OpenDDS  Snapshot(2023/04/07-19:43)
OpenDDS::Security::AccessControlBuiltInImpl Class Reference

Implements the DDS built-in version of the Access Control plugin for the DDS Security Specification. More...

#include <AccessControlBuiltInImpl.h>


Classes

struct  AccessData
 
class  RevokePermissionsTask
 

Public Member Functions

 AccessControlBuiltInImpl ()
 
virtual ~AccessControlBuiltInImpl ()
 
virtual DDS::Security::PermissionsHandle validate_local_permissions (DDS::Security::Authentication_ptr auth_plugin, DDS::Security::IdentityHandle identity, DDS::Security::DomainId_t domain_id, const DDS::DomainParticipantQos &participant_qos, DDS::Security::SecurityException &ex)
 
virtual DDS::Security::PermissionsHandle validate_remote_permissions (DDS::Security::Authentication_ptr auth_plugin, DDS::Security::IdentityHandle local_identity_handle, DDS::Security::IdentityHandle remote_identity_handle, const DDS::Security::PermissionsToken &remote_permissions_token, const DDS::Security::AuthenticatedPeerCredentialToken &remote_credential_token, DDS::Security::SecurityException &ex)
 
virtual bool check_create_participant (DDS::Security::PermissionsHandle permissions_handle, DDS::Security::DomainId_t domain_id, const DDS::DomainParticipantQos &qos, DDS::Security::SecurityException &ex)
 
virtual bool check_create_datawriter (DDS::Security::PermissionsHandle permissions_handle, DDS::Security::DomainId_t domain_id, const char *topic_name, const DDS::DataWriterQos &qos, const DDS::PartitionQosPolicy &partition, const DDS::Security::DataTags &data_tag, DDS::Security::SecurityException &ex)
 
virtual bool check_create_datareader (DDS::Security::PermissionsHandle permissions_handle, DDS::Security::DomainId_t domain_id, const char *topic_name, const DDS::DataReaderQos &qos, const DDS::PartitionQosPolicy &partition, const DDS::Security::DataTags &data_tag, DDS::Security::SecurityException &ex)
 
virtual bool check_create_topic (DDS::Security::PermissionsHandle permissions_handle, DDS::Security::DomainId_t domain_id, const char *topic_name, const DDS::TopicQos &qos, DDS::Security::SecurityException &ex)
 
virtual bool check_local_datawriter_register_instance (DDS::Security::PermissionsHandle permissions_handle, DDS::DataWriter_ptr writer, DDS::DynamicData_ptr key, DDS::Security::SecurityException &ex)
 
virtual bool check_local_datawriter_dispose_instance (DDS::Security::PermissionsHandle permissions_handle, DDS::DataWriter_ptr writer, DDS::DynamicData_ptr key, DDS::Security::SecurityException &ex)
 
virtual bool check_remote_participant (DDS::Security::PermissionsHandle permissions_handle, DDS::Security::DomainId_t domain_id, const DDS::Security::ParticipantBuiltinTopicDataSecure &participant_data, DDS::Security::SecurityException &ex)
 
virtual bool check_remote_datawriter (DDS::Security::PermissionsHandle permissions_handle, DDS::Security::DomainId_t domain_id, const DDS::Security::PublicationBuiltinTopicDataSecure &publication_data, DDS::Security::SecurityException &ex)
 
virtual bool check_remote_datareader (DDS::Security::PermissionsHandle permissions_handle, DDS::Security::DomainId_t domain_id, const DDS::Security::SubscriptionBuiltinTopicDataSecure &subscription_data, bool &relay_only, DDS::Security::SecurityException &ex)
 
virtual bool check_remote_topic (DDS::Security::PermissionsHandle permissions_handle, DDS::Security::DomainId_t domain_id, const DDS::TopicBuiltinTopicData &topic_data, DDS::Security::SecurityException &ex)
 
virtual bool check_local_datawriter_match (DDS::Security::PermissionsHandle writer_permissions_handle, DDS::Security::PermissionsHandle reader_permissions_handle, const DDS::Security::PublicationBuiltinTopicDataSecure &publication_data, const DDS::Security::SubscriptionBuiltinTopicDataSecure &subscription_data, DDS::Security::SecurityException &ex)
 
virtual bool check_local_datareader_match (DDS::Security::PermissionsHandle reader_permissions_handle, DDS::Security::PermissionsHandle writer_permissions_handle, const DDS::Security::SubscriptionBuiltinTopicDataSecure &subscription_data, const DDS::Security::PublicationBuiltinTopicDataSecure &publication_data, DDS::Security::SecurityException &ex)
 
virtual bool check_remote_datawriter_register_instance (DDS::Security::PermissionsHandle permissions_handle, DDS::DataReader_ptr reader, DDS::InstanceHandle_t publication_handle, DDS::DynamicData_ptr key, DDS::Security::SecurityException &ex)
 
virtual bool check_remote_datawriter_dispose_instance (DDS::Security::PermissionsHandle permissions_handle, DDS::DataReader_ptr reader, DDS::InstanceHandle_t publication_handle, DDS::DynamicData_ptr key, DDS::Security::SecurityException &ex)
 
virtual bool get_permissions_token (DDS::Security::PermissionsToken &permissions_token, DDS::Security::PermissionsHandle handle, DDS::Security::SecurityException &ex)
 
virtual bool get_permissions_credential_token (DDS::Security::PermissionsCredentialToken &permissions_credential_token, DDS::Security::PermissionsHandle handle, DDS::Security::SecurityException &ex)
 
virtual bool set_listener (DDS::Security::AccessControlListener_ptr listener, DDS::Security::SecurityException &ex)
 
virtual bool return_permissions_handle (DDS::Security::PermissionsHandle handle, DDS::Security::SecurityException &ex)
 
virtual bool return_permissions_token (const DDS::Security::PermissionsToken &token, DDS::Security::SecurityException &ex)
 
virtual bool return_permissions_credential_token (const DDS::Security::PermissionsCredentialToken &permissions_credential_token, DDS::Security::SecurityException &ex)
 
virtual bool get_participant_sec_attributes (DDS::Security::PermissionsHandle permissions_handle, DDS::Security::ParticipantSecurityAttributes &attributes, DDS::Security::SecurityException &ex)
 
virtual bool get_topic_sec_attributes (DDS::Security::PermissionsHandle permissions_handle, const char *topic_name, DDS::Security::TopicSecurityAttributes &attributes, DDS::Security::SecurityException &ex)
 
virtual bool get_datawriter_sec_attributes (DDS::Security::PermissionsHandle permissions_handle, const char *topic_name, const DDS::PartitionQosPolicy &partition, const DDS::Security::DataTagQosPolicy &data_tag, DDS::Security::EndpointSecurityAttributes &attributes, DDS::Security::SecurityException &ex)
 
virtual bool get_datareader_sec_attributes (DDS::Security::PermissionsHandle permissions_handle, const char *topic_name, const DDS::PartitionQosPolicy &partition, const DDS::Security::DataTagQosPolicy &data_tag, DDS::Security::EndpointSecurityAttributes &attributes, DDS::Security::SecurityException &ex)
 
virtual bool return_participant_sec_attributes (const DDS::Security::ParticipantSecurityAttributes &attributes, DDS::Security::SecurityException &ex)
 
virtual bool return_datawriter_sec_attributes (const DDS::Security::EndpointSecurityAttributes &attributes, DDS::Security::SecurityException &ex)
 
virtual bool return_datareader_sec_attributes (const DDS::Security::EndpointSecurityAttributes &attributes, DDS::Security::SecurityException &ex)
 
SSL::SubjectName get_subject_name (DDS::Security::PermissionsHandle permissions_handle) const
 
- Public Member Functions inherited from DDS::Security::AccessControl
PermissionsHandle validate_local_permissions (in Authentication auth_plugin, in IdentityHandle identity, in DomainId_t domain_id, in DomainParticipantQos participant_qos, inout SecurityException ex)
 
PermissionsHandle validate_remote_permissions (in Authentication auth_plugin, in IdentityHandle local_identity_handle, in IdentityHandle remote_identity_handle, in PermissionsToken remote_permissions_token, in AuthenticatedPeerCredentialToken remote_credential_token, inout SecurityException ex)
 
boolean check_create_participant (in PermissionsHandle permissions_handle, in DomainId_t domain_id, in DomainParticipantQos qos, inout SecurityException ex)
 
boolean check_create_datawriter (in PermissionsHandle permissions_handle, in DomainId_t domain_id, in string topic_name, in DataWriterQos qos, in PartitionQosPolicy partition, in DataTags data_tag, inout SecurityException ex)
 
boolean check_create_datareader (in PermissionsHandle permissions_handle, in DomainId_t domain_id, in string topic_name, in DataReaderQos qos, in PartitionQosPolicy partition, in DataTags data_tag, inout SecurityException ex)
 
boolean check_create_topic (in PermissionsHandle permissions_handle, in DomainId_t domain_id, in string topic_name, in TopicQos qos, inout SecurityException ex)
 
boolean check_local_datawriter_register_instance (in PermissionsHandle permissions_handle, in DataWriter writer, in DynamicData key, inout SecurityException ex)
 
boolean check_local_datawriter_dispose_instance (in PermissionsHandle permissions_handle, in DataWriter writer, in DynamicData key, inout SecurityException ex)
 
boolean check_remote_participant (in PermissionsHandle permissions_handle, in DomainId_t domain_id, in ParticipantBuiltinTopicDataSecure participant_data, inout SecurityException ex)
 
boolean check_remote_datawriter (in PermissionsHandle permissions_handle, in DomainId_t domain_id, in PublicationBuiltinTopicDataSecure publication_data, inout SecurityException ex)
 
boolean check_remote_datareader (in PermissionsHandle permissions_handle, in DomainId_t domain_id, in SubscriptionBuiltinTopicDataSecure subscription_data, inout boolean relay_only, inout SecurityException ex)
 
boolean check_remote_topic (in PermissionsHandle permissions_handle, in DomainId_t domain_id, in TopicBuiltinTopicData topic_data, inout SecurityException ex)
 
boolean check_local_datawriter_match (in PermissionsHandle writer_permissions_handle, in PermissionsHandle reader_permissions_handle, in PublicationBuiltinTopicDataSecure publication_data, in SubscriptionBuiltinTopicDataSecure subscription_data, inout SecurityException ex)
 
boolean check_local_datareader_match (in PermissionsHandle reader_permissions_handle, in PermissionsHandle writer_permissions_handle, in SubscriptionBuiltinTopicDataSecure subscription_data, in PublicationBuiltinTopicDataSecure publication_data, inout SecurityException ex)
 
boolean check_remote_datawriter_register_instance (in PermissionsHandle permissions_handle, in DataReader reader, in InstanceHandle_t publication_handle, in DynamicData key, inout SecurityException ex)
 
boolean check_remote_datawriter_dispose_instance (in PermissionsHandle permissions_handle, in DataReader reader, in InstanceHandle_t publication_handle, in DynamicData key, inout SecurityException ex)
 
boolean get_permissions_token (inout PermissionsToken permissions_token, in PermissionsHandle handle, inout SecurityException ex)
 
boolean get_permissions_credential_token (inout PermissionsCredentialToken permissions_credential_token, in PermissionsHandle handle, inout SecurityException ex)
 
boolean set_listener (in AccessControlListener listener, inout SecurityException ex)
 
boolean return_permissions_handle (in PermissionsHandle handle, inout SecurityException ex)
 
boolean return_permissions_token (in PermissionsToken token, inout SecurityException ex)
 
boolean return_permissions_credential_token (in PermissionsCredentialToken permissions_credential_token, inout SecurityException ex)
 
boolean get_participant_sec_attributes (in PermissionsHandle permissions_handle, inout ParticipantSecurityAttributes attributes, inout SecurityException ex)
 
boolean get_topic_sec_attributes (in PermissionsHandle permissions_handle, in string topic_name, inout TopicSecurityAttributes attributes, inout SecurityException ex)
 
boolean get_datawriter_sec_attributes (in PermissionsHandle permissions_handle, in string topic_name, in PartitionQosPolicy partition, in DataTagQosPolicy data_tag, inout EndpointSecurityAttributes attributes, inout SecurityException ex)
 
boolean get_datareader_sec_attributes (in PermissionsHandle permissions_handle, in string topic_name, in PartitionQosPolicy partition, in DataTagQosPolicy data_tag, inout EndpointSecurityAttributes attributes, inout SecurityException ex)
 
boolean return_participant_sec_attributes (in ParticipantSecurityAttributes attributes, inout SecurityException ex)
 
boolean return_datawriter_sec_attributes (in EndpointSecurityAttributes attributes, inout SecurityException ex)
 
boolean return_datareader_sec_attributes (in EndpointSecurityAttributes attributes, inout SecurityException ex)
 

Static Public Member Functions

static bool pattern_match (const char *string, const char *pattern)
 

Private Types

typedef std::map< DDS::Security::PermissionsHandle, AccessData > ACPermsMap
 
typedef std::map< DDS::Security::IdentityHandle, DDS::Security::PermissionsHandle > ACIdentityMap
 
typedef DCPS::RcHandle< RevokePermissionsTask > RevokePermissionsTask_rch
 

Private Member Functions

 AccessControlBuiltInImpl (const AccessControlBuiltInImpl &)
 
AccessControlBuiltInImpl & operator= (const AccessControlBuiltInImpl &)
 
int generate_handle ()
 
RevokePermissionsTask_rch & make_task (RevokePermissionsTask_rch &task)
 
bool validate_date_time (const Permissions::Validity_t &validity, DDS::Security::SecurityException &ex)
 
bool get_sec_attributes (DDS::Security::PermissionsHandle permissions_handle, const char *topic_name, const DDS::PartitionQosPolicy &partition, const DDS::Security::DataTagQosPolicy &data_tag, DDS::Security::EndpointSecurityAttributes &attributes, DDS::Security::SecurityException &ex)
 
bool search_permissions (const char *topic_name, DDS::Security::DomainId_t domain_id, const DDS::PartitionQosPolicy &partition, Permissions::PublishSubscribe_t pub_or_sub, const Permissions::Grant &grant, DDS::Security::SecurityException &ex)
 
void parse_class_id (const std::string &class_id, std::string &plugin_class_name, int &major_version, int &minor_version)
 

Private Attributes

ACPermsMap local_ac_perms_
 
ACIdentityMap local_identity_map_
 
RevokePermissionsTask_rch local_rp_task_
 
RevokePermissionsTask_rch remote_rp_task_
 
ACE_Thread_Mutex handle_mutex_
 
ACE_Thread_Mutex gen_handle_mutex_
 
int next_handle_
 
DDS::Security::AccessControlListener_ptr listener_ptr_
 

Detailed Description

Implements the DDS built-in version of the Access Control plugin for the DDS Security Specification.

See the DDS security specification, OMG formal/17-09-20, for a description of the interface this class is implementing.

Definition at line 55 of file AccessControlBuiltInImpl.h.

Member Typedef Documentation

◆ ACIdentityMap

Definition at line 258 of file AccessControlBuiltInImpl.h.

◆ ACPermsMap

Definition at line 255 of file AccessControlBuiltInImpl.h.

◆ RevokePermissionsTask_rch

Definition at line 282 of file AccessControlBuiltInImpl.h.

Constructor & Destructor Documentation

◆ AccessControlBuiltInImpl() [1/2]

OpenDDS::Security::AccessControlBuiltInImpl::AccessControlBuiltInImpl ( )

◆ ~AccessControlBuiltInImpl()

OpenDDS::Security::AccessControlBuiltInImpl::~AccessControlBuiltInImpl ( )
virtual

Definition at line 62 of file AccessControlBuiltInImpl.cpp.

References ACE_DEBUG, ACE_TEXT(), LM_DEBUG, local_ac_perms_, local_identity_map_, and OpenDDS::DCPS::security_debug.

63 {
     // Destructor: releases nothing explicitly in the lines shown; it only emits a diagnostic.
     // When the security "bookkeeping" debug flag is set, log how many entries are still held in
     // local_ac_perms_ and local_identity_map_. Only the container sizes are logged, never the
     // handles or the permissions/governance content they map to.
     // NOTE(review): non-zero counts here presumably indicate permissions handles that were not
     // returned before shutdown — confirm against return_permissions_handle().
64  if (DCPS::security_debug.bookkeeping) {
65  ACE_DEBUG((LM_DEBUG, ACE_TEXT("(%P|%t) {bookkeeping} ")
66  ACE_TEXT("AccessControlBuiltInImpl::~AccessControlBuiltInImpl local_ac_perms_ %B local_identity_map_ %B\n"),
67  local_ac_perms_.size(),
68  local_identity_map_.size()));
69  }
70 }
#define ACE_DEBUG(X)
ACE_TEXT("TCP_Factory")
OpenDDS_Dcps_Export SecurityDebug security_debug
Definition: debug.cpp:32

◆ AccessControlBuiltInImpl() [2/2]

OpenDDS::Security::AccessControlBuiltInImpl::AccessControlBuiltInImpl ( const AccessControlBuiltInImpl & )
private

Member Function Documentation

◆ check_create_datareader()

CORBA::Boolean OpenDDS::Security::AccessControlBuiltInImpl::check_create_datareader ( DDS::Security::PermissionsHandle  permissions_handle,
DDS::Security::DomainId_t  domain_id,
const char *  topic_name,
const DDS::DataReaderQos & qos,
const DDS::PartitionQosPolicy & partition,
const DDS::Security::DataTags & data_tag,
DDS::Security::SecurityException & ex
)
virtual

Definition at line 413 of file AccessControlBuiltInImpl.cpp.

References ACE_GUARD_RETURN, handle_mutex_, DDS::HANDLE_NIL, OpenDDS::Security::AccessControlBuiltInImpl::RevokePermissionsTask::insert(), local_ac_perms_, local_rp_task_, make_task(), pattern_match(), search_permissions(), OpenDDS::Security::CommonUtilities::set_security_error(), OpenDDS::Security::Permissions::SUBSCRIBE, and validate_date_time().

421 {
     // Decides whether a local DataReader may be created on topic_name in domain_id for the
     // participant identified by permissions_handle. Returns true to allow. Every refusal goes
     // through set_security_error(ex, ...) or a helper that receives ex, so the caller gets a
     // reason (the bool returned by set_security_error is presumably false — confirm).
     // The qos and data_tag parameters are not referenced in the lines shown.
422  if (DDS::HANDLE_NIL == permissions_handle) {
423  return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_create_datareader: Invalid permissions handle");
424  }
425 
426  if (0 == topic_name) {
427  return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_create_datareader: Invalid Topic Name");
428  }
429 
     // NOTE(review): source line 430 is missing from this listing. The References list for this
     // function names ACE_GUARD_RETURN and handle_mutex_, so the lock guarding local_ac_perms_
     // is presumably taken here — confirm against AccessControlBuiltInImpl.cpp.
431 
     // An unknown handle is refused: only handles present in local_ac_perms_ carry cached
     // governance/permissions data to evaluate.
432  ACPermsMap::iterator ac_iter = local_ac_perms_.find(permissions_handle);
433 
434  if (ac_iter == local_ac_perms_.end()) {
435  return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_create_datareader: No matching permissions handle present");
436  }
437 
     // Governance pass. For each access rule that covers domain_id, a topic rule whose expression
     // matches topic_name and has is_read_protected == false allows creation immediately: the
     // Permissions grant, its validity dates and the revocation task below are all skipped.
     // NOTE(review): a matching rule that IS read-protected does not end the scan, so a later,
     // broader expression with protection disabled still returns true. Confirm this is the
     // intended precedence for overlapping topic expressions in the governance document.
438  gov_iter begin = ac_iter->second.gov->access_rules().begin();
439  gov_iter end = ac_iter->second.gov->access_rules().end();
440 
441  for (gov_iter giter = begin; giter != end; ++giter) {
442 
443  if (giter->domains.has(domain_id)) {
444  Governance::TopicAccessRules::iterator tr_iter;
445 
446  for (tr_iter = giter->topic_rules.begin(); tr_iter != giter->topic_rules.end(); ++tr_iter) {
447  if (pattern_match(topic_name, tr_iter->topic_expression.c_str())) {
448  if (!tr_iter->topic_attrs.is_read_protected) {
449  return true;
450  }
451  }
452  }
453  }
454  }
455 
456  // Check the Permissions file
457 
     // The grant is looked up by the subject stored with this handle; no grant means refusal.
458  const Permissions::Grant_rch grant = ac_iter->second.perm->find_grant(ac_iter->second.subject);
459  if (!grant) {
460  return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_create_datareader: Permissions grant not found");
461  }
462 
     // Fail closed on the grant's validity period; validate_date_time receives ex and is
     // presumably responsible for filling it in — confirm.
463  if (!validate_date_time(grant->validity, ex)) {
464  return false;
465  }
466 
     // Evaluate the grant for SUBSCRIBE on this topic, domain and partition.
467  if (!search_permissions(topic_name, domain_id, partition, Permissions::SUBSCRIBE, *grant, ex)) {
468  return false;
469  }
470 
     // Register the handle with the local revoke-permissions task, passing the grant's not_after
     // as the expiration argument — presumably so access is withdrawn when the grant expires
     // (confirm in RevokePermissionsTask). This runs only on the Permissions path, not for the
     // early governance return above.
471  make_task(local_rp_task_)->insert(permissions_handle, grant->validity.not_after);
472 
473  return true;
474 }
const InstanceHandle_t HANDLE_NIL
void insert(DDS::Security::PermissionsHandle pm_handle, const time_t &expiration)
static bool pattern_match(const char *string, const char *pattern)
bool set_security_error(DDS::Security::SecurityException &ex, int code, int minor_code, const char *message)
Governance::GovernanceAccessRules::iterator gov_iter
#define ACE_GUARD_RETURN(MUTEX, OBJ, LOCK, RETURN)
bool validate_date_time(const Permissions::Validity_t &validity, DDS::Security::SecurityException &ex)
bool search_permissions(const char *topic_name, DDS::Security::DomainId_t domain_id, const DDS::PartitionQosPolicy &partition, Permissions::PublishSubscribe_t pub_or_sub, const Permissions::Grant &grant, DDS::Security::SecurityException &ex)
DCPS::RcHandle< Grant > Grant_rch
Definition: Permissions.h:74
RevokePermissionsTask_rch & make_task(RevokePermissionsTask_rch &task)

◆ check_create_datawriter()

CORBA::Boolean OpenDDS::Security::AccessControlBuiltInImpl::check_create_datawriter ( DDS::Security::PermissionsHandle  permissions_handle,
DDS::Security::DomainId_t  domain_id,
const char *  topic_name,
const DDS::DataWriterQos & qos,
const DDS::PartitionQosPolicy & partition,
const DDS::Security::DataTags & data_tag,
DDS::Security::SecurityException & ex
)
virtual

Definition at line 351 of file AccessControlBuiltInImpl.cpp.

References ACE_GUARD_RETURN, handle_mutex_, DDS::HANDLE_NIL, OpenDDS::Security::AccessControlBuiltInImpl::RevokePermissionsTask::insert(), local_ac_perms_, local_rp_task_, make_task(), pattern_match(), OpenDDS::Security::Permissions::PUBLISH, search_permissions(), OpenDDS::Security::CommonUtilities::set_security_error(), and validate_date_time().

359 {
     // Decides whether a local DataWriter may be created on topic_name in domain_id for the
     // participant identified by permissions_handle. Returns true to allow. Every refusal goes
     // through set_security_error(ex, ...) or a helper that receives ex, so the caller gets a
     // reason (the bool returned by set_security_error is presumably false — confirm).
     // The qos and data_tag parameters are not referenced in the lines shown.
360  if (DDS::HANDLE_NIL == permissions_handle) {
361  return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_create_datawriter: Invalid permissions handle");
362  }
363  if (0 == topic_name) {
364  return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_create_datawriter: Invalid Topic Name");
365  }
366 
     // NOTE(review): source line 367 is missing from this listing. The References list for this
     // function names ACE_GUARD_RETURN and handle_mutex_, so the lock guarding local_ac_perms_
     // is presumably taken here — confirm against AccessControlBuiltInImpl.cpp.
368 
     // An unknown handle is refused: only handles present in local_ac_perms_ carry cached
     // governance/permissions data to evaluate.
369  ACPermsMap::iterator ac_iter = local_ac_perms_.find(permissions_handle);
370 
371  if (ac_iter == local_ac_perms_.end()) {
372  return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_create_datawriter: No matching permissions handle present");
373  }
374 
     // Governance pass. For each access rule that covers domain_id, a topic rule whose expression
     // matches topic_name and has is_write_protected == false allows creation immediately: the
     // Permissions grant, its validity dates and the revocation task below are all skipped.
     // NOTE(review): a matching rule that IS write-protected does not end the scan, so a later,
     // broader expression with protection disabled still returns true. Confirm this is the
     // intended precedence for overlapping topic expressions in the governance document.
375  gov_iter begin = ac_iter->second.gov->access_rules().begin();
376  gov_iter end = ac_iter->second.gov->access_rules().end();
377 
378  for (gov_iter giter = begin; giter != end; ++giter) {
379 
380  if (giter->domains.has(domain_id)) {
381  Governance::TopicAccessRules::iterator tr_iter;
382 
383  for (tr_iter = giter->topic_rules.begin(); tr_iter != giter->topic_rules.end(); ++tr_iter) {
384  if (pattern_match(topic_name, tr_iter->topic_expression.c_str())) {
385  if (!tr_iter->topic_attrs.is_write_protected) {
386  return true;
387  }
388  }
389  }
390  }
391  }
392 
393  // Check the Permissions file
394 
     // The grant is looked up by the subject stored with this handle; no grant means refusal.
395  const Permissions::Grant_rch grant = ac_iter->second.perm->find_grant(ac_iter->second.subject);
396  if (!grant) {
397  return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_create_datawriter: Permissions grant not found");
398  }
399 
     // Fail closed on the grant's validity period; validate_date_time receives ex and is
     // presumably responsible for filling it in — confirm.
400  if (!validate_date_time(grant->validity, ex)) {
401  return false;
402  }
403 
     // Evaluate the grant for PUBLISH on this topic, domain and partition.
404  if (!search_permissions(topic_name, domain_id, partition, Permissions::PUBLISH, *grant, ex)) {
405  return false;
406  }
407 
     // Register the handle with the local revoke-permissions task, passing the grant's not_after
     // as the expiration argument — presumably so access is withdrawn when the grant expires
     // (confirm in RevokePermissionsTask). This runs only on the Permissions path, not for the
     // early governance return above.
408  make_task(local_rp_task_)->insert(permissions_handle, grant->validity.not_after);
409 
410  return true;
411 }
const InstanceHandle_t HANDLE_NIL
void insert(DDS::Security::PermissionsHandle pm_handle, const time_t &expiration)
static bool pattern_match(const char *string, const char *pattern)
bool set_security_error(DDS::Security::SecurityException &ex, int code, int minor_code, const char *message)
Governance::GovernanceAccessRules::iterator gov_iter
#define ACE_GUARD_RETURN(MUTEX, OBJ, LOCK, RETURN)
bool validate_date_time(const Permissions::Validity_t &validity, DDS::Security::SecurityException &ex)
bool search_permissions(const char *topic_name, DDS::Security::DomainId_t domain_id, const DDS::PartitionQosPolicy &partition, Permissions::PublishSubscribe_t pub_or_sub, const Permissions::Grant &grant, DDS::Security::SecurityException &ex)
DCPS::RcHandle< Grant > Grant_rch
Definition: Permissions.h:74
RevokePermissionsTask_rch & make_task(RevokePermissionsTask_rch &task)

◆ check_create_participant()

CORBA::Boolean OpenDDS::Security::AccessControlBuiltInImpl::check_create_participant ( DDS::Security::PermissionsHandle  permissions_handle,
DDS::Security::DomainId_t  domain_id,
const DDS::DomainParticipantQos & qos,
DDS::Security::SecurityException & ex
)
virtual

Definition at line 282 of file AccessControlBuiltInImpl.cpp.

References ACE_GUARD_RETURN, handle_mutex_, DDS::HANDLE_NIL, local_ac_perms_, and OpenDDS::Security::CommonUtilities::set_security_error().

287 {
     // Decides whether a DomainParticipant may be created in domain_id under the cached
     // governance for permissions_handle. Returns true to allow; refusals return the result of
     // set_security_error(ex, ...) (presumably false — confirm). The qos parameter is not
     // referenced in the lines shown.
288  if (DDS::HANDLE_NIL == permissions_handle) {
289  return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_create_participant: Invalid permissions handle");
290  }
291 
292 /*
293  * The rules of this method need to be evaluated in this order, however, we need to check
294  * to make sure the permission handle exists in our store prior to assessing these rules
295 */
296  /* From Table 63 of the spec.
297  This operation shall use the permissions_handle to retrieve
298  the cached Permissions and Governance information.
299  If the Governance specifies any topics on the
300  DomainParticipant domain_id with
301  enable_read_access_control set to FALSE or with
302  enable_write_access_control set to FALSE, then the
303  operation shall succeed and return TRUE.
304  If the ParticipantSecurityAttributes has
305  is_access_protected set to FALSE, then the operation shall
306  succeed and return TRUE.
307  Otherwise the operation shall return FALSE.
308  */
309 
     // NOTE(review): source line 310 is missing from this listing. The References list for this
     // function names ACE_GUARD_RETURN and handle_mutex_, so the lock guarding local_ac_perms_
     // is presumably taken here — confirm against AccessControlBuiltInImpl.cpp.
311 
312  ACPermsMap::iterator piter = local_ac_perms_.find(permissions_handle);
313 
314  if (piter == local_ac_perms_.end()) {
315  return CommonUtilities::set_security_error(ex, -1, 0,
316  "AccessControlBuiltInImpl::check_create_participant: "
317  "No matching permissions handle present");
318  }
319 
     // The handle is bound to the domain_id stored with it; a request for any other domain is
     // refused so a handle cannot be reused across domains.
320  if (domain_id != piter->second.domain_id) {
321  return CommonUtilities::set_security_error(ex, -1, 0,
322  "AccessControlBuiltInImpl::check_create_participant: "
323  "Domain does not match validated permissions handle");
324  }
325 
     // Governance pass. Within each access rule covering domain_id, creation is allowed as soon
     // as ANY topic rule has read or write protection disabled (no topic name is compared here),
     // or when the domain's is_access_protected attribute is false.
326  gov_iter begin = piter->second.gov->access_rules().begin();
327  gov_iter end = piter->second.gov->access_rules().end();
328 
329  for (gov_iter giter = begin; giter != end; ++giter) {
330 
331  if (giter->domains.has(domain_id)) {
332  Governance::TopicAccessRules::iterator tr_iter;
333 
334  for (tr_iter = giter->topic_rules.begin(); tr_iter != giter->topic_rules.end(); ++tr_iter) {
335  if (!tr_iter->topic_attrs.is_read_protected || !tr_iter->topic_attrs.is_write_protected) {
336  return true;
337  }
338  }
339 
340  if (!giter->domain_attrs.is_access_protected) {
341  return true;
342  }
343  }
344  }
345 
     // NOTE(review): this refusal is also reached when governance for the domain exists but every
     // topic rule and the domain itself are protected, so the message text does not distinguish
     // "no governance" from "fully protected". No Permissions grant is consulted in the lines
     // shown; confirm against Table 63 whether a grant with an allow rule for this domain should
     // be evaluated before refusing.
346  return CommonUtilities::set_security_error(ex, -1, 0,
347  "AccessControlBuiltInImpl::check_create_participant: "
348  "No governance exists for this domain");
349 }
const InstanceHandle_t HANDLE_NIL
bool set_security_error(DDS::Security::SecurityException &ex, int code, int minor_code, const char *message)
Governance::GovernanceAccessRules::iterator gov_iter
#define ACE_GUARD_RETURN(MUTEX, OBJ, LOCK, RETURN)

◆ check_create_topic()

CORBA::Boolean OpenDDS::Security::AccessControlBuiltInImpl::check_create_topic ( DDS::Security::PermissionsHandle  permissions_handle,
DDS::Security::DomainId_t  domain_id,
const char *  topic_name,
const DDS::TopicQos & qos,
DDS::Security::SecurityException & ex
)
virtual

Definition at line 476 of file AccessControlBuiltInImpl.cpp.

References ACE_GUARD_RETURN, OpenDDS::Security::Permissions::ALLOW, handle_mutex_, DDS::HANDLE_NIL, local_ac_perms_, pattern_match(), OpenDDS::Security::CommonUtilities::set_security_error(), and validate_date_time().

482 {
     // Decides whether a Topic named topic_name may be created in domain_id for the participant
     // identified by permissions_handle. Returns true to allow; refusals return the result of
     // set_security_error(ex, ...) (presumably false — confirm) or false after a helper has been
     // given ex. The qos parameter is not referenced in the lines shown.
483  if (DDS::HANDLE_NIL == permissions_handle) {
484  return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_create_topic: Invalid permissions handle");
485  }
486  if (0 == topic_name) {
487  return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_create_topic: Invalid Topic Name");
488  }
489 
     // NOTE(review): source line 490 is missing from this listing. The References list for this
     // function names ACE_GUARD_RETURN and handle_mutex_, so the lock guarding local_ac_perms_
     // is presumably taken here — confirm against AccessControlBuiltInImpl.cpp.
491 
492  ACPermsMap::iterator ac_iter = local_ac_perms_.find(permissions_handle);
493 
494  if (ac_iter == local_ac_perms_.end()) {
495  return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_create_topic: No matching permissions handle present");
496  }
497 
498  // Check the Governance file for allowable topic attributes
499 
     // The handle is bound to the domain_id stored with it; any other domain is refused.
500  if (domain_id != ac_iter->second.domain_id) {
501  return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_create_topic: Requested domain ID does not match permissions handle");
502  }
503 
504  ::DDS::Security::DomainId_t domain_to_find = ac_iter->second.domain_id;
505 
     // Governance pass. A topic rule whose expression matches topic_name and that has either read
     // or write protection disabled allows creation immediately, before the grant is examined.
     // NOTE(review): a matching, fully protected rule does not end the scan, so a later, broader
     // expression with protection disabled still returns true — confirm intended precedence.
506  gov_iter begin = ac_iter->second.gov->access_rules().begin();
507  gov_iter end = ac_iter->second.gov->access_rules().end();
508 
509  for (gov_iter giter = begin; giter != end; ++giter) {
510 
511  if (giter->domains.has(domain_to_find)) {
512  Governance::TopicAccessRules::iterator tr_iter;
513 
514  for (tr_iter = giter->topic_rules.begin(); tr_iter != giter->topic_rules.end(); ++tr_iter) {
515  if (pattern_match(topic_name, tr_iter->topic_expression.c_str())) {
516  if (!tr_iter->topic_attrs.is_read_protected || !tr_iter->topic_attrs.is_write_protected) {
517  return true;
518  }
519  }
520  }
521  }
522  }
523 
     // Permissions pass: the grant is looked up by the subject stored with this handle and must
     // pass validate_date_time before its rules are read.
524  const Permissions::Grant_rch grant = ac_iter->second.perm->find_grant(ac_iter->second.subject);
525  if (!grant) {
526  return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_create_topic: grant not found");
527  }
528 
529  if (!validate_date_time(grant->validity, ex)) {
530  return false;
531  }
532 
     // NOTE(review): source line 533 is missing from this listing; denied_type, used below, is
     // presumably declared there — confirm against AccessControlBuiltInImpl.cpp.
534  bool found_deny = false;
535  // Iterate over allow / deny rules
     // For rules covering this domain, every action's topic list is matched against topic_name:
     //  - a match inside an ALLOW rule returns true at once, for either publish or subscribe;
     //  - a match inside a non-ALLOW rule is remembered (found_deny / denied_type), and only a
     //    second such match with a different ps_type produces the "both denied" error.
     // The scan continues after a single deny, so a later matching ALLOW rule still returns true.
536  for (perm_topic_rules_iter ptr_iter = grant->rules.begin(); ptr_iter != grant->rules.end(); ++ptr_iter) {
537 
538  if (ptr_iter->domains.has(domain_to_find)) {
539 
540  perm_topic_actions_iter tpsr_iter;
541  for (tpsr_iter = ptr_iter->actions.begin(); tpsr_iter != ptr_iter->actions.end(); ++tpsr_iter) {
542 
543  std::vector<std::string>::iterator tl_iter;
544  for (tl_iter = tpsr_iter->topics.begin(); tl_iter != tpsr_iter->topics.end(); ++tl_iter) {
545 
546  if (pattern_match(topic_name, tl_iter->c_str())) {
547  if (ptr_iter->ad_type == Permissions::ALLOW) {
548  return true;
549  }
550  if (found_deny && denied_type != tpsr_iter->ps_type) {
551  return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_create_topic: Both publish and subscribe are denied for this topic.");
552  } else if (!found_deny) {
553  found_deny = true;
554  denied_type = tpsr_iter->ps_type;
555  }
556  }
557  }
558  }
559  }
560  }
561 
562  // There is no matching rule for topic_name so use the value in default_permission
     // NOTE(review): this point is also reached when exactly one deny rule matched (found_deny is
     // true), so the comment above and the "No matching rule" message are not accurate for that
     // case; the outcome is then decided by default_permission alone.
563  if (grant->default_permission == Permissions::ALLOW) {
564  return true;
565  } else {
566  return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_create_topic: No matching rule for topic, default permission is DENY.");
567  }
568 }
Permissions::Actions::iterator perm_topic_actions_iter
Permissions::Rules::iterator perm_topic_rules_iter
const InstanceHandle_t HANDLE_NIL
static bool pattern_match(const char *string, const char *pattern)
bool set_security_error(DDS::Security::SecurityException &ex, int code, int minor_code, const char *message)
Governance::GovernanceAccessRules::iterator gov_iter
#define ACE_GUARD_RETURN(MUTEX, OBJ, LOCK, RETURN)
bool validate_date_time(const Permissions::Validity_t &validity, DDS::Security::SecurityException &ex)
DCPS::RcHandle< Grant > Grant_rch
Definition: Permissions.h:74
DDS::DomainId_t DomainId_t

◆ check_local_datareader_match()

CORBA::Boolean OpenDDS::Security::AccessControlBuiltInImpl::check_local_datareader_match ( DDS::Security::PermissionsHandle  reader_permissions_handle,
DDS::Security::PermissionsHandle  writer_permissions_handle,
const DDS::Security::SubscriptionBuiltinTopicDataSecure & subscription_data,
const DDS::Security::PublicationBuiltinTopicDataSecure & publication_data,
DDS::Security::SecurityException & ex
)
virtual

Definition at line 959 of file AccessControlBuiltInImpl.cpp.

References DDS::HANDLE_NIL, and OpenDDS::Security::CommonUtilities::set_security_error().

965 {
     // Called to decide whether a local DataReader may match a DataWriter. The body shown only
     // rejects nil handles: neither handle is looked up in local_ac_perms_, and
     // subscription_data / publication_data are not inspected, so any pair of non-nil handles
     // is reported as a permitted match.
     // NOTE(review): topic/partition/data-tag enforcement for matching is presumably performed
     // by other checks (e.g. check_remote_datawriter) — confirm before relying on this call as
     // an access decision.
966  if (DDS::HANDLE_NIL == writer_permissions_handle) {
967  return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_local_datareader_match: Invalid writer permissions handle");
968  }
969  if (DDS::HANDLE_NIL == reader_permissions_handle) {
970  return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_local_datareader_match: Invalid reader permissions handle");
971  }
972 
973  return true;
974 }
const InstanceHandle_t HANDLE_NIL
bool set_security_error(DDS::Security::SecurityException &ex, int code, int minor_code, const char *message)

◆ check_local_datawriter_dispose_instance()

CORBA::Boolean OpenDDS::Security::AccessControlBuiltInImpl::check_local_datawriter_dispose_instance ( DDS::Security::PermissionsHandle  permissions_handle,
DDS::DataWriter_ptr  writer,
DDS::DynamicData_ptr  key,
DDS::Security::SecurityException ex 
)
virtual

Definition at line 589 of file AccessControlBuiltInImpl.cpp.

References DDS::HANDLE_NIL, and OpenDDS::Security::CommonUtilities::set_security_error().

594 {
// Argument validation only: rejects a nil permissions handle, a null writer and a null key.
// No permissions document is consulted in this body, so the dispose is allowed for any
// caller that supplies non-nil arguments.
595  if (DDS::HANDLE_NIL == permissions_handle) {
596  return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_local_datawriter_dispose_instance: Invalid permissions handle");
597  }
598  if (0 == writer) {
599  return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_local_datawriter_dispose_instance: Invalid Writer");
600  }
601  if (0 == key) {
602  return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_local_datawriter_dispose_instance: Invalid Topic Key");
603  }
604 
// The key contents are not inspected; only its presence is checked above.
605  return true;
606 }
sequence< octet > key
const InstanceHandle_t HANDLE_NIL
bool set_security_error(DDS::Security::SecurityException &ex, int code, int minor_code, const char *message)

◆ check_local_datawriter_match()

CORBA::Boolean OpenDDS::Security::AccessControlBuiltInImpl::check_local_datawriter_match ( DDS::Security::PermissionsHandle  writer_permissions_handle,
DDS::Security::PermissionsHandle  reader_permissions_handle,
const DDS::Security::PublicationBuiltinTopicDataSecure publication_data,
const DDS::Security::SubscriptionBuiltinTopicDataSecure subscription_data,
DDS::Security::SecurityException ex 
)
virtual

Definition at line 942 of file AccessControlBuiltInImpl.cpp.

References DDS::HANDLE_NIL, and OpenDDS::Security::CommonUtilities::set_security_error().

948 {
// Local writer/reader match check. As listed, it only rejects nil permissions handles:
// publication_data and subscription_data are never read in this body, so no topic,
// partition or data-tag comparison gates the match here.
949  if (DDS::HANDLE_NIL == writer_permissions_handle) {
950  return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_local_datawriter_match: Invalid writer permissions handle");
951  }
952  if (DDS::HANDLE_NIL == reader_permissions_handle) {
953  return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_local_datawriter_match: Invalid reader permissions handle");
954  }
955 
// Any pair of non-nil handles is accepted; neither handle is looked up in local_ac_perms_.
956  return true;
957 }
const InstanceHandle_t HANDLE_NIL
bool set_security_error(DDS::Security::SecurityException &ex, int code, int minor_code, const char *message)

◆ check_local_datawriter_register_instance()

CORBA::Boolean OpenDDS::Security::AccessControlBuiltInImpl::check_local_datawriter_register_instance ( DDS::Security::PermissionsHandle  permissions_handle,
DDS::DataWriter_ptr  writer,
DDS::DynamicData_ptr  key,
DDS::Security::SecurityException ex 
)
virtual

Definition at line 570 of file AccessControlBuiltInImpl.cpp.

References DDS::HANDLE_NIL, and OpenDDS::Security::CommonUtilities::set_security_error().

575 {
// Argument validation only: rejects a nil permissions handle, a null writer and a null key.
// No permissions document is consulted in this body, so instance registration is allowed
// for any caller that supplies non-nil arguments.
576  if (DDS::HANDLE_NIL == permissions_handle) {
577  return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_local_datawriter_register_instance: Invalid permissions handle");
578  }
579  if (0 == writer) {
580  return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_local_datawriter_register_instance: Invalid Writer");
581  }
582  if (0 == key) {
583  return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_local_datawriter_register_instance: Invalid Topic Key");
584  }
585 
// The key contents are not inspected; only its presence is checked above.
586  return true;
587 }
sequence< octet > key
const InstanceHandle_t HANDLE_NIL
bool set_security_error(DDS::Security::SecurityException &ex, int code, int minor_code, const char *message)

◆ check_remote_datareader()

CORBA::Boolean OpenDDS::Security::AccessControlBuiltInImpl::check_remote_datareader ( DDS::Security::PermissionsHandle  permissions_handle,
DDS::Security::DomainId_t  domain_id,
const DDS::Security::SubscriptionBuiltinTopicDataSecure subscription_data,
bool &  relay_only,
DDS::Security::SecurityException ex 
)
virtual

Definition at line 750 of file AccessControlBuiltInImpl.cpp.

References ACE_GUARD_RETURN, handle_mutex_, DDS::HANDLE_NIL, OpenDDS::Security::AccessControlBuiltInImpl::RevokePermissionsTask::insert(), local_ac_perms_, make_task(), pattern_match(), remote_rp_task_, search_permissions(), OpenDDS::Security::CommonUtilities::set_security_error(), OpenDDS::Security::Permissions::SUBSCRIBE, and validate_date_time().

756 {
// Decides whether a remote DataReader may subscribe to subscription_data's topic in
// domain_id, using the governance rules and permissions grant stored under
// permissions_handle. Sets relay_only (always to false) once the handle has been found.
// NOTE(review): unlike check_remote_datawriter on this page, no empty-topic-name check
// appears here before the name is passed to pattern_match — confirm whether that is intended.
757  if (DDS::HANDLE_NIL == permissions_handle) {
758  return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_remote_datareader: Invalid permissions handle");
759  }
760 
// NOTE(review): the listing jumps from source line 760 to 762. The References list for this
// function names ACE_GUARD_RETURN and handle_mutex_, so the guard covering local_ac_perms_
// is presumably taken on the omitted line — confirm against AccessControlBuiltInImpl.cpp.
762 
763  ACPermsMap::iterator ac_iter = local_ac_perms_.find(permissions_handle);
764 
765  if (ac_iter == local_ac_perms_.end()) {
// NOTE(review): this message names check_create_datareader although the enclosing function
// is check_remote_datareader; log-based triage will attribute the denial to the wrong check.
766  return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_create_datareader: No matching permissions handle present");
767  }
768 
769  // Default this to false for now
770  relay_only = false;
771 
772  gov_iter begin = ac_iter->second.gov->access_rules().begin();
773  gov_iter end = ac_iter->second.gov->access_rules().end();
774 
// Governance pass: within access rules covering domain_id, any topic rule whose expression
// matches the topic and has is_read_protected == false allows the reader immediately. On that
// path the grant lookup, validity check and expiry registration below are all skipped.
// A matching rule that IS read-protected does not end the scan, so a later matching
// unprotected rule still allows. NOTE(review): confirm this precedence is intended.
775  for (gov_iter giter = begin; giter != end; ++giter) {
776 
777  if (giter->domains.has(domain_id)) {
778  Governance::TopicAccessRules::iterator tr_iter;
779 
780  for (tr_iter = giter->topic_rules.begin(); tr_iter != giter->topic_rules.end(); ++tr_iter) {
781  if (pattern_match(subscription_data.base.base.topic_name, tr_iter->topic_expression.c_str())) {
782  if (!tr_iter->topic_attrs.is_read_protected) {
783  return true;
784  }
785  }
786  }
787  }
788  }
789 
// Read-protected (or unmatched) topic: fall back to the permissions grant for the stored subject.
790  const Permissions::Grant_rch grant = ac_iter->second.perm->find_grant(ac_iter->second.subject);
791  if (!grant) {
792  return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_remote_datareader: Permissions grant not found");
793  }
794 
// validate_date_time receives `ex`, so it is expected to describe the failure itself.
795  if (!validate_date_time(grant->validity, ex)) {
796  return false;
797  }
798 
// SUBSCRIBE permission is evaluated against topic, domain and partition by search_permissions.
799  if (!search_permissions(subscription_data.base.base.topic_name, domain_id,
800  subscription_data.base.base.partition, Permissions::SUBSCRIBE,
801  *grant, ex)) {
802  return false;
803  }
804 
// Hands the handle and the grant's not_after time to the RevokePermissionsTask held in
// remote_rp_task_ (presumably so access is withdrawn when the grant expires — confirm).
805  make_task(remote_rp_task_)->insert(permissions_handle, grant->validity.not_after);
806 
807  return true;
808 }
const InstanceHandle_t HANDLE_NIL
void insert(DDS::Security::PermissionsHandle pm_handle, const time_t &expiration)
static bool pattern_match(const char *string, const char *pattern)
bool set_security_error(DDS::Security::SecurityException &ex, int code, int minor_code, const char *message)
Governance::GovernanceAccessRules::iterator gov_iter
#define ACE_GUARD_RETURN(MUTEX, OBJ, LOCK, RETURN)
DDS::SubscriptionBuiltinTopicData base
bool validate_date_time(const Permissions::Validity_t &validity, DDS::Security::SecurityException &ex)
bool search_permissions(const char *topic_name, DDS::Security::DomainId_t domain_id, const DDS::PartitionQosPolicy &partition, Permissions::PublishSubscribe_t pub_or_sub, const Permissions::Grant &grant, DDS::Security::SecurityException &ex)
DCPS::RcHandle< Grant > Grant_rch
Definition: Permissions.h:74
RevokePermissionsTask_rch & make_task(RevokePermissionsTask_rch &task)

◆ check_remote_datawriter()

CORBA::Boolean OpenDDS::Security::AccessControlBuiltInImpl::check_remote_datawriter ( DDS::Security::PermissionsHandle  permissions_handle,
DDS::Security::DomainId_t  domain_id,
const DDS::Security::PublicationBuiltinTopicDataSecure publication_data,
DDS::Security::SecurityException ex 
)
virtual

Definition at line 690 of file AccessControlBuiltInImpl.cpp.

References ACE_GUARD_RETURN, handle_mutex_, DDS::HANDLE_NIL, OpenDDS::Security::AccessControlBuiltInImpl::RevokePermissionsTask::insert(), local_ac_perms_, make_task(), pattern_match(), OpenDDS::Security::Permissions::PUBLISH, remote_rp_task_, search_permissions(), OpenDDS::Security::CommonUtilities::set_security_error(), and validate_date_time().

695 {
// Decides whether a remote DataWriter may publish on publication_data's topic in domain_id,
// using the governance rules and permissions grant stored under permissions_handle.
696  if (DDS::HANDLE_NIL == permissions_handle) {
697  return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_remote_datawriter: Invalid permissions handle");
698  }
699 
// An empty topic name is rejected before any rule matching is attempted.
700  if (publication_data.base.base.topic_name[0] == 0) {
701  return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_remote_datawriter: Invalid topic name");
702  }
703 
// NOTE(review): the listing jumps from source line 703 to 705. The References list for this
// function names ACE_GUARD_RETURN and handle_mutex_, so the guard covering local_ac_perms_
// is presumably taken on the omitted line — confirm against AccessControlBuiltInImpl.cpp.
705 
706  ACPermsMap::iterator ac_iter = local_ac_perms_.find(permissions_handle);
707 
708  if (ac_iter == local_ac_perms_.end()) {
709  return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_remote_datawriter: No matching permissions handle present");
710  }
711 
712  gov_iter begin = ac_iter->second.gov->access_rules().begin();
713  gov_iter end = ac_iter->second.gov->access_rules().end();
714 
// Governance pass: within access rules covering domain_id, any topic rule whose expression
// matches the topic and has is_write_protected == false allows the writer immediately. On that
// path the grant lookup, validity check and expiry registration below are all skipped.
// A matching rule that IS write-protected does not end the scan, so a later matching
// unprotected rule still allows. NOTE(review): confirm this precedence is intended.
715  for (gov_iter giter = begin; giter != end; ++giter) {
716 
717  if (giter->domains.has(domain_id)) {
718  Governance::TopicAccessRules::iterator tr_iter;
719 
720  for (tr_iter = giter->topic_rules.begin(); tr_iter != giter->topic_rules.end(); ++tr_iter) {
721  if (pattern_match(publication_data.base.base.topic_name, tr_iter->topic_expression.c_str())) {
722  if (!tr_iter->topic_attrs.is_write_protected) {
723  return true;
724  }
725  }
726  }
727  }
728  }
729 
// Write-protected (or unmatched) topic: fall back to the permissions grant for the stored subject.
730  const Permissions::Grant_rch grant = ac_iter->second.perm->find_grant(ac_iter->second.subject);
731  if (!grant) {
732  return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_remote_datawriter: Permissions grant not found");
733  }
734 
// validate_date_time receives `ex`, so it is expected to describe the failure itself.
735  if (!validate_date_time(grant->validity, ex)) {
736  return false;
737  }
738 
// PUBLISH permission is evaluated against topic, domain and partition by search_permissions.
739  if (!search_permissions(publication_data.base.base.topic_name, domain_id,
740  publication_data.base.base.partition, Permissions::PUBLISH,
741  *grant, ex)) {
742  return false;
743  }
744 
// Hands the handle and the grant's not_after time to the RevokePermissionsTask held in
// remote_rp_task_ (presumably so access is withdrawn when the grant expires — confirm).
745  make_task(remote_rp_task_)->insert(permissions_handle, grant->validity.not_after);
746 
747  return true;
748 }
DDS::PublicationBuiltinTopicData base
const InstanceHandle_t HANDLE_NIL
void insert(DDS::Security::PermissionsHandle pm_handle, const time_t &expiration)
static bool pattern_match(const char *string, const char *pattern)
bool set_security_error(DDS::Security::SecurityException &ex, int code, int minor_code, const char *message)
Governance::GovernanceAccessRules::iterator gov_iter
#define ACE_GUARD_RETURN(MUTEX, OBJ, LOCK, RETURN)
bool validate_date_time(const Permissions::Validity_t &validity, DDS::Security::SecurityException &ex)
bool search_permissions(const char *topic_name, DDS::Security::DomainId_t domain_id, const DDS::PartitionQosPolicy &partition, Permissions::PublishSubscribe_t pub_or_sub, const Permissions::Grant &grant, DDS::Security::SecurityException &ex)
DCPS::RcHandle< Grant > Grant_rch
Definition: Permissions.h:74
RevokePermissionsTask_rch & make_task(RevokePermissionsTask_rch &task)

◆ check_remote_datawriter_dispose_instance()

CORBA::Boolean OpenDDS::Security::AccessControlBuiltInImpl::check_remote_datawriter_dispose_instance ( DDS::Security::PermissionsHandle  permissions_handle,
DDS::DataReader_ptr  reader,
DDS::InstanceHandle_t  publication_handle,
DDS::DynamicData_ptr  key,
DDS::Security::SecurityException ex 
)
virtual

Definition at line 997 of file AccessControlBuiltInImpl.cpp.

References DDS::HANDLE_NIL, and OpenDDS::Security::CommonUtilities::set_security_error().

1003 {
// Argument validation only: rejects a nil permissions or publication handle, a null reader
// and a null key. No permissions document is consulted in this body, so a remote dispose is
// allowed whenever the arguments are non-nil.
// Both handle failures share one message, so `ex` does not say which handle was nil.
1004  if (DDS::HANDLE_NIL == permissions_handle ||
1005  DDS::HANDLE_NIL == publication_handle) {
1006  return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_remote_datawriter_dispose_instance: Invalid handle");
1007  }
1008  if (0 == reader) {
1009  return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_remote_datawriter_dispose_instance: Invalid Reader pointer");
1010  }
1011  if (0 == key) {
1012  return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_remote_datawriter_dispose_instance: Invalid Topic Key");
1013  }
1014  return true;
1015 }
sequence< octet > key
const InstanceHandle_t HANDLE_NIL
bool set_security_error(DDS::Security::SecurityException &ex, int code, int minor_code, const char *message)

◆ check_remote_datawriter_register_instance()

CORBA::Boolean OpenDDS::Security::AccessControlBuiltInImpl::check_remote_datawriter_register_instance ( DDS::Security::PermissionsHandle  permissions_handle,
DDS::DataReader_ptr  reader,
DDS::InstanceHandle_t  publication_handle,
DDS::DynamicData_ptr  key,
DDS::Security::SecurityException ex 
)
virtual

Definition at line 976 of file AccessControlBuiltInImpl.cpp.

References DDS::HANDLE_NIL, and OpenDDS::Security::CommonUtilities::set_security_error().

982 {
// Argument validation only: rejects a nil permissions or publication handle, a null reader
// and a null key. No permissions document is consulted in this body, so a remote instance
// registration is allowed whenever the arguments are non-nil.
// Both handle failures share one message, so `ex` does not say which handle was nil.
983  if (DDS::HANDLE_NIL == permissions_handle ||
984  DDS::HANDLE_NIL == publication_handle) {
985  return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_remote_datawriter_register_instance: Invalid handle");
986  }
987  if (0 == reader) {
988  return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_remote_datawriter_register_instance: Invalid Reader pointer");
989  }
990  if (0 == key) {
991  return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_remote_datawriter_register_instance: Invalid Topic Key");
992  }
993 
994  return true;
995 }
sequence< octet > key
const InstanceHandle_t HANDLE_NIL
bool set_security_error(DDS::Security::SecurityException &ex, int code, int minor_code, const char *message)

◆ check_remote_participant()

CORBA::Boolean OpenDDS::Security::AccessControlBuiltInImpl::check_remote_participant ( DDS::Security::PermissionsHandle  permissions_handle,
DDS::Security::DomainId_t  domain_id,
const DDS::Security::ParticipantBuiltinTopicDataSecure participant_data,
DDS::Security::SecurityException ex 
)
virtual

Definition at line 608 of file AccessControlBuiltInImpl.cpp.

References ACE_GUARD_RETURN, OpenDDS::Security::Permissions::ALLOW, handle_mutex_, DDS::HANDLE_NIL, local_ac_perms_, parse_class_id(), OpenDDS::Security::CommonUtilities::set_security_error(), and strcmp().

613 {
// Decides whether a remote participant may join domain_id. Order of evaluation as listed:
// governance (unprotected domain => allow), permissions-token class id comparison,
// grant rules for the domain, then the grant's default_permission.
614  if (DDS::HANDLE_NIL == permissions_handle) {
615  return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_remote_participant: Invalid permissions handle");
616  }
617 
// NOTE(review): the listing jumps from source line 617 to 619. The References list for this
// function names ACE_GUARD_RETURN and handle_mutex_, so the guard covering local_ac_perms_
// is presumably taken on the omitted line — confirm against AccessControlBuiltInImpl.cpp.
619 
620  ACPermsMap::iterator ac_iter = local_ac_perms_.find(permissions_handle);
621 
622  if (ac_iter == local_ac_perms_.end()) {
623  return CommonUtilities::set_security_error(ex,-1, 0, "AccessControlBuiltInImpl::check_remote_participant: No matching permissions handle present");
624  }
625 
626  gov_iter begin = ac_iter->second.gov->access_rules().begin();
627  gov_iter end = ac_iter->second.gov->access_rules().end();
628 
// Any access rule covering domain_id with is_access_protected == false admits the
// participant here, before the class-id comparison and the grant checks below run.
629  for (gov_iter giter = begin; giter != end; ++giter) {
630  if (giter->domains.has(domain_id) && !giter->domain_attrs.is_access_protected) {
631  return true;
632  }
633  }
634 
635  // Check the PluginClassName and MajorVersion of the local permissions vs. remote See Table 63 of spec
636  const std::string remote_class_id = participant_data.base.permissions_token.class_id.in();
637 
// Only local_major_ver has an initializer. remote_major_ver is read in the version
// comparison below, so that read relies on parse_class_id always assigning its
// out-parameters. NOTE(review): confirm in parse_class_id, or initialize all four.
638  std::string local_plugin_class_name,
639  remote_plugin_class_name;
640  int local_major_ver = 0,
641  local_minor_ver,
642  remote_major_ver,
643  remote_minor_ver;
644 
645  if (remote_class_id.length() > 0) {
646  parse_class_id(remote_class_id, remote_plugin_class_name, remote_major_ver, remote_minor_ver);
647  } else {
648  return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_remote_participant: Invalid remote class ID");
649  }
650 
// The local class id is taken from the first OTHER entry in local_ac_perms_ registered for
// this domain. If no such entry exists, local_plugin_class_name stays empty and
// local_major_ver stays 0, and the comparisons below run against those defaults.
651  for (ACPermsMap::iterator local_iter = local_ac_perms_.begin(); local_iter != local_ac_perms_.end(); ++local_iter) {
652  if (local_iter->second.domain_id == domain_id && local_iter->first != permissions_handle) {
653  const std::string local_class_id = local_iter->second.perm->perm_token_.class_id.in();
654 
655  if (local_class_id.length() > 0) {
656  parse_class_id(local_class_id, local_plugin_class_name, local_major_ver, local_minor_ver);
657  break;
658  } else {
659  return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_remote_participant: Invalid local class ID");
660  }
661  }
662  }
663 
// strcmp returns non-zero when the names differ, so this branch is the mismatch case.
664  if (strcmp(local_plugin_class_name.c_str(), remote_plugin_class_name.c_str())) {
665  return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_remote_participant: Class ID plugin class name do not match");
666  }
667 
// Minor versions are parsed but never compared; only the major version must agree.
668  if (local_major_ver != remote_major_ver) {
669  return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_remote_participant: Class ID major versions do not match");
670  }
671 
// NOTE(review): unlike check_remote_datareader, check_remote_datawriter and
// check_remote_topic on this page, no validate_date_time(grant->validity, ex) call appears
// in this listing. Confirm that grant expiry is enforced for participants elsewhere.
672  const Permissions::Grant_rch grant = ac_iter->second.perm->find_grant(ac_iter->second.subject);
673  if (!grant) {
674  return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_remote_participant: Permissions grant not found");
675  }
676 
// Any rule that covers domain_id with ad_type ALLOW authorizes the participant. DENY rules
// are not examined in this loop; they only matter by not matching.
677  for (perm_topic_rules_iter ptr_iter = grant->rules.begin(); ptr_iter != grant->rules.end(); ++ptr_iter) {
678  if (ptr_iter->domains.has(domain_id) && ptr_iter->ad_type == Permissions::ALLOW) {
679  return true;
680  }
681  }
682 
// With no ALLOW rule for the domain, a grant whose default is ALLOW still admits.
683  if (grant->default_permission == Permissions::ALLOW) {
684  return true; // DDSSEC12-85
685  }
686 
687  return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_remote_participant: Not authorized for domain");
688 }
Permissions::Rules::iterator perm_topic_rules_iter
const InstanceHandle_t HANDLE_NIL
void parse_class_id(const std::string &class_id, std::string &plugin_class_name, int &major_version, int &minor_version)
bool set_security_error(DDS::Security::SecurityException &ex, int code, int minor_code, const char *message)
Governance::GovernanceAccessRules::iterator gov_iter
#define ACE_GUARD_RETURN(MUTEX, OBJ, LOCK, RETURN)
int strcmp(const char *s, const char *t)
DCPS::RcHandle< Grant > Grant_rch
Definition: Permissions.h:74

◆ check_remote_topic()

CORBA::Boolean OpenDDS::Security::AccessControlBuiltInImpl::check_remote_topic ( DDS::Security::PermissionsHandle  permissions_handle,
DDS::Security::DomainId_t  domain_id,
const DDS::TopicBuiltinTopicData topic_data,
DDS::Security::SecurityException ex 
)
virtual

Definition at line 810 of file AccessControlBuiltInImpl.cpp.

References ACE_GUARD_RETURN, OpenDDS::Security::Permissions::ALLOW, handle_mutex_, DDS::HANDLE_NIL, local_ac_perms_, parse_class_id(), pattern_match(), OpenDDS::Security::Permissions::PUBLISH, OpenDDS::Security::CommonUtilities::set_security_error(), strcmp(), OpenDDS::Security::Permissions::SUBSCRIBE, and validate_date_time().

815 {
// Decides whether a remote participant's topic (topic_data.name) is acceptable in domain_id.
// Order of evaluation as listed: argument checks, permissions-token class id comparison,
// governance topic rules, grant validity, grant publish/subscribe rules, default_permission.
816  // NOTE: permissions_handle is for the remote DomainParticipant.
817  if (DDS::HANDLE_NIL == permissions_handle) {
818  return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_remote_topic: Invalid permissions handle");
819  }
820 
821  if (topic_data.name[0] == 0) {
822  return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_remote_topic: Invalid topic data");
823  }
824 
// NOTE(review): the listing jumps from source line 824 to 826. The References list for this
// function names ACE_GUARD_RETURN and handle_mutex_, so the guard covering local_ac_perms_
// is presumably taken on the omitted line — confirm against AccessControlBuiltInImpl.cpp.
826 
827  ACPermsMap::iterator ac_iter = local_ac_perms_.find(permissions_handle);
828 
829  if (ac_iter == local_ac_perms_.end()) {
830  return CommonUtilities::set_security_error(ex,-1, 0, "AccessControlBuiltInImpl::check_remote_topic: No matching permissions handle present");
831  }
832 
833  // Compare the PluginClassName and MajorVersion of the local permissions_token
834  // with those in the remote_permissions_token.
// Here the "remote" class id is read from the perm_token_ stored with the entry for
// permissions_handle, not from topic_data.
835  const std::string remote_class_id = ac_iter->second.perm->perm_token_.class_id.in();
836 
// Only local_major_ver has an initializer. remote_major_ver is read in the version
// comparison below, so that read relies on parse_class_id always assigning its
// out-parameters. NOTE(review): confirm in parse_class_id, or initialize all four.
837  std::string local_plugin_class_name,
838  remote_plugin_class_name;
839  int local_major_ver = 0,
840  local_minor_ver,
841  remote_major_ver,
842  remote_minor_ver;
843 
844  if (remote_class_id.length() > 0) {
845  parse_class_id(remote_class_id, remote_plugin_class_name, remote_major_ver, remote_minor_ver);
846  } else {
847  return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_remote_topic: Invalid remote class ID");
848  }
849 
// The local class id is taken from the first OTHER entry in local_ac_perms_ registered for
// this domain. If no such entry exists, local_plugin_class_name stays empty and
// local_major_ver stays 0, and the comparisons below run against those defaults.
850  for (ACPermsMap::iterator local_iter = local_ac_perms_.begin(); local_iter != local_ac_perms_.end(); ++local_iter) {
851  if (local_iter->second.domain_id == domain_id && local_iter->first != permissions_handle) {
852  const std::string local_class_id = local_iter->second.perm->perm_token_.class_id.in();
853 
854  if (local_class_id.length() > 0) {
855  parse_class_id(local_class_id, local_plugin_class_name, local_major_ver, local_minor_ver);
856  break;
857  } else {
858  return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_remote_topic: Invalid local class ID");
859  }
860  }
861  }
862 
// strcmp returns non-zero when the names differ, so this branch is the mismatch case.
863  if (strcmp(local_plugin_class_name.c_str(), remote_plugin_class_name.c_str())) {
864  return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_remote_topic: Class ID plugin class name do not match");
865  }
866 
// Minor versions are parsed but never compared; only the major version must agree.
867  if (local_major_ver != remote_major_ver) {
868  return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_remote_topic: Class ID major versions do not match");
869  }
870 
871  // Check the Governance file for allowable topic attributes
872 
873  gov_iter begin = ac_iter->second.gov->access_rules().begin();
874  gov_iter end = ac_iter->second.gov->access_rules().end();
875 
// Governance pass: a matching topic rule allows the topic as soon as EITHER read or write
// protection is off; only a rule with both flags set keeps the scan going. On the allow
// path the grant lookup and validity check below are skipped.
876  for (gov_iter giter = begin; giter != end; ++giter) {
877 
878  if (giter->domains.has(domain_id)) {
879  Governance::TopicAccessRules::iterator tr_iter;
880 
881  for (tr_iter = giter->topic_rules.begin(); tr_iter != giter->topic_rules.end(); ++tr_iter) {
882  if (pattern_match(topic_data.name, tr_iter->topic_expression.c_str())) {
883  if (!tr_iter->topic_attrs.is_read_protected || !tr_iter->topic_attrs.is_write_protected) {
884  return true;
885  }
886  }
887  }
888  }
889  }
890 
891  const Permissions::Grant_rch grant = ac_iter->second.perm->find_grant(ac_iter->second.subject);
892  if (!grant) {
893  return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_remote_topic: grant not found");
894  }
895 
// validate_date_time receives `ex`, so it is expected to describe the failure itself.
896  if (!validate_date_time(grant->validity, ex)) {
897  return false;
898  }
899 
// NOTE(review): the listing jumps from source line 899 to 901, and denied_type (used below)
// has no visible declaration; it is presumably declared on the omitted line — confirm.
901  bool found_deny = false;
902  for (perm_topic_rules_iter ptr_iter = grant->rules.begin(); ptr_iter != grant->rules.end(); ++ptr_iter) {
903 
904  if (ptr_iter->domains.has(domain_id)) {
905 
906  // Iterate over pub / sub rules
907  perm_topic_actions_iter tpsr_iter;
908  for (tpsr_iter = ptr_iter->actions.begin(); tpsr_iter != ptr_iter->actions.end(); ++tpsr_iter) {
909 
910  // Check to make sure they can publish or subscribe to the topic
911  // TODO Add support for relay permissions once relay only key exchange is supported
912  if (tpsr_iter->ps_type == Permissions::PUBLISH || tpsr_iter->ps_type == Permissions::SUBSCRIBE) {
913 
914  std::vector<std::string>::iterator tl_iter;
915  for (tl_iter = tpsr_iter->topics.begin(); tl_iter != tpsr_iter->topics.end(); ++tl_iter) {
916 
917  if (pattern_match(topic_data.name, tl_iter->c_str())) {
// A matching topic under an ALLOW rule authorizes immediately, for either action type.
918  if (ptr_iter->ad_type == Permissions::ALLOW) {
919  return true;
920  }
// Non-ALLOW match: the first denied action type is remembered; the topic is rejected only
// when a second match denies the other action type (both publish and subscribe denied).
921  if (found_deny && denied_type != tpsr_iter->ps_type) {
922  return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_remote_topic: Both publish and subscribe are denied for this topic.");
923  } else if (!found_deny) {
924  found_deny = true;
925  denied_type = tpsr_iter->ps_type;
926  }
927  }
928  }
929  }
930  }
931  }
932  }
933 
934  // There is no matching rule for topic_name so use the value in default_permission
// This point is also reached when exactly one action type was denied above (found_deny is
// true), so a single matching deny still defers to default_permission.
935  if (grant->default_permission == Permissions::ALLOW) {
936  return true;
937  } else {
938  return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_remote_topic: No matching rule for topic, default permission is DENY.");
939  }
940 }
Permissions::Actions::iterator perm_topic_actions_iter
Permissions::Rules::iterator perm_topic_rules_iter
const InstanceHandle_t HANDLE_NIL
static bool pattern_match(const char *string, const char *pattern)
void parse_class_id(const std::string &class_id, std::string &plugin_class_name, int &major_version, int &minor_version)
bool set_security_error(DDS::Security::SecurityException &ex, int code, int minor_code, const char *message)
Governance::GovernanceAccessRules::iterator gov_iter
#define ACE_GUARD_RETURN(MUTEX, OBJ, LOCK, RETURN)
int strcmp(const char *s, const char *t)
bool validate_date_time(const Permissions::Validity_t &validity, DDS::Security::SecurityException &ex)
DCPS::RcHandle< Grant > Grant_rch
Definition: Permissions.h:74

◆ generate_handle()

CORBA::Long OpenDDS::Security::AccessControlBuiltInImpl::generate_handle ( )
private

◆ get_datareader_sec_attributes()

CORBA::Boolean OpenDDS::Security::AccessControlBuiltInImpl::get_datareader_sec_attributes ( DDS::Security::PermissionsHandle  permissions_handle,
const char *  topic_name,
const DDS::PartitionQosPolicy partition,
const DDS::Security::DataTagQosPolicy data_tag,
DDS::Security::EndpointSecurityAttributes attributes,
DDS::Security::SecurityException ex 
)
virtual

Definition at line 1235 of file AccessControlBuiltInImpl.cpp.

References get_sec_attributes(), DDS::HANDLE_NIL, and OpenDDS::Security::CommonUtilities::set_security_error().

1242 {
// Validates the handle and topic name, then delegates to get_sec_attributes() to fill
// `attributes` for a DataReader endpoint. Returns false with `ex` set on any failure.
// The two messages below carry no function-name prefix, unlike the other checks on this
// page, so they cannot be told apart from another function's errors in logs by text alone.
1243  if (DDS::HANDLE_NIL == permissions_handle) {
1244  CommonUtilities::set_security_error(ex, -1, 0, "Invalid permissions handle");
1245  return false;
1246  }
1247 
// Only a null pointer is rejected here; an empty string is passed through.
1248  if (0 == topic_name) {
1249  CommonUtilities::set_security_error(ex, -1, 0, "Invalid topic name");
1250  return false;
1251  }
1252 
// get_sec_attributes receives `ex`, so it is expected to describe its own failure.
1253  if (!get_sec_attributes(permissions_handle, topic_name, partition, data_tag, attributes, ex)) {
1254  return false;
1255  }
1256 
1257  return true;
1258 }
const InstanceHandle_t HANDLE_NIL
bool set_security_error(DDS::Security::SecurityException &ex, int code, int minor_code, const char *message)
bool get_sec_attributes(DDS::Security::PermissionsHandle permissions_handle, const char *topic_name, const DDS::PartitionQosPolicy &partition, const DDS::Security::DataTagQosPolicy &data_tag, DDS::Security::EndpointSecurityAttributes &attributes, DDS::Security::SecurityException &ex)

◆ get_datawriter_sec_attributes()

CORBA::Boolean OpenDDS::Security::AccessControlBuiltInImpl::get_datawriter_sec_attributes ( DDS::Security::PermissionsHandle  permissions_handle,
const char *  topic_name,
const DDS::PartitionQosPolicy partition,
const DDS::Security::DataTagQosPolicy data_tag,
DDS::Security::EndpointSecurityAttributes attributes,
DDS::Security::SecurityException ex 
)
virtual

Definition at line 1207 of file AccessControlBuiltInImpl.cpp.

References get_sec_attributes(), DDS::HANDLE_NIL, and OpenDDS::Security::CommonUtilities::set_security_error().

1214 {
// Validates the handle and topic name, then delegates to get_sec_attributes() to fill
// `attributes` for a DataWriter endpoint. Returns false with `ex` set on any failure.
1215  // The spec claims there is supposed to be a topic name parameter
1216  // to this function which is not in the IDL at this time
// NOTE(review): the comment above looks stale; topic_name is a parameter of this function
// and is checked and forwarded below.
1217 
1218  if (DDS::HANDLE_NIL == permissions_handle) {
1219  CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::get_datawriter_sec_attributes: Invalid permissions handle");
1220  return false;
1221  }
1222 
// Only a null pointer is rejected here; an empty string is passed through.
1223  if (0 == topic_name) {
1224  CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::get_datawriter_sec_attributes: Invalid topic name");
1225  return false;
1226  }
1227 
// get_sec_attributes receives `ex`, so it is expected to describe its own failure.
1228  if (!get_sec_attributes(permissions_handle, topic_name, partition, data_tag, attributes, ex)) {
1229  return false;
1230  }
1231 
1232  return true;
1233 }
const InstanceHandle_t HANDLE_NIL
bool set_security_error(DDS::Security::SecurityException &ex, int code, int minor_code, const char *message)
bool get_sec_attributes(DDS::Security::PermissionsHandle permissions_handle, const char *topic_name, const DDS::PartitionQosPolicy &partition, const DDS::Security::DataTagQosPolicy &data_tag, DDS::Security::EndpointSecurityAttributes &attributes, DDS::Security::SecurityException &ex)

◆ get_participant_sec_attributes()

CORBA::Boolean OpenDDS::Security::AccessControlBuiltInImpl::get_participant_sec_attributes ( DDS::Security::PermissionsHandle  permissions_handle,
DDS::Security::ParticipantSecurityAttributes attributes,
DDS::Security::SecurityException ex 
)
virtual

Definition at line 1126 of file AccessControlBuiltInImpl.cpp.

References ACE_GUARD_RETURN, handle_mutex_, DDS::HANDLE_NIL, local_ac_perms_, and OpenDDS::Security::CommonUtilities::set_security_error().

1130 {
// Copies the participant security attributes from the governance document stored under
// permissions_handle into `attributes`. Returns false with `ex` set when the handle is nil,
// unknown, or no governance access rule covers the entry's domain.
1131  if (DDS::HANDLE_NIL == permissions_handle) {
1132  CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::get_participant_sec_attributes: Invalid permissions handle");
1133  return false;
1134  }
1135 
// NOTE(review): the listing jumps from source line 1135 to 1137. The References list for
// this function names ACE_GUARD_RETURN and handle_mutex_, so the guard covering
// local_ac_perms_ is presumably taken on the omitted line — confirm against the .cpp.
1137 
1138  ACPermsMap::iterator ac_iter = local_ac_perms_.find(permissions_handle);
1139 
1140  if (ac_iter == local_ac_perms_.end()) {
1141  CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::get_participant_sec_attributes: No matching permissions handle present");
1142  return false;
1143  }
1144 
1145  gov_iter begin = ac_iter->second.gov->access_rules().begin();
1146  gov_iter end = ac_iter->second.gov->access_rules().end();
1147 
// The domain is the one recorded with the handle (ac_iter->second.domain_id), not a caller
// argument. The first access rule covering it wins; later rules for the same domain are
// never consulted.
1148  for (gov_iter giter = begin; giter != end; ++giter) {
1149 
1150  if (giter->domains.has(ac_iter->second.domain_id)) {
1151  attributes = giter->domain_attrs;
1152  return true;
1153  }
1154  }
1155 
// No rule for the domain: fail rather than return default attributes.
1156  CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::get_participant_sec_attributes: No matching domain in governance");
1157  return false;
1158 }
const InstanceHandle_t HANDLE_NIL
bool set_security_error(DDS::Security::SecurityException &ex, int code, int minor_code, const char *message)
Governance::GovernanceAccessRules::iterator gov_iter
#define ACE_GUARD_RETURN(MUTEX, OBJ, LOCK, RETURN)

◆ get_permissions_credential_token()

CORBA::Boolean OpenDDS::Security::AccessControlBuiltInImpl::get_permissions_credential_token ( DDS::Security::PermissionsCredentialToken permissions_credential_token,
DDS::Security::PermissionsHandle  handle,
DDS::Security::SecurityException ex 
)
virtual

Definition at line 1040 of file AccessControlBuiltInImpl.cpp.

References ACE_GUARD_RETURN, handle_mutex_, DDS::HANDLE_NIL, local_ac_perms_, and OpenDDS::Security::CommonUtilities::set_security_error().

1044 {
// Copies the permissions credential token stored under `handle` into
// permissions_credential_token. Returns false with `ex` set for a nil or unknown handle.
1045  if (DDS::HANDLE_NIL == handle) {
1046  CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::get_permissions_credential_token: Invalid permissions handle");
1047  return false;
1048  }
1049 
// NOTE(review): the listing jumps from source line 1049 to 1051. The References list for
// this function names ACE_GUARD_RETURN and handle_mutex_, so the guard covering
// local_ac_perms_ is presumably taken on the omitted line — confirm against the .cpp.
1051 
1052  ACPermsMap::iterator iter = local_ac_perms_.find(handle);
1053 
1054  if (iter != local_ac_perms_.end()) {
// The token is returned for any handle present in the map; no further check is made here.
1055  permissions_credential_token = iter->second.perm->perm_cred_token_;
1056  return true;
1057  } else {
1058  CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::get_permissions_credential_token: No PermissionToken found");
1059  return false;
1060  }
1061 }
const InstanceHandle_t HANDLE_NIL
bool set_security_error(DDS::Security::SecurityException &ex, int code, int minor_code, const char *message)
#define ACE_GUARD_RETURN(MUTEX, OBJ, LOCK, RETURN)

◆ get_permissions_token()

CORBA::Boolean OpenDDS::Security::AccessControlBuiltInImpl::get_permissions_token ( DDS::Security::PermissionsToken permissions_token,
DDS::Security::PermissionsHandle  handle,
DDS::Security::SecurityException ex 
)
virtual

Definition at line 1017 of file AccessControlBuiltInImpl.cpp.

References ACE_GUARD_RETURN, handle_mutex_, DDS::HANDLE_NIL, local_ac_perms_, and OpenDDS::Security::CommonUtilities::set_security_error().

1021 {
// Copies the permissions token stored under `handle` into permissions_token.
// Returns false with `ex` set for a nil or unknown handle.
1022  if (DDS::HANDLE_NIL == handle) {
1023  CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::get_permissions_token: Invalid permissions handle");
1024  return false;
1025  }
1026 
// NOTE(review): the listing jumps from source line 1026 to 1028. The References list for
// this function names ACE_GUARD_RETURN and handle_mutex_, so the guard covering
// local_ac_perms_ is presumably taken on the omitted line — confirm against the .cpp.
1028 
1029  ACPermsMap::iterator iter = local_ac_perms_.find(handle);
1030 
1031  if (iter != local_ac_perms_.end()) {
// The token is returned for any handle present in the map; no further check is made here.
1032  permissions_token = iter->second.perm->perm_token_;
1033  return true;
1034  } else {
1035  CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::get_permissions_token: No PermissionToken found");
1036  return false;
1037  }
1038 }
const InstanceHandle_t HANDLE_NIL
bool set_security_error(DDS::Security::SecurityException &ex, int code, int minor_code, const char *message)
#define ACE_GUARD_RETURN(MUTEX, OBJ, LOCK, RETURN)

◆ get_sec_attributes()

CORBA::Boolean OpenDDS::Security::AccessControlBuiltInImpl::get_sec_attributes ( DDS::Security::PermissionsHandle  permissions_handle,
const char *  topic_name,
const DDS::PartitionQosPolicy partition,
const DDS::Security::DataTagQosPolicy data_tag,
DDS::Security::EndpointSecurityAttributes attributes,
DDS::Security::SecurityException ex 
)
private

Definition at line 1341 of file AccessControlBuiltInImpl.cpp.

References ACE_GUARD_RETURN, DDS::Security::EndpointSecurityAttributes::base, handle_mutex_, DDS::Security::TopicSecurityAttributes::is_discovery_protected, DDS::Security::EndpointSecurityAttributes::is_key_protected, DDS::Security::TopicSecurityAttributes::is_liveliness_protected, DDS::Security::EndpointSecurityAttributes::is_payload_protected, DDS::Security::TopicSecurityAttributes::is_read_protected, DDS::Security::EndpointSecurityAttributes::is_submessage_protected, DDS::Security::TopicSecurityAttributes::is_write_protected, local_ac_perms_, pattern_match(), DDS::Security::EndpointSecurityAttributes::plugin_endpoint_attributes, DDS::Security::PLUGIN_ENDPOINT_SECURITY_ATTRIBUTES_FLAG_IS_PAYLOAD_ENCRYPTED, DDS::Security::PLUGIN_ENDPOINT_SECURITY_ATTRIBUTES_FLAG_IS_SUBMESSAGE_ENCRYPTED, DDS::Security::PLUGIN_ENDPOINT_SECURITY_ATTRIBUTES_FLAG_IS_SUBMESSAGE_ORIGIN_AUTHENTICATED, DDS::Security::PLUGIN_PARTICIPANT_SECURITY_ATTRIBUTES_FLAG_BUILTIN_IS_DISCOVERY_ENCRYPTED, DDS::Security::PLUGIN_PARTICIPANT_SECURITY_ATTRIBUTES_FLAG_IS_DISCOVERY_ORIGIN_AUTHENTICATED, DDS::Security::PLUGIN_PARTICIPANT_SECURITY_ATTRIBUTES_FLAG_IS_LIVELINESS_ENCRYPTED, DDS::Security::PLUGIN_PARTICIPANT_SECURITY_ATTRIBUTES_FLAG_IS_LIVELINESS_ORIGIN_AUTHENTICATED, and OpenDDS::Security::CommonUtilities::set_security_error().

Referenced by get_datareader_sec_attributes(), and get_datawriter_sec_attributes().

// Fills `attributes` for `topic_name` from the governance rules stored with
// `permissions_handle`. For the first governance rule whose domain set
// contains the entry's domain id, the built-in secure topics get fixed values
// (partly derived from the domain-level attributes); any other topic takes the
// first topic rule whose expression matches through pattern_match().
// Returns false with `ex` set when the handle is unknown or nothing matched.
//
// NOTE(review): the gutter numbering skips source lines 1348, 1392, 1396,
// 1416, 1420, 1446, 1451 and 1468, so this listing is incomplete. The `if`
// blocks that look empty below each lost one line; the References list names
// plugin_endpoint_attributes and the PLUGIN_ENDPOINT_SECURITY_ATTRIBUTES_FLAG_*
// masks, so those lines presumably set the matching flag. Line 1348 is
// presumably the ACE_GUARD_RETURN on handle_mutex_. Confirm against the
// source file before relying on this listing for a review.
//
// NOTE(review): topic_name reaches std::strcmp() without a null check in this
// function; the callers are presumably responsible for it — verify.
1347 {
1349 
1350  const ACPermsMap::iterator ac_iter = local_ac_perms_.find(permissions_handle);
1351  if (ac_iter == local_ac_perms_.end()) {
      // NOTE(review): this message names get_datawriter_sec_attributes, but the
      // function is get_sec_attributes and is also reached from
      // get_datareader_sec_attributes(), so the text can mislead when triaging logs.
1352  CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::get_datawriter_sec_attributes: No matching permissions handle present");
1353  return false;
1354  }
1355 
1356  const gov_iter begin = ac_iter->second.gov->access_rules().begin();
1357  const gov_iter end = ac_iter->second.gov->access_rules().end();
1358  for (gov_iter giter = begin; giter != end; ++giter) {
1359  if (giter->domains.has(ac_iter->second.domain_id)) {
      // Built-in topics: the topic-level (base) flags are all cleared, and only
      // submessage protection varies per topic.
1360  if (std::strcmp(topic_name, "DCPSParticipantVolatileMessageSecure") == 0) {
1361  attributes.base.is_write_protected = false;
1362  attributes.base.is_read_protected = false;
1363  attributes.base.is_liveliness_protected = false;
1364  attributes.base.is_discovery_protected = false;
1365  attributes.is_submessage_protected = true;
1366  attributes.is_payload_protected = false;
1367  attributes.is_key_protected = false;
1368  return true;
1369  }
1370 
1371  if (std::strcmp(topic_name, "DCPSParticipantStatelessMessage") == 0) {
1372  attributes.base.is_write_protected = false;
1373  attributes.base.is_read_protected = false;
1374  attributes.base.is_liveliness_protected = false;
1375  attributes.base.is_discovery_protected = false;
1376  attributes.is_submessage_protected = false;
1377  attributes.is_payload_protected = false;
1378  attributes.is_key_protected = false;
1379  return true;
1380  }
1381 
1382  if (std::strcmp(topic_name, "DCPSParticipantMessageSecure") == 0) {
1383  attributes.base.is_write_protected = false;
1384  attributes.base.is_read_protected = false;
1385  attributes.base.is_liveliness_protected = false;
1386  attributes.base.is_discovery_protected = false;
      // Submessage protection follows the domain-level liveliness setting.
1387  attributes.is_submessage_protected = giter->domain_attrs.is_liveliness_protected;
1388  attributes.is_payload_protected = false;
1389  attributes.is_key_protected = false;
1390 
1391  if (giter->domain_attrs.plugin_participant_attributes & ::DDS::Security::PLUGIN_PARTICIPANT_SECURITY_ATTRIBUTES_FLAG_IS_LIVELINESS_ENCRYPTED) {
1393  }
1394 
1395  if (giter->domain_attrs.plugin_participant_attributes & ::DDS::Security::PLUGIN_PARTICIPANT_SECURITY_ATTRIBUTES_FLAG_IS_LIVELINESS_ORIGIN_AUTHENTICATED) {
1397  }
1398 
1399  return true;
1400  }
1401 
1402  if (std::strcmp(topic_name, "DCPSParticipantSecure") == 0 ||
1403  std::strcmp(topic_name, "DCPSPublicationsSecure") == 0 ||
1404  std::strcmp(topic_name, "DCPSSubscriptionsSecure") == 0 ||
1405  std::strcmp(topic_name, "TypeLookupServiceRequestSecure") == 0 ||
1406  std::strcmp(topic_name, "TypeLookupServiceReplySecure") == 0) {
1407  attributes.base.is_write_protected = false;
1408  attributes.base.is_read_protected = false;
1409  attributes.base.is_liveliness_protected = false;
1410  attributes.base.is_discovery_protected = false;
      // Submessage protection follows the domain-level discovery setting.
1411  attributes.is_submessage_protected = giter->domain_attrs.is_discovery_protected;
1412  attributes.is_payload_protected = false;
1413  attributes.is_key_protected = false;
1414 
1415  if (giter->domain_attrs.plugin_participant_attributes & ::DDS::Security::PLUGIN_PARTICIPANT_SECURITY_ATTRIBUTES_FLAG_BUILTIN_IS_DISCOVERY_ENCRYPTED) {
1417  }
1418 
1419  if (giter->domain_attrs.plugin_participant_attributes & ::DDS::Security::PLUGIN_PARTICIPANT_SECURITY_ATTRIBUTES_FLAG_IS_DISCOVERY_ORIGIN_AUTHENTICATED) {
1421  }
1422 
1423  return true;
1424  }
1425 
1426  Governance::TopicAccessRules::iterator tr_iter;
1427 
      // The first matching topic rule decides, so the order of rules in the
      // governance document matters when expressions overlap.
1428  for (tr_iter = giter->topic_rules.begin(); tr_iter != giter->topic_rules.end(); ++tr_iter) {
1429  if (pattern_match(topic_name, tr_iter->topic_expression.c_str())) {
1430 
1431  // Process the TopicSecurityAttributes base
1432  attributes.base.is_write_protected = tr_iter->topic_attrs.is_write_protected;
1433  attributes.base.is_read_protected = tr_iter->topic_attrs.is_read_protected;
1434  attributes.base.is_liveliness_protected = tr_iter->topic_attrs.is_liveliness_protected;
1435  attributes.base.is_discovery_protected = tr_iter->topic_attrs.is_discovery_protected;
1436 
1437  // Process metadata protection attributes
      // Any metadata_protection_kind other than "NONE" turns submessage
      // protection on.
1438  if (tr_iter->metadata_protection_kind == "NONE") {
1439  attributes.is_submessage_protected = false;
1440  }
1441  else {
1442  attributes.is_submessage_protected = true;
1443 
1444  if (tr_iter->metadata_protection_kind == "ENCRYPT" ||
1445  tr_iter->metadata_protection_kind == "ENCRYPT_WITH_ORIGIN_AUTHENTICATION") {
1447  }
1448 
1449  if (tr_iter->metadata_protection_kind == "SIGN_WITH_ORIGIN_AUTHENTICATION" ||
1450  tr_iter->metadata_protection_kind == "ENCRYPT_WITH_ORIGIN_AUTHENTICATION") {
1452  }
1453  }
1454 
1455  // Process data protection attributes
      // NOTE(review): only "NONE", "SIGN" and "ENCRYPT" assign the payload and
      // key flags. For any other data_protection_kind the chain below falls
      // through and is_payload_protected / is_key_protected keep whatever the
      // caller passed in. Presumably the governance parser restricts the
      // value to these three; verify, because an unassigned flag here means
      // the endpoint's data protection is decided by caller state.
1456 
1457  if (tr_iter->data_protection_kind == "NONE") {
1458  attributes.is_payload_protected = false;
1459  attributes.is_key_protected = false;
1460  }
1461  else if (tr_iter->data_protection_kind == "SIGN") {
1462  attributes.is_payload_protected = true;
1463  attributes.is_key_protected = false;
1464  }
1465  else if (tr_iter->data_protection_kind == "ENCRYPT") {
1466  attributes.is_payload_protected = true;
1467  attributes.is_key_protected = true;
1469  }
1470 
1471  return true;
1472  }
1473  }
1474  }
1475  }
1476 
      // Reached when no governance rule covers the domain id as well as when no
      // topic expression matched, although the message only mentions the topic name.
1477  CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::get_sec_attributes: Invalid topic name");
1478  return false;
1479 }
const PluginEndpointSecurityAttributesMask PLUGIN_ENDPOINT_SECURITY_ATTRIBUTES_FLAG_IS_SUBMESSAGE_ENCRYPTED
static bool pattern_match(const char *string, const char *pattern)
bool set_security_error(DDS::Security::SecurityException &ex, int code, int minor_code, const char *message)
const PluginEndpointSecurityAttributesMask PLUGIN_ENDPOINT_SECURITY_ATTRIBUTES_FLAG_IS_PAYLOAD_ENCRYPTED
Governance::GovernanceAccessRules::iterator gov_iter
const ParticipantSecurityAttributesMask PLUGIN_PARTICIPANT_SECURITY_ATTRIBUTES_FLAG_IS_LIVELINESS_ENCRYPTED
const PluginEndpointSecurityAttributesMask PLUGIN_ENDPOINT_SECURITY_ATTRIBUTES_FLAG_IS_SUBMESSAGE_ORIGIN_AUTHENTICATED
PluginEndpointSecurityAttributesMask plugin_endpoint_attributes
#define ACE_GUARD_RETURN(MUTEX, OBJ, LOCK, RETURN)
const ParticipantSecurityAttributesMask PLUGIN_PARTICIPANT_SECURITY_ATTRIBUTES_FLAG_IS_DISCOVERY_ORIGIN_AUTHENTICATED
const ParticipantSecurityAttributesMask PLUGIN_PARTICIPANT_SECURITY_ATTRIBUTES_FLAG_BUILTIN_IS_DISCOVERY_ENCRYPTED
const ParticipantSecurityAttributesMask PLUGIN_PARTICIPANT_SECURITY_ATTRIBUTES_FLAG_IS_LIVELINESS_ORIGIN_AUTHENTICATED

◆ get_subject_name()

SSL::SubjectName OpenDDS::Security::AccessControlBuiltInImpl::get_subject_name ( DDS::Security::PermissionsHandle  permissions_handle) const

Definition at line 1709 of file AccessControlBuiltInImpl.cpp.

References ACE_GUARD_RETURN, handle_mutex_, local_ac_perms_, and OPENDDS_END_VERSIONED_NAMESPACE_DECL.

// Returns the subject name cached for `permissions_handle`.
// A default-constructed SSL::SubjectName is returned both when the handle has
// no entry in local_ac_perms_ and through the ACE_GUARD_RETURN fallback value,
// so callers cannot tell these cases apart from the return value alone.
1710 {
      // Hold handle_mutex_ for the duration of the lookup.
1711  ACE_GUARD_RETURN(ACE_Thread_Mutex, guard, handle_mutex_, SSL::SubjectName());
1712 
1713  ACPermsMap::const_iterator pos = local_ac_perms_.find(permissions_handle);
1714  if (pos != local_ac_perms_.end()) {
1715  return pos->second.subject;
1716  }
1717 
1718  return SSL::SubjectName();
1719 }
#define ACE_GUARD_RETURN(MUTEX, OBJ, LOCK, RETURN)

◆ get_topic_sec_attributes()

CORBA::Boolean OpenDDS::Security::AccessControlBuiltInImpl::get_topic_sec_attributes ( DDS::Security::PermissionsHandle  permissions_handle,
const char *  topic_name,
DDS::Security::TopicSecurityAttributes attributes,
DDS::Security::SecurityException ex 
)
virtual

Definition at line 1160 of file AccessControlBuiltInImpl.cpp.

References ACE_GUARD_RETURN, handle_mutex_, DDS::HANDLE_NIL, local_ac_perms_, pattern_match(), and OpenDDS::Security::CommonUtilities::set_security_error().

// Copies the TopicSecurityAttributes of the first governance topic rule that
// matches `topic_name` into `attributes`, looking only at governance rules
// whose domain set contains the domain id stored with `permissions_handle`.
// Returns false with `ex` set for a nil handle, a null topic name, an unknown
// handle, or when no domain/topic rule matched.
1165 {
1166  if (DDS::HANDLE_NIL == permissions_handle) {
1167  CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::get_topic_sec_attributes: Invalid permissions handle");
1168  return false;
1169  }
1170  if (0 == topic_name) {
1171  CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::get_topic_sec_attributes: Invalid topic name");
1172  return false;
1173  }
1174 
1175  // Extract Governance and the permissions data for the requested handle
1176 
      // NOTE(review): source line 1177 is absent from this listing. The
      // References list names ACE_GUARD_RETURN and handle_mutex_, so the lookup
      // below presumably runs under that lock; confirm against the source file.
1178 
1179  ACPermsMap::iterator piter = local_ac_perms_.find(permissions_handle);
1180 
1181  if (piter == local_ac_perms_.end()) {
1182  CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::get_topic_sec_attributes: No matching permissions handle present");
1183  return false;
1184  }
1185 
1186  gov_iter begin = piter->second.gov->access_rules().begin();
1187  gov_iter end = piter->second.gov->access_rules().end();
1188 
1189  for (gov_iter giter = begin; giter != end; ++giter) {
1190 
1191  if (giter->domains.has(piter->second.domain_id)) {
1192  Governance::TopicAccessRules::iterator tr_iter;
1193 
      // First match wins: rule order in the governance document decides which
      // attributes apply when topic expressions overlap.
1194  for (tr_iter = giter->topic_rules.begin(); tr_iter != giter->topic_rules.end(); ++tr_iter) {
1195  if (pattern_match(topic_name, tr_iter->topic_expression.c_str())) {
1196  attributes = tr_iter->topic_attrs;
1197  return true;
1198  }
1199  }
1200  }
1201  }
1202 
1203  CommonUtilities::set_security_error(ex,-1, 0, "AccessControlBuiltInImpl::get_topic_sec_attributes: No matching domain/topic in governance");
1204  return false;
1205 }
const InstanceHandle_t HANDLE_NIL
static bool pattern_match(const char *string, const char *pattern)
bool set_security_error(DDS::Security::SecurityException &ex, int code, int minor_code, const char *message)
Governance::GovernanceAccessRules::iterator gov_iter
#define ACE_GUARD_RETURN(MUTEX, OBJ, LOCK, RETURN)

◆ make_task()

AccessControlBuiltInImpl::RevokePermissionsTask_rch & OpenDDS::Security::AccessControlBuiltInImpl::make_task ( RevokePermissionsTask_rch task)
private

Definition at line 1297 of file AccessControlBuiltInImpl.cpp.

References OpenDDS::DCPS::ref(), and TheServiceParticipant.

Referenced by check_create_datareader(), check_create_datawriter(), check_remote_datareader(), check_remote_datawriter(), and return_permissions_handle().

// Creates the RevokePermissionsTask behind `task` on first use and returns the
// same handle by reference, so callers can chain a call on it.
// NOTE(review): the task is constructed with DCPS::ref(*this); presumably it
// must not outlive this object — confirm how the task is cancelled on teardown.
1298 {
1299  if (!task) {
1300  task = DCPS::make_rch<RevokePermissionsTask>(TheServiceParticipant->time_source(), TheServiceParticipant->interceptor(), DCPS::ref(*this));
1301  }
1302  return task;
1303 }
reference_wrapper< T > ref(T &r)
Definition: RcHandle_T.h:237
#define TheServiceParticipant

◆ operator=()

AccessControlBuiltInImpl& OpenDDS::Security::AccessControlBuiltInImpl::operator= ( const AccessControlBuiltInImpl )
private

◆ parse_class_id()

void OpenDDS::Security::AccessControlBuiltInImpl::parse_class_id ( const std::string &  class_id,
std::string &  plugin_class_name,
int &  major_version,
int &  minor_version 
)
private

Definition at line 1512 of file AccessControlBuiltInImpl.cpp.

References atoi().

Referenced by check_remote_participant(), and check_remote_topic().

// Splits a class id of the form "<plugin class name>:<major>.<minor>" into its
// name and version parts. The versions default to 1 and 0.
// plugin_class_name is cleared only when the last ':' is the first or last
// character, or when class_id is empty.
//
// NOTE(review): this member is referenced by check_remote_participant() and
// check_remote_topic(), so class_id presumably comes from a remote token and
// should be treated as untrusted input. Points to confirm against callers:
//  - find_last_of() returns std::string::npos when there is no ':'; npos passes
//    the `pos > 0UL` test, so a non-empty id without a delimiter is parsed
//    instead of being rejected (pos + 1 then wraps to 0).
//  - substr(0, pos - 1) stops one character before the ':' and so drops the
//    last character of the name; for "DDS:Access:Permissions:1.0" the result
//    is "DDS:Access:Permission". This is harmless only if every comparison
//    uses names produced by this same function.
//  - The second argument of substr() is a count, not an end index; the major
//    version comes out right only because atoi() stops at the '.'.
//  - atoi() reports no errors: non-numeric text yields 0, and the result is
//    undefined when the value does not fit in an int.
1517 {
1518  const std::string delimiter = ":";
1519 
1520  major_version = 1;
1521  minor_version = 0;
1522 
1523  size_t pos = class_id.find_last_of(delimiter);
1524 
      // For an empty class_id, length() - 1 wraps to npos and equals pos, which
      // sends the empty string to the else branch.
1525  if ((pos > 0UL) && (pos != class_id.length() - 1)) {
1526  plugin_class_name = class_id.substr(0, (pos - 1));
1527 
1528  const std::string period = ".";
1529 
1530  size_t period_pos = class_id.find_last_of(period);
1531 
      // Also true when no '.' exists (period_pos == npos); nothing checks that
      // the period lies after the delimiter.
1532  if (period_pos > 0UL) {
1533  std::string mv_string = class_id.substr((pos + 1), (period_pos - 1));
1534 
1535  major_version = atoi(mv_string.c_str());
1536 
1537  if (period_pos != class_id.length() - 1) {
1538  mv_string = class_id.substr((period_pos + 1), (class_id.length() - 1));
1539  minor_version = atoi(mv_string.c_str());
1540  }
1541  }
1542  }
1543  else {
1544  plugin_class_name.clear();
1545  }
1546 
1547 }
u_int major_version(void)
int atoi(const char *s)
u_int minor_version(void)

◆ pattern_match()

bool OpenDDS::Security::AccessControlBuiltInImpl::pattern_match ( const char *  string,
const char *  pattern 
)
static

◆ return_datareader_sec_attributes()

CORBA::Boolean OpenDDS::Security::AccessControlBuiltInImpl::return_datareader_sec_attributes ( const DDS::Security::EndpointSecurityAttributes attributes,
DDS::Security::SecurityException ex 
)
virtual

Definition at line 1280 of file AccessControlBuiltInImpl.cpp.

// No-op: both arguments are marked unused and the call always reports success.
1283 {
1284  ACE_UNUSED_ARG(attributes);
1285  ACE_UNUSED_ARG(ex);
1286 
1287  return true;
1288 }

◆ return_datawriter_sec_attributes()

CORBA::Boolean OpenDDS::Security::AccessControlBuiltInImpl::return_datawriter_sec_attributes ( const DDS::Security::EndpointSecurityAttributes attributes,
DDS::Security::SecurityException ex 
)
virtual

Definition at line 1270 of file AccessControlBuiltInImpl.cpp.

// No-op: both arguments are marked unused and the call always reports success.
1273 {
1274  ACE_UNUSED_ARG(attributes);
1275  ACE_UNUSED_ARG(ex);
1276 
1277  return true;
1278 }

◆ return_participant_sec_attributes()

CORBA::Boolean OpenDDS::Security::AccessControlBuiltInImpl::return_participant_sec_attributes ( const DDS::Security::ParticipantSecurityAttributes attributes,
DDS::Security::SecurityException ex 
)
virtual

Definition at line 1260 of file AccessControlBuiltInImpl.cpp.

// No-op: both arguments are marked unused and the call always reports success.
1263 {
1264  ACE_UNUSED_ARG(attributes);
1265  ACE_UNUSED_ARG(ex);
1266 
1267  return true;
1268 }

◆ return_permissions_credential_token()

CORBA::Boolean OpenDDS::Security::AccessControlBuiltInImpl::return_permissions_credential_token ( const DDS::Security::PermissionsCredentialToken permissions_credential_token,
DDS::Security::SecurityException ex 
)
virtual

Definition at line 1116 of file AccessControlBuiltInImpl.cpp.

// No-op: both arguments are marked unused and the call always reports success.
// The credential token stays cached with its permissions entry.
1119 {
1120  ACE_UNUSED_ARG(permissions_credential_token);
1121  ACE_UNUSED_ARG(ex);
1122 
1123  return true;
1124 }

◆ return_permissions_handle()

CORBA::Boolean OpenDDS::Security::AccessControlBuiltInImpl::return_permissions_handle ( DDS::Security::PermissionsHandle  handle,
DDS::Security::SecurityException ex 
)
virtual

Definition at line 1078 of file AccessControlBuiltInImpl.cpp.

References ACE_DEBUG, ACE_TEXT(), OpenDDS::Security::AccessControlBuiltInImpl::RevokePermissionsTask::erase(), DDS::HANDLE_NIL, LM_DEBUG, local_ac_perms_, local_rp_task_, make_task(), remote_rp_task_, OpenDDS::DCPS::security_debug, and OpenDDS::Security::CommonUtilities::set_security_error().

// Drops the cached permissions entry for `handle` and removes the handle from
// both revoke-permissions tasks. Returns false with `ex` set when the handle
// is nil or unknown.
//
// NOTE(review): the gutter is contiguous (1081-1104) and the References list
// for this member names neither ACE_GUARD_RETURN nor handle_mutex_, so this
// find/erase on local_ac_perms_ appears to run without the lock that other
// members of this class reference for the same map. Confirm whether callers
// serialise access; if not, an erase can race with a concurrent lookup.
//
// NOTE(review): local_identity_map_ is not touched here, so the identity ->
// handle entry added by validate_local_permissions() stays behind. A later
// lookup through it is caught by the "No matching local permissions handle
// present" check in validate_remote_permissions(), but the map is not
// cleaned up.
1081 {
1082  if (DDS::HANDLE_NIL == handle) {
      // NOTE(review): the function name is misspelled in this message
      // ("return_permissiosn_handle"), which defeats log searches on the name.
1083  CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::return_permissiosn_handle: Invalid permissions handle");
1084  return false;
1085  }
1086 
1087  ACPermsMap::iterator ac_iter = local_ac_perms_.find(handle);
1088 
1089  if (ac_iter == local_ac_perms_.end()) {
1090  CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::return_permissions_handle: No matching permissions handle present");
1091  return false;
1092  }
1093 
1094  local_ac_perms_.erase(ac_iter);
1095  if (DCPS::security_debug.bookkeeping) {
1096  ACE_DEBUG((LM_DEBUG, ACE_TEXT("(%P|%t) {bookkeeping} ")
1097  ACE_TEXT("AccessControlBuiltInImpl::return_permissions_handle local_ac_perms_ (total %B)\n"),
1098  local_ac_perms_.size()));
1099  }
      // make_task() creates a task on demand, so this call can construct a
      // task only to erase a handle from it.
1100  make_task(local_rp_task_)->erase(handle);
1101  make_task(remote_rp_task_)->erase(handle);
1102 
1103  return true;
1104 }
#define ACE_DEBUG(X)
const InstanceHandle_t HANDLE_NIL
bool set_security_error(DDS::Security::SecurityException &ex, int code, int minor_code, const char *message)
ACE_TEXT("TCP_Factory")
RevokePermissionsTask_rch & make_task(RevokePermissionsTask_rch &task)
OpenDDS_Dcps_Export SecurityDebug security_debug
Definition: debug.cpp:32

◆ return_permissions_token()

CORBA::Boolean OpenDDS::Security::AccessControlBuiltInImpl::return_permissions_token ( const DDS::Security::PermissionsToken token,
DDS::Security::SecurityException ex 
)
virtual

Definition at line 1106 of file AccessControlBuiltInImpl.cpp.

// No-op: both arguments are marked unused and the call always reports success.
1109 {
1110  ACE_UNUSED_ARG(token);
1111  ACE_UNUSED_ARG(ex);
1112 
1113  return true;
1114 }

◆ search_permissions()

bool OpenDDS::Security::AccessControlBuiltInImpl::search_permissions ( const char *  topic_name,
DDS::Security::DomainId_t  domain_id,
const DDS::PartitionQosPolicy partition,
Permissions::PublishSubscribe_t  pub_or_sub,
const Permissions::Grant grant,
DDS::Security::SecurityException ex 
)
private

Definition at line 1481 of file AccessControlBuiltInImpl.cpp.

References OpenDDS::Security::Permissions::ALLOW, OpenDDS::Security::Permissions::Grant::default_permission, DDS::PartitionQosPolicy::name, OpenDDS::Security::Permissions::Grant::rules, and OpenDDS::Security::CommonUtilities::set_security_error().

Referenced by check_create_datareader(), check_create_datawriter(), check_remote_datareader(), and check_remote_datawriter().

// Decides whether `grant` permits `pub_or_sub` on `topic_name` in `domain_id`
// for the given partitions.
// Rules and their actions are scanned in order, and the first action that
// matches publish/subscribe kind, topic and partitions decides: an ALLOW rule
// returns true, any other rule returns the result of set_security_error().
// When nothing matches, the grant's default_permission decides the same way.
//
// Evaluation is first-match, so a broad ALLOW rule listed before a narrower
// DENY rule takes precedence. Review rule order in the permissions document
// with that in mind.
// NOTE(review): the denial paths return whatever set_security_error() returns;
// its declaration shows bool, presumably always false — confirm.
1488 {
1489  for (Permissions::Rules::const_iterator rit = grant.rules.begin(); rit != grant.rules.end(); ++rit) {
1490  if (rit->domains.has(domain_id)) {
1491  for (Permissions::Actions::const_iterator ait = rit->actions.begin(); ait != rit->actions.end(); ++ait) {
      // partitions_match() receives the rule's allow/deny type, so partition
      // matching may differ between ALLOW and DENY rules (not visible here).
1492  if (ait->ps_type == pub_or_sub &&
1493  ait->topic_matches(topic_name) &&
1494  ait->partitions_match(partition.name, rit->ad_type)) {
1495  if (rit->ad_type == Permissions::ALLOW) {
1496  return true;
1497  } else {
1498  return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl: DENY rule matched");
1499  }
1500  }
1501  }
1502  }
1503  }
1504 
1505  if (grant.default_permission == Permissions::ALLOW) {
1506  return true;
1507  } else {
1508  return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl: No matching rule for topic, default permission is DENY.");
1509  }
1510 }
bool set_security_error(DDS::Security::SecurityException &ex, int code, int minor_code, const char *message)

◆ set_listener()

CORBA::Boolean OpenDDS::Security::AccessControlBuiltInImpl::set_listener ( DDS::Security::AccessControlListener_ptr  listener,
DDS::Security::SecurityException ex 
)
virtual

Definition at line 1063 of file AccessControlBuiltInImpl.cpp.

References handle_mutex_, listener_ptr_, and OpenDDS::Security::CommonUtilities::set_security_error().

// Stores `listener` in listener_ptr_. A null listener is rejected with `ex`
// set, so this call cannot be used to clear a previously installed listener.
// NOTE(review): the pointer is assigned as-is; whether a reference is held
// elsewhere to keep the listener alive is not visible here — confirm.
1066 {
1067  if (0 == listener) {
1068  CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::set_listener: Invalid Listener pointer");
1069  return false;
1070  }
1071 
      // NOTE(review): source line 1072 is absent from this listing. The
      // References list names handle_mutex_, so the assignment below presumably
      // runs under that lock; confirm against the source file.
1073 
1074  listener_ptr_ = listener;
1075  return true;
1076 }
bool set_security_error(DDS::Security::SecurityException &ex, int code, int minor_code, const char *message)
DDS::Security::AccessControlListener_ptr listener_ptr_

◆ validate_date_time()

bool OpenDDS::Security::AccessControlBuiltInImpl::validate_date_time ( const Permissions::Validity_t validity,
DDS::Security::SecurityException ex 
)
private

Definition at line 1305 of file AccessControlBuiltInImpl.cpp.

References OpenDDS::Security::Permissions::Validity_t::not_after, OpenDDS::Security::Permissions::Validity_t::not_before, and OpenDDS::Security::CommonUtilities::set_security_error().

Referenced by check_create_datareader(), check_create_datawriter(), check_create_topic(), check_remote_datareader(), check_remote_datawriter(), and check_remote_topic().

// Checks that the current time lies inside the validity window of a grant.
// Returns false when either bound is zero, when the window has not opened
// yet, or when it has already closed.
//
// NOTE(review): source lines 1310, 1316, 1327 and 1333 are absent from this
// listing. Each gap sits directly above an error-message string, so the
// missing line is presumably the opening of a
// CommonUtilities::set_security_error(ex, ...) call (the References list
// names that helper). Confirm against the source file.
1308 {
1309  if (validity.not_before == 0) {
1311  "AccessControlBuiltInImpl::validate_date_time: Permissions not_before time is invalid.");
1312  return false;
1313  }
1314 
1315  if (validity.not_after == 0) {
1317  "AccessControlBuiltInImpl::validate_date_time: Permissions not_after time is invalid.");
1318  return false;
1319  }
1320 
1321  // Get the current time as UTC
      // NOTE(review): std::gmtime() returns a pointer to storage shared with
      // other calendar-time calls and may return a null pointer, which is not
      // checked here. std::mktime() interprets its argument as local time, so
      // now_utc differs from `now` by the host's UTC offset unless the process
      // runs in UTC. Whether not_before / not_after are produced with the same
      // conversion is not visible here. Confirm, because a mismatch shifts the
      // window in which a grant is accepted.
1322  const time_t now = std::time(0);
1323  std::tm* const now_utc_tm = std::gmtime(&now);
1324  const time_t now_utc = std::mktime(now_utc_tm);
1325 
      // Both comparisons are strict, so the boundary instants themselves are
      // accepted.
1326  if (now_utc < validity.not_before) {
1328  "AccessControlBuiltInImpl::validate_date_time: Permissions grant hasn't started yet.");
1329  return false;
1330  }
1331 
1332  if (now_utc > validity.not_after) {
1334  "AccessControlBuiltInImpl::validate_date_time: Permissions grant has expired.");
1335  return false;
1336  }
1337 
1338  return true;
1339 }
bool set_security_error(DDS::Security::SecurityException &ex, int code, int minor_code, const char *message)

◆ validate_local_permissions()

DDS::Security::PermissionsHandle OpenDDS::Security::AccessControlBuiltInImpl::validate_local_permissions ( DDS::Security::Authentication_ptr  auth_plugin,
DDS::Security::IdentityHandle  identity,
DDS::Security::DomainId_t  domain_id,
const DDS::DomainParticipantQos participant_qos,
DDS::Security::SecurityException ex 
)
virtual

Definition at line 72 of file AccessControlBuiltInImpl.cpp.

References ACE_DEBUG, ACE_GUARD_RETURN, ACE_TEXT(), OpenDDS::Security::TokenWriter::add_property(), OpenDDS::Security::dds_cert_sn, OpenDDS::Security::AccessControlBuiltInImpl::AccessData::domain_id, generate_handle(), OpenDDS::Security::TokenReader::get_property_value(), OpenDDS::Security::AccessControlBuiltInImpl::AccessData::gov, handle_mutex_, DDS::HANDLE_NIL, OpenDDS::Security::AccessControlBuiltInImpl::AccessData::identity, LM_DEBUG, local_ac_perms_, OpenDDS::Security::AccessControlBuiltInImpl::AccessData::local_access_credential_data, local_identity_map_, OpenDDS::Security::SSL::SignedDocument::original(), OpenDDS::Security::SSL::SubjectName::parse(), OpenDDS::Security::AccessControlBuiltInImpl::AccessData::perm, OpenDDS::Security::PermissionsCredentialTokenClassId(), OpenDDS::Security::PermissionsTokenClassId(), OpenDDS::DCPS::security_debug, OpenDDS::Security::CommonUtilities::set_security_error(), and OpenDDS::Security::AccessControlBuiltInImpl::AccessData::subject.

// Loads and verifies the local governance and permissions documents named in
// the participant QoS properties, checks that the permissions document has a
// grant for the subject name in the identity token, caches the result in
// local_ac_perms_ and returns the new permissions handle.
// Returns DDS::HANDLE_NIL on any failure; `ex` is set either here or by the
// helper that failed.
//
// NOTE(review): source lines 89, 124 and 147 are absent from this listing.
// From the uses that follow, they presumably declare id_token and sn_id and
// take the ACE_GUARD_RETURN on handle_mutex_ before the maps are modified.
// Confirm against the source file.
//
// The grant validity window is not examined in the lines shown here;
// validate_date_time() is referenced from the check_* members instead.
78 {
79  if (0 == auth_plugin) {
80  CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::validate_local_permissions: Null Authentication plugin");
81  return DDS::HANDLE_NIL;
82  }
83 
84  if (DDS::HANDLE_NIL == identity) {
85  CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::validate_local_permissions: Invalid identity");
86  return DDS::HANDLE_NIL;
87  }
88 
90 
91  if (!auth_plugin->get_identity_token(id_token, identity, ex)) {
92  return DDS::HANDLE_NIL;
93  }
94 
95  LocalAccessCredentialData::shared_ptr local_access_credential_data = DCPS::make_rch<LocalAccessCredentialData>();
96 
97  if (! local_access_credential_data->load(participant_qos.property.value, ex)) {
98  return DDS::HANDLE_NIL;
99  }
100 
      // The credential data is verified before either document is parsed.
101  if (!local_access_credential_data->verify(ex)) {
102  return DDS::HANDLE_NIL;
103  }
104 
105  const SSL::SignedDocument& local_gov = local_access_credential_data->get_governance_doc();
106  Governance::shared_ptr governance = DCPS::make_rch<Governance>();
107 
      // A non-zero result from load() is treated as failure.
108  if (governance->load(local_gov)) {
109  CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::validate_local_permissions: Invalid governance file");
110  return DDS::HANDLE_NIL;
111  }
112 
113  const SSL::SignedDocument& local_perm = local_access_credential_data->get_permissions_doc();
114  Permissions::shared_ptr permissions = DCPS::make_rch<Permissions>();
115 
116  if (permissions->load(local_perm)) {
117  CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::validate_local_permissions: Invalid permission file");
118  return DDS::HANDLE_NIL;
119  }
120 
121  TokenReader tr(id_token);
122  const char* id_sn = tr.get_property_value(dds_cert_sn);
123 
125 
      // Bind permissions to identity: the subject name from the identity token
      // must be present, must parse, and must have a grant in the permissions
      // document.
126  if (!id_sn || sn_id.parse(id_sn) != 0 || !permissions->has_grant(sn_id)) {
127  CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::validate_local_permissions: No permissions subject name matches identity subject name");
128  return DDS::HANDLE_NIL;
129  }
130 
131  // Set and store the permissions credential token while we have the raw content
132  DDS::Security::PermissionsCredentialToken permissions_cred_token;
133  TokenWriter pctWriter(permissions_cred_token, PermissionsCredentialTokenClassId);
134 
      // The credential token carries the original permissions document.
135  pctWriter.add_property("dds.perm.cert", local_perm.original());
136 
137  // Set and store the permissions token
138  DDS::Security::PermissionsToken permissions_token;
139  TokenWriter writer(permissions_token, PermissionsTokenClassId);
140 
141  // If all checks are successful load the content into cache
142  permissions->perm_token_ = permissions_token;
143  permissions->perm_cred_token_ = permissions_cred_token;
144 
145  const int perm_handle = generate_handle();
146 
148 
149  AccessData cache_this;
150  cache_this.identity = identity;
151  cache_this.subject = sn_id;
152  cache_this.domain_id = domain_id;
153  cache_this.perm = permissions;
154  cache_this.gov = governance;
155  cache_this.local_access_credential_data = local_access_credential_data;
156 
157  local_ac_perms_.insert(std::make_pair(perm_handle, cache_this));
158  if (DCPS::security_debug.bookkeeping) {
159  ACE_DEBUG((LM_DEBUG, ACE_TEXT("(%P|%t) {bookkeeping} ")
160  ACE_TEXT("AccessControlBuiltInImpl::validate_local_permissions local_ac_perms_ (total %B)\n"),
161  local_ac_perms_.size()));
162  }
      // NOTE(review): if ACIdentityMap has std::map semantics, insert() keeps
      // an existing entry, so validating the same identity twice would leave
      // the map pointing at the earlier handle — verify.
163  local_identity_map_.insert(std::make_pair(identity, perm_handle));
164  if (DCPS::security_debug.bookkeeping) {
165  ACE_DEBUG((LM_DEBUG, ACE_TEXT("(%P|%t) {bookkeeping} ")
166  ACE_TEXT("AccessControlBuiltInImpl::validate_local_permissions local_identity_map_ (total %B)\n"),
167  local_identity_map_.size()));
168  }
169 
170  return perm_handle;
171 }
#define ACE_DEBUG(X)
DCPS::RcHandle< LocalAccessCredentialData > shared_ptr
static const std::string PermissionsTokenClassId("DDS:Access:Permissions:1.0")
static const std::string PermissionsCredentialTokenClassId("DDS:Access:PermissionsCredential")
const InstanceHandle_t HANDLE_NIL
bool set_security_error(DDS::Security::SecurityException &ex, int code, int minor_code, const char *message)
#define ACE_GUARD_RETURN(MUTEX, OBJ, LOCK, RETURN)
int parse(const char *, bool permissive=false)
Definition: SubjectName.cpp:28
ACE_TEXT("TCP_Factory")
DCPS::RcHandle< Governance > shared_ptr
Definition: Governance.h:26
OpenDDS_Dcps_Export SecurityDebug security_debug
Definition: debug.cpp:32
DCPS::RcHandle< Permissions > shared_ptr
Definition: Permissions.h:30
PropertyQosPolicy property

◆ validate_remote_permissions()

DDS::Security::PermissionsHandle OpenDDS::Security::AccessControlBuiltInImpl::validate_remote_permissions ( DDS::Security::Authentication_ptr  auth_plugin,
DDS::Security::IdentityHandle  local_identity_handle,
DDS::Security::IdentityHandle  remote_identity_handle,
const DDS::Security::PermissionsToken remote_permissions_token,
const DDS::Security::AuthenticatedPeerCredentialToken remote_credential_token,
DDS::Security::SecurityException ex 
)
virtual

Definition at line 173 of file AccessControlBuiltInImpl.cpp.

References ACE_DEBUG, ACE_GUARD_RETURN, ACE_TEXT(), OpenDDS::DCPS::DCPS_debug_level, OpenDDS::Security::AccessControlBuiltInImpl::AccessData::domain_id, generate_handle(), OpenDDS::Security::TokenReader::get_bin_property_value(), OpenDDS::Security::AccessControlBuiltInImpl::AccessData::gov, handle_mutex_, DDS::HANDLE_NIL, OpenDDS::Security::AccessControlBuiltInImpl::AccessData::identity, LM_DEBUG, local_ac_perms_, OpenDDS::Security::AccessControlBuiltInImpl::AccessData::local_access_credential_data, local_identity_map_, OpenDDS::Security::SSL::SubjectName::parse(), OpenDDS::Security::AccessControlBuiltInImpl::AccessData::perm, OpenDDS::DCPS::security_debug, OpenDDS::Security::CommonUtilities::set_security_error(), OpenDDS::Security::AccessControlBuiltInImpl::AccessData::subject, and OpenDDS::Security::SSL::Certificate::subject_name_to_str().

// Validates a remote participant's permissions document and caches it.
// The document is taken from the "c.perm" property of remote_credential_token,
// its signature is verified against the CA certificate of the local access
// credential data, and the subject name of the certificate in "c.id" must
// have a grant in it. On success a new entry is added to local_ac_perms_,
// reusing the local entry's domain id and governance, and its handle is
// returned. DDS::HANDLE_NIL is returned on any failure, with `ex` set.
//
// NOTE(review): source lines 191 and 225 are absent from this listing. Line
// 191 is presumably the ACE_GUARD_RETURN on handle_mutex_, and line 225 the
// debug-level `if` that opens the block closed on line 228 (the References
// list names DCPS_debug_level). Confirm against the source file.
//
// NOTE(review): in the lines shown, auth_plugin is only null-checked,
// remote_identity_handle is stored without a HANDLE_NIL check, and the
// certificate from "c.id" is not itself verified. This presumably relies on
// the authentication plugin having validated the peer credential token before
// this call — confirm. The grant validity window is not examined here either;
// validate_date_time() is referenced from the check_remote_* members.
180 {
181  if (0 == auth_plugin) {
182  CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::validate_remote_permissions: Null Authentication plugin");
183  return DDS::HANDLE_NIL;
184  }
185 
186  if (DDS::HANDLE_NIL == local_identity_handle) {
187  CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::validate_remote_permissions: Invalid Local Identity");
188  return DDS::HANDLE_NIL;
189  }
190 
192 
      // Resolve local identity -> local permissions handle -> cached local entry.
193  ACIdentityMap::iterator iter = local_identity_map_.find(local_identity_handle);
194 
195  if (iter == local_identity_map_.end()) {
196  CommonUtilities::set_security_error(ex,-1, 0, "AccessControlBuiltInImpl::validate_remote_permissions: No matching local identity handle present");
197  return DDS::HANDLE_NIL;
198  }
199 
200  ACPermsMap::iterator piter = local_ac_perms_.find(iter->second);
201 
202  if (piter == local_ac_perms_.end()) {
203  CommonUtilities::set_security_error(ex,-1, 0, "AccessControlBuiltInImpl::validate_remote_permissions: No matching local permissions handle present");
204  return DDS::HANDLE_NIL;
205  }
206 
207  // permissions file
208  TokenReader remote_perm_wrapper(remote_credential_token);
209  SSL::SignedDocument remote_perm_doc(remote_perm_wrapper.get_bin_property_value("c.perm"));
210 
211  const LocalAccessCredentialData::shared_ptr& local_access_credential_data = piter->second.local_access_credential_data;
212 
213  // Validate the signature of the remote permissions
214  const SSL::Certificate& local_ca = local_access_credential_data->get_ca_cert();
      // ca_subject is filled in but not read again in the lines shown here.
215  std::string ca_subject;
216 
217  local_ca.subject_name_to_str(ca_subject);
218 
      // The signature is checked before the document content is parsed.
219  if (!remote_perm_doc.verify(local_ca)) {
220  CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::validate_remote_permissions: Remote permissions signature not verified");
221  return DDS::HANDLE_NIL;
222  }
223 
224  // The remote permissions signature is verified
226  ACE_DEBUG((LM_DEBUG, ACE_TEXT(
227  "(%P|%t) AccessControlBuiltInImpl::validate_remote_permissions: Remote permissions document verified.\n")));
228  }
229 
230  Permissions::shared_ptr remote_permissions = DCPS::make_rch<Permissions>();
      // A non-zero result from load() is treated as failure.
231  if (remote_permissions->load(remote_perm_doc)) {
232  CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::validate_remote_permissions: Invalid permission file");
233  return DDS::HANDLE_NIL;
234  }
235 
236  //Extract and compare the remote subject name for validation
237  TokenReader remote_credential_tr(remote_credential_token);
238  const DDS::OctetSeq& cid = remote_credential_tr.get_bin_property_value("c.id");
239 
240  if (cid.length() == 0) {
241  CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::validate_remote_permissions: Invalid remote credential identity");
242  return DDS::HANDLE_NIL;
243  }
244 
245  SSL::Certificate::unique_ptr remote_cert(new SSL::Certificate);
      // NOTE(review): the result of deserialize() is not checked. A malformed
      // certificate is rejected only if subject_name_to_str() then leaves
      // remote_identity_sn empty or unparsable — verify that it does.
246  remote_cert->deserialize(cid);
247 
248  std::string remote_identity_sn;
249  remote_cert->subject_name_to_str(remote_identity_sn);
250 
251  SSL::SubjectName sn_id_remote;
252 
      // Bind permissions to identity: the remote certificate's subject name
      // must parse and must have a grant in the remote permissions document.
253  if (remote_identity_sn.empty() || sn_id_remote.parse(remote_identity_sn) != 0 || !remote_permissions->has_grant(sn_id_remote)) {
254  CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::validate_remote_permissions: "
255  "Remote identity subject name does not match any subject name in remote permissions grants");
256  return DDS::HANDLE_NIL;
257  }
258 
259  // Set and store the permissions credential token while we have the raw content
      // Both tokens are stored as received; remote_permissions_token is not
      // inspected in the lines shown here.
260  remote_permissions->perm_token_ = remote_permissions_token;
261  remote_permissions->perm_cred_token_ = remote_credential_token;
262 
263 
264  AccessData cache_this;
265  cache_this.identity = remote_identity_handle;
266  cache_this.subject = sn_id_remote;
      // Domain id and governance are taken from the local participant's entry.
267  cache_this.domain_id = piter->second.domain_id;
268  cache_this.perm = remote_permissions;
269  cache_this.gov = piter->second.gov;
270  cache_this.local_access_credential_data = local_access_credential_data;
271 
272  const int perm_handle = generate_handle();
      // Remote entries share local_ac_perms_ with local ones.
273  local_ac_perms_.insert(std::make_pair(perm_handle, cache_this));
274  if (DCPS::security_debug.bookkeeping) {
275  ACE_DEBUG((LM_DEBUG, ACE_TEXT("(%P|%t) {bookkeeping} ")
276  ACE_TEXT("AccessControlBuiltInImpl::validate_remote_permissions local_ac_perms_ (total %B)\n"),
277  local_ac_perms_.size()));
278  }
279  return perm_handle;
280 }
#define ACE_DEBUG(X)
DCPS::RcHandle< LocalAccessCredentialData > shared_ptr
DCPS::unique_ptr< Certificate > unique_ptr
Definition: Certificate.h:33
const InstanceHandle_t HANDLE_NIL
bool set_security_error(DDS::Security::SecurityException &ex, int code, int minor_code, const char *message)
#define ACE_GUARD_RETURN(MUTEX, OBJ, LOCK, RETURN)
OpenDDS_Dcps_Export unsigned int DCPS_debug_level
Definition: debug.cpp:30
ACE_TEXT("TCP_Factory")
sequence< octet > OctetSeq
Definition: DdsDcpsCore.idl:64
OpenDDS_Dcps_Export SecurityDebug security_debug
Definition: debug.cpp:32
DCPS::RcHandle< Permissions > shared_ptr
Definition: Permissions.h:30

Member Data Documentation

◆ gen_handle_mutex_

ACE_Thread_Mutex OpenDDS::Security::AccessControlBuiltInImpl::gen_handle_mutex_
mutableprivate

Definition at line 290 of file AccessControlBuiltInImpl.h.

Referenced by generate_handle().

◆ handle_mutex_

ACE_Thread_Mutex OpenDDS::Security::AccessControlBuiltInImpl::handle_mutex_
mutableprivate

◆ listener_ptr_

DDS::Security::AccessControlListener_ptr OpenDDS::Security::AccessControlBuiltInImpl::listener_ptr_
private

◆ local_ac_perms_

ACPermsMap OpenDDS::Security::AccessControlBuiltInImpl::local_ac_perms_
private

◆ local_identity_map_

ACIdentityMap OpenDDS::Security::AccessControlBuiltInImpl::local_identity_map_
private

◆ local_rp_task_

RevokePermissionsTask_rch OpenDDS::Security::AccessControlBuiltInImpl::local_rp_task_
private

◆ next_handle_

int OpenDDS::Security::AccessControlBuiltInImpl::next_handle_
private

Definition at line 292 of file AccessControlBuiltInImpl.h.

Referenced by generate_handle().

◆ remote_rp_task_

RevokePermissionsTask_rch OpenDDS::Security::AccessControlBuiltInImpl::remote_rp_task_
private

The documentation for this class was generated from the following files: