author | Pavel Reichl <preichl@redhat.com> | 2015-04-20 11:33:29 -0400 |
committer | Jakub Hrozek <jhrozek@redhat.com> | 2015-04-28 12:01:44 +0200 |
commit | 45a089a7bcf54e27fb46dc1a2c08c21ac07db96a (patch) | |
tree | fae95de7a04fa2bddfabd8f5bb048c1fb1f01802 | |
parent | 1b2119aab14a4ea3ca6de0d29a661b2825bfec8d (diff) | |
simple-access-provider: make user grp res more robust
Not all user groups need to be resolved if the group deny list is empty.
Resolves:
https://fedorahosted.org/sssd/ticket/2519
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 82a958e6592c4a4078e45b7197bbe4751b70f511)
-rw-r--r-- | src/providers/simple/simple_access_check.c | 26 | ||||
-rw-r--r-- | src/util/util_errors.c | 1 | ||||
-rw-r--r-- | src/util/util_errors.h | 1 |
3 files changed, 24 insertions, 4 deletions
diff --git a/src/providers/simple/simple_access_check.c b/src/providers/simple/simple_access_check.c
index c8217f6d4..14d833be2 100644
--- a/src/providers/simple/simple_access_check.c
+++ b/src/providers/simple/simple_access_check.c
@@ -395,6 +395,8 @@ struct simple_check_groups_state {
 const char **group_names;
 size_t num_names;
+
+ bool failed_to_resolve_groups;
 };
 static void simple_check_get_groups_next(struct tevent_req *subreq);
@@ -430,6 +432,7 @@ simple_check_get_groups_send(TALLOC_CTX *mem_ctx,
 state->ev = ev;
 state->ctx = ctx;
+ state->failed_to_resolve_groups = false;
 DEBUG(SSSDBG_TRACE_LIBS, "Looking up groups for user %s\n", username);
@@ -548,11 +551,10 @@ static void simple_check_get_groups_next(struct tevent_req *subreq)
 DEBUG(SSSDBG_OP_FAILURE, "Could not resolve name of group with GID %"SPRIgid"\n", state->lookup_groups[state->giter].gid);
- tevent_req_error(req, ret);
- return;
+ state->failed_to_resolve_groups = true;
+ } else {
+ state->num_names++;
 }
-
- state->num_names++;
 state->giter++;
 if (state->giter < state->num_groups) {
@@ -686,6 +688,9 @@ simple_check_get_groups_recv(struct tevent_req *req,
 TEVENT_REQ_RETURN_ON_ERROR(req);
 *_group_names = talloc_steal(mem_ctx, state->group_names);
+ if (state->failed_to_resolve_groups) {
+ return ERR_SIMPLE_GROUPS_MISSING;
+ }
 return EOK;
 }
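Review bot: In the @@ -686 hunk, simple_check_get_groups_recv hands the caller a group_names list via talloc_steal and then returns ERR_SIMPLE_GROUPS_MISSING, which departs from the usual recv convention that output parameters are only valid on EOK; the list is also shorter than the user's real group count because the @@ -548 hunk no longer advances num_names for a GID that could not be resolved. That contract should be stated above the talloc_steal, e.g. `/* Return the names we did resolve even if some lookups failed; the caller decides whether a partial list is acceptable (ERR_SIMPLE_GROUPS_MISSING). */`, and the function's header comment should say that _group_names is valid (owned by mem_ctx) on that error code. A caller that treats any non-EOK return as "no result" would silently ignore the partial list, which is presumably not intended. The bodies of both functions continue outside the hunks, so how group_names is sized and filled is not visible here.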
@@ -775,12 +780,25 @@ static void simple_access_check_done(struct tevent_req *subreq)
 /* We know the names now. Run the check. */
 ret = simple_check_get_groups_recv(subreq, state, &state->group_names);
+ talloc_zfree(subreq);
 if (ret == ENOENT) {
 /* If the user wasn't found, just shortcut */
 state->access_granted = false;
 tevent_req_done(req);
 return;
+ } else if (ret == ERR_SIMPLE_GROUPS_MISSING) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Could not collect groups of user %s\n", state->username);
+ if (state->ctx->deny_groups == NULL) {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "But no deny groups were defined so we can continue.\n");
+ } else {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Some deny groups were defined, we can't continue\n");
+ tevent_req_error(req, ret);
+ return;
+ }
 } else if (ret != EOK) {
 DEBUG(SSSDBG_OP_FAILURE, "Could not collect groups of user %s\n", state->username);
diff --git a/src/util/util_errors.c b/src/util/util_errors.c
index b481210aa..4f9a2e700 100644
--- a/src/util/util_errors.c
+++ b/src/util/util_errors.c
@@ -71,6 +71,7 @@ struct err_string error_to_str[] = {
 { "Time specification not supported" }, /* ERR_TIMESPEC_NOT_SUPPORTED */
 { "Malformed cache entry" }, /* ERR_MALFORMED_ENTRY */
 { "Unexpected cache entry type" }, /* ERR_UNEXPECTED_ENTRY_TYPE */
+ { "Failed to resolve one of user groups." }, /* ERR_SIMPLE_GROUPS_MISSING */
 { "ERR_LAST" } /* ERR_LAST */
 };
diff --git a/src/util/util_errors.h b/src/util/util_errors.h
index b6a667fff..5842a7155 100644
--- a/src/util/util_errors.h
+++ b/src/util/util_errors.h
@@ -93,6 +93,7 @@ enum sssd_errors {
 ERR_TIMESPEC_NOT_SUPPORTED,
 ERR_MALFORMED_ENTRY,
 ERR_UNEXPECTED_ENTRY_TYPE,
+ ERR_SIMPLE_GROUPS_MISSING,
 ERR_LAST /* ALWAYS LAST */
 }; |
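Review bot: The ERR_SIMPLE_GROUPS_MISSING branch lets the access check proceed on an incomplete group list whenever deny_groups is NULL, and nothing in the code says why that is safe; a comment on that `if` would spare the next reader from re-deriving it, e.g. `/* Without a deny list an unresolved group can only withhold a grant (allow_groups), never grant access, so an incomplete list cannot open access. */` — that reasoning is inferred, since the allow/deny evaluation happens further down in simple_access_check_done, outside the hunk. The benign path also logs "Could not collect groups" at SSSDBG_OP_FAILURE immediately before a TRACE_FUNC line saying it is fine, so an operator reading the log sees a contradiction; logging the first message at SSSDBG_MINOR_FAILURE when deny_groups is NULL, or emitting a single message per outcome, would read more honestly. Moving `talloc_zfree(subreq)` ahead of the early returns closes the previous leak on the ENOENT path, which is worth a sentence in the commit message.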
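Review bot: The new error_to_str entry `"Failed to resolve one of user groups."` ends with a period while every neighbouring string in the table does not; `{ "Failed to resolve one of the user's groups" }, /* ERR_SIMPLE_GROUPS_MISSING */` keeps the table's style. Since error_to_str is indexed positionally against enum sssd_errors, the entry must stay at exactly the position the util_errors.h hunk gives the enum value, which this commit does correctly.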