summaryrefslogtreecommitdiffstats
path: root/plugins/sudoers/cvtsudoers_json.c
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-15 13:14:46 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-15 13:14:46 +0000
commit025c439e829e0db9ac511cd9c1b8d5fd53475ead (patch)
treefa6986b4690f991613ffb97cea1f6942427baf5d /plugins/sudoers/cvtsudoers_json.c
parentInitial commit. (diff)
downloadsudo-025c439e829e0db9ac511cd9c1b8d5fd53475ead.tar.xz
sudo-025c439e829e0db9ac511cd9c1b8d5fd53475ead.zip
Adding upstream version 1.9.15p5.upstream/1.9.15p5upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'plugins/sudoers/cvtsudoers_json.c')
-rw-r--r--plugins/sudoers/cvtsudoers_json.c937
1 files changed, 937 insertions, 0 deletions
diff --git a/plugins/sudoers/cvtsudoers_json.c b/plugins/sudoers/cvtsudoers_json.c
new file mode 100644
index 0000000..3ff543d
--- /dev/null
+++ b/plugins/sudoers/cvtsudoers_json.c
@@ -0,0 +1,937 @@
+/*
+ * SPDX-License-Identifier: ISC
+ *
+ * Copyright (c) 2013-2023 Todd C. Miller <Todd.Miller@sudo.ws>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * This is an open source non-commercial project. Dear PVS-Studio, please check it.
+ * PVS-Studio Static Code Analyzer for C, C++ and C#: http://www.viva64.com
+ */
+
+#include <config.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <stdarg.h>
+#include <ctype.h>
+
+#include <sudoers.h>
+#include <sudo_json.h>
+#include <cvtsudoers.h>
+#include <gram.h>
+
+/*
+ * Closure used to store state when iterating over all aliases.
+ */
+struct json_alias_closure {
+ struct json_container *jsonc;
+ const char *title;
+ unsigned int count;
+ short alias_type;
+};
+
+/*
+ * Type values used to disambiguate the generic WORD and ALIAS types.
+ */
+enum word_type {
+ TYPE_COMMAND,
+ TYPE_HOSTNAME,
+ TYPE_RUNASGROUP,
+ TYPE_RUNASUSER,
+ TYPE_USERNAME
+};
+
+/*
+ * Print sudo command member in JSON format, with correct indentation.
+ */
+static void
+print_command_json(struct json_container *jsonc, const char *name, bool negated)
+{
+ struct sudo_command *c = (struct sudo_command *)name;
+ struct command_digest *digest;
+ struct json_value value;
+ char *cmnd = c->cmnd;
+ const char *digest_name;
+ debug_decl(print_command_json, SUDOERS_DEBUG_UTIL);
+
+ /* Print command with optional command line args. */
+ if (c->args != NULL) {
+ if (asprintf(&cmnd, "%s %s", c->cmnd, c->args) == -1) {
+ sudo_fatalx(U_("%s: %s"), __func__,
+ U_("unable to allocate memory"));
+ }
+ }
+ value.type = JSON_STRING;
+ value.u.string = cmnd ? cmnd : (char *)"ALL";
+
+ if (!negated && TAILQ_EMPTY(&c->digests)) {
+ /* Print as { "command": "command and args" } */
+ sudo_json_add_value_as_object(jsonc, "command", &value);
+ } else {
+ /* Print as multi-line object. */
+ sudo_json_open_object(jsonc, NULL);
+ sudo_json_add_value(jsonc, "command", &value);
+
+ /* Optional digest list. */
+ TAILQ_FOREACH(digest, &c->digests, entries) {
+ digest_name = digest_type_to_name(digest->digest_type);
+ value.type = JSON_STRING;
+ value.u.string = digest->digest_str;
+ sudo_json_add_value(jsonc, digest_name, &value);
+ }
+
+ /* Command may be negated. */
+ if (negated) {
+ value.type = JSON_BOOL;
+ value.u.boolean = true;
+ sudo_json_add_value(jsonc, "negated", &value);
+ }
+
+ sudo_json_close_object(jsonc);
+ }
+
+ if (cmnd != c->cmnd)
+ free(cmnd);
+
+ debug_return;
+}
+
+/*
+ * Map an alias type to enum word_type.
