Icinga-core 1.4.0
next gen monitoring
cgi/cgiauth.c
Go to the documentation of this file.
00001 /*****************************************************************************
00002  *
00003  * CGIAUTH.C - Authorization utilities for Icinga CGIs
00004  *
00005  * Copyright (c) 1999-2008 Ethan Galstad (egalstad@nagios.org)
00006  * Copyright (c) 2009-2011 Icinga Development Team (http://www.icinga.org)
00007  *
00008  * License:
00009  *
00010  * This program is free software; you can redistribute it and/or modify
00011  * it under the terms of the GNU General Public License version 2 as
00012  * published by the Free Software Foundation.
00013  *
00014  * This program is distributed in the hope that it will be useful,
00015  * but WITHOUT ANY WARRANTY; without even the implied warranty of
00016  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
00017  * GNU General Public License for more details.
00018  *
00019  * You should have received a copy of the GNU General Public License
00020  * along with this program; if not, write to the Free Software
00021  * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
00022  *
00023  *****************************************************************************/
00024 
00025 #include "../include/config.h"
00026 #include "../include/common.h"
00027 #include "../include/objects.h"
00028 
00029 #include "../include/cgiutils.h"
00030 #include "../include/cgiauth.h"
00031 
00032 extern char            main_config_file[MAX_FILENAME_LENGTH];
00033 
00034 extern hostgroup       *hostgroup_list;
00035 extern servicegroup    *servicegroup_list;
00036 
00037 extern int             use_authentication;
00038 extern int             use_ssl_authentication;
00039 
00040 extern int             show_all_services_host_is_authorized_for;
00041 
00042 /* get current authentication information */
00043 int get_authentication_information(authdata *authinfo){
00044         mmapfile *thefile;
00045         char *input=NULL;
00046         char *temp_ptr;
00047 
00048         if(authinfo==NULL)
00049                 return ERROR;
00050 
00051         /* initial values... */
00052         authinfo->authorized_for_all_hosts=FALSE;
00053         authinfo->authorized_for_all_host_commands=FALSE;
00054         authinfo->authorized_for_all_services=FALSE;
00055         authinfo->authorized_for_all_service_commands=FALSE;
00056         authinfo->authorized_for_system_information=FALSE;
00057         authinfo->authorized_for_system_commands=FALSE;
00058         authinfo->authorized_for_configuration_information=FALSE;
00059         authinfo->authorized_for_read_only=FALSE;
00060         authinfo->number_of_authentication_rules=0;
00061         authinfo->authentication_rules=NULL;
00062 
00063         /* grab username from the environment... */
00064         if(use_ssl_authentication) {
00065                 /* patch by Pawl Zuzelski - 7/22/08 */
00066                 temp_ptr=getenv("SSL_CLIENT_S_DN_CN");
00067         }
00068         else{
00069                 temp_ptr=getenv("REMOTE_USER");
00070         }
00071         if(temp_ptr==NULL){
00072                 authinfo->username="";
00073                 authinfo->authenticated=FALSE;
00074         }
00075         else{
00076                 authinfo->username=(char *)malloc(strlen(temp_ptr)+1);
00077                 if(authinfo->username==NULL)
00078                         authinfo->username="";
00079                 else
00080                         strcpy(authinfo->username,temp_ptr);
00081                 if(!strcmp(authinfo->username,""))
00082                         authinfo->authenticated=FALSE;
00083                 else
00084                         authinfo->authenticated=TRUE;
00085         }
00086 
00087         /* read in authorization override vars from config file... */
00088         if((thefile=mmap_fopen(get_cgi_config_location()))!=NULL){
00089 
00090                 while(1){
00091 
00092                         /* free memory */
00093                         free(input);
00094 
00095                         /* read the next line */
00096                         if((input=mmap_fgets_multiline(thefile))==NULL)
00097                                 break;
00098 
00099                         strip(input);
00100 
00101                         /* we don't have a username yet, so fake the authentication if we find a default username defined */
00102                         if(!strcmp(authinfo->username,"") && strstr(input,"default_user_name=")==input){
00103                                 temp_ptr=strtok(input,"=");
00104                                 temp_ptr=strtok(NULL,",");
00105 
00106                                 if(temp_ptr==NULL){
00107                                         authinfo->username="";
00108                                         authinfo->authenticated=FALSE;
00109                                 }
00110                                 else{
00111                                         authinfo->username=(char *)malloc(strlen(temp_ptr)+1);
00112                                         if(authinfo->username==NULL)
00113                                                 authinfo->username="";
00114                                         else
00115                                                 strcpy(authinfo->username,temp_ptr);
00116                                         if(!strcmp(authinfo->username,""))
00117                                                 authinfo->authenticated=FALSE;
00118                                         else
00119                                                 authinfo->authenticated=TRUE;
00120                                 }
00121                         }
00122 
00123                         else if(strstr(input,"authorized_for_all_hosts=")==input){
00124                                 temp_ptr=strtok(input,"=");
00125                                 while((temp_ptr=strtok(NULL,","))){
00126                                         if(!strcmp(temp_ptr,authinfo->username) || !strcmp(temp_ptr,"*"))
00127                                                 authinfo->authorized_for_all_hosts=TRUE;
00128                                 }
00129                         }
00130                         else if(strstr(input,"authorized_for_all_services=")==input){
00131                                 temp_ptr=strtok(input,"=");
00132                                 while((temp_ptr=strtok(NULL,","))){
00133                                         if(!strcmp(temp_ptr,authinfo->username) || !strcmp(temp_ptr,"*"))
00134                                                 authinfo->authorized_for_all_services=TRUE;
00135                                 }
00136                         }
00137                         else if(strstr(input,"authorized_for_system_information=")==input){
00138                                 temp_ptr=strtok(input,"=");
00139                                 while((temp_ptr=strtok(NULL,","))){
00140                                         if(!strcmp(temp_ptr,authinfo->username) || !strcmp(temp_ptr,"*"))
00141                                                 authinfo->authorized_for_system_information=TRUE;
00142                                 }
00143                         }
00144                         else if(strstr(input,"authorized_for_configuration_information=")==input){
00145                                 temp_ptr=strtok(input,"=");
00146                                 while((temp_ptr=strtok(NULL,","))){
00147                                         if(!strcmp(temp_ptr,authinfo->username) || !strcmp(temp_ptr,"*"))
00148                                                 authinfo->authorized_for_configuration_information=TRUE;
00149                                 }
00150                         }
00151                         else if(strstr(input,"authorized_for_all_host_commands=")==input){
00152                                 temp_ptr=strtok(input,"=");
00153                                 while((temp_ptr=strtok(NULL,","))){
00154                                         if(!strcmp(temp_ptr,authinfo->username) || !strcmp(temp_ptr,"*"))
00155                                                 authinfo->authorized_for_all_host_commands=TRUE;
00156                                 }
00157                         }
00158                         else if(strstr(input,"authorized_for_all_service_commands=")==input){
00159                                 temp_ptr=strtok(input,"=");
00160                                 while((temp_ptr=strtok(NULL,","))){
00161                                         if(!strcmp(temp_ptr,authinfo->username) || !strcmp(temp_ptr,"*"))
00162                                                 authinfo->authorized_for_all_service_commands=TRUE;
00163                                 }
00164                         }
00165                         else if(strstr(input,"authorized_for_system_commands=")==input){
00166                                 temp_ptr=strtok(input,"=");
00167                                 while((temp_ptr=strtok(NULL,","))){
00168                                         if(!strcmp(temp_ptr,authinfo->username) || !strcmp(temp_ptr,"*"))
00169                                                 authinfo->authorized_for_system_commands=TRUE;
00170                                 }
00171                         }
00172                         else if(strstr(input,"authorized_for_read_only=")==input){
00173                                 temp_ptr=strtok(input,"=");
00174                                 while((temp_ptr=strtok(NULL,","))){
00175                                         if(!strcmp(temp_ptr,authinfo->username) || !strcmp(temp_ptr,"*"))
00176                                                 authinfo->authorized_for_read_only=TRUE;
00177                                 }
00178                         }
00179                         else if(strstr(input,"authorization_config_file=")==input){
00180                                 temp_ptr=strtok(input,"=");
00181                                 temp_ptr=strtok(NULL,"\n");
00182                                 if(temp_ptr!=NULL)
00183                                         parse_authorization_config_file(temp_ptr, authinfo);
00184                         }
00185                 }
00186 
00187                 /* free memory and close the file */
00188                 free(input);
00189                 mmap_fclose(thefile);
00190         }
00191 
00192         if(authinfo->authenticated==TRUE)
00193                 return OK;
00194         else
00195                 return ERROR;
00196 }
00197 
00198 /* parsing authorization configuration file */
00199 int parse_authorization_config_file(char* filename, authdata* authinfo){
00200         mmapfile *thefile;
00201         char *input=NULL;
00202         char *temp_ptr=NULL;
00203         char *temp_rule=NULL;
00204         char *role=NULL;
00205         char *roles=NULL;
00206         char *roles_tmp=NULL;
00207         char test_char[2];
00208         int role_match=FALSE;
00209 
00210         /* Shibboleth environment variable */
00211         if(getenv("entitlement")==NULL){
00212                 printf("<P><DIV CLASS='errorMessage'>Authorization information: entitlement variable is empty</DIV></P>");
00213                 return ERROR;
00214         }
00215 
00216         roles=getenv("entitlement");
00217 
00218         roles_tmp=(char *)malloc(strlen(roles)+1);
00219 
00220         /* read in authorization config file */
00221         if((thefile=mmap_fopen(filename))!=NULL){
00222 
00223                 while(1){
00224                         /* read the next line */
00225                         if((input=mmap_fgets_multiline(thefile))==NULL)
00226                                 break;
00227 
00228                         strip(input);
00229 
00230                         test_char[0]=input[0];
00231                         test_char[1]='\0';
00232 
00233                         /* ignore comment */
00234                         if(strcmp(test_char,"#")==0)
00235                                 continue;
00236 
00237                         temp_ptr=strtok(input,"=");
00238 
00239                         if(temp_ptr==NULL)
00240                                 continue;
00241 
00242                          temp_rule=strtok(NULL,"=");
00243 
00244                         if (temp_rule==NULL)
00245                                 continue;
00246 
00247                         strcpy(roles_tmp,roles);
00248                         role=strtok(roles_tmp,";");
00249 
00250                         while(role!=NULL){
00251 
00252                                 if(strcmp(role,temp_ptr)==0){
00253                                         role_match=TRUE;
00254                                         break;
00255                                 }
00256 
00257                                 role=strtok(NULL,";");
00258                         }
00259 
00260                         if(role_match==FALSE)
00261                                  continue;
00262 
00263                         authinfo->number_of_authentication_rules++;
00264                         strip(temp_rule);
00265 
00266                         /* increment the authentication_rules array */
00267                         authinfo->authentication_rules=realloc(authinfo->authentication_rules, (sizeof(char*)) * authinfo->number_of_authentication_rules);
00268 
00269                         if(authinfo->authentication_rules==NULL)
00270                                 return ERROR;
00271 
00272                         authinfo->authentication_rules[authinfo->number_of_authentication_rules-1]=malloc(sizeof(char) * (strlen(temp_rule)+1));
00273                         strcpy(authinfo->authentication_rules[authinfo->number_of_authentication_rules-1], temp_rule);
00274                 }
00275 
00276                 /* free memory and close the file */
00277                 free(input);
00278                 mmap_fclose(thefile);
00279         }
00280 
00281         free(roles_tmp);
00282 
00283         return OK;
00284 }
00285 
00286 /* set default authz permissions */
00287 int set_authz_permissions(char* permission, authdata* authinfo){
00288 
00289         if(strcmp(permission,"r")==0){ /* only read permissions */
00290                 authinfo->authorized_for_read_only=TRUE;
00291                 authinfo->authorized_for_system_information=TRUE;
00292                 authinfo->authorized_for_configuration_information=TRUE;
00293                 authinfo->authorized_for_system_commands=FALSE;
00294                 authinfo->authorized_for_all_service_commands=FALSE;
00295                 authinfo->authorized_for_all_host_commands=FALSE;
00296         } else if(strcmp(permission,"w")==0){ /* read + write permissions */
00297                 authinfo->authorized_for_read_only=FALSE;
00298                 authinfo->authorized_for_system_information=TRUE;
00299                 authinfo->authorized_for_system_commands=TRUE;
00300                 authinfo->authorized_for_configuration_information=TRUE;
00301                 authinfo->authorized_for_all_service_commands=TRUE;
00302                 authinfo->authorized_for_all_host_commands=TRUE;
00303         }
00304 
00305         return TRUE;
00306 }
00307 
00308 /* check if user is authorized to view information about a particular host */
00309 int is_authorized_for_host(host *hst, authdata *authinfo){
00310         contact *temp_contact;
00311         char *host_list=NULL;
00312         char *host_list2=NULL;
00313         char *list_tmp=NULL;
00314         char *list_tmp2=NULL;
00315         char *host2=NULL;
00316         char *tmp=NULL;
00317         char *tmp_permission=NULL;
00318         char *tmp_service=NULL;
00319         char *hg_name=NULL;
00320         int i;
00321         int j;
00322         char permission[2];
00323         int ok=FALSE;
00324         int is_ok=FALSE;
00325 
00326         if(hst==NULL)
00327                 return FALSE;
00328 
00329         /* if we're not using authentication, fake it */
00330         if(use_authentication==FALSE)
00331                 return TRUE;
00332 
00333         /* if this user has not authenticated return error */
00334         if(authinfo->authenticated==FALSE)
00335                 return FALSE;
00336 
00337         /* if this user is authorized for all hosts, they are for this one... */
00338         if(is_authorized_for_all_hosts(authinfo)==TRUE)
00339                 return TRUE;
00340 
00341         /* find the contact */
00342         temp_contact=find_contact(authinfo->username);
00343 
00344         /* see if this user is a contact for the host */
00345         if(is_contact_for_host(hst,temp_contact)==TRUE)
00346                 return TRUE;
00347 
00348         /* see if this user is an escalated contact for the host */
00349         if(is_escalated_contact_for_host(hst,temp_contact)==TRUE)
00350                 return TRUE;
00351 
00352         /* authz parsing */
00353         if(authinfo->number_of_authentication_rules!=0){
00354 
00355                 strcpy(permission, "r");
00356 
00357                 for(i=0; i<authinfo->number_of_authentication_rules; i++){
00358 
00359                         list_tmp=malloc(strlen(authinfo->authentication_rules[i])+1);
00360                         strcpy(list_tmp, authinfo->authentication_rules[i]);
00361                         strip(list_tmp);
00362 
00363                         /* for this situation: :service:r */
00364                         if(list_tmp[0]==':')
00365                                 continue;
00366 
00367                         /* "w" is the maximum  permission, do not need continue */
00368                         if(strcmp(permission,"w")==0)
00369                                 break;
00370 
00371                         host_list=strtok(list_tmp,":");
00372 
00373                         host_list2=malloc(strlen(host_list)+1);
00374                         strcpy(host_list2,host_list);
00375 
00376                         tmp_service=strtok(NULL,":");
00377                         tmp_permission=strtok(NULL,":");
00378                         host2=strtok(host_list2,",");
00379 
00380                         while(host2!=NULL){
00381 
00382                                 list_tmp2=malloc(strlen(host2)+1);
00383                                 strcpy(list_tmp2,host2);
00384                                 strip(list_tmp2);
00385 
00386                                 /* host group parsing */
00387                                 if(list_tmp2[0]=='@'){
00388                                         hg_name=malloc(strlen(list_tmp2)+1);
00389                                         strcpy(hg_name,list_tmp2);
00390 
00391                                         for(j=0; j<strlen(hg_name); j++)
00392                                                 hg_name[j]=hg_name[j+1];
00393 
00394                                         if(is_host_member_of_hostgroup(find_hostgroup(hg_name),hst)==TRUE){
00395                                                 is_ok=TRUE;
00396                                         } else {
00397                                                 host2=strtok(NULL,",");
00398                                                 free(hg_name);
00399                                                 continue;
00400                                         }
00401 
00402                                         free(hg_name);
00403                                 }
00404 
00405                                 if(strcmp(list_tmp2,hst->name)==0 || strcmp(list_tmp2,"*")==0)
00406                                         is_ok=TRUE;
00407 
00408                                 if(is_ok==TRUE){
00409 
00410                                         /* for this situation: host::r */
00411                                         if(tmp_permission==NULL)
00412                                                 tmp_permission=tmp_service;
00413 
00414                                         if(tmp_permission!=NULL){
00415                                                 tmp=malloc(strlen(tmp_permission)+1);
00416                                                 strcpy(tmp,tmp_permission);
00417                                                 strip(tmp); /* "w" will overwrite "r" permission */
00418 
00419                                                 if(strcmp(permission,"r")==0 && strcmp(tmp,"w")==0){
00420                                                         strcpy(permission,"w");
00421                                                 }
00422 
00423                                                 free(tmp);
00424                                         }
00425 
00426                                         ok=TRUE;
00427                                 }
00428 
00429                                 host2=strtok(NULL,",");
00430                                 free(list_tmp2);
00431                         }
00432 
00433                         free(list_tmp);
00434                         free(host_list2);
00435                 }
00436 
00437                 if(ok==TRUE){
00438                         set_authz_permissions(permission,authinfo);
00439                         return TRUE;
00440                 }
00441 
00442         } /* end of authz parsing */
00443 
00444         return FALSE;
00445 }
00446 
00447 
00448 /* check if user is authorized to view information about all hosts in a particular hostgroup */
00449 int is_authorized_for_hostgroup(hostgroup *hg, authdata *authinfo){
00450         hostsmember *temp_hostsmember;
00451         host *temp_host;
00452 
00453         if(hg==NULL)
00454                 return FALSE;
00455 
00456         /* CHANGED in 2.0 - user must be authorized for ALL hosts in a hostgroup, not just one */
00457         /* see if user is authorized for all hosts in the hostgroup */
00458         for(temp_hostsmember=hg->members;temp_hostsmember!=NULL;temp_hostsmember=temp_hostsmember->next){
00459                 temp_host=find_host(temp_hostsmember->host_name);
00460                 if(is_authorized_for_host(temp_host,authinfo)==FALSE)
00461                         return FALSE;
00462                 }
00463 
00464         return TRUE;
00465         }
00466 
00467 
00468 
00469 /* check if user is authorized to view information about all services in a particular servicegroup */
00470 int is_authorized_for_servicegroup(servicegroup *sg, authdata *authinfo){
00471         servicesmember *temp_servicesmember;
00472         service *temp_service;
00473 
00474         if(sg==NULL)
00475                 return FALSE;
00476 
00477         /* see if user is authorized for all services in the servicegroup */
00478         for(temp_servicesmember=sg->members;temp_servicesmember!=NULL;temp_servicesmember=temp_servicesmember->next){
00479                 temp_service=find_service(temp_servicesmember->host_name,temp_servicesmember->service_description);
00480                 if(is_authorized_for_service(temp_service,authinfo)==FALSE)
00481                         return FALSE;
00482                 }
00483 
00484         return TRUE;
00485         }
00486 
00487 /* check if current user is restricted to read only */
00488 int is_authorized_for_read_only(authdata *authinfo){
00489 
00490         /* if we're not using authentication, fake it */
00491         if(use_authentication==FALSE)
00492                 return FALSE;
00493 
00494         /* if this user has not authenticated return error */
00495         if(authinfo->authenticated==FALSE)
00496                 return FALSE;
00497 
00498         return authinfo->authorized_for_read_only;
00499         }
00500 
00501 /* check if user is authorized to view information about a particular service */
00502 int is_authorized_for_service(service *svc, authdata *authinfo){
00503         host *temp_host=NULL;
00504         contact *temp_contact=NULL;
00505         char *host_list=NULL;
00506         char *host_list2=NULL;
00507         char *service_list=NULL;
00508         char *list_tmp=NULL;
00509         char *service=NULL;
00510         char *host2=NULL;
00511         char *read_only=NULL;
00512         char *list_tmp2=NULL;
00513         char *list_tmp3=NULL;
00514         char *list_tmp4=NULL;
00515         char *sg_name=NULL;
00516         char *hg_name=NULL;
00517         int i=0;
00518         int j=0;
00519         int ok=FALSE;
00520         int is_ok=FALSE;
00521         int is_ok2=FALSE;
00522         char permission[2];
00523 
00524         if(svc==NULL)
00525                 return FALSE;
00526 
00527         /* if we're not using authentication, fake it */
00528         if(use_authentication==FALSE)
00529                 return TRUE;
00530 
00531         /* if this user has not authenticated return error */
00532         if(authinfo->authenticated==FALSE)
00533                 return FALSE;
00534 
00535         /* if this user is authorized for all services, they are for this one... */
00536         if(is_authorized_for_all_services(authinfo)==TRUE)
00537                 return TRUE;
00538 
00539         /* find the host */
00540         temp_host=find_host(svc->host_name);
00541         if(temp_host==NULL)
00542                 return FALSE;
00543 
00544         /* if this user is authorized for this host, they are for all services on it as well... */
00545         /* 06-02-2010 added config option, if set FALSE, this condition won't match and
00546            user must be authorized for the services too in order to view them                   */
