File modules/ac/access_control.c

  $Revision: 1.42 $

Access control module (ac) - access control for the query part
Status: NOT REVIEWED, TESTED
Design and implementation by: Marek Bukowy

Included Files


Preprocessor definitions

#define AC_IMPL

#define ACL_FORMAT "%10d %10d %10d %10d %10d"

#define ACL_HEADER "%-20s %10s %10s %10s %10s %10s\n"

#define ACC_FORMAT "%4d %4d %4d %4d %7d %7d %7d %7.1f %7.1f"

#define ACC_HEADER "%-20s %4s %4s %4s %4s %7s %7s %7s %7s %7s\n"

AC_acc_load:
loads the acl access tree from the acl table of the RIPADMIN database. (takes port/host/user/password from the config module).
bails out if encounters problems with the database (logs to stderr).
returns error code from RX_bin_node or wr_malloc.

#define NUMELEM 7


Typedef ac_decay_data_t

typedef struct {...} ac_decay_data_t
struct 
   { 
     double decay_factor; 
     unsigned newtotal; 
     GList* prunelist; 
   } 

Global Variable AC_ar_acl

char* AC_ar_acl[]
Included from modules/ac/access_control.h
Visible in:  modules/ac/access_control.c
Used in: AC_asc_acl_command_set()modules/ac/access_control.c
  ac_acl_to_string_header()modules/ac/access_control.c

Global Variable act_runtime

rx_tree_t* act_runtime
Included from modules/ac/access_control.h
Visible in:  modules/aa/aa.c
   modules/ac/access_control.c
Used in: AC_asc_set_nodeny()modules/ac/access_control.c
  AC_build()modules/ac/access_control.c
  AC_commit()modules/ac/access_control.c
  AC_commit_credit_l()modules/ac/access_control.c
  AC_decay()modules/ac/access_control.c
  AC_fetch_acc()modules/ac/access_control.c
  AC_findcreate_account_l()modules/ac/access_control.c
  AC_print_access()modules/ac/access_control.c
  AC_prune()modules/ac/access_control.c

Global Variable act_hour

rx_tree_t* act_hour
Included from modules/ac/access_control.h
Visible in:  modules/aa/aa.c
   modules/ac/access_control.c
Used in: AC_build()modules/ac/access_control.c

Global Variable act_minute

rx_tree_t* act_minute
Included from modules/ac/access_control.h
Visible in:  modules/aa/aa.c
   modules/ac/access_control.c
Used in: AC_build()modules/ac/access_control.c

Global Variable act_acl

rx_tree_t* act_acl
Included from modules/ac/access_control.h
Visible in:  modules/aa/aa.c
   modules/ac/access_control.c
Used in: AC_acc_load()modules/ac/access_control.c
  AC_asc_all_set()modules/ac/access_control.c
  AC_ban_set()modules/ac/access_control.c
  AC_build()modules/ac/access_control.c
  AC_check_acl()modules/ac/access_control.c
  AC_findcreate_acl_l()modules/ac/access_control.c
  AC_print_acl()modules/ac/access_control.c
  ac_find_acl_l()modules/ac/access_control.c

Global Variable Lock

pthread_mutex_t Lock
Included from include/ca_defs.h
Visible in:  modules/ac/access_control.c

Global Function AC_acc_addup()

  AC_acc_addup:

Add/subtract the values from one accounting structure to another
void AC_acc_addup ( acc_st* a, acc_st* b, int minus )
acc_st* a
this one gets changed
acc_st* b
this one provides the values to change a
int minus
triggers subtraction if non-zero
Prototyped in: modules/ac/access_control.h
Called by: AC_commit_credit_l()modules/ac/access_control.c
  AC_prune()modules/ac/access_control.c

Global Function AC_acc_load()

