Mon, 26 Dec 2016 16:46:55 +0100
adds support for ssl cert chain files and improves ssl error handling
/* * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER. * * Copyright 2013 Olaf Wintermann. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE * POSSIBILITY OF SUCH DAMAGE. */ #ifndef WS_ACL_H #define WS_ACL_H #include "nsapi.h" #include "auth.h" #ifdef __cplusplus extern "C" { #endif // ACLListHandle typedef in nsapi.h typedef struct ACLListElm ACLListElm; typedef struct ACLList ACLList; typedef struct WSAcl WSAcl; typedef struct WSAce WSAce; /* * a wrapper struct for acls */ struct ACLListHandle { AuthDB *defaultauthdb; ACLListElm *listhead; ACLListElm *listtail; }; struct ACLListElm { ACLList *acl; ACLListElm *next; }; /* * abstract ACL */ typedef int(*acl_check_f)(ACLList*, User*, int); struct ACLList { AuthDB *authdb; char *authprompt; int isextern; /* int check(ACLList *acl, User *user, int access_mask) */ int(*check)(ACLList *acl, User *user, int access_mask); }; /* * a webserver access control list * * Access control is determined by the ace field. The ece field is a separat * list for audit and alarm entries. */ struct WSAcl { ACLList acl; WSAce **ace; // access control entries WSAce **ece; // event control entries (audit/alarm entries) int acenum; // number of aces int ecenum; // number of eces }; struct WSAce { char *who; // user or group name uint32_t access_mask; uint16_t flags; uint16_t type; }; /* * access permissions */ #define ACL_READ_DATA 0x0001 #define ACL_WRITE_DATA 0x0002 #define ACL_APPEND 0x0002 #define ACL_ADD_FILE 0x0004 #define ACL_ADD_SUBDIRECTORY 0x0004 #define ACL_READ_XATTR 0x0008 #define ACL_WRITE_XATTR 0x0010 #define ACL_EXECUTE 0x0020 #define ACL_DELETE_CHILD 0x0040 #define ACL_DELETE 0x0040 #define ACL_READ_ATTRIBUTES 0x0080 #define ACL_WRITE_ATTRIBUTES 0x0100 #define ACL_LIST 0x0200 #define ACL_READ_ACL 0x0400 #define ACL_WRITE_ACL 0x0800 #define ACL_WRITE_OWNER 0x1000 #define ACL_SYNCHRONIZE 0x2000 #define ACL_READ \ (ACL_READ_DATA|ACL_READ_XATTR|ACL_READ_ATTRIBUTES) #define ACL_WRITE \ (ACL_WRITE_DATA|ACL_WRITE_XATTR|ACL_WRITE_ATTRIBUTES) /* * ace flags */ #define ACL_FILE_INHERIT 0x0001 #define ACL_DIR_INHERIT 0x0002 #define ACL_NO_PROPAGATE 0x0004 #define ACL_INHERIT_ONLY 0x0008 #define ACL_SUCCESSFUL_ACCESS_FLAG 0x0010 #define ACL_FAILED_ACCESS_ACE_FLAG 0x0020 #define ACL_IDENTIFIER_GROUP 0x0040 #define ACL_OWNER 0x1000 #define ACL_GROUP 0x2000 #define ACL_EVERYONE 0x4000 /* * ace type */ #define ACL_TYPE_ALLOWED 0x01 #define ACL_TYPE_DENIED 0x02 #define ACL_TYPE_AUDIT 0x03 #define ACL_TYPE_ALARM 0x04 /* * public API */ // list void acllist_append(Session *sn, Request *rq, ACLList *acl); void acllist_prepend(Session *sn, Request *rq, ACLList *acl); /* * gets a access mask from open flags */ uint32_t acl_oflag2mask(int oflags); /* * authenticates the user with the user database specified in the acl list */ User* acllist_getuser(Session *sn, Request *rq, ACLListHandle *list); /* * sets the status to 403 or 401 and sets www-authenticate * * use this only if a ACL denies access */ void acl_set_error_status(Session *sn, Request *rq, ACLList *acl, User *user); /* * acl_evaluate * * Evaluates all ACLs in rq->acllist. It combines rq->aclreqaccess and * access_mask. If access is denied and no user is authenticated it sets the * www-authenticate header and the status to 401 Unauthorized. * * returns REQ_PROCEED if access is allowed or REQ_ABORTED if access is denied */ int acl_evaluate(Session *sn, Request *rq, int access_mask); /* * acl_evallist * * evalutes all ACLs in acllist * * externacl is set if an acl is extern, otherwise it is set to NULL * * returns NULL if access is allowed or a pointer to the ACLList which * denied access */ ACLList* acl_evallist( ACLListHandle *acllist, User *user, int access_mask, ACLList **externacl); #ifdef __cplusplus } #endif #endif /* WS_ACL_H */