2 * Copyright (c) 2014 Samsung Electronics Co., Ltd All Rights Reserved
4 * Contact: Rafal Krypa <r.krypa@samsung.com>
6 * Licensed under the Apache License, Version 2.0 (the "License");
7 * you may not use this file except in compliance with the License.
8 * You may obtain a copy of the License at
10 * http://www.apache.org/licenses/LICENSE-2.0
12 * Unless required by applicable law or agreed to in writing, software
13 * distributed under the License is distributed on an "AS IS" BASIS,
14 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15 * See the License for the specific language governing permissions and
16 * limitations under the License
20 * @author Rafal Krypa <r.krypa@samsung.com>
21 * @brief Wrapper class for Cynara interface
24 #ifndef _SECURITY_MANAGER_CYNARA_
25 #define _SECURITY_MANAGER_CYNARA_
27 #include <cynara-client.h>
28 #include <cynara-admin.h>
29 #include <dpl/exception.h>
34 #include "security-manager.h"
36 namespace SecurityManager {
53 DECLARE_EXCEPTION_TYPE(SecurityManager::Exception, Base)
54 DECLARE_EXCEPTION_TYPE(Base, OutOfMemory)
55 DECLARE_EXCEPTION_TYPE(Base, InvalidParam)
56 DECLARE_EXCEPTION_TYPE(Base, ServiceNotAvailable)
57 DECLARE_EXCEPTION_TYPE(Base, UnknownError)
58 DECLARE_EXCEPTION_TYPE(Base, BucketNotFound)
61 struct CynaraAdminPolicy : cynara_admin_policy
63 enum class Operation {
64 Deny = CYNARA_ADMIN_DENY,
65 Allow = CYNARA_ADMIN_ALLOW,
66 Delete = CYNARA_ADMIN_DELETE,
67 Bucket = CYNARA_ADMIN_BUCKET,
70 CynaraAdminPolicy(const std::string &client, const std::string &user,
71 const std::string &privilege, Operation operation,
72 const std::string &bucket = std::string(CYNARA_ADMIN_DEFAULT_BUCKET));
74 CynaraAdminPolicy(const std::string &client, const std::string &user,
75 const std::string &privilege, const std::string &goToBucket,
76 const std::string &bucket = std::string(CYNARA_ADMIN_DEFAULT_BUCKET));
78 /* Don't provide copy constructor, it would cause pointer trouble. */
79 CynaraAdminPolicy(const CynaraAdminPolicy &that) = delete;
81 /* Move constructor is the way to go. */
82 CynaraAdminPolicy(CynaraAdminPolicy &&that);
91 typedef std::map<Bucket, const std::string > BucketsMap;
92 static BucketsMap Buckets;
94 virtual ~CynaraAdmin();
96 static CynaraAdmin &getInstance();
99 * Update Cynara policies.
100 * Caller must have permission to access Cynara administrative socket.
102 * @param policies vector of CynaraAdminPolicy objects to send to Cynara
104 void SetPolicies(const std::vector<CynaraAdminPolicy> &policies);
107 * Update Cynara policies for the package and the user, using two vectors
108 * of privileges: privileges set before (and already enabled in Cynara)
109 * and new privileges, to be set in Cynara.
110 * Difference will be calculated, removing old unneeded privileges and
111 * adding new, previously not enabled privileges.
112 * Caller must have permission to access Cynara administrative socket.
114 * @param label application Smack label
115 * @param user user identifier
116 * @param oldPrivileges previously enabled privileges for the package.
117 * Must be sorted and without duplicates.
118 * @param newPrivileges currently enabled privileges for the package.
119 * Must be sorted and without duplicates.
121 * TODO: drop oldPrivileges argument and get them directly from Cynara.
122 * Appropriate Cynara interface is needed first.
124 void UpdateAppPolicy(const std::string &label, const std::string &user,
125 const std::vector<std::string> &oldPrivileges,
126 const std::vector<std::string> &newPrivileges);
129 * Depending on user type, create link between MAIN bucket and appropriate
130 * USER_TYPE_* bucket for newly added user uid to apply permissions for that
132 * @throws CynaraException::InvalidParam.
134 * @param uid new user uid
135 * @param userType type as enumerated in security-manager.h
137 void UserInit(uid_t uid, security_manager_user_type userType);
140 * List Cynara policies that match selected criteria in given bucket.
142 * @param bucketName name of the bucket to search policies in
143 * @param appId string with id of app to match in search
144 * @param user user string to match in search
145 * @param privilege privilege string to match in search
146 * @param policies empty vector for results of policies filtering.
149 void ListPolicies(const std::string &bucketName,
150 const std::string &appId,
151 const std::string &user,
152 const std::string &privilege,
153 std::vector<CynaraAdminPolicy> &policies);
159 * Empty bucket using filter - matching rules will be removed
161 * @param bucketName name of the bucket to be emptied
162 * @param recursive flag to remove privileges recursively
163 * @param client client name
164 * @param user user name
165 * @param privilege privilege name
167 void EmptyBucket(const std::string &bucketName, bool recursive,
168 const std::string &client, const std::string &user, const std::string &privilege);
170 struct cynara_admin *m_CynaraAdmin;
178 static Cynara &getInstance();
181 * Ask Cynara for permission.
183 * @param label application Smack label
184 * @param privilege privilege identifier
185 * @param user user identifier (uid)
186 * @param session session identifier
187 * @return true if access is permitted, false if denied
189 bool check(const std::string &label, const std::string &privilege,
190 const std::string &user, const std::string &session);
194 struct cynara *m_Cynara;
198 } // namespace SecurityManager
200 #endif // _SECURITY_MANAGER_CYNARA_