providers/ipa/ipa_hbac_rules.c

	ipa_hbac_rules.c revision 6dff95bdfe437afc0b62b5270d0d84140981c786
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl/*
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl    SSSD
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl
5f5d1b4cc970b7f06ff8ef6526128e9a27303d88nd    Authors:
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl        Stephen Gallagher <sgallagh@redhat.com>
1aa933455fcd538b1ee573f4566e1a78a89fce77nd
031b91a62d25106ae69d4693475c79618dd5e884fielding    Copyright (C) 2011 Red Hat
031b91a62d25106ae69d4693475c79618dd5e884fielding
031b91a62d25106ae69d4693475c79618dd5e884fielding    This program is free software; you can redistribute it and/or modify
031b91a62d25106ae69d4693475c79618dd5e884fielding    it under the terms of the GNU General Public License as published by
031b91a62d25106ae69d4693475c79618dd5e884fielding    the Free Software Foundation; either version 3 of the License, or
031b91a62d25106ae69d4693475c79618dd5e884fielding    (at your option) any later version.
1aa933455fcd538b1ee573f4566e1a78a89fce77nd
1aa933455fcd538b1ee573f4566e1a78a89fce77nd    This program is distributed in the hope that it will be useful,
1aa933455fcd538b1ee573f4566e1a78a89fce77nd    but WITHOUT ANY WARRANTY; without even the implied warranty of
1aa933455fcd538b1ee573f4566e1a78a89fce77nd    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
1aa933455fcd538b1ee573f4566e1a78a89fce77nd    GNU General Public License for more details.
1aa933455fcd538b1ee573f4566e1a78a89fce77nd
1aa933455fcd538b1ee573f4566e1a78a89fce77nd    You should have received a copy of the GNU General Public License
1aa933455fcd538b1ee573f4566e1a78a89fce77nd    along with this program.  If not, see <http://www.gnu.org/licenses/>.
1aa933455fcd538b1ee573f4566e1a78a89fce77nd*/
1aa933455fcd538b1ee573f4566e1a78a89fce77nd
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl#include "util/util.h"
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl#include "providers/ipa/ipa_hbac_private.h"
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl#include "providers/ipa/ipa_hbac_rules.h"
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl#include "providers/ldap/sdap_async.h"
860b4efe27e7c1c9a2bf5c872b29c90f76849b51jim
545805c4e49aafd8660829ddfd6ea32fea6a8f74jslstruct ipa_hbac_rule_state {
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl    struct tevent_context *ev;
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl    struct sdap_handle *sh;
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl    struct sdap_options *opts;
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl    int search_base_iter;
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl    struct sdap_search_base **search_bases;
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl    const char **attrs;
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl    char *rules_filter;
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl    char *cur_filter;
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl    size_t rule_count;
fd628bf6869709f4ecd354e849f23115ed7a8e04igalic    struct sysdb_attrs **rules;
fd628bf6869709f4ecd354e849f23115ed7a8e04igalic};
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl
545805c4e49aafd8660829ddfd6ea32fea6a8f74jslstatic errno_t
545805c4e49aafd8660829ddfd6ea32fea6a8f74jslipa_hbac_rule_info_next(struct tevent_req *req,
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl                        struct ipa_hbac_rule_state *state);
545805c4e49aafd8660829ddfd6ea32fea6a8f74jslstatic void
545805c4e49aafd8660829ddfd6ea32fea6a8f74jslipa_hbac_rule_info_done(struct tevent_req *subreq);
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl
545805c4e49aafd8660829ddfd6ea32fea6a8f74jslstruct tevent_req *
545805c4e49aafd8660829ddfd6ea32fea6a8f74jslipa_hbac_rule_info_send(TALLOC_CTX *mem_ctx,
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl                        struct tevent_context *ev,
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl                        struct sdap_handle *sh,
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl                        struct sdap_options *opts,
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl                        struct sdap_search_base **search_bases,
860b4efe27e7c1c9a2bf5c872b29c90f76849b51jim                        struct sysdb_attrs *ipa_host)
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl{
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl    errno_t ret;
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl    size_t i;
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl    struct tevent_req *req = NULL;
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl    struct ipa_hbac_rule_state *state;
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl    TALLOC_CTX *tmp_ctx;
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl    const char *host_dn;
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl    char *host_dn_clean;
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl    char *host_group_clean;
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl    char *rule_filter;
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl    const char **memberof_list;
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl    if (ipa_host == NULL) {
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl        DEBUG(SSSDBG_CRIT_FAILURE, "Missing host\n");
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl        return NULL;
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl    }
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl    tmp_ctx = talloc_new(mem_ctx);
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl    if (tmp_ctx == NULL) return NULL;
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl    ret = sysdb_attrs_get_string(ipa_host, SYSDB_ORIG_DN, &host_dn);
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl    if (ret != EOK) {
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl        DEBUG(SSSDBG_CRIT_FAILURE, "Could not identify IPA hostname\n");
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl        goto error;
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl    }
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl
b12ec3ef6851e503ee5575de7e056b7bd2eef871jsl    ret = sss_filter_sanitize(tmp_ctx, host_dn, &host_dn_clean);
b12ec3ef6851e503ee5575de7e056b7bd2eef871jsl    if (ret != EOK) goto error;
b12ec3ef6851e503ee5575de7e056b7bd2eef871jsl
b12ec3ef6851e503ee5575de7e056b7bd2eef871jsl    req = tevent_req_create(mem_ctx, &state, struct ipa_hbac_rule_state);
f9197a60d124bd5e67034b2d96b38bd72457d05elgentis    if (req == NULL) {
b12ec3ef6851e503ee5575de7e056b7bd2eef871jsl        DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create failed.\n");
b12ec3ef6851e503ee5575de7e056b7bd2eef871jsl        return NULL;
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl    }
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl    state->ev = ev;
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl    state->sh = sh;
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl    state->opts = opts;
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl    state->search_bases = search_bases;
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl    state->search_base_iter = 0;
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl    state->attrs = talloc_zero_array(state, const char *, 15);
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl    if (state->attrs == NULL) {
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl        ret = ENOMEM;
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl        goto immediate;
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl    }
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl    state->attrs[0] = OBJECTCLASS;
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl    state->attrs[1] = IPA_CN;
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl    state->attrs[2] = IPA_UNIQUE_ID;
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl    state->attrs[3] = IPA_ENABLED_FLAG;
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl    state->attrs[4] = IPA_ACCESS_RULE_TYPE;
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl    state->attrs[5] = IPA_MEMBER_USER;
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl    state->attrs[6] = IPA_USER_CATEGORY;
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl    state->attrs[7] = IPA_MEMBER_SERVICE;
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl    state->attrs[8] = IPA_SERVICE_CATEGORY;
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl    state->attrs[9] = IPA_SOURCE_HOST;
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl    state->attrs[10] = IPA_SOURCE_HOST_CATEGORY;
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl    state->attrs[11] = IPA_EXTERNAL_HOST;
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl    state->attrs[12] = IPA_MEMBER_HOST;
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl    state->attrs[13] = IPA_HOST_CATEGORY;
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl    state->attrs[14] = NULL;
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl    rule_filter = talloc_asprintf(tmp_ctx,
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl                                  "(&(objectclass=%s)"
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl                                  "(%s=%s)(%s=%s)"
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl                                  "(|(%s=%s)(%s=%s)",
869a6977d054c852bb7c5be97ce30037a3fbfe99nd                                  IPA_HBAC_RULE,
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl                                  IPA_ENABLED_FLAG, IPA_TRUE_VALUE,
fd628bf6869709f4ecd354e849f23115ed7a8e04igalic                                  IPA_ACCESS_RULE_TYPE, IPA_HBAC_ALLOW,
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl                                  IPA_HOST_CATEGORY, "all",
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl                                  IPA_MEMBER_HOST, host_dn_clean);
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl    if (rule_filter == NULL) {
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl        ret = ENOMEM;
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl        goto immediate;
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl    }
869a6977d054c852bb7c5be97ce30037a3fbfe99nd
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl    /* Add all parent groups of ipa_hostname to the filter */
fd628bf6869709f4ecd354e849f23115ed7a8e04igalic    ret = sysdb_attrs_get_string_array(ipa_host, SYSDB_ORIG_MEMBEROF,
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl                                       tmp_ctx, &memberof_list);
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl    if (ret != EOK && ret != ENOENT) {
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl        DEBUG(SSSDBG_CRIT_FAILURE, "Could not identify.\n");
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl    } if (ret == ENOENT) {
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl        /* This host is not a member of any hostgroups */
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl        memberof_list = talloc_array(tmp_ctx, const char *, 1);
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl        if (memberof_list == NULL) {
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl            ret = ENOMEM;
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl            goto immediate;
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl        }
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl        memberof_list[0] = NULL;
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl    }
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl    for (i = 0; memberof_list[i]; i++) {
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl        ret = sss_filter_sanitize(tmp_ctx,
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl                                  memberof_list[i],
fd628bf6869709f4ecd354e849f23115ed7a8e04igalic                                  &host_group_clean);
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl        if (ret != EOK) goto immediate;
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl        rule_filter = talloc_asprintf_append(rule_filter, "(%s=%s)",
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl                                             IPA_MEMBER_HOST,
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl                                             host_group_clean);
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl        if (rule_filter == NULL) {
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl            ret = ENOMEM;
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl            goto immediate;
55c7c8aeb74b8c7736d5833e50d22a07134b23fejsl        }
55c7c8aeb74b8c7736d5833e50d22a07134b23fejsl    }
55c7c8aeb74b8c7736d5833e50d22a07134b23fejsl
55c7c8aeb74b8c7736d5833e50d22a07134b23fejsl    rule_filter = talloc_asprintf_append(rule_filter, "))");
55c7c8aeb74b8c7736d5833e50d22a07134b23fejsl    if (rule_filter == NULL) {
55c7c8aeb74b8c7736d5833e50d22a07134b23fejsl        ret = ENOMEM;
55c7c8aeb74b8c7736d5833e50d22a07134b23fejsl        goto immediate;
55c7c8aeb74b8c7736d5833e50d22a07134b23fejsl    }
55c7c8aeb74b8c7736d5833e50d22a07134b23fejsl    state->rules_filter = talloc_steal(state, rule_filter);
55c7c8aeb74b8c7736d5833e50d22a07134b23fejsl
55c7c8aeb74b8c7736d5833e50d22a07134b23fejsl    ret = ipa_hbac_rule_info_next(req, state);
55c7c8aeb74b8c7736d5833e50d22a07134b23fejsl    if (ret == EOK) {
55c7c8aeb74b8c7736d5833e50d22a07134b23fejsl        ret = EINVAL;
55c7c8aeb74b8c7736d5833e50d22a07134b23fejsl    }
55c7c8aeb74b8c7736d5833e50d22a07134b23fejsl
55c7c8aeb74b8c7736d5833e50d22a07134b23fejsl    if (ret != EAGAIN) {
55c7c8aeb74b8c7736d5833e50d22a07134b23fejsl        goto immediate;
55c7c8aeb74b8c7736d5833e50d22a07134b23fejsl    }
55c7c8aeb74b8c7736d5833e50d22a07134b23fejsl
55c7c8aeb74b8c7736d5833e50d22a07134b23fejsl    talloc_free(tmp_ctx);
55c7c8aeb74b8c7736d5833e50d22a07134b23fejsl    return req;
55c7c8aeb74b8c7736d5833e50d22a07134b23fejsl
55c7c8aeb74b8c7736d5833e50d22a07134b23fejslimmediate:
55c7c8aeb74b8c7736d5833e50d22a07134b23fejsl    if (ret == EOK) {
55c7c8aeb74b8c7736d5833e50d22a07134b23fejsl        tevent_req_done(req);
55c7c8aeb74b8c7736d5833e50d22a07134b23fejsl    } else {
55c7c8aeb74b8c7736d5833e50d22a07134b23fejsl        tevent_req_error(req, ret);
55c7c8aeb74b8c7736d5833e50d22a07134b23fejsl    }
55c7c8aeb74b8c7736d5833e50d22a07134b23fejsl    tevent_req_post(req, ev);
55c7c8aeb74b8c7736d5833e50d22a07134b23fejsl    talloc_free(tmp_ctx);
55c7c8aeb74b8c7736d5833e50d22a07134b23fejsl    return req;
55c7c8aeb74b8c7736d5833e50d22a07134b23fejsl
55c7c8aeb74b8c7736d5833e50d22a07134b23fejslerror:
55c7c8aeb74b8c7736d5833e50d22a07134b23fejsl    talloc_free(tmp_ctx);
55c7c8aeb74b8c7736d5833e50d22a07134b23fejsl    return NULL;
55c7c8aeb74b8c7736d5833e50d22a07134b23fejsl}
55c7c8aeb74b8c7736d5833e50d22a07134b23fejsl
55c7c8aeb74b8c7736d5833e50d22a07134b23fejslstatic errno_t
55c7c8aeb74b8c7736d5833e50d22a07134b23fejslipa_hbac_rule_info_next(struct tevent_req *req,
55c7c8aeb74b8c7736d5833e50d22a07134b23fejsl                        struct ipa_hbac_rule_state *state)
545805c4e49aafd8660829ddfd6ea32fea6a8f74jsl{
    struct tevent_req *subreq;
    struct sdap_search_base *base;

    base = state->search_bases[state->search_base_iter];
    if (base  == NULL) {
        return EOK;
    }

    talloc_zfree(state->cur_filter);
    state->cur_filter = sdap_get_id_specific_filter(state,
                                                    state->rules_filter,
                                                    base->filter);
    if (state->cur_filter == NULL) {
        return ENOMEM;
    }

    DEBUG(SSSDBG_TRACE_FUNC, "Sending request for next search base: "
                              "[%s][%d][%s]\n", base->basedn, base->scope,
                              state->cur_filter);

    subreq = sdap_get_generic_send(state, state->ev, state->opts, state->sh,
                                   base->basedn, base->scope,
                                   state->cur_filter, state->attrs,
                                   NULL, 0,
                                   dp_opt_get_int(state->opts->basic,
                                                  SDAP_ENUM_SEARCH_TIMEOUT),
                                   true);
    if (subreq == NULL) {
        DEBUG(SSSDBG_CRIT_FAILURE, "sdap_get_generic_send failed.\n");
        return ENOMEM;
    }
    tevent_req_set_callback(subreq, ipa_hbac_rule_info_done, req);

    return EAGAIN;
}

static void
ipa_hbac_rule_info_done(struct tevent_req *subreq)
{
    errno_t ret;
    struct tevent_req *req =
            tevent_req_callback_data(subreq, struct tevent_req);
    struct ipa_hbac_rule_state *state =
            tevent_req_data(req, struct ipa_hbac_rule_state);
    int i;
    size_t rule_count;
    size_t total_count;
    struct sysdb_attrs **rules;
    struct sysdb_attrs **target;

    ret = sdap_get_generic_recv(subreq, state,
                                &rule_count,
                                &rules);
    if (ret != EOK) {
        DEBUG(SSSDBG_MINOR_FAILURE, "Could not retrieve HBAC rules\n");
        goto fail;
    }

    if (rule_count > 0) {
        total_count = rule_count + state->rule_count;
        state->rules = talloc_realloc(state, state->rules,
                                      struct sysdb_attrs *,
                                      total_count);
        if (state->rules == NULL) {
            ret = ENOMEM;
            goto fail;
        }

        i = 0;
        while (state->rule_count < total_count) {
            target = &state->rules[state->rule_count];
            *target = talloc_steal(state->rules, rules[i]);

            state->rule_count++;
            i++;
        }
    }

    state->search_base_iter++;
    ret = ipa_hbac_rule_info_next(req, state);
    if (ret == EAGAIN) {
        return;
    } else if (ret != EOK) {
        goto fail;
    } else if (ret == EOK && state->rule_count == 0) {
        DEBUG(SSSDBG_MINOR_FAILURE, "No rules apply to this host\n");
        tevent_req_error(req, ENOENT);
        return;
    }

    /* We went through all search bases and we have some results */
    tevent_req_done(req);

    return;

fail:
    tevent_req_error(req, ret);
}

errno_t
ipa_hbac_rule_info_recv(struct tevent_req *req,
                        TALLOC_CTX *mem_ctx,
                        size_t *rule_count,
                        struct sysdb_attrs ***rules)
{
    struct ipa_hbac_rule_state *state =
            tevent_req_data(req, struct ipa_hbac_rule_state);

    TEVENT_REQ_RETURN_ON_ERROR(req);

    *rule_count = state->rule_count;
    *rules = talloc_steal(mem_ctx, state->rules);

    return EOK;
}