static int num_attrs =
sizeof(attr_id_names) / sizeof(attr_id_names[0]);
+static int
+check_rule(_edg_wll_authz_rule *rule, edg_wll_GssPrincipal principal)
+{
+ int i, found;
+ char **f;
+ _edg_wll_authz_attr *a;
+
+ if (rule->attrs_num == 0)
+ return 0;
+
+ for (i = 0; i < rule->attrs_num; i++) {
+ a = rule->attrs + i;
+ if (strcmp(a->value, ".*") == 0)
+ continue;
+
+ switch (a->id) {
+ case ATTR_SUBJECT:
+ if (!edg_wll_gss_equal_subj(a->value, principal->name))
+ return 0;
+ break;
+ case ATTR_FQAN:
+ found = 0;
+ for (f = principal->fqans; f && *f; f++)
+ if (strcmp(a->value, *f) == 0) {
+ found = 1;
+ break;
+ }
+ if (!found)
+ return 0;
+ break;
+ default:
+ return 0;
+ }
+ }
+
+ return 1;
+}
+
int
check_authz_policy(edg_wll_authz_policy policy,
authz_action action)
{
int i;
- char **f;
- _edg_wll_authz_rule *r;
+ _edg_wll_authz_action *a;
if (policy == NULL)
return 0;
- for (i = 0; i < policy->num; i++) {
- r = policy->rules + i;
- if (r->action != action)
- continue;
- if (strcmp(r->attr_value, ".*") == 0)
- return 1;
- switch (r->attr_id) {
- case ATTR_SUBJECT:
- if (edg_wll_gss_equal_subj(r->attr_value, principal->name))
- return 1;
- break;
- case ATTR_FQAN:
- for (f = principal->fqans; f && *f; f++)
- if (strcmp(r->attr_value, *f) == 0)
- return 1;
- break;
- default:
- break;
- }
+ for (i = 0; i < policy->actions_num; i++) {
+ if (policy->actions[i].id == action)
+ break;
}
+ if (i == policy->actions_num)
+ /* Access denied by default */
+ return 0;
+ a = policy->actions + i;
+ for (i = 0; i < a->rules_num; i++) {
+ if (check_rule(a->rules+i, principal))
+ return 1;
+ }
return 0;
}
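Review bot: `check_rule` gives the two degenerate rule shapes opposite meanings without saying so: a rule with `attrs_num == 0` matches nobody, while a rule whose every attribute is `.*` is skipped attribute by attribute in the `continue` branch and therefore matches every principal, so `rule permit { subject = ".*" }` is an unconditional grant. I would comment both branches, e.g. `/* no attributes: fail closed, never matches */` on the early return and `/* ".*" matches any value; a rule of only wildcards permits everyone */` on the continue. `principal` is dereferenced unconditionally in the ATTR_SUBJECT and ATTR_FQAN cases, so a NULL principal (an unauthenticated caller, if one can reach this path) would crash rather than be denied; a leading `if (!principal) return 0;` would make the fail-closed default explicit, though the removed code had the same dereference and this may already be excluded upstream. `principal` is also not among the parameters visible in the `check_authz_policy` signature in this hunk, so it presumably comes from a declaration outside the visible lines.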
ctx->hardJobsLimit = hardJobsLimit;
ctx->hardEventsLimit = hardEventsLimit;
if ( noAuth ) ctx->noAuth = 1;
- if ( authz_policy.num ) {
- int i;
- for (i=0; i < authz_policy.num; i++)
- edg_wll_add_authz_rule(ctx, &ctx->authz_policy,
- (authz_policy.rules[i]).action,
- (authz_policy.rules[i]).attr_id,
- (authz_policy.rules[i]).attr_value);
+ if ( authz_policy.actions_num ) {
+ int i,j;
+ for (i=0; i < authz_policy.actions_num; i++)
+ for (j = 0; j < authz_policy.actions[i].rules_num; j++)
+ edg_wll_add_authz_rule(ctx,
+ &ctx->authz_policy,
+ authz_policy.actions[i].id,
+ &authz_policy.actions[i].rules[j]);
}
ctx->rgma_export = rgma_export;
memcpy(ctx->purge_timeout, purge_timeout, sizeof(ctx->purge_timeout));
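Review bot: The result of `edg_wll_add_authz_rule` is discarded in the nested copy loop, so if copying a rule into `ctx->authz_policy` fails (allocation, say) the per-context policy silently ends up with fewer rules than the parsed global one; because the grammar only produces permit rules this fails closed, but an administrator granted by a dropped rule is locked out with no diagnostic. If the function reports failure, check it and log or abort context setup, e.g. `if (edg_wll_add_authz_rule(ctx, &ctx->authz_policy, authz_policy.actions[i].id, &authz_policy.actions[i].rules[j])) { /* log and fail */ }`. The enclosing function starts before and ends after this hunk.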
static int add_root(edg_wll_Context ctx, char *root)
{
- int attr_id = ATTR_SUBJECT;
+ struct _edg_wll_authz_attr attr;
+ struct _edg_wll_authz_rule rule;
+ attr.value = root;
+ attr.id = ATTR_SUBJECT;
if (strncmp(root, "FQAN:", 5) == 0){
root += 5;
- attr_id = ATTR_FQAN;
+ attr.id = ATTR_FQAN;
}
- edg_wll_add_authz_rule(ctx, &authz_policy, ADMIN_ACCESS,
- attr_id, root);
+ rule.attrs = &attr;
+ rule.attrs_num = 1;
+ edg_wll_add_authz_rule(ctx, &authz_policy, ADMIN_ACCESS, &rule);
return 0;
}
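Review bot: `attr.value = root;` is assigned before the `FQAN:` prefix is stripped, so for a root such as `FQAN:/vo/Role=admin` the rule is tagged `ATTR_FQAN` but its value still begins with `FQAN:`, and the exact `strcmp` against the principal's FQANs in check_rule can never match; FQAN-based super-users lose access (the removed code passed `root` only after `root += 5`). Move the assignment below the prefix check: `attr.id = ATTR_SUBJECT; if (strncmp(root, "FQAN:", 5) == 0) { root += 5; attr.id = ATTR_FQAN; } attr.value = root;`. Also, `attr` and `rule` are stack objects, so this call relies on `edg_wll_add_authz_rule` copying the rule rather than retaining the pointer, while the grammar passes heap-allocated rules to the same function; a one-line comment at the call stating that the rule is copied would pin that contract down.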
extern FILE *yyin;
-struct _assigs {
- int id;
- char *value;
- struct _assigs *next;
-} _assigs;
-
-struct _assigs *assigs = NULL;
+struct _rules {
+ struct _edg_wll_authz_rule *rule;
+ struct _rules *next;
+} _rules;
%}
%union {
char *string;
- struct _assigs *assigs;
+ struct _rules *rules;
+ struct _edg_wll_authz_rule *rule;
+ struct _edg_wll_authz_attr *attr;
}
%token RESOURCE ACTION RULE PERMIT
%token <string> STRING
%token <string> LITERAL
-%type <assigs> assignment assignments
+%type <attr> assignment
+%type <rule> assignments
+%type <rules> rule rules
%start policy
action : ACTION STRING '{' rules '}'
{
- struct _assigs *a;
+ struct _rules *r;
+
authz_action ac = find_authz_action($2);
if (ac == ACTION_UNDEF)
set_error("undefined action '%s'", $2);
- for (a = assigs; a; a = a->next) {
+ for (r = $4; r; r = r->next) {
edg_wll_add_authz_rule(parse_ctx, parse_policy,
- ac, a->id, a->value);
+ ac, r->rule);
}
- assigs = NULL; /* XXX */
}
;
-rules :
+rules :
+ {
+ $$ = NULL;
+ }
| rule rules
+ {
+ $1->next = $2;
+ $$ = $1;
+ }
;
rule : RULE PERMIT '{' assignments '}'
{
- assigs = $4;
+ $$ = malloc(sizeof(*$$));
+ $$->rule = $4;
+ $$->next = NULL;
}
;
assignments :
{
- $$ = NULL;
+ $$ = calloc(1, sizeof(*$$));
}
| assignment assignments
{
- $1->next = $2;
- $$ = $1;
+ edg_wll_add_authz_attr(parse_ctx, $2, $1->id, $1->value);
+ $$ = $2;
}
;
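Review bot: The `malloc` in the `rule` action and the `calloc` in the empty `assignments` alternative are unchecked and their results are dereferenced immediately (`$$->rule = $4;`, and `$2` handed to edg_wll_add_authz_attr), so an allocation failure while parsing the policy becomes a NULL dereference instead of a parse error; `if (!$$) { set_error("out of memory"); YYABORT; }` after each allocation keeps it a reported failure (adjust to however set_error is meant to unwind, which is not visible here). `rule permit { }` is accepted and yields a rule with `attrs_num == 0`, and the new check_rule denies such a rule, so an empty permit is silently dead; either reject it at parse time with `set_error("permit rule without attributes")` or document that it never matches. The `struct _rules` nodes and the `assignment` attrs (`$1` after its id and value are copied) are never freed, so unless edg_wll_add_authz_rule/attr take ownership this leaks per parse, as the removed `assigs = NULL; /* XXX */` did.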
if ($$->id == ATTR_UNDEF)
set_error("undefined attribute '%s'", $1);
$$->value = $3;
- $$->next = NULL;
}
;