Blob

Date:
Message:
implement per-repository read/write authorization rules in gotd ok op@
Actions:
History | Blame | Raw File
1 /*

2  * Copyright (c) 2022 Stefan Sperling <stsp@openbsd.org>

3  * Copyright (c) 2016-2019, 2020-2021 Tracey Emery <tracey@traceyemery.net>

4  * Copyright (c) 2004, 2005 Esben Norby <norby@openbsd.org>

5  * Copyright (c) 2004 Ryan McBride <mcbride@openbsd.org>

6  * Copyright (c) 2002, 2003, 2004 Henning Brauer <henning@openbsd.org>

7  * Copyright (c) 2001 Markus Friedl.  All rights reserved.

8  * Copyright (c) 2001 Daniel Hartmeier.  All rights reserved.

9  * Copyright (c) 2001 Theo de Raadt.  All rights reserved.

10  *

11  * Permission to use, copy, modify, and distribute this software for any

12  * purpose with or without fee is hereby granted, provided that the above

13  * copyright notice and this permission notice appear in all copies.

14  *

15  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES

16  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF

17  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR

18  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES

19  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN

20  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF

21  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

22  */

24 %{

25 #include <sys/time.h>

26 #include <sys/types.h>

27 #include <sys/queue.h>

28 #include <sys/stat.h>

30 #include <ctype.h>

31 #include <err.h>

32 #include <errno.h>

33 #include <event.h>

34 #include <imsg.h>

35 #include <limits.h>

36 #include <sha1.h>

37 #include <stdarg.h>

38 #include <stdlib.h>

39 #include <stdio.h>

40 #include <string.h>

41 #include <syslog.h>

42 #include <unistd.h>

44 #include "got_error.h"

45 #include "got_path.h"

47 #include "log.h"

48 #include "gotd.h"

50 TAILQ_HEAD(files, file)		 files = TAILQ_HEAD_INITIALIZER(files);

51 static struct file {

52 	TAILQ_ENTRY(file)	 entry;

53 	FILE			*stream;

54 	char			*name;

55 	int			 lineno;

56 	int			 errors;

57 } *file;

58 struct file	*newfile(const char *, int);

59 static void	 closefile(struct file *);

60 int		 check_file_secrecy(int, const char *);

61 int		 yyparse(void);

62 int		 yylex(void);

63 int		 yyerror(const char *, ...)

64     __attribute__((__format__ (printf, 1, 2)))

65     __attribute__((__nonnull__ (1)));

66 int		 kw_cmp(const void *, const void *);

67 int		 lookup(char *);

68 int		 lgetc(int);

69 int		 lungetc(int);

70 int		 findeol(void);

72 TAILQ_HEAD(symhead, sym)	 symhead = TAILQ_HEAD_INITIALIZER(symhead);

73 struct sym {

74 	TAILQ_ENTRY(sym)	 entry;

75 	int			 used;

76 	int			 persist;

77 	char			*nam;

78 	char			*val;

79 };

81 int	 symset(const char *, const char *, int);

82 char	*symget(const char *);

84 static int		 errors;

86 static struct gotd		*gotd;

87 static struct gotd_repo		*new_repo;

88 static struct gotd_repo		*conf_new_repo(const char *);

89 static enum gotd_procid		 gotd_proc_id;

91 typedef struct {

92 	union {

93 		long long	 number;

94 		char		*string;

95 	} v;

96 	int lineno;

97 } YYSTYPE;

99 %}

101 %token	PATH ERROR ON UNIX_SOCKET UNIX_GROUP USER REPOSITORY PERMIT DENY

103 %token	<v.string>	STRING

104 %token	<v.number>	NUMBER

105 %type	<v.number>	boolean

107 %%

109 grammar		:

110 		| grammar '\n'

111 		| grammar main '\n'

112 		| grammar repository '\n'

115 boolean		: STRING {

116 			if (strcasecmp($1, "1") == 0 ||

117 			    strcasecmp($1, "yes") == 0 ||

118 			    strcasecmp($1, "on") == 0)

119 				$$ = 1;

120 			else if (strcasecmp($1, "0") == 0 ||

121 			    strcasecmp($1, "off") == 0 ||

122 			    strcasecmp($1, "no") == 0)

123 				$$ = 0;

124 			else {

125 				yyerror("invalid boolean value '%s'", $1);

126 				free($1);

127 				YYERROR;

129 			free($1);

