~drizzle-trunk/drizzle/development : contents of drizzled/plugin/authorization.cc at revision 1999

~drizzle-trunk/drizzle/development : (revision 1999)

/* -*- mode: c++; c-basic-offset: 2; indent-tabs-mode: nil; -*-
 *  vim:expandtab:shiftwidth=2:tabstop=2:smarttab:
 *
 *  Copyright (C) 2010 Monty Taylor
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License
 *  along with this program; if not, write to the Free Software
 *  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
 */

#include "config.h"

#include <vector>

#include "drizzled/plugin/authorization.h"
#include "drizzled/security_context.h"
#include "drizzled/identifier.h"
#include "drizzled/error.h"
#include "drizzled/session.h"
#include "drizzled/gettext.h"

namespace drizzled
{

std::vector<plugin::Authorization *> authorization_plugins;


bool plugin::Authorization::addPlugin(plugin::Authorization *auth)
{
  if (auth != NULL)
    authorization_plugins.push_back(auth);

  return false;
}

void plugin::Authorization::removePlugin(plugin::Authorization *auth)
{
  if (auth != NULL)
  {
    authorization_plugins.erase(std::find(authorization_plugins.begin(),
                                          authorization_plugins.end(),
                                          auth));
  }
}

namespace
{

class RestrictDbFunctor :
  public std::unary_function<plugin::Authorization *, bool>
{
  const SecurityContext &user_ctx;
  SchemaIdentifier &schema;
public:
  RestrictDbFunctor(const SecurityContext &user_ctx_arg,
                    SchemaIdentifier &schema_arg) :
    std::unary_function<plugin::Authorization *, bool>(),
    user_ctx(user_ctx_arg),
    schema(schema_arg)
  { }

  inline result_type operator()(argument_type auth)
  {
    return auth->restrictSchema(user_ctx, schema);
  }
};

class RestrictTableFunctor :
  public std::unary_function<plugin::Authorization *, bool>
{
  const SecurityContext &user_ctx;
  TableIdentifier &table;
public:
  RestrictTableFunctor(const SecurityContext &user_ctx_arg,
                       TableIdentifier &table_arg) :
    std::unary_function<plugin::Authorization *, bool>(),
    user_ctx(user_ctx_arg),
    table(table_arg)
  { }

  inline result_type operator()(argument_type auth)
  {
    return auth->restrictTable(user_ctx, table);
  }
};

class RestrictProcessFunctor :
  public std::unary_function<plugin::Authorization *, bool>
{
  const SecurityContext &user_ctx;
  const SecurityContext &session_ctx;
public:
  RestrictProcessFunctor(const SecurityContext &user_ctx_arg,
                         const SecurityContext &session_ctx_arg) :
    std::unary_function<plugin::Authorization *, bool>(),
    user_ctx(user_ctx_arg),
    session_ctx(session_ctx_arg)
  { }

  inline result_type operator()(argument_type auth)
  {
    return auth->restrictProcess(user_ctx, session_ctx);
  }
};

class PruneSchemaFunctor :
  public std::unary_function<SchemaIdentifier&, bool>
{
  const SecurityContext &user_ctx;
public:
  PruneSchemaFunctor(const SecurityContext &user_ctx_arg) :
    std::unary_function<SchemaIdentifier&, bool>(),
    user_ctx(user_ctx_arg)
  { }

  inline result_type operator()(argument_type auth)
  {
    return not plugin::Authorization::isAuthorized(user_ctx, auth, false);
  }
};

} /* namespace */

bool plugin::Authorization::isAuthorized(const SecurityContext &user_ctx,
                                         SchemaIdentifier &schema_identifier,
                                         bool send_error)
{
  /* If we never loaded any authorization plugins, just return true */
  if (authorization_plugins.empty())
    return true;

  /* Use find_if instead of foreach so that we can collect return codes */
  std::vector<plugin::Authorization *>::const_iterator iter=
    std::find_if(authorization_plugins.begin(),
                 authorization_plugins.end(),
                 RestrictDbFunctor(user_ctx, schema_identifier));


