sysdb_sudo.c revision aeb3cef10158a1c621d58c6d982e53569e40c6c0
/*
Authors:
Jakub Hrozek <jhrozek@redhat.com>
Copyright (C) 2011 Red Hat
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include "config.h"
#include <talloc.h>
#include <time.h>
#include "db/sysdb_private.h"
#include "db/sysdb_sudo.h"
if (!val) { \
goto label; \
} \
} while(0)
/* ==================== Utility functions ==================== */
{
/* SUDO requires times to be in generalized time format:
* YYYYMMDDHHMMSS[.|,fraction][(+|-HHMM)|Z]
*
* We need to use more format strings to parse this with strptime().
*/
"%Y%m%d%H%M%S%z", /* 201212121300+-0200 */
"%Y%m%d%H%M%S.0Z",
"%Y%m%d%H%M%S.0%z",
"%Y%m%d%H%M%S,0Z",
"%Y%m%d%H%M%S,0%z",
NULL};
/* strptime() may leave some fields uninitialized */
return EOK;
}
}
return EINVAL;
}
bool *result)
{
int i;
*result = false;
name = "<missing>";
goto done;
}
/*
* From man sudoers.ldap:
*
* If multiple sudoNotBefore entries are present, the *earliest* is used.
* If multiple sudoNotAfter entries are present, the *last one* is used.
*
* From sudo sources, ldap.c:
* If either the sudoNotAfter or sudoNotBefore attributes are missing,
* no time restriction shall be imposed.
*/
/* check for sudoNotBefore */
for (i=0; values[i] ; i++) {
name);
goto done;
}
/* Grab the earliest */
if (!notBefore) {
}
}
goto done;
}
/* check for sudoNotAfter */
for (i=0; values[i] ; i++) {
name);
goto done;
}
/* Grab the latest */
if (!notAfter) {
}
}
goto done;
}
*result = true;
}
if (*result) {
name);
} else {
"restrictions\n", name);
}
done:
return ret;
}
struct sysdb_attrs **in_rules,
struct sysdb_attrs ***_rules)
{
bool allowed = false;
int i;
if (now == 0) {
}
for (i = 0; i < in_num_rules; i++) {
num_rules++;
}
}
*_num_rules = num_rules;
done:
return ret;
}
char **_filter)
{
char *specific_filter = NULL;
int i;
/* build specific filter */
if (flags & SYSDB_SUDO_FILTER_INCLUDE_ALL) {
}
if (flags & SYSDB_SUDO_FILTER_INCLUDE_DFL) {
}
goto done;
}
}
(unsigned long long) uid);
}
for (i=0; groupnames[i] != NULL; i++) {
goto done;
}
}
}
if (flags & SYSDB_SUDO_FILTER_NGRS) {
}
/* build global filter */
if (specific_filter[0] != '\0') {
}
if (flags & SYSDB_SUDO_FILTER_ONLY_EXPIRED) {
SYSDB_CACHE_EXPIRE, (long long)now);
}
done:
return ret;
}
struct sss_domain_info *domain,
char ***groupnames)
{
struct ldb_message *msg;
char **sysdb_groupnames = NULL;
const char *primary_group = NULL;
struct ldb_message_element *groups;
size_t num_groups = 0;
int i;
const char *attrs[] = { SYSDB_MEMBEROF,
NULL };
const char *group_attrs[] = { SYSDB_NAME,
NULL };
goto done;
}
if (!uid) {
goto done;
}
}
/* resolve secondary groups */
if (groupnames != NULL) {
/* No groups for this user in sysdb currently */
num_groups = 0;
} else {
/* Get a list of the groups by groupname only */
for (i = 0; i < groups->num_values; i++) {
&sysdb_groupnames[i]);
goto done;
}
}
}
}
/* resolve primary group */
if (gid != 0) {
&group_msg);
NULL);
if (primary_group == NULL) {
goto done;
}
num_groups++;
char *, num_groups + 1);
goto done;
}
}
}
if (groupnames != NULL) {
}
done:
return ret;
}
const char *attr_name,
{
int lret;
if (!tmp_ctx) {
goto done;
}
if (!dn) {
goto done;
}
if (lret != LDB_SUCCESS) {
goto done;
}
goto done;
}
if (lret != LDB_SUCCESS) {
goto done;
}
"Got more than one reply for base search!\n");
goto done;
} else {
if (lret != LDB_SUCCESS) {
goto done;
}
}
if (lret != LDB_SUCCESS) {
goto done;
}
} else {
}
if (lret != LDB_SUCCESS) {
"ldb operation failed: [%s](%d)[%s]\n",
}
done:
return ret;
}
const char *attr_name,
{
struct ldb_result *res;
int lret;
return ENOMEM;
}
if (!dn) {
goto done;
}
if (lret != LDB_SUCCESS) {
goto done;
}
/* This entry has not been populated in LDB
* This is a common case, as unlike LDAP,
* LDB does not need to have all of its parent
* objects actually exist.
*/
*value = 0;
goto done;
"Got more than one reply for base search!\n");
goto done;
}
done:
return ret;
}
{
return sysdb_sudo_set_refresh_time(domain,
}
{
return sysdb_sudo_get_refresh_time(domain,
}
/* ==================== Purge functions ==================== */
static const char *
{
const char *name;
"or multiple CN values. It will be skipped.\n");
return NULL;
return NULL;
}
return name;
}
{
goto done;
}
done:
return ret;
}
static errno_t
const char *name)
{
}
static errno_t
struct sysdb_attrs **rules,
{
const char *name;
size_t i;
return EOK;
}
for (i = 0; i < num_rules; i++) {
continue;
}
continue;
}
}
return EOK;
}
static errno_t
const char *filter)
{
struct sysdb_attrs **rules;
struct ldb_message **msgs;
const char *attrs[] = { SYSDB_OBJECTCLASS,
NULL };
return sysdb_sudo_purge_all(domain);
}
goto done;
}
goto done;
goto done;
}
goto done;
}
done:
return ret;
}
const char *delete_filter,
struct sysdb_attrs **rules,
{
bool in_transaction = false;
return ret;
}
in_transaction = true;
if (delete_filter) {
} else {
}
goto done;
}
goto done;
}
in_transaction = false;
done:
if (in_transaction) {
}
}
}
return ret;
}
static errno_t
const char *name,
int cache_timeout,
{
return ret;
}
return ret;
}
if (ret) {
return ret;
}
return EOK;
}
static errno_t
struct sysdb_attrs *rule,
int cache_timeout,
{
const char *name;
return EINVAL;
}
return ret;
}
return ret;
}
return EOK;
}
struct sysdb_attrs **rules,
{
bool in_transaction = false;
size_t i;
return EOK;
}
return ret;
}
in_transaction = true;
for (i = 0; i < num_rules; i++) {
/* Multiple CNs are error on server side, we can just ignore this
* rule and save the others. Loud debug message is in logs. */
continue;
goto done;
}
}
goto done;
}
in_transaction = false;
done:
if (in_transaction) {
}
}
}
return ret;
}