2010-05-28 02:27:29 +04:00
/* -------------------------------------------------------------------------- */
/* Copyright 2002-2010, OpenNebula Project Leads (OpenNebula.org) */
/* */
/* Licensed under the Apache License, Version 2.0 (the "License"); you may */
/* not use this file except in compliance with the License. You may obtain */
/* a copy of the License at */
/* */
/* http://www.apache.org/licenses/LICENSE-2.0 */
/* */
/* Unless required by applicable law or agreed to in writing, software */
/* distributed under the License is distributed on an "AS IS" BASIS, */
/* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. */
/* See the License for the specific language governing permissions and */
/* limitations under the License. */
/* -------------------------------------------------------------------------- */
# ifndef AUTH_MANAGER_H_
# define AUTH_MANAGER_H_
2010-07-06 14:35:47 +04:00
# include <time.h>
2010-05-28 02:27:29 +04:00
# include "MadManager.h"
# include "ActionManager.h"
# include "AuthManagerDriver.h"
using namespace std ;
2010-07-06 14:35:47 +04:00
//Forward definition of the AuthRequest
class AuthRequest ;
2010-05-28 02:27:29 +04:00
/* -------------------------------------------------------------------------- */
/* -------------------------------------------------------------------------- */
extern " C " void * authm_action_loop ( void * arg ) ;
class AuthManager : public MadManager , public ActionListener
{
public :
AuthManager (
2010-07-06 14:35:47 +04:00
time_t timer ,
time_t __time_out ,
2010-05-28 02:27:29 +04:00
vector < const Attribute * > & _mads ) :
2010-07-06 14:35:47 +04:00
MadManager ( _mads ) , timer_period ( timer )
2010-05-28 02:27:29 +04:00
{
2010-07-06 14:35:47 +04:00
_time_out = __time_out ;
2010-05-28 02:27:29 +04:00
am . addListener ( this ) ;
2010-07-06 14:35:47 +04:00
2010-05-29 05:42:30 +04:00
pthread_mutex_init ( & mutex , 0 ) ;
2010-05-28 02:27:29 +04:00
} ;
~ AuthManager ( ) { } ;
enum Actions
{
AUTHENTICATE ,
AUTHORIZE ,
FINALIZE
} ;
/**
* Triggers specific actions to the Auth Manager . This function
* wraps the ActionManager trigger function .
* @ param action the Auth Manager action
* @ param request an auth request
*/
void trigger (
Actions action ,
AuthRequest * request ) ;
/**
* This functions starts the associated listener thread , and creates a
2010-05-29 05:42:30 +04:00
* new thread for the AuthManager . This thread will wait in
2010-05-28 02:27:29 +04:00
* an action loop till it receives ACTION_FINALIZE .
* @ return 0 on success .
*/
int start ( ) ;
/**
* Loads Virtual Machine Manager Mads defined in configuration file
* @ param uid of the user executing the driver . When uid is 0 the nebula
* identity will be used . Otherwise the Mad will be loaded through the
* sudo application .
*/
void load_mads ( int uid ) ;
/**
* Gets the thread identification .
* @ return pthread_t for the manager thread ( that in the action loop ) .
*/
pthread_t get_thread_id ( ) const
{
return authm_thread ;
} ;
/**
* Notify the result of an auth request
*/
2010-05-29 05:42:30 +04:00
void notify_request ( int auth_id , bool result , const string & message ) ;
/**
* Discards a pending request . Call this before freeing not notified or
* timeout requests .
*/
void discard_request ( int auth_id )
{
lock ( ) ;
auth_requests . erase ( auth_id ) ;
unlock ( ) ;
}
2010-07-06 14:35:47 +04:00
/**
* Gets default timeout for Auth requests
*/
static time_t time_out ( )
{
return _time_out ;
}
2010-05-28 02:27:29 +04:00
private :
/**
* Thread id for the Transfer Manager
*/
pthread_t authm_thread ;
/**
* Action engine for the Manager
*/
2010-07-06 14:35:47 +04:00
ActionManager am ;
2010-05-28 02:27:29 +04:00
/**
2010-07-06 14:35:47 +04:00
* List of pending requests
2010-05-28 02:27:29 +04:00
*/
map < int , AuthRequest * > auth_requests ;
/**
* Mutex to access the auth_requests
*/
2010-07-06 14:35:47 +04:00
pthread_mutex_t mutex ;
/**
* Default timeout for Auth requests
*/
2010-07-08 17:45:00 +04:00
static time_t _time_out ;
2010-07-06 14:35:47 +04:00
/**
* Timer for the Manager ( periocally triggers timer action )
*/
2010-07-08 17:45:00 +04:00
time_t timer_period ;
2010-05-28 02:27:29 +04:00
2010-07-08 20:50:32 +04:00
/**
* Generic name for the Auth driver
*/
static const char * auth_driver_name ;
2010-05-28 02:27:29 +04:00
/**
* Returns a pointer to a Auth Manager driver .
