TAO_Security: SL2_SecurityManager.cpp Source File

00001 // $Id: SL2_SecurityManager.cpp 78984 2007-07-23 05:33:48Z johnnyw $
00002 
00003 #include "orbsvcs/Security/SL2_SecurityManager.h"
00004 
00005 #include "tao/ORB_Constants.h"
00006 #include "ace/Functor.h"
00007 #include "tao/Object_KeyC.h"
00008 #include "tao/PortableServer/Root_POA.h"
00009 #include "tao/PortableServer/Object_Adapter.h"
00010 #include "tao/PortableServer/Creation_Time.h"
00011 
00012 ACE_RCSID (Security,
00013            SL2_SecurityManager,
00014            "$Id: SL2_SecurityManager.cpp 78984 2007-07-23 05:33:48Z johnnyw $")
00015 
00016 
00017 TAO_BEGIN_VERSIONED_NAMESPACE_DECL
00018 
00019 TAO::Security::SecurityManager::SecurityManager (/* unknown */)
00020   : principal_authenticator_ (SecurityLevel2::PrincipalAuthenticator::_nil ())
00021 {
00022   // this needs to change to access decision
00023   SecurityLevel2::AccessDecision_ptr ad;
00024   ACE_NEW_THROW_EX (ad,
00025                     TAO::Security::AccessDecision,
00026                     CORBA::NO_MEMORY (
00027                       CORBA::SystemException::_tao_minor_code (
00028                         TAO::VMCID,
00029                         ENOMEM),
00030                       CORBA::COMPLETED_NO));
00031 
00032   this->access_decision_ = ad;
00033 }
00034 
00035 TAO::Security::SecurityManager::~SecurityManager (void)
00036 {
00037 }
00038 
00039 Security::MechandOptionsList*
00040 TAO::Security::SecurityManager::supported_mechanisms ()
00041 {
00042   throw CORBA::NO_IMPLEMENT ();
00043 }
00044 
00045 SecurityLevel2::CredentialsList*
00046 TAO::Security::SecurityManager::own_credentials ()
00047 {
00048   throw CORBA::NO_IMPLEMENT ();
00049 }
00050 
00051 SecurityLevel2::RequiredRights_ptr
00052 TAO::Security::SecurityManager::required_rights_object ()
00053 {
00054   throw CORBA::NO_IMPLEMENT ();
00055 }
00056 
00057 SecurityLevel2::PrincipalAuthenticator_ptr
00058 TAO::Security::SecurityManager::principal_authenticator ()
00059 {
00060   return SecurityLevel2::PrincipalAuthenticator::_duplicate
00061     (this->principal_authenticator_.in () );
00062 }
00063 
00064 SecurityLevel2::AccessDecision_ptr
00065 TAO::Security::SecurityManager::access_decision ()
00066 {
00067   return SecurityLevel2::AccessDecision::_duplicate (this->access_decision_.in () );
00068 }
00069 
00070 SecurityLevel2::AuditDecision_ptr
00071 TAO::Security::SecurityManager::audit_decision ()
00072 {
00073   throw CORBA::NO_IMPLEMENT ();
00074 }
00075 
00076 SecurityLevel2::TargetCredentials_ptr
00077 TAO::Security::SecurityManager::get_target_credentials (CORBA::Object_ptr /*o*/)
00078 {
00079   throw CORBA::NO_IMPLEMENT ();
00080 }
00081 
00082 void
00083 TAO::Security::SecurityManager::remove_own_credentials
00084   (SecurityLevel2::Credentials_ptr /*creds*/)
00085 {
00086   throw CORBA::NO_IMPLEMENT ();
00087 }
00088 
00089 CORBA::Policy_ptr
00090 TAO::Security::SecurityManager::get_security_policy
00091 (CORBA::PolicyType /*policy_type */)
00092 {
00093   throw CORBA::NO_IMPLEMENT ();
00094 }
00095 
00096 /*
00097  * AccessDecision stuff below here
00098  */
00099 
00100 bool
00101 TAO::Security::AccessDecision::ReferenceKeyType::operator==
00102   (const ReferenceKeyType& other) const
00103 {
00104   ::CORBA::ULong olen = this->oid_->length();
00105   ::CORBA::ULong alen = this->adapter_id_->length();
00106 
00107   if (olen == other.oid_->length() &&
00108       alen == other.adapter_id_->length())
00109     return (ACE_OS::memcmp (this->oid_->get_buffer(),
00110                             other.oid_->get_buffer(),olen) == 0 &&
