Macaroons::Handler Class Reference

#include <XrdMacaroonsHandler.hh>

Inheritance diagram for Macaroons::Handler:

Collaboration diagram for Macaroons::Handler:

Public Types
enum	AuthzBehavior {   PASSTHROUGH ,   ALLOW ,   DENY }

Public Member Functions
	Handler (XrdSysError *log, const char *config, XrdOucEnv *myEnv, XrdAccAuthorize *chain)
virtual	~Handler ()
virtual int	Init (const char *cfgfile) override
	Initializes the external request handler. More...
virtual bool	MatchesPath (const char *verb, const char *path) override
	Tells if the incoming path is recognized as one of the paths that have to be processed. More...
virtual int	ProcessReq (XrdHttpExtReq &req) override
Public Member Functions inherited from XrdHttpExtHandler
	XrdHttpExtHandler ()
	Constructor. More...
virtual	~XrdHttpExtHandler ()
	Destructor. More...

Static Public Member Functions
static bool	Config (const char *config, XrdOucEnv *env, XrdSysError *log, std::string &location, std::string &secret, ssize_t &max_duration, AuthzBehavior &behavior)

Detailed Description

Definition at line 39 of file XrdMacaroonsHandler.hh.

Member Enumeration Documentation

AuthzBehavior

enum Macaroons::Handler::AuthzBehavior

Enumerator
PASSTHROUGH
ALLOW
DENY

Definition at line 54 of file XrdMacaroonsHandler.hh.

                       {
        PASSTHROUGH,
        ALLOW,
        DENY
    };

Constructor & Destructor Documentation

Handler()

Macaroons::Handler::Handler ( XrdSysError *  log, const char *  config, XrdOucEnv *  myEnv, XrdAccAuthorize *  chain  )

inline

Definition at line 41 of file XrdMacaroonsHandler.hh.

                                :
        m_max_duration(86400),
        m_chain(chain),
        m_log(log)
    {
        AuthzBehavior behavior;
        if (!Config(config, myEnv, m_log, m_location, m_secret, m_max_duration, behavior))
        {
            throw std::runtime_error("Macaroon handler config failed.");
        }
    }

References Config().

Here is the call graph for this function:

~Handler()

Handler::~Handler ( )

virtual

Definition at line 132 of file XrdMacaroonsHandler.cc.

{
    delete m_chain;
}

Member Function Documentation

Config()

bool Handler::Config ( const char *  config, XrdOucEnv *  env, XrdSysError *  log, std::string &  location, std::string &  secret, ssize_t &  max_duration, AuthzBehavior &  behavior  )

static

Definition at line 39 of file XrdMacaroonsConfigure.cc.

{
  XrdOucStream config_obj(log, getenv("XRDINSTANCE"), env, "=====> ");
 
  // Open and attach the config file
  //
  int cfg_fd;
  if ((cfg_fd = open(config, O_RDONLY, 0)) < 0) {
    return log->Emsg("Config", errno, "open config file", config);
  }
  config_obj.Attach(cfg_fd);
  static const char *cvec[] = { "*** macaroons plugin config:", 0 };
  config_obj.Capture(cvec);
 
  // Set default mask for logging.
  log->setMsgMask(LogMask::Error | LogMask::Warning);
 
  // Set default maximum duration (24 hours).
  max_duration = 24*3600;
 
  // Process items
  //
  char *orig_var, *var;
  bool success = true, ismine;
  while ((orig_var = config_obj.GetMyFirstWord())) {
    var = orig_var;
    if ((ismine = !strncmp("all.sitename", var, 12))) var += 4;
    else if ((ismine = !strncmp("macaroons.", var, 10)) && var[10]) var += 10;
 
    
 
    if (!ismine) {continue;}
 
    if (!strcmp("secretkey", var)) {success = xsecretkey(config_obj, log, secret);}
    else if (!strcmp("sitename", var)) {success = xsitename(config_obj, log, location);}
    else if (!strcmp("trace", var)) {success = xtrace(config_obj, log);}
    else if (!strcmp("maxduration", var)) {success = xmaxduration(config_obj, log, max_duration);}
    else if (!strcmp("onmissing", var)) {success = xonmissing(config_obj, log, behavior);}
    else {
        log->Say("Config warning: ignoring unknown directive '", orig_var, "'.");
        config_obj.Echo();
        continue;
    }
    if (!success) {
        config_obj.Echo();
        break;
    }
  }
 
  if (success && !location.size())
  {
    log->Emsg("Config", "all.sitename must be specified to use macaroons.");
    return false;
  }
 
  return success;
}

References XrdOucStream::Attach(), XrdOucStream::Capture(), XrdOucStream::Echo(), XrdSysError::Emsg(), Error, XrdOucStream::GetMyFirstWord(), open, XrdSysError::Say(), XrdSysError::setMsgMask(), TPC::Warning, and xonmissing().

Referenced by Macaroons::Authz::Authz(), and Handler().

Here is the call graph for this function:

Here is the caller graph for this function:

Init()

virtual int Macaroons::Handler::Init ( const char *  cfgfile )

inlineoverridevirtual

Initializes the external request handler.

Implements XrdHttpExtHandler.

Definition at line 65 of file XrdMacaroonsHandler.hh.

{return 0;}

MatchesPath()

bool Handler::MatchesPath ( const char *  verb, const char *  path  )

overridevirtual

Tells if the incoming path is recognized as one of the paths that have to be processed.