* @ param name of an attribute of the driver ( e . g . its type )
* @ param value of the attribute
* @ return the Auth driver with attribute name equal to value
* or 0 in not found
*/
const AuthManagerDriver * get (
const string & name ,
const string & value )
{
return static_cast < const AuthManagerDriver * >
( MadManager : : get ( 0 , name , value ) ) ;
} ;
/**
* Returns a pointer to a Auth Manager driver . The driver is
* searched by its name .
* @ param name the name of the driver
* @ return the TM driver owned by uid with attribute name equal to value
* or 0 in not found
*/
2010-07-08 20:50:32 +04:00
const AuthManagerDriver * get ( )
2010-05-28 02:27:29 +04:00
{
2010-07-08 20:50:32 +04:00
string name ( " NAME " ) ;
2010-05-28 02:27:29 +04:00
return static_cast < const AuthManagerDriver * >
2010-07-08 20:50:32 +04:00
( MadManager : : get ( 0 , name , auth_driver_name ) ) ;
2010-05-28 02:27:29 +04:00
} ;
/**
* Function to execute the Manager action loop method within a new pthread
* ( requires C linkage )
*/
friend void * authm_action_loop ( void * arg ) ;
/**
* The action function executed when an action is triggered .
* @ param action the name of the action
* @ param arg arguments for the action function
*/
void do_action (
const string & action ,
void * arg ) ;
/**
* This function authenticates a user
*/
void authenticate_action ( AuthRequest * ar ) ;
/**
* This function authorizes a user request
*/
void authorize_action ( AuthRequest * ar ) ;
2010-07-06 14:35:47 +04:00
/**
* This function is periodically executed to check time_outs on requests
*/
void timer_action ( ) ;
2010-05-28 02:27:29 +04:00
/**
* Function to lock the pool
*/
void lock ( )
{
pthread_mutex_lock ( & mutex ) ;
} ;
/**
* Function to unlock the pool
*/
void unlock ( )
{
pthread_mutex_unlock ( & mutex ) ;
} ;
/**
* Add a new request to the Request map
* @ param ar pointer to the AuthRequest
* @ return the id for the request
*/
int add_request ( AuthRequest * ar ) ;
/**
* Gets request from the Request map
* @ param id for the request
* @ return pointer to the AuthRequest
*/
AuthRequest * get_request ( int id ) ;
} ;
2010-07-06 14:35:47 +04:00
/* -------------------------------------------------------------------------- */
/* -------------------------------------------------------------------------- */
/**
* The AuthRequest class is used to pass an Authorization or Authentication
* request to the AuthManager . The result of the request will be stored
* in the result and message attributes of this class .
*/
class AuthRequest : public ActionListener
{
public :
2010-07-08 20:50:32 +04:00
AuthRequest ( int _uid ) :
2010-07-06 14:35:47 +04:00
result ( false ) ,
timeout ( false ) ,
uid ( _uid ) ,
2010-07-08 19:50:49 +04:00
time_out ( 0 ) ,
self_authorize ( true )
2010-07-06 14:35:47 +04:00
{
am . addListener ( this ) ;
} ;
~ AuthRequest ( ) { } ;
/**
* Authorization Request Type
*/
enum Operation
{
2010-07-08 18:36:33 +04:00
CREATE , /** Authorization to create an object (host, vm, net, image)*/
DELETE , /** Authorization to delete an object */
USE , /** Authorization to use an object */
MANAGE /** Authorization to manage an object */
2010-07-06 14:35:47 +04:00
} ;
/**
* OpenNebula objects to perform an Operation
*/
enum Object
{
VM ,
HOST ,
NET ,
IMAGE
} ;
/**
* Sets the challenge to authenticate an user
* @ param challenge a driver specific authentication challenge
*/
2010-07-08 17:45:00 +04:00
void add_authenticate ( const string & _username ,
const string & _password ,
const string & _session )
2010-07-06 14:35:47 +04:00
{
2010-07-08 17:45:00 +04:00
username = _username ;
password = _password ;
session = _session ;
2010-07-06 14:35:47 +04:00
}
/**
