src/server/daemon/acl.c

Sat, 16 Mar 2013 23:11:34 +0100

author
Olaf Wintermann <olaf.wintermann@gmail.com>
date
Sat, 16 Mar 2013 23:11:34 +0100
changeset 54
3a1d5a52adfc
parent 53
5ec9abba1027
child 63
66442f81f823
permissions
-rw-r--r--

new vfs api

51
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
1 /*
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
2 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
3 *
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
4 * Copyright 2013 Olaf Wintermann. All rights reserved.
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
5 *
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
6 * Redistribution and use in source and binary forms, with or without
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
7 * modification, are permitted provided that the following conditions are met:
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
8 *
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
9 * 1. Redistributions of source code must retain the above copyright
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
10 * notice, this list of conditions and the following disclaimer.
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
11 *
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
12 * 2. Redistributions in binary form must reproduce the above copyright
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
13 * notice, this list of conditions and the following disclaimer in the
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
14 * documentation and/or other materials provided with the distribution.
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
15 *
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
16 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
17 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
18 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
19 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
20 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
21 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
22 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
23 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
24 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
25 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
26 * POSSIBILITY OF SUCH DAMAGE.
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
27 */
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
28
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
29 #include <stdio.h>
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
30 #include <stdlib.h>
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
31
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
32 #include "../util/pool.h"
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
33 #include "../safs/auth.h"
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
34 #include "acl.h"
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
35
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
36 void acllist_createhandle(Session *sn, Request *rq) {
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
37 ACLListHandle *handle = pool_malloc(sn->pool, sizeof(ACLListHandle));
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
38 handle->defaultauthdb = NULL;
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
39 handle->listhead = NULL;
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
40 handle->listtail = NULL;
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
41 rq->acllist = handle;
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
42 }
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
43
52
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
44 /*
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
45 * append or prepend an ACL
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
46 */
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
47 void acllist_add(Session *sn, Request *rq, ACLList *acl, int append) {
51
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
48 if(!rq->acllist) {
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
49 acllist_createhandle(sn, rq);
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
50 }
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
51 ACLListHandle *list = rq->acllist;
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
52
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
53 if(!list->defaultauthdb && acl->authdb) {
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
54 list->defaultauthdb = acl->authdb;
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
55 }
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
56
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
57 ACLListElm *elm = pool_malloc(sn->pool, sizeof(ACLListElm));
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
58 elm->acl = acl;
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
59 elm->next = NULL;
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
60 if(list->listhead == NULL) {
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
61 list->listhead = elm;
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
62 list->listtail = elm;
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
63 } else {
52
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
64 if(append) {
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
65 list->listtail->next = elm;
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
66 list->listtail = elm;
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
67 } else {
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
68 elm->next = list->listhead;
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
69 list->listhead = elm;
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
70 }
51
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
71 }
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
72 }
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
73
52
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
74 void acllist_append(Session *sn, Request *rq, ACLList *acl) {
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
75 acllist_add(sn, rq, acl, 1);
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
76 }
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
77
51
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
78 void acllist_prepend(Session *sn, Request *rq, ACLList *acl) {
52
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
79 acllist_add(sn, rq, acl, 0);
51
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
80 }
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
81
54
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
82 uint32_t acl_oflag2mask(int oflags) {
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
83 /* TODO:
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
84 * maybe there is a plattform where O_RDWR is not O_RDONLY | O_WRONLY
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
85 */
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
86 uint32_t access_mask = 0;
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
87 if((oflags & O_RDONLY) == O_RDONLY) {
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
88 access_mask |= ACL_READ_DATA;
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
89 }
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
90 if((oflags & O_WRONLY) == O_WRONLY) {
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
91 access_mask |= ACL_WRITE_DATA;
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
92 }
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
93 return access_mask;
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
94 }
51
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
95
54
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
96 User* acllist_getuser(Session *sn, Request *rq, ACLListHandle *list) {
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
97 if(!sn || !rq || !list) {
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
98 return NULL;
51
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
99 }
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
100
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
101 // get user
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
102 User *user = NULL;
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
103 if(list->defaultauthdb) {
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
104 char *usr;
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
105 char *pw;
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
106 if(!basicauth_getuser(sn, rq, &usr, &pw)) {
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
107 user = list->defaultauthdb->get_user(list->defaultauthdb, usr);
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
108 if(!user) {
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
109 // wrong user name
54
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
110 return NULL;
51
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
111 }
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
112 if(!user->verify_password(user, pw)) {
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
113 // wrong password
52
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
114 user->free(user);
54
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
115 return NULL;
51
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
116 }
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
117 // ok - user is authenticated
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
118 }
54
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
119 }
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
120
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
121 return user;
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
122 }
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
123
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
124 void acl_set_error_status(Session *sn, Request *rq, ACLList *acl, User *user) {
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
125 if(!user) {
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
126 char *value = NULL;
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
127 if(acl->authprompt) {
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
128 size_t realmlen = strlen(acl->authprompt);
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
129 size_t len = realmlen + 16;
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
130 value = pool_malloc(sn->pool, len);
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
131 if(value) {
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
132 snprintf(
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
133 value,
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
