SecurityContext.hpp

Go to the documentation of this file.

/*
    Copyright (C) 2014-2016 Leosac

    This file is part of Leosac.

    Leosac is free software: you can redistribute it and/or modify
    it under the terms of the GNU Affero General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.

    Leosac is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
    GNU Affero General Public License for more details.

    You should have received a copy of the GNU Affero General Public License
    along with this program. If not, see <http://www.gnu.org/licenses/>.
*/

#pragma once

#include "core/audit/AuditFwd.hpp"
#include "core/auth/AuthFwd.hpp"
#include "core/credentials/CredentialFwd.hpp"
#include "hardware/HardwareFwd.hpp"
#include "tools/ToolsFwd.hpp"
#include "tools/db/db_fwd.hpp"

namespace Leosac
{
class SecurityContext
{
  public:
    // Forward declare the union so we can write cast operator.
    union ActionParam;
    enum class Action
    {
        IS_ADMIN,
        IS_MANAGER,


        USER_CREATE,
        USER_READ,
        USER_READ_EMAIL,
        USER_UPDATE,
        USER_CHANGE_PASSWORD,
        USER_SEARCH,

        USER_UPDATE_RANK,
        USER_MANAGE_VALIDITY,
        USER_DELETE,

        GROUP_CREATE,
        GROUP_READ,
        GROUP_UPDATE,
        GROUP_DELETE,
        GROUP_SEARCH,

        GROUP_LIST_MEMBERSHIP,
        GROUP_MEMBERSHIP_JOINED,
        GROUP_MEMBERSHIP_LEFT,
        MEMBERSHIP_READ,

        CREDENTIAL_READ,
        CREDENTIAL_UPDATE,
        CREDENTIAL_CREATE,
        CREDENTIAL_DELETE,

        SCHEDULE_READ,
        SCHEDULE_UPDATE,
        SCHEDULE_CREATE,
        SCHEDULE_DELETE,
        SCHEDULE_SEARCH,

        DOOR_READ,
        DOOR_UPDATE,
        DOOR_CREATE,
        DOOR_DELETE,
        DOOR_SEARCH,

        ACCESS_POINT_READ,
        ACCESS_POINT_CREATE,
        ACCESS_POINT_UPDATE,
        ACCESS_POINT_DELETE,
        ACCESS_POINT_SEARCH,

        ZONE_READ,
        ZONE_UPDATE,
        ZONE_CREATE,
        ZONE_DELETE,
        ZONE_SEARCH,

        SMTP_GETCONFIG,
        SMTP_SETCONFIG,
        SMTP_SENDMAIL,

        LOG_READ,

        AUDIT_READ,
        AUDIT_READ_FULL,

        ACCESS_OVERVIEW,

        RESTART_SERVER,

        HARDWARE_READ,
        HARDWARE_UPDATE,
        HARDWARE_CREATE,
        HARDWARE_DELETE,
        HARDWARE_SEARCH,
    };

    struct GroupActionParam
    {
        Auth::GroupId group_id;

        operator ActionParam();
    };

    struct UserActionParam
    {
        Auth::UserId user_id;

        operator ActionParam();
    };

    struct CredentialActionParam
    {
        Cred::CredentialId credential_id;

        operator ActionParam();
    };

    struct MembershipActionParam
    {
        Auth::UserGroupMembershipId membership_id;
        Auth::GroupId group_id; // for create/delete
        Auth::UserId user_id;   // for create/delete
        Auth::GroupRank rank;   // for create

        operator ActionParam();
    };

    struct ScheduleActionParam
    {
        Tools::ScheduleId schedule_id;

        operator ActionParam();
    };

    struct DoorActionParam
    {
        Auth::DoorId door_id;

        operator ActionParam();
    };

    struct ZoneActionParam
    {
        Auth::ZoneId zone_id;

        operator ActionParam();
    };

    struct AccessPointActionParam
    {
        Auth::AccessPointId ap_id;

        operator ActionParam();
    };

    struct HardwareDeviceActionParam
    {
        Hardware::DeviceId device_id;

        operator ActionParam();
    };

    union ActionParam {
        GroupActionParam group;
        MembershipActionParam membership;
        UserActionParam user;
        CredentialActionParam cred;
        ScheduleActionParam sched;
        DoorActionParam door;
        AccessPointActionParam access_point;
        ZoneActionParam zone;
        HardwareDeviceActionParam device;
    };

    explicit SecurityContext(DBServicePtr dbsrv);
    virtual ~SecurityContext() = default;

    virtual bool check_permission(Action a, const ActionParam &ap) const;

    bool check_permission(Action a) const;

    void enforce_permission(Action a, const ActionParam &ap) const;

    void enforce_permission(Action a) const;

  protected:
    DBServicePtr dbsrv_;

  private:
    virtual bool check_permission_impl(Action a, const ActionParam &ap) const = 0;
};

class SystemSecurityContext : public SecurityContext
{
  public:
    explicit SystemSecurityContext(DBServicePtr dbsrv);

    static SecurityContext &instance();
    virtual bool check_permission_impl(Action a,
                                       const ActionParam &ap) const override;
};

struct ExecutionContext
{
    explicit ExecutionContext(SecurityContext &sc);

    ExecutionContext(SecurityContext &sc, const Audit::IAuditEntryPtr &);


    SecurityContext &sec;

    Audit::IAuditEntryPtr audit;
};

struct SystemExecutionContext : public ExecutionContext
{
    SystemExecutionContext();
};
}