pvAccessCPP/security_8h_source.html

#ifndef SECURITY_H

#define SECURITY_H


#ifdef epicsExportSharedSymbols

#   define securityEpicsExportSharedSymbols

#   undef epicsExportSharedSymbols

#endif


#include <string>

#include <osiSock.h>

#include <epicsMutex.h>


#include <pv/status.h>

#include <pv/pvData.h>

#include <pv/sharedPtr.h>


#ifdef securityEpicsExportSharedSymbols

#   define epicsExportSharedSymbols

#       undef securityEpicsExportSharedSymbols

#endif


#include <pv/pvaDefs.h>

#include <pv/pvaConstants.h>

#include <pv/serializationHelper.h>

#include <pv/logger.h>


#include <shareLib.h>


namespace epics {

namespace pvAccess {


struct epicsShareClass PeerInfo {

    POINTER_DEFINITIONS(PeerInfo);


    static size_t num_instances;


    std::string peer;

    std::string transport;

    std::string authority;

    std::string realm;

    std::string account;


    pvData::PVStructure::const_shared_pointer aux;


    typedef std::set<std::string> roles_t;

    roles_t roles;


    unsigned transportVersion;


    // attributes for programatic consumption

    bool local;

    bool identified;


    PeerInfo();

    virtual ~PeerInfo();

};


class epicsShareClass AuthenticationSession

{

public:

    POINTER_DEFINITIONS(AuthenticationSession);


    virtual ~AuthenticationSession();


    virtual epics::pvData::PVStructure::const_shared_pointer initializationData()

    { return epics::pvData::PVStructure::const_shared_pointer(); }


    virtual void messageReceived(epics::pvData::PVStructure::const_shared_pointer const & data) {}


    virtual void authenticationComplete(const epics::pvData::Status& status) {}

};


class epicsShareClass AuthenticationPluginControl

{

public:

    POINTER_DEFINITIONS(AuthenticationPluginControl);

    virtual ~AuthenticationPluginControl();


    virtual void sendSecurityPluginMessage(epics::pvData::PVStructure::const_shared_pointer const & data) = 0;


    virtual void authenticationCompleted(const epics::pvData::Status& status,

                                         const std::tr1::shared_ptr<PeerInfo>& peer) = 0;

};


class epicsShareClass AuthenticationPlugin

{

public:

    POINTER_DEFINITIONS(AuthenticationPlugin);

    virtual ~AuthenticationPlugin();


    virtual bool isValidFor(const PeerInfo& peer) const { return true; }


    virtual std::tr1::shared_ptr<AuthenticationSession> createSession(

        const std::tr1::shared_ptr<PeerInfo>& peer,

        std::tr1::shared_ptr<AuthenticationPluginControl> const & control,

        epics::pvData::PVStructure::shared_pointer const & data) = 0;

};


class epicsShareClass AuthenticationRegistry

{

    EPICS_NOT_COPYABLE(AuthenticationRegistry) // would need locking

public:

    POINTER_DEFINITIONS(AuthenticationRegistry);


private:

    typedef std::map<int, std::pair<std::string, AuthenticationPlugin::shared_pointer> > map_t;

    map_t map;

    mutable epicsMutex mutex;

public:

    typedef std::vector<map_t::mapped_type> list_t;


    static AuthenticationRegistry& clients();

    static AuthenticationRegistry& servers();


    AuthenticationRegistry() {}

    ~AuthenticationRegistry();


    void snapshot(list_t& plugmap) const;


    void add(int prio, const std::string& name, const AuthenticationPlugin::shared_pointer& plugin);

    bool remove(const AuthenticationPlugin::shared_pointer& plugin);

    AuthenticationPlugin::shared_pointer lookup(const std::string& name) const;

};


class epicsShareClass AuthorizationPlugin

{

public:

    POINTER_DEFINITIONS(AuthorizationPlugin);


    virtual ~AuthorizationPlugin();


    virtual void authorize(const std::tr1::shared_ptr<PeerInfo>& peer) =0;

};


class epicsShareClass AuthorizationRegistry

{

    EPICS_NOT_COPYABLE(AuthorizationRegistry)

public:

    POINTER_DEFINITIONS(AuthenticationRegistry);


    static AuthorizationRegistry &plugins();


    AuthorizationRegistry();

    ~AuthorizationRegistry();


private:

    typedef std::map<int, AuthorizationPlugin::shared_pointer> map_t;

    map_t map;

    size_t busy;

    mutable epicsMutex mutex;

public:


    void add(int prio, const AuthorizationPlugin::shared_pointer& plugin);

    bool remove(const AuthorizationPlugin::shared_pointer& plugin);

    void run(const std::tr1::shared_ptr<PeerInfo>& peer);

};


epicsShareFunc

void osdGetRoles(const std::string &account, PeerInfo::roles_t& roles);


}

}


#endif // SECURITY_H

string

perm_options::add
@ add

remove
constexpr _ForwardIterator remove(_ForwardIterator __first, _ForwardIterator __last, const _Tp &__value)

std::map

std::set

std::vector

epics::pvAccess::AuthenticationPluginControl
Callbacks for use by AuthenticationSession.
Definition security.h:177

epics::pvAccess::AuthenticationPluginControl::authenticationCompleted
virtual void authenticationCompleted(const epics::pvData::Status &status, const std::tr1::shared_ptr< PeerInfo > &peer)=0
Called by server plugin to indicate the the exchange has completed.

epics::pvAccess::AuthenticationPluginControl::sendSecurityPluginMessage
virtual void sendSecurityPluginMessage(epics::pvData::PVStructure::const_shared_pointer const &data)=0
Send AUTHZ to peer with payload.

epics::pvAccess::AuthenticationPlugin
Actor through which authentication exchanges are initiated.
Definition security.h:199

epics::pvAccess::AuthenticationPlugin::createSession
virtual std::tr1::shared_ptr< AuthenticationSession > createSession(const std::tr1::shared_ptr< PeerInfo > &peer, std::tr1::shared_ptr< AuthenticationPluginControl > const &control, epics::pvData::PVStructure::shared_pointer const &data)=0
Begin a new session with a peer.

epics::pvAccess::AuthenticationPlugin::isValidFor
virtual bool isValidFor(const PeerInfo &peer) const
Allow this plugin to be advertised to a particular peer.
Definition security.h:209

epics::pvAccess::AuthenticationRegistry
Registry(s) for plugins.
Definition security.h:229

epics::pvAccess::AuthenticationRegistry::remove
bool remove(const AuthenticationPlugin::shared_pointer &plugin)
Remove an existing entry. Remove true if the entry was actually removed.

epics::pvAccess::AuthenticationRegistry::servers
static AuthenticationRegistry & servers()
The server side of the conversation.

epics::pvAccess::AuthenticationRegistry::add
void add(int prio, const std::string &name, const AuthenticationPlugin::shared_pointer &plugin)
Add a new plugin to this registry.

epics::pvAccess::AuthenticationRegistry::snapshot
void snapshot(list_t &plugmap) const
Save a copy of the current registry in order of increasing priority.

epics::pvAccess::AuthenticationRegistry::clients
static AuthenticationRegistry & clients()
The client side of the conversation.

epics::pvAccess::AuthenticationRegistry::lookup
AuthenticationPlugin::shared_pointer lookup(const std::string &name) const
Fetch a single plugin explicitly by name.

epics::pvAccess::AuthenticationSession
A particular authentication exchange.
Definition security.h:152

epics::pvAccess::AuthenticationSession::authenticationComplete
virtual void authenticationComplete(const epics::pvData::Status &status)
For client plugins only.
Definition security.h:172

epics::pvAccess::AuthenticationSession::initializationData
virtual epics::pvData::PVStructure::const_shared_pointer initializationData()
For client plugins only, call to find the payload returned with CONNECTION_VALIDATION.
Definition security.h:160

epics::pvAccess::AuthenticationSession::messageReceived
virtual void messageReceived(epics::pvData::PVStructure::const_shared_pointer const &data)
Called when an AUTHZ message is recieved from the peer.
Definition security.h:166

epics::pvAccess::AuthorizationPlugin
I modify PeerInfo after authentication is complete.
Definition security.h:269

epics::pvAccess::AuthorizationPlugin::authorize
virtual void authorize(const std::tr1::shared_ptr< PeerInfo > &peer)=0
Hook to modify PeerInfo.

epics::pvData::Status

epics::pvAccess::osdGetRoles
void osdGetRoles(const std::string &account, PeerInfo::roles_t &roles)
Query OS specific DB for role/group names assocated with a user account.

epics
Copyright - See the COPYRIGHT that is included with this distribution.

epics::pvAccess::PeerInfo
Information provded by a client to a server-type ChannelProvider.
Definition security.h:119

epics::pvAccess::PeerInfo::roles
roles_t roles
Set of strings which may be used to modify access control decisions.
Definition security.h:135

epics::pvAccess::PeerInfo::aux
pvData::PVStructure::const_shared_pointer aux
NULL or extra authority specific information.
Definition security.h:131

epics::pvAccess::PeerInfo::peer
std::string peer
network address of remote peer. eg. "192.168.1.1:5075".
Definition security.h:124

epics::pvAccess::PeerInfo::realm
std::string realm
scope of authority. eg. "mylab.gov"
Definition security.h:127

epics::pvAccess::PeerInfo::identified
bool identified
Short-hand for authority!="anonymous".
Definition security.h:141

epics::pvAccess::PeerInfo::local
bool local
Short-hand for transport=="local".
Definition security.h:140

epics::pvAccess::PeerInfo::authority
std::string authority
authentication mechanism used. eg. "anonymous" or "gssapi". Must not be empty.
Definition security.h:126

epics::pvAccess::PeerInfo::transportVersion
unsigned transportVersion
If applicable, the protocol minor version number.
Definition security.h:137

epics::pvAccess::PeerInfo::account
std::string account
aka. user name
Definition security.h:128

epics::pvAccess::PeerInfo::transport
std::string transport
transport protocol used eg. "pva". Must not be empty.
Definition security.h:125