e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher Stephen Gallagher <sgallagh@redhat.com>
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher Copyright (C) 2011 Red Hat
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher This program is free software; you can redistribute it and/or modify
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher it under the terms of the GNU General Public License as published by
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher the Free Software Foundation; either version 3 of the License, or
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher (at your option) any later version.
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher This program is distributed in the hope that it will be useful,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher but WITHOUT ANY WARRANTY; without even the implied warranty of
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher GNU General Public License for more details.
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher You should have received a copy of the GNU General Public License
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher along with this program. If not, see <http://www.gnu.org/licenses/>.
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher#include "providers/ipa/ipa_hbac_private.h"
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher/* Returns EOK and populates groupname if
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher * the group_dn is actually a group.
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher * Returns ENOENT if group_dn does not point
4a9c1047354dbe5a4ed41e5951ae623e3772e113René Genz * at a group.
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher * Returns EINVAL if there is a parsing error.
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher * Returns ENOMEM as appropriate
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher /* This is an IPA-specific hack. It may not
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher * work for non-IPA servers and will need to
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher * be changed if SSSD ever supports HBAC on
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher * a non-IPA server.
0ad1bcec60a2ec67a602e0ad1888f859d6009d54Sumit Bose DEBUG(SSSDBG_TRACE_LIBS, "Parsing %s\n", group_dn);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher dn = ldb_dn_new(mem_ctx, sysdb_ctx_get_ldb(sysdb), group_dn);
0ad1bcec60a2ec67a602e0ad1888f859d6009d54Sumit Bose DEBUG(SSSDBG_CRIT_FAILURE, "DN %s does not validate\n", group_dn);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher /* RDN, groups, accounts, and at least one DC= */
1dd195b9a3df01a0ef51e9f963201f1f79d1f90bStephen Gallagher /* If it's fewer, it's not a group DN */
0ad1bcec60a2ec67a602e0ad1888f859d6009d54Sumit Bose DEBUG(SSSDBG_CRIT_FAILURE, "DN %s has too few components\n", group_dn);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher /* If the RDN name is 'cn' */
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher /* Shouldn't happen if ldb_dn_validate()
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher * passed, but we'll be careful.
0ad1bcec60a2ec67a602e0ad1888f859d6009d54Sumit Bose DEBUG(SSSDBG_CRIT_FAILURE, "No RDN name in %s\n", group_dn);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher /* RDN has the wrong attribute name.
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher * It's not a group.
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher /* and the second component is "cn=groups" */
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher group_comp_name = ldb_dn_get_component_name(dn, 1);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (strcasecmp("cn", group_comp_name) != 0) {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher /* The second component name is not "cn" */
0ad1bcec60a2ec67a602e0ad1888f859d6009d54Sumit Bose "Expected cn in second component, got %s\n", group_comp_name);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher group_comp_val = ldb_dn_get_component_val(dn, 1);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher /* The second component value is not "groups" */
0ad1bcec60a2ec67a602e0ad1888f859d6009d54Sumit Bose "Expected groups second component, got %s\n",
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher /* and the third component is "accounts" */
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher account_comp_name = ldb_dn_get_component_name(dn, 2);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (strcasecmp("cn", account_comp_name) != 0) {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher /* The third component name is not "cn" */
0ad1bcec60a2ec67a602e0ad1888f859d6009d54Sumit Bose "Expected cn in second component, got %s\n", account_comp_name);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher account_comp_val = ldb_dn_get_component_val(dn, 2);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher /* The third component value is not "accounts" */
0ad1bcec60a2ec67a602e0ad1888f859d6009d54Sumit Bose "Expected cn accounts second component, got %s\n",
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher /* Then the value of the RDN is the group name */
