Noscript checksum

packaging/makesrpm.sh

@@ -149,7 +149,7 @@ fi
 #-------------------------------------------------------------------------------
 # Deal with release candidates
 #-------------------------------------------------------------------------------
-RELEASE=1
+RELEASE=4
 if test x`echo $VERSION | grep -E $RCEXP` != x; then
   RELEASE=0.`echo $VERSION | sed 's/.*-rc/rc/'`
   VERSION=`echo $VERSION | sed 's/-rc.*//'`

src/XrdCks/XrdCksManager.cc

@@ -454,7 +454,8 @@ int XrdCksManager::Del(const char *Pfn, XrdCksData &Cks)
 int XrdCksManager::Get(const char *Pfn, XrdCksData &Cks)
 {
    XrdOucXAttr<XrdCksXAttr> xCS;
-   time_t MTime;
+   // not checking stale checksums as ceph file modification times constantly refresh on read
+   //time_t MTime;
    int rc, nFault;
 
 // Determine which checksum to get (we will accept unsupported ones as well)
@@ -473,13 +474,12 @@ int XrdCksManager::Get(const char *Pfn, XrdCksData &Cks)
    Cks = xCS.Attr.Cks;
 
 // Verify the file
-//
-   if ((rc = ModTime(Pfn, MTime))) return rc;
+// not done as ceph mod times are weird
+//   if ((rc = ModTime(Pfn, MTime))) return rc;
 
 // Return result
 //
-   return (Cks.fmTime != MTime || nFault
-       ||  Cks.Length > XrdCksData::ValuSize || Cks.Length <= 0
+   return ( nFault || Cks.Length > XrdCksData::ValuSize || Cks.Length <= 0
         ? -ESTALE : int(Cks.Length));
 }
 

