sudosrv_get_sudorules.c revision 5ff1c3c5a12930692cb6284d14f7fda3a974af8e
/*
Authors:
Pavel Březina <pbrezina@redhat.com>
Jakub Hrozek <jhrozek@redhat.com>
Copyright (C) 2011 Red Hat
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include "config.h"
#include <stdint.h>
#include <string.h>
#include <talloc.h>
#include "db/sysdb_sudo.h"
#include "responder/sudo/sudosrv_private.h"
{
}
{
} else {
/* sudo rules are stored under parent domain basedn, so we will return
* parent's sysdb context */
}
}
{
dctx->check_provider = true;
("Looking up the user info from Data Provider\n"));
return EAGAIN;
return ret;
}
/* OK, got the user from cache. Try to get the rules. */
("Looking up the sudo rules from Data Provider\n"));
return EAGAIN;
return ret;
}
return EOK;
}
{
struct ldb_result *user;
time_t cache_expire = 0;
struct tevent_req *dpreq;
struct dp_callback_ctx *cb_ctx;
const char *original_name = NULL;
return ENOMEM;
}
while (dom) {
/* if it is a domainless search, skip domains that require fully
* qualified names instead */
}
if (!dom) break;
/* make sure to update the dctx if we changed domain */
goto done;
}
("sysdb context not found for this domain!\n"));
goto done;
}
("Failed to make request to our cache!\n"));
goto done;
}
("getpwnam call returned more than one result !?!\n"));
goto done;
}
/* if a multidomain search, try with next */
if (cmd_ctx->check_next) {
dctx->check_provider = true;
if (dom) continue;
}
goto done;
}
/* One result found, check cache expiry */
SYSDB_CACHE_EXPIRE, 0);
}
/* If cache miss and we haven't checked DP yet OR the entry is
* outdated, go to DP */
&& dctx->check_provider) {
dom, false, SSS_DP_INITGROUPS,
if (!dpreq) {
("Out of memory sending data provider request\n"));
goto done;
}
if(!cb_ctx) {
goto done;
}
/* tell caller we are in an async call */
goto done;
}
/* check uid */
/* if a multidomain search, try with next */
if (cmd_ctx->check_next) {
dctx->check_provider = true;
if (dom) continue;
}
goto done;
}
/* user is stored in cache, remember cased and original name */
SYSDB_NAME, NULL);
goto done;
}
goto done;
}
/* and set domain */
goto done;
}
done:
return ret;
}
{
struct dp_callback_ctx *cb_ctx =
char *err_msg;
&err_msg);
("Fatal error, killing connection!\n"));
return;
}
}
{
if (err_maj) {
("Unable to get information from Data Provider\n"
"Error: %u, %u, %s\n",
}
("Data Provider returned, check the cache again\n"));
dctx->check_provider = false;
goto done;
("Could not look up the user [%d]: %s\n",
return;
}
goto done;
("Error getting sudo rules [%d]: %s\n",
return;
}
done:
}
struct sudo_cmd_ctx *cmd_ctx,
struct sysdb_attrs ***_rules,
static void
static void
struct sss_domain_info *domain,
enum sss_dp_sudo_type type,
const char **attrs,
unsigned int flags,
const char *username,
char **groupnames,
struct sysdb_attrs ***_rules,
{
char **groupnames = NULL;
unsigned int flags = SYSDB_SUDO_FILTER_NONE;
const char *attrs[] = { SYSDB_NAME,
NULL };
return EFAULT;
}
if (user_sysdb == NULL) {
("user sysdb context not found for this domain!\n"));
goto done;
}
if (rules_sysdb == NULL) {
("rules sysdb context not found for this domain!\n"));
goto done;
}
return ENOMEM;
}
case SSS_SUDO_DEFAULTS:
break;
case SSS_SUDO_USER:
break;
}
/* Fetch all expired rules:
* sudo asks sssd twice - for defaults and for rules. If we refresh all
* expired rules for this user and defaults at once we will save one
* provider call
*/
goto done;
}
goto done;
}
if (expired_rules_num > 0) {
/* refresh expired rules then continue */
("Cannot issue DP request.\n"));
goto done;
}
if (!cb_ctx) {
goto done;
}
} else {
/* nothing is expired return what we have in the cache */
("Failed to make a request to our cache [%d]: %s\n",
goto done;
}
}
}
}
done:
return ret;
}
static void
{
struct dp_callback_ctx *cb_ctx =
char *err_msg;
/* we are not interested in returned values */
return;
}
&err_msg);
return;
}
}
static void
{
if (err_maj) {
("Unable to get information from Data Provider\n"
"Error: %u, %u, %s\n"
"Will try to return what we have in cache\n",
}
("Failed to make a request to our cache [%d]: %s\n",
return;
}
if (cmd_ctx->expired_rules_num > 0
("Some expired rules were removed from the server, "
"scheduling full refresh out of band\n"));
0, NULL);
("Cannot issue DP request.\n"));
} else {
}
}
}
struct sudo_cmd_ctx *cmd_ctx,
struct sysdb_attrs ***_rules,
{
char **groupnames = NULL;
const char *debug_name = NULL;
unsigned int flags = SYSDB_SUDO_FILTER_NONE;
const char *attrs[] = { SYSDB_OBJECTCLASS,
NULL };
return EFAULT;
}
return ENOMEM;
}
if (user_sysdb == NULL) {
("user sysdb context not found for this domain!\n"));
goto done;
}
if (rules_sysdb == NULL) {
("rules sysdb context not found for this domain!\n"));
goto done;
}
case SSS_SUDO_USER:
NULL, &groupnames);
goto done;
}
break;
case SSS_SUDO_DEFAULTS:
debug_name = "<default options>";
break;
}
goto done;
}
}
if (_num_rules != NULL) {
*_num_rules = num_rules;
}
done:
return ret;
}
static errno_t
struct sss_domain_info *domain,
enum sss_dp_sudo_type type,
const char **attrs,
unsigned int flags,
const char *username,
char **groupnames,
struct sysdb_attrs ***_rules,
{
char *filter;
struct sysdb_attrs **rules;
struct ldb_message **msgs;
("Could not construct the search filter [%d]: %s\n",
goto done;
}
goto done;
*_count = 0;
goto done;
}
("Could not convert ldb message to sysdb_attrs\n"));
goto done;
}
("Could not sort rules by sudoOrder\n"));
goto done;
}
done:
return ret;
}
static int
sudo_order_cmp_fn(const void *a, const void *b)
{
int ret;
r1 = * (struct sysdb_attrs * const *) a;
r2 = * (struct sysdb_attrs * const *) b;
return 0;
}
/* man sudoers-ldap: If the sudoOrder attribute is not present,
* a value of 0 is assumed */
o1 = 0;
return 0;
}
/* man sudoers-ldap: If the sudoOrder attribute is not present,
* a value of 0 is assumed */
o2 = 0;
return 0;
}
return 1;
return -1;
}
return 0;
}
static errno_t
{
return EOK;
}