/*
   SSSD

   Simple access control

   Copyright (C) Sumit Bose <sbose@redhat.com> 2010

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
   the Free Software Foundation; either version 3 of the License, or
   (at your option) any later version.

   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
   GNU General Public License for more details.

   You should have received a copy of the GNU General Public License
   along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
9137c55411aa39d41c1e705ddc34d5bd26c65021Timo Sirainen
9137c55411aa39d41c1e705ddc34d5bd26c65021Timo Sirainen#include <errno.h>
9137c55411aa39d41c1e705ddc34d5bd26c65021Timo Sirainen
9137c55411aa39d41c1e705ddc34d5bd26c65021Timo Sirainen#include <security/pam_modules.h>
9137c55411aa39d41c1e705ddc34d5bd26c65021Timo Sirainen
9137c55411aa39d41c1e705ddc34d5bd26c65021Timo Sirainen#include "util/util.h"
9137c55411aa39d41c1e705ddc34d5bd26c65021Timo Sirainen#include "util/sss_utf8.h"
9137c55411aa39d41c1e705ddc34d5bd26c65021Timo Sirainen#include "providers/dp_backend.h"
9137c55411aa39d41c1e705ddc34d5bd26c65021Timo Sirainen#include "db/sysdb.h"
9137c55411aa39d41c1e705ddc34d5bd26c65021Timo Sirainen#include "providers/simple/simple_access.h"
9137c55411aa39d41c1e705ddc34d5bd26c65021Timo Sirainen
/* confdb attribute names of the four rule lists. They are read relative to
 * the domain's conf_path in sssm_simple_access_init(); an absent attribute
 * means "no rule of this kind". */
#define CONFDB_SIMPLE_ALLOW_USERS "simple_allow_users"
#define CONFDB_SIMPLE_DENY_USERS "simple_deny_users"

#define CONFDB_SIMPLE_ALLOW_GROUPS "simple_allow_groups"
#define CONFDB_SIMPLE_DENY_GROUPS "simple_deny_groups"
9137c55411aa39d41c1e705ddc34d5bd26c65021Timo Sirainen
/* Compare two names under the domain's case-sensitivity setting.
 *
 * @param cs  true: exact byte-wise comparison; false: UTF-8 case-insensitive
 *            comparison via sss_utf8_case_eq()
 * @param s1  first NUL-terminated string
 * @param s2  second NUL-terminated string
 * @return true when the two strings are considered equal in the chosen mode
 */
static bool string_equal(bool cs, const char *s1, const char *s2)
{
    return cs ? (strcmp(s1, s2) == 0)
              : (sss_utf8_case_eq((const uint8_t *)s1,
                                  (const uint8_t *)s2) == EOK);
}
9137c55411aa39d41c1e705ddc34d5bd26c65021Timo Sirainen
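/* Decide whether @username is allowed in under the configured simple rules.
 *
 * Evaluation order (every name comparison honours the domain's
 * case-sensitivity flag):
 *   1. If simple_allow_users lists the user, access is provisionally granted.
 *      If neither simple_allow_users nor simple_allow_groups is configured,
 *      access is provisionally granted as well.
 *   2. A match in simple_deny_users denies immediately and returns EOK.
 *   3. With no group rules at all the provisional decision is final.
 *   4. Otherwise the user's memberOf groups plus the primary group are
 *      collected from the sysdb. A match in simple_allow_groups grants
 *      (skipped when already granted); a match in simple_deny_groups is
 *      evaluated last and denies, so an explicit group deny overrides any
 *      allow.
 *
 * @param ctx             provider context: sysdb handle, domain and the four
 *                        rule lists (each may be NULL when not configured)
 * @param username        name of the user being checked
 * @param access_granted  cleared on entry; holds the decision when EOK is
 *                        returned and is always false on a non-EOK return
 * @return EOK when a decision was reached; ENOMEM, EINVAL (gidNumber missing
 *         or zero, or primary group without a name) or the error from the
 *         sysdb user lookup otherwise.
 */
errno_t simple_access_check(struct simple_ctx *ctx, const char *username,
                            bool *access_granted)
{
    int i;
    unsigned int j;           /* indexes ldb values (unsigned) and groups[] */
    errno_t ret;
    TALLOC_CTX *tmp_ctx = NULL;
    const char *user_attrs[] = { SYSDB_MEMBEROF,
                                 SYSDB_GIDNUM,
                                 NULL };
    const char *group_attrs[] = { SYSDB_NAME,
                                  NULL };
    struct ldb_message *msg;
    struct ldb_message_element *el;
    char **groups;
    const char *primary_group;
    gid_t gid;
    bool matched;
    bool cs = ctx->domain->case_sensitive;

    *access_granted = false;

    /* First, check whether the user is in the allowed users list */
    if (ctx->allow_users != NULL) {
        for (i = 0; ctx->allow_users[i] != NULL; i++) {
            if (string_equal(cs, username, ctx->allow_users[i])) {
                DEBUG(9, ("User [%s] found in allow list, access granted.\n",
                          username));

                /* Do not return immediately on explicit allow
                 * We need to make sure none of the user's groups
                 * are denied.
                 */
                *access_granted = true;
            }
        }
    } else if (!ctx->allow_groups) {
        /* If neither allow rule is in place, we'll assume allowed
         * unless a deny rule disables us below.
         */
        *access_granted = true;
    }

    /* Next check whether this user has been specifically denied */
    if (ctx->deny_users != NULL) {
        for (i = 0; ctx->deny_users[i] != NULL; i++) {
            if (string_equal(cs, username, ctx->deny_users[i])) {
                DEBUG(9, ("User [%s] found in deny list, access denied.\n",
                          username));

                /* Return immediately on explicit denial */
                *access_granted = false;
                return EOK;
            }
        }
    }

    if (!ctx->allow_groups && !ctx->deny_groups) {
        /* There are no group restrictions, so just return
         * here with whatever we've decided.
         */
        return EOK;
    }

    /* Now get a list of this user's groups and check those against the
     * simple_allow_groups list.
     */
    tmp_ctx = talloc_new(NULL);
    if (!tmp_ctx) {
        ret = ENOMEM;
        goto done;
    }

    ret = sysdb_search_user_by_name(tmp_ctx, ctx->sysdb,
                                    username, user_attrs, &msg);
    if (ret != EOK) {
        /* Unknown or unreadable user: propagate the error, the caller
         * must not treat this as a grant. */
        DEBUG(1, ("Could not look up username [%s]: [%d][%s]\n",
                  username, ret, strerror(ret)));
        goto done;
    }

    /* Construct a list of the user's groups */
    el = ldb_msg_find_element(msg, SYSDB_MEMBEROF);
    if (el && el->num_values) {
        /* Get the groups from the memberOf entries
         * Allocate the array with room for both the NULL
         * terminator and the primary group
         */
        groups = talloc_array(tmp_ctx, char *, el->num_values + 2);
        if (!groups) {
            ret = ENOMEM;
            goto done;
        }

        for (j = 0; j < el->num_values; j++) {
            ret = sysdb_group_dn_name(
                    ctx->sysdb, tmp_ctx,
                    (char *)el->values[j].data,
                    &groups[j]);
            if (ret != EOK) {
                goto done;
            }
        }
    } else {
        /* User is not a member of any groups except primary */
        groups = talloc_array(tmp_ctx, char *, 2);
        if (!groups) {
            ret = ENOMEM;
            goto done;
        }
        j = 0;
    }

    /* Get the user's primary group. A missing gidNumber and a gidNumber
     * of 0 both come back as 0 here and are rejected as invalid. */
    gid = ldb_msg_find_attr_as_uint64(msg, SYSDB_GIDNUM, 0);
    if (!gid) {
        ret = EINVAL;
        goto done;
    }
    talloc_zfree(msg);

    ret = sysdb_search_group_by_gid(tmp_ctx, ctx->sysdb,
                                    gid, group_attrs, &msg);
    if (ret != EOK) {
        /* gid_t is not necessarily unsigned long; cast to match %lu. */
        DEBUG(1, ("Could not look up primary group [%lu]: [%d][%s]\n",
                  (unsigned long)gid, ret, strerror(ret)));
        /* We have to treat this as non-fatal, because the primary
         * group may be local to the machine and not available in
         * our ID provider.
         */
    } else {
        primary_group = ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL);
        if (!primary_group) {
            ret = EINVAL;
            goto done;
        }

        groups[j] = talloc_strdup(tmp_ctx, primary_group);
        if (!groups[j]) {
            ret = ENOMEM;
            goto done;
        }
        j++;

        talloc_zfree(msg);
    }

    groups[j] = NULL;

    /* Now process allow and deny group rules
     * If access was already granted above, we'll skip
     * this redundant rule check
     */
    if (ctx->allow_groups && !*access_granted) {
        matched = false;
        for (i = 0; ctx->allow_groups[i]; i++) {
            for (j = 0; groups[j]; j++) {
                if (string_equal(cs, groups[j], ctx->allow_groups[i])) {
                    matched = true;
                    break;
                }
            }

            /* If any group has matched, we can skip out on the
             * processing early
             */
            if (matched) {
                *access_granted = true;
                break;
            }
        }
    }

    /* Finally, process the deny group rules */
    if (ctx->deny_groups) {
        matched = false;
        for (i = 0; ctx->deny_groups[i]; i++) {
            for (j = 0; groups[j]; j++) {
                if (string_equal(cs, groups[j], ctx->deny_groups[i])) {
                    matched = true;
                    break;
                }
            }

            /* If any group has matched, we can skip out on the
             * processing early
             */
            if (matched) {
                *access_granted = false;
                break;
            }
        }
    }

    ret = EOK;

done:
    if (ret != EOK) {
        /* A provisional grant from the user lists may still be set when a
         * later lookup fails; never hand "granted" back next to an error. */
        *access_granted = false;
    }
    talloc_free(tmp_ctx);
    return ret;
}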
/* Backend request handler for the access target.
 *
 * Only SSS_PAM_ACCT_MGMT is served; any other PAM task is answered with
 * PAM_MODULE_UNKNOWN. The verdict of simple_access_check() maps to
 * PAM_SUCCESS or PAM_PERM_DENIED, and a non-EOK result from the check is
 * reported as PAM_SYSTEM_ERR, so a lookup failure never turns into a grant.
 * The reply is always delivered through be_req->fn.
 *
 * @param be_req  backend request whose req_data is a struct pam_data
 */
void simple_access_handler(struct be_req *be_req)
{
    struct pam_data *pd = talloc_get_type(be_req->req_data, struct pam_data);
    struct simple_ctx *ctx;
    bool granted = false;
    errno_t ret;

    /* Pessimistic default; every handled path below overwrites it. */
    pd->pam_status = PAM_SYSTEM_ERR;

    if (pd->cmd != SSS_PAM_ACCT_MGMT) {
        DEBUG(4, ("simple access does not handles pam task %d.\n", pd->cmd));
        pd->pam_status = PAM_MODULE_UNKNOWN;
    } else {
        ctx = talloc_get_type(be_req->be_ctx->bet_info[BET_ACCESS].pvt_bet_data,
                              struct simple_ctx);

        ret = simple_access_check(ctx, pd->user, &granted);
        if (ret == EOK) {
            pd->pam_status = granted ? PAM_SUCCESS : PAM_PERM_DENIED;
        }
        /* ret != EOK keeps PAM_SYSTEM_ERR */
    }

    be_req->fn(be_req, DP_ERR_OK, pd->pam_status, NULL);
}
/* Operations table handed back to the backend by sssm_simple_access_init().
 * There is nothing to tear down per request, hence no finalize callback. */
struct bet_ops simple_access_ops = {
    .handler  = simple_access_handler,
    .finalize = NULL,
};
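/* Read one rule list from the confdb.
 *
 * An absent option (ENOENT) is not an error: the list is left NULL, which
 * simple_access_check() treats as "no rule of this kind".
 *
 * @param bectx   backend context supplying the confdb handle and conf_path
 * @param ctx     provider context; also the talloc parent of the new list
 * @param option  confdb attribute name (one of the CONFDB_SIMPLE_* macros)
 * @param desc    list name used in the debug message, e.g. "Allow user"
 * @param _list   receives the NULL-terminated list, or NULL when unset
 * @return EOK on success or when the option is absent; the confdb error
 *         otherwise (already logged).
 */
static errno_t simple_read_rule_list(struct be_ctx *bectx,
                                     struct simple_ctx *ctx,
                                     const char *option,
                                     const char *desc,
                                     char ***_list)
{
    errno_t ret;

    ret = confdb_get_string_as_list(bectx->cdb, ctx, bectx->conf_path,
                                    option, _list);
    if (ret == ENOENT) {
        DEBUG(9, ("%s list is empty.\n", desc));
        *_list = NULL;
        return EOK;
    }
    if (ret != EOK) {
        DEBUG(1, ("confdb_get_string_as_list failed.\n"));
    }

    return ret;
}

/* Initialise the simple access provider for one domain.
 *
 * Allocates the provider context under @bectx, loads the four rule lists
 * and registers simple_access_ops. With no rule configured at all the
 * provider grants every user (see simple_access_check()), which is logged
 * at level 1 so that an unintentionally empty policy is visible.
 *
 * @param bectx     backend context (talloc parent of the provider context)
 * @param ops       receives a pointer to simple_access_ops
 * @param pvt_data  receives the provider context
 * @return EOK on success; ENOMEM when the context cannot be allocated; the
 *         confdb error when a configured list cannot be read. On failure the
 *         partially built context is freed.
 */
int sssm_simple_access_init(struct be_ctx *bectx, struct bet_ops **ops,
                            void **pvt_data)
{
    errno_t ret;
    struct simple_ctx *ctx;

    ctx = talloc_zero(bectx, struct simple_ctx);
    if (ctx == NULL) {
        DEBUG(1, ("talloc_zero failed.\n"));
        return ENOMEM;
    }
    ctx->sysdb = bectx->sysdb;
    ctx->domain = bectx->domain;

    /* Users */
    ret = simple_read_rule_list(bectx, ctx, CONFDB_SIMPLE_ALLOW_USERS,
                                "Allow user", &ctx->allow_users);
    if (ret != EOK) {
        goto failed;
    }

    ret = simple_read_rule_list(bectx, ctx, CONFDB_SIMPLE_DENY_USERS,
                                "Deny user", &ctx->deny_users);
    if (ret != EOK) {
        goto failed;
    }

    /* Groups */
    ret = simple_read_rule_list(bectx, ctx, CONFDB_SIMPLE_ALLOW_GROUPS,
                                "Allow group", &ctx->allow_groups);
    if (ret != EOK) {
        goto failed;
    }

    /* The original message here said "Deny user"; it is the group list. */
    ret = simple_read_rule_list(bectx, ctx, CONFDB_SIMPLE_DENY_GROUPS,
                                "Deny group", &ctx->deny_groups);
    if (ret != EOK) {
        goto failed;
    }

    if (!ctx->allow_users &&
        !ctx->allow_groups &&
        !ctx->deny_users &&
        !ctx->deny_groups) {
        DEBUG(1, ("No rules supplied for simple access provider. "
                  "Access will be granted for all users.\n"));
    }

    *ops = &simple_access_ops;
    *pvt_data = ctx;
    return EOK;

failed:
    talloc_free(ctx);
    return ret;
}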