Implement checking policies with Cynara

Support calling libcynara-client to check for applications permissions.

Change-Id: Icb44dc9a24f0ef519863075203b3be8eb0b07c2c
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>

4 files changed, 66 insertions, 0 deletions

diff --git a/packaging/security-manager.spec b/packaging/security-manager.spec
index c4552c99..4f36bc55 100644
--- a/packaging/security-manager.spec
+++ b/packaging/security-manager.spec
@@ -20,6 +20,7 @@ BuildRequires: pkgconfig(libtzplatform-config)
 BuildRequires: pkgconfig(sqlite3)
 BuildRequires: pkgconfig(db-util)
 BuildRequires: pkgconfig(cynara-admin)
+BuildRequires: pkgconfig(cynara-client)
 BuildRequires: boost-devel
 %{?systemd_requires}
 
diff --git a/src/server/CMakeLists.txt b/src/server/CMakeLists.txt
index 85951118..8049cbeb 100644
--- a/src/server/CMakeLists.txt
+++ b/src/server/CMakeLists.txt
@@ -7,6 +7,7 @@ PKG_CHECK_MODULES(SERVER_DEP
     sqlite3
     db-util
     cynara-admin
+    cynara-client
     )
 
 FIND_PACKAGE(Boost REQUIRED)
diff --git a/src/server/service/cynara.cpp b/src/server/service/cynara.cpp
index 60504447..6db3e9e7 100644
--- a/src/server/service/cynara.cpp
+++ b/src/server/service/cynara.cpp
@@ -208,5 +208,45 @@ void CynaraAdmin::UpdatePackagePolicy(
     cynaraAdmin.SetPolicies(policies);
 }
 
+static bool checkCynaraError(int result, const std::string &msg)
+{
+    // TODO: Cynara client error codes are being currently refactored
+    // This function must be updated when the refactor is finished.
+    switch (result) {
+        case CYNARA_API_SUCCESS:
+            return true;
+        case CYNARA_API_ACCESS_DENIED:
+            return false;
+        case CYNARA_API_OUT_OF_MEMORY:
+            ThrowMsg(CynaraException::OutOfMemory, msg);
+        case CYNARA_API_INVALID_PARAM:
+            ThrowMsg(CynaraException::InvalidParam, msg);
+        case CYNARA_API_SERVICE_NOT_AVAILABLE:
+            ThrowMsg(CynaraException::ServiceNotAvailable, msg);
+        default:
+            ThrowMsg(CynaraException::UnknownError, msg);
+    }
+}
+
+Cynara::Cynara()
+{
+    checkCynaraError(
+        cynara_initialize(&m_Cynara, nullptr),
+        "Cannot connect to Cynara policy interface.");
+}
+
+Cynara::~Cynara()
+{
+    cynara_finish(m_Cynara);
+}
+
+bool Cynara::check(const std::string &label, const std::string &privilege,
+        const std::string &user, const std::string &session)
+{
+    return checkCynaraError(
+        cynara_check(m_Cynara,
+            label.c_str(), session.c_str(), user.c_str(), privilege.c_str()),
+        "Cannot check permission with Cynara.");
+}
 
 } // namespace SecurityManager
diff --git a/src/server/service/include/cynara.h b/src/server/service/include/cynara.h
index 187b53f5..c660a2ec 100644
--- a/src/server/service/include/cynara.h
+++ b/src/server/service/include/cynara.h
@@ -24,6 +24,7 @@
 #ifndef _SECURITY_MANAGER_CYNARA_
 #define _SECURITY_MANAGER_CYNARA_
 
+#include <cynara-client.h>
 #include <cynara-admin.h>
 #include <dpl/exception.h>
 #include <string>
@@ -106,6 +107,29 @@ private:
     struct cynara_admin *m_CynaraAdmin;
 };
 
+class Cynara
+{
+public:
+    Cynara();
+    virtual ~Cynara();
+
+    /**
+     * Ask Cynara for permission.
+     *
+     * @param label application Smack label
+     * @param privilege privilege identifier
+     * @param user user identifier (uid)
+     * @param session session identifier
+     * @return true if access is permitted, false if denied
+     */
+    bool check(const std::string &label, const std::string &privilege,
+        const std::string &user, const std::string &session);
+
+private:
+    struct cynara *m_Cynara;
+};
+
+
 } // namespace SecurityManager
 
 #endif // _SECURITY_MANAGER_CYNARA_