TAuthenticate.h

Go to the documentation of this file.

// @(#)root/auth:$Id$
// Author: Fons Rademakers   26/11/2000
 
/*************************************************************************
 * Copyright (C) 1995-2000, Rene Brun and Fons Rademakers.               *
 * All rights reserved.                                                  *
 *                                                                       *
 * For the licensing terms see $ROOTSYS/LICENSE.                         *
 * For the list of contributors see $ROOTSYS/README/CREDITS.             *
 *************************************************************************/
 
#ifndef ROOT_TAuthenticate
#define ROOT_TAuthenticate
 
 
//////////////////////////////////////////////////////////////////////////
//                                                                      //
// TAuthenticate                                                        //
//                                                                      //
// An authentication module for ROOT based network services, like rootd //
// and proofd.                                                          //
//                                                                      //
//////////////////////////////////////////////////////////////////////////
 
#include "TObject.h"
#include "TString.h"
#include "TList.h"
#include "TDatime.h"
#ifndef ROOT_rsafun
//#include "rsafun.h"
#endif
#include "AuthConst.h"
 
class TAuthenticate;
class THostAuth;
class TPluginHandler;
class TSocket;
class TRootSecContext;
class TVirtualMutex;
 
typedef Int_t (*CheckSecCtx_t)(const char *subj, TRootSecContext *ctx);
typedef Int_t (*GlobusAuth_t)(TAuthenticate *auth, TString &user, TString &det);
typedef Int_t (*Krb5Auth_t)(TAuthenticate *auth, TString &user, TString &det, Int_t version);
typedef Int_t (*SecureAuth_t)(TAuthenticate *auth, const char *user, const char *passwd,
                              const char *remote, TString &det, Int_t version);
 
R__EXTERN TVirtualMutex *gAuthenticateMutex;
 
struct R__rsa_KEY; // opaque replacement for rsa_KEY
struct R__rsa_KEY_export; // opaque replacement for rsa_KEY_export
struct R__rsa_NUMBER; // opaque replacement for rsa_NUMBER
 
class TAuthenticate : public TObject {
 
friend class TRootAuth;
friend class TRootSecContext;
friend class TSocket;
 
public:
   enum ESecurity { kClear, kUnsupported, kKrb5, kGlobus, kSSH, kRfio }; // type of authentication
 
private:
   TString      fDetails;     // logon details (method dependent ...)
   THostAuth   *fHostAuth;    // pointer to relevant authentication info
   TString      fPasswd;      // user's password
   TString      fProtocol;    // remote service (rootd, proofd)
   Bool_t       fPwHash;      // kTRUE if fPasswd is a passwd hash
   TString      fRemote;      // remote host to which we want to connect
   Int_t        fRSAKey;      // Type of RSA key used
   TRootSecContext *fSecContext;  // pointer to relevant sec context
   ESecurity    fSecurity;    // actual logon security level
   TSocket     *fSocket;      // connection to remote daemon
   Int_t        fVersion;     // 0,1,2, ... accordingly to remote daemon version
   TString      fUser;        // user to be authenticated
   Int_t        fTimeOut;     // timeout flag
 
   Int_t        GenRSAKeys();
   Bool_t       GetPwHash() const { return fPwHash; }
   Int_t        GetRSAKey() const { return fRSAKey; }
   ESecurity    GetSecurity() const { return fSecurity; }
   Bool_t       GetSRPPwd() const { return false; }
   const char  *GetSshUser(TString user) const;
   Int_t        GetVersion() const { return fVersion; }
   Int_t        ClearAuth(TString &user, TString &passwd, Bool_t &pwhash);
   Bool_t       GetUserPasswd(TString &user, TString &passwd,
                              Bool_t &pwhash, Bool_t srppwd);
   char        *GetRandString(Int_t Opt,Int_t Len);
   Int_t        ProofAuthSetup();
   Int_t        RfioAuth(TString &user);
   void         SetEnvironment();
   Int_t        SshAuth(TString &user);
   Int_t        SshError(const char *errfile);
 
   static TList          *fgAuthInfo;
   static TString         fgAuthMeth[kMAXSEC];
   static Bool_t          fgAuthReUse;      // kTRUE is ReUse required
   static TString         fgDefaultUser;    // Default user information
   static TDatime         fgExpDate;        // Expiring date for new security contexts
   static GlobusAuth_t    fgGlobusAuthHook;
   static Krb5Auth_t      fgKrb5AuthHook;
   static TString         fgKrb5Principal;  // Principal for Krb5 ticket
   static TDatime         fgLastAuthrc;     // Time of last reading of fgRootAuthrc
   static TString         fgPasswd;
   static TPluginHandler *fgPasswdDialog;   // Passwd dialog GUI plugin
   static Bool_t          fgPromptUser;     // kTRUE if user prompt required
   static TList          *fgProofAuthInfo;  // Specific lists of THostAuth fro proof
   static Bool_t          fgPwHash;         // kTRUE if fgPasswd is a passwd hash
   static Bool_t          fgReadHomeAuthrc; // kTRUE to look for $HOME/.rootauthrc
   static TString         fgRootAuthrc;     // Path to last rootauthrc-like file read
   static Int_t           fgRSAKey;         // Default type of RSA key to be tried
   static Int_t           fgRSAInit;
   static R__rsa_KEY         fgRSAPriKey;
   static R__rsa_KEY         fgRSAPubKey;
   static R__rsa_KEY_export* fgRSAPubExport; // array of size [2]
   static SecureAuth_t    fgSecAuthHook;
   static TString         fgUser;
   static Bool_t          fgUsrPwdCrypt;    // kTRUE if encryption for UsrPwd is required
   static Int_t           fgLastError;      // Last error code processed by AuthError()
   static Int_t           fgAuthTO;         // if > 0, timeout in sec
   static Int_t           fgProcessID;      // ID of the main thread as unique identifier
 
