2 * Copyright (c) 2022 Stefan Sperling <stsp@openbsd.org>
3 * Copyright (c) 2015 Ted Unangst <tedu@openbsd.org>
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18 #include <sys/types.h>
19 #include <sys/queue.h>
34 #include "got_error.h"
41 parseuid(const char *s, uid_t *uid)
46 if ((pw = getpwnam(s)) != NULL) {
52 *uid = strtonum(s, 0, UID_MAX - 1, &errstr);
59 uidcheck(const char *s, uid_t desired)
63 if (parseuid(s, &uid) != 0)
71 parsegid(const char *s, gid_t *gid)
76 if ((gr = getgrnam(s)) != NULL) {
82 *gid = strtonum(s, 0, GID_MAX - 1, &errstr);
89 match_identifier(const char *identifier, gid_t *groups, int ngroups,
90 uid_t euid, gid_t egid)
94 if (identifier[0] == ':') {
96 if (parsegid(identifier + 1, &rgid) == -1)
100 for (i = 0; i < ngroups; i++) {
101 if (rgid == groups[i])
106 } else if (uidcheck(identifier, euid) != 0)
112 const struct got_error *
113 gotd_auth_check(struct gotd_access_rule_list *rules, const char *repo_name,
114 uid_t euid, gid_t egid, int required_auth)
116 struct gotd_access_rule *rule;
117 enum gotd_access access = GOTD_ACCESS_DENIED;
119 gid_t groups[NGROUPS_MAX];
120 int ngroups = NGROUPS_MAX;
125 return got_error_from_errno("getpwuid");
127 return got_error_set_errno(EACCES, repo_name);
130 if (getgrouplist(pw->pw_name, pw->pw_gid, groups, &ngroups) == -1)
131 log_warnx("group membership list truncated");
133 STAILQ_FOREACH(rule, rules, entry) {
134 if (!match_identifier(rule->identifier, groups, ngroups,
138 access = rule->access;
139 if (rule->access == GOTD_ACCESS_PERMITTED &&
140 (rule->authorization & required_auth) != required_auth)
141 access = GOTD_ACCESS_DENIED;
144 if (access == GOTD_ACCESS_DENIED)
145 return got_error_set_errno(EACCES, repo_name);
147 if (access == GOTD_ACCESS_PERMITTED)
150 /* should not happen, this would be a bug */
151 return got_error_msg(GOT_ERR_NOT_IMPL, "bad access rule");