|
46 | 46 | #include "XrdTls/XrdTlsContext.hh" |
47 | 47 | #include "XrdOuc/XrdOucUtils.hh" |
48 | 48 | #include "XrdOuc/XrdOucPrivateUtils.hh" |
| 49 | +#include "XrdSec/XrdSecLoadSecurity.hh" |
49 | 50 | #include "XrdHttpCors/XrdHttpCors.hh" |
50 | 51 |
|
51 | 52 | #include <charconv> |
@@ -119,6 +120,7 @@ XrdScheduler *XrdHttpProtocol::Sched = 0; // System scheduler |
119 | 120 | XrdBuffManager *XrdHttpProtocol::BPool = 0; // Buffer manager |
120 | 121 | XrdSysError XrdHttpProtocol::eDest = 0; // Error message handler |
121 | 122 | XrdSecService *XrdHttpProtocol::CIA = 0; // Authentication Server |
| 123 | +XrdOucEnv *XrdHttpProtocol::configEnv = 0; |
122 | 124 | int XrdHttpProtocol::m_bio_type = 0; // BIO type identifier for our custom BIO. |
123 | 125 | BIO_METHOD *XrdHttpProtocol::m_bio_method = NULL; // BIO method constructor. |
124 | 126 | char *XrdHttpProtocol::xrd_cslist = nullptr; |
@@ -155,6 +157,9 @@ bool xrdctxVer = false; |
155 | 157 |
|
156 | 158 | using namespace XrdHttpProtoInfo; |
157 | 159 |
|
| 160 | +int XrdHttpProtocol::oauth2HttpMode = 0; |
| 161 | +const char *XrdHttpProtocol::oauth2ConfigFN = nullptr; |
| 162 | + |
158 | 163 | /******************************************************************************/ |
159 | 164 | /* P r o t o c o l M a n a g e m e n t S t a c k s */ |
160 | 165 | /******************************************************************************/ |
@@ -806,6 +811,11 @@ int XrdHttpProtocol::Process(XrdLink *lp) // We ignore the argument here |
806 | 811 |
|
807 | 812 |
|
808 | 813 |
|
| 814 | + // Bearer OAuth2 authentication over HTTPS (via sec.protocol oauth2 / CIA). |
| 815 | + if (ishttps && ssldone && oauth2HttpMode && HandleOAuth2Authentication()) { |
| 816 | + return -1; |
| 817 | + } |
| 818 | + |
809 | 819 | // Now we have everything that is needed to try the login |
810 | 820 | // Remember that if there is an exthandler then it has the responsibility |
811 | 821 | // for authorization in the paths that it manages |
@@ -904,6 +914,8 @@ int XrdHttpProtocol::Stats(char *buff, int blen, int do_sync) { |
904 | 914 | eDest.Say("Config http." x " overrides the xrd." y " directive.") |
905 | 915 |
|
906 | 916 | int XrdHttpProtocol::Config(const char *ConfigFN, XrdOucEnv *myEnv) { |
| 917 | + XrdHttpProtocol::oauth2ConfigFN = ConfigFN; |
| 918 | + XrdHttpProtocol::configEnv = myEnv; |
907 | 919 | XrdOucEnv cfgEnv; |
908 | 920 | XrdOucStream Config(&eDest, getenv("XRDINSTANCE"), &cfgEnv, "=====> "); |
909 | 921 | std::vector<extHInfo> extHIVec; |
@@ -1005,6 +1017,7 @@ int XrdHttpProtocol::Config(const char *ConfigFN, XrdOucEnv *myEnv) { |
1005 | 1017 | else if TS_Xeq("tlsreuse", xtlsreuse); |
1006 | 1018 | else if TS_Xeq("auth", xauth); |
1007 | 1019 | else if TS_Xeq("tlsclientauth", xtlsclientauth); |
| 1020 | + else if TS_Xeq("oauth2", xoauth2); |
1008 | 1021 | else if TS_Xeq("maxdelay", xmaxdelay); |
1009 | 1022 | else { |
1010 | 1023 | eDest.Say("Config warning: ignoring unknown directive '", var, "'."); |
@@ -1990,6 +2003,7 @@ void XrdHttpProtocol::Reset() { |
1990 | 2003 | ishttps = false; |
1991 | 2004 | ssldone = false; |
1992 | 2005 |
|
| 2006 | + oauth2BearerTokKey.clear(); |
1993 | 2007 | Bridge = 0; |
1994 | 2008 | ssl = 0; |
1995 | 2009 | sbio = 0; |
@@ -3001,6 +3015,29 @@ int XrdHttpProtocol::xtlsclientauth(XrdOucStream &Config) { |
3001 | 3015 | return 1; |
3002 | 3016 | } |
3003 | 3017 |
|
| 3018 | +int XrdHttpProtocol::xoauth2(XrdOucStream &Config) { |
| 3019 | + char *val = Config.GetWord(); |
| 3020 | + if (!val || !val[0]) |
| 3021 | + {eDest.Emsg("Config", "http.oauth2 argument not specified"); return 1;} |
| 3022 | + |
| 3023 | + if (!strcmp(val, "on") || !strcmp(val, "optional")) |
| 3024 | + {oauth2HttpMode = 1; |
| 3025 | + return 0; |
| 3026 | + } |
| 3027 | + if (!strcmp(val, "require")) |
| 3028 | + {oauth2HttpMode = 2; |
| 3029 | + return 0; |
| 3030 | + } |
| 3031 | + if (val[0] == '-') |
| 3032 | + {eDest.Emsg("Config", "http.oauth2 inline parameters are not supported;", |
| 3033 | + "configure OAuth2 via sec.protparm oauth2 and sec.protocol oauth2"); |
| 3034 | + return 1; |
| 3035 | + } |
| 3036 | + |
| 3037 | + eDest.Emsg("Config", "invalid http.oauth2 parameter -", val); |
| 3038 | + return 1; |
| 3039 | +} |
| 3040 | + |
3004 | 3041 | int XrdHttpProtocol::xauth(XrdOucStream &Config) { |
3005 | 3042 | char *val = Config.GetWord(); |
3006 | 3043 | if(val) { |