authorJakub Hrozek <jhrozek@redhat.com>2016-06-15 11:41:44 +0200
committerJakub Hrozek <jhrozek@redhat.com>2016-07-07 10:25:21 +0200
commiteef359b508b898ae99d2bf292a43f0f295a2ba5e (patch)
tree67cbc4e66e32876fea38cbe9ad3058d5c893798d /src/providers/simple
parent6ea6662287147308b81b9c9f2f1f3c992d01bc50 (diff)
SIMPLE: Make the simple access provider work with qualified names
This patch adds a behaviour change to the simple access provider - the simple access list is parsed on the access check itself, which is when the name contexts of all domains have already been established and we are already able to parse the names in the config files with sss_parse_names. We need to support "input names" in the simple access provider because it needs to support flat names which rely on knowing the details about a domain. The simple_access_obtain_filter_lists is intentionally made non-static in order to be called from tests which initialize the name contexts on their own. Reviewed-by: Sumit Bose <sbose@redhat.com>
Diffstat (limited to 'src/providers/simple')
-rw-r--r--src/providers/simple/simple_access.c38
1 files changed, 19 insertions, 19 deletions
diff --git a/src/providers/simple/simple_access.c b/src/providers/simple/simple_access.c
index ca6d49db4..cb72ada20 100644
--- a/src/providers/simple/simple_access.c
+++ b/src/providers/simple/simple_access.c
@@ -41,11 +41,12 @@ static errno_t simple_access_parse_names(TALLOC_CTX *mem_ctx,
{
TALLOC_CTX *tmp_ctx = NULL;
char **out = NULL;
- char *domain = NULL;
- char *name = NULL;
size_t size;
size_t i;
errno_t ret;
+ char *domname = NULL;
+ char *shortname = NULL;
+ struct sss_domain_info *domain;
if (list == NULL) {
*_out = NULL;
@@ -74,28 +75,27 @@ static errno_t simple_access_parse_names(TALLOC_CTX *mem_ctx,
* allow unauthorized access. */
for (i = 0; i < size; i++) {
ret = sss_parse_name(tmp_ctx, be_ctx->domain->names, list[i],
- &domain, &name);
+ &domname, &shortname);
if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse name '%s' [%d]: %s\n",
- list[i], ret, sss_strerror(ret));
+ DEBUG(SSSDBG_OP_FAILURE, "sss_parse_name failed [%d]: %s\n",
+ ret, sss_strerror(ret));
goto done;
}
- if (domain == NULL || strcasecmp(domain, be_ctx->domain->name) == 0 ||
- (be_ctx->domain->flat_name != NULL &&
- strcasecmp(domain, be_ctx->domain->flat_name) == 0)) {
- /* This object belongs to main SSSD domain. Those users and groups
- * are stored without domain part, so we will strip it off.
- * */
- out[i] = talloc_move(out, &name);
+ if (domname != NULL) {
+ domain = find_domain_by_name(be_ctx->domain, domname, true);
+ if (domain == NULL) {
+ ret = ERR_DOMAIN_NOT_FOUND;
+ goto done;
+ }
} else {
- /* Subdomain users and groups are stored as fully qualified names,
- * thus we will remember the domain part.
- *
- * Since subdomains may come and go, we will look for their
- * existence later, during each access check.
- */
- out[i] = talloc_move(out, &list[i]);
+ domain = be_ctx->domain;
+ }
+
+ out[i] = sss_create_internal_fqname(out, shortname, domain->name);
+ if (out[i] == NULL) {
+ ret = EIO;
+ goto done;
}
}
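Review bot: The new `domain == NULL` branch after `find_domain_by_name()` returns `ERR_DOMAIN_NOT_FOUND` without logging anything, and the reworded `sss_parse_name` failure message no longer prints `list[i]`, so an administrator cannot tell which access-list entry made the whole list unusable. Because either failure jumps to `done` and aborts parsing of the entire list, I would keep the entry in both messages, e.g. `DEBUG(SSSDBG_CRIT_FAILURE, "Unknown domain '%s' in simple access list entry '%s'\n", domname, list[i]);` before `ret = ERR_DOMAIN_NOT_FOUND;`. This is also a behaviour change from the removed comment, which deferred subdomain existence checks because subdomains may come and go; failing here is the conservative direction for deny lists, but it presumably also rejects the whole allow list while a subdomain is not yet known, which is worth confirming and stating in a comment. The `done:` label and the rest of `simple_access_parse_names` are outside the hunk.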