sssd  2.2.3
About: SSSD provides a set of daemons to manage access to remote directories and authentication mechanisms such as LDAP, Kerberos or FreeIPA. It provides also an NSS and PAM interface toward the system.
  Fossies Dox: sssd-2.2.3.tar.gz  ("unofficial" and yet experimental doxygen-generated source code documentation)  

hbac_evaluator.c
Go to the documentation of this file.
1 /*
2  SSSD
3 
4  IPA Backend Module -- Access control
5 
6  Authors:
7  Sumit Bose <sbose@redhat.com>
8  Stephen Gallagher <sgallagh@redhat.com>
9 
10  Copyright (C) 2011 Red Hat
11 
12  This program is free software; you can redistribute it and/or modify
13  it under the terms of the GNU General Public License as published by
14  the Free Software Foundation; either version 3 of the License, or
15  (at your option) any later version.
16 
17  This program is distributed in the hope that it will be useful,
18  but WITHOUT ANY WARRANTY; without even the implied warranty of
19  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20  GNU General Public License for more details.
21 
22  You should have received a copy of the GNU General Public License
23  along with this program. If not, see <http://www.gnu.org/licenses/>.
24 */
25 
26 #include "config.h" /* for HAVE_FUNCTION_ATTRIBUTE_FORMAT in "ipa_hbac.h" */
27 
28 #include <stdlib.h>
29 #include <string.h>
30 #include <errno.h>
31 #include "ipa_hbac.h"
32 #include "sss_utf8.h"
33 
34 #ifndef HAVE_ERRNO_T
35 #define HAVE_ERRNO_T
36 typedef int errno_t;
37 #endif
38 
39 #ifndef EOK
40 #define EOK 0
41 #endif
42 
43 /* HBAC logging system */
44 
45 /* debug macro */
46 #define HBAC_DEBUG(level, format, ...) do { \
47  if (hbac_debug_fn != NULL) { \
48  hbac_debug_fn(__FILE__, __LINE__, __FUNCTION__, \
49  level, format, ##__VA_ARGS__); \
50  } \
51 } while (0)
52 
53 /* static pointer to external logging function */
55 
56 /* setup function for external logging function */
57 void hbac_enable_debug(hbac_debug_fn_t external_debug_fn)
58 {
59  hbac_debug_fn = external_debug_fn;
60 }
61 
62 /* auxiliary function for hbac_request_element logging */
64  const char *label);
65 
66 /* auxiliary function for hbac_eval_req logging */
67 static void hbac_req_debug_print(struct hbac_eval_req *req);
68 
69 /* auxiliary function for hbac_rule_element logging */
71  const char *label);
72 
73 /* auxiliary function for hbac_rule logging */
74 static void hbac_rule_debug_print(struct hbac_rule *rule);
75 
76 
77 /* Placeholder structure for future HBAC time-based
78  * evaluation rules
79  */
82 };
83 
88 };
89 
91 {
92  if (el == NULL) return false;
93  if (el->category == HBAC_CATEGORY_ALL) return true;
94 
95  if (el->names == NULL && el->groups == NULL) return false;
96 
97  if ((el->names && el->names[0] != NULL)
98  || (el->groups && el->groups[0] != NULL))
99  return true;
100 
