#ifndef __ACC_AUTHORIZE__ #define __ACC_AUTHORIZE__ /******************************************************************************/ /* */ /* X r d A c c A u t h o r i z e . h h */ /* */ /* (c) 2000 by the Board of Trustees of the Leland Stanford, Jr., University */ /* All Rights Reserved */ /* Produced by Andrew Hanushevsky for Stanford University under contract */ /* DE-AC02-76-SFO0515 with the Department of Energy */ /* */ /* This file is part of the XRootD software suite. */ /* */ /* XRootD is free software: you can redistribute it and/or modify it under */ /* the terms of the GNU Lesser General Public License as published by the */ /* Free Software Foundation, either version 3 of the License, or (at your */ /* option) any later version. */ /* */ /* XRootD is distributed in the hope that it will be useful, but WITHOUT */ /* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or */ /* FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public */ /* License for more details. */ /* */ /* You should have received a copy of the GNU Lesser General Public License */ /* along with XRootD in a file called COPYING.LESSER (LGPL license) and file */ /* COPYING (GPL license). If not, see . */ /* */ /* The copyright holder's institutional names and contributor's names may not */ /* be used to endorse or promote products derived from this software without */ /* specific prior written permission of the institution or contributor. */ /******************************************************************************/ #include "XrdAcc/XrdAccPrivs.hh" /******************************************************************************/ /* A c c e s s _ O p e r a t i o n */ /******************************************************************************/ //! The following are supported operations enum Access_Operation {AOP_Any = 0, //!< Special for getting privs AOP_Chmod = 1, //!< chmod() AOP_Chown = 2, //!< chown() AOP_Create = 3, //!< open() with create AOP_Delete = 4, //!< rm() or rmdir() AOP_Insert = 5, //!< mv() for target AOP_Lock = 6, //!< n/a AOP_Mkdir = 7, //!< mkdir() AOP_Read = 8, //!< open() r/o, prepare() AOP_Readdir = 9, //!< opendir() AOP_Rename = 10, //!< mv() for source AOP_Stat = 11, //!< exists(), stat() AOP_Update = 12, //!< open() r/w or append AOP_Excl_Create = 13, //!< open() with O_EXCL|O_CREAT AOP_Excl_Insert = 14, //!< mv() where destination doesn't exist. AOP_LastOp = 14 // For limits testing }; /******************************************************************************/ /* X r d A c c A u t h o r i z e */ /******************************************************************************/ class XrdOucEnv; class XrdSecEntity; class XrdSysLogger; class XrdAccAuthorize { public: //------------------------------------------------------------------------------ //! Check whether or not the client is permitted specified access to a path. //! //! @param Entity -> Authentication information //! @param path -> The logical path which is the target of oper //! @param oper -> The operation being attempted (see the enum above). //! If the oper is AOP_Any, then the actual privileges //! are returned and the caller may make subsequent //! tests using Test(). //! @param Env -> Environmental information at the time of the //! operation as supplied by the path CGI string. //! This is optional and the pointer may be zero. //! //! @return Permit: a non-zero value (access is permitted) //! Deny: zero (access is denied) //------------------------------------------------------------------------------ virtual XrdAccPrivs Access(const XrdSecEntity *Entity, const char *path, const Access_Operation oper, XrdOucEnv *Env=0) = 0; //------------------------------------------------------------------------------ //! Route an audit message to the appropriate audit exit routine. See //! XrdAccAudit.h for more information on how the default implementation works. //! Currently, this method is not called by the ofs but should be used by the //! implementation to record denials or grants, as warranted. //! //! @param accok -> True is access was grated; false otherwise. //! @param Entity -> Authentication information //! @param path -> The logical path which is the target of oper //! @param oper -> The operation being attempted (see above) //! @param Env -> Environmental information at the time of the //! operation as supplied by the path CGI string. //! This is optional and the pointer may be zero. //! //! @return Success: !0 information recorded. //! Failure: 0 information could not be recorded. //------------------------------------------------------------------------------ virtual int Audit(const int accok, const XrdSecEntity *Entity, const char *path, const Access_Operation oper, XrdOucEnv *Env=0) = 0; //------------------------------------------------------------------------------ //! Check whether the specified operation is permitted. //! //! @param priv -> the privileges as returned by Access(). //! @param oper -> The operation being attempted (see above) //! //! @return Permit: a non-zero value (access is permitted) //! Deny: zero (access is denied) //------------------------------------------------------------------------------ virtual int Test(const XrdAccPrivs priv, const Access_Operation oper) = 0; //------------------------------------------------------------------------------ //! Constructor //------------------------------------------------------------------------------ XrdAccAuthorize() {} //------------------------------------------------------------------------------ //! Destructor //------------------------------------------------------------------------------ virtual ~XrdAccAuthorize() {} }; /******************************************************************************/ /* X r d A c c A u t h o r i z e O b j e c t */ /******************************************************************************/ //------------------------------------------------------------------------------ //! Obtain an authorization object. //! //! XrdAccAuthorizeObject() is an extern "C" function that is called to obtain //! an instance of the auth object that will be used for all subsequent //! authorization decisions. It must be defined in the plug-in shared library. //! A second version which is used preferentially if it exists should be //! used if accessto theenvironmental pointer s needed. //! All the following extern symbols must be defined at file level! //! //! @param lp -> XrdSysLogger to be tied to an XrdSysError object for messages //! @param cfn -> The name of the configuration file //! @param parm -> Parameters specified on the authlib directive. If none it //! is zero. //! @param envP -> Pointer to environment only available for version 2. //! //! @return Success: A pointer to the authorization object. //! Failure: Null pointer which causes initialization to fail. //------------------------------------------------------------------------------ typedef XrdAccAuthorize *(*XrdAccAuthorizeObject_t)(XrdSysLogger *lp, const char *cfn, const char *parm); /*! extern "C" XrdAccAuthorize *XrdAccAuthorizeObject(XrdSysLogger *lp, const char *cfn, const char *parm) {...} */ // Alternatively: typedef XrdAccAuthorize *(*XrdAccAuthorizeObject2_t)(XrdSysLogger *lp, const char *cfn, const char *parm, XrdOucEnv *envP); /*! extern "C" XrdAccAuthorize *XrdAccAuthorizeObject2(XrdSysLogger *lp, const char *cfn, const char *parm, XrdOucEnv *envP) {...} */ //------------------------------------------------------------------------------ //! Add an authorization object as a wrapper to the existing object. //! //! XrdAccAuthorizeObjAdd() is an extern "C" function that is called to obtain //! an instance of the auth object that should wrap the existing object. The //! wrapper becomes the actual authorization object. The wrapper must be //! in the plug-in shared library, it is passed additional parameters. //! All the following extern symbols must be defined at file level! //! //! @param lp -> XrdSysLogger to be tied to an XrdSysError object for messages //! @param cfn -> The name of the configuration file //! @param parm -> Parameters specified on the authlib directive. If none it //! is zero. //! @param envP -> Environmental information and may be nil. //! @param accP -> to the existing authorization object. //! //! @return Success: A pointer to the authorization object. //! Failure: Null pointer which causes initialization to fail. //------------------------------------------------------------------------------ typedef XrdAccAuthorize *(*XrdAccAuthorizeObjAdd_t)(XrdSysLogger *lp, const char *cfn, const char *parm, XrdOucEnv *envP, XrdAccAuthorize *accP); /*! extern "C" XrdAccAuthorize *XrdAccAuthorizeObjAdd(XrdSysLogger *lp, const char *cfn, const char *parm, XrdOucEnv *envP, XrdAccAuthorize *accP) {...} */ //------------------------------------------------------------------------------ //! Specify the compilation version. //! //! Additionally, you *should* declare the xrootd version you used to compile //! your plug-in. While not currently required, it is highly recommended to //! avoid execution issues should the class definition change. Declare it as: //------------------------------------------------------------------------------ /*! #include "XrdVersion.hh" XrdVERSIONINFO(XrdAccAuthorizeObject,); where is a 1- to 15-character unquoted name identifying your plugin. For the default statically linked authorization framework, the non-extern C XrdAccDefaultAuthorizeObject() is called instead so as to not conflict with that symbol in a shared library plug-in. */ #endif