Moving NSCP Directory Server from DirectoryBranch to TRUNK, initial drop. (foxworth)ldapserver7x

1 files changed, 657 insertions, 0 deletions

diff --git a/lib/libaccess/usrcache.cpp b/lib/libaccess/usrcache.cpp
new file mode 100644
index 00000000..2f79d2cc
--- /dev/null
+++ b/lib/libaccess/usrcache.cpp
@@ -0,0 +1,657 @@
+/** BEGIN COPYRIGHT BLOCK
+ * Copyright 2001 Sun Microsystems, Inc.
+ * Portions copyright 1999, 2001-2003 Netscape Communications Corporation.
+ * All rights reserved.
+ * END COPYRIGHT BLOCK **/
+/* #define DBG_PRINT */
+
+
+#include <netsite.h>
+extern "C" {
+#include <secitem.h>
+}
+#include <base/crit.h>
+#include <ldaputil/errors.h>
+#include <libaccess/usrcache.h>
+#include <libaccess/las.h>
+#include <libaccess/authdb.h>
+#include "permhash.h"
+
+/* uid is unique within a database.  The user cache tables are stored per
+ * database.  The following table maps a database name to the corresponding
+ * user cache table.  The user cache table is another hash table which stores
+ * the UserCacheObj instances.
+ */
+static PRHashTable *databaseUserCacheTable = 0;
+static time_t acl_usr_cache_lifetime = (time_t)120;
+static PRCList *usrobj_list = 0;
+static const int num_usrobj = 200;
+static CRITICAL usr_hash_crit = NULL;	/* Controls user cache hash tables & */
+					/* usrobj link list */
+static pool_handle_t *usrcache_pool = NULL;
+static PRHashTable *singleDbTable = 0;
+
+#define USEROBJ_PTR(l) \
+    ((UserCacheObj*) ((char*) (l) - offsetof(UserCacheObj, list)))
+
+static void user_hash_crit_enter (void)
+{
+    /* Caching may be disabled (usr_hash_crit will be NULL) */
+    if (usr_hash_crit) crit_enter(usr_hash_crit);
+}
+
+static void user_hash_crit_exit (void)
+{
+    /* Caching may be disabled (usr_hash_crit will be NULL) */
+    if (usr_hash_crit) crit_exit(usr_hash_crit);
+}
+
+static void user_hash_crit_init (void)
+{
+    usr_hash_crit = crit_init();
+}
+
+static PRHashNumber
+usr_cache_hash_cert(const void *key)
+{
+    PRHashNumber h;
+    const unsigned char *s;
+    unsigned int i = 0;
+    SECItem *derCert = (SECItem *)key;
+    unsigned int len = derCert->len;
+ 
+    h = 0;
+    for (s = (const unsigned char *)derCert->data; i < len; s++, i++)
+        h = (h >> 28) ^ (h << 4) ^ *s;
+    return h;
+}
+ 
+static PRHashNumber
+usr_cache_hash_fn (const void *key)
+{
+    UserCacheObj *usrObj = (UserCacheObj *)key;
+
+    if (usrObj->derCert)
+	return usr_cache_hash_cert(usrObj->derCert);
+    else
+	return PR_HashCaseString(usrObj->uid);
+}
+
+static int
+usr_cache_compare_certs(const void *v1, const void *v2)
+{
+    const SECItem *c1 = (const SECItem *)v1;
+    const SECItem *c2 = (const SECItem *)v2;
+
+    return (c1->len == c2 ->len && !memcmp(c1->data, c2->data, c1->len));
+}
+ 
+static int
+usr_cache_compare_fn(const void *v1, const void *v2)
+{
+    UserCacheObj *usrObj1 = (UserCacheObj *)v1;
+    UserCacheObj *usrObj2 = (UserCacheObj *)v2;
+
+    if (usrObj1->derCert && usrObj2->derCert)
+	return usr_cache_compare_certs(usrObj1->derCert, usrObj2->derCert);
+    else if (!usrObj1->derCert && !usrObj2->derCert)
+	return PR_CompareCaseStrings(usrObj1->uid, usrObj1->uid);
+    else
+	return 0;
+}
+
+static PRHashTable *alloc_db2uid_table ()
+{
+    return PR_NewHashTable(0, 
+			   usr_cache_hash_fn,
+			   usr_cache_compare_fn,
+			   PR_CompareValues,
+			   &ACLPermAllocOps, 
+			   usrcache_pool);
+}
+
+
+int acl_usr_cache_set_timeout (const int nsec)
+{
+    acl_usr_cache_lifetime = (time_t)nsec;
+    return 0;
+}
+
+
+int acl_usr_cache_enabled ()
+{
+    return (acl_usr_cache_lifetime > 0);
+}
+
+
+int acl_usr_cache_init ()
+{
+    UserCacheObj *usrobj;
+    int i;
+
+    if (acl_usr_cache_lifetime <= 0) {
+	/* Caching is disabled */
+	DBG_PRINT1("usrcache is disabled");
+	return 0;
+    }
+
+    usrcache_pool = pool_create();
+    user_hash_crit_init();
+
+    if (acl_num_databases() == 0) {
+	/* Something wrong -- No databases registered yet! */
+	return -1;
+    }
+    else if (acl_num_databases() == 1) {
+	/* Optimize for single database */
+	DBG_PRINT1("Optimizing usrcache for single db");
+	singleDbTable = alloc_db2uid_table();
+    }
+    else {
+	singleDbTable = 0;
+	databaseUserCacheTable = PR_NewHashTable(0, 
+						 PR_HashCaseString,
+						 PR_CompareCaseStrings,
+						 PR_CompareValues,
+						 &ACLPermAllocOps, 
+						 usrcache_pool);
+    }
+
+    /* Allocate first UserCacheObj and initialize the circular link list */
+    usrobj = (UserCacheObj *)pool_malloc(usrcache_pool, sizeof(UserCacheObj));
+    if (!usrobj) return -1;
+    memset((void *)usrobj, 0, sizeof(UserCacheObj));
+    usrobj_list = &usrobj->list;
+    PR_INIT_CLIST(usrobj_list);
+
+    /* Allocate rest of the UserCacheObj and put them in the link list */
+    for(i = 0; i < num_usrobj; i++){
+	usrobj = (UserCacheObj *)pool_malloc(usrcache_pool,
+					     sizeof(UserCacheObj));
+					     
+	if (!usrobj) return -1;
+	memset((void *)usrobj, 0, sizeof(UserCacheObj));
+	PR_INSERT_AFTER(&usrobj->list, usrobj_list);
+    }
+
+    return (singleDbTable || databaseUserCacheTable) ? 0 : -1;
+}
+
+/* If the user hash table exists in the databaseUserCacheTable then return it.
+ * Otherwise, create a new hash table, insert it in the databaseUserCacheTable
+ * and then return it.
