[svn-commits] oej: branch oej/deluxepine-1.4 r236800 - in /team/oej/deluxepine-1.4: configs...

SVN commits to the Digium repositories svn-commits at lists.digium.com
Tue Dec 29 15:38:45 CST 2009 

Author: oej
Date: Tue Dec 29 15:38:43 2009
New Revision: 236800

URL: http://svnview.digium.com/svn/asterisk?view=rev&rev=236800
Log:
Introducing Named ACLs, nacls. Now you can create them. Let's find creative uses for them ;-)

...but not tonight.

This has been discussed at Astridevcon a number of times as a tool for many improvements
in relation to various security architectures. Thanks to skerker for inspiring me by asking
a few interesting questions related to this.

Added:
    team/oej/deluxepine-1.4/configs/nacl.conf.sample   (with props)
    team/oej/deluxepine-1.4/include/asterisk/nacl.h   (with props)
    team/oej/deluxepine-1.4/main/nacl.c   (with props)
Modified:
    team/oej/deluxepine-1.4/main/Makefile
    team/oej/deluxepine-1.4/main/acl.c
    team/oej/deluxepine-1.4/main/asterisk.c
    team/oej/deluxepine-1.4/main/loader.c

Added: team/oej/deluxepine-1.4/configs/nacl.conf.sample
URL: http://svnview.digium.com/svn/asterisk/team/oej/deluxepine-1.4/configs/nacl.conf.sample?view=auto&rev=236800
==============================================================================
--- team/oej/deluxepine-1.4/configs/nacl.conf.sample (added)
+++ team/oej/deluxepine-1.4/configs/nacl.conf.sample Tue Dec 29 15:38:43 2009
@@ -1,0 +1,13 @@
+; Configuration for named ACLs
+;
+; Named ACLs are usable in many parts of Asterisk, like the AMI, the SIP channel and in the HTTP server.
+; There are named ACls created by various modules. List the configured named ACLs with the CLI
+; command "nacl show". The ones configured here has "config" as owner.
+
+; NACL names prefixed with ast_ are reserved by the system for internal use.
+
+; Example
+[mylocalnetwork]
+deny=all
+permit=192.168.0.0/24	; CIDR notation
+permit=192.168.1.125/255.255.255.255	; Subnetmask

Propchange: team/oej/deluxepine-1.4/configs/nacl.conf.sample
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: team/oej/deluxepine-1.4/configs/nacl.conf.sample
------------------------------------------------------------------------------
    svn:keywords = Author Date Id Revision

Propchange: team/oej/deluxepine-1.4/configs/nacl.conf.sample
------------------------------------------------------------------------------
    svn:mime-type = text/plain

Added: team/oej/deluxepine-1.4/include/asterisk/nacl.h
URL: http://svnview.digium.com/svn/asterisk/team/oej/deluxepine-1.4/include/asterisk/nacl.h?view=auto&rev=236800
==============================================================================
--- team/oej/deluxepine-1.4/include/asterisk/nacl.h (added)
+++ team/oej/deluxepine-1.4/include/asterisk/nacl.h Tue Dec 29 15:38:43 2009
@@ -1,0 +1,68 @@
+/*
+ * Asterisk -- An open source telephony toolkit.
+ *
+ * Copyright (C) 2009-2010, Edvina AB
+ *
+ * Olle E. Johansson <oej at edvina.net>
+ *
+ * See http://www.asterisk.org for more information about
+ * the Asterisk project. Please do not directly contact
+ * any of the maintainers of this project for assistance;
+ * the project provides a web site, mailing lists and IRC
+ * channels for your use.
+ *
+ * This program is free software, distributed under the terms of
+ * the GNU General Public License Version 2. See the LICENSE file
+ * at the top of the source tree.
+ */
+#ifndef ASTERISK_NACL_H
+#define ASTERISK_NACL_H
+
+
+/*! \file
+ *
+ * \brief Named Access Control Lists (nacl)
+ *
+ * \author Olle E. Johansson <oej at edvina.net>
+ */
+
+/*! \brief Structure for named ACL */
+struct named_acl; 
+
+/*! \brief Add named ACL to list (done from configuration file or module) */
+struct named_acl *ast_nacl_add(const char *name, const char *owner);
+
+/*! \brief Find a named ACL 
+	if deleted is true, we will find deleted items too
+	if owner is NULL, we'll find all otherwise owner is used for selection too
+*/
+struct named_acl *ast_nacl_find_all(const char *name, const int deleted, const char *owner);
+
+/*! \brief Find a named ACL (that is not marked with the delete flag) 
+ */
+struct named_acl *ast_nacl_find(const char *name);
+
+/*! \brief Clear all named ACLs that is not used
+	Mark the others as deletion ready.
+	If owner is NULL, clear ALL, otherwise only nacls with the same owner
+*/
+void ast_nacl_clear_all_unused(const char *owner);
+
+/*! \brief Attach to a named ACL. You need to detach later 
+	This is to avoid Named ACLs to disappear from runtime. Even if they are deleted from the
+	configuration, they will still be around
+ */
+struct named_acl *ast_nacl_attach(const char *name);
+
+/*! \brief Detach from a named ACL. 
+	If it's marked for deletion and refcount is zero, then it's deleted
+ */
+void ast_nacl_detach(struct named_acl *nacl);
+
+/*! \brief Initialize NACL subsystem */
+int ast_nacl_load(void);
+
+/*! \brief re-nitialize NACL subsystem */
+int ast_nacl_reload(void);
+
+#endif /* ASTERISK_NACL_H */

Propchange: team/oej/deluxepine-1.4/include/asterisk/nacl.h
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: team/oej/deluxepine-1.4/include/asterisk/nacl.h
------------------------------------------------------------------------------
    svn:keywords = Author Date Id Revision

Propchange: team/oej/deluxepine-1.4/include/asterisk/nacl.h
------------------------------------------------------------------------------
    svn:mime-type = text/plain

Modified: team/oej/deluxepine-1.4/main/Makefile
URL: http://svnview.digium.com/svn/asterisk/team/oej/deluxepine-1.4/main/Makefile?view=diff&rev=236800&r1=236799&r2=236800
==============================================================================
--- team/oej/deluxepine-1.4/main/Makefile (original)
+++ team/oej/deluxepine-1.4/main/Makefile Tue Dec 29 15:38:43 2009
@@ -27,7 +27,7 @@
 	netsock.o slinfactory.o ast_expr2.o ast_expr2f.o \
 	cryptostub.o sha1.o http.o fixedjitterbuf.o abstract_jb.o \
 	strcompat.o threadstorage.o dial.o astobj2.o global_datastores.o \
-	audiohook.o poll.o
+	audiohook.o poll.o nacl.o
 
 # we need to link in the objects statically, not as a library, because
 # otherwise modules will not have them available if none of the static

Modified: team/oej/deluxepine-1.4/main/acl.c
URL: http://svnview.digium.com/svn/asterisk/team/oej/deluxepine-1.4/main/acl.c?view=diff&rev=236800&r1=236799&r2=236800
==============================================================================
--- team/oej/deluxepine-1.4/main/acl.c (original)
+++ team/oej/deluxepine-1.4/main/acl.c Tue Dec 29 15:38:43 2009
@@ -579,4 +579,3 @@
 		return 0;
 	return get_local_address(ourip);
 }
-

Modified: team/oej/deluxepine-1.4/main/asterisk.c
URL: http://svnview.digium.com/svn/asterisk/team/oej/deluxepine-1.4/main/asterisk.c?view=diff&rev=236800&r1=236799&r2=236800
==============================================================================
--- team/oej/deluxepine-1.4/main/asterisk.c (original)
+++ team/oej/deluxepine-1.4/main/asterisk.c Tue Dec 29 15:38:43 2009
@@ -124,6 +124,7 @@
 #include "asterisk/devicestate.h"
 #include "asterisk/module.h"
 #include "asterisk/poll-compat.h"
+#include "asterisk/nacl.h"
 
 #include "asterisk/doxyref.h"		/* Doxygen documentation */
 
@@ -3097,6 +3098,8 @@
 
 	ast_autoservice_init();
 
+	ast_nacl_load();	/* Initiate named ACLs before loading any modules */
+
 	if (load_modules(1)) {
 		printf("%s", term_quit());
 		exit(1);

