forked from nicolasff/webdis
-
Notifications
You must be signed in to change notification settings - Fork 0
/
acl.c
98 lines (78 loc) · 2.12 KB
/
acl.c
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
#include "acl.h"
#include "cmd.h"
#include "conf.h"
#include "http.h"
#include "client.h"
#include <string.h>
#include <evhttp.h>
#include <netinet/in.h>
#include <arpa/inet.h>
int
acl_match_client(struct acl *a, struct http_client *client, in_addr_t *ip) {
/* check HTTP Basic Auth */
const char *auth;
auth = client_get_header(client, "Authorization");
if(a->http_basic_auth) {
if(auth && strncasecmp(auth, "Basic ", 6) == 0) { /* sent auth */
if(strcmp(auth + 6, a->http_basic_auth) != 0) { /* bad password */
return 0;
}
} else { /* no auth sent, required to match this ACL */
return 0;
}
}
/* CIDR check. */
if(a->cidr.enabled == 0) { /* none given, all match */
return 1;
}
if(((*ip) & a->cidr.mask) == (a->cidr.subnet & a->cidr.mask)) {
return 1;
}
return 0;
}
int
acl_allow_command(struct cmd *cmd, struct conf *cfg, struct http_client *client) {
char *always_off[] = {"MULTI", "EXEC", "WATCH", "DISCARD"};
unsigned int i;
int authorized = 1;
struct acl *a;
in_addr_t client_addr;
const char *cmd_name;
size_t cmd_len;
if(cmd->count == 0) {
return 0;
}
cmd_name = cmd->argv[0];
cmd_len = cmd->argv_len[0];
/* some commands are always disabled, regardless of the config file. */
for(i = 0; i < sizeof(always_off) / sizeof(always_off[0]); ++i) {
if(strncasecmp(always_off[i], cmd_name, cmd_len) == 0) {
return 0;
}
}
/* find client's address */
client_addr = ntohl(client->addr);
/* go through permissions */
for(a = cfg->perms; a; a = a->next) {
if(!acl_match_client(a, client, &client_addr)) continue; /* match client */
/* go through authorized commands */
for(i = 0; i < a->enabled.count; ++i) {
if(strncasecmp(a->enabled.commands[i], cmd_name, cmd_len) == 0) {
authorized = 1;
}
if(strncasecmp(a->enabled.commands[i], "*", 1) == 0) {
authorized = 1;
}
}
/* go through unauthorized commands */
for(i = 0; i < a->disabled.count; ++i) {
if(strncasecmp(a->disabled.commands[i], cmd_name, cmd_len) == 0) {
authorized = 0;
}
if(strncasecmp(a->disabled.commands[i], "*", 1) == 0) {
authorized = 0;
}
}
}
return authorized;
}