/* It is allowed to have duplicate handles (paths or class names or variables
* etc) in bundle server access_rules in policy files, but the lists here
* should have unique entries. This, we make sure here. */
static Auth *GetOrCreateAuth(const char *handle, Auth **authchain, Auth **authchain_tail)
{
Auth *a = GetAuthPath(handle, *authchain);
if (!a)
{
InstallServerAuthPath(handle, authchain, authchain_tail);
a = GetAuthPath(handle, *authchain);
}
return a;
}
static void KeepServerRolePromise(EvalContext *ctx, Promise *pp)
{
Rlist *rp;
Auth *ap;
if (!GetAuthPath(pp->promiser, SV.roles))
{
InstallServerAuthPath(pp->promiser, &SV.roles, &SV.rolestop);
}
ap = GetAuthPath(pp->promiser, SV.roles);
for (size_t i = 0; i < SeqLength(pp->conlist); i++)
{
Constraint *cp = SeqAt(pp->conlist, i);
if (!IsDefinedClass(ctx, cp->classes, PromiseGetNamespace(pp)))
{
continue;
}
switch (cp->rval.type)
{
case RVAL_TYPE_LIST:
for (rp = (Rlist *) cp->rval.item; rp != NULL; rp = rp->next)
{
if (strcmp(cp->lval, CF_REMROLE_BODIES[REMOTE_ROLE_AUTHORIZE].lval) == 0)
{
PrependItem(&(ap->accesslist), rp->item, NULL);
continue;
}
}
break;
case RVAL_TYPE_FNCALL:
/* Shouldn't happen */
break;
default:
if ((strcmp(cp->lval, "comment") == 0) || (strcmp(cp->lval, "handle") == 0))
{
}
else
{
Log(LOG_LEVEL_ERR, "Right-hand side of authorize promise for '%s' should be a list", pp->promiser);
}
break;
}
}
}
static void KeepServerRolePromise(Promise *pp)
{
Constraint *cp;
Rlist *rp;
Auth *ap;
if (!GetAuthPath(pp->promiser, ROLES))
{
InstallServerAuthPath(pp->promiser, &ROLES, &ROLESTOP);
}
ap = GetAuthPath(pp->promiser, ROLES);
for (cp = pp->conlist; cp != NULL; cp = cp->next)
{
if (!IsDefinedClass(cp->classes))
{
continue;
}
switch (cp->rval.rtype)
{
case CF_LIST:
for (rp = (Rlist *) cp->rval.item; rp != NULL; rp = rp->next)
{
if (strcmp(cp->lval, CF_REMROLE_BODIES[cfs_authorize].lval) == 0)
{
PrependItem(&(ap->accesslist), rp->item, NULL);
continue;
}
}
break;
case CF_FNCALL:
/* Shouldn't happen */
break;
default:
if (strcmp(cp->lval, "comment") == 0 || strcmp(cp->lval, "handle") == 0)
{
}
else
{
CfOut(cf_error, "", "RHS of authorize promise for %s should be a list\n", pp->promiser);
}
break;
}
}
}
void KeepQueryAccessPromise(EvalContext *ctx, Promise *pp, char *type)
{
Rlist *rp;
Auth *ap, *dp;
if (!GetAuthPath(pp->promiser, SV.varadmit))
{
InstallServerAuthPath(pp->promiser, &SV.varadmit, &SV.varadmittop);
}
RegisterLiteralServerData(ctx, pp->promiser, pp);
if (!GetAuthPath(pp->promiser, SV.vardeny))
{
InstallServerAuthPath(pp->promiser, &SV.vardeny, &SV.vardenytop);
}
ap = GetAuthPath(pp->promiser, SV.varadmit);
dp = GetAuthPath(pp->promiser, SV.vardeny);
if (strcmp(type, "query") == 0)
{
ap->literal = true;
}
for (size_t i = 0; i < SeqLength(pp->conlist); i++)
{
Constraint *cp = SeqAt(pp->conlist, i);
