Greenbone Vulnerability Manager  22.4.0~dev1
Macros | Functions
manage_acl.c File Reference

The Greenbone Vulnerability Manager management library (Access Control Layer). More...

#include "manage_acl.h"
#include "manage_sql.h"
#include "sql.h"
#include <assert.h>
#include <stdlib.h>
#include <string.h>

Macros

#define G_LOG_DOMAIN   "md manage"
 GLib log domain.
 
#define ACL_SUPER_CLAUSE(format)
 Super clause. More...
 
#define ACL_SUPER_CLAUSE_ARGS(type, field, value, user_id, trash)
 Super clause arguments. More...
 

Functions

static int user_may_internal (const char *operation)
 Test whether the current user may perform an operation. More...
 
static int strv_case_eq (gchar **strv, const gchar *string)
 Check if a string array contains a string, ignoring case. More...
 
command_tacl_commands (gchar **disabled_commands)
 Get commands that the current user may run. More...
 
int acl_user_may (const char *operation)
 Test whether a user may perform an operation. More...
 
int acl_role_can_super_everyone (const char *role_id)
 Check whether a role has Super Admin capability. More...
 
int acl_user_can_super_everyone (const char *uuid)
 Check whether a user is a Super Admin. More...
 
int acl_user_can_everything (const char *user_id)
 Test whether a user may perform any operation. More...
 
int acl_user_has_super (const char *super_user_id, user_t other_user)
 Test whether a user has super permission on another user. More...
 
int acl_user_is_admin (const char *uuid)
 Check whether a user is an Admin. More...
 
int acl_user_is_observer (const char *uuid)
 Check whether a user is an Observer. More...
 
int acl_user_is_super_admin (const char *uuid)
 Check whether a user is a Super Admin. More...
 
int acl_user_is_user (const char *uuid)
 Check whether a user has the User role. More...
 
static int acl_user_has_super_on (const char *type, const char *field, const char *value, int trash)
 Test whether a user has Super permission on a resource. More...
 
static int acl_user_has_super_on_resource (const char *type, const char *field, resource_t resource, int trash)
 Test whether a user has Super permission on a resource. More...
 
int acl_user_is_owner (const char *type, const char *uuid)
 Test whether a user is the actual owner of a resource. More...
 
int acl_user_owns_uuid (const char *type, const char *uuid, int trash)
 Test whether a user effectively owns a resource. More...
 
int acl_user_owns (const char *type, resource_t resource, int trash)
 Test whether a user effectively owns a resource. More...
 
int acl_user_owns_trash_uuid (const char *type, const char *uuid)
 Test whether a user effectively owns a resource. More...
 
int acl_user_has_access_uuid (const char *type, const char *uuid, const char *permission, int trash)
 Test whether the user may access a resource. More...
 
static gchar * acl_where_owned_user (const char *user_id, const char *user_sql, const char *type, const get_data_t *get, int owned, const gchar *owner_filter, resource_t resource, array_t *permissions, int with_optional, const char *with_prefix, gchar **with)
 Generate the ownership part of an SQL WHERE clause for a given user. More...
 
gchar * acl_where_owned (const char *type, const get_data_t *get, int owned, const gchar *owner_filter, resource_t resource, array_t *permissions, int with_optional, gchar **with)
 Generate the ownership part of an SQL WHERE clause. More...
 
gchar * acl_where_owned_for_get (const char *type, const char *user_sql, const char *with_prefix, gchar **with)
 Generate ownership part of WHERE, for getting a type of resource. More...
 
gchar * acl_users_with_access_sql (const char *type, const char *resource_id, const char *users_where)
 Get an SQL values expression of users that can get a resource. More...
 
gchar * acl_users_with_access_where (const char *type, const char *resource_id, const char *users_where, const char *user_expr)
 Get a static SQL condition selecting users that can get a resource. More...
 

Detailed Description

The Greenbone Vulnerability Manager management library (Access Control Layer).

This file isolates the access control portions of the GVM management library.

Macro Definition Documentation

◆ ACL_SUPER_CLAUSE

#define ACL_SUPER_CLAUSE (   format)

Super clause.

Parameters
[in]formatValue format specifier.

◆ ACL_SUPER_CLAUSE_ARGS

#define ACL_SUPER_CLAUSE_ARGS (   type,
  field,
  value,
  user_id,
  trash 
)
Value:
type, \
trash ? (strcasecmp (type, "task") ? "_trash" : "") : "", \
type, \
trash ? (strcasecmp (type, "task") ? "_trash" : "") : "", \
field, \
value, \
type, \
trash ? (strcasecmp (type, "task") ? "_trash" : "") : "", \
type, \
trash ? (strcasecmp (type, "task") ? "_trash" : "") : "", \
field, \
value, \
type, \
trash ? (strcasecmp (type, "task") ? "_trash" : "") : "", \
type, \
trash ? (strcasecmp (type, "task") ? "_trash" : "") : "", \
field, \
value, \
user_id, \
user_id, \
user_id

Super clause arguments.

Parameters
[in]typeType of resource.
[in]fieldField to compare. Typically "uuid".
[in]valueExpected value of field.
[in]user_idUUID of user.
[in]trashWhether to search trash.

Function Documentation

◆ acl_commands()

command_t* acl_commands ( gchar **  disabled_commands)

Get commands that the current user may run.

Parameters
[in]disabled_commandsAll disabled commands.
Returns
Freshly allocated list of commands. Free with g_free.

◆ acl_role_can_super_everyone()

int acl_role_can_super_everyone ( const char *  role_id)

Check whether a role has Super Admin capability.

Parameters
[in]role_idID of role.
Returns
1 if role can Super Admin, else 0.

◆ acl_user_can_everything()

int acl_user_can_everything ( const char *  user_id)

Test whether a user may perform any operation.

Parameters
[in]user_idUUID of user.
Returns
1 if user has permission, else 0.

◆ acl_user_can_super_everyone()

int acl_user_can_super_everyone ( const char *  uuid)

Check whether a user is a Super Admin.

Parameters
[in]uuidUuid of user.
Returns
1 if user is a Super Admin, else 0.

◆ acl_user_has_access_uuid()

int acl_user_has_access_uuid ( const char *  type,
const char *  uuid,
const char *  permission,
int  trash 
)

Test whether the user may access a resource.

Parameters
[in]typeType of resource, for example "task".
[in]uuidUUID of resource.
[in]permissionPermission.
[in]trashWhether the resource is in the trash.
Returns
1 if user may access resource, else 0.

◆ acl_user_has_super()

int acl_user_has_super ( const char *  super_user_id,
user_t  other_user 
)

Test whether a user has super permission on another user.

Parameters
[in]super_user_idUUID of user who may have super permission.
[in]other_userOther user.
Returns
1 if user has permission, else 0.

◆ acl_user_has_super_on()

static int acl_user_has_super_on ( const char *  type,
const char *  field,
const char *  value,
int  trash 
)
static

Test whether a user has Super permission on a resource.

Parameters
[in]typeType of resource.
[in]fieldField to compare with value.
[in]valueIdentifier value of resource.
[in]trashWhether resource is in trash.
Returns
1 if user has Super, else 0.

◆ acl_user_has_super_on_resource()

static int acl_user_has_super_on_resource ( const char *  type,
const char *  field,
resource_t  resource,
int  trash 
)
static

Test whether a user has Super permission on a resource.

Parameters
[in]typeType of resource.
[in]fieldField to compare with resource.
[in]resourceResource.
[in]trashWhether resource is in trash.
Returns
1 if user has Super, else 0.

◆ acl_user_is_admin()

int acl_user_is_admin ( const char *  uuid)

Check whether a user is an Admin.

Parameters
[in]uuidUuid of user.
Returns
1 if user is an Admin, else 0.

◆ acl_user_is_observer()

int acl_user_is_observer ( const char *  uuid)

Check whether a user is an Observer.

Parameters
[in]uuidUuid of user.
Returns
1 if user is an Observer, else 0.

◆ acl_user_is_owner()

int acl_user_is_owner ( const char *  type,
const char *  uuid 
)

Test whether a user is the actual owner of a resource.

Parameters
[in]typeType of resource, for example "task".
[in]uuidUUID of resource.
Returns
1 if user actually owns resource, else 0.

◆ acl_user_is_super_admin()

int acl_user_is_super_admin ( const char *  uuid)

Check whether a user is a Super Admin.

Parameters
[in]uuidUuid of user.
Returns
1 if user is a Super Admin, else 0.

◆ acl_user_is_user()

int acl_user_is_user ( const char *  uuid)

Check whether a user has the User role.

Parameters
[in]uuidUuid of user.
Returns
1 if user has the User role, else 0.

◆ acl_user_may()

int acl_user_may ( const char *  operation)

Test whether a user may perform an operation.

Parameters
[in]operationName of operation.
Returns
1 if user has permission, else 0.

◆ acl_user_owns()

int acl_user_owns ( const char *  type,
resource_t  resource,
int  trash 
)

Test whether a user effectively owns a resource.

