authorJakub Hrozek <jhrozek@redhat.com>2011-12-06 17:08:27 +0100
committerStephen Gallagher <sgallagh@redhat.com>2011-12-16 14:46:17 -0500
commitc8119652b17229a5aca9b110365c310a6afdce30 (patch)
tree886725fb79d00649dc850024f75752eba0f7bebb
parent940e033c0c427d02a34347dbd2f4443fa625b111 (diff)
Use the case sensitivity flag in the simple access provider
-rw-r--r--src/providers/simple/simple_access.c19
-rw-r--r--src/tests/simple_access-tests.c30
2 files changed, 45 insertions, 4 deletions
diff --git a/src/providers/simple/simple_access.c b/src/providers/simple/simple_access.c
index 4b9c3139..06662e9d 100644
--- a/src/providers/simple/simple_access.c
+++ b/src/providers/simple/simple_access.c
@@ -24,6 +24,7 @@
#include <security/pam_modules.h>
#include "util/util.h"
+#include "util/sss_utf8.h"
#include "providers/dp_backend.h"
#include "db/sysdb.h"
#include "providers/simple/simple_access.h"
@@ -34,6 +35,15 @@
#define CONFDB_SIMPLE_ALLOW_GROUPS "simple_allow_groups"
#define CONFDB_SIMPLE_DENY_GROUPS "simple_deny_groups"
+static bool string_equal(bool cs, const char *s1, const char *s2)
+{
+ if (cs) {
+ return strcmp(s1, s2) == 0;
+ }
+
+ return sss_utf8_case_eq((const uint8_t *)s1, (const uint8_t *)s2) == EOK;
+}
+
errno_t simple_access_check(struct simple_ctx *ctx, const char *username,
bool *access_granted)
{
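Review bot: `string_equal` collapses every non-EOK result of `sss_utf8_case_eq` into "not equal", so in the case-insensitive branch a comparison error cannot be told apart from a genuine mismatch. For the allow lists that fails closed, but the deny-list callers in the `@@ -78,7 +89,7 @@` and `@@ -210,7 +221,7 @@` hunks would treat a failed comparison as "not denied" and continue. The definition of `sss_utf8_case_eq` is not on this page, so whether it can return an error distinct from its mismatch code needs confirming; if it can, the helper should return `errno_t` with a `bool *` out-parameter so `simple_access_check` can propagate the error with `*access_granted` still false. At minimum the helper deserves a comment such as `/* NOTE: comparison errors are reported as "not equal" */`.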
@@ -51,13 +61,14 @@ errno_t simple_access_check(struct simple_ctx *ctx, const char *username,
const char *primary_group;
gid_t gid;
bool matched;
+ bool cs = ctx->domain->case_sensitive;
*access_granted = false;
/* First, check whether the user is in the allowed users list */
if (ctx->allow_users != NULL) {
for(i = 0; ctx->allow_users[i] != NULL; i++) {
- if (strcmp(username, ctx->allow_users[i]) == 0) {
+ if (string_equal(cs, username, ctx->allow_users[i])) {
DEBUG(9, ("User [%s] found in allow list, access granted.\n",
username));
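Review bot: The new initializer `bool cs = ctx->domain->case_sensitive;` dereferences `ctx->domain` with no NULL check, before `*access_granted = false;` has run. The test setup in this same commit had to start allocating `ctx->domain`, which suggests a context can exist without one. Assigning `cs` after a guard such as `if (ctx->domain == NULL) return EINVAL;` would turn a crash inside the access check into a refused request. The function body starts and ends outside this hunk, so the guard may already exist elsewhere.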
@@ -78,7 +89,7 @@ errno_t simple_access_check(struct simple_ctx *ctx, const char *username,
/* Next check whether this user has been specifically denied */
if (ctx->deny_users != NULL) {
for(i = 0; ctx->deny_users[i] != NULL; i++) {
- if (strcmp(username, ctx->deny_users[i]) == 0) {
+ if (string_equal(cs, username, ctx->deny_users[i])) {
DEBUG(9, ("User [%s] found in deny list, access denied.\n",
username));
@@ -189,7 +200,7 @@ errno_t simple_access_check(struct simple_ctx *ctx, const char *username,
matched = false;
for (i = 0; ctx->allow_groups[i]; i++) {
for(j = 0; groups[j]; j++) {
- if (strcmp(groups[j], ctx->allow_groups[i])== 0) {
+ if (string_equal(cs, groups[j], ctx->allow_groups[i])) {
matched = true;
break;
}
@@ -210,7 +221,7 @@ errno_t simple_access_check(struct simple_ctx *ctx, const char *username,
matched = false;
for (i = 0; ctx->deny_groups[i]; i++) {
for(j = 0; groups[j]; j++) {
- if (strcmp(groups[j], ctx->deny_groups[i])== 0) {
+ if (string_equal(cs, groups[j], ctx->deny_groups[i])) {
matched = true;
break;
}
diff --git a/src/tests/simple_access-tests.c b/src/tests/simple_access-tests.c
index 9cd73d84..4f041d40 100644
--- a/src/tests/simple_access-tests.c
+++ b/src/tests/simple_access-tests.c
@@ -26,6 +26,7 @@
#include <popt.h>
#include <check.h>
+#include "confdb/confdb.h"
#include "providers/simple/simple_access.h"
const char *ulist_1[] = {"u1", "u2", NULL};
@@ -37,6 +38,10 @@ void setup_simple(void)
fail_unless(ctx == NULL, "Simple context already initialized.");
ctx = talloc_zero(NULL, struct simple_ctx);
fail_unless(ctx != NULL, "Cannot create simple context.");
+
+ ctx->domain = talloc_zero(ctx, struct sss_domain_info);
+ fail_unless(ctx != NULL, "Cannot create domain in simple context.");
+ ctx->domain->case_sensitive = true;
}
void teardown_simple(void)
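Review bot: The assertion added after `talloc_zero(ctx, struct sss_domain_info)` re-checks `ctx` rather than the new allocation, so a failed domain allocation goes unnoticed and the next line dereferences NULL. It should read `fail_unless(ctx->domain != NULL, "Cannot create domain in simple context.");`.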
@@ -123,6 +128,30 @@ START_TEST(test_both_set)
}
END_TEST
+START_TEST(test_case)
+{
+ int ret;
+ bool access_granted = false;
+
+ ctx->allow_users = discard_const(ulist_1);
+ ctx->deny_users = NULL;
+
+ ret = simple_access_check(ctx, "U1", &access_granted);
+ fail_unless(ret == EOK, "access_simple_check failed.");
+ fail_unless(access_granted == false, "Access granted "
+ "for user with different case "
+ "in case-sensitive domain");
+
+ ctx->domain->case_sensitive = false;
+
+ ret = simple_access_check(ctx, "U1", &access_granted);
+ fail_unless(ret == EOK, "access_simple_check failed.");
+ fail_unless(access_granted == true, "Access denied "
+ "for user with different case "
+ "in case-insensitive domain");
+}
+END_TEST
+
Suite *access_simple_suite (void)
{
Suite *s = suite_create("access_simple");
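Review bot: `test_case` exercises the new flag only through `allow_users`; the deny-list path, where a missed match grants access instead of refusing it, has no case-insensitive coverage. A companion test that puts `ulist_1` in `deny_users`, sets `case_sensitive = false` and expects "U1" to be refused would pin that behaviour. It also needs registering with `tcase_add_test(tc_allow_deny, test_case_deny);`. The group comparisons changed in the same commit are likewise untested here, though they appear to need sysdb data that this fixture does not set up.

```c
START_TEST(test_case_deny)
{
    int ret;
    bool access_granted = true;

    ctx->allow_users = NULL;
    ctx->deny_users = discard_const(ulist_1);
    ctx->domain->case_sensitive = false;

    ret = simple_access_check(ctx, "U1", &access_granted);
    fail_unless(ret == EOK, "access_simple_check failed.");
    fail_unless(access_granted == false, "Access granted "
                                         "for denied user with different case "
                                         "in case-insensitive domain");
}
END_TEST
```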
@@ -133,6 +162,7 @@ Suite *access_simple_suite (void)
tcase_add_test(tc_allow_deny, test_allow_empty);
tcase_add_test(tc_allow_deny, test_deny_empty);
tcase_add_test(tc_allow_deny, test_both_set);
+ tcase_add_test(tc_allow_deny, test_case);
suite_add_tcase(s, tc_allow_deny);
return s;