[apple/ipsec.git] / ipsec-tools / racoon / open_dir.c

/*
 * Copyright (c) 2001-2004 Apple Computer, Inc. All rights reserved.
 *
 * @APPLE_LICENSE_HEADER_START@
 * 
 * The contents of this file constitute Original Code as defined in and
 * are subject to the Apple Public Source License Version 1.1 (the
 * "License").  You may not use this file except in compliance with the
 * License.  Please obtain a copy of the License at
 * http://www.apple.com/publicsource and read it before using this file.
 * 
 * This Original Code and all software distributed under the License are
 * distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT.  Please see the
 * License for the specific language governing rights and limitations
 * under the License.
 * 
 * @APPLE_LICENSE_HEADER_END@
 */


#include <CoreFoundation/CoreFoundation.h>

#include <DirectoryService/DirServices.h>
#include <DirectoryService/DirServicesUtils.h>
#include <DirectoryService/DirServicesConst.h>
#include <CoreFoundation/CFString.h>
#include <SystemConfiguration/SystemConfiguration.h>

#include "vmbuf.h"
#include "remoteconf.h"
#include "plog.h"
#include "misc.h"
#include "gcmalloc.h"
#include "open_dir.h"

#define BUF_LEN 		1024


static tDirStatus open_dir_get_search_node_ref(tDirReference dirRef, unsigned long index, 
                tDirNodeReference *searchNodeRef, unsigned long *count);
static tDirStatus open_dir_get_user_attr(tDirReference dirRef, tDirNodeReference searchNodeRef, char *user_name, 
                char *attr, tAttributeValueEntryPtr *attr_value);
static tDirStatus open_dir_check_group_membership(tDirReference dirRef, tDirNodeReference searchNodeRef, 
                char *group_name, char *user_name, char *userGID, int *authorized);


//----------------------------------------------------------------------
//	open_dir_authorize_id
//----------------------------------------------------------------------
int open_dir_authorize_id(vchar_t *id, vchar_t *group)
{

    tDirReference 			dirRef;
    tDirStatus 				dsResult = eDSNoErr;
    int						authorized = 0;
    tDirNodeReference 		searchNodeRef;
    tAttributeValueEntryPtr	groupID = NULL;
    tAttributeValueEntryPtr	recordName = NULL;
    unsigned long 			searchNodeCount;
    char*					user_name = NULL;
    char*					group_name = NULL;
    
    if (id == 0 || id->l < 1) {
        plog(LLV_ERROR, LOCATION, NULL, "invalid user name.\n");
        goto end;
    }	
   	user_name = racoon_malloc(id->l + 1);
   	if (user_name == NULL) {
   		plog(LLV_ERROR, LOCATION, NULL, "out of memory - unable to allocate space for user name.\n");
   		goto end;
   	}
   	bcopy(id->v, user_name, id->l);
   	*(user_name + id->l) = 0;
   		
   	if (group && group->l > 0) {
   		group_name = racoon_malloc(group->l + 1);
   		if (group_name == NULL) {
   			plog(LLV_NOTIFY, LOCATION, NULL, "out of memeory - unable to allocate space for group name.\n");
   			goto end;
   		}
   		bcopy(group->v, group_name, group->l);
   		*(group_name + group->l) = 0;
   	}
   			
    if ((dsResult = dsOpenDirService(&dirRef)) == eDSNoErr) {  
        // get the search node ref
        if ((dsResult = open_dir_get_search_node_ref(dirRef, 1, &searchNodeRef, &searchNodeCount)) == eDSNoErr) {
            // get the user's primary group ID
           	if (dsResult = open_dir_get_user_attr(dirRef, searchNodeRef, user_name, kDSNAttrRecordName, &recordName) == eDSNoErr) {
           		if (recordName != 0) {
           			if (group_name != 0) {
						if ((dsResult = open_dir_get_user_attr(dirRef, searchNodeRef, user_name, kDS1AttrPrimaryGroupID, &groupID)) == eDSNoErr) {
							// check if user is member of the group
							dsResult = open_dir_check_group_membership(dirRef, searchNodeRef, group_name, 
								recordName->fAttributeValueData.fBufferData, groupID->fAttributeValueData.fBufferData, &authorized);
						}
					} else
						authorized = 1;	// no group required - user record found		
 				} 
            }
            if (groupID)
                dsDeallocAttributeValueEntry(dirRef, groupID);
            if (recordName)
            	dsDeallocAttributeValueEntry(dirRef, recordName);
            dsCloseDirNode(searchNodeRef);		// close the search node
        }
        dsCloseDirService(dirRef);
    }

end:    
    if (authorized)
        plog(LLV_NOTIFY, LOCATION, NULL, "User '%s' authorized for access\n", user_name);
    else
        plog(LLV_NOTIFY, LOCATION, NULL, "User '%s' not authorized for access\n", user_name);
    if (user_name)
    	free(user_name);
    if (group_name)
    	free(group_name);
    return authorized;
}


