authorJakub Hrozek <jhrozek@redhat.com>2015-03-16 11:48:39 +0100
committerJakub Hrozek <jhrozek@redhat.com>2015-03-24 21:03:41 +0100
commit6dff95bdfe437afc0b62b5270d0d84140981c786 (patch)
tree887f95d15a683e3677d9dfa4e396ba1f9218eee7
parentfdfe33975cd902bf7a334e49f2667f6346c4e6ae (diff)
downloadsssd-6dff95bdfe437afc0b62b5270d0d84140981c786.tar.gz
sssd-6dff95bdfe437afc0b62b5270d0d84140981c786.tar.xz
sssd-6dff95bdfe437afc0b62b5270d0d84140981c786.zip
IPA: Remove the ipa_hbac_treat_deny_as option
https://fedorahosted.org/sssd/ticket/2603 Since deny rules are no longer supported on the server, the client should no longer support them either. Remove the option. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
-rw-r--r--src/config/SSSDConfig/__init__.py.in1
-rw-r--r--src/config/etc/sssd.api.d/sssd-ipa.conf1
-rw-r--r--src/man/sssd-ipa.5.xml28
-rw-r--r--src/providers/ipa/ipa_access.c14
-rw-r--r--src/providers/ipa/ipa_access.h1
-rw-r--r--src/providers/ipa/ipa_common.h1
-rw-r--r--src/providers/ipa/ipa_hbac_common.c49
-rw-r--r--src/providers/ipa/ipa_hbac_rules.c29
-rw-r--r--src/providers/ipa/ipa_hbac_rules.h1
-rw-r--r--src/providers/ipa/ipa_opts.h1
-rw-r--r--src/providers/ipa/ipa_selinux.c2
11 files changed, 19 insertions, 109 deletions
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index dbbffebf3..31c9c6480 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -160,7 +160,6 @@ option_strings = {
'ipa_hbac_search_base' : _("Search base for HBAC related objects"),
'ipa_hbac_refresh' : _("The amount of time between lookups of the HBAC rules against the IPA server"),
'ipa_selinux_refresh' : _("The amount of time in seconds between lookups of the SELinux maps against the IPA server"),
- 'ipa_hbac_treat_deny_as' : _("If DENY rules are present, either DENY_ALL or IGNORE"),
'ipa_hbac_support_srchost' : _("If set to false, host argument given by PAM will be ignored"),
'ipa_automount_location' : _("The automounter location this IPA client is using"),
'ipa_master_domain_search_base': _("Search base for object containing info about IPA domain"),
diff --git a/src/config/etc/sssd.api.d/sssd-ipa.conf b/src/config/etc/sssd.api.d/sssd-ipa.conf
index 2a3b7ef15..230bdd7df 100644
--- a/src/config/etc/sssd.api.d/sssd-ipa.conf
+++ b/src/config/etc/sssd.api.d/sssd-ipa.conf
@@ -159,7 +159,6 @@ krb5_use_enterprise_principal = bool, None, false
[provider/ipa/access]
ipa_hbac_refresh = int, None, false
ipa_selinux_refresh = int, None, false
-ipa_hbac_treat_deny_as = str, None, false
ipa_hbac_support_srchost = bool, None, false
ipa_host_object_class = str, None, false
ipa_host_name = str, None, false
diff --git a/src/man/sssd-ipa.5.xml b/src/man/sssd-ipa.5.xml
index 77cb9aac5..0716b6235 100644
--- a/src/man/sssd-ipa.5.xml
+++ b/src/man/sssd-ipa.5.xml
@@ -500,34 +500,6 @@
</varlistentry>
<varlistentry>
- <term>ipa_hbac_treat_deny_as (string)</term>
- <listitem>
- <para>
- This option specifies how to treat the deprecated
- DENY-type HBAC rules. As of FreeIPA v2.1, DENY
- rules are no longer supported on the server. All
- users of FreeIPA will need to migrate their rules
- to use only the ALLOW rules. The client will
- support two modes of operation during this
- transition period:
- </para>
- <para>
- <emphasis>DENY_ALL</emphasis>: If any HBAC DENY
- rules are detected, all users will be denied
- access.
- </para>
- <para>
- <emphasis>IGNORE</emphasis>: SSSD will ignore any
- DENY rules. Be very careful with this option, as
- it may result in opening unintended access.
- </para>
- <para>
- Default: DENY_ALL
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
<term>ipa_server_mode (boolean)</term>
<listitem>
<para>
diff --git a/src/providers/ipa/ipa_access.c b/src/providers/ipa/ipa_access.c
index d1ae18999..3198e2bd2 100644
--- a/src/providers/ipa/ipa_access.c
+++ b/src/providers/ipa/ipa_access.c
@@ -114,7 +114,6 @@ static void ipa_hbac_check(struct tevent_req *req)
struct be_ctx *be_ctx;
struct pam_data *pd;
struct hbac_ctx *hbac_ctx = NULL;
- const char *deny_method;
struct ipa_access_ctx *ipa_access_ctx;
int ret;
@@ -172,18 +171,6 @@ static void ipa_hbac_check(struct tevent_req *req)
goto fail;
}
- deny_method = dp_opt_get_string(hbac_ctx->ipa_options,
- IPA_HBAC_DENY_METHOD);
- if (strcasecmp(deny_method, "IGNORE") == 0) {
- hbac_ctx->get_deny_rules = false;
- } else {
- hbac_ctx->get_deny_rules = true;
- sss_log(SSS_LOG_NOTICE,
- "WARNING: Using deny rules is deprecated, the option "
- "ipa_hbac_treat_deny_as will be removed in the next "
- "upstream version\n");
- }
-
ret = hbac_retry(hbac_ctx);
if (ret != EOK) {
goto fail;
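Review bot: Removing the option lookup here also removes the only runtime notice an administrator got about `ipa_hbac_treat_deny_as`, so an existing sssd.conf that still sets it (including an explicit `DENY_ALL`) now silently gets the old `IGNORE` semantics. Whether the config loader rejects or warns on unknown keys is not visible in this diff; if it accepts them silently, a one-time `sss_log(SSS_LOG_NOTICE, ...)` when the key is present would keep the change from passing unnoticed on upgrade. A short comment above the `hbac_retry` call, such as `/* Only ALLOW rules are evaluated; DENY rules are unsupported and ignored. */`, would also record the new fixed policy where the option used to be read. ipa_hbac_check starts before and ends after this hunk.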
@@ -471,7 +458,6 @@ static void hbac_get_rule_info_step(struct tevent_req *req)
/* Get the list of applicable rules */
req = ipa_hbac_rule_info_send(hbac_ctx,
- hbac_ctx->get_deny_rules,
be_ctx->ev,
sdap_id_op_handle(hbac_ctx->sdap_op),
hbac_ctx->sdap_ctx->opts,
diff --git a/src/providers/ipa/ipa_access.h b/src/providers/ipa/ipa_access.h
index d3b78b0f8..024b57e7e 100644
--- a/src/providers/ipa/ipa_access.h
+++ b/src/providers/ipa/ipa_access.h
@@ -64,7 +64,6 @@ struct hbac_ctx {
struct sysdb_attrs *ipa_host;
/* Rules */
- bool get_deny_rules;
size_t rule_count;
struct sysdb_attrs **rules;
diff --git a/src/providers/ipa/ipa_common.h b/src/providers/ipa/ipa_common.h
index 33085197c..fb36c702b 100644
--- a/src/providers/ipa/ipa_common.h
+++ b/src/providers/ipa/ipa_common.h
@@ -47,7 +47,6 @@ enum ipa_basic_opt {
IPA_KRB5_REALM,
IPA_HBAC_REFRESH,
IPA_SELINUX_REFRESH,
- IPA_HBAC_DENY_METHOD,
IPA_HBAC_SUPPORT_SRCHOST,
IPA_AUTOMOUNT_LOCATION,
IPA_RANGES_SEARCH_BASE,
diff --git a/src/providers/ipa/ipa_hbac_common.c b/src/providers/ipa/ipa_hbac_common.c
index a7e338e99..72a620ef0 100644
--- a/src/providers/ipa/ipa_hbac_common.c
+++ b/src/providers/ipa/ipa_hbac_common.c
@@ -403,21 +403,18 @@ static errno_t
hbac_eval_user_element(TALLOC_CTX *mem_ctx,
struct sss_domain_info *domain,
const char *username,
- bool deny_rules,
struct hbac_request_element **user_element);
static errno_t
hbac_eval_service_element(TALLOC_CTX *mem_ctx,
struct sss_domain_info *domain,
const char *servicename,
- bool deny_rules,
struct hbac_request_element **svc_element);
static errno_t
hbac_eval_host_element(TALLOC_CTX *mem_ctx,
struct sss_domain_info *domain,
const char *hostname,
- bool deny_rules,
struct hbac_request_element **host_element);
static errno_t
@@ -456,18 +453,15 @@ hbac_ctx_to_eval_request(TALLOC_CTX *mem_ctx,
goto done;
}
ret = hbac_eval_user_element(eval_req, user_dom, pd->user,
- hbac_ctx->get_deny_rules,
&eval_req->user);
} else {
ret = hbac_eval_user_element(eval_req, domain, pd->user,
- hbac_ctx->get_deny_rules,
&eval_req->user);
}
if (ret != EOK) goto done;
/* Get the PAM service and service groups */
ret = hbac_eval_service_element(eval_req, domain, pd->service,
- hbac_ctx->get_deny_rules,
&eval_req->service);
if (ret != EOK) goto done;
@@ -484,7 +478,6 @@ hbac_ctx_to_eval_request(TALLOC_CTX *mem_ctx,
}
ret = hbac_eval_host_element(eval_req, domain, rhost,
- hbac_ctx->get_deny_rules,
&eval_req->srchost);
if (ret != EOK) goto done;
@@ -498,7 +491,6 @@ hbac_ctx_to_eval_request(TALLOC_CTX *mem_ctx,
}
ret = hbac_eval_host_element(eval_req, domain, thost,
- hbac_ctx->get_deny_rules,
&eval_req->targethost);
if (ret != EOK) goto done;
@@ -515,7 +507,6 @@ static errno_t
hbac_eval_user_element(TALLOC_CTX *mem_ctx,
struct sss_domain_info *domain,
const char *username,
- bool deny_rules,
struct hbac_request_element **user_element)
{
errno_t ret;
@@ -573,15 +564,9 @@ hbac_eval_user_element(TALLOC_CTX *mem_ctx,
ret = get_ipa_groupname(users->groups, domain->sysdb, member_dn,
&users->groups[num_groups]);
if (ret != EOK && ret != ERR_UNEXPECTED_ENTRY_TYPE) {
- if (deny_rules) {
- DEBUG(SSSDBG_OP_FAILURE, "Parse error on [%s]: %s\n",
- member_dn, sss_strerror(ret));
- goto done;
- } else {
- DEBUG(SSSDBG_MINOR_FAILURE,
- "Skipping malformed entry [%s]\n", member_dn);
- continue;
- }
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Skipping malformed entry [%s]\n", member_dn);
+ continue;
} else if (ret == EOK) {
DEBUG(SSSDBG_TRACE_LIBS, "Added group [%s] for user [%s]\n",
users->groups[num_groups], users->name);
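Review bot: The surviving branch now always skips a member entry that fails to parse, where the old DENY_ALL path aborted the lookup; this is only safe because the deny-rule path is gone, and that reasoning deserves a comment so it is not undone later. Suggest replacing the bare DEBUG with a short explanation above it: `/* Skip, don't fail: only ALLOW rules are evaluated, so a missing group can presumably only withhold access, never grant it. */` (the evaluation semantics live in the HBAC library, not in this file, hence the hedge). The same pattern repeats in hbac_eval_service_element and hbac_eval_host_element below and would benefit from the same note. hbac_eval_user_element starts before and ends after this hunk.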
@@ -617,7 +602,6 @@ static errno_t
hbac_eval_service_element(TALLOC_CTX *mem_ctx,
struct sss_domain_info *domain,
const char *servicename,
- bool deny_rules,
struct hbac_request_element **svc_element)
{
errno_t ret;
@@ -689,16 +673,9 @@ hbac_eval_service_element(TALLOC_CTX *mem_ctx,
(const char *)el->values[i].data,
&name);
if (ret != EOK && ret != ERR_UNEXPECTED_ENTRY_TYPE) {
- if (deny_rules) {
- DEBUG(SSSDBG_OP_FAILURE, "Parse error on [%s]: %s\n",
- (const char *)el->values[i].data,
- sss_strerror(ret));
- goto done;
- } else {
- DEBUG(SSSDBG_MINOR_FAILURE, "Skipping malformed entry [%s]\n",
- (const char *)el->values[i].data);
- continue;
- }
+ DEBUG(SSSDBG_MINOR_FAILURE, "Skipping malformed entry [%s]\n",
+ (const char *)el->values[i].data);
+ continue;
}
/* ERR_UNEXPECTED_ENTRY_TYPE means we had a memberOf entry that wasn't a
@@ -727,7 +704,6 @@ static errno_t
hbac_eval_host_element(TALLOC_CTX *mem_ctx,
struct sss_domain_info *domain,
const char *hostname,
- bool deny_rules,
struct hbac_request_element **host_element)
{
errno_t ret;
@@ -807,16 +783,9 @@ hbac_eval_host_element(TALLOC_CTX *mem_ctx,
(const char *)el->values[i].data,
&name);
if (ret != EOK && ret != ERR_UNEXPECTED_ENTRY_TYPE) {
- if (deny_rules) {
- DEBUG(SSSDBG_OP_FAILURE, "Parse error on [%s]: %s\n",
- (const char *)el->values[i].data,
- sss_strerror(ret));
- goto done;
- } else {
- DEBUG(SSSDBG_MINOR_FAILURE, "Skipping malformed entry [%s]\n",
- (const char *)el->values[i].data);
- continue;
- }
+ DEBUG(SSSDBG_MINOR_FAILURE, "Skipping malformed entry [%s]\n",
+ (const char *)el->values[i].data);
+ continue;
}
/* ERR_UNEXPECTED_ENTRY_TYPE means we had a memberOf entry that wasn't a
diff --git a/src/providers/ipa/ipa_hbac_rules.c b/src/providers/ipa/ipa_hbac_rules.c
index 497eee612..ffef6dc4c 100644
--- a/src/providers/ipa/ipa_hbac_rules.c
+++ b/src/providers/ipa/ipa_hbac_rules.c
@@ -49,7 +49,6 @@ ipa_hbac_rule_info_done(struct tevent_req *subreq);
struct tevent_req *
ipa_hbac_rule_info_send(TALLOC_CTX *mem_ctx,
- bool get_deny_rules,
struct tevent_context *ev,
struct sdap_handle *sh,
struct sdap_options *opts,
@@ -116,25 +115,15 @@ ipa_hbac_rule_info_send(TALLOC_CTX *mem_ctx,
state->attrs[13] = IPA_HOST_CATEGORY;
state->attrs[14] = NULL;
- if (get_deny_rules) {
- rule_filter = talloc_asprintf(tmp_ctx,
- "(&(objectclass=%s)"
- "(%s=%s)(|(%s=%s)(%s=%s)",
- IPA_HBAC_RULE,
- IPA_ENABLED_FLAG, IPA_TRUE_VALUE,
- IPA_HOST_CATEGORY, "all",
- IPA_MEMBER_HOST, host_dn_clean);
- } else {
- rule_filter = talloc_asprintf(tmp_ctx,
- "(&(objectclass=%s)"
- "(%s=%s)(%s=%s)"
- "(|(%s=%s)(%s=%s)",
- IPA_HBAC_RULE,
- IPA_ENABLED_FLAG, IPA_TRUE_VALUE,
- IPA_ACCESS_RULE_TYPE, IPA_HBAC_ALLOW,
- IPA_HOST_CATEGORY, "all",
- IPA_MEMBER_HOST, host_dn_clean);
- }
+ rule_filter = talloc_asprintf(tmp_ctx,
+ "(&(objectclass=%s)"
+ "(%s=%s)(%s=%s)"
+ "(|(%s=%s)(%s=%s)",
+ IPA_HBAC_RULE,
+ IPA_ENABLED_FLAG, IPA_TRUE_VALUE,
+ IPA_ACCESS_RULE_TYPE, IPA_HBAC_ALLOW,
+ IPA_HOST_CATEGORY, "all",
+ IPA_MEMBER_HOST, host_dn_clean);
if (rule_filter == NULL) {
ret = ENOMEM;
goto immediate;
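Review bot: With the deny branch removed, the LDAP filter unconditionally restricts results to `accessRuleType=allow`, so any deny-type rules still present in the directory are never fetched and therefore never enforced, whereas the previous default (DENY_ALL) refused all access in that situation. The commit message asserts the server no longer supports such rules, but the removed man page text tied that to FreeIPA v2.1, so clients pointed at an older or un-migrated server move from fail-closed to fail-open here; that is an intentional policy change and should be stated next to the filter, e.g. `/* Fetch only enabled ALLOW rules: DENY rules are unsupported server-side and deliberately ignored rather than treated as deny-all. */`. Note the filter string opens `(&` and `(|` groups that are not closed within this hunk; the rest of the filter and `host_dn_clean` sanitization are outside the visible range, so this assumes they are completed and escaped further down. ipa_hbac_rule_info_send starts before and ends after this hunk.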
diff --git a/src/providers/ipa/ipa_hbac_rules.h b/src/providers/ipa/ipa_hbac_rules.h
index 31ff30480..732ea483e 100644
--- a/src/providers/ipa/ipa_hbac_rules.h
+++ b/src/providers/ipa/ipa_hbac_rules.h
@@ -26,7 +26,6 @@
/* From ipa_hbac_rules.c */
struct tevent_req *
ipa_hbac_rule_info_send(TALLOC_CTX *mem_ctx,
- bool get_deny_rules,
struct tevent_context *ev,
struct sdap_handle *sh,
struct sdap_options *opts,
diff --git a/src/providers/ipa/ipa_opts.h b/src/providers/ipa/ipa_opts.h
index 66af64858..f2f164bc3 100644
--- a/src/providers/ipa/ipa_opts.h
+++ b/src/providers/ipa/ipa_opts.h
@@ -44,7 +44,6 @@ struct dp_option ipa_basic_opts[] = {
{ "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING},
{ "ipa_hbac_refresh", DP_OPT_NUMBER, { .number = 5 }, NULL_NUMBER },
{ "ipa_selinux_refresh", DP_OPT_NUMBER, { .number = 5 }, NULL_NUMBER },
- { "ipa_hbac_treat_deny_as", DP_OPT_STRING, { "DENY_ALL" }, NULL_STRING },
{ "ipa_hbac_support_srchost", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
{ "ipa_automount_location", DP_OPT_STRING, { "default" }, NULL_STRING },
{ "ipa_ranges_search_base", DP_OPT_STRING, NULL_STRING, NULL_STRING },
diff --git a/src/providers/ipa/ipa_selinux.c b/src/providers/ipa/ipa_selinux.c
index 516e31a19..3e9efee32 100644
--- a/src/providers/ipa/ipa_selinux.c
+++ b/src/providers/ipa/ipa_selinux.c
@@ -1557,7 +1557,7 @@ static void ipa_get_selinux_maps_done(struct tevent_req *subreq)
DEBUG(SSSDBG_TRACE_FUNC, "SELinux maps referenced an HBAC rule. "
"Need to refresh HBAC rules\n");
- subreq = ipa_hbac_rule_info_send(state, false, state->be_ctx->ev,
+ subreq = ipa_hbac_rule_info_send(state, state->be_ctx->ev,
sdap_id_op_handle(state->op),
id_ctx->sdap_id_ctx->opts,
state->selinux_ctx->hbac_search_bases,