providers/ipa/ipa_hbac_rules.c

	ipa_hbac_rules.c revision 4b37ee7d370003514916c793046577ea4b6e736b
6bdda696b3ea703c47e87fea61017ec655f91d92nd/*
6bdda696b3ea703c47e87fea61017ec655f91d92nd    SSSD
6bdda696b3ea703c47e87fea61017ec655f91d92nd
6bdda696b3ea703c47e87fea61017ec655f91d92nd    Authors:
6bdda696b3ea703c47e87fea61017ec655f91d92nd        Stephen Gallagher <sgallagh@redhat.com>
6bdda696b3ea703c47e87fea61017ec655f91d92nd
6bdda696b3ea703c47e87fea61017ec655f91d92nd    Copyright (C) 2011 Red Hat
6bdda696b3ea703c47e87fea61017ec655f91d92nd
6bdda696b3ea703c47e87fea61017ec655f91d92nd    This program is free software; you can redistribute it and/or modify
6bdda696b3ea703c47e87fea61017ec655f91d92nd    it under the terms of the GNU General Public License as published by
0662ed52e814f8f08ef0e09956413a792584eddffuankg    the Free Software Foundation; either version 3 of the License, or
6bdda696b3ea703c47e87fea61017ec655f91d92nd    (at your option) any later version.
6bdda696b3ea703c47e87fea61017ec655f91d92nd
6bdda696b3ea703c47e87fea61017ec655f91d92nd    This program is distributed in the hope that it will be useful,
6bdda696b3ea703c47e87fea61017ec655f91d92nd    but WITHOUT ANY WARRANTY; without even the implied warranty of
6bdda696b3ea703c47e87fea61017ec655f91d92nd    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
6bdda696b3ea703c47e87fea61017ec655f91d92nd    GNU General Public License for more details.
6bdda696b3ea703c47e87fea61017ec655f91d92nd
6bdda696b3ea703c47e87fea61017ec655f91d92nd    You should have received a copy of the GNU General Public License
6bdda696b3ea703c47e87fea61017ec655f91d92nd    along with this program.  If not, see <http://www.gnu.org/licenses/>.
16b55a35cff91315d261d1baa776138af465c4e4fuankg*/
16b55a35cff91315d261d1baa776138af465c4e4fuankg
16b55a35cff91315d261d1baa776138af465c4e4fuankg#include "util/util.h"
6bdda696b3ea703c47e87fea61017ec655f91d92nd#include "providers/ipa/ipa_rules_common.h"
6bdda696b3ea703c47e87fea61017ec655f91d92nd#include "providers/ipa/ipa_hbac_private.h"
6bdda696b3ea703c47e87fea61017ec655f91d92nd#include "providers/ipa/ipa_hbac_rules.h"
6bdda696b3ea703c47e87fea61017ec655f91d92nd#include "providers/ldap/sdap_async.h"
6bdda696b3ea703c47e87fea61017ec655f91d92nd
6bdda696b3ea703c47e87fea61017ec655f91d92ndstruct ipa_hbac_rule_state {
6bdda696b3ea703c47e87fea61017ec655f91d92nd    struct tevent_context *ev;
6bdda696b3ea703c47e87fea61017ec655f91d92nd    struct sdap_handle *sh;
6bdda696b3ea703c47e87fea61017ec655f91d92nd    struct sdap_options *opts;
6bdda696b3ea703c47e87fea61017ec655f91d92nd
6bdda696b3ea703c47e87fea61017ec655f91d92nd    int search_base_iter;
6bdda696b3ea703c47e87fea61017ec655f91d92nd    struct sdap_search_base **search_bases;
