24#include "XrdVersion.hh"
48#include <openssl/err.h>
49#include <openssl/ssl.h>
58#define XRHTTP_TK_GRACETIME 600
99BIO *XrdHttpProtocol::sslbio_err = 0;
101bool XrdHttpProtocol::isRequiredXtractor =
false;
103int XrdHttpProtocol::exthandlercnt = 0;
106bool XrdHttpProtocol::usingEC = false;
107bool XrdHttpProtocol::hasCache= false;
128const char *TraceID =
"Protocol";
154 "xrootd protocol anchor");
160#if OPENSSL_VERSION_NUMBER < 0x10100000L
167#if OPENSSL_VERSION_NUMBER < 0x1000105fL
182 bio->shutdown = shut;
185 return bio->shutdown;
197:
XrdProtocol(
"HTTP protocol handler"), ProtLink(this),
198SecEntity(
""), CurrentReq(this, ReadRangeConfig) {
223 char mybuf[16], mybuf2[1024];
226 bool myishttps =
false;
230 if ((dlen = lp->
Peek(mybuf, (
int) sizeof (mybuf),
hailWait)) < (
int)
sizeof (mybuf)) {
231 if (dlen <= 0) lp->
setEtext(
"handshake not received");
234 mybuf[dlen - 1] =
'\0';
242 for (
int i = 0; i < dlen; i++) {
244 sprintf(mybuf3,
"%.02d ", mybuf[i]);
245 strcat(mybuf2, mybuf3);
252 for (
int i = 0; i < dlen - 1; i++)
253 if (!isprint(mybuf[i]) && (mybuf[i] !=
'\r') && (mybuf[i] !=
'\n')) {
255 TRACEI(
DEBUG,
"This does not look like http at pos " << i);
260 if ((!ismine) && (dlen >= 4)) {
261 char check[4] = {00, 00, 00, 00};
262 if (memcmp(mybuf, check, 4)) {
269 TRACEI(ALL,
"This may look like https, but https is not configured");
276 TRACEI(
DEBUG,
"This does not look like https. Protocol not matched.");
284 TRACEI(REQ,
"Protocol matched. https: " << myishttps);
287 hp->ishttps = myishttps;
302 hp->myBuffStart = hp->myBuffEnd = hp->myBuff->
buff;
310char *XrdHttpProtocol::GetClientIPStr() {
313 if (!
Link)
return strdup(
"unknown");
315 if (!ai)
return strdup(
"unknown");
323#if OPENSSL_VERSION_NUMBER < 0x1000105fL
334 int ret = lp->
Send(data, datal);
335 BIO_clear_retry_flags(bio);
338 if ((errno == EINTR) || (errno == EINPROGRESS) || (errno == EAGAIN) || (errno == EWOULDBLOCK))
339 BIO_set_retry_write(bio);
355 int ret = lp->
Send(data, datal);
356 BIO_clear_retry_flags(bio);
358 if ((errno == EINTR) || (errno == EINPROGRESS) || (errno == EAGAIN) || (errno == EWOULDBLOCK))
359 BIO_set_retry_write(bio);
366#if OPENSSL_VERSION_NUMBER < 0x1000105fL
377 int ret = lp->
Recv(data, datal);
378 BIO_clear_retry_flags(bio);
381 if ((errno == EINTR) || (errno == EINPROGRESS) || (errno == EAGAIN) || (errno == EWOULDBLOCK))
382 BIO_set_retry_read(bio);
397 int ret = lp->
Recv(data, datal);
398 BIO_clear_retry_flags(bio);
400 if ((errno == EINTR) || (errno == EINPROGRESS) || (errno == EAGAIN) || (errno == EWOULDBLOCK))
401 BIO_set_retry_read(bio);
417#if OPENSSL_VERSION_NUMBER < 0x10100000L
429 if (bio == NULL)
return 0;
445 case BIO_CTRL_GET_CLOSE:
448 case BIO_CTRL_SET_CLOSE:
463BIO *XrdHttpProtocol::CreateBIO(
XrdLink *lp)
482#define TRACELINK Link
490 if (!myBuff || !myBuff->
buff || !myBuff->
bsize) {
491 TRACE(ALL,
" Process. No buffer available. Internal error.");
497 char *nfo = GetClientIPStr();
499 TRACEI(REQ,
" Setting host: " << nfo);
508 if (ishttps && !ssldone) {
511 sbio = CreateBIO(
Link);
512 BIO_set_nbio(sbio, 1);
518 ERR_print_errors(sslbio_err);
527 SSL_set_bio(ssl, sbio, sbio);
534 setsockopt(
Link->
FDnum(), SOL_SOCKET, SO_RCVTIMEO, (
struct timeval *)&tv,
sizeof(
struct timeval));
535 setsockopt(
Link->
FDnum(), SOL_SOCKET, SO_SNDTIMEO, (
struct timeval *)&tv,
sizeof(
struct timeval));
538 int res = SSL_accept(ssl);
540 if ((res == -1) && (SSL_get_error(ssl, res) == SSL_ERROR_WANT_READ)) {
541 TRACEI(
DEBUG,
" SSL_accept wants to read more bytes... err:" << SSL_get_error(ssl, res));
546 ERR_print_errors(sslbio_err);
555 BIO_set_nbio(sbio, 0);
560 if (HandleAuthentication(
Link)) {
581 if ((rc = getDataOneShot(BuffAvailable())) < 0) {
587 if (BuffUsed() < ResumeBytes)
return 1;
595 if (mon_info.size() >= 1024) {
596 TRACEI(ALL,
"User agent string too long");
598 TRACEI(ALL,
"Internal logic error: Bridge is null after login");
607 SendSimpleResp(500,
nullptr,
nullptr,
"Could not set user agent.", 0,
false);
622 while ((rc = BuffgetLine(tmpline)) > 0) {
623 std::string traceLine = tmpline.
c_str();
627 TRACE(
DEBUG,
" rc:" << rc <<
" got hdr line: " << traceLine);
628 if ((rc == 2) && (tmpline.
