From 319f9710185929186778814b48f2227359d4f8f4 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Mon, 16 Mar 2015 10:35:59 +0100
Subject: [PATCH 45/99] IPA: Use custom error codes when validating HBAC rules
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

https://fedorahosted.org/sssd/ticket/2603

Instead of reusing EINVAL/ENOENT, use more descriptive error codes. This
will be useful in the next patch where we act on certain codes.

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 1243e093fd31c5660adf1bb3dd477d6935a755be)
---
 src/providers/ipa/ipa_hbac_common.c   | 10 +++++-----
 src/providers/ipa/ipa_hbac_hosts.c    | 16 ++++++++--------
 src/providers/ipa/ipa_hbac_services.c | 16 ++++++++--------
 src/providers/ipa/ipa_hbac_users.c    | 16 ++++++++--------
 src/util/util_errors.c                |  2 ++
 src/util/util_errors.h                |  2 ++
 6 files changed, 33 insertions(+), 29 deletions(-)

diff --git a/src/providers/ipa/ipa_hbac_common.c b/src/providers/ipa/ipa_hbac_common.c
index 7d68aa5125682e1b43012ac978d42a0bbd2c5d55..d537db1ea591589ad687a432fb0ebba3dd4fa42a 100644
--- a/src/providers/ipa/ipa_hbac_common.c
+++ b/src/providers/ipa/ipa_hbac_common.c
@@ -567,7 +567,7 @@ hbac_eval_user_element(TALLOC_CTX *mem_ctx,
 
         ret = get_ipa_groupname(users->groups, sysdb, member_dn,
                                 &users->groups[num_groups]);
-        if (ret != EOK && ret != ENOENT) {
+        if (ret != EOK && ret != ERR_UNEXPECTED_ENTRY_TYPE) {
             DEBUG(SSSDBG_MINOR_FAILURE, "Parse error on [%s]\n", member_dn);
             goto done;
         } else if (ret == EOK) {
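Review bot: The relaxed check on the get_ipa_groupname result now tolerates only ERR_UNEXPECTED_ENTRY_TYPE, so if that function can still return ENOENT from any path this patch does not convert (the ipa_hbac_users.c hunks only touch the DN-shape checks, and the rest of that function is outside this view), such a value would now abort the whole user-element evaluation with a "Parse error" log instead of being skipped; worth confirming no such path remains. The same concern applies to the analogous checks on get_ipa_servicegroupname and get_ipa_hostgroupname in the two hunks below. Since ERR_MALFORMED_ENTRY also lands in this branch now, the log line would be more useful if it carried the code: `DEBUG(SSSDBG_MINOR_FAILURE, "Parse error on [%s]: [%d]\n", member_dn, ret);`. hbac_eval_user_element starts and ends outside the hunk.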
@@ -676,9 +676,9 @@ hbac_eval_service_element(TALLOC_CTX *mem_ctx,
         ret = get_ipa_servicegroupname(tmp_ctx, sysdb,
                                        (const char *)el->values[i].data,
                                        &name);
-        if (ret != EOK && ret != ENOENT) goto done;
+        if (ret != EOK && ret != ERR_UNEXPECTED_ENTRY_TYPE) goto done;
 
-        /* ENOENT means we had a memberOf entry that wasn't a
+        /* ERR_UNEXPECTED_ENTRY_TYPE means we had a memberOf entry that wasn't a
          * service group. We'll just ignore those (could be
          * HBAC rules)
          */
@@ -783,9 +783,9 @@ hbac_eval_host_element(TALLOC_CTX *mem_ctx,
         ret = get_ipa_hostgroupname(tmp_ctx, sysdb,
                                     (const char *)el->values[i].data,
                                     &name);
-        if (ret != EOK && ret != ENOENT) goto done;
+        if (ret != EOK && ret != ERR_UNEXPECTED_ENTRY_TYPE) goto done;
 
-        /* ENOENT means we had a memberOf entry that wasn't a
+        /* ERR_UNEXPECTED_ENTRY_TYPE means we had a memberOf entry that wasn't a
          * host group. We'll just ignore those (could be
          * HBAC rules)
          */
diff --git a/src/providers/ipa/ipa_hbac_hosts.c b/src/providers/ipa/ipa_hbac_hosts.c
index 656e0e5654a2390093fb5a7c4d7254b87be0589f..d331cdfabb489914658487734042086361c7e7b1 100644
--- a/src/providers/ipa/ipa_hbac_hosts.c
+++ b/src/providers/ipa/ipa_hbac_hosts.c
@@ -362,14 +362,14 @@ get_ipa_hostgroupname(TALLOC_CTX *mem_ctx,
     }
 
     if (!ldb_dn_validate(dn)) {
-        ret = EINVAL;
+        ret = ERR_MALFORMED_ENTRY;
         goto done;
     }
 
     if (ldb_dn_get_comp_num(dn) < 4) {
         /* RDN, hostgroups, accounts, and at least one DC= */
         /* If it's fewer, it's not a group DN */
-        ret = ENOENT;
+        ret = ERR_UNEXPECTED_ENTRY_TYPE;
         goto done;
     }
 
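Review bot: get_ipa_hostgroupname now has a three-way return contract (EOK, ERR_MALFORMED_ENTRY for a DN that fails ldb_dn_validate, ERR_UNEXPECTED_ENTRY_TYPE for a well-formed DN that is simply not a hostgroup DN), but nothing in the hunk documents which of these a caller may safely ignore. The function header is outside the hunk; its doc comment should state that ERR_UNEXPECTED_ENTRY_TYPE is the expected "skip this memberOf value" result while ERR_MALFORMED_ENTRY indicates a cache entry that could not be parsed and should be propagated. The same applies to get_ipa_servicegroupname and get_ipa_groupname in the ipa_hbac_services.c and ipa_hbac_users.c hunks. Suggested wording: `/* Returns EOK, ERR_UNEXPECTED_ENTRY_TYPE if the DN is valid but not a hostgroup DN (caller should skip it), or ERR_MALFORMED_ENTRY if the DN cannot be parsed. */`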
@@ -379,7 +379,7 @@ get_ipa_hostgroupname(TALLOC_CTX *mem_ctx,
         /* Shouldn't happen if ldb_dn_validate()
          * passed, but we'll be careful.
          */
-        ret = EINVAL;
+        ret = ERR_MALFORMED_ENTRY;
         goto done;
     }
 
@@ -387,7 +387,7 @@ get_ipa_hostgroupname(TALLOC_CTX *mem_ctx,
         /* RDN has the wrong attribute name.
          * It's not a host.
          */
-        ret = ENOENT;
+        ret = ERR_UNEXPECTED_ENTRY_TYPE;
         goto done;
     }
 
@@ -395,7 +395,7 @@ get_ipa_hostgroupname(TALLOC_CTX *mem_ctx,
     hostgroup_comp_name = ldb_dn_get_component_name(dn, 1);
     if (strcasecmp("cn", hostgroup_comp_name) != 0) {
         /* The second component name is not "cn" */
-        ret = ENOENT;
+        ret = ERR_UNEXPECTED_ENTRY_TYPE;
         goto done;
     }
 
@@ -404,7 +404,7 @@ get_ipa_hostgroupname(TALLOC_CTX *mem_ctx,
                     (const char *) hostgroup_comp_val->data,
                     hostgroup_comp_val->length) != 0) {
         /* The second component value is not "hostgroups" */
-        ret = ENOENT;
+        ret = ERR_UNEXPECTED_ENTRY_TYPE;
         goto done;
     }
 
@@ -412,7 +412,7 @@ get_ipa_hostgroupname(TALLOC_CTX *mem_ctx,
     account_comp_name = ldb_dn_get_component_name(dn, 2);
     if (strcasecmp("cn", account_comp_name) != 0) {
         /* The third component name is not "cn" */
-        ret = ENOENT;
+        ret = ERR_UNEXPECTED_ENTRY_TYPE;
         goto done;
     }
 
@@ -421,7 +421,7 @@ get_ipa_hostgroupname(TALLOC_CTX *mem_ctx,
                     (const char *) account_comp_val->data,
                     account_comp_val->length) != 0) {
         /* The third component value is not "accounts" */
-        ret = ENOENT;
+        ret = ERR_UNEXPECTED_ENTRY_TYPE;
         goto done;
     }
 
diff --git a/src/providers/ipa/ipa_hbac_services.c b/src/providers/ipa/ipa_hbac_services.c
index 3040ce68a68520d7eee0ec478ee0adbfb80eb083..35ee003effb5ac933843cbc3bd662f81a58246ad 100644
--- a/src/providers/ipa/ipa_hbac_services.c
+++ b/src/providers/ipa/ipa_hbac_services.c
@@ -606,14 +606,14 @@ get_ipa_servicegroupname(TALLOC_CTX *mem_ctx,
     }
 
     if (!ldb_dn_validate(dn)) {
-        ret = EINVAL;
+        ret = ERR_MALFORMED_ENTRY;
         goto done;
     }
 
     if (ldb_dn_get_comp_num(dn) < 4) {
         /* RDN, services, hbac, and at least one DC= */
         /* If it's fewer, it's not a group DN */
-        ret = ENOENT;
+        ret = ERR_UNEXPECTED_ENTRY_TYPE;
         goto done;
     }
 
@@ -623,7 +623,7 @@ get_ipa_servicegroupname(TALLOC_CTX *mem_ctx,
         /* Shouldn't happen if ldb_dn_validate()
          * passed, but we'll be careful.
          */
-        ret = EINVAL;
+        ret = ERR_MALFORMED_ENTRY;
         goto done;
     }
 
@@ -631,7 +631,7 @@ get_ipa_servicegroupname(TALLOC_CTX *mem_ctx,
         /* RDN has the wrong attribute name.
          * It's not a service.
          */
-        ret = ENOENT;
+        ret = ERR_UNEXPECTED_ENTRY_TYPE;
         goto done;
     }
 
@@ -639,7 +639,7 @@ get_ipa_servicegroupname(TALLOC_CTX *mem_ctx,
     svc_comp_name = ldb_dn_get_component_name(dn, 1);
     if (strcasecmp("cn", svc_comp_name) != 0) {
         /* The second component name is not "cn" */
-        ret = ENOENT;
+        ret = ERR_UNEXPECTED_ENTRY_TYPE;
         goto done;
     }
 
@@ -648,7 +648,7 @@ get_ipa_servicegroupname(TALLOC_CTX *mem_ctx,
                     (const char *) svc_comp_val->data,
                     svc_comp_val->length) != 0) {
         /* The second component value is not "hbacservicegroups" */
-        ret = ENOENT;
+        ret = ERR_UNEXPECTED_ENTRY_TYPE;
         goto done;
     }
 
@@ -656,7 +656,7 @@ get_ipa_servicegroupname(TALLOC_CTX *mem_ctx,
     hbac_comp_name = ldb_dn_get_component_name(dn, 2);
     if (strcasecmp("cn", hbac_comp_name) != 0) {
         /* The third component name is not "cn" */
-        ret = ENOENT;
+        ret = ERR_UNEXPECTED_ENTRY_TYPE;
         goto done;
     }
 
@@ -665,7 +665,7 @@ get_ipa_servicegroupname(TALLOC_CTX *mem_ctx,
                     (const char *) hbac_comp_val->data,
                     hbac_comp_val->length) != 0) {
         /* The third component value is not "hbac" */
-        ret = ENOENT;
+        ret = ERR_UNEXPECTED_ENTRY_TYPE;
         goto done;
     }
 
diff --git a/src/providers/ipa/ipa_hbac_users.c b/src/providers/ipa/ipa_hbac_users.c
index ebf4bf9d591135e19492a89e2fab4aac05f873d9..a8d52ffa51ba1a04cf0101cb00537c58d1a4848d 100644
--- a/src/providers/ipa/ipa_hbac_users.c
+++ b/src/providers/ipa/ipa_hbac_users.c
@@ -60,14 +60,14 @@ get_ipa_groupname(TALLOC_CTX *mem_ctx,
     }
 
     if (!ldb_dn_validate(dn)) {
-        ret = EINVAL;
+        ret = ERR_MALFORMED_ENTRY;
         goto done;
     }
 
     if (ldb_dn_get_comp_num(dn) < 4) {
         /* RDN, groups, accounts, and at least one DC= */
         /* If it's fewer, it's not a group DN */
-        ret = ENOENT;
+        ret = ERR_UNEXPECTED_ENTRY_TYPE;
         goto done;
     }
 
@@ -77,7 +77,7 @@ get_ipa_groupname(TALLOC_CTX *mem_ctx,
         /* Shouldn't happen if ldb_dn_validate()
          * passed, but we'll be careful.
          */
-        ret = EINVAL;
+        ret = ERR_MALFORMED_ENTRY;
         goto done;
     }
 
@@ -85,7 +85,7 @@ get_ipa_groupname(TALLOC_CTX *mem_ctx,
         /* RDN has the wrong attribute name.
          * It's not a group.
          */
-        ret = ENOENT;
+        ret = ERR_UNEXPECTED_ENTRY_TYPE;
         goto done;
     }
 
@@ -93,7 +93,7 @@ get_ipa_groupname(TALLOC_CTX *mem_ctx,
     group_comp_name = ldb_dn_get_component_name(dn, 1);
     if (strcasecmp("cn", group_comp_name) != 0) {
         /* The second component name is not "cn" */
-        ret = ENOENT;
+        ret = ERR_UNEXPECTED_ENTRY_TYPE;
         goto done;
     }
 
@@ -102,7 +102,7 @@ get_ipa_groupname(TALLOC_CTX *mem_ctx,
                     (const char *) group_comp_val->data,
                     group_comp_val->length) != 0) {
         /* The second component value is not "groups" */
-        ret = ENOENT;
+        ret = ERR_UNEXPECTED_ENTRY_TYPE;
         goto done;
     }
 
@@ -110,7 +110,7 @@ get_ipa_groupname(TALLOC_CTX *mem_ctx,
     account_comp_name = ldb_dn_get_component_name(dn, 2);
     if (strcasecmp("cn", account_comp_name) != 0) {
         /* The third component name is not "cn" */
-        ret = ENOENT;
+        ret = ERR_UNEXPECTED_ENTRY_TYPE;
         goto done;
     }
 
@@ -119,7 +119,7 @@ get_ipa_groupname(TALLOC_CTX *mem_ctx,
                     (const char *) account_comp_val->data,
                     account_comp_val->length) != 0) {
         /* The third component value is not "accounts" */
-        ret = ENOENT;
+        ret = ERR_UNEXPECTED_ENTRY_TYPE;
         goto done;
     }
 
diff --git a/src/util/util_errors.c b/src/util/util_errors.c
index dad988bce2515c3614a19205f038053152916a16..b481210aa21e05eda3a4c5b0699836d085baa892 100644
--- a/src/util/util_errors.c
+++ b/src/util/util_errors.c
@@ -69,6 +69,8 @@ struct err_string error_to_str[] = {
     { "Error setting SELinux user context" }, /* ERR_SELINUX_CONTEXT */
     { "Username format not allowed by re_expression" }, /* ERR_REGEX_NOMATCH */
     { "Time specification not supported" }, /* ERR_TIMESPEC_NOT_SUPPORTED */
+    { "Malformed cache entry" }, /* ERR_MALFORMED_ENTRY */
+    { "Unexpected cache entry type" }, /* ERR_UNEXPECTED_ENTRY_TYPE */
     { "ERR_LAST" } /* ERR_LAST */
 };
 
diff --git a/src/util/util_errors.h b/src/util/util_errors.h
index 5d657c707dabc74cf5771af2b601500ba2664ee0..b6a667fffbbddc77de53e501e185defbd30b23e0 100644
--- a/src/util/util_errors.h
+++ b/src/util/util_errors.h
@@ -91,6 +91,8 @@ enum sssd_errors {
     ERR_SELINUX_CONTEXT,
     ERR_REGEX_NOMATCH,
     ERR_TIMESPEC_NOT_SUPPORTED,
+    ERR_MALFORMED_ENTRY,
+    ERR_UNEXPECTED_ENTRY_TYPE,
     ERR_LAST            /* ALWAYS LAST */
 };
 
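Review bot: The two new enumerators carry no comment describing when each is returned, and error_to_str in util_errors.c appears to be indexed by enumerator position, so the trailing `/* ERR_... */` comments there are the only thing tying the strings to the codes; a short semantic comment on each enumerator would help future additions stay in lockstep. Suggest `ERR_MALFORMED_ENTRY,       /* cache entry DN failed validation */` and `ERR_UNEXPECTED_ENTRY_TYPE, /* DN is valid but names a different object type */`.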
-- 
2.4.0