// Destructor IpVerify::~IpVerify() { // Clear the Permission Hash Table if (PermHashTable) { // iterate through the table and delete the entries in6_addr key; UserPerm_t * value; PermHashTable->startIterations(); while (PermHashTable->iterate(key, value)) { delete value; } delete PermHashTable; } // Clear the Permission Type Array and Punched Hole Array DCpermission perm; for (perm=FIRST_PERM; perm<LAST_PERM; perm=NEXT_PERM(perm)) { if ( PermTypeArray[perm] ) delete PermTypeArray[perm]; if ( PunchedHoleArray[perm] ) delete PunchedHoleArray[perm]; } }
/// Map a permission name to its DCpermission value, ignoring case.
///
/// @param str  Permission name as returned by PermString(); may be null.
/// @return The matching permission, or LAST_PERM when str is null or
///         matches no permission name. LAST_PERM is the "not found"
///         result here, so callers should check for it before using the
///         value as a permission.
DCpermission StringToDCpermission(char const *str)
{
	// A null name can never match; the scan below would only fall through.
	if (!str) {
		return LAST_PERM;
	}

	for (DCpermission candidate = FIRST_PERM; candidate != LAST_PERM; candidate = NEXT_PERM(candidate)) {
		if (strcasecmp(str, PermString(candidate)) == 0) {
			return candidate;
		}
	}
	return LAST_PERM;
}
// Constructor IpVerify::IpVerify() { did_init = FALSE; DCpermission perm; for (perm=FIRST_PERM; perm<LAST_PERM; perm=NEXT_PERM(perm)) { PermTypeArray[perm] = NULL; PunchedHoleArray[perm] = NULL; } PermHashTable = new PermHashTable_t(797, compute_perm_hash); }
/// Write the current authorization state to the log.
///
/// First prints one line per (host, user) entry in PermHashTable, then,
/// under the heading "Authorizations yet to be resolved:", the allow and
/// deny user lists still attached to each permission's PermTypeEntry.
///
/// @param dprintf_level  dprintf category/level used for every line. The
///                       output describes who is allowed and denied, so
///                       the level chosen by the caller decides which logs
///                       receive that information.
///
/// PermHashTable is dereferenced without a null check, and every
/// PermTypeArray slot is asserted non-null.
void IpVerify::PrintAuthTable(int dprintf_level)
{
	struct in6_addr addr;
	UserPerm_t *users;

	PermHashTable->startIterations();
	while (PermHashTable->iterate(addr, users)) {
		MyString user;
		perm_mask_t bits;

		users->startIterations();
		while (users->iterate(user, bits)) {
			// Replace the iterated mask with the full mask for this user,
			// as computed by has_user().
			has_user(users, user.Value(), bits);

			MyString line;
			AuthEntryToString(addr, user.Value(), bits, line);
			dprintf(dprintf_level, "%s\n", line.Value());
		}
	}

	dprintf(dprintf_level, "Authorizations yet to be resolved:\n");

	for (DCpermission level = FIRST_PERM; level < LAST_PERM; level = NEXT_PERM(level)) {
		PermTypeEntry *pentry = PermTypeArray[level];
		ASSERT( pentry );

		MyString pending_allow;
		MyString pending_deny;

		if (pentry->allow_users) {
			UserHashToString(pentry->allow_users, pending_allow);
		}
		if (pentry->deny_users) {
			UserHashToString(pentry->deny_users, pending_deny);
		}

		// Empty lists are skipped so the log shows only unresolved entries.
		if (pending_allow.Length()) {
			dprintf(dprintf_level, "allow %s: %s\n",
					PermString(level), pending_allow.Value());
		}
		if (pending_deny.Length()) {
			dprintf(dprintf_level, "deny %s: %s\n",
					PermString(level), pending_deny.Value());
		}
	}
}
/// Append a readable form of a permission mask to mask_str.
///
/// For each permission, the permission name is added when its allow bit is
/// set, and "DENY_" followed by the name when its deny bit is set. Both
/// may be added for the same permission.
///
/// @param mask      Bit mask built from allow_mask() / deny_mask() values.
/// @param mask_str  Output string; existing content is kept and extended.
void IpVerify::PermMaskToString(perm_mask_t mask, MyString &mask_str)
{
	for (DCpermission level = FIRST_PERM; level < LAST_PERM; level = NEXT_PERM(level)) {
		const bool allow_bit_set = (mask & allow_mask(level)) != 0;
		if (allow_bit_set) {
			mask_str.append_to_list(PermString(level));
		}

		const bool deny_bit_set = (mask & deny_mask(level)) != 0;
		if (deny_bit_set) {
			// The prefix goes in as the list item; the name is then
			// concatenated onto it with +=.
			mask_str.append_to_list("DENY_");
			mask_str += PermString(level);
		}
	}
}
/// (Re)build the authorization state from the security configuration.
///
/// Clears the host hash table and the permission type array, then for each
/// permission reads the ALLOW_*/HOSTALLOW_* and DENY_*/HOSTDENY_* settings,
/// merges the new and old spellings, and selects the entry's behavior:
///
///   - no allow and no deny list: USERVERIFY_DENY for CONFIG_PERM,
///     USERVERIFY_ALLOW for every other permission;
///   - deny list only (not CONFIG_PERM): USERVERIFY_ONLY_DENIES;
///   - otherwise: USERVERIFY_USE_TABLE.
///
/// Security note: outside CONFIG_PERM the default is fail-open. An allow
/// list of exactly "*" or "*/*" is treated as if it were unset, so with no
/// deny list such a permission admits everyone.
///
/// @return Always TRUE.
int IpVerify::Init()
{
	char *pAllow = NULL;
	char *pDeny = NULL;
	char *pOldAllow = NULL;
	char *pOldDeny = NULL;
	char *pNewAllow = NULL;
	char *pNewDeny = NULL;
	DCpermission perm;
	const char* const ssysname = get_mySubSystem()->getName();

	// Set before the tables are rebuilt, not after.
	did_init = TRUE;

	// Make sure that perm_mask_t is big enough to hold all possible
	// results of allow_mask() and deny_mask().
	ASSERT( sizeof(perm_mask_t)*8 - 2 > LAST_PERM );

	// Drop any state left over from a previous Init(); the table object
	// itself is kept and only emptied.
	if (PermHashTable) {
		struct in6_addr host_key;
		UserPerm_t *user_table;

		PermHashTable->startIterations();
		while (PermHashTable->iterate(host_key, user_table)) {
			delete user_table;
		}
		PermHashTable->clear();
	}

	for (perm = FIRST_PERM; perm < LAST_PERM; perm = NEXT_PERM(perm)) {
		if (PermTypeArray[perm]) {
			delete PermTypeArray[perm];
			PermTypeArray[perm] = NULL;
		}
	}

	// To avoid unnecessary DNS activity, the TOOL and SUBMIT subsystems
	// only load the CLIENT lists, since they have no command port and
	// don't need the other authorization lists.
	const bool client_lists_only =
		strcmp(ssysname, "TOOL") == 0 || strcmp(ssysname, "SUBMIT") == 0;

	for (perm = FIRST_PERM; perm < LAST_PERM; perm = NEXT_PERM(perm)) {
		PermTypeEntry* pentry = new PermTypeEntry();
		ASSERT( pentry );
		PermTypeArray[perm] = pentry;

		MyString allow_param, deny_param;

		dprintf(D_SECURITY,"IPVERIFY: Subsystem %s\n",ssysname);
		dprintf(D_SECURITY,"IPVERIFY: Permission %s\n",PermString(perm));

		const bool load_lists =
			!client_lists_only || strcmp(PermString(perm), "CLIENT") == 0;
		if (load_lists) {
			// NOTE(review): each pair of lookups shares one name buffer
			// (allow_param / deny_param), so the name logged below may be
			// that of whichever lookup wrote it last -- confirm against
			// SecMan::getSecSetting.
			pNewAllow = SecMan::getSecSetting("ALLOW_%s",perm,&allow_param, ssysname );
			pOldAllow = SecMan::getSecSetting("HOSTALLOW_%s",perm,&allow_param, ssysname );
			pNewDeny = SecMan::getSecSetting("DENY_%s",perm,&deny_param, ssysname );
			pOldDeny = SecMan::getSecSetting("HOSTDENY_%s",perm,&deny_param, ssysname );
		}

		// Combine the new-style and old-style spellings of each list.
		pAllow = merge(pNewAllow, pOldAllow);
		pDeny = merge(pNewDeny, pOldDeny);

		if( pAllow ) {
			dprintf ( D_SECURITY, "IPVERIFY: allow %s: %s (from config value %s)\n", PermString(perm),pAllow,allow_param.Value());
		}
		if( pDeny ) {
			dprintf ( D_SECURITY, "IPVERIFY: deny %s: %s (from config value %s)\n", PermString(perm),pDeny,deny_param.Value());
		}

		// Treat a "*", "*/*" for ALLOW_XXX as if it's just undefined,
		// because that's the optimized default, except for
		// CONFIG_PERM which has a different default (see below).
		const bool wildcard_allow =
			perm != CONFIG_PERM && pAllow &&
			(!strcmp(pAllow, "*") || !strcmp(pAllow, "*/*"));
		if (wildcard_allow) {
			free( pAllow );
			pAllow = NULL;
		}

		if (pAllow || pDeny) {
			// A deny list without an allow list only needs deny checks,
			// except for CONFIG_PERM, which always goes through the table.
			const bool denies_only = pDeny && !pAllow && perm != CONFIG_PERM;
			if (denies_only) {
				pentry->behavior = USERVERIFY_ONLY_DENIES;
			} else {
				pentry->behavior = USERVERIFY_USE_TABLE;
			}

			if ( pAllow ) {
				fill_table( pentry, pAllow, true );
				free(pAllow);
				pAllow = NULL;
			}
			if ( pDeny ) {
				fill_table( pentry, pDeny, false );
				free(pDeny);
				pDeny = NULL;
			}
		} else if (perm == CONFIG_PERM) {
			// Nothing configured: CONFIG requests are denied by default.
			pentry->behavior = USERVERIFY_DENY;
			dprintf( D_SECURITY, "ipverify: %s optimized to deny everyone\n", PermString(perm) );
		} else {
			// Nothing configured (or allow was a bare wildcard): every
			// other permission defaults to allowing anyone.
			pentry->behavior = USERVERIFY_ALLOW;
			if( perm != ALLOW ) {
				dprintf( D_SECURITY, "ipverify: %s optimized to allow anyone\n", PermString(perm) );
			}
		}

		// free(NULL) is a no-op, so every buffer can be released and reset
		// unconditionally before the next permission is processed.
		free(pAllow);
		pAllow = NULL;
		free(pDeny);
		pDeny = NULL;
		free(pOldAllow);
		pOldAllow = NULL;
		free(pOldDeny);
		pOldDeny = NULL;
		free(pNewAllow);
		pNewAllow = NULL;
		free(pNewDeny);
		pNewDeny = NULL;
	}

	dprintf(D_FULLDEBUG|D_SECURITY,"Initialized the following authorization table:\n");
	if (PermHashTable) {
		PrintAuthTable(D_FULLDEBUG|D_SECURITY);
	}
	return TRUE;
}