diff options
author | Jose Bollo <jose.bollo@iot.bzh> | 2019-11-27 16:58:55 +0100 |
---|---|---|
committer | José Bollo <jose.bollo@iot.bzh> | 2019-12-02 10:18:03 +0100 |
commit | af003cd2241146fd4fc67e5e6fdc0835c0aca66d (patch) | |
tree | 2c659575e03ef5563f248cf1f3e4411723be589a | |
parent | 74a7ebbea3d36158aabbda85d2aeb5a1b3a9daa9 (diff) |
afb-auth: Increase and improve use of afb-auth
This change factorize code for version V1 of bindings
and centralizes management of authorisations in a
single place.
Bug-AGL: SPEC-2968
Change-Id: I6ad95d5bfa0d85dbb6d2060fc9ebca08b68eb4e9
Signed-off-by: Jose Bollo <jose.bollo@iot.bzh>
-rw-r--r-- | src/afb-api-so-v1.c | 45 | ||||
-rw-r--r-- | src/afb-api-so-v2.c | 2 | ||||
-rw-r--r-- | src/afb-api-v3.c | 2 | ||||
-rw-r--r-- | src/afb-auth.c | 80 | ||||
-rw-r--r-- | src/afb-auth.h | 8 | ||||
-rw-r--r-- | src/afb-xreq.c | 63 |
6 files changed, 93 insertions, 107 deletions
diff --git a/src/afb-api-so-v1.c b/src/afb-api-so-v1.c index c6317ba7..09165807 100644 --- a/src/afb-api-so-v1.c +++ b/src/afb-api-so-v1.c @@ -36,6 +36,7 @@ #include "afb-context.h" #include "afb-api-so.h" #include "afb-xreq.h" +#include "afb-auth.h" #include "verbose.h" /* @@ -63,40 +64,6 @@ void afb_api_so_v1_process_call(struct afb_binding_v1 *binding, struct afb_xreq afb_xreq_call_verb_v1(xreq, verb); } -static struct json_object *addperm(struct json_object *o, struct json_object *x) -{ - struct json_object *a; - - if (!o) - return x; - - if (!json_object_object_get_ex(o, "allOf", &a)) { - a = json_object_new_array(); - json_object_array_add(a, o); - o = json_object_new_object(); - json_object_object_add(o, "allOf", a); - } - json_object_array_add(a, x); - return o; -} - -static struct json_object *addperm_key_val(struct json_object *o, const char *key, struct json_object *val) -{ - struct json_object *x = json_object_new_object(); - json_object_object_add(x, key, val); - return addperm(o, x); -} - -static struct json_object *addperm_key_valstr(struct json_object *o, const char *key, const char *val) -{ - return addperm_key_val(o, key, json_object_new_string(val)); -} - -static struct json_object *addperm_key_valint(struct json_object *o, const char *key, int val) -{ - return addperm_key_val(o, key, json_object_new_int(val)); -} - struct json_object *afb_api_so_v1_make_description_openAPIv3(struct afb_binding_v1 *binding, const char *apiname) { char buffer[256]; @@ -124,15 +91,7 @@ struct json_object *afb_api_so_v1_make_description_openAPIv3(struct afb_binding_ g = json_object_new_object(); json_object_object_add(f, "get", g); - a = NULL; - if (verb->session & AFB_SESSION_CLOSE_X1) - a = addperm_key_valstr(a, "session", "close"); - if (verb->session & AFB_SESSION_CHECK_X1) - a = addperm_key_valstr(a, "session", "check"); - if (verb->session & AFB_SESSION_RENEW_X1) - a = addperm_key_valstr(a, "token", "refresh"); - if (verb->session & AFB_SESSION_LOA_MASK_X1) - a = addperm_key_valint(a, "LOA", (verb->session >> AFB_SESSION_LOA_SHIFT_X1) & AFB_SESSION_LOA_MASK_X1); + a = afb_auth_json_x1(verb->session); if (a) json_object_object_add(g, "x-permissions", a); diff --git a/src/afb-api-so-v2.c b/src/afb-api-so-v2.c index f10e18d3..692d7377 100644 --- a/src/afb-api-so-v2.c +++ b/src/afb-api-so-v2.c @@ -106,7 +106,7 @@ struct json_object *afb_api_so_v2_make_description_openAPIv3(const struct afb_bi g = json_object_new_object(); json_object_object_add(f, "get", g); - a = afb_auth_json_v2(verb->auth, verb->session); + a = afb_auth_json_x2(verb->auth, verb->session); if (a) json_object_object_add(g, "x-permissions", a); diff --git a/src/afb-api-v3.c b/src/afb-api-v3.c index 6469b886..ea691761 100644 --- a/src/afb-api-v3.c +++ b/src/afb-api-v3.c @@ -134,7 +134,7 @@ static struct json_object *describe_verb_v3(const struct afb_verb_v3 *verb) g = json_object_new_object(); json_object_object_add(f, "get", g); - a = afb_auth_json_v2(verb->auth, verb->session); + a = afb_auth_json_x2(verb->auth, verb->session); if (a) json_object_object_add(g, "x-permissions", a); diff --git a/src/afb-auth.c b/src/afb-auth.c index 6747c9ee..01412128 100644 --- a/src/afb-auth.c +++ b/src/afb-auth.c @@ -23,6 +23,9 @@ #include <json-c/json.h> #include <afb/afb-auth.h> #include <afb/afb-session-x2.h> +#if WITH_LEGACY_BINDING_V1 +#include <afb/afb-session-x1.h> +#endif #include "afb-auth.h" #include "afb-context.h" @@ -65,6 +68,63 @@ int afb_auth_has_permission(struct afb_xreq *xreq, const char *permission) return afb_cred_has_permission(xreq->cred, permission, &xreq->context); } +#if WITH_LEGACY_BINDING_V1 +int afb_auth_check_and_set_session_x1(struct afb_xreq *xreq, int sessionflags) +{ + int loa; + + if ((sessionflags & (AFB_SESSION_CLOSE_X1|AFB_SESSION_RENEW_X1|AFB_SESSION_CHECK_X1|AFB_SESSION_LOA_EQ_X1)) != 0) { + if (!afb_context_check(&xreq->context)) { + afb_context_close(&xreq->context); + return afb_xreq_reply_invalid_token(xreq); + } + } + + if ((sessionflags & AFB_SESSION_LOA_GE_X1) != 0) { + loa = (sessionflags >> AFB_SESSION_LOA_SHIFT_X1) & AFB_SESSION_LOA_MASK_X1; + if (!afb_context_check_loa(&xreq->context, loa)) + return afb_xreq_reply_insufficient_scope(xreq, "invalid LOA"); + } + + if ((sessionflags & AFB_SESSION_LOA_LE_X1) != 0) { + loa = (sessionflags >> AFB_SESSION_LOA_SHIFT_X1) & AFB_SESSION_LOA_MASK_X1; + if (afb_context_check_loa(&xreq->context, loa + 1)) + return afb_xreq_reply_insufficient_scope(xreq, "invalid LOA"); + } + + if ((sessionflags & AFB_SESSION_CLOSE_X1) != 0) { + afb_context_change_loa(&xreq->context, 0); + afb_context_close(&xreq->context); + } + + return 0; +} +#endif + +int afb_auth_check_and_set_session_x2(struct afb_xreq *xreq, uint32_t sessionflags, const struct afb_auth *auth) +{ + int loa; + + if (sessionflags != 0) { + if (!afb_context_check(&xreq->context)) { + afb_context_close(&xreq->context); + return afb_xreq_reply_invalid_token(xreq); + } + } + + loa = (int)(sessionflags & AFB_SESSION_LOA_MASK_X2); + if (loa && !afb_context_check_loa(&xreq->context, loa)) + return afb_xreq_reply_insufficient_scope(xreq, "invalid LOA"); + + if (auth && !afb_auth_check(xreq, auth)) + return afb_xreq_reply_insufficient_scope(xreq, NULL /* TODO */); + + if ((sessionflags & AFB_SESSION_CLOSE_X2) != 0) + afb_context_close(&xreq->context); + + return 0; +} + /*********************************************************************************/ static struct json_object *addperm(struct json_object *o, struct json_object *x) @@ -130,7 +190,7 @@ static struct json_object *addauth_or_array(struct json_object *o, const struct return o; } -struct json_object *afb_auth_json_v2(const struct afb_auth *auth, int session) +struct json_object *afb_auth_json_x2(const struct afb_auth *auth, uint32_t session) { struct json_object *result = NULL; @@ -152,3 +212,21 @@ struct json_object *afb_auth_json_v2(const struct afb_auth *auth, int session) return result; } + +#if WITH_LEGACY_BINDING_V1 +struct json_object *afb_auth_json_x1(int session) +{ + struct json_object *result = NULL; + + if (session & AFB_SESSION_CLOSE_X1) + result = addperm_key_valstr(result, "session", "close"); + if (session & AFB_SESSION_CHECK_X1) + result = addperm_key_valstr(result, "session", "check"); + if (session & AFB_SESSION_RENEW_X1) + result = addperm_key_valstr(result, "token", "refresh"); + if (session & AFB_SESSION_LOA_MASK_X1) + result = addperm_key_valint(result, "LOA", (session >> AFB_SESSION_LOA_SHIFT_X1) & AFB_SESSION_LOA_MASK_X1); + + return result; +} +#endif diff --git a/src/afb-auth.h b/src/afb-auth.h index 0a4ab4ae..bf4a8466 100644 --- a/src/afb-auth.h +++ b/src/afb-auth.h @@ -24,4 +24,10 @@ struct json_object; extern int afb_auth_check(struct afb_xreq *xreq, const struct afb_auth *auth); extern int afb_auth_has_permission(struct afb_xreq *xreq, const char *permission); -extern struct json_object *afb_auth_json_v2(const struct afb_auth *auth, int session); +extern int afb_auth_check_and_set_session_x2(struct afb_xreq *xreq, uint32_t session, const struct afb_auth *auth); +extern struct json_object *afb_auth_json_x2(const struct afb_auth *auth, uint32_t session); + +#if WITH_LEGACY_BINDING_V1 +extern int afb_auth_check_and_set_session_x1(struct afb_xreq *xreq, int session); +extern struct json_object *afb_auth_json_x1(int session); +#endif
\ No newline at end of file diff --git a/src/afb-xreq.c b/src/afb-xreq.c index a9703b7a..297681c5 100644 --- a/src/afb-xreq.c +++ b/src/afb-xreq.c @@ -758,69 +758,12 @@ int afb_xreq_reply_insufficient_scope(struct afb_xreq *xreq, const char *scope) } #if WITH_LEGACY_BINDING_V1 -static int xreq_session_check_apply_v1(struct afb_xreq *xreq, int sessionflags) -{ - int loa; - - if ((sessionflags & (AFB_SESSION_CLOSE_X1|AFB_SESSION_RENEW_X1|AFB_SESSION_CHECK_X1|AFB_SESSION_LOA_EQ_X1)) != 0) { - if (!afb_context_check(&xreq->context)) { - afb_context_close(&xreq->context); - return afb_xreq_reply_invalid_token(xreq); - } - } - - if ((sessionflags & AFB_SESSION_LOA_GE_X1) != 0) { - loa = (sessionflags >> AFB_SESSION_LOA_SHIFT_X1) & AFB_SESSION_LOA_MASK_X1; - if (!afb_context_check_loa(&xreq->context, loa)) - return afb_xreq_reply_insufficient_scope(xreq, "invalid LOA"); - } - - if ((sessionflags & AFB_SESSION_LOA_LE_X1) != 0) { - loa = (sessionflags >> AFB_SESSION_LOA_SHIFT_X1) & AFB_SESSION_LOA_MASK_X1; - if (afb_context_check_loa(&xreq->context, loa + 1)) - return afb_xreq_reply_insufficient_scope(xreq, "invalid LOA"); - } - - if ((sessionflags & AFB_SESSION_CLOSE_X1) != 0) { - afb_context_change_loa(&xreq->context, 0); - afb_context_close(&xreq->context); - } - - return 0; -} -#endif - -static int xreq_session_check_apply_v2(struct afb_xreq *xreq, uint32_t sessionflags, const struct afb_auth *auth) -{ - int loa; - - if (sessionflags != 0) { - if (!afb_context_check(&xreq->context)) { - afb_context_close(&xreq->context); - return afb_xreq_reply_invalid_token(xreq); - } - } - - loa = (int)(sessionflags & AFB_SESSION_LOA_MASK_X2); - if (loa && !afb_context_check_loa(&xreq->context, loa)) - return afb_xreq_reply_insufficient_scope(xreq, "invalid LOA"); - - if (auth && !afb_auth_check(xreq, auth)) - return afb_xreq_reply_insufficient_scope(xreq, NULL /* TODO */); - - if ((sessionflags & AFB_SESSION_CLOSE_X2) != 0) - afb_context_close(&xreq->context); - - return 0; -} - -#if WITH_LEGACY_BINDING_V1 void afb_xreq_call_verb_v1(struct afb_xreq *xreq, const struct afb_verb_desc_v1 *verb) { if (!verb) afb_xreq_reply_unknown_verb(xreq); else - if (!xreq_session_check_apply_v1(xreq, verb->session)) + if (afb_auth_check_and_set_session_x1(xreq, verb->session) >= 0) verb->callback(xreq_to_req_x1(xreq)); } #endif @@ -831,7 +774,7 @@ void afb_xreq_call_verb_v2(struct afb_xreq *xreq, const struct afb_verb_v2 *verb if (!verb) afb_xreq_reply_unknown_verb(xreq); else - if (!xreq_session_check_apply_v2(xreq, verb->session, verb->auth)) + if (afb_auth_check_and_set_session_x2(xreq, verb->session, verb->auth) >= 0) verb->callback(xreq_to_req_x1(xreq)); } #endif @@ -841,7 +784,7 @@ void afb_xreq_call_verb_v3(struct afb_xreq *xreq, const struct afb_verb_v3 *verb if (!verb) afb_xreq_reply_unknown_verb(xreq); else - if (xreq_session_check_apply_v2(xreq, verb->session, verb->auth) >= 0) + if (afb_auth_check_and_set_session_x2(xreq, verb->session, verb->auth) >= 0) verb->callback(xreq_to_req_x2(xreq)); } |