authorPavel Reichl <preichl@redhat.com>2015-04-20 11:33:29 -0400
committerJakub Hrozek <jhrozek@redhat.com>2015-04-28 12:01:44 +0200
commit45a089a7bcf54e27fb46dc1a2c08c21ac07db96a (patch)
treefae95de7a04fa2bddfabd8f5bb048c1fb1f01802
parent1b2119aab14a4ea3ca6de0d29a661b2825bfec8d (diff)
simple-access-provider: make user grp res more robust
Not all of the user's groups need to be resolved when the group deny list is empty. Resolves: https://fedorahosted.org/sssd/ticket/2519 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 82a958e6592c4a4078e45b7197bbe4751b70f511)
-rw-r--r--src/providers/simple/simple_access_check.c26
-rw-r--r--src/util/util_errors.c1
-rw-r--r--src/util/util_errors.h1
3 files changed, 24 insertions, 4 deletions
diff --git a/src/providers/simple/simple_access_check.c b/src/providers/simple/simple_access_check.c
index c8217f6d4..14d833be2 100644
--- a/src/providers/simple/simple_access_check.c
+++ b/src/providers/simple/simple_access_check.c
@@ -395,6 +395,8 @@ struct simple_check_groups_state {
const char **group_names;
size_t num_names;
+
+ bool failed_to_resolve_groups;
};
static void simple_check_get_groups_next(struct tevent_req *subreq);
@@ -430,6 +432,7 @@ simple_check_get_groups_send(TALLOC_CTX *mem_ctx,
state->ev = ev;
state->ctx = ctx;
+ state->failed_to_resolve_groups = false;
DEBUG(SSSDBG_TRACE_LIBS, "Looking up groups for user %s\n", username);
@@ -548,11 +551,10 @@ static void simple_check_get_groups_next(struct tevent_req *subreq)
DEBUG(SSSDBG_OP_FAILURE,
"Could not resolve name of group with GID %"SPRIgid"\n",
state->lookup_groups[state->giter].gid);
- tevent_req_error(req, ret);
- return;
+ state->failed_to_resolve_groups = true;
+ } else {
+ state->num_names++;
}
-
- state->num_names++;
state->giter++;
if (state->giter < state->num_groups) {
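Review bot: Continuing the loop after a failed group-name lookup at `state->failed_to_resolve_groups = true;` is only safe because the gap is reported out of band and the caller refuses access when deny groups are configured; that reasoning lives in a different function and deserves a comment here, e.g. `/* Keep going: the caller learns about the gap via ERR_SIMPLE_GROUPS_MISSING and must fail closed when deny_groups are configured. */`. The flag also does not distinguish a group that genuinely has no name from a transient lookup error, so if the lookup can fail temporarily the allow-list check downstream may deny a legitimately allowed user until the lookup recovers, which is fail-closed and the right default but worth stating. simple_check_get_groups_next starts and ends outside the hunk.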
@@ -686,6 +688,9 @@ simple_check_get_groups_recv(struct tevent_req *req,
TEVENT_REQ_RETURN_ON_ERROR(req);
*_group_names = talloc_steal(mem_ctx, state->group_names);
+ if (state->failed_to_resolve_groups) {
+ return ERR_SIMPLE_GROUPS_MISSING;
+ }
return EOK;
}
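Review bot: The receiver now hands `*_group_names` to the caller even when it returns ERR_SIMPLE_GROUPS_MISSING, which departs from the usual tevent convention that outputs are only valid on EOK; document this at the top of simple_check_get_groups_recv so a future caller does not discard the partial list on a non-zero return. Suggested comment: `/* Returns EOK, or ERR_SIMPLE_GROUPS_MISSING when at least one group could not be resolved; in that case *_group_names still receives the partial list and ownership moves to mem_ctx. */`. The beginning of the function lies outside the hunk.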
@@ -775,12 +780,25 @@ static void simple_access_check_done(struct tevent_req *subreq)
/* We know the names now. Run the check. */
ret = simple_check_get_groups_recv(subreq, state, &state->group_names);
+
talloc_zfree(subreq);
if (ret == ENOENT) {
/* If the user wasn't found, just shortcut */
state->access_granted = false;
tevent_req_done(req);
return;
+ } else if (ret == ERR_SIMPLE_GROUPS_MISSING) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Could not collect groups of user %s\n", state->username);
+ if (state->ctx->deny_groups == NULL) {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "But no deny groups were defined so we can continue.\n");
+ } else {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Some deny groups were defined, we can't continue\n");
+ tevent_req_error(req, ret);
+ return;
+ }
} else if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE,
"Could not collect groups of user %s\n", state->username);
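Review bot: In the proceed branch after `"But no deny groups were defined so we can continue.\n"` the function falls out of the if/else chain with `ret` still equal to ERR_SIMPLE_GROUPS_MISSING; the remainder of simple_access_check_done is outside the hunk, so if any code below re-examines `ret` it would treat the partial result as a failure, and adding `ret = EOK;` right after that DEBUG call makes the intent explicit. The fail-closed reasoning is sound but unstated: with a partial group list an allow_groups rule can only become stricter, whereas a deny_groups rule could silently miss a match and wrongly grant access, so a comment such as `/* A missing group can only make allow_groups stricter, but could hide a deny_groups match, so only the deny case must fail closed. */` would protect this invariant. The `state->ctx->deny_groups == NULL` test also assumes the config parser leaves the pointer NULL for an absent or empty list rather than producing an empty array; confirm that, otherwise an empty `simple_deny_groups =` setting would now reject every user whose groups cannot be fully resolved. Finally, the first DEBUG at SSSDBG_OP_FAILURE fires on the benign path too; consider emitting the OP_FAILURE message only in the else branch and a TRACE-level one otherwise.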
diff --git a/src/util/util_errors.c b/src/util/util_errors.c
index b481210aa..4f9a2e700 100644
--- a/src/util/util_errors.c
+++ b/src/util/util_errors.c
@@ -71,6 +71,7 @@ struct err_string error_to_str[] = {
{ "Time specification not supported" }, /* ERR_TIMESPEC_NOT_SUPPORTED */
{ "Malformed cache entry" }, /* ERR_MALFORMED_ENTRY */
{ "Unexpected cache entry type" }, /* ERR_UNEXPECTED_ENTRY_TYPE */
+ { "Failed to resolve one of user groups." }, /* ERR_SIMPLE_GROUPS_MISSING */
{ "ERR_LAST" } /* ERR_LAST */
};
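Review bot: The new entry `{ "Failed to resolve one of user groups." }` ends with a period and reads awkwardly, unlike every neighbouring string in error_to_str; since these strings presumably appear verbatim in log output, keep the table uniform with `{ "Failed to resolve one of the user's groups" }, /* ERR_SIMPLE_GROUPS_MISSING */`. The table's start lies outside the hunk.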
diff --git a/src/util/util_errors.h b/src/util/util_errors.h
index b6a667fff..5842a7155 100644
--- a/src/util/util_errors.h
+++ b/src/util/util_errors.h
@@ -93,6 +93,7 @@ enum sssd_errors {
ERR_TIMESPEC_NOT_SUPPORTED,
ERR_MALFORMED_ENTRY,
ERR_UNEXPECTED_ENTRY_TYPE,
+ ERR_SIMPLE_GROUPS_MISSING,
ERR_LAST /* ALWAYS LAST */
};