sysdb_sudo.c revision db419c61035cb262010cc8d5a4047191c2b60f05
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek/*
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek Authors:
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek Jakub Hrozek <jhrozek@redhat.com>
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek Copyright (C) 2011 Red Hat
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek This program is free software; you can redistribute it and/or modify
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek it under the terms of the GNU General Public License as published by
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek the Free Software Foundation; either version 3 of the License, or
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek (at your option) any later version.
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek This program is distributed in the hope that it will be useful,
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek but WITHOUT ANY WARRANTY; without even the implied warranty of
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek GNU General Public License for more details.
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek You should have received a copy of the GNU General Public License
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek along with this program. If not, see <http://www.gnu.org/licenses/>.
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek*/
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina#define _XOPEN_SOURCE
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina
#include <stdint.h>
#include <string.h>
#include <talloc.h>
#include <time.h>

#include "db/sysdb.h"
#include "db/sysdb_private.h"
#include "db/sysdb_sudo.h"
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek
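/*
 * Bail out of the enclosing function with ENOMEM when an allocation
 * returned NULL: sets `rval` and jumps to `label` (the function's
 * cleanup block). `val` is parenthesised so that a compound expression
 * such as `a && b` is negated as a whole rather than only its first
 * operand.
 */
#define NULL_CHECK(val, rval, label) do { \
    if (!(val)) { \
        (rval) = ENOMEM; \
        goto label; \
    } \
} while(0)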
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek/* ==================== Utility functions ==================== */
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina
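/*
 * Parse one sudoNotBefore / sudoNotAfter value into a time_t.
 *
 * strptime() stores only the fields it actually parses and leaves the rest
 * of the struct untouched, so the struct is cleared first; otherwise
 * mktime() would read an indeterminate tm_isdst (undefined behaviour).
 * The whole string must be consumed; trailing characters are an error.
 *
 * NOTE(review): mktime() interprets the struct as local time, while the
 * sudoers.ldap format ends in 'Z' (UTC). Whether SYSDB_SUDO_TIME_FORMAT
 * compensates for that is not visible here -- confirm against the header.
 *
 * @return EOK, or EINVAL if the string does not match
 *         SYSDB_SUDO_TIME_FORMAT or cannot be represented as a time_t
 */
static errno_t sysdb_sudo_convert_time(const char *str, time_t *_time)
{
    struct tm tm;
    char *end = NULL;
    time_t converted;

    memset(&tm, 0, sizeof(tm));
    tm.tm_isdst = -1;   /* not part of the format; let mktime() decide */

    end = strptime(str, SYSDB_SUDO_TIME_FORMAT, &tm);
    if (end == NULL || *end != '\0') {
        return EINVAL;
    }

    converted = mktime(&tm);
    if (converted == (time_t) -1) {
        return EINVAL;
    }

    *_time = converted;
    return EOK;
}

/*
 * Decide whether a cached sudo rule is valid at time `now` according to
 * its sudoNotBefore / sudoNotAfter attributes.
 *
 * From man sudoers.ldap:
 *   A timestamp is in the form yyyymmddHHMMSSZ.
 *   If multiple sudoNotBefore entries are present, the *earliest* is used.
 *   If multiple sudoNotAfter entries are present, the *last one* is used.
 *
 * From sudo sources, ldap.c:
 *   If either the sudoNotAfter or sudoNotBefore attributes are missing,
 *   no time restriction shall be imposed.
 *
 * An attribute that is present but carries no usable value cannot be
 * evaluated; the rule is then reported as not valid (fail closed) instead
 * of being compared against a placeholder of 0.
 *
 * @param rule    the cached rule
 * @param now     the time to test against
 * @param result  set to true if the rule is valid at `now`, false otherwise
 *                (always written, also on error)
 * @return EOK; EINVAL if result is NULL or a timestamp is malformed; ENOMEM;
 *         or an error from sysdb_attrs_get_string{,_array}
 */
static errno_t sysdb_sudo_check_time(struct sysdb_attrs *rule,
                                     time_t now,
                                     bool *result)
{
    TALLOC_CTX *tmp_ctx = NULL;
    const char **values = NULL;
    const char *name = NULL;
    time_t notBefore = 0;
    time_t notAfter = 0;
    time_t converted;
    bool have_notBefore = false;
    bool have_notAfter = false;
    errno_t ret;
    int i;

    if (!result) return EINVAL;
    *result = false;

    tmp_ctx = talloc_new(NULL);
    NULL_CHECK(tmp_ctx, ret, done);

    /* the rule name is only used in log messages */
    ret = sysdb_attrs_get_string(rule, SYSDB_SUDO_CACHE_AT_CN, &name);
    if (ret == ENOENT) {
        name = "<missing>";
    } else if (ret != EOK) {
        goto done;
    }

    /* check for sudoNotBefore */
    ret = sysdb_attrs_get_string_array(rule, SYSDB_SUDO_CACHE_AT_NOTBEFORE,
                                       tmp_ctx, &values);
    if (ret == ENOENT) {
        DEBUG(SSSDBG_TRACE_LIBS,
              ("notBefore attribute is missing, the rule [%s] is valid\n",
              name));
        *result = true;
        ret = EOK;
        goto done;
    } else if (ret != EOK) {
        goto done;
    }

    for (i = 0; values[i]; i++) {
        ret = sysdb_sudo_convert_time(values[i], &converted);
        if (ret != EOK) {
            DEBUG(SSSDBG_MINOR_FAILURE, ("Invalid time format in rule [%s]!\n",
                  name));
            goto done;
        }

        /* Grab the earliest. Presence is tracked explicitly so that a
         * timestamp equal to 0 (the epoch) is not mistaken for "unset". */
        if (!have_notBefore || converted < notBefore) {
            notBefore = converted;
            have_notBefore = true;
        }
    }

    /* check for sudoNotAfter */
    ret = sysdb_attrs_get_string_array(rule, SYSDB_SUDO_CACHE_AT_NOTAFTER,
                                       tmp_ctx, &values);
    if (ret == ENOENT) {
        DEBUG(SSSDBG_TRACE_LIBS,
              ("notAfter attribute is missing, the rule [%s] is valid\n",
              name));
        *result = true;
        ret = EOK;
        goto done;
    } else if (ret != EOK) {
        goto done;
    }

    for (i = 0; values[i]; i++) {
        ret = sysdb_sudo_convert_time(values[i], &converted);
        if (ret != EOK) {
            DEBUG(SSSDBG_MINOR_FAILURE, ("Invalid time format in rule [%s]!\n",
                  name));
            goto done;
        }

        /* Grab the latest */
        if (!have_notAfter || converted > notAfter) {
            notAfter = converted;
            have_notAfter = true;
        }
    }

    /* both attributes exist: the rule is valid only inside the window;
     * an attribute with no values leaves *result false (fail closed) */
    if (have_notBefore && have_notAfter
            && now >= notBefore && now <= notAfter) {
        *result = true;
    }

    ret = EOK;
done:
    talloc_free(tmp_ctx);
    return ret;
}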
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina
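/*
 * Select the rules from in_rules that are valid at `now` (see
 * sysdb_sudo_check_time). A rule whose check fails -- for example because
 * one of its sudoNotBefore / sudoNotAfter values is malformed -- is dropped
 * as well, so an unparsable time restriction never grants access.
 *
 * @param in_num_rules  number of entries in in_rules
 * @param in_rules      the candidate rules
 * @param now           the time to test against; 0 means the current time
 * @param _num_rules    number of rules returned
 * @param _rules        array of the matching rules (the same pointers as in
 *                      in_rules, not copies), allocated on mem_ctx; NULL
 *                      when no rule matched
 * @return EOK or ENOMEM
 */
errno_t sysdb_sudo_filter_rules_by_time(TALLOC_CTX *mem_ctx,
                                        size_t in_num_rules,
                                        struct sysdb_attrs **in_rules,
                                        time_t now,
                                        size_t *_num_rules,
                                        struct sysdb_attrs ***_rules)
{
    size_t num_rules = 0;
    struct sysdb_attrs **rules = NULL;
    TALLOC_CTX *tmp_ctx = NULL;
    bool allowed = false;
    errno_t ret;
    size_t i;

    tmp_ctx = talloc_new(NULL);
    NULL_CHECK(tmp_ctx, ret, done);

    if (now == 0) {
        now = time(NULL);
    }

    for (i = 0; i < in_num_rules; i++) {
        ret = sysdb_sudo_check_time(in_rules[i], now, &allowed);
        if (ret != EOK || !allowed) {
            /* not valid now, or not decidable: leave it out */
            continue;
        }

        num_rules++;
        rules = talloc_realloc(tmp_ctx, rules, struct sysdb_attrs *,
                               num_rules);
        NULL_CHECK(rules, ret, done);

        rules[num_rules - 1] = in_rules[i];
    }

    *_num_rules = num_rules;
    *_rules = talloc_steal(mem_ctx, rules);

    ret = EOK;

done:
    talloc_free(tmp_ctx);
    return ret;
}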
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek
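/*
 * Escape a value for use inside an LDAP search filter (RFC 4515):
 * '*', '(', ')' and '\' become "\2a", "\28", "\29" and "\5c".
 * Without this a name containing '*' or ')' would change the meaning of
 * the filter assembled by sysdb_get_sudo_filter (e.g. match every rule).
 *
 * @return a NUL-terminated copy allocated on mem_ctx, or NULL on ENOMEM
 */
static char *sysdb_sudo_filter_escape(TALLOC_CTX *mem_ctx, const char *str)
{
    static const char hex[] = "0123456789abcdef";
    size_t len = strlen(str);
    size_t out_len = 0;
    size_t i;
    char *out = NULL;

    /* worst case: every byte expands to "\xx" */
    if (len > (SIZE_MAX - 1) / 3) {
        return NULL;
    }
    out = talloc_array(mem_ctx, char, len * 3 + 1);
    if (out == NULL) {
        return NULL;
    }

    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char) str[i];

        switch (c) {
        case '*':
        case '(':
        case ')':
        case '\\':
            out[out_len++] = '\\';
            out[out_len++] = hex[c >> 4];
            out[out_len++] = hex[c & 0x0f];
            break;
        default:
            out[out_len++] = (char) c;
            break;
        }
    }
    out[out_len] = '\0';

    return out;
}

/*
 * Build the sysdb search filter that selects the cached sudo rules which may
 * apply to a user: "(&(objectClass=<rule oc>)(|<specific clauses>))".
 *
 * `flags` selects which sudoUser forms go into the "(|...)" part:
 *   SYSDB_SUDO_FILTER_INCLUDE_ALL  sudoUser=ALL
 *   SYSDB_SUDO_FILTER_INCLUDE_DFL  the "defaults" entry (matched by name)
 *   SYSDB_SUDO_FILTER_USERNAME     sudoUser=<username>   (if username != NULL)
 *   SYSDB_SUDO_FILTER_UID          sudoUser=#<uid>       (if uid != 0)
 *   SYSDB_SUDO_FILTER_GROUPS       sudoUser=%<group> for every group name
 *   SYSDB_SUDO_FILTER_NGRS         sudoUser=+*  (any netgroup)
 * When no specific clause is selected the filter matches every rule.
 *
 * User and group names are data, not filter syntax, so they are escaped
 * with sysdb_sudo_filter_escape before being embedded; the "ALL" and "+*"
 * tokens are intentionally literal.
 *
 * @param groupnames  NULL-terminated array of group names, may be NULL
 * @param _filter     on EOK, the filter string allocated on mem_ctx
 * @return EOK or ENOMEM
 */
errno_t
sysdb_get_sudo_filter(TALLOC_CTX *mem_ctx, const char *username,
                      uid_t uid, char **groupnames, unsigned int flags,
                      char **_filter)
{
    TALLOC_CTX *tmp_ctx = NULL;
    char *filter = NULL;
    char *specific_filter = NULL;
    char *escaped = NULL;
    errno_t ret;
    int i;

    tmp_ctx = talloc_new(NULL);
    NULL_CHECK(tmp_ctx, ret, done);

    /* build specific filter */

    specific_filter = talloc_zero(tmp_ctx, char); /* assign to tmp_ctx */
    NULL_CHECK(specific_filter, ret, done);

    if (flags & SYSDB_SUDO_FILTER_INCLUDE_ALL) {
        specific_filter = talloc_asprintf_append(specific_filter, "(%s=ALL)",
                                                 SYSDB_SUDO_CACHE_AT_USER);
        NULL_CHECK(specific_filter, ret, done);
    }

    if (flags & SYSDB_SUDO_FILTER_INCLUDE_DFL) {
        specific_filter = talloc_asprintf_append(specific_filter, "(%s=defaults)",
                                                 SYSDB_NAME);
        NULL_CHECK(specific_filter, ret, done);
    }

    if ((flags & SYSDB_SUDO_FILTER_USERNAME) && (username != NULL)) {
        escaped = sysdb_sudo_filter_escape(tmp_ctx, username);
        NULL_CHECK(escaped, ret, done);

        specific_filter = talloc_asprintf_append(specific_filter, "(%s=%s)",
                                                 SYSDB_SUDO_CACHE_AT_USER,
                                                 escaped);
        NULL_CHECK(specific_filter, ret, done);
    }

    if ((flags & SYSDB_SUDO_FILTER_UID) && (uid != 0)) {
        specific_filter = talloc_asprintf_append(specific_filter, "(%s=#%llu)",
                                                 SYSDB_SUDO_CACHE_AT_USER,
                                                 (unsigned long long) uid);
        NULL_CHECK(specific_filter, ret, done);
    }

    if ((flags & SYSDB_SUDO_FILTER_GROUPS) && (groupnames != NULL)) {
        for (i = 0; groupnames[i] != NULL; i++) {
            escaped = sysdb_sudo_filter_escape(tmp_ctx, groupnames[i]);
            NULL_CHECK(escaped, ret, done);

            specific_filter = talloc_asprintf_append(specific_filter, "(%s=%%%s)",
                                                     SYSDB_SUDO_CACHE_AT_USER,
                                                     escaped);
            NULL_CHECK(specific_filter, ret, done);
        }
    }

    if (flags & SYSDB_SUDO_FILTER_NGRS) {
        specific_filter = talloc_asprintf_append(specific_filter, "(%s=+*)",
                                                 SYSDB_SUDO_CACHE_AT_USER);
        NULL_CHECK(specific_filter, ret, done);
    }

    /* build global filter */

    filter = talloc_asprintf(tmp_ctx, "(&(%s=%s)",
                             SYSDB_OBJECTCLASS, SYSDB_SUDO_CACHE_AT_OC);
    NULL_CHECK(filter, ret, done);

    if (specific_filter[0] != '\0') {
        filter = talloc_asprintf_append(filter, "(|%s)", specific_filter);
        NULL_CHECK(filter, ret, done);
    }

    filter = talloc_strdup_append(filter, ")");
    NULL_CHECK(filter, ret, done);

    ret = EOK;
    *_filter = talloc_steal(mem_ctx, filter);

done:
    talloc_free(tmp_ctx);
    return ret;
}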
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek
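/*
 * Look up the UID and the group memberships of `username` in sysdb, as
 * needed to build the sudo rule filter (sysdb_get_sudo_filter).
 *
 * The previous version returned EOK unconditionally, so a failed lookup
 * left *_uid and *groupnames unset while the caller believed the call had
 * succeeded; the real status is now propagated.
 *
 * @param _uid        on EOK, the user's UID (the stored value is read as
 *                    a uint64 and narrowed to uid_t; 0 is rejected as
 *                    "no UID")
 * @param groupnames  on EOK, NULL-terminated array of group names allocated
 *                    on mem_ctx, or NULL when the user is in no group
 * @return EOK; EIO if the user has no UID; ENOMEM; or the error from
 *         sysdb_search_user_by_name / sysdb_group_dn_name
 */
errno_t
sysdb_get_sudo_user_info(TALLOC_CTX *mem_ctx, const char *username,
                         struct sysdb_ctx *sysdb, uid_t *_uid,
                         char ***groupnames)
{
    TALLOC_CTX *tmp_ctx;
    errno_t ret;
    const char *attrs[3];
    struct ldb_message *msg;
    char **sysdb_groupnames = NULL;
    struct ldb_message_element *groups;
    uid_t uid;
    unsigned int i;

    tmp_ctx = talloc_new(NULL);
    NULL_CHECK(tmp_ctx, ret, done);

    attrs[0] = SYSDB_MEMBEROF;
    attrs[1] = SYSDB_UIDNUM;
    attrs[2] = NULL;
    ret = sysdb_search_user_by_name(tmp_ctx, sysdb, username,
                                    attrs, &msg);
    if (ret != EOK) {
        DEBUG(SSSDBG_CRIT_FAILURE, ("Error looking up user %s\n", username));
        goto done;
    }

    uid = ldb_msg_find_attr_as_uint64(msg, SYSDB_UIDNUM, 0);
    if (!uid) {
        DEBUG(SSSDBG_CRIT_FAILURE, ("A user with no UID?\n"));
        ret = EIO;
        goto done;
    }

    groups = ldb_msg_find_element(msg, SYSDB_MEMBEROF);
    if (!groups || groups->num_values == 0) {
        /* No groups for this user in sysdb currently */
        sysdb_groupnames = NULL;
    } else {
        sysdb_groupnames = talloc_array(tmp_ctx, char *, groups->num_values+1);
        NULL_CHECK(sysdb_groupnames, ret, done);

        /* Get a list of the groups by groupname only */
        for (i = 0; i < groups->num_values; i++) {
            ret = sysdb_group_dn_name(sysdb,
                                      sysdb_groupnames,
                                      (const char *)groups->values[i].data,
                                      &sysdb_groupnames[i]);
            if (ret != EOK) {
                /* keep the real error instead of reporting ENOMEM */
                goto done;
            }
        }
        sysdb_groupnames[groups->num_values] = NULL;
    }

    ret = EOK;
    *_uid = uid;
    *groupnames = talloc_steal(mem_ctx, sysdb_groupnames);
done:
    talloc_free(tmp_ctx);
    return ret;
}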
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek
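/*
 * Delete the whole custom subtree `subdir` of `domain` from sysdb.
 *
 * The previous version returned EOK unconditionally, hiding a failed
 * sysdb_delete_recursive from the caller (stale rules would then survive
 * a purge unnoticed); the real status is now returned.
 *
 * @return EOK, ENOMEM, or the error from sysdb_delete_recursive
 */
static errno_t
sysdb_sudo_purge_subdir(struct sysdb_ctx *sysdb,
                        struct sss_domain_info *domain,
                        const char *subdir)
{
    struct ldb_dn *base_dn = NULL;
    TALLOC_CTX *tmp_ctx = NULL;
    errno_t ret;

    tmp_ctx = talloc_new(NULL);
    NULL_CHECK(tmp_ctx, ret, done);

    base_dn = sysdb_custom_subtree_dn(sysdb, tmp_ctx, domain->name, subdir);
    NULL_CHECK(base_dn, ret, done);

    /* true: delete the subtree including its base entry */
    ret = sysdb_delete_recursive(sysdb, base_dn, true);
    if (ret != EOK) {
        DEBUG(SSSDBG_OP_FAILURE, ("sysdb_delete_recursive failed.\n"));
        goto done;
    }

    ret = EOK;
done:
    talloc_free(tmp_ctx);
    return ret;
}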
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek
/*
 * Store one sudo rule in the SUDORULE_SUBDIR custom subtree under
 * `rule_name`. The object class and name attributes are appended to
 * `attrs` in place before the store, so the caller's attrs are modified.
 *
 * @return EOK, or the error from sysdb_attrs_add_string / sysdb_store_custom
 */
errno_t
sysdb_save_sudorule(struct sysdb_ctx *sysdb_ctx,
                    const char *rule_name,
                    struct sysdb_attrs *attrs)
{
    errno_t ret;

    DEBUG(SSSDBG_TRACE_FUNC, ("Adding sudo rule %s\n", rule_name));

    /* mark the entry as a cached sudo rule */
    ret = sysdb_attrs_add_string(attrs, SYSDB_OBJECTCLASS,
                                 SYSDB_SUDO_CACHE_AT_OC);
    if (ret != EOK) {
        DEBUG(SSSDBG_OP_FAILURE, ("Could not set rule object class [%d]: %s\n",
              ret, strerror(ret)));
        goto fail;
    }

    ret = sysdb_attrs_add_string(attrs, SYSDB_NAME, rule_name);
    if (ret != EOK) {
        DEBUG(SSSDBG_OP_FAILURE, ("Could not set name attribute [%d]: %s\n",
              ret, strerror(ret)));
        goto fail;
    }

    ret = sysdb_store_custom(sysdb_ctx, rule_name, SUDORULE_SUBDIR, attrs);
    if (ret != EOK) {
        DEBUG(SSSDBG_OP_FAILURE, ("sysdb_store_custom failed [%d]: %s\n",
              ret, strerror(ret)));
        goto fail;
    }

    return EOK;

fail:
    return ret;
}
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek
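/*
 * Remove sudo rules from the domain's sudo rule subtree (SUDORULE_SUBDIR).
 *
 * @param sysdb   sysdb context whose sudo rule subtree is purged
 * @param domain  domain the rules belong to
 * @param filter  ldb filter selecting the rules to delete, or NULL to drop
 *                the whole subtree via sysdb_sudo_purge_subdir(). The
 *                string is handed verbatim to the search, so callers must
 *                escape any attacker-controlled component (user names,
 *                host names, ...) before building it.
 *
 * @return EOK on success, including the case where nothing matched; the
 *         error NULL_CHECK assigns when the temporary context cannot be
 *         allocated; otherwise the errno reported by the search or by the
 *         first failing delete.
 *
 * Deletion is not atomic: rules removed before a failure stay removed,
 * while entries that carry no SYSDB_NAME are skipped and therefore
 * survive the purge. Callers that need all-or-nothing semantics should
 * run this inside a sysdb transaction.
 */
errno_t
sysdb_purge_sudorule_subtree(struct sysdb_ctx *sysdb,
                             struct sss_domain_info *domain,
                             const char *filter)
{
    TALLOC_CTX *tmp_ctx;
    size_t count;
    struct ldb_message **msgs;
    const char *name;
    size_t i;
    errno_t ret;
    const char *attrs[] = { SYSDB_OBJECTCLASS,
                            SYSDB_NAME,
                            SYSDB_SUDO_CACHE_AT_OC,
                            SYSDB_SUDO_CACHE_AT_CN,
                            NULL };

    /* just purge all if there's no filter */
    if (!filter) {
        return sysdb_sudo_purge_subdir(sysdb, domain, SUDORULE_SUBDIR);
    }

    tmp_ctx = talloc_new(NULL);
    NULL_CHECK(tmp_ctx, ret, done);

    /* match entries based on the filter and remove them one by one */
    ret = sysdb_search_custom(tmp_ctx, sysdb, filter,
                              SUDORULE_SUBDIR, attrs,
                              &count, &msgs);
    if (ret == ENOENT) {
        DEBUG(SSSDBG_TRACE_FUNC, ("No rules matched\n"));
        ret = EOK;
        goto done;
    } else if (ret != EOK) {
        /* log the code too, so a failed purge can be told apart from an
         * empty result when reading the logs */
        DEBUG(SSSDBG_CRIT_FAILURE, ("Error looking up SUDO rules [%d]: %s\n",
                                    ret, strerror(ret)));
        goto done;
    }

    /* count is a size_t, so the index is one as well (no sign-compare) */
    for (i = 0; i < count; i++) {
        name = ldb_msg_find_attr_as_string(msgs[i], SYSDB_NAME, NULL);
        if (name == NULL) {
            /* A cached rule we cannot address by name: it survives this
             * purge, so report it, but keep deleting the other entries. */
            DEBUG(SSSDBG_OP_FAILURE, ("A rule without a name?\n"));
            continue;
        }

        ret = sysdb_delete_custom(sysdb, name, SUDORULE_SUBDIR);
        if (ret != EOK) {
            DEBUG(SSSDBG_OP_FAILURE, ("Could not delete rule %s [%d]: %s\n",
                                      name, ret, strerror(ret)));
            goto done;
        }
    }

    ret = EOK;
done:
    talloc_free(tmp_ctx);
    return ret;
}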
1a542b3698d8c42cf075b722f8838f106eb09fccPavel Březina
/*
 * Store the SYSDB_SUDO_AT_REFRESHED flag on the entry named by the
 * sudo rule subtree template (SUDORULE_SUBDIR under sysdb's domain).
 *
 * @param sysdb      sysdb context; sysdb->domain->name selects the subtree
 * @param refreshed  value to store
 *
 * @return ENOMEM when the temporary context or the DN cannot be
 *         allocated, otherwise whatever sysdb_set_bool() returns.
 */
errno_t sysdb_sudo_set_refreshed(struct sysdb_ctx *sysdb,
                                 bool refreshed)
{
    TALLOC_CTX *tmp_ctx = talloc_new(NULL);
    struct ldb_dn *subtree_dn;
    errno_t ret = ENOMEM;

    if (tmp_ctx == NULL) {
        /* nothing was allocated, so there is nothing to release */
        return ret;
    }

    /* the flag is kept on the subtree entry itself, not on any rule */
    subtree_dn = ldb_dn_new_fmt(tmp_ctx, sysdb->ldb, SYSDB_TMPL_CUSTOM_SUBTREE,
                                SUDORULE_SUBDIR, sysdb->domain->name);
    if (subtree_dn != NULL) {
        ret = sysdb_set_bool(sysdb, subtree_dn, SUDORULE_SUBDIR,
                             SYSDB_SUDO_AT_REFRESHED, refreshed);
    }

    talloc_free(tmp_ctx);
    return ret;
}
1a542b3698d8c42cf075b722f8838f106eb09fccPavel Březina
/*
 * Read the SYSDB_SUDO_AT_REFRESHED flag from the entry named by the
 * sudo rule subtree template (SUDORULE_SUBDIR under sysdb's domain).
 *
 * @param sysdb      sysdb context; sysdb->domain->name selects the subtree
 * @param refreshed  output; written only by sysdb_get_bool(), so it is
 *                   left untouched on the ENOMEM paths below and callers
 *                   must check the return value before trusting it
 *
 * @return ENOMEM when the temporary context or the DN cannot be
 *         allocated, otherwise whatever sysdb_get_bool() returns.
 */
errno_t sysdb_sudo_get_refreshed(struct sysdb_ctx *sysdb,
                                 bool *refreshed)
{
    TALLOC_CTX *tmp_ctx = talloc_new(NULL);
    struct ldb_dn *subtree_dn;
    errno_t ret = ENOMEM;

    if (tmp_ctx == NULL) {
        /* nothing was allocated, so there is nothing to release */
        return ret;
    }

    /* same DN as sysdb_sudo_set_refreshed(): the subtree entry itself */
    subtree_dn = ldb_dn_new_fmt(tmp_ctx, sysdb->ldb, SYSDB_TMPL_CUSTOM_SUBTREE,
                                SUDORULE_SUBDIR, sysdb->domain->name);
    if (subtree_dn != NULL) {
        ret = sysdb_get_bool(sysdb, subtree_dn, SYSDB_SUDO_AT_REFRESHED,
                             refreshed);
    }

    talloc_free(tmp_ctx);
    return ret;
}