sdap_async_sudo.c revision d103c2e4a704b1dfffd39fea2b601c2f337d06d5
5089N/A/*
5089N/A SSSD
5089N/A
5089N/A Async LDAP Helper routines for sudo
5089N/A
5089N/A Authors:
5089N/A Pavel Březina <pbrezina@redhat.com>
5089N/A
5089N/A Copyright (C) 2012 Red Hat
5089N/A
5089N/A This program is free software; you can redistribute it and/or modify
5089N/A it under the terms of the GNU General Public License as published by
5089N/A the Free Software Foundation; either version 3 of the License, or
5089N/A (at your option) any later version.
5089N/A
5089N/A This program is distributed in the hope that it will be useful,
5089N/A but WITHOUT ANY WARRANTY; without even the implied warranty of
5089N/A MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
5089N/A GNU General Public License for more details.
5089N/A
5290N/A You should have received a copy of the GNU General Public License
5089N/A along with this program. If not, see <http://www.gnu.org/licenses/>.
5089N/A*/
5089N/A
5089N/A#include <errno.h>
5089N/A#include <talloc.h>
5089N/A#include <tevent.h>
5089N/A
5089N/A#include "providers/dp_backend.h"
5089N/A#include "providers/ldap/ldap_common.h"
5089N/A#include "providers/ldap/sdap.h"
5089N/A#include "providers/ldap/sdap_async.h"
5089N/A#include "providers/ldap/sdap_sudo.h"
5089N/A#include "providers/ldap/sdap_sudo_cache.h"
5089N/A#include "db/sysdb_sudo.h"
5089N/A
5089N/Astruct sdap_sudo_load_sudoers_state {
5089N/A struct tevent_context *ev;
5089N/A struct sdap_options *opts;
5385N/A struct sdap_handle *sh;
5385N/A
5385N/A int timeout;
5385N/A const char **attrs;
5385N/A const char *filter;
5385N/A size_t base_iter;
5385N/A struct sdap_search_base **search_bases;
5385N/A
5089N/A struct sysdb_attrs **rules;
5089N/A size_t num_rules;
5089N/A};
5089N/A
5089N/Astatic errno_t sdap_sudo_load_sudoers_next_base(struct tevent_req *req);
5089N/Astatic void sdap_sudo_load_sudoers_done(struct tevent_req *subreq);
5089N/A
5089N/Astatic struct tevent_req *
5089N/Asdap_sudo_load_sudoers_send(TALLOC_CTX *mem_ctx,
5089N/A struct tevent_context *ev,
5089N/A struct sdap_options *opts,
5089N/A struct sdap_handle *sh,
5089N/A const char *ldap_filter)
5089N/A{
5089N/A struct tevent_req *req;
5089N/A struct sdap_sudo_load_sudoers_state *state;
5089N/A int ret;
5089N/A
5089N/A req = tevent_req_create(mem_ctx, &state,
5089N/A struct sdap_sudo_load_sudoers_state);
5089N/A if (!req) {
5124N/A return NULL;
5089N/A }
5089N/A
5089N/A state->ev = ev;
5290N/A state->opts = opts;
5124N/A state->sh = sh;
5124N/A state->base_iter = 0;
5124N/A state->search_bases = opts->sdom->sudo_search_bases;
5124N/A state->filter = ldap_filter;
5089N/A state->timeout = dp_opt_get_int(opts->basic, SDAP_SEARCH_TIMEOUT);
5089N/A state->rules = NULL;
5089N/A state->num_rules = 0;
5089N/A
5089N/A if (state->search_bases == NULL) {
5089N/A DEBUG(SSSDBG_CRIT_FAILURE,
5089N/A "SUDOERS lookup request without a search base\n");
5089N/A ret = EINVAL;
5089N/A goto immediately;
5089N/A }
5089N/A
5089N/A /* create attrs from map */
5089N/A ret = build_attrs_from_map(state, opts->sudorule_map, SDAP_OPTS_SUDO,
5089N/A NULL, &state->attrs, NULL);
5089N/A if (ret != EOK) {
5089N/A goto immediately;
5089N/A }
5089N/A
5089N/A /* begin search */
5089N/A ret = sdap_sudo_load_sudoers_next_base(req);
5089N/A if (ret == EAGAIN) {
5089N/A /* asynchronous processing */
5089N/A return req;
5089N/A }
5089N/A
5089N/Aimmediately:
5089N/A if (ret == EOK) {
5089N/A tevent_req_done(req);
5089N/A } else {
5089N/A tevent_req_error(req, ret);
5089N/A }
5089N/A tevent_req_post(req, ev);
5089N/A
5089N/A return req;
5089N/A}
5089N/A
5124N/Astatic errno_t sdap_sudo_load_sudoers_next_base(struct tevent_req *req)
5089N/A{
5089N/A struct sdap_sudo_load_sudoers_state *state;
5089N/A struct sdap_search_base *base;
5089N/A struct tevent_req *subreq;
5089N/A char *filter;
5089N/A
5089N/A state = tevent_req_data(req, struct sdap_sudo_load_sudoers_state);
5089N/A base = state->search_bases[state->base_iter];
5089N/A if (base == NULL) {
5089N/A return EOK;
5089N/A }
5089N/A
5089N/A /* Combine lookup and search base filters. */
5290N/A filter = sdap_get_id_specific_filter(state, state->filter, base->filter);
5452N/A if (filter == NULL) {
5089N/A return ENOMEM;
5089N/A }
5089N/A
5089N/A DEBUG(SSSDBG_TRACE_FUNC, "Searching for sudo rules with base [%s]\n",
5089N/A base->basedn);
subreq = sdap_get_generic_send(state, state->ev, state->opts, state->sh,
base->basedn, base->scope, filter,
state->attrs, state->opts->sudorule_map,
SDAP_OPTS_SUDO, state->timeout, true);
if (subreq == NULL) {
return ENOMEM;
}
tevent_req_set_callback(subreq, sdap_sudo_load_sudoers_done, req);
state->base_iter++;
return EAGAIN;
}
static void sdap_sudo_load_sudoers_done(struct tevent_req *subreq)
{
struct tevent_req *req;
struct sdap_sudo_load_sudoers_state *state;
struct sdap_search_base *search_base;
struct sysdb_attrs **attrs = NULL;
size_t count;
int ret;
int i;
req = tevent_req_callback_data(subreq, struct tevent_req);
state = tevent_req_data(req, struct sdap_sudo_load_sudoers_state);
search_base = state->search_bases[state->base_iter - 1];
DEBUG(SSSDBG_TRACE_FUNC, "Receiving sudo rules with base [%s]\n",
search_base->basedn);
ret = sdap_get_generic_recv(subreq, state, &count, &attrs);
talloc_zfree(subreq);
if (ret != EOK) {
tevent_req_error(req, ret);
return;
}
/* Add rules to result. */
if (count > 0) {
state->rules = talloc_realloc(state, state->rules,
struct sysdb_attrs *,
state->num_rules + count);
if (state->rules == NULL) {
tevent_req_error(req, ENOMEM);
return;
}
for (i = 0; i < count; i++) {
state->rules[state->num_rules + i] = talloc_steal(state->rules,
attrs[i]);
}
state->num_rules += count;
}
/* Try next search base. */
ret = sdap_sudo_load_sudoers_next_base(req);
if (ret == EOK) {
tevent_req_done(req);
} else if (ret != EAGAIN) {
tevent_req_error(req, ret);
}
return;
}
static int sdap_sudo_load_sudoers_recv(struct tevent_req *req,
TALLOC_CTX *mem_ctx,
size_t *num_rules,
struct sysdb_attrs ***rules)
{
struct sdap_sudo_load_sudoers_state *state;
state = tevent_req_data(req, struct sdap_sudo_load_sudoers_state);
TEVENT_REQ_RETURN_ON_ERROR(req);
*num_rules = state->num_rules;
*rules = talloc_steal(mem_ctx, state->rules);
return EOK;
}
static int sdap_sudo_purge_sudoers(struct sss_domain_info *dom,
const char *filter,
struct sdap_attr_map *map,
size_t rules_count,
struct sysdb_attrs **rules)
{
const char *name;
int i;
errno_t ret;
if (filter == NULL) {
/* removes downloaded rules from the cache */
if (rules_count == 0 || rules == NULL) {
return EOK;
}
for (i = 0; i < rules_count; i++) {
ret = sysdb_attrs_get_string(rules[i],
map[SDAP_AT_SUDO_NAME].sys_name,
&name);
if (ret != EOK) {
DEBUG(SSSDBG_MINOR_FAILURE,
