// Destructor: release everything this object owns.
//
// The UserPerm_t values stored in PermHashTable belong to this object, so
// each one is deleted before the table itself.  The per-permission
// PermTypeArray / PunchedHoleArray slots are then deleted; a slot that was
// never filled holds NULL, and delete on NULL is a no-op.
IpVerify::~IpVerify()
{
	if (PermHashTable) {
		struct in6_addr addr;
		UserPerm_t *entry;

		PermHashTable->startIterations();
		while (PermHashTable->iterate(addr, entry)) {
			delete entry;
		}
		delete PermHashTable;
	}

	for (DCpermission p = FIRST_PERM; p < LAST_PERM; p = NEXT_PERM(p)) {
		delete PermTypeArray[p];
		delete PunchedHoleArray[p];
	}
}
// Map a permission name back to its DCpermission value.
//
// The comparison is case-insensitive and is made against PermString() of
// each permission in FIRST_PERM..LAST_PERM order.  Returns LAST_PERM when
// str is NULL or names no known permission, so callers must treat
// LAST_PERM as "not found".
DCpermission
StringToDCpermission(char const *str) {
	if (!str) {
		return LAST_PERM;
	}

	DCpermission candidate = FIRST_PERM;
	while (candidate != LAST_PERM) {
		if (strcasecmp(str, PermString(candidate)) == 0) {
			return candidate;
		}
		candidate = NEXT_PERM(candidate);
	}
	return LAST_PERM;
}
// Constructor: start from an empty state.
//
// did_init is cleared, both per-permission arrays are zeroed so the
// destructor and Init() can safely delete whatever is in them, and an
// empty PermHashTable is allocated (constructed with 797 and
// compute_perm_hash -- presumably table size and hash function; see
// PermHashTable_t).  The authorization lists themselves are only loaded by
// Init().
IpVerify::IpVerify() 
{
	did_init = FALSE;

	for (DCpermission p = FIRST_PERM; p < LAST_PERM; p = NEXT_PERM(p)) {
		PermTypeArray[p] = NULL;
		PunchedHoleArray[p] = NULL;
	}

	PermHashTable = new PermHashTable_t(797, compute_perm_hash);
}
// Dump the authorization state at the given dprintf level.
//
// First every (host, user) entry cached in PermHashTable is printed, one
// per line, after has_user() has expanded the stored mask.  Then, for each
// permission, the allow/deny user lists that have not yet been resolved
// into the hash table are printed.  Requires Init() to have populated
// PermTypeArray -- the ASSERT fires otherwise.  PermHashTable is
// dereferenced without a NULL check; the constructor always allocates it.
void
IpVerify::PrintAuthTable(int dprintf_level) {
	struct in6_addr addr;
	UserPerm_t *users;

	PermHashTable->startIterations();
	while (PermHashTable->iterate(addr, users)) {
		MyString user;
		perm_mask_t perms;

		users->startIterations();
		while (users->iterate(user, perms)) {
			// has_user() turns the stored mask into the full effective mask
			has_user(users, user.Value(), perms);

			MyString line;
			AuthEntryToString(addr, user.Value(), perms, line);
			dprintf(dprintf_level, "%s\n", line.Value());
		}
	}

	dprintf(dprintf_level, "Authorizations yet to be resolved:\n");
	for (DCpermission p = FIRST_PERM; p < LAST_PERM; p = NEXT_PERM(p)) {
		PermTypeEntry *entry = PermTypeArray[p];
		ASSERT(entry);

		MyString allowed;
		MyString denied;

		// Both lists are rendered before either is printed, so the
		// relative order of any output from UserHashToString is unchanged.
		if (entry->allow_users) {
			UserHashToString(entry->allow_users, allowed);
		}
		if (entry->deny_users) {
			UserHashToString(entry->deny_users, denied);
		}

		if (allowed.Length()) {
			dprintf(dprintf_level, "allow %s: %s\n", PermString(p), allowed.Value());
		}
		if (denied.Length()) {
			dprintf(dprintf_level, "deny %s: %s\n", PermString(p), denied.Value());
		}
	}
}
// Render a permission mask as a list of names.
//
// Walks the permissions in FIRST_PERM..LAST_PERM order and, for each one,
// appends the permission name when its allow bit is set and "DENY_<name>"
// when its deny bit is set (via MyString::append_to_list, so the list
// separator is whatever MyString uses).  Output is appended to mask_str;
// the string is not cleared first.
void
IpVerify::PermMaskToString(perm_mask_t mask, MyString &mask_str)
{
	for (DCpermission p = FIRST_PERM; p < LAST_PERM; p = NEXT_PERM(p)) {
		const bool allowed = (mask & allow_mask(p)) != 0;
		const bool denied = (mask & deny_mask(p)) != 0;

