CernVM-FS  2.9.0
 All Classes Namespaces Files Functions Variables Typedefs Enumerations Enumerator Friends Macros Pages
AuthzExternalFetcher Class Reference

#include <authz_fetch.h>

Inheritance diagram for AuthzExternalFetcher:
Collaboration diagram for AuthzExternalFetcher:

Public Member Functions

 AuthzExternalFetcher (const std::string &fqrn, const std::string &progname, const std::string &search_path, OptionsManager *options_manager)
 
 AuthzExternalFetcher (const std::string &fqrn, int fd_send, int fd_recv)
 
virtual ~AuthzExternalFetcher ()
 
virtual AuthzStatus Fetch (const QueryInfo &query_info, AuthzToken *authz_token, unsigned *ttl)
 
- Public Member Functions inherited from AuthzFetcher
virtual ~AuthzFetcher ()
 

Static Public Attributes

static const uint32_t kProtocolVersion = 1
 

Private Member Functions

 FRIEND_TEST (T_AuthzFetch, ExecHelper)
 
 FRIEND_TEST (T_AuthzFetch, ExecHelperSlow)
 
 FRIEND_TEST (T_AuthzFetch, ParseMsg)
 
 FRIEND_TEST (T_AuthzFetch, Handshake)
 
void InitLock ()
 
std::string FindHelper (const std::string &membership)
 
void ExecHelper ()
 
bool Handshake ()
 
bool Send (const std::string &msg)
 
bool Recv (std::string *msg)
 
void EnterFailState ()
 
void StripAuthzSchema (const std::string &membership, std::string *authz_schema, std::string *pure_membership)
 
bool ParseMsg (const std::string &json_msg, const AuthzExternalMsgIds expected_msgid, AuthzExternalMsg *binary_msg)
 
bool ParseMsgId (JSON *json_authz, AuthzExternalMsg *binary_msg)
 
bool ParseRevision (JSON *json_authz, AuthzExternalMsg *binary_msg)
 
bool ParsePermit (JSON *json_authz, AuthzExternalMsg *binary_msg)
 
void ReapHelper ()
 
- Private Member Functions inherited from SingleCopy
 SingleCopy ()
 

Private Attributes

std::string fqrn_
 
std::string progname_
 
std::string search_path_
 
int fd_send_
 
int fd_recv_
 
pid_t pid_
 
bool fail_state_
 
OptionsManageroptions_manager_
 
pthread_mutex_t lock_
 
uint64_t next_start_
 

Static Private Attributes

static const unsigned kChildTimeout = 5
 
static const int kMinTtl = 0
 
static const unsigned kDefaultTtl = 120
 

Detailed Description

Connects to an external process that fetches the tokens. The external helper is spawned on demand through execve. It has to receive commands on stdin and write replies to stdout. Environment variables of the form CVMFS_AUTHZ_... are forwarded to the helper having the CVMFS_AUTHZ_ prefix stripped.

Definition at line 101 of file authz_fetch.h.

Constructor & Destructor Documentation

AuthzExternalFetcher::AuthzExternalFetcher ( const std::string &  fqrn,
const std::string &  progname,
const std::string &  search_path,
OptionsManager options_manager 
)
AuthzExternalFetcher::AuthzExternalFetcher ( const std::string &  fqrn,
int  fd_send,
int  fd_recv 
)
AuthzExternalFetcher::~AuthzExternalFetcher ( )
virtual

Definition at line 70 of file authz_fetch.cc.

Here is the call graph for this function:

Member Function Documentation

void AuthzExternalFetcher::EnterFailState ( )
private

Definition at line 120 of file authz_fetch.cc.

Referenced by ParseMsg(), ParseMsgId(), ParsePermit(), ParseRevision(), Recv(), and Send().

Here is the call graph for this function:

Here is the caller graph for this function:

void AuthzExternalFetcher::ExecHelper ( )
private

Uses execve to start progname_. The started program has stdin and stdout connected to fd_send_ and fd_recv_ and the CVMFS_... environment variables set. Special care must be taken when we call fork here in an unknown state of the client. Therefore we can't use ManagedExec (we can't use malloc).

