XRootD
XrdAccRules Class Reference

#include <XrdSciTokensAccess.hh>


Public Member Functions

 XrdAccRules (uint64_t expiry_time, const std::string &username, const std::string &token_subject, const std::string &issuer, const std::vector< MapRule > &rules, const std::vector< std::string > &groups, uint32_t authz_strategy, AuthzSetting acceptable_authz)
 
 ~XrdAccRules ()
 
bool acceptable_authz (Access_Operation oper) const
 
bool apply (Access_Operation oper, const std::string_view path)
 
bool expired () const
 
uint32_t get_authz_strategy () const
 
const std::string & get_default_username () const
 
const std::string & get_issuer () const
 
const std::string & get_token_subject () const
 
std::string get_username (const std::string_view &req_path) const
 
const std::vector< std::string > & groups () const
 
void parse (const AccessRulesRaw &rules)
 
size_t size () const
 
const std::string str () const
 

Detailed Description

A class that encapsulates the access rules generated from a token.

The access rules are generated from the token's claims; the object is intended to be kept in a cache and periodically checked for expiration.

Definition at line 145 of file XrdSciTokensAccess.hh.

Constructor & Destructor Documentation

◆ XrdAccRules()

XrdAccRules::XrdAccRules ( uint64_t  expiry_time,
const std::string &  username,
const std::string &  token_subject,
const std::string &  issuer,
const std::vector< MapRule > &  rules,
const std::vector< std::string > &  groups,
uint32_t  authz_strategy,
AuthzSetting  acceptable_authz 
)
inline

Definition at line 148 of file XrdSciTokensAccess.hh.

/// Builds the access-rule set derived from a single token.
///
/// @param expiry_time       absolute expiry; expired() compares it against monotonic_time(),
///                          so it must be expressed in that clock domain (set by the caller)
/// @param username          default mapped username, returned by get_default_username()
/// @param token_subject     the token's subject claim
/// @param issuer            the token's issuer
/// @param rules             username-mapping rules, consulted in order by get_username()
/// @param groups            group claims carried by the token
/// @param authz_strategy    strategy flags, exposed unchanged via get_authz_strategy()
/// @param acceptable_authz  which operation classes this token may authorize
///                          (interpreted by acceptable_authz())
///
/// The path matcher (m_matcher) is not touched here; parse() assigns it later.
XrdAccRules(uint64_t expiry_time, const std::string &username,
            const std::string &token_subject, const std::string &issuer,
            const std::vector<MapRule> &rules,
            const std::vector<std::string> &groups,
            uint32_t authz_strategy, AuthzSetting acceptable_authz)
    : m_authz_strategy(authz_strategy),
      m_acceptable_authz(acceptable_authz),
      m_expiry_time(expiry_time),
      m_username(username),
      m_token_subject(token_subject),
      m_issuer(issuer),
      m_map_rules(rules),
      m_groups(groups)
{
}

◆ ~XrdAccRules()

XrdAccRules::~XrdAccRules ( )
inline

Definition at line 161 of file XrdSciTokensAccess.hh.

/// Destructor. Members (strings, vectors, the map rules and the matcher)
/// release themselves; nothing is done explicitly. Note that because it is
/// user-provided, the implicitly-declared move operations are not generated.
~XrdAccRules()
{
}

Member Function Documentation

◆ acceptable_authz()

bool XrdAccRules::acceptable_authz ( Access_Operation  oper) const
inline

Definition at line 195 of file XrdSciTokensAccess.hh.

/// Decides whether the token's authz setting covers the class of @p oper.
///
/// Only AOP_Read, AOP_Readdir and AOP_Stat are treated as reads; every
/// other operation code (including any added in the future) falls into
/// the write class, so the stricter setting applies by default.
///
/// @return true when the setting is All, false when it is None; otherwise
///         true only if the setting matches the operation's class exactly.
bool acceptable_authz(Access_Operation oper) const
{
    switch (m_acceptable_authz) {
    case AuthzSetting::All:
        return true;
    case AuthzSetting::None:
        return false;
    default:
        break;
    }

    const bool read_class = (oper == AOP_Read) || (oper == AOP_Readdir) ||
                            (oper == AOP_Stat);
    const AuthzSetting required = read_class ? AuthzSetting::Read
                                             : AuthzSetting::Write;
    return m_acceptable_authz == required;
}
@ AOP_Readdir
opendir()
@ AOP_Stat
exists(), stat()
@ AOP_Read
open() r/o, prepare()

References All, AOP_Read, AOP_Readdir, AOP_Stat, None, Read, and Write.

◆ apply()

bool XrdAccRules::apply ( Access_Operation  oper,
const std::string_view  path 
)
inline

Definition at line 163 of file XrdSciTokensAccess.hh.

/// Checks whether @p oper on @p path is permitted by the parsed rules.
///
/// Delegates entirely to SubpathMatch::apply(). Before parse() has been
/// called, m_matcher is whatever its default state is — what that state
/// permits is defined by SubpathMatch, not here.
bool apply(Access_Operation oper, const std::string_view path)
{
    const bool permitted = m_matcher.apply(oper, path);
    return permitted;
}

References SubpathMatch::apply().


◆ expired()

bool XrdAccRules::expired ( ) const

Definition at line 350 of file XrdSciTokensAccess.cc.

/// @return true once the current monotonic_time() has passed m_expiry_time.
///
/// The comparison is strict, so an object checked at exactly its expiry
/// time is still considered valid. m_expiry_time must have been computed
/// against the same clock as monotonic_time() — presumably by whoever
/// constructed the object; verify at the call site.
bool XrdAccRules::expired() const
{
    const auto now = monotonic_time();
    return m_expiry_time < now;
}

◆ get_authz_strategy()

uint32_t XrdAccRules::get_authz_strategy ( ) const
inline

Definition at line 194 of file XrdSciTokensAccess.hh.

/// @return the strategy flags passed to the constructor, unchanged.
uint32_t get_authz_strategy() const
{
    return m_authz_strategy;
}

◆ get_default_username()

const std::string& XrdAccRules::get_default_username ( ) const
inline

Definition at line 191 of file XrdSciTokensAccess.hh.

/// @return the default mapped username given at construction; this is the
///         fallback identity that MapRule::match() may override per path
///         (see get_username()).
const std::string &get_default_username() const
{
    return m_username;
}

◆ get_issuer()

const std::string& XrdAccRules::get_issuer ( ) const
inline

Definition at line 192 of file XrdSciTokensAccess.hh.

/// @return the issuer recorded for the token these rules came from.
const std::string &get_issuer() const
{
    return m_issuer;
}

◆ get_token_subject()

const std::string& XrdAccRules::get_token_subject ( ) const
inline

Definition at line 190 of file XrdSciTokensAccess.hh.

/// @return the token's subject claim as stored at construction.
const std::string &get_token_subject() const
{
    return m_token_subject;
}

◆ get_username()

std::string XrdAccRules::get_username ( const std::string_view &  req_path) const
inline

Definition at line 174 of file XrdSciTokensAccess.hh.

/// Resolves the username to use for a request on @p req_path.
///
/// The mapping rules are consulted in the order they were supplied to the
/// constructor; the first rule whose match() yields a non-empty name wins,
/// so rule order is significant.
///
/// @return the mapped name, or an empty string when no rule matched —
///         callers must treat "" as "no mapping", never as a valid user.
std::string get_username(const std::string_view &req_path) const
{
    for (const auto &mapping : m_map_rules) {
        std::string candidate =
            mapping.match(m_token_subject, m_username, req_path, m_groups);
        if (candidate.empty()) {
            continue;
        }
        return candidate;
    }
    return std::string();
}

◆ groups()

const std::vector<std::string>& XrdAccRules::groups ( ) const
inline

Definition at line 205 of file XrdSciTokensAccess.hh.

/// @return the group claims carried by the token, in the order given to
///         the constructor.
const std::vector<std::string> &groups() const
{
    return m_groups;
}

◆ parse()

void XrdAccRules::parse ( const AccessRulesRaw &  rules)
inline

Definition at line 170 of file XrdSciTokensAccess.hh.

/// Replaces the path matcher with one built from @p rules.
///
/// Calling parse() again discards whatever was parsed before; the map
/// rules, groups and expiry set at construction are unaffected.
void parse(const AccessRulesRaw &rules)
{
    m_matcher = SubpathMatch{rules};
}

◆ size()

size_t XrdAccRules::size ( ) const
inline

Definition at line 204 of file XrdSciTokensAccess.hh.

/// @return the number of entries held by the path matcher (SubpathMatch::size()).
size_t size() const
{
    return m_matcher.size();
}

References SubpathMatch::size().


◆ str()

const std::string XrdAccRules::str ( ) const

Definition at line 331 of file XrdSciTokensAccess.cc.

/// Renders the rule set as a single human-readable line, e.g. for logging.
///
/// Format: "mapped_username=<u>, subject=<s>, issuer=<i>" followed by
/// ", groups=a,b,c" when there are groups and ", authorizations=<...>"
/// (from SubpathMatch::str()) when the matcher is non-empty. The output
/// carries the token's subject and issuer, so wherever it is written
/// should be treated as identity-bearing.
const std::string XrdAccRules::str() const
{
    std::string out = "mapped_username=";
    out += m_username;
    out += ", subject=";
    out += m_token_subject;
    out += ", issuer=";
    out += m_issuer;

    if (!m_groups.empty()) {
        out += ", groups=";
        // comma-separated, no trailing comma
        for (size_t idx = 0; idx < m_groups.size(); ++idx) {
            if (idx != 0) {
                out += ",";
            }
            out += m_groups[idx];
        }
    }

    if (!m_matcher.empty()) {
        out += ", authorizations=";
        out += m_matcher.str();
    }
    return out;
}

References SubpathMatch::empty(), and SubpathMatch::str().


The documentation for this class was generated from the following files: