Region access control! Region operators can now specify things like DisallowForeigners (means what it says) and DisallowResidents (means that only admins and managers can get into the region). This puts the never-completed AuthorizationService to good use. Note that I didn't implement a grid-wide Authorization service; this service implementation is done entirely locally on the simulator. This can be changed as usual by pluging in a different AuthorizationServicesConnector.

author: Diva Canto 2012-03-17 10:00:11 -0700
committer: Diva Canto 2012-03-17 10:00:11 -0700
commit: 33c14cb107ecb67a3e971d6adaab17d173d52747 (patch)
tree: 401301804f123e686b23c3ff925a7a393eaf4c2c /OpenSim
parent: Clean up "save iar" help (diff)
download: opensim-SC_OLD-33c14cb107ecb67a3e971d6adaab17d173d52747.zip
opensim-SC_OLD-33c14cb107ecb67a3e971d6adaab17d173d52747.tar.gz
opensim-SC_OLD-33c14cb107ecb67a3e971d6adaab17d173d52747.tar.bz2
opensim-SC_OLD-33c14cb107ecb67a3e971d6adaab17d173d52747.tar.xz
3 files changed, 142 insertions, 29 deletions
diff --git a/OpenSim/Region/CoreModules/ServiceConnectorsOut/Authorization/AuthorizationService.cs b/OpenSim/Region/CoreModules/ServiceConnectorsOut/Authorization/AuthorizationService.cs
new file mode 100644
index 0000000..f0d21e6
--- /dev/null
+++ b/OpenSim/Region/CoreModules/ServiceConnectorsOut/Authorization/AuthorizationService.cs
@@ -0,0 +1,124 @@
+/*
+ * Copyright (c) Contributors, http://opensimulator.org/
+ * See CONTRIBUTORS.TXT for a full list of copyright holders.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *     * Redistributions of source code must retain the above copyright
+ *       notice, this list of conditions and the following disclaimer.
+ *     * Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *     * Neither the name of the OpenSimulator Project nor the
+ *       names of its contributors may be used to endorse or promote products
+ *       derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE DEVELOPERS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL THE CONTRIBUTORS BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Reflection;
+using Nini.Config;
+using log4net;
+using OpenSim.Framework;
+using OpenSim.Services.Interfaces;
+using OpenSim.Region.Framework.Interfaces;
+using OpenSim.Region.Framework.Scenes;
+using OpenMetaverse;
+using GridRegion = OpenSim.Services.Interfaces.GridRegion;
+namespace OpenSim.Region.CoreModules.ServiceConnectorsOut.Authorization
+{
+    public class AuthorizationService : IAuthorizationService
+    {
+        private enum AccessFlags
+        {
+            None = 0,               /* No restrictions */
+            DisallowResidents = 1,  /* Only gods and managers*/
+            DisallowForeigners = 2, /* Only local people */
+        }
+        private static readonly ILog m_log =
+                LogManager.GetLogger(
+                MethodBase.GetCurrentMethod().DeclaringType);
+        private IUserManagement m_UserManagement;
+        private IGridService m_GridService;
+        private Scene m_Scene;
+        AccessFlags m_accessValue = AccessFlags.None;
+        public AuthorizationService(IConfig config, Scene scene)
+        {
+            m_Scene = scene;
+            m_UserManagement = scene.RequestModuleInterface<IUserManagement>();
+            m_GridService = scene.GridService;
+            if (config != null)
+            {
+                string accessStr = config.GetString("Region_" + scene.RegionInfo.RegionName.Replace(' ', '_'), String.Empty);
+                if (accessStr != string.Empty)
+                {
+                    try
+                    {
+                        m_accessValue = (AccessFlags)Enum.Parse(typeof(AccessFlags), accessStr);
+                    }
+                    catch (ArgumentException)
+                    {
+                        m_log.WarnFormat("[AuthorizationService]: {0} is not a valid access flag", accessStr);
+                    }
+                }
+                m_log.DebugFormat("[AuthorizationService]: Region {0} access restrictions: {1}", m_Scene.RegionInfo.RegionName, m_accessValue);
+            }
+        }
+        public bool IsAuthorizedForRegion(
+            string user, string firstName, string lastName, string regionID, out string message)
+        {
+            message = "authorized";
+            // This should not happen
+            if (m_Scene.RegionInfo.RegionID.ToString() != regionID)
+            {
+                m_log.WarnFormat("[AuthorizationService]: Service for region {0} received request to authorize for region {1}",
+                    m_Scene.RegionInfo.RegionID, regionID);
+                return true;
+            }
+            if (m_accessValue == AccessFlags.None)
+                return true;
+            UUID userID = new UUID(user);
+            bool authorized = true;
+            if ((m_accessValue & AccessFlags.DisallowForeigners) == AccessFlags.DisallowForeigners)
+            {
+                authorized = m_UserManagement.IsLocalGridUser(userID);
+                if (!authorized)
+                    message = "no foreigner users allowed in this region";
+            }
+            if (authorized && (m_accessValue & AccessFlags.DisallowResidents) == AccessFlags.DisallowResidents)
+            {
+                authorized = m_Scene.Permissions.IsGod(userID) | m_Scene.Permissions.IsAdministrator(userID);
+                if (!authorized)
+                    message = "only Admins and Managers allowed in this region";
+            }
+            return authorized;
+        }
+    }
+}
+\ No newline at end of file
diff --git a/OpenSim/Region/CoreModules/ServiceConnectorsOut/Authorization/LocalAuthorizationServiceConnector.cs b/OpenSim/Region/CoreModules/ServiceConnectorsOut/Authorization/LocalAuthorizationServiceConnector.cs
index 18a7177..c982db6 100644
--- a/OpenSim/Region/CoreModules/ServiceConnectorsOut/Authorization/LocalAuthorizationServiceConnector.cs
+++ b/OpenSim/Region/CoreModules/ServiceConnectorsOut/Authorization/LocalAuthorizationServiceConnector.cs
@@ -39,13 +39,15 @@ using OpenMetaverse;
 namespace OpenSim.Region.CoreModules.ServiceConnectorsOut.Authorization
 {
-    public class LocalAuthorizationServicesConnector : ISharedRegionModule, IAuthorizationService
+    public class LocalAuthorizationServicesConnector : INonSharedRegionModule, IAuthorizationService
    {
        private static readonly ILog m_log =
                LogManager.GetLogger(
                MethodBase.GetCurrentMethod().DeclaringType);
        private IAuthorizationService m_AuthorizationService;
+        private Scene m_Scene;
+        private IConfig m_AuthorizationConfig;
        private bool m_Enabled = false;
@@ -69,33 +71,8 @@ namespace OpenSim.Region.CoreModules.ServiceConnectorsOut.Authorization
                string name = moduleConfig.GetString("AuthorizationServices", string.Empty);
                if (name == Name)
                {
-                    IConfig authorizationConfig = source.Configs["AuthorizationService"];
-                    if (authorizationConfig == null)
-                    {
-                        m_log.Error("[AUTHORIZATION CONNECTOR]: AuthorizationService missing from OpenSim.ini");
-                        return;
-                    }
-                    string serviceDll = authorizationConfig.GetString("LocalServiceModule",
-                            String.Empty);
-                    if (serviceDll == String.Empty)
-                    {
-                        m_log.Error("[AUTHORIZATION CONNECTOR]: No LocalServiceModule named in section AuthorizationService");
-                        return;
-                    }
-                    Object[] args = new Object[] { source };
-                    m_AuthorizationService =
-                            ServerUtils.LoadPlugin<IAuthorizationService>(serviceDll,
-                            args);
-                    if (m_AuthorizationService == null)
-                    {
-                        m_log.Error("[AUTHORIZATION CONNECTOR]: Can't load authorization service");
-                        return;
-                    }
                    m_Enabled = true;
+                    m_AuthorizationConfig = source.Configs["AuthorizationService"];
                    m_log.Info("[AUTHORIZATION CONNECTOR]: Local authorization connector enabled");
                }
            }
@@ -115,6 +92,9 @@ namespace OpenSim.Region.CoreModules.ServiceConnectorsOut.Authorization
                return;
            scene.RegisterModuleInterface<IAuthorizationService>(this);
+            m_Scene = scene;
+            scene.EventManager.OnLoginsEnabled += new EventManager.LoginsEnabled(OnLoginsEnabled);
        }
        public void RemoveRegion(Scene scene)
@@ -131,9 +111,18 @@ namespace OpenSim.Region.CoreModules.ServiceConnectorsOut.Authorization
                scene.RegionInfo.RegionName);
        }
+        private void OnLoginsEnabled(string regionName)
+        {
+            m_AuthorizationService = new AuthorizationService(m_AuthorizationConfig, m_Scene);
+        }
        public bool IsAuthorizedForRegion(
            string userID, string firstName, string lastName, string regionID, out string message)
        {
+            message = "";
+            if (!m_Enabled)
+                return true;
            return m_AuthorizationService.IsAuthorizedForRegion(userID, firstName, lastName, regionID, out message);
        }
    }
diff --git a/OpenSim/Region/Framework/Scenes/Scene.cs b/OpenSim/Region/Framework/Scenes/Scene.cs
index 5b1b165..0042f7b 100644
--- a/OpenSim/Region/Framework/Scenes/Scene.cs
+++ b/OpenSim/Region/Framework/Scenes/Scene.cs
@@ -3533,8 +3533,8 @@ namespace OpenSim.Region.Framework.Scenes
                if (!AuthorizationService.IsAuthorizedForRegion(
                    agent.AgentID.ToString(), agent.firstname, agent.lastname, RegionInfo.RegionID.ToString(), out reason))
                {
-                    m_log.WarnFormat("[CONNECTION BEGIN]: Denied access to: {0} ({1} {2}) at {3} because the user does not have access to the region",
+                    m_log.WarnFormat("[CONNECTION BEGIN]: Denied access to: {0} ({1} {2}) at {3} because {4}",
-                                     agent.AgentID, agent.firstname, agent.lastname, RegionInfo.RegionName);
+                                     agent.AgentID, agent.firstname, agent.lastname, RegionInfo.RegionName, reason);
                    
                    return false;
                }
author	Diva Canto	2012-03-17 10:00:11 -0700
committer	Diva Canto	2012-03-17 10:00:11 -0700
commit	33c14cb107ecb67a3e971d6adaab17d173d52747 (patch)
tree	401301804f123e686b23c3ff925a7a393eaf4c2c /OpenSim
parent	Clean up "save iar" help (diff)
download	opensim-SC_OLD-33c14cb107ecb67a3e971d6adaab17d173d52747.zip opensim-SC_OLD-33c14cb107ecb67a3e971d6adaab17d173d52747.tar.gz opensim-SC_OLD-33c14cb107ecb67a3e971d6adaab17d173d52747.tar.bz2 opensim-SC_OLD-33c14cb107ecb67a3e971d6adaab17d173d52747.tar.xz

diff --git a/OpenSim/Region/CoreModules/ServiceConnectorsOut/Authorization/AuthorizationService.cs b/OpenSim/Region/CoreModules/ServiceConnectorsOut/Authorization/AuthorizationService.cs new file mode 100644 index 0000000..f0d21e6 --- /dev/null +++ b/OpenSim/Region/CoreModules/ServiceConnectorsOut/Authorization/AuthorizationService.cs
@@ -0,0 +1,124 @@
		1	/*
		2	* Copyright (c) Contributors, http://opensimulator.org/
		3	* See CONTRIBUTORS.TXT for a full list of copyright holders.
		4	*
		5	* Redistribution and use in source and binary forms, with or without
		6	* modification, are permitted provided that the following conditions are met:
		7	* * Redistributions of source code must retain the above copyright
		8	* notice, this list of conditions and the following disclaimer.
		9	* * Redistributions in binary form must reproduce the above copyright
		10	* notice, this list of conditions and the following disclaimer in the
		11	* documentation and/or other materials provided with the distribution.
		12	* * Neither the name of the OpenSimulator Project nor the
		13	* names of its contributors may be used to endorse or promote products
		14	* derived from this software without specific prior written permission.
		15	*
		16	* THIS SOFTWARE IS PROVIDED BY THE DEVELOPERS ``AS IS'' AND ANY
		17	* EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
		18	* WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
		19	* DISCLAIMED. IN NO EVENT SHALL THE CONTRIBUTORS BE LIABLE FOR ANY
		20	* DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
		21	* (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
		22	* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
		23	* ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
		24	* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
		25	* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
		26	*/
		27
		28	using System;
		29	using System.Collections.Generic;
		30	using System.Linq;
		31	using System.Reflection;
		32	using Nini.Config;
		33	using log4net;
		34	using OpenSim.Framework;
		35	using OpenSim.Services.Interfaces;
		36	using OpenSim.Region.Framework.Interfaces;
		37	using OpenSim.Region.Framework.Scenes;
		38	using OpenMetaverse;
		39
		40	using GridRegion = OpenSim.Services.Interfaces.GridRegion;
		41
		42	namespace OpenSim.Region.CoreModules.ServiceConnectorsOut.Authorization
		43	{
		44	public class AuthorizationService : IAuthorizationService
		45	{
		46	private enum AccessFlags
		47	{
		48	None = 0, /* No restrictions */
		49	DisallowResidents = 1, /* Only gods and managers*/
		50	DisallowForeigners = 2, /* Only local people */
		51	}
		52
		53	private static readonly ILog m_log =
		54	LogManager.GetLogger(
		55	MethodBase.GetCurrentMethod().DeclaringType);
		56
		57	private IUserManagement m_UserManagement;
		58	private IGridService m_GridService;
		59
		60	private Scene m_Scene;
		61	AccessFlags m_accessValue = AccessFlags.None;
		62
		63
		64	public AuthorizationService(IConfig config, Scene scene)
		65	{
		66	m_Scene = scene;
		67	m_UserManagement = scene.RequestModuleInterface<IUserManagement>();
		68	m_GridService = scene.GridService;
		69
		70	if (config != null)
		71	{
		72	string accessStr = config.GetString("Region_" + scene.RegionInfo.RegionName.Replace(' ', '_'), String.Empty);
		73	if (accessStr != string.Empty)
		74	{
		75	try
		76	{
		77	m_accessValue = (AccessFlags)Enum.Parse(typeof(AccessFlags), accessStr);
		78	}
		79	catch (ArgumentException)
		80	{
		81	m_log.WarnFormat("[AuthorizationService]: {0} is not a valid access flag", accessStr);
		82	}
		83	}
		84	m_log.DebugFormat("[AuthorizationService]: Region {0} access restrictions: {1}", m_Scene.RegionInfo.RegionName, m_accessValue);
		85	}
		86
		87	}
		88
		89	public bool IsAuthorizedForRegion(
		90	string user, string firstName, string lastName, string regionID, out string message)
		91	{
		92	message = "authorized";
		93
		94	// This should not happen
		95	if (m_Scene.RegionInfo.RegionID.ToString() != regionID)
		96	{
		97	m_log.WarnFormat("[AuthorizationService]: Service for region {0} received request to authorize for region {1}",
		98	m_Scene.RegionInfo.RegionID, regionID);
		99	return true;
		100	}
		101
		102	if (m_accessValue == AccessFlags.None)
		103	return true;
		104
		105	UUID userID = new UUID(user);
		106	bool authorized = true;
		107	if ((m_accessValue & AccessFlags.DisallowForeigners) == AccessFlags.DisallowForeigners)
		108	{
		109	authorized = m_UserManagement.IsLocalGridUser(userID);
		110	if (!authorized)
		111	message = "no foreigner users allowed in this region";
		112	}
		113	if (authorized && (m_accessValue & AccessFlags.DisallowResidents) == AccessFlags.DisallowResidents)
		114	{
		115	authorized = m_Scene.Permissions.IsGod(userID) \| m_Scene.Permissions.IsAdministrator(userID);
		116	if (!authorized)
		117	message = "only Admins and Managers allowed in this region";
		118	}
		119
		120	return authorized;
		121	}
		122
		123	}
		124	} \ No newline at end of file


diff --git a/OpenSim/Region/CoreModules/ServiceConnectorsOut/Authorization/LocalAuthorizationServiceConnector.cs b/OpenSim/Region/CoreModules/ServiceConnectorsOut/Authorization/LocalAuthorizationServiceConnector.cs index 18a7177..c982db6 100644 --- a/OpenSim/Region/CoreModules/ServiceConnectorsOut/Authorization/LocalAuthorizationServiceConnector.cs +++ b/OpenSim/Region/CoreModules/ServiceConnectorsOut/Authorization/LocalAuthorizationServiceConnector.cs
@@ -39,13 +39,15 @@ using OpenMetaverse;
39		39
40	namespace OpenSim.Region.CoreModules.ServiceConnectorsOut.Authorization	40	namespace OpenSim.Region.CoreModules.ServiceConnectorsOut.Authorization
41	{	41	{
42	public class LocalAuthorizationServicesConnector : ISharedRegionModule, IAuthorizationService	42	public class LocalAuthorizationServicesConnector : INonSharedRegionModule, IAuthorizationService
43	{	43	{
44	private static readonly ILog m_log =	44	private static readonly ILog m_log =
