comparison: src/server/daemon/acl.c
src/server/daemon/acl.c
- changeset 52
- aced2245fb1c
- parent 51
- b28cf69f42e8
- child 53
- 5ec9abba1027
equal
deleted
inserted
replaced
| 51:b28cf69f42e8 | 52:aced2245fb1c |
|---|---|
| 39 handle->listhead = NULL; | 39 handle->listhead = NULL; |
| 40 handle->listtail = NULL; | 40 handle->listtail = NULL; |
| 41 rq->acllist = handle; | 41 rq->acllist = handle; |
| 42 } | 42 } |
| 43 | 43 |
| 44 void acllist_append(Session *sn, Request *rq, ACLList *acl) { | 44 /* |
| 45 * append or prepend an ACL | |
| 46 */ | |
| 47 void acllist_add(Session *sn, Request *rq, ACLList *acl, int append) { | |
| 45 if(!rq->acllist) { | 48 if(!rq->acllist) { |
| 46 acllist_createhandle(sn, rq); | 49 acllist_createhandle(sn, rq); |
| 47 } | 50 } |
| 48 ACLListHandle *list = rq->acllist; | 51 ACLListHandle *list = rq->acllist; |
| 49 | 52 |
| 56 elm->next = NULL; | 59 elm->next = NULL; |
| 57 if(list->listhead == NULL) { | 60 if(list->listhead == NULL) { |
| 58 list->listhead = elm; | 61 list->listhead = elm; |
| 59 list->listtail = elm; | 62 list->listtail = elm; |
| 60 } else { | 63 } else { |
| 61 list->listtail->next = elm; | 64 if(append) { |
| 62 list->listtail = elm; | 65 list->listtail->next = elm; |
| 63 } | 66 list->listtail = elm; |
| 67 } else { | |
| 68 elm->next = list->listhead; | |
| 69 list->listhead = elm; | |
| 70 } | |
| 71 } | |
| 72 } | |
| 73 | |
| 74 void acllist_append(Session *sn, Request *rq, ACLList *acl) { | |
| 75 acllist_add(sn, rq, acl, 1); | |
| 64 } | 76 } |
| 65 | 77 |
| 66 void acllist_prepend(Session *sn, Request *rq, ACLList *acl) { | 78 void acllist_prepend(Session *sn, Request *rq, ACLList *acl) { |
| 67 if(!rq->acllist) { | 79 acllist_add(sn, rq, acl, 0); |
| 68 acllist_createhandle(sn, rq); | |
| 69 } | |
| 70 ACLListHandle *list = rq->acllist; | |
| 71 | |
| 72 if(!list->defaultauthdb && acl->authdb) { | |
| 73 list->defaultauthdb = acl->authdb; | |
| 74 } | |
| 75 | |
| 76 ACLListElm *elm = pool_malloc(sn->pool, sizeof(ACLListElm)); | |
| 77 elm->acl = acl; | |
| 78 elm->next = NULL; | |
| 79 if(list->listhead == NULL) { | |
| 80 list->listhead = elm; | |
| 81 list->listtail = elm; | |
| 82 } else { | |
| 83 elm->next = list->listhead; | |
| 84 list->listhead = elm; | |
| 85 } | |
| 86 } | 80 } |
| 87 | 81 |
| 88 | 82 |
| 89 int acl_evaluate(Session *sn, Request *rq, int access_mask) { | 83 int acl_evaluate(Session *sn, Request *rq, int access_mask) { |
| 90 ACLListHandle *list = rq->acllist; | 84 ACLListHandle *list = rq->acllist; |
| 91 if(!list) { | 85 if(!list) { |
| 92 return REQ_PROCEED; | 86 return REQ_PROCEED; |
| 93 } | 87 } |
| 88 | |
| 89 // we combine access_mask with the required access rights | |
| 90 access_mask = access_mask | rq->aclreqaccess; | |
| 91 | |
| 94 | 92 |
| 95 // get user | 93 // get user |
| 96 User *user = NULL; | 94 User *user = NULL; |
| 97 if(list->defaultauthdb) { | 95 if(list->defaultauthdb) { |
| 98 char *usr; | 96 char *usr; |
| 103 // wrong user name | 101 // wrong user name |
| 104 return REQ_ABORTED; | 102 return REQ_ABORTED; |
| 105 } | 103 } |
| 106 if(!user->verify_password(user, pw)) { | 104 if(!user->verify_password(user, pw)) { |
| 107 // wrong password | 105 // wrong password |
| 106 user->free(user); | |
| 108 return REQ_ABORTED; | 107 return REQ_ABORTED; |
| 109 } | 108 } |
| 110 // ok - user is authenticated | 109 // ok - user is authenticated |
| 111 } | 110 } |
| 112 } else { | 111 } else { |
| 126 "www-authenticate", | 125 "www-authenticate", |
| 127 "Basic realm=\"Webserver\"", | 126 "Basic realm=\"Webserver\"", |
| 128 rq->srvhdrs); | 127 rq->srvhdrs); |
| 129 protocol_status(sn, rq, PROTOCOL_UNAUTHORIZED, NULL); | 128 protocol_status(sn, rq, PROTOCOL_UNAUTHORIZED, NULL); |
| 130 } | 129 } |
| 130 user->free(user); | |
| 131 return REQ_ABORTED; | 131 return REQ_ABORTED; |
| 132 } | 132 } |
| 133 elm = elm->next; | 133 elm = elm->next; |
| 134 } | 134 } |
| 135 | 135 |
| 136 // ok - all acls allowed access | 136 // ok - all acls allowed access |
| 137 user->free(user); | |
| 137 return REQ_PROCEED; | 138 return REQ_PROCEED; |
| 139 } | |
| 140 | |
| 141 int wsacl_affects_user(ACLEntry *ace, User *user) { | |
| 142 int check_access = 0; | |
| 143 | |
| 144 /* | |
| 145 * an ace can affect | |
| 146 * a named user or group (ace->who is set) | |
| 147 * the owner of the resource (ACL_OWNER is set) | |
| 148 * the owning group of the resource (ACL_GROUP is set) | |
| 149 * everyone (ACL_EVERYONE is set) | |
| 150 * | |
| 151 * Only one of this conditions should be true. The behavior on | |
| 152 * illegal flag combination is undefined. We assume that the acls | |
| 153 * are created correctly by the configuration loader. | |
| 154 */ | |
| 155 | |
| 156 if(ace->who && user) { | |
| 157 // this ace is defined for a named user or group | |
| 158 if((ace->flags & ACL_IDENTIFIER_GROUP) == ACL_IDENTIFIER_GROUP) { | |
| 159 if(user->check_group(user, ace->who)) { | |
| 160 // the user is in the group | |
| 161 check_access = 1; | |
| 162 } | |
| 163 } else { | |
| 164 if(!strcmp(user->name, ace->who)) { | |
| 165 check_access = 1; | |
| 166 } | |
| 167 } | |
| 168 } else if((ace->flags & ACL_OWNER) == ACL_OWNER) { | |
| 169 // TODO | |
| 170 } else if((ace->flags & ACL_GROUP) == ACL_GROUP) { | |
| 171 // TODO | |
| 172 } else if((ace->flags & ACL_EVERYONE) == ACL_EVERYONE) { | |
| 173 check_access = 1; | |
| 174 } | |
| 175 | |
| 176 return check_access; | |
| 138 } | 177 } |
| 139 | 178 |
| 140 int wsacl_check(ACLList *acl, User *user, int access_mask) { | 179 int wsacl_check(ACLList *acl, User *user, int access_mask) { |
| 141 int allow = 0; | 180 int allow = 0; |
| 142 uint32_t allowed_access = 0; | 181 uint32_t allowed_access = 0; |
| 143 // check each access control entry | 182 // check each access control entry |
| 144 for(int i=0;i<acl->acenum;i++) { | 183 for(int i=0;i<acl->acenum;i++) { |
| 145 ACLEntry *ace = acl->ace[i]; | 184 ACLEntry *ace = acl->ace[i]; |
| 146 int check_access = 0; | 185 if(wsacl_affects_user(ace, user)) { |
| 147 | |
| 148 /* | |
| 149 * an ace can affect | |
| 150 * a named user or group (ace->who is set) | |
| 151 * the owner of the resource (ACL_OWNER is set) | |
| 152 * the owning group of the resource (ACL_GROUP is set) | |
| 153 * everyone (ACL_EVERYONE is set) | |
| 154 * | |
| 155 * Only one of this conditions should be true. The behavior on | |
| 156 * illegal flag combination is undefined. We assume that the acls | |
| 157 * are created correctly by the configuration loader. | |
| 158 */ | |
| 159 | |
| 160 if(ace->who && user) { | |
| 161 // this ace is defined for a named user or group | |
| 162 if((ace->flags & ACL_IDENTIFIER_GROUP) == ACL_IDENTIFIER_GROUP) { | |
| 163 if(user->check_group(user, ace->who)) { | |
| 164 // the user is in the group | |
| 165 check_access = 1; | |
| 166 } | |
| 167 } else { | |
| 168 if(!strcmp(user->name, ace->who)) { | |
| 169 check_access = 1; | |
| 170 } | |
| 171 } | |
| 172 } else if((ace->flags & ACL_OWNER) == ACL_OWNER) { | |
| 173 // TODO | |
| 174 } else if((ace->flags & ACL_GROUP) == ACL_GROUP) { | |
| 175 // TODO | |
| 176 } else if((ace->flags & ACL_EVERYONE) == ACL_EVERYONE) { | |
| 177 check_access = 1; | |
| 178 } | |
| 179 | |
| 180 | |
| 181 if(check_access) { | |
| 182 if(ace->type == ACL_TYPE_ALLOWED) { | 186 if(ace->type == ACL_TYPE_ALLOWED) { |
| 183 // add all new access rights | 187 // add all new access rights |
| 184 allowed_access = allowed_access | | 188 allowed_access = allowed_access | |
| 185 (access_mask & ace->access_mask); | 189 (access_mask & ace->access_mask); |
| 186 // check if we have all requested rights | 190 // check if we have all requested rights |
