e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher/*
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher SSSD
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher Authors:
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher Stephen Gallagher <sgallagh@redhat.com>
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher Copyright (C) 2011 Red Hat
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher This program is free software; you can redistribute it and/or modify
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher it under the terms of the GNU General Public License as published by
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher the Free Software Foundation; either version 3 of the License, or
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher (at your option) any later version.
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher This program is distributed in the hope that it will be useful,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher but WITHOUT ANY WARRANTY; without even the implied warranty of
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher GNU General Public License for more details.
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher You should have received a copy of the GNU General Public License
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher along with this program. If not, see <http://www.gnu.org/licenses/>.
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher*/
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher#include "providers/ipa/ipa_hbac_private.h"
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher#include "providers/ipa/ipa_common.h"
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e0404de84c31d2387bb244d018a5cac8d01f8b19Simo Sorcestatic errno_t
e0404de84c31d2387bb244d018a5cac8d01f8b19Simo Sorceipa_hbac_save_list(struct sss_domain_info *domain,
e0404de84c31d2387bb244d018a5cac8d01f8b19Simo Sorce bool delete_subdir, const char *subdir,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher const char *naming_attribute, size_t count,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher struct sysdb_attrs **list)
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher{
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher int ret;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher size_t c;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher struct ldb_dn *base_dn;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher const char *object_name;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher struct ldb_message_element *el;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher TALLOC_CTX *tmp_ctx;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher tmp_ctx = talloc_new(NULL);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (tmp_ctx == NULL) {
83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new failed.\n");
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher return ENOMEM;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (delete_subdir) {
e2ac9be4f293b96f3c8992f1171e44bc1da5cfcaMichal Zidek base_dn = sysdb_custom_subtree_dn(tmp_ctx, domain, subdir);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (base_dn == NULL) {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher ret = ENOMEM;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher goto done;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e0404de84c31d2387bb244d018a5cac8d01f8b19Simo Sorce ret = sysdb_delete_recursive(domain->sysdb, base_dn, true);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (ret != EOK) {
83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov DEBUG(SSSDBG_CRIT_FAILURE, "sysdb_delete_recursive failed.\n");
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher goto done;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher for (c = 0; c < count; c++) {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher ret = sysdb_attrs_get_el(list[c], naming_attribute, &el);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (ret != EOK) {
83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov DEBUG(SSSDBG_CRIT_FAILURE, "sysdb_attrs_get_el failed.\n");
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher goto done;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (el->num_values == 0) {
83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov DEBUG(SSSDBG_CRIT_FAILURE, "[%s] not found.\n", naming_attribute);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher ret = EINVAL;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher goto done;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher object_name = talloc_strndup(tmp_ctx, (const char *)el->values[0].data,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher el->values[0].length);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (object_name == NULL) {
83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strndup failed.\n");
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher ret = ENOMEM;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher goto done;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov DEBUG(SSSDBG_TRACE_ALL, "Object name: [%s].\n", object_name);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
d115f40c7a3999e3cbe705a2ff9cf0fd493f80fbMichal Zidek ret = sysdb_store_custom(domain, object_name, subdir, list[c]);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (ret != EOK) {
83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov DEBUG(SSSDBG_CRIT_FAILURE, "sysdb_store_custom failed.\n");
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher goto done;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher ret = EOK;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagherdone:
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher talloc_free(tmp_ctx);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher return ret;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher}
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallaghererrno_t
e0404de84c31d2387bb244d018a5cac8d01f8b19Simo Sorceipa_hbac_sysdb_save(struct sss_domain_info *domain,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher const char *primary_subdir, const char *attr_name,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher size_t primary_count, struct sysdb_attrs **primary,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher const char *group_subdir, const char *groupattr_name,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher size_t group_count, struct sysdb_attrs **groups)
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher{
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher errno_t ret, sret;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher bool in_transaction = false;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if ((primary_count == 0 || primary == NULL)
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher || (group_count > 0 && groups == NULL)) {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher /* There always has to be at least one
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher * primary entry.
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher */
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher return EINVAL;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher /* Save the entries and groups to the cache */
e0404de84c31d2387bb244d018a5cac8d01f8b19Simo Sorce ret = sysdb_transaction_start(domain->sysdb);
21d485184df986e1a123f70c689517386e51a5ceMichal Zidek if (ret != EOK) {
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_CRIT_FAILURE, "Failed to start transaction\n");
21d485184df986e1a123f70c689517386e51a5ceMichal Zidek goto done;
21d485184df986e1a123f70c689517386e51a5ceMichal Zidek };
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher in_transaction = true;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher /* First, save the specific entries */
e0404de84c31d2387bb244d018a5cac8d01f8b19Simo Sorce ret = ipa_hbac_save_list(domain, true, primary_subdir,
e0404de84c31d2387bb244d018a5cac8d01f8b19Simo Sorce attr_name, primary_count, primary);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (ret != EOK) {
83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov DEBUG(SSSDBG_CRIT_FAILURE, "Could not save %s. [%d][%s]\n",
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov primary_subdir, ret, strerror(ret));
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher goto done;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher /* Second, save the groups */
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (group_count > 0) {
e0404de84c31d2387bb244d018a5cac8d01f8b19Simo Sorce ret = ipa_hbac_save_list(domain, true, group_subdir,
e0404de84c31d2387bb244d018a5cac8d01f8b19Simo Sorce groupattr_name, group_count, groups);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (ret != EOK) {
83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov DEBUG(SSSDBG_CRIT_FAILURE, "Could not save %s. [%d][%s]\n",
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov group_subdir, ret, strerror(ret));
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher goto done;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e0404de84c31d2387bb244d018a5cac8d01f8b19Simo Sorce ret = sysdb_transaction_commit(domain->sysdb);
21d485184df986e1a123f70c689517386e51a5ceMichal Zidek if (ret != EOK) {
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_CRIT_FAILURE, "Failed to commit transaction\n");
21d485184df986e1a123f70c689517386e51a5ceMichal Zidek goto done;
21d485184df986e1a123f70c689517386e51a5ceMichal Zidek }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher in_transaction = false;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagherdone:
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (in_transaction) {
e0404de84c31d2387bb244d018a5cac8d01f8b19Simo Sorce sret = sysdb_transaction_cancel(domain->sysdb);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (sret != EOK) {
83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov DEBUG(SSSDBG_FATAL_FAILURE, "Could not cancel sysdb transaction\n");
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (ret != EOK) {
83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov DEBUG(SSSDBG_MINOR_FAILURE, "Error [%d][%s]\n", ret, strerror(ret));
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher return ret;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher}
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallaghererrno_t
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagherreplace_attribute_name(const char *old_name,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher const char *new_name, const size_t count,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher struct sysdb_attrs **list)
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher{
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher int ret;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher int i;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher for (i = 0; i < count; i++) {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher ret = sysdb_attrs_replace_name(list[i], old_name, new_name);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (ret != EOK) {
83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov DEBUG(SSSDBG_CRIT_FAILURE, "sysdb_attrs_replace_name failed.\n");
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher return ret;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher return EOK;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher}
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
3d8a87081a6cd197acbd355b5a39111669ec2aa6Jakub Hrozekstatic errno_t
3d8a87081a6cd197acbd355b5a39111669ec2aa6Jakub Hrozekcreate_empty_grouplist(struct hbac_request_element *el)
3d8a87081a6cd197acbd355b5a39111669ec2aa6Jakub Hrozek{
3d8a87081a6cd197acbd355b5a39111669ec2aa6Jakub Hrozek el->groups = talloc_array(el, const char *, 1);
3d8a87081a6cd197acbd355b5a39111669ec2aa6Jakub Hrozek if (!el->groups) return ENOMEM;
3d8a87081a6cd197acbd355b5a39111669ec2aa6Jakub Hrozek
3d8a87081a6cd197acbd355b5a39111669ec2aa6Jakub Hrozek el->groups[0] = NULL;
3d8a87081a6cd197acbd355b5a39111669ec2aa6Jakub Hrozek return EOK;
3d8a87081a6cd197acbd355b5a39111669ec2aa6Jakub Hrozek}
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher/********************************************
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher * Functions for handling conversion to the *
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher * HBAC evaluator format *
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher ********************************************/
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagherstatic errno_t
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagherhbac_attrs_to_rule(TALLOC_CTX *mem_ctx,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher struct hbac_ctx *hbac_ctx,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher size_t index,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher struct hbac_rule **rule);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagherstatic errno_t
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagherhbac_ctx_to_eval_request(TALLOC_CTX *mem_ctx,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher struct hbac_ctx *hbac_ctx,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher struct hbac_eval_req **request);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallaghererrno_t
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagherhbac_ctx_to_rules(TALLOC_CTX *mem_ctx,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher struct hbac_ctx *hbac_ctx,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher struct hbac_rule ***rules,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher struct hbac_eval_req **request)
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher{
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher errno_t ret;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher struct hbac_rule **new_rules;
9f37bb2012faa136ef7c1f9fe93689ce2be85637Ondrej Kos struct hbac_eval_req *new_request = NULL;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher size_t i;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher TALLOC_CTX *tmp_ctx = NULL;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (!rules || !request) return EINVAL;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher tmp_ctx = talloc_new(mem_ctx);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (tmp_ctx == NULL) return ENOMEM;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher /* First create an array of rules */
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher new_rules = talloc_array(tmp_ctx, struct hbac_rule *,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher hbac_ctx->rule_count + 1);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (new_rules == NULL) {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher ret = ENOMEM;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher goto done;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher /* Create each rule one at a time */
