2010-05-28 02:27:29 +04:00
/* -------------------------------------------------------------------------- */
2012-01-12 15:29:18 +04:00
/* Copyright 2002-2012, OpenNebula Project Leads (OpenNebula.org) */
2010-05-28 02:27:29 +04:00
/* */
/* Licensed under the Apache License, Version 2.0 (the "License"); you may */
/* not use this file except in compliance with the License. You may obtain */
/* a copy of the License at */
/* */
/* http://www.apache.org/licenses/LICENSE-2.0 */
/* */
/* Unless required by applicable law or agreed to in writing, software */
/* distributed under the License is distributed on an "AS IS" BASIS, */
/* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. */
/* See the License for the specific language governing permissions and */
/* limitations under the License. */
/* -------------------------------------------------------------------------- */
# ifndef AUTH_MANAGER_H_
# define AUTH_MANAGER_H_
2010-07-06 14:35:47 +04:00
# include <time.h>
2010-05-28 02:27:29 +04:00
# include "MadManager.h"
# include "ActionManager.h"
2011-10-12 02:27:03 +04:00
# include "SSLTools.h"
2010-05-28 02:27:29 +04:00
# include "AuthManagerDriver.h"
2012-01-03 05:58:23 +04:00
# include "PoolObjectSQL.h"
# include "PoolObjectAuth.h"
2010-05-28 02:27:29 +04:00
using namespace std ;
2012-01-02 22:21:54 +04:00
//Forward definitions
2010-07-06 14:35:47 +04:00
class AuthRequest ;
2012-01-03 00:17:20 +04:00
class PoolObjectAuth ;
2010-05-28 02:27:29 +04:00
/* -------------------------------------------------------------------------- */
/* -------------------------------------------------------------------------- */
extern " C " void * authm_action_loop ( void * arg ) ;
class AuthManager : public MadManager , public ActionListener
{
public :
AuthManager (
2010-07-06 14:35:47 +04:00
time_t timer ,
time_t __time_out ,
2010-05-28 02:27:29 +04:00
vector < const Attribute * > & _mads ) :
2010-07-06 14:35:47 +04:00
MadManager ( _mads ) , timer_period ( timer )
2010-05-28 02:27:29 +04:00
{
2010-07-06 14:35:47 +04:00
_time_out = __time_out ;
2010-05-28 02:27:29 +04:00
am . addListener ( this ) ;
2010-07-06 14:35:47 +04:00
2010-05-29 05:42:30 +04:00
pthread_mutex_init ( & mutex , 0 ) ;
2010-05-28 02:27:29 +04:00
} ;
~ AuthManager ( ) { } ;
enum Actions
{
AUTHENTICATE ,
AUTHORIZE ,
FINALIZE
} ;
/**
* Triggers specific actions to the Auth Manager . This function
* wraps the ActionManager trigger function .
* @ param action the Auth Manager action
* @ param request an auth request
*/
void trigger (
Actions action ,
2011-10-21 03:17:46 +04:00
AuthRequest * request ) ;
2010-05-28 02:27:29 +04:00
/**
* This functions starts the associated listener thread , and creates a
2010-05-29 05:42:30 +04:00
* new thread for the AuthManager . This thread will wait in
2010-05-28 02:27:29 +04:00
* an action loop till it receives ACTION_FINALIZE .
* @ return 0 on success .
*/
int start ( ) ;
/**
* Loads Virtual Machine Manager Mads defined in configuration file
* @ param uid of the user executing the driver . When uid is 0 the nebula
* identity will be used . Otherwise the Mad will be loaded through the
* sudo application .
*/
void load_mads ( int uid ) ;
/**
* Gets the thread identification .
* @ return pthread_t for the manager thread ( that in the action loop ) .
*/
pthread_t get_thread_id ( ) const
{
return authm_thread ;
} ;
/**
* Notify the result of an auth request
*/
2010-05-29 05:42:30 +04:00
void notify_request ( int auth_id , bool result , const string & message ) ;
/**
* Discards a pending request . Call this before freeing not notified or
* timeout requests .
