crypto/external/bsd/heimdal/dist/lib/kadm5/acl.c

   1 /*      $NetBSD: acl.c,v 1.1.1.2 2014/04/24 12:45:48 pettai Exp $       */
   2
   3 /*
   4  * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
   5  * (Royal Institute of Technology, Stockholm, Sweden).
   6  * All rights reserved.
   7  *
   8  * Redistribution and use in source and binary forms, with or without
   9  * modification, are permitted provided that the following conditions
  10  * are met:
  11  *
  12  * 1. Redistributions of source code must retain the above copyright
  13  *    notice, this list of conditions and the following disclaimer.
  14  *
  15  * 2. Redistributions in binary form must reproduce the above copyright
  16  *    notice, this list of conditions and the following disclaimer in the
  17  *    documentation and/or other materials provided with the distribution.
  18  *
  19  * 3. Neither the name of the Institute nor the names of its contributors
  20  *    may be used to endorse or promote products derived from this software
  21  *    without specific prior written permission.
  22  *
  23  * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
  24  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  25  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  26  * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
  27  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  28  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  29  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  30  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  31  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  32  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  33  * SUCH DAMAGE.
  34  */
  35
  36 #include "kadm5_locl.h"
  37
  38 __RCSID("NetBSD");
  39
  40 static struct units acl_units[] = {
  41     { "all",            KADM5_PRIV_ALL },
  42     { "change-password",KADM5_PRIV_CPW },
  43     { "cpw",            KADM5_PRIV_CPW },
  44     { "list",           KADM5_PRIV_LIST },
  45     { "delete",         KADM5_PRIV_DELETE },
  46     { "modify",         KADM5_PRIV_MODIFY },
  47     { "add",            KADM5_PRIV_ADD },
  48     { "get",            KADM5_PRIV_GET },
  49     { NULL,             0 }
  50 };
  51
  52 kadm5_ret_t
  53 _kadm5_string_to_privs(const char *s, uint32_t* privs)
  54 {
  55     int flags;
  56     flags = parse_flags(s, acl_units, 0);
  57     if(flags < 0)
  58         return KADM5_FAILURE;
  59     *privs = flags;
  60     return 0;
  61 }
  62
  63 kadm5_ret_t
  64 _kadm5_privs_to_string(uint32_t privs, char *string, size_t len)
  65 {
  66     if(privs == 0)
  67         strlcpy(string, "none", len);
  68     else
  69         unparse_flags(privs, acl_units + 1, string, len);
  70     return 0;
  71 }
  72
  73 /*
  74  * retrieve the right for the current caller on `princ' (NULL means all)
  75  * and store them in `ret_flags'
  76  * return 0 or an error.
  77  */
  78
  79 static kadm5_ret_t
  80 fetch_acl (kadm5_server_context *context,
  81            krb5_const_principal princ,
  82            unsigned *ret_flags)
  83 {
  84     FILE *f;
  85     krb5_error_code ret = 0;
  86     char buf[256];
  87
  88     *ret_flags = 0;
  89
  90     /* no acl file -> no rights */
  91     f = fopen(context->config.acl_file, "r");
  92     if (f == NULL)
  93         return 0;
  94
  95     while(fgets(buf, sizeof(buf), f) != NULL) {
  96         char *foo = NULL, *p;
  97         krb5_principal this_princ;
  98         unsigned flags = 0;
  99
 100         p = strtok_r(buf, " \t\n", &foo);
 101         if(p == NULL)
 102             continue;
 103         if (*p == '#')          /* comment */
 104             continue;
 105         ret = krb5_parse_name(context->context, p, &this_princ);
 106         if(ret)
 107             break;
 108         if(!krb5_principal_compare(context->context,
 109                                    context->caller, this_princ)) {
 110             krb5_free_principal(context->context, this_princ);
 111             continue;
 112         }
 113         krb5_free_principal(context->context, this_princ);
 114         p = strtok_r(NULL, " \t\n", &foo);
 115         if(p == NULL)
 116             continue;
 117         ret = _kadm5_string_to_privs(p, &flags);
 118         if (ret)
 119             break;
 120         p = strtok_r(NULL, " \t\n", &foo);
 121         if (p == NULL) {
 122             *ret_flags = flags;
 123             break;
 124         }
 125         if (princ != NULL) {
 126             krb5_principal pattern_princ;
 127             krb5_boolean match;
 128
 129             ret = krb5_parse_name (context->context, p, &pattern_princ);
 130             if (ret)
 131                 break;
 132             match = krb5_principal_match (context->context,
 133                                           princ, pattern_princ);
 134             krb5_free_principal (context->context, pattern_princ);
 135             if (match) {
 136                 *ret_flags = flags;
 137                 break;
 138             }
 139         }
 140     }
 141     fclose(f);
 142     return ret;
 143 }
 144
 145 /*
 146  * set global acl flags in `context' for the current caller.
 147  * return 0 on success or an error
 148  */
 149
 150 kadm5_ret_t
 151 _kadm5_acl_init(kadm5_server_context *context)
 152 {
 153     krb5_principal princ;
 154     krb5_error_code ret;
 155
 156     ret = krb5_parse_name(context->context, KADM5_ADMIN_SERVICE, &princ);
 157     if (ret)
 158         return ret;
 159     ret = krb5_principal_compare(context->context, context->caller, princ);
 160     krb5_free_principal(context->context, princ);
 161     if(ret != 0) {
 162         context->acl_flags = KADM5_PRIV_ALL;
 163         return 0;
 164     }
 165
 166     return fetch_acl (context, NULL, &context->acl_flags);
 167 }
 168
 169 /*
 170  * check if `flags' allows `op'
 171  * return 0 if OK or an error
 172  */
 173
 174 static kadm5_ret_t
 175 check_flags (unsigned op,
 176              unsigned flags)
 177 {
 178     unsigned res = ~flags & op;
 179
 180     if(res & KADM5_PRIV_GET)
 181         return KADM5_AUTH_GET;
 182     if(res & KADM5_PRIV_ADD)
 183         return KADM5_AUTH_ADD;
 184     if(res & KADM5_PRIV_MODIFY)
 185         return KADM5_AUTH_MODIFY;
 186     if(res & KADM5_PRIV_DELETE)
 187         return KADM5_AUTH_DELETE;
 188     if(res & KADM5_PRIV_CPW)
 189         return KADM5_AUTH_CHANGEPW;
 190     if(res & KADM5_PRIV_LIST)
 191         return KADM5_AUTH_LIST;
 192     if(res)
 193         return KADM5_AUTH_INSUFFICIENT;
 194     return 0;
 195 }
 196
 197 /*
 198  * return 0 if the current caller in `context' is allowed to perform
 199  * `op' on `princ' and otherwise an error
 200  * princ == NULL if it's not relevant.
 201  */
 202
 203 kadm5_ret_t
 204 _kadm5_acl_check_permission(kadm5_server_context *context,
 205                             unsigned op,
 206                             krb5_const_principal princ)
 207 {
 208     kadm5_ret_t ret;
 209     unsigned princ_flags;
 210
 211     ret = check_flags (op, context->acl_flags);
 212     if (ret == 0)
 213         return ret;
 214     ret = fetch_acl (context, princ, &princ_flags);
 215     if (ret)
 216         return ret;
 217     return check_flags (op, princ_flags);
 218 }