1dd679584241a0f9b29072c7eed1c5c5e4a577e4Simo Sorce Secrets Responder
1dd679584241a0f9b29072c7eed1c5c5e4a577e4Simo Sorce Copyright (C) Simo Sorce <ssorce@redhat.com> 2016
1dd679584241a0f9b29072c7eed1c5c5e4a577e4Simo Sorce This program is free software; you can redistribute it and/or modify
1dd679584241a0f9b29072c7eed1c5c5e4a577e4Simo Sorce it under the terms of the GNU General Public License as published by
1dd679584241a0f9b29072c7eed1c5c5e4a577e4Simo Sorce the Free Software Foundation; either version 3 of the License, or
1dd679584241a0f9b29072c7eed1c5c5e4a577e4Simo Sorce (at your option) any later version.
1dd679584241a0f9b29072c7eed1c5c5e4a577e4Simo Sorce This program is distributed in the hope that it will be useful,
1dd679584241a0f9b29072c7eed1c5c5e4a577e4Simo Sorce but WITHOUT ANY WARRANTY; without even the implied warranty of
1dd679584241a0f9b29072c7eed1c5c5e4a577e4Simo Sorce MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
1dd679584241a0f9b29072c7eed1c5c5e4a577e4Simo Sorce GNU General Public License for more details.
1dd679584241a0f9b29072c7eed1c5c5e4a577e4Simo Sorce You should have received a copy of the GNU General Public License
1dd679584241a0f9b29072c7eed1c5c5e4a577e4Simo Sorce along with this program. If not, see <http://www.gnu.org/licenses/>.
f35f4e4c8bd5b834504c0554552d78db3624706aFabiano Fidênciostatic int local_decrypt(struct local_context *lctx, TALLOC_CTX *mem_ctx,
625bb2ddf15e8f305a53afa44e87f2146fa930afSimo Sorce if (enctype && strcmp(enctype, "masterkey") == 0) {
7128fadade544efcd86b113a5090b00d20993671Jakub Hrozek DEBUG(SSSDBG_TRACE_INTERNAL, "Decrypting with masterkey\n");
625bb2ddf15e8f305a53afa44e87f2146fa930afSimo Sorce _secret.data = (char *)sss_base64_decode(mem_ctx, secret,
7128fadade544efcd86b113a5090b00d20993671Jakub Hrozek DEBUG(SSSDBG_OP_FAILURE, "sss_base64_decode failed\n");
625bb2ddf15e8f305a53afa44e87f2146fa930afSimo Sorce ret = sss_decrypt(mem_ctx, AES256CBC_HMAC_SHA256,
7128fadade544efcd86b113a5090b00d20993671Jakub Hrozek "sss_decrypt failed [%d]: %s\n", ret, sss_strerror(ret));
7128fadade544efcd86b113a5090b00d20993671Jakub Hrozek "Output length mismatch or output not NULL-terminated\n");
f35f4e4c8bd5b834504c0554552d78db3624706aFabiano Fidênciostatic int local_encrypt(struct local_context *lctx, TALLOC_CTX *mem_ctx,
7128fadade544efcd86b113a5090b00d20993671Jakub Hrozek DEBUG(SSSDBG_CRIT_FAILURE, "No encryption type\n");
677a31351c80453d9ce006481364399a96312052René Genz DEBUG(SSSDBG_CRIT_FAILURE, "Unknown encryption type '%s'\n", enctype);
625bb2ddf15e8f305a53afa44e87f2146fa930afSimo Sorce ret = sss_encrypt(mem_ctx, AES256CBC_HMAC_SHA256,
7128fadade544efcd86b113a5090b00d20993671Jakub Hrozek "sss_encrypt failed [%d]: %s\n", ret, sss_strerror(ret));
1dd679584241a0f9b29072c7eed1c5c5e4a577e4Simo Sorce const char *s, *e;
1dd679584241a0f9b29072c7eed1c5c5e4a577e4Simo Sorce while (s && *s) {
1dd679584241a0f9b29072c7eed1c5c5e4a577e4Simo Sorce if (e == s) {
1dd679584241a0f9b29072c7eed1c5c5e4a577e4Simo Sorce if (!ldb_dn_add_child_fmt(dn, "cn=%.*s", (int)(e - s), s)) {
