simple_access_check.c revision a3c8390d19593b1e5277d95bfb4ab206d4785150
842ae4bd224140319ae7feec1872b93dfd491143fielding/*
842ae4bd224140319ae7feec1872b93dfd491143fielding SSSD
842ae4bd224140319ae7feec1872b93dfd491143fielding
842ae4bd224140319ae7feec1872b93dfd491143fielding Simple access control
842ae4bd224140319ae7feec1872b93dfd491143fielding
842ae4bd224140319ae7feec1872b93dfd491143fielding Copyright (C) Sumit Bose <sbose@redhat.com> 2010
945173cae9e0f894a50aec717acea9399680fdd5bnicholes
ce9621257ef9e54c1bbe5ad8a5f445a1f211c2dcnd This program is free software; you can redistribute it and/or modify
945173cae9e0f894a50aec717acea9399680fdd5bnicholes it under the terms of the GNU General Public License as published by
ce9621257ef9e54c1bbe5ad8a5f445a1f211c2dcnd the Free Software Foundation; either version 3 of the License, or
ce9621257ef9e54c1bbe5ad8a5f445a1f211c2dcnd (at your option) any later version.
ce9621257ef9e54c1bbe5ad8a5f445a1f211c2dcnd
ce9621257ef9e54c1bbe5ad8a5f445a1f211c2dcnd This program is distributed in the hope that it will be useful,
ce9621257ef9e54c1bbe5ad8a5f445a1f211c2dcnd but WITHOUT ANY WARRANTY; without even the implied warranty of
945173cae9e0f894a50aec717acea9399680fdd5bnicholes MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
945173cae9e0f894a50aec717acea9399680fdd5bnicholes GNU General Public License for more details.
945173cae9e0f894a50aec717acea9399680fdd5bnicholes
945173cae9e0f894a50aec717acea9399680fdd5bnicholes You should have received a copy of the GNU General Public License
945173cae9e0f894a50aec717acea9399680fdd5bnicholes along with this program. If not, see <http://www.gnu.org/licenses/>.
e8f95a682820a599fe41b22977010636be5c2717jim*/
945173cae9e0f894a50aec717acea9399680fdd5bnicholes
e8f95a682820a599fe41b22977010636be5c2717jim#include "providers/dp_backend.h"
945173cae9e0f894a50aec717acea9399680fdd5bnicholes#include "providers/simple/simple_access.h"
945173cae9e0f894a50aec717acea9399680fdd5bnicholes#include "util/sss_utf8.h"
945173cae9e0f894a50aec717acea9399680fdd5bnicholes#include "db/sysdb.h"
945173cae9e0f894a50aec717acea9399680fdd5bnicholes
/* Report whether a cached group entry is a POSIX group.
 *
 * The decision is made purely from the SYSDB_POSIX attribute: an entry
 * without the attribute is treated as POSIX (that is the default for
 * groups), otherwise only a case-insensitive "TRUE" counts.  Anything
 * else ("FALSE" or any other value) is non-POSIX.
 */
static bool
is_posix(const struct ldb_message *group)
{
    const char *posix_attr;

    posix_attr = ldb_msg_find_attr_as_string(group, SYSDB_POSIX, NULL);

    /* Absent attribute -> POSIX by default; otherwise compare ignoring case */
    return posix_attr == NULL || strcasecmp(posix_attr, "TRUE") == 0;
}
945173cae9e0f894a50aec717acea9399680fdd5bnicholes
/* Evaluate the per-user allow and deny rules for username.
 *
 * *access_granted is never initialised here; it is only raised to true
 * (an allow_users match, or no allow rule of either kind configured) or
 * forced to false (a deny_users match).  The caller owns the initial
 * value.  Each rule is compared with sss_string_equal() using the case
 * sensitivity of the domain the rule itself belongs to.
 *
 * Returns EOK when the verdict is final (explicit deny), EAGAIN when the
 * group rules still have to be consulted, and EINVAL when a configured
 * rule names a user whose domain cannot be resolved.  NOTE(review): the
 * caller is expected to treat EINVAL as a denial (fail closed) -- confirm
 * in the caller, it is not visible here.
 */
static errno_t
simple_check_users(struct simple_ctx *ctx, const char *username,
                   bool *access_granted)
{
    struct sss_domain_info *rule_dom;
    const char *rule;
    size_t idx;

    if (ctx->allow_users == NULL) {
        if (ctx->allow_groups == NULL) {
            /* No allow rule of either kind: default to allow and let the
             * deny rules (here and in the group check) veto. */
            DEBUG(SSSDBG_TRACE_LIBS,
                  "No allow rule, assumuing allow unless explicitly denied\n");
            *access_granted = true;
        }
    } else {
        for (idx = 0; (rule = ctx->allow_users[idx]) != NULL; idx++) {
            rule_dom = find_subdomain_by_object_name(ctx->domain, rule);
            if (rule_dom == NULL) {
                DEBUG(SSSDBG_CRIT_FAILURE, "Invalid user %s!\n", rule);
                return EINVAL;
            }

            if (!sss_string_equal(rule_dom->case_sensitive, username, rule)) {
                continue;
            }

            DEBUG(SSSDBG_TRACE_LIBS,
                  "User [%s] found in allow list, access granted.\n",
                  username);

            /* Deliberately keep walking the list: every remaining rule is
             * still validated, and the deny lists below must get their
             * chance to veto this allow. */
            *access_granted = true;
        }
    }

    if (ctx->deny_users == NULL) {
        return EAGAIN;
    }

    for (idx = 0; (rule = ctx->deny_users[idx]) != NULL; idx++) {
        rule_dom = find_subdomain_by_object_name(ctx->domain, rule);
        if (rule_dom == NULL) {
            DEBUG(SSSDBG_CRIT_FAILURE, "Invalid user %s!\n", rule);
            return EINVAL;
        }

        if (sss_string_equal(rule_dom->case_sensitive, username, rule)) {
            DEBUG(SSSDBG_TRACE_LIBS,
                  "User [%s] found in deny list, access denied.\n",
                  rule);

            /* An explicit deny is final; no group rule can override it. */
            *access_granted = false;
            return EOK;
        }
    }

    return EAGAIN;
}
7858523f0ca7d8d4365f6639fdb79b5200eff7bbbnicholes
/* Find the first of the user's group_names that equals any entry of the
 * NULL-terminated rule list rules.
 *
 * Rules are walked in configuration order; for each rule the domain it
 * belongs to is resolved from parent and its case sensitivity drives the
 * comparison.  On the first hit *hit is set to the matching element of
 * group_names and EOK is returned without looking at the remaining rules.
 * When nothing matches *hit is NULL and EOK is returned.  A rule whose
 * domain cannot be resolved yields EINVAL.
 */
static errno_t
simple_match_group_rules(struct sss_domain_info *parent, const char **rules,
                         const char **group_names, const char **hit)
{
    struct sss_domain_info *rule_dom;
    size_t r;
    size_t g;

    *hit = NULL;

    for (r = 0; rules[r] != NULL; r++) {
        rule_dom = find_subdomain_by_object_name(parent, rules[r]);
        if (rule_dom == NULL) {
            DEBUG(SSSDBG_CRIT_FAILURE, "Invalid group %s!\n", rules[r]);
            return EINVAL;
        }

        for (g = 0; group_names[g] != NULL; g++) {
            if (sss_string_equal(rule_dom->case_sensitive,
                                 group_names[g], rules[r])) {
                *hit = group_names[g];
                return EOK;
            }
        }
    }

    return EOK;
}

/* Evaluate the allow_groups and deny_groups rules against the user's
 * group membership (group_names, NULL-terminated).
 *
 * The allow rules are only consulted when *access_granted is still false
 * on entry (an earlier user-level allow makes them redundant).  The deny
 * rules are always consulted afterwards, so a deny group match overrides
 * any allow, whether it came from a user rule or a group rule.
 *
 * Returns EOK with the verdict in *access_granted, or EINVAL when a rule
 * names a group whose domain cannot be resolved.
 */
static errno_t
simple_check_groups(struct simple_ctx *ctx, const char **group_names,
                    bool *access_granted)
{
    const char *hit;
    errno_t ret;

    if (ctx->allow_groups != NULL && !*access_granted) {
        ret = simple_match_group_rules(ctx->domain, ctx->allow_groups,
                                       group_names, &hit);
        if (ret != EOK) {
            return ret;
        }

        if (hit != NULL) {
            DEBUG(SSSDBG_TRACE_LIBS,
                  "Group [%s] found in allow list, access granted.\n",
                  hit);
            *access_granted = true;
        }
    }

    /* Deny rules run unconditionally so that deny always wins. */
    if (ctx->deny_groups != NULL) {
        ret = simple_match_group_rules(ctx->domain, ctx->deny_groups,
                                       group_names, &hit);
        if (ret != EOK) {
            return ret;
        }

        if (hit != NULL) {
            DEBUG(SSSDBG_TRACE_LIBS,
                  "Group [%s] found in deny list, access denied.\n",
                  hit);
            *access_granted = false;
        }
    }

    return EOK;
}
ca47a2b6bcea23e8af185c68f256dcbbfd2a0f9dtrawick
/* Per-request state of simple_resolve_group_send(): resolve one GID in a
 * domain to its cached group name, refreshing the group through the
 * backend first when it is missing from the cache or still non-POSIX. */
struct simple_resolve_group_state {
    struct sss_domain_info *domain;   /* domain the GID is looked up in */
    gid_t gid;                        /* GID to resolve */
    struct simple_ctx *ctx;           /* provider context; supplies be_ctx for the refresh */

    const char *name;                 /* group name from the cache entry; set once the check succeeds */
};
3e155218733389e7b1ea3a9ffd0aea533fd929cechrisd
/* Forward declarations: the cache check is shared by the send and done
 * paths, and the done callback is wired to the backend sub-request. */
static errno_t
simple_resolve_group_check(struct simple_resolve_group_state *state);
static void simple_resolve_group_done(struct tevent_req *subreq);
b5b31852ab27739ab90febad74faefe8dab5b24efuankg
/* Start resolving gid (in domain) to a group name.
 *
 * The cache is consulted first via simple_resolve_group_check(); if the
 * group is already present and POSIX the request completes immediately.
 * Otherwise a BE_REQ_GROUP / BE_FILTER_IDNUM lookup for the GID is sent
 * to the backend and simple_resolve_group_done() re-checks the cache when
 * it returns.  Any error (including allocation failure) is reported
 * through the request itself; NULL is returned only when the request
 * object could not be created.
 */
static struct tevent_req *
simple_resolve_group_send(TALLOC_CTX *mem_ctx,
                          struct tevent_context *ev,
                          struct simple_ctx *ctx,
                          struct sss_domain_info *domain,
                          gid_t gid)
{
    struct tevent_req *req;
    struct tevent_req *subreq;
    struct simple_resolve_group_state *state;
    struct be_acct_req *acct_req;
    errno_t ret;

    req = tevent_req_create(mem_ctx, &state,
                            struct simple_resolve_group_state);
    if (req == NULL) {
        return NULL;
    }

    state->domain = domain;
    state->gid = gid;
    state->ctx = ctx;

    /* Shortcut when the group is already usable (e.g. a parent lookup
     * refreshed it earlier); only EAGAIN means "go ask the backend". */
    ret = simple_resolve_group_check(state);
    switch (ret) {
    case EOK:
        DEBUG(SSSDBG_TRACE_LIBS, "Group already updated\n");
        goto immediate;
    case EAGAIN:
        break;
    default:
        DEBUG(SSSDBG_OP_FAILURE,
              "Cannot check if group was already updated [%d]: %s\n",
              ret, sss_strerror(ret));
        goto immediate;
    }

    acct_req = talloc(state, struct be_acct_req);
    if (acct_req == NULL) {
        ret = ENOMEM;
        goto immediate;
    }

    /* Lookup by numeric GID in the group's own domain */
    acct_req->entry_type = BE_REQ_GROUP;
    acct_req->attr_type = BE_ATTR_CORE;
    acct_req->filter_type = BE_FILTER_IDNUM;
    acct_req->filter_value = talloc_asprintf(acct_req, "%llu",
                                             (unsigned long long) gid);
    acct_req->domain = talloc_strdup(acct_req, state->domain->name);
    if (acct_req->filter_value == NULL || acct_req->domain == NULL) {
        ret = ENOMEM;
        goto immediate;
    }

    subreq = be_get_account_info_send(state, ev, NULL, ctx->be_ctx, acct_req);
    if (subreq == NULL) {
        ret = ENOMEM;
        goto immediate;
    }
    tevent_req_set_callback(subreq, simple_resolve_group_done, req);

    return req;

immediate:
    if (ret == EOK) {
        tevent_req_done(req);
    } else {
        tevent_req_error(req, ret);
    }
    tevent_req_post(req, ev);
    return req;
}
945173cae9e0f894a50aec717acea9399680fdd5bnicholes
/* Look the group up in the sysdb cache by GID and record its name.
 *
 * Returns EOK when a POSIX group with a name was found (state->name then
 * points into the cache entry, which is allocated under state), EAGAIN
 * when the group is absent from the cache or cached as non-POSIX and so
 * still needs a backend refresh, ERR_ACCOUNT_UNKNOWN when the cached entry
 * has no name, and any other sysdb error unchanged.
 */
static errno_t
simple_resolve_group_check(struct simple_resolve_group_state *state)
{
    const char *wanted[] = { SYSDB_NAME, SYSDB_POSIX, SYSDB_GIDNUM, NULL };
    struct ldb_message *grp = NULL;
    errno_t ret;

    ret = sysdb_search_group_by_gid(state, state->domain, state->gid,
                                    wanted, &grp);
    switch (ret) {
    case EOK:
        break;
    case ENOENT:
        /* Not cached yet; the caller will trigger a refresh. */
        return EAGAIN;
    default:
        DEBUG(SSSDBG_OP_FAILURE,
              "Could not look up group by gid [%"SPRIgid"]: [%d][%s]\n",
              state->gid, ret, sss_strerror(ret));
        return ret;
    }

    state->name = ldb_msg_find_attr_as_string(grp, SYSDB_NAME, NULL);
    if (state->name == NULL) {
        DEBUG(SSSDBG_OP_FAILURE, "No group name\n");
        return ERR_ACCOUNT_UNKNOWN;
    }

    /* A group cached as non-POSIX is treated like a cache miss. */
    if (!is_posix(grp)) {
        DEBUG(SSSDBG_TRACE_LIBS,
              "The group is still non-POSIX\n");
        return EAGAIN;
    }

    DEBUG(SSSDBG_TRACE_LIBS, "Got POSIX group\n");
    return EOK;
}
ef51c0782d5ae6867ee33fab6ed29fc4745ed66fbnicholes
/* Completion callback for the backend group refresh started by
 * simple_resolve_group_send().
 *
 * A failed receive propagates its errno; a refresh the data provider
 * reports as failed (non-zero major error) is mapped to EIO.  After a
 * successful refresh the cache is consulted again; note that a group
 * which is still non-POSIX makes simple_resolve_group_check() return
 * EAGAIN, which is reported to the caller as an error here.
 */
static void simple_resolve_group_done(struct tevent_req *subreq)
{
    struct tevent_req *req;
    struct simple_resolve_group_state *state;
    const char *dp_err_msg = NULL;
    int dp_err_maj = 0;
    int dp_err_min = 0;
    errno_t ret;

    req = tevent_req_callback_data(subreq, struct tevent_req);
    state = tevent_req_data(req, struct simple_resolve_group_state);

    ret = be_get_account_info_recv(subreq, state,
                                   &dp_err_maj, &dp_err_min, &dp_err_msg);
    talloc_zfree(subreq);
    if (ret != EOK) {
        DEBUG(SSSDBG_OP_FAILURE, "be_get_account_info_recv failed\n");
        tevent_req_error(req, ret);
        return;
    }

    if (dp_err_maj != 0) {
        DEBUG(SSSDBG_MINOR_FAILURE,
              "Cannot refresh data from DP: %u,%u: %s\n",
              dp_err_maj, dp_err_min, dp_err_msg);
        tevent_req_error(req, EIO);
        return;
    }

    /* The backend answered; the cache should now hold the group. */
    ret = simple_resolve_group_check(state);
    if (ret == EOK) {
        tevent_req_done(req);
        return;
    }

    DEBUG(SSSDBG_OP_FAILURE, "Refresh failed\n");
    tevent_req_error(req, ret);
}
945173cae9e0f894a50aec717acea9399680fdd5bnicholes
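/* Collect the result of simple_resolve_group_send().
 *
 * On success *name receives a copy of the resolved group name allocated
 * on mem_ctx (the caller owns it).  Returns the request's error when it
 * failed, ENOMEM when the copy could not be allocated, EOK otherwise.
 *
 * The original returned EOK with *name == NULL when talloc_strdup()
 * failed, which would let a NULL slip into the group-name list the access
 * rules are matched against; the allocation is now checked.
 */
static errno_t
simple_resolve_group_recv(struct tevent_req *req,
                          TALLOC_CTX *mem_ctx,
                          const char **name)
{
    struct simple_resolve_group_state *state;

    state = tevent_req_data(req, struct simple_resolve_group_state);

    TEVENT_REQ_RETURN_ON_ERROR(req);

    *name = talloc_strdup(mem_ctx, state->name);
    if (*name == NULL) {
        return ENOMEM;
    }

    return EOK;
}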
abb33f4c0ab7b5e2a1b404b913776a3f5487d69bbnicholes
/* One group still to be resolved to a name: its GID and the domain the
 * lookup should run in. */
struct simple_group {
    struct sss_domain_info *domain;
    gid_t gid;
};
e4d36aa1eb0631a1b696c7a70d696f9c869bddccjwoolley
/* Per-request state of simple_check_get_groups_send(): gather the names
 * of all groups a user belongs to so the group rules can be evaluated. */
struct simple_check_groups_state {
    struct tevent_context *ev;
    struct simple_ctx *ctx;
    struct sss_domain_info *domain;     /* domain derived from the username */

    struct simple_group *lookup_groups; /* groups whose names still need resolving */
    size_t num_groups;
    size_t giter;                       /* presumably the index of the next lookup_groups entry to resolve -- confirm against the callback */

    const char **group_names;           /* NULL-terminated; sized for the supplemental groups plus the primary group */
    size_t num_names;
};
945173cae9e0f894a50aec717acea9399680fdd5bnicholes
/* Forward declarations for the group-gathering request: the per-group
 * completion callback, the primary-group handling and the per-entry
 * processing used by simple_check_get_groups_send(). */
static void simple_check_get_groups_next(struct tevent_req *subreq);

static errno_t
simple_check_get_groups_primary(struct simple_check_groups_state *state,
                                gid_t gid);
static errno_t
simple_check_process_group(struct simple_check_groups_state *state,
                           struct ldb_message *group);
945173cae9e0f894a50aec717acea9399680fdd5bnicholes
945173cae9e0f894a50aec717acea9399680fdd5bnicholesstatic struct tevent_req *
945173cae9e0f894a50aec717acea9399680fdd5bnicholessimple_check_get_groups_send(TALLOC_CTX *mem_ctx,
945173cae9e0f894a50aec717acea9399680fdd5bnicholes struct tevent_context *ev,
945173cae9e0f894a50aec717acea9399680fdd5bnicholes struct simple_ctx *ctx,
945173cae9e0f894a50aec717acea9399680fdd5bnicholes const char *username)
7858523f0ca7d8d4365f6639fdb79b5200eff7bbbnicholes{
7858523f0ca7d8d4365f6639fdb79b5200eff7bbbnicholes errno_t ret;
8ab4d23ce5b402430c92e7540a1953523afbae4fbnicholes struct tevent_req *req;
945173cae9e0f894a50aec717acea9399680fdd5bnicholes struct tevent_req *subreq;
945173cae9e0f894a50aec717acea9399680fdd5bnicholes struct simple_check_groups_state *state;
b6215bd93a599b7962b7ed6387b4990de3a8adb5bnicholes const char *attrs[] = { SYSDB_NAME, SYSDB_POSIX, SYSDB_GIDNUM,
b6215bd93a599b7962b7ed6387b4990de3a8adb5bnicholes SYSDB_SID_STR, NULL };
b6215bd93a599b7962b7ed6387b4990de3a8adb5bnicholes size_t group_count;
b6215bd93a599b7962b7ed6387b4990de3a8adb5bnicholes struct ldb_message *user;
b89b35cce5ae706ee1ec75425799edf7f694f7fbbnicholes struct ldb_message **groups;
b89b35cce5ae706ee1ec75425799edf7f694f7fbbnicholes int i;
185aa71728867671e105178b4c66fbc22b65ae26sf gid_t gid;
b89b35cce5ae706ee1ec75425799edf7f694f7fbbnicholes
b89b35cce5ae706ee1ec75425799edf7f694f7fbbnicholes req = tevent_req_create(mem_ctx, &state,
b89b35cce5ae706ee1ec75425799edf7f694f7fbbnicholes struct simple_check_groups_state);
b6215bd93a599b7962b7ed6387b4990de3a8adb5bnicholes if (!req) return NULL;
b89b35cce5ae706ee1ec75425799edf7f694f7fbbnicholes
b6215bd93a599b7962b7ed6387b4990de3a8adb5bnicholes state->ev = ev;
b6215bd93a599b7962b7ed6387b4990de3a8adb5bnicholes state->ctx = ctx;
b6215bd93a599b7962b7ed6387b4990de3a8adb5bnicholes
b6215bd93a599b7962b7ed6387b4990de3a8adb5bnicholes DEBUG(SSSDBG_TRACE_LIBS, "Looking up groups for user %s\n", username);
b6215bd93a599b7962b7ed6387b4990de3a8adb5bnicholes
945173cae9e0f894a50aec717acea9399680fdd5bnicholes /* get domain from username */
945173cae9e0f894a50aec717acea9399680fdd5bnicholes state->domain = find_subdomain_by_object_name(ctx->domain, username);
b6215bd93a599b7962b7ed6387b4990de3a8adb5bnicholes if (state->domain == NULL) {
b6215bd93a599b7962b7ed6387b4990de3a8adb5bnicholes DEBUG(SSSDBG_CRIT_FAILURE, "Invalid user %s!\n", username);
b6215bd93a599b7962b7ed6387b4990de3a8adb5bnicholes ret = EINVAL;
b6215bd93a599b7962b7ed6387b4990de3a8adb5bnicholes goto done;
b6215bd93a599b7962b7ed6387b4990de3a8adb5bnicholes }
b6215bd93a599b7962b7ed6387b4990de3a8adb5bnicholes
b6215bd93a599b7962b7ed6387b4990de3a8adb5bnicholes ret = sysdb_search_user_by_name(state, state->domain, username, attrs,
b6215bd93a599b7962b7ed6387b4990de3a8adb5bnicholes &user);
b6215bd93a599b7962b7ed6387b4990de3a8adb5bnicholes if (ret == ENOENT) {
b6215bd93a599b7962b7ed6387b4990de3a8adb5bnicholes DEBUG(SSSDBG_MINOR_FAILURE, "No such user %s\n", username);
b6215bd93a599b7962b7ed6387b4990de3a8adb5bnicholes ret = ERR_ACCOUNT_UNKNOWN;
b6215bd93a599b7962b7ed6387b4990de3a8adb5bnicholes goto done;
b6215bd93a599b7962b7ed6387b4990de3a8adb5bnicholes } else if (ret != EOK) {
b6215bd93a599b7962b7ed6387b4990de3a8adb5bnicholes DEBUG(SSSDBG_OP_FAILURE,
b6215bd93a599b7962b7ed6387b4990de3a8adb5bnicholes "Could not look up username [%s]: [%d][%s]\n",
b6215bd93a599b7962b7ed6387b4990de3a8adb5bnicholes username, ret, sss_strerror(ret));
b6215bd93a599b7962b7ed6387b4990de3a8adb5bnicholes goto done;
b6215bd93a599b7962b7ed6387b4990de3a8adb5bnicholes }
b6215bd93a599b7962b7ed6387b4990de3a8adb5bnicholes
b6215bd93a599b7962b7ed6387b4990de3a8adb5bnicholes ret = sysdb_asq_search(state, state->domain,
66a6ca2064281d93f6b7e8393ca2622458e21ed3bnicholes user->dn, NULL, SYSDB_MEMBEROF,
b6215bd93a599b7962b7ed6387b4990de3a8adb5bnicholes attrs, &group_count, &groups);
66a6ca2064281d93f6b7e8393ca2622458e21ed3bnicholes if (ret != EOK) {
b6215bd93a599b7962b7ed6387b4990de3a8adb5bnicholes goto done;
1fbf6ba0f5207e6637b49f9a9dfcc779bbe952a9trawick }
b6215bd93a599b7962b7ed6387b4990de3a8adb5bnicholes
66a6ca2064281d93f6b7e8393ca2622458e21ed3bnicholes DEBUG(SSSDBG_TRACE_FUNC,
66a6ca2064281d93f6b7e8393ca2622458e21ed3bnicholes "User %s is a member of %zu supplemental groups\n",
b6215bd93a599b7962b7ed6387b4990de3a8adb5bnicholes username, group_count);
e8f95a682820a599fe41b22977010636be5c2717jim
b6215bd93a599b7962b7ed6387b4990de3a8adb5bnicholes /* One extra space for terminator, one extra space for private group */
b6215bd93a599b7962b7ed6387b4990de3a8adb5bnicholes state->group_names = talloc_zero_array(state, const char *, group_count + 2);
65a99b1db8af484b996b11cd3a73e3192bce145dbnicholes state->lookup_groups = talloc_zero_array(state, struct simple_group,
b6215bd93a599b7962b7ed6387b4990de3a8adb5bnicholes group_count + 2);
b6215bd93a599b7962b7ed6387b4990de3a8adb5bnicholes if (!state->group_names || !state->lookup_groups) {
b6215bd93a599b7962b7ed6387b4990de3a8adb5bnicholes ret = ENOMEM;
b6215bd93a599b7962b7ed6387b4990de3a8adb5bnicholes goto done;
b6215bd93a599b7962b7ed6387b4990de3a8adb5bnicholes }
b6215bd93a599b7962b7ed6387b4990de3a8adb5bnicholes
66a6ca2064281d93f6b7e8393ca2622458e21ed3bnicholes for (i=0; i < group_count; i++) {
945173cae9e0f894a50aec717acea9399680fdd5bnicholes /* Some providers (like the AD provider) might perform initgroups
66a6ca2064281d93f6b7e8393ca2622458e21ed3bnicholes * without resolving the group names. In order for the simple access
66a6ca2064281d93f6b7e8393ca2622458e21ed3bnicholes * provider to work correctly, we need to resolve the groups before
66a6ca2064281d93f6b7e8393ca2622458e21ed3bnicholes * performing the access check. In AD provider, the situation is
abb33f4c0ab7b5e2a1b404b913776a3f5487d69bbnicholes * even more tricky b/c the groups HAVE name, but their name
9179fa90e821c964d10f28b97fc6acee776af7cfwrowe * attribute is set to SID and they are set as non-POSIX
b6215bd93a599b7962b7ed6387b4990de3a8adb5bnicholes */
b6215bd93a599b7962b7ed6387b4990de3a8adb5bnicholes ret = simple_check_process_group(state, groups[i]);
b6215bd93a599b7962b7ed6387b4990de3a8adb5bnicholes if (ret != EOK) {
b6215bd93a599b7962b7ed6387b4990de3a8adb5bnicholes goto done;
b6215bd93a599b7962b7ed6387b4990de3a8adb5bnicholes }
b6215bd93a599b7962b7ed6387b4990de3a8adb5bnicholes }
8ab4d23ce5b402430c92e7540a1953523afbae4fbnicholes
abb33f4c0ab7b5e2a1b404b913776a3f5487d69bbnicholes gid = ldb_msg_find_attr_as_uint64(user, SYSDB_GIDNUM, 0);
abb33f4c0ab7b5e2a1b404b913776a3f5487d69bbnicholes if (!gid) {
b6215bd93a599b7962b7ed6387b4990de3a8adb5bnicholes DEBUG(SSSDBG_MINOR_FAILURE, "User %s has no gid?\n", username);
65a99b1db8af484b996b11cd3a73e3192bce145dbnicholes ret = EINVAL;
4ceb1c7cc31a6fa57903b73d23201f84ba41727ebnicholes goto done;
b6215bd93a599b7962b7ed6387b4990de3a8adb5bnicholes }
65a99b1db8af484b996b11cd3a73e3192bce145dbnicholes
a4b7c1da4db700744951841a7424809a3025e9b8clar ret = simple_check_get_groups_primary(state, gid);
65a99b1db8af484b996b11cd3a73e3192bce145dbnicholes if (ret != EOK) {
65a99b1db8af484b996b11cd3a73e3192bce145dbnicholes goto done;
b6215bd93a599b7962b7ed6387b4990de3a8adb5bnicholes }
65a99b1db8af484b996b11cd3a73e3192bce145dbnicholes
65a99b1db8af484b996b11cd3a73e3192bce145dbnicholes if (state->num_groups == 0) {
65a99b1db8af484b996b11cd3a73e3192bce145dbnicholes /* If all groups could have been resolved by name, we are
65a99b1db8af484b996b11cd3a73e3192bce145dbnicholes * done
65a99b1db8af484b996b11cd3a73e3192bce145dbnicholes */
65a99b1db8af484b996b11cd3a73e3192bce145dbnicholes DEBUG(SSSDBG_TRACE_FUNC, "All groups had name attribute\n");
9558e9fdb620dd6f42ca93beac6c3ab734086706bnicholes ret = EOK;
65a99b1db8af484b996b11cd3a73e3192bce145dbnicholes goto done;
65a99b1db8af484b996b11cd3a73e3192bce145dbnicholes }
4ceb1c7cc31a6fa57903b73d23201f84ba41727ebnicholes
4ceb1c7cc31a6fa57903b73d23201f84ba41727ebnicholes DEBUG(SSSDBG_TRACE_FUNC, "Need to resolve %zu groups\n",
4ceb1c7cc31a6fa57903b73d23201f84ba41727ebnicholes state->num_groups);
4ceb1c7cc31a6fa57903b73d23201f84ba41727ebnicholes state->giter = 0;
4ceb1c7cc31a6fa57903b73d23201f84ba41727ebnicholes subreq = simple_resolve_group_send(req, state->ev, state->ctx,
4ceb1c7cc31a6fa57903b73d23201f84ba41727ebnicholes state->lookup_groups[state->giter].domain,
4ceb1c7cc31a6fa57903b73d23201f84ba41727ebnicholes state->lookup_groups[state->giter].gid);
4ceb1c7cc31a6fa57903b73d23201f84ba41727ebnicholes if (!subreq) {
4ceb1c7cc31a6fa57903b73d23201f84ba41727ebnicholes ret = ENOMEM;
4ceb1c7cc31a6fa57903b73d23201f84ba41727ebnicholes goto done;
4ceb1c7cc31a6fa57903b73d23201f84ba41727ebnicholes }
4ceb1c7cc31a6fa57903b73d23201f84ba41727ebnicholes tevent_req_set_callback(subreq, simple_check_get_groups_next, req);
4ceb1c7cc31a6fa57903b73d23201f84ba41727ebnicholes
185aa71728867671e105178b4c66fbc22b65ae26sf return req;
1fbf6ba0f5207e6637b49f9a9dfcc779bbe952a9trawick
e8f95a682820a599fe41b22977010636be5c2717jimdone:
c2d0a204f2777824f9c49c30296cfc2ae8ff4b0bjwoolley if (ret == EOK) {
65a99b1db8af484b996b11cd3a73e3192bce145dbnicholes tevent_req_done(req);
9558e9fdb620dd6f42ca93beac6c3ab734086706bnicholes } else {
65a99b1db8af484b996b11cd3a73e3192bce145dbnicholes tevent_req_error(req, ret);
185aa71728867671e105178b4c66fbc22b65ae26sf }
1fbf6ba0f5207e6637b49f9a9dfcc779bbe952a9trawick tevent_req_post(req, ev);
c2d0a204f2777824f9c49c30296cfc2ae8ff4b0bjwoolley return req;
abb33f4c0ab7b5e2a1b404b913776a3f5487d69bbnicholes}
945173cae9e0f894a50aec717acea9399680fdd5bnicholes
/* Completion callback for one simple_resolve_group_send() step.
 *
 * Stores the resolved name into the next free slot of state->group_names,
 * then either fires the lookup for the following entry of
 * state->lookup_groups or finishes the request once every queued entry has
 * been resolved. Any resolution failure ends the whole request with an
 * error: the group list is then incomplete and the caller must not treat it
 * as a valid basis for an access decision.
 */
static void simple_check_get_groups_next(struct tevent_req *subreq)
{
    struct tevent_req *req;
    struct simple_check_groups_state *state;
    struct simple_group *cur;
    errno_t ret;

    req = tevent_req_callback_data(subreq, struct tevent_req);
    state = tevent_req_data(req, struct simple_check_groups_state);
    cur = &state->lookup_groups[state->giter];

    /* The resolved name is allocated on the group_names array itself so
     * its ownership follows the array when the array is later stolen by
     * the receiver. */
    ret = simple_resolve_group_recv(subreq, state->group_names,
                                    &state->group_names[state->num_names]);
    talloc_zfree(subreq);
    if (ret != EOK) {
        DEBUG(SSSDBG_OP_FAILURE,
              "Could not resolve name of group with GID %"SPRIgid"\n",
              cur->gid);
        tevent_req_error(req, ret);
        return;
    }

    state->num_names++;
    state->giter++;

    if (state->giter >= state->num_groups) {
        DEBUG(SSSDBG_TRACE_INTERNAL, "All groups resolved. Done.\n");
        tevent_req_done(req);
        return;
    }

    /* More non-POSIX groups left to resolve: chain the next lookup. */
    cur = &state->lookup_groups[state->giter];
    subreq = simple_resolve_group_send(req, state->ev, state->ctx,
                                       cur->domain, cur->gid);
    if (subreq == NULL) {
        tevent_req_error(req, ENOMEM);
        return;
    }
    tevent_req_set_callback(subreq, simple_check_get_groups_next, req);
}
945173cae9e0f894a50aec717acea9399680fdd5bnicholes
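/* Copy a group name into the next free slot of state->group_names.
 *
 * Relies on the caller having sized the array for every supplemental
 * group plus the primary group plus a NULL terminator, with each group
 * processed exactly once; no separate bounds check is performed here.
 * Returns EOK or ENOMEM.
 */
static errno_t
simple_check_add_group_name(struct simple_check_groups_state *state,
                            const char *name)
{
    state->group_names[state->num_names] = talloc_strdup(state->group_names,
                                                         name);
    if (state->group_names[state->num_names] == NULL) {
        return ENOMEM;
    }
    DEBUG(SSSDBG_TRACE_INTERNAL, "Adding group %s\n", name);
    state->num_names++;
    return EOK;
}

/* Classify one cached group object for the access check.
 *
 * Groups that already carry a usable name (POSIX groups, and non-POSIX
 * groups without a GID) are appended to state->group_names directly.
 * Non-POSIX groups that do have a GID are queued in state->lookup_groups so
 * their real name can be resolved asynchronously (their name attribute may
 * hold a SID); the domain used for that lookup is derived from the group's
 * SID when one is present, otherwise the main domain is assumed.
 *
 * Returns EOK, ENOMEM, EINVAL for a group object that violates the sysdb
 * layout (no name, or a POSIX group without a GID), or ENOENT when the
 * group's SID does not map to any known domain. Every error is propagated
 * so that the caller never takes an access decision on a partial group
 * list.
 */
static errno_t
simple_check_process_group(struct simple_check_groups_state *state,
                           struct ldb_message *group)
{
    const char *name;
    const char *group_sid;
    struct sss_domain_info *domain;
    gid_t gid;
    bool posix;

    posix = is_posix(group);
    name = ldb_msg_find_attr_as_string(group, SYSDB_NAME, NULL);
    gid = ldb_msg_find_attr_as_uint64(group, SYSDB_GIDNUM, 0);

    /* With the current sysdb layout, every group has a name. Log the
     * violation instead of failing silently. */
    if (name == NULL) {
        DEBUG(SSSDBG_CRIT_FAILURE, "Group object without a name\n");
        return EINVAL;
    }

    if (gid == 0 && posix) {
        DEBUG(SSSDBG_CRIT_FAILURE, "POSIX group without GID\n");
        return EINVAL;
    }

    /* A POSIX group, or a non-POSIX group with no GID, already carries the
     * name the access rules refer to (a non-POSIX group without a GID keeps
     * its real name rather than a SID). */
    if (posix || gid == 0) {
        return simple_check_add_group_name(state, name);
    }

    /* Non-POSIX group with a GID: needs resolving. Pick the domain first. */
    group_sid = ldb_msg_find_attr_as_string(group, SYSDB_SID_STR, NULL);
    if (group_sid == NULL) {
        /* No SID available, so the lookup goes to the main domain. */
        domain = state->ctx->domain;
    } else {
        domain = find_subdomain_by_sid(state->ctx->domain, group_sid);
        if (domain == NULL) {
            DEBUG(SSSDBG_CRIT_FAILURE, "There is no domain information for "
                  "SID %s\n", group_sid);
            return ENOENT;
        }
    }

    state->lookup_groups[state->num_groups].domain = domain;
    state->lookup_groups[state->num_groups].gid = gid;
    DEBUG(SSSDBG_TRACE_INTERNAL, "Adding GID %"SPRIgid"\n", gid);
    state->num_groups++;
    return EOK;
}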
945173cae9e0f894a50aec717acea9399680fdd5bnicholes
/* Add the user's primary group to the group list.
 *
 * The primary group is looked up by GID in the user's domain and handed to
 * simple_check_process_group(), which either records its name or queues it
 * for asynchronous resolution.
 *
 * A failed lookup is deliberately NOT an error: the primary group may be a
 * group local to the machine that the ID provider knows nothing about.
 * Operators should be aware of the consequence: a primary group that is
 * absent from the cache cannot contribute to the decision, so a deny_groups
 * entry naming it presumably cannot match for this user, while an
 * allow_groups entry naming it cannot grant (confirm against
 * simple_check_groups()). Note also that every sysdb error code, not just
 * ENOENT, is treated as "not found" here.
 *
 * Returns EOK, or the error from simple_check_process_group() when the
 * group was found but could not be processed.
 */
static errno_t
simple_check_get_groups_primary(struct simple_check_groups_state *state,
                                gid_t gid)
{
    const char *group_attrs[] = { SYSDB_NAME, SYSDB_POSIX,
                                  SYSDB_GIDNUM, SYSDB_SID_STR, NULL };
    struct ldb_message *msg = NULL;
    errno_t ret;

    ret = sysdb_search_group_by_gid(state, state->domain, gid, group_attrs,
                                    &msg);
    if (ret != EOK) {
        DEBUG(SSSDBG_OP_FAILURE,
              "Could not look up primary group [%"SPRIgid"]: [%d][%s]\n",
              gid, ret, sss_strerror(ret));
        /* Non-fatal, see above: the primary group may not be known to
         * our ID provider at all. */
        return EOK;
    }

    ret = simple_check_process_group(state, msg);
    if (ret != EOK) {
        DEBUG(SSSDBG_OP_FAILURE, "Cannot process primary group\n");
    }

    return ret;
}
7858523f0ca7d8d4365f6639fdb79b5200eff7bbbnicholes
/* Receive the result of simple_check_get_groups_send().
 *
 * On success, ownership of the NULL-terminated array of group names is
 * moved to mem_ctx and the array is returned through _group_names. On
 * failure the request's error code is returned and *_group_names is left
 * untouched.
 */
static errno_t
simple_check_get_groups_recv(struct tevent_req *req,
                             TALLOC_CTX *mem_ctx,
                             const char ***_group_names)
{
    struct simple_check_groups_state *state =
            tevent_req_data(req, struct simple_check_groups_state);

    TEVENT_REQ_RETURN_ON_ERROR(req);

    *_group_names = talloc_steal(mem_ctx, state->group_names);

    return EOK;
}
7858523f0ca7d8d4365f6639fdb79b5200eff7bbbnicholes
/* Per-request state of simple_access_check_send(). */
struct simple_access_check_state {
    struct simple_ctx *ctx;     /* provider context holding the allow/deny lists */
    const char *username;       /* copy of the user being checked, owned by state */

    /* NULL-terminated group names gathered for the user; filled in by
     * simple_access_check_done() before the group check runs. */
    const char **group_names;

    /* The decision; starts out false and is only set by the checks. */
    bool access_granted;
};
7858523f0ca7d8d4365f6639fdb79b5200eff7bbbnicholes
185aa71728867671e105178b4c66fbc22b65ae26sfstatic void simple_access_check_done(struct tevent_req *subreq);
3fa816e4832a1c70600bdfd6fc5ef60e9f1c18bbsf
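/* Start the simple access check for username.
 *
 * Decision order:
 *   1. simple_check_users() evaluates the user allow/deny lists. EOK means
 *      it reached a final decision (left in state->access_granted); EAGAIN
 *      means the group lists still have to be consulted. Any other return
 *      is reported to the caller as ERR_INTERNAL; the original code is
 *      logged here because the mapping would otherwise discard it.
 *   2. With neither allow_groups nor deny_groups configured the request
 *      completes with whatever was decided in step 1.
 *   3. Otherwise the user's group names are gathered asynchronously via
 *      simple_check_get_groups_send() and the group check runs in
 *      simple_access_check_done().
 *
 * Returns the tevent request, or NULL if it could not be allocated.
 * Immediate completions go through tevent_req_post().
 */
struct tevent_req *simple_access_check_send(TALLOC_CTX *mem_ctx,
                                            struct tevent_context *ev,
                                            struct simple_ctx *ctx,
                                            const char *username)
{
    errno_t ret;
    struct tevent_req *req;
    struct tevent_req *subreq;
    struct simple_access_check_state *state;

    req = tevent_req_create(mem_ctx, &state,
                            struct simple_access_check_state);
    if (!req) return NULL;

    state->access_granted = false;
    state->ctx = ctx;
    state->username = talloc_strdup(state, username);
    if (!state->username) {
        ret = ENOMEM;
        goto immediate;
    }

    DEBUG(SSSDBG_FUNC_DATA, "Simple access check for %s\n", username);

    ret = simple_check_users(ctx, username, &state->access_granted);
    if (ret == EOK) {
        goto immediate;
    } else if (ret != EAGAIN) {
        /* Keep the real cause in the log; the caller only sees
         * ERR_INTERNAL and cannot diagnose the failed check otherwise. */
        DEBUG(SSSDBG_OP_FAILURE,
              "Could not check user access for %s [%d]: %s\n",
              username, ret, sss_strerror(ret));
        ret = ERR_INTERNAL;
        goto immediate;
    }

    /* EAGAIN -- check groups */

    if (!ctx->allow_groups && !ctx->deny_groups) {
        /* There are no group restrictions, so just return
         * here with whatever we've decided.
         */
        DEBUG(SSSDBG_TRACE_LIBS, "No group restrictions, end request\n");
        ret = EOK;
        goto immediate;
    }

    /* The group names might not be available. Fire a request to
     * gather them. In most cases, the request will just shortcut
     */
    subreq = simple_check_get_groups_send(state, ev, ctx, username);
    if (!subreq) {
        ret = ENOMEM;
        goto immediate;
    }
    tevent_req_set_callback(subreq, simple_access_check_done, req);

    return req;

immediate:
    if (ret == EOK) {
        tevent_req_done(req);
    } else {
        tevent_req_error(req, ret);
    }
    tevent_req_post(req, ev);
    return req;
}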
2eb905c271e33af72f0a31c9a818169e65ece8c6bnicholes
2eb905c271e33af72f0a31c9a818169e65ece8c6bnicholes
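/* Completion callback for the group lookup started in
 * simple_access_check_send(): evaluates the group allow/deny lists and
 * finishes the request.
 *
 * Error mapping:
 *   - ENOENT from the group lookup becomes an explicit denial. A missing
 *     user is reported by the lookup as ERR_ACCOUNT_UNKNOWN rather than
 *     ENOENT, so this branch covers cases such as a group SID with no
 *     matching domain; denying (instead of erroring) keeps the check
 *     fail-closed while still completing the request normally. The denial
 *     is logged so it can be distinguished from a policy-based one.
 *   - Any other lookup error, and any failure of simple_check_groups()
 *     (surfaced as ERR_INTERNAL), fails the request: no access decision is
 *     taken on incomplete group data.
 */
static void simple_access_check_done(struct tevent_req *subreq)
{
    struct tevent_req *req =
            tevent_req_callback_data(subreq, struct tevent_req);
    struct simple_access_check_state *state =
            tevent_req_data(req, struct simple_access_check_state);
    errno_t ret;

    /* We know the names now. Run the check. */
    ret = simple_check_get_groups_recv(subreq, state, &state->group_names);
    talloc_zfree(subreq);
    if (ret == ENOENT) {
        /* Group information is incomplete; deny rather than guess, and say
         * so, since a silent denial is hard to troubleshoot. */
        DEBUG(SSSDBG_MINOR_FAILURE,
              "Group information for user %s is incomplete, denying access\n",
              state->username);
        state->access_granted = false;
        tevent_req_done(req);
        return;
    } else if (ret != EOK) {
        DEBUG(SSSDBG_OP_FAILURE,
              "Could not collect groups of user %s\n", state->username);
        tevent_req_error(req, ret);
        return;
    }

    ret = simple_check_groups(state->ctx, state->group_names,
                              &state->access_granted);
    if (ret != EOK) {
        DEBUG(SSSDBG_OP_FAILURE, "Could not check group access [%d]: %s\n",
              ret, sss_strerror(ret));
        tevent_req_error(req, ERR_INTERNAL);
        return;
    }

    /* Now just return whatever we decided */
    DEBUG(SSSDBG_TRACE_INTERNAL, "Group check done\n");
    tevent_req_done(req);
}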
2eb905c271e33af72f0a31c9a818169e65ece8c6bnicholes
/* Receive the result of simple_access_check_send().
 *
 * Returns EOK and stores the decision in *access_granted (when the pointer
 * is non-NULL), or the request's error code, in which case *access_granted
 * is not written and the caller must not interpret the outcome as an
 * access decision.
 */
errno_t simple_access_check_recv(struct tevent_req *req, bool *access_granted)
{
    struct simple_access_check_state *state;

    state = tevent_req_data(req, struct simple_access_check_state);

    TEVENT_REQ_RETURN_ON_ERROR(req);

    DEBUG(SSSDBG_TRACE_LIBS,
          "Access %sgranted\n", state->access_granted ? "" : "not ");
    if (access_granted != NULL) {
        *access_granted = state->access_granted;
    }

    return EOK;
}
abb33f4c0ab7b5e2a1b404b913776a3f5487d69bbnicholes