From 1243e093fd31c5660adf1bb3dd477d6935a755be Mon Sep 17 00:00:00 2001
From: Jakub Hrozek
Date: Mon, 16 Mar 2015 10:35:59 +0100
Subject: IPA: Use custom error codes when validating HBAC rules
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
https://fedorahosted.org/sssd/ticket/2603
Instead of reusing EINVAL/ENOENT, use more descriptive error codes. This will be useful in the next patch where we act on certain codes.
Reviewed-by: Pavel Březina
---
src/providers/ipa/ipa_hbac_common.c | 10 +++++-----
src/providers/ipa/ipa_hbac_hosts.c | 16 ++++++++--------
src/providers/ipa/ipa_hbac_services.c | 16 ++++++++--------
src/providers/ipa/ipa_hbac_users.c | 16 ++++++++--------
src/util/util_errors.c | 2 ++
src/util/util_errors.h | 2 ++
6 files changed, 33 insertions(+), 29 deletions(-)
(limited to 'src')
diff --git a/src/providers/ipa/ipa_hbac_common.c b/src/providers/ipa/ipa_hbac_common.c
index 7d68aa512..d537db1ea 100644
--- a/src/providers/ipa/ipa_hbac_common.c
+++ b/src/providers/ipa/ipa_hbac_common.c
@@ -567,7 +567,7 @@ hbac_eval_user_element(TALLOC_CTX *mem_ctx,
 ret = get_ipa_groupname(users->groups, sysdb,
 member_dn,
 &users->groups[num_groups]);
- if (ret != EOK && ret != ENOENT) {
+ if (ret != EOK && ret != ERR_UNEXPECTED_ENTRY_TYPE) {
 DEBUG(SSSDBG_MINOR_FAILURE, "Parse error on [%s]\n", member_dn);
 goto done;
 } else if (ret == EOK) {
@@ -676,9 +676,9 @@ hbac_eval_service_element(TALLOC_CTX *mem_ctx,
 ret = get_ipa_servicegroupname(tmp_ctx, sysdb,
 (const char *)el->values[i].data,
 &name);
- if (ret != EOK && ret != ENOENT) goto done;
+ if (ret != EOK && ret != ERR_UNEXPECTED_ENTRY_TYPE) goto done;
 
- /* ENOENT means we had a memberOf entry that wasn't a
+ /* ERR_UNEXPECTED_ENTRY_TYPE means we had a memberOf entry that wasn't a
 * service group. We'll just ignore those (could be
 * HBAC rules)
 */
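Review bot: The accepted-failure test in hbac_eval_user_element now whitelists ERR_UNEXPECTED_ENTRY_TYPE instead of ENOENT, so any path inside get_ipa_groupname that still returns a plain ENOENT — none is visible in this patch's hunks, but the helper bodies are not fully shown — would from now on abort the whole evaluation rather than be skipped; worth confirming the three helpers have no remaining ENOENT return. The same applies to the get_ipa_servicegroupname and get_ipa_hostgroupname checks in the next two hunks of this file. Since the purpose of the change is to tell a malformed entry apart from an unexpected one, the `Parse error` DEBUG line here could carry the code so the two cases are distinguishable in logs: `DEBUG(SSSDBG_MINOR_FAILURE, "Parse error on [%s]: %d\n", member_dn, ret);`. hbac_eval_user_element begins and ends outside this hunk.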
@@ -783,9 +783,9 @@ hbac_eval_host_element(TALLOC_CTX *mem_ctx,
 ret = get_ipa_hostgroupname(tmp_ctx, sysdb,
 (const char *)el->values[i].data,
 &name);
- if (ret != EOK && ret != ENOENT) goto done;
+ if (ret != EOK && ret != ERR_UNEXPECTED_ENTRY_TYPE) goto done;
 
- /* ENOENT means we had a memberOf entry that wasn't a
+ /* ERR_UNEXPECTED_ENTRY_TYPE means we had a memberOf entry that wasn't a
 * host group. We'll just ignore those (could be
 * HBAC rules)
 */
diff --git a/src/providers/ipa/ipa_hbac_hosts.c b/src/providers/ipa/ipa_hbac_hosts.c
index 656e0e565..d331cdfab 100644
--- a/src/providers/ipa/ipa_hbac_hosts.c
+++ b/src/providers/ipa/ipa_hbac_hosts.c
@@ -362,14 +362,14 @@ get_ipa_hostgroupname(TALLOC_CTX *mem_ctx,
 }
 
 if (!ldb_dn_validate(dn)) {
- ret = EINVAL;
+ ret = ERR_MALFORMED_ENTRY;
 goto done;
 }
 
 if (ldb_dn_get_comp_num(dn) < 4) {
 /* RDN, hostgroups, accounts, and at least one DC= */
 /* If it's fewer, it's not a group DN */
- ret = ENOENT;
+ ret = ERR_UNEXPECTED_ENTRY_TYPE;
 goto done;
 }
 
@@ -379,7 +379,7 @@ get_ipa_hostgroupname(TALLOC_CTX *mem_ctx,
 /* Shouldn't happen if ldb_dn_validate()
 * passed, but we'll be careful.
 */
- ret = EINVAL;
+ ret = ERR_MALFORMED_ENTRY;
 goto done;
 }
 
@@ -387,7 +387,7 @@ get_ipa_hostgroupname(TALLOC_CTX *mem_ctx,
 /* RDN has the wrong attribute name.
 * It's not a host.
 */
- ret = ENOENT;
+ ret = ERR_UNEXPECTED_ENTRY_TYPE;
 goto done;
 }
 
@@ -395,7 +395,7 @@ get_ipa_hostgroupname(TALLOC_CTX *mem_ctx,
 hostgroup_comp_name = ldb_dn_get_component_name(dn, 1);
 if (strcasecmp("cn", hostgroup_comp_name) != 0) {
 /* The second component name is not "cn" */
- ret = ENOENT;
+ ret = ERR_UNEXPECTED_ENTRY_TYPE;
 goto done;
 }
 
@@ -404,7 +404,7 @@ get_ipa_hostgroupname(TALLOC_CTX *mem_ctx,
 (const char *) hostgroup_comp_val->data,
 hostgroup_comp_val->length) != 0) {
 /* The second component value is not "hostgroups" */
- ret = ENOENT;
+ ret = ERR_UNEXPECTED_ENTRY_TYPE;
 goto done;
 }
 
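Review bot: In the @@ -362 hunk of get_ipa_hostgroupname a failed ldb_dn_validate() now yields ERR_MALFORMED_ENTRY, which the callers in ipa_hbac_common.c treat as a hard failure of the whole element evaluation, yet nothing is logged at the point where the bad DN is detected, so the new code cannot be told apart from an unexpected-type skip when reading the logs. A DEBUG line before the `goto done`, e.g. `DEBUG(SSSDBG_MINOR_FAILURE, "Malformed DN, cannot validate\n");`, would make a corrupt cache entry diagnosable; the same applies to the equivalent hunks in get_ipa_servicegroupname (@@ -606) and get_ipa_groupname (@@ -60). get_ipa_hostgroupname starts and ends outside the hunk.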
@@ -412,7 +412,7 @@ get_ipa_hostgroupname(TALLOC_CTX *mem_ctx,
 account_comp_name = ldb_dn_get_component_name(dn, 2);
 if (strcasecmp("cn", account_comp_name) != 0) {
 /* The third component name is not "cn" */
- ret = ENOENT;
+ ret = ERR_UNEXPECTED_ENTRY_TYPE;
 goto done;
 }
 
@@ -421,7 +421,7 @@ get_ipa_hostgroupname(TALLOC_CTX *mem_ctx,
 (const char *) account_comp_val->data,
 account_comp_val->length) != 0) {
 /* The third component value is not "accounts" */
- ret = ENOENT;
+ ret = ERR_UNEXPECTED_ENTRY_TYPE;
 goto done;
 }
 
diff --git a/src/providers/ipa/ipa_hbac_services.c b/src/providers/ipa/ipa_hbac_services.c
index 3040ce68a..35ee003ef 100644
--- a/src/providers/ipa/ipa_hbac_services.c
+++ b/src/providers/ipa/ipa_hbac_services.c
@@ -606,14 +606,14 @@ get_ipa_servicegroupname(TALLOC_CTX *mem_ctx,
 }
 
 if (!ldb_dn_validate(dn)) {
- ret = EINVAL;
+ ret = ERR_MALFORMED_ENTRY;
 goto done;
 }
 
 if (ldb_dn_get_comp_num(dn) < 4) {
 /* RDN, services, hbac, and at least one DC= */
 /* If it's fewer, it's not a group DN */
- ret = ENOENT;
+ ret = ERR_UNEXPECTED_ENTRY_TYPE;
 goto done;
 }
 
@@ -623,7 +623,7 @@ get_ipa_servicegroupname(TALLOC_CTX *mem_ctx,
 /* Shouldn't happen if ldb_dn_validate()
 * passed, but we'll be careful.
 */
- ret = EINVAL;
+ ret = ERR_MALFORMED_ENTRY;
 goto done;
 }
 
@@ -631,7 +631,7 @@ get_ipa_servicegroupname(TALLOC_CTX *mem_ctx,
 /* RDN has the wrong attribute name.
 * It's not a service.
 */
- ret = ENOENT;
+ ret = ERR_UNEXPECTED_ENTRY_TYPE;
 goto done;
 }
 
@@ -639,7 +639,7 @@ get_ipa_servicegroupname(TALLOC_CTX *mem_ctx,
 svc_comp_name = ldb_dn_get_component_name(dn, 1);
 if (strcasecmp("cn", svc_comp_name) != 0) {
 /* The second component name is not "cn" */
- ret = ENOENT;
+ ret = ERR_UNEXPECTED_ENTRY_TYPE;
 goto done;
 }
 
@@ -648,7 +648,7 @@ get_ipa_servicegroupname(TALLOC_CTX *mem_ctx,
 (const char *) svc_comp_val->data,
 svc_comp_val->length) != 0) {
 /* The second component value is not "hbacservicegroups" */
- ret = ENOENT;
+ ret = ERR_UNEXPECTED_ENTRY_TYPE;
 goto done;
 }
 
@@ -656,7 +656,7 @@ get_ipa_servicegroupname(TALLOC_CTX *mem_ctx,
 hbac_comp_name = ldb_dn_get_component_name(dn, 2);
 if (strcasecmp("cn", hbac_comp_name) != 0) {
 /* The third component name is not "cn" */
- ret = ENOENT;
+ ret = ERR_UNEXPECTED_ENTRY_TYPE;
 goto done;
 }
 
@@ -665,7 +665,7 @@ get_ipa_servicegroupname(TALLOC_CTX *mem_ctx,
 (const char *) hbac_comp_val->data,
 hbac_comp_val->length) != 0) {
 /* The third component value is not "hbac" */
- ret = ENOENT;
+ ret = ERR_UNEXPECTED_ENTRY_TYPE;
 goto done;
 }
 
diff --git a/src/providers/ipa/ipa_hbac_users.c b/src/providers/ipa/ipa_hbac_users.c
index ebf4bf9d5..a8d52ffa5 100644
--- a/src/providers/ipa/ipa_hbac_users.c
+++ b/src/providers/ipa/ipa_hbac_users.c
@@ -60,14 +60,14 @@ get_ipa_groupname(TALLOC_CTX *mem_ctx,
 }
 
 if (!ldb_dn_validate(dn)) {
- ret = EINVAL;
+ ret = ERR_MALFORMED_ENTRY;
 goto done;
 }
 
 if (ldb_dn_get_comp_num(dn) < 4) {
 /* RDN, groups, accounts, and at least one DC= */
 /* If it's fewer, it's not a group DN */
- ret = ENOENT;
+ ret = ERR_UNEXPECTED_ENTRY_TYPE;
 goto done;
 }
 
@@ -77,7 +77,7 @@ get_ipa_groupname(TALLOC_CTX *mem_ctx,
 /* Shouldn't happen if ldb_dn_validate()
 * passed, but we'll be careful.
 */
- ret = EINVAL;
+ ret = ERR_MALFORMED_ENTRY;
 goto done;
 }
 
@@ -85,7 +85,7 @@ get_ipa_groupname(TALLOC_CTX *mem_ctx,
 /* RDN has the wrong attribute name.
 * It's not a group.
 */
- ret = ENOENT;
+ ret = ERR_UNEXPECTED_ENTRY_TYPE;
 goto done;
 }
 
@@ -93,7 +93,7 @@ get_ipa_groupname(TALLOC_CTX *mem_ctx,
 group_comp_name = ldb_dn_get_component_name(dn, 1);
 if (strcasecmp("cn", group_comp_name) != 0) {
 /* The second component name is not "cn" */
- ret = ENOENT;
+ ret = ERR_UNEXPECTED_ENTRY_TYPE;
 goto done;
 }
 
@@ -102,7 +102,7 @@ get_ipa_groupname(TALLOC_CTX *mem_ctx,
 (const char *) group_comp_val->data,
 group_comp_val->length) != 0) {
 /* The second component value is not "groups" */
- ret = ENOENT;
+ ret = ERR_UNEXPECTED_ENTRY_TYPE;
 goto done;
 }
 
@@ -110,7 +110,7 @@ get_ipa_groupname(TALLOC_CTX *mem_ctx,
 account_comp_name = ldb_dn_get_component_name(dn, 2);
 if (strcasecmp("cn", account_comp_name) != 0) {
 /* The third component name is not "cn" */
- ret = ENOENT;
+ ret = ERR_UNEXPECTED_ENTRY_TYPE;
 goto done;
 }
 
@@ -119,7 +119,7 @@ get_ipa_groupname(TALLOC_CTX *mem_ctx,
 (const char *) account_comp_val->data,
 account_comp_val->length) != 0) {
 /* The third component value is not "accounts" */
- ret = ENOENT;
+ ret = ERR_UNEXPECTED_ENTRY_TYPE;
 goto done;
 }
 
diff --git a/src/util/util_errors.c b/src/util/util_errors.c
index 923f0a865..ac08f6277 100644
--- a/src/util/util_errors.c
+++ b/src/util/util_errors.c
@@ -70,6 +70,8 @@ struct err_string error_to_str[] = {
 { "Username format not allowed by re_expression" }, /* ERR_REGEX_NOMATCH */
 { "Time specification not supported" }, /* ERR_TIMESPEC_NOT_SUPPORTED */
 { "Invalid SSSD configuration detected." }, /* ERR_INVALID_CONFIG */
+ { "Malformed cache entry" }, /* ERR_MALFORMED_ENTRY */
+ { "Unexpected cache entry type" }, /* ERR_UNEXPECTED_ENTRY_TYPE */
 { "ERR_LAST" } /* ERR_LAST */
 };
 
diff --git a/src/util/util_errors.h b/src/util/util_errors.h
index 54d474f96..c03274ce2 100644
--- a/src/util/util_errors.h
+++ b/src/util/util_errors.h
@@ -92,6 +92,8 @@ enum sssd_errors {
 ERR_REGEX_NOMATCH,
 ERR_TIMESPEC_NOT_SUPPORTED,
 ERR_INVALID_CONFIG,
+ ERR_MALFORMED_ENTRY,
+ ERR_UNEXPECTED_ENTRY_TYPE,
 ERR_LAST /* ALWAYS LAST */
 };
 
--
cgit