Introduce RBAC checking via custom authHandler function

c/httpserver.c

@@ -3397,12 +3397,14 @@ static int handleHttpService(HttpServer *server,
 
   AuthResponse authResponse;
 
-  switch (service->authType){
-
-  case SERVICE_AUTH_NONE:
+  int authorized = TRUE;
+
+  if (strcmp(service->authType, SERVICE_AUTH_NONE) == 0)
+  {
     request->authenticated = TRUE;
-    break;
-  case SERVICE_AUTH_SAF:
+  }
+  else if (strcmp(service->authType, SERVICE_AUTH_SAF) == 0)
+  {
     /* SAF Authentication just checks that user is known at ALL to SAF.
        Additional privilege (Facility Class Profile) checking maybe done later
        or added to the generic SAF support in server.
@@ -3411,14 +3413,15 @@ static int handleHttpService(HttpServer *server,
     printf("saf auth needed for service %s\n",service->name);
 #endif
     request->authenticated = safAuthenticate(service, request, &authResponse);
-    break;
-  case SERVICE_AUTH_CUSTOM:
+  }
+  /* case SERVICE_AUTH_CUSTOM: - Safe to remove?
 #ifdef DEBUG
     printf("CUSTOM auth not yet supported\n");
 #endif
     request->authenticated = FALSE;
-    break;
-  case SERVICE_AUTH_NATIVE_WITH_SESSION_TOKEN:
+    break; */
+  else if (strcmp(service->authType, SERVICE_AUTH_NATIVE_WITH_SESSION_TOKEN_NO_RBAC) == 0)
+  {
     switch (server->config->authTokenType) {
     case SERVICE_AUTH_TOKEN_TYPE_JWT:
     case SERVICE_AUTH_TOKEN_TYPE_JWT_WITH_LEGACY_FALLBACK:
@@ -3433,10 +3436,43 @@ static int handleHttpService(HttpServer *server,
       request->authenticated = serviceAuthNativeWithSessionToken(service,request,response,&clearSessionToken, &authResponse);
       break;
     }
-    break;
+  }
+  else /* Type was not found, checking custom handlers */
+  {
+    switch (server->config->authTokenType) {
+    case SERVICE_AUTH_TOKEN_TYPE_JWT:
+    case SERVICE_AUTH_TOKEN_TYPE_JWT_WITH_LEGACY_FALLBACK:
+      request->authenticated = serviceAuthWithJwt(service, request, response);
+
+      if (request->authenticated  ||
+          service->server->config->authTokenType
+            != SERVICE_AUTH_TOKEN_TYPE_JWT_WITH_LEGACY_FALLBACK) {
+        break;
+      } /* else fall through */
+    case SERVICE_AUTH_TOKEN_TYPE_LEGACY:
+      request->authenticated = serviceAuthNativeWithSessionToken(service,request,response,&clearSessionToken, &authResponse);
+      break;
+    }
+    if (request->authenticated) {
+      int size = sizeof(server->authHandler)/sizeof(server->authHandler[0]);
+      for (int i = 0; i < size; i++) {
+        if (server->authHandler[i] != NULL) {
+          if (strcmp(server->authHandler[i]->type, SERVICE_AUTH_NATIVE_WITH_SESSION_TOKEN) == 0) {
+            authorized = service->server->authHandler[i]->authFunction(service, request, response);
+            if (!authorized) {
+              break;
+            }
+          }
+        } else {
+          break;
+        }
+      }
+    } else {
+      authorized = FALSE;
+    }
   }
 #ifdef DEBUG
-  printf("service=%s authenticated=%d\n",service->name,request->authenticated);
+  printf("service=%s authenticated=%d authorized=%d\n",service->name,request->authenticated,authorized);
 #endif
   if (request->authenticated == FALSE){
     if (service->authFlags & SERVICE_AUTH_FLAG_OPTIONAL) {
@@ -3445,6 +3481,8 @@ static int handleHttpService(HttpServer *server,
     } else {
       respondWithAuthError(response, &authResponse);
     }
+  } else if (!authorized) {
+    respondWithError(response, HTTP_STATUS_FORBIDDEN, "Forbidden");
     // Response is finished on return
   } else {
 

h/httpserver.h

@@ -44,10 +44,10 @@
 #define SERVICE_TYPE_PROXY           5
 #define SERVICE_TYPE_FILES_SECURE    6
 
-#define SERVICE_AUTH_NONE   1
-#define SERVICE_AUTH_SAF    2
-#define SERVICE_AUTH_CUSTOM 3 /* done by service */
-#define SERVICE_AUTH_NATIVE_WITH_SESSION_TOKEN 4
+#define SERVICE_AUTH_NONE   "NONE"
+#define SERVICE_AUTH_SAF    "SAF"
+#define SERVICE_AUTH_NATIVE_WITH_SESSION_TOKEN "NATIVE_WITH_SESSION_TOKEN"
+#define SERVICE_AUTH_NATIVE_WITH_SESSION_TOKEN_NO_RBAC "NATIVE_WITH_SESSION_TOKEN_NO_RBAC"
 
 #define SERVICE_AUTH_TOKEN_TYPE_LEGACY                    0
 #define SERVICE_AUTH_TOKEN_TYPE_JWT_WITH_LEGACY_FALLBACK  1
@@ -146,6 +146,7 @@ typedef int HttpServiceServe(struct HttpService_tag *service, HttpResponse *resp
 typedef int AuthExtract(struct HttpService_tag *service, HttpRequest *request);
 typedef int AuthValidate(struct HttpService_tag *service, HttpRequest *request);
 typedef int HttpServiceInsertCustomHeaders(struct HttpService_tag *service, HttpResponse *response);
+typedef int AuthHandle(struct HttpService_tag *service, HttpRequest *request, HttpResponse *response);
 
 /*
   returns HTTP_SERVICE_SUCCESS or other fail codes in same group 
@@ -180,7 +181,7 @@ typedef struct HttpService_tag{
   char **parsedMaskParts;
   int    matchFlags;
   int    serviceType; 
-  int    authType;
+  char   *authType;
   int    runInSubtask;
   void  *authority; /* NULL unless AUTH_CUSTOM */
   AuthExtract                    *authExtractionFunction;
@@ -207,6 +208,11 @@ typedef struct HttpService_tag{
   int    authFlags;
 } HttpService;
 
+typedef struct HttpAuthHandler_tag{
+  char             *type;
+  AuthHandle       *authFunction;
+} HttpAuthHandler;
+
 typedef struct HTTPServerConfig_tag {
   int port;
   HttpService *serviceList;
@@ -229,6 +235,7 @@ typedef struct HttpServer_tag{
   uint64           serverInstanceUID;   /* may be something smart at some point. Now just startup STCK */
   void             *sharedServiceMem; /* address shared by all HttpServices */
   hashtable        *loggingIdsByName; /* contains a map of pluginID -> loggingID */
+  HttpAuthHandler  *authHandler[64]; /* contains array of authHandlers (type + auth func) for HttpServices */
 } HttpServer;
 
 typedef struct WSReadMachine_tag{