src/db/sysdb_sudo.c

	sysdb_sudo.c revision 770896b194b7b66b09c2a30545b4d091fd86b1f4
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek/*
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek    Authors:
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek        Jakub Hrozek <jhrozek@redhat.com>
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek    Copyright (C) 2011 Red Hat
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek    This program is free software; you can redistribute it and/or modify
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek    it under the terms of the GNU General Public License as published by
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek    the Free Software Foundation; either version 3 of the License, or
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek    (at your option) any later version.
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek    This program is distributed in the hope that it will be useful,
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek    but WITHOUT ANY WARRANTY; without even the implied warranty of
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek    GNU General Public License for more details.
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek    You should have received a copy of the GNU General Public License
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek    along with this program.  If not, see <http://www.gnu.org/licenses/>.
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek*/
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina#define _XOPEN_SOURCE
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek#include <talloc.h>
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina#include <time.h>
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek#include "db/sysdb.h"
1a542b3698d8c42cf075b722f8838f106eb09fccPavel Březina#include "db/sysdb_private.h"
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek#include "db/sysdb_sudo.h"
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek#define NULL_CHECK(val, rval, label) do { \
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek    if (!val) {                           \
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek        rval = ENOMEM;                    \
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek        goto label;                       \
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek    }                                     \
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek} while(0)
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek/* ====================  Utility functions ==================== */
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina
80941dd89fd8bc7c4a1272c304f737ce0fd5fc54Sumit Bosestatic errno_t sysdb_sudo_convert_time(const char *str, time_t *unix_time)
5a2cce34cf8843613b0b9dfde054b3d471dd5f3aPavel Březina{
5a2cce34cf8843613b0b9dfde054b3d471dd5f3aPavel Březina    struct tm tm;
5a2cce34cf8843613b0b9dfde054b3d471dd5f3aPavel Březina    char *tret = NULL;
5a2cce34cf8843613b0b9dfde054b3d471dd5f3aPavel Březina
5a2cce34cf8843613b0b9dfde054b3d471dd5f3aPavel Březina    /* SUDO requires times to be in generalized time format:
5a2cce34cf8843613b0b9dfde054b3d471dd5f3aPavel Březina     * YYYYMMDDHHMMSS[.|,fraction][(+|-HHMM)|Z]
5a2cce34cf8843613b0b9dfde054b3d471dd5f3aPavel Březina     *
5a2cce34cf8843613b0b9dfde054b3d471dd5f3aPavel Březina     * We need to use more format strings to parse this with strptime().
5a2cce34cf8843613b0b9dfde054b3d471dd5f3aPavel Březina     */
5a2cce34cf8843613b0b9dfde054b3d471dd5f3aPavel Březina    const char **format = NULL;
5a2cce34cf8843613b0b9dfde054b3d471dd5f3aPavel Březina    const char *formats[] = {"%Y%m%d%H%M%SZ",    /* 201212121300Z */
5a2cce34cf8843613b0b9dfde054b3d471dd5f3aPavel Březina                             "%Y%m%d%H%M%S%z",   /* 201212121300+-0200 */
5a2cce34cf8843613b0b9dfde054b3d471dd5f3aPavel Březina                             "%Y%m%d%H%M%S.0Z",
5a2cce34cf8843613b0b9dfde054b3d471dd5f3aPavel Březina                             "%Y%m%d%H%M%S.0%z",
5a2cce34cf8843613b0b9dfde054b3d471dd5f3aPavel Březina                             "%Y%m%d%H%M%S,0Z",
5a2cce34cf8843613b0b9dfde054b3d471dd5f3aPavel Březina                             "%Y%m%d%H%M%S,0%z",
5a2cce34cf8843613b0b9dfde054b3d471dd5f3aPavel Březina                             NULL};
5a2cce34cf8843613b0b9dfde054b3d471dd5f3aPavel Březina
5a2cce34cf8843613b0b9dfde054b3d471dd5f3aPavel Březina    for (format = formats; *format != NULL; format++) {
5a2cce34cf8843613b0b9dfde054b3d471dd5f3aPavel Březina        tret = strptime(str, *format, &tm);
5a2cce34cf8843613b0b9dfde054b3d471dd5f3aPavel Březina        if (tret != NULL && *tret == '\0') {
80941dd89fd8bc7c4a1272c304f737ce0fd5fc54Sumit Bose            *unix_time = mktime(&tm);
5a2cce34cf8843613b0b9dfde054b3d471dd5f3aPavel Březina            return EOK;
5a2cce34cf8843613b0b9dfde054b3d471dd5f3aPavel Březina        }
5a2cce34cf8843613b0b9dfde054b3d471dd5f3aPavel Březina    }
5a2cce34cf8843613b0b9dfde054b3d471dd5f3aPavel Březina
5a2cce34cf8843613b0b9dfde054b3d471dd5f3aPavel Březina    return EINVAL;
5a2cce34cf8843613b0b9dfde054b3d471dd5f3aPavel Březina}
5a2cce34cf8843613b0b9dfde054b3d471dd5f3aPavel Březina
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březinastatic errno_t sysdb_sudo_check_time(struct sysdb_attrs *rule,
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina                                     time_t now,
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina                                     bool *result)
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina{
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina    TALLOC_CTX *tmp_ctx = NULL;
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina    const char **values = NULL;
db419c61035cb262010cc8d5a4047191c2b60f05Pavel Březina    const char *name = NULL;
4be402505ba20b43361753f0e6e1589c9b029e81Jakub Hrozek    time_t notBefore = 0;
4be402505ba20b43361753f0e6e1589c9b029e81Jakub Hrozek    time_t notAfter = 0;
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina    time_t converted;
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina    errno_t ret;
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina    int i;
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina
4be402505ba20b43361753f0e6e1589c9b029e81Jakub Hrozek    if (!result) return EINVAL;
4be402505ba20b43361753f0e6e1589c9b029e81Jakub Hrozek    *result = false;
4be402505ba20b43361753f0e6e1589c9b029e81Jakub Hrozek
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina    tmp_ctx = talloc_new(NULL);
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina    NULL_CHECK(tmp_ctx, ret, done);
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina
db419c61035cb262010cc8d5a4047191c2b60f05Pavel Březina    ret = sysdb_attrs_get_string(rule, SYSDB_SUDO_CACHE_AT_CN, &name);
db419c61035cb262010cc8d5a4047191c2b60f05Pavel Březina    if (ret == ENOENT) {
db419c61035cb262010cc8d5a4047191c2b60f05Pavel Březina        name = "<missing>";
db419c61035cb262010cc8d5a4047191c2b60f05Pavel Březina    } else if(ret != EOK) {
db419c61035cb262010cc8d5a4047191c2b60f05Pavel Březina        goto done;
db419c61035cb262010cc8d5a4047191c2b60f05Pavel Březina    }
db419c61035cb262010cc8d5a4047191c2b60f05Pavel Březina
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina    /*
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina     * From man sudoers.ldap:
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina     *
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina     * If multiple sudoNotBefore entries are present, the *earliest* is used.
