![]() |
Icinga-core 1.4.0
next gen monitoring
|
00001 /***************************************************************************** 00002 * 00003 * CGIAUTH.C - Authorization utilities for Icinga CGIs 00004 * 00005 * Copyright (c) 1999-2008 Ethan Galstad (egalstad@nagios.org) 00006 * Copyright (c) 2009-2011 Icinga Development Team (http://www.icinga.org) 00007 * 00008 * License: 00009 * 00010 * This program is free software; you can redistribute it and/or modify 00011 * it under the terms of the GNU General Public License version 2 as 00012 * published by the Free Software Foundation. 00013 * 00014 * This program is distributed in the hope that it will be useful, 00015 * but WITHOUT ANY WARRANTY; without even the implied warranty of 00016 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 00017 * GNU General Public License for more details. 00018 * 00019 * You should have received a copy of the GNU General Public License 00020 * along with this program; if not, write to the Free Software 00021 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. 00022 * 00023 *****************************************************************************/ 00024 00025 #include "../include/config.h" 00026 #include "../include/common.h" 00027 #include "../include/objects.h" 00028 00029 #include "../include/cgiutils.h" 00030 #include "../include/cgiauth.h" 00031 00032 extern char main_config_file[MAX_FILENAME_LENGTH]; 00033 00034 extern hostgroup *hostgroup_list; 00035 extern servicegroup *servicegroup_list; 00036 00037 extern int use_authentication; 00038 extern int use_ssl_authentication; 00039 00040 extern int show_all_services_host_is_authorized_for; 00041 00042 /* get current authentication information */ 00043 int get_authentication_information(authdata *authinfo){ 00044 mmapfile *thefile; 00045 char *input=NULL; 00046 char *temp_ptr; 00047 00048 if(authinfo==NULL) 00049 return ERROR; 00050 00051 /* initial values... */ 00052 authinfo->authorized_for_all_hosts=FALSE; 00053 authinfo->authorized_for_all_host_commands=FALSE; 00054 authinfo->authorized_for_all_services=FALSE; 00055 authinfo->authorized_for_all_service_commands=FALSE; 00056 authinfo->authorized_for_system_information=FALSE; 00057 authinfo->authorized_for_system_commands=FALSE; 00058 authinfo->authorized_for_configuration_information=FALSE; 00059 authinfo->authorized_for_read_only=FALSE; 00060 authinfo->number_of_authentication_rules=0; 00061 authinfo->authentication_rules=NULL; 00062 00063 /* grab username from the environment... */ 00064 if(use_ssl_authentication) { 00065 /* patch by Pawl Zuzelski - 7/22/08 */ 00066 temp_ptr=getenv("SSL_CLIENT_S_DN_CN"); 00067 } 00068 else{ 00069 temp_ptr=getenv("REMOTE_USER"); 00070 } 00071 if(temp_ptr==NULL){ 00072 authinfo->username=""; 00073 authinfo->authenticated=FALSE; 00074 } 00075 else{ 00076 authinfo->username=(char *)malloc(strlen(temp_ptr)+1); 00077 if(authinfo->username==NULL) 00078 authinfo->username=""; 00079 else 00080 strcpy(authinfo->username,temp_ptr); 00081 if(!strcmp(authinfo->username,"")) 00082 authinfo->authenticated=FALSE; 00083 else 00084 authinfo->authenticated=TRUE; 00085 } 00086 00087 /* read in authorization override vars from config file... */ 00088 if((thefile=mmap_fopen(get_cgi_config_location()))!