Another commit that doesn't completely compile. More work needs to be done

in the implementation for add/remove_object() in order to divine the tuple
that's used for identifying a reference.

M    TAO/orbsvcs/orbsvcs/SecurityLevel2.idl

     Modified the IDL so that there's a TAO-specific AccessDecision
     with the extended access_allowed() operation.

M    TAO/orbsvcs/orbsvcs/Security/SL2_SecurityManager.h
M    TAO/orbsvcs/orbsvcs/Security/SL2_SecurityManager.cpp

     Mods to use/implement the new access_allowed/tao-specific access decision.

M    TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Invocation_Interceptor.cpp

     Beginning of changes to use the new access_allowed/access decision.

4 files changed, 79 insertions, 148 deletions

diff --git a/TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Invocation_Interceptor.cpp b/TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Invocation_Interceptor.cpp
index 1b8e35a91bb..a7293f1b11b 100644
--- a/TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Invocation_Interceptor.cpp
+++ b/TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Invocation_Interceptor.cpp
@@ -57,11 +57,16 @@ TAO::SSLIOP::Server_Invocation_Interceptor::Server_Invocation_Interceptor
 
   if (! CORBA::is_nil (this->sec2manager_.in ()))
     {
-      // set the slot id?
+      // set the slot id?  things seem to work without doing this
     }
 
+#if 0
+  // Don't need this now that we're not using access_allowed(), but
+  // I'm leaving the code here just in case it would become convenient
+  // for some other use.
   obj = info->resolve_initial_references ("POACurrent");
   this->poa_current_ = PortableServer::Current::_narrow (obj.in ());
+#endif
 }
 
 TAO::SSLIOP::Server_Invocation_Interceptor::~Server_Invocation_Interceptor (
@@ -84,87 +89,6 @@ void
 TAO::SSLIOP::Server_Invocation_Interceptor::receive_request_service_contexts (
                                               PortableInterceptor::ServerRequestInfo_ptr /*ri*/)
 {
-  // The current upcall is not being performed through an SSL
-  // connection.  If server is configured to disallow insecure
-  // invocations then throw a CORBA::NO_PERMISSION exception.
-  // @@ TODO: Once the SecurityManager is implemented, query it
-  //          for the current object's
-  //          SecureInvocationPolicy of type
-  //          SecTargetSecureInvocationPolicy so that we can
-  //          accept or reject requests on a per-object basis
-  //          instead on a per-endpoint basis.
-#if 0
-  CORBA::Boolean const no_ssl = this->ssliop_current_->no_context ();
-
-  if (TAO_debug_level >= 3)
-    ACE_DEBUG ((LM_DEBUG, "SSLIOP (%P|%t) Interceptor (context), ssl=%d\n", !(no_ssl)));
-
-  if (no_ssl && this->qop_ != ::Security::SecQOPNoProtection)
-    throw CORBA::NO_PERMISSION ();
-#endif
-#if defined(SSLIOP_DEBUG_PEER_CERTIFICATE)
-  try
-    {
-      // If the request was not made through an SSL connection, then
-      // this method will throw the SSLIOP::Current::NoContext
-      // exception. Otherwise, it will return a DER encoded X509
-      // certificate.
-      ::SSLIOP::ASN_1_Cert_var cert =
-        this->ssliop_current_->get_peer_certificate ();
-
-      // @@ The following debugging code works but I don't think that
-      //    we should include it since it dumps alot of information,
-      //    i.e. prints two lines of information per request.
-      if (TAO_debug_level > 1)
-        {
-          const CORBA::Octet *der_cert = cert->get_buffer ();
-
-          ::X509 *peer = ::d2i_X509 (0, &der_cert, cert->length ());
-          if (peer != 0)
-            {
-              char buf[BUFSIZ] = { 0 };
-
-              ::X509_NAME_oneline (::X509_get_subject_name (peer),
-                                   buf,
-                                   BUFSIZ);
-
-              ACE_DEBUG ((LM_DEBUG,
-                          "(%P|%t) Certificate subject: %s\n",
-                          buf));
-
-              ::X509_NAME_oneline (::X509_get_issuer_name (peer),
-                                   buf,
-                                   BUFSIZ);
-
-              ACE_DEBUG ((LM_DEBUG,
-                          "(%P|%t) Certificate issuer: %s\n",
-                          buf));
-
-
-              ::X509_free (peer);
-            }
-          else
-            {
-              ACE_DEBUG ((LM_DEBUG,
-                          "(%P|%t) No certificate info\n"));
-            }
-        }
-    }
-  catch (const ::SSLIOP::Current::NoContext& )
-    {
-      // The current upcall is not being performed through an SSL
-      // connection.  If server is configured to disallow insecure
-      // invocations then throw a CORBA::NO_PERMISSION exception.
-      // @@ TODO: Once the SecurityManager is implemented, query it
-      //          for the current object's
-      //          SecureInvocationPolicy of type
-      //          SecTargetSecureInvocationPolicy so that we can
-      //          accept or reject requests on a per-object basis
-      //          instead on a per-endpoint basis.
-      if (this->qop_ != ::Security::SecQOPNoProtection)
-        throw CORBA::NO_PERMISSION ();
-    }
-#endif /* SSLIOP_DEBUG_PEER_CERTIFICATE */
 }
 
