jimzah/openafs
1
0
Fork 0
mirror of https://git.openafs.org/openafs.git synced 2025-01-18 15:00:12 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

curpag-via-pioctl-20090603

Browse Source 
LICENSE IPL10
FIXES 124709

curpag needs to know about kernel constructs (getpagvalue on AIX, onegroup
versus two group on linux) and on aix 5.1 simply can't work. add a new pioctl
and use it to simply ask the kernel what the current pag is
This commit is contained in:
Derrick Brashear 2009-06-03 06:39:47 +00:00
parent 091139b3e2
commit 4af75fe96a
14 changed files with 185 additions and 234 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
Makefile.in
View File

@ -175,13 +175,13 @@ afs: config export comerr afs_depinstall
des: config
${COMPILE_PART1} des ${COMPILE_PART2}
sys: cmd comerr afs des rx rxstat fsint sys_depinstall
sys: cmd comerr afs des rx rxstat fsint auth sys_depinstall
${COMPILE_PART1} sys ${COMPILE_PART2}
rxkad: cmd comerr sys des rx rxkad_depinstall
${COMPILE_PART1} rxkad ${COMPILE_PART2}
auth: cmd comerr comerr des lwp rx sys rxkad audit auth_depinstall
auth: cmd comerr comerr des lwp rx rxkad audit sys_depinstall auth_depinstall
${COMPILE_PART1} auth ${COMPILE_PART2}
ubik: cmd comerr auth ubik_depinstall

15
doc/man-pages/pod8/asetkey.pod
View File

@ -9,6 +9,8 @@ asetkey - Add a key from a keytab to an AFS KeyFile
B<asetkey> add <I<kvno>> <I<keyfile>> <I<principal>>
B<asetkey> add <I<kvno>> <I<key>>
B<asetkey> delete <I<kvno>>
B<asetkey> list
@ -21,7 +23,8 @@ B<asetkey> list
The B<asetkey> command is used to add a key to an AFS KeyFile from a
Kerberos keytab. It is similar to B<bos addkey> except that it must be
run locally on the system where the KeyFile is located and it takes the
new key from a Kerberos 5 keytab rather than prompting for the password.
new key from the command line or a Kerberos 5 keytab rather than prompting
for the password.
B<asetkey delete> can be used to delete a key (similar to B<bos
removekeys>), and B<asetkey list> will list the keys in a KeyFile (similar
@ -38,7 +41,8 @@ that key to the KeyFile with B<asetkey add>. The I<kvno> chosen should
match the kvno in the Kerberos KDC (checked with B<kvno> or the
C<getprinc> function of B<kadmin>). I<principal> should be the name of
the AFS principal in the keytab, which must be either C<afs> or
C<afs/I<cell name>>.
C<afs/I<cell name>>. B<asetkey> can also be used to install a key
from a hex string.
In cells that use the Update Server to distribute the contents of the
F</usr/afs/etc> directory, it is conventional to run B<asetkey add> only
@ -82,6 +86,13 @@ C<ktadd>.
You may want to use C<afs/I<cell name>> instead of C<afs>, particularly if
you may have multiple AFS cells for a single Kerberos realm.
In the event you have been distributed a key by a Kerberos administrator
in the form of a hex string, you may use asetkey to install that.
% asetkey add 3 80b6a7cd7a9dadb6
I<key> should be an 8 byte hex representation.
=head1 PRIVILEGE REQUIRED
The issuer must be able to read (for B<asetkey list>) and write (for

1
src/afs/LINUX/osi_vnodeops.c
View File

@ -587,7 +587,6 @@ afs_linux_lock(struct file *fp, int cmd, struct file_lock *flp)
crfree(credp);
return -code;
}
#ifdef STRUCT_FILE_OPERATIONS_HAS_FLOCK

