pvAccessCPP  7.1.7
 All Classes Namespaces Files Functions Variables Typedefs Enumerations Enumerator Friends Groups Pages
security.h
1 
7 #ifndef SECURITY_H
8 #define SECURITY_H
9 
76 #ifdef epicsExportSharedSymbols
77 # define securityEpicsExportSharedSymbols
78 # undef epicsExportSharedSymbols
79 #endif
80 
81 #include <string>
82 #include <osiSock.h>
83 #include <epicsMutex.h>
84 
85 #include <pv/status.h>
86 #include <pv/pvData.h>
87 #include <pv/sharedPtr.h>
88 
89 #ifdef securityEpicsExportSharedSymbols
90 # define epicsExportSharedSymbols
91 # undef securityEpicsExportSharedSymbols
92 #endif
93 
94 #include <pv/pvaDefs.h>
95 #include <pv/pvaConstants.h>
96 #include <pv/serializationHelper.h>
97 #include <pv/logger.h>
98 
99 #include <shareLib.h>
100 
101 namespace epics {
102 namespace pvAccess {
103 
119 struct epicsShareClass PeerInfo {
120  POINTER_DEFINITIONS(PeerInfo);
121 
122  static size_t num_instances;
123 
124  std::string peer;
125  std::string transport;
126  std::string authority;
127  std::string realm;
128  std::string account;
129 
131  pvData::PVStructure::const_shared_pointer aux;
132 
133  typedef std::set<std::string> roles_t;
135  roles_t roles;
136 
137  unsigned transportVersion;
138 
139  // attributes for programatic consumption
140  bool local;
141  bool identified;
142 
143  PeerInfo();
144  virtual ~PeerInfo();
145 };
146 
151 class epicsShareClass AuthenticationSession
152 {
153 public:
154  POINTER_DEFINITIONS(AuthenticationSession);
155 
156  virtual ~AuthenticationSession();
157 
160  virtual epics::pvData::PVStructure::const_shared_pointer initializationData()
161  { return epics::pvData::PVStructure::const_shared_pointer(); }
162 
166  virtual void messageReceived(epics::pvData::PVStructure::const_shared_pointer const & data) {}
167 
172  virtual void authenticationComplete(const epics::pvData::Status& status) {}
173 };
174 
176 class epicsShareClass AuthenticationPluginControl
177 {
178 public:
179  POINTER_DEFINITIONS(AuthenticationPluginControl);
180  virtual ~AuthenticationPluginControl();
181 
184  virtual void sendSecurityPluginMessage(epics::pvData::PVStructure::const_shared_pointer const & data) = 0;
185 
193  virtual void authenticationCompleted(const epics::pvData::Status& status,
194  const std::tr1::shared_ptr<PeerInfo>& peer) = 0;
195 };
196 
198 class epicsShareClass AuthenticationPlugin
199 {
200 public:
201  POINTER_DEFINITIONS(AuthenticationPlugin);
202  virtual ~AuthenticationPlugin();
203 
209  virtual bool isValidFor(const PeerInfo& peer) const { return true; }
210 
220  virtual std::tr1::shared_ptr<AuthenticationSession> createSession(
221  const std::tr1::shared_ptr<PeerInfo>& peer,
222  std::tr1::shared_ptr<AuthenticationPluginControl> const & control,
223  epics::pvData::PVStructure::shared_pointer const & data) = 0;
224 };
225 
228 class epicsShareClass AuthenticationRegistry
229 {
230  EPICS_NOT_COPYABLE(AuthenticationRegistry) // would need locking
231 public:
232  POINTER_DEFINITIONS(AuthenticationRegistry);
233 
234 private:
235  typedef std::map<int, std::pair<std::string, AuthenticationPlugin::shared_pointer> > map_t;
236  map_t map;
237  mutable epicsMutex mutex;
238 public:
239  typedef std::vector<map_t::mapped_type> list_t;
240 
242  static AuthenticationRegistry& clients();
244  static AuthenticationRegistry& servers();
245 
246  AuthenticationRegistry() {}
247  ~AuthenticationRegistry();
248 
250  void snapshot(list_t& plugmap) const;
251 
258  void add(int prio, const std::string& name, const AuthenticationPlugin::shared_pointer& plugin);
260  bool remove(const AuthenticationPlugin::shared_pointer& plugin);
263  AuthenticationPlugin::shared_pointer lookup(const std::string& name) const;
264 };
265 
268 class epicsShareClass AuthorizationPlugin
269 {
270 public:
271  POINTER_DEFINITIONS(AuthorizationPlugin);
272 
273  virtual ~AuthorizationPlugin();
274 
276  virtual void authorize(const std::tr1::shared_ptr<PeerInfo>& peer) =0;
277 };
278 
279 class epicsShareClass AuthorizationRegistry
280 {
281  EPICS_NOT_COPYABLE(AuthorizationRegistry)
282 public:
283  POINTER_DEFINITIONS(AuthenticationRegistry);
284 
285  static AuthorizationRegistry &plugins();
286 
287  AuthorizationRegistry();
288  ~AuthorizationRegistry();
289 
290 private:
291  typedef std::map<int, AuthorizationPlugin::shared_pointer> map_t;
292  map_t map;
293  size_t busy;
294  mutable epicsMutex mutex;
295 public:
296 
297  void add(int prio, const AuthorizationPlugin::shared_pointer& plugin);
298  bool remove(const AuthorizationPlugin::shared_pointer& plugin);
299  void run(const std::tr1::shared_ptr<PeerInfo>& peer);
300 };
301 
306 epicsShareFunc
307 void osdGetRoles(const std::string &account, PeerInfo::roles_t& roles);
308 
309 }
310 }
311 
312 #endif // SECURITY_H
epics::pvAccess::PeerInfo::transport
std::string transport
transport protocol used eg. &quot;pva&quot;. Must not be empty.
Definition: security.h:125
epics::pvAccess::AuthenticationSession::initializationData
virtual epics::pvData::PVStructure::const_shared_pointer initializationData()
For client plugins only, call to find the payload returned with CONNECTION_VALIDATION.
Definition: security.h:160
epics::pvAccess::AuthorizationPlugin
I modify PeerInfo after authentication is complete.
Definition: security.h:268
remove
_ForwardIterator remove(_ForwardIterator __first, _ForwardIterator __last, const _Tp &__value)
epics::pvAccess::PeerInfo::roles
roles_t roles
Set of strings which may be used to modify access control decisions.
Definition: security.h:135
epics::pvAccess::PeerInfo
Information provded by a client to a server-type ChannelProvider.
Definition: security.h:119
epics::pvAccess::AuthenticationPlugin::isValidFor
virtual bool isValidFor(const PeerInfo &peer) const
Allow this plugin to be advertised to a particular peer.
Definition: security.h:209
epics::pvAccess::PeerInfo::aux
pvData::PVStructure::const_shared_pointer aux
NULL or extra authority specific information.
Definition: security.h:131
epics::pvAccess::PeerInfo::identified
bool identified
Short-hand for authority!=&quot;anonymous&quot;.
Definition: security.h:141
epics::pvAccess::PeerInfo::authority
std::string authority
authentication mechanism used. eg. &quot;anonymous&quot; or &quot;gssapi&quot;. Must not be empty.
Definition: security.h:126
epics::pvAccess::AuthenticationSession
A particular authentication exchange.
Definition: security.h:151
epics::pvAccess::AuthenticationPlugin
Actor through which authentication exchanges are initiated.
Definition: security.h:198
epics::pvAccess::osdGetRoles
void osdGetRoles(const std::string &account, PeerInfo::roles_t &roles)
Query OS specific DB for role/group names assocated with a user account.
epics::pvAccess::PeerInfo::realm
std::string realm
scope of authority. eg. &quot;mylab.gov&quot;
Definition: security.h:127
epics::pvAccess::PeerInfo::account
std::string account
aka. user name
Definition: security.h:128
epics::pvAccess::AuthenticationRegistry
Registry(s) for plugins.
Definition: security.h:228
epics::pvAccess::AuthenticationSession::authenticationComplete
virtual void authenticationComplete(const epics::pvData::Status &status)
For client plugins only.
Definition: security.h:172
epics::pvAccess::PeerInfo::transportVersion
unsigned transportVersion
If applicable, the protocol minor version number.
Definition: security.h:137
epics::pvAccess::AuthenticationSession::messageReceived
virtual void messageReceived(epics::pvData::PVStructure::const_shared_pointer const &data)
Called when an AUTHZ message is recieved from the peer.
Definition: security.h:166
epics::pvAccess::PeerInfo::peer
std::string peer
network address of remote peer. eg. &quot;192.168.1.1:5075&quot;.
Definition: security.h:124
epics::pvAccess::PeerInfo::local
bool local
Short-hand for transport==&quot;local&quot;.
Definition: security.h:140
epics::pvAccess::AuthenticationPluginControl
Callbacks for use by AuthenticationSession.
Definition: security.h:176
Generated on Mon Dec 18 2023 14:51:34 for pvAccessCPP by   doxygen 1.8.5