afb-context & afb-token: rework token validation

Validation of token is now linked to backend permission
database.

Bug-AGL: SPEC-2968

Signed-off-by: José Bollo <jose.bollo@iot.bzh>
Change-Id: I30b049f92b8324740abecbb9539f7413ad55f7ec

diff --git a/src/afb-context.c b/src/afb-context.c
index 5235707..3d6dee0 100644 (file)
--- a/src/afb-context.c
+++ b/src/afb-context.c
@@ -41,25 +41,6 @@ static void init_context(struct afb_context *context, struct afb_session *sessio
        context->api_key = NULL;
        context->token = afb_token_addref(token);
        context->credentials = afb_cred_addref(cred);
-
-       /* check the token */
-       if (token != NULL) {
-               if (afb_token_check(token))
-                       context->validated = 1;
-               else
-                       context->invalidated = 1;
-       }
-}
-
-void afb_context_init(struct afb_context *context, struct afb_session *session, struct afb_token *token, struct afb_cred *cred)
-{
-       init_context(context, afb_session_addref(session), token, cred);
-}
-
-void afb_context_init_validated(struct afb_context *context, struct afb_session *session, struct afb_token *token, struct afb_cred *cred)
-{
-       afb_context_init(context, session, token, cred);
-       context->validated = 1;
 }
 
 void afb_context_subinit(struct afb_context *context, struct afb_context *super)
@@ -72,6 +53,11 @@ void afb_context_subinit(struct afb_context *context, struct afb_context *super)
        context->credentials = afb_cred_addref(super->credentials);
 }
 
+void afb_context_init(struct afb_context *context, struct afb_session *session, struct afb_token *token, struct afb_cred *cred)
+{
+       init_context(context, afb_session_addref(session), token, cred);
+}
+
 int afb_context_connect(struct afb_context *context, const char *uuid, struct afb_token *token, struct afb_cred *cred)
 {
        int created;
@@ -95,6 +81,12 @@ int afb_context_connect_validated(struct afb_context *context, const char *uuid,
        return rc;
 }
 
+void afb_context_init_validated(struct afb_context *context, struct afb_session *session, struct afb_token *token, struct afb_cred *cred)
+{
+       afb_context_init(context, session, token, cred);
+       context->validated = 1;
+}
+
 void afb_context_disconnect(struct afb_context *context)
 {
        if (context->session && !context->super && context->closing && !context->closed) {
@@ -123,8 +115,6 @@ void afb_context_change_token(struct afb_context *context, struct afb_token *tok
 {
        struct afb_token *otoken = context->token;
        if (otoken != token) {
-               context->validated = 0;
-               context->invalidated = 0;
                context->token = afb_token_addref(token);
                afb_token_unref(otoken);
        }
@@ -203,14 +193,23 @@ void afb_context_close(struct afb_context *context)
 
 int afb_context_check(struct afb_context *context)
 {
-       if (context->super)
-               return afb_context_check(context);
-       return context->validated;
-}
+       int r;
 
-int afb_context_check_loa(struct afb_context *context, unsigned loa)
-{
-       return afb_context_get_loa(context) >= loa;
+       if (context->validated)
+               r = 1;
+       else if (context->invalidated)
+               r = 0;
+       else {
+               if (context->super)
+                       r = afb_context_check(context->super);
+               else
+                       r = afb_context_has_permission(context, afb_permission_token_valid);
+               if (r)
+                       context->validated = 1;
+               else
+                       context->invalidated = 1;
+       }
+       return r;
 }
 
 static inline const void *loa_key(struct afb_context *context)
@@ -230,10 +229,14 @@ static inline unsigned ptr2loa(void *ptr)
 
 int afb_context_change_loa(struct afb_context *context, unsigned loa)
 {
-       if (!context->validated || loa > 7) {
+       if (loa > 7) {
                errno = EINVAL;
                return -1;
        }
+       if (!afb_context_check(context)) {
+               errno = EPERM;
+               return -1;
+       }
 
        return afb_session_set_cookie(context->session, loa_key(context), loa2ptr(loa), NULL);
 }
@@ -243,3 +246,8 @@ unsigned afb_context_get_loa(struct afb_context *context)
        assert(context->session != NULL);
        return ptr2loa(afb_session_get_cookie(context->session, loa_key(context)));
 }
+
+int afb_context_check_loa(struct afb_context *context, unsigned loa)
+{
+       return afb_context_get_loa(context) >= loa;
+}

diff --git a/src/afb-permission-text.c b/src/afb-permission-text.c
index 21069df..43ce530 100644 (file)
--- a/src/afb-permission-text.c
+++ b/src/afb-permission-text.c
@@ -18,3 +18,4 @@
 #include "afb-permission-text.h"
 
 const char afb_permission_on_behalf_credential[] = "urn:AGL:permission:*:partner:on-behalf-credentials";
+const char afb_permission_token_valid[]          = "urn:AGL:token:valid";

diff --git a/src/afb-permission-text.h b/src/afb-permission-text.h
index 1340f71..3037e40 100644 (file)
--- a/src/afb-permission-text.h
+++ b/src/afb-permission-text.h
@@ -18,3 +18,4 @@
 #pragma once
 
 extern const char afb_permission_on_behalf_credential[];
+extern const char afb_permission_token_valid[];

diff --git a/src/afb-token.c b/src/afb-token.c
index b81a87d..f6f5eb7 100644 (file)
--- a/src/afb-token.c
+++ b/src/afb-token.c
@@ -147,18 +147,6 @@ void afb_token_unref(struct afb_token *token)
        }
 }
 
-/**
- * Check whether the token is valid or not
- *
- * @param token the token to check
- * @return a boolean value: 0 if not valid, 1 if valid
- */
-int afb_token_check(struct afb_token *token)
-{
-       /* TODO */
-       return 1;
-}
-
 /**
  * Get the string value of the token
  *

diff --git a/src/afb-token.h b/src/afb-token.h
index 69b0fa0..5dd1d33 100644 (file)
--- a/src/afb-token.h
+++ b/src/afb-token.h
@@ -23,6 +23,5 @@ extern int afb_token_get(struct afb_token **token, const char *tokenstring);
 extern struct afb_token *afb_token_addref(struct afb_token *token);
 extern void afb_token_unref(struct afb_token *token);
 
-extern int afb_token_check(struct afb_token *token);
 extern const char *afb_token_string(const struct afb_token *token);
 extern uint16_t afb_token_id(const struct afb_token *token);