src/server/safs/pathcheck.c

Mon, 26 Dec 2016 16:46:55 +0100

author
Olaf Wintermann <olaf.wintermann@gmail.com>
date
Mon, 26 Dec 2016 16:46:55 +0100
changeset 129
fd324464f56f
parent 100
e9bb8449df02
child 131
70010b94bda5
permissions
-rw-r--r--

adds support for ssl cert chain files and improves ssl error handling

/*
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
 *
 * Copyright 2013 Olaf Wintermann. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are met:
 *
 *   1. Redistributions of source code must retain the above copyright
 *      notice, this list of conditions and the following disclaimer.
 *
 *   2. Redistributions in binary form must reproduce the above copyright
 *      notice, this list of conditions and the following disclaimer in the
 *      documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 */

#include <ucx/string.h>

#include "pathcheck.h"

#include "../util/pblock.h"
#include "../daemon/config.h"
#include "../daemon/acl.h"
#include "../daemon/acldata.h"
#include "../daemon/session.h"
#include "../daemon/vserver.h"

#include "../config/acl.h"

int require_auth(pblock *pb, Session *sn, Request *rq) {
    char *user = pblock_findkeyval(pb_key_auth_user, rq->vars);

    if(user == NULL) {
        pblock_nvinsert(
                "www-authenticate",
                "Basic realm=\"Webserver\"",
                rq->srvhdrs);

        protocol_status(sn, rq, PROTOCOL_UNAUTHORIZED, NULL);
        return REQ_ABORTED;
    }

    return REQ_PROCEED;
}

int require_access(pblock *pb, Session *sn, Request *rq) {
    char *mask_str = pblock_findval("mask", rq->vars);
    if(!mask_str) {
        log_ereport(LOG_MISCONFIG, "require-access: missing mask parameter");
        protocol_status(sn, rq, 500, NULL);
        return REQ_ABORTED;
    }
    
    uint32_t access_mask = 0;
    ssize_t n = 0;
    sstr_t *rights = sstrsplit(sstr(mask_str), sstrn(",", 1), &n);
    for(int i=0;i<n;i++) {
        sstr_t right = rights[i];
        access_mask = access_mask | accstr2int(right);
    }
    
    return REQ_PROCEED;
}

int append_acl(pblock *pb, Session *sn, Request *rq) {
    const VirtualServer *vs = request_get_vs(rq);
    
    WS_ASSERT(vs);
    
    char *aclname = pblock_findval("acl", pb);
    if(aclname) {
        ACLList *acl = acl_get(vs->acls, aclname);
        if(!acl) {
            log_ereport(
                    LOG_MISCONFIG,
                    "append-acl: acl %s not found", aclname);
            protocol_status(sn, rq, 500, NULL);
            return REQ_ABORTED;
        }
        
        acllist_append(sn, rq, acl);
    }
    
    return REQ_PROCEED;
}


int check_acl(pblock *pb, Session *sn, Request *rq) {
    int access_mask = ACL_READ_DATA; // TODO: check method and path
    
    int ret = acl_evaluate(sn, rq, access_mask);
    if(ret == REQ_ABORTED) {
        // TODO: status, error, ...
        return REQ_ABORTED;
    }
    
    return REQ_PROCEED;
}

mercurial