  AC_acc_load:

loads the acl access tree from the acl table of the RIPADMIN database. (takes port/host/user/password from the config module).
bails out if encounters problems with the database (logs to stderr).
returns error code from RX_bin_node or wr_malloc.
er_ret_t AC_acc_load ( void )
Prototyped in: modules/ac/access_control.h
Calls: AC_dbopen_admin()modules/ac/access_control.c
  SQ_close_connection(), SQ_errno(), SQ_error(), SQ_execute_query(), SQ_free_result(), SQ_get_column_string(), SQ_row_next(), TH_acquire_write_lock(), TH_release_write_lock(), UT_free_real(), UT_malloc_real(), fprintf(), memset(), rx_bin_node(), sscanf()
References Variables: act_aclmodules/ac/access_control.c

Global Function AC_acl_sql()

  AC_acl_sql:

updates/creates a record for the given prefix in the acl table of the RIPADMIN database. Adds a comment.
placeholder: it may return an error code from SQ - as soon as sq implements common error scheme
er_ret_t AC_acl_sql ( ip_prefix_t* prefix, acl_st* newacl, char* newcomment )
ip_prefix_t* prefix
- prefix
acl_st* newacl
- new values to store in the database
char* newcomment
- comment to be added (must not be NULL)
Calls: AC_dbopen_admin()modules/ac/access_control.c
  SQ_close_connection(), SQ_execute_query(), SQ_free_result(), SQ_get_column_string(), SQ_num_rows(), SQ_row_next(), UT_free_real(), UT_malloc_real(), fprintf(), sprintf(), strlen()
Called by: AC_asc_all_set()modules/ac/access_control.c
  AC_ban_set()modules/ac/access_control.c

Global Function AC_asc_acl_command_set()

AC_asc_acl_command_set:

parse a command and set acl options for an entry. command syntax:
<prefix> option=value,option=value,option=value...
where <option> is defined in AC_ar_acl[] array, value is an integer
er_ret_t AC_asc_acl_command_set ( char* command, char* comment )
char* command
text of the command. Syntax: ip[/prefixlength] column=value,column=value... Column names as in acl display. Unset columns are inherited.
char* comment
text to be added to the acl record's comment column.
Prototyped in: modules/ac/access_control.h
Calls: AC_asc_all_set()modules/ac/access_control.c
  IP_smart_conv(), NOERR(), UT_free_real(), UT_strdup_real(), g_list_first(), g_list_length(), getsubopt(), memset(), strchr(), wr_real_clear_list()
References Variables: AC_ar_aclmodules/ac/access_control.c

Global Function AC_asc_all_set()

  AC_asc_all_set:

take ascii prefix and find/create a new entry, inheriting all parameters and then set them according to the array of args.
er_ret_t AC_asc_all_set ( ip_prefix_t* prefix, char* comment, char* array[] )
Calls: AC_acl_sql()modules/ac/access_control.c
  AC_findcreate_acl_l()modules/ac/access_control.c
  NOERR(), TH_acquire_write_lock(), TH_release_write_lock(), sscanf()
Called by: AC_asc_acl_command_set()modules/ac/access_control.c
References Variables: act_aclmodules/ac/access_control.c

Global Function AC_asc_ban_set()

  AC_asc_ban_set:

sets ban on text address/range. Parses the text address/range/prefix and then calls AC_ban_set on that prefix.
Precondition: if the key is a range, it must decompose into one prefix
returns error code from IP_smart_conv, AC_ban_set or AC_INVARG if range composed
er_ret_t AC_asc_ban_set ( char* addrstr, char* text, int denyflag )
Prototyped in: modules/ac/access_control.h
Calls: AC_ban_set()modules/ac/access_control.c
  IP_smart_conv(), NOERR(), g_list_first(), g_list_length(), wr_real_clear_list()

Global Function AC_asc_set_nodeny()

  AC_asc_set_nodeny:

reset the deny counter in the access tree to 0 (after reenabling).
Operates on the runtime access tree.
er_ret_t AC_asc_set_nodeny ( char* ip )
char* ip
text IP (ip only, not prefix or range).
Prototyped in: modules/ac/access_control.h
Calls: AC_findcreate_account_l()modules/ac/access_control.c
  IP_addr_t2b(), IP_sizebits(), NOERR(), TH_acquire_write_lock(), TH_release_write_lock()
References Variables: act_runtimemodules/ac/access_control.c

Global Function AC_ban_set()

