Simple access control
Copyright (C) Sumit Bose <sbose@redhat.com> 2010
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
16ac0d6e148b1e07e579d47de1da7ac541447bd2Sumit Bose#define CONFDB_SIMPLE_ALLOW_USERS "simple_allow_users"
16ac0d6e148b1e07e579d47de1da7ac541447bd2Sumit Bose#define CONFDB_SIMPLE_DENY_USERS "simple_deny_users"
1b474ef7011f4bf9ce4aac85dbc9827a9486d5ebStephen Gallagher#define CONFDB_SIMPLE_ALLOW_GROUPS "simple_allow_groups"
1b474ef7011f4bf9ce4aac85dbc9827a9486d5ebStephen Gallagher#define CONFDB_SIMPLE_DENY_GROUPS "simple_deny_groups"
a620742bffad5ef92597b6a25401f6d5c217afa9Pavel Reichlstatic errno_t simple_access_parse_names(TALLOC_CTX *mem_ctx,
dea636af4d1902a081ee891f1b19ee2f8729d759Pavel Březina DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new() failed\n");
dea636af4d1902a081ee891f1b19ee2f8729d759Pavel Březina /* count size */
dea636af4d1902a081ee891f1b19ee2f8729d759Pavel Březina out = talloc_zero_array(tmp_ctx, char*, size + 1);
dea636af4d1902a081ee891f1b19ee2f8729d759Pavel Březina DEBUG(SSSDBG_CRIT_FAILURE, "talloc_zero_array() failed\n");
dea636af4d1902a081ee891f1b19ee2f8729d759Pavel Březina /* Since this is access provider, we should fail on any error so we don't
dea636af4d1902a081ee891f1b19ee2f8729d759Pavel Březina * allow unauthorized access. */
dea636af4d1902a081ee891f1b19ee2f8729d759Pavel Březina for (i = 0; i < size; i++) {
dea636af4d1902a081ee891f1b19ee2f8729d759Pavel Březina ret = sss_parse_name(tmp_ctx, be_ctx->domain->names, list[i],
eef359b508b898ae99d2bf292a43f0f295a2ba5eJakub Hrozek DEBUG(SSSDBG_OP_FAILURE, "sss_parse_name failed [%d]: %s\n",
eef359b508b898ae99d2bf292a43f0f295a2ba5eJakub Hrozek domain = find_domain_by_name(be_ctx->domain, domname, true);
eef359b508b898ae99d2bf292a43f0f295a2ba5eJakub Hrozek out[i] = sss_create_internal_fqname(out, shortname, domain->name);
dea636af4d1902a081ee891f1b19ee2f8729d759Pavel Březinaint simple_access_obtain_filter_lists(struct simple_ctx *ctx)
a620742bffad5ef92597b6a25401f6d5c217afa9Pavel Reichl } lists[] = {{"Allow users", CONFDB_SIMPLE_ALLOW_USERS, NULL, NULL},
a620742bffad5ef92597b6a25401f6d5c217afa9Pavel Reichl {"Deny users", CONFDB_SIMPLE_DENY_USERS, NULL, NULL},
a620742bffad5ef92597b6a25401f6d5c217afa9Pavel Reichl {"Allow groups", CONFDB_SIMPLE_ALLOW_GROUPS, NULL, NULL},
a620742bffad5ef92597b6a25401f6d5c217afa9Pavel Reichl {"Deny groups", CONFDB_SIMPLE_DENY_GROUPS, NULL, NULL},
a620742bffad5ef92597b6a25401f6d5c217afa9Pavel Reichl ret = sysdb_master_domain_update(bectx->domain);
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_FUNC_DATA, "Update of master domain failed [%d]: %s.\n",
a620742bffad5ef92597b6a25401f6d5c217afa9Pavel Reichl ret = confdb_get_string_as_list(bectx->cdb, ctx, bectx->conf_path,
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_FUNC_DATA, "%s list is empty.\n", lists[i].name);
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_CRIT_FAILURE, "confdb_get_string_as_list failed.\n");
a620742bffad5ef92597b6a25401f6d5c217afa9Pavel Reichl ret = simple_access_parse_names(ctx, bectx, lists[i].orig_list,
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse %s list [%d]: %s\n",
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov "No rules supplied for simple access provider. "
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov "Access will be granted for all users.\n");
