search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Added a parameter to semaphore constructor to avoid ambiguity
[pwlib.git] / src / ptclib / ipacl.cxx
blobf69bb89eb723f8752c473435e7505ffca1373a31
1 /*
2 * ipacl.cxx
3 *
4 * IP Access Control Lists
5 *
6 * Portable Windows Library
7 *
8 * Copyright (c) 2002 Equivalence Pty. Ltd.
9 *
10 * The contents of this file are subject to the Mozilla Public License
11 * Version 1.0 (the "License"); you may not use this file except in
12 * compliance with the License. You may obtain a copy of the License at
13 * http://www.mozilla.org/MPL/
14 *
15 * Software distributed under the License is distributed on an "AS IS"
16 * basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
17 * the License for the specific language governing rights and limitations
18 * under the License.
19 *
20 * The Original Code is Portable Windows Library.
21 *
22 * The Initial Developer of the Original Code is Equivalence Pty. Ltd.
23 *
24 * Contributor(s): ______________________________________.
25 *
26 * $Log$
27 * Revision 1.14 2002/11/06 22:47:25 robertj
28 * Fixed header comment (copyright etc)
29 *
30 * Revision 1.13 2002/07/16 10:05:01 robertj
31 * Fixed GNU warning
32 *
33 * Revision 1.12 2002/07/16 10:02:49 robertj
34 * Fixed MSVC warning
35 *
36 * Revision 1.11 2002/07/16 09:58:51 robertj
37 * Fixed compatibility with unix htonl(), use platform independent function!
38 * Allow number of bits of 32 to be a full mask, ie a single host ip.
39 *
40 * Revision 1.10 2002/07/16 08:00:49 robertj
41 * Fixed correct endian-ness of mask when specifed in bits.
42 *
43 * Revision 1.9 2002/06/19 04:03:21 robertj
44 * Added default allowance boolean if ACL empty.
45 * Added ability to override the creation of ACL entry objects with descendents
46 * so an application can add information/functionality to each entry.
47 *
48 * Revision 1.8 2002/02/13 02:08:12 robertj
49 * Added const to IsAllowed() function.
50 * Added missing function that takes a socket.
51 *
52 * Revision 1.7 1999/02/25 13:01:11 robertj
53 * Fixed subtle bug in GNU compiler not automatically casting IP address.
54 *
55 * Revision 1.6 1999/02/25 11:10:52 robertj
56 * Fixed count of non-hidden entries in config file.
57 *
58 * Revision 1.5 1999/02/25 05:05:15 robertj
59 * Added missing test for hidden entries not to be written to config file
60 *
61 * Revision 1.4 1999/02/08 08:05:39 robertj
62 * Changed semantics of IP access control list for empty list.
63 *
64 * Revision 1.3 1999/01/31 10:14:07 robertj
65 * Changed about dialog to be full company name
66 *
67 * Revision 1.2 1999/01/31 08:10:33 robertj
68 * Fixed PConfig file save, out by one error in array subscript.
69 *
70 * Revision 1.1 1999/01/31 00:59:26 robertj
71 * Added IP Access Control List class to PTLib Components
72 *
73 */
74
75 #include <ptlib.h>
76 #include <ptclib/ipacl.h>
77
78 #define new PNEW
79
80
81 PIpAccessControlEntry::PIpAccessControlEntry(PIPSocket::Address addr,
82 PIPSocket::Address msk,
83 BOOL allow)
84 : address(addr), mask(msk)
85 {
86 allowed = allow;
87 hidden = FALSE;
88 }
89
90
91 PIpAccessControlEntry::PIpAccessControlEntry(const PString & description)
92 : address(0), mask(0xffffffff)
93 {
94 Parse(description);
95 }
96
97
98 PIpAccessControlEntry & PIpAccessControlEntry::operator=(const PString & description)
99 {
100 Parse(description);
101 return *this;
102 }
103
104
105 PIpAccessControlEntry & PIpAccessControlEntry::operator=(const char * description)
106 {
107 Parse(description);
108 return *this;
109 }
110
111
112 PObject::Comparison PIpAccessControlEntry::Compare(const PObject & obj) const
113 {
114 PAssert(obj.IsDescendant(Class()), PInvalidCast);
115 const PIpAccessControlEntry & other = (const PIpAccessControlEntry &)obj;
116
117 // The larger the mask value, th more specific the range, so earlier in list
118 if (mask > other.mask)
119 return LessThan;
120 if (mask < other.mask)
121 return GreaterThan;
122
123 if (!domain && !other.domain)
124 return domain.Compare(other.domain);
125
126 if (address > other.address)
127 return LessThan;
128 if (address < other.address)
129 return GreaterThan;
130
131 return EqualTo;
132 }
133
134
135 void PIpAccessControlEntry::PrintOn(ostream & strm) const
136 {
137 if (!allowed)
138 strm << '-';
139
140 if (hidden)
141 strm << '@';
142
143 if (domain.IsEmpty())
144 strm << address;
145 else if (domain[0] != '\xff')
146 strm << domain;
147 else {
148 strm << "ALL";
149 return;
150 }
151
152 if (mask != 0 && mask != 0xffffffff)
153 strm << '/' << mask;
154 }
155
156
157 void PIpAccessControlEntry::ReadFrom(istream & strm)
158 {
159 char buffer[200];
160 strm >> ws >> buffer;
161 Parse(buffer);
162 }
163
164
165 BOOL PIpAccessControlEntry::Parse(const PString & description)
166 {
167 domain = PString();
168 address = 0;
169
170 if (description.IsEmpty())
171 return FALSE;
172
173 // Check for the allow/deny indication in first character of description
174 BOOL offset = 1;
175 if (description[0] == '-')
176 allowed = FALSE;
177 else {
178 allowed = TRUE;
179 if (description[0] != '+')
180 offset = 0;
181 }
182
183 // Check for indication entry is from the hosts.allow/hosts.deny file
184 hidden = FALSE;
185 if (description[offset] == '@') {
186 offset++;
187 hidden = TRUE;
188 }
189
190 if (description.Mid(offset) *= "all") {
191 domain = "\xff";
192 mask = 0;
193 return TRUE;
194 }
195
196 PINDEX slash = description.Find('/', offset);
197
198 PString preSlash = description(offset, slash-1);
199 if (preSlash[0] == '.') {
200 // If has a leading dot then assume a domain, ignore anything after slash
201 domain = preSlash;
202 mask = 0;
203 return TRUE;
204 }
205
206 if (strspn(preSlash, "0123456789.") != (size_t)preSlash.GetLength()) {
207 // If is not all numbers and dots can't be an IP number so assume hostname
208 domain = preSlash;
209 }
210 else if (preSlash[preSlash.GetLength()-1] != '.') {
211 // Must be explicit IP number if doesn't end in dot
212 address = preSlash;
213 }
214 else {
215 // Must be partial IP number, count the dots!
216 PINDEX dot = preSlash.Find('.', preSlash.Find('.')+1);
217 if (dot == P_MAX_INDEX) {
218 // One dot
219 preSlash += "0.0.0";
220 mask = "255.0.0.0";
221 }
222 else if ((dot = preSlash.Find('.', dot+1)) == P_MAX_INDEX) {
223 // has two dots
224 preSlash += "0.0";
225 mask = "255.255.0.0";
226 }
227 else if (preSlash.Find('.', dot+1) == P_MAX_INDEX) {
228 // has three dots
229 preSlash += "0";
230 mask = "255.255.255.0";
231 }
232 else {
233 // Has more than three dots!
234 return FALSE;
235 }
236
237 address = preSlash;
238 return TRUE;
239 }
240
241 if (slash == P_MAX_INDEX) {
242 // No slash so assume a full mask
243 mask = 0xffffffff;
244 return TRUE;
245 }
246
247 PString postSlash = description.Mid(slash+1);
248 if (strspn(postSlash, "0123456789.") != (size_t)postSlash.GetLength()) {
249 domain = PString();
250 address = 0;
251 return FALSE;
252 }
253
254 if (postSlash.Find('.') != P_MAX_INDEX)
255 mask = postSlash;
256 else {
257 DWORD bits = postSlash.AsUnsigned();
258 if (bits > 32)
259 mask = PSocket::Host2Net(bits);
260 else
261 mask = PSocket::Host2Net((DWORD)(0xffffffff << (32 - bits)));
262 }
263
264 if (mask == 0)
265 domain = "\xff";
266
267 address = (DWORD)address & (DWORD)mask;
268
269 return TRUE;
270 }
271
272
273 PString PIpAccessControlEntry::AsString() const
274 {
275 PStringStream str;
276 str << *this;
277 return str;
278 }
279
280
281 BOOL PIpAccessControlEntry::IsValid()
282 {
283 return address != 0 || !domain;
284 }
285
286
287 BOOL PIpAccessControlEntry::Match(PIPSocket::Address & addr)
288 {
289 switch (domain[0]) {
290 case '\0' : // Must have address field set
291 break;
292
293 case '.' : // Are a domain name
