simple_access_check.c revision cc2d77d5218c188119fa954c856e858cbde76947
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce/*
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce SSSD
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce Simple access control
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce Copyright (C) Sumit Bose <sbose@redhat.com> 2010
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce This program is free software; you can redistribute it and/or modify
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce it under the terms of the GNU General Public License as published by
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce the Free Software Foundation; either version 3 of the License, or
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce (at your option) any later version.
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce This program is distributed in the hope that it will be useful,
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce but WITHOUT ANY WARRANTY; without even the implied warranty of
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce GNU General Public License for more details.
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce You should have received a copy of the GNU General Public License
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce along with this program. If not, see <http://www.gnu.org/licenses/>.
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce*/
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce
cc2d77d5218c188119fa954c856e858cbde76947Pavel Březina#include "providers/backend.h"
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce#include "providers/simple/simple_access.h"
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce#include "util/sss_utf8.h"
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce#include "db/sysdb.h"
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce
79f128801d598ca57a6acebade01136525a47e00Pavel Reichl#define NON_EXIST_USR_ALLOW "The user %s does not exist. Possible typo in simple_allow_users.\n"
79f128801d598ca57a6acebade01136525a47e00Pavel Reichl#define NON_EXIST_USR_DENY "The user %s does not exist. Possible typo in simple_deny_users.\n"
79f128801d598ca57a6acebade01136525a47e00Pavel Reichl#define NON_EXIST_GRP_ALLOW "The group %s does not exist. Possible typo in simple_allow_groups.\n"
79f128801d598ca57a6acebade01136525a47e00Pavel Reichl#define NON_EXIST_GRP_DENY "The group %s does not exist. Possible typo in simple_deny_groups.\n"
79f128801d598ca57a6acebade01136525a47e00Pavel Reichl
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozekstatic bool
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozekis_posix(const struct ldb_message *group)
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce{
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek const char *val;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek val = ldb_msg_find_attr_as_string(group, SYSDB_POSIX, NULL);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek if (!val || /* Groups are posix by default */
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek strcasecmp(val, "TRUE") == 0) {
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek return true;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek }
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek return false;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek}
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek/* Returns EOK if the result is definitive, EAGAIN if only partial result
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek */
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozekstatic errno_t
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozeksimple_check_users(struct simple_ctx *ctx, const char *username,
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek bool *access_granted)
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek{
a0d010f488bf15fb3e170ce04092013fa494401fPavel Březina struct sss_domain_info *domain = NULL;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek int i;
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce /* First, check whether the user is in the allowed users list */
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce if (ctx->allow_users != NULL) {
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce for(i = 0; ctx->allow_users[i] != NULL; i++) {
b011330c77168cdd864aaae54a75214935136c05Pavel Reichl domain = find_domain_by_object_name(ctx->domain,
b011330c77168cdd864aaae54a75214935136c05Pavel Reichl ctx->allow_users[i]);
a0d010f488bf15fb3e170ce04092013fa494401fPavel Březina if (domain == NULL) {
79f128801d598ca57a6acebade01136525a47e00Pavel Reichl DEBUG(SSSDBG_CRIT_FAILURE, NON_EXIST_USR_ALLOW,
79f128801d598ca57a6acebade01136525a47e00Pavel Reichl ctx->allow_users[i]);
79f128801d598ca57a6acebade01136525a47e00Pavel Reichl sss_log(SSS_LOG_CRIT, NON_EXIST_USR_ALLOW,
79f128801d598ca57a6acebade01136525a47e00Pavel Reichl ctx->allow_users[i]);
79f128801d598ca57a6acebade01136525a47e00Pavel Reichl continue;
a0d010f488bf15fb3e170ce04092013fa494401fPavel Březina }
a0d010f488bf15fb3e170ce04092013fa494401fPavel Březina
a0d010f488bf15fb3e170ce04092013fa494401fPavel Březina if (sss_string_equal(domain->case_sensitive, username,
a0d010f488bf15fb3e170ce04092013fa494401fPavel Březina ctx->allow_users[i])) {
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek DEBUG(SSSDBG_TRACE_LIBS,
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov "User [%s] found in allow list, access granted.\n",
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov username);
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce /* Do not return immediately on explicit allow
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce * We need to make sure none of the user's groups
958037cf32ea156dfdde426a45ac1d972fe46618Pavel Reichl * are denied. But there's no need to check username
958037cf32ea156dfdde426a45ac1d972fe46618Pavel Reichl * matches any more.
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce */
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce *access_granted = true;
958037cf32ea156dfdde426a45ac1d972fe46618Pavel Reichl break;
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce }
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce }
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce } else if (!ctx->allow_groups) {
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce /* If neither allow rule is in place, we'll assume allowed
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce * unless a deny rule disables us below.
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce */
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek DEBUG(SSSDBG_TRACE_LIBS,
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov "No allow rule, assumuing allow unless explicitly denied\n");
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce *access_granted = true;
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce }
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce /* Next check whether this user has been specifically denied */
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce if (ctx->deny_users != NULL) {
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce for(i = 0; ctx->deny_users[i] != NULL; i++) {
b011330c77168cdd864aaae54a75214935136c05Pavel Reichl domain = find_domain_by_object_name(ctx->domain,
b011330c77168cdd864aaae54a75214935136c05Pavel Reichl ctx->deny_users[i]);
a0d010f488bf15fb3e170ce04092013fa494401fPavel Březina if (domain == NULL) {
79f128801d598ca57a6acebade01136525a47e00Pavel Reichl DEBUG(SSSDBG_CRIT_FAILURE, NON_EXIST_USR_DENY,
79f128801d598ca57a6acebade01136525a47e00Pavel Reichl ctx->deny_users[i]);
79f128801d598ca57a6acebade01136525a47e00Pavel Reichl sss_log(SSS_LOG_CRIT, NON_EXIST_USR_DENY,
79f128801d598ca57a6acebade01136525a47e00Pavel Reichl ctx->deny_users[i]);
a0d010f488bf15fb3e170ce04092013fa494401fPavel Březina return EINVAL;
a0d010f488bf15fb3e170ce04092013fa494401fPavel Březina }
a0d010f488bf15fb3e170ce04092013fa494401fPavel Březina
a0d010f488bf15fb3e170ce04092013fa494401fPavel Březina if (sss_string_equal(domain->case_sensitive, username,
a0d010f488bf15fb3e170ce04092013fa494401fPavel Březina ctx->deny_users[i])) {
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek DEBUG(SSSDBG_TRACE_LIBS,
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov "User [%s] found in deny list, access denied.\n",
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov ctx->deny_users[i]);
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce /* Return immediately on explicit denial */
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce *access_granted = false;
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce return EOK;
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce }
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce }
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce }
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek return EAGAIN;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek}
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozekstatic errno_t
8e195a545d41647e591c1d06082133cbd25dc0a4Jakub Hrozeksimple_check_groups(struct simple_ctx *ctx, const char **group_names,
8e195a545d41647e591c1d06082133cbd25dc0a4Jakub Hrozek bool *access_granted)
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek{
a0d010f488bf15fb3e170ce04092013fa494401fPavel Březina struct sss_domain_info *domain = NULL;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek bool matched;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek int i, j;
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce /* Now process allow and deny group rules
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce * If access was already granted above, we'll skip
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce * this redundant rule check
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce */
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce if (ctx->allow_groups && !*access_granted) {
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce matched = false;
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce for (i = 0; ctx->allow_groups[i]; i++) {
b011330c77168cdd864aaae54a75214935136c05Pavel Reichl domain = find_domain_by_object_name(ctx->domain,
b011330c77168cdd864aaae54a75214935136c05Pavel Reichl ctx->allow_groups[i]);
a0d010f488bf15fb3e170ce04092013fa494401fPavel Březina if (domain == NULL) {
79f128801d598ca57a6acebade01136525a47e00Pavel Reichl DEBUG(SSSDBG_CRIT_FAILURE, NON_EXIST_GRP_ALLOW,
79f128801d598ca57a6acebade01136525a47e00Pavel Reichl ctx->allow_groups[i]);
79f128801d598ca57a6acebade01136525a47e00Pavel Reichl sss_log(SSS_LOG_CRIT, NON_EXIST_GRP_ALLOW,
79f128801d598ca57a6acebade01136525a47e00Pavel Reichl ctx->allow_groups[i]);
79f128801d598ca57a6acebade01136525a47e00Pavel Reichl
79f128801d598ca57a6acebade01136525a47e00Pavel Reichl continue;
a0d010f488bf15fb3e170ce04092013fa494401fPavel Březina }
a0d010f488bf15fb3e170ce04092013fa494401fPavel Březina
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek for(j = 0; group_names[j]; j++) {
a0d010f488bf15fb3e170ce04092013fa494401fPavel Březina if (sss_string_equal(domain->case_sensitive,
a0d010f488bf15fb3e170ce04092013fa494401fPavel Březina group_names[j], ctx->allow_groups[i])) {
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce matched = true;
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce break;
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce }
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce }
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce /* If any group has matched, we can skip out on the
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce * processing early
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce */
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce if (matched) {
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek DEBUG(SSSDBG_TRACE_LIBS,
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov "Group [%s] found in allow list, access granted.\n",
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov group_names[j]);
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce *access_granted = true;
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce break;
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce }
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce }
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce }
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce /* Finally, process the deny group rules */
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce if (ctx->deny_groups) {
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce matched = false;
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce for (i = 0; ctx->deny_groups[i]; i++) {
b011330c77168cdd864aaae54a75214935136c05Pavel Reichl domain = find_domain_by_object_name(ctx->domain,
b011330c77168cdd864aaae54a75214935136c05Pavel Reichl ctx->deny_groups[i]);
a0d010f488bf15fb3e170ce04092013fa494401fPavel Březina if (domain == NULL) {
79f128801d598ca57a6acebade01136525a47e00Pavel Reichl DEBUG(SSSDBG_CRIT_FAILURE, NON_EXIST_GRP_DENY,
79f128801d598ca57a6acebade01136525a47e00Pavel Reichl ctx->deny_groups[i]);
79f128801d598ca57a6acebade01136525a47e00Pavel Reichl sss_log(SSS_LOG_CRIT, NON_EXIST_GRP_DENY,
79f128801d598ca57a6acebade01136525a47e00Pavel Reichl ctx->deny_groups[i]);
79f128801d598ca57a6acebade01136525a47e00Pavel Reichl
a0d010f488bf15fb3e170ce04092013fa494401fPavel Březina return EINVAL;
a0d010f488bf15fb3e170ce04092013fa494401fPavel Březina }
a0d010f488bf15fb3e170ce04092013fa494401fPavel Březina
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek for(j = 0; group_names[j]; j++) {
a0d010f488bf15fb3e170ce04092013fa494401fPavel Březina if (sss_string_equal(domain->case_sensitive,
a0d010f488bf15fb3e170ce04092013fa494401fPavel Březina group_names[j], ctx->deny_groups[i])) {
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce matched = true;
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce break;
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce }
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce }
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce /* If any group has matched, we can skip out on the
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce * processing early
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce */
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce if (matched) {
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek DEBUG(SSSDBG_TRACE_LIBS,
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov "Group [%s] found in deny list, access denied.\n",
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov group_names[j]);
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce *access_granted = false;
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce break;
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce }
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce }
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce }
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek return EOK;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek}
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozekstruct simple_resolve_group_state {
115241b0eeedd033d34d9721a896f031140944d7Pavel Březina struct sss_domain_info *domain;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek gid_t gid;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek struct simple_ctx *ctx;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek const char *name;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek};
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozekstatic errno_t
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozeksimple_resolve_group_check(struct simple_resolve_group_state *state);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozekstatic void simple_resolve_group_done(struct tevent_req *subreq);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozekstatic struct tevent_req *
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozeksimple_resolve_group_send(TALLOC_CTX *mem_ctx,
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek struct tevent_context *ev,
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek struct simple_ctx *ctx,
115241b0eeedd033d34d9721a896f031140944d7Pavel Březina struct sss_domain_info *domain,
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek gid_t gid)
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek{
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek errno_t ret;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek struct tevent_req *req;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek struct tevent_req *subreq;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek struct simple_resolve_group_state *state;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek struct be_acct_req *ar;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek req = tevent_req_create(mem_ctx, &state,
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek struct simple_resolve_group_state);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek if (!req) return NULL;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
115241b0eeedd033d34d9721a896f031140944d7Pavel Březina state->domain = domain;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek state->gid = gid;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek state->ctx = ctx;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek /* First check if the group was updated already. If it was (maybe its
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek * parent was updated first), then just shortcut */
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek ret = simple_resolve_group_check(state);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek if (ret == EOK) {
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_TRACE_LIBS, "Group already updated\n");
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek ret = EOK;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek goto done;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek } else if (ret != EAGAIN) {
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek DEBUG(SSSDBG_OP_FAILURE,
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov "Cannot check if group was already updated [%d]: %s\n",
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov ret, sss_strerror(ret));
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek goto done;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek }
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek /* EAGAIN - still needs update */
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek ar = talloc(state, struct be_acct_req);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek if (!ar) {
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek ret = ENOMEM;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek goto done;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek }
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek ar->entry_type = BE_REQ_GROUP;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek ar->attr_type = BE_ATTR_CORE;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek ar->filter_type = BE_FILTER_IDNUM;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek ar->filter_value = talloc_asprintf(ar, "%llu", (unsigned long long) gid);
115241b0eeedd033d34d9721a896f031140944d7Pavel Březina ar->domain = talloc_strdup(ar, state->domain->name);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek if (!ar->domain || !ar->filter_value) {
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek ret = ENOMEM;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek goto done;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek }
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek subreq = be_get_account_info_send(state, ev, NULL, ctx->be_ctx, ar);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek if (!subreq) {
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek ret = ENOMEM;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek goto done;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek }
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek tevent_req_set_callback(subreq, simple_resolve_group_done, req);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek return req;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozekdone:
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek if (ret == EOK) {
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek tevent_req_done(req);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek } else {
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek tevent_req_error(req, ret);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek }
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek tevent_req_post(req, ev);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek return req;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek}
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozekstatic errno_t
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozeksimple_resolve_group_check(struct simple_resolve_group_state *state)
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek{
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek errno_t ret;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek struct ldb_message *group;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek const char *group_attrs[] = { SYSDB_NAME, SYSDB_POSIX,
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek SYSDB_GIDNUM, NULL };
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek /* Check the cache by GID again and fetch the name */
4c08db0fb0dda3d27b1184248ca5c800d7ce23f0Michal Zidek ret = sysdb_search_group_by_gid(state, state->domain, state->gid,
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek group_attrs, &group);
115241b0eeedd033d34d9721a896f031140944d7Pavel Březina if (ret == ENOENT) {
115241b0eeedd033d34d9721a896f031140944d7Pavel Březina /* The group is missing, we will try to update it. */
115241b0eeedd033d34d9721a896f031140944d7Pavel Březina return EAGAIN;
115241b0eeedd033d34d9721a896f031140944d7Pavel Březina } else if (ret != EOK) {
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek DEBUG(SSSDBG_OP_FAILURE,
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov "Could not look up group by gid [%"SPRIgid"]: [%d][%s]\n",
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov state->gid, ret, sss_strerror(ret));
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek return ret;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek }
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek state->name = ldb_msg_find_attr_as_string(group, SYSDB_NAME, NULL);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek if (!state->name) {
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_OP_FAILURE, "No group name\n");
18f01e63c1968c29bddb9e48c279b583c0444730Jakub Hrozek return ERR_ACCOUNT_UNKNOWN;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek }
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek if (is_posix(group) == false) {
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek DEBUG(SSSDBG_TRACE_LIBS,
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov "The group is still non-POSIX\n");
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek return EAGAIN;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek }
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_TRACE_LIBS, "Got POSIX group\n");
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek return EOK;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek}
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozekstatic void simple_resolve_group_done(struct tevent_req *subreq)
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek{
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek struct tevent_req *req;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek struct simple_resolve_group_state *state;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek int err_maj;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek int err_min;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek errno_t ret;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek const char *err_msg;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek req = tevent_req_callback_data(subreq, struct tevent_req);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek state = tevent_req_data(req, struct simple_resolve_group_state);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek ret = be_get_account_info_recv(subreq, state,
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek &err_maj, &err_min, &err_msg);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek talloc_zfree(subreq);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek if (ret) {
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_OP_FAILURE, "be_get_account_info_recv failed\n");
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek tevent_req_error(req, ret);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek return;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek }
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek if (err_maj) {
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek DEBUG(SSSDBG_MINOR_FAILURE,
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov "Cannot refresh data from DP: %u,%u: %s\n",
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov err_maj, err_min, err_msg);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek tevent_req_error(req, EIO);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek return;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek }
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek /* Check the cache by GID again and fetch the name */
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek ret = simple_resolve_group_check(state);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek if (ret != EOK) {
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_OP_FAILURE, "Refresh failed\n");
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek tevent_req_error(req, ret);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek return;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek }
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek tevent_req_done(req);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek}
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozekstatic errno_t
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozeksimple_resolve_group_recv(struct tevent_req *req,
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek TALLOC_CTX *mem_ctx,
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek const char **name)
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek{
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek struct simple_resolve_group_state *state;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek state = tevent_req_data(req, struct simple_resolve_group_state);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek TEVENT_REQ_RETURN_ON_ERROR(req);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek *name = talloc_strdup(mem_ctx, state->name);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek return EOK;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek}
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
115241b0eeedd033d34d9721a896f031140944d7Pavel Březinastruct simple_group {
115241b0eeedd033d34d9721a896f031140944d7Pavel Březina struct sss_domain_info *domain;
115241b0eeedd033d34d9721a896f031140944d7Pavel Březina gid_t gid;
115241b0eeedd033d34d9721a896f031140944d7Pavel Březina};
115241b0eeedd033d34d9721a896f031140944d7Pavel Březina
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozekstruct simple_check_groups_state {
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek struct tevent_context *ev;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek struct simple_ctx *ctx;
115241b0eeedd033d34d9721a896f031140944d7Pavel Březina struct sss_domain_info *domain;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
115241b0eeedd033d34d9721a896f031140944d7Pavel Březina struct simple_group *lookup_groups;
115241b0eeedd033d34d9721a896f031140944d7Pavel Březina size_t num_groups;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek size_t giter;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek const char **group_names;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek size_t num_names;
82a958e6592c4a4078e45b7197bbe4751b70f511Pavel Reichl
82a958e6592c4a4078e45b7197bbe4751b70f511Pavel Reichl bool failed_to_resolve_groups;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek};
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozekstatic void simple_check_get_groups_next(struct tevent_req *subreq);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozekstatic errno_t
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozeksimple_check_get_groups_primary(struct simple_check_groups_state *state,
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek gid_t gid);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozekstatic errno_t
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozeksimple_check_process_group(struct simple_check_groups_state *state,
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek struct ldb_message *group);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozekstatic struct tevent_req *
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozeksimple_check_get_groups_send(TALLOC_CTX *mem_ctx,
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek struct tevent_context *ev,
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek struct simple_ctx *ctx,
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek const char *username)
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek{
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek errno_t ret;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek struct tevent_req *req;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek struct tevent_req *subreq;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek struct simple_check_groups_state *state;
115241b0eeedd033d34d9721a896f031140944d7Pavel Březina const char *attrs[] = { SYSDB_NAME, SYSDB_POSIX, SYSDB_GIDNUM,
115241b0eeedd033d34d9721a896f031140944d7Pavel Březina SYSDB_SID_STR, NULL };
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek size_t group_count;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek struct ldb_message *user;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek struct ldb_message **groups;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek int i;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek gid_t gid;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek req = tevent_req_create(mem_ctx, &state,
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek struct simple_check_groups_state);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek if (!req) return NULL;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek state->ev = ev;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek state->ctx = ctx;
82a958e6592c4a4078e45b7197bbe4751b70f511Pavel Reichl state->failed_to_resolve_groups = false;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_TRACE_LIBS, "Looking up groups for user %s\n", username);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
115241b0eeedd033d34d9721a896f031140944d7Pavel Březina /* get domain from username */
b011330c77168cdd864aaae54a75214935136c05Pavel Reichl state->domain = find_domain_by_object_name(ctx->domain, username);
115241b0eeedd033d34d9721a896f031140944d7Pavel Březina if (state->domain == NULL) {
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_CRIT_FAILURE, "Invalid user %s!\n", username);
115241b0eeedd033d34d9721a896f031140944d7Pavel Březina ret = EINVAL;
115241b0eeedd033d34d9721a896f031140944d7Pavel Březina goto done;
115241b0eeedd033d34d9721a896f031140944d7Pavel Březina }
115241b0eeedd033d34d9721a896f031140944d7Pavel Březina
4c08db0fb0dda3d27b1184248ca5c800d7ce23f0Michal Zidek ret = sysdb_search_user_by_name(state, state->domain, username, attrs,
4c08db0fb0dda3d27b1184248ca5c800d7ce23f0Michal Zidek &user);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek if (ret == ENOENT) {
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_MINOR_FAILURE, "No such user %s\n", username);
18f01e63c1968c29bddb9e48c279b583c0444730Jakub Hrozek ret = ERR_ACCOUNT_UNKNOWN;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek goto done;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek } else if (ret != EOK) {
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek DEBUG(SSSDBG_OP_FAILURE,
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov "Could not look up username [%s]: [%d][%s]\n",
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov username, ret, sss_strerror(ret));
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek goto done;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek }
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
d115f40c7a3999e3cbe705a2ff9cf0fd493f80fbMichal Zidek ret = sysdb_asq_search(state, state->domain,
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek user->dn, NULL, SYSDB_MEMBEROF,
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek attrs, &group_count, &groups);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek if (ret != EOK) {
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek goto done;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek }
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek DEBUG(SSSDBG_TRACE_FUNC,
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov "User %s is a member of %zu supplemental groups\n",
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov username, group_count);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek /* One extra space for terminator, one extra space for private group */
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek state->group_names = talloc_zero_array(state, const char *, group_count + 2);
115241b0eeedd033d34d9721a896f031140944d7Pavel Březina state->lookup_groups = talloc_zero_array(state, struct simple_group,
115241b0eeedd033d34d9721a896f031140944d7Pavel Březina group_count + 2);
115241b0eeedd033d34d9721a896f031140944d7Pavel Březina if (!state->group_names || !state->lookup_groups) {
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek ret = ENOMEM;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek goto done;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek }
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek for (i=0; i < group_count; i++) {
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek /* Some providers (like the AD provider) might perform initgroups
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek * without resolving the group names. In order for the simple access
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek * provider to work correctly, we need to resolve the groups before
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek * performing the access check. In AD provider, the situation is
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek * even more tricky b/c the groups HAVE name, but their name
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek * attribute is set to SID and they are set as non-POSIX
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek */
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek ret = simple_check_process_group(state, groups[i]);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek if (ret != EOK) {
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek goto done;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek }
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek }
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek gid = ldb_msg_find_attr_as_uint64(user, SYSDB_GIDNUM, 0);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek if (!gid) {
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_MINOR_FAILURE, "User %s has no gid?\n", username);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek ret = EINVAL;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek goto done;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek }
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek ret = simple_check_get_groups_primary(state, gid);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek if (ret != EOK) {
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek goto done;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek }
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
115241b0eeedd033d34d9721a896f031140944d7Pavel Březina if (state->num_groups == 0) {
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek /* If all groups could have been resolved by name, we are
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek * done
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek */
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_TRACE_FUNC, "All groups had name attribute\n");
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek ret = EOK;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek goto done;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek }
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_TRACE_FUNC, "Need to resolve %zu groups\n",
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov state->num_groups);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek state->giter = 0;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek subreq = simple_resolve_group_send(req, state->ev, state->ctx,
115241b0eeedd033d34d9721a896f031140944d7Pavel Březina state->lookup_groups[state->giter].domain,
115241b0eeedd033d34d9721a896f031140944d7Pavel Březina state->lookup_groups[state->giter].gid);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek if (!subreq) {
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek ret = ENOMEM;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek goto done;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek }
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek tevent_req_set_callback(subreq, simple_check_get_groups_next, req);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek return req;
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorcedone:
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek if (ret == EOK) {
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek tevent_req_done(req);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek } else {
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek tevent_req_error(req, ret);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek }
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek tevent_req_post(req, ev);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek return req;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek}
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozekstatic void simple_check_get_groups_next(struct tevent_req *subreq)
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek{
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek struct tevent_req *req =
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek tevent_req_callback_data(subreq, struct tevent_req);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek struct simple_check_groups_state *state =
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek tevent_req_data(req, struct simple_check_groups_state);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek errno_t ret;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek ret = simple_resolve_group_recv(subreq, state->group_names,
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek &state->group_names[state->num_names]);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek talloc_zfree(subreq);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek if (ret != EOK) {
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek DEBUG(SSSDBG_OP_FAILURE,
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov "Could not resolve name of group with GID %"SPRIgid"\n",
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov state->lookup_groups[state->giter].gid);
82a958e6592c4a4078e45b7197bbe4751b70f511Pavel Reichl state->failed_to_resolve_groups = true;
82a958e6592c4a4078e45b7197bbe4751b70f511Pavel Reichl } else {
82a958e6592c4a4078e45b7197bbe4751b70f511Pavel Reichl state->num_names++;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek }
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek state->giter++;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
115241b0eeedd033d34d9721a896f031140944d7Pavel Březina if (state->giter < state->num_groups) {
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek subreq = simple_resolve_group_send(req, state->ev, state->ctx,
115241b0eeedd033d34d9721a896f031140944d7Pavel Březina state->lookup_groups[state->giter].domain,
115241b0eeedd033d34d9721a896f031140944d7Pavel Březina state->lookup_groups[state->giter].gid);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek if (!subreq) {
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek tevent_req_error(req, ENOMEM);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek return;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek }
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek tevent_req_set_callback(subreq, simple_check_get_groups_next, req);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek return;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek }
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_TRACE_INTERNAL, "All groups resolved. Done.\n");
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek tevent_req_done(req);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek}
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozekstatic errno_t
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozeksimple_check_process_group(struct simple_check_groups_state *state,
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek struct ldb_message *group)
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek{
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek const char *name;
115241b0eeedd033d34d9721a896f031140944d7Pavel Březina const char *group_sid;
115241b0eeedd033d34d9721a896f031140944d7Pavel Březina struct sss_domain_info *domain;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek gid_t gid;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek bool posix;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek posix = is_posix(group);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek name = ldb_msg_find_attr_as_string(group, SYSDB_NAME, NULL);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek gid = ldb_msg_find_attr_as_uint64(group, SYSDB_GIDNUM, 0);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek /* With the current sysdb layout, every group has a name */
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek if (name == NULL) {
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek return EINVAL;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek }
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek if (gid == 0) {
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek if (posix == true) {
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_CRIT_FAILURE, "POSIX group without GID\n");
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek return EINVAL;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek }
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek /* Non-posix group with a name. Still can be used for access
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek * control as the name should point to the real name, no SID
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek */
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek state->group_names[state->num_names] = talloc_strdup(state->group_names,
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek name);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek if (!state->group_names[state->num_names]) {
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek return ENOMEM;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek }
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_TRACE_INTERNAL, "Adding group %s\n", name);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek state->num_names++;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek return EOK;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek }
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek /* Here are only groups with a name and gid. POSIX group can already
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek * be used, non-POSIX groups can be resolved */
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek if (posix) {
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek state->group_names[state->num_names] = talloc_strdup(state->group_names,
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek name);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek if (!state->group_names[state->num_names]) {
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek return ENOMEM;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek }
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_TRACE_INTERNAL, "Adding group %s\n", name);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek state->num_names++;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek return EOK;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek }
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
115241b0eeedd033d34d9721a896f031140944d7Pavel Březina /* Try to get group SID and assign it a domain */
115241b0eeedd033d34d9721a896f031140944d7Pavel Březina group_sid = ldb_msg_find_attr_as_string(group, SYSDB_SID_STR, NULL);
115241b0eeedd033d34d9721a896f031140944d7Pavel Březina if (group_sid == NULL) {
115241b0eeedd033d34d9721a896f031140944d7Pavel Březina /* We will look it up in main domain. */
115241b0eeedd033d34d9721a896f031140944d7Pavel Březina domain = state->ctx->domain;
115241b0eeedd033d34d9721a896f031140944d7Pavel Březina } else {
