XrdAccRules Class Reference

#include <XrdSciTokensAccess.hh>


Public Member Functions

 XrdAccRules (uint64_t expiry_time, const std::string &username, const std::string &token_subject, const std::string &issuer, const std::vector< MapRule > &rules, const std::vector< std::string > &groups, uint32_t authz_strategy, AuthzSetting acceptable_authz)
 
 ~XrdAccRules ()
 
bool acceptable_authz (Access_Operation oper) const
 
bool apply (Access_Operation oper, const std::string_view path)
 
bool expired () const
 
uint32_t get_authz_strategy () const
 
const std::string & get_default_username () const
 
const std::string & get_issuer () const
 
const std::string & get_token_subject () const
 
std::string get_username (const std::string_view &req_path) const
 
const std::vector< std::string > & groups () const
 
void parse (const AccessRulesRaw &rules)
 
size_t size () const
 
const std::string str () const
 

Detailed Description

Encapsulates the access rules and identity information derived from a single token: the coarse read/write gate (acceptable_authz()), the per-path rules installed by parse() and evaluated by apply(), and the identity-mapping rules consulted by get_username().

The access rules are derived from the token's claims. The object is intended to live in a cache, so a caller must check expired() before relying on a cached instance; expiry is measured with monotonic_time(), so the deadline handed to the constructor must be in that clock's domain, not a raw wall-clock value. Note that expired(), acceptable_authz() and apply() are independent checks: none of them consults the other two, so an authorization decision has to combine all three.

Definition at line 137 of file XrdSciTokensAccess.hh.

Constructor & Destructor Documentation

◆ XrdAccRules()

XrdAccRules::XrdAccRules ( uint64_t  expiry_time,
const std::string &  username,
const std::string &  token_subject,
const std::string &  issuer,
const std::vector< MapRule > &  rules,
const std::vector< std::string > &  groups,
uint32_t  authz_strategy,
AuthzSetting  acceptable_authz 
)
inline

Definition at line 140 of file XrdSciTokensAccess.hh.

// Stores the token-derived identity and policy knobs; nothing is validated here.
// `rules` are the identity-mapping rules later consulted by get_username(); the
// path authorization rules are installed separately via parse(), so m_matcher is
// left default-constructed by this constructor.
// `expiry_time` is compared against monotonic_time() in expired(), so it must be a
// deadline in that clock's domain -- NOTE(review): confirm the caller does not pass
// a raw wall-clock / JWT "exp" value here.
:
    m_authz_strategy(authz_strategy),      // opaque selector exposed by get_authz_strategy(); not interpreted here
    m_acceptable_authz(acceptable_authz),  // coarse All/None/Read/Write gate applied by acceptable_authz()
    m_expiry_time(expiry_time),
    m_username(username),                  // default username; also handed to MapRule::match() by get_username()
    m_token_subject(token_subject),
    m_issuer(issuer),
    m_map_rules(rules),                    // identity-mapping rules, evaluated in order by get_username()
    m_groups(groups)
{}

◆ ~XrdAccRules()

XrdAccRules::~XrdAccRules ( )
inline

Definition at line 153 of file XrdSciTokensAccess.hh.

// Nothing to release by hand: the std::string / std::vector members and the
// SubpathMatch member manage their own storage, so the compiler-generated
// destructor is sufficient.
// NOTE(review): any user-declared destructor, even a defaulted one, suppresses the
// implicit move constructor/assignment; removing the declaration outright (Rule of
// Zero) would let cached entries be moved instead of copied.
~XrdAccRules() = default;

Member Function Documentation

◆ acceptable_authz()

bool XrdAccRules::acceptable_authz ( Access_Operation  oper) const
inline

Definition at line 187 of file XrdSciTokensAccess.hh.

// Coarse per-operation gate derived from the configured AuthzSetting.
//
// Only AOP_Read, AOP_Readdir and AOP_Stat are treated as "read"; every other
// Access_Operation (including any value added later) is treated as a write and
// therefore needs AuthzSetting::Write.  Consequently an unknown operation fails
// closed under the Read setting but is accepted under the Write setting.
// AuthzSetting::Write does NOT imply read access: a read operation returns false
// under it.  Only All accepts both classes; None accepts nothing.
bool acceptable_authz(Access_Operation oper) const
{
    switch (m_acceptable_authz) {
    case AuthzSetting::All:  return true;   // every operation is acceptable
    case AuthzSetting::None: return false;  // nothing is acceptable
    default: break;                         // Read / Write: decide by operation class
    }
    const bool read_class = (oper == AOP_Read) || (oper == AOP_Readdir) || (oper == AOP_Stat);
    const AuthzSetting required = read_class ? AuthzSetting::Read : AuthzSetting::Write;
    return m_acceptable_authz == required;
}
Operations classified as reads above: AOP_Read (open() r/o, prepare()), AOP_Readdir (opendir()) and AOP_Stat (exists(), stat()).

References All, AOP_Read, AOP_Readdir, AOP_Stat, None, Read, and Write.

◆ apply()

bool XrdAccRules::apply ( Access_Operation  oper,
const std::string_view  path 
)
inline

Definition at line 155 of file XrdSciTokensAccess.hh.

// Path-level authorization: delegates to the SubpathMatch installed by parse().
// Returns the matcher's verdict for (oper, path) and nothing else -- this method
// does not consult expired() or acceptable_authz(), so a caller that wants a
// complete decision has to check those separately.
// NOTE(review): SubpathMatch::apply is const, so this forwarder could be declared
// const as well.
bool apply(Access_Operation oper, const std::string_view path)
{
    const bool permitted = m_matcher.apply(oper, path);
    return permitted;
}

References SubpathMatch::apply().


◆ expired()

bool XrdAccRules::expired ( ) const

Definition at line 351 of file XrdSciTokensAccess.cc.

// True once the monotonic clock has passed the deadline given at construction.
// Because the comparison uses monotonic_time() rather than wall-clock time,
// m_expiry_time must have been derived in the same clock domain.  The comparison
// is strict: a deadline exactly equal to "now" is not yet expired.
// NOTE(review): this class never evicts itself; whoever owns the cache must call
// this before trusting a cached entry.
bool XrdAccRules::expired() const
{
    const auto now = monotonic_time();
    return m_expiry_time < now;
}

◆ get_authz_strategy()

uint32_t XrdAccRules::get_authz_strategy ( ) const
inline

Definition at line 186 of file XrdSciTokensAccess.hh.

// Authorization-strategy selector captured at construction.  The bit layout is
// defined by the caller; this class stores it verbatim and never interprets it.
uint32_t get_authz_strategy() const
{
    return m_authz_strategy;
}

◆ get_default_username()

const std::string& XrdAccRules::get_default_username ( ) const
inline

Definition at line 183 of file XrdSciTokensAccess.hh.

// The username supplied at construction, unmodified.  This is NOT the per-path
// mapping: use get_username(path) to run the MapRule list.  The reference stays
// valid for the lifetime of this object.
const std::string& get_default_username() const
{
    return m_username;
}

◆ get_issuer()

const std::string& XrdAccRules::get_issuer ( ) const
inline

Definition at line 184 of file XrdSciTokensAccess.hh.

// Issuer string recorded at construction (taken from the token), returned by
// reference; valid as long as this object lives.
const std::string& get_issuer() const
{
    return m_issuer;
}

◆ get_token_subject()

const std::string& XrdAccRules::get_token_subject ( ) const
inline

Definition at line 182 of file XrdSciTokensAccess.hh.

// Token subject recorded at construction, returned by reference; valid as long
// as this object lives.  It is also the first input to every MapRule::match()
// call made by get_username().
const std::string& get_token_subject() const
{
    return m_token_subject;
}

◆ get_username()

std::string XrdAccRules::get_username ( const std::string_view &  req_path) const
inline

Definition at line 166 of file XrdSciTokensAccess.hh.

// Resolves the username to use for `req_path` by running the identity-mapping
// rules in the order they were supplied; the first rule that yields a non-empty
// name wins, so rule order is significant.
// Returns an empty string when no rule matches.  NOTE(review): callers must treat
// the empty result as "no mapped identity" and not authorize on a blank username.
std::string get_username(const std::string_view &req_path) const
{
    for (const MapRule &rule : m_map_rules) {
        std::string mapped = rule.match(m_token_subject, m_username, req_path, m_groups);
        if (mapped.empty()) {
            continue;   // this rule did not apply; try the next one
        }
        return mapped;
    }
    return "";
}

◆ groups()

const std::vector<std::string>& XrdAccRules::groups ( ) const
inline

Definition at line 197 of file XrdSciTokensAccess.hh.

// Group list recorded at construction, returned by reference to the internal
// vector; valid as long as this object lives.  Also passed to MapRule::match()
// by get_username().
const std::vector<std::string>& groups() const
{
    return m_groups;
}

◆ parse()

void XrdAccRules::parse ( const AccessRulesRaw rules)
inline

Definition at line 162 of file XrdSciTokensAccess.hh.

// Installs the path authorization rules consulted by apply() and size().
// The matcher is replaced wholesale, so a second call discards everything the
// first call installed rather than merging with it.  Despite the name, no
// parsing happens here beyond whatever SubpathMatch's constructor does.
void parse(const AccessRulesRaw &rules)
{
    m_matcher = SubpathMatch{rules};
}

◆ size()

size_t XrdAccRules::size ( ) const
inline

Definition at line 196 of file XrdSciTokensAccess.hh.

// Number of entries in the path matcher installed by parse(); what exactly is
// counted is defined by SubpathMatch::size().  Identity-mapping rules are not
// included in this count.
size_t size() const
{
    return m_matcher.size();
}

References SubpathMatch::size().


◆ str()

const std::string XrdAccRules::str ( ) const

Definition at line 332 of file XrdSciTokensAccess.cc.

// Human-readable one-line summary for logs and diagnostics: mapped username,
// subject and issuer, then the comma-joined group list (only when non-empty) and
// the path authorizations (only when the matcher is non-empty).
// Nothing is escaped: subject, issuer and group names come from the token and are
// rendered verbatim, so treat the result as untrusted text when it is written to a
// shared log.
const std::string XrdAccRules::str() const
{
    std::stringstream out;
    out << "mapped_username=" << m_username
        << ", subject=" << m_token_subject
        << ", issuer=" << m_issuer;
    if (!m_groups.empty()) {
        out << ", groups=";
        for (size_t i = 0; i < m_groups.size(); ++i) {
            if (i != 0) out << ',';   // separator before every group except the first
            out << m_groups[i];
        }
    }
    if (!m_matcher.empty()) {
        out << ", authorizations=" << m_matcher.str();
    }
    return out.str();
}

References SubpathMatch::empty(), and SubpathMatch::str().