6bdda696b3ea703c47e87fea61017ec655f91d92nd
6bdda696b3ea703c47e87fea61017ec655f91d92nd    const char **attrs;
6bdda696b3ea703c47e87fea61017ec655f91d92nd    char *rules_filter;
6bdda696b3ea703c47e87fea61017ec655f91d92nd    char *cur_filter;
6bdda696b3ea703c47e87fea61017ec655f91d92nd
6bdda696b3ea703c47e87fea61017ec655f91d92nd    size_t rule_count;
6bdda696b3ea703c47e87fea61017ec655f91d92nd    struct sysdb_attrs **rules;
6bdda696b3ea703c47e87fea61017ec655f91d92nd};
6bdda696b3ea703c47e87fea61017ec655f91d92nd
6bdda696b3ea703c47e87fea61017ec655f91d92ndstatic errno_t
6bdda696b3ea703c47e87fea61017ec655f91d92ndipa_hbac_rule_info_next(struct tevent_req *req,
6bdda696b3ea703c47e87fea61017ec655f91d92nd                        struct ipa_hbac_rule_state *state);
6bdda696b3ea703c47e87fea61017ec655f91d92ndstatic void
6bdda696b3ea703c47e87fea61017ec655f91d92ndipa_hbac_rule_info_done(struct tevent_req *subreq);
6bdda696b3ea703c47e87fea61017ec655f91d92nd
6bdda696b3ea703c47e87fea61017ec655f91d92ndstruct tevent_req *
6bdda696b3ea703c47e87fea61017ec655f91d92ndipa_hbac_rule_info_send(TALLOC_CTX *mem_ctx,
6bdda696b3ea703c47e87fea61017ec655f91d92nd                        struct tevent_context *ev,
6bdda696b3ea703c47e87fea61017ec655f91d92nd                        struct sdap_handle *sh,
6bdda696b3ea703c47e87fea61017ec655f91d92nd                        struct sdap_options *opts,
6bdda696b3ea703c47e87fea61017ec655f91d92nd                        struct sdap_search_base **search_bases,
6bdda696b3ea703c47e87fea61017ec655f91d92nd                        struct sysdb_attrs *ipa_host)
6bdda696b3ea703c47e87fea61017ec655f91d92nd{
ac7985784d08a3655291f24f711812b4d8b1cbcffuankg    errno_t ret;
6bdda696b3ea703c47e87fea61017ec655f91d92nd    size_t i;
6bdda696b3ea703c47e87fea61017ec655f91d92nd    struct tevent_req *req = NULL;
6bdda696b3ea703c47e87fea61017ec655f91d92nd    struct ipa_hbac_rule_state *state;
6bdda696b3ea703c47e87fea61017ec655f91d92nd    const char *host_dn;
6bdda696b3ea703c47e87fea61017ec655f91d92nd    char *host_dn_clean;
6bdda696b3ea703c47e87fea61017ec655f91d92nd    char *host_group_clean;
6bdda696b3ea703c47e87fea61017ec655f91d92nd    char *rule_filter;
6bdda696b3ea703c47e87fea61017ec655f91d92nd    const char **memberof_list;
6bdda696b3ea703c47e87fea61017ec655f91d92nd
6bdda696b3ea703c47e87fea61017ec655f91d92nd    req = tevent_req_create(mem_ctx, &state, struct ipa_hbac_rule_state);
6bdda696b3ea703c47e87fea61017ec655f91d92nd    if (req == NULL) {
6bdda696b3ea703c47e87fea61017ec655f91d92nd        DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create failed.\n");
6bdda696b3ea703c47e87fea61017ec655f91d92nd        return NULL;
