};
static const struct blobmsg_policy sid_policy = {
- .name = "sid", .type = BLOBMSG_TYPE_STRING
+ .name = "ubus_rpc_session", .type = BLOBMSG_TYPE_STRING
};
enum {
__RPC_SS_MAX,
};
static const struct blobmsg_policy set_policy[__RPC_SS_MAX] = {
- [RPC_SS_SID] = { .name = "sid", .type = BLOBMSG_TYPE_STRING },
+ [RPC_SS_SID] = { .name = "ubus_rpc_session", .type = BLOBMSG_TYPE_STRING },
[RPC_SS_VALUES] = { .name = "values", .type = BLOBMSG_TYPE_TABLE },
};
__RPC_SG_MAX,
};
static const struct blobmsg_policy get_policy[__RPC_SG_MAX] = {
- [RPC_SG_SID] = { .name = "sid", .type = BLOBMSG_TYPE_STRING },
+ [RPC_SG_SID] = { .name = "ubus_rpc_session", .type = BLOBMSG_TYPE_STRING },
[RPC_SG_KEYS] = { .name = "keys", .type = BLOBMSG_TYPE_ARRAY },
};
__RPC_SA_MAX,
};
static const struct blobmsg_policy acl_policy[__RPC_SA_MAX] = {
- [RPC_SA_SID] = { .name = "sid", .type = BLOBMSG_TYPE_STRING },
+ [RPC_SA_SID] = { .name = "ubus_rpc_session", .type = BLOBMSG_TYPE_STRING },
[RPC_SA_SCOPE] = { .name = "scope", .type = BLOBMSG_TYPE_STRING },
[RPC_SA_OBJECTS] = { .name = "objects", .type = BLOBMSG_TYPE_ARRAY },
};
__RPC_SP_MAX,
};
static const struct blobmsg_policy perm_policy[__RPC_SP_MAX] = {
- [RPC_SP_SID] = { .name = "sid", .type = BLOBMSG_TYPE_STRING },
+ [RPC_SP_SID] = { .name = "ubus_rpc_session", .type = BLOBMSG_TYPE_STRING },
[RPC_SP_SCOPE] = { .name = "scope", .type = BLOBMSG_TYPE_STRING },
[RPC_SP_OBJECT] = { .name = "object", .type = BLOBMSG_TYPE_STRING },
[RPC_SP_FUNCTION] = { .name = "function", .type = BLOBMSG_TYPE_STRING },
__RPC_DUMP_MAX,
};
static const struct blobmsg_policy dump_policy[__RPC_DUMP_MAX] = {
- [RPC_DUMP_SID] = { .name = "sid", .type = BLOBMSG_TYPE_STRING },
+ [RPC_DUMP_SID] = { .name = "ubus_rpc_session", .type = BLOBMSG_TYPE_STRING },
[RPC_DUMP_TIMEOUT] = { .name = "timeout", .type = BLOBMSG_TYPE_INT32 },
[RPC_DUMP_EXPIRES] = { .name = "expires", .type = BLOBMSG_TYPE_INT32 },
[RPC_DUMP_DATA] = { .name = "data", .type = BLOBMSG_TYPE_TABLE },
}
static void
-rpc_session_to_blob(struct rpc_session *ses)
+rpc_session_to_blob(struct rpc_session *ses, bool acls)
{
void *c;
blob_buf_init(&buf, 0);
- blobmsg_add_string(&buf, "sid", ses->id);
+ blobmsg_add_string(&buf, "ubus_rpc_session", ses->id);
blobmsg_add_u32(&buf, "timeout", ses->timeout);
blobmsg_add_u32(&buf, "expires", uloop_timeout_remaining(&ses->t) / 1000);
+ if (acls) {
+ c = blobmsg_open_table(&buf, "acls");
+ rpc_session_dump_acls(ses, &buf);
+ blobmsg_close_table(&buf, c);
+ }
+
c = blobmsg_open_table(&buf, "data");
rpc_session_dump_data(ses, &buf);
blobmsg_close_table(&buf, c);
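Review bot: The new `acls` parameter of rpc_session_to_blob is undocumented, and because the function serialises into the file-scope `buf` rather than a caller-supplied buffer, the flag's meaning is only discoverable from its two call sites (`true` from rpc_session_dump before ubus_send_reply, `false` before rpc_blob_to_file). Add a header comment above the definition: `/* Serialise ses into the shared buf. acls: also emit the "acls" table; set for ubus replies, clear for the on-disk copy. */`. The function's closing brace is outside the hunk.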
rpc_session_dump(struct rpc_session *ses, struct ubus_context *ctx,
struct ubus_request_data *req)
{
- rpc_session_to_blob(ses);
+ rpc_session_to_blob(ses, true);
ubus_send_reply(ctx, req, buf.head);
}
}
static int
-rpc_session_grant(struct rpc_session *ses, struct ubus_context *ctx,
+rpc_session_grant(struct rpc_session *ses,
const char *scope, const char *object, const char *function)
{
struct rpc_session_acl *acl;
}
static int
-rpc_session_revoke(struct rpc_session *ses, struct ubus_context *ctx,
+rpc_session_revoke(struct rpc_session *ses,
const char *scope, const char *object, const char *function)
{
struct rpc_session_acl *acl, *next;
const char *scope = "ubus";
int rem1, rem2;
- int (*cb)(struct rpc_session *ses, struct ubus_context *ctx,
- const char *scope, const char *object, const char *function);
+ int (*cb)(struct rpc_session *ses,
+ const char *scope, const char *object, const char *function);
blobmsg_parse(acl_policy, __RPC_SA_MAX, tb, blob_data(msg), blob_len(msg));
cb = rpc_session_revoke;
if (!tb[RPC_SA_OBJECTS])
- return cb(ses, ctx, scope, NULL, NULL);
+ return cb(ses, scope, NULL, NULL);
blobmsg_for_each_attr(attr, tb[RPC_SA_OBJECTS], rem1) {
- if (blob_id(attr) != BLOBMSG_TYPE_ARRAY)
+ if (blobmsg_type(attr) != BLOBMSG_TYPE_ARRAY)
continue;
object = NULL;
function = NULL;
blobmsg_for_each_attr(sattr, attr, rem2) {
- if (blob_id(sattr) != BLOBMSG_TYPE_STRING)
+ if (blobmsg_type(sattr) != BLOBMSG_TYPE_STRING)
continue;
if (!object)
}
if (object && function)
- cb(ses, ctx, scope, object, function);
+ cb(ses, scope, object, function);
}
return 0;
struct blob_attr *msg)
{
struct rpc_session *ses;
- struct blob_attr *tb[__RPC_SA_MAX];
+ struct blob_attr *tb[__RPC_SS_MAX];
struct blob_attr *attr;
int rem;
{
struct rpc_session *ses;
struct rpc_session_data *data;
- struct blob_attr *tb[__RPC_SA_MAX];
+ struct blob_attr *tb[__RPC_SG_MAX];
struct blob_attr *attr;
void *c;
int rem;
if (tb[RPC_SG_KEYS])
blobmsg_for_each_attr(attr, tb[RPC_SG_KEYS], rem) {
- if (blob_id(attr) != BLOBMSG_TYPE_STRING)
+ if (blobmsg_type(attr) != BLOBMSG_TYPE_STRING)
continue;
data = avl_find_element(&ses->data, blobmsg_data(attr), data, avl);
}
blobmsg_for_each_attr(attr, tb[RPC_SG_KEYS], rem) {
- if (blob_id(attr) != BLOBMSG_TYPE_STRING)
+ if (blobmsg_type(attr) != BLOBMSG_TYPE_STRING)
continue;
data = avl_find_element(&ses->data, blobmsg_data(attr), data, avl);
rpc_login_test_permission(struct uci_section *s,
const char *perm, const char *group)
{
+ const char *p;
struct uci_option *o;
struct uci_element *e, *l;
if (strcmp(o->e.name, perm))
continue;
- uci_foreach_element(&o->v.list, l)
- if (l->name && !fnmatch(l->name, group, 0))
+ /* Match negative expressions first. If a negative expression matches
+ * the current group name then deny access. */
+ uci_foreach_element(&o->v.list, l) {
+ p = l->name;
+
+ if (!p || *p != '!')
+ continue;
+
+ while (isspace(*++p));
+
+ if (!*p)
+ continue;
+
+ if (!fnmatch(p, group, 0))
+ return false;
+ }
+
+ uci_foreach_element(&o->v.list, l) {
+ if (!l->name || !*l->name || *l->name == '!')
+ continue;
+
+ if (!fnmatch(l->name, group, 0))
return true;
+ }
}
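Review bot: `while (isspace(*++p));` in the negative-match loop passes a plain `char` to isspace(); on targets where char is signed, a non-ASCII byte in the UCI list value becomes a negative argument, which is undefined behaviour for the <ctype.h> functions. Cast the byte first and make the empty body explicit so it is not mistaken for a stray semicolon: `while (isspace((unsigned char)*++p)) { }`. The positive-match loop that follows skips any entry beginning with `!`, so an entry that is `!` followed only by whitespace is ignored by both loops; a one-line comment stating that would save the next reader re-deriving it. The function's return type and the loop that yields `o` are outside the hunk.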
/* make sure that write permission implies read permission */
* ]
* }
*/
- if (blob_id(acl_scope) == BLOBMSG_TYPE_TABLE) {
+ if (blobmsg_type(acl_scope) == BLOBMSG_TYPE_TABLE) {
blobmsg_for_each_attr(acl_obj, acl_scope, rem) {
- if (blob_id(acl_obj) != BLOBMSG_TYPE_ARRAY)
+ if (blobmsg_type(acl_obj) != BLOBMSG_TYPE_ARRAY)
continue;
blobmsg_for_each_attr(acl_func, acl_obj, rem2) {
- if (blob_id(acl_func) != BLOBMSG_TYPE_STRING)
+ if (blobmsg_type(acl_func) != BLOBMSG_TYPE_STRING)
continue;
- rpc_session_grant(ses, NULL, blobmsg_name(acl_scope),
- blobmsg_name(acl_obj),
- blobmsg_data(acl_func));
+ rpc_session_grant(ses, blobmsg_name(acl_scope),
+ blobmsg_name(acl_obj),
+ blobmsg_data(acl_func));
}
}
}
* ...
* ]
*/
- else if (blob_id(acl_scope) == BLOBMSG_TYPE_ARRAY) {
+ else if (blobmsg_type(acl_scope) == BLOBMSG_TYPE_ARRAY) {
blobmsg_for_each_attr(acl_obj, acl_scope, rem) {
- if (blob_id(acl_obj) != BLOBMSG_TYPE_STRING)
+ if (blobmsg_type(acl_obj) != BLOBMSG_TYPE_STRING)
continue;
- rpc_session_grant(ses, NULL, blobmsg_name(acl_scope),
- blobmsg_data(acl_obj),
- blobmsg_name(acl_perm));
+ rpc_session_grant(ses, blobmsg_name(acl_scope),
+ blobmsg_data(acl_obj),
+ blobmsg_name(acl_perm));
}
}
}
blob_for_each_attr(acl_group, acl.head, rem) {
/* Iterate permission objects in each access group object */
blobmsg_for_each_attr(acl_perm, acl_group, rem2) {
- if (blob_id(acl_perm) != BLOBMSG_TYPE_TABLE)
+ if (blobmsg_type(acl_perm) != BLOBMSG_TYPE_TABLE)
continue;
/* Only "read" and "write" permissions are defined */
* access groups without having to test access of each single
* <scope>/<object>/<function> tuple defined in a group.
*/
- rpc_session_grant(ses, NULL, "access-group",
- blobmsg_name(acl_group),
- blobmsg_name(acl_perm));
+ rpc_session_grant(ses, "access-group",
+ blobmsg_name(acl_group),
+ blobmsg_name(acl_perm));
}
}
}
if (len != blob_pad_len(&head))
goto fail;
+ close(fd);
+
return attr;
fail:
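Review bot: The added `close(fd)` covers only the success path; the `fail:` label is the last line of the hunk, so whether the error path taken on `len != blob_pad_len(&head)` (and any earlier `goto fail`) also closes the descriptor cannot be confirmed from here. If it does not, every short or malformed session file still leaks an fd, and those files are read back from disk where their contents are not under the daemon's control. Closing the descriptor under `fail:` as well, or moving the single close ahead of the length check, avoids relying on the two paths staying in sync. The function's start and the body of `fail:` are outside the hunk.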
continue;
snprintf(path, sizeof(path) - 1, RPC_SESSION_DIRECTORY "/%s", ses->id);
- rpc_session_to_blob(ses);
+ rpc_session_to_blob(ses, false);
rpc_blob_to_file(path, buf.head);
}
}