       1                 :            : /* zxidpdp.c  -  Handwritten functions for Local Policy Decision Point (PDP)
       2                 :            :  * Copyright (c) 2010 Sampo Kellomaki (sampo@iki.fi), All Rights Reserved.
       3                 :            :  * Copyright (c) 2009 Symlabs (symlabs@symlabs.com), All Rights Reserved.
       4                 :            :  * Author: Sampo Kellomaki (sampo@iki.fi)
       5                 :            :  * This is confidential unpublished proprietary source code of the author.
       6                 :            :  * NO WARRANTY, not even implied warranties. Contains trade secrets.
       7                 :            :  * Distribution prohibited unless authorized in writing.
       8                 :            :  * Licensed under Apache License 2.0, see file COPYING.
       9                 :            :  * $Id: zxidpep.c,v 1.10 2010-01-08 02:10:09 sampo Exp $
      10                 :            :  *
      11                 :            :  * 24.8.2009, created --Sampo
      12                 :            :  * 10.10.2009, added zxid_az() family --Sampo
      13                 :            :  * 12.2.2010,  added locking to lazy loading --Sampo
      14                 :            :  * 31.5.2010,  generalized to several PEPs model --Sampo
      15                 :            :  */
      16                 :            : 
      17                 :            : #include "platform.h"  /* needed on Win32 for pthread_mutex_lock() et al. */
      18                 :            : 
      19                 :            : #include "errmac.h"
      20                 :            : #include "zxid.h"
      21                 :            : #include "zxidpriv.h"
      22                 :            : #include "zxidconf.h"
      23                 :            : #include "saml2.h"
      24                 :            : #include "c/zx-const.h"
      25                 :            : #include "c/zx-ns.h"
      26                 :            : #include "c/zx-data.h"
      27                 :            : #include "c/zx-e-data.h"
      28                 :            : 
      29                 :            : /* ------------ Attribute Broker and PEP ------------ */
      30                 :            : 
/*() Local Policy Decision Point - decide on role and idpnid.
 *
 * Evaluates up to four configured lists against the session's attribute
 * pool (ses->at): localpdp_role_permit, localpdp_role_deny,
 * localpdp_idpnid_permit and localpdp_idpnid_deny. For each of the two
 * attributes ("role", "idpnid") the rules are:
 *   - permit list configured: the attribute must be present AND its value
 *     must be on the list, otherwise Deny (whitelist; a missing attribute
 *     is a Deny);
 *   - deny list configured: a present value that is on the list is a Deny.
 *     A session that lacks the attribute is NOT denied by a deny list alone.
 * If none of the four lists is configured the function permits
 * unconditionally, i.e. this PDP is fail-open until policy is configured.
 *
 * cf::  configuration; the four list pointers are only tested for non-NULL
 *       here and otherwise handed to zxid_find_cstr_list()
 * ses:: session whose attribute pool is inspected
 * Return: 0 for Deny and 1 for Permit.
 *
 * NOTE(review): only ->val of the attribute returned by zxid_find_at() is
 * compared. If an attribute can carry several values, the remaining values
 * are not examined by this check -- confirm against struct zxid_attr. */

/* Called by:  zxid_call_epr, zxid_simple_ab_pep, zxid_wsc_prepare_call, zxid_wsc_valid_re_env, zxid_wsp_decorate, zxid_wsp_validate_env */
int zxid_localpdp(zxid_conf* cf, zxid_ses* ses)
{
  struct zxid_attr* role_at;
  struct zxid_attr* nid_at;

  /* ---- "role" attribute ---- */
  if (cf->localpdp_role_permit || cf->localpdp_role_deny) {
    role_at = zxid_find_at(ses->at, "role");

    if (cf->localpdp_role_permit) {
      /* Whitelist: absent attribute and off-list value both deny. */
      if (!role_at) {
        INFO("DENY due to no role attribute %d (whitelist)",0);
        return 0;
      }
      if (!zxid_find_cstr_list(cf->localpdp_role_permit, role_at->val)) {
        INFO("DENY: role(%s) not on whitelist", role_at->val);
        return 0;
      }
    }

    /* Blacklist: only a present, listed value denies. */
    if (cf->localpdp_role_deny
        && role_at
        && zxid_find_cstr_list(cf->localpdp_role_deny, role_at->val)) {
      INFO("DENY: role(%s) on blacklist", role_at->val);
      return 0;
    }
  }

  /* ---- "idpnid" attribute (IdP assigned name identifier) ---- */
  if (cf->localpdp_idpnid_permit || cf->localpdp_idpnid_deny) {
    nid_at = zxid_find_at(ses->at, "idpnid");

    if (cf->localpdp_idpnid_permit) {
      /* Whitelist: absent attribute and off-list value both deny. */
      if (!nid_at) {
        INFO("DENY due to no idpnid attribute %d (whitelist)",0);
        return 0;
      }
      if (!zxid_find_cstr_list(cf->localpdp_idpnid_permit, nid_at->val)) {
        INFO("DENY: idpnid(%s) not on whitelist", nid_at->val);
        return 0;
      }
    }

    /* Blacklist: only a present, listed value denies. */
    if (cf->localpdp_idpnid_deny
        && nid_at
        && zxid_find_cstr_list(cf->localpdp_idpnid_deny, nid_at->val)) {
      INFO("DENY: idpnid(%s) on blacklist", nid_at->val);
      return 0;
    }
  }

  /* Nothing denied (or nothing configured): Permit. */
  INFO("PERMIT by local PDP %d", 1);
  return 1;
}
      82                 :            : 
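/*(i) Postprocessing of SSO: Attribute Broker handles attributes and PEP/PDP
 * decide on authorization.
 *
 * Steps, in order:
 *   1. zxid_ses_to_pool() builds the attribute pool from the SSO assertion
 *      (applying NEED, WANT and INMAP).
 *   2. zxid_localpdp() makes the local whitelist/blacklist decision;
 *      Deny returns "z" immediately.
 *   3. If cf->pdp_url is a non-empty string, zxid_pep_az_soap_pepmap() asks
 *      the remote PDP; Deny returns "z". With no pdp_url configured there is
 *      no remote authorization step at all.
 *   4. The session is rendered in the format selected by auto_flags:
 *      ZXID_AUTO_FMTQ -> query string, ZXID_AUTO_FMTJ -> JSON, both bits set
 *      -> empty string, neither bit -> LDIF.
 *
 * cf::         configuration (pdp_url, pepmap, log_level, ctx)
 * ses::        session whose attribute pool is decided on and rendered
 * res_len::    if non-NULL, receives the length of the returned buffer
 * auto_flags:: ZXID_AUTO_FMTQ / ZXID_AUTO_FMTJ select the output format
 * Return: the static literal "z" on Deny (by either PDP) and -- fail closed --
 *   when the session could not be rendered; otherwise the rendered buffer.
 *   The zx_str wrapper is freed here, the buffer itself is handed to the
 *   caller (presumably the caller frees it; confirm against callers). */

/* Called by:  chkuid, zxid_simple_cf_ses, zxid_simple_no_ses_cf x2, zxid_simple_ses_active_cf */
char* zxid_simple_ab_pep(zxid_conf* cf, zxid_ses* ses, int* res_len, int auto_flags)
{
  char* res;
  struct zx_str* ss;
  D_INDENT("ab_pep: ");
  DD("ab_pep %d", 0);
  zxid_ses_to_pool(cf, ses);  /* Process SSO a7n, applying NEED, WANT, and INMAP */

  /* Local policy first: cheap, and a local Deny never reaches the remote PDP. */
  if (!zxid_localpdp(cf, ses)) {
    DD("Deny by local PDP %d",0);
    D_DEDENT("ab_pep: ");
    return "z";
  }

  /* Remote PDP only when configured. Note that no Action/URL attributes are
   * added to the pool here; the remote PDP sees the pool as built above. */
  if (cf->pdp_url && *cf->pdp_url) {
    //zxid_add_attr_to_pool(cf, ses, "Action", zx_dup_str(cf->ctx, "access"));
    //zxid_add_attr_to_pool(cf, ses, "URL", zx_dup_str(cf->ctx, ses->rs));
    if (!zxid_pep_az_soap_pepmap(cf, 0, ses, cf->pdp_url, cf->pepmap)) {
      INFO("DENY by remote PDP %d", 0);
      D_DEDENT("ab_pep: ");
      return "z";
    }
  }
  
  switch (auto_flags & (ZXID_AUTO_FMTQ | ZXID_AUTO_FMTJ)) {
  case ZXID_AUTO_FMTQ|ZXID_AUTO_FMTJ: ss = zx_dup_str(cf->ctx, ""); break; /* No output */
  case ZXID_AUTO_FMTQ:  ss = zxid_ses_to_qs(cf, ses); break;
  case ZXID_AUTO_FMTJ:  ss = zxid_ses_to_json(cf, ses); break;
  default: ERR("Unsupported output format bits %x", auto_flags & (ZXID_AUTO_FMTQ|ZXID_AUTO_FMTJ));
    /* fallthrough: unknown combination degrades to LDIF */
  case 0:               ss = zxid_ses_to_ldif(cf, ses); break;
  }

  /* The renderers may return NULL (the INFO below already anticipated that);
   * the original code then dereferenced ss->s. Fail closed instead: "z" is
   * the Deny value every caller already handles. */
  if (!ss) {
    ERR("Failed to render session, format bits %x", auto_flags & (ZXID_AUTO_FMTQ|ZXID_AUTO_FMTJ));
    D_DEDENT("ab_pep: ");
    return "z";
  }

  if (zx_debug & ZXID_INOUT)
    INFO("LDIF(%.*s)", ss->len, ss->s);
  if (cf->log_level > 0)
    zxlog(cf, 0,0,0,0,0,0, ZX_GET_CONTENT(ses->nameid), "N", "K", "SHOWPC", ses->sid, 0);

  /* Detach the buffer from the wrapper, free only the wrapper. */
  res = ss->s;
  if (res_len)
    *res_len = ss->len;
  ZX_FREE(cf->ctx, ss);
  D_DEDENT("ab_pep: ");
  return res;
}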
     129                 :            : 
     130                 :            : /* EOF  --  zxidpdp.c */