29
src/afs/afs_pioctl.c
View File

@ -119,6 +119,7 @@ DECL_PIOCTL(PDiscon);
DECL_PIOCTL(PNFSNukeCreds);
DECL_PIOCTL(PNewUuid);
DECL_PIOCTL(PPrecache);
DECL_PIOCTL(PGetPAG);
#if defined(AFS_CACHE_BYPASS)
DECL_PIOCTL(PSetCachingThreshold);
DECL_PIOCTL(PSetCachingBlkSize);
@ -237,6 +238,7 @@ static pioctlFunction CpioctlSw[] = {
PBogus, /* 0 */
PBogus, /* 0 */
PPrecache, /* 12 */
PGetPAG, /* 13 */
};
static int (*(OpioctlSw[])) () = {
@ -2382,6 +2384,33 @@ DECL_PIOCTL(PViceAccess)
return EACCES;
}
/*!
* VIOC_GETPAG (13) - Get PAG value
*
* \ingroup pioctl
*
* \param[in] ain not in use
* \param[out] aout PAG value or NOPAG
*
* \retval E2BIG Error not enough space to copy out value
*
* \post get PAG value for the caller's cred
*/
DECL_PIOCTL(PGetPAG)
{
afs_int32 pag;
if (aoutSize < sizeof(afs_int32)) {
return E2BIG;
}
pag = PagInCred(*acred);
memcpy(aout, (char *)&pag, sizeof(afs_int32));
*aoutSize = sizeof(afs_int32);
return 0;
}
DECL_PIOCTL(PPrecache)
{
afs_int32 newValue;

31
src/afsweb/apache_afs_utils.c
View File

@ -93,35 +93,6 @@ flipPrimary(char *tokenBuf)
return 0;
}
/* get the current AFS pag for the calling process */
static afs_int32
curpag()
{
gid_t groups[30];
afs_uint32 g0, g1;
afs_uint32 h, l, ret;
if (getgroups(sizeof groups / sizeof groups[0], groups) < 2)
return 0;
g0 = groups[0] & 0xffff;
g1 = groups[1] & 0xffff;
g0 -= 0x3f00;
g1 -= 0x3f00;
if (g0 < 0xc000 && g1 < 0xc000) {
l = ((g0 & 0x3fff) << 14) | (g1 & 0x3fff);
h = (g0 >> 14);
h = (g1 >> 14) + h + h + h;
ret = ((h << 28) | l);
/* Additional testing */
if (((ret >> 24) & 0xff) == 'A')
return ret;
else
return -1;
}
return -1;
}
/* Returns the AFS pag number, if any, otherwise return -1 */
afs_int32
getPAG()
@ -131,7 +102,7 @@ getPAG()
assert(sizeof(afs_uint32) == 4);
assert(sizeof(afs_int32) == 4);
pag = curpag();
pag = ktc_curpag();
if (pag == 0 || pag == -1)
return -1;