  AC_ban_set:

re/sets the permanent ban flag both in the acl tree in memory and the sql table. The "text" is appended to the comment in the sql record (the expected cases are - "automatic" in case the limit is exceeded and ban is set by s/w - "manual" in case it is (un)set from the config iface
returns error code from AC_acl_sql or OK
er_ret_t AC_ban_set ( ip_prefix_t* prefix, char* text, int denyflag )
ip_prefix_t* prefix
- prefix
char* text
- usually "automatic" or "manual"
int denyflag
- new value of the denyflag (ban)
Calls: AC_acl_sql()modules/ac/access_control.c
  AC_findcreate_acl_l()modules/ac/access_control.c
  ER_inf_va(), IP_pref_b2a(), NOERR(), TH_acquire_write_lock(), TH_release_write_lock(), ctime_r(), fprintf(), sprintf(), time()
Called by: AC_asc_ban_set()modules/ac/access_control.c
  AC_commit()modules/ac/access_control.c
References Variables: act_aclmodules/ac/access_control.c

Global Function AC_build()

  AC_build:

creates empty trees for accounting/acl.
returns error code from RX_tree_cre or OK. (XXX): just now only bails out when encounters problems.
er_ret_t AC_build ( void )
Prototyped in: modules/ac/access_control.h
Calls: RX_tree_cre(), fprintf()
References Variables: act_aclmodules/ac/access_control.c
  act_hourmodules/ac/access_control.c
  act_minutemodules/ac/access_control.c
  act_runtimemodules/ac/access_control.c

Global Function AC_check_acl()

  AC_check_acl:

search for this ip or less specific record in the access control tree
if( bonus in combined runtime+connection accountings > max_bonus in acl) set denial in the acl for this ip (create if needed) if( combined denialcounter > max_denials in acl) set the permanent ban in acl; save in SQL too calculate credit if pointer provided save the access record (ip if created or found/prefix otherwise) at *acl_store if provided
acc_st *acc_store - pointer to store the *credit* account struct
any of the args except address can be NULL
returns error code from RX or OK
MT-Note: locks/unlocks the accounting tree
er_ret_t AC_check_acl ( ip_addr_t* addr, acc_st* credit_acc, acl_st* acl_store )
ip_addr_t* addr
- address
acc_st* credit_acc
&nbs;
acl_st* acl_store
- pointer to store the acl struct
Prototyped in: modules/ac/access_control.h
Calls: AC_fetch_acc()modules/ac/access_control.c
  ac_find_acl_l()modules/ac/access_control.c
  IP_sizebits(), TH_acquire_read_lock(), TH_release_read_lock(), memset()
References Variables: act_aclmodules/ac/access_control.c

Global Function AC_commit()

  AC_commit:

commits the credit into all accounting trees, (XXX: only one at the moment) checks the limits and sets automatic ban if limit exceeded.
returns error code from AC_commit_credit or AC_ban_set or OK.
outline: lock runtime + minute accounting trees ----------------------- XXX runtime only for the moment find or create entries, increase accounting values by the values from passed acc check values against acl, see if permanent ban applies
reset the connection acc unlock accounting trees
if permanent ban - set it! : lock acl find/create IP in memory set ban find/create IP in SQL copy old values (if any), set ban, append comment unlock acl
er_ret_t AC_commit ( ip_addr_t* addr, acc_st* acc_conn, acl_st* acl_copy )
ip_addr_t* addr
- user's address
acc_st* acc_conn
- credit used
acl_st* acl_copy
- pointer to store a copy of the acl
Prototyped in: modules/ac/access_control.h
Calls: AC_ban_set()modules/ac/access_control.c
  AC_commit_credit_l()modules/ac/access_control.c
  IP_sizebits(), NOERR(), TH_acquire_write_lock(), TH_release_write_lock(), memset()
References Variables: act_runtimemodules/ac/access_control.c

Global Function AC_count_object()

  AC_count_object:

accounts an objects in the credit accordingly to its type, or sets denial if the limit is defined and the credit is exceeded.
void AC_count_object ( acc_st* acc_credit, acl_st* acl, int private )
acc_st* acc_credit
pointer to the credit structure (gets modified)
acl_st* acl
acl, contains the limits for private/public objects
int private
indicates if the object type is private
Prototyped in: modules/ac/access_control.h

Global Function AC_credit_isdenied()

  checks the denied flag in credit (-1 or 1 means denied)

int AC_credit_isdenied returns 1 if denied, 0 otherwise
int AC_credit_isdenied ( acc_st* acc_credit )
acc_st* acc_credit
pointer to the credit structure
Prototyped in: modules/ac/access_control.h

Global Function AC_credit_to_string()

  AC_credit_to_string:

Show credit used (for logging of queries)
returns an allocated string
char* AC_credit_to_string ( acc_st* a )
acc_st* a
- the credit structure
Prototyped in: modules/ac/access_control.h
Calls: UT_malloc_real(), fprintf(), sprintf()

Global Function AC_dbopen_admin()

  AC_dbopen_admin:

opens the ADMIN database and returns a pointer to the connection structure (rationale: the opening process became a bit bloated and is done twice, so I put it into a separate function)
MYSQL* AC_dbopen_admin ( void )
Prototyped in: modules/ac/access_control.h
Calls: SQ_errno(), SQ_error(), SQ_get_connection(), UT_free_real(), ca_get_adminIntElement(), ca_get_adminStrElement(), fprintf()
Called by: AC_acc_load()modules/ac/access_control.c
  AC_acl_sql()modules/ac/access_control.c
  aa_find()modules/aa/aa.c

Global Function AC_decay()

  AC_decay:

Every AC_DECAY_TIME goes through the accounting tree(s) and decays the bonus values.
returns always OK
MT-Note This should be run as a detached thread.
er_ret_t AC_decay ( void )
Prototyped in: modules/ac/access_control.h
Calls: AC_prune()modules/ac/access_control.c
  CO_get_do_server(), ER_dbg_va(), SV_sleep(), TA_add(), TA_delete(), TA_setactivity(), TH_acquire_write_lock(), TH_release_write_lock(), UT_timediff(), UT_timeget(), ca_get_int(), exp(), fprintf(), g_list_free(), rx_walk_tree(), sprintf()
References Functions: AC_decay_hook()modules/ac/access_control.c
References Variables: act_runtimemodules/ac/access_control.c

Global Function AC_decay_hook()

  AC_decay_hook:

action performed on a single account node during decay (diminishing the bonus). Conforms to rx_walk_tree interface, therefore some of the arguments do not apply and are not used.
returns always OK
er_ret_t AC_decay_hook ( rx_node_t* node, int level, int nodecounter, void* con )
rx_node_t* node
- pointer to the node of the radix tree
int level
- not used
int nodecounter
- not used
void* con
- in real life: (double *) - points to the decay factor.
Calls: ER_dbg_va(), g_list_append()
Used in: AC_decay()modules/ac/access_control.c

Global Function AC_fetch_acc()

  AC_fetch_acc:

Finds the runtime accounting record for this IP, stores a copy of it in acc_store. If not found, then it is created and initialised to zeros in findcreate()
MT-Note: locks/unlocks the accounting tree
er_ret_t AC_fetch_acc ( ip_addr_t* addr, acc_st* acc_store )
ip_addr_t* addr
- address
acc_st* acc_store
- pointer to store the account struct
Prototyped in: modules/ac/access_control.h
Calls: AC_findcreate_account_l()modules/ac/access_control.c
  IP_sizebits(), TH_acquire_write_lock(), TH_release_write_lock()
Called by: AC_check_acl()modules/ac/access_control.c
References Variables: act_runtimemodules/ac/access_control.c

Global Function AC_findcreate_account_l()

  AC_findcreate_account_l:

finds exact prefix in the accounting tree or creates area initialised to zeros + sets ptr to it.
acc_st **store_acl - pointer to store the ptr to the account struct
returns error code from RX or OK
MT-Note: assumes locked accounting tree
er_ret_t AC_findcreate_account_l ( rx_tree_t* tree, ip_prefix_t* prefix, acc_st** acc_store )
rx_tree_t* tree
- the tree
ip_prefix_t* prefix
- prefix to look for
acc_st** acc_store
&nbs;
Calls: ER_perror(), RX_bin_search(), UT_malloc_real(), fprintf(), g_list_length(), g_list_nth_data(), memset(), rx_bin_node(), wr_real_clear_list()
Called by: AC_asc_set_nodeny()modules/ac/access_control.c
  AC_commit_credit_l()modules/ac/access_control.c
  AC_fetch_acc()modules/ac/access_control.c
References Variables: act_runtimemodules/ac/access_control.c

Global Function AC_findcreate_acl_l()

  AC_findcreate_acl_l:

find or create an entry for the given prefix in the acl tree.
returns error code from RX or OK
MT-Note: assumes locked acl tree
er_ret_t AC_findcreate_acl_l ( ip_prefix_t* prefix, acl_st** store_acl )
ip_prefix_t* prefix
- prefix to look for
acl_st** store_acl
- pointer to store the ptr to the acl struct (initialised to the values of the parent entry if just created)
Calls: ac_find_acl_l()modules/ac/access_control.c
  NOERR(), RX_bin_search(), UT_calloc_real(), fprintf(), g_list_length(), g_list_nth_data(), rx_bin_node(), wr_real_clear_list()
Called by: AC_asc_all_set()modules/ac/access_control.c
  AC_ban_set()modules/ac/access_control.c
References Variables: act_aclmodules/ac/access_control.c

Global Function AC_get_higher_limit()

  returns the higher number of the two acl limits: maxprivate & maxpublic 
  corrected w.r.t the current credit left,
  or unlimited if any of them is 'unlimited'.
int AC_get_higher_limit ( acc_st* acc_credit, acl_st* acl )
int AC_get_higher_limit
returns the higher limit
acc_st* acc_credit
current credit left
acl_st* acl
acl for that user
Prototyped in: modules/ac/access_control.h

Global Function AC_print_access()

  This function displays the access table to the given connection.
unsigned AC_print_access ( GString* output )
unsigned AC_print_access
Returns the number of nodes traversed
GString* output
target string
Prototyped in: modules/ac/access_control.h
Calls: ac_to_string_header()modules/ac/access_control.c
  UT_free_real(), g_string_append(), rx_walk_tree()
References Functions: ac_rxwalkhook_print()modules/ac/access_control.c
References Variables: act_runtimemodules/ac/access_control.c

Global Function AC_print_acl()

  This function writes the acl (access control) table to the given
  Gstring (auto-expandable)
unsigned AC_print_acl ( GString* output )
unsigned AC_print_acl
Returns the number of nodes traversed
GString* output
target string
Prototyped in: modules/ac/access_control.h
Calls: ac_acl_to_string_header()modules/ac/access_control.c
  UT_free_real(), g_string_append(), rx_walk_tree()
References Functions: ac_rxwalkhook_print_acl()modules/ac/access_control.c
References Variables: act_aclmodules/ac/access_control.c

Global Function AC_prune()

unsigned AC_prune ( GList* prunelist )
unsigned AC_prune
deletes the entries listed in the prunelist (this cannot be done from within the rx_walk_tree, because the walk would be confused). Returns number of nodes deleted.
GList* prunelist
list of pointers to nodes that should be deleted. the prefixes actually are allocated in the node structures, so they must not be dereferenced after they are freed here.
Calls: AC_acc_addup()modules/ac/access_control.c
  AC_commit_credit_l()modules/ac/access_control.c
  ER_dbg_va(), IP_pref_b2a(), IP_pref_t2b(), NOERR(), fprintf(), g_list_first(), memset(), rx_bin_node()
Called by: AC_decay()modules/ac/access_control.c
References Variables: act_runtimemodules/ac/access_control.c

Local Function AC_commit_credit_l()

  AC_commit_credit_l:

performs the commit on an accounting tree (locks them first) stores a copy of the accounting record at rec_store
Assumes locked tree.
returns error code from AC_findcreate_account_l or OK
MT-Note: locks/unlocks the accounting tree
static er_ret_t AC_commit_credit_l ( rx_tree_t* tree, ip_prefix_t* prefix, acc_st* acc_conn, acc_st* rec_store )
rx_tree_t* tree
- the tree
ip_prefix_t* prefix
- prefix (usually a /32)
acc_st* acc_conn
- credit used
acc_st* rec_store
- pointer to store the account struct or NULL
Calls: AC_acc_addup()modules/ac/access_control.c
  AC_findcreate_account_l()modules/ac/access_control.c
  NOERR()
Called by: AC_commit()modules/ac/access_control.c
  AC_prune()modules/ac/access_control.c
References Variables: act_runtimemodules/ac/access_control.c

Local Function ac_acl_to_string()

  ac_acl_to_string:

Show an access control list structure
returns an allocated string
static char* ac_acl_to_string ( GList* leafptr )
Calls: UT_malloc_real(), sprintf(), strcpy()
Called by: ac_rxwalkhook_print_acl()modules/ac/access_control.c

Local Function ac_acl_to_string_header()

  ac_acl_to_string_header:

produce a header for the acl printout
returns an allocated string
static char* ac_acl_to_string_header ( void )
Calls: UT_malloc_real(), sprintf()
Called by: AC_print_acl()modules/ac/access_control.c
References Variables: AC_ar_aclmodules/ac/access_control.c

Local Function ac_find_acl_l()

  ac_find_acl_l:

find the exact or exact/less specific match for the given prefix in the acl tree.
returns error code from RX or OK
MT-Note: assumes locked acl tree
static er_ret_t ac_find_acl_l ( rx_srch_mt searchmode, ip_prefix_t* prefix, acl_st* store_acl )
rx_srch_mt searchmode
&nbs;
ip_prefix_t* prefix
- prefix to look for
acl_st* store_acl
- pointer to store the output
Calls: RX_bin_search(), fprintf(), g_list_length(), g_list_nth_data(), wr_real_clear_list()
Called by: AC_check_acl()modules/ac/access_control.c
  AC_findcreate_acl_l()modules/ac/access_control.c
References Variables: act_aclmodules/ac/access_control.c

Local Function ac_rxwalkhook_print()

  ac_rxwalkhook_print:

action performed on a single account node when listing the contents of the access tree: format and print the data from this node.
Conforms to rx_walk_tree interface, therefore some of the arguments do not apply and are not used.
void *con - pointer to the target string (prints to it)
returns always OK
static er_ret_t ac_rxwalkhook_print ( rx_node_t* node, int level, int nodecounter, void* outvoid )
rx_node_t* node
- pointer to the node of the radix tree
int level
- not used
int nodecounter
- not used
void* outvoid
&nbs;
Calls: ac_to_string()modules/ac/access_control.c
  IP_addr_b2a(), UT_free_real(), fprintf(), g_string_sprintfa()
Used in: AC_print_access()modules/ac/access_control.c

Local Function ac_rxwalkhook_print_acl()

  ac_rxwalkhook_print_acl:

action performed on a single account node when listing the contents of the acl tree: format and print the data from this node.
Conforms to rx_walk_tree interface, therefore some of the arguments do not apply and are not used.
void *con - pointer to the target string (prints to it)
returns always OK
static er_ret_t ac_rxwalkhook_print_acl ( rx_node_t* node, int level, int nodecounter, void* outvoid )
rx_node_t* node
- pointer to the node of the radix tree
int level
- not used
int nodecounter
- not used
void* outvoid
&nbs;
Calls: ac_acl_to_string()modules/ac/access_control.c
  IP_pref_b2a(), UT_free_real(), fprintf(), g_string_sprintfa()
Used in: AC_print_acl()modules/ac/access_control.c

Local Function ac_to_string()

  ac_to_string:

Show an access structure
returns an allocated string
static char* ac_to_string ( GList* leafptr )
Calls: UT_malloc_real(), sprintf(), strcpy()
Called by: ac_rxwalkhook_print()modules/ac/access_control.c

Local Function ac_to_string_header()

  ac_to_string_header:

produce a header for the access stats printout
returns an allocated string
static char* ac_to_string_header ( void )
Calls: UT_malloc_real(), sprintf()
Called by: AC_print_access()modules/ac/access_control.c