101  /* If other categories are added, handle them here */
102 
103  return false;
104 }
105 
106 bool hbac_rule_is_complete(struct hbac_rule *rule, uint32_t *missing_attrs)
107 {
108  bool complete = true;
109 
110  *missing_attrs = 0;
111 
112  if (rule == NULL) {
113  /* No rule passed in? */
114  return false;
115  }
116 
117  /* Make sure we have all elements */
118  if (!hbac_rule_element_is_complete(rule->users)) {
119  complete = false;
120  *missing_attrs |= HBAC_RULE_ELEMENT_USERS;
121  }
122 
124  complete = false;
125  *missing_attrs |= HBAC_RULE_ELEMENT_SERVICES;
126  }
127 
129  complete = false;
130  *missing_attrs |= HBAC_RULE_ELEMENT_TARGETHOSTS;
131  }
132 
134  complete = false;
135  *missing_attrs |= HBAC_RULE_ELEMENT_SOURCEHOSTS;
136  }
137 
138  return complete;
139 }
140 
142  struct hbac_eval_req *hbac_req,
143  enum hbac_error_code *error);
144 
146  struct hbac_eval_req *hbac_req,
147  struct hbac_info **info)
148 {
149  uint32_t i;
150 
151  enum hbac_error_code ret;
152  enum hbac_eval_result result = HBAC_EVAL_DENY;
153  enum hbac_eval_result_int intermediate_result;
154 
155  HBAC_DEBUG(HBAC_DBG_INFO, "[< hbac_evaluate()\n");
156  hbac_req_debug_print(hbac_req);
157 
158  if (info) {
159  *info = malloc(sizeof(struct hbac_info));
160  if (!*info) {
161  HBAC_DEBUG(HBAC_DBG_ERROR, "Out of memory.\n");
162  return HBAC_EVAL_OOM;
163  }
164  (*info)->code = HBAC_ERROR_UNKNOWN;
165  (*info)->rule_name = NULL;
166  }
167 
168  for (i = 0; rules[i]; i++) {
169  hbac_rule_debug_print(rules[i]);
170  intermediate_result = hbac_evaluate_rule(rules[i], hbac_req, &ret);
171  if (intermediate_result == HBAC_EVAL_UNMATCHED) {
172  /* This rule did not match at all. Skip it */
173  HBAC_DEBUG(HBAC_DBG_INFO, "The rule [%s] did not match.\n",
174  rules[i]->name);
175  continue;
176  } else if (intermediate_result == HBAC_EVAL_MATCHED) {
177  HBAC_DEBUG(HBAC_DBG_INFO, "ALLOWED by rule [%s].\n", rules[i]->name);
178  result = HBAC_EVAL_ALLOW;
179  if (info) {
180  (*info)->code = HBAC_SUCCESS;
181  (*info)->rule_name = strdup(rules[i]->name);
182  if (!(*info)->rule_name) {
183  HBAC_DEBUG(HBAC_DBG_ERROR, "Out of memory.\n");
184  result = HBAC_EVAL_ERROR;
185  (*info)->code = HBAC_ERROR_OUT_OF_MEMORY;
186  }
187  }
188  break;
189  } else {
190  /* An error occurred processing this rule */
192  "Error %d occurred during evaluating of rule [%s].\n",
193  ret, rules[i]->name);
194  result = HBAC_EVAL_ERROR;
195  if (info) {
196  (*info)->code = ret;
197  (*info)->rule_name = strdup(rules[i]->name);
198  }
199  /* Explicitly not checking the result of strdup(), since if
200  * it's NULL, we can't do anything anyway.
201  */
202  goto done;
203  }
204  }
205 
206  /* If we've reached the end of the loop, we have either set the
207  * result to ALLOW explicitly or we'll stick with the default DENY.
