hbac_evaluator.c revision 9b72b00ebcfd6225a4e139619c8e18d44a448f87
/*
SSSD
IPA Backend Module -- Access control
Authors:
Sumit Bose <sbose@redhat.com>
Stephen Gallagher <sgallagh@redhat.com>
Copyright (C) 2011 Red Hat
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include <stdlib.h>
#include <string.h>
#include "providers/ipa/ipa_hbac.h"
/* Placeholder structure for future HBAC time-based
* evaluation rules
*/
struct hbac_time_rules {
int not_yet_implemented;
};
enum hbac_eval_result_int {
HBAC_EVAL_MATCH_ERROR = -1,
};
struct hbac_eval_req *hbac_req,
enum hbac_error_code *error);
struct hbac_eval_req *hbac_req,
{
enum hbac_error_code ret;
if (info) {
if (!*info) {
return HBAC_EVAL_OOM;
}
}
uint32_t i;
for (i = 0; rules[i]; i++) {
if (intermediate_result == HBAC_EVAL_UNMATCHED) {
/* This rule did not match at all. Skip it */
continue;
} else if (intermediate_result == HBAC_EVAL_MATCHED) {
/* This request matched an ALLOW rule
* Set the result to ALLOW but continue checking
* the other rules in case a DENY rule trumps it.
*/
if (info) {
}
}
break;
} else {
/* An error occurred processing this rule */
/* Explicitly not checking the result of strdup(), since if
* it's NULL, we can't do anything anyway.
*/
goto done;
}
}
/* If we've reached the end of the loop, we have either set the
* result to ALLOW explicitly or we'll stick with the default DENY.
*/
done:
return result;
}
struct hbac_request_element *req_el);
struct hbac_eval_req *hbac_req,
enum hbac_error_code *error)
{
/* Make sure we have all elements */
|| !rule->targethosts
return HBAC_EVAL_MATCH_ERROR;
}
/* Check users */
return HBAC_EVAL_UNMATCHED;
}
/* Check services */
return HBAC_EVAL_UNMATCHED;
}
/* Check target hosts */
return HBAC_EVAL_UNMATCHED;
}
/* Check source hosts */
return HBAC_EVAL_UNMATCHED;
}
return HBAC_EVAL_MATCHED;
}
struct hbac_request_element *req_el)
{
size_t i, j;
return true;
}
/* First check the name list */
return true;
}
}
}
}
/* Not found in the name list
* Check for group membership
*/
return true;
}
}
}
}
/* Not found in groups either */
return false;
}
{
switch(result) {
case HBAC_EVAL_ALLOW:
return "HBAC_EVAL_ALLOW";
case HBAC_EVAL_DENY:
return "HBAC_EVAL_DENY";
case HBAC_EVAL_ERROR:
return "HBAC_EVAL_ERROR";
case HBAC_EVAL_OOM:
return "Could not allocate memory for hbac_info object";
}
return "HBAC_EVAL_ERROR";
}
{
}
{
switch(code) {
case HBAC_SUCCESS:
return "Success";
return "Function is not yet implemented";
case HBAC_ERROR_OUT_OF_MEMORY:
return "Out of memory";
return "Rule could not be evaluated";
case HBAC_ERROR_UNKNOWN:
default:
return "Unknown error code";
}
}