X-Git-Url: https://gerrit.automotivelinux.org/gerrit/gitweb?a=blobdiff_plain;f=src%2Fafb-auth.c;h=2f5daf0cf6163adeaa89fc93d26a8553668d5d31;hb=e51d68ddc998f558507217e3c849b16ce94c068f;hp=fc62bd594cb5d04fc53b3faadef11cc7e0a239ac;hpb=1d24a50bda149604760cdc1fd53f65b988c61f0c;p=src%2Fapp-framework-binder.git diff --git a/src/afb-auth.c b/src/afb-auth.c index fc62bd59..2f5daf0c 100644 --- a/src/afb-auth.c +++ b/src/afb-auth.c @@ -17,7 +17,6 @@ */ #define _GNU_SOURCE -#define AFB_BINDING_PRAGMA_NO_VERBOSE_MACRO #include @@ -26,11 +25,10 @@ #include "afb-auth.h" #include "afb-context.h" #include "afb-xreq.h" +#include "afb-cred.h" #include "verbose.h" -static int check_permission(const char *permission, struct afb_xreq *xreq); - -int afb_auth_check(const struct afb_auth *auth, struct afb_xreq *xreq) +int afb_auth_check(struct afb_xreq *xreq, const struct afb_auth *auth) { switch (auth->type) { default: @@ -44,46 +42,70 @@ int afb_auth_check(const struct afb_auth *auth, struct afb_xreq *xreq) return afb_context_check_loa(&xreq->context, auth->loa); case afb_auth_Permission: - return xreq->cred && auth->text && check_permission(auth->text, xreq); + return afb_auth_has_permission(xreq, auth->text); case afb_auth_Or: - return afb_auth_check(auth->first, xreq) || afb_auth_check(auth->next, xreq); + return afb_auth_check(xreq, auth->first) || afb_auth_check(xreq, auth->next); case afb_auth_And: - return afb_auth_check(auth->first, xreq) && afb_auth_check(auth->next, xreq); + return afb_auth_check(xreq, auth->first) && afb_auth_check(xreq, auth->next); case afb_auth_Not: - return !afb_auth_check(auth->first, xreq); + return !afb_auth_check(xreq, auth->first); case afb_auth_Yes: return 1; } } +/*********************************************************************************/ #ifdef BACKEND_PERMISSION_IS_CYNARA + +#include #include -static int check_permission(const char *permission, struct afb_xreq *xreq) + +static cynara *handle; +static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER; + +int afb_auth_has_permission(struct afb_xreq *xreq, const char *permission) { - static cynara *cynara; - char uid[64]; int rc; - if (!cynara) { - rc = cynara_initialize(&cynara, NULL); + if (!xreq->cred) { + /* case of permission for self */ + return 1; + } + if (!permission) { + ERROR("Got a null permission!"); + return 0; + } + + /* cynara isn't reentrant */ + pthread_mutex_lock(&mutex); + + /* lazy initialisation */ + if (!handle) { + rc = cynara_initialize(&handle, NULL); if (rc != CYNARA_API_SUCCESS) { - cynara = NULL; + handle = NULL; ERROR("cynara initialisation failed with code %d", rc); return 0; } } - rc = cynara_check(cynara, cred->label, afb_context_uuid(&xreq->context), xreq->cred->user, permission); + + /* query cynara permission */ + rc = cynara_check(handle, xreq->cred->label, afb_context_uuid(&xreq->context), xreq->cred->user, permission); + + pthread_mutex_unlock(&mutex); return rc == CYNARA_API_ACCESS_ALLOWED; } + +/*********************************************************************************/ #else -static int check_permission(const char *permission, struct afb_xreq *xreq) +int afb_auth_has_permission(struct afb_xreq *xreq, const char *permission) { - WARNING("Granting permission %s by default", permission); - return 1; + WARNING("Granting permission %s by default of backend", permission ?: "(null)"); + return !!permission; } #endif