XRootD
XrdAccRules Class Reference

Public Member Functions

 XrdAccRules (uint64_t expiry_time, const std::string &username, const std::string &token_subject, const std::string &issuer, const std::vector< MapRule > &rules, const std::vector< std::string > &groups, uint32_t authz_strategy)
 ~XrdAccRules ()
bool apply (Access_Operation oper, std::string path)
bool expired () const
uint32_t get_authz_strategy () const
const std::string & get_default_username () const
const std::string & get_issuer () const
const std::string & get_token_subject () const
std::string get_username (const std::string &req_path) const
const std::vector< std::string > & groups () const
void parse (const AccessRulesRaw &rules)
size_t size () const
const std::string str () const

Detailed Description

Per-token authorization state for the SciTokens access plugin (XrdSciTokensAccess.cc). The constructor stores an expiry value that expired() compares against monotonic_time(), the default username, token subject and issuer, the MapRule list that get_username() consults, the token's group names, and an authz-strategy selector. The operation/path rules that apply() evaluates are not set by the constructor; they are appended afterwards through parse().

Definition at line 357 of file XrdSciTokensAccess.cc.

Constructor & Destructor Documentation

◆ XrdAccRules()

XrdAccRules::XrdAccRules ( uint64_t expiry_time,
const std::string & username,
const std::string & token_subject,
const std::string & issuer,
const std::vector< MapRule > & rules,
const std::vector< std::string > & groups,
uint32_t authz_strategy )
inline

Definition at line 360 of file XrdSciTokensAccess.cc.

/// Capture the authorization state derived from one validated token.
///
/// Only the fields below are initialized here; the operation/path rules
/// consulted by apply() start empty and are appended later via parse().
///
/// @param expiry_time    value compared against monotonic_time() by expired()
/// @param username       default username handed to each MapRule by get_username()
/// @param token_subject  token subject, also handed to MapRule::match()
/// @param issuer         token issuer string
/// @param rules          username mapping rules, tried in order by get_username()
/// @param groups         group names carried by the token (note: this parameter
///                       shadows the groups() accessor; the initializer binds the
///                       parameter, the accessor is not called)
/// @param authz_strategy opaque strategy selector returned by get_authz_strategy()
XrdAccRules(uint64_t expiry_time,
            const std::string &username,
            const std::string &token_subject,
            const std::string &issuer,
            const std::vector<MapRule> &rules,
            const std::vector<std::string> &groups,
            uint32_t authz_strategy)
    : m_authz_strategy(authz_strategy),
      m_expiry_time(expiry_time),
      m_username(username),
      m_token_subject(token_subject),
      m_issuer(issuer),
      m_map_rules(rules),
      m_groups(groups)
{
    // Nothing else to do: m_rules is filled by parse().
}

References the constructor parameter `groups` (in the initializer `m_groups(groups)`); the `groups()` accessor itself is not called here — Doxygen resolves the shadowed name to the member function.


◆ ~XrdAccRules()

XrdAccRules::~XrdAccRules ( )
inline

Definition at line 372 of file XrdSciTokensAccess.cc.

372{}

Member Function Documentation

◆ apply()

bool XrdAccRules::apply ( Access_Operation oper,
std::string path )
inline

Definition at line 374 of file XrdSciTokensAccess.cc.

/// Decide whether operation `oper` on `path` is permitted by the
/// operation/path rules appended via parse().
///
/// A rule grants access when its operation equals `oper` and either
///  * its path is "/" (authorizes every path), or
///  * `path` lies under the rule path (is_subdirectory(rule, path)), or
///  * for AOP_Stat and AOP_Mkdir only, the rule path lies under `path`,
///    so the ancestors of an authorized prefix can be stat'ed and created
///    as the WLCG token profile requires.  This intentionally lets a rule
///    for /a/b/c create /a and /a/b.
/// The first granting rule wins; with no granting rule the answer is deny.
///
/// NOTE(review): this check is only as strong as two things not visible
/// here: is_subdirectory() must compare whole path components (a rule for
/// /data must not match /data2) and `path` must already be normalized
/// (no ".." segments, no duplicate separators).  Confirm both before
/// treating apply() as the sole authorization gate.
bool apply(Access_Operation oper, std::string path)
{
    for (const auto &rule : m_rules) {
        if (rule.first != oper)
            continue;                        // rule applies to another operation

        const auto &scope = rule.second;     // authorized path prefix
        if (scope == "/")
            return true;                     // wildcard rule

        if (is_subdirectory(scope, path))
            return true;                     // request lies inside the prefix

        // Ancestor access is tolerated only for stat and mkdir.
        const bool ancestor_op = (oper == AOP_Stat || oper == AOP_Mkdir);
        if (ancestor_op && is_subdirectory(path, scope))
            return true;
    }
    return false;                            // deny by default
}
@ AOP_Mkdir
mkdir()
@ AOP_Stat
exists(), stat()
static bool is_subdirectory(const std::string &dir, const std::string &subdir)

References AOP_Mkdir, AOP_Stat, and is_subdirectory().


◆ expired()

bool XrdAccRules::expired ( ) const
inline

Definition at line 397 of file XrdSciTokensAccess.cc.

397{return monotonic_time() > m_expiry_time;}

◆ get_authz_strategy()

uint32_t XrdAccRules::get_authz_strategy ( ) const
inline

Definition at line 444 of file XrdSciTokensAccess.cc.

444{return m_authz_strategy;}

◆ get_default_username()

const std::string & XrdAccRules::get_default_username ( ) const
inline

Definition at line 441 of file XrdSciTokensAccess.cc.

441{return m_username;}

◆ get_issuer()

const std::string & XrdAccRules::get_issuer ( ) const
inline

Definition at line 442 of file XrdSciTokensAccess.cc.

442{return m_issuer;}

◆ get_token_subject()

const std::string & XrdAccRules::get_token_subject ( ) const
inline

Definition at line 440 of file XrdSciTokensAccess.cc.

440{return m_token_subject;}

◆ get_username()

std::string XrdAccRules::get_username ( const std::string & req_path) const
inline

Definition at line 406 of file XrdSciTokensAccess.cc.

/// Resolve the local username for a request on `req_path`.
///
/// Map rules are tried in constructor order and the first non-empty
/// result wins, so rule order is significant.  Returns "" when no rule
/// matches; callers must treat the empty string as "unmapped" and never
/// as a usable identity.  The stored default username is only an input
/// to the rules, not a fallback.
std::string get_username(const std::string &req_path) const
{
    std::string mapped;
    for (const auto &rule : m_map_rules) {
        mapped = rule.match(m_token_subject, m_username, req_path, m_groups);
        if (!mapped.empty())
            break;                           // first match wins
    }
    return mapped;                           // empty when nothing matched
}

◆ groups()

const std::vector< std::string > & XrdAccRules::groups ( ) const
inline

Definition at line 447 of file XrdSciTokensAccess.cc.

447{return m_groups;}

Referenced by XrdAccRules() only through Doxygen's name resolution: the constructor uses its `groups` parameter, which shadows this accessor, in `m_groups(groups)`; the accessor is not actually invoked there.


◆ parse()

void XrdAccRules::parse ( const AccessRulesRaw & rules)
inline

Definition at line 399 of file XrdSciTokensAccess.cc.

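/// Append the operation/path authorizations in `rules` to m_rules.
///
/// This appends and never clears: calling parse() more than once
/// accumulates rules and can therefore only widen what apply() accepts.
/// The reservation counts the rules already present so that appending to
/// a non-empty vector does not reallocate part-way through the loop.
void parse(const AccessRulesRaw &rules)
{
    m_rules.reserve(m_rules.size() + rules.size());
    for (const auto &entry : rules) {
        m_rules.emplace_back(entry.first, entry.second);
    }
}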

◆ size()

size_t XrdAccRules::size ( ) const
inline

Definition at line 446 of file XrdSciTokensAccess.cc.

446{return m_rules.size();}

◆ str()

const std::string XrdAccRules::str ( ) const
inline

Definition at line 417 of file XrdSciTokensAccess.cc.

/// One-line, human-readable summary for logging:
/// "mapped_username=..., subject=..., issuer=..." followed by
/// ", groups=a,b,c" when there are groups and ", authorizations=..."
/// (via AccessRuleStr) when there are rules.
///
/// Subject, issuer and group names are emitted verbatim; since they
/// originate from the token, treat the result as untrusted text when it
/// reaches a log sink.
const std::string str() const
{
    std::stringstream out;
    out << "mapped_username=" << m_username
        << ", subject=" << m_token_subject
        << ", issuer=" << m_issuer;

    if (!m_groups.empty()) {
        out << ", groups=";
        const char *sep = "";                // no separator before the first group
        for (const auto &group : m_groups) {
            out << sep << group;
            sep = ",";
        }
    }

    if (!m_rules.empty())
        out << ", authorizations=" << AccessRuleStr(m_rules);

    return out.str();
}

The documentation for this class was generated from the following file: