1 /* MODULE HTGroup.c
2 * GROUP FILE ROUTINES
3 *
4 * Contains group file parser and routines to match IP
5 * address templates and to find out group membership.
6 *
7 *
8 * AUTHORS:
9 * AL Ari Luotonen luotonen@dxcern.cern.ch
10 *
11 * HISTORY:
12 *
13 *
14 * BUGS:
15 *
16 *
17 *
18 * GROUP DEFINITION GRAMMAR:
19 *
20 * string = "sequence of alphanumeric characters"
21 * user_name ::= string
22 * group_name ::= string
23 * group_ref ::= group_name
24 * user_def ::= user_name | group_ref
25 * user_def_list ::= user_def { ',' user_def }
26 * user_part = user_def | '(' user_def_list ')'
27 *
28 * templ = "sequence of alphanumeric characters and '*'s"
29 * ip_number_mask ::= templ '.' templ '.' templ '.' templ
30 * domain_name_mask ::= templ { '.' templ }
31 * address ::= ip_number_mask | domain_name_mask
32 * address_def ::= address
33 * address_def_list ::= address_def { ',' address_def }
34 * address_part = address_def | '(' address_def_list ')'
35 *
36 * item ::= [user_part] ['@' address_part]
37 * item_list ::= item { ',' item }
38 * group_def ::= item_list
39 * group_decl ::= group_name ':' group_def
40 *
41 */
42
43 #include <HTUtils.h>
44
45 #include <HTAAUtil.h>
46 #include <HTLex.h> /* Lexical analysor */
47 #include <HTGroup.h> /* Implemented here */
48
49 #include <LYUtils.h>
50 #include <LYLeaks.h>
51
52 /*
53 * Group file parser
54 */
55
56 typedef HTList UserDefList;
57 typedef HTList AddressDefList;
58
59 typedef struct {
60 UserDefList *user_def_list;
61 AddressDefList *address_def_list;
62 } Item;
63
64 typedef struct {
65 char *name;
66 GroupDef *translation;
67 } Ref;
68
syntax_error(FILE * fp,const char * msg,LexItem lex_item)69 static void syntax_error(FILE *fp, const char *msg,
70 LexItem lex_item)
71 {
72 char buffer[41];
73 int cnt = 0;
74 int ch;
75
76 while ((ch = getc(fp)) != EOF && ch != '\n')
77 if (cnt < 40)
78 buffer[cnt++] = (char) ch;
79 buffer[cnt] = (char) 0;
80
81 CTRACE((tfp, "%s %d before: '%s'\nHTGroup.c: %s (got %s)\n",
82 "HTGroup.c: Syntax error in rule file at line",
83 HTlex_line, buffer, msg, lex_verbose(lex_item)));
84 HTlex_line++;
85 }
86
parse_address_part(FILE * fp)87 static AddressDefList *parse_address_part(FILE *fp)
88 {
89 AddressDefList *address_def_list = NULL;
90 LexItem lex_item;
91 BOOL only_one = NO;
92
93 lex_item = lex(fp);
94 if (lex_item == LEX_ALPH_STR || lex_item == LEX_TMPL_STR)
95 only_one = YES;
96 else if (lex_item != LEX_OPEN_PAREN ||
97 ((lex_item = lex(fp)) != LEX_ALPH_STR &&
98 lex_item != LEX_TMPL_STR)) {
99 syntax_error(fp, "Expecting a single address or '(' beginning list",
100 lex_item);
101 return NULL;
102 }
103 address_def_list = HTList_new();
104
105 for (;;) {
106 Ref *ref = typecalloc(Ref);
107
108 if (ref == NULL)
109 outofmem(__FILE__, "parse_address_part");
110
111 assert(ref != NULL);
112
113 ref->name = NULL;
114 ref->translation = NULL;
115 StrAllocCopy(ref->name, HTlex_buffer);
116
117 HTList_addObject(address_def_list, (void *) ref);
118
119 if (only_one || (lex_item = lex(fp)) != LEX_ITEM_SEP)
120 break;
121 /*
122 * Here lex_item == LEX_ITEM_SEP; after item separator it
123 * is ok to have one or more newlines (LEX_REC_SEP) and
124 * they are ignored (continuation line).
