/*
- * Copyright (C) 2016, 2017, 2018 "IoT.bzh"
+ * Copyright (C) 2015-2020 "IoT.bzh"
* Author "Fulup Ar Foll"
* Author José Bollo <jose.bollo@iot.bzh>
*
#include <json-c/json.h>
#include <afb/afb-auth.h>
-#include <afb/afb-session-v2.h>
+#include <afb/afb-session-x2.h>
+#if WITH_LEGACY_BINDING_V1
+#include <afb/afb-session-x1.h>
+#endif
#include "afb-auth.h"
#include "afb-context.h"
#include "afb-xreq.h"
-#include "afb-cred.h"
#include "verbose.h"
-int afb_auth_check(struct afb_xreq *xreq, const struct afb_auth *auth)
+int afb_auth_check(struct afb_context *context, const struct afb_auth *auth)
{
switch (auth->type) {
default:
return 0;
case afb_auth_Token:
- return afb_context_check(&xreq->context);
+ return afb_context_check(context);
case afb_auth_LOA:
- return afb_context_check_loa(&xreq->context, auth->loa);
+ return afb_context_check_loa(context, auth->loa);
case afb_auth_Permission:
- return afb_auth_has_permission(xreq, auth->text);
+ return afb_context_has_permission(context, auth->text);
case afb_auth_Or:
- return afb_auth_check(xreq, auth->first) || afb_auth_check(xreq, auth->next);
+ return afb_auth_check(context, auth->first) || afb_auth_check(context, auth->next);
case afb_auth_And:
- return afb_auth_check(xreq, auth->first) && afb_auth_check(xreq, auth->next);
+ return afb_auth_check(context, auth->first) && afb_auth_check(context, auth->next);
case afb_auth_Not:
- return !afb_auth_check(xreq, auth->first);
+ return !afb_auth_check(context, auth->first);
case afb_auth_Yes:
return 1;
}
}
-/*********************************************************************************/
-#ifdef BACKEND_PERMISSION_IS_CYNARA
-#include <pthread.h>
-#include <cynara-client.h>
+#if WITH_LEGACY_BINDING_V1
+int afb_auth_check_and_set_session_x1(struct afb_xreq *xreq, int sessionflags)
+{
+ int loa;
-static cynara *handle;
-static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
+ if ((sessionflags & (AFB_SESSION_CLOSE_X1|AFB_SESSION_CHECK_X1|AFB_SESSION_LOA_EQ_X1)) != 0) {
+ if (!afb_context_check(&xreq->context)) {
+ afb_context_close(&xreq->context);
+ return afb_xreq_reply_invalid_token(xreq);
+ }
+ }
-int afb_auth_has_permission(struct afb_xreq *xreq, const char *permission)
-{
- int rc;
+ if ((sessionflags & AFB_SESSION_LOA_GE_X1) != 0) {
+ loa = (sessionflags >> AFB_SESSION_LOA_SHIFT_X1) & AFB_SESSION_LOA_MASK_X1;
+ if (!afb_context_check_loa(&xreq->context, loa))
+ return afb_xreq_reply_insufficient_scope(xreq, "invalid LOA");
+ }
- if (!xreq->cred) {
- /* case of permission for self */
- return 1;
+ if ((sessionflags & AFB_SESSION_LOA_LE_X1) != 0) {
+ loa = (sessionflags >> AFB_SESSION_LOA_SHIFT_X1) & AFB_SESSION_LOA_MASK_X1;
+ if (afb_context_check_loa(&xreq->context, loa + 1))
+ return afb_xreq_reply_insufficient_scope(xreq, "invalid LOA");
}
- if (!permission) {
- ERROR("Got a null permission!");
- return 0;
+
+ if ((sessionflags & AFB_SESSION_CLOSE_X1) != 0) {
+ afb_context_change_loa(&xreq->context, 0);
+ afb_context_close(&xreq->context);
}
- /* cynara isn't reentrant */
- pthread_mutex_lock(&mutex);
+ return 1;
+}
+#endif
- /* lazy initialisation */
- if (!handle) {
- rc = cynara_initialize(&handle, NULL);
- if (rc != CYNARA_API_SUCCESS) {
- handle = NULL;
- ERROR("cynara initialisation failed with code %d", rc);
- return 0;
+int afb_auth_check_and_set_session_x2(struct afb_xreq *xreq, const struct afb_auth *auth, uint32_t sessionflags)
+{
+ int loa;
+
+ if (sessionflags != 0) {
+ if (!afb_context_check(&xreq->context)) {
+ afb_context_close(&xreq->context);
+ return afb_xreq_reply_invalid_token(xreq);
}
}
- /* query cynara permission */
- rc = cynara_check(handle, xreq->cred->label, afb_context_uuid(&xreq->context), xreq->cred->user, permission);
+ loa = (int)(sessionflags & AFB_SESSION_LOA_MASK_X2);
+ if (loa && !afb_context_check_loa(&xreq->context, loa))
+ return afb_xreq_reply_insufficient_scope(xreq, "invalid LOA");
- pthread_mutex_unlock(&mutex);
- return rc == CYNARA_API_ACCESS_ALLOWED;
-}
+ if (auth && !afb_auth_check(&xreq->context, auth))
+ return afb_xreq_reply_insufficient_scope(xreq, NULL /* TODO */);
-/*********************************************************************************/
-#else
-int afb_auth_has_permission(struct afb_xreq *xreq, const char *permission)
-{
- WARNING("Granting permission %s by default of backend", permission ?: "(null)");
- return !!permission;
+ if ((sessionflags & AFB_SESSION_CLOSE_X2) != 0)
+ afb_context_close(&xreq->context);
+
+ return 1;
}
-#endif
/*********************************************************************************/
return o;
}
-struct json_object *afb_auth_json_v2(const struct afb_auth *auth, int session)
+struct json_object *afb_auth_json_x2(const struct afb_auth *auth, uint32_t session)
{
struct json_object *result = NULL;
- if (session & AFB_SESSION_CLOSE_V2)
+ if (session & AFB_SESSION_CLOSE_X2)
result = addperm_key_valstr(result, "session", "close");
- if (session & AFB_SESSION_CHECK_V2)
+ if (session & AFB_SESSION_CHECK_X2)
result = addperm_key_valstr(result, "session", "check");
- if (session & AFB_SESSION_REFRESH_V2)
+ if (session & AFB_SESSION_REFRESH_X2)
result = addperm_key_valstr(result, "token", "refresh");
- if (session & AFB_SESSION_LOA_MASK_V2)
- result = addperm_key_valint(result, "LOA", session & AFB_SESSION_LOA_MASK_V2);
+ if (session & AFB_SESSION_LOA_MASK_X2)
+ result = addperm_key_valint(result, "LOA", session & AFB_SESSION_LOA_MASK_X2);
if (auth)
result = addauth(result, auth);
return result;
}
+
+#if WITH_LEGACY_BINDING_V1
+struct json_object *afb_auth_json_x1(int session)
+{
+ struct json_object *result = NULL;
+
+ if (session & AFB_SESSION_CLOSE_X1)
+ result = addperm_key_valstr(result, "session", "close");
+ if (session & AFB_SESSION_CHECK_X1)
+ result = addperm_key_valstr(result, "session", "check");
+ if (session & AFB_SESSION_RENEW_X1)
+ result = addperm_key_valstr(result, "token", "refresh");
+ if (session & AFB_SESSION_LOA_MASK_X1)
+ result = addperm_key_valint(result, "LOA", (session >> AFB_SESSION_LOA_SHIFT_X1) & AFB_SESSION_LOA_MASK_X1);
+
+ return result;
+}
+#endif