ipa_hbac_hosts.c revision 6fb75e297bf7fc83e3db1f5ae8560624656ef319
/*
SSSD
Authors:
Stephen Gallagher <sgallagh@redhat.com>
Copyright (C) 2011 Red Hat
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include "providers/ipa/ipa_hbac_private.h"
#include "providers/ldap/sdap_async.h"
struct ipa_hbac_host_state {
struct tevent_context *ev;
struct sdap_handle *sh;
struct sdap_options *opts;
const char *search_base;
const char **attrs;
bool support_srchost;
const char *hostname;
/* Return values */
struct sysdb_attrs **hosts;
struct sysdb_attrs **hostgroups;
struct sdap_attr_map_info *hostgroup_map;
};
#define HOSTGROUP_MAP_ATTRS_COUNT 5
static struct sdap_attr_map hostgroup_map[] = {
};
static void
static void
struct tevent_req *
struct tevent_context *ev,
struct sdap_handle *sh,
struct sdap_options *opts,
bool support_srchost,
const char *hostname,
const char *search_base)
{
struct ipa_hbac_host_state *state;
struct tevent_req *req;
struct tevent_req *subreq;
char *host_filter;
return NULL;
}
if (support_srchost) {
} else {
goto immediate;
}
}
if (host_filter == NULL) {
goto immediate;
}
goto immediate;
}
goto immediate;
}
return req;
} else {
}
return req;
}
static void
{
struct tevent_req *req =
struct ipa_hbac_host_state *state =
char *hostgroup_filter;
const char *host_dn;
int i;
&state->host_count,
return;
}
if (state->host_count == 0) {
return;
}
return;
}
/* Complete the map */
for (i = 0; i < HOSTGROUP_MAP_ATTRS_COUNT; i++) {
/* These are allocated on the state, so the next time they'll
* have to be allocated again
*/
hostgroup_map[i].def_name);
return;
}
}
/* Look up host groups */
if (state->support_srchost) {
if (hostgroup_filter == NULL) {
return;
}
return;
}
} else {
return;
}
return;
}
return;
}
}
}
static void
{
struct tevent_req *req =
struct ipa_hbac_host_state *state =
struct sdap_deref_attrs **deref_result;
const char *hostgroup_name;
int i;
if (state->support_srchost) {
&state->hostgroups);
} else {
&deref_result);
if (state->hostgroup_count == 0) {
} else {
goto done;
}
for (i = 0; i < state->hostgroup_count; i++) {
IPA_CN, &hostgroup_name);
deref_result[i]->attrs);
}
}
}
done:
} else {
}
}
struct sysdb_attrs ***hosts,
struct sysdb_attrs ***hostgroups)
{
size_t c;
struct ipa_hbac_host_state *state =
for (c = 0; c < state->host_count; c++) {
/* Guarantee the memory hierarchy of the list */
}
return EOK;
}
/*
* Functions to convert sysdb_attrs to the hbac_rule format
*/
const char *rule_name,
struct sysdb_attrs *rule_attrs,
const char *category_attr,
const char *member_attr,
struct hbac_rule_element **hosts)
{
struct hbac_rule_element *new_hosts;
struct ldb_message_element *el;
size_t num_hostgroups = 0;
size_t i;
char *member_dn;
char *filter;
struct ldb_message **msgs;
const char *name;
goto done;
}
/* First check for host category */
goto done;
}
/* Short-cut to the exit */
goto done;
}
/* Get the list of DNs from the member_attr */
goto done;
}
el->num_values = 0;
}
/* Assume maximum size; We'll trim it later */
const char *,
goto done;
}
const char *,
goto done;
}
for (i = 0; i < el->num_values; i++) {
&member_dn);
goto done;
}
/* First check if this is a specific host */
}
if (count > 1) {
continue;
}
/* Original DN matched a single host. Get the hostname */
NULL);
goto done;
}
name);
goto done;
}
num_hosts++;
} else { /* ret == ENOENT */
/* Check if this is a hostgroup */
}
if (count > 1) {
"Skipping\n"));
continue;
}
/* Original DN matched a single group. Get the groupname */
goto done;
}
goto done;
}
} else { /* ret == ENOENT */
/* Neither a host nor a hostgroup? Skip it */
"Skipping\n", member_dn));
}
}
}
/* Shrink the arrays down to their real sizes */
const char *, num_hosts + 1);
goto done;
}
const char *, num_hostgroups + 1);
goto done;
}
done:
}
return ret;
}
const char *rule_name,
struct sysdb_attrs *rule_attrs,
struct hbac_rule_element **thosts)
{
}
const char *rule_name,
struct sysdb_attrs *rule_attrs,
bool support_srchost,
struct hbac_rule_element **source_hosts)
{
struct ldb_message_element *el;
struct hbac_rule_element *shosts;
if (!support_srchost) {
goto done;
}
goto done;
}
&host_count, &shosts);
goto done;
}
/* All hosts (including external) are
* allowed.
*/
goto done;
}
/* Include external (non-IPA-managed) source hosts */
goto done;
}
goto done;
}
}
}
done:
}
return ret;
}
const char *host_dn,
char **hostgroupname)
{
const char *rdn_name;
const char *hostgroup_comp_name;
const char *account_comp_name;
const struct ldb_val *hostgroup_comp_val;
const struct ldb_val *account_comp_val;
/* This is an IPA-specific hack. It may not
* work for non-IPA servers and will need to
* be changed if SSSD ever supports HBAC on
* a non-IPA server.
*/
*hostgroupname = NULL;
goto done;
}
if (!ldb_dn_validate(dn)) {
goto done;
}
/* RDN, hostgroups, accounts, and at least one DC= */
/* If it's fewer, it's not a group DN */
goto done;
}
/* If the RDN name is 'cn' */
/* Shouldn't happen if ldb_dn_validate()
* passed, but we'll be careful.
*/
goto done;
}
/* RDN has the wrong attribute name.
* It's not a host.
*/
goto done;
}
/* and the second component is "cn=hostgroups" */
/* The second component name is not "cn" */
goto done;
}
if (strncasecmp("hostgroups",
(const char *) hostgroup_comp_val->data,
hostgroup_comp_val->length) != 0) {
/* The second component value is not "hostgroups".
 * NOTE(review): the compare above is bounded by the component's
 * own length, so a shorter value that is a prefix of "hostgroups"
 * (e.g. "host") would also pass this check; requiring the length
 * to equal strlen("hostgroups") would make it an exact match. */
goto done;
}
/* and the third component is "accounts" */
/* The third component name is not "cn" */
goto done;
}
if (strncasecmp("accounts",
(const char *) account_comp_val->data,
account_comp_val->length) != 0) {
/* The third component value is not "accounts".
 * NOTE(review): as with the "hostgroups" check, this is a bounded
 * compare over the component's length, so a shorter prefix of
 * "accounts" would also pass; an exact-length check is stricter. */
goto done;
}
/* Then the value of the RDN is the group name */
if (*hostgroupname == NULL) {
goto done;
}
done:
return ret;
}