A Super permissions can give a user effective ownership of another user's resource.

Parameters
[in]typeType of resource, for example "task".
[in]resourceResource.
[in]trashWhether the resource is in the trash.
Returns
1 if user owns resource, else 0.

◆ acl_user_owns_trash_uuid()

int acl_user_owns_trash_uuid ( const char *  type,
const char *  uuid 
)

Test whether a user effectively owns a resource.

A Super permissions can give a user effective ownership of another user's resource.

Parameters
[in]typeType of resource, for example "task".
[in]uuidUUID of resource.
Returns
1 if user owns resource, else 0.

◆ acl_user_owns_uuid()

int acl_user_owns_uuid ( const char *  type,
const char *  uuid,
int  trash 
)

Test whether a user effectively owns a resource.

A Super permissions can give a user effective ownership of another user's resource.

Parameters
[in]typeType of resource, for example "task".
[in]uuidUUID of resource.
[in]trashWhether the resource is in the trash.
Returns
1 if user owns resource, else 0.

◆ acl_users_with_access_sql()

gchar* acl_users_with_access_sql ( const char *  type,
const char *  resource_id,
const char *  users_where 
)

Get an SQL values expression of users that can get a resource.

Parameters
[in]typeThe resource type.
[in]resource_idThe UUID of the resource.
[in]users_whereOptional clause to limit users.
Returns
Newly allocated SQL string or NULL if no users have access.

◆ acl_users_with_access_where()

gchar* acl_users_with_access_where ( const char *  type,
const char *  resource_id,
const char *  users_where,
const char *  user_expr 
)

Get a static SQL condition selecting users that can get a resource.

Parameters
[in]typeThe resource type.
[in]resource_idThe UUID of the resource.
[in]users_whereOptional clause to limit users.
[in]user_exprExpression for the user, e.g. the column name.
Returns
Newly allocated SQL string or NULL if no users have access.

◆ acl_where_owned()

gchar* acl_where_owned ( const char *  type,
const get_data_t get,
int  owned,
const gchar *  owner_filter,
resource_t  resource,
array_t *  permissions,
int  with_optional,
gchar **  with 
)

Generate the ownership part of an SQL WHERE clause.

Parameters
[in]typeType of resource.
[in]getGET data.
[in]ownedOnly get items owned by the current user.
[in]owner_filterOwner filter keyword.
[in]resourceResource.
[in]permissionsPermissions.
[in]with_optionalWhether permissions WITH clauses are optional.
[out]withAddress for WITH clause if allowed, else NULL.
Returns
Newly allocated owned clause.

◆ acl_where_owned_for_get()

gchar* acl_where_owned_for_get ( const char *  type,
const char *  user_sql,
const char *  with_prefix,
gchar **  with 
)

Generate ownership part of WHERE, for getting a type of resource.

Parameters
[in]typeType of resource.
[in]user_sqlSQL for getting user. If NULL SQL will be for current user.
[in]with_prefixOptional prefix for WITH clause.
[out]withReturn location for WITH preselection clause if desired, else NULL.
Returns
Newly allocated owned clause.

◆ acl_where_owned_user()

static gchar* acl_where_owned_user ( const char *  user_id,
const char *  user_sql,
const char *  type,
const get_data_t get,
int  owned,
const gchar *  owner_filter,
resource_t  resource,
array_t *  permissions,
int  with_optional,
const char *  with_prefix,
gchar **  with 
)
static

Generate the ownership part of an SQL WHERE clause for a given user.

Parameters
[in]user_idUUID of user. "" can be used to rely on user_sql alone, except when type is "permission".
[in]user_sqlSQL to get user.
[in]typeType of resource.
[in]getGET data.
[in]ownedOnly get items accessible by the given user.
[in]owner_filterOwner filter keyword.
[in]resourceResource.
[in]permissionsPermissions.
[in]with_optionalWhether the WITH clause is optional.
[in]with_prefixOptional prefix for WITH subqueries.
[out]withAddress for WITH clause if allowed, else NULL.
Returns
Newly allocated owned clause.

◆ strv_case_eq()

static int strv_case_eq ( gchar **  strv,
const gchar *  string 
)
static

Check if a string array contains a string, ignoring case.

Parameters
[in]strvString array.
[in]stringString.
Returns
1 if strv contains string, else 0.

◆ user_may_internal()

static int user_may_internal ( const char *  operation)
static

Test whether the current user may perform an operation.

Does not check if the user is special.

Parameters
[in]operationName of operation.
Returns
1 if user has permission, else 0.