*/
void discard_request ( int auth_id )
{
lock ( ) ;
auth_requests . erase ( auth_id ) ;
unlock ( ) ;
}
2010-07-06 14:35:47 +04:00
/**
* Gets default timeout for Auth requests
*/
static time_t time_out ( )
{
return _time_out ;
}
2010-05-28 02:27:29 +04:00
private :
/**
* Thread id for the Transfer Manager
*/
pthread_t authm_thread ;
/**
* Action engine for the Manager
*/
2010-07-06 14:35:47 +04:00
ActionManager am ;
2010-05-28 02:27:29 +04:00
/**
2010-07-06 14:35:47 +04:00
* List of pending requests
2010-05-28 02:27:29 +04:00
*/
map < int , AuthRequest * > auth_requests ;
/**
* Mutex to access the auth_requests
*/
2010-07-06 14:35:47 +04:00
pthread_mutex_t mutex ;
/**
* Default timeout for Auth requests
*/
2010-07-08 17:45:00 +04:00
static time_t _time_out ;
2010-07-06 14:35:47 +04:00
/**
* Timer for the Manager ( periocally triggers timer action )
*/
2010-07-08 17:45:00 +04:00
time_t timer_period ;
2010-05-28 02:27:29 +04:00
2010-07-08 20:50:32 +04:00
/**
* Generic name for the Auth driver
*/
static const char * auth_driver_name ;
2010-05-28 02:27:29 +04:00
/**
* Returns a pointer to a Auth Manager driver .
* @ param name of an attribute of the driver ( e . g . its type )
* @ param value of the attribute
* @ return the Auth driver with attribute name equal to value
* or 0 in not found
*/
const AuthManagerDriver * get (
const string & name ,
const string & value )
{
return static_cast < const AuthManagerDriver * >
( MadManager : : get ( 0 , name , value ) ) ;
} ;
/**
* Returns a pointer to a Auth Manager driver . The driver is
* searched by its name .
* @ param name the name of the driver
* @ return the TM driver owned by uid with attribute name equal to value
* or 0 in not found
*/
2010-07-08 20:50:32 +04:00
const AuthManagerDriver * get ( )
2010-05-28 02:27:29 +04:00
{
2010-07-08 20:50:32 +04:00
string name ( " NAME " ) ;
2010-05-28 02:27:29 +04:00
return static_cast < const AuthManagerDriver * >
2010-07-08 20:50:32 +04:00
( MadManager : : get ( 0 , name , auth_driver_name ) ) ;
2010-05-28 02:27:29 +04:00
} ;
/**
* Function to execute the Manager action loop method within a new pthread
* ( requires C linkage )
*/
friend void * authm_action_loop ( void * arg ) ;
/**
* The action function executed when an action is triggered .
* @ param action the name of the action
* @ param arg arguments for the action function
*/
void do_action (
const string & action ,
void * arg ) ;
/**
* This function authenticates a user
*/
void authenticate_action ( AuthRequest * ar ) ;
/**
* This function authorizes a user request
*/
void authorize_action ( AuthRequest * ar ) ;
2010-07-06 14:35:47 +04:00
/**
* This function is periodically executed to check time_outs on requests
*/
void timer_action ( ) ;
2010-05-28 02:27:29 +04:00
/**
* Function to lock the pool
*/
void lock ( )
{
pthread_mutex_lock ( & mutex ) ;
} ;
/**
* Function to unlock the pool
*/
void unlock ( )
{
pthread_mutex_unlock ( & mutex ) ;
} ;
/**
* Add a new request to the Request map
* @ param ar pointer to the AuthRequest
* @ return the id for the request
*/
int add_request ( AuthRequest * ar ) ;
/**
* Gets request from the Request map
* @ param id for the request
* @ return pointer to the AuthRequest
*/
AuthRequest * get_request ( int id ) ;
} ;
2010-07-06 14:35:47 +04:00
/* -------------------------------------------------------------------------- */
/* -------------------------------------------------------------------------- */
/**
* The AuthRequest class is used to pass an Authorization or Authentication
* request to the AuthManager . The result of the request will be stored
* in the result and message attributes of this class .
