1*5e7646d2SAndroid Build Coastguard Worker /*
2*5e7646d2SAndroid Build Coastguard Worker * Authorization routines for the CUPS scheduler.
3*5e7646d2SAndroid Build Coastguard Worker *
4*5e7646d2SAndroid Build Coastguard Worker * Copyright © 2007-2019 by Apple Inc.
5*5e7646d2SAndroid Build Coastguard Worker * Copyright © 1997-2007 by Easy Software Products, all rights reserved.
6*5e7646d2SAndroid Build Coastguard Worker *
7*5e7646d2SAndroid Build Coastguard Worker * This file contains Kerberos support code, copyright 2006 by
8*5e7646d2SAndroid Build Coastguard Worker * Jelmer Vernooij.
9*5e7646d2SAndroid Build Coastguard Worker *
10*5e7646d2SAndroid Build Coastguard Worker * Licensed under Apache License v2.0. See the file "LICENSE" for more
11*5e7646d2SAndroid Build Coastguard Worker * information.
12*5e7646d2SAndroid Build Coastguard Worker */
13*5e7646d2SAndroid Build Coastguard Worker
14*5e7646d2SAndroid Build Coastguard Worker /*
15*5e7646d2SAndroid Build Coastguard Worker * Include necessary headers...
16*5e7646d2SAndroid Build Coastguard Worker */
17*5e7646d2SAndroid Build Coastguard Worker
18*5e7646d2SAndroid Build Coastguard Worker #include "cupsd.h"
19*5e7646d2SAndroid Build Coastguard Worker #include <grp.h>
20*5e7646d2SAndroid Build Coastguard Worker #ifdef HAVE_SHADOW_H
21*5e7646d2SAndroid Build Coastguard Worker # include <shadow.h>
22*5e7646d2SAndroid Build Coastguard Worker #endif /* HAVE_SHADOW_H */
23*5e7646d2SAndroid Build Coastguard Worker #ifdef HAVE_CRYPT_H
24*5e7646d2SAndroid Build Coastguard Worker # include <crypt.h>
25*5e7646d2SAndroid Build Coastguard Worker #endif /* HAVE_CRYPT_H */
26*5e7646d2SAndroid Build Coastguard Worker #if HAVE_LIBPAM
27*5e7646d2SAndroid Build Coastguard Worker # ifdef HAVE_PAM_PAM_APPL_H
28*5e7646d2SAndroid Build Coastguard Worker # include <pam/pam_appl.h>
29*5e7646d2SAndroid Build Coastguard Worker # else
30*5e7646d2SAndroid Build Coastguard Worker # include <security/pam_appl.h>
31*5e7646d2SAndroid Build Coastguard Worker # endif /* HAVE_PAM_PAM_APPL_H */
32*5e7646d2SAndroid Build Coastguard Worker #endif /* HAVE_LIBPAM */
33*5e7646d2SAndroid Build Coastguard Worker #ifdef HAVE_MEMBERSHIP_H
34*5e7646d2SAndroid Build Coastguard Worker # include <membership.h>
35*5e7646d2SAndroid Build Coastguard Worker #endif /* HAVE_MEMBERSHIP_H */
36*5e7646d2SAndroid Build Coastguard Worker #ifdef HAVE_AUTHORIZATION_H
37*5e7646d2SAndroid Build Coastguard Worker # include <Security/AuthorizationTags.h>
38*5e7646d2SAndroid Build Coastguard Worker #endif /* HAVE_AUTHORIZATION_H */
39*5e7646d2SAndroid Build Coastguard Worker #ifdef HAVE_SYS_PARAM_H
40*5e7646d2SAndroid Build Coastguard Worker # include <sys/param.h>
41*5e7646d2SAndroid Build Coastguard Worker #endif /* HAVE_SYS_PARAM_H */
42*5e7646d2SAndroid Build Coastguard Worker #ifdef HAVE_SYS_UCRED_H
43*5e7646d2SAndroid Build Coastguard Worker # include <sys/ucred.h>
44*5e7646d2SAndroid Build Coastguard Worker typedef struct xucred cupsd_ucred_t;
45*5e7646d2SAndroid Build Coastguard Worker # define CUPSD_UCRED_UID(c) (c).cr_uid
46*5e7646d2SAndroid Build Coastguard Worker #else
47*5e7646d2SAndroid Build Coastguard Worker # ifndef __OpenBSD__
48*5e7646d2SAndroid Build Coastguard Worker typedef struct ucred cupsd_ucred_t;
49*5e7646d2SAndroid Build Coastguard Worker # else
50*5e7646d2SAndroid Build Coastguard Worker typedef struct sockpeercred cupsd_ucred_t;
51*5e7646d2SAndroid Build Coastguard Worker # endif
52*5e7646d2SAndroid Build Coastguard Worker # define CUPSD_UCRED_UID(c) (c).uid
53*5e7646d2SAndroid Build Coastguard Worker #endif /* HAVE_SYS_UCRED_H */
54*5e7646d2SAndroid Build Coastguard Worker
55*5e7646d2SAndroid Build Coastguard Worker
56*5e7646d2SAndroid Build Coastguard Worker /*
57*5e7646d2SAndroid Build Coastguard Worker * Local functions...
58*5e7646d2SAndroid Build Coastguard Worker */
59*5e7646d2SAndroid Build Coastguard Worker
60*5e7646d2SAndroid Build Coastguard Worker #ifdef HAVE_AUTHORIZATION_H
61*5e7646d2SAndroid Build Coastguard Worker static int check_authref(cupsd_client_t *con, const char *right);
62*5e7646d2SAndroid Build Coastguard Worker #endif /* HAVE_AUTHORIZATION_H */
63*5e7646d2SAndroid Build Coastguard Worker static int compare_locations(cupsd_location_t *a,
64*5e7646d2SAndroid Build Coastguard Worker cupsd_location_t *b);
65*5e7646d2SAndroid Build Coastguard Worker static cupsd_authmask_t *copy_authmask(cupsd_authmask_t *am, void *data);
66*5e7646d2SAndroid Build Coastguard Worker static void free_authmask(cupsd_authmask_t *am, void *data);
67*5e7646d2SAndroid Build Coastguard Worker #if HAVE_LIBPAM
68*5e7646d2SAndroid Build Coastguard Worker static int pam_func(int, const struct pam_message **,
69*5e7646d2SAndroid Build Coastguard Worker struct pam_response **, void *);
70*5e7646d2SAndroid Build Coastguard Worker #endif /* HAVE_LIBPAM */
71*5e7646d2SAndroid Build Coastguard Worker
72*5e7646d2SAndroid Build Coastguard Worker
73*5e7646d2SAndroid Build Coastguard Worker /*
74*5e7646d2SAndroid Build Coastguard Worker * Local structures...
75*5e7646d2SAndroid Build Coastguard Worker */
76*5e7646d2SAndroid Build Coastguard Worker
77*5e7646d2SAndroid Build Coastguard Worker #if HAVE_LIBPAM
78*5e7646d2SAndroid Build Coastguard Worker typedef struct cupsd_authdata_s /**** Authentication data ****/
79*5e7646d2SAndroid Build Coastguard Worker {
80*5e7646d2SAndroid Build Coastguard Worker char username[HTTP_MAX_VALUE], /* Username string */
81*5e7646d2SAndroid Build Coastguard Worker password[HTTP_MAX_VALUE]; /* Password string */
82*5e7646d2SAndroid Build Coastguard Worker } cupsd_authdata_t;
83*5e7646d2SAndroid Build Coastguard Worker #endif /* HAVE_LIBPAM */
84*5e7646d2SAndroid Build Coastguard Worker
85*5e7646d2SAndroid Build Coastguard Worker
86*5e7646d2SAndroid Build Coastguard Worker /*
87*5e7646d2SAndroid Build Coastguard Worker * 'cupsdAddIPMask()' - Add an IP address authorization mask.
88*5e7646d2SAndroid Build Coastguard Worker */
89*5e7646d2SAndroid Build Coastguard Worker
90*5e7646d2SAndroid Build Coastguard Worker int /* O - 1 on success, 0 on failure */
cupsdAddIPMask(cups_array_t ** masks,const unsigned address[4],const unsigned netmask[4])91*5e7646d2SAndroid Build Coastguard Worker cupsdAddIPMask(
92*5e7646d2SAndroid Build Coastguard Worker cups_array_t **masks, /* IO - Masks array (created as needed) */
93*5e7646d2SAndroid Build Coastguard Worker const unsigned address[4], /* I - IP address */
94*5e7646d2SAndroid Build Coastguard Worker const unsigned netmask[4]) /* I - IP netmask */
95*5e7646d2SAndroid Build Coastguard Worker {
96*5e7646d2SAndroid Build Coastguard Worker cupsd_authmask_t temp; /* New host/domain mask */
97*5e7646d2SAndroid Build Coastguard Worker
98*5e7646d2SAndroid Build Coastguard Worker
99*5e7646d2SAndroid Build Coastguard Worker cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdAddIPMask(masks=%p(%p), address=%x:%x:%x:%x, netmask=%x:%x:%x:%x)", masks, *masks, address[0], address[1], address[2], address[3], netmask[0], netmask[1], netmask[2], netmask[3]);
100*5e7646d2SAndroid Build Coastguard Worker
101*5e7646d2SAndroid Build Coastguard Worker temp.type = CUPSD_AUTH_IP;
102*5e7646d2SAndroid Build Coastguard Worker memcpy(temp.mask.ip.address, address, sizeof(temp.mask.ip.address));
103*5e7646d2SAndroid Build Coastguard Worker memcpy(temp.mask.ip.netmask, netmask, sizeof(temp.mask.ip.netmask));
104*5e7646d2SAndroid Build Coastguard Worker
105*5e7646d2SAndroid Build Coastguard Worker /*
106*5e7646d2SAndroid Build Coastguard Worker * Create the masks array as needed and add...
107*5e7646d2SAndroid Build Coastguard Worker */
108*5e7646d2SAndroid Build Coastguard Worker
109*5e7646d2SAndroid Build Coastguard Worker if (!*masks)
110*5e7646d2SAndroid Build Coastguard Worker *masks = cupsArrayNew3(NULL, NULL, NULL, 0,
111*5e7646d2SAndroid Build Coastguard Worker (cups_acopy_func_t)copy_authmask,
112*5e7646d2SAndroid Build Coastguard Worker (cups_afree_func_t)free_authmask);
113*5e7646d2SAndroid Build Coastguard Worker
114*5e7646d2SAndroid Build Coastguard Worker return (cupsArrayAdd(*masks, &temp));
115*5e7646d2SAndroid Build Coastguard Worker }
116*5e7646d2SAndroid Build Coastguard Worker
117*5e7646d2SAndroid Build Coastguard Worker
118*5e7646d2SAndroid Build Coastguard Worker /*
119*5e7646d2SAndroid Build Coastguard Worker * 'cupsdAddLocation()' - Add a location for authorization.
120*5e7646d2SAndroid Build Coastguard Worker */
121*5e7646d2SAndroid Build Coastguard Worker
122*5e7646d2SAndroid Build Coastguard Worker void
cupsdAddLocation(cupsd_location_t * loc)123*5e7646d2SAndroid Build Coastguard Worker cupsdAddLocation(cupsd_location_t *loc) /* I - Location to add */
124*5e7646d2SAndroid Build Coastguard Worker {
125*5e7646d2SAndroid Build Coastguard Worker /*
126*5e7646d2SAndroid Build Coastguard Worker * Make sure the locations array is created...
127*5e7646d2SAndroid Build Coastguard Worker */
128*5e7646d2SAndroid Build Coastguard Worker
129*5e7646d2SAndroid Build Coastguard Worker if (!Locations)
130*5e7646d2SAndroid Build Coastguard Worker Locations = cupsArrayNew3((cups_array_func_t)compare_locations, NULL,
131*5e7646d2SAndroid Build Coastguard Worker (cups_ahash_func_t)NULL, 0,
132*5e7646d2SAndroid Build Coastguard Worker (cups_acopy_func_t)NULL,
133*5e7646d2SAndroid Build Coastguard Worker (cups_afree_func_t)cupsdFreeLocation);
134*5e7646d2SAndroid Build Coastguard Worker
135*5e7646d2SAndroid Build Coastguard Worker if (Locations)
136*5e7646d2SAndroid Build Coastguard Worker {
137*5e7646d2SAndroid Build Coastguard Worker cupsArrayAdd(Locations, loc);
138*5e7646d2SAndroid Build Coastguard Worker
139*5e7646d2SAndroid Build Coastguard Worker cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdAddLocation: Added location \"%s\"", loc->location ? loc->location : "(null)");
140*5e7646d2SAndroid Build Coastguard Worker }
141*5e7646d2SAndroid Build Coastguard Worker }
142*5e7646d2SAndroid Build Coastguard Worker
143*5e7646d2SAndroid Build Coastguard Worker
144*5e7646d2SAndroid Build Coastguard Worker /*
145*5e7646d2SAndroid Build Coastguard Worker * 'cupsdAddName()' - Add a name to a location...
146*5e7646d2SAndroid Build Coastguard Worker */
147*5e7646d2SAndroid Build Coastguard Worker
148*5e7646d2SAndroid Build Coastguard Worker void
cupsdAddName(cupsd_location_t * loc,char * name)149*5e7646d2SAndroid Build Coastguard Worker cupsdAddName(cupsd_location_t *loc, /* I - Location to add to */
150*5e7646d2SAndroid Build Coastguard Worker char *name) /* I - Name to add */
151*5e7646d2SAndroid Build Coastguard Worker {
152*5e7646d2SAndroid Build Coastguard Worker cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdAddName(loc=%p, name=\"%s\")", loc, name);
153*5e7646d2SAndroid Build Coastguard Worker
154*5e7646d2SAndroid Build Coastguard Worker if (!loc->names)
155*5e7646d2SAndroid Build Coastguard Worker loc->names = cupsArrayNew3(NULL, NULL, NULL, 0,
156*5e7646d2SAndroid Build Coastguard Worker (cups_acopy_func_t)_cupsStrAlloc,
157*5e7646d2SAndroid Build Coastguard Worker (cups_afree_func_t)_cupsStrFree);
158*5e7646d2SAndroid Build Coastguard Worker
159*5e7646d2SAndroid Build Coastguard Worker if (!cupsArrayAdd(loc->names, name))
160*5e7646d2SAndroid Build Coastguard Worker {
161*5e7646d2SAndroid Build Coastguard Worker cupsdLogMessage(CUPSD_LOG_ERROR,
162*5e7646d2SAndroid Build Coastguard Worker "Unable to duplicate name for location %s: %s",
163*5e7646d2SAndroid Build Coastguard Worker loc->location ? loc->location : "nil", strerror(errno));
164*5e7646d2SAndroid Build Coastguard Worker return;
165*5e7646d2SAndroid Build Coastguard Worker }
166*5e7646d2SAndroid Build Coastguard Worker }
167*5e7646d2SAndroid Build Coastguard Worker
168*5e7646d2SAndroid Build Coastguard Worker
169*5e7646d2SAndroid Build Coastguard Worker /*
170*5e7646d2SAndroid Build Coastguard Worker * 'cupsdAddNameMask()' - Add a host or interface name authorization mask.
171*5e7646d2SAndroid Build Coastguard Worker */
172*5e7646d2SAndroid Build Coastguard Worker
173*5e7646d2SAndroid Build Coastguard Worker int /* O - 1 on success, 0 on failure */
cupsdAddNameMask(cups_array_t ** masks,char * name)174*5e7646d2SAndroid Build Coastguard Worker cupsdAddNameMask(cups_array_t **masks, /* IO - Masks array (created as needed) */
175*5e7646d2SAndroid Build Coastguard Worker char *name) /* I - Host or interface name */
176*5e7646d2SAndroid Build Coastguard Worker {
177*5e7646d2SAndroid Build Coastguard Worker cupsd_authmask_t temp; /* New host/domain mask */
178*5e7646d2SAndroid Build Coastguard Worker char ifname[32], /* Interface name */
179*5e7646d2SAndroid Build Coastguard Worker *ifptr; /* Pointer to end of name */
180*5e7646d2SAndroid Build Coastguard Worker
181*5e7646d2SAndroid Build Coastguard Worker
182*5e7646d2SAndroid Build Coastguard Worker cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdAddNameMask(masks=%p(%p), name=\"%s\")", masks, *masks, name);
183*5e7646d2SAndroid Build Coastguard Worker
184*5e7646d2SAndroid Build Coastguard Worker if (!_cups_strcasecmp(name, "@LOCAL"))
185*5e7646d2SAndroid Build Coastguard Worker {
186*5e7646d2SAndroid Build Coastguard Worker /*
187*5e7646d2SAndroid Build Coastguard Worker * Deny *interface*...
188*5e7646d2SAndroid Build Coastguard Worker */
189*5e7646d2SAndroid Build Coastguard Worker
190*5e7646d2SAndroid Build Coastguard Worker temp.type = CUPSD_AUTH_INTERFACE;
191*5e7646d2SAndroid Build Coastguard Worker temp.mask.name.name = (char *)"*";
192*5e7646d2SAndroid Build Coastguard Worker }
193*5e7646d2SAndroid Build Coastguard Worker else if (!_cups_strncasecmp(name, "@IF(", 4))
194*5e7646d2SAndroid Build Coastguard Worker {
195*5e7646d2SAndroid Build Coastguard Worker /*
196*5e7646d2SAndroid Build Coastguard Worker * Deny *interface*...
197*5e7646d2SAndroid Build Coastguard Worker */
198*5e7646d2SAndroid Build Coastguard Worker
199*5e7646d2SAndroid Build Coastguard Worker strlcpy(ifname, name + 4, sizeof(ifname));
200*5e7646d2SAndroid Build Coastguard Worker
201*5e7646d2SAndroid Build Coastguard Worker ifptr = ifname + strlen(ifname) - 1;
202*5e7646d2SAndroid Build Coastguard Worker
203*5e7646d2SAndroid Build Coastguard Worker if (ifptr >= ifname && *ifptr == ')')
204*5e7646d2SAndroid Build Coastguard Worker {
205*5e7646d2SAndroid Build Coastguard Worker *ifptr = '\0';
206*5e7646d2SAndroid Build Coastguard Worker }
207*5e7646d2SAndroid Build Coastguard Worker
208*5e7646d2SAndroid Build Coastguard Worker temp.type = CUPSD_AUTH_INTERFACE;
209*5e7646d2SAndroid Build Coastguard Worker temp.mask.name.name = ifname;
210*5e7646d2SAndroid Build Coastguard Worker }
211*5e7646d2SAndroid Build Coastguard Worker else
212*5e7646d2SAndroid Build Coastguard Worker {
213*5e7646d2SAndroid Build Coastguard Worker /*
214*5e7646d2SAndroid Build Coastguard Worker * Deny name...
215*5e7646d2SAndroid Build Coastguard Worker */
216*5e7646d2SAndroid Build Coastguard Worker
217*5e7646d2SAndroid Build Coastguard Worker if (*name == '*')
218*5e7646d2SAndroid Build Coastguard Worker name ++;
219*5e7646d2SAndroid Build Coastguard Worker
220*5e7646d2SAndroid Build Coastguard Worker temp.type = CUPSD_AUTH_NAME;
221*5e7646d2SAndroid Build Coastguard Worker temp.mask.name.name = (char *)name;
222*5e7646d2SAndroid Build Coastguard Worker }
223*5e7646d2SAndroid Build Coastguard Worker
224*5e7646d2SAndroid Build Coastguard Worker /*
225*5e7646d2SAndroid Build Coastguard Worker * Set the name length...
226*5e7646d2SAndroid Build Coastguard Worker */
227*5e7646d2SAndroid Build Coastguard Worker
228*5e7646d2SAndroid Build Coastguard Worker temp.mask.name.length = strlen(temp.mask.name.name);
229*5e7646d2SAndroid Build Coastguard Worker
230*5e7646d2SAndroid Build Coastguard Worker /*
231*5e7646d2SAndroid Build Coastguard Worker * Create the masks array as needed and add...
232*5e7646d2SAndroid Build Coastguard Worker */
233*5e7646d2SAndroid Build Coastguard Worker
234*5e7646d2SAndroid Build Coastguard Worker if (!*masks)
235*5e7646d2SAndroid Build Coastguard Worker *masks = cupsArrayNew3(NULL, NULL, NULL, 0,
236*5e7646d2SAndroid Build Coastguard Worker (cups_acopy_func_t)copy_authmask,
237*5e7646d2SAndroid Build Coastguard Worker (cups_afree_func_t)free_authmask);
238*5e7646d2SAndroid Build Coastguard Worker
239*5e7646d2SAndroid Build Coastguard Worker return (cupsArrayAdd(*masks, &temp));
240*5e7646d2SAndroid Build Coastguard Worker }
241*5e7646d2SAndroid Build Coastguard Worker
242*5e7646d2SAndroid Build Coastguard Worker
243*5e7646d2SAndroid Build Coastguard Worker /*
244*5e7646d2SAndroid Build Coastguard Worker * 'cupsdAuthorize()' - Validate any authorization credentials.
245*5e7646d2SAndroid Build Coastguard Worker */
246*5e7646d2SAndroid Build Coastguard Worker
247*5e7646d2SAndroid Build Coastguard Worker void
cupsdAuthorize(cupsd_client_t * con)248*5e7646d2SAndroid Build Coastguard Worker cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */
249*5e7646d2SAndroid Build Coastguard Worker {
250*5e7646d2SAndroid Build Coastguard Worker int type; /* Authentication type */
251*5e7646d2SAndroid Build Coastguard Worker const char *authorization; /* Pointer into Authorization string */
252*5e7646d2SAndroid Build Coastguard Worker char *ptr, /* Pointer into string */
253*5e7646d2SAndroid Build Coastguard Worker username[HTTP_MAX_VALUE],
254*5e7646d2SAndroid Build Coastguard Worker /* Username string */
255*5e7646d2SAndroid Build Coastguard Worker password[HTTP_MAX_VALUE];
256*5e7646d2SAndroid Build Coastguard Worker /* Password string */
257*5e7646d2SAndroid Build Coastguard Worker cupsd_cert_t *localuser; /* Certificate username */
258*5e7646d2SAndroid Build Coastguard Worker
259*5e7646d2SAndroid Build Coastguard Worker
260*5e7646d2SAndroid Build Coastguard Worker /*
261*5e7646d2SAndroid Build Coastguard Worker * Locate the best matching location so we know what kind of
262*5e7646d2SAndroid Build Coastguard Worker * authentication to expect...
