summaryrefslogtreecommitdiffstats
path: root/web/api/web_api.c
diff options
context:
space:
mode:
Diffstat (limited to 'web/api/web_api.c')
-rw-r--r--web/api/web_api.c33
1 files changed, 31 insertions, 2 deletions
diff --git a/web/api/web_api.c b/web/api/web_api.c
index 7c1d0fa09..4372bb8cb 100644
--- a/web/api/web_api.c
+++ b/web/api/web_api.c
@@ -2,6 +2,35 @@
#include "web_api.h"
+bool netdata_is_protected_by_bearer = false; // this is controlled by cloud, at the point the agent logs in - this should also be saved to /var/lib/netdata
+DICTIONARY *netdata_authorized_bearers = NULL;
+
+static bool web_client_check_acl_and_bearer(struct web_client *w, WEB_CLIENT_ACL endpoint_acl) {
+ if(endpoint_acl == WEB_CLIENT_ACL_NOCHECK)
+ // the endpoint is totally public
+ return true;
+
+ bool acl_allows = w->acl & endpoint_acl;
+ if(!acl_allows)
+ // the channel we received the request from (w->acl) is not compatible with the endpoint
+ return false;
+
+ if(!netdata_is_protected_by_bearer && !(endpoint_acl & WEB_CLIENT_ACL_BEARER_REQUIRED))
+ // bearer protection is not enabled and is not required by the endpoint
+ return true;
+
+ if(!(endpoint_acl & (WEB_CLIENT_ACL_BEARER_REQUIRED|WEB_CLIENT_ACL_BEARER_OPTIONAL)))
+ // endpoint does not require a bearer
+ return true;
+
+ if((w->acl & (WEB_CLIENT_ACL_ACLK|WEB_CLIENT_ACL_WEBRTC)) || api_check_bearer_token(w))
+ // the request is coming from ACLK or WEBRTC (authorized already),
+ // or we have a valid bearer on the request
+ return true;
+
+ return false;
+}
+
int web_client_api_request_vX(RRDHOST *host, struct web_client *w, char *url_path_endpoint, struct web_api_command *api_commands) {
if(unlikely(!url_path_endpoint || !*url_path_endpoint)) {
buffer_flush(w->response.data);
@@ -13,8 +42,8 @@ int web_client_api_request_vX(RRDHOST *host, struct web_client *w, char *url_pat
for(int i = 0; api_commands[i].command ; i++) {
if(unlikely(hash == api_commands[i].hash && !strcmp(url_path_endpoint, api_commands[i].command))) {
- if(unlikely(api_commands[i].acl != WEB_CLIENT_ACL_NOCHECK) && !(w->acl & api_commands[i].acl))
- return web_client_permission_denied(w);
+ if(unlikely(!web_client_check_acl_and_bearer(w, api_commands[i].acl)))
+ return web_client_bearer_required(w);
char *query_string = (char *)buffer_tostring(w->url_query_string_decoded);