10 #include "XrdVersion.hh"
19 #include <unordered_map>
24 #include "INIReader.h"
27 #include "scitokens/scitokens.h"
50 if (mask == LogMask::All) {
return "all";}
52 bool has_entry =
false;
59 ss << (has_entry ?
", " :
"") <<
"info";
63 ss << (has_entry ?
", " :
"") <<
"warning";
67 ss << (has_entry ?
", " :
"") <<
"error";
73 inline uint64_t monotonic_time() {
75 #ifdef CLOCK_MONOTONIC_COARSE
76 clock_gettime(CLOCK_MONOTONIC_COARSE, &tp);
78 clock_gettime(CLOCK_MONOTONIC, &tp);
80 return tp.tv_sec + (tp.tv_nsec >= 500000000);
85 int new_privs = privs;
153 std::unordered_map<std::string, std::unique_ptr<std::stringstream>> rule_map;
154 for (
const auto &rule : rules) {
155 auto iter = rule_map.find(rule.second);
156 if (iter == rule_map.end()) {
157 auto result = rule_map.insert(std::make_pair(rule.second, std::make_unique<std::stringstream>()));
159 *(iter->second) << OpToName(rule.first);
161 *(iter->second) <<
"," << OpToName(rule.first);
164 std::stringstream ss;
166 for (
const auto &val : rule_map) {
167 ss << (first ?
"" :
";") << val.first <<
":" << val.second->str();
173 bool MakeCanonical(
const std::string &path, std::string &result)
175 if (path.empty() || path[0] !=
'/') {
return false;}
178 std::vector<std::string> components;
180 while (path.size() > pos && path[pos] ==
'/') {pos++;}
181 auto next_pos = path.find_first_of(
"/", pos);
182 auto next_component = path.substr(pos, next_pos - pos);
184 if (next_component.empty() || next_component ==
".") {
continue;}
185 else if (next_component ==
"..") {
186 if (!components.empty()) {
187 components.pop_back();
190 components.emplace_back(next_component);
192 }
while (pos != std::string::npos);
193 if (components.empty()) {
197 std::stringstream ss;
198 for (
const auto &comp : components) {
205 void ParseCanonicalPaths(
const std::string &path, std::vector<std::string> &results)
209 while (path.size() > pos && (path[pos] ==
',' || path[pos] ==
' ')) {pos++;}
210 auto next_pos = path.find_first_of(
", ", pos);
211 auto next_path = path.substr(pos, next_pos - pos);
213 if (!next_path.empty()) {
214 std::string canonical_path;
215 if (MakeCanonical(next_path, canonical_path)) {
216 results.emplace_back(std::move(canonical_path));
219 }
while (pos != std::string::npos);
224 IssuerConfig(
const std::string &issuer_name,
225 const std::string &issuer_url,
226 const std::vector<std::string> &base_paths,
227 const std::vector<std::string> &restricted_paths,
229 uint32_t authz_strategy,
230 const std::string &default_user,
231 const std::string &username_claim,
232 const std::string &groups_claim,
233 const std::vector<MapRule> rules,
236 : m_map_subject(map_subject || !username_claim.empty()),
237 m_acceptable_authz(acceptable_authz),
238 m_required_authz(required_authz),
239 m_authz_strategy(authz_strategy),
242 m_default_user(default_user),
243 m_username_claim(username_claim),
244 m_groups_claim(groups_claim),
245 m_base_paths(base_paths),
246 m_restricted_paths(restricted_paths),
250 const bool m_map_subject;
253 const uint32_t m_authz_strategy;
254 const std::string m_name;
255 const std::string m_url;
256 const std::string m_default_user;
257 const std::string m_username_claim;
258 const std::string m_groups_claim;
259 const std::vector<std::string> m_base_paths;
260 const std::vector<std::string> m_restricted_paths;
261 const std::vector<MapRule> m_map_rules;
264 class OverrideINIReader:
public INIReader {
266 OverrideINIReader() {};
267 inline OverrideINIReader(std::string filename) {
268 _error = ini_parse(filename.c_str(), ValueHandler,
this);
270 inline OverrideINIReader(FILE *file) {
271 _error = ini_parse_file(file, ValueHandler,
this);
287 inline static int ValueHandler(
void* user,
const char* section,
const char* name,
289 OverrideINIReader* reader = (OverrideINIReader*)user;
290 std::string key = MakeKey(section, name);
293 reader->_values[key] = value;
294 reader->_sections.insert(section);
302 ParseTokenString(
const std::string ¶m,
XrdOucEnv *env, std::vector<std::string_view> &authz_list)
305 const char *authz = env->
Get(param.c_str());
306 if (!authz) {
return;}
307 std::string_view authz_view(authz);
314 if (authz_view.substr(0, 9) ==
"Bearer%20") {
315 authz_view = authz_view.substr(9);
317 pos = authz_view.find(
",");
318 authz_list.push_back(authz_view.substr(0, pos));
319 authz_view = authz_view.substr(pos + 1);
320 }
while (pos != std::string_view::npos);
327 return AccessRuleStr(m_rules);
334 std::stringstream ss;
335 ss <<
"mapped_username=" << m_username <<
", subject=" << m_token_subject
336 <<
", issuer=" << m_issuer;
337 if (!m_groups.empty()) {
340 for (
const auto &group : m_groups) {
341 ss << (first ?
"" :
",") << group;
345 if (!m_matcher.
empty()) {
346 ss <<
", authorizations=" << m_matcher.
str();
353 return monotonic_time() > m_expiry_time;
371 const std::vector<std::pair<std::unique_ptr<SubpathMatch>, std::string>> &required_issuers,
372 const std::vector<std::shared_ptr<XrdAccRules>> &access_rules_list)
377 switch (client_oper) {
414 for (
const auto &info : required_issuers) {
416 if (info.first->apply(oper, path)) {
417 bool has_authz =
false;
419 for (
const auto &rules : access_rules_list) {
420 if (rules->get_issuer() == info.second && rules->apply(oper, path)) {
441 enum class AuthzBehavior {
450 m_parms(parms ? parms :
""),
451 m_next_clean(monotonic_time() + m_expiry_secs),
452 m_log(lp,
"scitokens_")
454 pthread_rwlock_init(&m_config_lock,
nullptr);
455 m_config_lock_initialized =
true;
456 m_log.
Say(
"++++++ XrdAccSciTokens: Initialized SciTokens-based authorization.");
458 throw std::runtime_error(
"Failed to configure SciTokens authorization.");
463 if (m_config_lock_initialized) {
464 pthread_rwlock_destroy(&m_config_lock);
473 std::vector<std::string_view> authz_list;
474 authz_list.reserve(1);
480 ParseTokenString(
"authz", env, authz_list);
481 ParseTokenString(
"access_token", env, authz_list);
483 if (Entity && !strcmp(
"ztn", Entity->
prot) && Entity->
creds &&
486 authz_list.push_back(Entity->
creds);
489 if (authz_list.empty()) {
490 return OnMissing(Entity, path, oper, env);
495 if (authz_list.size() > 10) {
496 m_log.
Log(
LogMask::Warning,
"Access",
"Request had more than 10 tokens attached; ignoring");
497 return OnMissing(Entity, path, oper, env);
501 std::vector<std::shared_ptr<XrdAccRules>> access_rules_list;
502 uint64_t now = monotonic_time();
504 for (
const auto &authz : authz_list) {
505 std::shared_ptr<XrdAccRules> access_rules;
507 std::lock_guard<std::mutex> guard(m_mutex);
508 const auto iter = m_map.find(authz);
509 if (iter != m_map.end() && !iter->second->expired()) {
510 access_rules = iter->second;
514 m_log.
Log(
LogMask::Debug,
"Access",
"Token not found in recent cache; parsing.");
516 uint64_t cache_expiry;
518 std::string username;
519 std::string token_subject;
521 std::vector<MapRule> map_rules;
522 std::vector<std::string> groups;
523 uint32_t authz_strategy;
525 if (GenerateAcls(authz, cache_expiry, rules, username, token_subject, issuer, map_rules, groups, authz_strategy, acceptable_authz)) {
526 access_rules.reset(
new XrdAccRules(now + cache_expiry, username, token_subject, issuer, map_rules, groups, authz_strategy, acceptable_authz));
527 access_rules->parse(rules);
533 m_log.
Log(
LogMask::Debug,
"Access",
"New valid token", access_rules->str().c_str());
535 }
catch (std::exception &exc) {
536 m_log.
Log(
LogMask::Warning,
"Access",
"Error generating ACLs for authorization", exc.what());
539 std::lock_guard<std::mutex> guard(m_mutex);
540 m_map[std::string(authz)] = access_rules;
542 m_log.
Log(
LogMask::Debug,
"Access",
"Cached token", access_rules->str().c_str());
544 access_rules_list.push_back(access_rules);
546 if (access_rules_list.empty()) {
547 return OnMissing(Entity, path, oper, env);
549 std::string_view path_view(path, strlen(path));
553 return OnMissing(Entity, path, oper, env);
567 for (
const auto &access_rules : access_rules_list) {
569 if (!access_rules->acceptable_authz(oper)) {
570 m_log.