  /*
   * If iter is == end() here, that means that all of the plugins returned
   * false, which means that that each of them believe the user is authorized
   * to view the resource in question.
   */
  if (iter != authorization_plugins.end())
  {
    if (send_error)
    {
      std::string path;
      schema_identifier.getSQLPath(path);

      my_error(ER_DBACCESS_DENIED_ERROR, MYF(0),
               user_ctx.getUser().c_str(),
               user_ctx.getIp().c_str(),
               path.c_str());
    }
    return false;
  }
  return true;
}

bool plugin::Authorization::isAuthorized(const SecurityContext &user_ctx,
                                         TableIdentifier &table,
                                         bool send_error)
{
  /* If we never loaded any authorization plugins, just return true */
  if (authorization_plugins.empty())
    return true;

  /* Use find_if instead of foreach so that we can collect return codes */
  std::vector<plugin::Authorization *>::const_iterator iter=
    std::find_if(authorization_plugins.begin(),
            authorization_plugins.end(),
            RestrictTableFunctor(user_ctx, table));

  /*
   * If iter is == end() here, that means that all of the plugins returned
   * false, which means that that each of them believe the user is authorized
   * to view the resource in question.
   */
  if (iter != authorization_plugins.end())
  {
    if (send_error)
    {
      std::string path;
      table.getSQLPath(path);

      my_error(ER_DBACCESS_DENIED_ERROR, MYF(0),
               user_ctx.getUser().c_str(),
               user_ctx.getIp().c_str(),
               path.c_str());
    }
    return false;
  }
  return true;
}

bool plugin::Authorization::isAuthorized(const SecurityContext &user_ctx,
                                         const Session *session,
                                         bool send_error)
{
  const SecurityContext &session_ctx= session->getSecurityContext();

  /* If we never loaded any authorization plugins, just return true */
  if (authorization_plugins.empty())
    return true;

  /* Use find_if instead of foreach so that we can collect return codes */
  std::vector<plugin::Authorization *>::const_iterator iter=
    std::find_if(authorization_plugins.begin(),
                 authorization_plugins.end(),
                 RestrictProcessFunctor(user_ctx, session_ctx));

  /*
   * If iter is == end() here, that means that all of the plugins returned
   * false, which means that that each of them believe the user is authorized
   * to view the resource in question.
   */

  if (iter != authorization_plugins.end())
  {
    if (send_error)
    {
      my_error(ER_KILL_DENIED_ERROR, MYF(0), session->thread_id);
    }
    return false;
  }
  return true;
}

void plugin::Authorization::pruneSchemaNames(const SecurityContext &user_ctx,
                                             SchemaIdentifier::vector &set_of_schemas)
{
  /* If we never loaded any authorization plugins, just return true */
  if (authorization_plugins.empty())
    return;

  set_of_schemas.erase(std::remove_if(set_of_schemas.begin(),
                                      set_of_schemas.end(),
                                      PruneSchemaFunctor(user_ctx)),
                       set_of_schemas.end());
}

} /* namespace drizzled */

1317.1.5 by Monty Taylor Added Authorization interface.	1	/* -- mode: c++; c-basic-offset: 2; indent-tabs-mode: nil; --
	2	* vim:expandtab:shiftwidth=2:tabstop=2:smarttab:
	3	*
	4	* Copyright (C) 2010 Monty Taylor
	5	*
	6	* This program is free software; you can redistribute it and/or modify
	7	* it under the terms of the GNU General Public License as published by
	8	* the Free Software Foundation; either version 2 of the License, or
	9	* (at your option) any later version.
	10	*
	11	* This program is distributed in the hope that it will be useful,
	12	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	13	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	14	* GNU General Public License for more details.
	15	*
	16	* You should have received a copy of the GNU General Public License
	17	* along with this program; if not, write to the Free Software
	18	* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
	19	*/
	20
	21	#include "config.h"
	22
	23	#include <vector>
	24
	25	#include "drizzled/plugin/authorization.h"
	26	#include "drizzled/security_context.h"
1660.1.1 by Brian Aker Merge in move identifier work.	27	#include "drizzled/identifier.h"
1317.1.5 by Monty Taylor Added Authorization interface.	28	#include "drizzled/error.h"
	29	#include "drizzled/session.h"
	30	#include "drizzled/gettext.h"
	31
	32	namespace drizzled
	33	{
	34
1966.2.6 by Brian Aker This is from the catalog patch (I'm pushing it up as its own little thing	35	std::vector<plugin::Authorization *> authorization_plugins;
1317.1.5 by Monty Taylor Added Authorization interface.	36
	37
	38	bool plugin::Authorization::addPlugin(plugin::Authorization *auth)
	39	{
	40	if (auth != NULL)
	41	authorization_plugins.push_back(auth);
1966.2.13 by Brian Aker Fix for solaris find for std::find.	42
1317.1.5 by Monty Taylor Added Authorization interface.	43	return false;
	44	}
	45
	46	void plugin::Authorization::removePlugin(plugin::Authorization *auth)
	47	{
	48	if (auth != NULL)
	49	{
1966.2.13 by Brian Aker Fix for solaris find for std::find.	50	authorization_plugins.erase(std::find(authorization_plugins.begin(),
	51	authorization_plugins.end(),
	52	auth));
1317.1.5 by Monty Taylor Added Authorization interface.	53	}
	54	}
	55
	56	namespace
	57	{
	58
	59	class RestrictDbFunctor :
1966.2.9 by Brian Aker Remove the use of "using std" from the plugin interface .cc files.	60	public std::unary_function<plugin::Authorization *, bool>
1317.1.5 by Monty Taylor Added Authorization interface.	61	{
1317.1.5 by Monty Taylor Added Authorization interface.	62	const SecurityContext &user_ctx;
1471.2.2 by Monty Taylor Updated Authorization plugin interface to use new Schema\|TableIdentifier	63	SchemaIdentifier &schema;
1317.1.5 by Monty Taylor Added Authorization interface.	64	public:
1317.1.5 by Monty Taylor Added Authorization interface.	65	RestrictDbFunctor(const SecurityContext &user_ctx_arg,
1471.2.2 by Monty Taylor Updated Authorization plugin interface to use new Schema\|TableIdentifier	66	SchemaIdentifier &schema_arg) :
1966.2.9 by Brian Aker Remove the use of "using std" from the plugin interface .cc files.	67	std::unary_function<plugin::Authorization *, bool>(),
1317.1.5 by Monty Taylor Added Authorization interface.	68	user_ctx(user_ctx_arg),
	69	schema(schema_arg)
	70	{ }
	71
	72	inline result_type operator()(argument_type auth)
	73	{
	74	return auth->restrictSchema(user_ctx, schema);
	75	}
	76	};
	77
	78	class RestrictTableFunctor :
1966.2.9 by Brian Aker Remove the use of "using std" from the plugin interface .cc files.	79	public std::unary_function<plugin::Authorization *, bool>
1317.1.5 by Monty Taylor Added Authorization interface.	80	{
1317.1.5 by Monty Taylor Added Authorization interface.	81	const SecurityContext &user_ctx;
1471.2.2 by Monty Taylor Updated Authorization plugin interface to use new Schema\|TableIdentifier	82	TableIdentifier &table;
1317.1.5 by Monty Taylor Added Authorization interface.	83	public:
1317.1.5 by Monty Taylor Added Authorization interface.	84	RestrictTableFunctor(const SecurityContext &user_ctx_arg,
1471.2.2 by Monty Taylor Updated Authorization plugin interface to use new Schema\|TableIdentifier	85	TableIdentifier &table_arg) :
1966.2.9 by Brian Aker Remove the use of "using std" from the plugin interface .cc files.	86	std::unary_function<plugin::Authorization *, bool>(),
