Fix creation of non-existent parent directory authZ with WLCG scopes
enricovianello committed Oct 4, 2024
1 parent 577ec80 commit eb50688
Showing 3 changed files with 113 additions and 65 deletions.
Expand Up @@ -138,7 +138,7 @@ boolean filterMatcherByRequest(HttpServletRequest request, String method,
if (requestedResourceExists) {
return m.getPrefix().equals(STORAGE_MODIFY);
}
return m.getPrefix().equals(STORAGE_CREATE);
return m.getPrefix().equals(STORAGE_CREATE) || m.getPrefix().equals(STORAGE_MODIFY);
}
if (MODIFY_METHODS.contains(method)) {
return m.getPrefix().equals(STORAGE_MODIFY);
Expand All @@ -149,9 +149,9 @@ boolean filterMatcherByRequest(HttpServletRequest request, String method,
if (requestedResourceExists) {
return m.getPrefix().equals(STORAGE_MODIFY);
}
return m.getPrefix().equals(STORAGE_CREATE);
return m.getPrefix().equals(STORAGE_CREATE) || m.getPrefix().equals(STORAGE_MODIFY);
}
return m.getPrefix().equals(STORAGE_READ);
return m.getPrefix().equals(STORAGE_READ) || m.getPrefix().equals(STORAGE_STAGE);

}

Expand Down Expand Up @@ -212,10 +212,17 @@ public PathAuthorizationResult authorizeRequest(PathAuthorizationRequest authzRe
final boolean requestedResourceExists = pathResolver.pathExists(requestPath);
final String saPath = getStorageAreaPath(requestPath, sa);

scopeMatchers = scopeMatchers.stream()
.filter(m -> filterMatcherByRequest(request, method, m, requestedResourceExists))
.filter(m -> m.matchesPath(saPath))
.collect(toList());
if ("MKCOL".equals(method)) {
scopeMatchers = scopeMatchers.stream()
.filter(m -> filterMatcherByRequest(request, method, m, requestedResourceExists))
.filter(m -> m.matchesPathIncludingParents(saPath))
.collect(toList());
} else {
scopeMatchers = scopeMatchers.stream()
.filter(m -> filterMatcherByRequest(request, method, m, requestedResourceExists))
.filter(m -> m.matchesPath(saPath))
.collect(toList());
}

if (scopeMatchers.isEmpty()) {
return deny(ERROR_INSUFFICIENT_TOKEN_SCOPE);
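Review bot: In the `MKCOL` branch of authorizeRequest the ancestor-inclusive match is applied whether or not the target already exists, so a matcher scoped to a deep path also passes the path filter for MKCOL on any existing ancestor, up to the storage-area root. The commit title targets non-existent parents only, so the wider predicate could be gated on that: `.filter(m -> requestedResourceExists ? m.matchesPath(saPath) : m.matchesPathIncludingParents(saPath))`. With that, the two otherwise identical stream pipelines could presumably collapse into one, keeping `matchesPath` for every non-MKCOL method. A short comment stating that a scope on `/a/b/c` intentionally authorizes creating `/a` and `/a/b` would help the next reader of this authorization path. The body of authorizeRequest starts and ends outside the visible hunk, so how the surviving matchers are turned into a decision is not shown here.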
Expand Up @@ -19,6 +19,7 @@
import static com.google.common.base.Strings.isNullOrEmpty;
import static java.util.Objects.nonNull;

import java.nio.file.Path;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

Expand All @@ -37,15 +38,15 @@ public class StructuredPathScopeMatcher implements ScopeMatcher {
private static final String SEP_STR = SEP.toString();

private final String prefix;
private final String path;
private final Path path;

private final Pattern prefixMatchPattern;
private final Pattern pathMatchPattern;

private StructuredPathScopeMatcher(String prefix, String path) {

this.prefix = prefix;
this.path = path;
this.path = Path.of(path);

final String prefixMatchRegexp = String.format("^%s%c", prefix, SEP);
prefixMatchPattern = Pattern.compile(prefixMatchRegexp);
Expand Down Expand Up @@ -75,6 +76,11 @@ public boolean matchesScope(String scope) {
public boolean matchesPath(String path) {
return pathMatchPattern.matcher(path).matches();
}

public boolean matchesPathIncludingParents(String path) {
Path targetPath = Path.of(path);
return this.path.startsWith(targetPath) || matchesPath(path);
}

public static StructuredPathScopeMatcher fromString(String scope) {
final int sepIndex = scope.indexOf(SEP);
Expand Down Expand Up @@ -135,7 +141,7 @@ public String getPrefix() {
}

public String getPath() {
return path;
return path.toString();
}

}
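Review bot: `matchesPathIncludingParents` hands its argument straight to `Path.of`, which throws the unchecked `InvalidPathException` for strings the default filesystem rejects (a NUL character, for example), and the caller in the authorization service passes a path derived from the request. A malformed path could then surface as an exception from the authorization check instead of a deny, unless an earlier step already rejects it. Wrapping the comparison and adding `catch (InvalidPathException e) { return false; }` (with the matching `java.nio.file.InvalidPathException` import) keeps the check fail-closed, and the same applies to `Path.of(path)` in the constructor for scope strings taken from a token. Neither side is normalized, so a target containing `..` simply fails `startsWith`. That is the safe direction, and a Javadoc on the method should say so, and that ancestors of the scope path are matched on purpose. Separately, `getPath()` now returns `path.toString()`, which can differ from the original scope string (a trailing separator is dropped), so callers that compare or log it may see a changed value.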