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina     * If multiple sudoNotAfter entries are present, the *last one* is used.
4be402505ba20b43361753f0e6e1589c9b029e81Jakub Hrozek     *
4be402505ba20b43361753f0e6e1589c9b029e81Jakub Hrozek     * From sudo sources, ldap.c:
4be402505ba20b43361753f0e6e1589c9b029e81Jakub Hrozek     * If either the sudoNotAfter or sudoNotBefore attributes are missing,
4be402505ba20b43361753f0e6e1589c9b029e81Jakub Hrozek     * no time restriction shall be imposed.
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina     */
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina    /* check for sudoNotBefore */
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina    ret = sysdb_attrs_get_string_array(rule, SYSDB_SUDO_CACHE_AT_NOTBEFORE,
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina                                       tmp_ctx, &values);
ed44814e0e7ff9f0ef7ffc98fab7d9542a7822dfPavel Březina    if (ret == ENOENT) {
4be402505ba20b43361753f0e6e1589c9b029e81Jakub Hrozek        DEBUG(SSSDBG_TRACE_LIBS,
db419c61035cb262010cc8d5a4047191c2b60f05Pavel Březina              ("notBefore attribute is missing, the rule [%s] is valid\n",
db419c61035cb262010cc8d5a4047191c2b60f05Pavel Březina               name));
4be402505ba20b43361753f0e6e1589c9b029e81Jakub Hrozek        *result = true;
4be402505ba20b43361753f0e6e1589c9b029e81Jakub Hrozek        ret = EOK;
ed44814e0e7ff9f0ef7ffc98fab7d9542a7822dfPavel Březina        goto done;
ed44814e0e7ff9f0ef7ffc98fab7d9542a7822dfPavel Březina    } else if (ret != EOK) {
ed44814e0e7ff9f0ef7ffc98fab7d9542a7822dfPavel Březina        goto done;
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina    }
4be402505ba20b43361753f0e6e1589c9b029e81Jakub Hrozek
4be402505ba20b43361753f0e6e1589c9b029e81Jakub Hrozek    for (i=0; values[i] ; i++) {
5a2cce34cf8843613b0b9dfde054b3d471dd5f3aPavel Březina        ret = sysdb_sudo_convert_time(values[i], &converted);
5a2cce34cf8843613b0b9dfde054b3d471dd5f3aPavel Březina        if (ret != EOK) {
db419c61035cb262010cc8d5a4047191c2b60f05Pavel Březina            DEBUG(SSSDBG_MINOR_FAILURE, ("Invalid time format in rule [%s]!\n",
db419c61035cb262010cc8d5a4047191c2b60f05Pavel Březina                  name));
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina            goto done;
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina        }
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina
4be402505ba20b43361753f0e6e1589c9b029e81Jakub Hrozek        /* Grab the earliest */
4be402505ba20b43361753f0e6e1589c9b029e81Jakub Hrozek        if (!notBefore) {
4be402505ba20b43361753f0e6e1589c9b029e81Jakub Hrozek            notBefore = converted;
4be402505ba20b43361753f0e6e1589c9b029e81Jakub Hrozek        } else if (notBefore > converted) {
4be402505ba20b43361753f0e6e1589c9b029e81Jakub Hrozek            notBefore = converted;
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina        }
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina    }
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina    /* check for sudoNotAfter */
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina    ret = sysdb_attrs_get_string_array(rule, SYSDB_SUDO_CACHE_AT_NOTAFTER,
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina                                       tmp_ctx, &values);
ed44814e0e7ff9f0ef7ffc98fab7d9542a7822dfPavel Březina    if (ret == ENOENT) {
4be402505ba20b43361753f0e6e1589c9b029e81Jakub Hrozek        DEBUG(SSSDBG_TRACE_LIBS,
db419c61035cb262010cc8d5a4047191c2b60f05Pavel Březina              ("notAfter attribute is missing, the rule [%s] is valid\n",
db419c61035cb262010cc8d5a4047191c2b60f05Pavel Březina               name));
4be402505ba20b43361753f0e6e1589c9b029e81Jakub Hrozek        *result = true;
4be402505ba20b43361753f0e6e1589c9b029e81Jakub Hrozek        ret = EOK;
ed44814e0e7ff9f0ef7ffc98fab7d9542a7822dfPavel Březina        goto done;
ed44814e0e7ff9f0ef7ffc98fab7d9542a7822dfPavel Březina    } else if (ret != EOK) {
ed44814e0e7ff9f0ef7ffc98fab7d9542a7822dfPavel Březina        goto done;
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina    }
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina
4be402505ba20b43361753f0e6e1589c9b029e81Jakub Hrozek    for (i=0; values[i] ; i++) {
5a2cce34cf8843613b0b9dfde054b3d471dd5f3aPavel Březina        ret = sysdb_sudo_convert_time(values[i], &converted);
5a2cce34cf8843613b0b9dfde054b3d471dd5f3aPavel Březina        if (ret != EOK) {
db419c61035cb262010cc8d5a4047191c2b60f05Pavel Březina            DEBUG(SSSDBG_MINOR_FAILURE, ("Invalid time format in rule [%s]!\n",
db419c61035cb262010cc8d5a4047191c2b60f05Pavel Březina                  name));
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina            goto done;
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina        }
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina
4be402505ba20b43361753f0e6e1589c9b029e81Jakub Hrozek        /* Grab the latest */
4be402505ba20b43361753f0e6e1589c9b029e81Jakub Hrozek        if (!notAfter) {
4be402505ba20b43361753f0e6e1589c9b029e81Jakub Hrozek            notAfter = converted;
4be402505ba20b43361753f0e6e1589c9b029e81Jakub Hrozek        } else if (notAfter < converted) {
4be402505ba20b43361753f0e6e1589c9b029e81Jakub Hrozek            notAfter = converted;
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina        }
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina    }
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina
4be402505ba20b43361753f0e6e1589c9b029e81Jakub Hrozek    if (now >= notBefore && now <= notAfter) {
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina        *result = true;
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina    }
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina
4be402505ba20b43361753f0e6e1589c9b029e81Jakub Hrozek    ret = EOK;
4be402505ba20b43361753f0e6e1589c9b029e81Jakub Hrozekdone:
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina    talloc_free(tmp_ctx);
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina    return ret;
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina}
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březinaerrno_t sysdb_sudo_filter_rules_by_time(TALLOC_CTX *mem_ctx,
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina                                        size_t in_num_rules,
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina                                        struct sysdb_attrs **in_rules,
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina                                        time_t now,
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina                                        size_t *_num_rules,
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina                                        struct sysdb_attrs ***_rules)
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek{
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina    size_t num_rules = 0;
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina    struct sysdb_attrs **rules = NULL;
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina    TALLOC_CTX *tmp_ctx = NULL;
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina    bool allowed = false;
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina    errno_t ret;
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina    int i;
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina    tmp_ctx = talloc_new(NULL);
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina    NULL_CHECK(tmp_ctx, ret, done);
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina    if (now == 0) {
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina        now = time(NULL);
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek    }
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina    for (i = 0; i < in_num_rules; i++) {
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina        ret = sysdb_sudo_check_time(in_rules[i], now, &allowed);
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina        if (ret == EOK && allowed) {
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina            num_rules++;
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina            rules = talloc_realloc(tmp_ctx, rules, struct sysdb_attrs *,
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina                                   num_rules);
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina            NULL_CHECK(rules, ret, done);
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina            rules[num_rules - 1] = in_rules[i];
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina        }
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek    }
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina    *_num_rules = num_rules;
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina    *_rules = talloc_steal(mem_ctx, rules);
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina    ret = EOK;
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březinadone:
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina    talloc_free(tmp_ctx);
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina    return ret;
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek}
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozekerrno_t
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozeksysdb_get_sudo_filter(TALLOC_CTX *mem_ctx, const char *username,
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek                      uid_t uid, char **groupnames, unsigned int flags,
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek                      char **_filter)
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek{
f6171b2bc954a367f316853ab71090eb213bdee3Pavel Březina    TALLOC_CTX *tmp_ctx = NULL;
f6171b2bc954a367f316853ab71090eb213bdee3Pavel Březina    char *filter = NULL;
f6171b2bc954a367f316853ab71090eb213bdee3Pavel Březina    char *specific_filter = NULL;
f7af8c5b369938725e47585c641ae5b017d442a1Pavel Březina    time_t now;
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek    errno_t ret;
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek    int i;
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek    tmp_ctx = talloc_new(NULL);
f643754db81eeade60485bbe3d80324d889cc4f3Pavel Březina    NULL_CHECK(tmp_ctx, ret, done);
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek
f6171b2bc954a367f316853ab71090eb213bdee3Pavel Březina    /* build specific filter */
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek
f6171b2bc954a367f316853ab71090eb213bdee3Pavel Březina    specific_filter = talloc_zero(tmp_ctx, char); /* assign to tmp_ctx */
f6171b2bc954a367f316853ab71090eb213bdee3Pavel Březina    NULL_CHECK(specific_filter, ret, done);
f6171b2bc954a367f316853ab71090eb213bdee3Pavel Březina
f6171b2bc954a367f316853ab71090eb213bdee3Pavel Březina    if (flags & SYSDB_SUDO_FILTER_INCLUDE_ALL) {
f6171b2bc954a367f316853ab71090eb213bdee3Pavel Březina        specific_filter = talloc_asprintf_append(specific_filter, "(%s=ALL)",
f6171b2bc954a367f316853ab71090eb213bdee3Pavel Březina                                                 SYSDB_SUDO_CACHE_AT_USER);
f6171b2bc954a367f316853ab71090eb213bdee3Pavel Březina        NULL_CHECK(specific_filter, ret, done);
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek    }
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek
f6171b2bc954a367f316853ab71090eb213bdee3Pavel Březina    if (flags & SYSDB_SUDO_FILTER_INCLUDE_DFL) {
f6171b2bc954a367f316853ab71090eb213bdee3Pavel Březina        specific_filter = talloc_asprintf_append(specific_filter, "(%s=defaults)",
f6171b2bc954a367f316853ab71090eb213bdee3Pavel Březina                                                 SYSDB_NAME);
f6171b2bc954a367f316853ab71090eb213bdee3Pavel Březina        NULL_CHECK(specific_filter, ret, done);
f6171b2bc954a367f316853ab71090eb213bdee3Pavel Březina    }
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek
f6171b2bc954a367f316853ab71090eb213bdee3Pavel Březina    if ((flags & SYSDB_SUDO_FILTER_USERNAME) && (username != NULL)) {
f6171b2bc954a367f316853ab71090eb213bdee3Pavel Březina        specific_filter = talloc_asprintf_append(specific_filter, "(%s=%s)",
f6171b2bc954a367f316853ab71090eb213bdee3Pavel Březina                                                 SYSDB_SUDO_CACHE_AT_USER,
f6171b2bc954a367f316853ab71090eb213bdee3Pavel Březina                                                 username);
f6171b2bc954a367f316853ab71090eb213bdee3Pavel Březina        NULL_CHECK(specific_filter, ret, done);
f6171b2bc954a367f316853ab71090eb213bdee3Pavel Březina    }
f6171b2bc954a367f316853ab71090eb213bdee3Pavel Březina
f6171b2bc954a367f316853ab71090eb213bdee3Pavel Březina    if ((flags & SYSDB_SUDO_FILTER_UID) && (uid != 0)) {
f6171b2bc954a367f316853ab71090eb213bdee3Pavel Březina        specific_filter = talloc_asprintf_append(specific_filter, "(%s=#%llu)",
f6171b2bc954a367f316853ab71090eb213bdee3Pavel Březina                                                 SYSDB_SUDO_CACHE_AT_USER,
f6171b2bc954a367f316853ab71090eb213bdee3Pavel Březina                                                 (unsigned long long) uid);
f6171b2bc954a367f316853ab71090eb213bdee3Pavel Březina        NULL_CHECK(specific_filter, ret, done);
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek    }
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek
f6171b2bc954a367f316853ab71090eb213bdee3Pavel Březina    if ((flags & SYSDB_SUDO_FILTER_GROUPS) && (groupnames != NULL)) {
f6171b2bc954a367f316853ab71090eb213bdee3Pavel Březina        for (i=0; groupnames[i] != NULL; i++) {
f6171b2bc954a367f316853ab71090eb213bdee3Pavel Březina            specific_filter = talloc_asprintf_append(specific_filter, "(%s=%%%s)",
f6171b2bc954a367f316853ab71090eb213bdee3Pavel Březina                                                     SYSDB_SUDO_CACHE_AT_USER,
f6171b2bc954a367f316853ab71090eb213bdee3Pavel Březina                                                     groupnames[i]);
f6171b2bc954a367f316853ab71090eb213bdee3Pavel Březina            NULL_CHECK(specific_filter, ret, done);
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek        }
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek    }
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek    if (flags & SYSDB_SUDO_FILTER_NGRS) {
f6171b2bc954a367f316853ab71090eb213bdee3Pavel Březina        specific_filter = talloc_asprintf_append(specific_filter, "(%s=+*)",
f6171b2bc954a367f316853ab71090eb213bdee3Pavel Březina                                                 SYSDB_SUDO_CACHE_AT_USER);
f6171b2bc954a367f316853ab71090eb213bdee3Pavel Březina        NULL_CHECK(specific_filter, ret, done);
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek    }
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek
f6171b2bc954a367f316853ab71090eb213bdee3Pavel Březina    /* build global filter */
f6171b2bc954a367f316853ab71090eb213bdee3Pavel Březina
f6171b2bc954a367f316853ab71090eb213bdee3Pavel Březina    filter = talloc_asprintf(tmp_ctx, "(&(%s=%s)",
fb4e4c4eb6a6dc732370584f70d23dd4a2c5c7b6Pavel Březina                             SYSDB_OBJECTCLASS, SYSDB_SUDO_CACHE_OC);
f6171b2bc954a367f316853ab71090eb213bdee3Pavel Březina    NULL_CHECK(filter, ret, done);
f6171b2bc954a367f316853ab71090eb213bdee3Pavel Březina
f6171b2bc954a367f316853ab71090eb213bdee3Pavel Březina    if (specific_filter[0] != '\0') {
f6171b2bc954a367f316853ab71090eb213bdee3Pavel Březina        filter = talloc_asprintf_append(filter, "(|%s)", specific_filter);
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek        NULL_CHECK(filter, ret, done);
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek    }
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek
f7af8c5b369938725e47585c641ae5b017d442a1Pavel Březina    if (flags & SYSDB_SUDO_FILTER_ONLY_EXPIRED) {
f7af8c5b369938725e47585c641ae5b017d442a1Pavel Březina        now = time(NULL);
f7af8c5b369938725e47585c641ae5b017d442a1Pavel Březina        filter = talloc_asprintf_append(filter, "(&(%s<=%lld))",
f7af8c5b369938725e47585c641ae5b017d442a1Pavel Březina                                        SYSDB_CACHE_EXPIRE, (long long)now);
f7af8c5b369938725e47585c641ae5b017d442a1Pavel Březina        NULL_CHECK(filter, ret, done);
f7af8c5b369938725e47585c641ae5b017d442a1Pavel Březina    }
f7af8c5b369938725e47585c641ae5b017d442a1Pavel Březina
f6171b2bc954a367f316853ab71090eb213bdee3Pavel Březina    filter = talloc_strdup_append(filter, ")");
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek    NULL_CHECK(filter, ret, done);
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek    ret = EOK;
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek    *_filter = talloc_steal(mem_ctx, filter);
f6171b2bc954a367f316853ab71090eb213bdee3Pavel Březina
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozekdone:
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek    talloc_free(tmp_ctx);
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek    return ret;
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek}
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozekerrno_t
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozeksysdb_get_sudo_user_info(TALLOC_CTX *mem_ctx, const char *username,
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek                         struct sysdb_ctx *sysdb, uid_t *_uid,
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek                         char ***groupnames)
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek{
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek    TALLOC_CTX *tmp_ctx;
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek    errno_t ret;
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek    struct ldb_message *msg;
e7b5b99e5a5d276f32039c4fb8b21ba51bdb1537Pavel Březina    struct ldb_message *group_msg = NULL;
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek    char **sysdb_groupnames = NULL;
e7b5b99e5a5d276f32039c4fb8b21ba51bdb1537Pavel Březina    const char *primary_group = NULL;
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek    struct ldb_message_element *groups;
8bbf89c5ab798c112773fe23515c3a9df56dde71Nick Guay    uid_t uid = 0;
e7b5b99e5a5d276f32039c4fb8b21ba51bdb1537Pavel Březina    gid_t gid = 0;
e7b5b99e5a5d276f32039c4fb8b21ba51bdb1537Pavel Březina    size_t num_groups = 0;
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek    int i;
9bdb93119ceaf9e2bbcec0c0a4747f1a04b48a12Pavel Březina    const char *attrs[] = { SYSDB_MEMBEROF,
e7b5b99e5a5d276f32039c4fb8b21ba51bdb1537Pavel Březina                            SYSDB_GIDNUM,
9bdb93119ceaf9e2bbcec0c0a4747f1a04b48a12Pavel Březina                            SYSDB_UIDNUM,
9bdb93119ceaf9e2bbcec0c0a4747f1a04b48a12Pavel Březina                            NULL };
e7b5b99e5a5d276f32039c4fb8b21ba51bdb1537Pavel Březina    const char *group_attrs[] = { SYSDB_NAME,
e7b5b99e5a5d276f32039c4fb8b21ba51bdb1537Pavel Březina                                  NULL };
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek    tmp_ctx = talloc_new(NULL);
f643754db81eeade60485bbe3d80324d889cc4f3Pavel Březina    NULL_CHECK(tmp_ctx, ret, done);
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek
2ce00e0d3896bb42db169d1e79553a81ca837a22Simo Sorce    ret = sysdb_search_user_by_name(tmp_ctx, sysdb, sysdb->domain,
2ce00e0d3896bb42db169d1e79553a81ca837a22Simo Sorce                                    username, attrs, &msg);
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek    if (ret != EOK) {
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek        DEBUG(SSSDBG_CRIT_FAILURE, ("Error looking up user %s\n", username));
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek        goto done;
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek    }
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek
cda8ff6cfdef22356dc3c06ec5204344912f0f0bPavel Březina    if (_uid != NULL) {
cda8ff6cfdef22356dc3c06ec5204344912f0f0bPavel Březina        uid = ldb_msg_find_attr_as_uint64(msg, SYSDB_UIDNUM, 0);
cda8ff6cfdef22356dc3c06ec5204344912f0f0bPavel Březina        if (!uid) {
cda8ff6cfdef22356dc3c06ec5204344912f0f0bPavel Březina            DEBUG(SSSDBG_CRIT_FAILURE, ("A user with no UID?\n"));
cda8ff6cfdef22356dc3c06ec5204344912f0f0bPavel Březina            ret = EIO;
cda8ff6cfdef22356dc3c06ec5204344912f0f0bPavel Březina            goto done;
cda8ff6cfdef22356dc3c06ec5204344912f0f0bPavel Březina        }
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek    }
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek
e7b5b99e5a5d276f32039c4fb8b21ba51bdb1537Pavel Březina    /* resolve secondary groups */
cda8ff6cfdef22356dc3c06ec5204344912f0f0bPavel Březina    if (groupnames != NULL) {
cda8ff6cfdef22356dc3c06ec5204344912f0f0bPavel Březina        groups = ldb_msg_find_element(msg, SYSDB_MEMBEROF);
cda8ff6cfdef22356dc3c06ec5204344912f0f0bPavel Březina        if (!groups || groups->num_values == 0) {
cda8ff6cfdef22356dc3c06ec5204344912f0f0bPavel Březina            /* No groups for this user in sysdb currently */
cda8ff6cfdef22356dc3c06ec5204344912f0f0bPavel Březina            sysdb_groupnames = NULL;
e7b5b99e5a5d276f32039c4fb8b21ba51bdb1537Pavel Březina            num_groups = 0;
cda8ff6cfdef22356dc3c06ec5204344912f0f0bPavel Březina        } else {
e7b5b99e5a5d276f32039c4fb8b21ba51bdb1537Pavel Březina            num_groups = groups->num_values;
e7b5b99e5a5d276f32039c4fb8b21ba51bdb1537Pavel Březina            sysdb_groupnames = talloc_array(tmp_ctx, char *, num_groups + 1);
cda8ff6cfdef22356dc3c06ec5204344912f0f0bPavel Březina            NULL_CHECK(sysdb_groupnames, ret, done);
cda8ff6cfdef22356dc3c06ec5204344912f0f0bPavel Březina
cda8ff6cfdef22356dc3c06ec5204344912f0f0bPavel Březina            /* Get a list of the groups by groupname only */
cda8ff6cfdef22356dc3c06ec5204344912f0f0bPavel Březina            for (i = 0; i < groups->num_values; i++) {
cda8ff6cfdef22356dc3c06ec5204344912f0f0bPavel Březina                ret = sysdb_group_dn_name(sysdb,
cda8ff6cfdef22356dc3c06ec5204344912f0f0bPavel Březina                                          sysdb_groupnames,
cda8ff6cfdef22356dc3c06ec5204344912f0f0bPavel Březina                                          (const char *)groups->values[i].data,
cda8ff6cfdef22356dc3c06ec5204344912f0f0bPavel Březina                                          &sysdb_groupnames[i]);
cda8ff6cfdef22356dc3c06ec5204344912f0f0bPavel Březina                if (ret != EOK) {
cda8ff6cfdef22356dc3c06ec5204344912f0f0bPavel Březina                    ret = ENOMEM;
cda8ff6cfdef22356dc3c06ec5204344912f0f0bPavel Březina                    goto done;
cda8ff6cfdef22356dc3c06ec5204344912f0f0bPavel Březina                }