1317.1.5 by Monty Taylor Added Authorization interface.	87	user_ctx(user_ctx_arg),
	88	table(table_arg)
	89	{ }
	90
	91	inline result_type operator()(argument_type auth)
	92	{
1471.2.2 by Monty Taylor Updated Authorization plugin interface to use new Schema\|TableIdentifier	93	return auth->restrictTable(user_ctx, table);
1317.1.5 by Monty Taylor Added Authorization interface.	94	}
	95	};
	96
	97	class RestrictProcessFunctor :
1966.2.9 by Brian Aker Remove the use of "using std" from the plugin interface .cc files.	98	public std::unary_function<plugin::Authorization *, bool>
1317.1.5 by Monty Taylor Added Authorization interface.	99	{
	100	const SecurityContext &user_ctx;
	101	const SecurityContext &session_ctx;
	102	public:
	103	RestrictProcessFunctor(const SecurityContext &user_ctx_arg,
	104	const SecurityContext &session_ctx_arg) :
1966.2.9 by Brian Aker Remove the use of "using std" from the plugin interface .cc files.	105	std::unary_function<plugin::Authorization *, bool>(),
1317.1.5 by Monty Taylor Added Authorization interface.	106	user_ctx(user_ctx_arg),
	107	session_ctx(session_ctx_arg)
	108	{ }
	109
	110	inline result_type operator()(argument_type auth)
	111	{
	112	return auth->restrictProcess(user_ctx, session_ctx);
	113	}
	114	};
	115
1471.2.2 by Monty Taylor Updated Authorization plugin interface to use new Schema\|TableIdentifier	116	class PruneSchemaFunctor :
1966.2.9 by Brian Aker Remove the use of "using std" from the plugin interface .cc files.	117	public std::unary_function<SchemaIdentifier&, bool>
1471.2.2 by Monty Taylor Updated Authorization plugin interface to use new Schema\|TableIdentifier	118	{
	119	const SecurityContext &user_ctx;
	120	public:
	121	PruneSchemaFunctor(const SecurityContext &user_ctx_arg) :
1966.2.9 by Brian Aker Remove the use of "using std" from the plugin interface .cc files.	122	std::unary_function<SchemaIdentifier&, bool>(),
1471.2.2 by Monty Taylor Updated Authorization plugin interface to use new Schema\|TableIdentifier	123	user_ctx(user_ctx_arg)
	124	{ }
	125
	126	inline result_type operator()(argument_type auth)
	127	{
	128	return not plugin::Authorization::isAuthorized(user_ctx, auth, false);
	129	}
	130	};
	131
1317.1.5 by Monty Taylor Added Authorization interface.	132	} /* namespace */
	133
	134	bool plugin::Authorization::isAuthorized(const SecurityContext &user_ctx,
1415 by Brian Aker Mass overhaul to use schema_identifier.	135	SchemaIdentifier &schema_identifier,
1317.1.5 by Monty Taylor Added Authorization interface.	136	bool send_error)
	137	{
	138	/* If we never loaded any authorization plugins, just return true */
1317.3.1 by Monty Taylor Replaced calls of size()==0 with empty().	139	if (authorization_plugins.empty())
1317.1.5 by Monty Taylor Added Authorization interface.	140	return true;
	141
	142	/* Use find_if instead of foreach so that we can collect return codes */
1966.2.6 by Brian Aker This is from the catalog patch (I'm pushing it up as its own little thing	143	std::vector<plugin::Authorization *>::const_iterator iter=
1966.2.9 by Brian Aker Remove the use of "using std" from the plugin interface .cc files.	144	std::find_if(authorization_plugins.begin(),
	145	authorization_plugins.end(),
	146	RestrictDbFunctor(user_ctx, schema_identifier));
1471.2.2 by Monty Taylor Updated Authorization plugin interface to use new Schema\|TableIdentifier	147
1317.1.5 by Monty Taylor Added Authorization interface.	148
	149	/*
	150	* If iter is == end() here, that means that all of the plugins returned
	151	* false, which means that that each of them believe the user is authorized
	152	* to view the resource in question.
	153	*/
	154	if (iter != authorization_plugins.end())
	155	{
	156	if (send_error)
	157	{
1954.2.1 by Brian Aker getSQLPath() modified to take a string so that we can const the table	158	std::string path;
	159	schema_identifier.getSQLPath(path);
	160
1317.1.5 by Monty Taylor Added Authorization interface.	161	my_error(ER_DBACCESS_DENIED_ERROR, MYF(0),
	162	user_ctx.getUser().c_str(),
	163	user_ctx.getIp().c_str(),
1954.2.1 by Brian Aker getSQLPath() modified to take a string so that we can const the table	164	path.c_str());
1317.1.5 by Monty Taylor Added Authorization interface.	165	}
	166	return false;
	167	}
	168	return true;
	169	}
	170
