a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina Pavel Březina <pbrezina@redhat.com>
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina Copyright (C) 2015 Red Hat
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina This program is free software; you can redistribute it and/or modify
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina it under the terms of the GNU General Public License as published by
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina the Free Software Foundation; either version 3 of the License, or
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina (at your option) any later version.
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina This program is distributed in the hope that it will be useful,
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina but WITHOUT ANY WARRANTY; without even the implied warranty of
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina GNU General Public License for more details.
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina You should have received a copy of the GNU General Public License
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina along with this program. If not, see <http://www.gnu.org/licenses/>.
/*
 * DN-shape patterns for the member DNs that IPA sudo rules point at.
 *
 * Every MATCHRDN_* macro expands to a comma-separated argument list, not a
 * single value: first the name of the attribute expected in the entry's RDN
 * (taken from the configurable attribute map, e.g. (map)[SDAP_AT_USER_NAME]),
 * then alternating RDN attribute/value pairs naming the parent container,
 * e.g. "cn", "users", "cn", "accounts" for cn=users,cn=accounts.  They can
 * therefore only be used as the trailing arguments of a call; in this file
 * they appear to be handed to ipa_get_rdn(), which extracts the RDN value only
 * when the DN has exactly this shape.
 *
 * Security note: the container part is an allow-list on where a referenced
 * entry may live.  A DN naming an object outside the expected FreeIPA subtree
 * is not silently reinterpreted as a user/group/host/command; the callers in
 * this file log "Unexpected DN ...: Skipping" and drop it instead.  Keep that
 * property when adding new member kinds: always pin both the RDN attribute and
 * the full parent container.
 *
 * NOTE(review): SUDO_DN_CN, SUDO_DN_CONTAINER, SUDO_DN_CMDGROUPS and
 * MATCHDN_CMDS (used by MATCHRDN_CMDS) are not visible in this excerpt -
 * confirm they are defined above.  The account containers below are hard-coded
 * strings rather than coming from the map, so a deployment with a non-standard
 * tree layout would see all such members skipped - presumably intended, since
 * FreeIPA's layout is fixed, but worth confirming.
 */
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina#define MATCHDN(cat) SUDO_DN_CN, (cat), SUDO_DN_CN, SUDO_DN_CONTAINER
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina#define MATCHDN_CMDGROUPS MATCHDN(SUDO_DN_CMDGROUPS)
/* Sudo command groups: keyed on the configured command-group name attribute. */
84060f52e782b079337ee7a99bb7ad17e8c84fbbPavel Březina#define MATCHRDN_CMDGROUPS(map) (map)[IPA_AT_SUDOCMDGROUP_NAME].name, MATCHDN_CMDGROUPS
/* Sudo commands: the RDN attribute is a parameter because callers in this
 * file try more than one (a UUID-based RDN first, then a fallback noted as
 * being for FreeIPA older than 3.1). */
84060f52e782b079337ee7a99bb7ad17e8c84fbbPavel Březina#define MATCHRDN_CMDS(attr, map) (map)[attr].name, MATCHDN_CMDS
/* Users, groups, hosts and host groups under the fixed IPA accounts tree. */
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina#define MATCHRDN_USER(map) (map)[SDAP_AT_USER_NAME].name, "cn", "users", "cn", "accounts"
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina#define MATCHRDN_GROUP(map) (map)[SDAP_AT_GROUP_NAME].name, "cn", "groups", "cn", "accounts"
/* Hosts key on the FQDN attribute, not a plain name attribute like the rest. */
60a715a0dd79873d2d2607eab8fdfaf0ffd2e7d3Hristo Venev#define MATCHRDN_HOST(map) (map)[SDAP_AT_HOST_FQDN].name, "cn", "computers", "cn", "accounts"
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina#define MATCHRDN_HOSTGROUP(map) (map)[IPA_AT_HOSTGROUP_NAME].name, "cn", "hostgroups", "cn", "accounts"
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březinaipa_sudo_dn_list_count(struct ipa_sudo_dn_list *list)
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina for (i = 0, item = list; item != NULL; item = item->next, i++) {
