sssd/0014-GPO-Add-gpo_implicit_deny-option.patch

From 3bd67c772c951f33422261ef658a104ccecc9561 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzidek@redhat.com>
Date: Tue, 3 Jul 2018 20:03:39 +0200
Subject: [PATCH 19/83] GPO: Add gpo_implicit_deny option

This option (when set to True) can be used to deny access to
users even if there is not applicable GPO. Normally users are
allowed access in this situation.

Resolves:
https://pagure.io/SSSD/sssd/issue/3701

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
 src/config/cfg_rules.ini     |  1 +
 src/man/sssd-ad.5.xml        | 21 +++++++++++++++++++++
 src/providers/ad/ad_common.h |  1 +
 src/providers/ad/ad_gpo.c    | 13 ++++++++++++-
 src/providers/ad/ad_opts.c   |  1 +
 5 files changed, 36 insertions(+), 1 deletion(-)

diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index 36e83a9..78f215e 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -437,6 +437,7 @@ option = ad_enable_dns_sites
 option = ad_enabled_domains
 option = ad_enable_gc
 option = ad_gpo_access_control
+option = ad_gpo_implicit_deny
 option = ad_gpo_cache_timeout
 option = ad_gpo_default_right
 option = ad_gpo_map_batch
diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml
index f43c7fc..0eac382 100644
--- a/src/man/sssd-ad.5.xml
+++ b/src/man/sssd-ad.5.xml
@@ -418,6 +418,27 @@ DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,
                 </varlistentry>
 
                 <varlistentry>
+                    <term>ad_gpo_implicit_deny (boolean)</term>
+                    <listitem>
+                        <para>
+                            Normally when no applicable GPOs are found the
+                            users are allowed access. When this option is set
+                            to True users will be allowed access only when
+                            explicitly allowed by a GPO rule. Otherwise users
+                            will be denied access. This can be used to harden
+                            security but be careful when using this option
+                            because it can deny access even to users in the
+                            built-in Administrators group if no GPO rules
+                            apply to them.
+                        </para>
+                        <para>
+                            Default: False (seconds)
+                        </para>
+                    </listitem>
+                </varlistentry>
+
+
+                <varlistentry>
                     <term>ad_gpo_cache_timeout (integer)</term>
                     <listitem>
                         <para>
diff --git a/src/providers/ad/ad_common.h b/src/providers/ad/ad_common.h
index dd440da..2c52c99 100644
--- a/src/providers/ad/ad_common.h
+++ b/src/providers/ad/ad_common.h
@@ -52,6 +52,7 @@ enum ad_basic_opt {
     AD_ACCESS_FILTER,
     AD_ENABLE_GC,
     AD_GPO_ACCESS_CONTROL,
+    AD_GPO_IMPLICIT_DENY,
     AD_GPO_CACHE_TIMEOUT,
     AD_GPO_MAP_INTERACTIVE,
     AD_GPO_MAP_REMOTE_INTERACTIVE,
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
index d568643..f3be723 100644
--- a/src/providers/ad/ad_gpo.c
+++ b/src/providers/ad/ad_gpo.c
@@ -1586,6 +1586,7 @@ struct ad_gpo_access_state {
     struct ldb_context *ldb_ctx;
     struct ad_access_ctx *access_ctx;
     enum gpo_access_control_mode gpo_mode;
+    bool gpo_implicit_deny;
     enum gpo_map_type gpo_map_type;
     struct sdap_id_conn_ctx *conn;
     struct sdap_id_op *sdap_op;
@@ -1712,6 +1713,8 @@ ad_gpo_access_send(TALLOC_CTX *mem_ctx,
     state->gpo_mode = ctx->gpo_access_control_mode;
     state->gpo_timeout_option = ctx->gpo_cache_timeout;
     state->ad_hostname = dp_opt_get_string(ctx->ad_options, AD_HOSTNAME);
+    state->gpo_implicit_deny = dp_opt_get_bool(ctx->ad_options,
+                                               AD_GPO_IMPLICIT_DENY);
     state->access_ctx = ctx;
     state->opts = ctx->sdap_access_ctx->id_ctx->opts;
     state->timeout = dp_opt_get_int(state->opts->basic, SDAP_SEARCH_TIMEOUT);
@@ -2171,7 +2174,15 @@ ad_gpo_process_gpo_done(struct tevent_req *subreq)
             }
         }
 
-        ret = EOK;
+        if (state->gpo_implicit_deny == true) {
+            DEBUG(SSSDBG_TRACE_FUNC,
+                  "No applicable GPOs have been found and ad_gpo_implicit_deny"
+                  " is set to 'true'. The user will be denied access.\n");
+            ret = ERR_ACCESS_DENIED;
+        } else {
+            ret = EOK;
+        }
+
         goto done;
     }
 
diff --git a/src/providers/ad/ad_opts.c b/src/providers/ad/ad_opts.c
index ac93327..c1d9cd7 100644
--- a/src/providers/ad/ad_opts.c
+++ b/src/providers/ad/ad_opts.c
@@ -38,6 +38,7 @@ struct dp_option ad_basic_opts[] = {
     { "ad_access_filter", DP_OPT_STRING, NULL_STRING, NULL_STRING},
     { "ad_enable_gc", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
     { "ad_gpo_access_control", DP_OPT_STRING, { AD_GPO_ACCESS_MODE_DEFAULT }, NULL_STRING },
+    { "ad_gpo_implicit_deny", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
     { "ad_gpo_cache_timeout", DP_OPT_NUMBER, { .number = 5 }, NULL_NUMBER },
     { "ad_gpo_map_interactive", DP_OPT_STRING, NULL_STRING, NULL_STRING },
     { "ad_gpo_map_remote_interactive", DP_OPT_STRING, NULL_STRING, NULL_STRING },
-- 
2.9.5