ac7985784d08a3655291f24f711812b4d8b1cbcffuankg    }
6bdda696b3ea703c47e87fea61017ec655f91d92nd
6bdda696b3ea703c47e87fea61017ec655f91d92nd    if (ipa_host == NULL) {
6bdda696b3ea703c47e87fea61017ec655f91d92nd        ret = EINVAL;
6bdda696b3ea703c47e87fea61017ec655f91d92nd        DEBUG(SSSDBG_CRIT_FAILURE, "Missing host\n");
6bdda696b3ea703c47e87fea61017ec655f91d92nd        goto immediate;
6bdda696b3ea703c47e87fea61017ec655f91d92nd    }
6bdda696b3ea703c47e87fea61017ec655f91d92nd
6bdda696b3ea703c47e87fea61017ec655f91d92nd    ret = sysdb_attrs_get_string(ipa_host, SYSDB_ORIG_DN, &host_dn);
6bdda696b3ea703c47e87fea61017ec655f91d92nd    if (ret != EOK) {
6bdda696b3ea703c47e87fea61017ec655f91d92nd        DEBUG(SSSDBG_CRIT_FAILURE, "Could not identify IPA hostname\n");
6bdda696b3ea703c47e87fea61017ec655f91d92nd        goto immediate;
6bdda696b3ea703c47e87fea61017ec655f91d92nd    }
6bdda696b3ea703c47e87fea61017ec655f91d92nd
6bdda696b3ea703c47e87fea61017ec655f91d92nd    ret = sss_filter_sanitize(state, host_dn, &host_dn_clean);
6bdda696b3ea703c47e87fea61017ec655f91d92nd    if (ret != EOK) goto immediate;
6bdda696b3ea703c47e87fea61017ec655f91d92nd
6bdda696b3ea703c47e87fea61017ec655f91d92nd    state->ev = ev;
6bdda696b3ea703c47e87fea61017ec655f91d92nd    state->sh = sh;
6bdda696b3ea703c47e87fea61017ec655f91d92nd    state->opts = opts;
6bdda696b3ea703c47e87fea61017ec655f91d92nd    state->search_bases = search_bases;
6bdda696b3ea703c47e87fea61017ec655f91d92nd    state->search_base_iter = 0;
ac7985784d08a3655291f24f711812b4d8b1cbcffuankg    state->attrs = talloc_zero_array(state, const char *, 15);
6bdda696b3ea703c47e87fea61017ec655f91d92nd    if (state->attrs == NULL) {
6bdda696b3ea703c47e87fea61017ec655f91d92nd        ret = ENOMEM;
ac7985784d08a3655291f24f711812b4d8b1cbcffuankg        goto immediate;
6bdda696b3ea703c47e87fea61017ec655f91d92nd    }
6bdda696b3ea703c47e87fea61017ec655f91d92nd    state->attrs[0] = OBJECTCLASS;
6bdda696b3ea703c47e87fea61017ec655f91d92nd    state->attrs[1] = IPA_CN;
6bdda696b3ea703c47e87fea61017ec655f91d92nd    state->attrs[2] = IPA_UNIQUE_ID;
6bdda696b3ea703c47e87fea61017ec655f91d92nd    state->attrs[3] = IPA_ENABLED_FLAG;
6bdda696b3ea703c47e87fea61017ec655f91d92nd    state->attrs[4] = IPA_ACCESS_RULE_TYPE;
6bdda696b3ea703c47e87fea61017ec655f91d92nd    state->attrs[5] = IPA_MEMBER_USER;
6bdda696b3ea703c47e87fea61017ec655f91d92nd    state->attrs[6] = IPA_USER_CATEGORY;
6bdda696b3ea703c47e87fea61017ec655f91d92nd    state->attrs[7] = IPA_MEMBER_SERVICE;
6bdda696b3ea703c47e87fea61017ec655f91d92nd    state->attrs[8] = IPA_SERVICE_CATEGORY;
6bdda696b3ea703c47e87fea61017ec655f91d92nd    state->attrs[9] = IPA_SOURCE_HOST;
