From dc71edea5cda411cdce039777a2ba3b00e19ca27 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Thu, 15 Oct 2009 12:03:31 +0200 Subject: more implicit provider target settings If auth_provider or access_provider is not set explicitly, id_provider is used if it can handle auth or access control requests respectively. If not, auth defaults to 'none' and the access_provider is set to 'permit'. The option 'deny' is added for the access_provider to explicitly deny access. --- server/man/sssd.conf.5.xml | 29 +++++++++++++++++- server/providers/data_provider_be.c | 61 +++++++++++++++++++++++++++++-------- 2 files changed, 76 insertions(+), 14 deletions(-) diff --git a/server/man/sssd.conf.5.xml b/server/man/sssd.conf.5.xml index 7af229251..4b8a92f8b 100644 --- a/server/man/sssd.conf.5.xml +++ b/server/man/sssd.conf.5.xml @@ -469,6 +469,33 @@ proxy for relaying authentication to some other PAM target. + + none disables authentication explicitly. + + + Default: id_provider is used if it + is set and can handle authentication requests. + + + + + access_provider (string) + + + The access control provider used for the domain. + Supported access providers are: + + + permit always allow access. + + + deny always deny access. + + + Default: id_provider is used if it + is set and can handle access control requests or + permit otherwise. + @@ -504,7 +531,7 @@ Default: auth_provider is used if it - is set and can handle change password request. + is set and can handle change password requests. diff --git a/server/providers/data_provider_be.c b/server/providers/data_provider_be.c index f7830c993..a5f1b645b 100644 --- a/server/providers/data_provider_be.c +++ b/server/providers/data_provider_be.c @@ -46,6 +46,7 @@ #define MSG_TARGET_NO_CONFIGURED "sssd_be: The requested target is not configured" #define ACCESS_PERMIT "permit" +#define ACCESS_DENY "deny" #define NO_PROVIDER "none" struct sbus_method monitor_be_methods[] = { 
@@ -799,6 +800,21 @@ static struct bet_ops be_target_access_permit_ops = { .finalize = NULL }; +static void be_target_access_deny(struct be_req *be_req) +{ + struct pam_data *pd = talloc_get_type(be_req->req_data, struct pam_data); + DEBUG(9, ("be_target_access_deny called, returning PAM_PERM_DENIED.\n")); + + pd->pam_status = PAM_PERM_DENIED; + be_req->fn(be_req, DP_ERR_OK, PAM_PERM_DENIED, NULL); +} + +static struct bet_ops be_target_access_deny_ops = { + .check_online = NULL, + .handler = be_target_access_deny, + .finalize = NULL +}; + static int load_backend_module(struct be_ctx *ctx, enum bet_type bet_type, struct bet_info *bet_info, @@ -853,13 +869,23 @@ static int load_backend_module(struct be_ctx *ctx, goto done; } - if (strcmp(mod_name, ACCESS_PERMIT) == 0) { - (*bet_info).bet_ops = &be_target_access_permit_ops; - (*bet_info).pvt_bet_data = NULL; - (*bet_info).mod_name = talloc_strdup(ctx, ACCESS_PERMIT); + if (bet_type == BET_ACCESS) { + if (strcmp(mod_name, ACCESS_PERMIT) == 0) { + (*bet_info).bet_ops = &be_target_access_permit_ops; + (*bet_info).pvt_bet_data = NULL; + (*bet_info).mod_name = talloc_strdup(ctx, ACCESS_PERMIT); - ret = EOK; - goto done; + ret = EOK; + goto done; + } + if (strcmp(mod_name, ACCESS_DENY) == 0) { + (*bet_info).bet_ops = &be_target_access_deny_ops; + (*bet_info).pvt_bet_data = NULL; + (*bet_info).mod_name = talloc_strdup(ctx, ACCESS_DENY); + + ret = EOK; + goto done; + } } mod_init_fn_name = talloc_asprintf(tmp_ctx, @@ -997,7 +1023,8 @@ int be_process_init(TALLOC_CTX *mem_ctx, ctx->bet_info[BET_ID].mod_name)); ret = load_backend_module(ctx, BET_AUTH, - &ctx->bet_info[BET_AUTH], NULL); + &ctx->bet_info[BET_AUTH], + ctx->bet_info[BET_ID].mod_name); if (ret != EOK) { if (ret != ENOENT) { DEBUG(0, ("fatal error initializing data providers\n")); 
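Review bot: `be_target_access_deny` writes `pd->pam_status` without checking `pd`, and `talloc_get_type` returns NULL when `be_req->req_data` is not a `struct pam_data`, so a request of another type reaching the deny target would crash the backend instead of being refused. Since this is the explicit fail-closed target, guard it using only what the hunk already has in scope: `if (pd == NULL) { be_req->fn(be_req, DP_ERR_OK, PAM_PERM_DENIED, NULL); return; }` — the request is still answered, and still answered as denied. The sibling permit handler presumably follows the same unchecked pattern; its body starts before this hunk, so I cannot confirm that here.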
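Review bot: Both built-in branches inside the new `bet_type == BET_ACCESS` block leave the `talloc_strdup` result unchecked, so an allocation failure returns EOK with `(*bet_info).mod_name == NULL`, and be_process_init later hands that pointer to a `%s` DEBUG format. Add `if ((*bet_info).mod_name == NULL) { ret = ENOMEM; goto done; }` after each strdup, or collapse the two near-identical branches into one that selects the ops pointer and the constant and then does a single checked strdup. load_backend_module starts and ends outside this hunk, so I cannot tell whether `done:` tolerates a half-filled bet_info on the error path; if it does not, the ops/pvt assignments should move after the successful strdup.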
@@ -1011,14 +1038,22 @@ int be_process_init(TALLOC_CTX *mem_ctx, } ret = load_backend_module(ctx, BET_ACCESS, - &ctx->bet_info[BET_ACCESS], ACCESS_PERMIT); + &ctx->bet_info[BET_ACCESS], + ctx->bet_info[BET_ID].mod_name); if (ret != EOK) { - DEBUG(0, ("No ACCESS backend target available.\n")); - return ret; - } else { - DEBUG(9, ("ACCESS backend target successfully loaded " - "from provider [%s].\n", ctx->bet_info[BET_ACCESS].mod_name)); + if (ret != ENOENT) { + DEBUG(0, ("No ACCESS backend target available.\n")); + return ret; + } + ret = load_backend_module(ctx, BET_ACCESS, + &ctx->bet_info[BET_ACCESS], ACCESS_PERMIT); + if (ret != EOK) { + DEBUG(0, ("Failed to set ACCESS backend to default (permit).\n")); + return ret; + } } + DEBUG(9, ("ACCESS backend target successfully loaded " + "from provider [%s].\n", ctx->bet_info[BET_ACCESS].mod_name)); ret = load_backend_module(ctx, BET_CHPASS, &ctx->bet_info[BET_CHPASS], -- cgit
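Review bot: The implicit fallback to `permit` is a fail-open default, and the only record of it is the level-9 DEBUG after the block, which also fires for an explicitly configured provider and does not say the choice was implicit. Log the fallback where it is decided, at a level that reaches default logs, e.g. immediately before the second `load_backend_module` call: `DEBUG(1, ("access_provider not set and id_provider [%s] has no access target; defaulting to 'permit'.\n", ctx->bet_info[BET_ID].mod_name));`. This assumes ENOENT here means only "the id_provider has no access target", as the commit message implies; if load_backend_module also returns ENOENT for other missing-symbol or misconfiguration cases, the fallback silently permits in those cases too, and the `ret != ENOENT` check deserves a comment saying exactly which condition is being treated as "no provider". be_process_init continues past the end of this hunk.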