~drizzle-trunk/drizzle/development : contents of plugin/regex

~drizzle-trunk/drizzle/development : (revision 2239.1.1)

/* -*- mode: c++; c-basic-offset: 2; indent-tabs-mode: nil; -*-
 *  vim:expandtab:shiftwidth=2:tabstop=2:smarttab:
 *
 *  Copyright (C) 2010 Monty Taylor <mordred@inaugust.com>
 *  Copyright (C) 2011 Canonical, Ltd.
 *  Author: Clint Byrum <clint.byrum@canonical.com>
 *
 *  Copied from simple_user_policy
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; version 2 of the License.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License
 *  along with this program; if not, write to the Free Software
 *  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
 */


#pragma once

#include <iostream>
#include <fstream>

#include <boost/regex.hpp>
#include <boost/unordered_map.hpp>
#include <boost/thread/mutex.hpp>

#include <drizzled/configmake.h>
#include <drizzled/plugin/authorization.h>

namespace fs= boost::filesystem;

namespace regex_policy
{

static const fs::path DEFAULT_POLICY_FILE= SYSCONFDIR "/drizzle.policy";

static const char *comment_regex = "^[[:space:]]*#.*$";
static const char *empty_regex = "^[[:space:]]*$";
static const char *table_match_regex = "^([^ ]+) table\\=([^ ]+) (ACCEPT|DENY)$";
static const char *process_match_regex = "^([^ ]+) process\\=([^ ]+) (ACCEPT|DENY)$";
static const char *schema_match_regex = "^([^ ]+) schema\\=([^ ]+) (ACCEPT|DENY)$";
/* These correspond to the parenthesis above and must stay in sync */
static const int MATCH_REGEX_USER_POS= 1;
static const int MATCH_REGEX_OBJECT_POS= 2;
static const int MATCH_REGEX_ACTION_POS= 3;

typedef enum 
{
  POLICY_ACCEPT,
  POLICY_DENY
} PolicyAction;

class PolicyItem
{
  const std::string user;
  const std::string object;
  const boost::regex user_re;
  const boost::regex object_re;
  PolicyAction action;
public:
  PolicyItem(const std::string &u, const std::string &obj, const std::string &act) :
    user(u),
    object(obj),
    user_re(u),
    object_re(obj)
  { 
    if (act == "ACCEPT")
    {
      action = POLICY_ACCEPT;
    }
    else if (act == "DENY")
    {
      action = POLICY_DENY;
    }
    else
    {
      throw std::exception();
    }
  }
  bool userMatches(std::string &str);
  bool objectMatches(std::string &object_id);
  bool isRestricted();
  const std::string&getUser() const
  {
    return user;
  }
  const std::string&getObject() const
  {
    return object;
  }
  const char *getAction() const
  {
    return action == POLICY_ACCEPT ? "ACCEPT" : "DENY";
  }
};

typedef std::list<PolicyItem *> PolicyItemList;
typedef boost::unordered_map<std::string, bool> CheckMap;

static boost::mutex check_cache_mutex;

class CheckItem
{
  std::string user;
  std::string object;
  std::string key;
  bool has_cached_result;
  bool cached_result;
  CheckMap **check_cache;
public:
  CheckItem(const std::string &u, const std::string &obj, CheckMap **check_cache);
  bool operator()(PolicyItem *p);
  bool hasCachedResult() const
  {
    return has_cached_result;
  }
  bool getCachedResult() const
  {
    return cached_result;
  }
  void setCachedResult(bool result);
};

inline bool PolicyItem::userMatches(std::string &str)
{
  return boost::regex_match(str, user_re);
}

inline bool PolicyItem::objectMatches(std::string &object_id)
{
  return boost::regex_match(object_id, object_re);
}

inline bool PolicyItem::isRestricted()
{
  return action == POLICY_DENY ? true : false;
}

void clearPolicyItemList(PolicyItemList policies);

class Policy :
  public drizzled::plugin::Authorization
{
public:
  Policy(const fs::path &f_path) :
    drizzled::plugin::Authorization("Regex Policy"), policy_file(f_path), error(),
    table_check_cache(NULL), schema_check_cache(NULL), process_check_cache(NULL)
  { }

  virtual bool restrictSchema(const drizzled::identifier::User &user_ctx,
                              drizzled::identifier::Schema::const_reference schema);

  virtual bool restrictProcess(const drizzled::identifier::User &user_ctx,
                               const drizzled::identifier::User &session_ctx);

  virtual bool restrictTable(drizzled::identifier::User::const_reference user_ctx,
                             drizzled::identifier::Table::const_reference table);

  bool loadFile();
  std::stringstream &getError() { return error; }
  ~Policy();
private:
  bool restrictObject(const drizzled::identifier::User &user_ctx,
                                   const std::string &obj, const PolicyItemList &policies,
                                   CheckMap **check_cache);
  fs::path policy_file;
  std::stringstream error;
  PolicyItemList table_policies;
  PolicyItemList schema_policies;
  PolicyItemList process_policies;
  CheckMap *table_check_cache;
  CheckMap *schema_check_cache;
  CheckMap *process_check_cache;
};

} /* namespace regex_policy */


2215.5.1 by Clint Byrum Adding regex_policy plugin for detailed authorization specifiction	1	/* -- mode: c++; c-basic-offset: 2; indent-tabs-mode: nil; --
	2	* vim:expandtab:shiftwidth=2:tabstop=2:smarttab:
	3	*
	4	* Copyright (C) 2010 Monty Taylor <mordred@inaugust.com>
	5	* Copyright (C) 2011 Canonical, Ltd.
	6	* Author: Clint Byrum <clint.byrum@canonical.com>
	7	*
	8	* Copied from simple_user_policy
	9	*
	10	* This program is free software; you can redistribute it and/or modify
	11	* it under the terms of the GNU General Public License as published by
	12	* the Free Software Foundation; version 2 of the License.
	13	*
	14	* This program is distributed in the hope that it will be useful,
	15	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	16	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	17	* GNU General Public License for more details.
	18	*
	19	* You should have received a copy of the GNU General Public License
	20	* along with this program; if not, write to the Free Software
	21	* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
	22	*/
	23
	24
2234 by Brian Aker Mass removal of ifdef/endif in favor of pragma once.	25	#pragma once
2215.5.1 by Clint Byrum Adding regex_policy plugin for detailed authorization specifiction	26
	27	#include <iostream>
	28	#include <fstream>
	29
	30	#include <boost/regex.hpp>
	31	#include <boost/unordered_map.hpp>
	32	#include <boost/thread/mutex.hpp>
	33
	34	#include <drizzled/configmake.h>
	35	#include <drizzled/plugin/authorization.h>
	36
	37	namespace fs= boost::filesystem;
	38
	39	namespace regex_policy
	40	{
	41
	42	static const fs::path DEFAULT_POLICY_FILE= SYSCONFDIR "/drizzle.policy";
	43
	44	static const char comment_regex = "^[[:space:]]#.*$";
	45	static const char empty_regex = "^[[:space:]]$";
	46	static const char *table_match_regex = "^([^ ]+) table\\=([^ ]+) (ACCEPT\|DENY)$";
	47	static const char *process_match_regex = "^([^ ]+) process\\=([^ ]+) (ACCEPT\|DENY)$";
	48	static const char *schema_match_regex = "^([^ ]+) schema\\=([^ ]+) (ACCEPT\|DENY)$";
	49	/* These correspond to the parenthesis above and must stay in sync */
	50	static const int MATCH_REGEX_USER_POS= 1;
	51	static const int MATCH_REGEX_OBJECT_POS= 2;
	52	static const int MATCH_REGEX_ACTION_POS= 3;
	53
	54	typedef enum
	55	{
	56	POLICY_ACCEPT,
	57	POLICY_DENY
