1 /* MODULE HTGroup.c
2 * GROUP FILE ROUTINES
3 *
4 * Contains group file parser and routines to match IP
5 * address templates and to find out group membership.
6 *
7 *
8 * AUTHORS:
9 * AL Ari Luotonen luotonen@dxcern.cern.ch
10 *
11 * HISTORY:
12 *
13 *
14 * BUGS:
15 *
16 *
17 *
18 * GROUP DEFINITION GRAMMAR:
19 *
20 * string = "sequence of alphanumeric characters"
21 * user_name ::= string
22 * group_name ::= string
23 * group_ref ::= group_name
24 * user_def ::= user_name | group_ref
25 * user_def_list ::= user_def { ',' user_def }
26 * user_part = user_def | '(' user_def_list ')'
27 *
28 * templ = "sequence of alphanumeric characters and '*'s"
29 * ip_number_mask ::= templ '.' templ '.' templ '.' templ
30 * domain_name_mask ::= templ { '.' templ }
31 * address ::= ip_number_mask | domain_name_mask
32 * address_def ::= address
33 * address_def_list ::= address_def { ',' address_def }
34 * address_part = address_def | '(' address_def_list ')'
35 *
36 * item ::= [user_part] ['@' address_part]
37 * item_list ::= item { ',' item }
38 * group_def ::= item_list
39 * group_decl ::= group_name ':' group_def
40 *
41 */
42
43 #include <HTUtils.h>
44
45 #include <HTAAUtil.h>
46 #include <HTLex.h> /* Lexical analysor */
47 #include <HTGroup.h> /* Implemented here */
48
49 #include <LYUtils.h>
50 #include <LYLeaks.h>
51
52 /*
53 * Group file parser
54 */
55
56 typedef HTList UserDefList;
57 typedef HTList AddressDefList;
58
59 typedef struct {
60 UserDefList *user_def_list;
61 AddressDefList *address_def_list;
62 } Item;
63
64 typedef struct {
65 char *name;
66 GroupDef *translation;
67 } Ref;
68
syntax_error(FILE * fp,const char * msg,LexItem lex_item)69 static void syntax_error(FILE *fp, const char *msg,
70 LexItem lex_item)
71 {
72 char buffer[41];
73 int cnt = 0;
74 int ch;
75
76 while ((ch = getc(fp)) != EOF && ch != '\n')
77 if (cnt < 40)
78 buffer[cnt++] = (char) ch;
79 buffer[cnt] = (char) 0;
80
81 CTRACE((tfp, "%s %d before: '%s'\nHTGroup.c: %s (got %s)\n",
82 "HTGroup.c: Syntax error in rule file at line",
83 HTlex_line, buffer, msg, lex_verbose(lex_item)));
84 HTlex_line++;
85 }
86
parse_address_part(FILE * fp)87 static AddressDefList *parse_address_part(FILE *fp)
88 {
89 AddressDefList *address_def_list = NULL;
90 LexItem lex_item;
91 BOOL only_one = NO;
92
93 lex_item = lex(fp);
94 if (lex_item == LEX_ALPH_STR || lex_item == LEX_TMPL_STR)
95 only_one = YES;
96 else if (lex_item != LEX_OPEN_PAREN ||
97 ((lex_item = lex(fp)) != LEX_ALPH_STR &&
98 lex_item != LEX_TMPL_STR)) {
99 syntax_error(fp, "Expecting a single address or '(' beginning list",
100 lex_item);
101 return NULL;
102 }
103 address_def_list = HTList_new();
104
105 for (;;) {
106 Ref *ref = typecalloc(Ref);
107
108 if (ref == NULL)
109 outofmem(__FILE__, "parse_address_part");
110
111 ref->name = NULL;
112 ref->translation = NULL;
113 StrAllocCopy(ref->name, HTlex_buffer);
114
115 HTList_addObject(address_def_list, (void *) ref);
116
117 if (only_one || (lex_item = lex(fp)) != LEX_ITEM_SEP)
118 break;
119 /*
120 * Here lex_item == LEX_ITEM_SEP; after item separator it
121 * is ok to have one or more newlines (LEX_REC_SEP) and
122 * they are ignored (continuation line).
123 */
124 do {
125 lex_item = lex(fp);
126 } while (lex_item == LEX_REC_SEP);
127
128 if (lex_item != LEX_ALPH_STR && lex_item != LEX_TMPL_STR) {
129 syntax_error(fp, "Expecting an address template", lex_item);
130 HTList_delete(address_def_list);
131 address_def_list = NULL;
132 return NULL;
133 }
134 }
135
136 if (!only_one && lex_item != LEX_CLOSE_PAREN) {
137 HTList_delete(address_def_list);
138 address_def_list = NULL;
139 syntax_error(fp, "Expecting ')' closing address list", lex_item);
140 return NULL;
141 }
142 return address_def_list;
143 }
144
parse_user_part(FILE * fp)145 static UserDefList *parse_user_part(FILE *fp)
146 {
147 UserDefList *user_def_list = NULL;
148 LexItem lex_item;
149 BOOL only_one = NO;
150
151 lex_item = lex(fp);
152 if (lex_item == LEX_ALPH_STR)
153 only_one = YES;
154 else if (lex_item != LEX_OPEN_PAREN ||
155 (lex_item = lex(fp)) != LEX_ALPH_STR) {
156 syntax_error(fp, "Expecting a single name or '(' beginning list",
157 lex_item);
158 return NULL;
159 }
160 user_def_list = HTList_new();
161
162 for (;;) {
163 Ref *ref = typecalloc(Ref);
164
165 if (ref == NULL)
166 outofmem(__FILE__, "parse_user_part");
167
168 ref->name = NULL;
169 ref->translation = NULL;
170 StrAllocCopy(ref->name, HTlex_buffer);
171
172 HTList_addObject(user_def_list, (void *) ref);
173
174 if (only_one || (lex_item = lex(fp)) != LEX_ITEM_SEP)
175 break;
176 /*
177 * Here lex_item == LEX_ITEM_SEP; after item separator it
178 * is ok to have one or more newlines (LEX_REC_SEP) and
179 * they are ignored (continuation line).
180 */
181 do {
182 lex_item = lex(fp);
183 } while (lex_item == LEX_REC_SEP);
184
185 if (lex_item != LEX_ALPH_STR) {
186 syntax_error(fp, "Expecting user or group name", lex_item);
187 HTList_delete(user_def_list);
188 user_def_list = NULL;
189 return NULL;
190 }
191 }
192
193 if (!only_one && lex_item != LEX_CLOSE_PAREN) {
194 HTList_delete(user_def_list);
195 user_def_list = NULL;
196 syntax_error(fp, "Expecting ')' closing user/group list", lex_item);
197 return NULL;
198 }
199 return user_def_list;
200 }
201
parse_item(FILE * fp)202 static Item *parse_item(FILE *fp)
203 {
204 Item *item = NULL;
205 UserDefList *user_def_list = NULL;
206 AddressDefList *address_def_list = NULL;
207 LexItem lex_item;
208
209 lex_item = lex(fp);
210 if (lex_item == LEX_ALPH_STR || lex_item == LEX_OPEN_PAREN) {
211 unlex(lex_item);
212 user_def_list = parse_user_part(fp);
213 lex_item = lex(fp);
214 }
215
216 if (lex_item == LEX_AT_SIGN) {
217 lex_item = lex(fp);
218 if (lex_item == LEX_ALPH_STR || lex_item == LEX_TMPL_STR ||
219 lex_item == LEX_OPEN_PAREN) {
220 unlex(lex_item);
221 address_def_list = parse_address_part(fp);
222 } else {
223 if (user_def_list) {
224 HTList_delete(user_def_list); /* @@@@ */
225 user_def_list = NULL;
226 }
227 syntax_error(fp, "Expected address part (single address or list)",
228 lex_item);
229 return NULL;
230 }
231 } else
232 unlex(lex_item);
233
234 if (!user_def_list && !address_def_list) {
235 syntax_error(fp, "Empty item not allowed", lex_item);
236 return NULL;
237 }
238 item = typecalloc(Item);
239 if (item == NULL)
240 outofmem(__FILE__, "parse_item");
241
242 item->user_def_list = user_def_list;
243 item->address_def_list = address_def_list;
244 return item;
245 }
246
parse_item_list(FILE * fp)247 static ItemList *parse_item_list(FILE *fp)
248 {
249 ItemList *item_list = HTList_new();
250 Item *item;
251 LexItem lex_item;
252
253 for (;;) {
254 if (!(item = parse_item(fp))) {
255 HTList_delete(item_list); /* @@@@ */
256 item_list = NULL;
257 return NULL;
258 }
259 HTList_addObject(item_list, (void *) item);
260 lex_item = lex(fp);
261 if (lex_item != LEX_ITEM_SEP) {
262 unlex(lex_item);
263 return item_list;
264 }
265 /*
266 * Here lex_item == LEX_ITEM_SEP; after item separator it
267 * is ok to have one or more newlines (LEX_REC_SEP) and
268 * they are ignored (continuation line).
