#ifndef THIRD_PARTY_MILOTIC_EXTERNAL_CC_AUTHZ_OVERRIDE_H_
#define THIRD_PARTY_MILOTIC_EXTERNAL_CC_AUTHZ_OVERRIDE_H_
#include <string>
#include <utility>
#include <vector>
#include "absl/container/flat_hash_map.h"
#include "absl/strings/string_view.h"
#include "authorizer_enums.h"
#include "nlohmann/json.hpp"
#include "redfish_privileges.h"
namespace milotic::authz {
/*
This class is the abstract base class for all override types.
Two overrides currently implement it:
SubordinateOverride and ResourceUriOverride.
Each Override has two fields as seen by the Redfish Privilege Registry.
"Override": {
"Targets": [...],
"OperationMap": {
"GET": {
...
},
...
}
}
The JSON above is how the base privilege registry includes overrides.
Every override has a Targets list of strings that specifies what the override
targets; the meaning of a target differs for each override type.
For a request that matches one of the targets, the OperationMap lists, keyed by
operation, the permissions required for that request.
The two methods IsApplicable and IsPeerAuthorized check, respectively, whether
the override applies to a specific request and, if so, whether the peer is
authorized by the override.
IsPeerAuthorized assumes that IsApplicable returned true for the same request.
If it is called when IsApplicable is not true, its result carries no meaning
(it returns false), so callers must check IsApplicable first and must not treat
IsPeerAuthorized on its own as an authorization decision.
*/
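/*
Override is the abstract base for the override types of the Redfish Privilege
Registry. It stores the two fields an override carries in the registry: the
"Targets" list and the "OperationMap" from operation to the privileges that
operation requires. Derived classes decide what a target means (IsApplicable)
and identify themselves through GetOverrideType().

Both predicates are authorization-decision inputs, so they are [[nodiscard]]:
silently dropping their result would let a request through unchecked.
*/
class Override {
 public:
  // Both registry fields are taken by value so a caller holding an rvalue
  // gets a move instead of a copy; lvalue callers still copy as before.
  Override(std::vector<std::string> override_targets,
           absl::flat_hash_map<ecclesia::Operation,
                               std::vector<RedfishPrivileges>>
               operation_map)
      : override_targets_(std::move(override_targets)),
        operation_map_(std::move(operation_map)) {}
  virtual ~Override() = default;

  /*
  IsApplicable reports whether `uri` and `operation` are a target of this
  override, i.e. whether this override's operation map governs the request at
  all. Each derived class defines what "matches a target" means.
  */
  [[nodiscard]] virtual bool IsApplicable(
      absl::string_view uri, ecclesia::Operation operation) const = 0;

  // Discriminator for the concrete override kind. Left as an unscoped enum so
  // callers can keep naming the values as Override::kSubordinateOverride etc.
  enum Type { kSubordinateOverride = 0, kResourceUriOverride };
  [[nodiscard]] virtual Type GetOverrideType() const = 0;

  /*
  IsPeerAuthorized reports whether `peer_privileges` satisfy this override's
  operation map for `operation` on `uri`. It presumes IsApplicable(uri,
  operation) is true; when that does not hold the result is not meaningful
  (per the file comment it is false), so callers must check IsApplicable first.
  Defined out of line.
  */
  [[nodiscard]] bool IsPeerAuthorized(
      absl::string_view uri, ecclesia::Operation operation,
      const RedfishPrivileges& peer_privileges) const;

  // Presumably serializes the override back into the registry's
  // "Targets"/"OperationMap" JSON shape; virtual so derived classes can extend
  // it. Defined out of line.
  [[nodiscard]] virtual nlohmann::json::object_t ToJson() const;

 protected:
  // "Targets" from the registry entry; what each string means is up to the
  // derived class.
  const std::vector<std::string> override_targets_;
  // "OperationMap" from the registry entry: operation -> required privileges.
  const absl::flat_hash_map<ecclesia::Operation,
                            std::vector<RedfishPrivileges>>
      operation_map_;
};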
} // namespace milotic::authz
#endif // THIRD_PARTY_MILOTIC_EXTERNAL_CC_AUTHZ_OVERRIDE_H_