Verification of PolicyTypes was removed from libcynara-admin library.
Now it is added to Cynara service and cynara offline admin with full
plugin support. It means, that validation passes only for predefined
types or types provided by loaded cynara service plugins.
In case, the validation fails, new CodeResponse::Code::NO_POLICY_TYPE
value is returned from service to libcynara admin side and
CYNARA_API_INVALID_PARAM is returned from cynara_admin_set_policies()
or cynara_admin_set_bucket() functions.
Change-Id: Id1a85aafaa4feb31d8513e819c78736813a9ff38
/*
- * Copyright (c) 2014 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2014-2015 Samsung Electronics Co., Ltd All Rights Reserved
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
/**
* @file src/admin/logic/OfflineLogic.cpp
* @author Aleksander Zdyb <a.zdyb@samsung.com>
+ * @author Lukasz Wojciechowski <l.wojciechow@partner.samsung.com>
* @version 1.0
* @brief This file contains implementation of OfflineLogic class
*/
#include <exceptions/DefaultBucketDeletionException.h>
#include <exceptions/DefaultBucketSetNoneException.h>
#include <exceptions/InvalidBucketIdException.h>
+#include <exceptions/UnknownPolicyTypeException.h>
#include <plugin/PluginManager.h>
#include <storage/InMemoryStorageBackend.h>
m_pluginManager->loadPlugins();
}
+void OfflineLogic::checkPoliciesTypes(const ApiInterface::PoliciesByBucket &policies,
+ bool allowBucket, bool allowNone) {
+ for (const auto &group : policies) {
+ for (const auto &policy : group.second) {
+ checkSinglePolicyType(policy.result().policyType(), allowBucket, allowNone);
+ }
+ }
+}
+
+void OfflineLogic::checkSinglePolicyType(const PolicyType &policyType, bool allowBucket,
+ bool allowNone) {
+ if (allowBucket && policyType == PredefinedPolicyType::BUCKET)
+ return;
+ if (allowNone && policyType == PredefinedPolicyType::NONE)
+ return;
+ for (const auto &descr : predefinedPolicyDescr) {
+ if (descr.type == policyType)
+ return;
+ }
+ m_pluginManager->checkPolicyType(policyType);
+}
+
int OfflineLogic::setPolicies(const ApiInterface::PoliciesByBucket &insertOrUpdate,
const ApiInterface::KeysByBucket &remove) {
try {
acquireDatabase();
+ acquirePlugins();
+ checkPoliciesTypes(insertOrUpdate, true, false);
m_storage->insertPolicies(insertOrUpdate);
m_storage->deletePolicies(remove);
onPoliciesChanged();
return CYNARA_API_BUCKET_NOT_FOUND;
} catch (const DatabaseException &) {
return CYNARA_API_OPERATION_FAILED;
+ } catch (const UnknownPolicyTypeException &ex) {
+ return CYNARA_API_INVALID_PARAM;
}
return CYNARA_API_SUCCESS;
const PolicyResult &policyResult) {
try {
acquireDatabase();
+ acquirePlugins();
+ checkSinglePolicyType(policyResult.policyType(), true, true);
m_storage->addOrUpdateBucket(bucket, policyResult);
onPoliciesChanged();
} catch (const DefaultBucketSetNoneException &) {
return CYNARA_API_OPERATION_NOT_ALLOWED;
} catch (const DatabaseException &) {
return CYNARA_API_OPERATION_FAILED;
+ } catch (const UnknownPolicyTypeException &ex) {
+ return CYNARA_API_INVALID_PARAM;
}
return CYNARA_API_SUCCESS;
/*
- * Copyright (c) 2014 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2014-2015 Samsung Electronics Co., Ltd All Rights Reserved
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
/**
* @file src/admin/logic/OfflineLogic.h
* @author Aleksander Zdyb <a.zdyb@samsung.com>
+ * @author Lukasz Wojciechowski <l.wojciechow@partner.samsung.com>
* @version 1.0
* @brief This file contains definition of OfflineLogic class
*/
#include <lock/FileLock.h>
#include <plugin/PluginManager.h>
+#include <types/PolicyType.h>
#include <storage/Storage.h>
#include <storage/StorageBackend.h>
void acquireDatabase(void);
void acquirePlugins(void);
void onPoliciesChanged(void);
+ void checkPoliciesTypes(const ApiInterface::PoliciesByBucket &policies, bool allowBucket,
+ bool allowNone);
+ void checkSinglePolicyType(const PolicyType &policyType, bool allowBucket, bool allowNone);
private:
typedef std::unique_ptr<Storage> StorageUniquePtr;
/*
- * Copyright (c) 2014 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2014-2015 Samsung Electronics Co., Ltd All Rights Reserved
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
case CodeResponse::Code::NO_BUCKET:
LOGE("Trying to use unexisting bucket.");
return CYNARA_API_BUCKET_NOT_FOUND;
+ case CodeResponse::Code::NO_POLICY_TYPE:
+ LOGE("Trying to use unknown policy type.");
+ return CYNARA_API_INVALID_PARAM;
case CodeResponse::Code::FAILED:
LOGC("Cynara service answered: Operation failed.");
return CYNARA_API_OPERATION_FAILED;
--- /dev/null
+/*
+ * Copyright (c) 2015 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+/**
+ * @file src/common/exceptions/UnknownPolicyTypeException.h
+ * @author Lukasz Wojciechowski <l.wojciechow@partner.samsung.com>
+ * @version 1.0
+ * @brief Implementation of UnknownPolicyTypeException
+ */
+
+#ifndef SRC_COMMON_EXCEPTIONS_UNKNOWNPOLICYTYPEEXCEPTION_H_
+#define SRC_COMMON_EXCEPTIONS_UNKNOWNPOLICYTYPEEXCEPTION_H_
+
+#include <exception>
+
+#include "Exception.h"
+#include "types/PolicyType.h"
+
+namespace Cynara {
+
+class UnknownPolicyTypeException : public Exception {
+public:
+ UnknownPolicyTypeException() = delete;
+ UnknownPolicyTypeException(const PolicyType &policyType)
+ : m_policyType(policyType), m_message("UnknownPolicyTypeException") {
+ }
+ virtual ~UnknownPolicyTypeException() {};
+
+ virtual const std::string &message(void) const {
+ return m_message;
+ }
+
+ const PolicyType &policyType(void) const {
+ return m_policyType;
+ }
+
+private:
+ PolicyType m_policyType;
+ std::string m_message;
+};
+
+} /* namespace Cynara */
+
+#endif /* SRC_COMMON_EXCEPTIONS_UNKNOWNPOLICYTYPEEXCEPTION_H_ */
/*
- * Copyright (c) 2014 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2014-2015 Samsung Electronics Co., Ltd All Rights Reserved
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
/**
* @file src/common/plugin/PluginManager.cpp
* @author Zofia Abramowska <z.abramowska@samsung.com>
+ * @author Lukasz Wojciechowski <l.wojciechow@partner.samsung.com>
* @version 1.0
* @brief Definition of PluginManager class
*/
#include <dlfcn.h>
#include <functional>
+#include <exceptions/UnknownPolicyTypeException.h>
#include <log/log.h>
#include "PluginManager.h"
}
}
+void PluginManager::checkPolicyType(PolicyType pType) const {
+ const auto it = m_plugins.find(pType);
+ if (it == m_plugins.end() || it->second == nullptr)
+ throw UnknownPolicyTypeException(pType);
+}
+
void PluginManager::loadPlugins(void) {
struct dirent **nameList = NULL;
int fileAmount = scandir(m_dir.c_str(), &nameList, pluginFilter, alphasort);
/*
- * Copyright (c) 2014 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2014-2015 Samsung Electronics Co., Ltd All Rights Reserved
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
/**
* @file src/common/plugin/PluginManager.h
* @author Zofia Abramowska <z.abramowska@samsung.com>
+ * @author Lukasz Wojciechowski <l.wojciechow@partner.samsung.com>
* @version 1.0
* @brief Declaration of PluginManager class
*/
#include <plugin/ExternalPluginInterface.h>
#include <types/PolicyDescription.h>
+#include <types/PolicyType.h>
namespace Cynara {
typedef std::shared_ptr<ExternalPluginInterface> ExternalPluginPtr;
std::vector<PolicyDescription> getPolicyDescriptions(void) const;
void invalidateAll(void);
+ void checkPolicyType(PolicyType pType) const;
+
private:
typedef std::unique_ptr<void, std::function<void (void*)>> PluginLibPtr;
typedef std::list<PluginLibPtr> PluginLibs;
/*
