Mercurial > hg > webserver / file comparison

comparison: src/server/daemon/acl.c

src/server/daemon/acl.c

changeset 51
b28cf69f42e8
child 52
aced2245fb1c
equal deleted inserted replaced
50:4d39adda7a38 51:b28cf69f42e8
1 /*
2 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
3 *
4 * Copyright 2013 Olaf Wintermann. All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions are met:
8 *
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 *
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 *
16 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
17 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
20 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
21 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
22 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
23 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
24 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
25 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
26 * POSSIBILITY OF SUCH DAMAGE.
27 */
28
29 #include <stdio.h>
30 #include <stdlib.h>
31
32 #include "../util/pool.h"
33 #include "../safs/auth.h"
34 #include "acl.h"
35
36 void acllist_createhandle(Session *sn, Request *rq) {
37 ACLListHandle *handle = pool_malloc(sn->pool, sizeof(ACLListHandle));
38 handle->defaultauthdb = NULL;
39 handle->listhead = NULL;
40 handle->listtail = NULL;
41 rq->acllist = handle;
42 }
43
44 void acllist_append(Session *sn, Request *rq, ACLList *acl) {
45 if(!rq->acllist) {
46 acllist_createhandle(sn, rq);
47 }
48 ACLListHandle *list = rq->acllist;
49
50 if(!list->defaultauthdb && acl->authdb) {
51 list->defaultauthdb = acl->authdb;
52 }
53
54 ACLListElm *elm = pool_malloc(sn->pool, sizeof(ACLListElm));
55 elm->acl = acl;
56 elm->next = NULL;
57 if(list->listhead == NULL) {
58 list->listhead = elm;
59 list->listtail = elm;
60 } else {
61 list->listtail->next = elm;
62 list->listtail = elm;
63 }
64 }
65
66 void acllist_prepend(Session *sn, Request *rq, ACLList *acl) {
67 if(!rq->acllist) {
68 acllist_createhandle(sn, rq);
69 }
70 ACLListHandle *list = rq->acllist;
71
72 if(!list->defaultauthdb && acl->authdb) {
73 list->defaultauthdb = acl->authdb;
74 }
75
76 ACLListElm *elm = pool_malloc(sn->pool, sizeof(ACLListElm));
77 elm->acl = acl;
78 elm->next = NULL;
79 if(list->listhead == NULL) {
80 list->listhead = elm;
81 list->listtail = elm;
82 } else {
83 elm->next = list->listhead;
84 list->listhead = elm;
85 }
86 }
87
88
89 int acl_evaluate(Session *sn, Request *rq, int access_mask) {
90 ACLListHandle *list = rq->acllist;
91 if(!list) {
92 return REQ_PROCEED;
93 }
94
95 // get user
96 User *user = NULL;
97 if(list->defaultauthdb) {
98 char *usr;
99 char *pw;
100 if(!basicauth_getuser(sn, rq, &usr, &pw)) {
101 user = list->defaultauthdb->get_user(list->defaultauthdb, usr);
102 if(!user) {
103 // wrong user name
104 return REQ_ABORTED;
105 }
106 if(!user->verify_password(user, pw)) {
107 // wrong password
108 return REQ_ABORTED;
109 }
110 // ok - user is authenticated
111 }
112 } else {
113 // TODO
114 return REQ_ABORTED;
115 }
116
117 // evaluate each acl until one denies access
118 ACLListElm *elm = list->listhead;
119 while(elm) {
120 ACLList *acl = elm->acl;
121 if(!wsacl_check(acl, user, access_mask)) {
122 // the acl denies access
123
124 if(!user) {
125 pblock_nvinsert(
126 "www-authenticate",
127 "Basic realm=\"Webserver\"",
128 rq->srvhdrs);
129 protocol_status(sn, rq, PROTOCOL_UNAUTHORIZED, NULL);
130 }
131 return REQ_ABORTED;
132 }
133 elm = elm->next;
134 }
135
136 // ok - all acls allowed access
137 return REQ_PROCEED;
138 }
139
140 int wsacl_check(ACLList *acl, User *user, int access_mask) {
141 int allow = 0;
142 uint32_t allowed_access = 0;
143 // check each access control entry
144 for(int i=0;i<acl->acenum;i++) {
145 ACLEntry *ace = acl->ace[i];
146 int check_access = 0;
147
148 /*
149 * an ace can affect
150 * a named user or group (ace->who is set)
151 * the owner of the resource (ACL_OWNER is set)
152 * the owning group of the resource (ACL_GROUP is set)
153 * everyone (ACL_EVERYONE is set)
154 *
155 * Only one of this conditions should be true. The behavior on
156 * illegal flag combination is undefined. We assume that the acls
157 * are created correctly by the configuration loader.
158 */
159
160 if(ace->who && user) {
161 // this ace is defined for a named user or group
162 if((ace->flags & ACL_IDENTIFIER_GROUP) == ACL_IDENTIFIER_GROUP) {
163 if(user->check_group(user, ace->who)) {
164 // the user is in the group
165 check_access = 1;
166 }
167 } else {
168 if(!strcmp(user->name, ace->who)) {
169 check_access = 1;
170 }
171 }
172 } else if((ace->flags & ACL_OWNER) == ACL_OWNER) {
173 // TODO
174 } else if((ace->flags & ACL_GROUP) == ACL_GROUP) {
175 // TODO
176 } else if((ace->flags & ACL_EVERYONE) == ACL_EVERYONE) {
177 check_access = 1;
178 }
179
180
181 if(check_access) {
182 if(ace->type == ACL_TYPE_ALLOWED) {
183 // add all new access rights
184 allowed_access = allowed_access |
185 (access_mask & ace->access_mask);
186 // check if we have all requested rights
187 if((allowed_access & access_mask) == access_mask) {
188 allow = 1;
189 break;
190 }
191 } else {
192 // ACL_TYPE_DENIED
193
194 if((ace->access_mask & access_mask) != 0) {
195 // access denied
196 break;
197 }
198 }
199 }
200 }
201
202 // TODO: events
203
204 return allow;
205 }

Mercurial Repository: webserver

mercurial