]> git.ipfire.org Git - thirdparty/cups.git/blob - scheduler/policy.c
projects / thirdparty / cups.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge branch 'master' of https://github.com/apple/cups
[thirdparty/cups.git] / scheduler / policy.c
1 /*
2 * "$Id$"
3 *
4 * Policy routines for the CUPS scheduler.
5 *
6 * Copyright 2007-2011, 2014 by Apple Inc.
7 * Copyright 1997-2006 by Easy Software Products, all rights reserved.
8 *
9 * These coded instructions, statements, and computer programs are the
10 * property of Apple Inc. and are protected by Federal copyright
11 * law. Distribution and use rights are outlined in the file "LICENSE.txt"
12 * which should have been included with this file. If this file is
13 * file is missing or damaged, see the license at "http://www.cups.org/".
14 */
15
16 /*
17 * Include necessary headers...
18 */
19
20 #include "cupsd.h"
21 #include <pwd.h>
22
23
24 /*
25 * Local functions...
26 */
27
28 static int compare_ops(cupsd_location_t *a, cupsd_location_t *b);
29 static int compare_policies(cupsd_policy_t *a, cupsd_policy_t *b);
30 static void free_policy(cupsd_policy_t *p);
31 static int hash_op(cupsd_location_t *op);
32
33
34 /*
35 * 'cupsdAddPolicy()' - Add a policy to the system.
36 */
37
38 cupsd_policy_t * /* O - Policy */
39 cupsdAddPolicy(const char *policy) /* I - Name of policy */
40 {
41 cupsd_policy_t *temp; /* Pointer to policy */
42
43
44 if (!policy)
45 return (NULL);
46
47 if (!Policies)
48 Policies = cupsArrayNew3((cups_array_func_t)compare_policies, NULL,
49 (cups_ahash_func_t)NULL, 0,
50 (cups_acopy_func_t)NULL,
51 (cups_afree_func_t)free_policy);
52
53 if (!Policies)
54 return (NULL);
55
56 if ((temp = calloc(1, sizeof(cupsd_policy_t))) != NULL)
57 {
58 cupsdSetString(&temp->name, policy);
59 cupsArrayAdd(Policies, temp);
60 }
61
62 return (temp);
63 }
64
65
66 /*
67 * 'cupsdAddPolicyOp()' - Add an operation to a policy.
68 */
69
70 cupsd_location_t * /* O - New policy operation */
71 cupsdAddPolicyOp(cupsd_policy_t *p, /* I - Policy */
72 cupsd_location_t *po, /* I - Policy operation to copy */
73 ipp_op_t op) /* I - IPP operation code */
74 {
75 cupsd_location_t *temp; /* New policy operation */
76
77
78 cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdAddPolicyOp(p=%p, po=%p, op=%x(%s))",
79 p, po, op, ippOpString(op));
80
81 if (!p)
82 return (NULL);
83
84 if (!p->ops)
85 p->ops = cupsArrayNew3((cups_array_func_t)compare_ops, NULL,
86 (cups_ahash_func_t)hash_op, 128,
87 (cups_acopy_func_t)NULL,
88 (cups_afree_func_t)cupsdFreeLocation);
89
90 if (!p->ops)
91 return (NULL);
92
93 if ((temp = cupsdCopyLocation(po)) != NULL)
94 {
95 temp->op = op;
96 temp->limit = CUPSD_AUTH_LIMIT_IPP;
97
98 cupsArrayAdd(p->ops, temp);
99 }
100
101 return (temp);
102 }
103
104
105 /*
106 * 'cupsdCheckPolicy()' - Check the IPP operation and username against a policy.
107 */
108
109 http_status_t /* I - 1 if OK, 0 otherwise */
110 cupsdCheckPolicy(cupsd_policy_t *p, /* I - Policy */
111 cupsd_client_t *con, /* I - Client connection */
112 const char *owner) /* I - Owner of object */
113 {
114 cupsd_location_t *po; /* Current policy operation */
115
116
117 /*
118 * Range check...
119 */
120
121 if (!p || !con)
122 {
123 cupsdLogMessage(CUPSD_LOG_CRIT, "cupsdCheckPolicy: p=%p, con=%p.", p, con);
124
125 return ((http_status_t)0);
126 }
127
128 /*
129 * Find a match for the operation...
130 */
131
132 if ((po = cupsdFindPolicyOp(p, con->request->request.op.operation_id)) == NULL)
133 {
134 cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdCheckPolicy: No matching operation, returning 0.");
135 return ((http_status_t)0);
136 }
137
138 con->best = po;
139
140 /*
141 * Return the status of the check...
142 */
143
144 return (cupsdIsAuthorized(con, owner));
145 }
146
147
148 /*
149 * 'cupsdDeleteAllPolicies()' - Delete all policies in memory.
150 */
151
152 void
153 cupsdDeleteAllPolicies(void)
154 {
155 cupsd_printer_t *printer; /* Current printer */
156
157
158 if (!Policies)
159 return;
160
161 /*
162 * First clear the policy pointers for all printers...
163 */
164
165 for (printer = (cupsd_printer_t *)cupsArrayFirst(Printers);
166 printer;
167 printer = (cupsd_printer_t *)cupsArrayNext(Printers))
168 printer->op_policy_ptr = NULL;
169
170 DefaultPolicyPtr = NULL;
171
172 /*
173 * Then free all of the policies...
174 */
175
176 cupsArrayDelete(Policies);
177
178 Policies = NULL;
179 }
180
181
182 /*
183 * 'cupsdFindPolicy()' - Find a named policy.
184 */
185
186 cupsd_policy_t * /* O - Policy */
187 cupsdFindPolicy(const char *policy) /* I - Name of policy */
188 {
189 cupsd_policy_t key; /* Search key */
190
191
192 /*
193 * Range check...
194 */
195
196 if (!policy)
197 return (NULL);
198
199 /*
200 * Look it up...
201 */
202
203 key.name = (char *)policy;
204 return ((cupsd_policy_t *)cupsArrayFind(Policies, &key));
205 }
206
207
208 /*
209 * 'cupsdFindPolicyOp()' - Find a policy operation.
210 */
211
212 cupsd_location_t * /* O - Policy operation */
213 cupsdFindPolicyOp(cupsd_policy_t *p, /* I - Policy */
214 ipp_op_t op) /* I - IPP operation */
215 {
216 cupsd_location_t key, /* Search key... */
217 *po; /* Current policy operation */
218
219
220 cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdFindPolicyOp(p=%p, op=%x(%s))",
221 p, op, ippOpString(op));
222
223 /*
224 * Range check...
225 */
226
227 if (!p)
228 return (NULL);
229
230 /*
231 * Check the operation against the available policies...
232 */
233
234 key.op = op;
235 if ((po = (cupsd_location_t *)cupsArrayFind(p->ops, &key)) != NULL)
236 {
237 cupsdLogMessage(CUPSD_LOG_DEBUG2,
238 "cupsdFindPolicyOp: Found exact match...");
239 return (po);
240 }
241
242 key.op = IPP_ANY_OPERATION;
243 if ((po = (cupsd_location_t *)cupsArrayFind(p->ops, &key)) != NULL)
244 {
245 cupsdLogMessage(CUPSD_LOG_DEBUG2,
246 "cupsdFindPolicyOp: Found wildcard match...");
247 return (po);
248 }
249
250 cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdFindPolicyOp: No match found.");
251
252 return (NULL);
253 }
254
255
256 /*
257 * 'cupsdGetPrivateAttrs()' - Get the private attributes for the current
258 * request.
259 */
260
261 cups_array_t * /* O - Array or NULL for no restrictions */
262 cupsdGetPrivateAttrs(
263 cupsd_policy_t *policy, /* I - Policy */
264 cupsd_client_t *con, /* I - Client connection */
265 cupsd_printer_t *printer, /* I - Printer, if any */
266 const char *owner) /* I - Owner of object */
267 {
268 char *name; /* Current name in access list */
269 cups_array_t *access_ptr, /* Access array */
270 *attrs_ptr; /* Attributes array */
271 const char *username; /* Username associated with request */
272 ipp_attribute_t *attr; /* Attribute from request */
273 struct passwd *pw; /* User info */
274
275
276 #ifdef DEBUG
277 cupsdLogMessage(CUPSD_LOG_DEBUG2,
278 "cupsdGetPrivateAttrs(policy=%p(%s), con=%p(%d), "
279 "printer=%p(%s), owner=\"%s\")", policy, policy->name, con,
280 con->number, printer, printer ? printer->name : "", owner);
281 #endif /* DEBUG */
282
283 if (!policy)
284 {
285 cupsdLogMessage(CUPSD_LOG_CRIT, "cupsdGetPrivateAttrs: policy=%p, con=%p, printer=%p, owner=\"%s\", DefaultPolicyPtr=%p: This should never happen, please report a bug.", policy, con, printer, owner, DefaultPolicyPtr);
286 policy = DefaultPolicyPtr;
287 }
288
289 /*
290 * Get the access and attributes lists that correspond to the request...
291 */
292
293 #ifdef DEBUG
294 cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdGetPrivateAttrs: %s",
295 ippOpString(con->request->request.op.operation_id));
296 #endif /* DEBUG */
297
298 switch (con->request->request.op.operation_id)
299 {
300 case IPP_GET_SUBSCRIPTIONS :
301 case IPP_GET_SUBSCRIPTION_ATTRIBUTES :
302 case IPP_GET_NOTIFICATIONS :
303 access_ptr = policy->sub_access;
304 attrs_ptr = policy->sub_attrs;
305 break;
306
307 default :
308 access_ptr = policy->job_access;
309 attrs_ptr = policy->job_attrs;
310 break;
311 }
312
313 /*
314 * If none of the attributes are private, return NULL now...
315 */
316
317 if ((name = (char *)cupsArrayFirst(attrs_ptr)) != NULL &&
318 !_cups_strcasecmp(name, "none"))
319 {
320 #ifdef DEBUG
321 cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdGetPrivateAttrs: Returning NULL.");
322 #endif /* DEBUG */
323
324 return (NULL);
325 }
326
327 /*
328 * Otherwise check the user against the access list...
