XRootD
Loading...
Searching...
No Matches
XrdMacaroonsAuthz.cc
Go to the documentation of this file.
1
2#include <stdexcept>
3#include <sstream>
4
5#include <ctime>
6
7#include "macaroons.h"
8
9#include "XrdOuc/XrdOucEnv.hh"
10#include "XrdSec/XrdSecEntity.hh"
11#include "XrdSec/XrdSecEntityAttr.hh"
12
13#include "XrdMacaroonsHandler.hh"
14#include "XrdMacaroonsAuthz.hh"
15
16using namespace Macaroons;
17
18
19namespace {
20
21class AuthzCheck
22{
23public:
24 AuthzCheck(const char *req_path, const Access_Operation req_oper, ssize_t max_duration, XrdSysError &log);
25
26 const std::string &GetSecName() const {return m_sec_name;}
27 const std::string &GetErrorMessage() const {return m_emsg;}
28
29 static int verify_before_s(void *authz_ptr,
30 const unsigned char *pred,
31 size_t pred_sz);
32
33 static int verify_activity_s(void *authz_ptr,
34 const unsigned char *pred,
35 size_t pred_sz);
36
37 static int verify_path_s(void *authz_ptr,
38 const unsigned char *pred,
39 size_t pred_sz);
40
41 static int verify_name_s(void *authz_ptr,
42 const unsigned char *pred,
43 size_t pred_sz);
44
45private:
46 int verify_before(const unsigned char *pred, size_t pred_sz);
47 int verify_activity(const unsigned char *pred, size_t pred_sz);
48 int verify_path(const unsigned char *pred, size_t pred_sz);
49 int verify_name(const unsigned char *pred, size_t pred_sz);
50
51 ssize_t m_max_duration;
52 XrdSysError &m_log;
53 std::string m_emsg;
54 const std::string m_path;
55 std::string m_desired_activity;
56 std::string m_sec_name;
57 Access_Operation m_oper;
58 time_t m_now;
59};
60
61
62static XrdAccPrivs AddPriv(Access_Operation op, XrdAccPrivs privs)
63{
64 int new_privs = privs;
65 switch (op) {
66 case AOP_Any:
67 break;
68 case AOP_Chmod:
69 new_privs |= static_cast<int>(XrdAccPriv_Chmod);
70 break;
71 case AOP_Chown:
72 new_privs |= static_cast<int>(XrdAccPriv_Chown);
73 break;
74 case AOP_Excl_Create: // fallthrough
75 case AOP_Create:
76 new_privs |= static_cast<int>(XrdAccPriv_Create);
77 break;
78 case AOP_Delete:
79 new_privs |= static_cast<int>(XrdAccPriv_Delete);
80 break;
81 case AOP_Excl_Insert: // fallthrough
82 case AOP_Insert:
83 new_privs |= static_cast<int>(XrdAccPriv_Insert);
84 break;
85 case AOP_Lock:
86 new_privs |= static_cast<int>(XrdAccPriv_Lock);
87 break;
88 case AOP_Mkdir:
89 new_privs |= static_cast<int>(XrdAccPriv_Mkdir);
90 break;
91 case AOP_Read:
92 new_privs |= static_cast<int>(XrdAccPriv_Read);
93 break;
94 case AOP_Readdir:
95 new_privs |= static_cast<int>(XrdAccPriv_Readdir);
96 break;
97 case AOP_Rename:
98 new_privs |= static_cast<int>(XrdAccPriv_Rename);
99 break;
100 case AOP_Stat:
101 new_privs |= static_cast<int>(XrdAccPriv_Lookup);
102 break;
103 case AOP_Update:
104 new_privs |= static_cast<int>(XrdAccPriv_Update);
105 break;
106 };
