summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--server/providers/ipa/ipa_access.c62
1 files changed, 54 insertions, 8 deletions
diff --git a/server/providers/ipa/ipa_access.c b/server/providers/ipa/ipa_access.c
index 18888b9b..8be91a61 100644
--- a/server/providers/ipa/ipa_access.c
+++ b/server/providers/ipa/ipa_access.c
@@ -45,6 +45,7 @@
#define IPA_UNIQUE_ID "ipauniqueid"
#define IPA_ENABLED_FLAG "ipaenabledflag"
#define IPA_MEMBER_HOST "memberHost"
+#define IPA_HOST_CATEGORY "hostCategory"
#define IPA_CN "cn"
#define IPA_HOST_BASE_TMPL "cn=computers,cn=accounts,dc=%s"
@@ -790,7 +791,7 @@ static struct tevent_req *hbac_get_rules_send(TALLOC_CTX *memctx,
goto fail;
}
- state->hbac_attrs = talloc_array(state, const char *, 13);
+ state->hbac_attrs = talloc_array(state, const char *, 15);
if (state->hbac_attrs == NULL) {
DEBUG(1, ("Failed to allocate HBAC attribute list.\n"));
ret = ENOMEM;
@@ -808,10 +809,14 @@ static struct tevent_req *hbac_get_rules_send(TALLOC_CTX *memctx,
state->hbac_attrs[9] = IPA_ENABLED_FLAG;
state->hbac_attrs[10] = IPA_CN;
state->hbac_attrs[11] = "objectclass";
- state->hbac_attrs[12] = NULL;
+ state->hbac_attrs[12] = IPA_MEMBER_HOST;
+ state->hbac_attrs[13] = IPA_HOST_CATEGORY;
+ state->hbac_attrs[14] = NULL;
state->hbac_filter = talloc_asprintf(state,
- "(&(objectclass=ipaHBACRule)(|(%s=%s)",
+ "(&(objectclass=ipaHBACRule)"
+ "(|(%s=%s)(%s=%s)",
+ IPA_HOST_CATEGORY, "all",
IPA_MEMBER_HOST, host_dn);
if (state->hbac_filter == NULL) {
ret = ENOMEM;
@@ -1239,14 +1244,33 @@ enum check_result check_user(struct hbac_ctx *hbac_ctx,
return RULE_ERROR;
}
-/* TODO: add group and category checks */
+ ret = sysdb_attrs_get_el(rule_attrs, IPA_USER_CATEGORY, &el);
+ if (ret != EOK) {
+ DEBUG(1, ("sysdb_attrs_get_el failed.\n"));
+ return RULE_ERROR;
+ }
+ if (el->num_values == 0) {
+ DEBUG(9, ("USer category is not set.\n"));
+ } else {
+ for (i = 0; i < el->num_values; i++) {
+ if (strncasecmp("all", (const char *) el->values[i].data,
+ el->values[i].length) == 0) {
+ DEBUG(9, ("User category is set to 'all', rule applies.\n"));
+ return RULE_APPLICABLE;
+ }
+ DEBUG(9, ("Unsupported user category [%.*s].\n",
+ el->values[i].length,
+ (char *) el->values[i].data));
+ }
+ }
+
ret = sysdb_attrs_get_el(rule_attrs, IPA_MEMBER_USER, &el);
if (ret != EOK) {
DEBUG(1, ("sysdb_attrs_get_el failed.\n"));
return RULE_ERROR;
}
if (el->num_values == 0) {
- DEBUG(9, ("No user specified, assuming rule applies.\n"));
+ DEBUG(9, ("No user specified, rule does not apply.\n"));
return RULE_APPLICABLE;
} else {
for (i = 0; i < el->num_values; i++) {
@@ -1283,6 +1307,7 @@ enum check_result check_remote_hosts(struct pam_data *pd,
{
int ret;
int i;
+ struct ldb_message_element *cat_el;
struct ldb_message_element *src_el;
struct ldb_message_element *ext_el;
const char *remote_hostname;
@@ -1301,7 +1326,28 @@ enum check_result check_remote_hosts(struct pam_data *pd,
remote_hostname = pd->rhost;
}
-/* TODO: add group and category checks */
+ ret = sysdb_attrs_get_el(rule_attrs, IPA_SOURCE_HOST_CATEGORY, &cat_el);
+ if (ret != EOK) {
+ DEBUG(1, ("sysdb_attrs_get_el failed.\n"));
+ return RULE_ERROR;
+ }
+ if (cat_el->num_values == 0) {
+ DEBUG(9, ("Source host category not set.\n"));
+ } else {
+ for(i = 0; i < cat_el->num_values; i++) {
+ if (strncasecmp("all", (const char *) cat_el->values[i].data,
+ cat_el->values[i].length) == 0) {
+ DEBUG(9, ("Source host category is set to 'all', "
+ "rule applies.\n"));
+ return RULE_APPLICABLE;
+ }
+ DEBUG(9, ("Unsupported source hosts category [%.*s].\n",
+ cat_el->values[i].length,
+ (char *) cat_el->values[i].data));
+ }
+ }
+
+
ret = sysdb_attrs_get_el(rule_attrs, IPA_SOURCE_HOST, &src_el);
if (ret != EOK) {
DEBUG(1, ("sysdb_attrs_get_el failed.\n"));
@@ -1314,8 +1360,8 @@ enum check_result check_remote_hosts(struct pam_data *pd,
}
if (src_el->num_values == 0 && ext_el->num_values == 0) {
- DEBUG(9, ("No remote host specified, assuming rule applies.\n"));
- return RULE_APPLICABLE;
+ DEBUG(9, ("No remote host specified, rule does not apply.\n"));
+ return RULE_NOT_APPLICABLE;
} else {
for (i = 0; i < src_el->num_values; i++) {
if (strncasecmp(remote_hostname,