/* MODULE HTGroup.c * GROUP FILE ROUTINES * * Contains group file parser and routines to match IP * address templates and to find out group membership. * * * AUTHORS: * AL Ari Luotonen luotonen@dxcern.cern.ch * * HISTORY: * * * BUGS: * * * * GROUP DEFINITION GRAMMAR: * * string = "sequence of alphanumeric characters" * user_name ::= string * group_name ::= string * group_ref ::= group_name * user_def ::= user_name | group_ref * user_def_list ::= user_def { ',' user_def } * user_part = user_def | '(' user_def_list ')' * * templ = "sequence of alphanumeric characters and '*'s" * ip_number_mask ::= templ '.' templ '.' templ '.' templ * domain_name_mask ::= templ { '.' templ } * address ::= ip_number_mask | domain_name_mask * address_def ::= address * address_def_list ::= address_def { ',' address_def } * address_part = address_def | '(' address_def_list ')' * * item ::= [user_part] ['@' address_part] * item_list ::= item { ',' item } * group_def ::= item_list * group_decl ::= group_name ':' group_def * */ #include #include #include /* Lexical analysor */ #include /* Implemented here */ #include #include /* * Group file parser */ typedef HTList UserDefList; typedef HTList AddressDefList; typedef struct { UserDefList *user_def_list; AddressDefList *address_def_list; } Item; typedef struct { char *name; GroupDef *translation; } Ref; static void syntax_error(FILE *fp, const char *msg, LexItem lex_item) { char buffer[41]; int cnt = 0; int ch; while ((ch = getc(fp)) != EOF && ch != '\n') if (cnt < 40) buffer[cnt++] = (char) ch; buffer[cnt] = (char) 0; CTRACE((tfp, "%s %d before: '%s'\nHTGroup.c: %s (got %s)\n", "HTGroup.c: Syntax error in rule file at line", HTlex_line, buffer, msg, lex_verbose(lex_item))); HTlex_line++; } static AddressDefList *parse_address_part(FILE *fp) { AddressDefList *address_def_list = NULL; LexItem lex_item; BOOL only_one = NO; lex_item = lex(fp); if (lex_item == LEX_ALPH_STR || lex_item == LEX_TMPL_STR) only_one = YES; else if (lex_item != LEX_OPEN_PAREN || ((lex_item = lex(fp)) != LEX_ALPH_STR && lex_item != LEX_TMPL_STR)) { syntax_error(fp, "Expecting a single address or '(' beginning list", lex_item); return NULL; } address_def_list = HTList_new(); for (;;) { Ref *ref = typecalloc(Ref); if (ref == NULL) outofmem(__FILE__, "parse_address_part"); assert(ref != NULL); ref->name = NULL; ref->translation = NULL; StrAllocCopy(ref->name, HTlex_buffer); HTList_addObject(address_def_list, (void *) ref); if (only_one || (lex_item = lex(fp)) != LEX_ITEM_SEP) break; /* * Here lex_item == LEX_ITEM_SEP; after item separator it * is ok to have one or more newlines (LEX_REC_SEP) and * they are ignored (continuation line). */ do { lex_item = lex(fp); } while (lex_item == LEX_REC_SEP); if (lex_item != LEX_ALPH_STR && lex_item != LEX_TMPL_STR) { syntax_error(fp, "Expecting an address template", lex_item); HTList_delete(address_def_list); address_def_list = NULL; return NULL; } } if (!only_one && lex_item != LEX_CLOSE_PAREN) { HTList_delete(address_def_list); address_def_list = NULL; syntax_error(fp, "Expecting ')' closing address list", lex_item); return NULL; } return address_def_list; } static UserDefList *parse_user_part(FILE *fp) { UserDefList *user_def_list = NULL; LexItem lex_item; BOOL only_one = NO; lex_item = lex(fp); if (lex_item == LEX_ALPH_STR) only_one = YES; else if (lex_item != LEX_OPEN_PAREN || (lex_item = lex(fp)) != LEX_ALPH_STR) { syntax_error(fp, "Expecting a single name or '(' beginning list", lex_item); return NULL; } user_def_list = HTList_new(); for (;;) { Ref *ref = typecalloc(Ref); if (ref == NULL) outofmem(__FILE__, "parse_user_part"); assert(ref != NULL); ref->name = NULL; ref->translation = NULL; StrAllocCopy(ref->name, HTlex_buffer); HTList_addObject(user_def_list, (void *) ref); if (only_one || (lex_item = lex(fp)) != LEX_ITEM_SEP) break; /* * Here lex_item == LEX_ITEM_SEP; after item separator it * is ok to have one or more newlines (LEX_REC_SEP) and * they are ignored (continuation line). */ do { lex_item = lex(fp); } while (lex_item == LEX_REC_SEP); if (lex_item != LEX_ALPH_STR) { syntax_error(fp, "Expecting user or group name", lex_item); HTList_delete(user_def_list); user_def_list = NULL; return NULL; } } if (!only_one && lex_item != LEX_CLOSE_PAREN) { HTList_delete(user_def_list); user_def_list = NULL; syntax_error(fp, "Expecting ')' closing user/group list", lex_item); return NULL; } return user_def_list; } static Item *parse_item(FILE *fp) { Item *item = NULL; UserDefList *user_def_list = NULL; AddressDefList *address_def_list = NULL; LexItem lex_item; lex_item = lex(fp); if (lex_item == LEX_ALPH_STR || lex_item == LEX_OPEN_PAREN) { unlex(lex_item); user_def_list = parse_user_part(fp); lex_item = lex(fp); } if (lex_item == LEX_AT_SIGN) { lex_item = lex(fp); if (lex_item == LEX_ALPH_STR || lex_item == LEX_TMPL_STR || lex_item == LEX_OPEN_PAREN) { unlex(lex_item); address_def_list = parse_address_part(fp); } else { if (user_def_list) { HTList_delete(user_def_list); /* @@@@ */ user_def_list = NULL; } syntax_error(fp, "Expected address part (single address or list)", lex_item); return NULL; } } else unlex(lex_item); if (!user_def_list && !address_def_list) { syntax_error(fp, "Empty item not allowed", lex_item); return NULL; } item = typecalloc(Item); if (item == NULL) outofmem(__FILE__, "parse_item"); assert(item != NULL); item->user_def_list = user_def_list; item->address_def_list = address_def_list; return item; } static ItemList *parse_item_list(FILE *fp) { ItemList *item_list = HTList_new(); Item *item; LexItem lex_item; for (;;) { if (!(item = parse_item(fp))) { HTList_delete(item_list); /* @@@@ */ item_list = NULL; return NULL; } HTList_addObject(item_list, (void *) item); lex_item = lex(fp); if (lex_item != LEX_ITEM_SEP) { unlex(lex_item); return item_list; } /* * Here lex_item == LEX_ITEM_SEP; after item separator it * is ok to have one or more newlines (LEX_REC_SEP) and * they are ignored (continuation line). */ do { lex_item = lex(fp); } while (lex_item == LEX_REC_SEP); unlex(lex_item); } } GroupDef *HTAA_parseGroupDef(FILE *fp) { ItemList *item_list = NULL; GroupDef *group_def = NULL; LexItem lex_item; if (!(item_list = parse_item_list(fp))) { return NULL; } group_def = typecalloc(GroupDef); if (group_def == NULL) outofmem(__FILE__, "HTAA_parseGroupDef"); assert(group_def != NULL); group_def->group_name = NULL; group_def->item_list = item_list; if ((lex_item = lex(fp)) != LEX_REC_SEP) { syntax_error(fp, "Garbage after group definition", lex_item); } return group_def; } #if 0 static GroupDef *parse_group_decl(FILE *fp) { char *group_name = NULL; GroupDef *group_def = NULL; LexItem lex_item; do { lex_item = lex(fp); } while (lex_item == LEX_REC_SEP); /* Ignore empty lines */ if (lex_item != LEX_ALPH_STR) { if (lex_item != LEX_EOF) syntax_error(fp, "Expecting group name", lex_item); return NULL; } StrAllocCopy(group_name, HTlex_buffer); if (LEX_FIELD_SEP != (lex_item = lex(fp))) { syntax_error(fp, "Expecting field separator", lex_item); FREE(group_name); return NULL; } if (!(group_def = HTAA_parseGroupDef(fp))) { FREE(group_name); return NULL; } group_def->group_name = group_name; return group_def; } /* * Group manipulation routines */ static GroupDef *find_group_def(GroupDefList *group_list, const char *group_name) { if (group_list && group_name) { GroupDefList *cur = group_list; GroupDef *group_def; while (NULL != (group_def = (GroupDef *) HTList_nextObject(cur))) { if (!strcmp(group_name, group_def->group_name)) { return group_def; } } } return NULL; } void HTAA_resolveGroupReferences(GroupDef *group_def, GroupDefList *group_def_list) { if (group_def && group_def->item_list && group_def_list) { ItemList *cur1 = group_def->item_list; Item *item; while (NULL != (item = (Item *) HTList_nextObject(cur1))) { UserDefList *cur2 = item->user_def_list; Ref *ref; while (NULL != (ref = (Ref *) HTList_nextObject(cur2))) ref->translation = find_group_def(group_def_list, ref->name); /* Does NOT translate address_def_list */ } } } static void add_group_def(GroupDefList *group_def_list, GroupDef *group_def) { HTAA_resolveGroupReferences(group_def, group_def_list); HTList_addObject(group_def_list, (void *) group_def); } static GroupDefList *parse_group_file(FILE *fp) { GroupDefList *group_def_list = HTList_new(); GroupDef *group_def; while (NULL != (group_def = parse_group_decl(fp))) add_group_def(group_def_list, group_def); return group_def_list; } #endif /* * Trace functions */ static void print_item(Item *item) { if (!item) fprintf(tfp, "\tNULL-ITEM\n"); else { UserDefList *cur1 = item->user_def_list; AddressDefList *cur2 = item->address_def_list; Ref *user_ref = (Ref *) HTList_nextObject(cur1); Ref *addr_ref = (Ref *) HTList_nextObject(cur2); if (user_ref) { fprintf(tfp, "\t[%s%s", user_ref->name, (user_ref->translation ? "*REF*" : "")); while (NULL != (user_ref = (Ref *) HTList_nextObject(cur1))) fprintf(tfp, "; %s%s", user_ref->name, (user_ref->translation ? "*REF*" : "")); fprintf(tfp, "] "); } else fprintf(tfp, "\tANYBODY "); if (addr_ref) { fprintf(tfp, "@ [%s", addr_ref->name); while (NULL != (addr_ref = (Ref *) HTList_nextObject(cur2))) fprintf(tfp, "; %s", addr_ref->name); fprintf(tfp, "]\n"); } else fprintf(tfp, "@ ANYADDRESS\n"); } } static void print_item_list(ItemList *item_list) { ItemList *cur = item_list; Item *item; if (!item_list) fprintf(tfp, "EMPTY"); else while (NULL != (item = (Item *) HTList_nextObject(cur))) print_item(item); } void HTAA_printGroupDef(GroupDef *group_def) { if (!group_def) { fprintf(tfp, "\nNULL RECORD\n"); return; } fprintf(tfp, "\nGroup %s:\n", (group_def->group_name ? group_def->group_name : "NULL")); print_item_list(group_def->item_list); fprintf(tfp, "\n"); } #if 0 static void print_group_def_list(GroupDefList *group_list) { GroupDefList *cur = group_list; GroupDef *group_def; while (NULL != (group_def = (GroupDef *) HTList_nextObject(cur))) HTAA_printGroupDef(group_def); } /* * IP address template matching */ /* static part_match() * MATCH ONE PART OF INET ADDRESS AGAIST * A PART OF MASK (inet address has 4 parts) * ON ENTRY: * tcur pointer to the beginning of template part. * icur pointer to the beginning of actual inet * number part. * * ON EXIT: * returns YES, if match. */ static BOOL part_match(const char *tcur, const char *icur) { char required[4]; char actual[4]; const char *cur; int cnt; BOOL status; if (!tcur || !icur) return NO; cur = tcur; cnt = 0; while (cnt < 3 && *cur && *cur != '.') required[cnt++] = *(cur++); required[cnt] = (char) 0; cur = icur; cnt = 0; while (cnt < 3 && *cur && *cur != '.') actual[cnt++] = *(cur++); actual[cnt] = (char) 0; status = HTAA_templateMatch(required, actual); CTRACE((tfp, "part_match: req: '%s' act: '%s' match: %s\n", required, actual, (status ? "yes" : "no"))); return status; } /* static ip_number_match() * MATCH INET NUMBER AGAINST AN INET NUMBER MASK * ON ENTRY: * template mask to match agaist, e.g., 128.141.*.* * the_inet_addr actual inet address, e.g., 128.141.201.74 * * ON EXIT: * returns YES, if match; NO, if not. */ static BOOL ip_number_match(const char *ctemplate, const char *the_inet_addr) { const char *tcur = ctemplate; const char *icur = the_inet_addr; int cnt; for (cnt = 0; cnt < 4; cnt++) { if (!tcur || !icur || !part_match(tcur, icur)) return NO; if (NULL != (tcur = StrChr(tcur, '.'))) tcur++; if (NULL != (icur = StrChr(icur, '.'))) icur++; } return YES; } /* static is_domain_mask() * DETERMINE IF A GIVEN MASK IS A * DOMAIN NAME MASK OR AN INET NUMBER MASK * ON ENTRY: * mask either a domain name mask, * e.g. * *.cern.ch * * or an inet number mask, * e.g. * 128.141.*.* * * ON EXIT: * returns YES, if mask is a domain name mask. * NO, if it is an inet number mask. */ static BOOL is_domain_mask(const char *mask) { const char *cur = mask; if (!mask) return NO; while (*cur) { if (*cur != '.' && *cur != '*' && (*cur < '0' || *cur > '9')) return YES; /* Even one non-digit makes it a domain name mask */ cur++; } return NO; /* All digits and dots, so it is an inet number mask */ } /* static ip_mask_match() * MATCH AN IP NUMBER MASK OR IP NAME MASK * AGAINST ACTUAL IP NUMBER OR IP NAME * * ON ENTRY: * mask mask. Mask may be either an inet number * mask or a domain name mask, * e.g. * 128.141.*.* * or * *.cern.ch * * ip_number IP number of connecting host. * ip_name IP name of the connecting host. * * ON EXIT: * returns YES, if hostname/internet number * matches the mask. * NO, if no match (no fire). */ static BOOL ip_mask_match(const char *mask, const char *ip_number, const char *ip_name) { if (mask && (ip_number || ip_name)) { if (is_domain_mask(mask)) { if (HTAA_templateMatch(mask, ip_name)) return YES; } else { if (ip_number_match(mask, ip_number)) return YES; } } return NO; } static BOOL ip_in_def_list(AddressDefList *address_def_list, char *ip_number, char *ip_name) { if (address_def_list && (ip_number || ip_name)) { AddressDefList *cur = address_def_list; Ref *ref; while (NULL != (ref = (Ref *) HTList_nextObject(cur))) { /* Value of ref->translation is ignored, i.e., */ /* no recursion for ip address tamplates. */ if (ip_mask_match(ref->name, ip_number, ip_name)) return YES; } } return NO; } /* * Group file cached reading */ typedef