~drizzle-trunk/drizzle/development : contents of plugin/regex

~drizzle-trunk/drizzle/development : (revision 2378)

/* -*- mode: c++; c-basic-offset: 2; indent-tabs-mode: nil; -*-
 *  vim:expandtab:shiftwidth=2:tabstop=2:smarttab:
 *
 *  Copyright (C) 2010 Monty Taylor <mordred@inaugust.com>
 *  Copyright (C) 2011 Canonical, Ltd.
 *  Author: Clint Byrum <clint.byrum@canonical.com>
 *
 *  Copied from simple_user_policy
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; version 2 of the License.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License
 *  along with this program; if not, write to the Free Software
 *  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
 */


#pragma once

#include <iosfwd>

#include <boost/regex.hpp>
#include <boost/unordered_map.hpp>
#include <boost/thread/mutex.hpp>

#include <drizzled/configmake.h>
#include <drizzled/plugin/authorization.h>

namespace fs= boost::filesystem;

namespace regex_policy
{

static const fs::path DEFAULT_POLICY_FILE= SYSCONFDIR "/drizzle.policy";

static const char *comment_regex = "^[[:space:]]*#.*$";
static const char *empty_regex = "^[[:space:]]*$";
static const char *table_match_regex = "^([^ ]+) table\\=([^ ]+) (ACCEPT|DENY)$";
static const char *process_match_regex = "^([^ ]+) process\\=([^ ]+) (ACCEPT|DENY)$";
static const char *schema_match_regex = "^([^ ]+) schema\\=([^ ]+) (ACCEPT|DENY)$";
/* These correspond to the parenthesis above and must stay in sync */
static const int MATCH_REGEX_USER_POS= 1;
static const int MATCH_REGEX_OBJECT_POS= 2;
static const int MATCH_REGEX_ACTION_POS= 3;

typedef enum 
{
  POLICY_ACCEPT,
  POLICY_DENY
} PolicyAction;

class PolicyItem
{
  const std::string user;
  const std::string object;
  const boost::regex user_re;
  const boost::regex object_re;
  PolicyAction action;
public:
  PolicyItem(const std::string &u, const std::string &obj, const std::string &act) :
    user(u),
    object(obj),
    user_re(u),
    object_re(obj)
  { 
    if (act == "ACCEPT")
    {
      action = POLICY_ACCEPT;
    }
    else if (act == "DENY")
    {
      action = POLICY_DENY;
    }
    else
    {
      throw std::exception();
    }
  }
  bool userMatches(std::string &str);
  bool objectMatches(std::string &object_id);
  bool isRestricted();
  const std::string&getUser() const
  {
    return user;
  }
  const std::string&getObject() const
  {
    return object;
  }
  const char *getAction() const
  {
    return action == POLICY_ACCEPT ? "ACCEPT" : "DENY";
  }
};

typedef std::list<PolicyItem *> PolicyItemList;
typedef boost::unordered_map<std::string, bool> CheckMap;

static boost::mutex check_cache_mutex;

class CheckItem
{
  std::string user;
  std::string object;
  std::string key;
  bool has_cached_result;
  bool cached_result;
  CheckMap **check_cache;
public:
  CheckItem(const std::string &u, const std::string &obj, CheckMap **check_cache);
  bool operator()(PolicyItem *p);
  bool hasCachedResult() const
  {
    return has_cached_result;
  }
  bool getCachedResult() const
  {
    return cached_result;
  }
  void setCachedResult(bool result);
};

inline bool PolicyItem::userMatches(std::string &str)
{
  return boost::regex_match(str, user_re);
}

inline bool PolicyItem::objectMatches(std::string &object_id)
{
  return boost::regex_match(object_id, object_re);
}

inline bool PolicyItem::isRestricted()
{
  return action == POLICY_DENY ? true : false;
}

void clearPolicyItemList(PolicyItemList policies);

class Policy :
  public drizzled::plugin::Authorization
{
public:
  Policy(const fs::path &f_path) :
    drizzled::plugin::Authorization("Regex Policy"), policy_file(f_path), error(),
    table_check_cache(NULL), schema_check_cache(NULL), process_check_cache(NULL)
  { }

