1 /*
2 * SPDX-License-Identifier: ISC
3 *
4 * Copyright (c) 2020 Robert Manner <robert.manner@oneidentity.com>
5 *
6 * Permission to use, copy, modify, and distribute this software for any
7 * purpose with or without fee is hereby granted, provided that the above
8 * copyright notice and this permission notice appear in all copies.
9 *
10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 */
18
19 /*
20 * This is an open source non-commercial project. Dear PVS-Studio, please check it.
21 * PVS-Studio Static Code Analyzer for C, C++ and C#: http://www.viva64.com
22 */
23
24 #include "python_plugin_common.h"
25
26 struct ApprovalPluginContext
27 {
28 struct PluginContext base_ctx;
29 struct approval_plugin *plugin;
30 };
31
32 #define BASE_CTX(approval_ctx) (&(approval_ctx->base_ctx))
33
34 #define PY_APPROVAL_PLUGIN_VERSION SUDO_API_MKVERSION(1, 0)
35
36 #define CALLBACK_PLUGINFUNC(func_name) approval_ctx->plugin->func_name
37
38 // This also verifies compile time that the name matches the sudo plugin API.
39 #define CALLBACK_PYNAME(func_name) ((void)CALLBACK_PLUGINFUNC(func_name), #func_name)
40
41
42 static int
python_plugin_approval_open(struct ApprovalPluginContext * approval_ctx,unsigned int version,sudo_conv_t conversation,sudo_printf_t sudo_printf,char * const settings[],char * const user_info[],int submit_optind,char * const submit_argv[],char * const submit_envp[],char * const plugin_options[],const char ** errstr)43 python_plugin_approval_open(struct ApprovalPluginContext *approval_ctx,
44 unsigned int version, sudo_conv_t conversation, sudo_printf_t sudo_printf,
45 char * const settings[], char * const user_info[], int submit_optind,
46 char * const submit_argv[], char * const submit_envp[],
47 char * const plugin_options[], const char **errstr)
48 {
49 debug_decl(python_plugin_approval_open, PYTHON_DEBUG_CALLBACKS);
50 (void) version;
51
52 int rc = python_plugin_register_logging(conversation, sudo_printf, settings);
53 if (rc != SUDO_RC_OK) {
54 debug_return_int(rc);
55 }
56
57 struct PluginContext *plugin_ctx = BASE_CTX(approval_ctx);
58
59 rc = python_plugin_init(plugin_ctx, plugin_options, version);
60 if (rc != SUDO_RC_OK) {
61 debug_return_int(rc);
62 }
63
64 PyObject *py_kwargs = NULL, *py_submit_optind = NULL,
65 *py_submit_argv = NULL;
66
67 if ((py_kwargs = python_plugin_construct_args(version, settings, user_info,
68 submit_envp, plugin_options)) == NULL ||
69 (py_submit_optind = PyLong_FromLong(submit_optind)) == NULL ||
70 (py_submit_argv = py_str_array_to_tuple(submit_argv)) == NULL)
71 {
72 py_log_last_error("Failed to construct plugin instance");
73 rc = SUDO_RC_ERROR;
74 } else {
75 PyDict_SetItemString(py_kwargs, "submit_optind", py_submit_optind);
76 PyDict_SetItemString(py_kwargs, "submit_argv", py_submit_argv);
77
78 rc = python_plugin_construct_custom(plugin_ctx, py_kwargs);
79 CALLBACK_SET_ERROR(plugin_ctx, errstr);
80 }
81
82 Py_CLEAR(py_kwargs);
83 Py_CLEAR(py_submit_argv);
84 Py_CLEAR(py_submit_optind);
85
86 if (rc != SUDO_RC_OK) {
87 debug_return_int(rc);
88 }
89
90 debug_return_int(rc);
91 }
92
93 static void
python_plugin_approval_close(struct ApprovalPluginContext * approval_ctx)94 python_plugin_approval_close(struct ApprovalPluginContext *approval_ctx)
95 {
96 debug_decl(python_plugin_approval_close, PYTHON_DEBUG_CALLBACKS);
97
98 struct PluginContext *plugin_ctx = BASE_CTX(approval_ctx);
99 PyThreadState_Swap(plugin_ctx->py_interpreter);
100 python_plugin_deinit(plugin_ctx);
101
102 debug_return;
103 }
104
105 static int