329 */
330
331 if (con->username[0])
332 username = con->username;
333 else if ((attr = ippFindAttribute(con->request, "requesting-user-name",
334 IPP_TAG_NAME)) != NULL)
335 username = attr->values[0].string.text;
336 else
337 username = "anonymous";
338
339 if (username[0])
340 {
341 pw = getpwnam(username);
342 endpwent();
343 }
344 else
345 pw = NULL;
346
347 #ifdef DEBUG
348 cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdGetPrivateAttrs: username=\"%s\"",
349 username);
350 #endif /* DEBUG */
351
352 /*
353 * Otherwise check the user against the access list...
354 */
355
356 for (name = (char *)cupsArrayFirst(access_ptr);
357 name;
358 name = (char *)cupsArrayNext(access_ptr))
359 {
360 #ifdef DEBUG
361 cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdGetPrivateAttrs: name=%s", name);
362 #endif /* DEBUG */
363
364 if (printer && !_cups_strcasecmp(name, "@ACL"))
365 {
366 char *acl; /* Current ACL user/group */
367
368 for (acl = (char *)cupsArrayFirst(printer->users);
369 acl;
370 acl = (char *)cupsArrayNext(printer->users))
371 {
372 if (acl[0] == '@')
373 {
374 /*
375 * Check group membership...
376 */
377
378 if (cupsdCheckGroup(username, pw, acl + 1))
379 break;
380 }
381 else if (acl[0] == '#')
382 {
383 /*
384 * Check UUID...
385 */
386
387 if (cupsdCheckGroup(username, pw, acl))
388 break;
389 }
390 else if (!_cups_strcasecmp(username, acl))
391 break;
392 }
393 }
394 else if (owner && !_cups_strcasecmp(name, "@OWNER") &&
395 !_cups_strcasecmp(username, owner))
396 {
397 #ifdef DEBUG
398 cupsdLogMessage(CUPSD_LOG_DEBUG2,
399 "cupsdGetPrivateAttrs: Returning NULL.");
400 #endif /* DEBUG */
401
402 return (NULL);
403 }
404 else if (!_cups_strcasecmp(name, "@SYSTEM"))
405 {
406 int i; /* Looping var */
407
408 for (i = 0; i < NumSystemGroups; i ++)
409 if (cupsdCheckGroup(username, pw, SystemGroups[i]))
410 {
411 #ifdef DEBUG
412 cupsdLogMessage(CUPSD_LOG_DEBUG2,
413 "cupsdGetPrivateAttrs: Returning NULL.");
414 #endif /* DEBUG */
415
416 return (NULL);
417 }
418 }
419 else if (name[0] == '@')
420 {
421 if (cupsdCheckGroup(username, pw, name + 1))
422 {
423 #ifdef DEBUG
424 cupsdLogMessage(CUPSD_LOG_DEBUG2,
425 "cupsdGetPrivateAttrs: Returning NULL.");
426 #endif /* DEBUG */
427
428 return (NULL);
429 }
430 }
431 else if (!_cups_strcasecmp(username, name))
432 {
433 #ifdef DEBUG
434 cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdGetPrivateAttrs: Returning NULL.");
435 #endif /* DEBUG */
436
437 return (NULL);
438 }
439 }
440
441 /*
442 * No direct access, so return private attributes list...
443 */
444
445 #ifdef DEBUG
446 cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdGetPrivateAttrs: Returning list.");
447 #endif /* DEBUG */
448
449 return (attrs_ptr);
450 }
451
452
453 /*
454 * 'compare_ops()' - Compare two operations.
455 */
456
457 static int /* O - Result of comparison */
458 compare_ops(cupsd_location_t *a, /* I - First operation */
459 cupsd_location_t *b) /* I - Second operation */
460 {
461 return (a->op - b->op);
462 }
463
464
465 /*
466 * 'compare_policies()' - Compare two policies.
467 */
468
469 static int /* O - Result of comparison */
470 compare_policies(cupsd_policy_t *a, /* I - First policy */
471 cupsd_policy_t *b) /* I - Second policy */
472 {
473 return (_cups_strcasecmp(a->name, b->name));
474 }
475
476
477 /*
478 * 'free_policy()' - Free the memory used by a policy.
479 */
480
481 static void
482 free_policy(cupsd_policy_t *p) /* I - Policy to free */
483 {
484 cupsArrayDelete(p->job_access);
485 cupsArrayDelete(p->job_attrs);
486 cupsArrayDelete(p->sub_access);
487 cupsArrayDelete(p->sub_attrs);
488 cupsArrayDelete(p->ops);
489 cupsdClearString(&p->name);
490 free(p);
491 }
492
493
494 /*
495 * 'hash_op()' - Generate a lookup hash for the operation.
496 */
497
498 static int /* O - Hash value */
499 hash_op(cupsd_location_t *op) /* I - Operation */
500 {
501 return (((op->op >> 6) & 0x40) | (op->op & 0x3f));
502 }
503
504
505 /*
506 * End of "$Id$".
507 */
Unnamed repository; edit this file 'description' to name the repository.