simple provider: obey case sensitivity for subdomain users and groups

When comparing username and his groups to access list, we will obey case sensitivity of object from access list. Resolves: https://fedorahosted.org/sssd/ticket/2034
author: Pavel Březina <pbrezina@redhat.com> 2013-09-12 13:15:47 +0200
committer: Jakub Hrozek <jhrozek@redhat.com> 2013-09-17 16:02:20 +0200
commit: a0d010f488bf15fb3e170ce04092013fa494401f (patch)
tree: 9905eeb01e7aa1a3238bf47dcc1b1d6245908217
parent: 219781d47052000eb0a016b665f5c381a48df3cb (diff)
download: sssd-a0d010f488bf15fb3e170ce04092013fa494401f.tar.gz
sssd-a0d010f488bf15fb3e170ce04092013fa494401f.tar.bz2
sssd-a0d010f488bf15fb3e170ce04092013fa494401f.zip
1 files changed, 43 insertions, 7 deletions
diff --git a/src/providers/simple/simple_access_check.c b/src/providers/simple/simple_access_check.c
index b401aef9..a3684311 100644
--- a/src/providers/simple/simple_access_check.c
+++ b/src/providers/simple/simple_access_check.c
@@ -44,13 +44,22 @@ static errno_t
 simple_check_users(struct simple_ctx *ctx, const char *username,
                    bool *access_granted)
 {
+    struct sss_domain_info *domain = NULL;
     int i;
-    bool cs = ctx->domain->case_sensitive;
 
     /* First, check whether the user is in the allowed users list */
     if (ctx->allow_users != NULL) {
         for(i = 0; ctx->allow_users[i] != NULL; i++) {
-            if (sss_string_equal(cs, username, ctx->allow_users[i])) {
+            domain = find_subdomain_by_object_name(ctx->domain,
+                                                   ctx->allow_users[i]);
+            if (domain == NULL) {
+                DEBUG(SSSDBG_CRIT_FAILURE, ("Invalid user %s!\n",
+                                            ctx->allow_users[i]));
+                return EINVAL;
+            }
+
+            if (sss_string_equal(domain->case_sensitive, username,
+                                 ctx->allow_users[i])) {
                 DEBUG(SSSDBG_TRACE_LIBS,
                       ("User [%s] found in allow list, access granted.\n",
                       username));
@@ -74,10 +83,19 @@ simple_check_users(struct simple_ctx *ctx, const char *username,
     /* Next check whether this user has been specifically denied */
     if (ctx->deny_users != NULL) {
         for(i = 0; ctx->deny_users[i] != NULL; i++) {
-            if (sss_string_equal(cs, username, ctx->deny_users[i])) {
+            domain = find_subdomain_by_object_name(ctx->domain,
+                                                   ctx->deny_users[i]);
+            if (domain == NULL) {
+                DEBUG(SSSDBG_CRIT_FAILURE, ("Invalid user %s!\n",
+                                            ctx->deny_users[i]));
+                return EINVAL;
+            }
+
+            if (sss_string_equal(domain->case_sensitive, username,
+                                 ctx->deny_users[i])) {
                 DEBUG(SSSDBG_TRACE_LIBS,
                       ("User [%s] found in deny list, access denied.\n",
-                      username));
+                        ctx->deny_users[i]));
 
                 /* Return immediately on explicit denial */
                 *access_granted = false;
@@ -93,9 +111,9 @@ static errno_t
 simple_check_groups(struct simple_ctx *ctx, const char **group_names,
                     bool *access_granted)
 {
+    struct sss_domain_info *domain = NULL;
     bool matched;
     int i, j;
-    bool cs = ctx->domain->case_sensitive;
 
     /* Now process allow and deny group rules
      * If access was already granted above, we'll skip
@@ -104,8 +122,17 @@ simple_check_groups(struct simple_ctx *ctx, const char **group_names,
     if (ctx->allow_groups && !*access_granted) {
         matched = false;
         for (i = 0; ctx->allow_groups[i]; i++) {
+            domain = find_subdomain_by_object_name(ctx->domain,
+                                                   ctx->allow_groups[i]);
+            if (domain == NULL) {
+                DEBUG(SSSDBG_CRIT_FAILURE, ("Invalid group %s!\n",
+                                            ctx->allow_groups[i]));
+                return EINVAL;
+            }
+
             for(j = 0; group_names[j]; j++) {
-                if (sss_string_equal(cs, group_names[j], ctx->allow_groups[i])) {
+                if (sss_string_equal(domain->case_sensitive,
+                                     group_names[j], ctx->allow_groups[i])) {
                     matched = true;
                     break;
                 }
@@ -128,8 +155,17 @@ simple_check_groups(struct simple_ctx *ctx, const char **group_names,
     if (ctx->deny_groups) {
         matched = false;
         for (i = 0; ctx->deny_groups[i]; i++) {
+            domain = find_subdomain_by_object_name(ctx->domain,
+                                                   ctx->deny_groups[i]);
+            if (domain == NULL) {
+                DEBUG(SSSDBG_CRIT_FAILURE, ("Invalid group %s!\n",
+                                            ctx->deny_groups[i]));
+                return EINVAL;
+            }
+
             for(j = 0; group_names[j]; j++) {
-                if (sss_string_equal(cs, group_names[j], ctx->deny_groups[i])) {
+                if (sss_string_equal(domain->case_sensitive,
+                                     group_names[j], ctx->deny_groups[i])) {
                     matched = true;
                     break;
                 }
author	Pavel Březina <pbrezina@redhat.com>	2013-09-12 13:15:47 +0200
committer	Jakub Hrozek <jhrozek@redhat.com>	2013-09-17 16:02:20 +0200
commit	a0d010f488bf15fb3e170ce04092013fa494401f (patch)
tree	9905eeb01e7aa1a3238bf47dcc1b1d6245908217
parent	219781d47052000eb0a016b665f5c381a48df3cb (diff)
download	sssd-a0d010f488bf15fb3e170ce04092013fa494401f.tar.gz sssd-a0d010f488bf15fb3e170ce04092013fa494401f.tar.bz2 sssd-a0d010f488bf15fb3e170ce04092013fa494401f.zip