// TODO: allow regular expressions in addresses
static int
s_self_authenticate (self_t *self)
{
zap_request_t *request = s_zap_request_new (self->handler, self->verbose);
if (request) {
// Is address explicitly whitelisted or blacklisted?
bool allowed = false;
bool denied = false;
if (zhashx_size (self->whitelist)) {
if (zhashx_lookup (self->whitelist, request->address)) {
allowed = true;
if (self->verbose)
zsys_info ("zauth: - passed (whitelist) address=%s", request->address);
}
else {
denied = true;
if (self->verbose)
zsys_info ("zauth: - denied (not in whitelist) address=%s", request->address);
}
}
else
if (zhashx_size (self->blacklist)) {
if (zhashx_lookup (self->blacklist, request->address)) {
denied = true;
if (self->verbose)
zsys_info ("zauth: - denied (blacklist) address=%s", request->address);
}
else {
allowed = true;
if (self->verbose)
zsys_info ("zauth: - passed (not in blacklist) address=%s", request->address);
}
}
// Mechanism-specific checks
if (!denied) {
if (streq (request->mechanism, "NULL") && !allowed) {
// For NULL, we allow if the address wasn't blacklisted
if (self->verbose)
zsys_info ("zauth: - allowed (NULL)");
allowed = true;
}
else
if (streq (request->mechanism, "PLAIN"))
// For PLAIN, even a whitelisted address must authenticate
allowed = s_authenticate_plain (self, request);
else
if (streq (request->mechanism, "CURVE"))
// For CURVE, even a whitelisted address must authenticate
allowed = s_authenticate_curve (self, request);
else
if (streq (request->mechanism, "GSSAPI"))
// For GSSAPI, even a whitelisted address must authenticate
allowed = s_authenticate_gssapi (self, request);
}
if (allowed)
s_zap_request_reply (request, "200", "OK");
else
s_zap_request_reply (request, "400", "No access");
s_zap_request_destroy (&request);
}
else
s_zap_request_reply (request, "500", "Internal error");
return 0;
}
static int
s_agent_authenticate (agent_t *self)
{
zap_request_t *request = zap_request_new (self->handler);
if (request) {
// Is address explicitly whitelisted or blacklisted?
bool allowed = false;
bool denied = false;
if (zhash_size (self->whitelist)) {
if (zhash_lookup (self->whitelist, request->address)) {
allowed = true;
if (self->verbose)
printf ("I: PASSED (whitelist) address=%s\n", request->address);
}
else {
denied = true;
if (self->verbose)
printf ("I: DENIED (not in whitelist) address=%s\n", request->address);
}
}
else
if (zhash_size (self->blacklist)) {
if (zhash_lookup (self->blacklist, request->address)) {
denied = true;
if (self->verbose)
printf ("I: DENIED (blacklist) address=%s\n", request->address);
}
else {
allowed = true;
if (self->verbose)
printf ("I: PASSED (not in blacklist) address=%s\n", request->address);
}
}
// Mechanism-specific checks
if (!denied) {
if (streq (request->mechanism, "NULL") && !allowed) {
// For NULL, we allow if the address wasn't blacklisted
if (self->verbose)
printf ("I: ALLOWED (NULL)\n");
allowed = true;
}
else
if (streq (request->mechanism, "PLAIN"))
// For PLAIN, even a whitelisted address must authenticate
allowed = s_authenticate_plain (self, request);
else
if (streq (request->mechanism, "CURVE"))
// For CURVE, even a whitelisted address must authenticate
allowed = s_authenticate_curve (self, request);
}
if (allowed)
zap_request_reply (request, "200", "OK");
else
zap_request_reply (request, "400", "NO ACCESS");
zap_request_destroy (&request);
}
else
zap_request_reply (request, "500", "Internal error");
return 0;
}
