experiments/clixon
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

nacm refactoring

Browse source
This commit is contained in:
Olof hagsand 2019-01-27 14:45:39 +01:00
parent ffecebf32a
commit 342b94fb76
1 changed files with 83 additions and 41 deletions
Download patch file Download diff file Expand all files Collapse all files

124
lib/src/clixon_nacm.c
View file

@ -368,6 +368,75 @@ rule_datanode_read(cxobj *xrule,
return retval; return retval;
} }
/*! Go through all rules for a requested node
* @param[in] xt XML root tree with "config" label
* @param[in] xr Requested node (node in xt)
* @param[in] gvec NACM groups where user is member
* @param[in] glen Length of gvec
* @param[in] rlistvec NACM rule-list entries
* @param[in] rlistlen Length of rlistvec
* @param[out] xrulep If set, then points to matching rule
*/
static int
nacm_datanode_read_xr(cxobj *xt,
cxobj *xr,
cxobj **gvec,
size_t glen,
cxobj **rlistvec,
size_t rlistlen,
cxobj **xrulep
)
{
int retval = -1;
int i, j;
cxobj *xrlist;
char *gname;
cxobj **rvec = NULL; /* rules */
size_t rlen;
cxobj *xrule = NULL;
int match = 0;
for (i=0; i<rlistlen; i++){ /* Loop through rule list */
xrlist = rlistvec[i];
/* Loop through user's group to find match in this rule-list */
for (j=0; j<glen; j++){
gname = xml_find_body(gvec[j], "name");
if (xpath_first(xrlist, ".[group='%s']", gname)!=NULL)
break; /* found */
}
if (j==glen) /* not found */
continue;
/* 6. For each rule-list entry found, process all rules, in order,
until a rule that matches the requested access operation is
found. (see 6 sub rules in nacm_match_rule2)
*/
if (xpath_vec(xrlist, "rule", &rvec, &rlen) < 0)
goto done;
for (j=0; j<rlen; j++){ /* Loop through rules */
xrule = rvec[j];
if (rule_datanode_read(xrule, xr, xt, &match) < 0)
goto done;
if (match) /* xrule match */
break;
}
if (rvec){
free(rvec);
rvec=NULL;
}
if (match) /* xrule match */
break;
}
if (match)
*xrulep = xrule;
else
*xrulep = NULL;
retval = 0;
done:
if (rvec)
free(rvec);
return retval;
}
/*! Make nacm datanode and module rule read access validation /*! Make nacm datanode and module rule read access validation
* Just purge nodes that fail validation (dont send netconf error message) * Just purge nodes that fail validation (dont send netconf error message)
* @param[in] xt XML root tree with "config" label * @param[in] xt XML root tree with "config" label
@ -450,22 +519,16 @@ nacm_datanode_read(cxobj *xt,
{ {
int retval = -1; int retval = -1;
cxobj **gvec = NULL; /* groups */ cxobj **gvec = NULL; /* groups */
cxobj *xr;
size_t glen; size_t glen;
cxobj *xrlist; cxobj *xr;
cxobj **rlistvec = NULL; /* rule-list */ cxobj **rlistvec = NULL; /* rule-list */
size_t rlistlen; size_t rlistlen;
cxobj **rvec = NULL; /* rules */ cxobj **rvec = NULL; /* rules */
size_t rlen; int i;
int i, j, k;
char *read_default = NULL; char *read_default = NULL;
char *gname;
int match;
cxobj *xrule; cxobj *xrule;
char *action; char *action;
/* 3. Check all the "group" entries to see if any of them contain a /* 3. Check all the "group" entries to see if any of them contain a
"user-name" entry that equals the username for the session "user-name" entry that equals the username for the session
making the request. (If the "enable-external-groups" leaf is making the request. (If the "enable-external-groups" leaf is
@ -485,36 +548,15 @@ nacm_datanode_read(cxobj *xt,
entry. */ entry. */
if (xpath_vec(xnacm, "rule-list", &rlistvec, &rlistlen) < 0) if (xpath_vec(xnacm, "rule-list", &rlistvec, &rlistlen) < 0)
goto done; goto done;
for (k=0; k<xrlen; k++){ /* Loop through requested nodes */ for (i=0; i<xrlen; i++){ /* Loop through requested nodes */
xr = xrvec[k]; /* requested node XR */ xr = xrvec[i]; /* requested node XR */
match = 0; /* Go thru steps 5,6,7, if no match do 8-13 */ /* Loop through rule-list (steps 5,6,7) to find match of requested node
for (i=0; i<rlistlen; i++){ /* Loop through rule list */ */
xrlist = rlistvec[i]; xrule = NULL;
/* Loop through user's group to find match in this rule-list */ if (nacm_datanode_read_xr(xt, xr, gvec, glen, rlistvec, rlistlen,
for (j=0; j<glen; j++){ &xrule) < 0)
gname = xml_find_body(gvec[j], "name"); goto done;
if (xpath_first(xrlist, ".[group='%s']", gname)!=NULL) if (xrule){ /* xrule match requested node xr */
break; /* found */
}
if (j==glen) /* not found */
continue;
/* 6. For each rule-list entry found, process all rules, in order,
until a rule that matches the requested access operation is
found. (see 6 sub rules in nacm_match_rule2)
*/
if (xpath_vec(xrlist, "rule", &rvec, &rlen) < 0)
goto done;
for (j=0; j<rlen; j++){ /* Loop through rules */
xrule = rvec[j];
if (rule_datanode_read(xrule, xr, xt, &match) < 0)
goto done;
if (match) /* xrule match */
break;
}
if (match) /* xrule match */
break;
}
if (match){ /* xrule match requested node xr */
if ((action = xml_find_body(xrule, "action")) == NULL) if ((action = xml_find_body(xrule, "action")) == NULL)
continue; continue;
if (strcmp(action, "deny")==0){ if (strcmp(action, "deny")==0){
@ -523,7 +565,7 @@ nacm_datanode_read(cxobj *xt,
} }
else if (strcmp(action, "permit")==0) else if (strcmp(action, "permit")==0)
;/* XXX recursively find denies in xr and purge them ;/* XXX recursively find denies in xr and purge them
* ie go back to the k-loop with all sub-items? * ie call nacm_datanode_read_xr recursively?
*/ */
} }
else{ /* no rule matching xr, apply default */ else{ /* no rule matching xr, apply default */
@ -547,8 +589,8 @@ nacm_datanode_read(cxobj *xt,
"nacm:default-deny-all" statement, then the requested data node "nacm:default-deny-all" statement, then the requested data node
and all its descendants are not included in the reply. and all its descendants are not included in the reply.
*/ */
for (k=0; k<xrlen; k++) /* Loop through requested nodes */ for (i=0; i<xrlen; i++) /* Loop through requested nodes */
if (xml_purge(xrvec[k]) < 0) if (xml_purge(xrvec[i]) < 0)
goto done; goto done;
ok: ok:
retval = 0; retval = 0;