📄 gateas.cc
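#ifdef USE_DENYFROM
    denyFromListUsed=false;
#endif

    // NOTE(review): the start of this function (signature and local
    // declarations) is outside this listing; the part below is reproduced
    // token-for-token with only layout and comments changed.
    if(lfile) {
        errno=0;
#ifdef RESERVE_FOPEN_FD
        fd=global_resources->fopen(lfile,"r");
#else
        fd=fopen(lfile,"r");
#endif
        if(fd == NULL) {
            fprintf(stderr,"Failed to open PV list file %s\n",lfile);
            fflush(stderr);
            perror("Reason");
            fflush(stderr);
            return -1;
        }
    } else {
        // Create a ".* allow" rule if no file is specified
        pe = new gateAsEntry(".*",NULL,default_group,1);
        if(pe->init(allow_list,line)==aitFalse) delete pe;
        return 0;
    }

    // Read all PV file lines
    while(fgets(inbuf,sizeof(inbuf),fd)) {
        if((ptr=strchr(inbuf,'#'))) *ptr='\0'; // Take care of comments

        // Allocate memory for input line
        pl=new gateAsLine(inbuf,strlen(inbuf),line_list);
        ++line;
        pattern=rname=hname=NULL;

        // Blank (or comment-only) lines carry no pattern and are skipped
        if(!(pattern=strtok(pl->buf," \t\n"))) continue;

        // Two strings (pattern and command) are mandatory
        if(!(cmd=strtok(NULL," \t\n"))) {
            fprintf(stderr,"Error in PV list file (line %d): "
              "missing command\n",line);
            continue;
        }

#ifdef USE_DENYFROM
        if(strcasecmp(cmd,"DENY")==0) {   // DENY [FROM]
            // Arbitrary number of arguments: [from] host names
            if((hname=strtok(NULL,", \t\n")) && strcasecmp(hname,"FROM")==0)
              hname=strtok(NULL,", \t\n");
            if(hname) {
                // host pattern(s) present
                do {
                    pe = new gateAsEntry(pattern);
                    if(pe->init(hname,deny_from_table,host_list,line)==aitFalse) {
                        delete pe;
                    } else {
                        denyFromListUsed=true;
                    }
                } while((hname=strtok(NULL,", \t\n")));
            } else {
                // no host name specified
                pe = new gateAsEntry(pattern);
                if(pe->init(deny_list,line)==aitFalse) delete pe;
            }
            continue;
        }
#else
        if(strcasecmp(cmd,"DENY")==0) {   // DENY [FROM]
            // Arbitrary number of arguments: [from] host names
            if((hname=strtok(NULL,", \t\n")) && strcasecmp(hname,"FROM")==0)
              hname=strtok(NULL,", \t\n");
            if(hname) {
                // host name(s) present
                // NOTE(review): in this build a "DENY FROM" line only logs
                // an error; no deny entry is created for the pattern.
                fprintf(stderr,"Error in PV list file (line %d): "
                  "DENY FROM is not supported\n"
                  " Use EPICS_CAS_IGNORE_ADDR_LIST instead\n",
                  line);
            } else {
                // no host name specified
                pe = new gateAsEntry(pattern);
                if(pe->init(deny_list,line)==aitFalse) delete pe;
            }
            continue;
        }
#endif

        if(strcasecmp(cmd,"ORDER")==0) {   // ORDER
            // Arguments: "allow, deny" or "deny, allow"
            if(!(hname=strtok(NULL,", \t\n")) ||
              !(rname=strtok(NULL,", \t\n"))) {
                fprintf(stderr,"Error in PV list file (line %d): "
                  "missing argument to '%s' command\n",line,cmd);
                continue;
            }
            if(strcasecmp(hname,"ALLOW")==0 &&
              strcasecmp(rname,"DENY")==0) {
                eval_order = GATE_ALLOW_FIRST;
            } else if(strcasecmp(hname,"DENY")==0 &&
              strcasecmp(rname,"ALLOW")==0) {
                eval_order = GATE_DENY_FIRST;
            } else {
                fprintf(stderr,"Error in PV list file (line %d): "
                  "invalid argument to '%s' command\n",line,cmd);
            }
            continue;
        }

        if(strcasecmp(cmd,"ALIAS")==0) {   // ALIAS extra arg
            // Additional (first) argument: real PV name
            if(!(rname=strtok(NULL," \t\n"))) {
                fprintf(stderr,"Error in PV list file (line %d): "
                  "missing real name in ALIAS command\n",line);
                continue;
            }
        }

        // NOTE(review): when an ASG is present but no ASL follows it, lev is
        // not assigned on this line, so the entry is created with whatever
        // lev already held (its declaration is outside this listing) --
        // confirm that a stale level from an earlier line cannot leak in.
        if((asg=strtok(NULL," \t\n"))) {   // ASG / ASL
            if((asl=strtok(NULL," \t\n")) &&
              (sscanf(asl,"%d",&lev)!=1)) lev=1;
        } else {
            asg=(char*)default_group;
            lev=1;
        }

        if(strcasecmp(cmd,"ALLOW")==0   ||   // ALLOW / ALIAS
          strcasecmp(cmd,"ALIAS")==0    ||
          strcasecmp(cmd,"PATTERN")==0  ||
          strcasecmp(cmd,"PV")==0) {
            pe = new gateAsEntry(pattern,rname,asg,lev);
            if(pe->init(allow_list,line)==aitFalse) delete pe;
            continue;
        } else {
            // invalid
            // A line with an unrecognized command is reported and dropped;
            // loading continues and the function still returns 0, so a
            // mistyped rule is simply absent from the resulting lists.
            fprintf(stderr,"Error in PV list file (line %d): "
              "invalid command '%s'\n",line,cmd);
        }
    }

#ifdef RESERVE_FOPEN_FD
    global_resources->fclose(fd);
#else
    fclose(fd);
#endif
    return 0;
}

// Install the access security rules, read from afile through readFunc.
//
// afile: path of the access security file, or NULL to install the built-in
//        default rule set.
// Returns -1 if rules are already installed, otherwise the return code of
// asInitialize() (0 on success).
//
// Operational note: if afile is given but cannot be opened, this does NOT
// fail. It logs the reason to stderr and installs the built-in default rule
// ("ASG(DEFAULT) { RULE(1,READ) }") instead, so the return value alone does
// not tell the caller that the configured file was ignored. Watch stderr for
// "Setting default security rules".
long gateAs::initialize(const char* afile)
{
    long rc=0;

    if(rules_installed==aitTrue) {
        fprintf(stderr,"Access security rules already installed\n");
        return -1;
    }

    if(afile) {
        errno=0;
#ifdef RESERVE_FOPEN_FD
        rules_fd=global_resources->fopen(afile,"r");
#else
        rules_fd=fopen(afile,"r");
#endif
        if(rules_fd == NULL) {
            // Open failed. Keep the errno from the failed open: the stdio
            // calls below may overwrite it before perror() reports it.
            const int open_errno=errno;
            fprintf(stderr,"Failed to open security file: %s\n",afile);
            fflush(stderr);
            errno=open_errno;
            perror("Reason");
            fflush(stderr);
            fprintf(stderr,"Setting default security rules\n");
            fflush(stderr);
            use_default_rules=aitTrue;
            rc=asInitialize(::readFunc);
            if(rc) {
                fprintf(stderr,"Failed to set default security rules\n");
                fflush(stderr);
            }
        } else {
            // Open succeeded
            rc=asInitialize(::readFunc);
            if(rc) fprintf(stderr,"Failed to read security file: %s\n",afile);
#ifdef RESERVE_FOPEN_FD
            global_resources->fclose(rules_fd);
#else
            fclose(rules_fd);
#endif
            // Do not leave a pointer to a closed stream behind for readFunc
            rules_fd=NULL;
        }
    } else {
        // afile is NULL
        use_default_rules=aitTrue;
        rc=asInitialize(::readFunc);
        if(rc) fprintf(stderr,"Failed to set default security rules\n");
    }

    if(rc==0) rules_installed=aitTrue;
    return rc;
}

// Drop the current allow/deny configuration and load it again.
//
// afile: access security file to reread, or NULL to skip initialize().
// lfile: PV list file to reread (readPvList uses its defaults if NULL).
// Always returns 0.
//
// NOTE(review): failures are only logged. The lists are cleared before the
// files are reread, the result of initialize() is reported on stderr only,
// and the return value of readPvList() is discarded, so a reload with an
// unreadable PV list file leaves the cleared lists in place while the caller
// still sees success. Also, unlike initialize(NULL), a NULL afile here means
// initialize() is not called at all -- confirm the intended access state.
long gateAs::reInitialize(const char* afile, const char* lfile)
{
    // Stop in INP PV clients
    gateAsCaClear();

    // Cleanup
#ifdef USE_DENYFROM
    // There should be no reason to use DENY FROM, but if it is
    // desired, it needs to be implemented here.
# error DENY FROM is not implemented here
#endif
    clearAsList(deny_list);
    clearAsList(allow_list);
    clearAsList(line_list);

    // Reset defaults
    default_group = "DEFAULT";
    default_pattern = "*";
    eval_order = GATE_ALLOW_FIRST;
    rules_installed = aitFalse;
    use_default_rules = aitFalse;
    rules_fd = NULL;

    // Reread the access file
    if(afile) {
        if(initialize(afile))
          fprintf(stderr,"Failed to install access security file %s\n",afile);
    }

    // Restart INP PV clients
    gateAsCa();

    // Reread the pvlist file (Will use defaults if lfile is NULL)
    readPvList(lfile);

    return 0;
}

// Input callback handed to asInitialize(): copies up to max bytes of rule
// text into buf and returns the number of bytes copied (0 at end of input).
//
// The text comes either from rules_fd, one fgets() line at a time, or, when
// use_default_rules is set, from the single built-in rule string. Partially
// consumed lines are kept in static storage between calls.
//
// NOTE(review): one_pass is static and never reset, so the built-in rule is
// produced only once per process. A later initialization that falls back to
// the default rules would read empty input -- confirm what rule set
// asInitialize() installs in that case.
int gateAs::readFunc(char* buf, int max)
{
    int l,n;
    static aitBool one_pass=aitFalse;
    static char rbuf[150];
    static char* rptr=NULL;

    if(rptr==NULL) {
        // Previous chunk fully consumed: refill the staging buffer
        rbuf[0]='\0';
        rptr=rbuf;

        if(use_default_rules==aitTrue) {
            if(one_pass==aitFalse) {
                strcpy(rbuf,"ASG(DEFAULT) { RULE(1,READ) }");
                one_pass=aitTrue;
            }
        } else if(rules_fd==NULL ||
          fgets(rbuf,sizeof(rbuf),rules_fd)==NULL) {
            // No stream, end of file or read error: report end of input.
            // The buffer is re-terminated because its contents are
            // indeterminate after a read error.
            rbuf[0]='\0';
        }
    }

    l=strlen(rptr);
    n=(l<=max)?l:max;
    if(n<0) n=0;   // never pass a negative length on to memcpy
    if(n) {
        memcpy(buf,rptr,n);
        rptr+=n;
    }

    if(rptr[0]=='\0') rptr=NULL;

    return n;
}

// Write a human-readable configuration report to fd: the allowed patterns
// with their ASG, ASL and alias, the denied patterns, the evaluation order,
// the rule state and, where the EPICS version provides asDumpFP, a dump of
// the installed access security rules.
void gateAs::report(FILE* fd)
{
    time_t t;
    time(&t);

    fprintf(fd,"---------------------------------------------------------------------------\n"
      "Configuration Report: %s",ctime(&t));
    fprintf(fd,"\n============================ Allowed PV Report ============================\n");
    fprintf(fd," Pattern ASG ASL Alias\n");
    tsSLIter<gateAsEntry> pi1 = allow_list.firstIter();
    gateAsEntry *pEntry1;
    while(pi1.pointer()) {
        pEntry1=pi1.pointer();
        fprintf(fd," %-30s %-16s %d ",pEntry1->pattern,pEntry1->group,pEntry1->level);
        if(pEntry1->alias) fprintf(fd," %s\n",pEntry1->alias);
        else fprintf(fd,"\n");
        pi1++;
    }

    fprintf(fd,"\n============================ Denied PV Report ============================\n");
    tsSLIter<gateAsEntry> pi2 = deny_list.firstIter();
    gateAsEntry *pEntry2;
    if(pi2.pointer()) {
        fprintf(fd,"\n==== Denied from ALL Hosts:\n");
        while(pi2.pointer()) {
            pEntry2=pi2.pointer();
            fprintf(fd," %s\n",pEntry2->pattern);
            pi2++;
        }
    }

#ifdef USE_DENYFROM
    tsSLIter<gateAsHost> pi3 = host_list.firstIter();
    gateAsHost *pEntry3;
    while(pi3.pointer()) {
        pEntry3=pi3.pointer();
        fprintf(fd,"\n==== Denied from Host %s:\n",pEntry3->host);
        gateAsList* pl=NULL;
        if(deny_from_table.find(pEntry3->host,pl)==0) {
            tsSLIter<gateAsEntry> pi4 = pl->firstIter();
            gateAsEntry *pEntry4;
            while(pi4.pointer()) {
                pEntry4=pi4.pointer();
                fprintf(fd," %s\n",pEntry4->pattern);
                // Advance the iterator; without this the loop never ends
                // for any host that has at least one deny entry.
                pi4++;
            }
        }
        pi3++;
    }
#endif

    if(eval_order==GATE_DENY_FIRST)
      fprintf(fd,"\nEvaluation order: deny, allow\n");
    else
      fprintf(fd,"\nEvaluation order: allow, deny\n");

    if(rules_installed==aitTrue) fprintf(fd,"Access Rules are installed.\n");
    if(use_default_rules==aitTrue) fprintf(fd,"Using default access rules.\n");

#if (EPICS_REVISION == 14 && EPICS_MODIFICATION >= 6) || EPICS_REVISION > 14
    // Dumping to a file pointer became available sometime during 3.14.5.
    fprintf(fd,"\n============================ Access Security Dump =========================\n");
    asDumpFP(fd,NULL,NULL,TRUE);
#else
    // KE: Could use asDump, but it would go to stdout, probably
    // gateway.log, and not be in gateway.report
#endif
    fprintf(fd,"-----------------------------------------------------------------------------\n");
}

/* **************************** Emacs Editing Sequences ***************** */
/* Local Variables: */
/* tab-width: 4 */
/* c-basic-offset: 4 */
/* c-comment-only-line-offset: 0 */
/* c-file-offsets: ((substatement-open . 0) (label . 0)) */
/* End: */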