else if (key == "TokenLife") {
this->tokenLife_ = (unsigned)atoi(value.c_str());
}
+ else if (key == "Allow") {
+ this->allow_ = value;
+ }
+ else if (key == "Deny") {
+ this->deny_ = value;
+ }
else
throw DmException(DMLITE_CFGERR(DMLITE_UNKNOWN_KEY),
"Unrecognised option " + key);
Catalog* VfsFactory::createCatalog(PluginManager*) throw (DmException)
{
- return new VfsCatalog(this->hostName_);
+ return new VfsCatalog(this->hostName_, this->allow_, this->deny_);
}
#include <dmlite/cpp/dmlite.h>
#include <dmlite/cpp/utils/urls.h>
#include <errno.h>
+#include <regex.h>
#include <unistd.h>
#include <algorithm>
#include "Vfs.h"
}
-VfsCatalog::VfsCatalog(const std::string& host) throw (DmException): Catalog(),
+VfsCatalog::VfsCatalog(const std::string& host, const std::string &allow, const std::string &deny) throw (DmException): Catalog(),
hostName_(host)
{
- // Nothing
+ regex_t regex;
+ int ret;
+ char buf[256];
+
+ this->allowRegex = 0;
+ if (!allow.empty()) {
+//fprintf(stderr, "allow regex: '%s'\n", allow.c_str());
+ if ((ret = regcomp(®ex, allow.c_str(), REG_EXTENDED | REG_NOSUB)) != 0) {
+ regerror(ret, ®ex, buf, sizeof buf);
+ vfsThrow(EINVAL, "invalid regular expresion for 'Allow': %s", buf);
+ }
+ this->allowRegex = new regex_t(regex);
+ }
+ this->denyRegex = 0;
+ if (!deny.empty()) {
+//fprintf(stderr, "deny regex: '%s'\n", deny.c_str());
+ if ((ret = regcomp(®ex, deny.c_str(), REG_EXTENDED | REG_NOSUB)) != 0)
+ vfsThrow(EINVAL, "invalid regular expresion for 'Deny': %s", buf);
+ this->denyRegex = new regex_t(regex);
+ }
}
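Review bot: In the 'Deny' branch the regcomp() failure path hands `buf` to vfsThrow() without calling regerror() first, so the `%s` argument reads an uninitialised stack buffer. It needs the same braces and `regerror(ret, &regex, buf, sizeof buf);` call that the 'Allow' branch has. When that throw fires after `allowRegex` was allocated, the destructor does not run for the half-constructed object, so the compiled Allow pattern is never passed to regfree()/delete; release it before throwing. `allowCurrent` is not set anywhere in this constructor, so unless the header gives it a default, a checkPermissions() call made before setSecurityContext() reads an indeterminate value; adding `this->allowCurrent = false;` here keeps that path fail-closed.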
VfsCatalog::~VfsCatalog()
{
- // Nothing
+ if (this->allowRegex) {
+ regfree(this->allowRegex);
+ delete this->allowRegex;
+ }
+ if (this->denyRegex) {
+ regfree(this->denyRegex);
+ delete this->denyRegex;
+ }
}
void VfsCatalog::setSecurityContext(const SecurityContext* ctx) throw (DmException)
{
+ std::string subj = ctx->credentials.clientName;
secCtx_ = ctx;
+ int ret;
+
+ this->allowCurrent = false;
+ if (this->allowRegex) {
+ if ((ret = regexec(this->allowRegex, subj.c_str(), 0, NULL, 0)) == 0)
+ this->allowCurrent = true;
+//fprintf(stderr, "'%s' %s allow regexp\n", subj.c_str(), ((ret == 0) ? "matches" : "not matches"));
+ }
+ if (this->allowCurrent && this->denyRegex) {
+ if ((ret = regexec(this->denyRegex, subj.c_str(), 0, NULL, 0)) == 0)
+ this->allowCurrent = false;
+//fprintf(stderr, "'%s' %s deny regexp\n", subj.c_str(), ret == 0 ? "matches" : "not matches");
+ }
}
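Review bot: The deny check fails open, because `allowCurrent` is cleared only when regexec() returns 0, and some implementations can return an error other than REG_NOMATCH (REG_ESPACE, for example), which leaves the subject allowed when the Deny pattern could not be evaluated. Writing it as `if (regexec(this->denyRegex, subj.c_str(), 0, NULL, 0) != REG_NOMATCH) this->allowCurrent = false;` denies on anything but a clean "no match". Both patterns are matched unanchored, so an Allow value written as a plain subject name admits every client name that merely contains it; a comment such as `// Allow/Deny are POSIX extended regexes matched anywhere in clientName; anchor with ^...$ for an exact subject` should say so. With no Allow configured every subject is denied and Deny on its own has no effect, which is fail-closed but should be documented next to the options. `ctx` is dereferenced on the first added line with no null check; whether callers may pass NULL to reset the context is not visible from this hunk.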
int VfsCatalog::checkPermissions(const SecurityContext *context, const Acl &acl, const struct stat &stat, mode_t mode) {
- fprintf(stderr, "VfsCatalog::checkPermissions(inode %lu, %04o)\n", stat.st_ino, mode);
- return 0;
+//fprintf(stderr, "VfsCatalog::checkPermissions(inode %lu, %04o)\n", stat.st_ino, mode);
+ return this->allowCurrent ? 0 : 1;
}
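Review bot: checkPermissions() ignores its `context` argument and returns the decision cached by the last setSecurityContext() call, so a caller passing a different context gets the answer computed for another subject. Either evaluate the patterns against `context->credentials.clientName` here, or document the coupling with a comment such as `// decision is computed in setSecurityContext(); context, acl, stat and mode are not consulted`. An allowed subject still gets 0 for every inode and mode, as before the change, so Allow/Deny is the only access control visible in this function. The denied case returns 1; whether callers expect 1 or an errno-style value cannot be confirmed from this hunk.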