// ---------------------------------------------------------------------------- // // Copyright (c) Microsoft Corporation. All rights reserved. // // ---------------------------------------------------------------------------- // #define VERBOSE // #define REALLY_VERBOSE namespace Microsoft.Singularity.Security.AccessControl { using System; using System.Text; using System.Text.RegularExpressions; using System.Collections; using Microsoft.SingSharp; using Microsoft.Singularity.Security; using Microsoft.Singularity.Channels; ///

/// Converts an Access Control List description to a regular expression. /// Caches group expansions for improved performance. ///

public class AclConverter { ///

/// Regular expression matching an path fragment ///

protected const string pathfrag = @"[a-zA-Z1-90_]+(\.[a-zA-Z1-90_]+)*"; ///

/// Regular expression matching the beginning of a string ///

protected const string start = "^("; ///

/// Regular expression matching the end of a string ///

protected const string end = ")$"; ///

expression /// The reader of group definitions ///

protected Cache! cache; private IAclCoreSupport support; ///

/// Create new converter, ///

private const int ExpnCachePrunePercent = 20; public AclConverter(IAclCoreSupport _support, int expnCacheMaxEntries, int expnCacheExpirySeconds) { this.support = _support; this.cache = new Cache(expnCacheMaxEntries, expnCacheExpirySeconds, ExpnCachePrunePercent, "Expansion Cache: "); } ///