if (!IsDefinedClass(ctx, cp->classes, PromiseGetNamespace(pp)))
{
continue;
}
switch (cp->rval.type)
{
case RVAL_TYPE_SCALAR:
if (strcmp(cp->lval, CF_REMACCESS_BODIES[REMOTE_ACCESS_ENCRYPTED].lval) == 0)
{
ap->encrypt = true;
}
break;
case RVAL_TYPE_LIST:
for (rp = (Rlist *) cp->rval.item; rp != NULL; rp = rp->next)
{
if (strcmp(cp->lval, CF_REMACCESS_BODIES[REMOTE_ACCESS_ADMIT].lval) == 0)
{
PrependItem(&(ap->accesslist), rp->item, NULL);
continue;
}
if (strcmp(cp->lval, CF_REMACCESS_BODIES[REMOTE_ACCESS_DENY].lval) == 0)
{
PrependItem(&(dp->accesslist), rp->item, NULL);
continue;
}
if (strcmp(cp->lval, CF_REMACCESS_BODIES[REMOTE_ACCESS_MAPROOT].lval) == 0)
{
PrependItem(&(ap->maproot), rp->item, NULL);
continue;
}
}
break;
default:
/* Shouldn't happen */
break;
}
}
}
void KeepLiteralAccessPromise(EvalContext *ctx, Promise *pp, char *type)
{
Rlist *rp;
Auth *ap = NULL, *dp = NULL;
const char *handle = PromiseGetHandle(pp);
if ((handle == NULL) && (strcmp(type,"literal") == 0))
{
Log(LOG_LEVEL_ERR, "Access to literal server data requires you to define a promise handle for reference");
return;
}
if (strcmp(type, "literal") == 0)
{
Log(LOG_LEVEL_VERBOSE,"Looking at literal access promise '%s', type '%s'", pp->promiser, type);
if (!GetAuthPath(handle, SV.varadmit))
{
InstallServerAuthPath(handle, &SV.varadmit, &SV.varadmittop);
}
if (!GetAuthPath(handle, SV.vardeny))
{
InstallServerAuthPath(handle, &SV.vardeny, &SV.vardenytop);
}
RegisterLiteralServerData(ctx, handle, pp);
ap = GetAuthPath(handle, SV.varadmit);
dp = GetAuthPath(handle, SV.vardeny);
ap->literal = true;
}
else
{
Log(LOG_LEVEL_VERBOSE,"Looking at context/var access promise '%s', type '%s'", pp->promiser, type);
if (!GetAuthPath(pp->promiser, SV.varadmit))
{
InstallServerAuthPath(pp->promiser, &SV.varadmittop, &SV.varadmittop);
}
if (!GetAuthPath(pp->promiser, SV.vardeny))
{
InstallServerAuthPath(pp->promiser, &SV.vardeny, &SV.vardenytop);
}
if (strcmp(type, "context") == 0)
{
ap = GetAuthPath(pp->promiser, SV.varadmit);
dp = GetAuthPath(pp->promiser, SV.vardeny);
ap->classpattern = true;
}
if (strcmp(type, "variable") == 0)
{
ap = GetAuthPath(pp->promiser, SV.varadmit); // Allow the promiser (preferred) as well as handle as variable name
dp = GetAuthPath(pp->promiser, SV.vardeny);
ap->variable = true;
}
}
for (size_t i = 0; i < SeqLength(pp->conlist); i++)
{
Constraint *cp = SeqAt(pp->conlist, i);
if (!IsDefinedClass(ctx, cp->classes, PromiseGetNamespace(pp)))
{
continue;
}
switch (cp->rval.type)
{
case RVAL_TYPE_SCALAR:
if (strcmp(cp->lval, CF_REMACCESS_BODIES[REMOTE_ACCESS_ENCRYPTED].lval) == 0)
{
ap->encrypt = true;
}
break;
case RVAL_TYPE_LIST:
for (rp = (Rlist *) cp->rval.item; rp != NULL; rp = rp->next)
{
if (strcmp(cp->lval, CF_REMACCESS_BODIES[REMOTE_ACCESS_ADMIT].lval) == 0)
{
PrependItem(&(ap->accesslist), rp->item, NULL);
continue;
}
if (strcmp(cp->lval, CF_REMACCESS_BODIES[REMOTE_ACCESS_DENY].lval) == 0)
{
PrependItem(&(dp->accesslist), rp->item, NULL);
continue;
}
if (strcmp(cp->lval, CF_REMACCESS_BODIES[REMOTE_ACCESS_MAPROOT].lval) == 0)
{
PrependItem(&(ap->maproot), rp->item, NULL);
continue;
}
}
break;
default:
/* Shouldn't happen */
break;
}
}
}
void KeepFileAccessPromise(EvalContext *ctx, const Promise *pp)
{
Rlist *rp;
Auth *ap, *dp;
if (strlen(pp->promiser) != 1)
{
DeleteSlash(pp->promiser);
}
if (!GetAuthPath(pp->promiser, SV.admit))
{
InstallServerAuthPath(pp->promiser, &SV.admit, &SV.admittop);
}
if (!GetAuthPath(pp->promiser, SV.deny))
{
InstallServerAuthPath(pp->promiser, &SV.deny, &SV.denytop);
}
ap = GetAuthPath(pp->promiser, SV.admit);
dp = GetAuthPath(pp->promiser, SV.deny);
for (size_t i = 0; i < SeqLength(pp->conlist); i++)
{
Constraint *cp = SeqAt(pp->conlist, i);
if (!IsDefinedClass(ctx, cp->classes, PromiseGetNamespace(pp)))
{
continue;
}
switch (cp->rval.type)
{
case RVAL_TYPE_SCALAR:
if (strcmp(cp->lval, CF_REMACCESS_BODIES[REMOTE_ACCESS_ENCRYPTED].lval) == 0)
{
ap->encrypt = true;
}
break;
case RVAL_TYPE_LIST:
for (rp = (Rlist *) cp->rval.item; rp != NULL; rp = rp->next)
{
if (strcmp(cp->lval, CF_REMACCESS_BODIES[REMOTE_ACCESS_ADMIT].lval) == 0)
{
PrependItem(&(ap->accesslist), RlistScalarValue(rp), NULL);
continue;
}
if (strcmp(cp->lval, CF_REMACCESS_BODIES[REMOTE_ACCESS_DENY].lval) == 0)
{
PrependItem(&(dp->accesslist), RlistScalarValue(rp), NULL);
continue;
}
if (strcmp(cp->lval, CF_REMACCESS_BODIES[REMOTE_ACCESS_MAPROOT].lval) == 0)
{
PrependItem(&(ap->maproot), RlistScalarValue(rp), NULL);
continue;
}
}
break;
default:
UnexpectedError("Unknown constraint type!");
break;
}
}
}
void KeepQueryAccessPromise(Promise *pp, char *type)
{
Constraint *cp;
Rlist *rp;
Auth *ap, *dp;
if (!GetAuthPath(pp->promiser, VARADMIT))
{
InstallServerAuthPath(pp->promiser, &VARADMIT, &VARADMITTOP);
}
RegisterLiteralServerData(pp->promiser, pp);
if (!GetAuthPath(pp->promiser, VARDENY))
{
InstallServerAuthPath(pp->promiser, &VARDENY, &VARDENYTOP);
}
ap = GetAuthPath(pp->promiser, VARADMIT);
dp = GetAuthPath(pp->promiser, VARDENY);
if (strcmp(type, "query") == 0)
{
ap->literal = true;
}
for (cp = pp->conlist; cp != NULL; cp = cp->next)
{
if (!IsDefinedClass(cp->classes))
{
continue;
}
switch (cp->rval.rtype)
{
case CF_SCALAR:
if (strcmp(cp->lval, CF_REMACCESS_BODIES[cfs_encrypted].lval) == 0)
{
ap->encrypt = true;
}
break;
case CF_LIST:
for (rp = (Rlist *) cp->rval.item; rp != NULL; rp = rp->next)
{
if (strcmp(cp->lval, CF_REMACCESS_BODIES[cfs_admit].lval) == 0)
{
PrependItem(&(ap->accesslist), rp->item, NULL);
continue;
}
if (strcmp(cp->lval, CF_REMACCESS_BODIES[cfs_deny].lval) == 0)
{
PrependItem(&(dp->accesslist), rp->item, NULL);
continue;
}
if (strcmp(cp->lval, CF_REMACCESS_BODIES[cfs_maproot].lval) == 0)
