1
/*
2
 * Authorization routines for the CUPS scheduler.
3
 *
4
 * Copyright © 2021-2022 by OpenPrinting.
5
 * Copyright © 2007-2019 by Apple Inc.
6
 * Copyright © 1997-2007 by Easy Software Products, all rights reserved.
7
 *
8
 * This file contains Kerberos support code, copyright 2006 by
9
 * Jelmer Vernooij.
10
 *
11
 * Licensed under Apache License v2.0.  See the file "LICENSE" for more
12
 * information.
13
 */
14

15
/*
16
 * Include necessary headers...
17
 */
18

19
#include "cupsd.h"
20
#include <grp.h>
21
#ifdef HAVE_SHADOW_H
22
#  include <shadow.h>
23
#endif /* HAVE_SHADOW_H */
24
#ifdef HAVE_CRYPT_H
25
#  include <crypt.h>
26
#endif /* HAVE_CRYPT_H */
27
#if HAVE_LIBPAM
28
#  ifdef HAVE_PAM_PAM_APPL_H
29
#    include <pam/pam_appl.h>
30
#  else
31
#    include <security/pam_appl.h>
32
#  endif /* HAVE_PAM_PAM_APPL_H */
33
#endif /* HAVE_LIBPAM */
34
#ifdef HAVE_MEMBERSHIP_H
35
#  include <membership.h>
36
#endif /* HAVE_MEMBERSHIP_H */
37
#ifdef HAVE_AUTHORIZATION_H
38
#  include <Security/AuthorizationTags.h>
39
#endif /* HAVE_AUTHORIZATION_H */
40
#ifdef HAVE_SYS_PARAM_H
41
#  include <sys/param.h>
42
#endif /* HAVE_SYS_PARAM_H */
43
#ifdef HAVE_SYS_UCRED_H
44
#  include <sys/ucred.h>
45
typedef struct xucred cupsd_ucred_t;
46
#  define CUPSD_UCRED_UID(c) (c).cr_uid
47
#else
48
#  ifndef __OpenBSD__
49
typedef struct ucred cupsd_ucred_t;
50
#  else
51
typedef struct sockpeercred cupsd_ucred_t;
52
#  endif
53
#  define CUPSD_UCRED_UID(c) (c).uid
54
#endif /* HAVE_SYS_UCRED_H */
55
#ifdef HAVE_LIBAPPARMOR
56
#  include <sys/apparmor.h>
57
#endif /* HAVE_LIBAPPARMOR */
58
#ifdef HAVE_LIBSNAPDGLIB
59
#  include <glib.h>
60
#  include <snapd-glib/snapd-glib.h>
61
#endif /* HAVE_LIBSNAPDGLIB */
62

63

64
/*
65
 * Local functions...
66
 */
67

68
static int		check_admin_access(cupsd_client_t *con);
69
#ifdef HAVE_AUTHORIZATION_H
70
static int		check_authref(cupsd_client_t *con, const char *right);
71
#endif /* HAVE_AUTHORIZATION_H */
72
static int		compare_locations(cupsd_location_t *a,
73
			                  cupsd_location_t *b);
74
static cupsd_authmask_t	*copy_authmask(cupsd_authmask_t *am, void *data);
75
static void		free_authmask(cupsd_authmask_t *am, void *data);
76
#if HAVE_LIBPAM
77
static int		pam_func(int, const struct pam_message **,
78
			         struct pam_response **, void *);
79
#endif /* HAVE_LIBPAM */
80

81

82
/*
83
 * Local structures...
84
 */
85

86
#if HAVE_LIBPAM
87
typedef struct cupsd_authdata_s		/**** Authentication data ****/
88
{
89
  char	username[HTTP_MAX_VALUE],	/* Username string */
90
	password[HTTP_MAX_VALUE];	/* Password string */
91
} cupsd_authdata_t;
92
#endif /* HAVE_LIBPAM */
93

94

95
/*
96
 * 'cupsdAddIPMask()' - Add an IP address authorization mask.
97
 */
98

99
int					/* O  - 1 on success, 0 on failure */
100
cupsdAddIPMask(
101
    cups_array_t   **masks,		/* IO - Masks array (created as needed) */
102
    const unsigned address[4],		/* I  - IP address */
103
    const unsigned netmask[4])		/* I  - IP netmask */
104
{
105
  cupsd_authmask_t	temp;		/* New host/domain mask */
106

107

108
  cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdAddIPMask(masks=%p(%p), address=%x:%x:%x:%x, netmask=%x:%x:%x:%x)", masks, *masks, address[0], address[1], address[2], address[3], netmask[0], netmask[1], netmask[2], netmask[3]);
109

110
  temp.type = CUPSD_AUTH_IP;
111
  memcpy(temp.mask.ip.address, address, sizeof(temp.mask.ip.address));
112
  memcpy(temp.mask.ip.netmask, netmask, sizeof(temp.mask.ip.netmask));
113

114
 /*
115
  * Create the masks array as needed and add...
116
  */
117

118
  if (!*masks)
119
    *masks = cupsArrayNew3(NULL, NULL, NULL, 0,
120
			   (cups_acopy_func_t)copy_authmask,
121
			   (cups_afree_func_t)free_authmask);
122

123
  return (cupsArrayAdd(*masks, &temp));
124
}
125

126

127
/*
128
 * 'cupsdAddLocation()' - Add a location for authorization.
129
 */
130

131
void
132
cupsdAddLocation(cupsd_location_t *loc)	/* I - Location to add */
133
{
134
 /*
135
  * Make sure the locations array is created...
136
  */
137

138
  if (!Locations)
139
    Locations = cupsArrayNew3((cups_array_func_t)compare_locations, NULL,
140
                              (cups_ahash_func_t)NULL, 0,
141
			      (cups_acopy_func_t)NULL,
142
			      (cups_afree_func_t)cupsdFreeLocation);
143

144
  if (Locations)
145
  {
146
    cupsArrayAdd(Locations, loc);
147

148
    cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdAddLocation: Added location \"%s\"", loc->location ? loc->location : "(null)");
149
  }
150
}
151

152

153
/*
154
 * 'cupsdAddName()' - Add a name to a location...
155
 */
156

157
void
158
cupsdAddName(cupsd_location_t *loc,	/* I - Location to add to */
159
             char             *name)	/* I - Name to add */
160
{
161
  cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdAddName(loc=%p, name=\"%s\")", loc, name);
162

163
  if (!loc->names)
164
    loc->names = cupsArrayNew3(NULL, NULL, NULL, 0,
165
                               (cups_acopy_func_t)_cupsStrAlloc,
166
                               (cups_afree_func_t)_cupsStrFree);
167

168
  if (!cupsArrayAdd(loc->names, name))
169
  {
170
    cupsdLogMessage(CUPSD_LOG_ERROR,
171
                    "Unable to duplicate name for location %s: %s",
172
                    loc->location ? loc->location : "nil", strerror(errno));
173
    return;
174
  }
175
}
176

177

178
/*
179
 * 'cupsdAddNameMask()' - Add a host or interface name authorization mask.
180
 */
181

182
int					/* O  - 1 on success, 0 on failure */
183
cupsdAddNameMask(cups_array_t **masks,	/* IO - Masks array (created as needed) */
184
                 char         *name)	/* I  - Host or interface name */
185
{
186
  cupsd_authmask_t	temp;		/* New host/domain mask */
187
  char			ifname[32],	/* Interface name */
188
			*ifptr;		/* Pointer to end of name */
189

190

191
  cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdAddNameMask(masks=%p(%p), name=\"%s\")", masks, *masks, name);
192

193
  if (!_cups_strcasecmp(name, "@LOCAL"))
194
  {
195
   /*
196
    * Deny *interface*...
197
    */
198

199
    temp.type           = CUPSD_AUTH_INTERFACE;
200
    temp.mask.name.name = (char *)"*";
201
  }
202
  else if (!_cups_strncasecmp(name, "@IF(", 4))
203
  {
204
   /*
205
    * Deny *interface*...
206
    */
207

208
    strlcpy(ifname, name + 4, sizeof(ifname));
209

210
    ifptr = ifname + strlen(ifname) - 1;
211

212
    if (ifptr >= ifname && *ifptr == ')')
213
    {
214
      *ifptr = '\0';
215
    }
216

217
    temp.type             = CUPSD_AUTH_INTERFACE;
218
    temp.mask.name.name   = ifname;
219
  }
220
  else
221
  {
222
   /*
223
    * Deny name...
224
    */
225

226
    if (*name == '*')
227
      name ++;
228

229
    temp.type             = CUPSD_AUTH_NAME;
230
    temp.mask.name.name   = (char *)name;
231
  }
232

233
 /*
234
  * Set the name length...
235
  */
236

237
  temp.mask.name.length = strlen(temp.mask.name.name);
238

239
 /*
240
  * Create the masks array as needed and add...
241
  */
242

243
  if (!*masks)
244
    *masks = cupsArrayNew3(NULL, NULL, NULL, 0,
245
			   (cups_acopy_func_t)copy_authmask,
246
			   (cups_afree_func_t)free_authmask);
247

248
  return (cupsArrayAdd(*masks, &temp));
249
}
250

251

252
/*
253
 * 'cupsdAuthorize()' - Validate any authorization credentials.
254
 */
255

256
void
257
cupsdAuthorize(cupsd_client_t *con)	/* I - Client connection */
258
{
259
  int		type;			/* Authentication type */
260
  const char	*authorization;		/* Pointer into Authorization string */
261
  char		*ptr,			/* Pointer into string */
262
		username[HTTP_MAX_VALUE],
263
					/* Username string */
264
		password[HTTP_MAX_VALUE];
265
					/* Password string */
266
  cupsd_cert_t	*localuser;		/* Certificate username */
267

268

269
 /*
270
  * Locate the best matching location so we know what kind of
271
  * authentication to expect...
272
  */
273

274
  con->best = cupsdFindBest(con->uri, httpGetState(con->http));
275
  con->type = CUPSD_AUTH_NONE;
276

277
  cupsdLogClient(con, CUPSD_LOG_DEBUG2, "con->uri=\"%s\", con->best=%p(%s)", con->uri, con->best, con->best ? con->best->location : "");
278

279
  if (con->best && con->best->type != CUPSD_AUTH_NONE)
280
  {
281
    if (con->best->type == CUPSD_AUTH_DEFAULT)
282
      type = cupsdDefaultAuthType();
283
    else
284
      type = con->best->type;
285
  }
286
  else
287
    type = cupsdDefaultAuthType();
288

289
 /*
290
  * Decode the Authorization string...
291
  */
292

293
  authorization = httpGetField(con->http, HTTP_FIELD_AUTHORIZATION);
294

295
  username[0] = '\0';
296
  password[0] = '\0';
297

298
#ifdef HAVE_GSSAPI
299
  con->gss_uid = 0;
300
#endif /* HAVE_GSSAPI */
301

302
#ifdef HAVE_AUTHORIZATION_H
303
  if (con->authref)
304
  {
305
    AuthorizationFree(con->authref, kAuthorizationFlagDefaults);
306
    con->authref = NULL;
307
  }
308
#endif /* HAVE_AUTHORIZATION_H */
309

310
  if (!*authorization)
311
  {
312
   /*
313
    * No authorization data provided, return early...
314
    */
315

316
    cupsdLogClient(con, CUPSD_LOG_DEBUG, "No authentication data provided.");
317
    return;
318
  }
319
#ifdef HAVE_AUTHORIZATION_H
320
  else if (!strncmp(authorization, "AuthRef ", 8) &&
321
           httpAddrLocalhost(httpGetAddress(con->http)))
322
  {
323
    OSStatus		status;		/* Status */
324
    char		authdata[HTTP_MAX_VALUE];
325
					/* Nonce value from client */
326
    int			authlen;	/* Auth string length */
327
    AuthorizationItemSet *authinfo;	/* Authorization item set */
328

329
   /*
330
    * Get the Authorization Services data...
331
    */
332

333
    authorization += 8;
334
    while (isspace(*authorization & 255))
335
      authorization ++;
336

337
    authlen = sizeof(authdata);
338
    httpDecode64_2(authdata, &authlen, authorization);
339

340
    if (authlen != kAuthorizationExternalFormLength)
341
    {
342
      cupsdLogClient(con, CUPSD_LOG_ERROR, "External Authorization reference size is incorrect.");
343
      return;
344
    }
345

346
    if ((status = AuthorizationCreateFromExternalForm((AuthorizationExternalForm *)authdata, &con->authref)) != 0)
347
    {
348
      cupsdLogClient(con, CUPSD_LOG_ERROR, "AuthorizationCreateFromExternalForm returned %d", (int)status);
349
      return;
350
    }
351

352
    username[0] = '\0';
353

354
    if (!AuthorizationCopyInfo(con->authref, kAuthorizationEnvironmentUsername,
355
			       &authinfo))
356
    {
357
      if (authinfo->count == 1 && authinfo->items[0].value &&
358
          authinfo->items[0].valueLength >= 2)
359
      {
360
        strlcpy(username, authinfo->items[0].value, sizeof(username));
361

362
        cupsdLogClient(con, CUPSD_LOG_DEBUG, "Authorized as \"%s\" using AuthRef.", username);
363
      }
364

365
      AuthorizationFreeItemSet(authinfo);
366
    }
367

368
    if (!username[0])
369
    {
370
     /*
371
      * No username in AuthRef, grab username using peer credentials...
372
      */
373

374
      struct passwd	*pwd;		/* Password entry for this user */
375
      cupsd_ucred_t	peercred;	/* Peer credentials */
376
      socklen_t		peersize;	/* Size of peer credentials */
377

378
      peersize = sizeof(peercred);
379

380
      if (getsockopt(httpGetFd(con->http), 0, LOCAL_PEERCRED, &peercred, &peersize))
381
      {
382
        cupsdLogClient(con, CUPSD_LOG_ERROR, "Unable to get peer credentials - %s", strerror(errno));
383
        return;
384
      }
385

386
      if ((pwd = getpwuid(CUPSD_UCRED_UID(peercred))) == NULL)
387
      {
388
        cupsdLogClient(con, CUPSD_LOG_ERROR, "Unable to find UID %d for peer credentials.", (int)CUPSD_UCRED_UID(peercred));
389
        return;
390
      }
391

392
      strlcpy(username, pwd->pw_name, sizeof(username));
393

394
      cupsdLogClient(con, CUPSD_LOG_DEBUG, "Authorized as \"%s\" using AuthRef + PeerCred.", username);
395
    }
396

397
    con->type = CUPSD_AUTH_BASIC;
398
  }
399
#endif /* HAVE_AUTHORIZATION_H */
400
#if defined(SO_PEERCRED) && defined(AF_LOCAL)
401
  else if (!strncmp(authorization, "PeerCred ", 9) &&
402
           con->http->hostaddr->addr.sa_family == AF_LOCAL && con->best)
403
  {
404
   /*
405
    * Use peer credentials from domain socket connection...
406
    */
407

408
    struct passwd	*pwd;		/* Password entry for this user */
409
    cupsd_ucred_t	peercred;	/* Peer credentials */
410
    socklen_t		peersize;	/* Size of peer credentials */
411
#ifdef HAVE_AUTHORIZATION_H
412
    const char		*name;		/* Authorizing name */
413
    int			no_peer = 0;	/* Don't allow peer credentials? */
414

415
   /*
416
    * See if we should allow peer credentials...
417
    */
418

419
    for (name = (char *)cupsArrayFirst(con->best->names);
420
         name;
421
         name = (char *)cupsArrayNext(con->best->names))
422
    {
423
      if (!_cups_strncasecmp(name, "@AUTHKEY(", 9) ||
424
          !_cups_strcasecmp(name, "@SYSTEM"))
425
      {
426
       /* Normally don't want peer credentials if we need an auth key... */
427
	no_peer = 1;
428
      }
429
      else if (!_cups_strcasecmp(name, "@OWNER"))
430
      {
431
       /* but if @OWNER is present then we allow it... */
432
        no_peer = 0;
433
        break;
434
      }
435
    }
436

437
    if (no_peer)
438
    {
439
      cupsdLogClient(con, CUPSD_LOG_ERROR, "PeerCred authentication not allowed for resource per AUTHKEY policy.");
440
      return;
441
    }
442
#endif /* HAVE_AUTHORIZATION_H */
443

444
    if ((pwd = getpwnam(authorization + 9)) == NULL)
445
    {
446
      cupsdLogClient(con, CUPSD_LOG_ERROR, "User \"%s\" does not exist.", authorization + 9);
447
      return;
448
    }
449

450
    peersize = sizeof(peercred);
451

452
#  ifdef __APPLE__
453
    if (getsockopt(httpGetFd(con->http), 0, LOCAL_PEERCRED, &peercred, &peersize))
454
#  else
455
    if (getsockopt(httpGetFd(con->http), SOL_SOCKET, SO_PEERCRED, &peercred, &peersize))
456
#  endif /* __APPLE__ */
457
    {
458
      cupsdLogClient(con, CUPSD_LOG_ERROR, "Unable to get peer credentials - %s", strerror(errno));
459
      return;
460
    }
461

462
    if (pwd->pw_uid != CUPSD_UCRED_UID(peercred))
463
    {
464
      cupsdLogClient(con, CUPSD_LOG_ERROR, "Invalid peer credentials for \"%s\" - got %d, expected %d.", authorization + 9, CUPSD_UCRED_UID(peercred), pwd->pw_uid);
465
#  ifdef HAVE_SYS_UCRED_H
466
      cupsdLogClient(con, CUPSD_LOG_DEBUG2, "cr_version=%d", peercred.cr_version);
467
      cupsdLogClient(con, CUPSD_LOG_DEBUG2, "cr_uid=%d", peercred.cr_uid);
468
      cupsdLogClient(con, CUPSD_LOG_DEBUG2, "cr_ngroups=%d", peercred.cr_ngroups);
469
      cupsdLogClient(con, CUPSD_LOG_DEBUG2, "cr_groups[0]=%d", peercred.cr_groups[0]);
470
#  endif /* HAVE_SYS_UCRED_H */
471
      return;
472
    }
473

474
    strlcpy(username, authorization + 9, sizeof(username));
475

476
#  ifdef HAVE_GSSAPI
477
    con->gss_uid = CUPSD_UCRED_UID(peercred);
478
#  endif /* HAVE_GSSAPI */
479

480
    cupsdLogClient(con, CUPSD_LOG_DEBUG, "Authorized as %s using PeerCred.", username);
481

482
    con->type = CUPSD_AUTH_BASIC;
483
  }
484
#endif /* SO_PEERCRED && AF_LOCAL */
485
  else if (!strncmp(authorization, "Local", 5) &&
486
	   httpAddrLocalhost(httpGetAddress(con->http)))
487
  {
488
   /*
489
    * Get Local certificate authentication data...
490
    */
491

492
    authorization += 5;
493
    while (isspace(*authorization & 255))
494
      authorization ++;
495

496
    if ((localuser = cupsdFindCert(authorization)) == NULL)
497
    {
498
      cupsdLogClient(con, CUPSD_LOG_ERROR, "Local authentication certificate not found.");
499
      return;
500
    }
501

502
    strlcpy(username, localuser->username, sizeof(username));
503
    con->type = localuser->type;
504

505
    cupsdLogClient(con, CUPSD_LOG_DEBUG, "Authorized as %s using Local.", username);
506
  }
507
  else if (!strncmp(authorization, "Basic", 5))
508
  {
509
   /*
510
    * Get the Basic authentication data...
511
    */
512

513
    int	userlen;			/* Username:password length */
514

515

516
    authorization += 5;
517
    while (isspace(*authorization & 255))
518
      authorization ++;
519

520
    userlen = sizeof(username);
521
    httpDecode64_2(username, &userlen, authorization);
522

523
   /*
524
    * Pull the username and password out...
525
    */
526

527
    if ((ptr = strchr(username, ':')) == NULL)
528
    {
529
      cupsdLogClient(con, CUPSD_LOG_ERROR, "Missing Basic password.");
530
      return;
531
    }
532

533
    *ptr++ = '\0';
534

535
    if (!username[0])
536
    {
537
     /*
538
      * Username must not be empty...
539
      */
540

541
      cupsdLogClient(con, CUPSD_LOG_ERROR, "Empty Basic username.");
542
      return;
543
    }
544

545
    if (!*ptr)
546
    {
547
     /*
548
      * Password must not be empty...
549
      */
550

551
      cupsdLogClient(con, CUPSD_LOG_ERROR, "Empty Basic password.");
552
      return;
553
    }
554

555
    strlcpy(password, ptr, sizeof(password));
556

557
   /*
558
    * Validate the username and password...
559
    */
560

561
    switch (type)
562
    {
563
      default :
564
      case CUPSD_AUTH_BASIC :
565
          {
566
#if HAVE_LIBPAM
567
	   /*
568
	    * Only use PAM to do authentication.  This supports MD5
569
	    * passwords, among other things...
570
	    */
571

572
	    pam_handle_t	*pamh;	/* PAM authentication handle */
573
	    int			pamerr;	/* PAM error code */
574
	    struct pam_conv	pamdata;/* PAM conversation data */
575
	    cupsd_authdata_t	data;	/* Authentication data */
576

577

578
            strlcpy(data.username, username, sizeof(data.username));
579
	    strlcpy(data.password, password, sizeof(data.password));
580

581
#  ifdef __sun
582
	    pamdata.conv        = (int (*)(int, struct pam_message **,
583
	                                   struct pam_response **,
584
					   void *))pam_func;
585
#  else
586
	    pamdata.conv        = pam_func;
587
#  endif /* __sun */
588
	    pamdata.appdata_ptr = &data;
589

