Greenbone Vulnerability Manager  22.4.0~dev1
manage_acl.h
1 /* Copyright (C) 2013-2022 Greenbone Networks GmbH
2  *
3  * SPDX-License-Identifier: AGPL-3.0-or-later
4  *
5  * This program is free software: you can redistribute it and/or modify
6  * it under the terms of the GNU Affero General Public License as
7  * published by the Free Software Foundation, either version 3 of the
8  * License, or (at your option) any later version.
9  *
10  * This program is distributed in the hope that it will be useful,
11  * but WITHOUT ANY WARRANTY; without even the implied warranty of
12  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13  * GNU Affero General Public License for more details.
14  *
15  * You should have received a copy of the GNU Affero General Public License
16  * along with this program. If not, see <http://www.gnu.org/licenses/>.
17  */
18 
24 #ifndef _GVMD_MANAGE_ACL_H
25 #define _GVMD_MANAGE_ACL_H
26 
27 #include "manage_sql.h"
28 #include <glib.h>
29 
/**
 * @brief SQL condition: may the user named by opts.user_id access a row of
 *        the given resource table?
 *
 * The condition holds when the user owns the row, holds a 'Super' permission
 * on everything (resource = 0), has super permission on the row's owner, or
 * holds any resource-level permission on the row.
 *
 * @param resource  Table name or alias.  It is joined in by adjacent
 *                  string-literal concatenation, so it has to be a
 *                  compile-time string literal and cannot carry a runtime
 *                  value.
 *
 * NOTE(review): the fragment refers to opts, permissions_subject and
 * super_on_users, none of which is defined in this header; presumably the
 * enclosing query supplies them -- confirm at the call sites.  The trailing
 * "t ()" is presumably an SQL function that is always true ("Any
 * permission") -- confirm.
 *
 * This fragment is the access filter: a query over the resource table that
 * leaves it out gets no ownership or permission check from this header.
 */
35 #define ACL_USER_MAY_OPTS(resource) \
36  /* This part is 'Any resource type' case from acl_where_owned_user. */ \
37  /* */ \
38  /* Either the user is the owner. */ \
39  " ((" resource ".owner = opts.user_id)" \
40  /* Or the user has super permission on all. */ \
41  " OR EXISTS (SELECT * FROM permissions_subject" \
42  " WHERE name = 'Super'" \
43  " AND (resource = 0))" \
44  /* Or the user has super permission on the owner, */ \
45  /* (directly, via the role, or via the group). */ \
46  " OR " resource ".owner IN (SELECT *" \
47  " FROM super_on_users)" \
48  /* Or there's a resource-level permission. */ \
49  /* */ \
50  /* This part is permission_clause in acl_where_owned_user. */ \
51  " OR EXISTS (SELECT id FROM permissions_subject" \
52  " WHERE resource = " resource ".id" \
53  " AND resource_type = opts.type" \
54  " AND resource_location = " G_STRINGIFY (LOCATION_TABLE) \
55  /* Any permission. */ \
56  " AND (t ())))"
57 
/**
 * @brief SQL template: does a permission on a resource exist for a user,
 *        directly or through one of the user's groups or roles, that covers
 *        a given operation?
 *
 * The '%s' conversions and the escaped '%%' show that the text is meant to
 * go through a printf-style formatter before it reaches the database.  It
 * holds seven '%s' conversions, in this order: the user UUID three times
 * (user, group and role branches), then four more that are presumably all
 * the operation name (prefix test against 'get', the two substr/length
 * arguments, and the exact-name test) -- confirm against the callers.
 * After formatting, '%%' is a single '%', i.e. an SQL LIKE wildcard.
 *
 * @param resource  SQL expression for the resource id.  It is joined in by
 *                  adjacent string-literal concatenation, so it has to be a
 *                  compile-time string literal.
 *
 * Every '%s' lands inside a single-quoted SQL string literal, so the
 * template itself gives no protection against SQL injection: each value has
 * to be SQL-quoted (or otherwise constrained) before it is formatted in.
 * NOTE(review): no quoting is visible in this header -- confirm it at each
 * call site.  The operation value also becomes part of a LIKE pattern, where
 * '%' and '_' in the value would act as wildcards and widen the match.