Log(
LogMask::Debug,
"Access",
"Issuer is not acceptable for given operation:", access_rules->get_issuer().c_str());
575 new_secentity.
vorg =
nullptr;
576 new_secentity.
grps =
nullptr;
577 new_secentity.
role =
nullptr;
580 const auto &issuer = access_rules->get_issuer();
581 if (!issuer.empty()) {
582 new_secentity.
vorg = strdup(issuer.c_str());
584 bool group_success =
false;
585 if ((access_rules->get_authz_strategy() &
IssuerAuthz::Group) && access_rules->groups().size()) {
586 std::stringstream ss;
587 for (
const auto &grp : access_rules->groups()) {
590 const auto &groups_str = ss.str();
591 new_secentity.
grps =
static_cast<char*
>(malloc(groups_str.size() + 1));
592 if (new_secentity.
grps) {
593 memcpy(new_secentity.
grps, groups_str.c_str(), groups_str.size());
594 new_secentity.
grps[groups_str.size()] =
'\0';
596 group_success =
true;
599 std::string username;
600 bool mapping_success =
false;
601 bool scope_success =
false;
602 username = access_rules->get_username(path_view);
604 mapping_success = (access_rules->get_authz_strategy() &
IssuerAuthz::Mapping) && !username.empty();
605 scope_success = (access_rules->get_authz_strategy() &
IssuerAuthz::Capability) && access_rules->apply(oper, path_view);
607 std::stringstream ss;
608 ss <<
"Grant authorization based on scopes for operation=" << OpToName(oper) <<
", path=" << path;
612 if (!scope_success && !mapping_success && !group_success) {
613 auto returned_accs = OnMissing(&new_secentity, path, oper, env);
615 if (new_secentity.
vorg !=
nullptr) free(new_secentity.
vorg);
616 if (new_secentity.
grps !=
nullptr) free(new_secentity.
grps);
617 if (new_secentity.
role !=
nullptr) free(new_secentity.
role);
619 return returned_accs;
623 if (scope_success && username.empty()) {
624 username = access_rules->get_default_username();
629 if (scope_success || mapping_success) {
631 Entity->
eaAPI->
Add(
"request.name", username,
true);
632 new_secentity.
eaAPI->
Add(
"request.name", username,
true);
641 const auto &token_subject = access_rules->get_token_subject();
642 if (!token_subject.empty()) {
643 Entity->
eaAPI->
Add(
"token.subject", token_subject,
true);
652 if (Entity->
secMon && scope_success && returned_op &&
Mon_isIO(oper))
653 Mon_Report(new_secentity, token_subject, username);
656 if (new_secentity.
vorg !=
nullptr) free(new_secentity.
vorg);
657 if (new_secentity.
grps !=
nullptr) free(new_secentity.
grps);
658 if (new_secentity.
role !=
nullptr) free(new_secentity.
role);
663 return OnMissing(Entity, path, oper, env);
677 for (
auto it: m_issuers) {
681 issuers.push_back(issuer_info);
687 virtual bool Validate(
const char *token, std::string &
emsg,
long long *expT,
695 if (!strncmp(token,
"Bearer%20", 9)) token += 9;
696 pthread_rwlock_rdlock(&m_config_lock);
697 auto retval = scitoken_deserialize(token, &scitoken, &m_valid_issuers_array[0], &err_msg);
698 pthread_rwlock_unlock(&m_config_lock);
712 {
char *value =
nullptr;
713 if (!scitoken_get_claim_string(scitoken,
"sub", &value, &err_msg))
714 Entity->
name = strdup(value);
719 if (expT && scitoken_get_expiration(scitoken, expT, &err_msg)) {
727 scitoken_destroy(scitoken);
745 return (m_chain ? m_chain->
Test(priv, oper) : 0);
756 switch (m_authz_behavior) {
757 case AuthzBehavior::PASSTHROUGH:
759 case AuthzBehavior::ALLOW:
761 case AuthzBehavior::DENY:
768 bool GenerateAcls(
const std::string_view &authz, uint64_t &cache_expiry,
AccessRulesRaw &rules, std::string &username, std::string &token_subject, std::string &issuer, std::vector<MapRule> &map_rules, std::vector<std::string> &groups, uint32_t &authz_strategy,
AuthzSetting &acceptable_authz) {
771 bool looks_good =
true;
772 int separator_count = 0;
773 for (
auto cur_char = authz.data(); *cur_char; cur_char++) {
774 if (*cur_char ==
'.') {
776 if (separator_count > 2) {
780 if (!(*cur_char >= 65 && *cur_char <= 90) &&
781 !(*cur_char >= 97 && *cur_char <= 122) &&
782 !(*cur_char >= 48 && *cur_char <= 57) &&
783 (*cur_char != 43) && (*cur_char != 47) &&
784 (*cur_char != 45) && (*cur_char != 95))
790 if ((separator_count != 2) || (!looks_good)) {
791 m_log.
Log(
LogMask::Debug,
"Parse",
"Token does not appear to be a valid JWT; skipping.");
796 SciToken token =
nullptr;
797 pthread_rwlock_rdlock(&m_config_lock);
798 auto retval = scitoken_deserialize(authz.data(), &token, &m_valid_issuers_array[0], &err_msg);
799 pthread_rwlock_unlock(&m_config_lock);
808 if (scitoken_get_expiration(token, &expiry, &err_msg)) {
809 m_log.
