# SciTokens C++ Notebook

In this notebook, you will learn how to use the C++ library to authenticate a token and test it's permissions.  You will learn:

1. How to create a token
2. How to authenticate a token
3. How to test permissions on a token

First, we need to perform the normal C++ includes, along with some jupyter notebook specific configuration to load the scitokens library.

In [1]:
#include <scitokens/scitokens.h>
#include <fstream>
#include <iostream>
#include <getopt.h>
#pragma cling add_library_path("/srv/conda/envs/notebook/lib")
#pragma cling load("libSciTokens")

Import an existing private key.  This private key was taken from the tests distributed with the scitokens-cpp library.

In [2]:
const char ec_private[] = "-----BEGIN EC PRIVATE KEY-----\n"
"MHcCAQEEIESSMxT7PLTR9A/aqd+CM0/6vv6fQWqDm0mNx8uE9EbpoAoGCCqGSM49\n"
"AwEHoUQDQgAE1i+ImZ//iQhOPh0OMfZzdbmPH+3G1ouWezolCugQYWIRqNmwq3zR\n"
"EnTbe4EmymTpJ1MJTPP/tCEUP3G/QqQuhA==\n"
"-----END EC PRIVATE KEY-----\n";

const char ec_public[] = "-----BEGIN PUBLIC KEY-----\n"
"MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1i+ImZ//iQhOPh0OMfZzdbmPH+3G\n"
"1ouWezolCugQYWIRqNmwq3zREnTbe4EmymTpJ1MJTPP/tCEUP3G/QqQuhA==\n"
"-----END PUBLIC KEY-----\n";

Next, create a token with the above keys.  We will be using proper memory management, which requires the use of `unique_ptr` and other mechanisms.

In [3]:
// Place to put error messages
char *err_msg;

// Create the key.  On out of scope, delete the key with "scitoken_key_destroy" function
std::unique_ptr<void, decltype(&scitoken_key_destroy)> mykey(
    scitoken_key_create("1", "ES256", ec_public, ec_private, &err_msg),
    scitoken_key_destroy);

// Create the token, mytoken.  On out of scope, delete the token with "scitoken_destory".
std::unique_ptr<void, decltype(&scitoken_destroy)>
    mytoken(scitoken_create(mykey.get()), scitoken_destroy);

// Set an arbitrary issuer that doesn't exist.
auto rv = scitoken_set_claim_string(mytoken.get(), "iss",
    "https://demo.scitokens.org/gtest", &err_msg);

// Serialize the token and get the token back in "value", which will need to be cleaned up later.
char *value;
rv = scitoken_serialize(mytoken.get(), &value, &err_msg);
if (rv) {
    std::cout << "Failed to serialize token with error: " << err_msg << std::endl;
}
std::unique_ptr<char, decltype(&free)> value_ptr(value, free);

std::cout << "Token is: " << value_ptr.get() << std::endl;

Token is: eyJhbGciOiJFUzI1NiIsImtpZCI6IjEifQ.eyJleHAiOjE2Njc0ODU3MDgsImlhdCI6MTY2NzQ4NTEwOCwiaXNzIjoiaHR0cHM6XC9cL2RlbW8uc2NpdG9rZW5zLm9yZ1wvZ3Rlc3QiLCJqdGkiOiI1ZDNiYmJhNy05MjI2LTRjNDYtOWRkMS0yOGIyNWFlNTY0MjgiLCJuYmYiOjE2Njc0ODUxMDh9.0jm9zWc0nGqveZ8CBusFZ0r7ppUHMGpXdmqCYuAG6nAoSjDfnXem6Wr6r26CciUZlq8tCbQ91UjdlrWeyRe7sQ


## Authenticating a Token

Next, we will take the token we just created above and verify that it is a valid token.

**Note**: Since the token above uses an issuer that does not exist, so we have to inject the issuer into the scitokens-cpp keycache manually.  This step is not necessary in a production environment as the issuers will provide the public keys through HTTPs

In [4]:
rv = scitoken_store_public_ec_key("https://demo.scitokens.org/gtest", "1", ec_public, &err_msg);
if (rv) {
    std::cout << "Failed to store the key in the keycache: " << err_msg << std::endl;
}

Deserialize the token, which will automatically check the cryptographic signature and the expiration and issued at time to confirm the token is valid.

In [None]:
using TokenPtr = std::unique_ptr<void, decltype(&scitoken_destroy)>;
TokenPtr m_read_token{nullptr, scitoken_destroy};

rv = scitoken_deserialize_v2(value_ptr.get(), m_read_token.get(), nullptr, &err_msg);
if (rv) {
    std::cout << "Failed to deserialize the token, error: " << err_msg << std::endl;
}


In [None]:
#pragma cling add_library_path("/srv/conda/envs/notebook/lib")
#pragma cling load("libSciTokens")

std::string token;
token = "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6ImtleS1yczI1NiJ9.eyJ2ZXIiOiJzY2l0b2tlbjoyLjAiLCJhdWQiOiJodHRwczovL2RlbW8uc2NpdG9rZW5zLm9yZyIsImlzcyI6Imh0dHBzOi8vZGVtby5zY2l0b2tlbnMub3JnIiwiZXhwIjoxNjY3NDQwNzc3LCJpYXQiOjE2Njc0NDAxNzcsIm5iZiI6MTY2NzQ0MDE3NywianRpIjoiOWE2ZTRkY2MtMmE1YS00MWVlLTkyYzgtNzExNjkyODgwN2EyIiwic2NvcGUiOiJyZWFkOi9ibGFoIn0.fxTc9YsCbtbT-1qAFmLareqSuSNwkG-jRYEpBqiVt2UqVUbWWsUk59V9XHwZQgz82gONkZ5deBAsOCQZpP8CjX5jU4kZK4l5300vcM4OSdXMrqEJy2D3DV1Yve_qpCgpnEx2NdeMXvthIBCnh6uN-OaQ3GBeHCq33gbs44bKRfC-5qU7Xf6x7Q-VYwNwJYvhCFrDOy3ucVjIOOsPxfaLr4MnYwG62DHuZLTK4bEl5-QdMsWRF0d_tFHMrRA7Xu1FU_NlDSd7NM3I69OeTJs9UCxrRzOkll4LexmfBGdJuNLkwpKoE9_2LLw4a3Ik9p22vgskxG6D_MBRLfGEBeeY1A";
SciToken scitoken;
char *err_msg = nullptr;
if (scitoken_deserialize(token.c_str(), &scitoken, nullptr, &err_msg)) {
    std::cout << "Failed to deserialize a token: " << err_msg << std::endl;
    return 1;
}
std::cout << "Token deserialization successful." << std::endl;


In [None]:
scitoken

In [None]:
const char *aud_list[2];
aud_list[0] = "https://demo.scitokens.org";
aud_list[1] = nullptr;
std::string issuer = "https://demo.scitokens.org";
const Acl acl {"read", "/blah"};

Enforcer enf;
if (!(enf = enforcer_create(issuer.c_str(), aud_list, &err_msg))) {
    std::cout << "Failed to create a new enforcer object: " << err_msg << std::endl;
    return 1;
}
Acl *acls;
if (enforcer_test(enf, scitoken, &acl, &err_msg)) {
    if (err_msg) {std::cout << "Access test failed: " << err_msg << std::endl;}
    else {std::cout << "Access test failed." << std::endl;}
    return 1;
}
std::cout << "Access test successful." << std::endl;

enforcer_destroy(enf);