29 #include <boost/regex.hpp>
30 #include <boost/unordered_map.hpp>
31 #include <boost/thread/mutex.hpp>
32 #include <boost/thread/shared_mutex.hpp>
33 #include <boost/thread/locks.hpp>
35 #include <drizzled/configmake.h>
36 #include <drizzled/plugin/authorization.h>
38 namespace fs= boost::filesystem;
/* Default location of the policy file: "drizzle.policy" under SYSCONFDIR
   (the macro is presumably provided by <drizzled/configmake.h>, included
   above).  The file defines who may touch which schema/table/process, so
   its write permissions deserve the same care as its contents. */
static const fs::path DEFAULT_POLICY_FILE(SYSCONFDIR "/drizzle.policy");
/* Defaults for the check-result cache limits (see the LruList and
   UnorderedCheckMap typedefs further down). */
static const uint64_t DEFAULT_MAX_LRU_LENGTH= 16384;
static const uint64_t DEFAULT_MAX_CACHE_BUCKETS= 4096;

/* Policy-file line grammar.
 *
 * comment_regex and empty_regex identify lines that carry no rule.  The
 * three *_match_regex patterns share one shape,
 *   "<user> <kind>=<object> <action>"
 * where <user> and <object> are single tokens without spaces (a pattern that
 * needs a space cannot be written), "\\=" is a literal '=', and <action> is
 * one of the four keywords in the alternation.  <user> and <object> appear
 * to be compiled into PolicyItem::user_re / object_re later, i.e. they are
 * regexes in their own right, not plain names.  The group indices below are
 * tied to the bracket order of these patterns; keep them in step if the
 * patterns ever change.
 */
static const char *comment_regex= "^[[:space:]]*#.*$";
static const char *empty_regex= "^[[:space:]]*$";
static const char *table_match_regex=
  "^([^ ]+) table\\=([^ ]+) "
  "(ACCEPT|REJECT|ALLOW|DENY)$";
static const char *process_match_regex=
  "^([^ ]+) process\\=([^ ]+) "
  "(ACCEPT|REJECT|ALLOW|DENY)$";
static const char *schema_match_regex=
  "^([^ ]+) schema\\=([^ ]+) "
  "(ACCEPT|REJECT|ALLOW|DENY)$";

/* 1-based capture-group indices into the *_match_regex patterns. */
static const int MATCH_REGEX_USER_POS= 1;    /* first "([^ ]+)" */
static const int MATCH_REGEX_OBJECT_POS= 2;  /* "([^ ]+)" after "<kind>=" */
static const int MATCH_REGEX_ACTION_POS= 3;  /* the keyword alternation */
66 const std::string user;
67 const std::string object;
68 const boost::regex user_re;
69 const boost::regex object_re;
72 PolicyItem(
const std::string &u,
const std::string &obj,
const std::string &act) :
78 if ((act ==
"ACCEPT")||(act ==
"ALLOW"))
80 action = POLICY_ACCEPT;
82 else if ((act ==
"REJECT")||(act ==
"DENY"))
88 throw std::exception();
91 bool userMatches(std::string &str);
92 bool objectMatches(std::string &object_id);
93 bool isRestricted()
const;
94 const std::string&getUser()
const
98 const std::string&getObject()
const
/**
 * Render the stored action as a policy-file keyword.
 *
 * The constructor above accepts ACCEPT/ALLOW for the accept case and
 * REJECT/DENY for the other, but only two spellings are ever reported
 * here: the value is normalized, not echoed from the file.  Anything that
 * is not POLICY_ACCEPT reads as "DENY".
 *
 * @return "ALLOW" when action is POLICY_ACCEPT, otherwise "DENY".
 */
const char *getAction() const
{
  if (action == POLICY_ACCEPT)
    return "ALLOW";

  return "DENY";
}
108 typedef std::list<PolicyItem *> PolicyItemList;
109 typedef std::vector<std::string> LruList;
110 typedef boost::unordered_map<std::string, bool> UnorderedCheckMap;
115 boost::mutex lru_mutex;
116 boost::shared_mutex map_mutex;
117 UnorderedCheckMap map;
119 bool* find(std::string
const&k);
120 void insert(std::string
const &k,
bool v);
132 bool has_cached_result;
/**
 * Whether a whole-check answer has been recorded (presumably by
 * setCachedResult(), declared below).
 *
 * NOTE(review): the flag is read without either of the mutexes that appear
 * to belong to this class (lru_mutex / map_mutex); confirm that callers
 * serialize against setCachedResult() or that the flag is written only
 * before concurrent readers start.
 *
 * @return true when getCachedResult() holds a usable value.
 */
bool hasCachedResult() const
{
  return has_cached_result;
}
/**
 * The recorded whole-check answer.
 *
 * Only meaningful after hasCachedResult() reports true; this accessor does
 * not check that itself.  Like hasCachedResult() it takes no lock, so the
 * same NOTE(review) about concurrent writers applies.
 *
 * @return the cached allow/deny decision.
 */
bool getCachedResult() const
{
  return cached_result;
}
146 void setCachedResult(
bool result);
/**
 * Test a user name against this item's user pattern.
 *
 * boost::regex_match succeeds only when the whole of str matches user_re,
 * so a pattern without wildcards matches exactly that name and nothing
 * longer; policy authors wanting prefix or substring behaviour must express
 * it in the pattern itself.
 *
 * NOTE(review): str is never modified, yet the parameter is a non-const
 * reference.  Making it const requires changing the in-class declaration in
 * step, so the signature is left unchanged here.
 *
 * @param str user name to test.
 * @return true when str fully matches user_re.
 */
inline bool PolicyItem::userMatches(std::string &str)
{
  const bool matched= boost::regex_match(str, user_re);
  return matched;
}
/**
 * Test an object identifier against this item's object pattern.
 *
 * As with userMatches(), boost::regex_match requires the entire object_id
 * to match object_re; there is no implicit substring search.  What exactly
 * object_id contains for each policy kind (schema, table, process) is not
 * visible in this excerpt — check the callers before relying on a format.
 *
 * NOTE(review): object_id is not modified; the non-const reference is kept
 * only to match the in-class declaration.
 *
 * @param object_id identifier of the schema/table/process being checked.
 * @return true when object_id fully matches object_re.
 */
inline bool PolicyItem::objectMatches(std::string &object_id)
{
  const bool matched= boost::regex_match(object_id, object_re);
  return matched;
}
/**
 * Whether this item denies access.
 *
 * @return true when the stored action is POLICY_DENY, false for any other
 *         value.
 */
inline bool PolicyItem::isRestricted() const
{
  if (action == POLICY_DENY)
    return true;

  return false;
}
168 Policy(
const std::string &f_path) :
170 table_check_cache(), schema_check_cache(), process_check_cache()
182 void setPolicies(PolicyItemList new_table_policies, PolicyItemList new_schema_policies, PolicyItemList new_process_policies);
183 void clearPolicies();
184 std::string& getPolicyFile();
185 bool setPolicyFile(std::string& new_policy_file);
/**
 * Direct, mutable access to the error stream.
 *
 * The reference is non-const, so callers may append to the stream as well
 * as read it; what is written into it is not visible in this excerpt
 * (presumably policy-file diagnostics).  The reference stays valid for the
 * lifetime of the owning Policy.
 *
 * @return reference to the error member.
 */
std::stringstream &getError()
{
  return error;
}
190 const std::string &obj,
const PolicyItemList &policies,
192 std::string sysvar_policy_file;
193 fs::path policy_file;
194 std::stringstream error;
195 PolicyItemList table_policies;
196 PolicyItemList schema_policies;
197 PolicyItemList process_policies;
A set of Session members describing the current authenticated user.
virtual bool restrictSchema(const drizzled::identifier::User &user_ctx, const drizzled::identifier::Schema &schema)
virtual bool restrictProcess(const drizzled::identifier::User &user_ctx, const drizzled::identifier::User &session_ctx)
virtual bool restrictTable(const drizzled::identifier::User &user_ctx, const drizzled::identifier::Table &table)