#include "XrdAcc/XrdAccAuthorize.hh"
#include "XrdOuc/XrdOucEnv.hh"
#include "XrdOuc/XrdOucGatherConf.hh"
#include "XrdOuc/XrdOucPrivateUtils.hh"
#include "XrdSec/XrdSecEntity.hh"
#include "XrdSec/XrdSecEntityAttr.hh"
#include "XrdSys/XrdSysLogger.hh"
#include "XrdTls/XrdTlsContext.hh"
#include "XrdVersion.hh"
#include <cctype>
#include <ctime>
#include <map>
#include <memory>
#include <mutex>
#include <string>
#include <vector>
#include <sstream>
#include <fstream>
#include <unordered_map>
#include <tuple>
#include "fcntl.h"
#include "INIReader.h"
#include "picojson.h"
#include "scitokens/scitokens.h"
#include "XrdSciTokens/XrdSciTokensAccess.hh"
#include "XrdSciTokens/XrdSciTokensHelper.hh"
#include "XrdSciTokens/XrdSciTokensMon.hh"

Include dependency graph for XrdSciTokensAccess.cc:

Classes
class	XrdAccSciTokens

Functions
bool	AuthorizesRequiredIssuers (Access_Operation client_oper, const std::string_view &path, const std::vector< std::pair< std::unique_ptr< SubpathMatch >, std::string >> &required_issuers, const std::vector< std::shared_ptr< XrdAccRules >> &access_rules_list)

void	InitAccSciTokens (XrdSysLogger lp, const char cfn, const char parm, XrdAccAuthorize accP, XrdOucEnv *envP)

XrdAccAuthorize *	XrdAccAuthorizeObjAdd (XrdSysLogger lp, const char cfn, const char parm, XrdOucEnv envP, XrdAccAuthorize *accP)

XrdAccAuthorize *	XrdAccAuthorizeObject (XrdSysLogger lp, const char cfn, const char *parm)

XrdAccAuthorize *	XrdAccAuthorizeObject2 (XrdSysLogger lp, const char cfn, const char parm, XrdOucEnv envP)

	XrdVERSIONINFO (XrdAccAuthorizeObjAdd, XrdAccSciTokens)

	XrdVERSIONINFO (XrdAccAuthorizeObject, XrdAccSciTokens)

Variables
XrdAccSciTokens *	accSciTokens = nullptr

XrdSciTokensHelper *	SciTokensHelper = nullptr

Function Documentation

◆ AuthorizesRequiredIssuers()

bool AuthorizesRequiredIssuers	(	Access_Operation	client_oper,
		const std::string_view &	path,
		const std::vector< std::pair< std::unique_ptr< SubpathMatch >, std::string >> &	required_issuers,
		const std::vector< std::shared_ptr< XrdAccRules >> &	access_rules_list
	)

Definition at line 385 of file XrdSciTokensAccess.cc.

 {
  
     // Translate the client-attempted operation to one of the simpler operations we've defined.
     Access_Operation oper;
     switch (client_oper) {
         case AOP_Any:
             return false; // Invalid request
             break;
         case AOP_Chmod: [[fallthrough]];
         case AOP_Chown: [[fallthrough]];
         case AOP_Create: [[fallthrough]];
         case AOP_Excl_Create: [[fallthrough]];
         case AOP_Delete: [[fallthrough]];
         case AOP_Excl_Insert: [[fallthrough]];
         case AOP_Insert: [[fallthrough]];
         case AOP_Lock:
             oper = AOP_Create;
             break;
         case AOP_Mkdir:
             oper = AOP_Mkdir;
             break;
         case AOP_Read:
             oper = AOP_Read;
             break;
         case AOP_Readdir:
             oper = AOP_Readdir;
             break;
         case AOP_Rename:
             oper = AOP_Create;
             break;
         case AOP_Stat:
             oper = AOP_Stat;
             break;
         case AOP_Update:
             oper = AOP_Update;
             break;
         default:
             return false; // Invalid request
     };
  
     // Iterate through all the required issuers
     for (const auto &info : required_issuers) {
         // See if this issuer is required for this path/operation.
         if (info.first->apply(oper, path)) {
             bool has_authz = false;
             // If so, see if one of the tokens (a) is from this issuer and (b) authorizes the request.
             for (const auto &rules : access_rules_list) {
                 if (rules->get_issuer() == info.second && rules->apply(oper, path)) {
                     has_authz = true;
                     break;
                 }
             }
             if (!has_authz) {
                 return false;
             }
         }
     }
     return true;
 }

References AOP_Any, AOP_Chmod, AOP_Chown, AOP_Create, AOP_Delete, AOP_Excl_Create, AOP_Excl_Insert, AOP_Insert, AOP_Lock, AOP_Mkdir, AOP_Read, AOP_Readdir, AOP_Rename, AOP_Stat, and AOP_Update.

Referenced by XrdAccSciTokens::Access().

Here is the caller graph for this function:

◆ InitAccSciTokens()

void InitAccSciTokens	(	XrdSysLogger *	lp,
		const char *	cfn,
		const char *	parm,
		XrdAccAuthorize *	accP,
		XrdOucEnv *	envP
	)

Definition at line 1487 of file XrdSciTokensAccess.cc.

 {
     try {
         accSciTokens = new XrdAccSciTokens(lp, parm, accP, envP);
         SciTokensHelper = accSciTokens;
     } catch (std::exception &) {
     }
 }

References accSciTokens, XrdProxy::envP, and SciTokensHelper.

Referenced by XrdAccAuthorizeObjAdd(), XrdAccAuthorizeObject(), and XrdAccAuthorizeObject2().

Here is the caller graph for this function:

◆ XrdAccAuthorizeObjAdd()

XrdAccAuthorize* XrdAccAuthorizeObjAdd	(	XrdSysLogger *	lp,
		const char *	cfn,
		const char *	parm,
		XrdOucEnv *	envP,
		XrdAccAuthorize *	accP
	)

Definition at line 1499 of file XrdSciTokensAccess.cc.

 {
     // Record the parent authorization plugin. There is no need to use
     // unique_ptr as all of this happens once in the main and only thread.
     //
  
     // If we have been initialized by a previous load, them return that result.
     // Otherwise, it's the first time through, get a new SciTokens authorizer.
     //
     if (!accSciTokens) InitAccSciTokens(lp, cfn, parm, accP, envP);
     return accSciTokens;
 }

References accSciTokens, XrdProxy::envP, and InitAccSciTokens().

Here is the call graph for this function:

◆ XrdAccAuthorizeObject()

XrdAccAuthorize* XrdAccAuthorizeObject	(	XrdSysLogger *	lp,
		const char *	cfn,
		const char *	parm
	)

Definition at line 1516 of file XrdSciTokensAccess.cc.

 {
     InitAccSciTokens(lp, cfn, parm, nullptr, nullptr);
     return accSciTokens;
 }

References accSciTokens, and InitAccSciTokens().

Here is the call graph for this function:

◆ XrdAccAuthorizeObject2()

XrdAccAuthorize* XrdAccAuthorizeObject2	(	XrdSysLogger *	lp,
		const char *	cfn,
		const char *	parm,
		XrdOucEnv *	envP
	)

Definition at line 1524 of file XrdSciTokensAccess.cc.

 {
     InitAccSciTokens(lp, cfn, parm, nullptr, envP);
     return accSciTokens;
 }

References accSciTokens, XrdProxy::envP, and InitAccSciTokens().

Here is the call graph for this function:

◆ XrdVERSIONINFO() [1/2]

XrdVERSIONINFO	(	XrdAccAuthorizeObjAdd	,
		XrdAccSciTokens
	)

◆ XrdVERSIONINFO() [2/2]

XrdVERSIONINFO	(	XrdAccAuthorizeObject	,
		XrdAccSciTokens
	)

Variable Documentation

◆ accSciTokens

XrdAccSciTokens* accSciTokens = nullptr

Definition at line 450 of file XrdSciTokensAccess.cc.

Referenced by InitAccSciTokens(), XrdAccAuthorizeObjAdd(), XrdAccAuthorizeObject(), and XrdAccAuthorizeObject2().

◆ SciTokensHelper

XrdSciTokensHelper* SciTokensHelper = nullptr

Definition at line 39 of file XrdSciTokensAccess.cc.

Referenced by InitAccSciTokens().

Classes

Functions

Variables

Function Documentation

◆ AuthorizesRequiredIssuers()

◆ InitAccSciTokens()

◆ XrdAccAuthorizeObjAdd()

◆ XrdAccAuthorizeObject()

◆ XrdAccAuthorizeObject2()

◆ XrdVERSIONINFO() [1/2]

◆ XrdVERSIONINFO() [2/2]

Variable Documentation

◆ accSciTokens

◆ SciTokensHelper