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher for (i = 0; i < hbac_ctx->rule_count ; i++) {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher ret = hbac_attrs_to_rule(new_rules, hbac_ctx, i, &(new_rules[i]));
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (ret == EPERM) {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher goto done;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher } else if (ret != EOK) {
83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov DEBUG(SSSDBG_CRIT_FAILURE, "Could not construct rules\n");
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher goto done;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher new_rules[i] = NULL;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher /* Create the eval request */
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher ret = hbac_ctx_to_eval_request(tmp_ctx, hbac_ctx, &new_request);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (ret != EOK) {
83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov DEBUG(SSSDBG_CRIT_FAILURE, "Could not construct eval request\n");
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher goto done;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher *rules = talloc_steal(mem_ctx, new_rules);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher *request = talloc_steal(mem_ctx, new_request);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher ret = EOK;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagherdone:
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher talloc_free(tmp_ctx);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher return ret;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher}
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagherstatic errno_t
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagherhbac_attrs_to_rule(TALLOC_CTX *mem_ctx,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher struct hbac_ctx *hbac_ctx,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher size_t idx,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher struct hbac_rule **rule)
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher{
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher errno_t ret;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher struct hbac_rule *new_rule;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher struct ldb_message_element *el;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher const char *rule_type;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher new_rule = talloc_zero(mem_ctx, struct hbac_rule);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (new_rule == NULL) return ENOMEM;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher ret = sysdb_attrs_get_el(hbac_ctx->rules[idx],
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher IPA_CN, &el);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (ret != EOK || el->num_values == 0) {
83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov DEBUG(SSSDBG_CONF_SETTINGS, "rule has no name, assuming '(none)'.\n");
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher new_rule->name = talloc_strdup(new_rule, "(none)");
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher } else {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher new_rule->name = talloc_strndup(new_rule,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher (const char*) el->values[0].data,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher el->values[0].length);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov DEBUG(SSSDBG_TRACE_LIBS, "Processing rule [%s]\n", new_rule->name);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher ret = sysdb_attrs_get_bool(hbac_ctx->rules[idx], IPA_ENABLED_FLAG,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher &new_rule->enabled);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (ret != EOK) goto done;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (!new_rule->enabled) {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher ret = EOK;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher goto done;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher ret = sysdb_attrs_get_string(hbac_ctx->rules[idx],
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher IPA_ACCESS_RULE_TYPE,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher &rule_type);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (ret != EOK) goto done;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (strcasecmp(rule_type, IPA_HBAC_ALLOW) != 0) {
83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov DEBUG(SSSDBG_TRACE_LIBS,
83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov "Rule [%s] is not an ALLOW rule\n", new_rule->name);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher ret = EPERM;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher goto done;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher /* Get the users */
dea636af4d1902a081ee891f1b19ee2f8729d759Pavel Březina ret = hbac_user_attrs_to_rule(new_rule, hbac_ctx->be_ctx->domain,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher new_rule->name,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher hbac_ctx->rules[idx],
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher &new_rule->users);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (ret != EOK) {
83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov DEBUG(SSSDBG_CRIT_FAILURE, "Could not parse users for rule [%s]\n",
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov new_rule->name);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher goto done;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher /* Get the services */
dea636af4d1902a081ee891f1b19ee2f8729d759Pavel Březina ret = hbac_service_attrs_to_rule(new_rule, hbac_ctx->be_ctx->domain,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher new_rule->name,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher hbac_ctx->rules[idx],
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher &new_rule->services);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (ret != EOK) {
83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov DEBUG(SSSDBG_CRIT_FAILURE, "Could not parse services for rule [%s]\n",
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov new_rule->name);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher goto done;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher /* Get the target hosts */
dea636af4d1902a081ee891f1b19ee2f8729d759Pavel Březina ret = hbac_thost_attrs_to_rule(new_rule, hbac_ctx->be_ctx->domain,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher new_rule->name,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher hbac_ctx->rules[idx],
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher &new_rule->targethosts);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (ret != EOK) {
83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov DEBUG(SSSDBG_CRIT_FAILURE,
83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov "Could not parse target hosts for rule [%s]\n",
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov new_rule->name);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher goto done;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher /* Get the source hosts */
6fb75e297bf7fc83e3db1f5ae8560624656ef319Jan Zeleny
dea636af4d1902a081ee891f1b19ee2f8729d759Pavel Březina ret = hbac_shost_attrs_to_rule(new_rule, hbac_ctx->be_ctx->domain,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher new_rule->name,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher hbac_ctx->rules[idx],
6fb75e297bf7fc83e3db1f5ae8560624656ef319Jan Zeleny dp_opt_get_bool(hbac_ctx->ipa_options,
6fb75e297bf7fc83e3db1f5ae8560624656ef319Jan Zeleny IPA_HBAC_SUPPORT_SRCHOST),
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher &new_rule->srchosts);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (ret != EOK) {
83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov DEBUG(SSSDBG_CRIT_FAILURE,
83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov "Could not parse source hosts for rule [%s]\n",
