Add first version of the enforcer.

Can only test for access, not including ACLs.

Author: bbockelm

CMakeLists.txt

@@ -29,10 +29,13 @@ target_link_libraries(SciTokens ${LIBCRYPTO_LIBRARIES} ${CURL_LIBRARIES} ${SQLIT
 set_target_properties(SciTokens PROPERTIES LINK_FLAGS "-Wl,--version-script=${PROJECT_SOURCE_DIR}/configs/export-symbols")
 
 add_executable(scitokens-test src/test.cpp)
-target_link_libraries(scitokens-test SciTokens ${LIBCRYPTO_LIB})
+target_link_libraries(scitokens-test SciTokens)
 
 add_executable(scitokens-verify src/verify.cpp)
-target_link_libraries(scitokens-verify SciTokens ${LIBCRYPTO_LIB})
+target_link_libraries(scitokens-verify SciTokens)
+
+add_executable(scitokens-test-access src/test_access.cpp)
+target_link_libraries(scitokens-test-access SciTokens)
 
 if (NOT DEFINED LIB_INSTALL_DIR)
   SET(LIB_INSTALL_DIR "lib")

src/scitokens.cpp

@@ -135,7 +135,7 @@ Validator validator_create() {
     return new Validator();
 }
 
-int validator_add(Validator validator, const char *claim, ValidatorFunction validator_func, char **err_msg) {
+int validator_add(Validator validator, const char *claim, StringValidatorFunction validator_func, char **err_msg) {
     if (validator == nullptr) {
         if (err_msg) {*err_msg = strdup("Validator may not be a null pointer");}
         return -1;
@@ -172,21 +172,82 @@ int validator_add_critical_claims(Validator validator, const char **claims, char
 }
 
 
-int validator_validate(Validator validator, SciToken scitoken, char **err_msg);
+int validator_validate(Validator validator, SciToken scitoken, char **err_msg) {
+    if (validator == nullptr) {
+        if (err_msg) {*err_msg = strdup("Validator may not be a null pointer");}
+        return -1;
+    }
+    auto real_validator = reinterpret_cast<scitokens::Validator*>(validator);
+    if (scitoken == nullptr) {
+        if (err_msg) {*err_msg = strdup("SciToken may not be a null pointer");}
+        return -1;
+    }
+    auto real_scitoken = reinterpret_cast<scitokens::SciToken*>(scitoken);
+
+    try {
+        real_validator->verify(*real_scitoken);
+    } catch (std::exception exc) {
+        if (err_msg) {*err_msg = strdup(exc.what());}
+        return -1;
+    }
+    return 0;
+}
 
 
-Enforcer enforcer(const char *issuer, const char **audience) {
-    return nullptr;
+Enforcer enforcer_create(const char *issuer, const char **audience_list, char **err_msg) {
+    if (issuer == nullptr) {
+        if (err_msg) {*err_msg = strdup("Issuer may not be a null pointer");}
+        return nullptr;
+    }
+    std::vector<std::string> aud_list;
+    if (audience_list != nullptr) {
+        for (int idx=0; audience_list[idx]; idx++) {
+            aud_list.push_back(audience_list[idx]);
+        }
+    }
+
+    return new scitokens::Enforcer(issuer, aud_list);
 }
 
+
+void enforcer_destroy(Enforcer enf) {
+    if (enf == nullptr) {
+        return;
+    }
+    auto real_enf = reinterpret_cast<scitokens::Enforcer*>(enf);
+    delete real_enf;
+}
+
+
 int enforcer_generate_acls(const Enforcer enf, const SciToken sci, char **Acl, char **err_msg) {
     if (err_msg) {
         *err_msg = strdup("This function is not implemented");
     }
     return -1;
 }
 
-int enforcer_test(const Enforcer enf, const SciToken sci, const Acl *acl) {
-    return -1;
-}
 
