1/* -*- Mode: C++; tab-width: 4; c-basic-offset: 4; indent-tabs-mode: nil -*- */
2/*
3 *     Copyright 2017 Couchbase, Inc.
4 *
5 *   Licensed under the Apache License, Version 2.0 (the "License");
6 *   you may not use this file except in compliance with the License.
7 *   You may obtain a copy of the License at
8 *
9 *       http://www.apache.org/licenses/LICENSE-2.0
10 *
11 *   Unless required by applicable law or agreed to in writing, software
12 *   distributed under the License is distributed on an "AS IS" BASIS,
13 *   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 *   See the License for the specific language governing permissions and
15 *   limitations under the License.
16 */
17#pragma once
18
19#include <memcached/rbac/visibility.h>
20
21#include <string>
22
23namespace cb {
24namespace rbac {
25
/**
 * The Privilege enum contains all of the privileges available in memcached.
 *
 * Each enumerator is a single capability that a connection's privilege
 * context either holds or lacks. The mapping between enumerators and their
 * textual names is provided by to_privilege() / to_string() declared below,
 * so every new enumerator needs a matching entry there.
 */
enum class Privilege {
    /**
     * The `Read` privilege allows for reading documents in the selected
     * bucket.
     */
    Read,
    /**
     * The `Insert` privilege allows for inserting data by using the
     * 'add' command.
     */
    Insert,
    /**
     * The `Delete` privilege allows for deleting documents by using
     * the `delete` command.
     */
    Delete,
    /**
     * The `Upsert` privilege allows for adding or modifying documents
     * by using add, set, replace, append/prepend/arithmetic
     */
    Upsert,
    /**
     * The `SimpleStats` privilege allows for requesting basic statistics
     * information from the system (restricted to the selected bucket)
     */
    SimpleStats,
    /**
     * The `Stats` privilege allows for requesting all the statistics
     * information in the system (system configuration, vbucket state,
     * dcp information etc).
     *
     * Unlike `SimpleStats` this exposes node-wide configuration rather than
     * just the selected bucket's counters, so it should be granted
     * separately from plain bucket statistics access.
     */
    Stats,
    /**
     * The `BucketManagement` privilege allows for bucket management
     * (create or delete buckets, toggle vbucket states etc).
     */
    BucketManagement,
    /**
     * The `NodeManagement` privilege allows for changing verbosity
     * level, reloading configuration files (This privilege should
     * be split into multiple others)
     */
    NodeManagement,
    /**
     * The `SessionManagement` privilege allows for changing (and fetching)
     * the session context registered by ns_server
     */
    SessionManagement,
    /**
     * The `Audit` privilege allows for adding audit events to the
     * audit trail
     */
    Audit,
    /**
     * The `AuditManagement` privilege allows for reconfiguring the audit
     * subsystem
     */
    AuditManagement,
    /**
     * The `DcpConsumer` privilege allows for setting up a DCP stream in the
     * selected bucket to apply DCP mutations.
     */
    DcpConsumer,
    /**
     * The `DcpProducer` privilege allows for setting up a DCP stream in the
     * selected bucket.
     */
    DcpProducer,
    /**
     * The `Tap` privilege allows for setting up a TAP stream
     */
    Tap,
    /**
     * The `MetaRead` privilege allows for reading the meta information
     * on documents.
     */
    MetaRead,
    /**
     * The `MetaWrite` privilege allows for updating the meta information
     * on documents.
     */
    MetaWrite,
    /**
     * The `IdleConnection` privilege allows a client to hold on to an
     * idle connection without being disconnected.
     */
    IdleConnection,
    /**
     * The `XattrRead` privilege allows the connection to read the
     * attributes on the documents
     */
    XattrRead,
    /**
     * The `SystemXattrRead` privilege allows the connection to read
     * the system attributes on the document.
     */
    SystemXattrRead,
    /**
     * The `XattrWrite` privilege allows the connection to write to the
     * attributes on the documents
     */
    XattrWrite,
    /**
     * The `SystemXattrWrite` privilege allows the connection to write to the
     * system attributes on the documents
     */
    SystemXattrWrite,
    /**
     * The `CollectionManagement` privilege allows the connection to create or
     * delete collections.
     */
    CollectionManagement,

    /**
     * The `SecurityManagement` privilege allows the connection to perform
     * security related functionality (like reloading password database,
     * SSL certificates, reload RBAC database, set cluster config)
     *
     * Reloading the password and RBAC databases decides which credentials
     * and privilege assignments are in effect for every other connection,
     * so this privilege should be treated as administrative.
     */
    SecurityManagement,

    /**
     * The `Impersonate` privilege allows the connection to execute commands
     * by using a different authentication context. The intended use is
     * for other components in the system which are part of the TCB so that
     * they don't have to open separate connections to memcached with the
     * users creds to run the command with the users privilege context.
     * For Spock this won't be used as all access is per bucket level, but
     * moving forward we might get per collection/doc access control and at
     * that time we can't have all components in our system to evaluate
     * RBAC access.
     *
     * NOTE(review): because the holder chooses whose privilege context a
     * command runs under, this is effectively a full-trust privilege. It
     * must only be granted to TCB components, never to ordinary users, and
     * its use is a good candidate for an audit event.
     */
    Impersonate

    /**
     * Remember to update the rest of the internals of the RBAC module when
     * you add new privileges (in particular the to_privilege() / to_string()
     * mappings declared below).
     */
};
167
/**
 * Result of checking a connection's privilege context for a Privilege.
 *
 * `Ok` and `Fail` are the pass / refuse outcomes. `Stale` is not explained
 * in this header; presumably the privilege context was built from an RBAC
 * database that has since been reloaded and has to be refreshed before the
 * answer can be trusted — confirm against the checking code before relying
 * on it. Callers must not treat `Stale` as a grant.
 */
enum class PrivilegeAccess { Ok, Fail, Stale };
169
/**
 * Get a textual representation of the privilege access
 *
 * @param privilegeAccess the check result to describe
 * @return a human readable name for the value; the exact strings are
 *         defined by the implementation, not by this header
 */
RBAC_PUBLIC_API
std::string to_string(const PrivilegeAccess privilegeAccess);
175
/**
 * Convert a textual string to a Privilege
 *
 * Unknown names are reported with an exception rather than being silently
 * mapped to some privilege, so a misspelled or unsupported name in an
 * external source (e.g. an RBAC definition) fails loudly. Whether the
 * lookup is case sensitive is not specified here; check the implementation
 * before parsing external input.
 *
 * @param str the textual representation of a privilege
 * @return The privilege
 * @throws std::invalid_argument if the text doesn't map to a privilege
 */
RBAC_PUBLIC_API
Privilege to_privilege(const std::string& str);
185
/**
 * Get the textual representation of a privilege
 *
 * Inverse of to_privilege(); presumably to_privilege(to_string(p)) == p holds
 * for every enumerator — confirm against the implementation when adding
 * privileges.
 *
 * @param privilege the privilege to name
 * @return its textual representation
 */
RBAC_PUBLIC_API
std::string to_string(const Privilege& privilege);
191
192}
193}
194