struct { char *group_filename; GroupDefList *group_list; } GroupCache; typedef HTList GroupCacheList; static GroupCacheList *group_cache_list = NULL; GroupDefList *HTAA_readGroupFile(const char *filename) { FILE *fp; GroupCache *group_cache; if (isEmpty(filename)) return NULL; if (!group_cache_list) group_cache_list = HTList_new(); else { GroupCacheList *cur = group_cache_list; while (NULL != (group_cache = (GroupCache *) HTList_nextObject(cur))) { if (!strcmp(filename, group_cache->group_filename)) { CTRACE((tfp, "%s '%s' %s\n", "HTAA_readGroupFile: group file", filename, "already found in cache")); return group_cache->group_list; } /* if cache match */ } /* while cached files remain */ } /* cache exists */ CTRACE((tfp, "HTAA_readGroupFile: reading group file `%s'\n", filename)); if (!(fp = fopen(filename, TXT_R))) { CTRACE((tfp, "%s '%s'\n", "HTAA_readGroupFile: unable to open group file", filename)); return NULL; } if ((group_cache = typecalloc(GroupCache)) == 0) outofmem(__FILE__, "HTAA_readGroupFile"); group_cache->group_filename = NULL; StrAllocCopy(group_cache->group_filename, filename); group_cache->group_list = parse_group_file(fp); HTList_addObject(group_cache_list, (void *) group_cache); fclose(fp); CTRACE((tfp, "Read group file '%s', results follow:\n", filename)); if (TRACE) print_group_def_list(group_cache->group_list); return group_cache->group_list; } /* PUBLIC HTAA_userAndInetInGroup() * CHECK IF USER BELONGS TO TO A GIVEN GROUP * AND THAT THE CONNECTION COMES FROM AN * ADDRESS THAT IS ALLOWED BY THAT GROUP * ON ENTRY: * group the group definition structure. * username connecting user. * ip_number browser host IP number, optional. * ip_name browser host IP name, optional. * However, one of ip_number or ip_name * must be given. * ON EXIT: * returns HTAA_IP_MASK, if IP address mask was * reason for failing. * HTAA_NOT_MEMBER, if user does not belong * to the group. * HTAA_OK if both IP address and user are ok. */ HTAAFailReasonType HTAA_userAndInetInGroup(GroupDef *group, char *username, char *ip_number, char *ip_name) { HTAAFailReasonType reason = HTAA_NOT_MEMBER; if (group && username) { ItemList *cur1 = group->item_list; Item *item; while (NULL != (item = (Item *) HTList_nextObject(cur1))) { if (!item->address_def_list || /* Any address allowed */ ip_in_def_list(item->address_def_list, ip_number, ip_name)) { if (!item->user_def_list) /* Any user allowed */ return HTAA_OK; else { UserDefList *cur2 = item->user_def_list; Ref *ref; while (NULL != (ref = (Ref *) HTList_nextObject(cur2))) { if (ref->translation) { /* Group, check recursively */ reason = HTAA_userAndInetInGroup(ref->translation, username, ip_number, ip_name); if (reason == HTAA_OK) return HTAA_OK; } else { /* Username, check directly */ if (username && *username && 0 == strcmp(ref->name, username)) return HTAA_OK; } /* Every user/group name in this group */ } /* search for username */ } /* IP address ok */ } else { reason = HTAA_IP_MASK; } } /* while items in group */ } /* valid parameters */ return reason; /* No match, or invalid parameters */ } void GroupDef_delete(GroupDef *group_def) { if (group_def) { FREE(group_def->group_name); if (group_def->item_list) { HTList_delete(group_def->item_list); /* @@@@ */ group_def->item_list = NULL; } FREE(group_def); } } #endif