Localhost should be able to request all ressources if this is set via a config option

Signed-off-by: DL6ER <dl6er@dl6er.de>
2021-01-14 21:12:06 +01:00 · 2021-01-14 21:12:06 +01:00 · 9966c84f54
parent 8e63f75a71
commit 9966c84f54
6 changed files with 36 additions and 28 deletions
--- a/src/api/auth.c
+++ b/src/api/auth.c
@ -54,9 +54,6 @@ static void sha256_hex(uint8_t *data, char *buffer)
 // Returns >= 0 for any valid authentication
 #define LOCALHOSTv4 "127.0.0.1"
 #define LOCALHOSTv6 "::1"
-#define API_AUTH_UNUSED -1
-#define API_AUTH_LOCALHOST -2
-#define API_AUTH_EMPTYPASS -3
 int check_client_auth(struct mg_connection *conn)
 {
 	int user_id = -1;
@ -114,7 +111,7 @@ int check_client_auth(struct mg_connection *conn)
 				break;
 			}
 		}
-		if(user_id > API_AUTH_UNUSED)
+		if(user_id > API_AUTH_UNAUTHORIZED)
 		{
 			// Authentication succesful:
 			// - We know this client
@ -187,7 +184,7 @@ static int get_session_object(struct mg_connection *conn, cJSON *json, const int
 	}

 	// Valid session
-	if(user_id > API_AUTH_UNUSED && auth_data[user_id].used)
+	if(user_id > API_AUTH_UNAUTHORIZED && auth_data[user_id].used)
 	{
 		cJSON *session = JSON_NEW_OBJ();
 		JSON_OBJ_ADD_BOOL(session, "valid", true);
@ -240,7 +237,7 @@ static int send_api_auth_status(struct mg_connection *conn, const int user_id, c
 		JSON_SEND_OBJECT(json);
 	}

-	if(user_id > API_AUTH_UNUSED && (method == HTTP_GET || method == HTTP_POST))
+	if(user_id > API_AUTH_UNAUTHORIZED && (method == HTTP_GET || method == HTTP_POST))
 	{
 		if(config.debug & DEBUG_API)
 			logg("API Auth status: OK");
@ -257,7 +254,7 @@ static int send_api_auth_status(struct mg_connection *conn, const int user_id, c
 		get_session_object(conn, json, user_id, now);
 		JSON_SEND_OBJECT(json);
 	}
-	else if(user_id > API_AUTH_UNUSED && method == HTTP_DELETE)
+	else if(user_id > API_AUTH_UNAUTHORIZED && method == HTTP_DELETE)
 	{
 		if(config.debug & DEBUG_API)
 			logg("API Auth status: Logout, asking to delete cookie");
@ -351,7 +348,7 @@ int api_auth(struct mg_connection *conn)
 	char *password_hash = get_password_hash();
 	const bool empty_password = (strlen(password_hash) == 0u);

-	int user_id = API_AUTH_UNUSED;
+	int user_id = API_AUTH_UNAUTHORIZED;
 	const struct mg_request_info *request = mg_get_request_info(conn);

 	bool reponse_set = false;
@ -391,7 +388,7 @@ int api_auth(struct mg_connection *conn)
 	}

 	// If this is a valid session, we can exit early at this point
-	if(user_id != API_AUTH_UNUSED)
+	if(user_id != API_AUTH_UNAUTHORIZED)
 		return send_api_auth_status(conn, user_id, method, now);

 	// Login attempt and/or auth check
@ -432,7 +429,7 @@ int api_auth(struct mg_connection *conn)
 			}

 			// Debug logging
-			if(config.debug & DEBUG_API && user_id > API_AUTH_UNUSED)
+			if(config.debug & DEBUG_API && user_id > API_AUTH_UNAUTHORIZED)
 			{
 				char timestr[128];
 				get_timestr(timestr, auth_data[user_id].valid_until);
@ -440,7 +437,7 @@ int api_auth(struct mg_connection *conn)
 				     user_id, timestr, auth_data[user_id].remote_addr,
 				     response_correct ? "correct response" : "empty password");
 			}
-			if(user_id == API_AUTH_UNUSED)
+			if(user_id == API_AUTH_UNAUTHORIZED)
 			{
 				logg("WARNING: No free API seats available, not authenticating client");
 			}
--- a/src/api/dns.c
+++ b/src/api/dns.c
@ -48,7 +48,7 @@ static int get_blocking(struct mg_connection *conn)
 static int set_blocking(struct mg_connection *conn)
 {
 	// Verify requesting client is allowed to access this ressource
-	if(check_client_auth(conn) < 0)
+	if(check_client_auth(conn) == API_AUTH_UNAUTHORIZED)
 	{
 		return send_json_unauthorized(conn);
 	}
@ -131,7 +131,7 @@ int api_dns_blockingstatus(struct mg_connection *conn)
 int api_dns_cacheinfo(struct mg_connection *conn)
 {
 	// Verify requesting client is allowed to access this ressource
-	if(check_client_auth(conn) < 0)
+	if(check_client_auth(conn) == API_AUTH_UNAUTHORIZED)
 	{
 		return send_json_unauthorized(conn);
 	}
--- a/src/api/ftl.c
+++ b/src/api/ftl.c
@ -63,7 +63,7 @@ fifologData *fifo_log = NULL;
 int api_ftl_dnsmasq_log(struct mg_connection *conn)
 {
 	// Verify requesting client is allowed to see this ressource
-	if(check_client_auth(conn) < 0)
+	if(check_client_auth(conn) == API_AUTH_UNAUTHORIZED)
 	{
 		return send_json_unauthorized(conn);
 	}
@ -128,7 +128,7 @@ int api_ftl_dnsmasq_log(struct mg_connection *conn)
 int api_ftl_database(struct mg_connection *conn)
 {
 	// Verify requesting client is allowed to see this ressource
-	if(check_client_auth(conn) < 0)
+	if(check_client_auth(conn) == API_AUTH_UNAUTHORIZED)
 	{
 		send_json_unauthorized(conn);
 	}
--- a/src/api/network.c
+++ b/src/api/network.c
@ -18,7 +18,7 @@
 int api_network(struct mg_connection *conn)
 {
 	// Verify requesting client is allowed to see this ressource
-	if(check_client_auth(conn) < 0)
+	if(check_client_auth(conn) == API_AUTH_UNAUTHORIZED)
 	{
 		return send_json_unauthorized(conn);
 	}
--- a/src/api/stats.c
+++ b/src/api/stats.c
@ -175,7 +175,7 @@ int api_stats_top_domains(bool blocked, struct mg_connection *conn)
 	bool audit = false;

