/*
    SSSD

    Simple access control

    Copyright (C) Sumit Bose <sbose@redhat.com> 2010

    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; either version 3 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce
cc2d77d5218c188119fa954c856e858cbde76947Pavel Březina#include "providers/backend.h"
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce#include "providers/simple/simple_access.h"
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce#include "util/sss_utf8.h"
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce#include "db/sysdb.h"
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce
/* Diagnostics emitted (through DEBUG and sss_log) when an entry of one of the
 * simple_{allow,deny}_{users,groups} lists cannot be mapped to a known domain
 * by find_domain_by_object_name(). The "%s" is the offending list entry. */
#define NON_EXIST_USR_ALLOW "The user %s does not exist. Possible typo in simple_allow_users.\n"
#define NON_EXIST_USR_DENY "The user %s does not exist. Possible typo in simple_deny_users.\n"
#define NON_EXIST_GRP_ALLOW "The group %s does not exist. Possible typo in simple_allow_groups.\n"
#define NON_EXIST_GRP_DENY "The group %s does not exist. Possible typo in simple_deny_groups.\n"
79f128801d598ca57a6acebade01136525a47e00Pavel Reichl
/* Report whether a cached group entry is a POSIX group.
 *
 * A group without a SYSDB_POSIX attribute counts as POSIX (the default);
 * otherwise the attribute has to read "TRUE", compared case-insensitively.
 */
static bool
is_posix(const struct ldb_message *group)
{
    const char *posix_attr = ldb_msg_find_attr_as_string(group, SYSDB_POSIX,
                                                         NULL);

    /* Absent attribute: groups are POSIX unless explicitly marked otherwise */
    if (posix_attr == NULL) {
        return true;
    }

    return strcasecmp(posix_attr, "TRUE") == 0;
}
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce
/* Evaluate the per-user allow and deny rules for @username.
 *
 * Sets *access_granted to true when the user is explicitly allowed, or when
 * no allow rule at all (neither users nor groups) is configured; sets it to
 * false and returns EOK when the user is explicitly denied.
 *
 * Returns EOK when the outcome is final (explicit deny), EAGAIN when the
 * group rules still have to be consulted, and EINVAL when an entry of
 * simple_deny_users cannot be mapped to a domain. Note the asymmetry: an
 * unmappable entry in simple_allow_users is logged and skipped, while an
 * unmappable deny entry aborts the check, so a typo in a deny list cannot
 * silently widen access.
 */
static errno_t
simple_check_users(struct simple_ctx *ctx, const char *username,
                   bool *access_granted)
{
    struct sss_domain_info *dom;
    size_t i;

    /* Allow rules first */
    if (ctx->allow_users == NULL) {
        if (ctx->allow_groups == NULL) {
            /* Nothing whitelists anyone: grant unless a deny rule hits */
            DEBUG(SSSDBG_TRACE_LIBS,
                  "No allow rule, assumuing allow unless explicitly denied\n");
            *access_granted = true;
        }
    } else {
        for (i = 0; ctx->allow_users[i] != NULL; i++) {
            const char *entry = ctx->allow_users[i];

            dom = find_domain_by_object_name(ctx->domain, entry);
            if (dom == NULL) {
                DEBUG(SSSDBG_CRIT_FAILURE, NON_EXIST_USR_ALLOW, entry);
                sss_log(SSS_LOG_CRIT, NON_EXIST_USR_ALLOW, entry);
                continue;
            }

            if (!sss_string_equal(dom->case_sensitive, username, entry)) {
                continue;
            }

            DEBUG(SSSDBG_TRACE_LIBS,
                  "User [%s] found in allow list, access granted.\n",
                  username);

            /* An explicit allow is not final: a deny rule on the user or on
             * one of the user's groups can still revoke it. No further allow
             * entries need to be compared, though. */
            *access_granted = true;
            break;
        }
    }

    /* Deny rules: an explicit match ends the evaluation immediately */
    if (ctx->deny_users != NULL) {
        for (i = 0; ctx->deny_users[i] != NULL; i++) {
            const char *entry = ctx->deny_users[i];

            dom = find_domain_by_object_name(ctx->domain, entry);
            if (dom == NULL) {
                DEBUG(SSSDBG_CRIT_FAILURE, NON_EXIST_USR_DENY, entry);
                sss_log(SSS_LOG_CRIT, NON_EXIST_USR_DENY, entry);
                /* Fail closed: a deny list we cannot fully evaluate is an
                 * error, not something to skip over */
                return EINVAL;
            }

            if (sss_string_equal(dom->case_sensitive, username, entry)) {
                DEBUG(SSSDBG_TRACE_LIBS,
                      "User [%s] found in deny list, access denied.\n",
                      entry);
                *access_granted = false;
                return EOK;
            }
        }
    }

    /* Only a partial verdict so far; group rules decide the rest */
    return EAGAIN;
}
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce
/* Return the element of the NULL-terminated @group_names that equals @rule
 * under the given case sensitivity, or NULL when none of them does. */
static const char *
simple_first_group_match(bool case_sensitive, const char **group_names,
                         const char *rule)
{
    size_t j;

    for (j = 0; group_names[j] != NULL; j++) {
        if (sss_string_equal(case_sensitive, group_names[j], rule)) {
            return group_names[j];
        }
    }

    return NULL;
}

/* Evaluate the allow and deny group rules against the user's group names.
 *
 * The allow rules are only consulted when *access_granted is still false
 * (a user-level allow makes them redundant); a matching allow group sets it
 * to true. The deny rules are always consulted and a matching deny group
 * sets it to false, so a deny wins over any allow.
 *
 * Returns EOK, or EINVAL when an entry of simple_deny_groups cannot be
 * mapped to a domain. As with the user rules, an unmappable allow entry is
 * only logged and skipped, while an unmappable deny entry aborts the check
 * so that a typo in a deny list cannot widen access.
 */
static errno_t
simple_check_groups(struct simple_ctx *ctx, const char **group_names,
                    bool *access_granted)
{
    struct sss_domain_info *dom;
    const char *hit;
    size_t i;

    /* Allow rules, unless access was already granted by a user rule */
    if (ctx->allow_groups != NULL && !*access_granted) {
        for (i = 0; ctx->allow_groups[i] != NULL; i++) {
            const char *rule = ctx->allow_groups[i];

            dom = find_domain_by_object_name(ctx->domain, rule);
            if (dom == NULL) {
                DEBUG(SSSDBG_CRIT_FAILURE, NON_EXIST_GRP_ALLOW, rule);
                sss_log(SSS_LOG_CRIT, NON_EXIST_GRP_ALLOW, rule);

                continue;
            }

            hit = simple_first_group_match(dom->case_sensitive, group_names,
                                           rule);
            if (hit != NULL) {
                /* One matching allow group is enough; stop scanning */
                DEBUG(SSSDBG_TRACE_LIBS,
                      "Group [%s] found in allow list, access granted.\n",
                      hit);
                *access_granted = true;
                break;
            }
        }
    }

    /* Deny rules are evaluated regardless of the allow outcome */
    if (ctx->deny_groups != NULL) {
        for (i = 0; ctx->deny_groups[i] != NULL; i++) {
            const char *rule = ctx->deny_groups[i];

            dom = find_domain_by_object_name(ctx->domain, rule);
            if (dom == NULL) {
                DEBUG(SSSDBG_CRIT_FAILURE, NON_EXIST_GRP_DENY, rule);
                sss_log(SSS_LOG_CRIT, NON_EXIST_GRP_DENY, rule);

                /* Fail closed on a deny list we cannot fully evaluate */
                return EINVAL;
            }

            hit = simple_first_group_match(dom->case_sensitive, group_names,
                                           rule);
            if (hit != NULL) {
                DEBUG(SSSDBG_TRACE_LIBS,
                      "Group [%s] found in deny list, access denied.\n",
                      hit);
                *access_granted = false;
                break;
            }
        }
    }

    return EOK;
}
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
/* Per-request state of simple_resolve_group_send(): resolve a GID to a
 * group name, refreshing the cache through the data provider if needed. */
struct simple_resolve_group_state {
    struct sss_domain_info *domain;  /* domain the GID is looked up in */
    gid_t gid;                       /* GID being resolved */
    struct simple_ctx *ctx;          /* provider context (supplies be_ctx) */

    const char *name;                /* group name from the cache entry; set
                                      * by simple_resolve_group_check() */
};
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
/* Forward declarations for the resolve-group request implemented below */
static errno_t
simple_resolve_group_check(struct simple_resolve_group_state *state);
static void simple_resolve_group_done(struct tevent_req *subreq);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
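/* Resolve @gid in @domain to a POSIX group name, asking the ID provider to
 * refresh the entry when it is missing from the cache or still non-POSIX.
 *
 * Completes immediately (through tevent_req_post) when the cached entry is
 * already usable or when the initial cache check fails with an error;
 * otherwise an account request is sent to the provider and the request
 * finishes in simple_resolve_group_done(). Collect the name with
 * simple_resolve_group_recv(). Returns NULL only when the request itself
 * cannot be allocated.
 */
static struct tevent_req *
simple_resolve_group_send(TALLOC_CTX *mem_ctx,
                          struct tevent_context *ev,
                          struct simple_ctx *ctx,
                          struct sss_domain_info *domain,
                          gid_t gid)
{
    errno_t ret;
    struct tevent_req *req;
    struct tevent_req *subreq;
    struct simple_resolve_group_state *state;
    struct dp_id_data *ar;

    req = tevent_req_create(mem_ctx, &state,
                            struct simple_resolve_group_state);
    if (!req) return NULL;

    state->domain = domain;
    state->gid = gid;
    state->ctx = ctx;

    /* First check if the group was updated already. If it was (maybe its
     * parent was updated first), then just shortcut */
    ret = simple_resolve_group_check(state);
    if (ret == EOK) {
        DEBUG(SSSDBG_TRACE_LIBS, "Group already updated\n");
        goto done;
    } else if (ret != EAGAIN) {
        DEBUG(SSSDBG_OP_FAILURE,
              "Cannot check if group was already updated [%d]: %s\n",
              ret, sss_strerror(ret));
        goto done;
    }
    /* EAGAIN - still needs update */

    /* Zero the request so that every dp_id_data field not assigned below is
     * NULL/0 rather than indeterminate if the handler inspects it. */
    ar = talloc_zero(state, struct dp_id_data);
    if (!ar) {
        ret = ENOMEM;
        goto done;
    }

    ar->entry_type = BE_REQ_GROUP;
    ar->attr_type = BE_ATTR_CORE;
    ar->filter_type = BE_FILTER_IDNUM;
    ar->filter_value = talloc_asprintf(ar, "%llu", (unsigned long long) gid);
    ar->domain = talloc_strdup(ar, state->domain->name);
    if (!ar->domain || !ar->filter_value) {
        ret = ENOMEM;
        goto done;
    }

    subreq = dp_req_send(state, ctx->be_ctx->provider, NULL, ar->domain,
                         "Simple Resolve Group", DPT_ID, DPM_ACCOUNT_HANDLER,
                         0, ar, NULL);
    if (!subreq) {
        ret = ENOMEM;
        goto done;
    }
    tevent_req_set_callback(subreq, simple_resolve_group_done, req);

    return req;

done:
    /* Synchronous completion: mark the request and post it to the loop so
     * the caller's callback still runs from the event loop, never inline. */
    if (ret == EOK) {
        tevent_req_done(req);
    } else {
        tevent_req_error(req, ret);
    }
    tevent_req_post(req, ev);
    return req;
}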
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
/* Look the group for state->gid up in the cache and decide whether it is
 * usable yet.
 *
 * Returns EOK and stores the cached group name in state->name when a named
 * POSIX group is found; EAGAIN when the group is absent from the cache or
 * still marked non-POSIX (a refresh through the data provider is needed);
 * ERR_ACCOUNT_UNKNOWN when the cached entry carries no name; any other
 * sysdb error code otherwise.
 */
static errno_t
simple_resolve_group_check(struct simple_resolve_group_state *state)
{
    const char *group_attrs[] = { SYSDB_NAME, SYSDB_POSIX,
                                  SYSDB_GIDNUM, NULL };
    struct ldb_message *group = NULL;
    errno_t ret;

    /* Check the cache by GID again and fetch the name */
    ret = sysdb_search_group_by_gid(state, state->domain, state->gid,
                                    group_attrs, &group);
    switch (ret) {
    case EOK:
        break;
    case ENOENT:
        /* Not cached; the caller will ask the provider for it */
        return EAGAIN;
    default:
        DEBUG(SSSDBG_OP_FAILURE,
              "Could not look up group by gid [%"SPRIgid"]: [%d][%s]\n",
              state->gid, ret, sss_strerror(ret));
        return ret;
    }

    state->name = ldb_msg_find_attr_as_string(group, SYSDB_NAME, NULL);
    if (state->name == NULL) {
        DEBUG(SSSDBG_OP_FAILURE, "No group name\n");
        return ERR_ACCOUNT_UNKNOWN;
    }

    if (!is_posix(group)) {
        DEBUG(SSSDBG_TRACE_LIBS,
              "The group is still non-POSIX\n");
        return EAGAIN;
    }

    DEBUG(SSSDBG_TRACE_LIBS, "Got POSIX group\n");
    return EOK;
}
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
/* Completion callback for the data provider request issued by
 * simple_resolve_group_send(): re-checks the cache and finishes the
 * parent request with the outcome. */
static void simple_resolve_group_done(struct tevent_req *subreq)
{
    struct tevent_req *req = tevent_req_callback_data(subreq,
                                                      struct tevent_req);
    struct simple_resolve_group_state *state =
            tevent_req_data(req, struct simple_resolve_group_state);
    struct dp_reply_std *reply = NULL;
    errno_t ret;

    ret = dp_req_recv_ptr(state, subreq, struct dp_reply_std, &reply);
    talloc_zfree(subreq);
    if (ret != EOK) {
        DEBUG(SSSDBG_OP_FAILURE, "dp_req_recv failed\n");
        tevent_req_error(req, ret);
        return;
    }

    /* The provider answered but could not refresh the entry; the caller
     * sees this as EIO. */
    if (reply->dp_error != DP_ERR_OK) {
        DEBUG(SSSDBG_MINOR_FAILURE,
              "Cannot refresh data from DP: %u,%u: %s\n",
              reply->dp_error, reply->error, reply->message);
        tevent_req_error(req, EIO);
        return;
    }

    /* Check the cache by GID again and fetch the name */
    ret = simple_resolve_group_check(state);
    if (ret == EOK) {
        tevent_req_done(req);
        return;
    }

    DEBUG(SSSDBG_OP_FAILURE, "Refresh failed\n");
    tevent_req_error(req, ret);
}
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
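/* Collect the result of simple_resolve_group_send().
 *
 * On success stores a copy of the resolved group name, allocated on
 * @mem_ctx, in *name and returns EOK. Returns the request's error code when
 * the request failed, and ENOMEM when the copy cannot be allocated, so a
 * caller never receives EOK together with a NULL name.
 */
static errno_t
simple_resolve_group_recv(struct tevent_req *req,
                          TALLOC_CTX *mem_ctx,
                          const char **name)
{
    struct simple_resolve_group_state *state;

    state = tevent_req_data(req, struct simple_resolve_group_state);

    TEVENT_REQ_RETURN_ON_ERROR(req);

    *name = talloc_strdup(mem_ctx, state->name);
    if (*name == NULL) {
        return ENOMEM;
    }

    return EOK;
}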
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
/* A group to resolve, identified by GID within a specific domain */
struct simple_group {
    struct sss_domain_info *domain;
    gid_t gid;
};
115241b0eeedd033d34d9721a896f031140944d7Pavel Březina
/* State of simple_check_get_groups_send(): collects the group names of a
 * user so that simple_check_groups() can evaluate the group rules. */
struct simple_check_groups_state {
    struct tevent_context *ev;
    struct simple_ctx *ctx;
    struct sss_domain_info *domain;  /* domain derived from the username */

    /* Groups that still need to be resolved to names; presumably walked
     * with giter by the callbacks that follow (defined outside this view) */
    struct simple_group *lookup_groups;
    size_t num_groups;
    size_t giter;

    /* Group names gathered so far */
    const char **group_names;
    size_t num_names;

    /* Cleared at request start; set by later code when a lookup fails
     * (the setter is outside this view) */
    bool failed_to_resolve_groups;
};
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
/* Forward declarations for the get-groups request implemented below */
static void simple_check_get_groups_next(struct tevent_req *subreq);

static errno_t
simple_check_get_groups_primary(struct simple_check_groups_state *state,
                                gid_t gid);
static errno_t
simple_check_process_group(struct simple_check_groups_state *state,
                           struct ldb_message *group);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozekstatic struct tevent_req *
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozeksimple_check_get_groups_send(TALLOC_CTX *mem_ctx,
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek struct tevent_context *ev,
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek struct simple_ctx *ctx,
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek const char *username)
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek{
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek errno_t ret;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek struct tevent_req *req;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek struct tevent_req *subreq;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek struct simple_check_groups_state *state;
115241b0eeedd033d34d9721a896f031140944d7Pavel Březina const char *attrs[] = { SYSDB_NAME, SYSDB_POSIX, SYSDB_GIDNUM,
115241b0eeedd033d34d9721a896f031140944d7Pavel Březina SYSDB_SID_STR, NULL };
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek size_t group_count;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek struct ldb_message *user;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek struct ldb_message **groups;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek int i;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek gid_t gid;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek req = tevent_req_create(mem_ctx, &state,
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek struct simple_check_groups_state);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek if (!req) return NULL;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek state->ev = ev;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek state->ctx = ctx;
82a958e6592c4a4078e45b7197bbe4751b70f511Pavel Reichl state->failed_to_resolve_groups = false;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_TRACE_LIBS, "Looking up groups for user %s\n", username);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
115241b0eeedd033d34d9721a896f031140944d7Pavel Březina /* get domain from username */
b011330c77168cdd864aaae54a75214935136c05Pavel Reichl state->domain = find_domain_by_object_name(ctx->domain, username);
115241b0eeedd033d34d9721a896f031140944d7Pavel Březina if (state->domain == NULL) {
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_CRIT_FAILURE, "Invalid user %s!\n", username);
115241b0eeedd033d34d9721a896f031140944d7Pavel Březina ret = EINVAL;
115241b0eeedd033d34d9721a896f031140944d7Pavel Březina goto done;
115241b0eeedd033d34d9721a896f031140944d7Pavel Březina }
115241b0eeedd033d34d9721a896f031140944d7Pavel Březina
4c08db0fb0dda3d27b1184248ca5c800d7ce23f0Michal Zidek ret = sysdb_search_user_by_name(state, state->domain, username, attrs,
4c08db0fb0dda3d27b1184248ca5c800d7ce23f0Michal Zidek &user);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek if (ret == ENOENT) {
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_MINOR_FAILURE, "No such user %s\n", username);
18f01e63c1968c29bddb9e48c279b583c0444730Jakub Hrozek ret = ERR_ACCOUNT_UNKNOWN;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek goto done;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek } else if (ret != EOK) {
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek DEBUG(SSSDBG_OP_FAILURE,
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov "Could not look up username [%s]: [%d][%s]\n",
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov username, ret, sss_strerror(ret));
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek goto done;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek }
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
d115f40c7a3999e3cbe705a2ff9cf0fd493f80fbMichal Zidek ret = sysdb_asq_search(state, state->domain,
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek user->dn, NULL, SYSDB_MEMBEROF,
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek attrs, &group_count, &groups);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek if (ret != EOK) {
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek goto done;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek }
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek DEBUG(SSSDBG_TRACE_FUNC,
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov "User %s is a member of %zu supplemental groups\n",
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov username, group_count);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek /* One extra space for terminator, one extra space for private group */
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek state->group_names = talloc_zero_array(state, const char *, group_count + 2);
115241b0eeedd033d34d9721a896f031140944d7Pavel Březina state->lookup_groups = talloc_zero_array(state, struct simple_group,
115241b0eeedd033d34d9721a896f031140944d7Pavel Březina group_count + 2);
115241b0eeedd033d34d9721a896f031140944d7Pavel Březina if (!state->group_names || !state->lookup_groups) {
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek ret = ENOMEM;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek goto done;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek }
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek for (i=0; i < group_count; i++) {
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek /* Some providers (like the AD provider) might perform initgroups
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek * without resolving the group names. In order for the simple access
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek * provider to work correctly, we need to resolve the groups before
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek * performing the access check. In AD provider, the situation is
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek * even more tricky b/c the groups HAVE name, but their name
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek * attribute is set to SID and they are set as non-POSIX
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek */
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek ret = simple_check_process_group(state, groups[i]);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek if (ret != EOK) {
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek goto done;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek }
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek }
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek gid = ldb_msg_find_attr_as_uint64(user, SYSDB_GIDNUM, 0);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek if (!gid) {
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_MINOR_FAILURE, "User %s has no gid?\n", username);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek ret = EINVAL;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek goto done;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek }
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek ret = simple_check_get_groups_primary(state, gid);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek if (ret != EOK) {
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek goto done;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek }
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
115241b0eeedd033d34d9721a896f031140944d7Pavel Březina if (state->num_groups == 0) {
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek /* If all groups could have been resolved by name, we are
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek * done
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek */
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_TRACE_FUNC, "All groups had name attribute\n");
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek ret = EOK;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek goto done;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek }
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_TRACE_FUNC, "Need to resolve %zu groups\n",
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov state->num_groups);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek state->giter = 0;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek subreq = simple_resolve_group_send(req, state->ev, state->ctx,
115241b0eeedd033d34d9721a896f031140944d7Pavel Březina state->lookup_groups[state->giter].domain,
115241b0eeedd033d34d9721a896f031140944d7Pavel Březina state->lookup_groups[state->giter].gid);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek if (!subreq) {
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek ret = ENOMEM;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek goto done;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek }
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek tevent_req_set_callback(subreq, simple_check_get_groups_next, req);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek return req;
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorcedone:
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek if (ret == EOK) {
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek tevent_req_done(req);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek } else {
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek tevent_req_error(req, ret);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek }
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek tevent_req_post(req, ev);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek return req;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek}
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozekstatic void simple_check_get_groups_next(struct tevent_req *subreq)
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek{
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek struct tevent_req *req =
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek tevent_req_callback_data(subreq, struct tevent_req);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek struct simple_check_groups_state *state =
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek tevent_req_data(req, struct simple_check_groups_state);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek errno_t ret;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek ret = simple_resolve_group_recv(subreq, state->group_names,
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek &state->group_names[state->num_names]);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek talloc_zfree(subreq);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek if (ret != EOK) {
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek DEBUG(SSSDBG_OP_FAILURE,
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov "Could not resolve name of group with GID %"SPRIgid"\n",
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov state->lookup_groups[state->giter].gid);
82a958e6592c4a4078e45b7197bbe4751b70f511Pavel Reichl state->failed_to_resolve_groups = true;
82a958e6592c4a4078e45b7197bbe4751b70f511Pavel Reichl } else {
82a958e6592c4a4078e45b7197bbe4751b70f511Pavel Reichl state->num_names++;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek }
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek state->giter++;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
115241b0eeedd033d34d9721a896f031140944d7Pavel Březina if (state->giter < state->num_groups) {
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek subreq = simple_resolve_group_send(req, state->ev, state->ctx,
115241b0eeedd033d34d9721a896f031140944d7Pavel Březina state->lookup_groups[state->giter].domain,
115241b0eeedd033d34d9721a896f031140944d7Pavel Březina state->lookup_groups[state->giter].gid);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek if (!subreq) {
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek tevent_req_error(req, ENOMEM);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek return;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek }
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek tevent_req_set_callback(subreq, simple_check_get_groups_next, req);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek return;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek }
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_TRACE_INTERNAL, "All groups resolved. Done.\n");
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek tevent_req_done(req);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek}
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozekstatic errno_t
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozeksimple_check_process_group(struct simple_check_groups_state *state,
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek struct ldb_message *group)
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek{
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek const char *name;
115241b0eeedd033d34d9721a896f031140944d7Pavel Březina const char *group_sid;
115241b0eeedd033d34d9721a896f031140944d7Pavel Březina struct sss_domain_info *domain;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek gid_t gid;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek bool posix;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek posix = is_posix(group);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek name = ldb_msg_find_attr_as_string(group, SYSDB_NAME, NULL);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek gid = ldb_msg_find_attr_as_uint64(group, SYSDB_GIDNUM, 0);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek /* With the current sysdb layout, every group has a name */
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek if (name == NULL) {
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek return EINVAL;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek }
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek if (gid == 0) {
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek if (posix == true) {
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_CRIT_FAILURE, "POSIX group without GID\n");
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek return EINVAL;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek }
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek /* Non-posix group with a name. Still can be used for access
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek * control as the name should point to the real name, no SID
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek */
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek state->group_names[state->num_names] = talloc_strdup(state->group_names,
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek name);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek if (!state->group_names[state->num_names]) {
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek return ENOMEM;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek }
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_TRACE_INTERNAL, "Adding group %s\n", name);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek state->num_names++;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek return EOK;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek }
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek /* Here are only groups with a name and gid. POSIX group can already
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek * be used, non-POSIX groups can be resolved */
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek if (posix) {
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek state->group_names[state->num_names] = talloc_strdup(state->group_names,
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek name);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek if (!state->group_names[state->num_names]) {
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek return ENOMEM;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek }
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_TRACE_INTERNAL, "Adding group %s\n", name);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek state->num_names++;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek return EOK;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek }
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
115241b0eeedd033d34d9721a896f031140944d7Pavel Březina /* Try to get group SID and assign it a domain */
115241b0eeedd033d34d9721a896f031140944d7Pavel Březina group_sid = ldb_msg_find_attr_as_string(group, SYSDB_SID_STR, NULL);
115241b0eeedd033d34d9721a896f031140944d7Pavel Březina if (group_sid == NULL) {
115241b0eeedd033d34d9721a896f031140944d7Pavel Březina /* We will look it up in main domain. */
115241b0eeedd033d34d9721a896f031140944d7Pavel Březina domain = state->ctx->domain;
115241b0eeedd033d34d9721a896f031140944d7Pavel Březina } else {
9ca0071db0e226e4e65b2a80fdeddd5048ca8990Pavel Reichl domain = find_domain_by_sid(state->ctx->domain, group_sid);
115241b0eeedd033d34d9721a896f031140944d7Pavel Březina if (domain == NULL) {
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_CRIT_FAILURE, "There is no domain information for "
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov "SID %s\n", group_sid);
115241b0eeedd033d34d9721a896f031140944d7Pavel Březina return ENOENT;
115241b0eeedd033d34d9721a896f031140944d7Pavel Březina }
115241b0eeedd033d34d9721a896f031140944d7Pavel Březina }
115241b0eeedd033d34d9721a896f031140944d7Pavel Březina
115241b0eeedd033d34d9721a896f031140944d7Pavel Březina /* It is a non-posix group with a GID. Needs resolving */
115241b0eeedd033d34d9721a896f031140944d7Pavel Březina state->lookup_groups[state->num_groups].domain = domain;
115241b0eeedd033d34d9721a896f031140944d7Pavel Březina state->lookup_groups[state->num_groups].gid = gid;
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_TRACE_INTERNAL, "Adding GID %"SPRIgid"\n", gid);
115241b0eeedd033d34d9721a896f031140944d7Pavel Březina state->num_groups++;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek return EOK;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek}
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozekstatic errno_t
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozeksimple_check_get_groups_primary(struct simple_check_groups_state *state,
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek gid_t gid)
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek{
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek errno_t ret;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek const char *group_attrs[] = { SYSDB_NAME, SYSDB_POSIX,
115241b0eeedd033d34d9721a896f031140944d7Pavel Březina SYSDB_GIDNUM, SYSDB_SID_STR, NULL };
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek struct ldb_message *msg;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
4c08db0fb0dda3d27b1184248ca5c800d7ce23f0Michal Zidek ret = sysdb_search_group_by_gid(state, state->domain, gid, group_attrs,
4c08db0fb0dda3d27b1184248ca5c800d7ce23f0Michal Zidek &msg);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek if (ret != EOK) {
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek DEBUG(SSSDBG_OP_FAILURE,
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov "Could not look up primary group [%"SPRIgid"]: [%d][%s]\n",
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov gid, ret, sss_strerror(ret));
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek /* We have to treat this as non-fatal, because the primary
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek * group may be local to the machine and not available in
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek * our ID provider.
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek */
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek } else {
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek ret = simple_check_process_group(state, msg);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek if (ret != EOK) {
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_OP_FAILURE, "Cannot process primary group\n");
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek return ret;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek }
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek }
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek return EOK;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek}
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozekstatic errno_t
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozeksimple_check_get_groups_recv(struct tevent_req *req,
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek TALLOC_CTX *mem_ctx,
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek const char ***_group_names)
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek{
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek struct simple_check_groups_state *state;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek state = tevent_req_data(req, struct simple_check_groups_state);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek TEVENT_REQ_RETURN_ON_ERROR(req);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek *_group_names = talloc_steal(mem_ctx, state->group_names);
82a958e6592c4a4078e45b7197bbe4751b70f511Pavel Reichl if (state->failed_to_resolve_groups) {
82a958e6592c4a4078e45b7197bbe4751b70f511Pavel Reichl return ERR_SIMPLE_GROUPS_MISSING;
82a958e6592c4a4078e45b7197bbe4751b70f511Pavel Reichl }
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek return EOK;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek}
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozekstruct simple_access_check_state {
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek bool access_granted;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek struct simple_ctx *ctx;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek const char *username;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek const char **group_names;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek};
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozekstatic void simple_access_check_done(struct tevent_req *subreq);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozekstruct tevent_req *simple_access_check_send(TALLOC_CTX *mem_ctx,
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek struct tevent_context *ev,
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek struct simple_ctx *ctx,
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek const char *username)
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek{
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek errno_t ret;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek struct tevent_req *req;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek struct tevent_req *subreq;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek struct simple_access_check_state *state;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek req = tevent_req_create(mem_ctx, &state,
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek struct simple_access_check_state);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek if (!req) return NULL;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek state->access_granted = false;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek state->ctx = ctx;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek state->username = talloc_strdup(state, username);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek if (!state->username) {
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek ret = ENOMEM;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek goto immediate;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek }
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_FUNC_DATA, "Simple access check for %s\n", username);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek ret = simple_check_users(ctx, username, &state->access_granted);
18f01e63c1968c29bddb9e48c279b583c0444730Jakub Hrozek if (ret == EOK) {
18f01e63c1968c29bddb9e48c279b583c0444730Jakub Hrozek goto immediate;
18f01e63c1968c29bddb9e48c279b583c0444730Jakub Hrozek } else if (ret != EAGAIN) {
18f01e63c1968c29bddb9e48c279b583c0444730Jakub Hrozek ret = ERR_INTERNAL;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek goto immediate;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek }
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
18f01e63c1968c29bddb9e48c279b583c0444730Jakub Hrozek /* EAGAIN -- check groups */
18f01e63c1968c29bddb9e48c279b583c0444730Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek if (!ctx->allow_groups && !ctx->deny_groups) {
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek /* There are no group restrictions, so just return
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek * here with whatever we've decided.
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek */
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_TRACE_LIBS, "No group restrictions, end request\n");
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek ret = EOK;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek goto immediate;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek }
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek /* The group names might not be available. Fire a request to
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek * gather them. In most cases, the request will just shortcut
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek */
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek subreq = simple_check_get_groups_send(state, ev, ctx, username);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek if (!subreq) {
18f01e63c1968c29bddb9e48c279b583c0444730Jakub Hrozek ret = ENOMEM;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek goto immediate;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek }
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek tevent_req_set_callback(subreq, simple_access_check_done, req);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek return req;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozekimmediate:
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek if (ret == EOK) {
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek tevent_req_done(req);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek } else {
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek tevent_req_error(req, ret);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek }
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek tevent_req_post(req, ev);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek return req;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek}
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozekstatic void simple_access_check_done(struct tevent_req *subreq)
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek{
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek struct tevent_req *req =
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek tevent_req_callback_data(subreq, struct tevent_req);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek struct simple_access_check_state *state =
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek tevent_req_data(req, struct simple_access_check_state);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek errno_t ret;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek /* We know the names now. Run the check. */
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek ret = simple_check_get_groups_recv(subreq, state, &state->group_names);
82a958e6592c4a4078e45b7197bbe4751b70f511Pavel Reichl
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek talloc_zfree(subreq);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek if (ret == ENOENT) {
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek /* If the user wasn't found, just shortcut */
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek state->access_granted = false;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek tevent_req_done(req);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek return;
82a958e6592c4a4078e45b7197bbe4751b70f511Pavel Reichl } else if (ret == ERR_SIMPLE_GROUPS_MISSING) {
82a958e6592c4a4078e45b7197bbe4751b70f511Pavel Reichl DEBUG(SSSDBG_OP_FAILURE,
82a958e6592c4a4078e45b7197bbe4751b70f511Pavel Reichl "Could not collect groups of user %s\n", state->username);
82a958e6592c4a4078e45b7197bbe4751b70f511Pavel Reichl if (state->ctx->deny_groups == NULL) {
82a958e6592c4a4078e45b7197bbe4751b70f511Pavel Reichl DEBUG(SSSDBG_TRACE_FUNC,
82a958e6592c4a4078e45b7197bbe4751b70f511Pavel Reichl "But no deny groups were defined so we can continue.\n");
82a958e6592c4a4078e45b7197bbe4751b70f511Pavel Reichl } else {
82a958e6592c4a4078e45b7197bbe4751b70f511Pavel Reichl DEBUG(SSSDBG_OP_FAILURE,
82a958e6592c4a4078e45b7197bbe4751b70f511Pavel Reichl "Some deny groups were defined, we can't continue\n");
82a958e6592c4a4078e45b7197bbe4751b70f511Pavel Reichl tevent_req_error(req, ret);
82a958e6592c4a4078e45b7197bbe4751b70f511Pavel Reichl return;
82a958e6592c4a4078e45b7197bbe4751b70f511Pavel Reichl }
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek } else if (ret != EOK) {
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek DEBUG(SSSDBG_OP_FAILURE,
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov "Could not collect groups of user %s\n", state->username);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek tevent_req_error(req, ret);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek return;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek }
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
8e195a545d41647e591c1d06082133cbd25dc0a4Jakub Hrozek ret = simple_check_groups(state->ctx, state->group_names,
8e195a545d41647e591c1d06082133cbd25dc0a4Jakub Hrozek &state->access_granted);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek if (ret != EOK) {
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_OP_FAILURE, "Could not check group access [%d]: %s\n",
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov ret, sss_strerror(ret));
18f01e63c1968c29bddb9e48c279b583c0444730Jakub Hrozek tevent_req_error(req, ERR_INTERNAL);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek return;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek }
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek /* Now just return whatever we decided */
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_TRACE_INTERNAL, "Group check done\n");
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek tevent_req_done(req);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek}
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozekerrno_t simple_access_check_recv(struct tevent_req *req, bool *access_granted)
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek{
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek struct simple_access_check_state *state =
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek tevent_req_data(req, struct simple_access_check_state);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek TEVENT_REQ_RETURN_ON_ERROR(req);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek DEBUG(SSSDBG_TRACE_LIBS,
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov "Access %sgranted\n", state->access_granted ? "" : "not ");
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek if (access_granted) {
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek *access_granted = state->access_granted;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek }
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek return EOK;
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce}