xdasd_filter.c

Go to the documentation of this file.

/*----------------------------------------------------------------------------
 * Copyright (c) 2006, Novell, Inc.
 * All rights reserved.
 * 
 * Redistribution and use in source and binary forms, with or without 
 * modification, are permitted provided that the following conditions are 
 * met:
 * 
 *     * Redistributions of source code must retain the above copyright 
 *       notice, this list of conditions and the following disclaimer.
 *     * Redistributions in binary form must reproduce the above copyright 
 *       notice, this list of conditions and the following disclaimer in the 
 *       documentation and/or other materials provided with the distribution.
 *     * Neither the name of the Novell nor the names of its contributors 
 *       may be used to endorse or promote products derived from this 
 *       software without specific prior written permission.
 * 
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 
 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR 
 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, 
 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, 
 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 
 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 
 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 
 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 
 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 *--------------------------------------------------------------------------*/

#include <xdas.h>

#include "xdasd_filter.h"
#include "xdasd_parse.h"
#include "xdasd_list.h"
#include "xdasd_log.h"

#include <expat.h>

#ifdef _WIN32
# define strcasecmp  _stricmp
# define strncasecmp _strnicmp
# define strdup      _strdup
#endif

#include <stdio.h>
#include <string.h>
#include <ctype.h>

#ifdef XML_LARGE_SIZE
# if defined(XML_USE_MSC_EXTENSIONS) && _MSC_VER < 1400
#  define XML_FMT_INT_MOD "I64"
# else
#  define XML_FMT_INT_MOD "ll"
# endif
#else
# define XML_FMT_INT_MOD "l"
#endif

#define FT_SUBMIT 0x00000001
#define FT_IMPORT 0x00000002

typedef enum
{
   OP_UNKNOWN = -1,
   OP_EQUAL,
   OP_NOT_EQUAL,
   OP_GREATER_THAN,
   OP_LESS_THAN,
   OP_GT_OR_EQUAL,
   OP_LT_OR_EQUAL,
   OP_BIT_TEST,
   OP_SUBSTRING,
} Operator;

typedef enum
{
   AT_UNKNOWN = -1,
   AT_HDR = 0,
   AT_HDRLEN,
   AT_HDRVER,
   AT_HDRTMOFFS,
   AT_HDRTUINT,
   AT_HDRTUIND,
   AT_HDRTMSRC,
   AT_HDRTMZONE,
   AT_HDREVENT,
   AT_HDROUTCOME,
   AT_ORG,
   AT_ORGLOC,
   AT_ORGADDR,
   AT_ORGTYPE,
   AT_ORGAUT,
   AT_ORGNAME,
   AT_ORGID,
   AT_INT,
   AT_INTAUTH,
   AT_INTNAME,
   AT_INTID,
   AT_TGT,
   AT_TGTLOC,
   AT_TGTADDR,
   AT_TGTTYPE,
   AT_TGTAUTH,
   AT_TGTNAME,
   AT_TGTID,
   AT_SRC,
   AT_SRCDPTR,
   AT_EVT,
   AT_EVTINFO,
   AT_END,
} Attribute;

typedef enum
{
   ACT_LOG,
   ACT_ALARM,
   ACT_TRIGGER,
} ActionType;

typedef struct match_tag
{
   XDLItem elem;           
   int inverse;            /* allow = 0, deny = 1 */
   Attribute attribute;
   Operator op;
   unsigned number;        /* numeric value (if applicable) */
   char * text;            /* text literal */
} Match;

typedef struct action_tag
{
   XDLItem elem;           
   ActionType atype;
   int severity;           /* if atype is alarm, text is severity */
   char * text;            /* if atype if trigger, text is script */
} Action;

typedef struct filter_tag
{
   XDLItem elem;           
   char * name;
   int status;
   unsigned ftype;
   XDList matches;
   XDList actions;
} Filter;

typedef enum
{
   PS_INIT,
   PS_FILTER_EXPECTED,
   PS_MATCH_OR_ACTION_EXPECTED,
   PS_MATCH_EXPECTED,
   PS_ALLOW_IN_PROGRESS,
   PS_DENY_IN_PROGRESS,
   PS_ACTION_EXPECTED,
   PS_LOG_IN_PROGRESS,
   PS_ALARM_IN_PROGRESS,
   PS_TRIGGER_IN_PROGRESS,
   PS_TERMINATE,
} ParserState;

typedef struct parser_tag
{
   XML_Parser xp;       /* the XML parser */
   ParserState state;   /* current parser state */
   char fversion[32];   /* filter list version string */
   XDList filters;      /* filter list being built */
   Filter * f;          /* filter currently being built */
   Match * m;           /* match currently being built */
   Action * a;          /* action currently being built */
} Parser;

/* module static globals */
static char g_filter_version[32];
static XDList g_filters = {0, 0, 0};


/* ---------------------- Begin XML Filter Parser ---------------------- */


static char * strncasestr(const char * haystack, const char * needle, 
      size_t haystacksz)
{
   int nlen = (int)strlen(needle);
   const char * limit = haystack + haystacksz;
   while (haystack < limit)
   {
      if (tolower(*haystack) == tolower(*needle) && nlen <= limit - haystack
            && strncasecmp(needle, haystack, nlen) == 0)
         return (char *)haystack;
      haystack++;
   }
   return 0;
}

static char * strcasestr(const char * haystack, const char * needle)
      { return strncasestr(haystack, needle, strlen(haystack)); }

static int xf_parse_filter_list_version(char * fv, size_t fvsz, 
      const char ** attrs)
{
   const char ** p;
   for (p = attrs; *p; p += 2)
   {
      if (strcmp(p[0], "version") == 0)
      {
         strncpy(fv, p[1], fvsz - 1);
         fv[fvsz-1] = 0;
      }
      else
         xdasd_log(0, "xfilter: Ignoring unknown <filter-list> "
               "attribute, %s='%s'.\n", p[0], p[1]);
   }
   if (*fv == 0)
   {
      xdasd_log(0, "xfilter: Missing <filter-list> version attribute.\n");
      return -1;
   }
   if (strcmp(fv, "OX1") != 0)
   {
      xdasd_log(0, "xfilter: Incorrect <filter-list> version (%s) - "
            "this parser only supports 'OX1'.\n", fv);
      return -1;
   }
   return 0;
}

static int xf_parse_filter_status(const char * status)
{
   return strcasecmp(status, "on") == 0
         || strcasecmp(status, "yes") == 0
         || strcasecmp(status, "true") == 0? 1: 0;
}

static unsigned xf_parse_filter_type(const char * ftype)
{
   unsigned rv = 0;
   if (strcasestr(ftype, "Submit") != 0)
      rv |= FT_SUBMIT;
   if (strcasestr(ftype, "Import") != 0)
      rv |= FT_IMPORT;
   return rv;
}

static int xf_process_filter_attrs(Filter * f, const char ** attrs)
{
   const char ** p;
   f->status = 1;          /* default filters to 'ON' */
   f->ftype = FT_SUBMIT;   /* default filter type to submit only */
   for (p = attrs; *p; p += 2)
   {
      if (strcmp(p[0], "name") == 0)
      {
         free(f->name);
         if ((f->name = strdup(p[1])) == 0)
         {
            xdasd_log(0, "xfilter: Memory allocation failure "
                  "during <filter> attribute parse.\n");
            return -1;
         }
      }
      else if (strcmp(p[0], "status") == 0)
         f->status = xf_parse_filter_status(p[1]);
      else if (strcmp(p[0], "type") == 0)
         f->ftype = xf_parse_filter_type(p[1]);
      else
         xdasd_log(0, "xfilter: Ignoring unknown <filter> "
               "attribute, %s='%s'.\n", p[0], p[1]);
   }
   if (f->name == 0)
   {
      xdasd_log(0, "xfilter: Anonymous XDAS filters are illegal.\n");
      return -1;
   }
   return 0;
}

static Filter * xf_create_filter(const char ** attrs)
{
   Filter * f;
   if ((f = (Filter *)malloc(sizeof(*f))) == 0)
      xdasd_log(0, "xfilter: Memory allocation failure during filter parse.\n");
   else
   {
      memset(f, 0, sizeof(*f));
      if (xf_process_filter_attrs(f, attrs) != 0)
         free(f), f = 0;
   }
   return f;
}
               
static Filter * xf_find_filter(const char * name, XDList * fl)
{
   Filter * f = (Filter *)fl->head;
   while (f && strcmp(name, f->name) != 0)
      f = (Filter *)f->elem.next;
   return f;
}

static int xf_is_dup_filter(const char * name, XDList * f)
{
   if (xf_find_filter(name, f) != 0)
   {
      xdasd_log(0, "xfilter: Duplicate filter name specified.\n");
      return 1;
   }
   return 0;
}

static Attribute xf_parse_match_attr(const char * avalue)
{
   static const struct { const char * astr; Attribute tok; } g_attrmap[] =
   {
      {"HDRLEN",    AT_HDRLEN},    {"HDRVER",  AT_HDRVER},
      {"HDRTMOFF",  AT_HDRTMOFFS}, {"HDRTUINT",AT_HDRTUINT},
      {"HDRTUIND",  AT_HDRTUIND},  {"HDRTMSRC",AT_HDRTMSRC},
      {"HDRTMZONE", AT_HDRTMZONE}, {"HDREVENT",AT_HDREVENT},
      {"HDROUTCOME",AT_HDROUTCOME},{"ORGLOC",  AT_ORGLOC},
      {"ORGADDR",   AT_ORGADDR},   {"ORGTYPE", AT_ORGTYPE},
      {"ORGAUT",    AT_ORGAUT},    {"ORGNAME", AT_ORGNAME},
      {"ORGID",     AT_ORGID},     {"INTAUTH", AT_INTAUTH},
      {"INTNAME",   AT_INTNAME},   {"INTID",   AT_INTID},
      {"TGTLOC",    AT_TGTLOC},    {"TGTADDR", AT_TGTADDR},
      {"TGTTYPE",   AT_TGTTYPE},   {"TGTAUTH", AT_TGTAUTH},
      {"TGTNAME",   AT_TGTNAME},   {"TGTID",   AT_TGTID},
      {"SRCDPTR",   AT_SRCDPTR},   {"EVTINFO", AT_EVTINFO},
   };
   unsigned i; 

   for (i = 0; i < sizeof(g_attrmap)/sizeof(*g_attrmap); i++)
      if (strcasecmp(avalue, g_attrmap[i].astr) == 0)
         return g_attrmap[i].tok;

   return AT_UNKNOWN;
}

static Operator xf_parse_match_op(const char * avalue)
{
   static struct { char * ostr; Operator tok; } omap[] =
   {
      {"EQ", OP_EQUAL},        {"NE", OP_NOT_EQUAL},
      {"GT", OP_GREATER_THAN}, {"LT", OP_LESS_THAN},
      {"GE", OP_GT_OR_EQUAL},  {"LE", OP_LT_OR_EQUAL},
      {"BT", OP_BIT_TEST},     {"SS", OP_SUBSTRING},
   };
   unsigned i; 

   for (i = 0; i < sizeof(omap)/sizeof(*omap); i++)
      if (strcasecmp(avalue, omap[i].ostr) == 0)
         return omap[i].tok;

   return OP_UNKNOWN;
}

static int xf_process_match_attrs(Match * m, const char ** attrs)
{
   const char ** p;
   m->attribute = AT_UNKNOWN;
   m->op = OP_UNKNOWN;
   for (p = attrs; *p; p += 2)
   {
      if (strcmp(p[0], "attr") == 0)
         m->attribute = xf_parse_match_attr(p[1]);
      else if (strcmp(p[0], "op") == 0)
         m->op = xf_parse_match_op(p[1]);
      else
         xdasd_log(0, "xfilter: Ignoring unknown <allow/deny> "
               "attribute, %s='%s'.\n", p[0], p[1]);
   }
   if (m->attribute == AT_UNKNOWN)
   {
      xdasd_log(0, "xfilter: Missing or unknown 'attr' "
            "value in <allow/deny> definition.\n");
      return -1;
   }
   if (m->op == OP_UNKNOWN)
   {
      xdasd_log(0, "xfilter: Missing or unknown 'op' "
            "value in <allow/deny> definition.\n");
      return -1;
   }
   return 0;
}

static Match * xf_create_match(ParserState state, const char ** attrs)
{
   Match * m;
   if ((m = (Match *)malloc(sizeof(*m))) == 0)
      xdasd_log(0, "xfilter: Memory allocation failure "
            "during <allow/deny> parse.\n");
   else
   {
      memset(m, 0, sizeof(*m));
      m->inverse = state == PS_DENY_IN_PROGRESS? 1: 0;
      if (xf_process_match_attrs(m, attrs) != 0)
         free(m), m = 0;
   }
   return m;
}

static int xf_process_alarm_attrs(Action * a, const char ** attrs)
{
   const char ** p;
   for (p = attrs; *p; p += 2)
   {
      if (strcmp(p[0], "severity") == 0)
         a->severity = strtoul(p[1], 0, 0);
      else
         xdasd_log(0, "xfilter: Ignoring unknown <alarm> "
               "attribute, %s='%s'.\n", p[0], p[1]);
   }
   return 0;
}

static void xf_process_unknown_attrs(const char * el, const char ** attrs)
{
   const char ** p;
   for (p = attrs; *p; p += 2)
      xdasd_log(0, "xfilter: Ignoring unknown <%s> "
            "attribute, %s='%s'.\n", el, p[0], p[1]);
}

static ActionType xf_map_state_to_action(ParserState state)
{
   switch(state)
   {
      case PS_LOG_IN_PROGRESS:      return ACT_LOG;
      case PS_ALARM_IN_PROGRESS:    return ACT_ALARM;
      case PS_TRIGGER_IN_PROGRESS:  return ACT_TRIGGER;
   }
   return -1;  /* should never happen */
}

static int xf_process_action_attrs(ParserState state, Action * a, 
      const char ** attrs)
{
   if (state == PS_ALARM_IN_PROGRESS)
      return xf_process_alarm_attrs(a, attrs);
   xf_process_unknown_attrs(state == PS_LOG_IN_PROGRESS? 
         "log": "trigger", attrs);
   return 0;
}

static Action * xf_create_action(ParserState state, const char ** attrs)
{
   Action * a;
   if ((a = (Action *)malloc(sizeof(*a))) == 0)
      xdasd_log(0, "xfilter: Memory allocation failure during <action> parse.\n");
   else
   {
      memset(a, 0, sizeof(*a));
      a->atype = xf_map_state_to_action(state);
      if (xf_process_action_attrs(state, a, attrs) != 0)
         free(a), a = 0;
   }
   return a;
}

static int xf_is_valid_filter_attr(unsigned ftype, Attribute attr)
{
   if ((attr < AT_HDRVER || attr > AT_TGTID)
         || (attr >= AT_HDRTUINT && attr <= AT_HDRTMZONE)
         || (attr == AT_ORG || attr == AT_INT || attr == AT_TGT)
         || (ftype & FT_SUBMIT) == 0 
               && attr != AT_HDRVER && attr != AT_HDREVENT 
               && attr != AT_HDROUTCOME && attr != AT_INTAUTH)
   {
      xdasd_log(0, "xfilter: Invalid filter attribute for specified filter type.\n");
      return 0;
   }
   return 1;
}

static void XMLCALL xf_start_tag(void * data, const char * el, 
      const char ** attrs)
{
   Parser * ps = (Parser *)data;

   switch(ps->state)
   {
      case PS_INIT:
         if (strcmp(el, "filter-list") == 0)
         {
            ps->state = PS_FILTER_EXPECTED;
            if (xf_parse_filter_list_version(ps->fversion, 
                  sizeof(ps->fversion), attrs) != 0)
               XML_StopParser(ps->xp, XML_FALSE);
         }
         else
            XML_StopParser(ps->xp, XML_FALSE);
         break;

      case PS_FILTER_EXPECTED:
         if (strcmp(el, "filter") == 0)
         {
            ps->state = PS_MATCH_OR_ACTION_EXPECTED;
            if ((ps->f = xf_create_filter(attrs)) == 0
                  || xf_is_dup_filter(ps->f->name, &ps->filters))
               XML_StopParser(ps->xp, XML_FALSE);
         }
         else  
            XML_StopParser(ps->xp, XML_FALSE);
         break;

      case PS_MATCH_OR_ACTION_EXPECTED:
         if (strcmp(el, "match") == 0)
            ps->state = PS_MATCH_EXPECTED;
         else if (strcmp(el, "action") == 0)
            ps->state = PS_ACTION_EXPECTED;
         else
            XML_StopParser(ps->xp, XML_FALSE);
         break;

      case PS_MATCH_EXPECTED:
      {
         if (strcmp(el, "allow") == 0)
            ps->state = PS_ALLOW_IN_PROGRESS;
         else if (strcmp(el, "deny") == 0)
            ps->state = PS_DENY_IN_PROGRESS;
         if (ps->state == PS_MATCH_EXPECTED
               || (ps->m = xf_create_match(ps->state, attrs)) == 0
               || !xf_is_valid_filter_attr(ps->f->ftype, ps->m->attribute))
            XML_StopParser(ps->xp, XML_FALSE);
         break;
      }
      case PS_ACTION_EXPECTED:
         if (strcmp(el, "log") == 0)
            ps->state = PS_LOG_IN_PROGRESS;
         else if (strcmp(el, "alarm") == 0)
            ps->state = PS_ALARM_IN_PROGRESS;
         else if (strcmp(el, "trigger") == 0)
            ps->state = PS_TRIGGER_IN_PROGRESS;
         if (ps->state == PS_ACTION_EXPECTED
               || (ps->a = xf_create_action(ps->state, attrs)) == 0)
            XML_StopParser(ps->xp, XML_FALSE);
         break;

      default:
         XML_StopParser(ps->xp, XML_FALSE);
         break;
   }
}

static int xf_gather_text_data(char ** tpp, const char * s, int len, int raw)
{
   if (!raw || *tpp == 0)
   {
      /* strip trailing white space */
      while (len > 0 && isspace(s[len-1]))
         len--;

      /* strip leading white space */
      while (len > 0 && isspace(*s))
         s++, len--;
   }
   if (len > 0)
   {
      size_t osz = *tpp? strlen(*tpp): 0;
      size_t sz = osz + len + 1;

      char * tp;
      if ((tp = (char *)malloc(sz + 1)) == 0) /* add one for trailing \n */
      {
         xdasd_log(0, "xfilter: Memory allocation failure "
               "during element data parse.\n");
         return -1;
      }
      memcpy(tp, *tpp, osz);
      memcpy(tp + osz, s, len);
      tp[sz - 1] = 0;
      free(*tpp);
      *tpp = tp;
   }
   return 0;
}

static void XMLCALL xf_elem_data(void * data, const XML_Char * s, int len)
{
   Parser * ps = (Parser *)data;

   switch(ps->state)
   {
      case PS_ALLOW_IN_PROGRESS:
      case PS_DENY_IN_PROGRESS:
         if (xf_gather_text_data(&ps->m->text, s, len, 0) != 0)
            XML_StopParser(ps->xp, XML_FALSE);
         break;

      case PS_TRIGGER_IN_PROGRESS:
         if (xf_gather_text_data(&ps->a->text, s, len, 1) != 0)
            XML_StopParser(ps->xp, XML_FALSE);
         break;
   }
}

static int xf_replace_script_varnames(char * script, char * limit)
{
   while ((script = strcasestr(script, "$XDAS(")) != 0)
   {
      Attribute attr;
      size_t vlen, flen;
      char * ep, fnstr[3];    /* can't be more than 2 chars + null */

      /* locate field if field value specified */
      script += 6;                     /* skip "$XDAS(" */
      ep = script;
      while (ep < limit && *ep != ')') ep++;  /* find close paren */
      if (ep >= limit)
      {
         xdasd_log(0, "xfilter: Bad script variable format - no closing paren.\n");
         return -1;
      }

      /* find the correct field number for this field name */
      vlen = ep - script;
      *ep = 0;                         /* temporarily terminate for lookup */
      attr = xf_parse_match_attr(script);
      *ep = ')';                       /* then restore close paren */
      if (attr == AT_UNKNOWN)
      {
         xdasd_log(0, "xfilter: Bad script variable format - "
               "unknown field name %.*s.\n", vlen, script);
         return -1;
      }

      /* replace field name with field number - should always be shorter */
      sprintf(fnstr, "%d", attr);
      flen = strlen(fnstr);
      memmove(script + flen, ep, limit - ep);
      memcpy(script, fnstr, flen);

      /* reduce limit by difference in text lengths */
      limit -= vlen - flen; 

      /* move script (buffer pointer) past this macro */
      script = ep + 1;
   }
   *limit = 0;    /* terminate new shorter string */
   return 0;
}

static int xf_cleanup_trigger_script(Action * a)
{
   if (a->text)
   {
      char * bp = a->text;
      char * ep = a->text + strlen(a->text);

      /* remove leading and trailing white space */
      while (bp < ep && isspace(*bp)) bp++;
      while (ep - 1 > bp && isspace(ep[-1])) ep--;

      if (bp >= ep)
      {
         free(a->text);
         a->text = 0;
      }
      else
      {
         memmove(a->text, bp, ep - bp);
         a->text[ep++ - bp] = '\n';  /* add trailing NL */
         a->text[ep - bp] = 0;
         if (xf_replace_script_varnames(a->text, a->text + (ep - bp)) != 0)
            return -1;
      }
   }
   return 0;
}

static int xf_is_attr_numeric(Attribute attr)
{
   return (attr == AT_HDRLEN || attr == AT_HDRTMOFFS
         || attr == AT_HDRTUINT || attr == AT_HDRTUIND
         || attr == AT_HDREVENT || attr == AT_HDROUTCOME)? 1: 0;
}

static void XMLCALL xf_end_tag(void * data, const char * el)
{
   Parser * ps = (Parser *)data;

   switch(ps->state)
   {
      case PS_FILTER_EXPECTED:
         if (strcmp(el, "filter-list") == 0)
            ps->state = PS_TERMINATE;
         else
            XML_StopParser(ps->xp, XML_FALSE);
         break;

      case PS_MATCH_OR_ACTION_EXPECTED:
         if (strcmp(el, "filter") == 0)
         {
            ps->state = PS_FILTER_EXPECTED;
            if (ps->f)
            {
               xdasd_list_link_tail(&ps->filters, &ps->f->elem);
               ps->f = 0;
            }
         }
         else if (strcmp(el, "match") != 0
               && strcmp(el, "action") != 0)
            XML_StopParser(ps->xp, XML_FALSE);
         break;

      case PS_MATCH_EXPECTED:
         if (strcmp(el, "match") == 0)
            ps->state = PS_MATCH_OR_ACTION_EXPECTED;
         else if (strcmp(el, "allow") != 0
               && strcmp(el, "deny") != 0)
            XML_StopParser(ps->xp, XML_FALSE);
         break;