+int enforcer_test(const Enforcer enf, const SciToken scitoken, const Acl *acl, char **err_msg) {
+    if (enf == nullptr) {
+        if (err_msg) {*err_msg = strdup("Enforcer may not be a null pointer");}
+        return -1;
+    }
+    auto real_enf = reinterpret_cast<scitokens::Enforcer*>(enf);
+    if (scitoken == nullptr) {
+        if (err_msg) {*err_msg = strdup("SciToken may not be a null pointer");}
+        return -1;
+    }
+    auto real_scitoken = reinterpret_cast<scitokens::SciToken*>(scitoken);
+    if (acl == nullptr) {
+        if (err_msg) {*err_msg = strdup("ACL may not be a null pointer");}
+        return -1;
+    }
+
+    try {
+        return real_enf->test(*real_scitoken, acl->authz, acl->resource) == true ? 0 : -1;
+    } catch (std::exception exc) {
+        if (err_msg) {*err_msg = strdup(exc.what());}
+        return -1;
+    }
+    return 0;
+}

src/scitokens.h

@@ -13,10 +13,10 @@ typedef void * SciToken;
 typedef void * Validator;
 typedef void * Enforcer;
 
-typedef int (*ValidatorFunction)(const char *value, char **err_msg);
+typedef int (*StringValidatorFunction)(const char *value, char **err_msg);
 typedef struct Acl_s {
-char *authz;
-char *resource;
+    const char *authz;
+    const char *resource;
 }
 Acl;
 
@@ -40,17 +40,19 @@ int scitoken_deserialize(const char *value, SciToken *token, char **allowed_issu
 
 Validator validator_create();
 
-int validator_add(Validator validator, const char *claim, ValidatorFunction validator_func, char **err_msg);
+int validator_add(Validator validator, const char *claim, StringValidatorFunction validator_func, char **err_msg);
 
 int validator_add_critical_claims(Validator validator, const char **claims, char **err_msg);
 
 int validator_validate(Validator validator, SciToken scitoken, char **err_msg);
 
-Enforcer enforcer(const char *issuer, const char **audience);
+Enforcer enforcer_create(const char *issuer, const char **audience, char **err_msg);
+
+void enforcer_destroy(Enforcer);
 
 int enforcer_generate_acls(const Enforcer enf, const SciToken sci, char **Acl, char **err_msg);
 
-int enforcer_test(const Enforcer enf, const SciToken sci, const Acl *acl);
+int enforcer_test(const Enforcer enf, const SciToken sci, const Acl *acl, char **err_msg);
 
 #ifdef __cplusplus
 }

src/scitokens_internal.cpp

@@ -437,3 +437,41 @@ Validator::get_public_key_pem(const std::string &issuer, const std::string &kid,
     algorithm = alg;
 }
 
+
+bool
+scitokens::Enforcer::scope_validator(const jwt::claim &claim, void *myself) {
+    auto me = reinterpret_cast<scitokens::Enforcer*>(myself);
+    if (claim.get_type() != jwt::claim::type::string) {
+        return false;
+    }
+    std::string scope = claim.as_string();
+    std::string requested_path = normalize_absolute_path(me->m_test_path);
+    auto scope_iter = scope.begin();
+    //std::cout << "Comparing scope " << scope << " against test accesses " << me->m_test_authz << ":" << requested_path << std::endl;
+    while (scope_iter != scope.end()) {
+        while (*scope_iter == ' ') {scope_iter++;}
+        auto next_scope_iter = std::find(scope_iter, scope.end(), ' ');
+        std::string full_authz;
+        full_authz.reserve(std::distance(scope_iter, next_scope_iter));
+        full_authz.assign(scope_iter, next_scope_iter);
+        auto sep_iter = full_authz.find(':');
+        std::string authz = full_authz.substr(0, sep_iter);
+        std::string path;
+        if (sep_iter == std::string::npos) {
+            path = "/";
+        } else {
+            path = full_authz.substr((++sep_iter));
+        }
+        path = normalize_absolute_path(path);
+
+        if (me->m_test_authz.empty()) {
+            return false;  // TODO: implement ACL generation.
+        } else if ((me->m_test_authz == authz) &&
+                   (requested_path.substr(0, path.size()) == path)) {
+            return true;
+        }
+
+        scope_iter = next_scope_iter;
+    }
+    return false;
+}