2 * Copyright (c) 2012-2014, JANET(UK)
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
16 * 3. Neither the name of JANET(UK) nor the names of its contributors
17 * may be used to endorse or promote products derived from this software
18 * without specific prior written permission.
20 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
21 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
22 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
23 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
24 * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
25 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
26 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
27 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
29 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
30 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
31 * OF THE POSSIBILITY OF SUCH DAMAGE.
35 #if JANSSON_VERSION_HEX < 0x020500
36 #include "jansson_iterators.h"
41 #include <tr_filter.h>
42 #include <tid_internal.h>
44 #include <tr_constraint_internal.h>
47 * Helper for tr_constraint_destructor - calls tr_free_name on its first argument
49 * @param item void pointer to a TR_NAME
50 * @param cookie ignored
52 static void constraint_destruct_helper(void *item, void *cookie)
54 TR_NAME *name = (TR_NAME *) item;
57 static int tr_constraint_destructor(void *obj)
59 TR_CONSTRAINT *cons = talloc_get_type_abort(obj, TR_CONSTRAINT);
62 tr_free_name(cons->type);
65 tr_list_foreach(cons->matches, constraint_destruct_helper, NULL);
70 TR_CONSTRAINT *tr_constraint_new(TALLOC_CTX *mem_ctx)
72 TR_CONSTRAINT *cons = talloc(mem_ctx, TR_CONSTRAINT);
76 cons->matches = tr_list_new(cons);
77 if (cons->matches == NULL) {
81 talloc_set_destructor((void *) cons, tr_constraint_destructor);
86 void tr_constraint_free(TR_CONSTRAINT *cons)
92 * Helper for tr_constraint_dup - duplicates a TR_NAME and adds it as a TR_CONSTRAINT match
94 * No return value. If this succeeds, it will have added a new entry to the TR_CONSTRAINT
95 * match list. Check the length of that - you won't be able to tell whether the allocation
96 * of the duplicate TR_NAME or the addition to the list failed, but either of those is probably
97 * due to a memory allocation failure, in which case the system is probably crashing anyway.
99 * @param item void pointer to a TR_NAME to add as a match
100 * @param cookie void pointer to a TR_CONSTRAINT to add the match to
102 static void cons_dup_helper(void *item, void *cookie)
104 TR_CONSTRAINT *new_cons = talloc_get_type_abort(cookie, TR_CONSTRAINT);
105 TR_NAME *new_name = tr_dup_name((TR_NAME *) item);
107 /* check that new_name is added, free if it fails */
108 if (tr_constraint_add_match(new_cons, new_name) == NULL)
109 tr_free_name(new_name);
113 * Duplicate a TR_CONSTRAINT
115 * @param mem_ctx talloc context for the result
116 * @param cons TR_CONSTRAINT to duplicate
117 * @return pointer to the new TR_CONSTRAINT, or NULL on error
119 TR_CONSTRAINT *tr_constraint_dup(TALLOC_CTX *mem_ctx, TR_CONSTRAINT *cons)
121 TALLOC_CTX *tmp_ctx = talloc_new(NULL);
122 TR_CONSTRAINT *new = NULL;
127 new = tr_constraint_new(tmp_ctx);
131 new->type = tr_dup_name(cons->type);
132 if (new->type == NULL) {
137 tr_list_foreach(cons->matches, cons_dup_helper, new); /* copies matches to new->matches */
138 /* check that we were successful - if we were, then the lists will be the same length */
139 if (tr_list_length(new->matches) != tr_list_length(cons->matches)) {
141 goto cleanup; /* at least one dup or add failed */
145 talloc_steal(mem_ctx, new);
148 talloc_free(tmp_ctx);
152 /* Returns TRUE (1) if the the string (str) matches the wildcard string (wc_str), FALSE (0) if not.
153 * Allows for a single '*' as the wildcard character if it is the first character. Leading white
154 * space is significant.
156 int tr_prefix_wildcard_match(const char *str, const char *wc_str)
158 const char *wc_post = wc_str;
162 if ((!str) || (!wc_str))
166 if (0 == (wc_len = strlen(wc_str)))
169 /* TBD -- skip leading white space? */
170 if ('*' == wc_str[0]) {
171 wc_post = &(wc_str[1]);
173 } else if (len != wc_len)
180 if (0 == strcmp(&(str[len - wc_len]), wc_post)) {
186 /* This combines the two constraints in a filter line (TR_FLINE) into a single
187 * set with two constraints. */
188 TR_CONSTRAINT_SET *tr_constraint_set_from_fline(TR_FLINE *fline)
195 if (fline->realm_cons)
196 tr_constraint_add_to_set((TR_CONSTRAINT_SET **) &cset, fline->realm_cons);
197 if (fline->domain_cons)
198 tr_constraint_add_to_set((TR_CONSTRAINT_SET **) &cset, fline->domain_cons);
200 return (TR_CONSTRAINT_SET *) cset;
203 /* A constraint set is represented in json as an array of constraint
204 * objects. So, a constraint set (cset) that consists of one realm
205 * constraint and one domain constraint might look like:
207 * {cset: [{domain: [a.com, b.co.uk]},
208 * {realm: [c.net, d.org]}]}
210 * This routine takes a TR_CONSTRAINT, converts it to its JSON representation,
211 * and adds that to the TR_CONSTRAINT_SET.
213 void tr_constraint_add_to_set(TR_CONSTRAINT_SET **cset, TR_CONSTRAINT *cons)
215 json_t *jcons = NULL;
216 json_t *jmatches = NULL;
217 TR_NAME *this_match = NULL;
218 TR_CONSTRAINT_ITER iter = {0};
220 if ((!cset) || (!cons))
223 /* If we don't already have a json object, create one */
225 *cset = (TR_CONSTRAINT_SET *) json_array();
227 /* Create a json object representing cons */
228 jmatches = json_array();
229 jcons = json_object();
231 for (this_match = tr_constraint_iter_first(&iter, cons);
233 this_match = tr_constraint_iter_next(&iter))
235 json_array_append_new(jmatches, tr_name_to_json_string(this_match));
238 json_object_set_new(jcons, cons->type->buf, jmatches);
240 /* Add the created object to the cset object */
241 json_array_append_new((json_t *) *cset, jcons);
244 /* Test whether a JSON object has a valid structure
245 * to represent a constraint set.
247 int tr_constraint_set_validate(TR_CONSTRAINT_SET *cset) {
248 json_t *json = (json_t *) cset;
251 if (!json_is_array(json)) {
252 tr_debug("Constraint_set is not an array");
255 json_array_foreach(json, i, set_member) {
258 if (!json_is_object(set_member)) {
259 tr_debug("Constraint member at %zu is not an object\n", i);
262 json_object_foreach(set_member, key, value) {
265 if (!json_is_array(value)) {
266 tr_debug("Constraint type %s at index %zu in constraint set is not an array\n", key,
270 json_array_foreach(value, inner_index, inner_value) {
271 if (!json_is_string(inner_value)) {
272 tr_debug("Constraint type %s at index %zu in constraint set has non-string element %zu\n",
273 key, i, inner_index);
283 * Create a new constraint set containing all constraints from #orig
284 * with constraint_type #constraint_type and no others. This constraint set is
285 * live until #request is freed.
287 TR_CONSTRAINT_SET *tr_constraint_set_filter(TID_REQ *request,
288 TR_CONSTRAINT_SET *orig,
289 const char *constraint_type)
291 json_t *orig_cset = (json_t *) orig;
292 json_t *new_cs = NULL;
295 if (!tr_constraint_set_validate((TR_CONSTRAINT_SET *) orig_cset)) {
296 tr_debug ("tr_constraint_set_filter: not a valid constraint set\n");
299 new_cs = json_array();
301 json_array_foreach(orig_cset, index, set_member) {
302 if (json_object_get(set_member, constraint_type))
303 json_array_append(new_cs, set_member);
305 tid_req_cleanup_json(request, new_cs);
306 return (TR_CONSTRAINT_SET *) new_cs;
310 * Within a given constraint object merge any overlapping domain or
311 * realm constraints. For example ['*','*.net'] can be simplified to
314 static void merge_constraints(json_t *constraint, const char *key)
316 json_t *value_1, *value_2, *constraint_array;
317 size_t index_1, index_2;
319 * Go through the loop pairwise linear, removing elements where one
320 * element is a subset of the other. Always shrik the array from
321 * the end so that index_1 never becomes invalid (swapping if
324 constraint_array = json_object_get(constraint, key);
325 if (NULL == constraint_array)
327 json_array_foreach(constraint_array, index_1, value_1)json_array_foreach(constraint_array, index_2, value_2) {
328 if (index_2 <= index_1)
330 if (tr_prefix_wildcard_match(json_string_value(value_2),
331 json_string_value(value_1))) {
332 json_array_remove(constraint_array, index_2);
334 } else if (tr_prefix_wildcard_match(json_string_value(value_1),
335 json_string_value(value_2))) {
336 json_array_set(constraint_array, index_1, value_2);
337 json_array_remove(constraint_array, index_2);
344 * Returns an array of constraint strings that is the intersection of
345 * all constraints in the constraint_set of type #type
347 static json_t *constraint_intersect_internal(TR_CONSTRAINT_SET *constraints,
348 const char *constraint_type)
350 json_t *constraint, *result = NULL;
352 json_array_foreach((json_t *) constraints, i, constraint) {
353 merge_constraints(constraint, constraint_type);
354 if (NULL == result) {
355 result = json_object_get(constraint, constraint_type);
357 result = json_copy(result);
359 json_t *intersect, *value_1, *value_2;
360 size_t index_1, index_2;
361 intersect = json_object_get(constraint, constraint_type);
362 /*If an element of the constraint set doesn't have a particular
363 * constraint type, we ignore that element of the constraint set.
364 * However, if no element of the constraint set has a particular
365 * constraint type we return empty (no access) rather than universal
370 json_array_foreach(result, index_1, value_1) {
371 json_array_foreach(intersect, index_2, value_2) {
372 if (tr_prefix_wildcard_match(json_string_value(value_1),
373 json_string_value(value_2)))
374 goto result_acceptable;
375 else if (tr_prefix_wildcard_match(json_string_value(value_2),
376 json_string_value(value_1))) {
377 json_array_set(result, index_1, value_2);
378 goto result_acceptable;
381 json_array_remove(result, index_1);
394 * Return the intersection of domain and realm constraints.
395 * Return is live until #request is freed.
397 TR_CONSTRAINT_SET *tr_constraint_set_intersect(TID_REQ *request,
398 TR_CONSTRAINT_SET *input)
400 json_t *domain = NULL, *realm = NULL;
401 json_t *result = NULL, *result_array = NULL;
402 if (tr_constraint_set_validate(input)) {
403 domain = constraint_intersect_internal(input, "domain");
404 realm = constraint_intersect_internal(input, "realm");
406 result = json_object();
409 json_object_set_new(result, "domain", domain);
411 json_object_set_new(result, "realm", realm);
412 result_array = json_array();
413 assert(result_array);
414 json_array_append_new(result_array, result);
415 tid_req_cleanup_json(request, result_array);
416 return (TR_CONSTRAINT_SET *) result_array;
419 /** Get the set of wildcard strings that matches a fully intersected
420 * constraint set. Requires that the constraint set only have one
421 * constraint in it, but the constraint may have multiple matches for
422 * a given type. Returns true on success false on failure. The
423 * output is live as long as the request is live.
425 int tr_constraint_set_get_match_strings(TID_REQ *request,
426 TR_CONSTRAINT_SET *constraints,
427 const char *constraint_type,
428 tr_const_string **output,
431 json_t *cset = (json_t *) constraints;
432 json_t *member, *matches, *value;;
433 size_t index, array_size;
434 assert (output && output_len);
437 if (json_array_size(cset) != 1) {
438 tr_debug("Constraint set for get_match_strings has more than one member\n");
441 member = json_array_get(cset, 0);
442 matches = json_object_get(member, constraint_type);
445 array_size = json_array_size(matches);
448 *output = talloc_array_ptrtype(request, *output, array_size);
449 json_array_foreach(matches, index, value)(*output)[index] = json_string_value(value);
450 *output_len = array_size;