length() > 1) && (tmpline[rc - 1] ==
'\n')) {
630 TRACE(
DEBUG,
" rc:" << rc <<
" detected header end.");
636 TRACE(
DEBUG,
" Parsing first line: " << traceLine.c_str());
639 TRACE(
DEBUG,
" Parsing of first line failed with " << result);
645 TRACE(
DEBUG,
" Parsing of header line failed with " << result)
646 SendSimpleResp(400,NULL,NULL,
"Malformed header line. Hint: ensure the line finishes with \"\\r\\n\"", 0,
false);
657 TRACEI(REQ,
" rc:" << rc <<
"Header not yet complete.");
662 if ((rc <= 0) && (BuffUsed() >= 16384)) {
663 TRACEI(ALL,
"Corrupted header detected, or line too long. Disconnecting client.");
682 time_t timenow = time(0);
700 TRACEI(REQ,
" rc:" << rc <<
" self-redirecting to http with security token.");
707 struct sockaddr_storage sa;
708 socklen_t sl =
sizeof(sa);
715 switch (sa.ss_family) {
717 if (inet_ntop(AF_INET, &(((sockaddr_in*)&sa)->sin_addr), buf, INET_ADDRSTRLEN)) {
724 if (inet_ntop(AF_INET6, &(((sockaddr_in6*)&sa)->sin6_addr), buf, INET6_ADDRSTRLEN)) {
726 Addr_str = (
char *)malloc(strlen(buf)+3);
734 TRACEI(REQ,
" Can't recognize the address family of the local host.");
742 TRACEI(REQ,
" rc:"<<rc<<
" self-redirecting to http with security token: '"
743 << dest.
c_str() <<
"'");
747 SendSimpleResp(302, NULL, (
char *) dest.
c_str(), 0, 0,
true);
752 TRACEI(REQ,
" rc:" << rc <<
" Can't perform self-redirection.");
756 TRACEI(ALL,
" Could not calculate self-redirection hash");
762 if (!ishttps && !ssldone) {
772 if (t) tim = atoi(t);
774 TRACEI(REQ,
" xrdhttptime not specified. Authentication failed.");
778 TRACEI(REQ,
" Token expired. Authentication failed.");
863 TRACEI(REQ,
" Invalid tk '" << tk <<
"' != '" << hash <<
"'(calculated). Authentication failed.");
870 TRACEI(ALL,
" Rejecting plain http with no valid token as we have a secretkey.");
878 TRACEI(ALL,
" Rejecting plain http with no valid token as we have a secretkey.");
898 TRACEI(REQ,
" Authorization failed.");
914 TRACEI(REQ,
"Process is exiting rc:" << rc);
922#define TRACELINK Link
976#define TS_Xeq(x,m) (!strcmp(x,var)) GoNo = m(Config)
978#define TS_Xeq3(x,m) (!strcmp(x,var)) GoNo = m(Config, extHIVec)
980#define HTTPS_ALERT(x,y,z) httpsspec = true;\
981 if (xrdctx && httpsmode == hsmAuto && (z || xrdctx->x509Verify())) \
982 eDest.Say("Config http." x " overrides the xrd." y " directive.")
984int XrdHttpProtocol::Config(
const char *ConfigFN,
XrdOucEnv *myEnv) {
987 std::vector<extHInfo> extHIVec;
989 int cfgFD, GoNo, NoGo = 0, ismine;
999 if(nonIanaChecksums.size()) {
1000 std::stringstream warningMsgSS;
1001 warningMsgSS <<
"Config warning: the following checksum algorithms are not IANA compliant: [";
1002 std::string unknownCksumString;
1003 for(
auto unknownCksum: nonIanaChecksums) {
1004 unknownCksumString += unknownCksum +
",";
1006 unknownCksumString.erase(unknownCksumString.size() - 1);
1007 warningMsgSS << unknownCksumString <<
"]" <<
". They therefore cannot be queried by a user via HTTP." ;
1008 eDest.
Say(warningMsgSS.str().c_str());
1014 #if OPENSSL_VERSION_NUMBER < 0x10100000L
1016 m_bio_method =
static_cast<BIO_METHOD*
>(OPENSSL_malloc(
sizeof(BIO_METHOD)));
1051 if ((cfgFD =
open(ConfigFN, O_RDONLY, 0)) < 0)
1052 return eDest.
Emsg(
"Config", errno,
"open config file", ConfigFN);
1053 Config.Attach(cfgFD);
1054 static const char *cvec[] = {
"*** http protocol config:", 0 };
1055 Config.Capture(cvec);
1059 while ((var = Config.GetMyFirstWord())) {
1060 if ((ismine = !strncmp(
"http.", var, 5)) && var[5]) var += 5;
1063 if TS_Xeq(
"trace", xtrace);
1064 else if TS_Xeq(
"cert", xsslcert);
1065 else if TS_Xeq(
"key", xsslkey);
1066 else if TS_Xeq(
"cadir", xsslcadir);
1067 else if TS_Xeq(
"cipherfilter", xsslcipherfilter);
1068 else if TS_Xeq(
"gridmap", xgmap);
1069 else if TS_Xeq(
"cafile", xsslcafile);
1070 else if TS_Xeq(
"secretkey", xsecretkey);
1071 else if TS_Xeq(
"desthttps", xdesthttps);
1072 else if TS_Xeq(
"secxtractor", xsecxtractor);
1073 else if TS_Xeq3(
"exthandler", xexthandler);
1074 else if TS_Xeq(
"selfhttps2http", xselfhttps2http);
1075 else if TS_Xeq(
"embeddedstatic", xembeddedstatic);
1076 else if TS_Xeq(
"listingredir", xlistredir);
1077 else if TS_Xeq(
"staticredir", xstaticredir);
1078 else if TS_Xeq(
"staticpreload", xstaticpreload);
1079 else if TS_Xeq(
"staticheader", xstaticheader);
1080 else if TS_Xeq(
"listingdeny", xlistdeny);
1081 else if TS_Xeq(
"header2cgi", xheader2cgi);
1082 else if TS_Xeq(
"httpsmode", xhttpsmode);
1083 else if TS_Xeq(
"tlsreuse", xtlsreuse);
1084 else if TS_Xeq(
"auth", xauth);
1086 eDest.
Say(
"Config warning: ignoring unknown directive '", var,
"'.");
1101 {
eDest.