		if (allowed) {
			mask_str.append_to_list(PermString(p));
		}
		if (denied) {
			mask_str.append_to_list("DENY_");
			mask_str += PermString(p);
		}
	}
}
// Build (or rebuild) the authorization tables from the configuration.
//
// For every DCpermission this reads the ALLOW_<perm> / DENY_<perm> settings
// and their HOSTALLOW_ / HOSTDENY_ spellings through SecMan::getSecSetting,
// merges the two with merge(), and decides how that permission is checked:
//   - no allow list and no deny list -> USERVERIFY_ALLOW for every
//     permission except CONFIG_PERM, which defaults to USERVERIFY_DENY;
//   - a deny list only               -> USERVERIFY_ONLY_DENIES (again
//     except CONFIG_PERM);
//   - anything else                  -> USERVERIFY_USE_TABLE, with the
//     lists loaded into the PermTypeEntry by fill_table().
// An ALLOW_<perm> value of "*" or "*/*" is treated as undefined (except for
// CONFIG_PERM), so it collapses to the allow-anyone fast path above.
//
// Calling Init() again discards the per-host entries cached in
// PermHashTable and the previous PermTypeArray.  PunchedHoleArray is not
// touched here (compare the destructor).  Always returns TRUE.
int
IpVerify::Init()
{
	// Raw C strings from getSecSetting()/merge(); released with free() at
	// the bottom of each loop iteration.
	char *pAllow = NULL, *pDeny = NULL, *pOldAllow = NULL, *pOldDeny = NULL,
		*pNewAllow = NULL, *pNewDeny = NULL;
	DCpermission perm;
	const char* const ssysname = get_mySubSystem()->getName();	

	did_init = TRUE;

	// Make sure that perm_mask_t is big enough to hold all possible
	// results of allow_mask() and deny_mask().
	ASSERT( sizeof(perm_mask_t)*8 - 2 > LAST_PERM );

	// Clear the Permission Hash Table in case re-initializing
	if (PermHashTable) {
		// iterate through the table and delete the entries
		struct in6_addr key;
		UserPerm_t * value;
		PermHashTable->startIterations();

		while (PermHashTable->iterate(key, value)) {
			delete value;
		}

		// keep the table object itself; only its contents are dropped
		PermHashTable->clear();
	}

	// and Clear the Permission Type Array
	for (perm=FIRST_PERM; perm<LAST_PERM; perm=NEXT_PERM(perm)) {
		if ( PermTypeArray[perm] ) {
			delete PermTypeArray[perm];
			PermTypeArray[perm] = NULL;
		}
	}

	// Load the allow/deny lists for each permission and pick its behavior.
	for ( perm=FIRST_PERM; perm < LAST_PERM; perm=NEXT_PERM(perm) ) {
		PermTypeEntry* pentry = new PermTypeEntry();
		ASSERT( pentry );
		PermTypeArray[perm] = pentry;
		// allow_param / deny_param receive the config name the value came
		// from; they are only used for the log lines below.
		MyString allow_param, deny_param;

		dprintf(D_SECURITY,"IPVERIFY: Subsystem %s\n",ssysname);
		dprintf(D_SECURITY,"IPVERIFY: Permission %s\n",PermString(perm));
		if(strcmp(ssysname,"TOOL")==0 || strcmp(ssysname,"SUBMIT")==0){
			// to avoid unneccesary DNS activity, the TOOL and SUBMIT
			// subsystems only load the CLIENT lists, since they have no
			// command port and don't need the other authorization lists.
			// For every other permission the pNew*/pOld* pointers stay
			// NULL (they are reset at the end of each iteration), so the
			// merge below yields no lists.
			if(strcmp(PermString(perm),"CLIENT")==0){ 
				pNewAllow = SecMan::getSecSetting("ALLOW_%s",perm,&allow_param, ssysname );
				pOldAllow = SecMan::getSecSetting("HOSTALLOW_%s",perm,&allow_param, ssysname );
				pNewDeny = SecMan::getSecSetting("DENY_%s",perm,&deny_param, ssysname );
				pOldDeny = SecMan::getSecSetting("HOSTDENY_%s",perm,&deny_param, ssysname );
			}
		} else {
			pNewAllow = SecMan::getSecSetting("ALLOW_%s",perm,&allow_param, ssysname );
			pOldAllow = SecMan::getSecSetting("HOSTALLOW_%s",perm,&allow_param, ssysname );
			pNewDeny = SecMan::getSecSetting("DENY_%s",perm,&deny_param, ssysname );
			pOldDeny = SecMan::getSecSetting("HOSTDENY_%s",perm,&deny_param, ssysname );
		}
		// concat the two (ALLOW_ and HOSTALLOW_ values)
		pAllow = merge(pNewAllow, pOldAllow);
		// concat the two (DENY_ and HOSTDENY_ values)
		pDeny = merge(pNewDeny, pOldDeny);
		if( pAllow ) {
			dprintf ( D_SECURITY, "IPVERIFY: allow %s: %s (from config value %s)\n", PermString(perm),pAllow,allow_param.Value());
		}
		if( pDeny ) {
			dprintf ( D_SECURITY, "IPVERIFY: deny %s: %s (from config value %s)\n", PermString(perm),pDeny,deny_param.Value());
		}
		// Treat a "*", "*/*" for ALLOW_XXX as if it's just undefined,
		// because that's the optimized default, except for
		// CONFIG_PERM which has a different default (see below).
		if( perm != CONFIG_PERM ) {
			if(pAllow && (!strcmp(pAllow, "*") || !strcmp(pAllow, "*/*"))) {
				free( pAllow );
				pAllow = NULL;
			}
		}
		// With neither list configured the permission is decided without
		// consulting any table: CONFIG_PERM is closed, everything else is
		// open.  Any restriction for those permissions therefore has to
		// come from an explicit DENY_<perm> / ALLOW_<perm> setting.
		if ( !pAllow && !pDeny ) {
			if (perm == CONFIG_PERM) { 	  // deny all CONFIG requests 
				pentry->behavior = USERVERIFY_DENY; // by default
				dprintf( D_SECURITY, "ipverify: %s optimized to deny everyone\n", PermString(perm) );
			} else {
				pentry->behavior = USERVERIFY_ALLOW;
				// ALLOW is the expected open case, so it is not logged
				if( perm != ALLOW ) {
					dprintf( D_SECURITY, "ipverify: %s optimized to allow anyone\n", PermString(perm) );
				}
			}
		} else {
			// A deny-only configuration skips the allow table entirely,
			// except for CONFIG_PERM whose default is deny.
			if ( pDeny && !pAllow && perm != CONFIG_PERM ) {
				pentry->behavior = USERVERIFY_ONLY_DENIES;
			} else {
				pentry->behavior = USERVERIFY_USE_TABLE;
			}
			// fill_table() is given the list and whether it is an allow
			// (true) or deny (false) list; the string is ours to free after.
			if ( pAllow ) {
				fill_table( pentry, pAllow, true );
				free(pAllow);
				pAllow = NULL;
			}
			if ( pDeny ) {
				fill_table( pentry,	pDeny, false );
				free(pDeny);
				pDeny = NULL;
			}
		}
		// Release anything not consumed above and reset every pointer so
		// the next iteration -- which may not call getSecSetting at all
		// for TOOL/SUBMIT -- never sees a stale value.
		if (pAllow) {
			free(pAllow);
			pAllow = NULL;
		}
		if (pDeny) {
			free(pDeny);
			pDeny = NULL;
		}
		if (pOldAllow) {
			free(pOldAllow);
			pOldAllow = NULL;
		}
		if (pOldDeny) {
			free(pOldDeny);
			pOldDeny = NULL;
		}
		if (pNewAllow) {
			free(pNewAllow);
			pNewAllow = NULL;
		}
		if (pNewDeny) {
			free(pNewDeny);
			pNewDeny = NULL;
		}
	}
	dprintf(D_FULLDEBUG|D_SECURITY,"Initialized the following authorization table:\n");
	if(PermHashTable)	
		PrintAuthTable(D_FULLDEBUG|D_SECURITY);
	return TRUE;
}