1 /*
2  * Authorization definitions for the CUPS scheduler.
3  *
4  * Copyright 2007-2014 by Apple Inc.
5  * Copyright 1997-2006 by Easy Software Products, all rights reserved.
6  *
7  * Licensed under Apache License v2.0.  See the file "LICENSE" for more information.
8  */
9 
10 /*
11  * Include necessary headers...
12  */
13 
14 #include <pwd.h>
15 
16 
17 /*
18  * HTTP authorization types and levels...
19  */
20 
21 #define CUPSD_AUTH_DEFAULT	-1	/* Use DefaultAuthType */
22 #define CUPSD_AUTH_NONE		0	/* No authentication */
23 #define CUPSD_AUTH_BASIC	1	/* Basic authentication */
24 #define CUPSD_AUTH_NEGOTIATE	2	/* Kerberos authentication */
25 #define CUPSD_AUTH_AUTO		3	/* Kerberos or Basic, depending on configuration of server */
26 
27 #define CUPSD_AUTH_ANON		0	/* Anonymous access */
28 #define CUPSD_AUTH_USER		1	/* Must have a valid username/password */
29 #define CUPSD_AUTH_GROUP	2	/* Must also be in a named group */
30 
31 #define CUPSD_AUTH_ALLOW	0	/* Allow access */
32 #define CUPSD_AUTH_DENY		1	/* Deny access */
33 
34 #define CUPSD_AUTH_NAME		0	/* Authorize host by name */
35 #define CUPSD_AUTH_IP		1	/* Authorize host by IP */
36 #define CUPSD_AUTH_INTERFACE	2	/* Authorize host by interface */
37 
38 #define CUPSD_AUTH_SATISFY_ALL	0	/* Satisfy both address and auth */
39 #define CUPSD_AUTH_SATISFY_ANY	1	/* Satisfy either address or auth */
40 
41 #define CUPSD_AUTH_LIMIT_DELETE	1	/* Limit DELETE requests */
42 #define CUPSD_AUTH_LIMIT_GET	2	/* Limit GET requests */
43 #define CUPSD_AUTH_LIMIT_HEAD	4	/* Limit HEAD requests */
44 #define CUPSD_AUTH_LIMIT_OPTIONS 8	/* Limit OPTIONS requests */
45 #define CUPSD_AUTH_LIMIT_POST	16	/* Limit POST requests */
46 #define CUPSD_AUTH_LIMIT_PUT	32	/* Limit PUT requests */
47 #define CUPSD_AUTH_LIMIT_TRACE	64	/* Limit TRACE requests */
48 #define CUPSD_AUTH_LIMIT_ALL	127	/* Limit all requests */
49 #define CUPSD_AUTH_LIMIT_IPP	128	/* Limit IPP requests */
50 
51 #define IPP_ANY_OPERATION	(ipp_op_t)0
52 					/* Any IPP operation */
53 #define IPP_BAD_OPERATION	(ipp_op_t)-1
54 					/* No IPP operation */
55 
56 
57 /*
58  * HTTP access control structures...
59  */
60 
61 typedef struct
62 {
63   unsigned	address[4],		/* IP address */
64 		netmask[4];		/* IP netmask */
65 } cupsd_ipmask_t;
66 
67 typedef struct
68 {
69   size_t	length;			/* Length of name */
70   char		*name;			/* Name string */
71 } cupsd_namemask_t;
72 
73 typedef struct
74 {
75   int		type;			/* Mask type */
76   union
77   {
78     cupsd_namemask_t	name;		/* Host/Domain name */
79     cupsd_ipmask_t	ip;		/* IP address/network */
80   }		mask;			/* Mask data */
81 } cupsd_authmask_t;
82 
83 typedef struct
84 {
85   char			*location;	/* Location of resource */
86   size_t		length;		/* Length of location string */
87   ipp_op_t		op;		/* IPP operation */
88   int			limit,		/* Limit for these types of requests */
89 			order_type,	/* Allow or Deny */
90 			type,		/* Type of authentication */
91 			level,		/* Access level required */
92 			satisfy;	/* Satisfy any or all limits? */
93   cups_array_t		*names,		/* User or group names */
94 			*allow,		/* Allow lines */
95 			*deny;		/* Deny lines */
96   http_encryption_t	encryption;	/* To encrypt or not to encrypt... */
97 } cupsd_location_t;
98 
99 typedef struct cupsd_client_s cupsd_client_t;
100 
101 
102 /*
103  * Globals...
104  */
105 
106 VAR cups_array_t	*Locations	VALUE(NULL);
107 					/* Authorization locations */
108 #ifdef HAVE_SSL
109 VAR http_encryption_t	DefaultEncryption VALUE(HTTP_ENCRYPT_REQUIRED);
110 					/* Default encryption for authentication */
111 #endif /* HAVE_SSL */
112 
113 
114 /*
115  * Prototypes...
116  */
117 
118 extern int		cupsdAddIPMask(cups_array_t **masks,
119 				       const unsigned address[4],
120 				       const unsigned netmask[4]);
121 extern void		cupsdAddLocation(cupsd_location_t *loc);
122 extern void		cupsdAddName(cupsd_location_t *loc, char *name);
123 extern int		cupsdAddNameMask(cups_array_t **masks, char *name);
124 extern void		cupsdAuthorize(cupsd_client_t *con);
125 extern int		cupsdCheckAccess(unsigned ip[4], const char *name, size_t namelen, cupsd_location_t *loc);
126 extern int		cupsdCheckAuth(unsigned ip[4], const char *name, size_t namelen, cups_array_t *masks);
127 extern int		cupsdCheckGroup(const char *username,
128 			                struct passwd *user,
129 			                const char *groupname);
130 extern cupsd_location_t	*cupsdCopyLocation(cupsd_location_t *loc);
131 extern void		cupsdDeleteAllLocations(void);
132 extern cupsd_location_t	*cupsdFindBest(const char *path, http_state_t state);
133 extern cupsd_location_t	*cupsdFindLocation(const char *location);
134 extern void		cupsdFreeLocation(cupsd_location_t *loc);
135 extern http_status_t	cupsdIsAuthorized(cupsd_client_t *con, const char *owner);
136 extern cupsd_location_t	*cupsdNewLocation(const char *location);
137