OW_SimpleAuthorizer2.cpp

Go to the documentation of this file.
00001 /*******************************************************************************
00002 * Copyright (C) 2001-2004 Novell, Inc. All rights reserved.
00003 *
00004 * Redistribution and use in source and binary forms, with or without
00005 * modification, are permitted provided that the following conditions are met:
00006 *
00007 *  - Redistributions of source code must retain the above copyright notice,
00008 *    this list of conditions and the following disclaimer.
00009 *
00010 *  - Redistributions in binary form must reproduce the above copyright notice,
00011 *    this list of conditions and the following disclaimer in the documentation
00012 *    and/or other materials provided with the distribution.
00013 *
00014 *  - Neither the name of Novell, Inc. nor the names of its
00015 *    contributors may be used to endorse or promote products derived from this
00016 *    software without specific prior written permission.
00017 *
00018 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS ``AS IS''
00019 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
00020 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
00021 * ARE DISCLAIMED. IN NO EVENT SHALL Novell, Inc. OR THE CONTRIBUTORS
00022 * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
00023 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
00024 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
00025 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
00026 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
00027 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
00028 * POSSIBILITY OF SUCH DAMAGE.
00029 *******************************************************************************/
00030 
00035 #include "OW_config.h"
00036 #include "OW_SimpleAuthorizer2.hpp"
00037 #include "OW_Assertion.hpp"
00038 #include "OW_UserInfo.hpp"
00039 #include "OW_OperationContext.hpp"
00040 #include "OW_Logger.hpp"
00041 #include "OW_Format.hpp"
00042 #include "OW_ConfigOpts.hpp"
00043 #include "OW_CIMClass.hpp"
00044 #include "OW_CIMValue.hpp"
00045 #include "OW_CIMException.hpp"
00046 #include "OW_CIMObjectPath.hpp"
00047 #include "OW_CIMInstance.hpp"
00048 #include "OW_CIMProperty.hpp"
00049 #include "OW_CIMQualifierType.hpp"
00050 #include "OW_CIMOMHandleIFC.hpp"
00051 
00052 #include <cstring>
00053 
00054 namespace OW_NAMESPACE
00055 {
00056 
00057 using namespace WBEMFlags;
00058 
00059 namespace
00060 {
00061 const String ACCESS_READ("r");
00062 const String ACCESS_WRITE("w");
00063 const String ACCESS_READWRITE("rw");
00064 const String COMPONENT_NAME = "ow.authorizer.simple2";
00065 }
00066    
00068 SimpleAuthorizer2::SimpleAuthorizer2()
00069    : Authorizer2IFC()
00070 {
00071 }
00073 SimpleAuthorizer2::~SimpleAuthorizer2()
00074 {
00075 }
00076 
00078 bool
00079 SimpleAuthorizer2::checkAccess(const String& opType, const String& ns,
00080    const ServiceEnvironmentIFCRef& env, OperationContext& context)
00081 {
00082    OW_ASSERT(opType == ACCESS_READ || opType == ACCESS_WRITE
00083       || opType == ACCESS_READWRITE);
00084 
00085    UserInfo userInfo = context.getUserInfo();
00086    if (userInfo.getInternal())
00087    {
00088       return true;
00089    }
00090 
00091    CIMOMHandleIFCRef lch = env->getCIMOMHandle(context,
00092       ServiceEnvironmentIFC::E_USE_PROVIDERS);
00093 
00094    LoggerRef lgr = env->getLogger(COMPONENT_NAME);
00095 
00096    if (!userInfo.getUserName().empty())
00097    {
00098       String superUser =
00099          env->getConfigItem(ConfigOpts::ACL_SUPERUSER_opt);
00100       if (superUser.equalsIgnoreCase(userInfo.getUserName()))
00101       {
00102          OW_LOG_DEBUG(lgr, "User is SuperUser: checkAccess returning.");
00103          return true;
00104       }
00105    }
00106 
00107    String lns(ns);
00108    while (lns.startsWith('/'))
00109    {
00110       lns = lns.substring(1);
00111    }
00112    lns.toLowerCase();
00113    for (;;)
00114    {
00115       if (!userInfo.getUserName().empty())
00116       {
00117          try
00118          {
00119             CIMClass cc = lch->getClass("root/security",
