OpenVAS Manager  7.0.3~git
manage_acl.h
Go to the documentation of this file.
1 /* OpenVAS Manager
2  * $Id$
3  * Description: Headers for OpenVAS Manager: the Manage library.
4  *
5  * Authors:
6  * Matthew Mundell <matthew.mundell@greenbone.net>
7  *
8  * Copyright:
9  * Copyright (C) 2013 Greenbone Networks GmbH
10  *
11  * This program is free software; you can redistribute it and/or
12  * modify it under the terms of the GNU General Public License
13  * as published by the Free Software Foundation; either version 2
14  * of the License, or (at your option) any later version.
15  *
16  * This program is distributed in the hope that it will be useful,
17  * but WITHOUT ANY WARRANTY; without even the implied warranty of
18  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19  * GNU General Public License for more details.
20  *
21  * You should have received a copy of the GNU General Public License
22  * along with this program; if not, write to the Free Software
23  * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
24  */
25 
26 #ifndef OPENVAS_MANAGER_MANAGE_ACL_H
27 #define OPENVAS_MANAGER_MANAGE_ACL_H
28 
29 #include "manage_sql.h"
30 #include <glib.h>
31 
37 #define ACL_USER_MAY(resource) \
38  "SELECT count(*) > 0 FROM permissions" \
39  " WHERE resource = " resource \
40  " AND subject_location = " G_STRINGIFY (LOCATION_TABLE) \
41  " AND ((subject_type = 'user'" \
42  " AND subject" \
43  " = (SELECT id FROM users" \
44  " WHERE users.uuid = '%s'))" \
45  " OR (subject_type = 'group'" \
46  " AND subject" \
47  " IN (SELECT DISTINCT \"group\"" \
48  " FROM group_users" \
49  " WHERE \"user\" = (SELECT id" \
50  " FROM users" \
51  " WHERE users.uuid" \
52  " = '%s')))" \
53  " OR (subject_type = 'role'" \
54  " AND subject" \
55  " IN (SELECT DISTINCT role" \
56  " FROM role_users" \
57  " WHERE \"user\" = (SELECT id" \
58  " FROM users" \
59  " WHERE users.uuid" \
60  " = '%s'))))" \
61  /* Any permission implies GET. */ \
62  " AND ((lower (substr ('%s', 1, 3)) = 'get'" \
63  " AND name LIKE '%%'" \
64  " || lower (substr ('%s'," \
65  " 5," \
66  " length ('%s') - 5)))" \
67  " OR name = lower ('%s'))"
68 
74 #define ACL_IS_GLOBAL() \
75  "owner IS NULL"
76 
85 #define ACL_USER_OWNS() \
86  " ((" ACL_IS_GLOBAL () ")" \
87  " OR (owner = (SELECT users.id FROM users" \
88  " WHERE users.uuid = '%s')))"
89 
90 int
91 acl_user_may (const char *);
92 
93 int
94 acl_user_can_everything (const char *);
95 
96 int
97 acl_role_can_super_everyone (const char *);
98 
99 int
100 acl_user_can_super_everyone (const char *);
101 
102 int
103 acl_user_has_super (const char *, user_t);
104 
105 int
106 acl_user_is_admin (const char *);
107 
108 int
109 acl_user_is_user (const char *);
110 
111 int
112 acl_user_is_super_admin (const char *);
113 
114 int
115 acl_user_is_observer (const char *);
116 
117 int
118 acl_user_owns_name (const char *, const char *);
119 
120 int
121 acl_user_owns (const char *, resource_t, int);
122 
123 int
124 acl_user_is_owner (const char *, const char *);
125 
126 int
127 acl_user_owns_uuid (const char *, const char *, int);
128 
129 int
130 acl_user_owns_trash_uuid (const char *resource, const char *uuid);
131 
132 int
133 acl_user_has_access_uuid (const char *, const char *, const char *, int);
134 
135 gchar *
136 acl_where_owned_user (const char *, const char *, const char *, const get_data_t *,
137  int, const gchar *, resource_t, array_t *);
138 
139 gchar *
140 acl_where_owned (const char *, const get_data_t *, int, const gchar *, resource_t,
141  array_t *);
142 
143 gchar *
144 acl_where_owned_for_get (const char *, const char *);
145 
146 gchar *
147 acl_users_with_access_sql (const char *, const char *, const char *);
148 
149 gchar *
150 acl_users_with_access_where (const char *, const char *, const char *,
151  const char*);
152 
153 #endif /* not OPENVAS_MANAGER_MANAGE_ACL_H */
acl_user_is_user
int acl_user_is_user(const char *uuid)
Check whether a user has the User role.
Definition: manage_acl.c:365
acl_user_is_owner
int acl_user_is_owner(const char *type, const char *uuid)
Test whether a user is the actual owner of a resource.
Definition: manage_acl.c:573
acl_user_owns_name
int acl_user_owns_name(const char *type, const char *value)
Test whether a user effectively owns a resource.
Definition: manage_acl.c:531
acl_user_owns_uuid
int acl_user_owns_uuid(const char *type, const char *uuid, int trash)
Test whether a user effectively owns a resource.
Definition: manage_acl.c:606
acl_user_has_super
int acl_user_has_super(const char *super_user_id, user_t other_user)
Test whether a user has super permission on another user.
Definition: manage_acl.c:226
acl_role_can_super_everyone
int acl_role_can_super_everyone(const char *role_id)
Check whether a role has Super Admin capability.
Definition: manage_acl.c:95
acl_user_has_access_uuid
int acl_user_has_access_uuid(const char *type, const char *uuid, const char *permission, int trash)
Test whether the user may access a resource.
Definition: manage_acl.c:758
acl_where_owned_for_get
gchar * acl_where_owned_for_get(const char *type, const char *user_sql)
Generate ownership part of WHERE, for getting a type of resource.
Definition: manage_acl.c:1378
acl_user_owns_trash_uuid
int acl_user_owns_trash_uuid(const char *type, const char *uuid)
Test whether a user effectively owns a resource.
Definition: manage_acl.c:722
user_t
long long int user_t
Definition: manage.h:302
manage_sql.h
get_data_t
Command data for a get command.
Definition: manage.h:310
acl_user_is_observer
int acl_user_is_observer(const char *uuid)
Check whether a user is an Observer.
Definition: manage_acl.c:319
acl_user_can_everything
int acl_user_can_everything(const char *user_id)
Test whether a user may perform any operation.
Definition: manage_acl.c:179
acl_where_owned_user
gchar * acl_where_owned_user(const char *user_id, const char *user_sql, const char *type, const get_data_t *get, int owned, const gchar *owner_filter, resource_t resource, array_t *permissions)
Generate the ownership part of an SQL WHERE clause for a given user.
Definition: manage_acl.c:948
acl_user_is_admin
int acl_user_is_admin(const char *uuid)
Check whether a user is an Admin.
Definition: manage_acl.c:296
acl_where_owned
gchar * acl_where_owned(const char *type, const get_data_t *get, int owned, const gchar *owner_filter, resource_t resource, array_t *permissions)
Generate the ownership part of an SQL WHERE clause.
Definition: manage_acl.c:1352
acl_user_may
int acl_user_may(const char *operation)
Test whether a user may perform an operation.
Definition: manage_acl.c:56
acl_users_with_access_where
gchar * acl_users_with_access_where(const char *type, const char *resource_id, const char *users_where, const char *user_expr)
Get a static SQL condition selecting users that can get a resource.
Definition: manage_acl.c:1487
acl_user_can_super_everyone
int acl_user_can_super_everyone(const char *uuid)
Check whether a user is a Super Admin.
Definition: manage_acl.c:127
acl_user_is_super_admin
int acl_user_is_super_admin(const char *)
acl_user_owns
int acl_user_owns(const char *type, resource_t resource, int trash)
Test whether a user effectively owns a resource.
Definition: manage_acl.c:666
resource_t
long long int resource_t
A resource, like a task or target.
Definition: iterator.h:42
acl_users_with_access_sql
gchar * acl_users_with_access_sql(const char *type, const char *resource_id, const char *users_where)
Get an SQL values expression of users that can get a resource.
Definition: manage_acl.c:1424