implement authorisation check

[src/app-framework-binder.git] / src / afb-xreq.c
diff --git a/src/afb-xreq.c b/src/afb-xreq.c

index 4850329..b964b10 100644 (file)
--- a/src/afb-xreq.c
+++ b/src/afb-xreq.c
@@ -16,7 +16,7 @@
   */
  
  #define _GNU_SOURCE
-#define NO_BINDING_VERBOSE_MACRO
+#define AFB_BINDING_PRAGMA_NO_VERBOSE_MACRO
  
  #include <stdlib.h>
  #include <string.h>
@@ -33,6 +33,7 @@
  #include "afb-hook.h"
  #include "afb-api.h"
  #include "afb-apiset.h"
+#include "afb-auth.h"
  #include "jobs.h"
  #include "verbose.h"
  
@@ -375,6 +376,11 @@ static inline struct afb_req to_req(struct afb_xreq *xreq)
         return (struct afb_req){ .itf = xreq->hookflags ? &xreq_hooked_itf : &xreq_itf, .closure = xreq };
  }
  
+struct json_object *afb_xreq_json(struct afb_xreq *xreq)
+{
+       return afb_req_json(to_req(xreq));
+}
+
  void afb_xreq_success(struct afb_xreq *xreq, struct json_object *obj, const char *info)
  {
         afb_req_success(to_req(xreq), obj, info);
@@ -434,62 +440,70 @@ void afb_xreq_subcall(struct afb_xreq *xreq, const char *api, const char *verb,
         afb_req_subcall(to_req(xreq), api, verb, args, callback, cb_closure);
  }
  
-static int xcheck(struct afb_xreq *xreq, int sessionflags)
+static int xreq_session_check_apply(struct afb_xreq *xreq, int sessionflags, const struct afb_auth *auth)
  {
-       if ((sessionflags & (AFB_SESSION_CREATE|AFB_SESSION_CLOSE|AFB_SESSION_RENEW|AFB_SESSION_CHECK|AFB_SESSION_LOA_EQ)) != 0) {
+       int loa;
+
+       if ((sessionflags & (AFB_SESSION_CLOSE|AFB_SESSION_RENEW|AFB_SESSION_CHECK|AFB_SESSION_LOA_EQ)) != 0) {
                 if (!afb_context_check(&xreq->context)) {
                         afb_context_close(&xreq->context);
-                       afb_xreq_fail_f(xreq, "failed", "invalid token's identity");
-                       return 0;
+                       afb_xreq_fail_f(xreq, "denied", "invalid token's identity");
+                       errno = EINVAL;
+                       return -1;
                 }
         }
  
-       if ((sessionflags & AFB_SESSION_CREATE) != 0) {
-               if (afb_context_check_loa(&xreq->context, 1)) {
-                       afb_xreq_fail_f(xreq, "failed", "invalid creation state");
-                       return 0;
-               }
-               afb_context_change_loa(&xreq->context, 1);
-               afb_context_refresh(&xreq->context);
-       }
-
-       if ((sessionflags & (AFB_SESSION_CREATE | AFB_SESSION_RENEW)) != 0)
-               afb_context_refresh(&xreq->context);
-
-       if ((sessionflags & AFB_SESSION_CLOSE) != 0) {
-               afb_context_change_loa(&xreq->context, 0);
-               afb_context_close(&xreq->context);
-       }
-
         if ((sessionflags & AFB_SESSION_LOA_GE) != 0) {
-               int loa = (sessionflags >> AFB_SESSION_LOA_SHIFT) & AFB_SESSION_LOA_MASK;
+               loa = (sessionflags >> AFB_SESSION_LOA_SHIFT) & AFB_SESSION_LOA_MASK;
                 if (!afb_context_check_loa(&xreq->context, loa)) {
-                       afb_xreq_fail_f(xreq, "failed", "invalid LOA");
-                       return 0;
+                       afb_xreq_fail_f(xreq, "denied", "invalid LOA");
+                       errno = EPERM;
+                       return -1;
                 }
         }
  
         if ((sessionflags & AFB_SESSION_LOA_LE) != 0) {
-               int loa = (sessionflags >> AFB_SESSION_LOA_SHIFT) & AFB_SESSION_LOA_MASK;
+               loa = (sessionflags >> AFB_SESSION_LOA_SHIFT) & AFB_SESSION_LOA_MASK;
                 if (afb_context_check_loa(&xreq->context, loa + 1)) {
-                       afb_xreq_fail_f(xreq, "failed", "invalid LOA");
-                       return 0;
+                       afb_xreq_fail_f(xreq, "denied", "invalid LOA");
+                       errno = EPERM;
+                       return -1;
                 }
         }
-       return 1;
+
+       if (auth && !afb_auth_check(auth, xreq)) {
+               afb_xreq_fail_f(xreq, "denied", "authorisation refused");
+               errno = EPERM;
+               return -1;
+       }
+
+       if ((sessionflags & AFB_SESSION_RENEW) != 0) {
+               afb_context_refresh(&xreq->context);
+       }
+       if ((sessionflags & AFB_SESSION_CLOSE) != 0) {
+               afb_context_change_loa(&xreq->context, 0);
+               afb_context_close(&xreq->context);
+       }
+
+       return 0;
  }
  
-void afb_xreq_so_call(struct afb_xreq *xreq, int sessionflags, void (*method)(struct afb_req req))
+void afb_xreq_call_verb_v1(struct afb_xreq *xreq, const struct afb_verb_desc_v1 *verb)
  {
-       if (xcheck(xreq, sessionflags))
-               method(to_req(xreq));
+       if (!verb)
+               afb_xreq_fail_unknown_verb(xreq);
+       else
+               if (!xreq_session_check_apply(xreq, verb->session, NULL))
+                       verb->callback(to_req(xreq));
  }
  
-void afb_xreq_begin(struct afb_xreq *xreq)
+void afb_xreq_call_verb_v2(struct afb_xreq *xreq, const struct afb_verb_v2 *verb)
  {
-       afb_hook_init_xreq(xreq);
-       if (xreq->hookflags)
-               afb_hook_xreq_begin(xreq);
+       if (!verb)
+               afb_xreq_fail_unknown_verb(xreq);
+       else
+               if (!xreq_session_check_apply(xreq, verb->session, verb->auth))
+                       verb->callback(to_req(xreq));
  }
  
  void afb_xreq_init(struct afb_xreq *xreq, const struct afb_xreq_query_itf *queryitf)
@@ -499,6 +513,15 @@ void afb_xreq_init(struct afb_xreq *xreq, const struct afb_xreq_query_itf *query
         xreq->queryitf = queryitf;
  }
  
+void afb_xreq_fail_unknown_api(struct afb_xreq *xreq)
+{
+       afb_xreq_fail_f(xreq, "unknown-api", "api %s not found (for verb %s)", xreq->api, xreq->verb);
+}
+
+void afb_xreq_fail_unknown_verb(struct afb_xreq *xreq)
+{
+       afb_xreq_fail_f(xreq, "unknown-verb", "verb %s unknown within api %s", xreq->verb, xreq->api);
+}
  
  static void process_async(int signum, void *arg)
  {