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov new_rule->name);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher goto done;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher *rule = new_rule;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher ret = EOK;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagherdone:
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (ret != EOK) talloc_free(new_rule);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher return ret;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher}
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallaghererrno_t
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagherhbac_get_category(struct sysdb_attrs *attrs,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher const char *category_attr,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher uint32_t *_categories)
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher{
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher errno_t ret;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher size_t i;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher uint32_t cats = HBAC_CATEGORY_NULL;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher const char **categories;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher TALLOC_CTX *tmp_ctx = talloc_new(NULL);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (tmp_ctx == NULL) return ENOMEM;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher ret = sysdb_attrs_get_string_array(attrs, category_attr,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher tmp_ctx, &categories);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (ret != EOK && ret != ENOENT) goto done;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (ret != ENOENT) {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher for (i = 0; categories[i]; i++) {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (strcasecmp("all", categories[i]) == 0) {
83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov DEBUG(SSSDBG_FUNC_DATA, "Category is set to 'all'.\n");
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher cats |= HBAC_CATEGORY_ALL;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher continue;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov DEBUG(SSSDBG_TRACE_ALL, "Unsupported user category [%s].\n",
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov categories[i]);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher *_categories = cats;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher ret = EOK;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagherdone:
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher talloc_free(tmp_ctx);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher return ret;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher}
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagherstatic errno_t
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagherhbac_eval_user_element(TALLOC_CTX *mem_ctx,
2ce00e0d3896bb42db169d1e79553a81ca837a22Simo Sorce struct sss_domain_info *domain,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher const char *username,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher struct hbac_request_element **user_element);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagherstatic errno_t
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagherhbac_eval_service_element(TALLOC_CTX *mem_ctx,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher struct sss_domain_info *domain,
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher const char *servicename,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher struct hbac_request_element **svc_element);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagherstatic errno_t
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagherhbac_eval_host_element(TALLOC_CTX *mem_ctx,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher struct sss_domain_info *domain,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher const char *hostname,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher struct hbac_request_element **host_element);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagherstatic errno_t
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagherhbac_ctx_to_eval_request(TALLOC_CTX *mem_ctx,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher struct hbac_ctx *hbac_ctx,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher struct hbac_eval_req **request)
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher{
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher errno_t ret;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher struct pam_data *pd = hbac_ctx->pd;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher TALLOC_CTX *tmp_ctx;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher struct hbac_eval_req *eval_req;
dea636af4d1902a081ee891f1b19ee2f8729d759Pavel Březina struct sss_domain_info *domain = hbac_ctx->be_ctx->domain;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher const char *rhost;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher const char *thost;
94a66f84bd3c28fcabffeb84c682dccf89d89c2bSumit Bose struct sss_domain_info *user_dom;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher tmp_ctx = talloc_new(mem_ctx);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (tmp_ctx == NULL) return ENOMEM;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher eval_req = talloc_zero(tmp_ctx, struct hbac_eval_req);
1ea2e8bd370e0dc2f2c3fa09232cf67082ef748dStephen Gallagher if (eval_req == NULL) {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher ret = ENOMEM;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher goto done;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher eval_req->request_time = time(NULL);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
94a66f84bd3c28fcabffeb84c682dccf89d89c2bSumit Bose /* Get user the user name and groups,
94a66f84bd3c28fcabffeb84c682dccf89d89c2bSumit Bose * take care of subdomain users as well */
94a66f84bd3c28fcabffeb84c682dccf89d89c2bSumit Bose if (strcasecmp(pd->domain, domain->name) != 0) {
db18dda869bc6c52a41797b2066cf121cf10f49cPavel Reichl user_dom = find_domain_by_name(domain, pd->domain, true);
94a66f84bd3c28fcabffeb84c682dccf89d89c2bSumit Bose if (user_dom == NULL) {
db18dda869bc6c52a41797b2066cf121cf10f49cPavel Reichl DEBUG(SSSDBG_OP_FAILURE, "find_domain_by_name failed.\n");
94a66f84bd3c28fcabffeb84c682dccf89d89c2bSumit Bose ret = ENOMEM;
94a66f84bd3c28fcabffeb84c682dccf89d89c2bSumit Bose goto done;
94a66f84bd3c28fcabffeb84c682dccf89d89c2bSumit Bose }
c41ae115bfa808d04e729dcbd759d8aae8387ce7Jakub Hrozek ret = hbac_eval_user_element(eval_req, user_dom, pd->user,
c41ae115bfa808d04e729dcbd759d8aae8387ce7Jakub Hrozek &eval_req->user);
94a66f84bd3c28fcabffeb84c682dccf89d89c2bSumit Bose } else {
c41ae115bfa808d04e729dcbd759d8aae8387ce7Jakub Hrozek ret = hbac_eval_user_element(eval_req, domain, pd->user,
c41ae115bfa808d04e729dcbd759d8aae8387ce7Jakub Hrozek &eval_req->user);
94a66f84bd3c28fcabffeb84c682dccf89d89c2bSumit Bose }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (ret != EOK) goto done;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher /* Get the PAM service and service groups */
c41ae115bfa808d04e729dcbd759d8aae8387ce7Jakub Hrozek ret = hbac_eval_service_element(eval_req, domain, pd->service,
c41ae115bfa808d04e729dcbd759d8aae8387ce7Jakub Hrozek &eval_req->service);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (ret != EOK) goto done;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher /* Get the source host */
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (pd->rhost == NULL || pd->rhost[0] == '\0') {
9b72b00ebcfd6225a4e139619c8e18d44a448f87Stephen Gallagher /* If we haven't been passed an rhost,
9b72b00ebcfd6225a4e139619c8e18d44a448f87Stephen Gallagher * the rhost is unknown. This will fail
9b72b00ebcfd6225a4e139619c8e18d44a448f87Stephen Gallagher * to match any rule requiring the
9b72b00ebcfd6225a4e139619c8e18d44a448f87Stephen Gallagher * source host.
