Sat, 22 Jun 2013 13:54:41 +0200
added file system ACLs for linux
23
a2c8fc23c90e
Added basic authentication
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff
changeset
|
1 | /* |
a2c8fc23c90e
Added basic authentication
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff
changeset
|
2 | * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER. |
a2c8fc23c90e
Added basic authentication
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff
changeset
|
3 | * |
44
3da1f7b6847f
added some error messages
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
23
diff
changeset
|
4 | * Copyright 2013 Olaf Wintermann. All rights reserved. |
23
a2c8fc23c90e
Added basic authentication
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff
changeset
|
5 | * |
a2c8fc23c90e
Added basic authentication
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff
changeset
|
6 | * Redistribution and use in source and binary forms, with or without |
a2c8fc23c90e
Added basic authentication
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff
changeset
|
7 | * modification, are permitted provided that the following conditions are met: |
a2c8fc23c90e
Added basic authentication
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff
changeset
|
8 | * |
a2c8fc23c90e
Added basic authentication
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff
changeset
|
9 | * 1. Redistributions of source code must retain the above copyright |
a2c8fc23c90e
Added basic authentication
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff
changeset
|
10 | * notice, this list of conditions and the following disclaimer. |
a2c8fc23c90e
Added basic authentication
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff
changeset
|
11 | * |
a2c8fc23c90e
Added basic authentication
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff
changeset
|
12 | * 2. Redistributions in binary form must reproduce the above copyright |
a2c8fc23c90e
Added basic authentication
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff
changeset
|
13 | * notice, this list of conditions and the following disclaimer in the |
a2c8fc23c90e
Added basic authentication
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff
changeset
|
14 | * documentation and/or other materials provided with the distribution. |
a2c8fc23c90e
Added basic authentication
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff
changeset
|
15 | * |
a2c8fc23c90e
Added basic authentication
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff
changeset
|
16 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" |
a2c8fc23c90e
Added basic authentication
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff
changeset
|
17 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
a2c8fc23c90e
Added basic authentication
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff
changeset
|
18 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
a2c8fc23c90e
Added basic authentication
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff
changeset
|
19 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE |
a2c8fc23c90e
Added basic authentication
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff
changeset
|
20 | * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR |
a2c8fc23c90e
Added basic authentication
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff
changeset
|
21 | * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF |
a2c8fc23c90e
Added basic authentication
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff
changeset
|
22 | * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS |
a2c8fc23c90e
Added basic authentication
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff
changeset
|
23 | * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN |
a2c8fc23c90e
Added basic authentication
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff
changeset
|
24 | * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) |
a2c8fc23c90e
Added basic authentication
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff
changeset
|
25 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE |
a2c8fc23c90e
Added basic authentication
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff
changeset
|
26 | * POSSIBILITY OF SUCH DAMAGE. |
a2c8fc23c90e
Added basic authentication
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff
changeset
|
27 | */ |
a2c8fc23c90e
Added basic authentication
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff
changeset
|
28 | |
a2c8fc23c90e
Added basic authentication
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff
changeset
|
29 | #include "pathcheck.h" |
a2c8fc23c90e
Added basic authentication
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff
changeset
|
30 | |
a2c8fc23c90e
Added basic authentication
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff
changeset
|
31 | #include "../util/pblock.h" |
51 | 32 | #include "../daemon/config.h" |
33 | #include "../daemon/acl.h" | |
34 | #include "../daemon/acldata.h" | |
35 | #include "../daemon/session.h" | |
61
c858850f3d3a
improved configuration reloading
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
52
diff
changeset
|
36 | #include "../daemon/vserver.h" |
23
a2c8fc23c90e
Added basic authentication
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff
changeset
|
37 | |
52
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
38 | #include "../ucx/string.h" |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
39 | #include "../config/acl.h" |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
40 | |
23
a2c8fc23c90e
Added basic authentication
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff
changeset
|
41 | int require_auth(pblock *pb, Session *sn, Request *rq) { |
a2c8fc23c90e
Added basic authentication
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff
changeset
|
42 | char *user = pblock_findkeyval(pb_key_auth_user, rq->vars); |
a2c8fc23c90e
Added basic authentication
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff
changeset
|
43 | |
a2c8fc23c90e
Added basic authentication
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff
changeset
|
44 | if(user == NULL) { |
a2c8fc23c90e
Added basic authentication
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff
changeset
|
45 | pblock_nvinsert( |
a2c8fc23c90e
Added basic authentication
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff
changeset
|
46 | "www-authenticate", |
a2c8fc23c90e
Added basic authentication
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff
changeset
|
47 | "Basic realm=\"Webserver\"", |
a2c8fc23c90e
Added basic authentication
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff
changeset
|
48 | rq->srvhdrs); |
a2c8fc23c90e
Added basic authentication
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff
changeset
|
49 | |
a2c8fc23c90e
Added basic authentication
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff
changeset
|
50 | protocol_status(sn, rq, PROTOCOL_UNAUTHORIZED, NULL); |
a2c8fc23c90e
Added basic authentication
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff
changeset
|
51 | return REQ_ABORTED; |
a2c8fc23c90e
Added basic authentication
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff
changeset
|
52 | } |
a2c8fc23c90e
Added basic authentication
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff
changeset
|
53 | |
a2c8fc23c90e
Added basic authentication
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff
changeset
|
54 | return REQ_PROCEED; |
a2c8fc23c90e
Added basic authentication
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff
changeset
|
55 | } |
51 | 56 | |
52
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
57 | int require_access(pblock *pb, Session *sn, Request *rq) { |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
58 | char *mask_str = pblock_findval("mask", rq->vars); |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
59 | if(!mask_str) { |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
60 | // misconfig |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
61 | // TODO: log |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
62 | return REQ_ABORTED; |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
63 | } |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
64 | |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
65 | uint32_t access_mask = 0; |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
66 | size_t n = 0; |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
67 | sstr_t *rights = sstrsplit(sstr(mask_str), sstrn(",", 1), &n); |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
68 | for(int i=0;i<n;i++) { |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
69 | sstr_t right = rights[i]; |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
70 | access_mask = access_mask | accstr2int(right); |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
71 | } |
69
4a10bc0ee80d
compiles on os x
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
61
diff
changeset
|
72 | |
4a10bc0ee80d
compiles on os x
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
61
diff
changeset
|
73 | return REQ_PROCEED; |
52
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
74 | } |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
75 | |
51 | 76 | int append_acl(pblock *pb, Session *sn, Request *rq) { |
61
c858850f3d3a
improved configuration reloading
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
52
diff
changeset
|
77 | const VirtualServer *vs = request_get_vs(rq); |
51 | 78 | |
79 | char *aclname = pblock_findval("acl", pb); | |
80 | if(aclname) { | |
61
c858850f3d3a
improved configuration reloading
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
52
diff
changeset
|
81 | ACLList *acl = acl_get(vs->acls, aclname); |
51 | 82 | if(!acl) { |
83 | // TODO: error | |
84 | fprintf(stderr, "acl %s not found\n", aclname); | |
85 | return REQ_ABORTED; | |
86 | } | |
87 | ||
88 | acllist_append(sn, rq, acl); | |
89 | } | |
90 | ||
91 | return REQ_NOACTION; // TODO: should return REQ_PROCEED, fix nsapi_pathcheck | |
92 | } | |
93 | ||
94 | ||
95 | int check_acl(pblock *pb, Session *sn, Request *rq) { | |
96 | int access_mask = ACL_READ_DATA; // TODO: check method and path | |
97 | ||
98 | int ret = acl_evaluate(sn, rq, access_mask); | |
99 | if(ret == REQ_ABORTED) { | |
100 | // TODO: status, error, ... | |
101 | return REQ_ABORTED; | |
102 | } | |
103 | ||
104 | return REQ_PROCEED; | |
105 | } |