1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
|
#ifndef QPID_ACL_ACLDATA_H
#define QPID_ACL_ACLDATA_H
/*
*
* Copyright (c) 2006 The Apache Software Foundation
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
*/
#include "qpid/broker/AclModule.h"
#include <vector>
#include <sstream>
namespace qpid {
namespace acl {
class AclData {
public:
typedef std::map<qpid::acl::Property, std::string> propertyMap;
typedef propertyMap::const_iterator propertyMapItr;
typedef std::map<qpid::acl::SpecProperty, std::string> specPropertyMap;
typedef specPropertyMap::const_iterator specPropertyMapItr;
//
// rule
//
// Created by AclReader and stored in a ruleSet vector for subsequent
// run-time lookup matching and allow/deny decisions.
// RuleSet vectors are indexed by Action-Object-actorId so these
// attributes are not part of a rule.
// A single ACL file entry may create many rule entries in
// many ruleset vectors.
//
struct rule {
int rawRuleNum; // rule number in ACL file
qpid::acl::AclResult ruleMode; // combined allow/deny log/nolog
specPropertyMap props; //
rule (int ruleNum, qpid::acl::AclResult res, specPropertyMap& p) :
rawRuleNum(ruleNum),
ruleMode(res),
props(p)
{};
std::string toString () const {
std::ostringstream ruleStr;
ruleStr << "[rule " << rawRuleNum
<< " ruleMode = " << AclHelper::getAclResultStr(ruleMode)
<< " props{";
for (specPropertyMapItr pMItr = props.begin();
pMItr != props.end();
pMItr++) {
ruleStr << " "
<< AclHelper::getPropertyStr((SpecProperty) pMItr-> first)
<< "=" << pMItr->second;
}
ruleStr << " }]";
return ruleStr.str();
}
};
typedef std::vector<rule> ruleSet;
typedef ruleSet::const_iterator ruleSetItr;
typedef std::map<std::string, ruleSet > actionObject; // user
typedef actionObject::iterator actObjItr;
typedef actionObject* aclAction;
// Action*[] -> Object*[] -> map<user -> set<Rule> >
aclAction* actionList[qpid::acl::ACTIONSIZE];
qpid::acl::AclResult decisionMode; // allow/deny[-log] if no matching rule found
bool transferAcl;
std::string aclSource;
AclResult lookup(
const std::string& id, // actor id
const Action& action,
const ObjectType& objType,
const std::string& name, // object name
std::map<Property, std::string>* params=0);
AclResult lookup(
const std::string& id, // actor id
const Action& action,
const ObjectType& objType,
const std::string& ExchangeName,
const std::string& RoutingKey);
bool matchProp(const std::string & src, const std::string& src1);
void clear ();
AclData();
virtual ~AclData();
private:
bool compareIntMax(const qpid::acl::SpecProperty theProperty,
const std::string theAclValue,
const std::string theLookupValue);
bool compareIntMin(const qpid::acl::SpecProperty theProperty,
const std::string theAclValue,
const std::string theLookupValue);
};
}} // namespace qpid::acl
#endif // QPID_ACL_ACLDATA_H
|
