Add access-control logic to policy-admin

author Sangwan Kwon <sangwan.kwon@samsung.com>

Fri, 17 Jan 2020 05:37:07 +0000 (14:37 +0900)

committer 권상완/Security 2Lab(SR)/Engineer/삼성전자 <sangwan.kwon@samsung.com>

Fri, 17 Jan 2020 06:24:01 +0000 (15:24 +0900)
author Sangwan Kwon <sangwan.kwon@samsung.com>
Fri, 17 Jan 2020 05:37:07 +0000 (14:37 +0900)
committer 권상완/Security 2Lab(SR)/Engineer/삼성전자 <sangwan.kwon@samsung.com>
Fri, 17 Jan 2020 06:24:01 +0000 (15:24 +0900)
diff --git a/src/vist/CMakeLists.txt b/src/vist/CMakeLists.txt

index cc9addf39ae67ba87abd0d7246436defb01414e6..4208e76b4342824dc1bcba7225781b6ef38308bd 100644 (file)
--- a/src/vist/CMakeLists.txt
+++ b/src/vist/CMakeLists.txt
@@ -49,9 +49,11 @@ ADD_SUBDIRECTORY(database)
  ADD_SUBDIRECTORY(event)
  ADD_SUBDIRECTORY(klass)
  ADD_SUBDIRECTORY(logger)
-ADD_SUBDIRECTORY(rmi)
  ADD_SUBDIRECTORY(sdk)
  
+# rmi
+ADD_SUBDIRECTORY(rmi)
+
  # policy
  ADD_SUBDIRECTORY(policy)
  
@@ -111,6 +113,7 @@ ADD_EXECUTABLE(${TARGET_VIST_TEST} main/tests.cpp
  TARGET_LINK_LIBRARIES(${TARGET_VIST_TEST} ${TARGET_VIST_LIB}
                                                                                   ${TARGET_VIST_CLIENT_LIB}
                                                                                   ${TARGET_VIST_COMMON_LIB}
+                                                                                 ${TARGET_VIST_POLICY_LIB}
                                                                                   vist-rmi-static
                                                                                   gtest)
  TARGET_LINK_WHOLE(${TARGET_VIST_TEST} ${TARGET_OSQUERY_LIB})
diff --git a/src/vist/policy/CMakeLists.txt b/src/vist/policy/CMakeLists.txt

index 974dd1b6c605cad436412292ded7ddfa869df45b..56912fcbbf693d2001b5c7a71e6bd78030247f43 100644 (file)
--- a/src/vist/policy/CMakeLists.txt
+++ b/src/vist/policy/CMakeLists.txt
@@ -24,7 +24,7 @@ FILE(GLOB POLICY_CORE_TESTS "tests/*.cpp")
  ADD_VIST_TEST(${POLICY_CORE_TESTS})
  
  ADD_LIBRARY(${TARGET_VIST_POLICY_LIB} STATIC ${${TARGET_VIST_POLICY_LIB}_SRCS})
-TARGET_LINK_LIBRARIES(${TARGET_VIST_POLICY_LIB} ${VIST_POLICY_DEPS_LIBRARIES}
-                                                                                               ${TARGET_VIST_COMMON_LIB}
+TARGET_LINK_LIBRARIES(${TARGET_VIST_POLICY_LIB} ${TARGET_VIST_COMMON_LIB}
+                                                                                               vist-rmi
                                                                                                 pthread
                                                                                                 dl)
diff --git a/src/vist/policy/api.cpp b/src/vist/policy/api.cpp

index 947aafb613edd152234e900f5fdf34a761c81ea3..61ff6764c78316af08fc756c5aa15f179b6fb8a7 100644 (file)
--- a/src/vist/policy/api.cpp
+++ b/src/vist/policy/api.cpp
@@ -14,7 +14,10 @@
   *  limitations under the License
   */
  
+#include <vist/exception.hpp>
  #include <vist/policy/api.hpp>
+#include <vist/process.hpp>
+#include <vist/rmi/gateway.hpp>
  
  #include "policy-manager.hpp"
  
@@ -33,8 +36,14 @@ std::unordered_map<std::string, PolicyValue> API::GetAll()
  
  void API::Admin::Set(const std::string& policy, const PolicyValue& value)
  {
-       // TODO(Sangwan): Get admin name from peer PID
-       PolicyManager::Instance().set(policy, value, "admin");
+       std::string admin;
+       auto peer = rmi::Gateway::GetPeerCredentials();
+       if (peer == nullptr)
+               admin = Process::GetPath(Process::GetPid());
+       else
+               admin = Process::GetPath(peer->pid);
+
+       PolicyManager::Instance().set(policy, value, admin);
  }
  
  void API::Admin::Enroll(const std::string& admin)
diff --git a/src/vist/process.hpp b/src/vist/process.hpp

index b36458782150c688e2785ebb716e4b0fb440cb53..b17bd1e28000328ba3663220f86daf6edf375876 100644 (file)
--- a/src/vist/process.hpp
+++ b/src/vist/process.hpp
@@ -21,6 +21,7 @@
  #include <cstdio>
  #include <memory>
  #include <string>
+#include <vector>
  
