24 #include "XrdVersion.hh"
48 #include <openssl/err.h>
49 #include <openssl/ssl.h>
51 #include <arpa/inet.h>
58 #define XRHTTP_TK_GRACETIME 600
99 BIO *XrdHttpProtocol::sslbio_err = 0;
101 bool XrdHttpProtocol::isRequiredXtractor =
false;
103 int XrdHttpProtocol::exthandlercnt = 0;
106 bool XrdHttpProtocol::usingEC = false;
107 bool XrdHttpProtocol::hasCache= false;
128 const char *TraceID =
"Protocol";
155 "xrootd protocol anchor");
161 #if OPENSSL_VERSION_NUMBER < 0x10100000L
168 #if OPENSSL_VERSION_NUMBER < 0x1000105fL
183 bio->shutdown = shut;
186 return bio->shutdown;
198 :
XrdProtocol(
"HTTP protocol handler"), ProtLink(this),
199 SecEntity(
""), CurrentReq(this, ReadRangeConfig) {
224 char mybuf[16], mybuf2[1024];
227 bool myishttps =
false;
231 if ((dlen = lp->
Peek(mybuf, (
int) sizeof (mybuf),
hailWait)) < (
int)
sizeof (mybuf)) {
232 if (dlen <= 0) lp->
setEtext(
"handshake not received");
235 mybuf[dlen - 1] =
'\0';
243 for (
int i = 0; i < dlen; i++) {
245 sprintf(mybuf3,
"%.02d ", mybuf[i]);
246 strcat(mybuf2, mybuf3);
253 for (
int i = 0; i < dlen - 1; i++)
254 if (!isprint(mybuf[i]) && (mybuf[i] !=
'\r') && (mybuf[i] !=
'\n')) {
256 TRACEI(
DEBUG,
"This does not look like http at pos " << i);
261 if ((!ismine) && (dlen >= 4)) {
262 char check[4] = {00, 00, 00, 00};
263 if (memcmp(mybuf, check, 4)) {
270 TRACEI(ALL,
"This may look like https, but https is not configured");
277 TRACEI(
DEBUG,
"This does not look like https. Protocol not matched.");
285 TRACEI(REQ,
"Protocol matched. https: " << myishttps);
288 hp->ishttps = myishttps;
303 hp->myBuffStart = hp->myBuffEnd = hp->myBuff->
buff;
311 char *XrdHttpProtocol::GetClientIPStr() {
314 if (!
Link)
return strdup(
"unknown");
316 if (!ai)
return strdup(
"unknown");
324 #if OPENSSL_VERSION_NUMBER < 0x1000105fL
335 int ret = lp->
Send(data, datal);
336 BIO_clear_retry_flags(bio);
339 if ((errno == EINTR) || (errno == EINPROGRESS) || (errno == EAGAIN) || (errno == EWOULDBLOCK))
340 BIO_set_retry_write(bio);
356 int ret = lp->
Send(data, datal);
357 BIO_clear_retry_flags(bio);
359 if ((errno == EINTR) || (errno == EINPROGRESS) || (errno == EAGAIN) || (errno == EWOULDBLOCK))
360 BIO_set_retry_write(bio);
367 #if OPENSSL_VERSION_NUMBER < 0x1000105fL
378 int ret = lp->
Recv(data, datal);
379 BIO_clear_retry_flags(bio);
382 if ((errno == EINTR) || (errno == EINPROGRESS) || (errno == EAGAIN) || (errno == EWOULDBLOCK))
383 BIO_set_retry_read(bio);
398 int ret = lp->
Recv(data, datal);
399 BIO_clear_retry_flags(bio);
401 if ((errno == EINTR) || (errno == EINPROGRESS) || (errno == EAGAIN) || (errno == EWOULDBLOCK))
402 BIO_set_retry_read(bio);
418 #if OPENSSL_VERSION_NUMBER < 0x10100000L
430 if (bio == NULL)
return 0;
446 case BIO_CTRL_GET_CLOSE:
449 case BIO_CTRL_SET_CLOSE:
464 BIO *XrdHttpProtocol::CreateBIO(
XrdLink *lp)
483 #define TRACELINK Link
491 if (!myBuff || !myBuff->
buff || !myBuff->
bsize) {
492 TRACE(ALL,
" Process. No buffer available. Internal error.");
498 char *nfo = GetClientIPStr();
500 TRACEI(REQ,
" Setting host: " << nfo);
509 if (ishttps && !ssldone) {
512 sbio = CreateBIO(
Link);
513 BIO_set_nbio(sbio, 1);
515 TRACE(ALL,
"Failed to configure the TLS client authentication; invalid configuration");
523 ERR_print_errors(sslbio_err);
532 SSL_set_bio(ssl, sbio, sbio);
539 setsockopt(
Link->
FDnum(), SOL_SOCKET, SO_RCVTIMEO, (
struct timeval *)&tv,
sizeof(
struct timeval));
540 setsockopt(
Link->
FDnum(), SOL_SOCKET, SO_SNDTIMEO, (
struct timeval *)&tv,
sizeof(
struct timeval));
543 int res = SSL_accept(ssl);
545 if ((res == -1) && (SSL_get_error(ssl, res) == SSL_ERROR_WANT_READ)) {
546 TRACEI(
DEBUG,
" SSL_accept wants to read more bytes... err:" << SSL_get_error(ssl, res));
551 ERR_print_errors(sslbio_err);
560 BIO_set_nbio(sbio, 0);
565 if (
tlsClientAuth == XrdTlsContext::ClientAuthSetting::kOn && HandleAuthentication(
Link)) {
586 if ((rc = getDataOneShot(BuffAvailable())) < 0) {
592 if (BuffUsed() < ResumeBytes)
return 1;
600 if (mon_info.size() >= 1024) {
601 TRACEI(ALL,
"User agent string too long");
603 TRACEI(ALL,
"Internal logic error: Bridge is null after login");
612 SendSimpleResp(500,
nullptr,
nullptr,
"Could not set user agent.", 0,
false);
627 while ((rc = BuffgetLine(tmpline)) > 0) {
628 std::string traceLine = tmpline.
