Macaroons::Authz Class Reference

#include <XrdMacaroonsAuthz.hh>

Inheritance diagram for Macaroons::Authz:

Collaboration diagram for Macaroons::Authz:

Public Member Functions
	Authz (XrdSysLogger *lp, const char *parms, XrdAccAuthorize *chain)
virtual	~Authz ()
virtual XrdAccPrivs	Access (const XrdSecEntity *Entity, const char *path, const Access_Operation oper, XrdOucEnv *env) override
virtual int	Audit (const int accok, const XrdSecEntity *Entity, const char *path, const Access_Operation oper, XrdOucEnv *Env) override
virtual Issuers	IssuerList () override
virtual int	Test (const XrdAccPrivs priv, const Access_Operation oper) override
virtual bool	Validate (const char *token, std::string &emsg, long long *expT, XrdSecEntity *entP) override
Public Member Functions inherited from XrdAccAuthorize
	XrdAccAuthorize ()
	Constructor. More...
virtual	~XrdAccAuthorize ()
	Destructor. More...
virtual XrdAccPrivs	Access (const XrdSecEntity *Entity, const char *path, const Access_Operation oper, std::string &eInfo, XrdOucEnv *Env=0)
Public Member Functions inherited from XrdSciTokensHelper
	XrdSciTokensHelper ()
	Constructor and Destructor. More...
virtual	~XrdSciTokensHelper ()

Additional Inherited Members
Public Types inherited from XrdSciTokensHelper
typedef std::vector< ValidIssuer >	Issuers

Detailed Description

Definition at line 12 of file XrdMacaroonsAuthz.hh.

Constructor & Destructor Documentation

Authz()

Authz::Authz	(	XrdSysLogger *	lp,
		const char *	parms,
		XrdAccAuthorize *	chain
	)

Definition at line 138 of file XrdMacaroonsAuthz.cc.

    : m_max_duration(86400),
    m_chain(chain),
    m_log(log, "macarons_"),
    m_authz_behavior(static_cast<int>(Handler::AuthzBehavior::PASSTHROUGH))
{
    Handler::AuthzBehavior behavior(Handler::AuthzBehavior::PASSTHROUGH);
    XrdOucEnv env;
    if (!Handler::Config(config, &env, &m_log, m_location, m_secret, m_max_duration, behavior))
    {
        throw std::runtime_error("Macaroon authorization config failed.");
    }
    m_authz_behavior = static_cast<int>(behavior);
}

References Macaroons::Handler::Config().

Here is the call graph for this function:

~Authz()

virtual Macaroons::Authz::~Authz ( )

inlinevirtual

Definition at line 17 of file XrdMacaroonsAuthz.hh.

{}

Member Function Documentation

Access()

XrdAccPrivs Authz::Access ( const XrdSecEntity *  Entity, const char *  path, const Access_Operation  oper, XrdOucEnv *  Env  )

overridevirtual

Check whether or not the client is permitted specified access to a path.

Parameters

Entity	-> Authentication information
path	-> The logical path which is the target of oper
oper	-> The operation being attempted (see the enum above). If the oper is AOP_Any, then the actual privileges are returned and the caller may make subsequent tests using Test().
Env	-> Environmental information at the time of the operation as supplied by the path CGI string. This is optional and the pointer may be zero.

Returns

Permit: a non-zero value (access is permitted) Deny: zero (access is denied)

Implements XrdAccAuthorize.

Definition at line 171 of file XrdMacaroonsAuthz.cc.

{
    // We don't allow any testing to occur in this authz module, preventing
    // a macaroon to be used to receive further macaroons.
    if (oper == AOP_Any)
    {
        return m_chain ? m_chain->Access(Entity, path, oper, env) : XrdAccPriv_None;
    }
 
    const char *authz = env ? env->Get("authz") : nullptr;
    if (authz && !strncmp(authz, "Bearer%20", 9))
    {
        authz += 9;
    }
    else if (!authz && (authz = env ? env->Get("access_token") : nullptr) && !strncmp(authz, "Bearer%20", 9))
    {
        authz += 9;
    }
 
        // If there's no request-specific token, check for a ZTN session token
    if (!authz && Entity && !strcmp("ztn", Entity->prot) && Entity->creds &&
        Entity->credslen && Entity->creds[Entity->credslen] == '\0')
    {
        authz = Entity->creds;
    }
 
    if (!authz) {
        return OnMissing(Entity, path, oper, env);
    }
 
    macaroon_returncode mac_err = MACAROON_SUCCESS;
    struct macaroon* macaroon = macaroon_deserialize(
        authz,
        &mac_err);
    if (!macaroon)
    {
        // Do not log - might be other token type!
        //m_log.Emsg("Access", "Failed to parse the macaroon");
        return OnMissing(Entity, path, oper, env);
    }
 
    struct macaroon_verifier *verifier = macaroon_verifier_create();
    if (!verifier)
    {
        m_log.Emsg("Access", "Failed to create a new macaroon verifier");
        return XrdAccPriv_None;
    }
    if (!path)
    {
        m_log.Emsg("Access", "Request with no provided path.");
        macaroon_verifier_destroy(verifier);
        return XrdAccPriv_None;
    }
 
    AuthzCheck check_helper(path, oper, m_max_duration, m_log);
 
    if (macaroon_verifier_satisfy_general(verifier, AuthzCheck::verify_before_s, &check_helper, &mac_err) ||
        macaroon_verifier_satisfy_general(verifier, AuthzCheck::verify_activity_s, &check_helper, &mac_err) ||
        macaroon_verifier_satisfy_general(verifier, AuthzCheck::verify_name_s, &check_helper, &mac_err) ||
        macaroon_verifier_satisfy_general(verifier, AuthzCheck::verify_path_s, &check_helper, &mac_err))
    {
        m_log.Emsg("Access", "Failed to configure caveat verifier:");
        macaroon_verifier_destroy(verifier);
        return XrdAccPriv_None;
    }
 
    const unsigned char *macaroon_loc;
    size_t location_sz;
    macaroon_location(macaroon, &macaroon_loc, &location_sz);
    if (strncmp(reinterpret_cast<const char *>(macaroon_loc), m_location.c_str(), location_sz))
    {
        std::string location_str(reinterpret_cast<const char *>(macaroon_loc), location_sz);
        m_log.Emsg("Access", "Macaroon is for incorrect location", location_str.c_str());
        macaroon_verifier_destroy(verifier);
        macaroon_destroy(macaroon);
        return m_chain ? m_chain->Access(Entity, path, oper, env) : XrdAccPriv_None;
    }
 
    if (macaroon_verify(verifier, macaroon,
                         reinterpret_cast<const unsigned char *>(m_secret.c_str()),
                         m_secret.size(),
                         NULL, 0, // discharge macaroons
                         &mac_err))
    {
        m_log.Log(LogMask::Debug, "Access", "Macaroon verification failed");
        macaroon_verifier_destroy(verifier);
        macaroon_destroy(macaroon);
        return m_chain ? m_chain->Access(Entity, path, oper, env) : XrdAccPriv_None;
    }
    macaroon_verifier_destroy(verifier);
 
    const unsigned char *macaroon_id;
    size_t id_sz;
    macaroon_identifier(macaroon, &macaroon_id, &id_sz);
 
    std::string macaroon_id_str(reinterpret_cast<const char *>(macaroon_id), id_sz);
    m_log.Log(LogMask::Info, "Access", "Macaroon verification successful; ID", macaroon_id_str.c_str());
    macaroon_destroy(macaroon);
 
    // Copy the name, if present into the macaroon, into the credential object.
    if (Entity && check_helper.GetSecName().size()) {
        const std::string &username = check_helper.GetSecName();
        m_log.Log(LogMask::Debug, "Access", "Setting the request name to", username.c_str());
        Entity->eaAPI->Add("request.name", username,true);
    }
 
    // We passed verification - give the correct privilege.
    return AddPriv(oper, XrdAccPriv_None);
}

References XrdAccAuthorize::Access(), XrdSecEntityAttr::Add(), AOP_Any, XrdSecEntity::creds, XrdSecEntity::credslen, Debug, XrdSecEntity::eaAPI, XrdSysError::Emsg(), XrdOucEnv::Get(), TPC::Info, XrdSysError::Log(), XrdSecEntity::prot, and XrdAccPriv_None.

Here is the call graph for this function:

Audit()

virtual int Macaroons::Authz::Audit ( const int  accok, const XrdSecEntity *  Entity, const char *  path, const Access_Operation  oper, XrdOucEnv *  Env  )

inlineoverridevirtual

Route an audit message to the appropriate audit exit routine. See XrdAccAudit.h for more information on how the default implementation works. Currently, this method is not called by the ofs but should be used by the implementation to record denials or grants, as warranted.

Parameters

accok	-> True is access was grated; false otherwise.
Entity	-> Authentication information
path	-> The logical path which is the target of oper
oper	-> The operation being attempted (see above)
Env	-> Environmental information at the time of the operation as supplied by the path CGI string. This is optional and the pointer may be zero.

Returns

Success: !0 information recorded. Failure: 0 information could not be recorded.

Implements XrdAccAuthorize.

Definition at line 31 of file XrdMacaroonsAuthz.hh.

