diff options
Diffstat (limited to 'plugins/python/python_plugin_approval.c')
-rw-r--r-- | plugins/python/python_plugin_approval.c | 196 |
1 files changed, 196 insertions, 0 deletions
diff --git a/plugins/python/python_plugin_approval.c b/plugins/python/python_plugin_approval.c new file mode 100644 index 0000000..b9c746e --- /dev/null +++ b/plugins/python/python_plugin_approval.c @@ -0,0 +1,196 @@ +/* + * SPDX-License-Identifier: ISC + * + * Copyright (c) 2020 Robert Manner <robert.manner@oneidentity.com> + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +/* + * This is an open source non-commercial project. Dear PVS-Studio, please check it. + * PVS-Studio Static Code Analyzer for C, C++ and C#: http://www.viva64.com + */ + +#include "python_plugin_common.h" + +struct ApprovalPluginContext +{ + struct PluginContext base_ctx; + struct approval_plugin *plugin; +}; + +#define BASE_CTX(approval_ctx) (&(approval_ctx->base_ctx)) + +#define PY_APPROVAL_PLUGIN_VERSION SUDO_API_MKVERSION(1, 0) + +#define CALLBACK_PLUGINFUNC(func_name) approval_ctx->plugin->func_name + +// This also verifies compile time that the name matches the sudo plugin API. +#define CALLBACK_PYNAME(func_name) ((void)CALLBACK_PLUGINFUNC(func_name), #func_name) + +sudo_dso_public struct approval_plugin *python_approval_clone(void); + +static int +python_plugin_approval_open(struct ApprovalPluginContext *approval_ctx, + unsigned int version, sudo_conv_t conversation, sudo_printf_t sudo_printf, + char * const settings[], char * const user_info[], int submit_optind, + char * const submit_argv[], char * const submit_envp[], + char * const plugin_options[], const char **errstr) +{ + debug_decl(python_plugin_approval_open, PYTHON_DEBUG_CALLBACKS); + (void) version; + + int rc = python_plugin_register_logging(conversation, sudo_printf, settings); + if (rc != SUDO_RC_OK) { + debug_return_int(rc); + } + + struct PluginContext *plugin_ctx = BASE_CTX(approval_ctx); + + rc = python_plugin_init(plugin_ctx, plugin_options, version); + if (rc != SUDO_RC_OK) { + debug_return_int(rc); + } + + PyObject *py_kwargs = NULL, *py_submit_optind = NULL, + *py_submit_argv = NULL; + + if ((py_kwargs = python_plugin_construct_args(version, settings, user_info, + submit_envp, plugin_options)) == NULL || + (py_submit_optind = PyLong_FromLong(submit_optind)) == NULL || + (py_submit_argv = py_str_array_to_tuple(submit_argv)) == NULL) + { + py_log_last_error("Failed to construct plugin instance"); + rc = SUDO_RC_ERROR; + } else { + PyDict_SetItemString(py_kwargs, "submit_optind", py_submit_optind); + PyDict_SetItemString(py_kwargs, "submit_argv", py_submit_argv); + + rc = python_plugin_construct_custom(plugin_ctx, py_kwargs); + CALLBACK_SET_ERROR(plugin_ctx, errstr); + } + + Py_CLEAR(py_kwargs); + Py_CLEAR(py_submit_argv); + Py_CLEAR(py_submit_optind); + + if (rc != SUDO_RC_OK) { + debug_return_int(rc); + } + + debug_return_int(rc); +} + +static void +python_plugin_approval_close(struct ApprovalPluginContext *approval_ctx) +{ + debug_decl(python_plugin_approval_close, PYTHON_DEBUG_CALLBACKS); + + struct PluginContext *plugin_ctx = BASE_CTX(approval_ctx); + PyThreadState_Swap(plugin_ctx->py_interpreter); + python_plugin_deinit(plugin_ctx); + + debug_return; +} + +static int +python_plugin_approval_check(struct ApprovalPluginContext *approval_ctx, + char * const command_info[], char * const run_argv[], + char * const run_envp[], const char **errstr) +{ + debug_decl(python_plugin_approval_check, PYTHON_DEBUG_CALLBACKS); + + struct PluginContext *plugin_ctx = BASE_CTX(approval_ctx); + + PyObject *py_command_info = NULL, *py_run_argv = NULL, *py_run_envp = NULL, + *py_args = NULL; + + int rc = SUDO_RC_ERROR; + if ((py_command_info = py_str_array_to_tuple(command_info)) != NULL && + (py_run_argv = py_str_array_to_tuple(run_argv)) != NULL && + (py_run_envp = py_str_array_to_tuple(run_envp)) != NULL) + { + py_args = Py_BuildValue("(OOO)", py_command_info, py_run_argv, py_run_envp); + } + + // Note, py_args gets cleared by api_rc_call + rc = python_plugin_api_rc_call(plugin_ctx, CALLBACK_PYNAME(check), py_args); + CALLBACK_SET_ERROR(plugin_ctx, errstr); + + Py_CLEAR(py_command_info); + Py_CLEAR(py_run_argv); + Py_CLEAR(py_run_envp); + + debug_return_int(rc); +} + +static int +python_plugin_approval_show_version(struct ApprovalPluginContext *approval_ctx, int verbose) +{ + debug_decl(python_plugin_approval_show_version, PYTHON_DEBUG_CALLBACKS); + + struct PluginContext *plugin_ctx = BASE_CTX(approval_ctx); + PyThreadState_Swap(plugin_ctx->py_interpreter); + + debug_return_int(python_plugin_show_version(plugin_ctx, + CALLBACK_PYNAME(show_version), verbose, PY_APPROVAL_PLUGIN_VERSION, "approval")); +} + +sudo_dso_public struct approval_plugin python_approval; + +// generate symbols for loading multiple approval plugins: +#define APPROVAL_SYMBOL_NAME(symbol) symbol +#include "python_plugin_approval_multi.inc" +#define APPROVAL_SYMBOL_NAME(symbol) symbol##1 +#include "python_plugin_approval_multi.inc" +#define APPROVAL_SYMBOL_NAME(symbol) symbol##2 +#include "python_plugin_approval_multi.inc" +#define APPROVAL_SYMBOL_NAME(symbol) symbol##3 +#include "python_plugin_approval_multi.inc" +#define APPROVAL_SYMBOL_NAME(symbol) symbol##4 +#include "python_plugin_approval_multi.inc" +#define APPROVAL_SYMBOL_NAME(symbol) symbol##5 +#include "python_plugin_approval_multi.inc" +#define APPROVAL_SYMBOL_NAME(symbol) symbol##6 +#include "python_plugin_approval_multi.inc" +#define APPROVAL_SYMBOL_NAME(symbol) symbol##7 +#include "python_plugin_approval_multi.inc" + +static struct approval_plugin *extra_approval_plugins[] = { + &python_approval1, + &python_approval2, + &python_approval3, + &python_approval4, + &python_approval5, + &python_approval6, + &python_approval7 +}; + +struct approval_plugin * +python_approval_clone(void) +{ + static size_t counter = 0; + struct approval_plugin *next_plugin = NULL; + + size_t max = sizeof(extra_approval_plugins) / sizeof(*extra_approval_plugins); + if (counter < max) { + next_plugin = extra_approval_plugins[counter]; + ++counter; + } else if (counter == max) { + ++counter; + py_sudo_log(SUDO_CONV_ERROR_MSG, + "sudo: loading more than %d sudo python approval plugins is not supported\n", counter); + } + + return next_plugin; +} |