authorJeremy Allison <jra@samba.org>2016-11-10 20:33:17 -0800
committerAndreas Schneider <asn@cryptomilk.org>2016-11-16 16:35:12 +0100
commitd333c56700c17ff819aa784879081d847f00903c (patch)
tree22d8855861cc4e40fea6d248b30f37136df8da1c
parent584daf551348815342442f5b3a0d3b8f9484c5bd (diff)
source4: Change to use lib/util/access functions.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12419 Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org> Autobuild-Date(master): Wed Nov 16 16:35:12 CET 2016 on sn-devel-144
-rw-r--r--source4/dsdb/common/util.c3
-rw-r--r--source4/lib/socket/access.c237
-rw-r--r--source4/lib/socket/socket.h3
-rw-r--r--source4/lib/socket/wscript_build2
4 files changed, 5 insertions, 240 deletions
diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c
index d1396e4fd5c..8f74b45a84e 100644
--- a/source4/dsdb/common/util.c
+++ b/source4/dsdb/common/util.c
@@ -46,6 +46,7 @@
#include "librpc/gen_ndr/irpc.h"
#include "libds/common/flag_mapping.h"
#include "../lib/util/util_runcmd.h"
+#include "lib/util/access.h"
/*
search the sam for the specified attributes in a specific domain, filter on
@@ -1869,7 +1870,7 @@ const char *samdb_client_site_name(struct ldb_context *ldb, TALLOC_CTX *mem_ctx,
allow_list[0] = l_subnet_name;
- if (socket_allow_access(mem_ctx, NULL, allow_list, "", ip_address)) {
+ if (allow_access_nolog(NULL, allow_list, "", ip_address)) {
sites_dn = ldb_msg_find_attr_as_dn(ldb, mem_ctx,
res->msgs[i],
"siteObject");
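Review bot: The replacement call at the `+` line drops the fail-closed allocation path the removed source4 wrapper had — `socket_allow_access` duplicated cname/caddr and returned false (deny) when `talloc_strdup` failed — and nothing in this hunk shows how `allow_access_nolog` behaves on an internal failure, nor that its token semantics (subnet `net/mask` tokens, `FAIL`, `@netgroup`, the `127.0.0.1` special case) match the removed implementation. Because `samdb_client_site_name` uses this match to select a site from subnet names, any divergence would be silent rather than a compile error, so the commit message or a comment at the call site should state that the library routine is intended to be equivalent, e.g. `/* allow_list holds one subnet token; relies on lib/util/access matching it exactly as socket_allow_access did and failing closed on error */`. `samdb_client_site_name` begins before this hunk, so the surrounding loop over `res->msgs` is not visible here.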
diff --git a/source4/lib/socket/access.c b/source4/lib/socket/access.c
index adc8105ca9d..c019fd64d26 100644
--- a/source4/lib/socket/access.c
+++ b/source4/lib/socket/access.c
@@ -33,241 +33,8 @@
#include "includes.h"
#include "system/network.h"
#include "lib/socket/socket.h"
-#include "system/locale.h"
#include "lib/util/util_net.h"
-
-#define FAIL (-1)
-#define ALLONES ((uint32_t)0xFFFFFFFF)
-
-/* masked_match - match address against netnumber/netmask */
-static bool masked_match(TALLOC_CTX *mem_ctx, const char *tok, const char *slash, const char *s)
-{
- uint32_t net;
- uint32_t mask;
- uint32_t addr;
- char *tok_cpy;
-
- if ((addr = interpret_addr(s)) == INADDR_NONE)
- return false;
-
- tok_cpy = talloc_strdup(mem_ctx, tok);
- tok_cpy[PTR_DIFF(slash,tok)] = '\0';
- net = interpret_addr(tok_cpy);
- talloc_free(tok_cpy);
-
- if (strlen(slash + 1) > 2) {
- mask = interpret_addr(slash + 1);
- } else {
- mask = (uint32_t)((ALLONES >> atoi(slash + 1)) ^ ALLONES);
- /* convert to network byte order */
- mask = htonl(mask);
- }
-
- if (net == INADDR_NONE || mask == INADDR_NONE) {
- DEBUG(0,("access: bad net/mask access control: %s\n", tok));
- return false;
- }
-
- return (addr & mask) == (net & mask);
-}
-
-/* string_match - match string against token */
-static bool string_match(TALLOC_CTX *mem_ctx, const char *tok,const char *s, char *invalid_char)
-{
- size_t tok_len;
- size_t str_len;
- const char *cut;
-
- *invalid_char = '\0';
-
- /* Return true if a token has the magic value "ALL". Return
- * FAIL if the token is "FAIL". If the token starts with a "."
- * (domain name), return true if it matches the last fields of
- * the string. If the token has the magic value "LOCAL",
- * return true if the string does not contain a "."
- * character. If the token ends on a "." (network number),
- * return true if it matches the first fields of the
- * string. If the token begins with a "@" (netgroup name),
- * return true if the string is a (host) member of the
- * netgroup. Return true if the token fully matches the
- * string. If the token is a netnumber/netmask pair, return
- * true if the address is a member of the specified subnet.
- */
-
- if (tok[0] == '.') { /* domain: match last fields */
- if ((str_len = strlen(s)) > (tok_len = strlen(tok))
- && strcasecmp(tok, s + str_len - tok_len)==0) {
- return true;
- }
- } else if (tok[0] == '@') { /* netgroup: look it up */
- DEBUG(0,("access: netgroup support is not available\n"));
- return false;
- } else if (strcmp(tok, "ALL")==0) { /* all: match any */
- return true;
- } else if (strcmp(tok, "FAIL")==0) { /* fail: match any */
- return FAIL;
- } else if (strcmp(tok, "LOCAL")==0) { /* local: no dots */
- if (strchr(s, '.') == 0 && strcasecmp(s, "unknown") != 0) {
- return true;
- }
- } else if (strcasecmp(tok, s)==0) { /* match host name or address */
- return true;
- } else if (tok[(tok_len = strlen(tok)) - 1] == '.') { /* network */
- if (strncmp(tok, s, tok_len) == 0)
- return true;
- } else if ((cut = strchr(tok, '/')) != 0) { /* netnumber/netmask */
- if (isdigit((int)s[0]) && masked_match(mem_ctx, tok, cut, s))
- return true;
- } else if (strchr(tok, '*') != 0) {
- *invalid_char = '*';
- } else if (strchr(tok, '?') != 0) {
- *invalid_char = '?';
- }
- return false;
-}
-
-struct client_addr {
- const char *cname;
- const char *caddr;
-};
-
-/* client_match - match host name and address against token */
-static bool client_match(TALLOC_CTX *mem_ctx, const char *tok, struct client_addr *client)
-{
- bool match;
- char invalid_char = '\0';
-
- /*
- * Try to match the address first. If that fails, try to match the host
- * name if available.
- */
-
- if ((match = string_match(mem_ctx, tok, client->caddr, &invalid_char)) == 0) {
- if(invalid_char)
- DEBUG(0,("client_match: address match failing due to invalid character '%c' found in \
-token '%s' in an allow/deny hosts line.\n", invalid_char, tok ));
-
- if (client->cname[0] != 0)
- match = string_match(mem_ctx, tok, client->cname, &invalid_char);
-
- if(invalid_char)
- DEBUG(0,("client_match: address match failing due to invalid character '%c' found in \
-token '%s' in an allow/deny hosts line.\n", invalid_char, tok ));
- }
-
- return (match);
-}
-
-/* list_match - match an item against a list of tokens with exceptions */
-static bool list_match(TALLOC_CTX *mem_ctx, const char **list, struct client_addr *client)
-{
- bool match = false;
-
- if (!list)
- return false;
-
- /*
- * Process tokens one at a time. We have exhausted all possible matches
- * when we reach an "EXCEPT" token or the end of the list. If we do find
- * a match, look for an "EXCEPT" list and recurse to determine whether
- * the match is affected by any exceptions.
- */
-
- for (; *list ; list++) {
- if (strcmp(*list, "EXCEPT")==0) /* EXCEPT: give up */
- break;
- if ((match = client_match(mem_ctx, *list, client))) /* true or FAIL */
- break;
- }
-
- /* Process exceptions to true or FAIL matches. */
- if (match != false) {
- while (*list && strcmp(*list, "EXCEPT")!=0)
- list++;
-
- for (; *list; list++) {
- if (client_match(mem_ctx, *list, client)) /* Exception Found */
- return false;
- }
- }
-
- return match;
-}
-
-/* return true if access should be allowed */
-static bool allow_access_internal(TALLOC_CTX *mem_ctx,
- const char **deny_list,const char **allow_list,
- const char *cname, const char *caddr)
-{
- struct client_addr client;
-
- client.cname = cname;
- client.caddr = caddr;
-
- /* if it is loopback then always allow unless specifically denied */
- if (strcmp(caddr, "127.0.0.1") == 0) {
- /*
- * If 127.0.0.1 matches both allow and deny then allow.
- * Patch from Steve Langasek vorlon@netexpress.net.
- */
- if (deny_list &&
- list_match(mem_ctx, deny_list, &client) &&
- (!allow_list ||
- !list_match(mem_ctx, allow_list, &client))) {
- return false;
- }
- return true;
- }
-
- /* if theres no deny list and no allow list then allow access */
- if ((!deny_list || *deny_list == 0) &&
- (!allow_list || *allow_list == 0)) {
- return true;
- }
-
- /* if there is an allow list but no deny list then allow only hosts
- on the allow list */
- if (!deny_list || *deny_list == 0)
- return list_match(mem_ctx, allow_list, &client);
-
- /* if theres a deny list but no allow list then allow
- all hosts not on the deny list */
- if (!allow_list || *allow_list == 0)
- return !list_match(mem_ctx, deny_list, &client);
-
- /* if there are both types of list then allow all hosts on the
- allow list */
- if (list_match(mem_ctx, allow_list, &client))
- return true;
-
- /* if there are both types of list and it's not on the allow then
- allow it if its not on the deny */
- if (list_match(mem_ctx, deny_list, &client))
- return false;
-
- return true;
-}
-
-/* return true if access should be allowed */
-bool socket_allow_access(TALLOC_CTX *mem_ctx,
- const char **deny_list, const char **allow_list,
- const char *cname, const char *caddr)
-{
- bool ret;
- char *nc_cname = talloc_strdup(mem_ctx, cname);
- char *nc_caddr = talloc_strdup(mem_ctx, caddr);
-
- if (!nc_cname || !nc_caddr) {
- return false;
- }
-
- ret = allow_access_internal(mem_ctx, deny_list, allow_list, nc_cname, nc_caddr);
-
- talloc_free(nc_cname);
- talloc_free(nc_caddr);
-
- return ret;
-}
+#include "lib/util/access.h"
/* return true if the char* contains ip addrs only. Used to avoid
gethostbyaddr() calls */
@@ -346,7 +113,7 @@ bool socket_check_access(struct socket_context *sock,
return false;
}
- ret = socket_allow_access(mem_ctx, deny_list, allow_list, name, addr->addr);
+ ret = allow_access(deny_list, allow_list, name, addr->addr);
if (ret) {
DEBUG(2,("socket_check_access: Allowed connection to '%s' from %s (%s)\n",
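Review bot: This site switches to `allow_access` while the util.c hunk in the same commit uses `allow_access_nolog`; the existence of both variants suggests `allow_access` emits its own allow/deny log line, in which case the `DEBUG(2, ...)` that follows (and presumably its deny counterpart) now reports the same decision a second time, possibly at a different debug level. If that is the case, either `ret = allow_access_nolog(deny_list, allow_list, name, addr->addr);` keeps socket_check_access's existing messages as the single source, or the local DEBUG blocks should be removed so operators do not see duplicate access-control entries per connection. The helper's body is not in the diff, so this is inferred; `socket_check_access` starts before the hunk and the DEBUG call continues past it.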
diff --git a/source4/lib/socket/socket.h b/source4/lib/socket/socket.h
index 403a723edbf..50a20d90911 100644
--- a/source4/lib/socket/socket.h
+++ b/source4/lib/socket/socket.h
@@ -183,9 +183,6 @@ _PUBLIC_ void socket_address_set_port(struct socket_address *a,
struct socket_address *socket_address_copy(TALLOC_CTX *mem_ctx,
const struct socket_address *oaddr);
const struct socket_ops *socket_getops_byname(const char *name, enum socket_type type);
-bool socket_allow_access(TALLOC_CTX *mem_ctx,
- const char **deny_list, const char **allow_list,
- const char *cname, const char *caddr);
bool socket_check_access(struct socket_context *sock,
const char *service_name,
const char **allow_list, const char **deny_list);
diff --git a/source4/lib/socket/wscript_build b/source4/lib/socket/wscript_build
index 1cb89c610db..e2438247d2e 100644
--- a/source4/lib/socket/wscript_build
+++ b/source4/lib/socket/wscript_build
@@ -24,6 +24,6 @@ bld.SAMBA_MODULE('socket_unix',
bld.SAMBA_SUBSYSTEM('samba_socket',
source='socket.c access.c connect_multi.c connect.c',
public_deps='talloc LIBTSOCKET',
- deps='cli_composite LIBCLI_RESOLVE socket_ip socket_unix'
+ deps='cli_composite LIBCLI_RESOLVE socket_ip socket_unix access'
)