
/* -------------------------------------------------------------------------- */
/* Copyright 2002-2011, OpenNebula Project Leads (OpenNebula.org)             */
/*                                                                            */
/* Licensed under the Apache License, Version 2.0 (the "License"); you may    */
/* not use this file except in compliance with the License. You may obtain    */
/* a copy of the License at                                                   */
/*                                                                            */
/* http://www.apache.org/licenses/LICENSE-2.0                                 */
/*                                                                            */
/* Unless required by applicable law or agreed to in writing, software        */
/* distributed under the License is distributed on an "AS IS" BASIS,          */
/* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.   */
/* See the License for the specific language governing permissions and        */
/* limitations under the License.                                             */
/* -------------------------------------------------------------------------- */

    
#include "AclManager.h"
#include "NebulaLog.h"

    
/* -------------------------------------------------------------------------- */
/* -------------------------------------------------------------------------- */

    
/**
 *  Decides whether a user may perform an operation on an object by scanning
 *  acl_set for the first rule that grants it.
 *
 *  A rule grants the request only when all of the following hold:
 *    - its user field is exactly this individual uid (INDIVIDUAL_ID + uid).
 *      Rules addressed to anything other than that individual user never
 *      match here, so the user_groups parameter is currently not consulted
 *      (see the TODO in the loop);
 *    - its resource field, masked to the object type plus one kind of id
 *      (individual or group), equals the requested object id or the
 *      object's group id;
 *    - every bit of the requested operation is present in its rights field.
 *
 *  Evaluation stops at the first matching rule. If no rule matches the
 *  request is denied, so an empty acl_set denies everything (fail closed).
 *
 *    @param uid          id of the user making the request
 *    @param user_groups  groups the user belongs to (not used yet)
 *    @param obj_type     type of the object the operation targets
 *    @param obj_id       id of the object
 *    @param obj_gid      group id of the object
 *    @param op           operation being requested
 *    @return true if some rule grants the operation, false otherwise
 */
bool AclManager::authorize(int uid, const set<int> &user_groups,
        AuthRequest::Object obj_type, int obj_id, int obj_gid,
        AuthRequest::Operation op)
{
    // Masks describing the request. NOTE(review): the additions assume uid,
    // obj_id and obj_gid are non-negative and fit in the low 32 bits, so that
    // they cannot disturb the type / INDIVIDUAL_ID bits -- confirm with callers.
    const long long user_req         = AclRule::INDIVIDUAL_ID + uid;
    const long long resource_oid_req = obj_type + AclRule::INDIVIDUAL_ID + obj_id;
    const long long resource_gid_req = obj_type + AclRule::INDIVIDUAL_ID + obj_gid;
    const long long rights_req       = op;

    // Masks applied to a rule's resource field before comparing it with the
    // request: they keep the object type bits, one id-kind bit (INDIVIDUAL_ID
    // or GROUP_ID) and the low 32 id bits, dropping anything else the rule
    // carries.
    const long long individual_obj_type =
            ( obj_type | AclRule::INDIVIDUAL_ID | 0xFFFFFFFF );

    const long long group_obj_type =
            ( obj_type | AclRule::GROUP_ID | 0xFFFFFFFF );

    ostringstream oss;

    AclRule request_rule(user_req, resource_oid_req, rights_req);

    oss << "Request " << request_rule.to_str();
    NebulaLog::log("ACL",Log::DEBUG,oss);

    // NOTE(review): acl_set is walked without any locking visible here; if
    // another thread can modify it, synchronization must happen elsewhere.
    set<AclRule>::const_iterator rule = acl_set.begin();

    for ( ; rule != acl_set.end() ; ++rule )
    {
        oss.str("");
        oss << "> Rule  " << rule->to_str();
        NebulaLog::log("ACL",Log::DEBUG,oss);

        // TODO: This only works for individual uid
        if ( rule->user != user_req )
        {
            continue;
        }

        // The rule must carry every bit of the requested operation
        if ( ( rule->rights & rights_req ) != rights_req )
        {
            continue;
        }

        // Either the individual object id or the object's group id must match
        const bool oid_match =
            ( ( rule->resource & individual_obj_type ) == resource_oid_req );

        const bool gid_match =
            ( ( rule->resource & group_obj_type ) == resource_gid_req );

        if ( oid_match || gid_match )
        {
            oss.str("Permission granted");
            NebulaLog::log("ACL",Log::DEBUG,oss);

            return true;
        }
    }

    oss.str("No more rules, permission not granted ");
    NebulaLog::log("ACL",Log::DEBUG,oss);

    return false;
}

    
/* -------------------------------------------------------------------------- */
/* -------------------------------------------------------------------------- */

    
/**
 *  Appends every rule in acl_set, serialized by AclRule::to_xml, to the
 *  given stream wrapped in an <ACL> element.
 *
 *    @param oss stream the XML is appended to
 *    @return 0 always
 */
int AclManager::dump(ostringstream& oss)
{
    // Scratch buffer handed to to_xml for each rule
    string xml;

    oss << "<ACL>";

    // NOTE(review): no locking is visible here while acl_set is iterated;
    // concurrent modification must be prevented by the caller.
    set<AclRule>::const_iterator it = acl_set.begin();

    while ( it != acl_set.end() )
    {
        oss << it->to_xml(xml);
        ++it;
    }

    oss << "</ACL>";

    return 0;
}

    
/* -------------------------------------------------------------------------- */
/* -------------------------------------------------------------------------- */