From: Michal Eljasiewicz <m.eljasiewic@samsung.com>
Date: Fri, 19 Dec 2014 08:54:49 +0000 (+0100)
Subject: Define Cynara buckets inside CynaraAdmin class
X-Git-Tag: accepted/tizen/tv/20150217.004257~27
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=refs%2Fchanges%2F91%2F32591%2F19;p=platform%2Fcore%2Fsecurity%2Fsecurity-manager.git

Define Cynara buckets inside CynaraAdmin class

Change-Id: I4380aa94f04c728ab4467264db5d1c12e0aaff60
Signed-off-by: Michal Eljasiewicz <m.eljasiewic@samsung.com>
---

diff --git a/src/common/cynara.cpp b/src/common/cynara.cpp
index 293826b..45f1b9d 100644
--- a/src/common/cynara.cpp
+++ b/src/common/cynara.cpp
@@ -28,6 +28,89 @@
 
 namespace SecurityManager {
 
+/**
+ * Rules for apps and users are organized into set of buckets stored in Cynara.
+ * Bucket is set of rules (app, uid, privilege) -> (DENY, ALLOW, BUCKET, ...).
+ *  |------------------------|
+ *  |      <<allow>>         |
+ *  |   PRIVACY_MANAGER      |
+ *  |------------------------|
+ *  |  A    U   P      policy|
+ *  |------------------------|
+ *  | app1 uid1 priv1  DENY  |
+ *  |  *   uid2 priv2  DENY  |
+ *  |  * * *      Bucket:MAIN|
+ *  |------------------------|
+ *
+ * For details about buckets see Cynara documentation.
+ *
+ * Security Manager currently defines 8 buckets:
+ * - PRIVACY_MANAGER - first bucket during search (which is actually default bucket
+ *   with empty string as id). If user specifies his preference then required rule
+ *   is created here.
+ * - MAIN            - holds rules denied by manufacturer, redirects to MANIFESTS
+ *   bucket and holds entries for each user pointing to User Type
+ *   specific buckets
+ * - MANIFESTS       - stores rules needed by installed apps (from package
+ *   manifest)
+ * - USER_TYPE_ADMIN
+ * - USER_TYPE_SYSTEM
+ * - USER_TYPE_NORMAL
+ * - USER_TYPE_GUEST - they store privileges from templates for apropriate
+ *   user type. ALLOW rules only.
+ * - ADMIN           - stores custom rules introduced by device administrator.
+ *   Ignored if no matching rule found.
+ *
+ * Below is basic layout of buckets:
+ *
+ *  |------------------------|
+ *  |      <<allow>>         |
+ *  |   PRIVACY_MANAGER      |
+ *  |                        |
+ *  |  * * *      Bucket:MAIN|                         |------------------|
+ *  |------------------------|                         |      <<deny>>    |
+ *             |                                    |->|     MANIFESTS    |
+ *             -----------------                    |  |                  |
+ *                             |                    |  |------------------|
+ *                             V                    |
+ *                     |------------------------|   |
+ *                     |       <<deny>>         |---|
+ *                     |         MAIN           |
+ * |---------------|   |                        |     |-------------------|
+ * |    <<deny>>   |<--| * * *  Bucket:MANIFESTS|---->|      <<deny>>     |
+ * | USER_TYPE_SYST|   |------------------------|     |  USER_TYPE_NORMAL |
+ * |               |        |              |          |                   |
+ * |---------------|        |              |          |-------------------|
+ *        |                 |              |                    |
+ *        |                 V              V                    |
+ *        |      |---------------|      |---------------|       |
+ *        |      |    <<deny>>   |      |    <<deny>>   |       |
+ *        |      |USER_TYPE_GUEST|      |USER_TYPE_ADMIN|       |
+ *        |      |               |      |               |       |
+ *        |      |---------------|      |---------------|       |
+ *        |              |                      |               |
+ *        |              |----             -----|               |
+ *        |                  |             |                    |
+ *        |                  V             V                    |
+ *        |                |------------------|                 |
+ *        |------------->  |     <<none>>     | <---------------|
+ *                         |       ADMIN      |
+ *                         |                  |
+ *                         |------------------|
+ *
+ */
+CynaraAdmin::BucketsMap CynaraAdmin::Buckets =
+{
+    { Bucket::PRIVACY_MANAGER, std::string(CYNARA_ADMIN_DEFAULT_BUCKET)},
+    { Bucket::MAIN, std::string("MAIN")},
+    { Bucket::USER_TYPE_ADMIN, std::string("USER_TYPE_ADMIN")},
+    { Bucket::USER_TYPE_NORMAL, std::string("USER_TYPE_NORMAL")},
+    { Bucket::USER_TYPE_GUEST, std::string("USER_TYPE_GUEST") },
+    { Bucket::USER_TYPE_SYSTEM, std::string("USER_TYPE_SYSTEM")},
+    { Bucket::ADMIN, std::string("ADMIN")},
+    { Bucket::MANIFESTS, std::string("MANIFESTS")},
+};
+
 
 CynaraAdminPolicy::CynaraAdminPolicy(const std::string &client, const std::string &user,
         const std::string &privilege, Operation operation,
diff --git a/src/common/include/cynara.h b/src/common/include/cynara.h
index 802cbb1..8982d54 100644
--- a/src/common/include/cynara.h
+++ b/src/common/include/cynara.h
@@ -29,9 +29,22 @@
 #include <dpl/exception.h>
 #include <string>
 #include <vector>
+#include <map>
 
 namespace SecurityManager {
 
+enum class Bucket
+{
+    PRIVACY_MANAGER,
+    MAIN,
+    USER_TYPE_ADMIN,
+    USER_TYPE_NORMAL,
+    USER_TYPE_GUEST,
+    USER_TYPE_SYSTEM,
+    ADMIN,
+    MANIFESTS
+};
+
 class CynaraException
 {
 public:
@@ -71,6 +84,10 @@ struct CynaraAdminPolicy : cynara_admin_policy
 class CynaraAdmin
 {
 public:
+
+    typedef std::map<Bucket, const std::string > BucketsMap;
+    static BucketsMap Buckets;
+
     virtual ~CynaraAdmin();
 
     static CynaraAdmin &getInstance();