56 elm->next = NULL; |
59 elm->next = NULL; |
57 if(list->listhead == NULL) { |
60 if(list->listhead == NULL) { |
58 list->listhead = elm; |
61 list->listhead = elm; |
59 list->listtail = elm; |
62 list->listtail = elm; |
60 } else { |
63 } else { |
61 list->listtail->next = elm; |
64 if(append) { |
62 list->listtail = elm; |
65 list->listtail->next = elm; |
63 } |
66 list->listtail = elm; |
|
67 } else { |
|
68 elm->next = list->listhead; |
|
69 list->listhead = elm; |
|
70 } |
|
71 } |
|
72 } |
|
73 |
|
74 void acllist_append(Session *sn, Request *rq, ACLList *acl) { |
|
75 acllist_add(sn, rq, acl, 1); |
64 } |
76 } |
65 |
77 |
66 void acllist_prepend(Session *sn, Request *rq, ACLList *acl) { |
78 void acllist_prepend(Session *sn, Request *rq, ACLList *acl) { |
67 if(!rq->acllist) { |
79 acllist_add(sn, rq, acl, 0); |
68 acllist_createhandle(sn, rq); |
|
69 } |
|
70 ACLListHandle *list = rq->acllist; |
|
71 |
|
72 if(!list->defaultauthdb && acl->authdb) { |
|
73 list->defaultauthdb = acl->authdb; |
|
74 } |
|
75 |
|
76 ACLListElm *elm = pool_malloc(sn->pool, sizeof(ACLListElm)); |
|
77 elm->acl = acl; |
|
78 elm->next = NULL; |
|
79 if(list->listhead == NULL) { |
|
80 list->listhead = elm; |
|
81 list->listtail = elm; |
|
82 } else { |
|
83 elm->next = list->listhead; |
|
84 list->listhead = elm; |
|
85 } |
|
86 } |
80 } |
87 |
81 |
88 |
82 |
89 int acl_evaluate(Session *sn, Request *rq, int access_mask) { |
83 int acl_evaluate(Session *sn, Request *rq, int access_mask) { |
90 ACLListHandle *list = rq->acllist; |
84 ACLListHandle *list = rq->acllist; |
91 if(!list) { |
85 if(!list) { |
92 return REQ_PROCEED; |
86 return REQ_PROCEED; |
93 } |
87 } |
|
88 |
|
89 // we combine access_mask with the required access rights |
|
90 access_mask = access_mask | rq->aclreqaccess; |
|
91 |
94 |
92 |
95 // get user |
93 // get user |
96 User *user = NULL; |
94 User *user = NULL; |
97 if(list->defaultauthdb) { |
95 if(list->defaultauthdb) { |
98 char *usr; |
96 char *usr; |
126 "www-authenticate", |
125 "www-authenticate", |
127 "Basic realm=\"Webserver\"", |
126 "Basic realm=\"Webserver\"", |
128 rq->srvhdrs); |
127 rq->srvhdrs); |
129 protocol_status(sn, rq, PROTOCOL_UNAUTHORIZED, NULL); |
128 protocol_status(sn, rq, PROTOCOL_UNAUTHORIZED, NULL); |
130 } |
129 } |
|
130 user->free(user); |
131 return REQ_ABORTED; |
131 return REQ_ABORTED; |
132 } |
132 } |
133 elm = elm->next; |
133 elm = elm->next; |
134 } |
134 } |
135 |
135 |
136 // ok - all acls allowed access |
136 // ok - all acls allowed access |
|
137 user->free(user); |
137 return REQ_PROCEED; |
138 return REQ_PROCEED; |
|
139 } |
|
140 |
|
141 int wsacl_affects_user(ACLEntry *ace, User *user) { |
|
142 int check_access = 0; |
|
143 |
|
144 /* |
|
145 * an ace can affect |
|
146 * a named user or group (ace->who is set) |
|
147 * the owner of the resource (ACL_OWNER is set) |
|
148 * the owning group of the resource (ACL_GROUP is set) |
|
149 * everyone (ACL_EVERYONE is set) |
|
150 * |
|
151 * Only one of this conditions should be true. The behavior on |
|
152 * illegal flag combination is undefined. We assume that the acls |
|
153 * are created correctly by the configuration loader. |
|
154 */ |
|
155 |
|
156 if(ace->who && user) { |
|
157 // this ace is defined for a named user or group |
|
158 if((ace->flags & ACL_IDENTIFIER_GROUP) == ACL_IDENTIFIER_GROUP) { |
|
159 if(user->check_group(user, ace->who)) { |
|
160 // the user is in the group |
|
161 check_access = 1; |
|
162 } |
|
163 } else { |
|
164 if(!strcmp(user->name, ace->who)) { |
|
165 check_access = 1; |
|
166 } |
|
167 } |
|
168 } else if((ace->flags & ACL_OWNER) == ACL_OWNER) { |
|
169 // TODO |
|
170 } else if((ace->flags & ACL_GROUP) == ACL_GROUP) { |
|
171 // TODO |
|
172 } else if((ace->flags & ACL_EVERYONE) == ACL_EVERYONE) { |
|
173 check_access = 1; |
|
174 } |
|
175 |
|
176 return check_access; |
138 } |
177 } |
139 |
178 |
140 int wsacl_check(ACLList *acl, User *user, int access_mask) { |
179 int wsacl_check(ACLList *acl, User *user, int access_mask) { |
141 int allow = 0; |
180 int allow = 0; |
142 uint32_t allowed_access = 0; |
181 uint32_t allowed_access = 0; |
143 // check each access control entry |
182 // check each access control entry |
144 for(int i=0;i<acl->acenum;i++) { |
183 for(int i=0;i<acl->acenum;i++) { |
145 ACLEntry *ace = acl->ace[i]; |
184 ACLEntry *ace = acl->ace[i]; |
146 int check_access = 0; |
185 if(wsacl_affects_user(ace, user)) { |
147 |
|
148 /* |
|
149 * an ace can affect |
|
150 * a named user or group (ace->who is set) |
|
151 * the owner of the resource (ACL_OWNER is set) |
|
152 * the owning group of the resource (ACL_GROUP is set) |
|
153 * everyone (ACL_EVERYONE is set) |
|
154 * |
|
155 * Only one of this conditions should be true. The behavior on |
|
156 * illegal flag combination is undefined. We assume that the acls |
|
157 * are created correctly by the configuration loader. |
|
158 */ |
|
159 |
|
160 if(ace->who && user) { |
|
161 // this ace is defined for a named user or group |
|
162 if((ace->flags & ACL_IDENTIFIER_GROUP) == ACL_IDENTIFIER_GROUP) { |
|
163 if(user->check_group(user, ace->who)) { |
|
164 // the user is in the group |
|
165 check_access = 1; |
|
166 } |
|
167 } else { |
|
168 if(!strcmp(user->name, ace->who)) { |
|
169 check_access = 1; |
|
170 } |
|
171 } |
|
172 } else if((ace->flags & ACL_OWNER) == ACL_OWNER) { |
|
173 // TODO |
|
174 } else if((ace->flags & ACL_GROUP) == ACL_GROUP) { |
|
175 // TODO |
|
176 } else if((ace->flags & ACL_EVERYONE) == ACL_EVERYONE) { |
|
177 check_access = 1; |
|
178 } |
|
179 |
|
180 |
|
181 if(check_access) { |
|
182 if(ace->type == ACL_TYPE_ALLOWED) { |
186 if(ace->type == ACL_TYPE_ALLOWED) { |
183 // add all new access rights |
187 // add all new access rights |
184 allowed_access = allowed_access | |
188 allowed_access = allowed_access | |
185 (access_mask & ace->access_mask); |
189 (access_mask & ace->access_mask); |
186 // check if we have all requested rights |
190 // check if we have all requested rights |