implement authorisation check
[src/app-framework-binder.git] / src / afb-xreq.c
index cf98222..b964b10 100644 (file)
@@ -16,7 +16,7 @@
  */
 
 #define _GNU_SOURCE
-#define NO_BINDING_VERBOSE_MACRO
+#define AFB_BINDING_PRAGMA_NO_VERBOSE_MACRO
 
 #include <stdlib.h>
 #include <string.h>
 #include "afb-msg-json.h"
 #include "afb-subcall.h"
 #include "afb-hook.h"
+#include "afb-api.h"
+#include "afb-apiset.h"
+#include "afb-auth.h"
+#include "jobs.h"
 #include "verbose.h"
 
 
 static struct json_object *xreq_json_cb(void *closure)
 {
        struct afb_xreq *xreq = closure;
-       return xreq->json ? : (xreq->json = xreq->queryitf->json(xreq->query));
+       return xreq->json ? : (xreq->json = xreq->queryitf->json(xreq));
 }
 
 static struct afb_arg xreq_get_cb(void *closure, const char *name)
 {
        struct afb_xreq *xreq = closure;
        if (xreq->queryitf->get)
-               return xreq->queryitf->get(xreq->query, name);
+               return xreq->queryitf->get(xreq, name);
        else
                return afb_msg_json_get_arg(xreq_json_cb(closure), name);
 }
@@ -59,9 +63,9 @@ static void xreq_success_cb(void *closure, struct json_object *obj, const char *
        } else {
                xreq->replied = 1;
                if (xreq->queryitf->success)
-                       xreq->queryitf->success(xreq->query, obj, info);
+                       xreq->queryitf->success(xreq, obj, info);
                else
-                       xreq->queryitf->reply(xreq->query, 0, afb_msg_json_reply_ok(info, obj, &xreq->context, NULL));
+                       xreq->queryitf->reply(xreq, 0, afb_msg_json_reply_ok(info, obj, &xreq->context, NULL));
        }
 }
 
@@ -74,9 +78,9 @@ static void xreq_fail_cb(void *closure, const char *status, const char *info)
        } else {
                xreq->replied = 1;
                if (xreq->queryitf->fail)
-                       xreq->queryitf->fail(xreq->query, status, info);
+                       xreq->queryitf->fail(xreq, status, info);
                else
-                       xreq->queryitf->reply(xreq->query, 1, afb_msg_json_reply_error(status, info, &xreq->context, NULL));
+                       xreq->queryitf->reply(xreq, 1, afb_msg_json_reply_error(status, info, &xreq->context, NULL));
        }
 }
 
@@ -120,7 +124,7 @@ static void xreq_unref_cb(void *closure)
 {
        struct afb_xreq *xreq = closure;
        if (!__atomic_sub_fetch(&xreq->refcount, 1, __ATOMIC_RELAXED)) {
-               xreq->queryitf->unref(xreq->query);
+               xreq->queryitf->unref(xreq);
        }
 }
 
@@ -147,7 +151,7 @@ int afb_xreq_subscribe(struct afb_xreq *xreq, struct afb_event event)
        if (xreq->listener)
                return afb_evt_add_watch(xreq->listener, event);
        if (xreq->queryitf->subscribe)
-               return xreq->queryitf->subscribe(xreq->query, event);
+               return xreq->queryitf->subscribe(xreq, event);
        ERROR("no event listener, subscription impossible");
        errno = EINVAL;
        return -1;
@@ -164,7 +168,7 @@ int afb_xreq_unsubscribe(struct afb_xreq *xreq, struct afb_event event)
        if (xreq->listener)
                return afb_evt_remove_watch(xreq->listener, event);
        if (xreq->queryitf->unsubscribe)
-               return xreq->queryitf->unsubscribe(xreq->query, event);
+               return xreq->queryitf->unsubscribe(xreq, event);
        ERROR("no event listener, unsubscription impossible");
        errno = EINVAL;
        return -1;
@@ -175,7 +179,7 @@ static void xreq_subcall_cb(void *closure, const char *api, const char *verb, st
        struct afb_xreq *xreq = closure;
 
        if (xreq->queryitf->subcall)
-               xreq->queryitf->subcall(xreq->query, api, verb, args, callback, cb_closure);
+               xreq->queryitf->subcall(xreq, api, verb, args, callback, cb_closure);
        else
                afb_subcall(xreq, api, verb, args, callback, cb_closure);
 }
@@ -256,7 +260,7 @@ static void xreq_hooked_unref_cb(void *closure)
        afb_hook_xreq_unref(xreq);
        if (!__atomic_sub_fetch(&xreq->refcount, 1, __ATOMIC_RELAXED)) {
                afb_hook_xreq_end(xreq);
-               xreq->queryitf->unref(xreq->query);
+               xreq->queryitf->unref(xreq);
        }
 }
 
@@ -372,6 +376,11 @@ static inline struct afb_req to_req(struct afb_xreq *xreq)
        return (struct afb_req){ .itf = xreq->hookflags ? &xreq_hooked_itf : &xreq_itf, .closure = xreq };
 }
 
+struct json_object *afb_xreq_json(struct afb_xreq *xreq)
+{
+       return afb_req_json(to_req(xreq));
+}
+
 void afb_xreq_success(struct afb_xreq *xreq, struct json_object *obj, const char *info)
 {
        afb_req_success(to_req(xreq), obj, info);
@@ -431,62 +440,124 @@ void afb_xreq_subcall(struct afb_xreq *xreq, const char *api, const char *verb,
        afb_req_subcall(to_req(xreq), api, verb, args, callback, cb_closure);
 }
 
-static int xcheck(struct afb_xreq *xreq, int sessionflags)
+static int xreq_session_check_apply(struct afb_xreq *xreq, int sessionflags, const struct afb_auth *auth)
 {
-       if ((sessionflags & (AFB_SESSION_CREATE|AFB_SESSION_CLOSE|AFB_SESSION_RENEW|AFB_SESSION_CHECK|AFB_SESSION_LOA_EQ)) != 0) {
+       int loa;
+
+       if ((sessionflags & (AFB_SESSION_CLOSE|AFB_SESSION_RENEW|AFB_SESSION_CHECK|AFB_SESSION_LOA_EQ)) != 0) {
                if (!afb_context_check(&xreq->context)) {
                        afb_context_close(&xreq->context);
-                       afb_xreq_fail_f(xreq, "failed", "invalid token's identity");
-                       return 0;
+                       afb_xreq_fail_f(xreq, "denied", "invalid token's identity");
+                       errno = EINVAL;
+                       return -1;
                }
        }
 
-       if ((sessionflags & AFB_SESSION_CREATE) != 0) {
-               if (afb_context_check_loa(&xreq->context, 1)) {
-                       afb_xreq_fail_f(xreq, "failed", "invalid creation state");
-                       return 0;
+       if ((sessionflags & AFB_SESSION_LOA_GE) != 0) {
+               loa = (sessionflags >> AFB_SESSION_LOA_SHIFT) & AFB_SESSION_LOA_MASK;
+               if (!afb_context_check_loa(&xreq->context, loa)) {
+                       afb_xreq_fail_f(xreq, "denied", "invalid LOA");
+                       errno = EPERM;
+                       return -1;
                }
-               afb_context_change_loa(&xreq->context, 1);
-               afb_context_refresh(&xreq->context);
        }
 
-       if ((sessionflags & (AFB_SESSION_CREATE | AFB_SESSION_RENEW)) != 0)
-               afb_context_refresh(&xreq->context);
+       if ((sessionflags & AFB_SESSION_LOA_LE) != 0) {
+               loa = (sessionflags >> AFB_SESSION_LOA_SHIFT) & AFB_SESSION_LOA_MASK;
+               if (afb_context_check_loa(&xreq->context, loa + 1)) {
+                       afb_xreq_fail_f(xreq, "denied", "invalid LOA");
+                       errno = EPERM;
+                       return -1;
+               }
+       }
 
+       if (auth && !afb_auth_check(auth, xreq)) {
+               afb_xreq_fail_f(xreq, "denied", "authorisation refused");
+               errno = EPERM;
+               return -1;
+       }
+
+       if ((sessionflags & AFB_SESSION_RENEW) != 0) {
+               afb_context_refresh(&xreq->context);
+       }
        if ((sessionflags & AFB_SESSION_CLOSE) != 0) {
                afb_context_change_loa(&xreq->context, 0);
                afb_context_close(&xreq->context);
        }
 
