author Stephen Gallagher <sgallagh@redhat.com> 2011-06-06 22:26:28 -0400
committer Stephen Gallagher <sgallagh@redhat.com> 2011-08-04 10:28:14 -0400
commit 6d7450e996e7c699aebf12422cc7080a0782b9ae
tree de1c1245e0b888d80493f859c79938ba37d5e1fb /contrib
parent 47985a7b3a1a4c00b38350692197ce360e5e36ef
Rewrite HBAC rule evaluator

Add helper function msgs2attrs_array

This function converts a list of ldb_messages into a list of sysdb_attrs.

Conflicts:
    src/providers/ldap/ldap_common.c
    src/providers/ldap/ldap_common.h

Add HBAC evaluator and tests

Add helper functions for looking up HBAC rule components

Remove old HBAC implementation

Add new HBAC lookup and evaluation routines

Conflicts:
    Makefile.am

Add ipa_hbac_refresh option

This option describes the time between refreshes of the HBAC rules on the IPA server.

Add ipa_hbac_treat_deny_as option

By default, we will treat the presence of any DENY rule as denying all users. This option will allow the admin to explicitly ignore DENY rules during a transitional period.

Treat NULL or empty rhost as unknown

Previously, we were assuming this meant it was coming from the localhost, but this is not a safe assumption. We will now treat it as unknown and it will fail to match any rule that requires a specified srchost or group of srchosts.

libipa_hbac: Support case-insensitive comparisons with UTF8

UTF8 HBAC test

Fix memory leak in ipa_hbac_evaluate_rules
https://fedorahosted.org/sssd/ticket/933

Fix incorrect NULL check in ipa_hbac_common.c
https://fedorahosted.org/sssd/ticket/936

Require matched version and release for libipa_hbac

Add rule validator to libipa_hbac
https://fedorahosted.org/sssd/ticket/943
Diffstat (limited to 'contrib')
-rw-r--r-- contrib/sssd.spec.in 36
1 files changed, 34 insertions, 2 deletions
diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
index c08633a0e..db0ecb3f4 100644
--- a/contrib/sssd.spec.in
+++ b/contrib/sssd.spec.in
@@ -19,7 +19,8 @@ BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
Requires: libldb >= 0.9.3
Requires: libtdb >= 1.1.3
-Requires: sssd-client = %{version}-%{release}
+Requires: sssd-client%{?_isa} = %{version}-%{release}
+Requires: libipa_hbac = %{version}-%{release}
Requires: cyrus-sasl-gssapi
Requires: keyutils-libs
Requires(post): initscripts chkconfig /sbin/ldconfig
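Review bot: The new "Requires: libipa_hbac = %{version}-%{release}" line is not architecture-qualified, while the sssd-client line directly above it gains %{?_isa} in this same hunk. On a multilib host the version pin can then be satisfied by a libipa_hbac build of the other architecture, which defeats the "matched version and release" intent stated in the commit message for the library that makes the access-control decision. Suggest "Requires: libipa_hbac%{?_isa} = %{version}-%{release}" so both pins behave the same way.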
@@ -73,7 +74,9 @@ BuildRequires: bind-utils
BuildRequires: keyutils-libs-devel
BuildRequires: libnl-devel
BuildRequires: nscd
-BuildRequires: gettext
+BuildRequires: gettext-devel
+BuildRequires: pkgconfig
+BuildRequires: libunistring-devel
%description
Provides a set of daemons to manage access to remote directories and
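Review bot: The replacement of "BuildRequires: gettext" with "gettext-devel" is not explained anywhere in the commit message, unlike libunistring-devel, which lines up with the UTF8 case-insensitive comparison entry. A short spec comment above the gettext-devel line saying what in the build needs it would make the dependency set auditable later; the same applies to the bare "pkgconfig" line, which presumably exists for the ipa_hbac.pc file packaged further down.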
@@ -104,6 +107,23 @@ SSSD when using id_provider = local in /etc/sssd/sssd.conf.
Also provides a userspace tool for generating an obfuscated LDAP password for
use with ldap_default_authtok_type = obfuscated_password.
+%package -n libipa_hbac
+Summary: FreeIPA HBAC Evaluator library
+Group: Development/Libraries
+License: LGPLv3+
+
+%description -n libipa_hbac
+Utility library to validate FreeIPA HBAC rules for authorization requests
+
+%package -n libipa_hbac-devel
+Summary: FreeIPA HBAC Evaluator library
+Group: Development/Libraries
+License: LGPLv3+
+Requires: libipa_hbac = %{version}-%{release}
+
+%description -n libipa_hbac-devel
+Utility library to validate FreeIPA HBAC rules for authorization requests
+
%prep
%setup -q
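Review bot: The libipa_hbac-devel stanza repeats the runtime package's Summary and %description word for word, so the two packages are indistinguishable in package listings. Suggest a Summary such as "Development files for the FreeIPA HBAC Evaluator library" and a description that mentions the header and pkg-config file. Also, "Requires: libipa_hbac = %{version}-%{release}" in the -devel stanza lacks %{?_isa}, so on multilib systems the unversioned .so symlink can be installed without the matching-architecture runtime library.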
@@ -158,6 +178,7 @@ rm -f \
$RPM_BUILD_ROOT/%{_libdir}/sssd/libsss_ipa.la \
$RPM_BUILD_ROOT/%{_libdir}/sssd/libsss_simple.la \
$RPM_BUILD_ROOT/%{_libdir}/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.la \
+ $RPM_BUILD_ROOT/%{_libdir}/libipa_hbac.la \
$RPM_BUILD_ROOT/%{python_sitearch}/pysss.la
# Older versions of rpmbuild can only handle one -f option
@@ -232,6 +253,17 @@ rm -rf $RPM_BUILD_ROOT
%{_mandir}/man8/sss_usermod.8*
%{_mandir}/man8/sss_obfuscate.8*
+%files -n libipa_hbac
+%defattr(-,root,root,-)
+%doc src/sss_client/COPYING src/sss_client/COPYING.LESSER
+%{_libdir}/libipa_hbac.so.*
+
+%files -n libipa_hbac-devel
+%defattr(-,root,root,-)
+%{_includedir}/ipa_hbac.h
+%{_libdir}/libipa_hbac.so
+%{_libdir}/pkgconfig/ipa_hbac.pc
+
%post
/sbin/ldconfig
/sbin/chkconfig --add %{servicename}
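Review bot: The new "%files -n libipa_hbac" section installs %{_libdir}/libipa_hbac.so.* but none of the visible hunks add "%post -n libipa_hbac" or "%postun -n libipa_hbac" scriptlets; the /sbin/ldconfig call shown in the trailing context belongs to the main package's %post. If libipa_hbac is installed or updated on its own, the linker cache is not refreshed. Suggest adding "%post -n libipa_hbac -p /sbin/ldconfig" and the matching %postun. Separately, the %doc line ships the license texts from src/sss_client/; worth confirming those files match the LGPLv3+ License tag declared for this subpackage.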