"Failed to retrieve rule name: [%s]\n", strerror(ret));
continue;
}
ret = sysdb_sudo_purge_byname(dom, name);
if (ret != EOK) {
DEBUG(SSSDBG_MINOR_FAILURE,
"Failed to delete rule %s: [%s]\n",
name, strerror(ret));
continue;
}
}
ret = EOK;
} else {
/* purge cache by provided filter */
ret = sysdb_sudo_purge_byfilter(dom, filter);
if (ret != EOK) {
goto done;
}
}
done:
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "failed to purge sudo rules [%d]: %s\n",
ret, strerror(ret));
}
return ret;
}
static int sdap_sudo_store_sudoers(TALLOC_CTX *mem_ctx,
struct sss_domain_info *domain,
struct sdap_options *opts,
size_t rules_count,
struct sysdb_attrs **rules,
int cache_timeout,
time_t now,
char **_usn)
{
errno_t ret;
/* Empty sudoers? Done. */
if (rules_count == 0 || rules == NULL) {
return EOK;
}
ret = sdap_save_native_sudorule_list(mem_ctx, domain,
opts->sudorule_map, rules,
rules_count, cache_timeout, now,
_usn);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "failed to save sudo rules [%d]: %s\n",
ret, strerror(ret));
return ret;
}
return EOK;
}
struct sdap_sudo_refresh_state {
struct tevent_context *ev;
struct sdap_options *opts;
struct sdap_id_op *sdap_op;
struct sysdb_ctx *sysdb;
struct sss_domain_info *domain;
const char *ldap_filter; /* search */
const char *sysdb_filter; /* delete */
int dp_error;
char *highest_usn;
size_t num_rules;
};
static errno_t sdap_sudo_refresh_retry(struct tevent_req *req);
static void sdap_sudo_refresh_connect_done(struct tevent_req *subreq);
static void sdap_sudo_refresh_done(struct tevent_req *subreq);
struct tevent_req *sdap_sudo_refresh_send(TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
struct sss_domain_info *domain,
struct sdap_options *opts,
struct sdap_id_conn_ctx *conn,
const char *ldap_filter,
const char *sysdb_filter)
{
struct tevent_req *req;
struct sdap_sudo_refresh_state *state;
int ret;
req = tevent_req_create(mem_ctx, &state, struct sdap_sudo_refresh_state);
if (!req) {
return NULL;
}
/* if we don't have a search filter, this request is meaningless */
if (ldap_filter == NULL) {
ret = EINVAL;
goto immediately;
}
state->ev = ev;
state->opts = opts;
state->domain = domain;
state->sysdb = domain->sysdb;
state->dp_error = DP_ERR_FATAL;
state->highest_usn = NULL;
state->sdap_op = sdap_id_op_create(state, conn->conn_cache);
if (!state->sdap_op) {
DEBUG(SSSDBG_OP_FAILURE, "sdap_id_op_create() failed\n");
ret = ENOMEM;
goto immediately;
}
state->ldap_filter = talloc_strdup(state, ldap_filter);
if (state->ldap_filter == NULL) {
ret = ENOMEM;
goto immediately;
}
state->sysdb_filter = talloc_strdup(state, sysdb_filter);
if (sysdb_filter != NULL && state->sysdb_filter == NULL) {
ret = ENOMEM;
goto immediately;
}
ret = sdap_sudo_refresh_retry(req);
if (ret == EAGAIN) {
/* asynchronous processing */
return req;
}
immediately:
if (ret == EOK) {
tevent_req_done(req);
} else {
tevent_req_error(req, ret);
}
tevent_req_post(req, ev);
return req;
}
static errno_t sdap_sudo_refresh_retry(struct tevent_req *req)
{
struct sdap_sudo_refresh_state *state;
struct tevent_req *subreq;
int ret;
state = tevent_req_data(req, struct sdap_sudo_refresh_state);
subreq = sdap_id_op_connect_send(state->sdap_op, state, &ret);
if (subreq == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "sdap_id_op_connect_send() failed: "
"%d(%s)\n", ret, strerror(ret));
return ret;
}
tevent_req_set_callback(subreq, sdap_sudo_refresh_connect_done, req);
return EAGAIN;
}
static void sdap_sudo_refresh_connect_done(struct tevent_req *subreq)
{
struct tevent_req *req;
struct sdap_sudo_refresh_state *state;
int dp_error;
int ret;
req = tevent_req_callback_data(subreq, struct tevent_req);
state = tevent_req_data(req, struct sdap_sudo_refresh_state);
ret = sdap_id_op_connect_recv(subreq, &dp_error);
talloc_zfree(subreq);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "SUDO LDAP connection failed "
"[%d]: %s\n", ret, strerror(ret));
state->dp_error = dp_error;
tevent_req_error(req, ret);
return;
}
DEBUG(SSSDBG_TRACE_FUNC, "SUDO LDAP connection successful\n");
subreq = sdap_sudo_load_sudoers_send(state, state->ev,
state->opts,
sdap_id_op_handle(state->sdap_op),
state->ldap_filter);
if (subreq == NULL) {
state->dp_error = DP_ERR_FATAL;
tevent_req_error(req, ENOMEM);
return;
}
tevent_req_set_callback(subreq, sdap_sudo_refresh_done, req);
return;
}
static void sdap_sudo_refresh_done(struct tevent_req *subreq)
{
struct tevent_req *req;
struct sdap_sudo_refresh_state *state;
struct sysdb_attrs **rules = NULL;
size_t rules_count = 0;
int dp_error;
int ret;
errno_t sret;
bool in_transaction = false;
time_t now;
req = tevent_req_callback_data(subreq, struct tevent_req);
state = tevent_req_data(req, struct sdap_sudo_refresh_state);
ret = sdap_sudo_load_sudoers_recv(subreq, state, &rules_count, &rules);
talloc_zfree(subreq);
ret = sdap_id_op_done(state->sdap_op, ret, &dp_error);
if (dp_error == DP_ERR_OK && ret != EOK) {
/* retry */
ret = sdap_sudo_refresh_retry(req);
if (ret != EOK) {
tevent_req_error(req, ret);
}
return;
}
DEBUG(SSSDBG_TRACE_FUNC, "Received %zu rules\n", rules_count);
/* start transaction */
ret = sysdb_transaction_start(state->sysdb);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "Failed to start transaction\n");
goto done;
}
in_transaction = true;
/* purge cache */
ret = sdap_sudo_purge_sudoers(state->domain, state->sysdb_filter,
state->opts->sudorule_map, rules_count, rules);
if (ret != EOK) {
goto done;
}
/* store rules */
now = time(NULL);
ret = sdap_sudo_store_sudoers(state, state->domain,
state->opts, rules_count, rules,
state->domain->sudo_timeout, now,
&state->highest_usn);
if (ret != EOK) {
goto done;
}
/* commit transaction */
ret = sysdb_transaction_commit(state->sysdb);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "Failed to commit transaction\n");
goto done;
}
in_transaction = false;
DEBUG(SSSDBG_TRACE_FUNC, "Sudoers is successfuly stored in cache\n");
ret = EOK;
state->num_rules = rules_count;
done:
if (in_transaction) {
sret = sysdb_transaction_cancel(state->sysdb);
if (sret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "Could not cancel transaction\n");
}
}
state->dp_error = dp_error;
if (ret == EOK) {
tevent_req_done(req);
} else {
tevent_req_error(req, ret);
}
}
int sdap_sudo_refresh_recv(TALLOC_CTX *mem_ctx,
struct tevent_req *req,
int *dp_error,
char **usn,
size_t *num_rules)
{
struct sdap_sudo_refresh_state *state;
state = tevent_req_data(req, struct sdap_sudo_refresh_state);
TEVENT_REQ_RETURN_ON_ERROR(req);
*dp_error = state->dp_error;
if (usn != NULL && state->highest_usn != NULL) {
*usn = talloc_steal(mem_ctx, state->highest_usn);
}
if (num_rules != NULL) {
*num_rules = state->num_rules;
}
return EOK;
}