/*
    SSSD

    Kerberos 5 Backend Module -- Request a TGT when the system gets online

    Authors:
        Sumit Bose <sbose@redhat.com>

    Copyright (C) 2010 Red Hat

    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; either version 3 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program.  If not, see <http://www.gnu.org/licenses/>.
*/

02e38eae1b9cb5df2036a707dafd86f6047c17deSumit Bose#include <security/pam_modules.h>
02e38eae1b9cb5df2036a707dafd86f6047c17deSumit Bose#ifdef USE_KEYRING
02e38eae1b9cb5df2036a707dafd86f6047c17deSumit Bose#include <sys/types.h>
02e38eae1b9cb5df2036a707dafd86f6047c17deSumit Bose#include <keyutils.h>
02e38eae1b9cb5df2036a707dafd86f6047c17deSumit Bose#endif
f7257ab0bcea6c41fab5a4677787f3075ecdcb64Pavel Reichl#include <dhash.h>
02e38eae1b9cb5df2036a707dafd86f6047c17deSumit Bose
02e38eae1b9cb5df2036a707dafd86f6047c17deSumit Bose#include "providers/krb5/krb5_auth.h"
02e38eae1b9cb5df2036a707dafd86f6047c17deSumit Bose#include "util/util.h"
02e38eae1b9cb5df2036a707dafd86f6047c17deSumit Bose#include "util/find_uid.h"
02e38eae1b9cb5df2036a707dafd86f6047c17deSumit Bose
/* Initial bucket count for the per-uid table of parked requests. */
#define INITIAL_USER_TABLE_SIZE 10

/* Per-backend state for delayed online authentication.  One instance is
 * created by init_delayed_online_authentication() and stored in
 * krb5_ctx->deferred_auth_ctx. */
struct deferred_auth_ctx {
    /* uid (HASH_KEY_ULONG) -> struct pam_data * (HASH_VALUE_PTR); the
     * pam_data copies are talloc children of this context until they are
     * handed to a struct auth_data or discarded. */
    hash_table_t *user_table;
    struct be_ctx *be_ctx;
    struct tevent_context *ev;
    struct krb5_ctx *krb5_ctx;
};

/* Per-user data handed to the timer that runs one online authentication. */
struct auth_data {
    struct be_ctx *be_ctx;
    struct krb5_ctx *krb5_ctx;
    /* talloc_steal()ed under this struct; freed together with it. */
    struct pam_data *pd;
};
02e38eae1b9cb5df2036a707dafd86f6047c17deSumit Bose
/* dhash allocator callback: draw table memory from the talloc context that
 * was registered as the allocator's private data in hash_create_ex(). */
static void *hash_talloc(const size_t size, void *pvt)
{
    void *mem_ctx = pvt;

    return talloc_size(mem_ctx, size);
}
02e38eae1b9cb5df2036a707dafd86f6047c17deSumit Bose
/* dhash deallocator callback; the talloc hierarchy owns the memory, so the
 * private data is not needed to release it. */
static void hash_talloc_free(void *ptr, void *pvt)
{
    (void) pvt;

    talloc_free(ptr);
}
02e38eae1b9cb5df2036a707dafd86f6047c17deSumit Bose
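static void authenticate_user_done(struct tevent_req *req);

/* Timer callback: run the online Kerberos authentication for one user whose
 * request was parked while the backend was offline.
 *
 * private_data is the struct auth_data allocated by
 * authenticate_stored_users().  It (and the pam_data it owns) is released
 * here on every failure path and by authenticate_user_done() once the
 * queued request completes.
 *
 * With USE_KEYRING the password was stored in the kernel session keyring by
 * add_user_to_delayed_online_authentication().  It is read back into the
 * auth token, the temporary buffer is wiped, and the key is revoked in all
 * cases so the kernel copy does not outlive this call.
 */
static void authenticate_user(struct tevent_context *ev,
                              struct tevent_timer *te,
                              struct timeval current_time,
                              void *private_data)
{
    struct auth_data *auth_data = talloc_get_type(private_data,
                                                  struct auth_data);
    struct pam_data *pd = auth_data->pd;
    struct tevent_req *req;

    DEBUG_PAM_DATA(SSSDBG_TRACE_ALL, pd);

#ifdef USE_KEYRING
    char *password;
    long keysize;
    long keyrevoke;
    errno_t ret;
    errno_t revoke_err;

    keysize = keyctl_read_alloc(pd->key_serial, (void **)&password);
    if (keysize == -1) {
        ret = errno;
        DEBUG(SSSDBG_CRIT_FAILURE,
              "keyctl_read failed [%d][%s].\n", ret, strerror(ret));
        /* Nothing to authenticate with; drop the parked request instead of
         * leaving auth_data (and pd) attached to be_ctx. */
        talloc_free(auth_data);
        return;
    }

    ret = sss_authtok_set_password(pd->authtok, password, keysize);
    /* Wipe the plaintext buffer before handing it back to the allocator. */
    safezero(password, keysize);
    free(password);

    /* Revoke the key whether or not the copy into the auth token succeeded:
     * the keyring entry has served its purpose and must not keep holding
     * the password. */
    keyrevoke = keyctl_revoke(pd->key_serial);
    if (keyrevoke == -1) {
        revoke_err = errno;
        DEBUG(SSSDBG_CRIT_FAILURE,
              "keyctl_revoke failed [%d][%s].\n",
              revoke_err, strerror(revoke_err));
    }

    if (ret) {
        DEBUG(SSSDBG_CRIT_FAILURE,
              "failed to set password in auth token [%d][%s].\n",
              ret, strerror(ret));
        talloc_free(auth_data);
        return;
    }
#endif

    req = krb5_auth_queue_send(auth_data, ev, auth_data->be_ctx,
                               auth_data->pd, auth_data->krb5_ctx);
    if (req == NULL) {
        DEBUG(SSSDBG_CRIT_FAILURE, "krb5_auth_send failed.\n");
        talloc_free(auth_data);
        return;
    }

    tevent_req_set_callback(req, authenticate_user_done, auth_data);
}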
02e38eae1b9cb5df2036a707dafd86f6047c17deSumit Bose
/* Completion callback for the queued krb5 auth request started by
 * authenticate_user(): log the outcome and release the per-user data. */
static void authenticate_user_done(struct tevent_req *req)
{
    struct auth_data *auth_data = tevent_req_callback_data(req,
                                                           struct auth_data);
    const char *user = auth_data->pd->user;
    int pam_status = PAM_SYSTEM_ERR;
    int dp_err = DP_ERR_OK;
    int ret;

    ret = krb5_auth_queue_recv(req, &pam_status, &dp_err);
    talloc_free(req);

    if (ret != 0) {
        DEBUG(SSSDBG_CRIT_FAILURE, "krb5_auth request failed.\n");
    } else if (pam_status == PAM_SUCCESS) {
        DEBUG(SSSDBG_CONF_SETTINGS,
              "Successfully authenticated user [%s].\n", user);
    } else {
        DEBUG(SSSDBG_CRIT_FAILURE, "Failed to authenticate user [%s].\n",
              user);
    }

    /* Also frees the pam_data, which was talloc_steal()ed under auth_data. */
    talloc_free(auth_data);
}
02e38eae1b9cb5df2036a707dafd86f6047c17deSumit Bose
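/* Drop a parked request that will not be authenticated.  With USE_KEYRING
 * the password was stored in the session keyring by
 * add_user_to_delayed_online_authentication(); revoke that key so the
 * kernel copy does not outlive the request. */
static void discard_deferred_request(struct pam_data *pd)
{
#ifdef USE_KEYRING
    if (keyctl_revoke(pd->key_serial) == -1) {
        errno_t err = errno;
        DEBUG(SSSDBG_CRIT_FAILURE,
              "keyctl_revoke failed [%d][%s].\n", err, strerror(err));
    }
#endif
    talloc_free(pd);
}

/* Called once the backend is online: for every uid parked in
 * deferred_auth_ctx->user_table, start an online authentication if the user
 * still has a session (uid present in the freshly built uid table),
 * otherwise discard the saved pam_data.  Every visited entry is removed from
 * user_table.
 *
 * Returns EOK on success, the get_uid_table() error if the logged-in uid
 * table cannot be built, or EINVAL if no iterator could be created.
 */
static errno_t authenticate_stored_users(
                                 struct deferred_auth_ctx *deferred_auth_ctx)
{
    int ret;
    int hret;
    hash_table_t *uid_table;
    struct hash_iter_context_t *iter;
    hash_entry_t *entry;
    hash_key_t key;
    hash_value_t value;
    struct pam_data *pd;
    struct auth_data *auth_data;
    struct tevent_timer *te;

    /* get_uid_table() reports errno_t values, as checked in
     * init_delayed_online_authentication(). */
    ret = get_uid_table(deferred_auth_ctx, &uid_table);
    if (ret != EOK) {
        DEBUG(SSSDBG_CRIT_FAILURE, "get_uid_table failed.\n");
        return ret;
    }

    iter = new_hash_iter_context(deferred_auth_ctx->user_table);
    if (iter == NULL) {
        DEBUG(SSSDBG_CRIT_FAILURE, "new_hash_iter_context failed.\n");
        ret = EINVAL;
        goto done;
    }

    while ((entry = iter->next(iter)) != NULL) {
        key.type = HASH_KEY_ULONG;
        key.ul = entry->key.ul;
        pd = talloc_get_type(entry->value.ptr, struct pam_data);

        if (hash_lookup(uid_table, &key, &value) == HASH_SUCCESS) {
            DEBUG(SSSDBG_CRIT_FAILURE, "User [%s] is still logged in, "
                  "trying online authentication.\n", pd->user);

            auth_data = talloc_zero(deferred_auth_ctx->be_ctx,
                                    struct auth_data);
            if (auth_data == NULL) {
                DEBUG(SSSDBG_CRIT_FAILURE, "talloc_zero failed.\n");
                /* The table entry is removed below; do not leave pd (and
                 * its keyring key) orphaned. */
                discard_deferred_request(pd);
            } else {
                auth_data->pd = talloc_steal(auth_data, pd);
                auth_data->krb5_ctx = deferred_auth_ctx->krb5_ctx;
                auth_data->be_ctx = deferred_auth_ctx->be_ctx;

                /* The timer is a child of auth_data; authenticate_user()
                 * owns auth_data from here on and frees it when done. */
                te = tevent_add_timer(deferred_auth_ctx->ev,
                                      auth_data, tevent_timeval_current(),
                                      authenticate_user, auth_data);
                if (te == NULL) {
                    DEBUG(SSSDBG_CRIT_FAILURE, "tevent_add_timer failed.\n");
                    /* No callback will ever run for this request. */
                    discard_deferred_request(auth_data->pd);
                    talloc_free(auth_data);
                }
            }
        } else {
            DEBUG(SSSDBG_CRIT_FAILURE, "User [%s] is not logged in anymore, "
                  "discarding online authentication.\n", pd->user);
            discard_deferred_request(pd);
        }

        /* NOTE(review): deleting the current entry while iterating relies
         * on dhash tolerating it — confirm against the dhash version in use. */
        hret = hash_delete(deferred_auth_ctx->user_table, &entry->key);
        if (hret != HASH_SUCCESS) {
            DEBUG(SSSDBG_CRIT_FAILURE, "hash_delete failed [%s].\n",
                  hash_error_string(hret));
        }
    }

    talloc_free(iter);
    ret = EOK;

done:
    /* uid_table is built for this call only; release it on every path
     * (previously it was kept alive on each online transition). */
    hret = hash_destroy(uid_table);
    if (hret != HASH_SUCCESS) {
        DEBUG(SSSDBG_CRIT_FAILURE,
              "hash_destroy failed [%s].\n", hash_error_string(hret));
    }

    return ret;
}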
02e38eae1b9cb5df2036a707dafd86f6047c17deSumit Bose
/* be_add_online_cb() hook: once the backend reports it is online, replay the
 * authentication requests that were parked while it was offline. */
static void delayed_online_authentication_callback(void *private_data)
{
    struct deferred_auth_ctx *dctx = talloc_get_type(private_data,
                                                     struct deferred_auth_ctx);

    if (dctx->user_table == NULL) {
        DEBUG(SSSDBG_CRIT_FAILURE, "Delayed online authentication activated, "
              "but user table does not exists.\n");
        return;
    }

    DEBUG(SSSDBG_FUNC_DATA,
          "Backend is online, starting delayed online authentication.\n");

    if (authenticate_stored_users(dctx) != EOK) {
        DEBUG(SSSDBG_CRIT_FAILURE, "authenticate_stored_users failed.\n");
    }
}
02e38eae1b9cb5df2036a707dafd86f6047c17deSumit Bose
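/* Park an authentication request until the backend is online again.
 *
 * A private copy of pd is stored in deferred_auth_ctx->user_table under the
 * user's uid.  With USE_KEYRING the password is moved out of that copy into
 * a "user" key in the session keyring (serial kept in new_pd->key_serial)
 * and the copied auth token is emptied, so the plaintext is not held in
 * process memory while waiting.
 *
 * Returns EOK on success; ENOTSUP for non-POSIX domains; EINVAL when the
 * deferred-auth context or its table is missing or the token is not a
 * password; ENOMEM when the copy or the table insert fails; an errno value
 * when a keyring operation fails.
 */
errno_t add_user_to_delayed_online_authentication(struct krb5_ctx *krb5_ctx,
                                                  struct sss_domain_info *domain,
                                                  struct pam_data *pd,
                                                  uid_t uid)
{
    int ret;
    hash_key_t key;
    hash_value_t value;
    struct pam_data *new_pd;

    if (domain->type != DOM_TYPE_POSIX) {
        DEBUG(SSSDBG_MINOR_FAILURE,
              "Domain type does not support delayed authentication\n");
        return ENOTSUP;
    }

    if (krb5_ctx->deferred_auth_ctx == NULL) {
        DEBUG(SSSDBG_CRIT_FAILURE,
              "Missing context for delayed online authentication.\n");
        return EINVAL;
    }

    if (krb5_ctx->deferred_auth_ctx->user_table == NULL) {
        DEBUG(SSSDBG_CRIT_FAILURE, "user_table not available.\n");
        return EINVAL;
    }

    if (sss_authtok_get_type(pd->authtok) != SSS_AUTHTOK_TYPE_PASSWORD) {
        DEBUG(SSSDBG_CRIT_FAILURE,
              "Invalid authtok for user [%s].\n", pd->user);
        return EINVAL;
    }

    ret = copy_pam_data(krb5_ctx->deferred_auth_ctx, pd, &new_pd);
    if (ret != EOK) {
        DEBUG(SSSDBG_CRIT_FAILURE, "copy_pam_data failed\n");
        return ENOMEM;
    }

#ifdef USE_KEYRING
    const char *password;
    size_t len;

    ret = sss_authtok_get_password(new_pd->authtok, &password, &len);
    if (ret) {
        DEBUG(SSSDBG_CRIT_FAILURE,
              "Failed to get password [%d][%s].\n", ret, strerror(ret));
        sss_authtok_set_empty(new_pd->authtok);
        talloc_free(new_pd);
        return ret;
    }

    new_pd->key_serial = add_key("user", new_pd->user, password, len,
                                 KEY_SPEC_SESSION_KEYRING);
    if (new_pd->key_serial == -1) {
        ret = errno;
        DEBUG(SSSDBG_CRIT_FAILURE,
              "add_key failed [%d][%s].\n", ret, strerror(ret));
        sss_authtok_set_empty(new_pd->authtok);
        talloc_free(new_pd);
        return ret;
    }
    DEBUG(SSSDBG_TRACE_ALL,
          "Saved authtok of user [%s] with serial [%"SPRIkey_ser"].\n",
          new_pd->user, new_pd->key_serial);
    /* The keyring now holds the password; 'password' points into the token
     * and must not be used once it is emptied. */
    sss_authtok_set_empty(new_pd->authtok);
#endif

    key.type = HASH_KEY_ULONG;
    key.ul = uid;
    value.type = HASH_VALUE_PTR;
    value.ptr = new_pd;

    /* NOTE(review): hash_create_ex() in init_delayed_online_authentication()
     * registers no delete callback, so a second request for the same uid
     * presumably replaces the stored pointer without freeing the earlier
     * copy — confirm against dhash's replace semantics. */
    ret = hash_enter(krb5_ctx->deferred_auth_ctx->user_table,
                     &key, &value);
    if (ret != HASH_SUCCESS) {
        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot add user [%s] to table [%s], "
              "delayed online authentication not possible.\n",
              pd->user, hash_error_string(ret));
#ifdef USE_KEYRING
        /* The request is dropped; do not leave the password in the keyring. */
        if (keyctl_revoke(new_pd->key_serial) == -1) {
            ret = errno;
            DEBUG(SSSDBG_CRIT_FAILURE,
                  "keyctl_revoke failed [%d][%s].\n", ret, strerror(ret));
        }
#endif
        talloc_free(new_pd);
        return ENOMEM;
    }

    DEBUG(SSSDBG_TRACE_ALL, "Added user [%s] successfully to "
          "delayed online authentication.\n", pd->user);

    return EOK;
}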
02e38eae1b9cb5df2036a707dafd86f6047c17deSumit Bose
/* Set up delayed online authentication for a krb5 backend.
 *
 * Probes get_uid_table() once so that an unsupported system is reported at
 * start-up rather than at the first online transition, creates the
 * deferred-auth context and its uid -> pam_data table under krb5_ctx, and
 * registers delayed_online_authentication_callback() as an online callback.
 *
 * Returns EOK; the get_uid_table() error (ENOSYS on unsupported systems);
 * EFAULT if the probe table cannot be destroyed; ENOMEM on allocation or
 * table creation failure; or the be_add_online_cb() error.  On any failure
 * after the context was allocated, krb5_ctx->deferred_auth_ctx is freed and
 * reset to NULL.
 */
errno_t init_delayed_online_authentication(struct krb5_ctx *krb5_ctx,
                                           struct be_ctx *be_ctx,
                                           struct tevent_context *ev)
{
    struct deferred_auth_ctx *dctx;
    hash_table_t *probe_table;
    int ret;

    ret = get_uid_table(krb5_ctx, &probe_table);
    if (ret == ENOSYS) {
        DEBUG(SSSDBG_FATAL_FAILURE,
              "Delayed online auth was requested on an unsupported system.\n");
        return ret;
    } else if (ret != EOK) {
        DEBUG(SSSDBG_FATAL_FAILURE,
              "Delayed online auth was requested but initialisation failed.\n");
        return ret;
    }

    ret = hash_destroy(probe_table);
    if (ret != HASH_SUCCESS) {
        DEBUG(SSSDBG_CRIT_FAILURE,
              "hash_destroy failed [%s].\n", hash_error_string(ret));
        return EFAULT;
    }

    dctx = talloc_zero(krb5_ctx, struct deferred_auth_ctx);
    krb5_ctx->deferred_auth_ctx = dctx;
    if (dctx == NULL) {
        DEBUG(SSSDBG_CRIT_FAILURE, "talloc_zero failed.\n");
        return ENOMEM;
    }

    dctx->be_ctx = be_ctx;
    dctx->krb5_ctx = krb5_ctx;
    dctx->ev = ev;

    /* Table memory comes from dctx via hash_talloc(); no delete callback. */
    ret = hash_create_ex(INITIAL_USER_TABLE_SIZE, &dctx->user_table,
                         0, 0, 0, 0, hash_talloc, hash_talloc_free,
                         dctx, NULL, NULL);
    if (ret != HASH_SUCCESS) {
        DEBUG(SSSDBG_CRIT_FAILURE,
              "hash_create_ex failed [%s]\n", hash_error_string(ret));
        ret = ENOMEM;
        goto fail;
    }

    ret = be_add_online_cb(krb5_ctx, be_ctx,
                           delayed_online_authentication_callback,
                           dctx, NULL);
    if (ret != EOK) {
        DEBUG(SSSDBG_CRIT_FAILURE, "be_add_online_cb failed.\n");
        goto fail;
    }

    /* TODO: add destructor */

    return EOK;

fail:
    talloc_zfree(krb5_ctx->deferred_auth_ctx);
    return ret;
}