XRootD
Loading...
Searching...
No Matches
Public Types | Public Member Functions | Static Public Member Functions | List of all members
Macaroons::Handler Class Reference

#include <XrdMacaroonsHandler.hh>

+ Inheritance diagram for Macaroons::Handler:
+ Collaboration diagram for Macaroons::Handler:

Public Types

enum  AuthzBehavior {
  PASSTHROUGH ,
  ALLOW ,
  DENY
}
 

Public Member Functions

 Handler (XrdSysError *log, const char *config, XrdOucEnv *myEnv, XrdAccAuthorize *chain)
 
virtual ~Handler ()
 
virtual int Init (const char *cfgfile) override
 Initializes the external request handler.
 
virtual bool MatchesPath (const char *verb, const char *path) override
 Tells if the incoming path is recognized as one of the paths that have to be processed.
 
virtual int ProcessReq (XrdHttpExtReq &req) override
 
- Public Member Functions inherited from XrdHttpExtHandler
 XrdHttpExtHandler ()
 Constructor.
 
virtual ~XrdHttpExtHandler ()
 Destructor.
 

Static Public Member Functions

static bool Config (const char *config, XrdOucEnv *env, XrdSysError *log, std::string &location, std::string &secret, ssize_t &max_duration, AuthzBehavior &behavior)
 

Detailed Description

Definition at line 38 of file XrdMacaroonsHandler.hh.

Member Enumeration Documentation

◆ AuthzBehavior

enum Macaroons::Handler::AuthzBehavior
Enumerator
PASSTHROUGH 
ALLOW 
DENY 

Definition at line 53 of file XrdMacaroonsHandler.hh.

53 {
54 PASSTHROUGH,
55 ALLOW,
56 DENY
57 };

Constructor & Destructor Documentation

◆ Handler()

Macaroons::Handler::Handler ( XrdSysError * log,
const char * config,
XrdOucEnv * myEnv,
XrdAccAuthorize * chain )
inline

Definition at line 40 of file XrdMacaroonsHandler.hh.

41 :
42 m_max_duration(86400),
43 m_chain(chain),
44 m_log(log)
45 {
46 AuthzBehavior behavior;
47 if (!Config(config, myEnv, m_log, m_location, m_secret, m_max_duration, behavior))
48 {
49 throw std::runtime_error("Macaroon handler config failed.");
50 }
51 }
Macaroons::Handler::Config
static bool Config(const char *config, XrdOucEnv *env, XrdSysError *log, std::string &location, std::string &secret, ssize_t &max_duration, AuthzBehavior &behavior)
Definition XrdMacaroonsConfigure.cc:36

References Config().

+ Here is the call graph for this function:

◆ ~Handler()

Handler::~Handler ( )
virtual

Definition at line 132 of file XrdMacaroonsHandler.cc.

133{
134 delete m_chain;
135}

Member Function Documentation

◆ Config()

bool Handler::Config ( const char * config,
XrdOucEnv * env,
XrdSysError * log,
std::string & location,
std::string & secret,
ssize_t & max_duration,
AuthzBehavior & behavior )
static

Definition at line 36 of file XrdMacaroonsConfigure.cc.

39{
40 XrdOucStream config_obj(log, getenv("XRDINSTANCE"), env, "=====> ");
41
42 // Open and attach the config file
43 //
44 int cfg_fd;
45 if ((cfg_fd = open(config, O_RDONLY, 0)) < 0) {
46 return log->Emsg("Config", errno, "open config file", config);
47 }
48 config_obj.Attach(cfg_fd);
49 static const char *cvec[] = { "*** macaroons plugin config:", 0 };
50 config_obj.Capture(cvec);
51
52 // Set default mask for logging.
53 log->setMsgMask(LogMask::Error | LogMask::Warning);
54
55 // Set default maximum duration (24 hours).
56 max_duration = 24*3600;
57
58 // Process items
59 //
60 char *orig_var, *var;
61 bool success = true, ismine;
62 while ((orig_var = config_obj.GetMyFirstWord())) {
63 var = orig_var;
64 if ((ismine = !strncmp("all.sitename", var, 12))) var += 4;
65 else if ((ismine = !strncmp("macaroons.", var, 10)) && var[10]) var += 10;
66
67
68
69 if (!ismine) {continue;}
70
71 if (!strcmp("secretkey", var)) {success = xsecretkey(config_obj, log, secret);}
72 else if (!strcmp("sitename", var)) {success = xsitename(config_obj, log, location);}
73 else if (!strcmp("trace", var)) {success = xtrace(config_obj, log);}
74 else if (!strcmp("maxduration", var)) {success = xmaxduration(config_obj, log, max_duration);}
75 else if (!strcmp("onmissing", var)) {success = xonmissing(config_obj, log, behavior);}
76 else {
77 log->Say("Config warning: ignoring unknown directive '", orig_var, "'.");
78 config_obj.Echo();
79 continue;
80 }
81 if (!success) {
82 config_obj.Echo();
83 break;
84 }
85 }
86
87 if (success && !location.size())
88 {
89 log->Emsg("Config", "all.sitename must be specified to use macaroons.");
90 return false;
91 }
92
93 return success;
94}
xonmissing
static bool xonmissing(XrdOucStream &config_obj, XrdSysError *log, Handler::AuthzBehavior &behavior)
Definition XrdMacaroonsConfigure.cc:14
open
#define open
Definition XrdPosix.hh:76
XrdSysError::Emsg
int Emsg(const char *esfx, int ecode, const char *text1, const char *text2=0)
Definition XrdSysError.cc:95
XrdSysError::Say
void Say(const char *text1, const char *text2=0, const char *txt3=0, const char *text4=0, const char *text5=0, const char *txt6=0)
Definition XrdSysError.cc:141
XrdSysError::setMsgMask
void setMsgMask(int mask)
Definition XrdSysError.hh:154

References XrdOucStream::Attach(), XrdOucStream::Capture(), XrdOucStream::Echo(), XrdSysError::Emsg(), Macaroons::Error, XrdOucStream::GetMyFirstWord(), open, XrdSysError::Say(), XrdSysError::setMsgMask(), Macaroons::Warning, and xonmissing().

Referenced by Macaroons::Authz::Authz(), and Handler().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ Init()

virtual int Macaroons::Handler::Init ( const char * cfgfile)
inlineoverridevirtual

Initializes the external request handler.

Implements XrdHttpExtHandler.

Definition at line 64 of file XrdMacaroonsHandler.hh.

64{return 0;}

◆ MatchesPath()

bool Handler::MatchesPath ( const char * verb,
const char * path )
overridevirtual

Tells if the incoming path is recognized as one of the paths that have to be processed.

Implements XrdHttpExtHandler.

Definition at line 201 of file XrdMacaroonsHandler.cc.

202{
203 return !strcmp(verb, "POST") || !strncmp(path, "/.well-known/", 13) ||
204 !strncmp(path, "/.oauth2/", 9);
205}

◆ ProcessReq()

int Handler::ProcessReq ( XrdHttpExtReq & )
overridevirtual

Process an HTTP request and send the response using the calling XrdHttpProtocol instance directly Returns 0 if ok, non0 if errors

Implements XrdHttpExtHandler.

Definition at line 357 of file XrdMacaroonsHandler.cc.

358{
359 if (req.resource == "/.well-known/oauth-authorization-server") {
360 return ProcessOAuthConfig(req);
361 } else if (req.resource == "/.oauth2/token") {
362 return ProcessTokenRequest(req);
363 }
364
365 auto header = XrdOucTUtils::caseInsensitiveFind(req.headers,"content-type");
366 if (header == req.headers.end() || header->second != "application/macaroon-request")
367 return req.SendSimpleResp(415, nullptr, "accept: application/macaroon-request",
368 "Content-Type must be 'application/macaroon-request' to request a macaroon", false);
369
370 header = XrdOucTUtils::caseInsensitiveFind(req.headers,"content-length");
371 if (header == req.headers.end())
372 return req.SendSimpleResp(411, nullptr, nullptr, "Content-Length missing; not a valid POST", false);
373
374 ssize_t blen = std::strtoll(header->second.c_str(), nullptr, 10);
375
376 if (blen <= 0)
377 return req.SendSimpleResp(400, nullptr, nullptr, "Content-Length has invalid value.", false);
378
379 if (blen > 4096)
380 return req.SendSimpleResp(413, nullptr, nullptr, "Macaroon request too large (must be less than 4KB)", false);
381
382 // request_data is not necessarily null-terminated; hence, we use the more advanced _ex variant
383 // of the tokener to avoid making a copy of the character buffer.
384 char *request_data;
385 if (req.BuffgetData(blen, &request_data, true) != blen)
386 {
387 return req.SendSimpleResp(400, nullptr, nullptr, "Missing or invalid body of request.", 0);
388 }
389 json_tokener *tokener = json_tokener_new();
390 if (!tokener)
391 {
392 return req.SendSimpleResp(500, nullptr, nullptr, "Internal error when allocating token parser.", 0);
393 }
394 json_object *macaroon_req = json_tokener_parse_ex(tokener, request_data, blen);
395 enum json_tokener_error err = json_tokener_get_error(tokener);
396 json_tokener_free(tokener);
397 if (err != json_tokener_success)
398 {
399 if (macaroon_req) json_object_put(macaroon_req);
400 return req.SendSimpleResp(400, nullptr, nullptr, "Invalid JSON serialization of macaroon request.", 0);
401 }
402 json_object *validity_obj;
403 if (!json_object_object_get_ex(macaroon_req, "validity", &validity_obj))
404 {
405 json_object_put(macaroon_req);
406 return req.SendSimpleResp(400, nullptr, nullptr, "JSON request does not include a `validity`", 0);
407 }
408 const char *validity_cstr = json_object_get_string(validity_obj);
409 if (!validity_cstr)
410 {
411 json_object_put(macaroon_req);
412 return req.SendSimpleResp(400, nullptr, nullptr, "validity key cannot be cast to a string", 0);
413 }
414 std::string validity_str(validity_cstr);
415 ssize_t validity = determine_validity(validity_str);
416 if (validity <= 0)
417 {
418 json_object_put(macaroon_req);
419 return req.SendSimpleResp(400, nullptr, nullptr, "Invalid ISO 8601 duration for validity key", 0);
420 }
421 json_object *caveats_obj;
422 std::vector<std::string> other_caveats;
423 if (json_object_object_get_ex(macaroon_req, "caveats", &caveats_obj))
424 {
425 if (json_object_is_type(caveats_obj, json_type_array))
426 { // Caveats were provided. Let's record them.
427 // TODO - could just add these in-situ. No need for the other_caveats vector.
428 int array_length = json_object_array_length(caveats_obj);
429 other_caveats.reserve(array_length);
430 for (int idx=0; idx<array_length; idx++)
431 {
432 json_object *caveat_item = json_object_array_get_idx(caveats_obj, idx);
433 if (caveat_item)
434 {
435 const char *caveat_item_str = json_object_get_string(caveat_item);
436
437 if (!caveat_item_str) {
438 json_object_put(macaroon_req);
439 return req.SendSimpleResp(400, nullptr, nullptr, "Malformed or invalid caveat", 0);
440 }
441
442 if (is_reserved_caveat(caveat_item_str)) {
443 json_object_put(macaroon_req);
444 return req.SendSimpleResp(400, nullptr, nullptr,
445 "Cannot accept caveat with reserved key (name, path, before)\n", 0);
446 }
447
448 if (!is_supported_caveat(caveat_item_str)) {
449 json_object_put(macaroon_req);
450 return req.SendSimpleResp(400, nullptr, nullptr,
451 "Cannot accept caveat of unsupported type (supported types: activity)\n", 0);
452 }
453
454 other_caveats.emplace_back(caveat_item_str);
455 }
456 }
457 }
458 }
459 json_object_put(macaroon_req);
460
461 return GenerateMacaroonResponse(req, req.resource, other_caveats, validity, false);
462}
is_supported_caveat
static bool is_supported_caveat(const std::string &cv)
Definition XrdMacaroonsHandler.cc:82
is_reserved_caveat
static bool is_reserved_caveat(const std::string &cv)
Definition XrdMacaroonsHandler.cc:75
determine_validity
static ssize_t determine_validity(const std::string &input)
Definition XrdMacaroonsHandler.cc:88
XrdOucTUtils::caseInsensitiveFind
static std::map< std::string, T >::const_iterator caseInsensitiveFind(const std::map< std::string, T > &m, const std::string &lowerCaseSearchKey)
Definition XrdOucTUtils.hh:79

References XrdHttpExtReq::BuffgetData(), XrdOucTUtils::caseInsensitiveFind(), determine_validity(), XrdHttpExtReq::headers, is_reserved_caveat(), is_supported_caveat(), XrdHttpExtReq::resource, and XrdHttpExtReq::SendSimpleResp().

+ Here is the call graph for this function:
The documentation for this class was generated from the following files: