
nordugrid-arc-nox  1.1.0~rc6
ArcSec::GACLPolicy Class Reference

#include <GACLPolicy.h>


Public Member Functions

 GACLPolicy (void)
 GACLPolicy (const Source &source)
 GACLPolicy (const Arc::XMLNode source)
virtual ~GACLPolicy ()
virtual operator bool (void) const
 Returns true if the object is valid.
virtual Result eval (EvaluationCtx *ctx)
 Evaluate the policy. For the <Rule> of Arc, only get the "Effect" from the rules; for the <Policy> of Arc, combine the evaluation results of its <Rule> elements; for the <Rule> of XACML, evaluate the <Condition> node using information from the request and use the "Effect" attribute of the <Rule>; for the <Policy> of XACML, combine the evaluation results of its <Rule> elements.
virtual MatchResult match (EvaluationCtx *ctx)
 Evaluate whether the two targets match each other.
virtual std::string getEffect () const
 Get the "Effect" attribute.
virtual EvalResult & getEvalResult ()
 Get the evaluation result.
virtual void setEvalResult (EvalResult &res)
 Set the evaluation result.
Arc::XMLNode getXML (void)
virtual const char * getEvalName () const
 Get the name of the Evaluator that can evaluate this policy.
virtual const char * getName () const
 Get the name of this policy.
virtual void addPolicy (Policy *pl)
 Add a policy element into "this" object.
virtual void setEvaluatorContext (EvaluatorContext *)
 Set the Evaluator Context used when creating low-level policy objects.
virtual void make_policy ()
 Parse XMLNode, and construct the low-level Rule object.

Static Public Member Functions

static Arc::Plugin * get_policy (Arc::PluginArgument *arg)

Protected Attributes

std::list< Policy * > subelements

Static Protected Attributes

static Arc::Logger logger

Private Attributes

EvalResult evalres
Arc::XMLNode policynode

Detailed Description

Definition at line 8 of file GACLPolicy.h.


Constructor & Destructor Documentation

GACLPolicy::GACLPolicy ( void )

Definition at line 39 of file GACLPolicy.cpp.

GACLPolicy::GACLPolicy(void) : Policy() {
  NS ns;
  // An empty policy document: a bare <gacl/> root with no entries.
  policynode.Replace(XMLNode(ns,"gacl"));
}

GACLPolicy::GACLPolicy ( const Source & source)

Definition at line 56 of file GACLPolicy.cpp.

GACLPolicy::GACLPolicy(const Source& source) : Policy(source.Get()) {
  XMLNode node = source.Get();
  if((!node) || (node.Size() == 0)) {
    logger.msg(ERROR,"Policy is empty");
    return;
  };
  // Only a <gacl> root is accepted; anything else leaves the object invalid.
  if(node.Name() != "gacl") {
    logger.msg(ERROR,"Policy is not gacl");
    return;
  };
  node.New(policynode);
}

GACLPolicy::GACLPolicy ( const Arc::XMLNode node)

Definition at line 44 of file GACLPolicy.cpp.

GACLPolicy::GACLPolicy(const XMLNode node) : Policy(node) {
  if((!node) || (node.Size() == 0)) {
    logger.msg(ERROR,"Policy is empty");
    return;
  };
  // Only a <gacl> root is accepted; anything else leaves the object invalid.
  if(node.Name() != "gacl") {
    logger.msg(ERROR,"Policy is not gacl");
    return;
  };
  node.New(policynode);
}

GACLPolicy::~GACLPolicy ( ) [virtual]

Definition at line 165 of file GACLPolicy.cpp.

GACLPolicy::~GACLPolicy() {
}

Member Function Documentation

virtual void ArcSec::Policy::addPolicy ( Policy * pl) [inline, virtual, inherited]

Add a policy element into "this" object.

Definition at line 64 of file Policy.h.

{subelements.push_back(pl);};

Result GACLPolicy::eval ( EvaluationCtx * ctx) [virtual]

Evaluate the policy. For the <Rule> of Arc, only get the "Effect" from the rules; for the <Policy> of Arc, combine the evaluation results of its <Rule> elements; for the <Rule> of XACML, evaluate the <Condition> node using information from the request and use the "Effect" attribute of the <Rule>; for the <Policy> of XACML, combine the evaluation results of its <Rule> elements.

Implements ArcSec::Policy.

Definition at line 99 of file GACLPolicy.cpp.

Result GACLPolicy::eval(EvaluationCtx* ctx) {
  if(!ctx) return DECISION_INDETERMINATE;
  Request* req = ctx->getRequest();
  if(!req) return DECISION_INDETERMINATE;
  GACLRequest* greq = dynamic_cast<GACLRequest*>(req);
  if(!greq) return DECISION_INDETERMINATE;
  // Although it is possible to split GACL request and policy to 
  // attributes current implementation simply evaluates XMLs directly.
  // Doing it "right way" is TODO.
  //Result result = DECISION_DENY;
  XMLNode requestentry = greq->getXML();
  if(requestentry.Name() == "gacl") requestentry=requestentry["entry"];
  if(requestentry.Name() != "entry") return DECISION_INDETERMINATE;
  for(;(bool)requestentry;++requestentry) {
    XMLNode policyentry = policynode["entry"];  
    std::list<std::string> allow;
    std::list<std::string> deny;
    for(;(bool)policyentry;++policyentry) {
      bool matched = false;
      for(int n = 0;;++n) {
        XMLNode pid = policyentry.Child(n);
        if(!pid) break;
        if(pid.Name() == "allow") continue;
        if(pid.Name() == "deny") continue;
        if(pid.Name() == "any-user") { matched=true; break; };
        // TODO: somehow check if user really authenticated
        if(pid.Name() == "auth-user") { matched=true; break; };
        XMLNode rid = requestentry[pid.Name()];
        for(;(bool)rid;++rid) {
          if(CompareIdentity(pid,rid)) break;
        };
        if((bool)rid) { matched=true; break; };
      };
      if(matched) {
        XMLNode pallow = policyentry["allow"];
        XMLNode pdeny  = policyentry["deny"];
        CollectActions(pallow,allow);
        CollectActions(pdeny,deny);
      };
    };
    allow.sort(); allow.unique();
    deny.sort();  deny.unique();
    if(allow.empty()) return DECISION_DENY;
    std::list<std::string> rallow;
    CollectActions(requestentry["allow"],rallow);
    if(rallow.empty()) return DECISION_DENY; // Unlikely to happen 
    std::list<std::string>::iterator act = rallow.begin();
    for(;act!=rallow.end();++act) {
      if(!FindAction(*act,allow)) break;
      if(FindAction(*act,deny)) break;
    };
    if(act != rallow.end()) return DECISION_DENY;
    //if(act == rallow.end()) result=DECISION_PERMIT;
  };
  return DECISION_PERMIT;
  //return result;
}
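The decision rules of eval() above, re-expressed as an added stand-alone example that is not code from the nordugrid-arc-nox project: plain structs stand in for Arc::XMLNode, CollectActions and FindAction, one request entry is evaluated, and the null-context checks that yield DECISION_INDETERMINATE are omitted. The sample policy, the identities and the blacklist dn-list URL are constructed for illustration.

```cpp
#include <algorithm>
#include <string>
#include <vector>
// Added example, not project code: the decision rules of GACLPolicy::eval()
// above over plain structs instead of Arc::XMLNode, so they run stand-alone.
enum Decision { PERMIT, DENY };
struct Cred { std::string type, value; };   // e.g. {"person", "/O=Grid/CN=Alice"}
struct PolicyEntry {
  std::vector<Cred> ids;                    // "any-user", "auth-user" or typed identities
  std::vector<std::string> allow, deny;     // actions granted / refused to matching users
};
struct RequestEntry {
  std::vector<Cred> ids;                    // identities the requester presents
  std::vector<std::string> allow;           // actions the requester asks for
};
// Matching loop of eval(): any-user and auth-user match unconditionally; any
// other identity must equal (type and value) one carried by the request.
static bool entryMatches(const PolicyEntry& pe, const RequestEntry& re) {
  for (const Cred& pid : pe.ids) {
    if (pid.type == "any-user" || pid.type == "auth-user") return true;
    for (const Cred& rid : re.ids)
      if (rid.type == pid.type && rid.value == pid.value) return true;
  }
  return false;
}
static bool has(const std::vector<std::string>& v, const std::string& s) {
  return std::find(v.begin(), v.end(), s) != v.end();
}
// Decision for one request entry: every requested action must be allowed by
// some matching entry and denied by none, so one deny overrides any allow.
Decision evalGacl(const std::vector<PolicyEntry>& policy, const RequestEntry& re) {
  std::vector<std::string> allow, deny;
  for (const PolicyEntry& pe : policy) {
    if (!entryMatches(pe, re)) continue;
    allow.insert(allow.end(), pe.allow.begin(), pe.allow.end());
    deny.insert(deny.end(), pe.deny.begin(), pe.deny.end());
  }
  if (allow.empty() || re.allow.empty()) return DENY;  // nothing granted or nothing asked
  for (const std::string& act : re.allow)
    if (!has(allow, act) || has(deny, act)) return DENY;
  return PERMIT;
}
// Constructed sample: all may read, Alice may also write/list, blacklist members may not write.
std::vector<PolicyEntry> samplePolicy() {
  return {
    { {{"any-user", ""}},                             {"read"},          {} },
    { {{"person", "/O=Grid/CN=Alice"}},               {"write", "list"}, {} },
    { {{"dn-list", "https://example.org/blacklist"}}, {},                {"write"} },
  };
}
```

Note that in this model, as in eval(), a request naming no action at all is denied rather than trivially permitted, and an identity matched by both an allowing and a denying entry loses the denied action.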

Arc::Plugin * GACLPolicy::get_policy ( Arc::PluginArgument * arg) [static]

Definition at line 12 of file GACLPolicy.cpp.

Arc::Plugin* ArcSec::GACLPolicy::get_policy(Arc::PluginArgument* arg) {
  if(arg==NULL) return NULL;
  Arc::ClassLoaderPluginArgument* clarg =
          arg?dynamic_cast<Arc::ClassLoaderPluginArgument*>(arg):NULL;
  if(!clarg) return NULL;
  Arc::XMLNode* doc = (Arc::XMLNode*)(*clarg);
  if(doc==NULL) {
    std::cerr<<"GACLPolicy creation needs XMLNode as argument"<<std::endl;
    return NULL;
  };
  if(!(*doc)) return new ArcSec::GACLPolicy;
  ArcSec::GACLPolicy* policy = new ArcSec::GACLPolicy(*doc);
  if(!(*policy)) {
    delete policy;
    return NULL;
  };
  return policy;
}


virtual std::string ArcSec::GACLPolicy::getEffect ( ) const [inline, virtual]

Get the "Effect" attribute.

Implements ArcSec::Policy.

Definition at line 24 of file GACLPolicy.h.

{ return ""; };
virtual const char* ArcSec::GACLPolicy::getEvalName ( ) const [inline, virtual]

Get the name of Evaluator which can evaluate this policy.

Implements ArcSec::Policy.

Definition at line 32 of file GACLPolicy.h.

{ return "gacl.evaluator"; };

EvalResult & GACLPolicy::getEvalResult ( ) [virtual]

Get the evaluation result.

Implements ArcSec::Policy.

Definition at line 157 of file GACLPolicy.cpp.

EvalResult& GACLPolicy::getEvalResult() {
  return evalres;
}
virtual const char* ArcSec::GACLPolicy::getName ( ) const [inline, virtual]

Get the name of this policy.

Implements ArcSec::Policy.

Definition at line 34 of file GACLPolicy.h.

{ return "gacl.policy"; };

Arc::XMLNode ArcSec::GACLPolicy::getXML ( void ) [inline]

Definition at line 30 of file GACLPolicy.h.

{ return policynode; };
virtual void ArcSec::Policy::make_policy ( ) [inline, virtual, inherited]

Parse XMLNode, and construct the low-level Rule object.

Reimplemented in ArcSec::XACMLPolicy, and ArcSec::ArcPolicy.

Definition at line 70 of file Policy.h.

{};

virtual MatchResult ArcSec::GACLPolicy::match ( EvaluationCtx * ) [inline, virtual]

Evaluate whether the two targets match each other.

Implements ArcSec::Policy.

Definition at line 22 of file GACLPolicy.h.

{ };
virtual ArcSec::GACLPolicy::operator bool ( void  ) const [inline, virtual]

Returns true if the object is valid.

Implements ArcSec::Policy.

Definition at line 18 of file GACLPolicy.h.

{ return (bool)policynode; };
void GACLPolicy::setEvalResult ( EvalResult & res) [virtual]

Set the evaluation result.

Implements ArcSec::Policy.

Definition at line 161 of file GACLPolicy.cpp.

void GACLPolicy::setEvalResult(EvalResult& res) {
  evalres = res;
}
virtual void ArcSec::Policy::setEvaluatorContext ( EvaluatorContext * ) [inline, virtual, inherited]

Set the Evaluator Context used when creating low-level policy objects.

Reimplemented in ArcSec::XACMLPolicy, and ArcSec::ArcPolicy.

Definition at line 67 of file Policy.h.

{};



Member Data Documentation

EvalResult ArcSec::GACLPolicy::evalres [private]

Definition at line 40 of file GACLPolicy.h.

Arc::Logger ArcSec::GACLPolicy::logger [static, protected]

Reimplemented from ArcSec::Policy.

Definition at line 45 of file GACLPolicy.h.

Arc::XMLNode ArcSec::GACLPolicy::policynode [private]

Definition at line 42 of file GACLPolicy.h.

std::list<Policy*> ArcSec::Policy::subelements [protected, inherited]

Definition at line 26 of file Policy.h.
