|
46 | 46 | #include "XrdTls/XrdTlsContext.hh" |
47 | 47 | #include "XrdOuc/XrdOucUtils.hh" |
48 | 48 | #include "XrdOuc/XrdOucPrivateUtils.hh" |
| 49 | +#include "XrdSec/XrdSecLoadSecurity.hh" |
49 | 50 | #include "XrdHttpCors/XrdHttpCors.hh" |
50 | 51 |
|
51 | 52 | #include <charconv> |
@@ -119,6 +120,7 @@ XrdScheduler *XrdHttpProtocol::Sched = 0; // System scheduler |
119 | 120 | XrdBuffManager *XrdHttpProtocol::BPool = 0; // Buffer manager |
120 | 121 | XrdSysError XrdHttpProtocol::eDest = 0; // Error message handler |
121 | 122 | XrdSecService *XrdHttpProtocol::CIA = 0; // Authentication Server |
| 123 | +XrdOucEnv *XrdHttpProtocol::configEnv = 0; |
122 | 124 | int XrdHttpProtocol::m_bio_type = 0; // BIO type identifier for our custom BIO. |
123 | 125 | BIO_METHOD *XrdHttpProtocol::m_bio_method = NULL; // BIO method constructor. |
124 | 126 | char *XrdHttpProtocol::xrd_cslist = nullptr; |
@@ -155,6 +157,10 @@ bool xrdctxVer = false; |
155 | 157 |
|
156 | 158 | using namespace XrdHttpProtoInfo; |
157 | 159 |
|
| 160 | +XrdHttpProtocol::OAuth2HttpMode XrdHttpProtocol::oauth2HttpMode = |
| 161 | + XrdHttpProtocol::OAuth2HttpMode::Off; |
| 162 | +std::string_view XrdHttpProtocol::oauth2ConfigFN; |
| 163 | + |
158 | 164 | /******************************************************************************/ |
159 | 165 | /* P r o t o c o l M a n a g e m e n t S t a c k s */ |
160 | 166 | /******************************************************************************/ |
@@ -806,6 +812,13 @@ int XrdHttpProtocol::Process(XrdLink *lp) // We ignore the argument here |
806 | 812 |
|
807 | 813 |
|
808 | 814 |
|
| 815 | + // Bearer OAuth2 authentication over HTTPS (via sec.protocol oauth2 / CIA). |
| 816 | + if (ishttps && ssldone |
| 817 | + && oauth2HttpMode != OAuth2HttpMode::Off |
| 818 | + && HandleOAuth2Authentication()) { |
| 819 | + return -1; |
| 820 | + } |
| 821 | + |
809 | 822 | // Now we have everything that is needed to try the login |
810 | 823 | // Remember that if there is an exthandler then it has the responsibility |
811 | 824 | // for authorization in the paths that it manages |
@@ -904,6 +917,8 @@ int XrdHttpProtocol::Stats(char *buff, int blen, int do_sync) { |
904 | 917 | eDest.Say("Config http." x " overrides the xrd." y " directive.") |
905 | 918 |
|
906 | 919 | int XrdHttpProtocol::Config(const char *ConfigFN, XrdOucEnv *myEnv) { |
| 920 | + XrdHttpProtocol::oauth2ConfigFN = ConfigFN; |
| 921 | + XrdHttpProtocol::configEnv = myEnv; |
907 | 922 | XrdOucEnv cfgEnv; |
908 | 923 | XrdOucStream Config(&eDest, getenv("XRDINSTANCE"), &cfgEnv, "=====> "); |
909 | 924 | std::vector<extHInfo> extHIVec; |
@@ -1005,6 +1020,7 @@ int XrdHttpProtocol::Config(const char *ConfigFN, XrdOucEnv *myEnv) { |
1005 | 1020 | else if TS_Xeq("tlsreuse", xtlsreuse); |
1006 | 1021 | else if TS_Xeq("auth", xauth); |
1007 | 1022 | else if TS_Xeq("tlsclientauth", xtlsclientauth); |
| 1023 | + else if TS_Xeq("oauth2", xoauth2); |
1008 | 1024 | else if TS_Xeq("maxdelay", xmaxdelay); |
1009 | 1025 | else { |
1010 | 1026 | eDest.Say("Config warning: ignoring unknown directive '", var, "'."); |
@@ -1990,6 +2006,8 @@ void XrdHttpProtocol::Reset() { |
1990 | 2006 | ishttps = false; |
1991 | 2007 | ssldone = false; |
1992 | 2008 |
|
| 2009 | + oauth2BearerTokKey.clear(); |
| 2010 | + oauth2BearerTokExp = 0; |
1993 | 2011 | Bridge = 0; |
1994 | 2012 | ssl = 0; |
1995 | 2013 | sbio = 0; |
@@ -3001,6 +3019,29 @@ int XrdHttpProtocol::xtlsclientauth(XrdOucStream &Config) { |
3001 | 3019 | return 1; |
3002 | 3020 | } |
3003 | 3021 |
|
| 3022 | +int XrdHttpProtocol::xoauth2(XrdOucStream &Config) { |
| 3023 | + char *val = Config.GetWord(); |
| 3024 | + if (!val || !val[0]) |
| 3025 | + {eDest.Emsg("Config", "http.oauth2 argument not specified"); return 1;} |
| 3026 | + |
| 3027 | + if (!strcmp(val, "on") || !strcmp(val, "optional")) |
| 3028 | + {oauth2HttpMode = OAuth2HttpMode::Optional; |
| 3029 | + return 0; |
| 3030 | + } |
| 3031 | + if (!strcmp(val, "require")) |
| 3032 | + {oauth2HttpMode = OAuth2HttpMode::Require; |
| 3033 | + return 0; |
| 3034 | + } |
| 3035 | + if (val[0] == '-') |
| 3036 | + {eDest.Emsg("Config", "http.oauth2 inline parameters are not supported;", |
| 3037 | + "configure OAuth2 via sec.protparm oauth2 and sec.protocol oauth2"); |
| 3038 | + return 1; |
| 3039 | + } |
| 3040 | + |
| 3041 | + eDest.Emsg("Config", "invalid http.oauth2 parameter -", val); |
| 3042 | + return 1; |
| 3043 | +} |
| 3044 | + |
3004 | 3045 | int XrdHttpProtocol::xauth(XrdOucStream &Config) { |
3005 | 3046 | char *val = Config.GetWord(); |
3006 | 3047 | if(val) { |
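Review bot: In xoauth2, the value `on` is mapped to `OAuth2HttpMode::Optional`, the same as `optional`, so an administrator who writes `http.oauth2 on` expecting bearer authentication to be mandatory gets the permissive mode, and only `require` selects `OAuth2HttpMode::Require`. Because a keyword that reads as fail-closed is being used for the permissive setting, the branch should say so explicitly, e.g. `// "on" is an alias for "optional": the permissive mode. Only "require" selects OAuth2HttpMode::Require (presumably the enforcing mode — confirm against HandleOAuth2Authentication).`, and the same mapping should be spelled out wherever the directive is documented. Separately, in the Config hunk `XrdHttpProtocol::oauth2ConfigFN = ConfigFN;` stores a `std::string_view` in a static member aliasing the caller-owned `ConfigFN` buffer; that is only safe if that buffer outlives every later read of oauth2ConfigFN (likely true for the daemon's configuration path, but a `std::string` member would remove the lifetime question entirely).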
|