      case PS_ACTION_EXPECTED:
         if (strcmp(el, "action") == 0)
            ps->state = PS_MATCH_OR_ACTION_EXPECTED;
         else if (strcmp(el, "log") != 0
               && strcmp(el, "alarm") != 0
               && strcmp(el, "trigger") != 0)
            XML_StopParser(ps->xp, XML_FALSE);
         break;

      case PS_ALLOW_IN_PROGRESS:
      case PS_DENY_IN_PROGRESS:
         if (ps->m)
         {
            /* convert any hex numeric-literal fields */
            if (ps->m->text != 0 && xf_is_attr_numeric(ps->m->attribute))
               ps->m->number = strtoul(ps->m->text, 0, 16);
            xdasd_list_link_tail(&ps->f->matches, &ps->m->elem);
            ps->m = 0;
         }
         ps->state = PS_MATCH_EXPECTED;
         break;

      case PS_LOG_IN_PROGRESS:
      case PS_ALARM_IN_PROGRESS:
      case PS_TRIGGER_IN_PROGRESS:
         if (ps->a)
         {
            if (ps->a->text != 0)
            {
               if (ps->a->atype == ACT_ALARM)
                  ps->a->severity = strtoul(ps->a->text, 0, 0);
               else if (ps->a->atype == ACT_TRIGGER
                     && xf_cleanup_trigger_script(ps->a) != 0)
                  XML_StopParser(ps->xp, XML_FALSE);
            }
            xdasd_list_link_tail(&ps->f->actions, &ps->a->elem);
            ps->a = 0;
         }
         ps->state = PS_ACTION_EXPECTED;
         break;

      default:
         XML_StopParser(ps->xp, XML_FALSE);
         break;
   }
}

#ifdef LOG_TO_STDOUT

static void xf_display_filters(XDList * filters)
{
   Filter * f = (Filter *)filters->head;
   printf("XDAS Filter Version: %s\n", g_filter_version);
   while (f)
   {
      Match * m = (Match *)f->matches.head;
      Action * a = (Action *)f->actions.head;
      printf("Filter: %s\n", f->name);
      printf("  Matches:\n");
      while (m)
      {
         printf("    %c %d %d %s\n", m->inverse? '-': '+', 
               m->attribute, m->op, m->text);
         m = (Match *)m->elem.next;
      }
      printf("  Actions:\n");
      while (a)
      {
         printf("      %d %s\n", a->atype, a->text? a->text: "");
         a = (Action *)a->elem.next;
      }
      f = (Filter *)f->elem.next;
   }
}
#endif

static int xf_parse_xml_filter(const char * xmlfile)
{
   int done, err = 0;
   XML_Parser xp;
   FILE * fp = 0;
   Parser ps;
   char buf[4096];

   if ((fp = fopen(xmlfile, "r")) == 0)
   {
      xdasd_log(0, "xfilter: No filter file found.\n");
      return 0;
   }
   if ((xp = XML_ParserCreate(0)) == 0)
   {
      xdasd_log(0, "xfilter: XML parser creation failed.\n");
      fclose(fp);
      return -1;
   }

   /* set up context object */
   memset(&ps, 0, sizeof(ps));
   ps.state = PS_INIT;
   ps.xp = xp;
   XML_SetUserData(xp, &ps);

   /* set handlers */
   XML_SetElementHandler(xp, xf_start_tag, xf_end_tag);
   XML_SetCharacterDataHandler(xp, xf_elem_data);

   do 
   {
      size_t len = fread(buf, 1, sizeof(buf), fp);
      if (ferror(fp)) 
      {
         xdasd_log(0, "xfilter: Filter file I/O error.\n");
         err = -1;
         break;
      }
      done = feof(fp);
      if (XML_Parse(xp, buf, (int)len, done) == XML_STATUS_ERROR) 
      {
         xdasd_log(0, "xfilter: Filter file XML parse error"
               " at line %" XML_FMT_INT_MOD "u: %s\n",
               XML_GetCurrentLineNumber(xp), 
               XML_ErrorString(XML_GetErrorCode(xp)));
         err = -1;
         break;
      }
   } while (!done);

   XML_ParserFree(xp);
   fclose(fp);

   if (!err)
   {
      xdasd_filter_exit(); /* clean up any old filters */
      memcpy(&g_filters, &ps.filters, sizeof(g_filters));
      memcpy(g_filter_version, ps.fversion, sizeof(g_filter_version));
#ifdef LOG_TO_STDOUT
      xf_display_filters(&g_filters);
#endif
   }
   return err;
}


