author | Jakub Hrozek <jhrozek@redhat.com> | 2011-12-06 17:08:27 +0100 |
---|---|---|
committer | Stephen Gallagher <sgallagh@redhat.com> | 2011-12-16 14:46:17 -0500 |
commit | c8119652b17229a5aca9b110365c310a6afdce30 (patch) | |
tree | 886725fb79d00649dc850024f75752eba0f7bebb | |
parent | 940e033c0c427d02a34347dbd2f4443fa625b111 (diff) | |
download | sssd-c8119652b17229a5aca9b110365c310a6afdce30.tar.gz sssd-c8119652b17229a5aca9b110365c310a6afdce30.tar.bz2 sssd-c8119652b17229a5aca9b110365c310a6afdce30.zip |
Use the case sensitivity flag in the simple access provider
-rw-r--r-- | src/providers/simple/simple_access.c | 19 | ||||
-rw-r--r-- | src/tests/simple_access-tests.c | 30 |
2 files changed, 45 insertions, 4 deletions
diff --git a/src/providers/simple/simple_access.c b/src/providers/simple/simple_access.c index 4b9c3139..06662e9d 100644 --- a/src/providers/simple/simple_access.c +++ b/src/providers/simple/simple_access.c @@ -24,6 +24,7 @@ #include <security/pam_modules.h> #include "util/util.h" +#include "util/sss_utf8.h" #include "providers/dp_backend.h" #include "db/sysdb.h" #include "providers/simple/simple_access.h" @@ -34,6 +35,15 @@ #define CONFDB_SIMPLE_ALLOW_GROUPS "simple_allow_groups" #define CONFDB_SIMPLE_DENY_GROUPS "simple_deny_groups" +static bool string_equal(bool cs, const char *s1, const char *s2) +{ + if (cs) { + return strcmp(s1, s2) == 0; + } + + return sss_utf8_case_eq((const uint8_t *)s1, (const uint8_t *)s2) == EOK; +} + errno_t simple_access_check(struct simple_ctx *ctx, const char *username, bool *access_granted) { @@ -51,13 +61,14 @@ errno_t simple_access_check(struct simple_ctx *ctx, const char *username, const char *primary_group; gid_t gid; bool matched; + bool cs = ctx->domain->case_sensitive; *access_granted = false; /* First, check whether the user is in the allowed users list */ if (ctx->allow_users != NULL) { for(i = 0; ctx->allow_users[i] != NULL; i++) { - if (strcmp(username, ctx->allow_users[i]) == 0) { + if (string_equal(cs, username, ctx->allow_users[i])) { DEBUG(9, ("User [%s] found in allow list, access granted.\n", username)); @@ -78,7 +89,7 @@ errno_t simple_access_check(struct simple_ctx *ctx, const char *username, /* Next check whether this user has been specifically denied */ if (ctx->deny_users != NULL) { for(i = 0; ctx->deny_users[i] != NULL; i++) { - if (strcmp(username, ctx->deny_users[i]) == 0) { + if (string_equal(cs, username, ctx->deny_users[i])) { DEBUG(9, ("User [%s] found in deny list, access denied.\n", username)); 
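Review bot: In `string_equal`, every result of `sss_utf8_case_eq` other than `EOK` is reported as "not equal", so a comparison that fails for a reason other than a mismatch (invalid UTF-8 or an allocation failure, if the helper can return such errors; its definition is not in this diff) looks the same as a genuine mismatch. For the `deny_users` loop here and the `deny_groups` loop in the later hunk of this file, a failed comparison therefore leaves the entry unmatched and the user is not denied. Consider returning the `errno_t` from the helper and having `simple_access_check` fail with that error when the result is neither `EOK` nor the mismatch code. The helper also deserves a short comment such as `/* Compare s1 and s2: byte-exact when cs is true, UTF-8 case-insensitive otherwise. */`. The body of `simple_access_check` continues outside these hunks.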
@@ -189,7 +200,7 @@ errno_t simple_access_check(struct simple_ctx *ctx, const char *username, matched = false; for (i = 0; ctx->allow_groups[i]; i++) { for(j = 0; groups[j]; j++) { - if (strcmp(groups[j], ctx->allow_groups[i])== 0) { + if (string_equal(cs, groups[j], ctx->allow_groups[i])) { matched = true; break; } @@ -210,7 +221,7 @@ errno_t simple_access_check(struct simple_ctx *ctx, const char *username, matched = false; for (i = 0; ctx->deny_groups[i]; i++) { for(j = 0; groups[j]; j++) { - if (strcmp(groups[j], ctx->deny_groups[i])== 0) { + if (string_equal(cs, groups[j], ctx->deny_groups[i])) { matched = true; break; } diff --git a/src/tests/simple_access-tests.c b/src/tests/simple_access-tests.c index 9cd73d84..4f041d40 100644 --- a/src/tests/simple_access-tests.c +++ b/src/tests/simple_access-tests.c @@ -26,6 +26,7 @@ #include <popt.h> #include <check.h> +#include "confdb/confdb.h" #include "providers/simple/simple_access.h" const char *ulist_1[] = {"u1", "u2", NULL}; @@ -37,6 +38,10 @@ void setup_simple(void) fail_unless(ctx == NULL, "Simple context already initialized."); ctx = talloc_zero(NULL, struct simple_ctx); fail_unless(ctx != NULL, "Cannot create simple context."); + + ctx->domain = talloc_zero(ctx, struct sss_domain_info); + fail_unless(ctx != NULL, "Cannot create domain in simple context."); + ctx->domain->case_sensitive = true; } void teardown_simple(void) 
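Review bot: In `setup_simple`, the check after the new `talloc_zero(ctx, struct sss_domain_info)` tests `ctx` again instead of `ctx->domain`, so a failed allocation is not caught and the next line, `ctx->domain->case_sensitive = true;`, dereferences NULL. The check should read `fail_unless(ctx->domain != NULL, "Cannot create domain in simple context.");`.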
@@ -123,6 +128,30 @@ START_TEST(test_both_set) } END_TEST +START_TEST(test_case) +{ + int ret; + bool access_granted = false; + + ctx->allow_users = discard_const(ulist_1); + ctx->deny_users = NULL; + + ret = simple_access_check(ctx, "U1", &access_granted); + fail_unless(ret == EOK, "access_simple_check failed."); + fail_unless(access_granted == false, "Access granted " + "for user with different case " + "in case-sensitive domain"); + + ctx->domain->case_sensitive = false; + + ret = simple_access_check(ctx, "U1", &access_granted); + fail_unless(ret == EOK, "access_simple_check failed."); + fail_unless(access_granted == true, "Access denied " + "for user with different case " + "in case-insensitive domain"); +} +END_TEST + Suite *access_simple_suite (void) { Suite *s = suite_create("access_simple"); @@ -133,6 +162,7 @@ Suite *access_simple_suite (void) tcase_add_test(tc_allow_deny, test_allow_empty); tcase_add_test(tc_allow_deny, test_deny_empty); tcase_add_test(tc_allow_deny, test_both_set); + tcase_add_test(tc_allow_deny, test_case); suite_add_tcase(s, tc_allow_deny); return s; |
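Review bot: `test_case` exercises the new comparison only through `allow_users`; the deny list, where a case mismatch would let a denied user through, has no case-folding test. A companion test that sets `deny_users` to `ulist_1`, switches the domain to case-insensitive and expects `U1` to be refused would pin that path. It also needs a `tcase_add_test(tc_allow_deny, test_case_deny);` line in `access_simple_suite`. The expected result assumes a deny-list match yields `access_granted == false`, as the debug message in simple_access.c indicates.

```c
START_TEST(test_case_deny)
{
    int ret;
    bool access_granted = true;

    ctx->allow_users = NULL;
    ctx->deny_users = discard_const(ulist_1);
    ctx->domain->case_sensitive = false;

    ret = simple_access_check(ctx, "U1", &access_granted);
    fail_unless(ret == EOK, "access_simple_check failed.");
    fail_unless(access_granted == false, "Access granted "
                "for denied user with different case "
                "in case-insensitive domain");
}
END_TEST
```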