X-Git-Url: http://git.archive.openwrt.org/?p=project%2Frpcd.git;a=blobdiff_plain;f=session.c;h=fd003ac08674bd43edcf4fd83f70e571715fe2a5;hp=a4ed5f354e6c0dc906c1f191c8d19c923a72c91f;hb=835b8b768da374075af56f624537d03d8ec97647;hpb=d0d1a92432699eaa2d97e871117230b1f809a2f9
diff --git a/session.c b/session.c
index a4ed5f3..fd003ac 100644
--- a/session.c
+++ b/session.c
@@ -2,7 +2,7 @@
  * rpcd - UBUS RPC server
  *
  * Copyright (C) 2013 Felix Fietkau
- * Copyright (C) 2013 Jo-Philipp Wich
+ * Copyright (C) 2013-2014 Jo-Philipp Wich
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -44,7 +44,7 @@ static const struct blobmsg_policy new_policy = {
 };
 
 static const struct blobmsg_policy sid_policy = {
-	.name = "sid", .type = BLOBMSG_TYPE_STRING
+	.name = "ubus_rpc_session", .type = BLOBMSG_TYPE_STRING
 };
 
 enum {
@@ -53,7 +53,7 @@ enum {
 	__RPC_SS_MAX,
 };
 static const struct blobmsg_policy set_policy[__RPC_SS_MAX] = {
-	[RPC_SS_SID] = { .name = "sid", .type = BLOBMSG_TYPE_STRING },
+	[RPC_SS_SID] = { .name = "ubus_rpc_session", .type = BLOBMSG_TYPE_STRING },
 	[RPC_SS_VALUES] = { .name = "values", .type = BLOBMSG_TYPE_TABLE },
 };
 
@@ -63,7 +63,7 @@ enum {
 	__RPC_SG_MAX,
 };
 static const struct blobmsg_policy get_policy[__RPC_SG_MAX] = {
-	[RPC_SG_SID] = { .name = "sid", .type = BLOBMSG_TYPE_STRING },
+	[RPC_SG_SID] = { .name = "ubus_rpc_session", .type = BLOBMSG_TYPE_STRING },
 	[RPC_SG_KEYS] = { .name = "keys", .type = BLOBMSG_TYPE_ARRAY },
 };
 
@@ -74,7 +74,7 @@ enum {
 	__RPC_SA_MAX,
 };
 static const struct blobmsg_policy acl_policy[__RPC_SA_MAX] = {
-	[RPC_SA_SID] = { .name = "sid", .type = BLOBMSG_TYPE_STRING },
+	[RPC_SA_SID] = { .name = "ubus_rpc_session", .type = BLOBMSG_TYPE_STRING },
 	[RPC_SA_SCOPE] = { .name = "scope", .type = BLOBMSG_TYPE_STRING },
 	[RPC_SA_OBJECTS] = { .name = "objects", .type = BLOBMSG_TYPE_ARRAY },
 };
@@ -87,7 +87,7 @@ enum {
 	__RPC_SP_MAX,
 };
 static const struct blobmsg_policy perm_policy[__RPC_SP_MAX] = {
-	[RPC_SP_SID] = { .name = "sid", .type = BLOBMSG_TYPE_STRING },
+	[RPC_SP_SID] = { .name = "ubus_rpc_session", .type = BLOBMSG_TYPE_STRING },
 	[RPC_SP_SCOPE] = { .name = "scope", .type = BLOBMSG_TYPE_STRING },
 	[RPC_SP_OBJECT] = { .name = "object", .type = BLOBMSG_TYPE_STRING },
 	[RPC_SP_FUNCTION] = { .name = "function", .type = BLOBMSG_TYPE_STRING },
@@ -101,7 +101,7 @@ enum {
 	__RPC_DUMP_MAX,
 };
 static const struct blobmsg_policy dump_policy[__RPC_DUMP_MAX] = {
-	[RPC_DUMP_SID] = { .name = "sid", .type = BLOBMSG_TYPE_STRING },
+	[RPC_DUMP_SID] = { .name = "ubus_rpc_session", .type = BLOBMSG_TYPE_STRING },
 	[RPC_DUMP_TIMEOUT] = { .name = "timeout", .type = BLOBMSG_TYPE_INT32 },
 	[RPC_DUMP_EXPIRES] = { .name = "expires", .type = BLOBMSG_TYPE_INT32 },
 	[RPC_DUMP_DATA] = { .name = "data", .type = BLOBMSG_TYPE_TABLE },
@@ -203,16 +203,22 @@ rpc_session_dump_acls(struct rpc_session *ses, struct blob_buf *b)
 }
 
 static void
-rpc_session_to_blob(struct rpc_session *ses)
+rpc_session_to_blob(struct rpc_session *ses, bool acls)
 {
 	void *c;
 
 	blob_buf_init(&buf, 0);
 
-	blobmsg_add_string(&buf, "sid", ses->id);
+	blobmsg_add_string(&buf, "ubus_rpc_session", ses->id);
 	blobmsg_add_u32(&buf, "timeout", ses->timeout);
 	blobmsg_add_u32(&buf, "expires", uloop_timeout_remaining(&ses->t) / 1000);
 
+	if (acls) {
+		c = blobmsg_open_table(&buf, "acls");
+		rpc_session_dump_acls(ses, &buf);
+		blobmsg_close_table(&buf, c);
+	}
+
 	c = blobmsg_open_table(&buf, "data");
 	rpc_session_dump_data(ses, &buf);
 	blobmsg_close_table(&buf, c);
@@ -222,7 +228,7 @@ static void
 rpc_session_dump(struct rpc_session *ses, struct ubus_context *ctx,
                  struct ubus_request_data *req)
 {
-	rpc_session_to_blob(ses);
+	rpc_session_to_blob(ses, true);
 
 	ubus_send_reply(ctx, req, buf.head);
 }
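Review bot: The new `acls` parameter of rpc_session_to_blob in the `@@ -203` hunk is undocumented, and the two call sites in this commit disagree on it (rpc_session_dump passes true, rpc_session_freeze passes false), so a reader cannot tell whether leaving the ACL table out of the frozen blob is deliberate. Suggest a header comment on the function: `/* Serialise ses into the file-scope buf. With acls set, the session's grants are emitted under "acls" (ubus replies); the on-disk freeze image omits them. */`. The function keeps writing into the shared `buf`, so each caller must consume buf.head before any other blob_buf user runs; that belongs in the same comment. `bool` needs <stdbool.h>, and the include block is outside the diff, so confirm it is present.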
@@ -380,7 +386,7 @@ uh_id_len(const char *str)
 }
 
 static int
-rpc_session_grant(struct rpc_session *ses, struct ubus_context *ctx,
+rpc_session_grant(struct rpc_session *ses,
                   const char *scope, const char *object, const char *function)
 {
 	struct rpc_session_acl *acl;
@@ -431,7 +437,7 @@ rpc_session_grant(struct rpc_session *ses, struct ubus_context *ctx,
 }
 
 static int
-rpc_session_revoke(struct rpc_session *ses, struct ubus_context *ctx,
+rpc_session_revoke(struct rpc_session *ses,
                    const char *scope, const char *object, const char *function)
 {
 	struct rpc_session_acl *acl, *next;
@@ -496,8 +502,8 @@ rpc_handle_acl(struct ubus_context *ctx, struct ubus_object *obj,
 	const char *scope = "ubus";
 	int rem1, rem2;
 
-	int (*cb)(struct rpc_session *ses, struct ubus_context *ctx,
-	          const char *scope, const char *object, const char *function);
+	int (*cb)(struct rpc_session *ses,
+	          const char *scope, const char *object, const char *function);
 
 	blobmsg_parse(acl_policy, __RPC_SA_MAX, tb, blob_data(msg), blob_len(msg));
 
@@ -517,17 +523,17 @@ rpc_handle_acl(struct ubus_context *ctx, struct ubus_object *obj,
 		cb = rpc_session_revoke;
 
 	if (!tb[RPC_SA_OBJECTS])
-		return cb(ses, ctx, scope, NULL, NULL);
+		return cb(ses, scope, NULL, NULL);
 
 	blobmsg_for_each_attr(attr, tb[RPC_SA_OBJECTS], rem1) {
-		if (blob_id(attr) != BLOBMSG_TYPE_ARRAY)
+		if (blobmsg_type(attr) != BLOBMSG_TYPE_ARRAY)
 			continue;
 
 		object = NULL;
 		function = NULL;
 
 		blobmsg_for_each_attr(sattr, attr, rem2) {
-			if (blob_id(sattr) != BLOBMSG_TYPE_STRING)
+			if (blobmsg_type(sattr) != BLOBMSG_TYPE_STRING)
 				continue;
 
 			if (!object)
@@ -539,7 +545,7 @@ rpc_handle_acl(struct ubus_context *ctx, struct ubus_object *obj,
 		}
 
 		if (object && function)
-			cb(ses, ctx, scope, object, function);
+			cb(ses, scope, object, function);
 	}
 
 	return 0;
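Review bot: In the `@@ -539` hunk the per-object call `cb(ses, scope, object, function);` still drops the callback's int result, whereas the objects-less path in the `@@ -517` hunk returns that same result to ubus as the method status. If rpc_session_grant or rpc_session_revoke can report a failure (their bodies are outside the hunks shown), a partially applied grant list is reported to the client as success, which is the wrong way to fail for an ACL change. Either propagate it, `if (cb(ses, scope, object, function)) return UBUS_STATUS_UNKNOWN_ERROR;`, or document at the loop that per-object grants are best-effort. rpc_handle_acl starts and ends outside the hunks.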
@@ -574,22 +580,31 @@ rpc_handle_access(struct ubus_context *ctx, struct ubus_object *obj,
 	blobmsg_parse(perm_policy, __RPC_SP_MAX, tb, blob_data(msg), blob_len(msg));
 
-	if (!tb[RPC_SP_SID] || !tb[RPC_SP_OBJECT] || !tb[RPC_SP_FUNCTION])
+	if (!tb[RPC_SP_SID])
 		return UBUS_STATUS_INVALID_ARGUMENT;
 
 	ses = rpc_session_get(blobmsg_data(tb[RPC_SP_SID]));
 
 	if (!ses)
 		return UBUS_STATUS_NOT_FOUND;
 
-	if (tb[RPC_SP_SCOPE])
-		scope = blobmsg_data(tb[RPC_SP_SCOPE]);
+	blob_buf_init(&buf, 0);
 
-	allow = rpc_session_acl_allowed(ses, scope,
-	                                blobmsg_data(tb[RPC_SP_OBJECT]),
-	                                blobmsg_data(tb[RPC_SP_FUNCTION]));
+	if (tb[RPC_SP_OBJECT] && tb[RPC_SP_FUNCTION])
+	{
+		if (tb[RPC_SP_SCOPE])
+			scope = blobmsg_data(tb[RPC_SP_SCOPE]);
+
+		allow = rpc_session_acl_allowed(ses, scope,
+		                                blobmsg_data(tb[RPC_SP_OBJECT]),
+		                                blobmsg_data(tb[RPC_SP_FUNCTION]));
+
+		blobmsg_add_u8(&buf, "access", allow);
+	}
+	else
+	{
+		rpc_session_dump_acls(ses, &buf);
+	}
 
-	blob_buf_init(&buf, 0);
-	blobmsg_add_u8(&buf, "access", allow);
 	ubus_send_reply(ctx, req, buf.head);
 
 	return 0;
@@ -621,7 +636,7 @@ rpc_handle_set(struct ubus_context *ctx, struct ubus_object *obj,
                struct blob_attr *msg)
 {
 	struct rpc_session *ses;
-	struct blob_attr *tb[__RPC_SA_MAX];
+	struct blob_attr *tb[__RPC_SS_MAX];
 	struct blob_attr *attr;
 	int rem;
 
@@ -651,7 +666,7 @@ rpc_handle_get(struct ubus_context *ctx, struct ubus_object *obj,
 {
 	struct rpc_session *ses;
 	struct rpc_session_data *data;
-	struct blob_attr *tb[__RPC_SA_MAX];
+	struct blob_attr *tb[__RPC_SG_MAX];
 	struct blob_attr *attr;
 	void *c;
 	int rem;
@@ -670,7 +685,7 @@ rpc_handle_get(struct ubus_context *ctx, struct ubus_object *obj,
 
 	if (tb[RPC_SG_KEYS])
 		blobmsg_for_each_attr(attr, tb[RPC_SG_KEYS], rem) {
-			if (blob_id(attr) != BLOBMSG_TYPE_STRING)
+			if (blobmsg_type(attr) != BLOBMSG_TYPE_STRING)
 				continue;
 
 			data = avl_find_element(&ses->data, blobmsg_data(attr), data, avl);
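Review bot: In the `@@ -574` hunk the argument check is relaxed to `if (!tb[RPC_SP_SID])`, so a request carrying `object` without `function` (or the reverse) no longer fails with UBUS_STATUS_INVALID_ARGUMENT but silently takes the else branch and receives the full ACL dump with no `access` key; a client that only reads `access` then sees a missing field instead of an error. Half-specified queries should still be rejected before the branch, `if (!!tb[RPC_SP_OBJECT] != !!tb[RPC_SP_FUNCTION]) return UBUS_STATUS_INVALID_ARGUMENT;`. The dump branch is also a new disclosure surface — any holder of a session id can now enumerate every grant on it — so the handler deserves a comment stating that the two reply shapes (`{"access": bool}` versus the ACL table) are intentional. rpc_handle_access's declarations and the default `scope` are above the hunk.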
@@ -718,7 +733,7 @@ rpc_handle_unset(struct ubus_context *ctx, struct ubus_object *obj,
 	}
 
 	blobmsg_for_each_attr(attr, tb[RPC_SG_KEYS], rem) {
-		if (blob_id(attr) != BLOBMSG_TYPE_STRING)
+		if (blobmsg_type(attr) != BLOBMSG_TYPE_STRING)
 			continue;
 
 		data = avl_find_element(&ses->data, blobmsg_data(attr), data, avl);
@@ -857,6 +872,7 @@ static bool
 rpc_login_test_permission(struct uci_section *s,
                           const char *perm, const char *group)
 {
+	const char *p;
 	struct uci_option *o;
 	struct uci_element *e, *l;
 
@@ -877,9 +893,30 @@ rpc_login_test_permission(struct uci_section *s,
 			if (strcmp(o->e.name, perm))
 				continue;
 
-			uci_foreach_element(&o->v.list, l)
-				if (l->name && !fnmatch(l->name, group, 0))
+			/* Match negative expressions first. If a negative expression matches
+			 * the current group name then deny access. */
+			uci_foreach_element(&o->v.list, l) {
+				p = l->name;
+
+				if (!p || *p != '!')
+					continue;
+
+				while (isspace(*++p));
+
+				if (!*p)
+					continue;
+
+				if (!fnmatch(p, group, 0))
+					return false;
+			}
+
+			uci_foreach_element(&o->v.list, l) {
+				if (!l->name || !*l->name || *l->name == '!')
+					continue;
+
+				if (!fnmatch(l->name, group, 0))
 					return true;
+			}
 		}
 
 	/* make sure that write permission implies read permission */
@@ -908,18 +945,18 @@ rpc_login_setup_acl_scope(struct rpc_session *ses,
 	 *   ]
 	 * }
 	 */
-	if (blob_id(acl_scope) == BLOBMSG_TYPE_TABLE) {
+	if (blobmsg_type(acl_scope) == BLOBMSG_TYPE_TABLE) {
 		blobmsg_for_each_attr(acl_obj, acl_scope, rem) {
-			if (blob_id(acl_obj) != BLOBMSG_TYPE_ARRAY)
+			if (blobmsg_type(acl_obj) != BLOBMSG_TYPE_ARRAY)
 				continue;
 
 			blobmsg_for_each_attr(acl_func, acl_obj, rem2) {
-				if (blob_id(acl_func) != BLOBMSG_TYPE_STRING)
+				if (blobmsg_type(acl_func) != BLOBMSG_TYPE_STRING)
 					continue;
 
-				rpc_session_grant(ses, NULL, blobmsg_name(acl_scope),
-				                  blobmsg_name(acl_obj),
-				                  blobmsg_data(acl_func));
+				rpc_session_grant(ses, blobmsg_name(acl_scope),
+				                  blobmsg_name(acl_obj),
+				                  blobmsg_data(acl_func));
 			}
 		}
 	}
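Review bot: In the `@@ -877` hunk, `while (isspace(*++p));` passes a plain `char` to isspace(); on targets where char is signed, a byte above 0x7f in the UCI option value becomes a negative argument, which is undefined behaviour for the ctype functions, so write `while (isspace((unsigned char)*++p)) { }` — the braces also make the deliberately empty body explicit rather than a bare `;` that compilers flag under -Wempty-body. The positive-match loop below does not skip leading whitespace the way the negative loop does, so `"! foo"` and `" foo"` are handled asymmetrically; if that is intended, the comment above the loops should say so. isspace() needs <ctype.h>, which is outside the hunk — confirm it is included. The enclosing loop over `e` and the function's tail are outside the hunk.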
@@ -934,14 +971,14 @@ rpc_login_setup_acl_scope(struct rpc_session *ses,
 	 *   ...
 	 * ]
 	 */
-	else if (blob_id(acl_scope) == BLOBMSG_TYPE_ARRAY) {
+	else if (blobmsg_type(acl_scope) == BLOBMSG_TYPE_ARRAY) {
 		blobmsg_for_each_attr(acl_obj, acl_scope, rem) {
-			if (blob_id(acl_obj) != BLOBMSG_TYPE_STRING)
+			if (blobmsg_type(acl_obj) != BLOBMSG_TYPE_STRING)
 				continue;
 
-			rpc_session_grant(ses, NULL, blobmsg_name(acl_scope),
-			                  blobmsg_data(acl_obj),
-			                  blobmsg_name(acl_perm));
+			rpc_session_grant(ses, blobmsg_name(acl_scope),
+			                  blobmsg_data(acl_obj),
+			                  blobmsg_name(acl_perm));
 		}
 	}
 }
@@ -965,7 +1002,7 @@ rpc_login_setup_acl_file(struct rpc_session *ses, struct uci_section *login,
 	blob_for_each_attr(acl_group, acl.head, rem) {
 		/* Iterate permission objects in each access group object */
 		blobmsg_for_each_attr(acl_perm, acl_group, rem2) {
-			if (blob_id(acl_perm) != BLOBMSG_TYPE_TABLE)
+			if (blobmsg_type(acl_perm) != BLOBMSG_TYPE_TABLE)
 				continue;
 
 			/* Only "read" and "write" permissions are defined */
@@ -1006,9 +1043,9 @@ rpc_login_setup_acl_file(struct rpc_session *ses, struct uci_section *login,
 			 * access groups without having to test access of each single
 			 * // tuple defined in a group.
 			 */
-			rpc_session_grant(ses, NULL, "access-group",
-			                  blobmsg_name(acl_group),
-			                  blobmsg_name(acl_perm));
+			rpc_session_grant(ses, "access-group",
+			                  blobmsg_name(acl_group),
+			                  blobmsg_name(acl_perm));
 		}
 	}
 }
@@ -1160,6 +1197,8 @@ rpc_blob_from_file(const char *path)
 	if (len != blob_pad_len(&head))
 		goto fail;
 
+	close(fd);
+
 	return attr;
 
 fail:
@@ -1296,7 +1335,7 @@ void rpc_session_freeze(void)
 			continue;
 
 		snprintf(path, sizeof(path) - 1, RPC_SESSION_DIRECTORY "/%s", ses->id);
-		rpc_session_to_blob(ses);
+		rpc_session_to_blob(ses, false);
 		rpc_blob_to_file(path, buf.head);
 	}
 }
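Review bot: In the `@@ -1296` hunk, `snprintf(path, sizeof(path) - 1, RPC_SESSION_DIRECTORY "/%s", ses->id);` needlessly under-sizes the buffer (snprintf always NUL-terminates within the size it is given) and ignores the return value, so a truncated path would be handed to rpc_blob_to_file without notice. Prefer `int n = snprintf(path, sizeof(path), RPC_SESSION_DIRECTORY "/%s", ses->id);` followed by `if (n < 0 || (size_t)n >= sizeof(path)) continue;` before the `rpc_session_to_blob(ses, false)` call. The freeze image now omits the ACL table; if the thaw path (not in this diff) does not rebuild grants, restored sessions come back without them, so a one-line comment at this call site saying where ACLs are re-established would help. rpc_session_freeze's loop header and the `path` declaration are above the hunk.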