diff options
Diffstat (limited to 'database/sqlite/edb-sqlite.c')
| -rw-r--r-- | database/sqlite/edb-sqlite.c | 96 |
1 files changed, 66 insertions, 30 deletions
diff --git a/database/sqlite/edb-sqlite.c b/database/sqlite/edb-sqlite.c index 4227234..220d9f7 100644 --- a/database/sqlite/edb-sqlite.c +++ b/database/sqlite/edb-sqlite.c @@ -931,16 +931,23 @@ eurephiaVALUES *eDBget_blacklisted_ip(eurephiaCTX *ctx) { */ // Authenticate admin user against user database -int eDBadminAuth(eurephiaCTX *ctx, const char *uname, const char *pwd) { +int eDBadminAuth(eurephiaCTX *ctx, const char *req_access, const char *uname, const char *pwd) { dbresult *res = NULL; char *crpwd = NULL; char *activated = NULL, *deactivated = NULL, *blid = NULL; - int uid = -1, admacc = 0, pwok = 0; + int uid = -1, pwok = 0; + char interface, *access = NULL; assert(ctx != NULL); - if( (ctx->context_type != ECTX_ADMIN_CONSOLE) - && (ctx->context_type != ECTX_ADMIN_WEB) ) { + switch( ctx->context_type ) { + case ECTX_ADMIN_CONSOLE: + interface = 'C'; + break; + case ECTX_ADMIN_WEB: + interface = 'W'; + break; + default: eurephia_log(ctx, LOG_ERROR, 0, "Wrong eurephia context type (0x%04x)", ctx->context_type); return 0; } @@ -957,7 +964,7 @@ int eDBadminAuth(eurephiaCTX *ctx, const char *uname, const char *pwd) { assert(crpwd != NULL); res = sqlite_query(ctx, "SELECT activated, deactivated, bl.blid, " - " (password = '%q') AS pwok, acc_admin, uid" + " (password = '%q') AS pwok, uid " " FROM openvpn_users ou" " LEFT JOIN openvpn_blacklist bl USING (username)" " WHERE ou.username = '%q'", @@ -965,7 +972,7 @@ int eDBadminAuth(eurephiaCTX *ctx, const char *uname, const char *pwd) { memset(crpwd, 0, strlen_nullsafe(crpwd)); free_nullsafe(crpwd); - if( !res ) { + if( res == NULL ) { eurephia_log(ctx, LOG_FATAL, 0, "Could not authenticate user against the database"); return 0; } @@ -975,8 +982,8 @@ int eDBadminAuth(eurephiaCTX *ctx, const char *uname, const char *pwd) { deactivated = sqlite_get_value(res, 0, 1); blid = sqlite_get_value(res, 0, 2); pwok = atoi_nullsafe(sqlite_get_value(res, 0, 3)); - admacc = atoi_nullsafe(sqlite_get_value(res, 0, 4)); - uid = atoi_nullsafe(sqlite_get_value(res, 0, 5)); + uid = atoi_nullsafe(sqlite_get_value(res, 0, 4)); + sqlite_free_results(res); if( blid != NULL ) { eurephia_log(ctx, LOG_WARNING, 0, @@ -997,57 +1004,83 @@ int eDBadminAuth(eurephiaCTX *ctx, const char *uname, const char *pwd) { return 0; } - if( admacc != 1 ) { - eurephia_log(ctx, LOG_WARNING, 0, "Your user account is lacking privileges"); + if( pwok != 1 ) { + eurephia_log(ctx, LOG_WARNING, 0, "Authentication failed,"); sqlite_free_results(res); return 0; } - if( pwok != 1 ) { - eurephia_log(ctx, LOG_WARNING, 0, "Authentication failed,"); - sqlite_free_results(res); + // Check if access level is granted + // (SQLite do not handle advanced joins so well, so we need to + // do this check with an extra query) + res = sqlite_query(ctx, + "SELECT (count(*) = 1) AS access " + " FROM eurephia_adminaccess" + " WHERE uid = '%i' AND interface = '%c' AND access = '%q'", + uid, interface, req_access); + if( res == NULL ) { + eurephia_log(ctx, LOG_FATAL, 0, "Could not check access level"); + return 0; + } + access = atoi_nullsafe(sqlite_get_value(res, 0, 0)); + sqlite_free_results(res); + + if( access == 0 ) { + eurephia_log(ctx, LOG_WARNING, 0, "Your account is lacking privileges for this operation"); return 0; } } else { - eurephia_log(ctx, LOG_WARNING, 0, "Authentication failed. Too many records found."); + eurephia_log(ctx, LOG_WARNING, 0, "Authentication failed. No unique records found."); sqlite_free_results(res); return 0; } - sqlite_free_results(res); // If we reach this place, authentication was successful. Return users uid return uid; } -int eDBadminValidateSession(eurephiaCTX *ctx, char *sesskey) { +int eDBadminValidateSession(eurephiaCTX *ctx, const char *sesskey, const char *req_access) { dbresult *res = NULL; - int valid = 0; + int valid = 0, access = 0, expire_time = 0; + char interface; assert( (ctx != NULL) && (sesskey != NULL) ); - if( (ctx->context_type != ECTX_ADMIN_CONSOLE) - && (ctx->context_type != ECTX_ADMIN_WEB) ) { + switch( ctx->context_type ) { + case ECTX_ADMIN_CONSOLE: + interface = 'C'; + break; + case ECTX_ADMIN_WEB: + interface = 'W'; + break; + default: eurephia_log(ctx, LOG_ERROR, 0, "Wrong eurephia context type (0x%04x)", ctx->context_type); return 0; } - // Check if the session is still valid. + // Check if the session is still valid (not expired) and that this session are allowed to access + // the requested access level. + expire_time = (60 * atoi_nullsafe(defaultValue(eGet_value(ctx->dbc->config, "eurephiadmin_autologout"), + "10") + ) + ); res = sqlite_query(ctx, - "SELECT (strftime('%%s',CURRENT_TIMESTAMP)-strftime('%%s',last_action)) > %i" + "SELECT (strftime('%%s',CURRENT_TIMESTAMP)-strftime('%%s',last_action)) > %i AS exp," + " (access IS NOT NULL) AS access" " FROM eurephia_adminlog" + " LEFT JOIN eurephia_adminaccess USING(uid,interface)" " WHERE status IN (1,2)" - " AND sessionkey = '%q'", - (60 * atoi_nullsafe(defaultValue(eGet_value(ctx->dbc->config, - "eurephiadmin_autologout"), - "10") - )), - sesskey); + " AND sessionkey = '%q'" + " AND access = '%q'", + expire_time, sesskey, req_access); + if( (res == NULL) || (sqlite_get_numtuples(res) != 1) ) { eurephia_log(ctx, LOG_FATAL, 0, "Could not validate session"); return 0; } - valid = (atoi_nullsafe(sqlite_get_value(res, 0, 0)) == 0); + valid = (atoi_nullsafe(sqlite_get_value(res, 0, 0)) == 0); + access = (atoi_nullsafe(sqlite_get_value(res, 0, 1)) == 1); sqlite_free_results(res); // If still valid, update last_action @@ -1060,6 +1093,10 @@ int eDBadminValidateSession(eurephiaCTX *ctx, char *sesskey) { eurephia_log(ctx, LOG_ERROR, 0, "Could not register session activity"); } sqlite_free_results(res); + + if( !access ) { + eurephia_log(ctx, LOG_WARNING, 0, "Your user account is lacking privileges"); + } } else { // If not valid, register session as auto-logged out res = sqlite_query(ctx, @@ -1081,8 +1118,7 @@ int eDBadminValidateSession(eurephiaCTX *ctx, char *sesskey) { } sqlite_free_results(res); } - - return valid; + return (valid && access); } int eDBadminRegisterLogin(eurephiaCTX *ctx, eurephiaSESSION *session) { |