memset(rp, 0, sizeof(TR_RP_CLIENT));
/* TBD -- support more than one filter entry per RP Client? */
- if (NULL == (rp->filters[0] = tr_cfg_parse_one_filter(tr, jfilt, rc))) {
+ if (NULL == (rp->filter = tr_cfg_parse_one_filter(tr, jfilt, rc))) {
fprintf(stderr, "tr_cfg_parse_one_rp_client: Error parsing filter.\n");
free(rp);
*rc = TR_CFG_NOPARSE;
#include <string.h>
#include <tr_filter.h>
-void tr_filter_free (TR_FILTER *filt) {
- int i = 0, j = 0;
-
- if (!filt)
- return;
-
- for (i = 0; i < TR_MAX_FILTER_LINES; i++) {
- if (filt->lines[i]) {
- for (j = 0; j < TR_MAX_FILTER_SPECS; j++) {
- if (filt->lines[i]->specs[j])
- free(filt->lines[i]->specs[j]);
- }
- free(filt->lines[i]);
- }
- }
-
- free (filt);
-}
-
/* Returns TRUE (1) if the the string (str) matchs the wildcard string (wc_str), FALSE (0) if not.
*/
int tr_prefix_wildcard_match (char *str, char *wc_str) {
else
return 0;
}
+
+int tr_filter_process_rp_permitted (TR_NAME *rp_realm, TR_FILTER *rpp_filter, TR_CONSTRAINT_SET *in_constraints, TR_CONSTRAINT_SET **out_constraints, int *out_action)
+{
+ int i = 0, j = 0;
+
+ *out_action = TR_FILTER_ACTION_REJECT;
+ *out_constraints = NULL;
+
+ /* If this isn't a valid rp_permitted filter, return no match. */
+ if ((!rpp_filter) ||
+ (TR_FILTER_TYPE_RP_PERMITTED != rpp_filter->type)) {
+ return TR_FILTER_NO_MATCH;
+ }
+
+ /* Check if there is a match for this filter. */
+ for (i = 0; i < TR_MAX_FILTER_LINES; i++) {
+ for (j = 0; j < TR_MAX_FILTER_SPECS; j++) {
+ if (tr_prefix_wildcard_match(rp_realm->buf, rpp_filter->lines[i]->specs[j]->match)) {
+ *out_action = rpp_filter->lines[i]->action;
+ *out_constraints = &(rpp_filter->lines[i]->constraints);
+ return TR_FILTER_MATCH;
+ }
+ }
+ }
+ /* If there is no match, indicate that. */
+ return TR_FILTER_NO_MATCH;
+}
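Review bot: The match loop in tr_filter_process_rp_permitted dereferences `rpp_filter->lines[i]` and `->specs[j]` for every slot up to TR_MAX_FILTER_LINES/TR_MAX_FILTER_SPECS with no NULL check, although tr_filter_free immediately below guards both with `if (filt->lines[i])` and `if (filt->lines[i]->specs[j])`, so a filter with fewer than the maximum lines or specs will read through a NULL pointer on the first request it evaluates; add `if (!rpp_filter->lines[i]) continue;` at the top of the outer loop and `if (!rpp_filter->lines[i]->specs[j]) continue;` at the top of the inner one. The same guard style should cover `rp_realm`, which is dereferenced as `rp_realm->buf` while only `rpp_filter` is validated. Separately, `*out_constraints = &(rpp_filter->lines[i]->constraints);` takes the address of a field that the header hunk declares as a pointer (`TR_CONSTRAINT_SET *constraints`), so the caller receives a `TR_CONSTRAINT_SET **` through a `TR_CONSTRAINT_SET **` out-parameter; it should be `*out_constraints = rpp_filter->lines[i]->constraints;`. The `in_constraints` parameter is accepted but never read, which is presumably intended for the forwarding TBD but is worth a comment.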
+
+void tr_filter_free (TR_FILTER *filt) {
+ int i = 0, j = 0;
+
+ if (!filt)
+ return;
+
+ for (i = 0; i < TR_MAX_FILTER_LINES; i++) {
+ if (filt->lines[i]) {
+ for (j = 0; j < TR_MAX_FILTER_SPECS; j++) {
+ if (filt->lines[i]->specs[j])
+ free(filt->lines[i]->specs[j]);
+ }
+ free(filt->lines[i]);
+ }
+ }
+
+ free (filt);
+}
+
#define TR_MAX_FILTERS 5
#define TR_MAX_FILTER_LINES 8
#define TR_MAX_FILTER_SPECS 8
+#define TR_MAX_CONS_VALUES 8
/* Filter actions */
#define TR_FILTER_ACTION_REJECT 0
#define TR_FILTER_ACTION_ACCEPT 1
+/* Match codes */
+#define TR_FILTER_MATCH 0
+#define TR_FILTER_NO_MATCH 1
+
/* Filter types */
#define TR_FILTER_TYPE_RP_PERMITTED 0
/* Other types TBD */
+typedef json_t TR_CONSTRAINT_SET;
+
typedef struct tr_constraint {
- struct tr_constraint *next;
- TR_NAME values[];
+ TR_NAME values[TR_MAX_CONS_VALUES];
} TR_CONSTRAINT;
typedef struct tr_fspec {
typedef struct tr_fline {
int action;
TR_FSPEC *specs[TR_MAX_FILTER_SPECS];
- TR_CONSTRAINT *realm_cons;
- TR_CONSTRAINT *domain_cons;
- json_t *j_constraints;
+ TR_CONSTRAINT_SET *constraints;
} TR_FLINE;
typedef struct tr_filter {
void tr_filter_free (TR_FILTER *filt);
int tr_prefix_wildcard_match (char *str, char *wc_str);
-
+int tr_filter_process_rp_permitted (TR_NAME *rp_realm, TR_FILTER *rpp_filter, TR_CONSTRAINT_SET *in_constraints, TR_CONSTRAINT_SET **out_constraints, int *out_action);
#endif
struct tr_rp_client *next;
struct tr_rp_client *comm_next;
TR_NAME *gss_names[TR_MAX_GSS_NAMES];
- TR_FILTER *filters[TR_MAX_FILTERS];
+ TR_FILTER *filter;
} TR_RP_CLIENT;
/* Structure to make a linked list of RP realms by name for community config */
TID_REQ *fwd_req = NULL;
TR_COMM *cfg_comm = NULL;
TR_COMM *cfg_apc = NULL;
- int rc;
+ TR_CONSTRAINT *ocons = NULL;
+ int oaction = TR_FILTER_ACTION_REJECT;
+ int rc = 0;
if ((!tids) || (!orig_req) || (!resp) || (!(*resp)) || (!tr)) {
fprintf(stderr, "tids_req_handler: Bad parameters\n");
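Review bot: `TR_CONSTRAINT *ocons = NULL;` has the wrong type for the out-parameter it is later passed to: tr_filter_process_rp_permitted is declared in the header hunk as taking `TR_CONSTRAINT_SET **out_constraints`, and `TR_CONSTRAINT_SET` is a typedef of `json_t`, so `&ocons` is an incompatible `TR_CONSTRAINT **`. Change the declaration to `TR_CONSTRAINT_SET *ocons = NULL;` so the constraints handed back are usable when the forwarding TBD is filled in. tids_req_handler starts and ends outside this hunk.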
/* Check that the rp_realm matches the filter for the GSS name that
* was received. */
- /* TBD -- rewrite for new filtering system.
if ((!((TR_INSTANCE *)tr)->rp_gss) ||
- (!((TR_INSTANCE *)tr)->rp_gss->rp_match)) {
+ (!((TR_INSTANCE *)tr)->rp_gss->filter)) {
fprintf(stderr, "tr_tids_req_handler: No GSS name for incoming request.\n");
tids_send_err_response(tids, orig_req, "No GSS name for request");
return -1;
}
- if (!tr_prefix_wildcard_match(orig_req->rp_realm->buf, ((TR_INSTANCE *)tr)->rp_gss->rp_match->buf)) {
- fprintf(stderr, "tr_tids_req_handler: RP realm (%s) does not match RP Realm filter for GSS name (%s)\n", orig_req->rp_realm->buf, ((TR_INSTANCE *)tr)->rp_gss->rp_match->buf);
+ if ((TR_FILTER_NO_MATCH == tr_filter_process_rp_permitted(orig_req->rp_realm, ((TR_INSTANCE *)tr)->rp_gss->filter, NULL, &ocons, &oaction)) ||
+ (TR_FILTER_ACTION_REJECT == oaction)) {
+ fprintf(stderr, "tr_tids_req_handler: RP realm (%s) does not match RP Realm filter for GSS name\n");
tids_send_err_response(tids, orig_req, "RP Realm filter error");
- return -1;
}
- */
+ /* TBD -- add constraints to request for further forwarding. */
/* Check that the rp_realm and target_realm are members of the community in the request */
if (NULL == (tr_find_comm_rp(cfg_comm, orig_req->rp_realm))) {
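Review bot: The re-enabled filter check is fail-open: when tr_filter_process_rp_permitted reports no match or a REJECT action, the code logs and sends an error response but the old `return -1;` (removed in this hunk) is not restored, so the handler keeps processing the rejected request through the community checks and whatever follows below the hunk. Restore `return -1;` directly after `tids_send_err_response(tids, orig_req, "RP Realm filter error");` so a realm that fails the RP-permitted filter never proceeds. The new `fprintf` also keeps a `%s` conversion but drops its argument, which is undefined behavior and will print stack garbage or crash; either pass `orig_req->rp_realm->buf` (assuming rp_realm is non-NULL here, which the visible parameter check does not establish) or remove the specifier. tids_req_handler starts and ends outside this hunk.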