|
1 /* |
|
2 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER. |
|
3 * |
|
4 * Copyright 2013 Olaf Wintermann. All rights reserved. |
|
5 * |
|
6 * Redistribution and use in source and binary forms, with or without |
|
7 * modification, are permitted provided that the following conditions are met: |
|
8 * |
|
9 * 1. Redistributions of source code must retain the above copyright |
|
10 * notice, this list of conditions and the following disclaimer. |
|
11 * |
|
12 * 2. Redistributions in binary form must reproduce the above copyright |
|
13 * notice, this list of conditions and the following disclaimer in the |
|
14 * documentation and/or other materials provided with the distribution. |
|
15 * |
|
16 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" |
|
17 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
|
18 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
|
19 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE |
|
20 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR |
|
21 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF |
|
22 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS |
|
23 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN |
|
24 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) |
|
25 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE |
|
26 * POSSIBILITY OF SUCH DAMAGE. |
|
27 */ |
|
28 |
|
29 #include <stdio.h> |
|
30 #include <stdlib.h> |
|
31 |
|
32 #include "acl.h" |
|
33 |
|
34 ACLFile* load_acl_file(char *file) { |
|
35 FILE *in = fopen(file, "r"); |
|
36 if(in == NULL) { |
|
37 return NULL; |
|
38 } |
|
39 |
|
40 ACLFile *conf = malloc(sizeof(ACLFile)); |
|
41 conf->parser.parse = acl_parse; |
|
42 conf->file = file; |
|
43 conf->namedACLs = NULL; |
|
44 conf->uriACLs = NULL; |
|
45 conf->pathACLs = NULL; |
|
46 |
|
47 int r = cfg_parse_basic_file((ConfigParser*)conf, in); |
|
48 if(r != 0) { |
|
49 free_acl_file(conf); |
|
50 return NULL; |
|
51 } |
|
52 |
|
53 return conf; |
|
54 } |
|
55 |
|
56 void free_acl_file(ACLFile *aclfile) { |
|
57 |
|
58 } |
|
59 |
|
60 int acl_parse(void *p, ConfigLine *begin, ConfigLine *end, sstr_t line) { |
|
61 ACLFile *aclf = p; |
|
62 UcxMempool *mp = aclf->parser.mp; |
|
63 |
|
64 if(sstr_startswith(line, sstr("ACL "))) { |
|
65 sstr_t param = sstrsubs(line, 4); |
|
66 UcxList *plist = cfg_param_list(param, mp); |
|
67 ACLConfig *acl = OBJ_NEW(mp, ACLConfig); |
|
68 acl->type.ptr = NULL; |
|
69 acl->authparam = NULL; |
|
70 acl->entries = NULL; |
|
71 aclf->cur = acl; |
|
72 |
|
73 sstr_t type = cfg_param_get(plist, sstr("type")); |
|
74 sstr_t name = cfg_param_get(plist, sstr("name")); |
|
75 sstr_t path = cfg_param_get(plist, sstr("path")); |
|
76 sstr_t uri = cfg_param_get(plist, sstr("uri")); |
|
77 |
|
78 if(name.ptr) { |
|
79 acl->id = name; |
|
80 aclf->namedACLs = ucx_list_append(aclf->namedACLs, acl); |
|
81 } else if(path.ptr) { |
|
82 acl->id = path; |
|
83 aclf->pathACLs = ucx_list_append(aclf->pathACLs, acl); |
|
84 } else if(uri.ptr) { |
