cynara_admin_finish(m_cynaraAdmin);
}
-void CynaraAdmin::SetPolicies(const std::vector<CynaraAdminPolicy> &policies)
+void CynaraAdmin::setPolicies(const std::vector<CynaraAdminPolicy> &policies)
{
if (policies.empty()) {
LogDebug("no policies to set in Cynara.");
"Error while updating Cynara policy.");
}
-void CynaraAdmin::UpdateAppPolicy(
+void CynaraAdmin::updateAppPolicy(
const std::string &label,
bool global,
uid_t uid,
cynaraUser = std::to_string(static_cast<unsigned int>(uid));
// 1st, performing operation on MANIFESTS bucket
- CalculatePolicies(label, cynaraUser, privileges, Buckets.at(Bucket::MANIFESTS),
+ calculatePolicies(label, cynaraUser, privileges, Buckets.at(Bucket::MANIFESTS),
static_cast<int>(CynaraAdminPolicy::Operation::Allow),
policies);
std::vector<uid_t> users;
if (cynaraUser == CYNARA_ADMIN_WILDCARD) {
// perform bucket setting for all users in the system, app is installed for everyone
- ListUsers(users);
+ listUsers(users);
} else {
// local single user installation, do it only for that particular user
users.push_back(uid);
if (priv.hasAttribute(PrivilegeInfo::PrivilegeAttr::BLACKLIST))
blacklistPrivileges.push_back(p);
}
- CalculatePolicies(label, std::to_string(id), privacyPrivileges,
+ calculatePolicies(label, std::to_string(id), privacyPrivileges,
Buckets.at(Bucket::PRIVACY_MANAGER),
askUserPolicy, policies);
- CalculatePolicies(label, std::to_string(id), blacklistPrivileges,
+ calculatePolicies(label, std::to_string(id), blacklistPrivileges,
Buckets.at(Bucket::ADMIN),
static_cast<int>(CynaraAdminPolicy::Operation::Deny), policies);
}
- SetPolicies(policies);
+ setPolicies(policies);
}
-void CynaraAdmin::GetAppPolicy(const std::string &label, const std::string &user,
+void CynaraAdmin::getAppPolicy(const std::string &label, const std::string &user,
std::vector<std::string> &privileges)
{
std::vector<CynaraAdminPolicy> policies;
- ListPolicies(
+ listPolicies(
CynaraAdmin::Buckets.at(Bucket::MANIFESTS),
label, user, CYNARA_ADMIN_ANY, policies);
}
}
-void CynaraAdmin::UserInit(uid_t uid, security_manager_user_type userType)
+void CynaraAdmin::userInit(uid_t uid, security_manager_user_type userType)
{
Bucket bucket;
std::vector<CynaraAdminPolicy> policies;
Buckets.at(Bucket::MAIN)));
std::vector<CynaraAdminPolicy> appPolicies;
- ListPolicies(CynaraAdmin::Buckets.at(Bucket::MANIFESTS),
+ listPolicies(CynaraAdmin::Buckets.at(Bucket::MANIFESTS),
CYNARA_ADMIN_ANY, CYNARA_ADMIN_WILDCARD,
CYNARA_ADMIN_ANY, appPolicies);
}
- SetPolicies(policies);
+ setPolicies(policies);
}
-void CynaraAdmin::ListUsers(std::vector<uid_t> &listOfUsers)
+void CynaraAdmin::listUsers(std::vector<uid_t> &listOfUsers)
{
std::vector<CynaraAdminPolicy> tmpListOfUsers;
- ListPolicies(
+ listPolicies(
CynaraAdmin::Buckets.at(Bucket::MAIN),
CYNARA_ADMIN_WILDCARD,
CYNARA_ADMIN_ANY,
LogDebug("Found users: " << listOfUsers.size());
};
-void CynaraAdmin::UserRemove(uid_t uid)
+void CynaraAdmin::userRemove(uid_t uid)
{
std::vector<CynaraAdminPolicy> policies;
std::string user = std::to_string(static_cast<unsigned int>(uid));
- EmptyBucket(Buckets.at(Bucket::PRIVACY_MANAGER),true,
+ emptyBucket(Buckets.at(Bucket::PRIVACY_MANAGER),true,
CYNARA_ADMIN_ANY, user, CYNARA_ADMIN_ANY);
}
-security_manager_user_type CynaraAdmin::GetUserType(uid_t uid)
+security_manager_user_type CynaraAdmin::getUserType(uid_t uid)
{
std::string uidStr = std::to_string(uid);
std::vector<CynaraAdminPolicy> tmpListOfUsers;
- ListPolicies(
+ listPolicies(
CynaraAdmin::Buckets.at(Bucket::MAIN),
CYNARA_ADMIN_WILDCARD,
uidStr,
return SM_USER_TYPE_NONE;
};
-void CynaraAdmin::ListPolicies(
+void CynaraAdmin::listPolicies(
const std::string &bucket,
const std::string &label,
const std::string &user,
}
-void CynaraAdmin::EmptyBucket(const std::string &bucketName, bool recursive, const std::string &client,
+void CynaraAdmin::emptyBucket(const std::string &bucketName, bool recursive, const std::string &client,
const std::string &user, const std::string &privilege)
{
checkCynaraError(
client + ", " + user + ", " + privilege);
}
-void CynaraAdmin::FetchCynaraPolicyDescriptions(bool forceRefresh)
+void CynaraAdmin::fetchCynaraPolicyDescriptions(bool forceRefresh)
{
struct cynara_admin_policy_descr **descriptions = nullptr;
}
-void CynaraAdmin::CalculatePolicies(const std::string &label, const std::string &user,
+void CynaraAdmin::calculatePolicies(const std::string &label, const std::string &user,
const std::vector<std::string> &privileges,
const std::string &bucket, int policyToSet,
std::vector<CynaraAdminPolicy> &policies)
std::vector<CynaraAdminPolicy> oldPolicies;
std::unordered_set<std::string> privilegesSet(privileges.begin(),
privileges.end());
- ListPolicies(bucket, label, user, CYNARA_ADMIN_ANY, oldPolicies);
+ listPolicies(bucket, label, user, CYNARA_ADMIN_ANY, oldPolicies);
// Compare previous policies with set of new requested privileges
for (auto &policy : oldPolicies) {
if (privilegesSet.erase(policy.privilege)) {
}
}
-void CynaraAdmin::ListPoliciesDescriptions(std::vector<std::string> &policiesDescriptions)
+void CynaraAdmin::listPoliciesDescriptions(std::vector<std::string> &policiesDescriptions)
{
- FetchCynaraPolicyDescriptions(false);
+ fetchCynaraPolicyDescriptions(false);
for (const auto &it : s_typeToDescription)
policiesDescriptions.push_back(it.second);
std::string CynaraAdmin::convertToPolicyDescription(const int policyType, bool forceRefresh)
{
- FetchCynaraPolicyDescriptions(forceRefresh);
+ fetchCynaraPolicyDescriptions(forceRefresh);
return s_typeToDescription.at(policyType);
}
int CynaraAdmin::convertToPolicyType(const std::string &policy, bool forceRefresh)
{
- FetchCynaraPolicyDescriptions(forceRefresh);
+ fetchCynaraPolicyDescriptions(forceRefresh);
return s_descriptionToType.at(policy);
}
-void CynaraAdmin::Check(const std::string &label, const std::string &user, const std::string &privilege,
+void CynaraAdmin::check(const std::string &label, const std::string &user, const std::string &privilege,
const std::string &bucket, int &result, std::string &resultExtra, const bool recursive)
{
char *resultExtraCstr = nullptr;
}
}
-int CynaraAdmin::GetPrivilegeManagerCurrLevel(const std::string &label, const std::string &user,
+int CynaraAdmin::getPrivilegeManagerCurrLevel(const std::string &label, const std::string &user,
const std::string &privilege)
{
int result;
std::string resultExtra;
- Check(label, user, privilege, Buckets.at(Bucket::PRIVACY_MANAGER), result, resultExtra, true);
+ check(label, user, privilege, Buckets.at(Bucket::PRIVACY_MANAGER), result, resultExtra, true);
return result;
}
-int CynaraAdmin::GetPrivilegeManagerMaxLevel(const std::string &label, const std::string &user,
+int CynaraAdmin::getPrivilegeManagerMaxLevel(const std::string &label, const std::string &user,
const std::string &privilege)
{
int result;
std::string resultExtra;
- Check(label, user, privilege, Buckets.at(Bucket::MAIN), result, resultExtra, true);
+ check(label, user, privilege, Buckets.at(Bucket::MAIN), result, resultExtra, true);
return result;
}
*
* @param policies vector of CynaraAdminPolicy objects to send to Cynara
*/
- void SetPolicies(const std::vector<CynaraAdminPolicy> &policies);
+ void setPolicies(const std::vector<CynaraAdminPolicy> &policies);
/**
* Update Cynara policies for the application and the user.