269 */
270 do {
271 lex_item = lex(fp);
272 } while (lex_item == LEX_REC_SEP);
273 unlex(lex_item);
274 }
275 }
276
HTAA_parseGroupDef(FILE * fp)277 GroupDef *HTAA_parseGroupDef(FILE *fp)
278 {
279 ItemList *item_list = NULL;
280 GroupDef *group_def = NULL;
281 LexItem lex_item;
282
283 if (!(item_list = parse_item_list(fp))) {
284 return NULL;
285 }
286 group_def = typecalloc(GroupDef);
287 if (group_def == NULL)
288 outofmem(__FILE__, "HTAA_parseGroupDef");
289
290 group_def->group_name = NULL;
291 group_def->item_list = item_list;
292
293 if ((lex_item = lex(fp)) != LEX_REC_SEP) {
294 syntax_error(fp, "Garbage after group definition", lex_item);
295 }
296
297 return group_def;
298 }
299
300 #if 0
301 static GroupDef *parse_group_decl(FILE *fp)
302 {
303 char *group_name = NULL;
304 GroupDef *group_def = NULL;
305 LexItem lex_item;
306
307 do {
308 lex_item = lex(fp);
309 } while (lex_item == LEX_REC_SEP); /* Ignore empty lines */
310
311 if (lex_item != LEX_ALPH_STR) {
312 if (lex_item != LEX_EOF)
313 syntax_error(fp, "Expecting group name", lex_item);
314 return NULL;
315 }
316 StrAllocCopy(group_name, HTlex_buffer);
317
318 if (LEX_FIELD_SEP != (lex_item = lex(fp))) {
319 syntax_error(fp, "Expecting field separator", lex_item);
320 FREE(group_name);
321 return NULL;
322 }
323
324 if (!(group_def = HTAA_parseGroupDef(fp))) {
325 FREE(group_name);
326 return NULL;
327 }
328 group_def->group_name = group_name;
329
330 return group_def;
331 }
332
333 /*
334 * Group manipulation routines
335 */
336
337 static GroupDef *find_group_def(GroupDefList *group_list,
338 const char *group_name)
339 {
340 if (group_list && group_name) {
341 GroupDefList *cur = group_list;
342 GroupDef *group_def;
343
344 while (NULL != (group_def = (GroupDef *) HTList_nextObject(cur))) {
345 if (!strcmp(group_name, group_def->group_name)) {
346 return group_def;
347 }
348 }
349 }
350 return NULL;
351 }
352
353 void HTAA_resolveGroupReferences(GroupDef *group_def,
354 GroupDefList *group_def_list)
355 {
356 if (group_def && group_def->item_list && group_def_list) {
357 ItemList *cur1 = group_def->item_list;
358 Item *item;
359
360 while (NULL != (item = (Item *) HTList_nextObject(cur1))) {
361 UserDefList *cur2 = item->user_def_list;
362 Ref *ref;
363
364 while (NULL != (ref = (Ref *) HTList_nextObject(cur2)))
365 ref->translation = find_group_def(group_def_list, ref->name);
366
367 /* Does NOT translate address_def_list */
368 }
369 }
370 }
371
372 static void add_group_def(GroupDefList *group_def_list,
373 GroupDef *group_def)
374 {
375 HTAA_resolveGroupReferences(group_def, group_def_list);
376 HTList_addObject(group_def_list, (void *) group_def);
377 }
378
379 static GroupDefList *parse_group_file(FILE *fp)
380 {
381 GroupDefList *group_def_list = HTList_new();
382 GroupDef *group_def;
383
384 while (NULL != (group_def = parse_group_decl(fp)))
385 add_group_def(group_def_list, group_def);
386
387 return group_def_list;
388 }
389 #endif
390
391 /*
392 * Trace functions
393 */
394
print_item(Item * item)395 static void print_item(Item *item)
396 {
397 if (!item)
398 fprintf(tfp, "\tNULL-ITEM\n");
399 else {
400 UserDefList *cur1 = item->user_def_list;
401 AddressDefList *cur2 = item->address_def_list;
402 Ref *user_ref = (Ref *) HTList_nextObject(cur1);
403 Ref *addr_ref = (Ref *) HTList_nextObject(cur2);
404
405 if (user_ref) {
406 fprintf(tfp, "\t[%s%s", user_ref->name,
407 (user_ref->translation ? "*REF*" : ""));
408 while (NULL != (user_ref = (Ref *) HTList_nextObject(cur1)))
409 fprintf(tfp, "; %s%s", user_ref->name,
410 (user_ref->translation ? "*REF*" : ""));
411 fprintf(tfp, "] ");
412 } else
413 fprintf(tfp, "\tANYBODY ");
414
415 if (addr_ref) {
416 fprintf(tfp, "@ [%s", addr_ref->name);
417 while (NULL != (addr_ref = (Ref *) HTList_nextObject(cur2)))
418 fprintf(tfp, "; %s", addr_ref->name);
419 fprintf(tfp, "]\n");
420 } else
421 fprintf(tfp, "@ ANYADDRESS\n");
422 }
423 }
424
print_item_list(ItemList * item_list)425 static void print_item_list(ItemList *item_list)
426 {
427 ItemList *cur = item_list;
428 Item *item;
429
430 if (!item_list)
431 fprintf(tfp, "EMPTY");
432 else
433 while (NULL != (item = (Item *) HTList_nextObject(cur)))
434 print_item(item);
435 }
436
HTAA_printGroupDef(GroupDef * group_def)437 void HTAA_printGroupDef(GroupDef *group_def)
438 {
439 if (!group_def) {
440 fprintf(tfp, "\nNULL RECORD\n");
441 return;
442 }
443
444 fprintf(tfp, "\nGroup %s:\n",
445 (group_def->group_name ? group_def->group_name : "NULL"));
446
447 print_item_list(group_def->item_list);
448 fprintf(tfp, "\n");
449 }
450
451 #if 0
452 static void print_group_def_list(GroupDefList *group_list)
453 {
454 GroupDefList *cur = group_list;
455 GroupDef *group_def;
456
457 while (NULL != (group_def = (GroupDef *) HTList_nextObject(cur)))
458 HTAA_printGroupDef(group_def);
459 }
460
461 /*
462 * IP address template matching
463 */
464
465 /* static part_match()
466 * MATCH ONE PART OF INET ADDRESS AGAIST
467 * A PART OF MASK (inet address has 4 parts)
468 * ON ENTRY:
469 * tcur pointer to the beginning of template part.
470 * icur pointer to the beginning of actual inet
471 * number part.
472 *
473 * ON EXIT:
474 * returns YES, if match.
475 */
476 static BOOL part_match(const char *tcur,
477 const char *icur)
478 {
479 char required[4];
480 char actual[4];
481 const char *cur;
482 int cnt;
483 BOOL status;
484
485 if (!tcur || !icur)
486 return NO;
487
488 cur = tcur;
489 cnt = 0;
490 while (cnt < 3 && *cur && *cur != '.')
491 required[cnt++] = *(cur++);
492 required[cnt] = (char) 0;
493
494 cur = icur;
495 cnt = 0;
496 while (cnt < 3 && *cur && *cur != '.')
