From b6c53b49cde8188bf2f8b493b275118472c4482e Mon Sep 17 00:00:00 2001
From: Pavel Reichl <pavel.reichl@redhat.com>
Date: Wed, 8 Jan 2014 16:03:08 +0000
Subject: [PATCH 52/53] simple access: refresh master domain info
To correctly decide if an object is a member of the main sssd domain, a flat name
is needed. However, the information may not be available when the module is
inited so it may be necessary to refresh this data later while processing a
request.
Resolves:
https://fedorahosted.org/sssd/ticket/2189
---
src/providers/simple/simple_access.c | 135 +++++++++++++++++++++++------------
src/providers/simple/simple_access.h | 2 +
2 files changed, 92 insertions(+), 45 deletions(-)
diff --git a/src/providers/simple/simple_access.c b/src/providers/simple/simple_access.c
index f2bfe755039fd7a370749fd3ce94a47c62c216bc..eab62a826b4749aa5e5dab4a8e491fc2263be4fb 100644
--- a/src/providers/simple/simple_access.c
+++ b/src/providers/simple/simple_access.c
@@ -32,7 +32,76 @@
#define CONFDB_SIMPLE_ALLOW_GROUPS "simple_allow_groups"
#define CONFDB_SIMPLE_DENY_GROUPS "simple_deny_groups"
+#define TIMEOUT_OF_REFRESH_FILTER_LISTS 5
+
static void simple_access_check(struct tevent_req *req);
+static errno_t simple_access_parse_names(TALLOC_CTX *mem_ctx,
+ struct be_ctx *be_ctx,
+ char **list,
+ char ***_out);
+
+static int simple_access_obtain_filter_lists(struct simple_ctx *ctx)
+{
+ struct be_ctx *bectx = ctx->be_ctx;
+ int ret;
+ int i;
+ struct {
+ const char *name;
+ const char *option;
+ char **orig_list;
+ char ***ctx_list;
+ } lists[] = {{"Allow users", CONFDB_SIMPLE_ALLOW_USERS, NULL, NULL},
+ {"Deny users", CONFDB_SIMPLE_DENY_USERS, NULL, NULL},
+ {"Allow groups", CONFDB_SIMPLE_ALLOW_GROUPS, NULL, NULL},
+ {"Deny groups", CONFDB_SIMPLE_DENY_GROUPS, NULL, NULL},
+ {NULL, NULL, NULL, NULL}};
+
+ lists[0].ctx_list = &ctx->allow_users;
+ lists[1].ctx_list = &ctx->deny_users;
+ lists[2].ctx_list = &ctx->allow_groups;
+ lists[3].ctx_list = &ctx->deny_groups;
+
+ ret = sysdb_master_domain_update(bectx->domain);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FUNC_DATA, ("Update of master domain failed [%d]: %s.\n",
+ ret, sss_strerror(ret)));
+ goto failed;
+ }
+
+ for (i = 0; lists[i].name != NULL; i++) {
+ ret = confdb_get_string_as_list(bectx->cdb, ctx, bectx->conf_path,
+ lists[i].option, &lists[i].orig_list);
+ if (ret == ENOENT) {
+ DEBUG(SSSDBG_FUNC_DATA, ("%s list is empty.\n", lists[i].name));
+ *lists[i].ctx_list = NULL;
+ continue;
+ } else if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, ("confdb_get_string_as_list failed.\n"));
+ goto failed;
+ }
+
+ ret = simple_access_parse_names(ctx, bectx, lists[i].orig_list,
+ lists[i].ctx_list);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, ("Unable to parse %s list [%d]: %s\n",
+ lists[i].name, ret, sss_strerror(ret)));
+ goto failed;
+ }
+ }
+
+ if (!ctx->allow_users &&
+ !ctx->allow_groups &&
+ !ctx->deny_users &&
+ !ctx->deny_groups) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ ("No rules supplied for simple access provider. "
+ "Access will be granted for all users.\n"));
+ }
+ return EOK;
+
+failed:
+ return ret;
+}
void simple_access_handler(struct be_req *be_req)
{
@@ -40,13 +109,16 @@ void simple_access_handler(struct be_req *be_req)
struct pam_data *pd;
struct tevent_req *req;
struct simple_ctx *ctx;
+ int ret;
+ time_t now;
pd = talloc_get_type(be_req_get_data(be_req), struct pam_data);