+ */
+static enum word_type
+alias_to_word_type(short alias_type)
+{
+ switch (alias_type) {
+ case CMNDALIAS:
+ return TYPE_COMMAND;
+ case HOSTALIAS:
+ return TYPE_HOSTNAME;
+ case RUNASALIAS:
+ return TYPE_RUNASUSER;
+ case USERALIAS:
+ return TYPE_USERNAME;
+ default:
+ sudo_fatalx_nodebug("unexpected alias type %d", alias_type);
+ }
+}
+
+/*
+ * Map a Defaults type to enum word_type.
+ */
+static enum word_type
+defaults_to_word_type(int defaults_type)
+{
+ switch (defaults_type) {
+ case DEFAULTS_CMND:
+ return TYPE_COMMAND;
+ case DEFAULTS_HOST:
+ return TYPE_HOSTNAME;
+ case DEFAULTS_RUNAS:
+ return TYPE_RUNASUSER;
+ case DEFAULTS_USER:
+ return TYPE_USERNAME;
+ default:
+ sudo_fatalx_nodebug("unexpected defaults type %d", defaults_type);
+ }
+}
+
+/*
+ * Print struct member in JSON format, with correct indentation.
+ */
+static void
+print_member_json_int(struct json_container *jsonc,
+ const struct sudoers_parse_tree *parse_tree, char *name, int type,
+ bool negated, enum word_type word_type, bool expand_aliases)
+{
+ struct json_value value;
+ const char *typestr = NULL;
+ const char *errstr;
+ short alias_type = UNSPEC;
+ id_t id;
+ debug_decl(print_member_json_int, SUDOERS_DEBUG_UTIL);
+
+ /* Most of the time we print a string. */
+ value.type = JSON_STRING;
+ switch (type) {
+ case ALL:
+ if (name == NULL) {
+ value.u.string = "ALL";
+ } else {
+ /* ALL used with digest, print as a command. */
+ type = COMMAND;
+ }
+ break;
+ case MYSELF:
+ value.u.string = "";
+ break;
+ default:
+ if (name == NULL)
+ sudo_fatalx("missing member name for type %d", type);
+ value.u.string = name;
+ }
+
+ switch (type) {
+ case USERGROUP:
+ value.u.string++; /* skip leading '%' */
+ if (*value.u.string == ':') {
+ value.u.string++;
+ typestr = "nonunixgroup";
+ if (*value.u.string == '#') {
+ id = sudo_strtoid(value.u.string + 1, &errstr);
+ if (errstr != NULL) {
+ sudo_warnx("internal error: non-Unix group-ID %s: \"%s\"",
+ errstr, value.u.string + 1);
+ } else {
+ value.type = JSON_ID;
+ value.u.id = id;
+ typestr = "nonunixgid";
+ }
+ }
+ } else {
+ typestr = "usergroup";
+ if (*value.u.string == '#') {
+ id = sudo_strtoid(value.u.string + 1, &errstr);
+ if (errstr != NULL) {
+ sudo_warnx("internal error: group-ID %s: \"%s\"",
+ errstr, value.u.string + 1);
+ } else {
+ value.type = JSON_ID;
+ value.u.id = id;
+ typestr = "usergid";
+ }
+ }
+ }
+ break;
+ case NETGROUP:
+ typestr = "netgroup";
+ value.u.string++; /* skip leading '+' */
+ break;
+ case NTWKADDR:
+ typestr = "networkaddr";
+ break;
+ case COMMAND:
+ print_command_json(jsonc, name, negated);
+ debug_return;
+ case ALL:
+ case MYSELF:
+ case WORD:
+ switch (word_type) {
+ case TYPE_COMMAND:
+ typestr = "command";
+ break;
+ case TYPE_HOSTNAME:
+ typestr = "hostname";
+ break;
+ case TYPE_RUNASGROUP:
+ typestr = "usergroup";
+ break;
+ case TYPE_RUNASUSER:
+ case TYPE_USERNAME:
+ typestr = "username";
+ if (*value.u.string == '#') {
+ id = sudo_strtoid(value.u.string + 1, &errstr);
+ if (errstr != NULL) {
+ sudo_warnx("internal error: user-ID %s: \"%s\"",
+ errstr, name);
+ } else {
+ value.type = JSON_ID;
+ value.u.id = id;
+ typestr = "userid";
+ }
+ }
+ break;
+ default:
+ sudo_fatalx("unexpected word type %d", word_type);
+ }
+ break;
+ case ALIAS:
+ switch (word_type) {
+ case TYPE_COMMAND:
+ if (expand_aliases) {
+ alias_type = CMNDALIAS;
+ } else {
+ typestr = "cmndalias";
+ }
+ break;
+ case TYPE_HOSTNAME:
+ if (expand_aliases) {
+ alias_type = HOSTALIAS;
+ } else {
+ typestr = "hostalias";
+ }
+ break;
+ case TYPE_RUNASGROUP:
+ case TYPE_RUNASUSER:
+ if (expand_aliases) {
+ alias_type = RUNASALIAS;
+ } else {
+ typestr = "runasalias";
+ }
+ break;
+ case TYPE_USERNAME:
+ if (expand_aliases) {
+ alias_type = USERALIAS;
+ } else {
+ typestr = "useralias";
+ }
+ break;
+ default:
+ sudo_fatalx("unexpected word type %d", word_type);
+ }
+ break;
+ default:
+ sudo_fatalx("unexpected member type %d", type);
+ }
+
+ if (expand_aliases && type == ALIAS) {
+ struct alias *a;
+ struct member *m;
+
+ /* Print each member of the alias. */
+ if ((a = alias_get(parse_tree, value.u.string, alias_type)) != NULL) {
+ TAILQ_FOREACH(m, &a->members, entries) {
+ print_member_json_int(jsonc, parse_tree, m->name, m->type,
+ negated ? !m->negated : m->negated,
+ alias_to_word_type(alias_type), true);
+ }
+ alias_put(a);
+ }
+ } else {
+ if (negated) {
+ sudo_json_open_object(jsonc, NULL);
+ sudo_json_add_value(jsonc, typestr, &value);
+ value.type = JSON_BOOL;
+ value.u.boolean = true;
+ sudo_json_add_value(jsonc, "negated", &value);
+ sudo_json_close_object(jsonc);
+ } else {
+ sudo_json_add_value_as_object(jsonc, typestr, &value);
+ }
+ }
+
+ debug_return;
+}
+
+static void
+print_member_json(struct json_container *jsonc,
+ const struct sudoers_parse_tree *parse_tree, struct member *m,
+ enum word_type word_type, bool expand_aliases)
+{
+ print_member_json_int(jsonc, parse_tree, m->name, m->type, m->negated,
+ word_type, expand_aliases);
+}
+
+/*
+ * Callback for alias_apply() to print an alias entry if it matches
+ * the type specified in the closure.
+ */
+static int
+print_alias_json(struct sudoers_parse_tree *parse_tree, struct alias *a,
+ void *v)
+{
+ struct json_alias_closure *closure = v;
+ struct member *m;
+ debug_decl(print_alias_json, SUDOERS_DEBUG_UTIL);
+
+ if (a->type != closure->alias_type)
+ debug_return_int(0);
+
+ /* Open the aliases object or close the last entry, then open new one. */
+ if (closure->count++ == 0) {
+ sudo_json_open_object(closure->jsonc, closure->title);
+ } else {
+ sudo_json_close_array(closure->jsonc);
+ }
+ sudo_json_open_array(closure->jsonc, a->name);
+
+ TAILQ_FOREACH(m, &a->members, entries) {
+ print_member_json(closure->jsonc, parse_tree, m,
+ alias_to_word_type(closure->alias_type), false);
+ }
+ debug_return_int(0);
+}
+
+/*
+ * Print the binding for a Defaults entry of the specified type.
+ */
+static void
+print_binding_json(struct json_container *jsonc,
+ const struct sudoers_parse_tree *parse_tree,
+ struct defaults_binding *binding, int type, bool expand_aliases)
+{
+ struct member *m;
+ debug_decl(print_binding_json, SUDOERS_DEBUG_UTIL);
+
+ if (TAILQ_EMPTY(&binding->members))
+ debug_return;
+
+ /* Print each member object in binding. */
+ sudo_json_open_array(jsonc, "Binding");
+ TAILQ_FOREACH(m, &binding->members, entries) {
+ print_member_json(jsonc, parse_tree, m, defaults_to_word_type(type),
+ expand_aliases);
+ }
+ sudo_json_close_array(jsonc);
+
+ debug_return;
+}
+
+/*
+ * Print a Defaults list JSON format.
