• file
• latest
• revisions
• annotate
• diff
• comparison
• raw

src/server/daemon/acl.c@aced2245fb1c (annotated)

src/server/daemon/acl.c

Fri, 01 Mar 2013 21:15:52 +0100

author

Olaf Wintermann <olaf.wintermann@gmail.com>

date

Fri, 01 Mar 2013 21:15:52 +0100

changeset 52

aced2245fb1c

parent 51

b28cf69f42e8

child 53

5ec9abba1027

permissions

-rw-r--r--

new pathcheck saf and code cleanup

51 b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	1	/*
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	2	* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	3	*
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	4	* Copyright 2013 Olaf Wintermann. All rights reserved.
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	5	*
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	6	* Redistribution and use in source and binary forms, with or without
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	7	* modification, are permitted provided that the following conditions are met:
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	8	*
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	9	* 1. Redistributions of source code must retain the above copyright
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	10	* notice, this list of conditions and the following disclaimer.
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	11	*
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	12	* 2. Redistributions in binary form must reproduce the above copyright
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	13	* notice, this list of conditions and the following disclaimer in the
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	14	* documentation and/or other materials provided with the distribution.
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	15	*
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	16	* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	17	* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	18	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	19	* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	20	* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	21	* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	22	* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	23	* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	24	* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	25	* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	26	* POSSIBILITY OF SUCH DAMAGE.
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	27	*/
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	28
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	29	#include <stdio.h>
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	30	#include <stdlib.h>
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	31
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	32	#include "../util/pool.h"
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	33	#include "../safs/auth.h"
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	34	#include "acl.h"
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	35
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	36	void acllist_createhandle(Session *sn, Request *rq) {
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	37	ACLListHandle *handle = pool_malloc(sn->pool, sizeof(ACLListHandle));
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	38	handle->defaultauthdb = NULL;
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	39	handle->listhead = NULL;
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	40	handle->listtail = NULL;
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	41	rq->acllist = handle;
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	42	}
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	43
52 aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	44	/*
aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	45	* append or prepend an ACL
aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	46	*/
aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	47	void acllist_add(Session *sn, Request *rq, ACLList *acl, int append) {
51 b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	48	if(!rq->acllist) {
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	49	acllist_createhandle(sn, rq);
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	50	}
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	51	ACLListHandle *list = rq->acllist;
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	52
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	53	if(!list->defaultauthdb && acl->authdb) {
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	54	list->defaultauthdb = acl->authdb;
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	55	}
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	56
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	57	ACLListElm *elm = pool_malloc(sn->pool, sizeof(ACLListElm));
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	58	elm->acl = acl;
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	59	elm->next = NULL;
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	60	if(list->listhead == NULL) {
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	61	list->listhead = elm;
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	62	list->listtail = elm;
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	63	} else {
52 aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	64	if(append) {
aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	65	list->listtail->next = elm;
aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	66	list->listtail = elm;
aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	67	} else {
aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	68	elm->next = list->listhead;
aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	69	list->listhead = elm;
aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	70	}
51 b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	71	}
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	72	}
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	73
52 aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	74	void acllist_append(Session *sn, Request *rq, ACLList *acl) {
aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	75	acllist_add(sn, rq, acl, 1);
aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	76	}
aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	77
51 b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	78	void acllist_prepend(Session *sn, Request *rq, ACLList *acl) {
52 aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	79	acllist_add(sn, rq, acl, 0);
51 b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	80	}
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	81
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	82
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	83	int acl_evaluate(Session *sn, Request *rq, int access_mask) {
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	84	ACLListHandle *list = rq->acllist;
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	85	if(!list) {
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	86	return REQ_PROCEED;
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	87	}
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	88
52 aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	89	// we combine access_mask with the required access rights
aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	90	access_mask = access_mask | rq->aclreqaccess;
aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	91
aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	92
51 b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	93	// get user
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	94	User *user = NULL;
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	95	if(list->defaultauthdb) {
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	96	char *usr;
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	97	char *pw;
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	98	if(!basicauth_getuser(sn, rq, &usr, &pw)) {
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	99	user = list->defaultauthdb->get_user(list->defaultauthdb, usr);
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	100	if(!user) {
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	101	// wrong user name
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	102	return REQ_ABORTED;
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	103	}
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	104	if(!user->verify_password(user, pw)) {
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	105	// wrong password
52 aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	106	user->free(user);
51 b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	107	return REQ_ABORTED;
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	108	}
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	109	// ok - user is authenticated
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	110	}
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	111	} else {
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	112	// TODO
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	113	return REQ_ABORTED;
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	114	}
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	115
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	116	// evaluate each acl until one denies access
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	117	ACLListElm *elm = list->listhead;
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	118	while(elm) {
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	119	ACLList *acl = elm->acl;
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	120	if(!wsacl_check(acl, user, access_mask)) {
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	121	// the acl denies access
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	122
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	123	if(!user) {
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	124	pblock_nvinsert(
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	125	"www-authenticate",
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	126	"Basic realm=\"Webserver\"",
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	127	rq->srvhdrs);
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	128	protocol_status(sn, rq, PROTOCOL_UNAUTHORIZED, NULL);
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	129	}
52 aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	130	user->free(user);
51 b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	131	return REQ_ABORTED;
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	132	}
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	133	elm = elm->next;
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	134	}
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	135
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	136	// ok - all acls allowed access
52 aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	137	user->free(user);
51 b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	138	return REQ_PROCEED;
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	139	}
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	140
52 aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	141	int wsacl_affects_user(ACLEntry *ace, User *user) {
aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	142	int check_access = 0;
aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	143
aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	144	/*
aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	145	* an ace can affect
aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	146	* a named user or group (ace->who is set)
aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	147	* the owner of the resource (ACL_OWNER is set)
aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	148	* the owning group of the resource (ACL_GROUP is set)
aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	149	* everyone (ACL_EVERYONE is set)
aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	150	*
aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	151	* Only one of this conditions should be true. The behavior on
aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	152	* illegal flag combination is undefined. We assume that the acls
aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	153	* are created correctly by the configuration loader.
aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	154	*/
aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	155
aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	156	if(ace->who && user) {
aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	157	// this ace is defined for a named user or group
aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	158	if((ace->flags & ACL_IDENTIFIER_GROUP) == ACL_IDENTIFIER_GROUP) {
aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	159	if(user->check_group(user, ace->who)) {
aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	160	// the user is in the group
aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	161	check_access = 1;
aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	162	}
aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	163	} else {
aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	164	if(!strcmp(user->name, ace->who)) {
aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	165	check_access = 1;
aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	166	}
aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	167	}
aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	168	} else if((ace->flags & ACL_OWNER) == ACL_OWNER) {
aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	169	// TODO
aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	170	} else if((ace->flags & ACL_GROUP) == ACL_GROUP) {
aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	171	// TODO
aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	172	} else if((ace->flags & ACL_EVERYONE) == ACL_EVERYONE) {
aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	173	check_access = 1;
aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	174	}
aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	175
aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	176	return check_access;
aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	177	}
aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	178
51 b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	179	int wsacl_check(ACLList *acl, User *user, int access_mask) {
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	180	int allow = 0;
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	181	uint32_t allowed_access = 0;
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	182	// check each access control entry
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	183	for(int i=0;i<acl->acenum;i++) {
52 aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	184	ACLEntry *ace = acl->ace[i];
aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	185	if(wsacl_affects_user(ace, user)) {
51 b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	186	if(ace->type == ACL_TYPE_ALLOWED) {
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	187	// add all new access rights
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	188	allowed_access = allowed_access |
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	189	(access_mask & ace->access_mask);
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	190	// check if we have all requested rights
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	191	if((allowed_access & access_mask) == access_mask) {
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	192	allow = 1;
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	193	break;
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	194	}
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	195	} else {
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	196	// ACL_TYPE_DENIED
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	197
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	198	if((ace->access_mask & access_mask) != 0) {
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	199	// access denied
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	200	break;
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	201	}
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	202	}
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	203	}
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	204	}
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	205
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	206	// TODO: events
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	207
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	208	return allow;
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	209	}