X-Git-Url: https://gerrit.automotivelinux.org/gerrit/gitweb?p=src%2Fapp-framework-binder.git;a=blobdiff_plain;f=src%2Fafb-auth.c;h=0d58d6a2303a01f66f3b1503c33c15e9e70f32c5;hp=47a98d5a3591c4e8deb0840d0a5440ac076a6727;hb=65353dce81a629e042800bb7b86fcd869a76727e;hpb=24d000c2290126abf88204089d132229d63f9a05 diff --git a/src/afb-auth.c b/src/afb-auth.c index 47a98d5a..0d58d6a2 100644 --- a/src/afb-auth.c +++ b/src/afb-auth.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2016, 2017, 2018 "IoT.bzh" + * Copyright (C) 2015-2020 "IoT.bzh" * Author "Fulup Ar Foll" * Author José Bollo * @@ -22,15 +22,17 @@ #include #include -#include +#include +#if WITH_LEGACY_BINDING_V1 +#include +#endif #include "afb-auth.h" #include "afb-context.h" #include "afb-xreq.h" -#include "afb-cred.h" #include "verbose.h" -int afb_auth_check(struct afb_xreq *xreq, const struct afb_auth *auth) +int afb_auth_check(struct afb_context *context, const struct afb_auth *auth) { switch (auth->type) { default: @@ -38,78 +40,85 @@ int afb_auth_check(struct afb_xreq *xreq, const struct afb_auth *auth) return 0; case afb_auth_Token: - return afb_context_check(&xreq->context); + return afb_context_check(context); case afb_auth_LOA: - return afb_context_check_loa(&xreq->context, auth->loa); + return afb_context_check_loa(context, auth->loa); case afb_auth_Permission: - return afb_auth_has_permission(xreq, auth->text); + return afb_context_has_permission(context, auth->text); case afb_auth_Or: - return afb_auth_check(xreq, auth->first) || afb_auth_check(xreq, auth->next); + return afb_auth_check(context, auth->first) || afb_auth_check(context, auth->next); case afb_auth_And: - return afb_auth_check(xreq, auth->first) && afb_auth_check(xreq, auth->next); + return afb_auth_check(context, auth->first) && afb_auth_check(context, auth->next); case afb_auth_Not: - return !afb_auth_check(xreq, auth->first); + return !afb_auth_check(context, auth->first); case afb_auth_Yes: return 1; } } -/*********************************************************************************/ -#ifdef BACKEND_PERMISSION_IS_CYNARA -#include -#include +#if WITH_LEGACY_BINDING_V1 +int afb_auth_check_and_set_session_x1(struct afb_xreq *xreq, int sessionflags) +{ + int loa; -static cynara *handle; -static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER; + if ((sessionflags & (AFB_SESSION_CLOSE_X1|AFB_SESSION_CHECK_X1|AFB_SESSION_LOA_EQ_X1)) != 0) { + if (!afb_context_check(&xreq->context)) { + afb_context_close(&xreq->context); + return afb_xreq_reply_invalid_token(xreq); + } + } -int afb_auth_has_permission(struct afb_xreq *xreq, const char *permission) -{ - int rc; + if ((sessionflags & AFB_SESSION_LOA_GE_X1) != 0) { + loa = (sessionflags >> AFB_SESSION_LOA_SHIFT_X1) & AFB_SESSION_LOA_MASK_X1; + if (!afb_context_check_loa(&xreq->context, loa)) + return afb_xreq_reply_insufficient_scope(xreq, "invalid LOA"); + } - if (!xreq->cred) { - /* case of permission for self */ - return 1; + if ((sessionflags & AFB_SESSION_LOA_LE_X1) != 0) { + loa = (sessionflags >> AFB_SESSION_LOA_SHIFT_X1) & AFB_SESSION_LOA_MASK_X1; + if (afb_context_check_loa(&xreq->context, loa + 1)) + return afb_xreq_reply_insufficient_scope(xreq, "invalid LOA"); } - if (!permission) { - ERROR("Got a null permission!"); - return 0; + + if ((sessionflags & AFB_SESSION_CLOSE_X1) != 