Statistics
| Branch: | Tag: | Revision:

one / include / AuthManager.h @ 01d932ad

History | View | Annotate | Download (11.4 KB)

1
/* -------------------------------------------------------------------------- */
2
/* Copyright 2002-2011, OpenNebula Project Leads (OpenNebula.org)             */
3
/*                                                                            */
4
/* Licensed under the Apache License, Version 2.0 (the "License"); you may    */
5
/* not use this file except in compliance with the License. You may obtain    */
6
/* a copy of the License at                                                   */
7
/*                                                                            */
8
/* http://www.apache.org/licenses/LICENSE-2.0                                 */
9
/*                                                                            */
10
/* Unless required by applicable law or agreed to in writing, software        */
11
/* distributed under the License is distributed on an "AS IS" BASIS,          */
12
/* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.   */
13
/* See the License for the specific language governing permissions and        */
14
/* limitations under the License.                                             */
15
/* -------------------------------------------------------------------------- */
16

    
17
#ifndef AUTH_MANAGER_H_
18
#define AUTH_MANAGER_H_
19

    
20
#include <time.h>
21

    
22
#include "MadManager.h"
23
#include "ActionManager.h"
24

    
25
#include "AuthManagerDriver.h"
26

    
27
using namespace std;
28

    
29
//Forward definition of the AuthRequest
30
class AuthRequest;
31

    
32
/* -------------------------------------------------------------------------- */
33
/* -------------------------------------------------------------------------- */
34

    
35
extern "C" void * authm_action_loop(void *arg);
36

    
37
class AuthManager : public MadManager, public ActionListener
38
{
39
public:
40

    
41
    AuthManager(
42
        time_t                      timer,
43
        time_t                      __time_out,
44
        vector<const Attribute*>&   _mads):
45
            MadManager(_mads), timer_period(timer)
46
    {
47
        _time_out = __time_out;
48

    
49
        am.addListener(this);
50

    
51
        pthread_mutex_init(&mutex,0);
52
    };
53

    
54
    ~AuthManager(){};
55

    
56
    enum Actions
57
    {
58
        AUTHENTICATE,
59
        AUTHORIZE,
60
        FINALIZE
61
    };
62

    
63
    /**
64
     *  Triggers specific actions to the Auth Manager. This function
65
     *  wraps the ActionManager trigger function.
66
     *    @param action the Auth Manager action
67
     *    @param request an auth request
68
     */
69
    void trigger(
70
        Actions       action,
71
        AuthRequest * request);
72

    
73
    /**
74
     *  This functions starts the associated listener thread, and creates a
75
     *  new thread for the AuthManager. This thread will wait in
76
     *  an action loop till it receives ACTION_FINALIZE.
77
     *    @return 0 on success.
78
     */
79
    int start();
80

    
81
    /**
82
     *  Loads Virtual Machine Manager Mads defined in configuration file
83
     *   @param uid of the user executing the driver. When uid is 0 the nebula
84
     *   identity will be used. Otherwise the Mad will be loaded through the
85
     *   sudo application.
86
     */
87
    void load_mads(int uid);
88

    
89
    /**
90
     *  Gets the thread identification.
91
     *    @return pthread_t for the manager thread (that in the action loop).
92
     */
93
    pthread_t get_thread_id() const
94
    {
95
        return authm_thread;
96
    };
97

    
98
    /**
99
     *  Notify the result of an auth request
100
     */
101
    void notify_request(int auth_id, bool result, const string& message);
102

    
103
    /**
104
     *  Discards a pending request. Call this before freeing not notified or
105
     *  timeout requests.
106
     */
107
    void discard_request(int auth_id)
108
    {
109
        lock();
110

    
111
        auth_requests.erase(auth_id);
112

    
113
        unlock();
114
    }
115

    
116
    /**
117
     *  Gets default timeout for Auth requests
118
     */
119
    static time_t  time_out()
120
    {
121
        return _time_out;
122
    }
123

    
124
private:
125
    /**
126
     *  Thread id for the Transfer Manager
127
     */
128
    pthread_t               authm_thread;
129

    
130
    /**
131
     *  Action engine for the Manager
132
     */
133
    ActionManager           am;
134

    
135
    /**
136
     *  List of pending requests
137
     */
138
    map<int, AuthRequest *> auth_requests;
139