  virtual bool restrictSchema(const drizzled::identifier::User &user_ctx,
                              const drizzled::identifier::Schema& schema);

  virtual bool restrictProcess(const drizzled::identifier::User &user_ctx,
                               const drizzled::identifier::User &session_ctx);

  virtual bool restrictTable(const drizzled::identifier::User& user_ctx,
                             const drizzled::identifier::Table& table);

  bool loadFile();
  std::stringstream &getError() { return error; }
  ~Policy();
private:
  bool restrictObject(const drizzled::identifier::User &user_ctx,
                                   const std::string &obj, const PolicyItemList &policies,
                                   CheckMap **check_cache);
  fs::path policy_file;
  std::stringstream error;
  PolicyItemList table_policies;
  PolicyItemList schema_policies;
  PolicyItemList process_policies;
  CheckMap *table_check_cache;
  CheckMap *schema_check_cache;
  CheckMap *process_check_cache;
};

} /* namespace regex_policy */


2215.5.1 by Clint Byrum Adding regex_policy plugin for detailed authorization specifiction	1	/* -- mode: c++; c-basic-offset: 2; indent-tabs-mode: nil; --
	2	* vim:expandtab:shiftwidth=2:tabstop=2:smarttab:
	3	*
	4	* Copyright (C) 2010 Monty Taylor <mordred@inaugust.com>
	5	* Copyright (C) 2011 Canonical, Ltd.
	6	* Author: Clint Byrum <clint.byrum@canonical.com>
	7	*
	8	* Copied from simple_user_policy
	9	*
	10	* This program is free software; you can redistribute it and/or modify
	11	* it under the terms of the GNU General Public License as published by
	12	* the Free Software Foundation; version 2 of the License.
	13	*
	14	* This program is distributed in the hope that it will be useful,
	15	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	16	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	17	* GNU General Public License for more details.
	18	*
	19	* You should have received a copy of the GNU General Public License
	20	* along with this program; if not, write to the Free Software
	21	* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
	22	*/
	23
	24
2234 by Brian Aker Mass removal of ifdef/endif in favor of pragma once.	25	#pragma once
2215.5.1 by Clint Byrum Adding regex_policy plugin for detailed authorization specifiction	26
2371.1.1 by Brian Aker Fedora fix/use fwd header for iostream.	27	#include <iosfwd>
2215.5.1 by Clint Byrum Adding regex_policy plugin for detailed authorization specifiction	28
	29	#include <boost/regex.hpp>
	30	#include <boost/unordered_map.hpp>
	31	#include <boost/thread/mutex.hpp>
	32
	33	#include <drizzled/configmake.h>
	34	#include <drizzled/plugin/authorization.h>
	35
	36	namespace fs= boost::filesystem;
	37
	38	namespace regex_policy
	39	{
	40
	41	static const fs::path DEFAULT_POLICY_FILE= SYSCONFDIR "/drizzle.policy";
	42
	43	static const char comment_regex = "^[[:space:]]#.*$";
	44	static const char empty_regex = "^[[:space:]]$";
	45	static const char *table_match_regex = "^([^ ]+) table\\=([^ ]+) (ACCEPT\|DENY)$";
	46	static const char *process_match_regex = "^([^ ]+) process\\=([^ ]+) (ACCEPT\|DENY)$";
	47	static const char *schema_match_regex = "^([^ ]+) schema\\=([^ ]+) (ACCEPT\|DENY)$";
	48	/* These correspond to the parenthesis above and must stay in sync */
	49	static const int MATCH_REGEX_USER_POS= 1;
	50	static const int MATCH_REGEX_OBJECT_POS= 2;
	51	static const int MATCH_REGEX_ACTION_POS= 3;
	52
	53	typedef enum
	54	{
	55	POLICY_ACCEPT,
	56	POLICY_DENY
	57	} PolicyAction;
	58
	59	class PolicyItem
	60	{
	61	const std::string user;
	62	const std::string object;
	63	const boost::regex user_re;
	64	const boost::regex object_re;
	65	PolicyAction action;
	66	public:
	67	PolicyItem(const std::string &u, const std::string &obj, const std::string &act) :
	68	user(u),