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina const char *key,
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina /* If value is NULL we don't want to override existing entry. */
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina if (value == NULL && hash_has_key(table, &hkey)) {
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina const char *key)
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina DEBUG(SSSDBG_OP_FAILURE, "Key not found %s\n", key);
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina DEBUG(SSSDBG_CRIT_FAILURE, "Unable to lookup value [%d]\n", hret);
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina const char *dn)
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina item = talloc_zero(mem_ctx, struct ipa_sudo_dn_list);
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina DEBUG(SSSDBG_CRIT_FAILURE, "Unable to store DN %s [%d]: %s\n",
84060f52e782b079337ee7a99bb7ad17e8c84fbbPavel Březinastatic bool is_ipacmdgroup(struct ipa_sudo_conv *conv, const char *dn)
84060f52e782b079337ee7a99bb7ad17e8c84fbbPavel Březina return false;
84060f52e782b079337ee7a99bb7ad17e8c84fbbPavel Březinastatic bool is_ipacmd(struct ipa_sudo_conv *conv, const char *dn)
84060f52e782b079337ee7a99bb7ad17e8c84fbbPavel Březina MATCHRDN_CMDS(IPA_AT_SUDOCMD_UUID, conv->map_cmd))) {
84060f52e782b079337ee7a99bb7ad17e8c84fbbPavel Březina /* For older versions of FreeIPA than 3.1. */
84060f52e782b079337ee7a99bb7ad17e8c84fbbPavel Březina MATCHRDN_CMDS(IPA_AT_SUDOCMD_CMD, conv->map_cmd))) {
84060f52e782b079337ee7a99bb7ad17e8c84fbbPavel Březina return false;
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina ret = sysdb_attrs_get_string_array(rule, attr, tmp_ctx, &members);
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina ret = store_rulemember(mem_ctx, &rulemember->cmdgroups,
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina DEBUG(SSSDBG_TRACE_INTERNAL, "Found sudo command group %s\n",
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina ret = store_rulemember(mem_ctx, &rulemember->cmds,
b0c4eb194cf1414d3440e0cccfb9af9074388c08Pavel Březina DEBUG(SSSDBG_TRACE_INTERNAL, "Found sudo command %s\n",
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina DEBUG(SSSDBG_MINOR_FAILURE, "Invalid member DN %s, skipping...\n",
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina return process_rulemember(rule, conv, &rule->allow, rule->attrs,
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina return process_rulemember(rule, conv, &rule->deny, rule->attrs,
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březinaprocess_cmdgroupmember(struct ipa_sudo_conv *conv,
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina ret = sysdb_attrs_get_string_array(attrs, SYSDB_MEMBER, tmp_ctx, &members);
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina ret = ipa_sudo_conv_store(conv->cmds, members[i], NULL);
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina DEBUG(SSSDBG_TRACE_INTERNAL, "Found sudo command %s\n",
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina DEBUG(SSSDBG_CRIT_FAILURE, "Unable to store DN [%d]: %s\n",
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina item = talloc_zero(tmp_ctx, struct ipa_sudo_dn_list);
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina conv = talloc_zero(mem_ctx, struct ipa_sudo_conv);
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina ret = sss_hash_create(conv, 20, &conv->rules);
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create hash table [%d]: %s\n",
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina ret = sss_hash_create(conv, 20, &conv->cmdgroups);
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create hash table [%d]: %s\n",
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create hash table [%d]: %s\n",
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březinaipa_sudo_conv_rules(struct ipa_sudo_conv *conv,
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina /* We're done here. */
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina for (i = 0; i < num_rules; i++) {
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina ret = sysdb_attrs_get_string(rules[i], SYSDB_NAME, &key);
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina DEBUG(SSSDBG_MINOR_FAILURE, "Failed to get rule name, skipping "
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina rule = talloc_zero(conv->rules, struct ipa_sudo_rule);
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina DEBUG(SSSDBG_OP_FAILURE, "Failed to process memberAllowCmd "