=NULL){ 00089 00090 while(1){ 00091 00092 /* free memory */ 00093 free(input); 00094 00095 /* read the next line */ 00096 if((input=mmap_fgets_multiline(thefile))==NULL) 00097 break; 00098 00099 strip(input); 00100 00101 /* we don't have a username yet, so fake the authentication if we find a default username defined */ 00102 if(!strcmp(authinfo->username,"") && strstr(input,"default_user_name=")==input){ 00103 temp_ptr=strtok(input,"="); 00104 temp_ptr=strtok(NULL,","); 00105 00106 if(temp_ptr==NULL){ 00107 authinfo->username=""; 00108 authinfo->authenticated=FALSE; 00109 } 00110 else{ 00111 authinfo->username=(char *)malloc(strlen(temp_ptr)+1); 00112 if(authinfo->username==NULL) 00113 authinfo->username=""; 00114 else 00115 strcpy(authinfo->username,temp_ptr); 00116 if(!strcmp(authinfo->username,"")) 00117 authinfo->authenticated=FALSE; 00118 else 00119 authinfo->authenticated=TRUE; 00120 } 00121 } 00122 00123 else if(strstr(input,"authorized_for_all_hosts=")==input){ 00124 temp_ptr=strtok(input,"="); 00125 while((temp_ptr=strtok(NULL,","))){ 00126 if(!strcmp(temp_ptr,authinfo->username) || !strcmp(temp_ptr,"*")) 00127 authinfo->authorized_for_all_hosts=TRUE; 00128 } 00129 } 00130 else if(strstr(input,"authorized_for_all_services=")==input){ 00131 temp_ptr=strtok(input,"="); 00132 while((temp_ptr=strtok(NULL,","))){ 00133 if(!strcmp(temp_ptr,authinfo->username) || !strcmp(temp_ptr,"*")) 00134 authinfo->authorized_for_all_services=TRUE; 00135 } 00136 } 00137 else if(strstr(input,"authorized_for_system_information=")==input){ 00138 temp_ptr=strtok(input,"="); 00139 while((temp_ptr=strtok(NULL,","))){ 00140 if(!strcmp(temp_ptr,authinfo->username) || !strcmp(temp_ptr,"*")) 00141 authinfo->authorized_for_system_information=TRUE; 00142 } 00143 } 00144 else if(strstr(input,"authorized_for_configuration_information=")==input){ 00145 temp_ptr=strtok(input,"="); 00146 while((temp_ptr=strtok(NULL,","))){ 00147 if(!strcmp(temp_ptr,authinfo->username) || !strcmp(temp_ptr,"*")) 00148 authinfo->authorized_for_configuration_information=TRUE; 00149 } 00150 } 00151 else if(strstr(input,"authorized_for_all_host_commands=")==input){ 00152 temp_ptr=strtok(input,"="); 00153 while((temp_ptr=strtok(NULL,","))){ 00154 if(!strcmp(temp_ptr,authinfo->username) || !strcmp(temp_ptr,"*")) 00155 authinfo->authorized_for_all_host_commands=TRUE; 00156 } 00157 } 00158 else if(strstr(input,"authorized_for_all_service_commands=")==input){ 00159 temp_ptr=strtok(input,"="); 00160 while((temp_ptr=strtok(NULL,","))){ 00161 if(!strcmp(temp_ptr,authinfo->username) || !strcmp(temp_ptr,"*")) 00162 authinfo->authorized_for_all_service_commands=TRUE; 00163 } 00164 } 00165 else if(strstr(input,"authorized_for_system_commands=")==input){ 00166 temp_ptr=strtok(input,"="); 00167 while((temp_ptr=strtok(NULL,","))){ 00168 if(!strcmp(temp_ptr,authinfo->username) || !strcmp(temp_ptr,"*")) 00169 authinfo->authorized_for_system_commands=TRUE; 00170 } 00171 } 00172 else if(strstr(input,"authorized_for_read_only=")==input){ 00173 temp_ptr=strtok(input,"="); 00174 while((temp_ptr=strtok(NULL,","))){ 00175 if(!strcmp(temp_ptr,authinfo->username) || !strcmp(temp_ptr,"*")) 00176 authinfo->authorized_for_read_only=TRUE; 00177 } 00178 } 00179 else if(strstr(input,"authorization_config_file=")==input){ 00180 temp_ptr=strtok(input,"="); 00181 temp_ptr=strtok(NULL,"\n"); 00182 if(temp_ptr!=NULL) 00183 parse_authorization_config_file(temp_ptr, authinfo); 00184 } 00185 } 00186 00187 /* free memory and close the file */ 00188 free(input); 00189 mmap_fclose(thefile); 00190 } 00191 00192 if(authinfo->authenticated==TRUE) 00193 return OK; 00194 else 00195 return ERROR; 00196 } 00197 00198 /* parsing authorization configuration file */ 00199 int parse_authorization_config_file(char* filename, authdata* authinfo){ 00200 mmapfile *thefile; 00201 char *input=NULL; 00202 char *temp_ptr=NULL; 00203 char *temp_rule=NULL; 00204 char *role=NULL; 00205 char *roles=NULL; 00206 char *roles_tmp=NULL; 00207 char test_char[2]; 00208 int role_match=FALSE; 00209 00210 /* Shibboleth environment variable */ 00211 if(getenv("entitlement")==NULL){ 00212 printf("<P><DIV CLASS='errorMessage'>Authorization information: entitlement variable is empty</DIV></P>"); 00213 return ERROR; 00214 } 00215 00216 roles=getenv("entitlement"); 00217 00218 roles_tmp=(char *)malloc(strlen(roles)+1); 00219 00220 /* read in authorization config file */ 00221 if((thefile=mmap_fopen(filename))!=NULL){ 00222 00223 while(1){ 00224 /* read the next line */ 00225 if((input=mmap_fgets_multiline(thefile))==NULL) 00226 break; 00227 00228 strip(input); 00229 00230 test_char[0]=input[0]; 00231 test_char[1]='\0'; 00232 00233 /* ignore comment */ 00234 if(strcmp(test_char,"#")==0) 00235 continue; 00236 00237 temp_ptr=strtok(input,"="); 00238 00239 if(temp_ptr==NULL) 00240 continue; 00241 00242 temp_rule=strtok(NULL,"="); 00243 00244 if (temp_rule==NULL) 00245 continue; 00246 00247 strcpy(roles_tmp,roles); 00248 role=strtok(roles_tmp,";"); 00249 00250 while(role!=NULL){ 00251 00252 if(strcmp(role,temp_ptr)==0){ 00253 role_match=TRUE; 00254 break; 00255 } 00256 00257 role=strtok(NULL,";"); 00258 } 00259 00260 if(role_match==FALSE) 00261 continue; 00262 00263 authinfo->number_of_authentication_rules++; 00264 strip(temp_rule); 00265 00266 /* increment the authentication_rules array */ 00267 authinfo->authentication_rules=realloc(authinfo->authentication_rules, (sizeof(char*)) * authinfo->number_of_authentication_rules); 00268 00269 if(authinfo->authentication_rules==NULL) 00270 return ERROR; 00271 00272 authinfo->authentication_rules[authinfo->number_of_authentication_rules-1]=malloc(sizeof(char) * (strlen(temp_rule)+1)); 00273 strcpy(authinfo->authentication_rules[authinfo->number_of_authentication_rules-1], temp_rule); 00274 } 00275 00276 /* free memory and close the file */ 00277 free(input); 00278 mmap_fclose(thefile); 00279 } 00280 00281 free(roles_tmp); 00282 00283 return OK; 00284 } 00285 00286 /* set default authz permissions */ 00287 int set_authz_permissions(char* permission, authdata* authinfo){ 00288 00289 if(strcmp(permission,"r")==0){ /* only read permissions */ 00290 authinfo->authorized_for_read_only=TRUE; 00291 authinfo->authorized_for_system_information=TRUE; 00292 authinfo->authorized_for_configuration_information=TRUE; 00293 authinfo->authorized_for_system_commands=FALSE; 00294 authinfo->authorized_for_all_service_commands=FALSE; 00295 authinfo->authorized_for_all_host_commands=FALSE; 00296 } else if(strcmp(permission,"w")==0){ /* read + write permissions */ 00297 authinfo->authorized_for_read_only=FALSE; 00298 authinfo->authorized_for_system_information=TRUE; 00299 authinfo->authorized_for_system_commands=TRUE; 00300 authinfo->authorized_for_configuration_information=TRUE; 00301 authinfo->authorized_for_all_service_commands=TRUE; 00302 authinfo->authorized_for_all_host_commands=TRUE; 00303 } 00304 00305 return TRUE; 00306 } 00307 00308 /* check if user is authorized to view information about a particular host */ 00309 int is_authorized_for_host(host *hst, authdata *authinfo){ 00310 contact *temp_contact; 00311 char *host_list=NULL; 00312 char *host_list2=NULL; 00313 char *list_tmp=NULL; 00314 char *list_tmp2=NULL; 00315 char *host2=NULL; 00316 char *tmp=NULL; 00317 char *tmp_permission=NULL; 00318 char *tmp_service=NULL; 00319 char *hg_name=NULL; 00320 int i; 00321 int j; 00322 char permission[2]; 00323 int ok=FALSE; 00324 int is_ok=FALSE; 00325 00326 if(hst==NULL) 00327 return FALSE; 00328 00329 /* if we're not using authentication, fake it */ 00330 if(use_authentication==FALSE) 00331 return TRUE; 00332 00333 /* if this user has not authenticated return error */ 00334 if(authinfo->authenticated==FALSE) 00335 return FALSE; 00336 00337 /* if this user is authorized for all hosts, they are for this one... */ 00338 if(is_authorized_for_all_hosts(authinfo)==TRUE) 00339 return TRUE; 00340 00341 /* find the contact */ 00342 temp_contact=find_contact(authinfo->username); 00343 00344 /* see if this user is a contact for the host */ 00345 if(is_contact_for_host(hst,temp_contact)==TRUE) 00346 return TRUE; 00347 00348 /* see if this user is an escalated contact for the host */ 00349 if(is_escalated_contact_for_host(hst,temp_contact)==TRUE) 00350 return TRUE; 00351 00352 /* authz parsing */ 00353 if(authinfo->number_of_authentication_rules!=0){ 00354 00355 strcpy(permission, "r"); 00356 00357 for(i=0; i<authinfo->number_of_authentication_rules; i++){ 00358 00359 list_tmp=malloc(strlen(authinfo->authentication_rules[i])+1); 00360 strcpy(list_tmp, authinfo->authentication_rules[i]); 00361 strip(list_tmp); 00362 00363 /* for this situation: :service:r */ 00364 if(list_tmp[0]==':') 00365 continue; 00366 00367 /* "w" is the maximum permission, do not need continue */ 00368 if(strcmp(permission,"w")==0) 00369 break; 00370 00371 host_list=strtok(list_tmp,":"); 00372 00373 host_list2=malloc(strlen(host_list)+1); 00374 strcpy(host_list2,host_list); 00375 00376 tmp_service=strtok(NULL,":"); 00377 tmp_permission=strtok(NULL,":"); 00378 host2=strtok(host_list2,","); 00379 00380 while(host2!=NULL){ 00381 00382 list_tmp2=malloc(strlen(host2)+1); 00383 strcpy(list_tmp2,host2); 00384 strip(list_tmp2); 00385 00386 /* host group parsing */ 00387 if(list_tmp2[0]=='@'){ 00388 hg_name=malloc(strlen(list_tmp2)+1); 00389 strcpy(hg_name,list_tmp2); 00390 00391 for(j=0; j<strlen(hg_name); j++) 00392 hg_name[j]=hg_name[j+1]; 00393 00394 if(is_host_member_of_hostgroup(find_hostgroup(hg_name),hst)==TRUE){ 00395 is_ok=TRUE; 00396 } else { 00397 host2=strtok(NULL,","); 00398 free(hg_name); 00399 continue; 00400 } 00401 00402 free(hg_name); 00403 } 00404 00405 if(strcmp(list_tmp2,hst->name)==0 || strcmp(list_tmp2,"*")==0) 00406 is_ok=TRUE; 00407 00408 if(is_ok==TRUE){ 00409 00410 /* for this situation: host::r */ 00411 if(tmp_permission==NULL) 00412 tmp_permission=tmp_service; 00413 00414 if(tmp_permission!=NULL){ 00415 tmp=malloc(strlen(tmp_permission)+1); 00416 strcpy(tmp,tmp_permission); 00417 strip(tmp); /* "w" will overwrite "r" permission */ 00418 00419 if(strcmp(permission,"r")==0 && strcmp(tmp,"w")==0){ 00420 strcpy(permission,"w"); 00421 } 00422 00423 free(tmp); 00424 } 00425 00426 ok=TRUE; 00427 } 00428 00429 host2=strtok(NULL,","); 00430 free(list_tmp2); 00431 } 00432 00433 free(list_tmp); 00434 free(host_list2); 00435 } 00436 00437 if(ok==TRUE){ 00438 set_authz_permissions(permission,authinfo); 00439 return TRUE; 00440 } 00441 00442 } /* end of authz parsing */ 00443 00444 return FALSE; 00445 } 00446 00447 00448 /* check if user is authorized to view information about all hosts in a particular hostgroup */ 00449 int is_authorized_for_hostgroup(hostgroup *hg, authdata *authinfo){ 00450 hostsmember *temp_hostsmember; 00451 host *temp_host; 00452 00453 if(hg==NULL) 00454 return FALSE; 00455 00456 /* CHANGED in 2.0 - user must be authorized for ALL hosts in a hostgroup, not just one */ 00457 /* see if user is authorized for all hosts in the hostgroup */ 00458 for(temp_hostsmember=hg->members;temp_hostsmember!=NULL;temp_hostsmember=temp_hostsmember->next){ 00459 temp_host=find_host(temp_hostsmember->host_name); 00460 if(is_authorized_for_host(temp_host,authinfo)==FALSE) 00461 return FALSE; 00462 } 00463 00464 return TRUE; 00465 } 00466 00467 00468 00469 /* check if user is authorized to view information about all services in a particular servicegroup */ 00470 int is_authorized_for_servicegroup(servicegroup *sg, authdata *authinfo){ 00471 servicesmember *temp_servicesmember; 00472 service *temp_service; 00473 00474 if(sg==NULL) 00475 return FALSE; 00476 00477 /* see if user is authorized for all services in the servicegroup */ 00478 for(temp_servicesmember=sg->members;temp_servicesmember!=NULL;temp_servicesmember=temp_servicesmember->next){ 00479 temp_service=find_service(temp_servicesmember->host_name,temp_servicesmember->service_description); 00480 if(is_authorized_for_service(temp_service,authinfo)==FALSE) 00481 return FALSE; 00482 } 00483 00484 return TRUE; 00485 } 00486 00487 /* check if current user is restricted to read only */ 00488 int is_authorized_for_read_only(authdata *authinfo){ 00489 00490 /* if we're not using authentication, fake it */ 00491 if(use_authentication==FALSE) 00492 return FALSE; 00493 00494 /* if this user has not authenticated return error */ 00495 if(authinfo->authenticated==FALSE) 00496 return FALSE; 00497 00498 return authinfo->authorized_for_read_only; 00499 } 00500 00501 /* check if user is authorized to view information about a particular service */ 00502 int is_authorized_for_service(service *svc, authdata *authinfo){ 00503 host *temp_host=NULL; 00504 contact *temp_contact=NULL; 00505 char *host_list=NULL; 00506 char *host_list2=NULL; 00507 char *service_list=NULL; 00508 char *list_tmp=NULL; 00509 char *service=NULL; 00510 char *host2=NULL; 00511 char *read_only=NULL; 00512 char *list_tmp2=NULL; 00513 char *list_tmp3=NULL; 00514 char *list_tmp4=NULL; 00515 char *sg_name=NULL; 00516 char *hg_name=NULL; 00517 int i=0; 00518 int j=0; 00519 int ok=FALSE; 00520 int is_ok=FALSE; 00521 int is_ok2=FALSE; 00522 char permission[2]; 00523 00524 if(svc==NULL) 00525 return FALSE; 00526 00527 /* if we're not using authentication, fake it */ 00528 if(use_authentication==FALSE) 00529 return TRUE; 00530 00531 /* if this user has not authenticated return error */ 00532 if(authinfo->authenticated==FALSE) 00533 return FALSE; 00534 00535 /* if this user is authorized for all services, they are for this one... */ 00536 if(is_authorized_for_all_services(authinfo)==TRUE) 00537 return TRUE; 00538 00539 /* find the host */ 00540 temp_host=find_host(svc->host_name); 00541 if(temp_host==NULL) 00542 return FALSE; 00543 00544 /* if this user is authorized for this host, they are for all services on it as well... */ 00545 /* 06-02-2010 added config option, if set FALSE, this condition won't match and 00546 user must be authorized for the services too in order to view them */ 00547 00548 if(is_authorized_for_host(temp_host,authinfo)==TRUE){ 00549 00550 /* first off, let attribute based auth decide, then show_all_services_host_is_authorized_for==TRUE */ 00551 00552 /* authz parsing */ 00553 if (authinfo->number_of_authentication_rules!=0){ 00554 strcpy(permission,"r"); 00555 00556 for(i=0; i<authinfo->number_of_authentication_rules; i++){ 00557 00558 /* "w" is the maximum permission, do not need continue */ 00559 if (strcmp(permission,"w") == 0) break; 00560 00561 list_tmp=malloc(strlen(authinfo->authentication_rules[i])+1); 00562 strcpy(list_tmp,authinfo->authentication_rules[i]); 00563 00564 host_list=strtok(list_tmp,":"); 00565 00566 host_list2=malloc(strlen(host_list)+1); 00567 strcpy(host_list2,host_list); 00568 00569 service_list=strtok(NULL,":"); 00570 read_only=strtok(NULL,":"); 00571 service=strtok(service_list,","); 00572 00573 while (service!=NULL) { 00574 list_tmp2=malloc(strlen(service)+1); 00575 strcpy(list_tmp2,service); 00576 strip(list_tmp2); 00577 00578 /* service group parsing */ 00579 if (list_tmp2[0]=='@') { 00580 sg_name=malloc(strlen(list_tmp2)+1); 00581 strcpy(sg_name,list_tmp2); 00582 00583 for (j=0; j<strlen(sg_name); j++) 00584 sg_name[j]=sg_name[j+1]; 00585 00586 if (is_service_member_of_servicegroup(find_servicegroup(sg_name),svc)==TRUE){ 00587 is_ok2=TRUE; 00588 } else { 00589 service=strtok(NULL,","); 00590 free(sg_name); 00591 continue; 00592 } 00593 00594 free(sg_name); 00595 } 00596 00597 if (strcmp(list_tmp2,svc->display_name)==0 || strcmp(list_tmp2, "*")==0) 00598 is_ok2=TRUE; 00599 00600 if (is_ok2==TRUE){ 00601 host2=strtok(host_list2,","); 00602 00603 while (host2!=NULL){ 00604 list_tmp3=malloc(strlen(host2)+1); 00605 strcpy(list_tmp3,host2); 00606 strip(list_tmp3); 00607 00608 /* host group parsing */ 00609 if (list_tmp3[0]=='@') { 00610 hg_name=malloc(strlen(list_tmp3)+1); 00611 strcpy(hg_name,list_tmp3); 00612 00613 for (j=0; j<strlen(hg_name); j++) 00614 hg_name[j]=hg_name[j+1]; 00615 00616 if (is_host_member_of_hostgroup(find_hostgroup(hg_name), temp_host)==TRUE){ 00617 is_ok=TRUE; 00618 } else { 00619 host2=strtok(NULL,","); 00620 free(hg_name); 00621 continue; 00622 } 00623 00624 free(hg_name); 00625 } 00626 00627 if (strcmp(list_tmp2,svc->host_name)==0 || strcmp(list_tmp2, "*")==0) 00628 is_ok=TRUE; 00629 00630 if (is_ok==TRUE){ 00631 if (read_only!