Add support for multiple token profiles.

Allows one to parse and validate the WLCG and SciTokens 2.0 profile.

Author: bbockelm

src/scitokens.cpp

@@ -67,6 +67,14 @@ int scitoken_set_claim_string(SciToken token, const char *key, const char *value
 }
 
 
+void scitoken_set_serialize_mode(SciToken token, SciTokenProfile profile) {
+    scitokens::SciToken *real_token = reinterpret_cast<scitokens::SciToken*>(token);
+    if (real_token == nullptr) {return;}
+
+    real_token->set_serialize_mode(static_cast<scitokens::SciToken::Profile>(profile));
+}
+
+
 int scitoken_get_claim_string(const SciToken token, const char *key, char **value, char **err_msg) {
     scitokens::SciToken *real_token = reinterpret_cast<scitokens::SciToken*>(token);
     std::string claim_str;
@@ -165,6 +173,13 @@ Validator validator_create() {
     return new Validator();
 }
 
+
+void validator_set_token_profile(Validator validator, SciTokenProfile profile) {
+    if (validator == nullptr) {return;}
+    auto real_validator = reinterpret_cast<scitokens::Validator*>(validator);
+    real_validator->set_validate_profile(static_cast<scitokens::SciToken::Profile>(profile));
+}
+
 int validator_add(Validator validator, const char *claim, StringValidatorFunction validator_func, char **err_msg) {
     if (validator == nullptr) {
         if (err_msg) {*err_msg = strdup("Validator may not be a null pointer");}
@@ -257,6 +272,14 @@ void enforcer_acl_free(Acl *acls) {
 }
 
 
+void enforcer_set_validate_profile(Enforcer enf, SciTokenProfile profile) {
+    if (enf == nullptr) {return;}
+
+    auto real_enf = reinterpret_cast<scitokens::Enforcer*>(enf);
+    real_enf->set_validate_profile(static_cast<scitokens::SciToken::Profile>(profile));
+}
+
+
 int enforcer_generate_acls(const Enforcer enf, const SciToken scitoken, Acl **acls, char **err_msg) {
     if (enf == nullptr) {
         if (err_msg) {*err_msg = strdup("Enforcer may not be a null pointer");}

src/scitokens.h

@@ -20,6 +20,21 @@ typedef struct Acl_s {
 }
 Acl;
 
+/**
+ * Determine the mode we will use to validate tokens.
+ * - COMPAT mode (default) indicates any supported token format
+ *   is acceptable.  Where possible, the scope names are translated into
+ *   equivalent SciTokens 1.0 claim names (i.e., storage.read -> read; storage.write -> write).
+ * - SCITOKENS_1_0, SCITOKENS_2_0, WLCG_1_0: only accept these specific profiles.
+ *   No automatic translation is performed.
+ */
+typedef enum _profile {
+    COMPAT = 0,
+    SCITOKENS_1_0,
+    SCITOKENS_2_0,
+    WLCG_1_0
+} SciTokenProfile;
+
 SciTokenKey scitoken_key_create(const char *key_id, const char *algorithm, const char *public_contents, const char *private_contents, char **err_msg);
 
 void scitoken_key_destroy(SciTokenKey private_key);
@@ -38,10 +53,22 @@ void scitoken_set_lifetime(SciToken token, int lifetime);
 
 int scitoken_serialize(const SciToken token, char **value, char **err_msg);
 
+/**
+ * Set the profile used for serialization; if COMPAT mode is used, then
+ * the library default is utilized (currently, scitokens 1.0).
+ */
+void scitoken_set_serialize_mode(SciToken token, SciTokenProfile profile);
+
 int scitoken_deserialize(const char *value, SciToken *token, char const* const* allowed_issuers, char **err_msg);
 
 Validator validator_create();
 
+/**
+ * Set the profile used for validating the tokens; COMPAT (default) will accept any known token
+ * type while others will only support that specific profile.
+ */
+void validator_set_token_profile(Validator, SciTokenProfile profile);
+
 int validator_add(Validator validator, const char *claim, StringValidatorFunction validator_func, char **err_msg);
 
 int validator_add_critical_claims(Validator validator, const char **claims, char **err_msg);
@@ -52,6 +79,12 @@ Enforcer enforcer_create(const char *issuer, const char **audience, char **err_m
 
 void enforcer_destroy(Enforcer);
 
