XRootD
XrdSciTokensAccess.hh File Reference
#include "XrdAcc/XrdAccAuthorize.hh"
#include <memory>
#include <string>
#include <string_view>
#include <vector>
#include <string.h>
+ Include dependency graph for XrdSciTokensAccess.hh:
+ This graph shows which files directly or indirectly include this file:

Go to the source code of this file.

Classes

struct  MapRule
 
class  SubpathMatch
 
class  XrdAccRules
 

Typedefs

typedef std::vector< std::pair< Access_Operation, std::string > > AccessRulesRaw
 

Enumerations

enum class  AuthzSetting {
  None ,
  Read ,
  Write ,
  All
}
 
enum  IssuerAuthz {
  Capability = 0x01 ,
  Group = 0x02 ,
  Mapping = 0x04 ,
  Default = 0x07
}
 

Functions

bool AuthorizesRequiredIssuers (Access_Operation client_oper, const std::string_view &path, const std::vector< std::pair< std::unique_ptr< SubpathMatch >, std::string >> &required_issuers, const std::vector< std::shared_ptr< XrdAccRules >> &access_rules_list)
 

Typedef Documentation

◆ AccessRulesRaw

typedef std::vector<std::pair<Access_Operation, std::string> > AccessRulesRaw

Class and function definitions for the SciTokens plugin.

Definition at line 15 of file XrdSciTokensAccess.hh.

Enumeration Type Documentation

◆ AuthzSetting

enum AuthzSetting
strong
Enumerator
None 
Read 
Write 
All 

Definition at line 68 of file XrdSciTokensAccess.hh.

68  {
69  None, // Issuer's authorization is not necessary
70  Read, // Authorization from this issuer is necessary for reads.
71  Write, // Authorization from this issuer is necessary for writes.
72  All, // Authorization from this issuer is necessary for all operations.
73 };
WriteImpl< false > Write(Ctx< File > file, Arg< uint64_t > offset, Arg< uint32_t > size, Arg< const void * > buffer, uint16_t timeout=0)
Factory for creating WriteImpl objects.
ReadImpl< false > Read(Ctx< File > file, Arg< uint64_t > offset, Arg< uint32_t > size, Arg< void * > buffer, uint16_t timeout=0)
Factory for creating ReadImpl objects.

◆ IssuerAuthz

Enumerator
Capability 
Group 
Mapping 
Default 

Definition at line 79 of file XrdSciTokensAccess.hh.

79  {
80  Capability = 0x01,
81  Group = 0x02,
82  Mapping = 0x04,
83  Default = 0x07
84 };
@ Default
@ Capability
@ Mapping

Function Documentation

◆ AuthorizesRequiredIssuers()

bool AuthorizesRequiredIssuers ( Access_Operation  client_oper,
const std::string_view &  path,
const std::vector< std::pair< std::unique_ptr< SubpathMatch >, std::string >> &  required_issuers,
const std::vector< std::shared_ptr< XrdAccRules >> &  access_rules_list 
)

Definition at line 369 of file XrdSciTokensAccess.cc.

372 {
373 
374  // Translate the client-attempted operation to one of the simpler operations we've defined.
375  Access_Operation oper;
376  switch (client_oper) {
377  case AOP_Any:
378  return false; // Invalid request
379  break;
380  case AOP_Chmod: [[fallthrough]];
381  case AOP_Chown: [[fallthrough]];
382  case AOP_Create: [[fallthrough]];
383  case AOP_Excl_Create: [[fallthrough]];
384  case AOP_Delete: [[fallthrough]];
385  case AOP_Excl_Insert: [[fallthrough]];
386  case AOP_Insert: [[fallthrough]];
387  case AOP_Lock:
388  oper = AOP_Create;
389  break;
390  case AOP_Mkdir:
391  oper = AOP_Mkdir;
392  break;
393  case AOP_Read:
394  oper = AOP_Read;
395  break;
396  case AOP_Readdir:
397  oper = AOP_Readdir;
398  break;
399  case AOP_Rename:
400  oper = AOP_Create;
401  break;
402  case AOP_Stat:
403  oper = AOP_Stat;
404  break;
405  case AOP_Update:
406  oper = AOP_Update;
407  break;
408  default:
409  return false; // Invalid request
410  };
411 
412  // Iterate through all the required issuers
413  for (const auto &info : required_issuers) {
414  // See if this issuer is required for this path/operation.
415  if (info.first->apply(oper, path)) {
416  bool has_authz = false;
417  // If so, see if one of the tokens (a) is from this issuer and (b) authorizes the request.
418  for (const auto &rules : access_rules_list) {
419  if (rules->get_issuer() == info.second && rules->apply(oper, path)) {
420  has_authz = true;
421  break;
422  }
423  }
424  if (!has_authz) {
425  return false;
426  }
427  }
428  }
429  return true;
430 }
Access_Operation
The following are supported operations.
@ AOP_Delete
rm() or rmdir()
@ AOP_Mkdir
mkdir()
@ AOP_Update
open() r/w or append
@ AOP_Create
open() with create
@ AOP_Readdir
opendir()
@ AOP_Chmod
chmod()
@ AOP_Any
Special for getting privs.
@ AOP_Stat
exists(), stat()
@ AOP_Rename
mv() for source
@ AOP_Read
open() r/o, prepare()
@ AOP_Excl_Create
open() with O_EXCL|O_CREAT
@ AOP_Insert
mv() for target
@ AOP_Lock
n/a
@ AOP_Chown
chown()
@ AOP_Excl_Insert
mv() where destination doesn't exist.

References AOP_Any, AOP_Chmod, AOP_Chown, AOP_Create, AOP_Delete, AOP_Excl_Create, AOP_Excl_Insert, AOP_Insert, AOP_Lock, AOP_Mkdir, AOP_Read, AOP_Readdir, AOP_Rename, AOP_Stat, and AOP_Update.

Referenced by XrdAccSciTokens::Access().

+ Here is the caller graph for this function: