diff options
author | Pavel Březina <pbrezina@redhat.com> | 2013-09-12 13:15:47 +0200 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2013-09-17 16:02:20 +0200 |
commit | a0d010f488bf15fb3e170ce04092013fa494401f (patch) | |
tree | 9905eeb01e7aa1a3238bf47dcc1b1d6245908217 /src | |
parent | 219781d47052000eb0a016b665f5c381a48df3cb (diff) | |
download | sssd-a0d010f488bf15fb3e170ce04092013fa494401f.tar.gz sssd-a0d010f488bf15fb3e170ce04092013fa494401f.tar.bz2 sssd-a0d010f488bf15fb3e170ce04092013fa494401f.zip |
simple provider: obey case sensitivity for subdomain users and groups
When comparing username and his groups to access list, we will
obey case sensitivity of object from access list.
Resolves:
https://fedorahosted.org/sssd/ticket/2034
Diffstat (limited to 'src')
-rw-r--r-- | src/providers/simple/simple_access_check.c | 50 |
1 files changed, 43 insertions, 7 deletions
diff --git a/src/providers/simple/simple_access_check.c b/src/providers/simple/simple_access_check.c index b401aef9..a3684311 100644 --- a/src/providers/simple/simple_access_check.c +++ b/src/providers/simple/simple_access_check.c @@ -44,13 +44,22 @@ static errno_t simple_check_users(struct simple_ctx *ctx, const char *username, bool *access_granted) { + struct sss_domain_info *domain = NULL; int i; - bool cs = ctx->domain->case_sensitive; /* First, check whether the user is in the allowed users list */ if (ctx->allow_users != NULL) { for(i = 0; ctx->allow_users[i] != NULL; i++) { - if (sss_string_equal(cs, username, ctx->allow_users[i])) { + domain = find_subdomain_by_object_name(ctx->domain, + ctx->allow_users[i]); + if (domain == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, ("Invalid user %s!\n", + ctx->allow_users[i])); + return EINVAL; + } + + if (sss_string_equal(domain->case_sensitive, username, + ctx->allow_users[i])) { DEBUG(SSSDBG_TRACE_LIBS, ("User [%s] found in allow list, access granted.\n", username)); @@ -74,10 +83,19 @@ simple_check_users(struct simple_ctx *ctx, const char *username, /* Next check whether this user has been specifically denied */ if (ctx->deny_users != NULL) { for(i = 0; ctx->deny_users[i] != NULL; i++) { - if (sss_string_equal(cs, username, ctx->deny_users[i])) { + domain = find_subdomain_by_object_name(ctx->domain, + ctx->deny_users[i]); + if (domain == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, ("Invalid user %s!\n", + ctx->deny_users[i])); + return EINVAL; + } + + if (sss_string_equal(domain->case_sensitive, username, + ctx->deny_users[i])) { DEBUG(SSSDBG_TRACE_LIBS, ("User [%s] found in deny list, access denied.\n", - username)); + ctx->deny_users[i])); /* Return immediately on explicit denial */ *access_granted = false; @@ -93,9 +111,9 @@ static errno_t simple_check_groups(struct simple_ctx *ctx, const char **group_names, bool *access_granted) { + struct sss_domain_info *domain = NULL; bool matched; int i, j; - bool cs = ctx->domain->case_sensitive; /* Now process allow and deny group rules * If access was already granted above, we'll skip @@ -104,8 +122,17 @@ simple_check_groups(struct simple_ctx *ctx, const char **group_names, if (ctx->allow_groups && !*access_granted) { matched = false; for (i = 0; ctx->allow_groups[i]; i++) { + domain = find_subdomain_by_object_name(ctx->domain, + ctx->allow_groups[i]); + if (domain == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, ("Invalid group %s!\n", + ctx->allow_groups[i])); + return EINVAL; + } + for(j = 0; group_names[j]; j++) { - if (sss_string_equal(cs, group_names[j], ctx->allow_groups[i])) { + if (sss_string_equal(domain->case_sensitive, + group_names[j], ctx->allow_groups[i])) { matched = true; break; } @@ -128,8 +155,17 @@ simple_check_groups(struct simple_ctx *ctx, const char **group_names, if (ctx->deny_groups) { matched = false; for (i = 0; ctx->deny_groups[i]; i++) { + domain = find_subdomain_by_object_name(ctx->domain, + ctx->deny_groups[i]); + if (domain == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, ("Invalid group %s!\n", + ctx->deny_groups[i])); + return EINVAL; + } + for(j = 0; group_names[j]; j++) { - if (sss_string_equal(cs, group_names[j], ctx->deny_groups[i])) { + if (sss_string_equal(domain->case_sensitive, + group_names[j], ctx->deny_groups[i])) { matched = true; break; } |