From 542cb84153c08db1ed3be0cf5467b877bb213343 Mon Sep 17 00:00:00 2001
From: Stef Walter <stefw@redhat.com>
Date: Fri, 12 Apr 2013 13:47:31 +0200
Subject: [PATCH] Clarify realm permit/deny commands

 * Deny is not able to add specific users to a blacklist.
 * Add --withdraw options for removing users from the permitted list
 * Compatibility to fall through with previous behavior
 * Better messages when arguments are invalid

https://bugs.freedesktop.org/show_bug.cgi?id=62518
---
 doc/manual/realm.xml | 50 +++++++++++++++++----------------
 tools/realm-logins.c | 78 +++++++++++++++++++++++++++++-----------------------
 tools/realm.c        |  4 +--
 3 files changed, 72 insertions(+), 60 deletions(-)

diff --git a/doc/manual/realm.xml b/doc/manual/realm.xml
index c5e0c9c..8a85172 100644
--- a/doc/manual/realm.xml
+++ b/doc/manual/realm.xml
@@ -42,10 +42,10 @@
 		<command>realm list</command>
 	</cmdsynopsis>
 	<cmdsynopsis>
-		<command>realm permit</command> <arg choice="opt">-a</arg> <arg choice="opt">-R realm</arg> <arg choice="req" rep="repeat">user</arg>
+		<command>realm permit</command> <arg choice="opt">-ax</arg> <arg choice="opt">-R realm</arg> <arg choice="req" rep="repeat">user</arg>
 	</cmdsynopsis>
 	<cmdsynopsis>
-		<command>realm deny</command> <arg choice="opt">-a</arg> <arg choice="opt">-R realm</arg> <arg choice="req" rep="repeat">user</arg>
+		<command>realm deny</command> <arg choice="plain">-a</arg> <arg choice="opt">-R realm</arg>
 	</cmdsynopsis>
 </refsynopsisdiv>
 
@@ -301,15 +301,17 @@ $ realm list
 
 	<informalexample>
 <programlisting>
-$ realm permit -a
-</programlisting>
-<programlisting>
+$ realm permit --all
 $ realm permit DOMAIN\User
+$ realm permit DOMAIN\User2
+$ realm permit --withdraw DOMAIN\User
 </programlisting>
 	</informalexample>
 
-	<para>If more than one realm is configured, then use the <option>--realm</option>
-	option to specify which realm to permit the users on.</para>
+	<para>The current login policy and format of the user names can be seen
+	 by using the <command>realm list</command> command.</para>
+
+	<para>The following options can be used:</para>
 
 	<para>The format of the user name can be seen by using the
 	<option>list</option> command.</para>
@@ -319,14 +321,20 @@ $ realm permit DOMAIN\User
 	<variablelist>
 		<varlistentry>
 			<term><option>--all, -a</option></term>
-			<listitem><para>Permit login according to the realm or
-			domain policy for logins on this machine. This usually
-			defaults to allowing any realm user to log in.</para></listitem>
+			<listitem><para>Permit logins using realm accounts on
+			the local machine according to the realm policy.This
+			usually defaults to allowing any realm user to log
+			in.</para></listitem>
 		</varlistentry>
 		<varlistentry>
 			<term><option>--realm, -R</option></term>
-			<listitem><para>Specify the name of the realm to permit
-			users to log into.</para></listitem>
+			<listitem><para>Specify the of the realm to change login
+			policy for.</para></listitem>
+		</varlistentry>
+		<varlistentry>
+			<term><option>--withdraw, -x</option></term>
+			<listitem><para>Remove a login from the list of realm
+			accounts permitted to log into the machine.</para></listitem>
 		</varlistentry>
 	</variablelist>
 
@@ -335,30 +343,24 @@ $ realm permit DOMAIN\User
 <refsect1>
 	<title>Deny</title>
 
-	<para>Deny local login by users of the realm.</para>
+	<para>Deny local login by realm accounts.</para>
 
 	<informalexample>
 <programlisting>
-$ realm deny -a
-</programlisting>
-<programlisting>
-$ realm deny DOMAIN\User
+$ realm deny --all
 </programlisting>
 	</informalexample>
 
-	<para>If more than one realm is configured, then use the <option>--realm</option>
-	option to specify which realm to deny the users' login via.</para>
-
-	<para>The format of the user name can be seen by using the
-	<option>list</option> command.</para>
+	<para>This command prevents realm accounts from logging into the local
+	machine. Use <command>realm permit</command> to restrict logins to
+	specific accounts.</para>
 
 	<para>The following options can be used:</para>
 
 	<variablelist>
 		<varlistentry>
 			<term><option>--all, -a</option></term>
-			<listitem><para>Deny login by any valid user of the
-			realm.</para></listitem>
+			<listitem><para>This option should be specified</para></listitem>
 		</varlistentry>
 		<varlistentry>
 			<term><option>--realm, -R</option></term>
diff --git a/tools/realm-logins.c b/tools/realm-logins.c
index bea26ed..0b10946 100644
--- a/tools/realm-logins.c
+++ b/tools/realm-logins.c
@@ -80,11 +80,11 @@ locate_configured_matching_realm (RealmClient *client,
 }
 
 static int
-perform_permit_or_deny_logins (RealmClient *client,
-                               const gchar *realm_name,
-                               const gchar **logins,
-                               gint n_logins,
-                               gboolean permit)
+perform_permit_specific (RealmClient *client,
+                         const gchar *realm_name,
+                         const gchar **logins,
+                         gint n_logins,
+                         gboolean withdraw)
 {
 	RealmDbusRealm *realm;
 	SyncClosure sync;
@@ -108,8 +108,8 @@ perform_permit_or_deny_logins (RealmClient *client,
 	g_variant_ref_sink (options);
 
 	realm_dbus_realm_call_change_login_policy (realm, REALM_DBUS_LOGIN_POLICY_PERMITTED,
-	                                           permit ? (const gchar * const*)add_or_remove : empty,
-	                                           permit ? empty : (const gchar * const*)add_or_remove,
+	                                           withdraw ? empty : (const gchar * const*)add_or_remove,
+	                                           withdraw ? (const gchar * const*)add_or_remove : empty,
 	                                           options, NULL, on_complete_get_result, &sync);
 
 	g_variant_unref (options);
@@ -124,8 +124,7 @@ perform_permit_or_deny_logins (RealmClient *client,
 	g_object_unref (realm);
 
 	if (error != NULL) {
-		realm_handle_error (error,
-		                    permit ? _("Couldn't permit logins") : _("Couldn't deny logins"));
+		realm_handle_error (error, _("Couldn't change permitted logins"));
 		return 1;
 	}
 
@@ -133,9 +132,9 @@ perform_permit_or_deny_logins (RealmClient *client,
 }
 
 static int
-perform_permit_or_deny_all (RealmClient *client,
-                            const gchar *realm_name,
-                            gboolean permit)
+perform_logins_all (RealmClient *client,
+                    const gchar *realm_name,
+                    gboolean permit)
 {
 	RealmDbusRealm *realm;
 	SyncClosure sync;
@@ -171,8 +170,7 @@ perform_permit_or_deny_all (RealmClient *client,
 	g_object_unref (realm);
 
 	if (error != NULL) {
-		realm_handle_error (error, "couldn't %s all logins",
-		                    permit ? "permit" : "deny");
+		realm_handle_error (error, _("Couldn't change permitted logins"));
 		return 1;
 	}
 
@@ -187,13 +185,18 @@ realm_permit_or_deny (RealmClient *client,
 {
 	GOptionContext *context;
 	gboolean arg_all = FALSE;
+	gboolean arg_withdraw = FALSE;
 	gchar *realm_name = NULL;
 	GError *error = NULL;
-	gint ret = 0;
+	gint ret = 2;
+
+	/* This implements the deprecated commands */
 
 	GOptionEntry option_entries[] = {
 		{ "all", 'a', 0, G_OPTION_ARG_NONE, &arg_all,
-		  permit ? N_("Permit any domain user login") : N_("Deny any domain user login"), NULL },
+		  permit ? N_("Permit any realm account login") : N_("Deny any realm account login"), NULL },
+		{ "withdraw", 'x', 0, G_OPTION_ARG_NONE, &arg_withdraw,
+		  N_("Withdraw permit for a realm account to login"), NULL },
 		{ "realm", 'R', 0, G_OPTION_ARG_STRING, &realm_name, N_("Realm to permit/deny logins for"), NULL },
 		{ NULL, }
 	};
@@ -204,29 +207,36 @@ realm_permit_or_deny (RealmClient *client,
 	g_option_context_add_main_entries (context, realm_global_options, NULL);
 
 	if (!g_option_context_parse (context, &argc, &argv, &error)) {
-		g_printerr ("%s: %s\n", g_get_prgname (), error->message);
+		realm_print_error ("%s", error->message);
 		g_error_free (error);
-		g_free (realm_name);
-		g_option_context_free (context);
-		return 2;
-	}
 
-	if (arg_all) {
-		if (argc != 1) {
-			g_printerr ("%s: %s\n", _("No users should be specified with -a or --all"), g_get_prgname ());
-			ret = 2;
-		} else {
-			ret = perform_permit_or_deny_all (client, realm_name, permit);
-		}
+	} else if (arg_all && argc != 1) {
+		realm_print_error (_("No logins should be specified with -a or --all"));
+
+	} else if (!permit && arg_withdraw) {
+		realm_print_error (_("The --withdraw or -x arguments cannot be used when denying logins"));
+
+	} else if (arg_all && arg_withdraw) {
+		realm_print_error (_("Specific logins must be specified with --withdraw"));
+
+	} else if (arg_all) {
+		ret = perform_logins_all (client, realm_name, permit);
+
 	} else if (argc < 2) {
-		g_printerr ("%s: %s\n", g_get_prgname (),
-		            permit ? _("Specify users to permit") : _("Specify users to deny"));
-		ret = 2;
+		if (!permit)
+			realm_print_error (_("Use --all to deny all logins"));
+		else
+			realm_print_error (_("Specify specific users to add or remove from the permitted list"));
 
 	} else {
-		ret = perform_permit_or_deny_logins (client, realm_name,
-		                                     (const gchar **)(argv + 1),
-		                                     argc - 1, permit);
+		if (!permit) {
+			realm_print_error (_("Specifying deny without --all is deprecated. Use realm permit --withdraw"));
+			arg_withdraw = TRUE;
+		}
+
+		ret = perform_permit_specific (client, realm_name,
+		                               (const gchar **)(argv + 1),
+		                               argc - 1, arg_withdraw);
 	}
 
 	g_free (realm_name);
diff --git a/tools/realm.c b/tools/realm.c
index 9cb0b62..46aadc0 100644
--- a/tools/realm.c
+++ b/tools/realm.c
@@ -40,8 +40,8 @@ struct {
 	{ "join", realm_join, "realm join -v [-U user] realm-name", N_("Enroll this machine in a realm") },
 	{ "leave", realm_leave, "realm leave -v [-U user] [realm-name]", N_("Unenroll this machine from a realm") },
 	{ "list", realm_list, "realm list", N_("List known realms") },
-	{ "permit", realm_permit, "realm permit [-a] [-R realm] user ...", N_("Permit user logins") },
-	{ "deny", realm_deny, "realm deny [-a] [-R realm] user ...", N_("Deny user logins") },
+	{ "permit", realm_permit, "realm permit [-ax] [-R realm] user ...", N_("Permit user logins") },
+	{ "deny", realm_deny, "realm deny --all [-R realm]", N_("Deny user logins") },
 };
 
 void
-- 
1.8.1.4