diff -r 66c22e54aa90 -r ab25c0a231d0 src/server/daemon/acl.h
--- a/src/server/daemon/acl.h Tue Mar 19 17:38:32 2013 +0100
+++ b/src/server/daemon/acl.h Mon May 06 13:44:27 2013 +0200
@@ -29,164 +29,12 @@
 #ifndef ACL_H
 #define ACL_H
-#include "../public/nsapi.h"
-#include "authdb.h"
+#include "../public/acl.h"
 #ifdef __cplusplus
 extern "C" {
 #endif
-// ACLListHandle typedef in nsapi.h
-typedef struct ACLListElm ACLListElm;
-typedef struct ACLList ACLList;
-
-typedef struct WSAcl WSAcl;
-typedef struct WSAce WSAce;
-
-/*
- * a wrapper struct for acls
- */
-struct ACLListHandle {
- AuthDB *defaultauthdb;
- ACLListElm *listhead;
- ACLListElm *listtail;
-};
-
-struct ACLListElm {
- ACLList *acl;
- ACLListElm *next;
-};
-
-/*
- * abstract ACL
- */
-typedef int(*acl_check_f)(ACLList*, User*, int);
-struct ACLList {
- AuthDB *authdb;
- char *authprompt;
- int isextern;
- /* int check(ACLList *acl, User *user, int access_mask) */
- int(*check)(ACLList *acl, User *user, int access_mask);
-};
-
-/*
- * a webserver access control list
- *
- * Access control is determined by the ace field. The ece field is a separat
- * list for audit and alarm entries.
- */
-struct WSAcl {
- ACLList acl;
- WSAce **ace; // access control entries
- WSAce **ece; // event control entries (audit/alarm entries)
- int acenum; // number of aces
- int ecenum; // number of eces
-};
-
-
-struct WSAce {
- char *who; // user or group name
- uint32_t access_mask;
- uint16_t flags;
- uint16_t type;
-};
-
-
-/*
- * access permissions
- */
-#define ACL_READ_DATA 0x0001
-#define ACL_WRITE_DATA 0x0002
-#define ACL_APPEND 0x0002
-#define ACL_ADD_FILE 0x0004
-#define ACL_ADD_SUBDIRECTORY 0x0004
-#define ACL_READ_XATTR 0x0008
-#define ACL_WRITE_XATTR 0x0010
-#define ACL_EXECUTE 0x0020
-#define ACL_DELETE_CHILD 0x0040
-#define ACL_DELETE 0x0040
-#define ACL_READ_ATTRIBUTES 0x0080
-#define ACL_WRITE_ATTRIBUTES 0x0100
-#define ACL_LIST 0x0200
-#define ACL_READ_ACL 0x0400
-#define ACL_WRITE_ACL 0x0800
-#define ACL_WRITE_OWNER 0x1000
-#define ACL_SYNCHRONIZE 0x2000
-#define ACL_READ \
- (ACL_READ_DATA|ACL_READ_XATTR|ACL_READ_ATTRIBUTES)
-#define ACL_WRITE \
- (ACL_WRITE_DATA|ACL_WRITE_XATTR|ACL_WRITE_ATTRIBUTES)
-
-/*
- * ace flags
- */
-#define ACL_FILE_INHERIT 0x0001
-#define ACL_DIR_INHERIT 0x0002
-#define ACL_NO_PROPAGATE 0x0004
-#define ACL_INHERIT_ONLY 0x0008
-#define ACL_SUCCESSFUL_ACCESS_FLAG 0x0010
-#define ACL_FAILED_ACCESS_ACE_FLAG 0x0020
-#define ACL_IDENTIFIER_GROUP 0x0040
-#define ACL_OWNER 0x1000
-#define ACL_GROUP 0x2000
-#define ACL_EVERYONE 0x4000
-
-/*
- * ace type
- */
-#define ACL_TYPE_ALLOWED 0x01
-#define ACL_TYPE_DENIED 0x02
-#define ACL_TYPE_AUDIT 0x03
-#define ACL_TYPE_ALARM 0x04
-
-
-/*
- * public API
- */
-
-// list
-void acllist_append(Session *sn, Request *rq, ACLList *acl);
-void acllist_prepend(Session *sn, Request *rq, ACLList *acl);
-
-/*
- * gets a access mask from open flags
- */
-uint32_t acl_oflag2mask(int oflags);
-
-/*
- * authenticates the user with the user database specified in the acl list
- */
-User* acllist_getuser(Session *sn, Request *rq, ACLListHandle *list);
-
-/*
- * sets the status to 403 or 401 and sets www-authenticate
- *
- * use this only if a ACL denies access
- */
-void acl_set_error_status(Session *sn, Request *rq, ACLList *acl, User *user);
-
-/*
- * acl_evaluate
- *
- * Evaluates all ACLs in rq->acllist. It combines rq->aclreqaccess and
- * access_mask. If access is denied and no user is authenticated it sets the
- * www-authenticate header and the status to 401 Unauthorized.
- *
- * returns REQ_PROCEED if access is allowed or REQ_ABORTED if access is denied
- */
-int acl_evaluate(Session *sn, Request *rq, int access_mask);
-
-/*
- * acl_evallist
- *
- * evalutes all ACLs in acllist
- *
- * returns NULL if access is allowed or a pointer to the ACLList which
- * denied access
- */
-ACLList* acl_evallist(ACLListHandle *acllist, User *user, int access_mask);
-
-
 // private
 int wsacl_affects_user(WSAce *ace, User *user);
 int wsacl_check(WSAcl *acl, User *user, int access_mask);
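Review bot: The two prototypes kept at the end of the hunk, `wsacl_affects_user` and `wsacl_check`, still take `WSAce *`, `WSAcl *` and `User *`, while the hunk drops the `authdb.h` include that previously brought `User` into scope and replaces `nsapi.h` with `../public/acl.h`. Unless `../public/acl.h` declares all three types (it is not visible here), the daemon header is no longer self-contained and will fail the include-its-own-header-first check; keeping `#include "authdb.h"`, or adding a forward declaration such as `typedef struct User User;` if the public header does not provide one, closes that gap. These two functions are the access-decision primitives that remain in this header and carry only a `// private` tag; a one-line contract above each stating what the int return means and whether a NULL `user` is accepted would spare callers in acl.c from reading the implementation. If they are used by a single translation unit, declaring them `static` there instead of in this header keeps them out of the daemon-wide namespace.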