ipa_hbac_common.c revision 9b72b00ebcfd6225a4e139619c8e18d44a448f87
/*
SSSD
Authors:
Stephen Gallagher <sgallagh@redhat.com>
Copyright (C) 2011 Red Hat
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include "providers/ipa/ipa_hbac_private.h"
#include "providers/ipa/ipa_hbac.h"
#include "providers/ipa/ipa_common.h"
struct sysdb_attrs **list)
{
int ret;
size_t c;
const char *object_name;
struct ldb_message_element *el;
return ENOMEM;
}
if (delete_subdir) {
goto done;
}
goto done;
}
}
for (c = 0; c < count; c++) {
goto done;
}
if (el->num_values == 0) {
goto done;
}
if (object_name == NULL) {
goto done;
}
list[c]);
goto done;
}
}
done:
return ret;
}
const char *primary_subdir, const char *attr_name,
const char *group_subdir, const char *groupattr_name,
{
int lret;
bool in_transaction = false;
const char **orig_member_dns;
size_t i, j, member_count;
struct ldb_message **members;
const char *member_dn;
const char *group_id;
struct ldb_message *msg;
char *member_filter;
/* There always has to be at least one
* primary entry.
*/
return EINVAL;
}
/* Save the entries and groups to the cache */
in_transaction = true;
/* First, save the specific entries */
primary);
goto done;
}
/* Second, save the groups */
if (group_count > 0) {
groups);
goto done;
}
/* Third, save the memberships */
for (i = 0; i < group_count; i++) {
if (!groups[i]) {
goto done;
}
goto done;
}
&group_id);
goto done;
}
goto done;
}
goto done;
}
if (lret != LDB_SUCCESS) {
goto done;
}
goto done;
}
for (j = 0; orig_member_dns[j]; j++) {
orig_member_dns[j]);
if (member_filter == NULL) {
goto done;
}
goto done;
/* No member exists with this orig_dn. Skip it */
continue;
} else if (member_count > 1) {
/* This probably means corruption in the cache, but
* we'll try to proceed anyway.
*/
continue;
}
if (!member_dn) {
goto done;
}
if (lret != LDB_SUCCESS) {
goto done;
}
}
if (lret != LDB_SUCCESS) {
goto done;
}
}
}
in_transaction = false;
done:
if (in_transaction) {
DEBUG(0, ("Could not cancel sysdb transaction\n"));
}
}
}
return ret;
}
replace_attribute_name(const char *old_name,
struct sysdb_attrs **list)
{
int ret;
int i;
for (i = 0; i < count; i++) {
return ret;
}
}
return EOK;
}
/********************************************
* Functions for handling conversion to the *
* HBAC evaluator format *
********************************************/
static errno_t
static errno_t
struct hbac_eval_req **request);
struct hbac_eval_req **request)
{
struct hbac_eval_req *new_request;
size_t i;
/* First create an array of rules */
goto done;
}
/* Create each rule one at a time */
for (i = 0; i < hbac_ctx->rule_count ; i++) {
goto done;
goto done;
}
}
/* Create the eval request */
goto done;
}
done:
return ret;
}
static errno_t
{
struct ldb_message_element *el;
const char *rule_type;
} else {
}
goto done;
}
&rule_type);
goto done;
}
/* Get the users */
goto done;
}
/* Get the services */
goto done;
}
/* Get the target hosts */
&new_rule->targethosts);
goto done;
}
/* Get the source hosts */
goto done;
}
done:
return ret;
}
const char *category_attr,
{
size_t i;
const char **categories;
tmp_ctx, &categories);
for (i = 0; categories[i]; i++) {
continue;
}
categories[i]));
}
}
*_categories = cats;
done:
return ret;
}
static errno_t
struct sss_domain_info *domain,
const char *username,
struct hbac_request_element **user_element);
static errno_t
struct sss_domain_info *domain,
const char *hostname,
struct hbac_request_element **svc_element);
static errno_t
struct sss_domain_info *domain,
const char *hostname,
struct hbac_request_element **host_element);
static errno_t
struct hbac_eval_req **request)
{
struct hbac_eval_req *eval_req;
const char *rhost;
const char *thost;
goto done;
}
/* Get user the user name and groups */
/* Get the PAM service and service groups */
/* Get the source host */
/* If we haven't been passed an rhost,
* the rhost is unknown. This will fail
* to match any rule requiring the
* source host.
*/
} else {
}
/* The target host is always the current machine */
goto done;
}
done:
return ret;
}
static errno_t
struct sss_domain_info *domain,
const char *username,
struct hbac_request_element **user_element)
{
unsigned int i;
unsigned int num_groups = 0;
const char *member_dn;
struct hbac_request_element *users;
struct ldb_message *msg;
struct ldb_message_element *el;
goto done;
}
/* Read the originalMemberOf attribute
* This will give us the list of both POSIX and
* non-POSIX groups that this user belongs to.
*/
goto done;
}
goto done;
}
goto done;
}
goto done;
}
for (i = 0; i < el->num_values; i++) {
goto done;
num_groups++;
continue;
}
/* Skip entries that are not groups */
}
/* Shrink the array memory */
num_groups+1);
goto done;
}
}
done:
}
return ret;
}
static errno_t
struct sss_domain_info *domain,
const char *hostname,
struct hbac_request_element **svc_element)
{
struct hbac_request_element *svc;
struct ldb_message **msgs;
const char *group_name;
const char *service_filter;
goto done;
}
"(objectClass=%s)",
if (service_filter == NULL) {
goto done;
}
goto done;
}
/* Find the service groups */
goto done;
count = 0;
}
goto done;
}
for (i = 0; i < count; i++) {
if (group_name == NULL) {
goto done;
}
goto done;
}
}
done:
return ret;
}
static errno_t
struct sss_domain_info *domain,
const char *hostname,
struct hbac_request_element **host_element)
{
struct hbac_request_element *host;
struct ldb_message **msgs;
const char *group_name;
const char *host_filter;
goto done;
}
/* We don't know the host (probably an rhost)
* So we can't determine it's groups either.
*/
goto done;
}
goto done;
}
"(objectClass=%s)",
if (host_filter == NULL) {
goto done;
}
goto done;
}
/* Find the host groups */
goto done;
count = 0;
}
goto done;
}
for (i = 0; i < count; i++) {
NULL);
if (group_name == NULL) {
goto done;
}
goto done;
}
}
done:
}
return ret;
}