00547 
00548         if(is_authorized_for_host(temp_host,authinfo)==TRUE){
00549 
00550                 /* first off, let attribute based auth decide, then show_all_services_host_is_authorized_for==TRUE */
00551 
00552                 /* authz parsing */
00553                 if (authinfo->number_of_authentication_rules!=0){
00554                         strcpy(permission,"r");
00555 
00556                         for(i=0; i<authinfo->number_of_authentication_rules; i++){
00557 
00558                                 /* "w" is the maximum  permission, do not need continue */
00559                                 if (strcmp(permission,"w") == 0) break;
00560 
00561                                 list_tmp=malloc(strlen(authinfo->authentication_rules[i])+1);
00562                                 strcpy(list_tmp,authinfo->authentication_rules[i]);
00563 
00564                                 host_list=strtok(list_tmp,":");
00565 
00566                                 host_list2=malloc(strlen(host_list)+1);
00567                                 strcpy(host_list2,host_list);
00568 
00569                                 service_list=strtok(NULL,":");
00570                                 read_only=strtok(NULL,":");
00571                                 service=strtok(service_list,",");
00572 
00573                                 while (service!=NULL) {
00574                                         list_tmp2=malloc(strlen(service)+1);
00575                                         strcpy(list_tmp2,service);
00576                                         strip(list_tmp2);
00577 
00578                                         /* service group parsing */
00579                                         if (list_tmp2[0]=='@') {
00580                                                 sg_name=malloc(strlen(list_tmp2)+1);
00581                                                 strcpy(sg_name,list_tmp2);
00582 
00583                                                 for (j=0; j<strlen(sg_name); j++)
00584                                                         sg_name[j]=sg_name[j+1];
00585 
00586                                                 if (is_service_member_of_servicegroup(find_servicegroup(sg_name),svc)==TRUE){
00587                                                         is_ok2=TRUE;
00588                                                 } else {
00589                                                         service=strtok(NULL,",");
00590                                                         free(sg_name);
00591                                                         continue;
00592                                                 }
00593 
00594                                                 free(sg_name);
00595                                         }
00596 
00597                                         if (strcmp(list_tmp2,svc->display_name)==0 || strcmp(list_tmp2, "*")==0)
00598                                                 is_ok2=TRUE;
00599 
00600                                         if (is_ok2==TRUE){
00601                                                 host2=strtok(host_list2,",");
00602 
00603                                                 while (host2!=NULL){
00604                                                         list_tmp3=malloc(strlen(host2)+1);
00605                                                         strcpy(list_tmp3,host2);
00606                                                         strip(list_tmp3);
00607 
00608                                                         /* host group parsing */
00609                                                         if (list_tmp3[0]=='@') {
00610                                                                 hg_name=malloc(strlen(list_tmp3)+1);
00611                                                                 strcpy(hg_name,list_tmp3);
00612 
00613                                                                 for (j=0; j<strlen(hg_name); j++)
00614                                                                         hg_name[j]=hg_name[j+1];
00615 
00616                                                                 if (is_host_member_of_hostgroup(find_hostgroup(hg_name), temp_host)==TRUE){
00617                                                                         is_ok=TRUE;
00618                                                                 } else {
00619                                                                         host2=strtok(NULL,",");
00620                                                                         free(hg_name);
00621                                                                         continue;
00622                                                                 }
00623 
00624                                                                 free(hg_name);
00625                                                         }
00626 
00627                                                         if (strcmp(list_tmp2,svc->host_name)==0 || strcmp(list_tmp2, "*")==0)
00628                                                                 is_ok=TRUE;
00629 
00630                                                         if (is_ok==TRUE){
00631                                                                 if (read_only!=NULL){
00632                                                                         list_tmp4=malloc(strlen(read_only)+1);
00633                                                                         strcpy(list_tmp4,read_only);
00634                                                                         strip(list_tmp4); /* "w" will overwrite "r" permission */
00635 
00636                                                                         if (strcmp(permission,"r")==0 && strcmp(list_tmp4,"w")==0){
00637                                                                                 strcpy(permission,"w");
00638                                                                         }
00639 
00640                                                                         free(list_tmp4);
00641                                                                 }
00642 
00643                                                                 ok=TRUE;
00644                                                         }
00645 
00646                                                         host2=strtok(NULL,",");
00647                                                         free(list_tmp3);
00648                                                 }
00649                                         }
00650 
00651                                         service=strtok(NULL,",");
00652                                         free(list_tmp2);
00653                                 }
00654 
00655                                 free(list_tmp);
00656                                 free(host_list2);
00657                         }
00658 
00659                         if (ok==TRUE){
00660                                 set_authz_permissions(permission, authinfo);
00661                                 return TRUE;
00662                         }
00663 
00664                 } /* end of authz parsing */
00665                 else {
00666                         /* user does not need to be authorized for the services too in order to view them? */
00667                         if(show_all_services_host_is_authorized_for==TRUE){
00668                                 return TRUE;
00669                         }
00670                 }
00671         }
00672 
00673         /* find the contact */
00674         temp_contact=find_contact(authinfo->username);
00675 
00676         /* see if this user is a contact for the service */
00677         if(is_contact_for_service(svc,temp_contact)==TRUE)
00678                 return TRUE;
00679 
00680         /* see if this user is an escalated contact for the service */
00681         if(is_escalated_contact_for_service(svc,temp_contact)==TRUE)
00682                 return TRUE;
00683 
00684         return FALSE;
00685         }
00686 
00687 
00688 /* check if current user is authorized to view information on all hosts */
00689 int is_authorized_for_all_hosts(authdata *authinfo){
00690 
00691         /* if we're not using authentication, fake it */
00692         if(use_authentication==FALSE)
00693                 return TRUE;
00694 
00695         /* if this user has not authenticated return error */
00696         if(authinfo->authenticated==FALSE)
00697                 return FALSE;
00698 
00699         return authinfo->authorized_for_all_hosts;
00700         }
00701 
00702 
00703 /* check if current user is authorized to view information on all service */
00704 int is_authorized_for_all_services(authdata *authinfo){
00705 
00706         /* if we're not using authentication, fake it */
00707         if(use_authentication==FALSE)
00708                 return TRUE;
00709 
00710         /* if this user has not authenticated return error */
00711         if(authinfo->authenticated==FALSE)
00712                 return FALSE;
00713 
00714         return authinfo->authorized_for_all_services;
00715         }
00716 
00717 
00718 /* check if current user is authorized to view system information */
00719 int is_authorized_for_system_information(authdata *authinfo){
00720 
00721         /* if we're not using authentication, fake it */
00722         if(use_authentication==FALSE)
00723                 return TRUE;
00724 
00725         /* if this user has not authenticated return error */
00726         if(authinfo->authenticated==FALSE)
00727                 return FALSE;
00728 
00729         return authinfo->authorized_for_system_information;
00730         }
00731 
00732 
00733 /* check if current user is authorized to view configuration information */
00734 int is_authorized_for_configuration_information(authdata *authinfo){
00735 
00736         /* if we're not using authentication, fake it */
00737         if(use_authentication==FALSE)
00738                 return TRUE;
00739 
00740         /* if this user has not authenticated return error */
00741         if(authinfo->authenticated==FALSE)
00742                 return FALSE;
00743 
00744         return authinfo->authorized_for_configuration_information;
00745         }
00746 
00747 
00748 /* check if current user is authorized to issue system commands */
00749 int is_authorized_for_system_commands(authdata *authinfo){
00750 
00751         /* if we're not using authentication, fake it */
00752         if(use_authentication==FALSE)
00753                 return TRUE;
00754 
00755         /* if this user has not authenticated return error */
00756         if(authinfo->authenticated==FALSE)
00757                 return FALSE;
00758 
00759         return authinfo->authorized_for_system_commands;
00760         }
00761 
00762 
00763 /* check is the current user is authorized to issue commands relating to a particular service */
00764 int is_authorized_for_service_commands(service *svc, authdata *authinfo){
00765         host *temp_host;
00766         contact *temp_contact;
00767 
00768         if(svc==NULL)
00769                 return FALSE;
00770 
00771         /* if we're not using authentication, fake it */
00772         if(use_authentication==FALSE)
00773                 return TRUE;
00774 
00775         /* if this user has not authenticated return error */
00776         if(authinfo->authenticated==FALSE)
00777                 return FALSE;
00778 
00779         /* the user is authorized if they have rights to the service */
00780         if(is_authorized_for_service(svc,authinfo)==TRUE){
00781 
00782                 /* find the host */
00783                 temp_host=find_host(svc->host_name);
00784                 if(temp_host==NULL)
00785                         return FALSE;
00786 
00787                 /* find the contact */
00788                 temp_contact=find_contact(authinfo->username);
00789 
00790                 /* reject if contact is not allowed to issue commands */
00791                 if(temp_contact && temp_contact->can_submit_commands==FALSE)
00792                         return FALSE;
00793 
00794                 /* see if this user is a contact for the host */
00795                 if(is_contact_for_host(temp_host,temp_contact)==TRUE)
00796                         return TRUE;
00797 
00798                 /* see if this user is an escalated contact for the host */
00799                 if(is_escalated_contact_for_host(temp_host,temp_contact)==TRUE)
00800                         return TRUE;
00801 
00802                 /* this user is a contact for the service, so they have permission... */
00803                 if(is_contact_for_service(svc,temp_contact)==TRUE)
00804                         return TRUE;
00805 
00806                 /* this user is an escalated contact for the service, so they have permission... */
00807                 if(is_escalated_contact_for_service(svc,temp_contact)==TRUE)
00808                         return TRUE;
00809 
00810                 /* this user is not a contact for the host, so they must have been given explicit permissions to all service commands */
00811                 if(authinfo->authorized_for_all_service_commands==TRUE)
00812                         return TRUE;
00813                 }
00814 
00815         return FALSE;
00816         }
00817 
00818 
00819 /* check is the current user is authorized to issue commands relating to a particular host */
00820 int is_authorized_for_host_commands(host *hst, authdata *authinfo){
00821         contact *temp_contact;
00822 
00823         if(hst==NULL)
00824                 return FALSE;
00825 
00826         /* if we're not using authentication, fake it */
00827         if(use_authentication==FALSE)
00828                 return TRUE;
00829 
00830         /* if this user has not authenticated return error */
00831         if(authinfo->authenticated==FALSE)
00832                 return FALSE;
00833 
00834         /* the user is authorized if they have rights to the host */
00835         if(is_authorized_for_host(hst,authinfo)==TRUE){
00836 
00837                 /* find the contact */
00838                 temp_contact=find_contact(authinfo->username);
00839 
00840                 /* reject if contact is not allowed to issue commands */
00841                 if(temp_contact && temp_contact->can_submit_commands==FALSE)
00842                         return FALSE;
00843 
00844                 /* this user is a contact for the host, so they have permission... */
00845                 if(is_contact_for_host(hst,temp_contact)==TRUE)
00846                         return TRUE;
00847 
00848                 /* this user is an escalated contact for the host, so they have permission... */
00849                 if(is_escalated_contact_for_host(hst,temp_contact)==TRUE)
00850                         return TRUE;
00851 
00852                 /* this user is not a contact for the host, so they must have been given explicit permissions to all host commands */
00853                 if(authinfo->authorized_for_all_host_commands==TRUE)
00854                         return TRUE;
00855                 }
00856 
00857         return FALSE;
00858         }
00859 
00860 
 All Data Structures Files Functions Variables Typedefs Defines