* @param uid user identifier
* @param privileges currently enabled privileges
*/
- void UpdateAppPolicy(const std::string &label, bool global, uid_t uid,
+ void updateAppPolicy(const std::string &label, bool global, uid_t uid,
const std::vector<std::string> &privileges);
/**
* @param[in] user user identifier
* @param[out] privileges currently enabled privileges
*/
- void GetAppPolicy(const std::string &label, const std::string &user,
+ void getAppPolicy(const std::string &label, const std::string &user,
std::vector<std::string> &privileges);
/**
* @param uid new user uid
* @param userType type as enumerated in security-manager.h
*/
- void UserInit(uid_t uid, security_manager_user_type userType);
+ void userInit(uid_t uid, security_manager_user_type userType);
/**
* List all users registered in Cynara
*
* @param listOfUsers empty vector for list of users
*/
- void ListUsers(std::vector<uid_t> &listOfUsers);
+ void listUsers(std::vector<uid_t> &listOfUsers);
/**
* Removes all entries for a user from cynara database
*
* @param uid removed user uid
*/
- void UserRemove(uid_t uid);
+ void userRemove(uid_t uid);
/**
* Returns user type of given uid
* @return security_manager_user_type for given uid or SM_USER_TYPE_NONE if user not found
*
*/
- security_manager_user_type GetUserType(uid_t uid);
+ security_manager_user_type getUserType(uid_t uid);
/**
* List Cynara policies that match selected criteria in given bucket.
* @param policies empty vector for results of policies filtering.
*
*/
- void ListPolicies(const std::string &bucketName,
+ void listPolicies(const std::string &bucketName,
const std::string &label,
const std::string &user,
const std::string &privilege,
*
* @param policiesDescriptions empty vector for policies descriptions.
*/
- void ListPoliciesDescriptions(std::vector<std::string> &policiesDescriptions);
+ void listPoliciesDescriptions(std::vector<std::string> &policiesDescriptions);
/**
* Function translates internal Cynara policy type integer to string
* @param recursive flag to indicate if check should be done recursively in
* all buckets linked with bucket provided
*/
- void Check(const std::string &label,
+ void check(const std::string &label,
const std::string &user,
const std::string &privilege,
const std::string &bucket,
* @param privilege privilege identifier
* @return current policy value
*/
- int GetPrivilegeManagerCurrLevel(const std::string &label, const std::string &user,
+ int getPrivilegeManagerCurrLevel(const std::string &label, const std::string &user,
const std::string &privilege);
/**
* @param privilege privilege identifier
* @return maximum policy value for PRIVACY_MANAGER bucket
*/
- int GetPrivilegeManagerMaxLevel(const std::string &label, const std::string &user,
+ int getPrivilegeManagerMaxLevel(const std::string &label, const std::string &user,
const std::string &privilege);
private:
* @param user user name
* @param privilege privilege name
*/
- void EmptyBucket(const std::string &bucketName, bool recursive,
+ void emptyBucket(const std::string &bucketName, bool recursive,
const std::string &client, const std::string &user, const std::string &privilege);
/**
*
* @param forceRefresh true if you want to reinitialize mappings
*/
- void FetchCynaraPolicyDescriptions(bool forceRefresh = false);
+ void fetchCynaraPolicyDescriptions(bool forceRefresh = false);
/**
* Calculate actual Cynara policy based on appilcation data & previous policy
* @param policyToSet policy effect to be set
* @param policies current policy (input/output parameter)
*/
- void CalculatePolicies(const std::string &label, const std::string &user,
+ void calculatePolicies(const std::string &label, const std::string &user,
const std::vector<std::string> &privileges,
const std::string &bucket, int policyToSet,
std::vector<CynaraAdminPolicy> &policies);
bool global = req.installationType == SM_APP_INSTALL_GLOBAL ||
req.installationType == SM_APP_INSTALL_PRELOADED;
- m_cynaraAdmin.UpdateAppPolicy(appLabel, global, req.uid, req.privileges);
+ m_cynaraAdmin.updateAppPolicy(appLabel, global, req.uid, req.privileges);
if (hasSharedRO)
m_priviligeDb.SetSharedROPackage(req.pkgName);
bool global = req.installationType == SM_APP_INSTALL_GLOBAL ||
req.installationType == SM_APP_INSTALL_PRELOADED;
