1
/* -*- mode: c++; c-basic-offset: 2; indent-tabs-mode: nil; -*-
2
* vim:expandtab:shiftwidth=2:tabstop=2:smarttab:
4
* Copyright (C) 2010 Monty Taylor
6
* This program is free software; you can redistribute it and/or modify
7
* it under the terms of the GNU General Public License as published by
8
* the Free Software Foundation; either version 2 of the License, or
9
* (at your option) any later version.
11
* This program is distributed in the hope that it will be useful,
12
* but WITHOUT ANY WARRANTY; without even the implied warranty of
13
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14
* GNU General Public License for more details.
16
* You should have received a copy of the GNU General Public License
17
* along with this program; if not, write to the Free Software
18
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
25
#include "drizzled/plugin/authorization.h"
26
#include "drizzled/security_context.h"
27
#include "drizzled/error.h"
28
#include "drizzled/session.h"
29
#include "drizzled/plugin/registry.h"
30
#include "drizzled/gettext.h"
37
vector<plugin::Authorization *> authorization_plugins;
40
bool plugin::Authorization::addPlugin(plugin::Authorization *auth)
43
authorization_plugins.push_back(auth);
47
void plugin::Authorization::removePlugin(plugin::Authorization *auth)
51
authorization_plugins.erase(find(authorization_plugins.begin(),
52
authorization_plugins.end(),
60
class RestrictDbFunctor :
61
public unary_function<plugin::Authorization *, bool>
63
const SecurityContext &user_ctx;
66
RestrictDbFunctor(const SecurityContext &user_ctx_arg,
67
const string &schema_arg) :
68
unary_function<plugin::Authorization *, bool>(),
69
user_ctx(user_ctx_arg),
73
inline result_type operator()(argument_type auth)
75
return auth->restrictSchema(user_ctx, schema);
79
class RestrictTableFunctor :
80
public unary_function<plugin::Authorization *, bool>
82
const SecurityContext &user_ctx;
86
RestrictTableFunctor(const SecurityContext &user_ctx_arg,
87
const string &schema_arg,
88
const string &table_arg) :
89
unary_function<plugin::Authorization *, bool>(),
90
user_ctx(user_ctx_arg),
95
inline result_type operator()(argument_type auth)
97
return auth->restrictTable(user_ctx, schema, table);
101
class RestrictProcessFunctor :
102
public unary_function<plugin::Authorization *, bool>
104
const SecurityContext &user_ctx;
105
const SecurityContext &session_ctx;
107
RestrictProcessFunctor(const SecurityContext &user_ctx_arg,
108
const SecurityContext &session_ctx_arg) :
109
unary_function<plugin::Authorization *, bool>(),
110
user_ctx(user_ctx_arg),
111
session_ctx(session_ctx_arg)
114
inline result_type operator()(argument_type auth)
116
return auth->restrictProcess(user_ctx, session_ctx);
122
bool plugin::Authorization::isAuthorized(const SecurityContext &user_ctx,
123
const string &schema,
126
/* If we never loaded any authorization plugins, just return true */
127
if (authorization_plugins.empty())
130
/* Use find_if instead of foreach so that we can collect return codes */
131
vector<plugin::Authorization *>::const_iterator iter=
132
find_if(authorization_plugins.begin(),
133
authorization_plugins.end(),
134
RestrictDbFunctor(user_ctx, schema));
137
* If iter is == end() here, that means that all of the plugins returned
138
* false, which means that that each of them believe the user is authorized
139
* to view the resource in question.
141
if (iter != authorization_plugins.end())
145
my_error(ER_DBACCESS_DENIED_ERROR, MYF(0),
146
user_ctx.getUser().c_str(),
147
user_ctx.getIp().c_str(),
155
bool plugin::Authorization::isAuthorized(const SecurityContext &user_ctx,
156
const string &schema,
160
/* If we never loaded any authorization plugins, just return true */
161
if (authorization_plugins.empty())
164
/* Use find_if instead of foreach so that we can collect return codes */
165
vector<plugin::Authorization *>::const_iterator iter=
166
find_if(authorization_plugins.begin(),
167
authorization_plugins.end(),
168
RestrictTableFunctor(user_ctx, schema, table));
171
* If iter is == end() here, that means that all of the plugins returned
172
* false, which means that that each of them believe the user is authorized
173
* to view the resource in question.
175
if (iter != authorization_plugins.end())
179
my_error(ER_DBACCESS_DENIED_ERROR, MYF(0),
180
user_ctx.getUser().c_str(),
181
user_ctx.getIp().c_str(),
189
bool plugin::Authorization::isAuthorized(const SecurityContext &user_ctx,
190
const Session *session,
193
const SecurityContext &session_ctx= session->getSecurityContext();
195
/* If we never loaded any authorization plugins, just return true */
196
if (authorization_plugins.empty())
199
/* Use find_if instead of foreach so that we can collect return codes */
200
vector<plugin::Authorization *>::const_iterator iter=
201
find_if(authorization_plugins.begin(),
202
authorization_plugins.end(),
203
RestrictProcessFunctor(user_ctx, session_ctx));
206
* If iter is == end() here, that means that all of the plugins returned
207
* false, which means that that each of them believe the user is authorized
208
* to view the resource in question.
211
if (iter != authorization_plugins.end())
215
my_error(ER_KILL_DENIED_ERROR, MYF(0), session->thread_id);
222
void plugin::Authorization::pruneSchemaNames(const SecurityContext &user_ctx,
223
set<string> &set_of_names)
226
set<string> pruned_set_of_names;
228
/* If we never loaded any authorization plugins, just return true */
229
if (authorization_plugins.empty())
233
* @TODO: It would be stellar if we could find a way to do this with a
234
* functor and an STL algoritm
236
for(set<string>::const_iterator iter= set_of_names.begin();
237
iter != set_of_names.end();
240
if (plugin::Authorization::isAuthorized(user_ctx, *iter, false))
242
pruned_set_of_names.insert(*iter);
245
set_of_names.swap(pruned_set_of_names);
248
} /* namespace drizzled */
added
removed
drizzled/plugin/authorization.cc