590
	    pamerr = pam_start("cups", username, &pamdata, &pamh);
591
	    if (pamerr != PAM_SUCCESS)
592
	    {
593
	      cupsdLogClient(con, CUPSD_LOG_ERROR, "pam_start() returned %d (%s)", pamerr, pam_strerror(pamh, pamerr));
594
	      return;
595
	    }
596

597
#  ifdef HAVE_PAM_SET_ITEM
598
#    ifdef PAM_RHOST
599
	    pamerr = pam_set_item(pamh, PAM_RHOST, con->http->hostname);
600
	    if (pamerr != PAM_SUCCESS)
601
	      cupsdLogClient(con, CUPSD_LOG_WARN, "pam_set_item(PAM_RHOST) returned %d (%s)", pamerr, pam_strerror(pamh, pamerr));
602
#    endif /* PAM_RHOST */
603

604
#    ifdef PAM_TTY
605
	    pamerr = pam_set_item(pamh, PAM_TTY, "cups");
606
	    if (pamerr != PAM_SUCCESS)
607
	      cupsdLogClient(con, CUPSD_LOG_WARN, "pam_set_item(PAM_TTY) returned %d (%s)", pamerr, pam_strerror(pamh, pamerr));
608
#    endif /* PAM_TTY */
609
#  endif /* HAVE_PAM_SET_ITEM */
610

611
	    pamerr = pam_authenticate(pamh, PAM_SILENT);
612
	    if (pamerr != PAM_SUCCESS)
613
	    {
614
	      cupsdLogClient(con, CUPSD_LOG_ERROR, "pam_authenticate() returned %d (%s)", pamerr, pam_strerror(pamh, pamerr));
615
	      pam_end(pamh, 0);
616
	      return;
617
	    }
618

619
#  ifdef HAVE_PAM_SETCRED
620
            pamerr = pam_setcred(pamh, PAM_ESTABLISH_CRED | PAM_SILENT);
621
	    if (pamerr != PAM_SUCCESS)
622
	      cupsdLogClient(con, CUPSD_LOG_WARN, "pam_setcred() returned %d (%s)", pamerr, pam_strerror(pamh, pamerr));
623
#  endif /* HAVE_PAM_SETCRED */
624

625
	    pamerr = pam_acct_mgmt(pamh, PAM_SILENT);
626
	    if (pamerr != PAM_SUCCESS)
627
	    {
628
	      cupsdLogClient(con, CUPSD_LOG_ERROR, "pam_acct_mgmt() returned %d (%s)", pamerr, pam_strerror(pamh, pamerr));
629
	      pam_end(pamh, 0);
630
	      return;
631
	    }
632

633
	    pam_end(pamh, PAM_SUCCESS);
634

635
#else
636
           /*
637
	    * Use normal UNIX password file-based authentication...
638
	    */
639

640
            char		*pass;	/* Encrypted password */
641
            struct passwd	*pw;	/* User password data */
642
#  ifdef HAVE_SHADOW_H
643
            struct spwd		*spw;	/* Shadow password data */
644
#  endif /* HAVE_SHADOW_H */
645

646

647
	    pw = getpwnam(username);	/* Get the current password */
648
	    endpwent();			/* Close the password file */
649

650
	    if (!pw)
651
	    {
652
	     /*
653
	      * No such user...
654
	      */
655

656
	      cupsdLogClient(con, CUPSD_LOG_ERROR, "Unknown username \"%s\".", username);
657
	      return;
658
	    }
659

660
#  ifdef HAVE_SHADOW_H
661
	    spw = getspnam(username);
662
	    endspent();
663

664
	    if (!spw && !strcmp(pw->pw_passwd, "x"))
665
	    {
666
	     /*
667
	      * Don't allow blank passwords!
668
	      */
669

670
	      cupsdLogClient(con, CUPSD_LOG_ERROR, "Username \"%s\" has no shadow password.", username);
671
	      return;
672
	    }
673

674
	    if (spw && !spw->sp_pwdp[0] && !pw->pw_passwd[0])
675
#  else
676
	    if (!pw->pw_passwd[0])
677
#  endif /* HAVE_SHADOW_H */
678
	    {
679
	     /*
680
	      * Don't allow blank passwords!
681
	      */
682

683
	      cupsdLogClient(con, CUPSD_LOG_ERROR, "Username \"%s\" has no password.", username);
684
	      return;
685
	    }
686

687
	   /*
688
	    * OK, the password isn't blank, so compare with what came from the
689
	    * client...
690
	    */
691

692
	    pass = crypt(password, pw->pw_passwd);
693

694
	    if (!pass || strcmp(pw->pw_passwd, pass))
695
	    {
696
#  ifdef HAVE_SHADOW_H
697
	      if (spw)
698
	      {
699
		pass = crypt(password, spw->sp_pwdp);
700

701
		if (pass == NULL || strcmp(spw->sp_pwdp, pass))
702
		{
703
	          cupsdLogClient(con, CUPSD_LOG_ERROR, "Authentication failed for user \"%s\".", username);
704
		  return;
705
        	}
706
	      }
707
	      else
708
#  endif /* HAVE_SHADOW_H */
709
	      {
710
		cupsdLogClient(con, CUPSD_LOG_ERROR, "Authentication failed for user \"%s\".", username);
711
		return;
712
              }
713
	    }
714
#endif /* HAVE_LIBPAM */
715
          }
716

717
	  cupsdLogClient(con, CUPSD_LOG_DEBUG, "Authorized as \"%s\" using Basic.", username);
718
          break;
719
    }
720

721
    con->type = type;
722
  }
723
#ifdef HAVE_GSSAPI
724
  else if (!strncmp(authorization, "Negotiate", 9))
725
  {
726
    int			len;		/* Length of authorization string */
727
    gss_ctx_id_t	context;	/* Authorization context */
728
    OM_uint32		major_status,	/* Major status code */
729
			minor_status;	/* Minor status code */
730
    gss_buffer_desc	input_token = GSS_C_EMPTY_BUFFER,
731
					/* Input token from string */
732
			output_token = GSS_C_EMPTY_BUFFER;
733
					/* Output token for username */
734
    gss_name_t		client_name;	/* Client name */
735

736
#  ifdef __APPLE__
737
   /*
738
    * If the weak-linked GSSAPI/Kerberos library is not present, don't try
739
    * to use it...
740
    */
741

742
    if (&gss_init_sec_context == NULL)
743
    {
744
      cupsdLogClient(con, CUPSD_LOG_WARN, "GSSAPI/Kerberos authentication failed because the Kerberos framework is not present.");
745
      return;
746
    }
747
#  endif /* __APPLE__ */
748

749
   /*
750
    * Find the start of the Kerberos input token...
751
    */
752

753
    authorization += 9;
754
    while (isspace(*authorization & 255))
755
      authorization ++;
756

757
    if (!*authorization)
758
    {
759
      cupsdLogClient(con, CUPSD_LOG_DEBUG2, "No authentication data specified.");
760
      return;
761
    }
762

763
   /*
764
    * Decode the authorization string to get the input token...
765
    */
766

767
    len                = (int)strlen(authorization) + 0;
768
    input_token.value  = malloc((size_t)len);
769
    input_token.value  = httpDecode64_2(input_token.value, &len,
770
					authorization);
771
    input_token.length = (size_t)len;
772

773
   /*
774
    * Accept the input token to get the authorization info...
775
    */
776

777
    context      = GSS_C_NO_CONTEXT;
778
    client_name  = GSS_C_NO_NAME;
779
    major_status = gss_accept_sec_context(&minor_status,
780
					  &context,
781
					  ServerCreds,
782
					  &input_token,
783
					  GSS_C_NO_CHANNEL_BINDINGS,
784
					  &client_name,
785
					  NULL,
786
					  &output_token,
787
					  NULL,
788
					  NULL,
789
					  NULL);
790

791
    if (output_token.length > 0)
792
      gss_release_buffer(&minor_status, &output_token);
793

794
    if (GSS_ERROR(major_status))
795
    {
796
      cupsdLogGSSMessage(CUPSD_LOG_DEBUG, major_status, minor_status, "[Client %d] Error accepting GSSAPI security context.", con->number);
797

798
      if (context != GSS_C_NO_CONTEXT)
799
	gss_delete_sec_context(&minor_status, &context, GSS_C_NO_BUFFER);
800
      return;
801
    }
802

803
    con->have_gss = 1;
804

805
   /*
806
    * Get the username associated with the client's credentials...
807
    */
808

809
    if (major_status == GSS_S_CONTINUE_NEEDED)
810
      cupsdLogGSSMessage(CUPSD_LOG_DEBUG, major_status, minor_status, "[Client %d] Credentials not complete.", con->number);
811
    else if (major_status == GSS_S_COMPLETE)
812
    {
813
      major_status = gss_display_name(&minor_status, client_name,
814
				      &output_token, NULL);
815

816
      if (GSS_ERROR(major_status))
817
      {
818
	cupsdLogGSSMessage(CUPSD_LOG_DEBUG, major_status, minor_status, "[Client %d] Error getting username.", con->number);
819
	gss_release_name(&minor_status, &client_name);
820
	gss_delete_sec_context(&minor_status, &context, GSS_C_NO_BUFFER);
821
	return;
822
      }
823

824
      strlcpy(username, output_token.value, sizeof(username));
825

826
      cupsdLogClient(con, CUPSD_LOG_DEBUG, "Authorized as \"%s\" using Negotiate.", username);
827

828
      gss_release_name(&minor_status, &client_name);
829
      gss_release_buffer(&minor_status, &output_token);
830

831
      con->type = CUPSD_AUTH_NEGOTIATE;
832
    }
833

834
    gss_delete_sec_context(&minor_status, &context, GSS_C_NO_BUFFER);
835

836
#  if defined(SO_PEERCRED) && defined(AF_LOCAL)
837
   /*
838
    * Get the client's UID if we are printing locally - that allows a backend
839
    * to run as the correct user to get Kerberos credentials of its own.
840
    */
841

842
    if (httpAddrFamily(con->http->hostaddr) == AF_LOCAL)
843
    {
844
      cupsd_ucred_t	peercred;	/* Peer credentials */
845
      socklen_t		peersize;	/* Size of peer credentials */
846

