providers/ipa/ipa_hbac_rules.c

e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher/*
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    SSSD
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    Authors:
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher        Stephen Gallagher <sgallagh@redhat.com>
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    Copyright (C) 2011 Red Hat
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    This program is free software; you can redistribute it and/or modify
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    it under the terms of the GNU General Public License as published by
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    the Free Software Foundation; either version 3 of the License, or
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    (at your option) any later version.
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    This program is distributed in the hope that it will be useful,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    but WITHOUT ANY WARRANTY; without even the implied warranty of
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    GNU General Public License for more details.
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    You should have received a copy of the GNU General Public License
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    along with this program.  If not, see <http://www.gnu.org/licenses/>.
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher*/
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher#include "util/util.h"
21909d3b620d97e81dd946b959a47efe88d2b7d8Fabiano Fidêncio#include "providers/ipa/ipa_rules_common.h"
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher#include "providers/ipa/ipa_hbac_private.h"
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny#include "providers/ipa/ipa_hbac_rules.h"
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher#include "providers/ldap/sdap_async.h"
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagherstruct ipa_hbac_rule_state {
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    struct tevent_context *ev;
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    struct sdap_handle *sh;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    struct sdap_options *opts;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    int search_base_iter;
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    struct sdap_search_base **search_bases;
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    const char **attrs;
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    char *rules_filter;
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    char *cur_filter;
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    size_t rule_count;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    struct sysdb_attrs **rules;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher};
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
71ad247500b417836a1a2edec257a4433a7c415fJan Zelenystatic errno_t
71ad247500b417836a1a2edec257a4433a7c415fJan Zelenyipa_hbac_rule_info_next(struct tevent_req *req,
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny                        struct ipa_hbac_rule_state *state);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagherstatic void
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagheripa_hbac_rule_info_done(struct tevent_req *subreq);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagherstruct tevent_req *
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagheripa_hbac_rule_info_send(TALLOC_CTX *mem_ctx,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher                        struct tevent_context *ev,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher                        struct sdap_handle *sh,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher                        struct sdap_options *opts,
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny                        struct sdap_search_base **search_bases,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher                        struct sysdb_attrs *ipa_host)
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher{
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    errno_t ret;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    size_t i;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    struct tevent_req *req = NULL;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    struct ipa_hbac_rule_state *state;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    const char *host_dn;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    char *host_dn_clean;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    char *host_group_clean;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    char *rule_filter;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    const char **memberof_list;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
b054e7d8c43b024ee33e9343b4a15e124861f68cFabiano Fidêncio    req = tevent_req_create(mem_ctx, &state, struct ipa_hbac_rule_state);
b054e7d8c43b024ee33e9343b4a15e124861f68cFabiano Fidêncio    if (req == NULL) {
b054e7d8c43b024ee33e9343b4a15e124861f68cFabiano Fidêncio        DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create failed.\n");
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher        return NULL;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
b054e7d8c43b024ee33e9343b4a15e124861f68cFabiano Fidêncio    if (ipa_host == NULL) {
b054e7d8c43b024ee33e9343b4a15e124861f68cFabiano Fidêncio        ret = EINVAL;
b054e7d8c43b024ee33e9343b4a15e124861f68cFabiano Fidêncio        DEBUG(SSSDBG_CRIT_FAILURE, "Missing host\n");
b054e7d8c43b024ee33e9343b4a15e124861f68cFabiano Fidêncio        goto immediate;
b054e7d8c43b024ee33e9343b4a15e124861f68cFabiano Fidêncio    }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    ret = sysdb_attrs_get_string(ipa_host, SYSDB_ORIG_DN, &host_dn);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    if (ret != EOK) {
