/*
* Verify at least one key value obtained from DIT matches the search key
* RETURNS: 1 MATCH
* 0 NO MATCH
* -1 NO KEY FOUND
*/
static int
verifyKey(char *key, __nis_rule_value_t *rv) {
int i, j;
char *sipkey, *str;
for (i = 0; i < rv->numColumns; i++) {
if (rv->colName[i] == 0)
continue;
if (strcasecmp(N2LKEY, rv->colName[i]) == 0) {
if (rv->colVal[i].val == 0)
return (0);
for (j = 0; j < rv->colVal[i].numVals; j++) {
str = (char *)rv->colVal[i].val[j].value;
if (str && strcmp(str, key) == 0)
return (1);
}
return (0);
} else if (strcasecmp(N2LIPKEY, rv->colName[i]) == 0) {
if (checkIPaddress(key, strlen(key), &sipkey) > 0) {
if (rv->colVal[i].val == 0)
return (0);
for (j = 0; j < rv->colVal[i].numVals; j++) {
str = rv->colVal[i].val[j].value;
if (str && strcmp(str, sipkey) == 0) {
sfree(sipkey);
return (1);
}
}
sfree(sipkey);
}
return (0);
}
}
return (-1);
}
int checkHostAccessControl( char *username, char *hostclient, char *groupsname ) {
//char *configDir;
//char* hostControlAccessFile[LONG_NAME_LEN];
char grouplist[MAX_SQL_ROWS][MAXSTR];
const char *delim = " \t\n";
int groupok, i, indxc, iok, nelt;
char line[MAXLEN], *eltstr, tempArr[NFIELDS][MAXLEN];
unsigned char result, IPEntry[IPV4], subnetEntry[IPV4], visitorIP[IPV4];
FILE *fp;
/* try to open the HostControlAccess if it exists. */
//configDir = getConfigDir();
//snprintf( hostControlAccessFile, LONG_NAME_LEN, "%s/%s", configDir,HOST_ACCESS_CONTROL_FILE );
std::string cfg_file;
irods::error ret = irods::get_full_path_for_config_file( HOST_ACCESS_CONTROL_FILE, cfg_file );
if ( !ret.ok() ) {
irods::log( PASS( ret ) );
return ret.code();
}
fp = fopen( cfg_file.c_str(), "r" );
if ( fp == NULL ) {
rodsLog( LOG_NOTICE,
"hostAuthCheck: can't open HostControlAccess file %s", cfg_file.c_str() );
return ( UNIX_FILE_OPEN_ERR - errno );
}
/* parse the list of groups for the user from the groupsname char */
nelt = 0;
strncpy( grouplist[0], strtok( groupsname, delim ), MAXSTR );
while ( ( eltstr = strtok( NULL, delim ) ) ) {
nelt++;
strncpy( grouplist[nelt], eltstr, MAXSTR );
}
/* parse HostControlAccess and check if <user,IP,group> is allowed to access this server. */
while ( !feof( fp ) ) {
indxc = 0;
if ( fgets( line, MAXLEN, fp ) ) {
if ( line[0] != '#' && line[0] != '\n' ) { /* Comment or empty line, ignore */
eltstr = strtok( line, delim );
strncpy( tempArr[indxc], eltstr, MAXSTR );
while ( ( eltstr = strtok( NULL, delim ) ) ) {
indxc++;
strncpy( tempArr[indxc], eltstr, MAXSTR );
}
if ( ( indxc + 1 ) == NFIELDS && checkIPaddress( tempArr[2], IPEntry ) == 0 &&
checkIPaddress( tempArr[3], subnetEntry ) == 0 &&
checkIPaddress( hostclient, visitorIP ) == 0 ) {
/* check through if one of the group does correspond to the one allowed */
groupok = 1;
for ( i = 0; i <= nelt; i++ ) {
if ( strcmp( tempArr[1], grouplist[i] ) == 0 ) {
groupok = 0;
break;
}
}
if ( strcmp( tempArr[1], "all" ) == 0 || groupok == 0 ) {
if ( strcmp( tempArr[0], "all" ) == 0 || strcmp( tempArr[0], username ) == 0 ) {
iok = 1;
/* check if <client, group, clientIP> match this entry of the control access file
(iok=1). Get out immediatly from this function: client is allowed to proceed. */
for ( i = 0; i < IPV4; i++ ) {
result = ~( visitorIP[i] ^ IPEntry[i] ) | subnetEntry[i];
if ( result != 255 ) {
iok = 0;
}
}
if ( iok == 1 ) {
fclose( fp ); // JMC cppcheck - resource
return ( 0 );
}
}
}
}
}
}
}
fclose( fp ); // JMC cppcheck - resource
return ( -1 );
}
/*
* Convert the datum to an array of RuleValues
*/
__nis_rule_value_t *
datumToRuleValue(datum *key, datum *value, __nis_table_mapping_t *t,
int *nv, char *domain, bool_t readonly, int *statP) {
__nis_rule_value_t *rvq, *subrvq, *newrvq;
__nis_value_t *val;
__nis_value_t **valA;
__nis_table_mapping_t *sf;
int valueLen, comLen, numVals, nr, count = 1;
int i, j, k, l;
char *ipaddr, *ipvalue;
/* At this point, 't' is always non NULL */
/* Initialize rule-value */
if ((rvq = initRuleValue(1, 0)) == 0) {
*statP = MAP_INTERNAL_ERROR;
return (0);
}
/* Add domainname to rule-value */
if (addCol2RuleValue(vt_string, N2LDOMAIN, domain, strlen(domain),
rvq)) {
freeRuleValue(rvq, 1);
*statP = MAP_INTERNAL_ERROR;
return (0);
}
/* Handle key */
if (key != 0) {
/* Add field=value pair for N2LKEY */
i = addCol2RuleValue(vt_string, N2LKEY, key->dptr, key->dsize,
rvq);
/* For readonly, add field=value pair for N2LSEARCHKEY */
if (readonly == TRUE && i == 0) {
i = addCol2RuleValue(vt_string, N2LSEARCHKEY, key->dptr,
key->dsize, rvq);
}
if (i) {
freeRuleValue(rvq, 1);
*statP = MAP_INTERNAL_ERROR;
return (0);
}
/* Add field=value pairs for IP addresses */
if (checkIPaddress(key->dptr, key->dsize, &ipaddr) > 0) {
/* If key is IPaddress, use preferred format */
ipvalue = ipaddr;
valueLen = strlen(ipaddr);
i = addCol2RuleValue(vt_string, N2LIPKEY, ipvalue,
valueLen, rvq);
} else {
/* If not, use original value for N2LSEARCHIPKEY */
ipaddr = 0;
ipvalue = key->dptr;
valueLen = key->dsize;
i = 0;
}
if (readonly == TRUE && i == 0) {
i = addCol2RuleValue(vt_string, N2LSEARCHIPKEY, ipvalue,
valueLen, rvq);
}
sfree(ipaddr);
if (i) {
freeRuleValue(rvq, 1);
*statP = MAP_INTERNAL_ERROR;
return (0);
}
}
/* Handle datum value */
if (value != 0 && t->e) {
valueLen = value->dsize;
/*
* Extract the comment, if any, and add it to
* the rule-value.
*/
if (t->commentChar != '\0') {
/*
* We loop on value->dsize because value->dptr
* may not be NULL-terminated.
*/
for (i = 0; i < value->dsize; i++) {
if (value->dptr[i] == t->commentChar) {
valueLen = i;
comLen = value->dsize - i - 1;
if (comLen == 0)
break;
if (addCol2RuleValue(vt_string,
N2LCOMMENT, value->dptr + i + 1,
comLen, rvq)) {
freeRuleValue(rvq, 1);
*statP = MAP_INTERNAL_ERROR;
return (0);
}
break;
}
}
}
/* Skip trailing whitespaces */
for (; valueLen > 0 && (value->dptr[valueLen - 1] == ' ' ||
value->dptr[valueLen - 1] == '\t'); valueLen--);
/*
* At this point valueLen is the effective length of
* the data. Convert value into __nis_value_t so that
* we can use the matchMappingItem function to break it
* into fields.
*/
if ((val = stringToValue(value->dptr, valueLen)) == 0) {
freeRuleValue(rvq, 1);
*statP = MAP_NO_MEMORY;
return (0);
}
/* Perform namefield match */
valA = matchMappingItem(t->e->element.match.fmt, val,
&numVals, 0, 0);
if (valA == 0) {
freeValue(val, 1);
freeRuleValue(rvq, 1);
*statP = MAP_NAMEFIELD_MATCH_ERROR;
return (0);
}
/* We don't need val anymore, so free it */
freeValue(val, 1);
/*
* Since matchMappingItem only returns us an array of
* __nis_value_t's, we need to associate each value
* in the array with the corresponding item name.
* This code assumes that numVals will be less than or
* equal to the number of item names associated with
* the format.
* These name=value pairs are added to rvq.
*/
for (i = 0, *statP = SUCCESS; i < numVals; i++) {
for (j = 0; j < count; j++) {
if (addCol2RuleValue(vt_string,
t->e->element.match.item[i].name,
valA[i]->val->value,
valA[i]->val->length, &rvq[j])) {
*statP = MAP_INTERNAL_ERROR;
break;
}
}
if (*statP == MAP_INTERNAL_ERROR)
break;
/*
* Check if splitField exists for the field.
* Since splitfields are also stored as mapping
* structures, we need to get the hash table entry
* corresponding to the splitfield name
*/
sf = mappingFromMap(t->e->element.match.item[i].name,
domain, statP);
if (*statP == MAP_NO_MEMORY)
break;
*statP = SUCCESS;
if (sf == 0)
continue;
/*
* Process and add splitFields to rule-value rvq
*/
subrvq = processSplitField(sf, valA[i], &nr, statP);
if (subrvq == 0) {
/* statP would have been set */
break;
}
/*
* We merge 'count' rule-values in rvq with 'nr'
* rule-values from subrvq to give us a whopping
* 'count * nr' rule-values
*/
/* Initialize the new rule-value array */
if ((newrvq = initRuleValue(count * nr, 0)) == 0) {
*statP = MAP_INTERNAL_ERROR;
freeRuleValue(subrvq, nr);
break;
}
for (j = 0, l = 0; j < nr; j++) {
for (k = 0; k < count; k++, l++) {
if ((mergeRuleValue(&newrvq[l],
&rvq[k]) == -1) ||
(mergeRuleValue(
&newrvq[l],
&subrvq[j]) == -1)) {
*statP = MAP_INTERNAL_ERROR;
for (i = 0; i < numVals; i++)
freeValue(valA[i], 1);
sfree(valA);
freeRuleValue(rvq, count);
freeRuleValue(newrvq,
count * nr);
freeRuleValue(subrvq, nr);
return (0);
}
}
}
freeRuleValue(rvq, count);
rvq = newrvq;
count = l;
freeRuleValue(subrvq, nr);
}
/* We don't need valA anymore, so free it */
for (i = 0; i < numVals; i++)
freeValue(valA[i], 1);
sfree(valA);
if (*statP != SUCCESS) {
freeRuleValue(rvq, count);
return (0);
}
} /* if value */
if (nv != 0)
*nv = count;
return (rvq);
}
