// SPDX-License-Identifier: GPL-3.0-or-later #ifndef NETDATA_HTTP_ACCESS_H #define NETDATA_HTTP_ACCESS_H typedef enum __attribute__((packed)) { HTTP_USER_ROLE_NONE = 0, HTTP_USER_ROLE_ADMIN = 1, HTTP_USER_ROLE_MANAGER = 2, HTTP_USER_ROLE_TROUBLESHOOTER = 3, HTTP_USER_ROLE_OBSERVER = 4, HTTP_USER_ROLE_MEMBER = 5, HTTP_USER_ROLE_BILLING = 6, HTTP_USER_ROLE_ANY = 7, // keep this list so that lower numbers are more strict access levels } HTTP_USER_ROLE; const char *http_id2user_role(HTTP_USER_ROLE role); HTTP_USER_ROLE http_user_role2id(const char *role); typedef enum __attribute__((packed)) { HTTP_ACCESS_NONE = 0, // adm man trb obs mem bil HTTP_ACCESS_SIGNED_ID = (1 << 0), // User is authenticated A A A A A A HTTP_ACCESS_SAME_SPACE = (1 << 1), // NC user+agent = same space A A A A A A HTTP_ACCESS_COMMERCIAL_SPACE = (1 << 2), // NC P P P P P P HTTP_ACCESS_ANONYMOUS_DATA = (1 << 3), // NC room:Read A A A SR SR - HTTP_ACCESS_SENSITIVE_DATA = (1 << 4), // NC agent:ViewSensitiveData A A A - SR - HTTP_ACCESS_VIEW_AGENT_CONFIG = (1 << 5), // NC agent:ReadDynCfg P P - - - - HTTP_ACCESS_EDIT_AGENT_CONFIG = (1 << 6), // NC agent:EditDynCfg P P - - - - HTTP_ACCESS_VIEW_NOTIFICATIONS_CONFIG = (1 << 7), // NC agent:ViewNotificationsConfig P - - - - - HTTP_ACCESS_EDIT_NOTIFICATIONS_CONFIG = (1 << 8), // NC agent:EditNotificationsConfig P - - - - - HTTP_ACCESS_VIEW_ALERTS_SILENCING = (1 << 9), // NC space:GetSystemSilencingRules A A A - A - HTTP_ACCESS_EDIT_ALERTS_SILENCING = (1 << 10), // NC space:CreateSystemSilencingRule P P - - P - } HTTP_ACCESS; // --------------------- // A = always // P = commercial plan // SR = same room (Us+Ag) #define HTTP_ACCESS_FORMAT "0x%" PRIx32 #define HTTP_ACCESS_FORMAT_CAST uint32_t #define HTTP_ACCESS_ALL (HTTP_ACCESS)( \ HTTP_ACCESS_SIGNED_ID \ | HTTP_ACCESS_SAME_SPACE \ | HTTP_ACCESS_COMMERCIAL_SPACE \ | HTTP_ACCESS_ANONYMOUS_DATA \ | HTTP_ACCESS_SENSITIVE_DATA \ | HTTP_ACCESS_VIEW_AGENT_CONFIG \ | HTTP_ACCESS_EDIT_AGENT_CONFIG \ | HTTP_ACCESS_VIEW_NOTIFICATIONS_CONFIG \ | HTTP_ACCESS_EDIT_NOTIFICATIONS_CONFIG \ | HTTP_ACCESS_VIEW_ALERTS_SILENCING \ | HTTP_ACCESS_EDIT_ALERTS_SILENCING \ ) #define HTTP_ACCESS_MAP_OLD_ANY (HTTP_ACCESS)(HTTP_ACCESS_ANONYMOUS_DATA) #define HTTP_ACCESS_MAP_OLD_MEMBER (HTTP_ACCESS)( \ HTTP_ACCESS_SIGNED_ID \ | HTTP_ACCESS_SAME_SPACE \ | HTTP_ACCESS_ANONYMOUS_DATA | HTTP_ACCESS_SENSITIVE_DATA) #define HTTP_ACCESS_MAP_OLD_ADMIN (HTTP_ACCESS)( \ HTTP_ACCESS_SIGNED_ID \ | HTTP_ACCESS_SAME_SPACE \ | HTTP_ACCESS_ANONYMOUS_DATA | HTTP_ACCESS_SENSITIVE_DATA | HTTP_ACCESS_VIEW_AGENT_CONFIG \ | HTTP_ACCESS_EDIT_AGENT_CONFIG \ ) HTTP_ACCESS http_access2id_one(const char *str); HTTP_ACCESS http_access2id(char *str); struct web_buffer; void