   static Bool_t          CheckHost(const char *Host, const char *host);
 
   static void            FileExpand(const char *fin, FILE *ftmp);
   static Int_t           ProofAuthSetup(TSocket *sock, Bool_t client);
   static void            RemoveSecContext(TRootSecContext *ctx);
 
public:
   TAuthenticate(TSocket *sock, const char *remote, const char *proto,
                 const char *user = "");
   virtual ~TAuthenticate() {}
 
   Bool_t             Authenticate();
   Int_t              AuthExists(TString User, Int_t method, const char *Options,
                          Int_t *Message, Int_t *Rflag, CheckSecCtx_t funcheck);
   void               CatchTimeOut();
   Bool_t             CheckNetrc(TString &user, TString &passwd);
   Bool_t             CheckNetrc(TString &user, TString &passwd,
                                 Bool_t &pwhash, Bool_t srppwd);
   THostAuth         *GetHostAuth() const { return fHostAuth; }
   const char        *GetProtocol() const { return fProtocol; }
   const char        *GetRemoteHost() const { return fRemote; }
   Int_t              GetRSAKeyType() const { return fRSAKey; }
   TRootSecContext       *GetSecContext() const { return fSecContext; }
   TSocket           *GetSocket() const { return fSocket; }
   const char        *GetUser() const { return fUser; }
   Int_t              HasTimedOut() const { return fTimeOut; }
   void               SetRSAKeyType(Int_t key) { fRSAKey = key; }
   void               SetSecContext(TRootSecContext *ctx) { fSecContext = ctx; }
 
   static void        AuthError(const char *where, Int_t error);
   static Bool_t      CheckProofAuth(Int_t cSec, TString &det);
 
   static Int_t       DecodeRSAPublic(const char *rsapubexport, R__rsa_NUMBER &n,
                                      R__rsa_NUMBER &d, char **rsassl = nullptr);
 
   static TList      *GetAuthInfo();
   static const char *GetAuthMethod(Int_t idx);
   static Int_t       GetAuthMethodIdx(const char *meth);
   static Bool_t      GetAuthReUse();
   static Int_t       GetClientProtocol();
   static char       *GetDefaultDetails(Int_t method, Int_t opt, const char *user);
   static const char *GetDefaultUser();
   static TDatime     GetGlobalExpDate();
   static Bool_t      GetGlobalPwHash();
   static Bool_t      GetGlobalSRPPwd();
   static const char *GetGlobalUser();
   static GlobusAuth_t GetGlobusAuthHook();
   static THostAuth  *GetHostAuth(const char *host, const char *user="",
                                  Option_t *opt = "R", Int_t *Exact = nullptr);
   static const char *GetKrb5Principal();
   static Bool_t      GetPromptUser();
   static TList      *GetProofAuthInfo();
   static Int_t       GetRSAInit();
   static const char *GetRSAPubExport(Int_t key = 0);
   static THostAuth  *HasHostAuth(const char *host, const char *user,
                                  Option_t *opt = "R");
   static void        InitRandom();
   static void        MergeHostAuthList(TList *Std, TList *New, Option_t *Opt = "");
   static char       *PromptPasswd(const char *prompt = "Password: ");
   static char       *PromptUser(const char *remote);
   static Int_t       ReadRootAuthrc();
   static void        RemoveHostAuth(THostAuth *ha, Option_t *opt = "");
   static Int_t       SecureRecv(TSocket *Socket, Int_t dec,
                                 Int_t KeyType, char **Out);
   static Int_t       SecureSend(TSocket *Socket, Int_t enc,
                                 Int_t KeyType, const char *In);
   static Int_t       SendRSAPublicKey(TSocket *Socket, Int_t key = 0);
   static void        SetAuthReUse(Bool_t authreuse);
   static void        SetDefaultUser(const char *defaultuser);
   static void        SetGlobalExpDate(TDatime expdate);
   static void        SetGlobalPasswd(const char *passwd);
   static void        SetGlobalPwHash(Bool_t pwhash);
   static void        SetGlobalSRPPwd(Bool_t srppwd);
   static void        SetGlobalUser(const char *user);
   static void        SetGlobusAuthHook(GlobusAuth_t func);
   static void        SetKrb5AuthHook(Krb5Auth_t func);
   static void        SetPromptUser(Bool_t promptuser);
   static void        SetDefaultRSAKeyType(Int_t key);
   static void        SetReadHomeAuthrc(Bool_t readhomeauthrc); // for PROOF
   static void        SetRSAInit(Int_t init = 1);
   static Int_t       SetRSAPublic(const char *rsapubexport, Int_t klen);
   static void        SetSecureAuthHook(SecureAuth_t func);
   static void        SetTimeOut(Int_t to);
   static void        Show(Option_t *opt="S");
 
   ClassDefOverride(TAuthenticate,0)  // Class providing remote authentication service
};
 
#endif