	171	bool plugin::Authorization::isAuthorized(const SecurityContext &user_ctx,
1471.2.2 by Monty Taylor Updated Authorization plugin interface to use new Schema\|TableIdentifier	172	TableIdentifier &table,
1317.1.5 by Monty Taylor Added Authorization interface.	173	bool send_error)
	174	{
	175	/* If we never loaded any authorization plugins, just return true */
1317.3.1 by Monty Taylor Replaced calls of size()==0 with empty().	176	if (authorization_plugins.empty())
1317.1.5 by Monty Taylor Added Authorization interface.	177	return true;
	178
	179	/* Use find_if instead of foreach so that we can collect return codes */
1966.2.6 by Brian Aker This is from the catalog patch (I'm pushing it up as its own little thing	180	std::vector<plugin::Authorization *>::const_iterator iter=
1966.2.15 by Brian Aker Did a grep for _if(	181	std::find_if(authorization_plugins.begin(),
1317.1.5 by Monty Taylor Added Authorization interface.	182	authorization_plugins.end(),
1471.2.2 by Monty Taylor Updated Authorization plugin interface to use new Schema\|TableIdentifier	183	RestrictTableFunctor(user_ctx, table));
1317.1.5 by Monty Taylor Added Authorization interface.	184
	185	/*
	186	* If iter is == end() here, that means that all of the plugins returned
	187	* false, which means that that each of them believe the user is authorized
	188	* to view the resource in question.
	189	*/
	190	if (iter != authorization_plugins.end())
	191	{
	192	if (send_error)
	193	{
1954.2.1 by Brian Aker getSQLPath() modified to take a string so that we can const the table	194	std::string path;
	195	table.getSQLPath(path);
	196
1317.1.5 by Monty Taylor Added Authorization interface.	197	my_error(ER_DBACCESS_DENIED_ERROR, MYF(0),
	198	user_ctx.getUser().c_str(),
	199	user_ctx.getIp().c_str(),
1954.2.1 by Brian Aker getSQLPath() modified to take a string so that we can const the table	200	path.c_str());
1317.1.5 by Monty Taylor Added Authorization interface.	201	}
	202	return false;
	203	}
	204	return true;
	205	}
	206
	207	bool plugin::Authorization::isAuthorized(const SecurityContext &user_ctx,
	208	const Session *session,
	209	bool send_error)
	210	{
	211	const SecurityContext &session_ctx= session->getSecurityContext();
	212
	213	/* If we never loaded any authorization plugins, just return true */
1317.3.1 by Monty Taylor Replaced calls of size()==0 with empty().	214	if (authorization_plugins.empty())
1317.1.5 by Monty Taylor Added Authorization interface.	215	return true;
	216
	217	/* Use find_if instead of foreach so that we can collect return codes */
1966.2.6 by Brian Aker This is from the catalog patch (I'm pushing it up as its own little thing	218	std::vector<plugin::Authorization *>::const_iterator iter=
1966.2.15 by Brian Aker Did a grep for _if(	219	std::find_if(authorization_plugins.begin(),
	220	authorization_plugins.end(),
	221	RestrictProcessFunctor(user_ctx, session_ctx));
1317.1.5 by Monty Taylor Added Authorization interface.	222
	223	/*
	224	* If iter is == end() here, that means that all of the plugins returned
	225	* false, which means that that each of them believe the user is authorized
	226	* to view the resource in question.
	227	*/
	228
	229	if (iter != authorization_plugins.end())
	230	{
	231	if (send_error)
	232	{
	233	my_error(ER_KILL_DENIED_ERROR, MYF(0), session->thread_id);
	234	}
	235	return false;
	236	}
	237	return true;
	238	}
	239
	240	void plugin::Authorization::pruneSchemaNames(const SecurityContext &user_ctx,
1966.2.3 by Brian Aker Fix another style issue.	241	SchemaIdentifier::vector &set_of_schemas)
1317.1.5 by Monty Taylor Added Authorization interface.	242	{
1317.1.5 by Monty Taylor Added Authorization interface.	243	/* If we never loaded any authorization plugins, just return true */
1317.3.1 by Monty Taylor Replaced calls of size()==0 with empty().	244	if (authorization_plugins.empty())
1317.1.5 by Monty Taylor Added Authorization interface.	245	return;
1317.1.5 by Monty Taylor Added Authorization interface.	246
1966.2.15 by Brian Aker Did a grep for _if(	247	set_of_schemas.erase(std::remove_if(set_of_schemas.begin(),
	248	set_of_schemas.end(),
	249	PruneSchemaFunctor(user_ctx)),
1471.2.2 by Monty Taylor Updated Authorization plugin interface to use new Schema\|TableIdentifier	250	set_of_schemas.end());
1317.1.5 by Monty Taylor Added Authorization interface.	251	}
	252
	253	} /* namespace drizzled */