/*******************************************************************************
 * Copyright 2019 UChicago Argonne, LLC.
 * (c.f. AUTHORS, LICENSE)
 *
 * This file is part of the Argo containers project.
 * For more info, see https://xgitlab.cels.anl.gov/argo/containers
 *
 * SPDX-License-Identifier: BSD-3-Clause
*******************************************************************************/

#include "acl.hpp"
#include "utils.hpp"
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>
#include <cstdlib>


Acl::Acl(string config_file, uid_t uid):
	_config_file(config_file)
{
	if(uid == INVALID_UID)
		_uid = ruid;
	else 
		_uid = uid;

	check_config_file();

	_syslog_disable_info = DEFAULT_ACL_CONTROL;
	_syslog_disable_warning = DEFAULT_ACL_CONTROL;
	_syslog_disable_warning = DEFAULT_ACL_CONTROL;
	_syslog_enable_debug = DEFAULT_ACL_CONTROL;
}

Acl::~Acl()
{
}


void Acl::check_config_file()
{
	struct stat stat_buf;
	if(stat(_config_file.c_str(), &stat_buf) == -1)
		return;

	if(stat_buf.st_uid != 0)
		argo_exit(EXIT_FAILURE, "The ACL config file must be owned by root");

	if((stat_buf.st_mode&S_IWGRP || stat_buf.st_mode& S_IWOTH))
		argo_exit(EXIT_FAILURE, 
				"The ACL config file must be writable only for root. " +
				string(APP_NAME) + " cannot use it! ");
}

bool Acl::is_allowed(Acl_token token)
{
	if(_uid == 0)
		return true; //always allowed for root
	map<Acl_token, bool>::const_iterator it = 
		_single_value_privileges.find(token);
	if(it == _single_value_privileges.end())
		return DEFAULT_ACL_CONTROL;
	return it->second;
}