From 9de6bdbaf99c345fd00337ed2293f743bd1faee0 Mon Sep 17 00:00:00 2001
From: Margaret Wasserman
Date: Thu, 19 Dec 2013 13:14:09 -0500
Subject: [PATCH] Full support for rp_permitted filters using new filter structures, etc.

---
 common/tr_config.c | 2 +-
 common/tr_filter.c | 66 ++++++++++++++++++++++++++++++++++++++---------------
 include/tr_filter.h | 16 ++++++++-----
 include/tr_rp.h | 2 +-
 tr/tr_main.c | 15 ++++++------
 5 files changed, 67 insertions(+), 34 deletions(-)

diff --git a/common/tr_config.c b/common/tr_config.c
index 8e49c95..9324134 100644
--- a/common/tr_config.c
+++ b/common/tr_config.c
@@ -280,7 +280,7 @@ static TR_RP_CLIENT *tr_cfg_parse_one_rp_client (TR_INSTANCE *tr, json_t *jrp, T
 memset(rp, 0, sizeof(TR_RP_CLIENT));
 
 /* TBD -- support more than one filter entry per RP Client? */
- if (NULL == (rp->filters[0] = tr_cfg_parse_one_filter(tr, jfilt, rc))) {
+ if (NULL == (rp->filter = tr_cfg_parse_one_filter(tr, jfilt, rc))) {
 fprintf(stderr, "tr_cfg_parse_one_rp_client: Error parsing filter.\n");
 free(rp);
 *rc = TR_CFG_NOPARSE;
diff --git a/common/tr_filter.c b/common/tr_filter.c
index 0143d89..5c09fa9 100644
--- a/common/tr_filter.c
+++ b/common/tr_filter.c
@@ -37,25 +37,6 @@
 #include
 #include
 
-void tr_filter_free (TR_FILTER *filt) {
- int i = 0, j = 0;
-
- if (!filt)
- return;
-
- for (i = 0; i < TR_MAX_FILTER_LINES; i++) {
- if (filt->lines[i]) {
- for (j = 0; j < TR_MAX_FILTER_SPECS; j++) {
- if (filt->lines[i]->specs[j])
- free(filt->lines[i]->specs[j]);
- }
- free(filt->lines[i]);
- }
- }
-
- free (filt);
-}
-
 /* Returns TRUE (1) if the the string (str) matchs the wildcard string (wc_str),
 FALSE (0) if not. */
 int tr_prefix_wildcard_match (char *str, char *wc_str) {
@@ -85,3 +66,50 @@ int tr_prefix_wildcard_match (char *str, char *wc_str) {
 else
 return 0;
 }
+
+int tr_filter_process_rp_permitted (TR_NAME *rp_realm, TR_FILTER *rpp_filter, TR_CONSTRAINT_SET *in_constraints, TR_CONSTRAINT_SET **out_constraints, int *out_action)
+{
+ int i = 0, j = 0;
+
+ *out_action = TR_FILTER_ACTION_REJECT;
+ *out_constraints = NULL;
+
+ /* If this isn't a valid rp_permitted filter, return no match. */
+ if ((!rpp_filter) ||
+ (TR_FILTER_TYPE_RP_PERMITTED != rpp_filter->type)) {
+ return TR_FILTER_NO_MATCH;
+ }
+
+ /* Check if there is a match for this filter. */
+ for (i = 0; i < TR_MAX_FILTER_LINES; i++) {
+ for (j = 0; j < TR_MAX_FILTER_SPECS; j++) {
+ if (tr_prefix_wildcard_match(rp_realm->buf, rpp_filter->lines[i]->specs[j]->match)) {
+ *out_action = rpp_filter->lines[i]->action;
+ *out_constraints = &(rpp_filter->lines[i]->constraints);
+ return TR_FILTER_MATCH;
+ }
+ }
+ }
+ /* If there is no match, indicate that. */
+ return TR_FILTER_NO_MATCH;
+}
+
+void tr_filter_free (TR_FILTER *filt) {
+ int i = 0, j = 0;
+
+ if (!filt)
+ return;
+
+ for (i = 0; i < TR_MAX_FILTER_LINES; i++) {
+ if (filt->lines[i]) {
+ for (j = 0; j < TR_MAX_FILTER_SPECS; j++) {
+ if (filt->lines[i]->specs[j])
+ free(filt->lines[i]->specs[j]);
+ }
+ free(filt->lines[i]);
+ }
+ }
+
+ free (filt);
+}
+
diff --git a/include/tr_filter.h b/include/tr_filter.h
index 4c61888..08eb51c 100644
--- a/include/tr_filter.h
+++ b/include/tr_filter.h
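Review bot: The match loop in tr_filter_process_rp_permitted dereferences `rpp_filter->lines[i]` and `->specs[j]` for every one of the TR_MAX_FILTER_LINES x TR_MAX_FILTER_SPECS slots, while tr_filter_free in the same hunk treats both arrays as sparse and NULL-checks each entry before touching it; any filter with fewer than 64 populated specs will fault on the first request that does not match an earlier slot. Add `if (!rpp_filter->lines[i]) continue;` at the top of the outer loop and `if (!rpp_filter->lines[i]->specs[j]) continue;` at the top of the inner one, and consider checking rp_realm for NULL alongside rpp_filter since `rp_realm->buf` is read unconditionally. Separately, `*out_constraints = &(rpp_filter->lines[i]->constraints);` stores a `TR_CONSTRAINT_SET **` into a `TR_CONSTRAINT_SET *` slot, because the tr_filter.h hunk declares `TR_FLINE.constraints` as `TR_CONSTRAINT_SET *`; the caller would receive a pointer into the TR_FLINE rather than the json_t, so drop the address-of: `*out_constraints = rpp_filter->lines[i]->constraints;`. The tr_main.c hunk has the mirror-image mismatch on its side (`TR_CONSTRAINT *ocons` passed as `&ocons`). in_constraints is accepted but never read; if that is deliberate for now, a comment on the parameter saying so would stop callers from expecting it to narrow the match.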
@@ -41,18 +41,24 @@
 #define TR_MAX_FILTERS 5
 #define TR_MAX_FILTER_LINES 8
 #define TR_MAX_FILTER_SPECS 8
+#define TR_MAX_CONS_VALUES 8
 
 /* Filter actions */
 #define TR_FILTER_ACTION_REJECT 0
 #define TR_FILTER_ACTION_ACCEPT 1
 
+/* Match codes */
+#define TR_FILTER_MATCH 0
+#define TR_FILTER_NO_MATCH 1
+
 /* Filter types */
 #define TR_FILTER_TYPE_RP_PERMITTED 0
 /* Other types TBD */
 
+typedef json_t TR_CONSTRAINT_SET;
+
 typedef struct tr_constraint {
- struct tr_constraint *next;
- TR_NAME values[];
+ TR_NAME values[TR_MAX_CONS_VALUES];
 } TR_CONSTRAINT;
 
 typedef struct tr_fspec {
@@ -63,9 +69,7 @@ typedef struct tr_fspec {
 typedef struct tr_fline {
 int action;
 TR_FSPEC *specs[TR_MAX_FILTER_SPECS];
- TR_CONSTRAINT *realm_cons;
- TR_CONSTRAINT *domain_cons;
- json_t *j_constraints;
+ TR_CONSTRAINT_SET *constraints;
 } TR_FLINE;
 
 typedef struct tr_filter {
@@ -75,5 +79,5 @@ typedef struct tr_filter {
 
 void tr_filter_free (TR_FILTER *filt);
 int tr_prefix_wildcard_match (char *str, char *wc_str);
-
+int tr_filter_process_rp_permitted (TR_NAME *rp_realm, TR_FILTER *rpp_filter, TR_CONSTRAINT_SET *in_constraints, TR_CONSTRAINT_SET **out_constraints, int *out_action);
 #endif
diff --git a/include/tr_rp.h b/include/tr_rp.h
index de9ad98..43a3b58 100644
--- a/include/tr_rp.h
+++ b/include/tr_rp.h
@@ -44,7 +44,7 @@ typedef struct tr_rp_client {
 struct tr_rp_client *next;
 struct tr_rp_client *comm_next;
 TR_NAME *gss_names[TR_MAX_GSS_NAMES];
- TR_FILTER *filters[TR_MAX_FILTERS];
+ TR_FILTER *filter;
 } TR_RP_CLIENT;
 
 /* Structure to make a linked list of RP realms by name for community config */
diff --git a/tr/tr_main.c b/tr/tr_main.c
index d1bd6e4..70d8b06 100644
--- a/tr/tr_main.c
+++ b/tr/tr_main.c
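Review bot: The new prototype for tr_filter_process_rp_permitted in the -75 hunk carries no contract comment, and the header is where callers will look for one: it should say that the return value is TR_FILTER_MATCH or TR_FILTER_NO_MATCH, that *out_action and *out_constraints are always written (reset to TR_FILTER_ACTION_REJECT and NULL before the filter is examined, as the tr_filter.c implementation does), that *out_constraints points at storage owned by the filter and must not be freed by the caller, and that in_constraints is currently not consulted. A block comment of three or four lines above the declaration covers this. Note also that the -41 hunk defines `TR_FILTER_MATCH` as 0, so a bare `if (tr_filter_process_rp_permitted(...))` reads as "no match"; a line such as `/* TR_FILTER_MATCH is 0 -- always compare against these codes explicitly */` next to the `/* Match codes */` defines would head off that misuse. The same hunk replaces the linked list and flexible array in TR_CONSTRAINT with `TR_NAME values[TR_MAX_CONS_VALUES]` and no count field; presumably unused slots are recognisable from the TR_NAME contents, but that convention is not stated anywhere visible and belongs on the struct.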
@@ -78,7 +78,9 @@ static int tr_tids_req_handler (TIDS_INSTANCE *tids,
 TID_REQ *fwd_req = NULL;
 TR_COMM *cfg_comm = NULL;
 TR_COMM *cfg_apc = NULL;
- int rc;
+ TR_CONSTRAINT *ocons = NULL;
+ int oaction = TR_FILTER_ACTION_REJECT;
+ int rc = 0;
 
 if ((!tids) || (!orig_req) || (!resp) || (!(*resp)) || (!tr)) {
 fprintf(stderr, "tids_req_handler: Bad parameters\n");
@@ -105,21 +107,20 @@ static int tr_tids_req_handler (TIDS_INSTANCE *tids,
 /* Check that the rp_realm matches the filter for the GSS name that
 * was received. */
- /* TBD -- rewrite for new filtering system.
 if ((!((TR_INSTANCE *)tr)->rp_gss) ||
- (!((TR_INSTANCE *)tr)->rp_gss->rp_match)) {
+ (!((TR_INSTANCE *)tr)->rp_gss->filter)) {
 fprintf(stderr, "tr_tids_req_handler: No GSS name for incoming request.\n");
 tids_send_err_response(tids, orig_req, "No GSS name for request");
 return -1;
 }
 
- if (!tr_prefix_wildcard_match(orig_req->rp_realm->buf, ((TR_INSTANCE *)tr)->rp_gss->rp_match->buf)) {
- fprintf(stderr, "tr_tids_req_handler: RP realm (%s) does not match RP Realm filter for GSS name (%s)\n", orig_req->rp_realm->buf, ((TR_INSTANCE *)tr)->rp_gss->rp_match->buf);
+ if ((TR_FILTER_NO_MATCH == tr_filter_process_rp_permitted(orig_req->rp_realm, ((TR_INSTANCE *)tr)->rp_gss->filter, NULL, &ocons, &oaction)) ||
+ (TR_FILTER_ACTION_REJECT == oaction)) {
+ fprintf(stderr, "tr_tids_req_handler: RP realm (%s) does not match RP Realm filter for GSS name\n");
 tids_send_err_response(tids, orig_req, "RP Realm filter error");
- return -1;
 }
- */
+ /* TBD -- add constraints to request for further forwarding. */
 
 /* Check that the rp_realm and target_realm are members of the community in the request */
 if (NULL == (tr_find_comm_rp(cfg_comm, orig_req->rp_realm))) {
-- 
2.1.4
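Review bot: In the -105 hunk the rejection branch no longer returns: the old `return -1;` after `tids_send_err_response(tids, orig_req, "RP Realm filter error");` is deleted and nothing replaces it, so a request whose rp_realm fails the rp_permitted filter (or hits a REJECT line) gets an error response and then falls through into the community membership checks and whatever follows, exactly as a permitted request would; the filter becomes advisory and the handler can end up answering the same request twice. Restore `return -1;` directly after the error response. The new `fprintf(stderr, "tr_tids_req_handler: RP realm (%s) does not match RP Realm filter for GSS name\n");` has a `%s` conversion with no matching argument, which is undefined behaviour and will print whatever happens to be in the variadic slot; pass `orig_req->rp_realm->buf` as the argument or remove the `(%s)`. In the -78 hunk `ocons` is declared `TR_CONSTRAINT *` but `&ocons` is passed where tr_filter_process_rp_permitted expects `TR_CONSTRAINT_SET **`; declare it as `TR_CONSTRAINT_SET *ocons = NULL;`. tr_tids_req_handler begins and ends outside both hunks.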