0ad1bcec60a2ec67a602e0ad1888f859d6009d54Sumit Bose DEBUG(SSSDBG_TRACE_LIBS, "Parsed %s out of the DN\n", *groupname);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagherhbac_user_attrs_to_rule(TALLOC_CTX *mem_ctx,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher struct hbac_rule_element *new_users = NULL;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher const char *attrs[] = { SYSDB_NAME, NULL };
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher new_users = talloc_zero(tmp_ctx, struct hbac_rule_element);
83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov DEBUG(SSSDBG_TRACE_LIBS, "Processing users for rule [%s]\n", rule_name);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher ret = hbac_get_category(rule_attrs, IPA_USER_CATEGORY,
83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov DEBUG(SSSDBG_CRIT_FAILURE, "Could not identify user categories\n");
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (new_users->category & HBAC_CATEGORY_ALL) {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher /* Short-cut to the exit */
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher ret = sysdb_attrs_get_el(rule_attrs, IPA_MEMBER_USER, &el);
83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov DEBUG(SSSDBG_CRIT_FAILURE, "sysdb_attrs_get_el failed.\n");
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (ret == ENOENT || el->num_values == 0) {
83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov "No user specified, rule will never apply.\n");
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher new_users->names = talloc_array(new_users,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher new_users->groups = talloc_array(new_users,
a5e9d34fd39c0061ca284674a6fd7cad05c6056cFabiano Fidêncio member_dn = (const char *)el->values[i].data;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher /* First check if this is a user */
a5e9d34fd39c0061ca284674a6fd7cad05c6056cFabiano Fidêncio ret = sysdb_search_users_by_orig_dn(tmp_ctx, domain, member_dn, attrs,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (ret != EOK && ret != ENOENT) goto done;
83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov "Original DN matched multiple users. Skipping \n");
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher /* Original DN matched a single user. Get the username */
69c49ae14475773ea2c42f4e14f5d859c311abebJakub Hrozek sysdb_name = ldb_msg_find_attr_as_string(msgs[0], SYSDB_NAME, NULL);
83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov DEBUG(SSSDBG_CRIT_FAILURE, "Attribute is missing!\n");
69c49ae14475773ea2c42f4e14f5d859c311abebJakub Hrozek ret = sss_parse_internal_fqname(tmp_ctx, sysdb_name,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher new_users->names[num_users] = talloc_strdup(new_users->names,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (new_users->names[num_users] == NULL) {
69c49ae14475773ea2c42f4e14f5d859c311abebJakub Hrozek "Added user [%s] to rule [%s]\n", sysdb_name, rule_name);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher /* Check if it is a group instead */
a5e9d34fd39c0061ca284674a6fd7cad05c6056cFabiano Fidêncio ret = sysdb_search_groups_by_orig_dn(tmp_ctx, domain, member_dn,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (ret != EOK && ret != ENOENT) goto done;
83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov "Original DN matched multiple groups. "
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov "Skipping\n");
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher /* Original DN matched a single group. Get the groupname */
69c49ae14475773ea2c42f4e14f5d859c311abebJakub Hrozek sysdb_name = ldb_msg_find_attr_as_string(msgs[0],
83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov DEBUG(SSSDBG_CRIT_FAILURE, "Attribute is missing!\n");
69c49ae14475773ea2c42f4e14f5d859c311abebJakub Hrozek ret = sss_parse_internal_fqname(tmp_ctx, sysdb_name,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (new_users->groups[num_groups] == NULL) {
83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov "Added POSIX group [%s] to rule [%s]\n",
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher /* If the group still matches the group pattern,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher * we can assume it is a non-POSIX group.
8a81628d58dd2991d53398a213916671e14592d8Simo Sorce ret = get_ipa_groupname(new_users->groups, domain->sysdb,
83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov "Added non-POSIX group [%s] to rule [%s]\n",
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov new_users->groups[num_groups], rule_name);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher /* Not a group, so we don't care about it */
83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov "[%s] does not map to either a user or group. "
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher /* Shrink the arrays down to their real sizes */
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher new_users->names = talloc_realloc(new_users, new_users->names,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher new_users->groups = talloc_realloc(new_users, new_users->groups,