xref: /freebsd/crypto/heimdal/lib/krb5/acl.c (revision 1e413cf93298b5b97441a21d9a50fdcd0ee9945e)
1 /*
2  * Copyright (c) 2000 - 2002 Kungliga Tekniska H�gskolan
3  * (Royal Institute of Technology, Stockholm, Sweden).
4  * All rights reserved.
5  *
6  * Redistribution and use in source and binary forms, with or without
7  * modification, are permitted provided that the following conditions
8  * are met:
9  *
10  * 1. Redistributions of source code must retain the above copyright
11  *    notice, this list of conditions and the following disclaimer.
12  *
13  * 2. Redistributions in binary form must reproduce the above copyright
14  *    notice, this list of conditions and the following disclaimer in the
15  *    documentation and/or other materials provided with the distribution.
16  *
17  * 3. Neither the name of the Institute nor the names of its contributors
18  *    may be used to endorse or promote products derived from this software
19  *    without specific prior written permission.
20  *
21  * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31  * SUCH DAMAGE.
32  */
33 
34 #include "krb5_locl.h"
35 #include <fnmatch.h>
36 
37 RCSID("$Id: acl.c,v 1.3 2002/04/18 16:16:24 joda Exp $");
38 
39 struct acl_field {
40     enum { acl_string, acl_fnmatch, acl_retval } type;
41     union {
42 	const char *cstr;
43 	char **retv;
44     } u;
45     struct acl_field *next, **last;
46 };
47 
48 static void
49 acl_free_list(struct acl_field *acl)
50 {
51     struct acl_field *next;
52     while(acl != NULL) {
53 	next = acl->next;
54 	free(acl);
55 	acl = next;
56     }
57 }
58 
59 static krb5_error_code
60 acl_parse_format(krb5_context context,
61 		 struct acl_field **acl_ret,
62 		 const char *format,
63 		 va_list ap)
64 {
65     const char *p;
66     struct acl_field *acl = NULL, *tmp;
67 
68     for(p = format; *p != '\0'; p++) {
69 	tmp = malloc(sizeof(*tmp));
70 	if(tmp == NULL) {
71 	    krb5_set_error_string(context, "malloc: out of memory");
72 	    acl_free_list(acl);
73 	    return ENOMEM;
74 	}
75 	if(*p == 's') {
76 	    tmp->type = acl_string;
77 	    tmp->u.cstr = va_arg(ap, const char*);
78 	} else if(*p == 'f') {
79 	    tmp->type = acl_fnmatch;
80 	    tmp->u.cstr = va_arg(ap, const char*);
81 	} else if(*p == 'r') {
82 	    tmp->type = acl_retval;
83 	    tmp->u.retv = va_arg(ap, char **);
84 	}
85 	tmp->next = NULL;
86 	if(acl == NULL)
87 	    acl = tmp;
88 	else
89 	    *acl->last = tmp;
90 	acl->last = &tmp->next;
91     }
92     *acl_ret = acl;
93     return 0;
94 }
95 
96 static krb5_boolean
97 acl_match_field(krb5_context context,
98 		const char *string,
99 		struct acl_field *field)
100 {
101     if(field->type == acl_string) {
102 	return !strcmp(string, field->u.cstr);
103     } else if(field->type == acl_fnmatch) {
104 	return !fnmatch(string, field->u.cstr, 0);
105     } else if(field->type == acl_retval) {
106 	*field->u.retv = strdup(string);
107 	return TRUE;
108     }
109     return FALSE;
110 }
111 
112 static krb5_boolean
113 acl_match_acl(krb5_context context,
114 	      struct acl_field *acl,
115 	      const char *string)
116 {
117     char buf[256];
118     for(;strsep_copy(&string, " \t", buf, sizeof(buf)) != -1;
119 	acl = acl->next) {
120 	if(buf[0] == '\0')
121 	    continue; /* skip ws */
122 	if(!acl_match_field(context, buf, acl)) {
123 	    return FALSE;
124 	}
125     }
126     return TRUE;
127 }
128 
129 
130 krb5_error_code
131 krb5_acl_match_string(krb5_context context,
132 		      const char *string,
133 		      const char *format,
134 		      ...)
135 {
136     krb5_error_code ret;
137     krb5_boolean found;
138     struct acl_field *acl;
139 
140     va_list ap;
141     va_start(ap, format);
142     ret = acl_parse_format(context, &acl, format, ap);
143     va_end(ap);
144     if(ret)
145 	return ret;
146 
147     found = acl_match_acl(context, acl, string);
148     acl_free_list(acl);
149     if (found) {
150 	return 0;
151     } else {
152 	krb5_set_error_string(context, "ACL did not match");
153 	return EACCES;
154     }
155 }
156 
157 krb5_error_code
158 krb5_acl_match_file(krb5_context context,
159 		    const char *file,
160 		    const char *format,
161 		    ...)
162 {
163     krb5_error_code ret;
164     struct acl_field *acl;
165     char buf[256];
166     va_list ap;
167     FILE *f;
168     krb5_boolean found;
169 
170     f = fopen(file, "r");
171     if(f == NULL) {
172 	int save_errno = errno;
173 
174 	krb5_set_error_string(context, "open(%s): %s", file,
175 			      strerror(save_errno));
176 	return save_errno;
177     }
178 
179     va_start(ap, format);
180     ret = acl_parse_format(context, &acl, format, ap);
181     va_end(ap);
182     if(ret) {
183 	fclose(f);
184 	return ret;
185     }
186 
187     found = FALSE;
188     while(fgets(buf, sizeof(buf), f)) {
189 	if(buf[0] == '#')
190 	    continue;
191 	if(acl_match_acl(context, acl, buf)) {
192 	    found = TRUE;
193 	    break;
194 	}
195     }
196 
197     fclose(f);
198     acl_free_list(acl);
199     if (found) {
200 	return 0;
201     } else {
202 	krb5_set_error_string(context, "ACL did not match");
203 	return EACCES;
204     }
205 }
206