7128fadade544efcd86b113a5090b00d20993671Jakub Hrozek "Local path for [%s] is [%s]\n",
f35f4e4c8bd5b834504c0554552d78db3624706aFabiano Fidênciostatic char *local_dn_to_path(TALLOC_CTX *mem_ctx,
1dd679584241a0f9b29072c7eed1c5c5e4a577e4Simo Sorce path = talloc_strndup_append_buffer(path, (char *)val->data,
1dd679584241a0f9b29072c7eed1c5c5e4a577e4Simo Sorce path = talloc_strndup(mem_ctx, (char *)val->data, val->length);
7128fadade544efcd86b113a5090b00d20993671Jakub Hrozek "Secrets path for [%s] is [%s]\n",
a8361f37af31a8a9767056bd27c418c947293f56Fabiano Fidêncio#define LOCAL_CONTAINER_FILTER "(type=container)"
f35f4e4c8bd5b834504c0554552d78db3624706aFabiano Fidênciostatic int local_db_get_simple(TALLOC_CTX *mem_ctx,
625bb2ddf15e8f305a53afa44e87f2146fa930afSimo Sorce static const char *attrs[] = { "secret", "enctype", NULL };
8bb2fcbce7c3fcfd986f1bc835fbcc43ac7cd9d1Jakub Hrozek DEBUG(SSSDBG_TRACE_FUNC, "Retrieving a secret from [%s]\n", lc_req->path);
7128fadade544efcd86b113a5090b00d20993671Jakub Hrozek "Searching for [%s] at [%s] with scope=base\n",
392f48c039d7a6d70bce6ae2d122042391653566Jakub Hrozek LOCAL_SIMPLE_FILTER, ldb_dn_get_linearized(lc_req->req_dn));
392f48c039d7a6d70bce6ae2d122042391653566Jakub Hrozek ret = ldb_search(lctx->ldb, tmp_ctx, &res, lc_req->req_dn, LDB_SCOPE_BASE,
7128fadade544efcd86b113a5090b00d20993671Jakub Hrozek "ldb_search returned [%d]: %s\n", ret, ldb_strerror(ret));
7128fadade544efcd86b113a5090b00d20993671Jakub Hrozek "Too many secrets returned with BASE search\n");
1dd679584241a0f9b29072c7eed1c5c5e4a577e4Simo Sorce attr_secret = ldb_msg_find_attr_as_string(res->msgs[0], "secret", NULL);
7128fadade544efcd86b113a5090b00d20993671Jakub Hrozek DEBUG(SSSDBG_CRIT_FAILURE, "The 'secret' attribute is missing\n");
625bb2ddf15e8f305a53afa44e87f2146fa930afSimo Sorce attr_enctype = ldb_msg_find_attr_as_string(res->msgs[0], "enctype", NULL);
625bb2ddf15e8f305a53afa44e87f2146fa930afSimo Sorce ret = local_decrypt(lctx, mem_ctx, attr_secret, attr_enctype, secret);
f35f4e4c8bd5b834504c0554552d78db3624706aFabiano Fidênciostatic int local_db_list_keys(TALLOC_CTX *mem_ctx,
8bb2fcbce7c3fcfd986f1bc835fbcc43ac7cd9d1Jakub Hrozek DEBUG(SSSDBG_TRACE_FUNC, "Listing keys at [%s]\n", lc_req->path);
7128fadade544efcd86b113a5090b00d20993671Jakub Hrozek "Searching for [%s] at [%s] with scope=subtree\n",
392f48c039d7a6d70bce6ae2d122042391653566Jakub Hrozek LOCAL_SIMPLE_FILTER, ldb_dn_get_linearized(lc_req->req_dn));
392f48c039d7a6d70bce6ae2d122042391653566Jakub Hrozek ret = ldb_search(lctx->ldb, tmp_ctx, &res, lc_req->req_dn, LDB_SCOPE_SUBTREE,
7128fadade544efcd86b113a5090b00d20993671Jakub Hrozek "ldb_search returned [%d]: %s\n", ret, ldb_strerror(ret));
7128fadade544efcd86b113a5090b00d20993671Jakub Hrozek DEBUG(SSSDBG_TRACE_LIBS, "No secrets found\n");
1dd679584241a0f9b29072c7eed1c5c5e4a577e4Simo Sorce keys = talloc_array(mem_ctx, char *, res->count);
392f48c039d7a6d70bce6ae2d122042391653566Jakub Hrozek keys[i] = local_dn_to_path(keys, lc_req->req_dn, res->msgs[i]->dn);