847
      peersize = sizeof(peercred);
848

849
#    ifdef __APPLE__
850
      if (getsockopt(httpGetFd(con->http), 0, LOCAL_PEERCRED, &peercred, &peersize))
851
#    else
852
      if (getsockopt(httpGetFd(con->http), SOL_SOCKET, SO_PEERCRED, &peercred,
853
                     &peersize))
854
#    endif /* __APPLE__ */
855
      {
856
	cupsdLogClient(con, CUPSD_LOG_ERROR, "Unable to get peer credentials - %s", strerror(errno));
857
      }
858
      else
859
      {
860
	cupsdLogClient(con, CUPSD_LOG_DEBUG, "Using credentials for UID %d.", CUPSD_UCRED_UID(peercred));
861
        con->gss_uid = CUPSD_UCRED_UID(peercred);
862
      }
863
    }
864
#  endif /* SO_PEERCRED && AF_LOCAL */
865
  }
866
#endif /* HAVE_GSSAPI */
867
  else
868
  {
869
    char	scheme[256];		/* Auth scheme... */
870

871

872
    if (sscanf(authorization, "%255s", scheme) != 1)
873
      strlcpy(scheme, "UNKNOWN", sizeof(scheme));
874

875
    cupsdLogClient(con, CUPSD_LOG_ERROR, "Bad authentication data \"%s ...\".", scheme);
876
    return;
877
  }
878

879
 /*
880
  * If we get here, then we were able to validate the username and
881
  * password - copy the validated username and password to the client
882
  * data and return...
883
  */
884

885
  strlcpy(con->username, username, sizeof(con->username));
886
  strlcpy(con->password, password, sizeof(con->password));
887
}
888

889

890
/*
891
 * 'cupsdCheckAccess()' - Check whether the given address is allowed to
892
 *                        access a location.
893
 */
894

895
int					/* O - 1 if allowed, 0 otherwise */
896
cupsdCheckAccess(
897
    unsigned         ip[4],		/* I - Client address */
898
    const char       *name,		/* I - Client hostname */
899
    size_t           namelen,		/* I - Length of hostname */
900
    cupsd_location_t *loc)		/* I - Location to check */
901
{
902
  int	allow;				/* 1 if allowed, 0 otherwise */
903

904

905
  if (!_cups_strcasecmp(name, "localhost"))
906
  {
907
   /*
908
    * Access from localhost (127.0.0.1 or ::1) is always allowed...
909
    */
910

911
    return (1);
912
  }
913
  else
914
  {
915
   /*
916
    * Do authorization checks on the domain/address...
917
    */
918

919
    switch (loc->order_type)
920
    {
921
      default :
922
	  allow = 0;	/* anti-compiler-warning-code */
923
	  break;
924

925
      case CUPSD_AUTH_ALLOW : /* Order Deny,Allow */
926
          allow = 1;
927

928
          if (cupsdCheckAuth(ip, name, namelen, loc->deny))
929
	    allow = 0;
930

931
          if (cupsdCheckAuth(ip, name, namelen, loc->allow))
932
	    allow = 1;
933
	  break;
934

935
      case CUPSD_AUTH_DENY : /* Order Allow,Deny */
936
          allow = 0;
937

938
          if (cupsdCheckAuth(ip, name, namelen, loc->allow))
939
	    allow = 1;
940

941
          if (cupsdCheckAuth(ip, name, namelen, loc->deny))
942
	    allow = 0;
943
	  break;
944
    }
945
  }
946

947
  return (allow);
948
}
949

950

951
/*
952
 * 'cupsdCheckAuth()' - Check authorization masks.
953
 */
954

955
int					/* O - 1 if mask matches, 0 otherwise */
956
cupsdCheckAuth(unsigned     ip[4],	/* I - Client address */
957
	       const char   *name,	/* I - Client hostname */
958
	       size_t       name_len,	/* I - Length of hostname */
959
	       cups_array_t *masks)	/* I - Masks */
960
{
961
  int			i;		/* Looping var */
962
  cupsd_authmask_t	*mask;		/* Current mask */
963
  cupsd_netif_t		*iface;		/* Network interface */
964
  unsigned		netip4;		/* IPv4 network address */
965
#ifdef AF_INET6
966
  unsigned		netip6[4];	/* IPv6 network address */
967
#endif /* AF_INET6 */
968

969

970
  for (mask = (cupsd_authmask_t *)cupsArrayFirst(masks);
971
       mask;
972
       mask = (cupsd_authmask_t *)cupsArrayNext(masks))
973
  {
974
    switch (mask->type)
975
    {
976
      case CUPSD_AUTH_INTERFACE :
977
         /*
978
	  * Check for a match with a network interface...
979
	  */
980

981
          netip4 = htonl(ip[3]);
982

983
#ifdef AF_INET6
984
          netip6[0] = htonl(ip[0]);
985
          netip6[1] = htonl(ip[1]);
986
          netip6[2] = htonl(ip[2]);
987
          netip6[3] = htonl(ip[3]);
988
#endif /* AF_INET6 */
989

990
	  cupsdNetIFUpdate();
991

992
          if (!strcmp(mask->mask.name.name, "*"))
993
	  {
994
#ifdef __APPLE__
995
           /*
996
	    * Allow Back-to-My-Mac addresses...
997
	    */
998

999
	    if ((ip[0] & 0xff000000) == 0xfd000000)
1000
	      return (1);
1001
#endif /* __APPLE__ */
1002

1003
	   /*
1004
	    * Check against all local interfaces...
1005
	    */
1006

1007
	    for (iface = (cupsd_netif_t *)cupsArrayFirst(NetIFList);
1008
		 iface;
1009
		 iface = (cupsd_netif_t *)cupsArrayNext(NetIFList))
1010
	    {
1011
	     /*
1012
	      * Only check local interfaces...
1013
	      */
1014

1015
	      if (!iface->is_local)
1016
	        continue;
1017

1018
              if (iface->address.addr.sa_family == AF_INET)
1019
	      {
1020
	       /*
1021
	        * Check IPv4 address...
1022
		*/
1023

1024
        	if ((netip4 & iface->mask.ipv4.sin_addr.s_addr) ==
1025
	            (iface->address.ipv4.sin_addr.s_addr &
1026
		     iface->mask.ipv4.sin_addr.s_addr))
1027
		  return (1);
1028
              }
1029
#ifdef AF_INET6
1030
	      else
1031
	      {
1032
	       /*
1033
	        * Check IPv6 address...
1034
		*/
1035

1036
        	for (i = 0; i < 4; i ++)
1037
		  if ((netip6[i] & iface->mask.ipv6.sin6_addr.s6_addr32[i]) !=
1038
		      (iface->address.ipv6.sin6_addr.s6_addr32[i] &
1039
		       iface->mask.ipv6.sin6_addr.s6_addr32[i]))
1040
		    break;
1041

1042
		if (i == 4)
1043
		  return (1);
1044
              }
1045
#endif /* AF_INET6 */
1046
	    }
1047
	  }
1048
	  else
1049
	  {
1050
	   /*
1051
	    * Check the named interface...
1052
	    */
1053

1054
	    for (iface = (cupsd_netif_t *)cupsArrayFirst(NetIFList);
1055
	         iface;
1056
		 iface = (cupsd_netif_t *)cupsArrayNext(NetIFList))
1057
	    {
1058
              if (strcmp(mask->mask.name.name, iface->name))
1059
                continue;
1060

1061
              if (iface->address.addr.sa_family == AF_INET)
1062
	      {
1063
	       /*
1064
		* Check IPv4 address...
1065
		*/
1066

1067
        	if ((netip4 & iface->mask.ipv4.sin_addr.s_addr) ==
1068
	            (iface->address.ipv4.sin_addr.s_addr &
1069
		     iface->mask.ipv4.sin_addr.s_addr))
1070
		  return (1);
1071
              }
1072
#ifdef AF_INET6
1073
	      else
1074
	      {
1075
	       /*
1076
		* Check IPv6 address...
1077
		*/
1078

1079
        	for (i = 0; i < 4; i ++)
1080
		  if ((netip6[i] & iface->mask.ipv6.sin6_addr.s6_addr32[i]) !=
1081
		      (iface->address.ipv6.sin6_addr.s6_addr32[i] &
1082
		       iface->mask.ipv6.sin6_addr.s6_addr32[i]))
1083
		    break;
1084

1085
		if (i == 4)
1086
		  return (1);
1087
              }
1088
#endif /* AF_INET6 */
1089
	    }
1090
	  }
1091
	  break;
1092

1093
      case CUPSD_AUTH_NAME :
1094
         /*
1095
	  * Check for exact name match...
1096
	  */
1097

1098
          if (!_cups_strcasecmp(name, mask->mask.name.name))
1099
	    return (1);
1100

1101
         /*
1102
	  * Check for domain match...
1103
	  */
1104

1105
	  if (name_len >= mask->mask.name.length &&
1106
	      mask->mask.name.name[0] == '.' &&
1107
	      !_cups_strcasecmp(name + name_len - mask->mask.name.length,
1108
	                  mask->mask.name.name))
1109
	    return (1);
1110
          break;
1111

1112
      case CUPSD_AUTH_IP :
1113
         /*
1114
	  * Check for IP/network address match...
1115
	  */
1116

1117
          for (i = 0; i < 4; i ++)
1118
	    if ((ip[i] & mask->mask.ip.netmask[i]) !=
1119
	            mask->mask.ip.address[i])
1120
	      break;
1121

1122
	  if (i == 4)
1123
	    return (1);
1124
          break;
1125
    }
1126
  }
1127

1128
  return (0);
1129
}
1130

1131

1132
/*
1133
 * 'cupsdCheckGroup()' - Check for a user's group membership.
1134
 */
1135

1136
int					/* O - 1 if user is a member, 0 otherwise */
1137
cupsdCheckGroup(
1138
    const char    *username,		/* I - User name */
1139
    struct passwd *user,		/* I - System user info */
1140
    const char    *groupname)		/* I - Group name */
1141
{
1142
  int		i;			/* Looping var */
1143
  struct group	*group;			/* Group info */
1144
  gid_t		groupid;		/* ID of named group */
1145
#ifdef HAVE_MBR_UID_TO_UUID
1146
  uuid_t	useruuid,		/* UUID for username */
1147
		groupuuid;		/* UUID for groupname */
1148
  int		is_member;		/* True if user is a member of group */
1149
#endif /* HAVE_MBR_UID_TO_UUID */
1150

1151

1152
  cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdCheckGroup(username=\"%s\", user=%p, groupname=\"%s\")", username, user, groupname);
1153

1154
 /*
1155
  * Validate input...
1156
  */
1157

1158
  if (!username || !groupname)
1159
    return (0);
1160

1161
 /*
1162
  * Check to see if the user is a member of the named group...
1163
  */
1164

1165
  group = getgrnam(groupname);
1166
  endgrent();
1167

1168
  if (group != NULL)
1169
  {
1170
   /*
1171
    * Group exists, check it...
1172
    */
1173

1174
    groupid = group->gr_gid;
1175

1176
    for (i = 0; group->gr_mem[i]; i ++)
1177
    {
1178
     /*
1179
      * User appears in the group membership...
1180
      */
1181

1182
      if (!_cups_strcasecmp(username, group->gr_mem[i]))
1183
	return (1);
1184
    }
1185

