XrdAccSciTokens Class Reference

Inheritance diagram for XrdAccSciTokens:

Collaboration diagram for XrdAccSciTokens:

Public Member Functions
	XrdAccSciTokens (XrdSysLogger *lp, const char *parms, XrdAccAuthorize *chain, XrdOucEnv *envP)
virtual	~XrdAccSciTokens ()
virtual XrdAccPrivs	Access (const XrdSecEntity *Entity, const char *path, const Access_Operation oper, XrdOucEnv *env) override
virtual int	Audit (const int accok, const XrdSecEntity *Entity, const char *path, const Access_Operation oper, XrdOucEnv *Env=0) override
std::string	GetConfigFile ()
virtual Issuers	IssuerList () override
virtual int	Test (const XrdAccPrivs priv, const Access_Operation oper) override
virtual bool	Validate (const char *token, std::string &emsg, long long *expT, XrdSecEntity *Entity) override
Public Member Functions inherited from XrdAccAuthorize
	XrdAccAuthorize ()
	Constructor.
virtual	~XrdAccAuthorize ()
	Destructor.
virtual XrdAccPrivs	Access (const XrdSecEntity *Entity, const char *path, const Access_Operation oper, std::string &eInfo, XrdOucEnv *Env=0)
Public Member Functions inherited from XrdSciTokensHelper
	XrdSciTokensHelper ()
	Constructor and Destructor.
virtual	~XrdSciTokensHelper ()
Public Member Functions inherited from XrdSciTokensMon
	XrdSciTokensMon ()
	~XrdSciTokensMon ()
bool	Mon_isIO (const Access_Operation oper)
void	Mon_Report (const XrdSecEntity &Entity, const std::string &subject, const std::string &username)

Additional Inherited Members
Public Types inherited from XrdSciTokensHelper
typedef std::vector< ValidIssuer >	Issuers

Detailed Description

Definition at line 459 of file XrdSciTokensAccess.cc.

Constructor & Destructor Documentation

XrdAccSciTokens()

XrdAccSciTokens::XrdAccSciTokens ( XrdSysLogger * lp, const char * parms, XrdAccAuthorize * chain, XrdOucEnv * envP )

inline

Definition at line 470 of file XrdSciTokensAccess.cc.

                                                                                                  :
        m_chain(chain),
        m_parms(parms ? parms : ""),
        m_next_clean(monotonic_time() + m_expiry_secs),
        m_log(lp, "scitokens_")
    {
        pthread_rwlock_init(&m_config_lock, nullptr);
        m_config_lock_initialized = true;
        m_log.Say("++++++ XrdAccSciTokens: Initialized SciTokens-based authorization.");
        if (!Config(envP)) {
            throw std::runtime_error("Failed to configure SciTokens authorization.");
        }
    }

References XrdAccAuthorize::XrdAccAuthorize().

Here is the call graph for this function:

~XrdAccSciTokens()

virtual XrdAccSciTokens::~XrdAccSciTokens ( )

inlinevirtual

Definition at line 484 of file XrdSciTokensAccess.cc.

                               {
        if (m_config_lock_initialized) {
            pthread_rwlock_destroy(&m_config_lock);
        }
    }

Member Function Documentation

Access()

virtual XrdAccPrivs XrdAccSciTokens::Access ( const XrdSecEntity * Entity, const char * path, const Access_Operation oper, XrdOucEnv * Env )

inlineoverridevirtual

Check whether or not the client is permitted specified access to a path.

Parameters

Entity	-> Authentication information
path	-> The logical path which is the target of oper
oper	-> The operation being attempted (see the enum above). If the oper is AOP_Any, then the actual privileges are returned and the caller may make subsequent tests using Test().
Env	-> Environmental information at the time of the operation as supplied by the path CGI string. This is optional and the pointer may be zero.

Returns

Permit: a non-zero value (access is permitted) Deny: zero (access is denied)

Implements XrdAccAuthorize.

Definition at line 490 of file XrdSciTokensAccess.cc.