c_str();
632 TRACE(
DEBUG,
" rc:" << rc <<
" got hdr line: " << traceLine);
633 if ((rc == 2) && (tmpline.
length() > 1) && (tmpline[rc - 1] ==
'\n')) {
635 TRACE(
DEBUG,
" rc:" << rc <<
" detected header end.");
641 TRACE(
DEBUG,
" Parsing first line: " << traceLine.c_str());
644 TRACE(
DEBUG,
" Parsing of first line failed with " << result);
650 TRACE(
DEBUG,
" Parsing of header line failed with " << result)
651 SendSimpleResp(400,NULL,NULL,
"Malformed header line. Hint: ensure the line finishes with \"\\r\\n\"", 0,
false);
662 TRACEI(REQ,
" rc:" << rc <<
"Header not yet complete.");
667 if ((rc <= 0) && (BuffUsed() >= 16384)) {
668 TRACEI(ALL,
"Corrupted header detected, or line too long. Disconnecting client.");
687 time_t timenow = time(0);
705 TRACEI(REQ,
" rc:" << rc <<
" self-redirecting to http with security token.");
712 struct sockaddr_storage sa;
713 socklen_t sl =
sizeof(sa);
720 switch (sa.ss_family) {
722 if (inet_ntop(AF_INET, &(((sockaddr_in*)&sa)->sin_addr), buf, INET_ADDRSTRLEN)) {
729 if (inet_ntop(AF_INET6, &(((sockaddr_in6*)&sa)->sin6_addr), buf, INET6_ADDRSTRLEN)) {
731 Addr_str = (
char *)malloc(strlen(buf)+3);
739 TRACEI(REQ,
" Can't recognize the address family of the local host.");
747 TRACEI(REQ,
" rc:"<<rc<<
" self-redirecting to http with security token: '"
748 << dest.
c_str() <<
"'");
752 SendSimpleResp(302, NULL, (
char *) dest.
c_str(), 0, 0,
true);
757 TRACEI(REQ,
" rc:" << rc <<
" Can't perform self-redirection.");
761 TRACEI(ALL,
" Could not calculate self-redirection hash");
767 if (!ishttps && !ssldone) {
777 if (t) tim = atoi(t);
779 TRACEI(REQ,
" xrdhttptime not specified. Authentication failed.");
783 TRACEI(REQ,
" Token expired. Authentication failed.");
868 TRACEI(REQ,
" Invalid tk '" << tk <<
"' != '" << hash <<
"'(calculated). Authentication failed.");
875 TRACEI(ALL,
" Rejecting plain http with no valid token as we have a secretkey.");
883 TRACEI(ALL,
" Rejecting plain http with no valid token as we have a secretkey.");
903 TRACEI(REQ,
" Authorization failed.");
919 TRACEI(REQ,
"Process is exiting rc:" << rc);
927 #define TRACELINK Link
981 #define TS_Xeq(x,m) (!strcmp(x,var)) GoNo = m(Config)
983 #define TS_Xeq3(x,m) (!strcmp(x,var)) GoNo = m(Config, extHIVec)
985 #define HTTPS_ALERT(x,y,z) httpsspec = true;\
986 if (xrdctx && httpsmode == hsmAuto && (z || xrdctx->x509Verify())) \
987 eDest.Say("Config http." x " overrides the xrd." y " directive.")
989 int XrdHttpProtocol::Config(
const char *ConfigFN,
XrdOucEnv *myEnv) {
992 std::vector<extHInfo> extHIVec;
994 int cfgFD, GoNo, NoGo = 0, ismine;
1004 if(nonIanaChecksums.size()) {
1005 std::stringstream warningMsgSS;
1006 warningMsgSS <<
"Config warning: the following checksum algorithms are not IANA compliant: [";
1007 std::string unknownCksumString;
1008 for(
auto unknownCksum: nonIanaChecksums) {
1009 unknownCksumString += unknownCksum +
",";
1011 unknownCksumString.erase(unknownCksumString.size() - 1);
1012 warningMsgSS << unknownCksumString <<
"]" <<
". They therefore cannot be queried by a user via HTTP." ;
1013 eDest.
Say(warningMsgSS.str().c_str());
1019 #if OPENSSL_VERSION_NUMBER < 0x10100000L
1021 m_bio_method =
static_cast<BIO_METHOD*
>(OPENSSL_malloc(
sizeof(BIO_METHOD)));
1056 if ((cfgFD =
open(ConfigFN, O_RDONLY, 0)) < 0)
1057 return eDest.
Emsg(
"Config", errno,
"open config file", ConfigFN);
1059 static const char *cvec[] = {
"*** http protocol config:", 0 };
1064 while ((var =
Config.GetMyFirstWord())) {
1065 if ((ismine = !strncmp(
"http.", var, 5)) && var[5]) var += 5;
1068 if TS_Xeq(
"trace", xtrace);
1069 else if TS_Xeq(
"cert", xsslcert);
1070 else if TS_Xeq(
"key", xsslkey);
1071 else if TS_Xeq(
"cadir", xsslcadir);
1072 else if TS_Xeq(
"cipherfilter", xsslcipherfilter);
1073 else if TS_Xeq(
"gridmap", xgmap);
1074 else if TS_Xeq(
"cafile", xsslcafile);
1075 else if TS_Xeq(
"secretkey", xsecretkey);
1076 else if TS_Xeq(
"desthttps", xdesthttps);
1077 else if TS_Xeq(
"secxtractor", xsecxtractor);
1078 else if TS_Xeq3(
"exthandler", xexthandler);
1079 else if TS_Xeq(
"selfhttps2http", xselfhttps2http);
1080 else if TS_Xeq(
"embeddedstatic", xembeddedstatic);
1081 else if TS_Xeq(
"listingredir", xlistredir);
1082 else if TS_Xeq(
"staticredir", xstaticredir);
1083 else if TS_Xeq(
"staticpreload", xstaticpreload);
1084 else if TS_Xeq(
"staticheader", xstaticheader);
1085 else if TS_Xeq(
"listingdeny", xlistdeny);
1086 else if TS_Xeq(
"header2cgi", xheader2cgi);
1087 else if TS_Xeq(
"httpsmode", xhttpsmode);
1088 else if TS_Xeq(
"tlsreuse", xtlsreuse);
1089 else if TS_Xeq(
"auth", xauth);
1090 else if TS_Xeq(
"tlsclientauth", xtlsclientauth);
1092 eDest.
Say(
"Config warning: ignoring unknown directive '", var,
"'.");
1107 {
eDest.
Say(
"Config failure: one or more directives are flawed!");
1113 hdr2cgimap[
"Cache-Control"] =
"cache-control";
1116 if (getenv(
"XRDCL_EC"))
usingEC =
true;
1121 std::string default_static_headers;
1123 for (
const auto &header_entry : default_verb->second) {
1124 default_static_headers += header_entry.first +
": " + header_entry.second +
"\r\n";
1129 if (item.first.empty()) {
1132 auto headers = default_static_headers;
1133 for (
const auto &header_entry : item.second) {
1134 headers += header_entry.first +
": " + header_entry.second +
"\r\n";
1142 if (myEnv->
Get(
"XrdCache")) hasCache =
true;
1151 :
"was not configured.");
1152 const char *what = Configed();
1154 eDest.
Say(
"Config warning: HTTPS functionality ", why);
1157 LoadExtHandlerNoTls(extHIVec, ConfigFN, *myEnv);
1159 {
eDest.
Say(
"Config failure: ", what,
" HTTPS but it ", why);
1169 {
eDest.
Say(
"Config warning: specifying http.key without http.cert "
1170 "is meaningless; ignoring key!");
1178 {
eDest.
Say(
"Config failure: 'httpsmode manual' requires atleast a "
1179 "a cert specification!");
1190 const char *what1 = 0, *what2 = 0, *what3 = 0;
1195 what1 =
"xrd.tls to supply 'cert' and 'key'.";
1199 what2 =
"xrd.tlsca to supply 'cadir'.";
1203 what2 = (what2 ?
"xrd.tlsca to supply 'cadir' and 'cafile'."
1204 :
"xrd.tlsca to supply 'cafile'.");
1208 what3 =
"xrd.tlsca to supply 'refresh' interval.";
1218 {
const char *what = Configed();
1219 const char *why = (
httpsspec ?
"a cadir or cafile was not specified!"
1220 :
"'xrd.tlsca noverify' was specified!");
1222 {
eDest.
Say(
"Config failure: ", what,
" cert verification but ", why);
1230 sslbio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
1235 const char *how =
"completed.";
1236 eDest.
Say(
"++++++ HTTPS initialization started.");
1237 if (!
InitTLS()) {NoGo = 1; how =
"failed.";}
1238 eDest.
Say(
"------ HTTPS initialization ", how);
1239 if (NoGo)
return NoGo;
1243 if (LoadExtHandler(extHIVec, ConfigFN, *myEnv))
return 1;
1247 return (InitSecurity() ? NoGo : 1);
1254 const char *XrdHttpProtocol::Configed()
1256 if (secxtractor &&
gridmap)
return "gridmap and secxtractor require";
1257 if (secxtractor)
return "secxtractor requires";
1258 if (
gridmap)
return "gridmap requires";
1274 if (myBuffEnd >= myBuffStart) {
1276 for (
char *p = myBuffStart; p < myBuffEnd; p++) {
1281 dest.
assign(myBuffStart, 0, l-1);
1300 for (
char *p = myBuffStart; p < myBuff->
buff + myBuff->
bsize; p++) {
1302 if ((*p ==
'\n') || (*p ==
'\0')) {
1305 dest.
assign(myBuffStart, 0, l-1);
1321 for (
char *p = myBuff->
buff; p < myBuffEnd; p++) {
1323 if ((*p ==
'\n') || (*p ==
'\0')) {
1327 int l1 = myBuff->
buff + myBuff->
bsize - myBuffStart;
1329 dest.
assign(myBuffStart, 0, l1-1);
1333 dest.
insert(myBuffStart, l1, l-1);
1357 int XrdHttpProtocol::getDataOneShot(
int blen,
bool wait) {
1372 maxread = std::min(blen, BuffAvailable());
1373 TRACE(
DEBUG,
"getDataOneShot BuffAvailable: " << BuffAvailable() <<
" maxread: " << maxread);
1379 int sslavail = maxread;
1382 int l = SSL_pending(ssl);
1384 sslavail = std::min(maxread, SSL_pending(ssl));
1389 ERR_print_errors(sslbio_err);
1393 TRACE(
DEBUG,
"getDataOneShot sslavail: " << sslavail);
1394 if (sslavail <= 0)
return 0;
1396 if (myBuffEnd - myBuff->
buff >= myBuff->
bsize) {
1398 myBuffEnd = myBuff->
buff;
1401 rlen = SSL_read(ssl, myBuffEnd, sslavail);
1404 ERR_print_errors(sslbio_err);
1411 if (myBuffEnd - myBuff->
buff >= myBuff->
bsize) {
1413 myBuffEnd = myBuff->
buff;
1419 rlen =
Link->
Recv(myBuffEnd, maxread);
1435 TRACE(REQ,
"read " << rlen <<
" of " << blen <<
" bytes");
1442 int XrdHttpProtocol::BuffAvailable() {
1445 if (myBuffEnd >= myBuffStart)
1446 r = myBuff->
buff + myBuff->
bsize - myBuffEnd;
1448 r = myBuffStart - myBuffEnd;
1450 if ((r < 0) || (r > myBuff->
bsize)) {
1451 TRACE(REQ,
"internal error, myBuffAvailable: " << r <<
" myBuff->bsize " << myBuff->
bsize);
1464 int XrdHttpProtocol::BuffUsed() {
1467 if (myBuffEnd >= myBuffStart)
1468 r = myBuffEnd - myBuffStart;
1471 r = myBuff->
bsize - (myBuffStart - myBuffEnd);
1473 if ((r < 0) || (r > myBuff->
bsize)) {
1474 TRACE(REQ,
"internal error, myBuffUsed: " << r <<
" myBuff->bsize " << myBuff->
bsize);
1487 int XrdHttpProtocol::BuffFree() {
1488 return (myBuff->
bsize - BuffUsed());
1495 void XrdHttpProtocol::BuffConsume(
int blen) {
1497 if (blen > myBuff->
bsize) {
1498 TRACE(REQ,
"internal error, BuffConsume(" << blen <<
