From 995c96e5b126a56401b5c17210acf32014b0b691 Mon Sep 17 00:00:00 2001
From: Mu-Woong Lee
Date: Thu, 3 Aug 2017 12:17:06 +0900
Subject: [PATCH] trigger: add PrivilegeChecker
Change-Id: I8cb0592a8bc3060cdd02e65f9df359c1ed09d8c2
Signed-off-by: Mu-Woong Lee
---
 CMakeLists.txt | 2 +-
 packaging/capi-context.spec | 1 +
 src/trigger/PrivilegeChecker.cpp | 92 ++++++++++++++++++++++++++++++++++++++++
 src/trigger/PrivilegeChecker.h | 39 +++++++++++++++++
 4 files changed, 133 insertions(+), 1 deletion(-)
 create mode 100644 src/trigger/PrivilegeChecker.cpp
 create mode 100644 src/trigger/PrivilegeChecker.h
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 5c0df62..97e5d3f 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -7,7 +7,7 @@ SET(target ${PROJECT_NAME})
 # Dependencies
 SET(DEPS "gio-2.0 jsoncpp bundle aul pkgmgr-info capi-base-common capi-appfw-app-control")
-SET(DEPS "${DEPS} cynara-creds-self cynara-client")
+SET(DEPS "${DEPS} cynara-creds-self cynara-session cynara-client")
 SET(DEPS "${DEPS} context-app-history-client context-job-scheduler-client")
 # Source Lists
diff --git a/packaging/capi-context.spec b/packaging/capi-context.spec
index 5379142..1f04395 100644
--- a/packaging/capi-context.spec
+++ b/packaging/capi-context.spec
@@ -15,6 +15,7 @@ BuildRequires: pkgconfig(pkgmgr-info)
 BuildRequires: pkgconfig(capi-base-common)
 BuildRequires: pkgconfig(capi-appfw-app-control)
 BuildRequires: pkgconfig(cynara-creds-self)
+BuildRequires: pkgconfig(cynara-session)
 BuildRequires: pkgconfig(cynara-client)
 BuildRequires: pkgconfig(context-app-history-client)
 BuildRequires: pkgconfig(context-job-scheduler-client)
diff --git a/src/trigger/PrivilegeChecker.cpp b/src/trigger/PrivilegeChecker.cpp
new file mode 100644
index 0000000..fe39067
--- /dev/null
+++ b/src/trigger/PrivilegeChecker.cpp
@@ -0,0 +1,92 @@
+/*
+ * Copyright (c) 2017 Samsung Electronics Co., Ltd.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include
+#include
+#include
+#include "PrivilegeChecker.h"
+
+#define CACHE_SIZE 10
+
+static GMutex __cynaraMutex;
+
+PrivilegeChecker::PrivilegeChecker() :
+ __client(NULL),
+ __session(NULL),
+ __user(NULL),
+ __cynara(NULL)
+{
+ cynara_creds_self_get_client(CLIENT_METHOD_DEFAULT, &__client);
+ cynara_creds_self_get_user(USER_METHOD_DEFAULT, &__user);
+
+ __session = cynara_session_from_pid(getpid());
+
+ if (!__client || !__user || !__session) {
+ _E("Self credentialing failed");
+ return;
+ }
+
+ cynara_configuration* conf = NULL;
+ int err = cynara_configuration_create(&conf);
+ IF_FAIL_VOID_TAG(err == CYNARA_API_SUCCESS, _E, "Cynara configuration creation failed");
+
+ err = cynara_configuration_set_cache_size(conf, CACHE_SIZE);
+ if (err != CYNARA_API_SUCCESS) {
+ _E("Cynara cache size set failed");
+ cynara_configuration_destroy(conf);
+ return;
+ }
+
+ err = cynara_initialize(&__cynara, conf);
+ cynara_configuration_destroy(conf);
+ if (err != CYNARA_API_SUCCESS) {
+ _E("Cynara initialization failed");
+ __cynara = NULL;
+ return;
+ }
+
+ _I("Cynara initialized");
+}
+
+PrivilegeChecker::~PrivilegeChecker()
+{
+ g_free(__client);
+ g_free(__session);
+ g_free(__user);
+
+ if (__cynara)
+ cynara_finish(__cynara);
+}
+
+bool PrivilegeChecker::hasPrivilege(const char* privil)
+{
+ if (!privil)
+ return true;
+
ctx::ScopeMutex sm(&__cynaraMutex);
+
+ static PrivilegeChecker checker;
+
+ return checker.__hasPrivilege(privil);
+}
+
+bool PrivilegeChecker::__hasPrivilege(const char* privil)
+{
+ IF_FAIL_RETURN_TAG(__cynara, false, _E, "Cynara not initialized");
+ int ret = cynara_check(__cynara, __client, __session, __user, privil);
+ _D("Check %s -> %d", privil, ret);
+ return (ret == CYNARA_API_ACCESS_ALLOWED);
+}
diff --git a/src/trigger/PrivilegeChecker.h b/src/trigger/PrivilegeChecker.h
new file mode 100644
index 0000000..3e272da
--- /dev/null
+++ b/src/trigger/PrivilegeChecker.h
@@ -0,0 +1,39 @@
+/*
+ * Copyright (c) 2017 Samsung Electronics Co., Ltd.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef __CONTEXT_TRIGGER_PRIVILEGE_CHECKER_H__
+#define __CONTEXT_TRIGGER_PRIVILEGE_CHECKER_H__
+
+#include
+#include
+
+class PrivilegeChecker {
+public:
+ static bool hasPrivilege(const char* privil);
+
+private:
+ PrivilegeChecker();
+ ~PrivilegeChecker();
+
+ bool __hasPrivilege(const char* privil);
+
+ char* __client;
+ char* __session;
+ char* __user;
+ cynara* __cynara;
+};
+
+#endif /* __CONTEXT_TRIGGER_PRIVILEGE_CHECKER_H__ */
-- 2.7.4
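Review bot: `hasPrivilege()` in PrivilegeChecker.cpp returns `true` for a NULL `privil` before cynara is consulted, so a caller that passes a null pointer from a failed lookup is granted access. If NULL is meant to mean "no privilege required", record that next to the check with a comment such as `/* NULL: the item requires no privilege */`; otherwise the guard should deny with `return false;`. The constructor's failure paths are fail-closed (`__cynara` stays NULL and `__hasPrivilege()` returns false), but because `checker` is a function-local static a failed initialization is never retried and every later check in the process is denied, which deserves a comment. The destructor releases `__client`, `__session` and `__user` with `g_free()`; those strings come from the cynara helpers, which presumably allocate with malloc, so `free()` would be the matching call.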
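Review bot: The public `hasPrivilege()` declaration in PrivilegeChecker.h carries no contract, so a caller cannot tell from the header whose credentials are checked or how failures are reported. A comment above it would record this, e.g. `/* Checks the calling process's own privilege via cynara; NULL is treated as allowed, any cynara failure as denied. */`. Since the check uses self credentials inside the calling process it can only be advisory, and enforcement presumably sits in the service side; the comment could say so. The class owns three heap strings and a cynara handle through raw pointers but leaves copy construction and assignment implicit; declaring them private and undefined (or deleted, if the build allows C++11) keeps a later copy from double-freeing them. Names beginning with a double underscore, including the include guard, are reserved for the implementation in C++.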