2 Bacula(R) - The Network Backup Solution
4 Copyright (C) 2000-2017 Kern Sibbald
6 The original author of Bacula is Kern Sibbald, with contributions
7 from many others, a complete list can be found in the file AUTHORS.
9 You may use this file and others of this release according to the
10 license defined in the LICENSE file, which includes the Affero General
11 Public License, v3.0 ("AGPLv3") and some additional permissions and
12 terms pursuant to its AGPLv3 Section 7.
14 This notice must be preserved when any source code is
15 conveyed and/or propagated.
17 Bacula(R) is a registered trademark of Kern Sibbald.
20 * Bacula Director -- User Agent Access Control List (ACL) handling
22 * Kern Sibbald, January MMIV
29 * Check if access is permitted to item in acl
31 bool acl_access_ok(UAContext *ua, int acl, const char *item)
33 return acl_access_ok(ua, acl, item, strlen(item));
36 bool acl_access_client_ok(UAContext *ua, const char *name, int32_t jobtype)
38 if (acl_access_ok(ua, Client_ACL, name)) {
41 if (jobtype == JT_BACKUP && acl_access_ok(ua, BackupClient_ACL, name)) {
44 if (jobtype == JT_RESTORE && acl_access_ok(ua, RestoreClient_ACL, name)) {
47 /* Some commands such as "status client" are for both Backup and Restore */
48 if (jobtype == JT_BACKUP_RESTORE &&
49 (acl_access_ok(ua, RestoreClient_ACL, name) ||
50 acl_access_ok(ua, BackupClient_ACL, name)))
59 /* This version expects the length of the item which we must check. */
60 bool acl_access_ok(UAContext *ua, int acl, const char *item, int len)
62 /* The resource name contains nasty characters */
63 if (acl != Where_ACL && !is_name_valid(item, NULL)) {
64 Dmsg1(1400, "Access denied for item=%s\n", item);
68 /* If no console resource => default console and all is permitted */
69 if (!ua || !ua->cons) {
70 Dmsg0(1400, "Root cons access OK.\n");
71 return true; /* No cons resource -> root console OK for everything */
74 alist *list = ua->cons->ACL_lists[acl];
75 if (!list) { /* empty list */
76 if (len == 0 && acl == Where_ACL) {
77 return true; /* Empty list for Where => empty where */
79 return false; /* List empty, reject everything */
82 /* Special case *all* gives full access */
83 if (list->size() == 1 && strcasecmp("*all*", (char *)list->get(0)) == 0) {
87 /* Search list for item */
88 for (int i=0; i<list->size(); i++) {
89 if (strcasecmp(item, (char *)list->get(i)) == 0) {
90 Dmsg3(1400, "ACL found %s in %d %s\n", item, acl, (char *)list->get(i));
98 * Return true if we have a restriction on the ACL
99 * false if there is no ACL restriction
101 bool have_restricted_acl(UAContext *ua, int acl)
105 /* If no console resource => default console and all is permitted */
106 if (!ua || !ua->cons) {
107 return false; /* no restrictions */
110 list = ua->cons->ACL_lists[acl];
114 /* Special case *all* gives full access */
115 if (list->size() == 1 && strcasecmp("*all*", (char *)list->get(0)) == 0) {
118 return list->size() > 0;