/*
SSSD
IPA Backend Module -- Access control
Authors:
Sumit Bose <sbose@redhat.com>
Copyright (C) 2009 Red Hat
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include <security/pam_modules.h>
#include "providers/ldap/sdap_async.h"
#include "providers/ldap/sdap_access.h"
#include "providers/ipa/ipa_common.h"
#include "providers/ipa/ipa_access.h"
#include "providers/ipa/ipa_hosts.h"
#include "providers/ipa/ipa_hbac_private.h"
#include "providers/ipa/ipa_hbac_rules.h"
/* External logging function for HBAC. */
const char *function,
enum hbac_debug_level level,
const char *fmt, ...)
{
int loglevel;
switch(level) {
case HBAC_DBG_FATAL:
break;
case HBAC_DBG_ERROR:
break;
case HBAC_DBG_WARNING:
break;
case HBAC_DBG_INFO:
break;
case HBAC_DBG_TRACE:
break;
default:
break;
}
if (DEBUG_IS_SET(loglevel)) {
}
}
enum hbac_result {
};
enum check_result {
RULE_APPLICABLE = 0,
};
struct ipa_fetch_hbac_state {
/* Hosts */
/* Rules */
/* Services */
};
struct ipa_fetch_hbac_state *state);
static struct tevent_req *
struct tevent_context *ev,
struct ipa_access_ctx *access_ctx)
{
bool offline;
struct ipa_fetch_hbac_state);
return NULL;
}
goto immediately;
}
goto immediately;
}
goto immediately;
}
goto immediately;
}
return req;
} else {
}
return req;
}
{
int ret;
return ret;
}
return EAGAIN;
}
{
int dp_error;
goto done;
}
if (dp_error == DP_ERR_OFFLINE) {
goto done;
}
return;
}
done:
return;
}
}
{
const char *hostname;
bool srchost;
if (srchost) {
/* Support srchost
* -> we don't want any particular host,
* we want all hosts
*/
/* THIS FEATURE IS DEPRECATED */
"ipa_hbac_support_srchost.\n");
"ipa_hbac_support_srchost.\n");
} else {
}
return ENOMEM;
}
return EAGAIN;
}
{
goto done;
}
goto done;
}
return;
done:
return;
}
}
{
const char *ipa_hostname;
const char *hostname;
size_t i;
goto done;
}
/* Get the ipa_host attrs */
if (ipa_hostname == NULL) {
"Missing ipa_hostname, this should never happen.\n");
goto done;
}
for (i = 0; i < state->host_count; i++) {
goto done;
}
break;
}
}
goto done;
}
goto done;
}
return;
done:
return;
}
}
{
int dp_error;
bool found;
/* Set ret to EOK so we can safely call sdap_id_op_done. */
found = false;
found = true;
} else {
goto done;
}
/* retry */
}
return;
return;
}
if (found == false) {
/* No rules were found that apply to this host. */
goto done;
}
goto done;
}
goto done;
}
done:
return;
}
}
{
return EOK;
}
{
return ENOMEM;
}
/* Delete any rules in the sysdb so offline logins are also denied. */
goto done;
}
goto done;
}
done:
return ret;
}
struct ipa_fetch_hbac_state *state)
{
bool in_transaction = false;
goto done;
}
in_transaction = true;
/* Save the hosts */
goto done;
}
/* Save the services */
goto done;
}
/* Save the rules */
goto done;
}
goto done;
}
in_transaction = false;
done:
if (in_transaction) {
}
}
return ret;
}
struct dp_option *ipa_options,
{
return ENOMEM;
}
/* Get HBAC rules from the sysdb */
goto done;
}
"DENY rules detected. Denying access to all users\n");
goto done;
goto done;
}
if (result == HBAC_EVAL_ALLOW) {
goto done;
} else if (result == HBAC_EVAL_ERROR) {
goto done;
} else if (result == HBAC_EVAL_OOM) {
goto done;
}
done:
return ret;
}
struct sss_domain_info *domain,
struct sysdb_attrs ***_rules)
{
char *filter;
NULL };
goto done;
}
&rule_count, &msgs);
goto done;
rule_count = 0;
}
"Could not convert ldb message to sysdb_attrs\n");
goto done;
}
done:
return ret;
}
struct ipa_pam_access_handler_state {
};
struct tevent_req *
struct ipa_access_ctx *access_ctx,
struct dp_req_params *params)
{
struct ipa_pam_access_handler_state);
return NULL;
}
goto immediately;
}
return req;
/* TODO For backward compatibility we always return EOK to DP now. */
return req;
}
{
switch (ret) {
case EOK:
/* Account wasn't locked. Continue below to HBAC processing. */
break;
case ERR_ACCESS_DENIED:
/* Account was locked. Return permission denied here. */
goto done;
case ERR_ACCOUNT_EXPIRED:
goto done;
default:
break;
}
state->access_ctx);
goto done;
}
return;
done:
/* TODO For backward compatibility we always return EOK to DP now. */
}
{
goto done;
goto done;
}
} else if (ret == ERR_ACCESS_DENIED) {
} else {
}
done:
/* TODO For backward compatibility we always return EOK to DP now. */
}
struct tevent_req *req,
{
return EOK;
}