7128fadade544efcd86b113a5090b00d20993671Jakub Hrozek DEBUG(SSSDBG_TRACE_LIBS, "Returning %d secrets\n", res->count);
f35f4e4c8bd5b834504c0554552d78db3624706aFabiano Fidênciostatic int local_db_check_containers(TALLOC_CTX *mem_ctx,
a9d46b86993ee8d87fddf0ba50665c0b1b78ebb7Simo Sorce /* We need to exclude the leaf as that will be the new child entry,
a9d46b86993ee8d87fddf0ba50665c0b1b78ebb7Simo Sorce * We also do not care for the synthetic containers that constitute the
a9d46b86993ee8d87fddf0ba50665c0b1b78ebb7Simo Sorce * base path (cn=<uidnumber>,cn=users,cn=secrets), so in total we remove
a9d46b86993ee8d87fddf0ba50665c0b1b78ebb7Simo Sorce * 4 components */
a9d46b86993ee8d87fddf0ba50665c0b1b78ebb7Simo Sorce for (int i = 0; i < num; i++) {
a9d46b86993ee8d87fddf0ba50665c0b1b78ebb7Simo Sorce /* remove the child first (we do not want to check the leaf) */
a9d46b86993ee8d87fddf0ba50665c0b1b78ebb7Simo Sorce if (!ldb_dn_remove_child_components(dn, 1)) return EFAULT;
a9d46b86993ee8d87fddf0ba50665c0b1b78ebb7Simo Sorce /* and check the parent container exists */
7128fadade544efcd86b113a5090b00d20993671Jakub Hrozek "Searching for [%s] at [%s] with scope=base\n",
7128fadade544efcd86b113a5090b00d20993671Jakub Hrozek LOCAL_CONTAINER_FILTER, ldb_dn_get_linearized(dn));
d806427f200dc1ffd44d37724eb40125af5cc8c2Fabiano Fidêncio ret = ldb_search(lctx->ldb, tmp_ctx, &res, dn, LDB_SCOPE_BASE,
7128fadade544efcd86b113a5090b00d20993671Jakub Hrozek "DN [%s] does not exist\n", ldb_dn_get_linearized(dn));
197da163943868216f704fb34031e7d5576e8aeeJakub Hrozekstatic int local_db_check_containers_nest_level(struct local_db_req *lc_req,
109ed7ca1a82420798efdc6a9b019675a5bd0f4fJakub Hrozek if (lc_req->quota->containers_nest_level == 0) {
efc65e78fa4e01e6cecc8690a9899af61213be62Fabiano Fidêncio /* We need do not care for the synthetic containers that constitute the
efc65e78fa4e01e6cecc8690a9899af61213be62Fabiano Fidêncio * base path (cn=<uidnumber>,cn=user,cn=secrets). */
efc65e78fa4e01e6cecc8690a9899af61213be62Fabiano Fidêncio nest_level = ldb_dn_get_comp_num(leaf_dn) - 3;
197da163943868216f704fb34031e7d5576e8aeeJakub Hrozek if (nest_level > lc_req->quota->containers_nest_level) {
efc65e78fa4e01e6cecc8690a9899af61213be62Fabiano Fidêncio "Cannot create a nested container of depth %d as the maximum"
efc65e78fa4e01e6cecc8690a9899af61213be62Fabiano Fidêncio "allowed number of nested containers is %d.\n",
197da163943868216f704fb34031e7d5576e8aeeJakub Hrozek nest_level, lc_req->quota->containers_nest_level);
efc65e78fa4e01e6cecc8690a9899af61213be62Fabiano Fidêncio return ERR_SEC_INVALID_CONTAINERS_NEST_LEVEL;
6b3bab516355fdf4cc81e6da9d87ec3818ab190fJakub Hrozekstatic struct ldb_dn *per_uid_container(TALLOC_CTX *mem_ctx,
6b3bab516355fdf4cc81e6da9d87ec3818ab190fJakub Hrozek /* Remove all the components up to the per-user base path which consists
6b3bab516355fdf4cc81e6da9d87ec3818ab190fJakub Hrozek * of three components:
6b3bab516355fdf4cc81e6da9d87ec3818ab190fJakub Hrozek * cn=<uidnumber>,cn=users,cn=secrets