- m_cynaraAdmin.UpdateAppPolicy(processLabel, global, req.uid, std::vector<std::string>());
+ m_cynaraAdmin.updateAppPolicy(processLabel, global, req.uid, std::vector<std::string>());
trans.commit();
LogDebug("Application uninstallation commited to database");
std::vector<std::string> privileges;
std::string uidStr = std::to_string(creds.uid);
- m_cynaraAdmin.GetAppPolicy(appProcessLabel, uidStr, privileges);
- m_cynaraAdmin.GetAppPolicy(appProcessLabel, CYNARA_ADMIN_WILDCARD, privileges);
+ m_cynaraAdmin.getAppPolicy(appProcessLabel, uidStr, privileges);
+ m_cynaraAdmin.getAppPolicy(appProcessLabel, CYNARA_ADMIN_WILDCARD, privileges);
vectorRemoveDuplicates(privileges);
return SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED;
}
try {
- m_cynaraAdmin.UserInit(uidAdded, static_cast<security_manager_user_type>(userType));
+ m_cynaraAdmin.userInit(uidAdded, static_cast<security_manager_user_type>(userType));
PermissibleSet::initializeUserPermissibleFile(uidAdded);
} catch (CynaraException::InvalidParam &e) {
return SECURITY_MANAGER_ERROR_INPUT_PARAM;
}
}
- m_cynaraAdmin.UserRemove(uidDeleted);
+ m_cynaraAdmin.userRemove(uidDeleted);
return ret;
}
};
// Apply updates
- m_cynaraAdmin.SetPolicies(validatedPolicies);
+ m_cynaraAdmin.setPolicies(validatedPolicies);
} catch (const CynaraException::Base &e) {
LogError("Error while updating Cynara rules: " << e.DumpToString());
}
//Fetch privileges from ADMIN bucket
- m_cynaraAdmin.ListPolicies(
+ m_cynaraAdmin.listPolicies(
CynaraAdmin::Buckets.at(Bucket::ADMIN),
appProcessLabel,
user,
};
};
//Fetch privileges from PRIVACY_MANAGER bucket
- m_cynaraAdmin.ListPolicies(
+ m_cynaraAdmin.listPolicies(
CynaraAdmin::Buckets.at(Bucket::PRIVACY_MANAGER),
appProcessLabel,
user,
if (!forAdmin) {
// All policy entries in PRIVACY_MANAGER should be fully-qualified
pe.maxLevel = m_cynaraAdmin.convertToPolicyDescription(
- m_cynaraAdmin.GetPrivilegeManagerMaxLevel(
+ m_cynaraAdmin.getPrivilegeManagerMaxLevel(
policy.client, policy.user, policy.privilege));
} else {
// Cannot reliably calculate maxLavel for policies from ADMIN bucket
LogError("Invalid UID: " << e.what());
};
} else
- m_cynaraAdmin.ListUsers(listOfUsers);
+ m_cynaraAdmin.listUsers(listOfUsers);
} else {
LogWarning("Not enough privilege to fetch user policy for all users by user: " << creds.uid);
LogDebug("Fetching personal policy for user: " << creds.uid);
std::string appProcessLabel = getAppProcessLabel(appName);
std::vector<std::string> listOfPrivileges;
- m_cynaraAdmin.GetAppPolicy(appProcessLabel, userStr, listOfPrivileges);
- m_cynaraAdmin.GetAppPolicy(appProcessLabel, CYNARA_ADMIN_WILDCARD, listOfPrivileges);
+ m_cynaraAdmin.getAppPolicy(appProcessLabel, userStr, listOfPrivileges);
+ m_cynaraAdmin.getAppPolicy(appProcessLabel, CYNARA_ADMIN_WILDCARD, listOfPrivileges);
if (filter.privilege.compare(SECURITY_MANAGER_ANY)) {
LogDebug("Limitting Cynara query to privilege: " << filter.privilege);
pe.privilege = privilege;
pe.currentLevel = m_cynaraAdmin.convertToPolicyDescription(
- m_cynaraAdmin.GetPrivilegeManagerCurrLevel(
+ m_cynaraAdmin.getPrivilegeManagerCurrLevel(
appProcessLabel, userStr, privilege));
pe.maxLevel = m_cynaraAdmin.convertToPolicyDescription(
- m_cynaraAdmin.GetPrivilegeManagerMaxLevel(
+ m_cynaraAdmin.getPrivilegeManagerMaxLevel(
appProcessLabel, userStr, privilege));
LogDebug(
int ret = SECURITY_MANAGER_SUCCESS;
try {
- m_cynaraAdmin.ListPoliciesDescriptions(levels);
+ m_cynaraAdmin.listPoliciesDescriptions(levels);
} catch (const CynaraException::OutOfMemory &e) {
LogError("Error - out of memory while querying Cynara for policy descriptions list: " << e.DumpToString());
return SECURITY_MANAGER_ERROR_MEMORY;
int ret = SECURITY_MANAGER_SUCCESS;
try {
- auto userType = m_cynaraAdmin.GetUserType(uid);
+ auto userType = m_cynaraAdmin.getUserType(uid);
if (userType == SM_USER_TYPE_NONE) {
return SECURITY_MANAGER_ERROR_NO_SUCH_OBJECT;
m_priviligeDb.GetGroupsRelatedPrivileges(group2privVector);
for (const auto &g2p : group2privVector) {
- m_cynaraAdmin.Check(CYNARA_ADMIN_ANY, uidStr, g2p.second,
+ m_cynaraAdmin.check(CYNARA_ADMIN_ANY, uidStr, g2p.second,
bucket, result, resultExtra, true);
if (result == CYNARA_ADMIN_ALLOW)
groups.push_back(g2p.first);
projects / platform / core / security / security-manager.git / commitdiff