summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorSumit Bose <sbose@redhat.com>2010-05-21 15:16:15 +0200
committerStephen Gallagher <sgallagh@redhat.com>2010-05-27 14:44:14 -0400
commita790a52db5bfe24679873d0083eb35236e616b83 (patch)
tree7e9a83f318c91c0236b474e9e913316bda61aee0
parentd66944d34d4969c2ba1ed1495e2dda91af665156 (diff)
downloadsssd-a790a52db5bfe24679873d0083eb35236e616b83.tar.gz
sssd-a790a52db5bfe24679873d0083eb35236e616b83.tar.bz2
sssd-a790a52db5bfe24679873d0083eb35236e616b83.zip
Check ipaEnabledFlag
-rw-r--r--src/providers/ipa/ipa_access.c28
1 files changed, 23 insertions, 5 deletions
diff --git a/src/providers/ipa/ipa_access.c b/src/providers/ipa/ipa_access.c
index 58f937b8..590ae789 100644
--- a/src/providers/ipa/ipa_access.c
+++ b/src/providers/ipa/ipa_access.c
@@ -1269,9 +1269,9 @@ enum check_result check_remote_hosts(const char *rhost,
return RULE_ERROR;
}
-static errno_t check_if_rule_applies(enum hbac_result *result,
- struct hbac_ctx *hbac_ctx,
- struct sysdb_attrs *rule_attrs) {
+static errno_t check_if_rule_applies(struct hbac_ctx *hbac_ctx,
+ struct sysdb_attrs *rule_attrs,
+ enum hbac_result *result) {
int ret;
struct ldb_message_element *el;
enum hbac_result rule_type;
@@ -1296,6 +1296,24 @@ static errno_t check_if_rule_applies(enum hbac_result *result,
}
DEBUG(9, ("Processsing rule [%s].\n", rule_name));
+ ret = sysdb_attrs_get_el(rule_attrs, IPA_ENABLED_FLAG, &el);
+ if (ret != EOK) {
+ DEBUG(1, ("Failed to find out if rule is enabled or not, "
+ "assuming it is enabled.\n"));
+ } else {
+ if (el->num_values == 0) {
+ DEBUG(1, ("Failed to find out if rule is enabled or not, "
+ "assuming it is enabled.\n"));
+ } else {
+ if (strncasecmp("false", (const char*) el->values[0].data,
+ el->values[0].length) == 0) {
+ DEBUG(7, ("Rule is disabled.\n"));
+ *result = HBAC_NOT_APPLICABLE;
+ return EOK;
+ }
+ }
+ }
+
/* rule type */
ret = sysdb_attrs_get_el(rule_attrs, IPA_ACCESS_RULE_TYPE, &el);
if (ret != EOK) {
@@ -1363,8 +1381,8 @@ static int evaluate_ipa_hbac_rules(struct hbac_ctx *hbac_ctx,
for (i = 0; i < hbac_ctx->hbac_rule_count ; i++) {
- ret = check_if_rule_applies(&result, hbac_ctx,
- hbac_ctx->hbac_rule_list[i]);
+ ret = check_if_rule_applies(hbac_ctx, hbac_ctx->hbac_rule_list[i],
+ &result);
if (ret != EOK) {
DEBUG(1, ("check_if_rule_applies failed.\n"));
return ret;