Governance.cpp

Go to the documentation of this file.
00001 /*
00002  * Distributed under the OpenDDS License.
00003  * See: http://www.OpenDDS.org/license.html
00004  */
00005 
00006 #include "Governance.h"
00007 
00008 #include "xercesc/parsers/XercesDOMParser.hpp"
00009 #include "xercesc/dom/DOM.hpp"
00010 #include "xercesc/sax/HandlerBase.hpp"
00011 #include "xercesc/framework/MemBufInputSource.hpp"
00012 
00013 #include "ace/OS_NS_strings.h"
00014 #include "ace/XML_Utils/XercesString.h"
00015 
00016 #include <stdexcept>
00017 
00018 namespace OpenDDS {
00019 namespace Security {
00020 
00021 Governance::Governance() : access_rules_()
00022 {
00023 
00024 }
00025 
00026 int Governance::load(const SSL::SignedDocument& doc)
00027 {
00028   using XML::XStr;
00029   static const char* gMemBufId = "gov buffer id";
00030 
00031   DCPS::unique_ptr<xercesc::XercesDOMParser> parser(new xercesc::XercesDOMParser());
00032 
00033   if (!parser) {
00034     ACE_DEBUG((LM_ERROR, ACE_TEXT(
00035       "(%P|%t) AccessControlBuiltInImpl::load_governance_file: Governance XML DOMParser Exception.\n")));
00036     return -1;
00037   }
00038 
00039   parser->setValidationScheme(xercesc::XercesDOMParser::Val_Always);
00040   parser->setDoNamespaces(true);    // optional
00041   parser->setCreateCommentNodes(false);
00042 
00043   DCPS::unique_ptr<xercesc::ErrorHandler> errHandler((xercesc::ErrorHandler*) new xercesc::HandlerBase());
00044   parser->setErrorHandler(errHandler.get());
00045 
00046   // buffer for parsing
00047 
00048   std::string cleaned;
00049   doc.get_original_minus_smime(cleaned);
00050 
00051   xercesc::MemBufInputSource contentbuf((const XMLByte*) cleaned.c_str(),
00052                                         cleaned.size(),
00053                                         gMemBufId);
00054 
00055   try {
00056     parser->parse(contentbuf);
00057   }
00058   catch (const xercesc::XMLException& toCatch) {
00059     char* message = xercesc::XMLString::transcode(toCatch.getMessage());
00060     ACE_DEBUG((LM_ERROR, ACE_TEXT(
00061         "(%P|%t) AccessControlBuiltInImpl::load_governance_file: Exception message is %C.\n"), message));
00062     xercesc::XMLString::release(&message);
00063     return -1;
00064   }
00065   catch (const xercesc::DOMException& toCatch) {
00066     char* message = xercesc::XMLString::transcode(toCatch.msg);
00067     ACE_DEBUG((LM_ERROR, ACE_TEXT(
00068         "(%P|%t) AccessControlBuiltInImpl::load_governance_file: Exception message is %C.\n"), message));
00069     xercesc::XMLString::release(&message);
00070     return -1;
00071   }
00072   catch (...) {
00073     ACE_DEBUG((LM_ERROR, ACE_TEXT(
00074         "(%P|%t) AccessControlBuiltInImpl::load_governance_file: Unexpected Governance XML Parser Exception.\n")));
00075     return -1;
00076   }
00077 
00078   // Successfully parsed the governance file
00079 
00080   xercesc::DOMDocument* xmlDoc = parser->getDocument();
00081 
00082   xercesc::DOMElement* elementRoot = xmlDoc->getDocumentElement();
00083   if ( !elementRoot ) throw(std::runtime_error( "empty XML document" ));
00084 
00085   // Find the domain rules
00086   xercesc::DOMNodeList * domainRules = xmlDoc->getElementsByTagName(XStr("domain_rule"));
00087 
00088   for (XMLSize_t r = 0; r < domainRules->getLength(); r++) {
00089     Governance::DomainRule rule_holder_;
00090     rule_holder_.domain_attrs.plugin_participant_attributes = 0;
00091 
00092     // Pull out domain ids used in the rule. We are NOT supporting ranges at this time
00093     xercesc::DOMNodeList * ruleNodes = domainRules->item(r)->getChildNodes();
00094 
00095     for (XMLSize_t rn = 0; rn < ruleNodes->getLength(); rn++) {
00096       const XStr dn_tag = ruleNodes->item(rn)->getNodeName();
00097 
00098       if ("domains" == dn_tag) {
00099         xercesc::DOMNodeList * domainIdNodes = ruleNodes->item(rn)->getChildNodes();
00100 
00101         for (XMLSize_t did = 0; did < domainIdNodes->getLength(); did++) {
00102           if ("id" == XStr(domainIdNodes->item(did)->getNodeName())) {
00103             const XMLCh* t = domainIdNodes->item(did)->getTextContent();
00104             unsigned int i;
00105             if (xercesc::XMLString::textToBin(t, i)) {
00106               rule_holder_.domain_list.insert(i);
00107             }
00108           }
00109           else if ("id_range" == XStr(domainIdNodes->item(did)->getNodeName())) {
00110             int min_value = 0;
00111             int max_value = 0;
00112             xercesc::DOMNodeList * domRangeIdNodes = domainIdNodes->item(did)->getChildNodes();
00113 
00114             for (XMLSize_t drid = 0; drid < domRangeIdNodes->getLength(); drid++) {
00115               if (strcmp("min", xercesc::XMLString::transcode(domRangeIdNodes->item(drid)->getNodeName())) == 0) {
00116                 min_value = atoi(xercesc::XMLString::transcode(domRangeIdNodes->item(drid)->getTextContent()));
00117               }
00118               else if (strcmp("max", xercesc::XMLString::transcode(domRangeIdNodes->item(drid)->getNodeName())) == 0) {
00119                 max_value = atoi(xercesc::XMLString::transcode(domRangeIdNodes->item(drid)->getTextContent()));
00120 
00121                 if ((min_value == 0) || (min_value > max_value)) {
00122                   ACE_DEBUG((LM_ERROR, ACE_TEXT(
00123                       "(%P|%t) AccessControlBuiltInImpl::load_governance_file: Governance XML Domain Range invalid.\n")));
00124                   return -1;
00125                 }
00126 
00127                 for (int i = min_value; i <= max_value; i++) {
00128                   rule_holder_.domain_list.insert(i);
00129                 }
00130               }
00131             }
00132           }
00133         }
00134 
00135       }
00136     }
00137 
00138     // Process allow_unauthenticated_participants
00139     xercesc::DOMNodeList * allow_unauthenticated_participants_ =
00140               xmlDoc->getElementsByTagName(XStr("allow_unauthenticated_participants"));
00141     char * attr_aup = xercesc::XMLString::transcode(allow_unauthenticated_participants_->item(0)->getTextContent());
00142     rule_holder_.domain_attrs.allow_unauthenticated_participants = (ACE_OS::strcasecmp(attr_aup,"false") == 0 ? false : true);
00143     xercesc::XMLString::release(&attr_aup);
00144 
00145     // Process enable_join_access_control
00146     xercesc::DOMNodeList * enable_join_access_control_ =
00147              xmlDoc->getElementsByTagName(XStr("enable_join_access_control"));
00148     char * attr_ejac = xercesc::XMLString::transcode(enable_join_access_control_->item(0)->getTextContent());
00149     rule_holder_.domain_attrs.is_access_protected = ACE_OS::strcasecmp(attr_ejac, "false") == 0 ? false : true;
00150     xercesc::XMLString::release(&attr_ejac);
00151 
00152     // Process discovery_protection_kind
00153     xercesc::DOMNodeList * discovery_protection_kind_ =
00154              xmlDoc->getElementsByTagName(XStr("discovery_protection_kind"));
00155     char * attr_dpk = xercesc::XMLString::transcode(discovery_protection_kind_->item(0)->getTextContent());
00156     if (ACE_OS::strcasecmp(attr_dpk, "NONE") == 0) {
00157       rule_holder_.domain_attrs.is_discovery_protected = false;
00158     } else if (ACE_OS::strcasecmp(attr_dpk, "SIGN") == 0) {
00159       rule_holder_.domain_attrs.is_discovery_protected = true;
00160     } else if (ACE_OS::strcasecmp(attr_dpk, "ENCRYPT") == 0) {
00161       rule_holder_.domain_attrs.is_discovery_protected = true;
00162       rule_holder_.domain_attrs.plugin_participant_attributes |= ::DDS::Security::PLUGIN_PARTICIPANT_SECURITY_ATTRIBUTES_FLAG_BUILTIN_IS_DISCOVERY_ENCRYPTED;
00163     } else if (ACE_OS::strcasecmp(attr_dpk, "SIGN_WITH_ORIGIN_AUTHENTICATION") == 0) {
00164       rule_holder_.domain_attrs.is_discovery_protected = true;
00165       rule_holder_.domain_attrs.plugin_participant_attributes |= ::DDS::Security::PLUGIN_PARTICIPANT_SECURITY_ATTRIBUTES_FLAG_IS_DISCOVERY_ORIGIN_AUTHENTICATED;
00166     } else if (ACE_OS::strcasecmp(attr_dpk, "ENCRYPT_WITH_ORIGIN_AUTHENTICATION") == 0) {
00167       rule_holder_.domain_attrs.is_discovery_protected = true;
00168       rule_holder_.domain_attrs.plugin_participant_attributes |= ::DDS::Security::PLUGIN_PARTICIPANT_SECURITY_ATTRIBUTES_FLAG_BUILTIN_IS_DISCOVERY_ENCRYPTED;
00169       rule_holder_.domain_attrs.plugin_participant_attributes |= ::DDS::Security::PLUGIN_PARTICIPANT_SECURITY_ATTRIBUTES_FLAG_IS_DISCOVERY_ORIGIN_AUTHENTICATED;
00170     }
00171     xercesc::XMLString::release(&attr_dpk);
00172 
00173     // Process liveliness_protection_kind
00174     xercesc::DOMNodeList * liveliness_protection_kind_ =
00175              xmlDoc->getElementsByTagName(XStr("liveliness_protection_kind"));
00176     char * attr_lpk = xercesc::XMLString::transcode(liveliness_protection_kind_->item(0)->getTextContent());
00177     if (ACE_OS::strcasecmp(attr_lpk, "NONE") == 0) {
00178       rule_holder_.domain_attrs.is_liveliness_protected = false;
00179     } else if (ACE_OS::strcasecmp(attr_lpk, "SIGN") == 0) {
00180       rule_holder_.domain_attrs.is_liveliness_protected = true;
00181     } else if (ACE_OS::strcasecmp(attr_lpk, "ENCRYPT") == 0) {
00182       rule_holder_.domain_attrs.is_liveliness_protected = true;
00183       rule_holder_.domain_attrs.plugin_participant_attributes |= ::DDS::Security::PLUGIN_PARTICIPANT_SECURITY_ATTRIBUTES_FLAG_IS_LIVELINESS_ENCRYPTED;
00184     } else if (ACE_OS::strcasecmp(attr_lpk, "SIGN_WITH_ORIGIN_AUTHENTICATION") == 0) {
00185       rule_holder_.domain_attrs.is_liveliness_protected = true;
00186       rule_holder_.domain_attrs.plugin_participant_attributes |= ::DDS::Security::PLUGIN_PARTICIPANT_SECURITY_ATTRIBUTES_FLAG_IS_LIVELINESS_ORIGIN_AUTHENTICATED;
00187     } else if (ACE_OS::strcasecmp(attr_lpk, "ENCRYPT_WITH_ORIGIN_AUTHENTICATION") == 0) {
00188       rule_holder_.domain_attrs.is_liveliness_protected = true;
00189       rule_holder_.domain_attrs.plugin_participant_attributes |= ::DDS::Security::PLUGIN_PARTICIPANT_SECURITY_ATTRIBUTES_FLAG_IS_LIVELINESS_ENCRYPTED;
00190       rule_holder_.domain_attrs.plugin_participant_attributes |= ::DDS::Security::PLUGIN_PARTICIPANT_SECURITY_ATTRIBUTES_FLAG_IS_LIVELINESS_ORIGIN_AUTHENTICATED;
00191     }
00192     xercesc::XMLString::release(&attr_lpk);
00193 
00194     // Process rtps_protection_kind
00195     xercesc::DOMNodeList * rtps_protection_kind_ =
00196              xmlDoc->getElementsByTagName(XStr("rtps_protection_kind"));
00197     char * attr_rpk = xercesc::XMLString::transcode(rtps_protection_kind_->item(0)->getTextContent());
00198 
00199     if (ACE_OS::strcasecmp(attr_rpk, "NONE") == 0) {
00200       rule_holder_.domain_attrs.is_rtps_protected = false;
00201     } else if (ACE_OS::strcasecmp(attr_rpk, "SIGN") == 0) {
00202       rule_holder_.domain_attrs.is_rtps_protected = true;
00203     } else if (ACE_OS::strcasecmp(attr_rpk, "ENCRYPT") == 0) {
00204       rule_holder_.domain_attrs.is_rtps_protected = true;
00205       rule_holder_.domain_attrs.plugin_participant_attributes |= ::DDS::Security::PLUGIN_PARTICIPANT_SECURITY_ATTRIBUTES_FLAG_IS_RTPS_ENCRYPTED;
00206     } else if (ACE_OS::strcasecmp(attr_rpk, "SIGN_WITH_ORIGIN_AUTHENTICATION") == 0) {
00207       rule_holder_.domain_attrs.is_rtps_protected = true;
00208       rule_holder_.domain_attrs.plugin_participant_attributes |= ::DDS::Security::PLUGIN_PARTICIPANT_SECURITY_ATTRIBUTES_FLAG_IS_RTPS_ORIGIN_AUTHENTICATED;
00209     } else if (ACE_OS::strcasecmp(attr_rpk, "ENCRYPT_WITH_ORIGIN_AUTHENTICATION") == 0) {
00210       rule_holder_.domain_attrs.is_rtps_protected = true;
00211       rule_holder_.domain_attrs.plugin_participant_attributes |= ::DDS::Security::PLUGIN_PARTICIPANT_SECURITY_ATTRIBUTES_FLAG_IS_RTPS_ENCRYPTED;
00212       rule_holder_.domain_attrs.plugin_participant_attributes |= ::DDS::Security::PLUGIN_PARTICIPANT_SECURITY_ATTRIBUTES_FLAG_IS_RTPS_ORIGIN_AUTHENTICATED;
00213     }
00214     xercesc::XMLString::release(&attr_rpk);
00215 
00216     rule_holder_.domain_attrs.plugin_participant_attributes |= ::DDS::Security::PLUGIN_PARTICIPANT_SECURITY_ATTRIBUTES_FLAG_IS_VALID;
00217 
00218     // Process topic rules
00219 
00220     xercesc::DOMNodeList * topic_rules = xmlDoc->getElementsByTagName(XStr("topic_rule"));
00221 
00222     for (XMLSize_t tr = 0; tr < topic_rules->getLength(); tr++) {
00223       xercesc::DOMNodeList * topic_rule_nodes = topic_rules->item(tr)->getChildNodes();
00224       Governance::TopicAccessRule t_rules;
00225 
00226       for (XMLSize_t trn = 0; trn < topic_rule_nodes->getLength(); trn++) {
00227         XStr tr_tag = topic_rule_nodes->item(trn)->getNodeName();
00228         char * tr_val = xercesc::XMLString::transcode(topic_rule_nodes->item(trn)->getTextContent());
00229 
00230         if (tr_tag == "topic_expression") {
00231           t_rules.topic_expression = tr_val;
00232         }
00233         else if (tr_tag == "enable_discovery_protection") {
00234           t_rules.topic_attrs.is_discovery_protected = ACE_OS::strcasecmp(tr_val, "false") == 0 ? false : true;
00235         }
00236         else if (tr_tag == "enable_liveliness_protection") {
00237           t_rules.topic_attrs.is_liveliness_protected = ACE_OS::strcasecmp(tr_val, "false") == 0 ? false : true;
00238         }
00239         else if (tr_tag == "enable_read_access_control") {
00240           t_rules.topic_attrs.is_read_protected = ACE_OS::strcasecmp(tr_val, "false") == 0 ? false : true;
00241         }
00242         else if (tr_tag == "enable_write_access_control") {
00243           t_rules.topic_attrs.is_write_protected = ACE_OS::strcasecmp(tr_val, "false") == 0 ? false : true;
00244         }
00245         else if (tr_tag == "metadata_protection_kind") {
00246           t_rules.metadata_protection_kind.assign(tr_val);
00247         }
00248         else if (tr_tag == "data_protection_kind") {
00249           t_rules.data_protection_kind.assign(tr_val);
00250         }
00251         xercesc::XMLString::release(&tr_val);
00252       }
00253       rule_holder_.topic_rules.push_back(t_rules);
00254     }
00255 
00256     access_rules_.push_back(rule_holder_);
00257   } // domain_rule
00258 
00259   return 0;
00260 }
00261 
00262 
00263 }
00264 }