131 		| ON { $$ = 1; }

132 		| NUMBER { $$ = $1; }

135 main		: UNIX_SOCKET STRING {

136 			if (gotd_proc_id == PROC_GOTD) {

137 				if (strlcpy(gotd->unix_socket_path, $2,

138 				    sizeof(gotd->unix_socket_path)) >=

139 				    sizeof(gotd->unix_socket_path)) {

140 					yyerror("%s: unix socket path too long",

141 					    __func__);

142 					free($2);

143 					YYERROR;

146 			free($2);

148 		| UNIX_GROUP STRING {

149 			if (strlcpy(gotd->unix_group_name, $2,

150 			    sizeof(gotd->unix_group_name)) >=

151 			    sizeof(gotd->unix_group_name)) {

152 				yyerror("%s: unix group name too long",

153 				    __func__);

154 				free($2);

155 				YYERROR;

157 			free($2);

159 		| USER STRING {

160 			if (strlcpy(gotd->user_name, $2,

161 			    sizeof(gotd->user_name)) >=

162 			    sizeof(gotd->user_name)) {

163 				yyerror("%s: user name too long", __func__);

164 				free($2);

165 				YYERROR;

167 			free($2);

171 repository	: REPOSITORY STRING {

172 			struct gotd_repo *repo;

174 			TAILQ_FOREACH(repo, &gotd->repos, entry) {

175 				if (strcmp(repo->name, $2) == 0) {

176 					yyerror("duplicate repository '%s'", $2);

177 					free($2);

178 					YYERROR;

182 			if (gotd_proc_id == PROC_GOTD) {

183 				new_repo = conf_new_repo($2);

185 			free($2);

187 		| REPOSITORY STRING {

188 			struct gotd_repo *repo;

190 			TAILQ_FOREACH(repo, &gotd->repos, entry) {

191 				if (strcmp(repo->name, $2) == 0) {

192 					yyerror("duplicate repository '%s'", $2);

193 					free($2);

194 					YYERROR;

198 			if (gotd_proc_id == PROC_GOTD) {

199 				new_repo = conf_new_repo($2);

201 			free($2);

202 		} '{' optnl repoopts2 '}' {

206 repoopts1	: PATH STRING {

207 			if (gotd_proc_id == PROC_GOTD) {

208 				if (!got_path_is_absolute($2)) {

209 					yyerror("%s: path %s is not absolute",

210 					    __func__, $2);

211 					free($2);

212 					YYERROR;

214 				if (strlcpy(new_repo->path, $2,

215 				    sizeof(new_repo->path)) >=

216 				    sizeof(new_repo->path)) {

217 					yyerror("%s: path truncated", __func__);

218 					free($2);

219 					YYERROR;

222 			free($2);

224 		| PERMIT RO STRING {

225 			if (gotd_proc_id == PROC_GOTD) {

226 				conf_new_access_rule(new_repo,

227 				    GOTD_ACCESS_PERMITTED, GOTD_AUTH_READ, $3);

230 		| PERMIT RW STRING {

231 			if (gotd_proc_id == PROC_GOTD) {

232 				conf_new_access_rule(new_repo,

233 				    GOTD_ACCESS_PERMITTED,

234 				    GOTD_AUTH_READ | GOTD_AUTH_WRITE, $3);

237 		| DENY STRING {

238 			if (gotd_proc_id == PROC_GOTD) {

239 				conf_new_access_rule(new_repo,

240 				    GOTD_ACCESS_DENIED, 0, $2);

245 repoopts2	: repoopts2 repoopts1 nl

246 		| repoopts1 optnl

249 nl		: '\n' optnl

252 optnl		: '\n' optnl		/* zero or more newlines */

253 		| /* empty */

256 %%

258 struct keywords {

259 	const char	*k_name;

260 	int		 k_val;

261 };

263 int

264 yyerror(const char *fmt, ...)

266 	va_list ap;

267 	char *msg;

269 	file->errors++;

270 	va_start(ap, fmt);

271 	if (vasprintf(&msg, fmt, ap) == -1)

272 		fatalx("yyerror vasprintf");

273 	va_end(ap);

274 	logit(LOG_CRIT, "%s:%d: %s", file->name, yylval.lineno, msg);

275 	free(msg);

276 	return (0);

279 int

280 kw_cmp(const void *k, const void *e)

282 	return (strcmp(k, ((const struct keywords *)e)->k_name));

285 int

286 lookup(char *s)