9ca0071db0e226e4e65b2a80fdeddd5048ca8990Pavel Reichl domain = find_domain_by_sid(state->ctx->domain, group_sid);
115241b0eeedd033d34d9721a896f031140944d7Pavel Březina if (domain == NULL) {
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_CRIT_FAILURE, "There is no domain information for "
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov "SID %s\n", group_sid);
115241b0eeedd033d34d9721a896f031140944d7Pavel Březina return ENOENT;
115241b0eeedd033d34d9721a896f031140944d7Pavel Březina }
115241b0eeedd033d34d9721a896f031140944d7Pavel Březina }
115241b0eeedd033d34d9721a896f031140944d7Pavel Březina
115241b0eeedd033d34d9721a896f031140944d7Pavel Březina /* It is a non-posix group with a GID. Needs resolving */
115241b0eeedd033d34d9721a896f031140944d7Pavel Březina state->lookup_groups[state->num_groups].domain = domain;
115241b0eeedd033d34d9721a896f031140944d7Pavel Březina state->lookup_groups[state->num_groups].gid = gid;
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_TRACE_INTERNAL, "Adding GID %"SPRIgid"\n", gid);
115241b0eeedd033d34d9721a896f031140944d7Pavel Březina state->num_groups++;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek return EOK;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek}
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozekstatic errno_t
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozeksimple_check_get_groups_primary(struct simple_check_groups_state *state,
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek gid_t gid)
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek{
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek errno_t ret;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek const char *group_attrs[] = { SYSDB_NAME, SYSDB_POSIX,
115241b0eeedd033d34d9721a896f031140944d7Pavel Březina SYSDB_GIDNUM, SYSDB_SID_STR, NULL };
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek struct ldb_message *msg;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
4c08db0fb0dda3d27b1184248ca5c800d7ce23f0Michal Zidek ret = sysdb_search_group_by_gid(state, state->domain, gid, group_attrs,
4c08db0fb0dda3d27b1184248ca5c800d7ce23f0Michal Zidek &msg);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek if (ret != EOK) {
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek DEBUG(SSSDBG_OP_FAILURE,
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov "Could not look up primary group [%"SPRIgid"]: [%d][%s]\n",
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov gid, ret, sss_strerror(ret));
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek /* We have to treat this as non-fatal, because the primary
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek * group may be local to the machine and not available in
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek * our ID provider.
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek */
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek } else {
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek ret = simple_check_process_group(state, msg);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek if (ret != EOK) {
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_OP_FAILURE, "Cannot process primary group\n");
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek return ret;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek }
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek }
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek return EOK;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek}
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozekstatic errno_t
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozeksimple_check_get_groups_recv(struct tevent_req *req,
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek TALLOC_CTX *mem_ctx,
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek const char ***_group_names)
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek{
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek struct simple_check_groups_state *state;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek state = tevent_req_data(req, struct simple_check_groups_state);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek TEVENT_REQ_RETURN_ON_ERROR(req);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek *_group_names = talloc_steal(mem_ctx, state->group_names);
82a958e6592c4a4078e45b7197bbe4751b70f511Pavel Reichl if (state->failed_to_resolve_groups) {
82a958e6592c4a4078e45b7197bbe4751b70f511Pavel Reichl return ERR_SIMPLE_GROUPS_MISSING;
82a958e6592c4a4078e45b7197bbe4751b70f511Pavel Reichl }
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek return EOK;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek}
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozekstruct simple_access_check_state {
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek bool access_granted;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek struct simple_ctx *ctx;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek const char *username;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek const char **group_names;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek};
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozekstatic void simple_access_check_done(struct tevent_req *subreq);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozekstruct tevent_req *simple_access_check_send(TALLOC_CTX *mem_ctx,
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek struct tevent_context *ev,
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek struct simple_ctx *ctx,
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek const char *username)
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek{
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek errno_t ret;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek struct tevent_req *req;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek struct tevent_req *subreq;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek struct simple_access_check_state *state;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek req = tevent_req_create(mem_ctx, &state,
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek struct simple_access_check_state);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek if (!req) return NULL;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek state->access_granted = false;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek state->ctx = ctx;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek state->username = talloc_strdup(state, username);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek if (!state->username) {
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek ret = ENOMEM;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek goto immediate;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek }
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_FUNC_DATA, "Simple access check for %s\n", username);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek ret = simple_check_users(ctx, username, &state->access_granted);
18f01e63c1968c29bddb9e48c279b583c0444730Jakub Hrozek if (ret == EOK) {
18f01e63c1968c29bddb9e48c279b583c0444730Jakub Hrozek goto immediate;
18f01e63c1968c29bddb9e48c279b583c0444730Jakub Hrozek } else if (ret != EAGAIN) {
18f01e63c1968c29bddb9e48c279b583c0444730Jakub Hrozek ret = ERR_INTERNAL;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek goto immediate;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek }
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
18f01e63c1968c29bddb9e48c279b583c0444730Jakub Hrozek /* EAGAIN -- check groups */
18f01e63c1968c29bddb9e48c279b583c0444730Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek if (!ctx->allow_groups && !ctx->deny_groups) {
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek /* There are no group restrictions, so just return
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek * here with whatever we've decided.