208  */
209 done:
210 
211  HBAC_DEBUG(HBAC_DBG_INFO, "hbac_evaluate() >]\n");
212  return result;
213 }
214 
215 static errno_t hbac_evaluate_element(struct hbac_rule_element *rule_el,
216  struct hbac_request_element *req_el,
217  bool *matched);
218 
220  struct hbac_eval_req *hbac_req,
221  enum hbac_error_code *error)
222 {
223  errno_t ret;
224  bool matched;
225 
226  if (!rule->enabled) {
227  HBAC_DEBUG(HBAC_DBG_INFO, "Rule [%s] is not enabled\n", rule->name);
228  return HBAC_EVAL_UNMATCHED;
229  }
230 
231  /* Make sure we have all elements */
232  if (!rule->users
233  || !rule->services
234  || !rule->targethosts
235  || !rule->srchosts) {
237  "Rule [%s] cannot be parsed, some elements are empty\n",
238  rule->name);
240  return HBAC_EVAL_MATCH_ERROR;
241  }
242 
243  /* Check users */
245  hbac_req->user,
246  &matched);
247  if (ret != EOK) {
249  "Cannot parse user elements of rule [%s]\n", rule->name);
251  return HBAC_EVAL_MATCH_ERROR;
252  } else if (!matched) {
253  return HBAC_EVAL_UNMATCHED;
254  }
255 
256  /* Check services */
258  hbac_req->service,
259  &matched);
260  if (ret != EOK) {
262  "Cannot parse service elements of rule [%s]\n", rule->name);
264  return HBAC_EVAL_MATCH_ERROR;
265  } else if (!matched) {
266  return HBAC_EVAL_UNMATCHED;
267  }
268 
269  /* Check target hosts */
271  hbac_req->targethost,
272  &matched);
273  if (ret != EOK) {
275  "Cannot parse targethost elements of rule [%s]\n",
276  rule->name);
278  return HBAC_EVAL_MATCH_ERROR;
279  } else if (!matched) {
280  return HBAC_EVAL_UNMATCHED;
281  }
282 
283  /* Check source hosts */
285  hbac_req->srchost,
286  &matched);
287  if (ret != EOK) {
289  "Cannot parse srchost elements of rule [%s]\n",
290  rule->name);
292  return HBAC_EVAL_MATCH_ERROR;
293  } else if (!matched) {
294  return HBAC_EVAL_UNMATCHED;
295  }
296  return HBAC_EVAL_MATCHED;
297 }
298 
300  struct hbac_request_element *req_el,
301  bool *matched)
302 {
303  size_t i, j;
304  const uint8_t *rule_name;
305  const uint8_t *req_name;
306  int ret;
307 
308  if (rule_el->category & HBAC_CATEGORY_ALL) {
309  *matched = true;
310  return EOK;
311  }
312 
313  /* First check the name list */
314  if (rule_el->names) {
315  for (i = 0; rule_el->names[i]; i++) {
316  if (req_el->name != NULL) {
317  rule_name = (const uint8_t *) rule_el->names[i];
318  req_name = (const uint8_t *) req_el->name;
319 
320  /* Do a case-insensitive comparison. */
321  ret = sss_utf8_case_eq(rule_name, req_name);
322  if (ret != EOK && ret != ENOMATCH) {
323  return ret;
324  } else if (ret == EOK) {
325  *matched = true;
326  return EOK;
327  }
328  }
329  }
330  }
331 
332  if (rule_el->groups) {
333  /* Not found in the name list
334  * Check for group membership
335  */
336  for (i = 0; rule_el->groups[i]; i++) {
337  rule_name = (const uint8_t *) rule_el->groups[i];
338 
339  for (j = 0; req_el->groups[j]; j++) {
340  req_name = (const uint8_t *) req_el->groups[j];
341 
342  /* Do a case-insensitive comparison. */
343  ret = sss_utf8_case_eq(rule_name, req_name);
344  if (ret != EOK && ret != ENOMATCH) {
345  return ret;
346  } else if (ret == EOK) {
347  *matched = true;
348  return EOK;
349  }
350  }
351  }
352  }
353 
354  /* Not found in groups either */
355  *matched = false;
356  return EOK;
357 }
358 
359 const char *hbac_result_string(enum hbac_eval_result result)
360 {
361  switch (result) {
362  case HBAC_EVAL_ALLOW:
363  return "HBAC_EVAL_ALLOW";
364  case HBAC_EVAL_DENY:
365  return "HBAC_EVAL_DENY";
366  case HBAC_EVAL_ERROR:
367  return "HBAC_EVAL_ERROR";
368  case HBAC_EVAL_OOM:
369  return "Could not allocate memory for hbac_info object";
370  }
371  return "HBAC_EVAL_ERROR";
372 }
373 
374 void hbac_free_info(struct hbac_info *info)
375 {
376  if (info == NULL) return;
377 
378  free(info->rule_name);
379  free(info);
380 }
381 
382 const char *hbac_error_string(enum hbac_error_code code)
383 {
384  switch (code) {
385  case HBAC_SUCCESS:
386  return "Success";
388  return "Function is not yet implemented";
390  return "Out of memory";
392  return "Rule could not be evaluated";
393  case HBAC_ERROR_UNKNOWN:
394  default:
395  return "Unknown error code";
396  }
397 }
398 
400  const char *label)
401 {
402  int i;
403 
404  if (el) {
405  if (el->name) {
406  HBAC_DEBUG(HBAC_DBG_TRACE, "\t\t%s [%s]\n", label, el->name);
407  }
408 
409  if (el->groups) {
410  if (el->groups[0]) {
411  HBAC_DEBUG(HBAC_DBG_TRACE, "\t\t%s_group:\n", label);
412  for (i = 0; el->groups[i]; i++) {
413  HBAC_DEBUG(HBAC_DBG_TRACE, "\t\t\t[%s]\n", el->groups[i]);
414  }
415  } else {
416  HBAC_DEBUG(HBAC_DBG_TRACE, "\t\t%s_group (none)\n", label);
417  }
418  }
419  } else {
420  HBAC_DEBUG(HBAC_DBG_TRACE, "\t%s (none)\n", label);
421  }
422 }
423 
424 static void hbac_req_debug_print(struct hbac_eval_req *req)
425 {
426  HBAC_DEBUG(HBAC_DBG_TRACE, "\tREQUEST:\n");
427  if (req) {
428  struct tm *local_time = NULL;
429  size_t ret;
430  const size_t buff_size = 100;
431  char time_buff[buff_size];
432 
433  hbac_request_element_debug_print(req->service, "service");
435  hbac_request_element_debug_print(req->targethost, "targethost");
436  hbac_request_element_debug_print(req->srchost, "srchost");
437 
438  local_time = localtime(&req->request_time);
439  if (local_time == NULL) {
440  return;
441  }
442 
443  ret = strftime(time_buff, buff_size, "%Y-%m-%d %H:%M:%S", local_time);
444  if (ret <= 0) {
445  return;
446  }
447 
448  HBAC_DEBUG(HBAC_DBG_TRACE, "\t\trequest time %s\n", time_buff);
449  } else {
450  HBAC_DEBUG(HBAC_DBG_TRACE, "\tRequest is EMPTY.\n");
451  }
452 }
453 
455  const char *label)
456 {
457  int i;
458 
459  if (el) {
460  HBAC_DEBUG(HBAC_DBG_TRACE, "\t\tcategory [%#x] [%s]\n", el->category,
461  (el->category == HBAC_CATEGORY_ALL) ? "ALL" : "NONE");
462 
463  if (el->names) {
464  if (el->names[0]) {
465  HBAC_DEBUG(HBAC_DBG_TRACE, "\t\t%s_names:\n", label);
466  for (i = 0; el->names[i]; i++) {
467  HBAC_DEBUG(HBAC_DBG_TRACE, "\t\t\t[%s]\n", el->names[i]);
468  }
469  } else {
470  HBAC_DEBUG(HBAC_DBG_TRACE, "\t\t%s_names (none)\n", label);
471  }
472  }
473 
474  if (el->groups) {
475  if (el->groups[0]) {
476  HBAC_DEBUG(HBAC_DBG_TRACE, "\t\t%s_groups:\n", label);
477  for (i = 0; el->groups[i]; i++) {
478  HBAC_DEBUG(HBAC_DBG_TRACE, "\t\t\t[%s]\n", el->groups[i]);
479  }
480  } else {
481  HBAC_DEBUG(HBAC_DBG_TRACE, "\t\t%s_groups (none)\n", label);
482  }
483  }
484  }
485 }
486 
487 static void hbac_rule_debug_print(struct hbac_rule *rule)
488 {
489  if (rule) {
490  HBAC_DEBUG(HBAC_DBG_TRACE, "\tRULE [%s] [%s]:\n",
491  rule->name, (rule->enabled) ? "ENABLED" : "DISABLED");
492  if (rule->services) {
493  HBAC_DEBUG(HBAC_DBG_TRACE, "\tservices:\n");
494  hbac_rule_element_debug_print(rule->services, "services");
495  } else {
496  HBAC_DEBUG(HBAC_DBG_TRACE, "\tservices (none)\n");
497  }
498 
499  if (rule->users) {
500  HBAC_DEBUG(HBAC_DBG_TRACE, "\tusers:\n");
501  hbac_rule_element_debug_print(rule->users, "users");
502  } else {
503  HBAC_DEBUG(HBAC_DBG_TRACE, "\tusers (none)\n");
504  }
505 
506  if (rule->targethosts) {
507  HBAC_DEBUG(HBAC_DBG_TRACE, "\ttargethosts:\n");
508  hbac_rule_element_debug_print(rule->targethosts, "targethosts");
509  } else {
510  HBAC_DEBUG(HBAC_DBG_TRACE, "\ttargethosts (none)\n");
511  }
512 
513  if (rule->srchosts) {
514  HBAC_DEBUG(HBAC_DBG_TRACE, "\tsrchosts:\n");
515  hbac_rule_element_debug_print(rule->srchosts, "srchosts");
516  } else {
517  HBAC_DEBUG(HBAC_DBG_TRACE, "\tsrchosts (none)\n");
518  }
519  }
520 }
HBAC_EVAL_MATCH_ERROR
@ HBAC_EVAL_MATCH_ERROR
Definition: hbac_evaluator.c:85
hbac_error_string
const char * hbac_error_string(enum hbac_error_code code)
Display error description.
Definition: hbac_evaluator.c:382
HBAC_EVAL_DENY
@ HBAC_EVAL_DENY
Evaluation denies access.
Definition: ipa_hbac.h:84
hbac_debug_fn_t
void(* hbac_debug_fn_t)(const char *file, int line, const char *function, enum hbac_debug_level, const char *format,...)
Function pointer to HBAC external debugging function.
Definition: ipa_hbac.h:62
EOK
#define EOK
Definition: hbac_evaluator.c:40
hbac_debug_fn
static hbac_debug_fn_t hbac_debug_fn
Definition: hbac_evaluator.c:54
HBAC_DBG_INFO
@ HBAC_DBG_INFO
Warnings (not used).
Definition: ipa_hbac.h:49
hbac_evaluate_element
static errno_t hbac_evaluate_element(struct hbac_rule_element *rule_el, struct hbac_request_element *req_el, bool *matched)
Definition: hbac_evaluator.c:299
hbac_evaluate
enum hbac_eval_result hbac_evaluate(struct hbac_rule **rules, struct hbac_eval_req *hbac_req, struct hbac_info **info)
Evaluate an authorization request against a set of HBAC rules.
Definition: hbac_evaluator.c:145
hbac_result_string
const char * hbac_result_string(enum hbac_eval_result result)
Display result of hbac evaluation in human-readable form.
Definition: hbac_evaluator.c:359
hbac_rule::targethosts
struct hbac_rule_element * targethosts
Target hosts for which this rule apples.
Definition: ipa_hbac.h:164
hbac_eval_req
Request object for an HBAC rule evaluation.
Definition: ipa_hbac.h:205
hbac_info::rule_name
char * rule_name
Specify the name of the rule that matched or threw an error.
Definition: ipa_hbac.h:271
HBAC_RULE_ELEMENT_TARGETHOSTS
#define HBAC_RULE_ELEMENT_TARGETHOSTS
Target host element.