294 return PIPSocket::GetHostName(addr).Right(domain.GetLength()) *= domain;
295
296 case '\xff' : // Match all
297 return TRUE;
298
299 default : // All else must be a hostname
300 if (!PIPSocket::GetHostAddress(domain, address))
301 return FALSE;
302 }
303
304 return (address & mask) == (addr & mask);
305 }
306
307
308 ///////////////////////////////////////////////////////////////////////////////
309
310 PIpAccessControlList::PIpAccessControlList(BOOL defAllow)
311 : defaultAllowance(defAllow)
312 {
313 }
314
315
316 static BOOL ReadConfigFileLine(PTextFile & file, PString & line)
317 {
318 line = PString();
319
320 do {
321 if (!file.ReadLine(line))
322 return FALSE;
323 } while (line.IsEmpty() || line[0] == '#');
324
325 PINDEX lastCharPos;
326 while (line[lastCharPos = line.GetLength()-1] == '\\') {
327 PString str;
328 if (!file.ReadLine(str))
329 return FALSE;
330 line[lastCharPos] = ' ';
331 line += str;
332 }
333
334 return TRUE;
335 }
336
337
338 static void ParseConfigFileExcepts(const PString & str,
339 PStringList & entries,
340 PStringList & exceptions)
341 {
342 PStringArray terms = str.Tokenise(' ', FALSE);
343
344 BOOL hadExcept = FALSE;
345 PINDEX d;
346 for (d = 0; d < terms.GetSize(); d++) {
347 if (terms[d] == "EXCEPT")
348 hadExcept = TRUE;
349 else if (hadExcept)
350 exceptions.AppendString(terms[d]);
351 else
352 entries.AppendString(terms[d]);
353 }
354 }
355
356
357 static BOOL SplitConfigFileLine(const PString & line, PString & daemons, PString & clients)
358 {
359 PINDEX colon = line.Find(':');
360 if (colon == P_MAX_INDEX)
361 return FALSE;
362
363 daemons = line.Left(colon).Trim();
364
365 PINDEX other_colon = line.Find(':', ++colon);
366 clients = line(colon, other_colon-1).Trim();
367
368 return TRUE;
369 }
370
371
372 static BOOL IsDaemonInConfigFileLine(const PString & daemon, const PString & daemons)
373 {
374 PStringList daemonsIn, daemonsOut;
375 ParseConfigFileExcepts(daemons, daemonsIn, daemonsOut);
376
377 for (PINDEX in = 0; in < daemonsIn.GetSize(); in++) {
378 if (daemonsIn[in] == "ALL" || daemonsIn[in] == daemon) {
379 PINDEX out;
380 for (out = 0; out < daemonsOut.GetSize(); out++) {
381 if (daemonsOut[out] == daemon)
382 break;
383 }
384 if (out >= daemonsOut.GetSize())
385 return TRUE;
386 }
387 }
388
389 return FALSE;
390 }
391
392
393 static BOOL ReadConfigFile(PTextFile & file,
394 const PString & daemon,
395 PStringList & clientsIn,
396 PStringList & clientsOut)
397 {
398 PString line;
399 while (ReadConfigFileLine(file, line)) {
400 PString daemons, clients;
401 if (SplitConfigFileLine(line, daemons, clients) &&
402 IsDaemonInConfigFileLine(daemon, daemons)) {
403 ParseConfigFileExcepts(clients, clientsIn, clientsOut);
404 return TRUE;
405 }
406 }
407
408 return FALSE;
409 }
410
411
412 BOOL PIpAccessControlList::InternalLoadHostsAccess(const PString & daemonName,
413 const char * filename,
414 BOOL allowance)
415 {
416 PTextFile file;
417 if (!file.Open(PProcess::GetOSConfigDir() + filename, PFile::ReadOnly))
418 return TRUE;
419
420 BOOL ok = TRUE;
421
422 PStringList clientsIn;
423 PStringList clientsOut;
424 while (ReadConfigFile(file, daemonName, clientsIn, clientsOut)) {
425 PINDEX i;
426 for (i = 0; i < clientsOut.GetSize(); i++) {
427 if (!Add((allowance ? "-@" : "+@") + clientsOut[i]))
428 ok = FALSE;
429 }
430 for (i = 0; i < clientsIn.GetSize(); i++) {
431 if (!Add((allowance ? "+@" : "-@") + clientsIn[i]))
432 ok = FALSE;
433 }
434 }
435
436 return ok;
437 }
438
439
440 BOOL PIpAccessControlList::LoadHostsAccess(const char * daemonName)
441 {
442 PString daemon;
443 if (daemonName != NULL)
444 daemon = daemonName;
445 else
446 daemon = PProcess::Current().GetName();
447
448 return InternalLoadHostsAccess(daemon, "hosts.allow", TRUE) & // Really is a single &
449 InternalLoadHostsAccess(daemon, "hosts.deny", FALSE);
