/* Part of SWISH Author: Jan Wielemaker E-mail: J.Wielemaker@cs.vu.nl WWW: http://www.swi-prolog.org Copyright (C): 2017, VU University Amsterdam CWI Amsterdam All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ :- module(swish_pep, [ authorized/2, % +Action, +Options ws_authorized/2 % +Action, +WSID ]). :- use_module(library(debug)). :- use_module(library(option)). :- use_module(library(error)). :- use_module(library(http/http_wrapper)). :- use_module(authenticate). :- use_module(storage). :- use_module(config). /** SWISH PEP (Policy Enforcement Point) This module implements the _Policy Enforcement Point_. It is called by modules that perform operations that may not be publically accessible. Examples are: - Access to files (download, create, update, delete, list, search) - Control of the sandboxing - Access to users (profile management) */ :- multifile swish_config:approve/3. %! authorized(+Action, +Options) is det. % % Verify that Action is authorized. Options: % % - indentity(+Identity) % Indentity is the identity dict as collected by autenticate.pl. % % Actions defined: % % * Gitty store actions % - gitty(download(Obj, Format)) % Attempt to download Obj, one of file(File) or hash(Hash) in % Format, see storage_get/4 from storage.pl % - gitty(create(File,Named,Meta)) % Create file name File with the given meta-data. Named is one % of `named` or `random` and indicates whether the file is named % by the user or the name is generated by the system. % - gitty(update(File,PrevMeta,Meta)) % Update File and change meta-data from PrevMeta to Meta. % - gitty(delete(File,Meta)) % Delete File that has the given meta data. % * File actions % - file(update(File,Meta)) % Update (save) a physical file outside the versioned gitty % store. % * Social options % - chat(open) % Open websocket chat channel % - chat(post(Message, About)) % Post a chat message about a specific topic % % @throws http_reply(forbidden(URL)) if the action is not allowed. Can % we generate a JSON error object? authorized(Action, _Options) :- var(Action), !, instantiation_error(Action). authorized(Action, Options) :- option(identity(Id), Options), ( authorize(Action, Id) -> debug(pep, 'Approved gitty action ~p to ~p', [Action, Id]) ; debug(pep, 'Denied action ~p to ~p', [Action, Id]), http_current_request(Request), option(path(Path), Request), throw(http_reply(forbidden(Path))) ). %! ws_authorized(+Action, +WSUser) is semidet. % % True when WSUser is allowed to perform action. WSUser is a dict % containing the user info as provided by chat:chat_add_user_id/3. It % notably has a key `profile_id` if the user is logged on. % % @tbd Generalise. Notably, how do we get the identity as % authenticate/2 returns? ws_authorized(Action, _WSUser) :- var(Action), !, instantiation_error(Action). ws_authorized(chat(post(_,_)), WSUser) :- _Profile = WSUser.get(profile_id). :- multifile approve/2, deny/2. authorize(Action, Id) :- swish_config:approve(Action, Id, Approve), !, Approve == true. authorize(Action, Id) :- approve(Action, Id), !, \+ deny(Action, Id). %! approve(+Action, +Id) approve(gitty(update(_File,PrevMeta,_Meta)), Auth) :- !, storage_meta_property(PrevMeta, modify(Modify)), ( memberchk(any, Modify) -> true ; memberchk(login, Modify) -> user_property(Auth, login(_)) ; storage_meta_property(PrevMeta, identity(Id)), user_property(Auth, identity(Id)) ). approve(gitty(_), _). approve(file(update(_File, _Meta)), Auth) :- user_property(Auth, login(local)). approve(run(any, _), Auth) :- user_property(Auth, login(local)). approve(chat(open), _). %! deny(+Action, +Id) %! swish_config:approve(+Action, +Identity, -Approve) is semidet. % % This hook is called by approve/2 and deny/2 before the default % rules. If this hook succeeds it must unify Approve with `true` % or `false`. Action is approved if Approve is `true`. /******************************* * PENGINES * *******************************/ %! pengines:not_sandboxed(+User, +Application) is semidet. % % Called by Pengines to see whether User may call non-sandboxed % operations in Application. :- multifile pengines:not_sandboxed/2. pengines:not_sandboxed(User, Application) :- authorized(run(any, Application), [identity(User)]).