{
PrependItem(&(ap->maproot), rp->item, NULL);
continue;
}
}
break;
case CF_FNCALL:
/* Shouldn't happen */
break;
}
}
}
void KeepLiteralAccessPromise(Promise *pp, char *type)
{
Constraint *cp;
Rlist *rp;
Auth *ap, *dp;
char *handle = GetConstraintValue("handle", pp, CF_SCALAR);
if (handle == NULL)
{
CfOut(cf_error, "", "Access to literal server data requires you to define a promise handle for reference");
return;
}
if (!GetAuthPath(handle, VARADMIT))
{
InstallServerAuthPath(handle, &VARADMIT, &VARADMITTOP);
}
RegisterLiteralServerData(handle, pp);
if (!GetAuthPath(handle, VARDENY))
{
InstallServerAuthPath(handle, &VARDENY, &VARDENYTOP);
}
ap = GetAuthPath(handle, VARADMIT);
dp = GetAuthPath(handle, VARDENY);
if (strcmp(type, "literal") == 0)
{
ap->literal = true;
}
if (strcmp(type, "context") == 0)
{
ap->classpattern = true;
}
for (cp = pp->conlist; cp != NULL; cp = cp->next)
{
if (!IsDefinedClass(cp->classes))
{
continue;
}
switch (cp->rval.rtype)
{
case CF_SCALAR:
if (strcmp(cp->lval, CF_REMACCESS_BODIES[cfs_encrypted].lval) == 0)
{
ap->encrypt = true;
}
break;
case CF_LIST:
for (rp = (Rlist *) cp->rval.item; rp != NULL; rp = rp->next)
{
if (strcmp(cp->lval, CF_REMACCESS_BODIES[cfs_admit].lval) == 0)
{
PrependItem(&(ap->accesslist), rp->item, NULL);
continue;
}
if (strcmp(cp->lval, CF_REMACCESS_BODIES[cfs_deny].lval) == 0)
{
PrependItem(&(dp->accesslist), rp->item, NULL);
continue;
}
if (strcmp(cp->lval, CF_REMACCESS_BODIES[cfs_maproot].lval) == 0)
{
PrependItem(&(ap->maproot), rp->item, NULL);
continue;
}
}
break;
case CF_FNCALL:
/* Shouldn't happen */
break;
}
}
}
void KeepFileAccessPromise(struct Promise *pp)
{ struct Constraint *cp;
struct Rlist *rp;
struct Auth *ap,*dp;
char *val;
if (strlen(pp->promiser) != 1)
{
DeleteSlash(pp->promiser);
}
if (!GetAuthPath(pp->promiser,VADMIT))
{
InstallServerAuthPath(pp->promiser,&VADMIT,&VADMITTOP);
}
if (!GetAuthPath(pp->promiser,VDENY))
{
InstallServerAuthPath(pp->promiser,&VDENY,&VDENYTOP);
}
ap = GetAuthPath(pp->promiser,VADMIT);
dp = GetAuthPath(pp->promiser,VDENY);
for (cp = pp->conlist; cp != NULL; cp = cp->next)
{
if (!IsDefinedClass(cp->classes))
{
continue;
}
switch (cp->type)
{
case CF_SCALAR:
val = (char *)cp->rval;
if (strcmp(cp->lval,CF_REMACCESS_BODIES[cfs_encrypted].lval) == 0)
{
ap->encrypt = true;
}
break;
case CF_LIST:
for (rp = (struct Rlist *)cp->rval; rp != NULL; rp=rp->next)
{
if (strcmp(cp->lval,CF_REMACCESS_BODIES[cfs_admit].lval) == 0)
{
PrependItem(&(ap->accesslist),rp->item,NULL);
continue;
}
if (strcmp(cp->lval,CF_REMACCESS_BODIES[cfs_deny].lval) == 0)
{
PrependItem(&(dp->accesslist),rp->item,NULL);
continue;
}
if (strcmp(cp->lval,CF_REMACCESS_BODIES[cfs_maproot].lval) == 0)
{
PrependItem(&(ap->maproot),rp->item,NULL);
continue;
}
}
break;
case CF_FNCALL:
/* Shouldn't happen */
break;
}
}
}