2 * Copyright 2000, International Business Machines Corporation and others.
5 * This software has been released under the terms of the IBM Public
6 * License. For details, see the LICENSE file in the top-level source
7 * directory or online at http://www.openafs.org/dl/license10.html
10 #include <afsconfig.h>
11 #include <afs/param.h>
17 #include <sys/types.h>
21 #include <netinet/in.h>
28 #include <afs/cellconfig.h>
29 #include <afs/afsutil.h>
30 #include <afs/com_err.h>
37 # include "afs_usrops.h"
40 struct ubik_client *pruclient = 0;
41 static afs_int32 lastLevel; /* security level pruclient, if any */
43 static char *whoami = "libprot";
46 #define ID_HASH_SIZE 1024
47 #define ID_STACK_SIZE 1024
50 * Hash table chain of user and group ids.
58 * Hash table of user and group ids.
61 afs_uint32 userEntries; /**< number of user id entries hashed */
62 afs_uint32 groupEntries; /**< number of group id entries hashed */
63 struct idchain *hash[ID_HASH_SIZE];
67 * Allocate a new id hash table.
70 AllocateIdHash(struct idhash **aidhash)
72 struct idhash *idhash;
74 idhash = (struct idhash *)malloc(sizeof(struct idhash));
78 memset((void *)idhash, 0, sizeof(struct idhash));
87 FreeIdHash(struct idhash *idhash)
90 struct idchain *chain;
93 for (index = 0; index < ID_HASH_SIZE; index++) {
94 for (chain = idhash->hash[index]; chain; chain = next) {
103 * Indicate if group/user id is already hashed, and
106 * @returns whether id is present
107 * @retval >0 id is already present in the hash
108 * @retval 0 id was not found and was inserted into the hash
109 * @retval <0 error encountered
112 FindId(struct idhash *idhash, afs_int32 id)
115 struct idchain *chain;
116 struct idchain *newChain;
118 index = abs(id) % ID_HASH_SIZE;
119 for (chain = idhash->hash[index]; chain; chain = chain->next) {
120 if (chain->id == id) {
125 /* Insert this id but return not found. */
126 newChain = (struct idchain *)malloc(sizeof(struct idchain));
131 newChain->next = idhash->hash[index];
132 idhash->hash[index] = newChain;
134 idhash->groupEntries++;
136 idhash->userEntries++;
143 * Create an idlist from the ids in the hash.
146 CreateIdList(struct idhash *idhash, idlist * alist, afs_int32 select)
148 struct idchain *chain;
149 afs_int32 entries = 0;
153 if (select & PRGROUPS) {
154 entries += idhash->groupEntries;
156 if (select & PRUSERS) {
157 entries += idhash->userEntries;
160 alist->idlist_len = entries;
161 alist->idlist_val = (afs_int32 *) malloc(sizeof(afs_int32) * entries);
162 if (!alist->idlist_val) {
166 for (i = 0, index = 0; index < ID_HASH_SIZE; index++) {
167 for (chain = idhash->hash[index]; chain; chain = chain->next) {
169 if (select & PRGROUPS) {
170 alist->idlist_val[i++] = chain->id;
173 if (select & PRUSERS) {
174 alist->idlist_val[i++] = chain->id;
183 pr_Initialize(IN afs_int32 secLevel, IN const char *confDir, IN char *cell)
186 struct rx_connection *serverconns[MAXSERVERS];
187 struct rx_securityClass *sc = NULL;
188 static struct afsconf_dir *tdir = (struct afsconf_dir *)NULL; /* only do this once */
189 static char tconfDir[100] = "";
190 static char tcell[64] = "";
193 static struct afsconf_cell info;
195 #if !defined(UKERNEL)
198 afs_int32 gottdir = 0;
199 afs_int32 refresh = 0;
201 initialize_PT_error_table();
202 initialize_RXK_error_table();
203 initialize_ACFG_error_table();
204 initialize_KTC_error_table();
208 cell = afs_LclCellName;
210 #else /* defined(UKERNEL) */
213 tdir = afsconf_Open(confDir);
215 if (confDir && strcmp(confDir, ""))
217 "%s: Could not open configuration directory: %s.\n",
221 "%s: No configuration directory specified.\n",
227 code = afsconf_GetLocalCell(tdir, cellstr, sizeof(cellstr));
230 "libprot: Could not get local cell. [%d]\n", code);
235 #endif /* defined(UKERNEL) */
237 if (tdir == NULL || strcmp(confDir, tconfDir) || strcmp(cell, tcell)) {
239 * force re-evaluation. we either don't have an afsconf_dir,
240 * the directory has changed or the cell has changed.
