--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/src/server/public/acl.h Mon May 06 13:44:27 2013 +0200 @@ -0,0 +1,194 @@ +/* + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER. + * + * Copyright 2013 Olaf Wintermann. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" + * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +#ifndef WS_ACL_H +#define WS_ACL_H + +#include "nsapi.h" +#include "auth.h" + +#ifdef __cplusplus +extern "C" { +#endif + +// ACLListHandle typedef in nsapi.h +typedef struct ACLListElm ACLListElm; +typedef struct ACLList ACLList; + +typedef struct WSAcl WSAcl; +typedef struct WSAce WSAce; + +/* + * a wrapper struct for acls + */ +struct ACLListHandle { + AuthDB *defaultauthdb; + ACLListElm *listhead; + ACLListElm *listtail; +}; + +struct ACLListElm { + ACLList *acl; + ACLListElm *next; +}; + +/* + * abstract ACL + */ +typedef int(*acl_check_f)(ACLList*, User*, int); +struct ACLList { + AuthDB *authdb; + char *authprompt; + int isextern; + /* int check(ACLList *acl, User *user, int access_mask) */ + int(*check)(ACLList *acl, User *user, int access_mask); +}; + +/* + * a webserver access control list + * + * Access control is determined by the ace field. The ece field is a separat + * list for audit and alarm entries. + */ +struct WSAcl { + ACLList acl; + WSAce **ace; // access control entries + WSAce **ece; // event control entries (audit/alarm entries) + int acenum; // number of aces + int ecenum; // number of eces +}; + + +struct WSAce { + char *who; // user or group name + uint32_t access_mask; + uint16_t flags; + uint16_t type; +}; + + +/* + * access permissions + */ +#define ACL_READ_DATA 0x0001 +#define ACL_WRITE_DATA 0x0002 +#define ACL_APPEND 0x0002 +#define ACL_ADD_FILE 0x0004 +#define ACL_ADD_SUBDIRECTORY 0x0004 +#define ACL_READ_XATTR 0x0008 +#define ACL_WRITE_XATTR 0x0010 +#define ACL_EXECUTE 0x0020 +#define ACL_DELETE_CHILD 0x0040 +#define ACL_DELETE 0x0040 +#define ACL_READ_ATTRIBUTES 0x0080 +#define ACL_WRITE_ATTRIBUTES 0x0100 +#define ACL_LIST 0x0200 +#define ACL_READ_ACL 0x0400 +#define ACL_WRITE_ACL 0x0800 +#define ACL_WRITE_OWNER 0x1000 +#define ACL_SYNCHRONIZE 0x2000 +#define ACL_READ \ + (ACL_READ_DATA|ACL_READ_XATTR|ACL_READ_ATTRIBUTES) +#define ACL_WRITE \ + (ACL_WRITE_DATA|ACL_WRITE_XATTR|ACL_WRITE_ATTRIBUTES) + +/* + * ace flags + */ +#define ACL_FILE_INHERIT 0x0001 +#define ACL_DIR_INHERIT 0x0002 +#define ACL_NO_PROPAGATE 0x0004 +#define ACL_INHERIT_ONLY 0x0008 +#define ACL_SUCCESSFUL_ACCESS_FLAG 0x0010 +#define ACL_FAILED_ACCESS_ACE_FLAG 0x0020 +#define ACL_IDENTIFIER_GROUP 0x0040 +#define ACL_OWNER 0x1000 +#define ACL_GROUP 0x2000 +#define ACL_EVERYONE 0x4000 + +/* + * ace type + */ +#define ACL_TYPE_ALLOWED 0x01 +#define ACL_TYPE_DENIED 0x02 +#define ACL_TYPE_AUDIT 0x03 +#define ACL_TYPE_ALARM 0x04 + + +/* + * public API + */ + +// list +void acllist_append(Session *sn, Request *rq, ACLList *acl); +void acllist_prepend(Session *sn, Request *rq, ACLList *acl); + +/* + * gets a access mask from open flags + */ +uint32_t acl_oflag2mask(int oflags); + +/* + * authenticates the user with the user database specified in the acl list + */ +User* acllist_getuser(Session *sn, Request *rq, ACLListHandle *list); + +/* + * sets the status to 403 or 401 and sets www-authenticate + * + * use this only if a ACL denies access + */ +void acl_set_error_status(Session *sn, Request *rq, ACLList *acl, User *user); + +/* + * acl_evaluate + * + * Evaluates all ACLs in rq->acllist. It combines rq->aclreqaccess and + * access_mask. If access is denied and no user is authenticated it sets the + * www-authenticate header and the status to 401 Unauthorized. + * + * returns REQ_PROCEED if access is allowed or REQ_ABORTED if access is denied + */ +int acl_evaluate(Session *sn, Request *rq, int access_mask); + +/* + * acl_evallist + * + * evalutes all ACLs in acllist + * + * returns NULL if access is allowed or a pointer to the ACLList which + * denied access + */ +ACLList* acl_evallist(ACLListHandle *acllist, User *user, int access_mask); + +#ifdef __cplusplus +} +#endif + +#endif /* WS_ACL_H */ +