 
@@ -172,9 +96,10 @@ void
 TAO::SSLIOP::Server_Invocation_Interceptor::receive_request (
     PortableInterceptor::ServerRequestInfo_ptr ri )
 {
-  SecurityLevel2::AccessDecision_var ad =
+  SecurityLevel2::AccessDecision_var ad_tmp =
     this->sec2manager_->access_decision ();
-
+  TAO::SL2::AccessDecision_var ad =
+    TAO::SL2::AccessDecision::_narrow (ad_tmp.in ());
   
   CORBA::Boolean const no_ssl =
     this->ssliop_current_->no_context ();
@@ -221,21 +146,22 @@ TAO::SSLIOP::Server_Invocation_Interceptor::receive_request (
       }
 #endif
 
-      /* Get the target object */
-      CORBA::Object_var target = CORBA::Object::_nil ();
-
-      target = this->poa_current_->get_reference ();
+      /* Gather the elements that uniquely identify the target object */
+      CORBA::ORBid_var orb_id = ri->orbid ();
+      CORBA::OctetSeq_var adapter_id = ri->adapter_id ();
+      CORBA::OctetSeq_var object_id = ri->object_id ();
 
       CORBA::String_var operation_name = ri->operation ();
-      CORBA::String_var target_interface_name = ri->target_most_derived_interface(); // is this the repository ID?
 
       CORBA::Boolean it_should_happen = false;
-      it_should_happen = ad->access_allowed (cred_list,
-					     target.in(),
-					     operation_name.in(),
-					     target_interface_name.in());
+      it_should_happen = ad->access_allowed_ex (orb_id.in (),
+						adapter_id.in (),
+						object_id.in (),
+						cred_list.in (),
+						operation_name.in());
       if (TAO_debug_level >= 3)
-	ACE_DEBUG ((LM_DEBUG, "TAO (%P|%t) SL2::access_allowed returned %s\n",
+	ACE_DEBUG ((LM_DEBUG,
+		    "TAO (%P|%t) SL2::access_allowed_ex returned %s\n",
 		    it_should_happen ? "true" : "false"));
 
       if (! it_should_happen)
diff --git a/TAO/orbsvcs/orbsvcs/Security/SL2_SecurityManager.cpp b/TAO/orbsvcs/orbsvcs/Security/SL2_SecurityManager.cpp
index b33ebbf1491..6b0b4bfb15c 100644
--- a/TAO/orbsvcs/orbsvcs/Security/SL2_SecurityManager.cpp
+++ b/TAO/orbsvcs/orbsvcs/Security/SL2_SecurityManager.cpp
@@ -11,19 +11,6 @@ ACE_RCSID (Security,
 
 TAO_BEGIN_VERSIONED_NAMESPACE_DECL
 
-unsigned long
-ACE_Hash<CORBA::Object_var>::operator() (const CORBA::Object_var& o) const
-{
-  return o->_hash ((CORBA::ULong)-1);
-}
-
-int
-ACE_Equal_To<CORBA::Object_var>::operator () (const CORBA::Object_var& lhs,
-					      const CORBA::Object_var& rhs) const
-{
-  return lhs->_is_equivalent (rhs.in ());
-}
-
 TAO::Security::SecurityManager::SecurityManager (/* unknown */)
   : principal_authenticator_ (SecurityLevel2::PrincipalAuthenticator::_nil ())
 {
@@ -46,28 +33,24 @@ TAO::Security::SecurityManager::~SecurityManager (void)
 
 Security::MechandOptionsList*
 TAO::Security::SecurityManager::supported_mechanisms ()
-  ACE_THROW_SPEC ((CORBA::SystemException))
 {
   throw CORBA::NO_IMPLEMENT ();
 }
 
 SecurityLevel2::CredentialsList*
 TAO::Security::SecurityManager::own_credentials ()
-  ACE_THROW_SPEC ((CORBA::SystemException))
 {
   throw CORBA::NO_IMPLEMENT ();
 }
 
 SecurityLevel2::RequiredRights_ptr
 TAO::Security::SecurityManager::required_rights_object ()
-  ACE_THROW_SPEC ((CORBA::SystemException))
 {
   throw CORBA::NO_IMPLEMENT ();
 }
 
 SecurityLevel2::PrincipalAuthenticator_ptr
 TAO::Security::SecurityManager::principal_authenticator ()
-  ACE_THROW_SPEC ((CORBA::SystemException))
 {
   return SecurityLevel2::PrincipalAuthenticator::_duplicate
     (this->principal_authenticator_.in () );
@@ -75,21 +58,18 @@ TAO::Security::SecurityManager::principal_authenticator ()
 
 SecurityLevel2::AccessDecision_ptr
 TAO::Security::SecurityManager::access_decision ()
-  ACE_THROW_SPEC ((CORBA::SystemException))
 {
   return SecurityLevel2::AccessDecision::_duplicate (this->access_decision_.in () );
 }
 
 SecurityLevel2::AuditDecision_ptr
 TAO::Security::SecurityManager::audit_decision ()
-  ACE_THROW_SPEC ((CORBA::SystemException))
 {
   throw CORBA::NO_IMPLEMENT ();
 }
 
 SecurityLevel2::TargetCredentials_ptr
 TAO::Security::SecurityManager::get_target_credentials (CORBA::Object_ptr /*o*/)
-  ACE_THROW_SPEC ((CORBA::SystemException))
 {
   throw CORBA::NO_IMPLEMENT ();
 }
@@ -97,14 +77,12 @@ TAO::Security::SecurityManager::get_target_credentials (CORBA::Object_ptr /*o*/)
 void
 TAO::Security::SecurityManager::remove_own_credentials (
   SecurityLevel2::Credentials_ptr creds)
-  ACE_THROW_SPEC ((CORBA::SystemException))
 {
   throw CORBA::NO_IMPLEMENT ();
 }
                      
 CORBA::Policy_ptr
 TAO::Security::SecurityManager::get_security_policy (CORBA::PolicyType policy_type)
-  ACE_THROW_SPEC ((CORBA::SystemException))
 {
   throw CORBA::NO_IMPLEMENT ();
 }
@@ -113,6 +91,29 @@ TAO::Security::SecurityManager::get_security_policy (CORBA::PolicyType policy_ty
  * AccessDecision stuff below here
  */
 
+bool
+TAO::Security::AccessDecision::ReferenceKeyType::operator== (const ReferenceKeyType& other) const
+{
+  if (this->oid_ == other.oid_
+      && this->adapter_id_ == other.adapter_id_
+      && (ACE_OS_String::strcmp (this->orbid_.in(), other.orbid_.in()) == 0) )
+    return true;
+  else
+    return false;
+}
+
+CORBA::ULong
+TAO::Security::AccessDecision::ReferenceKeyType::hash () const
+{
+  return 0;
+}
+
+const char*
+TAO::Security::AccessDecision::ReferenceKeyType::operator const char* () const
+{
+  return "<hardcoded refkey>";
+}
+
 TAO::Security::AccessDecision::AccessDecision ()
   : default_allowance_decision_ (false)
 {
@@ -125,30 +126,21 @@ TAO::Security::AccessDecision::~AccessDecision ()
 TAO::Security::AccessDecision::OBJECT_KEY
 TAO::Security::AccessDecision::map_key_from_objref (CORBA::Object_ptr obj)
 {
-#if 0
-  // Originally this lived in access_allowed, but it was needed
-  // in add_object and remove_object, too, so it's been factored out.
-  //
-  // We need an ORB reference here.  Where do we get it?
-  //
-  // The primary place we need this facility is in access_allowed.
-  // Unfortunately, the interface for access_allowed is cast in
-  // dormant OMG spec stone, so that can't change.  We could pass in a
-  // reference as an argument to the constructor and store it, but
-  // what do we do, then, if the same interceptor is registered with
-  // multiple ORBs (is that possible?!?!)?  Then we could end up using
-  // a different ORB to stringify, which could end up giving us a
-  // different string, which means they won't compare propertly.
-  //
-  // As a hack, we could realize that TAO's CORBA::Object implementation
-  // has a reference to its associated ORB, and just dip in there
-  // to get access to it.  Ugly, but at least it should probably work.
-  CORBA::ORB_var orb = obj->_get_orb ();
-  CORBA::String_var ior = orb->object_to_string (obj);
-  return ior;
-#else
-  return CORBA::Object::_duplicate(obj);
-#endif
+  OBJECT_KEY key;
+
+  return key;
+}
+
+CORBA::Boolean
+TAO::Security::AccessDecision::access_allowed_ex (
+          const char * orb_id,
+          const ::CORBA::OctetSeq & adapter_id,
+          const ::CORBA::OctetSeq & object_id,
+          const ::SecurityLevel2::CredentialsList & cred_list,
+          const char * operation_name)
+{
+  // Obviously this is an incorrect trivial implementation ;)
+  return true;
 }
 
 CORBA::Boolean
@@ -169,7 +161,7 @@ TAO::Security::AccessDecision::access_allowed (
   ACE_GUARD_RETURN (TAO_SYNCH_MUTEX, guard, this->map_lock_,
 		    this->default_allowance_decision_);
 
-  ACE_Hash<CORBA::Object_var> hash;
+  ACE_Hash<OBJECT_KEY> hash;
 
   // Look up the target in access_map_; if there, return the value,
   // otherwise return the default value.
@@ -201,7 +193,6 @@ TAO::Security::AccessDecision::access_allowed (
 void
 TAO::Security::AccessDecision::add_object (CORBA::Object_ptr obj,
 					   CORBA::Boolean allow_insecure_access)
-  ACE_THROW_SPEC ((CORBA::SystemException))
 {
   // make a key from 'obj'
   OBJECT_KEY key = this->map_key_from_objref (obj);
@@ -210,7 +201,7 @@ TAO::Security::AccessDecision::add_object (CORBA::Object_ptr obj,
   // LOCK THE MAP!
   ACE_GUARD (TAO_SYNCH_MUTEX, guard, this->map_lock_);
 
-  ACE_Hash<CORBA::Object_var> hash;
+  ACE_Hash<OBJECT_KEY> hash;
 
   // Since we want to replace any existing entry in the map, we just
   // use rebind.
@@ -246,12 +237,11 @@ TAO::Security::AccessDecision::add_object (CORBA::Object_ptr obj,
 
 void
 TAO::Security::AccessDecision::remove_object (CORBA::Object_ptr obj)
-  ACE_THROW_SPEC ((CORBA::SystemException))
 {
   // make a key from 'obj'
   OBJECT_KEY key = this->map_key_from_objref (obj);
 
-  ACE_Hash<CORBA::Object_var> hash;
+  ACE_Hash<OBJECT_KEY> hash;
 
   // unbind it from access_map_, no matter if it's not in there...
   // LOCK THE MAP!
@@ -288,14 +278,12 @@ TAO::Security::AccessDecision::remove_object (CORBA::Object_ptr obj)
 
 CORBA::Boolean
 TAO::Security::AccessDecision::default_decision (void)
-  ACE_THROW_SPEC ((::CORBA::SystemException))
 {
   return this->default_allowance_decision_;
 }
 
 void
 TAO::Security::AccessDecision::default_decision (CORBA::Boolean d)
-  ACE_THROW_SPEC ((::CORBA::SystemException))
 {
   this->default_allowance_decision_ = d;
 }
diff --git a/TAO/orbsvcs/orbsvcs/Security/SL2_SecurityManager.h b/TAO/orbsvcs/orbsvcs/Security/SL2_SecurityManager.h
index 00a5343ddcd..5646410dac0 100644
--- a/TAO/orbsvcs/orbsvcs/Security/SL2_SecurityManager.h
+++ b/TAO/orbsvcs/orbsvcs/Security/SL2_SecurityManager.h
@@ -66,6 +66,13 @@ namespace TAO
         const char * target_interface_name
 					       );
 
+      virtual ::CORBA::Boolean access_allowed_ex (
+          const char * orb_id,
+          const ::CORBA::OctetSeq & adapter_id,
+          const ::CORBA::OctetSeq & object_id,
+          const ::SecurityLevel2::CredentialsList & cred_list,
+          const char * operation_name);
+
       virtual ::CORBA::Boolean default_decision (void);
       virtual void default_decision (::CORBA::Boolean d);
 
diff --git a/TAO/orbsvcs/orbsvcs/SecurityLevel2.idl b/TAO/orbsvcs/orbsvcs/SecurityLevel2.idl
index 6a13faa6877..4aad2543911 100644
--- a/TAO/orbsvcs/orbsvcs/SecurityLevel2.idl
+++ b/TAO/orbsvcs/orbsvcs/SecurityLevel2.idl
@@ -189,7 +189,6 @@ module SecurityLevel2 {
     );
   };
 
-
   // Policy interfaces to control bindings
 
   local interface QOPPolicy : CORBA::Policy {
@@ -275,6 +274,17 @@ module TAO {
   module SL2 {
     local interface AccessDecision : SecurityLevel2::AccessDecision
     {
+      /* TAO-specific access_allowed that works around deficiencies in
+	 the SecurityLevel2::AccessDecision::access_allowed() operation. */
+      // Parameter object_id should be PortableInterceptor::ObjectId, but
+      // using that type would require including the PI_Forward.pidl file.
+      // By using the real type, we can avoid that dependency.
+      boolean access_allowed_ex (in ::CORBA::ORBid orb_id,
+				 in ::CORBA::OctetSeq adapter_id,
+				 in ::CORBA::OctetSeq object_id,
+				 in ::SecurityLevel2::CredentialsList cred_list,
+				 in ::CORBA::Identifier operation_name);
+
       /*! Default value returned when a reference is not in the list. */
       // Can't come up with a good name for this.
       attribute boolean default_decision;