enum hbac_eval_result hbac_evaluate(struct hbac_rule **rules,
struct hbac_eval_req *hbac_req,
struct hbac_info **info)
{
enum hbac_error_code ret;
enum hbac_eval_result result = HBAC_EVAL_DENY;
enum hbac_eval_result_int intermediate_result;
if (info) {
*info = malloc(sizeof(struct hbac_info));
if (!*info) {
return HBAC_EVAL_OOM;
}
(*info)->code = HBAC_ERROR_UNKNOWN;
(*info)->rule_name = NULL;
}
uint32_t i;
for (i = 0; rules[i]; i++) {
intermediate_result = hbac_evaluate_rule(rules[i], hbac_req, &ret);
if (intermediate_result == HBAC_EVAL_UNMATCHED) {
/* This rule did not match at all. Skip it */
continue;
} else if (intermediate_result == HBAC_EVAL_MATCHED) {
/* This request matched an ALLOW rule
* Set the result to ALLOW but continue checking
* the other rules in case a DENY rule trumps it.
*/
result = HBAC_EVAL_ALLOW;
if (info) {
(*info)->code = HBAC_SUCCESS;
(*info)->rule_name = strdup(rules[i]->name);
if (!(*info)->rule_name) {
result = HBAC_EVAL_ERROR;
(*info)->code = HBAC_ERROR_OUT_OF_MEMORY;
}
}
break;
} else {
/* An error occurred processing this rule */
result = HBAC_EVAL_ERROR;
if (info) {
(*info)->code = ret;
(*info)->rule_name = strdup(rules[i]->name);
}
/* Explicitly not checking the result of strdup(), since if
* it's NULL, we can't do anything anyway.
*/
goto done;
}
}
/* If we've reached the end of the loop, we have either set the
* result to ALLOW explicitly or we'll stick with the default DENY.
*/
done:
return result;
}
enum hbac_eval_result hbac_evaluate(struct hbac_rule **rules,
struct hbac_eval_req *hbac_req,
struct hbac_info **info)
{
uint32_t i;
enum hbac_error_code ret;
enum hbac_eval_result result = HBAC_EVAL_DENY;
enum hbac_eval_result_int intermediate_result;
HBAC_DEBUG(HBAC_DBG_INFO, "[< hbac_evaluate()\n");
hbac_req_debug_print(hbac_req);
if (info) {
*info = malloc(sizeof(struct hbac_info));
if (!*info) {
HBAC_DEBUG(HBAC_DBG_ERROR, "Out of memory.\n");
return HBAC_EVAL_OOM;
}
(*info)->code = HBAC_ERROR_UNKNOWN;
(*info)->rule_name = NULL;
}
for (i = 0; rules[i]; i++) {
hbac_rule_debug_print(rules[i]);
intermediate_result = hbac_evaluate_rule(rules[i], hbac_req, &ret);
if (intermediate_result == HBAC_EVAL_UNMATCHED) {
/* This rule did not match at all. Skip it */
HBAC_DEBUG(HBAC_DBG_INFO, "The rule [%s] did not match.\n",
rules[i]->name);
continue;
} else if (intermediate_result == HBAC_EVAL_MATCHED) {
HBAC_DEBUG(HBAC_DBG_INFO, "ALLOWED by rule [%s].\n", rules[i]->name);
result = HBAC_EVAL_ALLOW;
if (info) {
(*info)->code = HBAC_SUCCESS;
(*info)->rule_name = strdup(rules[i]->name);
if (!(*info)->rule_name) {
HBAC_DEBUG(HBAC_DBG_ERROR, "Out of memory.\n");
result = HBAC_EVAL_ERROR;
(*info)->code = HBAC_ERROR_OUT_OF_MEMORY;
}
}
break;
} else {
/* An error occurred processing this rule */
HBAC_DEBUG(HBAC_DBG_ERROR,
"Error %d occurred during evaluating of rule [%s].\n",
ret, rules[i]->name);
result = HBAC_EVAL_ERROR;
if (info) {
(*info)->code = ret;
(*info)->rule_name = strdup(rules[i]->name);
}
/* Explicitly not checking the result of strdup(), since if
* it's NULL, we can't do anything anyway.
*/
goto done;
}
}
/* If we've reached the end of the loop, we have either set the
* result to ALLOW explicitly or we'll stick with the default DENY.
*/
done:
HBAC_DEBUG(HBAC_DBG_INFO, "hbac_evaluate() >]\n");
return result;
}