dea636af4d1902a081ee891f1b19ee2f8729d759Pavel Březinastatic void simple_access_handler_done(struct tevent_req *subreq);
dea636af4d1902a081ee891f1b19ee2f8729d759Pavel Březinasimple_access_handler_send(TALLOC_CTX *mem_ctx,
dea636af4d1902a081ee891f1b19ee2f8729d759Pavel Březina DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n");
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov "simple access does not handle pam task %d.\n", pd->cmd);
dea636af4d1902a081ee891f1b19ee2f8729d759Pavel Březina if ((now - simple_ctx->last_refresh_of_filter_lists)
dea636af4d1902a081ee891f1b19ee2f8729d759Pavel Březina ret = simple_access_obtain_filter_lists(simple_ctx);
79ac0e8a4840202c3615d6ce6584df3c08efb594Jakub Hrozek "Failed to refresh filter lists, denying all access\n");
dea636af4d1902a081ee891f1b19ee2f8729d759Pavel Březina simple_ctx->last_refresh_of_filter_lists = now;
dea636af4d1902a081ee891f1b19ee2f8729d759Pavel Březina subreq = simple_access_check_send(state, params->ev, simple_ctx, pd->user);
dea636af4d1902a081ee891f1b19ee2f8729d759Pavel Březina tevent_req_set_callback(subreq, simple_access_handler_done, req);
dea636af4d1902a081ee891f1b19ee2f8729d759Pavel Březina /* TODO For backward compatibility we always return EOK to DP now. */
dea636af4d1902a081ee891f1b19ee2f8729d759Pavel Březinastatic void simple_access_handler_done(struct tevent_req *subreq)
dea636af4d1902a081ee891f1b19ee2f8729d759Pavel Březina req = tevent_req_callback_data(subreq, struct tevent_req);
dea636af4d1902a081ee891f1b19ee2f8729d759Pavel Březina state = tevent_req_data(req, struct simple_access_handler_state);
dea636af4d1902a081ee891f1b19ee2f8729d759Pavel Březina ret = simple_access_check_recv(subreq, &access_granted);
dea636af4d1902a081ee891f1b19ee2f8729d759Pavel Březina /* TODO For backward compatibility we always return EOK to DP now. */
dea636af4d1902a081ee891f1b19ee2f8729d759Pavel Březinasimple_access_handler_recv(TALLOC_CTX *mem_ctx,
dea636af4d1902a081ee891f1b19ee2f8729d759Pavel Březina struct simple_access_handler_state *state = NULL;
dea636af4d1902a081ee891f1b19ee2f8729d759Pavel Březina state = tevent_req_data(req, struct simple_access_handler_state);
dea636af4d1902a081ee891f1b19ee2f8729d759Pavel Březinaerrno_t sssm_simple_access_init(TALLOC_CTX *mem_ctx,
e32e17d04c796b37bc3f4cde58106d54ffa2b6d1Justin Stephenson const char *simple_access_lists[] = {CONFDB_SIMPLE_ALLOW_USERS,
dea636af4d1902a081ee891f1b19ee2f8729d759Pavel Březina ctx = talloc_zero(mem_ctx, struct simple_ctx);
dea636af4d1902a081ee891f1b19ee2f8729d759Pavel Březina DEBUG(SSSDBG_CRIT_FAILURE, "talloc_zero() failed.\n");
e32e17d04c796b37bc3f4cde58106d54ffa2b6d1Justin Stephenson for (i = 0; simple_access_lists[i] != NULL; i++) {
e32e17d04c796b37bc3f4cde58106d54ffa2b6d1Justin Stephenson ret = confdb_get_string(be_ctx->cdb, mem_ctx, be_ctx->conf_path,
e32e17d04c796b37bc3f4cde58106d54ffa2b6d1Justin Stephenson DEBUG(SSSDBG_CRIT_FAILURE, "confdb_get_string failed.\n");
e32e17d04c796b37bc3f4cde58106d54ffa2b6d1Justin Stephenson DEBUG(SSSDBG_CONF_SETTINGS, "%s values: [%s]\n",
dea636af4d1902a081ee891f1b19ee2f8729d759Pavel Březina simple_access_handler_send, simple_access_handler_recv, ctx,
dea636af4d1902a081ee891f1b19ee2f8729d759Pavel Březina struct simple_ctx, struct pam_data, struct pam_data *);