ipa_hbac_common.c revision b860f8b6b6b03982c80268e9f6fd35f6455b6b37
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher/*
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher SSSD
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher Authors:
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher Stephen Gallagher <sgallagh@redhat.com>
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher Copyright (C) 2011 Red Hat
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher This program is free software; you can redistribute it and/or modify
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher it under the terms of the GNU General Public License as published by
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher the Free Software Foundation; either version 3 of the License, or
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher (at your option) any later version.
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher This program is distributed in the hope that it will be useful,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher but WITHOUT ANY WARRANTY; without even the implied warranty of
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher GNU General Public License for more details.
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher You should have received a copy of the GNU General Public License
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher along with this program. If not, see <http://www.gnu.org/licenses/>.
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher*/
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher#include "providers/ipa/ipa_hbac_private.h"
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher#include "providers/ipa/ipa_hbac.h"
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher#include "providers/ipa/ipa_common.h"
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e0404de84c31d2387bb244d018a5cac8d01f8b19Simo Sorcestatic errno_t
e0404de84c31d2387bb244d018a5cac8d01f8b19Simo Sorceipa_hbac_save_list(struct sss_domain_info *domain,
e0404de84c31d2387bb244d018a5cac8d01f8b19Simo Sorce bool delete_subdir, const char *subdir,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher const char *naming_attribute, size_t count,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher struct sysdb_attrs **list)
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher{
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher int ret;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher size_t c;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher struct ldb_dn *base_dn;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher const char *object_name;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher struct ldb_message_element *el;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher TALLOC_CTX *tmp_ctx;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher tmp_ctx = talloc_new(NULL);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (tmp_ctx == NULL) {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher DEBUG(1, ("talloc_new failed.\n"));
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher return ENOMEM;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (delete_subdir) {
e0404de84c31d2387bb244d018a5cac8d01f8b19Simo Sorce base_dn = sysdb_custom_subtree_dn(domain->sysdb, tmp_ctx,
e0404de84c31d2387bb244d018a5cac8d01f8b19Simo Sorce domain, subdir);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (base_dn == NULL) {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher ret = ENOMEM;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher goto done;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e0404de84c31d2387bb244d018a5cac8d01f8b19Simo Sorce ret = sysdb_delete_recursive(domain->sysdb, base_dn, true);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (ret != EOK) {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher DEBUG(1, ("sysdb_delete_recursive failed.\n"));
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher goto done;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher for (c = 0; c < count; c++) {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher ret = sysdb_attrs_get_el(list[c], naming_attribute, &el);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (ret != EOK) {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher DEBUG(1, ("sysdb_attrs_get_el failed.\n"));
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher goto done;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (el->num_values == 0) {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher DEBUG(1, ("[%s] not found.\n", naming_attribute));
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher ret = EINVAL;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher goto done;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher object_name = talloc_strndup(tmp_ctx, (const char *)el->values[0].data,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher el->values[0].length);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (object_name == NULL) {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher DEBUG(1, ("talloc_strndup failed.\n"));
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher ret = ENOMEM;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher goto done;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher DEBUG(9, ("Object name: [%s].\n", object_name));
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e0404de84c31d2387bb244d018a5cac8d01f8b19Simo Sorce ret = sysdb_store_custom(domain->sysdb, domain,
e0404de84c31d2387bb244d018a5cac8d01f8b19Simo Sorce object_name, subdir, list[c]);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (ret != EOK) {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher DEBUG(1, ("sysdb_store_custom failed.\n"));
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher goto done;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher ret = EOK;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagherdone:
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher talloc_free(tmp_ctx);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher return ret;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher}
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallaghererrno_t
e0404de84c31d2387bb244d018a5cac8d01f8b19Simo Sorceipa_hbac_sysdb_save(struct sss_domain_info *domain,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher const char *primary_subdir, const char *attr_name,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher size_t primary_count, struct sysdb_attrs **primary,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher const char *group_subdir, const char *groupattr_name,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher size_t group_count, struct sysdb_attrs **groups)
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher{
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher errno_t ret, sret;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher bool in_transaction = false;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if ((primary_count == 0 || primary == NULL)
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher || (group_count > 0 && groups == NULL)) {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher /* There always has to be at least one
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher * primary entry.
