src/server/safs/pathcheck.c

Sat, 22 Jun 2013 13:54:41 +0200

author
Olaf Wintermann <olaf.wintermann@gmail.com>
date
Sat, 22 Jun 2013 13:54:41 +0200
changeset 73
79fa26ecd135
parent 69
4a10bc0ee80d
child 77
f1cff81e425a
permissions
-rw-r--r--

added file system ACLs for linux

1 /*
2 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
3 *
4 * Copyright 2013 Olaf Wintermann. All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions are met:
8 *
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 *
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 *
16 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
17 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
20 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
21 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
22 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
23 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
24 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
25 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
26 * POSSIBILITY OF SUCH DAMAGE.
27 */
#include "pathcheck.h"

#include <stdio.h>

#include "../util/pblock.h"
#include "../daemon/config.h"
#include "../daemon/acl.h"
#include "../daemon/acldata.h"
#include "../daemon/session.h"
#include "../daemon/vserver.h"

#include "../ucx/string.h"
#include "../config/acl.h"

/*
 * SAF: require that the request already carries an authenticated user.
 *
 * Looks up pb_key_auth_user in rq->vars (presumably set by an earlier
 * authentication stage — confirm against the AuthTrans SAFs). When the
 * value is absent a "www-authenticate" challenge for the realm "Webserver"
 * is added to rq->srvhdrs, the status is set to PROTOCOL_UNAUTHORIZED and
 * the request is aborted. The SAF parameter block pb is not consulted.
 *
 * Returns REQ_PROCEED when a user is present, REQ_ABORTED otherwise.
 */
int require_auth(pblock *pb, Session *sn, Request *rq) {
    if(pblock_findkeyval(pb_key_auth_user, rq->vars)) {
        return REQ_PROCEED;
    }

    // No user on the request: challenge the client and stop the pipeline.
    pblock_nvinsert(
            "www-authenticate",
            "Basic realm=\"Webserver\"",
            rq->srvhdrs);
    protocol_status(sn, rq, PROTOCOL_UNAUTHORIZED, NULL);
    return REQ_ABORTED;
}
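/*
 * SAF: parse the comma separated "mask" right list of the request.
 *
 * "mask" is read from rq->vars; each element is converted with
 * accstr2int() and OR-ed into a uint32_t access mask.
 *
 * NOTE(review): the computed mask is never used — after parsing, every
 * request with a "mask" value proceeds, so this SAF does not enforce any
 * access decision yet. Confirm whether an evaluation step (as check_acl
 * does with acl_evaluate()) was meant to follow here.
 *
 * Returns REQ_ABORTED when "mask" is missing (treated as a
 * misconfiguration), REQ_PROCEED otherwise.
 */
int require_access(pblock *pb, Session *sn, Request *rq) {
    // NOTE(review): looked up in rq->vars rather than in the SAF parameter
    // block pb (append_acl reads its "acl" parameter from pb) — confirm
    // which one is intended.
    char *mask_str = pblock_findval("mask", rq->vars);
    if(!mask_str) {
        // misconfig: report it the same way append_acl does until the
        // server log facility is used here (TODO: log)
        fprintf(stderr, "require_access: mask parameter missing\n");
        return REQ_ABORTED;
    }

    uint32_t access_mask = 0;
    size_t n = 0;
    sstr_t *rights = sstrsplit(sstr(mask_str), sstrn(",", 1), &n);
    // size_t index so the bound check does not compare a signed int
    // against the unsigned element count.
    for(size_t i = 0; rights && i < n; i++) {
        access_mask |= accstr2int(rights[i]);
    }
    // NOTE(review): rights (and possibly each element's buffer) is produced
    // by sstrsplit(); confirm its ownership contract and release the memory
    // here if the caller owns it.

    return REQ_PROCEED;
}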
/*
 * SAF: attach a named ACL to the request.
 *
 * Reads the "acl" parameter from the SAF parameter block pb, resolves it
 * in the virtual server's ACL table (vs->acls) and appends the result to
 * the request with acllist_append(). Without an "acl" parameter nothing
 * is attached; an unknown name is reported on stderr and aborts the
 * request.
 *
 * Returns REQ_ABORTED for an unknown ACL name, REQ_NOACTION otherwise
 * (original TODO: should become REQ_PROCEED once nsapi_pathcheck is fixed).
 */
int append_acl(pblock *pb, Session *sn, Request *rq) {
    const VirtualServer *vs = request_get_vs(rq);
    char *aclname = pblock_findval("acl", pb);

    if(!aclname) {
        return REQ_NOACTION; // TODO: should return REQ_PROCEED, fix nsapi_pathcheck
    }

    // NOTE(review): vs is dereferenced without a NULL check — confirm
    // request_get_vs() cannot return NULL at this stage.
    ACLList *acl = acl_get(vs->acls, aclname);
    if(acl) {
        acllist_append(sn, rq, acl);
        return REQ_NOACTION; // TODO: should return REQ_PROCEED, fix nsapi_pathcheck
    }

    // TODO: error
    fprintf(stderr, "acl %s not found\n", aclname);
    return REQ_ABORTED;
}
/*
 * SAF: evaluate the ACLs attached to the request.
 *
 * Asks acl_evaluate() for ACL_READ_DATA only; deriving the mask from the
 * request method and path is still a TODO. A REQ_ABORTED result denies
 * the request; every other result lets it proceed.
 *
 * Returns REQ_ABORTED when acl_evaluate() reports REQ_ABORTED, REQ_PROCEED
 * otherwise.
 */
int check_acl(pblock *pb, Session *sn, Request *rq) {
    // TODO: check method and path to pick the right mask
    int access_mask = ACL_READ_DATA;

    // NOTE(review): only REQ_ABORTED denies; any other value from
    // acl_evaluate() proceeds — confirm it returns nothing but
    // REQ_PROCEED/REQ_ABORTED. TODO: status, error, ... on denial.
    return acl_evaluate(sn, rq, access_mask) == REQ_ABORTED
            ? REQ_ABORTED
            : REQ_PROCEED;
}
