From c639065624e37a76149f6f4671ba654494dfa920 Mon Sep 17 00:00:00 2001
From: Derek Weitzel
Date: Mon, 18 May 2020 11:16:40 -0500
Subject: [PATCH 1/2] Change WLCG compat for compute.* and storage.* for all scitokens
---
 src/scitokens_internal.cpp | 28 +++++++++++++---------------
 1 file changed, 13 insertions(+), 15 deletions(-)
diff --git a/src/scitokens_internal.cpp b/src/scitokens_internal.cpp
index 71ee563..8c70b6c 100644
--- a/src/scitokens_internal.cpp
+++ b/src/scitokens_internal.cpp
@@ -580,21 +580,19 @@ scitokens::Enforcer::scope_validator(const jwt::claim &claim, void *myself) {
 // If we are in compatibility mode and this is a WLCG token, then translate the authorization
 // names to utilize the SciToken-style names.
- if (me->m_validate_profile == SciToken::Profile::COMPAT &&
- me->m_validator.get_profile() == SciToken::Profile::WLCG_1_0) {
- if (authz == "storage.read") {
- authz = "read";
- } else if (authz == "storage.write") {
- authz = "write";
- } else if (authz == "compute.read") {
- authz = "condor:/READ";
- } else if (authz == "compute.modify") {
- compat_modify = true;
- } else if (authz == "compute.create") {
- compat_create = true;
- } else if (authz == "compute.cancel") {
- compat_cancel = true;
- }
+ // No longer need to be compatibility mode or a WLCG token
+ if (authz == "storage.read") {
+ authz = "read";
+ } else if (authz == "storage.write") {
+ authz = "write";
+ } else if (authz == "compute.read") {
+ authz = "condor:/READ";
+ } else if (authz == "compute.modify") {
+ compat_modify = true;
+ } else if (authz == "compute.create") {
+ compat_create = true;
+ } else if (authz == "compute.cancel") {
+ compat_cancel = true;
 }
 if (me->m_test_authz.empty()) {
From 60b2a67e88817a21e8250a88b64026258db0c35f Mon Sep 17 00:00:00 2001
From: Derek Weitzel
Date: Mon, 18 May 2020 14:15:41 -0500
Subject: [PATCH 2/2] Adding compute verification
---
 test/main.cpp | 60 +++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 60 insertions(+)
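Review bot: The two context comment lines at the top of the hunk still say the translation happens "If we are in compatibility mode and this is a WLCG token", which the new code contradicts now that the profile guard is removed, and the added `// No longer need to be compatibility mode or a WLCG token` records history rather than behaviour. Replace the three lines with one statement of what the code does, e.g. `// Translate WLCG-style storage.*/compute.* scope names to their SciToken-style equivalents for every token, regardless of validation profile.`. Because the aliasing is now unconditional, a token validated under the SciTokens profile that carries `storage.write` is treated as `write`; if that widening is intended (the subject line suggests it is), state it in the comment so a later reader does not reinstate the guard as a bug fix. The rest of scope_validator, including whether the translated `authz` still passes through the resource/path check, lies outside the hunk.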
diff --git a/test/main.cpp b/test/main.cpp
index 0a8397a..a59aaad 100644
--- a/test/main.cpp
+++ b/test/main.cpp
@@ -1,6 +1,7 @@
 #include "../src/scitokens.h"
 #include
+#include
 namespace {
@@ -178,6 +179,65 @@ TEST_F(SerializeTest, VerifyWLCGTest) {
 ASSERT_FALSE(rv == 0);
 }
+TEST_F(SerializeTest, VerifyCompute) {
+ char *err_msg = nullptr;
+
+ char *token_value = nullptr;
+
+ m_token = TokenPtr(scitoken_create(m_key.get()), scitoken_destroy);
+ ASSERT_TRUE(m_token.get() != nullptr);
+
+ auto rv = scitoken_set_claim_string(m_token.get(), "iss",
+ "https://demo.scitokens.org/gtest", &err_msg);
+ ASSERT_TRUE(rv == 0);
+
+ scitoken_set_serialize_profile(m_token.get(), SciTokenProfile::SCITOKENS_1_0);
+ rv = scitoken_serialize(m_token.get(), &token_value, &err_msg);
+ ASSERT_TRUE(rv == 0);
+
+ // Set the scope
+ rv = scitoken_set_claim_string(m_token.get(), "scope", "compute.cancel compute.modify compute.create", &err_msg);
+ ASSERT_TRUE(rv == 0);
+
+ // Set the audience
+ rv = scitoken_set_claim_string(m_token.get(), "aud", "demo.test", &err_msg);
+ ASSERT_TRUE(rv == 0);
+
+ // Get the issuer from the token
+ char* issuer_ptr = NULL;
+ rv = scitoken_get_claim_string(m_token.get(), "iss", &issuer_ptr, &err_msg);
+ ASSERT_TRUE(rv == 0);
+ std::string issuer(issuer_ptr);
+ delete issuer_ptr;
+
+ // Serialize and desearilze the token
+ rv = scitoken_serialize(m_token.get(), &token_value, &err_msg);
+ ASSERT_TRUE(rv == 0);
+ rv = scitoken_deserialize_v2(token_value, m_read_token.get(), nullptr, &err_msg);
+ ASSERT_TRUE(rv == 0);
+
+
+ // Create the enforcer
+ Enforcer enf;
+ const char* aud_list[2];
+ aud_list[0] = "demo.test";
+ aud_list[1] = NULL;
+ enf = enforcer_create(issuer.c_str(), aud_list, &err_msg);
+ ASSERT_FALSE(enf == 0);
+
+ // Test the enforcer
+ Acl acl;
+ acl.authz = "condor";
+ acl.resource = "/WRITE";
+ rv = enforcer_test(enf, m_read_token.get(), &acl, &err_msg);
+ printf("After err: %s\n", err_msg);
+ ASSERT_TRUE(rv == 0);
+
+ // Destroy the enforcer
+ enforcer_destroy(enf);
+
+}
+
 TEST_F(SerializeTest, FailVerifyToken) {
 char *err_msg;
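Review bot: VerifyCompute only asserts the positive case — a token carrying `compute.cancel compute.modify compute.create` is accepted for `condor` `/WRITE` — and never checks that a token without those scopes is refused, so an enforcer regression that granted the ACL unconditionally would still pass; re-serializing the same token with scope `compute.read` only (which the mapping in scitokens_internal.cpp turns into `condor:/READ`), deserializing it into `m_read_token` and asserting `enforcer_test` returns non-zero for `/WRITE` would make the test meaningful. `printf("After err: %s\n", err_msg);` passes `err_msg` to `%s` while it is still `nullptr` on the success path the next line asserts, which is undefined behaviour; drop the debug line or guard it with `if (err_msg) printf("After err: %s\n", err_msg);`. `delete issuer_ptr;` releases a string handed out by the C API `scitoken_get_claim_string`; unless that function allocates with `new`, this is a mismatched deallocation and should be whatever the API documents (presumably `free(issuer_ptr);`). The first `scitoken_serialize` call, made before the scope and audience are set, produces a `token_value` that is neither used nor released before the second call overwrites it, so it can be removed along with the leak.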