src/db/sysdb_sudo.h

3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek/*
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek    Authors:
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek        Jakub Hrozek <jhrozek@redhat.com>
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek    Copyright (C) 2011 Red Hat
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek    This program is free software; you can redistribute it and/or modify
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek    it under the terms of the GNU General Public License as published by
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek    the Free Software Foundation; either version 3 of the License, or
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek    (at your option) any later version.
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek    This program is distributed in the hope that it will be useful,
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek    but WITHOUT ANY WARRANTY; without even the implied warranty of
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek    GNU General Public License for more details.
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek    You should have received a copy of the GNU General Public License
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek    along with this program.  If not, see <http://www.gnu.org/licenses/>.
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek*/
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek#ifndef _SYSDB_SUDO_H_
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek#define _SYSDB_SUDO_H_
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek#include "db/sysdb.h"
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek/* subdirs in cn=custom in sysdb. We don't store sudo stuff in sysdb directly
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek * b/c it's not name-service-switch data */
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek#define SUDORULE_SUBDIR "sudorules"
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek
1a542b3698d8c42cf075b722f8838f106eb09fccPavel Březina/* attribute of SUDORULE_SUBDIR
1a542b3698d8c42cf075b722f8838f106eb09fccPavel Březina * should be true if we have downloaded all rules atleast once */
1a542b3698d8c42cf075b722f8838f106eb09fccPavel Březina#define SYSDB_SUDO_AT_REFRESHED      "refreshed"
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina#define SYSDB_SUDO_AT_LAST_FULL_REFRESH "sudoLastFullRefreshTime"
1a542b3698d8c42cf075b722f8838f106eb09fccPavel Březina
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek/* sysdb attributes */
fb4e4c4eb6a6dc732370584f70d23dd4a2c5c7b6Pavel Březina#define SYSDB_SUDO_CACHE_OC            "sudoRule"
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek#define SYSDB_SUDO_CACHE_AT_CN         "cn"
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek#define SYSDB_SUDO_CACHE_AT_USER       "sudoUser"
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek#define SYSDB_SUDO_CACHE_AT_HOST       "sudoHost"
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek#define SYSDB_SUDO_CACHE_AT_COMMAND    "sudoCommand"
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek#define SYSDB_SUDO_CACHE_AT_OPTION     "sudoOption"
7c30e60c525ea798aaab142766ff00eef4b5df3bPavel Březina#define SYSDB_SUDO_CACHE_AT_RUNAS      "sudoRunAs"
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek#define SYSDB_SUDO_CACHE_AT_RUNASUSER  "sudoRunAsUser"
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek#define SYSDB_SUDO_CACHE_AT_RUNASGROUP "sudoRunAsGroup"
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek#define SYSDB_SUDO_CACHE_AT_NOTBEFORE  "sudoNotBefore"
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek#define SYSDB_SUDO_CACHE_AT_NOTAFTER   "sudoNotAfter"
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek#define SYSDB_SUDO_CACHE_AT_ORDER      "sudoOrder"
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek
a2057618f30a3c64bdffb35a2ef3c2ba148c8a03Pavel Březina/* sysdb ipa attributes */
a2057618f30a3c64bdffb35a2ef3c2ba148c8a03Pavel Březina#define SYSDB_IPA_SUDORULE_OC                 "ipasudorule"
a2057618f30a3c64bdffb35a2ef3c2ba148c8a03Pavel Březina#define SYSDB_IPA_SUDORULE_ENABLED            "ipaEnabledFlag"
a2057618f30a3c64bdffb35a2ef3c2ba148c8a03Pavel Březina#define SYSDB_IPA_SUDORULE_OPTION             "ipaSudoOpt"
a2057618f30a3c64bdffb35a2ef3c2ba148c8a03Pavel Březina#define SYSDB_IPA_SUDORULE_RUNASUSER          "ipaSudoRunAs"
a2057618f30a3c64bdffb35a2ef3c2ba148c8a03Pavel Březina#define SYSDB_IPA_SUDORULE_RUNASGROUP         "ipaSudoRunAsGroup"
a2057618f30a3c64bdffb35a2ef3c2ba148c8a03Pavel Březina#define SYSDB_IPA_SUDORULE_ORIGCMD            "originalMemberCommand"
a2057618f30a3c64bdffb35a2ef3c2ba148c8a03Pavel Březina#define SYSDB_IPA_SUDORULE_ALLOWCMD           "memberAllowCmd"
a2057618f30a3c64bdffb35a2ef3c2ba148c8a03Pavel Březina#define SYSDB_IPA_SUDORULE_DENYCMD            "memberDenyCmd"
a2057618f30a3c64bdffb35a2ef3c2ba148c8a03Pavel Březina#define SYSDB_IPA_SUDORULE_HOST               "memberHost"
a2057618f30a3c64bdffb35a2ef3c2ba148c8a03Pavel Březina#define SYSDB_IPA_SUDORULE_USER               "memberUser"
a2057618f30a3c64bdffb35a2ef3c2ba148c8a03Pavel Březina#define SYSDB_IPA_SUDORULE_NOTAFTER           "sudoNotAfter"
a2057618f30a3c64bdffb35a2ef3c2ba148c8a03Pavel Březina#define SYSDB_IPA_SUDORULE_NOTBEFORE          "sudoNotBefore"
a2057618f30a3c64bdffb35a2ef3c2ba148c8a03Pavel Březina#define SYSDB_IPA_SUDORULE_SUDOORDER          "sudoOrder"
a2057618f30a3c64bdffb35a2ef3c2ba148c8a03Pavel Březina#define SYSDB_IPA_SUDORULE_CMDCATEGORY        "cmdCategory"
a2057618f30a3c64bdffb35a2ef3c2ba148c8a03Pavel Březina#define SYSDB_IPA_SUDORULE_HOSTCATEGORY       "hostCategory"
a2057618f30a3c64bdffb35a2ef3c2ba148c8a03Pavel Březina#define SYSDB_IPA_SUDORULE_USERCATEGORY       "userCategory"
a2057618f30a3c64bdffb35a2ef3c2ba148c8a03Pavel Březina#define SYSDB_IPA_SUDORULE_RUNASUSERCATEGORY  "ipaSudoRunAsUserCategory"
a2057618f30a3c64bdffb35a2ef3c2ba148c8a03Pavel Březina#define SYSDB_IPA_SUDORULE_RUNASGROUPCATEGORY "ipaSudoRunAsGroupCategory"
a7d2b4f157194c14bc4a40c74f6416b82befa460Pavel Březina#define SYSDB_IPA_SUDORULE_RUNASEXTUSER       "ipaSudoRunAsExtUser"
a7d2b4f157194c14bc4a40c74f6416b82befa460Pavel Březina#define SYSDB_IPA_SUDORULE_RUNASEXTGROUP      "ipaSudoRunAsExtGroup"
a7d2b4f157194c14bc4a40c74f6416b82befa460Pavel Březina#define SYSDB_IPA_SUDORULE_RUNASEXTUSERGROUP  "ipaSudoRunAsExtUserGroup"
991c9f47fcb24704b880f60ab8ee77cfda056e2cPavel Březina#define SYSDB_IPA_SUDORULE_EXTUSER            "externalUser"
a2057618f30a3c64bdffb35a2ef3c2ba148c8a03Pavel Březina
ed8650be18af26b7bf389e1246f7e8cdb363f829Pavel Březina#define SYSDB_IPA_SUDOCMDGROUP_OC                 "ipasudocmdgrp"
ed8650be18af26b7bf389e1246f7e8cdb363f829Pavel Březina
cc7766c8456653ab5d7dedbf432cb1711a905804Pavel Březina#define SYSDB_IPA_SUDOCMD_OC                 "ipasudocmd"
cc7766c8456653ab5d7dedbf432cb1711a905804Pavel Březina#define SYSDB_IPA_SUDOCMD_SUDOCMD            "sudoCmd"
cc7766c8456653ab5d7dedbf432cb1711a905804Pavel Březina
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek/* When constructing a sysdb filter, OR these values to include..   */
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek#define SYSDB_SUDO_FILTER_NONE           0x00       /* no additional filter */
f6171b2bc954a367f316853ab71090eb213bdee3Pavel Březina#define SYSDB_SUDO_FILTER_USERNAME       0x01       /* username             */
f6171b2bc954a367f316853ab71090eb213bdee3Pavel Březina#define SYSDB_SUDO_FILTER_UID            0x02       /* uid                  */
f6171b2bc954a367f316853ab71090eb213bdee3Pavel Březina#define SYSDB_SUDO_FILTER_GROUPS         0x04       /* groups               */
f6171b2bc954a367f316853ab71090eb213bdee3Pavel Březina#define SYSDB_SUDO_FILTER_NGRS           0x08       /* netgroups            */
f7af8c5b369938725e47585c641ae5b017d442a1Pavel Březina#define SYSDB_SUDO_FILTER_ONLY_EXPIRED   0x10       /* only expired         */
f6171b2bc954a367f316853ab71090eb213bdee3Pavel Březina#define SYSDB_SUDO_FILTER_INCLUDE_ALL    0x20       /* ALL                  */
f6171b2bc954a367f316853ab71090eb213bdee3Pavel Březina#define SYSDB_SUDO_FILTER_INCLUDE_DFL    0x40       /* include cn=default   */
f6171b2bc954a367f316853ab71090eb213bdee3Pavel Březina#define SYSDB_SUDO_FILTER_USERINFO       SYSDB_SUDO_FILTER_USERNAME \
f6171b2bc954a367f316853ab71090eb213bdee3Pavel Březina                                       | SYSDB_SUDO_FILTER_UID \
f6171b2bc954a367f316853ab71090eb213bdee3Pavel Březina                                       | SYSDB_SUDO_FILTER_GROUPS \
f6171b2bc954a367f316853ab71090eb213bdee3Pavel Březina                                       | SYSDB_SUDO_FILTER_NGRS
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březinaerrno_t sysdb_sudo_filter_rules_by_time(TALLOC_CTX *mem_ctx,
5ff1c3c5a12930692cb6284d14f7fda3a974af8ePavel Březina                                        uint32_t in_num_rules,
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina                                        struct sysdb_attrs **in_rules,
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina                                        time_t now,
5ff1c3c5a12930692cb6284d14f7fda3a974af8ePavel Březina                                        uint32_t *_num_rules,
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina                                        struct sysdb_attrs ***_rules);
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina
61913b8f0d1ba54d82640500d7486fac5f72b030Pavel Březinachar *
61913b8f0d1ba54d82640500d7486fac5f72b030Pavel Březinasysdb_sudo_filter_expired(TALLOC_CTX *mem_ctx,
61913b8f0d1ba54d82640500d7486fac5f72b030Pavel Březina                          const char *username,
61913b8f0d1ba54d82640500d7486fac5f72b030Pavel Březina                          char **groupnames,
61913b8f0d1ba54d82640500d7486fac5f72b030Pavel Březina                          uid_t uid);
61913b8f0d1ba54d82640500d7486fac5f72b030Pavel Březina
61913b8f0d1ba54d82640500d7486fac5f72b030Pavel Březinachar *
61913b8f0d1ba54d82640500d7486fac5f72b030Pavel Březinasysdb_sudo_filter_defaults(TALLOC_CTX *mem_ctx);
61913b8f0d1ba54d82640500d7486fac5f72b030Pavel Březina
61913b8f0d1ba54d82640500d7486fac5f72b030Pavel Březinachar *
61913b8f0d1ba54d82640500d7486fac5f72b030Pavel Březinasysdb_sudo_filter_user(TALLOC_CTX *mem_ctx,
61913b8f0d1ba54d82640500d7486fac5f72b030Pavel Březina                       const char *username,
61913b8f0d1ba54d82640500d7486fac5f72b030Pavel Březina                       char **groupnames,
61913b8f0d1ba54d82640500d7486fac5f72b030Pavel Březina                       uid_t uid);
61913b8f0d1ba54d82640500d7486fac5f72b030Pavel Březina
61913b8f0d1ba54d82640500d7486fac5f72b030Pavel Březinachar *
61913b8f0d1ba54d82640500d7486fac5f72b030Pavel Březinasysdb_sudo_filter_netgroups(TALLOC_CTX *mem_ctx,
61913b8f0d1ba54d82640500d7486fac5f72b030Pavel Březina                            const char *username,
61913b8f0d1ba54d82640500d7486fac5f72b030Pavel Březina                            char **groupnames,
61913b8f0d1ba54d82640500d7486fac5f72b030Pavel Březina                            uid_t uid);
61913b8f0d1ba54d82640500d7486fac5f72b030Pavel Březina
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozekerrno_t
6a31a971a376a992afb838fe60b311360c970267Jakub Hrozeksysdb_get_sudo_user_info(TALLOC_CTX *mem_ctx,
b0fa48b0d612b46a86e45f8e4b5d9feae9784c2bSimo Sorce                         struct sss_domain_info *domain,
dee665060ba71ff61ad223e755ae61441118fbbaJakub Hrozek                         const char *username,
dee665060ba71ff61ad223e755ae61441118fbbaJakub Hrozek                         const char **_orig_name,
dee665060ba71ff61ad223e755ae61441118fbbaJakub Hrozek                         uid_t *_uid,
dee665060ba71ff61ad223e755ae61441118fbbaJakub Hrozek                         char ***_groupnames);
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek
6a31a971a376a992afb838fe60b311360c970267Jakub Hrozekerrno_t sysdb_sudo_set_last_full_refresh(struct sss_domain_info *domain,
b0fa48b0d612b46a86e45f8e4b5d9feae9784c2bSimo Sorce                                         time_t value);
6a31a971a376a992afb838fe60b311360c970267Jakub Hrozekerrno_t sysdb_sudo_get_last_full_refresh(struct sss_domain_info *domain,
b0fa48b0d612b46a86e45f8e4b5d9feae9784c2bSimo Sorce                                         time_t *value);
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina
68abbe716bed7c8d6790d9bec168ef44469306a1Pavel Březinaerrno_t sysdb_sudo_purge(struct sss_domain_info *domain,
68abbe716bed7c8d6790d9bec168ef44469306a1Pavel Březina                         const char *delete_filter,
68abbe716bed7c8d6790d9bec168ef44469306a1Pavel Březina                         struct sysdb_attrs **rules,
68abbe716bed7c8d6790d9bec168ef44469306a1Pavel Březina                         size_t num_rules);
f5d4b05027acce06e3509ecb68869d1c7ef37180Pavel Březina
68abbe716bed7c8d6790d9bec168ef44469306a1Pavel Březinaerrno_t
68abbe716bed7c8d6790d9bec168ef44469306a1Pavel Březinasysdb_sudo_store(struct sss_domain_info *domain,
68abbe716bed7c8d6790d9bec168ef44469306a1Pavel Březina                 struct sysdb_attrs **rules,
68abbe716bed7c8d6790d9bec168ef44469306a1Pavel Březina                 size_t num_rules);
f5d4b05027acce06e3509ecb68869d1c7ef37180Pavel Březina
e2d26e97d62f06f65e8228b28746471cc5f73fe5Petr Cecherrno_t
e2d26e97d62f06f65e8228b28746471cc5f73fe5Petr Cechsysdb_search_sudo_rules(TALLOC_CTX *mem_ctx,
e2d26e97d62f06f65e8228b28746471cc5f73fe5Petr Cech                        struct sss_domain_info *domain,
e2d26e97d62f06f65e8228b28746471cc5f73fe5Petr Cech                        const char *sub_filter,
e2d26e97d62f06f65e8228b28746471cc5f73fe5Petr Cech                        const char **attrs,
e2d26e97d62f06f65e8228b28746471cc5f73fe5Petr Cech                        size_t *_msgs_count,
e2d26e97d62f06f65e8228b28746471cc5f73fe5Petr Cech                        struct ldb_message ***_msgs);
e2d26e97d62f06f65e8228b28746471cc5f73fe5Petr Cech
e2d26e97d62f06f65e8228b28746471cc5f73fe5Petr Cecherrno_t
e2d26e97d62f06f65e8228b28746471cc5f73fe5Petr Cechsysdb_set_sudo_rule_attr(struct sss_domain_info *domain,
e2d26e97d62f06f65e8228b28746471cc5f73fe5Petr Cech                         const char *name,
e2d26e97d62f06f65e8228b28746471cc5f73fe5Petr Cech                         struct sysdb_attrs *attrs,
e2d26e97d62f06f65e8228b28746471cc5f73fe5Petr Cech                         int mod_op);
e2d26e97d62f06f65e8228b28746471cc5f73fe5Petr Cech
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek#endif /* _SYSDB_SUDO_H_ */