XRootD
Loading...
Searching...
No Matches
Classes | Typedefs | Enumerations | Functions
XrdSciTokensAccess.hh File Reference
#include "XrdAcc/XrdAccAuthorize.hh"
#include "XrdOuc/XrdOucPrivateUtils.hh"
#include <memory>
#include <string>
#include <string_view>
#include <vector>
#include <string.h>
+ Include dependency graph for XrdSciTokensAccess.hh:
+ This graph shows which files directly or indirectly include this file:

Go to the source code of this file.

Classes

struct  MapRule
 
class  SubpathMatch
 
class  XrdAccRules
 

Typedefs

typedef std::vector< std::pair< Access_Operation, std::string > > AccessRulesRaw
 

Enumerations

enum class  AuthzSetting {
  None ,
  Read ,
  Write ,
  All
}
 
enum  IssuerAuthz {
  Capability = 0x01 ,
  Group = 0x02 ,
  Mapping = 0x04 ,
  Default = 0x07
}
 

Functions

bool AuthorizesRequiredIssuers (Access_Operation client_oper, const std::string_view &path, const std::vector< std::pair< std::unique_ptr< SubpathMatch >, std::string > > &required_issuers, const std::vector< std::shared_ptr< XrdAccRules > > &access_rules_list)
 

Typedef Documentation

◆ AccessRulesRaw

typedef std::vector<std::pair<Access_Operation, std::string> > AccessRulesRaw

Class and function definitions for the SciTokens plugin.

Definition at line 16 of file XrdSciTokensAccess.hh.

Enumeration Type Documentation

◆ AuthzSetting

enum class AuthzSetting
strong
Enumerator
None 
Read 
Write 
All 

Definition at line 69 of file XrdSciTokensAccess.hh.

69 {
70 None, // Issuer's authorization is not necessary
71 Read, // Authorization from this issuer is necessary for reads.
72 Write, // Authorization from this issuer is necessary for writes.
73 All, // Authorization from this issuer is necessary for all operations.
74};

◆ IssuerAuthz

enum IssuerAuthz
Enumerator
Capability 
Group 
Mapping 
Default 

Definition at line 80 of file XrdSciTokensAccess.hh.

80 {
81 Capability = 0x01,
82 Group = 0x02,
83 Mapping = 0x04,
84 Default = 0x07
85};
Capability
@ Capability
Definition XrdSciTokensAccess.hh:81

Function Documentation

◆ AuthorizesRequiredIssuers()

bool AuthorizesRequiredIssuers ( Access_Operation client_oper,
const std::string_view & path,
const std::vector< std::pair< std::unique_ptr< SubpathMatch >, std::string > > & required_issuers,
const std::vector< std::shared_ptr< XrdAccRules > > & access_rules_list )

Definition at line 385 of file XrdSciTokensAccess.cc.

388{
389
390 // Translate the client-attempted operation to one of the simpler operations we've defined.
391 Access_Operation oper;
392 switch (client_oper) {
393 case AOP_Any:
394 return false; // Invalid request
395 break;
396 case AOP_Chmod: [[fallthrough]];
397 case AOP_Chown: [[fallthrough]];
398 case AOP_Create: [[fallthrough]];
399 case AOP_Excl_Create: [[fallthrough]];
400 case AOP_Delete: [[fallthrough]];
401 case AOP_Excl_Insert: [[fallthrough]];
402 case AOP_Insert: [[fallthrough]];
403 case AOP_Lock:
404 oper = AOP_Create;
405 break;
406 case AOP_Mkdir:
407 oper = AOP_Mkdir;
408 break;
409 case AOP_Read:
410 oper = AOP_Read;
411 break;
412 case AOP_Readdir:
413 oper = AOP_Readdir;
414 break;
415 case AOP_Rename:
416 oper = AOP_Create;
417 break;
418 case AOP_Stat:
419 oper = AOP_Stat;
420 break;
421 case AOP_Update:
422 oper = AOP_Update;
423 break;
424 default:
425 return false; // Invalid request
426 };
427
428 // Iterate through all the required issuers
429 for (const auto &info : required_issuers) {
430 // See if this issuer is required for this path/operation.
431 if (info.first->apply(oper, path)) {
432 bool has_authz = false;
433 // If so, see if one of the tokens (a) is from this issuer and (b) authorizes the request.
434 for (const auto &rules : access_rules_list) {
435 if (rules->get_issuer() == info.second && rules->apply(oper, path)) {
436 has_authz = true;
437 break;
438 }
439 }
440 if (!has_authz) {
441 return false;
442 }
443 }
444 }
445 return true;
446}
Access_Operation
Access_Operation
The following are supported operations.
Definition XrdAccAuthorize.hh:41
AOP_Delete
@ AOP_Delete
rm() or rmdir()
Definition XrdAccAuthorize.hh:45
AOP_Mkdir
@ AOP_Mkdir
mkdir()
Definition XrdAccAuthorize.hh:48
AOP_Update
@ AOP_Update
open() r/w or append
Definition XrdAccAuthorize.hh:53
AOP_Create
@ AOP_Create
open() with create
Definition XrdAccAuthorize.hh:44
AOP_Readdir
@ AOP_Readdir
opendir()
Definition XrdAccAuthorize.hh:50
AOP_Chmod
@ AOP_Chmod
chmod()
Definition XrdAccAuthorize.hh:42
AOP_Any
@ AOP_Any
Special for getting privs.
Definition XrdAccAuthorize.hh:41
AOP_Stat
@ AOP_Stat
exists(), stat()
Definition XrdAccAuthorize.hh:52
AOP_Rename
@ AOP_Rename
mv() for source
Definition XrdAccAuthorize.hh:51
AOP_Read
@ AOP_Read
open() r/o, prepare()
Definition XrdAccAuthorize.hh:49
AOP_Excl_Create
@ AOP_Excl_Create
open() with O_EXCL|O_CREAT
Definition XrdAccAuthorize.hh:54
AOP_Insert
@ AOP_Insert
mv() for target
Definition XrdAccAuthorize.hh:46
AOP_Lock
@ AOP_Lock
n/a
Definition XrdAccAuthorize.hh:47
AOP_Chown
@ AOP_Chown
chown()
Definition XrdAccAuthorize.hh:43
AOP_Excl_Insert
@ AOP_Excl_Insert
mv() where destination doesn't exist.
Definition XrdAccAuthorize.hh:55

References AOP_Any, AOP_Chmod, AOP_Chown, AOP_Create, AOP_Delete, AOP_Excl_Create, AOP_Excl_Insert, AOP_Insert, AOP_Lock, AOP_Mkdir, AOP_Read, AOP_Readdir, AOP_Rename, AOP_Stat, and AOP_Update.

Referenced by XrdAccSciTokens::Access().

+ Here is the caller graph for this function: