Add support for scitokens verifiers.

Author: bbockelm

src/scitokens.cpp

@@ -99,7 +99,7 @@ int scitoken_serialize(const SciToken token, char **value, char **err_msg) {
     return 0;
 }
 
-int scitoken_deserialize(const char *value, SciToken *token, char **err_msg) {
+int scitoken_deserialize(const char *value, SciToken *token, char **allowed_issuers, char **err_msg) {
     if (value == nullptr) {
         if (err_msg) {*err_msg = strdup("Token may not be NULL");}
         return -1;
@@ -112,8 +112,15 @@ int scitoken_deserialize(const char *value, SciToken *token, char **err_msg) {
     scitokens::SciTokenKey key;
     scitokens::SciToken *real_token = new scitokens::SciToken(key);
 
+    std::vector<std::string> allowed_issuers_vec;
+    if (allowed_issuers != nullptr) {
+        for (int idx=0; allowed_issuers[idx]; idx++) {
+            allowed_issuers_vec.push_back(allowed_issuers[idx]);
+        }
+    }
+
     try {
-        real_token->deserialize(value);
+        real_token->deserialize(value, allowed_issuers_vec);
     } catch (std::exception &exc) {
         if (err_msg) {
             *err_msg = strdup(exc.what());
@@ -125,13 +132,49 @@ int scitoken_deserialize(const char *value, SciToken *token, char **err_msg) {
 }
 
 Validator validator_create() {
-    return nullptr;
+    return new Validator();
 }
 
-int validator_add(ValidatorFunction validator_func) {
-    return -1;
+int validator_add(Validator validator, const char *claim, ValidatorFunction validator_func, char **err_msg) {
+    if (validator == nullptr) {
+        if (err_msg) {*err_msg = strdup("Validator may not be a null pointer");}
+        return -1;
+    }
+    auto real_validator = reinterpret_cast<scitokens::Validator*>(validator);
+    if (claim == nullptr) {
+        if (err_msg) {*err_msg = strdup("Claim name may not be a null pointer");}
+        return -1;
+    }
+    if (validator_func == nullptr) {
+        if (err_msg) {*err_msg = strdup("Validator function may not be a null pointer");}
+        return -1;
+    }
+    real_validator->add_string_validator(claim, validator_func);
+    return 0;
 }
 
+int validator_add_critical_claims(Validator validator, const char **claims, char **err_msg) {
+    if (validator == nullptr) {
+        if (err_msg) {*err_msg = strdup("Validator may not be a null pointer");}
+        return -1;
+    }
+    auto real_validator = reinterpret_cast<scitokens::Validator*>(validator);
+    if (claims == nullptr) {
+        if (err_msg) {*err_msg = strdup("Claim list may not be a null pointer");}
+        return -1;
+    }
+    std::vector<std::string> claims_vec;
+    for (int idx=0; claims[idx]; idx++) {
+        claims_vec.push_back(claims[idx]);
+    }
+    real_validator->add_critical_claims(claims_vec);
+    return 0;
+}
+
+
+int validator_validate(Validator validator, SciToken scitoken, char **err_msg);
+
+
 Enforcer enforcer(const char *issuer, const char **audience) {
     return nullptr;
 }

src/scitokens.h

@@ -36,11 +36,15 @@ void scitoken_set_lifetime(SciToken token, int lifetime);
 
 int scitoken_serialize(const SciToken token, char **value, char **err_msg);
 
-int scitoken_deserialize(const char *value, SciToken *token, char **err_msg);
+int scitoken_deserialize(const char *value, SciToken *token, char **allowed_issuers, char **err_msg);
 
 Validator validator_create();
 
-int validator_add(ValidatorFunction validator_func);
+int validator_add(Validator validator, const char *claim, ValidatorFunction validator_func, char **err_msg);
+
+int validator_add_critical_claims(Validator validator, const char **claims, char **err_msg);
+
+int validator_validate(Validator validator, SciToken scitoken, char **err_msg);
 
 Enforcer enforcer(const char *issuer, const char **audience);
 

src/scitokens_internal.cpp

@@ -1,5 +1,6 @@
 
 #include <memory>
+#include <sstream>
 
 #include <curl/curl.h>
 #include <jwt-cpp/base.h>
@@ -259,13 +260,61 @@ rs256_from_coords(const std::string &e_str, const std::string &n_str) {
     return result;
 }
 
+
+/**
+ * Normalize path: collapse etc.
+ * >>> normalize_path('/a/b///c')
+ * '/a/b/c'
+ */
+std::string
+normalize_absolute_path(const std::string &path) {
+    if ((path == "//") || (path == "/") || (path == "")) {
+        return "/";
+    }
+    std::vector<std::string> path_components;
+    auto path_iter = path.begin();
+    while (path_iter != path.end()) {
+        while (*path_iter == '/') {path_iter++;}
+        auto next_path_iter = std::find(path_iter, path.end(), '/');
+        std::string component;
+        component.reserve(std::distance(path_iter, next_path_iter));
+        component.assign(path_iter, next_path_iter);
+        path_components.push_back(component);    
+        path_iter = next_path_iter;
+    }
+    std::vector<std::string> path_components_filtered;
+    path_components_filtered.reserve(path_components.size());
+    for (const auto &component : path_components) {
+        if (component == "..") {
+            path_components_filtered.pop_back();
+        } else if (!component.empty() && component != ".") {
+            path_components_filtered.push_back(component);
+        }
+    }
+    std::stringstream ss;
+    for (const auto &component : path_components_filtered) {
+        ss << "/" << component;
+    }
+    std::string result = ss.str();
+    return result.empty() ? "/" : result;
 }
 
+
+int empty_validator(const char *, char **) {
+    return 0;
+}
+
+
+}
+
+
 void
-SciToken::deserialize(const std::string &data) {
+SciToken::deserialize(const std::string &data, const std::vector<std::string> allowed_issuers) {
     m_decoded.reset(new jwt::decoded_jwt(data));
 
     scitokens::Validator val;
+    val.add_allowed_issuers(allowed_issuers);
+    val.set_validate_all_claims_scitokens_1(false);
     val.verify(*m_decoded);
 }
 

src/scitokens_internal.h

@@ -1,5 +1,6 @@
 
 #include <memory>
+#include <sstream>
 
 #include <jwt-cpp/jwt.h>
 
@@ -133,7 +134,7 @@ class SciToken {
     }
 
     void
-    deserialize(const std::string &data);
+    deserialize(const std::string &data, std::vector<std::string> allowed_issuers={});
 
 private:
     bool m_issuer_set{false};
@@ -145,6 +146,9 @@ class SciToken {
 
 class Validator {
 
+    typedef int (*ValidatorFunction)(const char *value, char **err_msg);
+    typedef std::map<std::string, std::vector<ValidatorFunction>> ClaimValidatorMap;
+
 public:
     void verify(jwt::decoded_jwt &jwt) {
         if (!jwt.has_payload_claim("iat")) {
@@ -162,6 +166,27 @@ class Validator {
         if (!jwt.has_header_claim("kid")) {
             throw jwt::token_verification_exception("'kid' claim is mandatory");
         }
+        if (!m_allowed_issuers.empty()) {
+            std::string issuer = jwt.get_issuer();
+            bool permitted = false;
+            for (const auto &allowed_issuer : m_allowed_issuers) {
+                 if (issuer == allowed_issuer) {
+                     permitted = true;
+                     break;
+                 }
+            }
+            if (!permitted) {
+                throw jwt::token_verification_exception("Token issuer is not in list of allowed issuers.");
+            }
+        }
+
+        for (const auto &claim : m_critical_claims) {
+            if (!jwt.has_payload_claim(claim)) {
+                std::stringstream ss;
+                ss << "'" << claim << "' claim is mandatory";
+                throw jwt::token_verification_exception(ss.str());
+            }
+        }
 
         std::string public_pem;
         std::string algorithm;
@@ -172,13 +197,90 @@ class Validator {
             .allow_algorithm(key);
 
         verifier.verify(jwt);
+
+        bool must_verify_everything = true;
+        if (jwt.has_payload_claim("ver")) {
+            const jwt::claim &claim = jwt.get_payload_claim("ver");
+            if (claim.get_type() != jwt::claim::type::string) {
+                throw jwt::token_verification_exception("'ver' claim value must be a string (if present)");
+            }
+            std::string ver_string = claim.as_string();
+            if (ver_string == "scitoken:2.0") must_verify_everything = false;
+            else if (ver_string == "scitokens:1.0") must_verify_everything = m_validate_all_claims;
+            else {
+                std::stringstream ss;
+                ss << "Unknown profile version in token: " << ver_string;
+                throw jwt::token_verification_exception(ss.str());
+            }
+        } else {
+            must_verify_everything = m_validate_all_claims;
+        }
+
+        for (const auto &claim_pair : jwt.get_payload_claims()) {
+             if (claim_pair.first == "iat" || claim_pair.first == "nbf" || claim_pair.first == "exp") {
+                 continue;
+             }
+             auto iter = m_validators.find(claim_pair.first);
+             if (iter == m_validators.end() || iter->second.empty()) {
+                 bool is_issuer = claim_pair.first == "iss";
+                 if (is_issuer && !m_allowed_issuers.empty()) {
+                     // skip; we verified it above
+                 } else if (must_verify_everything) {
+                     std::stringstream ss;
+                     ss << "'" << claim_pair.first << "' claim verification is mandatory";
+                     throw jwt::token_verification_exception(ss.str());
+                 }
+             }
+             for (const auto verification_func : iter->second) {
+                 const jwt::claim &claim = jwt.get_payload_claim(claim_pair.first);
+                 if (claim.get_type() != jwt::claim::type::string) {
+                     std::stringstream ss;
+                     ss << "'" << claim_pair.first << "' claim value must be a string to verify.";
+                     throw jwt::token_verification_exception(ss.str());
+                 }
+                 std::string value = claim.as_string();
+                 char * err_msg = nullptr;
+                 if (verification_func(value.c_str(), &err_msg)) {
+                     if (err_msg) {
+                         throw jwt::token_verification_exception(err_msg);
+                     } else {
+                         std::stringstream ss;
+                         ss << "'" << claim_pair.first << "' claim verification failed.";
+                         throw jwt::token_verification_exception(ss.str());
+                     }
+                 }
+             }
+        }
+    }
+
+    void add_critical_claims(const std::vector<std::string> &claims) {
+        std::copy(claims.begin(), claims.end(), std::back_inserter(m_critical_claims));
+    }
+
+    void add_allowed_issuers(const std::vector<std::string> &allowed_issuers) {
+        std::copy(allowed_issuers.begin(), allowed_issuers.end(), std::back_inserter(m_allowed_issuers));
+    }
+
+    void add_string_validator(const std::string &claim, ValidatorFunction func) {
+        auto result = m_validators.insert({claim, std::vector<ValidatorFunction>()});
+        result.first->second.push_back(func);
+    }
+
+    void set_validate_all_claims_scitokens_1(bool new_val) {
+        m_validate_all_claims = new_val;
     }
 
 private:
     void get_public_key_pem(const std::string &issuer, const std::string &kid, std::string &public_pem, std::string &algorithm);
     void get_public_keys_from_web(const std::string &issuer, picojson::value &keys, int64_t &next_update, int64_t &expires);
     bool get_public_keys_from_db(const std::string issuer, int64_t now, picojson::value &keys, int64_t &next_update);
     bool store_public_keys(const std::string &issuer, const picojson::value &keys, int64_t next_update, int64_t expires);
+
+    bool m_validate_all_claims{true};
+    ClaimValidatorMap m_validators;
+
+    std::vector<std::string> m_critical_claims;
+    std::vector<std::string> m_allowed_issuers;
 };
 
 }

src/test.cpp

@@ -44,7 +44,7 @@ int main(int argc, const char** argv) {
     //std::string test_value = "eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiIsImtpZCI6ImtleS1lczI1NiJ9.eyJpc3MiOiJodHRwczovL2RlbW8uc2NpdG9rZW5zLm9yZyIsImV4cCI6MTU0NjM4OTU5MiwiaWF0IjoxNTQ2Mzg4OTkyLCJuYmYiOjE1NDYzODg5OTIsImp0aSI6IjRkMzM2MTU5LWMxMDEtNGRhYy1iYzI5LWI5NDQ3ZDRkY2IxZSJ9.VfSCPj79IfdVCZHw8n0RJJupbaSU0OqMWxRVAnVUNvk1SCz0Ep3O06Boe5I0SRiZR8_0jzHw9vHZ0YOT_0kPAw";
     std::string test_value = "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6ImtleS1yczI1NiJ9.eyJpc3MiOiJodHRwczovL2RlbW8uc2NpdG9rZW5zLm9yZyIsImV4cCI6MTU0NjM5MjAwOSwiaWF0IjoxNTQ2MzkxNDA5LCJuYmYiOjE1NDYzOTE0MDksImp0aSI6ImFkYTk2MjdiLWExMGYtNGMyYS05Nzc2LTE4ZThkN2JmN2M4NSJ9.cNMG5zI2-JHh7l_PUPUAxom5Vi6Q3akKmv6q57CoVKHtxZAZRc47Uoix_AH3Xzr42qohr2FPamRTxUMsfZjrAFDJ_4JhJ-kKjJ3cRXXF-gj7lbniCDGOBuPXeMsVmeED15nauZ3XKXUHTGLEsg5O6RjS7sGKM_e9YiYvcTvWXcdkrkxZ2dPPU-R3IxdK6PtE9OB2XOk85H670OAJT3qimKm8Dk_Ri6DEEty1Su_1Tov3ac5B19iZkbhhVPMVP0cRolR9UNLhMxQAsbgEmArQOcs046AOzqQz6osOkdYOrVVO7lO2owUyMol94mB_39y1M8jcf5WNq3ukMMIzMCAPwA";
 
-    if (scitoken_deserialize(test_value.c_str(), &scitoken, &err_msg)) {
+    if (scitoken_deserialize(test_value.c_str(), &scitoken, nullptr, &err_msg)) {
         std::cout << "Failed to deserialize a token: " << err_msg << std::endl;
         return 1;
     }

src/verify.cpp

@@ -11,7 +11,7 @@ int main(int argc, const char** argv) {
 
     SciToken scitoken;
     char *err_msg = nullptr;
-    if (scitoken_deserialize(token.c_str(), &scitoken, &err_msg)) {
+    if (scitoken_deserialize(token.c_str(), &scitoken, nullptr, &err_msg)) {
         std::cout << "Failed to deserialize a token: " << err_msg << std::endl;
         return 1;
     }