]> git.ipfire.org Git - thirdparty/cups.git/blob - scheduler/policy.c
projects / thirdparty / cups.git / blob
? search:


9a68b1a97b582a769e8bf2fc1033759924524d85
[thirdparty/cups.git] / scheduler / policy.c
1 /*
2 * Policy routines for the CUPS scheduler.
3 *
4 * Copyright 2007-2011, 2014 by Apple Inc.
5 * Copyright 1997-2006 by Easy Software Products, all rights reserved.
6 *
7 * These coded instructions, statements, and computer programs are the
8 * property of Apple Inc. and are protected by Federal copyright
9 * law. Distribution and use rights are outlined in the file "LICENSE.txt"
10 * which should have been included with this file. If this file is
11 * file is missing or damaged, see the license at "http://www.cups.org/".
12 */
13
14 /*
15 * Include necessary headers...
16 */
17
18 #include "cupsd.h"
19 #include <pwd.h>
20
21
22 /*
23 * Local functions...
24 */
25
26 static int compare_ops(cupsd_location_t *a, cupsd_location_t *b);
27 static int compare_policies(cupsd_policy_t *a, cupsd_policy_t *b);
28 static void free_policy(cupsd_policy_t *p);
29 static int hash_op(cupsd_location_t *op);
30
31
32 /*
33 * 'cupsdAddPolicy()' - Add a policy to the system.
34 */
35
36 cupsd_policy_t * /* O - Policy */
37 cupsdAddPolicy(const char *policy) /* I - Name of policy */
38 {
39 cupsd_policy_t *temp; /* Pointer to policy */
40
41
42 if (!policy)
43 return (NULL);
44
45 if (!Policies)
46 Policies = cupsArrayNew3((cups_array_func_t)compare_policies, NULL,
47 (cups_ahash_func_t)NULL, 0,
48 (cups_acopy_func_t)NULL,
49 (cups_afree_func_t)free_policy);
50
51 if (!Policies)
52 return (NULL);
53
54 if ((temp = calloc(1, sizeof(cupsd_policy_t))) != NULL)
55 {
56 cupsdSetString(&temp->name, policy);
57 cupsArrayAdd(Policies, temp);
58 }
59
60 return (temp);
61 }
62
63
64 /*
65 * 'cupsdAddPolicyOp()' - Add an operation to a policy.
66 */
67
68 cupsd_location_t * /* O - New policy operation */
69 cupsdAddPolicyOp(cupsd_policy_t *p, /* I - Policy */
70 cupsd_location_t *po, /* I - Policy operation to copy */
71 ipp_op_t op) /* I - IPP operation code */
72 {
73 cupsd_location_t *temp; /* New policy operation */
74
75
76 cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdAddPolicyOp(p=%p, po=%p, op=%x(%s))",
77 p, po, op, ippOpString(op));
78
79 if (!p)
80 return (NULL);
81
82 if (!p->ops)
83 p->ops = cupsArrayNew3((cups_array_func_t)compare_ops, NULL,
84 (cups_ahash_func_t)hash_op, 128,
85 (cups_acopy_func_t)NULL,
86 (cups_afree_func_t)cupsdFreeLocation);
87
88 if (!p->ops)
89 return (NULL);
90
91 if ((temp = cupsdCopyLocation(po)) != NULL)
92 {
93 temp->op = op;
94 temp->limit = CUPSD_AUTH_LIMIT_IPP;
95
96 cupsArrayAdd(p->ops, temp);
97 }
98
99 return (temp);
100 }
101
102
103 /*
104 * 'cupsdCheckPolicy()' - Check the IPP operation and username against a policy.
105 */
106
107 http_status_t /* I - 1 if OK, 0 otherwise */
108 cupsdCheckPolicy(cupsd_policy_t *p, /* I - Policy */
109 cupsd_client_t *con, /* I - Client connection */
110 const char *owner) /* I - Owner of object */
111 {
112 cupsd_location_t *po; /* Current policy operation */
113
114
115 /*
116 * Range check...
117 */
118
119 if (!p || !con)
120 {
121 cupsdLogMessage(CUPSD_LOG_CRIT, "cupsdCheckPolicy: p=%p, con=%p.", p, con);
122
123 return ((http_status_t)0);
124 }
125
126 /*
127 * Find a match for the operation...
128 */
129
130 if ((po = cupsdFindPolicyOp(p, con->request->request.op.operation_id)) == NULL)
131 {
132 cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdCheckPolicy: No matching operation, returning 0.");
133 return ((http_status_t)0);
134 }
135
136 con->best = po;
137
138 /*
139 * Return the status of the check...
140 */
141
142 return (cupsdIsAuthorized(con, owner));
143 }
144
145
146 /*
147 * 'cupsdDeleteAllPolicies()' - Delete all policies in memory.
148 */
149
150 void
151 cupsdDeleteAllPolicies(void)
152 {
153 cupsd_printer_t *printer; /* Current printer */
154
155
156 if (!Policies)
157 return;
158
159 /*
160 * First clear the policy pointers for all printers...
161 */
162
163 for (printer = (cupsd_printer_t *)cupsArrayFirst(Printers);
164 printer;
165 printer = (cupsd_printer_t *)cupsArrayNext(Printers))
166 printer->op_policy_ptr = NULL;
167
168 DefaultPolicyPtr = NULL;
169
170 /*
171 * Then free all of the policies...
172 */
173
174 cupsArrayDelete(Policies);
175
176 Policies = NULL;
177 }
178
179
180 /*
181 * 'cupsdFindPolicy()' - Find a named policy.
182 */
183
184 cupsd_policy_t * /* O - Policy */
185 cupsdFindPolicy(const char *policy) /* I - Name of policy */
186 {
187 cupsd_policy_t key; /* Search key */
188
189
190 /*
191 * Range check...
192 */
193
194 if (!policy)
195 return (NULL);
196
197 /*
198 * Look it up...
199 */
200
201 key.name = (char *)policy;
202 return ((cupsd_policy_t *)cupsArrayFind(Policies, &key));
203 }
204
205
206 /*
207 * 'cupsdFindPolicyOp()' - Find a policy operation.
208 */
209
210 cupsd_location_t * /* O - Policy operation */
211 cupsdFindPolicyOp(cupsd_policy_t *p, /* I - Policy */
212 ipp_op_t op) /* I - IPP operation */
213 {
214 cupsd_location_t key, /* Search key... */
215 *po; /* Current policy operation */
216
217
218 cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdFindPolicyOp(p=%p, op=%x(%s))",
219 p, op, ippOpString(op));
220
221 /*
222 * Range check...
223 */
224
225 if (!p)
226 return (NULL);
227
228 /*
229 * Check the operation against the available policies...
230 */
231
232 key.op = op;
233 if ((po = (cupsd_location_t *)cupsArrayFind(p->ops, &key)) != NULL)
234 {
235 cupsdLogMessage(CUPSD_LOG_DEBUG2,
236 "cupsdFindPolicyOp: Found exact match...");
237 return (po);
238 }
239
240 key.op = IPP_ANY_OPERATION;
241 if ((po = (cupsd_location_t *)cupsArrayFind(p->ops, &key)) != NULL)
242 {
243 cupsdLogMessage(CUPSD_LOG_DEBUG2,
244 "cupsdFindPolicyOp: Found wildcard match...");
245 return (po);
246 }
247
248 cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdFindPolicyOp: No match found.");
249
250 return (NULL);
251 }
252
253
254 /*
255 * 'cupsdGetPrivateAttrs()' - Get the private attributes for the current
256 * request.
257 */
258
259 cups_array_t * /* O - Array or NULL for no restrictions */
260 cupsdGetPrivateAttrs(
261 cupsd_policy_t *policy, /* I - Policy */
262 cupsd_client_t *con, /* I - Client connection */
263 cupsd_printer_t *printer, /* I - Printer, if any */
264 const char *owner) /* I - Owner of object */
265 {
266 char *name; /* Current name in access list */
267 cups_array_t *access_ptr, /* Access array */
268 *attrs_ptr; /* Attributes array */
269 const char *username; /* Username associated with request */
270 ipp_attribute_t *attr; /* Attribute from request */
271 struct passwd *pw; /* User info */
272
273
274 #ifdef DEBUG
275 cupsdLogMessage(CUPSD_LOG_DEBUG2,
276 "cupsdGetPrivateAttrs(policy=%p(%s), con=%p(%d), "
277 "printer=%p(%s), owner=\"%s\")", policy, policy->name, con,
278 con->number, printer, printer ? printer->name : "", owner);
279 #endif /* DEBUG */
280
281 if (!policy)
282 {
283 cupsdLogMessage(CUPSD_LOG_CRIT, "cupsdGetPrivateAttrs: policy=%p, con=%p, printer=%p, owner=\"%s\", DefaultPolicyPtr=%p: This should never happen, please report a bug.", policy, con, printer, owner, DefaultPolicyPtr);
284 policy = DefaultPolicyPtr;
285 }
286
287 /*
288 * Get the access and attributes lists that correspond to the request...
289 */
290
291 #ifdef DEBUG
292 cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdGetPrivateAttrs: %s",
293 ippOpString(con->request->request.op.operation_id));
294 #endif /* DEBUG */
295
296 switch (con->request->request.op.operation_id)
297 {
298 case IPP_GET_SUBSCRIPTIONS :
299 case IPP_GET_SUBSCRIPTION_ATTRIBUTES :
300 case IPP_GET_NOTIFICATIONS :
301 access_ptr = policy->sub_access;
302 attrs_ptr = policy->sub_attrs;
303 break;
304
305 default :
306 access_ptr = policy->job_access;
307 attrs_ptr = policy->job_attrs;
308 break;
309 }
310
311 /*
312 * If none of the attributes are private, return NULL now...
313 */
314
315 if ((name = (char *)cupsArrayFirst(attrs_ptr)) != NULL &&
316 !_cups_strcasecmp(name, "none"))
317 {
318 #ifdef DEBUG
319 cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdGetPrivateAttrs: Returning NULL.");
320 #endif /* DEBUG */
321
322 return (NULL);
323 }
324
325 /*
326 * Otherwise check the user against the access list...
327 */
328
329 if (con->username[0])
330 username = con->username;
331 else if ((attr = ippFindAttribute(con->request, "requesting-user-name",
332 IPP_TAG_NAME)) != NULL)
333 username = attr->values[0].string.text;
334 else
335 username = "anonymous";
336
337 if (username[0])
338 {
339 pw = getpwnam(username);
340 endpwent();
341 }
342 else
343 pw = NULL;
344
345 #ifdef DEBUG
346 cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdGetPrivateAttrs: username=\"%s\"",
347 username);
348 #endif /* DEBUG */
349
350 /*
351 * Otherwise check the user against the access list...
352 */
353
354 for (name = (char *)cupsArrayFirst(access_ptr);
355 name;
356 name = (char *)cupsArrayNext(access_ptr))
357 {
358 #ifdef DEBUG
359 cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdGetPrivateAttrs: name=%s", name);
360 #endif /* DEBUG */
361
362 if (printer && !_cups_strcasecmp(name, "@ACL"))
363 {
364 char *acl; /* Current ACL user/group */
365
366 for (acl = (char *)cupsArrayFirst(printer->users);
367 acl;
368 acl = (char *)cupsArrayNext(printer->users))
369 {
370 if (acl[0] == '@')
371 {
372 /*
373 * Check group membership...
374 */
375
376 if (cupsdCheckGroup(username, pw, acl + 1))
377 break;
378 }
379 else if (acl[0] == '#')
380 {
381 /*
382 * Check UUID...
383 */
384
385 if (cupsdCheckGroup(username, pw, acl))
386 break;
387 }
388 else if (!_cups_strcasecmp(username, acl))
389 break;
390 }
391 }
392 else if (owner && !_cups_strcasecmp(name, "@OWNER") &&
393 !_cups_strcasecmp(username, owner))
394 {
395 #ifdef DEBUG
396 cupsdLogMessage(CUPSD_LOG_DEBUG2,
397 "cupsdGetPrivateAttrs: Returning NULL.");
398 #endif /* DEBUG */
399
400 return (NULL);
401 }
402 else if (!_cups_strcasecmp(name, "@SYSTEM"))
403 {
404 int i; /* Looping var */
405
406 for (i = 0; i < NumSystemGroups; i ++)
407 if (cupsdCheckGroup(username, pw, SystemGroups[i]))
408 {
409 #ifdef DEBUG
410 cupsdLogMessage(CUPSD_LOG_DEBUG2,
411 "cupsdGetPrivateAttrs: Returning NULL.");
412 #endif /* DEBUG */
413
414 return (NULL);
415 }
416 }
417 else if (name[0] == '@')
418 {
419 if (cupsdCheckGroup(username, pw, name + 1))
420 {
421 #ifdef DEBUG
422 cupsdLogMessage(CUPSD_LOG_DEBUG2,
423 "cupsdGetPrivateAttrs: Returning NULL.");
424 #endif /* DEBUG */
425
426 return (NULL);
427 }
428 }
429 else if (!_cups_strcasecmp(username, name))
430 {
431 #ifdef DEBUG
432 cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdGetPrivateAttrs: Returning NULL.");
433 #endif /* DEBUG */
434
435 return (NULL);
436 }
437 }
438
439 /*
440 * No direct access, so return private attributes list...
441 */
442
443 #ifdef DEBUG
444 cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdGetPrivateAttrs: Returning list.");
445 #endif /* DEBUG */
446
447 return (attrs_ptr);
448 }
449
450
451 /*
452 * 'compare_ops()' - Compare two operations.
453 */
454
455 static int /* O - Result of comparison */
456 compare_ops(cupsd_location_t *a, /* I - First operation */
457 cupsd_location_t *b) /* I - Second operation */
458 {
459 return (a->op - b->op);
460 }
461
462
463 /*
464 * 'compare_policies()' - Compare two policies.
465 */
466
467 static int /* O - Result of comparison */
468 compare_policies(cupsd_policy_t *a, /* I - First policy */
469 cupsd_policy_t *b) /* I - Second policy */
470 {
471 return (_cups_strcasecmp(a->name, b->name));
472 }
473
474
475 /*
476 * 'free_policy()' - Free the memory used by a policy.
477 */
478
479 static void
480 free_policy(cupsd_policy_t *p) /* I - Policy to free */
481 {
482 cupsArrayDelete(p->job_access);
483 cupsArrayDelete(p->job_attrs);
484 cupsArrayDelete(p->sub_access);
485 cupsArrayDelete(p->sub_attrs);
486 cupsArrayDelete(p->ops);
487 cupsdClearString(&p->name);
488 free(p);
489 }
490
491
492 /*
493 * 'hash_op()' - Generate a lookup hash for the operation.
494 */
495
496 static int /* O - Hash value */
497 hash_op(cupsd_location_t *op) /* I - Operation */
498 {
499 return (((op->op >> 6) & 0x40) | (op->op & 0x3f));
500 }
Unnamed repository; edit this file 'description' to name the repository.