242 if (tdir && !gottdir) {
244 tdir = (struct afsconf_dir *)NULL;
246 pruclient = (struct ubik_client *)NULL;
251 strncpy(tconfDir, confDir, sizeof(tconfDir));
252 strncpy(tcell, cell, sizeof(tcell));
256 #else /* defined(UKERNEL) */
258 tdir = afsconf_Open(confDir);
260 if (confDir && strcmp(confDir, ""))
262 "libprot: Could not open configuration directory: %s.\n",
266 "libprot: No configuration directory specified.\n");
269 #endif /* defined(UKERNEL) */
271 code = afsconf_GetCellInfo(tdir, cell, "afsprot", &info);
273 fprintf(stderr, "libprot: Could not locate cell %s in %s/%s\n",
274 cell, confDir, AFSDIR_CELLSERVDB_FILE);
279 /* If we already have a client and it is at the security level we
280 * want, don't get a new one. Unless the security level is 2 in
281 * which case we will get one (and re-read the key file).
283 if (pruclient && (lastLevel == secLevel) && (secLevel != 2)) {
289 fprintf(stderr, "libprot: Could not initialize rx.\n");
293 /* Most callers use secLevel==1, however, the fileserver uses secLevel==2
294 * to force use of the KeyFile. secLevel == 0 implies -noauth was
297 code = afsconf_GetLatestKey(tdir, 0, 0);
299 afs_com_err(whoami, code, "(getting key from local KeyFile)\n");
301 /* If secLevel is two assume we're on a file server and use
302 * ClientAuthSecure if possible. */
303 code = afsconf_ClientAuthSecure(tdir, &sc, &scIndex);
305 afs_com_err(whoami, code, "(calling client secure)\n");
307 } else if (secLevel > 0) {
310 secFlags |= AFSCONF_SECOPTS_ALWAYSENCRYPT;
312 code = afsconf_ClientAuthToken(&info, secFlags, &sc, &scIndex, NULL);
314 afs_com_err(whoami, code, "(getting token)");
321 sc = rxnull_NewClientSecurityObject();
322 scIndex = RX_SECIDX_NULL;
325 if ((scIndex == RX_SECIDX_NULL) && (secLevel != 0))
327 "%s: Could not get afs tokens, running unauthenticated\n",
330 memset(serverconns, 0, sizeof(serverconns)); /* terminate list!!! */
331 for (i = 0; i < info.numServers; i++)
333 rx_NewConnection(info.hostAddr[i].sin_addr.s_addr,
334 info.hostAddr[i].sin_port, PRSRV, sc,
337 code = ubik_ClientInit(serverconns, &pruclient);
339 afs_com_err(whoami, code, "ubik client init failed.");
344 code = rxs_Release(sc);
354 code = ubik_ClientDestroy(pruclient);
363 pr_CreateUser(char name[PR_MAXNAMELEN], afs_int32 *id)
369 code = ubik_PR_INewEntry(pruclient, 0, name, *id, 0);
372 code = ubik_PR_NewEntry(pruclient, 0, name, 0, 0, id);
379 pr_CreateGroup(char name[PR_MAXNAMELEN], char owner[PR_MAXNAMELEN], afs_int32 *id)
387 code = pr_SNameToId(owner, &oid);
390 if (oid == ANONYMOUSID)
395 code = ubik_PR_INewEntry(pruclient, 0, name, *id, oid);
398 code = ubik_PR_NewEntry(pruclient, 0, name, flags, oid, id);
404 pr_Delete(char *name)
410 code = pr_SNameToId(name, &id);
413 if (id == ANONYMOUSID)
415 code = ubik_PR_Delete(pruclient, 0, id);
420 pr_DeleteByID(afs_int32 id)
424 code = ubik_PR_Delete(pruclient, 0, id);
429 pr_AddToGroup(char *user, char *group)
435 lnames.namelist_len = 2;
436 lnames.namelist_val = malloc(2 * PR_MAXNAMELEN);
437 strncpy(lnames.namelist_val[0], user, PR_MAXNAMELEN);
438 strncpy(lnames.namelist_val[1], group, PR_MAXNAMELEN);
441 code = pr_NameToId(&lnames, &lids);
444 /* if here, still could be missing an entry */
445 if (lids.idlist_val[0] == ANONYMOUSID
446 || lids.idlist_val[1] == ANONYMOUSID) {
451 ubik_PR_AddToGroup(pruclient, 0, lids.idlist_val[0],
454 if (lnames.namelist_val)
455 free(lnames.namelist_val);
457 xdr_free((xdrproc_t) xdr_idlist, &lids);
462 pr_RemoveUserFromGroup(char *user, char *group)
468 lnames.namelist_len = 2;
469 lnames.namelist_val = malloc(2 * PR_MAXNAMELEN);
470 strncpy(lnames.namelist_val[0], user, PR_MAXNAMELEN);
471 strncpy(lnames.namelist_val[1], group, PR_MAXNAMELEN);
474 code = pr_NameToId(&lnames, &lids);
478 if (lids.idlist_val[0] == ANONYMOUSID
479 || lids.idlist_val[1] == ANONYMOUSID) {
484 ubik_PR_RemoveFromGroup(pruclient, 0, lids.idlist_val[0],
487 if (lnames.namelist_val)
488 free(lnames.namelist_val);
490 xdr_free((xdrproc_t) xdr_idlist, &lids);
496 pr_NameToId(namelist *names, idlist *ids)
501 for (i = 0; i < names->namelist_len; i++)
502 stolower(names->namelist_val[i]);
503 code = ubik_PR_NameToID(pruclient, 0, names, ids);
508 pr_SNameToId(char name[PR_MAXNAMELEN], afs_int32 *id)
516 lnames.namelist_len = 1;
517 lnames.namelist_val = malloc(PR_MAXNAMELEN);
519 strncpy(lnames.namelist_val[0], name, PR_MAXNAMELEN);
520 code = ubik_PR_NameToID(pruclient, 0, &lnames, &lids);
521 if (lids.idlist_val) {
522 *id = *lids.idlist_val;
523 xdr_free((xdrproc_t) xdr_idlist, &lids);
525 if (lnames.namelist_val)
526 free(lnames.namelist_val);
531 pr_IdToName(idlist *ids, namelist *names)
535 code = ubik_PR_IDToName(pruclient, 0, ids, names);
540 pr_SIdToName(afs_int32 id, char name[PR_MAXNAMELEN])
547 lids.idlist_val = malloc(sizeof(afs_int32));
548 *lids.idlist_val = id;
549 lnames.namelist_len = 0;
550 lnames.namelist_val = 0;
551 code = ubik_PR_IDToName(pruclient, 0, &lids, &lnames);
553 if (lnames.namelist_val)
554 strncpy(name, lnames.namelist_val[0], PR_MAXNAMELEN);
557 free(lids.idlist_val);
559 xdr_free((xdrproc_t) xdr_namelist, &lnames);
565 pr_GetCPS(afs_int32 id, prlist *CPS)
571 code = ubik_PR_GetCPS(pruclient, 0, id, CPS, &over);
572 if (code != PRSUCCESS)
575 /* do something about this, probably make a new call */
576 /* don't forget there's a hard limit in the interface */
577 fprintf(stderr, "membership list for id %d exceeds display limit\n",
584 pr_GetCPS2(afs_int32 id, afs_uint32 host, prlist *CPS)
590 code = ubik_PR_GetCPS2(pruclient, 0, id, host, CPS, &over);
591 if (code != PRSUCCESS)
594 /* do something about this, probably make a new call */
595 /* don't forget there's a hard limit in the interface */
596 fprintf(stderr, "membership list for id %d exceeds display limit\n",
603 pr_GetHostCPS(afs_uint32 host, prlist *CPS)
609 code = ubik_PR_GetHostCPS(pruclient, 0, host, CPS, &over);
