enum hbac_eval_result hbac_evaluate(struct hbac_rule **rules, struct hbac_eval_req *hbac_req, struct hbac_info **info) { enum hbac_error_code ret; enum hbac_eval_result result = HBAC_EVAL_DENY; enum hbac_eval_result_int intermediate_result; if (info) { *info = malloc(sizeof(struct hbac_info)); if (!*info) { return HBAC_EVAL_OOM; } (*info)->code = HBAC_ERROR_UNKNOWN; (*info)->rule_name = NULL; } uint32_t i; for (i = 0; rules[i]; i++) { intermediate_result = hbac_evaluate_rule(rules[i], hbac_req, &ret); if (intermediate_result == HBAC_EVAL_UNMATCHED) { /* This rule did not match at all. Skip it */ continue; } else if (intermediate_result == HBAC_EVAL_MATCHED) { /* This request matched an ALLOW rule * Set the result to ALLOW but continue checking * the other rules in case a DENY rule trumps it. */ result = HBAC_EVAL_ALLOW; if (info) { (*info)->code = HBAC_SUCCESS; (*info)->rule_name = strdup(rules[i]->name); if (!(*info)->rule_name) { result = HBAC_EVAL_ERROR; (*info)->code = HBAC_ERROR_OUT_OF_MEMORY; } } break; } else { /* An error occurred processing this rule */ result = HBAC_EVAL_ERROR; if (info) { (*info)->code = ret; (*info)->rule_name = strdup(rules[i]->name); } /* Explicitly not checking the result of strdup(), since if * it's NULL, we can't do anything anyway. */ goto done; } } /* If we've reached the end of the loop, we have either set the * result to ALLOW explicitly or we'll stick with the default DENY. */ done: return result; }
enum hbac_eval_result hbac_evaluate(struct hbac_rule **rules, struct hbac_eval_req *hbac_req, struct hbac_info **info) { uint32_t i; enum hbac_error_code ret; enum hbac_eval_result result = HBAC_EVAL_DENY; enum hbac_eval_result_int intermediate_result; HBAC_DEBUG(HBAC_DBG_INFO, "[< hbac_evaluate()\n"); hbac_req_debug_print(hbac_req); if (info) { *info = malloc(sizeof(struct hbac_info)); if (!*info) { HBAC_DEBUG(HBAC_DBG_ERROR, "Out of memory.\n"); return HBAC_EVAL_OOM; } (*info)->code = HBAC_ERROR_UNKNOWN; (*info)->rule_name = NULL; } for (i = 0; rules[i]; i++) { hbac_rule_debug_print(rules[i]); intermediate_result = hbac_evaluate_rule(rules[i], hbac_req, &ret); if (intermediate_result == HBAC_EVAL_UNMATCHED) { /* This rule did not match at all. Skip it */ HBAC_DEBUG(HBAC_DBG_INFO, "The rule [%s] did not match.\n", rules[i]->name); continue; } else if (intermediate_result == HBAC_EVAL_MATCHED) { HBAC_DEBUG(HBAC_DBG_INFO, "ALLOWED by rule [%s].\n", rules[i]->name); result = HBAC_EVAL_ALLOW; if (info) { (*info)->code = HBAC_SUCCESS; (*info)->rule_name = strdup(rules[i]->name); if (!(*info)->rule_name) { HBAC_DEBUG(HBAC_DBG_ERROR, "Out of memory.\n"); result = HBAC_EVAL_ERROR; (*info)->code = HBAC_ERROR_OUT_OF_MEMORY; } } break; } else { /* An error occurred processing this rule */ HBAC_DEBUG(HBAC_DBG_ERROR, "Error %d occurred during evaluating of rule [%s].\n", ret, rules[i]->name); result = HBAC_EVAL_ERROR; if (info) { (*info)->code = ret; (*info)->rule_name = strdup(rules[i]->name); } /* Explicitly not checking the result of strdup(), since if * it's NULL, we can't do anything anyway. */ goto done; } } /* If we've reached the end of the loop, we have either set the * result to ALLOW explicitly or we'll stick with the default DENY. */ done: HBAC_DEBUG(HBAC_DBG_INFO, "hbac_evaluate() >]\n"); return result; }