XrdAccSciTokens Class Reference

Inheritance diagram for XrdAccSciTokens:

Collaboration diagram for XrdAccSciTokens:

Public Member Functions
	XrdAccSciTokens (XrdSysLogger *lp, const char *parms, XrdAccAuthorize *chain, XrdOucEnv *envP)
virtual	~XrdAccSciTokens ()
virtual XrdAccPrivs	Access (const XrdSecEntity *Entity, const char *path, const Access_Operation oper, XrdOucEnv *env) override
virtual int	Audit (const int accok, const XrdSecEntity *Entity, const char *path, const Access_Operation oper, XrdOucEnv *Env=0) override
std::string	GetConfigFile ()
virtual Issuers	IssuerList () override
virtual int	Test (const XrdAccPrivs priv, const Access_Operation oper) override
virtual bool	Validate (const char *token, std::string &emsg, long long *expT, XrdSecEntity *Entity) override
Public Member Functions inherited from XrdAccAuthorize
	XrdAccAuthorize ()
	Constructor.
virtual	~XrdAccAuthorize ()
	Destructor.
virtual XrdAccPrivs	Access (const XrdSecEntity *Entity, const char *path, const Access_Operation oper, std::string &eInfo, XrdOucEnv *Env=0)
Public Member Functions inherited from XrdSciTokensHelper
	XrdSciTokensHelper ()
	Constructor and Destructor.
virtual	~XrdSciTokensHelper ()
Public Member Functions inherited from XrdSciTokensMon
	XrdSciTokensMon ()
	~XrdSciTokensMon ()
bool	Mon_isIO (const Access_Operation oper)
void	Mon_Report (const XrdSecEntity &Entity, const std::string &subject, const std::string &username)

Additional Inherited Members
Public Types inherited from XrdSciTokensHelper
typedef std::vector< ValidIssuer >	Issuers

Detailed Description

Definition at line 477 of file XrdSciTokensAccess.cc.

Constructor & Destructor Documentation

XrdAccSciTokens()

XrdAccSciTokens::XrdAccSciTokens ( XrdSysLogger * lp, const char * parms, XrdAccAuthorize * chain, XrdOucEnv * envP )

inline

Definition at line 488 of file XrdSciTokensAccess.cc.

                                                                                                  :
        m_chain(chain),
        m_parms(parms ? parms : ""),
        m_next_clean(monotonic_time() + m_expiry_secs),
        m_log(lp, "scitokens_")
    {
        pthread_rwlock_init(&m_config_lock, nullptr);
        m_config_lock_initialized = true;
        m_log.Say("++++++ XrdAccSciTokens: Initialized SciTokens-based authorization.");
        if (!Config(envP)) {
            throw std::runtime_error("Failed to configure SciTokens authorization.");
        }
    }

References XrdAccAuthorize::XrdAccAuthorize().

Here is the call graph for this function:

~XrdAccSciTokens()

virtual XrdAccSciTokens::~XrdAccSciTokens ( )

inlinevirtual

Definition at line 502 of file XrdSciTokensAccess.cc.

                               {
        if (m_config_lock_initialized) {
            pthread_rwlock_destroy(&m_config_lock);
        }
    }

Member Function Documentation

Access()

virtual XrdAccPrivs XrdAccSciTokens::Access ( const XrdSecEntity * Entity, const char * path, const Access_Operation oper, XrdOucEnv * Env )

inlineoverridevirtual

Check whether or not the client is permitted specified access to a path.

Parameters

Entity	-> Authentication information
path	-> The logical path which is the target of oper
oper	-> The operation being attempted (see the enum above). If the oper is AOP_Any, then the actual privileges are returned and the caller may make subsequent tests using Test().
Env	-> Environmental information at the time of the operation as supplied by the path CGI string. This is optional and the pointer may be zero.

Returns

Permit: a non-zero value (access is permitted) Deny: zero (access is denied)

Implements XrdAccAuthorize.

Definition at line 508 of file XrdSciTokensAccess.cc.

