/* -------------------------------------------------------------------------- */
/* Copyright 2002-2015, OpenNebula Project (OpenNebula.org), C12G Labs */
/* */
/* Licensed under the Apache License, Version 2.0 (the "License"); you may */
/* not use this file except in compliance with the License. You may obtain */
/* a copy of the License at */
/* */
/* http://www.apache.org/licenses/LICENSE-2.0 */
/* */
/* Unless required by applicable law or agreed to in writing, software */
/* distributed under the License is distributed on an "AS IS" BASIS, */
/* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. */
/* See the License for the specific language governing permissions and */
/* limitations under the License. */
/* -------------------------------------------------------------------------- */
# ifndef ACL_RULE_H_
# define ACL_RULE_H_
# include <set>
# include <string>
# include <libxml/tree.h>
# include "PoolObjectSQL.h"
# include "AuthRequest.h"
using namespace std ;
/**
* An ACL Rule is composed of three 64 bit numbers : user , resource and rights .
* These attributes store a combination of IDs and flags
*/
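class AclRule
{
public:

    // ------------------------------------------------------------------------
    // Selector flags kept in the upper 32 bits of the user, resource and zone
    // compounds. The values are defined out of line (not in this header).
    // ------------------------------------------------------------------------

    static const long long INDIVIDUAL_ID;

    static const long long GROUP_ID;

    static const long long ALL_ID;

    static const long long CLUSTER_ID;

    // ------------------------------------------------------------------------

    /**
     *  Creates an empty ACL rule. Every compound is 0 and the human readable
     *  representation is the empty string; build_str() is NOT called here.
     */
    AclRule():oid(0), user(0), resource(0), rights(0), zone(0), str("") {}

    /**
     *  Main ACL rule constructor. The human readable representation is built
     *  immediately from the given compounds.
     *
     *    @param _oid rule unique identifier
     *    @param _user user compound (selector flags | user or group ID)
     *    @param _resource resource compound (selector flags | resource ID)
     *    @param _rights rights flags
     *    @param _zone zone compound (selector flags | zone ID)
     */
    AclRule(int       _oid,
            long long _user,
            long long _resource,
            long long _rights,
            long long _zone):
        oid(_oid), user(_user), resource(_resource), rights(_rights), zone(_zone)
    {
        build_str();
    }

    /**
     *  Sets every field of the ACL rule and rebuilds its human readable
     *  representation. No validation is performed here; use malformed() to
     *  check the rule after setting it.
     *
     *    @param _oid rule unique identifier
     *    @param _user user compound (selector flags | user or group ID)
     *    @param _resource resource compound (selector flags | resource ID)
     *    @param _rights rights flags
     *    @param _zone zone compound (selector flags | zone ID)
     */
    void set(int       _oid,
             long long _user,
             long long _resource,
             long long _rights,
             long long _zone)
    {
        oid      = _oid;
        user     = _user;
        resource = _resource;
        rights   = _rights;
        zone     = _zone;

        build_str();
    }

    /**
     *  Compares two ACL rules by content: user, resource, rights and zone.
     *  The oid and the cached string representation are deliberately ignored,
     *  so two rules stored under different ids still compare equal.
     *
     *    @param other the rule to compare against
     *    @return true if both rules grant the same rights to the same
     *    user selector over the same resource selector in the same zone
     */
    bool operator==(const AclRule& other) const
    {
        return (user     == other.user     &&
                resource == other.resource &&
                rights   == other.rights   &&
                zone     == other.zone);
    }

    /**
     *  Returns the human readable representation cached by build_str().
     *
     *    @return a human readable string for this rule
     */
    const std::string& to_str() const
    {
        return str;
    }

    /**
     *  Returns whether or not the rule is malformed.
     *
     *    @param error_str Returns the error message, if any
     *    @return true if the rule is wrong
     */
    bool malformed(std::string& error_str) const;

    /**
     *  Function to print the object into a string in XML format
     *
     *    @param xml the resulting XML string
     *    @return a reference to the generated string
     */
    std::string& to_xml(std::string& xml) const;

    /**
     *  Rebuilds the rule from an xml formatted string
     *
     *    @param node xml node for the ACL rule
     *    @return 0 on success, -1 otherwise
     */
    int from_xml(xmlNodePtr node);

    /**
     *  Returns the 32 less significant bits of the user compound. The mask
     *  makes the truncation explicit instead of relying on the
     *  implementation-defined long long -> int narrowing conversion.
     *
     *    @return the user or group ID
     */
    int user_id() const
    {
        return static_cast<int>(user & 0xFFFFFFFFLL);
    }

    /**
     *  Returns the 64 bit user compound with the ID cleared (the 32 less
     *  significant bits are set to 0), i.e. only the selector flags.
     *
     *    @return the user flags
     */
    long long user_code() const
    {
        return user & 0xFFFFFFFF00000000LL;
    }

    /**
     *  Returns the 32 less significant bits of the resource compound. The
     *  mask makes the truncation explicit (see user_id()).
     *
     *    @return the resource ID
     */
    int resource_id() const
    {
        return static_cast<int>(resource & 0xFFFFFFFFLL);
    }

    /**
     *  Returns the 64 bit resource compound with the ID cleared (the 32 less
     *  significant bits are set to 0), i.e. only the selector flags.
     *
     *    @return the resource flags
     */
    long long resource_code() const
    {
        return resource & 0xFFFFFFFF00000000LL;
    }

    /**
     *  Returns the 32 less significant bits of the zone compound. The mask
     *  makes the truncation explicit (see user_id()).
     *
     *    @return the zone ID
     */
    int zone_id() const
    {
        return static_cast<int>(zone & 0xFFFFFFFFLL);
    }

    // ------------------------------------------------------------------------
    // Functions needed by the Scheduler ACL engine
    // ------------------------------------------------------------------------

    /**
     *  Returns the whole user compound (selector flags and ID).
     */
    long long get_user() const
    {
        return user;
    }

    /**
     *  Returns the rule unique identifier, widened to long long.
     */
    long long get_oid() const
    {
        return oid;
    }

private:

    // NONE_ID can never be used in a rule. It is useful to create masks that
    // will never match any existing rule
    static const long long NONE_ID;

    // AclManager reads and writes the fields below directly, bypassing set();
    // any invariant on the compounds must therefore be checked by malformed()
    // rather than assumed from the constructors.
    friend class AclManager;

    /**
     *  Rule unique identifier
     */
    int oid;

    /**
     *  64 bit integer holding a user compound:
     *
     *           32 bits                 32 bits
     *  +-----------------------+-----------------------+
     *  | Type (user, group, all) |   user/group ID     |
     *  +-----------------------+-----------------------+
     */
    long long user;

    /**
     *  64 bit integer holding a resource compound
     *
     *           32 bits                 32 bits
     *  +-----------------------+-----------------------+
     *  | Type (VM, Host...)    |      resource ID      |
     *  +-----------------------+-----------------------+
     */
    long long resource;

    /**
     *  64 bit integer containing the rights flags
     *
     *                      64 bits
     *  +-----------------------------------------------+
     *  | Actions (MANAGE, CREATE, USE...)              |
     *  +-----------------------------------------------+
     */
    long long rights;

    /**
     *  64 bit integer holding a zone compound:
     *
     *           32 bits                 32 bits
     *  +-----------------------+-----------------------+
     *  | Type (individual, all) |      zone ID         |
     *  +-----------------------+-----------------------+
     */
    long long zone;

    /**
     *  Human readable representation of the rule, cached by build_str()
     */
    std::string str;

    /**
     *  Builds the human representation of the ACL and stores it in str
     */
    void build_str();

    /**
     *  Array of PoolObjectSQL types to iterate over all types
     */
    static const int num_pool_objects;
    static const PoolObjectSQL::ObjectType pool_objects[];

    /**
     *  Array of Auth operation types to iterate over all types
     */
    static const int num_auth_operations;
    static const AuthRequest::Operation auth_operations[];

    /**
     *  Objects that cannot be used with the CLUSTER (%) selector
     */
    static const long long INVALID_CLUSTER_OBJECTS;

    /**
     *  Objects that cannot be used with the GROUP (@) selector
     */
    static const long long INVALID_GROUP_OBJECTS;

    /**
     *  Object mask used by the implementation; presumably the object types
     *  whose rules are federated across zones -- confirm in the .cc file.
     */
    static const long long FEDERATED_OBJECTS;
};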
# endif /*ACL_RULE_H*/