X-Git-Url: https://gerrit.automotivelinux.org/gerrit/gitweb?a=blobdiff_plain;f=src%2Fafb-cred.c;h=b6e6febae597d6a28f88cc1abb9291ede0634b01;hb=b70caad7da2eaea85db06dec8377b1cbebcec997;hp=b7b3175e4082c48121f95df519ae2c9ad0ab818a;hpb=4521c1e7ae5371ab9d639adc617d17fb4e8ded0c;p=src%2Fapp-framework-binder.git diff --git a/src/afb-cred.c b/src/afb-cred.c index b7b3175e..b6e6feba 100644 --- a/src/afb-cred.c +++ b/src/afb-cred.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2017, 2018 "IoT.bzh" + * Copyright (C) 2017-2019 "IoT.bzh" * Author: José Bollo * * Licensed under the Apache License, Version 2.0 (the "License"); @@ -19,6 +19,7 @@ #include #include +#include #include #include #include @@ -27,9 +28,10 @@ #include #include "afb-cred.h" +#include "afb-context.h" +#include "afb-token.h" #include "verbose.h" - #define MAX_LABEL_LENGTH 1024 #if !defined(NO_DEFAULT_PEERCRED) && !defined(ADD_DEFAULT_PEERCRED) @@ -49,7 +51,6 @@ # define DEFAULT_PEERCRED_PID 0 /* no process */ #endif -static char on_behalf_credential_permission[] = "urn:AGL:permission:*:partner:on-behalf-credentials"; static char export_format[] = "%x:%x:%x-%s"; static char import_format[] = "%x:%x:%x-%n"; @@ -169,10 +170,12 @@ struct afb_cred *afb_cred_addref(struct afb_cred *cred) void afb_cred_unref(struct afb_cred *cred) { if (cred && !__atomic_sub_fetch(&cred->refcount, 1, __ATOMIC_RELAXED)) { - if (cred != current) - free(cred); - else + if (cred == current) cred->refcount = 1; + else { + free((void*)cred->exported); + free(cred); + } } } @@ -217,21 +220,10 @@ struct afb_cred *afb_cred_import(const char *string) return cred; } -struct afb_cred *afb_cred_mixed_on_behalf_import(struct afb_cred *cred, const char *context, const char *exported) - +/*********************************************************************************/ +static const char *token_of_context(struct afb_context *context) { - struct afb_cred *imported; - if (exported) { - if (afb_cred_has_permission(cred, on_behalf_credential_permission, context)) { - imported = afb_cred_import(exported); - if (imported) - return imported; - ERROR("Can't import on behalf credentials: %m"); - } else { - ERROR("On behalf credentials refused"); - } - } - return afb_cred_addref(cred); + return context && context->token ? afb_token_string(context->token) : "X"; } /*********************************************************************************/ @@ -243,7 +235,7 @@ struct afb_cred *afb_cred_mixed_on_behalf_import(struct afb_cred *cred, const ch static cynara *handle; static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER; -int afb_cred_has_permission(struct afb_cred *cred, const char *permission, const char *context) +int afb_cred_has_permission(struct afb_cred *cred, const char *permission, struct afb_context *context) { int rc; @@ -270,7 +262,7 @@ int afb_cred_has_permission(struct afb_cred *cred, const char *permission, const } /* query cynara permission */ - rc = cynara_check(handle, cred->label, context ?: "", cred->user, permission); + rc = cynara_check(handle, cred->label, token_of_context(context), cred->user, permission); pthread_mutex_unlock(&mutex); return rc == CYNARA_API_ACCESS_ALLOWED; @@ -278,7 +270,7 @@ int afb_cred_has_permission(struct afb_cred *cred, const char *permission, const /*********************************************************************************/ #else -int afb_cred_has_permission(struct afb_cred *cred, const char *permission, const char *context) +int afb_cred_has_permission(struct afb_cred *cred, const char *permission, struct afb_context *context) { WARNING("Granting permission %s by default of backend", permission ?: "(null)"); return !!permission;