    {
        return 0;
    }

IssuerList()

virtual Issuers Macaroons::Authz::IssuerList ( )

inlineoverridevirtual

Implements XrdSciTokensHelper.

Definition at line 46 of file XrdMacaroonsAuthz.hh.

{return Issuers();}

Test()

virtual int Macaroons::Authz::Test ( const XrdAccPrivs  priv, const Access_Operation  oper  )

inlineoverridevirtual

Check whether the specified operation is permitted.

Parameters

priv	-> the privileges as returned by Access().
oper	-> The operation being attempted (see above)

Returns

Permit: a non-zero value (access is permitted) Deny: zero (access is denied)

Implements XrdAccAuthorize.

Definition at line 38 of file XrdMacaroonsAuthz.hh.

    {
        return 0;
    }

Validate()

bool Authz::Validate ( const char *  token, std::string &  emsg, long long *  expT, XrdSecEntity *  entP  )

overridevirtual

Validate a scitoken.

Parameters

token	- Pointer to the token to validate.
emsg	- Reference to a string to hold the reason for rejection
expT	- Pointer to where the expiry value is to be placed. If nill, the value is not returned.
entP	- Pointer to the SecEntity object and when not nil requests that it be filled with any identifying information in the token. The caller assumes that all supplied fields may be released by calling free().

Returns

Return true if the token is valid; false otherwise with emsg set.

Implements XrdSciTokensHelper.

Definition at line 282 of file XrdMacaroonsAuthz.cc.

{
    macaroon_returncode mac_err = MACAROON_SUCCESS;
    std::unique_ptr<struct macaroon, decltype(&macaroon_destroy)> macaroon(
        macaroon_deserialize(token, &mac_err),
        &macaroon_destroy);
 
    if (!macaroon)
    {
        emsg = "Failed to deserialize the token as a macaroon";
        // Purposely log at debug level in case if this validation is ever
        // chained so we don't have overly-chatty logs.
        m_log.Log(LogMask::Debug, "Validate", emsg.c_str());
        return false;
    }
 
    std::unique_ptr<struct macaroon_verifier, decltype(&macaroon_verifier_destroy)> verifier(
        macaroon_verifier_create(), &macaroon_verifier_destroy);
    if (!verifier)
    {
        emsg = "Internal error: failed to create a verifier.";
        m_log.Log(LogMask::Error, "Validate", emsg.c_str());
        return false;
    }
 
    // Note the path and operation here are ignored as we won't use those validators
    AuthzCheck check_helper("/", AOP_Read, m_max_duration, m_log);
 
    if (macaroon_verifier_satisfy_general(verifier.get(), AuthzCheck::verify_before_s, &check_helper, &mac_err) ||
        macaroon_verifier_satisfy_general(verifier.get(), validate_verify_empty, nullptr, &mac_err))
    {
        emsg = "Failed to configure the verifier";
        m_log.Log(LogMask::Error, "Validate", emsg.c_str());
        return false;
    }
 
    const unsigned char *macaroon_loc;
    size_t location_sz;
    macaroon_location(macaroon.get(), &macaroon_loc, &location_sz);
    if (strncmp(reinterpret_cast<const char *>(macaroon_loc), m_location.c_str(), location_sz))
    {
        emsg = "Macaroon contains incorrect location: " +
            std::string(reinterpret_cast<const char *>(macaroon_loc), location_sz);
        m_log.Log(LogMask::Warning, "Validate", emsg.c_str(), ("all.sitename is " + m_location).c_str());
        return false;
    }
 
    if (macaroon_verify(verifier.get(), macaroon.get(),
                        reinterpret_cast<const unsigned char *>(m_secret.c_str()),
                        m_secret.size(),
                        nullptr, 0,
                        &mac_err))
    {
        emsg = "Macaroon verification error" + (check_helper.GetErrorMessage().size() ?
            (", " + check_helper.GetErrorMessage()) : "");
        m_log.Log(LogMask::Warning, "Validate", emsg.c_str());
        return false;
    }
 
    const unsigned char *macaroon_id;
    size_t id_sz;
    macaroon_identifier(macaroon.get(), &macaroon_id, &id_sz);
    m_log.Log(LogMask::Info, "Validate", ("Macaroon verification successful; ID " +
        std::string(reinterpret_cast<const char *>(macaroon_id), id_sz)).c_str());
 
    return true;
}

References AOP_Read, Debug, emsg(), Error, TPC::Info, XrdSysError::Log(), and TPC::Warning.

Here is the call graph for this function:

---

The documentation for this class was generated from the following files:

• XrdMacaroonsAuthz.hh
• XrdMacaroonsAuthz.cc