	69	object(obj),
	70	user_re(u),
	71	object_re(obj)
	72	{
	73	if (act == "ACCEPT")
	74	{
	75	action = POLICY_ACCEPT;
	76	}
	77	else if (act == "DENY")
	78	{
	79	action = POLICY_DENY;
	80	}
	81	else
	82	{
	83	throw std::exception();
	84	}
	85	}
	86	bool userMatches(std::string &str);
	87	bool objectMatches(std::string &object_id);
	88	bool isRestricted();
	89	const std::string&getUser() const
	90	{
	91	return user;
92	}
93	const std::string&getObject() const
94	{
95	return object;
96	}
97	const char *getAction() const
98	{
99	return action == POLICY_ACCEPT ? "ACCEPT" : "DENY";
100	}
101	};
102
103	typedef std::list<PolicyItem *> PolicyItemList;
104	typedef boost::unordered_map<std::string, bool> CheckMap;
105
106	static boost::mutex check_cache_mutex;
107
108	class CheckItem
109	{
110	std::string user;
111	std::string object;
112	std::string key;
113	bool has_cached_result;
114	bool cached_result;
115	CheckMap **check_cache;
116	public:
117	CheckItem(const std::string &u, const std::string &obj, CheckMap **check_cache);
118	bool operator()(PolicyItem *p);
119	bool hasCachedResult() const
120	{
121	return has_cached_result;
122	}
123	bool getCachedResult() const
124	{
125	return cached_result;
126	}
127	void setCachedResult(bool result);
128	};
129
130	inline bool PolicyItem::userMatches(std::string &str)
131	{
132	return boost::regex_match(str, user_re);
133	}
134
135	inline bool PolicyItem::objectMatches(std::string &object_id)
136	{
137	return boost::regex_match(object_id, object_re);
138	}
139
140	inline bool PolicyItem::isRestricted()
141	{
142	return action == POLICY_DENY ? true : false;
143	}
144
2215.5.5 by Clint Byrum add destructor for Policy object, should eliminate last valgrind warnings	145	void clearPolicyItemList(PolicyItemList policies);
	146
2215.5.1 by Clint Byrum Adding regex_policy plugin for detailed authorization specifiction	147	class Policy :
	148	public drizzled::plugin::Authorization
	149	{
	150	public:
	151	Policy(const fs::path &f_path) :
	152	drizzled::plugin::Authorization("Regex Policy"), policy_file(f_path), error(),
	153	table_check_cache(NULL), schema_check_cache(NULL), process_check_cache(NULL)
	154	{ }
	155
	156	virtual bool restrictSchema(const drizzled::identifier::User &user_ctx,
2246.4.9 by Olaf van der Spek Remove const_reference and reference from identifier::Schema	157	const drizzled::identifier::Schema& schema);
2215.5.1 by Clint Byrum Adding regex_policy plugin for detailed authorization specifiction	158
	159	virtual bool restrictProcess(const drizzled::identifier::User &user_ctx,
	160	const drizzled::identifier::User &session_ctx);
	161
2246.4.11 by Olaf van der Spek Remove const_reference and reference from identifier::User	162	virtual bool restrictTable(const drizzled::identifier::User& user_ctx,
2246.4.10 by Olaf van der Spek Remove const_reference and reference from identifier::Table	163	const drizzled::identifier::Table& table);
2215.5.1 by Clint Byrum Adding regex_policy plugin for detailed authorization specifiction	164
	165	bool loadFile();
	166	std::stringstream &getError() { return error; }
2215.5.5 by Clint Byrum add destructor for Policy object, should eliminate last valgrind warnings	167	~Policy();
2215.5.1 by Clint Byrum Adding regex_policy plugin for detailed authorization specifiction	168	private:
	169	bool restrictObject(const drizzled::identifier::User &user_ctx,
	170	const std::string &obj, const PolicyItemList &policies,
	171	CheckMap **check_cache);
	172	fs::path policy_file;
	173	std::stringstream error;
	174	PolicyItemList table_policies;
	175	PolicyItemList schema_policies;
	176	PolicyItemList process_policies;
	177	CheckMap *table_check_cache;
	178	CheckMap *schema_check_cache;
	179	CheckMap *process_check_cache;
	180	};
	181
	182	} /* namespace regex_policy */
	183