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina DEBUG(SSSDBG_OP_FAILURE, "Failed to process memberDenyCmd "
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina ret = ipa_sudo_conv_store(conv->rules, key, rule);
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina DEBUG(SSSDBG_OP_FAILURE, "Failed to store rule into table "
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březinaipa_sudo_conv_cmdgroups(struct ipa_sudo_conv *conv,
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina /* We're done here. */
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina for (i = 0; i < num_cmdgroups; i++) {
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina ret = sysdb_attrs_get_string(cmdgroups[i], SYSDB_ORIG_DN, &key);
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina DEBUG(SSSDBG_MINOR_FAILURE, "Failed to get command group DN, "
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina "skipping [%d]: %s\n", ret, sss_strerror(ret));
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina cmdgroup = talloc_zero(conv->cmdgroups, struct ipa_sudo_cmdgroup);
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina ret = process_cmdgroupmember(conv, cmdgroup, cmdgroups[i]);
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina DEBUG(SSSDBG_OP_FAILURE, "Failed to process member "
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina ret = ipa_sudo_conv_store(conv->cmdgroups, key, cmdgroup);
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina DEBUG(SSSDBG_OP_FAILURE, "Failed to store command group into "
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina /* We're done here. */
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina for (i = 0; i < num_cmds; i++) {
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina ret = sysdb_attrs_get_string(cmds[i], SYSDB_ORIG_DN, &key);
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina DEBUG(SSSDBG_MINOR_FAILURE, "Failed to get command DN, skipping "
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina ret = sysdb_attrs_get_string(cmds[i], SYSDB_IPA_SUDOCMD_SUDOCMD, &cmd);
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina DEBUG(SSSDBG_MINOR_FAILURE, "Failed to get command, skipping "
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina ret = ipa_sudo_conv_store(conv->cmds, key, discard_const(cmd));
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina DEBUG(SSSDBG_OP_FAILURE, "Failed to store command into table "
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březinaipa_sudo_conv_has_cmdgroups(struct ipa_sudo_conv *conv)
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březinaipa_sudo_conv_has_cmds(struct ipa_sudo_conv *conv)
bc854800cc67271205d63136daaf68d7863cea6bJustin Stephensonipa_sudo_cmdgroups_exceed_threshold(struct ipa_sudo_conv *conv, int threshold)
bc854800cc67271205d63136daaf68d7863cea6bJustin Stephenson return (hash_count(conv->cmdgroups)) > threshold;
bc854800cc67271205d63136daaf68d7863cea6bJustin Stephensonipa_sudo_cmds_exceed_threshold(struct ipa_sudo_conv *conv, int threshold)
bc854800cc67271205d63136daaf68d7863cea6bJustin Stephenson return (hash_count(conv->cmds)) > threshold;
84060f52e782b079337ee7a99bb7ad17e8c84fbbPavel Březinatypedef errno_t (*ipa_sudo_conv_rdn_fn)(TALLOC_CTX *mem_ctx,
84060f52e782b079337ee7a99bb7ad17e8c84fbbPavel Březina const char *dn,
84060f52e782b079337ee7a99bb7ad17e8c84fbbPavel Březina const char **_rdn_attr);
84060f52e782b079337ee7a99bb7ad17e8c84fbbPavel Březinastatic errno_t get_sudo_cmdgroup_rdn(TALLOC_CTX *mem_ctx,
84060f52e782b079337ee7a99bb7ad17e8c84fbbPavel Březina const char *dn,
84060f52e782b079337ee7a99bb7ad17e8c84fbbPavel Březina ret = ipa_get_rdn(mem_ctx, sysdb, dn, &rdn_val,
84060f52e782b079337ee7a99bb7ad17e8c84fbbPavel Březina *_rdn_attr = map[IPA_AT_SUDOCMDGROUP_NAME].name;
84060f52e782b079337ee7a99bb7ad17e8c84fbbPavel Březinastatic errno_t get_sudo_cmd_rdn(TALLOC_CTX *mem_ctx,
84060f52e782b079337ee7a99bb7ad17e8c84fbbPavel Březina const char *dn,
84060f52e782b079337ee7a99bb7ad17e8c84fbbPavel Březina ret = ipa_get_rdn(mem_ctx, sysdb, dn, &rdn_val,
84060f52e782b079337ee7a99bb7ad17e8c84fbbPavel Březina /* For older versions of FreeIPA than 3.1. */
84060f52e782b079337ee7a99bb7ad17e8c84fbbPavel Březina ret = ipa_get_rdn(mem_ctx, sysdb, dn, &rdn_val,
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina unsigned long int i;
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina for (i = 0; i < count; i++) {
84060f52e782b079337ee7a99bb7ad17e8c84fbbPavel Březina ret = rdn_fn(tmp_ctx, map, sysdb, keys[i].str, &rdn_val, &rdn_attr);
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get member %s [%d]: %s\n",
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina ret = sss_filter_sanitize(tmp_ctx, rdn_val, &safe_rdn);
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina DEBUG(SSSDBG_CRIT_FAILURE, "Unable to sanitize DN "
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina filter = talloc_asprintf_append(filter, "(%s=%s)", rdn_attr, safe_rdn);
84060f52e782b079337ee7a99bb7ad17e8c84fbbPavel Březina /* objectClass is always first */
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina filter = talloc_asprintf(filter, "(&(objectClass=%s)(|%s))",
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březinaipa_sudo_conv_cmdgroup_filter(TALLOC_CTX *mem_ctx,
bc854800cc67271205d63136daaf68d7863cea6bJustin Stephenson if (ipa_sudo_cmdgroups_exceed_threshold(conv, cmd_threshold)) {
bc854800cc67271205d63136daaf68d7863cea6bJustin Stephenson "Command threshold [%d] exceeded, retrieving all sudo command "
bc854800cc67271205d63136daaf68d7863cea6bJustin Stephenson return talloc_asprintf(mem_ctx, "(objectClass=%s)",
bc854800cc67271205d63136daaf68d7863cea6bJustin Stephenson return build_filter(mem_ctx, conv->dom->sysdb, conv->cmdgroups,
bc854800cc67271205d63136daaf68d7863cea6bJustin Stephenson conv->map_cmdgroup, get_sudo_cmdgroup_rdn);
bc854800cc67271205d63136daaf68d7863cea6bJustin Stephenson if (ipa_sudo_cmdgroups_exceed_threshold(conv, cmd_threshold)) {
bc854800cc67271205d63136daaf68d7863cea6bJustin Stephenson "Command threshold [%d] exceeded, retrieving all sudo commands\n",
bc854800cc67271205d63136daaf68d7863cea6bJustin Stephenson return talloc_asprintf(mem_ctx, "(objectClass=%s)",
bc854800cc67271205d63136daaf68d7863cea6bJustin Stephenson return build_filter(mem_ctx, conv->dom->sysdb, conv->cmds,
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březinastatic const char *
64497d479e92ebc34717c20c3d017f1823f9e630Jakub Hrozek ret = ipa_get_rdn(mem_ctx, conv->dom->sysdb, value, &rdn,
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina DEBUG(SSSDBG_OP_FAILURE, "ipa_get_rdn() failed on value %s [%d]: %s\n",
64497d479e92ebc34717c20c3d017f1823f9e630Jakub Hrozek ret = ipa_get_rdn(mem_ctx, conv->dom->sysdb, value, &rdn,
d0aae3c1e87e2e51ab178b7b343261443094a974Justin Stephenson DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected DN %s: Skipping\n", value);
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina DEBUG(SSSDBG_OP_FAILURE, "ipa_get_rdn() failed on value %s [%d]: %s\n",
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březinastatic const char *
64497d479e92ebc34717c20c3d017f1823f9e630Jakub Hrozek ret = ipa_get_rdn(mem_ctx, conv->dom->sysdb, value, &rdn,
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina DEBUG(SSSDBG_OP_FAILURE, "ipa_get_rdn() failed on value %s [%d]: %s\n",
64497d479e92ebc34717c20c3d017f1823f9e630Jakub Hrozek ret = ipa_get_rdn(mem_ctx, conv->dom->sysdb, value, &rdn,
d0aae3c1e87e2e51ab178b7b343261443094a974Justin Stephenson DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected DN %s: Skipping\n", value);
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina DEBUG(SSSDBG_OP_FAILURE, "ipa_get_rdn() failed on value %s [%d]: %s\n",
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina group = talloc_asprintf(mem_ctx, "%%%s", rdn);
64497d479e92ebc34717c20c3d017f1823f9e630Jakub Hrozekstatic const char *
d0aae3c1e87e2e51ab178b7b343261443094a974Justin Stephenson shortname = convert_user(mem_ctx, conv, value, skip_entry);
64497d479e92ebc34717c20c3d017f1823f9e630Jakub Hrozek fqdn = sss_create_internal_fqname(mem_ctx, shortname, conv->dom->name);
0f6b5b02afb35caae774ff4d52854a844d49f52eJakub Hrozekstatic const char *
0f6b5b02afb35caae774ff4d52854a844d49f52eJakub Hrozek return sss_create_internal_fqname(mem_ctx, value, conv->dom->name);
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březinastatic const char *
64497d479e92ebc34717c20c3d017f1823f9e630Jakub Hrozek ret = ipa_get_rdn(mem_ctx, conv->dom->sysdb, value, &rdn,
d0aae3c1e87e2e51ab178b7b343261443094a974Justin Stephenson DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected DN %s: Skipping\n", value);
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina DEBUG(SSSDBG_OP_FAILURE, "ipa_get_rdn() failed on value %s [%d]: %s\n",
a7d2b4f157194c14bc4a40c74f6416b82befa460Pavel Březinastatic const char *
a7d2b4f157194c14bc4a40c74f6416b82befa460Pavel Březina return talloc_asprintf(mem_ctx, "%%%s", value);
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březinastatic const char *
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina static struct {
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina } table[] = {{SYSDB_NAME, SYSDB_SUDO_CACHE_AT_CN , NULL},
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina {SYSDB_IPA_SUDORULE_HOST, SYSDB_SUDO_CACHE_AT_HOST , convert_host},
64497d479e92ebc34717c20c3d017f1823f9e630Jakub Hrozek {SYSDB_IPA_SUDORULE_USER, SYSDB_SUDO_CACHE_AT_USER , convert_user_fqdn},
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina {SYSDB_IPA_SUDORULE_RUNASUSER, SYSDB_SUDO_CACHE_AT_RUNASUSER , convert_user},
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina {SYSDB_IPA_SUDORULE_RUNASGROUP, SYSDB_SUDO_CACHE_AT_RUNASGROUP , convert_group},
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina {SYSDB_IPA_SUDORULE_OPTION, SYSDB_SUDO_CACHE_AT_OPTION , NULL},
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina {SYSDB_IPA_SUDORULE_NOTAFTER, SYSDB_SUDO_CACHE_AT_NOTAFTER , NULL},
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina {SYSDB_IPA_SUDORULE_NOTBEFORE, SYSDB_SUDO_CACHE_AT_NOTBEFORE , NULL},
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina {SYSDB_IPA_SUDORULE_SUDOORDER, SYSDB_SUDO_CACHE_AT_ORDER , NULL},
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina {SYSDB_IPA_SUDORULE_CMDCATEGORY, SYSDB_SUDO_CACHE_AT_COMMAND , convert_cat},
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina {SYSDB_IPA_SUDORULE_HOSTCATEGORY, SYSDB_SUDO_CACHE_AT_HOST , convert_cat},
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina {SYSDB_IPA_SUDORULE_USERCATEGORY, SYSDB_SUDO_CACHE_AT_USER , convert_cat},
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina {SYSDB_IPA_SUDORULE_RUNASUSERCATEGORY, SYSDB_SUDO_CACHE_AT_RUNASUSER , convert_cat},
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina {SYSDB_IPA_SUDORULE_RUNASGROUPCATEGORY, SYSDB_SUDO_CACHE_AT_RUNASGROUP , convert_cat},
a7d2b4f157194c14bc4a40c74f6416b82befa460Pavel Březina {SYSDB_IPA_SUDORULE_RUNASEXTUSER, SYSDB_SUDO_CACHE_AT_RUNASUSER , NULL},
a7d2b4f157194c14bc4a40c74f6416b82befa460Pavel Březina {SYSDB_IPA_SUDORULE_RUNASEXTGROUP, SYSDB_SUDO_CACHE_AT_RUNASGROUP , NULL},
a7d2b4f157194c14bc4a40c74f6416b82befa460Pavel Březina {SYSDB_IPA_SUDORULE_RUNASEXTUSERGROUP, SYSDB_SUDO_CACHE_AT_RUNASUSER , convert_runasextusergroup},
0f6b5b02afb35caae774ff4d52854a844d49f52eJakub Hrozek {SYSDB_IPA_SUDORULE_EXTUSER, SYSDB_SUDO_CACHE_AT_USER , convert_ext_user},
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina {SYSDB_IPA_SUDORULE_ALLOWCMD, SYSDB_IPA_SUDORULE_ORIGCMD , NULL},
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina {SYSDB_IPA_SUDORULE_DENYCMD, SYSDB_IPA_SUDORULE_ORIGCMD , NULL},
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina ret = sysdb_attrs_get_string_array(rule->attrs, table[i].ipa,
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina DEBUG(SSSDBG_CRIT_FAILURE, "Unable to read attribute "
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina "%s [%d]: %s\n", table[i].ipa, ret, sss_strerror(ret));
d0aae3c1e87e2e51ab178b7b343261443094a974Justin Stephenson value = table[i].conv_fn(tmp_ctx, conv, values[j], &skip_entry);
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina ret = sysdb_attrs_add_string_safe(attrs, table[i].sudo, value);
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina DEBUG(SSSDBG_CRIT_FAILURE, "Unable to add attribute "
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina "%s [%d]: %s\n", table[i].sudo, ret, sss_strerror(ret));
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březinastatic const char **
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina values = talloc_zero_array(tmp_ctx, const char *, 1);
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina cmdgroup = ipa_sudo_conv_lookup(conv->cmdgroups, listitem->dn);
e547eb597ade731f49b679ce264bbfd907363ff8Lukas Slebodnik "ipa_sudo_conv_lookup failed for DN:%s\n", listitem->dn);
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina ret = add_strings_lists(mem_ctx, values, cmdgroup->expanded,
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březinastatic const char **
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina values = talloc_zero_array(mem_ctx, const char *, count + 1);
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina command = ipa_sudo_conv_lookup(conv->cmds, listitem->dn);
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina cmds[0] = combine_cmdgroups(tmp_ctx, conv, mlist->cmdgroups);
