UNIXworkcode

1 /* 2 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER. 3 * 4 * Copyright 2018 Olaf Wintermann. All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions are met: 8 * 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 16 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 17 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE 20 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 21 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 22 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 23 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 24 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 25 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 26 * POSSIBILITY OF SUCH DAMAGE. 27 */ 28 29 #ifndef WS_ACL_H 30 #define WS_ACL_H 31 32 #include "nsapi.h" 33 #include "auth.h" 34 35 #ifdef __cplusplus 36 extern "C" { 37 #endif 38 39 // ACLListHandle typedef in nsapi.h 40 typedef struct ACLListElm ACLListElm; 41 typedef struct ACLList ACLList; 42 43 typedef struct WSAcl WSAcl; 44 typedef struct WSAce WSAce; 45 46 /* 47 * a wrapper struct for acls 48 */ 49 struct ACLListHandle { 50 AuthDB *defaultauthdb; 51 ACLListElm *listhead; 52 ACLListElm *listtail; 53 }; 54 55 struct ACLListElm { 56 ACLList *acl; 57 ACLListElm *next; 58 }; 59 60 /* 61 * abstract ACL 62 */ 63 typedef int(*acl_check_f)(ACLList*, User*, int); 64 struct ACLList { 65 AuthDB *authdb; 66 char *authprompt; 67 int isextern; 68 /* int check(ACLList *acl, User *user, int access_mask) */ 69 int(*check)(ACLList *acl, User *user, int access_mask); 70 }; 71 72 /* 73 * a webserver access control list 74 * 75 * Access control is determined by the ace field. The ece field is a separat 76 * list for audit and alarm entries. 77 */ 78 struct WSAcl { 79 ACLList acl; 80 WSAce **ace; // access control entries 81 WSAce **ece; // event control entries (audit/alarm entries) 82 int acenum; // number of aces 83 int ecenum; // number of eces 84 }; 85 86 87 struct WSAce { 88 char *who; // user or group name 89 uint32_t access_mask; 90 uint16_t flags; 91 uint16_t type; 92 }; 93 94 95 /* 96 * access permissions 97 */ 98 #define ACL_READ_DATA 0x0001 99 #define ACL_WRITE_DATA 0x0002 100 #define ACL_APPEND 0x0002 101 #define ACL_ADD_FILE 0x0004 102 #define ACL_ADD_SUBDIRECTORY 0x0004 103 #define ACL_READ_XATTR 0x0008 104 #define ACL_WRITE_XATTR 0x0010 105 #define ACL_EXECUTE 0x0020 106 #define ACL_DELETE_CHILD 0x0040 107 #define ACL_DELETE 0x0040 108 #define ACL_READ_ATTRIBUTES 0x0080 109 #define ACL_WRITE_ATTRIBUTES 0x0100 110 #define ACL_LIST 0x0200 111 #define ACL_READ_ACL 0x0400 112 #define ACL_WRITE_ACL 0x0800 113 #define ACL_WRITE_OWNER 0x1000 114 #define ACL_SYNCHRONIZE 0x2000 115 #define ACL_READ \ 116 (ACL_READ_DATA|ACL_READ_XATTR|ACL_READ_ATTRIBUTES) 117 #define ACL_WRITE \ 118 (ACL_WRITE_DATA|ACL_WRITE_XATTR|ACL_WRITE_ATTRIBUTES) 119 120 /* 121 * ace flags 122 */ 123 #define ACL_FILE_INHERIT 0x0001 124 #define ACL_DIR_INHERIT 0x0002 125 #define ACL_NO_PROPAGATE 0x0004 126 #define ACL_INHERIT_ONLY 0x0008 127 #define ACL_SUCCESSFUL_ACCESS_FLAG 0x0010 128 #define ACL_FAILED_ACCESS_ACE_FLAG 0x0020 129 #define ACL_IDENTIFIER_GROUP 0x0040 130 #define ACL_OWNER 0x1000 131 #define ACL_GROUP 0x2000 132 #define ACL_EVERYONE 0x4000 133 134 /* 135 * ace type 136 */ 137 #define ACL_TYPE_ALLOWED 0x01 138 #define ACL_TYPE_DENIED 0x02 139 #define ACL_TYPE_AUDIT 0x03 140 #define ACL_TYPE_ALARM 0x04 141 142 143 /* 144 * public API 145 */ 146 147 // list 148 void acllist_append(Session *sn, Request *rq, ACLList *acl); 149 void acllist_prepend(Session *sn, Request *rq, ACLList *acl); 150 151 /* 152 * gets a access mask from open flags 153 */ 154 uint32_t acl_oflag2mask(int oflags); 155 156 /* 157 * authenticates the user with the user database specified in the acl list 158 */ 159 User* acllist_getuser(Session *sn, Request *rq, ACLListHandle *list); 160 161 /* 162 * sets the status to 403 or 401 and sets www-authenticate 163 * 164 * use this only if a ACL denies access 165 */ 166 void acl_set_error_status(Session *sn, Request *rq, ACLList *acl, User *user); 167 168 /* 169 * acl_evaluate 170 * 171 * Evaluates all ACLs in rq->acllist. It combines rq->aclreqaccess and 172 * access_mask. If access is denied and no user is authenticated it sets the 173 * www-authenticate header and the status to 401 Unauthorized. 174 * 175 * returns REQ_PROCEED if access is allowed or REQ_ABORTED if access is denied 176 */ 177 int acl_evaluate(Session *sn, Request *rq, int access_mask); 178 179 /* 180 * acl_evallist 181 * 182 * evalutes all ACLs in acllist 183 * 184 * externacl is set if an acl is extern, otherwise it is set to NULL 185 * 186 * returns NULL if access is allowed or a pointer to the ACLList which 187 * denied access 188 */ 189 ACLList* acl_evallist( 190 ACLListHandle *acllist, 191 User *user, 192 int access_mask, 193 ACLList **externacl); 194 195 #ifdef __cplusplus 196 } 197 #endif 198 199 #endif /* WS_ACL_H */ 200 201