1186
#ifdef HAVE_GETGROUPLIST
1187
   /*
1188
    * If the user isn't in the group membership list, try the results from
1189
    * getgrouplist() which is supposed to return the full list of groups a user
1190
    * belongs to...
1191
    */
1192

1193
    if (user)
1194
    {
1195
      int	ngroups;		/* Number of groups */
1196
#  ifdef __APPLE__
1197
      int	groups[2048];		/* Groups that user belongs to */
1198
#  else
1199
      gid_t	groups[2048];		/* Groups that user belongs to */
1200
#  endif /* __APPLE__ */
1201

1202
      ngroups = (int)(sizeof(groups) / sizeof(groups[0]));
1203
#  ifdef __APPLE__
1204
      getgrouplist(username, (int)user->pw_gid, groups, &ngroups);
1205
#  else
1206
      getgrouplist(username, user->pw_gid, groups, &ngroups);
1207
#endif /* __APPLE__ */
1208

1209
      for (i = 0; i < ngroups; i ++)
1210
        if ((int)groupid == (int)groups[i])
1211
	  return (1);
1212
    }
1213
#endif /* HAVE_GETGROUPLIST */
1214
  }
1215
  else
1216
    groupid = (gid_t)-1;
1217

1218
 /*
1219
  * Group doesn't exist or user not in group list, check the group ID
1220
  * against the user's group ID...
1221
  */
1222

1223
  if (user && groupid == user->pw_gid)
1224
    return (1);
1225

1226
#ifdef HAVE_MBR_UID_TO_UUID
1227
 /*
1228
  * Check group membership through macOS membership API...
1229
  */
1230

1231
  if (user && !mbr_uid_to_uuid(user->pw_uid, useruuid))
1232
  {
1233
    if (groupid != (gid_t)-1)
1234
    {
1235
     /*
1236
      * Map group name to UUID and check membership...
1237
      */
1238

1239
      if (!mbr_gid_to_uuid(groupid, groupuuid))
1240
        if (!mbr_check_membership(useruuid, groupuuid, &is_member))
1241
	  if (is_member)
1242
	    return (1);
1243
    }
1244
    else if (groupname[0] == '#')
1245
    {
1246
     /*
1247
      * Use UUID directly and check for equality (user UUID) and
1248
      * membership (group UUID)...
1249
      */
1250

1251
      if (!uuid_parse((char *)groupname + 1, groupuuid))
1252
      {
1253
        if (!uuid_compare(useruuid, groupuuid))
1254
	  return (1);
1255
	else if (!mbr_check_membership(useruuid, groupuuid, &is_member))
1256
	  if (is_member)
1257
	    return (1);
1258
      }
1259

1260
      return (0);
1261
    }
1262
  }
1263
  else if (groupname[0] == '#')
1264
    return (0);
1265
#endif /* HAVE_MBR_UID_TO_UUID */
1266

1267
 /*
1268
  * If we get this far, then the user isn't part of the named group...
1269
  */
1270

1271
  return (0);
1272
}
1273

1274

1275
/*
1276
 * 'cupsdCopyLocation()' - Make a copy of a location...
1277
 */
1278

1279
cupsd_location_t *			/* O - New location */
1280
cupsdCopyLocation(
1281
    cupsd_location_t *loc)		/* I - Original location */
1282
{
1283
  cupsd_location_t	*temp;		/* New location */
1284

1285

1286
 /*
1287
  * Make a copy of the original location...
1288
  */
1289

1290
  if ((temp = calloc(1, sizeof(cupsd_location_t))) == NULL)
1291
    return (NULL);
1292

1293
 /*
1294
  * Copy the information from the original location to the new one.
1295
  */
1296

1297
  if (!loc)
1298
    return (temp);
1299

1300
  if (loc->location)
1301
    temp->location = _cupsStrAlloc(loc->location);
1302

1303
  temp->length     = loc->length;
1304
  temp->limit      = loc->limit;
1305
  temp->order_type = loc->order_type;
1306
  temp->type       = loc->type;
1307
  temp->level      = loc->level;
1308
  temp->satisfy    = loc->satisfy;
1309
  temp->encryption = loc->encryption;
1310

1311
  if (loc->names)
1312
  {
1313
    if ((temp->names = cupsArrayDup(loc->names)) == NULL)
1314
    {
1315
      cupsdLogMessage(CUPSD_LOG_ERROR,
1316
                      "Unable to allocate memory for %d names: %s",
1317
		      cupsArrayCount(loc->names), strerror(errno));
1318

1319
      cupsdFreeLocation(temp);
1320
      return (NULL);
1321
    }
1322
  }
1323

1324
  if (loc->allow)
1325
  {
1326
   /*
1327
    * Copy allow rules...
1328
    */
1329

1330
    if ((temp->allow = cupsArrayDup(loc->allow)) == NULL)
1331
    {
1332
      cupsdLogMessage(CUPSD_LOG_ERROR,
1333
                      "Unable to allocate memory for %d allow rules: %s",
1334
                      cupsArrayCount(loc->allow), strerror(errno));
1335
      cupsdFreeLocation(temp);
1336
      return (NULL);
1337
    }
1338
  }
1339

1340
  if (loc->deny)
1341
  {
1342
   /*
1343
    * Copy deny rules...
1344
    */
1345

1346
    if ((temp->deny = cupsArrayDup(loc->deny)) == NULL)
1347
    {
1348
      cupsdLogMessage(CUPSD_LOG_ERROR,
1349
                      "Unable to allocate memory for %d deny rules: %s",
1350
                      cupsArrayCount(loc->deny), strerror(errno));
1351
      cupsdFreeLocation(temp);
1352
      return (NULL);
1353
    }
1354
  }
1355

1356
  return (temp);
1357
}
1358

1359

1360
/*
1361
 * 'cupsdDeleteAllLocations()' - Free all memory used for location authorization.
1362
 */
1363

1364
void
1365
cupsdDeleteAllLocations(void)
1366
{
1367
 /*
1368
  * Free the location array, which will free all of the locations...
1369
  */
1370

1371
  cupsArrayDelete(Locations);
1372
  Locations = NULL;
1373
}
1374

1375

1376
/*
1377
 * 'cupsdFindBest()' - Find the location entry that best matches the resource.
1378
 */
1379

1380
cupsd_location_t *			/* O - Location that matches */
1381
cupsdFindBest(const char   *path,	/* I - Resource path */
1382
              http_state_t state)	/* I - HTTP state/request */
1383
{
1384
  char			uri[HTTP_MAX_URI],
1385
					/* URI in request... */
1386
			*uriptr;	/* Pointer into URI */
1387
  cupsd_location_t	*loc,		/* Current location */
1388
			*best;		/* Best match for location so far */
1389
  size_t		bestlen;	/* Length of best match */
1390
  int			limit;		/* Limit field */
1391
  static const int	limits[] =	/* Map http_status_t to CUPSD_AUTH_LIMIT_xyz */
1392
		{
1393
		  CUPSD_AUTH_LIMIT_ALL,
1394
		  CUPSD_AUTH_LIMIT_OPTIONS,
1395
		  CUPSD_AUTH_LIMIT_GET,
1396
		  CUPSD_AUTH_LIMIT_GET,
1397
		  CUPSD_AUTH_LIMIT_HEAD,
1398
		  CUPSD_AUTH_LIMIT_POST,
1399
		  CUPSD_AUTH_LIMIT_POST,
1400
		  CUPSD_AUTH_LIMIT_POST,
1401
		  CUPSD_AUTH_LIMIT_PUT,
1402
		  CUPSD_AUTH_LIMIT_PUT,
1403
		  CUPSD_AUTH_LIMIT_DELETE,
1404
		  CUPSD_AUTH_LIMIT_TRACE,
1405
		  CUPSD_AUTH_LIMIT_ALL,
1406
		  CUPSD_AUTH_LIMIT_ALL,
1407
		  CUPSD_AUTH_LIMIT_ALL,
1408
		  CUPSD_AUTH_LIMIT_ALL
1409
		};
1410

1411

1412
 /*
1413
  * First copy the connection URI to a local string so we have drop
1414
  * any .ppd extension from the pathname in /printers or /classes
1415
  * URIs...
1416
  */
1417

1418
  strlcpy(uri, path, sizeof(uri));
1419

1420
  if ((uriptr = strchr(uri, '?')) != NULL)
1421
    *uriptr = '\0';		/* Drop trailing query string */
1422

1423
  if ((uriptr = uri + strlen(uri) - 1) > uri && *uriptr == '/')
1424
    *uriptr = '\0';		/* Remove trailing '/' */
1425

1426
  if (!strncmp(uri, "/printers/", 10) ||
1427
      !strncmp(uri, "/classes/", 9))
1428
  {
1429
   /*
1430
    * Check if the URI has .ppd on the end...
1431
    */
1432

1433
    uriptr = uri + strlen(uri) - 4; /* len > 4 if we get here... */
1434

1435
    if (!strcmp(uriptr, ".ppd"))
1436
      *uriptr = '\0';
1437
  }
1438

1439
 /*
1440
  * Loop through the list of locations to find a match...
1441
  */
1442

1443
  limit   = limits[state];
1444
  best    = NULL;
1445
  bestlen = 0;
1446

1447
  cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdFindBest: uri=\"%s\", limit=%x...", uri, limit);
1448

1449

1450
  for (loc = (cupsd_location_t *)cupsArrayFirst(Locations);
1451
       loc;
1452
       loc = (cupsd_location_t *)cupsArrayNext(Locations))
1453
  {
1454
    cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdFindBest: Location %s(%d) Limit %x", loc->location ? loc->location : "(null)", (int)loc->length, loc->limit);
1455

1456
    if (!strncmp(uri, "/printers/", 10) || !strncmp(uri, "/classes/", 9))
1457
    {
1458
     /*
1459
      * Use case-insensitive comparison for queue names...
1460
      */
1461

1462
      if (loc->length > bestlen && loc->location &&
1463
          !_cups_strncasecmp(uri, loc->location, loc->length) &&
1464
	  loc->location[0] == '/' &&
1465
	  (limit & loc->limit) != 0)
1466
      {
1467
	best    = loc;
1468
	bestlen = loc->length;
1469
      }
1470
    }
1471
    else
1472
    {
1473
     /*
1474
      * Use case-sensitive comparison for other URIs...
1475
      */
1476

1477
      if (loc->length > bestlen && loc->location &&
1478
          !strncmp(uri, loc->location, loc->length) &&
1479
	  loc->location[0] == '/' &&
1480
	  (limit & loc->limit) != 0)
1481
      {
1482
	best    = loc;
1483
	bestlen = loc->length;
1484
      }
1485
    }
1486
  }
1487

1488
 /*
1489
  * Return the match, if any...
1490
  */
1491

1492
  cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdFindBest: best=%s", best ? best->location : "NONE");
1493

