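/// Lua binding: bool aclRemoveRight ( acl theAcl, string rightName )
///
/// Removes the named right from the ACL passed as argument 1. The name must
/// start with "command.", "function.", "resource." or "general."; the prefix
/// selects the right type and is stripped before the lookup.
///
/// Pushes true when a right was removed, false in every other case (bad
/// argument types, null ACL, unknown prefix, no such right). Always returns 1,
/// the number of values pushed on the Lua stack.
int CLuaACLDefs::aclRemoveRight ( lua_State* luaVM )
{
    // Verify the arguments
    if ( lua_type ( luaVM, 1 ) == LUA_TLIGHTUSERDATA &&
         lua_type ( luaVM, 2 ) == LUA_TSTRING )
    {
        // Grab the arguments. lua_tostring returns a const string owned by the
        // Lua VM, so it is kept const here instead of casting the qualifier away.
        CAccessControlList* pACL = lua_toacl ( luaVM, 1 );
        const char* szRight = lua_tostring ( luaVM, 2 );

        // Verify the ACL pointer
        if ( pACL )
        {
            // Grab the type from the name passed; each offset is the length of
            // the matched prefix including its dot
            const char* szRightAftedDot = szRight;
            CAccessControlListRight::ERightType eType;
            if ( StringBeginsWith ( szRight, "command." ) )
            {
                eType = CAccessControlListRight::RIGHT_TYPE_COMMAND;
                szRightAftedDot += 8;
            }
            else if ( StringBeginsWith ( szRight, "function." ) )
            {
                eType = CAccessControlListRight::RIGHT_TYPE_FUNCTION;
                szRightAftedDot += 9;
            }
            else if ( StringBeginsWith ( szRight, "resource." ) )
            {
                eType = CAccessControlListRight::RIGHT_TYPE_RESOURCE;
                szRightAftedDot += 9;
            }
            else if ( StringBeginsWith ( szRight, "general." ) )
            {
                eType = CAccessControlListRight::RIGHT_TYPE_GENERAL;
                szRightAftedDot += 8;
            }
            else
            {
                // Unknown prefix: fail without logging
                lua_pushboolean ( luaVM, false );
                return 1;
            }

            // Read the access flag before removing, so the audit line can
            // still report what the removed right used to grant
            CAccessControlListRight* pACLRight = pACL->GetRight ( szRightAftedDot, eType );
            bool bAccess = pACLRight && pACLRight->GetRightAccess ();

            // Try removing the right
            if ( pACL->RemoveRight ( szRightAftedDot, eType ) )
            {
                CLogger::LogPrintf ( "ACL: %s: Right '%s' %s removed from ACL '%s'\n", GetResourceName ( luaVM ), szRight, bAccess ? "ALLOW" : "DISALLOW", pACL->GetName () );
                // Return success
                lua_pushboolean ( luaVM, true );
                return 1;
            }
        }
    }
    else
        m_pScriptDebugging->LogBadType ( luaVM, "aclRemoveRight" );

    lua_pushboolean ( luaVM, false );
    return 1;
}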
/////////////////////////////////////////////////////////////// // // CResource::CommitAclRequest // // Right will be created if not exists // Can't fail // /////////////////////////////////////////////////////////////// void CResource::CommitAclRequest ( const SAclRequest& request ) { CAccessControlListRight* pAclRight = GetAutoAcl ()->AddRight ( request.rightName.GetName (), request.rightName.GetType (), request.bAccess ); pAclRight->SetRightAccess ( request.bAccess ); pAclRight->SetAttributeValue ( "pending", request.bPending ? "true" : "false" ); pAclRight->SetAttributeValue ( "who", request.strWho ); pAclRight->SetAttributeValue ( "date", request.strDate ); }
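/// Lua binding: bool aclGetRight ( acl theAcl, string rightName )
///
/// Looks up the named right in the ACL passed as argument 1 and pushes its
/// access flag. The name must start with "command.", "function.",
/// "resource." or "general."; the prefix selects the right type and is
/// stripped before the lookup.
///
/// Pushes false for a denied right and also for bad argument types, a null
/// ACL, an unknown prefix or a right that is not in the ACL, so a caller
/// cannot tell "denied" from "not present". Always returns 1.
int CLuaACLDefs::aclGetRight ( lua_State* luaVM )
{
    // Verify the argument types
    if ( lua_type ( luaVM, 1 ) == LUA_TLIGHTUSERDATA &&
         lua_type ( luaVM, 2 ) == LUA_TSTRING )
    {
        // Grab the arguments. lua_tostring returns a const string owned by the
        // Lua VM, so it is kept const here instead of casting the qualifier away.
        CAccessControlList* pACL = lua_toacl ( luaVM, 1 );
        const char* szRight = lua_tostring ( luaVM, 2 );

        // Verify the ACL pointer
        if ( pACL )
        {
            // Grab the type from the name passed; each offset is the length of
            // the matched prefix including its dot
            const char* szRightAftedDot = szRight;
            CAccessControlListRight::ERightType eType;
            if ( StringBeginsWith ( szRight, "command." ) )
            {
                eType = CAccessControlListRight::RIGHT_TYPE_COMMAND;
                szRightAftedDot += 8;
            }
            else if ( StringBeginsWith ( szRight, "function." ) )
            {
                eType = CAccessControlListRight::RIGHT_TYPE_FUNCTION;
                szRightAftedDot += 9;
            }
            else if ( StringBeginsWith ( szRight, "resource." ) )
            {
                eType = CAccessControlListRight::RIGHT_TYPE_RESOURCE;
                szRightAftedDot += 9;
            }
            else if ( StringBeginsWith ( szRight, "general." ) )
            {
                eType = CAccessControlListRight::RIGHT_TYPE_GENERAL;
                szRightAftedDot += 8;
            }
            else
            {
                // Unknown prefix: fail without logging
                lua_pushboolean ( luaVM, false );
                return 1;
            }

            // Grab the right from the name and type
            CAccessControlListRight* pACLRight = pACL->GetRight ( szRightAftedDot, eType );
            if ( pACLRight )
            {
                lua_pushboolean ( luaVM, pACLRight->GetRightAccess () );
                return 1;
            }
        }
    }
    else
        m_pScriptDebugging->LogBadType ( luaVM, "aclGetRight" );

    lua_pushboolean ( luaVM, false );
    return 1;
}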
/// Lua binding: bool aclRemoveRight ( acl theAcl, string rightName )
///
/// Removes the named right from the given ACL and writes an audit line on
/// success. The name must start with "command.", "function.", "resource." or
/// "general."; the prefix selects the right type and is stripped before the
/// lookup. Pushes true when a right was removed and false otherwise; always
/// returns 1.
///
/// NOTE(review): nothing in this function checks whether the calling resource
/// may edit ACLs; presumably that is enforced before the call is dispatched -
/// confirm. pACL is also used without a null check once the argument reader
/// reports no errors - confirm ReadUserData cannot succeed with a null ACL.
int CLuaACLDefs::aclRemoveRight ( lua_State* luaVM )
{
    CAccessControlList* pACL;
    SString strRight;

    CScriptArgReader argStream ( luaVM );
    argStream.ReadUserData ( pACL );
    argStream.ReadString ( strRight );

    // Bad arguments: report through script debugging and fail
    if ( argStream.HasErrors () )
    {
        m_pScriptDebugging->LogCustom ( luaVM, argStream.GetFullErrorMessage () );
        lua_pushboolean ( luaVM, false );
        return 1;
    }

    // Work out the right type and how many prefix characters to skip
    CAccessControlListRight::ERightType eType;
    unsigned int uiPrefixLength;
    if ( StringBeginsWith ( strRight, "command." ) )
    {
        eType = CAccessControlListRight::RIGHT_TYPE_COMMAND;
        uiPrefixLength = 8;
    }
    else if ( StringBeginsWith ( strRight, "function." ) )
    {
        eType = CAccessControlListRight::RIGHT_TYPE_FUNCTION;
        uiPrefixLength = 9;
    }
    else if ( StringBeginsWith ( strRight, "resource." ) )
    {
        eType = CAccessControlListRight::RIGHT_TYPE_RESOURCE;
        uiPrefixLength = 9;
    }
    else if ( StringBeginsWith ( strRight, "general." ) )
    {
        eType = CAccessControlListRight::RIGHT_TYPE_GENERAL;
        uiPrefixLength = 8;
    }
    else
    {
        // Unknown prefix: fail without logging
        lua_pushboolean ( luaVM, false );
        return 1;
    }

    const char* szBareName = strRight;
    szBareName += uiPrefixLength;

    // Read the access flag before removing, so the audit line can still
    // report what the removed right used to grant
    CAccessControlListRight* pExisting = pACL->GetRight ( szBareName, eType );
    bool bWasAllowed = pExisting && pExisting->GetRightAccess ();

    if ( !pACL->RemoveRight ( szBareName, eType ) )
    {
        lua_pushboolean ( luaVM, false );
        return 1;
    }

    const char* szAccessLabel = bWasAllowed ? "ALLOW" : "DISALLOW";
    CLogger::LogPrintf ( "ACL: %s: Right '%s' %s removed from ACL '%s'\n", GetResourceName ( luaVM ), strRight.c_str (), szAccessLabel, pACL->GetName () );

    lua_pushboolean ( luaVM, true );
    return 1;
}
/// Lua binding: bool aclGetRight ( acl theAcl, string rightName )
///
/// Pushes the access flag of the named right in the given ACL. The name must
/// start with "command.", "function.", "resource." or "general."; the prefix
/// selects the right type and is stripped before the lookup.
///
/// False is pushed for a denied right and also for bad arguments, an unknown
/// prefix or a right that is not in the ACL, so a caller cannot tell "denied"
/// from "not present". Always returns 1.
///
/// NOTE(review): pACL is used without a null check once the argument reader
/// reports no errors - confirm ReadUserData cannot succeed with a null ACL.
int CLuaACLDefs::aclGetRight ( lua_State* luaVM )
{
    CAccessControlList* pACL;
    SString strRight;

    CScriptArgReader argStream ( luaVM );
    argStream.ReadUserData ( pACL );
    argStream.ReadString ( strRight );

    // Bad arguments: report through script debugging and fail
    if ( argStream.HasErrors () )
    {
        m_pScriptDebugging->LogCustom ( luaVM, argStream.GetFullErrorMessage () );
        lua_pushboolean ( luaVM, false );
        return 1;
    }

    // Work out the right type and how many prefix characters to skip
    CAccessControlListRight::ERightType eType;
    unsigned int uiPrefixLength;
    if ( StringBeginsWith ( strRight, "command." ) )
    {
        eType = CAccessControlListRight::RIGHT_TYPE_COMMAND;
        uiPrefixLength = 8;
    }
    else if ( StringBeginsWith ( strRight, "function." ) )
    {
        eType = CAccessControlListRight::RIGHT_TYPE_FUNCTION;
        uiPrefixLength = 9;
    }
    else if ( StringBeginsWith ( strRight, "resource." ) )
    {
        eType = CAccessControlListRight::RIGHT_TYPE_RESOURCE;
        uiPrefixLength = 9;
    }
    else if ( StringBeginsWith ( strRight, "general." ) )
    {
        eType = CAccessControlListRight::RIGHT_TYPE_GENERAL;
        uiPrefixLength = 8;
    }
    else
    {
        // Unknown prefix: fail without logging
        lua_pushboolean ( luaVM, false );
        return 1;
    }

    const char* szBareName = strRight;
    szBareName += uiPrefixLength;

    // Look the right up by bare name and type
    CAccessControlListRight* pFound = pACL->GetRight ( szBareName, eType );
    if ( !pFound )
    {
        lua_pushboolean ( luaVM, false );
        return 1;
    }

    lua_pushboolean ( luaVM, pFound->GetRightAccess () );
    return 1;
}
/// Decides whether an object (user or resource) may use a right.
///
/// Every group that matches the object is searched, and every ACL of such a
/// group is asked for the right. The decision is allow-overrides:
///   - the first ACL that grants the right ends the search with true, even if
///     an ACL seen earlier denied it;
///   - if at least one ACL denied the right and none granted it, the result is
///     false;
///   - if no ACL mentions the right at all, bDefaultAccessRight is returned.
///
/// @param szObjectName        name of the user or resource
/// @param eObjectType         kind of object the name refers to
/// @param szRightName         right name without its type prefix
/// @param eRightType          type of the right
/// @param bDefaultAccessRight answer to give when no ACL mentions the right
bool CAccessControlListManager::InternalCanObjectUseRight ( const char* szObjectName, CAccessControlListGroupObject::EObjectType eObjectType, const char* szRightName, CAccessControlListRight::ERightType eRightType, bool bDefaultAccessRight )
{
    // Becomes true once any ACL explicitly denies the right
    bool bExplicitDeny = false;

    for ( list < CAccessControlListGroup* > ::iterator itGroup = m_Groups.begin (); itGroup != m_Groups.end (); ++itGroup )
    {
        // Only groups that contain this user/resource are relevant
        if ( !(*itGroup)->FindObjectMatch ( szObjectName, eObjectType ) )
            continue;

        for ( list < CAccessControlList* > ::iterator itAcl = (*itGroup)->IterBeginACL (); itAcl != (*itGroup)->IterEndACL (); ++itAcl )
        {
            CAccessControlListRight* pRight = (*itAcl)->GetRight ( szRightName, eRightType );
            if ( !pRight )
                continue;       // This ACL says nothing about the right

            // A grant wins immediately; a denial is remembered while the
            // search continues for an ACL that grants the right
            if ( pRight->GetRightAccess () )
                return true;

            bExplicitDeny = true;
        }
    }

    // Denied somewhere and granted nowhere: no access. Otherwise nothing was
    // specified and the caller's default applies.
    return bExplicitDeny ? false : bDefaultAccessRight;
}
/// Finds the right with the given name and type in this ACL.
///
/// The name hash is only a cheap pre-filter: a candidate is returned only when
/// its type, its hash and its full name all match, so a hash collision cannot
/// yield the wrong right.
///
/// @param szRightName right name without its type prefix
/// @param eRightType  type of the right
/// @return the matching right, or NULL if the ACL has none
CAccessControlListRight* CAccessControlList::GetRight ( const char* szRightName, CAccessControlListRight::ERightType eRightType )
{
    unsigned int uiWantedHash = HashString ( szRightName );

    for ( list < CAccessControlListRight* > ::iterator it = m_Rights.begin (); it != m_Rights.end (); ++it )
    {
        CAccessControlListRight* pCandidate = *it;

        if ( eRightType != pCandidate->GetRightType () )
            continue;

        if ( pCandidate->GetRightNameHash () != uiWantedHash )
            continue;

        // Hash matched; confirm with the full name
        if ( SStringX ( szRightName ) == pCandidate->GetRightName () )
            return pCandidate;
    }

    return NULL;
}
/// Serialises this ACL under pNode as an "acl" subnode carrying a "name"
/// attribute, then lets each right write itself into that subnode.
///
/// pNode and the created subnode are only checked with assert.
/// NOTE(review): the attribute returned by Create ( "name" ) is used without
/// a check - confirm Create cannot return NULL.
void CAccessControlList::WriteToXMLNode ( CXMLNode* pNode )
{
    assert ( pNode );

    // One <acl> element per access control list
    CXMLNode* pAclNode = pNode->CreateSubNode ( "acl" );
    assert ( pAclNode );

    // Name attribute
    CXMLAttribute* pNameAttribute = pAclNode->GetAttributes ().Create ( "name" );
    pNameAttribute->SetValue ( m_strACLName );

    // Each right serialises itself below the <acl> element
    for ( list < CAccessControlListRight* > ::iterator it = m_Rights.begin (); it != m_Rights.end (); ++it )
    {
        (*it)->WriteToXMLNode ( pAclNode );
    }
}
/// Removes and deletes the right with the given name and type.
///
/// The first right whose hash, type and full name all match is taken out of
/// m_Rights and deleted, OnChange () is called, and true is returned. Because
/// the object is deleted here, a pointer obtained earlier from GetRight for
/// the same right must not be used after this call succeeds.
///
/// @param szRightName right name without its type prefix
/// @param eRightType  type of the right
/// @return true if a right was removed, false if none matched
bool CAccessControlList::RemoveRight ( const char* szRightName, CAccessControlListRight::ERightType eRightType )
{
    unsigned int uiWantedHash = HashString ( szRightName );

    for ( list < CAccessControlListRight* > ::iterator it = m_Rights.begin (); it != m_Rights.end (); ++it )
    {
        CAccessControlListRight* pCandidate = *it;

        // Hash first as a cheap filter, full name last to confirm
        bool bMatches = pCandidate->GetRightNameHash () == uiWantedHash &&
                        eRightType == pCandidate->GetRightType () &&
                        SStringX ( szRightName ) == pCandidate->GetRightName ();
        if ( !bMatches )
            continue;

        // remove () invalidates the iterator; the loop is left right after
        m_Rights.remove ( pCandidate );
        delete pCandidate;
        OnChange ();
        return true;
    }

    return false;
}
/////////////////////////////////////////////////////////////// // // CResource::GetAclRequests // // Get all acl requests for this resource // /////////////////////////////////////////////////////////////// void CResource::GetAclRequests ( std::vector < SAclRequest >& outResultList ) { outResultList.clear (); CAccessControlList* pAutoAcl = FindAutoAcl (); if ( !pAutoAcl ) return; // Get each right for ( std::list < CAccessControlListRight* >::const_iterator iter = pAutoAcl->IterBegin () ; iter != pAutoAcl->IterEnd () ; ++iter ) { CAccessControlListRight* pAclRight = *iter; // Create SAclRequest from ACL SAclRequest request ( CAclRightName ( pAclRight->GetRightType (), pAclRight->GetRightName () ) ); request.bAccess = StringToBool ( pAclRight->GetAttributeValue ( "access" ) ); request.bPending = StringToBool ( pAclRight->GetAttributeValue ( "pending" ) ); request.strWho = pAclRight->GetAttributeValue ( "who" ); request.strDate = pAclRight->GetAttributeValue ( "date" ); outResultList.push_back ( request ); } }
/////////////////////////////////////////////////////////////// // // CResource::FindAclRequest // // Will fail if right does not have a pending attribute // /////////////////////////////////////////////////////////////// bool CResource::FindAclRequest ( SAclRequest& result ) { if ( !FindAutoAcl () ) return false; CAccessControlListRight* pAclRight = GetAutoAcl ()->GetRight ( result.rightName.GetName (), result.rightName.GetType () ); if ( !pAclRight ) return false; // Fill SAclRequest result.bAccess = StringToBool ( pAclRight->GetAttributeValue ( "access" ) ); result.bPending = StringToBool ( pAclRight->GetAttributeValue ( "pending" ) ); result.strWho = pAclRight->GetAttributeValue ( "who" ); result.strDate = pAclRight->GetAttributeValue ( "date" ); // Ensure not pending and allow if ( result.bPending && result.bAccess ) { result.bAccess = false; CommitAclRequest ( result ); } return pAclRight->GetAttributeValue ( "pending" ) != ""; }
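/// Loads all ACLs and groups from the ACL XML file.
///
/// The in-memory ACLs and groups are cleared only after the file has been
/// created, parsed and found to have a root node, so a missing or malformed
/// file returns false and leaves the previously loaded lists in place.
///
/// Parsing rules visible here:
///   - a right grants access only when its "access" attribute is "true" or
///     "yes" (case-insensitive) or "1"; any other value loads as a denial;
///   - a right whose name has none of the prefixes "command.", "function.",
///     "resource.", "general." is skipped without a message;
///   - a group object whose name has neither "user." nor "resource." as
///     prefix, and a group reference to an ACL name that was not loaded, are
///     skipped without a message;
///   - every XML attribute of a right node is copied onto the right.
///
/// NOTE(review): on the early failure returns m_pRootNode is not reset after
/// the old document was deleted; confirm nothing reads it after a failed load.
///
/// @return true when the file was loaded, false on load/parse/root-node error
bool CAccessControlListManager::Load ( void )
{
    // Destroy the previously loaded XML document, if any
    if ( m_pXML )
    {
        delete m_pXML;
    }

    // Load the XML
    m_pXML = g_pServerInterface->GetXML ()->CreateXML ( GetFileName ().c_str () );
    if ( !m_pXML )
    {
        CLogger::ErrorPrintf ( "Error loading Access Control List file\n" );
        return false;
    }

    // Parse it
    if ( !m_pXML->Parse () )
    {
        CLogger::ErrorPrintf ( "Error parsing Access Control List file\n" );
        return false;
    }

    // Grab the XML root node
    m_pRootNode = m_pXML->GetRootNode ();
    if ( !m_pRootNode )
    {
        CLogger::ErrorPrintf ( "Missing root node ('ACL')\n" );
        return false;
    }

    // Clear previous ACL stuff
    ClearACLs ();
    ClearGroups ();

    // Load the ACLs
    unsigned int uiSubNodesCount = m_pRootNode->GetSubNodeCount ();
    for ( unsigned int i = 0 ; i < uiSubNodesCount ; i++ )
    {
        CXMLNode* pSubNode = m_pRootNode->GetSubNode ( i );
        if ( !pSubNode )
            continue;

        if ( pSubNode->GetTagName ().compare ( "acl" ) != 0 )
            continue;

        CXMLAttribute* pAttribute = pSubNode->GetAttributes ().Find ( "name" );
        if ( !pAttribute )
            continue;

        CAccessControlList* pACL = AddACL ( pAttribute->GetValue ().c_str () );

        unsigned int uiSubSubNodesCount = pSubNode->GetSubNodeCount ();
        for ( unsigned int j = 0 ; j < uiSubSubNodesCount ; j++ )
        {
            // If this subnode doesn't exist, move on to the next one
            CXMLNode* pSubSubNode = pSubNode->GetSubNode ( j );
            if ( !pSubSubNode )
                continue;

            // Only subnodes named "right" are of interest
            if ( pSubSubNode->GetTagName ().compare ( "right" ) != 0 )
                continue;

            // Both the name and the access attribute are required
            CXMLAttribute* pNameAttribute = pSubSubNode->GetAttributes ().Find ( "name" );
            CXMLAttribute* pAccessAttribute = pSubSubNode->GetAttributes ().Find ( "access" );
            if ( !pNameAttribute || !pAccessAttribute )
                continue;

            // Access defaults to denied; only the listed spellings grant it
            bool bAccess = false;
            std::string strAccess = pAccessAttribute->GetValue ();
            if ( stricmp ( strAccess.c_str (), "true" ) == 0 ||
                 stricmp ( strAccess.c_str (), "yes" ) == 0 ||
                 strcmp ( strAccess.c_str (), "1" ) == 0 )
            {
                bAccess = true;
            }

            // Keep a copy of the name: whether GetValue () returns a reference
            // or a temporary is not visible here, and a c_str () pointer into a
            // temporary would dangle on the lines below.
            const std::string strRightName = pNameAttribute->GetValue ();
            const char* szRightName = strRightName.c_str ();

            // Create the right; the offset skips the type prefix and its dot
            CAccessControlListRight* pRight = NULL;
            if ( StringBeginsWith ( szRightName, "command." ) )
            {
                pRight = pACL->AddRight ( &szRightName[8], CAccessControlListRight::RIGHT_TYPE_COMMAND, bAccess );
            }
            else if ( StringBeginsWith ( szRightName, "function." ) )
            {
                pRight = pACL->AddRight ( &szRightName[9], CAccessControlListRight::RIGHT_TYPE_FUNCTION, bAccess );
            }
            else if ( StringBeginsWith ( szRightName, "resource." ) )
            {
                pRight = pACL->AddRight ( &szRightName[9], CAccessControlListRight::RIGHT_TYPE_RESOURCE, bAccess );
            }
            else if ( StringBeginsWith ( szRightName, "general." ) )
            {
                pRight = pACL->AddRight ( &szRightName[8], CAccessControlListRight::RIGHT_TYPE_GENERAL, bAccess );
            }
            else
                continue;

            // Nothing to decorate if the right could not be added
            if ( !pRight )
                continue;

            // Set all the extra attributes. The loop variables have their own
            // names so they no longer shadow the outer index and attribute.
            for ( uint k = 0 ; k < pSubSubNode->GetAttributes ().Count () ; k++ )
            {
                CXMLAttribute* pExtraAttribute = pSubSubNode->GetAttributes ().Get ( k );
                pRight->SetAttributeValue ( pExtraAttribute->GetName (), pExtraAttribute->GetValue () );
            }
        }
    }

    // Load the groups
    uiSubNodesCount = m_pRootNode->GetSubNodeCount ();
    for ( unsigned int i = 0 ; i < uiSubNodesCount ; i++ )
    {
        CXMLNode* pSubNode = m_pRootNode->GetSubNode ( i );
        if ( !pSubNode )
            continue;

        if ( pSubNode->GetTagName ().compare ( "group" ) != 0 )
            continue;

        CXMLAttribute* pAttribute = pSubNode->GetAttributes ().Find ( "name" );
        if ( !pAttribute )
            continue;

        CAccessControlListGroup* pGroup = AddGroup ( pAttribute->GetValue ().c_str () );

        unsigned int uiSubSubNodesCount = pSubNode->GetSubNodeCount ();
        for ( unsigned int j = 0 ; j < uiSubSubNodesCount ; j++ )
        {
            CXMLNode* pSubSubNode = pSubNode->GetSubNode ( j );
            if ( !pSubSubNode )
                continue;

            if ( pSubSubNode->GetTagName ().compare ( "object" ) == 0 )
            {
                CXMLAttribute* pSubAttribute = pSubSubNode->GetAttributes ().Find ( "name" );
                if ( pSubAttribute )
                {
                    // Copy for the same lifetime reason as the right name above
                    const std::string strAccountName = pSubAttribute->GetValue ();
                    const char* szAccountName = strAccountName.c_str ();

                    // Members are users or resources; other prefixes are ignored
                    if ( StringBeginsWith ( szAccountName, "user." ) )
                    {
                        pGroup->AddObject ( &szAccountName[5], CAccessControlListGroupObject::OBJECT_TYPE_USER );
                    }
                    else if ( StringBeginsWith ( szAccountName, "resource." ) )
                    {
                        pGroup->AddObject ( &szAccountName[9], CAccessControlListGroupObject::OBJECT_TYPE_RESOURCE );
                    }
                }
            }
            else if ( pSubSubNode->GetTagName ().compare ( "acl" ) == 0 )
            {
                CXMLAttribute* pSubAttribute = pSubSubNode->GetAttributes ().Find ( "name" );
                if ( pSubAttribute )
                {
                    // Attach the ACL only if one with this name was loaded above
                    CAccessControlList* pACL = GetACL ( pSubAttribute->GetValue ().c_str () );
                    if ( pACL )
                    {
                        pGroup->AddACL ( pACL );
                    }
                }
            }
        }
    }

    // What is in memory now matches the file
    m_bNeedsSave = false;
    return true;
}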
/// Lua binding: bool aclSetRight ( acl theAcl, string rightName, bool hasAccess )
///
/// Sets the access flag of the named right in the given ACL, adding the right
/// if it is not there yet. The name must start with "command.", "function.",
/// "resource." or "general."; the prefix selects the right type and is
/// stripped before the lookup. A change of an existing right and the addition
/// of a new one are both written to the log.
///
/// Pushes true when the right was updated or added, false on bad arguments,
/// an unknown prefix or a failed add. Always returns 1.
///
/// NOTE(review): nothing in this function checks whether the calling resource
/// may edit ACLs; presumably that is enforced before the call is dispatched -
/// confirm. The right name comes from the script and is logged verbatim;
/// confirm the logger copes with embedded line breaks so audit lines stay
/// trustworthy. pACL is used without a null check once the argument reader
/// reports no errors - confirm ReadUserData cannot succeed with a null ACL.
int CLuaACLDefs::aclSetRight ( lua_State* luaVM )
{
    CAccessControlList* pACL;
    SString strRight;
    bool bAccess;

    CScriptArgReader argStream ( luaVM );
    argStream.ReadUserData ( pACL );
    argStream.ReadString ( strRight );
    argStream.ReadBool ( bAccess );

    // Bad arguments: report through script debugging and fail
    if ( argStream.HasErrors () )
    {
        m_pScriptDebugging->LogCustom ( luaVM, argStream.GetFullErrorMessage () );
        lua_pushboolean ( luaVM, false );
        return 1;
    }

    // Work out the right type and how many prefix characters to skip
    CAccessControlListRight::ERightType eType;
    unsigned int uiPrefixLength;
    if ( StringBeginsWith ( strRight, "command." ) )
    {
        eType = CAccessControlListRight::RIGHT_TYPE_COMMAND;
        uiPrefixLength = 8;
    }
    else if ( StringBeginsWith ( strRight, "function." ) )
    {
        eType = CAccessControlListRight::RIGHT_TYPE_FUNCTION;
        uiPrefixLength = 9;
    }
    else if ( StringBeginsWith ( strRight, "resource." ) )
    {
        eType = CAccessControlListRight::RIGHT_TYPE_RESOURCE;
        uiPrefixLength = 9;
    }
    else if ( StringBeginsWith ( strRight, "general." ) )
    {
        eType = CAccessControlListRight::RIGHT_TYPE_GENERAL;
        uiPrefixLength = 8;
    }
    else
    {
        // Unknown prefix: fail without logging
        lua_pushboolean ( luaVM, false );
        return 1;
    }

    const char* szBareName = strRight;
    szBareName += uiPrefixLength;

    const char* szAccessLabel = bAccess ? "ALLOW" : "DISALLOW";

    // Existing right: log only a real change, then store the flag
    CAccessControlListRight* pTarget = pACL->GetRight ( szBareName, eType );
    if ( pTarget )
    {
        if ( pTarget->GetRightAccess () != bAccess )
            CLogger::LogPrintf ( "ACL: %s: Right '%s' changed to %s in ACL '%s'\n", GetResourceName ( luaVM ), strRight.c_str (), szAccessLabel, pACL->GetName () );

        pTarget->SetRightAccess ( bAccess );
        lua_pushboolean ( luaVM, true );
        return 1;
    }

    // No such right yet: try to add it
    pTarget = pACL->AddRight ( szBareName, eType, bAccess );
    if ( !pTarget )
    {
        lua_pushboolean ( luaVM, false );
        return 1;
    }

    // LOGLEVEL_LOW to stop spam from admin resource at new server startup
    CLogger::LogPrintf ( LOGLEVEL_LOW, "ACL: %s: Right '%s' %s added in ACL '%s'\n", GetResourceName ( luaVM ), strRight.c_str (), szAccessLabel, pACL->GetName () );
    lua_pushboolean ( luaVM, true );
    return 1;
}
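/// Lua binding: bool aclSetRight ( acl theAcl, string rightName, bool hasAccess )
///
/// Sets the access flag of the named right in the ACL passed as argument 1,
/// adding the right if it is not there yet. The name must start with
/// "command.", "function.", "resource." or "general."; the prefix selects the
/// right type and is stripped before the lookup. A change of an existing
/// right and the addition of a new one are both written to the log.
///
/// Pushes true when the right was updated or added, false on bad argument
/// types, a null ACL, an unknown prefix or a failed add. Always returns 1.
int CLuaACLDefs::aclSetRight ( lua_State* luaVM )
{
    // Verify the argument types
    if ( lua_type ( luaVM, 1 ) == LUA_TLIGHTUSERDATA &&
         lua_type ( luaVM, 2 ) == LUA_TSTRING &&
         lua_type ( luaVM, 3 ) == LUA_TBOOLEAN )
    {
        // Grab the arguments. lua_tostring returns a const string owned by the
        // Lua VM, so it is kept const here instead of casting the qualifier away.
        CAccessControlList* pACL = lua_toacl ( luaVM, 1 );
        const char* szRight = lua_tostring ( luaVM, 2 );
        bool bAccess = lua_toboolean ( luaVM, 3 ) != 0;

        // Verify the ACL pointer
        if ( pACL )
        {
            // Grab the type from the name passed; each offset is the length of
            // the matched prefix including its dot
            const char* szRightAftedDot = szRight;
            CAccessControlListRight::ERightType eType;
            if ( StringBeginsWith ( szRight, "command." ) )
            {
                eType = CAccessControlListRight::RIGHT_TYPE_COMMAND;
                szRightAftedDot += 8;
            }
            else if ( StringBeginsWith ( szRight, "function." ) )
            {
                eType = CAccessControlListRight::RIGHT_TYPE_FUNCTION;
                szRightAftedDot += 9;
            }
            else if ( StringBeginsWith ( szRight, "resource." ) )
            {
                eType = CAccessControlListRight::RIGHT_TYPE_RESOURCE;
                szRightAftedDot += 9;
            }
            else if ( StringBeginsWith ( szRight, "general." ) )
            {
                eType = CAccessControlListRight::RIGHT_TYPE_GENERAL;
                szRightAftedDot += 8;
            }
            else
            {
                // Unknown prefix: fail without logging
                lua_pushboolean ( luaVM, false );
                return 1;
            }

            // Grab the right from the name and type
            CAccessControlListRight* pACLRight = pACL->GetRight ( szRightAftedDot, eType );
            if ( pACLRight )
            {
                // Log only a real change, then set the new access right
                if ( pACLRight->GetRightAccess () != bAccess )
                    CLogger::LogPrintf ( "ACL: %s: Right '%s' changed to %s in ACL '%s'\n", GetResourceName ( luaVM ), szRight, bAccess ? "ALLOW" : "DISALLOW", pACL->GetName () );
                pACLRight->SetRightAccess ( bAccess );
                lua_pushboolean ( luaVM, true );
                return 1;
            }

            // Try to add it
            pACLRight = pACL->AddRight ( szRightAftedDot, eType, bAccess );
            if ( pACLRight )
            {
                // Return success
                CLogger::LogPrintf ( "ACL: %s: Right '%s' %s added in ACL '%s'\n", GetResourceName ( luaVM ), szRight, bAccess ? "ALLOW" : "DISALLOW", pACL->GetName () );
                lua_pushboolean ( luaVM, true );
                return 1;
            }
        }
    }
    else
        m_pScriptDebugging->LogBadType ( luaVM, "aclSetRight" );

    lua_pushboolean ( luaVM, false );
    return 1;
}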