author | José Bollo <jose.bollo@iot.bzh> | 2017-05-05 19:22:55 +0200 |
---|---|---|
committer | José Bollo <jose.bollo@iot.bzh> | 2017-05-11 15:29:49 +0200 |
commit | 1d24a50bda149604760cdc1fd53f65b988c61f0c (patch) | |
tree | e044860a8842375e6ae0d854f9a0e3c5ebdd770b /src/afb-xreq.c | |
parent | 22cba30f139a006fadb5fdf521f9c4c5bfbfac4a (diff) |
implement authorisation check
Change-Id: I2ef74b715a115acd11fa13744ba921e875f0bc65
Signed-off-by: José Bollo <jose.bollo@iot.bzh>
Diffstat (limited to 'src/afb-xreq.c')
-rw-r--r-- | src/afb-xreq.c | 19 |
1 files changed, 13 insertions, 6 deletions
diff --git a/src/afb-xreq.c b/src/afb-xreq.c
index 0aef608a..b964b104 100644
--- a/src/afb-xreq.c
+++ b/src/afb-xreq.c
@@ -33,6 +33,7 @@
 #include "afb-hook.h"
 #include "afb-api.h"
 #include "afb-apiset.h"
+#include "afb-auth.h"
 #include "jobs.h"
 #include "verbose.h"
@@ -439,14 +440,14 @@ void afb_xreq_subcall(struct afb_xreq *xreq, const char *api, const char *verb,
 afb_req_subcall(to_req(xreq), api, verb, args, callback, cb_closure);
 }
-static int xreq_session_check_apply(struct afb_xreq *xreq, int sessionflags)
+static int xreq_session_check_apply(struct afb_xreq *xreq, int sessionflags, const struct afb_auth *auth)
 {
 int loa;
 if ((sessionflags & (AFB_SESSION_CLOSE|AFB_SESSION_RENEW|AFB_SESSION_CHECK|AFB_SESSION_LOA_EQ)) != 0) {
 if (!afb_context_check(&xreq->context)) {
 afb_context_close(&xreq->context);
- afb_xreq_fail_f(xreq, "failed", "invalid token's identity");
+ afb_xreq_fail_f(xreq, "denied", "invalid token's identity");
 errno = EINVAL;
 return -1;
 }
@@ -455,7 +456,7 @@ static int xreq_session_check_apply(struct afb_xreq *xreq, int sessionflags)
 if ((sessionflags & AFB_SESSION_LOA_GE) != 0) {
 loa = (sessionflags >> AFB_SESSION_LOA_SHIFT) & AFB_SESSION_LOA_MASK;
 if (!afb_context_check_loa(&xreq->context, loa)) {
- afb_xreq_fail_f(xreq, "failed", "invalid LOA");
+ afb_xreq_fail_f(xreq, "denied", "invalid LOA");
 errno = EPERM;
 return -1;
 }
@@ -464,12 +465,18 @@ static int xreq_session_check_apply(struct afb_xreq *xreq, int sessionflags)
 if ((sessionflags & AFB_SESSION_LOA_LE) != 0) {
 loa = (sessionflags >> AFB_SESSION_LOA_SHIFT) & AFB_SESSION_LOA_MASK;
 if (afb_context_check_loa(&xreq->context, loa + 1)) {
- afb_xreq_fail_f(xreq, "failed", "invalid LOA");
+ afb_xreq_fail_f(xreq, "denied", "invalid LOA");
 errno = EPERM;
 return -1;
 }
 }
+ if (auth && !afb_auth_check(auth, xreq)) {
+ afb_xreq_fail_f(xreq, "denied", "authorisation refused");
+ errno = EPERM;
+ return -1;
+ }
+
 if ((sessionflags & AFB_SESSION_RENEW) != 0) {
 afb_context_refresh(&xreq->context);
 }
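Review bot: xreq_session_check_apply gains an `auth` parameter in the second hunk, but nothing states its contract and no header comment is visible above the signature. I would add one, for example `/* Applies the session flags and, when auth is not NULL, the authorisation check; returns -1 with errno set after the failure reply has been sent. */`; the success value is presumably 0, since both callers test `!xreq_session_check_apply(...)`, but the function's return path is outside this diff. The reply status also changes from "failed" to "denied" here and in the two LOA hunks, which clients can observe and which the commit message does not mention. The function body continues past this hunk.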
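Review bot: The new guard `if (auth && !afb_auth_check(auth, xreq))` in the fourth hunk treats every non-zero result as granted, so a negative error return from afb_auth_check would let the request through. afb_auth_check is declared in afb-auth.h, outside this diff, so whether it can return a negative value is not visible here. If it can, `if (auth && afb_auth_check(auth, xreq) <= 0) {` keeps the check fail-closed; otherwise a one-line comment stating the 0/1 contract at this call would do. The refusal is only reported to the client, so logging it on this path through the already included verbose.h would give operators a record of denied requests. The enclosing function starts in an earlier hunk and ends outside this one.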
@@ -486,7 +493,7 @@ void afb_xreq_call_verb_v1(struct afb_xreq *xreq, const struct afb_verb_desc_v1
 if (!verb)
 afb_xreq_fail_unknown_verb(xreq);
 else
- if (!xreq_session_check_apply(xreq, verb->session))
+ if (!xreq_session_check_apply(xreq, verb->session, NULL))
 verb->callback(to_req(xreq));
 }
@@ -495,7 +502,7 @@ void afb_xreq_call_verb_v2(struct afb_xreq *xreq, const struct afb_verb_v2 *verb
 if (!verb)
 afb_xreq_fail_unknown_verb(xreq);
 else
- if (!xreq_session_check_apply(xreq, verb->session))
+ if (!xreq_session_check_apply(xreq, verb->session, verb->auth))
 verb->callback(to_req(xreq));
 }
|
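Review bot: Passing `NULL` in afb_xreq_call_verb_v1 means v1 verbs are never subject to the new authorisation check, and in afb_xreq_call_verb_v2 a verb whose `auth` field is NULL skips it too, because the callee guards with `auth &&`. A missing descriptor is therefore allow-by-default, and nothing in either call site says so. I would add a comment on each call, for example `/* v1 descriptors carry no auth: only the session flags are enforced */` here and `/* a NULL verb->auth means no authorisation is required */` in the v2 hunk. Both function bodies start outside their hunks.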