107 return static_cast<XrdAccPrivs>(new_privs);
108}
109
110
111// Accept any value of the path, name, or activity caveats
112int validate_verify_empty(void *emsg_ptr,
113 const unsigned char *pred,
114 size_t pred_sz)
115{
116 if ((pred_sz >= 5) && (!memcmp(reinterpret_cast<const char *>(pred), "path:", 5) ||
117 !memcmp(reinterpret_cast<const char *>(pred), "name:", 5)))
118 {
119 return 0;
120 }
121 if ((pred_sz >= 9) && (!memcmp(reinterpret_cast<const char *>(pred), "activity:", 9)))
122 {
123 return 0;
124 }
125 return 1;
126}
127
128}
129
130
131Authz::Authz(XrdSysLogger *log, char const *config, XrdAccAuthorize *chain)
132 : m_max_duration(86400),
133 m_chain(chain),
134 m_log(log, "macarons_"),
135 m_authz_behavior(static_cast<int>(Handler::AuthzBehavior::PASSTHROUGH))
136{
137 Handler::AuthzBehavior behavior(Handler::AuthzBehavior::PASSTHROUGH);
138 XrdOucEnv env;
139 if (!Handler::Config(config, &env, &m_log, m_location, m_secret, m_max_duration, behavior))
140 {
141 throw std::runtime_error("Macaroon authorization config failed.");
142 }
143 m_authz_behavior = static_cast<int>(behavior);
144}
145
146
147XrdAccPrivs
148Authz::OnMissing(const XrdSecEntity *Entity, const char *path,
149 const Access_Operation oper, XrdOucEnv *env)
150{
151 switch (m_authz_behavior) {
152 case Handler::AuthzBehavior::PASSTHROUGH:
153 return m_chain ? m_chain->Access(Entity, path, oper, env) : XrdAccPriv_None;
154 case Handler::AuthzBehavior::ALLOW:
155 return AddPriv(oper, XrdAccPriv_None);;
156 case Handler::AuthzBehavior::DENY:
157 return XrdAccPriv_None;
158 }
159 // Code should be unreachable.
160 return XrdAccPriv_None;
161}
162
163XrdAccPrivs
164Authz::Access(const XrdSecEntity *Entity, const char *path,
165 const Access_Operation oper, XrdOucEnv *env)
166{
167 // We don't allow any testing to occur in this authz module, preventing
168 // a macaroon to be used to receive further macaroons.
169 if (oper == AOP_Any)
170 {
171 return m_chain ? m_chain->Access(Entity, path, oper, env) : XrdAccPriv_None;
172 }
173
174 const char *authz = env ? env->Get("authz") : nullptr;
175 if (authz && !strncmp(authz, "Bearer%20", 9))
176 {
177 authz += 9;
178 }
179 else if (!authz && (authz = env ? env->Get("access_token") : nullptr) && !strncmp(authz, "Bearer%20", 9))
180 {
181 authz += 9;
182 }
183
184 // If there's no request-specific token, check for a ZTN session token
185 if (!authz && Entity && !strcmp("ztn", Entity->prot) && Entity->creds &&
186 Entity->credslen && Entity->creds[Entity->credslen] == '\0')
187 {
188 authz = Entity->creds;
189 }
190
191 if (!authz) {
192 return OnMissing(Entity, path, oper, env);
193 }
194
195 macaroon_returncode mac_err = MACAROON_SUCCESS;
196 struct macaroon* macaroon = macaroon_deserialize(
197 authz,
198 &mac_err);
199 if (!macaroon)
200 {
201 // Do not log - might be other token type!
