26 const std::string &GetSecName()
const {
return m_sec_name;}
27 const std::string &GetErrorMessage()
const {
return m_emsg;}
29 static int verify_before_s(
void *authz_ptr,
30 const unsigned char *pred,
33 static int verify_activity_s(
void *authz_ptr,
34 const unsigned char *pred,
37 static int verify_path_s(
void *authz_ptr,
38 const unsigned char *pred,
41 static int verify_name_s(
void *authz_ptr,
42 const unsigned char *pred,
46 int verify_before(
const unsigned char *pred,
size_t pred_sz);
47 int verify_activity(
const unsigned char *pred,
size_t pred_sz);
48 int verify_path(
const unsigned char *pred,
size_t pred_sz);
49 int verify_name(
const unsigned char *pred,
size_t pred_sz);
51 ssize_t m_max_duration;
54 const std::string m_path;
55 std::string m_desired_activity;
56 std::string m_sec_name;
64 int new_privs = privs;
112 int validate_verify_empty(
void *emsg_ptr,
113 const unsigned char *pred,
116 if ((pred_sz >= 5) && (!memcmp(
reinterpret_cast<const char *
>(pred),
"path:", 5) ||
117 !memcmp(
reinterpret_cast<const char *
>(pred),
"name:", 5)))
121 if ((pred_sz >= 9) && (!memcmp(
reinterpret_cast<const char *
>(pred),
"activity:", 9)))
132 : m_max_duration(86400),
134 m_log(log,
"macarons_"),
135 m_authz_behavior(static_cast<int>(
Handler::AuthzBehavior::PASSTHROUGH))
139 if (!
Handler::Config(config, &env, &m_log, m_location, m_secret, m_max_duration, behavior))
141 throw std::runtime_error(
"Macaroon authorization config failed.");
143 m_authz_behavior =
static_cast<int>(behavior);
148 Authz::OnMissing(
const XrdSecEntity *Entity,
const char *path,
151 switch (m_authz_behavior) {
152 case Handler::AuthzBehavior::PASSTHROUGH:
154 case Handler::AuthzBehavior::ALLOW:
156 case Handler::AuthzBehavior::DENY:
174 const char *authz = env ? env->
Get(
"authz") :
nullptr;
175 if (authz && !strncmp(authz,
"Bearer%20", 9))
179 else if (!authz && (authz = env ? env->
Get(
"access_token") :
nullptr) && !strncmp(authz,
"Bearer%20", 9))
185 if (!authz && Entity && !strcmp(
"ztn", Entity->
prot) && Entity->
creds &&
188 authz = Entity->
creds;
192 return OnMissing(Entity, path, oper, env);
195 macaroon_returncode mac_err = MACAROON_SUCCESS;
196 struct macaroon* macaroon = macaroon_deserialize(
203 return OnMissing(Entity, path, oper, env);
206 struct macaroon_verifier *verifier = macaroon_verifier_create();
209 m_log.
Emsg(
"Access",
"Failed to create a new macaroon verifier");
214 m_log.
Emsg(
"Access",
"Request with no provided path.");
215 macaroon_verifier_destroy(verifier);
219 AuthzCheck check_helper(path, oper, m_max_duration, m_log);
221 if (macaroon_verifier_satisfy_general(verifier, AuthzCheck::verify_before_s, &check_helper, &mac_err) ||
222 macaroon_verifier_satisfy_general(verifier, AuthzCheck::verify_activity_s, &check_helper, &mac_err) ||
223 macaroon_verifier_satisfy_general(verifier, AuthzCheck::verify_name_s, &check_helper, &mac_err) ||
224 macaroon_verifier_satisfy_general(verifier, AuthzCheck::verify_path_s, &check_helper, &mac_err))
226 m_log.
Emsg(
"Access",
"Failed to configure caveat verifier:");
227 macaroon_verifier_destroy(verifier);
231 const unsigned char *macaroon_loc;
233 macaroon_location(macaroon, &macaroon_loc, &location_sz);
234 if (strncmp(
reinterpret_cast<const char *
>(macaroon_loc), m_location.c_str(), location_sz))
236 std::string location_str(
reinterpret_cast<const char *
>(macaroon_loc), location_sz);
237 m_log.
Emsg(
"Access",
"Macaroon is for incorrect location", location_str.c_str());
238 macaroon_verifier_destroy(verifier);
239 macaroon_destroy(macaroon);
243 if (macaroon_verify(verifier, macaroon,
244 reinterpret_cast<const unsigned char *
>(m_secret.c_str()),
250 macaroon_verifier_destroy(verifier);
251 macaroon_destroy(macaroon);
254 macaroon_verifier_destroy(verifier);
256 const unsigned char *macaroon_id;
258 macaroon_identifier(macaroon, &macaroon_id, &id_sz);
260 std::string macaroon_id_str(
reinterpret_cast<const char *
>(macaroon_id), id_sz);
261 m_log.
Log(
LogMask::Info,
"Access",
"Macaroon verification successful; ID", macaroon_id_str.c_str());
262 macaroon_destroy(macaroon);
265 if (Entity && check_helper.GetSecName().size()) {
266 const std::string &username = check_helper.GetSecName();
267 m_log.
Log(
LogMask::Debug,
"Access",
"Setting the request name to", username.c_str());
268 Entity->
eaAPI->
Add(
"request.name", username,
true);
280 macaroon_returncode mac_err = MACAROON_SUCCESS;
281 std::unique_ptr<
struct macaroon, decltype(&macaroon_destroy)> macaroon(
282 macaroon_deserialize(token, &mac_err),
287 emsg =
"Failed to deserialize the token as a macaroon";
294 std::unique_ptr<
struct macaroon_verifier, decltype(&macaroon_verifier_destroy)> verifier(
295 macaroon_verifier_create(), &macaroon_verifier_destroy);
298 emsg =
"Internal error: failed to create a verifier.";
304 AuthzCheck check_helper(
"/",
AOP_Read, m_max_duration, m_log);
306 if (macaroon_verifier_satisfy_general(verifier.get(), AuthzCheck::verify_before_s, &check_helper, &mac_err) ||
307 macaroon_verifier_satisfy_general(verifier.get(), validate_verify_empty,
nullptr, &mac_err))
309 emsg =
"Failed to configure the verifier";
314 const unsigned char *macaroon_loc;
316 macaroon_location(macaroon.get(), &macaroon_loc, &location_sz);
317 if (strncmp(
reinterpret_cast<const char *
>(macaroon_loc), m_location.c_str(), location_sz))
319 emsg =
"Macaroon contains incorrect location: " +
320 std::string(
reinterpret_cast<const char *
>(macaroon_loc), location_sz);
325 if (macaroon_verify(verifier.get(), macaroon.get(),
326 reinterpret_cast<const unsigned char *
>(m_secret.c_str()),
331 emsg =
"Macaroon verification error" + (check_helper.GetErrorMessage().size() ?
332 (
", " + check_helper.GetErrorMessage()) :
"");
337 const unsigned char *macaroon_id;
339 macaroon_identifier(macaroon.get(), &macaroon_id, &id_sz);
340 m_log.
Log(
LogMask::Info,
"Validate", (
"Macaroon verification successful; ID " +
341 std::string(
reinterpret_cast<const char *
>(macaroon_id), id_sz)).c_str());
348 : m_max_duration(max_duration),
360 m_desired_activity =
"UPDATE_METADATA";
367 m_desired_activity =
"MANAGE";
372 m_desired_activity =
"UPLOAD";
375 m_desired_activity =
"DELETE";
378 m_desired_activity =
"DOWNLOAD";
381 m_desired_activity =
"LIST";
384 m_desired_activity =
"READ_METADATA";
390 AuthzCheck::verify_before_s(
void *authz_ptr,
391 const unsigned char *pred,
394 return static_cast<AuthzCheck*
>(authz_ptr)->verify_before(pred, pred_sz);
399 AuthzCheck::verify_activity_s(
void *authz_ptr,
400 const unsigned char *pred,
403 return static_cast<AuthzCheck*
>(authz_ptr)->verify_activity(pred, pred_sz);
408 AuthzCheck::verify_path_s(
void *authz_ptr,
409 const unsigned char *pred,
412 return static_cast<AuthzCheck*
>(authz_ptr)->verify_path(pred, pred_sz);
417 AuthzCheck::verify_name_s(
void *authz_ptr,
418 const unsigned char *pred,
421 return static_cast<AuthzCheck*
>(authz_ptr)->verify_name(pred, pred_sz);
426 AuthzCheck::verify_before(
const unsigned char * pred,
size_t pred_sz)
428 std::string pred_str(
reinterpret_cast<const char *
>(pred), pred_sz);
429 if (strncmp(
"before:", pred_str.c_str(), 7))
433 m_log.Log(
LogMask::Debug,
"AuthzCheck",
"Checking macaroon for expiration; caveat:", pred_str.c_str());
436 if (strptime(&pred_str[7],
"%Y-%m-%dT%H:%M:%SZ", &caveat_tm) ==
nullptr)
438 m_emsg =
"Failed to parse time string: " + pred_str.substr(7);
442 caveat_tm.tm_isdst = -1;
444 time_t caveat_time = timegm(&caveat_tm);
445 if (-1 == caveat_time)
447 m_emsg =
"Failed to generate unix time: " + pred_str.substr(7);
451 if ((m_max_duration > 0) && (caveat_time > m_now + m_max_duration))
453 m_emsg =
"Max token age is greater than configured max duration; rejecting";
458 int result = (m_now >= caveat_time);
461 m_log.Log(
LogMask::Debug,
"AuthzCheck",
"Macaroon has not expired.");
465 m_emsg =
"Macaroon expired at " + pred_str.substr(7);
473 AuthzCheck::verify_activity(
const unsigned char * pred,
size_t pred_sz)
475 if (!m_desired_activity.size()) {
return 1;}
476 std::string pred_str(
reinterpret_cast<const char *
>(pred), pred_sz);
477 if (strncmp(
"activity:", pred_str.c_str(), 9)) {
return 1;}
478 m_log.Log(
LogMask::Debug,
"AuthzCheck",
"running verify activity", pred_str.c_str());
480 std::stringstream ss(pred_str.substr(9));
481 for (std::string activity;
std::getline(ss, activity,
','); )
484 if (m_desired_activity ==
"READ_METADATA") {
return 0;}
485 if ((activity == m_desired_activity) || ((m_desired_activity ==
"UPLOAD") && (activity ==
"MANAGE")))
487 m_log.Log(
LogMask::Debug,
"AuthzCheck",
"macaroon has desired activity", activity.c_str());
491 m_log.Log(
LogMask::Info,
"AuthzCheck",
"macaroon does NOT have desired activity", m_desired_activity.c_str());
497 AuthzCheck::verify_path(
const unsigned char * pred,
size_t pred_sz)
499 std::string pred_str_raw(
reinterpret_cast<const char *
>(pred), pred_sz);
500 if (strncmp(
"path:", pred_str_raw.c_str(), 5)) {
return 1;}
502 m_log.Log(
LogMask::Debug,
"AuthzCheck",
"running verify path", pred_str.c_str());
504 if ((m_path.find(
"/./") != std::string::npos) ||
505 (m_path.find(
"/../") != std::string::npos))
507 m_log.Log(
LogMask::Info,
"AuthzCheck",
"invalid requested path", m_path.c_str());
511 int result = strncmp(pred_str.c_str(), m_path.c_str(), pred_str.size());
514 m_log.Log(
LogMask::Debug,
"AuthzCheck",
"path request verified for", m_path.c_str());
520 result = strncmp(m_path.c_str(), pred_str.c_str(), m_path.size());
521 if (!result) {m_log.Log(
LogMask::Debug,
"AuthzCheck",
"READ_METADATA path request verified for", m_path.c_str());}
522 else {m_log.Log(
LogMask::Debug,
"AuthzCheck",
"READ_METADATA path request NOT allowed", m_path.c_str());}
526 m_log.Log(
LogMask::Debug,
"AuthzCheck",
"path request NOT allowed", m_path.c_str());
534 AuthzCheck::verify_name(
const unsigned char * pred,
size_t pred_sz)
536 std::string pred_str(
reinterpret_cast<const char *
>(pred), pred_sz);
537 if (strncmp(
"name:", pred_str.c_str(), 5)) {
return 1;}
538 if (pred_str.size() < 6) {
return 1;}
539 m_log.Log(
LogMask::Debug,
"AuthzCheck",
"Verifying macaroon with", pred_str.c_str());
542 m_sec_name = pred_str.substr(5);
Access_Operation
The following are supported operations.
@ AOP_Delete
rm() or rmdir()
@ AOP_Update
open() r/w or append
@ AOP_Create
open() with create
@ AOP_Any
Special for getting privs.
@ AOP_Stat
exists(), stat()
@ AOP_Rename
mv() for source
@ AOP_Read
open() r/o, prepare()
@ AOP_Excl_Create
open() with O_EXCL|O_CREAT
@ AOP_Insert
mv() for target
@ AOP_Excl_Insert
mv() where destination doesn't exist.
void getline(uchar *buff, int blen)
int emsg(int rc, char *msg)
virtual bool Validate(const char *token, std::string &emsg, long long *expT, XrdSecEntity *entP) override
Authz(XrdSysLogger *lp, const char *parms, XrdAccAuthorize *chain)
virtual XrdAccPrivs Access(const XrdSecEntity *Entity, const char *path, const Access_Operation oper, XrdOucEnv *env) override
static bool Config(const char *config, XrdOucEnv *env, XrdSysError *log, std::string &location, std::string &secret, ssize_t &max_duration, AuthzBehavior &behavior)
virtual XrdAccPrivs Access(const XrdSecEntity *Entity, const char *path, const Access_Operation oper, XrdOucEnv *Env=0)=0
char * Get(const char *varname)
bool Add(XrdSecAttr &attr)
int credslen
Length of the 'creds' data.
XrdSecEntityAttr * eaAPI
non-const API to attributes
char prot[XrdSecPROTOIDSIZE]
Auth protocol used (e.g. krb5)
char * creds
Raw entity credentials or cert.
int Emsg(const char *esfx, int ecode, const char *text1, const char *text2=0)
void Log(int mask, const char *esfx, const char *text1, const char *text2=0, const char *text3=0)
std::string NormalizeSlashes(const std::string &)