#include "XrdAcc/XrdAccAuthorize.hh"
#include "XrdOuc/XrdOucEnv.hh"
#include "XrdOuc/XrdOucGatherConf.hh"
#include "XrdOuc/XrdOucPrivateUtils.hh"
#include "XrdSec/XrdSecEntity.hh"
#include "XrdSec/XrdSecEntityAttr.hh"
#include "XrdSys/XrdSysLogger.hh"
#include "XrdTls/XrdTlsContext.hh"
#include "XrdVersion.hh"
#include <cctype>
#include <ctime>
#include <map>
#include <memory>
#include <mutex>
#include <string>
#include <vector>
#include <sstream>
#include <fstream>
#include <unordered_map>
#include <tuple>
#include <cstdlib>
#include "INIReader.h"
#include "picojson.h"
#include "scitokens/scitokens.h"
#include "XrdSciTokens/XrdSciTokensAccess.hh"
#include "XrdSciTokens/XrdSciTokensHelper.hh"
#include "XrdSciTokens/XrdSciTokensMon.hh"

Include dependency graph for XrdSciTokensAccess.cc:

Classes
class	XrdAccSciTokens

Functions
bool	AuthorizesRequiredIssuers (Access_Operation client_oper, const std::string_view &path, const std::vector< std::pair< std::unique_ptr< SubpathMatch >, std::string > > &required_issuers, const std::vector< std::shared_ptr< XrdAccRules > > &access_rules_list)

void	InitAccSciTokens (XrdSysLogger lp, const char cfn, const char parm, XrdAccAuthorize accP, XrdOucEnv *envP)

XrdAccAuthorize *	XrdAccAuthorizeObjAdd (XrdSysLogger lp, const char cfn, const char parm, XrdOucEnv envP, XrdAccAuthorize *accP)

XrdAccAuthorize *	XrdAccAuthorizeObject (XrdSysLogger lp, const char cfn, const char *parm)

XrdAccAuthorize *	XrdAccAuthorizeObject2 (XrdSysLogger lp, const char cfn, const char parm, XrdOucEnv envP)

	XrdVERSIONINFO (XrdAccAuthorizeObjAdd, XrdAccSciTokens)

	XrdVERSIONINFO (XrdAccAuthorizeObject, XrdAccSciTokens)

Variables
XrdAccSciTokens *	accSciTokens = nullptr

XrdSciTokensHelper *	SciTokensHelper = nullptr

Function Documentation

◆ AuthorizesRequiredIssuers()

bool AuthorizesRequiredIssuers	(	Access_Operation	client_oper,
		const std::string_view &	path,
		const std::vector< std::pair< std::unique_ptr< SubpathMatch >, std::string > > &	required_issuers,
		const std::vector< std::shared_ptr< XrdAccRules > > &	access_rules_list )

Definition at line 392 of file XrdSciTokensAccess.cc.

{
 
    // Translate the client-attempted operation to one of the simpler operations we've defined.
    Access_Operation oper;
    switch (client_oper) {
        case AOP_Any:
            return false; // Invalid request
            break;
        case AOP_Chmod: [[fallthrough]];
        case AOP_Chown: [[fallthrough]];
        case AOP_Create: [[fallthrough]];
        case AOP_Excl_Create: [[fallthrough]];
        case AOP_Delete: [[fallthrough]];
        case AOP_Excl_Insert: [[fallthrough]];
        case AOP_Insert: [[fallthrough]];
        case AOP_Lock:
            oper = AOP_Create;
            break;
        case AOP_Mkdir:
            oper = AOP_Mkdir;
            break;
        case AOP_Read:
            oper = AOP_Read;
            break;
        case AOP_Readdir:
            oper = AOP_Readdir;
            break;
        case AOP_Rename:
            oper = AOP_Create;
            break;
        case AOP_Stat:
            oper = AOP_Stat;
            break;
        case AOP_Update:
            oper = AOP_Update;
            break;
        default:
            return false; // Invalid request
    };
 
    // Iterate through all the required issuers
    for (const auto &info : required_issuers) {
        // See if this issuer is required for this path/operation.
        if (info.first->apply(oper, path)) {
            bool has_authz = false;
            // If so, see if one of the tokens (a) is from this issuer and (b) authorizes the request.
            for (const auto &rules : access_rules_list) {
                if (rules->get_issuer() == info.second && rules->apply(oper, path)) {
                    has_authz = true;
                    break;
                }
            }
            if (!has_authz) {
                return false;
            }
        }
    }
    return true;
}

References AOP_Any, AOP_Chmod, AOP_Chown, AOP_Create, AOP_Delete, AOP_Excl_Create, AOP_Excl_Insert, AOP_Insert, AOP_Lock, AOP_Mkdir, AOP_Read, AOP_Readdir, AOP_Rename, AOP_Stat, and AOP_Update.

Referenced by XrdAccSciTokens::Access().

Here is the caller graph for this function:

◆ InitAccSciTokens()

void InitAccSciTokens	(	XrdSysLogger *	lp,
		const char *	cfn,
		const char *	parm,
		XrdAccAuthorize *	accP,
		XrdOucEnv *	envP )

Definition at line 1530 of file XrdSciTokensAccess.cc.

{
    try {
        accSciTokens = new XrdAccSciTokens(lp, parm, accP, envP);
        SciTokensHelper = accSciTokens;
    } catch (std::exception &) {
    }
}

References accSciTokens, and SciTokensHelper.

Referenced by XrdAccAuthorizeObjAdd(), XrdAccAuthorizeObject(), and XrdAccAuthorizeObject2().

Here is the caller graph for this function:

◆ XrdAccAuthorizeObjAdd()

XrdAccAuthorize * XrdAccAuthorizeObjAdd	(	XrdSysLogger *	lp,
		const char *	cfn,
		const char *	parm,
		XrdOucEnv *	envP,
		XrdAccAuthorize *	accP )

Definition at line 1542 of file XrdSciTokensAccess.cc.

{
    // Record the parent authorization plugin. There is no need to use
    // unique_ptr as all of this happens once in the main and only thread.
    //
 
    // If we have been initialized by a previous load, them return that result.
    // Otherwise, it's the first time through, get a new SciTokens authorizer.
    //
    if (!accSciTokens) InitAccSciTokens(lp, cfn, parm, accP, envP);
    return accSciTokens;
}

References accSciTokens, and InitAccSciTokens().