00111             ACE_OS::memcmp (this->adapter_id_->get_buffer(),
00112                             other.adapter_id_->get_buffer(),alen) == 0 &&
00113             ACE_OS_String::strcmp (this->orbid_.in(), other.orbid_.in()) == 0);
00114   return false;
00115 }
00116 
00117 CORBA::ULong
00118 TAO::Security::AccessDecision::ReferenceKeyType::hash () const
00119 {
00120   return 0;
00121 }
00122 
00123 TAO::Security::AccessDecision::ReferenceKeyType::operator const char* () const
00124 {
00125   return "<hardcoded refkey>";
00126 }
00127 
00128 TAO::Security::AccessDecision::AccessDecision ()
00129   : default_allowance_decision_ (false)
00130 {
00131 }
00132 
00133 TAO::Security::AccessDecision::~AccessDecision ()
00134 {
00135 }
00136 
00137 TAO::Security::AccessDecision::OBJECT_KEY
00138 TAO::Security::AccessDecision::map_key_from_objref (CORBA::Object_ptr /*obj */)
00139 {
00140   ACE_ERROR ((LM_ERROR, "map_key_from_objref is currently not implemented\n"));
00141   throw CORBA::NO_IMPLEMENT();
00142 
00143 //  OBJECT_KEY key;
00144 //  return key;
00145 }
00146 
00147 CORBA::Boolean
00148 TAO::Security::AccessDecision::access_allowed_i (OBJECT_KEY &key,
00149                                                  const char *operation_name)
00150 {
00151   // LOCK THE MAP!
00152   ACE_GUARD_RETURN (TAO_SYNCH_MUTEX, guard, this->map_lock_,
00153                     this->default_allowance_decision_);
00154 
00155   ACE_Hash<OBJECT_KEY> hash;
00156 
00157   // Look up the target in access_map_; if there, return the value,
00158   // otherwise return the default value.
00159   CORBA::Boolean access_decision;
00160   if (this->access_map_.find (key, access_decision) == -1)
00161     {
00162       // Couldn't find the IOR in the map, so we use the default
00163       access_decision = this->default_allowance_decision_;
00164       if (TAO_debug_level >= 3)
00165         ACE_DEBUG ((LM_DEBUG,
00166           "TAO (%P|%t) SL2_AccessDecision::access_decision(%x,%s)"
00167           " NOT FOUND using default %d\n",
00168           hash.operator()(key),
00169           operation_name, access_decision));
00170     }
00171   else if (TAO_debug_level >= 3)
00172     {
00173       ACE_DEBUG ((LM_DEBUG,
00174         "TAO (%P|%t) SL2_AccessDecision::access_decision(%x,%s)"
00175         " found with decision %d\n",
00176         hash.operator()(key),
00177         operation_name, access_decision));
00178     }
00179 
00180   // For now we just return the default.
00181   return access_decision;
00182 
00183 }
00184 
00185 CORBA::Boolean
00186 TAO::Security::AccessDecision::access_allowed_ex (
00187           const char * orb_id,
00188           const ::CORBA::OctetSeq & adapter_id,
00189           const ::CORBA::OctetSeq & object_id,
00190           const ::SecurityLevel2::CredentialsList & /*cred_list */,
00191           const char * operation_name)
00192 {
00193   OBJECT_KEY key;
00194   key.orbid_ = orb_id;
00195   key.adapter_id_ = adapter_id;
00196   key.oid_ = object_id;
00197 
00198   return this->access_allowed_i (key, operation_name);
00199 }
00200 
00201 CORBA::Boolean
00202 TAO::Security::AccessDecision::access_allowed
00203   (const ::SecurityLevel2::CredentialsList & /*cred_list */,
00204    ::CORBA::Object_ptr target,
00205    const char * operation_name,
00206    const char * /*target_interface_name */)
00207 {
00208   // @@ I still don't know what we do with the cred_list in here...
00209   // Do we inspect it?
00210 
00211   // Turn the target into what we'll use as a key into the map.
