OpenDDS  Snapshot(2023/04/28-20:55)
AccessControlBuiltInImpl.h
Go to the documentation of this file.
1 /*
2  *
3  *
4  * Distributed under the OpenDDS License.
5  * See: http://www.OpenDDS.org/license.html
6  */
7 
8 #ifndef OPENDDS_DCPS_SECURITY_ACCESSCONTROLBUILTINIMPL_H
9 #define OPENDDS_DCPS_SECURITY_ACCESSCONTROLBUILTINIMPL_H
10 
11 #include "OpenDDS_Security_Export.h"
12 #include "AccessControl/LocalAccessCredentialData.h"
13 #include "AccessControl/Governance.h"
14 #include "AccessControl/Permissions.h"
15 #include "SSL/SubjectName.h"
16 
17 #include <dds/DCPS/Service_Participant.h>
18 #include <dds/DCPS/TimeTypes.h>
19 #include <dds/DCPS/SporadicTask.h>
20 #include <dds/Versioned_Namespace.h>
21 
22 #include <dds/DdsSecurityCoreC.h>
23 
24 #include <ace/Thread_Mutex.h>
25 #include <ace/Reactor.h>
26 
27 #include <map>
28 #include <set>
29 #include <list>
30 #include <vector>
31 #include <string>
32 #include <memory>
33 
34 #if !defined (ACE_LACKS_PRAGMA_ONCE)
35 #pragma once
36 #endif /* ACE_LACKS_PRAGMA_ONCE */
37 
38 class DDS_TEST;
39 
40 OPENDDS_BEGIN_VERSIONED_NAMESPACE_DECL
41 
42 namespace OpenDDS {
43 namespace Security {
44 
45 /**
46 * @class AccessControlBuiltInImpl
47 *
48 * @brief Implements the DDS built-in version of the Access Control
49 * plugin for the DDS Security Specification
50 *
51 * See the DDS security specification, OMG formal/17-09-20, for a description of
52 * the interface this class is implementing.
53 *
54 */
55 class OpenDDS_Security_Export AccessControlBuiltInImpl
56  : public virtual DDS::Security::AccessControl {
57 public:
58  AccessControlBuiltInImpl();
59  virtual ~AccessControlBuiltInImpl();
60 
61  virtual DDS::Security::PermissionsHandle validate_local_permissions(
62  DDS::Security::Authentication_ptr auth_plugin,
63  DDS::Security::IdentityHandle identity,
64  DDS::Security::DomainId_t domain_id,
65  const DDS::DomainParticipantQos& participant_qos,
66  DDS::Security::SecurityException& ex);
67 
68  virtual DDS::Security::PermissionsHandle validate_remote_permissions(
69  DDS::Security::Authentication_ptr auth_plugin,
70  DDS::Security::IdentityHandle local_identity_handle,
71  DDS::Security::IdentityHandle remote_identity_handle,
72  const DDS::Security::PermissionsToken& remote_permissions_token,
73  const DDS::Security::AuthenticatedPeerCredentialToken& remote_credential_token,
74  DDS::Security::SecurityException& ex);
75 
76  virtual bool check_create_participant(
77  DDS::Security::PermissionsHandle permissions_handle,
78  DDS::Security::DomainId_t domain_id,
79  const DDS::DomainParticipantQos& qos,
80  DDS::Security::SecurityException& ex);
81 
82  virtual bool check_create_datawriter(
83  DDS::Security::PermissionsHandle permissions_handle,
84  DDS::Security::DomainId_t domain_id,
85  const char* topic_name,
86  const DDS::DataWriterQos& qos,
87  const DDS::PartitionQosPolicy& partition,
88  const DDS::Security::DataTags& data_tag,
89  DDS::Security::SecurityException& ex);
90 
91  virtual bool check_create_datareader(
92  DDS::Security::PermissionsHandle permissions_handle,
93  DDS::Security::DomainId_t domain_id,
94  const char* topic_name,
95  const DDS::DataReaderQos& qos,
96  const DDS::PartitionQosPolicy& partition,
97  const DDS::Security::DataTags& data_tag,
98  DDS::Security::SecurityException& ex);
99 
100  virtual bool check_create_topic(
101  DDS::Security::PermissionsHandle permissions_handle,
102  DDS::Security::DomainId_t domain_id,
103  const char* topic_name,
104  const DDS::TopicQos& qos,
105  DDS::Security::SecurityException& ex);
106 
107  virtual bool check_local_datawriter_register_instance(
108  DDS::Security::PermissionsHandle permissions_handle,
109  DDS::DataWriter_ptr writer,
110  DDS::DynamicData_ptr key,
111  DDS::Security::SecurityException& ex);
112 
113  virtual bool check_local_datawriter_dispose_instance(
114  DDS::Security::PermissionsHandle permissions_handle,
115  DDS::DataWriter_ptr writer,
116  DDS::DynamicData_ptr key,
117  DDS::Security::SecurityException& ex);
118 
119  virtual bool check_remote_participant(
120  DDS::Security::PermissionsHandle permissions_handle,
121  DDS::Security::DomainId_t domain_id,
122  const DDS::Security::ParticipantBuiltinTopicDataSecure& participant_data,
123  DDS::Security::SecurityException& ex);
124 
125  virtual bool check_remote_datawriter(
126  DDS::Security::PermissionsHandle permissions_handle,
127  DDS::Security::DomainId_t domain_id,
128  const DDS::Security::PublicationBuiltinTopicDataSecure& publication_data,
129  DDS::Security::SecurityException& ex);
130 
131  virtual bool check_remote_datareader(
132  DDS::Security::PermissionsHandle permissions_handle,
133  DDS::Security::DomainId_t domain_id,
134  const DDS::Security::SubscriptionBuiltinTopicDataSecure& subscription_data,
135  bool& relay_only,
136  DDS::Security::SecurityException& ex);
137 
138  virtual bool check_remote_topic(
139  DDS::Security::PermissionsHandle permissions_handle,
140  DDS::Security::DomainId_t domain_id,
141  const DDS::TopicBuiltinTopicData& topic_data,
142  DDS::Security::SecurityException& ex);
143 
144  virtual bool check_local_datawriter_match(
145  DDS::Security::PermissionsHandle writer_permissions_handle,
146  DDS::Security::PermissionsHandle reader_permissions_handle,
147  const DDS::Security::PublicationBuiltinTopicDataSecure& publication_data,
148  const DDS::Security::SubscriptionBuiltinTopicDataSecure& subscription_data,
149  DDS::Security::SecurityException& ex);
150 
151  virtual bool check_local_datareader_match(
152  DDS::Security::PermissionsHandle reader_permissions_handle,
153  DDS::Security::PermissionsHandle writer_permissions_handle,
154  const DDS::Security::SubscriptionBuiltinTopicDataSecure& subscription_data,
155  const DDS::Security::PublicationBuiltinTopicDataSecure& publication_data,
156  DDS::Security::SecurityException& ex);
157 
158  virtual bool check_remote_datawriter_register_instance(
159  DDS::Security::PermissionsHandle permissions_handle,
160  DDS::DataReader_ptr reader,
161  DDS::InstanceHandle_t publication_handle,
162  DDS::DynamicData_ptr key,
163  DDS::Security::SecurityException& ex);
164 
165  virtual bool check_remote_datawriter_dispose_instance(
166  DDS::Security::PermissionsHandle permissions_handle,
167  DDS::DataReader_ptr reader,
168  DDS::InstanceHandle_t publication_handle,
169  DDS::DynamicData_ptr key,
170  DDS::Security::SecurityException& ex);
171 
172  virtual bool get_permissions_token(
173  DDS::Security::PermissionsToken& permissions_token,
174  DDS::Security::PermissionsHandle handle,
175  DDS::Security::SecurityException& ex);
176 
177  virtual bool get_permissions_credential_token(
178  DDS::Security::PermissionsCredentialToken& permissions_credential_token,
179  DDS::Security::PermissionsHandle handle,
180  DDS::Security::SecurityException& ex);
181 
182  virtual bool set_listener(
183  DDS::Security::AccessControlListener_ptr listener,
184  DDS::Security::SecurityException& ex);
185 
186  virtual bool return_permissions_handle(
187  DDS::Security::PermissionsHandle handle,
188  DDS::Security::SecurityException& ex);
189 
190  virtual bool return_permissions_token(
191  const DDS::Security::PermissionsToken& token,
192  DDS::Security::SecurityException& ex);
193 
194  virtual bool return_permissions_credential_token(
195  const DDS::Security::PermissionsCredentialToken& permissions_credential_token,
196  DDS::Security::SecurityException& ex);
197 
198  virtual bool get_participant_sec_attributes(
199  DDS::Security::PermissionsHandle permissions_handle,
200  DDS::Security::ParticipantSecurityAttributes& attributes,
201  DDS::Security::SecurityException& ex);
202 
203  virtual bool get_topic_sec_attributes(
204  DDS::Security::PermissionsHandle permissions_handle,
205  const char* topic_name,
206  DDS::Security::TopicSecurityAttributes& attributes,
207  DDS::Security::SecurityException& ex);
208 
209  virtual bool get_datawriter_sec_attributes(
210  DDS::Security::PermissionsHandle permissions_handle,
211  const char* topic_name,
212  const DDS::PartitionQosPolicy& partition,
213  const DDS::Security::DataTagQosPolicy& data_tag,
214  DDS::Security::EndpointSecurityAttributes& attributes,
215  DDS::Security::SecurityException& ex);
216 
217  virtual bool get_datareader_sec_attributes(
218  DDS::Security::PermissionsHandle permissions_handle,
219  const char* topic_name,
220  const DDS::PartitionQosPolicy& partition,
221  const DDS::Security::DataTagQosPolicy& data_tag,
222  DDS::Security::EndpointSecurityAttributes& attributes,
223  DDS::Security::SecurityException& ex);
224 
225  virtual bool return_participant_sec_attributes(
226  const DDS::Security::ParticipantSecurityAttributes& attributes,
227  DDS::Security::SecurityException& ex);
228 
229  virtual bool return_datawriter_sec_attributes(
230  const DDS::Security::EndpointSecurityAttributes& attributes,
231  DDS::Security::SecurityException& ex);
232 
233  virtual bool return_datareader_sec_attributes(
234  const DDS::Security::EndpointSecurityAttributes& attributes,
235  DDS::Security::SecurityException& ex);
236 
237  static bool pattern_match(const char* string, const char* pattern);
238 
239  SSL::SubjectName get_subject_name(DDS::Security::PermissionsHandle permissions_handle) const;
240 
241 private:
242 
243  AccessControlBuiltInImpl(const AccessControlBuiltInImpl&);
244  AccessControlBuiltInImpl& operator=(const AccessControlBuiltInImpl&);
245 
246  struct AccessData {
247  DDS::Security::IdentityHandle identity;
248  DDS::Security::DomainId_t domain_id;
249  SSL::SubjectName subject;
250  Permissions::shared_ptr perm;
251  Governance::shared_ptr gov;
252  LocalAccessCredentialData::shared_ptr local_access_credential_data;
253  };
254 
255  typedef std::map<DDS::Security::PermissionsHandle, AccessData> ACPermsMap;
256  ACPermsMap local_ac_perms_;
257 
258  typedef std::map<DDS::Security::IdentityHandle, DDS::Security::PermissionsHandle> ACIdentityMap;
259  ACIdentityMap local_identity_map_;
260 
261  class RevokePermissionsTask : public DCPS::SporadicTask {
262  public:
263  RevokePermissionsTask(const DCPS::TimeSource& time_source,
264  DCPS::ReactorInterceptor_rch interceptor,
265  AccessControlBuiltInImpl& impl);
266  virtual ~RevokePermissionsTask();
267  void insert(DDS::Security::PermissionsHandle pm_handle, const time_t& expiration);
268  void erase(DDS::Security::PermissionsHandle pm_handle);
269 
270  private:
271  typedef OPENDDS_MAP(DDS::Security::PermissionsHandle, time_t) HandleToExpiration;
272  typedef OPENDDS_MULTIMAP(time_t, DDS::Security::PermissionsHandle) ExpirationToHandle;
273 
274  virtual void execute(const DCPS::MonotonicTimePoint& now);
275 
276  AccessControlBuiltInImpl& impl_;
277 
278  mutable ACE_Thread_Mutex lock_;
279  HandleToExpiration handle_to_expiration_;
280  ExpirationToHandle expiration_to_handle_;
281  };
282  typedef DCPS::RcHandle<RevokePermissionsTask> RevokePermissionsTask_rch;
283 
284  RevokePermissionsTask_rch local_rp_task_;
285  RevokePermissionsTask_rch remote_rp_task_;
286 
287  int generate_handle();
288 
289  mutable ACE_Thread_Mutex handle_mutex_;
290  mutable ACE_Thread_Mutex gen_handle_mutex_;
291 
292  int next_handle_;
293 
294  DDS::Security::AccessControlListener_ptr listener_ptr_;
295 
296  RevokePermissionsTask_rch& make_task(RevokePermissionsTask_rch& task);
297 
298  bool validate_date_time(const Permissions::Validity_t& validity,
299  DDS::Security::SecurityException& ex);
300 
301  bool get_sec_attributes(DDS::Security::PermissionsHandle permissions_handle,
302  const char* topic_name,
303  const DDS::PartitionQosPolicy& partition,
304  const DDS::Security::DataTagQosPolicy& data_tag,
305  DDS::Security::EndpointSecurityAttributes& attributes,
306  DDS::Security::SecurityException& ex);
307 
308  bool search_permissions(const char* topic_name,
309  DDS::Security::DomainId_t domain_id,
310  const DDS::PartitionQosPolicy& partition,
311  Permissions::PublishSubscribe_t pub_or_sub,
312  const Permissions::Grant& grant,
313  DDS::Security::SecurityException& ex);
314 
315  void parse_class_id(const std::string& class_id,
316  std::string& plugin_class_name,
317  int& major_version,
318  int& minor_version);
319 
320 };
321 
322 } // namespace Security
323 } // namespace OpenDDS
324 
325 OPENDDS_END_VERSIONED_NAMESPACE_DECL
326 
327 #endif // OPENDDS_DCPS_SECURITY_ACCESSCONTROLBUILTINIMPL_H
key
sequence< octet > key
DDS::Security::DomainId_t
DDS::DomainId_t DomainId_t
Definition: DdsSecurityCore.idl:217
OPENDDS_MULTIMAP
#define OPENDDS_MULTIMAP(K, T)
Definition: PoolAllocator.h:167
OpenDDS::Security::AccessControlBuiltInImpl::ACIdentityMap
std::map< DDS::Security::IdentityHandle, DDS::Security::PermissionsHandle > ACIdentityMap
Definition: AccessControlBuiltInImpl.h:258
OpenDDS::Security::AccessControlBuiltInImpl
Implements the DDS built-in version of the Access Control plugin for the DDS Security Specification...
Definition: AccessControlBuiltInImpl.h:55
OpenDDS::Security::AccessControlBuiltInImpl::ACPermsMap
std::map< DDS::Security::PermissionsHandle, AccessData > ACPermsMap
Definition: AccessControlBuiltInImpl.h:255
DDS::InstanceHandle_t
HANDLE_TYPE_NATIVE InstanceHandle_t
Definition: DdsDcpsCore.idl:51
OpenDDS::Security::AccessControlBuiltInImpl::listener_ptr_
DDS::Security::AccessControlListener_ptr listener_ptr_
Definition: AccessControlBuiltInImpl.h:294
OPENDDS_MAP
#define OPENDDS_MAP(K, V)
Definition: PoolAllocator.h:165
OpenDDS_Security_Export
#define OpenDDS_Security_Export
Definition: OpenDDS_Security_Export.h:25
OPENDDS_END_VERSIONED_NAMESPACE_DECL
#define OPENDDS_END_VERSIONED_NAMESPACE_DECL
Definition: Versioned_Namespace.h:48
OpenDDS::Security::AccessControlBuiltInImpl::AccessData::local_access_credential_data
LocalAccessCredentialData::shared_ptr local_access_credential_data
Definition: AccessControlBuiltInImpl.h:252
OpenDDS::DCPS::insert
int insert(Container &c, const ValueType &v)
Definition: Util.h:105
OpenDDS::Security::AccessControlBuiltInImpl::RevokePermissionsTask_rch
DCPS::RcHandle< RevokePermissionsTask > RevokePermissionsTask_rch
Definition: AccessControlBuiltInImpl.h:282
OpenDDS
The Internal API and Implementation of OpenDDS.
Definition: AddressCache.h:28
Generated by   doxygen 1.8.13