/* Copyright (C) 2013-2021 Greenbone Networks GmbH
 *
 * SPDX-License-Identifier: AGPL-3.0-or-later
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License as
 * published by the Free Software Foundation, either version 3 of the
 * License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU Affero General Public License for more details.
 *
 * You should have received a copy of the GNU Affero General Public License
 * along with this program. If not, see <http://www.gnu.org/licenses/>.
 */

/**
 * @file manage_acl.h
 * @brief Headers for Greenbone Vulnerability Manager: the Manage library.
 *
 * Access-control (ACL) helpers of the Manage library: SQL fragment macros
 * that are spliced into larger queries, plus the prototypes of the
 * acl_* functions.
 *
 * The macros below expand to string literals containing printf-style
 * `%s` placeholders (and `%%` for a literal percent sign).  The caller
 * supplies the corresponding arguments when it formats the query, and is
 * responsible for ensuring that every argument is either an internally
 * generated value (e.g. a user UUID looked up by the server) or has been
 * escaped for use inside a single-quoted SQL literal; the macros themselves
 * perform no quoting.
 */

/* NOTE(review): identifiers starting with '_' followed by an uppercase
 * letter are reserved for the implementation (C11 7.1.3).  A guard such as
 * GVMD_MANAGE_ACL_H would avoid that namespace; kept as-is here. */
#ifndef _GVMD_MANAGE_ACL_H
#define _GVMD_MANAGE_ACL_H

#include "manage_sql.h"
#include <glib.h>

/**
 * @brief Generate SQL for user permission check.
 *
 * Expands to a parenthesised SQL boolean expression that is true when the
 * current user may access a row of the given resource table.  The
 * expression refers to names that the enclosing query must define:
 * `opts.user_id`, `opts.type`, the `permissions_subject` relation and the
 * `super_on_users` relation.  It is the same logic as the 'Any resource
 * type' case of acl_where_owned_user (see the comments inside the macro).
 *
 * No `%s` placeholders are used; `resource` is pasted in as a string
 * literal fragment, so it must be a literal table name, never user input.
 *
 * @param[in]  resource  Resource table name, as a string literal.
 */
#define ACL_USER_MAY_OPTS(resource) \
  /* This part is 'Any resource type' case from acl_where_owned_user. */ \
  /* */ \
  /* Either the user is the owner. */ \
  " ((" resource ".owner = opts.user_id)" \
  /* Or the user has super permission on all. */ \
  " OR EXISTS (SELECT * FROM permissions_subject" \
  " WHERE name = 'Super'" \
  " AND (resource = 0))" \
  /* Or the user has super permission on the owner, */ \
  /* (directly, via the role, or via the group). */ \
  " OR " resource ".owner IN (SELECT *" \
  " FROM super_on_users)" \
  /* Or there's a resource-level permission. */ \
  /* */ \
  /* This part is permission_clause in acl_where_owned_user. */ \
  " OR EXISTS (SELECT id FROM permissions_subject" \
  " WHERE resource = " resource ".id" \
  " AND resource_type = opts.type" \
  " AND resource_location = " G_STRINGIFY (LOCATION_TABLE) \
  /* Any permission.  t () is presumably a SQL helper that returns */ \
  /* true -- confirm against the schema. */ \
  " AND (t ())))"

/**
 * @brief Generate SQL for user permission check.
 *
 * Expands to a complete `SELECT count(*) > 0 ...` query over the
 * `permissions` table.  The query matches permissions granted to the user
 * directly, to any group the user is in, or to any role the user has.
 *
 * The expansion contains seven printf-style `%s` placeholders, in order:
 *   1-3. the user's UUID (three times: user, group and role subqueries);
 *   4-7. the permission name (four times, see below).
 * The caller must pass exactly these arguments, and each must be a
 * trusted or properly escaped value, since they are embedded in
 * single-quoted SQL literals.
 *
 * The final clause implements "any permission implies GET": when the
 * permission name starts with `get`, `substr (name, 5, length - 5)`
 * appears to strip the `get_` prefix and the trailing character (e.g.
 * `get_tasks` -> `task`) and any permission whose name ends with that
 * string matches via LIKE -- confirm against the callers.  Otherwise an
 * exact (lower-cased) name match is required.  `%%` becomes a single `%`
 * after formatting, i.e. the LIKE pattern is `'%' || <suffix>`.
 *
 * @param[in]  resource  Resource id, as a string literal fragment pasted
 *                       directly into the query.
 */
#define ACL_USER_MAY(resource) \
  "SELECT count(*) > 0 FROM permissions" \
  " WHERE resource = " resource \
  " AND subject_location = " G_STRINGIFY (LOCATION_TABLE) \
  " AND ((subject_type = 'user'" \
  " AND subject" \
  " = (SELECT id FROM users" \
  " WHERE users.uuid = '%s'))" \
  " OR (subject_type = 'group'" \
  " AND subject" \
  " IN (SELECT DISTINCT \"group\"" \
  " FROM group_users" \
  " WHERE \"user\" = (SELECT id" \
  " FROM users" \
  " WHERE users.uuid" \
  " = '%s')))" \
  " OR (subject_type = 'role'" \
  " AND subject" \
  " IN (SELECT DISTINCT role" \
  " FROM role_users" \
  " WHERE \"user\" = (SELECT id" \
  " FROM users" \
  " WHERE users.uuid" \
  " = '%s'))))" \
  /* Any permission implies GET. */ \
  " AND ((lower (substr ('%s', 1, 3)) = 'get'" \
  " AND name LIKE '%%'" \
  " || lower (substr ('%s'," \
  " 5," \
  " length ('%s') - 5)))" \
  " OR name = lower ('%s'))"

/**
 * @brief Generate SQL for global check.
 *
 * This is the SQL clause for selecting global resources, i.e. rows whose
 * `owner` column is NULL.  It takes no format arguments.
 */
#define ACL_IS_GLOBAL() \
  "owner IS NULL"

/**
 * @brief Generate SQL for user ownership check.
 *
 * This is the SQL clause for selecting resources owned directly by the
 * user.  Unlike ACL_GLOBAL_OR_USER_OWNS it does NOT include global
 * (owner IS NULL) resources.
 *
 * Caller must organise the single argument, the user's UUID, as a string;
 * it is embedded in a single-quoted SQL literal, so it must be trusted or
 * escaped.
 */
#define ACL_USER_OWNS() \
  " (owner = (SELECT users.id FROM users" \
  " WHERE users.uuid = '%s'))"

/**
 * @brief Generate SQL for global-or-user ownership check.
 *
 * This is the SQL clause for selecting global resources and resources owned
 * directly by the user (ACL_IS_GLOBAL () OR owned by the user).
 *
 * Caller must organise the single argument, the user's UUID, as a string;
 * it is embedded in a single-quoted SQL literal, so it must be trusted or
 * escaped.
 */
#define ACL_GLOBAL_OR_USER_OWNS() \
  " ((" ACL_IS_GLOBAL () ")" \
  " OR (owner = (SELECT users.id FROM users" \
  " WHERE users.uuid = '%s')))"

/* Function prototypes.  Implementations are presumably in manage_acl.c;
 * only the signatures are visible here.  Where parameters are unnamed,
 * the first `const char *` is, by the pattern of the named prototype
 * acl_user_owns_trash_uuid below, likely a resource type name or
 * operation name -- confirm in the definitions. */

command_t *
acl_commands (gchar **);

int
acl_user_may (const char *);

int
acl_user_can_everything (const char *);

int
acl_role_can_super_everyone (const char *);

int
acl_user_can_super_everyone (const char *);

int
acl_user_has_super (const char *, user_t);

int
acl_user_is_admin (const char *);

int
acl_user_is_user (const char *);

int
acl_user_is_super_admin (const char *);

int
acl_user_is_observer (const char *);

int
acl_user_owns (const char *, resource_t, int);

int
acl_user_is_owner (const char *, const char *);

int
acl_user_owns_uuid (const char *, const char *, int);

/* Parameters: resource type name and the UUID of the trashcan resource. */
int
acl_user_owns_trash_uuid (const char *resource, const char *uuid);

int
acl_user_has_access_uuid (const char *, const char *, const char *, int);

/* Returns a newly allocated WHERE clause (gchar *); ownership of the
 * returned string presumably passes to the caller -- confirm in the
 * definition. */
gchar *
acl_where_owned (const char *, const get_data_t *, int, const gchar *, resource_t,
                 array_t *, int, gchar **);

gchar *
acl_where_owned_for_get (const char *, const char *, const char *, gchar **);

gchar *
acl_users_with_access_sql (const char *, const char *, const char *);

gchar *
acl_users_with_access_where (const char *, const char *, const char *,
                             const char*);

#endif /* not _GVMD_MANAGE_ACL_H */