 */
63 #define ACL_USER_MAY(resource) \
64  "SELECT count(*) > 0 FROM permissions" \
65  " WHERE resource = " resource \
66  " AND subject_location = " G_STRINGIFY (LOCATION_TABLE) \
67  " AND ((subject_type = 'user'" \
68  " AND subject" \
69  " = (SELECT id FROM users" \
70  " WHERE users.uuid = '%s'))" \
71  " OR (subject_type = 'group'" \
72  " AND subject" \
73  " IN (SELECT DISTINCT \"group\"" \
74  " FROM group_users" \
75  " WHERE \"user\" = (SELECT id" \
76  " FROM users" \
77  " WHERE users.uuid" \
78  " = '%s')))" \
79  " OR (subject_type = 'role'" \
80  " AND subject" \
81  " IN (SELECT DISTINCT role" \
82  " FROM role_users" \
83  " WHERE \"user\" = (SELECT id" \
84  " FROM users" \
85  " WHERE users.uuid" \
86  " = '%s'))))" \
87  /* Any permission implies GET. */ \
88  " AND ((lower (substr ('%s', 1, 3)) = 'get'" \
89  " AND name LIKE '%%'" \
90  " || lower (substr ('%s'," \
91  " 5," \
92  " length ('%s') - 5)))" \
93  " OR name = lower ('%s'))"
94 
/**
 * @brief SQL condition that is true for a row whose owner column is NULL.
 *
 * The macro name treats an ownerless row as "global".  The condition refers
 * to an unqualified "owner" column, so it applies to whichever table the
 * surrounding query resolves that name to.
 */
100 #define ACL_IS_GLOBAL() \
101  "owner IS NULL"
102 
/**
 * @brief SQL template: the row's owner is the user with a given UUID.
 *
 * Holds one '%s' conversion, the user UUID, placed inside a single-quoted
 * SQL string literal.  The template does no escaping of its own, so the
 * value has to be SQL-quoted before it is formatted in.
 * NOTE(review): quoting is not visible in this header -- confirm it at each
 * call site.
 */
111 #define ACL_USER_OWNS() \
112  " (owner = (SELECT users.id FROM users" \
113  " WHERE users.uuid = '%s'))"
114 
/**
 * @brief SQL template: the row is ownerless (ACL_IS_GLOBAL) or is owned by
 *        the user with a given UUID.
 *
 * Holds one '%s' conversion, the user UUID, placed inside a single-quoted
 * SQL string literal.  The template does no escaping of its own, so the
 * value has to be SQL-quoted before it is formatted in.
 * NOTE(review): quoting is not visible in this header -- confirm it at each
 * call site.  Because ownerless rows match for every user, this condition is
 * broader than a plain ownership test.
 */
123 #define ACL_GLOBAL_OR_USER_OWNS() \
124  " ((" ACL_IS_GLOBAL () ")" \
125  " OR (owner = (SELECT users.id FROM users" \
126  " WHERE users.uuid = '%s')))"
127 
/*
 * Access-control entry points, defined in manage_acl.c.  Most parameters are
 * unnamed in this header, so their meaning has to be read from the
 * definitions.  NOTE(review): the int results are presumably boolean-style
 * answers to the stated test -- confirm the exact return values, including
 * any error value, in manage_acl.c before relying on them in an
 * authorization decision.
