#include "afb-auth.h"
#include "afb-context.h"
#include "afb-xreq.h"
+#include "afb-cred.h"
#include "verbose.h"
-static int check_permission(const char *permission, struct afb_xreq *xreq);
-
-int afb_auth_check(const struct afb_auth *auth, struct afb_xreq *xreq)
+int afb_auth_check(struct afb_xreq *xreq, const struct afb_auth *auth)
{
switch (auth->type) {
default:
return afb_context_check_loa(&xreq->context, auth->loa);
case afb_auth_Permission:
- return xreq->cred && auth->text && check_permission(auth->text, xreq);
+ return afb_auth_has_permission(xreq, auth->text);
case afb_auth_Or:
- return afb_auth_check(auth->first, xreq) || afb_auth_check(auth->next, xreq);
+ return afb_auth_check(xreq, auth->first) || afb_auth_check(xreq, auth->next);
case afb_auth_And:
- return afb_auth_check(auth->first, xreq) && afb_auth_check(auth->next, xreq);
+ return afb_auth_check(xreq, auth->first) && afb_auth_check(xreq, auth->next);
case afb_auth_Not:
- return !afb_auth_check(auth->first, xreq);
+ return !afb_auth_check(xreq, auth->first);
case afb_auth_Yes:
return 1;
}
}
+/*********************************************************************************/
#ifdef BACKEND_PERMISSION_IS_CYNARA
+
+#include <pthread.h>
#include <cynara-client.h>
-static int check_permission(const char *permission, struct afb_xreq *xreq)
+
+static cynara *handle;
+static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
+
+int afb_auth_has_permission(struct afb_xreq *xreq, const char *permission)
{
- static cynara *cynara;
- char uid[64];
int rc;
- if (!cynara) {
- rc = cynara_initialize(&cynara, NULL);
+ if (!xreq->cred) {
+ /* case of permission for self */
+ return 1;
+ }
+ if (!permission) {
+ ERROR("Got a null permission!");
+ return 0;
+ }
+
+ /* cynara isn't reentrant */
+ pthread_mutex_lock(&mutex);
+
+ /* lazy initialisation */
+ if (!handle) {
+ rc = cynara_initialize(&handle, NULL);
if (rc != CYNARA_API_SUCCESS) {
- cynara = NULL;
+ handle = NULL;
ERROR("cynara initialisation failed with code %d", rc);
return 0;
}
}
- rc = cynara_check(cynara, cred->label, afb_context_uuid(&xreq->context), xreq->cred->user, permission);
+
+ /* query cynara permission */
+ rc = cynara_check(handle, xreq->cred->label, afb_context_uuid(&xreq->context), xreq->cred->user, permission);
+
+ pthread_mutex_unlock(&mutex);
return rc == CYNARA_API_ACCESS_ALLOWED;
}
+
+/*********************************************************************************/
#else
-static int check_permission(const char *permission, struct afb_xreq *xreq)
+int afb_auth_has_permission(struct afb_xreq *xreq, const char *permission)
{
- WARNING("Granting permission %s by default", permission);
- return 1;
+ WARNING("Granting permission %s by default of backend", permission ?: "(null)");
+ return !!permission;
}
#endif
Code Review / src / app-framework-binder.git / blobdiff