Modified: team/oej/deluxepine-1.4/main/loader.c
URL: http://svnview.digium.com/svn/asterisk/team/oej/deluxepine-1.4/main/loader.c?view=diff&rev=236800&r1=236799&r2=236800
==============================================================================
--- team/oej/deluxepine-1.4/main/loader.c (original)
+++ team/oej/deluxepine-1.4/main/loader.c Tue Dec 29 15:38:43 2009
@@ -51,6 +51,7 @@
 #include "asterisk/rtp.h"
 #include "asterisk/http.h"
 #include "asterisk/lock.h"
+#include "asterisk/nacl.h"
 
 #include <dlfcn.h>
 
@@ -255,6 +256,7 @@
 	{ "extconfig",	read_config_maps },
 	{ "enum",	ast_enum_reload },
 	{ "manager",	reload_manager },
+	{ "nacl",	ast_nacl_reload },
 	{ "rtp",	ast_rtp_reload },
 	{ "http",	ast_http_reload },
 	{ "logger",	logger_reload },

Added: team/oej/deluxepine-1.4/main/nacl.c
URL: http://svnview.digium.com/svn/asterisk/team/oej/deluxepine-1.4/main/nacl.c?view=auto&rev=236800
==============================================================================
--- team/oej/deluxepine-1.4/main/nacl.c (added)
+++ team/oej/deluxepine-1.4/main/nacl.c Tue Dec 29 15:38:43 2009
@@ -1,0 +1,321 @@
+/*
+ * Asterisk -- An open source telephony toolkit.
+ *
+ * Copyright (C) 2009-2010, Edvina AB
+ *
+ * Olle E. Johansson <oej at edvina.net>
+ *
+ * See http://www.asterisk.org for more information about
+ * the Asterisk project. Please do not directly contact
+ * any of the maintainers of this project for assistance;
+ * the project provides a web site, mailing lists and IRC
+ * channels for your use.
+ *
+ * This program is free software, distributed under the terms of
+ * the GNU General Public License Version 2. See the LICENSE file
+ * at the top of the source tree.
+ */
+
+/*! \file
+ *
+ * \brief Named Access Control Lists (nacl)
+ *
+ * \author Olle E. Johansson <oej at edvina.net>
+ */
+
+#include "asterisk.h"
+
+ASTERISK_FILE_VERSION(__FILE__, "$Revision$")
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <unistd.h>
+
+#include "asterisk/acl.h"
+#include "asterisk/config.h"
+#include "asterisk/logger.h"
+#include "asterisk/cli.h"
+#include "asterisk/options.h"
+#include "asterisk/utils.h"
+#include "asterisk/lock.h"
+#include "asterisk/srv.h"
+#include "asterisk/nacl.h"
+
+#ifndef TRUE
+#define TRUE 1
+#endif
+
+#ifndef FALSE
+#define FALSE 0
+#endif
+
+#define NACL_LOAD	1
+#define NACL_RELOAD	2
+
+/*! \brief Structure for named ACL */
+struct named_acl {
+	char name[MAXHOSTNAMELEN];		/*!< Name of this ACL */
+	struct ast_ha *acl;			/*!< The actual ACL */
+	int refcount;				/*!< Number of users of this ACL */
+	int delete;				/*!< Delete this ACL when refcount is zero */
+	int rules;				/*!< Number of ACL rules */
+	char owner[20];				/*!< Owner (module) */
+	AST_LIST_ENTRY(named_acl) list;		/*!< List mechanics */
+};
+
+static AST_LIST_HEAD_STATIC(nacl_list, named_acl);	/*!< The named acl list */
+
+/*! \brief Add named ACL to list (done from configuration file or module) 
+	Internal ACLs, created by Asterisk modules, should use a name that
+	begins with "ast_". These are prevented from configuration in nacl.conf
+ */
+struct named_acl *ast_nacl_add(const char *name, const char *owner)
+{
+	struct named_acl *nacl;
+	
+	if (ast_strlen_zero(name)) {
+		ast_log(LOG_WARNING, "Zero length name.\n");
+		return NULL;
+	}
+
+	if (!(nacl = ast_calloc(1, sizeof(*nacl)))) {
