authorJakub Hrozek <jhrozek@redhat.com>2016-07-03 11:41:37 +0200
committerJakub Hrozek <jhrozek@redhat.com>2016-07-06 17:40:21 +0200
commitf3c181a25bee04146a9b0290bd38e95672d27452 (patch)
treedabacf65a8d527d0175705b3f4c09dbdab163eb0
parent4a731c12ca5c34d4781ba939f25a364120bc6480 (diff)
downloadsssd-f3c181a25bee04146a9b0290bd38e95672d27452.tar.gz
sssd-f3c181a25bee04146a9b0290bd38e95672d27452.tar.xz
sssd-f3c181a25bee04146a9b0290bd38e95672d27452.zip
IPA: HBAC evaluator consumes shortnames
SSSD uses an internal format to store user and group names, but the libhbac_ipa library uses only short names. Un-qualify the names before passing them on to the HBAC evaluator.
-rw-r--r--src/providers/ipa/ipa_hbac_users.c38
1 files changed, 28 insertions, 10 deletions
diff --git a/src/providers/ipa/ipa_hbac_users.c b/src/providers/ipa/ipa_hbac_users.c
index 44745cae7..0881647c2 100644
--- a/src/providers/ipa/ipa_hbac_users.c
+++ b/src/providers/ipa/ipa_hbac_users.c
@@ -176,7 +176,8 @@ hbac_user_attrs_to_rule(TALLOC_CTX *mem_ctx,
const char *attrs[] = { SYSDB_NAME, NULL };
size_t num_users = 0;
size_t num_groups = 0;
- const char *name;
+ const char *sysdb_name;
+ char *shortname;
size_t count;
size_t i;
@@ -260,21 +261,29 @@ hbac_user_attrs_to_rule(TALLOC_CTX *mem_ctx,
}
/* Original DN matched a single user. Get the username */
- name = ldb_msg_find_attr_as_string(msgs[0], SYSDB_NAME, NULL);
- if (name == NULL) {
+ sysdb_name = ldb_msg_find_attr_as_string(msgs[0], SYSDB_NAME, NULL);
+ if (sysdb_name == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "Attribute is missing!\n");
ret = EFAULT;
goto done;
}
+ ret = sss_parse_internal_fqname(tmp_ctx, sysdb_name,
+ &shortname, NULL);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Cannot parse %s, skipping\n", sysdb_name);
+ continue;
+ }
+
new_users->names[num_users] = talloc_strdup(new_users->names,
- name);
+ shortname);
if (new_users->names[num_users] == NULL) {
ret = ENOMEM;
goto done;
}
- DEBUG(SSSDBG_TRACE_INTERNAL, "Added user [%s] to rule [%s]\n",
- name, rule_name);
+ DEBUG(SSSDBG_TRACE_INTERNAL,
+ "Added user [%s] to rule [%s]\n", sysdb_name, rule_name);
num_users++;
} else {
/* Check if it is a group instead */
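Review bot: The new `continue` on the sss_parse_internal_fqname() failure leaves `ret` holding the parse error, so if this is the last iteration and the code after the loop returns `ret` rather than resetting it, one unparsable member name turns into a failure of the whole rule instead of the "skipping" the log message promises; the post-loop path is outside this hunk, so please confirm it sets `ret = EOK` before `done`, or reset it right after the DEBUG call. The skip itself deserves a why-comment because it changes what an HBAC rule evaluates to: a member that cannot be un-qualified is silently left out of `new_users->names`, which narrows the rule — fail-closed for an allow rule, but invisible to the admin at anything below SSSDBG_CRIT_FAILURE — e.g. `/* An unparsable member is dropped from the rule rather than aborting the whole rule; this only narrows the rule, so it fails closed. */`. Note also that each iteration allocates `shortname` on `tmp_ctx` and the copy is made with talloc_strdup() onto `new_users->names`, so the per-iteration string lives until `tmp_ctx` is freed; fine for a bounded member list, but worth a `talloc_free(shortname)` after the strdup if rules with many members are expected. The enclosing hbac_user_attrs_to_rule() starts and ends outside this hunk.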
@@ -295,22 +304,31 @@ hbac_user_attrs_to_rule(TALLOC_CTX *mem_ctx,
}
/* Original DN matched a single group. Get the groupname */
- name = ldb_msg_find_attr_as_string(msgs[0], SYSDB_NAME, NULL);
- if (name == NULL) {
+ sysdb_name = ldb_msg_find_attr_as_string(msgs[0],
+ SYSDB_NAME, NULL);
+ if (sysdb_name == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "Attribute is missing!\n");
ret = EFAULT;
goto done;
}
+ ret = sss_parse_internal_fqname(tmp_ctx, sysdb_name,
+ &shortname, NULL);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Cannot parse %s, skipping\n", sysdb_name);
+ continue;
+ }
+
new_users->groups[num_groups] =
- talloc_strdup(new_users->groups, name);
+ talloc_strdup(new_users->groups, shortname);
if (new_users->groups[num_groups] == NULL) {
ret = ENOMEM;
goto done;
}
DEBUG(SSSDBG_TRACE_INTERNAL,
"Added POSIX group [%s] to rule [%s]\n",
- name, rule_name);
+ sysdb_name, rule_name);
num_groups++;
} else {
/* If the group still matches the group pattern,