    
140
    /**
141
     *  Mutex to access the auth_requests
142
     */
143
    pthread_mutex_t         mutex;
144

    
145
    /**
146
     *  Default timeout for Auth requests
147
     */
148
    static time_t           _time_out;
149

    
150
    /**
151
     *  Timer for the Manager (periocally triggers timer action)
152
     */
153
    time_t                  timer_period;
154

    
155
    /**
156
     *  Generic name for the Auth driver
157
     */
158
     static const char *  auth_driver_name;
159

    
160
    /**
161
     *  Returns a pointer to a Auth Manager driver.
162
     *    @param name of an attribute of the driver (e.g. its type)
163
     *    @param value of the attribute
164
     *    @return the Auth driver with attribute name equal to value
165
     *    or 0 in not found
166
     */
167
    const AuthManagerDriver * get(
168
        const string&   name,
169
        const string&   value)
170
    {
171
        return static_cast<const AuthManagerDriver *>
172
               (MadManager::get(0,name,value));
173
    };
174

    
175
    /**
176
     *  Returns a pointer to a Auth Manager driver. The driver is
177
     *  searched by its name.
178
     *    @param name the name of the driver
179
     *    @return the TM driver owned by uid with attribute name equal to value
180
     *    or 0 in not found
181
     */
182
    const AuthManagerDriver * get()
183
    {
184
        string name("NAME");
185

    
186
        return static_cast<const AuthManagerDriver *>
187
               (MadManager::get(0,name,auth_driver_name));
188
    };
189

    
190
    /**
191
     *  Function to execute the Manager action loop method within a new pthread
192
     * (requires C linkage)
193
     */
194
    friend void * authm_action_loop(void *arg);
195

    
196
    /**
197
     *  The action function executed when an action is triggered.
198
     *    @param action the name of the action
199
     *    @param arg arguments for the action function
200
     */
201
    void do_action(
202
        const string &  action,
203
        void *          arg);
204

    
205
    /**
206
     *  This function authenticates a user
207
     */
208
    void authenticate_action(AuthRequest * ar);
209

    
210
    /**
211
     *  This function authorizes a user request
212
     */
213
    void authorize_action(AuthRequest * ar);
214

    
215
    /**
216
     *  This function is periodically executed to check time_outs on requests
217
     */
218
    void timer_action();
219

    
220
    /**
221
     *  Function to lock the pool
222
     */
223
    void lock()
224
    {
225
        pthread_mutex_lock(&mutex);
226
    };
227

    
228
    /**
229
     *  Function to unlock the pool
230
     */
231
    void unlock()
232
    {
233
        pthread_mutex_unlock(&mutex);
234
    };
235

    
236
    /**
237
     *  Add a new request to the Request map
238
     *    @param ar pointer to the AuthRequest
239
     *    @return the id for the request
240
     */
241
    int add_request(AuthRequest *ar);
242

    
243
    /**
244
     *  Gets request from the Request map
245
     *    @param id for the request
246
     *    @return pointer to the AuthRequest
247
     */
248
    AuthRequest * get_request(int id);
249
};
250

    
251
/* -------------------------------------------------------------------------- */
252
/* -------------------------------------------------------------------------- */
253

    
254
/**
255
 *  The AuthRequest class is used to pass an Authorization or Authentication
256
 *  request to the AuthManager. The result of the request will be stored
257
 *  in the result and message attributes of this class.
258
 */
259
class AuthRequest : public ActionListener
260
{
261
public:
262
    AuthRequest(int _uid):
263
        result(false),
264
        timeout(false),
265
        uid(_uid),
266
        time_out(0),
267
        self_authorize(true)
268
    {
269
        am.addListener(this);
270
    };
271

    
272
    ~AuthRequest(){};
273

    
274
    /**
275
     *  Authorization Request Type
276
     */
277
    enum Operation
278
    {
279
        CREATE,     /** Authorization to create an object   */
280
        DELETE,     /** Authorization to delete an object   */
281
        USE,        /** Authorization to use an object      */
282
        MANAGE,     /** Authorization to manage an object   */
283
        INFO,       /** Authorization to view an object     */
284
        INFO_POOL,  /** Authorization to view all objects in the pool */
285
        INSTANTIATE /** Authorization to instantiate a VM from a TEMPLATE   */
286
    };
287

    
288
    /**
289
     *  OpenNebula objects to perform an Operation
290
     */
291
    enum Object
292
    {
293
        VM,
294
        HOST,
295
        NET,
296
        IMAGE,
297
        USER,
298
        CLUSTER,
299
        TEMPLATE,
300
        GROUP
301
    };
302

    
303
    /**
304
     *  Sets the challenge to authenticate an user
305
     *  @param challenge a driver specific authentication challenge
306
     */
307
    void add_authenticate(const string &_username,
308
                          const string &_password,
309
                          const string &_session)
310
    {
311
        username = _username;
312
        password = _password;
313
        session  = _session;
314
    }
315

    
316
    /**
317
     *  Adds a new authorization item to this request
318
     *
319
     *        OBJECT:OBJECT_ID:ACTION:OWNER:PUBLIC
320
     *
321
     *    @param ob the object over which the operation will be performed
322
     *    @param ob_id the object unique id
323
     *    @param op the operation to be authorized
324
     *    @param owner id of user that owns the object. For creates MUST equals
325
          uid, hosts owner is uid=0
326
     *    @param pub public attribute
327
     */
328
    void add_auth(Object        ob,
329
                  const string& ob_id,
330
                  Operation     op,
331
                  int           owner,
332
                  bool          pub);
333

    
334
    /**
335
     *  Adds a new authorization item to this requests
336
     */
337
    void add_auth(Object        ob,
338
                  int           ob_id,
339
                  Operation     op,
340
                  int           owner,
341
                  bool          pub)
342
    {
343
        ostringstream oss;
344
        oss << ob_id;
345

    
346
        add_auth(ob,oss.str(),op,owner,pub);
347
    };
348

    
349
    /**
350
     *  Gets the authorization requests in a single string
351
     *  @return a space separated list of auth requests.
352
     */
353
    string get_auths()
354
    {
355
        ostringstream oss;
356

    
357
        for (unsigned int i=0; i<auths.size(); i++)
358
        {
359
            oss << auths[i] << " ";
360
        }
361

    
362
        return oss.str();
363
    };
364

    
365
    /**
366
     *  Notify client that we have an answer for the request
367
     */
368
    void notify()
369
    {
370
        am.trigger(ActionListener::ACTION_FINALIZE,0);
371
    };
372

    
373
    /**
374
     *  Wait for the AuthRequest to be completed
375
     */
376
    void wait()
377
    {
378
        time_out = time(0) + AuthManager::time_out();
379

    
380
        am.loop(0,0);
381
    };
382

    
383
    bool plain_authorize()
384
    {
385
        return ( uid == 0 || self_authorize );
386
    }
387

    
388
    bool plain_authenticate()
389
    {
390
        return (password == session);
391
    }
392

    
393
    /**
394
     *  The result of the request, true if authorized or authenticated
395
     */
396
    bool            result;
397

    
398
    /**
399
     *  Error message for negative results
400
     */
401
    string          message;
402

    
403
    /**
404
     *  Time out
405
     */
406
    bool            timeout;
407

    
408
    /**
409
     *  Identification of this request
410
     */
411
    int             id;
412

    
413
private:
414

    
415
    friend class AuthManager;
416

    
417
    /**
418
     *  The ActionManager that will be notify when the request is ready.
419
     */
420
    ActionManager am;
421

    
422
    /**
423
     *  The user id for this request
424
     */
425
    int uid;
426

    
427
    /**
428
     *  Timeout for this request
429
     */
430
    time_t time_out;
431

    
432
    /**
433
     *  Username to authenticate the user
434
     */
435
    string username;
436

    
437
    /**
438
     *  User password to authenticate the user
439
     */
440
    string password;
441

    
442
    /**
443
     *  Authentication token as sent in the XML-RPC call (user:session)
444
     */
445
    string session;
446

    
447
    /**
448
     *  A list of authorization requests
449
     */
450
    vector<string> auths;
451

    
452
    /**
453
     *  Plain authorization for the request
454
     */
455
    bool self_authorize;
456

    
457
    /**
458
     *  No actions defined for the Auth request, just FINALIZE when done
459
     */
460
    void do_action(const string &name, void *args){};
461

    
462

    
463
};
464

    
465
#endif /*AUTH_MANAGER_H*/
466