3ee8659bc6a77a78bc6c61b9650a36bd18ea95c8Jakub Hrozek Copyright (C) 2017 Red Hat
3ee8659bc6a77a78bc6c61b9650a36bd18ea95c8Jakub Hrozek This program is free software; you can redistribute it and/or modify
3ee8659bc6a77a78bc6c61b9650a36bd18ea95c8Jakub Hrozek it under the terms of the GNU Lesser General Public License as published by
3ee8659bc6a77a78bc6c61b9650a36bd18ea95c8Jakub Hrozek the Free Software Foundation; either version 3 of the License, or
3ee8659bc6a77a78bc6c61b9650a36bd18ea95c8Jakub Hrozek (at your option) any later version.
3ee8659bc6a77a78bc6c61b9650a36bd18ea95c8Jakub Hrozek This program is distributed in the hope that it will be useful,
3ee8659bc6a77a78bc6c61b9650a36bd18ea95c8Jakub Hrozek but WITHOUT ANY WARRANTY; without even the implied warranty of
3ee8659bc6a77a78bc6c61b9650a36bd18ea95c8Jakub Hrozek MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
3ee8659bc6a77a78bc6c61b9650a36bd18ea95c8Jakub Hrozek GNU Lesser General Public License for more details.
3ee8659bc6a77a78bc6c61b9650a36bd18ea95c8Jakub Hrozek You should have received a copy of the GNU Lesser General Public License
3ee8659bc6a77a78bc6c61b9650a36bd18ea95c8Jakub Hrozek along with this program. If not, see <http://www.gnu.org/licenses/>.
3ee8659bc6a77a78bc6c61b9650a36bd18ea95c8Jakub Hrozek * We're searching the cache directly.
3ee8659bc6a77a78bc6c61b9650a36bd18ea95c8Jakub Hrozektypedef errno_t (*sssctl_dom_access_reporter_fn)(struct sss_tool_ctx *tool_ctx,
3ee8659bc6a77a78bc6c61b9650a36bd18ea95c8Jakub Hrozekstatic errno_t get_rdn_value(TALLOC_CTX *mem_ctx,
3ee8659bc6a77a78bc6c61b9650a36bd18ea95c8Jakub Hrozek dn = ldb_dn_new(tmp_ctx, sysdb_ctx_get_ldb(dom->sysdb), dn_attr);
3ee8659bc6a77a78bc6c61b9650a36bd18ea95c8Jakub Hrozekstatic errno_t is_member_group(struct sss_domain_info *dom,
3ee8659bc6a77a78bc6c61b9650a36bd18ea95c8Jakub Hrozek dn = ldb_dn_new(tmp_ctx, sysdb_ctx_get_ldb(dom->sysdb), dn_attr);
3ee8659bc6a77a78bc6c61b9650a36bd18ea95c8Jakub Hrozekstatic void print_category(struct sss_domain_info *domain,
3ee8659bc6a77a78bc6c61b9650a36bd18ea95c8Jakub Hrozek category_attr = ldb_msg_find_element(rule_msg, category_attr_name);
3ee8659bc6a77a78bc6c61b9650a36bd18ea95c8Jakub Hrozek DEBUG(SSSDBG_MINOR_FAILURE, "Cannot find %s\n", category_attr_name);
3ee8659bc6a77a78bc6c61b9650a36bd18ea95c8Jakub Hrozek for (unsigned i = 0; i < category_attr->num_values; i++) {
3ee8659bc6a77a78bc6c61b9650a36bd18ea95c8Jakub Hrozekstatic void print_member_attr(struct sss_domain_info *domain,
3ee8659bc6a77a78bc6c61b9650a36bd18ea95c8Jakub Hrozek struct ldb_message_element *member_attr = NULL;
3ee8659bc6a77a78bc6c61b9650a36bd18ea95c8Jakub Hrozek member_attr = ldb_msg_find_element(rule_msg, member_attr_name);
3ee8659bc6a77a78bc6c61b9650a36bd18ea95c8Jakub Hrozek DEBUG(SSSDBG_MINOR_FAILURE, "Cannot find %s\n", member_attr_name);
3ee8659bc6a77a78bc6c61b9650a36bd18ea95c8Jakub Hrozek const char *,
3ee8659bc6a77a78bc6c61b9650a36bd18ea95c8Jakub Hrozek member_group_names = talloc_zero_array(tmp_ctx,
3ee8659bc6a77a78bc6c61b9650a36bd18ea95c8Jakub Hrozek const char *,
3ee8659bc6a77a78bc6c61b9650a36bd18ea95c8Jakub Hrozek if (member_names == NULL || member_group_names == NULL) {
3ee8659bc6a77a78bc6c61b9650a36bd18ea95c8Jakub Hrozek for (size_t i = 0; i < member_attr->num_values; i++) {
3ee8659bc6a77a78bc6c61b9650a36bd18ea95c8Jakub Hrozek dn_attr = (const char *) member_attr->values[i].data;
3ee8659bc6a77a78bc6c61b9650a36bd18ea95c8Jakub Hrozek ret = is_member_group(domain, dn_attr, group_rdn, &is_group);
3ee8659bc6a77a78bc6c61b9650a36bd18ea95c8Jakub Hrozek ret = get_rdn_value(tmp_ctx, domain, dn_attr, &rdn_string);
3ee8659bc6a77a78bc6c61b9650a36bd18ea95c8Jakub Hrozek if (is_group == false) {
3ee8659bc6a77a78bc6c61b9650a36bd18ea95c8Jakub Hrozek member_names[name_count] = talloc_steal(member_names,
3ee8659bc6a77a78bc6c61b9650a36bd18ea95c8Jakub Hrozek member_group_names[group_count] = talloc_strdup(member_group_names,
3ee8659bc6a77a78bc6c61b9650a36bd18ea95c8Jakub Hrozek for (int i = 0; member_names[i]; i++) {
3ee8659bc6a77a78bc6c61b9650a36bd18ea95c8Jakub Hrozek PRINT("%s%s", i > 0 ? ", " : "", member_names[i]);
3ee8659bc6a77a78bc6c61b9650a36bd18ea95c8Jakub Hrozek for (int i = 0; member_group_names[i]; i++) {
3ee8659bc6a77a78bc6c61b9650a36bd18ea95c8Jakub Hrozek PRINT("%s%s", i > 0 ? ", " : "", member_group_names[i]);
3ee8659bc6a77a78bc6c61b9650a36bd18ea95c8Jakub Hrozekstatic void print_ipa_hbac_rule(struct sss_domain_info *domain,
3ee8659bc6a77a78bc6c61b9650a36bd18ea95c8Jakub Hrozek DEBUG(SSSDBG_MINOR_FAILURE, "A rule with no name\n");
3ee8659bc6a77a78bc6c61b9650a36bd18ea95c8Jakub Hrozek PRINT("Rule name: %1$s\n", el->values[0].data);
3ee8659bc6a77a78bc6c61b9650a36bd18ea95c8Jakub Hrozek _("Member users"),
3ee8659bc6a77a78bc6c61b9650a36bd18ea95c8Jakub Hrozek _("Member groups"));
3ee8659bc6a77a78bc6c61b9650a36bd18ea95c8Jakub Hrozek _("User category"));
3ee8659bc6a77a78bc6c61b9650a36bd18ea95c8Jakub Hrozek "hbacservicegroups",
3ee8659bc6a77a78bc6c61b9650a36bd18ea95c8Jakub Hrozek _("Member services"),
3ee8659bc6a77a78bc6c61b9650a36bd18ea95c8Jakub Hrozek _("Member service groups"));
3ee8659bc6a77a78bc6c61b9650a36bd18ea95c8Jakub Hrozek _("Service category"));
be804178d5e5fee64be2b080e73f4ce7b0074f76Pavel Březinastatic errno_t refresh_hbac_rules(struct sss_tool_ctx *tool_ctx,
be804178d5e5fee64be2b080e73f4ce7b0074f76Pavel Březina DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new() failed\n");
be804178d5e5fee64be2b080e73f4ce7b0074f76Pavel Březina path = sbus_opath_compose(tmp_ctx, IFP_PATH_DOMAINS, domain->name);
be804178d5e5fee64be2b080e73f4ce7b0074f76Pavel Březina sssctl_sifp_error(sifp, error, "Unable to connect to the InfoPipe");
be804178d5e5fee64be2b080e73f4ce7b0074f76Pavel Březina error = sssctl_sifp_send(tmp_ctx, sifp, &reply, path,
be804178d5e5fee64be2b080e73f4ce7b0074f76Pavel Březina sssctl_sifp_error(sifp, error, "Unable to refresh HBAC rules");
3ee8659bc6a77a78bc6c61b9650a36bd18ea95c8Jakub Hrozekstatic errno_t sssctl_ipa_access_report(struct sss_tool_ctx *tool_ctx,
3ee8659bc6a77a78bc6c61b9650a36bd18ea95c8Jakub Hrozek /* Run the pam account phase to make sure the rules are fetched by SSSD */
be804178d5e5fee64be2b080e73f4ce7b0074f76Pavel Březina ERROR("Unable to refresh HBAC rules, using cached content\n");
3ee8659bc6a77a78bc6c61b9650a36bd18ea95c8Jakub Hrozek /* Non-fatal */
3ee8659bc6a77a78bc6c61b9650a36bd18ea95c8Jakub Hrozek filter = talloc_asprintf(tmp_ctx, "(objectClass=%s)", IPA_HBAC_RULE);
3ee8659bc6a77a78bc6c61b9650a36bd18ea95c8Jakub Hrozek ret = sysdb_search_custom(tmp_ctx, domain, filter,
3ee8659bc6a77a78bc6c61b9650a36bd18ea95c8Jakub Hrozek DEBUG(SSSDBG_CRIT_FAILURE, "Error looking up HBAC rules\n");
3ee8659bc6a77a78bc6c61b9650a36bd18ea95c8Jakub Hrozek PRINT("No cached rules. All users will be denied access\n");
3ee8659bc6a77a78bc6c61b9650a36bd18ea95c8Jakub Hrozeksssctl_dom_access_reporter_fn get_report_fn(const char *provider)
3ee8659bc6a77a78bc6c61b9650a36bd18ea95c8Jakub Hrozekerrno_t sssctl_access_report(struct sss_cmdline *cmdline,
be804178d5e5fee64be2b080e73f4ce7b0074f76Pavel Březina ret = sss_tool_popt_ex(cmdline, NULL, SSS_TOOL_OPT_OPTIONAL,
3ee8659bc6a77a78bc6c61b9650a36bd18ea95c8Jakub Hrozek NULL, NULL, "DOMAIN", _("Specify domain name."),
3ee8659bc6a77a78bc6c61b9650a36bd18ea95c8Jakub Hrozek DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse command arguments\n");
3ee8659bc6a77a78bc6c61b9650a36bd18ea95c8Jakub Hrozek dom = find_domain_by_name(tool_ctx->domains, domname, true);
3ee8659bc6a77a78bc6c61b9650a36bd18ea95c8Jakub Hrozek ERROR("Access report not implemented for domains of type %1$s\n",