Diffstat (limited to 'src/kadmin/server/acls.l')
| -rw-r--r-- | src/kadmin/server/acls.l | 190 |
1 files changed, 190 insertions, 0 deletions
diff --git a/src/kadmin/server/acls.l b/src/kadmin/server/acls.l
new file mode 100644
index 000000000..aee4801e9
--- /dev/null
+++ b/src/kadmin/server/acls.l
@@ -0,0 +1,190 @@
+%{
+/*
+ * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved.
+ *
+ * $Id$
+ * $Source$
+ *
+ * $Log$
+ * Revision 1.3 1996/07/22 20:28:49 marc
+ * this commit includes all the changes on the OV_9510_INTEGRATION and
+ * OV_MERGE branches. This includes, but is not limited to, the new openvision
+ * admin system, and major changes to gssapi to add functionality, and bring
+ * the implementation in line with rfc1964. before committing, the
+ * code was built and tested for netbsd and solaris.
+ *
+ * Revision 1.2.4.1 1996/07/18 03:03:31 marc
+ * merged in changes from OV_9510_BP to OV_9510_FINAL1
+ *
+ * Revision 1.2.2.1 1996/06/20 21:56:31 marc
+ * File added to the repository on a branch
+ *
+ * Revision 1.2 1993/11/05 07:47:46 bjaspan
+ * add and use cmp_gss_names, fix regexp bug
+ *
+ * Revision 1.1 1993/11/05 07:08:48 bjaspan
+ * Initial revision
+ *
+ */
+
+#if !defined(lint) && !defined(__CODECENTER__)
+static char *rcsid = "$Header$";
+#endif
+
+enum tokens {
+ NEWLINE = 257,
+ COMMA,
+ SEMI,
+
+ GET = 300,
+ ADD,
+ MODIFY,
+ DELETE,
+
+ ID = 350,
+};
+
+typedef union {
+ char *s;
+} toktype;
+
+toktype tokval;
+int acl_lineno = 0;
+
+%}
+
+%%
+
+\n acl_lineno++;
+[ \t]* ;
+[ ]*#.* ;
+"," return (COMMA);
+";" return (SEMI);
+"get" return (GET);
+"add" return (ADD);
+"modify" return (MODIFY);
+"delete" return (DELETE);
+^[^ \t\n]+ { tokval.s = yytext; return (ID); }
+
+%%
+
+#include <string.h>
+#include <syslog.h>
+#include <gssapi/gssapi.h>
+#include <gssapi/gssapi_krb5.h>
+#include <ovsec_admin/admin.h>
+
+typedef struct _entry {
+ gss_name_t gss_name;
+ char *name;
+ u_int privs;
+ struct _entry *next;
+} acl_entry;
+
+static acl_entry *acl_head = NULL;
+
+static void error(char *msg);
+
+int parse_aclfile(FILE *acl_file)
+{
+ OM_uint32 gssstat, minor_stat;
+ gss_buffer_desc in_buf;
+ acl_entry *entry;
+ enum tokens tok;
+
+ yyin = acl_file;
+
+ acl_lineno = 1;
+ while ((tok = yylex()) != 0) {
+ if (tok != ID) {
+ error("expected identifier");
+ goto error;
+ }
+
+ entry = (acl_entry *) malloc(sizeof(acl_entry));
+ if (entry == NULL) {
+ error("out of memory");
+ goto error;
+ }
+ entry->name = strdup(tokval.s);
+ entry->privs = 0;
+ while (1) {
+ switch (tok = yylex()) {
+ case GET:
+ entry->privs |= OVSEC_KADM_PRIV_GET;
+ break;
+ case ADD:
+ entry->privs |= OVSEC_KADM_PRIV_ADD;
+ break;
+ case MODIFY:
+ entry->privs |= OVSEC_KADM_PRIV_MODIFY;
+ break;
+ case DELETE:
+ entry->privs |= OVSEC_KADM_PRIV_DELETE;
+ break;
+ default:
+ error("expected privilege");
+ goto error;
+ }
+ tok = yylex();
+ if (tok == COMMA)
+ continue;
+ else if (tok == SEMI)
+ break;
+ else {
+ error("expected comma or semicolon");
+ goto error;
+ }
+ }
+
+ in_buf.value = entry->name;
+ in_buf.length = strlen(entry->name) + 1;
+ gssstat = gss_import_name(&minor_stat, &in_buf,
+ gss_nt_krb5_name, &entry->gss_name);
+ if (gssstat != GSS_S_COMPLETE) {
+ error("invalid name");
+ goto error;
+ }
+
+ if (acl_head == NULL) {
+ entry->next = NULL;
+ acl_head = entry;
+ } else {
+ entry->next = acl_head;
+ acl_head = entry;
+ }
+ }
+ return 0;
+
+error:
+ return 1;
+}
+
+int acl_check(gss_name_t caller, int priv)
+{
+ acl_entry *entry;
+
+ entry = acl_head;
+ while (entry) {
+ if (cmp_gss_names(entry->gss_name, caller) && entry->privs & priv)
+ return 1;
+ entry = entry->next;
+ }
+ return 0;
+}
+
+int cmp_gss_names(gss_name_t name1, gss_name_t name2)
+{
+ OM_uint32 minor_stat;
+ int eq;
+ (void) gss_compare_name(&minor_stat, name1, name2, &eq);
+ return eq;
+}
+
+static void error(char *msg)
+{
+ syslog(LOG_ERR, "Error while parsing acl file, line %d: %s\n",
+ acl_lineno, msg);
+}
+
+yywrap() { return(1); } |
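Review bot: cmp_gss_names returns `eq` even when gss_compare_name fails, and `eq` is never initialised, so a failed comparison leaves acl_check deciding a privilege grant on indeterminate data; the call's major status is discarded with the `(void)` cast. Initialise it and honour the status: `int eq = 0;` and `if (gss_compare_name(&minor_stat, name1, name2, &eq) != GSS_S_COMPLETE) return 0;` before `return eq;`. In parse_aclfile, every `goto error` taken after the malloc leaks `entry` and `entry->name`, and the `strdup(tokval.s)` result is not checked for NULL before strlen and gss_import_name use it; freeing the partial entry at the `error:` label and treating a NULL name like the out-of-memory case would close both. The `error` label and the `error()` function live in separate C namespaces so this compiles, but a distinct label such as `fail` would read more clearly.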
