X-Git-Url: https://gerrit.automotivelinux.org/gerrit/gitweb?a=blobdiff_plain;f=src%2Fafb-cred.c;h=b7b3175e4082c48121f95df519ae2c9ad0ab818a;hb=4521c1e7ae5371ab9d639adc617d17fb4e8ded0c;hp=f09d444156ec3da4565643316e04632da57bebbf;hpb=63682b4da9d3e892d1d0a671de860adc43068142;p=src%2Fapp-framework-binder.git diff --git a/src/afb-cred.c b/src/afb-cred.c index f09d4441..b7b3175e 100644 --- a/src/afb-cred.c +++ b/src/afb-cred.c @@ -18,6 +18,7 @@ #define _GNU_SOURCE #include +#include #include #include #include @@ -26,6 +27,8 @@ #include #include "afb-cred.h" +#include "verbose.h" + #define MAX_LABEL_LENGTH 1024 @@ -46,6 +49,10 @@ # define DEFAULT_PEERCRED_PID 0 /* no process */ #endif +static char on_behalf_credential_permission[] = "urn:AGL:permission:*:partner:on-behalf-credentials"; +static char export_format[] = "%x:%x:%x-%s"; +static char import_format[] = "%x:%x:%x-%n"; + static struct afb_cred *current; static struct afb_cred *mkcred(uid_t uid, gid_t gid, pid_t pid, const char *label, size_t size) @@ -70,6 +77,7 @@ static struct afb_cred *mkcred(uid_t uid, gid_t gid, pid_t pid, const char *labe cred->uid = uid; cred->gid = gid; cred->pid = pid; + cred->exported = NULL; dest = (char*)(&cred[1]); cred->user = dest; while(i) @@ -175,3 +183,105 @@ struct afb_cred *afb_cred_current() return afb_cred_addref(current); } +const char *afb_cred_export(struct afb_cred *cred) +{ + int rc; + + if (!cred->exported) { + rc = asprintf((char**)&cred->exported, + export_format, + (int)cred->uid, + (int)cred->gid, + (int)cred->pid, + cred->label); + if (rc < 0) { + errno = ENOMEM; + cred->exported = NULL; + } + } + return cred->exported; +} + +struct afb_cred *afb_cred_import(const char *string) +{ + struct afb_cred *cred; + int rc, uid, gid, pid, pos; + + rc = sscanf(string, import_format, &uid, &gid, &pid, &pos); + if (rc == 3) + cred = afb_cred_create((uid_t)uid, (gid_t)gid, (pid_t)pid, &string[pos]); + else { + errno = EINVAL; + cred = NULL; + } + return cred; +} + +struct afb_cred *afb_cred_mixed_on_behalf_import(struct afb_cred *cred, const char *context, const char *exported) + +{ + struct afb_cred *imported; + if (exported) { + if (afb_cred_has_permission(cred, on_behalf_credential_permission, context)) { + imported = afb_cred_import(exported); + if (imported) + return imported; + ERROR("Can't import on behalf credentials: %m"); + } else { + ERROR("On behalf credentials refused"); + } + } + return afb_cred_addref(cred); +} + +/*********************************************************************************/ +#ifdef BACKEND_PERMISSION_IS_CYNARA + +#include +#include + +static cynara *handle; +static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER; + +int afb_cred_has_permission(struct afb_cred *cred, const char *permission, const char *context) +{ + int rc; + + if (!cred) { + /* case of permission for self */ + return 1; + } + if (!permission) { + ERROR("Got a null permission!"); + return 0; + } + + /* cynara isn't reentrant */ + pthread_mutex_lock(&mutex); + + /* lazy initialisation */ + if (!handle) { + rc = cynara_initialize(&handle, NULL); + if (rc != CYNARA_API_SUCCESS) { + handle = NULL; + ERROR("cynara initialisation failed with code %d", rc); + return 0; + } + } + + /* query cynara permission */ + rc = cynara_check(handle, cred->label, context ?: "", cred->user, permission); + + pthread_mutex_unlock(&mutex); + return rc == CYNARA_API_ACCESS_ALLOWED; +} + +/*********************************************************************************/ +#else +int afb_cred_has_permission(struct afb_cred *cred, const char *permission, const char *context) +{ + WARNING("Granting permission %s by default of backend", permission ?: "(null)"); + return !!permission; +} +#endif +