+ */
+static int usr_cache_table_get (const char *dbname, PRHashTable **usrTable)
+{
+    PRHashTable *table;
+
+    if (singleDbTable) {
+	*usrTable = singleDbTable;
+	return LAS_EVAL_TRUE;
+    }
+
+    user_hash_crit_enter();
+
+    table = (PRHashTable *)PR_HashTableLookup(databaseUserCacheTable,
+					      dbname);
+
+    if (!table) {
+	/* create a new table and insert it in the databaseUserCacheTable */
+	table = alloc_db2uid_table();
+
+	if (table) {
+	    PR_HashTableAdd(databaseUserCacheTable,
+			    pool_strdup(usrcache_pool, dbname),
+			    table);
+	}
+    }
+
+    *usrTable = table;
+
+    user_hash_crit_exit();
+
+    return table ? LAS_EVAL_TRUE : LAS_EVAL_FAIL;
+}
+
+int acl_usr_cache_insert (const char *uid, const char *dbname,
+			  const char *userdn, const char *passwd,
+			  const char *group,
+			  const SECItem *derCert, const time_t time)
+{
+    PRHashTable *usrTable;
+    UserCacheObj *usrobj;
+    UserCacheObj key;
+    int rv;
+
+    if (acl_usr_cache_lifetime <= 0) {
+	/* Caching is disabled */
+	return LAS_EVAL_TRUE;
+    }
+
+    rv = usr_cache_table_get (dbname, &usrTable);
+
+    if (rv != LAS_EVAL_TRUE) return rv;
+
+    user_hash_crit_enter();
+
+    key.uid = (char *)uid;
+    key.derCert = (SECItem *)derCert;
+
+    usrobj = (UserCacheObj *)PR_HashTableLookup(usrTable, &key);
+
+    if (usrobj) {
+	time_t elapsed = time - usrobj->time;
+	int expired = (elapsed >= acl_usr_cache_lifetime);
+
+	/* Free & reset the old values in usrobj if -- there is an old value
+	 * and if the new value is given then it is different or the usrobj
+	 * has expired */
+	/* Set the field if the new value is given and the field is not set */
+	/* If the usrobj has not expired then we only want to update the field
+	 * whose new value is non-NULL and different */
+
+	/* Work on the 'uid' field */
+	if (usrobj->uid &&
+	    (uid ? strcmp(usrobj->uid, uid) : expired))
+	{
+	    pool_free(usrcache_pool, usrobj->uid);
+	    usrobj->uid = 0;
+	}
+	if (uid && !usrobj->uid) {
+	    usrobj->uid = pool_strdup(usrcache_pool, uid);
+	}
+
+	/* Work on the 'userdn' field */
+	if (usrobj->userdn &&
+	    (userdn ? strcmp(usrobj->userdn, userdn) : expired))
+	{
+	    pool_free(usrcache_pool, usrobj->userdn);
+	    usrobj->userdn = 0;
+	}
+	if (userdn && !usrobj->userdn) {
+	    usrobj->userdn = pool_strdup(usrcache_pool, userdn);
+	}
+
+	/* Work on the 'passwd' field */
+	if (usrobj->passwd &&
+	    (passwd ? strcmp(usrobj->passwd, passwd) : expired))
+	{
+	    pool_free(usrcache_pool, usrobj->passwd);
+	    usrobj->passwd = 0;
+	}
+	if (passwd && !usrobj->passwd) {
+	    usrobj->passwd = pool_strdup(usrcache_pool, passwd);
+	}
+
+	/* Work on the 'group' field -- not replace a valid group */
+	if (!expired && usrobj->group &&
+	    (group ? strcmp(usrobj->group, group) : expired))
+	{
+	    pool_free(usrcache_pool, usrobj->group);
+	    usrobj->group = 0;
+	}
+	if (group && !usrobj->group) {
+	    usrobj->group = pool_strdup(usrcache_pool, group);
+	}
+
+	/* Work on the 'derCert' field */
+	if (usrobj->derCert &&
+	    (derCert ? (derCert->len != usrobj->derCert->len ||
+			memcmp(usrobj->derCert->data, derCert->data,
+			       derCert->len))
+	     : expired))
+	{
+	    SECITEM_FreeItem(usrobj->derCert, PR_TRUE);
+	    usrobj->derCert = 0;
+	}
+	if (derCert && !usrobj->derCert) {
+	    usrobj->derCert = SECITEM_DupItem((SECItem *)derCert);
+	}
+
+	/* Reset the time only if the usrobj has expired */
+	if (expired) {
+	    DBG_PRINT1("Replace ");
+	    usrobj->time = time;
+	}
+	else {
+	    DBG_PRINT1("Update ");
+	}
+    }
+    else {
+	/* Get the last usrobj from the link list, erase it and use it */
+	/* Maybe the last usrobj is not invalid yet but we don't want to grow
+	 * the list of usrobjs.  The last obj is the best candidate for being
+	 * not valid.  We don't want to compare the time -- just use it.
+	 */
+	PRCList *tail = PR_LIST_TAIL(usrobj_list);
+	usrobj = USEROBJ_PTR(tail);
+
+	/* If the removed usrobj is in the hashtable, remove it from there */
+	if (usrobj->hashtable) {
+	    PR_HashTableRemove(usrobj->hashtable, usrobj);
+	}
+
+	/* Free the memory associated with the usrobj */
+	if (usrobj->userdn) pool_free(usrcache_pool, usrobj->userdn);
+	if (usrobj->passwd) pool_free(usrcache_pool, usrobj->passwd);
+	if (usrobj->group) pool_free(usrcache_pool, usrobj->group);
+	if (usrobj->derCert) SECITEM_FreeItem(usrobj->derCert, PR_TRUE);
+	if (usrobj->uid) pool_free(usrcache_pool, usrobj->uid);
+
+	/* Fill in the usrobj with the current data */
+	usrobj->uid = pool_strdup(usrcache_pool, uid);
+	usrobj->userdn = userdn ? pool_strdup(usrcache_pool, userdn) : 0;
+	usrobj->passwd = passwd ? pool_strdup(usrcache_pool, passwd) : 0;
+	usrobj->derCert = derCert ? SECITEM_DupItem((SECItem *)derCert) : 0;
+	usrobj->group = group ? pool_strdup(usrcache_pool, group) : 0;
+	usrobj->time = time;
+
+	/* Add the usrobj to the user hash table */
+	PR_HashTableAdd(usrTable, usrobj, usrobj);
+	usrobj->hashtable = usrTable;
+	DBG_PRINT1("Insert ");
+    }
+
+    /* Move the usrobj to the head of the list */
+    PR_REMOVE_LINK(&usrobj->list);
+    PR_INSERT_AFTER(&usrobj->list, usrobj_list);
+
+    /* Set the time in the UserCacheObj */
+    if (usrobj) {
+	rv = LAS_EVAL_TRUE;
+    }
+    else {
+	rv = LAS_EVAL_FAIL;
+    }
+
+    DBG_PRINT4("acl_usr_cache_insert: derCert = \"%s\" uid = \"%s\" at time = %ld\n",
+	       usrobj->derCert ? (char *)usrobj->derCert->data : "<NONE>",
+	       uid, time);
+
+    user_hash_crit_exit();
+    return rv;
+}
+
+static int acl_usr_cache_get_usrobj (const char *uid, const SECItem *derCert,
+				     const char *dbname, const time_t time,
+				     UserCacheObj **usrobj_out)
+{
+    PRHashTable *usrtable;
+    UserCacheObj *usrobj;
+    UserCacheObj key;
+    time_t elapsed;
+    int rv;
+
+    *usrobj_out = 0;
+
+    if (acl_usr_cache_lifetime <= 0) {
+	/* Caching is disabled */
+	return LAS_EVAL_FALSE;
+    }
+
+    rv = usr_cache_table_get(dbname, &usrtable);
+    if (!usrtable) return LAS_EVAL_FALSE;
+
+    key.uid = (char *)uid;
+    key.derCert = (SECItem *)derCert;
+
+    usrobj = (UserCacheObj *)PR_HashTableLookup(usrtable, &key);
+
+    if (!usrobj) return LAS_EVAL_FALSE;
+
+    rv = LAS_EVAL_FALSE;
+
+    elapsed = time - usrobj->time;
+
+    /* If the cache is valid, return the usrobj */
+    if (elapsed < acl_usr_cache_lifetime) {
+	rv = LAS_EVAL_TRUE;
+	*usrobj_out = usrobj;
+	DBG_PRINT4("usr_cache found: derCert = \"%s\" uid = \"%s\" at time = %ld\n",
+		   usrobj->derCert ? (char *)usrobj->derCert->data : "<NONE>",
+		   usrobj->uid, time);
+    }
+    else {
+	DBG_PRINT4("usr_cache expired: derCert = \"%s\" uid = \"%s\" at time = %ld\n",
+		   usrobj->derCert ? (char *)usrobj->derCert->data : "<NONE>",
+		   usrobj->uid, time);
+    }
+
+    return rv;
+}
+
