2754a8dcfa937d45b024a2e57419248bfd4c4919 |
|
21-Nov-2017 |
Pavel Březina <pbrezina@redhat.com> |
ipa: implement method to refresh HBAC rules
Related:
https://pagure.io/SSSD/sssd/issue/2840
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
7c1d1393537dec95e09b83b607ce9d0e8f49584c |
|
28-Aug-2017 |
Fabiano Fidêncio <fidencio@redhat.com> |
IPA_COMMON: Introduce ipa_get_host_attrs()
By adding this method it can be reused in the future for new backend
modules.
Related:
https://pagure.io/SSSD/sssd/issue/2995
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
18d898d9cb30f298b3a35dc1c1bace95ef4e0b3b |
|
28-Aug-2017 |
Fabiano Fidêncio <fidencio@redhat.com> |
IPA_ACCESS: Make use of struct ipa_common_entries
Just by doing so ipa_save_hbac() can be completely removed.
Related:
https://pagure.io/SSSD/sssd/issue/2995
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
0f623456437c96f50330fe0ff21afd9638d14e57 |
|
28-Aug-2017 |
Fabiano Fidêncio <fidencio@redhat.com> |
IPA_RULES_COMMON: Introduce ipa_common_save_rules()
This method is kind of a replacement for ipa_save_hbac() one.
While ipa_save_hbac() wasn't removed, its purpose has been totally
changed. Now it just prepares the ground and calls
ipa_common_save_rules() which is a more generic function that can be
reused for new backend modules.
In order to make the code cleaner a new structure has also been
introduced: struct ipa_common_entries; which contains the values that
will be used to save the entry and the entrygroup to sysdb.
Related:
https://pagure.io/SSSD/sssd/issue/2995
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
d2a0b4a6a220bf9a58c7306c3f673891efc419eb |
|
28-Aug-2017 |
Fabiano Fidêncio <fidencio@redhat.com> |
IPA_ACCESS: Make ipa_purge_hbac() more generic
This method can also be reused in the future for new backend modules.
In order to make it more generic, let's just move it to
ipa_rules_common.[ch], rename it to ipa_common_purge_rules() and make
the subtreename to be purged a new parameter of this method.
Related:
https://pagure.io/SSSD/sssd/issue/2995
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
e17e37cd0e2109e7f1bd4ae48edfc8cca85b3f93 |
|
28-Aug-2017 |
Fabiano Fidêncio <fidencio@redhat.com> |
IPA_ACCESS: Make hbac_get_cache_rules() more generic
This method can also be reused in the future for new backend modules.
In order to make it more generic, let's just move it to
ipa_rules_common.[ch], rename it to ipa_common_get_cached_rules() and
make the rule, subtree name and the attributes to be searched new
parameters of this method.
In order to not be declaring the enormous list of attributes HBAC uses
when calling this method, a new hbac_get_attrs_to_get_cached_rules()
method has been introduced.
Related:
https://pagure.io/SSSD/sssd/issue/2995
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
9a18f78f38e274f4906af6ef8e1a82d844fde4cc |
|
28-Aug-2017 |
Fabiano Fidêncio <fidencio@redhat.com> |
IPA: Make ipa_hbac_sysdb_save() more generic
Although there's no change in the ipa_hbac_sysdb_save() itself, its name
has been changed to ipa_common_entries_and_groups_sysdb_save() and it's
been split out from HBAC related files and moved to the newly created
ipa_rules_common.[ch] files, which will also be used in the future for
new backend modules.
ipa_rules_common.[ch] is not exactly the best name for those files, IMO,
but I really cannot come up with something better.
Related:
https://pagure.io/SSSD/sssd/issue/2995
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
8a26d32bc9b71e85a42b7832891100a7249f92aa |
|
28-Aug-2017 |
Fabiano Fidêncio <fidencio@redhat.com> |
IPA_ACCESS: Remove not used attribute
struct time_rules_ctx * is not used anywhere in the access handler,
thus there's no need to store it.