00120                "OpenWBEM_UserACL", E_NOT_LOCAL_ONLY, E_INCLUDE_QUALIFIERS,
00121                E_INCLUDE_CLASS_ORIGIN, NULL);
00122          }
00123          catch(CIMException&)
00124          {
00125             OW_LOG_DEBUG(lgr, "OpenWBEM_UserACL class non-existent in"
00126                " /root/security. ACLs disabled");
00127             return true;
00128          }
00129          
00130          CIMObjectPath cop("OpenWBEM_UserACL");
00131          cop.setKeyValue("username", CIMValue(userInfo.getUserName()));
00132          cop.setKeyValue("nspace", CIMValue(lns));
00133          CIMInstance ci(CIMNULL);
00134          try
00135          {
00136             ci = lch->getInstance("root/security", cop,
00137                E_NOT_LOCAL_ONLY, E_INCLUDE_QUALIFIERS,
00138                E_INCLUDE_CLASS_ORIGIN, NULL);
00139          }
00140          catch(const CIMException&)
00141          {
00142             ci.setNull();
00143          }
00144          if (ci)
00145          {
00146             String capability;
00147             CIMProperty capabilityProp = ci.getProperty("capability");
00148             if (capabilityProp)
00149             {
00150                CIMValue cv = capabilityProp.getValue();
00151                if (cv)
00152                {
00153                   capability = cv.toString();
00154                }
00155             }
00156 
00157             capability.toLowerCase();
00158             if (opType.length() == 1)
00159             {
00160                if (capability.indexOf(opType) == String::npos)
00161                {
00162                    // Access to namespace denied for user
00163                   OW_THROWCIM(CIMException::ACCESS_DENIED);
00164                }
00165             }
00166             else
00167             {
00168                if (!capability.equals("rw") && !capability.equals("wr"))
00169                {
00170                   // Access to namespace denied for user
00171                   OW_THROWCIM(CIMException::ACCESS_DENIED);
00172                }
00173             }
00174 
00175             // Access to namespace granted for user
00176             return true;
00177          }
00178       }
00179 
00180       // use default policy for namespace
00181       try
00182       {
00183          CIMClass cc = lch->getClass("root/security",
00184             "OpenWBEM_NamespaceACL", E_NOT_LOCAL_ONLY, E_INCLUDE_QUALIFIERS,
00185             E_INCLUDE_CLASS_ORIGIN, NULL);
00186       }
00187       catch(CIMException&)
00188       {
00189          // OpenWBEM_NamespaceACL class non-existent in /root/security.
00190          // namespace ACLs disabled
00191          return true;
00192       }
00193       CIMObjectPath cop("OpenWBEM_NamespaceACL");
00194       cop.setKeyValue("nspace", CIMValue(lns));
00195       CIMInstance ci(CIMNULL);
00196       try
00197       {
00198          ci = lch->getInstance("root/security", cop, E_NOT_LOCAL_ONLY,
00199             E_INCLUDE_QUALIFIERS, E_INCLUDE_CLASS_ORIGIN, NULL);
00200       }
00201       catch(const CIMException& ce)
00202       {
00203          OW_LOG_DEBUG(lgr, Format("Caught exception: %1 in"
00204             " AccessMgr::checkAccess. line=%2", ce, __LINE__));
00205          ci.setNull();
00206       }
00207    
00208       if (ci)
00209       {
00210          String capability;
00211          CIMProperty capabilityProp = ci.getProperty("capability");
00212          if (capabilityProp)
00213          {
00214             CIMValue v = capabilityProp.getValue();
00215             if (v)
00216             {
00217                capability = v.toString();
00218             }
00219          }
00220 
00221          capability.toLowerCase();
00222          if (opType.length() == 1)
00223          {
00224             if (capability.indexOf(opType) == String::npos)
00225             {
00226                // Access namespace denied for user
00227                   OW_THROWCIM(CIMException::ACCESS_DENIED);
00228             }
00229          }
00230          else
00231          {
00232             if (!capability.equals("rw") && !capability.equals("wr"))
00233             {
00234                // Access to namespace denied for user
00235                   OW_THROWCIM(CIMException::ACCESS_DENIED);
00236             }
00237          }
00238 
00239          // Access to namespace granted for user
00240          return true;
00241       }
00242       size_t idx = lns.lastIndexOf('/');
00243       if (idx == 0 || idx == String::npos)
00244       {
00245          break;
00246       }
00247       lns = lns.substring(0, idx);
00248    }
00249 
00250    // Access to namespace denied for user
00251       OW_THROWCIM(CIMException::ACCESS_DENIED);
00252    return false;
00253 }
00254 
00256 bool
00257 SimpleAuthorizer2::doAllowReadInstance(
00258    const ServiceEnvironmentIFCRef& env,
00259    const String& ns,
00260    const String& className,
00261    const StringArray* clientPropertyList,
00262    StringArray& authorizedPropertyList,
00263    OperationContext& context)
00264 {
00265    return checkAccess(ACCESS_READ, ns, env, context);
00266 }
00267 #ifndef OW_DISABLE_INSTANCE_MANIPULATION
00268 
00269 bool
00270 SimpleAuthorizer2::doAllowWriteInstance(
00271    const ServiceEnvironmentIFCRef& env,
00272    const String& ns,
00273    const CIMObjectPath& instanceName,
00274    Authorizer2IFC::EDynamicFlag dynamic,
00275    Authorizer2IFC::EWriteFlag flag,
00276    OperationContext& context)
00277 {
00278    return checkAccess(ACCESS_WRITE, ns, env, context);
00279 }
00280 #endif
00281 
00282 bool
00283 SimpleAuthorizer2::doAllowReadSchema(
00284    const ServiceEnvironmentIFCRef& env,
00285    const String& ns,
00286    OperationContext& context)
00287 {
00288    return checkAccess(ACCESS_READ, ns, env, context);
00289 }
00290 #if !defined(OW_DISABLE_SCHEMA_MANIPULATION) || !defined(OW_DISABLE_QUALIFIER_DECLARATION)
00291 
00292 bool
00293 SimpleAuthorizer2::doAllowWriteSchema(
00294    const ServiceEnvironmentIFCRef& env,
00295    const String& ns,
00296    Authorizer2IFC::EWriteFlag flag,
00297    OperationContext& context)
00298 {
00299    return checkAccess(ACCESS_WRITE, ns, env, context);
00300 }
00301 #endif
00302 
00303 bool
00304 SimpleAuthorizer2::doAllowAccessToNameSpace(
00305    const ServiceEnvironmentIFCRef& env,
00306    const String& ns,
00307    Authorizer2IFC::EAccessType accessType,
00308    OperationContext& context)
00309 {
00310    String actype;
00311    switch (accessType)
00312    {
00313       case Authorizer2IFC::E_READ:
00314          actype = ACCESS_READ;
00315          break;
00316       case Authorizer2IFC::E_WRITE:
00317          actype = ACCESS_WRITE;
00318          break;
00319       default:
00320          actype = ACCESS_READWRITE;
00321          break;
00322    }
00323 
00324    return checkAccess(actype, ns, env, context);
00325 }
00326 #if !defined(OW_DISABLE_INSTANCE_MANIPULATION) && !defined(OW_DISABLE_NAMESPACE_MANIPULATION)
00327 
00328 bool
00329 SimpleAuthorizer2::doAllowCreateNameSpace(
00330    const ServiceEnvironmentIFCRef& env,
00331    const String& ns_,
00332    OperationContext& context)
00333 {
00334    return doAllowAccessToNameSpace(env, ns_, Authorizer2IFC::E_WRITE,
00335       context);
00336 }
00338 bool
00339 SimpleAuthorizer2::doAllowDeleteNameSpace(
00340    const ServiceEnvironmentIFCRef& env,
00341    const String& ns_,
00342    OperationContext& context)
00343 {
00344    return doAllowAccessToNameSpace(env, ns_, Authorizer2IFC::E_WRITE,
00345       context);
00346 }
00347 #endif
00348 
00349 bool
00350 SimpleAuthorizer2::doAllowEnumNameSpace(
00351    const ServiceEnvironmentIFCRef& env,
00352    OperationContext& context)
00353 {
00354    return true; // ?
00355 }
00357 bool
00358 SimpleAuthorizer2::doAllowMethodInvocation(
00359    const ServiceEnvironmentIFCRef& env,
00360    const String& ns,
00361    const CIMObjectPath& path,
00362    const String& methodName,
00363    OperationContext& context)
00364 {
00365    return checkAccess(ACCESS_READWRITE, ns, env, context);
00366 }
00367 
00368 } // end namespace OW_NAMESPACE
00369 
00370 
00371 OW_AUTHORIZER2_FACTORY(OpenWBEM::SimpleAuthorizer2, simple);

Generated on Thu Feb 9 08:48:11 2006 for openwbem by  doxygen 1.4.6