/* -------------------------------------------------------------------------- */
/* Copyright 2002-2019, OpenNebula Project, OpenNebula Systems */
/* */
/* Licensed under the Apache License, Version 2.0 (the "License"); you may */
/* not use this file except in compliance with the License. You may obtain */
/* a copy of the License at */
/* */
/* http://www.apache.org/licenses/LICENSE-2.0 */
/* */
/* Unless required by applicable law or agreed to in writing, software */
/* distributed under the License is distributed on an "AS IS" BASIS, */
/* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. */
/* See the License for the specific language governing permissions and */
/* limitations under the License. */
/* -------------------------------------------------------------------------- */
# ifndef USER_POOL_H_
# define USER_POOL_H_
# include "PoolSQL.h"
# include "User.h"
# include "GroupPool.h"
# include "CachePool.h"
# include "LoginToken.h"
# include <time.h>
# include <sstream>
# include <iostream>
# include <vector>
using namespace std ;
class AuthRequest ; //Forward definition of AuthRequest
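/**
 *  The User Pool. On top of the generic PoolSQL behaviour it attaches the
 *  cached SessionToken of a User to every object handed out by get()/get_ro(),
 *  and exposes the authentication/authorization entry points used by the core.
 */
class UserPool : public PoolSQL
{
public:

    UserPool(SqlDB *                          db,
             time_t                           __session_expiration_time,
             vector<const VectorAttribute *>  hook_mads,
             const string&                    remotes_location,
             bool                             is_federation_slave);

    ~UserPool(){}

    /**
     *  Function to allocate a new User object
     *    @param oid the id assigned to the User
     *    @param uname name of the user
     *    @param gid group id of the user
     *    @param password password (or authentication token) of the user
     *    @param auth name of the authentication driver for the user
     *    @param enabled whether the user is enabled
     *    @param gids set of group ids for the user
     *    @param error_str describes the error, if any
     *    @return the oid assigned to the object or -1 in case of failure
     */
    int allocate(
        int *           oid,
        const string&   uname,
        int             gid,
        const string&   password,
        const string&   auth,
        bool            enabled,
        const set<int>& gids,
        string&         error_str);

    /**
     *  Drops the object's data in the data base. The object mutex SHOULD be
     *  locked.
     *    @param objsql a pointer to the object
     *    @param error_msg Error reason, if any
     *    @return 0 on success, -1 DB error
     */
    int drop(PoolObjectSQL * objsql, string& error_msg);

    /**
     *  Function to get a User from the pool, if the object is not in memory
     *  it is loaded from the DB. The cached session token (if any) is attached
     *  to the returned object.
     *    @param oid User unique id
     *    @return a pointer to the User, 0 if the User could not be loaded
     */
    User * get(int oid)
    {
        User * u = static_cast<User *>(PoolSQL::get(oid));

        if (u != 0)
        {
            // Session state is kept in the token cache, not in the User row
            u->session = get_session_token(oid);
        }

        return u;
    }

    /**
     *  Function to get a read only User from the pool, if the object is not in
     *  memory it is loaded from the DB. The cached session token (if any) is
     *  attached to the returned object.
     *    @param oid User unique id
     *    @return a pointer to the User, 0 if the User could not be loaded
     */
    User * get_ro(int oid)
    {
        User * u = static_cast<User *>(PoolSQL::get_ro(oid));

        if (u != 0)
        {
            u->session = get_session_token(oid);
        }

        return u;
    }

    /**
     *  Function to get a User from the pool by name, if the object is not in
     *  memory it is loaded from the DB. The cached session token (if any) is
     *  attached to the returned object.
     *    @param name username
     *    @return a pointer to the User, 0 if the User could not be loaded
     */
    User * get(const string& name)
    {
        // The owner is set to -1, because it is not used in the key() method
        User * u = static_cast<User *>(PoolSQL::get(name, -1));

        if (u != 0)
        {
            u->session = get_session_token(u->oid);
        }

        return u;
    }

    /**
     *  Function to get a read only User from the pool by name, if the object is
     *  not in memory it is loaded from the DB. The cached session token (if
     *  any) is attached to the returned object.
     *    @param name username
     *    @return a pointer to the User, 0 if the User could not be loaded
     */
    User * get_ro(const string& name)
    {
        // The owner is set to -1, because it is not used in the key() method
        User * u = static_cast<User *>(PoolSQL::get_ro(name, -1));

        if (u != 0)
        {
            u->session = get_session_token(u->oid);
        }

        return u;
    }

    /**
     *  Function to get the token password of an user from the pool
     *    @param oid id of the user (creator of the object)
     *    @param bck_oid fallback user id (owner of the object), only used if
     *    the user oid does not exist
     *
     *    @return the user's token password
     */
    string get_token_password(int oid, int bck_oid);

    /**
     *  Update a particular User. This method does not update the user's quotas
     *    @param objsql pointer to the User
     *    @return 0 on success
     */
    int update(PoolObjectSQL * objsql);

    /**
     *  Update a particular User's Quotas
     *    @param user pointer to User
     *    @return 0 on success
     */
    int update_quotas(User * user);

    /**
     *  Bootstraps the database table(s) associated to the User pool
     *    @param _db the database connection
     *    @return 0 on success
     */
    static int bootstrap(SqlDB * _db)
    {
        return User::bootstrap(_db);
    }

    /**
     *  Returns whether there is a user with given username/password or not
     *    @param session, colon separated username and password string
     *    @param password output, password of the authenticated user (exact
     *    contents depend on the authentication path, see the implementation)
     *    @param uid of the user if authN succeeded -1 otherwise
     *    @param gid of the user if authN succeeded -1 otherwise
     *    @param uname of the user if authN succeeded "" otherwise
     *    @param gname of the group if authN succeeded "" otherwise
     *    @param group_ids the user groups if authN succeeded, is empty otherwise
     *    @param umask of the user, 0 otherwise
     *
     *    @return false if authn failed, true otherwise
     */
    bool authenticate(const string& session,
                      string&       password,
                      int&          uid,
                      int&          gid,
                      string&       uname,
                      string&       gname,
                      set<int>&     group_ids,
                      int&          umask);

    /**
     *  Returns whether the operations described in a authorization request are
     *  authorized or not.
     *    @param ar, an Authorization Request
     *    @return -1 if authz failed, 0 otherwise
     */
    static int authorize(AuthRequest& ar);

    /**
     *  Dumps the User pool in XML format. A filter can be also added to the
     *  query
     *    @param oss the string where the pool contents are dumped
     *    @param where filter for the objects, defaults to all
     *    @param limit parameters used for pagination
     *    @param desc descending order of pool elements
     *
     *    @return 0 on success
     */
    int dump(string& oss, const string& where, const string& limit,
             bool desc);

    /**
     *  Name for the OpenNebula core authentication process
     */
    static const char * CORE_AUTH;

    /**
     *  Name for the OpenNebula server (delegated) authentication process
     */
    static const char * SERVER_AUTH;

    /**
     *  Name for the OpenNebula public authentication process. It only
     *  allows delegated
     */
    static const char * PUBLIC_AUTH;

    /**
     *  Name for the default Sunstone server user
     */
    static const char * SERVER_NAME;

    /**
     *  Name of the oneadmin user
     */
    static string oneadmin_name;

    /**
     *  Identifier for the oneadmin user
     */
    static const int ONEADMIN_ID;

private:
    //--------------------------------------------------------------------------
    // Configuration Attributes for Users
    // -------------------------------------------------------------------------

    /**
     *  Authentication session expiration time
     */
    static time_t _session_expiration_time;

    /**
     *  In-memory cache of session tokens, indexed by user oid
     */
    CachePool<SessionToken> cache;

    /**
     *  Looks up the cached session token of a user
     *    @param oid the user id
     *    @return the SessionToken for the user, as returned by the cache
     */
    SessionToken * get_session_token(int oid)
    {
        return cache.get_resource(oid);
    }

    /**
     *  Removes the cached session token of a user
     *    @param oid the user id
     */
    void delete_session_token(int oid)
    {
        cache.delete_resource(oid);
    }

    /**
     *  Function to authenticate internal (known) users
     */
    bool authenticate_internal(User *        user,
                               const string& token,
                               string&       password,
                               int&          user_id,
                               int&          group_id,
                               string&       uname,
                               string&       gname,
                               set<int>&     group_ids,
                               int&          umask);

    /**
     *  Function to authenticate internal users using a server driver
     */
    bool authenticate_server(User *        user,
                             const string& token,
                             string&       password,
                             int&          user_id,
                             int&          group_id,
                             string&       uname,
                             string&       gname,
                             set<int>&     group_ids,
                             int&          umask);

    /**
     *  Function to authenticate external (not known) users
     */
    bool authenticate_external(const string& username,
                               const string& token,
                               string&       password,
                               int&          user_id,
                               int&          group_id,
                               string&       uname,
                               string&       gname,
                               set<int>&     group_ids,
                               int&          umask);

    /**
     *  Factory method to produce User objects. The returned placeholder has
     *  ids -1, empty name/password/auth, the core auth driver and is enabled;
     *  the caller is expected to fill it in (e.g. from a DB row).
     *    @return a pointer to the new User
     */
    PoolObjectSQL * create()
    {
        return new User(-1,-1,"","","",UserPool::CORE_AUTH,true);
    }
};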
# endif /*USER_POOL_H_*/