*/
enum afb_auth_type
{
- afb_auth_No = 0,
- afb_auth_Permission,
- afb_auth_Or,
- afb_auth_And,
- afb_auth_Yes
+ afb_auth_No = 0, /** never authorized, no data */
+ afb_auth_Token, /** authorized if token valid, no data */
+ afb_auth_LOA, /** authorized if LOA greater than data 'loa' */
+ afb_auth_Permission, /** authorized if permission 'text' is granted */
+ afb_auth_Or, /** authorized if 'first' or 'next' is authorized */
+ afb_auth_And, /** authorized if 'first' and 'next' are authorized */
+ afb_auth_Not, /** authorized if 'first' is not authorized */
+ afb_auth_Yes /** always authorized, no data */
};
-struct afb_auth_desc
+struct afb_auth
{
- enum afb_auth_type type;
+ const enum afb_auth_type type;
union {
const char *text;
- struct afb_auth_desc *child[2];
+ const unsigned loa;
+ const struct afb_auth *first;
};
+ const struct afb_auth *next;
};
{
const char *verb; /* name of the verb */
void (*callback)(struct afb_req req); /* callback function implementing the verb */
- struct afb_auth *auth; /* required authorisation */
+ const struct afb_auth *auth; /* required authorisation */
uint32_t session; /* authorisation and session requirements of the verb */
};
afb-api-so-v2.c
afb-api-ws.c
afb-apiset.c
+ afb-auth.c
afb-common.c
afb-config.c
afb-context.c
--- /dev/null
+/*
+ * Copyright (C) 2016, 2017 "IoT.bzh"
+ * Author "Fulup Ar Foll"
+ * Author José Bollo <jose.bollo@iot.bzh>
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#define _GNU_SOURCE
+#define AFB_BINDING_PRAGMA_NO_VERBOSE_MACRO
+
+#include <stdlib.h>
+
+#include <afb/afb-auth.h>
+
+#include "afb-auth.h"
+#include "afb-context.h"
+#include "afb-xreq.h"
+#include "verbose.h"
+
+static int check_permission(const char *permission, struct afb_xreq *xreq);
+
+int afb_auth_check(const struct afb_auth *auth, struct afb_xreq *xreq)
+{
+ switch (auth->type) {
+ default:
+ case afb_auth_No:
+ return 0;
+
+ case afb_auth_Token:
+ return afb_context_check(&xreq->context);
+
+ case afb_auth_LOA:
+ return afb_context_check_loa(&xreq->context, auth->loa);
+
+ case afb_auth_Permission:
+ return xreq->cred && auth->text && check_permission(auth->text, xreq);
+
+ case afb_auth_Or:
+ return afb_auth_check(auth->first, xreq) || afb_auth_check(auth->next, xreq);
+
+ case afb_auth_And:
+ return afb_auth_check(auth->first, xreq) && afb_auth_check(auth->next, xreq);
+
+ case afb_auth_Not:
+ return !afb_auth_check(auth->first, xreq);
+
+ case afb_auth_Yes:
+ return 1;
+ }
+}
+
+#ifdef BACKEND_PERMISSION_IS_CYNARA
+#include <cynara-client.h>
+static int check_permission(const char *permission, struct afb_xreq *xreq)
+{
+ static cynara *cynara;
+ char uid[64];
+ int rc;
+
+ if (!cynara) {
+ rc = cynara_initialize(&cynara, NULL);
+ if (rc != CYNARA_API_SUCCESS) {
+ cynara = NULL;
+ ERROR("cynara initialisation failed with code %d", rc);
+ return 0;
+ }
+ }
+ rc = cynara_check(cynara, cred->label, afb_context_uuid(&xreq->context), xreq->cred->user, permission);
+ return rc == CYNARA_API_ACCESS_ALLOWED;
+}
+#else
+static int check_permission(const char *permission, struct afb_xreq *xreq)
+{
+ WARNING("Granting permission %s by default", permission);
+ return 1;
+}
+#endif
+
--- /dev/null
+/*
+ * Copyright (C) 2016, 2017 "IoT.bzh"
+ * Author: José Bollo <jose.bollo@iot.bzh>
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#pragma once
+
+struct afb_auth;
+struct afb_xreq;
+
+extern int afb_auth_check(const struct afb_auth *auth, struct afb_xreq *xreq);
#include "afb-hook.h"
#include "afb-api.h"
#include "afb-apiset.h"
+#include "afb-auth.h"
#include "jobs.h"
#include "verbose.h"
afb_req_subcall(to_req(xreq), api, verb, args, callback, cb_closure);
}
-static int xreq_session_check_apply(struct afb_xreq *xreq, int sessionflags)
+static int xreq_session_check_apply(struct afb_xreq *xreq, int sessionflags, const struct afb_auth *auth)
{
int loa;
if ((sessionflags & (AFB_SESSION_CLOSE|AFB_SESSION_RENEW|AFB_SESSION_CHECK|AFB_SESSION_LOA_EQ)) != 0) {
if (!afb_context_check(&xreq->context)) {
afb_context_close(&xreq->context);
- afb_xreq_fail_f(xreq, "failed", "invalid token's identity");
+ afb_xreq_fail_f(xreq, "denied", "invalid token's identity");
errno = EINVAL;
return -1;
}
if ((sessionflags & AFB_SESSION_LOA_GE) != 0) {
loa = (sessionflags >> AFB_SESSION_LOA_SHIFT) & AFB_SESSION_LOA_MASK;
if (!afb_context_check_loa(&xreq->context, loa)) {
- afb_xreq_fail_f(xreq, "failed", "invalid LOA");
+ afb_xreq_fail_f(xreq, "denied", "invalid LOA");
errno = EPERM;
return -1;
}
if ((sessionflags & AFB_SESSION_LOA_LE) != 0) {
loa = (sessionflags >> AFB_SESSION_LOA_SHIFT) & AFB_SESSION_LOA_MASK;
if (afb_context_check_loa(&xreq->context, loa + 1)) {
- afb_xreq_fail_f(xreq, "failed", "invalid LOA");
+ afb_xreq_fail_f(xreq, "denied", "invalid LOA");
errno = EPERM;
return -1;
}
}
+ if (auth && !afb_auth_check(auth, xreq)) {
+ afb_xreq_fail_f(xreq, "denied", "authorisation refused");
+ errno = EPERM;
+ return -1;
+ }
+
if ((sessionflags & AFB_SESSION_RENEW) != 0) {
afb_context_refresh(&xreq->context);
}
if (!verb)
afb_xreq_fail_unknown_verb(xreq);
else
- if (!xreq_session_check_apply(xreq, verb->session))
+ if (!xreq_session_check_apply(xreq, verb->session, NULL))
verb->callback(to_req(xreq));
}
if (!verb)
afb_xreq_fail_unknown_verb(xreq);
else
- if (!xreq_session_check_apply(xreq, verb->session))
+ if (!xreq_session_check_apply(xreq, verb->session, verb->auth))
verb->callback(to_req(xreq));
}