0) { + afb_context_change_loa(&xreq->context, 0); + afb_context_close(&xreq->context); } - /* cynara isn't reentrant */ - pthread_mutex_lock(&mutex); + return 1; +} +#endif - /* lazy initialisation */ - if (!handle) { - rc = cynara_initialize(&handle, NULL); - if (rc != CYNARA_API_SUCCESS) { - handle = NULL; - ERROR("cynara initialisation failed with code %d", rc); - return 0; +int afb_auth_check_and_set_session_x2(struct afb_xreq *xreq, const struct afb_auth *auth, uint32_t sessionflags) +{ + int loa; + + if (sessionflags != 0) { + if (!afb_context_check(&xreq->context)) { + afb_context_close(&xreq->context); + return afb_xreq_reply_invalid_token(xreq); } } - /* query cynara permission */ - rc = cynara_check(handle, xreq->cred->label, afb_context_uuid(&xreq->context), xreq->cred->user, permission); + loa = (int)(sessionflags & AFB_SESSION_LOA_MASK_X2); + if (loa && !afb_context_check_loa(&xreq->context, loa)) + return afb_xreq_reply_insufficient_scope(xreq, "invalid LOA"); - pthread_mutex_unlock(&mutex); - return rc == CYNARA_API_ACCESS_ALLOWED; -} + if (auth && !afb_auth_check(&xreq->context, auth)) + return afb_xreq_reply_insufficient_scope(xreq, NULL /* TODO */); -/*********************************************************************************/ -#else -int afb_auth_has_permission(struct afb_xreq *xreq, const char *permission) -{ - WARNING("Granting permission %s by default of backend", permission ?: "(null)"); - return !!permission; + if ((sessionflags & AFB_SESSION_CLOSE_X2) != 0) + afb_context_close(&xreq->context); + + return 1; } -#endif /*********************************************************************************/ @@ -176,21 +185,21 @@ static struct json_object *addauth_or_array(struct json_object *o, const struct return o; } -struct json_object *afb_auth_json_v2(const struct afb_auth *auth, int session) +struct json_object *afb_auth_json_x2(const struct afb_auth *auth, uint32_t session) { struct json_object *result = NULL; - if (session & AFB_SESSION_CLOSE_V2) + if (session & AFB_SESSION_CLOSE_X2) result = addperm_key_valstr(result, "session", "close"); - if (session & AFB_SESSION_CHECK_V2) + if (session & AFB_SESSION_CHECK_X2) result = addperm_key_valstr(result, "session", "check"); - if (session & AFB_SESSION_REFRESH_V2) + if (session & AFB_SESSION_REFRESH_X2) result = addperm_key_valstr(result, "token", "refresh"); - if (session & AFB_SESSION_LOA_MASK_V2) - result = addperm_key_valint(result, "LOA", session & AFB_SESSION_LOA_MASK_V2); + if (session & AFB_SESSION_LOA_MASK_X2) + result = addperm_key_valint(result, "LOA", session & AFB_SESSION_LOA_MASK_X2); if (auth) result = addauth(result, auth); @@ -198,3 +207,21 @@ struct json_object *afb_auth_json_v2(const struct afb_auth *auth, int session) return result; } + +#if WITH_LEGACY_BINDING_V1 +struct json_object *afb_auth_json_x1(int session) +{ + struct json_object *result = NULL; + + if (session & AFB_SESSION_CLOSE_X1) + result = addperm_key_valstr(result, "session", "close"); + if (session & AFB_SESSION_CHECK_X1) + result = addperm_key_valstr(result, "session", "check"); + if (session & AFB_SESSION_RENEW_X1) + result = addperm_key_valstr(result, "token", "refresh"); + if (session & AFB_SESSION_LOA_MASK_X1) + result = addperm_key_valint(result, "LOA", (session >> AFB_SESSION_LOA_SHIFT_X1) & AFB_SESSION_LOA_MASK_X1); + + return result; +} +#endif