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek */
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_TRACE_LIBS, "No group restrictions, end request\n");
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek ret = EOK;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek goto immediate;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek }
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek /* The group names might not be available. Fire a request to
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek * gather them. In most cases, the request will just shortcut
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek */
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek subreq = simple_check_get_groups_send(state, ev, ctx, username);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek if (!subreq) {
18f01e63c1968c29bddb9e48c279b583c0444730Jakub Hrozek ret = ENOMEM;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek goto immediate;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek }
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek tevent_req_set_callback(subreq, simple_access_check_done, req);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek return req;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozekimmediate:
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek if (ret == EOK) {
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek tevent_req_done(req);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek } else {
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek tevent_req_error(req, ret);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek }
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek tevent_req_post(req, ev);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek return req;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek}
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozekstatic void simple_access_check_done(struct tevent_req *subreq)
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek{
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek struct tevent_req *req =
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek tevent_req_callback_data(subreq, struct tevent_req);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek struct simple_access_check_state *state =
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek tevent_req_data(req, struct simple_access_check_state);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek errno_t ret;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek /* We know the names now. Run the check. */
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek ret = simple_check_get_groups_recv(subreq, state, &state->group_names);
82a958e6592c4a4078e45b7197bbe4751b70f511Pavel Reichl
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek talloc_zfree(subreq);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek if (ret == ENOENT) {
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek /* If the user wasn't found, just shortcut */
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek state->access_granted = false;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek tevent_req_done(req);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek return;
82a958e6592c4a4078e45b7197bbe4751b70f511Pavel Reichl } else if (ret == ERR_SIMPLE_GROUPS_MISSING) {
82a958e6592c4a4078e45b7197bbe4751b70f511Pavel Reichl DEBUG(SSSDBG_OP_FAILURE,
82a958e6592c4a4078e45b7197bbe4751b70f511Pavel Reichl "Could not collect groups of user %s\n", state->username);
82a958e6592c4a4078e45b7197bbe4751b70f511Pavel Reichl if (state->ctx->deny_groups == NULL) {
82a958e6592c4a4078e45b7197bbe4751b70f511Pavel Reichl DEBUG(SSSDBG_TRACE_FUNC,
82a958e6592c4a4078e45b7197bbe4751b70f511Pavel Reichl "But no deny groups were defined so we can continue.\n");
82a958e6592c4a4078e45b7197bbe4751b70f511Pavel Reichl } else {
82a958e6592c4a4078e45b7197bbe4751b70f511Pavel Reichl DEBUG(SSSDBG_OP_FAILURE,
82a958e6592c4a4078e45b7197bbe4751b70f511Pavel Reichl "Some deny groups were defined, we can't continue\n");
82a958e6592c4a4078e45b7197bbe4751b70f511Pavel Reichl tevent_req_error(req, ret);
82a958e6592c4a4078e45b7197bbe4751b70f511Pavel Reichl return;
82a958e6592c4a4078e45b7197bbe4751b70f511Pavel Reichl }
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek } else if (ret != EOK) {
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek DEBUG(SSSDBG_OP_FAILURE,
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov "Could not collect groups of user %s\n", state->username);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek tevent_req_error(req, ret);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek return;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek }
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
8e195a545d41647e591c1d06082133cbd25dc0a4Jakub Hrozek ret = simple_check_groups(state->ctx, state->group_names,
8e195a545d41647e591c1d06082133cbd25dc0a4Jakub Hrozek &state->access_granted);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek if (ret != EOK) {
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_OP_FAILURE, "Could not check group access [%d]: %s\n",
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov ret, sss_strerror(ret));
18f01e63c1968c29bddb9e48c279b583c0444730Jakub Hrozek tevent_req_error(req, ERR_INTERNAL);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek return;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek }
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek /* Now just return whatever we decided */
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_TRACE_INTERNAL, "Group check done\n");
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek tevent_req_done(req);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek}
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozekerrno_t simple_access_check_recv(struct tevent_req *req, bool *access_granted)
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek{
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek struct simple_access_check_state *state =
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek tevent_req_data(req, struct simple_access_check_state);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek TEVENT_REQ_RETURN_ON_ERROR(req);
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek DEBUG(SSSDBG_TRACE_LIBS,
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov "Access %sgranted\n", state->access_granted ? "" : "not ");
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek if (access_granted) {
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek *access_granted = state->access_granted;
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek }
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek
c0bca1722d6f9dfb654ad78397be70f79ff39af1Jakub Hrozek return EOK;
225d845476b6136be9b77f528ed986bba7a7f732Simo Sorce}