local.c revision 8890a30f5d054187fd7d5b50503f82a49cd025f0
/*
SSSD
Secrets Responder
Copyright (C) Simo Sorce <ssorce@redhat.com> 2016
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include "responder/secrets/secsrv_private.h"
#include "util/crypto/sss_crypto.h"
#include <time.h>
#include <fcntl.h>
#include <ldb.h>
#define SECRETS_BASEDN "cn=secrets"
#define KCM_BASEDN "cn=kcm"
struct local_context {
struct ldb_context *ldb;
struct sec_data master_key;
int max_secrets;
int max_payload_size;
};
char **plain_secret)
{
char *output;
int ret;
return EINVAL;
}
if (ret) {
return ret;
}
"Output length mismatch or output not NULL-terminated\n");
return EIO;
}
} else {
}
*plain_secret = output;
return EOK;
}
char **ciphertext)
{
char *output;
int ret;
return EINVAL;
}
return EINVAL;
}
if (ret) {
return ret;
}
*ciphertext = output;
return EOK;
}
struct ldb_context *ldb,
const char *basedn,
const char *req_path,
{
const char *s, *e;
int ret;
if (!dn) {
goto done;
}
s = req_path;
while (s && *s) {
e = strchr(s, '/');
if (e) {
if (e == s) {
s++;
continue;
}
goto done;
}
s = e + 1;
} else {
goto done;
}
s = NULL;
}
}
"Local path for [%s] is [%s]\n",
done:
return ret;
}
{
int basecomps;
int dncomps;
if (path) {
} else {
}
}
"Secrets path for [%s] is [%s]\n",
return path;
}
struct local_db_req {
char *path;
};
#define LOCAL_SIMPLE_FILTER "(type=simple)"
#define LOCAL_CONTAINER_FILTER "(type=container)"
struct local_context *lctx,
struct local_db_req *lc_req,
char **secret)
{
struct ldb_result *res;
const char *attr_secret;
const char *attr_enctype;
int ret;
"Searching for [%s] at [%s] with scope=base\n",
goto done;
}
case 0:
goto done;
case 1:
break;
default:
"Too many secrets returned with BASE search\n");
goto done;
}
if (!attr_secret) {
goto done;
}
if (attr_enctype) {
} else {
}
done:
return ret;
}
struct local_context *lctx,
struct local_db_req *lc_req,
char ***_keys,
int *num_keys)
{
struct ldb_result *res;
char **keys;
int ret;
"Searching for [%s] at [%s] with scope=subtree\n",
goto done;
}
goto done;
}
if (!keys) {
goto done;
}
if (!keys[i]) {
goto done;
}
}
done:
return ret;
}
struct local_context *lctx,
{
int num;
int ret;
if (!dn) {
goto done;
}
/* We need to exclude the leaf as that will be the new child entry,
* We also do not care for the synthetic containers that constitute the
* base path (cn=<uidnumber>,cn=users,cn=secrets), so in total we remove
* 4 components */
for (int i = 0; i < num; i++) {
/* remove the child first (we do not want to check the leaf) */
/* and check the parent container exists */
"Searching for [%s] at [%s] with scope=base\n",
return ENOENT;
}
}
done:
return ret;
}
{
int nest_level;
/* We need do not care for the synthetic containers that constitute the
* base path (cn=<uidnumber>,cn=user,cn=secrets). */
"Cannot create a nested container of depth %d as the maximum"
"allowed number of nested containers is %d.\n",
}
return EOK;
}
struct local_context *lctx)
{
int ret;
if (!dn) {
goto done;
}
"Cannot store any more secrets as the maximum allowed limit (%d) "
goto done;
}
done:
return ret;
}
int payload_size)
{
int max_payload_size;
if (payload_size > max_payload_size) {
"Secrets' payload size [%d kb (%d)] exceeds the maximum allowed "
"payload size [%d kb (%d)]\n",
}
return EOK;
}
struct local_context *lctx,
struct local_db_req *lc_req,
const char *secret)
{
struct ldb_message *msg;
const char *enctype = "masterkey";
char *enc_secret;
int ret;
if (!msg) {
goto done;
}
/* make sure containers exist */
"local_db_check_containers failed for [%s]: [%d]: %s\n",
goto done;
}
"local_db_check_number_of_secrets failed [%d]: %s\n",
goto done;
}
"local_check_max_payload_size failed [%d]: %s\n",
goto done;
}
goto done;
}
"ldb_msg_add_string failed adding type:simple [%d]: %s\n",
goto done;
}
"ldb_msg_add_string failed adding enctype [%d]: %s\n",
goto done;
}
"ldb_msg_add_string failed adding secret [%d]: %s\n",
goto done;
}
"ldb_msg_add_string failed adding creationTime [%d]: %s\n",
goto done;
}
if (ret == LDB_ERR_ENTRY_ALREADY_EXISTS) {
} else {
"Failed to add secret [%s]: [%d]: %s\n",
}
goto done;
}
done:
return ret;
}
struct local_context *lctx,
struct local_db_req *lc_req)
{
struct ldb_result *res;
int ret;
"Searching for [%s] at [%s] with scope=base\n",
goto done;
}
goto done;
}
"Failed to remove '%s': Container is not empty\n",
goto done;
}
}
/* fallthrough */
}
done:
return ret;
}
struct local_context *lctx,
struct local_db_req *lc_req)
{
struct ldb_message *msg;
int ret;
if (!msg) {
goto done;
}
/* make sure containers exist */
"local_db_check_containers failed for [%s]: [%d]: %s\n",
goto done;
}
"ldb_msg_add_string failed adding type:container [%d]: %s\n",
goto done;
}
"ldb_msg_add_string failed adding creationTime [%d]: %s\n",
goto done;
}
if (ret == LDB_ERR_ENTRY_ALREADY_EXISTS) {
} else {
"Failed to add secret [%s]: [%d]: %s\n",
}
goto done;
}
done:
return ret;
}
struct ldb_context *ldb,
struct sec_req_ctx *secreq,
struct local_db_req **_lc_req)
{
int ret;
struct local_db_req *lc_req;
const char *basedn;
/* be strict for now */
"Unrecognized URI fragments: [%s]\n",
return EINVAL;
}
"Unrecognized URI userinfo: [%s]\n",
return EINVAL;
}
/* only type simple for now */
if (ret != 0) {
"Invalid URI query: [%s]\n",
return EINVAL;
}
}
return ENOMEM;
}
/* drop the prefix and select a basedn instead */
basedn = KCM_BASEDN;
} else {
goto done;
}
"Failed to map request to local db path\n");
goto done;
}
"Failed to map request to local db DN\n");
goto done;
}
done:
}
return ret;
}
struct local_secret_state {
struct tevent_context *ev;
struct sec_req_ctx *secreq;
};
struct tevent_context *ev,
void *provider_ctx,
struct sec_req_ctx *secreq)
{
struct tevent_req *req;
struct local_secret_state *state;
struct local_context *lctx;
const char *content_type;
bool body_is_json;
struct local_db_req *lc_req;
char *secret;
char **keys;
int nkeys;
int plen;
int ret;
if (!lctx) {
goto done;
}
"application/json")) {
body_is_json = true;
content_type = "application/json";
"application/octet-stream")) {
body_is_json = false;
} else {
goto done;
}
if (ret) {
goto done;
}
case HTTP_GET:
break;
}
if (body_is_json) {
} else {
}
break;
case HTTP_PUT:
goto done;
}
if (body_is_json) {
&secret);
} else {
}
break;
case HTTP_DELETE:
break;
case HTTP_POST:
goto done;
}
break;
default:
goto done;
}
content_type, &body);
} else {
}
done:
} else {
"Local secrets request error [%d]: %s\n",
}
} else {
/* shortcircuit the request here as all called functions are
* synchronous and final and no further subrequests are made */
}
}
{
int ret;
int fd;
if (ret) {
"generate_csprng_buffer failed [%d]: %s\n",
return ret;
}
if (fd == -1) {
"open(%s) failed [%d]: %s\n",
return ret;
}
"sss_atomic_write_s failed [%d]: %s\n",
/* non-fatal failure */
"Failed to remove file: %s - %d [%s]!\n",
}
return EFAULT;
}
return EOK;
}
struct provider_handle **out_handle)
{
struct provider_handle *handle;
struct local_context *lctx;
int mfd;
int ret;
if (ret != LDB_SUCCESS) {
"ldb_connect(%s) returned %d: %s\n",
return EIO;
}
}
if (ret) {
return EFAULT;
}
return EIO;
}
*out_handle = handle;
return EOK;
}