| blob | 74d019a6206511ad507ea3e2a3d46704502d95bf |
1 /* authz.c : path-based access control
2 *
3 * ====================================================================
4 * Copyright (c) 2000-2006 CollabNet. All rights reserved.
5 *
6 * This software is licensed as described in the file COPYING, which
7 * you should have received as part of this distribution. The terms
8 * are also available at http://subversion.tigris.org/license-1.html.
9 * If newer versions of this license are posted there, you may use a
10 * newer version instead, at your option.
11 *
12 * This software consists of voluntary contributions made by many
13 * individuals. For exact contribution history, see the revision
14 * history and logs, available at http://subversion.tigris.org/.
15 * ====================================================================
16 */
18 \f
19 /*** Includes. ***/
21 #include <assert.h>
23 #include <apr_pools.h>
24 #include <apr_file_io.h>
33 \f
34 /*** Structures. ***/
36 /* Information for the config enumerators called during authz
37 lookup. */
39 /* The authz configuration. */
42 /* The user to authorize. */
45 /* Explicitly granted rights. */
46 svn_repos_authz_access_t allow;
47 /* Explicitly denied rights. */
48 svn_repos_authz_access_t deny;
50 /* The rights required by the caller of the lookup. */
51 svn_repos_authz_access_t required_access;
53 /* The following are used exclusively in recursive lookups. */
55 /* The path in the repository to authorize. */
57 /* repos_path prefixed by the repository name. */
60 /* Whether, at the end of a recursive lookup, access is granted. */
61 svn_boolean_t access;
62 };
64 /* Information for the config enumeration functions called during the
65 validation process. */
69 enumerator, if any. */
70 };
72 /* Currently this structure is just a wrapper around a
73 svn_config_t. */
74 struct svn_authz_t
75 {
77 };
80 \f
81 /*** Checking access. ***/
83 /* Determine whether the REQUIRED access is granted given what authz
84 * to ALLOW or DENY. Return TRUE if the REQUIRED access is
85 * granted.
86 *
87 * Access is granted either when no required access is explicitly
88 * denied (implicit grant), or when the required access is explicitly
89 * granted, overriding any denials.
90 */
91 static svn_boolean_t
93 svn_repos_authz_access_t deny,
94 svn_repos_authz_access_t required)
95 {
96 svn_repos_authz_access_t stripped_req =
103 else
105 }
108 /* Decide whether the REQUIRED access has been conclusively
109 * determined. Return TRUE if the given ALLOW/DENY authz are
110 * conclusive regarding the REQUIRED authz.
111 *
112 * Conclusive determination occurs when any of the REQUIRED authz are
113 * granted or denied by ALLOW/DENY.
114 */
115 static svn_boolean_t
117 svn_repos_authz_access_t deny,
118 svn_repos_authz_access_t required)
119 {
122 else
124 }
126 /* Return TRUE is USER equals ALIAS. The alias definitions are in the
127 "aliases" sections of CFG. Use POOL for temporary allocations during
128 the lookup. */
129 static svn_boolean_t
134 {
145 }
148 /* Return TRUE if USER is in GROUP. The group definitions are in the
149 "groups" section of CFG. Use POOL for temporary allocations during
150 the lookup. */
151 static svn_boolean_t
156 {
166 {
169 /* If the 'user' is a subgroup, recurse into it. */
171 {
175 }
177 /* If the 'user' is an alias, verify it. */
179 {
183 }
185 /* If the user matches, stop. */
188 }
191 }
194 /* Determines whether an authz rule applies to the current
195 * user, given the name part of the rule's name-value pair
196 * in RULE_MATCH_STRING and the authz_lookup_baton object
197 * B with the username in question.
198 */
199 static svn_boolean_t
203 {
204 /* If the rule has an inversion, recurse and invert the result. */
208 /* Check for special tokens. */
214 /* Check for a wildcard rule. */
218 /* If we get here, then the rule is:
219 * - Not an inversion rule.
220 * - Not an authz token rule.
221 * - Not a wildcard rule.
222 *
223 * All that's left over is regular user or group specifications.
224 */
226 /* If the session is anonymous, then a user/group
227 * rule definitely won't match.
228 */
232 /* Process the rule depending on whether it is
233 * a user, alias or group rule.
234 */
241 else
243 }
246 /* Callback to parse one line of an authz file and update the
247 * authz_baton accordingly.
248 */
249 static svn_boolean_t
252 {
255 /* Stop if the rule doesn't apply to this user. */
259 /* Set the access grants for the rule. */
262 else
267 else
271 }
274 /* Callback to parse a section and update the authz_baton if the
275 * section denies access to the subtree the baton describes.
276 */
277 static svn_boolean_t
279 {
281 svn_boolean_t conclusive;
283 /* Does the section apply to us? */
285 section_name) == FALSE
290 /* Work out what this section grants. */
295 /* Has the section explicitly determined an access? */
299 /* Is access granted OR inconclusive? */
304 /* As long as access isn't conclusively denied, carry on. */
306 }
309 /* Validate access to the given user for the given path. This
310 * function checks rules for exactly the given path, and first tries
311 * to access a section specific to the given repository before falling
312 * back to pan-repository rules.
313 *
314 * Update *access_granted to inform the caller of the outcome of the
315 * lookup. Return a boolean indicating whether the access rights were
316 * successfully determined.
317 */
318 static svn_boolean_t
321 svn_repos_authz_access_t required_access,
324 {
331 /* Try to locate a repository-specific block first. */
337 required_access);
339 /* If the first test has determined access, stop now. */
341 required_access))
344 /* No repository specific rule, try pan-repository rules. */
348 required_access);
350 required_access);
351 }
354 /* Validate access to the given user for the subtree starting at the
355 * given path. This function walks the whole authz file in search of
356 * rules applying to paths in the requested subtree which deny the
357 * requested access.
358 *
359 * As soon as one is found, or else when the whole ACL file has been
360 * searched, return the updated authorization status.
361 */
362 static svn_boolean_t
365 svn_repos_authz_access_t required_access,
367 {
376 /* Default to access granted if no rules say otherwise. */
383 }
386 /* Callback to parse sections of the configuration file, looking for
387 any kind of granted access. Implements the
388 svn_config_section_enumerator2_t interface. */
389 static svn_boolean_t
392 {
395 /* Does the section apply to the query? */
399 {
407 /* Continue as long as we don't find a determined, granted access. */
411 }
414 }
417 /* Walk through the authz CFG to check if USER has the REQUIRED_ACCESS
418 * to any path within the REPOSITORY. Return TRUE if so. Use POOL
419 * for temporary allocations. */
420 static svn_boolean_t
423 svn_repos_authz_access_t required_access,
425 {
437 /* If walking the configuration was inconclusive, deny access. */
443 }
446 \f
447 /*** Validating the authz file. ***/
449 /* Check for errors in GROUP's definition of CFG. The errors
450 * detected are references to non-existent groups and circular
451 * dependencies between groups. If an error is found, return
452 * SVN_ERR_AUTHZ_INVALID_CONFIG. Use POOL for temporary
453 * allocations only.
454 *
455 * CHECKED_GROUPS should be an empty (it is used for recursive calls).
456 */
462 {
468 /* Having a non-existent group in the ACL configuration might be the
469 sign of a typo. Refuse to perform authz on uncertain rules. */
472 "An authz rule refers to group '%s', "
474 group);
479 {
482 /* If the 'user' is a subgroup, recurse into it. */
484 {
485 /* A circular dependency between groups is a Bad Thing. We
486 don't do authz with invalid ACL files. */
488 APR_HASH_KEY_STRING))
490 NULL,
491 "Circular dependency between "
495 /* Add group to hash of checked groups. */
499 /* Recurse on that group. */
503 /* Remove group from hash of checked groups, so that we don't
504 incorrectly report an error if we see it again as part of
505 another group. */
508 }
510 {
514 /* Having a non-existent alias in the ACL configuration might be the
515 sign of a typo. Refuse to perform authz on uncertain rules. */
518 "An authz rule refers to alias '%s', "
521 }
522 }
525 }
528 /* Callback to perform some simple sanity checks on an authz rule.
529 *
530 * - If RULE_MATCH_STRING references a group or an alias, verify that
531 * the group or alias definition exists.
532 * - If RULE_MATCH_STRING specifies a token (starts with $), verify
533 * that the token name is valid.
534 * - If RULE_MATCH_STRING is using inversion, verify that it isn't
535 * doing it more than once within the one rule, and that it isn't
536 * "~*", as that would never match.
537 * - Check that VALUE part of the rule specifies only allowed rule
538 * flag characters ('r' and 'w').
539 *
540 * Return TRUE if the rule has no errors. Use BATON for context and
541 * error reporting.
542 */
547 {
552 /* Make sure the user isn't using double-negatives. */
554 {
555 /* Bump the pointer past the inversion for the other checks. */
556 match++;
558 /* Another inversion is a double negative; we can't not stop. */
560 {
562 "Rule '%s' has more than one "
563 "inversion; double negatives are "
565 rule_match_string);
567 }
569 /* Make sure that the rule isn't "~*", which won't ever match. */
571 {
573 "Authz rules with match string '~*' "
574 "are not allowed, because they never "
577 }
578 }
580 /* If the rule applies to a group, check its existence. */
582 {
587 /* Having a non-existent group in the ACL configuration might be
588 the sign of a typo. Refuse to perform authz on uncertain
589 rules. */
591 {
593 "An authz rule refers to group "
595 rule_match_string);
597 }
598 }
600 /* If the rule applies to an alias, check its existence. */
602 {
608 {
610 "An authz rule refers to alias "
612 rule_match_string);
614 }
615 }
617 /* If the rule specifies a token, check its validity. */
619 {
624 {
627 rule_match_string);
629 }
630 }
635 {
637 {
639 "The character '%c' in rule '%s' is not "
641 rule_match_string);
643 }
646 }
649 }
651 /* Callback to check ALIAS's definition for validity. Use
652 BATON for context and error reporting. */
657 {
658 /* No checking at the moment, every alias is valid */
660 }
663 /* Callback to check GROUP's definition for cyclic dependancies. Use
664 BATON for context and error reporting. */
669 {
677 }
680 /* Callback to check the contents of the configuration section given
681 by NAME. Use BATON for context and error reporting. */
685 {
688 /* If the section is the groups definition, use the group checking
689 callback. Otherwise, use the rule checking callback. */
696 else
704 }
707 \f
708 /*** Public functions. ***/
710 svn_error_t *
713 {
719 /* Load the rule file. */
723 /* Step through the entire rule file, stopping on error. */
730 }
733 svn_error_t *
736 svn_repos_authz_access_t required_access,
739 {
742 /* If PATH is NULL, do a global access lookup. */
744 {
747 pool);
749 }
751 /* Determine the granted access for the requested path. */
754 required_access,
755 access_granted,
756 pool))
757 {
758 /* Stop if the loop hits the repository root with no
759 results. */
761 {
762 /* Deny access by default. */
765 }
767 /* Work back to the parent path. */
769 }
771 /* If the caller requested recursive access, we need to walk through
772 the entire authz config to see whether any child paths are denied
773 to the requested user. */
779 }