pd->pam_status = PAM_SYSTEM_ERR;
if (pd->cmd != SSS_PAM_ACCT_MGMT) {
- DEBUG(4, ("simple access does not handles pam task %d.\n", pd->cmd));
+ DEBUG(SSSDBG_CONF_SETTINGS,
+ ("simple access does not handle pam task %d.\n", pd->cmd));
pd->pam_status = PAM_MODULE_UNKNOWN;
goto done;
}
@@ -54,6 +126,18 @@ void simple_access_handler(struct be_req *be_req)
ctx = talloc_get_type(be_ctx->bet_info[BET_ACCESS].pvt_bet_data,
struct simple_ctx);
+
+ now = time(NULL);
+ if ((now - ctx->last_refresh_of_filter_lists)
+ > TIMEOUT_OF_REFRESH_FILTER_LISTS) {
+
+ ret = simple_access_obtain_filter_lists(ctx);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE, ("Failed to refresh filter lists\n"));
+ }
+ ctx->last_refresh_of_filter_lists = now;
+ }
+
req = simple_access_check_send(be_req, be_ctx->ev, ctx, pd->user);
if (!req) {
pd->pam_status = PAM_SYSTEM_ERR;
@@ -176,18 +260,6 @@ int sssm_simple_access_init(struct be_ctx *bectx, struct bet_ops **ops,
{
int ret = EINVAL;
struct simple_ctx *ctx;
- int i;
- struct {
- const char *name;
- const char *option;
- char **orig_list;
- char ***ctx_list;
- } lists[] = {{"Allow users", CONFDB_SIMPLE_ALLOW_USERS, NULL, NULL},
- {"Deny users", CONFDB_SIMPLE_DENY_USERS, NULL, NULL},
- {"Allow groups", CONFDB_SIMPLE_ALLOW_GROUPS, NULL, NULL},
- {"Deny groups", CONFDB_SIMPLE_DENY_GROUPS, NULL, NULL},
- {NULL, NULL, NULL, NULL}};
-
ctx = talloc_zero(bectx, struct simple_ctx);
if (ctx == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, ("talloc_zero failed.\n"));
@@ -196,39 +268,11 @@ int sssm_simple_access_init(struct be_ctx *bectx, struct bet_ops **ops,
ctx->domain = bectx->domain;
ctx->be_ctx = bectx;
+ ctx->last_refresh_of_filter_lists = 0;
- lists[0].ctx_list = &ctx->allow_users;
- lists[1].ctx_list = &ctx->deny_users;
- lists[2].ctx_list = &ctx->allow_groups;
- lists[3].ctx_list = &ctx->deny_groups;
-
- for (i = 0; lists[i].name != NULL; i++) {
- ret = confdb_get_string_as_list(bectx->cdb, ctx, bectx->conf_path,
- lists[i].option, &lists[i].orig_list);
- if (ret == ENOENT) {
- DEBUG(SSSDBG_FUNC_DATA, ("%s list is empty.\n", lists[i].name));
- *lists[i].ctx_list = NULL;
- continue;
- } else if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE, ("confdb_get_string_as_list failed.\n"));
- goto failed;
- }
-
- ret = simple_access_parse_names(ctx, bectx, lists[i].orig_list,
- lists[i].ctx_list);
- if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE, ("Unable to parse %s list [%d]: %s\n",
- lists[i].name, ret, sss_strerror(ret)));
- goto failed;
- }
- }
-
- if (!ctx->allow_users &&
- !ctx->allow_groups &&
- !ctx->deny_users &&
- !ctx->deny_groups) {
- DEBUG(SSSDBG_OP_FAILURE, ("No rules supplied for simple access provider. "
- "Access will be granted for all users.\n"));
+ ret = simple_access_obtain_filter_lists(ctx);
+ if (ret != EOK) {
+ goto failed;
}
*ops = &simple_access_ops;
@@ -240,3 +284,4 @@ failed:
talloc_free(ctx);
return ret;
}
+
diff --git a/src/providers/simple/simple_access.h b/src/providers/simple/simple_access.h
index 15dfaceb2d9a6670d3559e4a945c2c7a633fad44..a618b2e2ec16a2f32bad7ceb1f5adb7523199316 100644
--- a/src/providers/simple/simple_access.h
+++ b/src/providers/simple/simple_access.h
@@ -32,6 +32,8 @@ struct simple_ctx {
char **deny_users;
char **allow_groups;
char **deny_groups;
+
+ time_t last_refresh_of_filter_lists;
};
struct tevent_req *simple_access_check_send(TALLOC_CTX *mem_ctx,
--
1.8.4.2