OpenDDS::Security::AccessControlBuiltInImpl Class Reference

Implements the DDS built-in version of the Access Control plugin for the DDS Security Specification. More...

#include <AccessControlBuiltInImpl.h>

Inheritance diagram for OpenDDS::Security::AccessControlBuiltInImpl:

Collaboration diagram for OpenDDS::Security::AccessControlBuiltInImpl:

Classes
struct	AccessData
class	RevokePermissionsTask

Public Member Functions
	AccessControlBuiltInImpl ()
virtual	~AccessControlBuiltInImpl ()
virtual DDS::Security::PermissionsHandle	validate_local_permissions (DDS::Security::Authentication_ptr auth_plugin, DDS::Security::IdentityHandle identity, DDS::Security::DomainId_t domain_id, const DDS::DomainParticipantQos &participant_qos, DDS::Security::SecurityException &ex)
virtual DDS::Security::PermissionsHandle	validate_remote_permissions (DDS::Security::Authentication_ptr auth_plugin, DDS::Security::IdentityHandle local_identity_handle, DDS::Security::IdentityHandle remote_identity_handle, const DDS::Security::PermissionsToken &remote_permissions_token, const DDS::Security::AuthenticatedPeerCredentialToken &remote_credential_token, DDS::Security::SecurityException &ex)
virtual bool	check_create_participant (DDS::Security::PermissionsHandle permissions_handle, DDS::Security::DomainId_t domain_id, const DDS::DomainParticipantQos &qos, DDS::Security::SecurityException &ex)
virtual bool	check_create_datawriter (DDS::Security::PermissionsHandle permissions_handle, DDS::Security::DomainId_t domain_id, const char *topic_name, const DDS::DataWriterQos &qos, const DDS::PartitionQosPolicy &partition, const DDS::Security::DataTags &data_tag, DDS::Security::SecurityException &ex)
virtual bool	check_create_datareader (DDS::Security::PermissionsHandle permissions_handle, DDS::Security::DomainId_t domain_id, const char *topic_name, const DDS::DataReaderQos &qos, const DDS::PartitionQosPolicy &partition, const DDS::Security::DataTags &data_tag, DDS::Security::SecurityException &ex)
virtual bool	check_create_topic (DDS::Security::PermissionsHandle permissions_handle, DDS::Security::DomainId_t domain_id, const char *topic_name, const DDS::TopicQos &qos, DDS::Security::SecurityException &ex)
virtual bool	check_local_datawriter_register_instance (DDS::Security::PermissionsHandle permissions_handle, DDS::DataWriter_ptr writer, DDS::DynamicData_ptr key, DDS::Security::SecurityException &ex)
virtual bool	check_local_datawriter_dispose_instance (DDS::Security::PermissionsHandle permissions_handle, DDS::DataWriter_ptr writer, DDS::DynamicData_ptr key, DDS::Security::SecurityException &ex)
virtual bool	check_remote_participant (DDS::Security::PermissionsHandle permissions_handle, DDS::Security::DomainId_t domain_id, const DDS::Security::ParticipantBuiltinTopicDataSecure &participant_data, DDS::Security::SecurityException &ex)
virtual bool	check_remote_datawriter (DDS::Security::PermissionsHandle permissions_handle, DDS::Security::DomainId_t domain_id, const DDS::Security::PublicationBuiltinTopicDataSecure &publication_data, DDS::Security::SecurityException &ex)
virtual bool	check_remote_datareader (DDS::Security::PermissionsHandle permissions_handle, DDS::Security::DomainId_t domain_id, const DDS::Security::SubscriptionBuiltinTopicDataSecure &subscription_data, bool &relay_only, DDS::Security::SecurityException &ex)
virtual bool	check_remote_topic (DDS::Security::PermissionsHandle permissions_handle, DDS::Security::DomainId_t domain_id, const DDS::TopicBuiltinTopicData &topic_data, DDS::Security::SecurityException &ex)
virtual bool	check_local_datawriter_match (DDS::Security::PermissionsHandle writer_permissions_handle, DDS::Security::PermissionsHandle reader_permissions_handle, const DDS::Security::PublicationBuiltinTopicDataSecure &publication_data, const DDS::Security::SubscriptionBuiltinTopicDataSecure &subscription_data, DDS::Security::SecurityException &ex)
virtual bool	check_local_datareader_match (DDS::Security::PermissionsHandle reader_permissions_handle, DDS::Security::PermissionsHandle writer_permissions_handle, const DDS::Security::SubscriptionBuiltinTopicDataSecure &subscription_data, const DDS::Security::PublicationBuiltinTopicDataSecure &publication_data, DDS::Security::SecurityException &ex)
virtual bool	check_remote_datawriter_register_instance (DDS::Security::PermissionsHandle permissions_handle, DDS::DataReader_ptr reader, DDS::InstanceHandle_t publication_handle, DDS::DynamicData_ptr key, DDS::Security::SecurityException &ex)
virtual bool	check_remote_datawriter_dispose_instance (DDS::Security::PermissionsHandle permissions_handle, DDS::DataReader_ptr reader, DDS::InstanceHandle_t publication_handle, DDS::DynamicData_ptr key, DDS::Security::SecurityException &ex)
virtual bool	get_permissions_token (DDS::Security::PermissionsToken &permissions_token, DDS::Security::PermissionsHandle handle, DDS::Security::SecurityException &ex)
virtual bool	get_permissions_credential_token (DDS::Security::PermissionsCredentialToken &permissions_credential_token, DDS::Security::PermissionsHandle handle, DDS::Security::SecurityException &ex)
virtual bool	set_listener (DDS::Security::AccessControlListener_ptr listener, DDS::Security::SecurityException &ex)
virtual bool	return_permissions_handle (DDS::Security::PermissionsHandle handle, DDS::Security::SecurityException &ex)
virtual bool	return_permissions_token (const DDS::Security::PermissionsToken &token, DDS::Security::SecurityException &ex)
virtual bool	return_permissions_credential_token (const DDS::Security::PermissionsCredentialToken &permissions_credential_token, DDS::Security::SecurityException &ex)
virtual bool	get_participant_sec_attributes (DDS::Security::PermissionsHandle permissions_handle, DDS::Security::ParticipantSecurityAttributes &attributes, DDS::Security::SecurityException &ex)
virtual bool	get_topic_sec_attributes (DDS::Security::PermissionsHandle permissions_handle, const char *topic_name, DDS::Security::TopicSecurityAttributes &attributes, DDS::Security::SecurityException &ex)
virtual bool	get_datawriter_sec_attributes (DDS::Security::PermissionsHandle permissions_handle, const char *topic_name, const DDS::PartitionQosPolicy &partition, const DDS::Security::DataTagQosPolicy &data_tag, DDS::Security::EndpointSecurityAttributes &attributes, DDS::Security::SecurityException &ex)
virtual bool	get_datareader_sec_attributes (DDS::Security::PermissionsHandle permissions_handle, const char *topic_name, const DDS::PartitionQosPolicy &partition, const DDS::Security::DataTagQosPolicy &data_tag, DDS::Security::EndpointSecurityAttributes &attributes, DDS::Security::SecurityException &ex)
virtual bool	return_participant_sec_attributes (const DDS::Security::ParticipantSecurityAttributes &attributes, DDS::Security::SecurityException &ex)
virtual bool	return_datawriter_sec_attributes (const DDS::Security::EndpointSecurityAttributes &attributes, DDS::Security::SecurityException &ex)
virtual bool	return_datareader_sec_attributes (const DDS::Security::EndpointSecurityAttributes &attributes, DDS::Security::SecurityException &ex)
SSL::SubjectName	get_subject_name (DDS::Security::PermissionsHandle permissions_handle) const
Public Member Functions inherited from DDS::Security::AccessControl
PermissionsHandle	validate_local_permissions (in Authentication auth_plugin, in IdentityHandle identity, in DomainId_t domain_id, in DomainParticipantQos participant_qos, inout SecurityException ex)
PermissionsHandle	validate_remote_permissions (in Authentication auth_plugin, in IdentityHandle local_identity_handle, in IdentityHandle remote_identity_handle, in PermissionsToken remote_permissions_token, in AuthenticatedPeerCredentialToken remote_credential_token, inout SecurityException ex)
boolean	check_create_participant (in PermissionsHandle permissions_handle, in DomainId_t domain_id, in DomainParticipantQos qos, inout SecurityException ex)
boolean	check_create_datawriter (in PermissionsHandle permissions_handle, in DomainId_t domain_id, in string topic_name, in DataWriterQos qos, in PartitionQosPolicy partition, in DataTags data_tag, inout SecurityException ex)
boolean	check_create_datareader (in PermissionsHandle permissions_handle, in DomainId_t domain_id, in string topic_name, in DataReaderQos qos, in PartitionQosPolicy partition, in DataTags data_tag, inout SecurityException ex)
boolean	check_create_topic (in PermissionsHandle permissions_handle, in DomainId_t domain_id, in string topic_name, in TopicQos qos, inout SecurityException ex)
boolean	check_local_datawriter_register_instance (in PermissionsHandle permissions_handle, in DataWriter writer, in DynamicData key, inout SecurityException ex)
boolean	check_local_datawriter_dispose_instance (in PermissionsHandle permissions_handle, in DataWriter writer, in DynamicData key, inout SecurityException ex)
boolean	check_remote_participant (in PermissionsHandle permissions_handle, in DomainId_t domain_id, in ParticipantBuiltinTopicDataSecure participant_data, inout SecurityException ex)
boolean	check_remote_datawriter (in PermissionsHandle permissions_handle, in DomainId_t domain_id, in PublicationBuiltinTopicDataSecure publication_data, inout SecurityException ex)
boolean	check_remote_datareader (in PermissionsHandle permissions_handle, in DomainId_t domain_id, in SubscriptionBuiltinTopicDataSecure subscription_data, inout boolean relay_only, inout SecurityException ex)
boolean	check_remote_topic (in PermissionsHandle permissions_handle, in DomainId_t domain_id, in TopicBuiltinTopicData topic_data, inout SecurityException ex)
boolean	check_local_datawriter_match (in PermissionsHandle writer_permissions_handle, in PermissionsHandle reader_permissions_handle, in PublicationBuiltinTopicDataSecure publication_data, in SubscriptionBuiltinTopicDataSecure subscription_data, inout SecurityException ex)
boolean	check_local_datareader_match (in PermissionsHandle reader_permissions_handle, in PermissionsHandle writer_permissions_handle, in SubscriptionBuiltinTopicDataSecure subscription_data, in PublicationBuiltinTopicDataSecure publication_data, inout SecurityException ex)
boolean	check_remote_datawriter_register_instance (in PermissionsHandle permissions_handle, in DataReader reader, in InstanceHandle_t publication_handle, in DynamicData key, inout SecurityException ex)
boolean	check_remote_datawriter_dispose_instance (in PermissionsHandle permissions_handle, in DataReader reader, in InstanceHandle_t publication_handle, in DynamicData key, inout SecurityException ex)
boolean	get_permissions_token (inout PermissionsToken permissions_token, in PermissionsHandle handle, inout SecurityException ex)
boolean	get_permissions_credential_token (inout PermissionsCredentialToken permissions_credential_token, in PermissionsHandle handle, inout SecurityException ex)
boolean	set_listener (in AccessControlListener listener, inout SecurityException ex)
boolean	return_permissions_handle (in PermissionsHandle handle, inout SecurityException ex)
boolean	return_permissions_token (in PermissionsToken token, inout SecurityException ex)
boolean	return_permissions_credential_token (in PermissionsCredentialToken permissions_credential_token, inout SecurityException ex)
boolean	get_participant_sec_attributes (in PermissionsHandle permissions_handle, inout ParticipantSecurityAttributes attributes, inout SecurityException ex)
boolean	get_topic_sec_attributes (in PermissionsHandle permissions_handle, in string topic_name, inout TopicSecurityAttributes attributes, inout SecurityException ex)
boolean	get_datawriter_sec_attributes (in PermissionsHandle permissions_handle, in string topic_name, in PartitionQosPolicy partition, in DataTagQosPolicy data_tag, inout EndpointSecurityAttributes attributes, inout SecurityException ex)
boolean	get_datareader_sec_attributes (in PermissionsHandle permissions_handle, in string topic_name, in PartitionQosPolicy partition, in DataTagQosPolicy data_tag, inout EndpointSecurityAttributes attributes, inout SecurityException ex)
boolean	return_participant_sec_attributes (in ParticipantSecurityAttributes attributes, inout SecurityException ex)
boolean	return_datawriter_sec_attributes (in EndpointSecurityAttributes attributes, inout SecurityException ex)
boolean	return_datareader_sec_attributes (in EndpointSecurityAttributes attributes, inout SecurityException ex)