//----------------------------------------------------------------------
//	open_dir_get_search_node_ref
//----------------------------------------------------------------------
static tDirStatus open_dir_get_search_node_ref(tDirReference dirRef, unsigned long index, 
                tDirNodeReference *searchNodeRef, unsigned long *count)
{
    tDirStatus			dsResult = -1;
    tDataBufferPtr		searchNodeDataBufferPtr = 0;
    tDataListPtr	   	searchNodeNameDataListPtr = 0;

    unsigned long		outNodeCount;
    tContextData		continueData = 0;
    
    *searchNodeRef = 0;
    *count = 0;
    
    // allocate required buffers and data lists
    if ((searchNodeDataBufferPtr = dsDataBufferAllocate(dirRef, BUF_LEN)) == 0) {
        plog(LLV_ERROR, LOCATION, NULL, "Could not allocate tDataBuffer\n");
        goto cleanup;
    }
    if ((searchNodeNameDataListPtr = dsDataListAllocate(dirRef)) == 0) {
        plog(LLV_ERROR, LOCATION, NULL, "Could not allocate tDataList\n");
        goto cleanup;
    }
        
    // find authentication search node(s)
    if ((dsResult = dsFindDirNodes(dirRef, searchNodeDataBufferPtr, 0, eDSAuthenticationSearchNodeName, 
                                                                &outNodeCount, &continueData)) == eDSNoErr) {
        if (outNodeCount != 0) {
                            
            // get the seach node name and open the node
            if ((dsResult = dsGetDirNodeName(dirRef, searchNodeDataBufferPtr, index, 
                                                        &searchNodeNameDataListPtr)) == eDSNoErr) {
                if ((dsResult = dsOpenDirNode(dirRef, searchNodeNameDataListPtr, searchNodeRef)) == eDSNoErr) {
                    *count = outNodeCount; 
                }
            }
        }
        if (continueData)
            dsReleaseContinueData(dirRef, continueData);
    }
    
cleanup:
    if (searchNodeDataBufferPtr)
        dsDataBufferDeAllocate(dirRef, searchNodeDataBufferPtr);
    if (searchNodeNameDataListPtr)
        dsDataListDeallocate(dirRef, searchNodeNameDataListPtr);
    
    return dsResult;
}

//----------------------------------------------------------------------
//	open_dir_get_user_attr
//----------------------------------------------------------------------
static tDirStatus open_dir_get_user_attr(tDirReference dirRef, tDirNodeReference searchNodeRef, char *user_name, 
                char *attr, tAttributeValueEntryPtr *attr_value)
{

    tDirStatus			dsResult = -1;
   
    tDataBufferPtr		userRcdDataBufferPtr = 0;
    tDataListPtr	   	recordNameDataListPtr = 0;
    tDataListPtr	   	recordTypeDataListPtr = 0;  
    tDataListPtr	   	attrTypeDataListPtr = 0;
    tContextData		continueData = 0;

    unsigned long		outRecordCount;
    int				userRcdFound = 0;
    u_int32_t			userRecordIndex, attrIndex;
    
    *attr_value	= 0;
                                             
    if ((userRcdDataBufferPtr = dsDataBufferAllocate(dirRef, BUF_LEN)) == 0) {
        plog(LLV_ERROR, LOCATION, NULL, "Could not allocate tDataBuffer\n");
        goto cleanup;
    }
    if ((recordNameDataListPtr = dsBuildListFromStrings(dirRef, user_name, 0)) == 0) {
        plog(LLV_ERROR, LOCATION, NULL, "Could not allocate tDataList\n");
        goto cleanup;
    }
    if ((recordTypeDataListPtr = dsBuildListFromStrings(dirRef, kDSStdRecordTypeUsers, 0)) == 0) {
        plog(LLV_ERROR, LOCATION, NULL, "Could not allocate tDataList\n");
        goto cleanup;
    }
    if ((attrTypeDataListPtr = dsBuildListFromStrings(dirRef, kDSNAttrRecordName, kDS1AttrDistinguishedName, attr, 0)) == 0) {
        plog(LLV_ERROR, LOCATION, NULL, "Could not allocate tDataList\n");
        goto cleanup;
    }
                                                                 
    // find the user record(s), extracting the user name and requested attribute
    do {
        dsResult = dsGetRecordList(searchNodeRef, userRcdDataBufferPtr, recordNameDataListPtr, eDSExact,
                    recordTypeDataListPtr, attrTypeDataListPtr, 0, &outRecordCount, &continueData);
        
        // if buffer too small - allocate a larger one
        if (dsResult == eDSBufferTooSmall) {
            u_int32_t	size = userRcdDataBufferPtr->fBufferSize * 2;
            
            dsDataBufferDeAllocate(dirRef, userRcdDataBufferPtr);
            if ((userRcdDataBufferPtr = dsDataBufferAllocate(dirRef, size)) == 0) {
                plog(LLV_ERROR, LOCATION, NULL, "Could not allocate tDataBuffer\n");
		dsResult = -1;
		goto cleanup;
            }
        }
    } while (dsResult == eDSBufferTooSmall);

    if (dsResult == eDSNoErr) {
        // for each user record
        for (userRecordIndex = 1; (userRecordIndex <= outRecordCount) && (dsResult == eDSNoErr) 
                                                        && (userRcdFound == 0); userRecordIndex++) {
                            
            tAttributeListRef	attrListRef;
            tRecordEntryPtr	userRcdEntryPtr;
                
            // get the user record entry from the data buffer
            if ((dsResult = dsGetRecordEntry(searchNodeRef, userRcdDataBufferPtr, userRecordIndex, 
                                                    &attrListRef, &userRcdEntryPtr)) == eDSNoErr) {
                // for each attribute
                for (attrIndex = 1; (attrIndex <= userRcdEntryPtr->fRecordAttributeCount) 
                                                            && (dsResult == eDSNoErr); attrIndex++) {
                
                    tAttributeValueListRef	attrValueListRef;
                    tAttributeEntryPtr		attrInfoPtr;
                    tAttributeValueEntryPtr	attrValuePtr;
                
                    if ((dsResult = dsGetAttributeEntry(searchNodeRef, userRcdDataBufferPtr, 
                                        attrListRef, attrIndex, &attrValueListRef, &attrInfoPtr)) == eDSNoErr) {
                        if ((dsResult = dsGetAttributeValue(searchNodeRef, userRcdDataBufferPtr, 1, 
                                        attrValueListRef, &attrValuePtr)) == eDSNoErr) { 
                                
                            // check for user record name or attribute searching for
                            if (!strcmp(attrInfoPtr->fAttributeSignature.fBufferData, kDSNAttrRecordName)) {
                                if (!strcmp(attrValuePtr->fAttributeValueData.fBufferData, user_name)) 
                                    userRcdFound = 1;
                            }
                            if (!strcmp(attrInfoPtr->fAttributeSignature.fBufferData, kDS1AttrDistinguishedName)) {
                                if (!strcmp(attrValuePtr->fAttributeValueData.fBufferData, user_name)) 
                                    userRcdFound = 1;
                            }
                            if (!strcmp(attrInfoPtr->fAttributeSignature.fBufferData, attr)) {
                                *attr_value = attrValuePtr;	// return the attribute value
                                attrValuePtr = 0;		// set to zero so we don't deallocate it
                            }
                            if (attrValuePtr)
                                dsDeallocAttributeValueEntry(dirRef, attrValuePtr);
                        }
                        dsCloseAttributeValueList(attrValueListRef);
                        dsDeallocAttributeEntry(dirRef, attrInfoPtr);
                    }
                }
                // make sure we've processed both attributes and we have a match on user name
                if(userRcdFound == 0 || *attr_value == 0) {
                    userRcdFound = 0;
                    if (*attr_value)
                    	dsDeallocAttributeValueEntry(dirRef, *attr_value);
                    *attr_value = 0;
                }            
                dsCloseAttributeList(attrListRef);
                dsDeallocRecordEntry(dirRef, userRcdEntryPtr);
            }
        }
    }
        
cleanup:
	if (continueData)
		dsReleaseContinueData(searchNodeRef, continueData);
    if (userRcdDataBufferPtr)
        dsDataBufferDeAllocate(dirRef, userRcdDataBufferPtr);
    if (recordNameDataListPtr)
        dsDataListDeallocate(dirRef, recordNameDataListPtr);
    if (recordTypeDataListPtr)
        dsDataListDeallocate(dirRef, recordTypeDataListPtr); 
    if (attrTypeDataListPtr)
        dsDataListDeallocate(dirRef, attrTypeDataListPtr); 
        
    return dsResult;
    
}


//----------------------------------------------------------------------
//	open_dir_check_group_membership
//----------------------------------------------------------------------
static tDirStatus open_dir_check_group_membership(tDirReference dirRef, tDirNodeReference searchNodeRef, 
                char *group_name, char *user_name, char *userGID, int *authorized)
{
    tDirStatus			dsResult = -1;
   
    tDataBufferPtr		groupRcdDataBufferPtr = 0;
    tDataListPtr	   	recordNameDataListPtr = 0;
    tDataListPtr	   	recordTypeDataListPtr = 0;  
    tDataListPtr	   	attrTypeDataListPtr = 0;
    tContextData		continueData = 0;

    unsigned long		outRecordCount;
    u_int32_t			attrIndex, valueIndex;
    
    *authorized	= 0;
                                             
    if ((groupRcdDataBufferPtr = dsDataBufferAllocate(dirRef, BUF_LEN)) == 0) {
        plog(LLV_ERROR, LOCATION, NULL, "Could not allocate tDataBuffer\n");
        goto cleanup;
    }
    if ((recordNameDataListPtr = dsBuildListFromStrings(dirRef, group_name, 0)) == 0) {
        plog(LLV_ERROR, LOCATION, NULL, "Could not allocate tDataList\n");
        goto cleanup;
    }
    if ((recordTypeDataListPtr = dsBuildListFromStrings(dirRef, kDSStdRecordTypeGroups, 0)) == 0) {
        plog(LLV_ERROR, LOCATION, NULL, "Could not allocate tDataList\n");
        goto cleanup;
    }
    if ((attrTypeDataListPtr = dsBuildListFromStrings(dirRef, kDS1AttrPrimaryGroupID, kDSNAttrGroupMembership, 0)) == 0) {
        plog(LLV_ERROR, LOCATION, NULL, "Could not allocate tDataList\n");
        goto cleanup;
    }

    // find the group record, extracting the group ID and group membership attribute
    do {
        dsResult = dsGetRecordList(searchNodeRef, groupRcdDataBufferPtr, recordNameDataListPtr, eDSExact,
                            recordTypeDataListPtr, attrTypeDataListPtr, 0, &outRecordCount, &continueData);
        // if buffer too small - allocate a larger one
        if (dsResult == eDSBufferTooSmall) {
            u_int32_t	size = groupRcdDataBufferPtr->fBufferSize * 2;
            
            dsDataBufferDeAllocate(dirRef, groupRcdDataBufferPtr);
            if ((groupRcdDataBufferPtr = dsDataBufferAllocate(dirRef, size)) == 0) {
                plog(LLV_ERROR, LOCATION, NULL, "Could not allocate tDataBuffer\n");
                dsResult = -1;
                goto cleanup;
            }
        }
    } while (dsResult == eDSBufferTooSmall);
    
    if (dsResult == eDSNoErr) {
                             
        tAttributeListRef	attrListRef;
        tRecordEntryPtr		groupRcdEntryPtr;
        
        // get the group record entry
        if ((dsResult = dsGetRecordEntry(searchNodeRef, groupRcdDataBufferPtr, 1, &attrListRef, &groupRcdEntryPtr)) == eDSNoErr) {

            // for each attribute
            for (attrIndex = 1; (attrIndex <= groupRcdEntryPtr->fRecordAttributeCount) && (dsResult == eDSNoErr)
                                    && (*authorized == 0); attrIndex++) {
                    
                tAttributeValueListRef	attrValueListRef;
                tAttributeEntryPtr	attrInfoPtr;
                tAttributeValueEntryPtr	attrValuePtr;
            
                if ((dsResult = dsGetAttributeEntry(searchNodeRef, groupRcdDataBufferPtr, attrListRef, 
                                                        attrIndex, &attrValueListRef, &attrInfoPtr)) == eDSNoErr) {
                    
                    // group ID attribute ?
                    if (!strcmp(attrInfoPtr->fAttributeSignature.fBufferData, kDS1AttrPrimaryGroupID)) {
                    	if ((dsResult = dsGetAttributeValue(searchNodeRef, groupRcdDataBufferPtr, 1, 
                                                            attrValueListRef, &attrValuePtr)) == eDSNoErr) {  
                            
                            // check for match on primary group ID
                            if (!strcmp(attrValuePtr->fAttributeValueData.fBufferData, userGID))
                                *authorized = 1;
                            dsDeallocAttributeValueEntry(dirRef, attrValuePtr);
                        }
                    } else if (!strcmp(attrInfoPtr->fAttributeSignature.fBufferData, kDSNAttrGroupMembership)) {
                        // for each value check for user's name in the group
                        for (valueIndex = 1; (valueIndex <= attrInfoPtr->fAttributeValueCount) 
                                                && (dsResult == eDSNoErr) && (*authorized == 0); valueIndex++) {
                            
                            if ((dsResult = dsGetAttributeValue(searchNodeRef, groupRcdDataBufferPtr, 
                                                    valueIndex, attrValueListRef, &attrValuePtr)) == eDSNoErr) {                                
                                if (!strcmp(attrValuePtr->fAttributeValueData.fBufferData, user_name))
                                    *authorized = 1;
                                dsDeallocAttributeValueEntry(dirRef, attrValuePtr);
                            }
                        }
                    }
                    dsCloseAttributeValueList(attrValueListRef);
                    dsDeallocAttributeEntry(dirRef, attrInfoPtr);
                }
            }
            dsCloseAttributeList(attrListRef);
            dsDeallocRecordEntry(dirRef, groupRcdEntryPtr);
        }
    }
        
cleanup:
	if (continueData)
		dsReleaseContinueData(searchNodeRef, continueData);
    if (groupRcdDataBufferPtr)
        dsDataBufferDeAllocate(dirRef, groupRcdDataBufferPtr);
    if (recordNameDataListPtr)
        dsDataListDeallocate(dirRef, recordNameDataListPtr);
    if (recordTypeDataListPtr)
        dsDataListDeallocate(dirRef, recordTypeDataListPtr); 
    if (attrTypeDataListPtr)
        dsDataListDeallocate(dirRef, attrTypeDataListPtr); 
        