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher */
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher return EINVAL;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher /* Save the entries and groups to the cache */
e0404de84c31d2387bb244d018a5cac8d01f8b19Simo Sorce ret = sysdb_transaction_start(domain->sysdb);
21d485184df986e1a123f70c689517386e51a5ceMichal Zidek if (ret != EOK) {
21d485184df986e1a123f70c689517386e51a5ceMichal Zidek DEBUG(SSSDBG_CRIT_FAILURE, ("Failed to start transaction\n"));
21d485184df986e1a123f70c689517386e51a5ceMichal Zidek goto done;
21d485184df986e1a123f70c689517386e51a5ceMichal Zidek };
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher in_transaction = true;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher /* First, save the specific entries */
e0404de84c31d2387bb244d018a5cac8d01f8b19Simo Sorce ret = ipa_hbac_save_list(domain, true, primary_subdir,
e0404de84c31d2387bb244d018a5cac8d01f8b19Simo Sorce attr_name, primary_count, primary);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (ret != EOK) {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher DEBUG(1, ("Could not save %s. [%d][%s]\n",
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher primary_subdir, ret, strerror(ret)));
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher goto done;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher /* Second, save the groups */
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (group_count > 0) {
e0404de84c31d2387bb244d018a5cac8d01f8b19Simo Sorce ret = ipa_hbac_save_list(domain, true, group_subdir,
e0404de84c31d2387bb244d018a5cac8d01f8b19Simo Sorce groupattr_name, group_count, groups);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (ret != EOK) {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher DEBUG(1, ("Could not save %s. [%d][%s]\n",
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher group_subdir, ret, strerror(ret)));
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher goto done;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e0404de84c31d2387bb244d018a5cac8d01f8b19Simo Sorce ret = sysdb_transaction_commit(domain->sysdb);
21d485184df986e1a123f70c689517386e51a5ceMichal Zidek if (ret != EOK) {
21d485184df986e1a123f70c689517386e51a5ceMichal Zidek DEBUG(SSSDBG_CRIT_FAILURE, ("Failed to commit transaction\n"));
21d485184df986e1a123f70c689517386e51a5ceMichal Zidek goto done;
21d485184df986e1a123f70c689517386e51a5ceMichal Zidek }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher in_transaction = false;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagherdone:
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (in_transaction) {
e0404de84c31d2387bb244d018a5cac8d01f8b19Simo Sorce sret = sysdb_transaction_cancel(domain->sysdb);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (sret != EOK) {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher DEBUG(0, ("Could not cancel sysdb transaction\n"));
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (ret != EOK) {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher DEBUG(3, ("Error [%d][%s]\n", ret, strerror(ret)));
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher return ret;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher}
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallaghererrno_t
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagherreplace_attribute_name(const char *old_name,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher const char *new_name, const size_t count,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher struct sysdb_attrs **list)
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher{
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher int ret;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher int i;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher for (i = 0; i < count; i++) {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher ret = sysdb_attrs_replace_name(list[i], old_name, new_name);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (ret != EOK) {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher DEBUG(1, ("sysdb_attrs_replace_name failed.\n"));
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher return ret;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher return EOK;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher}
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
3d8a87081a6cd197acbd355b5a39111669ec2aa6Jakub Hrozekstatic errno_t
3d8a87081a6cd197acbd355b5a39111669ec2aa6Jakub Hrozekcreate_empty_grouplist(struct hbac_request_element *el)
3d8a87081a6cd197acbd355b5a39111669ec2aa6Jakub Hrozek{
3d8a87081a6cd197acbd355b5a39111669ec2aa6Jakub Hrozek el->groups = talloc_array(el, const char *, 1);
3d8a87081a6cd197acbd355b5a39111669ec2aa6Jakub Hrozek if (!el->groups) return ENOMEM;
3d8a87081a6cd197acbd355b5a39111669ec2aa6Jakub Hrozek
3d8a87081a6cd197acbd355b5a39111669ec2aa6Jakub Hrozek el->groups[0] = NULL;
3d8a87081a6cd197acbd355b5a39111669ec2aa6Jakub Hrozek return EOK;
3d8a87081a6cd197acbd355b5a39111669ec2aa6Jakub Hrozek}
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher/********************************************
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher * Functions for handling conversion to the *
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher * HBAC evaluator format *
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher ********************************************/
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagherstatic errno_t
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagherhbac_attrs_to_rule(TALLOC_CTX *mem_ctx,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher struct hbac_ctx *hbac_ctx,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher size_t index,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher struct hbac_rule **rule);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagherstatic errno_t
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagherhbac_ctx_to_eval_request(TALLOC_CTX *mem_ctx,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher struct hbac_ctx *hbac_ctx,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher struct hbac_eval_req **request);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallaghererrno_t
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagherhbac_ctx_to_rules(TALLOC_CTX *mem_ctx,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher struct hbac_ctx *hbac_ctx,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher struct hbac_rule ***rules,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher struct hbac_eval_req **request)
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher{
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher errno_t ret;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher struct hbac_rule **new_rules;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher struct hbac_eval_req *new_request;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher size_t i;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher TALLOC_CTX *tmp_ctx = NULL;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (!rules || !request) return EINVAL;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher tmp_ctx = talloc_new(mem_ctx);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (tmp_ctx == NULL) return ENOMEM;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher /* First create an array of rules */
