authorJakob Kaivo <jkk@ung.org>2021-02-01 12:37:42 -0500
committerJakob Kaivo <jkk@ung.org>2021-02-01 12:37:42 -0500
commit84f1e99b6001420251d5d77f4f32928e9ace067e (patch)
tree95b331af51578e6aee3ce1ddb86b6ecb34fe5398 /check
parent9ccd9576784d719eebc7cf8b5d9eda8544186b3a (diff)
actually parse privexec.conf
Diffstat (limited to 'check')
-rw-r--r--check/parse.c57
1 files changed, 54 insertions, 3 deletions
diff --git a/check/parse.c b/check/parse.c
index aded0b1..33d1aa5 100644
--- a/check/parse.c
+++ b/check/parse.c
@@ -5,9 +5,42 @@
#include "check.h"
-enum permission get_permission(const char *user, const char *group, const char *cmd)
+static enum permission eval(const char *keyword, const char *principal, const char *cmd, const char *user, const char *group, const char *command)
+{
+ int pmatch = 0;
+ if (!strcmp(user, principal)) {
+ pmatch = 1;
+ }
+ if (principal[0] == ':' && !strcmp(group, principal + 1)) {
+ pmatch = 1;
+ }
+
+ int cmatch = 0;
+ if (cmd == NULL || !strcmp(cmd, command)) {
+ cmatch = 1;
+ }
+
+ if (!strcmp(keyword, "authorize")) {
+ if (cmatch && pmatch) {
+ return AUTHORIZED;
+ }
+ } else if (!strcmp(keyword, "authenticate")) {
+ if (cmatch && pmatch) {
+ return AUTHENTICATE;
+ }
+ } else if (!strcmp(keyword, "deny")) {
+ if (cmatch && pmatch) {
+ return DENIED;
+ }
+ } else {
+ fatal(0, "invalid keyword: %s", keyword);
+ }
+
+ return UNKNOWN;
+}
+
+enum permission get_permission(const char *user, const char *group, const char *command)
{
- (void)user; (void)group; (void)cmd;
enum permission perm = UNKNOWN;
FILE *f = fopen(CONFIG_PATH, "r");
if (f == NULL) {
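Review bot: `eval` has no comment stating the rule grammar it enforces, which is the security-relevant contract of this file; I would put above the definition on line 23 a comment such as `/* Rule: keyword principal [command]. principal is a user name or :group; a rule without a command matches every command. Unknown keywords are fatal. */`. The three keyword branches each repeat `if (cmatch && pmatch)`, so validating the keyword first and then returning early with `if (!(cmatch && pmatch)) return UNKNOWN;` would make the fail-closed path for an unknown keyword easier to see. Neither `group` nor `command` is checked for NULL before `strcmp`; the callers of get_permission are not in this commit, so if any of them can pass NULL the comparison is undefined behaviour and should be rejected explicitly rather than reached. Separately, `buf[s-1] = '\0'` in the next hunk drops the last byte even when the final config line has no trailing newline, which can silently shorten the command of a deny rule so it never matches; guarding it with `if (buf[s-1] == '\n')` avoids that.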
@@ -24,11 +57,29 @@ enum permission get_permission(const char *user, const char *group, const char *
if (*buf == '\n') {
continue;
}
+ buf[s-1] = '\0';
char *space = strchr(buf, ' ');
if (!space) {
- fatal(0, "invalid line in config: %s\n", buf);
+ fatal(0, "invalid line in config: %s", buf);
}
+
+ char *keyword = buf;
+ *space = '\0';
+
+ char *principal = space + 1;
+ char *cmd = NULL;
+ space = strchr(principal, ' ');
+ if (space) {
+ *space = '\0';
+ cmd = space + 1;
+ }
+
+ enum permission tmp = eval(keyword, principal, cmd, user, group, command);
+ /* only increase, so deny trumps authenticate, which trumps authorize */
+ if (tmp > perm) {
+ perm = tmp;
+ }
}
if (s == -1 && ferror(f)) {
fatal(1, "reading configuration");