Implement ACL generation for the enforcer.

bbockelm · bbockelm · commit 1670a090f9f3 · 2019-01-02T20:43:35.000-06:00
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -37,6 +37,9 @@ target_link_libraries(scitokens-verify SciTokens)
 add_executable(scitokens-test-access src/test_access.cpp)
 target_link_libraries(scitokens-test-access SciTokens)
 
+add_executable(scitokens-list-access src/list_access.cpp)
+target_link_libraries(scitokens-list-access SciTokens)
+
 if (NOT DEFINED LIB_INSTALL_DIR)
   SET(LIB_INSTALL_DIR "lib")
 endif()
diff --git a/src/list_access.cpp b/src/list_access.cpp
@@ -0,0 +1,44 @@
+#include <iostream>
+
+#include "scitokens.h"
+
+int main(int argc, const char** argv) {
+    if (argc < 4) {
+        std::cerr << "Usage: " << argv[0] << " (TOKEN) (ISSUER) (AUDIENCE)" << std::endl;
+        return 1;
+    }
+    std::string token(argv[1]);
+    std::string issuer(argv[2]);
+    std::string audience(argv[3]);
+
+    const char *aud_list[2];
+    aud_list[0] = audience.c_str();
+    aud_list[1] = nullptr;
+
+    SciToken scitoken;
+    char *err_msg = nullptr;
+    if (scitoken_deserialize(token.c_str(), &scitoken, nullptr, &err_msg)) {
+        std::cout << "Failed to deserialize a token: " << err_msg << std::endl;
+        return 1;
+    }
+    std::cout << "Token deserialization successful.  Checking authorizations." << std::endl;
+    Enforcer enf;
+    if (!(enf = enforcer_create(issuer.c_str(), aud_list, &err_msg))) {
+        std::cout << "Failed to create a new enforcer object: " << err_msg << std::endl;
+        return 1;
+    }
+    Acl *acls;
+    if (enforcer_generate_acls(enf, scitoken, &acls, &err_msg)) {
+        std::cout << "ACL generation failed: " << err_msg << std::endl;
+        return 1;
+    }
+    std::cout << "Start of ACLs:" << std::endl;
+    for (int idx=0; acls[idx].authz && acls[idx].resource; idx++) {
+        std::cout << "ACL: " << acls[idx].authz << ":" << acls[idx].resource << std::endl;
+    }
+    std::cout << "End of ACLs:" << std::endl;
+
+    enforcer_destroy(enf);
+    return 0;
+}
+
diff --git a/src/scitokens.cpp b/src/scitokens.cpp
@@ -218,12 +218,49 @@ void enforcer_destroy(Enforcer enf) {
     delete real_enf;
 }
 
+void enforcer_acl_free(Acl *acls) {
+    for (int idx=0; acls[idx].authz == nullptr && acls[idx].resource == nullptr; idx++) {
+        free(const_cast<char *>(acls[idx].authz));
+        free(const_cast<char *>(acls[idx].resource));
+    }
+    free(acls);
+}
 
-int enforcer_generate_acls(const Enforcer enf, const SciToken sci, char **Acl, char **err_msg) {
-    if (err_msg) {
-        *err_msg = strdup("This function is not implemented");
+
+int enforcer_generate_acls(const Enforcer enf, const SciToken scitoken, Acl **acls, char **err_msg) {
+    if (enf == nullptr) {
+        if (err_msg) {*err_msg = strdup("Enforcer may not be a null pointer");}
+        return -1;
     }
-    return -1;
+    auto real_enf = reinterpret_cast<scitokens::Enforcer*>(enf);
+    if (scitoken == nullptr) {
+        if (err_msg) {*err_msg = strdup("SciToken may not be a null pointer");}
+        return -1;
+    }
+    auto real_scitoken = reinterpret_cast<scitokens::SciToken*>(scitoken);
+
+    scitokens::Enforcer::AclsList acls_list;
+    try {
+         acls_list = real_enf->generate_acls(*real_scitoken);
+    } catch (std::exception &exc) {
+        if (err_msg) {*err_msg = strdup(exc.what());}
+        return -1;
+    }
+    Acl *acl_result = static_cast<Acl*>(malloc((acls_list.size() + 1)*sizeof(Acl)));
+    size_t idx = 0;
+    for (const auto &acl : acls_list) {
+        acl_result[idx].authz = strdup(acl.first.c_str());
+        acl_result[idx].resource = strdup(acl.second.c_str());
+        if (acl_result[idx].authz == nullptr || acl_result[idx].resource == nullptr) {
+            enforcer_acl_free(acl_result);
+            return -1;
+        }
+        idx++;
+    }
+    acl_result[idx].authz = nullptr;
+    acl_result[idx].resource = nullptr;
+    *acls = acl_result;
+    return 0;
 }
 
 
@@ -245,7 +282,7 @@ int enforcer_test(const Enforcer enf, const SciToken scitoken, const Acl *acl, c
 
     try {
         return real_enf->test(*real_scitoken, acl->authz, acl->resource) == true ? 0 : -1;
-    } catch (std::exception exc) {
+    } catch (std::exception &exc) {
         if (err_msg) {*err_msg = strdup(exc.what());}
         return -1;
     }
diff --git a/src/scitokens.h b/src/scitokens.h
@@ -50,7 +50,7 @@ Enforcer enforcer_create(const char *issuer, const char **audience, char **err_m
 
 void enforcer_destroy(Enforcer);
 
-int enforcer_generate_acls(const Enforcer enf, const SciToken sci, char **Acl, char **err_msg);
+int enforcer_generate_acls(const Enforcer enf, const SciToken scitokens, Acl **acls, char **err_msg);
 
 int enforcer_test(const Enforcer enf, const SciToken sci, const Acl *acl, char **err_msg);
 
diff --git a/src/scitokens_internal.cpp b/src/scitokens_internal.cpp
@@ -465,13 +465,13 @@ scitokens::Enforcer::scope_validator(const jwt::claim &claim, void *myself) {
         path = normalize_absolute_path(path);
 
         if (me->m_test_authz.empty()) {
-            return false;  // TODO: implement ACL generation.
+            me->m_gen_acls.emplace_back(authz, path);
         } else if ((me->m_test_authz == authz) &&
                    (requested_path.substr(0, path.size()) == path)) {
             return true;
         }
 
         scope_iter = next_scope_iter;
     }
-    return false;
+    return me->m_test_authz.empty();
 }
diff --git a/src/scitokens_internal.h b/src/scitokens_internal.h
@@ -326,6 +326,8 @@ class Validator {
 class Enforcer {
 
 public:
+    typedef std::vector<std::pair<std::string, std::string>> AclsList;
+
     Enforcer(std::string issuer, std::vector<std::string> audience_list)
       : m_issuer(issuer), m_audiences(audience_list)
     {
@@ -351,6 +353,12 @@ class Enforcer {
         }
     }
 
+    AclsList generate_acls(const SciToken &scitoken) {
+        reset_state();
+        m_validator.verify(scitoken);
+        return m_gen_acls;
+    }
+
 private:
 
     static bool all_validator(const jwt::claim &, void *) {return true;}
@@ -386,10 +394,12 @@ class Enforcer {
     void reset_state() {
         m_test_path = "";
         m_test_authz = "";
+        m_gen_acls.clear();
     }
 
     std::string m_test_path;
     std::string m_test_authz;
+    AclsList m_gen_acls;
 
     std::string m_issuer;
     std::vector<std::string> m_audiences;

Original file line number	Diff line number	Diff line change
`@@ -465,13 +465,13 @@ scitokens::Enforcer::scope_validator(const jwt::claim &claim, void *myself) {`
`465`	`465`	`path = normalize_absolute_path(path);`
`466`	`466`
`467`	`467`	`if (me->m_test_authz.empty()) {`
`468`		`- return false; // TODO: implement ACL generation.`
	`468`	`+ me->m_gen_acls.emplace_back(authz, path);`
`469`	`469`	`} else if ((me->m_test_authz == authz) &&`
`470`	`470`	`(requested_path.substr(0, path.size()) == path)) {`
`471`	`471`	`return true;`
`472`	`472`	`}`
`473`	`473`
`474`	`474`	`scope_iter = next_scope_iter;`
`475`	`475`	`}`
`476`		`- return false;`
	`476`	`+ return me->m_test_authz.empty();`
`477`	`477`	`}`