From e31821dd6f4a4ca9d07b367c26bfb21d6755bef0 Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Tue, 10 Nov 2009 13:38:20 +0100
Subject: Add check for access-time rules to ipa_access.
---
server/providers/ipa/ipa_access.c | 64 +++++++++++++++++++++++++++++++++++++++
server/providers/ipa/ipa_access.h | 2 ++
server/providers/ipa/ipa_init.c | 7 +++++
3 files changed, 73 insertions(+)
(limited to 'server/providers/ipa')
diff --git a/server/providers/ipa/ipa_access.c b/server/providers/ipa/ipa_access.c
index 19b707cd9..18888b9bd 100644
--- a/server/providers/ipa/ipa_access.c
+++ b/server/providers/ipa/ipa_access.c
@@ -29,6 +29,7 @@
 #include "providers/ldap/sdap_async.h"
 #include "providers/ipa/ipa_common.h"
 #include "providers/ipa/ipa_access.h"
+#include "providers/ipa/ipa_timerules.h"
 #define IPA_HOST_MEMBEROF "memberOf"
 #define IPA_HOST_SERVERHOSTNAME "serverHostName"
@@ -1168,6 +1169,63 @@ enum check_result check_service(struct pam_data *pd,
 return RULE_ERROR;
 }
+enum check_result check_access_time(struct time_rules_ctx *tr_ctx,
+ struct sysdb_attrs *rule_attrs)
+{
+ int ret;
+ int i;
+ TALLOC_CTX *tmp_ctx = NULL;
+ struct ldb_message_element *el;
+ char *rule;
+ time_t now;
+ bool result;
+
+ now = time(NULL);
+ if (now == (time_t) -1) {
+ DEBUG(1, ("time failed [%d][%s].\n", errno, strerror(errno)));
+ return RULE_ERROR;
+ }
+
+ ret = sysdb_attrs_get_el(rule_attrs, IPA_ACCESS_TIME, &el);
+ if (ret != EOK) {
+ DEBUG(1, ("sysdb_attrs_get_el failed.\n"));
+ return RULE_ERROR;
+ }
+ if (el->num_values == 0) {
+ DEBUG(9, ("No access time specified, assuming rule applies.\n"));
+ return RULE_APPLICABLE;
+ } else {
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ DEBUG(1, ("talloc_new failed.\n"));
+ return RULE_ERROR;
+ }
+
+ for (i = 0; i < el->num_values; i++) {
+ rule = talloc_strndup(tmp_ctx, (const char *) el->values[i].data,
+ el->values[i].length);
+ ret = check_time_rule(tmp_ctx, tr_ctx, rule, now, &result);
+ if (ret != EOK) {
+ DEBUG(1, ("check_time_rule failed.\n"));
+ ret = RULE_ERROR;
+ goto done;
+ }
+
+ if (result) {
+ DEBUG(9, ("Current time [%d] matches rule [%s].\n", now, rule));
+ ret = RULE_APPLICABLE;
+ goto done;
+ }
+ }
+ }
+
+ ret = RULE_NOT_APPLICABLE;
+
+done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
 enum check_result check_user(struct hbac_ctx *hbac_ctx,
 struct sysdb_attrs *rule_attrs)
 {
@@ -1343,6 +1401,11 @@ static errno_t check_if_rule_applies(enum hbac_result *result,
 goto not_applicable;
 }
+ ret = check_access_time(hbac_ctx->tr_ctx, rule_attrs);
+ if (ret != RULE_APPLICABLE) {
+ goto not_applicable;
+ }
+
 ret = check_remote_hosts(pd, rule_attrs);
 if (ret != RULE_APPLICABLE) {
 goto not_applicable;
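Review bot: In check_access_time's loop, `rule = talloc_strndup(tmp_ctx, (const char *) el->values[i].data, el->values[i].length);` is never checked for NULL before being handed to check_time_rule, so an allocation failure while evaluating an HBAC rule dereferences NULL inside the access provider instead of reporting an error; add `if (rule == NULL) { ret = RULE_ERROR; goto done; }` directly after the strndup. The debug line `("Current time [%d] matches rule [%s].\n", now, rule)` passes a time_t to `%d`, which is undefined wherever time_t is wider than int — print it as `(long) now` with `%ld`. Less visibly, the loop index `i` is a plain int compared against `el->num_values`; if that field is unsigned (the usual ldb type, not visible here), declare `i` unsigned to avoid the signed/unsigned comparison.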
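Review bot: The new call in check_if_rule_applies folds RULE_ERROR into the not_applicable path, so a malformed or unparseable accessTime value (check_time_rule returning non-EOK, or the sysdb lookup failing) makes the whole rule silently drop out of the evaluation rather than failing the access check. For an access-control decision that is the unsafe direction for any rule whose absence widens what is permitted; a bad time expression should surface as an evaluation failure and be logged with the rule, not vanish. This mirrors how the neighbouring checks are handled, and check_if_rule_applies begins and ends outside this hunk, so whether RULE_ERROR is meant to be distinguishable from RULE_NOT_APPLICABLE anywhere is not visible here — if it is not, consider returning an error from check_if_rule_applies for `ret == RULE_ERROR` instead of `goto not_applicable`.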
@@ -1426,6 +1489,7 @@ void ipa_access_handler(struct be_req *be_req)
 struct ipa_access_ctx);
 hbac_ctx->sdap_ctx = ipa_access_ctx->sdap_ctx;
 hbac_ctx->ipa_options = ipa_access_ctx->ipa_options;
+ hbac_ctx->tr_ctx = ipa_access_ctx->tr_ctx;
 req = hbac_get_host_info_send(hbac_ctx, be_req->be_ctx->ev,
 hbac_ctx->sdap_ctx, be_req->be_ctx->sysdb,
diff --git a/server/providers/ipa/ipa_access.h b/server/providers/ipa/ipa_access.h
index e4903cb74..1b01e9fe1 100644
--- a/server/providers/ipa/ipa_access.h
+++ b/server/providers/ipa/ipa_access.h
@@ -35,11 +35,13 @@ enum ipa_access_mode {
 struct ipa_access_ctx {
 struct sdap_id_ctx *sdap_ctx;
 struct dp_option *ipa_options;
+ struct time_rules_ctx *tr_ctx;
 };
 struct hbac_ctx {
 struct sdap_id_ctx *sdap_ctx;
 struct dp_option *ipa_options;
+ struct time_rules_ctx *tr_ctx;
 struct be_req *be_req;
 struct pam_data *pd;
 struct hbac_host_info **hbac_host_info;
diff --git a/server/providers/ipa/ipa_init.c b/server/providers/ipa/ipa_init.c
index 7ef98e62e..1b93e14dd 100644
--- a/server/providers/ipa/ipa_init.c
+++ b/server/providers/ipa/ipa_init.c
@@ -30,6 +30,7 @@
 #include "providers/ipa/ipa_common.h"
 #include "providers/krb5/krb5_auth.h"
 #include "providers/ipa/ipa_access.h"
+#include "providers/ipa/ipa_timerules.h"
 struct ipa_options *ipa_options = NULL;
@@ -233,6 +234,12 @@ int sssm_ipa_access_init(struct be_ctx *bectx,
 goto done;
 }
+ ret = init_time_rules_parser(ipa_access_ctx, &ipa_access_ctx->tr_ctx);
+ if (ret != EOK) {
+ DEBUG(1, ("init_time_rules_parser failed.\n"));
+ goto done;
+ }
+
 *ops = &ipa_access_ops;
 *pvt_data = ipa_access_ctx;
--
cgit