Log(
LogMask::Warning,
"GenerateAcls",
"Unable to determine token expiration:", err_msg);
811 scitoken_destroy(token);
815 expiry = std::max(
static_cast<int64_t
>(monotonic_time() - expiry),
816 static_cast<int64_t
>(60));
821 char *value =
nullptr;
822 if (scitoken_get_claim_string(token,
"iss", &value, &err_msg)) {
824 scitoken_destroy(token);
828 std::string token_issuer(value);
831 pthread_rwlock_rdlock(&m_config_lock);
832 auto enf = enforcer_create(token_issuer.c_str(), &m_audiences_array[0], &err_msg);
833 pthread_rwlock_unlock(&m_config_lock);
836 scitoken_destroy(token);
842 if (enforcer_generate_acls(enf, token, &acls, &err_msg)) {
843 scitoken_destroy(token);
844 enforcer_destroy(enf);
845 m_log.
Log(
LogMask::Warning,
"GenerateAcls",
"ACL generation from SciToken failed:", err_msg);
849 enforcer_destroy(enf);
851 pthread_rwlock_rdlock(&m_config_lock);
852 auto iter = m_issuers.find(token_issuer);
853 if (iter == m_issuers.end()) {
854 pthread_rwlock_unlock(&m_config_lock);
856 scitoken_destroy(token);
859 const auto config = iter->second;
860 pthread_rwlock_unlock(&m_config_lock);
864 std::vector<std::string> groups_parsed;
865 if (scitoken_get_claim_string_list(token, config.m_groups_claim.c_str(), &group_list, &err_msg) == 0) {
866 for (
int idx=0; group_list[idx]; idx++) {
867 groups_parsed.emplace_back(group_list[idx]);
869 scitoken_free_string_list(group_list);
876 if (scitoken_get_claim_string(token,
"sub", &value, &err_msg)) {
879 scitoken_destroy(token);
882 token_subject = std::string(value);
885 auto tmp_username = token_subject;
886 if (!config.m_username_claim.empty()) {
887 if (scitoken_get_claim_string(token, config.m_username_claim.c_str(), &value, &err_msg)) {
890 scitoken_destroy(token);
893 tmp_username = std::string(value);
895 }
else if (!config.m_map_subject) {
896 tmp_username = config.m_default_user;
899 for (
auto rule : config.m_map_rules) {
900 for (
auto path : config.m_base_paths) {
901 auto path_rule = rule;
902 path_rule.m_path_prefix = path + rule.m_path_prefix;
903 auto pos = path_rule.m_path_prefix.find(
"//");
904 if (pos != std::string::npos) {
905 path_rule.m_path_prefix.erase(pos + 1, 1);
907 map_rules.emplace_back(path_rule);
913 std::set<std::string> paths_write_seen;
914 std::set<std::string> paths_create_or_modify_seen;
915 std::vector<std::string> acl_paths;
916 acl_paths.reserve(config.m_restricted_paths.size() + 1);
917 while (acls[idx].resource && acls[idx++].authz) {
919 const auto &acl_path = acls[idx-1].resource;
920 const auto &acl_authz = acls[idx-1].authz;
921 if (config.m_restricted_paths.empty()) {
922 acl_paths.push_back(acl_path);
924 auto acl_path_size = strlen(acl_path);
925 for (
const auto &restricted_path : config.m_restricted_paths) {
928 if (!strncmp(acl_path, restricted_path.c_str(), restricted_path.size())) {
931 if (acl_path_size > restricted_path.size() && acl_path[restricted_path.size()] !=
'/') {
934 acl_paths.push_back(acl_path);
940 if (!strncmp(acl_path, restricted_path.c_str(), acl_path_size)) {
947 if ((restricted_path.size() > acl_path_size && restricted_path[acl_path_size] !=
'/') && (acl_path_size != 1)) {
950 acl_paths.push_back(restricted_path);
954 for (
const auto &acl_path : acl_paths) {
955 for (
const auto &base_path : config.m_base_paths) {
956 if (!acl_path[0] || acl_path[0] !=
'/') {
continue;}
958 MakeCanonical(base_path + acl_path, path);
959 if (!strcmp(acl_authz,
"read")) {
960 xrd_rules.emplace_back(
AOP_Read, path);
962 xrd_rules.emplace_back(
AOP_Stat, path);
963 }
else if (!strcmp(acl_authz,
"create")) {
964 paths_create_or_modify_seen.insert(path);
969 xrd_rules.emplace_back(
AOP_Stat, path);
970 }
else if (!strcmp(acl_authz,
"modify")) {
971 paths_create_or_modify_seen.insert(path);
978 xrd_rules.emplace_back(
AOP_Stat, path);
980 }
else if (!strcmp(acl_authz,
"write")) {
981 paths_write_seen.insert(path);
986 for (
const auto &write_path : paths_write_seen) {
987 if (paths_create_or_modify_seen.find(write_path) == paths_create_or_modify_seen.end()) {
989 xrd_rules.emplace_back(
AOP_Create, write_path);
990 xrd_rules.emplace_back(
AOP_Mkdir, write_path);
991 xrd_rules.emplace_back(
AOP_Rename, write_path);
992 xrd_rules.emplace_back(
AOP_Insert, write_path);
993 xrd_rules.emplace_back(
AOP_Update, write_path);
994 xrd_rules.emplace_back(
AOP_Stat, write_path);
995 xrd_rules.emplace_back(
AOP_Chmod, write_path);
996 xrd_rules.emplace_back(
AOP_Delete, write_path);
999 authz_strategy = config.m_authz_strategy;
1001 cache_expiry = expiry;
1002 rules = std::move(xrd_rules);
1003 username = std::move(tmp_username);
1004 issuer = std::move(token_issuer);
1005 groups = std::move(groups_parsed);
1006 acceptable_authz = config.m_acceptable_authz;
1016 char *config_filename =
nullptr;
1023 m_log.
Emsg(
"Config", -result,
"parsing config file", config_filename);
1028 std::string map_filename;
1029 while (scitokens_conf.GetLine()) {
1031 scitokens_conf.GetToken();
1032 if (!(val = scitokens_conf.GetToken())) {
1033 m_log.
Emsg(
"Config",
"scitokens.trace requires an argument. Usage: scitokens.trace [all|error|warning|info|debug|none]");
1042 else if (!strcmp(val,
"none")) {m_log.
setMsgMask(0);}
1043 else {m_log.
Emsg(
"Config",
"scitokens.trace encountered an unknown directive:", val);
return false;}
1044 }
while ((val = scitokens_conf.GetToken()));
1049 auto tlsCtx =
static_cast<XrdTlsContext*
>(xrdEnv ? xrdEnv->GetPtr(
"XrdTlsContext*") :
nullptr);
1052 if (params && !params->cafile.empty()) {
1053 #ifdef HAVE_SCITOKEN_CONFIG_SET_STR
1054 scitoken_config_set_str(
"tls.ca_file", params->cafile.c_str(),
nullptr);
1056 m_log.
Log(
LogMask::Warning,
"Config",
"tls.ca_file is set but the platform's libscitokens.so does not support setting config parameters");
1064 bool ParseMapfile(
const std::string &filename, std::vector<MapRule> &rules)
1066 std::stringstream ss;
1067 std::ifstream mapfile(filename);
1068 if (!mapfile.is_open())
1070 ss <<
"Error opening mapfile (" << filename <<
"): " << strerror(errno);
1074 picojson::value val;
1075 auto err = picojson::parse(val, mapfile);
1077 ss <<
"Unable to parse mapfile (" << filename <<
") as json: " << err;
1081 if (!val.is<picojson::array>()) {
1082 ss <<
"Top-level element of the mapfile " << filename <<
" must be a list";
1086 const auto& rule_list = val.get<picojson::array>();
1087 for (
const auto &rule : rule_list)
1089 if (!rule.is<picojson::object>()) {
1090 ss <<
"Mapfile " << filename <<
" must be a list of JSON objects; found non-object";
1097 std::string username;
1099 bool ignore =
false;
1100 for (
const auto &entry : rule.get<picojson::object>()) {
1101 if (!entry.second.is<std::string>()) {
1102 if (entry.first !=
"result" && entry.first !=
"group" && entry.first !=
"sub" && entry.first !=
"path") {
continue;}
1103 ss <<
"In mapfile " << filename <<
", rule entry for " << entry.first <<
" has non-string value";
1107 if (entry.first ==
"result") {
1108 result = entry.second.get<std::string>();
1110 else if (entry.first ==
"group") {
1111 group = entry.second.get<std::string>();
1113 else if (entry.first ==
"sub") {
1114 sub = entry.second.get<std::string>();
1115 }
else if (entry.first ==
"username") {
1116 username = entry.second.get<std::string>();
1117 }
else if (entry.first ==
"path") {
1118 std::string norm_path;
1119 if (!MakeCanonical(entry.second.get<std::string>(), norm_path)) {
1120 ss <<
"In mapfile " << filename <<
" encountered a path " << entry.second.get<std::string>()
1121 <<
" that cannot be normalized";
1126 }
else if (entry.first ==
"ignore") {
1131 if (ignore)
continue;
1134 ss <<
"In mapfile " << filename <<
" encountered a rule without a 'result' attribute";
1138 rules.emplace_back(sub, username, path, group, result);
1148 bool ParseAuthzSetting(OverrideINIReader &reader,
const std::string §ion,
const std::string &variable,
AuthzSetting &result) {
1149 auto authz_setting_str = reader.Get(section, variable,
"");
1151 if (authz_setting_str ==
"") {
1153 }
else if (authz_setting_str ==
"none") {
1155 }
else if (authz_setting_str ==
"all") {
1157 }
else if (authz_setting_str ==
"read") {
1159 }
else if (authz_setting_str ==
"write") {
1162 std::stringstream ss;
1163 ss <<
"Failed to parse " << variable <<
" in section " << section <<
": unknown authorization setting " << authz_setting_str;
1167 result = authz_setting;
1174 m_cfg_file =
"/etc/xrootd/scitokens.cfg";
1175 if (!m_parms.empty()) {
1177 std::vector<std::string> arg_list;
1179 while ((m_parms.size() > pos) && (m_parms[pos] ==
' ')) {pos++;}
1180 auto next_pos = m_parms.find_first_of(
", ", pos);
1181 auto next_arg = m_parms.substr(pos, next_pos - pos);
1183 if (!next_arg.empty()) {
1184 arg_list.emplace_back(std::move(next_arg));
1186 }
while (pos != std::string::npos);
1188 for (
const auto &arg : arg_list) {
1189 if (strncmp(arg.c_str(),
"config=", 7)) {
1190 m_log.
