simple_access.c revision 721241198c369596c4f13445c70f227b199fdcd0
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher Simple access control
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher Copyright (C) Sumit Bose <sbose@redhat.com> 2010
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher This program is free software; you can redistribute it and/or modify
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher it under the terms of the GNU General Public License as published by
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher the Free Software Foundation; either version 3 of the License, or
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher (at your option) any later version.
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher This program is distributed in the hope that it will be useful,
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher but WITHOUT ANY WARRANTY; without even the implied warranty of
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher GNU General Public License for more details.
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher You should have received a copy of the GNU General Public License
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher along with this program. If not, see <http://www.gnu.org/licenses/>.
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher#include "providers/simple/simple_access.h"
55d80b1301fe969fb4ba2b9481027887b9462dbbJakub Hrozek#define CONFDB_SIMPLE_ALLOW_USERS "simple_allow_users"
55d80b1301fe969fb4ba2b9481027887b9462dbbJakub Hrozek#define CONFDB_SIMPLE_DENY_USERS "simple_deny_users"
ebc6ab564dc2a0a2b08c42d727fc403dde4a2dc9Jakub Hrozek#define CONFDB_SIMPLE_ALLOW_GROUPS "simple_allow_groups"
ebc6ab564dc2a0a2b08c42d727fc403dde4a2dc9Jakub Hrozek#define CONFDB_SIMPLE_DENY_GROUPS "simple_deny_groups"
ebc6ab564dc2a0a2b08c42d727fc403dde4a2dc9Jakub Hrozekstatic void simple_access_check(struct tevent_req *req);
ebc6ab564dc2a0a2b08c42d727fc403dde4a2dc9Jakub Hrozekvoid simple_access_handler(struct be_req *be_req)
ebc6ab564dc2a0a2b08c42d727fc403dde4a2dc9Jakub Hrozek struct be_ctx *be_ctx = be_req_get_be_ctx(be_req);
ebc6ab564dc2a0a2b08c42d727fc403dde4a2dc9Jakub Hrozek pd = talloc_get_type(be_req_get_data(be_req), struct pam_data);
ebc6ab564dc2a0a2b08c42d727fc403dde4a2dc9Jakub Hrozek DEBUG(4, ("simple access does not handles pam task %d.\n", pd->cmd));
ebc6ab564dc2a0a2b08c42d727fc403dde4a2dc9Jakub Hrozek ctx = talloc_get_type(be_ctx->bet_info[BET_ACCESS].pvt_bet_data,
ebc6ab564dc2a0a2b08c42d727fc403dde4a2dc9Jakub Hrozek req = simple_access_check_send(be_req, be_ctx->ev, ctx, pd->user);
ebc6ab564dc2a0a2b08c42d727fc403dde4a2dc9Jakub Hrozek tevent_req_set_callback(req, simple_access_check, be_req);
ebc6ab564dc2a0a2b08c42d727fc403dde4a2dc9Jakub Hrozek be_req_terminate(be_req, DP_ERR_OK, pd->pam_status, NULL);
ebc6ab564dc2a0a2b08c42d727fc403dde4a2dc9Jakub Hrozekstatic void simple_access_check(struct tevent_req *req)
ebc6ab564dc2a0a2b08c42d727fc403dde4a2dc9Jakub Hrozek be_req = tevent_req_callback_data(req, struct be_req);
ebc6ab564dc2a0a2b08c42d727fc403dde4a2dc9Jakub Hrozek pd = talloc_get_type(be_req_get_data(be_req), struct pam_data);
ebc6ab564dc2a0a2b08c42d727fc403dde4a2dc9Jakub Hrozek ret = simple_access_check_recv(req, &access_granted);
ebc6ab564dc2a0a2b08c42d727fc403dde4a2dc9Jakub Hrozek be_req_terminate(be_req, DP_ERR_OK, pd->pam_status, NULL);