6b3bab516355fdf4cc81e6da9d87ec3818ab190fJakub Hrozek user_comp = ldb_dn_get_comp_num(uid_base_dn) - 3;
6b3bab516355fdf4cc81e6da9d87ec3818ab190fJakub Hrozek if (!ldb_dn_remove_child_components(uid_base_dn, user_comp)) {
6b3bab516355fdf4cc81e6da9d87ec3818ab190fJakub Hrozek DEBUG(SSSDBG_OP_FAILURE, "Cannot remove child components\n");
6b3bab516355fdf4cc81e6da9d87ec3818ab190fJakub Hrozek DEBUG(SSSDBG_OP_FAILURE, "Expected 3 components got %d\n", num_comp);
6b3bab516355fdf4cc81e6da9d87ec3818ab190fJakub Hrozekstatic int local_db_check_peruid_number_of_secrets(TALLOC_CTX *mem_ctx,
6b3bab516355fdf4cc81e6da9d87ec3818ab190fJakub Hrozek cli_basedn = per_uid_container(tmp_ctx, lc_req->req_dn);
6b3bab516355fdf4cc81e6da9d87ec3818ab190fJakub Hrozek ret = ldb_search(lctx->ldb, tmp_ctx, &res, cli_basedn, LDB_SCOPE_SUBTREE,
6b3bab516355fdf4cc81e6da9d87ec3818ab190fJakub Hrozek "ldb_search returned %d: %s\n", ret, ldb_strerror(ret));
6b3bab516355fdf4cc81e6da9d87ec3818ab190fJakub Hrozek if (res->count >= lc_req->quota->max_uid_secrets) {
6b3bab516355fdf4cc81e6da9d87ec3818ab190fJakub Hrozek "Cannot store any more secrets for this client (basedn %s) "
6b3bab516355fdf4cc81e6da9d87ec3818ab190fJakub Hrozek "as the maximum allowed limit (%d) has been reached\n",
65a38b8c9cabde6c46cc0e9868f54cb9bb10afbfFabiano Fidênciostatic int local_db_check_number_of_secrets(TALLOC_CTX *mem_ctx,
197da163943868216f704fb34031e7d5576e8aeeJakub Hrozek dn = ldb_dn_new(tmp_ctx, lctx->ldb, lc_req->basedn);
65a38b8c9cabde6c46cc0e9868f54cb9bb10afbfFabiano Fidêncio ret = ldb_search(lctx->ldb, tmp_ctx, &res, dn, LDB_SCOPE_SUBTREE,
6b3bab516355fdf4cc81e6da9d87ec3818ab190fJakub Hrozek "ldb_search returned %d: %s\n", ret, ldb_strerror(ret));
197da163943868216f704fb34031e7d5576e8aeeJakub Hrozek if (res->count >= lc_req->quota->max_secrets) {
65a38b8c9cabde6c46cc0e9868f54cb9bb10afbfFabiano Fidêncio "Cannot store any more secrets as the maximum allowed limit (%d) "
197da163943868216f704fb34031e7d5576e8aeeJakub Hrozek "has been reached\n", lc_req->quota->max_secrets);
197da163943868216f704fb34031e7d5576e8aeeJakub Hrozekstatic int local_check_max_payload_size(struct local_db_req *lc_req,
197da163943868216f704fb34031e7d5576e8aeeJakub Hrozek max_payload_size = lc_req->quota->max_payload_size * 1024; /* kb */
7171a7584dda534dde5409f3e7f4657e845ece15Fabiano Fidêncio "Secrets' payload size [%d kb (%d)] exceeds the maximum allowed "
7171a7584dda534dde5409f3e7f4657e845ece15Fabiano Fidêncio "payload size [%d kb (%d)]\n",
f35f4e4c8bd5b834504c0554552d78db3624706aFabiano Fidênciostatic int local_db_put_simple(TALLOC_CTX *mem_ctx,
8bb2fcbce7c3fcfd986f1bc835fbcc43ac7cd9d1Jakub Hrozek DEBUG(SSSDBG_TRACE_FUNC, "Adding a secret to [%s]\n", lc_req->path);
a9d46b86993ee8d87fddf0ba50665c0b1b78ebb7Simo Sorce /* make sure containers exist */
a9d46b86993ee8d87fddf0ba50665c0b1b78ebb7Simo Sorce ret = local_db_check_containers(msg, lctx, msg->dn);
7128fadade544efcd86b113a5090b00d20993671Jakub Hrozek "local_db_check_containers failed for [%s]: [%d]: %s\n",
