comparison: src/server/daemon/acl.h
src/server/daemon/acl.h
- changeset 59
- ab25c0a231d0
- parent 54
- 3a1d5a52adfc
- child 63
- 66442f81f823
equal
deleted
inserted
replaced
| 58:66c22e54aa90 | 59:ab25c0a231d0 |
|---|---|
| 27 */ | 27 */ |
| 28 | 28 |
| 29 #ifndef ACL_H | 29 #ifndef ACL_H |
| 30 #define ACL_H | 30 #define ACL_H |
| 31 | 31 |
| 32 #include "../public/nsapi.h" | 32 #include "../public/acl.h" |
| 33 #include "authdb.h" | |
| 34 | 33 |
| 35 #ifdef __cplusplus | 34 #ifdef __cplusplus |
| 36 extern "C" { | 35 extern "C" { |
| 37 #endif | 36 #endif |
| 38 | |
| 39 // ACLListHandle typedef in nsapi.h | |
| 40 typedef struct ACLListElm ACLListElm; | |
| 41 typedef struct ACLList ACLList; | |
| 42 | |
| 43 typedef struct WSAcl WSAcl; | |
| 44 typedef struct WSAce WSAce; | |
| 45 | |
| 46 /* | |
| 47 * a wrapper struct for acls | |
| 48 */ | |
| 49 struct ACLListHandle { | |
| 50 AuthDB *defaultauthdb; | |
| 51 ACLListElm *listhead; | |
| 52 ACLListElm *listtail; | |
| 53 }; | |
| 54 | |
| 55 struct ACLListElm { | |
| 56 ACLList *acl; | |
| 57 ACLListElm *next; | |
| 58 }; | |
| 59 | |
| 60 /* | |
| 61 * abstract ACL | |
| 62 */ | |
| 63 typedef int(*acl_check_f)(ACLList*, User*, int); | |
| 64 struct ACLList { | |
| 65 AuthDB *authdb; | |
| 66 char *authprompt; | |
| 67 int isextern; | |
| 68 /* int check(ACLList *acl, User *user, int access_mask) */ | |
| 69 int(*check)(ACLList *acl, User *user, int access_mask); | |
| 70 }; | |
| 71 | |
| 72 /* | |
| 73 * a webserver access control list | |
| 74 * | |
| 75 * Access control is determined by the ace field. The ece field is a separat | |
| 76 * list for audit and alarm entries. | |
| 77 */ | |
| 78 struct WSAcl { | |
| 79 ACLList acl; | |
| 80 WSAce **ace; // access control entries | |
| 81 WSAce **ece; // event control entries (audit/alarm entries) | |
| 82 int acenum; // number of aces | |
| 83 int ecenum; // number of eces | |
| 84 }; | |
| 85 | |
| 86 | |
| 87 struct WSAce { | |
| 88 char *who; // user or group name | |
| 89 uint32_t access_mask; | |
| 90 uint16_t flags; | |
| 91 uint16_t type; | |
| 92 }; | |
| 93 | |
| 94 | |
| 95 /* | |
| 96 * access permissions | |
| 97 */ | |
| 98 #define ACL_READ_DATA 0x0001 | |
| 99 #define ACL_WRITE_DATA 0x0002 | |
| 100 #define ACL_APPEND 0x0002 | |
| 101 #define ACL_ADD_FILE 0x0004 | |
| 102 #define ACL_ADD_SUBDIRECTORY 0x0004 | |
| 103 #define ACL_READ_XATTR 0x0008 | |
| 104 #define ACL_WRITE_XATTR 0x0010 | |
| 105 #define ACL_EXECUTE 0x0020 | |
| 106 #define ACL_DELETE_CHILD 0x0040 | |
| 107 #define ACL_DELETE 0x0040 | |
| 108 #define ACL_READ_ATTRIBUTES 0x0080 | |
| 109 #define ACL_WRITE_ATTRIBUTES 0x0100 | |
| 110 #define ACL_LIST 0x0200 | |
| 111 #define ACL_READ_ACL 0x0400 | |
| 112 #define ACL_WRITE_ACL 0x0800 | |
| 113 #define ACL_WRITE_OWNER 0x1000 | |