 */

/* Get commands that the current user may run. */
128 command_t *
129 acl_commands (gchar **);
130 
/* Test whether a user may perform an operation. */
131 int
132 acl_user_may (const char *);
133 
/* Test whether a user may perform any operation. */
134 int
135 acl_user_can_everything (const char *);
136 
/* Check whether a role has Super Admin capability. */
137 int
138 acl_role_can_super_everyone (const char *);
139 
/* Check whether a user is a Super Admin. */
140 int
141 acl_user_can_super_everyone (const char *);
142 
/* Test whether a user has super permission on another user. */
143 int
144 acl_user_has_super (const char *, user_t);
145 
/* Check whether a user is an Admin. */
146 int
147 acl_user_is_admin (const char *);
148 
/* Check whether a user has the User role. */
149 int
150 acl_user_is_user (const char *);
151 
/* Check whether a user is a Super Admin. */
152 int
153 acl_user_is_super_admin (const char *);
154 
/* Check whether a user is an Observer. */
155 int
156 acl_user_is_observer (const char *);
157 
/* Test whether a user effectively owns a resource. */
158 int
159 acl_user_owns (const char *, resource_t, int);
160 
/* Test whether a user is the actual owner of a resource. */
161 int
162 acl_user_is_owner (const char *, const char *);
163 
/* Test whether a user effectively owns a resource. */
164 int
165 acl_user_owns_uuid (const char *, const char *, int);
166 
/* Test whether a user effectively owns a resource. */
/* NOTE(review): the name suggests a resource in the trashcan -- confirm. */
167 int
168 acl_user_owns_trash_uuid (const char *resource, const char *uuid);
169 
/* Test whether the user may access a resource. */
170 int
171 acl_user_has_access_uuid (const char *, const char *, const char *, int);
172 
/* Generate the ownership part of an SQL WHERE clause. */
/* NOTE(review): returns SQL text as gchar *; presumably the caller frees */
/* it -- confirm in manage_acl.c. */
173 gchar *
174 acl_where_owned (const char *, const get_data_t *, int, const gchar *, resource_t,
175  array_t *, int, gchar **);
176 
/* Generate ownership part of WHERE, for getting a type of resource. */
177 gchar *
178 acl_where_owned_for_get (const char *, const char *, const char *, gchar **);
179 
/* Get an SQL values expression of users that can get a resource. */
180 gchar *
181 acl_users_with_access_sql (const char *, const char *, const char *);
182 
/* Get a static SQL condition selecting users that can get a resource. */
183 gchar *
184 acl_users_with_access_where (const char *, const char *, const char *,
185  const char*);
186 
187 #endif /* not _GVMD_MANAGE_ACL_H */
long long int resource_t
A resource, like a task or target.
Definition: iterator.h:39
gchar * acl_users_with_access_sql(const char *, const char *, const char *)
Get an SQL values expression of users that can get a resource.
Definition: manage_acl.c:1578
int acl_user_is_super_admin(const char *)
Check whether a user is a Super Admin.
Definition: manage_acl.c:427
int acl_user_can_super_everyone(const char *)
Check whether a user is a Super Admin.
Definition: manage_acl.c:212
int acl_user_is_admin(const char *)
Check whether a user is an Admin.
Definition: manage_acl.c:381
command_t * acl_commands(gchar **)
Get commands that the current user may run.
Definition: manage_acl.c:106
int acl_user_is_user(const char *)
Check whether a user has the User role.
Definition: manage_acl.c:450
int acl_user_has_super(const char *, user_t)
Test whether a user has super permission on another user.
Definition: manage_acl.c:311
int acl_user_owns_trash_uuid(const char *resource, const char *uuid)
Test whether a user effectively owns a resource.
Definition: manage_acl.c:775
int acl_user_owns(const char *, resource_t, int)
Test whether a user effectively owns a resource.
Definition: manage_acl.c:722
gchar * acl_users_with_access_where(const char *, const char *, const char *, const char *)
Get a static SQL condition selecting users that can get a resource.
Definition: manage_acl.c:1641
int acl_role_can_super_everyone(const char *)
Check whether a role has Super Admin capability.
Definition: manage_acl.c:180
int acl_user_is_observer(const char *)
Check whether a user is an Observer.
Definition: manage_acl.c:404
int acl_user_may(const char *)
Test whether a user may perform an operation.
Definition: manage_acl.c:159
gchar * acl_where_owned(const char *, const get_data_t *, int, const gchar *, resource_t, array_t *, int, gchar **)
Generate the ownership part of an SQL WHERE clause.
Definition: manage_acl.c:1498
int acl_user_is_owner(const char *, const char *)
Test whether a user is the actual owner of a resource.
Definition: manage_acl.c:616
int acl_user_has_access_uuid(const char *, const char *, const char *, int)
Test whether the user may access a resource.
Definition: manage_acl.c:810
gchar * acl_where_owned_for_get(const char *, const char *, const char *, gchar **)
Generate ownership part of WHERE, for getting a type of resource.
Definition: manage_acl.c:1528
int acl_user_can_everything(const char *)
Test whether a user may perform any operation.
Definition: manage_acl.c:264
int acl_user_owns_uuid(const char *, const char *, int)
Test whether a user effectively owns a resource.
Definition: manage_acl.c:649
A command.
Definition: manage.h:151
Command data for a get command.
Definition: manage_get.h:35