+		return NULL;
+	}
+
+	ast_copy_string(nacl->name, name, sizeof(nacl->name));
+	ast_copy_string(nacl->owner, owner, sizeof(nacl->owner));
+
+	AST_LIST_LOCK(&nacl_list);
+	AST_LIST_INSERT_TAIL(&nacl_list, nacl, list);
+	AST_LIST_UNLOCK(&nacl_list);
+
+ 	if (option_debug > 2) {
+		ast_log(LOG_DEBUG, "Added named ACL '%s'\n", name);
+	}
+
+	return nacl;
+}
+
+/*! \brief Find a named ACL 
+	if deleted is true, we will find deleted items too
+	if owner is NULL, we'll find all otherwise owner is used for selection too
+*/
+struct named_acl *ast_nacl_find_all(const char *name, const int deleted, const char *owner)
+{
+	struct named_acl *nacl = NULL;
+
+	AST_LIST_LOCK(&nacl_list);
+	AST_LIST_TRAVERSE(&nacl_list, nacl, list) {
+		if (!strcasecmp(nacl->name, name) && (owner == NULL || !strcasecmp(nacl->owner,owner))) {
+			if (nacl->delete) {
+				if (deleted) {
+					continue;
+				}
+			} else {
+				continue;
+			}
+		}
+	}
+	AST_LIST_UNLOCK(&nacl_list);
+
+	return nacl;
+}
+
+/*! \brief Find a named ACL 
+*/
+struct named_acl *ast_nacl_find(const char *name)
+{
+	return ast_nacl_find_all(name, 0, NULL);
+}
+
+/*! \brief Clear all named ACLs that is not used
+	Mark the others as deletion ready.
+*/
+void ast_nacl_clear_all_unused(const char *owner)
+{
+	struct named_acl *nacl = NULL;
+
+	AST_LIST_LOCK(&nacl_list);
+	AST_LIST_TRAVERSE_SAFE_BEGIN(&nacl_list, nacl, list) {
+		if (owner == NULL || !strcasecmp(nacl->owner, owner)) {
+			if(nacl->refcount == 0) {
+				AST_LIST_REMOVE_CURRENT(&nacl_list, list);
+			} else {
+				nacl->delete = 1;
+			}
+		}
+	}
+	AST_LIST_TRAVERSE_SAFE_END;
+
+	AST_LIST_UNLOCK(&nacl_list);
+}
+
+
+/*! \brief Clear the ACL list - all the time
+*/
+static void nacl_clear_all_force(void)
+{
+	struct named_acl *nacl = NULL;
+
+	AST_LIST_LOCK(&nacl_list);
+
+	while ((nacl = AST_LIST_REMOVE_HEAD(&nacl_list, list))) {
+		free(nacl);
+	}
+
+	AST_LIST_UNLOCK(&nacl_list);
+}
+
+
+/*! \brief Attach to a named ACL. You need to detach later 
+	This is to avoid Named ACLs to disappear from runtime. Even if they are deleted from the
+	configuration, they will still be around
+	\note Deleted NACLs won't be found any more with this function, to avoid adding to the use
+		of these ACLs
+ */
+struct named_acl *ast_nacl_attach(const char *name)
+{
+	struct named_acl *nacl = ast_nacl_find(name);
+	if (!nacl) {
+		return NULL;
+	}
+	nacl->refcount++;
+	return nacl;
+}
+
+/*! \brief Detach from a named ACL. 
+	If it's marked for deletion and refcount is zero, then it's deleted
+ */
+void ast_nacl_detach(struct named_acl *nacl)
+{
+	if (!nacl) {
+		return; /* What's up, doc? */
+	}
+	nacl->refcount--;
+	if (nacl->refcount == 0 && nacl->delete) {
+		AST_LIST_REMOVE(&nacl_list, nacl, list);
+		free(nacl);
+	}
+}
+
+static char show_nacls_usage[] = 
+"Usage: nacl show\n"
+"       Lists all configured named ACLs.\n"
+"       Named ACLs can be used in many configuration files as well as internally\n"
+"       by Asterisk.\n";
+
+/*! \brief Print ha list to CLI */
+static void ha_list(int fd, struct ast_ha *ha, const int rules)
+{
+	char iabuf[INET_ADDRSTRLEN];
+	char iabuf2[INET_ADDRSTRLEN];
+	int rulesfound = 0;
+
+	while (ha) {
+		rulesfound++;
+		ast_copy_string(iabuf2, ast_inet_ntoa(ha->netaddr), sizeof(iabuf2));
+		ast_copy_string(iabuf, ast_inet_ntoa(ha->netmask), sizeof(iabuf));