+ */
+static void
+print_defaults_list_json(struct json_container *jsonc, struct defaults *def)
+{
+ char savech, *start, *end = def->val;
+ struct json_value value;
+ debug_decl(print_defaults_list_json, SUDOERS_DEBUG_UTIL);
+
+ sudo_json_open_object(jsonc, NULL);
+ value.type = JSON_STRING;
+ switch (def->op) {
+ case '+':
+ value.u.string = "list_add";
+ break;
+ case '-':
+ value.u.string = "list_remove";
+ break;
+ case true:
+ value.u.string = "list_assign";
+ break;
+ default:
+ sudo_warnx("internal error: unexpected list op %d", def->op);
+ value.u.string = "unsupported";
+ break;
+ }
+ sudo_json_add_value(jsonc, "operation", &value);
+ sudo_json_open_array(jsonc, def->var);
+ /* Split value into multiple space-separated words. */
+ do {
+ /* Remove leading blanks, must have a non-empty string. */
+ for (start = end; isblank((unsigned char)*start); start++)
+ continue;
+ if (*start == '\0')
+ break;
+
+ /* Find the end and print it. */
+ for (end = start; *end && !isblank((unsigned char)*end); end++)
+ continue;
+ savech = *end;
+ *end = '\0';
+ value.type = JSON_STRING;
+ value.u.string = start;
+ sudo_json_add_value(jsonc, NULL, &value);
+ *end = savech;
+ } while (*end++ != '\0');
+ sudo_json_close_array(jsonc);
+ sudo_json_close_object(jsonc);
+
+ debug_return;
+}
+
+static int
+get_defaults_type(struct defaults *def)
+{
+ struct sudo_defs_types *cur;
+
+ /* Look up def in table to find its type. */
+ for (cur = sudo_defs_table; cur->name; cur++) {
+ if (strcmp(def->var, cur->name) == 0)
+ return cur->type;
+ }
+ return -1;
+}
+
+/*
+ * Export all Defaults in JSON format.
+ */
+static void
+print_defaults_json(struct json_container *jsonc,
+ const struct sudoers_parse_tree *parse_tree, bool expand_aliases)
+{
+ struct json_value value;
+ struct defaults *def, *next;
+ int type;
+ debug_decl(print_defaults_json, SUDOERS_DEBUG_UTIL);
+
+ if (TAILQ_EMPTY(&parse_tree->defaults))
+ debug_return;
+
+ sudo_json_open_array(jsonc, "Defaults");
+
+ TAILQ_FOREACH_SAFE(def, &parse_tree->defaults, entries, next) {
+ type = get_defaults_type(def);
+ if (type == -1) {
+ log_warnx(U_("%s:%d:%d: unknown defaults entry \"%s\""),
+ def->file, def->line, def->column, def->var);
+ /* XXX - just pass it through as a string anyway? */
+ continue;
+ }
+
+ /* Found it, print object container and binding (if any). */
+ sudo_json_open_object(jsonc, NULL);
+ print_binding_json(jsonc, parse_tree, def->binding, def->type,
+ expand_aliases);
+
+ /* Validation checks. */
+ /* XXX - validate values in addition to names? */
+
+ /* Print options, merging ones with the same binding. */
+ sudo_json_open_array(jsonc, "Options");
+ for (;;) {
+ next = TAILQ_NEXT(def, entries);
+ /* XXX - need to update cur too */
+ if ((type & T_MASK) == T_FLAG || def->val == NULL) {
+ value.type = JSON_BOOL;
+ value.u.boolean = def->op;
+ sudo_json_add_value_as_object(jsonc, def->var, &value);
+ } else if ((type & T_MASK) == T_LIST) {
+ print_defaults_list_json(jsonc, def);
+ } else {
+ value.type = JSON_STRING;
+ value.u.string = def->val;
+ sudo_json_add_value_as_object(jsonc, def->var, &value);
+ }
+ if (next == NULL || def->binding != next->binding)
+ break;
+ def = next;
+ type = get_defaults_type(def);
+ if (type == -1) {
+ log_warnx(U_("%s:%d:%d: unknown defaults entry \"%s\""),
+ def->file, def->line, def->column, def->var);
+ /* XXX - just pass it through as a string anyway? */
+ break;
+ }
+ }
+ sudo_json_close_array(jsonc);
+ sudo_json_close_object(jsonc);
+ }
+
+ /* Close Defaults array; comma (if any) & newline will be printer later. */
+ sudo_json_close_array(jsonc);
+
+ debug_return;
+}
+
+/*
+ * Export all aliases of the specified type in JSON format.
+ * Iterates through the entire aliases tree.
+ */
+static void
+print_aliases_by_type_json(struct json_container *jsonc,
+ const struct sudoers_parse_tree *parse_tree, short alias_type,
+ const char *title)
+{
+ struct json_alias_closure closure;
+ debug_decl(print_aliases_by_type_json, SUDOERS_DEBUG_UTIL);
+
+ /* print_alias_json() does not modify parse_tree. */
+ closure.jsonc = jsonc;
+ closure.count = 0;
+ closure.alias_type = alias_type;
+ closure.title = title;
+ alias_apply((struct sudoers_parse_tree *)parse_tree, print_alias_json,
+ &closure);
+ if (closure.count != 0) {
+ sudo_json_close_array(jsonc);
+ sudo_json_close_object(jsonc);
+ }
+
+ debug_return;
+}
+
+/*
+ * Export all aliases in JSON format.
+ */
+static void
+print_aliases_json(struct json_container *jsonc,
+ const struct sudoers_parse_tree *parse_tree)
+{
+ debug_decl(print_aliases_json, SUDOERS_DEBUG_UTIL);
+
+ print_aliases_by_type_json(jsonc, parse_tree, USERALIAS, "User_Aliases");
+ print_aliases_by_type_json(jsonc, parse_tree, RUNASALIAS, "Runas_Aliases");
+ print_aliases_by_type_json(jsonc, parse_tree, HOSTALIAS, "Host_Aliases");
+ print_aliases_by_type_json(jsonc, parse_tree, CMNDALIAS, "Command_Aliases");
+
+ debug_return;
+}
+
+/* Does the next entry differ only in the command itself? */
+static bool
+cmndspec_continues(struct cmndspec *cs, struct cmndspec *next)
+{
+ bool ret = next != NULL &&
+ !RUNAS_CHANGED(cs, next) && !TAGS_CHANGED(cs->tags, next->tags)
+#ifdef HAVE_PRIV_SET
+ && cs->privs == next->privs && cs->limitprivs == next->limitprivs
+#endif /* HAVE_PRIV_SET */
+#ifdef HAVE_SELINUX
+ && cs->role == next->role && cs->type == next->type
+#endif /* HAVE_SELINUX */
+#ifdef HAVE_APPARMOR
+ && cs->apparmor_profile == next->apparmor_profile
+#endif /* HAVE_APPARMOR */
+ && cs->runchroot == next->runchroot && cs->runcwd == next->runcwd;
+ return ret;
+}
+
+/*
+ * Print a Cmnd_Spec in JSON format at the correct indent level.
+ * A pointer to the next Cmnd_Spec is passed in to make it possible to
+ * merge adjacent entries that are identical in all but the command.
+ */
+static void
+print_cmndspec_json(struct json_container *jsonc,
+ const struct sudoers_parse_tree *parse_tree, struct cmndspec *cs,
+ struct cmndspec **nextp, struct defaults_list *options, bool expand_aliases)
+{
+ char timebuf[sizeof("20120727121554Z")];
+ struct cmndspec *next = *nextp;
+ struct json_value value;
+ struct defaults *def;
+ struct member *m;
+ struct tm gmt;
+ size_t len;
+ debug_decl(print_cmndspec_json, SUDOERS_DEBUG_UTIL);
+
+ /* Open Cmnd_Spec object. */
+ sudo_json_open_object(jsonc, NULL);
+
+ /* Print runasuserlist */
+ if (cs->runasuserlist != NULL) {
+ sudo_json_open_array(jsonc, "runasusers");
+ TAILQ_FOREACH(m, cs->runasuserlist, entries) {
+ print_member_json(jsonc, parse_tree, m, TYPE_RUNASUSER,
+ expand_aliases);
+ }
+ sudo_json_close_array(jsonc);
+ }
+
+ /* Print runasgrouplist */
+ if (cs->runasgrouplist != NULL) {
+ sudo_json_open_array(jsonc, "runasgroups");
+ TAILQ_FOREACH(m, cs->runasgrouplist, entries) {
+ print_member_json(jsonc, parse_tree, m, TYPE_RUNASGROUP,
+ expand_aliases);
+ }
+ sudo_json_close_array(jsonc);
+ }
+
+ /* Print options and tags */
+ if (cs->timeout > 0 || cs->notbefore != UNSPEC || cs->notafter != UNSPEC ||
+ cs->runchroot != NULL || cs->runcwd != NULL || TAGS_SET(cs->tags) ||
+ !TAILQ_EMPTY(options)) {
+ struct cmndtag tag = cs->tags;
+
+ sudo_json_open_array(jsonc, "Options");
+ if (cs->runchroot != NULL) {
+ value.type = JSON_STRING;
+ value.u.string = cs->runchroot;
+ sudo_json_add_value(jsonc, "runchroot", &value);
+ }
+ if (cs->runcwd != NULL) {
+ value.type = JSON_STRING;
+ value.u.string = cs->runcwd;
+ sudo_json_add_value(jsonc, "runcwd", &value);
+ }
+ if (cs->timeout > 0) {
+ value.type = JSON_NUMBER;
+ value.u.number = cs->timeout;
+ sudo_json_add_value_as_object(jsonc, "command_timeout", &value);
+ }
+ if (cs->notbefore != UNSPEC) {
+ if (gmtime_r(&cs->notbefore, &gmt) == NULL) {
+ sudo_warn("%s", U_("unable to get GMT time"));
+ } else {
+ timebuf[sizeof(timebuf) - 1] = '\0';
+ len = strftime(timebuf, sizeof(timebuf), "%Y%m%d%H%M%SZ", &gmt);
+ if (len == 0 || timebuf[sizeof(timebuf) - 1] != '\0') {
+ sudo_warnx("%s", U_("unable to format timestamp"));
+ } else {
+ value.type = JSON_STRING;
+ value.u.string = timebuf;
+ sudo_json_add_value_as_object(jsonc, "notbefore", &value);
+ }
+ }
+ }
+ if (cs->notafter != UNSPEC) {
+ if (gmtime_r(&cs->notafter, &gmt) == NULL) {
+ sudo_warn("%s", U_("unable to get GMT time"));
+ } else {
+ timebuf[sizeof(timebuf) - 1] = '\0';
+ len = strftime(timebuf, sizeof(timebuf), "%Y%m%d%H%M%SZ", &gmt);
+ if (len == 0 || timebuf[sizeof(timebuf) - 1] != '\0') {
+ sudo_warnx("%s", U_("unable to format timestamp"));
+ } else {
+ value.type = JSON_STRING;
+ value.u.string = timebuf;
+ sudo_json_add_value_as_object(jsonc, "notafter", &value);
+ }
+ }
+ }
+ if (tag.nopasswd != UNSPEC) {
+ value.type = JSON_BOOL;
+ value.u.boolean = !tag.nopasswd;
+ sudo_json_add_value_as_object(jsonc, "authenticate", &value);
+ }
+ if (tag.noexec != UNSPEC) {
+ value.type = JSON_BOOL;
+ value.u.boolean = tag.noexec;
+ sudo_json_add_value_as_object(jsonc, "noexec", &value);
+ }
+ if (tag.intercept != UNSPEC) {
+ value.type = JSON_BOOL;
+ value.u.boolean = tag.intercept;
+ sudo_json_add_value_as_object(jsonc, "intercept", &value);
+ }
+ if (tag.send_mail != UNSPEC) {
+ value.type = JSON_BOOL;
+ value.u.boolean = tag.send_mail;
+ sudo_json_add_value_as_object(jsonc, "send_mail", &value);
+ }
+ if (tag.setenv != UNSPEC) {
+ value.type = JSON_BOOL;
+ value.u.boolean = tag.setenv;
