--- /dev/null
+/*
+ * Copyright (C) 2005-2008 Andre Noll <maan@systemlinux.org>
+ *
+ * Licensed under the GPL v2. For licencing details see COPYING.
+ */
+
+/** \file acl.c Access control lists for paraslash senders. */
+
+#include "para.h"
+#include "error.h"
+#include "string.h"
+#include "list.h"
+#include "net.h"
+
+/**
+ * Describes one entry in the blacklist/whitelist of a paraslash sender.
+ */
+struct access_info {
+ /** The address to be black/whitelisted. */
+ struct in_addr addr;
+ /** The netmask for this entry. */
+ unsigned netmask;
+ /** The position of this entry in the acl. */
+ struct list_head node;
+};
+
+
+/**
+ * Return true if addr_1 matches addr_2 in the first `netmask' bits.
+ */
+static int v4_addr_match(uint32_t addr_1, uint32_t addr_2, uint8_t netmask)
+{
+ uint32_t mask = ~0U;
+
+ if (netmask < 32)
+ mask <<= (32 - netmask);
+ return (htonl(addr_1) & mask) == (htonl(addr_2) & mask);
+}
+
+/**
+ * Find out whether the peer name of a given fd belongs to an acl.
+ *
+ * \param fd File descriptor.
+ * \param acl The access control list.
+ *
+ * \return One if \a fd belongs to \a acl, zero otherwise.
+ */
+int acl_lookup(int fd, struct list_head *acl)
+{
+ struct access_info *ai, *tmp;
+ struct sockaddr_storage ss;
+ socklen_t sslen = sizeof(ss);
+ struct in_addr v4_addr;
+
+ if (getpeername(fd, (struct sockaddr *)&ss, &sslen) < 0) {
+ PARA_ERROR_LOG("Can not determine peer address: %s\n", strerror(errno));
+ goto no_match;
+ }
+ v4_addr = extract_v4_addr(&ss);
+ if (!v4_addr.s_addr)
+ goto no_match;
+
+ list_for_each_entry_safe(ai, tmp, acl, node)
+ if (v4_addr_match(v4_addr.s_addr, ai->addr.s_addr, ai->netmask))
+ return 1;
+no_match:
+ return 0;
+}
+
+/**
+ * Add an entry to an access control list.
+ *
+ * \param acl The access control list.
+ * \param addr The address to add.
+ * \param netmask The netmask to use for this entry.
+ */
+void acl_add_entry(struct list_head *acl, struct in_addr addr,
+ int netmask)
+{
+ struct access_info *ai = para_malloc(sizeof(struct access_info));
+ ai->addr = addr;
+ ai->netmask = netmask;
+ PARA_INFO_LOG("adding %s/%i to access list\n", inet_ntoa(ai->addr),
+ ai->netmask);
+ para_list_add(&ai->node, acl);
+}
+
+
+/**
+ * Delete an entry from an access control list.
+ *
+ * \param acl The access control list.
+ * \param addr The address to delete.
+ * \param netmask The netmask of the entry to be removed from the list.
+ */
+void acl_del_entry(struct list_head *acl, struct in_addr addr,
+ int netmask)
+{
+ struct access_info *ai, *tmp;
+
+ list_for_each_entry_safe(ai, tmp, acl, node) {
+ char *nad = para_strdup(inet_ntoa(ai->addr));
+ if (!strcmp(nad, inet_ntoa(addr)) &&
+ ai->netmask == netmask) {
+ PARA_NOTICE_LOG("removing %s/%i from access list\n",
+ nad, ai->netmask);
+ list_del(&ai->node);
+ free(ai);
+ }
+ free(nad);
+ }
+}
+
+/**
+ * Compute a string containing the contents of an acl.
+ *
+ * \param acl The access control list.
+ *
+ * \return A string containing the contents of \a acl, or \p NULL
+ * if \a acl is empty.
