/*
    SSSD

    Authors:
        Stephen Gallagher <sgallagh@redhat.com>

    Copyright (C) 2011 Red Hat

    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; either version 3 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program.  If not, see <http://www.gnu.org/licenses/>.
*/
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher#include "util/util.h"
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher#include "providers/ipa/ipa_hbac_private.h"
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher#include "providers/ipa/ipa_hbac_rules.h"
74e95cfd9d3939dfe9417d79d2f6fc79b361405fJakub Hrozek#include "providers/ldap/sdap_async.h"
/* Per-request state of ipa_hbac_rule_info_send(): the LDAP connection and
 * options the searches run over, the search bases that are walked one at a
 * time, the filters, and the rules collected so far. */
struct ipa_hbac_rule_state {
    struct tevent_context *ev;
    struct sdap_handle *sh;
    struct sdap_options *opts;

    /* Index of the base currently being searched; search_bases is a
     * NULL-terminated array and the NULL entry ends the walk. */
    int search_base_iter;
    struct sdap_search_base **search_bases;

    /* Attributes requested for every rule entry (NULL-terminated). */
    const char **attrs;
    /* Host-specific rule filter, built once in ipa_hbac_rule_info_send(). */
    char *rules_filter;
    /* rules_filter combined with the current base's own filter; rebuilt
     * for every search base. */
    char *cur_filter;

    /* Rules accumulated across all search bases. */
    size_t rule_count;
    struct sysdb_attrs **rules;
};
/* Forward declarations for the two halves of the search-base loop:
 * _next() issues the search for the current base, _done() collects its
 * results and calls _next() again for the following base. */
static errno_t
ipa_hbac_rule_info_next(struct tevent_req *req,
                        struct ipa_hbac_rule_state *state);
static void
ipa_hbac_rule_info_done(struct tevent_req *subreq);
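/*
 * Start fetching the HBAC rules that can apply to this host.
 *
 * The rules are searched in every base of @search_bases, one base at a
 * time (see ipa_hbac_rule_info_next()), with a filter restricted to
 * rules that are enabled (IPA_ENABLED_FLAG) and whose IPA_HOST_CATEGORY
 * is "all", or whose IPA_MEMBER_HOST lists the host's original DN or one
 * of the groups found in the host's SYSDB_ORIG_MEMBEROF values.  When
 * @get_deny_rules is false the filter additionally requires
 * IPA_ACCESS_RULE_TYPE to be IPA_HBAC_ALLOW, so deny rules never leave
 * the server; when it is true no rule-type clause is added and rules of
 * both types are returned.
 *
 * Every DN interpolated into the filter passes through
 * sss_filter_sanitize() first, so a DN containing LDAP filter
 * metacharacters cannot widen the search.
 *
 * @param mem_ctx        Talloc parent of the returned request.
 * @param get_deny_rules Whether deny rules are fetched as well.
 * @param ev, sh, opts   Event context, LDAP connection and options used
 *                       for the searches.
 * @param search_bases   NULL-terminated list of bases to search.
 * @param ipa_host       The host entry; must carry SYSDB_ORIG_DN.
 *
 * @return NULL when @ipa_host is NULL, its original DN cannot be read or
 *         sanitized, or the request cannot be created.  Otherwise the
 *         request; it may already be finished with an error (ENOMEM,
 *         EINVAL when the base list is empty, or the failure to read
 *         the host's group memberships).
 */
struct tevent_req *
ipa_hbac_rule_info_send(TALLOC_CTX *mem_ctx,
                        bool get_deny_rules,
                        struct tevent_context *ev,
                        struct sdap_handle *sh,
                        struct sdap_options *opts,
                        struct sdap_search_base **search_bases,
                        struct sysdb_attrs *ipa_host)
{
    errno_t ret;
    size_t i;
    struct tevent_req *req = NULL;
    struct ipa_hbac_rule_state *state;
    TALLOC_CTX *tmp_ctx;
    const char *host_dn;
    char *host_dn_clean;
    char *host_group_clean;
    char *rule_filter;
    const char **memberof_list = NULL;

    if (ipa_host == NULL) {
        DEBUG(1, ("Missing host\n"));
        return NULL;
    }

    tmp_ctx = talloc_new(mem_ctx);
    if (tmp_ctx == NULL) return NULL;

    ret = sysdb_attrs_get_string(ipa_host, SYSDB_ORIG_DN, &host_dn);
    if (ret != EOK) {
        DEBUG(1, ("Could not identify IPA hostname\n"));
        goto error;
    }

    /* The DN comes from the directory: escape filter metacharacters
     * before it becomes part of the search filter. */
    ret = sss_filter_sanitize(tmp_ctx, host_dn, &host_dn_clean);
    if (ret != EOK) goto error;

    req = tevent_req_create(mem_ctx, &state, struct ipa_hbac_rule_state);
    if (req == NULL) {
        DEBUG(1, ("tevent_req_create failed.\n"));
        /* tmp_ctx must be released on this path too. */
        goto error;
    }

    state->ev = ev;
    state->sh = sh;
    state->opts = opts;
    state->search_bases = search_bases;
    state->search_base_iter = 0;
    state->attrs = talloc_zero_array(state, const char *, 15);
    if (state->attrs == NULL) {
        ret = ENOMEM;
        goto immediate;
    }
    state->attrs[0] = OBJECTCLASS;
    state->attrs[1] = IPA_CN;
    state->attrs[2] = IPA_UNIQUE_ID;
    state->attrs[3] = IPA_ENABLED_FLAG;
    state->attrs[4] = IPA_ACCESS_RULE_TYPE;
    state->attrs[5] = IPA_MEMBER_USER;
    state->attrs[6] = IPA_USER_CATEGORY;
    state->attrs[7] = IPA_MEMBER_SERVICE;
    state->attrs[8] = IPA_SERVICE_CATEGORY;
    state->attrs[9] = IPA_SOURCE_HOST;
    state->attrs[10] = IPA_SOURCE_HOST_CATEGORY;
    state->attrs[11] = IPA_EXTERNAL_HOST;
    state->attrs[12] = IPA_MEMBER_HOST;
    state->attrs[13] = IPA_HOST_CATEGORY;
    state->attrs[14] = NULL;

    /* Both filters leave the outer "(&" and the "(|" host clause open;
     * the host groups are appended below and "))" closes them. */
    if (get_deny_rules) {
        /* No IPA_ACCESS_RULE_TYPE clause: allow and deny rules alike. */
        rule_filter = talloc_asprintf(tmp_ctx,
                                      "(&(objectclass=%s)"
                                      "(%s=%s)(|(%s=%s)(%s=%s)",
                                      IPA_HBAC_RULE,
                                      IPA_ENABLED_FLAG, IPA_TRUE_VALUE,
                                      IPA_HOST_CATEGORY, "all",
                                      IPA_MEMBER_HOST, host_dn_clean);
    } else {
        rule_filter = talloc_asprintf(tmp_ctx,
                                      "(&(objectclass=%s)"
                                      "(%s=%s)(%s=%s)"
                                      "(|(%s=%s)(%s=%s)",
                                      IPA_HBAC_RULE,
                                      IPA_ENABLED_FLAG, IPA_TRUE_VALUE,
                                      IPA_ACCESS_RULE_TYPE, IPA_HBAC_ALLOW,
                                      IPA_HOST_CATEGORY, "all",
                                      IPA_MEMBER_HOST, host_dn_clean);
    }
    if (rule_filter == NULL) {
        ret = ENOMEM;
        goto immediate;
    }

    /* Add all parent groups of ipa_hostname to the filter */
    ret = sysdb_attrs_get_string_array(ipa_host, SYSDB_ORIG_MEMBEROF,
                                       tmp_ctx, &memberof_list);
    if (ret == ENOENT) {
        /* This host is not a member of any hostgroups */
        memberof_list = talloc_array(tmp_ctx, const char *, 1);
        if (memberof_list == NULL) {
            ret = ENOMEM;
            goto immediate;
        }
        memberof_list[0] = NULL;
    } else if (ret != EOK) {
        /* Any other failure must end the request: memberof_list is not
         * set, so the loop below would walk an invalid array. */
        DEBUG(SSSDBG_CRIT_FAILURE,
              ("Could not identify hostgroup memberships of the host\n"));
        goto immediate;
    }

    for (i = 0; memberof_list[i]; i++) {
        /* Group DNs are directory data as well; sanitize each one. */
        ret = sss_filter_sanitize(tmp_ctx,
                                  memberof_list[i],
                                  &host_group_clean);
        if (ret != EOK) goto immediate;

        rule_filter = talloc_asprintf_append(rule_filter, "(%s=%s)",
                                             IPA_MEMBER_HOST,
                                             host_group_clean);
        if (rule_filter == NULL) {
            ret = ENOMEM;
            goto immediate;
        }
    }

    /* Close the "(|" host clause and the outer "(&". */
    rule_filter = talloc_asprintf_append(rule_filter, "))");
    if (rule_filter == NULL) {
        ret = ENOMEM;
        goto immediate;
    }
    state->rules_filter = talloc_steal(state, rule_filter);

    /* EOK here means the base list was empty before any search was
     * sent, which callers cannot distinguish from a result; report it. */
    ret = ipa_hbac_rule_info_next(req, state);
    if (ret == EOK) {
        ret = EINVAL;
    }

    if (ret != EAGAIN) {
        goto immediate;
    }

    talloc_free(tmp_ctx);
    return req;

immediate:
    if (ret == EOK) {
        tevent_req_done(req);
    } else {
        tevent_req_error(req, ret);
    }
    tevent_req_post(req, ev);
    talloc_free(tmp_ctx);
    return req;

error:
    talloc_free(tmp_ctx);
    return NULL;
}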
/*
 * Issue the LDAP search for the base at state->search_base_iter.
 *
 * @return EAGAIN once a search has been sent (ipa_hbac_rule_info_done()
 *         picks up from there), EOK when the NULL terminator of the base
 *         list has been reached and nothing was sent, ENOMEM on
 *         allocation failure.
 */
static errno_t
ipa_hbac_rule_info_next(struct tevent_req *req,
                        struct ipa_hbac_rule_state *state)
{
    struct sdap_search_base *sb = state->search_bases[state->search_base_iter];
    struct tevent_req *subreq;
    int timeout;

    /* End of the NULL-terminated base list: nothing left to search. */
    if (sb == NULL) return EOK;

    /* Combine the host-specific rule filter with this base's own filter,
     * replacing the one built for the previous base. */
    talloc_zfree(state->cur_filter);
    state->cur_filter = sdap_get_id_specific_filter(state, state->rules_filter,
                                                    sb->filter);
    if (state->cur_filter == NULL) return ENOMEM;

    DEBUG(SSSDBG_TRACE_FUNC, ("Sending request for next search base: "
                              "[%s][%d][%s]\n", sb->basedn, sb->scope,
                              sb->filter));

    timeout = dp_opt_get_int(state->opts->basic, SDAP_ENUM_SEARCH_TIMEOUT);
    subreq = sdap_get_generic_send(state, state->ev, state->opts, state->sh,
                                   sb->basedn, sb->scope,
                                   state->cur_filter, state->attrs,
                                   NULL, 0, timeout);
    if (subreq == NULL) {
        DEBUG(SSSDBG_CRIT_FAILURE, ("sdap_get_generic_send failed.\n"));
        return ENOMEM;
    }
    tevent_req_set_callback(subreq, ipa_hbac_rule_info_done, req);

    return EAGAIN;
}
ebc6ab564dc2a0a2b08c42d727fc403dde4a2dc9Jakub Hrozek
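/*
 * Completion callback for the search of one base: append the rules it
 * returned to state->rules, then start the next base or finish.
 *
 * The request ends with ENOENT when every base has been searched and no
 * rule matched, so callers must treat ENOENT as "no rules for this host"
 * rather than as a failed lookup.  Any LDAP or allocation error ends the
 * request with that error.
 */
static void
ipa_hbac_rule_info_done(struct tevent_req *subreq)
{
    errno_t ret;
    struct tevent_req *req =
            tevent_req_callback_data(subreq, struct tevent_req);
    struct ipa_hbac_rule_state *state =
            tevent_req_data(req, struct ipa_hbac_rule_state);
    size_t i;
    size_t rule_count;
    size_t total_count;
    struct sysdb_attrs **rules;
    struct sysdb_attrs **grown;

    ret = sdap_get_generic_recv(subreq, state, &rule_count, &rules);
    if (ret != EOK) {
        DEBUG(3, ("Could not retrieve HBAC rules\n"));
        goto fail;
    }

    if (rule_count > 0) {
        total_count = rule_count + state->rule_count;
        /* Grow into a temporary so a failed realloc does not lose the
         * pointer to the rules collected from earlier bases. */
        grown = talloc_realloc(state, state->rules,
                               struct sysdb_attrs *, total_count);
        if (grown == NULL) {
            ret = ENOMEM;
            goto fail;
        }
        state->rules = grown;

        /* Move each new entry under the combined array. */
        for (i = 0; i < rule_count; i++) {
            state->rules[state->rule_count + i] =
                    talloc_steal(state->rules, rules[i]);
        }
        state->rule_count = total_count;
    }
    /* The per-search container holds nothing of ours any more. */
    talloc_zfree(rules);

    state->search_base_iter++;
    ret = ipa_hbac_rule_info_next(req, state);
    if (ret == EAGAIN) {
        /* Another search is in flight; we are called back when it ends. */
        return;
    } else if (ret != EOK) {
        goto fail;
    }

    if (state->rule_count == 0) {
        DEBUG(3, ("No rules apply to this host\n"));
        tevent_req_error(req, ENOENT);
        return;
    }

    /* We went through all search bases and we have some results */
    tevent_req_done(req);
    return;

fail:
    tevent_req_error(req, ret);
}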
/*
 * Collect the result of ipa_hbac_rule_info_send().
 *
 * On success the accumulated rules are reparented to @mem_ctx and their
 * number stored in @rule_count; in this file a request that matched no
 * rule finishes with ENOENT rather than EOK, so a successful return
 * carries at least one rule.
 *
 * @return EOK, or the error the request finished with.
 */
errno_t
ipa_hbac_rule_info_recv(struct tevent_req *req,
                        TALLOC_CTX *mem_ctx,
                        size_t *rule_count,
                        struct sysdb_attrs ***rules)
{
    struct ipa_hbac_rule_state *state;

    TEVENT_REQ_RETURN_ON_ERROR(req);

    state = tevent_req_data(req, struct ipa_hbac_rule_state);
    *rule_count = state->rule_count;
    *rules = talloc_steal(mem_ctx, state->rules);

    return EOK;
}
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher