1 /*
2  * This file is part of signon
3  *
4  * Copyright (C) 2011 Intel Corporation.
5  * Copyright (C) 2013-2016 Canonical Ltd.
6  *
7  * Contact: Elena Reshetova <elena.reshetova@intel.com>
8  * Contact: Alberto Mardegan <alberto.mardegan@canonical.com>
9  *
10  * This library is free software; you can redistribute it and/or
11  * modify it under the terms of the GNU Lesser General Public License
12  * version 2.1 as published by the Free Software Foundation.
13  *
14  * This library is distributed in the hope that it will be useful, but
15  * WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17  * Lesser General Public License for more details.
18  *
19  * You should have received a copy of the GNU Lesser General Public
20  * License along with this library; if not, write to the Free Software
21  * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
22  * 02110-1301 USA
23  */
24 /*!
25  * @file abstract-access-control-manager.h
26  * Definition of the AbstractAccessControlManager object.
27  * @ingroup Accounts_and_SSO_Framework
28  */
29 
30 #ifndef SIGNON_ABSTRACT_ACCESS_CONTROL_MANAGER_H
31 #define SIGNON_ABSTRACT_ACCESS_CONTROL_MANAGER_H
32 
33 #include <SignOn/extension-interface.h>
34 
35 #include <QSharedDataPointer>
36 #include <QString>
37 
38 class QDBusConnection;
39 class QDBusMessage;
40 
41 namespace SignOn {
42 
43 class AbstractAccessControlManager;
44 class AccessRequestData;
45 
46 class SIGNON_EXPORT AccessRequest
47 {
48 public:
49     explicit AccessRequest();
50     AccessRequest(const AccessRequest &other);
51     ~AccessRequest();
52 
53     /*!
54      * Identifies the client requesting the access.
55      * @param peerConnection the connection over which the message was sent.
56      * @param peerMessage, the request message sent over DBUS by the process.
57      */
58     void setPeer(const QDBusConnection &connection,
59                  const QDBusMessage &message);
60     const QDBusConnection &peerConnection() const;
61     const QDBusMessage &peerMessage() const;
62 
63     /*!
64      * Specifies the SignOn::Identity resource being accessed.
65      */
66     void setIdentity(quint32 id);
67     quint32 identity() const;
68 
69 private:
70     QSharedDataPointer<AccessRequestData> d;
71 };
72 
73 class AccessReplyPrivate;
74 class SIGNON_EXPORT AccessReply: public QObject
75 {
76     Q_OBJECT
77 
78 public:
79     ~AccessReply();
80 
81     const AccessRequest &request() const;
82     bool isAccepted() const;
83 
84 Q_SIGNALS:
85     void finished();
86 
87 protected:
88     explicit AccessReply(const AccessRequest &request, QObject *parent = 0);
89 
90 protected Q_SLOTS:
91     void accept();
92     void decline();
93 
94 private:
95     friend class AbstractAccessControlManager;
96     AccessReplyPrivate *d_ptr;
97     Q_DECLARE_PRIVATE(AccessReply)
98 };
99 
100 /*!
101  * @class AbstractAccessControlManager
102  * Helps filtering incoming Singnon Daemon requests,
103  * based on security priviledges of the client processes.
104  * @ingroup Accounts_and_SSO_Framework
105  */
106 class SIGNON_EXPORT AbstractAccessControlManager: public QObject
107 {
108     Q_OBJECT
109 
110 public:
111     /*!
112      * Constructs a AbstractAccessControlManager object with the given parent.
113      * @param parent
114      */
115     explicit AbstractAccessControlManager(QObject *parent = 0);
116 
117     /*!
118      * Destructor.
119      */
120     virtual ~AbstractAccessControlManager();
121 
122     /*!
123      * Checks if a client process is allowed to access objects with a certain
124      * security context.
125      * The access type to be checked depends on the concrete implementation of
126      * this function.
127      * @param peerConnection the connection over which the message was sent.
128      * @param peerMessage, the request message sent over DBUS by the process.
129      * @param securityContext, the securityContext to be checked against.
130      * @returns true, if the peer is allowed, false otherwise.
131      */
132     virtual bool isPeerAllowedToAccess(const QDBusConnection &peerConnection,
133                                        const QDBusMessage &peerMessage,
134                                        const QString &securityContext);
135 
136     /*!
137      * Looks up for the application identifier of a specific client process.
138      * @param peerConnection the connection over which the message was sent.
139      * @param peerMessage, the request message sent over DBUS by the process.
140      * @returns the application identifier of the process, or an empty string
141      * if none found.
142      */
143     virtual QString appIdOfPeer(const QDBusConnection &peerConnection,
144                                 const QDBusMessage &peerMessage);
145 
146     /*!
147      * @returns the application identifier of the keychain widget
148      */
149     virtual QString keychainWidgetAppId();
150 
151     /*!
152      * Asynchronously handle an access request from a client.
153      * @param request, the AccessRequest describing the requested access.
154      * @returns an AccessReply object which can be used to obtain the
155      * asynchronous reply.
156      */
157     virtual AccessReply *handleRequest(const AccessRequest &request);
158 };
159 
160 } // namespace
161 
162 #endif // SIGNON_ABSTRACT_ACCESS_CONTROL_MANAGER_H
163