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher new_rules = talloc_array(tmp_ctx, struct hbac_rule *,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher hbac_ctx->rule_count + 1);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (new_rules == NULL) {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher ret = ENOMEM;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher goto done;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher /* Create each rule one at a time */
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher for (i = 0; i < hbac_ctx->rule_count ; i++) {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher ret = hbac_attrs_to_rule(new_rules, hbac_ctx, i, &(new_rules[i]));
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (ret == EPERM) {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher goto done;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher } else if (ret != EOK) {
4a6a5421113ab662a665c62ed6a24b61a5a36950Jakub Hrozek DEBUG(1, ("Could not construct rules\n"));
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher goto done;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher new_rules[i] = NULL;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher /* Create the eval request */
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher ret = hbac_ctx_to_eval_request(tmp_ctx, hbac_ctx, &new_request);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (ret != EOK) {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher DEBUG(1, ("Could not construct eval request\n"));
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher goto done;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher *rules = talloc_steal(mem_ctx, new_rules);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher *request = talloc_steal(mem_ctx, new_request);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher ret = EOK;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagherdone:
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher talloc_free(tmp_ctx);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher return ret;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher}
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagherstatic errno_t
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagherhbac_attrs_to_rule(TALLOC_CTX *mem_ctx,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher struct hbac_ctx *hbac_ctx,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher size_t idx,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher struct hbac_rule **rule)
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher{
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher errno_t ret;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher struct hbac_rule *new_rule;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher struct ldb_message_element *el;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher const char *rule_type;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher new_rule = talloc_zero(mem_ctx, struct hbac_rule);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (new_rule == NULL) return ENOMEM;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher ret = sysdb_attrs_get_el(hbac_ctx->rules[idx],
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher IPA_CN, &el);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (ret != EOK || el->num_values == 0) {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher DEBUG(4, ("rule has no name, assuming '(none)'.\n"));
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher new_rule->name = talloc_strdup(new_rule, "(none)");
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher } else {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher new_rule->name = talloc_strndup(new_rule,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher (const char*) el->values[0].data,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher el->values[0].length);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher DEBUG(7, ("Processing rule [%s]\n", new_rule->name));
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher ret = sysdb_attrs_get_bool(hbac_ctx->rules[idx], IPA_ENABLED_FLAG,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher &new_rule->enabled);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (ret != EOK) goto done;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (!new_rule->enabled) {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher ret = EOK;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher goto done;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher ret = sysdb_attrs_get_string(hbac_ctx->rules[idx],
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher IPA_ACCESS_RULE_TYPE,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher &rule_type);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (ret != EOK) goto done;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (strcasecmp(rule_type, IPA_HBAC_ALLOW) != 0) {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher DEBUG(7, ("Rule [%s] is not an ALLOW rule\n", new_rule->name));
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher ret = EPERM;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher goto done;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher /* Get the users */
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher ret = hbac_user_attrs_to_rule(new_rule,
044868b388b4e47499f12a9105310b247bbe1ce2Simo Sorce hbac_ctx->be_req->domain,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher new_rule->name,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher hbac_ctx->rules[idx],
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher &new_rule->users);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (ret != EOK) {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher DEBUG(1, ("Could not parse users for rule [%s]\n",
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher new_rule->name));
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher goto done;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher /* Get the services */
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher ret = hbac_service_attrs_to_rule(new_rule,
770896b194b7b66b09c2a30545b4d091fd86b1f4Simo Sorce hbac_ctx->be_req->domain,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher new_rule->name,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher hbac_ctx->rules[idx],
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher &new_rule->services);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (ret != EOK) {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher DEBUG(1, ("Could not parse services for rule [%s]\n",
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher new_rule->name));
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher goto done;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher /* Get the target hosts */
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher ret = hbac_thost_attrs_to_rule(new_rule,
770896b194b7b66b09c2a30545b4d091fd86b1f4Simo Sorce hbac_ctx->be_req->domain,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher new_rule->name,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher hbac_ctx->rules[idx],
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher &new_rule->targethosts);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (ret != EOK) {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher DEBUG(1, ("Could not parse target hosts for rule [%s]\n",
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher new_rule->name));
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher goto done;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher /* Get the source hosts */
6fb75e297bf7fc83e3db1f5ae8560624656ef319Jan Zeleny
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher ret = hbac_shost_attrs_to_rule(new_rule,
770896b194b7b66b09c2a30545b4d091fd86b1f4Simo Sorce hbac_ctx->be_req->domain,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher new_rule->name,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher hbac_ctx->rules[idx],
6fb75e297bf7fc83e3db1f5ae8560624656ef319Jan Zeleny dp_opt_get_bool(hbac_ctx->ipa_options,
6fb75e297bf7fc83e3db1f5ae8560624656ef319Jan Zeleny IPA_HBAC_SUPPORT_SRCHOST),
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher &new_rule->srchosts);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (ret != EOK) {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher DEBUG(1, ("Could not parse source hosts for rule [%s]\n",
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher new_rule->name));
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher goto done;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher *rule = new_rule;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher ret = EOK;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagherdone:
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (ret != EOK) talloc_free(new_rule);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher return ret;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher}
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallaghererrno_t
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagherhbac_get_category(struct sysdb_attrs *attrs,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher const char *category_attr,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher uint32_t *_categories)
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher{
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher errno_t ret;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher size_t i;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher uint32_t cats = HBAC_CATEGORY_NULL;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher const char **categories;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher TALLOC_CTX *tmp_ctx = talloc_new(NULL);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (tmp_ctx == NULL) return ENOMEM;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher ret = sysdb_attrs_get_string_array(attrs, category_attr,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher tmp_ctx, &categories);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (ret != EOK && ret != ENOENT) goto done;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (ret != ENOENT) {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher for (i = 0; categories[i]; i++) {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (strcasecmp("all", categories[i]) == 0) {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher DEBUG(5, ("Category is set to 'all'.\n"));
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher cats |= HBAC_CATEGORY_ALL;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher continue;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher DEBUG(9, ("Unsupported user category [%s].\n",
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher categories[i]));
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher *_categories = cats;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher ret = EOK;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagherdone:
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher talloc_free(tmp_ctx);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher return ret;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher}
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagherstatic errno_t
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagherhbac_eval_user_element(TALLOC_CTX *mem_ctx,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher struct sysdb_ctx *sysdb,
2ce00e0d3896bb42db169d1e79553a81ca837a22Simo Sorce struct sss_domain_info *domain,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher const char *username,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher struct hbac_request_element **user_element);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagherstatic errno_t
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagherhbac_eval_service_element(TALLOC_CTX *mem_ctx,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher struct sysdb_ctx *sysdb,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher struct sss_domain_info *domain,
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher const char *servicename,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher struct hbac_request_element **svc_element);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagherstatic errno_t
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagherhbac_eval_host_element(TALLOC_CTX *mem_ctx,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher struct sysdb_ctx *sysdb,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher struct sss_domain_info *domain,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher const char *hostname,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher struct hbac_request_element **host_element);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagherstatic errno_t
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagherhbac_ctx_to_eval_request(TALLOC_CTX *mem_ctx,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher struct hbac_ctx *hbac_ctx,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher struct hbac_eval_req **request)
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher{
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher errno_t ret;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher struct pam_data *pd = hbac_ctx->pd;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher TALLOC_CTX *tmp_ctx;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher struct hbac_eval_req *eval_req;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher struct sss_domain_info *domain = hbac_ctx_be(hbac_ctx)->domain;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher const char *rhost;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher const char *thost;