http_access2buffer_json_array(struct web_buffer *wb, const char *key, HTTP_ACCESS access); void http_access2txt(char *buf, size_t size, const char *separator, HTTP_ACCESS access); HTTP_ACCESS http_access_from_hex(const char *str); HTTP_ACCESS http_access_from_hex_mapping_old_roles(const char *str); HTTP_ACCESS http_access_from_source(const char *str); bool log_cb_http_access_to_hex(struct web_buffer *wb, void *data); #define HTTP_ACCESS_PERMISSION_DENIED_HTTP_CODE(access) ((access & HTTP_ACCESS_SIGNED_ID) ? HTTP_RESP_FORBIDDEN : HTTP_RESP_PRECOND_FAIL) typedef enum __attribute__((packed)) { HTTP_ACL_NONE = (0), HTTP_ACL_NOCHECK = (1 << 0), // Don't check anything - adding this to an endpoint, disables ACL checking // transports HTTP_ACL_API = (1 << 1), // from the internal web server (TCP port) HTTP_ACL_API_UDP = (1 << 2), // from the internal web server (UDP port) HTTP_ACL_API_UNIX = (1 << 3), // from the internal web server (UNIX socket) HTTP_ACL_H2O = (1 << 4), // from the h2o web server HTTP_ACL_ACLK = (1 << 5), // from ACLK HTTP_ACL_WEBRTC = (1 << 6), // from WebRTC // HTTP_ACL_API takes the following additional ACLs, based on pattern matching of the client IP HTTP_ACL_DASHBOARD = (1 << 10), HTTP_ACL_REGISTRY = (1 << 11), HTTP_ACL_BADGES = (1 << 12), HTTP_ACL_MANAGEMENT = (1 << 13), HTTP_ACL_STREAMING = (1 << 14), HTTP_ACL_NETDATACONF = (1 << 15), // SSL related HTTP_ACL_SSL_OPTIONAL = (1 << 28), HTTP_ACL_SSL_FORCE = (1 << 29), HTTP_ACL_SSL_DEFAULT = (1 << 30), } HTTP_ACL; #define HTTP_ACL_TRANSPORTS (HTTP_ACL)( \ HTTP_ACL_API \ | HTTP_ACL_API_UDP \ | HTTP_ACL_API_UNIX \ | HTTP_ACL_H2O \ | HTTP_ACL_ACLK \ | HTTP_ACL_WEBRTC \ ) #define HTTP_ACL_TRANSPORTS_WITHOUT_CLIENT_IP_VALIDATION (HTTP_ACL)( \ HTTP_ACL_ACLK \ | HTTP_ACL_WEBRTC \ ) #define HTTP_ACL_ALL_FEATURES (HTTP_ACL)( \ HTTP_ACL_DASHBOARD \ | HTTP_ACL_REGISTRY \ | HTTP_ACL_BADGES \ | HTTP_ACL_MANAGEMENT \ | HTTP_ACL_STREAMING \ | HTTP_ACL_NETDATACONF \ ) #ifdef NETDATA_DEV_MODE #define ACL_DEV_OPEN_ACCESS HTTP_ACL_NOCHECK #else #define ACL_DEV_OPEN_ACCESS 0 #endif #define http_can_access_dashboard(w) ((w)->acl & HTTP_ACL_DASHBOARD) #define http_can_access_registry(w) ((w)->acl & HTTP_ACL_REGISTRY) #define http_can_access_badges(w) ((w)->acl & HTTP_ACL_BADGES) #define http_can_access_mgmt(w) ((w)->acl & HTTP_ACL_MANAGEMENT) #define http_can_access_stream(w) ((w)->acl & HTTP_ACL_STREAMING) #define http_can_access_netdataconf(w) ((w)->acl & HTTP_ACL_NETDATACONF) #define http_is_using_ssl_optional(w) ((w)->port_acl & HTTP_ACL_SSL_OPTIONAL) #define http_is_using_ssl_force(w) ((w)->port_acl & HTTP_ACL_SSL_FORCE) #define http_is_using_ssl_default(w) ((w)->port_acl & HTTP_ACL_SSL_DEFAULT) #endif //NETDATA_HTTP_ACCESS_H