Say(
"Config failure: one or more directives are flawed!");
1107 hdr2cgimap[
"Cache-Control"] =
"cache-control";
1110 if (getenv(
"XRDCL_EC")) usingEC =
true;
1115 std::string default_static_headers;
1117 for (
const auto &header_entry : default_verb->second) {
1118 default_static_headers += header_entry.first +
": " + header_entry.second +
"\r\n";
1123 if (item.first.empty()) {
1126 auto headers = default_static_headers;
1127 for (
const auto &header_entry : item.second) {
1128 headers += header_entry.first +
": " + header_entry.second +
"\r\n";
1136 if (myEnv->
Get(
"XrdCache")) hasCache =
true;
1145 :
"was not configured.");
1146 const char *what = Configed();
1148 eDest.
Say(
"Config warning: HTTPS functionality ", why);
1151 LoadExtHandlerNoTls(extHIVec, ConfigFN, *myEnv);
1153 {
eDest.
Say(
"Config failure: ", what,
" HTTPS but it ", why);
1163 {
eDest.
Say(
"Config warning: specifying http.key without http.cert "
1164 "is meaningless; ignoring key!");
1172 {
eDest.
Say(
"Config failure: 'httpsmode manual' requires atleast a "
1173 "a cert specification!");
1184 const char *what1 = 0, *what2 = 0, *what3 = 0;
1189 what1 =
"xrd.tls to supply 'cert' and 'key'.";
1193 what2 =
"xrd.tlsca to supply 'cadir'.";
1197 what2 = (what2 ?
"xrd.tlsca to supply 'cadir' and 'cafile'."
1198 :
"xrd.tlsca to supply 'cafile'.");
1202 what3 =
"xrd.tlsca to supply 'refresh' interval.";
1212 {
const char *what = Configed();
1213 const char *why = (
httpsspec ?
"a cadir or cafile was not specified!"
1214 :
"'xrd.tlsca noverify' was specified!");
1216 {
eDest.
Say(
"Config failure: ", what,
" cert verification but ", why);
1224 sslbio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
1229 const char *how =
"completed.";
1230 eDest.
Say(
"++++++ HTTPS initialization started.");
1231 if (!InitTLS()) {NoGo = 1; how =
"failed.";}
1232 eDest.
Say(
"------ HTTPS initialization ", how);
1233 if (NoGo)
return NoGo;
1237 if (LoadExtHandler(extHIVec, ConfigFN, *myEnv))
return 1;
1241 return (InitSecurity() ? NoGo : 1);
1248const char *XrdHttpProtocol::Configed()
1250 if (secxtractor &&
gridmap)
return "gridmap and secxtractor require";
1251 if (secxtractor)
return "secxtractor requires";
1252 if (
gridmap)
return "gridmap requires";
1268 if (myBuffEnd >= myBuffStart) {
1270 for (
char *p = myBuffStart; p < myBuffEnd; p++) {
1275 dest.
assign(myBuffStart, 0, l-1);
1294 for (
char *p = myBuffStart; p < myBuff->
buff + myBuff->
bsize; p++) {
1296 if ((*p ==
'\n') || (*p ==
'\0')) {
1299 dest.
assign(myBuffStart, 0, l-1);
1315 for (
char *p = myBuff->
buff; p < myBuffEnd; p++) {
1317 if ((*p ==
'\n') || (*p ==
'\0')) {
1321 int l1 = myBuff->
buff + myBuff->
bsize - myBuffStart;
1323 dest.
assign(myBuffStart, 0, l1-1);
1327 dest.
insert(myBuffStart, l1, l-1);
1351int XrdHttpProtocol::getDataOneShot(
int blen,
bool wait) {
1366 maxread = std::min(blen, BuffAvailable());
1367 TRACE(
DEBUG,
"getDataOneShot BuffAvailable: " << BuffAvailable() <<
" maxread: " << maxread);
1373 int sslavail = maxread;
1376 int l = SSL_pending(ssl);
1378 sslavail = std::min(maxread, SSL_pending(ssl));
1383 ERR_print_errors(sslbio_err);
1387 TRACE(
DEBUG,
"getDataOneShot sslavail: " << sslavail);
1388 if (sslavail <= 0)
return 0;
1390 if (myBuffEnd - myBuff->
buff >= myBuff->
bsize) {
1392 myBuffEnd = myBuff->
buff;
1395 rlen = SSL_read(ssl, myBuffEnd, sslavail);
1398 ERR_print_errors(sslbio_err);
1405 if (myBuffEnd - myBuff->
buff >= myBuff->
bsize) {
1407 myBuffEnd = myBuff->
buff;
1413 rlen =
Link->
Recv(myBuffEnd, maxread);
1429 TRACE(REQ,
"read " << rlen <<
" of " << blen <<
" bytes");
1436int XrdHttpProtocol::BuffAvailable() {
1439 if (myBuffEnd >= myBuffStart)
1440 r = myBuff->
buff + myBuff->
bsize - myBuffEnd;
1442 r = myBuffStart - myBuffEnd;
1444 if ((r < 0) || (r > myBuff->
bsize)) {
1445 TRACE(REQ,
"internal error, myBuffAvailable: " << r <<
" myBuff->bsize " << myBuff->
bsize);
1458int XrdHttpProtocol::BuffUsed() {
1461 if (myBuffEnd >= myBuffStart)
1462 r = myBuffEnd - myBuffStart;
1465 r = myBuff->
bsize - (myBuffStart - myBuffEnd);
1467 if ((r < 0) || (r > myBuff->
bsize)) {
1468 TRACE(REQ,
"internal error, myBuffUsed: " << r <<
" myBuff->bsize " << myBuff->
bsize);
1481int XrdHttpProtocol::BuffFree() {
1482 return (myBuff->
bsize - BuffUsed());
1489void XrdHttpProtocol::BuffConsume(
int blen) {
1491 if (blen > myBuff->
bsize) {
1492 TRACE(REQ,
"internal error, BuffConsume(" << blen <<
") smaller than buffsize");
1496 if (blen > BuffUsed()) {
1497 TRACE(REQ,
"internal error, BuffConsume(" << blen <<
") larger than BuffUsed:" << BuffUsed());
1501 myBuffStart = myBuffStart + blen;
1503 if (myBuffStart >= myBuff->
buff + myBuff->
bsize)
1504 myBuffStart -= myBuff->
bsize;
1506 if (myBuffEnd >= myBuff->
buff + myBuff->
bsize)
1507 myBuffEnd -= myBuff->
bsize;
1509 if (BuffUsed() == 0)
1510 myBuffStart = myBuffEnd = myBuff->
buff;
1525int XrdHttpProtocol::BuffgetData(
int blen,
char **data,
bool wait) {
1528 TRACE(
DEBUG,
"BuffgetData: requested " << blen <<
" bytes");
1533 if (blen > BuffUsed()) {
1534 TRACE(REQ,
"BuffgetData: need to read " << blen - BuffUsed() <<
" bytes");
1535 if ( getDataOneShot(blen - BuffUsed(),
true) )
1541 if ( !BuffUsed() ) {
1542 if ( getDataOneShot(blen,
false) )
1550 if (myBuffStart <= myBuffEnd) {
1551 rlen = std::min( (
long) blen, (
long)(myBuffEnd - myBuffStart) );
1554 rlen = std::min( (
long) blen, (
long)(myBuff->
buff + myBuff->
bsize - myBuffStart) );
1556 *data = myBuffStart;
1567int XrdHttpProtocol::SendData(
const char *body,
int bodylen) {
1571 if (body && bodylen) {
1572 TRACE(REQ,
"Sending " << bodylen <<
" bytes");
1574 r = SSL_write(ssl, body, bodylen);
1576 ERR_print_errors(sslbio_err);
1582 if (r <= 0)
return -1;
1593int XrdHttpProtocol::StartSimpleResp(
int code,
const char *desc,
const char *header_to_add,
long long bodylen,
bool keepalive) {
1594 std::stringstream ss;
1595 const std::string crlf =
"\r\n";
1597 ss <<
"HTTP/1.1 " << code <<
" ";
1601 if (code == 200) ss <<
"OK";
1602 else if (code == 100) ss <<
"Continue";
1603 else if (code == 206) ss <<
"Partial Content";
1604 else if (code == 302) ss <<
"Redirect";
1605 else if (code == 307) ss <<
"Temporary Redirect";
1606 else if (code == 400) ss <<
"Bad Request";
1607 else if (code == 403) ss <<
"Forbidden";
1608 else if (code == 404) ss <<
"Not Found";
1609 else if (code == 405) ss <<
"Method Not Allowed";
1610 else if (code == 416) ss <<
"Range Not Satisfiable";
1611 else if (code == 500) ss <<
"Internal Server Error";
1612 else if (code == 502) ss <<
"Bad Gateway";
1613 else if (code == 504) ss <<
"Gateway Timeout";
1614 else ss <<
"Unknown";
1617 if (keepalive && (code != 100))
1618 ss <<
"Connection: Keep-Alive" << crlf;
1620 ss <<
"Connection: Close" << crlf;
1622 ss <<
"Server: XrootD/" << XrdVSTRING << crlf;
1631 if ((bodylen >= 0) && (code != 100))
1632 ss <<
"Content-Length: " << bodylen << crlf;
1634 if (header_to_add && (header_to_add[0] !=
'\0'))
1635 ss << header_to_add << crlf;
1639 const std::string &outhdr = ss.str();
1640 TRACEI(RSP,
"Sending resp: " << code <<
" header len:" << outhdr.size());
1641 if (SendData(outhdr.c_str(), outhdr.size()))
1651int XrdHttpProtocol::StartChunkedResp(
int code,
const char *desc,
const char *header_to_add,
long long bodylen,
bool keepalive) {
1652 const std::string crlf =
"\r\n";
1653 std::stringstream ss;
1655 if (header_to_add && (header_to_add[0] !=
'\0')) {
1656 ss << header_to_add << crlf;
1659 ss <<
"Transfer-Encoding: chunked";
1660 TRACEI(RSP,
"Starting chunked response");
1661 return StartSimpleResp(code, desc, ss.str().c_str(), bodylen, keepalive);
1668int XrdHttpProtocol::ChunkResp(
const char *body,
long long bodylen) {
1669 long long content_length = (bodylen <= 0) ? (body ? strlen(body) : 0) : bodylen;
1670 if (ChunkRespHeader(content_length))
1673 if (body && SendData(body, content_length))
1676 return ChunkRespFooter();
1683int XrdHttpProtocol::ChunkRespHeader(
long long bodylen) {
1684 const std::string crlf =
"\r\n";
1685 std::stringstream ss;
1687 ss << std::hex << bodylen << std::dec << crlf;
1689 const std::string &chunkhdr = ss.str();
1690 TRACEI(RSP,
"Sending encoded chunk of size " << bodylen);
1691 return (SendData(chunkhdr.c_str(), chunkhdr.size())) ? -1 : 0;
1698int XrdHttpProtocol::ChunkRespFooter() {
1699 const std::string crlf =
"\r\n";
1700 return (SendData(crlf.c_str(), crlf.size())) ? -1 : 0;
1711int XrdHttpProtocol::SendSimpleResp(
int code,
const char *desc,
const char *header_to_add,
const char *body,
long long bodylen,
bool keepalive) {
1713 long long content_length = bodylen;
1715 content_length = body ? strlen(body) : 0;
1718 if (StartSimpleResp(code, desc, header_to_add, content_length, keepalive) < 0)
1725 return SendData(body, content_length);
1762 sprintf(buf,
"%d",
Port);
1768 rdf = (parms && *parms ? parms : pi->
ConfigFN);
1769 if (rdf && Config(rdf, pi->
theEnv))
return 0;
1774 if ((rdf = getenv(
"XRDROLE"))) {
1777 if (!strcasecmp(rdf,
"manager") || !strcasecmp(rdf,
"supervisor")) {
1779 eDest.
Emsg(
"Config",
"Configured as HTTP(s) redirector.");
1782 eDest.
Emsg(
"Config",
"Configured as HTTP(s) data server.");
1786 eDest.
Emsg(
"Config",
"No XRDROLE specified.");
1805 char *val, keybuf[1024], parmbuf[1024];
1809 val = Config.GetWord();
1810 if (!val || !val[0]) {
1811 err.
