ACL refactoring.
parent
17669d9768
commit
a7bf6f76e9
@ -0,0 +1,82 @@
|
||||
#include "acl.h"
|
||||
#include "cmd.h"
|
||||
#include "conf.h"
|
||||
|
||||
#include <string.h>
|
||||
#include <evhttp.h>
|
||||
#include <netinet/in.h>
|
||||
#include <arpa/inet.h>
|
||||
|
||||
int
|
||||
acl_match_client(struct acl *a, struct evhttp_request *rq, in_addr_t *ip) {
|
||||
|
||||
/* check HTTP Basic Auth */
|
||||
const char *auth;
|
||||
auth = evhttp_find_header(rq->input_headers, "Authorization");
|
||||
if(auth && a->http_basic_auth && strncasecmp(auth, "Basic ", 6) == 0) { /* sent auth */
|
||||
if(strcmp(auth + 6, a->http_basic_auth) != 0) { /* wrong */
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
|
||||
/* CIDR check. */
|
||||
if(a->cidr.enabled == 0) { /* none given, all match */
|
||||
return 1;
|
||||
}
|
||||
if(((*ip) & a->cidr.mask) == (a->cidr.subnet & a->cidr.mask)) {
|
||||
return 1;
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
int
|
||||
acl_allow_command(struct cmd *cmd, struct conf *cfg, struct evhttp_request *rq) {
|
||||
|
||||
char *always_off[] = {"MULTI", "EXEC", "WATCH", "DISCARD"};
|
||||
|
||||
unsigned int i;
|
||||
int authorized = 1;
|
||||
struct acl *a;
|
||||
|
||||
char *client_ip;
|
||||
u_short client_port;
|
||||
in_addr_t client_addr;
|
||||
|
||||
const char *cmd_name = cmd->argv[0];
|
||||
size_t cmd_len = cmd->argv_len[0];
|
||||
|
||||
/* some commands are always disabled, regardless of the config file. */
|
||||
for(i = 0; i < sizeof(always_off) / sizeof(always_off[0]); ++i) {
|
||||
if(strncasecmp(always_off[i], cmd_name, cmd_len) == 0) {
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
|
||||
/* find client's address */
|
||||
evhttp_connection_get_peer(rq->evcon, &client_ip, &client_port);
|
||||
client_addr = ntohl(inet_addr(client_ip));
|
||||
|
||||
/* go through permissions */
|
||||
for(a = cfg->perms; a; a = a->next) {
|
||||
|
||||
if(!acl_match_client(a, rq, &client_addr)) continue; /* match client */
|
||||
|
||||
/* go through authorized commands */
|
||||
for(i = 0; i < a->enabled.count; ++i) {
|
||||
if(strncasecmp(a->enabled.commands[i], cmd_name, cmd_len) == 0) {
|
||||
authorized = 1;
|
||||
}
|
||||
}
|
||||
|
||||
/* go through unauthorized commands */
|
||||
for(i = 0; i < a->disabled.count; ++i) {
|
||||
if(strncasecmp(a->disabled.commands[i], cmd_name, cmd_len) == 0) {
|
||||
authorized = 0;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return authorized;
|
||||
}
|
||||
|
@ -0,0 +1,39 @@
|
||||
#ifndef ACL_H
|
||||
#define ACL_H
|
||||
|
||||
#include <netinet/in.h>
|
||||
|
||||
struct evhttp_request;
|
||||
struct cmd;
|
||||
struct conf;
|
||||
|
||||
struct acl_commands {
|
||||
unsigned int count;
|
||||
char **commands;
|
||||
};
|
||||
|
||||
struct acl {
|
||||
|
||||
/* CIDR subnet + mask */
|
||||
struct {
|
||||
int enabled;
|
||||
in_addr_t subnet;
|
||||
in_addr_t mask;
|
||||
} cidr;
|
||||
|
||||
char *http_basic_auth;
|
||||
|
||||
/* commands that have been enabled or disabled */
|
||||
struct acl_commands enabled;
|
||||
struct acl_commands disabled;
|
||||
|
||||
struct acl *next;
|
||||
};
|
||||
|
||||
int
|
||||
acl_match_client(struct acl *a, struct evhttp_request *rq, in_addr_t *ip);
|
||||
|
||||
int
|
||||
acl_allow_command(struct cmd *cmd, struct conf *cfg, struct evhttp_request *rq);
|
||||
|
||||
#endif
|
Loading…
Reference in New Issue