497 actual[cnt++] = *(cur++);
498 actual[cnt] = (char) 0;
499
500 status = HTAA_templateMatch(required, actual);
501 CTRACE((tfp, "part_match: req: '%s' act: '%s' match: %s\n",
502 required, actual, (status ? "yes" : "no")));
503
504 return status;
505 }
506
507 /* static ip_number_match()
508 * MATCH INET NUMBER AGAINST AN INET NUMBER MASK
509 * ON ENTRY:
510 * template mask to match agaist, e.g., 128.141.*.*
511 * the_inet_addr actual inet address, e.g., 128.141.201.74
512 *
513 * ON EXIT:
514 * returns YES, if match; NO, if not.
515 */
516 static BOOL ip_number_match(const char *ctemplate,
517 const char *the_inet_addr)
518 {
519 const char *tcur = ctemplate;
520 const char *icur = the_inet_addr;
521 int cnt;
522
523 for (cnt = 0; cnt < 4; cnt++) {
524 if (!tcur || !icur || !part_match(tcur, icur))
525 return NO;
526 if (NULL != (tcur = StrChr(tcur, '.')))
527 tcur++;
528 if (NULL != (icur = StrChr(icur, '.')))
529 icur++;
530 }
531 return YES;
532 }
533
534 /* static is_domain_mask()
535 * DETERMINE IF A GIVEN MASK IS A
536 * DOMAIN NAME MASK OR AN INET NUMBER MASK
537 * ON ENTRY:
538 * mask either a domain name mask,
539 * e.g.
540 * *.cern.ch
541 *
542 * or an inet number mask,
543 * e.g.
544 * 128.141.*.*
545 *
546 * ON EXIT:
547 * returns YES, if mask is a domain name mask.
548 * NO, if it is an inet number mask.
549 */
550 static BOOL is_domain_mask(const char *mask)
551 {
552 const char *cur = mask;
553
554 if (!mask)
555 return NO;
556
557 while (*cur) {
558 if (*cur != '.' && *cur != '*' && (*cur < '0' || *cur > '9'))
559 return YES; /* Even one non-digit makes it a domain name mask */
560 cur++;
561 }
562 return NO; /* All digits and dots, so it is an inet number mask */
563 }
564
565 /* static ip_mask_match()
566 * MATCH AN IP NUMBER MASK OR IP NAME MASK
567 * AGAINST ACTUAL IP NUMBER OR IP NAME
568 *
569 * ON ENTRY:
570 * mask mask. Mask may be either an inet number
571 * mask or a domain name mask,
572 * e.g.
573 * 128.141.*.*
574 * or
575 * *.cern.ch
576 *
577 * ip_number IP number of connecting host.
578 * ip_name IP name of the connecting host.
579 *
580 * ON EXIT:
581 * returns YES, if hostname/internet number
582 * matches the mask.
583 * NO, if no match (no fire).
584 */
585 static BOOL ip_mask_match(const char *mask,
586 const char *ip_number,
587 const char *ip_name)
588 {
589 if (mask && (ip_number || ip_name)) {
590 if (is_domain_mask(mask)) {
591 if (HTAA_templateMatch(mask, ip_name))
592 return YES;
593 } else {
594 if (ip_number_match(mask, ip_number))
595 return YES;
596 }
597 }
598 return NO;
599 }
600
601 static BOOL ip_in_def_list(AddressDefList *address_def_list,
602 char *ip_number,
603 char *ip_name)
604 {
605 if (address_def_list && (ip_number || ip_name)) {
606 AddressDefList *cur = address_def_list;
607 Ref *ref;
608
609 while (NULL != (ref = (Ref *) HTList_nextObject(cur))) {
610 /* Value of ref->translation is ignored, i.e., */
611 /* no recursion for ip address tamplates. */
612 if (ip_mask_match(ref->name, ip_number, ip_name))
613 return YES;
614 }
615 }
616 return NO;
617 }
618
619 /*
620 * Group file cached reading
621 */
622
623 typedef struct {
624 char *group_filename;
625 GroupDefList *group_list;
626 } GroupCache;
627
628 typedef HTList GroupCacheList;
629
630 static GroupCacheList *group_cache_list = NULL;
631
632 GroupDefList *HTAA_readGroupFile(const char *filename)
633 {
634 FILE *fp;
635 GroupCache *group_cache;
636
637 if (isEmpty(filename))
638 return NULL;
639
640 if (!group_cache_list)
641 group_cache_list = HTList_new();
642 else {
643 GroupCacheList *cur = group_cache_list;
644
645 while (NULL != (group_cache = (GroupCache *) HTList_nextObject(cur))) {
646 if (!strcmp(filename, group_cache->group_filename)) {
647 CTRACE((tfp, "%s '%s' %s\n",
648 "HTAA_readGroupFile: group file",
649 filename, "already found in cache"));
650 return group_cache->group_list;
651 } /* if cache match */
652 } /* while cached files remain */
653 } /* cache exists */
654
655 CTRACE((tfp, "HTAA_readGroupFile: reading group file `%s'\n",
656 filename));
657
658 if (!(fp = fopen(filename, TXT_R))) {
659 CTRACE((tfp, "%s '%s'\n",
660 "HTAA_readGroupFile: unable to open group file",
661 filename));
662 return NULL;
663 }
664
665 if ((group_cache = typecalloc(GroupCache)) == 0)
666 outofmem(__FILE__, "HTAA_readGroupFile");
667
668 group_cache->group_filename = NULL;
669 StrAllocCopy(group_cache->group_filename, filename);
670 group_cache->group_list = parse_group_file(fp);
671 HTList_addObject(group_cache_list, (void *) group_cache);
672 fclose(fp);
673
674 CTRACE((tfp, "Read group file '%s', results follow:\n", filename));
675 if (TRACE)
676 print_group_def_list(group_cache->group_list);
677
678 return group_cache->group_list;
679 }
680
681 /* PUBLIC HTAA_userAndInetInGroup()
682 * CHECK IF USER BELONGS TO TO A GIVEN GROUP
683 * AND THAT THE CONNECTION COMES FROM AN
684 * ADDRESS THAT IS ALLOWED BY THAT GROUP
685 * ON ENTRY:
686 * group the group definition structure.
687 * username connecting user.
688 * ip_number browser host IP number, optional.
689 * ip_name browser host IP name, optional.
690 * However, one of ip_number or ip_name
691 * must be given.
692 * ON EXIT:
693 * returns HTAA_IP_MASK, if IP address mask was
694 * reason for failing.
695 * HTAA_NOT_MEMBER, if user does not belong
696 * to the group.
697 * HTAA_OK if both IP address and user are ok.
698 */
699 HTAAFailReasonType HTAA_userAndInetInGroup(GroupDef *group,
700 char *username,
701 char *ip_number,
702 char *ip_name)
703 {
704 HTAAFailReasonType reason = HTAA_NOT_MEMBER;
705
706 if (group && username) {
707 ItemList *cur1 = group->item_list;
708 Item *item;
709
710 while (NULL != (item = (Item *) HTList_nextObject(cur1))) {
711 if (!item->address_def_list || /* Any address allowed */
712 ip_in_def_list(item->address_def_list, ip_number, ip_name)) {
713
714 if (!item->user_def_list) /* Any user allowed */
715 return HTAA_OK;
716 else {
717 UserDefList *cur2 = item->user_def_list;
718 Ref *ref;
719
720 while (NULL != (ref = (Ref *) HTList_nextObject(cur2))) {
721
722 if (ref->translation) { /* Group, check recursively */
723 reason = HTAA_userAndInetInGroup(ref->translation,
724 username,
725 ip_number, ip_name);
726 if (reason == HTAA_OK)
727 return HTAA_OK;
728 } else { /* Username, check directly */
729 if (username && *username &&
730 0 == strcmp(ref->name, username))
731 return HTAA_OK;
732 }
733 /* Every user/group name in this group */
734 }
735 /* search for username */
736 }
737 /* IP address ok */
738 } else {
739 reason = HTAA_IP_MASK;
740 }
741 } /* while items in group */
742 }
743 /* valid parameters */
744 return reason; /* No match, or invalid parameters */
745 }
746
747 void GroupDef_delete(GroupDef *group_def)
748 {
749 if (group_def) {
750 FREE(group_def->group_name);
751 if (group_def->item_list) {
752 HTList_delete(group_def->item_list); /* @@@@ */
753 group_def->item_list = NULL;
754 }
755 FREE(group_def);
756 }
757 }
758 #endif
759