Implements XrdHttpExtHandler.

Definition at line 203 of file XrdMacaroonsHandler.cc.

{
    return !strcmp(verb, "POST") || !strncmp(path, "/.well-known/", 13) ||
           !strncmp(path, "/.oauth2/", 9);
}

ProcessReq()

int Handler::ProcessReq ( XrdHttpExtReq &  )

overridevirtual

Process an HTTP request and send the response using the calling XrdHttpProtocol instance directly Returns 0 if ok, non0 if errors

Implements XrdHttpExtHandler.

Definition at line 373 of file XrdMacaroonsHandler.cc.

{
    if (req.resource == "/.well-known/oauth-authorization-server") {
        return ProcessOAuthConfig(req);
    } else if (req.resource == "/.oauth2/token") {
        return ProcessTokenRequest(req);
    }
 
    auto header = XrdOucTUtils::caseInsensitiveFind(req.headers,"content-type");
    if (header == req.headers.end())
    {
        return req.SendSimpleResp(400, NULL, NULL, "Content-Type missing; not a valid macaroon request?", 0);
    }
    if (header->second != "application/macaroon-request")
    {
        return req.SendSimpleResp(400, NULL, NULL, "Content-Type must be set to `application/macaroon-request' to request a macaroon", 0);
    }
    header = XrdOucTUtils::caseInsensitiveFind(req.headers,"content-length");
    if (header == req.headers.end())
    {
        return req.SendSimpleResp(400, NULL, NULL, "Content-Length missing; not a valid POST", 0);
    }
    ssize_t blen;
    try
    {
        blen = std::stoll(header->second);
    }
    catch (...)
    {
        return req.SendSimpleResp(400, NULL, NULL, "Content-Length not parseable.", 0);
    }
    if (blen <= 0)
    {
        return req.SendSimpleResp(400, NULL, NULL, "Content-Length has invalid value.", 0);
    }
    //for (const auto &header : req.headers) { printf("** Request header: %s=%s\n", header.first.c_str(), header.second.c_str()); }
 
    // request_data is not necessarily null-terminated; hence, we use the more advanced _ex variant
    // of the tokener to avoid making a copy of the character buffer.
    char *request_data;
    if (req.BuffgetData(blen, &request_data, true) != blen)
    {
        return req.SendSimpleResp(400, NULL, NULL, "Missing or invalid body of request.", 0);
    }
    json_tokener *tokener = json_tokener_new();
    if (!tokener)
    {
        return req.SendSimpleResp(500, NULL, NULL, "Internal error when allocating token parser.", 0);
    }
    json_object *macaroon_req = json_tokener_parse_ex(tokener, request_data, blen);
    enum json_tokener_error err = json_tokener_get_error(tokener);
    json_tokener_free(tokener);
    if (err != json_tokener_success)
    {
        if (macaroon_req) json_object_put(macaroon_req);
        return req.SendSimpleResp(400, NULL, NULL, "Invalid JSON serialization of macaroon request.", 0);
    }
    json_object *validity_obj;
    if (!json_object_object_get_ex(macaroon_req, "validity", &validity_obj))
    {
        json_object_put(macaroon_req);
        return req.SendSimpleResp(400, NULL, NULL, "JSON request does not include a `validity`", 0);
    }
    const char *validity_cstr = json_object_get_string(validity_obj);
    if (!validity_cstr)
    {
        json_object_put(macaroon_req);
        return req.SendSimpleResp(400, NULL, NULL, "validity key cannot be cast to a string", 0);
    }
    std::string validity_str(validity_cstr);
    ssize_t validity = determine_validity(validity_str);
    if (validity <= 0)
    {
        json_object_put(macaroon_req);
        return req.SendSimpleResp(400, NULL, NULL, "Invalid ISO 8601 duration for validity key", 0);
    }
    json_object *caveats_obj;
    std::vector<std::string> other_caveats;
    if (json_object_object_get_ex(macaroon_req, "caveats", &caveats_obj))
    {
        if (json_object_is_type(caveats_obj, json_type_array))
        { // Caveats were provided.  Let's record them.
          // TODO - could just add these in-situ.  No need for the other_caveats vector.
            int array_length = json_object_array_length(caveats_obj);
            other_caveats.reserve(array_length);
            for (int idx=0; idx<array_length; idx++)
            {
                json_object *caveat_item = json_object_array_get_idx(caveats_obj, idx);
                if (caveat_item)
                {
                    const char *caveat_item_str = json_object_get_string(caveat_item);
                    if (caveat_item_str && is_reserved_caveat(caveat_item_str)) {
                        json_object_put(macaroon_req);
                        return req.SendSimpleResp(400, NULL, NULL,
                            "Caveat uses a reserved predicate key (name:/path:/activity:/before:)", 0);
                    }
                    other_caveats.emplace_back(caveat_item_str);
                }
            }
        }
    }
    json_object_put(macaroon_req);
 
    return GenerateMacaroonResponse(req, req.resource, other_caveats, validity, false);
}

References XrdHttpExtReq::BuffgetData(), XrdOucTUtils::caseInsensitiveFind(), determine_validity(), XrdHttpExtReq::headers, is_reserved_caveat(), XrdHttpExtReq::resource, and XrdHttpExtReq::SendSimpleResp().

Here is the call graph for this function:

---

The documentation for this class was generated from the following files:

• XrdMacaroonsHandler.hh
• XrdMacaroonsConfigure.cc
• XrdMacaroonsHandler.cc