ebc6ab564dc2a0a2b08c42d727fc403dde4a2dc9Jakub Hrozekstatic errno_t simple_access_parse_names(TALLOC_CTX *mem_ctx,
ebc6ab564dc2a0a2b08c42d727fc403dde4a2dc9Jakub Hrozek DEBUG(SSSDBG_CRIT_FAILURE, ("talloc_new() failed\n"));
ebc6ab564dc2a0a2b08c42d727fc403dde4a2dc9Jakub Hrozek /* count size */
ebc6ab564dc2a0a2b08c42d727fc403dde4a2dc9Jakub Hrozek out = talloc_zero_array(tmp_ctx, char*, size + 1);
ebc6ab564dc2a0a2b08c42d727fc403dde4a2dc9Jakub Hrozek DEBUG(SSSDBG_CRIT_FAILURE, ("talloc_zero_array() failed\n"));
ebc6ab564dc2a0a2b08c42d727fc403dde4a2dc9Jakub Hrozek /* Since this is access provider, we should fail on any error so we don't
ebc6ab564dc2a0a2b08c42d727fc403dde4a2dc9Jakub Hrozek * allow unauthorized access. */
ebc6ab564dc2a0a2b08c42d727fc403dde4a2dc9Jakub Hrozek for (i = 0; i < size; i++) {
ebc6ab564dc2a0a2b08c42d727fc403dde4a2dc9Jakub Hrozek ret = sss_parse_name(tmp_ctx, be_ctx->domain->names, list[i],
ebc6ab564dc2a0a2b08c42d727fc403dde4a2dc9Jakub Hrozek DEBUG(SSSDBG_CRIT_FAILURE, ("Unable to parse name '%s' [%d]: %s\n",
ebc6ab564dc2a0a2b08c42d727fc403dde4a2dc9Jakub Hrozek if (domain == NULL || strcasecmp(domain, be_ctx->domain->name) == 0) {
ebc6ab564dc2a0a2b08c42d727fc403dde4a2dc9Jakub Hrozek /* This object belongs to main SSSD domain. Those users and groups
ebc6ab564dc2a0a2b08c42d727fc403dde4a2dc9Jakub Hrozek * are stored without domain part, so we will strip it off.
ebc6ab564dc2a0a2b08c42d727fc403dde4a2dc9Jakub Hrozek /* Subdomain users and groups are stored as fully qualified names,
ebc6ab564dc2a0a2b08c42d727fc403dde4a2dc9Jakub Hrozek * thus we will remember the domain part.
ebc6ab564dc2a0a2b08c42d727fc403dde4a2dc9Jakub Hrozek * Since subdomains may come and go, we will look for their
ebc6ab564dc2a0a2b08c42d727fc403dde4a2dc9Jakub Hrozek * existence later, during each access check.
ebc6ab564dc2a0a2b08c42d727fc403dde4a2dc9Jakub Hrozekint sssm_simple_access_init(struct be_ctx *bectx, struct bet_ops **ops,
ebc6ab564dc2a0a2b08c42d727fc403dde4a2dc9Jakub Hrozek const char *name;
ebc6ab564dc2a0a2b08c42d727fc403dde4a2dc9Jakub Hrozek } lists[] = {{"Allow users", CONFDB_SIMPLE_ALLOW_USERS, NULL, NULL},
ebc6ab564dc2a0a2b08c42d727fc403dde4a2dc9Jakub Hrozek {"Deny users", CONFDB_SIMPLE_DENY_USERS, NULL, NULL},
ebc6ab564dc2a0a2b08c42d727fc403dde4a2dc9Jakub Hrozek {"Allow groups", CONFDB_SIMPLE_ALLOW_GROUPS, NULL, NULL},
ebc6ab564dc2a0a2b08c42d727fc403dde4a2dc9Jakub Hrozek {"Deny groups", CONFDB_SIMPLE_DENY_GROUPS, NULL, NULL},
ebc6ab564dc2a0a2b08c42d727fc403dde4a2dc9Jakub Hrozek DEBUG(SSSDBG_CRIT_FAILURE, ("talloc_zero failed.\n"));
ebc6ab564dc2a0a2b08c42d727fc403dde4a2dc9Jakub Hrozek ret = confdb_get_string_as_list(bectx->cdb, ctx, bectx->conf_path,
ebc6ab564dc2a0a2b08c42d727fc403dde4a2dc9Jakub Hrozek DEBUG(SSSDBG_FUNC_DATA, ("%s list is empty.\n", lists[i].name));
ebc6ab564dc2a0a2b08c42d727fc403dde4a2dc9Jakub Hrozek DEBUG(SSSDBG_CRIT_FAILURE, ("confdb_get_string_as_list failed.\n"));
ebc6ab564dc2a0a2b08c42d727fc403dde4a2dc9Jakub Hrozek ret = simple_access_parse_names(ctx, bectx, lists[i].orig_list,
ebc6ab564dc2a0a2b08c42d727fc403dde4a2dc9Jakub Hrozek DEBUG(SSSDBG_CRIT_FAILURE, ("Unable to parse %s list [%d]: %s\n",
ebc6ab564dc2a0a2b08c42d727fc403dde4a2dc9Jakub Hrozek DEBUG(SSSDBG_OP_FAILURE, ("No rules supplied for simple access provider. "
ebc6ab564dc2a0a2b08c42d727fc403dde4a2dc9Jakub Hrozek "Access will be granted for all users.\n"));