author | Pavel Reichl <preichl@redhat.com> | 2015-04-20 11:33:29 -0400 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2015-04-28 11:58:53 +0200 |
commit | 82a958e6592c4a4078e45b7197bbe4751b70f511 (patch) | |
tree | 544bc2dbd7da242f2d663b508f17bf9f13103cf5 /src/providers/simple | |
parent | 605dc7fcc848dffb7c9d270c864c70e6dff1242e (diff) | |
simple-access-provider: make user grp res more robust
Not all user groups need to be resolved if group deny list is empty.
Resolves:
https://fedorahosted.org/sssd/ticket/2519
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Diffstat (limited to 'src/providers/simple')
-rw-r--r-- | src/providers/simple/simple_access_check.c | 26 |
1 files changed, 22 insertions, 4 deletions
diff --git a/src/providers/simple/simple_access_check.c b/src/providers/simple/simple_access_check.c index c8217f6d4..14d833be2 100644 --- a/src/providers/simple/simple_access_check.c +++ b/src/providers/simple/simple_access_check.c @@ -395,6 +395,8 @@ struct simple_check_groups_state { const char **group_names; size_t num_names; + + bool failed_to_resolve_groups; }; static void simple_check_get_groups_next(struct tevent_req *subreq); @@ -430,6 +432,7 @@ simple_check_get_groups_send(TALLOC_CTX *mem_ctx, state->ev = ev; state->ctx = ctx; + state->failed_to_resolve_groups = false; DEBUG(SSSDBG_TRACE_LIBS, "Looking up groups for user %s\n", username); @@ -548,11 +551,10 @@ static void simple_check_get_groups_next(struct tevent_req *subreq) DEBUG(SSSDBG_OP_FAILURE, "Could not resolve name of group with GID %"SPRIgid"\n", state->lookup_groups[state->giter].gid); - tevent_req_error(req, ret); - return; + state->failed_to_resolve_groups = true; + } else { + state->num_names++; } - - state->num_names++; state->giter++; if (state->giter < state->num_groups) { @@ -686,6 +688,9 @@ simple_check_get_groups_recv(struct tevent_req *req, TEVENT_REQ_RETURN_ON_ERROR(req); *_group_names = talloc_steal(mem_ctx, state->group_names); + if (state->failed_to_resolve_groups) { + return ERR_SIMPLE_GROUPS_MISSING; + } return EOK; } 
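Review bot: The failure branch in simple_check_get_groups_next now sets `failed_to_resolve_groups` and moves on for whatever error the lookup returned, and the debug message records only the GID, not `ret`. The condition guarding the branch is outside the hunk, but if it is a plain non-EOK test, an out-of-memory or backend error is handled the same way as a group whose name cannot be resolved. Because the access decision later depends on this flag, I would log the error code too, for example by ending the message with `: [%d]\n` and passing `ret`. I would also keep `tevent_req_error(req, ret); return;` for errors that do not mean a missing group. The function starts and ends outside the hunk.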
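Review bot: simple_check_get_groups_recv now returns a non-EOK code after it has already moved `state->group_names` to the caller, which is an unusual contract for a _recv function and is not documented. A caller that treats the returned list as complete would evaluate access rules on partial data. I would add a comment above the new check such as `/* ERR_SIMPLE_GROUPS_MISSING: *_group_names is set but incomplete; do not use it to evaluate deny rules */`. The start of the function is outside the hunk.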
@@ -775,12 +780,25 @@ static void simple_access_check_done(struct tevent_req *subreq) /* We know the names now. Run the check. */ ret = simple_check_get_groups_recv(subreq, state, &state->group_names); + talloc_zfree(subreq); if (ret == ENOENT) { /* If the user wasn't found, just shortcut */ state->access_granted = false; tevent_req_done(req); return; + } else if (ret == ERR_SIMPLE_GROUPS_MISSING) { + DEBUG(SSSDBG_OP_FAILURE, + "Could not collect groups of user %s\n", state->username); + if (state->ctx->deny_groups == NULL) { + DEBUG(SSSDBG_TRACE_FUNC, + "But no deny groups were defined so we can continue.\n"); + } else { + DEBUG(SSSDBG_OP_FAILURE, + "Some deny groups were defined, we can't continue\n"); + tevent_req_error(req, ret); + return; + } } else if (ret != EOK) { DEBUG(SSSDBG_OP_FAILURE, "Could not collect groups of user %s\n", state->username); |
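Review bot: The ERR_SIMPLE_GROUPS_MISSING branch lets the access check run on an incomplete group list whenever `state->ctx->deny_groups == NULL`, and nothing at that spot says why that is safe. Assuming the later check only matches group names against the allow and deny lists, a missing name can turn a grant into a denial but cannot skip a deny rule. That invariant should be written down, e.g. `/* Partial list is safe without deny_groups: a missing name can only fail to match an allow rule */`. The continuation is also logged at `SSSDBG_TRACE_FUNC` while the failure is logged at `SSSDBG_OP_FAILURE`, so at lower debug levels the log shows the failure but not that evaluation went ahead on partial data. Using the same level for both would make the decision auditable. simple_access_check_done continues past the end of the hunk.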