SciTokens C++ Notebook
======================

This is a special type of jupyter notebook that is able to run C++ code, thanks to the [xeus-cling](https://github.com/jupyter-xeus/xeus-cling)

In this notebook, you will learn how to use the SciTokens C++ library.

- How to create a simple token
- How to validate a token
- How to query a token for access permissions

**NOTE**: For clarity, I will not be using all the C++ memory management tools, there are memory leaks!

Getting Started
---------------

First, we need to include the Scitokens library.  The noteboko technology, xeus-cling, has a specific way to include an external library. If you were compiling your own binary you would use the command line option like -lSciTokens.

In [None]:
#include <iostream>
#include <scitokens/scitokens.h>

In [None]:
#pragma cling add_library_path("/srv/conda/envs/notebook/lib")
#pragma cling load("libSciTokens")

Create an example private key and public key.  You can create these private and public keys with the openssl command:

```
$ openssl ecparam -name prime256v1 -genkey -noout -out private-key.pem
$ openssl ec -in private-key.pem -pubout -out public-key.pem
```

In [None]:
const char ec_private[] =
    "-----BEGIN EC PRIVATE KEY-----\n"
    "MHcCAQEEIESSMxT7PLTR9A/aqd+CM0/6vv6fQWqDm0mNx8uE9EbpoAoGCCqGSM49\n"
    "AwEHoUQDQgAE1i+ImZ//iQhOPh0OMfZzdbmPH+3G1ouWezolCugQYWIRqNmwq3zR\n"
    "EnTbe4EmymTpJ1MJTPP/tCEUP3G/QqQuhA==\n"
    "-----END EC PRIVATE KEY-----\n";

In [None]:
const char ec_public[] =
    "-----BEGIN PUBLIC KEY-----\n"
    "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1i+ImZ//iQhOPh0OMfZzdbmPH+3G\n"
    "1ouWezolCugQYWIRqNmwq3zREnTbe4EmymTpJ1MJTPP/tCEUP3G/QqQuhA==\n"
    "-----END PUBLIC KEY-----\n";

Now we can start creating our scitoken key which we will use to sign our scitokens.

In [None]:
char *err_msg = nullptr;

SciTokenKey mykey = scitoken_key_create("1", "ES256", ec_public, ec_private, &err_msg);

// Check to make sure the key was made
if (mykey == nullptr) {
    std::cout << err_msg << std::endl;
}

In [None]:
SciToken mytoken = scitoken_create(mykey);

// Check to make sure the token was created
if (mytoken == nullptr) {
    std::cout << "Failed to create token\n";
}

Set a claim value in the token, the `iss` (issuer) claim.

In [None]:
auto rv = scitoken_set_claim_string(
        mytoken, "iss", "https://demo.scitokens.org/gtest", &err_msg);
rv = scitoken_set_claim_string(mytoken, "ver", "scitoken:2.0",
                                   &err_msg);
rv = scitoken_set_claim_string(mytoken, "aud", "https://demo.scitokens.org/",
                                   &err_msg);

if (rv != 0) {
    std::cout << err_msg << std::endl;
}

Now, lets serialize the token and print out the token value!

In [None]:
char *value;
rv = scitoken_serialize(mytoken, &value, &err_msg);

if (rv != 0) {
    std::cout << err_msg << std::endl;
} else {
    std::cout << "The (encoded) token value is:" << std::endl;
    std::cout << value << std::endl;
}

## Validate a Token

Next, we will take the token we created above and validate it.  Since this is a fake token, without a public issuer, we will need to _fake_ an issuer by inserting the issuer information into the scitokens DB.

When you `deserialize` a token, it will do a minimal validation for you.  It will check that the token:

1. Is signed properly
2. Is not expired
3. Is from a list of approved issuers (or any issuer)

In [None]:
// First, insert the issuer into the database:
auto iss = "https://demo.scitokens.org/gtest";
scitoken_store_public_ec_key(iss, "1", ec_public, &err_msg);

We already set the iss attribute above to `"https://demo.scitokens.org/gtest"`, so we can use the token above already.  But, lets set some scopes as well.

In [None]:
auto rv = scitoken_set_claim_string(
        mytoken, "scope", "read:/test", &err_msg);

if (rv != 0) {
    std::cout << err_msg << std::endl;
}

rv = scitoken_set_claim_string(mytoken, "ver", "scitoken:2.0",
                                   &err_msg);
if (rv != 0) {
    std::cout << err_msg << std::endl;
}

In [None]:
char *value;
rv = scitoken_serialize(mytoken, &value, &err_msg);

if (rv != 0) {
    std::cout << err_msg << std::endl;
} else {
    std::cout << "The (encoded) token value is:" << std::endl;
    std::cout << value << std::endl;
}

Now, lets read in that token `value` to deserialize it.