+ sudo_json_add_value_as_object(jsonc, "setenv", &value);
+ }
+ if (tag.follow != UNSPEC) {
+ value.type = JSON_BOOL;
+ value.u.boolean = tag.follow;
+ sudo_json_add_value_as_object(jsonc, "sudoedit_follow", &value);
+ }
+ if (tag.log_input != UNSPEC) {
+ value.type = JSON_BOOL;
+ value.u.boolean = tag.log_input;
+ sudo_json_add_value_as_object(jsonc, "log_input", &value);
+ }
+ if (tag.log_output != UNSPEC) {
+ value.type = JSON_BOOL;
+ value.u.boolean = tag.log_output;
+ sudo_json_add_value_as_object(jsonc, "log_output", &value);
+ }
+ TAILQ_FOREACH(def, options, entries) {
+ int type = get_defaults_type(def);
+ if (type == -1) {
+ log_warnx(U_("%s:%d:%d: unknown defaults entry \"%s\""),
+ def->file, def->line, def->column, def->var);
+ /* XXX - just pass it through as a string anyway? */
+ continue;
+ }
+ if ((type & T_MASK) == T_FLAG || def->val == NULL) {
+ value.type = JSON_BOOL;
+ value.u.boolean = def->op;
+ sudo_json_add_value_as_object(jsonc, def->var, &value);
+ } else if ((type & T_MASK) == T_LIST) {
+ print_defaults_list_json(jsonc, def);
+ } else {
+ value.type = JSON_STRING;
+ value.u.string = def->val;
+ sudo_json_add_value_as_object(jsonc, def->var, &value);
+ }
+ }
+ sudo_json_close_array(jsonc);
+ }
+
+#ifdef HAVE_SELINUX
+ /* Print SELinux role/type */
+ if (cs->role != NULL && cs->type != NULL) {
+ sudo_json_open_array(jsonc, "SELinux_Spec");
+ value.type = JSON_STRING;
+ value.u.string = cs->role;
+ sudo_json_add_value(jsonc, "role", &value);
+ value.u.string = cs->type;
+ sudo_json_add_value(jsonc, "type", &value);
+ sudo_json_close_array(jsonc);
+ }
+#endif /* HAVE_SELINUX */
+
+#ifdef HAVE_APPARMOR
+ if (cs->apparmor_profile != NULL) {
+ sudo_json_open_array(jsonc, "AppArmor_Spec");
+ value.type = JSON_STRING;
+ value.u.string = cs->apparmor_profile;
+ sudo_json_add_value(jsonc, "apparmor_profile", &value);
+ sudo_json_close_array(jsonc);
+ }
+#endif /* HAVE_APPARMOR */
+
+#ifdef HAVE_PRIV_SET
+ /* Print Solaris privs/limitprivs */
+ if (cs->privs != NULL || cs->limitprivs != NULL) {
+ sudo_json_open_array(jsonc, "Solaris_Priv_Spec");
+ value.type = JSON_STRING;
+ if (cs->privs != NULL) {
+ value.u.string = cs->privs;
+ sudo_json_add_value(jsonc, "privs", &value);
+ }
+ if (cs->limitprivs != NULL) {
+ value.u.string = cs->limitprivs;
+ sudo_json_add_value(jsonc, "limitprivs", &value);
+ }
+ sudo_json_close_array(jsonc);
+ }
+#endif /* HAVE_PRIV_SET */
+
+ /*
+ * Merge adjacent commands with matching tags, runas, SELinux
+ * role/type and Solaris priv settings.
+ */
+ sudo_json_open_array(jsonc, "Commands");
+ for (;;) {
+ print_member_json(jsonc, parse_tree, cs->cmnd, TYPE_COMMAND,
+ expand_aliases);
+ /* Does the next entry differ only in the command itself? */
+ if (!cmndspec_continues(cs, next))
+ break;
+ cs = next;
+ next = TAILQ_NEXT(cs, entries);
+ }
+ sudo_json_close_array(jsonc);
+
+ /* Close Cmnd_Spec object. */
+ sudo_json_close_object(jsonc);
+
+ *nextp = next;
+
+ debug_return;
+}
+
+/*
+ * Print a User_Spec in JSON format at the correct indent level.
+ */
+static void
+print_userspec_json(struct json_container *jsonc,
+ const struct sudoers_parse_tree *parse_tree, struct userspec *us,
+ bool expand_aliases)
+{
+ struct privilege *priv;
+ struct member *m;
+ struct cmndspec *cs, *next;
+ debug_decl(print_userspec_json, SUDOERS_DEBUG_UTIL);
+
+ /*
+ * Each userspec struct may contain multiple privileges for
+ * a user. We export each privilege as a separate User_Spec
+ * object for simplicity's sake.
