From a2b1e0b4bce8281d7214329d6bc261cb8ca02784 Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh@redhat.com>
Date: Fri, 1 Jul 2011 16:12:58 -0400
Subject: Add ipa_hbac_treat_deny_as option

By default, we will treat the presence of any DENY rule as denying
all users. This option will allow the admin to explicitly ignore
DENY rules during a transitional period.
---
 src/config/SSSDConfig.py                |  1 +
 src/config/etc/sssd.api.d/sssd-ipa.conf |  1 +
 src/man/sssd-ipa.5.xml                  | 27 +++++++++++++++++++++++++++
 src/providers/ipa/ipa_access.c          | 11 ++++++++++-
 src/providers/ipa/ipa_common.c          |  3 ++-
 src/providers/ipa/ipa_common.h          |  1 +
 6 files changed, 42 insertions(+), 2 deletions(-)

diff --git a/src/config/SSSDConfig.py b/src/config/SSSDConfig.py
index 035c95c40..920a8a056 100644
--- a/src/config/SSSDConfig.py
+++ b/src/config/SSSDConfig.py
@@ -98,6 +98,7 @@ option_strings = {
     'ipa_dyndns_iface' : _("The interface whose IP should be used for dynamic DNS updates"),
     'ipa_hbac_search_base' : _("Search base for HBAC related objects"),
     'ipa_hbac_refresh' : _("The amount of time between lookups of the HBAC rules against the IPA server"),
+    'ipa_hbac_treat_deny_as' : _("If DENY rules are present, either DENY_ALL or IGNORE"),
 
     # [provider/krb5]
     'krb5_kdcip' : _('Kerberos server address'),
diff --git a/src/config/etc/sssd.api.d/sssd-ipa.conf b/src/config/etc/sssd.api.d/sssd-ipa.conf
index c1adc878e..d7992b608 100644
--- a/src/config/etc/sssd.api.d/sssd-ipa.conf
+++ b/src/config/etc/sssd.api.d/sssd-ipa.conf
@@ -101,6 +101,7 @@ krb5_use_fast = str, None, false
 
 [provider/ipa/access]
 ipa_hbac_refresh = int, None, false
+ipa_hbac_treat_deny_as = str, None, false
 
 [provider/ipa/chpass]
 
diff --git a/src/man/sssd-ipa.5.xml b/src/man/sssd-ipa.5.xml
index f728e9ccf..8d2ba6818 100644
--- a/src/man/sssd-ipa.5.xml
+++ b/src/man/sssd-ipa.5.xml
@@ -190,6 +190,33 @@
                         </para>
                     </listitem>
                 </varlistentry>
+                <varlistentry>
+                    <term>ipa_hbac_treat_deny_as (string)</term>
+                    <listitem>
+                        <para>
+                            This option specifies how to treat the deprecated
+                            DENY-type HBAC rules. As of FreeIPA v2.1, DENY
+                            rules are no longer supported on the server. All
+                            users of FreeIPA will need to migrate their rules
+                            to use only the ALLOW rules. The client will
+                            support two modes of operation during this
+                            transition period:
+                        </para>
+                        <para>
+                            <emphasis>DENY_ALL</emphasis>: If any HBAC DENY
+                            rules are detected, all users will be denied
+                            access.
+                        </para>
+                        <para>
+                            <emphasis>IGNORE</emphasis>: SSSD will ignore any
+                            DENY rules. Be very careful with this option, as
+                            it may result in opening unintended access.
+                        </para>
+                        <para>
+                            Default: DENY_ALL
+                        </para>
+                    </listitem>
+                </varlistentry>
 
             </variablelist>
         </para>
diff --git a/src/providers/ipa/ipa_access.c b/src/providers/ipa/ipa_access.c
index 2a6588ebf..d88673f1e 100644
--- a/src/providers/ipa/ipa_access.c
+++ b/src/providers/ipa/ipa_access.c
@@ -97,6 +97,7 @@ void ipa_access_handler(struct be_req *be_req)
 {
     struct pam_data *pd;
     struct hbac_ctx *hbac_ctx;
+    const char *deny_method;
     int pam_status = PAM_SYSTEM_ERR;
     struct ipa_access_ctx *ipa_access_ctx;
     int ret;
@@ -108,7 +109,7 @@ void ipa_access_handler(struct be_req *be_req)
         DEBUG(1, ("talloc failed.\n"));
         goto fail;
     }
-    hbac_ctx->get_deny_rules = true; /* make this a config option */
+
     hbac_ctx->be_req = be_req;
     hbac_ctx->pd = pd;
     ipa_access_ctx = talloc_get_type(
@@ -125,6 +126,14 @@ void ipa_access_handler(struct be_req *be_req)
         goto fail;
     }
 
+    deny_method = dp_opt_get_string(hbac_ctx->ipa_options,
+                                    IPA_HBAC_DENY_METHOD);
+    if (strcasecmp(deny_method, "IGNORE") == 0) {
+        hbac_ctx->get_deny_rules = false;
+    } else {
+        hbac_ctx->get_deny_rules = true;
+    }
+
     ret = hbac_retry(hbac_ctx);
     if (ret != EOK) {
         goto fail;
diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
index 163aaf205..a370a43be 100644
--- a/src/providers/ipa/ipa_common.c
+++ b/src/providers/ipa/ipa_common.c
@@ -37,7 +37,8 @@ struct dp_option ipa_basic_opts[] = {
     { "ipa_dyndns_iface", DP_OPT_STRING, NULL_STRING, NULL_STRING},
     { "ipa_hbac_search_base", DP_OPT_STRING, NULL_STRING, NULL_STRING},
     { "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING},
-    { "ipa_hbac_refresh", DP_OPT_NUMBER, { .number = 5 }, NULL_NUMBER }
+    { "ipa_hbac_refresh", DP_OPT_NUMBER, { .number = 5 }, NULL_NUMBER },
+    { "ipa_hbac_treat_deny_as", DP_OPT_STRING, { "DENY_ALL" }, NULL_STRING }
 };
 
 struct dp_option ipa_def_ldap_opts[] = {
diff --git a/src/providers/ipa/ipa_common.h b/src/providers/ipa/ipa_common.h
index 26e13456d..f6e1d4e5b 100644
--- a/src/providers/ipa/ipa_common.h
+++ b/src/providers/ipa/ipa_common.h
@@ -51,6 +51,7 @@ enum ipa_basic_opt {
     IPA_HBAC_SEARCH_BASE,
     IPA_KRB5_REALM,
     IPA_HBAC_REFRESH,
+    IPA_HBAC_DENY_METHOD,
 
     IPA_OPTS_BASIC /* opts counter */
 };
-- 
cgit