Related:
https://pagure.io/SSSD/sssd/issue/2995
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
709989b80b5d6112fc6b62db762570330b9e2eea |
|
08-Jun-2017 |
Lukas Slebodnik <lslebodn@redhat.com> |
Remove unnecessary sys/param.h
They are mostly required for macros MAX/MIN which were not used
in these modules.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> |
dea636af4d1902a081ee891f1b19ee2f8729d759 |
|
20-Jun-2016 |
Pavel Březina <pbrezina@redhat.com> |
DP: Switch to new interface
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
7c30eade4ae794ed809845f2ef70dda849b6e7c9 |
|
23-Mar-2016 |
Lukas Slebodnik <lslebodn@redhat.com> |
UTIL: Allow to append new line in sss_vdebug_fn
libldb is not consistent with appending line feed
in debug messages. As a result of this two messages can be on the same line
in sssd log files. Which makes analyzing log files more difficult.
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
e0c86d21388bffe2e3919e780780c40d96186abb |
|
12-Mar-2016 |
Jakub Hrozek <jhrozek@redhat.com> |
libipa_hbac: Move the library to src/lib/ipa_hbac
Moving the library to the lib directory will force maintainers to think
twice about changes, because it would be obvious this is a library.
Also don't use includes from sssd source tree paths, but add the util
path to Makefile's CFLAGS so that other projects can copy the
hbac_evaluator.c file verbatim.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
d833f316243f4ccd52b9b53dbd6e91c784825479 |
|
23-Feb-2016 |
Lukas Slebodnik <lslebodn@redhat.com> |
IPA: log real hbac function
The string "hbac" was logged previously. Real hbac function
will be logged with this patch.
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
c426a8985a009e4506bef8dac76af4fa6fc2035c |
|
23-Feb-2016 |
Lukas Slebodnik <lslebodn@redhat.com> |
IPA: Use sss_vdebug_fn in hbac_debug_messages
This patch reduces unnecessary memory allocations for
log messages from libhbac.
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
2a44a8c6683cfea218ee5329bcfad953dfeb6746 |
|
23-Feb-2016 |
Lukas Slebodnik <lslebodn@redhat.com> |
UTIL: Use prefix for debug function
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
65ce66c43141f7e5c8482a8f8e7e217a23791588 |
|
01-Oct-2015 |
Petr Cech <pcech@redhat.com> |
HBAC: Better libhbac debugging
Added support for logging via external log function.
Log provides information about rules evaluating (HBAC_DBG_INFO level)
and additionally can describe rules (HBAC_DBG_TRACE level).
Resolves:
https://fedorahosted.org/sssd/ticket/2703
Reviewed-by: Pavel Reichl <preichl@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Michal Židek <mzidek@redhat.com> |
6dff95bdfe437afc0b62b5270d0d84140981c786 |
|
24-Mar-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
IPA: Remove the ipa_hbac_treat_deny_as option
https://fedorahosted.org/sssd/ticket/2603
Since deny rules are no longer supported on the server, the client
should no longer support them either. Remove the option.
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
fdfe33975cd902bf7a334e49f2667f6346c4e6ae |
|
24-Mar-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
IPA: Deprecate the ipa_hbac_treat_deny_as option
https://fedorahosted.org/sssd/ticket/2603
Deny rules have not been supported by the IPA server since 2.1. We
should deprecate the ipa_hbac_treat_deny_as option.
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
87f8bee53ee1b4ca87b602ff8536bc5fd5b5b595 |
|
17-Mar-2015 |
Lukas Slebodnik <lslebodn@redhat.com> |
Add missing new lines to debug messages
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
db18dda869bc6c52a41797b2066cf121cf10f49c |
|
22-Jul-2014 |
Pavel Reichl <preichl@redhat.com> |
UTIL: rename find_subdomain_by_name
The function was named "find_subdomain" yet it could find both main
domain and subdomain.
sed 's/find_subdomain_by_name/find_domain_by_name/' -i `find . -name "*.[ch]"`
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
83bf46f4066e3d5e838a32357c201de9bd6ecdfd |
|
12-Feb-2014 |
Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> |
Update DEBUG* invocations to use new levels
Use a script to update DEBUG* macro invocations, which use literal
numbers for levels, to use bitmask macros instead:
grep -rl --include '*.[hc]' DEBUG . |
while read f; do
mv "$f"{,.orig}
perl -e 'use strict;
use File::Slurp;
my @map=qw"
SSSDBG_FATAL_FAILURE
SSSDBG_CRIT_FAILURE
SSSDBG_OP_FAILURE
SSSDBG_MINOR_FAILURE
SSSDBG_CONF_SETTINGS
SSSDBG_FUNC_DATA
SSSDBG_TRACE_FUNC
SSSDBG_TRACE_LIBS
SSSDBG_TRACE_INTERNAL
SSSDBG_TRACE_ALL
";
my $text=read_file(\*STDIN);
my $repl;
$text=~s/
^
(
.*
\b
(DEBUG|DEBUG_PAM_DATA|DEBUG_GR_MEM)
\s*
\(\s*
)(
[0-9]
)(
\s*,
)
(
\s*
)
(
.*
)
$
/
$repl = $1.$map[$3].$4.$5.$6,
length($repl) <= 80
? $repl
: $1.$map[$3].$4."\n".(" " x length($1)).$6
/xmge;
print $text;
' < "$f.orig" > "$f"
rm "$f.orig"
done
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com> |
a3c8390d19593b1e5277d95bfb4ab206d4785150 |
|
12-Feb-2014 |
Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> |
Make DEBUG macro invocations variadic
Use a script to update DEBUG macro invocations to use it as a variadic
macro, supplying format string and its arguments directly, instead of
wrapping them in parens.
This script was used to update the code:
grep -rwl --include '*.[hc]' DEBUG . |
while read f; do
mv "$f"{,.orig}
perl -e \
'use strict;
use File::Slurp;
my $text=read_file(\*STDIN);
$text=~s#(\bDEBUG\s*\([^(]+)\((.*?)\)\s*\)\s*;#$1$2);#gs;
print $text;' < "$f.orig" > "$f"
rm "$f.orig"
done
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com> |
e2ac9be4f293b96f3c8992f1171e44bc1da5cfca |
|
15-Nov-2013 |
Michal Zidek <mzidek@redhat.com> |
SYSDB: Drop redundant sysdb_ctx parameter from sysdb.c |
d115f40c7a3999e3cbe705a2ff9cf0fd493f80fb |
|
15-Nov-2013 |
Michal Zidek <mzidek@redhat.com> |
SYSDB: Drop the sysdb_ctx parameter - module sysdb_ops (part 2) |
443eb8217741df57d9f58f2098487b91e3404e71 |
|
25-Oct-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Amend sdap_access_check to allow any connection
Related:
https://fedorahosted.org/sssd/ticket/2082
Also move the check for subdomain to the handler. I think it is the job
of the handler to decide which domain the request belongs to, not the
request itself. |
caf576da562bf7bd30e74ad921c1212ec7d230bc |
|
13-Sep-2013 |
Ondrej Kos <okos@redhat.com> |
IPA: Deprecate ipa_hbac_support_srchost option
This option got already deprecated on the ipa server side.
Option is undocumented and warning is printed both to the sssd log files
and syslog.
Resolves:
https://fedorahosted.org/sssd/ticket/1918 |
ee02e59e4d966f44c7a48ad04474156fc65d7006 |
|
17-Jun-2013 |
Pavel Březina <pbrezina@redhat.com> |
handle ERR_ACCOUNT_EXPIRED properly
https://fedorahosted.org/sssd/ticket/1953 |
dcb44c39dda9699cdd6488fd116a51ced0687de3 |
|
07-Jun-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: sdap_id_ctx might contain several connections
With some LDAP server implementations, one server might provide
different "views" of the identities on different ports. One example is
the Active Directory Global catalog. The provider would contact
different view depending on which operation it is performing and against
which SSSD domain.
At the same time, these views run on the same server, which means the same
server options, enumeration, cleanup or Kerberos service should be used.
So instead of using several different failover ports or several
instances of sdap_id_ctx, this patch introduces a new "struct
sdap_id_conn_ctx" that contains the connection cache to the particular
view and an instance of "struct sdap_options" that contains the URI.
No functional changes are present in this patch, currently all providers
use a single connection. Multiple connections will be used later in the
upcoming patches. |
dfd71fc92db940b2892cc996911cec03d7b6c52b |
|
19-Mar-2013 |
Simo Sorce <simo@redhat.com> |
Convert sdap_access to new error codes
Also simplify sdap_access_send to avoid completely fake _send() routines. |
cbaba2f47da96c4191971bce86f03afb3f88864a |
|
21-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add be_req_get_data() helper function.
In preparation for making struct be_req opaque. |
03abdaa21ecf562b714f204ca42379ff08626f75 |
|
21-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add be_req_get_be_ctx() helper.
In preparation for making be_req opaque |
8e5549e453558d4bebdec333a93e215d5d6ffaec |
|
21-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Introduce be_req_terminate() helper
Call it everywhere instead of directly dereferencing be_req->fn
This is in preparation of making be_req opaque. |
ccc2af010bbbe6d8a7496fb717216135bc4c1993 |
|
21-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Remove domain from be_req structure |
249a28dbf31e11794c7f35d709c5561c1555898d |
|
21-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Pass domain not be_req to access check functions |
ffbd3f324558fe7e04d6007761391889800baa95 |
|
21-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Move hbac_ctx_is_offline() |
1f5965110f3f4e1a8d35cf1e308b156e912c8639 |
|
21-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Remove hbac_ctx_sdap_id_[ctx|op]() |
051491353666d0be95316dc62a1e7f280b4bad57 |
|
21-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Remove hbac_ctx_ev() |
f67c42ad2b6b23bda8232d3adb51ed75b9f30f38 |
|
21-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Remove hbac_ctx_be() |
28c0e7ebc857bf488bbc043c9574de6abc1efea7 |
|
21-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Remove sysdb argument from hbac_get_cached_rules() |
e0404de84c31d2387bb244d018a5cac8d01f8b19 |
|
21-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Remove sysdb arg from [ipa_]hbac_sysdb_save()
Also make ipa_hbac_save_list() static |
697160f588c509982e9b504ecb857cea7dd308a5 |
|
21-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Remove sysdb arg from ipa_hbac_service_info_send() |
d34961fdcf5a999d9debee3d1d8e255457798295 |
|
21-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Remove sysdb argument from ipa_host_info_send() |
770896b194b7b66b09c2a30545b4d091fd86b1f4 |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add domain argument to sysdb_search_custom()
Also changes sysdb_search_custom_by_name() |
9675bccabff4e79d224f64611ad9ff3e073b488e |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Make sysdb_custom_subtree_dn() require a domain. |
94a66f84bd3c28fcabffeb84c682dccf89d89c2b |
|
19-Nov-2012 |
Sumit Bose <sbose@redhat.com> |
Do not save HBAC rules in subdomain subtree
Currently the sysdb context is pointed to the subdomain subtree
containing the user to be checked at the beginning of a HBAC
request. As a result all HBAC rules and related data is saved in the
subdomain tree as well. But since the HBAC rules of the configured
domain apply to all users it is sufficient to save them once in the
subtree of the configured domain.
Since most of the sysdb operations during a HBAC request are related to
the HBAC rules and related data this patch does not change the default
sysdb context but only creates a special context to look up subdomain
users. |
95f5e7963a36b7b68859ce91ae4b232088bbaa09 |
|
24-Sep-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
SYSDB: Remove unnecessary domain parameter from several sysdb calls
The domain can be read from the sysdb object. Removing the domain string
makes the API more self-contained. |
21d485184df986e1a123f70c689517386e51a5ce |
|
23-Aug-2012 |
Michal Zidek <mzidek@redhat.com> |
Unify usage of sysdb transactions
Removing bad examples of usage of sysdb_transaction_start/commit/end
functions and making it more consistent (all files except of
src/db/sysdb_*.c). |
1390b5db218b0ecf0a806ab206bbda4d485658fb |
|
31-Jul-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Modify hbac_get_cached_rules() so it can be used outside of HBAC code |
a71607420a44728e6aa237911da4221640a6a0e0 |
|
02-Jul-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
IPA: Don't hang onto memory longer than necessary
This request and attached memory would be freed at the end of
access-check processing, but it's a waste to keep it around. |
55d21766613d11646da3e2e7df69ca02c03ee053 |
|
24-Apr-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Detect subdomain request in IPA access provider |
a0f186208e39a88b9e18d875121c5032531e7705 |
|
24-Apr-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Accept be_req instead of be_ctx in LDAP access provider |
158aff60c94aa72a925b766fb33c4117a959970b |
|
12-Mar-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
IPA: Initialize hbac_ctx to NULL |
d10350e1854cd2156567f058f5a76041994e7f2b |
|
09-Mar-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
IPA: Check nsAccountLock during PAM_ACCT_MGMT
https://fedorahosted.org/sssd/ticket/1227 |
fdab7bbf8933351f6254438c30ff361cd748b15a |
|
24-Feb-2012 |
Jan Zeleny <jzeleny@redhat.com> |
IPA hosts refactoring |
1a7d1977037864e52858058777af8ff8401547dd |
|
07-Feb-2012 |
Jan Cholasta <jcholast@redhat.com> |
IPA: Add host info handler |
ad07ed37b6b51ef134d4524edaf2259e19ac984f |
|
06-Feb-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Separate the host-retrieval code from IPA HBAC to common IPA code |
71ad247500b417836a1a2edec257a4433a7c415f |
|
06-Feb-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Implemented support for multiple search bases in HBAC rules and services |
c935271de3b99d35112e0faf854cbfa9dfaa104a |
|
14-Jan-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Support multiple search bases in HBAC |
75a43c7f91fcb27dee75976cc7c094dd5fa589f6 |
|
16-Dec-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Export the function to convert ldb_result to sysdb_attrs
It will be reused later in the sudo responder |
6fb75e297bf7fc83e3db1f5ae8560624656ef319 |
|
29-Nov-2011 |
Jan Zeleny <jzeleny@redhat.com> |
Add ipa_hbac_support_srchost option to IPA provider
don't fetch all host groups if this option is false
https://fedorahosted.org/sssd/ticket/1078 |
ac3a1f3da772cf101101c31675c63dc3549b21b5 |
|
22-Nov-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Cleanup: Remove unused parameters |
ea40c46597f124f08802b6a6422394777d9bfb91 |
|
28-Sep-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
IPA access: hostname comparison should be case-insensitive |
e79d23932ef9d52cf4eb32ddec2d0a9b3af9a9eb |
|
15-Aug-2011 |
Jan Zeleny <jzeleny@redhat.com> |
sysdb refactoring: memory context deleted
This patch deletes memory context parameter in those places in sysdb
where it is not necessary. The code using modified functions has been
updated. Tests updated as well. |
8a1738f9379a1b8fb5c95c3df649e014ff5a1434 |
|
15-Aug-2011 |
Jan Zeleny <jzeleny@redhat.com> |
sysdb refactoring: deleted domain variables in sysdb API
The patch also updates code using modified functions. Tests have also
been adjusted. |
a0be5e4a1a3087e66546ab0f1db0e590ed652e34 |
|
29-Jul-2011 |
Stephen Gallagher <sgallagh@redhat.com> |
Fix memory leak in ipa_hbac_evaluate_rules
https://fedorahosted.org/sssd/ticket/933 |
98fc4cbc838615a88b9725a13ab7491e89cbac32 |
|
08-Jul-2011 |
Stephen Gallagher <sgallagh@redhat.com> |
Add ipa_hbac_treat_deny_as option
By default, we will treat the presence of any DENY rule as denying
all users. This option will allow the admin to explicitly ignore
DENY rules during a transitional period. |
1360b4f4d6e948023daeda8787f575e7f8117444 |
|
08-Jul-2011 |
Stephen Gallagher <sgallagh@redhat.com> |
Add ipa_hbac_refresh option
This option describes the time between refreshes of the HBAC rules
on the IPA server. |
32a5516cc2822cf6ad9950278e3c9701a9389bb4 |
|
08-Jul-2011 |
Stephen Gallagher <sgallagh@redhat.com> |
Add new HBAC lookup and evaluation routines |
90890b6f4ee75194db0e6dc9c99a8d21f34dd8be |
|
08-Jul-2011 |
Stephen Gallagher <sgallagh@redhat.com> |
Remove old HBAC implementation |
073e71701dc28e21aaa1750d8b456ac699b8dda8 |
|
28-Feb-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Use realm for basedn instead of IPA domain
https://fedorahosted.org/sssd/ticket/807 |
56789cfa13f85071f5fb37575fa1f1071f587efc |
|
19-Jan-2011 |
Sumit Bose <sbose@redhat.com> |
Add ipa_hbac_search_base config option |
29993ce4fbdf08f28077f4b6824c8b6b8d616cb8 |
|
17-Jan-2011 |
Sumit Bose <sbose@redhat.com> |
Add ldap_search_enumeration_timeout config option |
a530a96721d8106a6839b6b643b0abc5d7a7b9e0 |
|
17-Jan-2011 |
Sumit Bose <sbose@redhat.com> |
Add timeout parameter to sdap_get_generic_send() |
f88099bfd7acb3d17c4af8744e1dd9eb63eddf65 |
|
17-Dec-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Fix uninitialized value error in set_local_and_remote_host_info
https://fedorahosted.org/sssd/ticket/725 |
c0d9451e86d246496e456a0925730c60c946e1d9 |
|
17-Dec-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Fix unsafe return condition in ipa_access_handler
https://fedorahosted.org/sssd/ticket/718 |
583a018d792c7a28762ecfba74ef1adc48724f22 |
|
08-Dec-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Remove IPA_ACCESS_TIME define |
890db77ce114fa416838f363fe2b8627ff9087e0 |
|
08-Dec-2010 |
Sumit Bose <sbose@redhat.com> |
Remove check_access_time() from IPA access provider
It is planned to release IPA 2.0 without time range specifications in
the access control rules. To avoid confusion the evaluation is removed
from sssd, too. |
f778b38f8d8a04e0afcb8b704dc864bfe0ac2f3a |
|
19-Nov-2010 |
Sumit Bose <sbose@redhat.com> |
Use a more efficient host search filter |
0940074366b91dc4005a2b531a99231d1efdeadf |
|
15-Nov-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Sanitize sysdb search filters in the IPA provider |
18a45c63a7902251a0d0b92f78f78eb7d26a0046 |
|
22-Oct-2010 |
Sumit Bose <sbose@redhat.com> |
Download only enabled IPA HBAC rules |
a685a84bfd4071ccdcc99dd7393d97a7a8d30a1d |
|
23-Sep-2010 |
Sumit Bose <sbose@redhat.com> |
Save all data to sysdb in one transaction |
ff76f3e78451b78d8acad95121273ae385726393 |
|
23-Sep-2010 |
Sumit Bose <sbose@redhat.com> |
Handle host objects like other objects |
91e8aec6b798a86e84d882cf2f55e1d76b5dbb27 |
|
07-Sep-2010 |
Jan Zeleny <jzeleny@redhat.com> |
Cleaned some dead assignments
Two needless assignments were deleted, two were complemented
with code checking function results.
Ticket: #582 |
3e4a95a5aa1bed0a31f55232a1bcc179f2801f4a |
|
23-Jul-2010 |
eindenbom <eindenbom@gmail.com> |
Fix IPA access backend handling of obsolete and missing HBAC entries:
- Ticket #567: Fix removal of obsolete HBAC host, rules and service records from sysdb.
- Ticket #565: When no HBAC host record is found return PAM_PERM_DENIED instead of PAM_SYSTEM_ERROR. |
1598d6523bbb05028f3c8ab14f6a4e68ce698901 |
|
23-Jul-2010 |
Sumit Bose <sbose@redhat.com> |
Do not treat missing HBAC rules as an error |
056901f031d8df43ec4fc7e67bc43dd5d967de71 |
|
09-Jul-2010 |
eindenbom <eindenbom@gmail.com> |
Use new LDAP connection framework in IPA access backend. |
a904f31f3560d80513809cb1f7c9affdd9cf5412 |
|
02-Jun-2010 |
Sumit Bose <sbose@redhat.com> |
Unify sdap and sysdb data handling |
4c51ec32c11aadd6a3c7a43c2d12a612301aaea8 |
|
02-Jun-2010 |
Sumit Bose <sbose@redhat.com> |
Compare full service name |
07a093af8274f7b051184ec7be8f0807e05eb68e |
|
02-Jun-2010 |
Sumit Bose <sbose@redhat.com> |
Remove service groups
Because the memberOf attribute is now set for the service objects we do
not need to fetch the service groups separately anymore. |
c5b4479301dbf1ac9dd82b6b41e436ec28d08c82 |
|
02-Jun-2010 |
Sumit Bose <sbose@redhat.com> |
Use new schema for HBAC service checks |
1f77bdebb06d9d1e2d3ca5479904afa292f09658 |
|
02-Jun-2010 |
Sumit Bose <sbose@redhat.com> |
Use sysdb_attrs_get_string_array() instead of sysdb_attrs_get_el()
sysdb_attrs_get_el() creates an empty element in the sysdb_attrs
structure if the requested element does not exist. Recent versions of
libldb do not accept empty elements when writing new objects to disk.
sysdb_attrs_get_string_array() does not create an empty element but
returns ENOENT. |
a790a52db5bfe24679873d0083eb35236e616b83 |
|
27-May-2010 |
Sumit Bose <sbose@redhat.com> |
Check ipaEnabledFlag |
227dcb12f8cb8bc5f6968bc87d44e1a0bdb08c69 |
|
16-May-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Don't report a fatal error for an HBAC denial |
f40f1592cf53f37430cc50f4c1d696fd46c2f073 |
|
07-May-2010 |
Sumit Bose <sbose@redhat.com> |
Compare the full service name |
d293186e98a9bd68c8961980978485adae082788 |
|
03-May-2010 |
Sumit Bose <sbose@redhat.com> |
Fix a wrong return value in IPA HBAC |
270a0a1b6182ef1fbff2a93af6731788cf954874 |
|
03-May-2010 |
Simo Sorce <ssorce@redhat.com> |
Better handle sdap_handle memory from callers.
Always just mark the sdap_handle as not connected and let later _send()
functions to take care of freeing the handle before reconnecting.
Introduce restart functions to avoid calling _send() functions in _done()
functions error paths as this would have the same effect as directly freeing
the sdap_handle and cause access to freed memory in sdap_handle_release()
By freeing sdap_handle only in the connection _recv() function we
guarantee it can never be done within sdap_handle_release() but only
in a following event. |
e5e32021c23f3726d68ee756e8e3de48b3214063 |
|
12-Apr-2010 |
Simo Sorce <ssorce@redhat.com> |
sysdb: remove remaining traces of sysdb_handle |
d8d877a5fcde1defdd1a438df020e087339873a0 |
|
12-Apr-2010 |
Simo Sorce <ssorce@redhat.com> |
Remove remaining use of sysdb_transaction_send |
4c898e1bb31ccf2af4039a7c3c5fcd82fb5667ed |
|
12-Apr-2010 |
Simo Sorce <ssorce@redhat.com> |
sysdb: convert sysdb_asq_search |
a137f77b4ddff7f0651ffda710cec1f01618d7a9 |
|
12-Apr-2010 |
Simo Sorce <ssorce@redhat.com> |
sysdb: convert sysdb_store_custom |
9def019030f844e429c067c7cca27ff99c921527 |
|
12-Apr-2010 |
Simo Sorce <ssorce@redhat.com> |
sysdb: convert sysdb_search_custom |
1c733ece101ca43b84c59a8dc7953346312dbf64 |
|
12-Apr-2010 |
Simo Sorce <ssorce@redhat.com> |
sysdb: convert sysdb_search_user_by_name/uid |
0995e4cc173577122bea5a1d4698262fd0e9c200 |
|
12-Apr-2010 |
Simo Sorce <ssorce@redhat.com> |
sysdb: convert sysdb_search_entry and sysdb_delete_recursive |
beaaf02fe968b216d0633c92592a1fd9daad30ec |
|
25-Mar-2010 |
Sumit Bose <sbose@redhat.com> |
Fix LDAP search paths for IPA HBAC
- use domain_to_basedn() to construct LDAP search paths for IPA HBAC
- move domain_to_basedn() to a separate file to simplify the build of
a test |
1c48b5a62f73234ed26bb20f0ab345ab61cda0ab |
|
18-Feb-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Rename server/ directory to src/
Also update BUILD.txt |