ipa_hbac_common.c revision 4c08db0fb0dda3d27b1184248ca5c800d7ce23f0
/*
SSSD
Authors:
Stephen Gallagher <sgallagh@redhat.com>
Copyright (C) 2011 Red Hat
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include "providers/ipa/ipa_hbac_private.h"
#include "providers/ipa/ipa_hbac.h"
#include "providers/ipa/ipa_common.h"
static errno_t
bool delete_subdir, const char *subdir,
struct sysdb_attrs **list)
{
int ret;
size_t c;
const char *object_name;
struct ldb_message_element *el;
return ENOMEM;
}
if (delete_subdir) {
goto done;
}
goto done;
}
}
for (c = 0; c < count; c++) {
goto done;
}
if (el->num_values == 0) {
goto done;
}
if (object_name == NULL) {
goto done;
}
goto done;
}
}
done:
return ret;
}
const char *primary_subdir, const char *attr_name,
const char *group_subdir, const char *groupattr_name,
{
bool in_transaction = false;
/* There always has to be at least one
* primary entry.
*/
return EINVAL;
}
/* Save the entries and groups to the cache */
goto done;
};
in_transaction = true;
/* First, save the specific entries */
goto done;
}
/* Second, save the groups */
if (group_count > 0) {
goto done;
}
}
goto done;
}
in_transaction = false;
done:
if (in_transaction) {
DEBUG(0, ("Could not cancel sysdb transaction\n"));
}
}
}
return ret;
}
replace_attribute_name(const char *old_name,
struct sysdb_attrs **list)
{
int ret;
int i;
for (i = 0; i < count; i++) {
return ret;
}
}
return EOK;
}
static errno_t
{
return EOK;
}
/********************************************
* Functions for handling conversion to the *
* HBAC evaluator format *
********************************************/
static errno_t
static errno_t
struct hbac_eval_req **request);
struct hbac_eval_req **request)
{
size_t i;
/* First create an array of rules */
goto done;
}
/* Create each rule one at a time */
for (i = 0; i < hbac_ctx->rule_count ; i++) {
goto done;
goto done;
}
}
/* Create the eval request */
goto done;
}
done:
return ret;
}
static errno_t
{
struct ldb_message_element *el;
const char *rule_type;
} else {
}
goto done;
}
&rule_type);
goto done;
}
/* Get the users */
goto done;
}
/* Get the services */
goto done;
}
/* Get the target hosts */
&new_rule->targethosts);
goto done;
}
/* Get the source hosts */
goto done;
}
done:
return ret;
}
const char *category_attr,
{
size_t i;
const char **categories;
tmp_ctx, &categories);
for (i = 0; categories[i]; i++) {
continue;
}
categories[i]));
}
}
*_categories = cats;
done:
return ret;
}
static errno_t
struct sss_domain_info *domain,
const char *username,
struct hbac_request_element **user_element);
static errno_t
struct sss_domain_info *domain,
const char *servicename,
struct hbac_request_element **svc_element);
static errno_t
struct sss_domain_info *domain,
const char *hostname,
struct hbac_request_element **host_element);
static errno_t
struct hbac_eval_req **request)
{
struct hbac_eval_req *eval_req;
const char *rhost;
const char *thost;
struct sss_domain_info *user_dom;
goto done;
}
/* Get the user name and groups,
* taking care of subdomain users as well */
goto done;
}
} else {
}
/* Get the PAM service and service groups */
/* Get the source host */
/* If we haven't been passed an rhost,
* the rhost is unknown. This will fail
* to match any rule requiring the
* source host.
*/
} else {
}
/* The target host is always the current machine */
goto done;
}
done:
return ret;
}
static errno_t
struct sss_domain_info *domain,
const char *username,
struct hbac_request_element **user_element)
{
unsigned int i;
unsigned int num_groups = 0;
const char *member_dn;
struct hbac_request_element *users;
struct ldb_message *msg;
struct ldb_message_element *el;
goto done;
}
/* Read the originalMemberOf attribute
* This will give us the list of both POSIX and
* non-POSIX groups that this user belongs to.
*/
goto done;
}
goto done;
}
goto done;
}
for (i = 0; i < el->num_values; i++) {
goto done;
num_groups++;
continue;
}
/* Skip entries that are not groups */
}
/* Shrink the array memory */
num_groups+1);
goto done;
}
}
done:
}
return ret;
}
static errno_t
struct sss_domain_info *domain,
const char *servicename,
struct hbac_request_element **svc_element)
{
struct hbac_request_element *svc;
struct ldb_message **msgs;
struct ldb_message_element *el;
char *name;
goto done;
}
goto done;
}
/* Look up the service to get its originalMemberOf entries */
/* We won't be able to identify any groups.
* This rule will only match the name or
* a service category of ALL.
*/
goto done;
goto done;
} else if (count > 1) {
goto done;
}
if (!el) {
/* The service is not a member of any groups.
* This rule will only match the name or
* a service category of ALL.
*/
goto done;
}
goto done;
}
for (i = j = 0; i < el->num_values; i++) {
&name);
/* ENOENT means we had a memberOf entry that wasn't a
* service group. We'll just ignore those (could be
* HBAC rules)
*/
j++;
}
}
done:
}
return ret;
}
static errno_t
struct sss_domain_info *domain,
const char *hostname,
struct hbac_request_element **host_element)
{
struct hbac_request_element *host;
struct ldb_message **msgs;
struct ldb_message_element *el;
char *name;
goto done;
}
/* We don't know the host (probably an rhost),
* so we can't determine its groups either.
*/
goto done;
}
goto done;
}
/* Look up the host to get its originalMemberOf entries */
/* We won't be able to identify any groups.
* This rule will only match the name or
* a host category of ALL.
*/
goto done;
goto done;
} else if (count > 1) {
goto done;
}
if (!el) {
/* The host is not a member of any groups.
* This rule will only match the name or
* a host category of ALL.
*/
goto done;
}
goto done;
}
for (i = j = 0; i < el->num_values; i++) {
&name);
/* ENOENT means we had a memberOf entry that wasn't a
* host group. We'll just ignore those (could be
* HBAC rules)
*/
j++;
}
}
done:
}
return ret;
}