") smaller than buffsize");
1502 if (blen > BuffUsed()) {
1503 TRACE(REQ,
"internal error, BuffConsume(" << blen <<
") larger than BuffUsed:" << BuffUsed());
1507 myBuffStart = myBuffStart + blen;
1509 if (myBuffStart >= myBuff->
buff + myBuff->
bsize)
1510 myBuffStart -= myBuff->
bsize;
1512 if (myBuffEnd >= myBuff->
buff + myBuff->
bsize)
1513 myBuffEnd -= myBuff->
bsize;
1515 if (BuffUsed() == 0)
1516 myBuffStart = myBuffEnd = myBuff->
buff;
1531 int XrdHttpProtocol::BuffgetData(
int blen,
char **data,
bool wait) {
1534 TRACE(
DEBUG,
"BuffgetData: requested " << blen <<
" bytes");
1539 if (blen > BuffUsed()) {
1540 TRACE(REQ,
"BuffgetData: need to read " << blen - BuffUsed() <<
" bytes");
1541 if ( getDataOneShot(blen - BuffUsed(),
true) )
1547 if ( !BuffUsed() ) {
1548 if ( getDataOneShot(blen,
false) )
1556 if (myBuffStart <= myBuffEnd) {
1557 rlen = std::min( (
long) blen, (
long)(myBuffEnd - myBuffStart) );
1560 rlen = std::min( (
long) blen, (
long)(myBuff->
buff + myBuff->
bsize - myBuffStart) );
1562 *data = myBuffStart;
1573 int XrdHttpProtocol::SendData(
const char *body,
int bodylen) {
1577 if (body && bodylen) {
1578 TRACE(REQ,
"Sending " << bodylen <<
" bytes");
1580 r = SSL_write(ssl, body, bodylen);
1582 ERR_print_errors(sslbio_err);
1588 if (r <= 0)
return -1;
1599 int XrdHttpProtocol::StartSimpleResp(
int code,
const char *desc,
const char *header_to_add,
long long bodylen,
bool keepalive) {
1600 std::stringstream ss;
1601 const std::string crlf =
"\r\n";
1603 ss <<
"HTTP/1.1 " << code <<
" ";
1607 if (code == 200) ss <<
"OK";
1608 else if (code == 100) ss <<
"Continue";
1609 else if (code == 206) ss <<
"Partial Content";
1610 else if (code == 302) ss <<
"Redirect";
1611 else if (code == 307) ss <<
"Temporary Redirect";
1612 else if (code == 400) ss <<
"Bad Request";
1613 else if (code == 403) ss <<
"Forbidden";
1614 else if (code == 404) ss <<
"Not Found";
1615 else if (code == 405) ss <<
"Method Not Allowed";
1616 else if (code == 416) ss <<
"Range Not Satisfiable";
1617 else if (code == 500) ss <<
"Internal Server Error";
1618 else if (code == 502) ss <<
"Bad Gateway";
1619 else if (code == 504) ss <<
"Gateway Timeout";
1620 else ss <<
"Unknown";
1623 if (keepalive && (code != 100))
1624 ss <<
"Connection: Keep-Alive" << crlf;
1626 ss <<
"Connection: Close" << crlf;
1628 ss <<
"Server: XrootD/" << XrdVSTRING << crlf;
1637 if ((bodylen >= 0) && (code != 100))
1638 ss <<
"Content-Length: " << bodylen << crlf;
1640 if (header_to_add && (header_to_add[0] !=
'\0'))
1641 ss << header_to_add << crlf;
1645 const std::string &outhdr = ss.str();
1646 TRACEI(RSP,
"Sending resp: " << code <<
" header len:" << outhdr.size());
1647 if (SendData(outhdr.c_str(), outhdr.size()))
1657 int XrdHttpProtocol::StartChunkedResp(
int code,
const char *desc,
const char *header_to_add,
long long bodylen,
bool keepalive) {
1658 const std::string crlf =
"\r\n";
1659 std::stringstream ss;
1661 if (header_to_add && (header_to_add[0] !=
'\0')) {
1662 ss << header_to_add << crlf;
1665 ss <<
"Transfer-Encoding: chunked";
1666 TRACEI(RSP,
"Starting chunked response");
1667 return StartSimpleResp(code, desc, ss.str().c_str(), bodylen, keepalive);
1674 int XrdHttpProtocol::ChunkResp(
const char *body,
long long bodylen) {
1675 long long content_length = (bodylen <= 0) ? (body ? strlen(body) : 0) : bodylen;
1676 if (ChunkRespHeader(content_length))
1679 if (body && SendData(body, content_length))
1682 return ChunkRespFooter();
1689 int XrdHttpProtocol::ChunkRespHeader(
long long bodylen) {
1690 const std::string crlf =
"\r\n";
1691 std::stringstream ss;
1695 const std::string &chunkhdr = ss.str();
1696 TRACEI(RSP,
"Sending encoded chunk of size " << bodylen);
1697 return (SendData(chunkhdr.c_str(), chunkhdr.size())) ? -1 : 0;
1704 int XrdHttpProtocol::ChunkRespFooter() {
1705 const std::string crlf =
"\r\n";
1706 return (SendData(crlf.c_str(), crlf.size())) ? -1 : 0;
1717 int XrdHttpProtocol::SendSimpleResp(
int code,
const char *desc,
const char *header_to_add,
const char *body,
long long bodylen,
bool keepalive) {
1719 long long content_length = bodylen;
1721 content_length = body ? strlen(body) : 0;
1724 if (StartSimpleResp(code, desc, header_to_add, content_length, keepalive) < 0)
1731 return SendData(body, content_length);
1768 sprintf(buf,
"%d",
Port);
1774 rdf = (parms && *parms ? parms : pi->
ConfigFN);
1780 if ((rdf = getenv(
"XRDROLE"))) {
1783 if (!strcasecmp(rdf,
"manager") || !strcasecmp(rdf,
"supervisor")) {
1785 eDest.
