From bea5eff85b35038112d59f9efda7f6308060a43b Mon Sep 17 00:00:00 2001
From: Brian Bockelman
Date: Wed, 19 Jun 2019 16:40:46 -0500
Subject: [PATCH 1/2] Ensure macros are expanded for Macaroon authz. If an environment object isn't passed to the configuration stream (even an empty one will do!), then macros will silently not be expanded.
---
 src/XrdMacaroons/XrdMacaroonsAuthz.cc | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/XrdMacaroons/XrdMacaroonsAuthz.cc b/src/XrdMacaroons/XrdMacaroonsAuthz.cc
index 76e90cc4f08..6456b288095 100644
--- a/src/XrdMacaroons/XrdMacaroonsAuthz.cc
+++ b/src/XrdMacaroons/XrdMacaroonsAuthz.cc
@@ -112,7 +112,8 @@ Authz::Authz(XrdSysLogger *log, char const *config, XrdAccAuthorize *chain)
 m_authz_behavior(static_cast(Handler::AuthzBehavior::PASSTHROUGH))
 {
 Handler::AuthzBehavior behavior(Handler::AuthzBehavior::PASSTHROUGH);
- if (!Handler::Config(config, nullptr, &m_log, m_location, m_secret, m_max_duration, behavior))
+ XrdOucEnv env;
+ if (!Handler::Config(config, &env, &m_log, m_location, m_secret, m_max_duration, behavior))
 {
 throw std::runtime_error("Macaroon authorization config failed.");
 }
From 59fcc5ba371793427e7d4c7254854b25bc213385 Mon Sep 17 00:00:00 2001
From: Brian Bockelman
Date: Wed, 19 Jun 2019 16:44:02 -0500
Subject: [PATCH 2/2] Do not log entire macaroon. We must extract out only the location substring when logging an invalid location.
---
 src/XrdMacaroons/XrdMacaroonsAuthz.cc | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/XrdMacaroons/XrdMacaroonsAuthz.cc b/src/XrdMacaroons/XrdMacaroonsAuthz.cc
index 6456b288095..081a04ab876 100644
--- a/src/XrdMacaroons/XrdMacaroonsAuthz.cc
+++ b/src/XrdMacaroons/XrdMacaroonsAuthz.cc
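Review bot: In the Authz constructor hunk of PATCH 1/2, the new `XrdOucEnv env;` local reads as an unused object, and nothing at the call site says that passing it instead of `nullptr` is what enables macro expansion. I would put the reason in a comment directly above it, e.g. `// Config needs a non-null XrdOucEnv (an empty one is enough) or macros are left unexpanded.`, so a later cleanup does not revert it. The commit message says the failure is silent, and this call fills in `m_location` and `m_secret`, so a startup check or log line for values that still contain an unexpanded macro would make a regression visible; that part is inferred, since Handler::Config is outside the hunk. The constructor's initializer list begins above the hunk.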
@@ -196,7 +196,8 @@ Authz::Access(const XrdSecEntity *Entity, const char *path,
 macaroon_location(macaroon, &macaroon_loc, &location_sz);
 if (strncmp(reinterpret_cast(macaroon_loc), m_location.c_str(), location_sz))
 {
- m_log.Emsg("Access", "Macaroon is for incorrect location", reinterpret_cast(macaroon_loc));
+ std::string location_str(reinterpret_cast(macaroon_loc), location_sz);
+ m_log.Emsg("Access", "Macaroon is for incorrect location", location_str.c_str());
 macaroon_verifier_destroy(verifier);
 macaroon_destroy(macaroon);
 return m_chain ? m_chain->Access(Entity, path, oper, env) : XrdAccPriv_None;
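Review bot: The location check on the context line just above the fix is a prefix comparison: `strncmp(..., location_sz)` compares only the token's own `location_sz` bytes, so a location shorter than `m_location` (including a zero-length one) compares equal and never reaches this rejection branch. Putting a length test in front of the `strncmp`, `location_sz != m_location.size() ||`, would make it an exact match, assuming `m_location` is a std::string as its `c_str()` call suggests. Separately, `location_str` is still token-supplied bytes written to the log; capping its length and replacing non-printable characters before `Emsg` would keep a malformed token from putting line breaks into the log. Access() starts and continues outside this hunk, so whether later verification also constrains the location cannot be seen here.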