CernVM-FS 2.12.0
#include <authz_fetch.h>
Public Member Functions | |
AuthzExternalFetcher (const std::string &fqrn, const std::string &progname, const std::string &search_path, OptionsManager *options_manager) | |
AuthzExternalFetcher (const std::string &fqrn, int fd_send, int fd_recv) | |
virtual | ~AuthzExternalFetcher () |
virtual AuthzStatus | Fetch (const QueryInfo &query_info, AuthzToken *authz_token, unsigned *ttl) |
Public Member Functions inherited from AuthzFetcher | |
virtual | ~AuthzFetcher () |
Static Public Attributes | |
static const uint32_t | kProtocolVersion = 1 |
Private Member Functions | |
FRIEND_TEST (T_AuthzFetch, ExecHelper) | |
FRIEND_TEST (T_AuthzFetch, ExecHelperSlow) | |
FRIEND_TEST (T_AuthzFetch, ParseMsg) | |
FRIEND_TEST (T_AuthzFetch, Handshake) | |
void | InitLock () |
std::string | FindHelper (const std::string &membership) |
void | ExecHelper () |
bool | Handshake () |
bool | Send (const std::string &msg) |
bool | Recv (std::string *msg) |
void | EnterFailState () |
void | StripAuthzSchema (const std::string &membership, std::string *authz_schema, std::string *pure_membership) |
bool | ParseMsg (const std::string &json_msg, const AuthzExternalMsgIds expected_msgid, AuthzExternalMsg *binary_msg) |
bool | ParseMsgId (JSON *json_authz, AuthzExternalMsg *binary_msg) |
bool | ParseRevision (JSON *json_authz, AuthzExternalMsg *binary_msg) |
bool | ParsePermit (JSON *json_authz, AuthzExternalMsg *binary_msg) |
void | ReapHelper () |
Private Member Functions inherited from SingleCopy | |
SingleCopy () | |
Private Attributes | |
std::string | fqrn_ |
std::string | progname_ |
std::string | search_path_ |
int | fd_send_ |
int | fd_recv_ |
pid_t | pid_ |
bool | fail_state_ |
OptionsManager * | options_manager_ |
pthread_mutex_t | lock_ |
uint64_t | next_start_ |
Static Private Attributes | |
static const unsigned | kChildTimeout = 5 |
static const int | kMinTtl = 0 |
static const unsigned | kDefaultTtl = 120 |
Connects to an external process that fetches the tokens. The external helper is spawned on demand through execve. It has to receive commands on stdin and write replies to stdout. Environment variables of the form CVMFS_AUTHZ_... are forwarded to the helper with the CVMFS_AUTHZ_ prefix stripped.
Definition at line 101 of file authz_fetch.h.
AuthzExternalFetcher::AuthzExternalFetcher | ( | const std::string & | fqrn, |
const std::string & | progname, | ||
const std::string & | search_path, | ||
OptionsManager * | options_manager | ||
) |
AuthzExternalFetcher::AuthzExternalFetcher | ( | const std::string & | fqrn, |
int | fd_send, | ||
int | fd_recv | ||
) |
|
virtual |
|
private |
Definition at line 121 of file authz_fetch.cc.
Referenced by ParseMsg(), ParseMsgId(), ParsePermit(), ParseRevision(), Recv(), and Send().
|
private |
Uses execve to start progname_. The started program has stdin and stdout connected to fd_send_ and fd_recv_ and the CVMFS_... environment variables set. Special care must be taken because fork is called here while the client is in an unknown state. For that reason ManagedExec cannot be used (malloc cannot be used).
A failed execve is not caught by this routine. It will be caught in the next step, when parent and child start talking.
Definition at line 141 of file authz_fetch.cc.
Referenced by Fetch().
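The spawn pattern described above, as an added example that is not CernVM-FS code: everything that allocates (argv, envp) is built before fork, and the child makes only async-signal-safe calls. FilterAuthzEnv and SpawnHelper are hypothetical names, the input is assumed to be "KEY=value" strings, and file descriptors 0 and 1 are assumed to be open in the parent.

```cpp
// Added example, not CernVM-FS code: spawning a helper on two pipes.
#include <sys/types.h>
#include <sys/wait.h>  // waitpid(): the caller must reap the returned pid
#include <unistd.h>
#include <string>
#include <vector>

// Keeps only CVMFS_AUTHZ_... entries ("KEY=value") and strips the prefix.
std::vector<std::string> FilterAuthzEnv(const std::vector<std::string> &vars) {
  const std::string prefix = "CVMFS_AUTHZ_";
  std::vector<std::string> env;
  for (size_t i = 0; i < vars.size(); ++i) {
    if (vars[i].size() > prefix.size() &&
        vars[i].compare(0, prefix.size(), prefix) == 0)
      env.push_back(vars[i].substr(prefix.size()));
  }
  return env;
}

// Starts path with stdin/stdout on pipes. Returns the child pid or -1.
// A failed execve only shows up later, as EOF on *fd_recv.
pid_t SpawnHelper(const std::string &path, const std::vector<std::string> &env,
                  int *fd_send, int *fd_recv) {
  int to_child[2], from_child[2];
  if (pipe(to_child) != 0) return -1;
  if (pipe(from_child) != 0) {
    close(to_child[0]); close(to_child[1]);
    return -1;
  }
  // Build argv and envp before fork: no allocation is allowed in the child.
  char *argv[] = { const_cast<char *>(path.c_str()), NULL };
  std::vector<char *> envp;
  for (size_t i = 0; i < env.size(); ++i)
    envp.push_back(const_cast<char *>(env[i].c_str()));
  envp.push_back(NULL);
  pid_t pid = fork();
  if (pid == 0) {
    // Child: async-signal-safe calls only (dup2, close, execve, _exit).
    if (dup2(to_child[0], 0) < 0 || dup2(from_child[1], 1) < 0) _exit(1);
    close(to_child[0]); close(to_child[1]);
    close(from_child[0]); close(from_child[1]);
    execve(argv[0], argv, &envp[0]);
    _exit(1);
  }
  close(to_child[0]); close(from_child[1]);
  if (pid < 0) { close(to_child[1]); close(from_child[0]); return -1; }
  *fd_send = to_child[1];
  *fd_recv = from_child[0];
  return pid;
}
```

The child in this sketch still inherits the parent's other open descriptors; a hardened caller opens them with O_CLOEXEC or closes them before execve.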
|
virtual |
Based on the given pid, uid, gid and the given membership requirement, gather credentials. Positive and negative replies have a time to live.
Implements AuthzFetcher.
Definition at line 220 of file authz_fetch.cc.
|
private |
Definition at line 279 of file authz_fetch.cc.
Referenced by Fetch().
|
private |
|
private |
|
private |
|
private |
|
private |
Establish communication link with a forked authz helper.
Definition at line 302 of file authz_fetch.cc.
Referenced by Fetch().
|
private |
|
private |
We want to see valid JSON of the form { "cvmfs_authz_v1" : { "msgid": ..., "revision": ..., ... }, ... }
The contents of "cvmfs_authz_v1" depend on the msgid. Additional fields are ignored. The protocol revision should indicate changes in the fields.
Definition at line 372 of file authz_fetch.cc.
Referenced by Fetch(), and Handshake().
|
private |
Definition at line 418 of file authz_fetch.cc.
Referenced by ParseMsg().
|
private |
A permit must contain the authorization status. Optionally it can come with a "time to live" of the answer and a token (e.g. X.509 proxy certificate).
Definition at line 451 of file authz_fetch.cc.
Referenced by ParseMsg().
|
private |
Definition at line 539 of file authz_fetch.cc.
Referenced by ParseMsg().
|
private |
Definition at line 86 of file authz_fetch.cc.
Referenced by EnterFailState(), and ~AuthzExternalFetcher().
|
private |
Definition at line 566 of file authz_fetch.cc.
Referenced by Fetch(), and Handshake().
|
private |
Definition at line 338 of file authz_fetch.cc.
Referenced by Fetch(), Handshake(), and ~AuthzExternalFetcher().
|
private |
Definition at line 607 of file authz_fetch.cc.
Referenced by Fetch(), and FindHelper().
|
private |
If the external helper behaves unexpectedly, enter fail state and stop authenticating.
Definition at line 196 of file authz_fetch.h.
Referenced by EnterFailState(), Fetch(), and ~AuthzExternalFetcher().
|
private |
Receive authz status, ttl, and token from the external helper.
Definition at line 185 of file authz_fetch.h.
Referenced by ExecHelper(), Fetch(), ReapHelper(), and Recv().
|
private |
Send requests to the external helper.
Definition at line 180 of file authz_fetch.h.
Referenced by ExecHelper(), Fetch(), ReapHelper(), Send(), and ~AuthzExternalFetcher().
|
private |
The fully qualified repository name, e.g. atlas.cern.ch
Definition at line 165 of file authz_fetch.h.
Referenced by Handshake().
|
staticprivate |
After 5 seconds of unresponsiveness, helper processes may be killed.
Definition at line 129 of file authz_fetch.h.
Referenced by EnterFailState(), and ReapHelper().
|
staticprivate |
If permits come without TTL, use 2 minutes.
Definition at line 139 of file authz_fetch.h.
Referenced by Fetch(), and ParsePermit().
|
staticprivate |
For now we allow "no caching".
Definition at line 134 of file authz_fetch.h.
Referenced by ParsePermit().
|
static |
The "wire" protocol: 4 byte version, 4 byte length, JSON message. Must be the same for cvmfs and helper.
Definition at line 112 of file authz_fetch.h.
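A framing codec for the wire format described above, as an added example that is not CernVM-FS code. The status enum, the function names and the kMaxMsgSize cap are hypothetical, and host byte order is an assumption (the page does not state one).

```cpp
// Added example, not CernVM-FS code: framing for the authz helper pipe.
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <string>

static const uint32_t kProtocolVersion = 1;   // value given on this page
static const uint32_t kMaxMsgSize = 1 << 20;  // hypothetical cap, not from the page

enum FrameStatus { kFrameOk, kFrameIncomplete, kFrameBadVersion, kFrameTooLarge };

// Builds one frame: 4 byte version, 4 byte length, JSON message.
// Assumption: host byte order, both ends run on the same machine.
std::string EncodeFrame(const std::string &json) {
  if (json.size() > kMaxMsgSize) return std::string();
  uint32_t header[2] = { kProtocolVersion, static_cast<uint32_t>(json.size()) };
  std::string frame(reinterpret_cast<const char *>(header), sizeof(header));
  return frame + json;
}

// Decodes the first frame in buf. On kFrameOk, *json holds the message and
// *consumed the bytes used, so trailing bytes of a next frame are preserved.
FrameStatus DecodeFrame(const std::string &buf, std::string *json,
                        size_t *consumed) {
  uint32_t header[2];
  if (buf.size() < sizeof(header)) return kFrameIncomplete;
  memcpy(header, buf.data(), sizeof(header));
  // Reject a peer speaking another protocol before trusting its length field.
  if (header[0] != kProtocolVersion) return kFrameBadVersion;
  // Bound the allocation a misbehaving helper can request.
  if (header[1] > kMaxMsgSize) return kFrameTooLarge;
  if (buf.size() - sizeof(header) < header[1]) return kFrameIncomplete;
  json->assign(buf, sizeof(header), header[1]);
  *consumed = sizeof(header) + header[1];
  return kFrameOk;
}

int main() {
  // Constructed message; the field values are placeholders.
  std::string msg = "{\"cvmfs_authz_v1\":{\"msgid\":0,\"revision\":0}}";
  std::string out;
  size_t used = 0;
  FrameStatus status = DecodeFrame(EncodeFrame(msg), &out, &used);
  printf("status=%d consumed=%zu json=%s\n", status, used, out.c_str());
  return 0;
}
```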
|
private |
The send-receive cycle is atomic.
Definition at line 206 of file authz_fetch.h.
Referenced by Fetch(), InitLock(), and ~AuthzExternalFetcher().
|
private |
After the helper process fails, this is set to the time when it should be restarted.
Definition at line 212 of file authz_fetch.h.
Referenced by EnterFailState(), and Fetch().
|
private |
Used to gather CVMFS_AUTHZ_ options
Definition at line 201 of file authz_fetch.h.
Referenced by ExecHelper().
|
private |
If a helper was started, the pid must be collected to avoid a zombie.
Definition at line 190 of file authz_fetch.h.
Referenced by ExecHelper(), and ReapHelper().
|
private |
Full path of external helper.
Definition at line 170 of file authz_fetch.h.
Referenced by EnterFailState(), ExecHelper(), Fetch(), ParseMsg(), ParseMsgId(), ParsePermit(), ParseRevision(), ReapHelper(), and Recv().
|
private |
Where to look for authz helpers that are guessed from the membership schema
Definition at line 175 of file authz_fetch.h.
Referenced by FindHelper().