src/db/sysdb_sudo.h

	sysdb_sudo.h revision ed8650be18af26b7bf389e1246f7e8cdb363f829
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen/*
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    Authors:
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen        Jakub Hrozek <jhrozek@redhat.com>
8aacc9e7c84f8376822823ec98c2f551d4919b2eTimo Sirainen
16f816d3f3c32ae3351834253f52ddd0212bcbf3Timo Sirainen    Copyright (C) 2011 Red Hat
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    This program is free software; you can redistribute it and/or modify
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    it under the terms of the GNU General Public License as published by
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    the Free Software Foundation; either version 3 of the License, or
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    (at your option) any later version.
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen
463e82bdf0e990f4f2252d2b53ea23a5abe5883cTimo Sirainen    This program is distributed in the hope that it will be useful,
e06c0b65c16ccce69bbee009ead14d7d3d17a256Timo Sirainen    but WITHOUT ANY WARRANTY; without even the implied warranty of
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
a0d34d3982507f513a9d800082481e9faeb9a943Timo Sirainen    GNU General Public License for more details.
a0d34d3982507f513a9d800082481e9faeb9a943Timo Sirainen
bbf796c17f02538058d7559bfe96d677e5b55015Timo Sirainen    You should have received a copy of the GNU General Public License
e6d7d19c328e7043ad35d5a52c1617bde915a16fTimo Sirainen    along with this program.  If not, see <http://www.gnu.org/licenses/>.
d7095f3a4466fbb78b2d5eb3d322bc15a5b0ab1fTimo Sirainen*/
153de7823e64c67678b3fc95719c41a8ec5b864dTimo Sirainen
153de7823e64c67678b3fc95719c41a8ec5b864dTimo Sirainen#ifndef _SYSDB_SUDO_H_
d7095f3a4466fbb78b2d5eb3d322bc15a5b0ab1fTimo Sirainen#define _SYSDB_SUDO_H_
d7095f3a4466fbb78b2d5eb3d322bc15a5b0ab1fTimo Sirainen
8f7b00599e73fe71b1d2c6c65f8ae98aac1b23fbTimo Sirainen#include "db/sysdb.h"
8f7b00599e73fe71b1d2c6c65f8ae98aac1b23fbTimo Sirainen
d7095f3a4466fbb78b2d5eb3d322bc15a5b0ab1fTimo Sirainen/* subdirs in cn=custom in sysdb. We don't store sudo stuff in sysdb directly
d5cebe7f98e63d4e2822863ef2faa4971e8b3a5dTimo Sirainen * b/c it's not name-service-switch data */
bbf796c17f02538058d7559bfe96d677e5b55015Timo Sirainen#define SUDORULE_SUBDIR "sudorules"
e6d7d19c328e7043ad35d5a52c1617bde915a16fTimo Sirainen
9315dd69233d554452df0c12bc57002d2042a8f4Timo Sirainen/* attribute of SUDORULE_SUBDIR
9315dd69233d554452df0c12bc57002d2042a8f4Timo Sirainen * should be true if we have downloaded all rules atleast once */
153de7823e64c67678b3fc95719c41a8ec5b864dTimo Sirainen#define SYSDB_SUDO_AT_REFRESHED      "refreshed"
153de7823e64c67678b3fc95719c41a8ec5b864dTimo Sirainen#define SYSDB_SUDO_AT_LAST_FULL_REFRESH "sudoLastFullRefreshTime"
9315dd69233d554452df0c12bc57002d2042a8f4Timo Sirainen
9315dd69233d554452df0c12bc57002d2042a8f4Timo Sirainen/* sysdb attributes */
9315dd69233d554452df0c12bc57002d2042a8f4Timo Sirainen#define SYSDB_SUDO_CACHE_OC            "sudoRule"
153de7823e64c67678b3fc95719c41a8ec5b864dTimo Sirainen#define SYSDB_SUDO_CACHE_AT_CN         "cn"
9315dd69233d554452df0c12bc57002d2042a8f4Timo Sirainen#define SYSDB_SUDO_CACHE_AT_USER       "sudoUser"
9315dd69233d554452df0c12bc57002d2042a8f4Timo Sirainen#define SYSDB_SUDO_CACHE_AT_HOST       "sudoHost"
9315dd69233d554452df0c12bc57002d2042a8f4Timo Sirainen#define SYSDB_SUDO_CACHE_AT_COMMAND    "sudoCommand"
9315dd69233d554452df0c12bc57002d2042a8f4Timo Sirainen#define SYSDB_SUDO_CACHE_AT_OPTION     "sudoOption"
9315dd69233d554452df0c12bc57002d2042a8f4Timo Sirainen#define SYSDB_SUDO_CACHE_AT_RUNAS      "sudoRunAs"
41bb0aa8e357876bc9a1916a37c9e3e78e5f8185Timo Sirainen#define SYSDB_SUDO_CACHE_AT_RUNASUSER  "sudoRunAsUser"
538c58fc95200fcc5e91abdda8b912b574a2f968Timo Sirainen#define SYSDB_SUDO_CACHE_AT_RUNASGROUP "sudoRunAsGroup"
538c58fc95200fcc5e91abdda8b912b574a2f968Timo Sirainen#define SYSDB_SUDO_CACHE_AT_NOTBEFORE  "sudoNotBefore"
bbf796c17f02538058d7559bfe96d677e5b55015Timo Sirainen#define SYSDB_SUDO_CACHE_AT_NOTAFTER   "sudoNotAfter"
8aacc9e7c84f8376822823ec98c2f551d4919b2eTimo Sirainen#define SYSDB_SUDO_CACHE_AT_ORDER      "sudoOrder"
1cad0dd34667548ba39f794ddeb9fc486cf4c666Timo Sirainen
1cad0dd34667548ba39f794ddeb9fc486cf4c666Timo Sirainen/* sysdb ipa attributes */
1cad0dd34667548ba39f794ddeb9fc486cf4c666Timo Sirainen#define SYSDB_IPA_SUDORULE_OC                 "ipasudorule"
1cad0dd34667548ba39f794ddeb9fc486cf4c666Timo Sirainen#define SYSDB_IPA_SUDORULE_ENABLED            "ipaEnabledFlag"
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen#define SYSDB_IPA_SUDORULE_OPTION             "ipaSudoOpt"
d482b35af87f5fd872bad007da0475813a401a49Timo Sirainen#define SYSDB_IPA_SUDORULE_RUNASUSER          "ipaSudoRunAs"
d482b35af87f5fd872bad007da0475813a401a49Timo Sirainen#define SYSDB_IPA_SUDORULE_RUNASGROUP         "ipaSudoRunAsGroup"
1cad0dd34667548ba39f794ddeb9fc486cf4c666Timo Sirainen#define SYSDB_IPA_SUDORULE_ORIGCMD            "originalMemberCommand"
d482b35af87f5fd872bad007da0475813a401a49Timo Sirainen#define SYSDB_IPA_SUDORULE_ALLOWCMD           "memberAllowCmd"
1cad0dd34667548ba39f794ddeb9fc486cf4c666Timo Sirainen#define SYSDB_IPA_SUDORULE_DENYCMD            "memberDenyCmd"
1cad0dd34667548ba39f794ddeb9fc486cf4c666Timo Sirainen#define SYSDB_IPA_SUDORULE_HOST               "memberHost"
1cad0dd34667548ba39f794ddeb9fc486cf4c666Timo Sirainen#define SYSDB_IPA_SUDORULE_USER               "memberUser"
1cad0dd34667548ba39f794ddeb9fc486cf4c666Timo Sirainen#define SYSDB_IPA_SUDORULE_NOTAFTER           "sudoNotAfter"
1cad0dd34667548ba39f794ddeb9fc486cf4c666Timo Sirainen#define SYSDB_IPA_SUDORULE_NOTBEFORE          "sudoNotBefore"
1cad0dd34667548ba39f794ddeb9fc486cf4c666Timo Sirainen#define SYSDB_IPA_SUDORULE_SUDOORDER          "sudoOrder"
1cad0dd34667548ba39f794ddeb9fc486cf4c666Timo Sirainen#define SYSDB_IPA_SUDORULE_CMDCATEGORY        "cmdCategory"
1cad0dd34667548ba39f794ddeb9fc486cf4c666Timo Sirainen#define SYSDB_IPA_SUDORULE_HOSTCATEGORY       "hostCategory"
1cad0dd34667548ba39f794ddeb9fc486cf4c666Timo Sirainen#define SYSDB_IPA_SUDORULE_USERCATEGORY       "userCategory"
1cad0dd34667548ba39f794ddeb9fc486cf4c666Timo Sirainen#define SYSDB_IPA_SUDORULE_RUNASUSERCATEGORY  "ipaSudoRunAsUserCategory"
1cad0dd34667548ba39f794ddeb9fc486cf4c666Timo Sirainen#define SYSDB_IPA_SUDORULE_RUNASGROUPCATEGORY "ipaSudoRunAsGroupCategory"
1cad0dd34667548ba39f794ddeb9fc486cf4c666Timo Sirainen
1cad0dd34667548ba39f794ddeb9fc486cf4c666Timo Sirainen#define SYSDB_IPA_SUDOCMDGROUP_OC                 "ipasudocmdgrp"
1cad0dd34667548ba39f794ddeb9fc486cf4c666Timo Sirainen
d482b35af87f5fd872bad007da0475813a401a49Timo Sirainen/* When constructing a sysdb filter, OR these values to include..   */
d482b35af87f5fd872bad007da0475813a401a49Timo Sirainen#define SYSDB_SUDO_FILTER_NONE           0x00       /* no additional filter */
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen#define SYSDB_SUDO_FILTER_USERNAME       0x01       /* username             */
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen#define SYSDB_SUDO_FILTER_UID            0x02       /* uid                  */
1cad0dd34667548ba39f794ddeb9fc486cf4c666Timo Sirainen#define SYSDB_SUDO_FILTER_GROUPS         0x04       /* groups               */
1cad0dd34667548ba39f794ddeb9fc486cf4c666Timo Sirainen#define SYSDB_SUDO_FILTER_NGRS           0x08       /* netgroups            */
1cad0dd34667548ba39f794ddeb9fc486cf4c666Timo Sirainen#define SYSDB_SUDO_FILTER_ONLY_EXPIRED   0x10       /* only expired         */
1cad0dd34667548ba39f794ddeb9fc486cf4c666Timo Sirainen#define SYSDB_SUDO_FILTER_INCLUDE_ALL    0x20       /* ALL                  */
1cad0dd34667548ba39f794ddeb9fc486cf4c666Timo Sirainen#define SYSDB_SUDO_FILTER_INCLUDE_DFL    0x40       /* include cn=default   */
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen#define SYSDB_SUDO_FILTER_USERINFO       SYSDB_SUDO_FILTER_USERNAME \
1cad0dd34667548ba39f794ddeb9fc486cf4c666Timo Sirainen                                       | SYSDB_SUDO_FILTER_UID \
1cad0dd34667548ba39f794ddeb9fc486cf4c666Timo Sirainen                                       | SYSDB_SUDO_FILTER_GROUPS \
1cad0dd34667548ba39f794ddeb9fc486cf4c666Timo Sirainen                                       | SYSDB_SUDO_FILTER_NGRS
1cad0dd34667548ba39f794ddeb9fc486cf4c666Timo Sirainen
1cad0dd34667548ba39f794ddeb9fc486cf4c666Timo Sirainenerrno_t sysdb_sudo_filter_rules_by_time(TALLOC_CTX *mem_ctx,
1cad0dd34667548ba39f794ddeb9fc486cf4c666Timo Sirainen                                        uint32_t in_num_rules,
1cad0dd34667548ba39f794ddeb9fc486cf4c666Timo Sirainen                                        struct sysdb_attrs **in_rules,
1cad0dd34667548ba39f794ddeb9fc486cf4c666Timo Sirainen                                        time_t now,
1cad0dd34667548ba39f794ddeb9fc486cf4c666Timo Sirainen                                        uint32_t *_num_rules,
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen                                        struct sysdb_attrs ***_rules);
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainenerrno_t
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainensysdb_get_sudo_filter(TALLOC_CTX *mem_ctx, const char *username,
1cad0dd34667548ba39f794ddeb9fc486cf4c666Timo Sirainen                      uid_t uid, char **groupnames, unsigned int flags,
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen                      char **_filter);
1cad0dd34667548ba39f794ddeb9fc486cf4c666Timo Sirainen
1cad0dd34667548ba39f794ddeb9fc486cf4c666Timo Sirainenerrno_t
1cad0dd34667548ba39f794ddeb9fc486cf4c666Timo Sirainensysdb_get_sudo_user_info(TALLOC_CTX *mem_ctx,
1cad0dd34667548ba39f794ddeb9fc486cf4c666Timo Sirainen                         struct sss_domain_info *domain,
1cad0dd34667548ba39f794ddeb9fc486cf4c666Timo Sirainen                         const char *username, uid_t *_uid,
1cad0dd34667548ba39f794ddeb9fc486cf4c666Timo Sirainen                         char ***groupnames);
1cad0dd34667548ba39f794ddeb9fc486cf4c666Timo Sirainen
1cad0dd34667548ba39f794ddeb9fc486cf4c666Timo Sirainenerrno_t sysdb_sudo_set_last_full_refresh(struct sss_domain_info *domain,
1cad0dd34667548ba39f794ddeb9fc486cf4c666Timo Sirainen                                         time_t value);
1cad0dd34667548ba39f794ddeb9fc486cf4c666Timo Sirainenerrno_t sysdb_sudo_get_last_full_refresh(struct sss_domain_info *domain,
1cad0dd34667548ba39f794ddeb9fc486cf4c666Timo Sirainen                                         time_t *value);
1cad0dd34667548ba39f794ddeb9fc486cf4c666Timo Sirainen
1cad0dd34667548ba39f794ddeb9fc486cf4c666Timo Sirainenerrno_t sysdb_sudo_purge(struct sss_domain_info *domain,
1cad0dd34667548ba39f794ddeb9fc486cf4c666Timo Sirainen                         const char *delete_filter,
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen                         struct sysdb_attrs **rules,
1cad0dd34667548ba39f794ddeb9fc486cf4c666Timo Sirainen                         size_t num_rules);
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainenerrno_t
fa5957ffc9b676bfd649fa9953e63e72ee4ebeb4Timo Sirainensysdb_sudo_store(struct sss_domain_info *domain,
fa5957ffc9b676bfd649fa9953e63e72ee4ebeb4Timo Sirainen                 struct sysdb_attrs **rules,
fa5957ffc9b676bfd649fa9953e63e72ee4ebeb4Timo Sirainen                 size_t num_rules);
fa5957ffc9b676bfd649fa9953e63e72ee4ebeb4Timo Sirainen
1cad0dd34667548ba39f794ddeb9fc486cf4c666Timo Sirainen#endif /* _SYSDB_SUDO_H_ */
fa5957ffc9b676bfd649fa9953e63e72ee4ebeb4Timo Sirainen