From ff7455af24ff40eb4a02dc5cfb087d6f9a408dff Mon Sep 17 00:00:00 2001
From: stephb9959
Date: Fri, 12 Nov 2021 22:25:29 -0800
Subject: [PATCH] improving ACL processing.
---
 CMakeLists.txt | 2 +-
 build | 2 +-
 src/ACLProcessor.h | 42 ++++++++++++++++++++++++++++
 src/RESTAPI/RESTAPI_user_handler.cpp | 25 ++++-------------
 test_scripts/curl/cli | 2 +-
 5 files changed, 50 insertions(+), 23 deletions(-)
 create mode 100644 src/ACLProcessor.h
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 069ffa4..b8f4b5d 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -90,7 +90,7 @@ add_executable( owsec
 src/storage/storage_actionLinks.cpp src/storage/storage_actionLinks.h
 src/storage/storage_tokens.h
 src/ActionLinkManager.cpp src/ActionLinkManager.h
- )
+ src/ACLProcessor.h)
 
 if(NOT SMALL_BUILD)
 target_link_libraries(owsec PUBLIC
diff --git a/build b/build
index 8783e30..7c6ba0f 100644
--- a/build
+++ b/build
@@ -1 +1 @@
-53
\ No newline at end of file
+55
\ No newline at end of file
diff --git a/src/ACLProcessor.h b/src/ACLProcessor.h
new file mode 100644
index 0000000..dafa106
--- /dev/null
+++ b/src/ACLProcessor.h
@@ -0,0 +1,42 @@
+//
+// Created by stephane bourque on 2021-11-12.
+//
+
+#ifndef OWSEC_ACLPROCESSOR_H
+#define OWSEC_ACLPROCESSOR_H
+
+#include "RESTObjects/RESTAPI_SecurityObjects.h"
+
+namespace OpenWifi {
+
+ class ACLProcessor {
+ public:
+ enum ACL_OPS {
+ READ,
+ MODIFY,
+ DELETE,
+ CREATE
+ };
+ static inline bool Can( const SecurityObjects::UserInfo & User, const SecurityObjects::UserInfo & Target, ACL_OPS Op) {
+ if(User.Id == Target.Id && Op==DELETE)
+ return false;
+
+ if(User.userRole==SecurityObjects::ROOT)
+ return true;
+
+ if((User.userRole!=SecurityObjects::ADMIN || Target.userRole!=SecurityObjects::ROOT) && Op!=READ)
+ return false;
+
+ if(User.userRole==SecurityObjects::ADMIN && Target.userRole==SecurityObjects::ROOT && Op!=READ)
+ return false;
+
+ return true;
+ }
+ private:
+
+ };
+
+}
+
+
+#endif //OWSEC_ACLPROCESSOR_H
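Review bot: The third check in `Can` denies every non-READ operation for an ADMIN whose target is not ROOT: for an ADMIN caller and a regular-user target, `(User.userRole!=SecurityObjects::ADMIN || Target.userRole!=SecurityObjects::ROOT)` evaluates true, so the function returns false. Together with the fourth check this means an ADMIN can never DELETE, MODIFY or CREATE anyone, whereas the handler code removed in the RESTAPI_user_handler.cpp hunks (DoDelete, DoPost and DoPut, which all now route through this function) allowed ADMIN to act on non-ROOT users. The regression fails closed rather than open, but the extra target clause reads as a slip of the fourth check; dropping it restores the intended gate, `if(User.userRole!=SecurityObjects::ADMIN && Op!=READ) return false;`, with the ADMIN-vs-ROOT check that follows left as is. Separately, READ falls through to `return true` for any caller and any target including ROOT; nothing in this diff passes READ, so whether cross-role read is intended cannot be judged here, but the enumerator deserves a one-line comment saying so, since a future caller will otherwise assume `Can` gates it.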
diff --git a/src/RESTAPI/RESTAPI_user_handler.cpp b/src/RESTAPI/RESTAPI_user_handler.cpp
index 3a3a29e..d7e3feb 100644
--- a/src/RESTAPI/RESTAPI_user_handler.cpp
+++ b/src/RESTAPI/RESTAPI_user_handler.cpp
@@ -7,6 +7,7 @@
 #include "Poco/JSON/Parser.h"
 #include "framework/RESTAPI_errors.h"
 #include "SMSSender.h"
+#include "ACLProcessor.h"
 
 namespace OpenWifi {
 void RESTAPI_user_handler::DoGet() {
@@ -40,20 +41,12 @@ namespace OpenWifi {
 return BadRequest(RESTAPI::Errors::MissingUserID);
 }
 
- if(UserInfo_.userinfo.userRole!= SecurityObjects::ROOT && UserInfo_.userinfo.userRole!=SecurityObjects::ADMIN) {
- return UnAuthorized(RESTAPI::Errors::InsufficientAccessRights, ACCESS_DENIED);
- }
-
- if(UserInfo_.userinfo.Id == Id) {
- return UnAuthorized(RESTAPI::Errors::InsufficientAccessRights, ACCESS_DENIED);
- }
-
 SecurityObjects::UserInfo UInfo;
 if(!StorageService()->GetUserById(Id,UInfo)) {
 return NotFound();
 }
 
- if(UInfo.userRole==SecurityObjects::ROOT && UserInfo_.userinfo.userRole!=SecurityObjects::ROOT) {
+ if(!ACLProcessor::Can(UserInfo_.userinfo, UInfo,ACLProcessor::DELETE)) {
 return UnAuthorized(RESTAPI::Errors::InsufficientAccessRights, ACCESS_DENIED);
 }
 
@@ -83,11 +76,7 @@ namespace OpenWifi {
 return BadRequest(RESTAPI::Errors::InvalidUserRole);
 }
 
- if(UserInfo_.userinfo.userRole!=SecurityObjects::ROOT && UserInfo_.userinfo.userRole!=SecurityObjects::ADMIN) {
- return UnAuthorized("Insufficient access rights.", ACCESS_DENIED);
- }
-
- if(UserInfo_.userinfo.userRole == SecurityObjects::ADMIN && UInfo.userRole == SecurityObjects::ROOT) {
+ if(!ACLProcessor::Can(UserInfo_.userinfo,UInfo,ACLProcessor::CREATE)) {
 return UnAuthorized("Insufficient access rights.", ACCESS_DENIED);
 }
 
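Review bot: In the DoDelete hunk the access decision now happens only after `StorageService()->GetUserById(Id,UInfo)`, whereas the removed lines rejected callers who are neither ROOT nor ADMIN before any lookup. A caller without delete rights therefore now gets NotFound for an unknown Id and UnAuthorized for an existing one, which lets a low-privilege caller learn whether a user Id exists (and spends a storage lookup on a request that can never succeed); the DoPut hunk further down has the same ordering, with `Existing` fetched before `Can`. Keep a caller-only gate ahead of the lookup, e.g. `if(UserInfo_.userinfo.userRole!=SecurityObjects::ROOT && UserInfo_.userinfo.userRole!=SecurityObjects::ADMIN) return UnAuthorized(RESTAPI::Errors::InsufficientAccessRights, ACCESS_DENIED);`, or make the lookup-failure response indistinguishable from the access-denied one for such callers. DoDelete's body begins and ends outside this hunk.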
@@ -140,12 +129,8 @@ namespace OpenWifi {
 return NotFound();
 }
 
- if(UserInfo_.userinfo.userRole!=SecurityObjects::ROOT && UserInfo_.userinfo.userRole!=SecurityObjects::ADMIN) {
- return UnAuthorized(RESTAPI::Errors::InsufficientAccessRights, ACCESS_DENIED);
- }
-
- if(UserInfo_.userinfo.userRole == SecurityObjects::ADMIN && Existing.userRole == SecurityObjects::ROOT) {
- return UnAuthorized(RESTAPI::Errors::InsufficientAccessRights, ACCESS_DENIED);
+ if(!ACLProcessor::Can(UserInfo_.userinfo,Existing,ACLProcessor::MODIFY)) {
+ return UnAuthorized("Insufficient access rights.", ACCESS_DENIED);
 }
 
 SecurityObjects::UserInfo NewUser;
diff --git a/test_scripts/curl/cli b/test_scripts/curl/cli
index 9e67d15..366586f 100755
--- a/test_scripts/curl/cli
+++ b/test_scripts/curl/cli
@@ -35,7 +35,7 @@ fi
 token=""
 result_file=result.json
 username="tip@ucentral.com"
-password="openwifi"
+password="Snoopy99!!!"
 #username="stephb@incognito.com"
 #password="Snoopy98!"
 browser_list=(firefox sensible-browser xdg-open w3m links links2 lynx youtube-dl)
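Review bot: The replacement `return UnAuthorized("Insufficient access rights.", ACCESS_DENIED);` in the DoPut hunk swaps the `RESTAPI::Errors::InsufficientAccessRights` constant used by the lines it replaces (and still used by the DoDelete hunk in this same commit) for a string literal, so the same failure is now reported two different ways across the three handlers. Keep the constant here, `return UnAuthorized(RESTAPI::Errors::InsufficientAccessRights, ACCESS_DENIED);`, and consider moving the DoPost literal to the constant as well so the error catalogue stays the single source of these messages. DoPut's body starts and ends outside this hunk.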
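Review bot: The new `password="Snoopy99!!!"` line commits a credential into a tracked test script, replacing the documented default `openwifi`; a second commented-out password already sits two lines below, so this file is accumulating secrets in git history that a later edit cannot remove. Read the value from the environment instead, e.g. `password="${OWSEC_TEST_PASSWORD:?set OWSEC_TEST_PASSWORD}"` (variable name chosen here for illustration), and rotate the account's password, since the committed value should be treated as exposed.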