288 	/* This has to be sorted always. */

289 	static const struct keywords keywords[] = {

290 		{ "deny",			DENY },

291 		{ "on",				ON },

292 		{ "path",			PATH },

293 		{ "permit",			PERMIT },

294 		{ "repository",			REPOSITORY },

295 		{ "ro",				RO },

296 		{ "rw",				RW },

297 		{ "unix_group",			UNIX_GROUP },

298 		{ "unix_socket",		UNIX_SOCKET },

299 		{ "user",			USER },

300 	};

301 	const struct keywords *p;

303 	p = bsearch(s, keywords, sizeof(keywords)/sizeof(keywords[0]),

304 	    sizeof(keywords[0]), kw_cmp);

306 	if (p)

307 		return (p->k_val);

308 	else

309 		return (STRING);

312 #define MAXPUSHBACK	128

314 unsigned char *parsebuf;

315 int parseindex;

316 unsigned char pushback_buffer[MAXPUSHBACK];

317 int pushback_index = 0;

319 int

320 lgetc(int quotec)

322 	int c, next;

324 	if (parsebuf) {

325 		/* Read character from the parsebuffer instead of input. */

326 		if (parseindex >= 0) {

327 			c = parsebuf[parseindex++];

328 			if (c != '\0')

329 				return (c);

330 			parsebuf = NULL;

331 		} else

332 			parseindex++;

335 	if (pushback_index)

336 		return (pushback_buffer[--pushback_index]);

338 	if (quotec) {

339 		c = getc(file->stream);

340 		if (c == EOF)

341 			yyerror("reached end of file while parsing "

342 			    "quoted string");

343 		return (c);

346 	c = getc(file->stream);

347 	while (c == '\\') {

348 		next = getc(file->stream);

349 		if (next != '\n') {

350 			c = next;

351 			break;

353 		yylval.lineno = file->lineno;

354 		file->lineno++;

355 		c = getc(file->stream);

358 	return (c);

361 int

362 lungetc(int c)

364 	if (c == EOF)

365 		return (EOF);

366 	if (parsebuf) {

367 		parseindex--;

368 		if (parseindex >= 0)

369 			return (c);

371 	if (pushback_index < MAXPUSHBACK-1)

372 		return (pushback_buffer[pushback_index++] = c);

373 	else

374 		return (EOF);

377 int

378 findeol(void)

380 	int c;

382 	parsebuf = NULL;

384 	/* Skip to either EOF or the first real EOL. */

385 	while (1) {

386 		if (pushback_index)

387 			c = pushback_buffer[--pushback_index];

388 		else

389 			c = lgetc(0);

390 		if (c == '\n') {

391 			file->lineno++;

392 			break;

394 		if (c == EOF)

395 			break;

397 	return (ERROR);

400 int

401 yylex(void)

403 	unsigned char buf[8096];

404 	unsigned char *p, *val;

405 	int quotec, next, c;

406 	int token;

408 top:

409 	p = buf;

410 	c = lgetc(0);

411 	while (c == ' ' || c == '\t')

412 		c = lgetc(0); /* nothing */

414 	yylval.lineno = file->lineno;

415 	if (c == '#') {

416 		c = lgetc(0);

417 		while (c != '\n' && c != EOF)

418 			c = lgetc(0); /* nothing */

420 	if (c == '$' && parsebuf == NULL) {

421 		while (1) {

422 			c = lgetc(0);

423 			if (c == EOF)

424 				return (0);

426 			if (p + 1 >= buf + sizeof(buf) - 1) {

427 				yyerror("string too long");

428 				return (findeol());

430 			if (isalnum(c) || c == '_') {

431 				*p++ = c;

432 				continue;

434 			*p = '\0';

435 			lungetc(c);

436 			break;

438 		val = symget(buf);

439 		if (val == NULL) {

440 			yyerror("macro '%s' not defined", buf);

441 			return (findeol());

443 		parsebuf = val;

444 		parseindex = 0;

445 		goto top;

448 	switch (c) {

449 	case '\'':

450 	case '"':

451 		quotec = c;

452 		while (1) {

453 			c = lgetc(quotec);

454 			if (c == EOF)

455 				return (0);

456 			if (c == '\n') {

457 				file->lineno++;

458 				continue;

459 			} else if (c == '\\') {

460 				next = lgetc(quotec);

461 				if (next == EOF)

462 					return (0);

463 				if (next == quotec || c == ' ' || c == '\t')

464 					c = next;

465 				else if (next == '\n') {

466 					file->lineno++;

467 					continue;

468 				} else

469 					lungetc(next);

