Back to index

nordugrid-arc-nox  1.1.0~rc6
Public Member Functions | Static Public Member Functions | Protected Attributes | Static Protected Attributes | Private Attributes
ArcSec::DelegationPDP Class Reference

DeleagtionPDP - PDP which can handle the Arc specific request and policy provided as identity delegation policy. More...

#include <DelegationPDP.h>

Inheritance diagram for ArcSec::DelegationPDP:
Inheritance graph
[legend]
Collaboration diagram for ArcSec::DelegationPDP:
Collaboration graph
[legend]

List of all members.

Public Member Functions

 DelegationPDP (Arc::Config *cfg)
virtual ~DelegationPDP ()
virtual bool isPermitted (Arc::Message *msg) const
void SetId (std::string &id)
std::string GetId ()

Static Public Member Functions

static Arc::Pluginget_delegation_pdp (Arc::PluginArgument *arg)

Protected Attributes

std::string id_

Static Protected Attributes

static Arc::Logger logger

Private Attributes

std::list< std::string > select_attrs
std::list< std::string > reject_attrs

Detailed Description

DeleagtionPDP - PDP which can handle the Arc specific request and policy provided as identity delegation policy.

Definition at line 14 of file DelegationPDP.h.


Constructor & Destructor Documentation

Definition at line 39 of file DelegationPDP.cpp.

                                       :PDP(cfg) {
  XMLNode pdp_node(*cfg);
  XMLNode filter = (*cfg)["Filter"];
  if((bool)filter) {
    XMLNode select_attr = filter["Select"];
    XMLNode reject_attr = filter["Reject"];
    for(;(bool)select_attr;++select_attr) select_attrs.push_back((std::string)select_attr);
    for(;(bool)reject_attr;++reject_attr) reject_attrs.push_back((std::string)reject_attr);
  };
}

Definition at line 50 of file DelegationPDP.cpp.

                             {
}

Member Function Documentation

Definition at line 32 of file DelegationPDP.cpp.

                                                             {
    PDPPluginArgument* pdparg =
            arg?dynamic_cast<PDPPluginArgument*>(arg):NULL;
    if(!pdparg) return NULL;
    return new DelegationPDP((Config*)(*pdparg));
}
std::string ArcSec::PDP::GetId ( ) [inline, inherited]

Definition at line 88 of file PDP.h.

{ return id_; };
bool ArcSec::DelegationPDP::isPermitted ( Arc::Message msg) const [virtual]

Implements ArcSec::PDP.

Definition at line 53 of file DelegationPDP.cpp.

                                                  {
  MessageAuth* mauth = msg->Auth()->Filter(select_attrs,reject_attrs);
  MessageAuth* cauth = msg->AuthContext()->Filter(select_attrs,reject_attrs);
  if((!mauth) && (!cauth)) {
    logger.msg(ERROR,"Missing security object in message");
    return false;
  };

  // Extract policies
  // TODO: Probably make MessageAuth do it or there should be some other way
  //       to avoid multiple extraction of same object.
  // Currently delegated policies are simply stored under special name "DELEGATION POLICY"
  // To have multiple policies in same object MultiSecAttr class may be used. Then
  // Policies are catenated under top-level element "Policies".
  // Otherwise in case of single policy (current implementation) top-level element is "Policy".

  bool result = false;
  Evaluator* eval = NULL;
  try {
    SecAttr* mpolicy_attr = mauth?(*mauth)["DELEGATION POLICY"]:NULL;
    SecAttr* cpolicy_attr = cauth?(*cauth)["DELEGATION POLICY"]:NULL;
    if((cpolicy_attr == NULL) && (mpolicy_attr == NULL)) {
      logger.msg(INFO,"No delegation policies in this context and message - passing through");
      result=true; throw std::exception();
    };

    // Create evaluator
    std::string evaluator = "arc.evaluator";
    EvaluatorLoader eval_loader;
    eval = eval_loader.getEvaluator(evaluator);
    if(!eval) {
      logger.msg(ERROR, "Can not dynamically produce Evaluator");
      throw std::exception();
    };
    // Just make sure algorithm is proper one
    eval->setCombiningAlg(EvaluatorFailsOnDeny);

