src/server/daemon/acl.h

changeset 54
3a1d5a52adfc
parent 52
aced2245fb1c
child 59
ab25c0a231d0
--- a/src/server/daemon/acl.h	Fri Mar 01 22:44:54 2013 +0100
+++ b/src/server/daemon/acl.h	Sat Mar 16 23:11:34 2013 +0100
@@ -36,16 +36,15 @@
 extern "C" {
 #endif
 
-typedef struct ACLList  ACLList;
-typedef struct ACLEntry ACLEntry;
 // ACLListHandle typedef in nsapi.h
+typedef struct ACLListElm ACLListElm;
+typedef struct ACLList ACLList;
 
-typedef struct ACLListElm ACLListElm;
+typedef struct WSAcl WSAcl;
+typedef struct WSAce WSAce;
 
 /*
  * a wrapper struct for acls
- * 
- * TODO: store more than one acl
  */
 struct ACLListHandle {
     AuthDB     *defaultauthdb;
@@ -59,22 +58,33 @@
 };
 
 /*
- * a access control list
+ * abstract ACL
+ */
+typedef int(*acl_check_f)(ACLList*, User*, int);
+struct ACLList {
+    AuthDB *authdb;
+    char   *authprompt;
+    int isextern;
+    /* int check(ACLList *acl, User *user, int access_mask) */
+    int(*check)(ACLList *acl, User *user, int access_mask);
+};
+
+/*
+ * a webserver access control list
  * 
  * Access control is determined by the ace field. The ece field is a separat
  * list for audit and alarm entries.
  */
-struct ACLList {
-    AuthDB *authdb;
-    char   *authprompt;
-    ACLEntry **ace; // access control entries
-    ACLEntry **ece; // event control entries (audit/alarm entries)
+struct WSAcl {
+    ACLList acl;
+    WSAce **ace; // access control entries
+    WSAce **ece; // event control entries (audit/alarm entries)
     int acenum; // number of aces
     int ecenum; // number of eces
 };
 
 
-struct ACLEntry {
+struct WSAce {
     char     *who; // user or group name
     uint32_t access_mask;
     uint16_t flags;
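Review bot: The `acl_check_f` typedef introduced at the top of this hunk is never used — `struct ACLList` immediately spells the same function-pointer type out again on the `check` member, and the comment above it merely repeats the prototype. Declaring the member as `acl_check_f check;` keeps the two from drifting apart, and the comment should instead state the contract, e.g. `/* returns nonzero when access_mask is granted to user — confirm the convention against the wsacl_check implementation */`, since the hunk itself does not show what the return value means. The new `isextern` field is likewise undocumented; a one-line comment saying which implementations set it and who reads it would help, as nothing in this changeset shows either.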
@@ -138,13 +148,48 @@
 void acllist_append(Session *sn, Request *rq, ACLList *acl);
 void acllist_prepend(Session *sn, Request *rq, ACLList *acl);
 
-// eval
+/*
+ * gets a access mask from open flags
+ */
+uint32_t acl_oflag2mask(int oflags);
+
+/*
+ * authenticates the user with the user database specified in the acl list
+ */
+User* acllist_getuser(Session *sn, Request *rq, ACLListHandle *list);
+
+/*
+ * sets the status to 403 or 401 and sets www-authenticate
+ * 
+ * use this only if a ACL denies access
+ */
+void acl_set_error_status(Session *sn, Request *rq, ACLList *acl, User *user);
+
+/*
+ * acl_evaluate
+ * 
+ * Evaluates all ACLs in rq->acllist. It combines rq->aclreqaccess and
+ * access_mask. If access is denied and no user is authenticated it sets the
+ * www-authenticate header and the status to 401 Unauthorized.
+ * 
+ * returns REQ_PROCEED if access is allowed or REQ_ABORTED if access is denied
+ */
 int acl_evaluate(Session *sn, Request *rq, int access_mask);
 
+/*
+ * acl_evallist
+ * 
+ * evalutes all ACLs in acllist
+ * 
+ * returns NULL if access is allowed or a pointer to the ACLList which
+ * denied access
+ */
+ACLList* acl_evallist(ACLListHandle *acllist, User *user, int access_mask);
+
 
 // private
-int wsacl_affects_user(ACLEntry *ace, User *user);
-int wsacl_check(ACLList *acl, User *user, int access_mask);
+int wsacl_affects_user(WSAce *ace, User *user);
+int wsacl_check(WSAcl *acl, User *user, int access_mask);
 
 
 #ifdef	__cplusplus
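Review bot: `wsacl_check` is re-declared near the end of this hunk to take `WSAcl *`, but the `check` callback slot added to `struct ACLList` in the previous hunk takes `ACLList *`; storing `wsacl_check` in that slot therefore needs a function-pointer cast, and calling through a pointer of incompatible type is undefined behaviour in C even though it usually works because `WSAcl` embeds `ACLList` as its first member. The conventional fix is to keep the callback's signature, `int wsacl_check(ACLList *acl, User *user, int access_mask);`, and do the downcast inside the implementation with `WSAcl *wsacl = (WSAcl *)acl;` — presumably only after confirming the ACLList really is a WSAcl, which this header does not show how to tell. The `acl_evallist` comment also misspells `evalutes` (should be `evaluates`), and it would help to say there that the returned ACLList is the one callers are expected to pass to `acl_set_error_status`, if that is the intended pairing.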