1494
  return (best);
1495
}
1496

1497

1498
/*
1499
 * 'cupsdFindLocation()' - Find the named location.
1500
 */
1501

1502
cupsd_location_t *			/* O - Location that matches */
1503
cupsdFindLocation(const char *location)	/* I - Connection */
1504
{
1505
  cupsd_location_t	key;		/* Search key */
1506

1507

1508
  key.location = (char *)location;
1509

1510
  return ((cupsd_location_t *)cupsArrayFind(Locations, &key));
1511
}
1512

1513

1514
/*
1515
 * 'cupsdFreeLocation()' - Free all memory used by a location.
1516
 */
1517

1518
void
1519
cupsdFreeLocation(cupsd_location_t *loc)/* I - Location to free */
1520
{
1521
  cupsArrayDelete(loc->names);
1522
  cupsArrayDelete(loc->allow);
1523
  cupsArrayDelete(loc->deny);
1524

1525
  _cupsStrFree(loc->location);
1526
  free(loc);
1527
}
1528

1529

1530
/*
1531
 * 'cupsdIsAuthorized()' - Check to see if the user is authorized...
1532
 */
1533

1534
http_status_t				/* O - HTTP_OK if authorized or error code */
1535
cupsdIsAuthorized(cupsd_client_t *con,	/* I - Connection */
1536
                  const char     *owner)/* I - Owner of object */
1537
{
1538
  int			i,		/* Looping vars */
1539
			auth,		/* Authorization status */
1540
			type;		/* Type of authentication */
1541
  http_addr_t		*hostaddr = httpGetAddress(con->http);
1542
					/* Client address */
1543
  const char		*hostname = httpGetHostname(con->http, NULL, 0);
1544
					/* Client hostname */
1545
  unsigned		address[4];	/* Authorization address */
1546
  cupsd_location_t	*best;		/* Best match for location so far */
1547
  size_t		hostlen;	/* Length of hostname */
1548
  char			*name,		/* Current username */
1549
			username[256],	/* Username to authorize */
1550
			ownername[256],	/* Owner name to authorize */
1551
			*ptr;		/* Pointer into username */
1552
  struct passwd		*pw;		/* User password data */
1553
  static const char * const levels[] =	/* Auth levels */
1554
		{
1555
		  "ANON",
1556
		  "USER",
1557
		  "GROUP"
1558
		};
1559
  static const char * const types[] =	/* Auth types */
1560
		{
1561
		  "None",
1562
		  "Basic",
1563
		  "Negotiate"
1564
		};
1565

1566

1567
  cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdIsAuthorized: con->uri=\"%s\", con->best=%p(%s)", con->uri, con->best, con->best ? con->best->location ? con->best->location : "(null)" : "");
1568
  if (owner)
1569
    cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdIsAuthorized: owner=\"%s\"", owner);
1570

1571
 /*
1572
  * If there is no "best" authentication rule for this request, then
1573
  * access is allowed from the local system and denied from other
1574
  * addresses...
1575
  */
1576

1577
  if (!con->best)
1578
  {
1579
    if (httpAddrLocalhost(httpGetAddress(con->http)) ||
1580
        !strcmp(hostname, ServerName) ||
1581
	cupsArrayFind(ServerAlias, (void *)hostname))
1582
      return (HTTP_OK);
1583
    else
1584
      return (HTTP_FORBIDDEN);
1585
  }
1586

1587
  best = con->best;
1588

1589
  if ((type = best->type) == CUPSD_AUTH_DEFAULT)
1590
    type = cupsdDefaultAuthType();
1591

1592
  cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdIsAuthorized: level=CUPSD_AUTH_%s, type=%s, satisfy=CUPSD_AUTH_SATISFY_%s, num_names=%d", levels[best->level], types[type], best->satisfy ? "ANY" : "ALL", cupsArrayCount(best->names));
1593

1594
  if (best->limit == CUPSD_AUTH_LIMIT_IPP)
1595
    cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdIsAuthorized: op=%x(%s)", best->op, ippOpString(best->op));
1596

1597
 /*
1598
  * Check host/ip-based accesses...
1599
  */
1600

1601
#ifdef AF_INET6
1602
  if (httpAddrFamily(hostaddr) == AF_INET6)
1603
  {
1604
   /*
1605
    * Copy IPv6 address...
1606
    */
1607

1608
    address[0] = ntohl(hostaddr->ipv6.sin6_addr.s6_addr32[0]);
1609
    address[1] = ntohl(hostaddr->ipv6.sin6_addr.s6_addr32[1]);
1610
    address[2] = ntohl(hostaddr->ipv6.sin6_addr.s6_addr32[2]);
1611
    address[3] = ntohl(hostaddr->ipv6.sin6_addr.s6_addr32[3]);
1612
  }
1613
  else
1614
#endif /* AF_INET6 */
1615
  if (con->http->hostaddr->addr.sa_family == AF_INET)
1616
  {
1617
   /*
1618
    * Copy IPv4 address...
1619
    */
1620

1621
    address[0] = 0;
1622
    address[1] = 0;
1623
    address[2] = 0;
1624
    address[3] = ntohl(hostaddr->ipv4.sin_addr.s_addr);
1625
  }
1626
  else
1627
    memset(address, 0, sizeof(address));
1628

1629
  hostlen = strlen(hostname);
1630

1631
  auth = cupsdCheckAccess(address, hostname, hostlen, best)
1632
             ? CUPSD_AUTH_ALLOW : CUPSD_AUTH_DENY;
1633

1634
  cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdIsAuthorized: auth=CUPSD_AUTH_%s...", auth ? "DENY" : "ALLOW");
1635

1636
  if (auth == CUPSD_AUTH_DENY && best->satisfy == CUPSD_AUTH_SATISFY_ALL)
1637
    return (HTTP_FORBIDDEN);
1638

1639
#ifdef HAVE_TLS
1640
 /*
1641
  * See if encryption is required...
1642
  */
1643

1644
  if ((best->encryption >= HTTP_ENCRYPT_REQUIRED && !con->http->tls &&
1645
      _cups_strcasecmp(hostname, "localhost") &&
1646
      !httpAddrLocalhost(hostaddr) &&
1647
      best->satisfy == CUPSD_AUTH_SATISFY_ALL) &&
1648
      !(type == CUPSD_AUTH_NEGOTIATE ||
1649
        (type == CUPSD_AUTH_NONE &&
1650
         cupsdDefaultAuthType() == CUPSD_AUTH_NEGOTIATE)))
1651
  {
1652
    cupsdLogMessage(CUPSD_LOG_DEBUG,
1653
                    "cupsdIsAuthorized: Need upgrade to TLS...");
1654
    return (HTTP_UPGRADE_REQUIRED);
1655
  }
1656
#endif /* HAVE_TLS */
1657

1658
 /*
1659
  * Now see what access level is required...
1660
  */
1661

1662
  if (best->level == CUPSD_AUTH_ANON ||	/* Anonymous access - allow it */
1663
      (type == CUPSD_AUTH_NONE && cupsArrayCount(best->names) == 0))
1664
    return (HTTP_OK);
1665

1666
  if (!con->username[0] && type == CUPSD_AUTH_NONE &&
1667
      best->limit == CUPSD_AUTH_LIMIT_IPP)
1668
  {
1669
   /*
1670
    * Check for unauthenticated username...
1671
    */
1672

1673
    ipp_attribute_t	*attr;		/* requesting-user-name attribute */
1674

1675

1676
    attr = ippFindAttribute(con->request, "requesting-user-name", IPP_TAG_NAME);
1677
    if (attr)
1678
    {
1679
      cupsdLogMessage(CUPSD_LOG_DEBUG,
1680
                      "cupsdIsAuthorized: requesting-user-name=\"%s\"",
1681
                      attr->values[0].string.text);
1682
      strlcpy(username, attr->values[0].string.text, sizeof(username));
1683
    }
1684
    else if (best->satisfy == CUPSD_AUTH_SATISFY_ALL || auth == CUPSD_AUTH_DENY)
1685
      return (HTTP_UNAUTHORIZED);	/* Non-anonymous needs user/pass */
1686
    else
1687
      return (HTTP_OK);			/* unless overridden with Satisfy */
1688
  }
1689
  else
1690
  {
1691
    cupsdLogMessage(CUPSD_LOG_DEBUG, "cupsdIsAuthorized: username=\"%s\"",
1692
	            con->username);
1693

1694
#ifdef HAVE_AUTHORIZATION_H
1695
    if (!con->username[0] && !con->authref)
1696
#else
1697
    if (!con->username[0])
1698
#endif /* HAVE_AUTHORIZATION_H */
1699
    {
1700
      if (best->satisfy == CUPSD_AUTH_SATISFY_ALL || auth == CUPSD_AUTH_DENY)
1701
	return (HTTP_UNAUTHORIZED);	/* Non-anonymous needs user/pass */
1702
      else
1703
	return (HTTP_OK);		/* unless overridden with Satisfy */
1704
    }
1705

1706

1707
    if (con->type != type && type != CUPSD_AUTH_NONE &&
1708
#ifdef HAVE_GSSAPI
1709
        (type != CUPSD_AUTH_NEGOTIATE || con->gss_uid <= 0) &&
1710
#endif /* HAVE_GSSAPI */
1711
        con->type != CUPSD_AUTH_BASIC)
1712
    {
1713
      cupsdLogMessage(CUPSD_LOG_ERROR, "Authorized using %s, expected %s.",
1714
                      types[con->type], types[type]);
1715

1716
      return (HTTP_UNAUTHORIZED);
1717
    }
1718

1719
    strlcpy(username, con->username, sizeof(username));
1720
  }
1721

1722
 /*
1723
  * OK, got a username.  See if we need normal user access, or group
1724
  * access...
1725
  */
1726

1727
 /*
1728
  * Strip any @domain or @KDC from the username and owner...
1729
  */
1730

1731
  if ((ptr = strchr(username, '@')) != NULL)
1732
    *ptr = '\0';
1733

1734
  if (owner)
1735
  {
1736
    strlcpy(ownername, owner, sizeof(ownername));
1737

1738
    if ((ptr = strchr(ownername, '@')) != NULL)
1739
      *ptr = '\0';
1740
  }
1741
  else
1742
    ownername[0] = '\0';
1743

1744
 /*
1745
  * Get the user info...
1746
  */
1747

1748
  if (username[0])
1749
  {
1750
    pw = getpwnam(username);
1751
    endpwent();
1752
  }
1753
  else
1754
    pw = NULL;
1755

1756
 /*
1757
  * For matching user and group memberships below we will first go
1758
  * through all names except @SYSTEM to authorize the task as
1759
  * non-administrative, like printing or deleting one's own job, if this
1760
  * fails we will check whether we can authorize via the special name
1761
  * @SYSTEM, as an administrative task, like creating a print queue or
1762
  * deleting someone else's job.
1763
  * Note that tasks are considered as administrative by the policies
1764
  * in cupsd.conf, when they require the user or group @SYSTEM.
1765
  * We do this separation because if the client is a Snap connecting via
1766
  * domain socket, we need to additionally check whether it plugs to us
1767
  * through the "cups-control" interface which allows administration and
1768
  * not through the "cups" interface which allows only printing.
1769
  */
1770

1771
  if (best->level == CUPSD_AUTH_USER)
1772
  {
1773
   /*
1774
    * If there are no names associated with this location, then
1775
    * any valid user is OK...
1776
    */
1777

1778
    if (cupsArrayCount(best->names) == 0)
1779
      return (HTTP_OK);
1780

1781
   /*
1782
    * Otherwise check the user list and return OK if this user is
1783
    * allowed...
1784
    */
1785

1786
    cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdIsAuthorized: Checking user membership...");
1787

1788
#ifdef HAVE_AUTHORIZATION_H
1789
   /*
1790
    * If an authorization reference was supplied it must match a right name...
1791
    */
1792

1793
    if (con->authref)
1794
    {
1795
      for (name = (char *)cupsArrayFirst(best->names);
1796
           name;
1797
	   name = (char *)cupsArrayNext(best->names))
1798
      {
1799
	if (!_cups_strncasecmp(name, "@AUTHKEY(", 9) && check_authref(con, name + 9))
1800
	  return (HTTP_OK);
1801
      }
1802

1803
      for (name = (char *)cupsArrayFirst(best->names);
1804
           name;
1805
	   name = (char *)cupsArrayNext(best->names))
1806
      {
1807
	if (!_cups_strcasecmp(name, "@SYSTEM") && SystemGroupAuthKey &&
1808
	    check_authref(con, SystemGroupAuthKey))
1809
	  return (HTTP_OK);
1810
      }
1811

1812
      return (HTTP_FORBIDDEN);
1813
    }
1814
#endif /* HAVE_AUTHORIZATION_H */
1815

1816
    for (name = (char *)cupsArrayFirst(best->names);
1817
	 name;
1818
	 name = (char *)cupsArrayNext(best->names))
1819
    {
1820
      if (!_cups_strcasecmp(name, "@OWNER") && owner &&
1821
          !_cups_strcasecmp(username, ownername))
1822
	return (HTTP_OK);
1823
      else if (!_cups_strcasecmp(name, "@SYSTEM"))
1824
      {
1825
	/* Do @SYSTEM later, when every other entry fails */
1826
	continue;
1827
      }
1828
      else if (name[0] == '@')
1829
      {
1830
        if (cupsdCheckGroup(username, pw, name + 1))
1831
          return (HTTP_OK);
1832
      }
1833
      else if (!_cups_strcasecmp(username, name))
1834
        return (HTTP_OK);
1835
    }
1836

1837
    for (name = (char *)cupsArrayFirst(best->names);
1838
	 name;
1839
	 name = (char *)cupsArrayNext(best->names))
1840
    {
1841
      if (!_cups_strcasecmp(name, "@SYSTEM"))
1842
      {
1843
        for (i = 0; i < NumSystemGroups; i ++)
1844
	  if (cupsdCheckGroup(username, pw, SystemGroups[i]) && check_admin_access(con))
1845
	    return (HTTP_OK);
1846
      }
1847
    }
1848

1849
    return (con->username[0] ? HTTP_FORBIDDEN : HTTP_UNAUTHORIZED);
1850
  }
1851

1852
 /*
1853
  * Check to see if this user is in any of the named groups...
1854
  */
1855

1856
  cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdIsAuthorized: Checking group membership...");
1857

1858
 /*
1859
  * Check to see if this user is in any of the named groups...
1860
  */
1861

1862
  for (name = (char *)cupsArrayFirst(best->names);
1863
       name;
1864
       name = (char *)cupsArrayNext(best->names))
1865
  {
1866
    if (!_cups_strcasecmp(name, "@SYSTEM"))
1867
    {
1868
      /* Do @SYSTEM later, when every other entry fails */
1869
      continue;
1870
    }
1871

1872
    cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdIsAuthorized: Checking group \"%s\" membership...", name);
1873

1874
    if (cupsdCheckGroup(username, pw, name))
1875
      return (HTTP_OK);
1876
  }
1877

1878
  for (name = (char *)cupsArrayFirst(best->names);
1879
       name;
1880
       name = (char *)cupsArrayNext(best->names))
1881
  {
1882
    if (!_cups_strcasecmp(name, "@SYSTEM"))
1883
    {
1884
      cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdIsAuthorized: Checking group \"%s\" membership...", name);
1885

1886
      for (i = 0; i < NumSystemGroups; i ++)
1887
	if (cupsdCheckGroup(username, pw, SystemGroups[i]) && check_admin_access(con))
1888
	  return (HTTP_OK);
1889
    }
1890
  }
1891

1892
 /*
1893
  * The user isn't part of the specified group, so deny access...
1894
  */
1895

1896
  cupsdLogMessage(CUPSD_LOG_DEBUG, "cupsdIsAuthorized: User not in group(s).");
1897

1898
  return (con->username[0] ? HTTP_FORBIDDEN : HTTP_UNAUTHORIZED);
1899
}
1900

1901

1902
/*
1903
 * 'cupsdNewLocation()' - Create a new location for authorization.
1904
 *
1905
 * Note: Still need to call cupsdAddLocation() to add it to the list of global
1906
 * locations.
1907
 */
1908

1909
cupsd_location_t *			/* O - Pointer to new location record */
1910
cupsdNewLocation(const char *location)	/* I - Location path */
1911
{
1912
  cupsd_location_t	*temp;		/* New location */
1913

1914

1915
 /*
1916
  * Try to allocate memory for the new location.
1917
  */
1918

1919
  if ((temp = calloc(1, sizeof(cupsd_location_t))) == NULL)
1920
    return (NULL);
1921

1922
 /*
1923
  * Initialize the record and copy the name over...
1924
  */
1925

1926
  if ((temp->location = _cupsStrAlloc(location)) == NULL)
1927
  {
1928
    free(temp);
1929
    return (NULL);
1930
  }
1931

1932
  temp->length = strlen(temp->location);
1933

1934
 /*
1935
  * Return the new record...
1936
  */
1937

1938
  return (temp);
1939
}
1940

1941

1942
/*
1943
 * 'check_admin_access()' - Verify that the client has administrative access.
1944
 */
1945

1946
static int				// O - 1 if authorized, 0 otherwise
1947
check_admin_access(cupsd_client_t *con) // I - Client connection
1948
{
1949
#if defined(HAVE_LIBAPPARMOR) && defined(HAVE_LIBSNAPDGLIB)
1950
 /*
1951
  * If the client accesses locally via domain socket, find out whether it
1952
  * is a Snap.  Grant access if it is not a Snap, if it is a classic Snap
1953
  * or if it is a confined Snap which plugs "cups-control".  Otherwise deny
1954
  * access.
1955
  */
1956

1957
  int		fd = httpGetFd(con->http);
1958
					// Client socket file descriptor
1959
  char		*context = NULL;	// AppArmor profile name of client
1960
  SnapdClient	*client = NULL;		// Data structure of snapd access
1961
  GError	*error = NULL;		// Glib error
1962
  int		ret = 1;		// Return value
1963
#  if !CUPS_SNAP
1964
  SnapdSnap	*snap = NULL;		// Data structure of client Snap
1965
#  endif // !CUPS_SNAP
1966

1967

1968
#  ifdef AF_LOCAL
1969
  // Only check domain sockets...
1970
  if (httpAddrFamily(con->http->hostaddr) != AF_LOCAL)
1971
    return (1);
1972
#  endif // AF_LOCAL
1973

1974
#  if !CUPS_SNAP
1975
  // If AppArmor is not enabled, then we can't identify the client...
1976
  if (!aa_is_enabled())
1977
  {
1978
    cupsdLogClient(con, CUPSD_LOG_DEBUG, "AppArmor not in use.");
1979
    return (1);
1980
  }
1981
#  endif /* !CUPS_SNAP */
1982

1983
  // Get the client's AppArmor context using the socket...
1984
  if (aa_getpeercon(fd, &context, NULL) < 0)
1985
  {
1986
    cupsdLogClient(con, CUPSD_LOG_DEBUG, "AppArmor profile could not be retrieved: %s", strerror(errno));
1987
    return (1);
1988
  }
1989
  else
1990
  {
1991
    cupsdLogClient(con, CUPSD_LOG_DEBUG, "AppArmor profile is '%s'.", context);
1992
  }
1993

1994
  // Allow access from "cups" snap...
1995
  if (!strncmp(context, "snap.cups.", 10))
1996
  {
1997
    cupsdLogClient(con, CUPSD_LOG_DEBUG, "Client from the CUPS Snap itself - allowed.");
1998
    goto done;
1999
  }
2000

2001
#  if CUPS_SNAP && defined(HAVE_SNAPD_CLIENT_RUN_SNAPCTL2_SYNC)
2002
 /*
2003
  * CUPS is snapped, so check whether the client is also snapped.  If so,
2004
  * determine whether the client snap has a "cups-control" plug which allows
2005
  * the application to perform CUPS administrative tasks.
2006
  */
2007

2008
  const char	*cookie;		// snapd access cookie
2009
  int		status = 65535;		// Status of client Snap context check
2010
  const char	*args[] =		// snapctl arguments
2011
  {
2012
    "is-connected",
2013
    "--apparmor-label",
2014
    NULL,
2015
    "cups-control",
2016
    NULL
2017
  };
2018

2019
  // Connect to snapd
2020
  if ((client = snapd_client_new()) == NULL)
2021
  {
2022
    cupsdLogClient(con, CUPSD_LOG_ERROR, "Unable to connect to snapd.");
2023
    ret = 0;
2024
    goto done;
2025
  }
2026

2027
  // snapctl commands are sent over a domain socket
2028
  snapd_client_set_socket_path(client, "/run/snapd-snap.socket");
2029

2030
  // Take cookie from the environment if available
2031
  if ((cookie = g_getenv("SNAP_COOKIE")) == NULL)
2032
  {
2033
    cookie = "";
2034
    cupsdLogClient(con, CUPSD_LOG_WARN, "No SNAP_COOKIE set in the Snap environment.");
2035
  }
2036

2037
  // Do the client Snap context check...
2038
  args[2] = context;
2039

2040
  if (!snapd_client_run_snapctl2_sync(client, cookie, (char **)args, NULL, NULL, &status, NULL, &error))
2041
  {
2042
    cupsdLogClient(con, CUPSD_LOG_ERROR, "Unable to check snap context: %s", error->message);
2043
    ret = 0;
2044
    goto done;
2045
  }
2046