ac7985784d08a3655291f24f711812b4d8b1cbcffuankg    state->attrs[10] = IPA_SOURCE_HOST_CATEGORY;
0662ed52e814f8f08ef0e09956413a792584eddffuankg    state->attrs[11] = IPA_EXTERNAL_HOST;
6bdda696b3ea703c47e87fea61017ec655f91d92nd    state->attrs[12] = IPA_MEMBER_HOST;
ac7985784d08a3655291f24f711812b4d8b1cbcffuankg    state->attrs[13] = IPA_HOST_CATEGORY;
6bdda696b3ea703c47e87fea61017ec655f91d92nd    state->attrs[14] = NULL;
6bdda696b3ea703c47e87fea61017ec655f91d92nd
6bdda696b3ea703c47e87fea61017ec655f91d92nd    rule_filter = talloc_asprintf(state,
6bdda696b3ea703c47e87fea61017ec655f91d92nd                                  "(&(objectclass=%s)"
6bdda696b3ea703c47e87fea61017ec655f91d92nd                                  "(%s=%s)(%s=%s)"
6bdda696b3ea703c47e87fea61017ec655f91d92nd                                  "(|(%s=%s)(%s=%s)",
6bdda696b3ea703c47e87fea61017ec655f91d92nd                                  IPA_HBAC_RULE,
6bdda696b3ea703c47e87fea61017ec655f91d92nd                                  IPA_ENABLED_FLAG, IPA_TRUE_VALUE,
6bdda696b3ea703c47e87fea61017ec655f91d92nd                                  IPA_ACCESS_RULE_TYPE, IPA_HBAC_ALLOW,
6bdda696b3ea703c47e87fea61017ec655f91d92nd                                  IPA_HOST_CATEGORY, "all",
0662ed52e814f8f08ef0e09956413a792584eddffuankg                                  IPA_MEMBER_HOST, host_dn_clean);
6bdda696b3ea703c47e87fea61017ec655f91d92nd    if (rule_filter == NULL) {
6bdda696b3ea703c47e87fea61017ec655f91d92nd        ret = ENOMEM;
6bdda696b3ea703c47e87fea61017ec655f91d92nd        goto immediate;
6bdda696b3ea703c47e87fea61017ec655f91d92nd    }
0662ed52e814f8f08ef0e09956413a792584eddffuankg
6bdda696b3ea703c47e87fea61017ec655f91d92nd    /* Add all parent groups of ipa_hostname to the filter */
6bdda696b3ea703c47e87fea61017ec655f91d92nd    ret = sysdb_attrs_get_string_array(ipa_host, SYSDB_ORIG_MEMBEROF,
6bdda696b3ea703c47e87fea61017ec655f91d92nd                                       state, &memberof_list);
6bdda696b3ea703c47e87fea61017ec655f91d92nd    if (ret != EOK && ret != ENOENT) {
6bdda696b3ea703c47e87fea61017ec655f91d92nd        DEBUG(SSSDBG_CRIT_FAILURE, "Could not identify.\n");
6bdda696b3ea703c47e87fea61017ec655f91d92nd    } else if (ret == ENOENT) {
6bdda696b3ea703c47e87fea61017ec655f91d92nd        /* This host is not a member of any hostgroups */
6bdda696b3ea703c47e87fea61017ec655f91d92nd        memberof_list = talloc_array(state, const char *, 1);
6bdda696b3ea703c47e87fea61017ec655f91d92nd        if (memberof_list == NULL) {
0662ed52e814f8f08ef0e09956413a792584eddffuankg            ret = ENOMEM;
6bdda696b3ea703c47e87fea61017ec655f91d92nd            goto immediate;
6bdda696b3ea703c47e87fea61017ec655f91d92nd        }
ac7985784d08a3655291f24f711812b4d8b1cbcffuankg        memberof_list[0] = NULL;
6bdda696b3ea703c47e87fea61017ec655f91d92nd    }
6bdda696b3ea703c47e87fea61017ec655f91d92nd
6bdda696b3ea703c47e87fea61017ec655f91d92nd    for (i = 0; memberof_list[i]; i++) {
ac7985784d08a3655291f24f711812b4d8b1cbcffuankg        ret = sss_filter_sanitize(state,
6bdda696b3ea703c47e87fea61017ec655f91d92nd                                  memberof_list[i],
6bdda696b3ea703c47e87fea61017ec655f91d92nd                                  &host_group_clean);
6bdda696b3ea703c47e87fea61017ec655f91d92nd        if (ret != EOK) goto immediate;
6bdda696b3ea703c47e87fea61017ec655f91d92nd
6bdda696b3ea703c47e87fea61017ec655f91d92nd        rule_filter = talloc_asprintf_append(rule_filter, "(%s=%s)",
6bdda696b3ea703c47e87fea61017ec655f91d92nd                                             IPA_MEMBER_HOST,
6bdda696b3ea703c47e87fea61017ec655f91d92nd                                             host_group_clean);
6bdda696b3ea703c47e87fea61017ec655f91d92nd        if (rule_filter == NULL) {
6bdda696b3ea703c47e87fea61017ec655f91d92nd            ret = ENOMEM;
6bdda696b3ea703c47e87fea61017ec655f91d92nd            goto immediate;
6bdda696b3ea703c47e87fea61017ec655f91d92nd        }
6bdda696b3ea703c47e87fea61017ec655f91d92nd    }
6bdda696b3ea703c47e87fea61017ec655f91d92nd
6bdda696b3ea703c47e87fea61017ec655f91d92nd    rule_filter = talloc_asprintf_append(rule_filter, "))");
6bdda696b3ea703c47e87fea61017ec655f91d92nd    if (rule_filter == NULL) {
6bdda696b3ea703c47e87fea61017ec655f91d92nd        ret = ENOMEM;
6bdda696b3ea703c47e87fea61017ec655f91d92nd        goto immediate;
6bdda696b3ea703c47e87fea61017ec655f91d92nd    }
6bdda696b3ea703c47e87fea61017ec655f91d92nd    state->rules_filter = talloc_steal(state, rule_filter);
6bdda696b3ea703c47e87fea61017ec655f91d92nd
6bdda696b3ea703c47e87fea61017ec655f91d92nd    ret = ipa_hbac_rule_info_next(req, state);
6bdda696b3ea703c47e87fea61017ec655f91d92nd    if (ret != EAGAIN) {
6bdda696b3ea703c47e87fea61017ec655f91d92nd        if (ret == EOK) {
6bdda696b3ea703c47e87fea61017ec655f91d92nd            /* ipa_hbac_rule_info_next should always have a search base when
6bdda696b3ea703c47e87fea61017ec655f91d92nd             * called for the first time.
6bdda696b3ea703c47e87fea61017ec655f91d92nd             *
6bdda696b3ea703c47e87fea61017ec655f91d92nd             * For the subsequent iterations, not finding any more search bases
ac7985784d08a3655291f24f711812b4d8b1cbcffuankg             * is fine though (thus the function returns EOK).
6bdda696b3ea703c47e87fea61017ec655f91d92nd             *
6bdda696b3ea703c47e87fea61017ec655f91d92nd             * As, here, it's the first case happening, let's return EINVAL.
