src/server/public/acl.h

Wed, 27 Nov 2024 23:00:07 +0100

author
Olaf Wintermann <olaf.wintermann@gmail.com>
date
Wed, 27 Nov 2024 23:00:07 +0100
changeset 563
6ca97c99173e
parent 211
2160585200ac
permissions
-rw-r--r--

add TODO to use a future ucx feature

/*
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
 *
 * Copyright 2018 Olaf Wintermann. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are met:
 *
 *   1. Redistributions of source code must retain the above copyright
 *      notice, this list of conditions and the following disclaimer.
 *
 *   2. Redistributions in binary form must reproduce the above copyright
 *      notice, this list of conditions and the following disclaimer in the
 *      documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 */

#ifndef WS_ACL_H
#define	WS_ACL_H

#include "nsapi.h"
#include "auth.h"

#ifdef	__cplusplus
extern "C" {
#endif

// ACLListHandle typedef in nsapi.h
typedef struct ACLListElm ACLListElm;
typedef struct ACLList ACLList;

typedef struct WSAcl WSAcl;
typedef struct WSAce WSAce;

/*
 * a wrapper struct for acls
 */
struct ACLListHandle {
    AuthDB     *defaultauthdb;
    ACLListElm *listhead;
    ACLListElm *listtail;
};

struct ACLListElm {
    ACLList    *acl;
    ACLListElm *next;
};

/*
 * abstract ACL
 */
typedef int(*acl_check_f)(ACLList*, User*, int);
struct ACLList {
    AuthDB *authdb;
    char   *authprompt;
    int isextern;
    /* int check(ACLList *acl, User *user, int access_mask) */
    int(*check)(ACLList *acl, User *user, int access_mask);
};

/*
 * a webserver access control list
 * 
 * Access control is determined by the ace field. The ece field is a separat
 * list for audit and alarm entries.
 */
struct WSAcl {
    ACLList acl;
    WSAce **ace; // access control entries
    WSAce **ece; // event control entries (audit/alarm entries)
    int acenum; // number of aces
    int ecenum; // number of eces
};


struct WSAce {
    char     *who; // user or group name
    uint32_t access_mask;
    uint16_t flags;
    uint16_t type;
};


/*
 * access permissions
 */
#define ACL_READ_DATA               0x0001
#define ACL_WRITE_DATA              0x0002
#define ACL_APPEND                  0x0002
#define ACL_ADD_FILE                0x0004
#define ACL_ADD_SUBDIRECTORY        0x0004
#define ACL_READ_XATTR              0x0008
#define ACL_WRITE_XATTR             0x0010
#define ACL_EXECUTE                 0x0020
#define ACL_DELETE_CHILD            0x0040
#define ACL_DELETE                  0x0040
#define ACL_READ_ATTRIBUTES         0x0080
#define ACL_WRITE_ATTRIBUTES        0x0100
#define ACL_LIST                    0x0200
#define ACL_READ_ACL                0x0400
#define ACL_WRITE_ACL               0x0800
#define ACL_WRITE_OWNER             0x1000
#define ACL_SYNCHRONIZE             0x2000
#define ACL_READ \
        (ACL_READ_DATA|ACL_READ_XATTR|ACL_READ_ATTRIBUTES)
#define ACL_WRITE \
        (ACL_WRITE_DATA|ACL_WRITE_XATTR|ACL_WRITE_ATTRIBUTES)

/*
 * ace flags
 */
#define ACL_FILE_INHERIT            0x0001
#define ACL_DIR_INHERIT             0x0002
#define ACL_NO_PROPAGATE            0x0004
#define ACL_INHERIT_ONLY            0x0008
#define ACL_SUCCESSFUL_ACCESS_FLAG  0x0010
#define ACL_FAILED_ACCESS_ACE_FLAG  0x0020
#define ACL_IDENTIFIER_GROUP        0x0040
#define ACL_OWNER                   0x1000
#define ACL_GROUP                   0x2000
#define ACL_EVERYONE                0x4000

/*
 * ace type
 */
#define ACL_TYPE_ALLOWED 0x01
#define ACL_TYPE_DENIED  0x02
#define ACL_TYPE_AUDIT   0x03
#define ACL_TYPE_ALARM   0x04


/*
 * public API
 */

// list
void acllist_append(Session *sn, Request *rq, ACLList *acl);
void acllist_prepend(Session *sn, Request *rq, ACLList *acl);

/*
 * gets a access mask from open flags
 */
uint32_t acl_oflag2mask(int oflags);

/*
 * authenticates the user with the user database specified in the acl list
 */
User* acllist_getuser(Session *sn, Request *rq, ACLListHandle *list);

/*
 * sets the status to 403 or 401 and sets www-authenticate
 * 
 * use this only if a ACL denies access
 */
void acl_set_error_status(Session *sn, Request *rq, ACLList *acl, User *user);

/*
 * acl_evaluate
 * 
 * Evaluates all ACLs in rq->acllist. It combines rq->aclreqaccess and
 * access_mask. If access is denied and no user is authenticated it sets the
 * www-authenticate header and the status to 401 Unauthorized.
 * 
 * returns REQ_PROCEED if access is allowed or REQ_ABORTED if access is denied
 */
int acl_evaluate(Session *sn, Request *rq, int access_mask);

/*
 * acl_evallist
 * 
 * evalutes all ACLs in acllist
 * 
 * externacl is set if an acl is extern, otherwise it is set to NULL
 * 
 * returns NULL if access is allowed or a pointer to the ACLList which
 * denied access
 */
ACLList* acl_evallist(
        ACLListHandle *acllist,
        User *user,
        int access_mask,
        ACLList **externacl);

#ifdef	__cplusplus
}
#endif

#endif	/* WS_ACL_H */

mercurial