[XrdSciTokens] Add global option 'validation = none' to disable token… #1910

Closed
wants to merge 1 commit into from
4 changes: 4 additions & 0 deletions src/XrdSciTokens/README.md
Expand Up @@ -88,6 +88,10 @@ Within the `Global` section, the available attributes are:
group or issuer information from the token. The username is only populated if either scope-based mapping or
the mapfile-based approach is successful.

- `validation` (optional): when the library is used for ZTN authentication the Validate() function is called as part of the
ZTN handshake. To disable validating tokens during the ZTN handshake this variable can be set to the following value:
- `none`: Don't validate a token during the ZTN handshake. This is useful when the passed token is not handled by the SciToken library!

Comment from @abh3 (Member), Feb 16, 2023:

I think you will need to fix the indentation here as markdown is not formatting this correctly and it really is not well readable.

However, you will not need to do this if you accept my observation that the changes should be done in XrdSecProtocolztn.cc (see last comment).

Each section name specifying a new issuer *MUST* be prefixed with `Issuer`. Known attributes
are:
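Review bot: the `- none:` line under the new `validation` attribute is not indented, so markdown renders it as another top-level attribute instead of a sub-bullet of `validation` (the same point @abh3 raises above); indent it two spaces under its parent. The text should also state the consequence of the setting plainly rather than as a convenience: with `validation = none` the library's Validate() reports success without deserializing or checking the token at all, so the option is only safe when another component in the ZTN chain is responsible for verifying whatever was presented. Say that in the README as a warning, and drop the trailing exclamation mark.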

19 changes: 17 additions & 2 deletions src/XrdSciTokens/XrdSciTokensAccess.cc
Expand Up @@ -425,7 +425,8 @@ class XrdAccSciTokens : public XrdAccAuthorize, public XrdSciTokensHelper
m_chain(chain),
m_parms(parms ? parms : ""),
m_next_clean(monotonic_time() + m_expiry_secs),
m_log(lp, "scitokens_")
m_log(lp, "scitokens_"),
m_validation(true)
{
pthread_rwlock_init(&m_config_lock, nullptr);
m_config_lock_initialized = true;
Expand Down Expand Up @@ -618,6 +619,11 @@ class XrdAccSciTokens : public XrdAccAuthorize, public XrdSciTokensHelper
{
// Just check if the token is valid, no scope checking

// Consider if validation is disabled
if (!m_validation) {
return true;
}

// Deserialize the token
SciToken scitoken;
char *err_msg;
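Review bot: the early `return true` makes Validate() answer "valid" for any input, including an empty or malformed token, and a caller cannot distinguish "validated" from "not checked". If the real need is that the string handed over during the ZTN handshake is not a SciToken at all, the right fix is to not call this helper from the ZTN side (the change @abh3 suggests for XrdSecProtocolztn.cc) rather than have the SciTokens authorizer assert validity it never established. If the bypass stays, log it at the point it happens (the one-time startup message in the config hunk is easy to miss) and replace the comment `// Consider if validation is disabled` with one that says what actually happens, e.g. `// validation = none: accept without inspecting the token`.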
Expand Down Expand Up @@ -1064,6 +1070,15 @@ class XrdAccSciTokens : public XrdAccAuthorize, public XrdSciTokensHelper
[](unsigned char c){ return std::tolower(c); });

if (section_lower.substr(0, 6) == "global") {
auto validation = reader.Get(section, "validation", "");
if (!validation.empty()) {
if (validation == "none") {
m_validation = false;
m_log.Say("------ XrdAccSciTokens: disabling validation ...");
continue;
}
}

auto audience = reader.Get(section, "audience", "");
if (!audience.empty()) {
size_t pos = 0;
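Review bot: the `continue` after `m_validation = false;` skips the remainder of the loop body for this section, so every other `Global` attribute in the same section, starting with the `audience` parsing immediately below, is silently ignored whenever `validation = none` is set. Remove the `continue` and let the section be processed normally. It would also help to reject values other than `none` with an error instead of dropping them on the floor; a typo such as `validation = non` currently leaves validation on without any message, which is fail-safe but surprising to the administrator, and an explicit error makes the accepted vocabulary visible.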
Expand Down Expand Up @@ -1225,7 +1240,7 @@ class XrdAccSciTokens : public XrdAccAuthorize, public XrdSciTokensHelper
XrdSysError m_log;
AuthzBehavior m_authz_behavior{AuthzBehavior::PASSTHROUGH};
std::string m_cfg_file;

bool m_validation{true};
static constexpr uint64_t m_expiry_secs = 60;
};
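Review bot: `bool m_validation{true};` already gives the member its default, so the `m_validation(true)` entry added to the constructor initializer list in the first hunk of this file is redundant; keep one of the two (the in-class initializer is sufficient and keeps the constructor diff smaller). Consider a name that reads as a flag, e.g. `m_validate_tokens`, since `m_validation` being `false` to mean "skip validation" is easy to misread at the call site.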