| 114 #define ACL_SYNCHRONIZE 0x2000 | |
| 115 #define ACL_READ \ | |
| 116 (ACL_READ_DATA|ACL_READ_XATTR|ACL_READ_ATTRIBUTES) | |
| 117 #define ACL_WRITE \ | |
| 118 (ACL_WRITE_DATA|ACL_WRITE_XATTR|ACL_WRITE_ATTRIBUTES) | |
| 119 | |
| 120 /* | |
| 121 * ace flags | |
| 122 */ | |
| 123 #define ACL_FILE_INHERIT 0x0001 | |
| 124 #define ACL_DIR_INHERIT 0x0002 | |
| 125 #define ACL_NO_PROPAGATE 0x0004 | |
| 126 #define ACL_INHERIT_ONLY 0x0008 | |
| 127 #define ACL_SUCCESSFUL_ACCESS_FLAG 0x0010 | |
| 128 #define ACL_FAILED_ACCESS_ACE_FLAG 0x0020 | |
| 129 #define ACL_IDENTIFIER_GROUP 0x0040 | |
| 130 #define ACL_OWNER 0x1000 | |
| 131 #define ACL_GROUP 0x2000 | |
| 132 #define ACL_EVERYONE 0x4000 | |
| 133 | |
| 134 /* | |
| 135 * ace type | |
| 136 */ | |
| 137 #define ACL_TYPE_ALLOWED 0x01 | |
| 138 #define ACL_TYPE_DENIED 0x02 | |
| 139 #define ACL_TYPE_AUDIT 0x03 | |
| 140 #define ACL_TYPE_ALARM 0x04 | |
| 141 | |
| 142 | |
| 143 /* | |
| 144 * public API | |
| 145 */ | |
| 146 | |
| 147 // list | |
| 148 void acllist_append(Session *sn, Request *rq, ACLList *acl); | |
| 149 void acllist_prepend(Session *sn, Request *rq, ACLList *acl); | |
| 150 | |
| 151 /* | |
| 152 * gets a access mask from open flags | |
| 153 */ | |
| 154 uint32_t acl_oflag2mask(int oflags); | |
| 155 | |
| 156 /* | |
| 157 * authenticates the user with the user database specified in the acl list | |
| 158 */ | |
| 159 User* acllist_getuser(Session *sn, Request *rq, ACLListHandle *list); | |
| 160 | |
| 161 /* | |
| 162 * sets the status to 403 or 401 and sets www-authenticate | |
| 163 * | |
| 164 * use this only if a ACL denies access | |
| 165 */ | |
| 166 void acl_set_error_status(Session *sn, Request *rq, ACLList *acl, User *user); | |
| 167 | |
| 168 /* | |
| 169 * acl_evaluate | |
| 170 * | |
| 171 * Evaluates all ACLs in rq->acllist. It combines rq->aclreqaccess and | |
| 172 * access_mask. If access is denied and no user is authenticated it sets the | |
| 173 * www-authenticate header and the status to 401 Unauthorized. | |
| 174 * | |
| 175 * returns REQ_PROCEED if access is allowed or REQ_ABORTED if access is denied | |
| 176 */ | |
| 177 int acl_evaluate(Session *sn, Request *rq, int access_mask); | |
| 178 | |
| 179 /* | |
| 180 * acl_evallist | |
| 181 * | |
| 182 * evalutes all ACLs in acllist | |
| 183 * | |
| 184 * returns NULL if access is allowed or a pointer to the ACLList which | |
| 185 * denied access | |
| 186 */ | |
| 187 ACLList* acl_evallist(ACLListHandle *acllist, User *user, int access_mask); | |
| 188 | |
| 189 | 37 |
| 190 // private | 38 // private |
| 191 int wsacl_affects_user(WSAce *ace, User *user); | 39 int wsacl_affects_user(WSAce *ace, User *user); |
| 192 int wsacl_check(WSAcl *acl, User *user, int access_mask); | 40 int wsacl_check(WSAcl *acl, User *user, int access_mask); |
| 193 | 41 |