94a66f84bd3c28fcabffeb84c682dccf89d89c2bSumit Bose struct sss_domain_info *user_dom;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher tmp_ctx = talloc_new(mem_ctx);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (tmp_ctx == NULL) return ENOMEM;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher eval_req = talloc_zero(tmp_ctx, struct hbac_eval_req);
1ea2e8bd370e0dc2f2c3fa09232cf67082ef748dStephen Gallagher if (eval_req == NULL) {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher ret = ENOMEM;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher goto done;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher eval_req->request_time = time(NULL);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
94a66f84bd3c28fcabffeb84c682dccf89d89c2bSumit Bose /* Get user the user name and groups,
94a66f84bd3c28fcabffeb84c682dccf89d89c2bSumit Bose * take care of subdomain users as well */
94a66f84bd3c28fcabffeb84c682dccf89d89c2bSumit Bose if (strcasecmp(pd->domain, domain->name) != 0) {
94a66f84bd3c28fcabffeb84c682dccf89d89c2bSumit Bose user_dom = new_subdomain(tmp_ctx, domain, pd->domain, NULL, NULL);
94a66f84bd3c28fcabffeb84c682dccf89d89c2bSumit Bose if (user_dom == NULL) {
94a66f84bd3c28fcabffeb84c682dccf89d89c2bSumit Bose DEBUG(SSSDBG_OP_FAILURE, ("new_subdomain failed.\n"));
94a66f84bd3c28fcabffeb84c682dccf89d89c2bSumit Bose ret = ENOMEM;
94a66f84bd3c28fcabffeb84c682dccf89d89c2bSumit Bose goto done;
94a66f84bd3c28fcabffeb84c682dccf89d89c2bSumit Bose }
2ce00e0d3896bb42db169d1e79553a81ca837a22Simo Sorce ret = hbac_eval_user_element(eval_req, user_dom->sysdb, user_dom,
94a66f84bd3c28fcabffeb84c682dccf89d89c2bSumit Bose pd->user, &eval_req->user);
94a66f84bd3c28fcabffeb84c682dccf89d89c2bSumit Bose } else {
b860f8b6b6b03982c80268e9f6fd35f6455b6b37Simo Sorce ret = hbac_eval_user_element(eval_req, domain->sysdb, domain,
94a66f84bd3c28fcabffeb84c682dccf89d89c2bSumit Bose pd->user, &eval_req->user);
94a66f84bd3c28fcabffeb84c682dccf89d89c2bSumit Bose }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (ret != EOK) goto done;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher /* Get the PAM service and service groups */
b860f8b6b6b03982c80268e9f6fd35f6455b6b37Simo Sorce ret = hbac_eval_service_element(eval_req, domain->sysdb, domain,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher pd->service, &eval_req->service);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (ret != EOK) goto done;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher /* Get the source host */
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (pd->rhost == NULL || pd->rhost[0] == '\0') {
9b72b00ebcfd6225a4e139619c8e18d44a448f87Stephen Gallagher /* If we haven't been passed an rhost,
9b72b00ebcfd6225a4e139619c8e18d44a448f87Stephen Gallagher * the rhost is unknown. This will fail
9b72b00ebcfd6225a4e139619c8e18d44a448f87Stephen Gallagher * to match any rule requiring the
9b72b00ebcfd6225a4e139619c8e18d44a448f87Stephen Gallagher * source host.
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher */
9b72b00ebcfd6225a4e139619c8e18d44a448f87Stephen Gallagher rhost = NULL;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher } else {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher rhost = pd->rhost;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
b860f8b6b6b03982c80268e9f6fd35f6455b6b37Simo Sorce ret = hbac_eval_host_element(eval_req, domain->sysdb, domain,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher rhost, &eval_req->srchost);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (ret != EOK) goto done;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher /* The target host is always the current machine */
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher thost = dp_opt_get_cstring(hbac_ctx->ipa_options, IPA_HOSTNAME);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (thost == NULL) {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher DEBUG(1, ("Missing ipa_hostname, this should never happen.\n"));
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher ret = EINVAL;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher goto done;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
b860f8b6b6b03982c80268e9f6fd35f6455b6b37Simo Sorce ret = hbac_eval_host_element(eval_req, domain->sysdb, domain,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher thost, &eval_req->targethost);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (ret != EOK) goto done;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher *request = talloc_steal(mem_ctx, eval_req);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher ret = EOK;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagherdone:
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher talloc_free(tmp_ctx);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher return ret;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher}
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagherstatic errno_t
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagherhbac_eval_user_element(TALLOC_CTX *mem_ctx,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher struct sysdb_ctx *sysdb,
2ce00e0d3896bb42db169d1e79553a81ca837a22Simo Sorce struct sss_domain_info *domain,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher const char *username,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher struct hbac_request_element **user_element)
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher{
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher errno_t ret;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher unsigned int i;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher unsigned int num_groups = 0;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher TALLOC_CTX *tmp_ctx;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher const char *member_dn;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher struct hbac_request_element *users;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher struct ldb_message *msg;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher struct ldb_message_element *el;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher const char *attrs[] = { SYSDB_ORIG_MEMBEROF, NULL };
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher tmp_ctx = talloc_new(mem_ctx);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (tmp_ctx == NULL) return ENOMEM;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher users = talloc_zero(tmp_ctx, struct hbac_request_element);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (users == NULL) {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher ret = ENOMEM;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher goto done;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher users->name = username;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher /* Read the originalMemberOf attribute
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher * This will give us the list of both POSIX and
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher * non-POSIX groups that this user belongs to.
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher */
2ce00e0d3896bb42db169d1e79553a81ca837a22Simo Sorce ret = sysdb_search_user_by_name(tmp_ctx, sysdb, domain,
2ce00e0d3896bb42db169d1e79553a81ca837a22Simo Sorce users->name, attrs, &msg);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (ret != EOK) {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher DEBUG(1, ("Could not determine user memberships for [%s]\n",
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher users->name));
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher goto done;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher el = ldb_msg_find_element(msg, SYSDB_ORIG_MEMBEROF);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (el == NULL || el->num_values == 0) {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher DEBUG(7, ("No groups for [%s]\n", users->name));
3d8a87081a6cd197acbd355b5a39111669ec2aa6Jakub Hrozek ret = create_empty_grouplist(users);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher goto done;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher DEBUG(7, ("[%d] groups for [%s]\n", el->num_values, users->name));
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher users->groups = talloc_array(users, const char *, el->num_values + 1);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (users->groups == NULL) {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher ret = ENOMEM;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher goto done;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher for (i = 0; i < el->num_values; i++) {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher member_dn = (const char *)el->values[i].data;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher ret = get_ipa_groupname(users->groups, sysdb, member_dn,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher &users->groups[num_groups]);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (ret != EOK && ret != ENOENT) {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher DEBUG(3, ("Parse error on [%s]\n", member_dn));
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher goto done;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher } else if (ret == EOK) {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher DEBUG(7, ("Added group [%s] for user [%s]\n",
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher users->groups[num_groups], users->name));
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher num_groups++;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher continue;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher /* Skip entries that are not groups */
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher DEBUG(8, ("Skipping non-group memberOf [%s]\n", member_dn));
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher users->groups[num_groups] = NULL;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (num_groups < el->num_values) {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher /* Shrink the array memory */
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher users->groups = talloc_realloc(users, users->groups, const char *,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher num_groups+1);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (users->groups == NULL) {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher ret = ENOMEM;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher goto done;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher ret = EOK;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagherdone:
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (ret == EOK) {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher *user_element = talloc_steal(mem_ctx, users);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher talloc_free(tmp_ctx);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher return ret;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher}
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagherstatic errno_t
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagherhbac_eval_service_element(TALLOC_CTX *mem_ctx,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher struct sysdb_ctx *sysdb,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher struct sss_domain_info *domain,
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher const char *servicename,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher struct hbac_request_element **svc_element)
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher{
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher errno_t ret;
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher size_t i, j, count;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher TALLOC_CTX *tmp_ctx;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher struct hbac_request_element *svc;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher struct ldb_message **msgs;
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher struct ldb_message_element *el;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher struct ldb_dn *svc_dn;
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher const char *memberof_attrs[] = { SYSDB_ORIG_MEMBEROF, NULL };
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher char *name;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher tmp_ctx = talloc_new(mem_ctx);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (tmp_ctx == NULL) return ENOMEM;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher svc = talloc_zero(tmp_ctx, struct hbac_request_element);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (svc == NULL) {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher ret = ENOMEM;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher goto done;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher svc->name = servicename;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
de526c8425886ca3bed8f07a0f092ba5ac325654Simo Sorce svc_dn = sysdb_custom_dn(sysdb, tmp_ctx,