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek            }
cda8ff6cfdef22356dc3c06ec5204344912f0f0bPavel Březina            sysdb_groupnames[groups->num_values] = NULL;
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek        }
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek    }
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek
e7b5b99e5a5d276f32039c4fb8b21ba51bdb1537Pavel Březina    /* resolve primary group */
e7b5b99e5a5d276f32039c4fb8b21ba51bdb1537Pavel Březina    gid = ldb_msg_find_attr_as_uint64(msg, SYSDB_GIDNUM, 0);
e7b5b99e5a5d276f32039c4fb8b21ba51bdb1537Pavel Březina    if (gid != 0) {
5d72a91a37273c8c874640906fd2f7a70e606812Simo Sorce        ret = sysdb_search_group_by_gid(tmp_ctx, sysdb, sysdb->domain, gid,
e7b5b99e5a5d276f32039c4fb8b21ba51bdb1537Pavel Březina                                        group_attrs, &group_msg);
e7b5b99e5a5d276f32039c4fb8b21ba51bdb1537Pavel Březina        if (ret == EOK) {
e7b5b99e5a5d276f32039c4fb8b21ba51bdb1537Pavel Březina            primary_group = ldb_msg_find_attr_as_string(group_msg, SYSDB_NAME,
e7b5b99e5a5d276f32039c4fb8b21ba51bdb1537Pavel Březina                                                        NULL);
e7b5b99e5a5d276f32039c4fb8b21ba51bdb1537Pavel Březina            if (primary_group == NULL) {
e7b5b99e5a5d276f32039c4fb8b21ba51bdb1537Pavel Březina                ret = ENOMEM;
e7b5b99e5a5d276f32039c4fb8b21ba51bdb1537Pavel Březina                goto done;
e7b5b99e5a5d276f32039c4fb8b21ba51bdb1537Pavel Březina            }
e7b5b99e5a5d276f32039c4fb8b21ba51bdb1537Pavel Březina
e7b5b99e5a5d276f32039c4fb8b21ba51bdb1537Pavel Březina            num_groups++;
e7b5b99e5a5d276f32039c4fb8b21ba51bdb1537Pavel Březina            sysdb_groupnames = talloc_realloc(tmp_ctx, sysdb_groupnames,
e7b5b99e5a5d276f32039c4fb8b21ba51bdb1537Pavel Březina                                              char *, num_groups + 1);
e7b5b99e5a5d276f32039c4fb8b21ba51bdb1537Pavel Březina            NULL_CHECK(sysdb_groupnames, ret, done);
e7b5b99e5a5d276f32039c4fb8b21ba51bdb1537Pavel Březina
e7b5b99e5a5d276f32039c4fb8b21ba51bdb1537Pavel Březina            sysdb_groupnames[num_groups - 1] = talloc_strdup(sysdb_groupnames,
e7b5b99e5a5d276f32039c4fb8b21ba51bdb1537Pavel Březina                                                             primary_group);
e7b5b99e5a5d276f32039c4fb8b21ba51bdb1537Pavel Březina            NULL_CHECK(sysdb_groupnames[num_groups - 1], ret, done);
e7b5b99e5a5d276f32039c4fb8b21ba51bdb1537Pavel Březina
e7b5b99e5a5d276f32039c4fb8b21ba51bdb1537Pavel Březina            sysdb_groupnames[num_groups] = NULL;
e7b5b99e5a5d276f32039c4fb8b21ba51bdb1537Pavel Březina        } else if (ret != ENOENT) {
e7b5b99e5a5d276f32039c4fb8b21ba51bdb1537Pavel Březina            DEBUG(SSSDBG_CRIT_FAILURE, ("Error looking up group [%d]: %s\n",
e7b5b99e5a5d276f32039c4fb8b21ba51bdb1537Pavel Březina                                        ret, strerror(ret)));
e7b5b99e5a5d276f32039c4fb8b21ba51bdb1537Pavel Březina            goto done;
e7b5b99e5a5d276f32039c4fb8b21ba51bdb1537Pavel Březina        }
e7b5b99e5a5d276f32039c4fb8b21ba51bdb1537Pavel Březina    }
e7b5b99e5a5d276f32039c4fb8b21ba51bdb1537Pavel Březina
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek    ret = EOK;
cda8ff6cfdef22356dc3c06ec5204344912f0f0bPavel Březina
cda8ff6cfdef22356dc3c06ec5204344912f0f0bPavel Březina    if (_uid != NULL) {
cda8ff6cfdef22356dc3c06ec5204344912f0f0bPavel Březina        *_uid = uid;
cda8ff6cfdef22356dc3c06ec5204344912f0f0bPavel Březina    }
cda8ff6cfdef22356dc3c06ec5204344912f0f0bPavel Březina
cda8ff6cfdef22356dc3c06ec5204344912f0f0bPavel Březina    if (groupnames != NULL) {
cda8ff6cfdef22356dc3c06ec5204344912f0f0bPavel Březina        *groupnames = talloc_steal(mem_ctx, sysdb_groupnames);
cda8ff6cfdef22356dc3c06ec5204344912f0f0bPavel Březina    }
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozekdone:
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek    talloc_free(tmp_ctx);
69e7d6649b58c66675ef38084868fc5356c5a240Jakub Hrozek    return ret;
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek}
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozekerrno_t
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozeksysdb_save_sudorule(struct sysdb_ctx *sysdb_ctx,
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek                   const char *rule_name,
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek                   struct sysdb_attrs *attrs)
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek{
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek    errno_t ret;
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek    DEBUG(SSSDBG_TRACE_FUNC, ("Adding sudo rule %s\n", rule_name));
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek    ret = sysdb_attrs_add_string(attrs, SYSDB_OBJECTCLASS,
fb4e4c4eb6a6dc732370584f70d23dd4a2c5c7b6Pavel Březina                                 SYSDB_SUDO_CACHE_OC);
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek    if (ret != EOK) {
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek        DEBUG(SSSDBG_OP_FAILURE, ("Could not set rule object class [%d]: %s\n",
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek              ret, strerror(ret)));
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek        return ret;
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek    }
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek    ret = sysdb_attrs_add_string(attrs, SYSDB_NAME, rule_name);
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek    if (ret != EOK) {
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek        DEBUG(SSSDBG_OP_FAILURE, ("Could not set name attribute [%d]: %s\n",
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek              ret, strerror(ret)));
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek        return ret;
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek    }
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek
dd7192379e5fc5bb852863e60ad4b6a20c5da183Simo Sorce    ret = sysdb_store_custom(sysdb_ctx, sysdb_ctx->domain, rule_name, SUDORULE_SUBDIR, attrs);
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek    if (ret != EOK) {
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek        DEBUG(SSSDBG_OP_FAILURE, ("sysdb_store_custom failed [%d]: %s\n",
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek              ret, strerror(ret)));
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek        return ret;
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek    }
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek    return EOK;
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek}
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březinastatic errno_t sysdb_sudo_set_refresh_time(struct sysdb_ctx *sysdb,
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina                                           const char *attr_name,
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina                                           time_t value)
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina{
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina    TALLOC_CTX *tmp_ctx;
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina    struct ldb_dn *dn;
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina    struct ldb_message *msg = NULL;
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina    struct ldb_result *res = NULL;
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina    errno_t ret;
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina    int lret;
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina    tmp_ctx = talloc_new(NULL);
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina    if (!tmp_ctx) {
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina        ret = ENOMEM;
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina        goto done;
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina    }
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina    dn = ldb_dn_new_fmt(tmp_ctx, sysdb->ldb, SYSDB_TMPL_CUSTOM_SUBTREE,
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina                        SUDORULE_SUBDIR, sysdb->domain->name);
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina    if (!dn) {
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina        ret = ENOMEM;
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina        goto done;
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina    }
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina    lret = ldb_search(sysdb->ldb, tmp_ctx, &res, dn, LDB_SCOPE_BASE,
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina                      NULL, NULL);
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina    if (lret != LDB_SUCCESS) {
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina        ret = sysdb_error_to_errno(lret);
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina        goto done;
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina    }
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina    msg = ldb_msg_new(tmp_ctx);
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina    if (msg == NULL) {
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina        ret = ENOMEM;
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina        goto done;
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina    }
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina    msg->dn = dn;
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina    if (res->count == 0) {
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina        lret = ldb_msg_add_string(msg, "cn", SUDORULE_SUBDIR);
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina        if (lret != LDB_SUCCESS) {
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina            ret = sysdb_error_to_errno(lret);
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina            goto done;
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina        }
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina    } else if (res->count != 1) {
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina        DEBUG(SSSDBG_CRIT_FAILURE,
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina              ("Got more than one reply for base search!\n"));
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina        ret = EIO;
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina        goto done;
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina    } else {
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina        lret = ldb_msg_add_empty(msg, attr_name, LDB_FLAG_MOD_REPLACE, NULL);
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina        if (lret != LDB_SUCCESS) {
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina            ret = sysdb_error_to_errno(lret);
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina            goto done;
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina        }
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina    }
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina    lret = ldb_msg_add_fmt(msg, attr_name, "%lld", (long long)value);
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina    if (lret != LDB_SUCCESS) {
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina        ret = sysdb_error_to_errno(lret);
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina        goto done;
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina    }
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina    if (res->count) {
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina        lret = ldb_modify(sysdb->ldb, msg);
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina    } else {
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina        lret = ldb_add(sysdb->ldb, msg);
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina    }
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina    ret = sysdb_error_to_errno(lret);
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březinadone:
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina    talloc_free(tmp_ctx);
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina    return ret;
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina}
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březinastatic errno_t sysdb_sudo_get_refresh_time(struct sysdb_ctx *sysdb,
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina                                           const char *attr_name,
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina                                           time_t *value)
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina{
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina    TALLOC_CTX *tmp_ctx;
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina    struct ldb_dn *dn;
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina    struct ldb_result *res;
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina    errno_t ret;
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina    int lret;
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina    const char *attrs[2] = {attr_name, NULL};
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina    tmp_ctx = talloc_new(NULL);
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina    if (tmp_ctx == NULL) {
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina        return ENOMEM;
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina    }
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina    dn = ldb_dn_new_fmt(tmp_ctx, sysdb->ldb, SYSDB_TMPL_CUSTOM_SUBTREE,
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina                        SUDORULE_SUBDIR, sysdb->domain->name);
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina    if (!dn) {
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina        ret = ENOMEM;
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina        goto done;
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina    }
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina    lret = ldb_search(sysdb->ldb, tmp_ctx, &res, dn, LDB_SCOPE_BASE,
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina                      attrs, NULL);
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina    if (lret != LDB_SUCCESS) {
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina        ret = sysdb_error_to_errno(lret);
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina        goto done;
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina    }
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina    if (res->count == 0) {
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina        /* This entry has not been populated in LDB
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina         * This is a common case, as unlike LDAP,
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina         * LDB does not need to have all of its parent
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina         * objects actually exist.
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina         */
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina        *value = 0;
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina        ret = EOK;
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina        goto done;
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina    } else if (res->count != 1) {
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina        DEBUG(SSSDBG_CRIT_FAILURE,
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina              ("Got more than one reply for base search!\n"));
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina        ret = EIO;
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina        goto done;
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina    }
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina    *value = ldb_msg_find_attr_as_int(res->msgs[0], attr_name, 0);
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina    ret = EOK;
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březinadone:
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina    talloc_free(tmp_ctx);
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina    return ret;
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina}
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březinaerrno_t sysdb_sudo_set_last_full_refresh(struct sysdb_ctx *sysdb, time_t value)
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina{
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina    return sysdb_sudo_set_refresh_time(sysdb, SYSDB_SUDO_AT_LAST_FULL_REFRESH,
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina                                       value);
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina}
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březinaerrno_t sysdb_sudo_get_last_full_refresh(struct sysdb_ctx *sysdb, time_t *value)
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina{
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina    return sysdb_sudo_get_refresh_time(sysdb, SYSDB_SUDO_AT_LAST_FULL_REFRESH,
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina                                       value);
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina}
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina
f5d4b05027acce06e3509ecb68869d1c7ef37180Pavel Březina/* ====================  Purge functions ==================== */
f5d4b05027acce06e3509ecb68869d1c7ef37180Pavel Březina
9675bccabff4e79d224f64611ad9ff3e073b488eSimo Sorcestatic errno_t sysdb_sudo_purge_all(struct sysdb_ctx *sysdb,
9675bccabff4e79d224f64611ad9ff3e073b488eSimo Sorce                                    struct sss_domain_info *domain)
f5d4b05027acce06e3509ecb68869d1c7ef37180Pavel Březina{
f5d4b05027acce06e3509ecb68869d1c7ef37180Pavel Březina    struct ldb_dn *base_dn = NULL;
f5d4b05027acce06e3509ecb68869d1c7ef37180Pavel Březina    TALLOC_CTX *tmp_ctx = NULL;
f5d4b05027acce06e3509ecb68869d1c7ef37180Pavel Březina    errno_t ret;
f5d4b05027acce06e3509ecb68869d1c7ef37180Pavel Březina
f5d4b05027acce06e3509ecb68869d1c7ef37180Pavel Březina    tmp_ctx = talloc_new(NULL);
f5d4b05027acce06e3509ecb68869d1c7ef37180Pavel Březina    NULL_CHECK(tmp_ctx, ret, done);
f5d4b05027acce06e3509ecb68869d1c7ef37180Pavel Březina
9675bccabff4e79d224f64611ad9ff3e073b488eSimo Sorce    base_dn = sysdb_custom_subtree_dn(sysdb, tmp_ctx, domain, SUDORULE_SUBDIR);
f5d4b05027acce06e3509ecb68869d1c7ef37180Pavel Březina    NULL_CHECK(base_dn, ret, done);
f5d4b05027acce06e3509ecb68869d1c7ef37180Pavel Březina
f5d4b05027acce06e3509ecb68869d1c7ef37180Pavel Březina    ret = sysdb_delete_recursive(sysdb, base_dn, true);
f5d4b05027acce06e3509ecb68869d1c7ef37180Pavel Březina    if (ret != EOK) {
f5d4b05027acce06e3509ecb68869d1c7ef37180Pavel Březina        DEBUG(SSSDBG_OP_FAILURE, ("sysdb_delete_recursive failed.\n"));
f5d4b05027acce06e3509ecb68869d1c7ef37180Pavel Březina        goto done;
f5d4b05027acce06e3509ecb68869d1c7ef37180Pavel Březina    }
f5d4b05027acce06e3509ecb68869d1c7ef37180Pavel Březina
f5d4b05027acce06e3509ecb68869d1c7ef37180Pavel Březina    ret = EOK;
f5d4b05027acce06e3509ecb68869d1c7ef37180Pavel Březinadone:
f5d4b05027acce06e3509ecb68869d1c7ef37180Pavel Březina    talloc_free(tmp_ctx);
2d34690ae92215d355b0272001d9e68214dc80f6Jakub Hrozek    return ret;
f5d4b05027acce06e3509ecb68869d1c7ef37180Pavel Březina}
f5d4b05027acce06e3509ecb68869d1c7ef37180Pavel Březina
f5d4b05027acce06e3509ecb68869d1c7ef37180Pavel Březinaerrno_t sysdb_sudo_purge_byname(struct sysdb_ctx *sysdb,
f5d4b05027acce06e3509ecb68869d1c7ef37180Pavel Březina                                const char *name)
f5d4b05027acce06e3509ecb68869d1c7ef37180Pavel Březina{
f5d4b05027acce06e3509ecb68869d1c7ef37180Pavel Březina    DEBUG(SSSDBG_TRACE_INTERNAL, ("Deleting sudo rule %s\n", name));
f5d4b05027acce06e3509ecb68869d1c7ef37180Pavel Březina    return sysdb_delete_custom(sysdb, name, SUDORULE_SUBDIR);
f5d4b05027acce06e3509ecb68869d1c7ef37180Pavel Březina}
f5d4b05027acce06e3509ecb68869d1c7ef37180Pavel Březina
f5d4b05027acce06e3509ecb68869d1c7ef37180Pavel Březinaerrno_t sysdb_sudo_purge_byfilter(struct sysdb_ctx *sysdb,
9675bccabff4e79d224f64611ad9ff3e073b488eSimo Sorce                                  struct sss_domain_info *domain,
f5d4b05027acce06e3509ecb68869d1c7ef37180Pavel Březina                                  const char *filter)
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek{
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek    TALLOC_CTX *tmp_ctx;
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek    size_t count;
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek    struct ldb_message **msgs;
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek    const char *name;
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek    int i;
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek    errno_t ret;
f5d4b05027acce06e3509ecb68869d1c7ef37180Pavel Březina    errno_t sret;
f5d4b05027acce06e3509ecb68869d1c7ef37180Pavel Březina    bool in_transaction = false;
f643754db81eeade60485bbe3d80324d889cc4f3Pavel Březina    const char *attrs[] = { SYSDB_OBJECTCLASS,
f643754db81eeade60485bbe3d80324d889cc4f3Pavel Březina                            SYSDB_NAME,
f643754db81eeade60485bbe3d80324d889cc4f3Pavel Březina                            SYSDB_SUDO_CACHE_AT_CN,
f643754db81eeade60485bbe3d80324d889cc4f3Pavel Březina                            NULL };
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek    /* just purge all if there's no filter */
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek    if (!filter) {
9675bccabff4e79d224f64611ad9ff3e073b488eSimo Sorce        return sysdb_sudo_purge_all(sysdb, domain);
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek    }
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek    tmp_ctx = talloc_new(NULL);
f643754db81eeade60485bbe3d80324d889cc4f3Pavel Březina    NULL_CHECK(tmp_ctx, ret, done);
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek    /* match entries based on the filter and remove them one by one */
770896b194b7b66b09c2a30545b4d091fd86b1f4Simo Sorce    ret = sysdb_search_custom(tmp_ctx, sysdb, domain, filter,
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek                              SUDORULE_SUBDIR, attrs,
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek                              &count, &msgs);
f5d4b05027acce06e3509ecb68869d1c7ef37180Pavel Březina    if (ret == ENOENT) {
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek        DEBUG(SSSDBG_TRACE_FUNC, ("No rules matched\n"));
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek        ret = EOK;
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek        goto done;
f5d4b05027acce06e3509ecb68869d1c7ef37180Pavel Březina    } else if (ret != EOK) {
f5d4b05027acce06e3509ecb68869d1c7ef37180Pavel Březina        DEBUG(SSSDBG_CRIT_FAILURE, ("Error looking up SUDO rules"));
f5d4b05027acce06e3509ecb68869d1c7ef37180Pavel Březina        goto done;
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek    }
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek
f5d4b05027acce06e3509ecb68869d1c7ef37180Pavel Březina    ret = sysdb_transaction_start(sysdb);
f5d4b05027acce06e3509ecb68869d1c7ef37180Pavel Březina    if (ret != EOK) {
3a59cbd0b7b9c5dd3c62ac1679876070c264d80fMichal Zidek        DEBUG(SSSDBG_CRIT_FAILURE, ("Failed to start transaction\n"));
f5d4b05027acce06e3509ecb68869d1c7ef37180Pavel Březina        goto done;
f5d4b05027acce06e3509ecb68869d1c7ef37180Pavel Březina    }
f5d4b05027acce06e3509ecb68869d1c7ef37180Pavel Březina    in_transaction = true;
f5d4b05027acce06e3509ecb68869d1c7ef37180Pavel Březina
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek    for (i = 0; i < count; i++) {
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek        name = ldb_msg_find_attr_as_string(msgs[i], SYSDB_NAME, NULL);
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek        if (name == NULL) {
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek            DEBUG(SSSDBG_OP_FAILURE, ("A rule without a name?\n"));
f643754db81eeade60485bbe3d80324d889cc4f3Pavel Březina            /* skip this one but still delete other entries */
f643754db81eeade60485bbe3d80324d889cc4f3Pavel Březina            continue;
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek        }
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek
f5d4b05027acce06e3509ecb68869d1c7ef37180Pavel Březina        ret = sysdb_sudo_purge_byname(sysdb, name);
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek        if (ret != EOK) {
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek            DEBUG(SSSDBG_OP_FAILURE, ("Could not delete rule %s\n", name));
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek            goto done;
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek        }
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek    }
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek
f5d4b05027acce06e3509ecb68869d1c7ef37180Pavel Březina    ret = sysdb_transaction_commit(sysdb);
3a59cbd0b7b9c5dd3c62ac1679876070c264d80fMichal Zidek    if (ret != EOK) {
3a59cbd0b7b9c5dd3c62ac1679876070c264d80fMichal Zidek        DEBUG(SSSDBG_CRIT_FAILURE, ("Failed to commit transaction\n"));
3a59cbd0b7b9c5dd3c62ac1679876070c264d80fMichal Zidek        goto done;
f5d4b05027acce06e3509ecb68869d1c7ef37180Pavel Březina    }
3a59cbd0b7b9c5dd3c62ac1679876070c264d80fMichal Zidek    in_transaction = false;
f5d4b05027acce06e3509ecb68869d1c7ef37180Pavel Březina
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozekdone:
f5d4b05027acce06e3509ecb68869d1c7ef37180Pavel Březina    if (in_transaction) {
f5d4b05027acce06e3509ecb68869d1c7ef37180Pavel Březina        sret = sysdb_transaction_cancel(sysdb);
f5d4b05027acce06e3509ecb68869d1c7ef37180Pavel Březina        if (sret != EOK) {
f5d4b05027acce06e3509ecb68869d1c7ef37180Pavel Březina            DEBUG(SSSDBG_OP_FAILURE, ("Could not cancel transaction\n"));
f5d4b05027acce06e3509ecb68869d1c7ef37180Pavel Březina        }
f5d4b05027acce06e3509ecb68869d1c7ef37180Pavel Březina    }
f5d4b05027acce06e3509ecb68869d1c7ef37180Pavel Březina
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek    talloc_free(tmp_ctx);
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek    return ret;
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek}