2 * Copyright (C) 2015-2020 "IoT.bzh"
3 * Author "Fulup Ar Foll"
4 * Author José Bollo <jose.bollo@iot.bzh>
6 * Licensed under the Apache License, Version 2.0 (the "License");
7 * you may not use this file except in compliance with the License.
8 * You may obtain a copy of the License at
10 * http://www.apache.org/licenses/LICENSE-2.0
12 * Unless required by applicable law or agreed to in writing, software
13 * distributed under the License is distributed on an "AS IS" BASIS,
14 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15 * See the License for the specific language governing permissions and
16 * limitations under the License.
23 #include <json-c/json.h>
24 #include <afb/afb-auth.h>
25 #include <afb/afb-session-x2.h>
26 #if WITH_LEGACY_BINDING_V1
27 #include <afb/afb-session-x1.h>
31 #include "afb-context.h"
35 int afb_auth_check(struct afb_context *context, const struct afb_auth *auth)
43 return afb_context_check(context);
46 return afb_context_check_loa(context, auth->loa);
48 case afb_auth_Permission:
49 return afb_context_has_permission(context, auth->text);
52 return afb_auth_check(context, auth->first) || afb_auth_check(context, auth->next);
55 return afb_auth_check(context, auth->first) && afb_auth_check(context, auth->next);
58 return !afb_auth_check(context, auth->first);
66 #if WITH_LEGACY_BINDING_V1
67 int afb_auth_check_and_set_session_x1(struct afb_xreq *xreq, int sessionflags)
71 if ((sessionflags & (AFB_SESSION_CLOSE_X1|AFB_SESSION_CHECK_X1|AFB_SESSION_LOA_EQ_X1)) != 0) {
72 if (!afb_context_check(&xreq->context)) {
73 afb_context_close(&xreq->context);
74 return afb_xreq_reply_invalid_token(xreq);
78 if ((sessionflags & AFB_SESSION_LOA_GE_X1) != 0) {
79 loa = (sessionflags >> AFB_SESSION_LOA_SHIFT_X1) & AFB_SESSION_LOA_MASK_X1;
80 if (!afb_context_check_loa(&xreq->context, loa))
81 return afb_xreq_reply_insufficient_scope(xreq, "invalid LOA");
84 if ((sessionflags & AFB_SESSION_LOA_LE_X1) != 0) {
85 loa = (sessionflags >> AFB_SESSION_LOA_SHIFT_X1) & AFB_SESSION_LOA_MASK_X1;
86 if (afb_context_check_loa(&xreq->context, loa + 1))
87 return afb_xreq_reply_insufficient_scope(xreq, "invalid LOA");
90 if ((sessionflags & AFB_SESSION_CLOSE_X1) != 0) {
91 afb_context_change_loa(&xreq->context, 0);
92 afb_context_close(&xreq->context);
99 int afb_auth_check_and_set_session_x2(struct afb_xreq *xreq, const struct afb_auth *auth, uint32_t sessionflags)
103 if (sessionflags != 0) {
104 if (!afb_context_check(&xreq->context)) {
105 afb_context_close(&xreq->context);
106 return afb_xreq_reply_invalid_token(xreq);
110 loa = (int)(sessionflags & AFB_SESSION_LOA_MASK_X2);
111 if (loa && !afb_context_check_loa(&xreq->context, loa))
112 return afb_xreq_reply_insufficient_scope(xreq, "invalid LOA");
114 if (auth && !afb_auth_check(&xreq->context, auth))
115 return afb_xreq_reply_insufficient_scope(xreq, NULL /* TODO */);
117 if ((sessionflags & AFB_SESSION_CLOSE_X2) != 0)
118 afb_context_close(&xreq->context);
123 /*********************************************************************************/
125 static struct json_object *addperm(struct json_object *o, struct json_object *x)
127 struct json_object *a;
132 if (!json_object_object_get_ex(o, "allOf", &a)) {
133 a = json_object_new_array();
134 json_object_array_add(a, o);
135 o = json_object_new_object();
136 json_object_object_add(o, "allOf", a);
138 json_object_array_add(a, x);
142 static struct json_object *addperm_key_val(struct json_object *o, const char *key, struct json_object *val)
144 struct json_object *x = json_object_new_object();
145 json_object_object_add(x, key, val);
146 return addperm(o, x);
149 static struct json_object *addperm_key_valstr(struct json_object *o, const char *key, const char *val)
151 return addperm_key_val(o, key, json_object_new_string(val));
154 static struct json_object *addperm_key_valint(struct json_object *o, const char *key, int val)
156 return addperm_key_val(o, key, json_object_new_int(val));
159 static struct json_object *addauth_or_array(struct json_object *o, const struct afb_auth *auth);
161 static struct json_object *addauth(struct json_object *o, const struct afb_auth *auth)
164 case afb_auth_No: return addperm(o, json_object_new_boolean(0));
165 case afb_auth_Token: return addperm_key_valstr(o, "session", "check");
166 case afb_auth_LOA: return addperm_key_valint(o, "LOA", auth->loa);
167 case afb_auth_Permission: return addperm_key_valstr(o, "permission", auth->text);
168 case afb_auth_Or: return addperm_key_val(o, "anyOf", addauth_or_array(json_object_new_array(), auth));
169 case afb_auth_And: return addauth(addauth(o, auth->first), auth->next);
170 case afb_auth_Not: return addperm_key_val(o, "not", addauth(NULL, auth->first));
171 case afb_auth_Yes: return addperm(o, json_object_new_boolean(1));
176 static struct json_object *addauth_or_array(struct json_object *o, const struct afb_auth *auth)
178 if (auth->type != afb_auth_Or)
179 json_object_array_add(o, addauth(NULL, auth));
181 addauth_or_array(o, auth->first);
182 addauth_or_array(o, auth->next);
188 struct json_object *afb_auth_json_x2(const struct afb_auth *auth, uint32_t session)
190 struct json_object *result = NULL;
192 if (session & AFB_SESSION_CLOSE_X2)
193 result = addperm_key_valstr(result, "session", "close");
195 if (session & AFB_SESSION_CHECK_X2)
196 result = addperm_key_valstr(result, "session", "check");
198 if (session & AFB_SESSION_REFRESH_X2)
199 result = addperm_key_valstr(result, "token", "refresh");
201 if (session & AFB_SESSION_LOA_MASK_X2)
202 result = addperm_key_valint(result, "LOA", session & AFB_SESSION_LOA_MASK_X2);
205 result = addauth(result, auth);
211 #if WITH_LEGACY_BINDING_V1
212 struct json_object *afb_auth_json_x1(int session)
214 struct json_object *result = NULL;
216 if (session & AFB_SESSION_CLOSE_X1)
217 result = addperm_key_valstr(result, "session", "close");
218 if (session & AFB_SESSION_CHECK_X1)
219 result = addperm_key_valstr(result, "session", "check");
220 if (session & AFB_SESSION_RENEW_X1)
221 result = addperm_key_valstr(result, "token", "refresh");
222 if (session & AFB_SESSION_LOA_MASK_X1)
223 result = addperm_key_valint(result, "LOA", (session >> AFB_SESSION_LOA_SHIFT_X1) & AFB_SESSION_LOA_MASK_X1);