1 /* 2 Copyright 2021 Northern.tech AS 3 4 This file is part of CFEngine 3 - written and maintained by Northern.tech AS. 5 6 This program is free software; you can redistribute it and/or modify it 7 under the terms of the GNU General Public License as published by the 8 Free Software Foundation; version 3. 9 10 This program is distributed in the hope that it will be useful, 11 but WITHOUT ANY WARRANTY; without even the implied warranty of 12 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 GNU General Public License for more details. 14 15 You should have received a copy of the GNU General Public License 16 along with this program; if not, write to the Free Software 17 Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA 18 19 To the extent this program is licensed as part of the Enterprise 20 versions of CFEngine, the applicable Commercial Open Source License 21 (COSL) may apply to this file if you as a licensee so wish it. See 22 included file COSL.txt. 23 */ 24 #ifndef CFENGINE_ACCESS_H 25 #define CFENGINE_ACCESS_H 26 27 28 #include <platform.h> 29 30 #include <map.h> /* StringMap */ 31 #include "strlist.h" /* StrList */ 32 33 34 /** 35 * Access control list referring to one resource, e.g. path, class, variable, 36 * literal, bundle. 37 * 38 * @note: Each strlist might be NULL, which is equivalent to having 0 39 * elements. 40 * 41 * @note: Currently these lists are binary searched, so after filling them up 42 * make sure you call StrList_Sort() to sort them. 43 */ 44 struct admitdeny_acl 45 { 46 StrList *ips; /* admit_ips, deny_ips */ 47 StrList *hostnames; /* admit_hostnames, deny_hostnames */ 48 StrList *keys; /* admit_keys, deny_keys */ 49 StrList *usernames; /* currently used only in roles access promise */ 50 }; 51 52 /** 53 * This is a list of all resorce ACLs for one resource. E.g. for resource_type 54 * == path, this should contain a list of all paths together with a list of 55 * ACLs (struct resource_acl) referring to the relevant path. 56 * 57 * @note Currently this list of resource_names may be binary searched so it 58 * must be sorted once populated. 59 * 60 * @WARNING Remember to store directories *always* with traling '/', else they 61 * won't match for children dirs (on purpose, and this functionality 62 * was built into StrList_SearchLongestPrefix()). 63 */ 64 struct acl 65 { 66 // enum acl_type resource_type; 67 size_t len; /* Length of resource_names,acls[] */ 68 size_t alloc_len; /* Used for realloc() economy */ 69 StrList *resource_names; /* paths, class names, variables etc */ 70 struct resource_acl 71 { 72 struct admitdeny_acl admit; 73 struct admitdeny_acl deny; 74 } acls[]; 75 }; 76 77 78 /* These acls are set on server startup or when promises change, and are 79 * read-only for the rest of their life, thus are thread-safe. */ 80 81 /* The paths_acl should be populated with directories having a trailing '/' 82 * to be able to tell apart from files. */ 83 extern struct acl *paths_acl; 84 extern struct acl *classes_acl; /* remoteclassesmatching */ 85 extern struct acl *vars_acl; /* remotescalar */ 86 extern struct acl *literals_acl; 87 extern struct acl *query_acl; /* reporting */ 88 extern struct acl *bundles_acl; /* cf-runagent connections*/ 89 /* Roles ACL contains classes regexes under resource_names, but currently only 90 * lists of admit usernames under the admitdeny_acl, no 91 * ips,hostnames,keys. It's used for the "roles" access promise. TODO convert 92 * to a common access promise with resource_type=>"role". */ 93 extern struct acl *roles_acl; /* cf-runagent connections */ 94 95 96 size_t ReplaceSpecialVariables(char *buf, size_t buf_size, 97 const char *find1, const char *repl1, 98 const char *find2, const char *repl2, 99 const char *find3, const char *repl3); 100 101 size_t acl_SortedInsert(struct acl **a, const char *handle); 102 void acl_Free(struct acl *a); 103 void acl_Summarise(const struct acl *acl, const char *title); 104 105 /* TODO instead of getting all kind of different parameters like 106 * ipaddr,hostname,key, the following functions should get a 107 * "struct peer_id" with all this plus more. */ 108 109 bool acl_CheckExact(const struct acl *acl, const char *req_string, 110 const char *ipaddr, const char *hostname, 111 const char *key); 112 bool acl_CheckPath(const struct acl *acl, const char *reqpath, 113 const char *ipaddr, const char *hostname, 114 const char *key); 115 bool acl_CheckRegex(const struct acl *acl, const char *req_string, 116 const char *ipaddr, const char *hostname, 117 const char *key, const char *username); 118 119 #endif 120