which means the AC consumer only trusts those DNs which issue ACs.

VOMSTrustChain& Arc::VOMSTrustList::AddChain ( void  )

Adds empty chain of trusted DNs to list.

Definition at line 117 of file VOMSUtil.cpp.

  {
    VOMSTrustChain chain;
    return *chains_.insert(chains_.end(),chain);
  }

RegularExpression& Arc::VOMSTrustList::AddRegex ( const VOMSTrustRegex &  reg)

Adds regular expression to list.

During verification each signature of the AC is checked against all stored regular expressions. The DN of the signing certificate must match at least one of the stored regular expressions.

Definition at line 126 of file VOMSUtil.cpp.

  {
    RegularExpression* r = new RegularExpression(reg);
    regexs_.insert(regexs_.end(),r);
    return *r;
  }
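The chain-matching rules described under AddChain(), the regular-expression rule under AddRegex(), and the "NEXT CHAIN" chunking described for the encoded-list constructor, as an added C++ example; this is not nordugrid-arc code. It uses std::regex in place of Arc::RegularExpression and a plain vector of strings in place of VOMSTrustChain, treats a match on either a stored chain or a stored regular expression as sufficient, and represents the certificate chain as the list of subject DNs starting at cert0 (with the last issuer's DN optionally appended by the caller). Those choices and all function names are assumptions of the example; the DNs are the ones from the configuration above plus constructed ones.

```cpp
// Added example, not nordugrid-arc code: models how a VOMS trust list is
// built from the flat "NEXT CHAIN" delimited list and how a signing
// certificate chain is then checked against it. Names are hypothetical.
#include <cstddef>
#include <iostream>
#include <regex>
#include <string>
#include <vector>

typedef std::vector<std::string> DNChain;   // stands in for Arc::VOMSTrustChain

struct TrustList {
    std::vector<DNChain> chains;            // trusted DN chains
    std::vector<std::regex> regexs;         // trusted DN patterns (ECMAScript syntax assumed)
};

// Chunks are separated by an element containing "NEXT CHAIN". A chunk with
// several elements is a DN chain; a single element containing '^', '$' or '*'
// is a regular expression; any other single element is a one-DN chain.
TrustList parseEncodedList(const std::vector<std::string>& encoded) {
    TrustList tl;
    DNChain chunk;
    for (size_t i = 0; i <= encoded.size(); ++i) {
        bool delimiter = (i == encoded.size()) ||
                         (encoded[i].find("NEXT CHAIN") != std::string::npos);
        if (!delimiter) { chunk.push_back(encoded[i]); continue; }
        if (chunk.size() == 1 && chunk[0].find_first_of("^$*") != std::string::npos) {
            tl.regexs.push_back(std::regex(chunk[0]));
        } else if (!chunk.empty()) {
            tl.chains.push_back(chunk);
        }
        chunk.clear();
    }
    return tl;
}

// A stored chain matches when each of its DNs equals the DN at the same
// position of the certificate chain (cert0, then its issuer, and so on).
// A stored chain longer than the certificate chain cannot match; an empty
// stored chain matches any certificate chain.
bool chainMatches(const DNChain& stored, const DNChain& certChain) {
    if (stored.size() > certChain.size()) return false;
    for (size_t i = 0; i < stored.size(); ++i)
        if (stored[i] != certChain[i]) return false;
    return true;
}

// certChain[0] is the subject DN of the AC-signing certificate (cert0),
// followed by the subject DNs of its issuers. Accepted when at least one
// stored chain matches, or when cert0's DN matches at least one stored
// regular expression (treating the two as alternatives is an assumption).
bool isTrusted(const TrustList& tl, const DNChain& certChain) {
    if (certChain.empty()) return false;
    for (size_t c = 0; c < tl.chains.size(); ++c)
        if (chainMatches(tl.chains[c], certChain)) return true;
    for (size_t r = 0; r < tl.regexs.size(); ++r)
        if (std::regex_search(certChain[0], tl.regexs[r])) return true;
    return false;
}

// Constructed sample: the two chains from the configuration above plus a
// pattern that accepts any host certificate under the CERN "computers" OU.
TrustList sampleTrustList() {
    std::vector<std::string> encoded;
    encoded.push_back("/O=Grid/O=NorduGrid/CN=host/arthur.hep.lu.se");
    encoded.push_back("/O=Grid/O=NorduGrid/CN=NorduGrid Certification Authority");
    encoded.push_back("----NEXT CHAIN---");
    encoded.push_back("/DC=ch/DC=cern/OU=computers/CN=voms.cern.ch");
    encoded.push_back("/DC=ch/DC=cern/CN=CERN Trusted Certification Authority");
    encoded.push_back("----NEXT CHAIN---");
    encoded.push_back("^/DC=ch/DC=cern/OU=computers/CN=.*$");
    return parseEncodedList(encoded);
}

int main() {
    TrustList tl = sampleTrustList();
    DNChain exact = {"/O=Grid/O=NorduGrid/CN=host/arthur.hep.lu.se",
                     "/O=Grid/O=NorduGrid/CN=NorduGrid Certification Authority"};
    DNChain withIntermediate = {"/O=Grid/O=NorduGrid/CN=host/arthur.hep.lu.se",
                                "/O=Grid/O=NorduGrid/CN=Constructed Intermediate CA",
                                "/O=Grid/O=NorduGrid/CN=NorduGrid Certification Authority"};
    DNChain viaRegex = {"/DC=ch/DC=cern/OU=computers/CN=lcg-voms.cern.ch",
                        "/DC=ch/DC=cern/CN=CERN Trusted Certification Authority"};
    std::cout << "exact chain:        " << isTrusted(tl, exact) << "\n";            // 1
    std::cout << "extra intermediate: " << isTrusted(tl, withIntermediate) << "\n"; // 0
    std::cout << "regex only:         " << isTrusted(tl, viaRegex) << "\n";         // 1
    return 0;
}
```

The second case is the one operators most often get wrong: because the stored DNs are compared position by position, a stored chain that lists cert0 and the root only does not match a real chain that has an intermediate CA between them; the configured chunk has to list every DN in order, as the constructor documentation says.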
const VOMSTrustChain& Arc::VOMSTrustList::GetChain ( int  num) const [inline]

Definition at line 92 of file VOMSUtil.h.

{ return chains_[num]; };

const RegularExpression& Arc::VOMSTrustList::GetRegex ( int  num) const [inline]

Definition at line 93 of file VOMSUtil.h.

{ return *(regexs_[num]); };

int Arc::VOMSTrustList::SizeChains ( void  ) const [inline]

Definition at line 90 of file VOMSUtil.h.

{ return chains_.size(); };

int Arc::VOMSTrustList::SizeRegexs ( void  ) const [inline]

Definition at line 91 of file VOMSUtil.h.

{ return regexs_.size(); };


Member Data Documentation

std::vector< VOMSTrustChain > Arc::VOMSTrustList::chains_ [private]

Definition at line 20 of file VOMSUtil.h.

std::vector< RegularExpression * > Arc::VOMSTrustList::regexs_ [private]

Definition at line 21 of file VOMSUtil.h.
