/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */

/*
 * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 */
/* Copyright (c) 1983, 1984, 1985, 1986, 1987, 1988, 1989 AT&T */
/* All Rights Reserved */
/*
 * Portions of this source code were derived from Berkeley
 * 4.3 BSD under license from the Regents of the University of
 * California.
 */

/*
 * auth_sys.c, Implements UNIX (system) style authentication parameters.
 *
 * The system is very weak.  The client uses no encryption for its
 * credentials and only sends null verifiers.  The server sends backs
 * null verifiers or optionally a verifier that suggests a new short hand
 * for the credentials.
 *
 */
#include "mt.h"
#include "rpc_mt.h"
#include <alloca.h>
#include <stdio.h>
#include <syslog.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <rpc/types.h>
#include <rpc/xdr.h>
#include <rpc/auth.h>
#include <rpc/auth_sys.h>
#include <synch.h>

extern int gethostname(char *, int);
extern bool_t xdr_opaque_auth(XDR *, struct opaque_auth *);

static struct auth_ops *authsys_ops(void);

/*
 * This struct is pointed to by the ah_private field of an auth_handle.
 */
struct audata {
        struct opaque_auth      au_origcred;    /* original credentials */
        struct opaque_auth      au_shcred;      /* short hand cred */
        uint_t                  au_shfaults;    /* short hand cache faults */
        char                    au_marshed[MAX_AUTH_BYTES];
        uint_t                  au_mpos;        /* xdr pos at end of marshed */
};
#define AUTH_PRIVATE(auth)      ((struct audata *)auth->ah_private)

static void marshal_new_auth();

static const char auth_sys_str[] = "%s : %s";
static const char authsys_create_str[] = "authsys_create";
static const char __no_mem_auth[] = "out of memory";

/*
 * Create a (sys) unix style authenticator.
 * Returns an auth handle with the given stuff in it.
 */
AUTH *
authsys_create(const char *machname, const uid_t uid, const gid_t gid,
        const int len, const gid_t *aup_gids)
{
        struct authsys_parms aup;
        char mymem[MAX_AUTH_BYTES];
        struct timeval now;
        XDR xdrs;
        AUTH *auth;
        struct audata *au;

        /*
         * Allocate and set up auth handle
         */
        auth = malloc(sizeof (*auth));
        if (auth == NULL) {
                (void) syslog(LOG_ERR, auth_sys_str, authsys_create_str,
                    __no_mem_auth);
                return (NULL);
        }
        au = malloc(sizeof (*au));
        if (au == NULL) {
                (void) syslog(LOG_ERR, auth_sys_str, authsys_create_str,
                    __no_mem_auth);
                free(auth);
                return (NULL);
        }
        auth->ah_ops = authsys_ops();
        auth->ah_private = (caddr_t)au;
        auth->ah_verf = au->au_shcred = _null_auth;
        au->au_shfaults = 0;

        /*
         * fill in param struct from the given params
         */
        (void) gettimeofday(&now,  (struct timezone *)0);
        aup.aup_time = now.tv_sec;
        aup.aup_machname = (char *)machname;
        aup.aup_uid = uid;
        aup.aup_gid = gid;
        aup.aup_len = (uint_t)len;
        aup.aup_gids = (gid_t *)aup_gids;

        /*
         * Serialize the parameters into origcred
         */
        xdrmem_create(&xdrs, mymem, MAX_AUTH_BYTES, XDR_ENCODE);
        if (!xdr_authsys_parms(&xdrs, &aup)) {
                (void) syslog(LOG_ERR, auth_sys_str, authsys_create_str,
                    ":  xdr_authsys_parms failed");
                return (NULL);
        }
        au->au_origcred.oa_length = XDR_GETPOS(&xdrs);
        au->au_origcred.oa_flavor = AUTH_SYS;
        if ((au->au_origcred.oa_base = malloc(au->au_origcred.oa_length)) ==
            NULL) {
                (void) syslog(LOG_ERR, auth_sys_str, authsys_create_str,
                    __no_mem_auth);
                free(au);
                free(auth);
                return (NULL);
        }
        (void) memcpy(au->au_origcred.oa_base, mymem,
            (size_t)au->au_origcred.oa_length);

        /*
         * set auth handle to reflect new cred.
         */
        auth->ah_cred = au->au_origcred;
        (void) marshal_new_auth(auth);
        return (auth);
}

/*
 * authsys_create_default is a public interface.
 *
 * Returns an auth handle with parameters determined by doing lots of
 * syscalls.
 */

static const char authsys_def_str[] =
        "authsys_create_default:  get%s failed:  %m";

AUTH *
authsys_create_default(void)
{
        int len;
        char machname[MAX_MACHINE_NAME + 1];
        uid_t uid;
        gid_t gid;
        int maxgrp = getgroups(0, NULL);
        gid_t *gids = alloca(maxgrp * sizeof (gid_t));

        if (gethostname(machname, MAX_MACHINE_NAME) == -1) {
                (void) syslog(LOG_ERR, authsys_def_str, "hostname");
                return (NULL);
        }
        machname[MAX_MACHINE_NAME] = 0;
        uid = geteuid();
        gid = getegid();
        if ((len = getgroups(maxgrp, gids)) < 0) {
                (void) syslog(LOG_ERR, authsys_def_str, "groups");
                return (NULL);
        }
        if (len > NGRPS)
                len = NGRPS;
        return (authsys_create(machname, uid, gid, len, gids));
}

/*
 * authsys_create_ruid() is a private routine and is a
 * variant of authsys_create_default().
 *
 * authsys_create_default() is using the effective uid.
 * authsys_create_ruid() is using the real uid.
 *
 * This routine is used by key_call_ext() in key_call.c
 */
AUTH *
authsys_create_ruid(void)
{
        int len;
        char machname[MAX_MACHINE_NAME + 1];
        uid_t uid;
        gid_t gid;
        int maxgrp = getgroups(0, NULL);
        gid_t *gids = alloca(maxgrp * sizeof (gid_t));
        AUTH *res;

        if (gethostname(machname, MAX_MACHINE_NAME) == -1) {
                (void) syslog(LOG_ERR,
                    "authsys_create_ruid:gethostname failed");
                return (NULL);
        }
        machname[MAX_MACHINE_NAME] = 0;
        uid = getuid();
        gid = getgid();
        if ((len = getgroups(maxgrp, gids)) < 0) {
                (void) syslog(LOG_ERR,
                    "authsys_create_ruid:getgroups failed");
                return (NULL);
        }
        if (len > NGRPS)
                len = NGRPS;
        res = authsys_create(machname, uid, gid, len, gids);
        return (res);
}

/*
 * authsys operations
 */

/*ARGSUSED*/
static void
authsys_nextverf(AUTH *auth)
{
        /* no action necessary */
}

static bool_t
authsys_marshal(AUTH *auth, XDR *xdrs)
{
/* LINTED pointer alignment */
        struct audata *au = AUTH_PRIVATE(auth);

        return (XDR_PUTBYTES(xdrs, au->au_marshed, au->au_mpos));
}

static bool_t
authsys_validate(AUTH *auth, struct opaque_auth *verf)
{
        struct audata *au;
        XDR xdrs;

        if (verf->oa_flavor == AUTH_SHORT) {
/* LINTED pointer alignment */
                au = AUTH_PRIVATE(auth);
                xdrmem_create(&xdrs, verf->oa_base,
                    verf->oa_length, XDR_DECODE);

                if (au->au_shcred.oa_base != NULL) {
                        free(au->au_shcred.oa_base);
                        au->au_shcred.oa_base = NULL;
                }
                if (xdr_opaque_auth(&xdrs, &au->au_shcred)) {
                        auth->ah_cred = au->au_shcred;
                } else {
                        xdrs.x_op = XDR_FREE;
                        (void) xdr_opaque_auth(&xdrs, &au->au_shcred);
                        au->au_shcred.oa_base = NULL;
                        auth->ah_cred = au->au_origcred;
                }
                (void) marshal_new_auth(auth);
        }
        return (TRUE);
}

/*ARGSUSED*/
static bool_t
authsys_refresh(AUTH *auth, void *dummy)
{
/* LINTED pointer alignment */
        struct audata *au = AUTH_PRIVATE(auth);
        struct authsys_parms aup;
        struct timeval now;
        XDR xdrs;
        int stat;

        if (auth->ah_cred.oa_base == au->au_origcred.oa_base)
                return (FALSE); /* there is no hope.  Punt */
        au->au_shfaults ++;

        /* first deserialize the creds back into a struct authsys_parms */
        aup.aup_machname = NULL;
        aup.aup_gids = NULL;
        xdrmem_create(&xdrs, au->au_origcred.oa_base,
            au->au_origcred.oa_length, XDR_DECODE);
        stat = xdr_authsys_parms(&xdrs, &aup);
        if (!stat)
                goto done;

        /* update the time and serialize in place */
        (void) gettimeofday(&now, (struct timezone *)0);
        aup.aup_time = now.tv_sec;
        xdrs.x_op = XDR_ENCODE;
        XDR_SETPOS(&xdrs, 0);
        stat = xdr_authsys_parms(&xdrs, &aup);
        if (!stat)
                goto done;
        auth->ah_cred = au->au_origcred;
        (void) marshal_new_auth(auth);
done:
        /* free the struct authsys_parms created by deserializing */
        xdrs.x_op = XDR_FREE;
        (void) xdr_authsys_parms(&xdrs, &aup);
        XDR_DESTROY(&xdrs);
        return (stat);
}

static void
authsys_destroy(AUTH *auth)
{
/* LINTED pointer alignment */
        struct audata *au = AUTH_PRIVATE(auth);

        free(au->au_origcred.oa_base);
        if (au->au_shcred.oa_base != NULL)
                free(au->au_shcred.oa_base);
        free(auth->ah_private);
        if (auth->ah_verf.oa_base != NULL)
                free(auth->ah_verf.oa_base);
        free(auth);
}

/*
 * Marshals (pre-serializes) an auth struct.
 * sets private data, au_marshed and au_mpos
 */

static const char marshal_new_auth_str[] =
                "marshal_new_auth - Fatal marshalling problem";
static void
marshal_new_auth(AUTH *auth)
{
        XDR     xdr_stream;
        XDR     *xdrs = &xdr_stream;
/* LINTED pointer alignment */
        struct audata *au = AUTH_PRIVATE(auth);

        xdrmem_create(xdrs, au->au_marshed, MAX_AUTH_BYTES, XDR_ENCODE);
        if ((!xdr_opaque_auth(xdrs, &(auth->ah_cred))) ||
            (!xdr_opaque_auth(xdrs, &(auth->ah_verf)))) {
                (void) syslog(LOG_ERR, marshal_new_auth_str);
        } else {
                au->au_mpos = XDR_GETPOS(xdrs);
        }
        XDR_DESTROY(xdrs);
}

static struct auth_ops *
authsys_ops(void)
{
        static struct auth_ops ops;
        extern mutex_t ops_lock;

        /* VARIABLES PROTECTED BY ops_lock: ops */

        (void) mutex_lock(&ops_lock);
        if (ops.ah_nextverf == NULL) {
                ops.ah_nextverf = authsys_nextverf;
                ops.ah_marshal = authsys_marshal;
                ops.ah_validate = authsys_validate;
                ops.ah_refresh = authsys_refresh;
                ops.ah_destroy = authsys_destroy;
        }
        (void) mutex_unlock(&ops_lock);
        return (&ops);
}