de526c8425886ca3bed8f07a0f092ba5ac325654Simo Sorce domain, svc->name, HBAC_SERVICES_SUBDIR);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (svc_dn == NULL) {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher ret = ENOMEM;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher goto done;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher /* Look up the service to get its originalMemberOf entries */
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher ret = sysdb_search_entry(tmp_ctx, sysdb, svc_dn,
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher LDB_SCOPE_BASE, NULL,
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher memberof_attrs,
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher &count, &msgs);
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher if (ret == ENOENT || count == 0) {
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher /* We won't be able to identify any groups
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher * This rule will only match the name or
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher * a service category of ALL
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher */
3d8a87081a6cd197acbd355b5a39111669ec2aa6Jakub Hrozek ret = create_empty_grouplist(svc);
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher goto done;
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher } else if (ret != EOK) {
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher goto done;
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher } else if (count > 1) {
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher DEBUG(1, ("More than one result for a BASE search!\n"));
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher ret = EIO;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher goto done;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher el = ldb_msg_find_element(msgs[0], SYSDB_ORIG_MEMBEROF);
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher if (!el) {
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher /* Service is not a member of any groups
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher * This rule will only match the name or
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher * a service category of ALL
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher */
3d8a87081a6cd197acbd355b5a39111669ec2aa6Jakub Hrozek ret = create_empty_grouplist(svc);
c3d09c0095a45de1973f320ce2045ac74d4e4f83Jakub Hrozek goto done;
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher }
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher svc->groups = talloc_array(svc, const char *, el->num_values + 1);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (svc->groups == NULL) {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher ret = ENOMEM;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher goto done;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher for (i = j = 0; i < el->num_values; i++) {
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher ret = get_ipa_servicegroupname(tmp_ctx, sysdb,
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher (const char *)el->values[i].data,
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher &name);
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher if (ret != EOK && ret != ENOENT) goto done;
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher /* ENOENT means we had a memberOf entry that wasn't a
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher * service group. We'll just ignore those (could be
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher * HBAC rules)
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher */
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher if (ret == EOK) {
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher svc->groups[j] = talloc_steal(svc->groups, name);
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher j++;
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher svc->groups[j] = NULL;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher ret = EOK;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagherdone:
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher if (ret == EOK) {
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher *svc_element = talloc_steal(mem_ctx, svc);
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher talloc_free(tmp_ctx);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher return ret;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher}
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagherstatic errno_t
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagherhbac_eval_host_element(TALLOC_CTX *mem_ctx,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher struct sysdb_ctx *sysdb,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher struct sss_domain_info *domain,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher const char *hostname,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher struct hbac_request_element **host_element)
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher{
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher errno_t ret;
c1fcc832ccfc237caac8b99be238cf2d598f908cStephen Gallagher size_t i, j, count;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher TALLOC_CTX *tmp_ctx;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher struct hbac_request_element *host;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher struct ldb_message **msgs;
c1fcc832ccfc237caac8b99be238cf2d598f908cStephen Gallagher struct ldb_message_element *el;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher struct ldb_dn *host_dn;
c1fcc832ccfc237caac8b99be238cf2d598f908cStephen Gallagher const char *memberof_attrs[] = { SYSDB_ORIG_MEMBEROF, NULL };
c1fcc832ccfc237caac8b99be238cf2d598f908cStephen Gallagher char *name;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher tmp_ctx = talloc_new(mem_ctx);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (tmp_ctx == NULL) return ENOMEM;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher host = talloc_zero(tmp_ctx, struct hbac_request_element);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (host == NULL) {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher ret = ENOMEM;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher goto done;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher host->name = hostname;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
9b72b00ebcfd6225a4e139619c8e18d44a448f87Stephen Gallagher if (host->name == NULL) {
9b72b00ebcfd6225a4e139619c8e18d44a448f87Stephen Gallagher /* We don't know the host (probably an rhost)
9b72b00ebcfd6225a4e139619c8e18d44a448f87Stephen Gallagher * So we can't determine it's groups either.
9b72b00ebcfd6225a4e139619c8e18d44a448f87Stephen Gallagher */
3d8a87081a6cd197acbd355b5a39111669ec2aa6Jakub Hrozek ret = create_empty_grouplist(host);
9b72b00ebcfd6225a4e139619c8e18d44a448f87Stephen Gallagher goto done;
9b72b00ebcfd6225a4e139619c8e18d44a448f87Stephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
de526c8425886ca3bed8f07a0f092ba5ac325654Simo Sorce host_dn = sysdb_custom_dn(sysdb, tmp_ctx,
de526c8425886ca3bed8f07a0f092ba5ac325654Simo Sorce domain, host->name, HBAC_HOSTS_SUBDIR);
c1fcc832ccfc237caac8b99be238cf2d598f908cStephen Gallagher if (host_dn == NULL) {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher ret = ENOMEM;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher goto done;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
c1fcc832ccfc237caac8b99be238cf2d598f908cStephen Gallagher /* Look up the host to get its originalMemberOf entries */
c1fcc832ccfc237caac8b99be238cf2d598f908cStephen Gallagher ret = sysdb_search_entry(tmp_ctx, sysdb, host_dn,
c1fcc832ccfc237caac8b99be238cf2d598f908cStephen Gallagher LDB_SCOPE_BASE, NULL,
c1fcc832ccfc237caac8b99be238cf2d598f908cStephen Gallagher memberof_attrs,
c1fcc832ccfc237caac8b99be238cf2d598f908cStephen Gallagher &count, &msgs);
c1fcc832ccfc237caac8b99be238cf2d598f908cStephen Gallagher if (ret == ENOENT || count == 0) {
c1fcc832ccfc237caac8b99be238cf2d598f908cStephen Gallagher /* We won't be able to identify any groups
c1fcc832ccfc237caac8b99be238cf2d598f908cStephen Gallagher * This rule will only match the name or
c1fcc832ccfc237caac8b99be238cf2d598f908cStephen Gallagher * a host category of ALL
c1fcc832ccfc237caac8b99be238cf2d598f908cStephen Gallagher */
3d8a87081a6cd197acbd355b5a39111669ec2aa6Jakub Hrozek ret = create_empty_grouplist(host);
c1fcc832ccfc237caac8b99be238cf2d598f908cStephen Gallagher goto done;
c1fcc832ccfc237caac8b99be238cf2d598f908cStephen Gallagher } else if (ret != EOK) {
c1fcc832ccfc237caac8b99be238cf2d598f908cStephen Gallagher goto done;
c1fcc832ccfc237caac8b99be238cf2d598f908cStephen Gallagher } else if (count > 1) {
c1fcc832ccfc237caac8b99be238cf2d598f908cStephen Gallagher DEBUG(1, ("More than one result for a BASE search!\n"));
c1fcc832ccfc237caac8b99be238cf2d598f908cStephen Gallagher ret = EIO;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher goto done;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
c1fcc832ccfc237caac8b99be238cf2d598f908cStephen Gallagher el = ldb_msg_find_element(msgs[0], SYSDB_ORIG_MEMBEROF);
c1fcc832ccfc237caac8b99be238cf2d598f908cStephen Gallagher if (!el) {
c1fcc832ccfc237caac8b99be238cf2d598f908cStephen Gallagher /* Host is not a member of any groups
c1fcc832ccfc237caac8b99be238cf2d598f908cStephen Gallagher * This rule will only match the name or
c1fcc832ccfc237caac8b99be238cf2d598f908cStephen Gallagher * a host category of ALL
c1fcc832ccfc237caac8b99be238cf2d598f908cStephen Gallagher */
3d8a87081a6cd197acbd355b5a39111669ec2aa6Jakub Hrozek ret = create_empty_grouplist(host);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher goto done;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
c1fcc832ccfc237caac8b99be238cf2d598f908cStephen Gallagher
c1fcc832ccfc237caac8b99be238cf2d598f908cStephen Gallagher host->groups = talloc_array(host, const char *, el->num_values + 1);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (host->groups == NULL) {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher ret = ENOMEM;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher goto done;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
c1fcc832ccfc237caac8b99be238cf2d598f908cStephen Gallagher for (i = j = 0; i < el->num_values; i++) {
c1fcc832ccfc237caac8b99be238cf2d598f908cStephen Gallagher ret = get_ipa_hostgroupname(tmp_ctx, sysdb,
c1fcc832ccfc237caac8b99be238cf2d598f908cStephen Gallagher (const char *)el->values[i].data,
c1fcc832ccfc237caac8b99be238cf2d598f908cStephen Gallagher &name);
c1fcc832ccfc237caac8b99be238cf2d598f908cStephen Gallagher if (ret != EOK && ret != ENOENT) goto done;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
c1fcc832ccfc237caac8b99be238cf2d598f908cStephen Gallagher /* ENOENT means we had a memberOf entry that wasn't a
c1fcc832ccfc237caac8b99be238cf2d598f908cStephen Gallagher * host group. We'll just ignore those (could be
c1fcc832ccfc237caac8b99be238cf2d598f908cStephen Gallagher * HBAC rules)
c1fcc832ccfc237caac8b99be238cf2d598f908cStephen Gallagher */
c1fcc832ccfc237caac8b99be238cf2d598f908cStephen Gallagher
c1fcc832ccfc237caac8b99be238cf2d598f908cStephen Gallagher if (ret == EOK) {
c1fcc832ccfc237caac8b99be238cf2d598f908cStephen Gallagher host->groups[j] = talloc_steal(host->groups, name);
c1fcc832ccfc237caac8b99be238cf2d598f908cStephen Gallagher j++;
c1fcc832ccfc237caac8b99be238cf2d598f908cStephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher }
c1fcc832ccfc237caac8b99be238cf2d598f908cStephen Gallagher host->groups[j] = NULL;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher ret = EOK;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagherdone:
9b72b00ebcfd6225a4e139619c8e18d44a448f87Stephen Gallagher if (ret == EOK) {
9b72b00ebcfd6225a4e139619c8e18d44a448f87Stephen Gallagher *host_element = talloc_steal(mem_ctx, host);
9b72b00ebcfd6225a4e139619c8e18d44a448f87Stephen Gallagher }
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher talloc_free(tmp_ctx);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher return ret;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher}