Mercurial > hg > webserver / file comparison

comparison: src/server/public/acl.h

src/server/public/acl.h

changeset 59
ab25c0a231d0
child 63
66442f81f823
equal deleted inserted replaced
58:66c22e54aa90 59:ab25c0a231d0
1 /*
2 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
3 *
4 * Copyright 2013 Olaf Wintermann. All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions are met:
8 *
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 *
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 *
16 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
17 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
20 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
21 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
22 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
23 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
24 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
25 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
26 * POSSIBILITY OF SUCH DAMAGE.
27 */
28
29 #ifndef WS_ACL_H
30 #define WS_ACL_H
31
32 #include "nsapi.h"
33 #include "auth.h"
34
35 #ifdef __cplusplus
36 extern "C" {
37 #endif
38
39 // ACLListHandle typedef in nsapi.h
40 typedef struct ACLListElm ACLListElm;
41 typedef struct ACLList ACLList;
42
43 typedef struct WSAcl WSAcl;
44 typedef struct WSAce WSAce;
45
46 /*
47 * a wrapper struct for acls
48 */
49 struct ACLListHandle {
50 AuthDB *defaultauthdb;
51 ACLListElm *listhead;
52 ACLListElm *listtail;
53 };
54
55 struct ACLListElm {
56 ACLList *acl;
57 ACLListElm *next;
58 };
59
60 /*
61 * abstract ACL
62 */
63 typedef int(*acl_check_f)(ACLList*, User*, int);
64 struct ACLList {
65 AuthDB *authdb;
66 char *authprompt;
67 int isextern;
68 /* int check(ACLList *acl, User *user, int access_mask) */
69 int(*check)(ACLList *acl, User *user, int access_mask);
70 };
71
72 /*
73 * a webserver access control list
74 *
75 * Access control is determined by the ace field. The ece field is a separat
76 * list for audit and alarm entries.
77 */
78 struct WSAcl {
79 ACLList acl;
80 WSAce **ace; // access control entries
81 WSAce **ece; // event control entries (audit/alarm entries)
82 int acenum; // number of aces
83 int ecenum; // number of eces
84 };
85
86
87 struct WSAce {
88 char *who; // user or group name
89 uint32_t access_mask;
90 uint16_t flags;
91 uint16_t type;
92 };
93
94
95 /*
96 * access permissions
97 */
98 #define ACL_READ_DATA 0x0001
99 #define ACL_WRITE_DATA 0x0002
100 #define ACL_APPEND 0x0002
101 #define ACL_ADD_FILE 0x0004
102 #define ACL_ADD_SUBDIRECTORY 0x0004
103 #define ACL_READ_XATTR 0x0008
104 #define ACL_WRITE_XATTR 0x0010
105 #define ACL_EXECUTE 0x0020
106 #define ACL_DELETE_CHILD 0x0040
107 #define ACL_DELETE 0x0040
108 #define ACL_READ_ATTRIBUTES 0x0080
109 #define ACL_WRITE_ATTRIBUTES 0x0100
110 #define ACL_LIST 0x0200
111 #define ACL_READ_ACL 0x0400
112 #define ACL_WRITE_ACL 0x0800
113 #define ACL_WRITE_OWNER 0x1000
114 #define ACL_SYNCHRONIZE 0x2000
115 #define ACL_READ \
116 (ACL_READ_DATA|ACL_READ_XATTR|ACL_READ_ATTRIBUTES)
117 #define ACL_WRITE \
118 (ACL_WRITE_DATA|ACL_WRITE_XATTR|ACL_WRITE_ATTRIBUTES)
119
120 /*
121 * ace flags
122 */
123 #define ACL_FILE_INHERIT 0x0001
124 #define ACL_DIR_INHERIT 0x0002
125 #define ACL_NO_PROPAGATE 0x0004
126 #define ACL_INHERIT_ONLY 0x0008
127 #define ACL_SUCCESSFUL_ACCESS_FLAG 0x0010
128 #define ACL_FAILED_ACCESS_ACE_FLAG 0x0020
129 #define ACL_IDENTIFIER_GROUP 0x0040
130 #define ACL_OWNER 0x1000
131 #define ACL_GROUP 0x2000
132 #define ACL_EVERYONE 0x4000
133
134 /*
135 * ace type
136 */
137 #define ACL_TYPE_ALLOWED 0x01
138 #define ACL_TYPE_DENIED 0x02
139 #define ACL_TYPE_AUDIT 0x03
140 #define ACL_TYPE_ALARM 0x04
141
142
143 /*
144 * public API
145 */
146
147 // list
148 void acllist_append(Session *sn, Request *rq, ACLList *acl);
149 void acllist_prepend(Session *sn, Request *rq, ACLList *acl);
150
151 /*
152 * gets a access mask from open flags
153 */
154 uint32_t acl_oflag2mask(int oflags);
155
156 /*
157 * authenticates the user with the user database specified in the acl list
158 */
159 User* acllist_getuser(Session *sn, Request *rq, ACLListHandle *list);
160
161 /*
162 * sets the status to 403 or 401 and sets www-authenticate
163 *
164 * use this only if a ACL denies access
165 */
166 void acl_set_error_status(Session *sn, Request *rq, ACLList *acl, User *user);
167
168 /*
169 * acl_evaluate
170 *
171 * Evaluates all ACLs in rq->acllist. It combines rq->aclreqaccess and
172 * access_mask. If access is denied and no user is authenticated it sets the
173 * www-authenticate header and the status to 401 Unauthorized.
174 *
175 * returns REQ_PROCEED if access is allowed or REQ_ABORTED if access is denied
176 */
177 int acl_evaluate(Session *sn, Request *rq, int access_mask);
178
179 /*
180 * acl_evallist
181 *
182 * evalutes all ACLs in acllist
183 *
184 * returns NULL if access is allowed or a pointer to the ACLList which
185 * denied access
186 */
187 ACLList* acl_evallist(ACLListHandle *acllist, User *user, int access_mask);
188
189 #ifdef __cplusplus
190 }
191 #endif
192
193 #endif /* WS_ACL_H */
194

Mercurial Repository: webserver

mercurial