aboutsummaryrefslogtreecommitdiffstats
path: root/vespalib/src/vespa/vespalib/net/tls/peer_policies.h
blob: e79a75ca20c9cb814c1f5523cd9b81761875fb90 (plain) (blame) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119

// Copyright Vespa.ai. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
#pragma once

#include "capability_set.h"
#include <vespa/vespalib/stllike/string.h>
#include <memory>
#include <vector>
#include <iosfwd>

namespace vespalib::net::tls {

struct CredentialMatchPattern {
    virtual ~CredentialMatchPattern() = default;
    [[nodiscard]] virtual bool matches(vespalib::stringref str) const noexcept = 0;

    static std::shared_ptr<const CredentialMatchPattern> create_from_dns_glob(vespalib::stringref glob_pattern);
    static std::shared_ptr<const CredentialMatchPattern> create_from_uri_glob(vespalib::stringref glob_pattern);
    static std::shared_ptr<const CredentialMatchPattern> create_exact_match(vespalib::stringref pattern);
};

class RequiredPeerCredential {
public:
    enum class Field {
        CN, SAN_DNS, SAN_URI
    };
private:
    Field _field = Field::SAN_DNS;
    vespalib::string _original_pattern;
    std::shared_ptr<const CredentialMatchPattern> _match_pattern;
public:
    RequiredPeerCredential() = default;
    RequiredPeerCredential(Field field, vespalib::string must_match_pattern);
    RequiredPeerCredential(const RequiredPeerCredential &) noexcept;
    RequiredPeerCredential & operator=(const RequiredPeerCredential &) = delete;
    RequiredPeerCredential(RequiredPeerCredential &&) noexcept;
    RequiredPeerCredential & operator=(RequiredPeerCredential &&) noexcept;
    ~RequiredPeerCredential();

    bool operator==(const RequiredPeerCredential& rhs) const {
        // We assume (opaque) _match_pattern matches rhs._match_pattern if the pattern
        // strings they were created from are equal. This should be fully deterministic.
        return ((_field == rhs._field)
                && (_original_pattern == rhs._original_pattern));
    }

    [[nodiscard]] bool matches(vespalib::stringref str) const noexcept {
        return (_match_pattern && _match_pattern->matches(str));
    }

    [[nodiscard]] Field field() const noexcept { return _field; }
    [[nodiscard]] const vespalib::string& original_pattern() const noexcept { return _original_pattern; }
};

class PeerPolicy {
    // _All_ credentials must match for the policy itself to match.
    std::vector<RequiredPeerCredential> _required_peer_credentials;
    CapabilitySet                       _granted_capabilities;
public:
    PeerPolicy();
    // This policy is created with a full capability set, i.e. unrestricted access.
    explicit PeerPolicy(std::vector<RequiredPeerCredential> required_peer_credentials);

    PeerPolicy(std::vector<RequiredPeerCredential> required_peer_credentials,
               CapabilitySet granted_capabilities);

    ~PeerPolicy();

    bool operator==(const PeerPolicy& rhs) const noexcept {
        return ((_required_peer_credentials == rhs._required_peer_credentials) &&
                (_granted_capabilities == rhs._granted_capabilities));
    }
    [[nodiscard]] const std::vector<RequiredPeerCredential>& required_peer_credentials() const noexcept {
        return _required_peer_credentials;
    }
    [[nodiscard]] const CapabilitySet& granted_capabilities() const noexcept {
        return _granted_capabilities;
    }
};

class AuthorizedPeers {
    // A peer will be authorized iff it matches _one or more_ policies.
    std::vector<PeerPolicy> _peer_policies;
    bool _allow_all_if_empty;

    explicit AuthorizedPeers(bool allow_all_if_empty)
        : _peer_policies(),
          _allow_all_if_empty(allow_all_if_empty)
    {}
public:
    AuthorizedPeers() : _peer_policies(), _allow_all_if_empty(false) {}
    explicit AuthorizedPeers(std::vector<PeerPolicy> peer_policies_)
        : _peer_policies(std::move(peer_policies_)),
          _allow_all_if_empty(false)
    {}

    AuthorizedPeers(const AuthorizedPeers&);
    AuthorizedPeers& operator=(const AuthorizedPeers&) = delete;
    AuthorizedPeers(AuthorizedPeers&&) noexcept;
    AuthorizedPeers& operator=(AuthorizedPeers&&) noexcept;
    ~AuthorizedPeers();

    static AuthorizedPeers allow_all_authenticated() {
        return AuthorizedPeers(true);
    }

    bool operator==(const AuthorizedPeers& rhs) const {
        return (_peer_policies == rhs._peer_policies);
    }
    [[nodiscard]] bool allows_all_authenticated() const noexcept {
        return _allow_all_if_empty;
    }
    [[nodiscard]] const std::vector<PeerPolicy>& peer_policies() const noexcept { return _peer_policies; }
};

std::ostream& operator<<(std::ostream&, const RequiredPeerCredential&);
std::ostream& operator<<(std::ostream&, const PeerPolicy&);
std::ostream& operator<<(std::ostream&, const AuthorizedPeers&);

} // vespalib::net::tls