27 */ |
27 */ |
28 |
28 |
29 #ifndef ACL_H |
29 #ifndef ACL_H |
30 #define ACL_H |
30 #define ACL_H |
31 |
31 |
32 #include "../public/nsapi.h" |
32 #include "../public/acl.h" |
33 #include "authdb.h" |
|
34 |
33 |
35 #ifdef __cplusplus |
34 #ifdef __cplusplus |
36 extern "C" { |
35 extern "C" { |
37 #endif |
36 #endif |
38 |
|
39 // ACLListHandle typedef in nsapi.h |
|
40 typedef struct ACLListElm ACLListElm; |
|
41 typedef struct ACLList ACLList; |
|
42 |
|
43 typedef struct WSAcl WSAcl; |
|
44 typedef struct WSAce WSAce; |
|
45 |
|
46 /* |
|
47 * a wrapper struct for acls |
|
48 */ |
|
49 struct ACLListHandle { |
|
50 AuthDB *defaultauthdb; |
|
51 ACLListElm *listhead; |
|
52 ACLListElm *listtail; |
|
53 }; |
|
54 |
|
55 struct ACLListElm { |
|
56 ACLList *acl; |
|
57 ACLListElm *next; |
|
58 }; |
|
59 |
|
60 /* |
|
61 * abstract ACL |
|
62 */ |
|
63 typedef int(*acl_check_f)(ACLList*, User*, int); |
|
64 struct ACLList { |
|
65 AuthDB *authdb; |
|
66 char *authprompt; |
|
67 int isextern; |
|
68 /* int check(ACLList *acl, User *user, int access_mask) */ |
|
69 int(*check)(ACLList *acl, User *user, int access_mask); |
|
70 }; |
|
71 |
|
72 /* |
|
73 * a webserver access control list |
|
74 * |
|
75 * Access control is determined by the ace field. The ece field is a separat |
|
76 * list for audit and alarm entries. |
|
77 */ |
|
78 struct WSAcl { |
|
79 ACLList acl; |
|
80 WSAce **ace; // access control entries |
|
81 WSAce **ece; // event control entries (audit/alarm entries) |
|
82 int acenum; // number of aces |
|
83 int ecenum; // number of eces |
|
84 }; |
|
85 |
|
86 |
|
87 struct WSAce { |
|
88 char *who; // user or group name |
|
89 uint32_t access_mask; |
|
90 uint16_t flags; |
|
91 uint16_t type; |
|
92 }; |
|
93 |
|
94 |
|
95 /* |
|
96 * access permissions |
|
97 */ |
|
98 #define ACL_READ_DATA 0x0001 |
|
99 #define ACL_WRITE_DATA 0x0002 |
|
100 #define ACL_APPEND 0x0002 |
|
101 #define ACL_ADD_FILE 0x0004 |
|
102 #define ACL_ADD_SUBDIRECTORY 0x0004 |
|
103 #define ACL_READ_XATTR 0x0008 |
|
104 #define ACL_WRITE_XATTR 0x0010 |
|
105 #define ACL_EXECUTE 0x0020 |
|
106 #define ACL_DELETE_CHILD 0x0040 |
|
107 #define ACL_DELETE 0x0040 |
|
108 #define ACL_READ_ATTRIBUTES 0x0080 |
|
109 #define ACL_WRITE_ATTRIBUTES 0x0100 |
|
110 #define ACL_LIST 0x0200 |
|
111 #define ACL_READ_ACL 0x0400 |
|
112 #define ACL_WRITE_ACL 0x0800 |
|
113 #define ACL_WRITE_OWNER 0x1000 |
|
114 #define ACL_SYNCHRONIZE 0x2000 |
|
115 #define ACL_READ \ |
|
116 (ACL_READ_DATA|ACL_READ_XATTR|ACL_READ_ATTRIBUTES) |
|
117 #define ACL_WRITE \ |
|
118 (ACL_WRITE_DATA|ACL_WRITE_XATTR|ACL_WRITE_ATTRIBUTES) |
|
119 |
|
120 /* |
|
121 * ace flags |
|
122 */ |
|
123 #define ACL_FILE_INHERIT 0x0001 |
|
124 #define ACL_DIR_INHERIT 0x0002 |
|
125 #define ACL_NO_PROPAGATE 0x0004 |
|
126 #define ACL_INHERIT_ONLY 0x0008 |
|
127 #define ACL_SUCCESSFUL_ACCESS_FLAG 0x0010 |
|
128 #define ACL_FAILED_ACCESS_ACE_FLAG 0x0020 |
|
129 #define ACL_IDENTIFIER_GROUP 0x0040 |
|
130 #define ACL_OWNER 0x1000 |
|
131 #define ACL_GROUP 0x2000 |
|
132 #define ACL_EVERYONE 0x4000 |
|
133 |
|
134 /* |
|
135 * ace type |
|
136 */ |
|
137 #define ACL_TYPE_ALLOWED 0x01 |
|
138 #define ACL_TYPE_DENIED 0x02 |
|
139 #define ACL_TYPE_AUDIT 0x03 |
|
140 #define ACL_TYPE_ALARM 0x04 |
|
141 |
|
142 |
|
143 /* |
|
144 * public API |
|
145 */ |
|
146 |
|
147 // list |
|
148 void acllist_append(Session *sn, Request *rq, ACLList *acl); |
|
149 void acllist_prepend(Session *sn, Request *rq, ACLList *acl); |
|
150 |
|
151 /* |
|
152 * gets a access mask from open flags |
|
153 */ |
|
154 uint32_t acl_oflag2mask(int oflags); |
|
155 |
|
156 /* |
|
157 * authenticates the user with the user database specified in the acl list |
|
158 */ |
|
159 User* acllist_getuser(Session *sn, Request *rq, ACLListHandle *list); |
|
160 |
|
161 /* |
|
162 * sets the status to 403 or 401 and sets www-authenticate |
|
163 * |
|
164 * use this only if a ACL denies access |
|
165 */ |
|
166 void acl_set_error_status(Session *sn, Request *rq, ACLList *acl, User *user); |
|
167 |
|
168 /* |
|
169 * acl_evaluate |
|
170 * |
|
171 * Evaluates all ACLs in rq->acllist. It combines rq->aclreqaccess and |
|
172 * access_mask. If access is denied and no user is authenticated it sets the |
|
173 * www-authenticate header and the status to 401 Unauthorized. |
|
174 * |
|
175 * returns REQ_PROCEED if access is allowed or REQ_ABORTED if access is denied |
|
176 */ |
|
177 int acl_evaluate(Session *sn, Request *rq, int access_mask); |
|
178 |
|
179 /* |
|
180 * acl_evallist |
|
181 * |
|
182 * evalutes all ACLs in acllist |
|
183 * |
|
184 * returns NULL if access is allowed or a pointer to the ACLList which |
|
185 * denied access |
|
186 */ |
|
187 ACLList* acl_evallist(ACLListHandle *acllist, User *user, int access_mask); |
|
188 |
|
189 |
37 |
190 // private |
38 // private |
191 int wsacl_affects_user(WSAce *ace, User *user); |
39 int wsacl_affects_user(WSAce *ace, User *user); |
192 int wsacl_check(WSAcl *acl, User *user, int access_mask); |
40 int wsacl_check(WSAcl *acl, User *user, int access_mask); |
193 |
41 |