|
85 acl->id = uri; |
|
86 aclf->uriACLs = ucx_list_append(aclf->uriACLs, acl); |
|
87 } |
|
88 |
|
89 if(type.ptr) { |
|
90 acl->type = type; |
|
91 } |
|
92 } else if(sstr_startswith(line, sstr("Authenticate "))) { |
|
93 sstr_t param = sstrsubs(line, 13); |
|
94 UcxList *plist = cfg_param_list(param, mp); |
|
95 aclf->cur->authparam = plist; |
|
96 } else { |
|
97 if(parse_ace(aclf, line)) { |
|
98 // TODO: error |
|
99 return 1; |
|
100 } |
|
101 } |
|
102 |
|
103 return 0; |
|
104 } |
|
105 |
|
106 int parse_ace(ACLFile *f, sstr_t line) { |
|
107 ACLConfig *cur = f->cur; |
|
108 UcxMempool *mp = f->parser.mp; |
|
109 |
|
110 size_t tkn = 0; |
|
111 sstr_t *tk = sstrsplit(line, sstr(":"), &tkn); |
|
112 if(!tk || tkn < 3) { |
|
113 fprintf(stderr, "parse_ace: to few tokens\n"); |
|
114 return 1; |
|
115 } |
|
116 |
|
117 ACEConfig *ace = OBJ_NEW(mp, ACEConfig); |
|
118 memset(ace, 0, sizeof(ACEConfig)); |
|
119 |
|
120 /* |
|
121 * first step: determine who is affected by this ace |
|
122 */ |
|
123 int n = 0; |
|
124 sstr_t s = tk[0]; |
|
125 |
|
126 if(!sstrcmp(s, sstr("user"))) { |
|
127 // next token is the user name |
|
128 s = tk[1]; |
|
129 n++; |
|
130 ace->who = sstrdup_mp(mp, s); |
|
131 } else if(!sstrcmp(s, sstr("group"))) { |
|
132 // next token is the group name |
|
133 s = tk[1]; |
|
134 n++; |
|
135 ace->who = sstrdup_mp(mp, s); |
|
136 ace->flags = ACLCFG_IDENTIFIER_GROUP; |
|
137 } else if(!sstrcmp(s, sstr("owner@"))) { |
|
138 ace->flags = ACLCFG_OWNER; |
|
139 } else if(!sstrcmp(s, sstr("group@"))) { |
|
140 ace->flags = ACLCFG_GROUP; |
|
141 } else if(!sstrcmp(s, sstr("everyone@"))) { |
|
142 ace->flags = ACLCFG_EVERYONE; |
|
143 } else { |
|
144 // you can specify only the user name in the ace |
|
145 ace->who = sstrdup_mp(mp, s); |
|
146 } |
|
147 |
|
148 n++; //next token |
|
149 |
|
150 /* |
|
151 * get the access mask |
|
152 */ |
|
153 |
|
154 if(n >= tkn) { |
|
155 // to few tokens |
|
156 fprintf(stderr, "parse_ace: ace incomplete\n"); |
|
157 return 1; |
|
158 } |
|
159 s = tk[n]; |
|
160 |
|
161 size_t maskn = 0; |
|
162 sstr_t *accessmask = sstrsplit(s, sstr(","), &maskn); |
|
163 for(int i=0;i<maskn;i++) { |
|
164 sstr_t access = accessmask[i]; |
|
165 if(!sstrcmp(access, sstr("read"))) { |
|
166 ace->access_mask = ace->access_mask | ACLCFG_READ; |
|
167 } else if(!sstrcmp(access, sstr("write"))) { |
|
168 ace->access_mask = ace->access_mask | ACLCFG_WRITE; |
|
169 } else if(!sstrcmp(access, sstr("read_data"))) { |
|
170 ace->access_mask = ace->access_mask | ACLCFG_READ_DATA; |
|
171 } else if(!sstrcmp(access, sstr("write_data"))) { |
|
172 ace->access_mask = ace->access_mask | ACLCFG_WRITE_DATA; |
|
173 } else if(!sstrcmp(access, sstr("append"))) { |
|
174 ace->access_mask = ace->access_mask | ACLCFG_APPEND; |
|
175 } else if(!sstrcmp(access, sstr("add_file"))) { |
|
176 ace->access_mask = ace->access_mask | ACLCFG_ADD_FILE; |
|
177 } else if(!sstrcmp(access, sstr("add_subdirectory"))) { |
|
178 ace->access_mask = ace->access_mask | ACLCFG_ADD_SUBDIRECTORY; |
|
179 } else if(!sstrcmp(access, sstr("read_xattr"))) { |
|
180 ace->access_mask = ace->access_mask | ACLCFG_READ_XATTR; |
|
181 } else if(!sstrcmp(access, sstr("write_xattr"))) { |
|
182 ace->access_mask = ace->access_mask | ACLCFG_WRITE_XATTR; |
|
183 } else if(!sstrcmp(access, sstr("execute"))) { |
|
184 ace->access_mask = ace->access_mask | ACLCFG_EXECUTE; |
|
185 } else if(!sstrcmp(access, sstr("delete_child"))) { |
|
186 ace->access_mask = ace->access_mask | ACLCFG_DELETE_CHILD; |
|
187 } else if(!sstrcmp(access, sstr("delete"))) { |
|
188 ace->access_mask = ace->access_mask | ACLCFG_DELETE; |
|
189 } else if(!sstrcmp(access, sstr("read_attributes"))) { |
|
190 ace->access_mask = ace->access_mask | ACLCFG_READ_ATTRIBUTES; |
|
191 } else if(!sstrcmp(access, sstr("write_attributes"))) { |
|
192 ace->access_mask = ace->access_mask | ACLCFG_WRITE_ATTRIBUTES; |
|
193 } else if(!sstrcmp(access, sstr("list"))) { |
|
194 ace->access_mask = ace->access_mask | ACLCFG_LIST; |
|
195 } else if(!sstrcmp(access, sstr("read_acl"))) { |
|
196 ace->access_mask = ace->access_mask | ACLCFG_READ_ACL; |
|
197 } else if(!sstrcmp(access, sstr("write_acl"))) { |
|
198 ace->access_mask = ace->access_mask | ACLCFG_WRITE_ACL; |
|
199 } else if(!sstrcmp(access, sstr("write_owner"))) { |
|
200 ace->access_mask = ace->access_mask | ACLCFG_WRITE_OWNER; |
|
201 } else if(!sstrcmp(access, sstr("synchronize"))) { |
|
202 ace->access_mask = ace->access_mask | ACLCFG_SYNCHRONIZE; |
|
203 } |
|
204 } |
|
205 free(accessmask); |
|
206 n++; // next token |
|
207 |
|
208 /* |
|
209 * get flags (optional) and ace type |
|
210 */ |
|
211 |
|
212 int complete = 0; |
|
213 while(n < tkn) { |
|
214 s = tk[n]; |
|
215 if(!sstrcmp(s, sstr("allow"))) { |
|
216 ace->type = ACLCFG_TYPE_ALLOWED; |
|
217 complete = 1; |
|
218 break; |
|
219 } else if(!sstrcmp(s, sstr("deny"))) { |
|
220 ace->type = ACLCFG_TYPE_DENIED; |
|
221 complete = 1; |
|
222 break; |
|
223 } else if(!sstrcmp(s, sstr("audit"))) { |
|
224 ace->type = ACLCFG_TYPE_AUDIT; |
|
225 complete = 1; |
|
226 break; |
|
227 } else if(!sstrcmp(s, sstr("alarm"))) { |
|
228 ace->type = ACLCFG_TYPE_ALARM; |
|
229 complete = 1; |
|
230 break; |
|
231 } else { |
|
232 // set flags |
|
233 size_t fln = 0; |
|
234 sstr_t *flags = sstrsplit(s, sstr(","), &fln); |
|
235 for(int i=0;i<fln;i++) { |
|
236 sstr_t flag = flags[i]; |
|
237 if(!sstrcmp(flag, sstr("successful_access_flag"))) { |
|
238 ace->flags = ace->flags | ACLCFG_SUCCESSFUL_ACCESS_FLAG; |
|
239 } else if(!sstrcmp(flag, sstr("failed_access_flag"))) { |
|
240 ace->flags = ace->flags | ACLCFG_FAILED_ACCESS_ACE_FLAG; |
|
241 } |
|
242 // TODO: other flags |
|
243 } |
|
244 free(flags); |
|
245 } |
|
246 n++; |
|
247 } |
|
248 |
|
249 if(!complete) { |
|
250 fprintf(stderr, "parse_ace: ace incomplete\n"); |
|
251 return 1; |
|
252 } |
|
253 |
|
254 cur->entries = ucx_list_append(cur->entries, ace); |
|
255 |
|
256 return 0; |
|
257 } |