    {
        std::vector<std::string_view> authz_list;
        authz_list.reserve(1);
 
        // Parse the authz environment entry as a comma-separated list of tokens.
        // Traditionally, `authz` has been used as the parameter for XRootD; however,
        // RFC 6750 Section 2.3 ("URI Query Parameter") specifies that access_token
        // is correct.  We support both.
        ParseTokenString("authz", env, authz_list);
        ParseTokenString("access_token", env, authz_list);
 
        if (Entity && !strcmp("ztn", Entity->prot) && Entity->creds &&
            Entity->credslen && Entity->creds[Entity->credslen] == '\0')
        {
            authz_list.push_back(Entity->creds);
        }
 
        if (authz_list.empty()) {
            return OnMissing(Entity, path, oper, env);
        }
 
        // A potential DoS would be providing a large number of tokens to consider for ACLs.
        // Have a hardcoded assumption of <10 tokens per request.
        if (authz_list.size() > 10) {
            m_log.Log(LogMask::Warning, "Access", "Request had more than 10 tokens attached; ignoring");
            return OnMissing(Entity, path, oper, env);
        }
 
        m_log.Log(LogMask::Debug, "Access", "Trying token-based access control");
        std::vector<std::shared_ptr<XrdAccRules>> access_rules_list;
        uint64_t now = monotonic_time();
        Check(now);
        for (const auto &authz : authz_list) {
            std::shared_ptr<XrdAccRules> access_rules;
            {
                std::lock_guard<std::mutex> guard(m_map_mutex);
                const auto iter = m_map.find(authz);
                if (iter != m_map.end() && !iter->second->expired()) {
                    access_rules = iter->second;
                }
            }
            if (!access_rules) {
                m_log.Log(LogMask::Debug, "Access", "Token not found in recent cache; parsing.");
                try {
                    uint64_t cache_expiry;
                    AccessRulesRaw rules;
                    std::string username;
                    std::string token_subject;
                    std::string issuer;
                    std::vector<MapRule> map_rules;
                    std::vector<std::string> groups;
                    uint32_t authz_strategy;
                    AuthzSetting acceptable_authz;
                    if (GenerateAcls(authz, cache_expiry, rules, username, token_subject, issuer, map_rules, groups, authz_strategy, acceptable_authz)) {
                        access_rules.reset(new XrdAccRules(now + cache_expiry, username, token_subject, issuer, map_rules, groups, authz_strategy, acceptable_authz));
                        access_rules->parse(rules);
                    } else {
                        m_log.Log(LogMask::Warning, "Access", "Failed to generate ACLs for token");
                        continue;
                    }
                    if (m_log.getMsgMask() & LogMask::Debug) {
                        m_log.Log(LogMask::Debug, "Access", "New valid token", access_rules->str().c_str());
                    }
                } catch (std::exception &exc) {
                    m_log.Log(LogMask::Warning, "Access", "Error generating ACLs for authorization", exc.what());
                    continue;
                }
                std::lock_guard<std::mutex> guard(m_map_mutex);
                m_map[std::string(authz)] = access_rules;
            } else if (m_log.getMsgMask() & LogMask::Debug) {
                m_log.Log(LogMask::Debug, "Access", "Cached token", access_rules->str().c_str());
            }
            access_rules_list.push_back(access_rules);
        }
        if (access_rules_list.empty()) {
            return OnMissing(Entity, path, oper, env);
        }
        std::string_view path_view(path, strlen(path));
 
        // Apply the logic for the required issuers.
        if (!AuthorizesRequiredIssuers(oper, path_view, m_required_issuers, access_rules_list)) {
            return OnMissing(Entity, path, oper, env);
        }
 
        // Strategy: assuming the corresponding strategy is enabled, we populate the name in
        // the XrdSecEntity if:
        //    1. There are scopes present in the token that authorize the request,
        //    2. The token is mapped by some rule in the mapfile (group or subject-based mapping).
        // The default username for the issuer is only used in (1).
        // If the scope-based mapping is successful, authorize immediately.  Otherwise, if the
        // mapping is successful, we potentially chain to another plugin.
        //
        // We always populate the issuer and the groups, if present.
 
        // Access may be authorized; populate XrdSecEntity
        for (const auto &access_rules : access_rules_list) {
            // Make sure this issuer is acceptable for the given operation.
            if (!access_rules->acceptable_authz(oper)) {
                m_log.Log(LogMask::Debug, "Access", "Issuer is not acceptable for given operation:", access_rules->get_issuer().c_str());
                continue;
            }
 
            XrdSecEntity new_secentity;
            new_secentity.vorg = nullptr;
            new_secentity.grps = nullptr;
            new_secentity.role = nullptr;
            new_secentity.secMon = Entity->secMon;
            new_secentity.addrInfo = Entity->addrInfo;
            const auto &issuer = access_rules->get_issuer();
            if (!issuer.empty()) {
                new_secentity.vorg = strdup(issuer.c_str());
            }
            bool group_success = false;
            if ((access_rules->get_authz_strategy() & IssuerAuthz::Group) && access_rules->groups().size()) {
                std::stringstream ss;
                for (const auto &grp : access_rules->groups()) {
                    ss << grp << " ";
                }
                const auto &groups_str = ss.str();
                new_secentity.grps = static_cast<char*>(malloc(groups_str.size() + 1));
                if (new_secentity.grps) {
                    memcpy(new_secentity.grps, groups_str.c_str(), groups_str.size());
                    new_secentity.grps[groups_str.size()] = '\0';
                }
                group_success = true;
            }
 
            std::string username;
            bool mapping_success = false;
            bool scope_success = false;
            username = access_rules->get_username(path_view);
 
            mapping_success = (access_rules->get_authz_strategy() & IssuerAuthz::Mapping) && !username.empty();
            scope_success = (access_rules->get_authz_strategy() & IssuerAuthz::Capability) && access_rules->apply(oper, path_view);
            if (scope_success && (m_log.getMsgMask() & LogMask::Debug)) {
                std::stringstream ss;
                ss << "Grant authorization based on scopes for operation=" << OpToName(oper) << ", path=" << path;
                m_log.Log(LogMask::Debug, "Access", ss.str().c_str());
            }
 
            if (!scope_success && !mapping_success && !group_success) {
                auto returned_accs = OnMissing(&new_secentity, path, oper, env);
                // Clean up the new_secentity
                if (new_secentity.vorg != nullptr) free(new_secentity.vorg);
                if (new_secentity.grps != nullptr) free(new_secentity.grps);
                if (new_secentity.role != nullptr) free(new_secentity.role);
 
                return returned_accs;
            }
 
            // Default user only applies to scope-based mappings.
            if (scope_success && username.empty()) {
                username = access_rules->get_default_username();
            }
 
            // Setting the request.name will pass the username to the next plugin.
            // Ensure we do that only if map-based or scope-based authorization worked.
            if (scope_success || mapping_success) {
                // Set scitokens.name in the extra attribute
                Entity->eaAPI->Add("request.name", username, true);
                new_secentity.eaAPI->Add("request.name", username, true);
                m_log.Log(LogMask::Debug, "Access", "Request username", username.c_str());
            }
 
                // Make the token subject available.  Even though it's a reasonably bad idea
                // to use for *authorization* for file access, there may be other use cases.
                // For example, the combination of (vorg, token.subject) is a reasonable
                // approximation of a unique 'entity' (either person or a robot) and is
                // more reasonable to use for resource fairshare in XrdThrottle.
            const auto &token_subject = access_rules->get_token_subject();
            if (!token_subject.empty()) {
                Entity->eaAPI->Add("token.subject", token_subject, true);
            }
 
            // When the scope authorized this access, allow immediately.  Otherwise, chain
            XrdAccPrivs returned_op = scope_success ? AddPriv(oper, XrdAccPriv_None) : OnMissing(&new_secentity, path, oper, env);
 
            // Since we are doing an early return, insert token info into the
            // monitoring stream if monitoring is in effect and access granted
            //
            if (Entity->secMon && scope_success && returned_op && Mon_isIO(oper))
            Mon_Report(new_secentity, token_subject, username);
 
            // Cleanup the new_secentry
            if (new_secentity.vorg != nullptr) free(new_secentity.vorg);
            if (new_secentity.grps != nullptr) free(new_secentity.grps);
            if (new_secentity.role != nullptr) free(new_secentity.role);
            return returned_op;
        }
 
        // We iterated through all available credentials and none provided authorization; fall back
        return OnMissing(Entity, path, oper, env);
    }

References XrdSecEntityAttr::Add(), XrdSecEntity::addrInfo, AuthorizesRequiredIssuers(), Capability, XrdSecEntity::creds, XrdSecEntity::credslen, XrdSecEntity::eaAPI, Group, XrdSecEntity::grps, Mapping, XrdSciTokensMon::Mon_isIO(), XrdSciTokensMon::Mon_Report(), XrdSecEntity::prot, XrdSecEntity::role, XrdSecEntity::secMon, XrdSecEntity::vorg, and XrdAccPriv_None.

Here is the call graph for this function:

Audit()

virtual int XrdAccSciTokens::Audit ( const int accok, const XrdSecEntity * Entity, const char * path, const Access_Operation oper, XrdOucEnv * Env = 0 )

inlineoverridevirtual

Route an audit message to the appropriate audit exit routine. See XrdAccAudit.h for more information on how the default implementation works. Currently, this method is not called by the ofs but should be used by the implementation to record denials or grants, as warranted.

Parameters

accok	-> True is access was grated; false otherwise.
Entity	-> Authentication information
path	-> The logical path which is the target of oper
oper	-> The operation being attempted (see above)
Env	-> Environmental information at the time of the operation as supplied by the path CGI string. This is optional and the pointer may be zero.

Returns

Success: !0 information recorded. Failure: 0 information could not be recorded.

Implements XrdAccAuthorize.

Definition at line 764 of file XrdSciTokensAccess.cc.

    {
        return 0;
    }

GetConfigFile()

std::string XrdAccSciTokens::GetConfigFile ( )

inline

Definition at line 779 of file XrdSciTokensAccess.cc.

                              {
        return m_cfg_file;
    }

IssuerList()

virtual Issuers XrdAccSciTokens::IssuerList ( )

inlineoverridevirtual

Implements XrdSciTokensHelper.

Definition at line 688 of file XrdSciTokensAccess.cc.

    {
        /*
        Convert the m_issuers into the data structure:
        struct   ValidIssuer
        {std::string issuer_name;
         std::string issuer_url;
        };
        typedef std::vector<ValidIssuer> Issuers;
        */
        Issuers issuers;
        pthread_rwlock_rdlock(&m_config_lock);
        try {
            for (const auto &it: m_issuers) {
                issuers.push_back({it.first, it.second.m_url});
            }
        } catch (...) {
            pthread_rwlock_unlock(&m_config_lock);
            throw;
        }
        pthread_rwlock_unlock(&m_config_lock);
        return issuers;
 
    }

Test()

virtual int XrdAccSciTokens::Test ( const XrdAccPrivs priv, const Access_Operation oper )

inlineoverridevirtual

Check whether the specified operation is permitted.

Parameters

priv	-> the privileges as returned by Access().
oper	-> The operation being attempted (see above)

Returns

Permit: a non-zero value (access is permitted) Deny: zero (access is denied)

Implements XrdAccAuthorize.

Definition at line 773 of file XrdSciTokensAccess.cc.

    {
        return (m_chain ? m_chain->Test(priv, oper) : 0);
    }

Validate()

virtual bool XrdAccSciTokens::Validate ( const char * token, std::string & emsg, long long * expT, XrdSecEntity * entP )

inlineoverridevirtual

Validate a scitoken.

Parameters

token	- Pointer to the token to validate.
emsg	- Reference to a string to hold the reason for rejection
expT	- Pointer to where the expiry value is to be placed. If nill, the value is not returned.
entP	- Pointer to the SecEntity object and when not nil requests that it be filled with any identifying information in the token. The caller assumes that all supplied fields may be released by calling free().

Returns

Return true if the token is valid; false otherwise with emsg set.

Implements XrdSciTokensHelper.

Definition at line 713 of file XrdSciTokensAccess.cc.

    {
        // Just check if the token is valid, no scope checking
 
        // Deserialize the token
        SciToken scitoken;
        char *err_msg;
        if (!strncmp(token, "Bearer%20", 9)) token += 9;
        pthread_rwlock_rdlock(&m_config_lock);
        auto retval = scitoken_deserialize(token, &scitoken, &m_valid_issuers_array[0], &err_msg);
        pthread_rwlock_unlock(&m_config_lock);
        if (retval) {
            // This originally looked like a JWT so log the failure.
            m_log.Log(LogMask::Warning, "Validate", "Failed to deserialize SciToken:", err_msg);
            emsg = err_msg;
            free(err_msg);
            return false;
        }
 
        // If an entity was passed then we will fill it in with the subject
        // name, should it exist. Note that we are gauranteed that all the
        // settable entity fields are null so no need to worry setting them.
        //
        if (Entity)
           {char *value = nullptr;
            if (!scitoken_get_claim_string(scitoken, "sub", &value, &err_msg)) {
               Entity->name = strdup(value);
               free(value);
            } else {
               free(err_msg);
            }
           }
 
        // Return the expiration time of this token if so wanted.
        //
        if (expT && scitoken_get_expiration(scitoken, expT, &err_msg)) {
            emsg = err_msg;
            free(err_msg);
            scitoken_destroy(scitoken);
            return false;
        }
 
 
        // Delete the scitokens
        scitoken_destroy(scitoken);
 
        // Deserialize checks the key, so we're good now.
        return true;
    }

References emsg(), and XrdSecEntity::name.

Here is the call graph for this function:

---

The documentation for this class was generated from the following file:

• XrdSciTokensAccess.cc