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher */
9b72b00ebcfd6225a4e139619c8e18d44a448f87Stephen Gallagher rhost = NULL;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher } else {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher rhost = pd->rhost;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
c41ae115bfa808d04e729dcbd759d8aae8387ce7Jakub Hrozek ret = hbac_eval_host_element(eval_req, domain, rhost,
c41ae115bfa808d04e729dcbd759d8aae8387ce7Jakub Hrozek &eval_req->srchost);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (ret != EOK) goto done;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher /* The target host is always the current machine */
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher thost = dp_opt_get_cstring(hbac_ctx->ipa_options, IPA_HOSTNAME);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (thost == NULL) {
83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov DEBUG(SSSDBG_CRIT_FAILURE,
83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov "Missing ipa_hostname, this should never happen.\n");
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher ret = EINVAL;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher goto done;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
c41ae115bfa808d04e729dcbd759d8aae8387ce7Jakub Hrozek ret = hbac_eval_host_element(eval_req, domain, thost,
c41ae115bfa808d04e729dcbd759d8aae8387ce7Jakub Hrozek &eval_req->targethost);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (ret != EOK) goto done;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher *request = talloc_steal(mem_ctx, eval_req);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher ret = EOK;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagherdone:
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher talloc_free(tmp_ctx);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher return ret;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher}
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagherstatic errno_t
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagherhbac_eval_user_element(TALLOC_CTX *mem_ctx,
2ce00e0d3896bb42db169d1e79553a81ca837a22Simo Sorce struct sss_domain_info *domain,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher const char *username,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher struct hbac_request_element **user_element)
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher{
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher errno_t ret;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher unsigned int i;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher unsigned int num_groups = 0;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher TALLOC_CTX *tmp_ctx;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher const char *member_dn;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher struct hbac_request_element *users;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher struct ldb_message *msg;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher struct ldb_message_element *el;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher const char *attrs[] = { SYSDB_ORIG_MEMBEROF, NULL };
0ad1bcec60a2ec67a602e0ad1888f859d6009d54Sumit Bose char *shortname;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher tmp_ctx = talloc_new(mem_ctx);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (tmp_ctx == NULL) return ENOMEM;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher users = talloc_zero(tmp_ctx, struct hbac_request_element);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (users == NULL) {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher ret = ENOMEM;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher goto done;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
0ad1bcec60a2ec67a602e0ad1888f859d6009d54Sumit Bose ret = sss_parse_internal_fqname(tmp_ctx, username, &shortname, NULL);
0ad1bcec60a2ec67a602e0ad1888f859d6009d54Sumit Bose if (ret != EOK) {
0ad1bcec60a2ec67a602e0ad1888f859d6009d54Sumit Bose ret = ERR_WRONG_NAME_FORMAT;
0ad1bcec60a2ec67a602e0ad1888f859d6009d54Sumit Bose goto done;
0ad1bcec60a2ec67a602e0ad1888f859d6009d54Sumit Bose }
0ad1bcec60a2ec67a602e0ad1888f859d6009d54Sumit Bose users->name = talloc_steal(users, shortname);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher /* Read the originalMemberOf attribute
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher * This will give us the list of both POSIX and
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher * non-POSIX groups that this user belongs to.
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher */
0ad1bcec60a2ec67a602e0ad1888f859d6009d54Sumit Bose ret = sysdb_search_user_by_name(tmp_ctx, domain, username,
4c08db0fb0dda3d27b1184248ca5c800d7ce23f0Michal Zidek attrs, &msg);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (ret != EOK) {
83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov DEBUG(SSSDBG_CRIT_FAILURE,
83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov "Could not determine user memberships for [%s]\n",
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov users->name);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher goto done;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher el = ldb_msg_find_element(msg, SYSDB_ORIG_MEMBEROF);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (el == NULL || el->num_values == 0) {
83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov DEBUG(SSSDBG_TRACE_LIBS, "No groups for [%s]\n", users->name);
3d8a87081a6cd197acbd355b5a39111669ec2aa6Jakub Hrozek ret = create_empty_grouplist(users);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher goto done;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov DEBUG(SSSDBG_TRACE_LIBS,
83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov "[%d] groups for [%s]\n", el->num_values, users->name);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher users->groups = talloc_array(users, const char *, el->num_values + 1);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (users->groups == NULL) {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher ret = ENOMEM;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher goto done;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher for (i = 0; i < el->num_values; i++) {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher member_dn = (const char *)el->values[i].data;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
64d8e2df816323a004bf6e7e9d05ba373b9e033dJakub Hrozek ret = get_ipa_groupname(users->groups, domain->sysdb, member_dn,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher &users->groups[num_groups]);
1243e093fd31c5660adf1bb3dd477d6935a755beJakub Hrozek if (ret != EOK && ret != ERR_UNEXPECTED_ENTRY_TYPE) {
6dff95bdfe437afc0b62b5270d0d84140981c786Jakub Hrozek DEBUG(SSSDBG_MINOR_FAILURE,
6dff95bdfe437afc0b62b5270d0d84140981c786Jakub Hrozek "Skipping malformed entry [%s]\n", member_dn);
6dff95bdfe437afc0b62b5270d0d84140981c786Jakub Hrozek continue;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher } else if (ret == EOK) {
83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov DEBUG(SSSDBG_TRACE_LIBS, "Added group [%s] for user [%s]\n",
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov users->groups[num_groups], users->name);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher num_groups++;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher continue;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher /* Skip entries that are not groups */
83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov DEBUG(SSSDBG_TRACE_INTERNAL,
83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov "Skipping non-group memberOf [%s]\n", member_dn);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher users->groups[num_groups] = NULL;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (num_groups < el->num_values) {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher /* Shrink the array memory */
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher users->groups = talloc_realloc(users, users->groups, const char *,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher num_groups+1);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (users->groups == NULL) {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher ret = ENOMEM;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher goto done;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher ret = EOK;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagherdone:
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (ret == EOK) {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher *user_element = talloc_steal(mem_ctx, users);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher talloc_free(tmp_ctx);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher return ret;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher}
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagherstatic errno_t
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagherhbac_eval_service_element(TALLOC_CTX *mem_ctx,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher struct sss_domain_info *domain,
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher const char *servicename,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher struct hbac_request_element **svc_element)
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher{
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher errno_t ret;
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher size_t i, j, count;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher TALLOC_CTX *tmp_ctx;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher struct hbac_request_element *svc;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher struct ldb_message **msgs;
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher struct ldb_message_element *el;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher struct ldb_dn *svc_dn;
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher const char *memberof_attrs[] = { SYSDB_ORIG_MEMBEROF, NULL };
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher char *name;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher tmp_ctx = talloc_new(mem_ctx);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (tmp_ctx == NULL) return ENOMEM;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher svc = talloc_zero(tmp_ctx, struct hbac_request_element);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (svc == NULL) {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher ret = ENOMEM;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher goto done;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher svc->name = servicename;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e2ac9be4f293b96f3c8992f1171e44bc1da5cfcaMichal Zidek svc_dn = sysdb_custom_dn(tmp_ctx, domain, svc->name, HBAC_SERVICES_SUBDIR);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (svc_dn == NULL) {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher ret = ENOMEM;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher goto done;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher /* Look up the service to get its originalMemberOf entries */
