Fixes issue CTA#194, check admin user is valid for admin commands

xroot_plugins/XrdSsiCtaRequestMessage.cpp

@@ -76,6 +76,12 @@ void RequestMessage::process(const cta::xrd::Request &request, cta::xrd::Respons
       using namespace cta::xrd;
 
       case Request::kAdmincmd:
+         // Validate that the Kerberos user is an authorized CTA Admin user
+         if(m_protocol != Protocol::KRB5) {
+            throw cta::exception::Exception("[ERROR] Admin commands must be authenticated using the Kerberos 5 protocol.");
+         }
+         m_scheduler.authorizeAdmin(m_cliIdentity, m_lc);
+
          // Validate the Protocol Buffer and import options into maps
          importOptions(request.admincmd());
 

xroot_plugins/XrdSsiCtaRequestMessage.hpp

@@ -39,6 +39,10 @@ public:
       m_lc       (service->getLogContext()) {
          m_cliIdentity.username = client.name;
          m_cliIdentity.host     = client.host;
+
+         // Map the client protcol string to an enum value
+         auto proto_it = m_protomap.find(client.prot);
+         m_protocol = proto_it != m_protomap.end() ? proto_it->second : Protocol::OTHER;
       }
 
    /*!
@@ -257,12 +261,22 @@ private:
       return opt_it != m_option_bool.end() && opt_it->second;
    }
 
+   // Security protocol used to connect
+
+   enum class Protocol { SSS, KRB5, OTHER };
+
+   const std::map<std::string, Protocol> m_protomap = {
+      { "sss",  Protocol::SSS  },
+      { "krb5", Protocol::KRB5 },
+   };
+
    // Member variables
 
+   Protocol                                                m_protocol;               //!< The protocol the client used to connect
+   cta::common::dataStructures::SecurityIdentity           m_cliIdentity;            //!< Client identity: username/host
    cta::catalogue::Catalogue                              &m_catalogue;              //!< Reference to CTA Catalogue
    cta::Scheduler                                         &m_scheduler;              //!< Reference to CTA Scheduler
    cta::log::LogContext                                    m_lc;                     //!< CTA Log Context
-   cta::common::dataStructures::SecurityIdentity           m_cliIdentity;            //!< The client identity info: username and host
    std::map<cta::admin::OptionBoolean::Key, bool>          m_option_bool;            //!< Boolean options
    std::map<cta::admin::OptionUInt64::Key,  uint64_t>      m_option_uint64;          //!< UInt64 options
    std::map<cta::admin::OptionString::Key,  std::string>   m_option_str;             //!< String options

xroot_plugins/XrdSsiCtaServiceProvider.cpp

@@ -61,6 +61,13 @@ namespace XrdSsiPb {
 template<>
 bool Service<cta::xrd::Request, cta::xrd::Response, cta::xrd::Alert>::Prepare(XrdSsiErrInfo &eInfo, const XrdSsiResource &resource)
 {
+   if(resource.client == nullptr || resource.client->name == nullptr)
+   {
+      eInfo.Set("Service::Prepare(): XRootD client name is not set. "
+         "Possible misconfiguration of the KRB5 or SSS keyfile.", EACCES);
+      return false;
+   }
+
 #ifdef XRDSSI_DEBUG
    std::cerr << "[DEBUG] Service::Prepare():" << std::endl;
    std::cerr << "[DEBUG]    Resource name: " << resource.rName << std::endl
@@ -82,14 +89,8 @@ bool Service<cta::xrd::Request, cta::xrd::Response, cta::xrd::Alert>::Prepare(Xr
              << (resource.rOpts & XrdSsiResource::Reusable ? "Resuable " : "")
              << (resource.rOpts & XrdSsiResource::Discard  ? "Discard"   : "")
              << std::endl;
-#endif
-   if(resource.client == nullptr || resource.client->name == nullptr)
-   {
-      eInfo.Set("Service::Prepare(): XRootD client name is not set. "
-         "Possible misconfiguration of the KRB5 or SSS keyfile.", EACCES);
-      return false;
-   }
-#ifdef XRDSSI_DEBUG
+
+   std::cerr << "[DEBUG]    Resource client protocol: " << resource.client->prot << std::endl;
    std::cerr << "[DEBUG]    Resource client name: " << resource.client->name << std::endl;
 #endif