providers/ipa/ipa_hbac_rules.c

	ipa_hbac_rules.c revision a3c8390d19593b1e5277d95bfb4ab206d4785150
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher/*
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    SSSD
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    Authors:
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher        Stephen Gallagher <sgallagh@redhat.com>
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    Copyright (C) 2011 Red Hat
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    This program is free software; you can redistribute it and/or modify
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    it under the terms of the GNU General Public License as published by
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    the Free Software Foundation; either version 3 of the License, or
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    (at your option) any later version.
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    This program is distributed in the hope that it will be useful,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    but WITHOUT ANY WARRANTY; without even the implied warranty of
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    GNU General Public License for more details.
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    You should have received a copy of the GNU General Public License
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    along with this program.  If not, see <http://www.gnu.org/licenses/>.
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher*/
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher#include "util/util.h"
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher#include "providers/ipa/ipa_hbac_private.h"
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny#include "providers/ipa/ipa_hbac_rules.h"
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher#include "providers/ldap/sdap_async.h"
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagherstruct ipa_hbac_rule_state {
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    struct tevent_context *ev;
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    struct sdap_handle *sh;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    struct sdap_options *opts;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    int search_base_iter;
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    struct sdap_search_base **search_bases;
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    const char **attrs;
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    char *rules_filter;
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    char *cur_filter;
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    size_t rule_count;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    struct sysdb_attrs **rules;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher};
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
71ad247500b417836a1a2edec257a4433a7c415fJan Zelenystatic errno_t
71ad247500b417836a1a2edec257a4433a7c415fJan Zelenyipa_hbac_rule_info_next(struct tevent_req *req,
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny                        struct ipa_hbac_rule_state *state);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagherstatic void
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagheripa_hbac_rule_info_done(struct tevent_req *subreq);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagherstruct tevent_req *
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagheripa_hbac_rule_info_send(TALLOC_CTX *mem_ctx,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher                        bool get_deny_rules,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher                        struct tevent_context *ev,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher                        struct sdap_handle *sh,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher                        struct sdap_options *opts,
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny                        struct sdap_search_base **search_bases,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher                        struct sysdb_attrs *ipa_host)
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher{
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    errno_t ret;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    size_t i;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    struct tevent_req *req = NULL;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    struct ipa_hbac_rule_state *state;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    TALLOC_CTX *tmp_ctx;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    const char *host_dn;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    char *host_dn_clean;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    char *host_group_clean;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    char *rule_filter;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    const char **memberof_list;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    if (ipa_host == NULL) {
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov        DEBUG(1, "Missing host\n");
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher        return NULL;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    tmp_ctx = talloc_new(mem_ctx);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    if (tmp_ctx == NULL) return NULL;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    ret = sysdb_attrs_get_string(ipa_host, SYSDB_ORIG_DN, &host_dn);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    if (ret != EOK) {
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov        DEBUG(1, "Could not identify IPA hostname\n");
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher        goto error;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    ret = sss_filter_sanitize(tmp_ctx, host_dn, &host_dn_clean);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    if (ret != EOK) goto error;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    req = tevent_req_create(mem_ctx, &state, struct ipa_hbac_rule_state);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    if (req == NULL) {
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov        DEBUG(1, "tevent_req_create failed.\n");
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher        return NULL;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    state->ev = ev;
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    state->sh = sh;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    state->opts = opts;
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    state->search_bases = search_bases;
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    state->search_base_iter = 0;
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    state->attrs = talloc_zero_array(state, const char *, 15);
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    if (state->attrs == NULL) {
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny        ret = ENOMEM;
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny        goto immediate;
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    }
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    state->attrs[0] = OBJECTCLASS;
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    state->attrs[1] = IPA_CN;
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    state->attrs[2] = IPA_UNIQUE_ID;
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    state->attrs[3] = IPA_ENABLED_FLAG;
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    state->attrs[4] = IPA_ACCESS_RULE_TYPE;
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    state->attrs[5] = IPA_MEMBER_USER;
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    state->attrs[6] = IPA_USER_CATEGORY;
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    state->attrs[7] = IPA_MEMBER_SERVICE;
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    state->attrs[8] = IPA_SERVICE_CATEGORY;
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    state->attrs[9] = IPA_SOURCE_HOST;
