ROOT_528-00b_version: include/TAuthenticate.h Source File

00001 // @(#)root/auth:$Id: TAuthenticate.h 28642 2009-05-15 15:20:48Z rdm $
00002 // Author: Fons Rademakers   26/11/2000
00003 
00004 /*************************************************************************
00005  * Copyright (C) 1995-2000, Rene Brun and Fons Rademakers.               *
00006  * All rights reserved.                                                  *
00007  *                                                                       *
00008  * For the licensing terms see $ROOTSYS/LICENSE.                         *
00009  * For the list of contributors see $ROOTSYS/README/CREDITS.             *
00010  *************************************************************************/
00011 
00012 #ifndef ROOT_TAuthenticate
00013 #define ROOT_TAuthenticate
00014 
00015 
00016 //////////////////////////////////////////////////////////////////////////
00017 //                                                                      //
00018 // TAuthenticate                                                        //
00019 //                                                                      //
00020 // An authentication module for ROOT based network services, like rootd //
00021 // and proofd.                                                          //
00022 //                                                                      //
00023 //////////////////////////////////////////////////////////////////////////
00024 
00025 #ifndef ROOT_TObject
00026 #include "TObject.h"
00027 #endif
00028 #ifndef ROOT_TString
00029 #include "TString.h"
00030 #endif
00031 #ifndef ROOT_TList
00032 #include "TList.h"
00033 #endif
00034 #ifndef ROOT_TDatime
00035 #include "TDatime.h"
00036 #endif
00037 #ifndef ROOT_rsafun
00038 #include "rsafun.h"
00039 #endif
00040 #ifndef ROOT_AuthConst
00041 #include "AuthConst.h"
00042 #endif
00043 #ifdef R__SSL
00044 // SSL specific headers for blowfish encryption
00045 #include <openssl/blowfish.h>
00046 #endif
00047 
00048 class TAuthenticate;
00049 class THostAuth;
00050 class TPluginHandler;
00051 class TSocket;
00052 class TRootSecContext;
00053 class TVirtualMutex;
00054 
00055 typedef Int_t (*CheckSecCtx_t)(const char *subj, TRootSecContext *ctx);
00056 typedef Int_t (*GlobusAuth_t)(TAuthenticate *auth, TString &user, TString &det);
00057 typedef Int_t (*Krb5Auth_t)(TAuthenticate *auth, TString &user, TString &det, Int_t version);
00058 typedef Int_t (*SecureAuth_t)(TAuthenticate *auth, const char *user, const char *passwd,
00059                               const char *remote, TString &det, Int_t version);
00060 
00061 R__EXTERN TVirtualMutex *gAuthenticateMutex;
00062 
00063 class TAuthenticate : public TObject {
00064 
00065 friend class TRootAuth;
00066 friend class TRootSecContext;
00067 friend class TSocket;
00068 
00069 public:
00070    enum ESecurity { kClear, kSRP, kKrb5, kGlobus, kSSH, kRfio }; // type of authentication
00071 
00072 private:
00073    TString      fDetails;     // logon details (method dependent ...)
00074    THostAuth   *fHostAuth;    // pointer to relevant authentication info
00075    TString      fPasswd;      // user's password
00076    TString      fProtocol;    // remote service (rootd, proofd)
00077    Bool_t       fPwHash;      // kTRUE if fPasswd is a passwd hash
00078    TString      fRemote;      // remote host to which we want to connect
00079    Int_t        fRSAKey;      // Type of RSA key used
00080    TRootSecContext *fSecContext;  // pointer to relevant sec context
00081    ESecurity    fSecurity;    // actual logon security level
00082    TSocket     *fSocket;      // connection to remote daemon
00083    Bool_t       fSRPPwd;      // kTRUE if fPasswd is a SRP passwd
00084    Int_t        fVersion;     // 0,1,2, ... accordingly to remote daemon version
00085    TString      fUser;        // user to be authenticated
00086    Int_t        fTimeOut;     // timeout flag
00087 
00088    Int_t        GenRSAKeys();
00089    Bool_t       GetPwHash() const { return fPwHash; }
00090    Int_t        GetRSAKey() const { return fRSAKey; }
00091    ESecurity    GetSecurity() const { return fSecurity; }
00092    Bool_t       GetSRPPwd() const { return fSRPPwd; }
00093    const char  *GetSshUser(TString user) const;
00094    Int_t        GetVersion() const { return fVersion; }
00095    Int_t        ClearAuth(TString &user, TString &passwd, Bool_t &pwhash);
00096    Bool_t       GetUserPasswd(TString &user, TString &passwd,
00097                               Bool_t &pwhash, Bool_t srppwd);
00098    char        *GetRandString(Int_t Opt,Int_t Len);
00099    Int_t        ProofAuthSetup();
00100    Int_t        RfioAuth(TString &user);
00101    void         SetEnvironment();
00102    Int_t        SshAuth(TString &user);
00103    Int_t        SshError(const char *errfile);
00104 
00105    static TList          *fgAuthInfo;
00106    static TString         fgAuthMeth[kMAXSEC];
00107    static Bool_t          fgAuthReUse;      // kTRUE is ReUse required
00108    static TString         fgDefaultUser;    // Default user information
00109    static TDatime         fgExpDate;        // Expiring date for new security contexts
00110    static GlobusAuth_t    fgGlobusAuthHook;
00111    static Krb5Auth_t      fgKrb5AuthHook;
00112    static TString         fgKrb5Principal;  // Principal for Krb5 ticket
00113    static TDatime         fgLastAuthrc;     // Time of last reading of fgRootAuthrc
00114    static TString         fgPasswd;
00115    static TPluginHandler *fgPasswdDialog;   // Passwd dialog GUI plugin
00116    static Bool_t          fgPromptUser;     // kTRUE if user prompt required
00117    static TList          *fgProofAuthInfo;  // Specific lists of THostAuth fro proof
00118    static Bool_t          fgPwHash;         // kTRUE if fgPasswd is a passwd hash
00119    static Bool_t          fgReadHomeAuthrc; // kTRUE to look for $HOME/.rootauthrc
00120    static TString         fgRootAuthrc;     // Path to last rootauthrc-like file read
00121    static Int_t           fgRSAKey;         // Default type of RSA key to be tried
00122    static Int_t           fgRSAInit;
00123    static rsa_KEY         fgRSAPriKey;
00124    static rsa_KEY         fgRSAPubKey;
00125    static rsa_KEY_export  fgRSAPubExport[2];
00126 #ifdef R__SSL
00127    static BF_KEY          fgBFKey;          // Blowfish symmetric key
00128 #endif
00129    static SecureAuth_t    fgSecAuthHook;
00130    static Bool_t          fgSRPPwd;         // kTRUE if fgPasswd is a SRP passwd
00131    static TString         fgUser;
00132    static Bool_t          fgUsrPwdCrypt;    // kTRUE if encryption for UsrPwd is required
00133    static Int_t           fgLastError;      // Last error code processed by AuthError()
00134    static Int_t           fgAuthTO;         // if > 0, timeout in sec
00135    static Int_t           fgProcessID;      // ID of the main thread as unique identifier
00136 
00137    static Bool_t          CheckHost(const char *Host, const char *host);
00138 
00139    static void            FileExpand(const char *fin, FILE *ftmp);
00140    static Int_t           ProofAuthSetup(TSocket *sock, Bool_t client);
00141    static void            RemoveSecContext(TRootSecContext *ctx);
00142 
00143 public:
00144    TAuthenticate(TSocket *sock, const char *remote, const char *proto,
00145                  const char *user = "");
00146    virtual ~TAuthenticate() { }
00147 
00148    Bool_t             Authenticate();
00149    Int_t              AuthExists(TString User, Int_t method, const char *Options,
00150                           Int_t *Message, Int_t *Rflag, CheckSecCtx_t funcheck);
00151    void               CatchTimeOut();
00152    Bool_t             CheckNetrc(TString &user, TString &passwd);
00153    Bool_t             CheckNetrc(TString &user, TString &passwd,
00154                                  Bool_t &pwhash, Bool_t srppwd);
00155    THostAuth         *GetHostAuth() const { return fHostAuth; }
00156    const char        *GetProtocol() const { return fProtocol; }
00157    const char        *GetRemoteHost() const { return fRemote; }
00158    Int_t              GetRSAKeyType() const { return fRSAKey; }
00159    TRootSecContext       *GetSecContext() const { return fSecContext; }
00160    TSocket           *GetSocket() const { return fSocket; }
00161    const char        *GetUser() const { return fUser; }
00162    Int_t              HasTimedOut() const { return fTimeOut; }
00163    void               SetRSAKeyType(Int_t key) { fRSAKey = key; }
00164    void               SetSecContext(TRootSecContext *ctx) { fSecContext = ctx; }
00165 
00166    static void        AuthError(const char *where, Int_t error);
00167    static Bool_t      CheckProofAuth(Int_t cSec, TString &det);
00168 
00169    static Int_t       DecodeRSAPublic(const char *rsapubexport, rsa_NUMBER &n,
00170                                       rsa_NUMBER &d, char **rsassl = 0);
00171 
00172    static TList      *GetAuthInfo();
00173    static const char *GetAuthMethod(Int_t idx);
00174    static Int_t       GetAuthMethodIdx(const char *meth);
00175    static Bool_t      GetAuthReUse();
00176    static Int_t       GetClientProtocol();
00177    static char       *GetDefaultDetails(Int_t method, Int_t opt, const char *user);
00178    static const char *GetDefaultUser();
00179    static TDatime     GetGlobalExpDate();
00180    static Bool_t      GetGlobalPwHash();
00181    static Bool_t      GetGlobalSRPPwd();
00182    static const char *GetGlobalUser();
00183    static GlobusAuth_t GetGlobusAuthHook();
00184    static THostAuth  *GetHostAuth(const char *host, const char *user="",
00185                                   Option_t *opt = "R", Int_t *Exact = 0);
00186    static const char *GetKrb5Principal();
00187    static Bool_t      GetPromptUser();
00188    static TList      *GetProofAuthInfo();
00189    static Int_t       GetRSAInit();
00190    static const char *GetRSAPubExport(Int_t key = 0);
00191    static THostAuth  *HasHostAuth(const char *host, const char *user,
00192                                   Option_t *opt = "R");
00193    static void        InitRandom();
00194    static void        MergeHostAuthList(TList *Std, TList *New, Option_t *Opt = "");
00195    static char       *PromptPasswd(const char *prompt = "Password: ");
00196    static char       *PromptUser(const char *remote);
00197    static Int_t       ReadRootAuthrc();
00198    static void        RemoveHostAuth(THostAuth *ha, Option_t *opt = "");
00199    static Int_t       SecureRecv(TSocket *Socket, Int_t dec,
00200                                  Int_t KeyType, char **Out);
00201    static Int_t       SecureSend(TSocket *Socket, Int_t enc,
00202                                  Int_t KeyType, const char *In);
00203    static Int_t       SendRSAPublicKey(TSocket *Socket, Int_t key = 0);
00204    static void        SetAuthReUse(Bool_t authreuse);
00205    static void        SetDefaultUser(const char *defaultuser);
00206    static void        SetGlobalExpDate(TDatime expdate);
00207    static void        SetGlobalPasswd(const char *passwd);
00208    static void        SetGlobalPwHash(Bool_t pwhash);
00209    static void        SetGlobalSRPPwd(Bool_t srppwd);
00210    static void        SetGlobalUser(const char *user);
00211    static void        SetGlobusAuthHook(GlobusAuth_t func);
00212    static void        SetKrb5AuthHook(Krb5Auth_t func);
00213    static void        SetPromptUser(Bool_t promptuser);
00214    static void        SetDefaultRSAKeyType(Int_t key);
00215    static void        SetReadHomeAuthrc(Bool_t readhomeauthrc); // for PROOF
00216    static void        SetRSAInit(Int_t init = 1);
00217    static Int_t       SetRSAPublic(const char *rsapubexport, Int_t klen);
00218    static void        SetSecureAuthHook(SecureAuth_t func);
00219    static void        SetTimeOut(Int_t to);
00220    static void        Show(Option_t *opt="S");
00221 
00222    ClassDef(TAuthenticate,0)  // Class providing remote authentication service
00223 };
00224 
00225 #endif