263*5e7646d2SAndroid Build Coastguard Worker */
264*5e7646d2SAndroid Build Coastguard Worker
265*5e7646d2SAndroid Build Coastguard Worker con->best = cupsdFindBest(con->uri, httpGetState(con->http));
266*5e7646d2SAndroid Build Coastguard Worker con->type = CUPSD_AUTH_NONE;
267*5e7646d2SAndroid Build Coastguard Worker
268*5e7646d2SAndroid Build Coastguard Worker cupsdLogClient(con, CUPSD_LOG_DEBUG2, "con->uri=\"%s\", con->best=%p(%s)", con->uri, con->best, con->best ? con->best->location : "");
269*5e7646d2SAndroid Build Coastguard Worker
270*5e7646d2SAndroid Build Coastguard Worker if (con->best && con->best->type != CUPSD_AUTH_NONE)
271*5e7646d2SAndroid Build Coastguard Worker {
272*5e7646d2SAndroid Build Coastguard Worker if (con->best->type == CUPSD_AUTH_DEFAULT)
273*5e7646d2SAndroid Build Coastguard Worker type = cupsdDefaultAuthType();
274*5e7646d2SAndroid Build Coastguard Worker else
275*5e7646d2SAndroid Build Coastguard Worker type = con->best->type;
276*5e7646d2SAndroid Build Coastguard Worker }
277*5e7646d2SAndroid Build Coastguard Worker else
278*5e7646d2SAndroid Build Coastguard Worker type = cupsdDefaultAuthType();
279*5e7646d2SAndroid Build Coastguard Worker
280*5e7646d2SAndroid Build Coastguard Worker /*
281*5e7646d2SAndroid Build Coastguard Worker * Decode the Authorization string...
282*5e7646d2SAndroid Build Coastguard Worker */
283*5e7646d2SAndroid Build Coastguard Worker
284*5e7646d2SAndroid Build Coastguard Worker authorization = httpGetField(con->http, HTTP_FIELD_AUTHORIZATION);
285*5e7646d2SAndroid Build Coastguard Worker
286*5e7646d2SAndroid Build Coastguard Worker username[0] = '\0';
287*5e7646d2SAndroid Build Coastguard Worker password[0] = '\0';
288*5e7646d2SAndroid Build Coastguard Worker
289*5e7646d2SAndroid Build Coastguard Worker #ifdef HAVE_GSSAPI
290*5e7646d2SAndroid Build Coastguard Worker con->gss_uid = 0;
291*5e7646d2SAndroid Build Coastguard Worker #endif /* HAVE_GSSAPI */
292*5e7646d2SAndroid Build Coastguard Worker
293*5e7646d2SAndroid Build Coastguard Worker #ifdef HAVE_AUTHORIZATION_H
294*5e7646d2SAndroid Build Coastguard Worker if (con->authref)
295*5e7646d2SAndroid Build Coastguard Worker {
296*5e7646d2SAndroid Build Coastguard Worker AuthorizationFree(con->authref, kAuthorizationFlagDefaults);
297*5e7646d2SAndroid Build Coastguard Worker con->authref = NULL;
298*5e7646d2SAndroid Build Coastguard Worker }
299*5e7646d2SAndroid Build Coastguard Worker #endif /* HAVE_AUTHORIZATION_H */
300*5e7646d2SAndroid Build Coastguard Worker
301*5e7646d2SAndroid Build Coastguard Worker if (!*authorization)
302*5e7646d2SAndroid Build Coastguard Worker {
303*5e7646d2SAndroid Build Coastguard Worker /*
304*5e7646d2SAndroid Build Coastguard Worker * No authorization data provided, return early...
305*5e7646d2SAndroid Build Coastguard Worker */
306*5e7646d2SAndroid Build Coastguard Worker
307*5e7646d2SAndroid Build Coastguard Worker cupsdLogClient(con, CUPSD_LOG_DEBUG, "No authentication data provided.");
308*5e7646d2SAndroid Build Coastguard Worker return;
309*5e7646d2SAndroid Build Coastguard Worker }
310*5e7646d2SAndroid Build Coastguard Worker #ifdef HAVE_AUTHORIZATION_H
311*5e7646d2SAndroid Build Coastguard Worker else if (!strncmp(authorization, "AuthRef ", 8) &&
312*5e7646d2SAndroid Build Coastguard Worker httpAddrLocalhost(httpGetAddress(con->http)))
313*5e7646d2SAndroid Build Coastguard Worker {
314*5e7646d2SAndroid Build Coastguard Worker OSStatus status; /* Status */
315*5e7646d2SAndroid Build Coastguard Worker char authdata[HTTP_MAX_VALUE];
316*5e7646d2SAndroid Build Coastguard Worker /* Nonce value from client */
317*5e7646d2SAndroid Build Coastguard Worker int authlen; /* Auth string length */
318*5e7646d2SAndroid Build Coastguard Worker AuthorizationItemSet *authinfo; /* Authorization item set */
319*5e7646d2SAndroid Build Coastguard Worker
320*5e7646d2SAndroid Build Coastguard Worker /*
321*5e7646d2SAndroid Build Coastguard Worker * Get the Authorization Services data...
322*5e7646d2SAndroid Build Coastguard Worker */
323*5e7646d2SAndroid Build Coastguard Worker
324*5e7646d2SAndroid Build Coastguard Worker authorization += 8;
325*5e7646d2SAndroid Build Coastguard Worker while (isspace(*authorization & 255))
326*5e7646d2SAndroid Build Coastguard Worker authorization ++;
327*5e7646d2SAndroid Build Coastguard Worker
328*5e7646d2SAndroid Build Coastguard Worker authlen = sizeof(authdata);
329*5e7646d2SAndroid Build Coastguard Worker httpDecode64_2(authdata, &authlen, authorization);
330*5e7646d2SAndroid Build Coastguard Worker
331*5e7646d2SAndroid Build Coastguard Worker if (authlen != kAuthorizationExternalFormLength)
332*5e7646d2SAndroid Build Coastguard Worker {
333*5e7646d2SAndroid Build Coastguard Worker cupsdLogClient(con, CUPSD_LOG_ERROR, "External Authorization reference size is incorrect.");
334*5e7646d2SAndroid Build Coastguard Worker return;
335*5e7646d2SAndroid Build Coastguard Worker }
336*5e7646d2SAndroid Build Coastguard Worker
337*5e7646d2SAndroid Build Coastguard Worker if ((status = AuthorizationCreateFromExternalForm((AuthorizationExternalForm *)authdata, &con->authref)) != 0)
338*5e7646d2SAndroid Build Coastguard Worker {
339*5e7646d2SAndroid Build Coastguard Worker cupsdLogClient(con, CUPSD_LOG_ERROR, "AuthorizationCreateFromExternalForm returned %d", (int)status);
340*5e7646d2SAndroid Build Coastguard Worker return;
341*5e7646d2SAndroid Build Coastguard Worker }
342*5e7646d2SAndroid Build Coastguard Worker
343*5e7646d2SAndroid Build Coastguard Worker username[0] = '\0';
344*5e7646d2SAndroid Build Coastguard Worker
345*5e7646d2SAndroid Build Coastguard Worker if (!AuthorizationCopyInfo(con->authref, kAuthorizationEnvironmentUsername,
346*5e7646d2SAndroid Build Coastguard Worker &authinfo))
347*5e7646d2SAndroid Build Coastguard Worker {
348*5e7646d2SAndroid Build Coastguard Worker if (authinfo->count == 1 && authinfo->items[0].value &&
349*5e7646d2SAndroid Build Coastguard Worker authinfo->items[0].valueLength >= 2)
350*5e7646d2SAndroid Build Coastguard Worker {
351*5e7646d2SAndroid Build Coastguard Worker strlcpy(username, authinfo->items[0].value, sizeof(username));
352*5e7646d2SAndroid Build Coastguard Worker
353*5e7646d2SAndroid Build Coastguard Worker cupsdLogClient(con, CUPSD_LOG_DEBUG, "Authorized as \"%s\" using AuthRef.", username);
354*5e7646d2SAndroid Build Coastguard Worker }
355*5e7646d2SAndroid Build Coastguard Worker
356*5e7646d2SAndroid Build Coastguard Worker AuthorizationFreeItemSet(authinfo);
357*5e7646d2SAndroid Build Coastguard Worker }
358*5e7646d2SAndroid Build Coastguard Worker
359*5e7646d2SAndroid Build Coastguard Worker if (!username[0])
360*5e7646d2SAndroid Build Coastguard Worker {
361*5e7646d2SAndroid Build Coastguard Worker /*
362*5e7646d2SAndroid Build Coastguard Worker * No username in AuthRef, grab username using peer credentials...
363*5e7646d2SAndroid Build Coastguard Worker */
364*5e7646d2SAndroid Build Coastguard Worker
365*5e7646d2SAndroid Build Coastguard Worker struct passwd *pwd; /* Password entry for this user */
366*5e7646d2SAndroid Build Coastguard Worker cupsd_ucred_t peercred; /* Peer credentials */
367*5e7646d2SAndroid Build Coastguard Worker socklen_t peersize; /* Size of peer credentials */
368*5e7646d2SAndroid Build Coastguard Worker
369*5e7646d2SAndroid Build Coastguard Worker peersize = sizeof(peercred);
370*5e7646d2SAndroid Build Coastguard Worker
371*5e7646d2SAndroid Build Coastguard Worker if (getsockopt(httpGetFd(con->http), 0, LOCAL_PEERCRED, &peercred, &peersize))
372*5e7646d2SAndroid Build Coastguard Worker {
373*5e7646d2SAndroid Build Coastguard Worker cupsdLogClient(con, CUPSD_LOG_ERROR, "Unable to get peer credentials - %s", strerror(errno));
374*5e7646d2SAndroid Build Coastguard Worker return;
375*5e7646d2SAndroid Build Coastguard Worker }
376*5e7646d2SAndroid Build Coastguard Worker
377*5e7646d2SAndroid Build Coastguard Worker if ((pwd = getpwuid(CUPSD_UCRED_UID(peercred))) == NULL)
378*5e7646d2SAndroid Build Coastguard Worker {
379*5e7646d2SAndroid Build Coastguard Worker cupsdLogClient(con, CUPSD_LOG_ERROR, "Unable to find UID %d for peer credentials.", (int)CUPSD_UCRED_UID(peercred));
380*5e7646d2SAndroid Build Coastguard Worker return;
381*5e7646d2SAndroid Build Coastguard Worker }
382*5e7646d2SAndroid Build Coastguard Worker
383*5e7646d2SAndroid Build Coastguard Worker strlcpy(username, pwd->pw_name, sizeof(username));
384*5e7646d2SAndroid Build Coastguard Worker
385*5e7646d2SAndroid Build Coastguard Worker cupsdLogClient(con, CUPSD_LOG_DEBUG, "Authorized as \"%s\" using AuthRef + PeerCred.", username);
386*5e7646d2SAndroid Build Coastguard Worker }
387*5e7646d2SAndroid Build Coastguard Worker
388*5e7646d2SAndroid Build Coastguard Worker con->type = CUPSD_AUTH_BASIC;
389*5e7646d2SAndroid Build Coastguard Worker }
390*5e7646d2SAndroid Build Coastguard Worker #endif /* HAVE_AUTHORIZATION_H */
391*5e7646d2SAndroid Build Coastguard Worker #if defined(SO_PEERCRED) && defined(AF_LOCAL)
392*5e7646d2SAndroid Build Coastguard Worker else if (!strncmp(authorization, "PeerCred ", 9) &&
393*5e7646d2SAndroid Build Coastguard Worker con->http->hostaddr->addr.sa_family == AF_LOCAL && con->best)
394*5e7646d2SAndroid Build Coastguard Worker {
395*5e7646d2SAndroid Build Coastguard Worker /*
396*5e7646d2SAndroid Build Coastguard Worker * Use peer credentials from domain socket connection...
397*5e7646d2SAndroid Build Coastguard Worker */
398*5e7646d2SAndroid Build Coastguard Worker
399*5e7646d2SAndroid Build Coastguard Worker struct passwd *pwd; /* Password entry for this user */
400*5e7646d2SAndroid Build Coastguard Worker cupsd_ucred_t peercred; /* Peer credentials */
401*5e7646d2SAndroid Build Coastguard Worker socklen_t peersize; /* Size of peer credentials */
402*5e7646d2SAndroid Build Coastguard Worker #ifdef HAVE_AUTHORIZATION_H
403*5e7646d2SAndroid Build Coastguard Worker const char *name; /* Authorizing name */
404*5e7646d2SAndroid Build Coastguard Worker int no_peer = 0; /* Don't allow peer credentials? */
405*5e7646d2SAndroid Build Coastguard Worker
406*5e7646d2SAndroid Build Coastguard Worker /*
407*5e7646d2SAndroid Build Coastguard Worker * See if we should allow peer credentials...
408*5e7646d2SAndroid Build Coastguard Worker */
409*5e7646d2SAndroid Build Coastguard Worker
410*5e7646d2SAndroid Build Coastguard Worker for (name = (char *)cupsArrayFirst(con->best->names);
411*5e7646d2SAndroid Build Coastguard Worker name;
412*5e7646d2SAndroid Build Coastguard Worker name = (char *)cupsArrayNext(con->best->names))
413*5e7646d2SAndroid Build Coastguard Worker {
414*5e7646d2SAndroid Build Coastguard Worker if (!_cups_strncasecmp(name, "@AUTHKEY(", 9) ||
415*5e7646d2SAndroid Build Coastguard Worker !_cups_strcasecmp(name, "@SYSTEM"))
416*5e7646d2SAndroid Build Coastguard Worker {
417*5e7646d2SAndroid Build Coastguard Worker /* Normally don't want peer credentials if we need an auth key... */
418*5e7646d2SAndroid Build Coastguard Worker no_peer = 1;
419*5e7646d2SAndroid Build Coastguard Worker }
420*5e7646d2SAndroid Build Coastguard Worker else if (!_cups_strcasecmp(name, "@OWNER"))
421*5e7646d2SAndroid Build Coastguard Worker {
422*5e7646d2SAndroid Build Coastguard Worker /* but if @OWNER is present then we allow it... */
423*5e7646d2SAndroid Build Coastguard Worker no_peer = 0;
424*5e7646d2SAndroid Build Coastguard Worker break;
425*5e7646d2SAndroid Build Coastguard Worker }
426*5e7646d2SAndroid Build Coastguard Worker }
427*5e7646d2SAndroid Build Coastguard Worker
428*5e7646d2SAndroid Build Coastguard Worker if (no_peer)
429*5e7646d2SAndroid Build Coastguard Worker {
430*5e7646d2SAndroid Build Coastguard Worker cupsdLogClient(con, CUPSD_LOG_ERROR, "PeerCred authentication not allowed for resource per AUTHKEY policy.");
431*5e7646d2SAndroid Build Coastguard Worker return;
432*5e7646d2SAndroid Build Coastguard Worker }
433*5e7646d2SAndroid Build Coastguard Worker #endif /* HAVE_AUTHORIZATION_H */
434*5e7646d2SAndroid Build Coastguard Worker
435*5e7646d2SAndroid Build Coastguard Worker if ((pwd = getpwnam(authorization + 9)) == NULL)
436*5e7646d2SAndroid Build Coastguard Worker {
437*5e7646d2SAndroid Build Coastguard Worker cupsdLogClient(con, CUPSD_LOG_ERROR, "User \"%s\" does not exist.", authorization + 9);
438*5e7646d2SAndroid Build Coastguard Worker return;
439*5e7646d2SAndroid Build Coastguard Worker }
440*5e7646d2SAndroid Build Coastguard Worker
441*5e7646d2SAndroid Build Coastguard Worker peersize = sizeof(peercred);
442*5e7646d2SAndroid Build Coastguard Worker
443*5e7646d2SAndroid Build Coastguard Worker # ifdef __APPLE__
444*5e7646d2SAndroid Build Coastguard Worker if (getsockopt(httpGetFd(con->http), 0, LOCAL_PEERCRED, &peercred, &peersize))
445*5e7646d2SAndroid Build Coastguard Worker # else
446*5e7646d2SAndroid Build Coastguard Worker if (getsockopt(httpGetFd(con->http), SOL_SOCKET, SO_PEERCRED, &peercred, &peersize))
447*5e7646d2SAndroid Build Coastguard Worker # endif /* __APPLE__ */
448*5e7646d2SAndroid Build Coastguard Worker {
449*5e7646d2SAndroid Build Coastguard Worker cupsdLogClient(con, CUPSD_LOG_ERROR, "Unable to get peer credentials - %s", strerror(errno));
450*5e7646d2SAndroid Build Coastguard Worker return;
451*5e7646d2SAndroid Build Coastguard Worker }
452*5e7646d2SAndroid Build Coastguard Worker
453*5e7646d2SAndroid Build Coastguard Worker if (pwd->pw_uid != CUPSD_UCRED_UID(peercred))
454*5e7646d2SAndroid Build Coastguard Worker {
455*5e7646d2SAndroid Build Coastguard Worker cupsdLogClient(con, CUPSD_LOG_ERROR, "Invalid peer credentials for \"%s\" - got %d, expected %d.", authorization + 9, CUPSD_UCRED_UID(peercred), pwd->pw_uid);
456*5e7646d2SAndroid Build Coastguard Worker # ifdef HAVE_SYS_UCRED_H
457*5e7646d2SAndroid Build Coastguard Worker cupsdLogClient(con, CUPSD_LOG_DEBUG2, "cr_version=%d", peercred.cr_version);
458*5e7646d2SAndroid Build Coastguard Worker cupsdLogClient(con, CUPSD_LOG_DEBUG2, "cr_uid=%d", peercred.cr_uid);
459*5e7646d2SAndroid Build Coastguard Worker cupsdLogClient(con, CUPSD_LOG_DEBUG2, "cr_ngroups=%d", peercred.cr_ngroups);
460*5e7646d2SAndroid Build Coastguard Worker cupsdLogClient(con, CUPSD_LOG_DEBUG2, "cr_groups[0]=%d", peercred.cr_groups[0]);
461*5e7646d2SAndroid Build Coastguard Worker # endif /* HAVE_SYS_UCRED_H */
462*5e7646d2SAndroid Build Coastguard Worker return;
463*5e7646d2SAndroid Build Coastguard Worker }
464*5e7646d2SAndroid Build Coastguard Worker
465*5e7646d2SAndroid Build Coastguard Worker strlcpy(username, authorization + 9, sizeof(username));
466*5e7646d2SAndroid Build Coastguard Worker
467*5e7646d2SAndroid Build Coastguard Worker # ifdef HAVE_GSSAPI
468*5e7646d2SAndroid Build Coastguard Worker con->gss_uid = CUPSD_UCRED_UID(peercred);
469*5e7646d2SAndroid Build Coastguard Worker # endif /* HAVE_GSSAPI */
470*5e7646d2SAndroid Build Coastguard Worker
471*5e7646d2SAndroid Build Coastguard Worker cupsdLogClient(con, CUPSD_LOG_DEBUG, "Authorized as %s using PeerCred.", username);
472*5e7646d2SAndroid Build Coastguard Worker
473*5e7646d2SAndroid Build Coastguard Worker con->type = CUPSD_AUTH_BASIC;
474*5e7646d2SAndroid Build Coastguard Worker }
475*5e7646d2SAndroid Build Coastguard Worker #endif /* SO_PEERCRED && AF_LOCAL */
476*5e7646d2SAndroid Build Coastguard Worker else if (!strncmp(authorization, "Local", 5) &&
477*5e7646d2SAndroid Build Coastguard Worker httpAddrLocalhost(httpGetAddress(con->http)))
478*5e7646d2SAndroid Build Coastguard Worker {
479*5e7646d2SAndroid Build Coastguard Worker /*
480*5e7646d2SAndroid Build Coastguard Worker * Get Local certificate authentication data...
481*5e7646d2SAndroid Build Coastguard Worker */
482*5e7646d2SAndroid Build Coastguard Worker
483*5e7646d2SAndroid Build Coastguard Worker authorization += 5;
484*5e7646d2SAndroid Build Coastguard Worker while (isspace(*authorization & 255))
485*5e7646d2SAndroid Build Coastguard Worker authorization ++;
486*5e7646d2SAndroid Build Coastguard Worker
487*5e7646d2SAndroid Build Coastguard Worker if ((localuser = cupsdFindCert(authorization)) == NULL)
488*5e7646d2SAndroid Build Coastguard Worker {
489*5e7646d2SAndroid Build Coastguard Worker cupsdLogClient(con, CUPSD_LOG_ERROR, "Local authentication certificate not found.");
490*5e7646d2SAndroid Build Coastguard Worker return;
491*5e7646d2SAndroid Build Coastguard Worker }
492*5e7646d2SAndroid Build Coastguard Worker
493*5e7646d2SAndroid Build Coastguard Worker strlcpy(username, localuser->username, sizeof(username));
494*5e7646d2SAndroid Build Coastguard Worker con->type = localuser->type;
495*5e7646d2SAndroid Build Coastguard Worker
496*5e7646d2SAndroid Build Coastguard Worker cupsdLogClient(con, CUPSD_LOG_DEBUG, "Authorized as %s using Local.", username);
497*5e7646d2SAndroid Build Coastguard Worker }
498*5e7646d2SAndroid Build Coastguard Worker else if (!strncmp(authorization, "Basic", 5))
499*5e7646d2SAndroid Build Coastguard Worker {
500*5e7646d2SAndroid Build Coastguard Worker /*
501*5e7646d2SAndroid Build Coastguard Worker * Get the Basic authentication data...
502*5e7646d2SAndroid Build Coastguard Worker */
503*5e7646d2SAndroid Build Coastguard Worker
504*5e7646d2SAndroid Build Coastguard Worker int userlen; /* Username:password length */
505*5e7646d2SAndroid Build Coastguard Worker
506*5e7646d2SAndroid Build Coastguard Worker
507*5e7646d2SAndroid Build Coastguard Worker authorization += 5;
508*5e7646d2SAndroid Build Coastguard Worker while (isspace(*authorization & 255))
509*5e7646d2SAndroid Build Coastguard Worker authorization ++;
510*5e7646d2SAndroid Build Coastguard Worker
511*5e7646d2SAndroid Build Coastguard Worker userlen = sizeof(username);
512*5e7646d2SAndroid Build Coastguard Worker httpDecode64_2(username, &userlen, authorization);
513*5e7646d2SAndroid Build Coastguard Worker
514*5e7646d2SAndroid Build Coastguard Worker /*
515*5e7646d2SAndroid Build Coastguard Worker * Pull the username and password out...
516*5e7646d2SAndroid Build Coastguard Worker */
517*5e7646d2SAndroid Build Coastguard Worker
518*5e7646d2SAndroid Build Coastguard Worker if ((ptr = strchr(username, ':')) == NULL)
519*5e7646d2SAndroid Build Coastguard Worker {
520*5e7646d2SAndroid Build Coastguard Worker cupsdLogClient(con, CUPSD_LOG_ERROR, "Missing Basic password.");
521*5e7646d2SAndroid Build Coastguard Worker return;
522*5e7646d2SAndroid Build Coastguard Worker }
523*5e7646d2SAndroid Build Coastguard Worker
524*5e7646d2SAndroid Build Coastguard Worker *ptr++ = '\0';
525*5e7646d2SAndroid Build Coastguard Worker
526*5e7646d2SAndroid Build Coastguard Worker if (!username[0])
527*5e7646d2SAndroid Build Coastguard Worker {
528*5e7646d2SAndroid Build Coastguard Worker /*
529*5e7646d2SAndroid Build Coastguard Worker * Username must not be empty...
530*5e7646d2SAndroid Build Coastguard Worker */
531*5e7646d2SAndroid Build Coastguard Worker
532*5e7646d2SAndroid Build Coastguard Worker cupsdLogClient(con, CUPSD_LOG_ERROR, "Empty Basic username.");
533*5e7646d2SAndroid Build Coastguard Worker return;
534*5e7646d2SAndroid Build Coastguard Worker }
535*5e7646d2SAndroid Build Coastguard Worker
536*5e7646d2SAndroid Build Coastguard Worker if (!*ptr)
537*5e7646d2SAndroid Build Coastguard Worker {
538*5e7646d2SAndroid Build Coastguard Worker /*
539*5e7646d2SAndroid Build Coastguard Worker * Password must not be empty...
540*5e7646d2SAndroid Build Coastguard Worker */
541*5e7646d2SAndroid Build Coastguard Worker
542*5e7646d2SAndroid Build Coastguard Worker cupsdLogClient(con, CUPSD_LOG_ERROR, "Empty Basic password.");
543*5e7646d2SAndroid Build Coastguard Worker return;
544*5e7646d2SAndroid Build Coastguard Worker }
545*5e7646d2SAndroid Build Coastguard Worker
546*5e7646d2SAndroid Build Coastguard Worker strlcpy(password, ptr, sizeof(password));
547*5e7646d2SAndroid Build Coastguard Worker
548*5e7646d2SAndroid Build Coastguard Worker /*
549*5e7646d2SAndroid Build Coastguard Worker * Validate the username and password...
550*5e7646d2SAndroid Build Coastguard Worker */
551*5e7646d2SAndroid Build Coastguard Worker
552*5e7646d2SAndroid Build Coastguard Worker switch (type)
553*5e7646d2SAndroid Build Coastguard Worker {
554*5e7646d2SAndroid Build Coastguard Worker default :
555*5e7646d2SAndroid Build Coastguard Worker case CUPSD_AUTH_BASIC :
556*5e7646d2SAndroid Build Coastguard Worker {
557*5e7646d2SAndroid Build Coastguard Worker #if HAVE_LIBPAM
558*5e7646d2SAndroid Build Coastguard Worker /*
559*5e7646d2SAndroid Build Coastguard Worker * Only use PAM to do authentication. This supports MD5
560*5e7646d2SAndroid Build Coastguard Worker * passwords, among other things...
561*5e7646d2SAndroid Build Coastguard Worker */
562*5e7646d2SAndroid Build Coastguard Worker
563*5e7646d2SAndroid Build Coastguard Worker pam_handle_t *pamh; /* PAM authentication handle */
564*5e7646d2SAndroid Build Coastguard Worker int pamerr; /* PAM error code */
565*5e7646d2SAndroid Build Coastguard Worker struct pam_conv pamdata;/* PAM conversation data */
566*5e7646d2SAndroid Build Coastguard Worker cupsd_authdata_t data; /* Authentication data */
567*5e7646d2SAndroid Build Coastguard Worker
568*5e7646d2SAndroid Build Coastguard Worker
569*5e7646d2SAndroid Build Coastguard Worker strlcpy(data.username, username, sizeof(data.username));
570*5e7646d2SAndroid Build Coastguard Worker strlcpy(data.password, password, sizeof(data.password));
571*5e7646d2SAndroid Build Coastguard Worker
572*5e7646d2SAndroid Build Coastguard Worker # ifdef __sun
573*5e7646d2SAndroid Build Coastguard Worker pamdata.conv = (int (*)(int, struct pam_message **,
574*5e7646d2SAndroid Build Coastguard Worker struct pam_response **,
575*5e7646d2SAndroid Build Coastguard Worker void *))pam_func;
576*5e7646d2SAndroid Build Coastguard Worker # else
577*5e7646d2SAndroid Build Coastguard Worker pamdata.conv = pam_func;
578*5e7646d2SAndroid Build Coastguard Worker # endif /* __sun */
579*5e7646d2SAndroid Build Coastguard Worker pamdata.appdata_ptr = &data;
580*5e7646d2SAndroid Build Coastguard Worker
581*5e7646d2SAndroid Build Coastguard Worker pamerr = pam_start("cups", username, &pamdata, &pamh);
582*5e7646d2SAndroid Build Coastguard Worker if (pamerr != PAM_SUCCESS)
583*5e7646d2SAndroid Build Coastguard Worker {
584*5e7646d2SAndroid Build Coastguard Worker cupsdLogClient(con, CUPSD_LOG_ERROR, "pam_start() returned %d (%s)", pamerr, pam_strerror(pamh, pamerr));
585*5e7646d2SAndroid Build Coastguard Worker return;
586*5e7646d2SAndroid Build Coastguard Worker }
587*5e7646d2SAndroid Build Coastguard Worker
588*5e7646d2SAndroid Build Coastguard Worker # ifdef HAVE_PAM_SET_ITEM
589*5e7646d2SAndroid Build Coastguard Worker # ifdef PAM_RHOST
590*5e7646d2SAndroid Build Coastguard Worker pamerr = pam_set_item(pamh, PAM_RHOST, con->http->hostname);
591*5e7646d2SAndroid Build Coastguard Worker if (pamerr != PAM_SUCCESS)
592*5e7646d2SAndroid Build Coastguard Worker cupsdLogClient(con, CUPSD_LOG_WARN, "pam_set_item(PAM_RHOST) returned %d (%s)", pamerr, pam_strerror(pamh, pamerr));
593*5e7646d2SAndroid Build Coastguard Worker # endif /* PAM_RHOST */
594*5e7646d2SAndroid Build Coastguard Worker
595*5e7646d2SAndroid Build Coastguard Worker # ifdef PAM_TTY
596*5e7646d2SAndroid Build Coastguard Worker pamerr = pam_set_item(pamh, PAM_TTY, "cups");
597*5e7646d2SAndroid Build Coastguard Worker if (pamerr != PAM_SUCCESS)
598*5e7646d2SAndroid Build Coastguard Worker cupsdLogClient(con, CUPSD_LOG_WARN, "pam_set_item(PAM_TTY) returned %d (%s)", pamerr, pam_strerror(pamh, pamerr));
599*5e7646d2SAndroid Build Coastguard Worker # endif /* PAM_TTY */
600*5e7646d2SAndroid Build Coastguard Worker # endif /* HAVE_PAM_SET_ITEM */
601*5e7646d2SAndroid Build Coastguard Worker
602*5e7646d2SAndroid Build Coastguard Worker pamerr = pam_authenticate(pamh, PAM_SILENT);
603*5e7646d2SAndroid Build Coastguard Worker if (pamerr != PAM_SUCCESS)
604*5e7646d2SAndroid Build Coastguard Worker {
605*5e7646d2SAndroid Build Coastguard Worker cupsdLogClient(con, CUPSD_LOG_ERROR, "pam_authenticate() returned %d (%s)", pamerr, pam_strerror(pamh, pamerr));
606*5e7646d2SAndroid Build Coastguard Worker pam_end(pamh, 0);
607*5e7646d2SAndroid Build Coastguard Worker return;
608*5e7646d2SAndroid Build Coastguard Worker }
609*5e7646d2SAndroid Build Coastguard Worker
610*5e7646d2SAndroid Build Coastguard Worker # ifdef HAVE_PAM_SETCRED
611*5e7646d2SAndroid Build Coastguard Worker pamerr = pam_setcred(pamh, PAM_ESTABLISH_CRED | PAM_SILENT);
612*5e7646d2SAndroid Build Coastguard Worker if (pamerr != PAM_SUCCESS)
613*5e7646d2SAndroid Build Coastguard Worker cupsdLogClient(con, CUPSD_LOG_WARN, "pam_setcred() returned %d (%s)", pamerr, pam_strerror(pamh, pamerr));
614*5e7646d2SAndroid Build Coastguard Worker # endif /* HAVE_PAM_SETCRED */
615*5e7646d2SAndroid Build Coastguard Worker
616*5e7646d2SAndroid Build Coastguard Worker pamerr = pam_acct_mgmt(pamh, PAM_SILENT);
617*5e7646d2SAndroid Build Coastguard Worker if (pamerr != PAM_SUCCESS)
618*5e7646d2SAndroid Build Coastguard Worker {
619*5e7646d2SAndroid Build Coastguard Worker cupsdLogClient(con, CUPSD_LOG_ERROR, "pam_acct_mgmt() returned %d (%s)", pamerr, pam_strerror(pamh, pamerr));
620*5e7646d2SAndroid Build Coastguard Worker pam_end(pamh, 0);
621*5e7646d2SAndroid Build Coastguard Worker return;
622*5e7646d2SAndroid Build Coastguard Worker }
623*5e7646d2SAndroid Build Coastguard Worker
624*5e7646d2SAndroid Build Coastguard Worker pam_end(pamh, PAM_SUCCESS);
625*5e7646d2SAndroid Build Coastguard Worker
626*5e7646d2SAndroid Build Coastguard Worker #else
627*5e7646d2SAndroid Build Coastguard Worker /*
628*5e7646d2SAndroid Build Coastguard Worker * Use normal UNIX password file-based authentication...
629*5e7646d2SAndroid Build Coastguard Worker */
630*5e7646d2SAndroid Build Coastguard Worker
631*5e7646d2SAndroid Build Coastguard Worker char *pass; /* Encrypted password */
632*5e7646d2SAndroid Build Coastguard Worker struct passwd *pw; /* User password data */
633*5e7646d2SAndroid Build Coastguard Worker # ifdef HAVE_SHADOW_H
634*5e7646d2SAndroid Build Coastguard Worker struct spwd *spw; /* Shadow password data */
635*5e7646d2SAndroid Build Coastguard Worker # endif /* HAVE_SHADOW_H */
636*5e7646d2SAndroid Build Coastguard Worker
637*5e7646d2SAndroid Build Coastguard Worker
638*5e7646d2SAndroid Build Coastguard Worker pw = getpwnam(username); /* Get the current password */
639*5e7646d2SAndroid Build Coastguard Worker endpwent(); /* Close the password file */
640*5e7646d2SAndroid Build Coastguard Worker
641*5e7646d2SAndroid Build Coastguard Worker if (!pw)
642*5e7646d2SAndroid Build Coastguard Worker {
643*5e7646d2SAndroid Build Coastguard Worker /*
644*5e7646d2SAndroid Build Coastguard Worker * No such user...
645*5e7646d2SAndroid Build Coastguard Worker */
646*5e7646d2SAndroid Build Coastguard Worker
647*5e7646d2SAndroid Build Coastguard Worker cupsdLogClient(con, CUPSD_LOG_ERROR, "Unknown username \"%s\".", username);
648*5e7646d2SAndroid Build Coastguard Worker return;
649*5e7646d2SAndroid Build Coastguard Worker }
650*5e7646d2SAndroid Build Coastguard Worker
651*5e7646d2SAndroid Build Coastguard Worker # ifdef HAVE_SHADOW_H
652*5e7646d2SAndroid Build Coastguard Worker spw = getspnam(username);
653*5e7646d2SAndroid Build Coastguard Worker endspent();
654*5e7646d2SAndroid Build Coastguard Worker
655*5e7646d2SAndroid Build Coastguard Worker if (!spw && !strcmp(pw->pw_passwd, "x"))
656*5e7646d2SAndroid Build Coastguard Worker {
657*5e7646d2SAndroid Build Coastguard Worker /*
658*5e7646d2SAndroid Build Coastguard Worker * Don't allow blank passwords!
659*5e7646d2SAndroid Build Coastguard Worker */
660*5e7646d2SAndroid Build Coastguard Worker
661*5e7646d2SAndroid Build Coastguard Worker cupsdLogClient(con, CUPSD_LOG_ERROR, "Username \"%s\" has no shadow password.", username);
662*5e7646d2SAndroid Build Coastguard Worker return;
663*5e7646d2SAndroid Build Coastguard Worker }
664*5e7646d2SAndroid Build Coastguard Worker
665*5e7646d2SAndroid Build Coastguard Worker if (spw && !spw->sp_pwdp[0] && !pw->pw_passwd[0])
666*5e7646d2SAndroid Build Coastguard Worker # else
667*5e7646d2SAndroid Build Coastguard Worker if (!pw->pw_passwd[0])
668*5e7646d2SAndroid Build Coastguard Worker # endif /* HAVE_SHADOW_H */
669*5e7646d2SAndroid Build Coastguard Worker {
670*5e7646d2SAndroid Build Coastguard Worker /*
671*5e7646d2SAndroid Build Coastguard Worker * Don't allow blank passwords!
672*5e7646d2SAndroid Build Coastguard Worker */
673*5e7646d2SAndroid Build Coastguard Worker
674*5e7646d2SAndroid Build Coastguard Worker cupsdLogClient(con, CUPSD_LOG_ERROR, "Username \"%s\" has no password.", username);
675*5e7646d2SAndroid Build Coastguard Worker return;
676*5e7646d2SAndroid Build Coastguard Worker }
677*5e7646d2SAndroid Build Coastguard Worker
678*5e7646d2SAndroid Build Coastguard Worker /*
679*5e7646d2SAndroid Build Coastguard Worker * OK, the password isn't blank, so compare with what came from the
680*5e7646d2SAndroid Build Coastguard Worker * client...
681*5e7646d2SAndroid Build Coastguard Worker */
682*5e7646d2SAndroid Build Coastguard Worker
683*5e7646d2SAndroid Build Coastguard Worker pass = crypt(password, pw->pw_passwd);
684*5e7646d2SAndroid Build Coastguard Worker
685*5e7646d2SAndroid Build Coastguard Worker if (!pass || strcmp(pw->pw_passwd, pass))
686*5e7646d2SAndroid Build Coastguard Worker {
687*5e7646d2SAndroid Build Coastguard Worker # ifdef HAVE_SHADOW_H
688*5e7646d2SAndroid Build Coastguard Worker if (spw)
689*5e7646d2SAndroid Build Coastguard Worker {
690*5e7646d2SAndroid Build Coastguard Worker pass = crypt(password, spw->sp_pwdp);
691*5e7646d2SAndroid Build Coastguard Worker
692*5e7646d2SAndroid Build Coastguard Worker if (pass == NULL || strcmp(spw->sp_pwdp, pass))
693*5e7646d2SAndroid Build Coastguard Worker {
694*5e7646d2SAndroid Build Coastguard Worker cupsdLogClient(con, CUPSD_LOG_ERROR, "Authentication failed for user \"%s\".", username);
695*5e7646d2SAndroid Build Coastguard Worker return;
696*5e7646d2SAndroid Build Coastguard Worker }
697*5e7646d2SAndroid Build Coastguard Worker }
698*5e7646d2SAndroid Build Coastguard Worker else
699*5e7646d2SAndroid Build Coastguard Worker # endif /* HAVE_SHADOW_H */
700*5e7646d2SAndroid Build Coastguard Worker {
701*5e7646d2SAndroid Build Coastguard Worker cupsdLogClient(con, CUPSD_LOG_ERROR, "Authentication failed for user \"%s\".", username);
702*5e7646d2SAndroid Build Coastguard Worker return;
703*5e7646d2SAndroid Build Coastguard Worker }
704*5e7646d2SAndroid Build Coastguard Worker }
705*5e7646d2SAndroid Build Coastguard Worker #endif /* HAVE_LIBPAM */
706*5e7646d2SAndroid Build Coastguard Worker }
707*5e7646d2SAndroid Build Coastguard Worker
708*5e7646d2SAndroid Build Coastguard Worker cupsdLogClient(con, CUPSD_LOG_DEBUG, "Authorized as \"%s\" using Basic.", username);
709*5e7646d2SAndroid Build Coastguard Worker break;
710*5e7646d2SAndroid Build Coastguard Worker }
711*5e7646d2SAndroid Build Coastguard Worker
712*5e7646d2SAndroid Build Coastguard Worker con->type = type;
713*5e7646d2SAndroid Build Coastguard Worker }
714*5e7646d2SAndroid Build Coastguard Worker #ifdef HAVE_GSSAPI
715*5e7646d2SAndroid Build Coastguard Worker else if (!strncmp(authorization, "Negotiate", 9))
716*5e7646d2SAndroid Build Coastguard Worker {
717*5e7646d2SAndroid Build Coastguard Worker int len; /* Length of authorization string */
718*5e7646d2SAndroid Build Coastguard Worker gss_ctx_id_t context; /* Authorization context */
719*5e7646d2SAndroid Build Coastguard Worker OM_uint32 major_status, /* Major status code */
720*5e7646d2SAndroid Build Coastguard Worker minor_status; /* Minor status code */
721*5e7646d2SAndroid Build Coastguard Worker gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER,
722*5e7646d2SAndroid Build Coastguard Worker /* Input token from string */
723*5e7646d2SAndroid Build Coastguard Worker output_token = GSS_C_EMPTY_BUFFER;
724*5e7646d2SAndroid Build Coastguard Worker /* Output token for username */
725*5e7646d2SAndroid Build Coastguard Worker gss_name_t client_name; /* Client name */
726*5e7646d2SAndroid Build Coastguard Worker
727*5e7646d2SAndroid Build Coastguard Worker
728*5e7646d2SAndroid Build Coastguard Worker # ifdef __APPLE__
729*5e7646d2SAndroid Build Coastguard Worker /*
730*5e7646d2SAndroid Build Coastguard Worker * If the weak-linked GSSAPI/Kerberos library is not present, don't try
731*5e7646d2SAndroid Build Coastguard Worker * to use it...
732*5e7646d2SAndroid Build Coastguard Worker */
733*5e7646d2SAndroid Build Coastguard Worker
734*5e7646d2SAndroid Build Coastguard Worker if (&gss_init_sec_context == NULL)
735*5e7646d2SAndroid Build Coastguard Worker {
736*5e7646d2SAndroid Build Coastguard Worker cupsdLogClient(con, CUPSD_LOG_WARN, "GSSAPI/Kerberos authentication failed because the Kerberos framework is not present.");
737*5e7646d2SAndroid Build Coastguard Worker return;
738*5e7646d2SAndroid Build Coastguard Worker }
739*5e7646d2SAndroid Build Coastguard Worker # endif /* __APPLE__ */
740*5e7646d2SAndroid Build Coastguard Worker
741*5e7646d2SAndroid Build Coastguard Worker /*
742*5e7646d2SAndroid Build Coastguard Worker * Find the start of the Kerberos input token...
743*5e7646d2SAndroid Build Coastguard Worker */
744*5e7646d2SAndroid Build Coastguard Worker
745*5e7646d2SAndroid Build Coastguard Worker authorization += 9;
746*5e7646d2SAndroid Build Coastguard Worker while (isspace(*authorization & 255))
747*5e7646d2SAndroid Build Coastguard Worker authorization ++;
748*5e7646d2SAndroid Build Coastguard Worker
749*5e7646d2SAndroid Build Coastguard Worker if (!*authorization)
750*5e7646d2SAndroid Build Coastguard Worker {
751*5e7646d2SAndroid Build Coastguard Worker cupsdLogClient(con, CUPSD_LOG_DEBUG2, "No authentication data specified.");
752*5e7646d2SAndroid Build Coastguard Worker return;
753*5e7646d2SAndroid Build Coastguard Worker }
754*5e7646d2SAndroid Build Coastguard Worker
755*5e7646d2SAndroid Build Coastguard Worker /*
756*5e7646d2SAndroid Build Coastguard Worker * Decode the authorization string to get the input token...
757*5e7646d2SAndroid Build Coastguard Worker */
758*5e7646d2SAndroid Build Coastguard Worker
759*5e7646d2SAndroid Build Coastguard Worker len = (int)strlen(authorization) + 0;
760*5e7646d2SAndroid Build Coastguard Worker input_token.value = malloc((size_t)len);
761*5e7646d2SAndroid Build Coastguard Worker input_token.value = httpDecode64_2(input_token.value, &len,
762*5e7646d2SAndroid Build Coastguard Worker authorization);
763*5e7646d2SAndroid Build Coastguard Worker input_token.length = (size_t)len;
764*5e7646d2SAndroid Build Coastguard Worker
765*5e7646d2SAndroid Build Coastguard Worker /*
766*5e7646d2SAndroid Build Coastguard Worker * Accept the input token to get the authorization info...
767*5e7646d2SAndroid Build Coastguard Worker */
768*5e7646d2SAndroid Build Coastguard Worker
769*5e7646d2SAndroid Build Coastguard Worker context = GSS_C_NO_CONTEXT;
770*5e7646d2SAndroid Build Coastguard Worker client_name = GSS_C_NO_NAME;
771*5e7646d2SAndroid Build Coastguard Worker major_status = gss_accept_sec_context(&minor_status,
772*5e7646d2SAndroid Build Coastguard Worker &context,
773*5e7646d2SAndroid Build Coastguard Worker ServerCreds,
774*5e7646d2SAndroid Build Coastguard Worker &input_token,
775*5e7646d2SAndroid Build Coastguard Worker GSS_C_NO_CHANNEL_BINDINGS,
776*5e7646d2SAndroid Build Coastguard Worker &client_name,
777*5e7646d2SAndroid Build Coastguard Worker NULL,
778*5e7646d2SAndroid Build Coastguard Worker &output_token,
779*5e7646d2SAndroid Build Coastguard Worker NULL,
780*5e7646d2SAndroid Build Coastguard Worker NULL,
781*5e7646d2SAndroid Build Coastguard Worker NULL);
782*5e7646d2SAndroid Build Coastguard Worker
783*5e7646d2SAndroid Build Coastguard Worker if (output_token.length > 0)
784*5e7646d2SAndroid Build Coastguard Worker gss_release_buffer(&minor_status, &output_token);
785*5e7646d2SAndroid Build Coastguard Worker
786*5e7646d2SAndroid Build Coastguard Worker if (GSS_ERROR(major_status))
787*5e7646d2SAndroid Build Coastguard Worker {
788*5e7646d2SAndroid Build Coastguard Worker cupsdLogGSSMessage(CUPSD_LOG_DEBUG, major_status, minor_status, "[Client %d] Error accepting GSSAPI security context.", con->number);
789*5e7646d2SAndroid Build Coastguard Worker
790*5e7646d2SAndroid Build Coastguard Worker if (context != GSS_C_NO_CONTEXT)
791*5e7646d2SAndroid Build Coastguard Worker gss_delete_sec_context(&minor_status, &context, GSS_C_NO_BUFFER);
792*5e7646d2SAndroid Build Coastguard Worker return;
793*5e7646d2SAndroid Build Coastguard Worker }
794*5e7646d2SAndroid Build Coastguard Worker
795*5e7646d2SAndroid Build Coastguard Worker con->have_gss = 1;
796*5e7646d2SAndroid Build Coastguard Worker
797*5e7646d2SAndroid Build Coastguard Worker /*
798*5e7646d2SAndroid Build Coastguard Worker * Get the username associated with the client's credentials...
799*5e7646d2SAndroid Build Coastguard Worker */
800*5e7646d2SAndroid Build Coastguard Worker
801*5e7646d2SAndroid Build Coastguard Worker if (major_status == GSS_S_CONTINUE_NEEDED)
802*5e7646d2SAndroid Build Coastguard Worker cupsdLogGSSMessage(CUPSD_LOG_DEBUG, major_status, minor_status, "[Client %d] Credentials not complete.", con->number);
803*5e7646d2SAndroid Build Coastguard Worker else if (major_status == GSS_S_COMPLETE)
804*5e7646d2SAndroid Build Coastguard Worker {
805*5e7646d2SAndroid Build Coastguard Worker major_status = gss_display_name(&minor_status, client_name,
806*5e7646d2SAndroid Build Coastguard Worker &output_token, NULL);
807*5e7646d2SAndroid Build Coastguard Worker
808*5e7646d2SAndroid Build Coastguard Worker if (GSS_ERROR(major_status))
809*5e7646d2SAndroid Build Coastguard Worker {
810*5e7646d2SAndroid Build Coastguard Worker cupsdLogGSSMessage(CUPSD_LOG_DEBUG, major_status, minor_status, "[Client %d] Error getting username.", con->number);
811*5e7646d2SAndroid Build Coastguard Worker gss_release_name(&minor_status, &client_name);
812*5e7646d2SAndroid Build Coastguard Worker gss_delete_sec_context(&minor_status, &context, GSS_C_NO_BUFFER);
813*5e7646d2SAndroid Build Coastguard Worker return;
814*5e7646d2SAndroid Build Coastguard Worker }
815*5e7646d2SAndroid Build Coastguard Worker
816*5e7646d2SAndroid Build Coastguard Worker strlcpy(username, output_token.value, sizeof(username));
817*5e7646d2SAndroid Build Coastguard Worker
818*5e7646d2SAndroid Build Coastguard Worker cupsdLogClient(con, CUPSD_LOG_DEBUG, "Authorized as \"%s\" using Negotiate.", username);
819*5e7646d2SAndroid Build Coastguard Worker
820*5e7646d2SAndroid Build Coastguard Worker gss_release_name(&minor_status, &client_name);
821*5e7646d2SAndroid Build Coastguard Worker gss_release_buffer(&minor_status, &output_token);
822*5e7646d2SAndroid Build Coastguard Worker
823*5e7646d2SAndroid Build Coastguard Worker con->type = CUPSD_AUTH_NEGOTIATE;
824*5e7646d2SAndroid Build Coastguard Worker }
825*5e7646d2SAndroid Build Coastguard Worker
826*5e7646d2SAndroid Build Coastguard Worker gss_delete_sec_context(&minor_status, &context, GSS_C_NO_BUFFER);
827*5e7646d2SAndroid Build Coastguard Worker
828*5e7646d2SAndroid Build Coastguard Worker # if defined(SO_PEERCRED) && defined(AF_LOCAL)
829*5e7646d2SAndroid Build Coastguard Worker /*
830*5e7646d2SAndroid Build Coastguard Worker * Get the client's UID if we are printing locally - that allows a backend
831*5e7646d2SAndroid Build Coastguard Worker * to run as the correct user to get Kerberos credentials of its own.
832*5e7646d2SAndroid Build Coastguard Worker */
833*5e7646d2SAndroid Build Coastguard Worker
834*5e7646d2SAndroid Build Coastguard Worker if (httpAddrFamily(con->http->hostaddr) == AF_LOCAL)
835*5e7646d2SAndroid Build Coastguard Worker {
836*5e7646d2SAndroid Build Coastguard Worker cupsd_ucred_t peercred; /* Peer credentials */
837*5e7646d2SAndroid Build Coastguard Worker socklen_t peersize; /* Size of peer credentials */
838*5e7646d2SAndroid Build Coastguard Worker
839*5e7646d2SAndroid Build Coastguard Worker peersize = sizeof(peercred);
840*5e7646d2SAndroid Build Coastguard Worker
841*5e7646d2SAndroid Build Coastguard Worker # ifdef __APPLE__
842*5e7646d2SAndroid Build Coastguard Worker if (getsockopt(httpGetFd(con->http), 0, LOCAL_PEERCRED, &peercred, &peersize))
843*5e7646d2SAndroid Build Coastguard Worker # else
844*5e7646d2SAndroid Build Coastguard Worker if (getsockopt(httpGetFd(con->http), SOL_SOCKET, SO_PEERCRED, &peercred,
845*5e7646d2SAndroid Build Coastguard Worker &peersize))
846*5e7646d2SAndroid Build Coastguard Worker # endif /* __APPLE__ */
847*5e7646d2SAndroid Build Coastguard Worker {
848*5e7646d2SAndroid Build Coastguard Worker cupsdLogClient(con, CUPSD_LOG_ERROR, "Unable to get peer credentials - %s", strerror(errno));
849*5e7646d2SAndroid Build Coastguard Worker }
850*5e7646d2SAndroid Build Coastguard Worker else
851*5e7646d2SAndroid Build Coastguard Worker {
852*5e7646d2SAndroid Build Coastguard Worker cupsdLogClient(con, CUPSD_LOG_DEBUG, "Using credentials for UID %d.", CUPSD_UCRED_UID(peercred));
853*5e7646d2SAndroid Build Coastguard Worker con->gss_uid = CUPSD_UCRED_UID(peercred);
854*5e7646d2SAndroid Build Coastguard Worker }
855*5e7646d2SAndroid Build Coastguard Worker }
856*5e7646d2SAndroid Build Coastguard Worker # endif /* SO_PEERCRED && AF_LOCAL */
857*5e7646d2SAndroid Build Coastguard Worker }
858*5e7646d2SAndroid Build Coastguard Worker #endif /* HAVE_GSSAPI */
859*5e7646d2SAndroid Build Coastguard Worker else
860*5e7646d2SAndroid Build Coastguard Worker {
861*5e7646d2SAndroid Build Coastguard Worker char scheme[256]; /* Auth scheme... */
862*5e7646d2SAndroid Build Coastguard Worker
863*5e7646d2SAndroid Build Coastguard Worker
864*5e7646d2SAndroid Build Coastguard Worker if (sscanf(authorization, "%255s", scheme) != 1)
865*5e7646d2SAndroid Build Coastguard Worker strlcpy(scheme, "UNKNOWN", sizeof(scheme));
866*5e7646d2SAndroid Build Coastguard Worker
867*5e7646d2SAndroid Build Coastguard Worker cupsdLogClient(con, CUPSD_LOG_ERROR, "Bad authentication data \"%s ...\".", scheme);
868*5e7646d2SAndroid Build Coastguard Worker return;
869*5e7646d2SAndroid Build Coastguard Worker }
870*5e7646d2SAndroid Build Coastguard Worker
871*5e7646d2SAndroid Build Coastguard Worker /*
872*5e7646d2SAndroid Build Coastguard Worker * If we get here, then we were able to validate the username and
873*5e7646d2SAndroid Build Coastguard Worker * password - copy the validated username and password to the client
874*5e7646d2SAndroid Build Coastguard Worker * data and return...
875*5e7646d2SAndroid Build Coastguard Worker */
876*5e7646d2SAndroid Build Coastguard Worker
877*5e7646d2SAndroid Build Coastguard Worker strlcpy(con->username, username, sizeof(con->username));
878*5e7646d2SAndroid Build Coastguard Worker strlcpy(con->password, password, sizeof(con->password));
879*5e7646d2SAndroid Build Coastguard Worker }
880*5e7646d2SAndroid Build Coastguard Worker
881*5e7646d2SAndroid Build Coastguard Worker
882*5e7646d2SAndroid Build Coastguard Worker /*
883*5e7646d2SAndroid Build Coastguard Worker * 'cupsdCheckAccess()' - Check whether the given address is allowed to
884*5e7646d2SAndroid Build Coastguard Worker * access a location.
885*5e7646d2SAndroid Build Coastguard Worker */
886*5e7646d2SAndroid Build Coastguard Worker
887*5e7646d2SAndroid Build Coastguard Worker int /* O - 1 if allowed, 0 otherwise */
cupsdCheckAccess(unsigned ip[4],const char * name,size_t namelen,cupsd_location_t * loc)888*5e7646d2SAndroid Build Coastguard Worker cupsdCheckAccess(
889*5e7646d2SAndroid Build Coastguard Worker unsigned ip[4], /* I - Client address */
890*5e7646d2SAndroid Build Coastguard Worker const char *name, /* I - Client hostname */
891*5e7646d2SAndroid Build Coastguard Worker size_t namelen, /* I - Length of hostname */
892*5e7646d2SAndroid Build Coastguard Worker cupsd_location_t *loc) /* I - Location to check */
893*5e7646d2SAndroid Build Coastguard Worker {
894*5e7646d2SAndroid Build Coastguard Worker int allow; /* 1 if allowed, 0 otherwise */
895*5e7646d2SAndroid Build Coastguard Worker
896*5e7646d2SAndroid Build Coastguard Worker
897*5e7646d2SAndroid Build Coastguard Worker if (!_cups_strcasecmp(name, "localhost"))
898*5e7646d2SAndroid Build Coastguard Worker {
899*5e7646d2SAndroid Build Coastguard Worker /*
900*5e7646d2SAndroid Build Coastguard Worker * Access from localhost (127.0.0.1 or ::1) is always allowed...
901*5e7646d2SAndroid Build Coastguard Worker */
902*5e7646d2SAndroid Build Coastguard Worker
903*5e7646d2SAndroid Build Coastguard Worker return (1);
904*5e7646d2SAndroid Build Coastguard Worker }
905*5e7646d2SAndroid Build Coastguard Worker else
906*5e7646d2SAndroid Build Coastguard Worker {
907*5e7646d2SAndroid Build Coastguard Worker /*
908*5e7646d2SAndroid Build Coastguard Worker * Do authorization checks on the domain/address...
909*5e7646d2SAndroid Build Coastguard Worker */
910*5e7646d2SAndroid Build Coastguard Worker
911*5e7646d2SAndroid Build Coastguard Worker switch (loc->order_type)
912*5e7646d2SAndroid Build Coastguard Worker {
913*5e7646d2SAndroid Build Coastguard Worker default :
914*5e7646d2SAndroid Build Coastguard Worker allow = 0; /* anti-compiler-warning-code */
915*5e7646d2SAndroid Build Coastguard Worker break;
916*5e7646d2SAndroid Build Coastguard Worker
917*5e7646d2SAndroid Build Coastguard Worker case CUPSD_AUTH_ALLOW : /* Order Deny,Allow */
918*5e7646d2SAndroid Build Coastguard Worker allow = 1;
919*5e7646d2SAndroid Build Coastguard Worker
920*5e7646d2SAndroid Build Coastguard Worker if (cupsdCheckAuth(ip, name, namelen, loc->deny))
921*5e7646d2SAndroid Build Coastguard Worker allow = 0;
922*5e7646d2SAndroid Build Coastguard Worker
923*5e7646d2SAndroid Build Coastguard Worker if (cupsdCheckAuth(ip, name, namelen, loc->allow))
924*5e7646d2SAndroid Build Coastguard Worker allow = 1;
925*5e7646d2SAndroid Build Coastguard Worker break;
926*5e7646d2SAndroid Build Coastguard Worker
927*5e7646d2SAndroid Build Coastguard Worker case CUPSD_AUTH_DENY : /* Order Allow,Deny */
928*5e7646d2SAndroid Build Coastguard Worker allow = 0;
929*5e7646d2SAndroid Build Coastguard Worker
930*5e7646d2SAndroid Build Coastguard Worker if (cupsdCheckAuth(ip, name, namelen, loc->allow))
931*5e7646d2SAndroid Build Coastguard Worker allow = 1;
932*5e7646d2SAndroid Build Coastguard Worker
933*5e7646d2SAndroid Build Coastguard Worker if (cupsdCheckAuth(ip, name, namelen, loc->deny))
934*5e7646d2SAndroid Build Coastguard Worker allow = 0;
935*5e7646d2SAndroid Build Coastguard Worker break;
936*5e7646d2SAndroid Build Coastguard Worker }
937*5e7646d2SAndroid Build Coastguard Worker }
938*5e7646d2SAndroid Build Coastguard Worker
939*5e7646d2SAndroid Build Coastguard Worker return (allow);
940*5e7646d2SAndroid Build Coastguard Worker }
941*5e7646d2SAndroid Build Coastguard Worker
942*5e7646d2SAndroid Build Coastguard Worker
943*5e7646d2SAndroid Build Coastguard Worker /*
944*5e7646d2SAndroid Build Coastguard Worker * 'cupsdCheckAuth()' - Check authorization masks.
945*5e7646d2SAndroid Build Coastguard Worker */
946*5e7646d2SAndroid Build Coastguard Worker
947*5e7646d2SAndroid Build Coastguard Worker int /* O - 1 if mask matches, 0 otherwise */
cupsdCheckAuth(unsigned ip[4],const char * name,size_t name_len,cups_array_t * masks)948*5e7646d2SAndroid Build Coastguard Worker cupsdCheckAuth(unsigned ip[4], /* I - Client address */
949*5e7646d2SAndroid Build Coastguard Worker const char *name, /* I - Client hostname */
950*5e7646d2SAndroid Build Coastguard Worker size_t name_len, /* I - Length of hostname */
951*5e7646d2SAndroid Build Coastguard Worker cups_array_t *masks) /* I - Masks */
952*5e7646d2SAndroid Build Coastguard Worker {
953*5e7646d2SAndroid Build Coastguard Worker int i; /* Looping var */
954*5e7646d2SAndroid Build Coastguard Worker cupsd_authmask_t *mask; /* Current mask */
955*5e7646d2SAndroid Build Coastguard Worker cupsd_netif_t *iface; /* Network interface */
956*5e7646d2SAndroid Build Coastguard Worker unsigned netip4; /* IPv4 network address */
957*5e7646d2SAndroid Build Coastguard Worker #ifdef AF_INET6
958*5e7646d2SAndroid Build Coastguard Worker unsigned netip6[4]; /* IPv6 network address */
959*5e7646d2SAndroid Build Coastguard Worker #endif /* AF_INET6 */
960*5e7646d2SAndroid Build Coastguard Worker
961*5e7646d2SAndroid Build Coastguard Worker
962*5e7646d2SAndroid Build Coastguard Worker for (mask = (cupsd_authmask_t *)cupsArrayFirst(masks);
963*5e7646d2SAndroid Build Coastguard Worker mask;
964*5e7646d2SAndroid Build Coastguard Worker mask = (cupsd_authmask_t *)cupsArrayNext(masks))
965*5e7646d2SAndroid Build Coastguard Worker {
966*5e7646d2SAndroid Build Coastguard Worker switch (mask->type)
967*5e7646d2SAndroid Build Coastguard Worker {
968*5e7646d2SAndroid Build Coastguard Worker case CUPSD_AUTH_INTERFACE :
969*5e7646d2SAndroid Build Coastguard Worker /*
970*5e7646d2SAndroid Build Coastguard Worker * Check for a match with a network interface...
971*5e7646d2SAndroid Build Coastguard Worker */
972*5e7646d2SAndroid Build Coastguard Worker
973*5e7646d2SAndroid Build Coastguard Worker netip4 = htonl(ip[3]);
974*5e7646d2SAndroid Build Coastguard Worker
975*5e7646d2SAndroid Build Coastguard Worker #ifdef AF_INET6
976*5e7646d2SAndroid Build Coastguard Worker netip6[0] = htonl(ip[0]);
977*5e7646d2SAndroid Build Coastguard Worker netip6[1] = htonl(ip[1]);
978*5e7646d2SAndroid Build Coastguard Worker netip6[2] = htonl(ip[2]);
979*5e7646d2SAndroid Build Coastguard Worker netip6[3] = htonl(ip[3]);
980*5e7646d2SAndroid Build Coastguard Worker #endif /* AF_INET6 */
981*5e7646d2SAndroid Build Coastguard Worker
982*5e7646d2SAndroid Build Coastguard Worker cupsdNetIFUpdate();
983*5e7646d2SAndroid Build Coastguard Worker
984*5e7646d2SAndroid Build Coastguard Worker if (!strcmp(mask->mask.name.name, "*"))
985*5e7646d2SAndroid Build Coastguard Worker {
986*5e7646d2SAndroid Build Coastguard Worker #ifdef __APPLE__
987*5e7646d2SAndroid Build Coastguard Worker /*
988*5e7646d2SAndroid Build Coastguard Worker * Allow Back-to-My-Mac addresses...
989*5e7646d2SAndroid Build Coastguard Worker */
990*5e7646d2SAndroid Build Coastguard Worker
991*5e7646d2SAndroid Build Coastguard Worker if ((ip[0] & 0xff000000) == 0xfd000000)
992*5e7646d2SAndroid Build Coastguard Worker return (1);
993*5e7646d2SAndroid Build Coastguard Worker #endif /* __APPLE__ */
994*5e7646d2SAndroid Build Coastguard Worker
995*5e7646d2SAndroid Build Coastguard Worker /*
996*5e7646d2SAndroid Build Coastguard Worker * Check against all local interfaces...
997*5e7646d2SAndroid Build Coastguard Worker */
998*5e7646d2SAndroid Build Coastguard Worker
999*5e7646d2SAndroid Build Coastguard Worker for (iface = (cupsd_netif_t *)cupsArrayFirst(NetIFList);
1000*5e7646d2SAndroid Build Coastguard Worker iface;
1001*5e7646d2SAndroid Build Coastguard Worker iface = (cupsd_netif_t *)cupsArrayNext(NetIFList))
1002*5e7646d2SAndroid Build Coastguard Worker {
1003*5e7646d2SAndroid Build Coastguard Worker /*
1004*5e7646d2SAndroid Build Coastguard Worker * Only check local interfaces...
1005*5e7646d2SAndroid Build Coastguard Worker */
1006*5e7646d2SAndroid Build Coastguard Worker
1007*5e7646d2SAndroid Build Coastguard Worker if (!iface->is_local)
1008*5e7646d2SAndroid Build Coastguard Worker continue;
1009*5e7646d2SAndroid Build Coastguard Worker
1010*5e7646d2SAndroid Build Coastguard Worker if (iface->address.addr.sa_family == AF_INET)
1011*5e7646d2SAndroid Build Coastguard Worker {
1012*5e7646d2SAndroid Build Coastguard Worker /*
1013*5e7646d2SAndroid Build Coastguard Worker * Check IPv4 address...
1014*5e7646d2SAndroid Build Coastguard Worker */
1015*5e7646d2SAndroid Build Coastguard Worker
1016*5e7646d2SAndroid Build Coastguard Worker if ((netip4 & iface->mask.ipv4.sin_addr.s_addr) ==
1017*5e7646d2SAndroid Build Coastguard Worker (iface->address.ipv4.sin_addr.s_addr &
1018*5e7646d2SAndroid Build Coastguard Worker iface->mask.ipv4.sin_addr.s_addr))
1019*5e7646d2SAndroid Build Coastguard Worker return (1);
1020*5e7646d2SAndroid Build Coastguard Worker }
1021*5e7646d2SAndroid Build Coastguard Worker #ifdef AF_INET6
1022*5e7646d2SAndroid Build Coastguard Worker else
1023*5e7646d2SAndroid Build Coastguard Worker {
1024*5e7646d2SAndroid Build Coastguard Worker /*
1025*5e7646d2SAndroid Build Coastguard Worker * Check IPv6 address...