 	// Verify requesting client is allowed to see this ressource
-	if(check_client_auth(conn) < 0)
+	if(check_client_auth(conn) == API_AUTH_UNAUTHORIZED)
 	{
 		return send_json_unauthorized(conn);
 	}
@ -333,7 +333,7 @@ int api_stats_top_clients(bool blocked, struct mg_connection *conn)
 	bool includezeroclients = false;

 	// Verify requesting client is allowed to see this ressource
-	if(check_client_auth(conn) < 0)
+	if(check_client_auth(conn) == API_AUTH_UNAUTHORIZED)
 	{
 		return send_json_unauthorized(conn);
 	}
@ -457,7 +457,7 @@ int api_stats_upstreams(struct mg_connection *conn)
 	int temparray[counters->forwarded][2];

 	// Verify requesting client is allowed to see this ressource
-	if(check_client_auth(conn) < 0)
+	if(check_client_auth(conn) == API_AUTH_UNAUTHORIZED)
 	{
 		return send_json_unauthorized(conn);
 	}
@ -558,7 +558,7 @@ int api_stats_upstreams(struct mg_connection *conn)
 int api_stats_query_types(struct mg_connection *conn)
 {
 	// Verify requesting client is allowed to see this ressource
-	if(check_client_auth(conn) < 0)
+	if(check_client_auth(conn) == API_AUTH_UNAUTHORIZED)
 	{
 		return send_json_unauthorized(conn);
 	}
@ -594,7 +594,7 @@ int api_stats_history(struct mg_connection *conn)
 	}

 	// Verify requesting client is allowed to see this ressource
-	if(check_client_auth(conn) < 0)
+	if(check_client_auth(conn) == API_AUTH_UNAUTHORIZED)
 	{
 		return send_json_unauthorized(conn);
 	}
@ -1042,7 +1042,7 @@ int api_stats_recentblocked(struct mg_connection *conn)
 	unsigned int show = 1;

 	// Verify requesting client is allowed to see this ressource
-	if(check_client_auth(conn) < 0)
+	if(check_client_auth(conn) == API_AUTH_UNAUTHORIZED)
 	{
 		return send_json_unauthorized(conn);
 	}
@ -1113,7 +1113,7 @@ int api_stats_overTime_clients(struct mg_connection *conn)
 	int sendit = -1, until = OVERTIME_SLOTS;

 	// Verify requesting client is allowed to see this ressource
-	if(check_client_auth(conn) < 0)
+	if(check_client_auth(conn) == API_AUTH_UNAUTHORIZED)
 	{
 		return send_json_unauthorized(conn);
 	}
--- a/src/enums.h
+++ b/src/enums.h
@ -156,11 +156,16 @@ enum events {
 } __attribute__ ((packed));


-enum gravitry_domainlist_indices {
-	GRAVITY_DOMAINLIST_EXACT_WHITELIST = 0,
-	GRAVITY_DOMAINLIST_EXACT_BLACKLIST = 1,
-	GRAVITY_DOMAINLIST_REGEX_WHITELIST = 2,
-	GRAVITY_DOMAINLIST_REGEX_BLACKLIST = 3
+enum domainlist_type {
+	GRAVITY_DOMAINLIST_ALLOW_EXACT,
+	GRAVITY_DOMAINLIST_ALLOW_REGEX,
+	GRAVITY_DOMAINLIST_ALLOW_ALL,
+	GRAVITY_DOMAINLIST_DENY_EXACT,
+	GRAVITY_DOMAINLIST_DENY_REGEX,
+	GRAVITY_DOMAINLIST_DENY_ALL,
+	GRAVITY_DOMAINLIST_ALL_EXACT,
+	GRAVITY_DOMAINLIST_ALL_REGEX,
+	GRAVITY_DOMAINLIST_ALL_ALL
 } __attribute__ ((packed));

 enum gravity_tables {
@ -194,4 +199,10 @@ enum refresh_hostnames {
 	REFRESH_NONE
 } __attribute__ ((packed));

+enum api_auth_status {
+	API_AUTH_UNAUTHORIZED  = -1,
+	API_AUTH_LOCALHOST  = -2,
+	API_AUTH_EMPTYPASS  = -3,
+} __attribute__ ((packed));
+
 #endif // ENUMS_H