45	LogManager.GetLogger(	45	LogManager.GetLogger(
46	MethodBase.GetCurrentMethod().DeclaringType);	46	MethodBase.GetCurrentMethod().DeclaringType);
47		47
48	private IAuthorizationService m_AuthorizationService;	48	private IAuthorizationService m_AuthorizationService;
		49	private Scene m_Scene;
		50	private IConfig m_AuthorizationConfig;
49		51
50	private bool m_Enabled = false;	52	private bool m_Enabled = false;
51		53
@@ -69,33 +71,8 @@ namespace OpenSim.Region.CoreModules.ServiceConnectorsOut.Authorization
69	string name = moduleConfig.GetString("AuthorizationServices", string.Empty);	71	string name = moduleConfig.GetString("AuthorizationServices", string.Empty);
70	if (name == Name)	72	if (name == Name)
71	{	73	{
72	IConfig authorizationConfig = source.Configs["AuthorizationService"];
73	if (authorizationConfig == null)
74	{
75	m_log.Error("[AUTHORIZATION CONNECTOR]: AuthorizationService missing from OpenSim.ini");
76	return;
77	}
78
79	string serviceDll = authorizationConfig.GetString("LocalServiceModule",
80	String.Empty);
81
82	if (serviceDll == String.Empty)
83	{
84	m_log.Error("[AUTHORIZATION CONNECTOR]: No LocalServiceModule named in section AuthorizationService");
85	return;
86	}
87
88	Object[] args = new Object[] { source };
89	m_AuthorizationService =
90	ServerUtils.LoadPlugin<IAuthorizationService>(serviceDll,
91	args);
92
93	if (m_AuthorizationService == null)
94	{
95	m_log.Error("[AUTHORIZATION CONNECTOR]: Can't load authorization service");
96	return;
97	}
98	m_Enabled = true;	74	m_Enabled = true;
		75	m_AuthorizationConfig = source.Configs["AuthorizationService"];
99	m_log.Info("[AUTHORIZATION CONNECTOR]: Local authorization connector enabled");	76	m_log.Info("[AUTHORIZATION CONNECTOR]: Local authorization connector enabled");
100	}	77	}
101	}	78	}
@@ -115,6 +92,9 @@ namespace OpenSim.Region.CoreModules.ServiceConnectorsOut.Authorization
115	return;	92	return;
116		93
117	scene.RegisterModuleInterface<IAuthorizationService>(this);	94	scene.RegisterModuleInterface<IAuthorizationService>(this);
		95	m_Scene = scene;
		96
		97	scene.EventManager.OnLoginsEnabled += new EventManager.LoginsEnabled(OnLoginsEnabled);
118	}	98	}
119		99
120	public void RemoveRegion(Scene scene)	100	public void RemoveRegion(Scene scene)
@@ -131,9 +111,18 @@ namespace OpenSim.Region.CoreModules.ServiceConnectorsOut.Authorization
131	scene.RegionInfo.RegionName);	111	scene.RegionInfo.RegionName);
132	}	112	}
133		113
		114	private void OnLoginsEnabled(string regionName)
		115	{
		116	m_AuthorizationService = new AuthorizationService(m_AuthorizationConfig, m_Scene);
		117	}
		118
134	public bool IsAuthorizedForRegion(	119	public bool IsAuthorizedForRegion(
135	string userID, string firstName, string lastName, string regionID, out string message)	120	string userID, string firstName, string lastName, string regionID, out string message)
136	{	121	{
		122	message = "";
		123	if (!m_Enabled)
		124	return true;
		125
137	return m_AuthorizationService.IsAuthorizedForRegion(userID, firstName, lastName, regionID, out message);	126	return m_AuthorizationService.IsAuthorizedForRegion(userID, firstName, lastName, regionID, out message);
138	}	127	}
139	}	128	}


diff --git a/OpenSim/Region/Framework/Scenes/Scene.cs b/OpenSim/Region/Framework/Scenes/Scene.cs index 5b1b165..0042f7b 100644 --- a/OpenSim/Region/Framework/Scenes/Scene.cs +++ b/OpenSim/Region/Framework/Scenes/Scene.cs
@@ -3533,8 +3533,8 @@ namespace OpenSim.Region.Framework.Scenes
3533	if (!AuthorizationService.IsAuthorizedForRegion(	3533	if (!AuthorizationService.IsAuthorizedForRegion(
3534	agent.AgentID.ToString(), agent.firstname, agent.lastname, RegionInfo.RegionID.ToString(), out reason))	3534	agent.AgentID.ToString(), agent.firstname, agent.lastname, RegionInfo.RegionID.ToString(), out reason))
3535	{	3535	{
3536	m_log.WarnFormat("[CONNECTION BEGIN]: Denied access to: {0} ({1} {2}) at {3} because the user does not have access to the region",	3536	m_log.WarnFormat("[CONNECTION BEGIN]: Denied access to: {0} ({1} {2}) at {3} because {4}",
3537	agent.AgentID, agent.firstname, agent.lastname, RegionInfo.RegionName);	3537	agent.AgentID, agent.firstname, agent.lastname, RegionInfo.RegionName, reason);
3538		3538
3539	return false;	3539	return false;
3540	}	3540	}