1026*5e7646d2SAndroid Build Coastguard Worker */
1027*5e7646d2SAndroid Build Coastguard Worker
1028*5e7646d2SAndroid Build Coastguard Worker for (i = 0; i < 4; i ++)
1029*5e7646d2SAndroid Build Coastguard Worker if ((netip6[i] & iface->mask.ipv6.sin6_addr.s6_addr32[i]) !=
1030*5e7646d2SAndroid Build Coastguard Worker (iface->address.ipv6.sin6_addr.s6_addr32[i] &
1031*5e7646d2SAndroid Build Coastguard Worker iface->mask.ipv6.sin6_addr.s6_addr32[i]))
1032*5e7646d2SAndroid Build Coastguard Worker break;
1033*5e7646d2SAndroid Build Coastguard Worker
1034*5e7646d2SAndroid Build Coastguard Worker if (i == 4)
1035*5e7646d2SAndroid Build Coastguard Worker return (1);
1036*5e7646d2SAndroid Build Coastguard Worker }
1037*5e7646d2SAndroid Build Coastguard Worker #endif /* AF_INET6 */
1038*5e7646d2SAndroid Build Coastguard Worker }
1039*5e7646d2SAndroid Build Coastguard Worker }
1040*5e7646d2SAndroid Build Coastguard Worker else
1041*5e7646d2SAndroid Build Coastguard Worker {
1042*5e7646d2SAndroid Build Coastguard Worker /*
1043*5e7646d2SAndroid Build Coastguard Worker * Check the named interface...
1044*5e7646d2SAndroid Build Coastguard Worker */
1045*5e7646d2SAndroid Build Coastguard Worker
1046*5e7646d2SAndroid Build Coastguard Worker for (iface = (cupsd_netif_t *)cupsArrayFirst(NetIFList);
1047*5e7646d2SAndroid Build Coastguard Worker iface;
1048*5e7646d2SAndroid Build Coastguard Worker iface = (cupsd_netif_t *)cupsArrayNext(NetIFList))
1049*5e7646d2SAndroid Build Coastguard Worker {
1050*5e7646d2SAndroid Build Coastguard Worker if (strcmp(mask->mask.name.name, iface->name))
1051*5e7646d2SAndroid Build Coastguard Worker continue;
1052*5e7646d2SAndroid Build Coastguard Worker
1053*5e7646d2SAndroid Build Coastguard Worker if (iface->address.addr.sa_family == AF_INET)
1054*5e7646d2SAndroid Build Coastguard Worker {
1055*5e7646d2SAndroid Build Coastguard Worker /*
1056*5e7646d2SAndroid Build Coastguard Worker * Check IPv4 address...
1057*5e7646d2SAndroid Build Coastguard Worker */
1058*5e7646d2SAndroid Build Coastguard Worker
1059*5e7646d2SAndroid Build Coastguard Worker if ((netip4 & iface->mask.ipv4.sin_addr.s_addr) ==
1060*5e7646d2SAndroid Build Coastguard Worker (iface->address.ipv4.sin_addr.s_addr &
1061*5e7646d2SAndroid Build Coastguard Worker iface->mask.ipv4.sin_addr.s_addr))
1062*5e7646d2SAndroid Build Coastguard Worker return (1);
1063*5e7646d2SAndroid Build Coastguard Worker }
1064*5e7646d2SAndroid Build Coastguard Worker #ifdef AF_INET6
1065*5e7646d2SAndroid Build Coastguard Worker else
1066*5e7646d2SAndroid Build Coastguard Worker {
1067*5e7646d2SAndroid Build Coastguard Worker /*
1068*5e7646d2SAndroid Build Coastguard Worker * Check IPv6 address...
1069*5e7646d2SAndroid Build Coastguard Worker */
1070*5e7646d2SAndroid Build Coastguard Worker
1071*5e7646d2SAndroid Build Coastguard Worker for (i = 0; i < 4; i ++)
1072*5e7646d2SAndroid Build Coastguard Worker if ((netip6[i] & iface->mask.ipv6.sin6_addr.s6_addr32[i]) !=
1073*5e7646d2SAndroid Build Coastguard Worker (iface->address.ipv6.sin6_addr.s6_addr32[i] &
1074*5e7646d2SAndroid Build Coastguard Worker iface->mask.ipv6.sin6_addr.s6_addr32[i]))
1075*5e7646d2SAndroid Build Coastguard Worker break;
1076*5e7646d2SAndroid Build Coastguard Worker
1077*5e7646d2SAndroid Build Coastguard Worker if (i == 4)
1078*5e7646d2SAndroid Build Coastguard Worker return (1);
1079*5e7646d2SAndroid Build Coastguard Worker }
1080*5e7646d2SAndroid Build Coastguard Worker #endif /* AF_INET6 */
1081*5e7646d2SAndroid Build Coastguard Worker }
1082*5e7646d2SAndroid Build Coastguard Worker }
1083*5e7646d2SAndroid Build Coastguard Worker break;
1084*5e7646d2SAndroid Build Coastguard Worker
1085*5e7646d2SAndroid Build Coastguard Worker case CUPSD_AUTH_NAME :
1086*5e7646d2SAndroid Build Coastguard Worker /*
1087*5e7646d2SAndroid Build Coastguard Worker * Check for exact name match...
1088*5e7646d2SAndroid Build Coastguard Worker */
1089*5e7646d2SAndroid Build Coastguard Worker
1090*5e7646d2SAndroid Build Coastguard Worker if (!_cups_strcasecmp(name, mask->mask.name.name))
1091*5e7646d2SAndroid Build Coastguard Worker return (1);
1092*5e7646d2SAndroid Build Coastguard Worker
1093*5e7646d2SAndroid Build Coastguard Worker /*
1094*5e7646d2SAndroid Build Coastguard Worker * Check for domain match...
1095*5e7646d2SAndroid Build Coastguard Worker */
1096*5e7646d2SAndroid Build Coastguard Worker
1097*5e7646d2SAndroid Build Coastguard Worker if (name_len >= mask->mask.name.length &&
1098*5e7646d2SAndroid Build Coastguard Worker mask->mask.name.name[0] == '.' &&
1099*5e7646d2SAndroid Build Coastguard Worker !_cups_strcasecmp(name + name_len - mask->mask.name.length,
1100*5e7646d2SAndroid Build Coastguard Worker mask->mask.name.name))
1101*5e7646d2SAndroid Build Coastguard Worker return (1);
1102*5e7646d2SAndroid Build Coastguard Worker break;
1103*5e7646d2SAndroid Build Coastguard Worker
1104*5e7646d2SAndroid Build Coastguard Worker case CUPSD_AUTH_IP :
1105*5e7646d2SAndroid Build Coastguard Worker /*
1106*5e7646d2SAndroid Build Coastguard Worker * Check for IP/network address match...
1107*5e7646d2SAndroid Build Coastguard Worker */
1108*5e7646d2SAndroid Build Coastguard Worker
1109*5e7646d2SAndroid Build Coastguard Worker for (i = 0; i < 4; i ++)
1110*5e7646d2SAndroid Build Coastguard Worker if ((ip[i] & mask->mask.ip.netmask[i]) !=
1111*5e7646d2SAndroid Build Coastguard Worker mask->mask.ip.address[i])
1112*5e7646d2SAndroid Build Coastguard Worker break;
1113*5e7646d2SAndroid Build Coastguard Worker
1114*5e7646d2SAndroid Build Coastguard Worker if (i == 4)
1115*5e7646d2SAndroid Build Coastguard Worker return (1);
1116*5e7646d2SAndroid Build Coastguard Worker break;
1117*5e7646d2SAndroid Build Coastguard Worker }
1118*5e7646d2SAndroid Build Coastguard Worker }
1119*5e7646d2SAndroid Build Coastguard Worker
1120*5e7646d2SAndroid Build Coastguard Worker return (0);
1121*5e7646d2SAndroid Build Coastguard Worker }
1122*5e7646d2SAndroid Build Coastguard Worker
1123*5e7646d2SAndroid Build Coastguard Worker
1124*5e7646d2SAndroid Build Coastguard Worker /*
1125*5e7646d2SAndroid Build Coastguard Worker * 'cupsdCheckGroup()' - Check for a user's group membership.
1126*5e7646d2SAndroid Build Coastguard Worker */
1127*5e7646d2SAndroid Build Coastguard Worker
1128*5e7646d2SAndroid Build Coastguard Worker int /* O - 1 if user is a member, 0 otherwise */
cupsdCheckGroup(const char * username,struct passwd * user,const char * groupname)1129*5e7646d2SAndroid Build Coastguard Worker cupsdCheckGroup(
1130*5e7646d2SAndroid Build Coastguard Worker const char *username, /* I - User name */
1131*5e7646d2SAndroid Build Coastguard Worker struct passwd *user, /* I - System user info */
1132*5e7646d2SAndroid Build Coastguard Worker const char *groupname) /* I - Group name */
1133*5e7646d2SAndroid Build Coastguard Worker {
1134*5e7646d2SAndroid Build Coastguard Worker int i; /* Looping var */
1135*5e7646d2SAndroid Build Coastguard Worker struct group *group; /* Group info */
1136*5e7646d2SAndroid Build Coastguard Worker gid_t groupid; /* ID of named group */
1137*5e7646d2SAndroid Build Coastguard Worker #ifdef HAVE_MBR_UID_TO_UUID
1138*5e7646d2SAndroid Build Coastguard Worker uuid_t useruuid, /* UUID for username */
1139*5e7646d2SAndroid Build Coastguard Worker groupuuid; /* UUID for groupname */
1140*5e7646d2SAndroid Build Coastguard Worker int is_member; /* True if user is a member of group */
1141*5e7646d2SAndroid Build Coastguard Worker #endif /* HAVE_MBR_UID_TO_UUID */
1142*5e7646d2SAndroid Build Coastguard Worker
1143*5e7646d2SAndroid Build Coastguard Worker
1144*5e7646d2SAndroid Build Coastguard Worker cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdCheckGroup(username=\"%s\", user=%p, groupname=\"%s\")", username, user, groupname);
1145*5e7646d2SAndroid Build Coastguard Worker
1146*5e7646d2SAndroid Build Coastguard Worker /*
1147*5e7646d2SAndroid Build Coastguard Worker * Validate input...
1148*5e7646d2SAndroid Build Coastguard Worker */
1149*5e7646d2SAndroid Build Coastguard Worker
1150*5e7646d2SAndroid Build Coastguard Worker if (!username || !groupname)
1151*5e7646d2SAndroid Build Coastguard Worker return (0);
1152*5e7646d2SAndroid Build Coastguard Worker
1153*5e7646d2SAndroid Build Coastguard Worker /*
1154*5e7646d2SAndroid Build Coastguard Worker * Check to see if the user is a member of the named group...
1155*5e7646d2SAndroid Build Coastguard Worker */
1156*5e7646d2SAndroid Build Coastguard Worker
1157*5e7646d2SAndroid Build Coastguard Worker group = getgrnam(groupname);
1158*5e7646d2SAndroid Build Coastguard Worker endgrent();
1159*5e7646d2SAndroid Build Coastguard Worker
1160*5e7646d2SAndroid Build Coastguard Worker if (group != NULL)
1161*5e7646d2SAndroid Build Coastguard Worker {
1162*5e7646d2SAndroid Build Coastguard Worker /*
1163*5e7646d2SAndroid Build Coastguard Worker * Group exists, check it...
1164*5e7646d2SAndroid Build Coastguard Worker */
1165*5e7646d2SAndroid Build Coastguard Worker
1166*5e7646d2SAndroid Build Coastguard Worker groupid = group->gr_gid;
1167*5e7646d2SAndroid Build Coastguard Worker
1168*5e7646d2SAndroid Build Coastguard Worker for (i = 0; group->gr_mem[i]; i ++)
1169*5e7646d2SAndroid Build Coastguard Worker {
1170*5e7646d2SAndroid Build Coastguard Worker /*
1171*5e7646d2SAndroid Build Coastguard Worker * User appears in the group membership...
1172*5e7646d2SAndroid Build Coastguard Worker */
1173*5e7646d2SAndroid Build Coastguard Worker
1174*5e7646d2SAndroid Build Coastguard Worker if (!_cups_strcasecmp(username, group->gr_mem[i]))
1175*5e7646d2SAndroid Build Coastguard Worker return (1);
1176*5e7646d2SAndroid Build Coastguard Worker }
1177*5e7646d2SAndroid Build Coastguard Worker
1178*5e7646d2SAndroid Build Coastguard Worker #ifdef HAVE_GETGROUPLIST
1179*5e7646d2SAndroid Build Coastguard Worker /*
1180*5e7646d2SAndroid Build Coastguard Worker * If the user isn't in the group membership list, try the results from
1181*5e7646d2SAndroid Build Coastguard Worker * getgrouplist() which is supposed to return the full list of groups a user
1182*5e7646d2SAndroid Build Coastguard Worker * belongs to...
1183*5e7646d2SAndroid Build Coastguard Worker */
1184*5e7646d2SAndroid Build Coastguard Worker
1185*5e7646d2SAndroid Build Coastguard Worker if (user)
1186*5e7646d2SAndroid Build Coastguard Worker {
1187*5e7646d2SAndroid Build Coastguard Worker int ngroups; /* Number of groups */
1188*5e7646d2SAndroid Build Coastguard Worker # ifdef __APPLE__
1189*5e7646d2SAndroid Build Coastguard Worker int groups[2048]; /* Groups that user belongs to */
1190*5e7646d2SAndroid Build Coastguard Worker # else
1191*5e7646d2SAndroid Build Coastguard Worker gid_t groups[2048]; /* Groups that user belongs to */
1192*5e7646d2SAndroid Build Coastguard Worker # endif /* __APPLE__ */
1193*5e7646d2SAndroid Build Coastguard Worker
1194*5e7646d2SAndroid Build Coastguard Worker ngroups = (int)(sizeof(groups) / sizeof(groups[0]));
1195*5e7646d2SAndroid Build Coastguard Worker # ifdef __APPLE__
1196*5e7646d2SAndroid Build Coastguard Worker getgrouplist(username, (int)user->pw_gid, groups, &ngroups);
1197*5e7646d2SAndroid Build Coastguard Worker # else
1198*5e7646d2SAndroid Build Coastguard Worker getgrouplist(username, user->pw_gid, groups, &ngroups);
1199*5e7646d2SAndroid Build Coastguard Worker #endif /* __APPLE__ */
1200*5e7646d2SAndroid Build Coastguard Worker
1201*5e7646d2SAndroid Build Coastguard Worker for (i = 0; i < ngroups; i ++)
1202*5e7646d2SAndroid Build Coastguard Worker if ((int)groupid == (int)groups[i])
1203*5e7646d2SAndroid Build Coastguard Worker return (1);
1204*5e7646d2SAndroid Build Coastguard Worker }
1205*5e7646d2SAndroid Build Coastguard Worker #endif /* HAVE_GETGROUPLIST */
1206*5e7646d2SAndroid Build Coastguard Worker }
1207*5e7646d2SAndroid Build Coastguard Worker else
1208*5e7646d2SAndroid Build Coastguard Worker groupid = (gid_t)-1;
1209*5e7646d2SAndroid Build Coastguard Worker
1210*5e7646d2SAndroid Build Coastguard Worker /*
1211*5e7646d2SAndroid Build Coastguard Worker * Group doesn't exist or user not in group list, check the group ID
1212*5e7646d2SAndroid Build Coastguard Worker * against the user's group ID...
1213*5e7646d2SAndroid Build Coastguard Worker */
1214*5e7646d2SAndroid Build Coastguard Worker
1215*5e7646d2SAndroid Build Coastguard Worker if (user && groupid == user->pw_gid)
1216*5e7646d2SAndroid Build Coastguard Worker return (1);
1217*5e7646d2SAndroid Build Coastguard Worker
1218*5e7646d2SAndroid Build Coastguard Worker #ifdef HAVE_MBR_UID_TO_UUID
1219*5e7646d2SAndroid Build Coastguard Worker /*
1220*5e7646d2SAndroid Build Coastguard Worker * Check group membership through macOS membership API...
1221*5e7646d2SAndroid Build Coastguard Worker */
1222*5e7646d2SAndroid Build Coastguard Worker
1223*5e7646d2SAndroid Build Coastguard Worker if (user && !mbr_uid_to_uuid(user->pw_uid, useruuid))
1224*5e7646d2SAndroid Build Coastguard Worker {
1225*5e7646d2SAndroid Build Coastguard Worker if (groupid != (gid_t)-1)
1226*5e7646d2SAndroid Build Coastguard Worker {
1227*5e7646d2SAndroid Build Coastguard Worker /*
1228*5e7646d2SAndroid Build Coastguard Worker * Map group name to UUID and check membership...
1229*5e7646d2SAndroid Build Coastguard Worker */
1230*5e7646d2SAndroid Build Coastguard Worker
1231*5e7646d2SAndroid Build Coastguard Worker if (!mbr_gid_to_uuid(groupid, groupuuid))
1232*5e7646d2SAndroid Build Coastguard Worker if (!mbr_check_membership(useruuid, groupuuid, &is_member))
1233*5e7646d2SAndroid Build Coastguard Worker if (is_member)
1234*5e7646d2SAndroid Build Coastguard Worker return (1);
1235*5e7646d2SAndroid Build Coastguard Worker }
1236*5e7646d2SAndroid Build Coastguard Worker else if (groupname[0] == '#')
1237*5e7646d2SAndroid Build Coastguard Worker {
1238*5e7646d2SAndroid Build Coastguard Worker /*
1239*5e7646d2SAndroid Build Coastguard Worker * Use UUID directly and check for equality (user UUID) and
1240*5e7646d2SAndroid Build Coastguard Worker * membership (group UUID)...
1241*5e7646d2SAndroid Build Coastguard Worker */
1242*5e7646d2SAndroid Build Coastguard Worker
1243*5e7646d2SAndroid Build Coastguard Worker if (!uuid_parse((char *)groupname + 1, groupuuid))
1244*5e7646d2SAndroid Build Coastguard Worker {
1245*5e7646d2SAndroid Build Coastguard Worker if (!uuid_compare(useruuid, groupuuid))
1246*5e7646d2SAndroid Build Coastguard Worker return (1);
1247*5e7646d2SAndroid Build Coastguard Worker else if (!mbr_check_membership(useruuid, groupuuid, &is_member))
1248*5e7646d2SAndroid Build Coastguard Worker if (is_member)
1249*5e7646d2SAndroid Build Coastguard Worker return (1);
1250*5e7646d2SAndroid Build Coastguard Worker }
1251*5e7646d2SAndroid Build Coastguard Worker
1252*5e7646d2SAndroid Build Coastguard Worker return (0);
1253*5e7646d2SAndroid Build Coastguard Worker }
1254*5e7646d2SAndroid Build Coastguard Worker }
1255*5e7646d2SAndroid Build Coastguard Worker else if (groupname[0] == '#')
1256*5e7646d2SAndroid Build Coastguard Worker return (0);
1257*5e7646d2SAndroid Build Coastguard Worker #endif /* HAVE_MBR_UID_TO_UUID */
1258*5e7646d2SAndroid Build Coastguard Worker
1259*5e7646d2SAndroid Build Coastguard Worker /*
1260*5e7646d2SAndroid Build Coastguard Worker * If we get this far, then the user isn't part of the named group...
1261*5e7646d2SAndroid Build Coastguard Worker */
1262*5e7646d2SAndroid Build Coastguard Worker
1263*5e7646d2SAndroid Build Coastguard Worker return (0);
1264*5e7646d2SAndroid Build Coastguard Worker }
1265*5e7646d2SAndroid Build Coastguard Worker
1266*5e7646d2SAndroid Build Coastguard Worker
1267*5e7646d2SAndroid Build Coastguard Worker /*
1268*5e7646d2SAndroid Build Coastguard Worker * 'cupsdCopyLocation()' - Make a copy of a location...
1269*5e7646d2SAndroid Build Coastguard Worker */
1270*5e7646d2SAndroid Build Coastguard Worker
1271*5e7646d2SAndroid Build Coastguard Worker cupsd_location_t * /* O - New location */
cupsdCopyLocation(cupsd_location_t * loc)1272*5e7646d2SAndroid Build Coastguard Worker cupsdCopyLocation(
1273*5e7646d2SAndroid Build Coastguard Worker cupsd_location_t *loc) /* I - Original location */
1274*5e7646d2SAndroid Build Coastguard Worker {
1275*5e7646d2SAndroid Build Coastguard Worker cupsd_location_t *temp; /* New location */
1276*5e7646d2SAndroid Build Coastguard Worker
1277*5e7646d2SAndroid Build Coastguard Worker
1278*5e7646d2SAndroid Build Coastguard Worker /*
1279*5e7646d2SAndroid Build Coastguard Worker * Make a copy of the original location...
1280*5e7646d2SAndroid Build Coastguard Worker */
1281*5e7646d2SAndroid Build Coastguard Worker
1282*5e7646d2SAndroid Build Coastguard Worker if ((temp = calloc(1, sizeof(cupsd_location_t))) == NULL)
1283*5e7646d2SAndroid Build Coastguard Worker return (NULL);
1284*5e7646d2SAndroid Build Coastguard Worker
1285*5e7646d2SAndroid Build Coastguard Worker /*
1286*5e7646d2SAndroid Build Coastguard Worker * Copy the information from the original location to the new one.
1287*5e7646d2SAndroid Build Coastguard Worker */
1288*5e7646d2SAndroid Build Coastguard Worker
1289*5e7646d2SAndroid Build Coastguard Worker if (!loc)
1290*5e7646d2SAndroid Build Coastguard Worker return (temp);
1291*5e7646d2SAndroid Build Coastguard Worker
1292*5e7646d2SAndroid Build Coastguard Worker if (loc->location)
1293*5e7646d2SAndroid Build Coastguard Worker temp->location = _cupsStrAlloc(loc->location);
1294*5e7646d2SAndroid Build Coastguard Worker
1295*5e7646d2SAndroid Build Coastguard Worker temp->length = loc->length;
1296*5e7646d2SAndroid Build Coastguard Worker temp->limit = loc->limit;
1297*5e7646d2SAndroid Build Coastguard Worker temp->order_type = loc->order_type;
1298*5e7646d2SAndroid Build Coastguard Worker temp->type = loc->type;
1299*5e7646d2SAndroid Build Coastguard Worker temp->level = loc->level;
1300*5e7646d2SAndroid Build Coastguard Worker temp->satisfy = loc->satisfy;
1301*5e7646d2SAndroid Build Coastguard Worker temp->encryption = loc->encryption;
1302*5e7646d2SAndroid Build Coastguard Worker
1303*5e7646d2SAndroid Build Coastguard Worker if (loc->names)
1304*5e7646d2SAndroid Build Coastguard Worker {
1305*5e7646d2SAndroid Build Coastguard Worker if ((temp->names = cupsArrayDup(loc->names)) == NULL)
1306*5e7646d2SAndroid Build Coastguard Worker {
1307*5e7646d2SAndroid Build Coastguard Worker cupsdLogMessage(CUPSD_LOG_ERROR,
1308*5e7646d2SAndroid Build Coastguard Worker "Unable to allocate memory for %d names: %s",
1309*5e7646d2SAndroid Build Coastguard Worker cupsArrayCount(loc->names), strerror(errno));
1310*5e7646d2SAndroid Build Coastguard Worker
1311*5e7646d2SAndroid Build Coastguard Worker cupsdFreeLocation(temp);
1312*5e7646d2SAndroid Build Coastguard Worker return (NULL);
1313*5e7646d2SAndroid Build Coastguard Worker }
1314*5e7646d2SAndroid Build Coastguard Worker }
1315*5e7646d2SAndroid Build Coastguard Worker
1316*5e7646d2SAndroid Build Coastguard Worker if (loc->allow)
1317*5e7646d2SAndroid Build Coastguard Worker {
1318*5e7646d2SAndroid Build Coastguard Worker /*
1319*5e7646d2SAndroid Build Coastguard Worker * Copy allow rules...
1320*5e7646d2SAndroid Build Coastguard Worker */
1321*5e7646d2SAndroid Build Coastguard Worker
1322*5e7646d2SAndroid Build Coastguard Worker if ((temp->allow = cupsArrayDup(loc->allow)) == NULL)
1323*5e7646d2SAndroid Build Coastguard Worker {
1324*5e7646d2SAndroid Build Coastguard Worker cupsdLogMessage(CUPSD_LOG_ERROR,
1325*5e7646d2SAndroid Build Coastguard Worker "Unable to allocate memory for %d allow rules: %s",
1326*5e7646d2SAndroid Build Coastguard Worker cupsArrayCount(loc->allow), strerror(errno));
1327*5e7646d2SAndroid Build Coastguard Worker cupsdFreeLocation(temp);
1328*5e7646d2SAndroid Build Coastguard Worker return (NULL);
1329*5e7646d2SAndroid Build Coastguard Worker }
1330*5e7646d2SAndroid Build Coastguard Worker }
1331*5e7646d2SAndroid Build Coastguard Worker
1332*5e7646d2SAndroid Build Coastguard Worker if (loc->deny)
1333*5e7646d2SAndroid Build Coastguard Worker {
1334*5e7646d2SAndroid Build Coastguard Worker /*
1335*5e7646d2SAndroid Build Coastguard Worker * Copy deny rules...
1336*5e7646d2SAndroid Build Coastguard Worker */
1337*5e7646d2SAndroid Build Coastguard Worker
1338*5e7646d2SAndroid Build Coastguard Worker if ((temp->deny = cupsArrayDup(loc->deny)) == NULL)
1339*5e7646d2SAndroid Build Coastguard Worker {
1340*5e7646d2SAndroid Build Coastguard Worker cupsdLogMessage(CUPSD_LOG_ERROR,
1341*5e7646d2SAndroid Build Coastguard Worker "Unable to allocate memory for %d deny rules: %s",
1342*5e7646d2SAndroid Build Coastguard Worker cupsArrayCount(loc->deny), strerror(errno));
1343*5e7646d2SAndroid Build Coastguard Worker cupsdFreeLocation(temp);
1344*5e7646d2SAndroid Build Coastguard Worker return (NULL);
1345*5e7646d2SAndroid Build Coastguard Worker }
1346*5e7646d2SAndroid Build Coastguard Worker }
1347*5e7646d2SAndroid Build Coastguard Worker
1348*5e7646d2SAndroid Build Coastguard Worker return (temp);
1349*5e7646d2SAndroid Build Coastguard Worker }
1350*5e7646d2SAndroid Build Coastguard Worker
1351*5e7646d2SAndroid Build Coastguard Worker
1352*5e7646d2SAndroid Build Coastguard Worker /*
1353*5e7646d2SAndroid Build Coastguard Worker * 'cupsdDeleteAllLocations()' - Free all memory used for location authorization.
1354*5e7646d2SAndroid Build Coastguard Worker */
1355*5e7646d2SAndroid Build Coastguard Worker
1356*5e7646d2SAndroid Build Coastguard Worker void
cupsdDeleteAllLocations(void)1357*5e7646d2SAndroid Build Coastguard Worker cupsdDeleteAllLocations(void)
1358*5e7646d2SAndroid Build Coastguard Worker {
1359*5e7646d2SAndroid Build Coastguard Worker /*
1360*5e7646d2SAndroid Build Coastguard Worker * Free the location array, which will free all of the locations...
1361*5e7646d2SAndroid Build Coastguard Worker */
1362*5e7646d2SAndroid Build Coastguard Worker
1363*5e7646d2SAndroid Build Coastguard Worker cupsArrayDelete(Locations);
1364*5e7646d2SAndroid Build Coastguard Worker Locations = NULL;
1365*5e7646d2SAndroid Build Coastguard Worker }
1366*5e7646d2SAndroid Build Coastguard Worker
1367*5e7646d2SAndroid Build Coastguard Worker
1368*5e7646d2SAndroid Build Coastguard Worker /*
1369*5e7646d2SAndroid Build Coastguard Worker * 'cupsdFindBest()' - Find the location entry that best matches the resource.
1370*5e7646d2SAndroid Build Coastguard Worker */
1371*5e7646d2SAndroid Build Coastguard Worker
1372*5e7646d2SAndroid Build Coastguard Worker cupsd_location_t * /* O - Location that matches */
cupsdFindBest(const char * path,http_state_t state)1373*5e7646d2SAndroid Build Coastguard Worker cupsdFindBest(const char *path, /* I - Resource path */
1374*5e7646d2SAndroid Build Coastguard Worker http_state_t state) /* I - HTTP state/request */
1375*5e7646d2SAndroid Build Coastguard Worker {
1376*5e7646d2SAndroid Build Coastguard Worker char uri[HTTP_MAX_URI],
1377*5e7646d2SAndroid Build Coastguard Worker /* URI in request... */
1378*5e7646d2SAndroid Build Coastguard Worker *uriptr; /* Pointer into URI */
1379*5e7646d2SAndroid Build Coastguard Worker cupsd_location_t *loc, /* Current location */
1380*5e7646d2SAndroid Build Coastguard Worker *best; /* Best match for location so far */
1381*5e7646d2SAndroid Build Coastguard Worker size_t bestlen; /* Length of best match */
1382*5e7646d2SAndroid Build Coastguard Worker int limit; /* Limit field */
1383*5e7646d2SAndroid Build Coastguard Worker static const int limits[] = /* Map http_status_t to CUPSD_AUTH_LIMIT_xyz */
1384*5e7646d2SAndroid Build Coastguard Worker {
1385*5e7646d2SAndroid Build Coastguard Worker CUPSD_AUTH_LIMIT_ALL,
1386*5e7646d2SAndroid Build Coastguard Worker CUPSD_AUTH_LIMIT_OPTIONS,
1387*5e7646d2SAndroid Build Coastguard Worker CUPSD_AUTH_LIMIT_GET,
1388*5e7646d2SAndroid Build Coastguard Worker CUPSD_AUTH_LIMIT_GET,
1389*5e7646d2SAndroid Build Coastguard Worker CUPSD_AUTH_LIMIT_HEAD,
1390*5e7646d2SAndroid Build Coastguard Worker CUPSD_AUTH_LIMIT_POST,
1391*5e7646d2SAndroid Build Coastguard Worker CUPSD_AUTH_LIMIT_POST,
1392*5e7646d2SAndroid Build Coastguard Worker CUPSD_AUTH_LIMIT_POST,
1393*5e7646d2SAndroid Build Coastguard Worker CUPSD_AUTH_LIMIT_PUT,
1394*5e7646d2SAndroid Build Coastguard Worker CUPSD_AUTH_LIMIT_PUT,
1395*5e7646d2SAndroid Build Coastguard Worker CUPSD_AUTH_LIMIT_DELETE,
1396*5e7646d2SAndroid Build Coastguard Worker CUPSD_AUTH_LIMIT_TRACE,
1397*5e7646d2SAndroid Build Coastguard Worker CUPSD_AUTH_LIMIT_ALL,
1398*5e7646d2SAndroid Build Coastguard Worker CUPSD_AUTH_LIMIT_ALL,
1399*5e7646d2SAndroid Build Coastguard Worker CUPSD_AUTH_LIMIT_ALL,
1400*5e7646d2SAndroid Build Coastguard Worker CUPSD_AUTH_LIMIT_ALL
1401*5e7646d2SAndroid Build Coastguard Worker };
1402*5e7646d2SAndroid Build Coastguard Worker
1403*5e7646d2SAndroid Build Coastguard Worker
1404*5e7646d2SAndroid Build Coastguard Worker /*
1405*5e7646d2SAndroid Build Coastguard Worker * First copy the connection URI to a local string so we have drop
1406*5e7646d2SAndroid Build Coastguard Worker * any .ppd extension from the pathname in /printers or /classes
1407*5e7646d2SAndroid Build Coastguard Worker * URIs...
1408*5e7646d2SAndroid Build Coastguard Worker */
1409*5e7646d2SAndroid Build Coastguard Worker
1410*5e7646d2SAndroid Build Coastguard Worker strlcpy(uri, path, sizeof(uri));
1411*5e7646d2SAndroid Build Coastguard Worker
1412*5e7646d2SAndroid Build Coastguard Worker if ((uriptr = strchr(uri, '?')) != NULL)
1413*5e7646d2SAndroid Build Coastguard Worker *uriptr = '\0'; /* Drop trailing query string */
1414*5e7646d2SAndroid Build Coastguard Worker
1415*5e7646d2SAndroid Build Coastguard Worker if ((uriptr = uri + strlen(uri) - 1) > uri && *uriptr == '/')
1416*5e7646d2SAndroid Build Coastguard Worker *uriptr = '\0'; /* Remove trailing '/' */
1417*5e7646d2SAndroid Build Coastguard Worker
1418*5e7646d2SAndroid Build Coastguard Worker if (!strncmp(uri, "/printers/", 10) ||
1419*5e7646d2SAndroid Build Coastguard Worker !strncmp(uri, "/classes/", 9))
1420*5e7646d2SAndroid Build Coastguard Worker {
1421*5e7646d2SAndroid Build Coastguard Worker /*
1422*5e7646d2SAndroid Build Coastguard Worker * Check if the URI has .ppd on the end...
1423*5e7646d2SAndroid Build Coastguard Worker */
1424*5e7646d2SAndroid Build Coastguard Worker
1425*5e7646d2SAndroid Build Coastguard Worker uriptr = uri + strlen(uri) - 4; /* len > 4 if we get here... */
1426*5e7646d2SAndroid Build Coastguard Worker
1427*5e7646d2SAndroid Build Coastguard Worker if (!strcmp(uriptr, ".ppd"))
1428*5e7646d2SAndroid Build Coastguard Worker *uriptr = '\0';
1429*5e7646d2SAndroid Build Coastguard Worker }
1430*5e7646d2SAndroid Build Coastguard Worker
1431*5e7646d2SAndroid Build Coastguard Worker /*
1432*5e7646d2SAndroid Build Coastguard Worker * Loop through the list of locations to find a match...
1433*5e7646d2SAndroid Build Coastguard Worker */
1434*5e7646d2SAndroid Build Coastguard Worker
1435*5e7646d2SAndroid Build Coastguard Worker limit = limits[state];
1436*5e7646d2SAndroid Build Coastguard Worker best = NULL;
1437*5e7646d2SAndroid Build Coastguard Worker bestlen = 0;
1438*5e7646d2SAndroid Build Coastguard Worker
1439*5e7646d2SAndroid Build Coastguard Worker cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdFindBest: uri=\"%s\", limit=%x...", uri, limit);
1440*5e7646d2SAndroid Build Coastguard Worker
1441*5e7646d2SAndroid Build Coastguard Worker
1442*5e7646d2SAndroid Build Coastguard Worker for (loc = (cupsd_location_t *)cupsArrayFirst(Locations);
1443*5e7646d2SAndroid Build Coastguard Worker loc;
1444*5e7646d2SAndroid Build Coastguard Worker loc = (cupsd_location_t *)cupsArrayNext(Locations))
1445*5e7646d2SAndroid Build Coastguard Worker {
1446*5e7646d2SAndroid Build Coastguard Worker cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdFindBest: Location %s(%d) Limit %x", loc->location ? loc->location : "(null)", (int)loc->length, loc->limit);
1447*5e7646d2SAndroid Build Coastguard Worker
1448*5e7646d2SAndroid Build Coastguard Worker if (!strncmp(uri, "/printers/", 10) || !strncmp(uri, "/classes/", 9))
1449*5e7646d2SAndroid Build Coastguard Worker {
1450*5e7646d2SAndroid Build Coastguard Worker /*
1451*5e7646d2SAndroid Build Coastguard Worker * Use case-insensitive comparison for queue names...
1452*5e7646d2SAndroid Build Coastguard Worker */
1453*5e7646d2SAndroid Build Coastguard Worker
1454*5e7646d2SAndroid Build Coastguard Worker if (loc->length > bestlen && loc->location &&
1455*5e7646d2SAndroid Build Coastguard Worker !_cups_strncasecmp(uri, loc->location, loc->length) &&
1456*5e7646d2SAndroid Build Coastguard Worker loc->location[0] == '/' &&
1457*5e7646d2SAndroid Build Coastguard Worker (limit & loc->limit) != 0)
1458*5e7646d2SAndroid Build Coastguard Worker {
1459*5e7646d2SAndroid Build Coastguard Worker best = loc;
1460*5e7646d2SAndroid Build Coastguard Worker bestlen = loc->length;
1461*5e7646d2SAndroid Build Coastguard Worker }
1462*5e7646d2SAndroid Build Coastguard Worker }
1463*5e7646d2SAndroid Build Coastguard Worker else
1464*5e7646d2SAndroid Build Coastguard Worker {
1465*5e7646d2SAndroid Build Coastguard Worker /*
1466*5e7646d2SAndroid Build Coastguard Worker * Use case-sensitive comparison for other URIs...
1467*5e7646d2SAndroid Build Coastguard Worker */
1468*5e7646d2SAndroid Build Coastguard Worker
1469*5e7646d2SAndroid Build Coastguard Worker if (loc->length > bestlen && loc->location &&
1470*5e7646d2SAndroid Build Coastguard Worker !strncmp(uri, loc->location, loc->length) &&
1471*5e7646d2SAndroid Build Coastguard Worker loc->location[0] == '/' &&
1472*5e7646d2SAndroid Build Coastguard Worker (limit & loc->limit) != 0)
1473*5e7646d2SAndroid Build Coastguard Worker {
1474*5e7646d2SAndroid Build Coastguard Worker best = loc;
1475*5e7646d2SAndroid Build Coastguard Worker bestlen = loc->length;
1476*5e7646d2SAndroid Build Coastguard Worker }
1477*5e7646d2SAndroid Build Coastguard Worker }
1478*5e7646d2SAndroid Build Coastguard Worker }
1479*5e7646d2SAndroid Build Coastguard Worker
1480*5e7646d2SAndroid Build Coastguard Worker /*
1481*5e7646d2SAndroid Build Coastguard Worker * Return the match, if any...
1482*5e7646d2SAndroid Build Coastguard Worker */
1483*5e7646d2SAndroid Build Coastguard Worker
1484*5e7646d2SAndroid Build Coastguard Worker cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdFindBest: best=%s", best ? best->location : "NONE");
1485*5e7646d2SAndroid Build Coastguard Worker
1486*5e7646d2SAndroid Build Coastguard Worker return (best);
1487*5e7646d2SAndroid Build Coastguard Worker }
1488*5e7646d2SAndroid Build Coastguard Worker
1489*5e7646d2SAndroid Build Coastguard Worker
1490*5e7646d2SAndroid Build Coastguard Worker /*
1491*5e7646d2SAndroid Build Coastguard Worker * 'cupsdFindLocation()' - Find the named location.
1492*5e7646d2SAndroid Build Coastguard Worker */
1493*5e7646d2SAndroid Build Coastguard Worker
1494*5e7646d2SAndroid Build Coastguard Worker cupsd_location_t * /* O - Location that matches */
cupsdFindLocation(const char * location)1495*5e7646d2SAndroid Build Coastguard Worker cupsdFindLocation(const char *location) /* I - Connection */
1496*5e7646d2SAndroid Build Coastguard Worker {
1497*5e7646d2SAndroid Build Coastguard Worker cupsd_location_t key; /* Search key */
1498*5e7646d2SAndroid Build Coastguard Worker
1499*5e7646d2SAndroid Build Coastguard Worker
1500*5e7646d2SAndroid Build Coastguard Worker key.location = (char *)location;
1501*5e7646d2SAndroid Build Coastguard Worker
1502*5e7646d2SAndroid Build Coastguard Worker return ((cupsd_location_t *)cupsArrayFind(Locations, &key));
1503*5e7646d2SAndroid Build Coastguard Worker }
1504*5e7646d2SAndroid Build Coastguard Worker
1505*5e7646d2SAndroid Build Coastguard Worker
1506*5e7646d2SAndroid Build Coastguard Worker /*
1507*5e7646d2SAndroid Build Coastguard Worker * 'cupsdFreeLocation()' - Free all memory used by a location.
1508*5e7646d2SAndroid Build Coastguard Worker */
1509*5e7646d2SAndroid Build Coastguard Worker
1510*5e7646d2SAndroid Build Coastguard Worker void
cupsdFreeLocation(cupsd_location_t * loc)1511*5e7646d2SAndroid Build Coastguard Worker cupsdFreeLocation(cupsd_location_t *loc)/* I - Location to free */
1512*5e7646d2SAndroid Build Coastguard Worker {
1513*5e7646d2SAndroid Build Coastguard Worker cupsArrayDelete(loc->names);
1514*5e7646d2SAndroid Build Coastguard Worker cupsArrayDelete(loc->allow);
1515*5e7646d2SAndroid Build Coastguard Worker cupsArrayDelete(loc->deny);
1516*5e7646d2SAndroid Build Coastguard Worker
1517*5e7646d2SAndroid Build Coastguard Worker _cupsStrFree(loc->location);
1518*5e7646d2SAndroid Build Coastguard Worker free(loc);
1519*5e7646d2SAndroid Build Coastguard Worker }
1520*5e7646d2SAndroid Build Coastguard Worker
1521*5e7646d2SAndroid Build Coastguard Worker
1522*5e7646d2SAndroid Build Coastguard Worker /*
1523*5e7646d2SAndroid Build Coastguard Worker * 'cupsdIsAuthorized()' - Check to see if the user is authorized...
1524*5e7646d2SAndroid Build Coastguard Worker */
1525*5e7646d2SAndroid Build Coastguard Worker
1526*5e7646d2SAndroid Build Coastguard Worker http_status_t /* O - HTTP_OK if authorized or error code */
cupsdIsAuthorized(cupsd_client_t * con,const char * owner)1527*5e7646d2SAndroid Build Coastguard Worker cupsdIsAuthorized(cupsd_client_t *con, /* I - Connection */
1528*5e7646d2SAndroid Build Coastguard Worker const char *owner)/* I - Owner of object */
1529*5e7646d2SAndroid Build Coastguard Worker {
1530*5e7646d2SAndroid Build Coastguard Worker int i, /* Looping vars */
1531*5e7646d2SAndroid Build Coastguard Worker auth, /* Authorization status */
1532*5e7646d2SAndroid Build Coastguard Worker type; /* Type of authentication */
1533*5e7646d2SAndroid Build Coastguard Worker http_addr_t *hostaddr = httpGetAddress(con->http);
1534*5e7646d2SAndroid Build Coastguard Worker /* Client address */
1535*5e7646d2SAndroid Build Coastguard Worker const char *hostname = httpGetHostname(con->http, NULL, 0);
1536*5e7646d2SAndroid Build Coastguard Worker /* Client hostname */
1537*5e7646d2SAndroid Build Coastguard Worker unsigned address[4]; /* Authorization address */
1538*5e7646d2SAndroid Build Coastguard Worker cupsd_location_t *best; /* Best match for location so far */
1539*5e7646d2SAndroid Build Coastguard Worker size_t hostlen; /* Length of hostname */
1540*5e7646d2SAndroid Build Coastguard Worker char *name, /* Current username */
1541*5e7646d2SAndroid Build Coastguard Worker username[256], /* Username to authorize */
1542*5e7646d2SAndroid Build Coastguard Worker ownername[256], /* Owner name to authorize */
1543*5e7646d2SAndroid Build Coastguard Worker *ptr; /* Pointer into username */
1544*5e7646d2SAndroid Build Coastguard Worker struct passwd *pw; /* User password data */
1545*5e7646d2SAndroid Build Coastguard Worker static const char * const levels[] = /* Auth levels */
1546*5e7646d2SAndroid Build Coastguard Worker {
1547*5e7646d2SAndroid Build Coastguard Worker "ANON",
1548*5e7646d2SAndroid Build Coastguard Worker "USER",
1549*5e7646d2SAndroid Build Coastguard Worker "GROUP"
1550*5e7646d2SAndroid Build Coastguard Worker };
1551*5e7646d2SAndroid Build Coastguard Worker static const char * const types[] = /* Auth types */
1552*5e7646d2SAndroid Build Coastguard Worker {
1553*5e7646d2SAndroid Build Coastguard Worker "None",
1554*5e7646d2SAndroid Build Coastguard Worker "Basic",
1555*5e7646d2SAndroid Build Coastguard Worker "Negotiate"
1556*5e7646d2SAndroid Build Coastguard Worker };
1557*5e7646d2SAndroid Build Coastguard Worker
1558*5e7646d2SAndroid Build Coastguard Worker
1559*5e7646d2SAndroid Build Coastguard Worker cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdIsAuthorized: con->uri=\"%s\", con->best=%p(%s)", con->uri, con->best, con->best ? con->best->location ? con->best->location : "(null)" : "");
1560*5e7646d2SAndroid Build Coastguard Worker if (owner)
1561*5e7646d2SAndroid Build Coastguard Worker cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdIsAuthorized: owner=\"%s\"", owner);
1562*5e7646d2SAndroid Build Coastguard Worker
1563*5e7646d2SAndroid Build Coastguard Worker /*
1564*5e7646d2SAndroid Build Coastguard Worker * If there is no "best" authentication rule for this request, then
1565*5e7646d2SAndroid Build Coastguard Worker * access is allowed from the local system and denied from other
1566*5e7646d2SAndroid Build Coastguard Worker * addresses...
1567*5e7646d2SAndroid Build Coastguard Worker */
1568*5e7646d2SAndroid Build Coastguard Worker
1569*5e7646d2SAndroid Build Coastguard Worker if (!con->best)
1570*5e7646d2SAndroid Build Coastguard Worker {
1571*5e7646d2SAndroid Build Coastguard Worker if (httpAddrLocalhost(httpGetAddress(con->http)) ||
1572*5e7646d2SAndroid Build Coastguard Worker !strcmp(hostname, ServerName) ||
1573*5e7646d2SAndroid Build Coastguard Worker cupsArrayFind(ServerAlias, (void *)hostname))
1574*5e7646d2SAndroid Build Coastguard Worker return (HTTP_OK);
1575*5e7646d2SAndroid Build Coastguard Worker else
1576*5e7646d2SAndroid Build Coastguard Worker return (HTTP_FORBIDDEN);
1577*5e7646d2SAndroid Build Coastguard Worker }
1578*5e7646d2SAndroid Build Coastguard Worker
1579*5e7646d2SAndroid Build Coastguard Worker best = con->best;
1580*5e7646d2SAndroid Build Coastguard Worker
1581*5e7646d2SAndroid Build Coastguard Worker if ((type = best->type) == CUPSD_AUTH_DEFAULT)
1582*5e7646d2SAndroid Build Coastguard Worker type = cupsdDefaultAuthType();
1583*5e7646d2SAndroid Build Coastguard Worker
1584*5e7646d2SAndroid Build Coastguard Worker cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdIsAuthorized: level=CUPSD_AUTH_%s, type=%s, satisfy=CUPSD_AUTH_SATISFY_%s, num_names=%d", levels[best->level], types[type], best->satisfy ? "ANY" : "ALL", cupsArrayCount(best->names));
1585*5e7646d2SAndroid Build Coastguard Worker
1586*5e7646d2SAndroid Build Coastguard Worker if (best->limit == CUPSD_AUTH_LIMIT_IPP)
1587*5e7646d2SAndroid Build Coastguard Worker cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdIsAuthorized: op=%x(%s)", best->op, ippOpString(best->op));
1588*5e7646d2SAndroid Build Coastguard Worker
1589*5e7646d2SAndroid Build Coastguard Worker /*
1590*5e7646d2SAndroid Build Coastguard Worker * Check host/ip-based accesses...
1591*5e7646d2SAndroid Build Coastguard Worker */
1592*5e7646d2SAndroid Build Coastguard Worker
1593*5e7646d2SAndroid Build Coastguard Worker #ifdef AF_INET6
1594*5e7646d2SAndroid Build Coastguard Worker if (httpAddrFamily(hostaddr) == AF_INET6)
1595*5e7646d2SAndroid Build Coastguard Worker {
1596*5e7646d2SAndroid Build Coastguard Worker /*
1597*5e7646d2SAndroid Build Coastguard Worker * Copy IPv6 address...
1598*5e7646d2SAndroid Build Coastguard Worker */
1599*5e7646d2SAndroid Build Coastguard Worker
1600*5e7646d2SAndroid Build Coastguard Worker address[0] = ntohl(hostaddr->ipv6.sin6_addr.s6_addr32[0]);
1601*5e7646d2SAndroid Build Coastguard Worker address[1] = ntohl(hostaddr->ipv6.sin6_addr.s6_addr32[1]);
1602*5e7646d2SAndroid Build Coastguard Worker address[2] = ntohl(hostaddr->ipv6.sin6_addr.s6_addr32[2]);
1603*5e7646d2SAndroid Build Coastguard Worker address[3] = ntohl(hostaddr->ipv6.sin6_addr.s6_addr32[3]);
1604*5e7646d2SAndroid Build Coastguard Worker }
1605*5e7646d2SAndroid Build Coastguard Worker else
1606*5e7646d2SAndroid Build Coastguard Worker #endif /* AF_INET6 */
1607*5e7646d2SAndroid Build Coastguard Worker if (con->http->hostaddr->addr.sa_family == AF_INET)
1608*5e7646d2SAndroid Build Coastguard Worker {
1609*5e7646d2SAndroid Build Coastguard Worker /*
1610*5e7646d2SAndroid Build Coastguard Worker * Copy IPv4 address...
1611*5e7646d2SAndroid Build Coastguard Worker */
1612*5e7646d2SAndroid Build Coastguard Worker
1613*5e7646d2SAndroid Build Coastguard Worker address[0] = 0;
1614*5e7646d2SAndroid Build Coastguard Worker address[1] = 0;
1615*5e7646d2SAndroid Build Coastguard Worker address[2] = 0;
1616*5e7646d2SAndroid Build Coastguard Worker address[3] = ntohl(hostaddr->ipv4.sin_addr.s_addr);
1617*5e7646d2SAndroid Build Coastguard Worker }
1618*5e7646d2SAndroid Build Coastguard Worker else
1619*5e7646d2SAndroid Build Coastguard Worker memset(address, 0, sizeof(address));
1620*5e7646d2SAndroid Build Coastguard Worker
1621*5e7646d2SAndroid Build Coastguard Worker hostlen = strlen(hostname);
1622*5e7646d2SAndroid Build Coastguard Worker
1623*5e7646d2SAndroid Build Coastguard Worker auth = cupsdCheckAccess(address, hostname, hostlen, best)
1624*5e7646d2SAndroid Build Coastguard Worker ? CUPSD_AUTH_ALLOW : CUPSD_AUTH_DENY;
1625*5e7646d2SAndroid Build Coastguard Worker
1626*5e7646d2SAndroid Build Coastguard Worker cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdIsAuthorized: auth=CUPSD_AUTH_%s...", auth ? "DENY" : "ALLOW");
1627*5e7646d2SAndroid Build Coastguard Worker
1628*5e7646d2SAndroid Build Coastguard Worker if (auth == CUPSD_AUTH_DENY && best->satisfy == CUPSD_AUTH_SATISFY_ALL)
1629*5e7646d2SAndroid Build Coastguard Worker return (HTTP_FORBIDDEN);
1630*5e7646d2SAndroid Build Coastguard Worker
1631*5e7646d2SAndroid Build Coastguard Worker #ifdef HAVE_SSL
1632*5e7646d2SAndroid Build Coastguard Worker /*
1633*5e7646d2SAndroid Build Coastguard Worker * See if encryption is required...
1634*5e7646d2SAndroid Build Coastguard Worker */
1635*5e7646d2SAndroid Build Coastguard Worker
1636*5e7646d2SAndroid Build Coastguard Worker if ((best->encryption >= HTTP_ENCRYPT_REQUIRED && !con->http->tls &&
1637*5e7646d2SAndroid Build Coastguard Worker _cups_strcasecmp(hostname, "localhost") &&
1638*5e7646d2SAndroid Build Coastguard Worker !httpAddrLocalhost(hostaddr) &&
1639*5e7646d2SAndroid Build Coastguard Worker best->satisfy == CUPSD_AUTH_SATISFY_ALL) &&
1640*5e7646d2SAndroid Build Coastguard Worker !(type == CUPSD_AUTH_NEGOTIATE ||
1641*5e7646d2SAndroid Build Coastguard Worker (type == CUPSD_AUTH_NONE &&
1642*5e7646d2SAndroid Build Coastguard Worker cupsdDefaultAuthType() == CUPSD_AUTH_NEGOTIATE)))
1643*5e7646d2SAndroid Build Coastguard Worker {
1644*5e7646d2SAndroid Build Coastguard Worker cupsdLogMessage(CUPSD_LOG_DEBUG,
1645*5e7646d2SAndroid Build Coastguard Worker "cupsdIsAuthorized: Need upgrade to TLS...");
1646*5e7646d2SAndroid Build Coastguard Worker return (HTTP_UPGRADE_REQUIRED);
1647*5e7646d2SAndroid Build Coastguard Worker }
1648*5e7646d2SAndroid Build Coastguard Worker #endif /* HAVE_SSL */
1649*5e7646d2SAndroid Build Coastguard Worker
1650*5e7646d2SAndroid Build Coastguard Worker /*
1651*5e7646d2SAndroid Build Coastguard Worker * Now see what access level is required...
1652*5e7646d2SAndroid Build Coastguard Worker */
1653*5e7646d2SAndroid Build Coastguard Worker
1654*5e7646d2SAndroid Build Coastguard Worker if (best->level == CUPSD_AUTH_ANON || /* Anonymous access - allow it */
1655*5e7646d2SAndroid Build Coastguard Worker (type == CUPSD_AUTH_NONE && cupsArrayCount(best->names) == 0))
1656*5e7646d2SAndroid Build Coastguard Worker return (HTTP_OK);
1657*5e7646d2SAndroid Build Coastguard Worker
1658*5e7646d2SAndroid Build Coastguard Worker if (!con->username[0] && type == CUPSD_AUTH_NONE &&
1659*5e7646d2SAndroid Build Coastguard Worker best->limit == CUPSD_AUTH_LIMIT_IPP)
1660*5e7646d2SAndroid Build Coastguard Worker {
1661*5e7646d2SAndroid Build Coastguard Worker /*
1662*5e7646d2SAndroid Build Coastguard Worker * Check for unauthenticated username...
1663*5e7646d2SAndroid Build Coastguard Worker */
1664*5e7646d2SAndroid Build Coastguard Worker
1665*5e7646d2SAndroid Build Coastguard Worker ipp_attribute_t *attr; /* requesting-user-name attribute */
1666*5e7646d2SAndroid Build Coastguard Worker
1667*5e7646d2SAndroid Build Coastguard Worker
1668*5e7646d2SAndroid Build Coastguard Worker attr = ippFindAttribute(con->request, "requesting-user-name", IPP_TAG_NAME);
1669*5e7646d2SAndroid Build Coastguard Worker if (attr)
1670*5e7646d2SAndroid Build Coastguard Worker {
1671*5e7646d2SAndroid Build Coastguard Worker cupsdLogMessage(CUPSD_LOG_DEBUG,
1672*5e7646d2SAndroid Build Coastguard Worker "cupsdIsAuthorized: requesting-user-name=\"%s\"",
1673*5e7646d2SAndroid Build Coastguard Worker attr->values[0].string.text);
1674*5e7646d2SAndroid Build Coastguard Worker strlcpy(username, attr->values[0].string.text, sizeof(username));
1675*5e7646d2SAndroid Build Coastguard Worker }
1676*5e7646d2SAndroid Build Coastguard Worker else if (best->satisfy == CUPSD_AUTH_SATISFY_ALL || auth == CUPSD_AUTH_DENY)
1677*5e7646d2SAndroid Build Coastguard Worker return (HTTP_UNAUTHORIZED); /* Non-anonymous needs user/pass */
1678*5e7646d2SAndroid Build Coastguard Worker else
1679*5e7646d2SAndroid Build Coastguard Worker return (HTTP_OK); /* unless overridden with Satisfy */
1680*5e7646d2SAndroid Build Coastguard Worker }
1681*5e7646d2SAndroid Build Coastguard Worker else
1682*5e7646d2SAndroid Build Coastguard Worker {
1683*5e7646d2SAndroid Build Coastguard Worker cupsdLogMessage(CUPSD_LOG_DEBUG, "cupsdIsAuthorized: username=\"%s\"",
1684*5e7646d2SAndroid Build Coastguard Worker con->username);
1685*5e7646d2SAndroid Build Coastguard Worker
1686*5e7646d2SAndroid Build Coastguard Worker #ifdef HAVE_AUTHORIZATION_H
1687*5e7646d2SAndroid Build Coastguard Worker if (!con->username[0] && !con->authref)
1688*5e7646d2SAndroid Build Coastguard Worker #else
1689*5e7646d2SAndroid Build Coastguard Worker if (!con->username[0])
1690*5e7646d2SAndroid Build Coastguard Worker #endif /* HAVE_AUTHORIZATION_H */
1691*5e7646d2SAndroid Build Coastguard Worker {
1692*5e7646d2SAndroid Build Coastguard Worker if (best->satisfy == CUPSD_AUTH_SATISFY_ALL || auth == CUPSD_AUTH_DENY)
1693*5e7646d2SAndroid Build Coastguard Worker return (HTTP_UNAUTHORIZED); /* Non-anonymous needs user/pass */
1694*5e7646d2SAndroid Build Coastguard Worker else
1695*5e7646d2SAndroid Build Coastguard Worker return (HTTP_OK); /* unless overridden with Satisfy */
1696*5e7646d2SAndroid Build Coastguard Worker }
1697*5e7646d2SAndroid Build Coastguard Worker
1698*5e7646d2SAndroid Build Coastguard Worker
1699*5e7646d2SAndroid Build Coastguard Worker if (con->type != type && type != CUPSD_AUTH_NONE &&
1700*5e7646d2SAndroid Build Coastguard Worker #ifdef HAVE_GSSAPI
1701*5e7646d2SAndroid Build Coastguard Worker (type != CUPSD_AUTH_NEGOTIATE || con->gss_uid <= 0) &&
1702*5e7646d2SAndroid Build Coastguard Worker #endif /* HAVE_GSSAPI */
1703*5e7646d2SAndroid Build Coastguard Worker con->type != CUPSD_AUTH_BASIC)
1704*5e7646d2SAndroid Build Coastguard Worker {
1705*5e7646d2SAndroid Build Coastguard Worker cupsdLogMessage(CUPSD_LOG_ERROR, "Authorized using %s, expected %s.",
1706*5e7646d2SAndroid Build Coastguard Worker types[con->type], types[type]);
1707*5e7646d2SAndroid Build Coastguard Worker
1708*5e7646d2SAndroid Build Coastguard Worker return (HTTP_UNAUTHORIZED);
1709*5e7646d2SAndroid Build Coastguard Worker }
1710*5e7646d2SAndroid Build Coastguard Worker
1711*5e7646d2SAndroid Build Coastguard Worker strlcpy(username, con->username, sizeof(username));
1712*5e7646d2SAndroid Build Coastguard Worker }
1713*5e7646d2SAndroid Build Coastguard Worker
1714*5e7646d2SAndroid Build Coastguard Worker /*
1715*5e7646d2SAndroid Build Coastguard Worker * OK, got a username. See if we need normal user access, or group
1716*5e7646d2SAndroid Build Coastguard Worker * access... (root always matches)
1717*5e7646d2SAndroid Build Coastguard Worker */
1718*5e7646d2SAndroid Build Coastguard Worker
1719*5e7646d2SAndroid Build Coastguard Worker if (!strcmp(username, "root"))
1720*5e7646d2SAndroid Build Coastguard Worker return (HTTP_OK);
1721*5e7646d2SAndroid Build Coastguard Worker
1722*5e7646d2SAndroid Build Coastguard Worker /*
1723*5e7646d2SAndroid Build Coastguard Worker * Strip any @domain or @KDC from the username and owner...
1724*5e7646d2SAndroid Build Coastguard Worker */
1725*5e7646d2SAndroid Build Coastguard Worker
1726*5e7646d2SAndroid Build Coastguard Worker if ((ptr = strchr(username, '@')) != NULL)
1727*5e7646d2SAndroid Build Coastguard Worker *ptr = '\0';
1728*5e7646d2SAndroid Build Coastguard Worker
1729*5e7646d2SAndroid Build Coastguard Worker if (owner)
1730*5e7646d2SAndroid Build Coastguard Worker {
1731*5e7646d2SAndroid Build Coastguard Worker strlcpy(ownername, owner, sizeof(ownername));
1732*5e7646d2SAndroid Build Coastguard Worker
1733*5e7646d2SAndroid Build Coastguard Worker if ((ptr = strchr(ownername, '@')) != NULL)
1734*5e7646d2SAndroid Build Coastguard Worker *ptr = '\0';
1735*5e7646d2SAndroid Build Coastguard Worker }
1736*5e7646d2SAndroid Build Coastguard Worker else
1737*5e7646d2SAndroid Build Coastguard Worker ownername[0] = '\0';
1738*5e7646d2SAndroid Build Coastguard Worker
1739*5e7646d2SAndroid Build Coastguard Worker /*
1740*5e7646d2SAndroid Build Coastguard Worker * Get the user info...
1741*5e7646d2SAndroid Build Coastguard Worker */
1742*5e7646d2SAndroid Build Coastguard Worker
1743*5e7646d2SAndroid Build Coastguard Worker if (username[0])
1744*5e7646d2SAndroid Build Coastguard Worker {
1745*5e7646d2SAndroid Build Coastguard Worker pw = getpwnam(username);
1746*5e7646d2SAndroid Build Coastguard Worker endpwent();
1747*5e7646d2SAndroid Build Coastguard Worker }
1748*5e7646d2SAndroid Build Coastguard Worker else
1749*5e7646d2SAndroid Build Coastguard Worker pw = NULL;
1750*5e7646d2SAndroid Build Coastguard Worker
1751*5e7646d2SAndroid Build Coastguard Worker if (best->level == CUPSD_AUTH_USER)
1752*5e7646d2SAndroid Build Coastguard Worker {
1753*5e7646d2SAndroid Build Coastguard Worker /*
1754*5e7646d2SAndroid Build Coastguard Worker * If there are no names associated with this location, then
1755*5e7646d2SAndroid Build Coastguard Worker * any valid user is OK...
1756*5e7646d2SAndroid Build Coastguard Worker */
1757*5e7646d2SAndroid Build Coastguard Worker
1758*5e7646d2SAndroid Build Coastguard Worker if (cupsArrayCount(best->names) == 0)
1759*5e7646d2SAndroid Build Coastguard Worker return (HTTP_OK);
1760*5e7646d2SAndroid Build Coastguard Worker
1761*5e7646d2SAndroid Build Coastguard Worker /*
1762*5e7646d2SAndroid Build Coastguard Worker * Otherwise check the user list and return OK if this user is
1763*5e7646d2SAndroid Build Coastguard Worker * allowed...
1764*5e7646d2SAndroid Build Coastguard Worker */
1765*5e7646d2SAndroid Build Coastguard Worker
1766*5e7646d2SAndroid Build Coastguard Worker cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdIsAuthorized: Checking user membership...");
1767*5e7646d2SAndroid Build Coastguard Worker
1768*5e7646d2SAndroid Build Coastguard Worker #ifdef HAVE_AUTHORIZATION_H
1769*5e7646d2SAndroid Build Coastguard Worker /*
1770*5e7646d2SAndroid Build Coastguard Worker * If an authorization reference was supplied it must match a right name...
1771*5e7646d2SAndroid Build Coastguard Worker */
1772*5e7646d2SAndroid Build Coastguard Worker
1773*5e7646d2SAndroid Build Coastguard Worker if (con->authref)
1774*5e7646d2SAndroid Build Coastguard Worker {
1775*5e7646d2SAndroid Build Coastguard Worker for (name = (char *)cupsArrayFirst(best->names);
1776*5e7646d2SAndroid Build Coastguard Worker name;
1777*5e7646d2SAndroid Build Coastguard Worker name = (char *)cupsArrayNext(best->names))
1778*5e7646d2SAndroid Build Coastguard Worker {
1779*5e7646d2SAndroid Build Coastguard Worker if (!_cups_strncasecmp(name, "@AUTHKEY(", 9) && check_authref(con, name + 9))
1780*5e7646d2SAndroid Build Coastguard Worker return (HTTP_OK);
1781*5e7646d2SAndroid Build Coastguard Worker else if (!_cups_strcasecmp(name, "@SYSTEM") && SystemGroupAuthKey &&
1782*5e7646d2SAndroid Build Coastguard Worker check_authref(con, SystemGroupAuthKey))
1783*5e7646d2SAndroid Build Coastguard Worker return (HTTP_OK);
1784*5e7646d2SAndroid Build Coastguard Worker }
1785*5e7646d2SAndroid Build Coastguard Worker
1786*5e7646d2SAndroid Build Coastguard Worker return (HTTP_FORBIDDEN);
1787*5e7646d2SAndroid Build Coastguard Worker }
1788*5e7646d2SAndroid Build Coastguard Worker #endif /* HAVE_AUTHORIZATION_H */
1789*5e7646d2SAndroid Build Coastguard Worker
1790*5e7646d2SAndroid Build Coastguard Worker for (name = (char *)cupsArrayFirst(best->names);
1791*5e7646d2SAndroid Build Coastguard Worker name;
1792*5e7646d2SAndroid Build Coastguard Worker name = (char *)cupsArrayNext(best->names))
1793*5e7646d2SAndroid Build Coastguard Worker {
1794*5e7646d2SAndroid Build Coastguard Worker if (!_cups_strcasecmp(name, "@OWNER") && owner &&
1795*5e7646d2SAndroid Build Coastguard Worker !_cups_strcasecmp(username, ownername))
1796*5e7646d2SAndroid Build Coastguard Worker return (HTTP_OK);
1797*5e7646d2SAndroid Build Coastguard Worker else if (!_cups_strcasecmp(name, "@SYSTEM"))
1798*5e7646d2SAndroid Build Coastguard Worker {
1799*5e7646d2SAndroid Build Coastguard Worker for (i = 0; i < NumSystemGroups; i ++)
1800*5e7646d2SAndroid Build Coastguard Worker if (cupsdCheckGroup(username, pw, SystemGroups[i]))
1801*5e7646d2SAndroid Build Coastguard Worker return (HTTP_OK);
1802*5e7646d2SAndroid Build Coastguard Worker }
1803*5e7646d2SAndroid Build Coastguard Worker else if (name[0] == '@')
1804*5e7646d2SAndroid Build Coastguard Worker {
1805*5e7646d2SAndroid Build Coastguard Worker if (cupsdCheckGroup(username, pw, name + 1))
1806*5e7646d2SAndroid Build Coastguard Worker return (HTTP_OK);
1807*5e7646d2SAndroid Build Coastguard Worker }
1808*5e7646d2SAndroid Build Coastguard Worker else if (!_cups_strcasecmp(username, name))
1809*5e7646d2SAndroid Build Coastguard Worker return (HTTP_OK);
1810*5e7646d2SAndroid Build Coastguard Worker }
1811*5e7646d2SAndroid Build Coastguard Worker
1812*5e7646d2SAndroid Build Coastguard Worker return (con->username[0] ? HTTP_FORBIDDEN : HTTP_UNAUTHORIZED);
1813*5e7646d2SAndroid Build Coastguard Worker }
1814*5e7646d2SAndroid Build Coastguard Worker
1815*5e7646d2SAndroid Build Coastguard Worker /*
1816*5e7646d2SAndroid Build Coastguard Worker * Check to see if this user is in any of the named groups...
1817*5e7646d2SAndroid Build Coastguard Worker */
1818*5e7646d2SAndroid Build Coastguard Worker
1819*5e7646d2SAndroid Build Coastguard Worker cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdIsAuthorized: Checking group membership...");
1820*5e7646d2SAndroid Build Coastguard Worker
1821*5e7646d2SAndroid Build Coastguard Worker /*
1822*5e7646d2SAndroid Build Coastguard Worker * Check to see if this user is in any of the named groups...
1823*5e7646d2SAndroid Build Coastguard Worker */
1824*5e7646d2SAndroid Build Coastguard Worker
1825*5e7646d2SAndroid Build Coastguard Worker for (name = (char *)cupsArrayFirst(best->names);
1826*5e7646d2SAndroid Build Coastguard Worker name;
1827*5e7646d2SAndroid Build Coastguard Worker name = (char *)cupsArrayNext(best->names))
1828*5e7646d2SAndroid Build Coastguard Worker {
1829*5e7646d2SAndroid Build Coastguard Worker cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdIsAuthorized: Checking group \"%s\" membership...", name);
1830*5e7646d2SAndroid Build Coastguard Worker
1831*5e7646d2SAndroid Build Coastguard Worker if (!_cups_strcasecmp(name, "@SYSTEM"))
1832*5e7646d2SAndroid Build Coastguard Worker {
1833*5e7646d2SAndroid Build Coastguard Worker for (i = 0; i < NumSystemGroups; i ++)
1834*5e7646d2SAndroid Build Coastguard Worker if (cupsdCheckGroup(username, pw, SystemGroups[i]))
1835*5e7646d2SAndroid Build Coastguard Worker return (HTTP_OK);
1836*5e7646d2SAndroid Build Coastguard Worker }
1837*5e7646d2SAndroid Build Coastguard Worker else if (cupsdCheckGroup(username, pw, name))
1838*5e7646d2SAndroid Build Coastguard Worker return (HTTP_OK);
1839*5e7646d2SAndroid Build Coastguard Worker }
1840*5e7646d2SAndroid Build Coastguard Worker
1841*5e7646d2SAndroid Build Coastguard Worker /*
1842*5e7646d2SAndroid Build Coastguard Worker * The user isn't part of the specified group, so deny access...
1843*5e7646d2SAndroid Build Coastguard Worker */
1844*5e7646d2SAndroid Build Coastguard Worker
1845*5e7646d2SAndroid Build Coastguard Worker cupsdLogMessage(CUPSD_LOG_DEBUG, "cupsdIsAuthorized: User not in group(s).");
1846*5e7646d2SAndroid Build Coastguard Worker
1847*5e7646d2SAndroid Build Coastguard Worker return (con->username[0] ? HTTP_FORBIDDEN : HTTP_UNAUTHORIZED);
1848*5e7646d2SAndroid Build Coastguard Worker }
1849*5e7646d2SAndroid Build Coastguard Worker
1850*5e7646d2SAndroid Build Coastguard Worker
1851*5e7646d2SAndroid Build Coastguard Worker /*
1852*5e7646d2SAndroid Build Coastguard Worker * 'cupsdNewLocation()' - Create a new location for authorization.
1853*5e7646d2SAndroid Build Coastguard Worker *
1854*5e7646d2SAndroid Build Coastguard Worker * Note: Still need to call cupsdAddLocation() to add it to the list of global
1855*5e7646d2SAndroid Build Coastguard Worker * locations.
1856*5e7646d2SAndroid Build Coastguard Worker */
1857*5e7646d2SAndroid Build Coastguard Worker
1858*5e7646d2SAndroid Build Coastguard Worker cupsd_location_t * /* O - Pointer to new location record */
cupsdNewLocation(const char * location)1859*5e7646d2SAndroid Build Coastguard Worker cupsdNewLocation(const char *location) /* I - Location path */
1860*5e7646d2SAndroid Build Coastguard Worker {
1861*5e7646d2SAndroid Build Coastguard Worker cupsd_location_t *temp; /* New location */
1862*5e7646d2SAndroid Build Coastguard Worker
1863*5e7646d2SAndroid Build Coastguard Worker
1864*5e7646d2SAndroid Build Coastguard Worker /*
1865*5e7646d2SAndroid Build Coastguard Worker * Try to allocate memory for the new location.
1866*5e7646d2SAndroid Build Coastguard Worker */
1867*5e7646d2SAndroid Build Coastguard Worker
1868*5e7646d2SAndroid Build Coastguard Worker if ((temp = calloc(1, sizeof(cupsd_location_t))) == NULL)
1869*5e7646d2SAndroid Build Coastguard Worker return (NULL);
1870*5e7646d2SAndroid Build Coastguard Worker
1871*5e7646d2SAndroid Build Coastguard Worker /*
1872*5e7646d2SAndroid Build Coastguard Worker * Initialize the record and copy the name over...
1873*5e7646d2SAndroid Build Coastguard Worker */
1874*5e7646d2SAndroid Build Coastguard Worker
1875*5e7646d2SAndroid Build Coastguard Worker if ((temp->location = _cupsStrAlloc(location)) == NULL)
1876*5e7646d2SAndroid Build Coastguard Worker {
1877*5e7646d2SAndroid Build Coastguard Worker free(temp);
1878*5e7646d2SAndroid Build Coastguard Worker return (NULL);
1879*5e7646d2SAndroid Build Coastguard Worker }
1880*5e7646d2SAndroid Build Coastguard Worker
1881*5e7646d2SAndroid Build Coastguard Worker temp->length = strlen(temp->location);
1882*5e7646d2SAndroid Build Coastguard Worker
1883*5e7646d2SAndroid Build Coastguard Worker /*
1884*5e7646d2SAndroid Build Coastguard Worker * Return the new record...
1885*5e7646d2SAndroid Build Coastguard Worker */
1886*5e7646d2SAndroid Build Coastguard Worker
1887*5e7646d2SAndroid Build Coastguard Worker return (temp);
1888*5e7646d2SAndroid Build Coastguard Worker }
1889*5e7646d2SAndroid Build Coastguard Worker
1890*5e7646d2SAndroid Build Coastguard Worker
1891*5e7646d2SAndroid Build Coastguard Worker #ifdef HAVE_AUTHORIZATION_H
1892*5e7646d2SAndroid Build Coastguard Worker /*
1893*5e7646d2SAndroid Build Coastguard Worker * 'check_authref()' - Check if an authorization services reference has the
1894*5e7646d2SAndroid Build Coastguard Worker * supplied right.
1895*5e7646d2SAndroid Build Coastguard Worker */
1896*5e7646d2SAndroid Build Coastguard Worker
1897*5e7646d2SAndroid Build Coastguard Worker static int /* O - 1 if right is valid, 0 otherwise */
check_authref(cupsd_client_t * con,const char * right)1898*5e7646d2SAndroid Build Coastguard Worker check_authref(cupsd_client_t *con, /* I - Connection */
1899*5e7646d2SAndroid Build Coastguard Worker const char *right) /* I - Right name */
1900*5e7646d2SAndroid Build Coastguard Worker {
1901*5e7646d2SAndroid Build Coastguard Worker OSStatus status; /* OS Status */
1902*5e7646d2SAndroid Build Coastguard Worker AuthorizationItem authright; /* Authorization right */
1903*5e7646d2SAndroid Build Coastguard Worker AuthorizationRights authrights; /* Authorization rights */
1904*5e7646d2SAndroid Build Coastguard Worker AuthorizationFlags authflags; /* Authorization flags */
1905*5e7646d2SAndroid Build Coastguard Worker
1906*5e7646d2SAndroid Build Coastguard Worker
1907*5e7646d2SAndroid Build Coastguard Worker /*
1908*5e7646d2SAndroid Build Coastguard Worker * Check to see if the user is allowed to perform the task...
1909*5e7646d2SAndroid Build Coastguard Worker */
1910*5e7646d2SAndroid Build Coastguard Worker
1911*5e7646d2SAndroid Build Coastguard Worker if (!con->authref)
1912*5e7646d2SAndroid Build Coastguard Worker return (0);
1913*5e7646d2SAndroid Build Coastguard Worker
1914*5e7646d2SAndroid Build Coastguard Worker authright.name = right;
1915*5e7646d2SAndroid Build Coastguard Worker authright.valueLength = 0;
1916*5e7646d2SAndroid Build Coastguard Worker authright.value = NULL;
1917*5e7646d2SAndroid Build Coastguard Worker authright.flags = 0;
1918*5e7646d2SAndroid Build Coastguard Worker
1919*5e7646d2SAndroid Build Coastguard Worker authrights.count = 1;
1920*5e7646d2SAndroid Build Coastguard Worker authrights.items = &authright;
1921*5e7646d2SAndroid Build Coastguard Worker
1922*5e7646d2SAndroid Build Coastguard Worker authflags = kAuthorizationFlagDefaults |
1923*5e7646d2SAndroid Build Coastguard Worker kAuthorizationFlagExtendRights;
1924*5e7646d2SAndroid Build Coastguard Worker
1925*5e7646d2SAndroid Build Coastguard Worker if ((status = AuthorizationCopyRights(con->authref, &authrights,
1926*5e7646d2SAndroid Build Coastguard Worker kAuthorizationEmptyEnvironment,
1927*5e7646d2SAndroid Build Coastguard Worker authflags, NULL)) != 0)
1928*5e7646d2SAndroid Build Coastguard Worker {
1929*5e7646d2SAndroid Build Coastguard Worker cupsdLogMessage(CUPSD_LOG_ERROR, "AuthorizationCopyRights(\"%s\") returned %d", authright.name, (int)status);
1930*5e7646d2SAndroid Build Coastguard Worker return (0);
1931*5e7646d2SAndroid Build Coastguard Worker }
1932*5e7646d2SAndroid Build Coastguard Worker
1933*5e7646d2SAndroid Build Coastguard Worker cupsdLogMessage(CUPSD_LOG_DEBUG2, "AuthorizationCopyRights(\"%s\") succeeded.", authright.name);
1934*5e7646d2SAndroid Build Coastguard Worker
1935*5e7646d2SAndroid Build Coastguard Worker return (1);
1936*5e7646d2SAndroid Build Coastguard Worker }
1937*5e7646d2SAndroid Build Coastguard Worker #endif /* HAVE_AUTHORIZATION_H */
1938*5e7646d2SAndroid Build Coastguard Worker
1939*5e7646d2SAndroid Build Coastguard Worker
1940*5e7646d2SAndroid Build Coastguard Worker /*
1941*5e7646d2SAndroid Build Coastguard Worker * 'compare_locations()' - Compare two locations.
1942*5e7646d2SAndroid Build Coastguard Worker */
1943*5e7646d2SAndroid Build Coastguard Worker
1944*5e7646d2SAndroid Build Coastguard Worker static int /* O - Result of comparison */
compare_locations(cupsd_location_t * a,cupsd_location_t * b)1945*5e7646d2SAndroid Build Coastguard Worker compare_locations(cupsd_location_t *a, /* I - First location */
1946*5e7646d2SAndroid Build Coastguard Worker cupsd_location_t *b) /* I - Second location */
1947*5e7646d2SAndroid Build Coastguard Worker {
1948*5e7646d2SAndroid Build Coastguard Worker return (strcmp(b->location, a->location));
1949*5e7646d2SAndroid Build Coastguard Worker }
1950*5e7646d2SAndroid Build Coastguard Worker
1951*5e7646d2SAndroid Build Coastguard Worker
1952*5e7646d2SAndroid Build Coastguard Worker /*
1953*5e7646d2SAndroid Build Coastguard Worker * 'copy_authmask()' - Copy function for auth masks.
1954*5e7646d2SAndroid Build Coastguard Worker */
1955*5e7646d2SAndroid Build Coastguard Worker
1956*5e7646d2SAndroid Build Coastguard Worker static cupsd_authmask_t * /* O - New auth mask */
copy_authmask(cupsd_authmask_t * mask,void * data)1957*5e7646d2SAndroid Build Coastguard Worker copy_authmask(cupsd_authmask_t *mask, /* I - Existing auth mask */
1958*5e7646d2SAndroid Build Coastguard Worker void *data) /* I - User data (unused) */
1959*5e7646d2SAndroid Build Coastguard Worker {
1960*5e7646d2SAndroid Build Coastguard Worker cupsd_authmask_t *temp; /* New auth mask */
1961*5e7646d2SAndroid Build Coastguard Worker
1962*5e7646d2SAndroid Build Coastguard Worker
1963*5e7646d2SAndroid Build Coastguard Worker (void)data;
1964*5e7646d2SAndroid Build Coastguard Worker
1965*5e7646d2SAndroid Build Coastguard Worker if ((temp = malloc(sizeof(cupsd_authmask_t))) != NULL)
1966*5e7646d2SAndroid Build Coastguard Worker {
1967*5e7646d2SAndroid Build Coastguard Worker memcpy(temp, mask, sizeof(cupsd_authmask_t));
1968*5e7646d2SAndroid Build Coastguard Worker
1969*5e7646d2SAndroid Build Coastguard Worker if (temp->type == CUPSD_AUTH_NAME || temp->type == CUPSD_AUTH_INTERFACE)
1970*5e7646d2SAndroid Build Coastguard Worker {
1971*5e7646d2SAndroid Build Coastguard Worker /*
1972*5e7646d2SAndroid Build Coastguard Worker * Make a copy of the name...
1973*5e7646d2SAndroid Build Coastguard Worker */
1974*5e7646d2SAndroid Build Coastguard Worker
1975*5e7646d2SAndroid Build Coastguard Worker if ((temp->mask.name.name = _cupsStrAlloc(temp->mask.name.name)) == NULL)
1976*5e7646d2SAndroid Build Coastguard Worker {
1977*5e7646d2SAndroid Build Coastguard Worker /*
1978*5e7646d2SAndroid Build Coastguard Worker * Failed to make copy...
1979*5e7646d2SAndroid Build Coastguard Worker */
1980*5e7646d2SAndroid Build Coastguard Worker
1981*5e7646d2SAndroid Build Coastguard Worker free(temp);
1982*5e7646d2SAndroid Build Coastguard Worker temp = NULL;
1983*5e7646d2SAndroid Build Coastguard Worker }
1984*5e7646d2SAndroid Build Coastguard Worker }
1985*5e7646d2SAndroid Build Coastguard Worker }
1986*5e7646d2SAndroid Build Coastguard Worker
1987*5e7646d2SAndroid Build Coastguard Worker return (temp);
1988*5e7646d2SAndroid Build Coastguard Worker }
1989*5e7646d2SAndroid Build Coastguard Worker
1990*5e7646d2SAndroid Build Coastguard Worker
1991*5e7646d2SAndroid Build Coastguard Worker /*
1992*5e7646d2SAndroid Build Coastguard Worker * 'free_authmask()' - Free function for auth masks.
1993*5e7646d2SAndroid Build Coastguard Worker */
1994*5e7646d2SAndroid Build Coastguard Worker
1995*5e7646d2SAndroid Build Coastguard Worker static void
free_authmask(cupsd_authmask_t * mask,void * data)1996*5e7646d2SAndroid Build Coastguard Worker free_authmask(cupsd_authmask_t *mask, /* I - Auth mask to free */
1997*5e7646d2SAndroid Build Coastguard Worker void *data) /* I - User data (unused) */
1998*5e7646d2SAndroid Build Coastguard Worker {
1999*5e7646d2SAndroid Build Coastguard Worker (void)data;
2000*5e7646d2SAndroid Build Coastguard Worker
2001*5e7646d2SAndroid Build Coastguard Worker if (mask->type == CUPSD_AUTH_NAME || mask->type == CUPSD_AUTH_INTERFACE)
2002*5e7646d2SAndroid Build Coastguard Worker _cupsStrFree(mask->mask.name.name);
2003*5e7646d2SAndroid Build Coastguard Worker
2004*5e7646d2SAndroid Build Coastguard Worker free(mask);
2005*5e7646d2SAndroid Build Coastguard Worker }
2006*5e7646d2SAndroid Build Coastguard Worker
2007*5e7646d2SAndroid Build Coastguard Worker
2008*5e7646d2SAndroid Build Coastguard Worker #if HAVE_LIBPAM
2009*5e7646d2SAndroid Build Coastguard Worker /*
2010*5e7646d2SAndroid Build Coastguard Worker * 'pam_func()' - PAM conversation function.
2011*5e7646d2SAndroid Build Coastguard Worker */
2012*5e7646d2SAndroid Build Coastguard Worker
2013*5e7646d2SAndroid Build Coastguard Worker static int /* O - Success or failure */
pam_func(int num_msg,const struct pam_message ** msg,struct pam_response ** resp,void * appdata_ptr)2014*5e7646d2SAndroid Build Coastguard Worker pam_func(
2015*5e7646d2SAndroid Build Coastguard Worker int num_msg, /* I - Number of messages */
2016*5e7646d2SAndroid Build Coastguard Worker const struct pam_message **msg, /* I - Messages */
2017*5e7646d2SAndroid Build Coastguard Worker struct pam_response **resp, /* O - Responses */
2018*5e7646d2SAndroid Build Coastguard Worker void *appdata_ptr)
2019*5e7646d2SAndroid Build Coastguard Worker /* I - Pointer to connection */
2020*5e7646d2SAndroid Build Coastguard Worker {
2021*5e7646d2SAndroid Build Coastguard Worker int i; /* Looping var */
2022*5e7646d2SAndroid Build Coastguard Worker struct pam_response *replies; /* Replies */
2023*5e7646d2SAndroid Build Coastguard Worker cupsd_authdata_t *data; /* Pointer to auth data */
2024*5e7646d2SAndroid Build Coastguard Worker
2025*5e7646d2SAndroid Build Coastguard Worker
2026*5e7646d2SAndroid Build Coastguard Worker /*
2027*5e7646d2SAndroid Build Coastguard Worker * Allocate memory for the responses...
2028*5e7646d2SAndroid Build Coastguard Worker */
2029*5e7646d2SAndroid Build Coastguard Worker
2030*5e7646d2SAndroid Build Coastguard Worker if ((replies = malloc(sizeof(struct pam_response) * (size_t)num_msg)) == NULL)
2031*5e7646d2SAndroid Build Coastguard Worker return (PAM_CONV_ERR);
2032*5e7646d2SAndroid Build Coastguard Worker
2033*5e7646d2SAndroid Build Coastguard Worker /*
2034*5e7646d2SAndroid Build Coastguard Worker * Answer all of the messages...
2035*5e7646d2SAndroid Build Coastguard Worker */
2036*5e7646d2SAndroid Build Coastguard Worker
2037*5e7646d2SAndroid Build Coastguard Worker data = (cupsd_authdata_t *)appdata_ptr;
2038*5e7646d2SAndroid Build Coastguard Worker
2039*5e7646d2SAndroid Build Coastguard Worker for (i = 0; i < num_msg; i ++)
2040*5e7646d2SAndroid Build Coastguard Worker {
2041*5e7646d2SAndroid Build Coastguard Worker switch (msg[i]->msg_style)
2042*5e7646d2SAndroid Build Coastguard Worker {
2043*5e7646d2SAndroid Build Coastguard Worker case PAM_PROMPT_ECHO_ON:
2044*5e7646d2SAndroid Build Coastguard Worker replies[i].resp_retcode = PAM_SUCCESS;
2045*5e7646d2SAndroid Build Coastguard Worker replies[i].resp = strdup(data->username);
2046*5e7646d2SAndroid Build Coastguard Worker break;
2047*5e7646d2SAndroid Build Coastguard Worker
2048*5e7646d2SAndroid Build Coastguard Worker case PAM_PROMPT_ECHO_OFF:
2049*5e7646d2SAndroid Build Coastguard Worker replies[i].resp_retcode = PAM_SUCCESS;
2050*5e7646d2SAndroid Build Coastguard Worker replies[i].resp = strdup(data->password);
2051*5e7646d2SAndroid Build Coastguard Worker break;
2052*5e7646d2SAndroid Build Coastguard Worker
2053*5e7646d2SAndroid Build Coastguard Worker case PAM_TEXT_INFO:
2054*5e7646d2SAndroid Build Coastguard Worker replies[i].resp_retcode = PAM_SUCCESS;
2055*5e7646d2SAndroid Build Coastguard Worker replies[i].resp = NULL;
2056*5e7646d2SAndroid Build Coastguard Worker break;
2057*5e7646d2SAndroid Build Coastguard Worker
2058*5e7646d2SAndroid Build Coastguard Worker case PAM_ERROR_MSG:
2059*5e7646d2SAndroid Build Coastguard Worker replies[i].resp_retcode = PAM_SUCCESS;
2060*5e7646d2SAndroid Build Coastguard Worker replies[i].resp = NULL;
2061*5e7646d2SAndroid Build Coastguard Worker break;
2062*5e7646d2SAndroid Build Coastguard Worker
2063*5e7646d2SAndroid Build Coastguard Worker default:
2064*5e7646d2SAndroid Build Coastguard Worker free(replies);
2065*5e7646d2SAndroid Build Coastguard Worker return (PAM_CONV_ERR);
2066*5e7646d2SAndroid Build Coastguard Worker }
2067*5e7646d2SAndroid Build Coastguard Worker }
2068*5e7646d2SAndroid Build Coastguard Worker
2069*5e7646d2SAndroid Build Coastguard Worker /*
2070*5e7646d2SAndroid Build Coastguard Worker * Return the responses back to PAM...
2071*5e7646d2SAndroid Build Coastguard Worker */
2072*5e7646d2SAndroid Build Coastguard Worker
2073*5e7646d2SAndroid Build Coastguard Worker *resp = replies;
2074*5e7646d2SAndroid Build Coastguard Worker
2075*5e7646d2SAndroid Build Coastguard Worker return (PAM_SUCCESS);
2076*5e7646d2SAndroid Build Coastguard Worker }
2077*5e7646d2SAndroid Build Coastguard Worker #endif /* HAVE_LIBPAM */
2078