authorStephen Gallagher <sgallagh@redhat.com>2011-07-29 15:03:14 -0400
committerStephen Gallagher <sgallagh@redhat.com>2011-08-01 12:18:34 -0400
commit84b3c3c55b0aea0fef56c82fd3917f915797964b (patch)
tree891a04b1bc59eaf9e4d0d9950499340bc1b2eaf4 /src/providers/ipa
parent627edc01036259c75611a9fda4c4abee16f30294 (diff)
Add rule validator to libipa_hbac
https://fedorahosted.org/sssd/ticket/943
Diffstat (limited to 'src/providers/ipa')
-rw-r--r--src/providers/ipa/hbac_evaluator.c51
-rw-r--r--src/providers/ipa/ipa_hbac.h23
2 files changed, 74 insertions, 0 deletions
diff --git a/src/providers/ipa/hbac_evaluator.c b/src/providers/ipa/hbac_evaluator.c
index ee39a09ae..476ad6482 100644
--- a/src/providers/ipa/hbac_evaluator.c
+++ b/src/providers/ipa/hbac_evaluator.c
@@ -52,6 +52,57 @@ enum hbac_eval_result_int {
HBAC_EVAL_UNMATCHED
};
+static bool hbac_rule_element_is_complete(struct hbac_rule_element *el)
+{
+ if (el == NULL) return false;
+ if (el->category == HBAC_CATEGORY_ALL) return true;
+
+ if (el->names == NULL && el->groups == NULL) return false;
+
+ if ((el->names && el->names[0] != NULL)
+ || (el->groups && el->groups[0] != NULL))
+ return true;
+
+ /* If other categories are added, handle them here */
+
+ return false;
+}
+
+bool hbac_rule_is_complete(struct hbac_rule *rule, uint32_t *missing_attrs)
+{
+ bool complete = true;
+
+ *missing_attrs = 0;
+
+ if (rule == NULL) {
+ /* No rule passed in? */
+ return false;
+ }
+
+ /* Make sure we have all elements */
+ if (!hbac_rule_element_is_complete(rule->users)) {
+ complete = false;
+ *missing_attrs |= HBAC_RULE_ELEMENT_USERS;
+ }
+
+ if (!hbac_rule_element_is_complete(rule->services)) {
+ complete = false;
+ *missing_attrs |= HBAC_RULE_ELEMENT_SERVICES;
+ }
+
+ if (!hbac_rule_element_is_complete(rule->targethosts)) {
+ complete = false;
+ *missing_attrs |= HBAC_RULE_ELEMENT_TARGETHOSTS;
+ }
+
+ if (!hbac_rule_element_is_complete(rule->srchosts)) {
+ complete = false;
+ *missing_attrs |= HBAC_RULE_ELEMENT_SOURCEHOSTS;
+ }
+
+ return complete;
+}
+
enum hbac_eval_result_int hbac_evaluate_rule(struct hbac_rule *rule,
struct hbac_eval_req *hbac_req,
enum hbac_error_code *error);
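Review bot: `hbac_rule_is_complete` writes through `missing_attrs` (`*missing_attrs = 0;`) before it checks anything, and the out pointer is never tested for NULL, so a caller that only wants the boolean verdict and passes NULL crashes rather than getting an answer; the header added in this commit does not say the pointer is mandatory either. The cheapest fix is to fold the pointer into the existing guard and move the reset after it: `if (rule == NULL || missing_attrs == NULL) return false;` followed by `*missing_attrs = 0;`. Separately, in `hbac_rule_element_is_complete` the `el->names == NULL && el->groups == NULL` test is subsumed by the following `(el->names && el->names[0] != NULL) || (el->groups && el->groups[0] != NULL)` check, so it can be dropped or kept only as a comment on the expected NULL-terminated layout of `names`/`groups`, which I infer from the `[0] != NULL` test rather than from anything visible here.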
diff --git a/src/providers/ipa/ipa_hbac.h b/src/providers/ipa/ipa_hbac.h
index a1d513785..7de49d1ff 100644
--- a/src/providers/ipa/ipa_hbac.h
+++ b/src/providers/ipa/ipa_hbac.h
@@ -151,4 +151,27 @@ const char *hbac_error_string(enum hbac_error_code code);
void hbac_free_info(struct hbac_info *info);
+
+#define HBAC_RULE_ELEMENT_USERS 0x01
+#define HBAC_RULE_ELEMENT_SERVICES 0x02
+#define HBAC_RULE_ELEMENT_TARGETHOSTS 0x04
+#define HBAC_RULE_ELEMENT_SOURCEHOSTS 0x08
+
+/**
+ * @brief Evaluate whether an HBAC rule contains all necessary elements
+ *
+ * @param[in] rule An HBAC rule to evaluate
+ * @param[out] missing_attrs A list of attributes missing from the rule
+ * This is a bitmask that may contain one or more
+ * of HBAC_RULE_ELEMENT_USERS,
+ * HBAC_RULE_ELEMENT_SERVICES,
+ * HBAC_RULE_ELEMENT_TARGETHOSTS and
+ * HBAC_RULE_ELEMENT_SOURCEHOSTS
+ *
+ * @return True if the rule contains all mandatory attributes
+ *
+ * @note This function does not care if the rule is enabled or disabled
+ */
+bool hbac_rule_is_complete(struct hbac_rule *rule, uint32_t *missing_attrs);
+
#endif /* IPA_HBAC_H_ */
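Review bot: The Doxygen block for `hbac_rule_is_complete` describes `missing_attrs` as "A list of attributes" but does not state that the pointer must be non-NULL, which the implementation in hbac_evaluator.c relies on; add `Must not be NULL; it is reset to 0 before any bits are set.` to the `@param[out]` line so callers know the contract and that a false return with a zero mask means the rule pointer itself was NULL. The prototype also introduces `bool` and `uint32_t` into this header; whether `<stdbool.h>` and `<stdint.h>` are already included is outside the hunk, so please confirm rather than rely on the .c file's includes. As a style point, the four `HBAC_RULE_ELEMENT_*` values could be an `enum` so they are visible in a debugger and scoped, but the `#define` form matches the rest of the header as far as this hunk shows.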