- * Copyright (c) 2014 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2014-2015 Samsung Electronics Co., Ltd All Rights Reserved
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
enum Code {
OK,
NO_BUCKET,
+ NO_POLICY_TYPE,
NOT_ALLOWED,
FAILED
};
/*
- * Copyright (c) 2014 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2014-2015 Samsung Electronics Co., Ltd All Rights Reserved
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
#include <exceptions/PluginErrorException.h>
#include <exceptions/PluginNotFoundException.h>
#include <exceptions/UnexpectedErrorException.h>
+#include <exceptions/UnknownPolicyTypeException.h>
#include <request/AdminCheckRequest.h>
#include <request/AgentActionRequest.h>
#include <request/AgentRegisterRequest.h>
auto code = CodeResponse::Code::OK;
try {
+ checkSinglePolicyType(request->result().policyType(), true, true);
m_storage->addOrUpdateBucket(request->bucketId(), request->result());
onPoliciesChanged();
} catch (const DatabaseException &ex) {
code = CodeResponse::Code::NOT_ALLOWED;
} catch (const InvalidBucketIdException &ex) {
code = CodeResponse::Code::NOT_ALLOWED;
+ } catch (const UnknownPolicyTypeException &ex) {
+ code = CodeResponse::Code::NO_POLICY_TYPE;
}
context->returnResponse(context, std::make_shared<CodeResponse>(code,
void Logic::execute(RequestContextPtr context, SetPoliciesRequestPtr request) {
auto code = CodeResponse::Code::OK;
try {
+ checkPoliciesTypes(request->policiesToBeInsertedOrUpdated(), true, false);
m_storage->insertPolicies(request->policiesToBeInsertedOrUpdated());
m_storage->deletePolicies(request->policiesToBeRemoved());
onPoliciesChanged();
code = CodeResponse::Code::FAILED;
} catch (const BucketNotExistsException &ex) {
code = CodeResponse::Code::NO_BUCKET;
+ } catch (const UnknownPolicyTypeException &ex) {
+ code = CodeResponse::Code::NO_POLICY_TYPE;
}
context->returnResponse(context, std::make_shared<CodeResponse>(code,
request->sequenceNumber()));
}
+void Logic::checkPoliciesTypes(const std::map<PolicyBucketId, std::vector<Policy>> &policies,
+ bool allowBucket, bool allowNone) {
+ for (const auto &group : policies) {
+ for (const auto &policy : group.second) {
+ checkSinglePolicyType(policy.result().policyType(), allowBucket, allowNone);
+ }
+ }
+}
+
+void Logic::checkSinglePolicyType(const PolicyType &policyType, bool allowBucket, bool allowNone) {
+ if (allowBucket && policyType == PredefinedPolicyType::BUCKET)
+ return;
+ if (allowNone && policyType == PredefinedPolicyType::NONE)
+ return;
+ for (const auto &descr : predefinedPolicyDescr) {
+ if (descr.type == policyType)
+ return;
+ }
+ m_pluginManager->checkPolicyType(policyType);
+}
+
void Logic::contextClosed(RequestContextPtr context) {
LOGD("context closed");
/*
- * Copyright (c) 2014 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2014-2015 Samsung Electronics Co., Ltd All Rights Reserved
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
#ifndef SRC_SERVICE_LOGIC_LOGIC_H_
#define SRC_SERVICE_LOGIC_LOGIC_H_
+#include <map>
+#include <vector>
+
+#include <types/Policy.h>
+#include <types/PolicyBucketId.h>
#include <types/PolicyKey.h>
#include <types/PolicyResult.h>
+#include <types/PolicyType.h>
#include <main/pointers.h>
#include <plugin/PluginManager.h>
const PluginData &agentData, const RequestContextPtr &request,
const ServicePluginInterfacePtr &plugin);
+ void checkPoliciesTypes(const std::map<PolicyBucketId, std::vector<Policy>> &policies,
+ bool allowBucket, bool allowNone);
+ void checkSinglePolicyType(const PolicyType &policyType, bool allowBucket, bool allowNone);
void handleAgentTalkerDisconnection(const AgentTalkerPtr &agentTalkerPtr);
void handleClientDisconnection(const CheckContextPtr &checkContextPtr);
projects / platform / core / security / cynara.git / commitdiff