64d8e2df816323a004bf6e7e9d05ba373b9e033dJakub Hrozek ret = sysdb_search_entry(tmp_ctx, domain->sysdb, svc_dn,
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher LDB_SCOPE_BASE, NULL,
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher memberof_attrs,
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher &count, &msgs);
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher if (ret == ENOENT || count == 0) {
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher /* We won't be able to identify any groups
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher * This rule will only match the name or
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher * a service category of ALL
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher */
3d8a87081a6cd197acbd355b5a39111669ec2aa6Jakub Hrozek ret = create_empty_grouplist(svc);
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher goto done;
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher } else if (ret != EOK) {
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher goto done;
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher } else if (count > 1) {
83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov DEBUG(SSSDBG_CRIT_FAILURE, "More than one result for a BASE search!\n");
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher ret = EIO;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher goto done;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher el = ldb_msg_find_element(msgs[0], SYSDB_ORIG_MEMBEROF);
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher if (!el) {
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher /* Service is not a member of any groups
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher * This rule will only match the name or
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher * a service category of ALL
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher */
3d8a87081a6cd197acbd355b5a39111669ec2aa6Jakub Hrozek ret = create_empty_grouplist(svc);
c3d09c0095a45de1973f320ce2045ac74d4e4f83Jakub Hrozek goto done;
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher }
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher svc->groups = talloc_array(svc, const char *, el->num_values + 1);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (svc->groups == NULL) {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher ret = ENOMEM;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher goto done;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher for (i = j = 0; i < el->num_values; i++) {
64d8e2df816323a004bf6e7e9d05ba373b9e033dJakub Hrozek ret = get_ipa_servicegroupname(tmp_ctx, domain->sysdb,
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher (const char *)el->values[i].data,
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher &name);
c41ae115bfa808d04e729dcbd759d8aae8387ce7Jakub Hrozek if (ret != EOK && ret != ERR_UNEXPECTED_ENTRY_TYPE) {
6dff95bdfe437afc0b62b5270d0d84140981c786Jakub Hrozek DEBUG(SSSDBG_MINOR_FAILURE, "Skipping malformed entry [%s]\n",
6dff95bdfe437afc0b62b5270d0d84140981c786Jakub Hrozek (const char *)el->values[i].data);
6dff95bdfe437afc0b62b5270d0d84140981c786Jakub Hrozek continue;
c41ae115bfa808d04e729dcbd759d8aae8387ce7Jakub Hrozek }
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher
1243e093fd31c5660adf1bb3dd477d6935a755beJakub Hrozek /* ERR_UNEXPECTED_ENTRY_TYPE means we had a memberOf entry that wasn't a
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher * service group. We'll just ignore those (could be
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher * HBAC rules)
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher */
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher if (ret == EOK) {
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher svc->groups[j] = talloc_steal(svc->groups, name);
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher j++;
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher svc->groups[j] = NULL;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher ret = EOK;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagherdone:
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher if (ret == EOK) {
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher *svc_element = talloc_steal(mem_ctx, svc);
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher talloc_free(tmp_ctx);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher return ret;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher}
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagherstatic errno_t
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagherhbac_eval_host_element(TALLOC_CTX *mem_ctx,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher struct sss_domain_info *domain,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher const char *hostname,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher struct hbac_request_element **host_element)
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher{
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher errno_t ret;
c1fcc832ccfc237caac8b99be238cf2d598f908cStephen Gallagher size_t i, j, count;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher TALLOC_CTX *tmp_ctx;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher struct hbac_request_element *host;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher struct ldb_message **msgs;
c1fcc832ccfc237caac8b99be238cf2d598f908cStephen Gallagher struct ldb_message_element *el;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher struct ldb_dn *host_dn;
c1fcc832ccfc237caac8b99be238cf2d598f908cStephen Gallagher const char *memberof_attrs[] = { SYSDB_ORIG_MEMBEROF, NULL };
c1fcc832ccfc237caac8b99be238cf2d598f908cStephen Gallagher char *name;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher tmp_ctx = talloc_new(mem_ctx);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (tmp_ctx == NULL) return ENOMEM;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher host = talloc_zero(tmp_ctx, struct hbac_request_element);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (host == NULL) {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher ret = ENOMEM;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher goto done;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher host->name = hostname;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
9b72b00ebcfd6225a4e139619c8e18d44a448f87Stephen Gallagher if (host->name == NULL) {
9b72b00ebcfd6225a4e139619c8e18d44a448f87Stephen Gallagher /* We don't know the host (probably an rhost)
9b72b00ebcfd6225a4e139619c8e18d44a448f87Stephen Gallagher * So we can't determine it's groups either.
9b72b00ebcfd6225a4e139619c8e18d44a448f87Stephen Gallagher */
3d8a87081a6cd197acbd355b5a39111669ec2aa6Jakub Hrozek ret = create_empty_grouplist(host);
9b72b00ebcfd6225a4e139619c8e18d44a448f87Stephen Gallagher goto done;
9b72b00ebcfd6225a4e139619c8e18d44a448f87Stephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e2ac9be4f293b96f3c8992f1171e44bc1da5cfcaMichal Zidek host_dn = sysdb_custom_dn(tmp_ctx, domain, host->name, HBAC_HOSTS_SUBDIR);
c1fcc832ccfc237caac8b99be238cf2d598f908cStephen Gallagher if (host_dn == NULL) {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher ret = ENOMEM;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher goto done;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
c1fcc832ccfc237caac8b99be238cf2d598f908cStephen Gallagher /* Look up the host to get its originalMemberOf entries */
64d8e2df816323a004bf6e7e9d05ba373b9e033dJakub Hrozek ret = sysdb_search_entry(tmp_ctx, domain->sysdb, host_dn,
c1fcc832ccfc237caac8b99be238cf2d598f908cStephen Gallagher LDB_SCOPE_BASE, NULL,
c1fcc832ccfc237caac8b99be238cf2d598f908cStephen Gallagher memberof_attrs,
c1fcc832ccfc237caac8b99be238cf2d598f908cStephen Gallagher &count, &msgs);
c1fcc832ccfc237caac8b99be238cf2d598f908cStephen Gallagher if (ret == ENOENT || count == 0) {
c1fcc832ccfc237caac8b99be238cf2d598f908cStephen Gallagher /* We won't be able to identify any groups
c1fcc832ccfc237caac8b99be238cf2d598f908cStephen Gallagher * This rule will only match the name or
c1fcc832ccfc237caac8b99be238cf2d598f908cStephen Gallagher * a host category of ALL
c1fcc832ccfc237caac8b99be238cf2d598f908cStephen Gallagher */
3d8a87081a6cd197acbd355b5a39111669ec2aa6Jakub Hrozek ret = create_empty_grouplist(host);
c1fcc832ccfc237caac8b99be238cf2d598f908cStephen Gallagher goto done;
c1fcc832ccfc237caac8b99be238cf2d598f908cStephen Gallagher } else if (ret != EOK) {
c1fcc832ccfc237caac8b99be238cf2d598f908cStephen Gallagher goto done;
c1fcc832ccfc237caac8b99be238cf2d598f908cStephen Gallagher } else if (count > 1) {
83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov DEBUG(SSSDBG_CRIT_FAILURE, "More than one result for a BASE search!\n");
c1fcc832ccfc237caac8b99be238cf2d598f908cStephen Gallagher ret = EIO;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher goto done;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
c1fcc832ccfc237caac8b99be238cf2d598f908cStephen Gallagher el = ldb_msg_find_element(msgs[0], SYSDB_ORIG_MEMBEROF);
c1fcc832ccfc237caac8b99be238cf2d598f908cStephen Gallagher if (!el) {
c1fcc832ccfc237caac8b99be238cf2d598f908cStephen Gallagher /* Host is not a member of any groups
c1fcc832ccfc237caac8b99be238cf2d598f908cStephen Gallagher * This rule will only match the name or
c1fcc832ccfc237caac8b99be238cf2d598f908cStephen Gallagher * a host category of ALL
c1fcc832ccfc237caac8b99be238cf2d598f908cStephen Gallagher */
3d8a87081a6cd197acbd355b5a39111669ec2aa6Jakub Hrozek ret = create_empty_grouplist(host);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher goto done;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
c1fcc832ccfc237caac8b99be238cf2d598f908cStephen Gallagher
c1fcc832ccfc237caac8b99be238cf2d598f908cStephen Gallagher host->groups = talloc_array(host, const char *, el->num_values + 1);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (host->groups == NULL) {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher ret = ENOMEM;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher goto done;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
c1fcc832ccfc237caac8b99be238cf2d598f908cStephen Gallagher for (i = j = 0; i < el->num_values; i++) {
64d8e2df816323a004bf6e7e9d05ba373b9e033dJakub Hrozek ret = get_ipa_hostgroupname(tmp_ctx, domain->sysdb,
c1fcc832ccfc237caac8b99be238cf2d598f908cStephen Gallagher (const char *)el->values[i].data,
c1fcc832ccfc237caac8b99be238cf2d598f908cStephen Gallagher &name);
c41ae115bfa808d04e729dcbd759d8aae8387ce7Jakub Hrozek if (ret != EOK && ret != ERR_UNEXPECTED_ENTRY_TYPE) {
6dff95bdfe437afc0b62b5270d0d84140981c786Jakub Hrozek DEBUG(SSSDBG_MINOR_FAILURE, "Skipping malformed entry [%s]\n",
6dff95bdfe437afc0b62b5270d0d84140981c786Jakub Hrozek (const char *)el->values[i].data);
6dff95bdfe437afc0b62b5270d0d84140981c786Jakub Hrozek continue;
c41ae115bfa808d04e729dcbd759d8aae8387ce7Jakub Hrozek }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
1243e093fd31c5660adf1bb3dd477d6935a755beJakub Hrozek /* ERR_UNEXPECTED_ENTRY_TYPE means we had a memberOf entry that wasn't a
c1fcc832ccfc237caac8b99be238cf2d598f908cStephen Gallagher * host group. We'll just ignore those (could be
c1fcc832ccfc237caac8b99be238cf2d598f908cStephen Gallagher * HBAC rules)
c1fcc832ccfc237caac8b99be238cf2d598f908cStephen Gallagher */
c1fcc832ccfc237caac8b99be238cf2d598f908cStephen Gallagher
c1fcc832ccfc237caac8b99be238cf2d598f908cStephen Gallagher if (ret == EOK) {
c1fcc832ccfc237caac8b99be238cf2d598f908cStephen Gallagher host->groups[j] = talloc_steal(host->groups, name);
c1fcc832ccfc237caac8b99be238cf2d598f908cStephen Gallagher j++;
c1fcc832ccfc237caac8b99be238cf2d598f908cStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
c1fcc832ccfc237caac8b99be238cf2d598f908cStephen Gallagher host->groups[j] = NULL;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher ret = EOK;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagherdone:
9b72b00ebcfd6225a4e139619c8e18d44a448f87Stephen Gallagher if (ret == EOK) {
9b72b00ebcfd6225a4e139619c8e18d44a448f87Stephen Gallagher *host_element = talloc_steal(mem_ctx, host);
9b72b00ebcfd6225a4e139619c8e18d44a448f87Stephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher talloc_free(tmp_ctx);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher return ret;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher}