• file
• latest
• revisions
• annotate
• diff
• comparison
• raw

src/server/daemon/acl.c@b7908bf38f9f (annotated)

src/server/daemon/acl.c

Sun, 17 Mar 2013 12:47:59 +0100

author

Olaf Wintermann <olaf.wintermann@gmail.com>

date

Sun, 17 Mar 2013 12:47:59 +0100

changeset 55

b7908bf38f9f

parent 54

3a1d5a52adfc

child 63

66442f81f823

permissions

-rw-r--r--

vfs can read directories

51 b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	1	/*
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	2	* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	3	*
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	4	* Copyright 2013 Olaf Wintermann. All rights reserved.
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	5	*
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	6	* Redistribution and use in source and binary forms, with or without
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	7	* modification, are permitted provided that the following conditions are met:
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	8	*
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	9	* 1. Redistributions of source code must retain the above copyright
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	10	* notice, this list of conditions and the following disclaimer.
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	11	*
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	12	* 2. Redistributions in binary form must reproduce the above copyright
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	13	* notice, this list of conditions and the following disclaimer in the
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	14	* documentation and/or other materials provided with the distribution.
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	15	*
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	16	* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	17	* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	18	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	19	* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	20	* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	21	* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	22	* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	23	* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	24	* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	25	* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	26	* POSSIBILITY OF SUCH DAMAGE.
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	27	*/
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	28
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	29	#include <stdio.h>
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	30	#include <stdlib.h>
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	31
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	32	#include "../util/pool.h"
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	33	#include "../safs/auth.h"
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	34	#include "acl.h"
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	35
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	36	void acllist_createhandle(Session *sn, Request *rq) {
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	37	ACLListHandle *handle = pool_malloc(sn->pool, sizeof(ACLListHandle));
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	38	handle->defaultauthdb = NULL;
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	39	handle->listhead = NULL;
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	40	handle->listtail = NULL;
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	41	rq->acllist = handle;
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	42	}
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	43
52 aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	44	/*
aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	45	* append or prepend an ACL
aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	46	*/
aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	47	void acllist_add(Session *sn, Request *rq, ACLList *acl, int append) {
51 b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	48	if(!rq->acllist) {
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	49	acllist_createhandle(sn, rq);
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	50	}
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	51	ACLListHandle *list = rq->acllist;
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	52
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	53	if(!list->defaultauthdb && acl->authdb) {
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	54	list->defaultauthdb = acl->authdb;
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	55	}
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	56
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	57	ACLListElm *elm = pool_malloc(sn->pool, sizeof(ACLListElm));
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	58	elm->acl = acl;
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	59	elm->next = NULL;
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	60	if(list->listhead == NULL) {
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	61	list->listhead = elm;
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	62	list->listtail = elm;
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	63	} else {
52 aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	64	if(append) {
aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	65	list->listtail->next = elm;
aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	66	list->listtail = elm;
aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	67	} else {
aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	68	elm->next = list->listhead;
aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	69	list->listhead = elm;
aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	70	}
51 b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	71	}
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	72	}
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	73
52 aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	74	void acllist_append(Session *sn, Request *rq, ACLList *acl) {
aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	75	acllist_add(sn, rq, acl, 1);
aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	76	}
aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	77
51 b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	78	void acllist_prepend(Session *sn, Request *rq, ACLList *acl) {
52 aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	79	acllist_add(sn, rq, acl, 0);
51 b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	80	}
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	81
54 3a1d5a52adfc new vfs api Olaf Wintermann <olaf.wintermann@gmail.com> parents: 53 diff changeset	82	uint32_t acl_oflag2mask(int oflags) {
3a1d5a52adfc new vfs api Olaf Wintermann <olaf.wintermann@gmail.com> parents: 53 diff changeset	83	/* TODO:
3a1d5a52adfc new vfs api Olaf Wintermann <olaf.wintermann@gmail.com> parents: 53 diff changeset	84	* maybe there is a plattform where O_RDWR is not O_RDONLY | O_WRONLY
3a1d5a52adfc new vfs api Olaf Wintermann <olaf.wintermann@gmail.com> parents: 53 diff changeset	85	*/
3a1d5a52adfc new vfs api Olaf Wintermann <olaf.wintermann@gmail.com> parents: 53 diff changeset	86	uint32_t access_mask = 0;
3a1d5a52adfc new vfs api Olaf Wintermann <olaf.wintermann@gmail.com> parents: 53 diff changeset	87	if((oflags & O_RDONLY) == O_RDONLY) {
3a1d5a52adfc new vfs api Olaf Wintermann <olaf.wintermann@gmail.com> parents: 53 diff changeset	88	access_mask |= ACL_READ_DATA;
3a1d5a52adfc new vfs api Olaf Wintermann <olaf.wintermann@gmail.com> parents: 53 diff changeset	89	}
3a1d5a52adfc new vfs api Olaf Wintermann <olaf.wintermann@gmail.com> parents: 53 diff changeset	90	if((oflags & O_WRONLY) == O_WRONLY) {
3a1d5a52adfc new vfs api Olaf Wintermann <olaf.wintermann@gmail.com> parents: 53 diff changeset	91	access_mask |= ACL_WRITE_DATA;
3a1d5a52adfc new vfs api Olaf Wintermann <olaf.wintermann@gmail.com> parents: 53 diff changeset	92	}
3a1d5a52adfc new vfs api Olaf Wintermann <olaf.wintermann@gmail.com> parents: 53 diff changeset	93	return access_mask;
3a1d5a52adfc new vfs api Olaf Wintermann <olaf.wintermann@gmail.com> parents: 53 diff changeset	94	}
51 b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	95
54 3a1d5a52adfc new vfs api Olaf Wintermann <olaf.wintermann@gmail.com> parents: 53 diff changeset	96	User* acllist_getuser(Session *sn, Request *rq, ACLListHandle *list) {
3a1d5a52adfc new vfs api Olaf Wintermann <olaf.wintermann@gmail.com> parents: 53 diff changeset	97	if(!sn || !rq || !list) {
3a1d5a52adfc new vfs api Olaf Wintermann <olaf.wintermann@gmail.com> parents: 53 diff changeset	98	return NULL;
51 b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	99	}
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	100
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	101	// get user
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	102	User *user = NULL;
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	103	if(list->defaultauthdb) {
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	104	char *usr;
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	105	char *pw;
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	106	if(!basicauth_getuser(sn, rq, &usr, &pw)) {
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	107	user = list->defaultauthdb->get_user(list->defaultauthdb, usr);
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	108	if(!user) {
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	109	// wrong user name
54 3a1d5a52adfc new vfs api Olaf Wintermann <olaf.wintermann@gmail.com> parents: 53 diff changeset	110	return NULL;
51 b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	111	}
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	112	if(!user->verify_password(user, pw)) {
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	113	// wrong password
52 aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	114	user->free(user);
54 3a1d5a52adfc new vfs api Olaf Wintermann <olaf.wintermann@gmail.com> parents: 53 diff changeset	115	return NULL;