python_plugin_approval_check(struct ApprovalPluginContext * approval_ctx,char * const command_info[],char * const run_argv[],char * const run_envp[],const char ** errstr)106 python_plugin_approval_check(struct ApprovalPluginContext *approval_ctx,
107 char * const command_info[], char * const run_argv[],
108 char * const run_envp[], const char **errstr)
109 {
110 debug_decl(python_plugin_approval_check, PYTHON_DEBUG_CALLBACKS);
111
112 struct PluginContext *plugin_ctx = BASE_CTX(approval_ctx);
113
114 PyObject *py_command_info = NULL, *py_run_argv = NULL, *py_run_envp = NULL,
115 *py_args = NULL;
116
117 int rc = SUDO_RC_ERROR;
118 if ((py_command_info = py_str_array_to_tuple(command_info)) != NULL &&
119 (py_run_argv = py_str_array_to_tuple(run_argv)) != NULL &&
120 (py_run_envp = py_str_array_to_tuple(run_envp)) != NULL)
121 {
122 py_args = Py_BuildValue("(OOO)", py_command_info, py_run_argv, py_run_envp);
123 }
124
125 // Note, py_args gets cleared by api_rc_call
126 rc = python_plugin_api_rc_call(plugin_ctx, CALLBACK_PYNAME(check), py_args);
127 CALLBACK_SET_ERROR(plugin_ctx, errstr);
128
129 Py_CLEAR(py_command_info);
130 Py_CLEAR(py_run_argv);
131 Py_CLEAR(py_run_envp);
132
133 debug_return_int(rc);
134 }
135
136 int
python_plugin_approval_show_version(struct ApprovalPluginContext * approval_ctx,int verbose)137 python_plugin_approval_show_version(struct ApprovalPluginContext *approval_ctx, int verbose)
138 {
139 debug_decl(python_plugin_approval_show_version, PYTHON_DEBUG_CALLBACKS);
140
141 struct PluginContext *plugin_ctx = BASE_CTX(approval_ctx);
142 PyThreadState_Swap(plugin_ctx->py_interpreter);
143
144 debug_return_int(python_plugin_show_version(plugin_ctx,
145 CALLBACK_PYNAME(show_version), verbose, PY_APPROVAL_PLUGIN_VERSION, "approval"));
146 }
147
148 sudo_dso_public struct approval_plugin python_approval;
149
150 // generate symbols for loading multiple approval plugins:
151 #define APPROVAL_SYMBOL_NAME(symbol) symbol
152 #include "python_plugin_approval_multi.inc"
153 #define APPROVAL_SYMBOL_NAME(symbol) symbol##1
154 #include "python_plugin_approval_multi.inc"
155 #define APPROVAL_SYMBOL_NAME(symbol) symbol##2
156 #include "python_plugin_approval_multi.inc"
157 #define APPROVAL_SYMBOL_NAME(symbol) symbol##3
158 #include "python_plugin_approval_multi.inc"
159 #define APPROVAL_SYMBOL_NAME(symbol) symbol##4
160 #include "python_plugin_approval_multi.inc"
161 #define APPROVAL_SYMBOL_NAME(symbol) symbol##5
162 #include "python_plugin_approval_multi.inc"
163 #define APPROVAL_SYMBOL_NAME(symbol) symbol##6
164 #include "python_plugin_approval_multi.inc"
165 #define APPROVAL_SYMBOL_NAME(symbol) symbol##7
166 #include "python_plugin_approval_multi.inc"
167
168 static struct approval_plugin *extra_approval_plugins[] = {
169 &python_approval1,
170 &python_approval2,
171 &python_approval3,
172 &python_approval4,
173 &python_approval5,
174 &python_approval6,
175 &python_approval7
176 };
177
178 sudo_dso_public struct approval_plugin *
python_approval_clone(void)179 python_approval_clone(void)
180 {
181 static size_t counter = 0;
182 struct approval_plugin *next_plugin = NULL;
183
184 size_t max = sizeof(extra_approval_plugins) / sizeof(*extra_approval_plugins);
185 if (counter < max) {
186 next_plugin = extra_approval_plugins[counter];
187 ++counter;
188 } else if (counter == max) {
189 ++counter;
190 py_sudo_log(SUDO_CONV_ERROR_MSG,
191 "sudo: loading more than %d sudo python approval plugins is not supported\n", counter);
192 }
193
194 return next_plugin;
195 }
196