Emsg(
"Config",
"Configured as HTTP(s) redirector.");
1788 eDest.
Emsg(
"Config",
"Configured as HTTP(s) data server.");
1792 eDest.
Emsg(
"Config",
"No XRDROLE specified.");
1811 char *val, keybuf[1024], parmbuf[1024];
1816 if (!val || !val[0]) {
1817 err.
Emsg(
"Config",
"No headerkey specified.");
1822 while ( *val && !isalnum(*val) ) val++;
1823 strcpy(keybuf, val);
1827 pp = keybuf + strlen(keybuf) - 1;
1828 while ( (pp >= keybuf) && (!isalnum(*pp)) ) {
1836 if(!parm || !parm[0]) {
1837 err.
Emsg(
"Config",
"No header2cgi value specified. key: '", keybuf,
"'");
1842 while ( *parm && !isalnum(*parm) ) parm++;
1843 strcpy(parmbuf, parm);
1846 pp = parmbuf + strlen(parmbuf) - 1;
1847 while ( (pp >= parmbuf) && (!isalnum(*pp)) ) {
1854 header2cgi[keybuf] = parmbuf;
1856 err.
Emsg(
"Config",
"Can't insert new header2cgi rule. key: '", keybuf,
"'");
1869 bool XrdHttpProtocol::InitTLS() {
1894 static const char *sess_ctx_id =
"XrdHTTPSessionCtx";
1895 unsigned int n =(
unsigned int)(strlen(sess_ctx_id)+1);
1901 {
eDest.
Say(
"Config failure: ",
"Unable to set allowable https ciphers!");
1914 void XrdHttpProtocol::Cleanup() {
1916 TRACE(ALL,
" Cleanup");
1918 if (
BPool && myBuff) {
1919 BuffConsume(BuffUsed());
1933 int ret = SSL_shutdown(ssl);
1937 #if OPENSSL_VERSION_NUMBER < 0x10100000L
1938 ERR_remove_thread_state(
nullptr);
1942 TRACE(ALL,
" SSL_shutdown failed");
1943 ERR_print_errors(sslbio_err);
1977 void XrdHttpProtocol::Reset() {
1979 TRACE(ALL,
" Reset");
1988 myBuffStart = myBuffEnd = 0;
1991 DoneSetInfo =
false;
2041 if (!val || !val[0]) {
2042 eDest.
Emsg(
"Config",
"httpsmode parameter not specified");
2051 else {
eDest.
Emsg(
"Config",
"invalid httpsmode parameter - ", val);
2076 if (!val || !val[0]) {
2077 eDest.
Emsg(
"Config",
"sslverifydepth value not specified");
2108 if (!val || !val[0]) {
2109 eDest.
Emsg(
"Config",
"HTTP X509 certificate not specified");
2143 if (!val || !val[0]) {
2144 eDest.
Emsg(
"Config",
"HTTP X509 key not specified");
2180 if (!val || !val[0]) {
2181 eDest.
Emsg(
"Config",
"HTTP X509 gridmap file location not specified");
2187 if (!strncmp(val,
"required", 8)) {
2191 if (!val || !val[0]) {
2192 eDest.
Emsg(
"Config",
"HTTP X509 gridmap file missing after [required] "
2200 if (!strcmp(val,
"compatNameGeneration")) {
2203 if (!val || !val[0]) {
2204 eDest.
Emsg(
"Config",
"HTTP X509 gridmap file missing after "
2205 "[compatNameGeneration] parameter");
2237 if (!val || !val[0]) {
2238 eDest.
Emsg(
"Config",
"HTTP X509 CAfile not specified");
2266 bool inFile =
false;
2271 if (!val || !val[0]) {
2272 eDest.
Emsg(
"Config",
"Shared secret key not specified");
2280 if (val[0] ==
'/') {
2283 int fd =
open(val, O_RDONLY);
2286 eDest.
Emsg(
"Config", errno,
"open shared secret key file", val);
2290 if (
fstat(fd, &st) != 0 ) {
2291 eDest.
Emsg(
"Config", errno,
"fstat shared secret key file", val);
2296 if ( st.st_mode & S_IWOTH & S_IWGRP & S_IROTH) {
2298 "For your own security, the shared secret key file cannot be world readable or group writable '", val,
"'");
2303 FILE *fp = fdopen(fd,
"r");
2305 if ( fp ==
nullptr ) {
2306 eDest.
Emsg(
"Config", errno,
"fdopen shared secret key file", val);
2312 while( fgets(line, 1024, fp) ) {
2316 pp = line + strlen(line) - 1;
2317 while ( (pp >= line) && (!isalnum(*pp)) ) {
2324 while ( *pp && !isalnum(*pp) ) pp++;
2326 if ( strlen(pp) >= 32 ) {
2327 eDest.
Say(
"Config",
"Secret key loaded.");
2339 eDest.
Emsg(
"Config",
"Cannot find useful secretkey in file '", val,
"'");
2344 if ( strlen(val) < 32 ) {
2345 eDest.
Emsg(
"Config",
"Secret key is too short");
2352 if (!inFile)
Config.noEcho();
2376 if (!val || !val[0]) {
2377 eDest.
Emsg(
"Config",
"listingdeny flag not specified");
2383 listdeny = (!strcasecmp(val,
"true") || !strcasecmp(val,
"yes") || !strcmp(val,
"1"));
2408 if (!val || !val[0]) {
2409 eDest.
Emsg(
"Config",
"listingredir flag not specified");
2441 if (!val || !val[0]) {
2442 eDest.
Emsg(
"Config",
"desthttps flag not specified");
2448 isdesthttps = (!strcasecmp(val,
"true") || !strcasecmp(val,
"yes") || !strcmp(val,
"1"));
2473 if (!val || !val[0]) {
2474 eDest.
Emsg(
"Config",
"embeddedstatic flag not specified");
2480 embeddedstatic = (!strcasecmp(val,
"true") || !strcasecmp(val,
"yes") || !strcmp(val,
"1"));
2505 if (!val || !val[0]) {
2506 eDest.
Emsg(
"Config",
"staticredir url not specified");
2535 char *val, *k, key[1024];
2541 eDest.