/* ----------------------- End XML Filter Parser ----------------------- */


static void xf_free_match(Match * m)
{
   free(m->text);
   free(m);
}

static void xf_free_action(Action * a)
{
   free(a->text);
   free(a);
}

static void xf_free_filter(Filter * f)
{
   XDLItem * ip = f->matches.head;
   while (ip)
   {
      XDLItem * del = ip;
      ip = ip->next;
      xf_free_match((Match *)del);
   }

   ip = f->actions.head;
   while (ip)
   {
      XDLItem * del = ip;
      ip = ip->next;
      xf_free_action((Action *)del);
   }
   free(f->name);
   free(f);
}

static int xf_is_numeric_field_match(unsigned fld, 
      Operator op, unsigned number)
{
   switch(op)
   {
      case OP_EQUAL:          return fld == number;
      case OP_NOT_EQUAL:      return fld != number;
      case OP_GREATER_THAN:   return fld >  number;
      case OP_LESS_THAN:      return fld <  number;
      case OP_GT_OR_EQUAL:    return fld >= number;
      case OP_LT_OR_EQUAL:    return fld <= number;
      case OP_BIT_TEST:       return !!(fld & number);
   }
   return 0;
}

static int xf_is_text_field_match(const char * fld, size_t fldsz, 
      Operator op, const char * text)
{
   switch(op)
   {
      case OP_EQUAL:          return strncasecmp(fld, text, fldsz) == 0;
      case OP_NOT_EQUAL:      return strncasecmp(fld, text, fldsz) != 0;
      case OP_GREATER_THAN:   return strncasecmp(fld, text, fldsz) >  0;
      case OP_LESS_THAN:      return strncasecmp(fld, text, fldsz) <  0;
      case OP_GT_OR_EQUAL:    return strncasecmp(fld, text, fldsz) >= 0;
      case OP_LT_OR_EQUAL:    return strncasecmp(fld, text, fldsz) <= 0;
      case OP_SUBSTRING:      return strncasestr(fld, text, fldsz) != 0;
   }
   return 0;
}

static int xf_filter_matches(Parsed * parsed, XDList * matches)
{
   int fstate = -1;  /* start with no match */
   Match * m = (Match *)matches->head;

   while (m)
   {
      const char ** p = parsed->parsed + m->attribute;
      size_t fldlen = p[1] - p[0] - 1;

      if (fldlen == 0)
         return -2;  /* stop now - insufficient data */

      /* check for numeric or text match */
      if (xf_is_attr_numeric(m->attribute)? 
            xf_is_numeric_field_match(strtoul(p[0], 0, 16), m->op, m->number):
            xf_is_text_field_match(p[0], fldlen, m->op, m->text))
         fstate = m->inverse? 0: 1;

      m = (Match *)m->elem.next;
   }
   return fstate;    /* returns either -1, 0, or 1 from here */
}


/* ----------------------- End module static code ----------------------- */


int xdasd_filter_check(Parsed * parsed, int onlycheck)
{
   int log = -1;        /* initialize to "Default" state    */
   int severity = 0;    /* initialize to "No Alarm" state   */
   int imported = (parsed->flags & PMF_IMPORTED) != 0;
   int triggers = 0;
   Filter * f = (Filter *)g_filters.head;

   xdasd_parse_clear_actions(parsed);

   while (f)
   {
      /* is filter enabled, and does filter type match message type? */
      if (f->status 
            && ((imported && (f->ftype & FT_IMPORT) != 0)
                  || (!imported && (f->ftype & FT_SUBMIT) != 0)))
      {
         Action * a;
         int fstate = xf_filter_matches(parsed, &f->matches);

         if (fstate == -2)
            return -2;  /* insufficient information */

         a = (Action *)f->actions.head;
         while (a)
         {
            switch(a->atype)
            {
               case ACT_LOG:
                  /* This filter only applies to logging if fstate is
                     not "no-match" and log is not already explicitly set. */
                  if (fstate != -1 && log != 1)
                     log = fstate;
                  break;

               case ACT_ALARM:   
                  /* This filter only applies to alarms if fstate is true
                     and a previously applied alarm has a lesser severity. */
                  if (fstate == 1 && severity < a->severity)
                     severity = a->severity;
                  break;

               case ACT_TRIGGER:
                  /* This filter only applies to triggers if fstate is true. */
                  if (fstate == 1)
                  {
                     triggers++;
                     if (xdasd_parse_set_trigger(parsed, onlycheck? 0: a->text) != 0)
                        return -1;  /* memory allocation failure */
                  }
                  break;
            }
            a = (Action *)a->elem.next;
         }
      }
      f = (Filter *)f->elem.next;
   }

   /* check for XDAS_S_NO_AUDIT condition, bail early on "no audit" */
   if (log == 0 && severity == 0 && triggers == 0)
      return 0;   /* no audit is required */

   /* apply log and alarm states after all filters have been processed */
   xdasd_parse_set_log_state(parsed, log);
   xdasd_parse_set_alarm_severity(parsed, severity);

   return 1;      /* audit is required */
}

int xdasd_filter_process(int * minorp, xdas_buffer req, xdas_buffer * rspp)
{
   (void)minorp;
   (void)req;
   (void)rspp;

   return 0;
}

int xdasd_filter_init(const char * filter_file)
      { return xf_parse_xml_filter(filter_file); }

void xdasd_filter_exit(void)
{
   XDLItem * ip = g_filters.head;
   while (ip)
   {
      XDLItem * del = ip;
      ip = ip->next;
      xf_free_filter((Filter *)del);
   }
}

/*==========================================================================*/

#ifdef XDASD_FILTER_TEST

#include <stdarg.h>

void xdasd_log(int level, const char * fmt, ... ) 
{
#ifdef LOG_TO_STDOUT
   va_list args;
   va_start(args, fmt);
   vprintf(fmt, args);
   va_end(args);
#else
   (void)fmt;
#endif
}

int xdasd_log_level(void) { return 0; }

int main(int argc, char ** argv)
{
#define DEF_TEST_FILTER_FILE "xdasd.filter"

   static char test_spec[] =
      "<filter-list version='OX1'>\n"
      "  <filter name='Account Created' status='On' type='Submit, Import'>\n"
      "    <match>\n"
      "      <allow attr='HdrEvent' op='EQ'>0x10000001</allow>\n"
      "      <deny attr='HdrOutcome' op='NE'>0</deny>\n"
      "    </match>\n"
      "    <action>\n"
      "      <log />\n"
      "      <alarm severity='3' />\n"
      "      <trigger>\n"
      "        <![CDATA[\n"
      "mailx -s \"OpenXDAS: Account $XDAS(TGTNAME) created by $XDAS(INTNAME)\" admin@some.com <<InputToHERE\n"
      "$XDAS\n"
      "InputToHERE\n"
      "        ]]>\n"
      "      </trigger>\n"
      "    </action>\n"
      "  </filter>\n"
      "  <filter name='Account Deleted' status='On' type='Submit, Import'>\n"
      "    <match>\n"
      "      <allow attr='HdrEvent' op='EQ'>0x10000002</allow>\n"
      "      <deny attr='HdrOutcome' op='NE'>0</deny>\n"
      "    </match>\n"
      "    <action>\n"
      "      <log />\n"
      "      <alarm severity='4' />\n"
      "      <trigger>\n"
      "        <![CDATA[\n"
      "echo \"Sending mail message.\"\n"
      "mailx -s \"OpenXDAS: Account $XDAS(TGTNAME) deleted by $XDAS(INTNAME)\" admin@some.com <<InputToHERE\n"
      "\"$XDAS\"\n"
      "InputToHERE\n"
      "        ]]>\n"
      "      </trigger>\n"
      "    </action>\n"
      "  </filter>\n"
      "</filter-list>\n";

   FILE * fp;
   Filter * f;
   int rv = 0, fcnt, macnt;
   char * filter_file = DEF_TEST_FILTER_FILE;

   /* if filter file specified on command-line, use it */
   if (argc > 1)
      filter_file = argv[1];

   /* create test filter file */
   if ((fp = fopen(filter_file, "w+")) == 0)
   {
      fprintf(stderr, "Could not open filter file: %s.\n", filter_file);
      return -1;
   }
   fwrite(test_spec, 1, sizeof(test_spec) - 1, fp);
   fclose(fp);

   /* initialize filter module */
   if (xdasd_filter_init(filter_file) != 0)
      return -2;

   /* check filter database to ensure it contains what it should */
   f = (Filter *)g_filters.head;
   fcnt = 0;
   while (f)
   {
      Match * m = (Match *)f->matches.head;
      Action * a = (Action *)f->actions.head;
      if (f->name == 0) rv++;
      macnt = 0;
      while (m)
      {
         if (m->attribute == AT_UNKNOWN) rv++;
         if (m->op == OP_UNKNOWN) rv++;
         if (m->text == 0) rv++;
         macnt++;
         m = (Match *)m->elem.next;
      }
      if (macnt != 2) rv++;
      macnt = 0;
      while (a)
      {
         macnt++;
         a = (Action *)a->elem.next;
      }
      if (macnt != 3) rv++;
      fcnt++;
      f = (Filter *)f->elem.next;
   }
   if (fcnt != 2) rv++;

   /* cleanup and return success */
   xdasd_filter_exit();
   return rv;
}

#endif