
/home/tetron/hack/vos/libs/vos/vos/accesscontrolstate.hh

00001 #ifndef _ACCESSCONTROLSTATE_HH_
00002 #define _ACCESSCONTROLSTATE_HH_
00003 
00004 #include <vos/vos/acl.hh>
00005 #include <vos/vutil/readwritemutex.hh>
00006 
00007 namespace VOS {
00008     class VobjectBase; // forward declaration
00009 
00010 /** @class AccessControlState accesscontrolstate.hh vos/vos/accesscontrolstate.hh
00011     @ingroup libvos
00012 
00013     Stores and manages the access control lists (ACLs) and the
00014     default access control policies for a particular local Vobject.
00015 */
00016 class VOS_API AccessControlState
00017 {
00018 private:
00019     VobjectBase* myvobject; // Vobject these policies apply to; presumably non-owning -- confirm
00020     // ACLs, presumably keyed by ACL name and guarded by the mutex below -- confirm.
00021     VUtil::read_write_mutex accessControlLists_mutex;
00022     std::map<std::string, AccessControlList*> accessControlLists;
00023     // Default policies, presumably domain -> policy, guarded likewise -- confirm.
00024     VUtil::read_write_mutex default_AC_policies_mutex;
00025     std::map<std::string, std::string> default_AC_policies;
00026 
00027 public:
00028     /** Constructor.  NOTE(review): not declared explicit, so a bare
00029         VobjectBase* converts implicitly to an AccessControlState.
00030         @param myvobject the Vobject to be managed by this
00031         AccessControlState object.  */
00032     AccessControlState(VobjectBase* myvobject);
00033 
00034     /** Destructor. */
00035     ~AccessControlState();
00036 
00037     /** @return the Vobject that these access control policies are
00038         applied to. */
00039     VUtil::vRef<VobjectBase> getBase();
00040 
00041     /** Do an access control lookup: for some identity requesting
00042         access, return the applicable policy (or policies) in some
00043         domain, based on the current access control lists.
00044 
00045         Access control lookup works like this:
00046 
00047           -# Check each ACL to see if it lists this Identity.  If so,
00048           that ACL's policy is used.
00049           -# Otherwise, check each ACL for Groups that this Identity
00050           belongs to.  If the Identity is a member of several Groups
00051           that are in different ACLs, the policy for each relevant
00052           ACL is returned.  The caller should check *every* returned
00053           policy to determine pass or fail -- this is up to the
00054           caller, but commonly in VOS code if any policy grants
00055           permission then permission is given.  This means that
00056           groups can be used to add permissions, but not take them
00057           away!  Design your access control scheme accordingly (and
00058           make the default permissions as restrictive as possible).
00059           -# Otherwise, because neither the Identity nor any Group it
00060           is a member of appears in any ACL, the default access
00061           control policy is returned.
00062 
00063         @param domain the policy domain of interest
00064         @param id the identity requesting access
00065         @return an iterator over every policy that applies */
00066     StringIterator getPolicy(const std::string& domain, Identity* id);
00067 
00068     /** @return all policies in a particular policy domain that are
00069         available for use.
00070      */
00071     StringIterator getAvailablePolicies(const std::string& domain);
00072 
00073     /** Add an identity to an access control list (ACL).  If this identity
00074         exists in another ACL, it will be removed from that ACL first.
00075 
00076         @param ACLname the name of the ACL.  This is a comma-separated
00077         list of the access control policies to apply for each domain.
00078         For example "core:read-only,property:accept-all".  Order does
00079         not matter (it will be sorted) but this access control list name is
00080         distinct from just "core:read-only"!
00081         @param id the Identity to add
00082     */
00083     void addToACL(const std::string& ACLname, Identity* id);
00084 
00085 
00086     /** Add a group to an access control list (ACL).  If this group
00087         exists in another ACL, it will be removed from that ACL first.
00088         @param ACLname the name of the ACL.  This is a comma-separated
00089         list of the access control policies to apply for each domain.
00090         For example "core:read-only,property:accept-all".  Order does
00091         not matter (it will be sorted) but this access control list name is
00092         distinct from just "core:read-only"!
00093         @param grp the Group to add
00094     */
00095     void addToACL(const std::string& ACLname, Group* grp);
00096 
00097     /** Remove an Identity from an access control list (ACL).  The ACL
00098         will be deleted when the last member is removed.
00099 
00100         @param ACLname the name of the ACL.  This is a comma-separated
00101         list of the access control policies to apply for each domain.
00102         For example "core:read-only,property:accept-all".  Order does
00103         not matter (it will be sorted) but this access control list name is
00104         distinct from just "core:read-only"!
00105         @param id the Identity to remove
00106      */
00107     void removeFromACL(const std::string& ACLname, Identity* id);
00108 
00109     /** Remove a Group from an access control list (ACL).  The ACL
00110         will be deleted when the last member is removed.
00111 
00112         @param ACLname the name of the ACL.  This
00113         is a comma-separated list of the access control policies to
00114         apply for each domain.  For example
00115         "core:read-only,property:accept-all".  Order does not matter
00116         (it will be sorted) but this access control list name is
00117         distinct from just "core:read-only"!
00118         @param grp the Group to remove
00119      */
00120     void removeFromACL(const std::string& ACLname, Group* grp);
00121 
00122     /** Completely delete an ACL.
00123         @param policies the name of the ACL.  This is a comma-separated
00124         list of the access control policies to apply for each domain.
00125         For example "core:read-only,property:accept-all".  Order does
00126         not matter (it will be sorted) but this access control list name is
00127         distinct from just "core:read-only"!
00128      */
00129     void deleteACL(const std::string& policies);
00130 
00131     /** Get the policy that is applied by default if the requester's
00132         identity or groups were not found in any ACL.  This is also
00133         the policy applied to anonymous users (users with no
00134         identity).  NOTE(review): how getPolicy() is told a requester is
00135         anonymous (e.g. a null Identity*) is not stated here -- confirm.
00136         @param domain the policy domain you are interested in.  If
00137         blank, returns a comma-separated list of the policy in each
00138         domain.
00139     */
00140     std::string getDefaultPolicy(const std::string& domain = "");
00141 
00142     /** Set the default policy.
00143 
00144         @param policy the policy.  This only affects the domains
00145         listed.  For example, if your current default policy is
00146         "core:read-only,property:accept-all" and you call
00147         setDefaultPolicy("property:read-only") the resulting default
00148         policy will be "core:read-only,property:read-only".
00149      */
00150     void setDefaultPolicy(const std::string& policy);
00151 
00152     /** Get the access control list (ACL) associated with a particular
00153         name.  NOTE(review): the result for an unknown name is not stated here.
00154 
00155         @param policies the ACL name, a comma-separated list of domain:policy
00156         pairs, the same as used by addToACL(), removeFromACL() and
00157         deleteACL().
00158     */
00159     VUtil::vRef<AccessControlList> getACL(const std::string& policies);
00160 
00161     /** @return all access control lists (ACL) that have been set.
00162      */
00163     ACLIterator getAllACLs();
00164 };
00165 }; // namespace VOS
00166 
00167 #endif