Log(
LogMask::Error,
"Reconfig",
"Ignoring unknown configuration argument:", arg.c_str());
1193 m_cfg_file = std::string(arg.c_str() + 7);
1196 m_log.
Log(
LogMask::Info,
"Reconfig",
"Parsing configuration file:", m_cfg_file.c_str());
1198 OverrideINIReader reader(m_cfg_file);
1199 if (reader.ParseError() < 0) {
1200 std::stringstream ss;
1201 ss <<
"Error opening config file (" << m_cfg_file <<
"): " << strerror(errno);
1204 }
else if (reader.ParseError()) {
1205 std::stringstream ss;
1206 ss <<
"Parse error on line " << reader.ParseError() <<
" of file " << m_cfg_file;
1210 std::vector<std::string> audiences;
1211 std::unordered_map<std::string, IssuerConfig> issuers;
1212 for (
const auto §ion : reader.Sections()) {
1213 std::string section_lower;
1214 std::transform(section.begin(), section.end(), std::back_inserter(section_lower),
1215 [](
unsigned char c){ return std::tolower(c); });
1217 if (section_lower.substr(0, 6) ==
"global") {
1218 auto audience = reader.Get(section,
"audience",
"");
1219 if (!audience.empty()) {
1222 while (audience.size() > pos && (audience[pos] ==
',' || audience[pos] ==
' ')) {pos++;}
1223 auto next_pos = audience.find_first_of(
", ", pos);
1224 auto next_aud = audience.substr(pos, next_pos - pos);
1226 if (!next_aud.empty()) {
1227 audiences.push_back(next_aud);
1229 }
while (pos != std::string::npos);
1231 audience = reader.Get(section,
"audience_json",
"");
1232 if (!audience.empty()) {
1233 picojson::value json_obj;
1234 auto err = picojson::parse(json_obj, audience);
1236 m_log.
Log(
LogMask::Error,
"Reconfig",
"Unable to parse audience_json:", err.c_str());
1239 if (!json_obj.is<picojson::value::array>()) {
1240 m_log.
Log(
LogMask::Error,
"Reconfig",
"audience_json must be a list of strings; not a list.");
1243 for (
const auto &val : json_obj.get<picojson::value::array>()) {
1244 if (!val.is<std::string>()) {
1245 m_log.
Log(
LogMask::Error,
"Reconfig",
"audience must be a list of strings; value is not a string.");
1248 audiences.push_back(val.get<std::string>());
1251 auto onmissing = reader.Get(section,
"onmissing",
"");
1252 if (onmissing ==
"passthrough") {
1253 m_authz_behavior = AuthzBehavior::PASSTHROUGH;
1254 }
else if (onmissing ==
"allow") {
1255 m_authz_behavior = AuthzBehavior::ALLOW;
1256 }
else if (onmissing ==
"deny") {
1257 m_authz_behavior = AuthzBehavior::DENY;
1258 }
else if (!onmissing.empty()) {
1259 m_log.
Log(
LogMask::Error,
"Reconfig",
"Unknown value for onmissing key:", onmissing.c_str());
1264 if (section_lower.substr(0, 7) !=
"issuer ") {
continue;}
1266 auto issuer = reader.Get(section,
"issuer",
"");
1267 if (issuer.empty()) {
1268 m_log.
Log(
LogMask::Error,
"Reconfig",
"Ignoring section because 'issuer' attribute is not set:",
1274 std::vector<MapRule> rules;
1275 auto name_mapfile = reader.Get(section,
"name_mapfile",
"");
1276 if (!name_mapfile.empty()) {
1277 if (!ParseMapfile(name_mapfile, rules)) {
1278 m_log.
Log(
LogMask::Error,
"Reconfig",
"Failed to parse mapfile; failing (re-)configuration", name_mapfile.c_str());
1281 m_log.
Log(
LogMask::Info,
"Reconfig",
"Successfully parsed SciTokens mapfile:", name_mapfile.c_str());
1285 auto base_path = reader.Get(section,
"base_path",
"");
1286 if (base_path.empty()) {
1287 m_log.
Log(
LogMask::Error,
"Reconfig",
"Ignoring section because 'base_path' attribute is not set:",
1293 while (section.size() > pos && std::isspace(section[pos])) {pos++;}
1295 auto name = section.substr(pos);
1297 m_log.
Log(
LogMask::Error,
"Reconfig",
"Invalid section name:", section.c_str());
1301 std::vector<std::string> base_paths;
1302 ParseCanonicalPaths(base_path, base_paths);
1304 auto restricted_path = reader.Get(section,
"restricted_path",
"");
1305 std::vector<std::string> restricted_paths;
1306 if (!restricted_path.empty()) {
1307 ParseCanonicalPaths(restricted_path, restricted_paths);
1310 auto default_user = reader.Get(section,
"default_user",
"");
1311 auto map_subject = reader.GetBoolean(section,
"map_subject",
false);
1312 auto username_claim = reader.Get(section,
"username_claim",
"");
1313 auto groups_claim = reader.Get(section,
"groups_claim",
"wlcg.groups");
1316 if (!ParseAuthzSetting(reader, section,
"required_authorization", required_authz)) {
1317 m_log.
Log(
LogMask::Error,
"Reconfig",
"Ignoring required_authorization and using default of 'none'");
1319 if (!ParseAuthzSetting(reader, section,
"acceptable_authorization", acceptable_authz)) {
1320 m_log.
Log(
LogMask::Error,
"Reconfig",
"Ignoring acceptable_authorization and using default of 'all'");
1323 auto authz_strategy_str = reader.Get(section,
"authorization_strategy",
"");
1324 uint32_t authz_strategy = 0;
1325 if (authz_strategy_str.empty()) {
1328 std::istringstream authz_strategy_stream(authz_strategy_str);
1329 std::string authz_str;
1330 while (
std::getline(authz_strategy_stream, authz_str,
' ')) {
1331 if (!strcasecmp(authz_str.c_str(),
"capability")) {
1333 }
else if (!strcasecmp(authz_str.c_str(),
"group")) {
1335 }
else if (!strcasecmp(authz_str.c_str(),
"mapping")) {
1338 m_log.
Log(
LogMask::Error,
"Reconfig",
"Unknown authorization strategy (ignoring):", authz_str.c_str());
1343 issuers.emplace(std::piecewise_construct,
1344 std::forward_as_tuple(issuer),
1345 std::forward_as_tuple(name, issuer, base_paths, restricted_paths,
1346 map_subject, authz_strategy, default_user, username_claim, groups_claim, rules,
1347 acceptable_authz, required_authz));
1353 for (
const auto &base_path : base_paths) {
1354 if (restricted_paths.empty()) {
1355 restricted_paths.emplace_back(
"/");
1357 for (
const auto &restricted_path : restricted_paths) {
1358 auto full_path = base_path +
"/" + restricted_path;
1359 std::string cleaned_path;
1360 MakeCanonical(full_path, cleaned_path);
1362 rules.emplace_back(
AOP_Read, cleaned_path);
1363 rules.emplace_back(
AOP_Stat, cleaned_path);
1365 rules.emplace_back(
AOP_Create, cleaned_path);
1366 rules.emplace_back(
AOP_Mkdir, cleaned_path);
1367 rules.emplace_back(
AOP_Stat, cleaned_path);
1371 m_required_issuers.emplace_back(std::make_unique<SubpathMatch>(rules), issuer);
1375 if (issuers.empty()) {
1379 pthread_rwlock_wrlock(&m_config_lock);
1381 m_audiences = std::move(audiences);
1383 m_audiences_array.resize(m_audiences.size() + 1);
1384 for (
const auto &audience : m_audiences) {
1385 m_audiences_array[idx++] = audience.c_str();
1387 m_audiences_array[idx] =
nullptr;
1389 m_issuers = std::move(issuers);
1390 m_valid_issuers_array.resize(m_issuers.size() + 1);
1392 for (
const auto &issuer : m_issuers) {
1393 m_valid_issuers_array[idx++] = issuer.first.c_str();
1395 m_valid_issuers_array[idx] =
nullptr;
1397 pthread_rwlock_unlock(&m_config_lock);
1400 pthread_rwlock_unlock(&m_config_lock);
1404 void Check(uint64_t now)
1406 if (now <= m_next_clean) {
return;}
1407 std::lock_guard<std::mutex> guard(m_mutex);
1409 for (
auto iter = m_map.begin(); iter != m_map.end(); ) {
1410 if (iter->second->expired()) {
1411 iter = m_map.erase(iter);
1418 m_next_clean = monotonic_time() + m_expiry_secs;
1421 bool m_config_lock_initialized{
false};
1423 pthread_rwlock_t m_config_lock;
1424 std::vector<std::string> m_audiences;
1425 std::vector<const char *> m_audiences_array;
1426 std::map<std::string, std::shared_ptr<XrdAccRules>, std::less<>> m_map;
1428 const std::string m_parms;
1429 std::vector<const char*> m_valid_issuers_array;
1432 std::vector<std::pair<std::unique_ptr<SubpathMatch>, std::string>> m_required_issuers;
1433 std::unordered_map<std::string, IssuerConfig> m_issuers;
1434 uint64_t m_next_clean{0};
1436 AuthzBehavior m_authz_behavior{AuthzBehavior::PASSTHROUGH};
1437 std::string m_cfg_file;
1439 static constexpr uint64_t m_expiry_secs = 60;
1448 }
catch (std::exception &) {
Access_Operation
The following are supported operations.
