2 * Copyright (c) 2014 Samsung Electronics Co., Ltd All Rights Reserved
4 * Contact: Rafal Krypa <r.krypa@samsung.com>
6 * Licensed under the Apache License, Version 2.0 (the "License");
7 * you may not use this file except in compliance with the License.
8 * You may obtain a copy of the License at
10 * http://www.apache.org/licenses/LICENSE-2.0
12 * Unless required by applicable law or agreed to in writing, software
13 * distributed under the License is distributed on an "AS IS" BASIS,
14 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15 * See the License for the specific language governing permissions and
16 * limitations under the License
20 * @author Rafal Krypa <r.krypa@samsung.com>
21 * @brief Wrapper class for Cynara interface
24 #ifndef _SECURITY_MANAGER_CYNARA_
25 #define _SECURITY_MANAGER_CYNARA_
27 #include <cynara-client.h>
28 #include <cynara-admin.h>
29 #include <dpl/exception.h>
34 #include "security-manager.h"
36 namespace SecurityManager {
53 DECLARE_EXCEPTION_TYPE(SecurityManager::Exception, Base)
54 DECLARE_EXCEPTION_TYPE(Base, OutOfMemory)
55 DECLARE_EXCEPTION_TYPE(Base, InvalidParam)
56 DECLARE_EXCEPTION_TYPE(Base, ServiceNotAvailable)
57 DECLARE_EXCEPTION_TYPE(Base, UnknownError)
58 DECLARE_EXCEPTION_TYPE(Base, BucketNotFound)
61 struct CynaraAdminPolicy : cynara_admin_policy
63 enum class Operation {
64 Deny = CYNARA_ADMIN_DENY,
65 Allow = CYNARA_ADMIN_ALLOW,
66 Delete = CYNARA_ADMIN_DELETE,
67 Bucket = CYNARA_ADMIN_BUCKET,
70 CynaraAdminPolicy(const std::string &client, const std::string &user,
71 const std::string &privilege, int operation,
72 const std::string &bucket = std::string(CYNARA_ADMIN_DEFAULT_BUCKET));
74 CynaraAdminPolicy(const std::string &client, const std::string &user,
75 const std::string &privilege, const std::string &goToBucket,
76 const std::string &bucket = std::string(CYNARA_ADMIN_DEFAULT_BUCKET));
78 /* Don't provide copy constructor, it would cause pointer trouble. */
79 CynaraAdminPolicy(const CynaraAdminPolicy &that) = delete;
81 /* Move constructor is the way to go. */
82 CynaraAdminPolicy(CynaraAdminPolicy &&that);
83 CynaraAdminPolicy& operator=(CynaraAdminPolicy &&that);
92 typedef std::map<Bucket, const std::string > BucketsMap;
93 static BucketsMap Buckets;
95 typedef std::map<int, std::string> TypeToDescriptionMap;
96 typedef std::map<std::string, int> DescriptionToTypeMap;
98 virtual ~CynaraAdmin();
100 static CynaraAdmin &getInstance();
103 * Update Cynara policies.
104 * Caller must have permission to access Cynara administrative socket.
106 * @param policies vector of CynaraAdminPolicy objects to send to Cynara
108 void SetPolicies(const std::vector<CynaraAdminPolicy> &policies);
111 * Update Cynara policies for the package and the user, using two vectors
112 * of privileges: privileges set before (and already enabled in Cynara)
113 * and new privileges, to be set in Cynara.
114 * Difference will be calculated, removing old unneeded privileges and
115 * adding new, previously not enabled privileges.
116 * Caller must have permission to access Cynara administrative socket.
118 * @param label application Smack label
119 * @param user user identifier
120 * @param oldPrivileges previously enabled privileges for the package.
121 * Must be sorted and without duplicates.
122 * @param newPrivileges currently enabled privileges for the package.
123 * Must be sorted and without duplicates.
125 * TODO: drop oldPrivileges argument and get them directly from Cynara.
126 * Appropriate Cynara interface is needed first.
128 void UpdateAppPolicy(const std::string &label, const std::string &user,
129 const std::vector<std::string> &oldPrivileges,
130 const std::vector<std::string> &newPrivileges);
133 * Depending on user type, create link between MAIN bucket and appropriate
134 * USER_TYPE_* bucket for newly added user uid to apply permissions for that
136 * @throws CynaraException::InvalidParam.
138 * @param uid new user uid
139 * @param userType type as enumerated in security-manager.h
141 void UserInit(uid_t uid, security_manager_user_type userType);
144 * List all users registered in Cynara
146 * @param[out] listOfUsers list of users
148 void ListUsers(std::vector<uid_t> &listOfUsers);
151 * Removes all entries for a user from cynara database
153 * @param uid removed user uid
155 void UserRemove(uid_t uid);
158 * List Cynara policies that match selected criteria in given bucket.
160 * @param bucketName name of the bucket to search policies in
161 * @param appId string with id of app to match in search
162 * @param user user string to match in search
163 * @param privilege privilege string to match in search
164 * @param policies empty vector for results of policies filtering.
167 void ListPolicies(const std::string &bucketName,
168 const std::string &appId,
169 const std::string &user,
170 const std::string &privilege,
171 std::vector<CynaraAdminPolicy> &policies);
174 * Wrapper for Cynara API function cynara_admin_list_policies_descriptions.
175 * It collects all policies descriptions, extracts names
176 * of policies and returns as std strings. Caller is responsible for clearing
177 * vector passed as argument.
179 * @param policiesDescriptions empty vector for policies descriptions.
181 void ListPoliciesDescriptions(std::vector<std::string> &policiesDescriptions);
184 * Function translates internal Cynara policy type integer to string
185 * description. Descriptions are retrieved from Cynara using
186 * ListPoliciesDescriptions() function. Caller can force refetching of
187 * descriptions list from Cynara on each call.
189 * @throws std::out_of_range
191 * @param policyType Cynara policy result type.
192 * @param forceRefresh switch to force refetching of descriptions from Cynara.
194 std::string convertToPolicyDescription(const int policyType, bool forceRefresh = false);
197 * Function translates Cynara policy result string
198 * description to internal Cynara policy type integer.
199 * Descriptions are retrieved from Cynara using
200 * ListPoliciesDescriptions() function. Caller can force refetching of
201 * descriptions list from Cynara on each call.
203 * @throws std::out_of_range
205 * @param policy Cynara policy result string description.
206 * @param forceRefresh switch to force refetching of descriptions from Cynara.
208 int convertToPolicyType(const std::string &policy, bool forceRefresh = false);
211 * Ask Cynara for permission starting the search at specified bucket.
212 * Essentialy a wrapper on cynara_admin_check.
214 * @param label application Smack label
215 * @param privilege privilege string to match in search
216 * @param user user string to match in search
217 * @param bucket name of the bucket to search policies in
218 * @param result integer to return policy result
219 * @param resultExtra string to return additional information about policy
220 * result. If result is Bucket then resultExtra is the name of
222 * @param recursive flag to indicate if check should be done recursively in
223 * all buckets linked with bucket provided
225 void Check(const std::string &label,
226 const std::string &user,
227 const std::string &privilege,
228 const std::string &bucket,
230 std::string &resultExtra,
231 const bool recursive);
234 * Get current policy level for privilege-manager functionality
235 * Returns current policy value for given application, user and privilege
238 * @param label application Smack label
239 * @param user user identifier (uid)
240 * @param privilege privilege identifier
241 * @return current policy value
243 int GetPrivilegeManagerCurrLevel(const std::string &label, const std::string &user,
244 const std::string &privilege);
247 * Get maximum policy level for privilege-manager functionality
248 * Returns maximum possible policy value for given application, user and privilege
249 * identifiers. The maximum limit is imposed by other policy settings that are
250 * currently in place.
252 * @param label application Smack label
253 * @param user user identifier (uid)
254 * @param privilege privilege identifier
255 * @return maximum policy value for PRIVACY_MANAGER bucket
257 int GetPrivilegeManagerMaxLevel(const std::string &label, const std::string &user,
258 const std::string &privilege);
264 * Empty bucket using filter - matching rules will be removed
266 * @param bucketName name of the bucket to be emptied
267 * @param recursive flag to remove privileges recursively
268 * @param client client name
269 * @param user user name
270 * @param privilege privilege name
272 void EmptyBucket(const std::string &bucketName, bool recursive,
273 const std::string &client, const std::string &user, const std::string &privilege);
276 * Get Cynara policies result descriptions and cache them in std::map
278 * @param forceRefresh true if you want to reinitialize mappings
280 void FetchCynaraPolicyDescriptions(bool forceRefresh = false);
282 struct cynara_admin *m_CynaraAdmin;
284 static TypeToDescriptionMap TypeToDescription;
285 static DescriptionToTypeMap DescriptionToType;
286 bool m_policyDescriptionsInitialized;
294 static Cynara &getInstance();
297 * Ask Cynara for permission.
299 * @param label application Smack label
300 * @param privilege privilege identifier
301 * @param user user identifier (uid)
302 * @param session session identifier
303 * @return true if access is permitted, false if denied
305 bool check(const std::string &label, const std::string &privilege,
306 const std::string &user, const std::string &session);
310 struct cynara *m_Cynara;
314 } // namespace SecurityManager
316 #endif // _SECURITY_MANAGER_CYNARA_