From a790a52db5bfe24679873d0083eb35236e616b83 Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Fri, 21 May 2010 15:16:15 +0200
Subject: Check ipaEnabledFlag
---
 src/providers/ipa/ipa_access.c | 28 +++++++++++++++++++++++-----
 1 file changed, 23 insertions(+), 5 deletions(-)
(limited to 'src/providers/ipa/ipa_access.c')
diff --git a/src/providers/ipa/ipa_access.c b/src/providers/ipa/ipa_access.c
index 58f937b89..590ae7894 100644
--- a/src/providers/ipa/ipa_access.c
+++ b/src/providers/ipa/ipa_access.c
@@ -1269,9 +1269,9 @@ enum check_result check_remote_hosts(const char *rhost,
 return RULE_ERROR;
 }
-static errno_t check_if_rule_applies(enum hbac_result *result,
- struct hbac_ctx *hbac_ctx,
- struct sysdb_attrs *rule_attrs) {
+static errno_t check_if_rule_applies(struct hbac_ctx *hbac_ctx,
+ struct sysdb_attrs *rule_attrs,
+ enum hbac_result *result) {
 int ret;
 struct ldb_message_element *el;
 enum hbac_result rule_type;
@@ -1296,6 +1296,24 @@ static errno_t check_if_rule_applies(enum hbac_result *result,
 }
 DEBUG(9, ("Processsing rule [%s].\n", rule_name));
+ ret = sysdb_attrs_get_el(rule_attrs, IPA_ENABLED_FLAG, &el);
+ if (ret != EOK) {
+ DEBUG(1, ("Failed to find out if rule is enabled or not, "
+ "assuming it is enabled.\n"));
+ } else {
+ if (el->num_values == 0) {
+ DEBUG(1, ("Failed to find out if rule is enabled or not, "
+ "assuming it is enabled.\n"));
+ } else {
+ if (strncasecmp("false", (const char*) el->values[0].data,
+ el->values[0].length) == 0) {
+ DEBUG(7, ("Rule is disabled.\n"));
+ *result = HBAC_NOT_APPLICABLE;
+ return EOK;
+ }
+ }
+ }
+
 /* rule type */
 ret = sysdb_attrs_get_el(rule_attrs, IPA_ACCESS_RULE_TYPE, &el);
 if (ret != EOK) {
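Review bot: The disabled-rule test in the added `strncasecmp` call is bounded only by `el->values[0].length`, so a zero-length value or any case-insensitive prefix of "false" compares equal and the rule is skipped as `HBAC_NOT_APPLICABLE`. If the rule type read just below can be a deny rule, a malformed `IPA_ENABLED_FLAG` value would silently drop that denial; requiring an exact length closes this: `if (el->values[0].length == strlen("false") && strncasecmp("false", (const char *) el->values[0].data, el->values[0].length) == 0) {`. Separately, both failure branches only log and then treat the rule as enabled; if `sysdb_attrs_get_el` can fail for reasons other than a missing attribute (not visible here), returning `ret` would be safer than evaluating an allow rule whose state is unknown. The body of `check_if_rule_applies` continues outside the hunk.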
@@ -1363,8 +1381,8 @@ static int evaluate_ipa_hbac_rules(struct hbac_ctx *hbac_ctx,
 for (i = 0; i < hbac_ctx->hbac_rule_count ; i++) {
- ret = check_if_rule_applies(&result, hbac_ctx,
- hbac_ctx->hbac_rule_list[i]);
+ ret = check_if_rule_applies(hbac_ctx, hbac_ctx->hbac_rule_list[i],
+ &result);
 if (ret != EOK) {
 DEBUG(1, ("check_if_rule_applies failed.\n"));
 return ret;
-- cgit