@ AOP_Delete
rm() or rmdir()
@ AOP_Update
open() r/w or append
@ AOP_Create
open() with create
@ AOP_Any
Special for getting privs.
@ AOP_Stat
exists(), stat()
@ AOP_Rename
mv() for source
@ AOP_Read
open() r/o, prepare()
@ AOP_Excl_Create
open() with O_EXCL|O_CREAT
@ AOP_Insert
mv() for target
@ AOP_Excl_Insert
mv() where destination doesn't exist.
XrdAccSciTokens * accSciTokens
bool AuthorizesRequiredIssuers(Access_Operation client_oper, const std::string_view &path, const std::vector< std::pair< std::unique_ptr< SubpathMatch >, std::string >> &required_issuers, const std::vector< std::shared_ptr< XrdAccRules >> &access_rules_list)
XrdSciTokensHelper * SciTokensHelper
XrdVERSIONINFO(XrdAccAuthorizeObject, XrdAccSciTokens)
void InitAccSciTokens(XrdSysLogger *lp, const char *cfn, const char *parm, XrdAccAuthorize *accP, XrdOucEnv *envP)
XrdAccAuthorize * XrdAccAuthorizeObjAdd(XrdSysLogger *lp, const char *cfn, const char *parm, XrdOucEnv *envP, XrdAccAuthorize *accP)
XrdAccAuthorize * XrdAccAuthorizeObject(XrdSysLogger *lp, const char *cfn, const char *parm)
XrdAccAuthorize * XrdAccAuthorizeObject2(XrdSysLogger *lp, const char *cfn, const char *parm, XrdOucEnv *envP)
std::vector< std::pair< Access_Operation, std::string > > AccessRulesRaw
void getline(uchar *buff, int blen)
int emsg(int rc, char *msg)
virtual int Test(const XrdAccPrivs priv, const Access_Operation oper)=0
virtual XrdAccPrivs Access(const XrdSecEntity *Entity, const char *path, const Access_Operation oper, XrdOucEnv *Env=0)=0
const std::string str() const
virtual int Audit(const int accok, const XrdSecEntity *Entity, const char *path, const Access_Operation oper, XrdOucEnv *Env=0) override
virtual XrdAccPrivs Access(const XrdSecEntity *Entity, const char *path, const Access_Operation oper, XrdOucEnv *env) override
XrdAccSciTokens(XrdSysLogger *lp, const char *parms, XrdAccAuthorize *chain, XrdOucEnv *envP)
virtual Issuers IssuerList() override
virtual bool Validate(const char *token, std::string &emsg, long long *expT, XrdSecEntity *Entity) override
virtual int Test(const XrdAccPrivs priv, const Access_Operation oper) override
std::string GetConfigFile()
virtual ~XrdAccSciTokens()
static bool Import(const char *var, char *&val)
void * GetPtr(const char *varname)
char * Get(const char *varname)
@ trim_lines
Prefix trimmed lines.
std::vector< ValidIssuer > Issuers
bool Mon_isIO(const Access_Operation oper)
void Mon_Report(const XrdSecEntity &Entity, const std::string &subject, const std::string &username)
bool Add(XrdSecAttr &attr)
char * vorg
Entity's virtual organization(s)
int credslen
Length of the 'creds' data.
XrdNetAddrInfo * addrInfo
Entity's connection details.
XrdSecEntityAttr * eaAPI
non-const API to attributes
char prot[XrdSecPROTOIDSIZE]
Auth protocol used (e.g. krb5)
char * creds
Raw entity credentials or cert.
XrdSecMonitor * secMon
If !0 security monitoring enabled.
char * grps
Entity's group name(s)
char * name
Entity's name.
char * role
Entity's role(s)
int Emsg(const char *esfx, int ecode, const char *text1, const char *text2=0)
void Say(const char *text1, const char *text2=0, const char *txt3=0, const char *text4=0, const char *text5=0, const char *txt6=0)
void setMsgMask(int mask)
void Log(int mask, const char *esfx, const char *text1, const char *text2=0, const char *text3=0)
const CTX_Params * GetParams()
std::string LogMaskToString(int mask)