authorJakub Hrozek <jhrozek@redhat.com>2014-01-02 17:23:08 +0100
committerJakub Hrozek <jhrozek@redhat.com>2014-05-13 22:24:09 +0200
commit770dc892f867639f36f84455d65be6287935a529 (patch)
tree4b847d89ec0cb984140187bee14bf409066f0ec5 /src/responder/ifp/ifpsrv.c
parent60cab26b12df9a2153823972cde0c38ca86e01b9 (diff)
IFP: Per-attribute ACL for users
Introduces a new option called user_attributes that specifies which user attributes may be queried from the IFP responder. By default only the default POSIX set is allowed; this option allows either adding other attributes (+attrname) or removing them from the default set (-attrname). Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Diffstat (limited to 'src/responder/ifp/ifpsrv.c')
-rw-r--r--src/responder/ifp/ifpsrv.c17
1 files changed, 17 insertions, 0 deletions
diff --git a/src/responder/ifp/ifpsrv.c b/src/responder/ifp/ifpsrv.c
index 978f3614a..e02b5f08a 100644
--- a/src/responder/ifp/ifpsrv.c
+++ b/src/responder/ifp/ifpsrv.c
@@ -205,6 +205,7 @@ int ifp_process_init(TALLOC_CTX *mem_ctx,
int ret;
int max_retries;
char *uid_str;
+ char *attr_list_str;
ifp_cmds = get_ifp_cmds();
ret = sss_process_init(mem_ctx, ev, cdb,
@@ -271,6 +272,22 @@ int ifp_process_init(TALLOC_CTX *mem_ctx,
goto fail;
}
+ ret = confdb_get_string(ifp_ctx->rctx->cdb, ifp_ctx->rctx,
+ CONFDB_IFP_CONF_ENTRY, CONFDB_IFP_USER_ATTR_LIST,
+ NULL, &attr_list_str);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE, ("Failed to get allowed UIDs.\n"));
+ goto fail;
+ }
+
+ ifp_ctx->user_whitelist = ifp_parse_attr_list(ifp_ctx, attr_list_str);
+ talloc_free(attr_list_str);
+ if (ifp_ctx->user_whitelist == NULL) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ ("Failed to parse the allowed attribute list\n"));
+ goto fail;
+ }
+
/* Enable automatic reconnection to the Data Provider */
ret = confdb_get_int(ifp_ctx->rctx->cdb,
CONFDB_IFP_CONF_ENTRY,
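Review bot: The DEBUG message in the confdb_get_string error branch reports the wrong failure: it says `Failed to get allowed UIDs.` although the call reads CONFDB_IFP_USER_ATTR_LIST, which is the attribute ACL, not the UID list; it looks copied from the uid_str branch above and should be `DEBUG(SSSDBG_FATAL_FAILURE, ("Failed to get the user attribute list.\n"));`, otherwise an operator debugging a misconfigured ACL is sent to the wrong option. The second branch also reaches `goto fail` while `ret` still holds EOK from the successful confdb_get_string; if the `fail:` label, which is outside the hunk, returns `ret` as the earlier paths in ifp_process_init appear to assume, a bad attribute list would be reported to the caller as success after the context has been torn down, so set an error first, e.g. `ret = EINVAL;` (or ENOMEM if ifp_parse_attr_list only fails on allocation) before the `goto fail;`. Whether ifp_parse_attr_list accepts a NULL attr_list_str when the option is unset is not visible here; the description says the POSIX default applies then, so a one-line comment above the call stating that NULL yields the default set would make the contract explicit. The enclosing function starts and ends outside the hunk.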