83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov        DEBUG(SSSDBG_CRIT_FAILURE, "Could not identify IPA hostname\n");
b054e7d8c43b024ee33e9343b4a15e124861f68cFabiano Fidêncio        goto immediate;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
b054e7d8c43b024ee33e9343b4a15e124861f68cFabiano Fidêncio    ret = sss_filter_sanitize(state, host_dn, &host_dn_clean);
b054e7d8c43b024ee33e9343b4a15e124861f68cFabiano Fidêncio    if (ret != EOK) goto immediate;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    state->ev = ev;
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    state->sh = sh;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    state->opts = opts;
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    state->search_bases = search_bases;
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    state->search_base_iter = 0;
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    state->attrs = talloc_zero_array(state, const char *, 15);
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    if (state->attrs == NULL) {
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny        ret = ENOMEM;
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny        goto immediate;
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    }
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    state->attrs[0] = OBJECTCLASS;
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    state->attrs[1] = IPA_CN;
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    state->attrs[2] = IPA_UNIQUE_ID;
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    state->attrs[3] = IPA_ENABLED_FLAG;
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    state->attrs[4] = IPA_ACCESS_RULE_TYPE;
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    state->attrs[5] = IPA_MEMBER_USER;
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    state->attrs[6] = IPA_USER_CATEGORY;
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    state->attrs[7] = IPA_MEMBER_SERVICE;
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    state->attrs[8] = IPA_SERVICE_CATEGORY;
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    state->attrs[9] = IPA_SOURCE_HOST;
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    state->attrs[10] = IPA_SOURCE_HOST_CATEGORY;
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    state->attrs[11] = IPA_EXTERNAL_HOST;
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    state->attrs[12] = IPA_MEMBER_HOST;
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    state->attrs[13] = IPA_HOST_CATEGORY;
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    state->attrs[14] = NULL;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
b054e7d8c43b024ee33e9343b4a15e124861f68cFabiano Fidêncio    rule_filter = talloc_asprintf(state,
6dff95bdfe437afc0b62b5270d0d84140981c786Jakub Hrozek                                  "(&(objectclass=%s)"
6dff95bdfe437afc0b62b5270d0d84140981c786Jakub Hrozek                                  "(%s=%s)(%s=%s)"
6dff95bdfe437afc0b62b5270d0d84140981c786Jakub Hrozek                                  "(|(%s=%s)(%s=%s)",
6dff95bdfe437afc0b62b5270d0d84140981c786Jakub Hrozek                                  IPA_HBAC_RULE,
6dff95bdfe437afc0b62b5270d0d84140981c786Jakub Hrozek                                  IPA_ENABLED_FLAG, IPA_TRUE_VALUE,
6dff95bdfe437afc0b62b5270d0d84140981c786Jakub Hrozek                                  IPA_ACCESS_RULE_TYPE, IPA_HBAC_ALLOW,
6dff95bdfe437afc0b62b5270d0d84140981c786Jakub Hrozek                                  IPA_HOST_CATEGORY, "all",
6dff95bdfe437afc0b62b5270d0d84140981c786Jakub Hrozek                                  IPA_MEMBER_HOST, host_dn_clean);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    if (rule_filter == NULL) {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher        ret = ENOMEM;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher        goto immediate;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    /* Add all parent groups of ipa_hostname to the filter */
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    ret = sysdb_attrs_get_string_array(ipa_host, SYSDB_ORIG_MEMBEROF,
b054e7d8c43b024ee33e9343b4a15e124861f68cFabiano Fidêncio                                       state, &memberof_list);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    if (ret != EOK && ret != ENOENT) {
87f8bee53ee1b4ca87b602ff8536bc5fd5b5b595Lukas Slebodnik        DEBUG(SSSDBG_CRIT_FAILURE, "Could not identify.\n");
4b37ee7d370003514916c793046577ea4b6e736bFabiano Fidêncio    } else if (ret == ENOENT) {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher        /* This host is not a member of any hostgroups */
b054e7d8c43b024ee33e9343b4a15e124861f68cFabiano Fidêncio        memberof_list = talloc_array(state, const char *, 1);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher        if (memberof_list == NULL) {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher            ret = ENOMEM;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher            goto immediate;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher        }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher        memberof_list[0] = NULL;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    for (i = 0; memberof_list[i]; i++) {
b054e7d8c43b024ee33e9343b4a15e124861f68cFabiano Fidêncio        ret = sss_filter_sanitize(state,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher                                  memberof_list[i],
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher                                  &host_group_clean);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher        if (ret != EOK) goto immediate;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher        rule_filter = talloc_asprintf_append(rule_filter, "(%s=%s)",
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher                                             IPA_MEMBER_HOST,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher                                             host_group_clean);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher        if (rule_filter == NULL) {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher            ret = ENOMEM;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher            goto immediate;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher        }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    rule_filter = talloc_asprintf_append(rule_filter, "))");
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    if (rule_filter == NULL) {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher        ret = ENOMEM;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher        goto immediate;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    }
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    state->rules_filter = talloc_steal(state, rule_filter);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    ret = ipa_hbac_rule_info_next(req, state);
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    if (ret != EAGAIN) {
dd6a4fb9ae4825caf4ccb835f8b8221c96bbb6f5Fabiano Fidêncio        if (ret == EOK) {
dd6a4fb9ae4825caf4ccb835f8b8221c96bbb6f5Fabiano Fidêncio            /* ipa_hbac_rule_info_next should always have a search base when
dd6a4fb9ae4825caf4ccb835f8b8221c96bbb6f5Fabiano Fidêncio             * called for the first time.
dd6a4fb9ae4825caf4ccb835f8b8221c96bbb6f5Fabiano Fidêncio             *
dd6a4fb9ae4825caf4ccb835f8b8221c96bbb6f5Fabiano Fidêncio             * For the subsequent iterations, not finding any more search bases
dd6a4fb9ae4825caf4ccb835f8b8221c96bbb6f5Fabiano Fidêncio             * is fine though (thus the function returns EOK).
dd6a4fb9ae4825caf4ccb835f8b8221c96bbb6f5Fabiano Fidêncio             *
dd6a4fb9ae4825caf4ccb835f8b8221c96bbb6f5Fabiano Fidêncio             * As, here, it's the first case happening, let's return EINVAL.
dd6a4fb9ae4825caf4ccb835f8b8221c96bbb6f5Fabiano Fidêncio             */
85a93ca67ae020607006cd035170c9360fb0a450Fabiano Fidêncio            DEBUG(SSSDBG_CRIT_FAILURE, "No search base found\n");
dd6a4fb9ae4825caf4ccb835f8b8221c96bbb6f5Fabiano Fidêncio            ret = EINVAL;
dd6a4fb9ae4825caf4ccb835f8b8221c96bbb6f5Fabiano Fidêncio        }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher        goto immediate;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    return req;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagherimmediate:
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    if (ret == EOK) {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher        tevent_req_done(req);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    } else {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher        tevent_req_error(req, ret);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    tevent_req_post(req, ev);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    return req;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher}
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
71ad247500b417836a1a2edec257a4433a7c415fJan Zelenystatic errno_t
71ad247500b417836a1a2edec257a4433a7c415fJan Zelenyipa_hbac_rule_info_next(struct tevent_req *req,
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny                        struct ipa_hbac_rule_state *state)
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny{
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    struct tevent_req *subreq;
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    struct sdap_search_base *base;
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    base = state->search_bases[state->search_base_iter];
c9e104f17b6c4cf5741dea9fdbe864619125fab1Fabiano Fidêncio    if (base == NULL) {
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny        return EOK;
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    }
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    talloc_zfree(state->cur_filter);
92ec40e6aa25f75903ffdb166a8ec56b67bfd77dPavel Březina    state->cur_filter = sdap_combine_filters(state, state->rules_filter,
92ec40e6aa25f75903ffdb166a8ec56b67bfd77dPavel Březina                                             base->filter);
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    if (state->cur_filter == NULL) {
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny        return ENOMEM;
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    }
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov    DEBUG(SSSDBG_TRACE_FUNC, "Sending request for next search base: "
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny                              "[%s][%d][%s]\n", base->basedn, base->scope,
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov                              state->cur_filter);
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    subreq = sdap_get_generic_send(state, state->ev, state->opts, state->sh,
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny                                   base->basedn, base->scope,
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny                                   state->cur_filter, state->attrs,
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny                                   NULL, 0,
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny                                   dp_opt_get_int(state->opts->basic,
2f3ee3f49019f5b60adbe073070f31e6e2d7c7abStephen Gallagher                                                  SDAP_ENUM_SEARCH_TIMEOUT),
2f3ee3f49019f5b60adbe073070f31e6e2d7c7abStephen Gallagher                                   true);
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    if (subreq == NULL) {
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov        DEBUG(SSSDBG_CRIT_FAILURE, "sdap_get_generic_send failed.\n");
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny        return ENOMEM;
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    }
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    tevent_req_set_callback(subreq, ipa_hbac_rule_info_done, req);
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    return EAGAIN;
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny}
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagherstatic void
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagheripa_hbac_rule_info_done(struct tevent_req *subreq)
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher{
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    errno_t ret;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    struct tevent_req *req =
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher            tevent_req_callback_data(subreq, struct tevent_req);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    struct ipa_hbac_rule_state *state =
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher            tevent_req_data(req, struct ipa_hbac_rule_state);
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    int i;
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    size_t rule_count;
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    size_t total_count;
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    struct sysdb_attrs **rules;
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    struct sysdb_attrs **target;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    ret = sdap_get_generic_recv(subreq, state,
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny                                &rule_count,
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny                                &rules);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    if (ret != EOK) {
83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov        DEBUG(SSSDBG_MINOR_FAILURE, "Could not retrieve HBAC rules\n");
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny        goto fail;
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    }
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    if (rule_count > 0) {
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny        total_count = rule_count + state->rule_count;
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny        state->rules = talloc_realloc(state, state->rules,
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny                                      struct sysdb_attrs *,
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny                                      total_count);
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny        if (state->rules == NULL) {
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny            ret = ENOMEM;
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny            goto fail;
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny        }
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny        i = 0;
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny        while (state->rule_count < total_count) {
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny            target = &state->rules[state->rule_count];
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny            *target = talloc_steal(state->rules, rules[i]);
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny            state->rule_count++;
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny            i++;
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny        }
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    }
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    state->search_base_iter++;
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    ret = ipa_hbac_rule_info_next(req, state);
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    if (ret == EAGAIN) {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher        return;
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    } else if (ret != EOK) {
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny        goto fail;
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    } else if (ret == EOK && state->rule_count == 0) {
85517b57685809ff96818bbd3e3b4678ac74b461Fabiano Fidêncio        DEBUG(SSSDBG_TRACE_FUNC, "No rules apply to this host\n");
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher        tevent_req_error(req, ENOENT);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher        return;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    /* We went through all search bases and we have some results */
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    tevent_req_done(req);
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    return;
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny
71ad247500b417836a1a2edec257a4433a7c415fJan Zelenyfail:
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    tevent_req_error(req, ret);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher}
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallaghererrno_t
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagheripa_hbac_rule_info_recv(struct tevent_req *req,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher                        TALLOC_CTX *mem_ctx,
684a13e8de1526257ca2e40b6bf2e05585d4eacaFabiano Fidêncio                        size_t *_rule_count,
684a13e8de1526257ca2e40b6bf2e05585d4eacaFabiano Fidêncio                        struct sysdb_attrs ***_rules)
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher{
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    struct ipa_hbac_rule_state *state =
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher            tevent_req_data(req, struct ipa_hbac_rule_state);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    TEVENT_REQ_RETURN_ON_ERROR(req);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
684a13e8de1526257ca2e40b6bf2e05585d4eacaFabiano Fidêncio    *_rule_count = state->rule_count;
684a13e8de1526257ca2e40b6bf2e05585d4eacaFabiano Fidêncio    *_rules = talloc_steal(mem_ctx, state->rules);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    return EOK;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher}