From c775b17462a4a43547a82b86e4a663977b97fc82 Mon Sep 17 00:00:00 2001
From: Andreas Joachim Peters
Date: Wed, 15 Feb 2023 16:35:08 +0100
Subject: [PATCH] [XrdSciTokens] Add global option 'validation = none' to disable token validation during ZTN handshakes

---
 src/XrdSciTokens/README.md | 4 ++++
 src/XrdSciTokens/XrdSciTokensAccess.cc | 19 +++++++++++++++++--
 2 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/src/XrdSciTokens/README.md b/src/XrdSciTokens/README.md
index 87d4948ac51..6eaa030c1d2 100644
--- a/src/XrdSciTokens/README.md
+++ b/src/XrdSciTokens/README.md
@@ -88,6 +88,10 @@ Within the `Global` section, the available attributes are:
 group or issuer information from the token. The username is only populated if either scope-based mapping or the mapfile-based approach is successful.
+ - `validation` (optional): when the library is used for ZTN authentication the Validate() function is called as part of the
+ ZTN handshake. To disable validating tokens during the ZTN handshake this variable can be set to the following value:
+ - `none`: Don't validate a token during the ZTN handshake. This is useful when the passed token is not handled by the SciToken library!
+
 Each section name specifying a new issuer *MUST* be prefixed with `Issuer`. Known attributes are:
diff --git a/src/XrdSciTokens/XrdSciTokensAccess.cc b/src/XrdSciTokens/XrdSciTokensAccess.cc
index 22699bd67d3..96a3fc11759 100644
--- a/src/XrdSciTokens/XrdSciTokensAccess.cc
+++ b/src/XrdSciTokens/XrdSciTokensAccess.cc
@@ -425,7 +425,8 @@ class XrdAccSciTokens : public XrdAccAuthorize, public XrdSciTokensHelper
 m_chain(chain),
 m_parms(parms ? parms : ""),
 m_next_clean(monotonic_time() + m_expiry_secs),
- m_log(lp, "scitokens_")
+ m_log(lp, "scitokens_"),
+ m_validation(true)
 {
 pthread_rwlock_init(&m_config_lock, nullptr);
 m_config_lock_initialized = true;
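Review bot: `m_validation` is now initialized twice: here in the constructor initializer list with `m_validation(true)` and again by the default member initializer `bool m_validation{true};` added in the last hunk of this file. One of the two is redundant; since the member already carries its default at the declaration, I would drop the initializer-list entry and restore `m_log(lp, "scitokens_")` without the trailing comma, so the ctor only sets what differs from the defaults. The constructor body continues outside the hunk.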
@@ -618,6 +619,11 @@ class XrdAccSciTokens : public XrdAccAuthorize, public XrdSciTokensHelper
 {
 // Just check if the token is valid, no scope checking
+ // Consider if validation is disabled
+ if (!m_validation) {
+ return true;
+ }
+
 // Deserialize the token
 SciToken scitoken;
 char *err_msg;
@@ -1064,6 +1070,15 @@ class XrdAccSciTokens : public XrdAccAuthorize, public XrdSciTokensHelper
 [](unsigned char c){ return std::tolower(c); });
 if (section_lower.substr(0, 6) == "global") {
+ auto validation = reader.Get(section, "validation", "");
+ if (!validation.empty()) {
+ if (validation == "none") {
+ m_validation = false;
+ m_log.Say("------ XrdAccSciTokens: disabling validation ...");
+ continue;
+ }
+ }
+
 auto audience = reader.Get(section, "audience", "");
 if (!audience.empty()) {
 size_t pos = 0;
@@ -1225,7 +1240,7 @@ class XrdAccSciTokens : public XrdAccAuthorize, public XrdSciTokensHelper
 XrdSysError m_log;
 AuthzBehavior m_authz_behavior{AuthzBehavior::PASSTHROUGH};
 std::string m_cfg_file;
-
+ bool m_validation{true};
 static constexpr uint64_t m_expiry_secs = 60;
 };
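Review bot: The early `return true` reports success without touching any of the values Validate hands back to its caller (the signature is above the hunk); if the function reports an expiry time or error message through out-parameters, the ZTN caller will read whatever those held before the call on this path, so they should be given a defined value before returning. The comment also understates what the branch does; I would replace it with `// 'validation = none' was configured: the token is accepted as-is, without deserialization or any signature/expiry check, and must be validated by other means.` Separately, `m_validation` is written by the configuration parser and read here with no lock in view; if reconfiguration can run concurrently with Validate, make it `std::atomic<bool>` or read it under the config lock. Validate's body continues outside the hunk.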
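Review bot: The `continue;` after `m_validation = false;` leaves the section loop at this point, so a Global section that sets `validation = none` never reaches the `audience` parsing below it or anything that follows; the other global options are silently dropped. Remove the `continue;` so the rest of the section is still processed. Any value other than `none` is also ignored without a message, which hides typos in a security-relevant setting; add an `else` branch such as `m_log.Say("------ XrdAccSciTokens: unknown value for 'validation', keeping validation enabled");` so validation stays on and the operator sees why. The enclosing loop and function start outside the hunk.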