« back to all changes in this revision
Viewing changes to plugin/regex_policy/policy.h
- browse files at revision 2215.5.1
- compare with another revision
- compare with revision 2318.7.9
- download diff
- download tarball
- view history from revision 2215.5.1
- Committer: Clint Byrum
- Date: 2011-03-03 01:55:10 UTC
- mto: (2222.1.1 build)
- mto: This revision was merged to the branch mainline in revision 2223.
- Revision ID: clint@ubuntu.com-20110303015510-fj9fsdimwyo2gefy
Adding regex_policy plugin for detailed authorization specifiction
- files added:
- plugin/regex_policy
- plugin/regex_policy/tests
- plugin/regex_policy/tests/r
- plugin/regex_policy/tests/t
added
removed
plugin/regex_policy/policy.h
1
/* -*- mode: c++; c-basic-offset: 2; indent-tabs-mode: nil; -*-
2
* vim:expandtab:shiftwidth=2:tabstop=2:smarttab:
3
*
4
* Copyright (C) 2010 Monty Taylor <mordred@inaugust.com>
5
* Copyright (C) 2011 Canonical, Ltd.
6
* Author: Clint Byrum <clint.byrum@canonical.com>
7
*
8
* Copied from simple_user_policy
9
*
10
* This program is free software; you can redistribute it and/or modify
11
* it under the terms of the GNU General Public License as published by
12
* the Free Software Foundation; version 2 of the License.
13
*
14
* This program is distributed in the hope that it will be useful,
15
* but WITHOUT ANY WARRANTY; without even the implied warranty of
16
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17
* GNU General Public License for more details.
18
*
19
* You should have received a copy of the GNU General Public License
20
* along with this program; if not, write to the Free Software
21
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
22
*/
23
24
25
#ifndef PLUGIN_REGEX_POLICY_POLICY_H
26
#define PLUGIN_REGEX_POLICY_POLICY_H
27
28
#include <iostream>
29
#include <fstream>
30
31
#include <boost/regex.hpp>
32
#include <boost/unordered_map.hpp>
33
#include <boost/thread/mutex.hpp>
34
35
#include <drizzled/configmake.h>
36
#include <drizzled/plugin/authorization.h>
37
38
namespace fs= boost::filesystem;
39
40
namespace regex_policy
41
{
42
43
static const fs::path DEFAULT_POLICY_FILE= SYSCONFDIR "/drizzle.policy";
44
45
static const char *comment_regex = "^[[:space:]]*#.*$";
46
static const char *empty_regex = "^[[:space:]]*$";
47
static const char *table_match_regex = "^([^ ]+) table\\=([^ ]+) (ACCEPT|DENY)$";
48
static const char *process_match_regex = "^([^ ]+) process\\=([^ ]+) (ACCEPT|DENY)$";
49
static const char *schema_match_regex = "^([^ ]+) schema\\=([^ ]+) (ACCEPT|DENY)$";
50
/* These correspond to the parenthesis above and must stay in sync */
51
static const int MATCH_REGEX_USER_POS= 1;
52
static const int MATCH_REGEX_OBJECT_POS= 2;
53
static const int MATCH_REGEX_ACTION_POS= 3;
54
55
typedef enum
56
{
57
POLICY_ACCEPT,
58
POLICY_DENY
59
} PolicyAction;
60
61
class PolicyItem
62
{
63
const std::string user;
64
const std::string object;
65
const boost::regex user_re;
66
const boost::regex object_re;
67
PolicyAction action;
68
public:
69
PolicyItem(const std::string &u, const std::string &obj, const std::string &act) :
70
user(u),
71
object(obj),
72
user_re(u),
73
object_re(obj)
74
{
75
if (act == "ACCEPT")
76
{
77
action = POLICY_ACCEPT;
78
}
79
else if (act == "DENY")
80
{
81
action = POLICY_DENY;
82
}
83
else
84
{
85
throw std::exception();
86
}
87
}
88
bool userMatches(std::string &str);
89
bool objectMatches(std::string &object_id);
90
bool isRestricted();
91
const std::string&getUser() const
92
{
93
return user;
94
}
95
const std::string&getObject() const
96
{
97
return object;
98
}
99
const char *getAction() const
100
{
101
return action == POLICY_ACCEPT ? "ACCEPT" : "DENY";
102
}
103
};
104
105
typedef std::list<PolicyItem *> PolicyItemList;
106
typedef boost::unordered_map<std::string, bool> CheckMap;
107
108
static boost::mutex check_cache_mutex;
109
110
class CheckItem
111
{
112
std::string user;
113
std::string object;
114
std::string key;
115
bool has_cached_result;
116
bool cached_result;
117
CheckMap **check_cache;
118
public:
119
CheckItem(const std::string &u, const std::string &obj, CheckMap **check_cache);
120
bool operator()(PolicyItem *p);
121
bool hasCachedResult() const
122
{
123
return has_cached_result;
124
}
125
bool getCachedResult() const
126
{
127
return cached_result;
128
}
129
void setCachedResult(bool result);
130
};
131
132
inline bool PolicyItem::userMatches(std::string &str)
133
{
134
return boost::regex_match(str, user_re);
135
}
136
137
inline bool PolicyItem::objectMatches(std::string &object_id)
138
{
139
return boost::regex_match(object_id, object_re);
140
}
141
142
inline bool PolicyItem::isRestricted()
143
{
144
return action == POLICY_DENY ? true : false;
145
}
146
147
class Policy :
148
public drizzled::plugin::Authorization
149
{
150
public:
151
Policy(const fs::path &f_path) :
152
drizzled::plugin::Authorization("Regex Policy"), policy_file(f_path), error(),
153
table_check_cache(NULL), schema_check_cache(NULL), process_check_cache(NULL)
154
{ }
155
156
virtual bool restrictSchema(const drizzled::identifier::User &user_ctx,
157
drizzled::identifier::Schema::const_reference schema);
158
159
virtual bool restrictProcess(const drizzled::identifier::User &user_ctx,
160
const drizzled::identifier::User &session_ctx);
161
162
virtual bool restrictTable(drizzled::identifier::User::const_reference user_ctx,
163
drizzled::identifier::Table::const_reference table);
164
165
bool loadFile();
166
std::stringstream &getError() { return error; }
167
private:
168
bool restrictObject(const drizzled::identifier::User &user_ctx,
169
const std::string &obj, const PolicyItemList &policies,
170
CheckMap **check_cache);
171
fs::path policy_file;
172
std::stringstream error;
173
PolicyItemList table_policies;
174
PolicyItemList schema_policies;
175
PolicyItemList process_policies;
176
CheckMap *table_check_cache;
177
CheckMap *schema_check_cache;
178
CheckMap *process_check_cache;
179
};
180
181
} /* namespace regex_policy */
182
183
#endif /* PLUGIN_REGEX_POLICY_POLICY_H */
Loggerhead is a web-based interface for Breezy
Version: 2.0.1