1 /* -*- Mode: C++; tab-width: 4; c-basic-offset: 4; indent-tabs-mode: nil -*- */
2 /*
3  *     Copyright 2017 Couchbase, Inc.
4  *
5  *   Licensed under the Apache License, Version 2.0 (the "License");
6  *   you may not use this file except in compliance with the License.
7  *   You may obtain a copy of the License at
8  *
9  *       http://www.apache.org/licenses/LICENSE-2.0
10  *
11  *   Unless required by applicable law or agreed to in writing, software
12  *   distributed under the License is distributed on an "AS IS" BASIS,
13  *   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14  *   See the License for the specific language governing permissions and
15  *   limitations under the License.
16  */
17 #pragma once
18 
19 #include <memcached/rbac/visibility.h>
20 
21 #include <string>
22 
23 namespace cb {
24 namespace rbac {
25 
26 /**
27  * The Privilege enum contains all of the Privileges available im memcached.
28  */
29 enum class Privilege {
30     /**
31      * The `Read` privilege allows for reading documents in the selected
32      * bucket.
33      */
34     Read,
35     /**
36      * The `Insert` privilege allows for inserting data by using the
37      * 'add' command.
38      */
39     Insert,
40     /**
41      * The `Delete` privilege allows for deleting documents by using
42      * the `delete` command.
43      */
44     Delete,
45     /**
46      * The `Upsert` privilege allows for adding or modifying documents
47      * by using add, set, replace, append/prepend/arithmetic
48      */
49     Upsert,
50     /**
51      * The `SimpleStats` privilege allows for requesting basic statistics
52      * information from the system (restricted to the selected bucket)
53      */
54     SimpleStats,
55     /**
56      * The `Stats` privilege allows for requesting all the statistics
57      * information in the system (system configuration, vbucket state,
58      * dcp information etc).
59      */
60     Stats,
61     /**
62      * The `BucketManagement` privilege allows for bucket management
63      * (create or delete buckets, toggle vbucket states etc).
64      */
65     BucketManagement,
66     /**
67      * The `NodeManagement` privilege allows for changing verbosity
68      * level, reloading configuration files (This privilege should
69      * be split into multiple others)
70      */
71     NodeManagement,
72     /**
73      * The `SessionManagement` privilege allows for changing (and fetching)
74      * the session context registered by ns_server
75      */
76     SessionManagement,
77     /**
78      * The `Audit` privilege allows for adding audit events to the
79      * audit trail
80      */
81     Audit,
82     /**
83      * The `AuditManagement` privilege allows for reconfigure audit
84      * subsystem
85      */
86     AuditManagement,
87     /**
88      * The `DcpConsumer` privilege allows for setting up a DCP stream in the
89      * selected bucket to apply DCP mutations.
90      */
91     DcpConsumer,
92     /**
93      * The `DcpProducer` privilege allows for setting up a DCP stream in the
94      * selected bucket.
95      */
96     DcpProducer,
97     /**
98      * The `Tap` privilege allows for setting up a TAP stream
99      */
100     Tap,
101     /**
102      * The `MetaRead` privilege allows for reading the meta information
103      * on documents.
104      */
105     MetaRead,
106     /**
107      * The `MetaWrite` privilege allows for updating the meta information
108      * on documents.
109      */
110     MetaWrite,
111     /**
112      * The `IdleConnection` privilege allows a client to hold on to an
113      * idle connection witout being disconnected.
114      */
115     IdleConnection,
116     /**
117      * The `XattrRead` privilege allows the connection to read the
118      * attributes on the documents
119      */
120     XattrRead,
121     /**
122      * The `SystemXattrRead` privilege allows the connection to read
123      * the system attributes on the document.
124      */
125     SystemXattrRead,
126     /**
127      * The `XattrWrite` privilege allows the connection to write to the
128      * attributes on the documents
129      */
130     XattrWrite,
131     /**
132      * The `SystemXattrWrite` privilege allows the connection to write to the
133      * system attributes on the documents
134      */
135     SystemXattrWrite,
136     /**
137      * The `CollectionManagement` privilege allows the connection to create or
138      * delete collections.
139      */
140     CollectionManagement,
141 
142     /**
143      * The `SecurityManagement` privilege allows the connection to perform
144      * security related functionality (like reloading password database,
145      * SSL certificates, reload RBAC database, set cluster config, )
146      */
147     SecurityManagement,
148 
149     /**
150      * The `Impersonate` privilege allows the connection to execute commands
151      * by using a different authentication context. The intented use is
152      * for other components in the system which is part of the TCB so that
153      * they don't have to open separate connections to memcached with the
154      * users creds to run the command with the users privilege context.
155      * For Spock this won't be used as all access is per bucket level, but
156      * moving forward we might get per collection/doc access control and at
157      * that time we can't have all components in our system to evaluate
158      * RBAC access
159      */
160     Impersonate
161 
162     /**
163      * Remember to update the rest of the internals of the RBAC module when
164      * you add new privileges.
165      */
166 };
167 
168 enum class PrivilegeAccess { Ok, Fail, Stale };
169 
170 /**
171  * Get a textual representation of the privilege access
172  */
173 RBAC_PUBLIC_API
174 std::string to_string(const PrivilegeAccess privilegeAccess);
175 
176 /**
177  * Convert a textual string to a Privilege
178  *
179  * @param str the textual representation of a privilege
180  * @return The privilege
181  * @throws std::invalid_argument if the text doesn't map to a privilege
182  */
183 RBAC_PUBLIC_API
184 Privilege to_privilege(const std::string& str);
185 
186 /**
187  * Get the textual representation of a privilege
188  */
189 RBAC_PUBLIC_API
190 std::string to_string(const Privilege& privilege);
191 
192 }
193 }
194