-       if ((sessionflags & AFB_SESSION_LOA_GE) != 0) {
-               int loa = (sessionflags >> AFB_SESSION_LOA_SHIFT) & AFB_SESSION_LOA_MASK;
-               if (!afb_context_check_loa(&xreq->context, loa)) {
-                       afb_xreq_fail_f(xreq, "failed", "invalid LOA");
-                       return 0;
-               }
-       }
+       return 0;
+}
 
-       if ((sessionflags & AFB_SESSION_LOA_LE) != 0) {
-               int loa = (sessionflags >> AFB_SESSION_LOA_SHIFT) & AFB_SESSION_LOA_MASK;
-               if (afb_context_check_loa(&xreq->context, loa + 1)) {
-                       afb_xreq_fail_f(xreq, "failed", "invalid LOA");
-                       return 0;
-               }
-       }
-       return 1;
+void afb_xreq_call_verb_v1(struct afb_xreq *xreq, const struct afb_verb_desc_v1 *verb)
+{
+       if (!verb)
+               afb_xreq_fail_unknown_verb(xreq);
+       else
+               if (!xreq_session_check_apply(xreq, verb->session, NULL))
+                       verb->callback(to_req(xreq));
+}
+
+void afb_xreq_call_verb_v2(struct afb_xreq *xreq, const struct afb_verb_v2 *verb)
+{
+       if (!verb)
+               afb_xreq_fail_unknown_verb(xreq);
+       else
+               if (!xreq_session_check_apply(xreq, verb->session, verb->auth))
+                       verb->callback(to_req(xreq));
+}
+
+void afb_xreq_init(struct afb_xreq *xreq, const struct afb_xreq_query_itf *queryitf)
+{
+       memset(xreq, 0, sizeof *xreq);
+       xreq->refcount = 1;
+       xreq->queryitf = queryitf;
 }
 
-void afb_xreq_call(struct afb_xreq *xreq, int sessionflags, void (*method)(struct afb_req req))
+void afb_xreq_fail_unknown_api(struct afb_xreq *xreq)
 {
-       if (xcheck(xreq, sessionflags))
-               method(to_req(xreq));
+       afb_xreq_fail_f(xreq, "unknown-api", "api %s not found (for verb %s)", xreq->api, xreq->verb);
 }
 
-void afb_xreq_begin(struct afb_xreq *xreq)
+void afb_xreq_fail_unknown_verb(struct afb_xreq *xreq)
 {
-       afb_hook_init_xreq(xreq);
-       if (xreq->hookflags)
-               afb_hook_xreq_begin(xreq);
+       afb_xreq_fail_f(xreq, "unknown-verb", "verb %s unknown within api %s", xreq->verb, xreq->api);
 }
 
+static void process_async(int signum, void *arg)
+{
+       struct afb_xreq *xreq = arg;
+       struct afb_api api;
+
+       if (signum != 0) {
+               afb_xreq_fail_f(xreq, "aborted", "signal %s(%d) caught", strsignal(signum), signum);
+       } else {
+               /* init hooking */
+               afb_hook_init_xreq(xreq);
+               if (xreq->hookflags)
+                       afb_hook_xreq_begin(xreq);
+
+               /* search the api */
+               if (afb_apiset_get(xreq->apiset, xreq->api, &api) < 0) {
+                       afb_xreq_fail_f(xreq, "unknown-api", "api %s not found", xreq->api);
+               } else {
+                       xreq->context.api_key = api.closure;
+                       api.itf->call(api.closure, xreq);
+               }
+       }
+       afb_xreq_unref(xreq);
+}
+
+void afb_xreq_process(struct afb_xreq *xreq, struct afb_apiset *apiset)
+{
+       xreq->apiset = apiset;
+
+       afb_xreq_addref(xreq);
+       if (jobs_queue(NULL, afb_apiset_timeout_get(apiset), process_async, xreq) < 0) {
+               /* TODO: allows or not to proccess it directly as when no threading? (see above) */
+               ERROR("can't process job with threads: %m");
+               afb_xreq_fail_f(xreq, "cancelled", "not able to create a job for the task");
+               afb_xreq_unref(xreq);
+       }
+       afb_xreq_unref(xreq);
+}