ipa_hbac_common.c revision 2ce00e0d3896bb42db169d1e79553a81ca837a22
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi Stephen Gallagher <sgallagh@redhat.com>
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi Copyright (C) 2011 Red Hat
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi This program is free software; you can redistribute it and/or modify
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi it under the terms of the GNU General Public License as published by
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi the Free Software Foundation; either version 3 of the License, or
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi (at your option) any later version.
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi This program is distributed in the hope that it will be useful,
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi but WITHOUT ANY WARRANTY; without even the implied warranty of
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi GNU General Public License for more details.
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi You should have received a copy of the GNU General Public License
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi along with this program. If not, see <http://www.gnu.org/licenses/>.
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomiipa_hbac_save_list(struct sysdb_ctx *sysdb, bool delete_subdir,
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi const char *subdir, struct sss_domain_info *domain,
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi base_dn = sysdb_custom_subtree_dn(sysdb, tmp_ctx, domain, subdir);
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi ret = sysdb_delete_recursive(sysdb, base_dn, true);
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi for (c = 0; c < count; c++) {
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi ret = sysdb_attrs_get_el(list[c], naming_attribute, &el);
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi DEBUG(1, ("[%s] not found.\n", naming_attribute));
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi object_name = talloc_strndup(tmp_ctx, (const char *)el->values[0].data,
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi ret = sysdb_store_custom(sysdb, object_name, subdir, list[c]);
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomiipa_hbac_sysdb_save(struct sysdb_ctx *sysdb, struct sss_domain_info *domain,
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi const char *primary_subdir, const char *attr_name,
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi size_t primary_count, struct sysdb_attrs **primary,
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi const char *group_subdir, const char *groupattr_name,
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi /* There always has to be at least one
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi * primary entry.
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi /* Save the entries and groups to the cache */
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi DEBUG(SSSDBG_CRIT_FAILURE, ("Failed to start transaction\n"));
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi /* First, save the specific entries */
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi /* Second, save the groups */
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi DEBUG(SSSDBG_CRIT_FAILURE, ("Failed to commit transaction\n"));
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi DEBUG(0, ("Could not cancel sysdb transaction\n"));
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi DEBUG(3, ("Error [%d][%s]\n", ret, strerror(ret)));
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi for (i = 0; i < count; i++) {
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi ret = sysdb_attrs_replace_name(list[i], old_name, new_name);
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomicreate_empty_grouplist(struct hbac_request_element *el)
5efce910194a73988c098c31098576cb1fcb1c8bAki Tuomi/********************************************
5efce910194a73988c098c31098576cb1fcb1c8bAki Tuomi * Functions for handling conversion to the *
5efce910194a73988c098c31098576cb1fcb1c8bAki Tuomi * HBAC evaluator format *
5efce910194a73988c098c31098576cb1fcb1c8bAki Tuomi ********************************************/
5efce910194a73988c098c31098576cb1fcb1c8bAki Tuomi /* First create an array of rules */
