/*
SSSD
Authors:
Fabiano FidĂȘncio <fidencio@redhat.com>
Copyright (C) 2017 Red Hat
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include "util/util.h"
#include "providers/ldap/ldap_common.h"
#include "providers/ldap/sdap_async_private.h"
#include "providers/ipa/ipa_rules_common.h"
#include "providers/ipa/ipa_deskprofile_private.h"
#include "providers/ipa/ipa_deskprofile_rules.h"
#include "providers/ipa/ipa_deskprofile_rules_util.h"
struct ipa_deskprofile_rule_state {
struct tevent_context *ev;
struct sdap_handle *sh;
struct sdap_options *opts;
int search_base_iter;
struct sdap_search_base **search_bases;
const char **attrs;
char *rules_filter;
char *cur_filter;
size_t rule_count;
struct sysdb_attrs **rules;
};
static errno_t
ipa_deskprofile_rule_info_next(struct tevent_req *req,
struct ipa_deskprofile_rule_state *state);
static void
ipa_deskprofile_rule_info_done(struct tevent_req *subreq);
struct tevent_req *
ipa_deskprofile_rule_info_send(TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
struct sdap_handle *sh,
struct sdap_options *opts,
struct sdap_search_base **search_bases,
struct sysdb_attrs *ipa_host,
struct sss_domain_info *domain,
const char *username)
{
struct tevent_req *req = NULL;
struct ipa_deskprofile_rule_state *state;
char *user;
char *group;
char *host_dn_clean;
char *group_clean;
char *host_group_clean;
char *rule_filter;
const char *host_dn;
const char **memberof_list;
char **groups_list;
errno_t ret;
req = tevent_req_create(mem_ctx, &state, struct ipa_deskprofile_rule_state);
if (req == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create failed.\n");
return NULL;
}
if (ipa_host == NULL) {
ret = EINVAL;
DEBUG(SSSDBG_CRIT_FAILURE, "Missing host\n");
goto immediate;
}
ret = sysdb_attrs_get_string(ipa_host, SYSDB_ORIG_DN, &host_dn);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "Could not identify IPA hostname\n");
goto immediate;
}
ret = sss_filter_sanitize(state, host_dn, &host_dn_clean);
if (ret != EOK) {
goto immediate;
}
state->ev = ev;
state->sh = sh;
state->opts = opts;
state->search_bases = search_bases;
state->search_base_iter = 0;
state->attrs = deskprofile_get_attrs_to_get_cached_rules(state);
if (state->attrs == NULL) {
ret = ENOMEM;
DEBUG(SSSDBG_CRIT_FAILURE,
"deskprofile_get_attrs_get_cached_rules() failed\n");
goto immediate;
}
rule_filter = talloc_asprintf(state,
"(&(objectclass=%s)"
"(%s=%s)"
"(|(%s=%s)(%s=%s)(%s=%s)",
IPA_DESKPROFILE_RULE,
IPA_ENABLED_FLAG, IPA_TRUE_VALUE,
IPA_HOST_CATEGORY, "all",
IPA_USER_CATEGORY, "all",
IPA_MEMBER_HOST, host_dn_clean);
if (rule_filter == NULL) {
ret = ENOMEM;
goto immediate;
}
/* Add all parent groups of ipa_hostname to the filter */
ret = sysdb_attrs_get_string_array(ipa_host, SYSDB_ORIG_MEMBEROF,
state, &memberof_list);
if (ret != EOK && ret != ENOENT) {
DEBUG(SSSDBG_CRIT_FAILURE, "Could not identify.\n");
} else if (ret == ENOENT) {
/* This host is not a member of any hostgroups */
memberof_list = talloc_array(state, const char *, 1);
if (memberof_list == NULL) {
ret = ENOMEM;
goto immediate;
}
memberof_list[0] = NULL;
}
for (size_t i = 0; memberof_list[i] != NULL; i++) {
ret = sss_filter_sanitize(state,
memberof_list[i],
&host_group_clean);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE,
"sss_filter_sanitize() failed [%d]: %s\n",
ret, sss_strerror(ret));
goto immediate;
}
rule_filter = talloc_asprintf_append(rule_filter, "(%s=%s)",
IPA_MEMBER_HOST,
host_group_clean);
if (rule_filter == NULL) {
ret = ENOMEM;
goto immediate;
}
}
/* Add the username to the filter */
ret = sss_parse_internal_fqname(state, username, &user, NULL);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE,
"sss_parse_internal_fqname() failed [%d]: %s\n",
ret, sss_strerror(ret));
goto immediate;
}
rule_filter = talloc_asprintf_append(rule_filter, "(%s=%s)",
IPA_MEMBER_USER, user);
if (rule_filter == NULL) {
ret = ENOMEM;
goto immediate;
}
/* Add all parent groups of `username` to the filter */
ret = get_sysdb_grouplist(state, domain->sysdb, domain, username,
&groups_list);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "get_sysdb_grouplist() failed [%d]: %s\n",
ret, sss_strerror(ret));
goto immediate;
}
for (size_t i = 0; groups_list[i] != NULL; i++) {
ret = sss_filter_sanitize(state, groups_list[i], &group_clean);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE,
"sss_filter_sanitize() failed [%d]: %s\n",
ret, sss_strerror(ret));
goto immediate;
}
ret = sss_parse_internal_fqname(state, group_clean, &group, NULL);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE,
"sss_parse_internal_fqname() failed [%d]: %s\n",
ret, sss_strerror(ret));
goto immediate;
}
rule_filter = talloc_asprintf_append(rule_filter, "(%s=%s)",
IPA_MEMBER_USER, group);
if (rule_filter == NULL) {
ret = ENOMEM;
goto immediate;
}
}
rule_filter = talloc_asprintf_append(rule_filter, "))");
if (rule_filter == NULL) {
ret = ENOMEM;
goto immediate;
}
state->rules_filter = talloc_steal(state, rule_filter);
ret = ipa_deskprofile_rule_info_next(req, state);
if (ret != EAGAIN) {
if (ret == EOK) {
/* ipa_deskprofile_rule_info_next should always have a search base
* when called for the first time.
*
* For the subsequent iterations, not finding any more search bases
* is fine though (thus the function returns EOK).
*
* As, here, it's the first case happening, let's return EINVAL.
*/
DEBUG(SSSDBG_CRIT_FAILURE, "No search base found\n");
ret = EINVAL;
}
goto immediate;
}
return req;
immediate:
if (ret == EOK) {
tevent_req_done(req);
} else {
tevent_req_error(req, ret);
}
tevent_req_post(req, ev);
return req;
}
static errno_t
ipa_deskprofile_rule_info_next(struct tevent_req *req,
struct ipa_deskprofile_rule_state *state)
{
struct tevent_req *subreq;
struct sdap_search_base *base;
base = state->search_bases[state->search_base_iter];
if (base == NULL) {
return EOK;
}
talloc_zfree(state->cur_filter);
state->cur_filter = sdap_combine_filters(state, state->rules_filter,
base->filter);
if (state->cur_filter == NULL) {
return ENOMEM;
}
DEBUG(SSSDBG_TRACE_FUNC,
"Sending request for next search base: [%s][%d][%s]\n",
base->basedn, base->scope, state->cur_filter);
subreq = sdap_get_generic_send(state, state->ev, state->opts, state->sh,
base->basedn, base->scope,
state->cur_filter, state->attrs,
NULL, 0,
dp_opt_get_int(state->opts->basic,
SDAP_ENUM_SEARCH_TIMEOUT),
true);
if (subreq == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "sdap_get_generic_send failed.\n");
return ENOMEM;
}
tevent_req_set_callback(subreq, ipa_deskprofile_rule_info_done, req);
return EAGAIN;
}
static void
ipa_deskprofile_rule_info_done(struct tevent_req *subreq)
{
errno_t ret;
struct tevent_req *req;
struct ipa_deskprofile_rule_state *state;
size_t rule_count;
size_t total_count;
struct sysdb_attrs **rules;
struct sysdb_attrs **target;
int i;
req = tevent_req_callback_data(subreq, struct tevent_req);
state = tevent_req_data(req, struct ipa_deskprofile_rule_state);
ret = sdap_get_generic_recv(subreq, state,
&rule_count,
&rules);
if (ret != EOK) {
DEBUG(SSSDBG_MINOR_FAILURE,
"Could not retrieve Desktop Profile rules\n");
goto fail;
}
if (rule_count > 0) {
total_count = rule_count + state->rule_count;
state->rules = talloc_realloc(state, state->rules,
struct sysdb_attrs *,
total_count);
if (state->rules == NULL) {
ret = ENOMEM;
goto fail;
}
i = 0;
while (state->rule_count < total_count) {
target = &state->rules[state->rule_count];
*target = talloc_steal(state->rules, rules[i]);
state->rule_count++;
i++;
}
}
state->search_base_iter++;
ret = ipa_deskprofile_rule_info_next(req, state);
if (ret == EAGAIN) {
return;
} else if (ret != EOK) {
goto fail;
} else if (ret == EOK && state->rule_count == 0) {
DEBUG(SSSDBG_TRACE_FUNC, "No rules apply to this host\n");
tevent_req_error(req, ENOENT);
return;
}
/* We went through all search bases and we have some results */
tevent_req_done(req);
return;
fail:
tevent_req_error(req, ret);
}
errno_t
ipa_deskprofile_rule_info_recv(struct tevent_req *req,
TALLOC_CTX *mem_ctx,
size_t *_rule_count,
struct sysdb_attrs ***_rules)
{
struct ipa_deskprofile_rule_state *state;
TEVENT_REQ_RETURN_ON_ERROR(req);
state = tevent_req_data(req, struct ipa_deskprofile_rule_state);
*_rule_count = state->rule_count;
*_rules = talloc_steal(mem_ctx, state->rules);
return EOK;
}