authorPavel Reichl <preichl@redhat.com>2015-04-20 11:33:29 -0400
committerJakub Hrozek <jhrozek@redhat.com>2015-04-28 11:58:53 +0200
commit82a958e6592c4a4078e45b7197bbe4751b70f511 (patch)
tree544bc2dbd7da242f2d663b508f17bf9f13103cf5
parent605dc7fcc848dffb7c9d270c864c70e6dff1242e (diff)
downloadsssd-82a958e6592c4a4078e45b7197bbe4751b70f511.tar.gz
sssd-82a958e6592c4a4078e45b7197bbe4751b70f511.tar.xz
sssd-82a958e6592c4a4078e45b7197bbe4751b70f511.zip
simple-access-provider: make user grp res more robust
Not all of the user's groups need to be resolved if the group deny list is empty. Resolves: https://fedorahosted.org/sssd/ticket/2519 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-rw-r--r--src/providers/simple/simple_access_check.c26
-rw-r--r--src/util/util_errors.c1
-rw-r--r--src/util/util_errors.h1
3 files changed, 24 insertions, 4 deletions
diff --git a/src/providers/simple/simple_access_check.c b/src/providers/simple/simple_access_check.c
index c8217f6d4..14d833be2 100644
--- a/src/providers/simple/simple_access_check.c
+++ b/src/providers/simple/simple_access_check.c
@@ -395,6 +395,8 @@ struct simple_check_groups_state {
const char **group_names;
size_t num_names;
+
+ bool failed_to_resolve_groups;
};
static void simple_check_get_groups_next(struct tevent_req *subreq);
@@ -430,6 +432,7 @@ simple_check_get_groups_send(TALLOC_CTX *mem_ctx,
state->ev = ev;
state->ctx = ctx;
+ state->failed_to_resolve_groups = false;
DEBUG(SSSDBG_TRACE_LIBS, "Looking up groups for user %s\n", username);
@@ -548,11 +551,10 @@ static void simple_check_get_groups_next(struct tevent_req *subreq)
DEBUG(SSSDBG_OP_FAILURE,
"Could not resolve name of group with GID %"SPRIgid"\n",
state->lookup_groups[state->giter].gid);
- tevent_req_error(req, ret);
- return;
+ state->failed_to_resolve_groups = true;
+ } else {
+ state->num_names++;
}
-
- state->num_names++;
state->giter++;
if (state->giter < state->num_groups) {
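Review bot: The rewritten error branch now treats whatever failure reached it as an unresolvable group, because `ret` is no longer passed to `tevent_req_error()` and only `state->failed_to_resolve_groups = true;` records it. The condition guarding this branch is outside the hunk, so if it is a plain `ret != EOK`, allocation or backend errors would also be folded into ERR_SIMPLE_GROUPS_MISSING and could be let through when no deny groups are configured. Consider continuing only for the not-found case and keeping the hard failure for everything else, with a comment such as `/* Skip the unresolvable group; the caller decides whether a partial list is acceptable. */`. The body of simple_check_get_groups_next starts and ends outside the hunk.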
@@ -686,6 +688,9 @@ simple_check_get_groups_recv(struct tevent_req *req,
TEVENT_REQ_RETURN_ON_ERROR(req);
*_group_names = talloc_steal(mem_ctx, state->group_names);
+ if (state->failed_to_resolve_groups) {
+ return ERR_SIMPLE_GROUPS_MISSING;
+ }
return EOK;
}
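Review bot: simple_check_get_groups_recv now returns a non-zero code after it has already filled `*_group_names`, and nothing documents that the output is valid but incomplete in that case. A comment above the new check would help, for example `/* The list is still handed to the caller, but it is incomplete. */`, so that later callers neither treat the list as authoritative nor discard it on error. The function's signature begins outside the hunk.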
@@ -775,12 +780,25 @@ static void simple_access_check_done(struct tevent_req *subreq)
/* We know the names now. Run the check. */
ret = simple_check_get_groups_recv(subreq, state, &state->group_names);
+
talloc_zfree(subreq);
if (ret == ENOENT) {
/* If the user wasn't found, just shortcut */
state->access_granted = false;
tevent_req_done(req);
return;
+ } else if (ret == ERR_SIMPLE_GROUPS_MISSING) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Could not collect groups of user %s\n", state->username);
+ if (state->ctx->deny_groups == NULL) {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "But no deny groups were defined so we can continue.\n");
+ } else {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Some deny groups were defined, we can't continue\n");
+ tevent_req_error(req, ret);
+ return;
+ }
} else if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE,
"Could not collect groups of user %s\n", state->username);
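Review bot: The new ERR_SIMPLE_GROUPS_MISSING branch makes an access decision on an incomplete group list, and the reason that is safe is not written down. As far as the visible lines show, it relies on a missing group only ever causing a false deny under allow rules, so I would add `/* A partial list can only hide a membership; without deny groups that can never grant access. */` above the `deny_groups == NULL` test. That test also assumes an empty deny list is always stored as NULL rather than as an empty array, which should be confirmed against the code that loads the configuration. The first DEBUG in the branch repeats the message of the generic `ret != EOK` branch at SSSDBG_OP_FAILURE even when the request goes on to succeed; a distinct message or a lower level would keep the logs easier to triage. simple_access_check_done continues outside the hunk.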
diff --git a/src/util/util_errors.c b/src/util/util_errors.c
index ac08f6277..62d580fe8 100644
--- a/src/util/util_errors.c
+++ b/src/util/util_errors.c
@@ -72,6 +72,7 @@ struct err_string error_to_str[] = {
{ "Invalid SSSD configuration detected." }, /* ERR_INVALID_CONFIG */
{ "Malformed cache entry" }, /* ERR_MALFORMED_ENTRY */
{ "Unexpected cache entry type" }, /* ERR_UNEXPECTED_ENTRY_TYPE */
+ { "Failed to resolve one of user groups." }, /* ERR_SIMPLE_GROUPS_MISSING */
{ "ERR_LAST" } /* ERR_LAST */
};
diff --git a/src/util/util_errors.h b/src/util/util_errors.h
index c03274ce2..c8293a4c6 100644
--- a/src/util/util_errors.h
+++ b/src/util/util_errors.h
@@ -94,6 +94,7 @@ enum sssd_errors {
ERR_INVALID_CONFIG,
ERR_MALFORMED_ENTRY,
ERR_UNEXPECTED_ENTRY_TYPE,
+ ERR_SIMPLE_GROUPS_MISSING,
ERR_LAST /* ALWAYS LAST */
};