X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~mdw/git/disorder/blobdiff_plain/b12be54a68a7738d948d866eb7b9231f8e55a12e..5891b0a8916232a54a4856e186b1d21a44b38a48:/lib/cookies.c

diff --git a/lib/cookies.c b/lib/cookies.c
index 4ac9f65..bc8e9b0 100644
--- a/lib/cookies.c
+++ b/lib/cookies.c
@@ -30,15 +30,19 @@
 #include <errno.h>
 #include <time.h>
 #include <gcrypt.h>
+#include <pcre.h>
 
+#include "rights.h"
 #include "cookies.h"
 #include "hash.h"
 #include "mem.h"
 #include "log.h"
 #include "printf.h"
-#include "mime.h"
+#include "base64.h"
 #include "configuration.h"
 #include "kvp.h"
+#include "rights.h"
+#include "trackdb.h"
 
 /** @brief Hash function used in signing HMAC */
 #define ALGO GCRY_MD_SHA1
@@ -112,10 +116,9 @@ static char *sign(const uint8_t *key,
  * @return Cookie or NULL
  */
 char *make_cookie(const char *user) {
-  char *password;
+  const char *password;
   time_t now;
   char *b, *bp, *c, *g;
-  int n;
 
   /* semicolons aren't allowed in usernames */
   if(strchr(user, ';')) {
@@ -123,14 +126,11 @@ char *make_cookie(const char *user) {
     return 0;
   }
   /* look up the password */
-  for(n = 0; n < config->allow.n
-	&& strcmp(config->allow.s[n].s[0], user); ++n)
-    ;
-  if(n >= config->allow.n) {
+  password = trackdb_get_password(user);
+  if(!password) {
     error(0, "make_cookie for nonexistent user");
     return 0;
   }
-  password = config->allow.s[n].s[1];
   /* make sure we have a valid signing key */
   time(&now);
   if(now >= signing_key_validity_limit)
@@ -149,14 +149,16 @@ char *make_cookie(const char *user) {
 
 /** @brief Verify a cookie
  * @param cookie Cookie to verify
+ * @param rights Where to store rights value
  * @return Verified user or NULL
  */
-char *verify_cookie(const char *cookie) {
+char *verify_cookie(const char *cookie, rights_type *rights) {
   char *c1, *c2;
   intmax_t t;
   time_t now;
-  char *user, *bp, *password, *sig;
-  int n;
+  char *user, *bp, *sig;
+  const char *password;
+  struct kvp *k;
 
   /* check the revocation list */
   if(revoked && hash_find(revoked, cookie)) {
@@ -189,14 +191,15 @@ char *verify_cookie(const char *cookie) {
     return 0;
   }
   /* look up the password */
-  for(n = 0; n < config->allow.n
-	&& strcmp(config->allow.s[n].s[0], user); ++n)
-    ;
-  if(n >= config->allow.n) {
+  k = trackdb_getuserinfo(user);
+  if(!k) {
     error(0, "verify_cookie for nonexistent user");
     return 0;
   }
-  password = config->allow.s[n].s[1];
+  password = kvp_get(k, "password");
+  if(!password) password = "";
+  if(parse_rights(kvp_get(k, "rights"), rights, 1))
+    return 0;
   /* construct the expected subject.  We re-encode the timestamp and the
    * password. */
   byte_xasprintf(&bp, "%jx;%s;%s", t, urlencodestring(user), password);