+int acl_usr_cache_passwd_check (const char *uid, const char *dbname,
+				const char *passwd,
+				const time_t time, char **dn,
+				pool_handle_t *pool)
+{
+    UserCacheObj *usrobj;
+    int rv;
+
+    user_hash_crit_enter();
+    rv = acl_usr_cache_get_usrobj(uid, 0, dbname, time, &usrobj);
+
+    if (rv == LAS_EVAL_TRUE && usrobj->passwd && passwd &&
+	!strcmp(usrobj->passwd, passwd))
+    {
+	/* extract dn from the usrobj */
+	*dn = usrobj->userdn ? pool_strdup(pool, usrobj->userdn) : 0;
+	rv = LAS_EVAL_TRUE;
+	DBG_PRINT1("Success ");
+    }
+    else {
+	rv = LAS_EVAL_FALSE;
+	DBG_PRINT1("Failed ");
+    }
+
+    DBG_PRINT3("acl_usr_cache_passwd_check: uid = \"%s\" at time = %ld\n",
+	       uid, time);
+    user_hash_crit_exit();
+
+    return rv;
+}
+
+
+static int group_check_helper (UserCacheObj *usrobj, void *val)
+{
+    if (usrobj->group && !strcmp(usrobj->group, (char *)val))
+	return LAS_EVAL_TRUE;
+    else
+	return LAS_EVAL_FALSE;
+}
+
+int acl_usr_cache_group_check (const char *uid, const char *dbname,
+			       const char *group, const time_t time)
+{
+    UserCacheObj *usrobj;
+    int rv;
+
+    user_hash_crit_enter();
+    rv = acl_usr_cache_get_usrobj(uid, 0, dbname, time, &usrobj);
+
+    if (rv == LAS_EVAL_TRUE && usrobj->group && group &&
+	!strcmp(usrobj->group, group))
+    {
+	DBG_PRINT1("Success ");
+    }
+    else {
+	rv = LAS_EVAL_FALSE;
+	DBG_PRINT1("Failed ");
+    }
+
+    DBG_PRINT3("acl_usr_cache_group_check: uid = \"%s\" group = \"%s\"\n",
+	       uid, group ? group : "<NONE>");
+    user_hash_crit_exit();
+
+    return rv;
+}
+
+int acl_usr_cache_group_len_check (const char *uid, const char *dbname,
+				   const char *group, const int len,
+				   const time_t time)
+{
+    UserCacheObj *usrobj;
+    int rv;
+
+    user_hash_crit_enter();
+    rv = acl_usr_cache_get_usrobj(uid, 0, dbname, time, &usrobj);
+
+    if (rv == LAS_EVAL_TRUE && usrobj->group && group &&
+	!strncmp(usrobj->group, group, len))
+    {
+	rv = LAS_EVAL_TRUE;
+	DBG_PRINT1("Success ");
+    }
+    else {
+	rv = LAS_EVAL_FALSE;
+	DBG_PRINT1("Failed ");
+    }
+
+    DBG_PRINT3("acl_usr_cache_group_check: uid = \"%s\" group = \"%s\"\n",
+	       uid, group);
+    user_hash_crit_exit();
+
+    return rv;
+}
+
+
+int acl_usr_cache_get_userdn (const char *uid, const char *dbname,
+			      const time_t time, char **userdn,
+			      pool_handle_t *pool)
+{
+    UserCacheObj *usrobj;
+    int rv;
+
+    *userdn = 0;
+    user_hash_crit_enter();
+    rv = acl_usr_cache_get_usrobj(uid, 0, dbname, time, &usrobj);
+
+    if (rv == LAS_EVAL_TRUE) {
+	*userdn = usrobj->userdn ? pool_strdup(pool, usrobj->userdn) : 0;
+	DBG_PRINT1("Success ");
+    }
+    else {
+	DBG_PRINT1("Failed ");
+    }
+
+    DBG_PRINT3("acl_usr_cache_get_userdn: uid = \"%s\" userdn = \"%s\"\n",
+	       uid, *userdn ? *userdn : "<NONE>");
+    user_hash_crit_exit();
+
+    return *userdn ? LAS_EVAL_TRUE : LAS_EVAL_FALSE;
+}
+
+int acl_usr_cache_userdn_check (const char *uid, const char *dbname,
+				const char *userdn, const time_t time)
+{
+    UserCacheObj *usrobj;
+    int rv;
+
+    user_hash_crit_enter();
+    rv = acl_usr_cache_get_usrobj(uid, 0, dbname, time, &usrobj);
+
+    if (rv == LAS_EVAL_TRUE && usrobj->userdn && userdn &&
+	!strcmp(usrobj->userdn, userdn))
+    {
+	DBG_PRINT1("Success ");
+    }
+    else {
+	rv = LAS_EVAL_FALSE;
+	DBG_PRINT1("Failed ");
+    }
+
+    DBG_PRINT3("acl_usr_cache_userdn_check: uid = \"%s\" userdn = \"%s\"\n",
+	       uid, userdn ? userdn : "<NONE>");
+    user_hash_crit_exit();
+
+    return rv;
+}
+
+int acl_usr_cache_set_userdn (const char *uid, const char *dbname,
+			      const char *userdn, const time_t time)
+{
+    int rv;
+
+    /* acl_usr_cache_insert updates the existing un-expired entry or creates a
+     * new one */
+    rv = acl_usr_cache_insert(uid, dbname, userdn, 0, 0, 0, time);
+
+    return rv;
+}
+
+int acl_usr_cache_get_group (const char *uid, const char *dbname,
+			     const time_t time, char **group,
+			     pool_handle_t *pool)
+{
+    UserCacheObj *usrobj;
+    int rv;
+
+    *group = 0;
+    user_hash_crit_enter();
+    rv = acl_usr_cache_get_usrobj(uid, 0, dbname, time, &usrobj);
+
+    if (rv == LAS_EVAL_TRUE) {
+	*group = usrobj->group ? pool_strdup(pool, usrobj->group) : 0;
+	DBG_PRINT1("Success ");
+    }
+    else {
+	DBG_PRINT1("Failed ");
+    }
+
+    DBG_PRINT3("acl_usr_cache_get_group: uid = \"%s\" group = \"%s\"\n",
+	       uid, *group ? *group : "<NONE>");
+    user_hash_crit_exit();
+
+    return *group ? LAS_EVAL_TRUE : LAS_EVAL_FALSE;
+}
+
+int acl_usr_cache_set_group (const char *uid, const char *dbname,
+			     const char *group, const time_t time)
+{
+    int rv;
+
+    /* acl_usr_cache_insert updates the existing un-expired entry or creates a
+     * new one */
+    rv = acl_usr_cache_insert(uid, dbname, 0, 0, group, 0, time);
+
+    return rv;
+}
+
+int acl_cert_cache_insert (void *cert_in, const char *dbname,
+			   const char *uid, const char *dn,
+			   const time_t time)
+{
+    CERTCertificate *cert = (CERTCertificate *)cert_in;
+    SECItem derCert = cert->derCert;
+    int rv;
+
+    rv = acl_usr_cache_insert(uid, dbname, dn, 0, 0, &derCert, time);
+
+    return rv;
+}
+
+/* Returns LAS_EVAL_TRUE if the user's cache is valid and returns uid */
+int acl_cert_cache_get_uid (void *cert_in, const char *dbname,
+			    const time_t time, char **uid, char **dn,
+			    pool_handle_t *pool)
+{
+    CERTCertificate *cert = (CERTCertificate *)cert_in;
+    SECItem derCert = cert->derCert;
+    UserCacheObj *usrobj = 0;
+    int rv;
+
+    rv = acl_usr_cache_get_usrobj(0, &derCert, dbname, time, &usrobj);
+
+    if (rv == LAS_EVAL_TRUE && usrobj && usrobj->uid) {
+	*uid = pool_strdup(pool, usrobj->uid);
+	*dn = usrobj->userdn ? pool_strdup(pool, usrobj->userdn) : 0;
+    }
+    else {
+	*uid = 0;
+	*dn = 0;
+	rv = LAS_EVAL_FALSE;
+    }
+
+    return rv;
+}
+