A failed execve is not caught by this routine. It will be caught in the next step, when mother and child start talking.

Definition at line 140 of file authz_fetch.cc.

Referenced by Fetch().

Here is the call graph for this function:

Here is the caller graph for this function:

AuthzStatus AuthzExternalFetcher::Fetch ( const QueryInfo query_info,
AuthzToken authz_token,
unsigned *  ttl 
)
virtual

Based on the given pid, uid, gid and the given membership requirement, gather credentials. Positive and negative replies have a time to live.

Implements AuthzFetcher.

Definition at line 189 of file authz_fetch.cc.

Here is the call graph for this function:

string AuthzExternalFetcher::FindHelper ( const std::string &  membership)
private

Definition at line 248 of file authz_fetch.cc.

Referenced by Fetch().

Here is the call graph for this function:

Here is the caller graph for this function:

AuthzExternalFetcher::FRIEND_TEST ( T_AuthzFetch  ,
ExecHelper   
)
private
AuthzExternalFetcher::FRIEND_TEST ( T_AuthzFetch  ,
ExecHelperSlow   
)
private
AuthzExternalFetcher::FRIEND_TEST ( T_AuthzFetch  ,
ParseMsg   
)
private
AuthzExternalFetcher::FRIEND_TEST ( T_AuthzFetch  ,
Handshake   
)
private
bool AuthzExternalFetcher::Handshake ( )
private

Establish communication link with a forked authz helper.

Definition at line 271 of file authz_fetch.cc.

Referenced by Fetch().

Here is the call graph for this function:

Here is the caller graph for this function:

void AuthzExternalFetcher::InitLock ( )
private

Definition at line 301 of file authz_fetch.cc.

Here is the call graph for this function:

bool AuthzExternalFetcher::ParseMsg ( const std::string &  json_msg,
const AuthzExternalMsgIds  expected_msgid,
AuthzExternalMsg binary_msg 
)
private

We want to see valid JSON in the form { "cvmfs_authz_v1" : { "msgid": "revision": ... } ... }

The contents of "cvmfs_authz_v1" depends on the msgid. Additional fields are ignored. The protocol revision should indicate changes in the fields.

Definition at line 341 of file authz_fetch.cc.

Referenced by Fetch(), and Handshake().

Here is the call graph for this function:

Here is the caller graph for this function:

bool AuthzExternalFetcher::ParseMsgId ( JSON json_authz,
AuthzExternalMsg binary_msg 
)
private

Definition at line 387 of file authz_fetch.cc.

Referenced by ParseMsg().

Here is the call graph for this function:

Here is the caller graph for this function:

bool AuthzExternalFetcher::ParsePermit ( JSON json_authz,
AuthzExternalMsg binary_msg 
)
private

A permit must contain the authorization status. Optionally it can come with a "time to live" of the answer and a token (e.g. X.509 proxy certificate).

Definition at line 420 of file authz_fetch.cc.

Referenced by ParseMsg().

Here is the call graph for this function:

Here is the caller graph for this function:

bool AuthzExternalFetcher::ParseRevision ( JSON json_authz,
AuthzExternalMsg binary_msg 
)
private

Definition at line 508 of file authz_fetch.cc.

Referenced by ParseMsg().

Here is the call graph for this function:

Here is the caller graph for this function:

void AuthzExternalFetcher::ReapHelper ( )
private

Definition at line 85 of file authz_fetch.cc.

Referenced by EnterFailState(), and ~AuthzExternalFetcher().

Here is the call graph for this function:

Here is the caller graph for this function:

bool AuthzExternalFetcher::Recv ( std::string *  msg)
private

Definition at line 535 of file authz_fetch.cc.

Referenced by Fetch(), and Handshake().

