authorSumit Bose <sbose@redhat.com>2009-11-10 13:38:20 +0100
committerStephen Gallagher <sgallagh@redhat.com>2009-11-10 09:33:57 -0500
commite31821dd6f4a4ca9d07b367c26bfb21d6755bef0 (patch)
tree40079a422fbe129396a9b2c3f6748663498fee7b
parent64a2f4205f6ebac24429cef730ef2a636636b0ff (diff)
Add check for access-time rules to ipa_access.
-rw-r--r--server/Makefile.am1
-rw-r--r--server/providers/ipa/ipa_access.c64
-rw-r--r--server/providers/ipa/ipa_access.h2
-rw-r--r--server/providers/ipa/ipa_init.c7
4 files changed, 74 insertions, 0 deletions
diff --git a/server/Makefile.am b/server/Makefile.am
index 0c894a664..bdc2f9861 100644
--- a/server/Makefile.am
+++ b/server/Makefile.am
@@ -577,6 +577,7 @@ libsss_ipa_la_SOURCES = \
providers/ipa/ipa_init.c \
providers/ipa/ipa_common.c \
providers/ipa/ipa_access.c \
+ providers/ipa/ipa_timerules.c \
providers/ldap/ldap_id.c \
providers/ldap/ldap_id_enum.c \
providers/ldap/ldap_auth.c \
diff --git a/server/providers/ipa/ipa_access.c b/server/providers/ipa/ipa_access.c
index 19b707cd9..18888b9bd 100644
--- a/server/providers/ipa/ipa_access.c
+++ b/server/providers/ipa/ipa_access.c
@@ -29,6 +29,7 @@
#include "providers/ldap/sdap_async.h"
#include "providers/ipa/ipa_common.h"
#include "providers/ipa/ipa_access.h"
+#include "providers/ipa/ipa_timerules.h"
#define IPA_HOST_MEMBEROF "memberOf"
#define IPA_HOST_SERVERHOSTNAME "serverHostName"
@@ -1168,6 +1169,63 @@ enum check_result check_service(struct pam_data *pd,
return RULE_ERROR;
}
+enum check_result check_access_time(struct time_rules_ctx *tr_ctx,
+ struct sysdb_attrs *rule_attrs)
+{
+ int ret;
+ int i;
+ TALLOC_CTX *tmp_ctx = NULL;
+ struct ldb_message_element *el;
+ char *rule;
+ time_t now;
+ bool result;
+
+ now = time(NULL);
+ if (now == (time_t) -1) {
+ DEBUG(1, ("time failed [%d][%s].\n", errno, strerror(errno)));
+ return RULE_ERROR;
+ }
+
+ ret = sysdb_attrs_get_el(rule_attrs, IPA_ACCESS_TIME, &el);
+ if (ret != EOK) {
+ DEBUG(1, ("sysdb_attrs_get_el failed.\n"));
+ return RULE_ERROR;
+ }
+ if (el->num_values == 0) {
+ DEBUG(9, ("No access time specified, assuming rule applies.\n"));
+ return RULE_APPLICABLE;
+ } else {
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ DEBUG(1, ("talloc_new failed.\n"));
+ return RULE_ERROR;
+ }
+
+ for (i = 0; i < el->num_values; i++) {
+ rule = talloc_strndup(tmp_ctx, (const char *) el->values[i].data,
+ el->values[i].length);
+ ret = check_time_rule(tmp_ctx, tr_ctx, rule, now, &result);
+ if (ret != EOK) {
+ DEBUG(1, ("check_time_rule failed.\n"));
+ ret = RULE_ERROR;
+ goto done;
+ }
+
+ if (result) {
+ DEBUG(9, ("Current time [%d] matches rule [%s].\n", now, rule));
+ ret = RULE_APPLICABLE;
+ goto done;
+ }
+ }
+ }
+
+ ret = RULE_NOT_APPLICABLE;
+
+done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
enum check_result check_user(struct hbac_ctx *hbac_ctx,
struct sysdb_attrs *rule_attrs)
{
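Review bot: The result of `talloc_strndup` in the loop of `check_access_time` is never checked, so an allocation failure passes a NULL `rule` to `check_time_rule` and to the DEBUG format string below it; add `if (rule == NULL) { DEBUG(1, ("talloc_strndup failed.\n")); ret = RULE_ERROR; goto done; }` directly after the assignment. The line `DEBUG(9, ("Current time [%d] matches rule [%s].\n", now, rule));` formats a `time_t` with `%d`, which is undefined where `time_t` is wider than `int`; cast it explicitly, e.g. `(long) now` with `%ld`. The counter `i` is an `int` compared against `el->num_values`, which is presumably unsigned in ldb, so declaring `i` as `unsigned int` avoids the sign-comparison warning. Since the access-time values are read from the rule entry fetched from the directory, a malformed value ends in the `check_time_rule failed` path without saying which rule was rejected; including `rule` in that DEBUG message would help operators find the misconfigured entry.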
@@ -1343,6 +1401,11 @@ static errno_t check_if_rule_applies(enum hbac_result *result,
goto not_applicable;
}
+ ret = check_access_time(hbac_ctx->tr_ctx, rule_attrs);
+ if (ret != RULE_APPLICABLE) {
+ goto not_applicable;
+ }
+
ret = check_remote_hosts(pd, rule_attrs);
if (ret != RULE_APPLICABLE) {
goto not_applicable;
@@ -1426,6 +1489,7 @@ void ipa_access_handler(struct be_req *be_req)
struct ipa_access_ctx);
hbac_ctx->sdap_ctx = ipa_access_ctx->sdap_ctx;
hbac_ctx->ipa_options = ipa_access_ctx->ipa_options;
+ hbac_ctx->tr_ctx = ipa_access_ctx->tr_ctx;
req = hbac_get_host_info_send(hbac_ctx, be_req->be_ctx->ev,
hbac_ctx->sdap_ctx, be_req->be_ctx->sysdb,
diff --git a/server/providers/ipa/ipa_access.h b/server/providers/ipa/ipa_access.h
index e4903cb74..1b01e9fe1 100644
--- a/server/providers/ipa/ipa_access.h
+++ b/server/providers/ipa/ipa_access.h
@@ -35,11 +35,13 @@ enum ipa_access_mode {
struct ipa_access_ctx {
struct sdap_id_ctx *sdap_ctx;
struct dp_option *ipa_options;
+ struct time_rules_ctx *tr_ctx;
};
struct hbac_ctx {
struct sdap_id_ctx *sdap_ctx;
struct dp_option *ipa_options;
+ struct time_rules_ctx *tr_ctx;
struct be_req *be_req;
struct pam_data *pd;
struct hbac_host_info **hbac_host_info;
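Review bot: Both new `struct time_rules_ctx *tr_ctx;` members in ipa_access.h use a tag the header neither declares nor includes; this compiles because C introduces the incomplete type implicitly, but a forward declaration `struct time_rules_ctx;` above `struct ipa_access_ctx` makes the dependency explicit and keeps the header self-contained regardless of include order.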
diff --git a/server/providers/ipa/ipa_init.c b/server/providers/ipa/ipa_init.c
index 7ef98e62e..1b93e14dd 100644
--- a/server/providers/ipa/ipa_init.c
+++ b/server/providers/ipa/ipa_init.c
@@ -30,6 +30,7 @@
#include "providers/ipa/ipa_common.h"
#include "providers/krb5/krb5_auth.h"
#include "providers/ipa/ipa_access.h"
+#include "providers/ipa/ipa_timerules.h"
struct ipa_options *ipa_options = NULL;
@@ -233,6 +234,12 @@ int sssm_ipa_access_init(struct be_ctx *bectx,
goto done;
}
+ ret = init_time_rules_parser(ipa_access_ctx, &ipa_access_ctx->tr_ctx);
+ if (ret != EOK) {
+ DEBUG(1, ("init_time_rules_parser failed.\n"));
+ goto done;
+ }
+
*ops = &ipa_access_ops;
*pvt_data = ipa_access_ctx;