
policy.h
1 /* -*- mode: c++; c-basic-offset: 2; indent-tabs-mode: nil; -*-
2  * vim:expandtab:shiftwidth=2:tabstop=2:smarttab:
3  *
4  * Copyright (C) 2010 Monty Taylor <mordred@inaugust.com>
5  * Copyright (C) 2011 Canonical, Ltd.
6  * Author: Clint Byrum <clint.byrum@canonical.com>
7  *
8  * Copied from simple_user_policy
9  *
10  * This program is free software; you can redistribute it and/or modify
11  * it under the terms of the GNU General Public License as published by
12  * the Free Software Foundation; version 2 of the License.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License
20  * along with this program; if not, write to the Free Software
21  * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
22  */
23 
24 
25 #pragma once
26 
#include <iosfwd>
#include <list>
#include <sstream>
#include <stdexcept>
#include <string>
#include <vector>

#include <boost/filesystem.hpp>
#include <boost/regex.hpp>
#include <boost/unordered_map.hpp>
#include <boost/thread/mutex.hpp>
#include <boost/thread/shared_mutex.hpp>
#include <boost/thread/locks.hpp>

#include <drizzled/configmake.h>
#include <drizzled/plugin/authorization.h>
37 
/* Shorthand for boost::filesystem (used by DEFAULT_POLICY_FILE and Policy::policy_file).
 * The alias sits at global scope in a header, so every file that includes this one sees it. */
namespace fs= boost::filesystem;
39 
40 namespace regex_policy {
41 
/* Default location of the policy file; SYSCONFDIR comes from drizzled/configmake.h.
 * Presumably overridable through the sysvar handled by Policy::setPolicyFile.
 * As a non-trivially constructed static in a header, each including TU builds its own copy. */
static const fs::path DEFAULT_POLICY_FILE= SYSCONFDIR "/drizzle.policy";
43 
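/* Size limits for a CheckMap: how many keys its LRU list may hold and how many
 * hash buckets it may use. Presumably consumed by CheckMap::insert, which is
 * defined out of line — confirm against module.cc. */
static const uint64_t DEFAULT_MAX_LRU_LENGTH= 16384;
static const uint64_t DEFAULT_MAX_CACHE_BUCKETS= 4096;

/* Line grammar of the policy file. Comment and blank lines are skipped; every
 * other line must read "<user-regex> <kind>=<object-regex> <ACTION>", where
 * <kind> is table, schema or process and <ACTION> is one of the four spellings
 * in the alternation. The <user-regex> and <object-regex> fields are later
 * compiled as boost::regex by PolicyItem, so the policy file is trusted input:
 * a malformed pattern surfaces as an exception while the policy is loaded.
 * The pointers themselves are const so a stray assignment elsewhere cannot
 * silently change the grammar. */
static const char *const comment_regex = "^[[:space:]]*#.*$";
static const char *const empty_regex = "^[[:space:]]*$";
static const char *const table_match_regex = "^([^ ]+) table\\=([^ ]+) (ACCEPT|REJECT|ALLOW|DENY)$";
static const char *const process_match_regex = "^([^ ]+) process\\=([^ ]+) (ACCEPT|REJECT|ALLOW|DENY)$";
static const char *const schema_match_regex = "^([^ ]+) schema\\=([^ ]+) (ACCEPT|REJECT|ALLOW|DENY)$";
/* Capture-group indices of the three *_match_regex patterns above.
 * They correspond to the parentheses in those patterns and must stay in sync. */
static const int MATCH_REGEX_USER_POS= 1;
static const int MATCH_REGEX_OBJECT_POS= 2;
static const int MATCH_REGEX_ACTION_POS= 3;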
56 
57 
/* Verdict of one policy rule after PolicyItem has normalised the spellings
 * found in the policy file (ACCEPT/ALLOW -> POLICY_ACCEPT, REJECT/DENY -> POLICY_DENY). */
enum PolicyAction
{
  POLICY_ACCEPT,
  POLICY_DENY
};
63 
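/* One rule from the policy file: "<user-regex> <kind>=<object-regex> <ACTION>".
 * Both pattern fields are compiled into boost::regex at construction, so a rule
 * with an invalid pattern is rejected while the policy is loaded rather than at
 * the first access check. Instances are immutable once built. */
class PolicyItem
{
  const std::string user;
  const std::string object;
  const boost::regex user_re;
  const boost::regex object_re;
  PolicyAction action;
public:
  /* @param u    regular expression for the user name (source of user_re)
   * @param obj  regular expression for the object (table/schema/process) name
   * @param act  one of ACCEPT, ALLOW, REJECT or DENY, as spelled in the policy file
   * @throws std::invalid_argument when act is none of the four spellings (derives
   *         from std::exception, so existing catch sites still apply)
   * @throws boost::regex_error when u or obj is not a valid pattern (raised by
   *         the boost::regex members during initialisation) */
  PolicyItem(const std::string &u, const std::string &obj, const std::string &act) :
    user(u),
    object(obj),
    user_re(u),
    object_re(obj),
    action(parseAction(act))
  { }
  /* true when the whole of str matches the user pattern (defined inline below) */
  bool userMatches(std::string &str);
  /* true when the whole of object_id matches the object pattern (defined inline below) */
  bool objectMatches(std::string &object_id);
  /* true when this rule's action is DENY */
  bool isRestricted() const;
  /* Pattern text for the user, exactly as written in the policy file. */
  const std::string&getUser() const
  {
    return user;
  }
  /* Pattern text for the object, exactly as written in the policy file. */
  const std::string&getObject() const
  {
    return object;
  }
  /* Canonical spelling of the action: ACCEPT/ALLOW report "ALLOW", REJECT/DENY report "DENY". */
  const char *getAction() const
  {
    return action == POLICY_ACCEPT ? "ALLOW" : "DENY";
  }
private:
  /* Maps the four accepted spellings onto PolicyAction. Anything else is an
   * error with a message naming the offending token, so a typo in the policy
   * file can never be silently read as either an ALLOW or a DENY. */
  static PolicyAction parseAction(const std::string &act)
  {
    if ((act == "ACCEPT") || (act == "ALLOW"))
    {
      return POLICY_ACCEPT;
    }
    if ((act == "REJECT") || (act == "DENY"))
    {
      return POLICY_DENY;
    }
    throw std::invalid_argument("regex_policy: unknown policy action '" + act +
                                "' (expected ACCEPT, ALLOW, REJECT or DENY)");
  }
};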
107 
/* Rules of one kind (table, schema or process). The list holds raw pointers;
 * ownership presumably lies with Policy (see ~Policy) — confirm in module.cc. */
typedef std::list<PolicyItem *> PolicyItemList;
/* Keys in insertion order; presumably used by CheckMap to bound the cache
 * (see DEFAULT_MAX_LRU_LENGTH). */
typedef std::vector<std::string> LruList;
/* Cached verdict per lookup key, as stored by CheckMap::insert. */
typedef boost::unordered_map<std::string, bool> UnorderedCheckMap;
111 
/* Memoises access-check verdicts keyed by a string built from user and object.
 * Two locks are declared: map_mutex (readers-writer) next to `map` and
 * lru_mutex next to `lru`; find() and insert() are defined out of line
 * (module.cc) and are presumably the ones taking them. Not copyable, because
 * the mutex members are not. */
class CheckMap
{
  LruList lru;
  boost::mutex lru_mutex;
  boost::shared_mutex map_mutex;
  UnorderedCheckMap map;
public:
  /* Pointer to the cached verdict for k, presumably NULL when absent. The
   * pointer refers into `map`, so clear() invalidates it — do not hold it
   * across a clear(). */
  bool* find(std::string const&k);
  /* Records verdict v for key k (defined out of line). */
  void insert(std::string const &k, bool v);
  /* Drops every cached verdict. NOTE(review): `map` is cleared without taking
   * map_mutex, and `lru` is left as is. If clear() can run concurrently with
   * find()/insert() (e.g. on a policy reload while checks are in flight) this
   * is a race; either take the exclusive side of map_mutex here or confirm
   * that every caller already serialises it — verify in module.cc. */
  void clear()
  {
    map.clear();
  }
};
126 
/* Predicate used while walking a PolicyItemList for one (user, object) pair.
 * operator() is defined out of line (module.cc); the verdict for this pair can be
 * memoised in check_cache, presumably under `key`. Holds a reference to the
 * cache, so an instance must not outlive it. */
class CheckItem
{
  std::string user;
  std::string object;
  std::string key;
  bool has_cached_result;
  bool cached_result;
  CheckMap &check_cache;
public:
  /* @param u            user name being checked (matched against PolicyItem user patterns)
   * @param obj          object name being checked (matched against object patterns)
   * @param check_cache  cache consulted and updated for this (u, obj) pair */
  CheckItem(const std::string &u, const std::string &obj, CheckMap &check_cache);
  /* Tests one rule; see module.cc for the definition. */
  bool operator()(PolicyItem *p);
  /* Records a verdict for this item (defined out of line). */
  void setCachedResult(bool result);
  /* Whether a verdict is available for this item. */
  bool hasCachedResult() const { return has_cached_result; }
  /* The verdict; only meaningful when hasCachedResult() is true. */
  bool getCachedResult() const { return cached_result; }
};
148 
/* Whole-string match of str against the user pattern. boost::regex_match (not
 * regex_search) is used, so a rule written for "alice" does not cover "alice2". */
inline bool PolicyItem::userMatches(std::string &str)
{
  const bool matched= boost::regex_match(str, user_re);
  return matched;
}
153 
/* Whole-string match of object_id against the object pattern (boost::regex_match,
 * so partial matches do not count). */
inline bool PolicyItem::objectMatches(std::string &object_id)
{
  const bool matched= boost::regex_match(object_id, object_re);
  return matched;
}
158 
/* true for DENY rules (REJECT/DENY in the policy file), false for ACCEPT rules. */
inline bool PolicyItem::isRestricted() const
{
  switch (action)
  {
  case POLICY_DENY:
    return true;
  default:
    return false;
  }
}
163 
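/* Authorization plugin that decides table, schema and process access by matching
 * the requesting user and the object name against regular-expression rules read
 * from a policy file. Verdicts are memoised per object kind in the three
 * CheckMap members. */
class Policy :
  public drizzled::plugin::Authorization
{
public:
  /* @param f_path  path of the policy file; also kept as a string in
   *                sysvar_policy_file (presumably what the server variable reports).
   * explicit: a bare std::string must never convert into a plugin instance. */
  explicit Policy(const std::string &f_path) :
    drizzled::plugin::Authorization("regex_policy"), sysvar_policy_file(f_path), policy_file(f_path), error(),
    table_check_cache(), schema_check_cache(), process_check_cache()
  { }

  /* Authorization hooks, defined in module.cc. Each answers whether user_ctx is
   * restricted from the given object (presumably true = deny), apparently by
   * way of the private restrictObject helper. */
  virtual bool restrictSchema(const drizzled::identifier::User &user_ctx,
                              const drizzled::identifier::Schema& schema);

  virtual bool restrictProcess(const drizzled::identifier::User &user_ctx,
                               const drizzled::identifier::User &session_ctx);

  virtual bool restrictTable(const drizzled::identifier::User& user_ctx,
                             const drizzled::identifier::Table& table);

  /* Replaces all three rule lists at once (lists are taken by value; ownership of
   * the PolicyItem pointers presumably passes to this object — confirm in module.cc).
   * NOTE(review): after the rules change, the three check caches must be emptied
   * as well, otherwise a verdict cached under the old rules can outlive them —
   * verify that setPolicies/clearPolicies (or their caller) do so. */
  void setPolicies(PolicyItemList new_table_policies, PolicyItemList new_schema_policies, PolicyItemList new_process_policies);
  /* Drops every rule (defined out of line). */
  void clearPolicies();
  /* Current policy-file path as exposed to the server variable. */
  std::string& getPolicyFile();
  /* Switches to another policy file; returns whether that succeeded. */
  bool setPolicyFile(std::string& new_policy_file);
  /* Accumulated load/parse diagnostics; returned mutable so the loader can append. */
  std::stringstream &getError() { return error; }
  ~Policy();
private:
  /* Shared implementation behind the restrict* hooks: matches user_ctx and obj
   * against policies, consulting/updating check_cache (defined in module.cc). */
  bool restrictObject(const drizzled::identifier::User &user_ctx,
                      const std::string &obj, const PolicyItemList &policies,
                      CheckMap &check_cache);
  std::string sysvar_policy_file;
  fs::path policy_file;
  std::stringstream error;
  PolicyItemList table_policies;
  PolicyItemList schema_policies;
  PolicyItemList process_policies;
  CheckMap table_check_cache;
  CheckMap schema_check_cache;
  CheckMap process_check_cache;
};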
202 
203 } /* namespace regex_policy */
204 