6bdda696b3ea703c47e87fea61017ec655f91d92nd             */
6bdda696b3ea703c47e87fea61017ec655f91d92nd            ret = EINVAL;
6bdda696b3ea703c47e87fea61017ec655f91d92nd        }
6bdda696b3ea703c47e87fea61017ec655f91d92nd        goto immediate;
6bdda696b3ea703c47e87fea61017ec655f91d92nd    }
6bdda696b3ea703c47e87fea61017ec655f91d92nd
6bdda696b3ea703c47e87fea61017ec655f91d92nd    return req;
6bdda696b3ea703c47e87fea61017ec655f91d92nd
6bdda696b3ea703c47e87fea61017ec655f91d92ndimmediate:
6bdda696b3ea703c47e87fea61017ec655f91d92nd    if (ret == EOK) {
6bdda696b3ea703c47e87fea61017ec655f91d92nd        tevent_req_done(req);
6bdda696b3ea703c47e87fea61017ec655f91d92nd    } else {
6bdda696b3ea703c47e87fea61017ec655f91d92nd        tevent_req_error(req, ret);
ac7985784d08a3655291f24f711812b4d8b1cbcffuankg    }
6bdda696b3ea703c47e87fea61017ec655f91d92nd    tevent_req_post(req, ev);
6bdda696b3ea703c47e87fea61017ec655f91d92nd    return req;
6bdda696b3ea703c47e87fea61017ec655f91d92nd}
6bdda696b3ea703c47e87fea61017ec655f91d92nd
6bdda696b3ea703c47e87fea61017ec655f91d92ndstatic errno_t
6bdda696b3ea703c47e87fea61017ec655f91d92ndipa_hbac_rule_info_next(struct tevent_req *req,
6bdda696b3ea703c47e87fea61017ec655f91d92nd                        struct ipa_hbac_rule_state *state)
6bdda696b3ea703c47e87fea61017ec655f91d92nd{
6bdda696b3ea703c47e87fea61017ec655f91d92nd    struct tevent_req *subreq;
6bdda696b3ea703c47e87fea61017ec655f91d92nd    struct sdap_search_base *base;
6bdda696b3ea703c47e87fea61017ec655f91d92nd
6bdda696b3ea703c47e87fea61017ec655f91d92nd    base = state->search_bases[state->search_base_iter];
6bdda696b3ea703c47e87fea61017ec655f91d92nd    if (base == NULL) {
6bdda696b3ea703c47e87fea61017ec655f91d92nd        return EOK;
6bdda696b3ea703c47e87fea61017ec655f91d92nd    }
6bdda696b3ea703c47e87fea61017ec655f91d92nd
6bdda696b3ea703c47e87fea61017ec655f91d92nd    talloc_zfree(state->cur_filter);
6bdda696b3ea703c47e87fea61017ec655f91d92nd    state->cur_filter = sdap_combine_filters(state, state->rules_filter,
ac7985784d08a3655291f24f711812b4d8b1cbcffuankg                                             base->filter);
ac7985784d08a3655291f24f711812b4d8b1cbcffuankg    if (state->cur_filter == NULL) {
6bdda696b3ea703c47e87fea61017ec655f91d92nd        return ENOMEM;
6bdda696b3ea703c47e87fea61017ec655f91d92nd    }
6bdda696b3ea703c47e87fea61017ec655f91d92nd
6bdda696b3ea703c47e87fea61017ec655f91d92nd    DEBUG(SSSDBG_TRACE_FUNC, "Sending request for next search base: "
6bdda696b3ea703c47e87fea61017ec655f91d92nd                              "[%s][%d][%s]\n", base->basedn, base->scope,
ac7985784d08a3655291f24f711812b4d8b1cbcffuankg                              state->cur_filter);
ac7985784d08a3655291f24f711812b4d8b1cbcffuankg
6bdda696b3ea703c47e87fea61017ec655f91d92nd    subreq = sdap_get_generic_send(state, state->ev, state->opts, state->sh,
6bdda696b3ea703c47e87fea61017ec655f91d92nd                                   base->basedn, base->scope,
6bdda696b3ea703c47e87fea61017ec655f91d92nd                                   state->cur_filter, state->attrs,
6bdda696b3ea703c47e87fea61017ec655f91d92nd                                   NULL, 0,
ac7985784d08a3655291f24f711812b4d8b1cbcffuankg                                   dp_opt_get_int(state->opts->basic,
6bdda696b3ea703c47e87fea61017ec655f91d92nd                                                  SDAP_ENUM_SEARCH_TIMEOUT),
6bdda696b3ea703c47e87fea61017ec655f91d92nd                                   true);
6bdda696b3ea703c47e87fea61017ec655f91d92nd    if (subreq == NULL) {
6bdda696b3ea703c47e87fea61017ec655f91d92nd        DEBUG(SSSDBG_CRIT_FAILURE, "sdap_get_generic_send failed.\n");
6bdda696b3ea703c47e87fea61017ec655f91d92nd        return ENOMEM;
6bdda696b3ea703c47e87fea61017ec655f91d92nd    }
6bdda696b3ea703c47e87fea61017ec655f91d92nd    tevent_req_set_callback(subreq, ipa_hbac_rule_info_done, req);
6bdda696b3ea703c47e87fea61017ec655f91d92nd
6bdda696b3ea703c47e87fea61017ec655f91d92nd    return EAGAIN;
6bdda696b3ea703c47e87fea61017ec655f91d92nd}
ac7985784d08a3655291f24f711812b4d8b1cbcffuankg
0662ed52e814f8f08ef0e09956413a792584eddffuankgstatic void
6bdda696b3ea703c47e87fea61017ec655f91d92ndipa_hbac_rule_info_done(struct tevent_req *subreq)
6bdda696b3ea703c47e87fea61017ec655f91d92nd{
6bdda696b3ea703c47e87fea61017ec655f91d92nd    errno_t ret;
6bdda696b3ea703c47e87fea61017ec655f91d92nd    struct tevent_req *req =
6bdda696b3ea703c47e87fea61017ec655f91d92nd            tevent_req_callback_data(subreq, struct tevent_req);
6bdda696b3ea703c47e87fea61017ec655f91d92nd    struct ipa_hbac_rule_state *state =
6bdda696b3ea703c47e87fea61017ec655f91d92nd            tevent_req_data(req, struct ipa_hbac_rule_state);
6bdda696b3ea703c47e87fea61017ec655f91d92nd    int i;
6bdda696b3ea703c47e87fea61017ec655f91d92nd    size_t rule_count;
6bdda696b3ea703c47e87fea61017ec655f91d92nd    size_t total_count;
6bdda696b3ea703c47e87fea61017ec655f91d92nd    struct sysdb_attrs **rules;
6bdda696b3ea703c47e87fea61017ec655f91d92nd    struct sysdb_attrs **target;
0662ed52e814f8f08ef0e09956413a792584eddffuankg
6bdda696b3ea703c47e87fea61017ec655f91d92nd    ret = sdap_get_generic_recv(subreq, state,
ac7985784d08a3655291f24f711812b4d8b1cbcffuankg                                &rule_count,
                                &rules);
    if (ret != EOK) {
        DEBUG(SSSDBG_MINOR_FAILURE, "Could not retrieve HBAC rules\n");
        goto fail;
    }

    if (rule_count > 0) {
        total_count = rule_count + state->rule_count;
        state->rules = talloc_realloc(state, state->rules,
                                      struct sysdb_attrs *,
                                      total_count);
        if (state->rules == NULL) {
            ret = ENOMEM;
            goto fail;
        }

        i = 0;
        while (state->rule_count < total_count) {
            target = &state->rules[state->rule_count];
            *target = talloc_steal(state->rules, rules[i]);

            state->rule_count++;
            i++;
        }
    }

    state->search_base_iter++;
    ret = ipa_hbac_rule_info_next(req, state);
    if (ret == EAGAIN) {
        return;
    } else if (ret != EOK) {
        goto fail;
    } else if (ret == EOK && state->rule_count == 0) {
        DEBUG(SSSDBG_MINOR_FAILURE, "No rules apply to this host\n");
        tevent_req_error(req, ENOENT);
        return;
    }

    /* We went through all search bases and we have some results */
    tevent_req_done(req);

    return;

fail:
    tevent_req_error(req, ret);
}

errno_t
ipa_hbac_rule_info_recv(struct tevent_req *req,
                        TALLOC_CTX *mem_ctx,
                        size_t *rule_count,
                        struct sysdb_attrs ***rules)
{
    struct ipa_hbac_rule_state *state =
            tevent_req_data(req, struct ipa_hbac_rule_state);

    TEVENT_REQ_RETURN_ON_ERROR(req);

    *rule_count = state->rule_count;
    *rules = talloc_steal(mem_ctx, state->rules);

    return EOK;
}