2010-07-08 18:36:33 +04:00
* Adds a new authorization item to this request
*
* OBJECT : OBJECT_ID : ACTION : OWNER : PUBLIC
*
* @ param ob the object over which the operation will be performed
* @ param ob_id the object unique id
* @ param op the operation to be authorized
2010-07-08 19:50:49 +04:00
* @ param owner id of user that owns the object . For creates MUST equals
uid , hosts owner is uid = 0
2010-07-08 18:36:33 +04:00
* @ param pub public attribute
*/
void add_auth ( Object ob ,
const string & ob_id ,
Operation op ,
int owner ,
bool pub )
2010-07-06 14:35:47 +04:00
{
ostringstream oss ;
2010-07-08 19:50:49 +04:00
bool auth = owner = = uid ;
2010-07-06 14:35:47 +04:00
switch ( ob )
{
case VM : oss < < " VM: " ; break ;
case HOST : oss < < " HOST: " ; break ;
case NET : oss < < " NET: " ; break ;
case IMAGE : oss < < " IMAGE: " ; break ;
}
2010-07-08 18:36:33 +04:00
oss < < ob_id < < " : " ;
switch ( op )
{
2010-07-08 19:50:49 +04:00
case CREATE :
oss < < " CREATE: " ;
break ;
case DELETE :
oss < < " DELETE: " ;
break ;
case USE :
oss < < " USE: " ;
if ( ob = = NET | | ob = = IMAGE )
{
auth = auth | | ( pub = = true ) ;
}
break ;
case MANAGE :
oss < < " MANAGE: " ;
break ;
2010-07-08 18:36:33 +04:00
}
oss < < owner < < " : " < < pub ;
2010-07-06 14:35:47 +04:00
2010-07-08 19:50:49 +04:00
self_authorize = self_authorize & & auth ;
2010-07-06 14:35:47 +04:00
auths . push_back ( oss . str ( ) ) ;
} ;
2010-07-08 18:36:33 +04:00
/**
* Adds a new authorization item to this requests
*/
void add_auth ( Object ob ,
int ob_id ,
Operation op ,
int owner ,
bool pub )
{
ostringstream oss ;
oss < < ob_id ;
add_auth ( ob , oss . str ( ) , op , owner , pub ) ;
} ;
2010-07-06 14:35:47 +04:00
/**
* Gets the authorization requests in a single string
* @ return a space separated list of auth requests .
*/
string get_auths ( )
{
ostringstream oss ;
for ( unsigned int i = 0 ; i < auths . size ( ) ; i + + )
{
oss < < auths [ i ] < < " " ;
}
return oss . str ( ) ;
} ;
/**
* Notify client that we have an answer for the request
*/
void notify ( )
{
am . trigger ( ActionListener : : ACTION_FINALIZE , 0 ) ;
} ;
/**
* Wait for the AuthRequest to be completed
*/
void wait ( )
{
time_out = time ( 0 ) + AuthManager : : time_out ( ) ;
am . loop ( 0 , 0 ) ;
} ;
2010-07-08 19:50:49 +04:00
bool plain_authorize ( )
{
return ( uid = = 0 | | self_authorize ) ;
}
bool plain_authenticate ( )
{
return ( password = = session ) ;
}
2010-07-06 14:35:47 +04:00
/**
* The result of the request , true if authorized or authenticated
*/
bool result ;
/**
* Error message for negative results
*/
string message ;
/**
* Time out
*/
bool timeout ;
/**
* Identification of this request
*/
int id ;
private :
friend class AuthManager ;
/**
* The ActionManager that will be notify when the request is ready .
*/
ActionManager am ;
/**
* The user id for this request
*/
int uid ;
/**
* Timeout for this request
*/
time_t time_out ;
/**
2010-07-08 17:45:00 +04:00
* Username to authenticate the user
2010-07-06 14:35:47 +04:00
*/
2010-07-08 17:45:00 +04:00
string username ;
/**
* User password to authenticate the user
*/
string password ;
/**
2010-07-08 20:50:32 +04:00
* Authentication token as sent in the XML - RPC call ( user : session )
2010-07-08 17:45:00 +04:00
*/
string session ;
2010-07-06 14:35:47 +04:00
/**
* A list of authorization requests
*/
vector < string > auths ;
2010-07-08 19:50:49 +04:00
/**
* Plain authorization for the request
*/
bool self_authorize ;
2010-07-06 14:35:47 +04:00
/**
* No actions defined for the Auth request , just FINALIZE when done
*/
void do_action ( const string & name , void * args ) { } ;
} ;
2010-05-28 02:27:29 +04:00
# endif /*AUTH_MANAGER_H*/