00212   OBJECT_KEY key = this->map_key_from_objref (target);
00213   return this->access_allowed_i (key, operation_name);
00214 }
00215 
00216 void
00217 TAO::Security::AccessDecision::add_object
00218   (const char * orb_id,
00219    const ::CORBA::OctetSeq & adapter_id,
00220    const ::CORBA::OctetSeq & object_id,
00221    CORBA::Boolean allow_insecure_access)
00222 {
00223   // make a key from 'obj'
00224   OBJECT_KEY key;
00225   key.orbid_ = orb_id;
00226   key.adapter_id_ = adapter_id;
00227   key.oid_ = object_id;
00228 
00229   // bind it into the access_map_, replacing anything that's there.
00230   // LOCK THE MAP!
00231   ACE_GUARD (TAO_SYNCH_MUTEX, guard, this->map_lock_);
00232 
00233   ACE_Hash<OBJECT_KEY> hash;
00234 
00235   // Since we want to replace any existing entry in the map, we just
00236   // use rebind.
00237   errno = 0; // Not sure if this gets set if rebind fails...it only
00238              // appears to fail when an allocation thru the allocator's
00239              // malloc() fails.  Depending on the malloc() implementation,
00240              // errno could get set OR an exception thrown.
00241   int ret = this->access_map_.rebind (key, allow_insecure_access);
00242   if (ret == -1)
00243     {
00244       // rebind shouldn't fail under normal circumstances
00245       if (TAO_debug_level > 1)
00246         ACE_DEBUG ((LM_DEBUG,
00247           "TAO (%P|%t): SL2_AccessDecision::add_object(%x,%d) "
00248           "unexpectedly failed (errno=%d)\n",
00249           hash.operator()(key),
00250           allow_insecure_access,
00251           errno));
00252       throw
00253         CORBA::NO_MEMORY(CORBA::SystemException::_tao_minor_code (TAO::VMCID,
00254                                                                   errno),
00255          CORBA::COMPLETED_NO);
00256     }
00257   else
00258     {
00259       if (TAO_debug_level >= 3)
00260         ACE_DEBUG ((LM_DEBUG,
00261                     "TAO (%P|%t): SL2_AccessDecision::add_object(%x,%d) okay\n",
00262                     hash.operator()(key),
00263                     allow_insecure_access));
00264     }
00265 }
00266 
00267 void
00268 TAO::Security::AccessDecision::remove_object
00269   (const char * orb_id,
00270    const ::CORBA::OctetSeq & adapter_id,
00271    const ::CORBA::OctetSeq & object_id)
00272 {
00273   OBJECT_KEY key;
00274   key.orbid_ = orb_id;
00275   key.adapter_id_ = adapter_id;
00276   key.oid_ = object_id;
00277 
00278   ACE_Hash<OBJECT_KEY> hash;
00279 
00280   // unbind it from access_map_, no matter if it's not in there...
00281   // LOCK THE MAP!
00282   ACE_GUARD (TAO_SYNCH_MUTEX, guard, this->map_lock_);
00283 
00284   errno = 0;
00285   int ret = this->access_map_.unbind (key);
00286   if (ret == -1)
00287     {
00288       if (errno == ENOENT)
00289         {
00290           // ignore b/c we don't care...maybe log a debug message for info
00291           if (TAO_debug_level >= 3)
00292             ACE_DEBUG ((LM_DEBUG,
00293                         "TAO (%P|%t): SL2_AccessDecision::remove_object(%x) "
00294                         "object not found in access map\n",
00295                         hash.operator()(key)));
00296         }
00297       else
00298         {
00299           if (TAO_debug_level > 0)
00300             ACE_DEBUG ((LM_DEBUG,
00301                         "TAO (%P|%t): SL2_AccessDecision::remove_object(%x) "
00302                         " unexpected error during unbind from map (errno=%d\n)",
00303                         hash.operator()(key),
00304                         errno));
00305           throw
00306             CORBA::UNKNOWN (CORBA::SystemException::_tao_minor_code (TAO::VMCID,
00307                                                                      errno),
00308                             CORBA::COMPLETED_NO);
00309         }
00310     }
00311 }
00312 
00313 CORBA::Boolean
00314 TAO::Security::AccessDecision::default_decision (void)
00315 {
00316   return this->default_allowance_decision_;
00317 }
00318 
00319 void
00320 TAO::Security::AccessDecision::default_decision (CORBA::Boolean d)
00321 {
00322   this->default_allowance_decision_ = d;
00323 }
00324 
00325 TAO_END_VERSIONED_NAMESPACE_DECL