/******************************************************************************/
/* */
/* X r d A c c A c c e s s . c c */
/* */
/* (c) 2003 by the Board of Trustees of the Leland Stanford, Jr., University */
/* All Rights Reserved */
/* Produced by Andrew Hanushevsky for Stanford University under contract */
/* DE-AC02-76-SFO0515 with the Department of Energy */
/* */
/* This file is part of the XRootD software suite. */
/* */
/* XRootD is free software: you can redistribute it and/or modify it under */
/* the terms of the GNU Lesser General Public License as published by the */
/* Free Software Foundation, either version 3 of the License, or (at your */
/* option) any later version. */
/* */
/* XRootD is distributed in the hope that it will be useful, but WITHOUT */
/* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or */
/* FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public */
/* License for more details. */
/* */
/* You should have received a copy of the GNU Lesser General Public License */
/* along with XRootD in a file called COPYING.LESSER (LGPL license) and file */
/* COPYING (GPL license). If not, see <http://www.gnu.org/licenses/>. */
/* */
/* The copyright holder's institutional names and contributor's names may not */
/* be used to endorse or promote products derived from this software without */
/* specific prior written permission of the institution or contributor. */
/******************************************************************************/
#include <ctype.h>
#include <stdio.h>
#include <time.h>
#include <sys/param.h>
#include "XrdVersion.hh"
#include "XrdAcc/XrdAccAccess.hh"
#include "XrdAcc/XrdAccCapability.hh"
#include "XrdAcc/XrdAccConfig.hh"
#include "XrdAcc/XrdAccGroups.hh"
#include "XrdNet/XrdNetAddrInfo.hh"
#include "XrdOuc/XrdOucUtils.hh"
#include "XrdSys/XrdSysPlugin.hh"
/******************************************************************************/
/* E x t e r n a l R e f e r e n c e s */
/******************************************************************************/
extern unsigned long XrdOucHashVal2(const char *KeyVal, int KeyLen);
/******************************************************************************/
/* G l o b a l C o n f i g u r a t i o n O b j e c t */
/******************************************************************************/
extern XrdAccConfig XrdAccConfiguration;
/******************************************************************************/
/* Autorization Object Creation via XrdAccDefaultAuthorizeObject */
/******************************************************************************/
XrdAccAuthorize *XrdAccDefaultAuthorizeObject(XrdSysLogger *lp,
const char *cfn,
const char *parm,
XrdVersionInfo &urVer)
{
static XrdVERSIONINFODEF(myVer, XrdAcc, XrdVNUMBER, XrdVERSION);
static XrdSysError Eroute(lp, "acc_");
// Verify version compatability
//
if (urVer.vNum != myVer.vNum && !XrdSysPlugin::VerCmp(urVer,myVer))
return 0;
// Configure the authorization system
//
if (XrdAccConfiguration.Configure(Eroute, cfn)) return (XrdAccAuthorize *)0;
// All is well, return the actual pointer to the object
//
return (XrdAccAuthorize *)XrdAccConfiguration.Authorization;
}
/******************************************************************************/
/* C o n s t r u c t o r */
/******************************************************************************/
XrdAccAccess::XrdAccAccess(XrdSysError *erp)
{
// Get the audit option that we should use
//
Auditor = XrdAccAuditObject(erp);
}
/******************************************************************************/
/* A c c e s s */
/******************************************************************************/
XrdAccPrivs XrdAccAccess::Access(const XrdSecEntity *Entity,
const char *path,
const Access_Operation oper,
XrdOucEnv *Env)
{
const char *xP;
char *gname, xBuff[64];
XrdAccGroupList *glp;
XrdAccPrivCaps caps;
XrdAccCapability *cp;
const int plen = strlen(path);
const long phash = XrdOucHashVal2(path, plen);
const char *id = (Entity->name ? (const char *)Entity->name : "*");
const char *host = 0;
int n, isuser = (*id && (*id != '*' || id[1]));
// Get a shared context for these potentially long running routines
//
Access_Context.Lock(xs_Shared);
// Run through the exclusive list first as only one rule will apply
//
XrdAccAccess_ID *xlP = Atab.SXList;
while (xlP)
{if (xlP->Applies(Entity))
{xlP->caps->Privs(caps, path, plen, phash);
Access_Context.UnLock(xs_Shared);
return Access(caps, Entity, path, oper);
}
xlP = xlP->next;
}
// Check if we really need to resolve the host name
//
if (Atab.D_List || Atab.H_Hash || Atab.N_Hash) host = Resolve(Entity);
// Establish default privileges
//
if (Atab.Z_List) Atab.Z_List->Privs(caps, path, plen, phash);
// Next add in the host domain privileges
//
if (Atab.D_List && host && (cp = Atab.D_List->Find(host)))
cp->Privs(caps, path, plen, phash);
// Next add in the host-specific privileges
//
if (Atab.H_Hash && host && (cp = Atab.H_Hash->Find(host)))
cp->Privs(caps, path, plen, phash);
// Check for user fungible privileges
//
if (isuser && Atab.X_List) Atab.X_List->Privs(caps, path, plen, phash, id);
// Add in specific user privileges
//
if (isuser && Atab.U_Hash && (cp = Atab.U_Hash->Find(id)))
cp->Privs(caps, path, plen, phash);
// Next add in the group privileges. The group list either comes from the
// credentials, in which case we need not have a username, or from the
// standard unix-username group mapping.
//
if (Atab.G_Hash)
{if (Entity->grps)
{xP = Entity->grps;
while((n = XrdOucUtils::Token(&xP, ' ', xBuff, sizeof(xBuff))))
{if (n < (int)sizeof(xBuff) && (cp = Atab.G_Hash->Find(xBuff)))
cp->Privs(caps, path, plen, phash);
}
} else if (isuser && (glp=XrdAccConfiguration.GroupMaster.Groups(id)))
{while((gname = (char *)glp->Next()))
if ((cp = Atab.G_Hash->Find((const char *)gname)))
cp->Privs(caps, path, plen, phash);
delete glp;
}
}
// Now add in the netgroup privileges
//
if (Atab.N_Hash && id && host &&
(glp = XrdAccConfiguration.GroupMaster.NetGroups(id, host)))
{while((gname = (char *)glp->Next()))
if ((cp = Atab.N_Hash->Find((const char *)gname)))
cp->Privs(caps, path, plen, phash);
delete glp;
}
// Next add in the org-specific privileges
//
if (Atab.O_Hash && Entity->vorg)
{xP = Entity->vorg;
while((n = XrdOucUtils::Token(&xP, ' ', xBuff, sizeof(xBuff))))
{if (n < (int)sizeof(xBuff) && (cp = Atab.O_Hash->Find(xBuff)))
cp->Privs(caps, path, plen, phash);
}
}
// Next add in the role-specific privileges
//
if (Atab.R_Hash && Entity->role)
{xP = Entity->role;
while((n = XrdOucUtils::Token(&xP, ' ', xBuff, sizeof(xBuff))))
{if (n < (int)sizeof(xBuff) && (cp = Atab.R_Hash->Find(xBuff)))
cp->Privs(caps, path, plen, phash);
}
}
// Finally run through the inclusive list and apply arr relevant rules
//
XrdAccAccess_ID *ylP = Atab.SYList;
while (ylP)
{if (ylP->Applies(Entity)) ylP->caps->Privs(caps, path, plen, phash);
ylP = ylP->next;
}
// We are now done with looking at changeable data
//
Access_Context.UnLock(xs_Shared);
// Return the privileges as needed
//
return Access(caps, Entity, path, oper);
}
/******************************************************************************/
XrdAccPrivs XrdAccAccess::Access( XrdAccPrivCaps &caps,
const XrdSecEntity *Entity,
const char *path,
const Access_Operation oper
)
{
XrdAccPrivs myprivs;
XrdAccAudit_Options audits = (XrdAccAudit_Options)Auditor->Auditing();
int accok;
// Compute composite privileges and see if privs need to be returned
//
myprivs = (XrdAccPrivs)(caps.pprivs & ~caps.nprivs);
if (!oper) return (XrdAccPrivs)myprivs;
// Check if auditing is enabled or whether we can do a fastaroo test
//
if (!audits) return (XrdAccPrivs)Test(myprivs, oper);
if ((accok = Test(myprivs, oper)) && !(audits & audit_grant))
return (XrdAccPrivs)accok;
// Call the auditing routine and exit
//
return (XrdAccPrivs)Audit(accok, Entity, path, oper);
}
/******************************************************************************/
/* A u d i t */
/******************************************************************************/
int XrdAccAccess::Audit(const int accok,
const XrdSecEntity *Entity,
const char *path,
const Access_Operation oper,
XrdOucEnv *Env)
{
// Warning! This table must be in 1-to-1 correspondence with Access_Operation
//
static const char *Opername[] = {"any", // 0
"chmod", // 1
"chown", // 2
"create", // 3
"delete", // 4
"insert", // 5
"lock", // 6
"mkdir", // 7
"read", // 8
"readdir", // 9
"rename", // 10
"stat", // 10
"update" // 12
};
const char *opname = (oper > AOP_LastOp ? "???" : Opername[oper]);
const char *id = (Entity->name ? (const char *)Entity->name : "*");
const char *host = (Entity->host ? (const char *)Entity->host : "?");
char atype[XrdSecPROTOIDSIZE+1];
// Get the protocol type in a printable format
//
strncpy(atype, Entity->prot, XrdSecPROTOIDSIZE);
atype[XrdSecPROTOIDSIZE] = '\0';
// Route the message appropriately
//
if (accok) Auditor->Grant(opname, Entity->tident, atype, id, host, path);
else Auditor->Deny( opname, Entity->tident, atype, id, host, path);
// All done, finally
//
return accok;
}
/******************************************************************************/
/* R e s o l v e */
/******************************************************************************/
const char *XrdAccAccess::Resolve(const XrdSecEntity *Entity)
{
// Make a quick test for IPv6 (as that's the future) and a minimal one for ipV4
// to see if we have to do a DNS lookup.
//
if (Entity->host == 0 || *(Entity->host) == '[' || isdigit(*(Entity->host)))
return Entity->addrInfo->Name("?");
return Entity->host;
}
/******************************************************************************/
/* S w a p T a b s */
/******************************************************************************/
#define XrdAccSWAP(x) oldtab.x = Atab.x; Atab.x = newtab.x; \
newtab.x = oldtab.x; oldtab.x = 0;
void XrdAccAccess::SwapTabs(struct XrdAccAccess_Tables &newtab)
{
struct XrdAccAccess_Tables oldtab;
// Get an exclusive context to change the table pointers
//
Access_Context.Lock(xs_Exclusive);
// Save the old pointer while replacing it with the new pointer
//
XrdAccSWAP(D_List);
XrdAccSWAP(E_List);
XrdAccSWAP(G_Hash);
XrdAccSWAP(H_Hash);
XrdAccSWAP(N_Hash);
XrdAccSWAP(O_Hash);
XrdAccSWAP(R_Hash);
XrdAccSWAP(S_Hash);
XrdAccSWAP(T_Hash);
XrdAccSWAP(U_Hash);
XrdAccSWAP(X_List);
XrdAccSWAP(Z_List);
XrdAccSWAP(SXList);
XrdAccSWAP(SYList);
// When we set new access tables, we should purge the group cache
//
XrdAccConfiguration.GroupMaster.PurgeCache();
// We can now let loose new table searchers
//
Access_Context.UnLock(xs_Exclusive);
}
/******************************************************************************/
/* T e s t */
/******************************************************************************/
int XrdAccAccess::Test(const XrdAccPrivs priv,const Access_Operation oper)
{
// Warning! This table must be in 1-to-1 correspondence with Access_Operation
//
static XrdAccPrivs need[] = {XrdAccPriv_None, // 0
XrdAccPriv_Chmod, // 1
XrdAccPriv_Chown, // 2
XrdAccPriv_Create, // 3
XrdAccPriv_Delete, // 4
XrdAccPriv_Insert, // 5
XrdAccPriv_Lock, // 6
XrdAccPriv_Mkdir, // 7
XrdAccPriv_Read, // 8
XrdAccPriv_Readdir, // 9
XrdAccPriv_Rename, // 10
XrdAccPriv_Lookup, // 11
XrdAccPriv_Update // 12
};
if (oper < 0 || oper > AOP_LastOp) return 0;
return (int)(need[oper] & priv) == need[oper];
}
/******************************************************************************/
/* X r d A c c A c c e s s _ I D : : A p p l i e s */
/******************************************************************************/
bool XrdAccAccess_ID::Applies(const XrdSecEntity *Entity)
{
const char *hName, *gList, *gEnd;
int eLen;
// Check single value items in the most probable use order
//
if (org && (!Entity->vorg || strcmp(org, Entity->vorg))) return false;
if (role && (!Entity->role || strcmp(role, Entity->role))) return false;
if (user && (!Entity->name || strcmp(user, Entity->name))) return false;
// The check is more complicated as the host field may be an address. We make
// a quick test for IPv6 (as that's the future) and take the long road for ipV4.
//
if (host)
{hName = XrdAccAccess::Resolve(Entity);
if (*host == '.')
{eLen = strlen(hName);
if (eLen <= hlen) return false;
hName = hName + eLen - hlen;
}
if (strcmp(host, hName)) return false;
}
// Groups are most problematic as there may be many of them. So it's last.
//
if (!grp) return true;
if (!Entity->grps) return false;
eLen = strlen(Entity->grps);
if (eLen < glen) return false;
// Search through the group list
//
gList = Entity->grps;
while(true)
{if (!strncmp(grp, Entity->grps, glen))
{gEnd = Entity->grps + glen;
if (*gEnd == ' ' || *gEnd == 0) return true;
}
if(!(gList = index(gList, ' '))) break;
do {gList++;} while(*gList == ' ');
}
// This entry is not applicable
//
return false;
}