Verify PolicyType on service and offline client side
1 /*
2  * Copyright (c) 2014-2015 Samsung Electronics Co., Ltd All Rights Reserved
3  *
4  *    Licensed under the Apache License, Version 2.0 (the "License");
5  *    you may not use this file except in compliance with the License.
6  *    You may obtain a copy of the License at
7  *
8  *        http://www.apache.org/licenses/LICENSE-2.0
9  *
10  *    Unless required by applicable law or agreed to in writing, software
11  *    distributed under the License is distributed on an "AS IS" BASIS,
12  *    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  *    See the License for the specific language governing permissions and
14  *    limitations under the License.
15  */
16 /**
17  * @file        src/service/logic/Logic.cpp
18  * @author      Lukasz Wojciechowski <l.wojciechow@partner.samsung.com>
19  * @version     1.0
20  * @brief       This file implements main class of logic layer in cynara service
21  */
22
23 #include <csignal>
24 #include <cinttypes>
25 #include <functional>
26 #include <memory>
27 #include <vector>
28
29 #include <log/log.h>
30 #include <common.h>
31 #include <log/log.h>
32 #include <exceptions/BucketNotExistsException.h>
33 #include <exceptions/DatabaseException.h>
34 #include <exceptions/DefaultBucketDeletionException.h>
35 #include <exceptions/DefaultBucketSetNoneException.h>
36 #include <exceptions/InvalidBucketIdException.h>
37 #include <exceptions/PluginErrorException.h>
38 #include <exceptions/PluginNotFoundException.h>
39 #include <exceptions/UnexpectedErrorException.h>
40 #include <exceptions/UnknownPolicyTypeException.h>
41 #include <request/AdminCheckRequest.h>
42 #include <request/AgentActionRequest.h>
43 #include <request/AgentRegisterRequest.h>
44 #include <request/CancelRequest.h>
45 #include <request/CheckRequest.h>
46 #include <request/DescriptionListRequest.h>
47 #include <request/EraseRequest.h>
48 #include <request/InsertOrUpdateBucketRequest.h>
49 #include <request/ListRequest.h>
50 #include <request/RemoveBucketRequest.h>
51 #include <request/RequestContext.h>
52 #include <request/SetPoliciesRequest.h>
53 #include <request/SignalRequest.h>
54 #include <response/AdminCheckResponse.h>
55 #include <response/AgentRegisterResponse.h>
56 #include <response/CancelResponse.h>
57 #include <response/CheckResponse.h>
58 #include <response/CodeResponse.h>
59 #include <response/DescriptionListResponse.h>
60 #include <response/ListResponse.h>
61 #include <types/Policy.h>
62
63 #include <main/Cynara.h>
64 #include <agent/AgentManager.h>
65 #include <sockets/SocketManager.h>
66 #include <storage/Storage.h>
67
68 #include <cynara-plugin.h>
69
70 #include <cynara-agent.h>
71
72 #include "Logic.h"
73
74 namespace Cynara {
75
// Construction performs no work in this translation unit.
Logic::Logic() = default;
78
// Destruction performs no explicit cleanup in this translation unit.
Logic::~Logic() = default;
81
/**
 * Handles a signal that was delivered to the service as a request.
 *
 * Every signal number is logged at debug level. Only SIGTERM is acted upon:
 * it stops the socket manager's main loop. Other signals are ignored here.
 */
void Logic::execute(RequestContextPtr context UNUSED, SignalRequestPtr request) {
    LOGD("Processing signal: [%d]", request->signalNumber());

    if (request->signalNumber() == SIGTERM) {
        LOGI("SIGTERM received!");
        m_socketManager->mainLoopStop();
    }
}
92
/**
 * Handles an administrative policy check starting at the requested bucket.
 *
 * If storage reports that the bucket does not exist, the response carries a
 * default-constructed PolicyResult together with bucketValid == false, so the
 * receiver has to look at the validity flag before trusting the result.
 */
void Logic::execute(RequestContextPtr context, AdminCheckRequestPtr request) {
    PolicyResult checkResult;
    bool bucketExists = true;
    try {
        checkResult = m_storage->checkPolicy(request->key(), request->startBucket(),
                                             request->recursive());
    } catch (const BucketNotExistsException &) {
        // Not an error for the caller: reported through the validity flag.
        bucketExists = false;
    }

    auto response = std::make_shared<AdminCheckResponse>(checkResult, bucketExists,
                                                         request->sequenceNumber());
    context->returnResponse(context, response);
}
106
/**
 * Handles a message sent by an agent in answer to a pending check.
 *
 * The talker is looked up by the agent's link and the sequence number, then
 * the check context bound to that talker is fetched. Messages that match no
 * talker or no check context are dropped. For a check that was not cancelled,
 * an ACTION message is forwarded to update(); a CANCEL message is accepted
 * without further work; any other type is logged as an error. In all cases
 * that reach the end, the talker and the check request are removed.
 */
void Logic::execute(RequestContextPtr context, AgentActionRequestPtr request) {
    AgentTalkerPtr agentTalker = m_agentManager->getTalker(context->responseQueue(),
                                                           request->sequenceNumber());
    if (!agentTalker) {
        LOGD("Received response from agent with invalid request id: [%" PRIu16 "]",
             request->sequenceNumber());
        return;
    }

    CheckContextPtr pendingCheck = m_checkRequestManager.getContext(agentTalker);
    if (!pendingCheck) {
        LOGE("No matching check context for agent talker.");
        m_agentManager->removeTalker(agentTalker);
        return;
    }

    const bool stillWanted = !pendingCheck->cancelled();
    if (stillWanted) {
        PluginData agentData(request->data().begin(), request->data().end());
        const auto messageType = request->type();
        if (messageType == CYNARA_MSG_TYPE_ACTION) {
            // NOTE(review): update() can throw PluginErrorException; in that case the
            // removeTalker()/removeRequest() calls below are skipped. Whether the caller
            // cleans up on exception is not visible here - confirm.
            update(pendingCheck->m_key, pendingCheck->m_checkId, agentData,
                   pendingCheck->m_requestContext, pendingCheck->m_plugin);
        } else if (messageType != CYNARA_MSG_TYPE_CANCEL) {
            LOGE("Invalid response type [%d] in response from agent <%s>",
                 static_cast<int>(messageType), agentTalker->agentType().c_str());
            // TODO: disconnect agent
        }
        // CYNARA_MSG_TYPE_CANCEL: nothing to do for now.
    }

    m_agentManager->removeTalker(agentTalker);
    m_checkRequestManager.removeRequest(pendingCheck);
}
140
/**
 * Registers the connecting peer as an agent of the requested type and sends
 * back the registration result under the request's sequence number.
 */
void Logic::execute(RequestContextPtr context, AgentRegisterRequestPtr request) {
    auto registrationResult = m_agentManager->registerAgent(request->agentType(),
                                                            context->responseQueue());
    auto response = std::make_shared<AgentRegisterResponse>(registrationResult,
                                                            request->sequenceNumber());
    context->returnResponse(context, response);
}
146
/**
 * Handles a client's request to cancel one of its checks in progress.
 *
 * The check context is looked up by the client's link and the sequence
 * number. Nothing is sent when no such check is in progress or when it has
 * already been cancelled. Otherwise the context and its agent talker are
 * cancelled and a CancelResponse is returned to the client.
 */
void Logic::execute(RequestContextPtr context, CancelRequestPtr request) {
    CheckContextPtr pendingCheck = m_checkRequestManager.getContext(context->responseQueue(),
                                                                    request->sequenceNumber());
    if (!pendingCheck) {
        LOGD("Cancel request id: [%" PRIu16 "] with no matching request in progress.",
             request->sequenceNumber());
        return;
    }

    // A repeated cancel for the same check is silently ignored.
    if (pendingCheck->cancelled()) {
        return;
    }

    pendingCheck->cancel();
    pendingCheck->m_agentTalker->cancel();

    LOGD("Returning response for cancel request id: [%" PRIu16 "].", request->sequenceNumber());
    auto response = std::make_shared<CancelResponse>(request->sequenceNumber());
    context->returnResponse(context, response);
}
165
/**
 * Handles a client's privilege check.
 *
 * The result starts as DENY and is replaced by whatever check() decides.
 * A response is sent only when check() reports that an answer is ready;
 * otherwise nothing is returned from here.
 */
void Logic::execute(RequestContextPtr context, CheckRequestPtr request) {
    PolicyResult result(PredefinedPolicyType::DENY);
    const bool answerReady = check(context, request->key(), request->sequenceNumber(), result);
    if (!answerReady) {
        return;
    }

    auto response = std::make_shared<CheckResponse>(result, request->sequenceNumber());
    context->returnResponse(context, response);
}
173
/**
 * Evaluates a policy key against storage and, if needed, a plugin.
 *
 * @param context  request context of the asking client
 * @param key      policy key to evaluate
 * @param checkId  sequence number identifying this check on the client's link
 * @param result   receives the policy result
 * @return false when a check with the same id is already being processed on
 *         this link (result is left untouched); true when storage answered
 *         ALLOW or DENY; otherwise the value returned by pluginCheck().
 */
bool Logic::check(const RequestContextPtr &context, const PolicyKey &key,
                  ProtocolFrameSequenceNumber checkId, PolicyResult &result) {

    // Reject a duplicate id so one pending check cannot be shadowed by another.
    if (m_checkRequestManager.getContext(context->responseQueue(), checkId)) {
        LOGE("Check request for checkId: [%" PRIu16 "] is already processing", checkId);
        return false;
    }

    result = m_storage->checkPolicy(key);

    const auto storedType = result.policyType();
    if (storedType == PredefinedPolicyType::ALLOW) {
        LOGD("check of policy key <%s> returned ALLOW", key.toString().c_str());
        return true;
    }
    if (storedType == PredefinedPolicyType::DENY) {
        LOGD("check of policy key <%s> returned DENY", key.toString().c_str());
        return true;
    }

    // Any other policy type is resolved by a plugin.
    return pluginCheck(context, key, checkId, result);
}
195
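/**
 * Resolves a check whose stored policy type is neither ALLOW nor DENY by
 * delegating it to the plugin registered for that policy type.
 *
 * @param context  request context of the asking client
 * @param key      policy key being checked
 * @param checkId  sequence number identifying this check on the client's link
 * @param result   in: result read from storage; out: final or fallback result
 * @return true when result holds an answer that can be sent now; false when
 *         the answer is pending on an agent and no response must be sent yet.
 * @throws PluginNotFoundException when the plugin found for the policy type
 *         does not implement ServicePluginInterface
 * @throws PluginErrorException when the plugin returns an unexpected status
 */
bool Logic::pluginCheck(const RequestContextPtr &context, const PolicyKey &key,
                        ProtocolFrameSequenceNumber checkId, PolicyResult &result) {

    LOGD("Trying to check policy: <%s> in plugin.", key.toString().c_str());

    ExternalPluginPtr plugin = m_pluginManager->getPlugin(result.policyType());
    if (!plugin) {
        // Fail closed: a policy type nobody can interpret is answered with DENY.
        LOGE("Plugin not found for policy: [0x%x]", result.policyType());
        result = PolicyResult(PredefinedPolicyType::DENY);
        return true;
    }

    ServicePluginInterfacePtr servicePlugin =
            std::dynamic_pointer_cast<ServicePluginInterface>(plugin);
    // Test the cast result, not 'plugin' (already known to be non-null here):
    // a plugin of another interface would otherwise be dereferenced as null below.
    if (!servicePlugin) {
        throw PluginNotFoundException(result);
    }

    AgentType requiredAgent;
    PluginData pluginData;

    auto ret = servicePlugin->check(key.client().toString(), key.user().toString(),
                                    key.privilege().toString(), result, requiredAgent, pluginData);

    switch (ret) {
        case ServicePluginInterface::PluginStatus::ANSWER_READY:
            return true;
        case ServicePluginInterface::PluginStatus::ANSWER_NOTREADY: {
                // DENY is the fallback answer if the agent round-trip cannot be set up.
                result = PolicyResult(PredefinedPolicyType::DENY);
                AgentTalkerPtr agentTalker = m_agentManager->createTalker(requiredAgent);
                if (!agentTalker) {
                    LOGE("Required agent talker for: <%s> could not be created.",
                         requiredAgent.c_str());
                    return true;
                }

                if (!m_checkRequestManager.createContext(key, context, checkId, servicePlugin,
                                                         agentTalker)) {
                    LOGE("Check context for checkId: [%" PRIu16 "] could not be created.",
                         checkId);
                    // Do not leave a talker behind without a matching check context.
                    m_agentManager->removeTalker(agentTalker);
                    return true;
                }
                agentTalker->send(pluginData);
            }
            return false;
        default:
            throw PluginErrorException(key); // This 'throw' should be removed or handled properly.
    }
}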
246
/**
 * Feeds an agent's answer into the plugin and forwards the outcome to the client.
 *
 * @param key        policy key of the pending check
 * @param checkId    sequence number of the pending check
 * @param agentData  data received from the agent
 * @param context    request context of the client that asked for the check
 * @param plugin     service plugin that started the agent round-trip
 * @return true when a CheckResponse was sent; false when the client's
 *         response queue is not set and nothing was sent.
 * @throws PluginErrorException when the plugin returns a status other than
 *         SUCCESS or ERROR
 */
bool Logic::update(const PolicyKey &key, ProtocolFrameSequenceNumber checkId,
                   const PluginData &agentData, const RequestContextPtr &context,
                   const ServicePluginInterfacePtr &plugin) {

    LOGD("Check update: <%s>:[%" PRIu16 "]", key.toString().c_str(), checkId);

    PolicyResult result;
    const auto status = plugin->update(key.client().toString(), key.user().toString(),
                                       key.privilege().toString(), agentData, result);

    if (status == ServicePluginInterface::PluginStatus::ERROR) {
        // A plugin-side error is answered with DENY rather than with plugin output.
        result = PolicyResult(PredefinedPolicyType::DENY);
    } else if (status != ServicePluginInterface::PluginStatus::SUCCESS) {
        throw PluginErrorException(key);
    }

    // Both SUCCESS and ERROR yield an answer; it is sent only if the client's
    // response queue is still set.
    if (!context->responseQueue()) {
        return false;
    }

    context->returnResponse(context, std::make_shared<CheckResponse>(result, checkId));
    return true;
}
276
/**
 * Returns the list of policy descriptions: the predefined descriptions first,
 * followed by those reported by the plugin manager.
 */
void Logic::execute(RequestContextPtr context, DescriptionListRequestPtr request) {
    auto allDescriptions = m_pluginManager->getPolicyDescriptions();
    // Predefined types are placed in front of the plugin-provided ones.
    allDescriptions.insert(allDescriptions.begin(), std::begin(predefinedPolicyDescr),
                           std::end(predefinedPolicyDescr));

    auto response = std::make_shared<DescriptionListResponse>(allDescriptions,
                                                              request->sequenceNumber());
    context->returnResponse(context, response);
}
284
/**
 * Erases policies matching the request's filter, starting at the given bucket.
 *
 * Response code: OK on success, FAILED on a database error, NO_BUCKET when
 * the start bucket does not exist. onPoliciesChanged() runs only on success.
 */
void Logic::execute(RequestContextPtr context, EraseRequestPtr request) {
    CodeResponse::Code status = CodeResponse::Code::OK;

    try {
        m_storage->erasePolicies(request->startBucket(), request->recursive(), request->filter());
        onPoliciesChanged();
    } catch (const DatabaseException &) {
        status = CodeResponse::Code::FAILED;
    } catch (const BucketNotExistsException &) {
        status = CodeResponse::Code::NO_BUCKET;
    }

    auto response = std::make_shared<CodeResponse>(status, request->sequenceNumber());
    context->returnResponse(context, response);
}
300
/**
 * Creates a bucket or updates the default policy of an existing one.
 *
 * The requested policy type is validated before storage is touched; BUCKET
 * and NONE are both accepted here. Response code: OK on success, FAILED on a
 * database error, NOT_ALLOWED for DefaultBucketSetNoneException or
 * InvalidBucketIdException, NO_POLICY_TYPE for an unknown policy type.
 */
void Logic::execute(RequestContextPtr context, InsertOrUpdateBucketRequestPtr request) {
    CodeResponse::Code status = CodeResponse::Code::OK;

    try {
        // Validation comes first so an unknown type never reaches storage.
        checkSinglePolicyType(request->result().policyType(), true, true);
        m_storage->addOrUpdateBucket(request->bucketId(), request->result());
        onPoliciesChanged();
    } catch (const DatabaseException &) {
        status = CodeResponse::Code::FAILED;
    } catch (const DefaultBucketSetNoneException &) {
        status = CodeResponse::Code::NOT_ALLOWED;
    } catch (const InvalidBucketIdException &) {
        status = CodeResponse::Code::NOT_ALLOWED;
    } catch (const UnknownPolicyTypeException &) {
        status = CodeResponse::Code::NO_POLICY_TYPE;
    }

    auto response = std::make_shared<CodeResponse>(status, request->sequenceNumber());
    context->returnResponse(context, response);
}
321
/**
 * Lists the policies of one bucket that match the request's filter.
 *
 * When the bucket does not exist, an empty list is returned together with
 * bucketValid == false.
 */
void Logic::execute(RequestContextPtr context, ListRequestPtr request) {
    std::vector<Policy> matching;
    bool bucketExists = true;

    try {
        matching = m_storage->listPolicies(request->bucket(), request->filter());
    } catch (const BucketNotExistsException &) {
        bucketExists = false;
    }

    auto response = std::make_shared<ListResponse>(matching, bucketExists,
                                                   request->sequenceNumber());
    context->returnResponse(context, response);
}
335
/**
 * Deletes a bucket.
 *
 * Response code: OK on success, FAILED on a database error, NO_BUCKET when
 * the bucket does not exist, NOT_ALLOWED for DefaultBucketDeletionException.
 * onPoliciesChanged() runs only on success.
 */
void Logic::execute(RequestContextPtr context, RemoveBucketRequestPtr request) {
    CodeResponse::Code status = CodeResponse::Code::OK;

    try {
        m_storage->deleteBucket(request->bucketId());
        onPoliciesChanged();
    } catch (const DatabaseException &) {
        status = CodeResponse::Code::FAILED;
    } catch (const BucketNotExistsException &) {
        status = CodeResponse::Code::NO_BUCKET;
    } catch (const DefaultBucketDeletionException &) {
        status = CodeResponse::Code::NOT_ALLOWED;
    }

    auto response = std::make_shared<CodeResponse>(status, request->sequenceNumber());
    context->returnResponse(context, response);
}
351
/**
 * Inserts or updates one set of policies and removes another.
 *
 * The types of all policies to be inserted are validated before storage is
 * touched; BUCKET is accepted, NONE is not. Response code: OK on success,
 * FAILED on a database error, NO_BUCKET when a bucket does not exist,
 * NO_POLICY_TYPE for an unknown policy type.
 */
void Logic::execute(RequestContextPtr context, SetPoliciesRequestPtr request) {
    CodeResponse::Code status = CodeResponse::Code::OK;

    try {
        // Validation comes first so an unknown type never reaches storage.
        checkPoliciesTypes(request->policiesToBeInsertedOrUpdated(), true, false);
        // NOTE(review): if deletePolicies() throws after insertPolicies() succeeded, the
        // insertions are not undone here and onPoliciesChanged() is skipped. Whether
        // Storage rolls this back is not visible in this file - confirm.
        m_storage->insertPolicies(request->policiesToBeInsertedOrUpdated());
        m_storage->deletePolicies(request->policiesToBeRemoved());
        onPoliciesChanged();
    } catch (const DatabaseException &) {
        status = CodeResponse::Code::FAILED;
    } catch (const BucketNotExistsException &) {
        status = CodeResponse::Code::NO_BUCKET;
    } catch (const UnknownPolicyTypeException &) {
        status = CodeResponse::Code::NO_POLICY_TYPE;
    }

    auto response = std::make_shared<CodeResponse>(status, request->sequenceNumber());
    context->returnResponse(context, response);
}
369
/**
 * Validates the policy type of every policy in every bucket of the map by
 * calling checkSinglePolicyType() on it; the first failure propagates out.
 *
 * @param policies     policies grouped by bucket id
 * @param allowBucket  whether the BUCKET type is acceptable
 * @param allowNone    whether the NONE type is acceptable
 */
void Logic::checkPoliciesTypes(const std::map<PolicyBucketId, std::vector<Policy>> &policies,
                               bool allowBucket, bool allowNone) {
    for (const auto &bucketEntry : policies) {
        const auto &bucketPolicies = bucketEntry.second;
        for (const auto &candidate : bucketPolicies) {
            checkSinglePolicyType(candidate.result().policyType(), allowBucket, allowNone);
        }
    }
}
378
/**
 * Validates one policy type received from a client.
 *
 * A type passes when it is BUCKET or NONE and the matching flag permits it,
 * or when it appears in predefinedPolicyDescr. Anything else is handed to the
 * plugin manager's checkPolicyType().
 * NOTE(review): callers in this file catch UnknownPolicyTypeException, so the
 * plugin manager presumably throws it for an unknown type - confirm.
 *
 * @param policyType   type to validate
 * @param allowBucket  whether the BUCKET type is acceptable
 * @param allowNone    whether the NONE type is acceptable
 */
void Logic::checkSinglePolicyType(const PolicyType &policyType, bool allowBucket, bool allowNone) {
    const bool bucketAccepted = allowBucket && policyType == PredefinedPolicyType::BUCKET;
    const bool noneAccepted = allowNone && policyType == PredefinedPolicyType::NONE;
    if (bucketAccepted || noneAccepted) {
        return;
    }

    for (auto it = predefinedPolicyDescr.begin(); it != predefinedPolicyDescr.end(); ++it) {
        if (it->type == policyType) {
            return;
        }
    }

    // Not a predefined type: let the plugin manager decide.
    m_pluginManager->checkPolicyType(policyType);
}
390
/**
 * Cleans up after a closed connection.
 *
 * The link is treated both as a possible agent (its talkers are handed to
 * handleAgentTalkerDisconnection()) and as a possible client (its check
 * requests are handed to handleClientDisconnection()).
 */
void Logic::contextClosed(RequestContextPtr context) {
    LOGD("context closed");

    LinkId closedLink = context->responseQueue();

    auto onTalkerGone = [this](const AgentTalkerPtr &talker) {
        handleAgentTalkerDisconnection(talker);
    };
    m_agentManager->cleanupAgent(closedLink, onTalkerGone);

    auto onClientGone = [this](const CheckContextPtr &checkContextPtr) {
        handleClientDisconnection(checkContextPtr);
    };
    m_checkRequestManager.cancelRequests(closedLink, onClientGone);
}
403
/**
 * Runs after every successful policy modification: saves storage,
 * disconnects all clients and invalidates all plugins, in that order.
 */
void Logic::onPoliciesChanged() {
    m_storage->save();
    m_socketManager->disconnectAllClients();
    m_pluginManager->invalidateAll();
    // TODO: remove all saved contexts (if there will be any saved contexts)
}
410
/**
 * Resolves the check bound to a talker whose agent has gone away.
 *
 * If the check was not cancelled and the client's response queue is still
 * set, the client receives DENY. The check request is then removed.
 */
void Logic::handleAgentTalkerDisconnection(const AgentTalkerPtr &agentTalkerPtr) {
    CheckContextPtr pendingCheck = m_checkRequestManager.getContext(agentTalkerPtr);
    if (!pendingCheck) {
        LOGE("No matching check context for agent talker.");
        return;
    }

    const auto &clientContext = pendingCheck->m_requestContext;
    if (!pendingCheck->cancelled() && clientContext->responseQueue()) {
        // The agent can no longer answer, so the check fails closed.
        PolicyResult denied(PredefinedPolicyType::DENY);
        clientContext->returnResponse(clientContext,
                std::make_shared<CheckResponse>(denied, pendingCheck->m_checkId));
    }

    m_checkRequestManager.removeRequest(pendingCheck);
}
426
/**
 * Cancels a pending check whose client has disconnected, along with its
 * agent talker. A check that is already cancelled is left alone.
 */
void Logic::handleClientDisconnection(const CheckContextPtr &checkContextPtr) {
    LOGD("Handle client disconnection");

    if (checkContextPtr->cancelled()) {
        return;
    }

    checkContextPtr->cancel();
    checkContextPtr->m_agentTalker->cancel();
}
435
436 } // namespace Cynara