Definition: ipa_hbac.h:319
hbac_request_element_debug_print
static void hbac_request_element_debug_print(struct hbac_request_element *el, const char *label)
Definition: hbac_evaluator.c:399
HBAC_EVAL_UNMATCHED
@ HBAC_EVAL_UNMATCHED
Definition: hbac_evaluator.c:87
ipa_hbac.h
hbac_rule_element::names
const char ** names
List of explicit members of this rule component.
Definition: ipa_hbac.h:130
hbac_rule_element_debug_print
static void hbac_rule_element_debug_print(struct hbac_rule_element *el, const char *label)
Definition: hbac_evaluator.c:454
hbac_rule::name
const char * name
Definition: ipa_hbac.h:146
HBAC_EVAL_ERROR
@ HBAC_EVAL_ERROR
An error occurred See the hbac_info for more details.
Definition: ipa_hbac.h:78
errno_t
int errno_t
Definition: hbac_evaluator.c:36
sss_utf8_case_eq
errno_t sss_utf8_case_eq(const uint8_t *s1, const uint8_t *s2)
hbac_eval_result
hbac_eval_result
Result of HBAC evaluation.
Definition: ipa_hbac.h:74
hbac_rule_is_complete
bool hbac_rule_is_complete(struct hbac_rule *rule, uint32_t *missing_attrs)
Evaluate whether an HBAC rule contains all necessary elements.
Definition: hbac_evaluator.c:106
hbac_rule::services
struct hbac_rule_element * services
Services and service groups for which this rule applies.
Definition: ipa_hbac.h:153
hbac_request_element::groups
const char ** groups
List of group members of this request component.
Definition: ipa_hbac.h:197
hbac_rule::enabled
bool enabled
Definition: ipa_hbac.h:147
name
const char * name
Definition: sbus_errors.c:30
hbac_eval_result_int
hbac_eval_result_int
Definition: hbac_evaluator.c:84
HBAC_RULE_ELEMENT_USERS
#define HBAC_RULE_ELEMENT_USERS
User element.
Definition: ipa_hbac.h:313
hbac_info
Extended information.
Definition: ipa_hbac.h:259
hbac_time_rules::not_yet_implemented
int not_yet_implemented
Definition: hbac_evaluator.c:81
HBAC_EVAL_MATCHED
@ HBAC_EVAL_MATCHED
Definition: hbac_evaluator.c:86
HBAC_ERROR_OUT_OF_MEMORY
@ HBAC_ERROR_OUT_OF_MEMORY
Ran out of memory during processing.
Definition: ipa_hbac.h:252
hbac_eval_req::targethost
struct hbac_request_element * targethost
This is a list of target hosts to check, it must consist of the actual target host requested,...
Definition: ipa_hbac.h:225
HBAC_RULE_ELEMENT_SERVICES
#define HBAC_RULE_ELEMENT_SERVICES
Service element.
Definition: ipa_hbac.h:316
hbac_evaluate_rule
enum hbac_eval_result_int hbac_evaluate_rule(struct hbac_rule *rule, struct hbac_eval_req *hbac_req, enum hbac_error_code *error)
Definition: hbac_evaluator.c:219
hbac_eval_req::user
struct hbac_request_element * user
This is a list of user DNs to check, it must consist of the actual user requested,...
Definition: ipa_hbac.h:218
SSSDConfigTest.error
int error
Definition: SSSDConfigTest.py:2129
hbac_free_info
void hbac_free_info(struct hbac_info *info)
Function to safely free hbac_info returned by hbac_evaluate.
Definition: hbac_evaluator.c:374
hbac_eval_req::service
struct hbac_request_element * service
This is a list of service DNs to check, it must consist of the actual service requested,...
Definition: ipa_hbac.h:211
sss_utf8.h
HBAC_DBG_ERROR
@ HBAC_DBG_ERROR
Fatal failure (not used).
Definition: ipa_hbac.h:47
hbac_rule_debug_print
static void hbac_rule_debug_print(struct hbac_rule *rule)
Definition: hbac_evaluator.c:487
HBAC_ERROR_UNPARSEABLE_RULE
@ HBAC_ERROR_UNPARSEABLE_RULE
Parse error while evaluating rule.
Definition: ipa_hbac.h:255
hbac_time_rules
Definition: hbac_evaluator.c:80
hbac_rule_element::groups
const char ** groups
List of group members of this rule component.
Definition: ipa_hbac.h:139
hbac_rule::srchosts
struct hbac_rule_element * srchosts
Source hosts for which this rule applies.
Definition: ipa_hbac.h:169
hbac_rule
HBAC rule object for evaluation.
Definition: ipa_hbac.h:145
HBAC_EVAL_OOM
@ HBAC_EVAL_OOM
Evaluation failed due to lack of memory hbac_info is not available.
Definition: ipa_hbac.h:89
hbac_rule_element::category
uint32_t category
Category for this element.
Definition: ipa_hbac.h:121
HBAC_SUCCESS
@ HBAC_SUCCESS
Successful evaluation.
Definition: ipa_hbac.h:246
hbac_request_element
Component of an HBAC request.
Definition: ipa_hbac.h:180
hbac_rule_element
Component of an HBAC rule.
Definition: ipa_hbac.h:113
HBAC_DBG_TRACE
@ HBAC_DBG_TRACE
HBAC allow/disallow info.
Definition: ipa_hbac.h:50
HBAC_EVAL_ALLOW
@ HBAC_EVAL_ALLOW
Evaluation grants access.
Definition: ipa_hbac.h:81
HBAC_ERROR_NOT_IMPLEMENTED
@ HBAC_ERROR_NOT_IMPLEMENTED
Function is not yet implemented.
Definition: ipa_hbac.h:249
HBAC_DEBUG
#define HBAC_DEBUG(level, format,...)
Definition: hbac_evaluator.c:46
hbac_rule_element_is_complete
static bool hbac_rule_element_is_complete(struct hbac_rule_element *el)
Definition: hbac_evaluator.c:90
hbac_error_code
hbac_error_code
Error code returned by the evaluator.
Definition: ipa_hbac.h:241
hbac_req_debug_print
static void hbac_req_debug_print(struct hbac_eval_req *req)
Definition: hbac_evaluator.c:424
hbac_eval_req::request_time
time_t request_time
For future use.
Definition: ipa_hbac.h:235
NULL
#define NULL
Definition: util.h:67
ENOMATCH
#define ENOMATCH
Definition: sss_utf8.h:27
HBAC_RULE_ELEMENT_SOURCEHOSTS
#define HBAC_RULE_ELEMENT_SOURCEHOSTS
Source host element.
Definition: ipa_hbac.h:322
hbac_enable_debug
void hbac_enable_debug(hbac_debug_fn_t external_debug_fn)
HBAC uses external_debug_fn for logging messages.
Definition: hbac_evaluator.c:57
hbac_eval_req::srchost
struct hbac_request_element * srchost
This is a list of source hosts to check, it must consist of the actual source host requested,...
Definition: ipa_hbac.h:232
ret
errno_t ret
Definition: sbus_errors.c:31
hbac_rule::users
struct hbac_rule_element * users
Users and groups for which this rule applies.
Definition: ipa_hbac.h:159
hbac_request_element::name
const char * name
List of explicit members of this request component.
Definition: ipa_hbac.h:188
HBAC_ERROR_UNKNOWN
@ HBAC_ERROR_UNKNOWN
Unexpected error.
Definition: ipa_hbac.h:243
HBAC_CATEGORY_ALL
#define HBAC_CATEGORY_ALL
Rule should apply to all.
Definition: ipa_hbac.h:100