=NULL){ 00632 list_tmp4=malloc(strlen(read_only)+1); 00633 strcpy(list_tmp4,read_only); 00634 strip(list_tmp4); /* "w" will overwrite "r" permission */ 00635 00636 if (strcmp(permission,"r")==0 && strcmp(list_tmp4,"w")==0){ 00637 strcpy(permission,"w"); 00638 } 00639 00640 free(list_tmp4); 00641 } 00642 00643 ok=TRUE; 00644 } 00645 00646 host2=strtok(NULL,","); 00647 free(list_tmp3); 00648 } 00649 } 00650 00651 service=strtok(NULL,","); 00652 free(list_tmp2); 00653 } 00654 00655 free(list_tmp); 00656 free(host_list2); 00657 } 00658 00659 if (ok==TRUE){ 00660 set_authz_permissions(permission, authinfo); 00661 return TRUE; 00662 } 00663 00664 } /* end of authz parsing */ 00665 else { 00666 /* user does not need to be authorized for the services too in order to view them? */ 00667 if(show_all_services_host_is_authorized_for==TRUE){ 00668 return TRUE; 00669 } 00670 } 00671 } 00672 00673 /* find the contact */ 00674 temp_contact=find_contact(authinfo->username); 00675 00676 /* see if this user is a contact for the service */ 00677 if(is_contact_for_service(svc,temp_contact)==TRUE) 00678 return TRUE; 00679 00680 /* see if this user is an escalated contact for the service */ 00681 if(is_escalated_contact_for_service(svc,temp_contact)==TRUE) 00682 return TRUE; 00683 00684 return FALSE; 00685 } 00686 00687 00688 /* check if current user is authorized to view information on all hosts */ 00689 int is_authorized_for_all_hosts(authdata *authinfo){ 00690 00691 /* if we're not using authentication, fake it */ 00692 if(use_authentication==FALSE) 00693 return TRUE; 00694 00695 /* if this user has not authenticated return error */ 00696 if(authinfo->authenticated==FALSE) 00697 return FALSE; 00698 00699 return authinfo->authorized_for_all_hosts; 00700 } 00701 00702 00703 /* check if current user is authorized to view information on all service */ 00704 int is_authorized_for_all_services(authdata *authinfo){ 00705 00706 /* if we're not using authentication, fake it */ 00707 if(use_authentication==FALSE) 00708 return TRUE; 00709 00710 /* if this user has not authenticated return error */ 00711 if(authinfo->authenticated==FALSE) 00712 return FALSE; 00713 00714 return authinfo->authorized_for_all_services; 00715 } 00716 00717 00718 /* check if current user is authorized to view system information */ 00719 int is_authorized_for_system_information(authdata *authinfo){ 00720 00721 /* if we're not using authentication, fake it */ 00722 if(use_authentication==FALSE) 00723 return TRUE; 00724 00725 /* if this user has not authenticated return error */ 00726 if(authinfo->authenticated==FALSE) 00727 return FALSE; 00728 00729 return authinfo->authorized_for_system_information; 00730 } 00731 00732 00733 /* check if current user is authorized to view configuration information */ 00734 int is_authorized_for_configuration_information(authdata *authinfo){ 00735 00736 /* if we're not using authentication, fake it */ 00737 if(use_authentication==FALSE) 00738 return TRUE; 00739 00740 /* if this user has not authenticated return error */ 00741 if(authinfo->authenticated==FALSE) 00742 return FALSE; 00743 00744 return authinfo->authorized_for_configuration_information; 00745 } 00746 00747 00748 /* check if current user is authorized to issue system commands */ 00749 int is_authorized_for_system_commands(authdata *authinfo){ 00750 00751 /* if we're not using authentication, fake it */ 00752 if(use_authentication==FALSE) 00753 return TRUE; 00754 00755 /* if this user has not authenticated return error */ 00756 if(authinfo->authenticated==FALSE) 00757 return FALSE; 00758 00759 return authinfo->authorized_for_system_commands; 00760 } 00761 00762 00763 /* check is the current user is authorized to issue commands relating to a particular service */ 00764 int is_authorized_for_service_commands(service *svc, authdata *authinfo){ 00765 host *temp_host; 00766 contact *temp_contact; 00767 00768 if(svc==NULL) 00769 return FALSE; 00770 00771 /* if we're not using authentication, fake it */ 00772 if(use_authentication==FALSE) 00773 return TRUE; 00774 00775 /* if this user has not authenticated return error */ 00776 if(authinfo->authenticated==FALSE) 00777 return FALSE; 00778 00779 /* the user is authorized if they have rights to the service */ 00780 if(is_authorized_for_service(svc,authinfo)==TRUE){ 00781 00782 /* find the host */ 00783 temp_host=find_host(svc->host_name); 00784 if(temp_host==NULL) 00785 return FALSE; 00786 00787 /* find the contact */ 00788 temp_contact=find_contact(authinfo->username); 00789 00790 /* reject if contact is not allowed to issue commands */ 00791 if(temp_contact && temp_contact->can_submit_commands==FALSE) 00792 return FALSE; 00793 00794 /* see if this user is a contact for the host */ 00795 if(is_contact_for_host(temp_host,temp_contact)==TRUE) 00796 return TRUE; 00797 00798 /* see if this user is an escalated contact for the host */ 00799 if(is_escalated_contact_for_host(temp_host,temp_contact)==TRUE) 00800 return TRUE; 00801 00802 /* this user is a contact for the service, so they have permission... */ 00803 if(is_contact_for_service(svc,temp_contact)==TRUE) 00804 return TRUE; 00805 00806 /* this user is an escalated contact for the service, so they have permission... */ 00807 if(is_escalated_contact_for_service(svc,temp_contact)==TRUE) 00808 return TRUE; 00809 00810 /* this user is not a contact for the host, so they must have been given explicit permissions to all service commands */ 00811 if(authinfo->authorized_for_all_service_commands==TRUE) 00812 return TRUE; 00813 } 00814 00815 return FALSE; 00816 } 00817 00818 00819 /* check is the current user is authorized to issue commands relating to a particular host */ 00820 int is_authorized_for_host_commands(host *hst, authdata *authinfo){ 00821 contact *temp_contact; 00822 00823 if(hst==NULL) 00824 return FALSE; 00825 00826 /* if we're not using authentication, fake it */ 00827 if(use_authentication==FALSE) 00828 return TRUE; 00829 00830 /* if this user has not authenticated return error */ 00831 if(authinfo->authenticated==FALSE) 00832 return FALSE; 00833 00834 /* the user is authorized if they have rights to the host */ 00835 if(is_authorized_for_host(hst,authinfo)==TRUE){ 00836 00837 /* find the contact */ 00838 temp_contact=find_contact(authinfo->username); 00839 00840 /* reject if contact is not allowed to issue commands */ 00841 if(temp_contact && temp_contact->can_submit_commands==FALSE) 00842 return FALSE; 00843 00844 /* this user is a contact for the host, so they have permission... */ 00845 if(is_contact_for_host(hst,temp_contact)==TRUE) 00846 return TRUE; 00847 00848 /* this user is an escalated contact for the host, so they have permission... */ 00849 if(is_escalated_contact_for_host(hst,temp_contact)==TRUE) 00850 return TRUE; 00851 00852 /* this user is not a contact for the host, so they must have been given explicit permissions to all host commands */ 00853 if(authinfo->authorized_for_all_host_commands==TRUE) 00854 return TRUE; 00855 } 00856 00857 return FALSE; 00858 } 00859 00860