Emsg(
"Config",
"preloadstatic urlpath not specified");
2550 if (!val || !val[0]) {
2551 eDest.
Emsg(
"Config",
"preloadstatic filename not specified");
2556 int fp =
open(val, O_RDONLY);
2558 eDest.
Emsg(
"Config", errno,
"open preloadstatic filename", val);
2562 StaticPreloadInfo *nfo =
new StaticPreloadInfo;
2564 nfo->data = (
char *)malloc(65536);
2565 nfo->len =
read(fp, (
void *)nfo->data, 65536);
2568 if (nfo->len <= 0) {
2569 eDest.
Emsg(
"Config", errno,
"read from preloadstatic filename", val);
2573 if (nfo->len >= 65536) {
2574 eDest.
Emsg(
"Config",
"Truncated preloadstatic filename. Max is 64 KB '", val,
"'");
2605 auto val =
Config.GetWord();
2606 std::vector<std::string> verbs;
2608 if (!val || !val[0]) {
2609 eDest.
Emsg(
"Config",
"http.staticheader requires the header to be specified");
2613 std::string match_verb;
2614 std::string_view val_str(val);
2615 if (val_str.substr(0, 6) ==
"-verb=") {
2616 verbs.emplace_back(val_str.substr(6));
2617 }
else if (val_str ==
"-") {
2618 eDest.
Emsg(
"Config",
"http.staticheader is ignoring unknown flag: ", val_str.data());
2625 if (verbs.empty()) {
2626 verbs.emplace_back();
2629 std::string header = val;
2632 std::string header_value;
2633 if (val && val[0]) {
2637 for (
const auto &verb : verbs) {
2641 }
else if (header_value.empty()) {
2642 iter->second.clear();
2644 iter->second.emplace_back(header, header_value);
2671 if (!val || !val[0]) {
2672 eDest.
Emsg(
"Config",
"selfhttps2http flag not specified");
2678 selfhttps2http = (!strcasecmp(val,
"true") || !strcasecmp(val,
"yes") || !strcmp(val,
"1"));
2706 if (!val || !val[0]) {
2707 eDest.
Emsg(
"Config",
"No security extractor plugin specified.");
2712 if (!strncmp(val,
"required", 8)) {
2713 isRequiredXtractor =
true;
2716 if (!val || !val[0]) {
2717 eDest.
Emsg(
"Config",
"No security extractor plugin after [required] "
2724 strlcpy(libName, val,
sizeof(libName));
2725 libName[
sizeof(libName) - 1] =
'\0';
2726 char libParms[4096];
2728 if (!
Config.GetRest(libParms, 4095)) {
2729 eDest.
Emsg(
"Config",
"secxtractor config params longer than 4k");
2735 if (LoadSecXtractor(&
eDest, libName, libParms)) {
2761 std::vector<extHInfo> &hiVec) {
2762 char *val, path[1024], namebuf[1024];
2765 bool noTlsOK =
false;
2770 if (!val || !val[0]) {
2771 eDest.
Emsg(
"Config",
"No instance name specified for an http external handler plugin.");
2774 if (strlen(val) >= 16) {
2775 eDest.
Emsg(
"Config",
"Instance name too long for an http external handler plugin.");
2778 strncpy(namebuf, val,
sizeof(namebuf));
2779 namebuf[
sizeof(namebuf)-1 ] =
'\0';
2784 if(val && !strcmp(
"+notls",val)) {
2791 if (!val || !val[0]) {
2792 eDest.
Emsg(
"Config",
"No http external handler plugin specified.");
2795 if (strlen(val) >= (int)
sizeof(path)) {
2796 eDest.
Emsg(
"Config",
"Path too long for an http external handler plugin.");
2808 for (
int i = 0; i < (int)hiVec.size(); i++)
2809 {
if (hiVec[i].extHName == namebuf) {
2810 eDest.
Emsg(
"Config",
"Instance name already present for "
2811 "http external handler plugin",
2812 hiVec[i].extHPath.c_str());
2820 eDest.
Emsg(
"Config",
"Cannot load one more exthandler. Max is 4");
2826 hiVec.push_back(extHInfo(namebuf, path, (parm ? parm :
""), noTlsOK));
2870 if (!val || !val[0]) {
2871 eDest.
Emsg(
"Config",
"HTTP X509 CAdir not specified");
2904 if (!val || !val[0]) {
2905 eDest.
Emsg(
"Config",
"SSL cipherlist filter string not specified");
2935 if (!val || !val[0])
2936 {
eDest.
Emsg(
"Config",
"tlsreuse argument not specified");
return 1;}
2940 if (!strcmp(val,
"off"))
2947 if (!strcmp(val,
"on"))
2954 eDest.
Emsg(
"config",
"invalid tlsreuse parameter -", val);
2959 auto val =
Config.GetWord();
2960 if (!val || !val[0])
2961 {
eDest.
Emsg(
"Config",
"tlsclientauth argument not specified");
return 1;}
2963 if (!strcmp(val,
"off"))
2967 if (!strcmp(val,
"on"))
2972 eDest.
Emsg(
"config",
"invalid tlsclientauth parameter -", val);
2977 char *val =
Config.GetWord();
2979 if(!strcmp(
"tpc",val)) {
2980 if(!(val =
Config.GetWord())) {
2981 eDest.
Emsg(
"Config",
"http.auth tpc value not specified.");
return 1;
2983 if(!strcmp(
"fcreds",val)) {
2986 eDest.
Emsg(
"Config",
"http.auth tpc value is invalid");
return 1;
2990 eDest.
Emsg(
"Config",
"http.auth value is invalid");
return 1;
3014 static struct traceopts {
3026 int i, neg, trval = 0, numopts =
sizeof (tropts) /
sizeof (
struct traceopts);
3028 if (!(val =
Config.GetWord())) {
3029 eDest.
Emsg(
"config",
"trace option not specified");
3033 if (!strcmp(val,
"off")) trval = 0;
3035 if ((neg = (val[0] ==
'-' && val[1]))) val++;
3036 for (i = 0; i < numopts; i++) {
3037 if (!strcmp(val, tropts[i].opname)) {
3038 if (neg) trval &= ~tropts[i].opval;
3039 else trval |= tropts[i].opval;
3044 eDest.
Emsg(
"config",
"invalid trace option", val);
3063 l = strlen(fname) + 1;
3088 length = fname.
length() + 1;
3100 int XrdHttpProtocol::LoadSecXtractor(
XrdSysError *myeDest,
const char *libName,
3101 const char *libParms) {
3105 if (secxtractor)
return 1;
3107 XrdOucPinLoader myLib(myeDest, &compiledVer,
"secxtractorlib", libName);
3113 if (ep && (secxtractor = ep(myeDest, NULL, libParms)))
return 0;
3121 int XrdHttpProtocol::LoadExtHandlerNoTls(std::vector<extHInfo> &hiVec,
const char *cFN,
XrdOucEnv &myEnv) {
3122 for (
int i = 0; i < (int) hiVec.size(); i++) {
3123 if(hiVec[i].extHNoTlsOK) {
3125 if (LoadExtHandler(&
eDest, hiVec[i].extHPath.c_str(), cFN,
3126 hiVec[i].extHParm.c_str(), &myEnv,
3127 hiVec[i].extHName.c_str()))
3134 int XrdHttpProtocol::LoadExtHandler(std::vector<extHInfo> &hiVec,
3146 for (
int i = 0; i < (int)hiVec.size(); i++) {
3149 if(!ExtHandlerLoaded(hiVec[i].extHName.c_str())) {
3150 if (LoadExtHandler(&
eDest, hiVec[i].extHPath.c_str(), cFN,
3151 hiVec[i].extHParm.c_str(), &myEnv,
3152 hiVec[i].extHName.c_str()))
return 1;
3159 int XrdHttpProtocol::LoadExtHandler(
XrdSysError *myeDest,
const char *libName,
3160 const char *configFN,
const char *libParms,
3161 XrdOucEnv *myEnv,
const char *instName) {
3165 if (ExtHandlerLoaded(instName)) {
3166 eDest.
Emsg(
"Config",
"Instance name already present for an http external handler plugin.");
3170 eDest.
Emsg(
"Config",
"Cannot load one more exthandler. Max is 4");
3174 XrdOucPinLoader myLib(myeDest, &compiledVer,
"exthandlerlib", libName);
3182 if (ep && (newhandler = ep(myeDest, configFN, libParms, myEnv))) {
3185 strncpy( exthandler[exthandlercnt].name, instName, 16 );
3186 exthandler[exthandlercnt].name[15] =
'\0';
3187 exthandler[exthandlercnt++].ptr = newhandler;
3200 bool XrdHttpProtocol::ExtHandlerLoaded(
const char *handlername) {
3201 for (
int i = 0; i < exthandlercnt; i++) {
3202 if ( !strncmp(exthandler[i].name, handlername, 15) ) {
3213 for (
int i = 0; i < exthandlercnt; i++) {
3215 return exthandler[i].ptr;
struct ClientSetRequest set
struct ClientQueryRequest query
struct ClientStatRequest stat
#define XrdHttpExtHandlerArgs
int BIO_get_init(BIO *bio)
int BIO_get_shutdown(BIO *bio)
int BIO_get_flags(BIO *bio)
static int BIO_XrdLink_create(BIO *bio)
const char * XrdHttpSecEntityTident
void BIO_set_init(BIO *bio, int init)
int BIO_XrdLink_write(BIO *bio, const char *data, size_t datal, size_t *written)
#define HTTPS_ALERT(x, y, z)
static long BIO_XrdLink_ctrl(BIO *bio, int cmd, long num, void *ptr)
void BIO_set_shutdown(BIO *bio, int shut)
XrdSysTrace XrdHttpTrace("http")
void * BIO_get_data(BIO *bio)
static int BIO_XrdLink_read(BIO *bio, char *data, size_t datal, size_t *read)
void BIO_set_data(BIO *bio, void *ptr)
static int BIO_XrdLink_destroy(BIO *bio)
#define XRHTTP_TK_GRACETIME
static XrdVERSIONINFODEF(compiledVer, XrdHttpProtocolTest, XrdVNUMBER, XrdVERSION)
void BIO_set_flags(BIO *bio, int flags)
A pragmatic implementation of the HTTP/DAV protocol for the Xrd framework.
#define MAX_XRDHTTPEXTHANDLERS
#define XrdHttpSecXtractorArgs
int compareHash(const char *h1, const char *h2)
char * unquote(char *str)
void calcHashes(char *hash, const char *fn, kXR_int16 request, XrdSecEntity *secent, time_t tim, const char *key)
Utility functions for XrdHTTP.
std::string obfuscateAuth(const std::string &input)
int stat(const char *path, struct stat *buf)
int open(const char *path, int oflag,...)
int fstat(int fildes, struct stat *buf)
ssize_t read(int fildes, void *buf, size_t nbyte)
#define TLS_SET_VDEPTH(cOpts, vdv)
#define TLS_SET_REFINT(cOpts, refi)
void Release(XrdBuffer *bp)
XrdBuffer * Obtain(int bsz)
const std::vector< std::string > & getNonIANAConfiguredCksums() const
void configure(const char *csList)
static char * secretkey
The key used to calculate the url hashes.
static BIO_METHOD * m_bio_method
C-style vptr table for our custom BIO objects.
static char * gridmap
Gridmap file location. The same used by XrdSecGsi.
static XrdScheduler * Sched
static kXR_int32 myRole
Our role.
static XrdNetPMark * pmarkHandle
Packet marking handler pointer (assigned from the environment during the Config() call)
static char * Port_str
Our port, as a string.
XrdXrootd::Bridge * Bridge
The Bridge that we use to exercise the xrootd internals.
static char * staticredir
static bool selfhttps2http
If client is HTTPS, self-redirect with HTTP+token.
static XrdHttpChecksumHandler cksumHandler
static int hailWait
Timeout for reading the handshake.
int doChksum(const XrdOucString &fname)
Perform a checksum request.
static XrdOucHash< StaticPreloadInfo > * staticpreload
static char * xrd_cslist
The list of checksums that were configured via the xrd.cksum parameter on the server config file.
static char * sslcipherfilter
static int m_bio_type
Type identifier for our custom BIO objects.
static std::map< std::string, std::string > hdr2cgimap
Rules that turn HTTP headers to cgi tokens in the URL, for internal comsumption.
static char * sslcert
OpenSSL stuff.