    return dsResult;
}
Commit	Line	Data
52b7d2ce A	1	/*
	2	* Copyright (c) 2001-2004 Apple Computer, Inc. All rights reserved.
	3	*
	4	* @APPLE_LICENSE_HEADER_START@
	5	*
	6	* The contents of this file constitute Original Code as defined in and
	7	* are subject to the Apple Public Source License Version 1.1 (the
	8	* "License"). You may not use this file except in compliance with the
	9	* License. Please obtain a copy of the License at
	10	* http://www.apple.com/publicsource and read it before using this file.
	11	*
	12	* This Original Code and all software distributed under the License are
	13	* distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER
	14	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
	15	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
	16	* FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. Please see the
	17	* License for the specific language governing rights and limitations
	18	* under the License.
	19	*
	20	* @APPLE_LICENSE_HEADER_END@
	21	*/
	22
	23
	24	#include <CoreFoundation/CoreFoundation.h>
	25
	26	#include <DirectoryService/DirServices.h>
	27	#include <DirectoryService/DirServicesUtils.h>
	28	#include <DirectoryService/DirServicesConst.h>
	29	#include <CoreFoundation/CFString.h>
	30	#include <SystemConfiguration/SystemConfiguration.h>
	31
	32	#include "vmbuf.h"
	33	#include "remoteconf.h"
	34	#include "plog.h"
	35	#include "misc.h"
	36	#include "gcmalloc.h"
	37	#include "open_dir.h"
	38
	39	#define BUF_LEN 1024
	40
	41
	42	static tDirStatus open_dir_get_search_node_ref(tDirReference dirRef, unsigned long index,
	43	tDirNodeReference searchNodeRef, unsigned long count);
	44	static tDirStatus open_dir_get_user_attr(tDirReference dirRef, tDirNodeReference searchNodeRef, char *user_name,
	45	char attr, tAttributeValueEntryPtr attr_value);
	46	static tDirStatus open_dir_check_group_membership(tDirReference dirRef, tDirNodeReference searchNodeRef,
	47	char group_name, char user_name, char userGID, int authorized);
	48
	49
	50	//----------------------------------------------------------------------
	51	// open_dir_authorize_id
	52	//----------------------------------------------------------------------
	53	int open_dir_authorize_id(vchar_t id, vchar_t group)
	54	{
	55
	56	tDirReference dirRef;
	57	tDirStatus dsResult = eDSNoErr;
	58	int authorized = 0;
	59	tDirNodeReference searchNodeRef;
	60	tAttributeValueEntryPtr groupID = NULL;
	61	tAttributeValueEntryPtr recordName = NULL;
	62	unsigned long searchNodeCount;
	63	char* user_name = NULL;
	64	char* group_name = NULL;
65
66	if (id == 0 \|\| id->l < 1) {
67	plog(LLV_ERROR, LOCATION, NULL, "invalid user name.\n");
68	goto end;
69	}
70	user_name = racoon_malloc(id->l + 1);
71	if (user_name == NULL) {
72	plog(LLV_ERROR, LOCATION, NULL, "out of memory - unable to allocate space for user name.\n");
73	goto end;
74	}
75	bcopy(id->v, user_name, id->l);
76	*(user_name + id->l) = 0;
77
78	if (group && group->l > 0) {
79	group_name = racoon_malloc(group->l + 1);
80	if (group_name == NULL) {
81	plog(LLV_NOTIFY, LOCATION, NULL, "out of memeory - unable to allocate space for group name.\n");
82	goto end;
83	}
84	bcopy(group->v, group_name, group->l);
85	*(group_name + group->l) = 0;
86	}
87
88	if ((dsResult = dsOpenDirService(&dirRef)) == eDSNoErr) {
89	// get the search node ref
90	if ((dsResult = open_dir_get_search_node_ref(dirRef, 1, &searchNodeRef, &searchNodeCount)) == eDSNoErr) {
91	// get the user's primary group ID
92	if (dsResult = open_dir_get_user_attr(dirRef, searchNodeRef, user_name, kDSNAttrRecordName, &recordName) == eDSNoErr) {
93	if (recordName != 0) {
94	if (group_name != 0) {
95	if ((dsResult = open_dir_get_user_attr(dirRef, searchNodeRef, user_name, kDS1AttrPrimaryGroupID, &groupID)) == eDSNoErr) {
96	// check if user is member of the group
97	dsResult = open_dir_check_group_membership(dirRef, searchNodeRef, group_name,
98	recordName->fAttributeValueData.fBufferData, groupID->fAttributeValueData.fBufferData, &authorized);
99	}
100	} else
101	authorized = 1; // no group required - user record found
102	}
103	}
104	if (groupID)
105	dsDeallocAttributeValueEntry(dirRef, groupID);
106	if (recordName)
107	dsDeallocAttributeValueEntry(dirRef, recordName);
108	dsCloseDirNode(searchNodeRef); // close the search node
109	}
110	dsCloseDirService(dirRef);
111	}
112
113	end:
114	if (authorized)
115	plog(LLV_NOTIFY, LOCATION, NULL, "User '%s' authorized for access\n", user_name);
116	else
117	plog(LLV_NOTIFY, LOCATION, NULL, "User '%s' not authorized for access\n", user_name);
118	if (user_name)
119	free(user_name);
120	if (group_name)
121	free(group_name);
122	return authorized;
123	}
124
125
126	//----------------------------------------------------------------------
127	// open_dir_get_search_node_ref
128	//----------------------------------------------------------------------
129	static tDirStatus open_dir_get_search_node_ref(tDirReference dirRef, unsigned long index,
130	tDirNodeReference searchNodeRef, unsigned long count)
131	{
132	tDirStatus dsResult = -1;
133	tDataBufferPtr searchNodeDataBufferPtr = 0;
134	tDataListPtr searchNodeNameDataListPtr = 0;
135
136	unsigned long outNodeCount;
137	tContextData continueData = 0;
138
139	*searchNodeRef = 0;
140	*count = 0;
141
142	// allocate required buffers and data lists
143	if ((searchNodeDataBufferPtr = dsDataBufferAllocate(dirRef, BUF_LEN)) == 0) {
144	plog(LLV_ERROR, LOCATION, NULL, "Could not allocate tDataBuffer\n");
145	goto cleanup;
146	}
147	if ((searchNodeNameDataListPtr = dsDataListAllocate(dirRef)) == 0) {
148	plog(LLV_ERROR, LOCATION, NULL, "Could not allocate tDataList\n");
149	goto cleanup;
150	}
151
152	// find authentication search node(s)
153	if ((dsResult = dsFindDirNodes(dirRef, searchNodeDataBufferPtr, 0, eDSAuthenticationSearchNodeName,
154	&outNodeCount, &continueData)) == eDSNoErr) {
155	if (outNodeCount != 0) {
156
157	// get the seach node name and open the node
158	if ((dsResult = dsGetDirNodeName(dirRef, searchNodeDataBufferPtr, index,
159	&searchNodeNameDataListPtr)) == eDSNoErr) {
160	if ((dsResult = dsOpenDirNode(dirRef, searchNodeNameDataListPtr, searchNodeRef)) == eDSNoErr) {
161	*count = outNodeCount;
162	}
163	}
164	}
165	if (continueData)
166	dsReleaseContinueData(dirRef, continueData);
167	}
168
169	cleanup:
170	if (searchNodeDataBufferPtr)
171	dsDataBufferDeAllocate(dirRef, searchNodeDataBufferPtr);
172	if (searchNodeNameDataListPtr)
173	dsDataListDeallocate(dirRef, searchNodeNameDataListPtr);
174
175	return dsResult;
176	}
177
178	//----------------------------------------------------------------------
179	// open_dir_get_user_attr
180	//----------------------------------------------------------------------
181	static tDirStatus open_dir_get_user_attr(tDirReference dirRef, tDirNodeReference searchNodeRef, char *user_name,
182	char attr, tAttributeValueEntryPtr attr_value)
183	{
184
185	tDirStatus dsResult = -1;
186
187	tDataBufferPtr userRcdDataBufferPtr = 0;
188	tDataListPtr recordNameDataListPtr = 0;
189	tDataListPtr recordTypeDataListPtr = 0;
190	tDataListPtr attrTypeDataListPtr = 0;
191	tContextData continueData = 0;
192
193	unsigned long outRecordCount;
194	int userRcdFound = 0;
195	u_int32_t userRecordIndex, attrIndex;
196
197	*attr_value = 0;
198
199	if ((userRcdDataBufferPtr = dsDataBufferAllocate(dirRef, BUF_LEN)) == 0) {
200	plog(LLV_ERROR, LOCATION, NULL, "Could not allocate tDataBuffer\n");
201	goto cleanup;
202	}
203	if ((recordNameDataListPtr = dsBuildListFromStrings(dirRef, user_name, 0)) == 0) {
204	plog(LLV_ERROR, LOCATION, NULL, "Could not allocate tDataList\n");
205	goto cleanup;
206	}
207	if ((recordTypeDataListPtr = dsBuildListFromStrings(dirRef, kDSStdRecordTypeUsers, 0)) == 0) {
208	plog(LLV_ERROR, LOCATION, NULL, "Could not allocate tDataList\n");
209	goto cleanup;
210	}
211	if ((attrTypeDataListPtr = dsBuildListFromStrings(dirRef, kDSNAttrRecordName, kDS1AttrDistinguishedName, attr, 0)) == 0) {
212	plog(LLV_ERROR, LOCATION, NULL, "Could not allocate tDataList\n");
213	goto cleanup;
214	}
215
216	// find the user record(s), extracting the user name and requested attribute
217	do {
218	dsResult = dsGetRecordList(searchNodeRef, userRcdDataBufferPtr, recordNameDataListPtr, eDSExact,
219	recordTypeDataListPtr, attrTypeDataListPtr, 0, &outRecordCount, &continueData);
220
221	// if buffer too small - allocate a larger one
222	if (dsResult == eDSBufferTooSmall) {
223	u_int32_t size = userRcdDataBufferPtr->fBufferSize * 2;
224
225	dsDataBufferDeAllocate(dirRef, userRcdDataBufferPtr);
226	if ((userRcdDataBufferPtr = dsDataBufferAllocate(dirRef, size)) == 0) {
227	plog(LLV_ERROR, LOCATION, NULL, "Could not allocate tDataBuffer\n");
228	dsResult = -1;
229	goto cleanup;
230	}
231	}
232	} while (dsResult == eDSBufferTooSmall);
233
234	if (dsResult == eDSNoErr) {
235	// for each user record
236	for (userRecordIndex = 1; (userRecordIndex <= outRecordCount) && (dsResult == eDSNoErr)
237	&& (userRcdFound == 0); userRecordIndex++) {
238
239	tAttributeListRef attrListRef;
240	tRecordEntryPtr userRcdEntryPtr;
241
242	// get the user record entry from the data buffer
243	if ((dsResult = dsGetRecordEntry(searchNodeRef, userRcdDataBufferPtr, userRecordIndex,
244	&attrListRef, &userRcdEntryPtr)) == eDSNoErr) {
245	// for each attribute
246	for (attrIndex = 1; (attrIndex <= userRcdEntryPtr->fRecordAttributeCount)
247	&& (dsResult == eDSNoErr); attrIndex++) {
248
249	tAttributeValueListRef attrValueListRef;
250	tAttributeEntryPtr attrInfoPtr;
251	tAttributeValueEntryPtr attrValuePtr;
252
253	if ((dsResult = dsGetAttributeEntry(searchNodeRef, userRcdDataBufferPtr,
254	attrListRef, attrIndex, &attrValueListRef, &attrInfoPtr)) == eDSNoErr) {
255	if ((dsResult = dsGetAttributeValue(searchNodeRef, userRcdDataBufferPtr, 1,
256	attrValueListRef, &attrValuePtr)) == eDSNoErr) {
257
258	// check for user record name or attribute searching for
259	if (!strcmp(attrInfoPtr->fAttributeSignature.fBufferData, kDSNAttrRecordName)) {
260	if (!strcmp(attrValuePtr->fAttributeValueData.fBufferData, user_name))
261	userRcdFound = 1;
262	}
263	if (!strcmp(attrInfoPtr->fAttributeSignature.fBufferData, kDS1AttrDistinguishedName)) {
264	if (!strcmp(attrValuePtr->fAttributeValueData.fBufferData, user_name))
265	userRcdFound = 1;
266	}
267	if (!strcmp(attrInfoPtr->fAttributeSignature.fBufferData, attr)) {
268	*attr_value = attrValuePtr; // return the attribute value
269	attrValuePtr = 0; // set to zero so we don't deallocate it
270	}
271	if (attrValuePtr)
272	dsDeallocAttributeValueEntry(dirRef, attrValuePtr);
273	}
274	dsCloseAttributeValueList(attrValueListRef);
275	dsDeallocAttributeEntry(dirRef, attrInfoPtr);
276	}
277	}
278	// make sure we've processed both attributes and we have a match on user name
279	if(userRcdFound == 0 \|\| *attr_value == 0) {
280	userRcdFound = 0;
281	if (*attr_value)
282	dsDeallocAttributeValueEntry(dirRef, *attr_value);
283	*attr_value = 0;
284	}
285	dsCloseAttributeList(attrListRef);
286	dsDeallocRecordEntry(dirRef, userRcdEntryPtr);
287	}
288	}
289	}
290
291	cleanup:
292	if (continueData)
293	dsReleaseContinueData(searchNodeRef, continueData);
294	if (userRcdDataBufferPtr)
295	dsDataBufferDeAllocate(dirRef, userRcdDataBufferPtr);
296	if (recordNameDataListPtr)
297	dsDataListDeallocate(dirRef, recordNameDataListPtr);
298	if (recordTypeDataListPtr)
299	dsDataListDeallocate(dirRef, recordTypeDataListPtr);
300	if (attrTypeDataListPtr)
301	dsDataListDeallocate(dirRef, attrTypeDataListPtr);
302
303	return dsResult;
304
305	}
306
307
308	//----------------------------------------------------------------------
309	// open_dir_check_group_membership
310	//----------------------------------------------------------------------
311	static tDirStatus open_dir_check_group_membership(tDirReference dirRef, tDirNodeReference searchNodeRef,
312	char group_name, char user_name, char userGID, int authorized)
313	{
314	tDirStatus dsResult = -1;
315
316	tDataBufferPtr groupRcdDataBufferPtr = 0;
317	tDataListPtr recordNameDataListPtr = 0;
318	tDataListPtr recordTypeDataListPtr = 0;
319	tDataListPtr attrTypeDataListPtr = 0;
320	tContextData continueData = 0;
321
322	unsigned long outRecordCount;
323	u_int32_t attrIndex, valueIndex;
324
325	*authorized = 0;
326
327	if ((groupRcdDataBufferPtr = dsDataBufferAllocate(dirRef, BUF_LEN)) == 0) {
328	plog(LLV_ERROR, LOCATION, NULL, "Could not allocate tDataBuffer\n");
329	goto cleanup;
330	}
331	if ((recordNameDataListPtr = dsBuildListFromStrings(dirRef, group_name, 0)) == 0) {
332	plog(LLV_ERROR, LOCATION, NULL, "Could not allocate tDataList\n");
333	goto cleanup;
334	}
335	if ((recordTypeDataListPtr = dsBuildListFromStrings(dirRef, kDSStdRecordTypeGroups, 0)) == 0) {
336	plog(LLV_ERROR, LOCATION, NULL, "Could not allocate tDataList\n");
337	goto cleanup;
338	}
339	if ((attrTypeDataListPtr = dsBuildListFromStrings(dirRef, kDS1AttrPrimaryGroupID, kDSNAttrGroupMembership, 0)) == 0) {
340	plog(LLV_ERROR, LOCATION, NULL, "Could not allocate tDataList\n");
341	goto cleanup;
342	}
343
344	// find the group record, extracting the group ID and group membership attribute
345	do {
346	dsResult = dsGetRecordList(searchNodeRef, groupRcdDataBufferPtr, recordNameDataListPtr, eDSExact,
347	recordTypeDataListPtr, attrTypeDataListPtr, 0, &outRecordCount, &continueData);
348	// if buffer too small - allocate a larger one
349	if (dsResult == eDSBufferTooSmall) {
350	u_int32_t size = groupRcdDataBufferPtr->fBufferSize * 2;
351
352	dsDataBufferDeAllocate(dirRef, groupRcdDataBufferPtr);
353	if ((groupRcdDataBufferPtr = dsDataBufferAllocate(dirRef, size)) == 0) {
354	plog(LLV_ERROR, LOCATION, NULL, "Could not allocate tDataBuffer\n");
355	dsResult = -1;
356	goto cleanup;
357	}
358	}
359	} while (dsResult == eDSBufferTooSmall);
360
361	if (dsResult == eDSNoErr) {
362
363	tAttributeListRef attrListRef;
364	tRecordEntryPtr groupRcdEntryPtr;
365
366	// get the group record entry
367	if ((dsResult = dsGetRecordEntry(searchNodeRef, groupRcdDataBufferPtr, 1, &attrListRef, &groupRcdEntryPtr)) == eDSNoErr) {
368
369	// for each attribute
370	for (attrIndex = 1; (attrIndex <= groupRcdEntryPtr->fRecordAttributeCount) && (dsResult == eDSNoErr)
371	&& (*authorized == 0); attrIndex++) {
372
373	tAttributeValueListRef attrValueListRef;
374	tAttributeEntryPtr attrInfoPtr;
375	tAttributeValueEntryPtr attrValuePtr;
376
377	if ((dsResult = dsGetAttributeEntry(searchNodeRef, groupRcdDataBufferPtr, attrListRef,
378	attrIndex, &attrValueListRef, &attrInfoPtr)) == eDSNoErr) {
379
380	// group ID attribute ?
381	if (!strcmp(attrInfoPtr->fAttributeSignature.fBufferData, kDS1AttrPrimaryGroupID)) {
382	if ((dsResult = dsGetAttributeValue(searchNodeRef, groupRcdDataBufferPtr, 1,
383	attrValueListRef, &attrValuePtr)) == eDSNoErr) {
384
385	// check for match on primary group ID
386	if (!strcmp(attrValuePtr->fAttributeValueData.fBufferData, userGID))
387	*authorized = 1;
388	dsDeallocAttributeValueEntry(dirRef, attrValuePtr);
389	}
390	} else if (!strcmp(attrInfoPtr->fAttributeSignature.fBufferData, kDSNAttrGroupMembership)) {
391	// for each value check for user's name in the group
392	for (valueIndex = 1; (valueIndex <= attrInfoPtr->fAttributeValueCount)
393	&& (dsResult == eDSNoErr) && (*authorized == 0); valueIndex++) {
394
395	if ((dsResult = dsGetAttributeValue(searchNodeRef, groupRcdDataBufferPtr,
396	valueIndex, attrValueListRef, &attrValuePtr)) == eDSNoErr) {
397	if (!strcmp(attrValuePtr->fAttributeValueData.fBufferData, user_name))
398	*authorized = 1;
399	dsDeallocAttributeValueEntry(dirRef, attrValuePtr);
400	}
401	}
402	}
403	dsCloseAttributeValueList(attrValueListRef);
404	dsDeallocAttributeEntry(dirRef, attrInfoPtr);
405	}
406	}
407	dsCloseAttributeList(attrListRef);
408	dsDeallocRecordEntry(dirRef, groupRcdEntryPtr);
409	}
410	}
411
412	cleanup:
413	if (continueData)
414	dsReleaseContinueData(searchNodeRef, continueData);
415	if (groupRcdDataBufferPtr)
416	dsDataBufferDeAllocate(dirRef, groupRcdDataBufferPtr);
417	if (recordNameDataListPtr)
418	dsDataListDeallocate(dirRef, recordNameDataListPtr);
419	if (recordTypeDataListPtr)
420	dsDataListDeallocate(dirRef, recordTypeDataListPtr);
421	if (attrTypeDataListPtr)
422	dsDataListDeallocate(dirRef, attrTypeDataListPtr);
423
424	return dsResult;
425	}
426