+		ast_cli(fd,"     %s: %s mask %s\n", (ha->sense == AST_SENSE_ALLOW) ? "permit" : "deny  ", iabuf2, iabuf);
+		ha = ha->next;
+	}
+	/* Rules is only used for configuration based nacls */
+	if (rules != 0 && rulesfound != rules) {
+		ast_cli(fd, "     NOTE: Number of rules doesn't match configuration. Please check.\n");
+	}
+}
+
+/*! \brief CLI command to list named ACLs */
+static int cli_show_nacls(int fd, int argc, char *argv[])
+{
+	struct named_acl *nacl;
+#define FORMAT "%-40.40s %-20.20s %5d %5d %-3.3s\n"
+#define FORMAT2 "%-40.40s %-20.20s %-5.5s %-5.5s %-3.3s\n"
+
+	if (AST_LIST_EMPTY(&nacl_list)) {
+		ast_cli(fd, "No named ACLs configured.\n\n");
+		return RESULT_SUCCESS;
+	} else {
+		ast_cli(fd, FORMAT2, "ACL name:", "Set by", "#rules", "Usage", "Delete");
+		AST_LIST_LOCK(&nacl_list);
+		AST_LIST_TRAVERSE(&nacl_list, nacl, list) {
+			ast_cli(fd, FORMAT, nacl->name, 
+				S_OR(nacl->owner, "-"),
+				nacl->rules,
+				nacl->refcount,
+				nacl->delete ? "Yes" : "No");
+			ha_list(fd, nacl->acl, nacl->rules);
+		}
+		AST_LIST_UNLOCK(&nacl_list);
+		ast_cli(fd, "\n");
+		return RESULT_SUCCESS;
+	}
+}
+#undef FORMAT
+#undef FORMAT2
+
+static struct ast_cli_entry cli_nacl = { 
+	{ "nacl", "show", NULL },
+	cli_show_nacls, "List configured named ACLs.",
+	show_nacls_usage };
+
+/* Initialize named ACLs 
+	This function is used both at load and reload time.
+ */
+static int nacl_init(int reload_reason)
+{
+	struct ast_config *cfg;
+	struct ast_variable *v;
+	char *cat = NULL;
+	struct named_acl *nacl = NULL;
+
+	/* Clear all existing NACLs - or mark them for deletion */
+	ast_nacl_clear_all_unused("config");
+
+	cfg = ast_config_load("nacl.conf");
+	if (cfg) {
+		while ((cat = ast_category_browse(cfg, cat))) {
+			if (!strncasecmp(cat, "ast_", 4)) {
+				ast_log(LOG_ERROR, "NACL names prefixed with ast_ are reserved for internal use. NACL not actived:  %s\n", cat);
+				continue;
+			}
+		
+			nacl = ast_nacl_find_all(cat, 1, "config");	/* Find deleted items */
+			if (nacl) {
+				nacl->delete = 0;	/* Reset delete flag */
+				ast_free_ha(nacl->acl);	/* Delete existing ACL (locking needed indeed) */
+			} else {
+				nacl = ast_nacl_add(cat, "config");
+			}
+			v = ast_variable_browse(cfg, cat);
+			while(v) {
+				if (!strcasecmp(v->name, "permit") || !strcasecmp(v->name, "deny")) {
+					nacl->acl = ast_append_ha(v->name, v->value, nacl->acl);
+					nacl->rules++;
+				} else {
+					ast_log(LOG_WARNING, "Unknown configuration option: %s\n", v->name);
+				}
+				v = v->next;
+			}
+		}
+		ast_config_destroy(cfg);
+	} 
+
+	if (reload_reason == NACL_LOAD) {
+		ast_cli_register(&cli_nacl);
+	}
+	return 0;
+}
+
+/*! \brief Initialize NACL subsystem */
+int ast_nacl_load(void)
+{
+	return nacl_init(NACL_LOAD);
+}
+
+/*! \brief re-nitialize NACL subsystem */
+int ast_nacl_reload(void)
+{
+	return nacl_init(NACL_RELOAD);
+}

Propchange: team/oej/deluxepine-1.4/main/nacl.c
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: team/oej/deluxepine-1.4/main/nacl.c
------------------------------------------------------------------------------
    svn:keywords = Author Date Id Revision

Propchange: team/oej/deluxepine-1.4/main/nacl.c
------------------------------------------------------------------------------
    svn:mime-type = text/plain

More information about the svn-commits mailing list