125 */
126 do {
127 lex_item = lex(fp);
128 } while (lex_item == LEX_REC_SEP);
129
130 if (lex_item != LEX_ALPH_STR && lex_item != LEX_TMPL_STR) {
131 syntax_error(fp, "Expecting an address template", lex_item);
132 HTList_delete(address_def_list);
133 address_def_list = NULL;
134 return NULL;
135 }
136 }
137
138 if (!only_one && lex_item != LEX_CLOSE_PAREN) {
139 HTList_delete(address_def_list);
140 address_def_list = NULL;
141 syntax_error(fp, "Expecting ')' closing address list", lex_item);
142 return NULL;
143 }
144 return address_def_list;
145 }
146
parse_user_part(FILE * fp)147 static UserDefList *parse_user_part(FILE *fp)
148 {
149 UserDefList *user_def_list = NULL;
150 LexItem lex_item;
151 BOOL only_one = NO;
152
153 lex_item = lex(fp);
154 if (lex_item == LEX_ALPH_STR)
155 only_one = YES;
156 else if (lex_item != LEX_OPEN_PAREN ||
157 (lex_item = lex(fp)) != LEX_ALPH_STR) {
158 syntax_error(fp, "Expecting a single name or '(' beginning list",
159 lex_item);
160 return NULL;
161 }
162 user_def_list = HTList_new();
163
164 for (;;) {
165 Ref *ref = typecalloc(Ref);
166
167 if (ref == NULL)
168 outofmem(__FILE__, "parse_user_part");
169
170 assert(ref != NULL);
171
172 ref->name = NULL;
173 ref->translation = NULL;
174 StrAllocCopy(ref->name, HTlex_buffer);
175
176 HTList_addObject(user_def_list, (void *) ref);
177
178 if (only_one || (lex_item = lex(fp)) != LEX_ITEM_SEP)
179 break;
180 /*
181 * Here lex_item == LEX_ITEM_SEP; after item separator it
182 * is ok to have one or more newlines (LEX_REC_SEP) and
183 * they are ignored (continuation line).
184 */
185 do {
186 lex_item = lex(fp);
187 } while (lex_item == LEX_REC_SEP);
188
189 if (lex_item != LEX_ALPH_STR) {
190 syntax_error(fp, "Expecting user or group name", lex_item);
191 HTList_delete(user_def_list);
192 user_def_list = NULL;
193 return NULL;
194 }
195 }
196
197 if (!only_one && lex_item != LEX_CLOSE_PAREN) {
198 HTList_delete(user_def_list);
199 user_def_list = NULL;
200 syntax_error(fp, "Expecting ')' closing user/group list", lex_item);
201 return NULL;
202 }
203 return user_def_list;
204 }
205
parse_item(FILE * fp)206 static Item *parse_item(FILE *fp)
207 {
208 Item *item = NULL;
209 UserDefList *user_def_list = NULL;
210 AddressDefList *address_def_list = NULL;
211 LexItem lex_item;
212
213 lex_item = lex(fp);
214 if (lex_item == LEX_ALPH_STR || lex_item == LEX_OPEN_PAREN) {
215 unlex(lex_item);
216 user_def_list = parse_user_part(fp);
217 lex_item = lex(fp);
218 }
219
220 if (lex_item == LEX_AT_SIGN) {
221 lex_item = lex(fp);
222 if (lex_item == LEX_ALPH_STR || lex_item == LEX_TMPL_STR ||
223 lex_item == LEX_OPEN_PAREN) {
224 unlex(lex_item);
225 address_def_list = parse_address_part(fp);
226 } else {
227 if (user_def_list) {
228 HTList_delete(user_def_list); /* @@@@ */
229 user_def_list = NULL;
230 }
231 syntax_error(fp, "Expected address part (single address or list)",
232 lex_item);
233 return NULL;
234 }
235 } else
236 unlex(lex_item);
237
238 if (!user_def_list && !address_def_list) {
239 syntax_error(fp, "Empty item not allowed", lex_item);
240 return NULL;
241 }
242 item = typecalloc(Item);
243 if (item == NULL)
244 outofmem(__FILE__, "parse_item");
245
246 assert(item != NULL);
247
248 item->user_def_list = user_def_list;
249 item->address_def_list = address_def_list;
250 return item;
251 }
252
parse_item_list(FILE * fp)253 static ItemList *parse_item_list(FILE *fp)
254 {
255 ItemList *item_list = HTList_new();
256 Item *item;
257 LexItem lex_item;
258
259 for (;;) {
260 if (!(item = parse_item(fp))) {
261 HTList_delete(item_list); /* @@@@ */
262 item_list = NULL;
263 return NULL;
264 }
265 HTList_addObject(item_list, (void *) item);
266 lex_item = lex(fp);
267 if (lex_item != LEX_ITEM_SEP) {
268 unlex(lex_item);
269 return item_list;
270 }
271 /*
272 * Here lex_item == LEX_ITEM_SEP; after item separator it
273 * is ok to have one or more newlines (LEX_REC_SEP) and
274 * they are ignored (continuation line).
275 */
276 do {
277 lex_item = lex(fp);
278 } while (lex_item == LEX_REC_SEP);
279 unlex(lex_item);
280 }
281 }
282
HTAA_parseGroupDef(FILE * fp)283 GroupDef *HTAA_parseGroupDef(FILE *fp)
284 {
285 ItemList *item_list = NULL;
286 GroupDef *group_def = NULL;
287 LexItem lex_item;
288
289 if (!(item_list = parse_item_list(fp))) {
290 return NULL;
291 }
292 group_def = typecalloc(GroupDef);
293 if (group_def == NULL)
294 outofmem(__FILE__, "HTAA_parseGroupDef");
295
296 assert(group_def != NULL);
297
298 group_def->group_name = NULL;
299 group_def->item_list = item_list;
300
301 if ((lex_item = lex(fp)) != LEX_REC_SEP) {
302 syntax_error(fp, "Garbage after group definition", lex_item);
303 }
304
305 return group_def;
306 }
307
308 #if 0
309 static GroupDef *parse_group_decl(FILE *fp)
310 {
311 char *group_name = NULL;
312 GroupDef *group_def = NULL;
313 LexItem lex_item;
314
315 do {
316 lex_item = lex(fp);
317 } while (lex_item == LEX_REC_SEP); /* Ignore empty lines */
318
319 if (lex_item != LEX_ALPH_STR) {
320 if (lex_item != LEX_EOF)
321 syntax_error(fp, "Expecting group name", lex_item);
322 return NULL;
323 }
324 StrAllocCopy(group_name, HTlex_buffer);
325
326 if (LEX_FIELD_SEP != (lex_item = lex(fp))) {
327 syntax_error(fp, "Expecting field separator", lex_item);
328 FREE(group_name);
329 return NULL;
330 }
331
332 if (!(group_def = HTAA_parseGroupDef(fp))) {
333 FREE(group_name);
334 return NULL;
335 }
336 group_def->group_name = group_name;
337
338 return group_def;
339 }
340
341 /*
342 * Group manipulation routines
343 */
344
345 static GroupDef *find_group_def(GroupDefList *group_list,
346 const char *group_name)
347 {
348 if (group_list && group_name) {
349 GroupDefList *cur = group_list;
350 GroupDef *group_def;
351
352 while (NULL != (group_def = (GroupDef *) HTList_nextObject(cur))) {
353 if (!strcmp(group_name, group_def->group_name)) {
354 return group_def;
355 }
356 }
357 }
358 return NULL;
359 }
360
361 void HTAA_resolveGroupReferences(GroupDef *group_def,
362 GroupDefList *group_def_list)
363 {
364 if (group_def && group_def->item_list && group_def_list) {
365 ItemList *cur1 = group_def->item_list;
366 Item *item;
367
368 while (NULL != (item = (Item *) HTList_nextObject(cur1))) {
369 UserDefList *cur2 = item->user_def_list;
370 Ref *ref;
371
372 while (NULL != (ref = (Ref *) HTList_nextObject(cur2)))
373 ref->translation = find_group_def(group_def_list, ref->name);
374
375 /* Does NOT translate address_def_list */
376 }
377 }
378 }
379
380 static void add_group_def(GroupDefList *group_def_list,
381 GroupDef *group_def)
382 {
383 HTAA_resolveGroupReferences(group_def, group_def_list);
384 HTList_addObject(group_def_list, (void *) group_def);
385 }
386
387 static GroupDefList *parse_group_file(FILE *fp)
388 {
389 GroupDefList *group_def_list = HTList_new();
390 GroupDef *group_def;
391
392 while (NULL != (group_def = parse_group_decl(fp)))
393 add_group_def(group_def_list, group_def);
394
395 return group_def_list;
396 }
397 #endif
398
399 /*
400 * Trace functions
401 */
402
print_item(Item * item)403 static void print_item(Item *item)
404 {
405 if (!item)
406 fprintf(tfp, "\tNULL-ITEM\n");
407 else {
408 UserDefList *cur1 = item->user_def_list;
409 AddressDefList *cur2 = item->address_def_list;
410 Ref *user_ref = (Ref *) HTList_nextObject(cur1);
411 Ref *addr_ref = (Ref *) HTList_nextObject(cur2);
412
413 if (user_ref) {
414 fprintf(tfp, "\t[%s%s", user_ref->name,
415 (user_ref->translation ? "*REF*" : ""));
416 while (NULL != (user_ref = (Ref *) HTList_nextObject(cur1)))
417 fprintf(tfp, "; %s%s", user_ref->name,
418 (user_ref->translation ? "*REF*" : ""));
419 fprintf(tfp, "] ");
420 } else
421 fprintf(tfp, "\tANYBODY ");
422
423 if (addr_ref) {
424 fprintf(tfp, "@ [%s", addr_ref->name);
425 while (NULL != (addr_ref = (Ref *) HTList_nextObject(cur2)))
426 fprintf(tfp, "; %s", addr_ref->name);
427 fprintf(tfp, "]\n");
428 } else
429 fprintf(tfp, "@ ANYADDRESS\n");
430 }
431 }
432
print_item_list(ItemList * item_list)433 static void print_item_list(ItemList *item_list)
434 {
435 ItemList *cur = item_list;
436 Item *item;
437
438 if (!item_list)
439 fprintf(tfp, "EMPTY");
440 else
441 while (NULL != (item = (Item *) HTList_nextObject(cur)))
442 print_item(item);
443 }
444
HTAA_printGroupDef(GroupDef * group_def)445 void HTAA_printGroupDef(GroupDef *group_def)
446 {
447 if (!group_def) {
448 fprintf(tfp, "\nNULL RECORD\n");
449 return;
450 }
451
452 fprintf(tfp, "\nGroup %s:\n",
453 (group_def->group_name ? group_def->group_name : "NULL"));
454
455 print_item_list(group_def->item_list);
456 fprintf(tfp, "\n");
457 }
458
459 #if 0
460 static void print_group_def_list(GroupDefList *group_list)
461 {
462 GroupDefList *cur = group_list;
463 GroupDef *group_def;
464
465 while (NULL != (group_def = (GroupDef *) HTList_nextObject(cur)))
466 HTAA_printGroupDef(group_def);
467 }
468
469 /*
470 * IP address template matching
471 */
472
473 /* static part_match()
474 * MATCH ONE PART OF INET ADDRESS AGAIST
475 * A PART OF MASK (inet address has 4 parts)
476 * ON ENTRY:
477 * tcur pointer to the beginning of template part.
478 * icur pointer to the beginning of actual inet
479 * number part.
480 *
481 * ON EXIT:
482 * returns YES, if match.
483 */
484 static BOOL part_match(const char *tcur,
485 const char *icur)
486 {
487 char required[4];
488 char actual[4];
489 const char *cur;
490 int cnt;
491 BOOL status;
492
493 if (!tcur || !icur)
494 return NO;
495
496 cur = tcur;
497 cnt = 0;
498 while (cnt < 3 && *cur && *cur != '.')
499 required[cnt++] = *(cur++);
500 required[cnt] = (char) 0;
501
502 cur = icur;
503 cnt = 0;
504 while (cnt < 3 && *cur && *cur != '.')
505 actual[cnt++] = *(cur++);
506 actual[cnt] = (char) 0;
507
508 status = HTAA_templateMatch(required, actual);
509 CTRACE((tfp, "part_match: req: '%s' act: '%s' match: %s\n",
510 required, actual, (status ? "yes" : "no")));
511
512 return status;
513 }
514
515 /* static ip_number_match()
516 * MATCH INET NUMBER AGAINST AN INET NUMBER MASK
517 * ON ENTRY:
518 * template mask to match agaist, e.g., 128.141.*.*
519 * the_inet_addr actual inet address, e.g., 128.141.201.74
520 *
521 * ON EXIT:
522 * returns YES, if match; NO, if not.
523 */
524 static BOOL ip_number_match(const char *ctemplate,
525 const char *the_inet_addr)
526 {
527 const char *tcur = ctemplate;
528 const char *icur = the_inet_addr;
529 int cnt;
530
531 for (cnt = 0; cnt < 4; cnt++) {
532 if (!tcur || !icur || !part_match(tcur, icur))
533 return NO;
534 if (NULL != (tcur = strchr(tcur, '.')))
535 tcur++;
536 if (NULL != (icur = strchr(icur, '.')))
537 icur++;
538 }
539 return YES;
540 }
541
542 /* static is_domain_mask()
543 * DETERMINE IF A GIVEN MASK IS A
544 * DOMAIN NAME MASK OR AN INET NUMBER MASK
545 * ON ENTRY:
546 * mask either a domain name mask,
547 * e.g.
548 * *.cern.ch
549 *
550 * or an inet number mask,
551 * e.g.
552 * 128.141.*.*
553 *
554 * ON EXIT:
555 * returns YES, if mask is a domain name mask.
556 * NO, if it is an inet number mask.
557 */
558 static BOOL is_domain_mask(const char *mask)
559 {
560 const char *cur = mask;
561
562 if (!mask)
563 return NO;
564
565 while (*cur) {
566 if (*cur != '.' && *cur != '*' && (*cur < '0' || *cur > '9'))
567 return YES; /* Even one non-digit makes it a domain name mask */
568 cur++;
569 }
570 return NO; /* All digits and dots, so it is an inet number mask */
571 }
572
573 /* static ip_mask_match()
574 * MATCH AN IP NUMBER MASK OR IP NAME MASK
575 * AGAINST ACTUAL IP NUMBER OR IP NAME
576 *
577 * ON ENTRY:
578 * mask mask. Mask may be either an inet number
579 * mask or a domain name mask,
580 * e.g.
581 * 128.141.*.*
582 * or
583 * *.cern.ch
584 *
585 * ip_number IP number of connecting host.
586 * ip_name IP name of the connecting host.
587 *
588 * ON EXIT:
589 * returns YES, if hostname/internet number
590 * matches the mask.
591 * NO, if no match (no fire).
592 */
593 static BOOL ip_mask_match(const char *mask,
594 const char *ip_number,
595 const char *ip_name)
596 {
597 if (mask && (ip_number || ip_name)) {
598 if (is_domain_mask(mask)) {
599 if (HTAA_templateMatch(mask, ip_name))
600 return YES;
601 } else {
602 if (ip_number_match(mask, ip_number))
603 return YES;
604 }
605 }
606 return NO;
607 }
608
609 static BOOL ip_in_def_list(AddressDefList *address_def_list,
610 char *ip_number,
611 char *ip_name)
612 {
613 if (address_def_list && (ip_number || ip_name)) {
614 AddressDefList *cur = address_def_list;
615 Ref *ref;
616
617 while (NULL != (ref = (Ref *) HTList_nextObject(cur))) {
618 /* Value of ref->translation is ignored, i.e., */
619 /* no recursion for ip address tamplates. */
620 if (ip_mask_match(ref->name, ip_number, ip_name))
621 return YES;
622 }
623 }
624 return NO;
625 }
626
627 /*
628 * Group file cached reading
629 */
630
631 typedef struct {
632 char *group_filename;
633 GroupDefList *group_list;
634 } GroupCache;
635
636 typedef HTList GroupCacheList;
637
638 static GroupCacheList *group_cache_list = NULL;
639
640 GroupDefList *HTAA_readGroupFile(const char *filename)
641 {
642 FILE *fp;
643 GroupCache *group_cache;
644
645 if (isEmpty(filename))
646 return NULL;
647
648 if (!group_cache_list)
649 group_cache_list = HTList_new();
650 else {
651 GroupCacheList *cur = group_cache_list;
652
653 while (NULL != (group_cache = (GroupCache *) HTList_nextObject(cur))) {
654 if (!strcmp(filename, group_cache->group_filename)) {
655 CTRACE((tfp, "%s '%s' %s\n",
656 "HTAA_readGroupFile: group file",
657 filename, "already found in cache"));
658 return group_cache->group_list;
659 } /* if cache match */
660 } /* while cached files remain */
661 } /* cache exists */
662
663 CTRACE((tfp, "HTAA_readGroupFile: reading group file `%s'\n",
664 filename));
665
666 if (!(fp = fopen(filename, TXT_R))) {
667 CTRACE((tfp, "%s '%s'\n",
668 "HTAA_readGroupFile: unable to open group file",
669 filename));
670 return NULL;
671 }
672
673 if ((group_cache = typecalloc(GroupCache)) == 0)
674 outofmem(__FILE__, "HTAA_readGroupFile");
675
676 group_cache->group_filename = NULL;
677 StrAllocCopy(group_cache->group_filename, filename);
678 group_cache->group_list = parse_group_file(fp);
679 HTList_addObject(group_cache_list, (void *) group_cache);
680 fclose(fp);
681
682 CTRACE((tfp, "Read group file '%s', results follow:\n", filename));
683 if (TRACE)
684 print_group_def_list(group_cache->group_list);
685
686 return group_cache->group_list;
687 }
688
689 /* PUBLIC HTAA_userAndInetInGroup()
690 * CHECK IF USER BELONGS TO TO A GIVEN GROUP
691 * AND THAT THE CONNECTION COMES FROM AN
692 * ADDRESS THAT IS ALLOWED BY THAT GROUP
693 * ON ENTRY:
694 * group the group definition structure.
695 * username connecting user.
696 * ip_number browser host IP number, optional.
697 * ip_name browser host IP name, optional.
698 * However, one of ip_number or ip_name
699 * must be given.
700 * ON EXIT:
701 * returns HTAA_IP_MASK, if IP address mask was
702 * reason for failing.
703 * HTAA_NOT_MEMBER, if user does not belong
704 * to the group.
705 * HTAA_OK if both IP address and user are ok.
706 */
707 HTAAFailReasonType HTAA_userAndInetInGroup(GroupDef *group,
708 char *username,
709 char *ip_number,
710 char *ip_name)
711 {
712 HTAAFailReasonType reason = HTAA_NOT_MEMBER;
713
714 if (group && username) {
715 ItemList *cur1 = group->item_list;
716 Item *item;
717
718 while (NULL != (item = (Item *) HTList_nextObject(cur1))) {
719 if (!item->address_def_list || /* Any address allowed */
720 ip_in_def_list(item->address_def_list, ip_number, ip_name)) {
721
722 if (!item->user_def_list) /* Any user allowed */
723 return HTAA_OK;
724 else {
725 UserDefList *cur2 = item->user_def_list;
726 Ref *ref;
727
728 while (NULL != (ref = (Ref *) HTList_nextObject(cur2))) {
729
730 if (ref->translation) { /* Group, check recursively */
731 reason = HTAA_userAndInetInGroup(ref->translation,
732 username,
733 ip_number, ip_name);
734 if (reason == HTAA_OK)
735 return HTAA_OK;
736 } else { /* Username, check directly */
737 if (username && *username &&
738 0 == strcmp(ref->name, username))
739 return HTAA_OK;
740 }
741 /* Every user/group name in this group */
742 }
743 /* search for username */
744 }
745 /* IP address ok */
746 } else {
747 reason = HTAA_IP_MASK;
748 }
749 } /* while items in group */
750 }
751 /* valid parameters */
752 return reason; /* No match, or invalid parameters */
753 }
754
755 void GroupDef_delete(GroupDef *group_def)
756 {
757 if (group_def) {
758 FREE(group_def->group_name);
759 if (group_def->item_list) {
760 HTList_delete(group_def->item_list); /* @@@@ */
761 group_def->item_list = NULL;
762 }
763 FREE(group_def);
764 }
765 }
766 #endif
767