diff options
Diffstat (limited to 'web/api/web_api.c')
-rw-r--r-- | web/api/web_api.c | 33 |
1 files changed, 31 insertions, 2 deletions
diff --git a/web/api/web_api.c b/web/api/web_api.c index 7c1d0fa09..4372bb8cb 100644 --- a/web/api/web_api.c +++ b/web/api/web_api.c @@ -2,6 +2,35 @@ #include "web_api.h" +bool netdata_is_protected_by_bearer = false; // this is controlled by cloud, at the point the agent logs in - this should also be saved to /var/lib/netdata +DICTIONARY *netdata_authorized_bearers = NULL; + +static bool web_client_check_acl_and_bearer(struct web_client *w, WEB_CLIENT_ACL endpoint_acl) { + if(endpoint_acl == WEB_CLIENT_ACL_NOCHECK) + // the endpoint is totally public + return true; + + bool acl_allows = w->acl & endpoint_acl; + if(!acl_allows) + // the channel we received the request from (w->acl) is not compatible with the endpoint + return false; + + if(!netdata_is_protected_by_bearer && !(endpoint_acl & WEB_CLIENT_ACL_BEARER_REQUIRED)) + // bearer protection is not enabled and is not required by the endpoint + return true; + + if(!(endpoint_acl & (WEB_CLIENT_ACL_BEARER_REQUIRED|WEB_CLIENT_ACL_BEARER_OPTIONAL))) + // endpoint does not require a bearer + return true; + + if((w->acl & (WEB_CLIENT_ACL_ACLK|WEB_CLIENT_ACL_WEBRTC)) || api_check_bearer_token(w)) + // the request is coming from ACLK or WEBRTC (authorized already), + // or we have a valid bearer on the request + return true; + + return false; +} + int web_client_api_request_vX(RRDHOST *host, struct web_client *w, char *url_path_endpoint, struct web_api_command *api_commands) { if(unlikely(!url_path_endpoint || !*url_path_endpoint)) { buffer_flush(w->response.data); @@ -13,8 +42,8 @@ int web_client_api_request_vX(RRDHOST *host, struct web_client *w, char *url_pat for(int i = 0; api_commands[i].command ; i++) { if(unlikely(hash == api_commands[i].hash && !strcmp(url_path_endpoint, api_commands[i].command))) { - if(unlikely(api_commands[i].acl != WEB_CLIENT_ACL_NOCHECK) && !(w->acl & api_commands[i].acl)) - return web_client_permission_denied(w); + if(unlikely(!web_client_check_acl_and_bearer(w, api_commands[i].acl))) + return web_client_bearer_required(w); char *query_string = (char *)buffer_tostring(w->url_query_string_decoded); |