author | Jakub Hrozek <jhrozek@redhat.com> | 2013-04-17 11:33:41 +0200 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2013-04-19 18:53:41 +0200 |
commit | 18f01e63c1968c29bddb9e48c279b583c0444730 (patch) | |
tree | d0c9156f8dd8d321f51b4c498447164c7173a828 | |
parent | d2e8ad3f8fcb3dcabb56ce9b5e7fada6800cfc77 (diff) | |
Convert the simple access check to new error codes
https://fedorahosted.org/sssd/ticket/453
It makes sense to keep using the boolean for access granted/denied, but
when the user/group is not found, the request would now return
ERR_ACCOUNT_UNKNOWN
-rw-r--r-- | src/providers/simple/simple_access_check.c | 26 |
1 files changed, 17 insertions, 9 deletions
diff --git a/src/providers/simple/simple_access_check.c b/src/providers/simple/simple_access_check.c
index 663b7cea..dc5f3676 100644
--- a/src/providers/simple/simple_access_check.c
+++ b/src/providers/simple/simple_access_check.c
@@ -190,7 +190,8 @@ simple_resolve_group_send(TALLOC_CTX *mem_ctx,
 goto done;
 } else if (ret != EAGAIN) {
 DEBUG(SSSDBG_OP_FAILURE,
- ("Cannot check if group was already updated\n"));
+ ("Cannot check if group was already updated [%d]: %s\n",
+ ret, sss_strerror(ret)));
 goto done;
 }
 /* EAGAIN - still needs update */
@@ -245,14 +246,14 @@ simple_resolve_group_check(struct simple_resolve_group_state *state)
 if (ret != EOK) {
 DEBUG(SSSDBG_OP_FAILURE,
 ("Could not look up group by gid [%lu]: [%d][%s]\n",
- state->gid, ret, strerror(ret)));
+ state->gid, ret, sss_strerror(ret)));
 return ret;
 }
 state->name = ldb_msg_find_attr_as_string(group, SYSDB_NAME, NULL);
 if (!state->name) {
 DEBUG(SSSDBG_OP_FAILURE, ("No group name\n"));
- return ENOENT;
+ return ERR_ACCOUNT_UNKNOWN;
 }
 if (is_posix(group) == false) {
@@ -371,11 +372,12 @@ simple_check_get_groups_send(TALLOC_CTX *mem_ctx,
 username, attrs, &user);
 if (ret == ENOENT) {
 DEBUG(SSSDBG_MINOR_FAILURE, ("No such user %s\n", username));
+ ret = ERR_ACCOUNT_UNKNOWN;
 goto done;
 } else if (ret != EOK) {
 DEBUG(SSSDBG_OP_FAILURE,
 ("Could not look up username [%s]: [%d][%s]\n",
- username, ret, strerror(ret)));
+ username, ret, sss_strerror(ret)));
 goto done;
 }
@@ -563,7 +565,7 @@ simple_check_get_groups_primary(struct simple_check_groups_state *state,
 if (ret != EOK) {
 DEBUG(SSSDBG_OP_FAILURE,
 ("Could not look up primary group [%lu]: [%d][%s]\n",
- gid, ret, strerror(ret)));
+ gid, ret, sss_strerror(ret)));
 /* We have to treat this as non-fatal, because the primary
 * group may be local to the machine and not available in
 * our ID provider.
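Review bot: In simple_resolve_group_check, the DEBUG call whose argument line is changed here prints `state->gid` with `%lu`. The field's declaration is outside the hunk, but if it is a `gid_t` the argument is narrower than `unsigned long` on LP64 targets and the variadic read is undefined, so the gid recorded for a failed lookup in this access-control path cannot be relied on. Cast at the call site: `(unsigned long) state->gid, ret, sss_strerror(ret)));`. The same pattern appears with `gid` in the simple_check_get_groups_primary hunk.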
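Review bot: The ENOENT branch of simple_check_get_groups_send now rewrites `ret` to ERR_ACCOUNT_UNKNOWN, but nothing in the hunk documents that the request can fail with this code. A caller that still compares the result against ENOENT would see an unknown user as a generic failure. A short comment above the assignment would pin the contract, for example `/* Unknown user: report ERR_ACCOUNT_UNKNOWN so the caller can tell it apart from an internal error */`. The function body and its `done` label lie outside the hunk, so how the code reaches the request is not visible here.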
@@ -629,11 +631,15 @@ struct tevent_req *simple_access_check_send(TALLOC_CTX *mem_ctx,
 DEBUG(SSSDBG_FUNC_DATA, ("Simple access check for %s\n", username));
 ret = simple_check_users(ctx, username, &state->access_granted);
- if (ret != EAGAIN) {
- /* Both access denied and an error */
+ if (ret == EOK) {
+ goto immediate;
+ } else if (ret != EAGAIN) {
+ ret = ERR_INTERNAL;
 goto immediate;
 }
+ /* EAGAIN -- check groups */
+
 if (!ctx->allow_groups && !ctx->deny_groups) {
 /* There are no group restrictions, so just return
 * here with whatever we've decided.
@@ -648,7 +654,7 @@ struct tevent_req *simple_access_check_send(TALLOC_CTX *mem_ctx,
 */
 subreq = simple_check_get_groups_send(state, ev, ctx, username);
 if (!subreq) {
- ret = EIO;
+ ret = ENOMEM;
 goto immediate;
 }
 tevent_req_set_callback(subreq, simple_access_check_done, req);
@@ -692,7 +698,9 @@ static void simple_access_check_done(struct tevent_req *subreq)
 ret = simple_check_groups(state->ctx, state->group_names, &state->access_granted);
 if (ret != EOK) {
- tevent_req_error(req, ret);
+ DEBUG(SSSDBG_OP_FAILURE, ("Could not check group access [%d]: %s\n",
+ ret, sss_strerror(ret)));
+ tevent_req_error(req, ERR_INTERNAL);
 return;
 }
|
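Review bot: The new `else if (ret != EAGAIN)` branch in simple_access_check_send overwrites `ret` with ERR_INTERNAL without logging the code that simple_check_users returned, so a failed access decision leaves no trace of its cause. simple_access_check_done in the last hunk logs before mapping to ERR_INTERNAL. Do the same here by adding `DEBUG(SSSDBG_OP_FAILURE, ("Could not check user access [%d]: %s\n", ret, sss_strerror(ret)));` ahead of `ret = ERR_INTERNAL;`. The `immediate` label is outside the hunk, so how each code is delivered to the caller cannot be confirmed from here.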