Emsg(
"Config",
"No headerkey specified.");
1816 while ( *val && !isalnum(*val) ) val++;
1817 strcpy(keybuf, val);
1821 pp = keybuf + strlen(keybuf) - 1;
1822 while ( (pp >= keybuf) && (!isalnum(*pp)) ) {
1827 parm = Config.GetWord();
1830 if(!parm || !parm[0]) {
1831 err.
Emsg(
"Config",
"No header2cgi value specified. key: '", keybuf,
"'");
1836 while ( *parm && !isalnum(*parm) ) parm++;
1837 strcpy(parmbuf, parm);
1840 pp = parmbuf + strlen(parmbuf) - 1;
1841 while ( (pp >= parmbuf) && (!isalnum(*pp)) ) {
1848 header2cgi[keybuf] = parmbuf;
1850 err.
Emsg(
"Config",
"Can't insert new header2cgi rule. key: '", keybuf,
"'");
1863bool XrdHttpProtocol::InitTLS() {
1888 static const char *sess_ctx_id =
"XrdHTTPSessionCtx";
1889 unsigned int n =(
unsigned int)(strlen(sess_ctx_id)+1);
1895 {
eDest.
Say(
"Config failure: ",
"Unable to set allowable https ciphers!");
1908void XrdHttpProtocol::Cleanup() {
1910 TRACE(ALL,
" Cleanup");
1912 if (
BPool && myBuff) {
1913 BuffConsume(BuffUsed());
1927 int ret = SSL_shutdown(ssl);
1931 #if OPENSSL_VERSION_NUMBER < 0x10100000L
1932 ERR_remove_thread_state(
nullptr);
1936 TRACE(ALL,
" SSL_shutdown failed");
1937 ERR_print_errors(sslbio_err);
1971void XrdHttpProtocol::Reset() {
1973 TRACE(ALL,
" Reset");
1982 myBuffStart = myBuffEnd = 0;
1985 DoneSetInfo =
false;
2029int XrdHttpProtocol::xhttpsmode(
XrdOucStream & Config) {
2035 if (!val || !val[0]) {
2036 eDest.
Emsg(
"Config",
"httpsmode parameter not specified");
2045 else {
eDest.
Emsg(
"Config",
"invalid httpsmode parameter - ", val);
2064int XrdHttpProtocol::xsslverifydepth(
XrdOucStream & Config) {
2070 if (!val || !val[0]) {
2071 eDest.
Emsg(
"Config",
"sslverifydepth value not specified");
2102 if (!val || !val[0]) {
2103 eDest.
Emsg(
"Config",
"HTTP X509 certificate not specified");
2137 if (!val || !val[0]) {
2138 eDest.
Emsg(
"Config",
"HTTP X509 key not specified");
2174 if (!val || !val[0]) {
2175 eDest.
Emsg(
"Config",
"HTTP X509 gridmap file location not specified");
2181 if (!strncmp(val,
"required", 8)) {
2185 if (!val || !val[0]) {
2186 eDest.
Emsg(
"Config",
"HTTP X509 gridmap file missing after [required] "
2194 if (!strcmp(val,
"compatNameGeneration")) {
2197 if (!val || !val[0]) {
2198 eDest.
Emsg(
"Config",
"HTTP X509 gridmap file missing after "
2199 "[compatNameGeneration] parameter");
2225int XrdHttpProtocol::xsslcafile(
XrdOucStream & Config) {
2231 if (!val || !val[0]) {
2232 eDest.
Emsg(
"Config",
"HTTP X509 CAfile not specified");
2258int XrdHttpProtocol::xsecretkey(
XrdOucStream & Config) {
2260 bool inFile =
false;
2265 if (!val || !val[0]) {
2266 eDest.
Emsg(
"Config",
"Shared secret key not specified");
2274 if (val[0] ==
'/') {
2277 int fd =
open(val, O_RDONLY);
2280 eDest.
Emsg(
"Config", errno,
"open shared secret key file", val);
2284 if (
fstat(fd, &st) != 0 ) {
2285 eDest.
Emsg(
"Config", errno,
"fstat shared secret key file", val);
2290 if ( st.st_mode & S_IWOTH & S_IWGRP & S_IROTH) {
2292 "For your own security, the shared secret key file cannot be world readable or group writable '", val,
"'");
2297 FILE *fp = fdopen(fd,
"r");
2299 if ( fp ==
nullptr ) {
2300 eDest.
Emsg(
"Config", errno,
"fdopen shared secret key file", val);
2306 while( fgets(line, 1024, fp) ) {
2310 pp = line + strlen(line) - 1;
2311 while ( (pp >= line) && (!isalnum(*pp)) ) {
2318 while ( *pp && !isalnum(*pp) ) pp++;
2320 if ( strlen(pp) >= 32 ) {
2321 eDest.
Say(
"Config",
"Secret key loaded.");
2333 eDest.
Emsg(
"Config",
"Cannot find useful secretkey in file '", val,
"'");
2338 if ( strlen(val) < 32 ) {
2339 eDest.
Emsg(
"Config",
"Secret key is too short");
2346 if (!inFile)
Config.noEcho();
2370 if (!val || !val[0]) {
2371 eDest.
Emsg(
"Config",
"listingdeny flag not specified");
2377 listdeny = (!strcasecmp(val,
"true") || !strcasecmp(val,
"yes") || !strcmp(val,
"1"));
2396int XrdHttpProtocol::xlistredir(
XrdOucStream & Config) {
2402 if (!val || !val[0]) {
2403 eDest.
Emsg(
"Config",
"listingredir flag not specified");
2429int XrdHttpProtocol::xdesthttps(
XrdOucStream & Config) {
2435 if (!val || !val[0]) {
2436 eDest.
Emsg(
"Config",
"desthttps flag not specified");
2442 isdesthttps = (!strcasecmp(val,
"true") || !strcasecmp(val,
"yes") || !strcmp(val,
"1"));
2461int XrdHttpProtocol::xembeddedstatic(
XrdOucStream & Config) {
2467 if (!val || !val[0]) {
2468 eDest.
