~drizzle-trunk/drizzle/development

2215.5.1 by Clint Byrum
Adding regex_policy plugin for detailed authorization specifiction
/* -*- mode: c++; c-basic-offset: 2; indent-tabs-mode: nil; -*-
 *  vim:expandtab:shiftwidth=2:tabstop=2:smarttab:
 *
 *  Copyright (C) 2010 Monty Taylor <mordred@inaugust.com>
 *  Copyright (C) 2011 Canonical, Ltd.
 *  Author: Clint Byrum <clint.byrum@canonical.com>
 *
 *  Copied from simple_user_policy
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; version 2 of the License.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License
 *  along with this program; if not, write to the Free Software
 *  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
 */
#include <config.h>
#include <drizzled/plugin/authorization.h>
#include <drizzled/module/option_map.h>
#include "policy.h"
2371.1.1 by Brian Aker
Fedora fix/use fwd header for iostream.
#include <fstream>
2215.5.1 by Clint Byrum
Adding regex_policy plugin for detailed authorization specifiction
namespace po= boost::program_options;
using namespace std;
using namespace drizzled;
namespace regex_policy
{
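/**
 * Plugin initialisation: builds the authorization Policy from the file named
 * by the "policy" option and registers it with the module context.
 *
 * @param context module context that supplies the parsed options and receives
 *                the Policy object and the "policy" variable
 * @return 0 on success, 1 when the policy file could not be loaded
 *
 * A Policy whose file fails to load is deleted and never passed to
 * context.add(): the function reports the error and returns non-zero rather
 * than registering a partially loaded rule set.
 */
static int init(module::Context &context)
{
  const module::option_map &vm= context.getOptions();
  const string policy_path= vm["policy"].as<string>();

  /* Plain new throws on allocation failure, so policy is never NULL below;
     the former NULL test in the error message was unreachable. */
  Policy *policy= new Policy(fs::path(policy_path));
  if (not policy->loadFile())
  {
    errmsg_printf(error::ERROR, _("Could not load regex policy file: %s\n"),
                  policy->getError().str().c_str());
    delete policy;
    return 1;
  }

  context.add(policy);
  context.registerVariable(new sys_var_const_string_val("policy", policy_path));

  return 0;
}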
/**
 * Declares the options this plugin accepts.
 *
 * There is a single option, "policy": the file to load the regex
 * authorization rules from. Its default is DEFAULT_POLICY_FILE.
 */
static void init_options(drizzled::module::option_context &context)
{
  const string default_policy_path= DEFAULT_POLICY_FILE.string();

  context("policy",
          po::value<string>()->default_value(default_policy_path),
          N_("File to load for regex authorization policies"));
}
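/**
 * Reads the policy file and fills the table, process and schema rule lists.
 *
 * Every line must be a comment, an empty line, or a rule matching one of the
 * three rule patterns; any other line aborts the load. Rules are appended in
 * file order, and restrictObject() applies the first rule that matches, so
 * the order of lines in the file is significant.
 *
 * The load is all-or-nothing from the caller's point of view: on any compile,
 * open, read or parse problem the function returns false and leaves a
 * description in the error stream. This matters because requests that match
 * no rule are allowed (see restrictObject()), so a policy that silently lost
 * its later lines would be a more permissive policy.
 *
 * @return true when the whole file was read and parsed, false otherwise
 */
bool Policy::loadFile()
{
  ifstream file(policy_file.string().c_str());
  boost::regex comment_re;
  boost::regex empty_re;
  boost::regex table_matches_re;
  boost::regex process_matches_re;
  boost::regex schema_matches_re;

  /* Compile the line patterns up front so a bad pattern is reported once,
     before any line is read. */
  try
  {
    comment_re= comment_regex;
    empty_re= empty_regex;
    table_matches_re= table_match_regex;
    process_matches_re= process_match_regex;
    schema_matches_re= schema_match_regex;
  }
  catch (const std::exception &e)
  {
    error << e.what();
    return false;
  }

  if (! file.is_open())
  {
    error << "Unable to open regex policy file: " << policy_file.string();
    return false;
  }

  int lines= 0;
  try
  {
    string line;
    /* Loop on getline() itself. Testing eof() before reading never
       terminates on a stream that fails without reaching end-of-file, and it
       processes one phantom empty line after the final newline. */
    while (getline(file, line))
    {
      ++lines;
      if (boost::regex_match(line, comment_re) || boost::regex_match(line, empty_re))
      {
        continue;
      }

      boost::smatch matches;
      PolicyItemList *policies= NULL;
      if (boost::regex_match(line, matches, table_matches_re, boost::match_extra))
      {
        policies= &table_policies;
      }
      else if (boost::regex_match(line, matches, process_matches_re, boost::match_extra))
      {
        policies= &process_policies;
      }
      else if (boost::regex_match(line, matches, schema_matches_re, boost::match_extra))
      {
        policies= &schema_policies;
      }
      else
      {
        /* Not a comment, not blank and not a rule: reject the whole file
           instead of skipping the line. */
        throw std::exception();
      }

      string user_regex= matches[MATCH_REGEX_USER_POS].str();
      string object_regex= matches[MATCH_REGEX_OBJECT_POS].str();
      string action= matches[MATCH_REGEX_ACTION_POS].str();

      PolicyItem *i;
      try
      {
        i= new PolicyItem(user_regex, object_regex, action);
      }
      catch (const std::exception &)
      {
        error << "Bad policy item: user=" << user_regex << " object=" << object_regex << " action=" << action;
        throw std::exception();
      }
      policies->push_back(i);
    }

    if (! file.eof())
    {
      /* The loop stopped on a read failure rather than at end-of-file, so
         any rules after this point were never seen. */
      error << "Error reading regex policy file: " << policy_file.string();
      return false;
    }
    return true;
  }
  catch (const std::exception &e)
  {
    /* On any non-EOF break, unparseable line */
    error << "Unable to parse line " << lines << " of policy file " << policy_file.string() << ":" << e.what();
    return false;
  }
}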
2215.5.5 by Clint Byrum
add destructor for Policy object, should eliminate last valgrind warnings
/**
 * Deletes every PolicyItem that the given list points to.
 *
 * NOTE(review): the list is taken by value, so the NULL assignments below are
 * made in a copy. The caller's own list keeps its pointers, which dangle once
 * this function returns. ~Policy() does not use the lists after calling this,
 * but any other caller must not dereference its entries afterwards.
 */
void clearPolicyItemList(PolicyItemList policies)
{
  PolicyItemList::iterator item= policies.begin();
  while (item != policies.end())
  {
    delete *item;
    *item= NULL;
    ++item;
  }
}
/**
 * Releases what the Policy owns: the PolicyItem objects referenced by the
 * three rule lists and the three check caches.
 */
Policy::~Policy()
{
  /* Table rules and their cache. */
  clearPolicyItemList(table_policies);
  delete table_check_cache;

  /* Process rules and their cache. */
  clearPolicyItemList(process_policies);
  delete process_check_cache;

  /* Schema rules and their cache. */
  clearPolicyItemList(schema_policies);
  delete schema_check_cache;
}
2215.5.1 by Clint Byrum
Adding regex_policy plugin for detailed authorization specifiction
/**
 * Decides whether user_ctx is restricted from obj under one rule list.
 *
 * A previously cached decision for the same user/object pair is returned
 * as-is. Otherwise the first rule in policies that matches both the user and
 * the object decides, and that decision is stored in *check_cache.
 *
 * Security notes:
 *  - When no rule matches, the result is false (not restricted): the policy
 *    is default-allow, so anything the rule list does not cover is permitted.
 *  - Nothing in this file removes cache entries, so the cache grows with the
 *    number of distinct user/object pairs that are checked.
 *
 * @param user_ctx    user whose access is being checked
 * @param obj         name of the object being accessed
 * @param policies    rule list to evaluate, in order
 * @param check_cache address of the cache pointer used for this rule list
 * @return the isRestricted() value of the first matching rule, or false when
 *         no rule matches
 */
bool Policy::restrictObject(const drizzled::identifier::User &user_ctx,
                                   const string &obj, const PolicyItemList &policies,
                                   CheckMap **check_cache)
{
  CheckItem c(user_ctx.username(), obj, check_cache);
  if (c.hasCachedResult())
  {
    return c.getCachedResult();
  }

  PolicyItemList::const_iterator m= find_if(policies.begin(), policies.end(), c);
  if (m == policies.end())
  {
    /* TODO: make default action configurable */
    c.setCachedResult(false);
  }
  else
  {
    c.setCachedResult((*m)->isRestricted());
  }
  return c.getCachedResult();
}
/**
 * Schema check: evaluates the schema's name against the schema rule list,
 * using the schema check cache.
 *
 * @return the result of restrictObject() for this user and schema name
 */
bool Policy::restrictSchema(const drizzled::identifier::User &user_ctx,
                                   const drizzled::identifier::Schema& schema)
{
  const string &schema_name= schema.getSchemaName();
  return restrictObject(user_ctx, schema_name, schema_policies, &schema_check_cache);
}
/**
 * Process check: the "object" is the user name of the session being looked
 * at, evaluated against the process rule list with the process check cache.
 *
 * @param user_ctx    user performing the access
 * @param session_ctx user owning the session being accessed
 * @return the result of restrictObject() for this pair
 */
bool Policy::restrictProcess(const drizzled::identifier::User &user_ctx,
                                    const drizzled::identifier::User &session_ctx)
{
  const string &session_user= session_ctx.username();
  return restrictObject(user_ctx, session_user, process_policies, &process_check_cache);
}
2246.4.11 by Olaf van der Spek
Remove const_reference and reference from identifier::User
/**
 * Table check: evaluates the table's name against the table rule list, using
 * the table check cache.
 *
 * Only getTableName() is passed on; the schema the table belongs to is not
 * part of what is matched or cached here, so tables with the same name are
 * treated alike by this check.
 *
 * @return the result of restrictObject() for this user and table name
 */
bool Policy::restrictTable(const drizzled::identifier::User& user_ctx,
                             const drizzled::identifier::Table& table)
{
  const string &table_name= table.getTableName();
  return restrictObject(user_ctx, table_name, table_policies, &table_check_cache);
}
/**
 * Predicate form of the check: true when rule p matches both this check's
 * user and its object.
 *
 * Each evaluation is traced through errmsg_printf at error::INSPECT,
 * including the user name, the object name and the rule's object pattern.
 *
 * @param p rule to test; must not be NULL, it is dereferenced unconditionally
 */
bool CheckItem::operator()(PolicyItem *p)
{
  if (not p->userMatches(user))
  {
    return false;
  }
  errmsg_printf(error::INSPECT, _("User %s matches regex\n"), user.c_str());

  if (not p->objectMatches(object))
  {
    errmsg_printf(error::INSPECT, _("Object %s NOT restricted by regex %s (%s)\n"),
        object.c_str(),
        p->getObject().c_str(),
        p->getAction());
    return false;
  }

  errmsg_printf(error::INSPECT, _("Object %s matches regex %s (%s)\n"),
      object.c_str(),
      p->getObject().c_str(),
      p->getAction());
  return true;
}
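/**
 * Prepares a check of one user against one object and looks the pair up in
 * the result cache.
 *
 * @param user_in        name of the user being checked
 * @param obj_in         name of the object being accessed
 * @param check_cache_in address of the cache pointer to consult; the pointer
 *                       it refers to may be NULL when nothing is cached yet
 *
 * After construction hasCachedResult() tells whether a decision for this
 * pair was already cached.
 */
CheckItem::CheckItem(const std::string &user_in, const std::string &obj_in, CheckMap **check_cache_in)
  : user(user_in), object(obj_in), has_cached_result(false), check_cache(check_cache_in)
{
  /* The cache key has to identify the pair unambiguously. Joining the two
     names with "_" alone gives ("a_b", "c") and ("a", "b_c") the same key, so
     one pair could be handed the authorization decision cached for the
     other. Prefixing the length of the user name fixes where it ends. */
  std::stringstream keystream;
  keystream << user.size() << ':' << user << '_' << object;
  key= keystream.str();

  /* setCachedResult() deletes the map it replaces as soon as it releases
     check_cache_mutex, so the lookup holds the same mutex: a reader can then
     never be left searching a map that has just been freed. */
  bool found= false;
  bool found_value= false;
  {
    boost::mutex::scoped_lock lock(check_cache_mutex);
    CheckMap *current= *check_cache;
    if (current)
    {
      CheckMap::iterator check_val= current->find(key);
      if (check_val != current->end())
      {
        found= true;
        found_value= check_val->second;
      }
    }
  }

  if (found)
  {
    /* Record the hit on this object only. Calling setCachedResult() here
       would copy the entire map just to store a value it already holds. */
    has_cached_result= true;
    cached_result= found_value;
  }
}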
/**
 * Records result for this check's key, both in the cache and on this object.
 *
 * Under check_cache_mutex the current map is copied (or a new one created
 * when there is none), the entry is written into the copy, and the cache
 * pointer is switched to the copy. The previous map is deleted after the
 * mutex has been released.
 *
 * NOTE(review): the previous map is freed immediately after the swap. A
 * reader that obtained the old pointer without holding check_cache_mutex
 * could still be using it at that moment; confirm how readers synchronise.
 * NOTE(review): every new entry costs a copy of the whole map, and nothing
 * here removes entries.
 *
 * @param result decision to cache for this user/object pair
 */
void CheckItem::setCachedResult(bool result)
{
  CheckMap *retired_cache= NULL;
  {
    // TODO: make the mutex per-cache
    boost::mutex::scoped_lock lock(check_cache_mutex);

    // Start from a copy of the current map, or an empty one
    CheckMap *updated_cache;
    if (*check_cache)
    {
      updated_cache= new CheckMap(**check_cache);
    }
    else
    {
      updated_cache= new CheckMap;
    }

    // Add or overwrite this pair's entry in the copy
    (*updated_cache)[key]= result;

    // Publish the copy and keep the old map for deletion
    retired_cache= *check_cache;
    *check_cache= updated_cache;
  }

  has_cached_result= true;
  cached_result= result;

  delete retired_cache;
}
} /* namespace regex_policy */
/* Plugin declaration: regex_policy::init is passed as the initialisation
   function and regex_policy::init_options as the option-declaration function.
   NOTE(review): the meaning of the NULL middle argument is defined by the
   DRIZZLE_PLUGIN macro, which is not visible in this file. */
DRIZZLE_PLUGIN(regex_policy::init, NULL, regex_policy::init_options);