7128fadade544efcd86b113a5090b00d20993671Jakub Hrozek ldb_dn_get_linearized(msg->dn), ret, sss_strerror(ret));
197da163943868216f704fb34031e7d5576e8aeeJakub Hrozek ret = local_db_check_number_of_secrets(msg, lctx, lc_req);
65a38b8c9cabde6c46cc0e9868f54cb9bb10afbfFabiano Fidêncio "local_db_check_number_of_secrets failed [%d]: %s\n",
6b3bab516355fdf4cc81e6da9d87ec3818ab190fJakub Hrozek ret = local_db_check_peruid_number_of_secrets(msg, lctx, lc_req);
6b3bab516355fdf4cc81e6da9d87ec3818ab190fJakub Hrozek "local_db_check_number_of_secrets failed [%d]: %s\n",
197da163943868216f704fb34031e7d5576e8aeeJakub Hrozek ret = local_check_max_payload_size(lc_req, strlen(secret));
7171a7584dda534dde5409f3e7f4657e845ece15Fabiano Fidêncio "local_check_max_payload_size failed [%d]: %s\n",
a9d46b86993ee8d87fddf0ba50665c0b1b78ebb7Simo Sorce ret = local_encrypt(lctx, msg, secret, enctype, &enc_secret);
7128fadade544efcd86b113a5090b00d20993671Jakub Hrozek "local_encrypt failed [%d]: %s\n", ret, sss_strerror(ret));
7128fadade544efcd86b113a5090b00d20993671Jakub Hrozek "ldb_msg_add_string failed adding type:simple [%d]: %s\n",
625bb2ddf15e8f305a53afa44e87f2146fa930afSimo Sorce ret = ldb_msg_add_string(msg, "enctype", enctype);
7128fadade544efcd86b113a5090b00d20993671Jakub Hrozek "ldb_msg_add_string failed adding enctype [%d]: %s\n",
625bb2ddf15e8f305a53afa44e87f2146fa930afSimo Sorce ret = ldb_msg_add_string(msg, "secret", enc_secret);
7128fadade544efcd86b113a5090b00d20993671Jakub Hrozek "ldb_msg_add_string failed adding secret [%d]: %s\n",
a9d46b86993ee8d87fddf0ba50665c0b1b78ebb7Simo Sorce ret = ldb_msg_add_fmt(msg, "creationTime", "%lu", time(NULL));
7128fadade544efcd86b113a5090b00d20993671Jakub Hrozek "ldb_msg_add_string failed adding creationTime [%d]: %s\n",
7128fadade544efcd86b113a5090b00d20993671Jakub Hrozek "Secret %s already exists\n", ldb_dn_get_linearized(msg->dn));
7128fadade544efcd86b113a5090b00d20993671Jakub Hrozek "Failed to add secret [%s]: [%d]: %s\n",
7128fadade544efcd86b113a5090b00d20993671Jakub Hrozek ldb_dn_get_linearized(msg->dn), ret, ldb_strerror(ret));
f35f4e4c8bd5b834504c0554552d78db3624706aFabiano Fidênciostatic int local_db_delete(TALLOC_CTX *mem_ctx,
8bb2fcbce7c3fcfd986f1bc835fbcc43ac7cd9d1Jakub Hrozek DEBUG(SSSDBG_TRACE_FUNC, "Removing a secret from [%s]\n", lc_req->path);
7128fadade544efcd86b113a5090b00d20993671Jakub Hrozek "Searching for [%s] at [%s] with scope=base\n",
392f48c039d7a6d70bce6ae2d122042391653566Jakub Hrozek LOCAL_CONTAINER_FILTER, ldb_dn_get_linearized(lc_req->req_dn));
392f48c039d7a6d70bce6ae2d122042391653566Jakub Hrozek ret = ldb_search(lctx->ldb, tmp_ctx, &res, lc_req->req_dn, LDB_SCOPE_BASE,
7128fadade544efcd86b113a5090b00d20993671Jakub Hrozek "ldb_search returned %d: %s\n", ret, ldb_strerror(ret));
392f48c039d7a6d70bce6ae2d122042391653566Jakub Hrozek "Searching for children of [%s]\n", ldb_dn_get_linearized(lc_req->req_dn));
392f48c039d7a6d70bce6ae2d122042391653566Jakub Hrozek ret = ldb_search(lctx->ldb, tmp_ctx, &res, lc_req->req_dn, LDB_SCOPE_ONELEVEL,
7128fadade544efcd86b113a5090b00d20993671Jakub Hrozek "ldb_search returned %d: %s\n", ret, ldb_strerror(ret));
ab7b33fd7d820688545d5994a402cedf4bcdb6e1Fabiano Fidêncio "Failed to remove '%s': Container is not empty\n",
7128fadade544efcd86b113a5090b00d20993671Jakub Hrozek "ldb_delete returned %d: %s\n", ret, ldb_strerror(ret));
677a31351c80453d9ce006481364399a96312052René Genz /* fall through */
f35f4e4c8bd5b834504c0554552d78db3624706aFabiano Fidênciostatic int local_db_create(TALLOC_CTX *mem_ctx,
8bb2fcbce7c3fcfd986f1bc835fbcc43ac7cd9d1Jakub Hrozek DEBUG(SSSDBG_TRACE_FUNC, "Creating a container at [%s]\n", lc_req->path);
a9d46b86993ee8d87fddf0ba50665c0b1b78ebb7Simo Sorce /* make sure containers exist */
a9d46b86993ee8d87fddf0ba50665c0b1b78ebb7Simo Sorce ret = local_db_check_containers(msg, lctx, msg->dn);
7128fadade544efcd86b113a5090b00d20993671Jakub Hrozek "local_db_check_containers failed for [%s]: [%d]: %s\n",
7128fadade544efcd86b113a5090b00d20993671Jakub Hrozek ldb_dn_get_linearized(msg->dn), ret, sss_strerror(ret));
197da163943868216f704fb34031e7d5576e8aeeJakub Hrozek ret = local_db_check_containers_nest_level(lc_req, msg->dn);
a9d46b86993ee8d87fddf0ba50665c0b1b78ebb7Simo Sorce ret = ldb_msg_add_string(msg, "type", "container");
7128fadade544efcd86b113a5090b00d20993671Jakub Hrozek "ldb_msg_add_string failed adding type:container [%d]: %s\n",
a9d46b86993ee8d87fddf0ba50665c0b1b78ebb7Simo Sorce ret = ldb_msg_add_fmt(msg, "creationTime", "%lu", time(NULL));
7128fadade544efcd86b113a5090b00d20993671Jakub Hrozek "ldb_msg_add_string failed adding creationTime [%d]: %s\n",
7128fadade544efcd86b113a5090b00d20993671Jakub Hrozek "Secret %s already exists\n", ldb_dn_get_linearized(msg->dn));
7128fadade544efcd86b113a5090b00d20993671Jakub Hrozek "Failed to add secret [%s]: [%d]: %s\n",
7128fadade544efcd86b113a5090b00d20993671Jakub Hrozek ldb_dn_get_linearized(msg->dn), ret, ldb_strerror(ret));
f35f4e4c8bd5b834504c0554552d78db3624706aFabiano Fidênciostatic int local_secrets_map_path(TALLOC_CTX *mem_ctx,
1dd679584241a0f9b29072c7eed1c5c5e4a577e4Simo Sorce /* be strict for now */
1dd679584241a0f9b29072c7eed1c5c5e4a577e4Simo Sorce "Unrecognized URI fragments: [%s]\n",
1dd679584241a0f9b29072c7eed1c5c5e4a577e4Simo Sorce "Unrecognized URI userinfo: [%s]\n",
1dd679584241a0f9b29072c7eed1c5c5e4a577e4Simo Sorce /* only type simple for now */
1dd679584241a0f9b29072c7eed1c5c5e4a577e4Simo Sorce ret = strcmp(secreq->parsed_url.query, "type=simple");
1dd679584241a0f9b29072c7eed1c5c5e4a577e4Simo Sorce "Invalid URI query: [%s]\n",
8bb2fcbce7c3fcfd986f1bc835fbcc43ac7cd9d1Jakub Hrozek /* drop the prefix and select a basedn instead */
8bb2fcbce7c3fcfd986f1bc835fbcc43ac7cd9d1Jakub Hrozek SEC_BASEPATH, sizeof(SEC_BASEPATH) - 1) == 0) {
8bb2fcbce7c3fcfd986f1bc835fbcc43ac7cd9d1Jakub Hrozek secreq->mapped_path + (sizeof(SEC_BASEPATH) - 1));
60612b5fbdaaa62ebe6c7f4c27200316f08506d6Jakub Hrozek SEC_KCM_BASEPATH, sizeof(SEC_KCM_BASEPATH) - 1) == 0) {
60612b5fbdaaa62ebe6c7f4c27200316f08506d6Jakub Hrozek secreq->mapped_path + (sizeof(SEC_KCM_BASEPATH) - 1));
1dd679584241a0f9b29072c7eed1c5c5e4a577e4Simo Sorce "Failed to map request to local db path\n");
197da163943868216f704fb34031e7d5576e8aeeJakub Hrozek ret = local_db_dn(mem_ctx, ldb, lc_req->basedn, lc_req->path, &lc_req->req_dn);
8bb2fcbce7c3fcfd986f1bc835fbcc43ac7cd9d1Jakub Hrozek "Failed to map request to local db DN\n");
8bb2fcbce7c3fcfd986f1bc835fbcc43ac7cd9d1Jakub Hrozek DEBUG(SSSDBG_TRACE_LIBS, "Local DB path is %s\n", lc_req->path);
f35f4e4c8bd5b834504c0554552d78db3624706aFabiano Fidênciostatic struct tevent_req *local_secret_req(TALLOC_CTX *mem_ctx,
1dd679584241a0f9b29072c7eed1c5c5e4a577e4Simo Sorce req = tevent_req_create(mem_ctx, &state, struct local_secret_state);
625bb2ddf15e8f305a53afa44e87f2146fa930afSimo Sorce lctx = talloc_get_type(provider_ctx, struct local_context);
7128fadade544efcd86b113a5090b00d20993671Jakub Hrozek DEBUG(SSSDBG_TRACE_INTERNAL, "Received a local secrets request\n");
e625eb47a3091d92eda2271b123f8aab06227b63Simo Sorce } else if (sec_req_has_header(secreq, "Content-Type",
677a31351c80453d9ce006481364399a96312052René Genz DEBUG(SSSDBG_OP_FAILURE, "No or unknown Content-Type\n");
7128fadade544efcd86b113a5090b00d20993671Jakub Hrozek DEBUG(SSSDBG_TRACE_LIBS, "Content-Type: %s\n", content_type);
197da163943868216f704fb34031e7d5576e8aeeJakub Hrozek ret = local_secrets_map_path(state, lctx, secreq, &lc_req);
60612b5fbdaaa62ebe6c7f4c27200316f08506d6Jakub Hrozek DEBUG(SSSDBG_OP_FAILURE, "Cannot map request path to local path\n");
8bb2fcbce7c3fcfd986f1bc835fbcc43ac7cd9d1Jakub Hrozek DEBUG(SSSDBG_TRACE_LIBS, "Processing HTTP GET at [%s]\n", lc_req->path);
8bb2fcbce7c3fcfd986f1bc835fbcc43ac7cd9d1Jakub Hrozek if (lc_req->path[strlen(lc_req->path) - 1] == '/') {
8bb2fcbce7c3fcfd986f1bc835fbcc43ac7cd9d1Jakub Hrozek ret = local_db_list_keys(state, lctx, lc_req, &keys, &nkeys);
1dd679584241a0f9b29072c7eed1c5c5e4a577e4Simo Sorce ret = sec_array_to_json(state, keys, nkeys, &body.data);
8bb2fcbce7c3fcfd986f1bc835fbcc43ac7cd9d1Jakub Hrozek ret = local_db_get_simple(state, lctx, lc_req, &secret);
1dd679584241a0f9b29072c7eed1c5c5e4a577e4Simo Sorce ret = sec_simple_secret_to_json(state, secret, &body.data);
e625eb47a3091d92eda2271b123f8aab06227b63Simo Sorce body.data = (void *)sss_base64_decode(state, secret, &body.length);
73ce539aa70f43ccd5302b3ef8a02ff028558b12Jakub Hrozek DEBUG(SSSDBG_OP_FAILURE, "PUT with no data\n");
8bb2fcbce7c3fcfd986f1bc835fbcc43ac7cd9d1Jakub Hrozek DEBUG(SSSDBG_TRACE_LIBS, "Processing HTTP PUT at [%s]\n", lc_req->path);
e625eb47a3091d92eda2271b123f8aab06227b63Simo Sorce ret = sec_json_to_simple_secret(state, secreq->body.data,
e625eb47a3091d92eda2271b123f8aab06227b63Simo Sorce secret = sss_base64_encode(state, (uint8_t *)secreq->body.data,
8bb2fcbce7c3fcfd986f1bc835fbcc43ac7cd9d1Jakub Hrozek ret = local_db_put_simple(state, lctx, lc_req, secret);
8bb2fcbce7c3fcfd986f1bc835fbcc43ac7cd9d1Jakub Hrozek DEBUG(SSSDBG_TRACE_LIBS, "Processing HTTP POST at [%s]\n", lc_req->path);
1dd679584241a0f9b29072c7eed1c5c5e4a577e4Simo Sorce ret = sec_http_reply_with_body(secreq, &secreq->reply, STATUS_200,
1dd679584241a0f9b29072c7eed1c5c5e4a577e4Simo Sorce ret = sec_http_status_reply(secreq, &secreq->reply, STATUS_200);
7128fadade544efcd86b113a5090b00d20993671Jakub Hrozek DEBUG(SSSDBG_TRACE_LIBS, "Did not find the requested data\n");
7128fadade544efcd86b113a5090b00d20993671Jakub Hrozek "Local secrets request error [%d]: %s\n",
1dd679584241a0f9b29072c7eed1c5c5e4a577e4Simo Sorce /* shortcircuit the request here as all called functions are
1dd679584241a0f9b29072c7eed1c5c5e4a577e4Simo Sorce * synchronous and final and no further subrequests are made */
7128fadade544efcd86b113a5090b00d20993671Jakub Hrozek DEBUG(SSSDBG_TRACE_INTERNAL, "Local secrets request done\n");
f35f4e4c8bd5b834504c0554552d78db3624706aFabiano Fidênciostatic int generate_master_key(const char *filename, size_t size)
7128fadade544efcd86b113a5090b00d20993671Jakub Hrozek "generate_csprng_buffer failed [%d]: %s\n",
625bb2ddf15e8f305a53afa44e87f2146fa930afSimo Sorce fd = open(filename, O_CREAT|O_EXCL|O_WRONLY, 0600);
7128fadade544efcd86b113a5090b00d20993671Jakub Hrozek "open(%s) failed [%d]: %s\n",
7128fadade544efcd86b113a5090b00d20993671Jakub Hrozek "sss_atomic_write_s failed [%d]: %s\n",
6c82774653f37945bdd0a311eb1ecc289cac683dLukas Slebodnik /* non-fatal failure */
6c82774653f37945bdd0a311eb1ecc289cac683dLukas Slebodnik "Failed to remove file: %s - %d [%s]!\n",
8f2a34cc6964a1f80a1434e05315a7ae0bb5774eSimo Sorceint local_secrets_provider_handle(struct sec_ctx *sctx,
8f2a34cc6964a1f80a1434e05315a7ae0bb5774eSimo Sorce const char *mkey = SECRETS_DB_PATH"/.secrets.mkey";
8f2a34cc6964a1f80a1434e05315a7ae0bb5774eSimo Sorce const char *dbpath = SECRETS_DB_PATH"/secrets.ldb";
7128fadade544efcd86b113a5090b00d20993671Jakub Hrozek DEBUG(SSSDBG_TRACE_INTERNAL, "Creating a local provider handle\n");
8f2a34cc6964a1f80a1434e05315a7ae0bb5774eSimo Sorce handle = talloc_zero(sctx, struct provider_handle);
8f2a34cc6964a1f80a1434e05315a7ae0bb5774eSimo Sorce lctx = talloc_zero(handle, struct local_context);
7128fadade544efcd86b113a5090b00d20993671Jakub Hrozek "ldb_connect(%s) returned %d: %s\n",
8f2a34cc6964a1f80a1434e05315a7ae0bb5774eSimo Sorce lctx->master_key.data = talloc_size(lctx, MKEY_SIZE);
7128fadade544efcd86b113a5090b00d20993671Jakub Hrozek DEBUG(SSSDBG_TRACE_FUNC, "No master key, generating a new one..\n");
7128fadade544efcd86b113a5090b00d20993671Jakub Hrozek DEBUG(SSSDBG_OP_FAILURE, "Cannot generate a master key: %d\n", ret);
942b4ce6e60e88e4e31600655fad8980f3986f68Jakub Hrozek size = sss_atomic_read_s(mfd, lctx->master_key.data,
7128fadade544efcd86b113a5090b00d20993671Jakub Hrozek if (size < 0 || size != lctx->master_key.length) {
7128fadade544efcd86b113a5090b00d20993671Jakub Hrozek DEBUG(SSSDBG_OP_FAILURE, "Cannot read a master key: %d\n", ret);
7128fadade544efcd86b113a5090b00d20993671Jakub Hrozek DEBUG(SSSDBG_TRACE_INTERNAL, "Local provider handle created\n");