1 /*
2   Copyright 2021 Northern.tech AS
3 
4   This file is part of CFEngine 3 - written and maintained by Northern.tech AS.
5 
6   This program is free software; you can redistribute it and/or modify it
7   under the terms of the GNU General Public License as published by the
8   Free Software Foundation; version 3.
9 
10   This program is distributed in the hope that it will be useful,
11   but WITHOUT ANY WARRANTY; without even the implied warranty of
12   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
13   GNU General Public License for more details.
14 
15   You should have received a copy of the GNU General Public License
16   along with this program; if not, write to the Free Software
17   Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA
18 
19   To the extent this program is licensed as part of the Enterprise
20   versions of CFEngine, the applicable Commercial Open Source License
21   (COSL) may apply to this file if you as a licensee so wish it. See
22   included file COSL.txt.
23 */
24 #ifndef CFENGINE_ACCESS_H
25 #define CFENGINE_ACCESS_H
26 
27 
28 #include <platform.h>
29 
30 #include <map.h>                                         /* StringMap */
31 #include "strlist.h"                                     /* StrList */
32 
33 
34 /**
35  * Access control list referring to one resource, e.g. path, class, variable,
36  * literal, bundle.
37  *
38  * @note: Each strlist might be NULL, which is equivalent to having 0
39  *        elements.
40  *
41  * @note: Currently these lists are binary searched, so after filling them up
42  *        make sure you call StrList_Sort() to sort them.
43  */
44 struct admitdeny_acl
45 {
46     StrList *ips;                        /* admit_ips, deny_ips */
47     StrList *hostnames;                  /* admit_hostnames, deny_hostnames */
48     StrList *keys;                       /* admit_keys, deny_keys */
49     StrList *usernames;      /* currently used only in roles access promise */
50 };
51 
52 /**
53  * This is a list of all resorce ACLs for one resource. E.g. for resource_type
54  * == path, this should contain a list of all paths together with a list of
55  * ACLs (struct resource_acl) referring to the relevant path.
56  *
57  * @note Currently this list of resource_names may be binary searched so it
58  *       must be sorted once populated.
59  *
60  * @WARNING Remember to store directories *always* with traling '/', else they
61  *          won't match for children dirs (on purpose, and this functionality
62  *          was built into StrList_SearchLongestPrefix()).
63  */
64 struct acl
65 {
66 //    enum acl_type resource_type;
67     size_t len;                        /* Length of resource_names,acls[] */
68     size_t alloc_len;                  /* Used for realloc() economy  */
69     StrList *resource_names;           /* paths, class names, variables etc */
70     struct resource_acl
71     {
72         struct admitdeny_acl admit;
73         struct admitdeny_acl deny;
74     } acls[];
75 };
76 
77 
78 /* These acls are set on server startup or when promises change, and are
79  * read-only for the rest of their life, thus are thread-safe. */
80 
81 /* The paths_acl should be populated with directories having a trailing '/'
82  * to be able to tell apart from files. */
83 extern struct acl *paths_acl;
84 extern struct acl *classes_acl;                    /* remoteclassesmatching */
85 extern struct acl *vars_acl;                       /* remotescalar */
86 extern struct acl *literals_acl;
87 extern struct acl *query_acl;                     /* reporting */
88 extern struct acl *bundles_acl;                   /* cf-runagent connections*/
89 /* Roles ACL contains classes regexes under resource_names, but currently only
90  * lists of admit usernames under the admitdeny_acl, no
91  * ips,hostnames,keys. It's used for the "roles" access promise. TODO convert
92  * to a common access promise with resource_type=>"role". */
93 extern struct acl *roles_acl;                    /* cf-runagent connections */
94 
95 
96 size_t ReplaceSpecialVariables(char *buf, size_t buf_size,
97                                const char *find1, const char *repl1,
98                                const char *find2, const char *repl2,
99                                const char *find3, const char *repl3);
100 
101 size_t acl_SortedInsert(struct acl **a, const char *handle);
102 void   acl_Free(struct acl *a);
103 void   acl_Summarise(const struct acl *acl, const char *title);
104 
105 /* TODO instead of getting all kind of different parameters like
106  * ipaddr,hostname,key, the following functions should get a
107  * "struct peer_id" with all this plus more. */
108 
109 bool acl_CheckExact(const struct acl *acl, const char *req_string,
110                     const char *ipaddr, const char *hostname,
111                     const char *key);
112 bool acl_CheckPath(const struct acl *acl, const char *reqpath,
113                    const char *ipaddr, const char *hostname,
114                    const char *key);
115 bool acl_CheckRegex(const struct acl *acl, const char *req_string,
116                     const char *ipaddr, const char *hostname,
117                     const char *key, const char *username);
118 
119 #endif
120