5efce910194a73988c098c31098576cb1fcb1c8bAki Tuomi new_rules = talloc_array(tmp_ctx, struct hbac_rule *,
5efce910194a73988c098c31098576cb1fcb1c8bAki Tuomi /* Create each rule one at a time */
5efce910194a73988c098c31098576cb1fcb1c8bAki Tuomi ret = hbac_attrs_to_rule(new_rules, hbac_ctx, i, &(new_rules[i]));
5efce910194a73988c098c31098576cb1fcb1c8bAki Tuomi /* Create the eval request */
5efce910194a73988c098c31098576cb1fcb1c8bAki Tuomi ret = hbac_ctx_to_eval_request(tmp_ctx, hbac_ctx, &new_request);
5efce910194a73988c098c31098576cb1fcb1c8bAki Tuomi new_rule = talloc_zero(mem_ctx, struct hbac_rule);
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi DEBUG(4, ("rule has no name, assuming '(none)'.\n"));
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi new_rule->name = talloc_strdup(new_rule, "(none)");
401160c5ca4c3c8f122f437d00f5e4498243d7bfMartti Rannanjärvi DEBUG(7, ("Processing rule [%s]\n", new_rule->name));
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi ret = sysdb_attrs_get_bool(hbac_ctx->rules[idx], IPA_ENABLED_FLAG,
cce36a2c5573e4c69b01b163b08e6c8586c56aa6Aki Tuomi ret = sysdb_attrs_get_string(hbac_ctx->rules[idx],
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi DEBUG(7, ("Rule [%s] is not an ALLOW rule\n", new_rule->name));
6b136bb200a5f803d0ef5af225ad891e862b6b75Timo Sirainen /* Get the users */
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi DEBUG(1, ("Could not parse users for rule [%s]\n",
5efce910194a73988c098c31098576cb1fcb1c8bAki Tuomi /* Get the services */
5efce910194a73988c098c31098576cb1fcb1c8bAki Tuomi DEBUG(1, ("Could not parse services for rule [%s]\n",
5efce910194a73988c098c31098576cb1fcb1c8bAki Tuomi /* Get the target hosts */
5efce910194a73988c098c31098576cb1fcb1c8bAki Tuomi DEBUG(1, ("Could not parse target hosts for rule [%s]\n",
5efce910194a73988c098c31098576cb1fcb1c8bAki Tuomi /* Get the source hosts */
5efce910194a73988c098c31098576cb1fcb1c8bAki Tuomi DEBUG(1, ("Could not parse source hosts for rule [%s]\n",
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi const char **categories;
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi ret = sysdb_attrs_get_string_array(attrs, category_attr,
401160c5ca4c3c8f122f437d00f5e4498243d7bfMartti Rannanjärvi if (ret != EOK && ret != ENOENT) goto done;
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi for (i = 0; categories[i]; i++) {
401160c5ca4c3c8f122f437d00f5e4498243d7bfMartti Rannanjärvi DEBUG(5, ("Category is set to 'all'.\n"));
fadd4c92940c10a01556e1ebcb2f17890b35d7bcMartti Rannanjärvi struct hbac_request_element **host_element);
5efce910194a73988c098c31098576cb1fcb1c8bAki Tuomi struct sysdb_ctx *sysdb = hbac_ctx_sysdb(hbac_ctx);
5efce910194a73988c098c31098576cb1fcb1c8bAki Tuomi struct sss_domain_info *domain = hbac_ctx_be(hbac_ctx)->domain;
5efce910194a73988c098c31098576cb1fcb1c8bAki Tuomi const char *rhost;
fba8aa9864290ef74486cb2333220180f6bd1de9Martti Rannanjärvi eval_req = talloc_zero(tmp_ctx, struct hbac_eval_req);
fba8aa9864290ef74486cb2333220180f6bd1de9Martti Rannanjärvi /* Get user the user name and groups,
fba8aa9864290ef74486cb2333220180f6bd1de9Martti Rannanjärvi * take care of subdomain users as well */
fba8aa9864290ef74486cb2333220180f6bd1de9Martti Rannanjärvi if (strcasecmp(pd->domain, domain->name) != 0) {
fba8aa9864290ef74486cb2333220180f6bd1de9Martti Rannanjärvi user_dom = new_subdomain(tmp_ctx, domain, pd->domain, NULL, NULL);
fba8aa9864290ef74486cb2333220180f6bd1de9Martti Rannanjärvi DEBUG(SSSDBG_OP_FAILURE, ("new_subdomain failed.\n"));
fba8aa9864290ef74486cb2333220180f6bd1de9Martti Rannanjärvi ret = hbac_eval_user_element(eval_req, user_dom->sysdb, user_dom,
fba8aa9864290ef74486cb2333220180f6bd1de9Martti Rannanjärvi ret = hbac_eval_user_element(eval_req, sysdb, domain,
5efce910194a73988c098c31098576cb1fcb1c8bAki Tuomi /* Get the PAM service and service groups */
5efce910194a73988c098c31098576cb1fcb1c8bAki Tuomi ret = hbac_eval_service_element(eval_req, sysdb, domain,
5efce910194a73988c098c31098576cb1fcb1c8bAki Tuomi /* Get the source host */
5efce910194a73988c098c31098576cb1fcb1c8bAki Tuomi /* If we haven't been passed an rhost,
5efce910194a73988c098c31098576cb1fcb1c8bAki Tuomi * the rhost is unknown. This will fail
5efce910194a73988c098c31098576cb1fcb1c8bAki Tuomi * to match any rule requiring the
5efce910194a73988c098c31098576cb1fcb1c8bAki Tuomi * source host.
