/* -------------------------------------------------------------------------- */
/* Copyright 2002-2019, OpenNebula Project, OpenNebula Systems */
/* */
/* Licensed under the Apache License, Version 2.0 (the "License"); you may */
/* not use this file except in compliance with the License. You may obtain */
/* a copy of the License at */
/* */
/* http://www.apache.org/licenses/LICENSE-2.0 */
/* */
/* Unless required by applicable law or agreed to in writing, software */
/* distributed under the License is distributed on an "AS IS" BASIS, */
/* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. */
/* See the License for the specific language governing permissions and */
/* limitations under the License. */
/* -------------------------------------------------------------------------- */
# ifndef AUTH_REQUEST_H_
# define AUTH_REQUEST_H_
# include <time.h>
# include <set>
# include "ActionManager.h"
# include "PoolObjectAuth.h"
# include "AuthManager.h"
# include "NebulaUtil.h"
# include "SyncRequest.h"
using namespace std ;
/**
 * The AuthRequest class is used to pass an Authorization or Authentication
 * request to the AuthManager. The result of the request will be stored
 * in the result and message attributes of this class.
 */
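class AuthRequest : public SyncRequest
{
public:
    /**
     *  Builds a request issued on behalf of a user.
     *    @param _uid  id of the user issuing the request
     *    @param _gids ids of the groups the user belongs to
     */
    AuthRequest(int _uid, std::set<int> _gids)
        : uid(_uid), gids(_gids), self_authorize(true) {}

    ~AuthRequest() {}

    /**
     *  Authorization Request Type. Each *_NO_LCK value is its base operation
     *  with the 0x10 bit set; both map to the same name in operation_to_str.
     */
    enum Operation
    {
        USE           = 0x1LL,  /**< Auth. to use an object                    */
        USE_NO_LCK    = 0x11LL, /**< Auth. to use an object, no lockable       */
        MANAGE        = 0x2LL,  /**< Auth. to perform management actions       */
        MANAGE_NO_LCK = 0x12LL, /**< Auth. to perform management actions of an
                                     object, no lockable                       */
        ADMIN         = 0x4LL,  /**< Auth. to perform administrative actions   */
        ADMIN_NO_LCK  = 0x14LL, /**< Auth. to perform administrative actions of
                                     an object, no lockable                    */
        CREATE        = 0x8LL,  /**< Auth. to create an object                 */
        CREATE_NO_LCK = 0x18LL, /**< Auth. to create an object, no lockable    */
        NONE          = 0x0LL
    };

    /**
     *  Converts an operation into its name. The *_NO_LCK variants share the
     *  name of their lockable counterpart.
     *    @param op the operation
     *    @return "USE", "MANAGE", "ADMIN", "CREATE", or "" for NONE (and for
     *    any value outside the enum)
     */
    static std::string operation_to_str(Operation op)
    {
        switch (op)
        {
            case USE:
            case USE_NO_LCK:    return "USE";
            case MANAGE:
            case MANAGE_NO_LCK: return "MANAGE";
            case ADMIN:
            case ADMIN_NO_LCK:  return "ADMIN";
            case CREATE:
            case CREATE_NO_LCK: return "CREATE";
            case NONE:          return "";
        }

        // Out-of-range values (the enum is used with bit arithmetic) fall
        // through to an empty name rather than being left unhandled.
        return "";
    }

    /**
     *  Converts an operation name into its lockable Operation value. The
     *  mapping is the inverse of operation_to_str only for the lockable
     *  operations; there is no name for the *_NO_LCK variants.
     *    @param str the operation name, case sensitive
     *    @return the Operation, or NONE if the name is unknown
     */
    static Operation str_to_operation(const std::string& str)
    {
        if (str == "USE")    return USE;
        if (str == "MANAGE") return MANAGE;
        if (str == "ADMIN")  return ADMIN;
        if (str == "CREATE") return CREATE;

        return NONE;
    }

    /**
     *  Sets the data needed to authenticate a user with a given driver. The
     *  values are stored as-is; no check is done here.
     *    @param _driver   name of the authentication driver to be used
     *    @param _username name of the user being authenticated
     *    @param _password credential stored for the user (for the core
     *    driver, a hex digest of the session token, see core_authenticate)
     *    @param _session  authentication token as sent in the XML-RPC call
     */
    void add_authenticate(const std::string& _driver,
                          const std::string& _username,
                          const std::string& _password,
                          const std::string& _session)
    {
        username = _username;
        password = _password;
        session  = _session;

        driver   = _driver;
    }

    /**
     *  Adds a CREATE authorization request.
     *
     *    OBJECT:<-1|OBJECT_TMPL_XML64>:CREATE:UID:AUTH
     *
     *    @param uid  of the object owner (note: shadows the request uid
     *    member; the parameter is the one used here)
     *    @param gid  of the object group
     *    @param type of the object to be created
     *    @param txml template of the new object
     */
    void add_create_auth(int uid, int gid, PoolObjectSQL::ObjectType type,
                         const std::string& txml)
    {
        PoolObjectAuth perms; //oid & gid set to -1

        perms.uid      = uid;
        perms.gid      = gid;
        perms.obj_type = type;

        add_auth(AuthRequest::CREATE, perms, txml);
    }

    /**
     *  Adds a new authorization item to this request
     *
     *    OBJECT:OBJECT_ID:ACTION:OWNER:AUTH
     *
     *    @param op the operation to be authorized
     *    @param ob_perms object's permission attributes
     */
    void add_auth(Operation op, const PoolObjectAuth& ob_perms)
    {
        // No template: the private overload is told so with an empty string.
        add_auth(op, ob_perms, "");
    }

    /**
     *  Gets the authorization requests in a single string
     *    @return a space separated list of auth requests, or an empty string if
     *    no auth requests were added
     */
    std::string get_auths()
    {
        std::ostringstream oss;

        for (std::size_t i = 0; i < auths.size(); i++)
        {
            if (i > 0)
            {
                oss << " ";
            }

            oss << auths[i];
        }

        return oss.str();
    }

    /**
     *  Authorizes the request in the core, without a driver.
     *    @return the value of self_authorize (true unless changed by a friend,
     *    i.e. AuthManager)
     */
    bool core_authorize()
    {
        return self_authorize;
    }

    /**
     *  Authenticates the request in the core, without a driver: the session
     *  token is hashed and the digest compared with the stored password.
     *
     *  Both SHA-1 and SHA-256 digests are accepted. SHA-1 is presumably kept
     *  for credentials stored before SHA-256 was introduced; confirm before
     *  removing it, as SHA-1 is no longer a recommended password digest.
     *
     *    @return true if the stored password matches the digest of the
     *    session token
     */
    bool core_authenticate()
    {
        const std::string sha1_session   = one_util::sha1_digest(session);
        const std::string sha256_session = one_util::sha256_digest(session);

        // Compute both results before combining them, so the work done does
        // not depend on which digest (if any) matched. The comparison itself
        // does not stop at the first differing character, to avoid leaking
        // how much of the stored digest a caller-supplied token matched.
        const bool sha1_ok   = digests_equal(password, sha1_session);
        const bool sha256_ok = digests_equal(password, sha256_session);

        return sha1_ok || sha256_ok;
    }

private:

    friend class AuthManager;

    /**
     *  The user id for this request
     */
    int uid;

    /**
     *  The user groups ID set
     */
    std::set<int> gids;

    /**
     *  Username to authenticate the user
     */
    std::string username;

    /**
     *  User password to authenticate the user
     */
    std::string password;

    /**
     *  Authentication token as sent in the XML-RPC call (user:session)
     */
    std::string session;

    /**
     *  Authentication driver to be used with this request
     */
    std::string driver;

    /**
     *  A list of authorization requests
     */
    std::vector<std::string> auths;

    /**
     *  Plain authorization for the request. Initialized to true; nothing in
     *  this class changes it, so any other value must come from AuthManager.
     */
    bool self_authorize;

    /**
     *  Compares two digests without early exit, so the time taken does not
     *  depend on the number of leading characters that match. Only a length
     *  mismatch returns early; digest lengths are fixed per algorithm and
     *  are not secret. Note: a sufficiently aggressive optimizer could still
     *  shorten the loop; there is no standard C++ guarantee here.
     *    @param a first digest
     *    @param b second digest
     *    @return true if a and b are identical
     */
    static bool digests_equal(const std::string& a, const std::string& b)
    {
        if (a.size() != b.size())
        {
            return false;
        }

        unsigned char diff = 0;

        for (std::size_t i = 0; i < a.size(); i++)
        {
            diff |= static_cast<unsigned char>(a[i] ^ b[i]);
        }

        return diff == 0;
    }

    /**
     *  Adds a new authorization item to this request, with a template for
     *  a new object
     *
     *    OBJECT:<OBJECT_ID|OBJECT_TMPL_XML64>:ACTION:OWNER:AUTH
     *
     *    @param op the operation to be authorized
     *    @param ob_perms object's permission attributes
     *    @param ob_template new object's template. If it is empty,
     *    it will be ignored
     */
    void add_auth(Operation op,
                  const PoolObjectAuth& ob_perms,
                  std::string ob_template);
};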
# endif