
nordugrid-arc-nox  1.1.0~rc6
ArcSec::DenyOverridesCombiningAlg Class Reference

Implement the "Deny-Overrides" algorithm.

#include <DenyOverridesAlg.h>


Public Member Functions

 DenyOverridesCombiningAlg ()
virtual ~DenyOverridesCombiningAlg ()
virtual Result combine (EvaluationCtx *ctx, std::list< Policy * > policies)
 If any policy returns a negative evaluation result, skip the remaining policies and return DECISION_DENY.
virtual const std::string & getalgId (void) const
 Get the identifier.

Static Private Attributes

static std::string algId = "Deny-Overrides"

Detailed Description

Implement the "Deny-Overrides" algorithm.

Deny-Overrides scans the policy set passed to the "combine" method. If any policy returns "deny", it stops scanning and returns "deny". Otherwise it returns "permit" when at least one policy permitted, and falls back to not-applicable or indeterminate as shown in the combine implementation.

Definition at line 13 of file DenyOverridesAlg.h.

Constructor & Destructor Documentation

Definition at line 17 of file DenyOverridesAlg.h.


Definition at line 18 of file DenyOverridesAlg.h.


Member Function Documentation

Result ArcSec::DenyOverridesCombiningAlg::combine ( EvaluationCtx * ctx, std::list< Policy * > policies ) [virtual]

If any policy returns a negative evaluation result, skip the remaining policies and return DECISION_DENY.

Parameters:
    ctx       This object contains the request information that will be evaluated against the policy.
    policies  This is a container which contains policy objects.

Returns:
    The combined result according to the algorithm.

Implements ArcSec::CombiningAlg.

Definition at line 11 of file DenyOverridesAlg.cpp.

Result DenyOverridesCombiningAlg::combine(EvaluationCtx* ctx, std::list<Policy*> policies){
  bool atleast_onepermit = false;
  bool atleast_onenotapplicable = false;
  std::list<Policy*>::iterator it;
  for(it = policies.begin(); it != policies.end(); it++) {
    Policy* policy = *it;
    Result res = policy->eval(ctx);

    //If we get DECISION_DENY, then regardless of what else results from the other Rules,
    //always return DENY
    if(res == DECISION_DENY)
      return DECISION_DENY;

    //If we get DECISION_NOT_APPLICABLE (this usually happens when an Attribute with the corresponding
    //AttributeId can be found in the RequestItem, but the value does not match).
    if(res == DECISION_NOT_APPLICABLE)
      atleast_onenotapplicable = true;
    //Keep track of whether we had at least one rule that pertained to the request
    else if(res == DECISION_PERMIT)
      atleast_onepermit = true;
  }
  //Some Rule said PERMIT, so since nothing could have denied, return PERMIT
  if(atleast_onepermit) return DECISION_PERMIT;

  //No Rule said DENY, none of the rules actually applied, return NOT_APPLICABLE
  if(atleast_onenotapplicable) return DECISION_NOT_APPLICABLE;

  //If here, there is a problem with one of the Rules, so return INDETERMINATE
  return DECISION_INDETERMINATE;
}
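
The decision order of combine() on constructed inputs, as an added example that is not part of the ARC sources. StubPolicy, Outcome, combineDenyOverrides, run and isAuthorized are hypothetical names, and the Result enum is a local stand-in modelled on the decision names used on this page.

```cpp
// Added example: stand-alone model of the combine() decision order shown above.
// StubPolicy, Outcome, combineDenyOverrides, run and isAuthorized are
// hypothetical names for illustration; they are not part of ARC.
#include <cstddef>
#include <list>
#include <vector>

enum Result { DECISION_PERMIT, DECISION_DENY, DECISION_INDETERMINATE, DECISION_NOT_APPLICABLE };

// Constructed stand-in for a policy: fixed result, records whether it was evaluated.
struct StubPolicy {
  Result fixed;
  bool evaluated;
  StubPolicy(Result r) : fixed(r), evaluated(false) {}
  Result eval() { evaluated = true; return fixed; }
};

// Same decision order as combine(): the first DENY wins, then any PERMIT,
// then NOT_APPLICABLE, otherwise INDETERMINATE.
Result combineDenyOverrides(std::list<StubPolicy*> policies) {
  bool atleast_onepermit = false, atleast_onenotapplicable = false;
  for (std::list<StubPolicy*>::iterator it = policies.begin(); it != policies.end(); ++it) {
    Result res = (*it)->eval();
    if (res == DECISION_DENY) return DECISION_DENY;
    if (res == DECISION_NOT_APPLICABLE) atleast_onenotapplicable = true;
    else if (res == DECISION_PERMIT) atleast_onepermit = true;
  }
  if (atleast_onepermit) return DECISION_PERMIT;
  if (atleast_onenotapplicable) return DECISION_NOT_APPLICABLE;
  return DECISION_INDETERMINATE;
}

// Combined decision plus the number of stub policies that were evaluated.
struct Outcome { Result decision; int evaluated; };

Outcome run(const std::vector<Result>& results) {
  std::vector<StubPolicy> owned(results.begin(), results.end());
  std::list<StubPolicy*> policies;
  for (std::size_t i = 0; i < owned.size(); ++i) policies.push_back(&owned[i]);
  Outcome out = { combineDenyOverrides(policies), 0 };
  for (std::size_t i = 0; i < owned.size(); ++i) if (owned[i].evaluated) ++out.evaluated;
  return out;
}

// Fail-closed caller: only an explicit PERMIT grants access, so an empty
// policy list or an INDETERMINATE result never lets a request through.
bool isAuthorized(const std::vector<Result>& results) {
  return run(results).decision == DECISION_PERMIT;
}

int main() { return isAuthorized(std::vector<Result>(1, DECISION_DENY)) ? 1 : 0; }
```

Policies listed after a DENY are never evaluated, and an INDETERMINATE result is masked when another policy in the same list permits, so the caller should treat every result other than DECISION_PERMIT as a refusal.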


virtual const std::string& ArcSec::DenyOverridesCombiningAlg::getalgId ( void  ) const [inline, virtual]

Get the identifier.

Implements ArcSec::CombiningAlg.

Definition at line 31 of file DenyOverridesAlg.h.

{return algId;};

Member Data Documentation

std::string ArcSec::DenyOverridesCombiningAlg::algId = "Deny-Overrides" [static, private]

Definition at line 15 of file DenyOverridesAlg.h.

The documentation for this class was generated from the following files: