|
1 /* |
|
2 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER. |
|
3 * |
|
4 * Copyright 2013 Olaf Wintermann. All rights reserved. |
|
5 * |
|
6 * Redistribution and use in source and binary forms, with or without |
|
7 * modification, are permitted provided that the following conditions are met: |
|
8 * |
|
9 * 1. Redistributions of source code must retain the above copyright |
|
10 * notice, this list of conditions and the following disclaimer. |
|
11 * |
|
12 * 2. Redistributions in binary form must reproduce the above copyright |
|
13 * notice, this list of conditions and the following disclaimer in the |
|
14 * documentation and/or other materials provided with the distribution. |
|
15 * |
|
16 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" |
|
17 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
|
18 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
|
19 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE |
|
20 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR |
|
21 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF |
|
22 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS |
|
23 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN |
|
24 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) |
|
25 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE |
|
26 * POSSIBILITY OF SUCH DAMAGE. |
|
27 */ |
|
28 |
|
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#include "../util/pool.h"
#include "../safs/auth.h"
#include "acl.h"
|
35 |
|
/*
 * Create an empty ACL list handle for the request and store it in
 * rq->acllist. The handle is taken from the session pool, so its lifetime
 * is that of the session; it starts with no entries and no default auth db.
 *
 * NOTE(review): the pool_malloc() result is not checked, so an allocation
 * failure dereferences NULL here. The void interface gives no way to report
 * the failure; if it is to be handled, the caller that attaches ACLs to the
 * request is the place to check rq->acllist afterwards.
 */
void acllist_createhandle(Session *sn, Request *rq) {
    ACLListHandle *h = pool_malloc(sn->pool, sizeof(*h));
    h->listhead = NULL;
    h->listtail = NULL;
    h->defaultauthdb = NULL;
    rq->acllist = h;
}
|
43 |
|
/*
 * Append an ACL to the end of the request's ACL list, creating the list
 * handle on first use.
 *
 * The first ACL seen that carries an auth db becomes the list's default
 * auth db; later ACLs with a different auth db do not replace it. That
 * default is what acl_evaluate() uses to authenticate the request.
 *
 * NOTE(review): neither pool_malloc() result is checked, so an allocation
 * failure dereferences NULL rather than being reported; the void interface
 * gives the caller no way to learn that the ACL was not attached.
 */
void acllist_append(Session *sn, Request *rq, ACLList *acl) {
    if(rq->acllist == NULL) {
        acllist_createhandle(sn, rq);
    }
    ACLListHandle *handle = rq->acllist;

    // remember the first auth db we encounter
    if(acl->authdb != NULL && handle->defaultauthdb == NULL) {
        handle->defaultauthdb = acl->authdb;
    }

    ACLListElm *node = pool_malloc(sn->pool, sizeof(*node));
    node->acl = acl;
    node->next = NULL;

    if(handle->listhead == NULL) {
        // empty list: the new node is both head and tail
        handle->listhead = node;
    } else {
        handle->listtail->next = node;
    }
    handle->listtail = node;
}
|
65 |
|
/*
 * Insert an ACL at the front of the request's ACL list, creating the list
 * handle on first use. Because acl_evaluate() stops at the first ACL that
 * denies access, a prepended ACL is consulted before everything already in
 * the list.
 *
 * The first ACL seen that carries an auth db becomes the list's default
 * auth db, exactly as in acllist_append(); prepending does not change an
 * already-set default.
 *
 * NOTE(review): neither pool_malloc() result is checked, so an allocation
 * failure dereferences NULL rather than being reported; the void interface
 * gives the caller no way to learn that the ACL was not attached.
 */
void acllist_prepend(Session *sn, Request *rq, ACLList *acl) {
    if(rq->acllist == NULL) {
        acllist_createhandle(sn, rq);
    }
    ACLListHandle *handle = rq->acllist;

    // remember the first auth db we encounter
    if(acl->authdb != NULL && handle->defaultauthdb == NULL) {
        handle->defaultauthdb = acl->authdb;
    }

    ACLListElm *node = pool_malloc(sn->pool, sizeof(*node));
    node->acl = acl;

    if(handle->listhead == NULL) {
        // empty list: the new node is both head and tail
        node->next = NULL;
        handle->listhead = node;
        handle->listtail = node;
    } else {
        node->next = handle->listhead;
        handle->listhead = node;
    }
}
|
87 |
|
88 |
|
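/*
 * Send a Basic authentication challenge and mark the request 401.
 *
 * Used both when the request carried no usable credentials and when the
 * credentials it carried did not verify, so that the client sees the same
 * response in either case.
 */
static void acl_send_basic_challenge(Session *sn, Request *rq) {
    pblock_nvinsert(
            "www-authenticate",
            "Basic realm=\"Webserver\"",
            rq->srvhdrs);
    protocol_status(sn, rq, PROTOCOL_UNAUTHORIZED, NULL);
}

/*
 * Evaluate every ACL attached to the request against the requested access
 * rights.
 *
 * Returns REQ_PROCEED when no ACL list is attached (nothing to enforce) or
 * when every ACL grants access_mask; REQ_ABORTED otherwise.
 *
 * Authentication: credentials are read via basicauth_getuser() (which
 * returns 0 on success) and the user is looked up in the list's default
 * auth db. An unknown user and a wrong password are answered identically
 * (401 plus a Basic challenge) so the response does not tell the client
 * which of the two failed. NOTE(review): the lookup still returns before
 * verify_password() is called for an unknown user, so a timing side channel
 * may remain; confirm whether get_user()/verify_password() take comparable
 * time, or perform a dummy verification on the unknown-user path.
 *
 * Authorization: ACLs are checked in list order and the first one whose
 * wsacl_check() returns 0 denies the request.
 */
int acl_evaluate(Session *sn, Request *rq, int access_mask) {
    ACLListHandle *list = rq->acllist;
    if(!list) {
        // No ACLs attached to this request: nothing to enforce.
        // NOTE(review): this is also what a caller sees if attaching the
        // ACL list failed earlier, i.e. that failure mode is fail-open.
        return REQ_PROCEED;
    }

    if(!list->defaultauthdb) {
        // TODO: ACL lists without an auth db are not supported yet.
        // Fail closed rather than evaluate ACLs without any way to
        // identify the user. No status is set in this case.
        return REQ_ABORTED;
    }

    // Authenticate the request if basicauth_getuser() can extract
    // credentials. If it reports failure (non-zero), user stays NULL and the
    // request is evaluated as anonymous.
    User *user = NULL;
    char *usr;
    char *pw;
    if(!basicauth_getuser(sn, rq, &usr, &pw)) {
        user = list->defaultauthdb->get_user(list->defaultauthdb, usr);
        if(!user || !user->verify_password(user, pw)) {
            // Unknown user or wrong password: reject and challenge again.
            // Previously this path returned REQ_ABORTED with no status and no
            // WWW-Authenticate header, so a client with bad credentials was
            // never told to retry.
            acl_send_basic_challenge(sn, rq);
            return REQ_ABORTED;
        }
        // user is authenticated
    }

    // Evaluate each ACL until one denies access.
    for(ACLListElm *elm = list->listhead; elm; elm = elm->next) {
        if(wsacl_check(elm->acl, user, access_mask)) {
            continue;
        }
        if(!user) {
            // An anonymous request was denied: ask for credentials.
            acl_send_basic_challenge(sn, rq);
        }
        // TODO(review): an authenticated user that is denied currently gets
        // REQ_ABORTED with no explicit status; a 403 would be the expected
        // response here.
        return REQ_ABORTED;
    }

    // All ACLs allowed the requested access.
    return REQ_PROCEED;
}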
|
139 |
|
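/*
 * Decide whether a single access control entry applies to the principal.
 *
 * Returns 1 when the entry targets the given user by name, targets a group
 * the user belongs to (ACL_IDENTIFIER_GROUP), or targets everyone
 * (ACL_EVERYONE); 0 otherwise.
 *
 * A named-principal entry (ace->who set) never applies to an anonymous
 * request (user == NULL), whatever other flags it carries. The flag
 * combinations are documented as mutually exclusive, but this keeps a
 * malformed entry from widening access to unauthenticated clients.
 * Owner and owning-group entries are not implemented yet and never apply.
 */
static int wsacl_ace_applies(ACLEntry *ace, User *user) {
    if(ace->who) {
        if(!user) {
            return 0;
        }
        if((ace->flags & ACL_IDENTIFIER_GROUP) == ACL_IDENTIFIER_GROUP) {
            // entry names a group: check membership
            return user->check_group(user, ace->who) ? 1 : 0;
        }
        // entry names a single user
        return strcmp(user->name, ace->who) == 0;
    }
    if((ace->flags & ACL_OWNER) == ACL_OWNER) {
        // TODO: the resource owner is not known here yet
        return 0;
    }
    if((ace->flags & ACL_GROUP) == ACL_GROUP) {
        // TODO: the resource's owning group is not known here yet
        return 0;
    }
    return (ace->flags & ACL_EVERYONE) == ACL_EVERYONE;
}

/*
 * Check one ACL against a principal and a set of requested access bits.
 *
 * Entries are processed in order. An ACL_TYPE_ALLOWED entry that applies to
 * the principal contributes the requested bits it grants; once the
 * accumulated bits cover all of access_mask the ACL grants access. Any
 * other entry type is treated as a deny entry: if it applies and overlaps
 * access_mask in at least one bit, evaluation stops and access is denied,
 * so an earlier deny beats a later allow. If no entry ever covers the full
 * mask, access is denied (default deny).
 *
 * user may be NULL for an anonymous request; only ACL_EVERYONE entries can
 * then apply. access_mask is combined with the uint32_t accumulator and is
 * expected to be non-negative.
 *
 * Returns 1 when access is granted, 0 when denied.
 */
int wsacl_check(ACLList *acl, User *user, int access_mask) {
    int allow = 0;
    uint32_t allowed_access = 0;

    for(int i=0;i<acl->acenum;i++) {
        ACLEntry *ace = acl->ace[i];
        if(!wsacl_ace_applies(ace, user)) {
            continue;
        }

        if(ace->type == ACL_TYPE_ALLOWED) {
            // accumulate the requested rights this entry grants
            allowed_access |= (access_mask & ace->access_mask);
            if((allowed_access & access_mask) == access_mask) {
                allow = 1;
                break;
            }
        } else if((ace->access_mask & access_mask) != 0) {
            // ACL_TYPE_DENIED (or unknown type) overlapping the request:
            // denied, regardless of what earlier allow entries granted
            break;
        }
    }

    // TODO: events

    return allow;
}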