XRootD
Loading...
Searching...
No Matches
XrdAccRules Class Reference
Collaboration diagram for XrdAccRules:

Public Member Functions

 XrdAccRules (uint64_t expiry_time, const std::string &username, const std::string &token_subject, const std::string &issuer, const std::vector< MapRule > &rules, const std::vector< std::string > &groups, uint32_t authz_strategy)
 ~XrdAccRules ()
bool apply (Access_Operation oper, std::string path)
bool expired () const
uint32_t get_authz_strategy () const
const std::string & get_default_username () const
const std::string & get_issuer () const
const std::string & get_token_subject () const
std::string get_username (const std::string &req_path) const
const std::vector< std::string > & groups () const
void parse (const AccessRulesRaw &rules)
size_t size () const
const std::string str () const

Detailed Description

Definition at line 362 of file XrdSciTokensAccess.cc.

Constructor & Destructor Documentation

◆ XrdAccRules()

XrdAccRules::XrdAccRules ( uint64_t expiry_time,
const std::string & username,
const std::string & token_subject,
const std::string & issuer,
const std::vector< MapRule > & rules,
const std::vector< std::string > & groups,
uint32_t authz_strategy )
inline

Definition at line 365 of file XrdSciTokensAccess.cc.

367 :
368 m_authz_strategy(authz_strategy),
369 m_expiry_time(expiry_time),
370 m_username(username),
371 m_token_subject(token_subject),
372 m_issuer(issuer),
373 m_map_rules(rules),
374 m_groups(groups)
375 {}
XrdAccRules::groups
const std::vector< std::string > & groups() const
Definition XrdSciTokensAccess.cc:452

References groups().

Here is the call graph for this function:

◆ ~XrdAccRules()

XrdAccRules::~XrdAccRules ( )
inline

Definition at line 377 of file XrdSciTokensAccess.cc.

377{}

Member Function Documentation

◆ apply()

bool XrdAccRules::apply ( Access_Operation oper,
std::string path )
inline

Definition at line 379 of file XrdSciTokensAccess.cc.

379 {
380 for (const auto & rule : m_rules) {
381 // Skip rules that don't match the current operation
382 if (rule.first != oper)
383 continue;
384
385 // If the rule allows any path, allow the operation
386 if (rule.second == "/")
387 return true;
388
389 // Allow operation if path is a subdirectory of the rule's path
390 if (is_subdirectory(rule.second, path)) {
391 return true;
392 } else {
393 // Allow stat and mkdir of parent directories to comply with WLCG token specs
394 if (oper == AOP_Stat || oper == AOP_Mkdir)
395 if (is_subdirectory(path, rule.second))
396 return true;
397 }
398 }
399 return false;
400 }
AOP_Mkdir
@ AOP_Mkdir
mkdir()
Definition XrdAccAuthorize.hh:48
AOP_Stat
@ AOP_Stat
exists(), stat()
Definition XrdAccAuthorize.hh:52
is_subdirectory
static bool is_subdirectory(const std::string_view dir, const std::string_view subdir)
Definition XrdOucPrivateUtils.hh:34

References AOP_Mkdir, AOP_Stat, and is_subdirectory().

Here is the call graph for this function:

◆ expired()

bool XrdAccRules::expired ( ) const
inline

Definition at line 402 of file XrdSciTokensAccess.cc.

402{return monotonic_time() > m_expiry_time;}

◆ get_authz_strategy()

uint32_t XrdAccRules::get_authz_strategy ( ) const
inline

Definition at line 449 of file XrdSciTokensAccess.cc.

449{return m_authz_strategy;}

◆ get_default_username()

const std::string & XrdAccRules::get_default_username ( ) const
inline

Definition at line 446 of file XrdSciTokensAccess.cc.

446{return m_username;}

◆ get_issuer()

const std::string & XrdAccRules::get_issuer ( ) const
inline

Definition at line 447 of file XrdSciTokensAccess.cc.

447{return m_issuer;}

◆ get_token_subject()

const std::string & XrdAccRules::get_token_subject ( ) const
inline

Definition at line 445 of file XrdSciTokensAccess.cc.

445{return m_token_subject;}

◆ get_username()

std::string XrdAccRules::get_username ( const std::string & req_path) const
inline

Definition at line 411 of file XrdSciTokensAccess.cc.

412 {
413 for (const auto &rule : m_map_rules) {
414 std::string name = rule.match(m_token_subject, m_username, req_path, m_groups);
415 if (!name.empty()) {
416 return name;
417 }
418 }
419 return "";
420 }

◆ groups()

const std::vector< std::string > & XrdAccRules::groups ( ) const
inline

Definition at line 452 of file XrdSciTokensAccess.cc.

452{return m_groups;}

Referenced by XrdAccRules().

Here is the caller graph for this function:

◆ parse()

void XrdAccRules::parse ( const AccessRulesRaw & rules)
inline

Definition at line 404 of file XrdSciTokensAccess.cc.

404 {
405 m_rules.reserve(rules.size());
406 for (const auto &entry : rules) {
407 m_rules.emplace_back(entry.first, entry.second);
408 }
409 }

◆ size()

size_t XrdAccRules::size ( ) const
inline

Definition at line 451 of file XrdSciTokensAccess.cc.

451{return m_rules.size();}

◆ str()

const std::string XrdAccRules::str ( ) const
inline

Definition at line 422 of file XrdSciTokensAccess.cc.

423 {
424 std::stringstream ss;
425 ss << "mapped_username=" << m_username << ", subject=" << m_token_subject
426 << ", issuer=" << m_issuer;
427 if (!m_groups.empty()) {
428 ss << ", groups=";
429 bool first=true;
430 for (const auto &group : m_groups) {
431 ss << (first ? "" : ",") << group;
432 first = false;
433 }
434 }
435 if (!m_rules.empty()) {
436 ss << ", authorizations=" << AccessRuleStr(m_rules);
437 }
438 return ss.str();
439 }
The documentation for this class was generated from the following file: