[omapd] r176 committed - Add metadata authorization layer for publish operations. Policies are...
1 view
Skip to first unread message
om...@googlecode.com
Feb 24, 2013, 5:36:24 PM2/24/13
to omapd...@googlegroups.com
Revision: 176
Author: sma...@gmail.com
Date: Sun Feb 24 14:35:44 2013
Log: Add metadata authorization layer for publish operations.
Policies are defined in omapd.conf and applied to client configurations.
http://code.google.com/p/omapd/source/detail?r=176
Modified:
/trunk/clientconfiguration.cpp
/trunk/clientconfiguration.h
/trunk/clienthandler.cpp
/trunk/clientparser.cpp
/trunk/mapclient.cpp
/trunk/mapclient.h
/trunk/mapsessions.cpp
/trunk/mapsessions.h
/trunk/omapd.conf
/trunk/omapdconfig.cpp
/trunk/omapdconfig.h
=======================================
--- /trunk/clientconfiguration.cpp Thu Jul 12 22:55:18 2012
+++ /trunk/clientconfiguration.cpp Sun Feb 24 14:35:44 2013
@@ -28,16 +28,17 @@
_authz = OmapdConfig::DenyAll;
}
-void ClientConfiguration::createBasicAuthClient(QString clientName,
QString username, QString password, OmapdConfig::AuthzOptions authz)
+void ClientConfiguration::createBasicAuthClient(QString clientName,
QString username, QString password, OmapdConfig::AuthzOptions authz,
QString metadataPolicy)
{
_authType = MapRequest::AuthBasic;
_authz = authz;
_name = clientName;
_username = username;
_password = password;
+ _metadataPolicy = metadataPolicy;
}
-void ClientConfiguration::createCertAuthClient(QString clientName, QString
certFile, QString caCertFile, OmapdConfig::AuthzOptions authz)
+void ClientConfiguration::createCertAuthClient(QString clientName, QString
certFile, QString caCertFile, OmapdConfig::AuthzOptions authz, QString
metadataPolicy)
{
_authType = MapRequest::AuthCert;
_authz = authz;
@@ -45,9 +46,10 @@
_certFileName = certFile;
_caCertFileName = caCertFile;
_haveClientCert = true;
+ _metadataPolicy = metadataPolicy;
}
-void ClientConfiguration::createCAAuthClient(QString clientPrefix, QString
issuingCACertFile, QString caCertFile, OmapdConfig::AuthzOptions authz)
+void ClientConfiguration::createCAAuthClient(QString clientPrefix, QString
issuingCACertFile, QString caCertFile, OmapdConfig::AuthzOptions authz,
QString metadataPolicy)
{
_authType = MapRequest::AuthCACert;
_authz = authz;
@@ -56,4 +58,5 @@
// In this case, _certFileName and _haveClientCert refer to the
issuingCACertFile
_certFileName = issuingCACertFile;
_haveClientCert = true;
+ _metadataPolicy = metadataPolicy;
}
=======================================
--- /trunk/clientconfiguration.h Thu Jul 12 22:55:18 2012
+++ /trunk/clientconfiguration.h Sun Feb 24 14:35:44 2013
@@ -29,10 +29,11 @@
{
public:
ClientConfiguration();
- void createBasicAuthClient(QString clientName, QString username,
QString password, OmapdConfig::AuthzOptions authz);
- void createCertAuthClient(QString clientName, QString certFile,
QString caCertFile, OmapdConfig::AuthzOptions authz);
- void createCAAuthClient(QString clientPrefix, QString
issuingCACertFile, QString caCertFile, OmapdConfig::AuthzOptions authz);
+ void createBasicAuthClient(QString clientName, QString username,
QString password, OmapdConfig::AuthzOptions authz, QString metadataPolicy);
+ void createCertAuthClient(QString clientName, QString certFile,
QString caCertFile, OmapdConfig::AuthzOptions authz, QString
metadataPolicy);
+ void createCAAuthClient(QString clientPrefix, QString
issuingCACertFile, QString caCertFile, OmapdConfig::AuthzOptions authz,
QString metadataPolicy);
+ QString metadataPolicy() { return _metadataPolicy; }
QString name() { return _name; }
QString username() { return _username; }
QString password() { return _password; }
@@ -43,6 +44,7 @@
OmapdConfig::AuthzOptions authz() { return _authz; }
private:
+ QString _metadataPolicy;
QString _username;
QString _password;
QString _certFileName;
=======================================
--- /trunk/clienthandler.cpp Thu Feb 21 17:10:53 2013
+++ /trunk/clienthandler.cpp Sun Feb 24 14:35:44 2013
@@ -841,7 +841,7 @@
keepMetaList = results.first;
deleteMetaList = results.second;
- if (metadataDeleted) {
+ if (metadataDeleted && !requestError) {
if
(_omapdConfig->valueFor("debug_level").value<OmapdConfig::IfmapDebugOptions>().testFlag(OmapdConfig::ShowClientOps))
{
qDebug() << __PRETTY_FUNCTION__ << ":"
<< "Updating map graph because metadata was deleted";
}
@@ -849,11 +849,24 @@
}
} else if (! existingMetaList.isEmpty()) {
- // Default 3rd parameter on replaceMeta (empty QList)
implies no meta to replace
- // No filter provided so we just delete all metadata
- _mapGraph->replaceMeta(pubOper._link, pubOper._isLink);
- metadataDeleted = true;
- deleteMetaList = existingMetaList;
+ QListIterator<Meta> metaListIt(existingMetaList);
+ while (metaListIt.hasNext() && !requestError) {
+ Meta aMeta = metaListIt.next();
+ if
(!_mapSessions->metadataAuthorizationForAuthToken(_authToken,
aMeta.elementName(), aMeta.elementNS())) {
+ if
(_omapdConfig->valueFor("debug_level").value<OmapdConfig::IfmapDebugOptions>().testFlag(OmapdConfig::ShowClientOps))
{
+ qDebug() << __PRETTY_FUNCTION__ << ":"
<< "Client not authorized to delete metadata";
+ }
+ requestError = MapRequest::IfmapAccessDenied;
+ }
+ }
+
+ if (!requestError) {
+ // Default 3rd parameter on replaceMeta (empty QList)
implies no meta to replace
+ // No filter provided so we just delete all metadata
+ _mapGraph->replaceMeta(pubOper._link, pubOper._isLink);
+ metadataDeleted = true;
+ deleteMetaList = existingMetaList;
+ }
} else {
if
(_omapdConfig->valueFor("debug_level").value<OmapdConfig::IfmapDebugOptions>().testFlag(OmapdConfig::ShowClientOps))
{
qDebug() << __PRETTY_FUNCTION__ << ":" << "No metadata
to delete!";
@@ -900,7 +913,7 @@
QString filter = Subscription::translateFilter(pubOper._deleteFilter);
QListIterator<Meta> metaListIt(existingMetaList);
- while (metaListIt.hasNext()) {
+ while (metaListIt.hasNext() && !requestError) {
Meta aMeta = metaListIt.next();
/* First need to know if the delete filter will match anything,
because if it does match, then we'll need to notify any
@@ -915,12 +928,20 @@
qDebug() << __PRETTY_FUNCTION__ << ":" << "Found Meta
to keep:" << aMeta.elementName();
}
} else {
- deleteMetaList.append(aMeta);
- if
(_omapdConfig->valueFor("debug_level").value<OmapdConfig::IfmapDebugOptions>().testFlag(OmapdConfig::ShowClientOps))
{
- qDebug() << __PRETTY_FUNCTION__ << ":" << "Meta will
be deleted:" << aMeta.elementName();
+ // Check metadata policy for client authorized to delete
this metadata
+ if
(_mapSessions->metadataAuthorizationForAuthToken(_authToken,
aMeta.elementName(), aMeta.elementNS())) {
+ deleteMetaList.append(aMeta);
+ if
(_omapdConfig->valueFor("debug_level").value<OmapdConfig::IfmapDebugOptions>().testFlag(OmapdConfig::ShowClientOps))
{
+ qDebug() << __PRETTY_FUNCTION__ << ":" << "Meta
will be deleted:" << aMeta.elementName();
+ }
+ // Delete matched something, so this may affect
subscriptions
+ *metadataDeleted = true;
+ } else {
+ if
(_omapdConfig->valueFor("debug_level").value<OmapdConfig::IfmapDebugOptions>().testFlag(OmapdConfig::ShowClientOps))
{
+ qDebug() << __PRETTY_FUNCTION__ << ":" << "Client
not authorized to delete metadata";
+ }
+ requestError = MapRequest::IfmapAccessDenied;
}
- // Delete matched something, so this may affect
subscriptions
- *metadataDeleted = true;
}
}
}
=======================================
--- /trunk/clientparser.cpp Thu Aug 23 16:39:33 2012
+++ /trunk/clientparser.cpp Sun Feb 24 14:35:44 2013
@@ -1282,6 +1282,15 @@
_requestError = MapRequest::IfmapInvalidMetadata;
_xml.raiseError("Metadata did not pass validation test");
}
+
+ QString authToken = ((ClientHandler*)this->parent())->authToken();
+ bool metaPolicy =
MapSessions::getInstance()->metadataAuthorizationForAuthToken(authToken,
metaName, metaNS);
+ if (!metaPolicy) {
+ pubReq.setRequestError(MapRequest::IfmapAccessDenied);
+ _requestError = MapRequest::IfmapAccessDenied;
+ _xml.raiseError("Client not authorized to publish metadata in
request");
+ }
+
}
// Can check metadata length here too
=======================================
--- /trunk/mapclient.cpp Tue Nov 15 10:21:53 2011
+++ /trunk/mapclient.cpp Sun Feb 24 14:35:44 2013
@@ -30,7 +30,7 @@
_hasActivePoll = false;
}
-MapClient::MapClient(QString authToken, MapRequest::AuthenticationType
authType, OmapdConfig::AuthzOptions authz, QString pubId)
+MapClient::MapClient(QString authToken, MapRequest::AuthenticationType
authType, OmapdConfig::AuthzOptions authz, QString pubId, QString
metadataPolicy)
{
_hasActiveSSRC = false;
_hasActiveARC = false;
@@ -39,4 +39,5 @@
_authType = authType;
_authz = authz;
_pubId = pubId;
+ _metadataPolicy = metadataPolicy;
}
=======================================
--- /trunk/mapclient.h Tue Nov 15 10:21:53 2011
+++ /trunk/mapclient.h Sun Feb 24 14:35:44 2013
@@ -32,12 +32,17 @@
// that return a default constructed value
MapClient();
- MapClient(QString authToken, MapRequest::AuthenticationType authType,
OmapdConfig::AuthzOptions authz, QString pubId);
+ MapClient(QString authToken,
+ MapRequest::AuthenticationType authType,
+ OmapdConfig::AuthzOptions authz,
+ QString pubId,
+ QString metadataPolicy);
QString pubId() const { return _pubId; }
QString authToken() const { return _authToken; }
MapRequest::AuthenticationType authType() const { return _authType; }
OmapdConfig::AuthzOptions authz() const { return _authz; }
+ QString metadataPolicy() const { return _metadataPolicy; }
QString sessId() const { return _sessId; }
bool hasActiveSSRC() const { return _hasActiveSSRC; }
@@ -58,6 +63,7 @@
QString _authToken;
MapRequest::AuthenticationType _authType;
OmapdConfig::AuthzOptions _authz;
+ QString _metadataPolicy;
QString _sessId;
bool _hasActiveSSRC;
=======================================
--- /trunk/mapsessions.cpp Wed Oct 31 14:20:35 2012
+++ /trunk/mapsessions.cpp Sun Feb 24 14:35:44 2013
@@ -135,25 +135,27 @@
if (clientConfigOk) {
if (client->authType() == MapRequest::AuthCACert) {
- MapClient mapClient(authToken, client->authType(),
client->authz(), "");
+ MapClient mapClient(authToken, client->authType(),
client->authz(), "", client->metadataPolicy());
_mapClientCAs.insert(authToken, mapClient);
if
(_omapdConfig->valueFor("debug_level").value<OmapdConfig::IfmapDebugOptions>().testFlag(OmapdConfig::ShowClientOps))
{
qDebug() << __PRETTY_FUNCTION__ << ":" << "Created CA
Authentication MapClient for configuration named:" << client->name()
<< "authToken:" << authToken
- << "authz:" << client->authz();
+ << "authz:" << client->authz()
+ << "metadataPolicy" <<
client->metadataPolicy();
}
} else {
// Create a new publisher-id for this client
QString pubId;
pubId.setNum(_pubIdIndex++);
- MapClient mapClient(authToken, client->authType(),
client->authz(), pubId);
+ MapClient mapClient(authToken, client->authType(),
client->authz(), pubId, client->metadataPolicy());
_mapClients.insert(authToken, mapClient);
if
(_omapdConfig->valueFor("debug_level").value<OmapdConfig::IfmapDebugOptions>().testFlag(OmapdConfig::ShowClientOps))
{
qDebug() << __PRETTY_FUNCTION__ << ":" << "Created
MapClient for client configuration named:" << client->name()
<< "with publisher-id:" << pubId
<< "authToken:" << authToken
- << "authz:" << client->authz();
+ << "authz:" << client->authz()
+ << "metadataPolicy:" <<
client->metadataPolicy();
}
}
} else {
@@ -213,7 +215,8 @@
pubId.setNum(_pubIdIndex++);
// Set the client authorization as determined by CA Cert
setting
OmapdConfig::AuthzOptions authz =
_mapClientCAs.value(compToken.last()).authz();
- MapClient client(authToken, authType, authz, pubId);
+ QString metadataPolicy =
_mapClientCAs.value(compToken.last()).metadataPolicy();
+ MapClient client(authToken, authType, authz, pubId,
metadataPolicy);
_mapClients.insert(authToken, client);
registered = true;
@@ -225,7 +228,8 @@
// Create a new publisher-id for this client
pubId.setNum(_pubIdIndex++);
OmapdConfig::AuthzOptions authz =
_omapdConfig->valueFor("default_authorization").value<OmapdConfig::AuthzOptions>();
- MapClient client(authToken, authType, authz, pubId);
+ // TODO: Allow application of metadataPolicy to clients
created this way
+ MapClient client(authToken, authType, authz, pubId, "");
_mapClients.insert(authToken, client);
registered = true;
@@ -343,6 +347,36 @@
}
return authz;
}
+
+bool MapSessions::metadataAuthorizationForAuthToken(QString authToken,
QString metaName, QString metaNamespace)
+{
+ bool clientAuthorized = false;
+ if (_mapClients.contains(authToken)) {
+ QString policyName = _mapClients.value(authToken).metadataPolicy();
+
+ if (policyName.isEmpty()) {
+ // No policy defined for client
+ clientAuthorized = true;
+ } else {
+ QList<VSM> metaAllowed =
_omapdConfig->metadataPolicies().values(policyName);
+ QListIterator<VSM> i(metaAllowed);
+ while (i.hasNext() && !clientAuthorized) {
+ VSM metaAllowed = i.next();
+ if (metaAllowed.first == metaName && metaAllowed.second ==
metaNamespace) {
+ clientAuthorized = true;
+ }
+ }
+ }
+
+ if
(_omapdConfig->valueFor("debug_level").value<OmapdConfig::IfmapDebugOptions>().testFlag(OmapdConfig::ShowClientOps))
{
+ qDebug() << __PRETTY_FUNCTION__ << ":" << "Client
authorization for:"
+ << metaNamespace << ":" << metaName
+ << ":" << clientAuthorized;
+ }
+ }
+
+ return clientAuthorized;
+}
bool MapSessions::haveActivePollForClient(QString authToken)
{
=======================================
--- /trunk/mapsessions.h Tue Jul 17 15:01:45 2012
+++ /trunk/mapsessions.h Sun Feb 24 14:35:44 2013
@@ -32,8 +32,6 @@
#include "server.h"
#include "clienthandler.h"
-typedef QPair<QString, QString> VSM;
-
class MapClient;
class MapSessions : public QObject
@@ -67,6 +65,7 @@
QString pubIdForAuthToken(QString authToken);
QString pubIdForSessId(QString sessId);
OmapdConfig::AuthzOptions authzForAuthToken(QString authToken);
+ bool metadataAuthorizationForAuthToken(QString authToken, QString
metaName, QString metaNamespace);
QList<Subscription> subscriptionListForClient(QString authToken);
QList<Subscription> removeSubscriptionListForClient(QString authToken);
@@ -88,7 +87,6 @@
QHash<QString, MapClient> _mapClients; // authToken --> MapClient
QHash<QString, MapClient> _mapClientCAs; // CA AuthToken --> MapClient
-
// Registry for published vendor specific metadata cardinalities
QHash<VSM, Meta::Cardinality> _vsmRegistry;
=======================================
--- /trunk/omapd.conf Thu Jan 3 16:44:35 2013
+++ /trunk/omapd.conf Sun Feb 24 14:35:44 2013
@@ -119,6 +119,22 @@
<send_tcp_keepalives enable="no"/>
</service_configuration>
+ <!-- Define metadata policies to apply to clients for publish operations.
+ These policies must each have a unique name and the policies must
be defined
+ prior to using the policies in client definitions.
+ -->
+ <metadata_policies>
+ <metadata_policy name="policy1">
+ <metadata name="metaname1" metaNS="meta.ns.1"/>
+ </metadata_policy>
+ <metadata_policy name="policy2">
+ <metadata name="metaname1" metaNS="meta.ns.1"/>
+ <metadata name="metaname2" metaNS="meta.ns.1"/>
+ <metadata name="metaname3" metaNS="meta.ns.1"/>
+ <metadata name="metaname3" metaNS="meta.ns.2"/>
+ </metadata_policy>
+ </metadata_policies>
+
<!-- Define specific authorized clients
The default authorization for all clients can be specified with the
default-authorization attribute. The default value for the
default-authorization
@@ -150,9 +166,14 @@
<username>reader</username>
<password>reader</password>
</client>
+ <!-- policy-constrained client with basic auth -->
+ <client name="client3" authorization="1F" authentication="basic"
metadata_policy="policy1">
+ <username>policy</username>
+ <password>policy</password>
+ </client>
<!-- read-only client with cert auth -->
<!--
- <client name="client4" authorization="0E" authentication="certificate">
+ <client name="client4" authorization="0E" authentication="certificate"
metadata_policy="policy1">
<certificate_file format="pem">filename</certificate_file>
<ca_certificates_file format="pem">cacerts.pem</ca_certificates_file>
</client>
@@ -163,7 +184,7 @@
included in the CA Certificates file.
-->
<!--
- <client name="ca-client-" authorization="1F"
authentication="ca-certificate">
+ <client name="ca-client-" authorization="1F"
authentication="ca-certificate" metadata_policy="policy2">
<issuing_ca_certificate_file
format="pem">issuing-cacert.pem</issuing_ca_certificate_file>
<ca_certificates_file
format="pem">client-cacert.pem</ca_certificates_file>
</client>
=======================================
--- /trunk/omapdconfig.cpp Thu Jan 3 16:44:35 2013
+++ /trunk/omapdconfig.cpp Sun Feb 24 14:35:44 2013
@@ -220,6 +220,17 @@
}
qDebug() << fnName << "Num client configurations loaded:" <<
_clientConfigurations.count();
+
+ qDebug() << fnName << "Number of metadata policy definitions:" <<
_metadataPolicies.uniqueKeys().size();
+ QHashIterator<QString, VSM> i(_metadataPolicies);
+ while (i.hasNext()) {
+ i.next();
+ QString policyName = i.key();
+ VSM metadataPolicy = i.value();
+ qDebug() << fnName << " policy:" << policyName
+ << "metadata:" << metadataPolicy.first
+ << "namespace:" << metadataPolicy.second;
+ }
}
bool OmapdConfig::readConfigXML(QIODevice *device)
@@ -390,6 +401,64 @@
}
xmlReader.readNext();
} // service_configuration
+ } else if (xmlReader.name() == "metadata_policies") {
+ bool policiesDone = false;
+ while (!xmlReader.atEnd() && !policiesDone) {
+ xmlReader.readNext();
+
+ if (xmlReader.isStartElement() && xmlReader.name()
== "metadata_policy") {
+ QString policyName;
+ if
(xmlReader.attributes().hasAttribute("name")) {
+ policyName =
xmlReader.attributes().value("name").toString();
+ } else {
+ xmlReader.raiseError(QObject::tr("name
attribute not specified for policy"));
+ }
+ if (policyName.isEmpty()) {
+ xmlReader.raiseError(QObject::tr("invalid
policy name attribute"));
+ }
+
+ bool metadataDone = false;
+ while (!xmlReader.atEnd() && !metadataDone) {
+ xmlReader.readNext();
+
+ if (xmlReader.isStartElement() &&
xmlReader.name() == "metadata") {
+ QString metadataName;
+ if
(xmlReader.attributes().hasAttribute("name")) {
+ metadataName =
xmlReader.attributes().value("name").toString();
+ } else {
+
xmlReader.raiseError(QObject::tr("name attribute not specified for
metadata"));
+ }
+ QString metadataNamespace;
+ if
(xmlReader.attributes().hasAttribute("metaNS")) {
+ metadataNamespace =
xmlReader.attributes().value("metaNS").toString();
+ } else {
+
xmlReader.raiseError(QObject::tr("namespace attribute not specified for
metadata"));
+ }
+
+ if (metadataName.isEmpty() ||
metadataNamespace.isEmpty()) {
+
xmlReader.raiseError(QObject::tr("metadata name or namespace attribute not
specified"));
+ }
+ VSM mpol;
+ mpol.first = metadataName;
+ mpol.second = metadataNamespace;
+ _metadataPolicies.insert(policyName,
mpol);
+ }
+
+ if (xmlReader.tokenType() ==
QXmlStreamReader::EndElement &&
+ xmlReader.name()
== "metadata_policy") {
+ metadataDone = true;
+ }
+ }
+ // End while (metadata)
+ }
+
+ if (xmlReader.tokenType() ==
QXmlStreamReader::EndElement &&
+ xmlReader.name() == "metadata_policies") {
+ policiesDone = true;
+ }
+ }
+ // End while (metadata_policies
+
} else if (xmlReader.name() == "client_configuration") {
QVariant defaultAuthzVar;
if
(xmlReader.attributes().hasAttribute("default-authorization")) {
@@ -397,7 +466,7 @@
unsigned int authzVal =
xmlReader.attributes().value("default-authorization").toString().toUInt(&ok,
16);
if (ok) {
defaultAuthzVar.setValue(authzVal);
- addConfigItem("default_authorization", defaultAuthzVar);
+ addConfigItem("default_authorization",
defaultAuthzVar);
}
}
@@ -409,6 +478,7 @@
unsigned int clientAuthz =
_omapdConfig.value("default_authorization").toUInt();
QString clientName;
QString authType;
+ QString metadataPolicy;
if
(xmlReader.attributes().hasAttribute("name")) {
clientName =
xmlReader.attributes().value("name").toString();
} else {
@@ -426,7 +496,12 @@
} else {
xmlReader.raiseError(QObject::tr("authentication attribute not specified
for client"));
}
-
+ if
(xmlReader.attributes().hasAttribute("metadata_policy")) {
+ metadataPolicy =
xmlReader.attributes().value("metadata_policy").toString();
+ if
(!_metadataPolicies.contains(metadataPolicy)) {
+
xmlReader.raiseError(QObject::tr("metadata_policy not found for client"));
+ }
+ }
xmlReader.readNextStartElement();
if (authType == "basic") {
@@ -447,7 +522,11 @@
if (haveUsername && havePassword) {
// Create client
ClientConfiguration *clientConfig =
new ClientConfiguration();
-
clientConfig->createBasicAuthClient(clientName, username, password,
OmapdConfig::authzOptions(clientAuthz));
+
clientConfig->createBasicAuthClient(clientName,
+
username,
+
password,
+
OmapdConfig::authzOptions(clientAuthz),
+
metadataPolicy);
_clientConfigurations.append(clientConfig);
}
} else if (authType == "certificate") {
@@ -472,7 +551,11 @@
if (haveCACertFile && haveClientCertFile) {
// Create client
ClientConfiguration *clientConfig =
new ClientConfiguration();
-
clientConfig->createCertAuthClient(clientName, certFileName,
caCertFileName, OmapdConfig::authzOptions(clientAuthz));
+
clientConfig->createCertAuthClient(clientName,
+
certFileName,
+
caCertFileName,
+
OmapdConfig::authzOptions(clientAuthz),
+
metadataPolicy);
_clientConfigurations.append(clientConfig);
}
@@ -498,7 +581,11 @@
if (haveCACertFile &&
haveIssuingCACertFile) {
// Create client
ClientConfiguration *clientConfig =
new ClientConfiguration();
-
clientConfig->createCAAuthClient(clientName, issuingCaCertFileName,
caCertFileName, OmapdConfig::authzOptions(clientAuthz));
+
clientConfig->createCAAuthClient(clientName,
+
issuingCaCertFileName,
+
caCertFileName,
+
OmapdConfig::authzOptions(clientAuthz),
+
metadataPolicy);
_clientConfigurations.append(clientConfig);
}
=======================================
--- /trunk/omapdconfig.h Thu Jan 3 16:44:35 2013
+++ /trunk/omapdconfig.h Sun Feb 24 14:35:44 2013
@@ -26,6 +26,8 @@
class ClientConfiguration;
+typedef QPair<QString, QString> VSM; // elementName, elementNamespace
+
class OmapdConfig : public QObject
{
Q_OBJECT
@@ -80,6 +82,7 @@
void showConfigValues();
QList<ClientConfiguration *> clientConfigurations() { return
_clientConfigurations; }
+ QMultiHash<QString, VSM> metadataPolicies() { return
_metadataPolicies; }
int readConfigFile(QString configFileName = "omapd.conf");
@@ -95,6 +98,7 @@
QMap<QString,QVariant> _omapdConfig;
QList<ClientConfiguration *> _clientConfigurations;
+ QMultiHash<QString,VSM> _metadataPolicies; // policyName, (metaName,
metaNS)
};
Q_DECLARE_OPERATORS_FOR_FLAGS(OmapdConfig::IfmapDebugOptions)
Q_DECLARE_OPERATORS_FOR_FLAGS(OmapdConfig::MapVersionSupportOptions)
Author: sma...@gmail.com
Date: Sun Feb 24 14:35:44 2013
Log: Add metadata authorization layer for publish operations.
Policies are defined in omapd.conf and applied to client configurations.
http://code.google.com/p/omapd/source/detail?r=176
Modified:
/trunk/clientconfiguration.cpp
/trunk/clientconfiguration.h
/trunk/clienthandler.cpp
/trunk/clientparser.cpp
/trunk/mapclient.cpp
/trunk/mapclient.h
/trunk/mapsessions.cpp
/trunk/mapsessions.h
/trunk/omapd.conf
/trunk/omapdconfig.cpp
/trunk/omapdconfig.h
=======================================
--- /trunk/clientconfiguration.cpp Thu Jul 12 22:55:18 2012
+++ /trunk/clientconfiguration.cpp Sun Feb 24 14:35:44 2013
@@ -28,16 +28,17 @@
_authz = OmapdConfig::DenyAll;
}
-void ClientConfiguration::createBasicAuthClient(QString clientName,
QString username, QString password, OmapdConfig::AuthzOptions authz)
+void ClientConfiguration::createBasicAuthClient(QString clientName,
QString username, QString password, OmapdConfig::AuthzOptions authz,
QString metadataPolicy)
{
_authType = MapRequest::AuthBasic;
_authz = authz;
_name = clientName;
_username = username;
_password = password;
+ _metadataPolicy = metadataPolicy;
}
-void ClientConfiguration::createCertAuthClient(QString clientName, QString
certFile, QString caCertFile, OmapdConfig::AuthzOptions authz)
+void ClientConfiguration::createCertAuthClient(QString clientName, QString
certFile, QString caCertFile, OmapdConfig::AuthzOptions authz, QString
metadataPolicy)
{
_authType = MapRequest::AuthCert;
_authz = authz;
@@ -45,9 +46,10 @@
_certFileName = certFile;
_caCertFileName = caCertFile;
_haveClientCert = true;
+ _metadataPolicy = metadataPolicy;
}
-void ClientConfiguration::createCAAuthClient(QString clientPrefix, QString
issuingCACertFile, QString caCertFile, OmapdConfig::AuthzOptions authz)
+void ClientConfiguration::createCAAuthClient(QString clientPrefix, QString
issuingCACertFile, QString caCertFile, OmapdConfig::AuthzOptions authz,
QString metadataPolicy)
{
_authType = MapRequest::AuthCACert;
_authz = authz;
@@ -56,4 +58,5 @@
// In this case, _certFileName and _haveClientCert refer to the
issuingCACertFile
_certFileName = issuingCACertFile;
_haveClientCert = true;
+ _metadataPolicy = metadataPolicy;
}
=======================================
--- /trunk/clientconfiguration.h Thu Jul 12 22:55:18 2012
+++ /trunk/clientconfiguration.h Sun Feb 24 14:35:44 2013
@@ -29,10 +29,11 @@
{
public:
ClientConfiguration();
- void createBasicAuthClient(QString clientName, QString username,
QString password, OmapdConfig::AuthzOptions authz);
- void createCertAuthClient(QString clientName, QString certFile,
QString caCertFile, OmapdConfig::AuthzOptions authz);
- void createCAAuthClient(QString clientPrefix, QString
issuingCACertFile, QString caCertFile, OmapdConfig::AuthzOptions authz);
+ void createBasicAuthClient(QString clientName, QString username,
QString password, OmapdConfig::AuthzOptions authz, QString metadataPolicy);
+ void createCertAuthClient(QString clientName, QString certFile,
QString caCertFile, OmapdConfig::AuthzOptions authz, QString
metadataPolicy);
+ void createCAAuthClient(QString clientPrefix, QString
issuingCACertFile, QString caCertFile, OmapdConfig::AuthzOptions authz,
QString metadataPolicy);
+ QString metadataPolicy() { return _metadataPolicy; }
QString name() { return _name; }
QString username() { return _username; }
QString password() { return _password; }
@@ -43,6 +44,7 @@
OmapdConfig::AuthzOptions authz() { return _authz; }
private:
+ QString _metadataPolicy;
QString _username;
QString _password;
QString _certFileName;
=======================================
--- /trunk/clienthandler.cpp Thu Feb 21 17:10:53 2013
+++ /trunk/clienthandler.cpp Sun Feb 24 14:35:44 2013
@@ -841,7 +841,7 @@
keepMetaList = results.first;
deleteMetaList = results.second;
- if (metadataDeleted) {
+ if (metadataDeleted && !requestError) {
if
(_omapdConfig->valueFor("debug_level").value<OmapdConfig::IfmapDebugOptions>().testFlag(OmapdConfig::ShowClientOps))
{
qDebug() << __PRETTY_FUNCTION__ << ":"
<< "Updating map graph because metadata was deleted";
}
@@ -849,11 +849,24 @@
}
} else if (! existingMetaList.isEmpty()) {
- // Default 3rd parameter on replaceMeta (empty QList)
implies no meta to replace
- // No filter provided so we just delete all metadata
- _mapGraph->replaceMeta(pubOper._link, pubOper._isLink);
- metadataDeleted = true;
- deleteMetaList = existingMetaList;
+ QListIterator<Meta> metaListIt(existingMetaList);
+ while (metaListIt.hasNext() && !requestError) {
+ Meta aMeta = metaListIt.next();
+ if
(!_mapSessions->metadataAuthorizationForAuthToken(_authToken,
aMeta.elementName(), aMeta.elementNS())) {
+ if
(_omapdConfig->valueFor("debug_level").value<OmapdConfig::IfmapDebugOptions>().testFlag(OmapdConfig::ShowClientOps))
{
+ qDebug() << __PRETTY_FUNCTION__ << ":"
<< "Client not authorized to delete metadata";
+ }
+ requestError = MapRequest::IfmapAccessDenied;
+ }
+ }
+
+ if (!requestError) {
+ // Default 3rd parameter on replaceMeta (empty QList)
implies no meta to replace
+ // No filter provided so we just delete all metadata
+ _mapGraph->replaceMeta(pubOper._link, pubOper._isLink);
+ metadataDeleted = true;
+ deleteMetaList = existingMetaList;
+ }
} else {
if
(_omapdConfig->valueFor("debug_level").value<OmapdConfig::IfmapDebugOptions>().testFlag(OmapdConfig::ShowClientOps))
{
qDebug() << __PRETTY_FUNCTION__ << ":" << "No metadata
to delete!";
@@ -900,7 +913,7 @@
QString filter = Subscription::translateFilter(pubOper._deleteFilter);
QListIterator<Meta> metaListIt(existingMetaList);
- while (metaListIt.hasNext()) {
+ while (metaListIt.hasNext() && !requestError) {
Meta aMeta = metaListIt.next();
/* First need to know if the delete filter will match anything,
because if it does match, then we'll need to notify any
@@ -915,12 +928,20 @@
qDebug() << __PRETTY_FUNCTION__ << ":" << "Found Meta
to keep:" << aMeta.elementName();
}
} else {
- deleteMetaList.append(aMeta);
- if
(_omapdConfig->valueFor("debug_level").value<OmapdConfig::IfmapDebugOptions>().testFlag(OmapdConfig::ShowClientOps))
{
- qDebug() << __PRETTY_FUNCTION__ << ":" << "Meta will
be deleted:" << aMeta.elementName();
+ // Check metadata policy for client authorized to delete
this metadata
+ if
(_mapSessions->metadataAuthorizationForAuthToken(_authToken,
aMeta.elementName(), aMeta.elementNS())) {
+ deleteMetaList.append(aMeta);
+ if
(_omapdConfig->valueFor("debug_level").value<OmapdConfig::IfmapDebugOptions>().testFlag(OmapdConfig::ShowClientOps))
{
+ qDebug() << __PRETTY_FUNCTION__ << ":" << "Meta
will be deleted:" << aMeta.elementName();
+ }
+ // Delete matched something, so this may affect
subscriptions
+ *metadataDeleted = true;
+ } else {
+ if
(_omapdConfig->valueFor("debug_level").value<OmapdConfig::IfmapDebugOptions>().testFlag(OmapdConfig::ShowClientOps))
{
+ qDebug() << __PRETTY_FUNCTION__ << ":" << "Client
not authorized to delete metadata";
+ }
+ requestError = MapRequest::IfmapAccessDenied;
}
- // Delete matched something, so this may affect
subscriptions
- *metadataDeleted = true;
}
}
}
=======================================
--- /trunk/clientparser.cpp Thu Aug 23 16:39:33 2012
+++ /trunk/clientparser.cpp Sun Feb 24 14:35:44 2013
@@ -1282,6 +1282,15 @@
_requestError = MapRequest::IfmapInvalidMetadata;
_xml.raiseError("Metadata did not pass validation test");
}
+
+ QString authToken = ((ClientHandler*)this->parent())->authToken();
+ bool metaPolicy =
MapSessions::getInstance()->metadataAuthorizationForAuthToken(authToken,
metaName, metaNS);
+ if (!metaPolicy) {
+ pubReq.setRequestError(MapRequest::IfmapAccessDenied);
+ _requestError = MapRequest::IfmapAccessDenied;
+ _xml.raiseError("Client not authorized to publish metadata in
request");
+ }
+
}
// Can check metadata length here too
=======================================
--- /trunk/mapclient.cpp Tue Nov 15 10:21:53 2011
+++ /trunk/mapclient.cpp Sun Feb 24 14:35:44 2013
@@ -30,7 +30,7 @@
_hasActivePoll = false;
}
-MapClient::MapClient(QString authToken, MapRequest::AuthenticationType
authType, OmapdConfig::AuthzOptions authz, QString pubId)
+MapClient::MapClient(QString authToken, MapRequest::AuthenticationType
authType, OmapdConfig::AuthzOptions authz, QString pubId, QString
metadataPolicy)
{
_hasActiveSSRC = false;
_hasActiveARC = false;
@@ -39,4 +39,5 @@
_authType = authType;
_authz = authz;
_pubId = pubId;
+ _metadataPolicy = metadataPolicy;
}
=======================================
--- /trunk/mapclient.h Tue Nov 15 10:21:53 2011
+++ /trunk/mapclient.h Sun Feb 24 14:35:44 2013
@@ -32,12 +32,17 @@
// that return a default constructed value
MapClient();
- MapClient(QString authToken, MapRequest::AuthenticationType authType,
OmapdConfig::AuthzOptions authz, QString pubId);
+ MapClient(QString authToken,
+ MapRequest::AuthenticationType authType,
+ OmapdConfig::AuthzOptions authz,
+ QString pubId,
+ QString metadataPolicy);
QString pubId() const { return _pubId; }
QString authToken() const { return _authToken; }
MapRequest::AuthenticationType authType() const { return _authType; }
OmapdConfig::AuthzOptions authz() const { return _authz; }
+ QString metadataPolicy() const { return _metadataPolicy; }
QString sessId() const { return _sessId; }
bool hasActiveSSRC() const { return _hasActiveSSRC; }
@@ -58,6 +63,7 @@
QString _authToken;
MapRequest::AuthenticationType _authType;
OmapdConfig::AuthzOptions _authz;
+ QString _metadataPolicy;
QString _sessId;
bool _hasActiveSSRC;
=======================================
--- /trunk/mapsessions.cpp Wed Oct 31 14:20:35 2012
+++ /trunk/mapsessions.cpp Sun Feb 24 14:35:44 2013
@@ -135,25 +135,27 @@
if (clientConfigOk) {
if (client->authType() == MapRequest::AuthCACert) {
- MapClient mapClient(authToken, client->authType(),
client->authz(), "");
+ MapClient mapClient(authToken, client->authType(),
client->authz(), "", client->metadataPolicy());
_mapClientCAs.insert(authToken, mapClient);
if
(_omapdConfig->valueFor("debug_level").value<OmapdConfig::IfmapDebugOptions>().testFlag(OmapdConfig::ShowClientOps))
{
qDebug() << __PRETTY_FUNCTION__ << ":" << "Created CA
Authentication MapClient for configuration named:" << client->name()
<< "authToken:" << authToken
- << "authz:" << client->authz();
+ << "authz:" << client->authz()
+ << "metadataPolicy" <<
client->metadataPolicy();
}
} else {
// Create a new publisher-id for this client
QString pubId;
pubId.setNum(_pubIdIndex++);
- MapClient mapClient(authToken, client->authType(),
client->authz(), pubId);
+ MapClient mapClient(authToken, client->authType(),
client->authz(), pubId, client->metadataPolicy());
_mapClients.insert(authToken, mapClient);
if
(_omapdConfig->valueFor("debug_level").value<OmapdConfig::IfmapDebugOptions>().testFlag(OmapdConfig::ShowClientOps))
{
qDebug() << __PRETTY_FUNCTION__ << ":" << "Created
MapClient for client configuration named:" << client->name()
<< "with publisher-id:" << pubId
<< "authToken:" << authToken
- << "authz:" << client->authz();
+ << "authz:" << client->authz()
+ << "metadataPolicy:" <<
client->metadataPolicy();
}
}
} else {
@@ -213,7 +215,8 @@
pubId.setNum(_pubIdIndex++);
// Set the client authorization as determined by CA Cert
setting
OmapdConfig::AuthzOptions authz =
_mapClientCAs.value(compToken.last()).authz();
- MapClient client(authToken, authType, authz, pubId);
+ QString metadataPolicy =
_mapClientCAs.value(compToken.last()).metadataPolicy();
+ MapClient client(authToken, authType, authz, pubId,
metadataPolicy);
_mapClients.insert(authToken, client);
registered = true;
@@ -225,7 +228,8 @@
// Create a new publisher-id for this client
pubId.setNum(_pubIdIndex++);
OmapdConfig::AuthzOptions authz =
_omapdConfig->valueFor("default_authorization").value<OmapdConfig::AuthzOptions>();
- MapClient client(authToken, authType, authz, pubId);
+ // TODO: Allow application of metadataPolicy to clients
created this way
+ MapClient client(authToken, authType, authz, pubId, "");
_mapClients.insert(authToken, client);
registered = true;
@@ -343,6 +347,36 @@
}
return authz;
}
+
+bool MapSessions::metadataAuthorizationForAuthToken(QString authToken,
QString metaName, QString metaNamespace)
+{
+ bool clientAuthorized = false;
+ if (_mapClients.contains(authToken)) {
+ QString policyName = _mapClients.value(authToken).metadataPolicy();
+
+ if (policyName.isEmpty()) {
+ // No policy defined for client
+ clientAuthorized = true;
+ } else {
+ QList<VSM> metaAllowed =
_omapdConfig->metadataPolicies().values(policyName);
+ QListIterator<VSM> i(metaAllowed);
+ while (i.hasNext() && !clientAuthorized) {
+ VSM metaAllowed = i.next();
+ if (metaAllowed.first == metaName && metaAllowed.second ==
metaNamespace) {
+ clientAuthorized = true;
+ }
+ }
+ }
+
+ if
(_omapdConfig->valueFor("debug_level").value<OmapdConfig::IfmapDebugOptions>().testFlag(OmapdConfig::ShowClientOps))
{
+ qDebug() << __PRETTY_FUNCTION__ << ":" << "Client
authorization for:"
+ << metaNamespace << ":" << metaName
+ << ":" << clientAuthorized;
+ }
+ }
+
+ return clientAuthorized;
+}
bool MapSessions::haveActivePollForClient(QString authToken)
{
=======================================
--- /trunk/mapsessions.h Tue Jul 17 15:01:45 2012
+++ /trunk/mapsessions.h Sun Feb 24 14:35:44 2013
@@ -32,8 +32,6 @@
#include "server.h"
#include "clienthandler.h"
-typedef QPair<QString, QString> VSM;
-
class MapClient;
class MapSessions : public QObject
@@ -67,6 +65,7 @@
QString pubIdForAuthToken(QString authToken);
QString pubIdForSessId(QString sessId);
OmapdConfig::AuthzOptions authzForAuthToken(QString authToken);
+ bool metadataAuthorizationForAuthToken(QString authToken, QString
metaName, QString metaNamespace);
QList<Subscription> subscriptionListForClient(QString authToken);
QList<Subscription> removeSubscriptionListForClient(QString authToken);
@@ -88,7 +87,6 @@
QHash<QString, MapClient> _mapClients; // authToken --> MapClient
QHash<QString, MapClient> _mapClientCAs; // CA AuthToken --> MapClient
-
// Registry for published vendor specific metadata cardinalities
QHash<VSM, Meta::Cardinality> _vsmRegistry;
=======================================
--- /trunk/omapd.conf Thu Jan 3 16:44:35 2013
+++ /trunk/omapd.conf Sun Feb 24 14:35:44 2013
@@ -119,6 +119,22 @@
<send_tcp_keepalives enable="no"/>
</service_configuration>
+ <!-- Define metadata policies to apply to clients for publish operations.
+ These policies must each have a unique name and the policies must
be defined
+ prior to using the policies in client definitions.
+ -->
+ <metadata_policies>
+ <metadata_policy name="policy1">
+ <metadata name="metaname1" metaNS="meta.ns.1"/>
+ </metadata_policy>
+ <metadata_policy name="policy2">
+ <metadata name="metaname1" metaNS="meta.ns.1"/>
+ <metadata name="metaname2" metaNS="meta.ns.1"/>
+ <metadata name="metaname3" metaNS="meta.ns.1"/>
+ <metadata name="metaname3" metaNS="meta.ns.2"/>
+ </metadata_policy>
+ </metadata_policies>
+
<!-- Define specific authorized clients
The default authorization for all clients can be specified with the
default-authorization attribute. The default value for the
default-authorization
@@ -150,9 +166,14 @@
<username>reader</username>
<password>reader</password>
</client>
+ <!-- policy-constrained client with basic auth -->
+ <client name="client3" authorization="1F" authentication="basic"
metadata_policy="policy1">
+ <username>policy</username>
+ <password>policy</password>
+ </client>
<!-- read-only client with cert auth -->
<!--
- <client name="client4" authorization="0E" authentication="certificate">
+ <client name="client4" authorization="0E" authentication="certificate"
metadata_policy="policy1">
<certificate_file format="pem">filename</certificate_file>
<ca_certificates_file format="pem">cacerts.pem</ca_certificates_file>
</client>
@@ -163,7 +184,7 @@
included in the CA Certificates file.
-->
<!--
- <client name="ca-client-" authorization="1F"
authentication="ca-certificate">
+ <client name="ca-client-" authorization="1F"
authentication="ca-certificate" metadata_policy="policy2">
<issuing_ca_certificate_file
format="pem">issuing-cacert.pem</issuing_ca_certificate_file>
<ca_certificates_file
format="pem">client-cacert.pem</ca_certificates_file>
</client>
=======================================
--- /trunk/omapdconfig.cpp Thu Jan 3 16:44:35 2013
+++ /trunk/omapdconfig.cpp Sun Feb 24 14:35:44 2013
@@ -220,6 +220,17 @@
}
qDebug() << fnName << "Num client configurations loaded:" <<
_clientConfigurations.count();
+
+ qDebug() << fnName << "Number of metadata policy definitions:" <<
_metadataPolicies.uniqueKeys().size();
+ QHashIterator<QString, VSM> i(_metadataPolicies);
+ while (i.hasNext()) {
+ i.next();
+ QString policyName = i.key();
+ VSM metadataPolicy = i.value();
+ qDebug() << fnName << " policy:" << policyName
+ << "metadata:" << metadataPolicy.first
+ << "namespace:" << metadataPolicy.second;
+ }
}
bool OmapdConfig::readConfigXML(QIODevice *device)
@@ -390,6 +401,64 @@
}
xmlReader.readNext();
} // service_configuration
+ } else if (xmlReader.name() == "metadata_policies") {
+ bool policiesDone = false;
+ while (!xmlReader.atEnd() && !policiesDone) {
+ xmlReader.readNext();
+
+ if (xmlReader.isStartElement() && xmlReader.name()
== "metadata_policy") {
+ QString policyName;
+ if
(xmlReader.attributes().hasAttribute("name")) {
+ policyName =
xmlReader.attributes().value("name").toString();
+ } else {
+ xmlReader.raiseError(QObject::tr("name
attribute not specified for policy"));
+ }
+ if (policyName.isEmpty()) {
+ xmlReader.raiseError(QObject::tr("invalid
policy name attribute"));
+ }
+
+ bool metadataDone = false;
+ while (!xmlReader.atEnd() && !metadataDone) {
+ xmlReader.readNext();
+
+ if (xmlReader.isStartElement() &&
xmlReader.name() == "metadata") {
+ QString metadataName;
+ if
(xmlReader.attributes().hasAttribute("name")) {
+ metadataName =
xmlReader.attributes().value("name").toString();
+ } else {
+
xmlReader.raiseError(QObject::tr("name attribute not specified for
metadata"));
+ }
+ QString metadataNamespace;
+ if
(xmlReader.attributes().hasAttribute("metaNS")) {
+ metadataNamespace =
xmlReader.attributes().value("metaNS").toString();
+ } else {
+
xmlReader.raiseError(QObject::tr("namespace attribute not specified for
metadata"));
+ }
+
+ if (metadataName.isEmpty() ||
metadataNamespace.isEmpty()) {
+
xmlReader.raiseError(QObject::tr("metadata name or namespace attribute not
specified"));
+ }
+ VSM mpol;
+ mpol.first = metadataName;
+ mpol.second = metadataNamespace;
+ _metadataPolicies.insert(policyName,
mpol);
+ }
+
+ if (xmlReader.tokenType() ==
QXmlStreamReader::EndElement &&
+ xmlReader.name()
== "metadata_policy") {
+ metadataDone = true;
+ }
+ }
+ // End while (metadata)
+ }
+
+ if (xmlReader.tokenType() ==
QXmlStreamReader::EndElement &&
+ xmlReader.name() == "metadata_policies") {
+ policiesDone = true;
+ }
+ }
+ // End while (metadata_policies
+
} else if (xmlReader.name() == "client_configuration") {
QVariant defaultAuthzVar;
if
(xmlReader.attributes().hasAttribute("default-authorization")) {
@@ -397,7 +466,7 @@
unsigned int authzVal =
xmlReader.attributes().value("default-authorization").toString().toUInt(&ok,
16);
if (ok) {
defaultAuthzVar.setValue(authzVal);
- addConfigItem("default_authorization", defaultAuthzVar);
+ addConfigItem("default_authorization",
defaultAuthzVar);
}
}
@@ -409,6 +478,7 @@
unsigned int clientAuthz =
_omapdConfig.value("default_authorization").toUInt();
QString clientName;
QString authType;
+ QString metadataPolicy;
if
(xmlReader.attributes().hasAttribute("name")) {
clientName =
xmlReader.attributes().value("name").toString();
} else {
@@ -426,7 +496,12 @@
} else {
xmlReader.raiseError(QObject::tr("authentication attribute not specified
for client"));
}
-
+ if
(xmlReader.attributes().hasAttribute("metadata_policy")) {
+ metadataPolicy =
xmlReader.attributes().value("metadata_policy").toString();
+ if
(!_metadataPolicies.contains(metadataPolicy)) {
+
xmlReader.raiseError(QObject::tr("metadata_policy not found for client"));
+ }
+ }
xmlReader.readNextStartElement();
if (authType == "basic") {
@@ -447,7 +522,11 @@
if (haveUsername && havePassword) {
// Create client
ClientConfiguration *clientConfig =
new ClientConfiguration();
-
clientConfig->createBasicAuthClient(clientName, username, password,
OmapdConfig::authzOptions(clientAuthz));
+
clientConfig->createBasicAuthClient(clientName,
+
username,
+
password,
+
OmapdConfig::authzOptions(clientAuthz),
+
metadataPolicy);
_clientConfigurations.append(clientConfig);
}
} else if (authType == "certificate") {
@@ -472,7 +551,11 @@
if (haveCACertFile && haveClientCertFile) {
// Create client
ClientConfiguration *clientConfig =
new ClientConfiguration();
-
clientConfig->createCertAuthClient(clientName, certFileName,
caCertFileName, OmapdConfig::authzOptions(clientAuthz));
+
clientConfig->createCertAuthClient(clientName,
+
certFileName,
+
caCertFileName,
+
OmapdConfig::authzOptions(clientAuthz),
+
metadataPolicy);
_clientConfigurations.append(clientConfig);
}
@@ -498,7 +581,11 @@
if (haveCACertFile &&
haveIssuingCACertFile) {
// Create client
ClientConfiguration *clientConfig =
new ClientConfiguration();
-
clientConfig->createCAAuthClient(clientName, issuingCaCertFileName,
caCertFileName, OmapdConfig::authzOptions(clientAuthz));
+
clientConfig->createCAAuthClient(clientName,
+
issuingCaCertFileName,
+
caCertFileName,
+
OmapdConfig::authzOptions(clientAuthz),
+
metadataPolicy);
_clientConfigurations.append(clientConfig);
}
=======================================
--- /trunk/omapdconfig.h Thu Jan 3 16:44:35 2013
+++ /trunk/omapdconfig.h Sun Feb 24 14:35:44 2013
@@ -26,6 +26,8 @@
class ClientConfiguration;
+typedef QPair<QString, QString> VSM; // elementName, elementNamespace
+
class OmapdConfig : public QObject
{
Q_OBJECT
@@ -80,6 +82,7 @@
void showConfigValues();
QList<ClientConfiguration *> clientConfigurations() { return
_clientConfigurations; }
+ QMultiHash<QString, VSM> metadataPolicies() { return
_metadataPolicies; }
int readConfigFile(QString configFileName = "omapd.conf");
@@ -95,6 +98,7 @@
QMap<QString,QVariant> _omapdConfig;
QList<ClientConfiguration *> _clientConfigurations;
+ QMultiHash<QString,VSM> _metadataPolicies; // policyName, (metaName,
metaNS)
};
Q_DECLARE_OPERATORS_FOR_FLAGS(OmapdConfig::IfmapDebugOptions)
Q_DECLARE_OPERATORS_FOR_FLAGS(OmapdConfig::MapVersionSupportOptions)
Reply all
Reply to author
Forward
0 new messages