  #include <errno.h>
  #include <sys/types.h>
diff --git a/src/vist/rmi/CMakeLists.txt b/src/vist/rmi/CMakeLists.txt

index 99976287df175ea29a73518d84cc5ae969385872..30a86fa770fe8bf0068b57e51f83529a92903765 100644 (file)
--- a/src/vist/rmi/CMakeLists.txt
+++ b/src/vist/rmi/CMakeLists.txt
@@ -36,6 +36,7 @@ INSTALL(TARGETS ${TARGET}
                                         WORLD_READ
                                         WORLD_EXECUTE)
  
+# for unit test
  ADD_LIBRARY(${TARGET}-static STATIC ${${TARGET}_SRCS})
  TARGET_LINK_LIBRARIES(${TARGET} ${TARGET_VIST_COMMON_LIB}
                                                                 pthread)
diff --git a/src/vist/rmi/gateway.cpp b/src/vist/rmi/gateway.cpp

index 5f4bed653866acb5157d4fe4b60ca10e5b1e7bc4..cae068eb98defe84da2972c28dd3ec0546e91958 100644 (file)
--- a/src/vist/rmi/gateway.cpp
+++ b/src/vist/rmi/gateway.cpp
@@ -85,7 +85,7 @@ void Gateway::stop(void)
  }
  
  /// Credentials exists per thread.
-std::shared_ptr<Credentials> GetPeerCredentials()
+std::shared_ptr<Credentials> Gateway::GetPeerCredentials() noexcept
  {
         return Server::GetPeerCredentials();
  }
diff --git a/src/vist/rmi/gateway.hpp b/src/vist/rmi/gateway.hpp

index afc7a1a3e0f53efddcaf78c106ee8fd9b973c3ac..2a0a6d24ab047d077876d3247057ccd67f198e33 100644 (file)
--- a/src/vist/rmi/gateway.hpp
+++ b/src/vist/rmi/gateway.hpp
@@ -51,7 +51,7 @@ public:
         template<typename O, typename F>
         void expose(O& object, const std::string& name, F&& func);
  
-       static std::shared_ptr<Credentials> GetPeerCredentials();
+       static std::shared_ptr<Credentials> GetPeerCredentials() noexcept;
  
  private:
         class Impl;
diff --git a/src/vist/rmi/impl/server.hpp b/src/vist/rmi/impl/server.hpp

index a64e09026aa5a933349a4c415787c07655a190b3..e622fa2d38acc1d8faec6823fa3b297c004e022e 100644 (file)
--- a/src/vist/rmi/impl/server.hpp
+++ b/src/vist/rmi/impl/server.hpp
@@ -49,7 +49,7 @@ public:
         void run(int timeout = -1, Stopper stopper = nullptr);
         void stop(void);
  
-       static std::shared_ptr<Credentials> GetPeerCredentials()
+       static std::shared_ptr<Credentials> GetPeerCredentials() noexcept
         {
                 return peer;
         }
diff --git a/src/vist/service/tests/core.cpp b/src/vist/service/tests/core.cpp

index 66aac2ae3fe6d8db50a0824cea7db1b3e68a999a..c7fc56486c82c64b82fc0a8b6c7640b32db4cf27 100644 (file)
--- a/src/vist/service/tests/core.cpp
+++ b/src/vist/service/tests/core.cpp
@@ -41,7 +41,7 @@ TEST_F(CoreTests, query_select)
  
  TEST_F(CoreTests, query_update)
  {
-       policy::API::Admin::Enroll("admin");
+       policy::API::Admin::Enroll("/usr/bin/vist-test");
  
         std::string statement = "SELECT * FROM policy WHERE name = 'sample-int-policy'";
         auto rows = Vistd::Query(statement);
@@ -56,5 +56,5 @@ TEST_F(CoreTests, query_update)
         rows = Vistd::Query(statement);
         EXPECT_EQ(rows[0]["value"], "I/10");
  
-       policy::API::Admin::Disenroll("admin");
+       policy::API::Admin::Disenroll("/usr/bin/vist-test");
  }
author	Sangwan Kwon <sangwan.kwon@samsung.com>
	Fri, 17 Jan 2020 05:37:07 +0000 (14:37 +0900)
committer	권상완/Security 2Lab(SR)/Engineer/삼성전자 <sangwan.kwon@samsung.com>
	Fri, 17 Jan 2020 06:24:01 +0000 (15:24 +0900)
src/vist/CMakeLists.txt		patch \| blob \| history
src/vist/policy/CMakeLists.txt		patch \| blob \| history
src/vist/policy/api.cpp		patch \| blob \| history
src/vist/process.hpp		patch \| blob \| history
src/vist/rmi/CMakeLists.txt		patch \| blob \| history
src/vist/rmi/gateway.cpp		patch \| blob \| history
src/vist/rmi/gateway.hpp		patch \| blob \| history
src/vist/rmi/impl/server.hpp		patch \| blob \| history
src/vist/service/tests/core.cpp		patch \| blob \| history