Leosac  0.8.0
Open Source Access Control
Classes | Public Types | Public Member Functions | Protected Attributes | Private Member Functions | List of all members
Leosac::SecurityContext Class Referenceabstract

A SecurityContext is used to query permission while doing an operation. More...

#include <SecurityContext.hpp>

+ Inheritance diagram for Leosac::SecurityContext:
+ Collaboration diagram for Leosac::SecurityContext:

Classes

struct  AccessPointActionParam
 
union  ActionParam
 
struct  CredentialActionParam
 
struct  DoorActionParam
 
struct  GroupActionParam
 
struct  HardwareDeviceActionParam
 
struct  MembershipActionParam
 
struct  ScheduleActionParam
 
struct  UserActionParam
 
struct  ZoneActionParam
 

Public Types

enum  Action {
  Action::IS_ADMIN, Action::IS_MANAGER, Action::USER_CREATE, Action::USER_READ,
  Action::USER_READ_EMAIL, Action::USER_UPDATE, Action::USER_CHANGE_PASSWORD, Action::USER_SEARCH,
  Action::USER_UPDATE_RANK, Action::USER_MANAGE_VALIDITY, Action::USER_DELETE, Action::GROUP_CREATE,
  Action::GROUP_READ, Action::GROUP_UPDATE, Action::GROUP_DELETE, Action::GROUP_SEARCH,
  Action::GROUP_LIST_MEMBERSHIP, Action::GROUP_MEMBERSHIP_JOINED, Action::GROUP_MEMBERSHIP_LEFT, Action::MEMBERSHIP_READ,
  Action::CREDENTIAL_READ, Action::CREDENTIAL_UPDATE, Action::CREDENTIAL_CREATE, Action::CREDENTIAL_DELETE,
  Action::SCHEDULE_READ, Action::SCHEDULE_UPDATE, Action::SCHEDULE_CREATE, Action::SCHEDULE_DELETE,
  Action::SCHEDULE_SEARCH, Action::DOOR_READ, Action::DOOR_UPDATE, Action::DOOR_CREATE,
  Action::DOOR_DELETE, Action::DOOR_SEARCH, Action::ACCESS_POINT_READ, Action::ACCESS_POINT_CREATE,
  Action::ACCESS_POINT_UPDATE, Action::ACCESS_POINT_DELETE, Action::ACCESS_POINT_SEARCH, Action::ZONE_READ,
  Action::ZONE_UPDATE, Action::ZONE_CREATE, Action::ZONE_DELETE, Action::ZONE_SEARCH,
  Action::SMTP_GETCONFIG, Action::SMTP_SETCONFIG, Action::SMTP_SENDMAIL, Action::LOG_READ,
  Action::AUDIT_READ, Action::AUDIT_READ_FULL, Action::ACCESS_OVERVIEW, Action::RESTART_SERVER,
  Action::HARDWARE_READ, Action::HARDWARE_UPDATE, Action::HARDWARE_CREATE, Action::HARDWARE_DELETE,
  Action::HARDWARE_SEARCH
}
 

Public Member Functions

 SecurityContext (DBServicePtr dbsrv)
 
virtual ~SecurityContext ()=default
 
virtual bool check_permission (Action a, const ActionParam &ap) const
 Check for the permission to perform action a with parameters ap. More...
 
bool check_permission (Action a) const
 Check for the permission to perform a given action. More...
 
void enforce_permission (Action a, const ActionParam &ap) const
 Similar to check_permission(), but throws is the permission is denied. More...
 
void enforce_permission (Action a) const
 Make sure that we have the permission to perform action a, otherwise throws. More...
 

Protected Attributes

DBServicePtr dbsrv_
 

Private Member Functions

virtual bool check_permission_impl (Action a, const ActionParam &ap) const =0
 Reimplement this method to provide permission checking. More...
 

Detailed Description

A SecurityContext is used to query permission while doing an operation.

For example, JSON serializers could use a SecurityContext to determine what to serialize.

todo: fix doc

Definition at line 40 of file SecurityContext.hpp.

Member Enumeration Documentation

◆ Action

enum Leosac::SecurityContext::Action
strong
Enumerator
IS_ADMIN 

A workaround permission that requires the user to be administrator.

IS_MANAGER 

Requires that the user be at least manager.

USER_CREATE 
USER_READ 
USER_READ_EMAIL 
USER_UPDATE 
USER_CHANGE_PASSWORD 
USER_SEARCH 
USER_UPDATE_RANK 

Editing rank means being able to become administrator.

USER_MANAGE_VALIDITY 

Can we enable/disable the user or change its validity period ?

USER_DELETE 
GROUP_CREATE 
GROUP_READ 
GROUP_UPDATE 
GROUP_DELETE 
GROUP_SEARCH 
GROUP_LIST_MEMBERSHIP 

Ability to list member of a group.

The ability to list membership gives USER_READ access against the user whose membership is listed.

GROUP_MEMBERSHIP_JOINED 
GROUP_MEMBERSHIP_LEFT 
MEMBERSHIP_READ 
CREDENTIAL_READ 
CREDENTIAL_UPDATE 
CREDENTIAL_CREATE 
CREDENTIAL_DELETE 
SCHEDULE_READ 
SCHEDULE_UPDATE 
SCHEDULE_CREATE 
SCHEDULE_DELETE 
SCHEDULE_SEARCH 
DOOR_READ 
DOOR_UPDATE 
DOOR_CREATE 
DOOR_DELETE 
DOOR_SEARCH 
ACCESS_POINT_READ 
ACCESS_POINT_CREATE 
ACCESS_POINT_UPDATE 
ACCESS_POINT_DELETE 
ACCESS_POINT_SEARCH 
ZONE_READ 
ZONE_UPDATE 
ZONE_CREATE 
ZONE_DELETE 
ZONE_SEARCH 
SMTP_GETCONFIG 

Retrieve SMTP configuration.

SMTP_SETCONFIG 

Edit the SMTP configuration.

SMTP_SENDMAIL 
LOG_READ 
AUDIT_READ 

Read the audit log.

AUDIT_READ_FULL 

Read the audit log and access additional information, such as the JSON "before" and "after" field.

ACCESS_OVERVIEW 

Overview of users/doors access permission.

RESTART_SERVER 

Perform to restart the Leosac server.

HARDWARE_READ 

Permissions for hardware devices.

For now all hardware devices share the same permission set. todo: Permission should probably redesigned in a more extensible way.

HARDWARE_UPDATE 
HARDWARE_CREATE 
HARDWARE_DELETE 
HARDWARE_SEARCH 

Definition at line 45 of file SecurityContext.hpp.

Constructor & Destructor Documentation

◆ SecurityContext()

SecurityContext::SecurityContext ( DBServicePtr  dbsrv)
explicit

Definition at line 25 of file SecurityContext.cpp.

◆ ~SecurityContext()

virtual Leosac::SecurityContext::~SecurityContext ( )
virtualdefault

Member Function Documentation

◆ check_permission() [1/2]

bool SecurityContext::check_permission ( SecurityContext::Action  a) const

Check for the permission to perform a given action.

Returns
true if permission is granted, false otherwise.

Definition at line 43 of file SecurityContext.cpp.

◆ check_permission() [2/2]

bool SecurityContext::check_permission ( SecurityContext::Action  a,
const ActionParam ap 
) const
virtual

Check for the permission to perform action a with parameters ap.

Returns true if the permission is granted, false otherwise.

Definition at line 30 of file SecurityContext.cpp.

◆ check_permission_impl()

virtual bool Leosac::SecurityContext::check_permission_impl ( Action  a,
const ActionParam ap 
) const
privatepure virtual

Reimplement this method to provide permission checking.

Implemented in Leosac::SystemSecurityContext, Leosac::NullSecurityContext, and Leosac::UserSecurityContext.

◆ enforce_permission() [1/2]

void SecurityContext::enforce_permission ( SecurityContext::Action  a) const

Make sure that we have the permission to perform action a, otherwise throws.

Definition at line 48 of file SecurityContext.cpp.

◆ enforce_permission() [2/2]

void SecurityContext::enforce_permission ( SecurityContext::Action  a,
const ActionParam ap 
) const

Similar to check_permission(), but throws is the permission is denied.

Definition at line 36 of file SecurityContext.cpp.

Member Data Documentation

◆ dbsrv_

DBServicePtr Leosac::SecurityContext::dbsrv_
protected

Definition at line 273 of file SecurityContext.hpp.

The documentation for this class was generated from the following files: