XRootD
Loading...
Searching...
No Matches
XrdAccRules Class Reference
Collaboration diagram for XrdAccRules:

Public Member Functions

 XrdAccRules (uint64_t expiry_time, const std::string &username, const std::string &token_subject, const std::string &issuer, const std::vector< MapRule > &rules, const std::vector< std::string > &groups, uint32_t authz_strategy)
 ~XrdAccRules ()
bool apply (Access_Operation oper, std::string path)
bool expired () const
uint32_t get_authz_strategy () const
const std::string & get_default_username () const
const std::string & get_issuer () const
const std::string & get_token_subject () const
std::string get_username (const std::string &req_path) const
const std::vector< std::string > & groups () const
void parse (const AccessRulesRaw &rules)
size_t size () const
const std::string str () const

Detailed Description

Definition at line 369 of file XrdSciTokensAccess.cc.

Constructor & Destructor Documentation

◆ XrdAccRules()

XrdAccRules::XrdAccRules ( uint64_t expiry_time,
const std::string & username,
const std::string & token_subject,
const std::string & issuer,
const std::vector< MapRule > & rules,
const std::vector< std::string > & groups,
uint32_t authz_strategy )
inline

Definition at line 372 of file XrdSciTokensAccess.cc.

374 :
375 m_authz_strategy(authz_strategy),
376 m_expiry_time(expiry_time),
377 m_username(username),
378 m_token_subject(token_subject),
379 m_issuer(issuer),
380 m_map_rules(rules),
381 m_groups(groups)
382 {}
XrdAccRules::groups
const std::vector< std::string > & groups() const
Definition XrdSciTokensAccess.cc:459

References groups().

Here is the call graph for this function:

◆ ~XrdAccRules()

XrdAccRules::~XrdAccRules ( )
inline

Definition at line 384 of file XrdSciTokensAccess.cc.

384{}

Member Function Documentation

◆ apply()

bool XrdAccRules::apply ( Access_Operation oper,
std::string path )
inline

Definition at line 386 of file XrdSciTokensAccess.cc.

386 {
387 for (const auto & rule : m_rules) {
388 // Skip rules that don't match the current operation
389 if (rule.first != oper)
390 continue;
391
392 // If the rule allows any path, allow the operation
393 if (rule.second == "/")
394 return true;
395
396 // Allow operation if path is a subdirectory of the rule's path
397 if (is_subdirectory(rule.second, path)) {
398 return true;
399 } else {
400 // Allow stat and mkdir of parent directories to comply with WLCG token specs
401 if (oper == AOP_Stat || oper == AOP_Mkdir)
402 if (is_subdirectory(path, rule.second))
403 return true;
404 }
405 }
406 return false;
407 }
AOP_Mkdir
@ AOP_Mkdir
mkdir()
Definition XrdAccAuthorize.hh:48
AOP_Stat
@ AOP_Stat
exists(), stat()
Definition XrdAccAuthorize.hh:52
is_subdirectory
static bool is_subdirectory(const std::string_view dir, const std::string_view subdir)
Definition XrdOucPrivateUtils.hh:37

References AOP_Mkdir, AOP_Stat, and is_subdirectory().

Here is the call graph for this function:

◆ expired()

bool XrdAccRules::expired ( ) const
inline

Definition at line 409 of file XrdSciTokensAccess.cc.

409{return monotonic_time() > m_expiry_time;}

◆ get_authz_strategy()

uint32_t XrdAccRules::get_authz_strategy ( ) const
inline

Definition at line 456 of file XrdSciTokensAccess.cc.

456{return m_authz_strategy;}

◆ get_default_username()

const std::string & XrdAccRules::get_default_username ( ) const
inline

Definition at line 453 of file XrdSciTokensAccess.cc.

453{return m_username;}

◆ get_issuer()

const std::string & XrdAccRules::get_issuer ( ) const
inline

Definition at line 454 of file XrdSciTokensAccess.cc.

454{return m_issuer;}

◆ get_token_subject()

const std::string & XrdAccRules::get_token_subject ( ) const
inline

Definition at line 452 of file XrdSciTokensAccess.cc.

452{return m_token_subject;}

◆ get_username()

std::string XrdAccRules::get_username ( const std::string & req_path) const
inline

Definition at line 418 of file XrdSciTokensAccess.cc.

419 {
420 for (const auto &rule : m_map_rules) {
421 std::string name = rule.match(m_token_subject, m_username, req_path, m_groups);
422 if (!name.empty()) {
423 return name;
424 }
425 }
426 return "";
427 }

◆ groups()

const std::vector< std::string > & XrdAccRules::groups ( ) const
inline

Definition at line 459 of file XrdSciTokensAccess.cc.

459{return m_groups;}

Referenced by XrdAccRules().

Here is the caller graph for this function:

◆ parse()

void XrdAccRules::parse ( const AccessRulesRaw & rules)
inline

Definition at line 411 of file XrdSciTokensAccess.cc.

411 {
412 m_rules.reserve(rules.size());
413 for (const auto &entry : rules) {
414 m_rules.emplace_back(entry.first, entry.second);
415 }
416 }

◆ size()

size_t XrdAccRules::size ( ) const
inline

Definition at line 458 of file XrdSciTokensAccess.cc.

458{return m_rules.size();}

◆ str()

const std::string XrdAccRules::str ( ) const
inline

Definition at line 429 of file XrdSciTokensAccess.cc.

430 {
431 std::stringstream ss;
432 ss << "mapped_username=" << m_username << ", subject=" << m_token_subject
433 << ", issuer=" << m_issuer;
434 if (!m_groups.empty()) {
435 ss << ", groups=";
436 bool first=true;
437 for (const auto &group : m_groups) {
438 ss << (first ? "" : ",") << group;
439 first = false;
440 }
441 }
442 if (!m_rules.empty()) {
443 ss << ", authorizations=" << AccessRuleStr(m_rules);
444 }
445 return ss.str();
446 }
The documentation for this class was generated from the following file: