~drizzle-trunk/drizzle/development : contents of drizzled/plugin/authorization.cc at revision 1877.2.8

~drizzle-trunk/drizzle/development : (revision 1877.2.8)

/* -*- mode: c++; c-basic-offset: 2; indent-tabs-mode: nil; -*-
 *  vim:expandtab:shiftwidth=2:tabstop=2:smarttab:
 *
 *  Copyright (C) 2010 Monty Taylor
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License
 *  along with this program; if not, write to the Free Software
 *  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
 */

#include "config.h"

#include <vector>

#include "drizzled/plugin/authorization.h"
#include "drizzled/security_context.h"
#include "drizzled/identifier.h"
#include "drizzled/error.h"
#include "drizzled/session.h"
#include "drizzled/gettext.h"

using namespace std;

namespace drizzled
{

vector<plugin::Authorization *> authorization_plugins;


bool plugin::Authorization::addPlugin(plugin::Authorization *auth)
{
  if (auth != NULL)
    authorization_plugins.push_back(auth);
  return false;
}

void plugin::Authorization::removePlugin(plugin::Authorization *auth)
{
  if (auth != NULL)
  {
    authorization_plugins.erase(find(authorization_plugins.begin(),
                                     authorization_plugins.end(),
                                     auth));
  }
}

namespace
{

class RestrictDbFunctor :
  public unary_function<plugin::Authorization *, bool>
{
  const SecurityContext &user_ctx;
  SchemaIdentifier &schema;
public:
  RestrictDbFunctor(const SecurityContext &user_ctx_arg,
                    SchemaIdentifier &schema_arg) :
    unary_function<plugin::Authorization *, bool>(),
    user_ctx(user_ctx_arg),
    schema(schema_arg)
  { }

  inline result_type operator()(argument_type auth)
  {
    return auth->restrictSchema(user_ctx, schema);
  }
};

class RestrictTableFunctor :
  public unary_function<plugin::Authorization *, bool>
{
  const SecurityContext &user_ctx;
  TableIdentifier &table;
public:
  RestrictTableFunctor(const SecurityContext &user_ctx_arg,
                       TableIdentifier &table_arg) :
    unary_function<plugin::Authorization *, bool>(),
    user_ctx(user_ctx_arg),
    table(table_arg)
  { }

  inline result_type operator()(argument_type auth)
  {
    return auth->restrictTable(user_ctx, table);
  }
};

class RestrictProcessFunctor :
  public unary_function<plugin::Authorization *, bool>
{
  const SecurityContext &user_ctx;
  const SecurityContext &session_ctx;
public:
  RestrictProcessFunctor(const SecurityContext &user_ctx_arg,
                         const SecurityContext &session_ctx_arg) :
    unary_function<plugin::Authorization *, bool>(),
    user_ctx(user_ctx_arg),
    session_ctx(session_ctx_arg)
  { }

  inline result_type operator()(argument_type auth)
  {
    return auth->restrictProcess(user_ctx, session_ctx);
  }
};

class PruneSchemaFunctor :
  public unary_function<SchemaIdentifier&, bool>
{
  const SecurityContext &user_ctx;
public:
  PruneSchemaFunctor(const SecurityContext &user_ctx_arg) :
    unary_function<SchemaIdentifier&, bool>(),
    user_ctx(user_ctx_arg)
  { }

  inline result_type operator()(argument_type auth)
  {
    return not plugin::Authorization::isAuthorized(user_ctx, auth, false);
  }
};

} /* namespace */

bool plugin::Authorization::isAuthorized(const SecurityContext &user_ctx,
                                         SchemaIdentifier &schema_identifier,
                                         bool send_error)
{
  /* If we never loaded any authorization plugins, just return true */
  if (authorization_plugins.empty())
    return true;

  /* Use find_if instead of foreach so that we can collect return codes */
  vector<plugin::Authorization *>::const_iterator iter=
    find_if(authorization_plugins.begin(),
            authorization_plugins.end(),
            RestrictDbFunctor(user_ctx, schema_identifier));


  /*
   * If iter is == end() here, that means that all of the plugins returned
   * false, which means that that each of them believe the user is authorized
   * to view the resource in question.
   */
  if (iter != authorization_plugins.end())
  {
    if (send_error)
    {
      my_error(ER_DBACCESS_DENIED_ERROR, MYF(0),
               user_ctx.getUser().c_str(),
               user_ctx.getIp().c_str(),
               schema_identifier.getSQLPath().c_str());
    }
    return false;
  }
  return true;
}

bool plugin::Authorization::isAuthorized(const SecurityContext &user_ctx,
                                         TableIdentifier &table,
                                         bool send_error)
{
  /* If we never loaded any authorization plugins, just return true */
  if (authorization_plugins.empty())
    return true;

  /* Use find_if instead of foreach so that we can collect return codes */
  vector<plugin::Authorization *>::const_iterator iter=
    find_if(authorization_plugins.begin(),
            authorization_plugins.end(),
            RestrictTableFunctor(user_ctx, table));

  /*
   * If iter is == end() here, that means that all of the plugins returned
   * false, which means that that each of them believe the user is authorized
   * to view the resource in question.
   */
  if (iter != authorization_plugins.end())
  {
    if (send_error)
    {
      my_error(ER_DBACCESS_DENIED_ERROR, MYF(0),
               user_ctx.getUser().c_str(),
               user_ctx.getIp().c_str(),
               table.getSQLPath().c_str());
    }
    return false;
  }
  return true;
}

bool plugin::Authorization::isAuthorized(const SecurityContext &user_ctx,
                                         const Session *session,
                                         bool send_error)
{
  const SecurityContext &session_ctx= session->getSecurityContext();

  /* If we never loaded any authorization plugins, just return true */
  if (authorization_plugins.empty())
    return true;

  /* Use find_if instead of foreach so that we can collect return codes */
  vector<plugin::Authorization *>::const_iterator iter=
    find_if(authorization_plugins.begin(),
            authorization_plugins.end(),
            RestrictProcessFunctor(user_ctx, session_ctx));

  /*
   * If iter is == end() here, that means that all of the plugins returned
   * false, which means that that each of them believe the user is authorized
   * to view the resource in question.
   */

  if (iter != authorization_plugins.end())
  {
    if (send_error)
    {
      my_error(ER_KILL_DENIED_ERROR, MYF(0), session->thread_id);
    }
    return false;
  }
  return true;
}

void plugin::Authorization::pruneSchemaNames(const SecurityContext &user_ctx,
                                             SchemaIdentifiers &set_of_schemas)
{
  /* If we never loaded any authorization plugins, just return true */
  if (authorization_plugins.empty())
    return;

  set_of_schemas.erase(remove_if(set_of_schemas.begin(),
                                 set_of_schemas.end(),
                                 PruneSchemaFunctor(user_ctx)),
                       set_of_schemas.end());
}

} /* namespace drizzled */

1317.1.5 by Monty Taylor Added Authorization interface.	1	/* -- mode: c++; c-basic-offset: 2; indent-tabs-mode: nil; --
	2	* vim:expandtab:shiftwidth=2:tabstop=2:smarttab:
	3	*
	4	* Copyright (C) 2010 Monty Taylor
	5	*
	6	* This program is free software; you can redistribute it and/or modify
	7	* it under the terms of the GNU General Public License as published by
	8	* the Free Software Foundation; either version 2 of the License, or
	9	* (at your option) any later version.
	10	*
	11	* This program is distributed in the hope that it will be useful,
	12	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	13	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	14	* GNU General Public License for more details.
	15	*
	16	* You should have received a copy of the GNU General Public License
	17	* along with this program; if not, write to the Free Software
	18	* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
	19	*/
	20
	21	#include "config.h"
	22
	23	#include <vector>
	24
	25	#include "drizzled/plugin/authorization.h"
	26	#include "drizzled/security_context.h"
1660.1.1 by Brian Aker Merge in move identifier work.	27	#include "drizzled/identifier.h"
1317.1.5 by Monty Taylor Added Authorization interface.	28	#include "drizzled/error.h"
	29	#include "drizzled/session.h"
	30	#include "drizzled/gettext.h"
	31
	32	using namespace std;
	33
	34	namespace drizzled
	35	{
	36
	37	vector<plugin::Authorization *> authorization_plugins;
	38
	39
	40	bool plugin::Authorization::addPlugin(plugin::Authorization *auth)
	41	{
	42	if (auth != NULL)
	43	authorization_plugins.push_back(auth);
	44	return false;
	45	}
	46
	47	void plugin::Authorization::removePlugin(plugin::Authorization *auth)
	48	{
	49	if (auth != NULL)
	50	{
	51	authorization_plugins.erase(find(authorization_plugins.begin(),
	52	authorization_plugins.end(),
	53	auth));
	54	}
	55	}
	56
	57	namespace
	58	{
	59
	60	class RestrictDbFunctor :
	61	public unary_function<plugin::Authorization *, bool>
	62	{
	63	const SecurityContext &user_ctx;
1471.2.2 by Monty Taylor Updated Authorization plugin interface to use new Schema\|TableIdentifier	64	SchemaIdentifier &schema;
1317.1.5 by Monty Taylor Added Authorization interface.	65	public:
1317.1.5 by Monty Taylor Added Authorization interface.	66	RestrictDbFunctor(const SecurityContext &user_ctx_arg,
1471.2.2 by Monty Taylor Updated Authorization plugin interface to use new Schema\|TableIdentifier	67	SchemaIdentifier &schema_arg) :
1317.1.5 by Monty Taylor Added Authorization interface.	68	unary_function<plugin::Authorization *, bool>(),
	69	user_ctx(user_ctx_arg),
	70	schema(schema_arg)
	71	{ }
	72
	73	inline result_type operator()(argument_type auth)
	74	{
	75	return auth->restrictSchema(user_ctx, schema);
	76	}
	77	};
	78
	79	class RestrictTableFunctor :
	80	public unary_function<plugin::Authorization *, bool>
	81	{
	82	const SecurityContext &user_ctx;
1471.2.2 by Monty Taylor Updated Authorization plugin interface to use new Schema\|TableIdentifier	83	TableIdentifier &table;
1317.1.5 by Monty Taylor Added Authorization interface.	84	public:
1317.1.5 by Monty Taylor Added Authorization interface.	85	RestrictTableFunctor(const SecurityContext &user_ctx_arg,
1471.2.2 by Monty Taylor Updated Authorization plugin interface to use new Schema\|TableIdentifier	86	TableIdentifier &table_arg) :
1317.1.5 by Monty Taylor Added Authorization interface.	87	unary_function<plugin::Authorization *, bool>(),
	88	user_ctx(user_ctx_arg),
	89	table(table_arg)
	90	{ }
	91
	92	inline result_type operator()(argument_type auth)
	93	{
1471.2.2 by Monty Taylor Updated Authorization plugin interface to use new Schema\|TableIdentifier	94	return auth->restrictTable(user_ctx, table);
1317.1.5 by Monty Taylor Added Authorization interface.	95	}
	96	};
	97
	98	class RestrictProcessFunctor :
	99	public unary_function<plugin::Authorization *, bool>
	100	{
	101	const SecurityContext &user_ctx;
	102	const SecurityContext &session_ctx;
	103	public:
	104	RestrictProcessFunctor(const SecurityContext &user_ctx_arg,
	105	const SecurityContext &session_ctx_arg) :
	106	unary_function<plugin::Authorization *, bool>(),
	107	user_ctx(user_ctx_arg),
	108	session_ctx(session_ctx_arg)
	109	{ }
	110
	111	inline result_type operator()(argument_type auth)
	112	{
	113	return auth->restrictProcess(user_ctx, session_ctx);
	114	}
	115	};
	116
1471.2.2 by Monty Taylor Updated Authorization plugin interface to use new Schema\|TableIdentifier	117	class PruneSchemaFunctor :
	118	public unary_function<SchemaIdentifier&, bool>
	119	{
	120	const SecurityContext &user_ctx;
	121	public:
	122	PruneSchemaFunctor(const SecurityContext &user_ctx_arg) :
	123	unary_function<SchemaIdentifier&, bool>(),
	124	user_ctx(user_ctx_arg)
	125	{ }
	126
	127	inline result_type operator()(argument_type auth)
	128	{
	129	return not plugin::Authorization::isAuthorized(user_ctx, auth, false);
	130	}
	131	};
	132
1317.1.5 by Monty Taylor Added Authorization interface.	133	} /* namespace */
	134
	135	bool plugin::Authorization::isAuthorized(const SecurityContext &user_ctx,
1415 by Brian Aker Mass overhaul to use schema_identifier.	136	SchemaIdentifier &schema_identifier,
