Hi,
So my concerns about thread-safety of the solution seem to be
exaggerated, that is a good thing. Let me post just a little update of
the work on the SSSD side for time policies in FreeIPA (also attaching
current patches).
Thanks to the guys in the Brno office, we've been able to fix the Python
bindings I prepared some time ago. I have also written some Python tests
for the HbacTimeRules class according to the HbacRuleElement class.
Currently, a time attribute still needs to be added to the HbacRequest
class so that it can be used for HBAC evaluation in Python. I was also
wondering whether the HbacTimeRules object should react when a wrong time
policy string is handed to it (e.g. you want to set "2000" as access
time instead of "timeofday=2000"). If such a time rule gets evaluated,
the mistake gets detected anyway.
One thing I was also thinking is that you may want to have the
time-rules language parsed by regular expressions in the ipa_timerules.c
module. Currently, this is done by a finite automaton which works just
fine but the code may not be that readable.
Also note that the IPA_TIMEZONE constant was renamed to "ipaTimeZone"
from "timezone" according to the latest changes I made on the FreeIPA side,
should you decide to try it and the timezones do not work. I have not
yet published those FreeIPA changes, but other than this, they are
rather codewise-cosmetical.
Cheers,
Standa