In [None]:
SciToken token;
err_msg = nullptr;
auto rv = scitoken_deserialize(value, &token, nullptr, &err_msg);
std::cout << "Success: " << std::endl;

if (err_msg == nullptr)
    std::cout << "err_msg = nullptr" << std::endl;
else
    std::cout << err_msg << std::endl;

if (rv != 0) {
    std::cout << "Error: " << err_msg << std::endl;
} else {
    std::cout << "Token: " << rv << std::endl;
    std::cout << "Success: " << token << std::endl;
}


In [None]:
char* iss_value;
auto rv = scitoken_get_claim_string(
        token, "iss", &iss_value, &err_msg);

if (rv != 0) {
    std::cout << "Error: " << err_msg << std::endl;
} else {
    std::cout << "RV: " << rv << std::endl;
    std::cout << "iss_value: " << iss_value << std::endl;
}

// Destroy the token
scitoken_destroy(token);


## Testing Permissions

The SciTokens library additionally has the ability to "query" the token for access writes.  For example, you can ask the token: Do you allow reading to `/home/jane` directory?

Next, we will add scopes to the token we have been working with, then query the token to determine permissions given to the token.  Scopes have the form of `<authz>:<path>`

### Client

This first part is creating the the SciToken, it is usually performed on the client side.

In [None]:
// Create a new token
mytoken = scitoken_create(mykey);

// Similar to how we have added the iss claim, we will add scp
auto rv = scitoken_set_claim_string(
        mytoken, "scope", "read:/home/jane", &err_msg);

We also have to set the `aud` (audience), `ver` (version), and `iss` (issuer) claims on the token.

In [None]:
auto rv = scitoken_set_claim_string(
        mytoken, "aud", "https://demo.scitokens.org/", &err_msg);

if (rv != 0) {
    std::cout << err_msg << std::endl;
}
rv = scitoken_set_claim_string(mytoken, "ver", "scitoken:2.0",
                                   &err_msg);

if (rv != 0) {
    std::cout << err_msg << std::endl;
}

rv = scitoken_set_claim_string(mytoken, "iss", "https://demo.scitokens.org/gtest",
                                   &err_msg);

if (rv != 0) {
    std::cout << err_msg << std::endl;
}


In [None]:
char *value;
rv = scitoken_serialize(mytoken, &value, &err_msg);

if (rv != 0) {
    std::cout << err_msg << std::endl;
} else {
    std::cout << "The (encoded) token value is:" << std::endl;
    std::cout << value << std::endl;
}

### Server Side

On the server side, we will

1. Parse the token
2. Test it's permissions across some examples.

In [None]:
SciToken server_token;
auto rv = scitoken_deserialize(value, &server_token, nullptr, &err_msg);
if (rv != 0) {
    std::cout << err_msg << std::endl;
} else {
    std::cout << "Token deserialized!" << std::endl;
}

Test getting the scope value back from the deserialized token.

In [None]:
char* scope_value;
auto rv = scitoken_get_claim_string(
        server_token, "scope", &scope_value, &err_msg);

if (rv != 0) {
    std::cout << "Error: " << err_msg << std::endl;
} else {
    std::cout << "Scope: " << scope_value << std::endl;
}

We have to set the allowed audiences on the server.  As the server, we set the audience, usually to an URL, that represents the service receiving the token.

The audience is designed to protect against token theft.  A token can't be used everywhere, it only works at the audiences listed in the token.  One of the audiences in the server must exactly match one of the audiences in the token.

In [None]:
// We have to set what audiences we represent, to make sure the token was meant for us
std::vector<const char *> audiences_array;
audiences_array.push_back("https://demo.scitokens.org/");
audiences_array.push_back(nullptr);

Create an enforcer which will be used to query the token.

In [None]:
auto enforcer = enforcer_create("https://demo.scitokens.org/gtest",
                                    &audiences_array[0], &err_msg);
if (rv != 0) {
    std::cout << "Error: " << err_msg << std::endl;
} else {
    std::cout << "Enforcer: " << enforcer << std::endl;
}

### Test a simple read!

In [None]:
Acl acl;
acl.authz = "read";
acl.resource = "/home/jane";
rv = enforcer_test(enforcer, server_token, &acl, &err_msg);

if (rv == 0) {
    // In C, 0 is success (no error)
    // Allow access
    std::cout << "Allow access!" << std::endl;
} else {
    std::cout << "Deny access: " << rv << ", Message: " << err_msg << std::endl;
}

### Test writing to the same directory

In [None]:
Acl acl;
acl.authz = "write";
acl.resource = "/home/jane";
rv = enforcer_test(enforcer, server_token, &acl, &err_msg);

if (rv == 0) {
    std::cout << "Allow access!" << std::endl;
} else {
    std::cout << "Deny access: " << rv << ", Message: " << err_msg << std::endl;
}

### Test writing to a file below the `/home/jane` directory

In [None]:
Acl acl;
acl.authz = "read";
acl.resource = "/home/jane/file/test.txt";
rv = enforcer_test(enforcer, server_token, &acl, &err_msg);

if (rv == 0) {
    // In C, 0 is success (no error)
    // Allow access
    std::cout << "Allow access!" << std::endl;
} else {
    std::cout << "Deny access: " << rv << ", Message: " << err_msg << std::endl;
}

# Conclusion

We have:

1. Created a token
2. Serialize and Deserialize a token
3. Test a token against authorization