610 if (code != PRSUCCESS)
613 /* do something about this, probably make a new call */
614 /* don't forget there's a hard limit in the interface */
616 "membership list for host id %d exceeds display limit\n",
623 pr_ListMembers(char *group, namelist *lnames)
628 code = pr_SNameToId(group, &gid);
631 if (gid == ANONYMOUSID)
633 code = pr_IDListMembers(gid, lnames);
638 pr_ListOwned(afs_int32 oid, namelist *lnames, afs_int32 *moreP)
644 alist.prlist_len = 0;
645 alist.prlist_val = 0;
646 code = ubik_PR_ListOwned(pruclient, 0, oid, &alist, moreP);
650 /* Remain backwards compatible when moreP was a T/F bit */
651 fprintf(stderr, "membership list for id %d exceeds display limit\n",
655 lids = (idlist *) &alist;
656 code = pr_IdToName(lids, lnames);
658 xdr_free((xdrproc_t) xdr_prlist, &alist);
667 pr_IDListMembers(afs_int32 gid, namelist *lnames)
674 alist.prlist_len = 0;
675 alist.prlist_val = 0;
676 code = ubik_PR_ListElements(pruclient, 0, gid, &alist, &over);
680 fprintf(stderr, "membership list for id %d exceeds display limit\n",
683 lids = (idlist *) &alist;
684 code = pr_IdToName(lids, lnames);
686 xdr_free((xdrproc_t) xdr_prlist, &alist);
694 pr_IDListExpandedMembers(afs_int32 aid, namelist * lnames)
701 struct idhash *members = NULL;
702 afs_int32 *stack = NULL;
703 afs_int32 maxstack = ID_STACK_SIZE;
704 int n = 0; /* number of ids stacked */
708 code = AllocateIdHash(&members);
712 stack = (afs_int32 *) malloc(sizeof(afs_int32) * maxstack);
720 gid = stack[--n]; /* pop next group id */
721 alist.prlist_len = 0;
722 alist.prlist_val = NULL;
723 if (firstpass || aid < 0) {
725 code = ubik_PR_ListElements(pruclient, 0, gid, &alist, &over);
727 code = ubik_PR_ListSuperGroups(pruclient, 0, gid, &alist, &over);
728 if (code == RXGEN_OPCODE) {
729 alist.prlist_len = 0;
730 alist.prlist_val = NULL;
731 code = 0; /* server does not support supergroups. */
738 "membership list for id %d exceeds display limit\n", gid);
740 for (i = 0; i < alist.prlist_len; i++) {
744 id = alist.prlist_val[i];
745 found = FindId(members, id);
748 xdr_free((xdrproc_t) xdr_prlist, &alist);
751 if (found == 0 && id < 0) {
752 if (n == maxstack) { /* need more stack space */
756 (afs_int32 *) realloc(stack,
757 maxstack * sizeof(afs_int32));
760 xdr_free((xdrproc_t) xdr_prlist, &alist);
765 stack[n++] = id; /* push group id */
768 xdr_free((xdrproc_t) xdr_prlist, &alist);
771 code = CreateIdList(members, &lids, (aid < 0 ? PRUSERS : PRGROUPS));
775 code = pr_IdToName(&lids, lnames);
777 free(lids.idlist_val);
788 pr_ListEntry(afs_int32 id, struct prcheckentry *aentry)
792 code = ubik_PR_ListEntry(pruclient, 0, id, aentry);
797 pr_ListEntries(int flag, afs_int32 startindex, afs_int32 *nentries, struct prlistentries **entries, afs_int32 *nextstartindex)
800 prentries bulkentries;
804 *nextstartindex = -1;
805 bulkentries.prentries_val = 0;
806 bulkentries.prentries_len = 0;
809 ubik_PR_ListEntries(pruclient, 0, flag, startindex,
810 &bulkentries, nextstartindex);
811 *nentries = bulkentries.prentries_len;
812 *entries = bulkentries.prentries_val;
817 pr_CheckEntryByName(char *name, afs_int32 *id, char *owner, char *creator)
819 /* struct prcheckentry returns other things, which aren't useful to show at this time. */
821 struct prcheckentry aentry;
823 code = pr_SNameToId(name, id);
826 if (*id == ANONYMOUSID)
828 code = ubik_PR_ListEntry(pruclient, 0, *id, &aentry);
831 /* this should be done in one RPC, but I'm lazy. */
832 code = pr_SIdToName(aentry.owner, owner);
835 code = pr_SIdToName(aentry.creator, creator);
842 pr_CheckEntryById(char *name, afs_int32 id, char *owner, char *creator)
844 /* struct prcheckentry returns other things, which aren't useful to show at this time. */
846 struct prcheckentry aentry;
848 code = pr_SIdToName(id, name);
851 if (id == ANONYMOUSID)
853 code = ubik_PR_ListEntry(pruclient, 0, id, &aentry);
856 /* this should be done in one RPC, but I'm lazy. */
857 code = pr_SIdToName(aentry.owner, owner);
860 code = pr_SIdToName(aentry.creator, creator);
867 pr_ChangeEntry(char *oldname, char *newname, afs_int32 *newid, char *newowner)
873 code = pr_SNameToId(oldname, &id);
876 if (id == ANONYMOUSID)
878 if (newowner && *newowner) {
879 code = pr_SNameToId(newowner, &oid);
882 if (oid == ANONYMOUSID)
886 code = ubik_PR_ChangeEntry(pruclient, 0, id, newname, oid, *newid);
888 code = ubik_PR_ChangeEntry(pruclient, 0, id, newname, oid, 0);
893 pr_IsAMemberOf(char *uname, char *gname, afs_int32 *flag)
901 lnames.namelist_len = 2;
902 lnames.namelist_val = malloc(2 * PR_MAXNAMELEN);
903 strncpy(lnames.namelist_val[0], uname, PR_MAXNAMELEN);
904 strncpy(lnames.namelist_val[1], gname, PR_MAXNAMELEN);
907 code = pr_NameToId(&lnames, &lids);
909 if (lnames.namelist_val)
910 free(lnames.namelist_val);
911 xdr_free((xdrproc_t) xdr_idlist, &lids);
915 ubik_PR_IsAMemberOf(pruclient, 0, lids.idlist_val[0],
916 lids.idlist_val[1], flag);
917 if (lnames.namelist_val)
918 free(lnames.namelist_val);
919 xdr_free((xdrproc_t) xdr_idlist, &lids);
924 pr_ListMaxUserId(afs_int32 *mid)
928 code = ubik_PR_ListMax(pruclient, 0, mid, &gid);
933 pr_SetMaxUserId(afs_int32 mid)
937 code = ubik_PR_SetMax(pruclient, 0, mid, flag);
942 pr_ListMaxGroupId(afs_int32 *mid)
946 code = ubik_PR_ListMax(pruclient, 0, &id, mid);
951 pr_SetMaxGroupId(afs_int32 mid)
957 code = ubik_PR_SetMax(pruclient, 0, mid, flag);
962 pr_SetFieldsEntry(afs_int32 id, afs_int32 mask, afs_int32 flags, afs_int32 ngroups, afs_int32 nusers)
967 ubik_PR_SetFieldsEntry(pruclient, 0, id, mask, flags, ngroups,
973 pr_ListSuperGroups(afs_int32 gid, namelist * lnames)
980 alist.prlist_len = 0;
981 alist.prlist_val = 0;
982 code = ubik_PR_ListSuperGroups(pruclient, 0, gid, &alist, &over);
986 fprintf(stderr, "supergroup list for id %d exceeds display limit\n",
989 lids = (idlist *) & alist;
990 code = pr_IdToName(lids, lnames);
992 xdr_free((xdrproc_t) xdr_prlist, &alist);