diff options
author | Sumit Bose <sbose@redhat.com> | 2009-11-10 13:38:20 +0100 |
---|---|---|
committer | Stephen Gallagher <sgallagh@redhat.com> | 2009-11-10 09:33:57 -0500 |
commit | e31821dd6f4a4ca9d07b367c26bfb21d6755bef0 (patch) | |
tree | 40079a422fbe129396a9b2c3f6748663498fee7b | |
parent | 64a2f4205f6ebac24429cef730ef2a636636b0ff (diff) | |
download | sssd-e31821dd6f4a4ca9d07b367c26bfb21d6755bef0.tar.gz sssd-e31821dd6f4a4ca9d07b367c26bfb21d6755bef0.tar.xz sssd-e31821dd6f4a4ca9d07b367c26bfb21d6755bef0.zip |
Add check for access-time rules to ipa_access.
-rw-r--r-- | server/Makefile.am | 1 | ||||
-rw-r--r-- | server/providers/ipa/ipa_access.c | 64 | ||||
-rw-r--r-- | server/providers/ipa/ipa_access.h | 2 | ||||
-rw-r--r-- | server/providers/ipa/ipa_init.c | 7 |
4 files changed, 74 insertions, 0 deletions
diff --git a/server/Makefile.am b/server/Makefile.am index 0c894a664..bdc2f9861 100644 --- a/server/Makefile.am +++ b/server/Makefile.am @@ -577,6 +577,7 @@ libsss_ipa_la_SOURCES = \ providers/ipa/ipa_init.c \ providers/ipa/ipa_common.c \ providers/ipa/ipa_access.c \ + providers/ipa/ipa_timerules.c \ providers/ldap/ldap_id.c \ providers/ldap/ldap_id_enum.c \ providers/ldap/ldap_auth.c \ diff --git a/server/providers/ipa/ipa_access.c b/server/providers/ipa/ipa_access.c index 19b707cd9..18888b9bd 100644 --- a/server/providers/ipa/ipa_access.c +++ b/server/providers/ipa/ipa_access.c @@ -29,6 +29,7 @@ #include "providers/ldap/sdap_async.h" #include "providers/ipa/ipa_common.h" #include "providers/ipa/ipa_access.h" +#include "providers/ipa/ipa_timerules.h" #define IPA_HOST_MEMBEROF "memberOf" #define IPA_HOST_SERVERHOSTNAME "serverHostName" @@ -1168,6 +1169,63 @@ enum check_result check_service(struct pam_data *pd, return RULE_ERROR; } +enum check_result check_access_time(struct time_rules_ctx *tr_ctx, + struct sysdb_attrs *rule_attrs) +{ + int ret; + int i; + TALLOC_CTX *tmp_ctx = NULL; + struct ldb_message_element *el; + char *rule; + time_t now; + bool result; + + now = time(NULL); + if (now == (time_t) -1) { + DEBUG(1, ("time failed [%d][%s].\n", errno, strerror(errno))); + return RULE_ERROR; + } + + ret = sysdb_attrs_get_el(rule_attrs, IPA_ACCESS_TIME, &el); + if (ret != EOK) { + DEBUG(1, ("sysdb_attrs_get_el failed.\n")); + return RULE_ERROR; + } + if (el->num_values == 0) { + DEBUG(9, ("No access time specified, assuming rule applies.\n")); + return RULE_APPLICABLE; + } else { + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + DEBUG(1, ("talloc_new failed.\n")); + return RULE_ERROR; + } + + for (i = 0; i < el->num_values; i++) { + rule = talloc_strndup(tmp_ctx, (const char *) el->values[i].data, + el->values[i].length); + ret = check_time_rule(tmp_ctx, tr_ctx, rule, now, &result); + if (ret != EOK) { + DEBUG(1, ("check_time_rule failed.\n")); + ret = RULE_ERROR; + goto done; + } + + if (result) { + DEBUG(9, ("Current time [%d] matches rule [%s].\n", now, rule)); + ret = RULE_APPLICABLE; + goto done; + } + } + } + + ret = RULE_NOT_APPLICABLE; + +done: + talloc_free(tmp_ctx); + return ret; +} + enum check_result check_user(struct hbac_ctx *hbac_ctx, struct sysdb_attrs *rule_attrs) { @@ -1343,6 +1401,11 @@ static errno_t check_if_rule_applies(enum hbac_result *result, goto not_applicable; } + ret = check_access_time(hbac_ctx->tr_ctx, rule_attrs); + if (ret != RULE_APPLICABLE) { + goto not_applicable; + } + ret = check_remote_hosts(pd, rule_attrs); if (ret != RULE_APPLICABLE) { goto not_applicable; @@ -1426,6 +1489,7 @@ void ipa_access_handler(struct be_req *be_req) struct ipa_access_ctx); hbac_ctx->sdap_ctx = ipa_access_ctx->sdap_ctx; hbac_ctx->ipa_options = ipa_access_ctx->ipa_options; + hbac_ctx->tr_ctx = ipa_access_ctx->tr_ctx; req = hbac_get_host_info_send(hbac_ctx, be_req->be_ctx->ev, hbac_ctx->sdap_ctx, be_req->be_ctx->sysdb, diff --git a/server/providers/ipa/ipa_access.h b/server/providers/ipa/ipa_access.h index e4903cb74..1b01e9fe1 100644 --- a/server/providers/ipa/ipa_access.h +++ b/server/providers/ipa/ipa_access.h @@ -35,11 +35,13 @@ enum ipa_access_mode { struct ipa_access_ctx { struct sdap_id_ctx *sdap_ctx; struct dp_option *ipa_options; + struct time_rules_ctx *tr_ctx; }; struct hbac_ctx { struct sdap_id_ctx *sdap_ctx; struct dp_option *ipa_options; + struct time_rules_ctx *tr_ctx; struct be_req *be_req; struct pam_data *pd; struct hbac_host_info **hbac_host_info; diff --git a/server/providers/ipa/ipa_init.c b/server/providers/ipa/ipa_init.c index 7ef98e62e..1b93e14dd 100644 --- a/server/providers/ipa/ipa_init.c +++ b/server/providers/ipa/ipa_init.c @@ -30,6 +30,7 @@ #include "providers/ipa/ipa_common.h" #include "providers/krb5/krb5_auth.h" #include "providers/ipa/ipa_access.h" +#include "providers/ipa/ipa_timerules.h" struct ipa_options *ipa_options = NULL; @@ -233,6 +234,12 @@ int sssm_ipa_access_init(struct be_ctx *bectx, goto done; } + ret = init_time_rules_parser(ipa_access_ctx, &ipa_access_ctx->tr_ctx); + if (ret != EOK) { + DEBUG(1, ("init_time_rules_parser failed.\n")); + goto done; + } + *ops = &ipa_access_ops; *pvt_data = ipa_access_ctx; |