+ */
+char *acl_get_contents(struct list_head *acl)
+{
+ struct access_info *ai, *tmp_ai;
+ char *ret = NULL;
+
+ list_for_each_entry_safe(ai, tmp_ai, acl, node) {
+ char *tmp = make_message("%s%s/%d ", ret? ret : "",
+ inet_ntoa(ai->addr), ai->netmask);
+ free(ret);
+ ret = tmp;
+ }
+ return ret;
+}
+
+/**
+ * Initialize an access control list.
+ *
+ * \param acl The list to initialize.
+ * \param acl_info An array of strings of the form ip/netmask.
+ * \param num The number of strings in \a acl_info.
+ */
+void acl_init(struct list_head *acl, char * const *acl_info, int num)
+{
+ int i;
+
+ INIT_LIST_HEAD(acl);
+ for (i = 0; i < num; i++) {
+ char *arg = para_strdup(acl_info[i]);
+ char *p = strchr(arg, '/');
+ struct in_addr addr;
+ int netmask;
+
+ if (!p)
+ goto err;
+ *p = '\0';
+ if (!inet_pton(AF_INET, arg, &addr))
+ goto err;
+ netmask = atoi(++p);
+ if (netmask < 0 || netmask > 32)
+ goto err;
+ acl_add_entry(acl, addr, netmask);
+ goto success;
+err:
+ PARA_CRIT_LOG("syntax error: %s\n", acl_info[i]);
+success:
+ free(arg);
+ continue;
+ }
+}
+
#include "net.h"
#include "fd.h"
#include "chunk_queue.h"
+#include "acl.h"
/** Message sent to clients that do not send a valid get request. */
#define HTTP_ERR_MSG "HTTP/1.0 400 Bad Request\n"
/** The list of connected clients. */
static struct list_head clients;
/** The whitelist/blacklist. */
-static struct list_head access_perm_list;
+static struct list_head http_acl;
/** Describes one client that connected the tcp port of the http sender. */
struct http_client {
struct chunk_queue *cq;
};
-/**
- * Describes one entry in the blacklist/whitelist of the http sender.
- */
-struct access_info {
- /** The address to be black/whitelisted. */
- struct in_addr addr;
- /** The netmask for this entry. */
- unsigned netmask;
- /** The position of this entry in the access_perm_list. */
- struct list_head node;
-};
-
static int server_fd = -1, numclients;
static struct sender *self;
}
}
-/**
- * Return true if addr_1 matches addr_2 in the first `netmask' bits.
- */
-static int v4_addr_match(uint32_t addr_1, uint32_t addr_2, uint8_t netmask)
-{
- uint32_t mask = ~0U;
-
- if (netmask < 32)
- mask <<= (32 - netmask);
- return (htonl(addr_1) & mask) == (htonl(addr_2) & mask);
-}
-
-static int host_in_access_perm_list(struct http_client *hc)
-{
- struct access_info *ai, *tmp;
- struct sockaddr_storage ss;
- socklen_t sslen = sizeof(ss);
- struct in_addr v4_addr;
-
- if (getpeername(hc->fd, (struct sockaddr *)&ss, &sslen) < 0) {
- PARA_ERROR_LOG("Can not determine peer address: %s\n", strerror(errno));
- goto no_match;
- }
- v4_addr = extract_v4_addr(&ss);
- if (!v4_addr.s_addr)
- goto no_match;
-
- list_for_each_entry_safe(ai, tmp, &access_perm_list, node)
- if (v4_addr_match(v4_addr.s_addr, ai->addr.s_addr, ai->netmask))
- return 1;
-no_match:
- return 0;
-}
-
static void http_post_select(fd_set *rfds, fd_set *wfds)
{
int i = -1, match;
err_msg = "server full";
goto err_out;
}
- match = host_in_access_perm_list(hc);
- PARA_DEBUG_LOG("host_in_access_perm_list: %d\n", match);
+ match = acl_lookup(hc->fd, &http_acl);
+ PARA_DEBUG_LOG("acl lookup returned %d\n", match);
if ((match && !conf.http_default_deny_given) ||
(!match && conf.http_default_deny_given)) {
err_msg = "permission denied";
return 1;
}
-static void del_perm_list_entry(struct sender_command_data *scd)
-{
- struct access_info *ai, *tmp;
-
- list_for_each_entry_safe(ai, tmp, &access_perm_list, node) {
- char *nad = para_strdup(inet_ntoa(ai->addr));
- if (!strcmp(nad, inet_ntoa(scd->addr)) &&
- ai->netmask == scd->netmask) {
- PARA_NOTICE_LOG("removing %s/%i from access list\n",
- nad, ai->netmask);
- list_del(&ai->node);
- free(ai);
- }
- free(nad);
- }
-}
-
-static void add_perm_list_entry(struct sender_command_data *scd)
-{
- struct access_info *ai = para_malloc(sizeof(struct access_info));
- ai->addr = scd->addr;
- ai->netmask = scd->netmask;
- PARA_INFO_LOG("adding %s/%i to access list\n", inet_ntoa(ai->addr),
- ai->netmask);
- para_list_add(&ai->node, &access_perm_list);
-}
-
static int http_com_deny(struct sender_command_data *scd)
{
if (conf.http_default_deny_given)
- del_perm_list_entry(scd);
+ acl_del_entry(&http_acl, scd->addr, scd->netmask);
else
- add_perm_list_entry(scd);
+ acl_add_entry(&http_acl, scd->addr, scd->netmask);
return 1;
}
static int http_com_allow(struct sender_command_data *scd)
{
if (conf.http_default_deny_given)
- add_perm_list_entry(scd);
+ acl_add_entry(&http_acl, scd->addr, scd->netmask);
else
- del_perm_list_entry(scd);
+ acl_del_entry(&http_acl, scd->addr, scd->netmask);
return 1;
}
static char *http_info(void)
{
- char *clnts = NULL, *ap = NULL, *ret;
- struct access_info *ai, *tmp_ai;
+ char *clnts = NULL, *ret;
struct http_client *hc, *tmp_hc;
- list_for_each_entry_safe(ai, tmp_ai, &access_perm_list, node) {
- char *tmp = make_message("%s%s/%d ", ap? ap : "",
- inet_ntoa(ai->addr), ai->netmask);
- free(ap);
- ap = tmp;
- }
+ char *acl_contents = acl_get_contents(&http_acl);
list_for_each_entry_safe(hc, tmp_hc, &clients, node) {
char *tmp = make_message("%s%s ", clnts? clnts : "", hc->name);
free(clnts);
conf.http_max_clients_arg > 0? "" : " (unlimited)",
clnts? clnts : "(none)",
conf.http_default_deny_given? "allow" : "deny",
- ap? ap : "(none)"
+ acl_contents? acl_contents : "(none)"
);
- free(ap);
+ free(acl_contents);
free(clnts);
return ret;
}
-static void init_access_control_list(void)
-{
- int i;
- struct sender_command_data scd;
-
- INIT_LIST_HEAD(&access_perm_list);
- for (i = 0; i < conf.http_access_given; i++) {
- char *arg = para_strdup(conf.http_access_arg[i]);
- char *p = strchr(arg, '/');
- if (!p)
- goto err;
- *p = '\0';
- if (!inet_pton(AF_INET, arg, &scd.addr))
- goto err;
- scd.netmask = atoi(++p);
- if (scd.netmask < 0 || scd.netmask > 32)
- goto err;
- add_perm_list_entry(&scd);
- goto success;
-err:
- PARA_CRIT_LOG("syntax error for http_access option "
- "#%d, ignoring\n", i);
-success:
- free(arg);
- continue;
- }
-}
-
static char *http_help(void)
{
return make_message(
s->client_cmds[SENDER_ADD] = NULL;
s->client_cmds[SENDER_DELETE] = NULL;
self = s;
- init_access_control_list();
+ acl_init(&http_acl, conf.http_access_arg, conf.http_access_given);
if (!conf.http_no_autostart_given)
open_tcp_port(conf.http_port_arg); /* ignore errors */
PARA_DEBUG_LOG("%s", "http sender init complete\n");
projects / paraslash.git / commitdiff