sssd/0082-DESKPROFILE-Add-checks...


From b72e444bc1cd2fe8d9617f09b446c678d4684fff Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
Date: Mon, 22 Jan 2018 00:02:43 +0100
Subject: [PATCH] DESKPROFILE: Add checks for user and host category
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
freeipa-deskprofile-plugin can have both the user and the host category set to
"all", and when that happens no users and groups or hosts or hostgroups
are going to be set.
Let's handle this expected (but so far missed) situation on the SSSD side.
Resolves:
https://pagure.io/SSSD/sssd/issue/3449
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/providers/ipa/ipa_deskprofile_rules_util.c | 100 ++++++++++++++++++++-----
1 file changed, 82 insertions(+), 18 deletions(-)
diff --git a/src/providers/ipa/ipa_deskprofile_rules_util.c b/src/providers/ipa/ipa_deskprofile_rules_util.c
index 53c433145..01b7d0527 100644
--- a/src/providers/ipa/ipa_deskprofile_rules_util.c
+++ b/src/providers/ipa/ipa_deskprofile_rules_util.c
@@ -684,6 +684,8 @@ ipa_deskprofile_rules_save_rule_to_disk(
TALLOC_CTX *tmp_ctx;
const char *rule_name;
const char *data;
+ const char *hostcat;
+ const char *usercat;
char *shortname;
char *domainname;
char *base_dn;
@@ -722,6 +724,28 @@ ipa_deskprofile_rules_save_rule_to_disk(
goto done;
}
+ ret = sysdb_attrs_get_string(rule, IPA_HOST_CATEGORY, &hostcat);
+ if (ret == ENOENT) {
+ hostcat = NULL;
+ } else if (ret != EOK) {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Failed to get the Desktop Profile Rule host category for rule "
+ "\"%s\" [%d]: %s\n",
+ rule_name, ret, sss_strerror(ret));
+ goto done;
+ }
+
+ ret = sysdb_attrs_get_string(rule, IPA_USER_CATEGORY, &usercat);
+ if (ret == ENOENT) {
+ usercat = NULL;
+ } else if (ret != EOK) {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Failed to get the Desktop Profile Rule user category for rule "
+ "\"%s\" [%d]: %s\n",
+ rule_name, ret, sss_strerror(ret));
+ goto done;
+ }
+
rule_prio = talloc_asprintf(tmp_ctx, "%06d", prio);
if (rule_prio == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "Failed to allocate rule priority\n");
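Review bot: Both new error branches log at `SSSDBG_TRACE_FUNC` even though each one abandons the rule with `goto done`. The other failure paths visible in this function, such as the allocation failure right after them, use `SSSDBG_CRIT_FAILURE`. A failed read of `IPA_HOST_CATEGORY` or `IPA_USER_CATEGORY` decides whether a policy rule is written at all, so it should be visible wherever logging is limited to failure levels; I would change both calls to `DEBUG(SSSDBG_OP_FAILURE,` or `SSSDBG_CRIT_FAILURE` to match the neighbours. The body of `ipa_deskprofile_rules_save_rule_to_disk()` starts and ends outside this hunk, so the `done:` handling is not visible here.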
@@ -753,26 +777,66 @@ ipa_deskprofile_rules_save_rule_to_disk(
goto done;
}
- ret = ipa_deskprofile_rule_check_memberuser(tmp_ctx, domain, rule,
- rule_name, rule_prio,
- base_dn, username,
- &user_prio, &group_prio);
- if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE,
- "ipa_deskprofile_rule_check_memberuser() failed [%d]: %s\n",
- ret, sss_strerror(ret));
- goto done;
+ if (usercat != NULL && strcasecmp(usercat, "all") == 0) {
+ user_prio = talloc_strdup(tmp_ctx, rule_prio);
+ if (user_prio == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to allocate the user priority "
+ "when user category is \"all\"\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ group_prio = talloc_strdup(tmp_ctx, rule_prio);
+ if (group_prio == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to allocate the group priority "
+ "when user category is \"all\"\n");
+ ret = ENOMEM;
+ goto done;
+ }
+ } else {
+ ret = ipa_deskprofile_rule_check_memberuser(tmp_ctx, domain, rule,
+ rule_name, rule_prio,
+ base_dn, username,
+ &user_prio, &group_prio);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "ipa_deskprofile_rule_check_memberuser() failed [%d]: %s\n",
+ ret, sss_strerror(ret));
+ goto done;
+ }
}
- ret = ipa_deskprofile_rule_check_memberhost(tmp_ctx, domain, rule,
- rule_name, rule_prio,
- base_dn, hostname,
- &host_prio, &hostgroup_prio);
- if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE,
- "ipa_deskprofile_rule_check_memberhost() failed [%d]: %s\n",
- ret, sss_strerror(ret));
- goto done;
+ if (hostcat != NULL && strcasecmp(hostcat, "all") == 0) {
+ host_prio = talloc_strdup(tmp_ctx, rule_prio);
+ if (host_prio == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to allocate the host priority "
+ "when host category is \"all\"\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ hostgroup_prio = talloc_strdup(tmp_ctx, rule_prio);
+ if (hostgroup_prio == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to allocate the hostgroup priority "
+ "when host category is \"all\"\n");
+ ret = ENOMEM;
+ goto done;
+ }
+ } else {
+ ret = ipa_deskprofile_rule_check_memberhost(tmp_ctx, domain, rule,
+ rule_name, rule_prio,
+ base_dn, hostname,
+ &host_prio, &hostgroup_prio);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "ipa_deskprofile_rule_check_memberhost() failed [%d]: %s\n",
+ ret, sss_strerror(ret));
+ goto done;
+ }
}
ret = ipa_deskprofile_get_normalized_rule_name(mem_ctx, rule_name,
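Review bot: The two `strcasecmp(..., "all") == 0` branches skip `ipa_deskprofile_rule_check_memberuser()` and `ipa_deskprofile_rule_check_memberhost()` entirely, and nothing in the code says why that is safe. Each branch deserves a short comment, for example `/* Category "all" matches every user and group; such a rule carries no member attributes to check. */` above the user branch, with the host equivalent above the second. It is also worth stating that a missing or any other category value falls through to the member check, since that fail-closed direction is what keeps an unexpected value from widening the rule. The literal `"all"` appears in both comparisons; a single named constant (reusing one if the IPA provider already defines it) would keep the two in step. The function continues past the end of this hunk.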
--
2.14.3