From 6bf089b751be90bd2f123e75fac10f115a59f323 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Daniel=20Kou=C5=99il?=
Date: Wed, 7 Apr 2010 12:21:04 +0000
Subject: [PATCH] Policy format and evaluation made more compatible with Argus

---
 org.glite.lb.server/src/authz_policy.c | 71 ++++++++++++++++++++++++----------
 org.glite.lb.server/src/bkserverd.c | 27 +++++++------
 org.glite.lb.server/src/policy_gram.y | 47 +++++++++++++---------
 3 files changed, 94 insertions(+), 51 deletions(-)

diff --git a/org.glite.lb.server/src/authz_policy.c b/org.glite.lb.server/src/authz_policy.c
index b6a4485..4aa707e 100644
--- a/org.glite.lb.server/src/authz_policy.c
+++ b/org.glite.lb.server/src/authz_policy.c
@@ -42,6 +42,44 @@ struct attr_id_name attr_id_names[] = {
 static int num_attrs = sizeof(attr_id_names) / sizeof(attr_id_names[0]);
+static int
+check_rule(_edg_wll_authz_rule *rule, edg_wll_GssPrincipal principal)
+{
+ int i, found;
+ char **f;
+ _edg_wll_authz_attr *a;
+
+ if (rule->attrs_num == 0)
+ return 0;
+
+ for (i = 0; i < rule->attrs_num; i++) {
+ a = rule->attrs + i;
+ if (strcmp(a->value, ".*") == 0)
+ continue;
+
+ switch (a->id) {
+ case ATTR_SUBJECT:
+ if (!edg_wll_gss_equal_subj(a->value, principal->name))
+ return 0;
+ break;
+ case ATTR_FQAN:
+ found = 0;
+ for (f = principal->fqans; f && *f; f++)
+ if (strcmp(a->value, *f) == 0) {
+ found = 1;
+ break;
+ }
+ if (!found)
+ return 0;
+ break;
+ default:
+ return 0;
+ }
+ }
+
+ return 1;
+}
+
 int
 check_authz_policy(edg_wll_authz_policy policy,
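Review bot: check_rule carries no comment on its matching semantics, and they are the opposite of the loop it replaces in check_authz_policy: the new loop returns 0 on the first attribute that does not match, so every attribute of a rule must match the principal, whereas the old loop granted access on any single matching attribute. Suggested header comment: `/* Returns 1 iff every attribute of rule matches principal: the value ".*" is a literal wildcard token (compared with strcmp, not a regex) that matches anything, an unknown attribute id never matches, and a rule with no attributes never matches. */`. Note also that the `.*` test runs before the switch, so an attribute with an unknown id still passes when its value is `.*`; the grammar hunk reports an undefined attribute name via set_error but appears to add it anyway, so this case looks reachable and the comment should say whether that is intended.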
@@ -49,33 +87,24 @@ check_authz_policy(edg_wll_authz_policy policy,
 authz_action action)
 {
 int i;
- char **f;
- _edg_wll_authz_rule *r;
+ _edg_wll_authz_action *a;
 if (policy == NULL)
 return 0;
- for (i = 0; i < policy->num; i++) {
- r = policy->rules + i;
- if (r->action != action)
- continue;
- if (strcmp(r->attr_value, ".*") == 0)
- return 1;
- switch (r->attr_id) {
- case ATTR_SUBJECT:
- if (edg_wll_gss_equal_subj(r->attr_value, principal->name))
- return 1;
- break;
- case ATTR_FQAN:
- for (f = principal->fqans; f && *f; f++)
- if (strcmp(r->attr_value, *f) == 0)
- return 1;
- break;
- default:
- break;
- }
+ for (i = 0; i < policy->actions_num; i++) {
+ if (policy->actions[i].id == action)
+ break;
 }
+ if (i == policy->actions_num)
+ /* Access denied by default */
+ return 0;
+ a = policy->actions + i;
+ for (i = 0; i < a->rules_num; i++) {
+ if (check_rule(a->rules+i, principal))
+ return 1;
+ }
 return 0;
 }
diff --git a/org.glite.lb.server/src/bkserverd.c b/org.glite.lb.server/src/bkserverd.c
index d77fb9c..b92363d 100644
--- a/org.glite.lb.server/src/bkserverd.c
+++ b/org.glite.lb.server/src/bkserverd.c
@@ -1092,13 +1092,14 @@ int bk_handle_connection(int conn, struct timeval *timeout, void *data)
 ctx->hardJobsLimit = hardJobsLimit;
 ctx->hardEventsLimit = hardEventsLimit;
 if ( noAuth ) ctx->noAuth = 1;
- if ( authz_policy.num ) {
- int i;
- for (i=0; i < authz_policy.num; i++)
- edg_wll_add_authz_rule(ctx, &ctx->authz_policy,
- (authz_policy.rules[i]).action,
- (authz_policy.rules[i]).attr_id,
- (authz_policy.rules[i]).attr_value);
+ if ( authz_policy.actions_num ) {
+ int i,j;
+ for (i=0; i < authz_policy.actions_num; i++)
+ for (j = 0; j < authz_policy.actions[i].rules_num; j++)
+ edg_wll_add_authz_rule(ctx,
+ &ctx->authz_policy,
+ authz_policy.actions[i].id,
+ &authz_policy.actions[i].rules[j]);
 }
 ctx->rgma_export = rgma_export;
 memcpy(ctx->purge_timeout, purge_timeout, sizeof(ctx->purge_timeout));
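Review bot: the lookup loop stops at the first entry of `policy->actions` whose id equals `action`, so if the same action can occur twice in that array (for instance when it is given in two `action` blocks of the policy file) the rules of the later entry are never evaluated; whether edg_wll_add_authz_rule merges such entries is not visible in this patch, so either it guarantees uniqueness, which deserves a comment on the loop such as `/* action ids are unique in policy->actions */`, or the loop should visit every matching entry. The reuse of `i` for both loops and the unbraced `if (i == policy->actions_num)` whose body is separated from it by the comment are easy to misread; a second index and braces would help. The function's signature lines lie outside the hunk.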
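Review bot: the result of edg_wll_add_authz_rule is discarded in the nested loops, so if it can fail (it is used only for its side effect here, so the patch does not show its contract) a connection's ctx gets a silently truncated copy of the policy; because check_authz_policy denies when no rule matches, the outcome is an unexplained denial rather than a grant, but it goes undiagnosed. The call also hands over `&authz_policy.actions[i].rules[j]`, a pointer into the process-wide policy, so the per-context copy is correct only if the callee copies the rule and its attrs instead of keeping the pointer; once confirmed, a one-line comment at the call, `/* edg_wll_add_authz_rule copies the rule; ctx does not alias authz_policy */`, records that. The two nested `for` statements have no braces; bracing at least the outer one guards against the next edit. bk_handle_connection starts and ends outside the hunk.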
@@ -1885,14 +1886,18 @@ static int asyn_gethostbyaddr(char **name, char **service, const struct sockaddr
 static int add_root(edg_wll_Context ctx, char *root)
 {
- int attr_id = ATTR_SUBJECT;
+ struct _edg_wll_authz_attr attr;
+ struct _edg_wll_authz_rule rule;
+ attr.value = root;
+ attr.id = ATTR_SUBJECT;
 if (strncmp(root, "FQAN:", 5) == 0){
 root += 5;
- attr_id = ATTR_FQAN;
+ attr.id = ATTR_FQAN;
 }
- edg_wll_add_authz_rule(ctx, &authz_policy, ADMIN_ACCESS,
- attr_id, root);
+ rule.attrs = &attr;
+ rule.attrs_num = 1;
+ edg_wll_add_authz_rule(ctx, &authz_policy, ADMIN_ACCESS, &rule);
 return 0;
 }
diff --git a/org.glite.lb.server/src/policy_gram.y b/org.glite.lb.server/src/policy_gram.y
index 3abe361..53a4a4d 100644
--- a/org.glite.lb.server/src/policy_gram.y
+++ b/org.glite.lb.server/src/policy_gram.y
@@ -21,25 +21,26 @@ extern unsigned lineno;
 extern FILE *yyin;
-struct _assigs {
- int id;
- char *value;
- struct _assigs *next;
-} _assigs;
-
-struct _assigs *assigs = NULL;
+struct _rules {
+ struct _edg_wll_authz_rule *rule;
+ struct _rules *next;
+} _rules;
 %}
 %union {
 char *string;
- struct _assigs *assigs;
+ struct _rules *rules;
+ struct _edg_wll_authz_rule *rule;
+ struct _edg_wll_authz_attr *attr;
 }
 %token RESOURCE ACTION RULE PERMIT
 %token STRING
 %token LITERAL
-%type assignment assignments
+%type assignment
+%type assignments
+%type rule rules
 %start policy
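Review bot: `attr.value = root;` is assigned before the `FQAN:` prefix is stripped by `root += 5`, so a super-user entry written as `FQAN:...` is stored with id ATTR_FQAN but a value that still begins with `FQAN:`; the call this replaces passed the advanced `root`, and check_rule compares the value to the principal's fqans with strcmp, so such entries can no longer match and FQAN-based ADMIN_ACCESS silently stops working. Move the assignment below the `if` block: `attr.value = root;` immediately before `rule.attrs = &attr;`. Separately, `attr` and `rule` are automatic objects and `rule.attrs` points at `attr`, so the stored ADMIN_ACCESS rule remains valid after add_root returns only if edg_wll_add_authz_rule copies the rule and its attrs rather than keeping the pointers, which this patch does not show; a comment stating that contract at the call, plus `= {0}` initialisers so that any members the patch does not set are defined, would settle it.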
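Review bot: the `} _rules;` closing the new struct defines an unused file-scope object named `_rules` of that type, carried over from the `_assigs` declaration it replaces; the grammar only uses `struct _rules *`, so the declaration should end with `};`. Names beginning with an underscore at file scope are reserved for the implementation in C, so a tag such as `rule_list` would also be cleaner should this struct be touched again.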
@@ -58,38 +59,47 @@ actions :
 action : ACTION STRING '{' rules '}'
 {
- struct _assigs *a;
+ struct _rules *r;
+
 authz_action ac = find_authz_action($2);
 if (ac == ACTION_UNDEF)
 set_error("undefined action '%s'", $2);
- for (a = assigs; a; a = a->next) {
+ for (r = $4; r; r = r->next) {
 edg_wll_add_authz_rule(parse_ctx, parse_policy,
- ac, a->id, a->value);
+ ac, r->rule);
 }
- assigs = NULL; /* XXX */
 }
 ;
-rules :
+rules :
+ {
+ $$ = NULL;
+ }
 | rule rules
+ {
+ $1->next = $2;
+ $$ = $1;
+ }
 ;
 rule : RULE PERMIT '{' assignments '}'
 {
- assigs = $4;
+ $$ = malloc(sizeof(*$$));
+ $$->rule = $4;
+ $$->next = NULL;
 }
 ;
 assignments :
 {
- $$ = NULL;
+ $$ = calloc(1, sizeof(*$$));
 }
 | assignment assignments
 {
- $1->next = $2;
+ edg_wll_add_authz_attr(parse_ctx, $2, $1->id, $1->value);
+ $$ = $2;
 }
 ;
@@ -100,7 +110,6 @@ assignment : LITERAL '=' STRING
 if ($$->id == ATTR_UNDEF)
 set_error("undefined attribute '%s'", $1);
 $$->value = $3;
- $$->next = NULL;
 }
 ;
--
1.8.2.3
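Review bot: in the `rule` action `$$ = malloc(sizeof(*$$));` is dereferenced on the next line without a NULL check, and the base case of `assignments` passes an unchecked `calloc` result straight into edg_wll_add_authz_attr, so an allocation failure crashes the parser instead of producing an error. The `struct _rules` nodes built by `rule` are walked by the loop in `action` and then abandoned, and `$1` in the `assignment assignments` case is dropped once its id and value have been handed over; whether the callees take ownership of `$1->value` or of `r->rule` is not visible here, so the sketch below frees only the list nodes, which nothing else references. set_error is used printf-style above, so a plain `"out of memory"` message should fit it, and YYABORT then stops the parse. Pre-existing but worth a comment: set_error on ACTION_UNDEF does not stop the loop from adding the rules under that id.
```yacc
action : ACTION STRING '{' rules '}'
	{
	struct _rules *r, *next;
	/* … unchanged: find_authz_action and the ACTION_UNDEF check … */
	for (r = $4; r; r = next) {
		next = r->next;
		edg_wll_add_authz_rule(parse_ctx, parse_policy, ac, r->rule);
		free(r);
	}
	}
	;
/* … unchanged: rules … */
rule : RULE PERMIT '{' assignments '}'
	{
	$$ = malloc(sizeof(*$$));
	if ($$ == NULL) {
		set_error("out of memory");
		YYABORT;
	}
	$$->rule = $4;
	$$->next = NULL;
	}
	;
assignments :
	{
	$$ = calloc(1, sizeof(*$$));
	if ($$ == NULL) {
		set_error("out of memory");
		YYABORT;
	}
	}
/* … unchanged: assignment assignments … */
```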