From 6d7450e996e7c699aebf12422cc7080a0782b9ae Mon Sep 17 00:00:00 2001 From: Stephen Gallagher Date: Mon, 6 Jun 2011 22:26:28 -0400 Subject: Rewrite HBAC rule evaluator Add helper function msgs2attrs_array This function converts a list of ldb_messages into a list of sysdb_attrs. Conflicts: src/providers/ldap/ldap_common.c src/providers/ldap/ldap_common.h Add HBAC evaluator and tests Add helper functions for looking up HBAC rule components Remove old HBAC implementation Add new HBAC lookup and evaluation routines Conflicts: Makefile.am Add ipa_hbac_refresh option This option describes the time between refreshes of the HBAC rules on the IPA server. Add ipa_hbac_treat_deny_as option By default, we will treat the presence of any DENY rule as denying all users. This option will allow the admin to explicitly ignore DENY rules during a transitional period. Treat NULL or empty rhost as unknown Previously, we were assuming this meant it was coming from the localhost, but this is not a safe assumption. We will now treat it as unknown and it will fail to match any rule that requires a specified srchost or group of srchosts. libipa_hbac: Support case-insensitive comparisons with UTF8 UTF8 HBAC test Fix memory leak in ipa_hbac_evaluate_rules https://fedorahosted.org/sssd/ticket/933 Fix incorrect NULL check in ipa_hbac_common.c https://fedorahosted.org/sssd/ticket/936 Require matched version and release for libipa_hbac Add rule validator to libipa_hbac https://fedorahosted.org/sssd/ticket/943 --- Makefile.am | 38 ++++++++++++++++++++++++++++++++++++-- 1 file changed, 36 insertions(+), 2 deletions(-) (limited to 'Makefile.am') diff --git a/Makefile.am b/Makefile.am index 49520f3be..d75300bdb 100644 --- a/Makefile.am +++ b/Makefile.am @@ -32,6 +32,7 @@ pipepath = @pipepath@ initdir = @initdir@ logpath = @logpath@ pubconfpath = @pubconfpath@ +pkgconfigdir = $(libdir)/pkgconfig AM_CFLAGS = if WANT_AUX_INFO 
@@ -43,6 +44,8 @@ if HAVE_GCC -Werror-implicit-function-declaration endif +dist_pkgconfig_DATA = + ACLOCAL_AMFLAGS = -I m4 -I . sbin_PROGRAMS = \ @@ -78,7 +81,8 @@ if HAVE_CHECK ipa_ldap_opt-tests \ simple_access-tests \ crypto-tests \ - util-tests + util-tests \ + ipa_hbac-tests endif check_PROGRAMS = \ @@ -358,6 +362,17 @@ if HAVE_NSS endif +lib_LTLIBRARIES = libipa_hbac.la +dist_pkgconfig_DATA += src/providers/ipa/ipa_hbac.pc +libipa_hbac_la_SOURCES = \ + src/providers/ipa/hbac_evaluator.c +libipa_hbac_la_LDFLAGS = \ + -version 1:0:1 \ + -lunistring + +include_HEADERS = \ + src/providers/ipa/ipa_hbac.h + #################### # Program Binaries # #################### @@ -690,6 +705,18 @@ crypto_tests_LDADD = \ $(CHECK_LIBS) \ libsss_test_common.la +ipa_hbac_tests_SOURCES = \ + src/tests/ipa_hbac-tests.c \ + $(SSSD_UTIL_OBJ) +ipa_hbac_tests_CFLAGS = \ + $(AM_CFLAGS) \ + $(CHECK_CFLAGS) +ipa_hbac_tests_LDADD = \ + $(SSSD_LIBS) \ + $(CHECK_LIBS) \ + libsss_test_common.la \ + libipa_hbac.la + endif stress_tests_SOURCES = \ @@ -833,6 +860,12 @@ libsss_ipa_la_SOURCES = \ src/providers/ipa/ipa_auth.c \ src/providers/ipa/ipa_access.c \ src/providers/ipa/ipa_dyndns.c \ + src/providers/ipa/ipa_hbac_hosts.c \ + src/providers/ipa/ipa_hbac_private.h \ + src/providers/ipa/ipa_hbac_rules.c \ + src/providers/ipa/ipa_hbac_services.c \ + src/providers/ipa/ipa_hbac_users.c \ + src/providers/ipa/ipa_hbac_common.c \ src/providers/ldap/ldap_id.c \ src/providers/ldap/ldap_id_enum.c \ src/providers/ldap/ldap_id_cleanup.c \ @@ -870,7 +903,8 @@ libsss_ipa_la_LIBADD = \ $(DHASH_LIBS) \ $(KEYUTILS_LIBS) \ $(KRB5_LIBS) \ - libsss_crypt.la + libsss_crypt.la \ + libipa_hbac.la libsss_ipa_la_LDFLAGS = \ -version-info 1:0:0 \ -module -- cgit
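Review bot: In the hunk that defines `libipa_hbac.la`, `libipa_hbac_la_LDFLAGS` passes `-version 1:0:1`, while the last hunk of this patch shows `libsss_ipa_la_LDFLAGS` using `-version-info 1:0:0`. libtool's documented flag is `-version-info`, so the new library's ABI version is probably not being set as intended; the line should likely read `-version-info 1:0:1 \`. `-lunistring` also sits in `_LDFLAGS`, where automake expects libraries in `libipa_hbac_la_LIBADD = -lunistring` so link order and dependency tracking stay correct. Because this library is installed publicly (`lib_LTLIBRARIES`, `include_HEADERS`, a `.pc` file) and carries the access-control evaluator, a comment above the block stating the versioning policy would help, e.g. `# libipa_hbac: public ABI, bump -version-info on any interface change`.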