51 b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	116	}
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	117	// ok - user is authenticated
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	118	}
54 3a1d5a52adfc new vfs api Olaf Wintermann <olaf.wintermann@gmail.com> parents: 53 diff changeset	119	}
3a1d5a52adfc new vfs api Olaf Wintermann <olaf.wintermann@gmail.com> parents: 53 diff changeset	120
3a1d5a52adfc new vfs api Olaf Wintermann <olaf.wintermann@gmail.com> parents: 53 diff changeset	121	return user;
3a1d5a52adfc new vfs api Olaf Wintermann <olaf.wintermann@gmail.com> parents: 53 diff changeset	122	}
3a1d5a52adfc new vfs api Olaf Wintermann <olaf.wintermann@gmail.com> parents: 53 diff changeset	123
3a1d5a52adfc new vfs api Olaf Wintermann <olaf.wintermann@gmail.com> parents: 53 diff changeset	124	void acl_set_error_status(Session *sn, Request *rq, ACLList *acl, User *user) {
3a1d5a52adfc new vfs api Olaf Wintermann <olaf.wintermann@gmail.com> parents: 53 diff changeset	125	if(!user) {
3a1d5a52adfc new vfs api Olaf Wintermann <olaf.wintermann@gmail.com> parents: 53 diff changeset	126	char *value = NULL;
3a1d5a52adfc new vfs api Olaf Wintermann <olaf.wintermann@gmail.com> parents: 53 diff changeset	127	if(acl->authprompt) {
3a1d5a52adfc new vfs api Olaf Wintermann <olaf.wintermann@gmail.com> parents: 53 diff changeset	128	size_t realmlen = strlen(acl->authprompt);
3a1d5a52adfc new vfs api Olaf Wintermann <olaf.wintermann@gmail.com> parents: 53 diff changeset	129	size_t len = realmlen + 16;
3a1d5a52adfc new vfs api Olaf Wintermann <olaf.wintermann@gmail.com> parents: 53 diff changeset	130	value = pool_malloc(sn->pool, len);
3a1d5a52adfc new vfs api Olaf Wintermann <olaf.wintermann@gmail.com> parents: 53 diff changeset	131	if(value) {
3a1d5a52adfc new vfs api Olaf Wintermann <olaf.wintermann@gmail.com> parents: 53 diff changeset	132	snprintf(
3a1d5a52adfc new vfs api Olaf Wintermann <olaf.wintermann@gmail.com> parents: 53 diff changeset	133	value,
3a1d5a52adfc new vfs api Olaf Wintermann <olaf.wintermann@gmail.com> parents: 53 diff changeset	134	len,
3a1d5a52adfc new vfs api Olaf Wintermann <olaf.wintermann@gmail.com> parents: 53 diff changeset	135	"Basic realm=\"%s\"",
3a1d5a52adfc new vfs api Olaf Wintermann <olaf.wintermann@gmail.com> parents: 53 diff changeset	136	acl->authprompt);
3a1d5a52adfc new vfs api Olaf Wintermann <olaf.wintermann@gmail.com> parents: 53 diff changeset	137	}
3a1d5a52adfc new vfs api Olaf Wintermann <olaf.wintermann@gmail.com> parents: 53 diff changeset	138	}
3a1d5a52adfc new vfs api Olaf Wintermann <olaf.wintermann@gmail.com> parents: 53 diff changeset	139	if(!value) {
3a1d5a52adfc new vfs api Olaf Wintermann <olaf.wintermann@gmail.com> parents: 53 diff changeset	140	value = "Basic realm=\"login\"";
3a1d5a52adfc new vfs api Olaf Wintermann <olaf.wintermann@gmail.com> parents: 53 diff changeset	141	}
3a1d5a52adfc new vfs api Olaf Wintermann <olaf.wintermann@gmail.com> parents: 53 diff changeset	142	pblock_nvinsert("www-authenticate", value, rq->srvhdrs);
3a1d5a52adfc new vfs api Olaf Wintermann <olaf.wintermann@gmail.com> parents: 53 diff changeset	143	protocol_status(sn, rq, PROTOCOL_UNAUTHORIZED, NULL);
51 b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	144	} else {
54 3a1d5a52adfc new vfs api Olaf Wintermann <olaf.wintermann@gmail.com> parents: 53 diff changeset	145	protocol_status(sn, rq, PROTOCOL_FORBIDDEN, NULL);
3a1d5a52adfc new vfs api Olaf Wintermann <olaf.wintermann@gmail.com> parents: 53 diff changeset	146	}
3a1d5a52adfc new vfs api Olaf Wintermann <olaf.wintermann@gmail.com> parents: 53 diff changeset	147	}
3a1d5a52adfc new vfs api Olaf Wintermann <olaf.wintermann@gmail.com> parents: 53 diff changeset	148
3a1d5a52adfc new vfs api Olaf Wintermann <olaf.wintermann@gmail.com> parents: 53 diff changeset	149	int acl_evaluate(Session *sn, Request *rq, int access_mask) {
3a1d5a52adfc new vfs api Olaf Wintermann <olaf.wintermann@gmail.com> parents: 53 diff changeset	150	ACLListHandle *list = rq->acllist;
3a1d5a52adfc new vfs api Olaf Wintermann <olaf.wintermann@gmail.com> parents: 53 diff changeset	151	if(!list) {
3a1d5a52adfc new vfs api Olaf Wintermann <olaf.wintermann@gmail.com> parents: 53 diff changeset	152	return REQ_PROCEED;
3a1d5a52adfc new vfs api Olaf Wintermann <olaf.wintermann@gmail.com> parents: 53 diff changeset	153	}
3a1d5a52adfc new vfs api Olaf Wintermann <olaf.wintermann@gmail.com> parents: 53 diff changeset	154
3a1d5a52adfc new vfs api Olaf Wintermann <olaf.wintermann@gmail.com> parents: 53 diff changeset	155	// we combine access_mask with the required access rights
3a1d5a52adfc new vfs api Olaf Wintermann <olaf.wintermann@gmail.com> parents: 53 diff changeset	156	access_mask |= rq->aclreqaccess;
3a1d5a52adfc new vfs api Olaf Wintermann <olaf.wintermann@gmail.com> parents: 53 diff changeset	157
3a1d5a52adfc new vfs api Olaf Wintermann <olaf.wintermann@gmail.com> parents: 53 diff changeset	158	// get user
3a1d5a52adfc new vfs api Olaf Wintermann <olaf.wintermann@gmail.com> parents: 53 diff changeset	159	User *user = acllist_getuser(sn, rq, list);
3a1d5a52adfc new vfs api Olaf Wintermann <olaf.wintermann@gmail.com> parents: 53 diff changeset	160
3a1d5a52adfc new vfs api Olaf Wintermann <olaf.wintermann@gmail.com> parents: 53 diff changeset	161	// evalutate all ACLs
3a1d5a52adfc new vfs api Olaf Wintermann <olaf.wintermann@gmail.com> parents: 53 diff changeset	162	ACLList *acl = acl_evallist(list, user, access_mask);
3a1d5a52adfc new vfs api Olaf Wintermann <olaf.wintermann@gmail.com> parents: 53 diff changeset	163	if(acl) {
3a1d5a52adfc new vfs api Olaf Wintermann <olaf.wintermann@gmail.com> parents: 53 diff changeset	164	acl_set_error_status(sn, rq, acl, user);
3a1d5a52adfc new vfs api Olaf Wintermann <olaf.wintermann@gmail.com> parents: 53 diff changeset	165	// TODO: don't free the user here
3a1d5a52adfc new vfs api Olaf Wintermann <olaf.wintermann@gmail.com> parents: 53 diff changeset	166	if(user) {
3a1d5a52adfc new vfs api Olaf Wintermann <olaf.wintermann@gmail.com> parents: 53 diff changeset	167	user->free(user);
3a1d5a52adfc new vfs api Olaf Wintermann <olaf.wintermann@gmail.com> parents: 53 diff changeset	168	}
51 b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	169	return REQ_ABORTED;
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	170	}
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	171
54 3a1d5a52adfc new vfs api Olaf Wintermann <olaf.wintermann@gmail.com> parents: 53 diff changeset	172	// access allowed, we can free the user
3a1d5a52adfc new vfs api Olaf Wintermann <olaf.wintermann@gmail.com> parents: 53 diff changeset	173	if(user) {
3a1d5a52adfc new vfs api Olaf Wintermann <olaf.wintermann@gmail.com> parents: 53 diff changeset	174	user->free(user);
3a1d5a52adfc new vfs api Olaf Wintermann <olaf.wintermann@gmail.com> parents: 53 diff changeset	175	}
3a1d5a52adfc new vfs api Olaf Wintermann <olaf.wintermann@gmail.com> parents: 53 diff changeset	176
3a1d5a52adfc new vfs api Olaf Wintermann <olaf.wintermann@gmail.com> parents: 53 diff changeset	177	return REQ_PROCEED;
3a1d5a52adfc new vfs api Olaf Wintermann <olaf.wintermann@gmail.com> parents: 53 diff changeset	178	}
3a1d5a52adfc new vfs api Olaf Wintermann <olaf.wintermann@gmail.com> parents: 53 diff changeset	179
3a1d5a52adfc new vfs api Olaf Wintermann <olaf.wintermann@gmail.com> parents: 53 diff changeset	180	ACLList* acl_evallist(ACLListHandle *list, User *user, int access_mask) {
3a1d5a52adfc new vfs api Olaf Wintermann <olaf.wintermann@gmail.com> parents: 53 diff changeset	181	if(!list) {
3a1d5a52adfc new vfs api Olaf Wintermann <olaf.wintermann@gmail.com> parents: 53 diff changeset	182	return NULL;
3a1d5a52adfc new vfs api Olaf Wintermann <olaf.wintermann@gmail.com> parents: 53 diff changeset	183	}
3a1d5a52adfc new vfs api Olaf Wintermann <olaf.wintermann@gmail.com> parents: 53 diff changeset	184
51 b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	185	// evaluate each acl until one denies access
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	186	ACLListElm *elm = list->listhead;
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	187	while(elm) {
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	188	ACLList *acl = elm->acl;
54 3a1d5a52adfc new vfs api Olaf Wintermann <olaf.wintermann@gmail.com> parents: 53 diff changeset	189	if(!acl->check(acl, user, access_mask)) {
51 b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	190	// the acl denies access
54 3a1d5a52adfc new vfs api Olaf Wintermann <olaf.wintermann@gmail.com> parents: 53 diff changeset	191	return acl;
51 b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	192	}
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	193	elm = elm->next;
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	194	}
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	195
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	196	// ok - all acls allowed access
54 3a1d5a52adfc new vfs api Olaf Wintermann <olaf.wintermann@gmail.com> parents: 53 diff changeset	197
3a1d5a52adfc new vfs api Olaf Wintermann <olaf.wintermann@gmail.com> parents: 53 diff changeset	198	return NULL;
51 b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	199	}
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	200
54 3a1d5a52adfc new vfs api Olaf Wintermann <olaf.wintermann@gmail.com> parents: 53 diff changeset	201	int wsacl_affects_user(WSAce *ace, User *user) {
52 aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	202	int check_access = 0;
aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	203
aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	204	/*
aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	205	* an ace can affect
aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	206	* a named user or group (ace->who is set)
aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	207	* the owner of the resource (ACL_OWNER is set)
aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	208	* the owning group of the resource (ACL_GROUP is set)
aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	209	* everyone (ACL_EVERYONE is set)
aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	210	*
aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	211	* Only one of this conditions should be true. The behavior on
aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	212	* illegal flag combination is undefined. We assume that the acls
aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	213	* are created correctly by the configuration loader.
aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	214	*/
aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	215
aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	216	if(ace->who && user) {
aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	217	// this ace is defined for a named user or group
aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	218	if((ace->flags & ACL_IDENTIFIER_GROUP) == ACL_IDENTIFIER_GROUP) {
aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	219	if(user->check_group(user, ace->who)) {
aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	220	// the user is in the group
aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	221	check_access = 1;
aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	222	}
aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	223	} else {
aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	224	if(!strcmp(user->name, ace->who)) {
aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	225	check_access = 1;
aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	226	}
aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	227	}
aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	228	} else if((ace->flags & ACL_OWNER) == ACL_OWNER) {
aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	229	// TODO
aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	230	} else if((ace->flags & ACL_GROUP) == ACL_GROUP) {
aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	231	// TODO
aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	232	} else if((ace->flags & ACL_EVERYONE) == ACL_EVERYONE) {
aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	233	check_access = 1;
aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	234	}
aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	235
aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	236	return check_access;
aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	237	}
aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	238
54 3a1d5a52adfc new vfs api Olaf Wintermann <olaf.wintermann@gmail.com> parents: 53 diff changeset	239	int wsacl_check(WSAcl *acl, User *user, int access_mask) {
51 b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	240	int allow = 0;
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	241	uint32_t allowed_access = 0;
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	242	// check each access control entry
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	243	for(int i=0;i<acl->acenum;i++) {
54 3a1d5a52adfc new vfs api Olaf Wintermann <olaf.wintermann@gmail.com> parents: 53 diff changeset	244	WSAce *ace = acl->ace[i];
52 aced2245fb1c new pathcheck saf and code cleanup Olaf Wintermann <olaf.wintermann@gmail.com> parents: 51 diff changeset	245	if(wsacl_affects_user(ace, user)) {
51 b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	246	if(ace->type == ACL_TYPE_ALLOWED) {
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	247	// add all new access rights
54 3a1d5a52adfc new vfs api Olaf Wintermann <olaf.wintermann@gmail.com> parents: 53 diff changeset	248	allowed_access |= (access_mask & ace->access_mask);
51 b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	249	// check if we have all requested rights
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	250	if((allowed_access & access_mask) == access_mask) {
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	251	allow = 1;
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	252	break;
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	253	}
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	254	} else {
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	255	// ACL_TYPE_DENIED
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	256
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	257	if((ace->access_mask & access_mask) != 0) {
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	258	// access denied
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	259	break;
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	260	}
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	261	}
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	262	}
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	263	}
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	264
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	265	// TODO: events
b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	266
54 3a1d5a52adfc new vfs api Olaf Wintermann <olaf.wintermann@gmail.com> parents: 53 diff changeset	267	return allow; // allow is 0, if no ace set it to 1
51 b28cf69f42e8 added acls Olaf Wintermann <olaf.wintermann@gmail.com> parents: diff changeset	268	}