diff -r 5ec9abba1027 -r 3a1d5a52adfc src/server/daemon/acl.h
--- a/src/server/daemon/acl.h Fri Mar 01 22:44:54 2013 +0100
+++ b/src/server/daemon/acl.h Sat Mar 16 23:11:34 2013 +0100
@@ -36,16 +36,15 @@
 extern "C" {
 #endif
-typedef struct ACLList ACLList;
-typedef struct ACLEntry ACLEntry; // ACLListHandle typedef in nsapi.h
+typedef struct ACLListElm ACLListElm;
+typedef struct ACLList ACLList;
-typedef struct ACLListElm ACLListElm;
+typedef struct WSAcl WSAcl;
+typedef struct WSAce WSAce;
 /*
 * a wrapper struct for acls
- *
- * TODO: store more than one acl
 */
 struct ACLListHandle {
 AuthDB *defaultauthdb;
@@ -59,22 +58,33 @@
 };
 /*
- * a access control list
+ * abstract ACL
+ */
+typedef int(*acl_check_f)(ACLList*, User*, int);
+struct ACLList {
+ AuthDB *authdb;
+ char *authprompt;
+ int isextern;
+ /* int check(ACLList *acl, User *user, int access_mask) */
+ int(*check)(ACLList *acl, User *user, int access_mask);
+};
+
+/*
+ * a webserver access control list
 *
 * Access control is determined by the ace field. The ece field is a separat
 * list for audit and alarm entries.
 */
-struct ACLList {
- AuthDB *authdb;
- char *authprompt;
- ACLEntry **ace; // access control entries
- ACLEntry **ece; // event control entries (audit/alarm entries)
+struct WSAcl {
+ ACLList acl;
+ WSAce **ace; // access control entries
+ WSAce **ece; // event control entries (audit/alarm entries)
 int acenum; // number of aces
 int ecenum; // number of eces
 };
-struct ACLEntry {
+struct WSAce {
 char *who; // user or group name
 uint32_t access_mask;
 uint16_t flags;
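Review bot: `struct WSAcl` begins with an embedded `ACLList acl`, presumably so that the `ACLList *` handed to `check` can be cast back to `WSAcl *`, but that scheme only holds while the member stays first and nothing in the header says so; annotate it, e.g. `ACLList acl; // must remain the first member: an ACLList* pointing at a WSAcl is cast back to WSAcl*`. `acl_check_f` is introduced and then not used for the `check` member, so the same signature is spelled out a second time in the field and a third time in the comment above it; `acl_check_f check;` with a one-line comment on what the return value means would keep them from drifting apart. `isextern` carries no comment at all — state what it gates. Whether `check` may be left NULL is not visible in this hunk; if an ACLList can be created without one, the evaluator should treat that as a deny rather than dispatch through it.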
@@ -138,13 +148,48 @@
 void acllist_append(Session *sn, Request *rq, ACLList *acl);
 void acllist_prepend(Session *sn, Request *rq, ACLList *acl);
-// eval
+/*
+ * gets a access mask from open flags
+ */
+uint32_t acl_oflag2mask(int oflags);
+
+/*
+ * authenticates the user with the user database specified in the acl list
+ */
+User* acllist_getuser(Session *sn, Request *rq, ACLListHandle *list);
+
+/*
+ * sets the status to 403 or 401 and sets www-authenticate
+ *
+ * use this only if a ACL denies access
+ */
+void acl_set_error_status(Session *sn, Request *rq, ACLList *acl, User *user);
+
+/*
+ * acl_evaluate
+ *
+ * Evaluates all ACLs in rq->acllist. It combines rq->aclreqaccess and
+ * access_mask. If access is denied and no user is authenticated it sets the
+ * www-authenticate header and the status to 401 Unauthorized.
+ *
+ * returns REQ_PROCEED if access is allowed or REQ_ABORTED if access is denied
+ */
 int acl_evaluate(Session *sn, Request *rq, int access_mask);
+/*
+ * acl_evallist
+ *
+ * evalutes all ACLs in acllist
+ *
+ * returns NULL if access is allowed or a pointer to the ACLList which
+ * denied access
+ */
+ACLList* acl_evallist(ACLListHandle *acllist, User *user, int access_mask);
+
 // private
-int wsacl_affects_user(ACLEntry *ace, User *user);
-int wsacl_check(ACLList *acl, User *user, int access_mask);
+int wsacl_affects_user(WSAce *ace, User *user);
+int wsacl_check(WSAcl *acl, User *user, int access_mask);
 #ifdef __cplusplus
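Review bot: `int wsacl_check(WSAcl *acl, User *user, int access_mask);` does not have the type of the `check` member declared earlier in this header, `int (*)(ACLList *, User *, int)`, so if it is stored there (as the abstract-ACL design suggests) it needs a function-pointer cast, and calling a function through a pointer of an incompatible type is undefined behaviour in C even when the struct layouts line up. Declare it with the generic signature, `int wsacl_check(ACLList *acl, User *user, int access_mask);`, and cast to `WSAcl *` inside the body, or add a one-line adapter with the generic signature. The `acl_evaluate` comment should also state what an empty or NULL `rq->acllist` means — allow or deny — since that is the fail-open/fail-closed question a caller needs answered and it cannot be decided from this hunk. Minor wording in the new comments: `gets an access mask`, `evaluates all ACLs`, `if an ACL denies access`.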