Greenbone Vulnerability Manager  22.4.0~dev1
manage_acl.h File Reference

Headers for Greenbone Vulnerability Manager: the Manage library. More...

#include "manage_sql.h"
#include <glib.h>


Macros

#define ACL_USER_MAY_OPTS(resource)
 Generate SQL for user permission check. More...
 
#define ACL_USER_MAY(resource)
 Generate SQL for user permission check. More...
 
#define ACL_IS_GLOBAL()    "owner IS NULL"
 Generate SQL for global check. More...
 
#define ACL_USER_OWNS()
 Generate SQL for user ownership check. More...
 
#define ACL_GLOBAL_OR_USER_OWNS()
 Generate SQL for user ownership check. More...
 

Functions

command_t * acl_commands (gchar **)
 Get commands that the current user may run. More...
 
int acl_user_may (const char *)
 Test whether a user may perform an operation. More...
 
int acl_user_can_everything (const char *)
 Test whether a user may perform any operation. More...
 
int acl_role_can_super_everyone (const char *)
 Check whether a role has Super Admin capability. More...
 
int acl_user_can_super_everyone (const char *)
 Check whether a user is a Super Admin. More...
 
int acl_user_has_super (const char *, user_t)
 Test whether a user has super permission on another user. More...
 
int acl_user_is_admin (const char *)
 Check whether a user is an Admin. More...
 
int acl_user_is_user (const char *)
 Check whether a user has the User role. More...
 
int acl_user_is_super_admin (const char *)
 Check whether a user is a Super Admin. More...
 
int acl_user_is_observer (const char *)
 Check whether a user is an Observer. More...
 
int acl_user_owns (const char *, resource_t, int)
 Test whether a user effectively owns a resource. More...
 
int acl_user_is_owner (const char *, const char *)
 Test whether a user is the actual owner of a resource. More...
 
int acl_user_owns_uuid (const char *, const char *, int)
 Test whether a user effectively owns a resource. More...
 
int acl_user_owns_trash_uuid (const char *resource, const char *uuid)
 Test whether a user effectively owns a resource. More...
 
int acl_user_has_access_uuid (const char *, const char *, const char *, int)
 Test whether the user may access a resource. More...
 
gchar * acl_where_owned (const char *, const get_data_t *, int, const gchar *, resource_t, array_t *, int, gchar **)
 Generate the ownership part of an SQL WHERE clause. More...
 
gchar * acl_where_owned_for_get (const char *, const char *, const char *, gchar **)
 Generate ownership part of WHERE, for getting a type of resource. More...
 
gchar * acl_users_with_access_sql (const char *, const char *, const char *)
 Get an SQL values expression of users that can get a resource. More...
 
gchar * acl_users_with_access_where (const char *, const char *, const char *, const char *)
 Get a static SQL condition selecting users that can get a resource. More...
 

Detailed Description

Headers for Greenbone Vulnerability Manager: the Manage library.

Macro Definition Documentation

◆ ACL_GLOBAL_OR_USER_OWNS

#define ACL_GLOBAL_OR_USER_OWNS ( )
Value:
" ((" ACL_IS_GLOBAL () ")" \
" OR (owner = (SELECT users.id FROM users" \
" WHERE users.uuid = '%s')))"
References ACL_IS_GLOBAL() ("Generate SQL for global check.", defined at manage_acl.h:100).

Generate SQL for user ownership check.

This is the SQL clause for selecting global resources and resources owned directly by the user.

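Caller must supply the single format argument, the user's UUID, as a string. The value is a printf-style format string in which the UUID is substituted for '%s' inside single quotes, so the argument has to be SQL-escaped (or otherwise known to contain no quote characters) before formatting.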

◆ ACL_IS_GLOBAL

#define ACL_IS_GLOBAL ( )     "owner IS NULL"

Generate SQL for global check.

This is the SQL clause for selecting global resources.

◆ ACL_USER_MAY

#define ACL_USER_MAY (   resource)
Value:
"SELECT count(*) > 0 FROM permissions" \
" WHERE resource = " resource \
" AND subject_location = " G_STRINGIFY (LOCATION_TABLE) \
" AND ((subject_type = 'user'" \
" AND subject" \
" = (SELECT id FROM users" \
" WHERE users.uuid = '%s'))" \
" OR (subject_type = 'group'" \
" AND subject" \
" IN (SELECT DISTINCT \"group\"" \
" FROM group_users" \
" WHERE \"user\" = (SELECT id" \
" FROM users" \
" WHERE users.uuid" \
" = '%s')))" \
" OR (subject_type = 'role'" \
" AND subject" \
" IN (SELECT DISTINCT role" \
" FROM role_users" \
" WHERE \"user\" = (SELECT id" \
" FROM users" \
" WHERE users.uuid" \
" = '%s'))))" \
/* Any permission implies GET. */ \
" AND ((lower (substr ('%s', 1, 3)) = 'get'" \
" AND name LIKE '%%'" \
" || lower (substr ('%s'," \
" 5," \
" length ('%s') - 5)))" \
" OR name = lower ('%s'))"

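Generate SQL for user permission check.

The value is a printf-style format string, not finished SQL. The resource argument is joined in by string-literal concatenation, so it has to expand to a string literal at compile time. The seven '%s' placeholders are filled when the string is formatted: the first three with the user's UUID, the remaining four apparently with the operation name ('%%' becomes a literal '%' for the LIKE pattern). Every placeholder sits inside single quotes, so each argument has to be SQL-escaped before formatting.

Parameters
[in] resource — Resource.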

◆ ACL_USER_MAY_OPTS

#define ACL_USER_MAY_OPTS (   resource)
Value:
/* This part is 'Any resource type' case from acl_where_owned_user. */ \
/* */ \
/* Either the user is the owner. */ \
" ((" resource ".owner = opts.user_id)" \
/* Or the user has super permission on all. */ \
" OR EXISTS (SELECT * FROM permissions_subject" \
" WHERE name = 'Super'" \
" AND (resource = 0))" \
/* Or the user has super permission on the owner, */ \
/* (directly, via the role, or via the group). */ \
" OR " resource ".owner IN (SELECT *" \
" FROM super_on_users)" \
/* Or there's a resource-level permission. */ \
/* */ \
/* This part is permission_clause in acl_where_owned_user. */ \
" OR EXISTS (SELECT id FROM permissions_subject" \
" WHERE resource = " resource ".id" \
" AND resource_type = opts.type" \
" AND resource_location = " G_STRINGIFY (LOCATION_TABLE) \
/* Any permission. */ \
" AND (t ())))"

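Generate SQL for user permission check.

The value contains no format placeholders. The resource argument is joined in by string-literal concatenation and is used as a table qualifier (resource.owner, resource.id), so it has to expand to a string literal at compile time. The fragment refers to opts, permissions_subject and super_on_users, none of which it defines, so the enclosing query has to provide them.

Parameters
[in] resource — Resource.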

◆ ACL_USER_OWNS

#define ACL_USER_OWNS ( )
Value:
" (owner = (SELECT users.id FROM users" \
" WHERE users.uuid = '%s'))"

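Generate SQL for user ownership check.

This is the SQL clause for selecting resources owned directly by the user. Unlike ACL_GLOBAL_OR_USER_OWNS, the value shown above has no ACL_IS_GLOBAL() term, so global resources (owner IS NULL) are not matched.

Caller must supply the single format argument, the user's UUID, as a string. The UUID is substituted for '%s' inside single quotes, so the argument has to be SQL-escaped (or otherwise known to contain no quote characters) before formatting.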

Function Documentation

◆ acl_commands()

command_t* acl_commands ( gchar **  disabled_commands)

Get commands that the current user may run.

Parameters
[in] disabled_commands — All disabled commands.
Returns
Freshly allocated list of commands. Free with g_free.

◆ acl_role_can_super_everyone()

int acl_role_can_super_everyone ( const char *  role_id)

Check whether a role has Super Admin capability.

Parameters
[in] role_id — ID of role.
Returns
1 if role can Super Admin, else 0.

◆ acl_user_can_everything()

int acl_user_can_everything ( const char *  user_id)

Test whether a user may perform any operation.

Parameters
[in] user_id — UUID of user.
Returns
1 if user has permission, else 0.

◆ acl_user_can_super_everyone()

int acl_user_can_super_everyone ( const char *  uuid)

Check whether a user is a Super Admin.

Parameters
[in] uuid — UUID of user.
Returns
1 if user is a Super Admin, else 0.

◆ acl_user_has_access_uuid()

int acl_user_has_access_uuid ( const char *  type,
const char *  uuid,
const char *  permission,
int  trash 
)

Test whether the user may access a resource.

Parameters
[in] type — Type of resource, for example "task".
[in] uuid — UUID of resource.
[in] permission — Permission.
[in] trash — Whether the resource is in the trash.
Returns
1 if user may access resource, else 0.

◆ acl_user_has_super()

int acl_user_has_super ( const char *  super_user_id,
user_t  other_user 
)

Test whether a user has super permission on another user.

Parameters
[in] super_user_id — UUID of user who may have super permission.
[in] other_user — Other user.
Returns
1 if user has permission, else 0.

◆ acl_user_is_admin()

int acl_user_is_admin ( const char *  uuid)

Check whether a user is an Admin.

Parameters
[in] uuid — UUID of user.
Returns
1 if user is an Admin, else 0.

◆ acl_user_is_observer()

int acl_user_is_observer ( const char *  uuid)

Check whether a user is an Observer.

Parameters
[in] uuid — UUID of user.
Returns
1 if user is an Observer, else 0.

◆ acl_user_is_owner()

int acl_user_is_owner ( const char *  type,
const char *  uuid 
)

Test whether a user is the actual owner of a resource.

Parameters
[in] type — Type of resource, for example "task".
[in] uuid — UUID of resource.
Returns
1 if user actually owns resource, else 0.

◆ acl_user_is_super_admin()

int acl_user_is_super_admin ( const char *  uuid)

Check whether a user is a Super Admin.

Parameters
[in] uuid — UUID of user.
Returns
1 if user is a Super Admin, else 0.

◆ acl_user_is_user()

int acl_user_is_user ( const char *  uuid)

Check whether a user has the User role.

Parameters
[in] uuid — UUID of user.
Returns
1 if user has the User role, else 0.

◆ acl_user_may()

int acl_user_may ( const char *  operation)

Test whether a user may perform an operation.

Parameters
[in] operation — Name of operation.
Returns
1 if user has permission, else 0.

◆ acl_user_owns()

int acl_user_owns ( const char *  type,
resource_t  resource,
int  trash 
)

Test whether a user effectively owns a resource.

A Super permission can give a user effective ownership of another user's resource.

Parameters
[in] type — Type of resource, for example "task".
[in] resource — Resource.
[in] trash — Whether the resource is in the trash.
Returns
1 if user owns resource, else 0.

◆ acl_user_owns_trash_uuid()

int acl_user_owns_trash_uuid ( const char *  type,
const char *  uuid 
)

Test whether a user effectively owns a resource.

A Super permission can give a user effective ownership of another user's resource.

Parameters
[in] type — Type of resource, for example "task".
[in] uuid — UUID of resource.
Returns
1 if user owns resource, else 0.

◆ acl_user_owns_uuid()

int acl_user_owns_uuid ( const char *  type,
const char *  uuid,
int  trash 
)

Test whether a user effectively owns a resource.

A Super permission can give a user effective ownership of another user's resource.

Parameters
[in] type — Type of resource, for example "task".
[in] uuid — UUID of resource.
[in] trash — Whether the resource is in the trash.
Returns
1 if user owns resource, else 0.

◆ acl_users_with_access_sql()

gchar* acl_users_with_access_sql ( const char *  type,
const char *  resource_id,
const char *  users_where 
)

Get an SQL values expression of users that can get a resource.

Parameters
[in] type — The resource type.
[in] resource_id — The UUID of the resource.
[in] users_where — Optional clause to limit users.
Returns
Newly allocated SQL string or NULL if no users have access.

◆ acl_users_with_access_where()

gchar* acl_users_with_access_where ( const char *  type,
const char *  resource_id,
const char *  users_where,
const char *  user_expr 
)

Get a static SQL condition selecting users that can get a resource.

Parameters
[in] type — The resource type.
[in] resource_id — The UUID of the resource.
[in] users_where — Optional clause to limit users.
[in] user_expr — Expression for the user, e.g. the column name.
Returns
Newly allocated SQL string or NULL if no users have access.

◆ acl_where_owned()

gchar* acl_where_owned ( const char *  type,
const get_data_t *  get,
int  owned,
const gchar *  owner_filter,
resource_t  resource,
array_t *  permissions,
int  with_optional,
gchar **  with 
)

Generate the ownership part of an SQL WHERE clause.

Parameters
[in] type — Type of resource.
[in] get — GET data.
[in] owned — Only get items owned by the current user.
[in] owner_filter — Owner filter keyword.
[in] resource — Resource.
[in] permissions — Permissions.
[in] with_optional — Whether permissions WITH clauses are optional.
[out] with — Address for WITH clause if allowed, else NULL.
Returns
Newly allocated owned clause.

◆ acl_where_owned_for_get()

gchar* acl_where_owned_for_get ( const char *  type,
const char *  user_sql,
const char *  with_prefix,
gchar **  with 
)

Generate ownership part of WHERE, for getting a type of resource.

Parameters
[in] type — Type of resource.
[in] user_sql — SQL for getting user. If NULL SQL will be for current user.
[in] with_prefix — Optional prefix for WITH clause.
[out] with — Return location for WITH preselection clause if desired, else NULL.
Returns
Newly allocated owned clause.