202 //m_log.Emsg("Access", "Failed to parse the macaroon");
203 return OnMissing(Entity, path, oper, env);
204 }
205
206 struct macaroon_verifier *verifier = macaroon_verifier_create();
207 if (!verifier)
208 {
209 m_log.Emsg("Access", "Failed to create a new macaroon verifier");
210 return XrdAccPriv_None;
211 }
212 if (!path)
213 {
214 m_log.Emsg("Access", "Request with no provided path.");
215 macaroon_verifier_destroy(verifier);
216 return XrdAccPriv_None;
217 }
218
219 AuthzCheck check_helper(path, oper, m_max_duration, m_log);
220
221 if (macaroon_verifier_satisfy_general(verifier, AuthzCheck::verify_before_s, &check_helper, &mac_err) ||
222 macaroon_verifier_satisfy_general(verifier, AuthzCheck::verify_activity_s, &check_helper, &mac_err) ||
223 macaroon_verifier_satisfy_general(verifier, AuthzCheck::verify_name_s, &check_helper, &mac_err) ||
224 macaroon_verifier_satisfy_general(verifier, AuthzCheck::verify_path_s, &check_helper, &mac_err))
225 {
226 m_log.Emsg("Access", "Failed to configure caveat verifier:");
227 macaroon_verifier_destroy(verifier);
228 return XrdAccPriv_None;
229 }
230
231 const unsigned char *macaroon_loc;
232 size_t location_sz;
233 macaroon_location(macaroon, &macaroon_loc, &location_sz);
234 if (strncmp(reinterpret_cast<const char *>(macaroon_loc), m_location.c_str(), location_sz))
235 {
236 std::string location_str(reinterpret_cast<const char *>(macaroon_loc), location_sz);
237 m_log.Emsg("Access", "Macaroon is for incorrect location", location_str.c_str());
238 macaroon_verifier_destroy(verifier);
239 macaroon_destroy(macaroon);
240 return m_chain ? m_chain->Access(Entity, path, oper, env) : XrdAccPriv_None;
241 }
242
243 if (macaroon_verify(verifier, macaroon,
244 reinterpret_cast<const unsigned char *>(m_secret.c_str()),
245 m_secret.size(),
246 NULL, 0, // discharge macaroons
247 &mac_err))
248 {
249 m_log.Log(LogMask::Debug, "Access", "Macaroon verification failed");
250 macaroon_verifier_destroy(verifier);
251 macaroon_destroy(macaroon);
252 return m_chain ? m_chain->Access(Entity, path, oper, env) : XrdAccPriv_None;
253 }
254 macaroon_verifier_destroy(verifier);
255
256 const unsigned char *macaroon_id;
257 size_t id_sz;
258 macaroon_identifier(macaroon, &macaroon_id, &id_sz);
259
260 std::string macaroon_id_str(reinterpret_cast<const char *>(macaroon_id), id_sz);
261 m_log.Log(LogMask::Info, "Access", "Macaroon verification successful; ID", macaroon_id_str.c_str());
262 macaroon_destroy(macaroon);
263
264 // Copy the name, if present into the macaroon, into the credential object.
265 if (Entity && check_helper.GetSecName().size()) {
266 const std::string &username = check_helper.GetSecName();
267 m_log.Log(LogMask::Debug, "Access", "Setting the request name to", username.c_str());
268 Entity->eaAPI->Add("request.name", username,true);
269 }
270
271 // We passed verification - give the correct privilege.
272 return AddPriv(oper, XrdAccPriv_None);
273}
274
275bool Authz::Validate(const char *token,
276 std::string &emsg,
277 long long *expT,
278 XrdSecEntity *entP)
279{
280 macaroon_returncode mac_err = MACAROON_SUCCESS;
281 std::unique_ptr<struct macaroon, decltype(&macaroon_destroy)> macaroon(
282 macaroon_deserialize(token, &mac_err),
283 &macaroon_destroy);
284
285 if (!macaroon)
286 {
287 emsg = "Failed to deserialize the token as a macaroon";
288 // Purposely log at debug level in case if this validation is ever
289 // chained so we don't have overly-chatty logs.
290 m_log.Log(LogMask::Debug, "Validate", emsg.c_str());
291 return false;
292 }
293
294 std::unique_ptr<struct macaroon_verifier, decltype(&macaroon_verifier_destroy)> verifier(
295 macaroon_verifier_create(), &macaroon_verifier_destroy);
296 if (!verifier)
297 {
298 emsg = "Internal error: failed to create a verifier.";
299 m_log.Log(LogMask::Error, "Validate", emsg.c_str());
300 return false;
301 }
302
303 // Note the path and operation here are ignored as we won't use those validators
304 AuthzCheck check_helper("/", AOP_Read, m_max_duration, m_log);
305
306 if (macaroon_verifier_satisfy_general(verifier.get(), AuthzCheck::verify_before_s, &check_helper, &mac_err) ||
307 macaroon_verifier_satisfy_general(verifier.get(), validate_verify_empty, nullptr, &mac_err))
308 {
309 emsg = "Failed to configure the verifier";
310 m_log.Log(LogMask::Error, "Validate", emsg.c_str());
311 return false;
312 }
313
314 const unsigned char *macaroon_loc;
315 size_t location_sz;
316 macaroon_location(macaroon.get(), &macaroon_loc, &location_sz);
317 if (strncmp(reinterpret_cast<const char *>(macaroon_loc), m_location.c_str(), location_sz))
318 {
319 emsg = "Macaroon contains incorrect location: " +
320 std::string(reinterpret_cast<const char *>(macaroon_loc), location_sz);
321 m_log.Log(LogMask::Warning, "Validate", emsg.c_str(), ("all.sitename is " + m_location).c_str());
322 return false;
323 }
324
325 if (macaroon_verify(verifier.get(), macaroon.get(),
326 reinterpret_cast<const unsigned char *>(m_secret.c_str()),
327 m_secret.size(),
328 nullptr, 0,
329 &mac_err))
330 {
331 emsg = "Macaroon verification error" + (check_helper.GetErrorMessage().size() ?
332 (", " + check_helper.GetErrorMessage()) : "");
333 m_log.Log(LogMask::Warning, "Validate", emsg.c_str());
334 return false;
335 }
336
337 const unsigned char *macaroon_id;
338 size_t id_sz;
339 macaroon_identifier(macaroon.get(), &macaroon_id, &id_sz);
340 m_log.Log(LogMask::Info, "Validate", ("Macaroon verification successful; ID " +
341 std::string(reinterpret_cast<const char *>(macaroon_id), id_sz)).c_str());
342
343 return true;
344}
345
346
347AuthzCheck::AuthzCheck(const char *req_path, const Access_Operation req_oper, ssize_t max_duration, XrdSysError &log)
348 : m_max_duration(max_duration),
349 m_log(log),
350 m_path(NormalizeSlashes(req_path)),
351 m_oper(req_oper),
352 m_now(time(NULL))
353{
354 switch (m_oper)
355 {
356 case AOP_Any:
357 break;
358 case AOP_Chmod:
359 case AOP_Chown:
360 m_desired_activity = "UPDATE_METADATA";
361 break;
362 case AOP_Insert:
363 case AOP_Lock:
364 case AOP_Mkdir:
365 case AOP_Update:
366 case AOP_Create:
367 m_desired_activity = "MANAGE";
368 break;
369 case AOP_Rename:
370 case AOP_Excl_Create:
371 case AOP_Excl_Insert:
372 m_desired_activity = "UPLOAD";
373 break;
374 case AOP_Delete:
375 m_desired_activity = "DELETE";
376 break;
377 case AOP_Read:
378 m_desired_activity = "DOWNLOAD";
379 break;
380 case AOP_Readdir:
381 m_desired_activity = "LIST";
382 break;
383 case AOP_Stat:
384 m_desired_activity = "READ_METADATA";
385 };
386}
387
388
389int
390AuthzCheck::verify_before_s(void *authz_ptr,
391 const unsigned char *pred,
392 size_t pred_sz)
393{
394 return static_cast<AuthzCheck*>(authz_ptr)->verify_before(pred, pred_sz);
395}
396
397
398int
399AuthzCheck::verify_activity_s(void *authz_ptr,
400 const unsigned char *pred,
401 size_t pred_sz)
402{
403 return static_cast<AuthzCheck*>(authz_ptr)->verify_activity(pred, pred_sz);
404}
405
406
407int
408AuthzCheck::verify_path_s(void *authz_ptr,
409 const unsigned char *pred,
410 size_t pred_sz)
411{
412 return static_cast<AuthzCheck*>(authz_ptr)->verify_path(pred, pred_sz);
413}
414
415
416int
417AuthzCheck::verify_name_s(void *authz_ptr,
418 const unsigned char *pred,
419 size_t pred_sz)
420{
421 return static_cast<AuthzCheck*>(authz_ptr)->verify_name(pred, pred_sz);
422}
423
424
425int
426AuthzCheck::verify_before(const unsigned char * pred, size_t pred_sz)
427{
428 std::string pred_str(reinterpret_cast<const char *>(pred), pred_sz);
429 if (strncmp("before:", pred_str.c_str(), 7))
430 {
431 return 1;
432 }
433 m_log.Log(LogMask::Debug, "AuthzCheck", "Checking macaroon for expiration; caveat:", pred_str.c_str());
434
435 struct tm caveat_tm;
436 if (strptime(&pred_str[7], "%Y-%m-%dT%H:%M:%SZ", &caveat_tm) == nullptr)
437 {
438 m_emsg = "Failed to parse time string: " + pred_str.substr(7);
439 m_log.Log(LogMask::Warning, "AuthzCheck", m_emsg.c_str());
440 return 1;
441 }
442 caveat_tm.tm_isdst = -1;
443
444 time_t caveat_time = timegm(&caveat_tm);
445 if (-1 == caveat_time)
446 {
447 m_emsg = "Failed to generate unix time: " + pred_str.substr(7);
448 m_log.Log(LogMask::Warning, "AuthzCheck", m_emsg.c_str());
449 return 1;
450 }
451 if ((m_max_duration > 0) && (caveat_time > m_now + m_max_duration))
452 {
453 m_emsg = "Max token age is greater than configured max duration; rejecting";
454 m_log.Log(LogMask::Warning, "AuthzCheck", m_emsg.c_str());
455 return 1;
456 }
457
458 int result = (m_now >= caveat_time);
459 if (!result)
460 {
461 m_log.Log(LogMask::Debug, "AuthzCheck", "Macaroon has not expired.");
462 }
463 else
464 {
465 m_emsg = "Macaroon expired at " + pred_str.substr(7);
466 m_log.Log(LogMask::Debug, "AuthzCheck", m_emsg.c_str());
467 }
468 return result;
469}
470
471
472int
473AuthzCheck::verify_activity(const unsigned char * pred, size_t pred_sz)
474{
475 if (!m_desired_activity.size()) {return 1;}
476 std::string pred_str(reinterpret_cast<const char *>(pred), pred_sz);
477 if (strncmp("activity:", pred_str.c_str(), 9)) {return 1;}
478 m_log.Log(LogMask::Debug, "AuthzCheck", "running verify activity", pred_str.c_str());
479
480 std::stringstream ss(pred_str.substr(9));
481 for (std::string activity; std::getline(ss, activity, ','); )
482 {
483 // Any allowed activity also implies "READ_METADATA"
484 if (m_desired_activity == "READ_METADATA") {return 0;}
485 if ((activity == m_desired_activity) || ((m_desired_activity == "UPLOAD") && (activity == "MANAGE")))
486 {
487 m_log.Log(LogMask::Debug, "AuthzCheck", "macaroon has desired activity", activity.c_str());
488 return 0;
489 }
490 }
491 m_log.Log(LogMask::Info, "AuthzCheck", "macaroon does NOT have desired activity", m_desired_activity.c_str());
492 return 1;
493}
494
495
496int
497AuthzCheck::verify_path(const unsigned char * pred, size_t pred_sz)
498{
499 std::string pred_str_raw(reinterpret_cast<const char *>(pred), pred_sz);
500 if (strncmp("path:", pred_str_raw.c_str(), 5)) {return 1;}
501 std::string pred_str = NormalizeSlashes(pred_str_raw.substr(5));
502 m_log.Log(LogMask::Debug, "AuthzCheck", "running verify path", pred_str.c_str());
503
504 if ((m_path.find("/./") != std::string::npos) ||
505 (m_path.find("/../") != std::string::npos))
506 {
507 m_log.Log(LogMask::Info, "AuthzCheck", "invalid requested path", m_path.c_str());
508 return 1;
509 }
510
511 int result = strncmp(pred_str.c_str(), m_path.c_str(), pred_str.size());
512 if (!result)
513 {
514 m_log.Log(LogMask::Debug, "AuthzCheck", "path request verified for", m_path.c_str());
515 }
516 // READ_METADATA permission for /foo/bar automatically implies permission
517 // to READ_METADATA for /foo.
518 else if (m_oper == AOP_Stat)
519 {
520 result = strncmp(m_path.c_str(), pred_str.c_str(), m_path.size());
521 if (!result) {m_log.Log(LogMask::Debug, "AuthzCheck", "READ_METADATA path request verified for", m_path.c_str());}
522 else {m_log.Log(LogMask::Debug, "AuthzCheck", "READ_METADATA path request NOT allowed", m_path.c_str());}
523 }
524 else
525 {
526 m_log.Log(LogMask::Debug, "AuthzCheck", "path request NOT allowed", m_path.c_str());
527 }
528
529 return result;
530}
531
532
533int
534AuthzCheck::verify_name(const unsigned char * pred, size_t pred_sz)
535{
536 std::string pred_str(reinterpret_cast<const char *>(pred), pred_sz);
537 if (strncmp("name:", pred_str.c_str(), 5)) {return 1;}
538 if (pred_str.size() < 6) {return 1;}
539 m_log.Log(LogMask::Debug, "AuthzCheck", "Verifying macaroon with", pred_str.c_str());
540
541 // Make a copy of the name for the XrdSecEntity; this will be used later.
542 m_sec_name = pred_str.substr(5);
543
544 return 0;
545}
Access_Operation
Access_Operation
The following are supported operations.
Definition XrdAccAuthorize.hh:41
AOP_Delete
@ AOP_Delete
rm() or rmdir()
Definition XrdAccAuthorize.hh:45
AOP_Mkdir
@ AOP_Mkdir
mkdir()
Definition XrdAccAuthorize.hh:48
AOP_Update
@ AOP_Update
open() r/w or append
Definition XrdAccAuthorize.hh:53
AOP_Create
@ AOP_Create
open() with create
Definition XrdAccAuthorize.hh:44
AOP_Readdir
@ AOP_Readdir
opendir()
Definition XrdAccAuthorize.hh:50
AOP_Chmod
@ AOP_Chmod
chmod()
Definition XrdAccAuthorize.hh:42
AOP_Any
@ AOP_Any
Special for getting privs.
Definition XrdAccAuthorize.hh:41
AOP_Stat
@ AOP_Stat
exists(), stat()
Definition XrdAccAuthorize.hh:52
AOP_Rename
@ AOP_Rename
mv() for source
Definition XrdAccAuthorize.hh:51
AOP_Read
@ AOP_Read
open() r/o, prepare()
Definition XrdAccAuthorize.hh:49
AOP_Excl_Create
@ AOP_Excl_Create
open() with O_EXCL|O_CREAT
Definition XrdAccAuthorize.hh:54
AOP_Insert
@ AOP_Insert
mv() for target
Definition XrdAccAuthorize.hh:46
AOP_Lock
@ AOP_Lock
n/a
Definition XrdAccAuthorize.hh:47
AOP_Chown
@ AOP_Chown
chown()
Definition XrdAccAuthorize.hh:43
AOP_Excl_Insert
@ AOP_Excl_Insert
mv() where destination doesn't exist.
Definition XrdAccAuthorize.hh:55
XrdAccPrivs
XrdAccPrivs
Definition XrdAccPrivs.hh:39
XrdAccPriv_Mkdir
@ XrdAccPriv_Mkdir
Definition XrdAccPrivs.hh:46
XrdAccPriv_Chown
@ XrdAccPriv_Chown
Definition XrdAccPrivs.hh:41
XrdAccPriv_Insert
@ XrdAccPriv_Insert
Definition XrdAccPrivs.hh:44
XrdAccPriv_Lookup
@ XrdAccPriv_Lookup
Definition XrdAccPrivs.hh:47
XrdAccPriv_Rename
@ XrdAccPriv_Rename
Definition XrdAccPrivs.hh:48
XrdAccPriv_Update
@ XrdAccPriv_Update
Definition XrdAccPrivs.hh:52
XrdAccPriv_Read
@ XrdAccPriv_Read
Definition XrdAccPrivs.hh:49
XrdAccPriv_Lock
@ XrdAccPriv_Lock
Definition XrdAccPrivs.hh:45
XrdAccPriv_None
@ XrdAccPriv_None
Definition XrdAccPrivs.hh:53
XrdAccPriv_Delete
@ XrdAccPriv_Delete
Definition XrdAccPrivs.hh:43
XrdAccPriv_Create
@ XrdAccPriv_Create
Definition XrdAccPrivs.hh:42
XrdAccPriv_Readdir
@ XrdAccPriv_Readdir
Definition XrdAccPrivs.hh:50
XrdAccPriv_Chmod
@ XrdAccPriv_Chmod
Definition XrdAccPrivs.hh:40
emsg
int emsg(int rc, char *msg)
Definition XrdSectestServer.cc:309
Macaroons::Authz::Validate
virtual bool Validate(const char *token, std::string &emsg, long long *expT, XrdSecEntity *entP) override
Definition XrdMacaroonsAuthz.cc:275
Macaroons::Authz::Authz
Authz(XrdSysLogger *lp, const char *parms, XrdAccAuthorize *chain)
Definition XrdMacaroonsAuthz.cc:131
Macaroons::Authz::Access
virtual XrdAccPrivs Access(const XrdSecEntity *Entity, const char *path, const Access_Operation oper, XrdOucEnv *env) override
Definition XrdMacaroonsAuthz.cc:164
Macaroons::Handler::Config
static bool Config(const char *config, XrdOucEnv *env, XrdSysError *log, std::string &location, std::string &secret, ssize_t &max_duration, AuthzBehavior &behavior)
Definition XrdMacaroonsConfigure.cc:39
XrdAccAuthorize::XrdAccAuthorize
XrdAccAuthorize()
Constructor.
Definition XrdAccAuthorize.hh:134
XrdAccAuthorize::Access
virtual XrdAccPrivs Access(const XrdSecEntity *Entity, const char *path, const Access_Operation oper, XrdOucEnv *Env=0)=0
XrdOucEnv::Get
char * Get(const char *varname)
Definition XrdOucEnv.hh:69
XrdSecEntityAttr::Add
bool Add(XrdSecAttr &attr)
Definition XrdSecEntityAttr.cc:41
XrdSecEntity::credslen
int credslen
Length of the 'creds' data.
Definition XrdSecEntity.hh:78
XrdSecEntity::eaAPI
XrdSecEntityAttr * eaAPI
non-const API to attributes
Definition XrdSecEntity.hh:92
XrdSecEntity::prot
char prot[XrdSecPROTOIDSIZE]
Auth protocol used (e.g. krb5)
Definition XrdSecEntity.hh:67
XrdSecEntity::creds
char * creds
Raw entity credentials or cert.
Definition XrdSecEntity.hh:77
Macaroons::NormalizeSlashes
std::string NormalizeSlashes(const std::string &)
Definition XrdMacaroonsHandler.cc:57