+/**
+ * Set the profile used for enforcing ACLs; when set to COMPAT (default), then the authorizations
+ * will be converted to SciTokens 1.0-style authorizations (so, WLCG's storage.read becomes read).
+ */
+void enforcer_set_validate_profile(Enforcer, SciTokenProfile profile);
+
 int enforcer_generate_acls(const Enforcer enf, const SciToken scitokens, Acl **acls, char **err_msg);
 
 void enforcer_acl_free(Acl *acls);

src/scitokens_internal.cpp

@@ -336,6 +336,9 @@ SciToken::deserialize(const std::string &data, const std::vector<std::string> al
 
     // Set all the claims
     m_claims = m_decoded->get_payload_claims();
+
+    // Copy over the profile
+    m_profile = val.get_profile();
 }
 
 
@@ -491,6 +494,7 @@ scitokens::Enforcer::scope_validator(const jwt::claim &claim, void *myself) {
     std::string requested_path = normalize_absolute_path(me->m_test_path);
     auto scope_iter = scope.begin();
     //std::cout << "Comparing scope " << scope << " against test accesses " << me->m_test_authz << ":" << requested_path << std::endl;
+    bool compat_modify = false, compat_create = false, compat_cancel = false;
     while (scope_iter != scope.end()) {
         while (*scope_iter == ' ') {scope_iter++;}
         auto next_scope_iter = std::find(scope_iter, scope.end(), ' ');
@@ -507,6 +511,25 @@ scitokens::Enforcer::scope_validator(const jwt::claim &claim, void *myself) {
         }
         path = normalize_absolute_path(path);
 
+        // If we are in compatibility mode and this is a WLCG token, then translate the authorization
+        // names to utilize the SciToken-style names.
+        if (me->m_validate_profile == SciToken::Profile::COMPAT &&
+            me->m_validator.get_profile() == SciToken::Profile::WLCG_1_0) {
+            if (authz == "storage.read") {
+                authz = "read";
+            } else if (authz == "storage.write") {
+                authz = "write";
+            } else if (authz == "compute.read") {
+                authz = "condor:/READ";
+            } else if (authz == "compute.modify") {
+                compat_modify = true;
+            } else if (authz == "compute.create") {
+                compat_create = true;
+            } else if (authz == "compute.cancel") {
+                compat_cancel = true;
+            }
+        }
+
         if (me->m_test_authz.empty()) {
             me->m_gen_acls.emplace_back(authz, path);
         } else if ((me->m_test_authz == authz) &&
@@ -516,5 +539,17 @@ scitokens::Enforcer::scope_validator(const jwt::claim &claim, void *myself) {
 
         scope_iter = next_scope_iter;
     }
+
+    // Compatibility mode: the combination on compute modify, create, and cancel mode are equivalent
+    // to the condor:/WRITE authorization.
+    if (compat_modify && compat_create && compat_cancel) {
+        if (me->m_test_authz.empty()) {
+            me->m_gen_acls.emplace_back("condor", "/WRITE");
+        } else if ((me->m_test_authz == "condor") &&
+                   (requested_path.substr(0, 6) == "/WRITE")) {
+            return true;
+        }
+    }
+
     return me->m_test_authz.empty();
 }

src/scitokens_internal.h

@@ -111,6 +111,14 @@ class SciToken {
 friend class scitokens::Validator;
 
 public:
+
+    enum class Profile {
+        COMPAT = 0,
+        SCITOKENS_1_0,
+        SCITOKENS_2_0,
+        WLCG_1_0
+    };
+
     SciToken(SciTokenKey &signing_algorithm)
         : m_key(signing_algorithm)
     {}
@@ -121,6 +129,11 @@ friend class scitokens::Validator;
         if (key == "iss") {m_issuer_set = true;}
     }
 
+    void
+    set_serialize_mode(Profile profile) {
+        m_serialize_profile = profile;
+    }
+
     const jwt::claim
     get_claim(const std::string &key) {
         return m_claims[key];
@@ -162,6 +175,20 @@ friend class scitokens::Validator;
         uuid_unparse_lower(uuid, uuid_str);
         m_claims["jti"] = std::string(uuid_str);
 
+        if (m_serialize_profile == Profile::SCITOKENS_2_0) {
+            m_claims["ver"] = std::string("scitokens:2.0");
+            auto iter = m_claims.find("aud");
+            if (iter == m_claims.end()) {
+                m_claims["aud"] = std::string("ANY");
+            }
+        } else if (m_serialize_profile == Profile::WLCG_1_0) {
+            m_claims["wlcg_ver"] = std::string("1.0");
+            auto iter = m_claims.find("aud");
+            if (iter == m_claims.end()) {
+                m_claims["aud"] = std::string("https://wlcg.cern.ch/jwt/v1/any");
+            }
+        }
+
         // Set all the payload claims
         for (auto it : m_claims) {
             builder.set_payload_claim(it.first, it.second);
@@ -176,6 +203,8 @@ friend class scitokens::Validator;
 private:
     bool m_issuer_set{false};
     int m_lifetime{600};
+    Profile m_profile{Profile::SCITOKENS_1_0};
+    Profile m_serialize_profile{Profile::COMPAT};
     std::unordered_map<std::string, jwt::claim> m_claims;
     std::unique_ptr<jwt::decoded_jwt> m_decoded;
     SciTokenKey &m_key;
@@ -252,19 +281,62 @@ class Validator {
                 throw jwt::token_verification_exception("'ver' claim value must be a string (if present)");
             }
             std::string ver_string = claim.as_string();
-            if (ver_string == "scitoken:2.0") {
+            if (ver_string == "scitokens:2.0") {
                 must_verify_everything = false;
+                if ((m_validate_profile != SciToken::Profile::COMPAT) &&
+                    (m_validate_profile != SciToken::Profile::SCITOKENS_2_0))
+                {
+                    throw jwt::token_verification_exception("Invalidate token type; not expecting a SciToken 2.0.");
+                }
+                m_profile = SciToken::Profile::SCITOKENS_2_0;
                 if (!jwt.has_payload_claim("aud")) {
                     throw jwt::token_verification_exception("'aud' claim required for SciTokens 2.0 profile");
                 }
             }
-            else if (ver_string == "scitokens:1.0") must_verify_everything = m_validate_all_claims;
-            else {
+            else if (ver_string == "scitokens:1.0") {
+                must_verify_everything = m_validate_all_claims;
+                if ((m_validate_profile != SciToken::Profile::COMPAT) &&
+                    (m_validate_profile != SciToken::Profile::SCITOKENS_1_0))
+                {
+                    throw jwt::token_verification_exception("Invalidate token type; not expecting a SciToken 1.0.");
+                }
+                m_profile = SciToken::Profile::SCITOKENS_1_0;
+            } else {
                 std::stringstream ss;
                 ss << "Unknown profile version in token: " << ver_string;
                 throw jwt::token_verification_exception(ss.str());
             }
+            // Handle WLCG common JWT profile.
+        } else if (jwt.has_payload_claim("wlcg.ver")) {
+            if ((m_validate_profile != SciToken::Profile::COMPAT) &&
+                (m_validate_profile != SciToken::Profile::WLCG_1_0))
+            {
+                throw jwt::token_verification_exception("Invalidate token type; not expecting a WLCG 1.0.");
+            }
+
+            m_profile = SciToken::Profile::WLCG_1_0;
+            must_verify_everything = false;
+            const jwt::claim &claim = jwt.get_payload_claim("wlcg.ver");
+            if (claim.get_type() != jwt::claim::type::string) {
+                throw jwt::token_verification_exception("'ver' claim value must be a string (if present)");
+            }
+            std::string ver_string = claim.as_string();
+            if (ver_string != "1.0") {
+                std::stringstream ss;
+                ss << "Unknown WLCG profile version in token: " << ver_string;
+                throw jwt::token_verification_exception(ss.str());
+            }
+            if (!jwt.has_payload_claim("aud")) {
+                throw jwt::token_verification_exception("Malformed token: 'aud' claim required for WLCG profile");
+            }
         } else {
+            if ((m_validate_profile != SciToken::Profile::COMPAT) &&
+                (m_validate_profile != SciToken::Profile::SCITOKENS_1_0))
+            {
+                throw jwt::token_verification_exception("Invalidate token type; not expecting a SciToken 1.0.");
+            }
+
+            m_profile = SciToken::Profile::SCITOKENS_1_0;
             must_verify_everything = m_validate_all_claims;
         }
 
@@ -339,13 +411,38 @@ class Validator {
         m_validate_all_claims = new_val;
     }
 
+    /**
+     * Get the profile of the last validated token.
+     *
+     * If there has been no validation - or the validation failed,
+     * then the return value is unspecified.
+     *
+     * Will not return Profile::COMPAT.
+     */
+    SciToken::Profile get_profile() const {
+        if (m_profile == SciToken::Profile::COMPAT) {
+            throw jwt::token_verification_exception("Token profile has not been set.");
+        }
+        return m_profile;
+    }
+
+    /**
+     * Set the profile that will be used for validation; COMPAT indicates any supported profile
+     * is allowable.
+     */
+    void set_validate_profile(SciToken::Profile profile) {
+        m_validate_profile = profile;
+    }
+
 private:
     void get_public_key_pem(const std::string &issuer, const std::string &kid, std::string &public_pem, std::string &algorithm);
     void get_public_keys_from_web(const std::string &issuer, picojson::value &keys, int64_t &next_update, int64_t &expires);
     bool get_public_keys_from_db(const std::string issuer, int64_t now, picojson::value &keys, int64_t &next_update);
     bool store_public_keys(const std::string &issuer, const picojson::value &keys, int64_t next_update, int64_t expires);
 
     bool m_validate_all_claims{true};
+    SciToken::Profile m_profile{SciToken::Profile::COMPAT};
+    SciToken::Profile m_validate_profile{SciToken::Profile::COMPAT};
     ClaimStringValidatorMap m_validators;
     ClaimValidatorMap m_claim_validators;
 
@@ -377,6 +474,10 @@ class Enforcer {
         m_validator.add_critical_claims(critical_claims);
     }
 
+    void set_validate_profile(SciToken::Profile profile) {
+        m_validate_profile = profile;
+    }
+
     bool test(const SciToken &scitoken, const std::string &authz, const std::string &path) {
         reset_state();
         m_test_path = path;
@@ -407,21 +508,26 @@ class Enforcer {
 
     static bool aud_validator(const jwt::claim &claim, void *myself) {
         auto me = reinterpret_cast<scitokens::Enforcer*>(myself);
+        std::vector<std::string> jwt_audiences;
         if (claim.get_type() == jwt::claim::type::string) {
             const std::string &audience = claim.as_string();
-            if ((audience == "ANY") && !me->m_audiences.empty()) {return true;}
-            for (const auto &aud : me->m_audiences) {
-                if (aud == audience) {return true;}
-            }
+            jwt_audiences.push_back(audience);
         } else if (claim.get_type() == jwt::claim::type::array) {
             const picojson::array &audiences = claim.as_array();
             for (const auto &aud_value : audiences) {
-                if (!aud_value.is<std::string>()) {continue;}
-                std::string audience = aud_value.get<std::string>();
-                if ((audience == "ANY") && !me->m_audiences.empty()) {return true;}
-                for (const auto &aud : me->m_audiences) {
-                    if (aud == audience) {return true;}
-                }
+                const std::string &audience = aud_value.get<std::string>();
+                jwt_audiences.push_back(audience);
+            }
+        }
+        for (const auto &aud_value : jwt_audiences) {
+            if (((me->m_validator.get_profile() == SciToken::Profile::SCITOKENS_2_0) && (aud_value == "ANY")) ||
+                ((me->m_validator.get_profile() == SciToken::Profile::WLCG_1_0) && (aud_value == "https://wlcg.cern.ch/jwt/v1/any"))
+               )
+            {
+                return true;
+            }
+            for (const auto &aud : me->m_audiences) {
+                if (aud == aud_value) {return true;}
             }
         }
         return false;
@@ -431,8 +537,11 @@ class Enforcer {
         m_test_path = "";
         m_test_authz = "";
         m_gen_acls.clear();
+        m_validator.set_validate_profile(m_validate_profile);
     }
 
+    SciToken::Profile m_validate_profile{SciToken::Profile::COMPAT};
+
     std::string m_test_path;
     std::string m_test_authz;
     AclsList m_gen_acls;