*/
class AuthRequest : public ActionListener
{
public :
2011-07-07 21:01:04 +04:00
AuthRequest ( int _uid , int _gid ) :
2010-07-06 14:35:47 +04:00
result ( false ) ,
timeout ( false ) ,
uid ( _uid ) ,
2011-07-07 21:01:04 +04:00
gid ( _gid ) ,
2010-07-08 19:50:49 +04:00
time_out ( 0 ) ,
self_authorize ( true )
2010-07-06 14:35:47 +04:00
{
am . addListener ( this ) ;
} ;
~ AuthRequest ( ) { } ;
/**
* Authorization Request Type
*/
enum Operation
{
2012-01-03 05:58:23 +04:00
USE = 0x1LL , /**< Auth. to use an object */
MANAGE = 0x2LL , /**< Auth. to perform management actions */
ADMIN = 0x4LL , /**< Auth. to perform administrative actions */
CREATE = 0x8LL /**< Auth. to create an object */
2011-06-22 21:22:52 +04:00
} ;
2012-01-03 05:58:23 +04:00
static string operation_to_str ( Operation op )
2011-06-22 21:22:52 +04:00
{
switch ( op )
{
2012-01-03 05:58:23 +04:00
case USE : return " USE " ;
case MANAGE : return " MANAGE " ;
case ADMIN : return " ADMIN " ;
case CREATE : return " CREATE " ;
default : return " " ;
2011-06-22 21:22:52 +04:00
}
2010-07-06 14:35:47 +04:00
} ;
/**
* Sets the challenge to authenticate an user
* @ param challenge a driver specific authentication challenge
*/
2011-10-12 03:00:50 +04:00
void add_authenticate ( const string & _driver ,
const string & _username ,
2010-07-08 17:45:00 +04:00
const string & _password ,
const string & _session )
2010-07-06 14:35:47 +04:00
{
2010-07-08 17:45:00 +04:00
username = _username ;
password = _password ;
session = _session ;
2011-10-12 03:00:50 +04:00
driver = _driver ;
2010-07-06 14:35:47 +04:00
}
2012-01-03 05:58:23 +04:00
/**
* Adds a CREATE authorization request .
*
2012-01-10 16:46:12 +04:00
* OBJECT : < - 1 | OBJECT_TMPL_XML64 > : CREATE : UID : AUTH
2012-01-03 05:58:23 +04:00
*
* @ param type of the object to be created
* @ param template ( base64 encoded ) of the new object
*/
void add_create_auth ( PoolObjectSQL : : ObjectType type , const string & txml_64 )
{
PoolObjectAuth perms ; //oid & gid set to -1
perms . uid = uid ;
perms . obj_type = type ;
add_auth ( AuthRequest : : CREATE , perms , txml_64 ) ;
}
2010-07-06 14:35:47 +04:00
/**
2010-07-08 18:36:33 +04:00
* Adds a new authorization item to this request
*
2012-01-10 16:46:12 +04:00
* OBJECT : OBJECT_ID : ACTION : OWNER : AUTH
2010-07-08 18:36:33 +04:00
*
2011-12-30 01:05:11 +04:00
* @ param op the operation to be authorized
* @ param ob_perms object ' s permission attributes
2010-07-08 18:36:33 +04:00
*/
2012-01-03 05:58:23 +04:00
void add_auth ( Operation op ,
const PoolObjectAuth & ob_perms )
2011-12-30 01:05:11 +04:00
{
2012-01-03 01:14:43 +04:00
add_auth ( op , ob_perms , " " ) ;
2011-12-30 01:05:11 +04:00
}
2010-07-06 14:35:47 +04:00
/**
* Gets the authorization requests in a single string
2011-07-27 13:27:16 +04:00
* @ return a space separated list of auth requests , or an empty string if
* no auth requests were added
2010-07-06 14:35:47 +04:00
*/
string get_auths ( )
{
ostringstream oss ;
2011-07-27 13:27:16 +04:00
unsigned int i ;
2010-07-06 14:35:47 +04:00
2011-07-27 13:27:16 +04:00
if ( auths . empty ( ) )
{
return string ( ) ;
}
for ( i = 0 ; i < auths . size ( ) - 1 ; i + + )
2010-07-06 14:35:47 +04:00
{
oss < < auths [ i ] < < " " ;
}
2011-07-27 13:27:16 +04:00
oss < < auths [ i ] ;
2010-07-06 14:35:47 +04:00
return oss . str ( ) ;
} ;
/**
* Notify client that we have an answer for the request
*/
void notify ( )
{
am . trigger ( ActionListener : : ACTION_FINALIZE , 0 ) ;
} ;
/**
* Wait for the AuthRequest to be completed
*/
void wait ( )
{
time_out = time ( 0 ) + AuthManager : : time_out ( ) ;
am . loop ( 0 , 0 ) ;
} ;
2011-10-11 21:15:13 +04:00
bool core_authorize ( )
2010-07-08 19:50:49 +04:00
{
return ( uid = = 0 | | self_authorize ) ;
}
2011-10-11 21:15:13 +04:00
bool core_authenticate ( )
2010-07-08 19:50:49 +04:00
{
2011-10-12 02:27:03 +04:00
string sha1_session = SSLTools : : sha1_digest ( session ) ;
return ( password = = sha1_session ) ;
2010-07-08 19:50:49 +04:00
}
2010-07-06 14:35:47 +04:00
/**
* The result of the request , true if authorized or authenticated
*/
bool result ;
/**
* Error message for negative results
*/
string message ;
/**
* Time out
*/
bool timeout ;
/**
* Identification of this request
*/
int id ;
private :
friend class AuthManager ;
/**
* The ActionManager that will be notify when the request is ready .
*/
ActionManager am ;
/**
* The user id for this request
*/
int uid ;
2011-06-29 14:50:16 +04:00
/**
2011-07-07 21:01:04 +04:00
* The user group ID
2011-06-29 14:50:16 +04:00
*/
2011-07-07 21:01:04 +04:00
int gid ;
2011-06-29 14:50:16 +04:00
2010-07-06 14:35:47 +04:00
/**
* Timeout for this request
*/
time_t time_out ;
/**
2010-07-08 17:45:00 +04:00
* Username to authenticate the user
2010-07-06 14:35:47 +04:00
*/
2010-07-08 17:45:00 +04:00
string username ;
/**
* User password to authenticate the user
*/
string password ;
/**
2010-07-08 20:50:32 +04:00
* Authentication token as sent in the XML - RPC call ( user : session )
2010-07-08 17:45:00 +04:00
*/
string session ;
2010-07-06 14:35:47 +04:00
2011-10-12 03:00:50 +04:00
/**
* Authentication driver to be used with this request
*/
string driver ;
2010-07-06 14:35:47 +04:00
/**
* A list of authorization requests
*/
vector < string > auths ;
2010-07-08 19:50:49 +04:00
/**
* Plain authorization for the request
*/
bool self_authorize ;
2010-07-06 14:35:47 +04:00
/**
* No actions defined for the Auth request , just FINALIZE when done
*/
void do_action ( const string & name , void * args ) { } ;
2010-07-09 11:14:35 +04:00
2012-01-03 05:58:23 +04:00
/**
* Adds a new authorization item to this request , with a template for
* a new object
*
2012-01-10 16:46:12 +04:00
* OBJECT : < OBJECT_ID | OBJECT_TMPL_XML64 > : ACTION : OWNER : AUTH
2012-01-03 05:58:23 +04:00
*
* @ param op the operation to be authorized
* @ param ob_perms object ' s permission attributes
* @ param ob_template new object ' s template . If it is empty ,
* it will be ignored
*/
void add_auth ( Operation op ,
const PoolObjectAuth & ob_perms ,
string ob_template ) ;
2010-07-06 14:35:47 +04:00
} ;
2010-05-28 02:27:29 +04:00
# endif /*AUTH_MANAGER_H*/