5efce910194a73988c098c31098576cb1fcb1c8bAki Tuomi ret = hbac_eval_host_element(eval_req, sysdb, domain,
5efce910194a73988c098c31098576cb1fcb1c8bAki Tuomi /* The target host is always the current machine */
5efce910194a73988c098c31098576cb1fcb1c8bAki Tuomi thost = dp_opt_get_cstring(hbac_ctx->ipa_options, IPA_HOSTNAME);
5efce910194a73988c098c31098576cb1fcb1c8bAki Tuomi DEBUG(1, ("Missing ipa_hostname, this should never happen.\n"));
5efce910194a73988c098c31098576cb1fcb1c8bAki Tuomi ret = hbac_eval_host_element(eval_req, sysdb, domain,
5efce910194a73988c098c31098576cb1fcb1c8bAki Tuomi unsigned int i;
5efce910194a73988c098c31098576cb1fcb1c8bAki Tuomi unsigned int num_groups = 0;
5efce910194a73988c098c31098576cb1fcb1c8bAki Tuomi const char *attrs[] = { SYSDB_ORIG_MEMBEROF, NULL };
58562739e57d14eeced3bc5923d7f907b6df4ab2Martti Rannanjärvi users = talloc_zero(tmp_ctx, struct hbac_request_element);
58562739e57d14eeced3bc5923d7f907b6df4ab2Martti Rannanjärvi /* Read the originalMemberOf attribute
58562739e57d14eeced3bc5923d7f907b6df4ab2Martti Rannanjärvi * This will give us the list of both POSIX and
58562739e57d14eeced3bc5923d7f907b6df4ab2Martti Rannanjärvi * non-POSIX groups that this user belongs to.
58562739e57d14eeced3bc5923d7f907b6df4ab2Martti Rannanjärvi ret = sysdb_search_user_by_name(tmp_ctx, sysdb, domain,
58562739e57d14eeced3bc5923d7f907b6df4ab2Martti Rannanjärvi DEBUG(1, ("Could not determine user memberships for [%s]\n",
58562739e57d14eeced3bc5923d7f907b6df4ab2Martti Rannanjärvi el = ldb_msg_find_element(msg, SYSDB_ORIG_MEMBEROF);
58562739e57d14eeced3bc5923d7f907b6df4ab2Martti Rannanjärvi DEBUG(7, ("No groups for [%s]\n", users->name));
58562739e57d14eeced3bc5923d7f907b6df4ab2Martti Rannanjärvi DEBUG(7, ("[%d] groups for [%s]\n", el->num_values, users->name));
58562739e57d14eeced3bc5923d7f907b6df4ab2Martti Rannanjärvi users->groups = talloc_array(users, const char *, el->num_values + 1);
0be99975517967a2a074bf55de39aae65fe893c6Martti Rannanjärvi member_dn = (const char *)el->values[i].data;
0be99975517967a2a074bf55de39aae65fe893c6Martti Rannanjärvi ret = get_ipa_groupname(users->groups, sysdb, member_dn,
0be99975517967a2a074bf55de39aae65fe893c6Martti Rannanjärvi DEBUG(3, ("Parse error on [%s]\n", member_dn));
0be99975517967a2a074bf55de39aae65fe893c6Martti Rannanjärvi DEBUG(7, ("Added group [%s] for user [%s]\n",
0be99975517967a2a074bf55de39aae65fe893c6Martti Rannanjärvi users->groups[num_groups], users->name));
0be99975517967a2a074bf55de39aae65fe893c6Martti Rannanjärvi /* Skip entries that are not groups */
0be99975517967a2a074bf55de39aae65fe893c6Martti Rannanjärvi DEBUG(8, ("Skipping non-group memberOf [%s]\n", member_dn));
0be99975517967a2a074bf55de39aae65fe893c6Martti Rannanjärvi /* Shrink the array memory */
0be99975517967a2a074bf55de39aae65fe893c6Martti Rannanjärvi users->groups = talloc_realloc(users, users->groups, const char *,
0be99975517967a2a074bf55de39aae65fe893c6Martti Rannanjärvi *user_element = talloc_steal(mem_ctx, users);
0be99975517967a2a074bf55de39aae65fe893c6Martti Rannanjärvihbac_eval_service_element(TALLOC_CTX *mem_ctx,
401160c5ca4c3c8f122f437d00f5e4498243d7bfMartti Rannanjärvi struct hbac_request_element **svc_element)
5efce910194a73988c098c31098576cb1fcb1c8bAki Tuomi const char *memberof_attrs[] = { SYSDB_ORIG_MEMBEROF, NULL };
5efce910194a73988c098c31098576cb1fcb1c8bAki Tuomi svc = talloc_zero(tmp_ctx, struct hbac_request_element);
0be99975517967a2a074bf55de39aae65fe893c6Martti Rannanjärvi domain, svc->name, HBAC_SERVICES_SUBDIR);
5efce910194a73988c098c31098576cb1fcb1c8bAki Tuomi /* Look up the service to get its originalMemberOf entries */
goto done;
goto done;
goto done;
if (!el) {
goto done;
goto done;
&name);
done:
return ret;
static errno_t
const char *hostname,
char *name;
goto done;
goto done;
goto done;
goto done;
goto done;
goto done;
if (!el) {
goto done;
goto done;
&name);
done:
return ret;