1317.1.5 by Monty Taylor Added Authorization interface.	137	bool send_error)
	138	{
	139	/* If we never loaded any authorization plugins, just return true */
1317.3.1 by Monty Taylor Replaced calls of size()==0 with empty().	140	if (authorization_plugins.empty())
1317.1.5 by Monty Taylor Added Authorization interface.	141	return true;
	142
	143	/* Use find_if instead of foreach so that we can collect return codes */
	144	vector<plugin::Authorization *>::const_iterator iter=
	145	find_if(authorization_plugins.begin(),
	146	authorization_plugins.end(),
1471.2.2 by Monty Taylor Updated Authorization plugin interface to use new Schema\|TableIdentifier	147	RestrictDbFunctor(user_ctx, schema_identifier));
	148
1317.1.5 by Monty Taylor Added Authorization interface.	149
	150	/*
	151	* If iter is == end() here, that means that all of the plugins returned
	152	* false, which means that that each of them believe the user is authorized
	153	* to view the resource in question.
	154	*/
	155	if (iter != authorization_plugins.end())
	156	{
	157	if (send_error)
	158	{
	159	my_error(ER_DBACCESS_DENIED_ERROR, MYF(0),
	160	user_ctx.getUser().c_str(),
	161	user_ctx.getIp().c_str(),
1415 by Brian Aker Mass overhaul to use schema_identifier.	162	schema_identifier.getSQLPath().c_str());
1317.1.5 by Monty Taylor Added Authorization interface.	163	}
	164	return false;
	165	}
	166	return true;
	167	}
	168
	169	bool plugin::Authorization::isAuthorized(const SecurityContext &user_ctx,
1471.2.2 by Monty Taylor Updated Authorization plugin interface to use new Schema\|TableIdentifier	170	TableIdentifier &table,
1317.1.5 by Monty Taylor Added Authorization interface.	171	bool send_error)
	172	{
	173	/* If we never loaded any authorization plugins, just return true */
1317.3.1 by Monty Taylor Replaced calls of size()==0 with empty().	174	if (authorization_plugins.empty())
1317.1.5 by Monty Taylor Added Authorization interface.	175	return true;
	176
	177	/* Use find_if instead of foreach so that we can collect return codes */
	178	vector<plugin::Authorization *>::const_iterator iter=
	179	find_if(authorization_plugins.begin(),
	180	authorization_plugins.end(),
1471.2.2 by Monty Taylor Updated Authorization plugin interface to use new Schema\|TableIdentifier	181	RestrictTableFunctor(user_ctx, table));
1317.1.5 by Monty Taylor Added Authorization interface.	182
	183	/*
	184	* If iter is == end() here, that means that all of the plugins returned
	185	* false, which means that that each of them believe the user is authorized
	186	* to view the resource in question.
	187	*/
	188	if (iter != authorization_plugins.end())
	189	{
	190	if (send_error)
	191	{
	192	my_error(ER_DBACCESS_DENIED_ERROR, MYF(0),
	193	user_ctx.getUser().c_str(),
	194	user_ctx.getIp().c_str(),
1471.2.2 by Monty Taylor Updated Authorization plugin interface to use new Schema\|TableIdentifier	195	table.getSQLPath().c_str());
1317.1.5 by Monty Taylor Added Authorization interface.	196	}
	197	return false;
	198	}
	199	return true;
	200	}
	201
	202	bool plugin::Authorization::isAuthorized(const SecurityContext &user_ctx,
	203	const Session *session,
	204	bool send_error)
	205	{
	206	const SecurityContext &session_ctx= session->getSecurityContext();
	207
	208	/* If we never loaded any authorization plugins, just return true */
1317.3.1 by Monty Taylor Replaced calls of size()==0 with empty().	209	if (authorization_plugins.empty())
1317.1.5 by Monty Taylor Added Authorization interface.	210	return true;
	211
	212	/* Use find_if instead of foreach so that we can collect return codes */
	213	vector<plugin::Authorization *>::const_iterator iter=
	214	find_if(authorization_plugins.begin(),
	215	authorization_plugins.end(),
	216	RestrictProcessFunctor(user_ctx, session_ctx));
	217
	218	/*
	219	* If iter is == end() here, that means that all of the plugins returned
	220	* false, which means that that each of them believe the user is authorized
	221	* to view the resource in question.
	222	*/
	223
	224	if (iter != authorization_plugins.end())
	225	{
	226	if (send_error)
	227	{
	228	my_error(ER_KILL_DENIED_ERROR, MYF(0), session->thread_id);
	229	}
	230	return false;
	231	}
	232	return true;
	233	}
	234
	235	void plugin::Authorization::pruneSchemaNames(const SecurityContext &user_ctx,
1643.3.3 by Brian Aker Updated to harmonize the identifier API.	236	SchemaIdentifiers &set_of_schemas)
1317.1.5 by Monty Taylor Added Authorization interface.	237	{
1317.1.5 by Monty Taylor Added Authorization interface.	238	/* If we never loaded any authorization plugins, just return true */
1317.3.1 by Monty Taylor Replaced calls of size()==0 with empty().	239	if (authorization_plugins.empty())
1317.1.5 by Monty Taylor Added Authorization interface.	240	return;
1317.1.5 by Monty Taylor Added Authorization interface.	241
1471.2.2 by Monty Taylor Updated Authorization plugin interface to use new Schema\|TableIdentifier	242	set_of_schemas.erase(remove_if(set_of_schemas.begin(),
	243	set_of_schemas.end(),
	244	PruneSchemaFunctor(user_ctx)),
	245	set_of_schemas.end());
1317.1.5 by Monty Taylor Added Authorization interface.	246	}
	247
	248	} /* namespace drizzled */