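/*
 * Authorization definitions for the CUPS scheduler.
 *
 * Copyright © 2020-2024 by OpenPrinting.
 * Copyright 2007-2014 by Apple Inc.
 * Copyright 1997-2006 by Easy Software Products, all rights reserved.
 *
 * Licensed under Apache License v2.0.  See the file "LICENSE" for more
 * information.
 */

/*
 * Include necessary headers...
 *
 * Only <pwd.h> (for struct passwd) is pulled in here.  ipp_op_t,
 * cups_array_t, http_encryption_t, http_state_t, http_status_t,
 * cupsd_client_t and the VAR/VALUE macros are not declared in this header
 * and must already be in scope where it is included.
 */

#include <pwd.h>


/*
 * HTTP authorization types and levels...
 *
 * The groups below reuse the values 0, 1 and 2, so a constant is only
 * meaningful together with the field it was written for; constants from
 * different groups must not be compared with each other.  Zero is the most
 * permissive value in the first three groups (CUPSD_AUTH_NONE,
 * CUPSD_AUTH_ANON, CUPSD_AUTH_ALLOW).
 * NOTE(review): presumably these populate cupsd_location_t.type, .level and
 * .order_type, in which case a zero-filled location reads as "no
 * authentication, anonymous, allow" - confirm that callers set these fields
 * explicitly.
 *
 * Expansions that are not a single token are parenthesized so that they
 * keep their meaning inside any larger expression.
 */

/* Authentication scheme */
#define CUPSD_AUTH_DEFAULT       (-1)   /* Use DefaultAuthType */
#define CUPSD_AUTH_NONE          0      /* No authentication */
#define CUPSD_AUTH_BASIC         1      /* Basic authentication; HTTP Basic only base64-encodes the credentials, so confidentiality depends on the connection being encrypted */
#define CUPSD_AUTH_NEGOTIATE     2      /* Kerberos authentication */
#define CUPSD_AUTH_AUTO          3      /* Kerberos or Basic, depending on configuration of server */

/* Access level */
#define CUPSD_AUTH_ANON          0      /* Anonymous access */
#define CUPSD_AUTH_USER          1      /* Must have a valid username/password */
#define CUPSD_AUTH_GROUP         2      /* Must also be in a named group */

/* Allow/Deny */
#define CUPSD_AUTH_ALLOW         0      /* Allow access */
#define CUPSD_AUTH_DENY          1      /* Deny access */

/* Host mask type; presumably stored in cupsd_authmask_t.type - confirm */
#define CUPSD_AUTH_NAME          0      /* Authorize host by name */
#define CUPSD_AUTH_IP            1      /* Authorize host by IP */
#define CUPSD_AUTH_INTERFACE     2      /* Authorize host by interface */

/*
 * Satisfy mode.  With CUPSD_AUTH_SATISFY_ANY a matching address is
 * sufficient on its own, so credentials are not required for such hosts.
 */
#define CUPSD_AUTH_SATISFY_ALL   0      /* Satisfy both address and auth */
#define CUPSD_AUTH_SATISFY_ANY   1      /* Satisfy either address or auth */

/*
 * Request limits, one bit per request type.  CUPSD_AUTH_LIMIT_ALL (127) is
 * the OR of the seven HTTP method bits (1 through 64); it does not include
 * CUPSD_AUTH_LIMIT_IPP (128), which has to be tested separately.
 */
#define CUPSD_AUTH_LIMIT_DELETE  1      /* Limit DELETE requests */
#define CUPSD_AUTH_LIMIT_GET     2      /* Limit GET requests */
#define CUPSD_AUTH_LIMIT_HEAD    4      /* Limit HEAD requests */
#define CUPSD_AUTH_LIMIT_OPTIONS 8      /* Limit OPTIONS requests */
#define CUPSD_AUTH_LIMIT_POST    16     /* Limit POST requests */
#define CUPSD_AUTH_LIMIT_PUT     32     /* Limit PUT requests */
#define CUPSD_AUTH_LIMIT_TRACE   64     /* Limit TRACE requests */
#define CUPSD_AUTH_LIMIT_ALL     127    /* Limit all requests */
#define CUPSD_AUTH_LIMIT_IPP     128    /* Limit IPP requests */

/* Cast expressions are wrapped so that e.g. sizeof or a postfix operator
   applied to the macro binds to the whole value, not to part of it. */
#define IPP_ANY_OPERATION        ((ipp_op_t)0)
                                        /* Any IPP operation */
#define IPP_BAD_OPERATION        ((ipp_op_t)-1)
                                        /* No IPP operation */


/*
 * HTTP access control structures...
 */

/* Address/netmask pair, four unsigned words each.
   NOTE(review): presumably wide enough for IPv6 with IPv4 mapped into it -
   confirm against the code that fills and compares these. */
typedef struct
{
  unsigned      address[4],             /* IP address */
                netmask[4];             /* IP netmask */
} cupsd_ipmask_t;

/* Host or domain name together with its stored length. */
typedef struct
{
  size_t        length;                 /* Length of name */
  char          *name;                  /* Name string */
} cupsd_namemask_t;

/* One allow/deny mask.  "type" and the union travel together.
   NOTE(review): presumably type is one of CUPSD_AUTH_NAME, CUPSD_AUTH_IP or
   CUPSD_AUTH_INTERFACE and decides which union member is valid; reading the
   other member would reinterpret its bytes - confirm which member
   CUPSD_AUTH_INTERFACE uses. */
typedef struct
{
  int           type;                   /* Mask type */
  union
  {
    cupsd_namemask_t    name;           /* Host/Domain name */
    cupsd_ipmask_t      ip;             /* IP address/network */
  }             mask;                   /* Mask data */
} cupsd_authmask_t;

/* Access-control policy for one resource location. */
typedef struct
{
  char                  *location;      /* Location of resource */
  size_t                length;         /* Length of location string */
  ipp_op_t              op;             /* IPP operation */
  int                   limit,          /* Limit for these types of requests */
                        order_type,     /* Allow or Deny */
                        type,           /* Type of authentication */
                        level,          /* Access level required */
                        satisfy;        /* Satisfy any or all limits? */
  cups_array_t          *names,         /* User or group names */
                        *allow,         /* Allow lines */
                        *deny;          /* Deny lines */
  http_encryption_t     encryption;     /* To encrypt or not to encrypt... */
} cupsd_location_t;


/*
 * Globals...
 *
 * DefaultEncryption exists only when HAVE_TLS is defined, and then starts
 * out as HTTP_ENCRYPT_REQUIRED.  Without HAVE_TLS this header declares no
 * default encryption at all.
 */

VAR cups_array_t        *Locations      VALUE(NULL);
                                        /* Authorization locations */
#ifdef HAVE_TLS
VAR http_encryption_t   DefaultEncryption VALUE(HTTP_ENCRYPT_REQUIRED);
                                        /* Default encryption for authentication */
#endif /* HAVE_TLS */


/*
 * Prototypes...
 *
 * The int-returning check functions do not document their return convention
 * in this header.  CUPSD_AUTH_ALLOW is 0 and CUPSD_AUTH_DENY is 1, so do not
 * assume that nonzero means "allowed" (or "denied") without reading the
 * definition.  cupsdIsAuthorized() returns an http_status_t, not a boolean;
 * compare it with the expected status explicitly.
 *
 * NOTE(review): cupsdAddName() and cupsdAddNameMask() take a non-const
 * char *; whether they copy the string or keep the pointer is not visible
 * here - confirm before passing a buffer that is reused or freed.
 * NOTE(review): cupsdCheckAccess() and cupsdCheckAuth() receive name and
 * namelen separately; presumably namelen must equal the length of name -
 * confirm against the callers.
 */

extern int              cupsdAddIPMask(cups_array_t **masks,
                                       const unsigned address[4],
                                       const unsigned netmask[4]);
extern void             cupsdAddLocation(cupsd_location_t *loc);
extern void             cupsdAddName(cupsd_location_t *loc, char *name);
extern int              cupsdAddNameMask(cups_array_t **masks, char *name);
extern void             cupsdAuthorize(cupsd_client_t *con);
extern int              cupsdCheckAccess(unsigned ip[4], const char *name, size_t namelen, cupsd_location_t *loc);
extern int              cupsdCheckAuth(unsigned ip[4], const char *name, size_t namelen, cups_array_t *masks);
extern int              cupsdCheckGroup(const char *username,
                                        struct passwd *user,
                                        const char *groupname);
extern cupsd_location_t *cupsdCopyLocation(cupsd_location_t *loc);
extern void             cupsdDeleteAllLocations(void);
extern cupsd_location_t *cupsdFindBest(const char *path, http_state_t state);
extern cupsd_location_t *cupsdFindLocation(const char *location);
extern void             cupsdFreeLocation(cupsd_location_t *loc);
extern http_status_t    cupsdIsAuthorized(cupsd_client_t *con, const char *owner);
extern cupsd_location_t *cupsdNewLocation(const char *location);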