XrdLink * Link
The link we are bound to.
int doStat(char *fname)
Perform a Stat request.
XrdObject< XrdHttpProtocol > ProtLink
static int readWait
Timeout for reading data.
void Recycle(XrdLink *lp, int consec, const char *reason)
Recycle this instance.
XrdHttpProtocol operator=(const XrdHttpProtocol &rhs)
static bool compatNameGeneration
static bool isdesthttps
True if the redirections must be towards https targets.
static XrdObjectQ< XrdHttpProtocol > ProtStack
XrdProtocol * Match(XrdLink *lp)
Tells if the oustanding bytes on the socket match this protocol implementation.
static std::unordered_map< std::string, std::vector< std::pair< std::string, std::string > > > m_staticheader_map
The static headers to always return; map is from verb to a list of (header, val) pairs.
static bool isRequiredGridmap
static char * listredir
Url to redirect to in the case a listing is requested.
int Stats(char *buff, int blen, int do_sync=0)
Get activity stats.
static std::unordered_map< std::string, std::string > m_staticheaders
static int crlRefIntervalSec
CRL thread refresh interval.
static XrdHttpReadRangeHandler::Configuration ReadRangeConfig
configuration for the read range handler
static XrdSecService * CIA
static XrdBuffManager * BPool
static bool tpcForwardCreds
If set to true, the HTTP TPC transfers will forward the credentials to redirected hosts.
int Process(XrdLink *lp)
Process data incoming from the socket.
XrdHttpProtocol(const XrdHttpProtocol &)=default
Ctor, dtors and copy ctor.
static bool listdeny
If true, any form of listing is denied.
static int parseHeader2CGI(XrdOucStream &Config, XrdSysError &err, std::map< std::string, std::string > &header2cgi)
Use this function to parse header2cgi configurations.
XrdSecEntity SecEntity
Authentication area.
static bool embeddedstatic
If true, use the embedded css and icons.
static int sslverifydepth
Depth of verification of a certificate chain.
static int Configure(char *parms, XrdProtocol_Config *pi)
Read and apply the configuration.
static int Configure(XrdSysError &Eroute, const char *const parms, Configuration &cfg)
int reqstate
State machine to talk to the bridge.
XrdOucString resource
The resource specified by the request, stripped of opaque data.
bool headerok
Tells if we have finished reading the header.
ReqType request
The request we got.
XrdOucEnv * opaque
The opaque data, after parsing.
int parseFirstLine(char *line, int len)
Parse the first line of the header.
int parseLine(char *line, int len)
Parse the header.
void appendOpaque(XrdOucString &s, XrdSecEntity *secent, char *hash, time_t tnow)
ClientRequest xrdreq
The last issued xrd request, often pending.
const std::string & userAgent() const
virtual int InitSSL(SSL *, char *)
virtual int FreeSSL(SSL *)
int setEtext(const char *text)
int Peek(char *buff, int blen, int timeout=-1)
int Recv(char *buff, int blen)
const XrdNetAddr * NetAddr() const
XrdNetAddrInfo * AddrInfo()
int Send(const char *buff, int blen)
static const int noPort
Do not add port number.
int Format(char *bAddr, int bLen, fmtUse fmtType=fmtAuto, int fmtOpts=0)
@ fmtAddr
Address using suitable ipv4 or ipv6 format.
void SetDialect(const char *dP)
void Set(int inQMax, time_t agemax=1800)
void Push(XrdObject< T > *Node)
static bool Import(const char *var, char *&val)
void * GetPtr(const char *varname)
char * Get(const char *varname)
void Put(const char *varname, const char *value)
void insert(const int i, int start=-1)
const char * c_str() const
void assign(const char *s, int j, int k=-1)
char * vorg
Entity's virtual organization(s)
int credslen
Length of the 'creds' data.
XrdNetAddrInfo * addrInfo
Entity's connection details.
const char * tident
Trace identifier always preset.
char prot[XrdSecPROTOIDSIZE]
Auth protocol used (e.g. krb5)
char * caps
Entity's capabilities.
char * creds
Raw entity credentials or cert.
char * grps
Entity's group name(s)
void Reset(const char *spV=0)
char * name
Entity's name.
char * role
Entity's role(s)
char * endorsements
Protocol specific endorsements.
void Display(XrdSysError &mDest)
char * moninfo
Information for monitoring.
char * host
Entity's host name dnr dependent.
int Emsg(const char *esfx, int ecode, const char *text1, const char *text2=0)
void Say(const char *text1, const char *text2=0, const char *txt3=0, const char *text4=0, const char *text5=0, const char *txt6=0)
XrdSysLogger * logger(XrdSysLogger *lp=0)
void SetLogger(XrdSysLogger *logp)
int SessionCache(int opts=scNone, const char *id=0, int idlen=0)
static const int DEFAULT_CRL_REF_INT_SEC
Default CRL refresh interval in seconds.
static const uint64_t servr
This is a server context.
static const uint64_t rfCRL
Turn on the CRL refresh thread.
bool SetTlsClientAuth(ClientAuthSetting setting)
static const uint64_t logVF
Log verify failures.
static const uint64_t artON
Auto retry Handshake.
const CTX_Params * GetParams()
static const int scOff
Turn off cache.
bool SetContextCiphers(const char *ciphers)
static const int scSrvr
Turn on cache server mode (default)
static Bridge * Login(Result *rsltP, XrdLink *linkP, XrdSecEntity *seceP, const char *nameP, const char *protP)
virtual bool Run(const char *xreqP, char *xdataP=0, int xdataL=0)=0
CloseImpl< false > Close(Ctx< File > file, uint16_t timeout=0)
Factory for creating CloseImpl objects.
XrdTlsContext::ClientAuthSetting tlsClientAuth
std::string cafile
-> ca cert file.
std::string cadir
-> ca cert directory.
int crlRT
crl refresh interval time in seconds
std::string pkey
-> private key path.
std::string cert
-> certificate path.