authorSumit Bose <sbose@redhat.com>2010-05-21 15:16:15 +0200
committerStephen Gallagher <sgallagh@redhat.com>2010-05-23 12:15:59 -0400
commiteb812bb807d65309c037c6a806b728c637e9b0fa (patch)
tree511bb1dc361e3ced20eacec5d85810792f7e13d1
parentce145e54b99b8356c21d58d0806e038f8f6d7afb (diff)
Check ipaEnabledFlag
-rw-r--r--src/providers/ipa/ipa_access.c28
1 files changed, 23 insertions, 5 deletions
diff --git a/src/providers/ipa/ipa_access.c b/src/providers/ipa/ipa_access.c
index 2a498b1ee..b8a928a07 100644
--- a/src/providers/ipa/ipa_access.c
+++ b/src/providers/ipa/ipa_access.c
@@ -1502,9 +1502,9 @@ enum check_result check_remote_hosts(const char *rhost,
return RULE_ERROR;
}
-static errno_t check_if_rule_applies(enum hbac_result *result,
- struct hbac_ctx *hbac_ctx,
- struct sysdb_attrs *rule_attrs) {
+static errno_t check_if_rule_applies(struct hbac_ctx *hbac_ctx,
+ struct sysdb_attrs *rule_attrs,
+ enum hbac_result *result) {
int ret;
struct ldb_message_element *el;
enum hbac_result rule_type;
@@ -1529,6 +1529,24 @@ static errno_t check_if_rule_applies(enum hbac_result *result,
}
DEBUG(9, ("Processsing rule [%s].\n", rule_name));
+ ret = sysdb_attrs_get_el(rule_attrs, IPA_ENABLED_FLAG, &el);
+ if (ret != EOK) {
+ DEBUG(1, ("Failed to find out if rule is enabled or not, "
+ "assuming it is enabled.\n"));
+ } else {
+ if (el->num_values == 0) {
+ DEBUG(1, ("Failed to find out if rule is enabled or not, "
+ "assuming it is enabled.\n"));
+ } else {
+ if (strncasecmp("false", (const char*) el->values[0].data,
+ el->values[0].length) == 0) {
+ DEBUG(7, ("Rule is disabled.\n"));
+ *result = HBAC_NOT_APPLICABLE;
+ return EOK;
+ }
+ }
+ }
+
/* rule type */
ret = sysdb_attrs_get_el(rule_attrs, IPA_ACCESS_RULE_TYPE, &el);
if (ret != EOK) {
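Review bot: The new comparison `strncasecmp("false", (const char*) el->values[0].data, el->values[0].length) == 0` is bounded by the attribute value's own length, so any value shorter than five bytes that is a prefix of "false" — an empty value included, since strncasecmp with n == 0 returns 0 — is taken as "false" and the rule is reported HBAC_NOT_APPLICABLE without being evaluated. Because this gate decides whether an HBAC rule is considered at all, the match should be exact: `if (el->values[0].length == 5 && strncasecmp("false", (const char*) el->values[0].data, 5) == 0) {`. The two branches that emit the identical "assuming it is enabled" message could also be folded into a single `if (ret != EOK || el->num_values == 0)` test, which keeps the fallback in one place. check_if_rule_applies begins outside this hunk.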
@@ -1596,8 +1614,8 @@ static int evaluate_ipa_hbac_rules(struct hbac_ctx *hbac_ctx,
for (i = 0; i < hbac_ctx->hbac_rule_count ; i++) {
- ret = check_if_rule_applies(&result, hbac_ctx,
- hbac_ctx->hbac_rule_list[i]);
+ ret = check_if_rule_applies(hbac_ctx, hbac_ctx->hbac_rule_list[i],
+ &result);
if (ret != EOK) {
DEBUG(1, ("check_if_rule_applies failed.\n"));
return ret;