summaryrefslogtreecommitdiffstats
path: root/src/libnetdata/http/http_access.h
blob: afc2e1dc71b20b0661c1a851385a473c76ca4a13 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
// SPDX-License-Identifier: GPL-3.0-or-later

#ifndef NETDATA_HTTP_ACCESS_H
#define NETDATA_HTTP_ACCESS_H

typedef enum __attribute__((packed)) {
    HTTP_USER_ROLE_NONE = 0,
    HTTP_USER_ROLE_ADMIN = 1,
    HTTP_USER_ROLE_MANAGER = 2,
    HTTP_USER_ROLE_TROUBLESHOOTER = 3,
    HTTP_USER_ROLE_OBSERVER = 4,
    HTTP_USER_ROLE_MEMBER = 5,
    HTTP_USER_ROLE_BILLING = 6,
    HTTP_USER_ROLE_ANY = 7,

    // keep this list so that lower numbers are more strict access levels
} HTTP_USER_ROLE;
const char *http_id2user_role(HTTP_USER_ROLE role);
HTTP_USER_ROLE http_user_role2id(const char *role);

typedef enum __attribute__((packed)) {
    HTTP_ACCESS_NONE                        = 0,         //                                    adm man trb obs mem bil
    HTTP_ACCESS_SIGNED_ID                   = (1 << 0),  // User is authenticated               A   A   A   A   A   A
    HTTP_ACCESS_SAME_SPACE                  = (1 << 1),  // NC user+agent = same space          A   A   A   A   A   A
    HTTP_ACCESS_COMMERCIAL_SPACE            = (1 << 2),  // NC                                  P   P   P   P   P   P
    HTTP_ACCESS_ANONYMOUS_DATA              = (1 << 3),  // NC room:Read                        A   A   A   SR  SR  -
    HTTP_ACCESS_SENSITIVE_DATA              = (1 << 4),  // NC agent:ViewSensitiveData          A   A   A   -   SR  -
    HTTP_ACCESS_VIEW_AGENT_CONFIG           = (1 << 5),  // NC agent:ReadDynCfg                 P   P   -   -   -   -
    HTTP_ACCESS_EDIT_AGENT_CONFIG           = (1 << 6),  // NC agent:EditDynCfg                 P   P   -   -   -   -
    HTTP_ACCESS_VIEW_NOTIFICATIONS_CONFIG   = (1 << 7),  // NC agent:ViewNotificationsConfig    P   -   -   -   -   -
    HTTP_ACCESS_EDIT_NOTIFICATIONS_CONFIG   = (1 << 8),  // NC agent:EditNotificationsConfig    P   -   -   -   -   -
    HTTP_ACCESS_VIEW_ALERTS_SILENCING       = (1 << 9),  // NC space:GetSystemSilencingRules    A   A   A   -   A   -
    HTTP_ACCESS_EDIT_ALERTS_SILENCING       = (1 << 10), // NC space:CreateSystemSilencingRule  P   P   -   -   P   -
} HTTP_ACCESS;                                           //                                     ---------------------
                                                         //                                     A  = always
                                                         //                                     P  = commercial plan
                                                         //                                     SR = same room (Us+Ag)

#define HTTP_ACCESS_FORMAT "0x%" PRIx32
#define HTTP_ACCESS_FORMAT_CAST uint32_t

#define HTTP_ACCESS_ALL (HTTP_ACCESS)( \
      HTTP_ACCESS_SIGNED_ID \
    | HTTP_ACCESS_SAME_SPACE \
    | HTTP_ACCESS_COMMERCIAL_SPACE \
    | HTTP_ACCESS_ANONYMOUS_DATA \
    | HTTP_ACCESS_SENSITIVE_DATA \
    | HTTP_ACCESS_VIEW_AGENT_CONFIG \
    | HTTP_ACCESS_EDIT_AGENT_CONFIG \
    | HTTP_ACCESS_VIEW_NOTIFICATIONS_CONFIG \
    | HTTP_ACCESS_EDIT_NOTIFICATIONS_CONFIG \
    | HTTP_ACCESS_VIEW_ALERTS_SILENCING \
    | HTTP_ACCESS_EDIT_ALERTS_SILENCING \
)

#define HTTP_ACCESS_MAP_OLD_ANY (HTTP_ACCESS)(HTTP_ACCESS_ANONYMOUS_DATA)

#define HTTP_ACCESS_MAP_OLD_MEMBER (HTTP_ACCESS)( \
      HTTP_ACCESS_SIGNED_ID \
    | HTTP_ACCESS_SAME_SPACE \
    | HTTP_ACCESS_ANONYMOUS_DATA | HTTP_ACCESS_SENSITIVE_DATA)

#define HTTP_ACCESS_MAP_OLD_ADMIN (HTTP_ACCESS)( \
      HTTP_ACCESS_SIGNED_ID \
    | HTTP_ACCESS_SAME_SPACE \
    | HTTP_ACCESS_ANONYMOUS_DATA | HTTP_ACCESS_SENSITIVE_DATA | HTTP_ACCESS_VIEW_AGENT_CONFIG \
    | HTTP_ACCESS_EDIT_AGENT_CONFIG \
)

HTTP_ACCESS http_access2id_one(const char *str);
HTTP_ACCESS http_access2id(char *str);
struct web_buffer;
void http_access2buffer_json_array(struct web_buffer *wb, const char *key, HTTP_ACCESS access);
void http_access2txt(char *buf, size_t size, const char *separator, HTTP_ACCESS access);
HTTP_ACCESS http_access_from_hex(const char *str);
HTTP_ACCESS http_access_from_hex_mapping_old_roles(const char *str);
HTTP_ACCESS http_access_from_source(const char *str);
bool log_cb_http_access_to_hex(struct web_buffer *wb, void *data);

#define HTTP_ACCESS_PERMISSION_DENIED_HTTP_CODE(access) ((access & HTTP_ACCESS_SIGNED_ID) ? HTTP_RESP_FORBIDDEN : HTTP_RESP_PRECOND_FAIL)

typedef enum __attribute__((packed)) {
    HTTP_ACL_NONE                   = (0),

    HTTP_ACL_NOCHECK                = (1 << 0), // Don't check anything - adding this to an endpoint, disables ACL checking

    // transports
    HTTP_ACL_API                    = (1 << 1), // from the internal web server (TCP port)
    HTTP_ACL_API_UDP                = (1 << 2), // from the internal web server (UDP port)
    HTTP_ACL_API_UNIX               = (1 << 3), // from the internal web server (UNIX socket)
    HTTP_ACL_H2O                    = (1 << 4), // from the h2o web server
    HTTP_ACL_ACLK                   = (1 << 5), // from ACLK
    HTTP_ACL_WEBRTC                 = (1 << 6), // from WebRTC

    // HTTP_ACL_API takes the following additional ACLs, based on pattern matching of the client IP
    HTTP_ACL_DASHBOARD              = (1 << 10),
    HTTP_ACL_REGISTRY               = (1 << 11),
    HTTP_ACL_BADGES                 = (1 << 12),
    HTTP_ACL_MANAGEMENT             = (1 << 13),
    HTTP_ACL_STREAMING              = (1 << 14),
    HTTP_ACL_NETDATACONF            = (1 << 15),

    // SSL related
    HTTP_ACL_SSL_OPTIONAL           = (1 << 28),
    HTTP_ACL_SSL_FORCE              = (1 << 29),
    HTTP_ACL_SSL_DEFAULT            = (1 << 30),
} HTTP_ACL;

#define HTTP_ACL_TRANSPORTS (HTTP_ACL)(                                 \
      HTTP_ACL_API                                                      \
    | HTTP_ACL_API_UDP                                                  \
    | HTTP_ACL_API_UNIX                                                 \
    | HTTP_ACL_H2O                                                      \
    | HTTP_ACL_ACLK                                                     \
    | HTTP_ACL_WEBRTC                                                   \
)

#define HTTP_ACL_TRANSPORTS_WITHOUT_CLIENT_IP_VALIDATION (HTTP_ACL)(    \
      HTTP_ACL_ACLK                                                     \
    | HTTP_ACL_WEBRTC                                                   \
)

#define HTTP_ACL_ALL_FEATURES (HTTP_ACL)(                               \
      HTTP_ACL_DASHBOARD                                                \
    | HTTP_ACL_REGISTRY                                                 \
    | HTTP_ACL_BADGES                                                   \
    | HTTP_ACL_MANAGEMENT                                               \
    | HTTP_ACL_STREAMING                                                \
    | HTTP_ACL_NETDATACONF                                              \
)

#ifdef NETDATA_DEV_MODE
#define ACL_DEV_OPEN_ACCESS HTTP_ACL_NOCHECK
#else
#define ACL_DEV_OPEN_ACCESS 0
#endif

#define http_can_access_dashboard(w) ((w)->acl & HTTP_ACL_DASHBOARD)
#define http_can_access_registry(w) ((w)->acl & HTTP_ACL_REGISTRY)
#define http_can_access_badges(w) ((w)->acl & HTTP_ACL_BADGES)
#define http_can_access_mgmt(w) ((w)->acl & HTTP_ACL_MANAGEMENT)
#define http_can_access_stream(w) ((w)->acl & HTTP_ACL_STREAMING)
#define http_can_access_netdataconf(w) ((w)->acl & HTTP_ACL_NETDATACONF)
#define http_is_using_ssl_optional(w) ((w)->port_acl & HTTP_ACL_SSL_OPTIONAL)
#define http_is_using_ssl_force(w) ((w)->port_acl & HTTP_ACL_SSL_FORCE)
#define http_is_using_ssl_default(w) ((w)->port_acl & HTTP_ACL_SSL_DEFAULT)

#endif //NETDATA_HTTP_ACCESS_H