    // Add policies to evaluator
    int policies_num = 0;
    if(mpolicy_attr) {
      NS ns; XMLNode policyxml(ns,"");
      if(!mpolicy_attr->Export(SecAttr::ARCAuth,policyxml)) {
        logger.msg(ERROR,"Failed to convert security information to ARC policy");
        throw std::exception();
      };
      if(policyxml.Name() == "Policy") {
        eval->addPolicy(policyxml); ++policies_num;
      } else if(policyxml.Name() == "Policies") {
        for(XMLNode p = policyxml["Policy"];(bool)p;++p) {
          eval->addPolicy(p); ++policies_num;
        };
      };
    };
    if(cpolicy_attr) {
      NS ns; XMLNode policyxml(ns,"");
      if(!cpolicy_attr->Export(SecAttr::ARCAuth,policyxml)) {
        logger.msg(ERROR,"Failed to convert security information to ARC policy");
        throw std::exception();
      };
      if(policyxml.Name() == "Policy") {
        eval->addPolicy(policyxml); ++policies_num;
        {
          std::string s; policyxml.GetXML(s);
          logger.msg(DEBUG,"ARC delegation policy: %s",s);
        };
      } else if(policyxml.Name() == "Policies") {
        for(XMLNode p = policyxml["Policy"];(bool)p;++p) {
          eval->addPolicy(p); ++policies_num;
          {
            std::string s; policyxml.GetXML(s);
            logger.msg(DEBUG,"ARC delegation policy: %s",s);
          };
        };
      };
    };
    if(policies_num == 0) {
      logger.msg(INFO,"No delegation policies in this context and message - passing through");
      result=true; throw std::exception();
    };

    // Generate request
    NS ns; XMLNode requestxml(ns,"");
    if(mauth) {
      if(!mauth->Export(SecAttr::ARCAuth,requestxml)) {
        logger.msg(ERROR,"Failed to convert security information to ARC request");
        throw std::exception();
      };
    };
    if(cauth) {
      if(!cauth->Export(SecAttr::ARCAuth,requestxml)) {
        logger.msg(ERROR,"Failed to convert security information to ARC request");
        throw std::exception();
      };
    };
    {
      std::string s;
      requestxml.GetXML(s);
      logger.msg(DEBUG,"ARC Auth. request: %s",s);
    };
    if(requestxml.Size() <= 0) {
      logger.msg(ERROR,"No requested security information was collected");
      throw std::exception();
    };

   
    //Call the evaluation functionality inside Evaluator
    Response *resp = eval->evaluate(requestxml);
    logger.msg(INFO, "There are %d requests, which satisfy at least one policy", (resp->getResponseItems()).size());
    bool atleast_onedeny = false;
    bool atleast_onepermit = false;
    if(!resp) {
      logger.msg(ERROR,"No authorization response was returned");
      throw std::exception();
    };

    ResponseList rlist = resp->getResponseItems();
    int size = rlist.size();
    for(int i = 0; i < size; i++) {
      ResponseItem* item = rlist[i];
      RequestTuple* tp = item->reqtp;
      if(item->res == DECISION_DENY) atleast_onedeny = true;
      if(item->res == DECISION_PERMIT) atleast_onepermit = true;
    }
    delete resp;

    if(atleast_onepermit) result = true;
    if(atleast_onedeny) result = false;

  } catch(std::exception&) {
  };
  if(result) {
    logger.msg(INFO, "Delegation authorization passed");
  } else {
    logger.msg(INFO, "Delegation authorization failed");
  };
  if(mauth) delete mauth;
  if(cauth) delete cauth;
  if(eval) delete eval;
  return result;
}

Here is the call graph for this function:

void ArcSec::PDP::SetId ( std::string &  id) [inline, inherited]

Definition at line 87 of file PDP.h.

{ id_ = id; };

Member Data Documentation

std::string ArcSec::PDP::id_ [protected, inherited]

Definition at line 88 of file PDP.h.

Reimplemented from ArcSec::PDP.

Definition at line 24 of file DelegationPDP.h.

std::list<std::string> ArcSec::DelegationPDP::reject_attrs [private]

Definition at line 22 of file DelegationPDP.h.

std::list<std::string> ArcSec::DelegationPDP::select_attrs [private]

Definition at line 21 of file DelegationPDP.h.


The documentation for this class was generated from the following files: