author | José Bollo <jose.bollo@iot.bzh> | 2017-05-05 19:22:55 +0200 |
---|---|---|
committer | José Bollo <jose.bollo@iot.bzh> | 2017-05-11 15:29:49 +0200 |
commit | 1d24a50bda149604760cdc1fd53f65b988c61f0c (patch) | |
tree | e044860a8842375e6ae0d854f9a0e3c5ebdd770b /src/afb-auth.c | |
parent | 22cba30f139a006fadb5fdf521f9c4c5bfbfac4a (diff) |
implement authorisation check
Change-Id: I2ef74b715a115acd11fa13744ba921e875f0bc65
Signed-off-by: José Bollo <jose.bollo@iot.bzh>
Diffstat (limited to 'src/afb-auth.c')
-rw-r--r-- | src/afb-auth.c | 89 |
1 files changed, 89 insertions, 0 deletions
diff --git a/src/afb-auth.c b/src/afb-auth.c
new file mode 100644
index 00000000..fc62bd59
--- /dev/null
+++ b/src/afb-auth.c
@@ -0,0 +1,89 @@
+/*
+ * Copyright (C) 2016, 2017 "IoT.bzh"
+ * Author "Fulup Ar Foll"
+ * Author José Bollo <jose.bollo@iot.bzh>
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#define _GNU_SOURCE
+#define AFB_BINDING_PRAGMA_NO_VERBOSE_MACRO
+
+#include <stdlib.h>
+
+#include <afb/afb-auth.h>
+
+#include "afb-auth.h"
+#include "afb-context.h"
+#include "afb-xreq.h"
+#include "verbose.h"
+
+static int check_permission(const char *permission, struct afb_xreq *xreq);
+
+int afb_auth_check(const struct afb_auth *auth, struct afb_xreq *xreq)
+{
+ switch (auth->type) {
+ default:
+ case afb_auth_No:
+ return 0;
+
+ case afb_auth_Token:
+ return afb_context_check(&xreq->context);
+
+ case afb_auth_LOA:
+ return afb_context_check_loa(&xreq->context, auth->loa);
+
+ case afb_auth_Permission:
+ return xreq->cred && auth->text && check_permission(auth->text, xreq);
+
+ case afb_auth_Or:
+ return afb_auth_check(auth->first, xreq) || afb_auth_check(auth->next, xreq);
+
+ case afb_auth_And:
+ return afb_auth_check(auth->first, xreq) && afb_auth_check(auth->next, xreq);
+
+ case afb_auth_Not:
+ return !afb_auth_check(auth->first, xreq);
+
+ case afb_auth_Yes:
+ return 1;
+ }
+}
+
+#ifdef BACKEND_PERMISSION_IS_CYNARA
+#include <cynara-client.h>
+static int check_permission(const char *permission, struct afb_xreq *xreq)
+{
+ static cynara *cynara;
+ char uid[64];
+ int rc;
+
+ if (!cynara) {
+ rc = cynara_initialize(&cynara, NULL);
+ if (rc != CYNARA_API_SUCCESS) {
+ cynara = NULL;
+ ERROR("cynara initialisation failed with code %d", rc);
+ return 0;
+ }
+ }
+ rc = cynara_check(cynara, cred->label, afb_context_uuid(&xreq->context), xreq->cred->user, permission);
+ return rc == CYNARA_API_ACCESS_ALLOWED;
+}
+#else
+static int check_permission(const char *permission, struct afb_xreq *xreq)
+{
+ WARNING("Granting permission %s by default", permission);
+ return 1;
+}
+#endif
+ |
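Review bot: The `#else` branch of `check_permission` fails open: when `BACKEND_PERMISSION_IS_CYNARA` is not defined, every `afb_auth_Permission` check returns 1 with only a WARNING as trace, so a build without the backend authorises all permission-protected requests. I would deny by default there, e.g. `ERROR("no permission backend, denying %s", permission); return 0;`, or put the permissive behaviour behind an explicit, separately named build option. In the cynara branch `cred->label` refers to an undeclared `cred` while the other arguments use `xreq->cred`, so it should presumably read `xreq->cred->label`, and `uid[64]` is never used. `afb_auth_Not` also inverts the 0 that `check_permission` returns on a cynara initialisation failure, so a backend error under a `Not` node becomes a grant; a return value that distinguishes "error" from "denied" would avoid that.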