~drizzle-trunk/drizzle/development : contents of plugin/regex

~drizzle-trunk/drizzle/development : (revision 2420)

/* -*- mode: c++; c-basic-offset: 2; indent-tabs-mode: nil; -*-
 *  vim:expandtab:shiftwidth=2:tabstop=2:smarttab:
 *
 *  Copyright (C) 2010 Monty Taylor <mordred@inaugust.com>
 *  Copyright (C) 2011 Canonical, Ltd.
 *  Author: Clint Byrum <clint.byrum@canonical.com>
 *
 *  Copied from simple_user_policy
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; version 2 of the License.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License
 *  along with this program; if not, write to the Free Software
 *  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
 */


#pragma once

#include <iosfwd>

#include <boost/regex.hpp>
#include <boost/unordered_map.hpp>
#include <boost/thread/mutex.hpp>

#include <drizzled/configmake.h>
#include <drizzled/plugin/authorization.h>

namespace fs= boost::filesystem;

namespace regex_policy {

static const fs::path DEFAULT_POLICY_FILE= SYSCONFDIR "/drizzle.policy";

static const char *comment_regex = "^[[:space:]]*#.*$";
static const char *empty_regex = "^[[:space:]]*$";
static const char *table_match_regex = "^([^ ]+) table\\=([^ ]+) (ACCEPT|DENY)$";
static const char *process_match_regex = "^([^ ]+) process\\=([^ ]+) (ACCEPT|DENY)$";
static const char *schema_match_regex = "^([^ ]+) schema\\=([^ ]+) (ACCEPT|DENY)$";
/* These correspond to the parenthesis above and must stay in sync */
static const int MATCH_REGEX_USER_POS= 1;
static const int MATCH_REGEX_OBJECT_POS= 2;
static const int MATCH_REGEX_ACTION_POS= 3;

typedef enum 
{
  POLICY_ACCEPT,
  POLICY_DENY
} PolicyAction;

class PolicyItem
{
  const std::string user;
  const std::string object;
  const boost::regex user_re;
  const boost::regex object_re;
  PolicyAction action;
public:
  PolicyItem(const std::string &u, const std::string &obj, const std::string &act) :
    user(u),
    object(obj),
    user_re(u),
    object_re(obj)
  { 
    if (act == "ACCEPT")
    {
      action = POLICY_ACCEPT;
    }
    else if (act == "DENY")
    {
      action = POLICY_DENY;
    }
    else
    {
      throw std::exception();
    }
  }
  bool userMatches(std::string &str);
  bool objectMatches(std::string &object_id);
  bool isRestricted() const;
  const std::string&getUser() const
  {
    return user;
  }
  const std::string&getObject() const
  {
    return object;
  }
  const char *getAction() const
  {
    return action == POLICY_ACCEPT ? "ACCEPT" : "DENY";
  }
};

typedef std::list<PolicyItem *> PolicyItemList;
typedef boost::unordered_map<std::string, bool> CheckMap;

static boost::mutex check_cache_mutex;

class CheckItem
{
  std::string user;
  std::string object;
  std::string key;
  bool has_cached_result;
  bool cached_result;
  CheckMap **check_cache;
public:
  CheckItem(const std::string &u, const std::string &obj, CheckMap **check_cache);
  bool operator()(PolicyItem *p);
  bool hasCachedResult() const
  {
    return has_cached_result;
  }
  bool getCachedResult() const
  {
    return cached_result;
  }
  void setCachedResult(bool result);
};

inline bool PolicyItem::userMatches(std::string &str)
{
  return boost::regex_match(str, user_re);
}

inline bool PolicyItem::objectMatches(std::string &object_id)
{
  return boost::regex_match(object_id, object_re);
}

inline bool PolicyItem::isRestricted() const
{
  return action == POLICY_DENY;
}

void clearPolicyItemList(PolicyItemList policies);

class Policy :
  public drizzled::plugin::Authorization
{
public:
  Policy(const fs::path &f_path) :
    drizzled::plugin::Authorization("Regex Policy"), policy_file(f_path), error(),
    table_check_cache(NULL), schema_check_cache(NULL), process_check_cache(NULL)
  { }

  virtual bool restrictSchema(const drizzled::identifier::User &user_ctx,
                              const drizzled::identifier::Schema& schema);

  virtual bool restrictProcess(const drizzled::identifier::User &user_ctx,
                               const drizzled::identifier::User &session_ctx);

  virtual bool restrictTable(const drizzled::identifier::User& user_ctx,
                             const drizzled::identifier::Table& table);

  bool loadFile();
  std::stringstream &getError() { return error; }
  ~Policy();
private:
  bool restrictObject(const drizzled::identifier::User &user_ctx,
                                   const std::string &obj, const PolicyItemList &policies,
                                   CheckMap **check_cache);
  fs::path policy_file;
  std::stringstream error;
  PolicyItemList table_policies;
  PolicyItemList schema_policies;
  PolicyItemList process_policies;
  CheckMap *table_check_cache;
  CheckMap *schema_check_cache;
  CheckMap *process_check_cache;
};

} /* namespace regex_policy */


2215.5.1 by Clint Byrum Adding regex_policy plugin for detailed authorization specifiction	1	/* -- mode: c++; c-basic-offset: 2; indent-tabs-mode: nil; --
	2	* vim:expandtab:shiftwidth=2:tabstop=2:smarttab:
	3	*
	4	* Copyright (C) 2010 Monty Taylor <mordred@inaugust.com>
	5	* Copyright (C) 2011 Canonical, Ltd.
	6	* Author: Clint Byrum <clint.byrum@canonical.com>
	7	*
	8	* Copied from simple_user_policy
	9	*
	10	* This program is free software; you can redistribute it and/or modify
	11	* it under the terms of the GNU General Public License as published by
	12	* the Free Software Foundation; version 2 of the License.
	13	*
	14	* This program is distributed in the hope that it will be useful,
	15	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	16	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	17	* GNU General Public License for more details.
	18	*
	19	* You should have received a copy of the GNU General Public License
	20	* along with this program; if not, write to the Free Software
	21	* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
	22	*/
	23
	24
2234 by Brian Aker Mass removal of ifdef/endif in favor of pragma once.	25	#pragma once
2215.5.1 by Clint Byrum Adding regex_policy plugin for detailed authorization specifiction	26
2371.1.1 by Brian Aker Fedora fix/use fwd header for iostream.	27	#include <iosfwd>
2215.5.1 by Clint Byrum Adding regex_policy plugin for detailed authorization specifiction	28
	29	#include <boost/regex.hpp>
	30	#include <boost/unordered_map.hpp>
	31	#include <boost/thread/mutex.hpp>
	32
	33	#include <drizzled/configmake.h>
	34	#include <drizzled/plugin/authorization.h>
	35
	36	namespace fs= boost::filesystem;
	37
2385.3.30 by Olaf van der Spek cppcheck	38	namespace regex_policy {
2215.5.1 by Clint Byrum Adding regex_policy plugin for detailed authorization specifiction	39
	40	static const fs::path DEFAULT_POLICY_FILE= SYSCONFDIR "/drizzle.policy";
	41
	42	static const char comment_regex = "^[[:space:]]#.*$";
	43	static const char empty_regex = "^[[:space:]]$";
	44	static const char *table_match_regex = "^([^ ]+) table\\=([^ ]+) (ACCEPT\|DENY)$";
	45	static const char *process_match_regex = "^([^ ]+) process\\=([^ ]+) (ACCEPT\|DENY)$";
	46	static const char *schema_match_regex = "^([^ ]+) schema\\=([^ ]+) (ACCEPT\|DENY)$";
	47	/* These correspond to the parenthesis above and must stay in sync */
	48	static const int MATCH_REGEX_USER_POS= 1;
	49	static const int MATCH_REGEX_OBJECT_POS= 2;
	50	static const int MATCH_REGEX_ACTION_POS= 3;
	51
	52	typedef enum
	53	{
	54	POLICY_ACCEPT,
	55	POLICY_DENY
	56	} PolicyAction;
	57
	58	class PolicyItem
	59	{
	60	const std::string user;
	61	const std::string object;
	62	const boost::regex user_re;
	63	const boost::regex object_re;
	64	PolicyAction action;
	65	public:
	66	PolicyItem(const std::string &u, const std::string &obj, const std::string &act) :
	67	user(u),
	68	object(obj),
	69	user_re(u),
	70	object_re(obj)
	71	{
	72	if (act == "ACCEPT")
	73	{
	74	action = POLICY_ACCEPT;
	75	}
	76	else if (act == "DENY")
	77	{
	78	action = POLICY_DENY;
	79	}
	80	else
	81	{
	82	throw std::exception();
	83	}
	84	}
	85	bool userMatches(std::string &str);
	86	bool objectMatches(std::string &object_id);
2385.3.30 by Olaf van der Spek cppcheck	87	bool isRestricted() const;
2215.5.1 by Clint Byrum Adding regex_policy plugin for detailed authorization specifiction	88	const std::string&getUser() const
	89	{
	90	return user;
	91	}
	92	const std::string&getObject() const
	93	{
	94	return object;
	95	}
	96	const char *getAction() const
	97	{
	98	return action == POLICY_ACCEPT ? "ACCEPT" : "DENY";
	99	}
	100	};
	101
	102	typedef std::list<PolicyItem *> PolicyItemList;
	103	typedef boost::unordered_map<std::string, bool> CheckMap;
	104
	105	static boost::mutex check_cache_mutex;
	106
	107	class CheckItem
	108	{
	109	std::string user;
	110	std::string object;
	111	std::string key;
	112	bool has_cached_result;
	113	bool cached_result;
	114	CheckMap **check_cache;
	115	public:
	116	CheckItem(const std::string &u, const std::string &obj, CheckMap **check_cache);
	117	bool operator()(PolicyItem *p);
	118	bool hasCachedResult() const
	119	{
	120	return has_cached_result;
	121	}
	122	bool getCachedResult() const
	123	{
	124	return cached_result;
	125	}
	126	void setCachedResult(bool result);
	127	};
	128
	129	inline bool PolicyItem::userMatches(std::string &str)
	130	{
	131	return boost::regex_match(str, user_re);
	132	}
	133
	134	inline bool PolicyItem::objectMatches(std::string &object_id)
	135	{
	136	return boost::regex_match(object_id, object_re);
	137	}
	138
2385.3.30 by Olaf van der Spek cppcheck	139	inline bool PolicyItem::isRestricted() const
2215.5.1 by Clint Byrum Adding regex_policy plugin for detailed authorization specifiction	140	{
2385.2.4 by Olaf van der Spek cppcheck	141	return action == POLICY_DENY;
2215.5.1 by Clint Byrum Adding regex_policy plugin for detailed authorization specifiction	142	}
	143
2215.5.5 by Clint Byrum add destructor for Policy object, should eliminate last valgrind warnings	144	void clearPolicyItemList(PolicyItemList policies);
	145
2215.5.1 by Clint Byrum Adding regex_policy plugin for detailed authorization specifiction	146	class Policy :
	147	public drizzled::plugin::Authorization
	148	{
	149	public:
	150	Policy(const fs::path &f_path) :
	151	drizzled::plugin::Authorization("Regex Policy"), policy_file(f_path), error(),
	152	table_check_cache(NULL), schema_check_cache(NULL), process_check_cache(NULL)
	153	{ }
	154
	155	virtual bool restrictSchema(const drizzled::identifier::User &user_ctx,
2246.4.9 by Olaf van der Spek Remove const_reference and reference from identifier::Schema	156	const drizzled::identifier::Schema& schema);
2215.5.1 by Clint Byrum Adding regex_policy plugin for detailed authorization specifiction	157
	158	virtual bool restrictProcess(const drizzled::identifier::User &user_ctx,
	159	const drizzled::identifier::User &session_ctx);
	160
2246.4.11 by Olaf van der Spek Remove const_reference and reference from identifier::User	161	virtual bool restrictTable(const drizzled::identifier::User& user_ctx,
2246.4.10 by Olaf van der Spek Remove const_reference and reference from identifier::Table	162	const drizzled::identifier::Table& table);
2215.5.1 by Clint Byrum Adding regex_policy plugin for detailed authorization specifiction	163
	164	bool loadFile();
	165	std::stringstream &getError() { return error; }
2215.5.5 by Clint Byrum add destructor for Policy object, should eliminate last valgrind warnings	166	~Policy();
2215.5.1 by Clint Byrum Adding regex_policy plugin for detailed authorization specifiction	167	private:
	168	bool restrictObject(const drizzled::identifier::User &user_ctx,
	169	const std::string &obj, const PolicyItemList &policies,
	170	CheckMap **check_cache);
	171	fs::path policy_file;
	172	std::stringstream error;
	173	PolicyItemList table_policies;
	174	PolicyItemList schema_policies;
	175	PolicyItemList process_policies;
	176	CheckMap *table_check_cache;
	177	CheckMap *schema_check_cache;
	178	CheckMap *process_check_cache;
	179	};
	180
	181	} /* namespace regex_policy */
	182