Emsg(
"Config",
"embeddedstatic flag not specified");
2474 embeddedstatic = (!strcasecmp(val,
"true") || !strcasecmp(val,
"yes") || !strcmp(val,
"1"));
2493int XrdHttpProtocol::xstaticredir(
XrdOucStream & Config) {
2499 if (!val || !val[0]) {
2500 eDest.
Emsg(
"Config",
"staticredir url not specified");
2528int XrdHttpProtocol::xstaticpreload(
XrdOucStream & Config) {
2529 char *val, *k, key[1024];
2535 eDest.
Emsg(
"Config",
"preloadstatic urlpath not specified");
2544 if (!val || !val[0]) {
2545 eDest.
Emsg(
"Config",
"preloadstatic filename not specified");
2550 int fp =
open(val, O_RDONLY);
2552 eDest.
Emsg(
"Config", errno,
"open preloadstatic filename", val);
2556 StaticPreloadInfo *nfo =
new StaticPreloadInfo;
2558 nfo->data = (
char *)malloc(65536);
2559 nfo->len =
read(fp, (
void *)nfo->data, 65536);
2562 if (nfo->len <= 0) {
2563 eDest.
Emsg(
"Config", errno,
"read from preloadstatic filename", val);
2567 if (nfo->len >= 65536) {
2568 eDest.
Emsg(
"Config",
"Truncated preloadstatic filename. Max is 64 KB '", val,
"'");
2598int XrdHttpProtocol::xstaticheader(
XrdOucStream & Config) {
2599 auto val =
Config.GetWord();
2600 std::vector<std::string> verbs;
2602 if (!val || !val[0]) {
2603 eDest.
Emsg(
"Config",
"http.staticheader requires the header to be specified");
2607 std::string match_verb;
2608 std::string_view val_str(val);
2609 if (val_str.substr(0, 6) ==
"-verb=") {
2610 verbs.emplace_back(val_str.substr(6));
2611 }
else if (val_str ==
"-") {
2612 eDest.
Emsg(
"Config",
"http.staticheader is ignoring unknown flag: ", val_str.data());
2619 if (verbs.empty()) {
2620 verbs.emplace_back();
2623 std::string header = val;
2626 std::string header_value;
2627 if (val && val[0]) {
2631 for (
const auto &verb : verbs) {
2635 }
else if (header_value.empty()) {
2636 iter->second.clear();
2638 iter->second.emplace_back(header, header_value);
2659int XrdHttpProtocol::xselfhttps2http(
XrdOucStream & Config) {
2665 if (!val || !val[0]) {
2666 eDest.
Emsg(
"Config",
"selfhttps2http flag not specified");
2672 selfhttps2http = (!strcasecmp(val,
"true") || !strcasecmp(val,
"yes") || !strcmp(val,
"1"));
2694int XrdHttpProtocol::xsecxtractor(
XrdOucStream& Config) {
2700 if (!val || !val[0]) {
2701 eDest.
Emsg(
"Config",
"No security extractor plugin specified.");
2706 if (!strncmp(val,
"required", 8)) {
2707 isRequiredXtractor =
true;
2710 if (!val || !val[0]) {
2711 eDest.
Emsg(
"Config",
"No security extractor plugin after [required] "
2718 strlcpy(libName, val,
sizeof(libName));
2719 libName[
sizeof(libName) - 1] =
'\0';
2720 char libParms[4096];
2722 if (!
Config.GetRest(libParms, 4095)) {
2723 eDest.
Emsg(
"Config",
"secxtractor config params longer than 4k");
2729 if (LoadSecXtractor(&
eDest, libName, libParms)) {
2755 std::vector<extHInfo> &hiVec) {
2756 char *val, path[1024], namebuf[1024];
2759 bool noTlsOK =
false;
2764 if (!val || !val[0]) {
2765 eDest.
Emsg(
"Config",
"No instance name specified for an http external handler plugin.");
2768 if (strlen(val) >= 16) {
2769 eDest.
Emsg(
"Config",
"Instance name too long for an http external handler plugin.");
2772 strncpy(namebuf, val,
sizeof(namebuf));
2773 namebuf[
sizeof(namebuf)-1 ] =
'\0';
2778 if(val && !strcmp(
"+notls",val)) {
2785 if (!val || !val[0]) {
2786 eDest.
Emsg(
"Config",
"No http external handler plugin specified.");
2789 if (strlen(val) >= (int)
sizeof(path)) {
2790 eDest.
Emsg(
"Config",
"Path too long for an http external handler plugin.");
2802 for (
int i = 0; i < (int)hiVec.size(); i++)
2803 {
if (hiVec[i].extHName == namebuf) {
2804 eDest.
Emsg(
"Config",
"Instance name already present for "
2805 "http external handler plugin",
2806 hiVec[i].extHPath.c_str());
2814 eDest.
Emsg(
"Config",
"Cannot load one more exthandler. Max is 4");
2820 hiVec.push_back(extHInfo(namebuf, path, (parm ? parm :
""), noTlsOK));
2841int XrdHttpProtocol::xheader2cgi(
XrdOucStream & Config) {
2864 if (!val || !val[0]) {
2865 eDest.
Emsg(
"Config",
"HTTP X509 CAdir not specified");
2892int XrdHttpProtocol::xsslcipherfilter(
XrdOucStream & Config) {
2898 if (!val || !val[0]) {
2899 eDest.
Emsg(
"Config",
"SSL cipherlist filter string not specified");
2929 if (!val || !val[0])
2930 {
eDest.
Emsg(
"Config",
"tlsreuse argument not specified");
return 1;}
2934 if (!strcmp(val,
"off"))
2941 if (!strcmp(val,
"on"))
2948 eDest.
Emsg(
"config",
"invalid tlsreuse parameter -", val);
2953 char *val =
Config.GetWord();
2955 if(!strcmp(
"tpc",val)) {
2956 if(!(val =
Config.GetWord())) {
2957 eDest.
Emsg(
"Config",
"http.auth tpc value not specified.");
return 1;
2959 if(!strcmp(
"fcreds",val)) {
2962 eDest.
Emsg(
"Config",
"http.auth tpc value is invalid");
return 1;
2966 eDest.
Emsg(
"Config",
"http.auth value is invalid");
return 1;
2990 static struct traceopts {
3002 int i, neg, trval = 0, numopts =
sizeof (tropts) /
sizeof (
struct traceopts);
3004 if (!(val =
Config.GetWord())) {
3005 eDest.
