From b6c53b49cde8188bf2f8b493b275118472c4482e Mon Sep 17 00:00:00 2001
|
|
|
2fc102 |
From: Pavel Reichl <pavel.reichl@redhat.com>
|
|
|
2fc102 |
Date: Wed, 8 Jan 2014 16:03:08 +0000
|
|
|
2fc102 |
Subject: [PATCH 52/53] simple access: refresh master domain info
|
|
|
2fc102 |
|
|
|
2fc102 |
To correctly decide if an object is a member of the main sssd domain, a flat name
|
|
|
2fc102 |
is needed. However, the information may not be available when the module is
|
|
|
2fc102 |
initialised, so it may be necessary to refresh this data later while processing a
|
|
|
2fc102 |
request.
|
|
|
2fc102 |
|
|
|
2fc102 |
Resolves:
|
|
|
2fc102 |
https://fedorahosted.org/sssd/ticket/2189
|
|
|
2fc102 |
---
|
|
|
2fc102 |
src/providers/simple/simple_access.c | 135 +++++++++++++++++++++++------------
|
|
|
2fc102 |
src/providers/simple/simple_access.h | 2 +
|
|
|
2fc102 |
2 files changed, 92 insertions(+), 45 deletions(-)
|
|
|
2fc102 |
|
|
|
2fc102 |
diff --git a/src/providers/simple/simple_access.c b/src/providers/simple/simple_access.c
|
|
|
2fc102 |
index f2bfe755039fd7a370749fd3ce94a47c62c216bc..eab62a826b4749aa5e5dab4a8e491fc2263be4fb 100644
|
|
|
2fc102 |
--- a/src/providers/simple/simple_access.c
|
|
|
2fc102 |
+++ b/src/providers/simple/simple_access.c
|
|
|
2fc102 |
@@ -32,7 +32,76 @@
|
|
|
2fc102 |
#define CONFDB_SIMPLE_ALLOW_GROUPS "simple_allow_groups"
|
|
|
2fc102 |
#define CONFDB_SIMPLE_DENY_GROUPS "simple_deny_groups"
|
|
|
2fc102 |
|
|
|
2fc102 |
+#define TIMEOUT_OF_REFRESH_FILTER_LISTS 5
|
|
|
2fc102 |
+
|
|
|
2fc102 |
static void simple_access_check(struct tevent_req *req);
|
|
|
2fc102 |
+static errno_t simple_access_parse_names(TALLOC_CTX *mem_ctx,
|
|
|
2fc102 |
+ struct be_ctx *be_ctx,
|
|
|
2fc102 |
+ char **list,
|
|
|
2fc102 |
+ char ***_out);
|
|
|
2fc102 |
+
|
|
|
2fc102 |
+static int simple_access_obtain_filter_lists(struct simple_ctx *ctx)
|
|
|
2fc102 |
+{
|
|
|
2fc102 |
+ struct be_ctx *bectx = ctx->be_ctx;
|
|
|
2fc102 |
+ int ret;
|
|
|
2fc102 |
+ int i;
|
|
|
2fc102 |
+ struct {
|
|
|
2fc102 |
+ const char *name;
|
|
|
2fc102 |
+ const char *option;
|
|
|
2fc102 |
+ char **orig_list;
|
|
|
2fc102 |
+ char ***ctx_list;
|
|
|
2fc102 |
+ } lists[] = {{"Allow users", CONFDB_SIMPLE_ALLOW_USERS, NULL, NULL},
|
|
|
2fc102 |
+ {"Deny users", CONFDB_SIMPLE_DENY_USERS, NULL, NULL},
|
|
|
2fc102 |
+ {"Allow groups", CONFDB_SIMPLE_ALLOW_GROUPS, NULL, NULL},
|
|
|
2fc102 |
+ {"Deny groups", CONFDB_SIMPLE_DENY_GROUPS, NULL, NULL},
|
|
|
2fc102 |
+ {NULL, NULL, NULL, NULL}};
|
|
|
2fc102 |
+
|
|
|
2fc102 |
+ lists[0].ctx_list = &ctx->allow_users;
|
|
|
2fc102 |
+ lists[1].ctx_list = &ctx->deny_users;
|
|
|
2fc102 |
+ lists[2].ctx_list = &ctx->allow_groups;
|
|
|
2fc102 |
+ lists[3].ctx_list = &ctx->deny_groups;
|
|
|
2fc102 |
+
|
|
|
2fc102 |
+ ret = sysdb_master_domain_update(bectx->domain);
|
|
|
2fc102 |
+ if (ret != EOK) {
|
|
|
2fc102 |
+ DEBUG(SSSDBG_FUNC_DATA, ("Update of master domain failed [%d]: %s.\n",
|
|
|
2fc102 |
+ ret, sss_strerror(ret)));
|
|
|
2fc102 |
+ goto failed;
|
|
|
2fc102 |
+ }
|
|
|
2fc102 |
+
|
|
|
2fc102 |
+ for (i = 0; lists[i].name != NULL; i++) {
|
|
|
2fc102 |
+ ret = confdb_get_string_as_list(bectx->cdb, ctx, bectx->conf_path,
|
|
|
2fc102 |
+ lists[i].option, &lists[i].orig_list);
|
|
|
2fc102 |
+ if (ret == ENOENT) {
|
|
|
2fc102 |
+ DEBUG(SSSDBG_FUNC_DATA, ("%s list is empty.\n", lists[i].name));
|
|
|
2fc102 |
+ *lists[i].ctx_list = NULL;
|
|
|
2fc102 |
+ continue;
|
|
|
2fc102 |
+ } else if (ret != EOK) {
|
|
|
2fc102 |
+ DEBUG(SSSDBG_CRIT_FAILURE, ("confdb_get_string_as_list failed.\n"));
|
|
|
2fc102 |
+ goto failed;
|
|
|
2fc102 |
+ }
|
|
|
2fc102 |
+
|
|
|
2fc102 |
+ ret = simple_access_parse_names(ctx, bectx, lists[i].orig_list,
|
|
|
2fc102 |
+ lists[i].ctx_list);
|
|
|
2fc102 |
+ if (ret != EOK) {
|
|
|
2fc102 |
+ DEBUG(SSSDBG_CRIT_FAILURE, ("Unable to parse %s list [%d]: %s\n",
|
|
|
2fc102 |
+ lists[i].name, ret, sss_strerror(ret)));
|
|
|
2fc102 |
+ goto failed;
|
|
|
2fc102 |
+ }
|
|
|
2fc102 |
+ }
|
|
|
2fc102 |
+
|
|
|
2fc102 |
+ if (!ctx->allow_users &&
|
|
|
2fc102 |
+ !ctx->allow_groups &&
|
|
|
2fc102 |
+ !ctx->deny_users &&
|
|
|
2fc102 |
+ !ctx->deny_groups) {
|
|
|
2fc102 |
+ DEBUG(SSSDBG_OP_FAILURE,
|
|
|
2fc102 |
+ ("No rules supplied for simple access provider. "
|
|
|
2fc102 |
+ "Access will be granted for all users.\n"));
|
|
|
2fc102 |
+ }
|
|
|
2fc102 |
+ return EOK;
|
|
|
2fc102 |
+
|
|
|
2fc102 |
+failed:
|
|
|
2fc102 |
+ return ret;
|
|
|
2fc102 |
+}
|
|
|
2fc102 |
|
|
|
2fc102 |
void simple_access_handler(struct be_req *be_req)
|
|
|
2fc102 |
{
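Review bot: Every refresh in simple_access_obtain_filter_lists() allocates the orig_list arrays and the parsed lists on `ctx` (the provider context that lives for the whole daemon) and overwrites ctx->allow_users/deny_users/allow_groups/deny_groups without freeing the previous arrays, so with the 5-second refresh the handler now triggers, the process leaks a copy of all four lists per refresh for as long as it runs. The loop also commits each list to ctx as it goes, so a `goto failed` on the third or fourth list leaves ctx with a mix of old and new rules that the caller then evaluates access against; whether a failed simple_access_parse_names() leaves its output untouched is not visible here. A side effect of the move is that the "No rules supplied ... Access will be granted for all users" warning is now emitted at SSSDBG_OP_FAILURE on every refresh, not once at start-up. Parse all four lists under a temporary talloc context and swap them into ctx only once all of them succeeded, freeing the old ones at that point; the rewritten part of the function is below.
```c
static int simple_access_obtain_filter_lists(struct simple_ctx *ctx)
{
    struct be_ctx *bectx = ctx->be_ctx;
    TALLOC_CTX *tmp_ctx = NULL;
    int ret;
    int i;
    struct {
        const char *name;
        const char *option;
        char **orig_list;
        char **parsed;     /* result for this list, owned by tmp_ctx until commit */
        char ***ctx_list;
    } lists[] = {{"Allow users", CONFDB_SIMPLE_ALLOW_USERS, NULL, NULL, NULL},
                 {"Deny users", CONFDB_SIMPLE_DENY_USERS, NULL, NULL, NULL},
                 {"Allow groups", CONFDB_SIMPLE_ALLOW_GROUPS, NULL, NULL, NULL},
                 {"Deny groups", CONFDB_SIMPLE_DENY_GROUPS, NULL, NULL, NULL},
                 {NULL, NULL, NULL, NULL, NULL}};

    /* … unchanged: ctx_list wiring and the sysdb_master_domain_update() call … */

    /* Parse into a throw-away context first: a failure on a later list must
     * not leave ctx holding a half-refreshed rule set, and the previous
     * lists must be freed only once the new ones are complete. */
    tmp_ctx = talloc_new(NULL);
    if (tmp_ctx == NULL) {
        return ENOMEM;
    }

    for (i = 0; lists[i].name != NULL; i++) {
        ret = confdb_get_string_as_list(bectx->cdb, tmp_ctx, bectx->conf_path,
                                        lists[i].option, &lists[i].orig_list);
        if (ret == ENOENT) {
            DEBUG(SSSDBG_FUNC_DATA, ("%s list is empty.\n", lists[i].name));
            lists[i].parsed = NULL;
            continue;
        } else if (ret != EOK) {
            DEBUG(SSSDBG_CRIT_FAILURE, ("confdb_get_string_as_list failed.\n"));
            goto done;
        }

        ret = simple_access_parse_names(tmp_ctx, bectx, lists[i].orig_list,
                                        &lists[i].parsed);
        if (ret != EOK) {
            /* … unchanged: "Unable to parse %s list" debug message … */
            goto done;
        }
    }

    /* All four lists parsed: release the old ones and adopt the new ones. */
    for (i = 0; lists[i].name != NULL; i++) {
        talloc_free(*lists[i].ctx_list);
        *lists[i].ctx_list = talloc_steal(ctx, lists[i].parsed);
    }
    ret = EOK;

    /* … unchanged: "No rules supplied" warning … */

done:
    talloc_free(tmp_ctx);
    return ret;
}
```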
|
|
|
2fc102 |
@@ -40,13 +109,16 @@ void simple_access_handler(struct be_req *be_req)
|
|
|
2fc102 |
struct pam_data *pd;
|
|
|
2fc102 |
struct tevent_req *req;
|
|
|
2fc102 |
struct simple_ctx *ctx;
|
|
|
2fc102 |
+ int ret;
|
|
|
2fc102 |
+ time_t now;
|
|
|
2fc102 |
|
|
|
2fc102 |
pd = talloc_get_type(be_req_get_data(be_req), struct pam_data);
|
|
|
2fc102 |
|
|
|
2fc102 |
pd->pam_status = PAM_SYSTEM_ERR;
|
|
|
2fc102 |
|
|
|
2fc102 |
if (pd->cmd != SSS_PAM_ACCT_MGMT) {
|
|
|
2fc102 |
- DEBUG(4, ("simple access does not handles pam task %d.\n", pd->cmd));
|
|
|
2fc102 |
+ DEBUG(SSSDBG_CONF_SETTINGS,
|
|
|
2fc102 |
+ ("simple access does not handle pam task %d.\n", pd->cmd));
|
|
|
2fc102 |
pd->pam_status = PAM_MODULE_UNKNOWN;
|
|
|
2fc102 |
goto done;
|
|
|
2fc102 |
}
|
|
|
2fc102 |
@@ -54,6 +126,18 @@ void simple_access_handler(struct be_req *be_req)
|
|
|
2fc102 |
ctx = talloc_get_type(be_ctx->bet_info[BET_ACCESS].pvt_bet_data,
|
|
|
2fc102 |
struct simple_ctx);
|
|
|
2fc102 |
|
|
|
2fc102 |
+
|
|
|
2fc102 |
+ now = time(NULL);
|
|
|
2fc102 |
+ if ((now - ctx->last_refresh_of_filter_lists)
|
|
|
2fc102 |
+ > TIMEOUT_OF_REFRESH_FILTER_LISTS) {
|
|
|
2fc102 |
+
|
|
|
2fc102 |
+ ret = simple_access_obtain_filter_lists(ctx);
|
|
|
2fc102 |
+ if (ret != EOK) {
|
|
|
2fc102 |
+ DEBUG(SSSDBG_MINOR_FAILURE, ("Failed to refresh filter lists\n"));
|
|
|
2fc102 |
+ }
|
|
|
2fc102 |
+ ctx->last_refresh_of_filter_lists = now;
|
|
|
2fc102 |
+ }
|
|
|
2fc102 |
+
|
|
|
2fc102 |
req = simple_access_check_send(be_req, be_ctx->ev, ctx, pd->user);
|
|
|
2fc102 |
if (!req) {
|
|
|
2fc102 |
pd->pam_status = PAM_SYSTEM_ERR;
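Review bot: A failed refresh at the new check in simple_access_handler() is only logged at SSSDBG_MINOR_FAILURE and the request then proceeds to simple_access_check_send() with whatever simple_access_obtain_filter_lists() left in ctx; since that function overwrites the four lists one by one as it runs, a failure on a later list can mean the access decision is made against a mix of old and new rules, and if the parse helper resets its output on error (not visible here) a deny list could be evaluated as empty, which grants access. Unless the refresh is made all-or-nothing, an access provider should fail closed at this point: `pd->pam_status = PAM_SYSTEM_ERR; goto done;` instead of falling through. Separately, the check re-reads and re-parses the confdb lists every 5 s of request traffic even though only the master-domain information can change at runtime; refreshing only when sysdb_master_domain_update() reports a changed flat name, or once when it first becomes available, would avoid the repeated work on a hot path. The handler continues outside this hunk.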
|
|
|
2fc102 |
@@ -176,18 +260,6 @@ int sssm_simple_access_init(struct be_ctx *bectx, struct bet_ops **ops,
|
|
|
2fc102 |
{
|
|
|
2fc102 |
int ret = EINVAL;
|
|
|
2fc102 |
struct simple_ctx *ctx;
|
|
|
2fc102 |
- int i;
|
|
|
2fc102 |
- struct {
|
|
|
2fc102 |
- const char *name;
|
|
|
2fc102 |
- const char *option;
|
|
|
2fc102 |
- char **orig_list;
|
|
|
2fc102 |
- char ***ctx_list;
|
|
|
2fc102 |
- } lists[] = {{"Allow users", CONFDB_SIMPLE_ALLOW_USERS, NULL, NULL},
|
|
|
2fc102 |
- {"Deny users", CONFDB_SIMPLE_DENY_USERS, NULL, NULL},
|
|
|
2fc102 |
- {"Allow groups", CONFDB_SIMPLE_ALLOW_GROUPS, NULL, NULL},
|
|
|
2fc102 |
- {"Deny groups", CONFDB_SIMPLE_DENY_GROUPS, NULL, NULL},
|
|
|
2fc102 |
- {NULL, NULL, NULL, NULL}};
|
|
|
2fc102 |
-
|
|
|
2fc102 |
ctx = talloc_zero(bectx, struct simple_ctx);
|
|
|
2fc102 |
if (ctx == NULL) {
|
|
|
2fc102 |
DEBUG(SSSDBG_CRIT_FAILURE, ("talloc_zero failed.\n"));
|
|
|
2fc102 |
@@ -196,39 +268,11 @@ int sssm_simple_access_init(struct be_ctx *bectx, struct bet_ops **ops,
|
|
|
2fc102 |
|
|
|
2fc102 |
ctx->domain = bectx->domain;
|
|
|
2fc102 |
ctx->be_ctx = bectx;
|
|
|
2fc102 |
+ ctx->last_refresh_of_filter_lists = 0;
|
|
|
2fc102 |
|
|
|
2fc102 |
- lists[0].ctx_list = &ctx->allow_users;
|
|
|
2fc102 |
- lists[1].ctx_list = &ctx->deny_users;
|
|
|
2fc102 |
- lists[2].ctx_list = &ctx->allow_groups;
|
|
|
2fc102 |
- lists[3].ctx_list = &ctx->deny_groups;
|
|
|
2fc102 |
-
|
|
|
2fc102 |
- for (i = 0; lists[i].name != NULL; i++) {
|
|
|
2fc102 |
- ret = confdb_get_string_as_list(bectx->cdb, ctx, bectx->conf_path,
|
|
|
2fc102 |
- lists[i].option, &lists[i].orig_list);
|
|
|
2fc102 |
- if (ret == ENOENT) {
|
|
|
2fc102 |
- DEBUG(SSSDBG_FUNC_DATA, ("%s list is empty.\n", lists[i].name));
|
|
|
2fc102 |
- *lists[i].ctx_list = NULL;
|
|
|
2fc102 |
- continue;
|
|
|
2fc102 |
- } else if (ret != EOK) {
|
|
|
2fc102 |
- DEBUG(SSSDBG_CRIT_FAILURE, ("confdb_get_string_as_list failed.\n"));
|
|
|
2fc102 |
- goto failed;
|
|
|
2fc102 |
- }
|
|
|
2fc102 |
-
|
|
|
2fc102 |
- ret = simple_access_parse_names(ctx, bectx, lists[i].orig_list,
|
|
|
2fc102 |
- lists[i].ctx_list);
|
|
|
2fc102 |
- if (ret != EOK) {
|
|
|
2fc102 |
- DEBUG(SSSDBG_CRIT_FAILURE, ("Unable to parse %s list [%d]: %s\n",
|
|
|
2fc102 |
- lists[i].name, ret, sss_strerror(ret)));
|
|
|
2fc102 |
- goto failed;
|
|
|
2fc102 |
- }
|
|
|
2fc102 |
- }
|
|
|
2fc102 |
-
|
|
|
2fc102 |
- if (!ctx->allow_users &&
|
|
|
2fc102 |
- !ctx->allow_groups &&
|
|
|
2fc102 |
- !ctx->deny_users &&
|
|
|
2fc102 |
- !ctx->deny_groups) {
|
|
|
2fc102 |
- DEBUG(SSSDBG_OP_FAILURE, ("No rules supplied for simple access provider. "
|
|
|
2fc102 |
- "Access will be granted for all users.\n"));
|
|
|
2fc102 |
+ ret = simple_access_obtain_filter_lists(ctx);
|
|
|
2fc102 |
+ if (ret != EOK) {
|
|
|
2fc102 |
+ goto failed;
|
|
|
2fc102 |
}
|
|
|
2fc102 |
|
|
|
2fc102 |
*ops = &simple_access_ops;
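Review bot: sssm_simple_access_init() now jumps to failed (freeing ctx, so the provider does not load) whenever simple_access_obtain_filter_lists() returns non-EOK, and that function starts with sysdb_master_domain_update(); if that call returns an error while the master-domain entry has not yet been written to sysdb — the start-up condition the commit message describes — the provider would refuse to load instead of deferring to the request-time refresh this patch introduces. Either confirm that sysdb_master_domain_update() returns EOK for a missing entry, or tolerate that case here and continue with the lists parsed without the master-domain information, leaving the first request to refresh them. The `ctx->last_refresh_of_filter_lists = 0;` is redundant after talloc_zero() but carries intent; a comment such as `/* 0: force a refresh on the first request to pick up the master domain's flat name */` states it better than the assignment does. The failed: label of this function lies outside the hunk.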
|
|
|
2fc102 |
@@ -240,3 +284,4 @@ failed:
|
|
|
2fc102 |
talloc_free(ctx);
|
|
|
2fc102 |
return ret;
|
|
|
2fc102 |
}
|
|
|
2fc102 |
+
|
|
|
2fc102 |
diff --git a/src/providers/simple/simple_access.h b/src/providers/simple/simple_access.h
|
|
|
2fc102 |
index 15dfaceb2d9a6670d3559e4a945c2c7a633fad44..a618b2e2ec16a2f32bad7ceb1f5adb7523199316 100644
|
|
|
2fc102 |
--- a/src/providers/simple/simple_access.h
|
|
|
2fc102 |
+++ b/src/providers/simple/simple_access.h
|
|
|
2fc102 |
@@ -32,6 +32,8 @@ struct simple_ctx {
|
|
|
2fc102 |
char **deny_users;
|
|
|
2fc102 |
char **allow_groups;
|
|
|
2fc102 |
char **deny_groups;
|
|
|
2fc102 |
+
|
|
|
2fc102 |
+ time_t last_refresh_of_filter_lists;
|
|
|
2fc102 |
};
|
|
|
2fc102 |
|
|
|
2fc102 |
struct tevent_req *simple_access_check_send(TALLOC_CTX *mem_ctx,
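Review bot: The new field last_refresh_of_filter_lists has no comment, and its semantics are not obvious from the name: it is written from time(NULL) in simple_access_handler() on every refresh attempt, successful or not, and compared against a 5-second threshold. A comment of the form `/* Wall-clock time (time(NULL)) of the last attempt to refresh the lists above; 0 means never refreshed since init, which forces a refresh on the first request. */` would record both the unit and the attempt-not-success semantics. Since time_t comes from <time.h>, check that this header includes it or is always included after a header that does; the include list is not visible in this hunk.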
|
|
|
2fc102 |
--
|
|
|
2fc102 |
1.8.4.2