450 }
451
452
453 static const char DefaultConfigName[] = "IP Access Control List";
454
455 BOOL PIpAccessControlList::Load(PConfig & cfg)
456 {
457 return Load(cfg, DefaultConfigName);
458 }
459
460
461 BOOL PIpAccessControlList::Load(PConfig & cfg, const PString & baseName)
462 {
463 BOOL ok = TRUE;
464 PINDEX count = cfg.GetInteger(baseName & "Array Size");
465 for (PINDEX i = 1; i <= count; i++) {
466 if (!Add(cfg.GetString(baseName & PString(PString::Unsigned, i))))
467 ok = FALSE;
468 }
469
470 return ok;
471 }
472
473
474 void PIpAccessControlList::Save(PConfig & cfg)
475 {
476 Save(cfg, DefaultConfigName);
477 }
478
479
480 void PIpAccessControlList::Save(PConfig & cfg, const PString & baseName)
481 {
482 PINDEX count = 0;
483
484 for (PINDEX i = 0; i < GetSize(); i++) {
485 PIpAccessControlEntry & entry = operator[](i);
486 if (!entry.IsHidden()) {
487 count++;
488 cfg.SetString(baseName & PString(PString::Unsigned, count), entry.AsString());
489 }
490 }
491
492 cfg.SetInteger(baseName & "Array Size", count);
493 }
494
495
496 BOOL PIpAccessControlList::Add(PIpAccessControlEntry * entry)
497 {
498 if (!entry->IsValid()) {
499 delete entry;
500 return FALSE;
501 }
502
503 PINDEX idx = GetValuesIndex(*entry);
504 if (idx == P_MAX_INDEX) {
505 Append(entry);
506 return TRUE;
507 }
508
509 // Return TRUE if the newly added entry is identical to an existing one
510 PIpAccessControlEntry & existing = operator[](idx);
511 BOOL ok = existing.IsClass(PIpAccessControlEntry::Class()) &&
512 entry->IsClass(PIpAccessControlEntry::Class()) &&
513 existing.IsAllowed() == entry->IsAllowed();
514
515 delete entry;
516 return ok;
517 }
518
519
520 BOOL PIpAccessControlList::Add(const PString & description)
521 {
522 return Add(CreateControlEntry(description));
523 }
524
525
526 BOOL PIpAccessControlList::Add(PIPSocket::Address addr, PIPSocket::Address mask, BOOL allow)
527 {
528 PStringStream description;
529 description << (allow ? '+' : '-') << addr << '/' << mask;
530 return Add(description);
531 }
532
533
534 BOOL PIpAccessControlList::Remove(const PString & description)
535 {
536 PIpAccessControlEntry entry(description);
537
538 if (!entry.IsValid())
539 return FALSE;
540
541 return InternalRemoveEntry(entry);
542 }
543
544
545 BOOL PIpAccessControlList::Remove(PIPSocket::Address addr, PIPSocket::Address mask)
546 {
547 PIpAccessControlEntry entry(addr, mask, TRUE);
548 return InternalRemoveEntry(entry);
549 }
550
551
552 BOOL PIpAccessControlList::InternalRemoveEntry(PIpAccessControlEntry & entry)
553 {
554 PINDEX idx = GetValuesIndex(entry);
555 if (idx == P_MAX_INDEX)
556 return FALSE;
557
558 RemoveAt(idx);
559 return TRUE;
560 }
561
562
563 PIpAccessControlEntry * PIpAccessControlList::CreateControlEntry(const PString & description)
564 {
565 return new PIpAccessControlEntry(description);
566 }
567
568
569 PIpAccessControlEntry * PIpAccessControlList::Find(PIPSocket::Address address) const
570 {
571 PINDEX size = GetSize();
572 if (size == 0)
573 return NULL;
574
575 for (PINDEX i = 0; i < GetSize(); i++) {
576 PIpAccessControlEntry & entry = operator[](i);
577 if (entry.Match(address))
578 return &entry;
579 }
580
581 return NULL;
582 }
583
584
585 BOOL PIpAccessControlList::IsAllowed(PTCPSocket & socket) const
586 {
587 if (IsEmpty())
588 return defaultAllowance;
589
590 PIPSocket::Address address;
591 if (socket.GetPeerAddress(address))
592 return IsAllowed(address);
593
594 return FALSE;
595 }
596
597
598 BOOL PIpAccessControlList::IsAllowed(PIPSocket::Address address) const
599 {
600 if (IsEmpty())
601 return defaultAllowance;
602
603 PIpAccessControlEntry * entry = Find(address);
604 if (entry == NULL)
605 return FALSE;
606
607 return entry->IsAllowed();
608 }
609
610
611 // End of File ///////////////////////////////////////////////////////////////
Unofficial PWLib (OpenH323) repository