2047
  switch (status)
2048
  {
2049
    case 0 : // The client is a confined Snap and plugs cups-control
2050
	cupsdLogClient(con, CUPSD_LOG_DEBUG, "Snap with cups-control plug - allowed.");
2051
	break;
2052
    case 1 : // The client is a confined Snap and does not plug cups-control
2053
	cupsdLogClient(con, CUPSD_LOG_DEBUG, "Snap without cups-control plug - denied.");
2054
	ret = 0;
2055
	break;
2056
    case 10 : // The client is a classic Snap
2057
	cupsdLogClient(con, CUPSD_LOG_DEBUG, "Classic snap - allowed.");
2058
	break;
2059
    case 11 : // The client is not a Snap
2060
	cupsdLogClient(con, CUPSD_LOG_DEBUG, "Not a snap - allowed.");
2061
	break;
2062
    default : // Unexpected status...
2063
	cupsdLogClient(con, CUPSD_LOG_ERROR, "Snap check returned unexpected status %d - denied.", status);
2064
	ret = 0;
2065
	break;
2066
  }
2067

2068
#  elif !CUPS_SNAP
2069
 /*
2070
  * If CUPS is not snapped, check whether the client is snapped and if it has
2071
  * the "cups-control" plug.
2072
  */
2073

2074
  // Is the client a snapped application?
2075
  if (strncmp(context, "snap.", 5))
2076
  {
2077
    cupsdLogClient(con, CUPSD_LOG_DEBUG, "Not a snap - allowed.");
2078
    goto done;
2079
  }
2080

2081
  // Extract the snap name from the context (snap.name.instance)
2082
  char *snap_name = strdup(context + 5);// Snap name follows "snap."
2083
  char *ptr = strchr(snap_name, '.');	// instance follows the name...
2084
  if (!ptr)
2085
  {
2086
    cupsdLogClient(con, CUPSD_LOG_DEBUG, "Malformed snapd AppArmor profile name '%s' - denied.", context);
2087
    free(snap_name);
2088
    ret = 0;
2089
    goto done;
2090
  }
2091

2092
  *ptr = '\0';
2093
  cupsdLogClient(con, CUPSD_LOG_DEBUG, "Client snap is '%s'.", snap_name);
2094

2095
  // Connect to snapd
2096
  if ((client = snapd_client_new()) == NULL)
2097
  {
2098
    cupsdLogClient(con, CUPSD_LOG_ERROR, "Unable to connect to snapd.");
2099
    free(snap_name);
2100
    ret = 0;
2101
    goto done;
2102
  }
2103

2104
  // Check whether the client Snap is under classic confinement
2105
  GPtrArray *plugs = NULL;		// List of plugs for snap
2106

2107
  if ((snap = snapd_client_get_snap_sync(client, snap_name, NULL, &error)) == NULL)
2108
  {
2109
    cupsdLogClient(con, CUPSD_LOG_DEBUG, "Unable to get client Snap data: %s", error->message);
2110
    ret = 0;
2111
  }
2112
  // Snaps using classic confinement are granted access
2113
  else if (snapd_snap_get_confinement(snap) == SNAPD_CONFINEMENT_CLASSIC)
2114
  {
2115
    cupsdLogClient(con, CUPSD_LOG_DEBUG, "Classic snap - allowed.");
2116
  }
2117
  // Check whether the client Snap has the cups-control plug
2118
  else if (!snapd_client_get_connections2_sync(client, SNAPD_GET_CONNECTIONS_FLAGS_NONE, snap_name, "cups-control", NULL, NULL, &plugs, NULL, NULL, &error))
2119
  {
2120
    cupsdLogClient(con, CUPSD_LOG_DEBUG, "Unable to get client Snap plugs: %s", error->message);
2121
    ret = 0;
2122
  }
2123
  else if (!plugs || plugs->len <= 0)
2124
  {
2125
    cupsdLogClient(con, CUPSD_LOG_DEBUG, "Snap without cups-control plug - denied.");
2126
    ret = 0;
2127
  }
2128
  else
2129
  {
2130
    cupsdLogClient(con, CUPSD_LOG_DEBUG, "Snap with cups-control plug - allowed.");
2131
  }
2132

2133
  if (plugs)
2134
    g_ptr_array_unref(plugs);
2135

2136
  free(snap_name);
2137
  g_clear_object(&snap);
2138

2139
#  endif // CUPS_SNAP
2140

2141
  done:
2142

2143
  free(context);
2144
  g_clear_object(&client);
2145

2146
  return (ret);
2147

2148
#else
2149
  // No AppArmor/snapd to deal with...
2150
  return (1);
2151
#endif // HAVE_LIBAPPARMOR && HAVE_LIBSNAPDGLIB
2152
}
2153

2154

2155
#ifdef HAVE_AUTHORIZATION_H
2156
/*
2157
 * 'check_authref()' - Check if an authorization services reference has the
2158
 *		       supplied right.
2159
 */
2160

2161
static int				/* O - 1 if right is valid, 0 otherwise */
2162
check_authref(cupsd_client_t *con,	/* I - Connection */
2163
	      const char     *right)	/* I - Right name */
2164
{
2165
  OSStatus		status;		/* OS Status */
2166
  AuthorizationItem	authright;	/* Authorization right */
2167
  AuthorizationRights	authrights;	/* Authorization rights */
2168
  AuthorizationFlags	authflags;	/* Authorization flags */
2169

2170

2171
 /*
2172
  * Check to see if the user is allowed to perform the task...
2173
  */
2174

2175
  if (!con->authref)
2176
    return (0);
2177

2178
  authright.name        = right;
2179
  authright.valueLength = 0;
2180
  authright.value       = NULL;
2181
  authright.flags       = 0;
2182

2183
  authrights.count = 1;
2184
  authrights.items = &authright;
2185

2186
  authflags = kAuthorizationFlagDefaults |
2187
	      kAuthorizationFlagExtendRights;
2188

2189
  if ((status = AuthorizationCopyRights(con->authref, &authrights,
2190
					kAuthorizationEmptyEnvironment,
2191
					authflags, NULL)) != 0)
2192
  {
2193
    cupsdLogMessage(CUPSD_LOG_ERROR, "AuthorizationCopyRights(\"%s\") returned %d", authright.name, (int)status);
2194
    return (0);
2195
  }
2196

2197
  cupsdLogMessage(CUPSD_LOG_DEBUG2, "AuthorizationCopyRights(\"%s\") succeeded.", authright.name);
2198

2199
  return (1);
2200
}
2201
#endif /* HAVE_AUTHORIZATION_H */
2202

2203

2204
/*
2205
 * 'compare_locations()' - Compare two locations.
2206
 */
2207

2208
static int				/* O - Result of comparison */
2209
compare_locations(cupsd_location_t *a,	/* I - First location */
2210
                  cupsd_location_t *b)	/* I - Second location */
2211
{
2212
  return (strcmp(b->location, a->location));
2213
}
2214

2215

2216
/*
2217
 * 'copy_authmask()' - Copy function for auth masks.
2218
 */
2219

2220
static cupsd_authmask_t	*		/* O - New auth mask */
2221
copy_authmask(cupsd_authmask_t *mask,	/* I - Existing auth mask */
2222
              void             *data)	/* I - User data (unused) */
2223
{
2224
  cupsd_authmask_t	*temp;		/* New auth mask */
2225

2226

2227
  (void)data;
2228

2229
  if ((temp = malloc(sizeof(cupsd_authmask_t))) != NULL)
2230
  {
2231
    memcpy(temp, mask, sizeof(cupsd_authmask_t));
2232

2233
    if (temp->type == CUPSD_AUTH_NAME || temp->type == CUPSD_AUTH_INTERFACE)
2234
    {
2235
     /*
2236
      * Make a copy of the name...
2237
      */
2238

2239
      if ((temp->mask.name.name = _cupsStrAlloc(temp->mask.name.name)) == NULL)
2240
      {
2241
       /*
2242
        * Failed to make copy...
2243
	*/
2244

2245
        free(temp);
2246
	temp = NULL;
2247
      }
2248
    }
2249
  }
2250

2251
  return (temp);
2252
}
2253

2254

2255
/*
2256
 * 'free_authmask()' - Free function for auth masks.
2257
 */
2258

2259
static void
2260
free_authmask(cupsd_authmask_t *mask,	/* I - Auth mask to free */
2261
              void             *data)	/* I - User data (unused) */
2262
{
2263
  (void)data;
2264

2265
  if (mask->type == CUPSD_AUTH_NAME || mask->type == CUPSD_AUTH_INTERFACE)
2266
    _cupsStrFree(mask->mask.name.name);
2267

2268
  free(mask);
2269
}
2270

2271

2272
#if HAVE_LIBPAM
2273
/*
2274
 * 'pam_func()' - PAM conversation function.
2275
 */
2276

2277
static int				/* O - Success or failure */
2278
pam_func(
2279
    int                      num_msg,	/* I - Number of messages */
2280
    const struct pam_message **msg,	/* I - Messages */
2281
    struct pam_response      **resp,	/* O - Responses */
2282
    void                     *appdata_ptr)
2283
					/* I - Pointer to connection */
2284
{
2285
  int			i;		/* Looping var */
2286
  struct pam_response	*replies;	/* Replies */
2287
  cupsd_authdata_t	*data;		/* Pointer to auth data */
2288

2289

2290
 /*
2291
  * Allocate memory for the responses...
2292
  */
2293

2294
  if ((replies = malloc(sizeof(struct pam_response) * (size_t)num_msg)) == NULL)
2295
    return (PAM_CONV_ERR);
2296

2297
 /*
2298
  * Answer all of the messages...
2299
  */
2300

2301
  data = (cupsd_authdata_t *)appdata_ptr;
2302

2303
  for (i = 0; i < num_msg; i ++)
2304
  {
2305
    switch (msg[i]->msg_style)
2306
    {
2307
      case PAM_PROMPT_ECHO_ON:
2308
          replies[i].resp_retcode = PAM_SUCCESS;
2309
          replies[i].resp         = strdup(data->username);
2310
          break;
2311

2312
      case PAM_PROMPT_ECHO_OFF:
2313
          replies[i].resp_retcode = PAM_SUCCESS;
2314
          replies[i].resp         = strdup(data->password);
2315
          break;
2316

2317
      case PAM_TEXT_INFO:
2318
          replies[i].resp_retcode = PAM_SUCCESS;
2319
          replies[i].resp         = NULL;
2320
          break;
2321

2322
      case PAM_ERROR_MSG:
2323
          replies[i].resp_retcode = PAM_SUCCESS;
2324
          replies[i].resp         = NULL;
2325
          break;
2326

2327
      default:
2328
          free(replies);
2329
          return (PAM_CONV_ERR);
2330
    }
2331
  }
2332

2333
 /*
2334
  * Return the responses back to PAM...
2335
  */
2336

2337
  *resp = replies;
2338

2339
  return (PAM_SUCCESS);
2340
}
2341
#endif /* HAVE_LIBPAM */
2342

2343