Emsg(
"config",
"trace option not specified");
3009 if (!strcmp(val,
"off")) trval = 0;
3011 if ((neg = (val[0] ==
'-' && val[1]))) val++;
3012 for (i = 0; i < numopts; i++) {
3013 if (!strcmp(val, tropts[i].opname)) {
3014 if (neg) trval &= ~tropts[i].opval;
3015 else trval |= tropts[i].opval;
3020 eDest.
Emsg(
"config",
"invalid trace option", val);
3039 l = strlen(fname) + 1;
3064 length = fname.
length() + 1;
3076int XrdHttpProtocol::LoadSecXtractor(
XrdSysError *myeDest,
const char *libName,
3077 const char *libParms) {
3081 if (secxtractor)
return 1;
3083 XrdOucPinLoader myLib(myeDest, &compiledVer,
"secxtractorlib", libName);
3089 if (ep && (secxtractor = ep(myeDest, NULL, libParms)))
return 0;
3097int XrdHttpProtocol::LoadExtHandlerNoTls(std::vector<extHInfo> &hiVec,
const char *cFN,
XrdOucEnv &myEnv) {
3098 for (
int i = 0; i < (int) hiVec.size(); i++) {
3099 if(hiVec[i].extHNoTlsOK) {
3101 if (LoadExtHandler(&
eDest, hiVec[i].extHPath.c_str(), cFN,
3102 hiVec[i].extHParm.c_str(), &myEnv,
3103 hiVec[i].extHName.c_str()))
3110int XrdHttpProtocol::LoadExtHandler(std::vector<extHInfo> &hiVec,
3122 for (
int i = 0; i < (int)hiVec.size(); i++) {
3125 if(!ExtHandlerLoaded(hiVec[i].extHName.c_str())) {
3126 if (LoadExtHandler(&
eDest, hiVec[i].extHPath.c_str(), cFN,
3127 hiVec[i].extHParm.c_str(), &myEnv,
3128 hiVec[i].extHName.c_str()))
return 1;
3135int XrdHttpProtocol::LoadExtHandler(
XrdSysError *myeDest,
const char *libName,
3136 const char *configFN,
const char *libParms,
3137 XrdOucEnv *myEnv,
const char *instName) {
3141 if (ExtHandlerLoaded(instName)) {
3142 eDest.
Emsg(
"Config",
"Instance name already present for an http external handler plugin.");
3146 eDest.
Emsg(
"Config",
"Cannot load one more exthandler. Max is 4");
3150 XrdOucPinLoader myLib(myeDest, &compiledVer,
"exthandlerlib", libName);
3158 if (ep && (newhandler = ep(myeDest, configFN, libParms, myEnv))) {
3161 strncpy( exthandler[exthandlercnt].name, instName, 16 );
3162 exthandler[exthandlercnt].name[15] =
'\0';
3163 exthandler[exthandlercnt++].ptr = newhandler;
3176bool XrdHttpProtocol::ExtHandlerLoaded(
const char *handlername) {
3177 for (
int i = 0; i < exthandlercnt; i++) {
3178 if ( !strncmp(exthandler[i].name, handlername, 15) ) {
3189 for (
int i = 0; i < exthandlercnt; i++) {
3191 return exthandler[i].ptr;
struct ClientSetRequest set
struct ClientQueryRequest query
struct ClientStatRequest stat
#define XrdHttpExtHandlerArgs
int BIO_get_init(BIO *bio)
int BIO_get_shutdown(BIO *bio)
int BIO_get_flags(BIO *bio)
static int BIO_XrdLink_create(BIO *bio)
const char * XrdHttpSecEntityTident
void BIO_set_init(BIO *bio, int init)
int BIO_XrdLink_write(BIO *bio, const char *data, size_t datal, size_t *written)
#define HTTPS_ALERT(x, y, z)
static long BIO_XrdLink_ctrl(BIO *bio, int cmd, long num, void *ptr)
void BIO_set_shutdown(BIO *bio, int shut)
XrdSysTrace XrdHttpTrace("http")
static int BIO_XrdLink_read(BIO *bio, char *data, size_t datal, size_t *read)
void BIO_set_data(BIO *bio, void *ptr)
static int BIO_XrdLink_destroy(BIO *bio)
#define XRHTTP_TK_GRACETIME
static XrdVERSIONINFODEF(compiledVer, XrdHttpProtocolTest, XrdVNUMBER, XrdVERSION)
void * BIO_get_data(BIO *bio)
void BIO_set_flags(BIO *bio, int flags)
A pragmatic implementation of the HTTP/DAV protocol for the Xrd framework.
#define MAX_XRDHTTPEXTHANDLERS
#define XrdHttpSecXtractorArgs
int compareHash(const char *h1, const char *h2)
char * unquote(char *str)
void calcHashes(char *hash, const char *fn, kXR_int16 request, XrdSecEntity *secent, time_t tim, const char *key)
Utility functions for XrdHTTP.
std::string obfuscateAuth(const std::string &input)
#define TLS_SET_VDEPTH(cOpts, vdv)
#define TLS_SET_REFINT(cOpts, refi)
void Release(XrdBuffer *bp)
XrdBuffer * Obtain(int bsz)
const std::vector< std::string > & getNonIANAConfiguredCksums() const
void configure(const char *csList)
static char * secretkey
The key used to calculate the url hashes.
static BIO_METHOD * m_bio_method
C-style vptr table for our custom BIO objects.
static char * gridmap
Gridmap file location. The same used by XrdSecGsi.
static XrdScheduler * Sched
static kXR_int32 myRole
Our role.
static XrdNetPMark * pmarkHandle
Packet marking handler pointer (assigned from the environment during the Config() call)
static char * Port_str
Our port, as a string.
XrdXrootd::Bridge * Bridge
The Bridge that we use to exercise the xrootd internals.
static char * staticredir
static bool selfhttps2http
If client is HTTPS, self-redirect with HTTP+token.
static XrdHttpChecksumHandler cksumHandler
static int hailWait
Timeout for reading the handshake.
int doChksum(const XrdOucString &fname)
Perform a checksum request.
static XrdOucHash< StaticPreloadInfo > * staticpreload
static char * xrd_cslist
The list of checksums that were configured via the xrd.cksum parameter on the server config file.
static char * sslcipherfilter
static int m_bio_type
Type identifier for our custom BIO objects.
static std::map< std::string, std::string > hdr2cgimap
Rules that turn HTTP headers to cgi tokens in the URL, for internal comsumption.
static char * sslcert
OpenSSL stuff.