	58	} PolicyAction;
	59
	60	class PolicyItem
	61	{
	62	const std::string user;
	63	const std::string object;
	64	const boost::regex user_re;
	65	const boost::regex object_re;
	66	PolicyAction action;
	67	public:
	68	PolicyItem(const std::string &u, const std::string &obj, const std::string &act) :
	69	user(u),
	70	object(obj),
	71	user_re(u),
	72	object_re(obj)
	73	{
	74	if (act == "ACCEPT")
	75	{
	76	action = POLICY_ACCEPT;
	77	}
	78	else if (act == "DENY")
	79	{
	80	action = POLICY_DENY;
	81	}
	82	else
	83	{
	84	throw std::exception();
	85	}
	86	}
	87	bool userMatches(std::string &str);
	88	bool objectMatches(std::string &object_id);
	89	bool isRestricted();
90	const std::string&getUser() const
91	{
92	return user;
93	}
94	const std::string&getObject() const
95	{
96	return object;
97	}
98	const char *getAction() const
99	{
100	return action == POLICY_ACCEPT ? "ACCEPT" : "DENY";
101	}
102	};
103
104	typedef std::list<PolicyItem *> PolicyItemList;
105	typedef boost::unordered_map<std::string, bool> CheckMap;
106
107	static boost::mutex check_cache_mutex;
108
109	class CheckItem
110	{
111	std::string user;
112	std::string object;
113	std::string key;
114	bool has_cached_result;
115	bool cached_result;
116	CheckMap **check_cache;
117	public:
118	CheckItem(const std::string &u, const std::string &obj, CheckMap **check_cache);
119	bool operator()(PolicyItem *p);
120	bool hasCachedResult() const
121	{
122	return has_cached_result;
123	}
124	bool getCachedResult() const
125	{
126	return cached_result;
127	}
128	void setCachedResult(bool result);
129	};
130
131	inline bool PolicyItem::userMatches(std::string &str)
132	{
133	return boost::regex_match(str, user_re);
134	}
135
136	inline bool PolicyItem::objectMatches(std::string &object_id)
137	{
138	return boost::regex_match(object_id, object_re);
139	}
140
141	inline bool PolicyItem::isRestricted()
142	{
143	return action == POLICY_DENY ? true : false;
144	}
145
2215.5.5 by Clint Byrum add destructor for Policy object, should eliminate last valgrind warnings	146	void clearPolicyItemList(PolicyItemList policies);
	147
2215.5.1 by Clint Byrum Adding regex_policy plugin for detailed authorization specifiction	148	class Policy :
	149	public drizzled::plugin::Authorization
	150	{
	151	public:
	152	Policy(const fs::path &f_path) :
	153	drizzled::plugin::Authorization("Regex Policy"), policy_file(f_path), error(),
	154	table_check_cache(NULL), schema_check_cache(NULL), process_check_cache(NULL)
	155	{ }
	156
	157	virtual bool restrictSchema(const drizzled::identifier::User &user_ctx,
	158	drizzled::identifier::Schema::const_reference schema);
	159
	160	virtual bool restrictProcess(const drizzled::identifier::User &user_ctx,
	161	const drizzled::identifier::User &session_ctx);
	162
	163	virtual bool restrictTable(drizzled::identifier::User::const_reference user_ctx,
	164	drizzled::identifier::Table::const_reference table);
	165
	166	bool loadFile();
	167	std::stringstream &getError() { return error; }
2215.5.5 by Clint Byrum add destructor for Policy object, should eliminate last valgrind warnings	168	~Policy();
2215.5.1 by Clint Byrum Adding regex_policy plugin for detailed authorization specifiction	169	private:
	170	bool restrictObject(const drizzled::identifier::User &user_ctx,
	171	const std::string &obj, const PolicyItemList &policies,
	172	CheckMap **check_cache);
	173	fs::path policy_file;
	174	std::stringstream error;
	175	PolicyItemList table_policies;
	176	PolicyItemList schema_policies;
	177	PolicyItemList process_policies;
	178	CheckMap *table_check_cache;
	179	CheckMap *schema_check_cache;
	180	CheckMap *process_check_cache;
	181	};
	182
	183	} /* namespace regex_policy */
	184