25
25
#include "drizzled/plugin/authorization.h"
26
26
#include "drizzled/security_context.h"
27
#include "drizzled/identifier.h"
28
27
#include "drizzled/error.h"
29
28
#include "drizzled/session.h"
29
#include "drizzled/plugin/registry.h"
30
30
#include "drizzled/gettext.h"
35
std::vector<plugin::Authorization *> authorization_plugins;
37
vector<plugin::Authorization *> authorization_plugins;
38
40
bool plugin::Authorization::addPlugin(plugin::Authorization *auth)
41
43
authorization_plugins.push_back(auth);
50
authorization_plugins.erase(std::find(authorization_plugins.begin(),
51
authorization_plugins.end(),
51
authorization_plugins.erase(find(authorization_plugins.begin(),
52
authorization_plugins.end(),
59
60
class RestrictDbFunctor :
60
public std::unary_function<plugin::Authorization *, bool>
61
public unary_function<plugin::Authorization *, bool>
62
63
const SecurityContext &user_ctx;
63
SchemaIdentifier::const_reference schema;
66
66
RestrictDbFunctor(const SecurityContext &user_ctx_arg,
67
SchemaIdentifier::const_reference schema_arg) :
68
std::unary_function<plugin::Authorization *, bool>(),
67
const string &schema_arg) :
68
unary_function<plugin::Authorization *, bool>(),
69
69
user_ctx(user_ctx_arg),
79
79
class RestrictTableFunctor :
80
public std::unary_function<plugin::Authorization *, bool>
80
public unary_function<plugin::Authorization *, bool>
82
82
const SecurityContext &user_ctx;
83
TableIdentifier &table;
85
86
RestrictTableFunctor(const SecurityContext &user_ctx_arg,
86
TableIdentifier &table_arg) :
87
std::unary_function<plugin::Authorization *, bool>(),
87
const string &schema_arg,
88
const string &table_arg) :
89
unary_function<plugin::Authorization *, bool>(),
88
90
user_ctx(user_ctx_arg),
92
95
inline result_type operator()(argument_type auth)
94
return auth->restrictTable(user_ctx, table);
97
return auth->restrictTable(user_ctx, schema, table);
98
101
class RestrictProcessFunctor :
99
public std::unary_function<plugin::Authorization *, bool>
102
public unary_function<plugin::Authorization *, bool>
101
104
const SecurityContext &user_ctx;
102
105
const SecurityContext &session_ctx;
104
107
RestrictProcessFunctor(const SecurityContext &user_ctx_arg,
105
108
const SecurityContext &session_ctx_arg) :
106
std::unary_function<plugin::Authorization *, bool>(),
109
unary_function<plugin::Authorization *, bool>(),
107
110
user_ctx(user_ctx_arg),
108
111
session_ctx(session_ctx_arg)
117
class PruneSchemaFunctor :
118
public std::unary_function<SchemaIdentifier&, bool>
120
const SecurityContext &user_ctx;
122
PruneSchemaFunctor(const SecurityContext &user_ctx_arg) :
123
std::unary_function<SchemaIdentifier&, bool>(),
124
user_ctx(user_ctx_arg)
127
inline result_type operator()(argument_type auth)
129
return not plugin::Authorization::isAuthorized(user_ctx, auth, false);
133
120
} /* namespace */
135
122
bool plugin::Authorization::isAuthorized(const SecurityContext &user_ctx,
136
SchemaIdentifier::const_reference schema_identifier,
123
SchemaIdentifier &schema_identifier,
139
126
/* If we never loaded any authorization plugins, just return true */
143
130
/* Use find_if instead of foreach so that we can collect return codes */
144
std::vector<plugin::Authorization *>::const_iterator iter=
145
std::find_if(authorization_plugins.begin(),
146
authorization_plugins.end(),
147
RestrictDbFunctor(user_ctx, schema_identifier));
131
vector<plugin::Authorization *>::const_iterator iter=
132
find_if(authorization_plugins.begin(),
133
authorization_plugins.end(),
134
RestrictDbFunctor(user_ctx, schema_identifier.getPath()));
151
137
* If iter is == end() here, that means that all of the plugins returned
160
schema_identifier.getSQLPath(path);
162
145
my_error(ER_DBACCESS_DENIED_ERROR, MYF(0),
163
146
user_ctx.getUser().c_str(),
164
147
user_ctx.getIp().c_str(),
148
schema_identifier.getSQLPath().c_str());
180
164
/* Use find_if instead of foreach so that we can collect return codes */
181
std::vector<plugin::Authorization *>::const_iterator iter=
182
std::find_if(authorization_plugins.begin(),
165
vector<plugin::Authorization *>::const_iterator iter=
166
find_if(authorization_plugins.begin(),
183
167
authorization_plugins.end(),
184
RestrictTableFunctor(user_ctx, table));
168
RestrictTableFunctor(user_ctx, schema, table));
187
171
* If iter is == end() here, that means that all of the plugins returned
196
table.getSQLPath(path);
198
179
my_error(ER_DBACCESS_DENIED_ERROR, MYF(0),
199
180
user_ctx.getUser().c_str(),
200
181
user_ctx.getIp().c_str(),
218
199
/* Use find_if instead of foreach so that we can collect return codes */
219
std::vector<plugin::Authorization *>::const_iterator iter=
220
std::find_if(authorization_plugins.begin(),
221
authorization_plugins.end(),
222
RestrictProcessFunctor(user_ctx, session_ctx));
200
vector<plugin::Authorization *>::const_iterator iter=
201
find_if(authorization_plugins.begin(),
202
authorization_plugins.end(),
203
RestrictProcessFunctor(user_ctx, session_ctx));
225
206
* If iter is == end() here, that means that all of the plugins returned
241
222
void plugin::Authorization::pruneSchemaNames(const SecurityContext &user_ctx,
242
SchemaIdentifier::vector &set_of_schemas)
223
SchemaIdentifierList &set_of_schemas)
225
SchemaIdentifierList pruned_set_of_names;
244
227
/* If we never loaded any authorization plugins, just return true */
245
228
if (authorization_plugins.empty())
248
set_of_schemas.erase(std::remove_if(set_of_schemas.begin(),
249
set_of_schemas.end(),
250
PruneSchemaFunctor(user_ctx)),
251
set_of_schemas.end());
232
* @TODO: It would be stellar if we could find a way to do this with a
233
* functor and an STL algoritm
235
for (SchemaIdentifierList::iterator iter; iter != set_of_schemas.end(); iter++)
237
if (not plugin::Authorization::isAuthorized(user_ctx, *iter, false))
239
iter= pruned_set_of_names.erase(iter);
242
set_of_schemas.swap(pruned_set_of_names);
254
245
} /* namespace drizzled */