This is Unofficial EPICS BASE Doxygen Site
security.h
Go to the documentation of this file.
1 
7 #ifndef SECURITY_H
8 #define SECURITY_H
9 
76 #ifdef epicsExportSharedSymbols
77 # define securityEpicsExportSharedSymbols
78 # undef epicsExportSharedSymbols
79 #endif
80 
81 #include <string>
82 #include <osiSock.h>
83 #include <epicsMutex.h>
84 
85 #include <pv/status.h>
86 #include <pv/pvData.h>
87 #include <pv/sharedPtr.h>
88 
89 #ifdef securityEpicsExportSharedSymbols
90 # define epicsExportSharedSymbols
91 # undef securityEpicsExportSharedSymbols
92 #endif
93 
94 #include <pv/pvaDefs.h>
95 #include <pv/pvaConstants.h>
96 #include <pv/serializationHelper.h>
97 #include <pv/logger.h>
98 
99 #include <shareLib.h>
100 
101 namespace epics {
102 namespace pvAccess {
103 
119 struct epicsShareClass PeerInfo {
120  POINTER_DEFINITIONS(PeerInfo);
121 
122  static size_t num_instances;
123 
124  std::string peer;
125  std::string transport;
126  std::string authority;
127  std::string realm;
128  std::string account;
129 
131  pvData::PVStructure::const_shared_pointer aux;
132 
133  typedef std::set<std::string> roles_t;
135  roles_t roles;
136 
137  unsigned transportVersion;
138 
139  // attributes for programatic consumption
140  bool local;
141  bool identified;
142 
143  PeerInfo();
144  virtual ~PeerInfo();
145 };
146 
151 class epicsShareClass AuthenticationSession
152 {
153 public:
154  POINTER_DEFINITIONS(AuthenticationSession);
155 
156  virtual ~AuthenticationSession();
157 
160  virtual epics::pvData::PVStructure::const_shared_pointer initializationData()
161  { return epics::pvData::PVStructure::const_shared_pointer(); }
162 
166  virtual void messageReceived(epics::pvData::PVStructure::const_shared_pointer const & data) {}
167 
172  virtual void authenticationComplete(const epics::pvData::Status& status) {}
173 };
174 
176 class epicsShareClass AuthenticationPluginControl
177 {
178 public:
179  POINTER_DEFINITIONS(AuthenticationPluginControl);
180  virtual ~AuthenticationPluginControl();
181 
184  virtual void sendSecurityPluginMessage(epics::pvData::PVStructure::const_shared_pointer const & data) = 0;
185 
193  virtual void authenticationCompleted(const epics::pvData::Status& status,
194  const std::tr1::shared_ptr<PeerInfo>& peer) = 0;
195 };
196 
198 class epicsShareClass AuthenticationPlugin
199 {
200 public:
201  POINTER_DEFINITIONS(AuthenticationPlugin);
202  virtual ~AuthenticationPlugin();
203 
209  virtual bool isValidFor(const PeerInfo& peer) const { return true; }
210 
220  virtual std::tr1::shared_ptr<AuthenticationSession> createSession(
221  const std::tr1::shared_ptr<PeerInfo>& peer,
222  std::tr1::shared_ptr<AuthenticationPluginControl> const & control,
223  epics::pvData::PVStructure::shared_pointer const & data) = 0;
224 };
225 
228 class epicsShareClass AuthenticationRegistry
229 {
230  EPICS_NOT_COPYABLE(AuthenticationRegistry) // would need locking
231 public:
232  POINTER_DEFINITIONS(AuthenticationRegistry);
233 
234 private:
235  typedef std::map<int, std::pair<std::string, AuthenticationPlugin::shared_pointer> > map_t;
236  map_t map;
237  mutable epicsMutex mutex;
238 public:
239  typedef std::vector<map_t::mapped_type> list_t;
240 
242  static AuthenticationRegistry& clients();
244  static AuthenticationRegistry& servers();
245 
246  AuthenticationRegistry() {}
247  ~AuthenticationRegistry();
248 
250  void snapshot(list_t& plugmap) const;
251 
258  void add(int prio, const std::string& name, const AuthenticationPlugin::shared_pointer& plugin);
260  bool remove(const AuthenticationPlugin::shared_pointer& plugin);
263  AuthenticationPlugin::shared_pointer lookup(const std::string& name) const;
264 };
265 
268 class epicsShareClass AuthorizationPlugin
269 {
270 public:
271  POINTER_DEFINITIONS(AuthorizationPlugin);
272 
273  virtual ~AuthorizationPlugin();
274 
276  virtual void authorize(const std::tr1::shared_ptr<PeerInfo>& peer) =0;
277 };
278 
279 class epicsShareClass AuthorizationRegistry
280 {
281  EPICS_NOT_COPYABLE(AuthorizationRegistry)
282 public:
283  POINTER_DEFINITIONS(AuthenticationRegistry);
284 
285  static AuthorizationRegistry &plugins();
286 
287  AuthorizationRegistry();
288  ~AuthorizationRegistry();
289 
290 private:
291  typedef std::map<int, AuthorizationPlugin::shared_pointer> map_t;
292  map_t map;
293  size_t busy;
294  mutable epicsMutex mutex;
295 public:
296 
297  void add(int prio, const AuthorizationPlugin::shared_pointer& plugin);
298  bool remove(const AuthorizationPlugin::shared_pointer& plugin);
299  void run(const std::tr1::shared_ptr<PeerInfo>& peer);
300 };
301 
306 epicsShareFunc
307 void osdGetRoles(const std::string &account, PeerInfo::roles_t& roles);
308 
309 }
310 }
311 
312 #endif // SECURITY_H
epics::pvAccess::PeerInfo::realm
std::string realm
scope of authority. eg. "mylab.gov"
Definition: security.h:127
epics::pvAccess::PeerInfo
Information provded by a client to a server-type ChannelProvider.
Definition: security.h:119
status
pvd::Status status
Definition: sharedstate_pv.cpp:122
epics::pvAccess::AuthenticationSession::messageReceived
virtual void messageReceived(epics::pvData::PVStructure::const_shared_pointer const &data)
Definition: security.h:166
epics::pvAccess::AuthenticationPlugin::isValidFor
virtual bool isValidFor(const PeerInfo &peer) const
Definition: security.h:209
epics::pvAccess::AuthenticationPlugin
Actor through which authentication exchanges are initiated.
Definition: security.h:198
epics::pvAccess::PeerInfo::transport
std::string transport
transport protocol used eg. "pva". Must not be empty.
Definition: security.h:125
epicsShareFunc
#define epicsShareFunc
Definition: shareLib.h:209
epics
TODO only here because of the Lockable.
Definition: ntaggregate.cpp:16
epics::pvAccess::osdGetRoles
epicsShareFunc void osdGetRoles(const std::string &account, PeerInfo::roles_t &roles)
Query OS specific DB for role/group names assocated with a user account.
Definition: getgroups.cpp:51
shareLib.h
Mark external symbols and entry points for shared libraries.
lookup
bucket * lookup(char *name)
Definition: symtab.c:66
epics::pvAccess::PeerInfo::aux
pvData::PVStructure::const_shared_pointer aux
NULL or extra authority specific information.
Definition: security.h:131
epics::pvAccess::PeerInfo::roles
roles_t roles
Set of strings which may be used to modify access control decisions.
Definition: security.h:135
epics::pvAccess::PeerInfo::num_instances
static size_t num_instances
Definition: security.h:122
epics::pvAccess::PeerInfo::peer
std::string peer
network address of remote peer. eg. "192.168.1.1:5075".
Definition: security.h:124
POINTER_DEFINITIONS
#define POINTER_DEFINITIONS(clazz)
Definition: sharedPtr.h:198
epics::pvAccess::PeerInfo::account
std::string account
aka. user name
Definition: security.h:128
mutex
epicsMutex mutex
Definition: pvAccess.cpp:71
epicsMutex.h
APIs for the epicsMutex mutual exclusion semaphore.
clients
ChannelProviderRegistry::shared_pointer clients
Definition: ChannelAccessFactory.cpp:196
epicsShareClass
#define epicsShareClass
Definition: shareLib.h:206
epics::pvAccess::PeerInfo::roles_t
std::set< std::string > roles_t
Definition: security.h:133
epics::pvAccess::PeerInfo::identified
bool identified
Short-hand for authority!="anonymous".
Definition: security.h:141
epics::pvAccess::AuthenticationSession::authenticationComplete
virtual void authenticationComplete(const epics::pvData::Status &status)
Definition: security.h:172
epics::pvAccess::PeerInfo::local
bool local
Short-hand for transport=="local".
Definition: security.h:140
epics::pvAccess::AuthenticationSession::initializationData
virtual epics::pvData::PVStructure::const_shared_pointer initializationData()
Definition: security.h:160
epics::pvAccess::AuthenticationRegistry::list_t
std::vector< map_t::mapped_type > list_t
Definition: security.h:239
epics::pvAccess::PeerInfo::authority
std::string authority
authentication mechanism used. eg. "anonymous" or "gssapi". Must not be empty.
Definition: security.h:126
EPICS_NOT_COPYABLE
#define EPICS_NOT_COPYABLE(CLASS)
Disable implicit copyable.
Definition: noDefaultMethods.h:38
epics::pvAccess::PeerInfo::transportVersion
unsigned transportVersion
If applicable, the protocol minor version number.
Definition: security.h:137
servers
GLBLTYPE ELLLIST servers
Definition: server.h:193
epics::pvAccess::AuthenticationPluginControl
Callbacks for use by AuthenticationSession.
Definition: security.h:176