XRootD
XrdSciTokensAccess.cc File Reference
#include "XrdAcc/XrdAccAuthorize.hh"
#include "XrdOuc/XrdOucEnv.hh"
#include "XrdOuc/XrdOucGatherConf.hh"
#include "XrdOuc/XrdOucPrivateUtils.hh"
#include "XrdSec/XrdSecEntity.hh"
#include "XrdSec/XrdSecEntityAttr.hh"
#include "XrdSys/XrdSysLogger.hh"
#include "XrdTls/XrdTlsContext.hh"
#include "XrdVersion.hh"
#include <map>
#include <memory>
#include <mutex>
#include <string>
#include <vector>
#include <sstream>
#include <fstream>
#include <unordered_map>
#include <tuple>
#include "fcntl.h"
#include "INIReader.h"
#include "picojson.h"
#include "scitokens/scitokens.h"
#include "XrdSciTokens/XrdSciTokensAccess.hh"
#include "XrdSciTokens/XrdSciTokensHelper.hh"
#include "XrdSciTokens/XrdSciTokensMon.hh"
+ Include dependency graph for XrdSciTokensAccess.cc:

Go to the source code of this file.

Classes

class  XrdAccSciTokens
 

Functions

bool AuthorizesRequiredIssuers (Access_Operation client_oper, const std::string_view &path, const std::vector< std::pair< std::unique_ptr< SubpathMatch >, std::string >> &required_issuers, const std::vector< std::shared_ptr< XrdAccRules >> &access_rules_list)
 
void InitAccSciTokens (XrdSysLogger *lp, const char *cfn, const char *parm, XrdAccAuthorize *accP, XrdOucEnv *envP)
 
XrdAccAuthorizeXrdAccAuthorizeObjAdd (XrdSysLogger *lp, const char *cfn, const char *parm, XrdOucEnv *envP, XrdAccAuthorize *accP)
 
XrdAccAuthorizeXrdAccAuthorizeObject (XrdSysLogger *lp, const char *cfn, const char *parm)
 
XrdAccAuthorizeXrdAccAuthorizeObject2 (XrdSysLogger *lp, const char *cfn, const char *parm, XrdOucEnv *envP)
 
 XrdVERSIONINFO (XrdAccAuthorizeObjAdd, XrdAccSciTokens)
 
 XrdVERSIONINFO (XrdAccAuthorizeObject, XrdAccSciTokens)
 

Variables

XrdAccSciTokensaccSciTokens = nullptr
 
XrdSciTokensHelperSciTokensHelper = nullptr
 

Function Documentation

◆ AuthorizesRequiredIssuers()

bool AuthorizesRequiredIssuers ( Access_Operation  client_oper,
const std::string_view &  path,
const std::vector< std::pair< std::unique_ptr< SubpathMatch >, std::string >> &  required_issuers,
const std::vector< std::shared_ptr< XrdAccRules >> &  access_rules_list 
)

Definition at line 370 of file XrdSciTokensAccess.cc.

373 {
374 
375  // Translate the client-attempted operation to one of the simpler operations we've defined.
376  Access_Operation oper;
377  switch (client_oper) {
378  case AOP_Any:
379  return false; // Invalid request
380  break;
381  case AOP_Chmod: [[fallthrough]];
382  case AOP_Chown: [[fallthrough]];
383  case AOP_Create: [[fallthrough]];
384  case AOP_Excl_Create: [[fallthrough]];
385  case AOP_Delete: [[fallthrough]];
386  case AOP_Excl_Insert: [[fallthrough]];
387  case AOP_Insert: [[fallthrough]];
388  case AOP_Lock:
389  oper = AOP_Create;
390  break;
391  case AOP_Mkdir:
392  oper = AOP_Mkdir;
393  break;
394  case AOP_Read:
395  oper = AOP_Read;
396  break;
397  case AOP_Readdir:
398  oper = AOP_Readdir;
399  break;
400  case AOP_Rename:
401  oper = AOP_Create;
402  break;
403  case AOP_Stat:
404  oper = AOP_Stat;
405  break;
406  case AOP_Update:
407  oper = AOP_Update;
408  break;
409  default:
410  return false; // Invalid request
411  };
412 
413  // Iterate through all the required issuers
414  for (const auto &info : required_issuers) {
415  // See if this issuer is required for this path/operation.
416  if (info.first->apply(oper, path)) {
417  bool has_authz = false;
418  // If so, see if one of the tokens (a) is from this issuer and (b) authorizes the request.
419  for (const auto &rules : access_rules_list) {
420  if (rules->get_issuer() == info.second && rules->apply(oper, path)) {
421  has_authz = true;
422  break;
423  }
424  }
425  if (!has_authz) {
426  return false;
427  }
428  }
429  }
430  return true;
431 }
Access_Operation
The following are supported operations.
@ AOP_Delete
rm() or rmdir()
@ AOP_Mkdir
mkdir()
@ AOP_Update
open() r/w or append
@ AOP_Create
open() with create
@ AOP_Readdir
opendir()
@ AOP_Chmod
chmod()
@ AOP_Any
Special for getting privs.
@ AOP_Stat
exists(), stat()
@ AOP_Rename
mv() for source
@ AOP_Read
open() r/o, prepare()
@ AOP_Excl_Create
open() with O_EXCL|O_CREAT
@ AOP_Insert
mv() for target
@ AOP_Lock
n/a
@ AOP_Chown
chown()
@ AOP_Excl_Insert
mv() where destination doesn't exist.

References AOP_Any, AOP_Chmod, AOP_Chown, AOP_Create, AOP_Delete, AOP_Excl_Create, AOP_Excl_Insert, AOP_Insert, AOP_Lock, AOP_Mkdir, AOP_Read, AOP_Readdir, AOP_Rename, AOP_Stat, and AOP_Update.

Referenced by XrdAccSciTokens::Access().

+ Here is the caller graph for this function:

◆ InitAccSciTokens()

void InitAccSciTokens ( XrdSysLogger lp,
const char *  cfn,
const char *  parm,
XrdAccAuthorize accP,
XrdOucEnv envP 
)

Definition at line 1442 of file XrdSciTokensAccess.cc.

1444 {
1445  try {
1446  accSciTokens = new XrdAccSciTokens(lp, parm, accP, envP);
1448  } catch (std::exception &) {
1449  }
1450 }
XrdAccSciTokens * accSciTokens
XrdSciTokensHelper * SciTokensHelper
XrdOucEnv * envP
Definition: XrdPss.cc:109

References accSciTokens, XrdProxy::envP, and SciTokensHelper.

Referenced by XrdAccAuthorizeObjAdd(), XrdAccAuthorizeObject(), and XrdAccAuthorizeObject2().

+ Here is the caller graph for this function:

◆ XrdAccAuthorizeObjAdd()

XrdAccAuthorize* XrdAccAuthorizeObjAdd ( XrdSysLogger lp,
const char *  cfn,
const char *  parm,
XrdOucEnv envP,
XrdAccAuthorize accP 
)

Definition at line 1454 of file XrdSciTokensAccess.cc.

1459 {
1460  // Record the parent authorization plugin. There is no need to use
1461  // unique_ptr as all of this happens once in the main and only thread.
1462  //
1463 
1464  // If we have been initialized by a previous load, them return that result.
1465  // Otherwise, it's the first time through, get a new SciTokens authorizer.
1466  //
1467  if (!accSciTokens) InitAccSciTokens(lp, cfn, parm, accP, envP);
1468  return accSciTokens;
1469 }
void InitAccSciTokens(XrdSysLogger *lp, const char *cfn, const char *parm, XrdAccAuthorize *accP, XrdOucEnv *envP)

References accSciTokens, XrdProxy::envP, and InitAccSciTokens().

+ Here is the call graph for this function:

◆ XrdAccAuthorizeObject()

XrdAccAuthorize* XrdAccAuthorizeObject ( XrdSysLogger lp,
const char *  cfn,
const char *  parm 
)

Definition at line 1471 of file XrdSciTokensAccess.cc.

1474 {
1475  InitAccSciTokens(lp, cfn, parm, nullptr, nullptr);
1476  return accSciTokens;
1477 }

References accSciTokens, and InitAccSciTokens().

+ Here is the call graph for this function:

◆ XrdAccAuthorizeObject2()

XrdAccAuthorize* XrdAccAuthorizeObject2 ( XrdSysLogger lp,
const char *  cfn,
const char *  parm,
XrdOucEnv envP 
)

Definition at line 1479 of file XrdSciTokensAccess.cc.

1483 {
1484  InitAccSciTokens(lp, cfn, parm, nullptr, envP);
1485  return accSciTokens;
1486 }

References accSciTokens, XrdProxy::envP, and InitAccSciTokens().

+ Here is the call graph for this function:

◆ XrdVERSIONINFO() [1/2]

XrdVERSIONINFO ( XrdAccAuthorizeObjAdd  ,
XrdAccSciTokens   
)

◆ XrdVERSIONINFO() [2/2]

XrdVERSIONINFO ( XrdAccAuthorizeObject  ,
XrdAccSciTokens   
)

Variable Documentation

◆ accSciTokens

◆ SciTokensHelper

XrdSciTokensHelper* SciTokensHelper = nullptr

Definition at line 37 of file XrdSciTokensAccess.cc.

Referenced by InitAccSciTokens().