Static Public Member Functions
static bool	pattern_match (const char *string, const char *pattern)

Private Types
typedef std::map< DDS::Security::PermissionsHandle, AccessData >	ACPermsMap
typedef std::map< DDS::Security::IdentityHandle, DDS::Security::PermissionsHandle >	ACIdentityMap
typedef DCPS::RcHandle< RevokePermissionsTask >	RevokePermissionsTask_rch

Private Member Functions
	AccessControlBuiltInImpl (const AccessControlBuiltInImpl &)
AccessControlBuiltInImpl &	operator= (const AccessControlBuiltInImpl &)
int	generate_handle ()
RevokePermissionsTask_rch &	make_task (RevokePermissionsTask_rch &task)
bool	validate_date_time (const Permissions::Validity_t &validity, DDS::Security::SecurityException &ex)
bool	get_sec_attributes (DDS::Security::PermissionsHandle permissions_handle, const char *topic_name, const DDS::PartitionQosPolicy &partition, const DDS::Security::DataTagQosPolicy &data_tag, DDS::Security::EndpointSecurityAttributes &attributes, DDS::Security::SecurityException &ex)
bool	search_permissions (const char *topic_name, DDS::Security::DomainId_t domain_id, const DDS::PartitionQosPolicy &partition, Permissions::PublishSubscribe_t pub_or_sub, const Permissions::Grant &grant, DDS::Security::SecurityException &ex)
void	parse_class_id (const std::string &class_id, std::string &plugin_class_name, int &major_version, int &minor_version)

Private Attributes
ACPermsMap	local_ac_perms_
ACIdentityMap	local_identity_map_
RevokePermissionsTask_rch	local_rp_task_
RevokePermissionsTask_rch	remote_rp_task_
ACE_Thread_Mutex	handle_mutex_
ACE_Thread_Mutex	gen_handle_mutex_
int	next_handle_
DDS::Security::AccessControlListener_ptr	listener_ptr_

Detailed Description

Implements the DDS built-in version of the Access Control plugin for the DDS Security Specification.

See the DDS security specification, OMG formal/17-09-20, for a description of the interface this class is implementing.

Definition at line 55 of file AccessControlBuiltInImpl.h.

Member Typedef Documentation

ACIdentityMap

typedef std::map<DDS::Security::IdentityHandle, DDS::Security::PermissionsHandle> OpenDDS::Security::AccessControlBuiltInImpl::ACIdentityMap

private

Definition at line 258 of file AccessControlBuiltInImpl.h.

ACPermsMap

typedef std::map<DDS::Security::PermissionsHandle, AccessData> OpenDDS::Security::AccessControlBuiltInImpl::ACPermsMap

private

Definition at line 255 of file AccessControlBuiltInImpl.h.

RevokePermissionsTask_rch

typedef DCPS::RcHandle<RevokePermissionsTask> OpenDDS::Security::AccessControlBuiltInImpl::RevokePermissionsTask_rch

private

Definition at line 282 of file AccessControlBuiltInImpl.h.

Constructor & Destructor Documentation

AccessControlBuiltInImpl() [1/2]

OpenDDS::Security::AccessControlBuiltInImpl::AccessControlBuiltInImpl

(

)

Definition at line 55 of file AccessControlBuiltInImpl.cpp.

  : handle_mutex_()
  , gen_handle_mutex_()
  , next_handle_(1)
  , listener_ptr_(0)
{  }

~AccessControlBuiltInImpl()

OpenDDS::Security::AccessControlBuiltInImpl::~AccessControlBuiltInImpl ( )

virtual

Definition at line 62 of file AccessControlBuiltInImpl.cpp.

References ACE_DEBUG, ACE_TEXT(), LM_DEBUG, local_ac_perms_, local_identity_map_, and OpenDDS::DCPS::security_debug.

{
  if (DCPS::security_debug.bookkeeping) {
    ACE_DEBUG((LM_DEBUG, ACE_TEXT("(%P|%t) {bookkeeping} ")
               ACE_TEXT("AccessControlBuiltInImpl::~AccessControlBuiltInImpl local_ac_perms_ %B local_identity_map_ %B\n"),
               local_ac_perms_.size(),
               local_identity_map_.size()));
  }
}

AccessControlBuiltInImpl() [2/2]

OpenDDS::Security::AccessControlBuiltInImpl::AccessControlBuiltInImpl ( const AccessControlBuiltInImpl &  )

private

Member Function Documentation

check_create_datareader()

CORBA::Boolean OpenDDS::Security::AccessControlBuiltInImpl::check_create_datareader ( DDS::Security::PermissionsHandle  permissions_handle, DDS::Security::DomainId_t  domain_id, const char *  topic_name, const DDS::DataReaderQos &  qos, const DDS::PartitionQosPolicy &  partition, const DDS::Security::DataTags &  data_tag, DDS::Security::SecurityException &  ex  )

virtual

Definition at line 413 of file AccessControlBuiltInImpl.cpp.

References ACE_GUARD_RETURN, handle_mutex_, DDS::HANDLE_NIL, OpenDDS::Security::AccessControlBuiltInImpl::RevokePermissionsTask::insert(), local_ac_perms_, local_rp_task_, make_task(), pattern_match(), search_permissions(), OpenDDS::Security::CommonUtilities::set_security_error(), OpenDDS::Security::Permissions::SUBSCRIBE, and validate_date_time().

{
  if (DDS::HANDLE_NIL == permissions_handle) {
    return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_create_datareader: Invalid permissions handle");
  }

  if (0 == topic_name) {
    return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_create_datareader: Invalid Topic Name");
  }

  ACE_GUARD_RETURN(ACE_Thread_Mutex, guard, handle_mutex_, false);

  ACPermsMap::iterator ac_iter = local_ac_perms_.find(permissions_handle);

  if (ac_iter == local_ac_perms_.end()) {
    return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_create_datareader: No matching permissions handle present");
  }

  gov_iter begin = ac_iter->second.gov->access_rules().begin();
  gov_iter end = ac_iter->second.gov->access_rules().end();

  for (gov_iter giter = begin; giter != end; ++giter) {

    if (giter->domains.has(domain_id)) {
      Governance::TopicAccessRules::iterator tr_iter;

      for (tr_iter = giter->topic_rules.begin(); tr_iter != giter->topic_rules.end(); ++tr_iter) {
        if (pattern_match(topic_name, tr_iter->topic_expression.c_str())) {
          if (!tr_iter->topic_attrs.is_read_protected) {
            return true;
          }
        }
      }
    }
  }

  // Check the Permissions file

  const Permissions::Grant_rch grant = ac_iter->second.perm->find_grant(ac_iter->second.subject);
  if (!grant) {
    return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_create_datareader: Permissions grant not found");
  }

  if (!validate_date_time(grant->validity, ex)) {
    return false;
  }

  if (!search_permissions(topic_name, domain_id, partition, Permissions::SUBSCRIBE, *grant, ex)) {
    return false;
  }

  make_task(local_rp_task_)->insert(permissions_handle, grant->validity.not_after);

  return true;
}

check_create_datawriter()

CORBA::Boolean OpenDDS::Security::AccessControlBuiltInImpl::check_create_datawriter ( DDS::Security::PermissionsHandle  permissions_handle, DDS::Security::DomainId_t  domain_id, const char *  topic_name, const DDS::DataWriterQos &  qos, const DDS::PartitionQosPolicy &  partition, const DDS::Security::DataTags &  data_tag, DDS::Security::SecurityException &  ex  )

virtual

Definition at line 351 of file AccessControlBuiltInImpl.cpp.

References ACE_GUARD_RETURN, handle_mutex_, DDS::HANDLE_NIL, OpenDDS::Security::AccessControlBuiltInImpl::RevokePermissionsTask::insert(), local_ac_perms_, local_rp_task_, make_task(), pattern_match(), OpenDDS::Security::Permissions::PUBLISH, search_permissions(), OpenDDS::Security::CommonUtilities::set_security_error(), and validate_date_time().

{
  if (DDS::HANDLE_NIL == permissions_handle) {
    return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_create_datawriter: Invalid permissions handle");
  }
  if (0 == topic_name) {
    return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_create_datawriter: Invalid Topic Name");
  }

  ACE_GUARD_RETURN(ACE_Thread_Mutex, guard, handle_mutex_, false);

  ACPermsMap::iterator ac_iter = local_ac_perms_.find(permissions_handle);

  if (ac_iter == local_ac_perms_.end()) {
    return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_create_datawriter: No matching permissions handle present");
  }

  gov_iter begin = ac_iter->second.gov->access_rules().begin();
  gov_iter end = ac_iter->second.gov->access_rules().end();

  for (gov_iter giter = begin; giter != end; ++giter) {

    if (giter->domains.has(domain_id)) {
      Governance::TopicAccessRules::iterator tr_iter;

      for (tr_iter = giter->topic_rules.begin(); tr_iter != giter->topic_rules.end(); ++tr_iter) {
        if (pattern_match(topic_name, tr_iter->topic_expression.c_str())) {
          if (!tr_iter->topic_attrs.is_write_protected) {
            return true;
          }
        }
      }
    }
  }

  // Check the Permissions file

  const Permissions::Grant_rch grant = ac_iter->second.perm->find_grant(ac_iter->second.subject);
  if (!grant) {
    return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_create_datawriter: Permissions grant not found");
  }

  if (!validate_date_time(grant->validity, ex)) {
    return false;
  }

  if (!search_permissions(topic_name, domain_id, partition, Permissions::PUBLISH, *grant, ex)) {
    return false;
  }

  make_task(local_rp_task_)->insert(permissions_handle, grant->validity.not_after);

  return true;
}

check_create_participant()

CORBA::Boolean OpenDDS::Security::AccessControlBuiltInImpl::check_create_participant ( DDS::Security::PermissionsHandle  permissions_handle, DDS::Security::DomainId_t  domain_id, const DDS::DomainParticipantQos &  qos, DDS::Security::SecurityException &  ex  )

virtual

Definition at line 282 of file AccessControlBuiltInImpl.cpp.

References ACE_GUARD_RETURN, handle_mutex_, DDS::HANDLE_NIL, local_ac_perms_, and OpenDDS::Security::CommonUtilities::set_security_error().

{
  if (DDS::HANDLE_NIL == permissions_handle) {
    return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_create_participant: Invalid permissions handle");
  }

/*
 *  The rules of this method need to be evaluated in this order, however, we need to check
 *  to make sure the permission handle exists in our store prior to assessing these rules
*/
  /* From Table 63 of the spec.
     This operation shall use the permissions_handle to retrieve
     the cached Permissions and Governance information.
             If the Governance specifies any topics on the
     DomainParticipant domain_id with
     enable_read_access_control set to FALSE or with
     enable_write_access_control set to FALSE, then the
     operation shall succeed and return TRUE.
             If the ParticipantSecurityAttributes has
     is_access_protected set to FALSE, then the operation shall
     succeed and return TRUE.
             Otherwise the operation shall return FALSE.
 */

  ACE_GUARD_RETURN(ACE_Thread_Mutex, guard, handle_mutex_, false);

  ACPermsMap::iterator piter = local_ac_perms_.find(permissions_handle);

  if (piter == local_ac_perms_.end()) {
    return CommonUtilities::set_security_error(ex, -1, 0,
      "AccessControlBuiltInImpl::check_create_participant: "
      "No matching permissions handle present");
  }

  if (domain_id != piter->second.domain_id) {
    return CommonUtilities::set_security_error(ex, -1, 0,
      "AccessControlBuiltInImpl::check_create_participant: "
      "Domain does not match validated permissions handle");
  }

  gov_iter begin = piter->second.gov->access_rules().begin();
  gov_iter end = piter->second.gov->access_rules().end();

  for (gov_iter giter = begin; giter != end; ++giter) {

    if (giter->domains.has(domain_id)) {
      Governance::TopicAccessRules::iterator tr_iter;

      for (tr_iter = giter->topic_rules.begin(); tr_iter != giter->topic_rules.end(); ++tr_iter) {
        if (!tr_iter->topic_attrs.is_read_protected || !tr_iter->topic_attrs.is_write_protected) {
          return true;
        }
      }

      if (!giter->domain_attrs.is_access_protected) {
        return true;
      }
    }
  }

  return CommonUtilities::set_security_error(ex, -1, 0,
    "AccessControlBuiltInImpl::check_create_participant: "
    "No governance exists for this domain");
}

check_create_topic()

CORBA::Boolean OpenDDS::Security::AccessControlBuiltInImpl::check_create_topic ( DDS::Security::PermissionsHandle  permissions_handle, DDS::Security::DomainId_t  domain_id, const char *  topic_name, const DDS::TopicQos &  qos, DDS::Security::SecurityException &  ex  )

virtual

Definition at line 476 of file AccessControlBuiltInImpl.cpp.

References ACE_GUARD_RETURN, OpenDDS::Security::Permissions::ALLOW, handle_mutex_, DDS::HANDLE_NIL, local_ac_perms_, pattern_match(), OpenDDS::Security::CommonUtilities::set_security_error(), and validate_date_time().

{
  if (DDS::HANDLE_NIL == permissions_handle) {
    return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_create_topic: Invalid permissions handle");
  }
  if (0 == topic_name) {
    return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_create_topic: Invalid Topic Name");
  }

  ACE_GUARD_RETURN(ACE_Thread_Mutex, guard, handle_mutex_, false);

  ACPermsMap::iterator ac_iter = local_ac_perms_.find(permissions_handle);

  if (ac_iter == local_ac_perms_.end()) {
    return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_create_topic: No matching permissions handle present");
  }

  // Check the Governance file for allowable topic attributes

  if (domain_id != ac_iter->second.domain_id) {
    return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_create_topic: Requested domain ID does not match permissions handle");
  }

  ::DDS::Security::DomainId_t domain_to_find = ac_iter->second.domain_id;

  gov_iter begin = ac_iter->second.gov->access_rules().begin();
  gov_iter end = ac_iter->second.gov->access_rules().end();

  for (gov_iter giter = begin; giter != end; ++giter) {

    if (giter->domains.has(domain_to_find)) {
      Governance::TopicAccessRules::iterator tr_iter;

      for (tr_iter = giter->topic_rules.begin(); tr_iter != giter->topic_rules.end(); ++tr_iter) {
        if (pattern_match(topic_name, tr_iter->topic_expression.c_str())) {
          if (!tr_iter->topic_attrs.is_read_protected || !tr_iter->topic_attrs.is_write_protected) {
            return true;
          }
        }
      }
    }
  }

  const Permissions::Grant_rch grant = ac_iter->second.perm->find_grant(ac_iter->second.subject);
  if (!grant) {
    return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_create_topic: grant not found");
  }

  if (!validate_date_time(grant->validity, ex)) {
    return false;
  }

  Permissions::PublishSubscribe_t denied_type;
  bool found_deny = false;
  // Iterate over allow / deny rules
  for (perm_topic_rules_iter ptr_iter = grant->rules.begin(); ptr_iter != grant->rules.end(); ++ptr_iter) {

    if (ptr_iter->domains.has(domain_to_find)) {

      perm_topic_actions_iter tpsr_iter;
      for (tpsr_iter = ptr_iter->actions.begin(); tpsr_iter != ptr_iter->actions.end(); ++tpsr_iter) {

        std::vector<std::string>::iterator tl_iter;
        for (tl_iter = tpsr_iter->topics.begin(); tl_iter != tpsr_iter->topics.end(); ++tl_iter) {

          if (pattern_match(topic_name, tl_iter->c_str())) {
            if (ptr_iter->ad_type == Permissions::ALLOW) {
              return true;
            }
            if (found_deny && denied_type != tpsr_iter->ps_type) {
              return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_create_topic: Both publish and subscribe are denied for this topic.");
            } else if (!found_deny) {
              found_deny = true;
              denied_type = tpsr_iter->ps_type;
            }
          }
        }
      }
    }
  }

  // There is no matching rule for topic_name so use the value in default_permission
  if (grant->default_permission == Permissions::ALLOW) {
    return true;
  } else {
    return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_create_topic: No matching rule for topic, default permission is DENY.");
  }
}

check_local_datareader_match()

CORBA::Boolean OpenDDS::Security::AccessControlBuiltInImpl::check_local_datareader_match ( DDS::Security::PermissionsHandle  reader_permissions_handle, DDS::Security::PermissionsHandle  writer_permissions_handle, const DDS::Security::SubscriptionBuiltinTopicDataSecure &  subscription_data, const DDS::Security::PublicationBuiltinTopicDataSecure &  publication_data, DDS::Security::SecurityException &  ex  )

virtual

Definition at line 959 of file AccessControlBuiltInImpl.cpp.

References DDS::HANDLE_NIL, and OpenDDS::Security::CommonUtilities::set_security_error().

{
  if (DDS::HANDLE_NIL == writer_permissions_handle) {
    return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_local_datareader_match: Invalid writer permissions handle");
  }
  if (DDS::HANDLE_NIL == reader_permissions_handle) {
    return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_local_datareader_match: Invalid reader permissions handle");
  }

  return true;
}

check_local_datawriter_dispose_instance()

CORBA::Boolean OpenDDS::Security::AccessControlBuiltInImpl::check_local_datawriter_dispose_instance ( DDS::Security::PermissionsHandle  permissions_handle, DDS::DataWriter_ptr  writer, DDS::DynamicData_ptr  key, DDS::Security::SecurityException &  ex  )

virtual

Definition at line 589 of file AccessControlBuiltInImpl.cpp.

References DDS::HANDLE_NIL, and OpenDDS::Security::CommonUtilities::set_security_error().

{
  if (DDS::HANDLE_NIL == permissions_handle) {
    return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_local_datawriter_dispose_instance: Invalid permissions handle");
  }
  if (0 == writer) {
    return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_local_datawriter_dispose_instance: Invalid Writer");
  }
  if (0 == key) {
    return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_local_datawriter_dispose_instance: Invalid Topic Key");
  }

  return true;
}

check_local_datawriter_match()

CORBA::Boolean OpenDDS::Security::AccessControlBuiltInImpl::check_local_datawriter_match ( DDS::Security::PermissionsHandle  writer_permissions_handle, DDS::Security::PermissionsHandle  reader_permissions_handle, const DDS::Security::PublicationBuiltinTopicDataSecure &  publication_data, const DDS::Security::SubscriptionBuiltinTopicDataSecure &  subscription_data, DDS::Security::SecurityException &  ex  )

virtual

Definition at line 942 of file AccessControlBuiltInImpl.cpp.

References DDS::HANDLE_NIL, and OpenDDS::Security::CommonUtilities::set_security_error().

{
  if (DDS::HANDLE_NIL == writer_permissions_handle) {
    return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_local_datawriter_match: Invalid writer permissions handle");
  }
  if (DDS::HANDLE_NIL == reader_permissions_handle) {
    return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_local_datawriter_match: Invalid reader permissions handle");
  }

  return true;
}

check_local_datawriter_register_instance()

CORBA::Boolean OpenDDS::Security::AccessControlBuiltInImpl::check_local_datawriter_register_instance ( DDS::Security::PermissionsHandle  permissions_handle, DDS::DataWriter_ptr  writer, DDS::DynamicData_ptr  key, DDS::Security::SecurityException &  ex  )

virtual

Definition at line 570 of file AccessControlBuiltInImpl.cpp.

References DDS::HANDLE_NIL, and OpenDDS::Security::CommonUtilities::set_security_error().

{
  if (DDS::HANDLE_NIL == permissions_handle) {
    return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_local_datawriter_register_instance: Invalid permissions handle");
  }
  if (0 == writer) {
    return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_local_datawriter_register_instance: Invalid Writer");
  }
  if (0 == key) {
    return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_local_datawriter_register_instance: Invalid Topic Key");
  }

  return true;
}

check_remote_datareader()

CORBA::Boolean OpenDDS::Security::AccessControlBuiltInImpl::check_remote_datareader ( DDS::Security::PermissionsHandle  permissions_handle, DDS::Security::DomainId_t  domain_id, const DDS::Security::SubscriptionBuiltinTopicDataSecure &  subscription_data, bool &  relay_only, DDS::Security::SecurityException &  ex  )

virtual

Definition at line 750 of file AccessControlBuiltInImpl.cpp.

References ACE_GUARD_RETURN, handle_mutex_, DDS::HANDLE_NIL, OpenDDS::Security::AccessControlBuiltInImpl::RevokePermissionsTask::insert(), local_ac_perms_, make_task(), pattern_match(), remote_rp_task_, search_permissions(), OpenDDS::Security::CommonUtilities::set_security_error(), OpenDDS::Security::Permissions::SUBSCRIBE, and validate_date_time().

{
  if (DDS::HANDLE_NIL == permissions_handle) {
    return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_remote_datareader: Invalid permissions handle");
  }

  ACE_GUARD_RETURN(ACE_Thread_Mutex, guard, handle_mutex_, false);

  ACPermsMap::iterator ac_iter = local_ac_perms_.find(permissions_handle);

  if (ac_iter == local_ac_perms_.end()) {
    return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_create_datareader: No matching permissions handle present");
  }

  // Default this to false for now
  relay_only = false;

  gov_iter begin = ac_iter->second.gov->access_rules().begin();
  gov_iter end = ac_iter->second.gov->access_rules().end();

  for (gov_iter giter = begin; giter != end; ++giter) {

    if (giter->domains.has(domain_id)) {
      Governance::TopicAccessRules::iterator tr_iter;

      for (tr_iter = giter->topic_rules.begin(); tr_iter != giter->topic_rules.end(); ++tr_iter) {
        if (pattern_match(subscription_data.base.base.topic_name, tr_iter->topic_expression.c_str())) {
          if (!tr_iter->topic_attrs.is_read_protected) {
            return true;
          }
        }
      }
    }
  }

  const Permissions::Grant_rch grant = ac_iter->second.perm->find_grant(ac_iter->second.subject);
  if (!grant) {
    return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_remote_datareader: Permissions grant not found");
  }

  if (!validate_date_time(grant->validity, ex)) {
    return false;
  }

  if (!search_permissions(subscription_data.base.base.topic_name, domain_id,
                          subscription_data.base.base.partition, Permissions::SUBSCRIBE,
                          *grant, ex)) {
    return false;
  }

  make_task(remote_rp_task_)->insert(permissions_handle, grant->validity.not_after);

  return true;
}

check_remote_datawriter()

CORBA::Boolean OpenDDS::Security::AccessControlBuiltInImpl::check_remote_datawriter ( DDS::Security::PermissionsHandle  permissions_handle, DDS::Security::DomainId_t  domain_id, const DDS::Security::PublicationBuiltinTopicDataSecure &  publication_data, DDS::Security::SecurityException &  ex  )

virtual

Definition at line 690 of file AccessControlBuiltInImpl.cpp.

References ACE_GUARD_RETURN, handle_mutex_, DDS::HANDLE_NIL, OpenDDS::Security::AccessControlBuiltInImpl::RevokePermissionsTask::insert(), local_ac_perms_, make_task(), pattern_match(), OpenDDS::Security::Permissions::PUBLISH, remote_rp_task_, search_permissions(), OpenDDS::Security::CommonUtilities::set_security_error(), and validate_date_time().

{
  if (DDS::HANDLE_NIL == permissions_handle) {
    return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_remote_datawriter: Invalid permissions handle");
  }

  if (publication_data.base.base.topic_name[0] == 0) {
    return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_remote_datawriter: Invalid topic name");
  }

  ACE_GUARD_RETURN(ACE_Thread_Mutex, guard, handle_mutex_, false);

  ACPermsMap::iterator ac_iter = local_ac_perms_.find(permissions_handle);

  if (ac_iter == local_ac_perms_.end()) {
    return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_remote_datawriter: No matching permissions handle present");
  }

  gov_iter begin = ac_iter->second.gov->access_rules().begin();
  gov_iter end = ac_iter->second.gov->access_rules().end();

  for (gov_iter giter = begin; giter != end; ++giter) {

    if (giter->domains.has(domain_id)) {
      Governance::TopicAccessRules::iterator tr_iter;

      for (tr_iter = giter->topic_rules.begin(); tr_iter != giter->topic_rules.end(); ++tr_iter) {
        if (pattern_match(publication_data.base.base.topic_name, tr_iter->topic_expression.c_str())) {
          if (!tr_iter->topic_attrs.is_write_protected) {
            return true;
          }
        }
      }
    }
  }

  const Permissions::Grant_rch grant = ac_iter->second.perm->find_grant(ac_iter->second.subject);
  if (!grant) {
    return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_remote_datawriter: Permissions grant not found");
  }

  if (!validate_date_time(grant->validity, ex)) {
    return false;
  }

  if (!search_permissions(publication_data.base.base.topic_name, domain_id,
                          publication_data.base.base.partition, Permissions::PUBLISH,
                          *grant, ex)) {
    return false;
  }

  make_task(remote_rp_task_)->insert(permissions_handle, grant->validity.not_after);

  return true;
}

check_remote_datawriter_dispose_instance()

CORBA::Boolean OpenDDS::Security::AccessControlBuiltInImpl::check_remote_datawriter_dispose_instance ( DDS::Security::PermissionsHandle  permissions_handle, DDS::DataReader_ptr  reader, DDS::InstanceHandle_t  publication_handle, DDS::DynamicData_ptr  key, DDS::Security::SecurityException &  ex  )

virtual

Definition at line 995 of file AccessControlBuiltInImpl.cpp.

References DDS::HANDLE_NIL, and OpenDDS::Security::CommonUtilities::set_security_error().

{
  if (DDS::HANDLE_NIL == permissions_handle ||
      DDS::HANDLE_NIL == publication_handle) {
    return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_remote_datawriter_dispose_instance: Invalid handle");
  }
  if (0 == reader) {
    return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_remote_datawriter_dispose_instance: Invalid Reader pointer");
  }
  // Key could be null if we don't have complete type objects
  ACE_UNUSED_ARG(key);
  return true;
}

check_remote_datawriter_register_instance()

CORBA::Boolean OpenDDS::Security::AccessControlBuiltInImpl::check_remote_datawriter_register_instance ( DDS::Security::PermissionsHandle  permissions_handle, DDS::DataReader_ptr  reader, DDS::InstanceHandle_t  publication_handle, DDS::DynamicData_ptr  key, DDS::Security::SecurityException &  ex  )

virtual

Definition at line 976 of file AccessControlBuiltInImpl.cpp.

References DDS::HANDLE_NIL, and OpenDDS::Security::CommonUtilities::set_security_error().

{
  if (DDS::HANDLE_NIL == permissions_handle ||
      DDS::HANDLE_NIL == publication_handle) {
    return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_remote_datawriter_register_instance: Invalid handle");
  }
  if (0 == reader) {
    return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_remote_datawriter_register_instance: Invalid Reader pointer");
  }
  // Key could be null if we don't have complete type objects
  ACE_UNUSED_ARG(key);
  return true;
}

check_remote_participant()

CORBA::Boolean OpenDDS::Security::AccessControlBuiltInImpl::check_remote_participant ( DDS::Security::PermissionsHandle  permissions_handle, DDS::Security::DomainId_t  domain_id, const DDS::Security::ParticipantBuiltinTopicDataSecure &  participant_data, DDS::Security::SecurityException &  ex  )

virtual

Definition at line 608 of file AccessControlBuiltInImpl.cpp.

References ACE_GUARD_RETURN, OpenDDS::Security::Permissions::ALLOW, handle_mutex_, DDS::HANDLE_NIL, local_ac_perms_, parse_class_id(), OpenDDS::Security::CommonUtilities::set_security_error(), and strcmp().

{
  if (DDS::HANDLE_NIL == permissions_handle) {
    return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_remote_participant: Invalid permissions handle");
  }

  ACE_GUARD_RETURN(ACE_Thread_Mutex, guard, handle_mutex_, false);

  ACPermsMap::iterator ac_iter = local_ac_perms_.find(permissions_handle);

  if (ac_iter == local_ac_perms_.end()) {
    return CommonUtilities::set_security_error(ex,-1, 0, "AccessControlBuiltInImpl::check_remote_participant: No matching permissions handle present");
  }

  gov_iter begin = ac_iter->second.gov->access_rules().begin();
  gov_iter end = ac_iter->second.gov->access_rules().end();

  for (gov_iter giter = begin; giter != end; ++giter) {
    if (giter->domains.has(domain_id) && !giter->domain_attrs.is_access_protected) {
      return true;
    }
  }

  // Check the PluginClassName and MajorVersion of the local permissions vs. remote  See Table 63 of spec
  const std::string remote_class_id = participant_data.base.permissions_token.class_id.in();

  std::string local_plugin_class_name,
              remote_plugin_class_name;
  int local_major_ver = 0,
      local_minor_ver,
      remote_major_ver,
      remote_minor_ver;

  if (remote_class_id.length() > 0) {
    parse_class_id(remote_class_id, remote_plugin_class_name, remote_major_ver, remote_minor_ver);
  } else {
    return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_remote_participant: Invalid remote class ID");
  }

  for (ACPermsMap::iterator local_iter = local_ac_perms_.begin(); local_iter != local_ac_perms_.end(); ++local_iter) {
    if (local_iter->second.domain_id == domain_id && local_iter->first != permissions_handle) {
      const std::string local_class_id = local_iter->second.perm->perm_token_.class_id.in();

      if (local_class_id.length() > 0) {
        parse_class_id(local_class_id, local_plugin_class_name, local_major_ver, local_minor_ver);
        break;
      } else {
        return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_remote_participant: Invalid local class ID");
      }
    }
  }

  if (strcmp(local_plugin_class_name.c_str(), remote_plugin_class_name.c_str())) {
    return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_remote_participant: Class ID plugin class name do not match");
  }

  if (local_major_ver != remote_major_ver) {
    return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_remote_participant: Class ID major versions do not match");
  }

  const Permissions::Grant_rch grant = ac_iter->second.perm->find_grant(ac_iter->second.subject);
  if (!grant) {
    return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_remote_participant: Permissions grant not found");
  }

  for (perm_topic_rules_iter ptr_iter = grant->rules.begin(); ptr_iter != grant->rules.end(); ++ptr_iter) {
    if (ptr_iter->domains.has(domain_id) && ptr_iter->ad_type == Permissions::ALLOW) {
      return true;
    }
  }

  if (grant->default_permission == Permissions::ALLOW) {
    return true; // DDSSEC12-85
  }

  return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_remote_participant: Not authorized for domain");
}

check_remote_topic()

CORBA::Boolean OpenDDS::Security::AccessControlBuiltInImpl::check_remote_topic ( DDS::Security::PermissionsHandle  permissions_handle, DDS::Security::DomainId_t  domain_id, const DDS::TopicBuiltinTopicData &  topic_data, DDS::Security::SecurityException &  ex  )

virtual

Definition at line 810 of file AccessControlBuiltInImpl.cpp.

References ACE_GUARD_RETURN, OpenDDS::Security::Permissions::ALLOW, handle_mutex_, DDS::HANDLE_NIL, local_ac_perms_, parse_class_id(), pattern_match(), OpenDDS::Security::Permissions::PUBLISH, OpenDDS::Security::CommonUtilities::set_security_error(), strcmp(), OpenDDS::Security::Permissions::SUBSCRIBE, and validate_date_time().

{
  // NOTE: permissions_handle is for the remote DomainParticipant.
  if (DDS::HANDLE_NIL == permissions_handle) {
    return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_remote_topic: Invalid permissions handle");
  }

  if (topic_data.name[0] == 0) {
    return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_remote_topic: Invalid topic data");
  }

  ACE_GUARD_RETURN(ACE_Thread_Mutex, guard, handle_mutex_, false);

  ACPermsMap::iterator ac_iter = local_ac_perms_.find(permissions_handle);

  if (ac_iter == local_ac_perms_.end()) {
    return CommonUtilities::set_security_error(ex,-1, 0, "AccessControlBuiltInImpl::check_remote_topic: No matching permissions handle present");
  }

  // Compare the PluginClassName and MajorVersion of the local permissions_token
  // with those in the remote_permissions_token.
  const std::string remote_class_id = ac_iter->second.perm->perm_token_.class_id.in();

  std::string local_plugin_class_name,
              remote_plugin_class_name;
  int local_major_ver = 0,
      local_minor_ver,
      remote_major_ver,
      remote_minor_ver;

  if (remote_class_id.length() > 0) {
    parse_class_id(remote_class_id, remote_plugin_class_name, remote_major_ver, remote_minor_ver);
  } else {
    return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_remote_topic: Invalid remote class ID");
  }

  for (ACPermsMap::iterator local_iter = local_ac_perms_.begin(); local_iter != local_ac_perms_.end(); ++local_iter) {
    if (local_iter->second.domain_id == domain_id && local_iter->first != permissions_handle) {
      const std::string local_class_id = local_iter->second.perm->perm_token_.class_id.in();

      if (local_class_id.length() > 0) {
        parse_class_id(local_class_id, local_plugin_class_name, local_major_ver, local_minor_ver);
        break;
      } else {
        return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_remote_topic: Invalid local class ID");
      }
    }
  }

  if (strcmp(local_plugin_class_name.c_str(), remote_plugin_class_name.c_str())) {
    return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_remote_topic: Class ID plugin class name do not match");
  }

  if (local_major_ver != remote_major_ver) {
    return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_remote_topic: Class ID major versions do not match");
  }

  // Check the Governance file for allowable topic attributes

  gov_iter begin = ac_iter->second.gov->access_rules().begin();
  gov_iter end = ac_iter->second.gov->access_rules().end();

  for (gov_iter giter = begin; giter != end; ++giter) {

    if (giter->domains.has(domain_id)) {
      Governance::TopicAccessRules::iterator tr_iter;

      for (tr_iter = giter->topic_rules.begin(); tr_iter != giter->topic_rules.end(); ++tr_iter) {
        if (pattern_match(topic_data.name, tr_iter->topic_expression.c_str())) {
          if (!tr_iter->topic_attrs.is_read_protected || !tr_iter->topic_attrs.is_write_protected) {
            return true;
          }
        }
      }
    }
  }

  const Permissions::Grant_rch grant = ac_iter->second.perm->find_grant(ac_iter->second.subject);
  if (!grant) {
    return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_remote_topic: grant not found");
  }

  if (!validate_date_time(grant->validity, ex)) {
    return false;
  }

  Permissions::PublishSubscribe_t denied_type;
  bool found_deny = false;
  for (perm_topic_rules_iter ptr_iter = grant->rules.begin(); ptr_iter != grant->rules.end(); ++ptr_iter) {

    if (ptr_iter->domains.has(domain_id)) {

      // Iterate over pub / sub rules
      perm_topic_actions_iter tpsr_iter;
      for (tpsr_iter = ptr_iter->actions.begin(); tpsr_iter != ptr_iter->actions.end(); ++tpsr_iter) {

        // Check to make sure they can publish or subscribe to the topic
        // TODO Add support for relay permissions once relay only key exchange is supported
        if (tpsr_iter->ps_type == Permissions::PUBLISH || tpsr_iter->ps_type == Permissions::SUBSCRIBE) {

          std::vector<std::string>::iterator tl_iter;
          for (tl_iter = tpsr_iter->topics.begin(); tl_iter != tpsr_iter->topics.end(); ++tl_iter) {

            if (pattern_match(topic_data.name, tl_iter->c_str())) {
              if (ptr_iter->ad_type == Permissions::ALLOW) {
                return true;
              }
              if (found_deny && denied_type != tpsr_iter->ps_type) {
                return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_remote_topic: Both publish and subscribe are denied for this topic.");
              } else if (!found_deny) {
                found_deny = true;
                denied_type = tpsr_iter->ps_type;
              }
            }
          }
        }
      }
    }
  }

  // There is no matching rule for topic_name so use the value in default_permission
  if (grant->default_permission == Permissions::ALLOW) {
    return true;
  } else {
    return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::check_remote_topic: No matching rule for topic, default permission is DENY.");
  }
}

generate_handle()

CORBA::Long OpenDDS::Security::AccessControlBuiltInImpl::generate_handle ( )

private

Definition at line 1287 of file AccessControlBuiltInImpl.cpp.

References gen_handle_mutex_, OpenDDS::Security::CommonUtilities::increment_handle(), and next_handle_.

Referenced by validate_local_permissions(), and validate_remote_permissions().

{
  ACE_Guard<ACE_Thread_Mutex> guard(gen_handle_mutex_);
  return CommonUtilities::increment_handle(next_handle_);
}

get_datareader_sec_attributes()

CORBA::Boolean OpenDDS::Security::AccessControlBuiltInImpl::get_datareader_sec_attributes ( DDS::Security::PermissionsHandle  permissions_handle, const char *  topic_name, const DDS::PartitionQosPolicy &  partition, const DDS::Security::DataTagQosPolicy &  data_tag, DDS::Security::EndpointSecurityAttributes &  attributes, DDS::Security::SecurityException &  ex  )

virtual

Definition at line 1232 of file AccessControlBuiltInImpl.cpp.

References get_sec_attributes(), DDS::HANDLE_NIL, and OpenDDS::Security::CommonUtilities::set_security_error().

{
  if (DDS::HANDLE_NIL == permissions_handle) {
    CommonUtilities::set_security_error(ex, -1, 0, "Invalid permissions handle");
    return false;
  }

  if (0 == topic_name) {
    CommonUtilities::set_security_error(ex, -1, 0, "Invalid topic name");
    return false;
  }

  if (!get_sec_attributes(permissions_handle, topic_name, partition, data_tag, attributes, ex)) {
    return false;
  }

  return true;
}

get_datawriter_sec_attributes()

CORBA::Boolean OpenDDS::Security::AccessControlBuiltInImpl::get_datawriter_sec_attributes ( DDS::Security::PermissionsHandle  permissions_handle, const char *  topic_name, const DDS::PartitionQosPolicy &  partition, const DDS::Security::DataTagQosPolicy &  data_tag, DDS::Security::EndpointSecurityAttributes &  attributes, DDS::Security::SecurityException &  ex  )

virtual

Definition at line 1204 of file AccessControlBuiltInImpl.cpp.

References get_sec_attributes(), DDS::HANDLE_NIL, and OpenDDS::Security::CommonUtilities::set_security_error().

{
  // The spec claims there is supposed to be a topic name parameter
  // to this function which is not in the IDL at this time

  if (DDS::HANDLE_NIL == permissions_handle) {
    CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::get_datawriter_sec_attributes: Invalid permissions handle");
    return false;
  }

  if (0 == topic_name) {
    CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::get_datawriter_sec_attributes: Invalid topic name");
    return false;
  }

  if (!get_sec_attributes(permissions_handle, topic_name, partition, data_tag, attributes, ex)) {
    return false;
  }

  return true;
}

get_participant_sec_attributes()

CORBA::Boolean OpenDDS::Security::AccessControlBuiltInImpl::get_participant_sec_attributes ( DDS::Security::PermissionsHandle  permissions_handle, DDS::Security::ParticipantSecurityAttributes &  attributes, DDS::Security::SecurityException &  ex  )

virtual

Definition at line 1123 of file AccessControlBuiltInImpl.cpp.

References ACE_GUARD_RETURN, handle_mutex_, DDS::HANDLE_NIL, local_ac_perms_, and OpenDDS::Security::CommonUtilities::set_security_error().

{
  if (DDS::HANDLE_NIL == permissions_handle) {
    CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::get_participant_sec_attributes: Invalid permissions handle");
    return false;
  }

  ACE_GUARD_RETURN(ACE_Thread_Mutex, guard, handle_mutex_, false);

  ACPermsMap::iterator ac_iter = local_ac_perms_.find(permissions_handle);

  if (ac_iter == local_ac_perms_.end()) {
    CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::get_participant_sec_attributes: No matching permissions handle present");
    return false;
  }

  gov_iter begin = ac_iter->second.gov->access_rules().begin();
  gov_iter end = ac_iter->second.gov->access_rules().end();

  for (gov_iter giter = begin; giter != end; ++giter) {

    if (giter->domains.has(ac_iter->second.domain_id)) {
      attributes = giter->domain_attrs;
      return true;
    }
  }

  CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::get_participant_sec_attributes: No matching domain in governance");
  return false;
}

get_permissions_credential_token()

CORBA::Boolean OpenDDS::Security::AccessControlBuiltInImpl::get_permissions_credential_token ( DDS::Security::PermissionsCredentialToken &  permissions_credential_token, DDS::Security::PermissionsHandle  handle, DDS::Security::SecurityException &  ex  )

virtual

Definition at line 1037 of file AccessControlBuiltInImpl.cpp.

References ACE_GUARD_RETURN, handle_mutex_, DDS::HANDLE_NIL, local_ac_perms_, and OpenDDS::Security::CommonUtilities::set_security_error().

{
  if (DDS::HANDLE_NIL == handle) {
    CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::get_permissions_credential_token: Invalid permissions handle");
    return false;
  }

  ACE_GUARD_RETURN(ACE_Thread_Mutex, guard, handle_mutex_, false);

  ACPermsMap::iterator iter = local_ac_perms_.find(handle);

  if (iter != local_ac_perms_.end()) {
    permissions_credential_token = iter->second.perm->perm_cred_token_;
    return true;
  } else {
    CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::get_permissions_credential_token: No PermissionToken found");
    return false;
  }
}

get_permissions_token()

CORBA::Boolean OpenDDS::Security::AccessControlBuiltInImpl::get_permissions_token ( DDS::Security::PermissionsToken &  permissions_token, DDS::Security::PermissionsHandle  handle, DDS::Security::SecurityException &  ex  )

virtual

Definition at line 1014 of file AccessControlBuiltInImpl.cpp.

References ACE_GUARD_RETURN, handle_mutex_, DDS::HANDLE_NIL, local_ac_perms_, and OpenDDS::Security::CommonUtilities::set_security_error().

{
  if (DDS::HANDLE_NIL == handle) {
    CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::get_permissions_token: Invalid permissions handle");
    return false;
  }

  ACE_GUARD_RETURN(ACE_Thread_Mutex, guard, handle_mutex_, false);

  ACPermsMap::iterator iter = local_ac_perms_.find(handle);

  if (iter != local_ac_perms_.end()) {
    permissions_token = iter->second.perm->perm_token_;
    return true;
  } else {
    CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::get_permissions_token: No PermissionToken found");
    return false;
  }
}

get_sec_attributes()

CORBA::Boolean OpenDDS::Security::AccessControlBuiltInImpl::get_sec_attributes ( DDS::Security::PermissionsHandle  permissions_handle, const char *  topic_name, const DDS::PartitionQosPolicy &  partition, const DDS::Security::DataTagQosPolicy &  data_tag, DDS::Security::EndpointSecurityAttributes &  attributes, DDS::Security::SecurityException &  ex  )

private

Definition at line 1338 of file AccessControlBuiltInImpl.cpp.

References ACE_GUARD_RETURN, DDS::Security::EndpointSecurityAttributes::base, handle_mutex_, DDS::Security::TopicSecurityAttributes::is_discovery_protected, DDS::Security::EndpointSecurityAttributes::is_key_protected, DDS::Security::TopicSecurityAttributes::is_liveliness_protected, DDS::Security::EndpointSecurityAttributes::is_payload_protected, DDS::Security::TopicSecurityAttributes::is_read_protected, DDS::Security::EndpointSecurityAttributes::is_submessage_protected, DDS::Security::TopicSecurityAttributes::is_write_protected, local_ac_perms_, pattern_match(), DDS::Security::EndpointSecurityAttributes::plugin_endpoint_attributes, DDS::Security::PLUGIN_ENDPOINT_SECURITY_ATTRIBUTES_FLAG_IS_PAYLOAD_ENCRYPTED, DDS::Security::PLUGIN_ENDPOINT_SECURITY_ATTRIBUTES_FLAG_IS_SUBMESSAGE_ENCRYPTED, DDS::Security::PLUGIN_ENDPOINT_SECURITY_ATTRIBUTES_FLAG_IS_SUBMESSAGE_ORIGIN_AUTHENTICATED, DDS::Security::PLUGIN_PARTICIPANT_SECURITY_ATTRIBUTES_FLAG_BUILTIN_IS_DISCOVERY_ENCRYPTED, DDS::Security::PLUGIN_PARTICIPANT_SECURITY_ATTRIBUTES_FLAG_IS_DISCOVERY_ORIGIN_AUTHENTICATED, DDS::Security::PLUGIN_PARTICIPANT_SECURITY_ATTRIBUTES_FLAG_IS_LIVELINESS_ENCRYPTED, DDS::Security::PLUGIN_PARTICIPANT_SECURITY_ATTRIBUTES_FLAG_IS_LIVELINESS_ORIGIN_AUTHENTICATED, and OpenDDS::Security::CommonUtilities::set_security_error().

Referenced by get_datareader_sec_attributes(), and get_datawriter_sec_attributes().

{
  ACE_GUARD_RETURN(ACE_Thread_Mutex, guard, handle_mutex_, false);

  const ACPermsMap::iterator ac_iter = local_ac_perms_.find(permissions_handle);
  if (ac_iter == local_ac_perms_.end()) {
    CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::get_datawriter_sec_attributes: No matching permissions handle present");
    return false;
  }

  const gov_iter begin = ac_iter->second.gov->access_rules().begin();
  const gov_iter end = ac_iter->second.gov->access_rules().end();
  for (gov_iter giter = begin; giter != end; ++giter) {
    if (giter->domains.has(ac_iter->second.domain_id)) {
      if (std::strcmp(topic_name, "DCPSParticipantVolatileMessageSecure") == 0) {
        attributes.base.is_write_protected = false;
        attributes.base.is_read_protected = false;
        attributes.base.is_liveliness_protected = false;
        attributes.base.is_discovery_protected = false;
        attributes.is_submessage_protected = true;
        attributes.is_payload_protected = false;
        attributes.is_key_protected = false;
        return true;
      }

      if (std::strcmp(topic_name, "DCPSParticipantStatelessMessage") == 0) {
        attributes.base.is_write_protected = false;
        attributes.base.is_read_protected = false;
        attributes.base.is_liveliness_protected = false;
        attributes.base.is_discovery_protected = false;
        attributes.is_submessage_protected = false;
        attributes.is_payload_protected = false;
        attributes.is_key_protected = false;
        return true;
      }

      if (std::strcmp(topic_name, "DCPSParticipantMessageSecure") == 0) {
        attributes.base.is_write_protected = false;
        attributes.base.is_read_protected = false;
        attributes.base.is_liveliness_protected = false;
        attributes.base.is_discovery_protected = false;
        attributes.is_submessage_protected = giter->domain_attrs.is_liveliness_protected;
        attributes.is_payload_protected = false;
        attributes.is_key_protected = false;

        if (giter->domain_attrs.plugin_participant_attributes & ::DDS::Security::PLUGIN_PARTICIPANT_SECURITY_ATTRIBUTES_FLAG_IS_LIVELINESS_ENCRYPTED) {
          attributes.plugin_endpoint_attributes |= ::DDS::Security::PLUGIN_ENDPOINT_SECURITY_ATTRIBUTES_FLAG_IS_SUBMESSAGE_ENCRYPTED;
        }

        if (giter->domain_attrs.plugin_participant_attributes & ::DDS::Security::PLUGIN_PARTICIPANT_SECURITY_ATTRIBUTES_FLAG_IS_LIVELINESS_ORIGIN_AUTHENTICATED) {
          attributes.plugin_endpoint_attributes |= ::DDS::Security::PLUGIN_ENDPOINT_SECURITY_ATTRIBUTES_FLAG_IS_SUBMESSAGE_ORIGIN_AUTHENTICATED;
        }

        return true;
      }

      if (std::strcmp(topic_name, "DCPSParticipantSecure") == 0 ||
          std::strcmp(topic_name, "DCPSPublicationsSecure") == 0 ||
          std::strcmp(topic_name, "DCPSSubscriptionsSecure") == 0 ||
          std::strcmp(topic_name, "TypeLookupServiceRequestSecure") == 0 ||
          std::strcmp(topic_name, "TypeLookupServiceReplySecure") == 0) {
        attributes.base.is_write_protected = false;
        attributes.base.is_read_protected = false;
        attributes.base.is_liveliness_protected = false;
        attributes.base.is_discovery_protected = false;
        attributes.is_submessage_protected = giter->domain_attrs.is_discovery_protected;
        attributes.is_payload_protected = false;
        attributes.is_key_protected = false;

        if (giter->domain_attrs.plugin_participant_attributes & ::DDS::Security::PLUGIN_PARTICIPANT_SECURITY_ATTRIBUTES_FLAG_BUILTIN_IS_DISCOVERY_ENCRYPTED) {
          attributes.plugin_endpoint_attributes |= ::DDS::Security::PLUGIN_ENDPOINT_SECURITY_ATTRIBUTES_FLAG_IS_SUBMESSAGE_ENCRYPTED;
        }

        if (giter->domain_attrs.plugin_participant_attributes & ::DDS::Security::PLUGIN_PARTICIPANT_SECURITY_ATTRIBUTES_FLAG_IS_DISCOVERY_ORIGIN_AUTHENTICATED) {
          attributes.plugin_endpoint_attributes |= ::DDS::Security::PLUGIN_ENDPOINT_SECURITY_ATTRIBUTES_FLAG_IS_SUBMESSAGE_ORIGIN_AUTHENTICATED;
        }

        return true;
      }

      Governance::TopicAccessRules::iterator tr_iter;

      for (tr_iter = giter->topic_rules.begin(); tr_iter != giter->topic_rules.end(); ++tr_iter) {
        if (pattern_match(topic_name, tr_iter->topic_expression.c_str())) {

          // Process the TopicSecurityAttributes base
          attributes.base.is_write_protected = tr_iter->topic_attrs.is_write_protected;
          attributes.base.is_read_protected = tr_iter->topic_attrs.is_read_protected;
          attributes.base.is_liveliness_protected = tr_iter->topic_attrs.is_liveliness_protected;
          attributes.base.is_discovery_protected = tr_iter->topic_attrs.is_discovery_protected;

          // Process metadata protection attributes
          if (tr_iter->metadata_protection_kind == "NONE") {
            attributes.is_submessage_protected = false;
          }
          else {
            attributes.is_submessage_protected = true;

            if (tr_iter->metadata_protection_kind == "ENCRYPT" ||
              tr_iter->metadata_protection_kind == "ENCRYPT_WITH_ORIGIN_AUTHENTICATION") {
              attributes.plugin_endpoint_attributes |= ::DDS::Security::PLUGIN_ENDPOINT_SECURITY_ATTRIBUTES_FLAG_IS_SUBMESSAGE_ENCRYPTED;
            }

            if (tr_iter->metadata_protection_kind == "SIGN_WITH_ORIGIN_AUTHENTICATION" ||
              tr_iter->metadata_protection_kind == "ENCRYPT_WITH_ORIGIN_AUTHENTICATION") {
              attributes.plugin_endpoint_attributes |= ::DDS::Security::PLUGIN_ENDPOINT_SECURITY_ATTRIBUTES_FLAG_IS_SUBMESSAGE_ORIGIN_AUTHENTICATED;
            }
          }

          // Process data protection attributes

          if (tr_iter->data_protection_kind == "NONE") {
            attributes.is_payload_protected = false;
            attributes.is_key_protected = false;
          }
          else if (tr_iter->data_protection_kind == "SIGN") {
            attributes.is_payload_protected = true;
            attributes.is_key_protected = false;
          }
          else if (tr_iter->data_protection_kind == "ENCRYPT") {
            attributes.is_payload_protected = true;
            attributes.is_key_protected = true;
            attributes.plugin_endpoint_attributes |= ::DDS::Security::PLUGIN_ENDPOINT_SECURITY_ATTRIBUTES_FLAG_IS_PAYLOAD_ENCRYPTED;
          }

          return true;
        }
      }
    }
  }

  CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::get_sec_attributes: Invalid topic name");
  return false;
}

get_subject_name()

SSL::SubjectName OpenDDS::Security::AccessControlBuiltInImpl::get_subject_name

(

DDS::Security::PermissionsHandle

permissions_handle

)

const

Definition at line 1706 of file AccessControlBuiltInImpl.cpp.

References ACE_GUARD_RETURN, handle_mutex_, local_ac_perms_, and OPENDDS_END_VERSIONED_NAMESPACE_DECL.

{
  ACE_GUARD_RETURN(ACE_Thread_Mutex, guard, handle_mutex_, SSL::SubjectName());

  ACPermsMap::const_iterator pos = local_ac_perms_.find(permissions_handle);
  if (pos != local_ac_perms_.end()) {
    return pos->second.subject;
  }

  return SSL::SubjectName();
}

get_topic_sec_attributes()

CORBA::Boolean OpenDDS::Security::AccessControlBuiltInImpl::get_topic_sec_attributes ( DDS::Security::PermissionsHandle  permissions_handle, const char *  topic_name, DDS::Security::TopicSecurityAttributes &  attributes, DDS::Security::SecurityException &  ex  )

virtual

Definition at line 1157 of file AccessControlBuiltInImpl.cpp.

References ACE_GUARD_RETURN, handle_mutex_, DDS::HANDLE_NIL, local_ac_perms_, pattern_match(), and OpenDDS::Security::CommonUtilities::set_security_error().

{
  if (DDS::HANDLE_NIL == permissions_handle) {
    CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::get_topic_sec_attributes: Invalid permissions handle");
    return false;
  }
  if (0 == topic_name) {
    CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::get_topic_sec_attributes: Invalid topic name");
    return false;
  }

  // Extract Governance and the permissions data for the requested handle

  ACE_GUARD_RETURN(ACE_Thread_Mutex, guard, handle_mutex_, false);

  ACPermsMap::iterator piter = local_ac_perms_.find(permissions_handle);

  if (piter == local_ac_perms_.end()) {
    CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::get_topic_sec_attributes: No matching permissions handle present");
    return false;
  }

  gov_iter begin = piter->second.gov->access_rules().begin();
  gov_iter end = piter->second.gov->access_rules().end();

  for (gov_iter giter = begin; giter != end; ++giter) {

    if (giter->domains.has(piter->second.domain_id)) {
      Governance::TopicAccessRules::iterator tr_iter;

      for (tr_iter = giter->topic_rules.begin(); tr_iter != giter->topic_rules.end(); ++tr_iter) {
        if (pattern_match(topic_name, tr_iter->topic_expression.c_str())) {
          attributes = tr_iter->topic_attrs;
          return true;
        }
      }
    }
  }

  CommonUtilities::set_security_error(ex,-1, 0, "AccessControlBuiltInImpl::get_topic_sec_attributes: No matching domain/topic in governance");
  return false;
}

make_task()

AccessControlBuiltInImpl::RevokePermissionsTask_rch & OpenDDS::Security::AccessControlBuiltInImpl::make_task ( RevokePermissionsTask_rch &  task )

private

Definition at line 1294 of file AccessControlBuiltInImpl.cpp.

References OpenDDS::DCPS::ref(), and TheServiceParticipant.

Referenced by check_create_datareader(), check_create_datawriter(), check_remote_datareader(), check_remote_datawriter(), and return_permissions_handle().

{
  if (!task) {
    task = DCPS::make_rch<RevokePermissionsTask>(TheServiceParticipant->time_source(), TheServiceParticipant->interceptor(), DCPS::ref(*this));
  }
  return task;
}

operator=()

AccessControlBuiltInImpl& OpenDDS::Security::AccessControlBuiltInImpl::operator= ( const AccessControlBuiltInImpl &  )

private

parse_class_id()

void OpenDDS::Security::AccessControlBuiltInImpl::parse_class_id ( const std::string &  class_id, std::string &  plugin_class_name, int &  major_version, int &  minor_version  )

private

Definition at line 1509 of file AccessControlBuiltInImpl.cpp.

References atoi().

Referenced by check_remote_participant(), and check_remote_topic().

{
  const std::string delimiter = ":";

  major_version = 1;
  minor_version = 0;

  size_t pos = class_id.find_last_of(delimiter);

  if ((pos > 0UL) && (pos != class_id.length() - 1)) {
    plugin_class_name = class_id.substr(0, (pos - 1));

    const std::string period = ".";

    size_t period_pos = class_id.find_last_of(period);

    if (period_pos > 0UL) {
      std::string mv_string = class_id.substr((pos + 1), (period_pos - 1));

      major_version = atoi(mv_string.c_str());

      if (period_pos != class_id.length() - 1) {
        mv_string = class_id.substr((period_pos + 1), (class_id.length() - 1));
        minor_version = atoi(mv_string.c_str());
      }
    }
  }
  else {
    plugin_class_name.clear();
  }

}

pattern_match()

bool OpenDDS::Security::AccessControlBuiltInImpl::pattern_match ( const char *  string, const char *  pattern  )

static

Definition at line 50 of file AccessControlBuiltInImpl.cpp.

References ACE::wild_match().

Referenced by check_create_datareader(), check_create_datawriter(), check_create_topic(), check_remote_datareader(), check_remote_datawriter(), check_remote_topic(), get_sec_attributes(), get_topic_sec_attributes(), OpenDDS::Security::Permissions::Action::partitions_match(), and OpenDDS::Security::Permissions::Action::topic_matches().

{
  return ACE::wild_match(string, pattern, true, true);
}

return_datareader_sec_attributes()

CORBA::Boolean OpenDDS::Security::AccessControlBuiltInImpl::return_datareader_sec_attributes ( const DDS::Security::EndpointSecurityAttributes &  attributes, DDS::Security::SecurityException &  ex  )

virtual

Definition at line 1277 of file AccessControlBuiltInImpl.cpp.

{
  ACE_UNUSED_ARG(attributes);
  ACE_UNUSED_ARG(ex);

  return true;
}

return_datawriter_sec_attributes()

CORBA::Boolean OpenDDS::Security::AccessControlBuiltInImpl::return_datawriter_sec_attributes ( const DDS::Security::EndpointSecurityAttributes &  attributes, DDS::Security::SecurityException &  ex  )

virtual

Definition at line 1267 of file AccessControlBuiltInImpl.cpp.

{
  ACE_UNUSED_ARG(attributes);
  ACE_UNUSED_ARG(ex);

  return true;
}

return_participant_sec_attributes()

CORBA::Boolean OpenDDS::Security::AccessControlBuiltInImpl::return_participant_sec_attributes ( const DDS::Security::ParticipantSecurityAttributes &  attributes, DDS::Security::SecurityException &  ex  )

virtual

Definition at line 1257 of file AccessControlBuiltInImpl.cpp.

{
  ACE_UNUSED_ARG(attributes);
  ACE_UNUSED_ARG(ex);

  return true;
}

return_permissions_credential_token()

CORBA::Boolean OpenDDS::Security::AccessControlBuiltInImpl::return_permissions_credential_token ( const DDS::Security::PermissionsCredentialToken &  permissions_credential_token, DDS::Security::SecurityException &  ex  )

virtual

Definition at line 1113 of file AccessControlBuiltInImpl.cpp.

{
  ACE_UNUSED_ARG(permissions_credential_token);
  ACE_UNUSED_ARG(ex);

  return true;
}

return_permissions_handle()

CORBA::Boolean OpenDDS::Security::AccessControlBuiltInImpl::return_permissions_handle ( DDS::Security::PermissionsHandle  handle, DDS::Security::SecurityException &  ex  )

virtual

Definition at line 1075 of file AccessControlBuiltInImpl.cpp.

References ACE_DEBUG, ACE_TEXT(), OpenDDS::Security::AccessControlBuiltInImpl::RevokePermissionsTask::erase(), DDS::HANDLE_NIL, LM_DEBUG, local_ac_perms_, local_rp_task_, make_task(), remote_rp_task_, OpenDDS::DCPS::security_debug, and OpenDDS::Security::CommonUtilities::set_security_error().

{
  if (DDS::HANDLE_NIL == handle) {
    CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::return_permissiosn_handle: Invalid permissions handle");
    return false;
  }

  ACPermsMap::iterator ac_iter = local_ac_perms_.find(handle);

  if (ac_iter == local_ac_perms_.end()) {
    CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::return_permissions_handle: No matching permissions handle present");
    return false;
  }

  local_ac_perms_.erase(ac_iter);
  if (DCPS::security_debug.bookkeeping) {
    ACE_DEBUG((LM_DEBUG, ACE_TEXT("(%P|%t) {bookkeeping} ")
               ACE_TEXT("AccessControlBuiltInImpl::return_permissions_handle local_ac_perms_ (total %B)\n"),
               local_ac_perms_.size()));
  }
  make_task(local_rp_task_)->erase(handle);
  make_task(remote_rp_task_)->erase(handle);

  return true;
}

return_permissions_token()

CORBA::Boolean OpenDDS::Security::AccessControlBuiltInImpl::return_permissions_token ( const DDS::Security::PermissionsToken &  token, DDS::Security::SecurityException &  ex  )

virtual

Definition at line 1103 of file AccessControlBuiltInImpl.cpp.

{
  ACE_UNUSED_ARG(token);
  ACE_UNUSED_ARG(ex);

  return true;
}

search_permissions()

bool OpenDDS::Security::AccessControlBuiltInImpl::search_permissions ( const char *  topic_name, DDS::Security::DomainId_t  domain_id, const DDS::PartitionQosPolicy &  partition, Permissions::PublishSubscribe_t  pub_or_sub, const Permissions::Grant &  grant, DDS::Security::SecurityException &  ex  )

private

Definition at line 1478 of file AccessControlBuiltInImpl.cpp.

References OpenDDS::Security::Permissions::ALLOW, OpenDDS::Security::Permissions::Grant::default_permission, DDS::PartitionQosPolicy::name, OpenDDS::Security::Permissions::Grant::rules, and OpenDDS::Security::CommonUtilities::set_security_error().

Referenced by check_create_datareader(), check_create_datawriter(), check_remote_datareader(), and check_remote_datawriter().

{
  for (Permissions::Rules::const_iterator rit = grant.rules.begin(); rit != grant.rules.end(); ++rit) {
    if (rit->domains.has(domain_id)) {
      for (Permissions::Actions::const_iterator ait = rit->actions.begin(); ait != rit->actions.end(); ++ait) {
        if (ait->ps_type == pub_or_sub &&
            ait->topic_matches(topic_name) &&
            ait->partitions_match(partition.name, rit->ad_type)) {
          if (rit->ad_type == Permissions::ALLOW) {
            return true;
          } else {
            return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl: DENY rule matched");
          }
        }
      }
    }
  }

  if (grant.default_permission == Permissions::ALLOW) {
    return true;
  } else {
    return CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl: No matching rule for topic, default permission is DENY.");
  }
}

set_listener()

CORBA::Boolean OpenDDS::Security::AccessControlBuiltInImpl::set_listener ( DDS::Security::AccessControlListener_ptr  listener, DDS::Security::SecurityException &  ex  )

virtual

Definition at line 1060 of file AccessControlBuiltInImpl.cpp.

References handle_mutex_, listener_ptr_, and OpenDDS::Security::CommonUtilities::set_security_error().

{
  if (0 == listener) {
    CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::set_listener: Invalid Listener pointer");
    return false;
  }

  ACE_Guard<ACE_Thread_Mutex> guard(handle_mutex_);

  listener_ptr_ = listener;
  return true;
}

validate_date_time()

bool OpenDDS::Security::AccessControlBuiltInImpl::validate_date_time ( const Permissions::Validity_t &  validity, DDS::Security::SecurityException &  ex  )

private

Definition at line 1302 of file AccessControlBuiltInImpl.cpp.

References OpenDDS::Security::Permissions::Validity_t::not_after, OpenDDS::Security::Permissions::Validity_t::not_before, and OpenDDS::Security::CommonUtilities::set_security_error().

Referenced by check_create_datareader(), check_create_datawriter(), check_create_topic(), check_remote_datareader(), check_remote_datawriter(), and check_remote_topic().

{
  if (validity.not_before == 0) {
    CommonUtilities::set_security_error(ex, -1, 0,
      "AccessControlBuiltInImpl::validate_date_time: Permissions not_before time is invalid.");
    return false;
  }

  if (validity.not_after == 0) {
    CommonUtilities::set_security_error(ex, -1, 0,
      "AccessControlBuiltInImpl::validate_date_time: Permissions not_after time is invalid.");
    return false;
  }

  // Get the current time as UTC
  const time_t now = std::time(0);
  std::tm* const now_utc_tm = std::gmtime(&now);
  const time_t now_utc = std::mktime(now_utc_tm);

  if (now_utc < validity.not_before) {
    CommonUtilities::set_security_error(ex, -1, 0,
      "AccessControlBuiltInImpl::validate_date_time: Permissions grant hasn't started yet.");
    return false;
  }

  if (now_utc > validity.not_after) {
    CommonUtilities::set_security_error(ex, -1, 0,
      "AccessControlBuiltInImpl::validate_date_time: Permissions grant has expired.");
    return false;
  }

  return true;
}

validate_local_permissions()

DDS::Security::PermissionsHandle OpenDDS::Security::AccessControlBuiltInImpl::validate_local_permissions ( DDS::Security::Authentication_ptr  auth_plugin, DDS::Security::IdentityHandle  identity, DDS::Security::DomainId_t  domain_id, const DDS::DomainParticipantQos &  participant_qos, DDS::Security::SecurityException &  ex  )

virtual

Definition at line 72 of file AccessControlBuiltInImpl.cpp.

References ACE_DEBUG, ACE_GUARD_RETURN, ACE_TEXT(), OpenDDS::Security::TokenWriter::add_property(), OpenDDS::Security::dds_cert_sn, OpenDDS::Security::AccessControlBuiltInImpl::AccessData::domain_id, generate_handle(), OpenDDS::Security::TokenReader::get_property_value(), OpenDDS::Security::AccessControlBuiltInImpl::AccessData::gov, handle_mutex_, DDS::HANDLE_NIL, OpenDDS::Security::AccessControlBuiltInImpl::AccessData::identity, LM_DEBUG, local_ac_perms_, OpenDDS::Security::AccessControlBuiltInImpl::AccessData::local_access_credential_data, local_identity_map_, OpenDDS::Security::SSL::SignedDocument::original(), OpenDDS::Security::SSL::SubjectName::parse(), OpenDDS::Security::AccessControlBuiltInImpl::AccessData::perm, OpenDDS::Security::PermissionsCredentialTokenClassId(), OpenDDS::Security::PermissionsTokenClassId(), OpenDDS::DCPS::security_debug, OpenDDS::Security::CommonUtilities::set_security_error(), and OpenDDS::Security::AccessControlBuiltInImpl::AccessData::subject.

{
  if (0 == auth_plugin) {
    CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::validate_local_permissions: Null Authentication plugin");
    return DDS::HANDLE_NIL;
  }

  if (DDS::HANDLE_NIL == identity) {
    CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::validate_local_permissions: Invalid identity");
    return DDS::HANDLE_NIL;
  }

  DDS::Security::IdentityToken id_token;

  if (!auth_plugin->get_identity_token(id_token, identity, ex)) {
    return DDS::HANDLE_NIL;
  }

  LocalAccessCredentialData::shared_ptr local_access_credential_data = DCPS::make_rch<LocalAccessCredentialData>();

  if (! local_access_credential_data->load(participant_qos.property.value, ex)) {
    return DDS::HANDLE_NIL;
  }

  if (!local_access_credential_data->verify(ex)) {
    return DDS::HANDLE_NIL;
  }

  const SSL::SignedDocument& local_gov = local_access_credential_data->get_governance_doc();
  Governance::shared_ptr governance = DCPS::make_rch<Governance>();

  if (governance->load(local_gov)) {
    CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::validate_local_permissions: Invalid governance file");
    return DDS::HANDLE_NIL;
  }

  const SSL::SignedDocument& local_perm = local_access_credential_data->get_permissions_doc();
  Permissions::shared_ptr permissions = DCPS::make_rch<Permissions>();

  if (permissions->load(local_perm)) {
    CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::validate_local_permissions: Invalid permission file");
    return DDS::HANDLE_NIL;
  }

  TokenReader tr(id_token);
  const char* id_sn = tr.get_property_value(dds_cert_sn);

  OpenDDS::Security::SSL::SubjectName sn_id;

  if (!id_sn || sn_id.parse(id_sn) != 0 || !permissions->has_grant(sn_id)) {
    CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::validate_local_permissions: No permissions subject name matches identity subject name");
    return DDS::HANDLE_NIL;
  }

  // Set and store the permissions credential token while we have the raw content
  DDS::Security::PermissionsCredentialToken permissions_cred_token;
  TokenWriter pctWriter(permissions_cred_token, PermissionsCredentialTokenClassId);

  pctWriter.add_property("dds.perm.cert", local_perm.original());

  // Set and store the permissions token
  DDS::Security::PermissionsToken permissions_token;
  TokenWriter writer(permissions_token, PermissionsTokenClassId);

  // If all checks are successful load the content into cache
  permissions->perm_token_ = permissions_token;
  permissions->perm_cred_token_ = permissions_cred_token;

  const int perm_handle = generate_handle();

  ACE_GUARD_RETURN(ACE_Thread_Mutex, guard, handle_mutex_, DDS::HANDLE_NIL);

  AccessData cache_this;
  cache_this.identity = identity;
  cache_this.subject = sn_id;
  cache_this.domain_id = domain_id;
  cache_this.perm = permissions;
  cache_this.gov = governance;
  cache_this.local_access_credential_data = local_access_credential_data;

  local_ac_perms_.insert(std::make_pair(perm_handle, cache_this));
  if (DCPS::security_debug.bookkeeping) {
    ACE_DEBUG((LM_DEBUG, ACE_TEXT("(%P|%t) {bookkeeping} ")
               ACE_TEXT("AccessControlBuiltInImpl::validate_local_permissions local_ac_perms_ (total %B)\n"),
               local_ac_perms_.size()));
  }
  local_identity_map_.insert(std::make_pair(identity, perm_handle));
  if (DCPS::security_debug.bookkeeping) {
    ACE_DEBUG((LM_DEBUG, ACE_TEXT("(%P|%t) {bookkeeping} ")
               ACE_TEXT("AccessControlBuiltInImpl::validate_local_permissions local_identity_map_ (total %B)\n"),
               local_identity_map_.size()));
  }

  return perm_handle;
}

validate_remote_permissions()

DDS::Security::PermissionsHandle OpenDDS::Security::AccessControlBuiltInImpl::validate_remote_permissions ( DDS::Security::Authentication_ptr  auth_plugin, DDS::Security::IdentityHandle  local_identity_handle, DDS::Security::IdentityHandle  remote_identity_handle, const DDS::Security::PermissionsToken &  remote_permissions_token, const DDS::Security::AuthenticatedPeerCredentialToken &  remote_credential_token, DDS::Security::SecurityException &  ex  )

virtual

Definition at line 173 of file AccessControlBuiltInImpl.cpp.

References ACE_DEBUG, ACE_GUARD_RETURN, ACE_TEXT(), OpenDDS::DCPS::DCPS_debug_level, OpenDDS::Security::AccessControlBuiltInImpl::AccessData::domain_id, generate_handle(), OpenDDS::Security::TokenReader::get_bin_property_value(), OpenDDS::Security::AccessControlBuiltInImpl::AccessData::gov, handle_mutex_, DDS::HANDLE_NIL, OpenDDS::Security::AccessControlBuiltInImpl::AccessData::identity, LM_DEBUG, local_ac_perms_, OpenDDS::Security::AccessControlBuiltInImpl::AccessData::local_access_credential_data, local_identity_map_, OpenDDS::Security::SSL::SubjectName::parse(), OpenDDS::Security::AccessControlBuiltInImpl::AccessData::perm, OpenDDS::DCPS::security_debug, OpenDDS::Security::CommonUtilities::set_security_error(), OpenDDS::Security::AccessControlBuiltInImpl::AccessData::subject, and OpenDDS::Security::SSL::Certificate::subject_name_to_str().

{
  if (0 == auth_plugin) {
    CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::validate_remote_permissions: Null Authentication plugin");
    return DDS::HANDLE_NIL;
  }

  if (DDS::HANDLE_NIL == local_identity_handle) {
    CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::validate_remote_permissions: Invalid Local Identity");
    return DDS::HANDLE_NIL;
  }

  ACE_GUARD_RETURN(ACE_Thread_Mutex, guard, handle_mutex_, DDS::HANDLE_NIL);

  ACIdentityMap::iterator iter = local_identity_map_.find(local_identity_handle);

  if (iter == local_identity_map_.end()) {
    CommonUtilities::set_security_error(ex,-1, 0, "AccessControlBuiltInImpl::validate_remote_permissions: No matching local identity handle present");
    return DDS::HANDLE_NIL;
  }

  ACPermsMap::iterator piter = local_ac_perms_.find(iter->second);

  if (piter == local_ac_perms_.end()) {
    CommonUtilities::set_security_error(ex,-1, 0, "AccessControlBuiltInImpl::validate_remote_permissions: No matching local permissions handle present");
    return DDS::HANDLE_NIL;
  }

  // permissions file
  TokenReader remote_perm_wrapper(remote_credential_token);
  SSL::SignedDocument remote_perm_doc(remote_perm_wrapper.get_bin_property_value("c.perm"));

  const LocalAccessCredentialData::shared_ptr& local_access_credential_data = piter->second.local_access_credential_data;

  // Validate the signature of the remote permissions
  const SSL::Certificate& local_ca = local_access_credential_data->get_ca_cert();
  std::string ca_subject;

  local_ca.subject_name_to_str(ca_subject);

  if (!remote_perm_doc.verify(local_ca)) {
    CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::validate_remote_permissions: Remote permissions signature not verified");
    return DDS::HANDLE_NIL;
  }

  // The remote permissions signature is verified
  if (DCPS::DCPS_debug_level) {
    ACE_DEBUG((LM_DEBUG, ACE_TEXT(
      "(%P|%t) AccessControlBuiltInImpl::validate_remote_permissions: Remote permissions document verified.\n")));
  }

  Permissions::shared_ptr remote_permissions = DCPS::make_rch<Permissions>();
  if (remote_permissions->load(remote_perm_doc)) {
    CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::validate_remote_permissions: Invalid permission file");
    return DDS::HANDLE_NIL;
  }

  //Extract and compare the remote subject name for validation
  TokenReader remote_credential_tr(remote_credential_token);
  const DDS::OctetSeq& cid = remote_credential_tr.get_bin_property_value("c.id");

  if (cid.length() == 0) {
    CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::validate_remote_permissions: Invalid remote credential identity");
    return DDS::HANDLE_NIL;
  }

  SSL::Certificate::unique_ptr remote_cert(new SSL::Certificate);
  remote_cert->deserialize(cid);

  std::string remote_identity_sn;
  remote_cert->subject_name_to_str(remote_identity_sn);

  SSL::SubjectName sn_id_remote;

  if (remote_identity_sn.empty() || sn_id_remote.parse(remote_identity_sn) != 0 || !remote_permissions->has_grant(sn_id_remote)) {
    CommonUtilities::set_security_error(ex, -1, 0, "AccessControlBuiltInImpl::validate_remote_permissions: "
                                        "Remote identity subject name does not match any subject name in remote permissions grants");
    return DDS::HANDLE_NIL;
  }

  // Set and store the permissions credential token while we have the raw content
  remote_permissions->perm_token_ = remote_permissions_token;
  remote_permissions->perm_cred_token_ = remote_credential_token;


  AccessData cache_this;
  cache_this.identity = remote_identity_handle;
  cache_this.subject = sn_id_remote;
  cache_this.domain_id = piter->second.domain_id;
  cache_this.perm = remote_permissions;
  cache_this.gov = piter->second.gov;
  cache_this.local_access_credential_data = local_access_credential_data;

  const int perm_handle = generate_handle();
  local_ac_perms_.insert(std::make_pair(perm_handle, cache_this));
  if (DCPS::security_debug.bookkeeping) {
    ACE_DEBUG((LM_DEBUG, ACE_TEXT("(%P|%t) {bookkeeping} ")
               ACE_TEXT("AccessControlBuiltInImpl::validate_remote_permissions local_ac_perms_ (total %B)\n"),
               local_ac_perms_.size()));
  }
  return perm_handle;
}

Member Data Documentation

gen_handle_mutex_

ACE_Thread_Mutex OpenDDS::Security::AccessControlBuiltInImpl::gen_handle_mutex_

mutableprivate

Definition at line 290 of file AccessControlBuiltInImpl.h.

Referenced by generate_handle().

handle_mutex_

ACE_Thread_Mutex OpenDDS::Security::AccessControlBuiltInImpl::handle_mutex_

mutableprivate

Definition at line 289 of file AccessControlBuiltInImpl.h.

Referenced by check_create_datareader(), check_create_datawriter(), check_create_participant(), check_create_topic(), check_remote_datareader(), check_remote_datawriter(), check_remote_participant(), check_remote_topic(), get_participant_sec_attributes(), get_permissions_credential_token(), get_permissions_token(), get_sec_attributes(), get_subject_name(), get_topic_sec_attributes(), set_listener(), validate_local_permissions(), and validate_remote_permissions().

listener_ptr_

DDS::Security::AccessControlListener_ptr OpenDDS::Security::AccessControlBuiltInImpl::listener_ptr_

private

Definition at line 294 of file AccessControlBuiltInImpl.h.

Referenced by OpenDDS::Security::AccessControlBuiltInImpl::RevokePermissionsTask::execute(), and set_listener().

local_ac_perms_

ACPermsMap OpenDDS::Security::AccessControlBuiltInImpl::local_ac_perms_

private

Definition at line 256 of file AccessControlBuiltInImpl.h.

Referenced by check_create_datareader(), check_create_datawriter(), check_create_participant(), check_create_topic(), check_remote_datareader(), check_remote_datawriter(), check_remote_participant(), check_remote_topic(), OpenDDS::Security::AccessControlBuiltInImpl::RevokePermissionsTask::execute(), get_participant_sec_attributes(), get_permissions_credential_token(), get_permissions_token(), get_sec_attributes(), get_subject_name(), get_topic_sec_attributes(), return_permissions_handle(), validate_local_permissions(), validate_remote_permissions(), and ~AccessControlBuiltInImpl().

local_identity_map_

ACIdentityMap OpenDDS::Security::AccessControlBuiltInImpl::local_identity_map_

private

Definition at line 259 of file AccessControlBuiltInImpl.h.

Referenced by validate_local_permissions(), validate_remote_permissions(), and ~AccessControlBuiltInImpl().

local_rp_task_

RevokePermissionsTask_rch OpenDDS::Security::AccessControlBuiltInImpl::local_rp_task_

private

Definition at line 284 of file AccessControlBuiltInImpl.h.

Referenced by check_create_datareader(), check_create_datawriter(), and return_permissions_handle().

next_handle_

int OpenDDS::Security::AccessControlBuiltInImpl::next_handle_

private

Definition at line 292 of file AccessControlBuiltInImpl.h.

Referenced by generate_handle().

remote_rp_task_

RevokePermissionsTask_rch OpenDDS::Security::AccessControlBuiltInImpl::remote_rp_task_

private

Definition at line 285 of file AccessControlBuiltInImpl.h.

Referenced by check_remote_datareader(), check_remote_datawriter(), and return_permissions_handle().

---

The documentation for this class was generated from the following files:

• AccessControlBuiltInImpl.h
• AccessControlBuiltInImpl.cpp