1 : : /* zxidpdp.c - Handwritten functions for Local Policy Decision Point (PDP)
2 : : * Copyright (c) 2010 Sampo Kellomaki (sampo@iki.fi), All Rights Reserved.
3 : : * Copyright (c) 2009 Symlabs (symlabs@symlabs.com), All Rights Reserved.
4 : : * Author: Sampo Kellomaki (sampo@iki.fi)
5 : : * This is confidential unpublished proprietary source code of the author.
6 : : * NO WARRANTY, not even implied warranties. Contains trade secrets.
7 : : * Distribution prohibited unless authorized in writing.
8 : : * Licensed under Apache License 2.0, see file COPYING.
9 : : * $Id: zxidpep.c,v 1.10 2010-01-08 02:10:09 sampo Exp $
10 : : *
11 : : * 24.8.2009, created --Sampo
12 : : * 10.10.2009, added zxid_az() family --Sampo
13 : : * 12.2.2010, added locking to lazy loading --Sampo
14 : : * 31.5.2010, generalized to several PEPs model --Sampo
15 : : */
16 : :
17 : : #include "platform.h" /* needed on Win32 for pthread_mutex_lock() et al. */
18 : :
19 : : #include "errmac.h"
20 : : #include "zxid.h"
21 : : #include "zxidpriv.h"
22 : : #include "zxidconf.h"
23 : : #include "saml2.h"
24 : : #include "c/zx-const.h"
25 : : #include "c/zx-ns.h"
26 : : #include "c/zx-data.h"
27 : : #include "c/zx-e-data.h"
28 : :
29 : : /* ------------ Attribute Broker and PEP ------------ */
30 : :
/*() Local Policy Decision Point - decide on role and idpnid.
 *
 * Inspects the session attribute pool against up to four optional lists in
 * the configuration: localpdp_role_permit / localpdp_role_deny and
 * localpdp_idpnid_permit / localpdp_idpnid_deny. For each attribute the
 * permit list (whitelist) is applied first and the deny list (blacklist)
 * second. A configured whitelist fails closed: an absent attribute, or a
 * value that is not on the list, yields Deny. A blacklist denies only when
 * the attribute is present and its value is on the list, so an absent
 * attribute passes a blacklist. When none of the four lists is configured
 * the result is always Permit, i.e. the local PDP is permissive by default
 * and only the remote PDP (if any) restricts access.
 *
 * NOTE(review): only the attribute returned by zxid_find_at() for "role" /
 * "idpnid" is consulted, and only its ->val. If the pool can hold several
 * values for the same attribute name, the additional values are not seen by
 * either list; confirm against zxid_find_at() and the attribute representation
 * before relying on the blacklist for multi-valued roles.
 * NOTE(review): on Deny the offending attribute value is written verbatim to
 * the INFO log.
 *
 * cf::  Configuration holding the permit/deny lists.
 * ses:: Session whose attribute pool (ses->at) is inspected.
 * Return: 0 for Deny and 1 for Permit. */

/* Called by: zxid_call_epr, zxid_simple_ab_pep, zxid_wsc_prepare_call, zxid_wsc_valid_re_env, zxid_wsp_decorate, zxid_wsp_validate_env */
int zxid_localpdp(zxid_conf* cf, zxid_ses* ses)
{
  struct zxid_attr* role;
  struct zxid_attr* nid;

  /* --- role: whitelist first, then blacklist --- */
  if (cf->localpdp_role_permit || cf->localpdp_role_deny) {
    role = zxid_find_at(ses->at, "role");
    if (cf->localpdp_role_permit && !role) {   /* whitelist configured, attribute missing: fail closed */
      INFO("DENY due to no role attribute %d (whitelist)",0);
      return 0;
    }
    if (cf->localpdp_role_permit && !zxid_find_cstr_list(cf->localpdp_role_permit, role->val)) {
      INFO("DENY: role(%s) not on whitelist", role->val);
      return 0;
    }
    if (cf->localpdp_role_deny && role && zxid_find_cstr_list(cf->localpdp_role_deny, role->val)) {
      INFO("DENY: role(%s) on blacklist", role->val);
      return 0;
    }
  }

  /* --- idpnid: whitelist first, then blacklist --- */
  if (cf->localpdp_idpnid_permit || cf->localpdp_idpnid_deny) {
    nid = zxid_find_at(ses->at, "idpnid");
    if (cf->localpdp_idpnid_permit && !nid) {  /* whitelist configured, attribute missing: fail closed */
      INFO("DENY due to no idpnid attribute %d (whitelist)",0);
      return 0;
    }
    if (cf->localpdp_idpnid_permit && !zxid_find_cstr_list(cf->localpdp_idpnid_permit, nid->val)) {
      INFO("DENY: idpnid(%s) not on whitelist", nid->val);
      return 0;
    }
    if (cf->localpdp_idpnid_deny && nid && zxid_find_cstr_list(cf->localpdp_idpnid_deny, nid->val)) {
      INFO("DENY: idpnid(%s) on blacklist", nid->val);
      return 0;
    }
  }

  /* Nothing configured, or every configured list was satisfied. */
  INFO("PERMIT by local PDP %d", 1);
  return 1;
}
82 : :
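/*(i) Postprocessing of SSO: Attribute Broker handles attributes and PEP/PDP
 * decide on authorization.
 *
 * The session assertion is first folded into the attribute pool
 * (zxid_ses_to_pool), then the local PDP is consulted and, if cf->pdp_url is
 * configured and non-empty, a remote PDP via zxid_pep_az_soap_pepmap(). Both
 * must Permit. On Permit the pool is rendered in the format selected by
 * auto_flags and handed to the caller.
 *
 * cf::         Configuration; cf->pdp_url and cf->pepmap drive the remote
 *              PDP call, cf->log_level gates the SHOWPC audit log line.
 * ses::        Session whose attributes are pooled, authorized and rendered.
 * res_len::    Optional; if non-null receives the length of the returned
 *              buffer. Not written on the "z" (deny / failure) return.
 * auto_flags:: ZXID_AUTO_FMTQ -> query string, ZXID_AUTO_FMTJ -> JSON,
 *              both -> empty string, neither -> LDIF.
 * return::     "z" (a string literal, must not be freed) when either PDP
 *              denies or the rendering could not be produced; otherwise the
 *              rendered attribute buffer. Only the zx_str wrapper is released
 *              here; the payload pointer is returned and is the caller's to
 *              manage. */

/* Called by: chkuid, zxid_simple_cf_ses, zxid_simple_no_ses_cf x2, zxid_simple_ses_active_cf */
char* zxid_simple_ab_pep(zxid_conf* cf, zxid_ses* ses, int* res_len, int auto_flags)
{
  char* res;
  struct zx_str* ss;
  D_INDENT("ab_pep: ");
  DD("ab_pep %d", 0);
  zxid_ses_to_pool(cf, ses); /* Process SSO a7n, applying NEED, WANT, and INMAP */

  /* Local PDP first; it is cheap and needs no network. */
  if (!zxid_localpdp(cf, ses)) {
    DD("Deny by local PDP %d",0);
    D_DEDENT("ab_pep: ");
    return "z";
  }

  /* Remote PDP only when one is configured; its Deny overrides the local Permit. */
  if (cf->pdp_url && *cf->pdp_url) {
    //zxid_add_attr_to_pool(cf, ses, "Action", zx_dup_str(cf->ctx, "access"));
    //zxid_add_attr_to_pool(cf, ses, "URL", zx_dup_str(cf->ctx, ses->rs));
    if (!zxid_pep_az_soap_pepmap(cf, 0, ses, cf->pdp_url, cf->pepmap)) {
      INFO("DENY by remote PDP %d", 0);
      D_DEDENT("ab_pep: ");
      return "z";
    }
  }

  switch (auto_flags & (ZXID_AUTO_FMTQ | ZXID_AUTO_FMTJ)) {
  case ZXID_AUTO_FMTQ|ZXID_AUTO_FMTJ: ss = zx_dup_str(cf->ctx, ""); break; /* No output */
  case ZXID_AUTO_FMTQ: ss = zxid_ses_to_qs(cf, ses); break;
  case ZXID_AUTO_FMTJ: ss = zxid_ses_to_json(cf, ses); break;
  default: ERR("Unsupported output format bits %x", auto_flags & (ZXID_AUTO_FMTQ|ZXID_AUTO_FMTJ));
    /* fallthrough */ /* unknown bits are rendered as LDIF, same as no bits */
  case 0: ss = zxid_ses_to_ldif(cf, ses); break;
  }

  /* The renderers may hand back NULL (the debug trace below used to guard for
   * it while the ss->s read did not). Fail closed instead of dereferencing
   * NULL: no attribute dump is returned and nothing is audited as shown. */
  if (!ss) {
    ERR("attribute rendering failed, fmt bits %x", auto_flags & (ZXID_AUTO_FMTQ|ZXID_AUTO_FMTJ));
    D_DEDENT("ab_pep: ");
    return "z";
  }

  if (zx_debug & ZXID_INOUT)
    INFO("LDIF(%.*s)", ss->len, ss->s);
  if (cf->log_level > 0)
    zxlog(cf, 0,0,0,0,0,0, ZX_GET_CONTENT(ses->nameid), "N", "K", "SHOWPC", ses->sid, 0);

  /* Hand the payload to the caller; only the zx_str wrapper is freed here. */
  res = ss->s;
  if (res_len)
    *res_len = ss->len;
  ZX_FREE(cf->ctx, ss);
  D_DEDENT("ab_pep: ");
  return res;
}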
129 : :
130 : : /* EOF -- zxidpdp.c */