470 			} else if (c == quotec) {

471 				*p = '\0';

472 				break;

473 			} else if (c == '\0') {

474 				yyerror("syntax error");

475 				return (findeol());

477 			if (p + 1 >= buf + sizeof(buf) - 1) {

478 				yyerror("string too long");

479 				return (findeol());

481 			*p++ = c;

483 		yylval.v.string = strdup(buf);

484 		if (yylval.v.string == NULL)

485 			err(1, "yylex: strdup");

486 		return (STRING);

489 #define allowed_to_end_number(x) \

490 	(isspace(x) || x == ')' || x ==',' || x == '/' || x == '}' || x == '=')

492 	if (c == '-' || isdigit(c)) {

493 		do {

494 			*p++ = c;

495 			if ((unsigned)(p-buf) >= sizeof(buf)) {

496 				yyerror("string too long");

497 				return (findeol());

499 			c = lgetc(0);

500 		} while (c != EOF && isdigit(c));

501 		lungetc(c);

502 		if (p == buf + 1 && buf[0] == '-')

503 			goto nodigits;

504 		if (c == EOF || allowed_to_end_number(c)) {

505 			const char *errstr = NULL;

507 			*p = '\0';

508 			yylval.v.number = strtonum(buf, LLONG_MIN,

509 			    LLONG_MAX, &errstr);

510 			if (errstr) {

511 				yyerror("\"%s\" invalid number: %s",

512 				    buf, errstr);

513 				return (findeol());

515 			return (NUMBER);

516 		} else {

517 nodigits:

518 			while (p > buf + 1)

519 				lungetc(*--p);

520 			c = *--p;

521 			if (c == '-')

522 				return (c);

526 #define allowed_in_string(x) \

527 	(isalnum(x) || (ispunct(x) && x != '(' && x != ')' && \

528 	x != '{' && x != '}' && \

529 	x != '!' && x != '=' && x != '#' && \

530 	x != ','))

532 	if (isalnum(c) || c == ':' || c == '_') {

533 		do {

534 			*p++ = c;

535 			if ((unsigned)(p-buf) >= sizeof(buf)) {

536 				yyerror("string too long");

537 				return (findeol());

539 			c = lgetc(0);

540 		} while (c != EOF && (allowed_in_string(c)));

541 		lungetc(c);

542 		*p = '\0';

543 		token = lookup(buf);

544 		if (token == STRING) {

545 			yylval.v.string = strdup(buf);

546 			if (yylval.v.string == NULL)

547 				err(1, "yylex: strdup");

549 		return (token);

551 	if (c == '\n') {

552 		yylval.lineno = file->lineno;

553 		file->lineno++;

555 	if (c == EOF)

556 		return (0);

557 	return (c);

560 int

561 check_file_secrecy(int fd, const char *fname)

563 	struct stat st;

565 	if (fstat(fd, &st)) {

566 		log_warn("cannot stat %s", fname);

567 		return (-1);

569 	if (st.st_uid != 0 && st.st_uid != getuid()) {

570 		log_warnx("%s: owner not root or current user", fname);

571 		return (-1);

573 	if (st.st_mode & (S_IWGRP | S_IXGRP | S_IRWXO)) {

574 		log_warnx("%s: group writable or world read/writable", fname);

575 		return (-1);

577 	return (0);

580 struct file *

581 newfile(const char *name, int secret)

583 	struct file *nfile;

585 	nfile = calloc(1, sizeof(struct file));

586 	if (nfile == NULL) {

587 		log_warn("calloc");

588 		return (NULL);

590 	nfile->name = strdup(name);

591 	if (nfile->name == NULL) {

592 		log_warn("strdup");

593 		free(nfile);

594 		return (NULL);

596 	nfile->stream = fopen(nfile->name, "r");

597 	if (nfile->stream == NULL) {

598 		/* no warning, we don't require a conf file */

599 		free(nfile->name);

600 		free(nfile);

601 		return (NULL);

602 	} else if (secret &&

603 	    check_file_secrecy(fileno(nfile->stream), nfile->name)) {

604 		fclose(nfile->stream);

605 		free(nfile->name);

606 		free(nfile);

607 		return (NULL);

609 	nfile->lineno = 1;

610 	return (nfile);

613 static void

614 closefile(struct file *xfile)

616 	fclose(xfile->stream);

617 	free(xfile->name);

618 	free(xfile);

621 int

622 parse_config(const char *filename, enum gotd_procid proc_id,

623     struct gotd *env)

625 	struct sym *sym, *next;

627 	memset(env, 0, sizeof(*env));

629 	gotd = env;

630 	gotd_proc_id = proc_id;

631 	TAILQ_INIT(&gotd->repos);

633 	/* Apply default values. */

634 	if (strlcpy(gotd->unix_socket_path, GOTD_UNIX_SOCKET,

635 	    sizeof(gotd->unix_socket_path)) >= sizeof(gotd->unix_socket_path)) {

636 		fprintf(stderr, "%s: unix socket path too long", __func__);

637 		return -1;

639 	if (strlcpy(gotd->unix_group_name, GOTD_UNIX_GROUP,

640 	    sizeof(gotd->unix_group_name)) >= sizeof(gotd->unix_group_name)) {

641 		fprintf(stderr, "%s: unix group name too long", __func__);

642 		return -1;

644 	if (strlcpy(gotd->user_name, GOTD_USER,

645 	    sizeof(gotd->user_name)) >= sizeof(gotd->user_name)) {

646 		fprintf(stderr, "%s: user name too long", __func__);

647 		return -1;

650 	file = newfile(filename, 0);

651 	if (file == NULL) {

652 		/* just return, as we don't require a conf file */

653 		return (0);

656 	yyparse();

657 	errors = file->errors;

658 	closefile(file);

660 	/* Free macros and check which have not been used. */

661 	TAILQ_FOREACH_SAFE(sym, &symhead, entry, next) {

662 		if ((gotd->verbosity > 1) && !sym->used)

663 			fprintf(stderr, "warning: macro '%s' not used\n",

664 			    sym->nam);

665 		if (!sym->persist) {

666 			free(sym->nam);

667 			free(sym->val);

668 			TAILQ_REMOVE(&symhead, sym, entry);

669 			free(sym);

673 	if (errors)

674 		return (-1);

676 	return (0);

679 static struct gotd_repo *

680 conf_new_repo(const char *name)

682 	struct gotd_repo *repo;

684 	if (strchr(name, '\n') != NULL) {

685 		fatalx("%s: repository names must not contain linefeeds: %s",

686 		    getprogname(), name);

689 	repo = calloc(1, sizeof(*repo));

690 	if (repo == NULL)

691 		fatalx("%s: calloc", __func__);

693 	STAILQ_INIT(&repo->rules);

695 	if (strlcpy(repo->name, name, sizeof(repo->name)) >=

696 	    sizeof(repo->name))

697 		fatalx("%s: strlcpy", __func__);

699 	TAILQ_INSERT_TAIL(&gotd->repos, repo, entry);

700 	gotd->nrepos++;

702 	return repo;

703 };

705 static void

706 conf_new_access_rule(struct gotd_repo *repo, enum gotd_access access,

707     int authorization, char *identifier)

709 	struct gotd_access_rule *rule;

711 	rule = calloc(1, sizeof(*rule));

712 	if (rule == NULL)

713 		fatal("calloc");

715 	rule->access = access;

716 	rule->authorization = authorization;

717 	rule->identifier = identifier;

719 	STAILQ_INSERT_TAIL(&repo->rules, rule, entry);

722 int

723 symset(const char *nam, const char *val, int persist)

725 	struct sym *sym;

727 	TAILQ_FOREACH(sym, &symhead, entry) {

728 		if (strcmp(nam, sym->nam) == 0)

729 			break;

732 	if (sym != NULL) {

733 		if (sym->persist == 1)

734 			return (0);

735 		else {

736 			free(sym->nam);

737 			free(sym->val);

738 			TAILQ_REMOVE(&symhead, sym, entry);

739 			free(sym);

742 	sym = calloc(1, sizeof(*sym));

743 	if (sym == NULL)

744 		return (-1);

746 	sym->nam = strdup(nam);

747 	if (sym->nam == NULL) {

748 		free(sym);

749 		return (-1);

751 	sym->val = strdup(val);

752 	if (sym->val == NULL) {

753 		free(sym->nam);

754 		free(sym);

755 		return (-1);

757 	sym->used = 0;

758 	sym->persist = persist;

759 	TAILQ_INSERT_TAIL(&symhead, sym, entry);

760 	return (0);

763 char *

764 symget(const char *nam)

766 	struct sym *sym;

768 	TAILQ_FOREACH(sym, &symhead, entry) {

769 		if (strcmp(nam, sym->nam) == 0) {

770 			sym->used = 1;

771 			return (sym->val);

774 	return (NULL);