105
src/aklog/asetkey.c
View File

@ -37,6 +37,29 @@
#define USING_HEIMDAL 1
#endif
static int
char2hex(char c)
{
if (c >= '0' && c <= '9')
return (c - 48);
if ((c >= 'a') && (c <= 'f'))
return (c - 'a' + 10);
if ((c >= 'A') && (c <= 'F'))
return (c - 'A' + 10);
return -1;
}
static int
hex2char(char c)
{
if (c <= 9)
return (c + 48);
return (c - 10 + 'a');
}
int
main(int argc, char *argv[])
{
@ -48,6 +71,8 @@ main(int argc, char *argv[])
fprintf(stderr, "%s: usage is '%s <opcode> options, e.g.\n",
argv[0], argv[0]);
fprintf(stderr, "\t%s add <kvno> <keyfile> <princ>\n", argv[0]);
fprintf(stderr, "\tOR\n\t%s add <kvno> <key>\n", argv[0]);
fprintf(stderr, "\t\tEx: %s add 0 \"80b6a7cd7a9dadb6\"\n", argv[0]);
fprintf(stderr, "\t%s delete <kvno>\n", argv[0]);
fprintf(stderr, "\t%s list\n", argv[0]);
exit(1);
@ -66,55 +91,79 @@ main(int argc, char *argv[])
krb5_principal principal;
krb5_keyblock *key;
krb5_error_code retval;
int kvno;
int kvno, keymode = 0;
if (argc != 5) {
fprintf(stderr, "%s add: usage is '%s add <kvno> <keyfile> "
"<princ>\n", argv[0], argv[0]);
exit(1);
if (argc == 4)
keymode = 1;
else {
fprintf(stderr, "%s add: usage is '%s add <kvno> <keyfile> "
"<princ>\n", argv[0], argv[0]);
fprintf(stderr, "\tOR\n\t%s add <kvno> <key>\n", argv[0]);
fprintf(stderr, "\t\tEx: %s add 0 \"80b6a7cd7a9dadb6\"\n", argv[0]);
exit(1);
}
}
krb5_init_context(&context);
kvno = atoi(argv[2]);
retval = krb5_parse_name(context, argv[4], &principal);
if (retval != 0) {
if (keymode) {
char tkey[8];
int i;
char *cp;
if (strlen(argv[3]) != 16) {
printf("key %s is not in right format\n", argv[3]);
printf(" <key> should be an 8byte hex representation \n");
printf(" Ex: setkey add 0 \"80b6a7cd7a9dadb6\"\n");
exit(1);
}
memset(tkey, 0, sizeof(tkey));
for (i = 7, cp = argv[3] + 15; i >= 0; i--, cp -= 2)
tkey[i] = char2hex(*cp) + char2hex(*(cp - 1)) * 16;
code = afsconf_AddKey(tdir, kvno, tkey, 1);
} else {
krb5_init_context(&context);
retval = krb5_parse_name(context, argv[4], &principal);
if (retval != 0) {
afs_com_err(argv[0], retval, "while parsing AFS principal");
exit(1);
}
retval = krb5_kt_read_service_key(context, argv[3], principal, kvno,
ENCTYPE_DES_CBC_CRC, &key);
if (retval != 0) {
}
retval = krb5_kt_read_service_key(context, argv[3], principal, kvno,
ENCTYPE_DES_CBC_CRC, &key);
if (retval != 0) {
afs_com_err(argv[0], retval, "while extracting AFS service key");
exit(1);
}
}
#ifdef USING_HEIMDAL
#define deref_key_length(key) \
key->keyvalue.length
#define deref_key_contents(key) \
key->keyvalue.data
#define deref_key_length(key) \
key->keyvalue.length
#define deref_key_contents(key) \
key->keyvalue.data
#else
#define deref_key_length(key) \
key->length
#define deref_key_contents(key) \
key->contents
#define deref_key_length(key) \
key->length
#define deref_key_contents(key) \
key->contents
#endif
if (deref_key_length(key) != 8) {
if (deref_key_length(key) != 8) {
fprintf(stderr, "Key length should be 8, but is really %d!\n",
deref_key_length(key));
exit(1);
}
code = afsconf_AddKey(tdir, kvno, (char *) deref_key_contents(key), 1);
}
code = afsconf_AddKey(tdir, kvno, (char *) deref_key_contents(key), 1);
if (code) {
fprintf(stderr, "%s: failed to set key, code %ld.\n", argv[0], code);
exit(1);
}
krb5_free_principal(context, principal);
krb5_free_keyblock(context, key);
if (keymode == 0) {
krb5_free_principal(context, principal);
krb5_free_keyblock(context, key);
}
}
else if (strcmp(argv[1], "delete")==0) {
long kvno;

