From d8aff62647736c3f17ff15989ec9f90b48efe1c4 Mon Sep 17 00:00:00 2001
From: José Bollo
Date: Fri, 29 Nov 2019 12:44:46 +0100
Subject: afb-context & afb-token: rework token validation
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Validation of token is now linked to backend permission database.

Bug-AGL: SPEC-2968

Signed-off-by: José Bollo
Change-Id: I30b049f92b8324740abecbb9539f7413ad55f7ec
---
 src/afb-context.c         | 66 ++++++++++++++++++++++++++---------------------
 src/afb-permission-text.c |  1 +
 src/afb-permission-text.h |  1 +
 src/afb-token.c           | 12 --------
 src/afb-token.h           |  1 -
 5 files changed, 39 insertions(+), 42 deletions(-)

diff --git a/src/afb-context.c b/src/afb-context.c
index 5235707f..3d6dee06 100644
--- a/src/afb-context.c
+++ b/src/afb-context.c
@@ -41,25 +41,6 @@ static void init_context(struct afb_context *context, struct afb_session *sessio
 	context->api_key = NULL;
 	context->token = afb_token_addref(token);
 	context->credentials = afb_cred_addref(cred);
-
-	/* check the token */
-	if (token != NULL) {
-		if (afb_token_check(token))
-			context->validated = 1;
-		else
-			context->invalidated = 1;
-	}
-}
-
-void afb_context_init(struct afb_context *context, struct afb_session *session, struct afb_token *token, struct afb_cred *cred)
-{
-	init_context(context, afb_session_addref(session), token, cred);
-}
-
-void afb_context_init_validated(struct afb_context *context, struct afb_session *session, struct afb_token *token, struct afb_cred *cred)
-{
-	afb_context_init(context, session, token, cred);
-	context->validated = 1;
 }
 
 void afb_context_subinit(struct afb_context *context, struct afb_context *super)
@@ -72,6 +53,11 @@ void afb_context_subinit(struct afb_context *context, struct afb_context *super)
 	context->credentials = afb_cred_addref(super->credentials);
 }
 
+void afb_context_init(struct afb_context *context, struct afb_session *session, struct afb_token *token, struct afb_cred *cred)
+{
+	init_context(context, afb_session_addref(session), token, cred);
+}
+
 int afb_context_connect(struct afb_context *context, const char *uuid, struct afb_token *token, struct afb_cred *cred)
 {
 	int created;
@@ -95,6 +81,12 @@ int afb_context_connect_validated(struct afb_context *context, const char *uuid,
 	return rc;
 }
 
+void afb_context_init_validated(struct afb_context *context, struct afb_session *session, struct afb_token *token, struct afb_cred *cred)
+{
+	afb_context_init(context, session, token, cred);
+	context->validated = 1;
+}
+
 void afb_context_disconnect(struct afb_context *context)
 {
 	if (context->session && !context->super && context->closing && !context->closed) {
@@ -123,8 +115,6 @@ void afb_context_change_token(struct afb_context *context, struct afb_token *tok
 {
 	struct afb_token *otoken = context->token;
 	if (otoken != token) {
-		context->validated = 0;
-		context->invalidated = 0;
 		context->token = afb_token_addref(token);
 		afb_token_unref(otoken);
 	}
@@ -203,14 +193,23 @@ void afb_context_close(struct afb_context *context)
 
 int afb_context_check(struct afb_context *context)
 {
-	if (context->super)
-		return afb_context_check(context);
-	return context->validated;
-}
+	int r;
 
-int afb_context_check_loa(struct afb_context *context, unsigned loa)
-{
-	return afb_context_get_loa(context) >= loa;
+	if (context->validated)
+		r = 1;
+	else if (context->invalidated)
+		r = 0;
+	else {
+		if (context->super)
+			r = afb_context_check(context->super);
+		else
+			r = afb_context_has_permission(context, afb_permission_token_valid);
+		if (r)
+			context->validated = 1;
+		else
+			context->invalidated = 1;
+	}
+	return r;
 }
 
 static inline const void *loa_key(struct afb_context *context)
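Review bot: Dropping the two resets in afb_context_change_token means the answer cached by afb_context_check outlives the token it was computed for: a context validated under the previous token stays validated, and one already marked invalidated stays rejected, with the permission backend never consulted again after the swap. If the `afb_permission_token_valid` decision depends on the token and not only on session and credentials, the lines `context->validated = 0;` and `context->invalidated = 0;` should stay; otherwise a comment stating that the cached result is token-independent would explain the removal. The body of afb_context_change_token continues outside the hunk.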
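Review bot: The rewritten afb_context_check caches a negative answer for the life of the context: once `context->invalidated = 1` is set, every later call returns 0 without asking `afb_context_has_permission` again, so a permission granted later, or a transient backend failure if that helper reports errors as 0 (not visible in the hunk), is never re-evaluated. Consider caching only the positive result, keeping `if (r) context->validated = 1;` and dropping the `else context->invalidated = 1;` branch, or state the contract in a comment above the function such as `/* the permission backend is asked at most once per context; the answer is cached in validated/invalidated */`. The hunk also references `afb_permission_token_valid` but shows no `#include "afb-permission-text.h"` added to afb-context.c, so it relies on that header already being included above this hunk.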
@@ -230,10 +229,14 @@ static inline unsigned ptr2loa(void *ptr)
 
 int afb_context_change_loa(struct afb_context *context, unsigned loa)
 {
-	if (!context->validated || loa > 7) {
+	if (loa > 7) {
 		errno = EINVAL;
 		return -1;
 	}
+	if (!afb_context_check(context)) {
+		errno = EPERM;
+		return -1;
+	}
 	return afb_session_set_cookie(context->session, loa_key(context), loa2ptr(loa), NULL);
 }
 
@@ -243,3 +246,8 @@ unsigned afb_context_get_loa(struct afb_context *context)
 	assert(context->session != NULL);
 	return ptr2loa(afb_session_get_cookie(context->session, loa_key(context)));
 }
+
+int afb_context_check_loa(struct afb_context *context, unsigned loa)
+{
+	return afb_context_get_loa(context) >= loa;
+}
diff --git a/src/afb-permission-text.c b/src/afb-permission-text.c
index 21069df8..43ce530a 100644
--- a/src/afb-permission-text.c
+++ b/src/afb-permission-text.c
@@ -18,3 +18,4 @@
 #include "afb-permission-text.h"
 
 const char afb_permission_on_behalf_credential[] = "urn:AGL:permission:*:partner:on-behalf-credentials";
+const char afb_permission_token_valid[] = "urn:AGL:token:valid";
diff --git a/src/afb-permission-text.h b/src/afb-permission-text.h
index 1340f717..3037e402 100644
--- a/src/afb-permission-text.h
+++ b/src/afb-permission-text.h
@@ -18,3 +18,4 @@
 #pragma once
 
 extern const char afb_permission_on_behalf_credential[];
+extern const char afb_permission_token_valid[];
diff --git a/src/afb-token.c b/src/afb-token.c
index b81a87df..f6f5eb73 100644
--- a/src/afb-token.c
+++ b/src/afb-token.c
@@ -147,18 +147,6 @@ void afb_token_unref(struct afb_token *token)
 	}
 }
 
-/**
- * Check whether the token is valid or not
- *
- * @param token the token to check
- * @return a boolean value: 0 if not valid, 1 if valid
- */
-int afb_token_check(struct afb_token *token)
-{
-	/* TODO */
-	return 1;
-}
-
 /**
  * Get the string value of the token
  *
diff --git a/src/afb-token.h b/src/afb-token.h
index 69b0fa05..5dd1d33c 100644
--- a/src/afb-token.h
+++ b/src/afb-token.h
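Review bot: The rewritten guard in afb_context_change_loa keeps `7` as a bare magic number for the highest level of assurance, and the same bound is presumably what loa2ptr/ptr2loa (outside the hunk) encode. A named constant, e.g. `enum { AFB_CONTEXT_LOA_MAX = 7 };` next to those helpers and `if (loa > AFB_CONTEXT_LOA_MAX) {` here, would tie the two together and make the EINVAL/EPERM split self-explanatory.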
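Review bot: The new `afb_permission_token_valid` string is the only entry in afb-permission-text.c outside the `urn:AGL:permission:` namespace and nothing in the file says what grants it or who queries it. A one-line comment above the definition such as `/* permission asked of the backend by afb_context_check to accept a context's token */` would tell whoever provisions the permission database what to expect; the same comment belongs on the extern declaration in afb-permission-text.h.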
@@ -23,6 +23,5 @@ extern int afb_token_get(struct afb_token **token, const char *tokenstring);
 extern struct afb_token *afb_token_addref(struct afb_token *token);
 extern void afb_token_unref(struct afb_token *token);
-extern int afb_token_check(struct afb_token *token);
 extern const char *afb_token_string(const struct afb_token *token);
 extern uint16_t afb_token_id(const struct afb_token *token);
 
-- 
cgit 1.2.3-korg