1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
|
/*
* Copyright (C) 2016-2019 "IoT.bzh"
* Author "Fulup Ar Foll"
* Author José Bollo <jose.bollo@iot.bzh>
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#define _GNU_SOURCE
#include <stdlib.h>
#include <json-c/json.h>
#include <afb/afb-auth.h>
#include <afb/afb-session-x2.h>
#if WITH_LEGACY_BINDING_V1
#include <afb/afb-session-x1.h>
#endif
#include "afb-auth.h"
#include "afb-context.h"
#include "afb-xreq.h"
#include "afb-cred.h"
#include "verbose.h"
int afb_auth_check(struct afb_xreq *xreq, const struct afb_auth *auth)
{
switch (auth->type) {
default:
case afb_auth_No:
return 0;
case afb_auth_Token:
return afb_context_check(&xreq->context);
case afb_auth_LOA:
return afb_context_check_loa(&xreq->context, auth->loa);
case afb_auth_Permission:
return afb_auth_has_permission(xreq, auth->text);
case afb_auth_Or:
return afb_auth_check(xreq, auth->first) || afb_auth_check(xreq, auth->next);
case afb_auth_And:
return afb_auth_check(xreq, auth->first) && afb_auth_check(xreq, auth->next);
case afb_auth_Not:
return !afb_auth_check(xreq, auth->first);
case afb_auth_Yes:
return 1;
}
}
int afb_auth_has_permission(struct afb_xreq *xreq, const char *permission)
{
return afb_cred_has_permission(xreq->cred, permission, &xreq->context);
}
#if WITH_LEGACY_BINDING_V1
int afb_auth_check_and_set_session_x1(struct afb_xreq *xreq, int sessionflags)
{
int loa;
if ((sessionflags & (AFB_SESSION_CLOSE_X1|AFB_SESSION_RENEW_X1|AFB_SESSION_CHECK_X1|AFB_SESSION_LOA_EQ_X1)) != 0) {
if (!afb_context_check(&xreq->context)) {
afb_context_close(&xreq->context);
return afb_xreq_reply_invalid_token(xreq);
}
}
if ((sessionflags & AFB_SESSION_LOA_GE_X1) != 0) {
loa = (sessionflags >> AFB_SESSION_LOA_SHIFT_X1) & AFB_SESSION_LOA_MASK_X1;
if (!afb_context_check_loa(&xreq->context, loa))
return afb_xreq_reply_insufficient_scope(xreq, "invalid LOA");
}
if ((sessionflags & AFB_SESSION_LOA_LE_X1) != 0) {
loa = (sessionflags >> AFB_SESSION_LOA_SHIFT_X1) & AFB_SESSION_LOA_MASK_X1;
if (afb_context_check_loa(&xreq->context, loa + 1))
return afb_xreq_reply_insufficient_scope(xreq, "invalid LOA");
}
if ((sessionflags & AFB_SESSION_CLOSE_X1) != 0) {
afb_context_change_loa(&xreq->context, 0);
afb_context_close(&xreq->context);
}
return 0;
}
#endif
int afb_auth_check_and_set_session_x2(struct afb_xreq *xreq, uint32_t sessionflags, const struct afb_auth *auth)
{
int loa;
if (sessionflags != 0) {
if (!afb_context_check(&xreq->context)) {
afb_context_close(&xreq->context);
return afb_xreq_reply_invalid_token(xreq);
}
}
loa = (int)(sessionflags & AFB_SESSION_LOA_MASK_X2);
if (loa && !afb_context_check_loa(&xreq->context, loa))
return afb_xreq_reply_insufficient_scope(xreq, "invalid LOA");
if (auth && !afb_auth_check(xreq, auth))
return afb_xreq_reply_insufficient_scope(xreq, NULL /* TODO */);
if ((sessionflags & AFB_SESSION_CLOSE_X2) != 0)
afb_context_close(&xreq->context);
return 0;
}
/*********************************************************************************/
static struct json_object *addperm(struct json_object *o, struct json_object *x)
{
struct json_object *a;
if (!o)
return x;
if (!json_object_object_get_ex(o, "allOf", &a)) {
a = json_object_new_array();
json_object_array_add(a, o);
o = json_object_new_object();
json_object_object_add(o, "allOf", a);
}
json_object_array_add(a, x);
return o;
}
static struct json_object *addperm_key_val(struct json_object *o, const char *key, struct json_object *val)
{
struct json_object *x = json_object_new_object();
json_object_object_add(x, key, val);
return addperm(o, x);
}
static struct json_object *addperm_key_valstr(struct json_object *o, const char *key, const char *val)
{
return addperm_key_val(o, key, json_object_new_string(val));
}
static struct json_object *addperm_key_valint(struct json_object *o, const char *key, int val)
{
return addperm_key_val(o, key, json_object_new_int(val));
}
static struct json_object *addauth_or_array(struct json_object *o, const struct afb_auth *auth);
static struct json_object *addauth(struct json_object *o, const struct afb_auth *auth)
{
switch(auth->type) {
case afb_auth_No: return addperm(o, json_object_new_boolean(0));
case afb_auth_Token: return addperm_key_valstr(o, "session", "check");
case afb_auth_LOA: return addperm_key_valint(o, "LOA", auth->loa);
case afb_auth_Permission: return addperm_key_valstr(o, "permission", auth->text);
case afb_auth_Or: return addperm_key_val(o, "anyOf", addauth_or_array(json_object_new_array(), auth));
case afb_auth_And: return addauth(addauth(o, auth->first), auth->next);
case afb_auth_Not: return addperm_key_val(o, "not", addauth(NULL, auth->first));
case afb_auth_Yes: return addperm(o, json_object_new_boolean(1));
}
return o;
}
static struct json_object *addauth_or_array(struct json_object *o, const struct afb_auth *auth)
{
if (auth->type != afb_auth_Or)
json_object_array_add(o, addauth(NULL, auth));
else {
addauth_or_array(o, auth->first);
addauth_or_array(o, auth->next);
}
return o;
}
struct json_object *afb_auth_json_x2(const struct afb_auth *auth, uint32_t session)
{
struct json_object *result = NULL;
if (session & AFB_SESSION_CLOSE_X2)
result = addperm_key_valstr(result, "session", "close");
if (session & AFB_SESSION_CHECK_X2)
result = addperm_key_valstr(result, "session", "check");
if (session & AFB_SESSION_REFRESH_X2)
result = addperm_key_valstr(result, "token", "refresh");
if (session & AFB_SESSION_LOA_MASK_X2)
result = addperm_key_valint(result, "LOA", session & AFB_SESSION_LOA_MASK_X2);
if (auth)
result = addauth(result, auth);
return result;
}
#if WITH_LEGACY_BINDING_V1
struct json_object *afb_auth_json_x1(int session)
{
struct json_object *result = NULL;
if (session & AFB_SESSION_CLOSE_X1)
result = addperm_key_valstr(result, "session", "close");
if (session & AFB_SESSION_CHECK_X1)
result = addperm_key_valstr(result, "session", "check");
if (session & AFB_SESSION_RENEW_X1)
result = addperm_key_valstr(result, "token", "refresh");
if (session & AFB_SESSION_LOA_MASK_X1)
result = addperm_key_valint(result, "LOA", (session >> AFB_SESSION_LOA_SHIFT_X1) & AFB_SESSION_LOA_MASK_X1);
return result;
}
#endif
|