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    state->attrs[10] = IPA_SOURCE_HOST_CATEGORY;
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    state->attrs[11] = IPA_EXTERNAL_HOST;
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    state->attrs[12] = IPA_MEMBER_HOST;
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    state->attrs[13] = IPA_HOST_CATEGORY;
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    state->attrs[14] = NULL;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    if (get_deny_rules) {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher        rule_filter = talloc_asprintf(tmp_ctx,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher                                      "(&(objectclass=%s)"
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher                                      "(%s=%s)(|(%s=%s)(%s=%s)",
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher                                      IPA_HBAC_RULE,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher                                      IPA_ENABLED_FLAG, IPA_TRUE_VALUE,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher                                      IPA_HOST_CATEGORY, "all",
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher                                      IPA_MEMBER_HOST, host_dn_clean);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    } else {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher        rule_filter = talloc_asprintf(tmp_ctx,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher                                      "(&(objectclass=%s)"
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher                                      "(%s=%s)(%s=%s)"
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher                                      "(|(%s=%s)(%s=%s)",
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher                                      IPA_HBAC_RULE,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher                                      IPA_ENABLED_FLAG, IPA_TRUE_VALUE,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher                                      IPA_ACCESS_RULE_TYPE, IPA_HBAC_ALLOW,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher                                      IPA_HOST_CATEGORY, "all",
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher                                      IPA_MEMBER_HOST, host_dn_clean);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    if (rule_filter == NULL) {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher        ret = ENOMEM;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher        goto immediate;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    /* Add all parent groups of ipa_hostname to the filter */
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    ret = sysdb_attrs_get_string_array(ipa_host, SYSDB_ORIG_MEMBEROF,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher                                       tmp_ctx, &memberof_list);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    if (ret != EOK && ret != ENOENT) {
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov        DEBUG(1, "Could not identify ");
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    } if (ret == ENOENT) {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher        /* This host is not a member of any hostgroups */
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher        memberof_list = talloc_array(tmp_ctx, const char *, 1);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher        if (memberof_list == NULL) {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher            ret = ENOMEM;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher            goto immediate;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher        }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher        memberof_list[0] = NULL;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    for (i = 0; memberof_list[i]; i++) {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher        ret = sss_filter_sanitize(tmp_ctx,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher                                  memberof_list[i],
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher                                  &host_group_clean);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher        if (ret != EOK) goto immediate;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher        rule_filter = talloc_asprintf_append(rule_filter, "(%s=%s)",
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher                                             IPA_MEMBER_HOST,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher                                             host_group_clean);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher        if (rule_filter == NULL) {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher            ret = ENOMEM;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher            goto immediate;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher        }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    rule_filter = talloc_asprintf_append(rule_filter, "))");
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    if (rule_filter == NULL) {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher        ret = ENOMEM;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher        goto immediate;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    }
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    state->rules_filter = talloc_steal(state, rule_filter);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    ret = ipa_hbac_rule_info_next(req, state);
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    if (ret == EOK) {
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny        ret = EINVAL;
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    }
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    if (ret != EAGAIN) {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher        goto immediate;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    talloc_free(tmp_ctx);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    return req;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagherimmediate:
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    if (ret == EOK) {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher        tevent_req_done(req);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    } else {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher        tevent_req_error(req, ret);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    tevent_req_post(req, ev);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    talloc_free(tmp_ctx);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    return req;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallaghererror:
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    talloc_free(tmp_ctx);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    return NULL;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher}
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
71ad247500b417836a1a2edec257a4433a7c415fJan Zelenystatic errno_t
71ad247500b417836a1a2edec257a4433a7c415fJan Zelenyipa_hbac_rule_info_next(struct tevent_req *req,
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny                        struct ipa_hbac_rule_state *state)
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny{
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    struct tevent_req *subreq;
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    struct sdap_search_base *base;
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    base = state->search_bases[state->search_base_iter];
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    if (base  == NULL) {
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny        return EOK;
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    }
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    talloc_zfree(state->cur_filter);
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    state->cur_filter = sdap_get_id_specific_filter(state,
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny                                                    state->rules_filter,
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny                                                    base->filter);
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    if (state->cur_filter == NULL) {
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny        return ENOMEM;
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    }
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov    DEBUG(SSSDBG_TRACE_FUNC, "Sending request for next search base: "
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny                              "[%s][%d][%s]\n", base->basedn, base->scope,
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov                              state->cur_filter);
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    subreq = sdap_get_generic_send(state, state->ev, state->opts, state->sh,
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny                                   base->basedn, base->scope,
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny                                   state->cur_filter, state->attrs,
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny                                   NULL, 0,
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny                                   dp_opt_get_int(state->opts->basic,
2f3ee3f49019f5b60adbe073070f31e6e2d7c7abStephen Gallagher                                                  SDAP_ENUM_SEARCH_TIMEOUT),
2f3ee3f49019f5b60adbe073070f31e6e2d7c7abStephen Gallagher                                   true);
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    if (subreq == NULL) {
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov        DEBUG(SSSDBG_CRIT_FAILURE, "sdap_get_generic_send failed.\n");
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny        return ENOMEM;
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    }
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    tevent_req_set_callback(subreq, ipa_hbac_rule_info_done, req);
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    return EAGAIN;
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny}
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagherstatic void
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagheripa_hbac_rule_info_done(struct tevent_req *subreq)
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher{
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    errno_t ret;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    struct tevent_req *req =
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher            tevent_req_callback_data(subreq, struct tevent_req);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    struct ipa_hbac_rule_state *state =
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher            tevent_req_data(req, struct ipa_hbac_rule_state);
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    int i;
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    size_t rule_count;
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    size_t total_count;
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    struct sysdb_attrs **rules;
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    struct sysdb_attrs **target;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    ret = sdap_get_generic_recv(subreq, state,
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny                                &rule_count,
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny                                &rules);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    if (ret != EOK) {
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov        DEBUG(3, "Could not retrieve HBAC rules\n");
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny        goto fail;
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    }
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    if (rule_count > 0) {
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny        total_count = rule_count + state->rule_count;
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny        state->rules = talloc_realloc(state, state->rules,
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny                                      struct sysdb_attrs *,
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny                                      total_count);
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny        if (state->rules == NULL) {
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny            ret = ENOMEM;
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny            goto fail;
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny        }
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny        i = 0;
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny        while (state->rule_count < total_count) {
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny            target = &state->rules[state->rule_count];
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny            *target = talloc_steal(state->rules, rules[i]);
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny            state->rule_count++;
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny            i++;
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny        }
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    }
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    state->search_base_iter++;
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    ret = ipa_hbac_rule_info_next(req, state);
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    if (ret == EAGAIN) {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher        return;
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    } else if (ret != EOK) {
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny        goto fail;
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    } else if (ret == EOK && state->rule_count == 0) {
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov        DEBUG(3, "No rules apply to this host\n");
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher        tevent_req_error(req, ENOENT);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher        return;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    /* We went through all search bases and we have some results */
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    tevent_req_done(req);
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    return;
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny
71ad247500b417836a1a2edec257a4433a7c415fJan Zelenyfail:
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny    tevent_req_error(req, ret);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher}
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallaghererrno_t
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagheripa_hbac_rule_info_recv(struct tevent_req *req,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher                        TALLOC_CTX *mem_ctx,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher                        size_t *rule_count,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher                        struct sysdb_attrs ***rules)
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher{
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    struct ipa_hbac_rule_state *state =
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher            tevent_req_data(req, struct ipa_hbac_rule_state);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    TEVENT_REQ_RETURN_ON_ERROR(req);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    *rule_count = state->rule_count;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    *rules = talloc_steal(mem_ctx, state->rules);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher    return EOK;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher}