XRootD
Public Member Functions | List of all members
XrdAccRules Class Reference
+ Collaboration diagram for XrdAccRules:

Public Member Functions

 XrdAccRules (uint64_t expiry_time, const std::string &username, const std::string &token_subject, const std::string &issuer, const std::vector< MapRule > &rules, const std::vector< std::string > &groups, uint32_t authz_strategy)
 
 ~XrdAccRules ()
 
bool apply (Access_Operation oper, std::string path)
 
bool expired () const
 
uint32_t get_authz_strategy () const
 
const std::string & get_default_username () const
 
const std::string & get_issuer () const
 
const std::string & get_token_subject () const
 
std::string get_username (const std::string &req_path) const
 
const std::vector< std::string > & groups () const
 
void parse (const AccessRulesRaw &rules)
 
size_t size () const
 
const std::string str () const
 

Detailed Description

Definition at line 362 of file XrdSciTokensAccess.cc.

Constructor & Destructor Documentation

◆ XrdAccRules()

XrdAccRules::XrdAccRules ( uint64_t  expiry_time,
const std::string &  username,
const std::string &  token_subject,
const std::string &  issuer,
const std::vector< MapRule > &  rules,
const std::vector< std::string > &  groups,
uint32_t  authz_strategy 
)
inline

Definition at line 365 of file XrdSciTokensAccess.cc.

367  :
368  m_authz_strategy(authz_strategy),
369  m_expiry_time(expiry_time),
370  m_username(username),
371  m_token_subject(token_subject),
372  m_issuer(issuer),
373  m_map_rules(rules),
374  m_groups(groups)
375  {}
XrdAccRules::groups
const std::vector< std::string > & groups() const
Definition: XrdSciTokensAccess.cc:452

◆ ~XrdAccRules()

XrdAccRules::~XrdAccRules ( )
inline

Definition at line 377 of file XrdSciTokensAccess.cc.

377 {}

Member Function Documentation

◆ apply()

bool XrdAccRules::apply ( Access_Operation  oper,
std::string  path 
)
inline

Definition at line 379 of file XrdSciTokensAccess.cc.

379  {
380  for (const auto & rule : m_rules) {
381  // Skip rules that don't match the current operation
382  if (rule.first != oper)
383  continue;
384 
385  // If the rule allows any path, allow the operation
386  if (rule.second == "/")
387  return true;
388 
389  // Allow operation if path is a subdirectory of the rule's path
390  if (is_subdirectory(rule.second, path)) {
391  return true;
392  } else {
393  // Allow stat and mkdir of parent directories to comply with WLCG token specs
394  if (oper == AOP_Stat || oper == AOP_Mkdir)
395  if (is_subdirectory(path, rule.second))
396  return true;
397  }
398  }
399  return false;
400  }
AOP_Mkdir
@ AOP_Mkdir
mkdir()
Definition: XrdAccAuthorize.hh:48
AOP_Stat
@ AOP_Stat
exists(), stat()
Definition: XrdAccAuthorize.hh:52
is_subdirectory
static bool is_subdirectory(const std::string_view dir, const std::string_view subdir)
Definition: XrdOucPrivateUtils.hh:34

References AOP_Mkdir, AOP_Stat, and is_subdirectory().

+ Here is the call graph for this function:

◆ expired()

bool XrdAccRules::expired ( ) const
inline

Definition at line 402 of file XrdSciTokensAccess.cc.

402 {return monotonic_time() > m_expiry_time;}

◆ get_authz_strategy()

uint32_t XrdAccRules::get_authz_strategy ( ) const
inline

Definition at line 449 of file XrdSciTokensAccess.cc.

449 {return m_authz_strategy;}

◆ get_default_username()

const std::string& XrdAccRules::get_default_username ( ) const
inline

Definition at line 446 of file XrdSciTokensAccess.cc.

446 {return m_username;}

◆ get_issuer()

const std::string& XrdAccRules::get_issuer ( ) const
inline

Definition at line 447 of file XrdSciTokensAccess.cc.

447 {return m_issuer;}

◆ get_token_subject()

const std::string& XrdAccRules::get_token_subject ( ) const
inline

Definition at line 445 of file XrdSciTokensAccess.cc.

445 {return m_token_subject;}

◆ get_username()

std::string XrdAccRules::get_username ( const std::string &  req_path) const
inline

Definition at line 411 of file XrdSciTokensAccess.cc.

412  {
413  for (const auto &rule : m_map_rules) {
414  std::string name = rule.match(m_token_subject, m_username, req_path, m_groups);
415  if (!name.empty()) {
416  return name;
417  }
418  }
419  return "";
420  }

◆ groups()

const std::vector<std::string>& XrdAccRules::groups ( ) const
inline

Definition at line 452 of file XrdSciTokensAccess.cc.

452 {return m_groups;}

◆ parse()

void XrdAccRules::parse ( const AccessRulesRaw &  rules)
inline

Definition at line 404 of file XrdSciTokensAccess.cc.

404  {
405  m_rules.reserve(rules.size());
406  for (const auto &entry : rules) {
407  m_rules.emplace_back(entry.first, entry.second);
408  }
409  }

◆ size()

size_t XrdAccRules::size ( ) const
inline

Definition at line 451 of file XrdSciTokensAccess.cc.

451 {return m_rules.size();}

◆ str()

const std::string XrdAccRules::str ( ) const
inline

Definition at line 422 of file XrdSciTokensAccess.cc.

423  {
424  std::stringstream ss;
425  ss << "mapped_username=" << m_username << ", subject=" << m_token_subject
426  << ", issuer=" << m_issuer;
427  if (!m_groups.empty()) {
428  ss << ", groups=";
429  bool first=true;
430  for (const auto &group : m_groups) {
431  ss << (first ? "" : ",") << group;
432  first = false;
433  }
434  }
435  if (!m_rules.empty()) {
436  ss << ", authorizations=" << AccessRuleStr(m_rules);
437  }
438  return ss.str();
439  }
The documentation for this class was generated from the following file: