authorArthur de Jong <arthur@arthurdejong.org>2011-06-05 20:18:11 +0000
committerArthur de Jong <arthur@arthurdejong.org>2011-06-05 20:18:11 +0000
commitb5fce7976afee60a1af2c53178f9f4f12cc32829 (patch)
tree8e002055c8ccb45bf1c60566fab5c864301869f7
parenta752fb12d375c9eb0581e72a97b276ea7ecc540e (diff)
check all variables in pam_authz_search to see if they exist
git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-pam-ldapd@1474 ef36b2f9-881f-0410-afb5-c4e39611909c
-rw-r--r--nslcd/cfg.c37
-rw-r--r--nslcd/pam.c12
2 files changed, 42 insertions, 7 deletions
diff --git a/nslcd/cfg.c b/nslcd/cfg.c
index bc42627..fee3286 100644
--- a/nslcd/cfg.c
+++ b/nslcd/cfg.c
@@ -57,6 +57,7 @@
#include "log.h"
#include "cfg.h"
#include "attmap.h"
+#include "common/expr.h"
struct ldap_config *nslcd_cfg=NULL;
@@ -756,6 +757,39 @@ static void parse_nss_initgroups_ignoreusers_statement(
}
}
+static void parse_pam_authz_search_statement(
+ const char *filename,int lnr,const char *keyword,
+ char *line,struct ldap_config *cfg)
+{
+ SET *set;
+ const char **list;
+ int i;
+ check_argumentcount(filename,lnr,keyword,(line!=NULL)&&(*line!='\0'));
+ cfg->ldc_pam_authz_search=xstrdup(line);
+ /* check the variables used in the expression */
+ set=expr_vars(cfg->ldc_pam_authz_search,NULL);
+ list=set_tolist(set);
+ for (i=0;list[i]!=NULL;i++)
+ {
+ if ((strcmp(list[i],"username")!=0)&&
+ (strcmp(list[i],"service")!=0)&&
+ (strcmp(list[i],"ruser")!=0)&&
+ (strcmp(list[i],"rhost")!=0)&&
+ (strcmp(list[i],"tty")!=0)&&
+ (strcmp(list[i],"hostname")!=0)&&
+ (strcmp(list[i],"fqdn")!=0)&&
+ (strcmp(list[i],"dn")!=0)&&
+ (strcmp(list[i],"uid")!=0))
+ {
+ log_log(LOG_ERR,"%s:%d: unknown variable $%s",filename,lnr,list[i]);
+ exit(EXIT_FAILURE);
+ }
+ }
+ /* free memory */
+ set_free(set);
+ free(list);
+}
+
static void cfg_read(const char *filename,struct ldap_config *cfg)
{
FILE *fp;
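Review bot: The loop at `for (i=0;list[i]!=NULL;i++)` dereferences `list` without checking it, so if `set_tolist()` (or `expr_vars()`, whose result is passed straight in) can return NULL on allocation failure or on an expression it cannot parse, a bad `pam_authz_search` line crashes nslcd at startup instead of producing a configuration error; those helpers are not visible here, so this is inferred from their shape. The accepted-variable list is also now written out twice, in this `strcmp` chain and in `try_autzsearch()`, and kept in sync only by the NOTE comment added in pam.c; a single NULL-terminated table beside the parser turns the chain into a loop and gives that comment something concrete to point at. Finally, `cfg->ldc_pam_authz_search=xstrdup(line)` overwrites any value set by an earlier `pam_authz_search` statement without freeing it; since pam.c treats a NULL field as "not configured" the field is presumably NULL-initialised, so a `free()` before the `xstrdup()` is safe. Suggested rewrite:
```c
/* variables that try_autzsearch() in pam.c puts in the dictionary;
   keep this table and that function in sync */
static const char *const pam_authz_vars[]={
  "username","service","ruser","rhost","tty","hostname","fqdn","dn","uid",NULL};

static void parse_pam_authz_search_statement(
    const char *filename,int lnr,const char *keyword,
    char *line,struct ldap_config *cfg)
{
  SET *set;
  const char **list;
  int i,j;
  check_argumentcount(filename,lnr,keyword,(line!=NULL)&&(*line!='\0'));
  /* a repeated statement replaces the earlier value */
  free(cfg->ldc_pam_authz_search);
  cfg->ldc_pam_authz_search=xstrdup(line);
  /* check the variables used in the expression */
  set=expr_vars(cfg->ldc_pam_authz_search,NULL);
  list=(set==NULL)?NULL:set_tolist(set);
  if (list==NULL)
  {
    log_log(LOG_ERR,"%s:%d: cannot analyse expression",filename,lnr);
    exit(EXIT_FAILURE);
  }
  for (i=0;list[i]!=NULL;i++)
  {
    for (j=0;pam_authz_vars[j]!=NULL;j++)
      if (strcmp(list[i],pam_authz_vars[j])==0)
        break;
    if (pam_authz_vars[j]==NULL)
    {
      log_log(LOG_ERR,"%s:%d: unknown variable $%s",filename,lnr,list[i]);
      exit(EXIT_FAILURE);
    }
  }
  /* … unchanged: set_free(set); free(list); … */
}
```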
@@ -1057,8 +1091,7 @@ static void cfg_read(const char *filename,struct ldap_config *cfg)
}
else if (strcasecmp(keyword,"pam_authz_search")==0)
{
- check_argumentcount(filename,lnr,keyword,(line!=NULL)&&(*line!='\0'));
- cfg->ldc_pam_authz_search=xstrdup(line);
+ parse_pam_authz_search_statement(filename,lnr,keyword,line,cfg);
}
else if (strcasecmp(keyword,"nss_min_uid")==0)
{
diff --git a/nslcd/pam.c b/nslcd/pam.c
index 77322ca..b0c1911 100644
--- a/nslcd/pam.c
+++ b/nslcd/pam.c
@@ -244,7 +244,7 @@ int nslcd_pam_authc(TFILE *fp,MYLDAP_SESSION *session,uid_t calleruid)
authzmsg[0]='\0';
/* read request parameters */
READ_STRING(fp,username);
- SKIP_STRING(fp);
+ SKIP_STRING(fp); /* DN */
READ_STRING(fp,servicename);
READ_STRING(fp,password);
/* log call */
@@ -377,7 +377,9 @@ static int try_autzsearch(MYLDAP_SESSION *session,const char *dn,
/* check whether the search filter is configured at all */
if (!nslcd_cfg->ldc_pam_authz_search)
return LDAP_SUCCESS;
- /* build the dictionary with variables */
+ /* build the dictionary with variables
+ NOTE: any variables added here also need to be added to
+ cfg.c:parse_pam_authz_search_statement() */
dict=dict_new();
autzsearch_var_add(dict,"username",username);
autzsearch_var_add(dict,"service",servicename);
@@ -441,7 +443,7 @@ int nslcd_pam_authz(TFILE *fp,MYLDAP_SESSION *session)
authzmsg[0]='\0';
/* read request parameters */
READ_STRING(fp,username);
- SKIP_STRING(fp);
+ SKIP_STRING(fp); /* DN */
READ_STRING(fp,servicename);
READ_STRING(fp,ruser);
READ_STRING(fp,rhost);
@@ -497,7 +499,7 @@ int nslcd_pam_sess_o(TFILE *fp,MYLDAP_SESSION *session)
int32_t sessionid;
/* read request parameters */
READ_STRING(fp,username);
- SKIP_STRING(fp);
+ SKIP_STRING(fp); /* DN */
READ_STRING(fp,servicename);
READ_STRING(fp,tty);
READ_STRING(fp,rhost);
@@ -526,7 +528,7 @@ int nslcd_pam_sess_c(TFILE *fp,MYLDAP_SESSION *session)
int32_t sessionid;
/* read request parameters */
READ_STRING(fp,username);
- SKIP_STRING(fp);
+ SKIP_STRING(fp); /* DN */
READ_STRING(fp,servicename);
READ_STRING(fp,tty);
READ_STRING(fp,rhost);