XrdLink * Link
The link we are bound to.
int doStat(char *fname)
Perform a Stat request.
XrdObject< XrdHttpProtocol > ProtLink
static int readWait
Timeout for reading data.
void Recycle(XrdLink *lp, int consec, const char *reason)
Recycle this instance.
static std::unordered_map< std::string, std::vector< std::pair< std::string, std::string > > > m_staticheader_map
The static headers to always return; map is from verb to a list of (header, val) pairs.
XrdHttpProtocol operator=(const XrdHttpProtocol &rhs)
static bool compatNameGeneration
static bool isdesthttps
True if the redirections must be towards https targets.
static XrdObjectQ< XrdHttpProtocol > ProtStack
XrdProtocol * Match(XrdLink *lp)
Tells if the oustanding bytes on the socket match this protocol implementation.
static bool isRequiredGridmap
static char * listredir
Url to redirect to in the case a listing is requested.
int Stats(char *buff, int blen, int do_sync=0)
Get activity stats.
static int crlRefIntervalSec
CRL thread refresh interval.
static XrdHttpReadRangeHandler::Configuration ReadRangeConfig
configuration for the read range handler
static XrdSecService * CIA
static XrdBuffManager * BPool
static std::unordered_map< std::string, std::string > m_staticheaders
static bool tpcForwardCreds
If set to true, the HTTP TPC transfers will forward the credentials to redirected hosts.
int Process(XrdLink *lp)
Process data incoming from the socket.
XrdHttpProtocol(const XrdHttpProtocol &)=default
Ctor, dtors and copy ctor.
static bool listdeny
If true, any form of listing is denied.
static int parseHeader2CGI(XrdOucStream &Config, XrdSysError &err, std::map< std::string, std::string > &header2cgi)
Use this function to parse header2cgi configurations.
XrdSecEntity SecEntity
Authentication area.
static bool embeddedstatic
If true, use the embedded css and icons.
static int sslverifydepth
Depth of verification of a certificate chain.
static int Configure(char *parms, XrdProtocol_Config *pi)
Read and apply the configuration.
static int Configure(XrdSysError &Eroute, const char *const parms, Configuration &cfg)
int reqstate
State machine to talk to the bridge.
XrdOucString resource
The resource specified by the request, stripped of opaque data.
bool headerok
Tells if we have finished reading the header.
const std::string & userAgent() const
ReqType request
The request we got.
XrdOucEnv * opaque
The opaque data, after parsing.
int parseFirstLine(char *line, int len)
Parse the first line of the header.
int parseLine(char *line, int len)
Parse the header.
void appendOpaque(XrdOucString &s, XrdSecEntity *secent, char *hash, time_t tnow)
ClientRequest xrdreq
The last issued xrd request, often pending.
virtual int InitSSL(SSL *, char *)
virtual int FreeSSL(SSL *)
int setEtext(const char *text)
int Peek(char *buff, int blen, int timeout=-1)
int Recv(char *buff, int blen)
const XrdNetAddr * NetAddr() const
XrdNetAddrInfo * AddrInfo()
int Send(const char *buff, int blen)
static const int noPort
Do not add port number.
int Format(char *bAddr, int bLen, fmtUse fmtType=fmtAuto, int fmtOpts=0)
@ fmtAddr
Address using suitable ipv4 or ipv6 format.
void SetDialect(const char *dP)
void Set(int inQMax, time_t agemax=1800)
void Push(XrdObject< T > *Node)
static bool Import(const char *var, char *&val)
char * Get(const char *varname)
void * GetPtr(const char *varname)
void Put(const char *varname, const char *value)
T * Rep(const char *KeyVal, T *KeyData, const int LifeTime=0, XrdOucHash_Options opt=Hash_default)
void insert(const int i, int start=-1)
void assign(const char *s, int j, int k=-1)
const char * c_str() const
char * vorg
Entity's virtual organization(s)
int credslen
Length of the 'creds' data.
XrdNetAddrInfo * addrInfo
Entity's connection details.
const char * tident
Trace identifier always preset.
char prot[XrdSecPROTOIDSIZE]
Auth protocol used (e.g. krb5)
char * caps
Entity's capabilities.
char * creds
Raw entity credentials or cert.
char * grps
Entity's group name(s)
void Reset(const char *spV=0)
char * name
Entity's name.
char * role
Entity's role(s)
char * endorsements
Protocol specific endorsements.
void Display(XrdSysError &mDest)
char * moninfo
Information for monitoring.
char * host
Entity's host name dnr dependent.
int Emsg(const char *esfx, int ecode, const char *text1, const char *text2=0)
void Say(const char *text1, const char *text2=0, const char *txt3=0, const char *text4=0, const char *text5=0, const char *txt6=0)
XrdSysLogger * logger(XrdSysLogger *lp=0)
void SetLogger(XrdSysLogger *logp)
int SessionCache(int opts=scNone, const char *id=0, int idlen=0)
static const int DEFAULT_CRL_REF_INT_SEC
Default CRL refresh interval in seconds.
static const uint64_t servr
This is a server context.
static const uint64_t rfCRL
Turn on the CRL refresh thread.
static const uint64_t logVF
Log verify failures.
static const uint64_t artON
Auto retry Handshake.
const CTX_Params * GetParams()
static const int scOff
Turn off cache.
bool SetContextCiphers(const char *ciphers)
static const int scSrvr
Turn on cache server mode (default)
static Bridge * Login(Result *rsltP, XrdLink *linkP, XrdSecEntity *seceP, const char *nameP, const char *protP)
virtual bool Run(const char *xreqP, char *xdataP=0, int xdataL=0)=0
std::string cafile
-> ca cert file.
std::string cadir
-> ca cert directory.
int crlRT
crl refresh interval time in seconds
std::string pkey
-> private key path.
std::string cert
-> certificate path.