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina cmds[1] = combine_cmds(tmp_ctx, conv, mlist->cmds);
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina for (i = 0; i < 2; i++) {
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina command = talloc_asprintf(tmp_ctx, "%c%s", prefix, cmds[i][j]);
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina DEBUG(SSSDBG_CRIT_FAILURE, "Unable to add attribute "
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březinaconvert_sudocommand(struct ipa_sudo_conv *conv,
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina ret = build_sudocommand(conv, &rule->allow, attrs, '\0');
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina DEBUG(SSSDBG_CRIT_FAILURE, "Unable to build allow commands "
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina ret = build_sudocommand(conv, &rule->deny, attrs, '!');
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina DEBUG(SSSDBG_CRIT_FAILURE, "Unable to build deny commands "
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina struct ipa_sudo_conv_result_ctx *ctx = user_data;
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina DEBUG(SSSDBG_CRIT_FAILURE, "Bug: ctx is NULL\n");
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina return false;
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina DEBUG(SSSDBG_CRIT_FAILURE, "Bug: rule is NULL\n");
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina return false;
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina return false;
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina ctx->ret = convert_attributes(ctx->conv, rule, attrs);
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina DEBUG(SSSDBG_OP_FAILURE, "Unable to convert attributes [%d]: %s\n",
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina return false;
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina ctx->ret = convert_sudocommand(ctx->conv, rule, attrs);
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina DEBUG(SSSDBG_OP_FAILURE, "Unable to build sudoCommand [%d]: %s\n",
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina return false;
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina struct ipa_sudo_conv_result_ctx *ctx = user_data;
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina struct ipa_sudo_cmdgroup *cmdgroup = item->value.ptr;
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina DEBUG(SSSDBG_CRIT_FAILURE, "Bug: ctx is NULL\n");
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina return false;
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina DEBUG(SSSDBG_CRIT_FAILURE, "Bug: rule is NULL\n");
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina return false;
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina values = combine_cmds(cmdgroup, ctx->conv, cmdgroup->cmds);
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina DEBUG(SSSDBG_CRIT_FAILURE, "Unable to expand commands\n");
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina return false;
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina /* If there are no cmdgroups the iterator is not called and ctx.ret is
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina * uninitialized. Since it is ok that there are no cmdgroups initializing
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina * ctx.ret to EOK. */
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina /* Expand commands in command groups. */
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina hret = hash_iterate(conv->cmdgroups, cmdgroups_iterator, &ctx);
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina DEBUG(SSSDBG_OP_FAILURE, "Unable to iterate over command groups "
9630a4614ba4d5f68e967d4e108893550a996f30Pavel Březina DEBUG(SSSDBG_CRIT_FAILURE, "Unable to expand command groups "
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina "[%d]: %s\n", ctx.ret, sss_strerror(ctx.ret));
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina /* Convert rules. */
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina rules = talloc_zero_array(mem_ctx, struct sysdb_attrs *, num_rules);
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina hret = hash_iterate(conv->rules, rules_iterator, &ctx);
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina DEBUG(SSSDBG_OP_FAILURE, "Unable to iterate over rules [%d]\n", hret);
a641a13889d617aca6bd998025e9087e822ff7f0Pavel Březina DEBUG(SSSDBG_CRIT_FAILURE, "Unable to convert rules [%d]: %s\n",