~drizzle-trunk/drizzle/development

« back to all changes in this revision

Viewing changes to drizzled/plugin/authorization.cc

  • Committer: Brian Aker
  • Date: 2010-03-31 19:14:14 UTC
  • Revision ID: brian@gaz-20100331191414-9yv44mmpvf0tb7l1
Updated to use show schemas specific table.

Show diffs side-by-side

added added

removed removed

Lines of Context:
24
24
 
25
25
#include "drizzled/plugin/authorization.h"
26
26
#include "drizzled/security_context.h"
27
 
#include "drizzled/identifier.h"
28
27
#include "drizzled/error.h"
29
28
#include "drizzled/session.h"
 
29
#include "drizzled/plugin/registry.h"
30
30
#include "drizzled/gettext.h"
31
31
 
 
32
using namespace std;
 
33
 
32
34
namespace drizzled
33
35
{
34
36
 
35
 
std::vector<plugin::Authorization *> authorization_plugins;
 
37
vector<plugin::Authorization *> authorization_plugins;
36
38
 
37
39
 
38
40
bool plugin::Authorization::addPlugin(plugin::Authorization *auth)
39
41
{
40
42
  if (auth != NULL)
41
43
    authorization_plugins.push_back(auth);
42
 
 
43
44
  return false;
44
45
}
45
46
 
47
48
{
48
49
  if (auth != NULL)
49
50
  {
50
 
    authorization_plugins.erase(std::find(authorization_plugins.begin(),
51
 
                                          authorization_plugins.end(),
52
 
                                          auth));
 
51
    authorization_plugins.erase(find(authorization_plugins.begin(),
 
52
                                     authorization_plugins.end(),
 
53
                                     auth));
53
54
  }
54
55
}
55
56
 
57
58
{
58
59
 
59
60
class RestrictDbFunctor :
60
 
  public std::unary_function<plugin::Authorization *, bool>
 
61
  public unary_function<plugin::Authorization *, bool>
61
62
{
62
63
  const SecurityContext &user_ctx;
63
 
  SchemaIdentifier::const_reference schema;
64
 
 
 
64
  const string &schema;
65
65
public:
66
66
  RestrictDbFunctor(const SecurityContext &user_ctx_arg,
67
 
                    SchemaIdentifier::const_reference schema_arg) :
68
 
    std::unary_function<plugin::Authorization *, bool>(),
 
67
                    const string &schema_arg) :
 
68
    unary_function<plugin::Authorization *, bool>(),
69
69
    user_ctx(user_ctx_arg),
70
70
    schema(schema_arg)
71
71
  { }
77
77
};
78
78
 
79
79
class RestrictTableFunctor :
80
 
  public std::unary_function<plugin::Authorization *, bool>
 
80
  public unary_function<plugin::Authorization *, bool>
81
81
{
82
82
  const SecurityContext &user_ctx;
83
 
  TableIdentifier &table;
 
83
  const string &schema;
 
84
  const string &table;
84
85
public:
85
86
  RestrictTableFunctor(const SecurityContext &user_ctx_arg,
86
 
                       TableIdentifier &table_arg) :
87
 
    std::unary_function<plugin::Authorization *, bool>(),
 
87
                       const string &schema_arg,
 
88
                       const string &table_arg) :
 
89
    unary_function<plugin::Authorization *, bool>(),
88
90
    user_ctx(user_ctx_arg),
 
91
    schema(schema_arg),
89
92
    table(table_arg)
90
93
  { }
91
94
 
92
95
  inline result_type operator()(argument_type auth)
93
96
  {
94
 
    return auth->restrictTable(user_ctx, table);
 
97
    return auth->restrictTable(user_ctx, schema, table);
95
98
  }
96
99
};
97
100
 
98
101
class RestrictProcessFunctor :
99
 
  public std::unary_function<plugin::Authorization *, bool>
 
102
  public unary_function<plugin::Authorization *, bool>
100
103
{
101
104
  const SecurityContext &user_ctx;
102
105
  const SecurityContext &session_ctx;
103
106
public:
104
107
  RestrictProcessFunctor(const SecurityContext &user_ctx_arg,
105
108
                         const SecurityContext &session_ctx_arg) :
106
 
    std::unary_function<plugin::Authorization *, bool>(),
 
109
    unary_function<plugin::Authorization *, bool>(),
107
110
    user_ctx(user_ctx_arg),
108
111
    session_ctx(session_ctx_arg)
109
112
  { }
114
117
  }
115
118
};
116
119
 
117
 
class PruneSchemaFunctor :
118
 
  public std::unary_function<SchemaIdentifier&, bool>
119
 
{
120
 
  const SecurityContext &user_ctx;
121
 
public:
122
 
  PruneSchemaFunctor(const SecurityContext &user_ctx_arg) :
123
 
    std::unary_function<SchemaIdentifier&, bool>(),
124
 
    user_ctx(user_ctx_arg)
125
 
  { }
126
 
 
127
 
  inline result_type operator()(argument_type auth)
128
 
  {
129
 
    return not plugin::Authorization::isAuthorized(user_ctx, auth, false);
130
 
  }
131
 
};
132
 
 
133
120
} /* namespace */
134
121
 
135
122
bool plugin::Authorization::isAuthorized(const SecurityContext &user_ctx,
136
 
                                         SchemaIdentifier::const_reference schema_identifier,
 
123
                                         SchemaIdentifier &schema_identifier,
137
124
                                         bool send_error)
138
125
{
139
126
  /* If we never loaded any authorization plugins, just return true */
141
128
    return true;
142
129
 
143
130
  /* Use find_if instead of foreach so that we can collect return codes */
144
 
  std::vector<plugin::Authorization *>::const_iterator iter=
145
 
    std::find_if(authorization_plugins.begin(),
146
 
                 authorization_plugins.end(),
147
 
                 RestrictDbFunctor(user_ctx, schema_identifier));
148
 
 
 
131
  vector<plugin::Authorization *>::const_iterator iter=
 
132
    find_if(authorization_plugins.begin(),
 
133
            authorization_plugins.end(),
 
134
            RestrictDbFunctor(user_ctx, schema_identifier.getPath()));
149
135
 
150
136
  /*
151
137
   * If iter is == end() here, that means that all of the plugins returned
156
142
  {
157
143
    if (send_error)
158
144
    {
159
 
      std::string path;
160
 
      schema_identifier.getSQLPath(path);
161
 
 
162
145
      my_error(ER_DBACCESS_DENIED_ERROR, MYF(0),
163
146
               user_ctx.getUser().c_str(),
164
147
               user_ctx.getIp().c_str(),
165
 
               path.c_str());
 
148
               schema_identifier.getSQLPath().c_str());
166
149
    }
167
150
    return false;
168
151
  }
170
153
}
171
154
 
172
155
bool plugin::Authorization::isAuthorized(const SecurityContext &user_ctx,
173
 
                                         TableIdentifier &table,
 
156
                                         const string &schema,
 
157
                                         const string &table,
174
158
                                         bool send_error)
175
159
{
176
160
  /* If we never loaded any authorization plugins, just return true */
178
162
    return true;
179
163
 
180
164
  /* Use find_if instead of foreach so that we can collect return codes */
181
 
  std::vector<plugin::Authorization *>::const_iterator iter=
182
 
    std::find_if(authorization_plugins.begin(),
 
165
  vector<plugin::Authorization *>::const_iterator iter=
 
166
    find_if(authorization_plugins.begin(),
183
167
            authorization_plugins.end(),
184
 
            RestrictTableFunctor(user_ctx, table));
 
168
            RestrictTableFunctor(user_ctx, schema, table));
185
169
 
186
170
  /*
187
171
   * If iter is == end() here, that means that all of the plugins returned
192
176
  {
193
177
    if (send_error)
194
178
    {
195
 
      std::string path;
196
 
      table.getSQLPath(path);
197
 
 
198
179
      my_error(ER_DBACCESS_DENIED_ERROR, MYF(0),
199
180
               user_ctx.getUser().c_str(),
200
181
               user_ctx.getIp().c_str(),
201
 
               path.c_str());
 
182
               schema.c_str());
202
183
    }
203
184
    return false;
204
185
  }
216
197
    return true;
217
198
 
218
199
  /* Use find_if instead of foreach so that we can collect return codes */
219
 
  std::vector<plugin::Authorization *>::const_iterator iter=
220
 
    std::find_if(authorization_plugins.begin(),
221
 
                 authorization_plugins.end(),
222
 
                 RestrictProcessFunctor(user_ctx, session_ctx));
 
200
  vector<plugin::Authorization *>::const_iterator iter=
 
201
    find_if(authorization_plugins.begin(),
 
202
            authorization_plugins.end(),
 
203
            RestrictProcessFunctor(user_ctx, session_ctx));
223
204
 
224
205
  /*
225
206
   * If iter is == end() here, that means that all of the plugins returned
239
220
}
240
221
 
241
222
void plugin::Authorization::pruneSchemaNames(const SecurityContext &user_ctx,
242
 
                                             SchemaIdentifier::vector &set_of_schemas)
 
223
                                             SchemaIdentifierList &set_of_schemas)
243
224
{
 
225
  SchemaIdentifierList pruned_set_of_names;
 
226
 
244
227
  /* If we never loaded any authorization plugins, just return true */
245
228
  if (authorization_plugins.empty())
246
229
    return;
247
230
 
248
 
  set_of_schemas.erase(std::remove_if(set_of_schemas.begin(),
249
 
                                      set_of_schemas.end(),
250
 
                                      PruneSchemaFunctor(user_ctx)),
251
 
                       set_of_schemas.end());
 
231
  /**
 
232
   * @TODO: It would be stellar if we could find a way to do this with a
 
233
   * functor and an STL algoritm
 
234
   */
 
235
  for (SchemaIdentifierList::iterator iter; iter != set_of_schemas.end(); iter++)
 
236
  {
 
237
    if (not plugin::Authorization::isAuthorized(user_ctx, *iter, false))
 
238
    {
 
239
      iter= pruned_set_of_names.erase(iter);
 
240
    }
 
241
  }
 
242
  set_of_schemas.swap(pruned_set_of_names);
252
243
}
253
244
 
254
245
} /* namespace drizzled */