/// Convert the specified ACL to a regular expression ///

/// The access control list /// An equivalent text regular expression public void DumpStats(StringBuilder! sb) { cache.DumpStats(sb); } public void ClearStats() { cache.ResetStats(); } public void FlushCache() { cache.Prune(true); } public string! Convert(string! aclstr, bool bypassCache, out DateTime minExpiry) { StringBuilder! sb = new StringBuilder(); Stack! stack = new Stack(); int nSubExprs = 0; minExpiry = DateTime.MaxValue; sb.Append(start); DoExpand(aclstr, sb, "", stack, bypassCache, ref nSubExprs, ref minExpiry); sb.Append(end); return sb.ToString(); } public string! ConvertTest(string! aclstr, out int nSubExprs) { DateTime minExpiry = DateTime.MaxValue; StringBuilder! sb = new StringBuilder(); Stack! stack = new Stack(); nSubExprs = 0; sb.Append(start); DoExpand(aclstr, sb, "", stack, false, ref nSubExprs, ref minExpiry); sb.Append(end); return sb.ToString(); } internal class CacheEntry : ICacheValue { public string! expansion; public bool constant; public int nSubExprs; public CacheEntry(Cache! cache, string! expansion, bool constant, int nSubExprs, DateTime minExpiry) { base(cache, minExpiry); this.expansion = expansion; this.constant = constant; this.nSubExprs = nSubExprs; } } private void DoExpand(string! pattern, StringBuilder! sb, string! ns, Stack! stack, bool bypassCache, ref int nSubExprs, ref DateTime minExpiry) { AclToken t; AclParser parser = new AclParser(pattern); CacheEntry ce = null; int eStart = sb.Length; int eSubExprs = nSubExprs; ce = (CacheEntry) cache.GetEntry(pattern); if (ce != null) { if (ce.Expired) ce = null; else if (!bypassCache || ce.constant) { #if VERBOSE DebugStub.Print("DoExpand: Cache hit {0}\n", __arglist(path)); #endif if (ce.expiry < minExpiry) minExpiry = ce.expiry; sb.Append(ce.expansion); nSubExprs += ce.nSubExprs; return; } } while ((t = parser.NextToken()) != null) { switch (t.Type) { case AclTokenType.Literal: #if REALLY_VERBOSE DebugStub.Print("Literal: {0}\n", __arglist(t.Text)); #endif sb.Append(t.Text); break; case AclTokenType.Arc: #if REALLY_VERBOSE DebugStub.Print("Arc: {0}\n", __arglist(t.Text)); #endif // Arcs need no transformation sb.Append(t.Text); break; case AclTokenType.Any: // Any matches any path fragment #if REALLY_VERBOSE DebugStub.Print("Any: {0}\n", __arglist(t.Text)); #endif sb.Append(pathfrag); break; case AclTokenType.Escape: // Reserved regular expression symbol: escape it #if REALLY_VERBOSE DebugStub.Print("Escape: {0}\n", __arglist(t.Text)); #endif sb.AppendFormat("\\{0}", t.Text); break; case AclTokenType.GroupName: // //A sub-expression can have relative or absolute name. //We resolve relative names by keeping track of the namespace //of the last resolution. // bool isPath = true; string path = t.Text; nSubExprs++; if (path.Length != 0) { if (path[0] == '$') { isPath = false; } else { if (path[0] != '/') { // this is a relative path. append the namespace path = ns + "/" + path; } // update the namespace name: int index = path.LastIndexOf('/'); if (index == -1) { ns = String.Empty; } else { ns = (!)path.Substring(0, index); } } string subexpr = ReadSubexpression(path, isPath); if (subexpr == null) { #if VERBOSE DebugStub.Print("Undefined subexpression: {0}\n", __arglist(t.Text)); #endif } if (stack.Contains(path)) { throw new Exception("Infinite recursion detected while expanding acl."); } sb.Append('('); stack.Push(path); if (subexpr != null && subexpr.Length != 0) DoExpand(subexpr, sb, ns, stack, bypassCache, ref nSubExprs, ref minExpiry); stack.Pop(); sb.Append(')'); } break; case AclTokenType.Miscellaneous: DebugStub.Print("Invalid token: {0} Skipping it\n", __arglist(t.Text)); break; } } // cache the results of the expansion at this level string expansion = sb.ToString(eStart, sb.Length-eStart); if (ce == null || expansion != ce.expansion) { ce = new CacheEntry(cache, expansion, false, nSubExprs-eSubExprs, minExpiry); cache.AddEntry(pattern, ce); } else if (ce != null) { // Old expansion was the same, update expiry. ce.ResetExpiry(cache, minExpiry); } if (ce.expiry < minExpiry) minExpiry = ce.expiry; } private string ReadSubexpression(string! path, bool isPath) { string result = null; if (isPath) { if (support == null) DebugStub.Print("ReadSubexpression: AclCoreSupport object missing\n"); else result = support.Expand(path); } else result = Principal.ExpandAclIndirection(path); return result; } // //// this code has been moved to the client impl (e.g. DirAclCoreSupport.sg) // //private string ReadGroup(string! path) //{ // return support.GetGroupContents(path); //} // //// read the file size // DirectoryServiceContract.Imp:Ready! ns = AcquireNSRoot(); // byte[] result = ReadFromFile(path, ns); // ReleaseNSRoot(ns); // // if (result == null) // return null; // // string! subexpression = (!)encoder.GetString(result); // return subexpression; //} // //private DirectoryServiceContract.Imp:Ready! AcquireNSRoot() //{ // // if (cachedRootNS == null) // cachedRootNS = // new TRef(support.GroupDirectoryRoot()); // return cachedRootNS.Acquire(); //} // //private void ReleaseNSRoot([Claims] DirectoryServiceContract.Imp:Ready! ns) //{ // cachedRootNS.Release(ns); //} // //private byte[] ReadFromFile(string!path, DirectoryServiceContract.Imp:Ready! ns) //{ // ErrorCode errCode; // byte[] result; // long size = 0; // int readSize = 4096; // NodeType nodeType; // // // try { // bool temp = SdsUtils.GetAttributes(path, ns, out size, out nodeType, out errCode); // if (!temp) // // element does not exist or an error has occurred // throw new Exception("Cannot get attributes - " + SdsUtils.ErrorCodeToString(errCode)); // // result = new byte[size]; // byte[] in ExHeap buf = new[ExHeap] byte[readSize]; // if (result == null || buf == null) // throw new Exception("Cannot allocate memory"); // // FileContract.Imp! fileImp; // FileContract.Exp! fileExp; // FileContract.NewChannel(out fileImp, out fileExp); // bool bindOk = SdsUtils.Bind(path, ns, fileExp, out errCode); // if (!bindOk) { // delete fileImp; // throw new Exception("Can't read group - " + SdsUtils.ErrorCodeToString(errCode)); // } // fileImp.RecvSuccess(); // // long readOffset = 0; // while (true) { // fileImp.SendRead(buf, 0, readOffset, readSize); // switch receive { // case fileImp.AckRead(localbuf, bytesRead, error) : // // move the memory // Bitter.ToByteArray(localbuf, 0, (int)bytesRead, result, (int)readOffset); // if (bytesRead == readSize) { // // see if there is more // readOffset += bytesRead; // buf = localbuf; // continue; // } // delete localbuf; // break; // case fileImp.ChannelClosed() : // break; // case unsatisfiable : // break; // } // break; // } // delete fileImp; // } // catch (Exception e) { // DebugStub.Print("An exception occurred while reading group definition: {0}\n", // __arglist(path)); // DebugStub.Print("Message: {0}\n", __arglist(e.Message)); // return null; // } // return result; //} // } }