/*
- * Copyright (C) 2017, 2018 "IoT.bzh"
+ * Copyright (C) 2017-2019 "IoT.bzh"
* Author: José Bollo <jose.bollo@iot.bzh>
*
* Licensed under the Apache License, Version 2.0 (the "License");
#include <stdlib.h>
#include <stdio.h>
+#include <stdint.h>
#include <unistd.h>
#include <string.h>
#include <errno.h>
#include <sys/socket.h>
#include "afb-cred.h"
+#include "afb-context.h"
+#include "afb-token.h"
#include "verbose.h"
-
#define MAX_LABEL_LENGTH 1024
#if !defined(NO_DEFAULT_PEERCRED) && !defined(ADD_DEFAULT_PEERCRED)
# define DEFAULT_PEERCRED_PID 0 /* no process */
#endif
-static char on_behalf_credential_permission[] = "urn:AGL:permission:*:partner:on-behalf-credentials";
static char export_format[] = "%x:%x:%x-%s";
static char import_format[] = "%x:%x:%x-%n";
void afb_cred_unref(struct afb_cred *cred)
{
if (cred && !__atomic_sub_fetch(&cred->refcount, 1, __ATOMIC_RELAXED)) {
- if (cred != current)
- free(cred);
- else
+ if (cred == current)
cred->refcount = 1;
+ else {
+ free((void*)cred->exported);
+ free(cred);
+ }
}
}
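Review bot: The new else branch frees `cred->exported` through a `(void*)` cast that discards const, which is only correct if every afb_cred owns a heap copy of that string; nothing in this hunk shows where it is allocated, so the ownership should be stated on the field's declaration, e.g. `/* heap string owned by this cred; released in afb_cred_unref */`. free(NULL) is a no-op, so creds that were never exported are fine as long as the field is zero-initialised at construction — worth confirming in the allocator. As a style point, the if-arm is unbraced while the else-arm is braced; brace both: `if (cred == current) {` / `cred->refcount = 1;` / `} else {`.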
return cred;
}
-struct afb_cred *afb_cred_mixed_on_behalf_import(struct afb_cred *cred, const char *context, const char *exported)
-
+/*********************************************************************************/
+static const char *token_of_context(struct afb_context *context)
{
- struct afb_cred *imported;
- if (exported) {
- if (afb_cred_has_permission(cred, on_behalf_credential_permission, context)) {
- imported = afb_cred_import(exported);
- if (imported)
- return imported;
- ERROR("Can't import on behalf credentials: %m");
- } else {
- ERROR("On behalf credentials refused");
- }
- }
- return afb_cred_addref(cred);
+ return context && context->token ? afb_token_string(context->token) : "X";
}
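Review bot: token_of_context falls back to the bare literal "X" when the context or its token is missing, and that value is then passed straight into the cynara_check call in afb_cred_has_permission below, where the old code passed "" for a missing context. A magic sentinel feeding an authorization query deserves a name and a comment, e.g. `static const char no_token_session[] = "X"; /* cynara session id used when the context carries no token */`, and a sentence on whether policies are expected to match on it. Replacing "" with "X" is a behaviour change for any policy that keyed on the empty session; if that is intended, it belongs in the commit message.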
/*********************************************************************************/
static cynara *handle;
static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
-int afb_cred_has_permission(struct afb_cred *cred, const char *permission, const char *context)
+int afb_cred_has_permission(struct afb_cred *cred, const char *permission, struct afb_context *context)
{
int rc;
}
/* query cynara permission */
- rc = cynara_check(handle, cred->label, context ?: "", cred->user, permission);
+ rc = cynara_check(handle, cred->label, token_of_context(context), cred->user, permission);
pthread_mutex_unlock(&mutex);
return rc == CYNARA_API_ACCESS_ALLOWED;
/*********************************************************************************/
#else
-int afb_cred_has_permission(struct afb_cred *cred, const char *permission, const char *context)
+int afb_cred_has_permission(struct afb_cred *cred, const char *permission, struct afb_context *context)
{
WARNING("Granting permission %s by default of backend", permission ?: "(null)");
return !!permission;