134 len,
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
135 "Basic realm=\"%s\"",
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
136 acl->authprompt);
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
137 }
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
138 }
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
139 if(!value) {
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
140 value = "Basic realm=\"login\"";
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
141 }
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
142 pblock_nvinsert("www-authenticate", value, rq->srvhdrs);
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
143 protocol_status(sn, rq, PROTOCOL_UNAUTHORIZED, NULL);
51
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
144 } else {
54
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
145 protocol_status(sn, rq, PROTOCOL_FORBIDDEN, NULL);
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
146 }
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
147 }
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
148
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
149 int acl_evaluate(Session *sn, Request *rq, int access_mask) {
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
150 ACLListHandle *list = rq->acllist;
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
151 if(!list) {
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
152 return REQ_PROCEED;
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
153 }
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
154
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
155 // we combine access_mask with the required access rights
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
156 access_mask |= rq->aclreqaccess;
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
157
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
158 // get user
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
159 User *user = acllist_getuser(sn, rq, list);
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
160
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
161 // evalutate all ACLs
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
162 ACLList *acl = acl_evallist(list, user, access_mask);
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
163 if(acl) {
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
164 acl_set_error_status(sn, rq, acl, user);
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
165 // TODO: don't free the user here
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
166 if(user) {
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
167 user->free(user);
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
168 }
51
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
169 return REQ_ABORTED;
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
170 }
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
171
54
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
172 // access allowed, we can free the user
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
173 if(user) {
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
174 user->free(user);
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
175 }
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
176
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
177 return REQ_PROCEED;
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
178 }
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
179
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
180 ACLList* acl_evallist(ACLListHandle *list, User *user, int access_mask) {
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
181 if(!list) {
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
182 return NULL;
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
183 }
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
184
51
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
185 // evaluate each acl until one denies access
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
186 ACLListElm *elm = list->listhead;
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
187 while(elm) {
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
188 ACLList *acl = elm->acl;
54
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
189 if(!acl->check(acl, user, access_mask)) {
51
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
190 // the acl denies access
54
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
191 return acl;
51
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
192 }
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
193 elm = elm->next;
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
194 }
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
195
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
196 // ok - all acls allowed access
54
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
197
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
198 return NULL;
51
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
199 }
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
200
54
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
201 int wsacl_affects_user(WSAce *ace, User *user) {
52
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
202 int check_access = 0;
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
203
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
204 /*
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
205 * an ace can affect
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
206 * a named user or group (ace->who is set)
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
207 * the owner of the resource (ACL_OWNER is set)
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
208 * the owning group of the resource (ACL_GROUP is set)
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
209 * everyone (ACL_EVERYONE is set)
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
210 *
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
211 * Only one of this conditions should be true. The behavior on
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
212 * illegal flag combination is undefined. We assume that the acls
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
213 * are created correctly by the configuration loader.
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
214 */
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
215
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
216 if(ace->who && user) {
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
217 // this ace is defined for a named user or group
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
218 if((ace->flags & ACL_IDENTIFIER_GROUP) == ACL_IDENTIFIER_GROUP) {
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
219 if(user->check_group(user, ace->who)) {
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
220 // the user is in the group
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
221 check_access = 1;
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
222 }
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
223 } else {
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
224 if(!strcmp(user->name, ace->who)) {
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
225 check_access = 1;
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
226 }
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
227 }
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
228 } else if((ace->flags & ACL_OWNER) == ACL_OWNER) {
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
229 // TODO
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
230 } else if((ace->flags & ACL_GROUP) == ACL_GROUP) {
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
231 // TODO
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
232 } else if((ace->flags & ACL_EVERYONE) == ACL_EVERYONE) {
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
233 check_access = 1;
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
234 }
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
235
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
236 return check_access;
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
237 }
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
238
54
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
239 int wsacl_check(WSAcl *acl, User *user, int access_mask) {
51
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
240 int allow = 0;
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
241 uint32_t allowed_access = 0;
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
242 // check each access control entry
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
243 for(int i=0;i<acl->acenum;i++) {
54
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
244 WSAce *ace = acl->ace[i];
52
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
245 if(wsacl_affects_user(ace, user)) {
51
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
246 if(ace->type == ACL_TYPE_ALLOWED) {
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
247 // add all new access rights
54
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
248 allowed_access |= (access_mask & ace->access_mask);
51
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
249 // check if we have all requested rights
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
250 if((allowed_access & access_mask) == access_mask) {
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
251 allow = 1;
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
252 break;
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
253 }
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
254 } else {
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
255 // ACL_TYPE_DENIED
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
256
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
257 if((ace->access_mask & access_mask) != 0) {
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
258 // access denied
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
259 break;
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
260 }
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
261 }
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
262 }
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
263 }
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
264
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
265 // TODO: events
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
266
54
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
267 return allow; // allow is 0, if no ace set it to 1
51
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
268 }

mercurial