+ */
+ TAILQ_FOREACH(priv, &us->privileges, entries) {
+ /* Open User_Spec object. */
+ sudo_json_open_object(jsonc, NULL);
+
+ /* Print users list. */
+ sudo_json_open_array(jsonc, "User_List");
+ TAILQ_FOREACH(m, &us->users, entries) {
+ print_member_json(jsonc, parse_tree, m, TYPE_USERNAME,
+ expand_aliases);
+ }
+ sudo_json_close_array(jsonc);
+
+ /* Print hosts list. */
+ sudo_json_open_array(jsonc, "Host_List");
+ TAILQ_FOREACH(m, &priv->hostlist, entries) {
+ print_member_json(jsonc, parse_tree, m, TYPE_HOSTNAME,
+ expand_aliases);
+ }
+ sudo_json_close_array(jsonc);
+
+ /* Print commands. */
+ sudo_json_open_array(jsonc, "Cmnd_Specs");
+ TAILQ_FOREACH_SAFE(cs, &priv->cmndlist, entries, next) {
+ print_cmndspec_json(jsonc, parse_tree, cs, &next, &priv->defaults,
+ expand_aliases);
+ }
+ sudo_json_close_array(jsonc);
+
+ /* Close User_Spec object. */
+ sudo_json_close_object(jsonc);
+ }
+
+ debug_return;
+}
+
+static void
+print_userspecs_json(struct json_container *jsonc,
+ const struct sudoers_parse_tree *parse_tree, bool expand_aliases)
+{
+ struct userspec *us;
+ debug_decl(print_userspecs_json, SUDOERS_DEBUG_UTIL);
+
+ if (TAILQ_EMPTY(&parse_tree->userspecs))
+ debug_return;
+
+ sudo_json_open_array(jsonc, "User_Specs");
+ TAILQ_FOREACH(us, &parse_tree->userspecs, entries) {
+ print_userspec_json(jsonc, parse_tree, us, expand_aliases);
+ }
+ sudo_json_close_array(jsonc);
+
+ debug_return;
+}
+
+/*
+ * Export the parsed sudoers file in JSON format.
+ */
+bool
+convert_sudoers_json(const struct sudoers_parse_tree *parse_tree,
+ const char *output_file, struct cvtsudoers_config *conf)
+{
+ struct json_container jsonc;
+ bool ret = true;
+ FILE *output_fp = stdout;
+ debug_decl(convert_sudoers_json, SUDOERS_DEBUG_UTIL);
+
+ if (strcmp(output_file, "-") != 0) {
+ if ((output_fp = fopen(output_file, "w")) == NULL)
+ sudo_fatal(U_("unable to open %s"), output_file);
+ }
+
+ /* 4 space indent, non-compact, exit on memory allocation failure. */
+ sudo_json_init(&jsonc, 4, false, true, false);
+
+ /* Dump Defaults in JSON format. */
+ if (!ISSET(conf->suppress, SUPPRESS_DEFAULTS)) {
+ print_defaults_json(&jsonc, parse_tree, conf->expand_aliases);
+ }
+
+ /* Dump Aliases in JSON format. */
+ if (!conf->expand_aliases && !ISSET(conf->suppress, SUPPRESS_ALIASES)) {
+ print_aliases_json(&jsonc, parse_tree);
+ }
+
+ /* Dump User_Specs in JSON format. */
+ if (!ISSET(conf->suppress, SUPPRESS_PRIVS)) {
+ print_userspecs_json(&jsonc, parse_tree, conf->expand_aliases);
+ }
+
+ /* Write JSON output. */
+ if (sudo_json_get_len(&jsonc) != 0) {
+ putc('{', output_fp);
+ fputs(sudo_json_get_buf(&jsonc), output_fp);
+ fputs("\n}\n", output_fp);
+ (void)fflush(output_fp);
+ if (ferror(output_fp))
+ ret = false;
+ }
+ sudo_json_free(&jsonc);
+ if (output_fp != stdout)
+ fclose(output_fp);
+
+ debug_return_bool(ret);
+}