    {
        const char *authz = env ? env->Get("authz") : nullptr;
            // Note: this is more permissive than the plugin was previously.
            // The prefix 'Bearer%20' used to be required as that's what HTTP
            // required.  However, to make this more pleasant for XRootD protocol
            // users, we now simply "handle" the prefix insterad of requiring it.
        if (authz && !strncmp(authz, "Bearer%20", 9)) {
            authz += 9;
        }
            // If there's no request-specific token, then see if the ZTN authorization
            // has provided us with a session token.
        if (!authz && Entity && !strcmp("ztn", Entity->prot) && Entity->creds &&
            Entity->credslen > 0 && Entity->creds[Entity->credslen] == '\0')
        {
            authz = Entity->creds;
        }
        if (authz == nullptr) {
            return OnMissing(Entity, path, oper, env);
        }
        m_log.Log(LogMask::Debug, "Access", "Trying token-based access control");
        std::shared_ptr<XrdAccRules> access_rules;
        uint64_t now = monotonic_time();
        Check(now);
        {
            std::lock_guard<std::mutex> guard(m_map_mutex);
            const auto iter = m_map.find(authz);
            if (iter != m_map.end() && !iter->second->expired()) {
                access_rules = iter->second;
            }
        }
        if (!access_rules) {
            m_log.Log(LogMask::Debug, "Access", "Token not found in recent cache; parsing.");
            try {
                uint64_t cache_expiry;
                AccessRulesRaw rules;
                std::string username;
                std::string token_subject;
                std::string issuer;
                std::vector<MapRule> map_rules;
                std::vector<std::string> groups;
                uint32_t authz_strategy;
                if (GenerateAcls(authz, cache_expiry, rules, username, token_subject, issuer, map_rules, groups, authz_strategy)) {
                    access_rules.reset(new XrdAccRules(now + cache_expiry, username, token_subject, issuer, map_rules, groups, authz_strategy));
                    access_rules->parse(rules);
                } else {
                    m_log.Log(LogMask::Warning, "Access", "Failed to generate ACLs for token");
                    return OnMissing(Entity, path, oper, env);
                }
                if (m_log.getMsgMask() & LogMask::Debug) {
                    m_log.Log(LogMask::Debug, "Access", "New valid token", access_rules->str().c_str());
                }
            } catch (std::exception &exc) {
                m_log.Log(LogMask::Warning, "Access", "Error generating ACLs for authorization", exc.what());
                return OnMissing(Entity, path, oper, env);
            }
            std::lock_guard<std::mutex> guard(m_map_mutex);
            m_map[authz] = access_rules;
        } else if (m_log.getMsgMask() & LogMask::Debug) {
            m_log.Log(LogMask::Debug, "Access", "Cached token", access_rules->str().c_str());
        }
 
        // Strategy: assuming the corresponding strategy is enabled, we populate the name in
        // the XrdSecEntity if:
        //    1. There are scopes present in the token that authorize the request,
        //    2. The token is mapped by some rule in the mapfile (group or subject-based mapping).
        // The default username for the issuer is only used in (1).
        // If the scope-based mapping is successful, authorize immediately.  Otherwise, if the
        // mapping is successful, we potentially chain to another plugin.
        //
        // We always populate the issuer and the groups, if present.
 
        // Access may be authorized; populate XrdSecEntity
        XrdSecEntity new_secentity;
        new_secentity.vorg = nullptr;
        new_secentity.grps = nullptr;
        new_secentity.role = nullptr;
        new_secentity.secMon = Entity->secMon;
        new_secentity.addrInfo = Entity->addrInfo;
        const auto &issuer = access_rules->get_issuer();
        if (!issuer.empty()) {
            new_secentity.vorg = strdup(issuer.c_str());
        }
        bool group_success = false;
        if ((access_rules->get_authz_strategy() & IssuerAuthz::Group) && access_rules->groups().size()) {
            std::stringstream ss;
            for (const auto &grp : access_rules->groups()) {
                ss << grp << " ";
            }
            const auto &groups_str = ss.str();
            new_secentity.grps = static_cast<char*>(malloc(groups_str.size() + 1));
            if (new_secentity.grps) {
                memcpy(new_secentity.grps, groups_str.c_str(), groups_str.size());
                new_secentity.grps[groups_str.size()] = '\0';
                group_success = true;
            }
        }
 
        std::string username;
        bool mapping_success = false;
        bool scope_success = false;
        username = access_rules->get_username(path);
 
        mapping_success = (access_rules->get_authz_strategy() & IssuerAuthz::Mapping) && !username.empty();
        scope_success = (access_rules->get_authz_strategy() & IssuerAuthz::Capability) && access_rules->apply(oper, path);
        if (scope_success && (m_log.getMsgMask() & LogMask::Debug)) {
            std::stringstream ss;
            ss << "Grant authorization based on scopes for operation=" << OpToName(oper) << ", path=" << path;
            m_log.Log(LogMask::Debug, "Access", ss.str().c_str());
        }
 
        if (!scope_success && !mapping_success && !group_success) {
            auto returned_accs = OnMissing(&new_secentity, path, oper, env);
            // Clean up the new_secentity
            if (new_secentity.vorg != nullptr) free(new_secentity.vorg);
            if (new_secentity.grps != nullptr) free(new_secentity.grps);
            if (new_secentity.role != nullptr) free(new_secentity.role);
 
            return returned_accs;
        }
 
        // Default user only applies to scope-based mappings.
        if (scope_success && username.empty()) {
            username = access_rules->get_default_username();
        }
 
        // Setting the request.name will pass the username to the next plugin.
        // Ensure we do that only if map-based or scope-based authorization worked.
        if (scope_success || mapping_success) {
            // Set scitokens.name in the extra attribute
            Entity->eaAPI->Add("request.name", username, true);
            new_secentity.eaAPI->Add("request.name", username, true);
            m_log.Log(LogMask::Debug, "Access", "Request username", username.c_str());
        }
 
            // Make the token subject available.  Even though it's a reasonably bad idea
            // to use for *authorization* for file access, there may be other use cases.
            // For example, the combination of (vorg, token.subject) is a reasonable
            // approximation of a unique 'entity' (either person or a robot) and is
            // more reasonable to use for resource fairshare in XrdThrottle.
        const auto &token_subject = access_rules->get_token_subject();
        if (!token_subject.empty()) {
            Entity->eaAPI->Add("token.subject", token_subject, true);
        }
 
        // When the scope authorized this access, allow immediately.  Otherwise, chain
        XrdAccPrivs returned_op = scope_success ? AddPriv(oper, XrdAccPriv_None) : OnMissing(&new_secentity, path, oper, env);
 
        // Since we are doing an early return, insert token info into the
        // monitoring stream if monitoring is in effect and access granted
        //
        if (Entity->secMon && scope_success && returned_op && Mon_isIO(oper))
           Mon_Report(new_secentity, token_subject, username);
 
        // Cleanup the new_secentry
        if (new_secentity.vorg != nullptr) free(new_secentity.vorg);
        if (new_secentity.grps != nullptr) free(new_secentity.grps);
        if (new_secentity.role != nullptr) free(new_secentity.role);
 
        return returned_op;
    }

References XrdSecEntityAttr::Add(), XrdSecEntity::addrInfo, XrdSecEntity::creds, XrdSecEntity::credslen, XrdSecEntity::eaAPI, XrdOucEnv::Get(), XrdSecEntity::grps, XrdSciTokensMon::Mon_isIO(), XrdSciTokensMon::Mon_Report(), XrdSecEntity::prot, XrdSecEntity::role, XrdSecEntity::secMon, XrdSecEntity::vorg, and XrdAccPriv_None.

Here is the call graph for this function:

Audit()

virtual int XrdAccSciTokens::Audit ( const int accok, const XrdSecEntity * Entity, const char * path, const Access_Operation oper, XrdOucEnv * Env = 0 )

inlineoverridevirtual

Route an audit message to the appropriate audit exit routine. See XrdAccAudit.h for more information on how the default implementation works. Currently, this method is not called by the ofs but should be used by the implementation to record denials or grants, as warranted.

Parameters

accok	-> True is access was grated; false otherwise.
Entity	-> Authentication information
path	-> The logical path which is the target of oper
oper	-> The operation being attempted (see above)
Env	-> Environmental information at the time of the operation as supplied by the path CGI string. This is optional and the pointer may be zero.

Returns

Success: !0 information recorded. Failure: 0 information could not be recorded.

Implements XrdAccAuthorize.

Definition at line 749 of file XrdSciTokensAccess.cc.

    {
        return 0;
    }

GetConfigFile()

std::string XrdAccSciTokens::GetConfigFile ( )

inline

Definition at line 764 of file XrdSciTokensAccess.cc.

                              {
        return m_cfg_file;
    }

IssuerList()

virtual Issuers XrdAccSciTokens::IssuerList ( )

inlineoverridevirtual

Implements XrdSciTokensHelper.

Definition at line 673 of file XrdSciTokensAccess.cc.

    {
        /*
        Convert the m_issuers into the data structure:
        struct   ValidIssuer
        {std::string issuer_name;
         std::string issuer_url;
        };
        typedef std::vector<ValidIssuer> Issuers;
        */
        Issuers issuers;
        pthread_rwlock_rdlock(&m_config_lock);
        try {
            for (const auto &it: m_issuers) {
                issuers.push_back({it.first, it.second.m_url});
            }
        } catch (...) {
            pthread_rwlock_unlock(&m_config_lock);
            throw;
        }
        pthread_rwlock_unlock(&m_config_lock);
        return issuers;
 
    }

Test()

virtual int XrdAccSciTokens::Test ( const XrdAccPrivs priv, const Access_Operation oper )

inlineoverridevirtual

Check whether the specified operation is permitted.

Parameters

priv	-> the privileges as returned by Access().
oper	-> The operation being attempted (see above)

Returns

Permit: a non-zero value (access is permitted) Deny: zero (access is denied)

Implements XrdAccAuthorize.

Definition at line 758 of file XrdSciTokensAccess.cc.

    {
        return (m_chain ? m_chain->Test(priv, oper) : 0);
    }

Validate()

virtual bool XrdAccSciTokens::Validate ( const char * token, std::string & emsg, long long * expT, XrdSecEntity * entP )

inlineoverridevirtual

Validate a scitoken.

Parameters

token	- Pointer to the token to validate.
emsg	- Reference to a string to hold the reason for rejection
expT	- Pointer to where the expiry value is to be placed. If nill, the value is not returned.
entP	- Pointer to the SecEntity object and when not nil requests that it be filled with any identifying information in the token. The caller assumes that all supplied fields may be released by calling free().

Returns

Return true if the token is valid; false otherwise with emsg set.

Implements XrdSciTokensHelper.

Definition at line 698 of file XrdSciTokensAccess.cc.

    {
        // Just check if the token is valid, no scope checking
 
        // Deserialize the token
        SciToken scitoken;
        char *err_msg;
        if (!strncmp(token, "Bearer%20", 9)) token += 9;
        pthread_rwlock_rdlock(&m_config_lock);
        auto retval = scitoken_deserialize(token, &scitoken, &m_valid_issuers_array[0], &err_msg);
        pthread_rwlock_unlock(&m_config_lock);
        if (retval) {
            // This originally looked like a JWT so log the failure.
            m_log.Log(LogMask::Warning, "Validate", "Failed to deserialize SciToken:", err_msg);
            emsg = err_msg;
            free(err_msg);
            return false;
        }
 
        // If an entity was passed then we will fill it in with the subject
        // name, should it exist. Note that we are gauranteed that all the
        // settable entity fields are null so no need to worry setting them.
        //
        if (Entity)
           {char *value = nullptr;
            if (!scitoken_get_claim_string(scitoken, "sub", &value, &err_msg)) {
               Entity->name = strdup(value);
               free(value);
            } else {
               free(err_msg);
            }
           }
 
        // Return the expiration time of this token if so wanted.
        //
        if (expT && scitoken_get_expiration(scitoken, expT, &err_msg)) {
            emsg = err_msg;
            free(err_msg);
            scitoken_destroy(scitoken);
            return false;
        }
 
 
        // Delete the scitokens
        scitoken_destroy(scitoken);
 
        // Deserialize checks the key, so we're good now.
        return true;
    }

References emsg(), and XrdSecEntity::name.

Here is the call graph for this function:

---

The documentation for this class was generated from the following file:

• XrdSciTokensAccess.cc