static errno_t
get_krb_primary(struct map_id_name_to_krb_primary *name_to_primary,
char *id_prov_name, bool cs, const char **_krb_primary)
{
errno_t ret;
int i = 0;
while(name_to_primary != NULL &&
name_to_primary[i].id_name != NULL &&
name_to_primary[i].krb_primary != NULL) {
if (sss_string_equal(cs, name_to_primary[i].id_name, id_prov_name)) {
*_krb_primary = name_to_primary[i].krb_primary;
ret = EOK;
goto done;
}
i++;
}
/* Handle also the case of name_to_primary being NULL */
ret = ENOENT;
done:
return ret;
}
/* Returns EOK if the result is definitive, EAGAIN if only partial result
*/
static errno_t
simple_check_users(struct simple_ctx *ctx, const char *username,
bool *access_granted)
{
struct sss_domain_info *domain = NULL;
int i;
/* First, check whether the user is in the allowed users list */
if (ctx->allow_users != NULL) {
for(i = 0; ctx->allow_users[i] != NULL; i++) {
domain = find_domain_by_object_name(ctx->domain,
ctx->allow_users[i]);
if (domain == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "Invalid user %s!\n",
ctx->allow_users[i]);
return EINVAL;
}
if (sss_string_equal(domain->case_sensitive, username,
ctx->allow_users[i])) {
DEBUG(SSSDBG_TRACE_LIBS,
"User [%s] found in allow list, access granted.\n",
username);
/* Do not return immediately on explicit allow
* We need to make sure none of the user's groups
* are denied.
*/
*access_granted = true;
}
}
} else if (!ctx->allow_groups) {
/* If neither allow rule is in place, we'll assume allowed
* unless a deny rule disables us below.
*/
DEBUG(SSSDBG_TRACE_LIBS,
"No allow rule, assumuing allow unless explicitly denied\n");
*access_granted = true;
}
/* Next check whether this user has been specifically denied */
if (ctx->deny_users != NULL) {
for(i = 0; ctx->deny_users[i] != NULL; i++) {
domain = find_domain_by_object_name(ctx->domain,
ctx->deny_users[i]);
if (domain == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "Invalid user %s!\n",
ctx->deny_users[i]);
return EINVAL;
}
if (sss_string_equal(domain->case_sensitive, username,
ctx->deny_users[i])) {
DEBUG(SSSDBG_TRACE_LIBS,
"User [%s] found in deny list, access denied.\n",
ctx->deny_users[i]);
/* Return immediately on explicit denial */
*access_granted = false;
return EOK;
}
}
}
return EAGAIN;
}
static errno_t
simple_check_groups(struct simple_ctx *ctx, const char **group_names,
bool *access_granted)
{
struct sss_domain_info *domain = NULL;
bool matched;
int i, j;
/* Now process allow and deny group rules
* If access was already granted above, we'll skip
* this redundant rule check
*/
if (ctx->allow_groups && !*access_granted) {
matched = false;
for (i = 0; ctx->allow_groups[i]; i++) {
domain = find_domain_by_object_name(ctx->domain,
ctx->allow_groups[i]);
if (domain == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "Invalid group %s!\n",
ctx->allow_groups[i]);
return EINVAL;
}
for(j = 0; group_names[j]; j++) {
if (sss_string_equal(domain->case_sensitive,
group_names[j], ctx->allow_groups[i])) {
matched = true;
break;
}
}
/* If any group has matched, we can skip out on the
* processing early
*/
if (matched) {
DEBUG(SSSDBG_TRACE_LIBS,
"Group [%s] found in allow list, access granted.\n",
group_names[j]);
*access_granted = true;
break;
}
}
}
/* Finally, process the deny group rules */
if (ctx->deny_groups) {
matched = false;
for (i = 0; ctx->deny_groups[i]; i++) {
domain = find_domain_by_object_name(ctx->domain,
ctx->deny_groups[i]);
if (domain == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "Invalid group %s!\n",
ctx->deny_groups[i]);
return EINVAL;
}
for(j = 0; group_names[j]; j++) {
if (sss_string_equal(domain->case_sensitive,
group_names[j], ctx->deny_groups[i])) {
matched = true;
break;
}
}
/* If any group has matched, we can skip out on the
* processing early
*/
if (matched) {
DEBUG(SSSDBG_TRACE_LIBS,
"Group [%s] found in deny list, access denied.\n",
group_names[j]);
*access_granted = false;
break;
}
}
}
return EOK;
}
