afb-context & afb-token: rework token validation

Validation of token is now linked to backend permission
database.

Bug-AGL: SPEC-2968

Signed-off-by: José Bollo <jose.bollo@iot.bzh>
Change-Id: I30b049f92b8324740abecbb9539f7413ad55f7ec

5 files changed, 39 insertions, 42 deletions

diff --git a/src/afb-context.c b/src/afb-context.c
index 5235707f..3d6dee06 100644
--- a/src/afb-context.c
+++ b/src/afb-context.c
@@ -41,25 +41,6 @@ static void init_context(struct afb_context *context, struct afb_session *sessio
 	context->api_key = NULL;
 	context->token = afb_token_addref(token);
 	context->credentials = afb_cred_addref(cred);
-
-	/* check the token */
-	if (token != NULL) {
-		if (afb_token_check(token))
-			context->validated = 1;
-		else
-			context->invalidated = 1;
-	}
-}
-
-void afb_context_init(struct afb_context *context, struct afb_session *session, struct afb_token *token, struct afb_cred *cred)
-{
-	init_context(context, afb_session_addref(session), token, cred);
-}
-
-void afb_context_init_validated(struct afb_context *context, struct afb_session *session, struct afb_token *token, struct afb_cred *cred)
-{
-	afb_context_init(context, session, token, cred);
-	context->validated = 1;
 }
 
 void afb_context_subinit(struct afb_context *context, struct afb_context *super)
@@ -72,6 +53,11 @@ void afb_context_subinit(struct afb_context *context, struct afb_context *super)
 	context->credentials = afb_cred_addref(super->credentials);
 }
 
+void afb_context_init(struct afb_context *context, struct afb_session *session, struct afb_token *token, struct afb_cred *cred)
+{
+	init_context(context, afb_session_addref(session), token, cred);
+}
+
 int afb_context_connect(struct afb_context *context, const char *uuid, struct afb_token *token, struct afb_cred *cred)
 {
 	int created;
@@ -95,6 +81,12 @@ int afb_context_connect_validated(struct afb_context *context, const char *uuid,
 	return rc;
 }
 
+void afb_context_init_validated(struct afb_context *context, struct afb_session *session, struct afb_token *token, struct afb_cred *cred)
+{
+	afb_context_init(context, session, token, cred);
+	context->validated = 1;
+}
+
 void afb_context_disconnect(struct afb_context *context)
 {
 	if (context->session && !context->super && context->closing && !context->closed) {
@@ -123,8 +115,6 @@ void afb_context_change_token(struct afb_context *context, struct afb_token *tok
 {
 	struct afb_token *otoken = context->token;
 	if (otoken != token) {
-		context->validated = 0;
-		context->invalidated = 0;
 		context->token = afb_token_addref(token);
 		afb_token_unref(otoken);
 	}
@@ -203,14 +193,23 @@ void afb_context_close(struct afb_context *context)
 
 int afb_context_check(struct afb_context *context)
 {
-	if (context->super)
-		return afb_context_check(context);
-	return context->validated;
-}
+	int r;
 
-int afb_context_check_loa(struct afb_context *context, unsigned loa)
-{
-	return afb_context_get_loa(context) >= loa;
+	if (context->validated)
+		r = 1;
+	else if (context->invalidated)
+		r = 0;
+	else {
+		if (context->super)
+			r = afb_context_check(context->super);
+		else
+			r = afb_context_has_permission(context, afb_permission_token_valid);
+		if (r)
+			context->validated = 1;
+		else
+			context->invalidated = 1;
+	}
+	return r;
 }
 
 static inline const void *loa_key(struct afb_context *context)
@@ -230,10 +229,14 @@ static inline unsigned ptr2loa(void *ptr)
 
 int afb_context_change_loa(struct afb_context *context, unsigned loa)
 {
-	if (!context->validated || loa > 7) {
+	if (loa > 7) {
 		errno = EINVAL;
 		return -1;
 	}
+	if (!afb_context_check(context)) {
+		errno = EPERM;
+		return -1;
+	}
 
 	return afb_session_set_cookie(context->session, loa_key(context), loa2ptr(loa), NULL);
 }
@@ -243,3 +246,8 @@ unsigned afb_context_get_loa(struct afb_context *context)
 	assert(context->session != NULL);
 	return ptr2loa(afb_session_get_cookie(context->session, loa_key(context)));
 }
+
+int afb_context_check_loa(struct afb_context *context, unsigned loa)
+{
+	return afb_context_get_loa(context) >= loa;
+}
diff --git a/src/afb-permission-text.c b/src/afb-permission-text.c
index 21069df8..43ce530a 100644
--- a/src/afb-permission-text.c
+++ b/src/afb-permission-text.c
@@ -18,3 +18,4 @@
 #include "afb-permission-text.h"
 
 const char afb_permission_on_behalf_credential[] = "urn:AGL:permission:*:partner:on-behalf-credentials";
+const char afb_permission_token_valid[]          = "urn:AGL:token:valid";
diff --git a/src/afb-permission-text.h b/src/afb-permission-text.h
index 1340f717..3037e402 100644
--- a/src/afb-permission-text.h
+++ b/src/afb-permission-text.h
@@ -18,3 +18,4 @@
 #pragma once
 
 extern const char afb_permission_on_behalf_credential[];
+extern const char afb_permission_token_valid[];
diff --git a/src/afb-token.c b/src/afb-token.c
index b81a87df..f6f5eb73 100644
--- a/src/afb-token.c
+++ b/src/afb-token.c
@@ -148,18 +148,6 @@ void afb_token_unref(struct afb_token *token)
 }
 
 /**
- * Check whether the token is valid or not
- *
- * @param token the token to check
- * @return a boolean value: 0 if not valid, 1 if valid
- */
-int afb_token_check(struct afb_token *token)
-{
-	/* TODO */
-	return 1;
-}
-
-/**
  * Get the string value of the token
  *
  * @param token the token whose string value is queried
diff --git a/src/afb-token.h b/src/afb-token.h
index 69b0fa05..5dd1d33c 100644
--- a/src/afb-token.h
+++ b/src/afb-token.h
@@ -23,6 +23,5 @@ extern int afb_token_get(struct afb_token **token, const char *tokenstring);
 extern struct afb_token *afb_token_addref(struct afb_token *token);
 extern void afb_token_unref(struct afb_token *token);
 
-extern int afb_token_check(struct afb_token *token);
 extern const char *afb_token_string(const struct afb_token *token);
 extern uint16_t afb_token_id(const struct afb_token *token);