Here is the call graph for this function:

Here is the caller graph for this function:

bool AuthzExternalFetcher::Send ( const std::string &  msg)
private

Definition at line 307 of file authz_fetch.cc.

Referenced by Fetch(), Handshake(), and ~AuthzExternalFetcher().

Here is the call graph for this function:

Here is the caller graph for this function:

void AuthzExternalFetcher::StripAuthzSchema ( const std::string &  membership,
std::string *  authz_schema,
std::string *  pure_membership 
)
private

Definition at line 576 of file authz_fetch.cc.

Referenced by Fetch(), and FindHelper().

Here is the call graph for this function:

Here is the caller graph for this function:

Member Data Documentation

bool AuthzExternalFetcher::fail_state_
private

If the external helper behaves unexectely, enter fail state and stop authenticating

Definition at line 196 of file authz_fetch.h.

Referenced by EnterFailState(), Fetch(), and ~AuthzExternalFetcher().

int AuthzExternalFetcher::fd_recv_
private

Receive authz status, ttl, and token from the external helper.

Definition at line 185 of file authz_fetch.h.

Referenced by ExecHelper(), Fetch(), ReapHelper(), and Recv().

int AuthzExternalFetcher::fd_send_
private

Send requests to the external helper.

Definition at line 180 of file authz_fetch.h.

Referenced by ExecHelper(), Fetch(), ReapHelper(), Send(), and ~AuthzExternalFetcher().

std::string AuthzExternalFetcher::fqrn_
private

The fully qualified repository name, e.g. atlas.cern.ch

Definition at line 165 of file authz_fetch.h.

Referenced by Handshake().

const unsigned AuthzExternalFetcher::kChildTimeout = 5
staticprivate

After 5 seconds of unresponsiveness, helper prcesses may be killed.

Definition at line 129 of file authz_fetch.h.

Referenced by EnterFailState(), and ReapHelper().

const unsigned AuthzExternalFetcher::kDefaultTtl = 120
staticprivate

If permits come without TTL, use 2 minutes.

Definition at line 139 of file authz_fetch.h.

Referenced by Fetch(), and ParsePermit().

const int AuthzExternalFetcher::kMinTtl = 0
staticprivate

For now we allow "no caching".

Definition at line 134 of file authz_fetch.h.

Referenced by ParsePermit().

const uint32_t AuthzExternalFetcher::kProtocolVersion = 1
static

The "wire" protocol: 4 byte version, 4 byte length, JSON message. Must be the same for cvmfs and helper.

Definition at line 112 of file authz_fetch.h.

Referenced by Recv(), and Send().

pthread_mutex_t AuthzExternalFetcher::lock_
private

The send-receive cycle is atomic.

Definition at line 206 of file authz_fetch.h.

Referenced by Fetch(), InitLock(), and ~AuthzExternalFetcher().

uint64_t AuthzExternalFetcher::next_start_
private

After the helper process fails, this is set to the time when it should be restarted.

Definition at line 212 of file authz_fetch.h.

Referenced by EnterFailState(), and Fetch().

OptionsManager* AuthzExternalFetcher::options_manager_
private

Used to gather CVMFS_AUTHZ_ options

Definition at line 201 of file authz_fetch.h.

Referenced by ExecHelper().

pid_t AuthzExternalFetcher::pid_
private

If a helper was started, the pid must be collected to avoid a zombie.

Definition at line 190 of file authz_fetch.h.

Referenced by ExecHelper(), and ReapHelper().

std::string AuthzExternalFetcher::progname_
private

Full path of external helper.

Definition at line 170 of file authz_fetch.h.

Referenced by EnterFailState(), ExecHelper(), Fetch(), ParseMsg(), ParseMsgId(), ParsePermit(), ParseRevision(), ReapHelper(), and Recv().

std::string AuthzExternalFetcher::search_path_
private

Where to look for authz helpers that are guessed from the membership schema

Definition at line 175 of file authz_fetch.h.

Referenced by FindHelper().


The documentation for this class was generated from the following files: