Greenbone Vulnerability Manager
22.4.0~dev1
The Greenbone Vulnerability Manager management library (Access Control Layer). More...
#include "manage_acl.h"
#include "manage_sql.h"
#include "sql.h"
#include <assert.h>
#include <stdlib.h>
#include <string.h>
Macros | |
#define | G_LOG_DOMAIN "md manage" |
GLib log domain. | |
#define | ACL_SUPER_CLAUSE(format) |
Super clause. More... | |
#define | ACL_SUPER_CLAUSE_ARGS(type, field, value, user_id, trash) |
Super clause arguments. More... | |
Functions | |
static int | user_may_internal (const char *operation) |
Test whether the current user may perform an operation. More... | |
static int | strv_case_eq (gchar **strv, const gchar *string) |
Check if a string array contains a string, ignoring case. More... | |
command_t * | acl_commands (gchar **disabled_commands) |
Get commands that the current user may run. More... | |
int | acl_user_may (const char *operation) |
Test whether a user may perform an operation. More... | |
int | acl_role_can_super_everyone (const char *role_id) |
Check whether a role has Super Admin capability. More... | |
int | acl_user_can_super_everyone (const char *uuid) |
Check whether a user is a Super Admin. More... | |
int | acl_user_can_everything (const char *user_id) |
Test whether a user may perform any operation. More... | |
int | acl_user_has_super (const char *super_user_id, user_t other_user) |
Test whether a user has super permission on another user. More... | |
int | acl_user_is_admin (const char *uuid) |
Check whether a user is an Admin. More... | |
int | acl_user_is_observer (const char *uuid) |
Check whether a user is an Observer. More... | |
int | acl_user_is_super_admin (const char *uuid) |
Check whether a user is a Super Admin. More... | |
int | acl_user_is_user (const char *uuid) |
Check whether a user has the User role. More... | |
static int | acl_user_has_super_on (const char *type, const char *field, const char *value, int trash) |
Test whether a user has Super permission on a resource. More... | |
static int | acl_user_has_super_on_resource (const char *type, const char *field, resource_t resource, int trash) |
Test whether a user has Super permission on a resource. More... | |
int | acl_user_is_owner (const char *type, const char *uuid) |
Test whether a user is the actual owner of a resource. More... | |
int | acl_user_owns_uuid (const char *type, const char *uuid, int trash) |
Test whether a user effectively owns a resource. More... | |
int | acl_user_owns (const char *type, resource_t resource, int trash) |
Test whether a user effectively owns a resource. More... | |
int | acl_user_owns_trash_uuid (const char *type, const char *uuid) |
Test whether a user effectively owns a resource. More... | |
int | acl_user_has_access_uuid (const char *type, const char *uuid, const char *permission, int trash) |
Test whether the user may access a resource. More... | |
static gchar * | acl_where_owned_user (const char *user_id, const char *user_sql, const char *type, const get_data_t *get, int owned, const gchar *owner_filter, resource_t resource, array_t *permissions, int with_optional, const char *with_prefix, gchar **with) |
Generate the ownership part of an SQL WHERE clause for a given user. More... | |
gchar * | acl_where_owned (const char *type, const get_data_t *get, int owned, const gchar *owner_filter, resource_t resource, array_t *permissions, int with_optional, gchar **with) |
Generate the ownership part of an SQL WHERE clause. More... | |
gchar * | acl_where_owned_for_get (const char *type, const char *user_sql, const char *with_prefix, gchar **with) |
Generate ownership part of WHERE, for getting a type of resource. More... | |
gchar * | acl_users_with_access_sql (const char *type, const char *resource_id, const char *users_where) |
Get an SQL values expression of users that can get a resource. More... | |
gchar * | acl_users_with_access_where (const char *type, const char *resource_id, const char *users_where, const char *user_expr) |
Get a static SQL condition selecting users that can get a resource. More... | |
The Greenbone Vulnerability Manager management library (Access Control Layer).
This file isolates the access control portions of the GVM management library.
#define ACL_SUPER_CLAUSE | ( | format | ) |
Super clause.
[in] | format | Value format specifier. |
#define ACL_SUPER_CLAUSE_ARGS | ( | type, | |
field, | |||
value, | |||
user_id, | |||
trash | |||
) |
Super clause arguments.
[in] | type | Type of resource. |
[in] | field | Field to compare. Typically "uuid". |
[in] | value | Expected value of field. |
[in] | user_id | UUID of user. |
[in] | trash | Whether to search trash. |
command_t* acl_commands | ( | gchar ** | disabled_commands | ) |
Get commands that the current user may run.
[in] | disabled_commands | All disabled commands. |
int acl_role_can_super_everyone | ( | const char * | role_id | ) |
Check whether a role has Super Admin capability.
[in] | role_id | ID of role. |
int acl_user_can_everything | ( | const char * | user_id | ) |
Test whether a user may perform any operation.
[in] | user_id | UUID of user. |
int acl_user_can_super_everyone | ( | const char * | uuid | ) |
Check whether a user is a Super Admin.
[in] | uuid | UUID of user. |
int acl_user_has_access_uuid | ( | const char * | type, |
const char * | uuid, | ||
const char * | permission, | ||
int | trash | ||
) |
Test whether the user may access a resource.
[in] | type | Type of resource, for example "task". |
[in] | uuid | UUID of resource. |
[in] | permission | Permission. |
[in] | trash | Whether the resource is in the trash. |
int acl_user_has_super | ( | const char * | super_user_id, |
user_t | other_user | ||
) |
Test whether a user has super permission on another user.
[in] | super_user_id | UUID of user who may have super permission. |
[in] | other_user | Other user. |
static int acl_user_has_super_on (const char *type, const char *field, const char *value, int trash)
Test whether a user has Super permission on a resource.
[in] | type | Type of resource. |
[in] | field | Field to compare with value. |
[in] | value | Identifier value of resource. |
[in] | trash | Whether resource is in trash. |
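static int acl_user_has_super_on_resource (const char *type, const char *field, resource_t resource, int trash)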
Test whether a user has Super permission on a resource.
[in] | type | Type of resource. |
[in] | field | Field to compare with resource. |
[in] | resource | Resource. |
[in] | trash | Whether resource is in trash. |
int acl_user_is_admin | ( | const char * | uuid | ) |
Check whether a user is an Admin.
[in] | uuid | UUID of user. |
int acl_user_is_observer | ( | const char * | uuid | ) |
Check whether a user is an Observer.
[in] | uuid | UUID of user. |
int acl_user_is_owner | ( | const char * | type, |
const char * | uuid | ||
) |
Test whether a user is the actual owner of a resource.
[in] | type | Type of resource, for example "task". |
[in] | uuid | UUID of resource. |
int acl_user_is_super_admin | ( | const char * | uuid | ) |
Check whether a user is a Super Admin.
[in] | uuid | UUID of user. |
int acl_user_is_user | ( | const char * | uuid | ) |
Check whether a user has the User role.
[in] | uuid | UUID of user. |
int acl_user_may | ( | const char * | operation | ) |
Test whether a user may perform an operation.
[in] | operation | Name of operation. |
int acl_user_owns | ( | const char * | type, |
resource_t | resource, | ||
int | trash | ||
) |
Test whether a user effectively owns a resource.
A Super permission can give a user effective ownership of another user's resource, so this test covers more than the resource's actual owner.
[in] | type | Type of resource, for example "task". |
[in] | resource | Resource. |
[in] | trash | Whether the resource is in the trash. |
int acl_user_owns_trash_uuid | ( | const char * | type, |
const char * | uuid | ||
) |
Test whether a user effectively owns a resource.
A Super permission can give a user effective ownership of another user's resource, so this test covers more than the resource's actual owner.
[in] | type | Type of resource, for example "task". |
[in] | uuid | UUID of resource. |
int acl_user_owns_uuid | ( | const char * | type, |
const char * | uuid, | ||
int | trash | ||
) |
Test whether a user effectively owns a resource.
A Super permission can give a user effective ownership of another user's resource, so this test covers more than the resource's actual owner.
[in] | type | Type of resource, for example "task". |
[in] | uuid | UUID of resource. |
[in] | trash | Whether the resource is in the trash. |
gchar* acl_users_with_access_sql | ( | const char * | type, |
const char * | resource_id, | ||
const char * | users_where | ||
) |
Get an SQL values expression of users that can get a resource.
[in] | type | The resource type. |
[in] | resource_id | The UUID of the resource. |
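[in] | users_where | Optional SQL clause to limit users. This is SQL text rather than a value; presumably it is placed into the generated expression as-is, so callers should build it only from trusted or already-quoted parts. |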
gchar* acl_users_with_access_where | ( | const char * | type, |
const char * | resource_id, | ||
const char * | users_where, | ||
const char * | user_expr | ||
) |
Get a static SQL condition selecting users that can get a resource.
[in] | type | The resource type. |
[in] | resource_id | The UUID of the resource. |
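[in] | users_where | Optional SQL clause to limit users. This is SQL text rather than a value; presumably it is placed into the generated condition as-is, so callers should build it only from trusted or already-quoted parts. |
[in] | user_expr | SQL expression for the user, e.g. the column name. As SQL text it should likewise be program-supplied rather than taken from request input. |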
gchar* acl_where_owned | ( | const char * | type, |
const get_data_t * | get, | ||
int | owned, | ||
const gchar * | owner_filter, | ||
resource_t | resource, | ||
array_t * | permissions, | ||
int | with_optional, | ||
gchar ** | with | ||
) |
Generate the ownership part of an SQL WHERE clause.
[in] | type | Type of resource. |
[in] | get | GET data. |
[in] | owned | Only get items owned by the current user. |
[in] | owner_filter | Owner filter keyword. |
[in] | resource | Resource. |
[in] | permissions | Permissions. |
[in] | with_optional | Whether permissions WITH clauses are optional. |
[out] | with | Address for WITH clause if allowed, else NULL. |
gchar* acl_where_owned_for_get | ( | const char * | type, |
const char * | user_sql, | ||
const char * | with_prefix, | ||
gchar ** | with | ||
) |
Generate ownership part of WHERE, for getting a type of resource.
[in] | type | Type of resource. |
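[in] | user_sql | SQL for getting the user. If NULL, the SQL will be for the current user. Because this is SQL text that presumably becomes part of the generated WHERE clause, callers should pass only program-built SQL here. |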
[in] | with_prefix | Optional prefix for WITH clause. |
[out] | with | Return location for WITH preselection clause if desired, else NULL. |
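static gchar * acl_where_owned_user (const char *user_id, const char *user_sql, const char *type, const get_data_t *get, int owned, const gchar *owner_filter, resource_t resource, array_t *permissions, int with_optional, const char *with_prefix, gchar **with)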
Generate the ownership part of an SQL WHERE clause for a given user.
[in] | user_id | UUID of user. "" can be used to rely on user_sql alone, except when type is "permission". |
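[in] | user_sql | SQL to get the user. Because this is SQL text that presumably becomes part of the generated WHERE clause, callers should pass only program-built SQL here. |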
[in] | type | Type of resource. |
[in] | get | GET data. |
[in] | owned | Only get items accessible by the given user. |
[in] | owner_filter | Owner filter keyword. |
[in] | resource | Resource. |
[in] | permissions | Permissions. |
[in] | with_optional | Whether the WITH clause is optional. |
[in] | with_prefix | Optional prefix for WITH subqueries. |
[out] | with | Address for WITH clause if allowed, else NULL. |
static int strv_case_eq (gchar **strv, const gchar *string)
Check if a string array contains a string, ignoring case.
[in] | strv | String array. |
[in] | string | String. |
static int user_may_internal (const char *operation)
Test whether the current user may perform an operation.
Does not check if the user is special.
[in] | operation | Name of operation. |