1
0
mirror of https://github.com/OpenNebula/one.git synced 2024-12-24 21:34:01 +03:00
one/include/AuthRequest.h

237 lines
6.9 KiB
C
Raw Normal View History

/* -------------------------------------------------------------------------- */
2019-01-16 13:27:59 +03:00
/* Copyright 2002-2019, OpenNebula Project, OpenNebula Systems */
/* */
/* Licensed under the Apache License, Version 2.0 (the "License"); you may */
/* not use this file except in compliance with the License. You may obtain */
/* a copy of the License at */
/* */
/* http://www.apache.org/licenses/LICENSE-2.0 */
/* */
/* Unless required by applicable law or agreed to in writing, software */
/* distributed under the License is distributed on an "AS IS" BASIS, */
/* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. */
/* See the License for the specific language governing permissions and */
/* limitations under the License. */
/* -------------------------------------------------------------------------- */
#ifndef AUTH_REQUEST_H_
#define AUTH_REQUEST_H_
#include <time.h>
#include <set>
#include "ActionManager.h"
#include "PoolObjectAuth.h"
#include "AuthManager.h"
#include "NebulaUtil.h"
#include "SyncRequest.h"
using namespace std;
/**
* The AuthRequest class is used to pass an Authorization or Authentication
* request to the AuthManager. The result of the request will be stored
* in the result and message attributes of this class.
*/
class AuthRequest : public SyncRequest
{
public:
AuthRequest(int _uid, set<int> _gids): uid(_uid),gids(_gids),self_authorize(true){};
~AuthRequest(){};
/**
* Authorization Request Type
*/
enum Operation
{
USE = 0x1LL, /**< Auth. to use an object */
USE_NO_LCK = 0x11LL, /**< Auth. to use an object no lockable */
MANAGE = 0x2LL, /**< Auth. to perform management actions */
MANAGE_NO_LCK = 0x12LL, /**< Auth. to perform management actions of an object no lockable */
ADMIN = 0x4LL, /**< Auth. to perform administrative actions */
ADMIN_NO_LCK = 0x14LL, /**< Auth. to perform administrative actions of an object no lockable */
CREATE = 0x8LL, /**< Auth. to create an object */
CREATE_NO_LCK = 0x18LL, /**< Auth. to create an object of an object no lockable */
NONE = 0x0LL
};
static string operation_to_str(Operation op)
{
switch (op)
{
case USE: return "USE";
case USE_NO_LCK: return "USE";
case MANAGE: return "MANAGE";
case MANAGE_NO_LCK: return "MANAGE";
case ADMIN: return "ADMIN";
case ADMIN_NO_LCK: return "ADMIN";
case CREATE: return "CREATE";
case CREATE_NO_LCK: return "CREATE";
case NONE: return "";
}
return "";
};
static Operation str_to_operation(string str)
{
if (str == "USE") return USE;
else if (str == "MANAGE") return MANAGE;
else if (str == "ADMIN") return ADMIN;
else if (str == "CREATE") return CREATE;
else return NONE;
};
/**
* Sets the challenge to authenticate an user
* @param challenge a driver specific authentication challenge
*/
void add_authenticate(const string &_driver,
const string &_username,
const string &_password,
const string &_session)
{
username = _username;
password = _password;
session = _session;
driver = _driver;
}
/**
* Adds a CREATE authorization request.
*
* OBJECT:<-1|OBJECT_TMPL_XML64>:CREATE:UID:AUTH
*
* @param uid of the object owner
* @param gid of the object group
* @param type of the object to be created
* @param txml template of the new object
*/
void add_create_auth(int uid, int gid, PoolObjectSQL::ObjectType type, const string& txml)
{
PoolObjectAuth perms; //oid & gid set to -1
perms.uid = uid;
perms.gid = gid;
perms.obj_type = type;
add_auth(AuthRequest::CREATE, perms, txml);
}
/**
* Adds a new authorization item to this request
*
* OBJECT:OBJECT_ID:ACTION:OWNER:AUTH
*
* @param op the operation to be authorized
* @param ob_perms object's permission attributes
*/
void add_auth(Operation op,
const PoolObjectAuth& ob_perms)
{
add_auth(op, ob_perms, "");
}
/**
* Gets the authorization requests in a single string
* @return a space separated list of auth requests, or an empty string if
* no auth requests were added
*/
string get_auths()
{
ostringstream oss;
unsigned int i;
if ( auths.empty() )
{
return string();
}
for (i=0; i<auths.size()-1; i++)
{
oss << auths[i] << " ";
}
oss << auths[i];
return oss.str();
};
bool core_authorize()
{
return self_authorize;
}
bool core_authenticate()
{
string sha1_session = one_util::sha1_digest(session);
string sha256_session = one_util::sha256_digest(session);
return (password == sha1_session) || (password == sha256_session);
}
private:
friend class AuthManager;
/**
* The user id for this request
*/
int uid;
/**
* The user groups ID set
*/
set<int> gids;
/**
* Username to authenticate the user
*/
string username;
/**
* User password to authenticate the user
*/
string password;
/**
* Authentication token as sent in the XML-RPC call (user:session)
*/
string session;
/**
* Authentication driver to be used with this request
*/
string driver;
/**
* A list of authorization requests
*/
vector<string> auths;
/**
* Plain authorization for the request
*/
bool self_authorize;
/**
* Adds a new authorization item to this request, with a template for
* a new object
*
* OBJECT:<OBJECT_ID|OBJECT_TMPL_XML64>:ACTION:OWNER:AUTH
*
* @param op the operation to be authorized
* @param ob_perms object's permission attributes
* @param ob_template new object's template. If it is empty,
* it will be ignored
*/
void add_auth(Operation op,
const PoolObjectAuth& ob_perms,
string ob_template);
};
#endif