
nordugrid-arc-nox  1.1.0~rc6
ArcSec::Service_Delegation Class Reference

A Service which launches the proxy certificate request; it accepts the request from. More...

#include <delegation.h>

Inheritance diagram for ArcSec::Service_Delegation: (graph image)
Collaboration diagram for ArcSec::Service_Delegation: (graph image)



Classes

class  CredentialCache

Public Member Functions

 Service_Delegation (Arc::Config *cfg)
virtual ~Service_Delegation (void)
virtual Arc::MCC_Status process (Arc::Message &inmsg, Arc::Message &outmsg)
 Method for processing of requests and responses.
bool RegistrationCollector (Arc::XMLNode &doc)
 Service specific registration collector, used to generate service registrations.
virtual void AddSecHandler (Config *cfg, ArcSec::SecHandler *sechandler, const std::string &label="")
 Add security components/handlers to this MCC.
virtual std::string getID ()
 Service may implement its own service identifier gathering method.

Protected Member Functions

Arc::MCC_Status make_soap_fault (Arc::Message &outmsg)
bool ProcessSecHandlers (Message &message, const std::string &label="") const
 Executes security handlers of specified queue.

Protected Attributes

Arc::NS ns_
Arc::Logger logger_
std::string endpoint_
std::string expiration_
Arc::InformationContainer infodoc
std::map< std::string, std::list< ArcSec::SecHandler * > > sechandlers_
 Set of labeled authentication and authorization handlers.

Static Protected Attributes

static Logger logger
 Logger object used to print messages generated by this class.

Private Types

typedef std::map< std::string, CredentialCache * > ID2CredMap
typedef ID2CredMap::iterator ID2CredMapIterator
typedef std::multimap< std::string, CredentialCache * > Identity2CredMap
typedef Identity2CredMap::iterator Identity2CredMapIterator
typedef std::pair< Identity2CredMapIterator, Identity2CredMapIterator > Identity2CredMapReturn

Private Attributes

ID2CredMap id2cred_
Identity2CredMap identity2cred_
Glib::Mutex lock_
int max_crednum_
int max_credlife_
std::string trusted_cadir
std::string trusted_capath

Detailed Description

A Service which launches the proxy certificate request; it accepts the request from.

Definition at line 14 of file delegation.h.

Member Typedef Documentation

typedef std::map<std::string,CredentialCache*> ArcSec::Service_Delegation::ID2CredMap [private]

Definition at line 16 of file delegation.h.

typedef ID2CredMap::iterator ArcSec::Service_Delegation::ID2CredMapIterator [private]

Definition at line 18 of file delegation.h.

typedef std::multimap<std::string,CredentialCache*> ArcSec::Service_Delegation::Identity2CredMap [private]

Definition at line 20 of file delegation.h.

typedef Identity2CredMap::iterator ArcSec::Service_Delegation::Identity2CredMapIterator [private]

Definition at line 21 of file delegation.h.

typedef std::pair<Identity2CredMapIterator,Identity2CredMapIterator> ArcSec::Service_Delegation::Identity2CredMapReturn [private]

Definition at line 22 of file delegation.h.

Constructor & Destructor Documentation

ArcSec::Service_Delegation::Service_Delegation ( Arc::Config *  cfg )

Definition at line 189 of file delegation.cpp.

    logger_(Arc::Logger::rootLogger, "Delegation_Service"), deleg_service_(NULL) {

  deleg_service_ = new Arc::DelegationContainerSOAP;
  // Defaults for the credential cache: at most 1000 entries, lifetime 43200 (= 12*3600)
  max_crednum_ = 1000;
  max_credlife_ = 43200;

  // Trusted CA locations used when signing proxies are taken from the service configuration
  trusted_cadir = (std::string)((*cfg)["CACertificatesDir"]);
  trusted_capath = (std::string)((*cfg)["CACertificatePath"]);
}

virtual ArcSec::Service_Delegation::~Service_Delegation ( void ) [virtual]

Definition at line 203 of file delegation.cpp.

{
  if(deleg_service_) delete deleg_service_;
}

Member Function Documentation

void Arc::Service::AddSecHandler ( Config *  cfg,
ArcSec::SecHandler *  sechandler,
const std::string &  label = ""
) [virtual, inherited]

Add security components/handlers to this MCC.

For more information please see description of MCC::AddSecHandler

Definition at line 14 of file Service.cpp.

{
    if(sechandler) {
        sechandlers_[label].push_back(sechandler); //need polishing to put the SecHandlerFactory->getinstance here
        XMLNode cn = (*cfg)["SecHandler"];
        Config cfg_(cn);
    }
}


virtual std::string Arc::Service::getID ( ) [inline, virtual, inherited]

Service may implement own service identitifer gathering method.

This method returns the identifier of the service, which is used when registering it with Information Services.

Reimplemented in ARex::ARexService.

Definition at line 69 of file Service.h.

{ return ""; };

Arc::MCC_Status ArcSec::Service_Delegation::make_soap_fault ( Arc::Message &  outmsg ) [protected]

Definition at line 31 of file delegation.cpp.

{
  Arc::PayloadSOAP* outpayload = new Arc::PayloadSOAP(ns_,true);
  Arc::SOAPFault* fault = outpayload?outpayload->Fault():NULL;
  if(fault) {
    // Generic reason only; no request details are echoed back to the client
    fault->Reason("Failed processing delegation request");
  }
  outmsg.Payload(outpayload); // hand the fault payload to the response (supplied here; the excerpt omits it)
  return Arc::MCC_Status(Arc::STATUS_OK);
}


virtual Arc::MCC_Status ArcSec::Service_Delegation::process ( Arc::Message &  inmsg, Arc::Message &  outmsg ) [virtual]

Method for processing of requests and responses.

This method is called by the preceding MCC in the chain when a request needs to be processed. It must call the corresponding method of the next MCC in the chain unless a failure happens. The result returned by the next MCC should be processed and passed back to the previous MCC. In case of failure this method is expected to generate a valid error response and return it to the previous MCC without calling the next one.

Parameters:
    request    The request that needs to be processed.
    response   A Message object that will contain the response of the request when the method returns.

Returns:
    An object representing the status of the call.

Implements Arc::MCCInterface.

Definition at line 58 of file delegation.cpp.

{
  std::string method = inmsg.Attributes()->get("HTTP:METHOD");

  // Incoming security handlers run before any payload is looked at
  if(!ProcessSecHandlers(inmsg,"incoming")) {
    logger_.msg(Arc::ERROR, "Security Handlers processing failed");
    return Arc::MCC_Status();
  }

  Arc::PayloadSOAP* outpayload = new Arc::PayloadSOAP(ns_);
  if(!outpayload) {
    logger_.msg(Arc::ERROR, "Can not create output SOAP payload for delegation service");
    return make_soap_fault(outmsg);
  }

  // Identify which of served endpoints request is for.
  // Delegation can only accept POST method
  if(method == "POST") {
    logger_.msg(Arc::VERBOSE, "process: POST");
    // Both input and output are supposed to be SOAP
    // Extracting payload
    Arc::PayloadSOAP* inpayload = NULL;
    try {
      inpayload = dynamic_cast<Arc::PayloadSOAP*>(inmsg.Payload());
    } catch(std::exception& e) { };
    if(!inpayload) {
      logger_.msg(Arc::ERROR, "input is not SOAP");
      delete outpayload;
      return make_soap_fault(outmsg);
    }
    // Analyzing request
    if((*inpayload)["DelegateCredentialsInit"]) {
      // Step 1 of delegation: hand the client an X.509 request to sign
      if(!deleg_service_->DelegateCredentialsInit(*inpayload,*outpayload)) {
        logger_.msg(Arc::ERROR, "Can not generate X509 request");
        delete outpayload;
        return make_soap_fault(outmsg);
      }
    } else if((*inpayload)["UpdateCredentials"]) {
      // Step 2 of delegation: the client returns the signed proxy
      std::string cred;
      std::string identity;
      if(!deleg_service_->UpdateCredentials(cred,identity,*inpayload,*outpayload)) {
        logger_.msg(Arc::ERROR, "Can not store proxy certificate");
        delete outpayload;
        return make_soap_fault(outmsg);
      }
      logger_.msg(Arc::DEBUG,"Delegated credentials:\n %s",cred.c_str());

      CredentialCache* cred_cache = NULL;
      std::string id = (std::string)((*inpayload)["UpdateCredentials"]["DelegatedToken"]["Id"]);
      std::string credential_delegator_ip = inmsg.Attributes()->get("TCP:REMOTEHOST");
      cred_cache = new CredentialCache(cred);
      cred_cache->credential_delegator_ip_ = credential_delegator_ip;
      cred_cache->credential_identity_ = identity;
      cred_cache->id_ = id;

      //Need some way to make other services get the proxy credential

    } else if((*inpayload)["AcquireCredentials"]) {
      // Another service asks for a proxy derived from a cached delegated credential
      CredentialCache* cred_cache = NULL;
      std::string cred;
      std::string id = (std::string)((*inpayload)["AcquireCredentials"]["DelegatedTokenLookup"]["Id"]);
      std::string cred_identity = (std::string)((*inpayload)["AcquireCredentials"]["DelegatedTokenLookup"]["CredIdentity"]);
      std::string cred_delegator_ip = (std::string)((*inpayload)["AcquireCredentials"]["DelegatedTokenLookup"]["CredDelegatorIP"]);
      std::string x509req_value = (std::string)((*inpayload)["AcquireCredentials"]["DelegatedTokenLookup"]["Value"]);
      if(!id.empty()) {
        // Lookup by token id; an unknown id must not dereference end()
        ID2CredMapIterator found = id2cred_.find(id);
        if(found != id2cred_.end()) cred_cache = found->second;
      } else if(!cred_identity.empty() && !cred_delegator_ip.empty()) {
        // Lookup by delegator identity among all credentials stored for it
        Identity2CredMapReturn ret;
        Identity2CredMapIterator it;
        ret = identity2cred_.equal_range(cred_identity);
        for(it = ret.first; it!=ret.second; ++it) {
          cred_cache = (*it).second;
          if(!(cred_cache->credential_delegator_ip_).empty()) break;
        }
      }
      if(!cred_cache) {
        logger_.msg(Arc::ERROR, "Can not find the corresponding credential from credential cache");
        delete outpayload;
        return make_soap_fault(outmsg);
      }
      cred = cred_cache->credential_;

      Arc::NS ns; ns["deleg"]=ARC_DELEGATION_NAMESPACE;
      Arc::XMLNode cred_resp = (*outpayload).NewChild("deleg:AcquireCredentialsResponse");
      Arc::XMLNode token = cred_resp.NewChild("deleg:DelegatedToken");
      token.NewChild("deleg:Id") = cred_cache->id_;
      token.NewAttribute("deleg:Format") = std::string("x509");

      //Sign the proxy certificate
      Arc::Time start;
      //Set proxy path length to be -1, which means infinite length
      Arc::Credential proxy(start,Arc::Period(12*3600), 0, "rfc", "inheritAll","",-1);
      Arc::Credential signer(cred, "", trusted_cadir, trusted_capath, "", false);
      std::string signedcert;
      if(!(signer.SignRequest(&proxy, signedcert))) {
        logger_.msg(Arc::ERROR, "Signing proxy on delegation service failed");
        delete outpayload;
        return Arc::MCC_Status();
      }

      std::string signercert_str;
      std::string signercertchain_str;

      token.NewChild("deleg:Value") = signedcert;

      logger_.msg(Arc::DEBUG,"Delegated credentials:\n %s",signedcert.c_str());
    }

    //Compose response message
    outmsg.Payload(outpayload); // attach the SOAP response (supplied here; the excerpt omits it)

    if(!ProcessSecHandlers(outmsg,"outgoing")) {
      logger_.msg(Arc::ERROR, "Security Handlers processing failed");
      delete outmsg.Payload(NULL);
      return Arc::MCC_Status();
    }

    return Arc::MCC_Status(Arc::STATUS_OK);
  } else {
    delete inmsg.Payload();
    logger_.msg(Arc::VERBOSE, "process: %s: not supported",method);
    return Arc::MCC_Status();
  }
  return Arc::MCC_Status();
}
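The AcquireCredentials branch above serves a cached credential either by DelegatedToken Id (id2cred_) or by delegator identity (identity2cred_), and the constructor sets max_crednum_ and max_credlife_ while the excerpt shows no code that enforces them. The following is an added example, not code from nordugrid-arc-nox, of how such a cache can be kept bounded and expiring, with the end() check on find() and a delegator-IP match on the identity path. CachedCredential, DelegatedCredentialCache, the integer "now" clock and the certificate text are assumptions of the example.

```cpp
// Added illustration, not nordugrid-arc-nox code: a bounded, expiring cache of
// delegated credentials shaped like Service_Delegation's private state
// (id2cred_, identity2cred_, lock_, max_crednum_, max_credlife_). The types below
// and the integer clock are assumptions; the certificate text is a constructed placeholder.
#include <cstddef>
#include <cstdint>
#include <map>
#include <memory>
#include <mutex>
#include <string>
#include <utility>

struct CachedCredential {
    std::string id;            // DelegatedToken/Id supplied with UpdateCredentials
    std::string credential;    // delegated proxy, opaque here
    std::string identity;      // identity of the delegator
    std::string delegator_ip;  // TCP:REMOTEHOST of the delegating client
    int64_t stored_at;         // seconds since epoch when stored
};

class DelegatedCredentialCache {
public:
    DelegatedCredentialCache(std::size_t max_crednum, int64_t max_credlife)
        : max_crednum_(max_crednum), max_credlife_(max_credlife) {}
    // Store a credential: purge expired entries first, refuse duplicate ids,
    // refuse to exceed max_crednum_. Returns false when rejected.
    bool Store(const CachedCredential& c, int64_t now) {
        std::lock_guard<std::mutex> guard(lock_);
        Purge(now);
        if (c.id.empty() || id2cred_.count(c.id) != 0) return false;
        if (id2cred_.size() >= max_crednum_) return false;
        std::shared_ptr<CachedCredential> p = std::make_shared<CachedCredential>(c);
        p->stored_at = now;
        id2cred_[p->id] = p;
        identity2cred_.insert(std::make_pair(p->identity, p));
        return true;
    }
    // Lookup by token id: find() is compared with end() before dereferencing,
    // and an expired entry counts as absent.
    std::shared_ptr<const CachedCredential> FindById(const std::string& id, int64_t now) {
        std::lock_guard<std::mutex> guard(lock_);
        ID2CredMap::iterator it = id2cred_.find(id);
        if (it == id2cred_.end() || Expired(*it->second, now)) return nullptr;
        return it->second;
    }
    // Lookup by delegator identity: the delegator IP must match too, so the
    // credential is only handed out for the (identity, IP) pair that stored it.
    std::shared_ptr<const CachedCredential> FindByIdentity(const std::string& identity,
                                                           const std::string& ip, int64_t now) {
        std::lock_guard<std::mutex> guard(lock_);
        auto range = identity2cred_.equal_range(identity);
        for (auto it = range.first; it != range.second; ++it) {
            if (it->second->delegator_ip == ip && !Expired(*it->second, now)) return it->second;
        }
        return nullptr;
    }
private:
    typedef std::map<std::string, std::shared_ptr<CachedCredential> > ID2CredMap;
    typedef std::multimap<std::string, std::shared_ptr<CachedCredential> > Identity2CredMap;
    bool Expired(const CachedCredential& c, int64_t now) const { return now - c.stored_at >= max_credlife_; }
    // Drop expired entries from both indexes; caller holds lock_.
    void Purge(int64_t now) {
        for (auto it = id2cred_.begin(); it != id2cred_.end();) {
            if (Expired(*it->second, now)) it = id2cred_.erase(it); else ++it;
        }
        for (auto it = identity2cred_.begin(); it != identity2cred_.end();) {
            if (Expired(*it->second, now)) it = identity2cred_.erase(it); else ++it;
        }
    }
    std::mutex lock_;
    std::size_t max_crednum_;
    int64_t max_credlife_;
    ID2CredMap id2cred_;
    Identity2CredMap identity2cred_;
};

// Exercises the cache with the page's max_credlife_ default (43200, taken as seconds)
// and a cap of two entries; returns 0 if every expectation holds, else the failing step.
int DemoScenario() {
    DelegatedCredentialCache cache(2, 43200);
    CachedCredential a = {"id-1", "-----BEGIN CERTIFICATE----- (constructed)", "/DC=org/CN=alice", "192.0.2.10", 0};
    CachedCredential b = a; b.id = "id-2"; b.delegator_ip = "192.0.2.11";
    CachedCredential c = a; c.id = "id-3";
    if (!cache.Store(a, 1000) || !cache.Store(b, 1000)) return 1;
    if (cache.Store(c, 1000)) return 2;                    // cap of two reached
    if (cache.Store(a, 2000)) return 3;                    // duplicate id refused
    if (!cache.FindById("id-1", 2000)) return 4;
    if (cache.FindById("missing", 2000)) return 5;         // absent id, no crash
    auto hit = cache.FindByIdentity("/DC=org/CN=alice", "192.0.2.11", 2000);
    if (!hit || hit->id != "id-2") return 6;
    if (cache.FindByIdentity("/DC=org/CN=alice", "198.51.100.1", 2000)) return 7;  // IP mismatch
    if (cache.FindById("id-1", 1000 + 43200)) return 8;    // lifetime elapsed
    if (!cache.Store(c, 1000 + 43200)) return 9;           // expired entries purged, room again
    return 0;
}

int main() { return DemoScenario(); }
```

Both indexes hold shared pointers to the same entry, so purging one index never leaves the other pointing at freed memory, and every lookup takes lock_ for the whole search rather than returning a raw pointer into a map that another request may be modifying.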


bool Arc::Service::ProcessSecHandlers ( Message &  message,
const std::string &  label = ""
) const [protected, inherited]

Executes security handlers of specified queue.

For more information please see description of MCC::ProcessSecHandlers

Definition at line 22 of file Service.cpp.

{
    std::map<std::string,std::list<ArcSec::SecHandler*> >::const_iterator q = sechandlers_.find(label);
    if(q == sechandlers_.end()) {
        // No queue configured under this label: the message passes unchecked
        logger.msg(DEBUG, "No security processing/check requested for '%s'", label);
        return true;
    }
    std::list<ArcSec::SecHandler*>::const_iterator h = q->second.begin();
    for(;h!=q->second.end();++h) {
        const ArcSec::SecHandler* handler = *h;
        // First failing handler stops processing
        if(handler) if(!(handler->Handle(&message))) {
            logger.msg(DEBUG, "Security processing/check for '%s' failed", label);
            return false;
        }
    }
    logger.msg(DEBUG, "Security processing/check for '%s' passed", label);
    return true;
}


bool ArcSec::Service_Delegation::RegistrationCollector ( Arc::XMLNode &  doc )

Service specific registration collector, used to generate service registrations.

In an implemented service this method should generate a GLUE2 document containing the part of the service description that the service wishes to advertise to Information Services.

Reimplemented from Arc::Service.

Definition at line 207 of file delegation.cpp.

{
  Arc::NS isis_ns; isis_ns["isis"] = "";
  Arc::XMLNode regentry(isis_ns, "RegEntry");
  regentry.NewChild("SrcAdv").NewChild("Type") = "";
  // The RegEntry is built with empty values and is not attached to doc here
  return true;
}


Member Data Documentation

Definition at line 42 of file delegation.h.

std::string ArcSec::Service_Delegation::endpoint_ [protected]

Definition at line 32 of file delegation.h.

std::string ArcSec::Service_Delegation::expiration_ [protected]

Definition at line 33 of file delegation.h.

Definition at line 19 of file delegation.h.

Definition at line 23 of file delegation.h.

Definition at line 34 of file delegation.h.

Glib::Mutex ArcSec::Service_Delegation::lock_ [private]

Definition at line 24 of file delegation.h.

Logger Arc::Service::logger [static, protected, inherited]

Logger object used to print messages generated by this class.

Reimplemented in Echo::Service_Echo, Arc::Service_JavaWrapper, SPService::Service_SP, Compiler::Service_Compiler, Hopi::Hopi, and Arc::Service_PythonWrapper.

Definition at line 43 of file Service.h.

Definition at line 31 of file delegation.h.

Definition at line 26 of file delegation.h.

Definition at line 25 of file delegation.h.

Definition at line 30 of file delegation.h.

std::map<std::string,std::list<ArcSec::SecHandler*> > Arc::Service::sechandlers_ [protected, inherited]

Set of labeled authentication and authorization handlers.

The MCC calls a sequence of handlers at a specific point depending on the associated identifier. In most cases those are "in" and "out" for incoming and outgoing messages respectively.

Definition at line 40 of file Service.h.

Definition at line 27 of file delegation.h.

Definition at line 28 of file delegation.h.

The documentation for this class was generated from the following files:

delegation.h
delegation.cpp