src/XrdSciTokens/XrdSciTokensAccess.cc

@@ -339,7 +339,14 @@ class XrdAccRules
 
     bool apply(Access_Operation oper, std::string path) {
         for (const auto & rule : m_rules) {
-            if ((oper == rule.first) && !path.compare(0, rule.second.size(), rule.second, 0, rule.second.size())) {
+            if ((oper == rule.first) && !path.compare(0, rule.second.size(), rule.second, 0, rule.second.size()) && ( rule.second.size() == path.length() || path[rule.second.size()]=='/') ) {
+                return true;
+            }
+            // pass the scope if the operation is stat of mkdir
+            if ((oper == rule.first) && (oper == AOP_Stat || oper == AOP_Mkdir) && 
+                 rule.second.size() >= path.length() && 
+                 !rule.second.compare(0, path.size(), path, 0, path.size()) && 
+                (rule.second.size() == path.length() || rule.second[path.length()] == '/')) {
                 return true;
             }
         }
@@ -834,19 +841,43 @@ class XrdAccSciTokens : public XrdAccAuthorize, public XrdSciTokensHelper
         int idx = 0;
         std::set<std::string> paths_write_seen;
         std::set<std::string> paths_create_or_modify_seen;
+        std::vector<std::string> acl_paths;
+        acl_paths.reserve(config.m_restricted_paths.size() + 1);
         while (acls[idx].resource && acls[idx++].authz) {
+            acl_paths.clear();
             const auto &acl_path = acls[idx-1].resource;
             const auto &acl_authz = acls[idx-1].authz;
-            if (!config.m_restricted_paths.empty()) {
-                bool found_path = false;
+            if (config.m_restricted_paths.empty()) {
+                acl_paths.push_back(acl_path);
+            } else {
+                auto acl_path_size = strlen(acl_path);
                 for (const auto &restricted_path : config.m_restricted_paths) {
+                    // See if the acl_path is more specific than the restricted path; if so, accept it
+                    // and move on to applying paths.
                     if (!strncmp(acl_path, restricted_path.c_str(), restricted_path.size())) {
-                        found_path = true;
+                        // Only do prefix checking on full path components.  If acl_path=/foobar and
+                        // restricted_path=/foo, then we shouldn't authorize access to /foobar.
+                        if (acl_path_size > restricted_path.size() && acl_path[restricted_path.size()] != '/') {
+                            continue;
+                        }
+                        acl_paths.push_back(acl_path);
                         break;
                     }
+                    // See if the restricted_path is more specific than the acl_path; if so, accept the
+                    // restricted path as the ACL.  Keep looping to see if other restricted paths add
+                    // more possible authorizations.
+                    if (!strncmp(acl_path, restricted_path.c_str(), acl_path_size)) {
+                        // Only do prefix checking on full path components.  If acl_path=/foo and
+                        // restricted_path=/foobar, then we shouldn't authorize access to /foobar.
+                        if (restricted_path.size() > acl_path_size && restricted_path[acl_path_size-1] != '/') { 
+                            continue;
+                        }
+                        acl_paths.push_back(restricted_path);
+                    }
                 }
-                if (!found_path) {continue;}
+
             }
+            for (const auto &acl_path : acl_paths) {
             for (const auto &base_path : config.m_base_paths) {
                 if (!acl_path[0] || acl_path[0] != '/') {continue;}
                 std::string path;
@@ -861,6 +892,7 @@ class XrdAccSciTokens : public XrdAccAuthorize, public XrdSciTokensHelper
                     xrd_rules.emplace_back(AOP_Mkdir, path);
                     xrd_rules.emplace_back(AOP_Rename, path);
                     xrd_rules.emplace_back(AOP_Excl_Insert, path);
+                    xrd_rules.emplace_back(AOP_Stat, path);
                 } else if (!strcmp(acl_authz, "modify")) {
                     paths_create_or_modify_seen.insert(path);
                     xrd_rules.emplace_back(AOP_Create, path);
@@ -869,11 +901,13 @@ class XrdAccSciTokens : public XrdAccAuthorize, public XrdSciTokensHelper
                     xrd_rules.emplace_back(AOP_Insert, path);
                     xrd_rules.emplace_back(AOP_Update, path);
                     xrd_rules.emplace_back(AOP_Chmod, path);
+                    xrd_rules.emplace_back(AOP_Stat, path);
                     xrd_rules.emplace_back(AOP_Delete, path);
                 } else if (!strcmp(acl_authz, "write")) {
                     paths_write_seen.insert(path);
                 }
-            }
+              }
+           }
         }
         for (const auto &write_path : paths_write_seen) {
             if (paths_create_or_modify_seen.find(write_path) == paths_create_or_modify_seen.end()) {
@@ -882,6 +916,7 @@ class XrdAccSciTokens : public XrdAccAuthorize, public XrdSciTokensHelper
                 xrd_rules.emplace_back(AOP_Mkdir, write_path);
                 xrd_rules.emplace_back(AOP_Rename, write_path);
                 xrd_rules.emplace_back(AOP_Insert, write_path);
+                xrd_rules.emplace_back(AOP_Stat, write_path);
                 xrd_rules.emplace_back(AOP_Update, write_path);
                 xrd_rules.emplace_back(AOP_Chmod, write_path);
                 xrd_rules.emplace_back(AOP_Delete, write_path);

src/XrdXrootd/XrdXrootdProtocol.cc

@@ -467,7 +467,7 @@ int XrdXrootdProtocol::Process2()
       switch(Request.header.requestid)
             {case kXR_login:    return do_Login();
              case kXR_protocol: return do_Protocol();
-             case kXR_bind:     return do_Bind();
+             //case kXR_bind:     return do_Bind();
              default:           Response.Send(kXR_InvalidRequest,
                                 "Invalid request; user not logged in");
                                 return Link->setEtext("request without login");

src/XrdXrootd/XrdXrootdXeqPgrw.cc

@@ -205,7 +205,7 @@ int XrdXrootdProtocol::do_PgRIO()
 // We restrict the maximum transfer size to generate no more than 1023 iovec
 // elements where the first is used for the header.
 //
-   static const int maxCSSZ = 1022;
+   static const int maxCSSZ = 511;
 // static const int maxCSSZ = 32;
    static const int maxPGRD = maxCSSZ*pgPageSize; // 2,093,056 usually
    static const int maxIOVZ = maxCSSZ*2+1;