Home Explore Help
Sign In
SoftwareDesign
/
csu3_am335x
8
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Branch: master
Branches Tags
csu3_am335x
/
EVSE
/
GPL
/
mosquitto-2.0.13
/
plugins
/
dynamic-security
/
acl.c

acl.c 6.9 KB
Permalink History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253 
  1. /*
    2. 

  2. Copyright (c) 2020 Roger Light <roger@atchoo.org>
    3. 

  3. 

  4. All rights reserved. This program and the accompanying materials
    5. 

  5. are made available under the terms of the Eclipse Public License 2.0
    6. 

  6. and Eclipse Distribution License v1.0 which accompany this distribution.
    7. 

  7. 

  8. The Eclipse Public License is available at
    9. 

  9.    https://www.eclipse.org/legal/epl-2.0/
    10. 

  10. and the Eclipse Distribution License is available at
    11. 

  11.   http://www.eclipse.org/org/documents/edl-v10.php.
    12. 

  12. 

  13. SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause
    14. 

  14. 

  15. Contributors:
    16. 

  16.    Roger Light - initial implementation and documentation.
    17. 

  17. */
    18. 

  18. 

  19. #include "config.h"
    20. 

  20. 

  21. #include "dynamic_security.h"
    22. 

  22. #include "mosquitto.h"
    23. 

  23. #include "mosquitto_broker.h"
    24. 

  24. #include "mosquitto_plugin.h"
    25. 

  25. 

  26. typedef int (*MOSQ_FUNC_acl_check)(struct mosquitto_evt_acl_check *, struct dynsec__rolelist *);
    27. 

  27. 

  28. /* FIXME - CACHE! */
    29. 

  29. 

  30. /* ################################################################
    31. 

  31.  * #
    32. 

  32.  * # ACL check - publish broker to client
    33. 

  33.  * #
    34. 

  34.  * ################################################################ */
    35. 

  35. 

  36. static int acl_check_publish_c_recv(struct mosquitto_evt_acl_check *ed, struct dynsec__rolelist *base_rolelist)
    37. 

  37. {
    38. 

  38. 	struct dynsec__rolelist *rolelist, *rolelist_tmp = NULL;
    39. 

  39. 	struct dynsec__acl *acl, *acl_tmp = NULL;
    40. 

  40. 	bool result;
    41. 

  41. 

  42. 	HASH_ITER(hh, base_rolelist, rolelist, rolelist_tmp){
    43. 

  43. 		HASH_ITER(hh, rolelist->role->acls.publish_c_recv, acl, acl_tmp){
    44. 

  44. 			mosquitto_topic_matches_sub(acl->topic, ed->topic, &result);
    45. 

  45. 			if(result){
    46. 

  46. 				if(acl->allow){
    47. 

  47. 					return MOSQ_ERR_SUCCESS;
    48. 

  48. 				}else{
    49. 

  49. 					return MOSQ_ERR_ACL_DENIED;
    50. 

  50. 				}
    51. 

  51. 			}
    52. 

  52. 		}
    53. 

  53. 	}
    54. 

  54. 	return MOSQ_ERR_NOT_FOUND;
    55. 

  55. }
    56. 

  56. 

  57. 

  58. /* ################################################################
    59. 

  59.  * #
    60. 

  60.  * # ACL check - publish client to broker
    61. 

  61.  * #
    62. 

  62.  * ################################################################ */
    63. 

  63. 

  64. static int acl_check_publish_c_send(struct mosquitto_evt_acl_check *ed, struct dynsec__rolelist *base_rolelist)
    65. 

  65. {
    66. 

  66. 	struct dynsec__rolelist *rolelist, *rolelist_tmp = NULL;
    67. 

  67. 	struct dynsec__acl *acl, *acl_tmp = NULL;
    68. 

  68. 	bool result;
    69. 

  69. 

  70. 	HASH_ITER(hh, base_rolelist, rolelist, rolelist_tmp){
    71. 

  71. 		HASH_ITER(hh, rolelist->role->acls.publish_c_send, acl, acl_tmp){
    72. 

  72. 			mosquitto_topic_matches_sub(acl->topic, ed->topic, &result);
    73. 

  73. 			if(result){
    74. 

  74. 				if(acl->allow){
    75. 

  75. 					return MOSQ_ERR_SUCCESS;
    76. 

  76. 				}else{
    77. 

  77. 					return MOSQ_ERR_ACL_DENIED;
    78. 

  78. 				}
    79. 

  79. 			}
    80. 

  80. 		}
    81. 

  81. 	}
    82. 

  82. 	return MOSQ_ERR_NOT_FOUND;
    83. 

  83. }
    84. 

  84. 

  85. 

  86. /* ################################################################
    87. 

  87.  * #
    88. 

  88.  * # ACL check - subscribe
    89. 

  89.  * #
    90. 

  90.  * ################################################################ */
    91. 

  91. 

  92. static int acl_check_subscribe(struct mosquitto_evt_acl_check *ed, struct dynsec__rolelist *base_rolelist)
    93. 

  93. {
    94. 

  94. 	struct dynsec__rolelist *rolelist, *rolelist_tmp = NULL;
    95. 

  95. 	struct dynsec__acl *acl, *acl_tmp = NULL;
    96. 

  96. 	size_t len;
    97. 

  97. 

  98. 	len = strlen(ed->topic);
    99. 

  99. 

  100. 	HASH_ITER(hh, base_rolelist, rolelist, rolelist_tmp){
    101. 

  101. 		HASH_FIND(hh, rolelist->role->acls.subscribe_literal, ed->topic, len, acl);
    102. 

  102. 		if(acl){
    103. 

  103. 			if(acl->allow){
    104. 

  104. 				return MOSQ_ERR_SUCCESS;
    105. 

  105. 			}else{
    106. 

  106. 				return MOSQ_ERR_ACL_DENIED;
    107. 

  107. 			}
    108. 

  108. 		}
    109. 

  109. 		HASH_ITER(hh, rolelist->role->acls.subscribe_pattern, acl, acl_tmp){
    110. 

  110. 			if(sub_acl_check(acl->topic, ed->topic)){
    111. 

  111. 				if(acl->allow){
    112. 

  112. 					return MOSQ_ERR_SUCCESS;
    113. 

  113. 				}else{
    114. 

  114. 					return MOSQ_ERR_ACL_DENIED;
    115. 

  115. 				}
    116. 

  116. 			}
    117. 

  117. 		}
    118. 

  118. 	}
    119. 

  119. 	return MOSQ_ERR_NOT_FOUND;
    120. 

  120. }
    121. 

  121. 

  122. 

  123. /* ################################################################
    124. 

  124.  * #
    125. 

  125.  * # ACL check - unsubscribe
    126. 

  126.  * #
    127. 

  127.  * ################################################################ */
    128. 

  128. 

  129. static int acl_check_unsubscribe(struct mosquitto_evt_acl_check *ed, struct dynsec__rolelist *base_rolelist)
    130. 

  130. {
    131. 

  131. 	struct dynsec__rolelist *rolelist, *rolelist_tmp = NULL;
    132. 

  132. 	struct dynsec__acl *acl, *acl_tmp = NULL;
    133. 

  133. 	size_t len;
    134. 

  134. 

  135. 	len = strlen(ed->topic);
    136. 

  136. 

  137. 	HASH_ITER(hh, base_rolelist, rolelist, rolelist_tmp){
    138. 

  138. 		HASH_FIND(hh, rolelist->role->acls.unsubscribe_literal, ed->topic, len, acl);
    139. 

  139. 		if(acl){
    140. 

  140. 			if(acl->allow){
    141. 

  141. 				return MOSQ_ERR_SUCCESS;
    142. 

  142. 			}else{
    143. 

  143. 				return MOSQ_ERR_ACL_DENIED;
    144. 

  144. 			}
    145. 

  145. 		}
    146. 

  146. 		HASH_ITER(hh, rolelist->role->acls.unsubscribe_pattern, acl, acl_tmp){
    147. 

  147. 			if(sub_acl_check(acl->topic, ed->topic)){
    148. 

  148. 				if(acl->allow){
    149. 

  149. 					return MOSQ_ERR_SUCCESS;
    150. 

  150. 				}else{
    151. 

  151. 					return MOSQ_ERR_ACL_DENIED;
    152. 

  152. 				}
    153. 

  153. 			}
    154. 

  154. 		}
    155. 

  155. 	}
    156. 

  156. 	return MOSQ_ERR_NOT_FOUND;
    157. 

  157. }
    158. 

  158. 

  159. 

  160. /* ################################################################
    161. 

  161.  * #
    162. 

  162.  * # ACL check - generic check
    163. 

  163.  * #
    164. 

  164.  * ################################################################ */
    165. 

  165. 

  166. static int acl_check(struct mosquitto_evt_acl_check *ed, MOSQ_FUNC_acl_check check, bool acl_default_access)
    167. 

  167. {
    168. 

  168. 	struct dynsec__client *client;
    169. 

  169. 	struct dynsec__grouplist *grouplist, *grouplist_tmp = NULL;
    170. 

  170. 	const char *username;
    171. 

  171. 	int rc;
    172. 

  172. 

  173. 	username = mosquitto_client_username(ed->client);
    174. 

  174. 

  175. 	if(username){
    176. 

  176. 		client = dynsec_clients__find(username);
    177. 

  177. 		if(client == NULL) return MOSQ_ERR_PLUGIN_DEFER;
    178. 

  178. 

  179. 		/* Client roles */
    180. 

  180. 		rc = check(ed, client->rolelist);
    181. 

  181. 		if(rc != MOSQ_ERR_NOT_FOUND){
    182. 

  182. 			return rc;
    183. 

  183. 		}
    184. 

  184. 

  185. 		HASH_ITER(hh, client->grouplist, grouplist, grouplist_tmp){
    186. 

  186. 			rc = check(ed, grouplist->group->rolelist);
    187. 

  187. 			if(rc != MOSQ_ERR_NOT_FOUND){
    188. 

  188. 				return rc;
    189. 

  189. 			}
    190. 

  190. 		}
    191. 

  191. 	}else if(dynsec_anonymous_group){
    192. 

  192. 		/* If we have a group for anonymous users, use that for checking. */
    193. 

  193. 		rc = check(ed, dynsec_anonymous_group->rolelist);
    194. 

  194. 		if(rc != MOSQ_ERR_NOT_FOUND){
    195. 

  195. 			return rc;
    196. 

  196. 		}
    197. 

  197. 	}
    198. 

  198. 

  199. 	if(acl_default_access == false){
    200. 

  200. 		return MOSQ_ERR_PLUGIN_DEFER;
    201. 

  201. 	}else{
    202. 

  202. 		if(!strncmp(ed->topic, "$CONTROL", strlen("$CONTROL"))){
    203. 

  203. 			/* We never give fall through access to $CONTROL topics, they must
    204. 

  204. 			 * be granted explicitly. */
    205. 

  205. 			return MOSQ_ERR_PLUGIN_DEFER;
    206. 

  206. 		}else{
    207. 

  207. 			return MOSQ_ERR_SUCCESS;
    208. 

  208. 		}
    209. 

  209. 	}
    210. 

  210. }
    211. 

  211. 

  212. 

  213. /* ################################################################
    214. 

  214.  * #
    215. 

  215.  * # ACL check - plugin callback
    216. 

  216.  * #
    217. 

  217.  * ################################################################ */
    218. 

  218. 

  219. int dynsec__acl_check_callback(int event, void *event_data, void *userdata)
    220. 

  220. {
    221. 

  221. 	struct mosquitto_evt_acl_check *ed = event_data;
    222. 

  222. 

  223. 	UNUSED(event);
    224. 

  224. 	UNUSED(userdata);
    225. 

  225. 

  226. 	/* ACL checks are made in the order below until a match occurs, at which
    227. 

  227. 	 * point the decision is made.
    228. 

  228. 	 *
    229. 

  229. 	 * User roles in priority order highest to lowest.
    230. 

  230. 	 *    Roles have their ACLs checked in priority order, highest to lowest
    231. 

  231. 	 * Groups are processed in priority order highest to lowest
    232. 

  232. 	 *    Group roles are processed in priority order, highest to lowest
    233. 

  233. 	 *       Roles have their ACLs checked in priority order, highest to lowest
    234. 

  234. 	 */
    235. 

  235. 

  236. 	switch(ed->access){
    237. 

  237. 		case MOSQ_ACL_SUBSCRIBE:
    238. 

  238. 			return acl_check(event_data, acl_check_subscribe, default_access.subscribe);
    239. 

  239. 			break;
    240. 

  240. 		case MOSQ_ACL_UNSUBSCRIBE:
    241. 

  241. 			return acl_check(event_data, acl_check_unsubscribe, default_access.unsubscribe);
    242. 

  242. 			break;
    243. 

  243. 		case MOSQ_ACL_WRITE: /* Client to broker */
    244. 

  244. 			return acl_check(event_data, acl_check_publish_c_send, default_access.publish_c_send);
    245. 

  245. 			break;
    246. 

  246. 		case MOSQ_ACL_READ:
    247. 

  247. 			return acl_check(event_data, acl_check_publish_c_recv, default_access.publish_c_recv);
    248. 

  248. 			break;
    249. 

  249. 		default:
    250. 

  250. 			return MOSQ_ERR_PLUGIN_DEFER;
    251. 

  251. 	}
    252. 

  252. 	return MOSQ_ERR_PLUGIN_DEFER;
    253. 

  253. }
    254.