10
src/auth/Makefile.in
View File

@ -17,7 +17,7 @@ OBJS= cellconfig.o ktc.o userok.o writeconfig.o authcon.o \
KOBJS= cellconfig.o ktc.krb.o userok.o writeconfig.o authcon.o \
acfg_errors.o ktc_errors.o
LIBS=libauth.a ${TOP_LIBDIR}/libsys.a \
LIBS=libauth.a \
${TOP_LIBDIR}/librxkad.a ${TOP_LIBDIR}/libdes.a \
${TOP_LIBDIR}/librx.a ${TOP_LIBDIR}/libsys.a \
${TOP_LIBDIR}/liblwp.a ${TOP_LIBDIR}/util.a
@ -26,7 +26,7 @@ KSRCS=auth.h
UKSRCS=${KSRCS} cellconfig.h acfg_errors.c keys.h cellconfig.c \
ktc.c authcon.c ktc_errors.c
all: ${TOP_LIBDIR}/libauth.a ${TOP_LIBDIR}/libauth.krb.a depinstall copyauth setkey
all: ${TOP_LIBDIR}/libauth.a ${TOP_LIBDIR}/libauth.krb.a depinstall
depinstall: ${TOP_INCDIR}/afs/keys.h \
${TOP_INCDIR}/afs/cellconfig.h \
@ -94,7 +94,7 @@ ktc_errors.c auth.h: ktc_errors.et auth.p.h
#
# Install targets
#
install: copyauth libauth.a libauth.krb.a auth.h cellconfig.h
install: libauth.a libauth.krb.a auth.h cellconfig.h
${INSTALL} -d ${DESTDIR}${libdir}/afs
${INSTALL} -d ${DESTDIR}${includedir}/afs
${INSTALL_DATA} libauth.a ${DESTDIR}${libdir}/afs/libauth.a
@ -103,9 +103,8 @@ install: copyauth libauth.a libauth.krb.a auth.h cellconfig.h
${INSTALL_DATA} cellconfig.h ${DESTDIR}${includedir}/afs/cellconfig.h
${INSTALL_DATA} auth.h ${DESTDIR}${includedir}/afs/auth.h
${INSTALL_DATA} ktc.h ${DESTDIR}${includedir}/afs/ktc.h
${INSTALL_PROGRAM} copyauth ${DESTDIR}${sbindir}/copyauth
dest: copyauth libauth.a libauth.krb.a auth.h cellconfig.h
dest: libauth.a libauth.krb.a auth.h cellconfig.h
${INSTALL} -d ${DEST}/lib/afs
${INSTALL} -d ${DEST}/include/afs
${INSTALL_DATA} libauth.a ${DEST}/lib/afs/libauth.a
@ -114,7 +113,6 @@ dest: copyauth libauth.a libauth.krb.a auth.h cellconfig.h
${INSTALL_DATA} cellconfig.h ${DEST}/include/afs/cellconfig.h
${INSTALL_DATA} auth.h ${DEST}/include/afs/auth.h
${INSTALL_DATA} ktc.h ${DEST}/include/afs/ktc.h
${INSTALL_PROGRAM} copyauth ${DEST}/etc/copyauth
#
# Misc. targets

87
src/auth/ktc.c
View File

@ -1614,39 +1614,53 @@ afs_tf_dest_tkt(void)
return 0;
}
static afs_uint32
curpag(void)
afs_uint32
ktc_curpag(void)
{
int code;
struct ViceIoctl iob;
afs_int32 pag;
/* now setup for the pioctl */
iob.in = -1;
iob.in_size = 0;
iob.out = &pag;
iob.out_size = sizeof(afs_int32);
code = PIOCTL(0, VIOC_GETPAG, &iob, 0);
if (code < 0) {
#if defined(AFS_AIX51_ENV)
int code = getpagvalue("afs");
if (code < 0 && errno == EINVAL)
code = 0;
return code;
code = getpagvalue("afs");
if (code < 0 && errno == EINVAL)
code = 0;
return code;
#else
gid_t groups[NGROUPS_MAX];
afs_uint32 g0, g1;
afs_uint32 h, l, ret;
if (getgroups(sizeof groups / sizeof groups[0], groups) < 2)
return 0;
g0 = groups[0] & 0xffff;
g1 = groups[1] & 0xffff;
g0 -= 0x3f00;
g1 -= 0x3f00;
if (g0 < 0xc000 && g1 < 0xc000) {
l = ((g0 & 0x3fff) << 14) | (g1 & 0x3fff);
h = (g0 >> 14);
h = (g1 >> 14) + h + h + h;
ret = ((h << 28) | l);
/* Additional testing */
if (((ret >> 24) & 0xff) == 'A')
return ret;
else
return -1;
}
return -1;
gid_t groups[NGROUPS_MAX];
afs_uint32 g0, g1;
afs_uint32 h, l, ret;
if (getgroups(sizeof groups / sizeof groups[0], groups) < 2)
return 0;
g0 = groups[0] & 0xffff;
g1 = groups[1] & 0xffff;
g0 -= 0x3f00;
g1 -= 0x3f00;
if (g0 < 0xc000 && g1 < 0xc000) {
l = ((g0 & 0x3fff) << 14) | (g1 & 0x3fff);
h = (g0 >> 14);
h = (g1 >> 14) + h + h + h;
ret = ((h << 28) | l);
/* Additional testing */
if (((ret >> 24) & 0xff) == 'A')
return ret;
else
return -1;
}
return -1;
#endif
}
return pag;
}
int
@ -1657,19 +1671,23 @@ ktc_newpag(void)
afs_uint32 pag;
struct stat sbuf;
char fname[256], *prefix = "/ticket/";
char fname5[256], *prefix5 = "FILE:/ticket/krb5cc_";
int numenv;
char **newenv, **senv, **denv;
LOCK_GLOBAL_MUTEX;
if (stat("/ticket", &sbuf) == -1) {
prefix = "/tmp/tkt";
prefix5 = "FILE:/tmp/krb5cc_";
}
pag = curpag() & 0xffffffff;
pag = ktc_curpag() & 0xffffffff;
if (pag == -1) {
sprintf(fname, "%s%d", prefix, getuid());
sprintf(fname5, "%s%d", prefix5, getuid());
} else {
sprintf(fname, "%sp%lu", prefix, afs_cast_uint32(pag));
sprintf(fname5, "%sp%lud", prefix5, (long unsigned int) pag);
}
ktc_set_tkt_string(fname);
@ -1678,13 +1696,18 @@ ktc_newpag(void)
newenv = (char **)malloc((numenv + 2) * sizeof(char *));
for (senv = environ, denv = newenv; *senv; senv++) {
if (strncmp(*senv, "KRBTKFILE=", 10) != 0)
if (strncmp(*senv, "KRBTKFILE=", 10) != 0 &&
strncmp(*senv, "KRB5CCNAME=", 11) != 0)
*denv++ = *senv;
}
*denv = (char *)malloc(10 + strlen(fname) + 1);
*denv = malloc(10+11 + strlen(fname) + strlen(fname5) + 2);
strcpy(*denv, "KRBTKFILE=");
strcat(*denv, fname);
*(denv+1) = *denv + strlen(*denv) + 1;
denv++;
strcpy(*denv, "KRB5CCNAME=");
strcat(*denv, fname5);
*++denv = 0;
environ = newenv;
UNLOCK_GLOBAL_MUTEX;

3
src/config/vioc.h
View File

@ -100,7 +100,8 @@
#define VIOC_CBADDR _CVICEIOCTL(3) /* push callback addr */
#define VIOC_DISCON _CVICEIOCTL(5) /* set/get discon mode */
#define VIOC_NEWUUID _CVICEIOCTL(9) /* new uuid */
#define VIOCPRECACHE _CVICEIOCTL(12) /* precache size */
#define VIOCPRECACHE _CVICEIOCTL(12) /* precache size */
#define VIOC_GETPAG _CVICEIOCTL(13) /* get pag value */
/* OpenAFS-specific 'O' pioctl's */
#define VIOC_NFS_NUKE_CREDS _OVICEIOCTL(1) /* nuke creds for all PAG's */

1
src/packaging/RedHat/openafs.spec.in
View File

@ -1148,7 +1148,6 @@ grep -v "^#" >openafs-file-list <<EOF-openafs-file-list
%{_bindir}/unlog
%{_sbindir}/backup
%{_sbindir}/butc
%{_sbindir}/copyauth
%{_sbindir}/fms
%{_sbindir}/fstrace
%{_sbindir}/kas

38
src/pam/afs_util.c
View File

@ -176,49 +176,13 @@ do_klog(const char *user, const char *password, const char *lifetime,
return (ret);
}
/* get the current AFS pag for the calling process */
static afs_int32
curpag(void)
{
#if defined(AFS_AIX51_ENV)
int code = getpagvalue("afs");
if (code < 0 && errno == EINVAL)
code = 0;
return code;
#else
gid_t groups[NGROUPS_MAX];
afs_uint32 g0, g1;
afs_uint32 h, l, ret;
if (getgroups(sizeof groups / sizeof groups[0], groups) < 2)
return 0;
g0 = groups[0] & 0xffff;
g1 = groups[1] & 0xffff;
g0 -= 0x3f00;
g1 -= 0x3f00;
if (g0 < 0xc000 && g1 < 0xc000) {
l = ((g0 & 0x3fff) << 14) | (g1 & 0x3fff);
h = (g0 >> 14);
h = (g1 >> 14) + h + h + h;
ret = ((h << 28) | l);
/* Additional testing */
if (((ret >> 24) & 0xff) == 'A')
return ret;
else
return -1;
}
return -1;
#endif
}
/* Returns the AFS pag number, if any, otherwise return -1 */
afs_int32
getPAG(void)
{
afs_int32 pag;
pag = curpag();
pag = ktc_curpag();
if (pag == 0 || pag == -1)
return -1;

1
src/rxkad/Makefile.in
View File

@ -30,7 +30,6 @@ fc_test_LIBS=\
${TOP_LIBDIR}/libdes.a \
${TOP_LIBDIR}/librx.a \
${TOP_LIBDIR}/liblwp.a \
${TOP_LIBDIR}/libsys.a \
${TOP_LIBDIR}/libafsutil.a
all: ${TOP_LIBDIR}/librxkad.a fc_test depinstall

2
src/sys/Makefile.in
View File

@ -158,7 +158,7 @@ pagsh: libsys.a AFS_component_version_number.o
pagsh.krb: libsys.a
${CC} ${CFLAGS} -c ${srcdir}/pagsh.c -DAFS_KERBEROS_ENV
${CC} ${CFLAGS} -o pagsh.krb pagsh.o ${LIBS}
${CC} ${CFLAGS} -o pagsh.krb pagsh.o ${TOP_LIBDIR}/libauth.krb.a ${TOP_LIBDIR}/librxkad.a ${TOP_LIBDIR}/libdes.a ${LIBS}
#
# Test programs.

92
src/sys/pagsh.c
View File

@ -40,8 +40,6 @@ RCSID
#include "AFS_component_version_number.c"
int ktc_newpag(void);
int
main(int argc, char *argv[])
{
@ -85,93 +83,3 @@ main(int argc, char *argv[])
fprintf(stderr, "No shell\n");
exit(1);
}
#ifdef AFS_KERBEROS_ENV
/* stolen from auth/ktc.c */
static afs_uint32
curpag(void)
{
#if defined(AFS_AIX51_ENV)
int code = getpagvalue("afs");
if (code < 0 && errno == EINVAL)
code = 0;
return code;
#else
afs_uint32 groups[NGROUPS_MAX];
afs_uint32 g0, g1;
afs_uint32 h, l, ret;
if (getgroups(sizeof groups / sizeof groups[0], groups) < 2)
return 0;
g0 = groups[0] & 0xffff;
g1 = groups[1] & 0xffff;
g0 -= 0x3f00;
g1 -= 0x3f00;
if ((g0 < 0xc000) && (g1 < 0xc000)) {
l = ((g0 & 0x3fff) << 14) | (g1 & 0x3fff);
h = (g0 >> 14);
h = (g1 >> 14) + h + h + h;
ret = ((h << 28) | l);
/* Additional testing */
if (((ret >> 24) & 0xff) == 'A')
return ret;
else
return -1;
}
return -1;
#endif
}
int
ktc_newpag(void)
{
extern char **environ;
afs_uint32 pag;
struct stat sbuf;
char fname[256], *prefix = "/ticket/";
char fname5[256], *prefix5 = "FILE:/ticket/krb5cc_";
int numenv;
char **newenv, **senv, **denv;
if (stat("/ticket", &sbuf) == -1) {
prefix = "/tmp/tkt";
prefix5 = "FILE:/tmp/krb5cc_";
}
pag = curpag() & 0xffffffff;
if (pag == -1) {
sprintf(fname, "%s%d", prefix, getuid());
sprintf(fname5, "%s%d", prefix5, getuid());
} else {
sprintf(fname, "%sp%lud", prefix, (long unsigned int) pag);
sprintf(fname5, "%sp%lud", prefix5, (long unsigned int) pag);
}
/* ktc_set_tkt_string(fname); */
for (senv = environ, numenv = 0; *senv; senv++)
numenv++;
newenv = (char **)malloc((numenv + 2) * sizeof(char *));
for (senv = environ, denv = newenv; *senv; *senv++) {
if (strncmp(*senv, "KRBTKFILE=", 10) != 0 &&
strncmp(*senv, "KRB5CCNAME=", 11) != 0)
*denv++ = *senv;
}
*denv = malloc(10+11 + strlen(fname) + strlen(fname5) + 2);
strcpy(*denv, "KRBTKFILE=");
strcat(*denv, fname);
*(denv+1) = *denv + strlen(*denv) + 1;
denv++;
strcpy(*denv, "KRB5CCNAME=");
strcat(*denv, fname5);
*++denv = 0;
environ = newenv;
return 0;
}
#endif