#include <stdlib.h>

#include <unistd.h>

#include <fcntl.h>

#include <sys/socket.h>

#include <netinet/in.h>

#include <netinet/tcp.h>

#include "config.h"

#include "providers/ldap/sdap.h"

#include "util/sss_ldap.h"

#include "util/util.h"

const char* sss_ldap_err2string(int err)

{

static const char *password_expired = "Password expired";

switch (err) {

case LDAP_X_SSSD_PASSWORD_EXPIRED:

return password_expired;

default:

return ldap_err2string(err);

}

}

int sss_ldap_get_diagnostic_msg(TALLOC_CTX *mem_ctx, LDAP *ld, char **_errmsg)

{

char *errmsg = NULL;

int optret;

optret = ldap_get_option(ld, SDAP_DIAGNOSTIC_MESSAGE, (void*)&errmsg);

if (optret != LDAP_SUCCESS) {

return EINVAL;

}

*_errmsg = talloc_strdup(mem_ctx, errmsg ? errmsg : "unknown error");

ldap_memfree(errmsg);

if (*_errmsg == NULL) {

return ENOMEM;

}

return EOK;

}

int sss_ldap_control_create(const char *oid, int iscritical,

struct berval *value, int dupval,

LDAPControl **ctrlp)

{

#ifdef HAVE_LDAP_CONTROL_CREATE

return ldap_control_create(oid, iscritical, value, dupval, ctrlp);

#else

LDAPControl *lc = NULL;

if (oid == NULL || ctrlp == NULL) {

return LDAP_PARAM_ERROR;

}

lc = calloc(sizeof(LDAPControl), 1);

if (lc == NULL) {

return LDAP_NO_MEMORY;

}

lc->ldctl_oid = strdup(oid);

if (lc->ldctl_oid == NULL) {

free(lc);

return LDAP_NO_MEMORY;

}

if (value != NULL && value->bv_val != NULL) {

if (dupval == 0) {

lc->ldctl_value = *value;

} else {

ber_dupbv(&lc->ldctl_value, value);

if (lc->ldctl_value.bv_val == NULL) {

free(lc->ldctl_oid);

free(lc);

return LDAP_NO_MEMORY;

}

}

}

lc->ldctl_iscritical = iscritical;

*ctrlp = lc;

return LDAP_SUCCESS;

#endif

}

#ifdef HAVE_LDAP_INIT_FD

struct sdap_async_sys_connect_state {

long old_flags;

struct tevent_fd *fde;

int fd;

socklen_t addr_len;

struct sockaddr_storage addr;

};

static void sdap_async_sys_connect_done(struct tevent_context *ev,

struct tevent_fd *fde, uint16_t flags,

void *priv);

static struct tevent_req *sdap_async_sys_connect_send(TALLOC_CTX *mem_ctx,

struct tevent_context *ev,

int fd,

const struct sockaddr *addr,

socklen_t addr_len)

{

struct tevent_req *req;

struct sdap_async_sys_connect_state *state;

long flags;

int ret;

int fret;

flags = fcntl(fd, F_GETFL, 0);

if (flags == -1) {

DEBUG(1, ("fcntl F_GETFL failed.\n"));

return NULL;

}

req = tevent_req_create(mem_ctx, &state,

struct sdap_async_sys_connect_state);

if (req == NULL) {

DEBUG(1, ("tevent_req_create failed.\n"));

return NULL;

}

state->old_flags = flags;

state->fd = fd;

state->addr_len = addr_len;

memcpy(&state->addr, addr, addr_len);

ret = fcntl(fd, F_SETFL, flags | O_NONBLOCK);

if (ret != EOK) {

DEBUG(1, ("fcntl F_SETFL failed.\n"));

goto done;

}

ret = connect(fd, addr, addr_len);

if (ret == EOK) {

goto done;

}

ret = errno;

switch(ret) {

case EINPROGRESS:

case EINTR:

state->fde = tevent_add_fd(ev, state, fd,

TEVENT_FD_READ | TEVENT_FD_WRITE,

sdap_async_sys_connect_done, req);

if (state->fde == NULL) {

DEBUG(1, ("tevent_add_fd failed.\n"));

ret = ENOMEM;

goto done;

}

return req;

break;

default:

DEBUG(1, ("connect failed [%d][%s].\n", ret, strerror(ret)));

}

done:

fret = fcntl(fd, F_SETFL, flags);

if (fret != EOK) {

DEBUG(1, ("fcntl F_SETFL failed.\n"));

}

if (ret == EOK) {

tevent_req_done(req);

} else {

tevent_req_error(req, ret);

}

tevent_req_post(req, ev);

return req;

}

static void sdap_async_sys_connect_done(struct tevent_context *ev,

struct tevent_fd *fde, uint16_t flags,

void *priv)

{

struct tevent_req *req = talloc_get_type(priv, struct tevent_req);

struct sdap_async_sys_connect_state *state = tevent_req_data(req,

struct sdap_async_sys_connect_state);

int ret;

int fret;

errno = 0;

ret = connect(state->fd, (struct sockaddr *) &state->addr,

state->addr_len);

if (ret != EOK) {

ret = errno;

if (ret == EINPROGRESS || ret == EINTR) {

return; /* Try again later */

}

DEBUG(1, ("connect failed [%d][%s].\n", ret, strerror(ret)));

}

talloc_zfree(fde);

fret = fcntl(state->fd, F_SETFL, state->old_flags);

if (fret != EOK) {

DEBUG(1, ("fcntl F_SETFL failed.\n"));

}

if (ret == EOK) {

tevent_req_done(req);

} else {

tevent_req_error(req, ret);

}

return;

}

static int sdap_async_sys_connect_recv(struct tevent_req *req)

{

TEVENT_REQ_RETURN_ON_ERROR(req);

return EOK;

}

static errno_t set_fd_flags_and_opts(int fd)

{

int ret;

long flags;

int dummy = 1;

flags = fcntl(fd, F_GETFD, 0);

if (flags == -1) {

ret = errno;

DEBUG(1, ("fcntl F_GETFD failed [%d][%s].\n", ret, strerror(ret)));

return ret;

}

flags = fcntl(fd, F_SETFD, flags| FD_CLOEXEC);

if (flags == -1) {

ret = errno;

DEBUG(1, ("fcntl F_SETFD failed [%d][%s].\n", ret, strerror(ret)));

return ret;

}

/* SO_KEEPALIVE and TCP_NODELAY are set by OpenLDAP client libraries but

ret = setsockopt(fd, SOL_SOCKET, SO_KEEPALIVE, &dummy, sizeof(dummy));

if (ret != 0) {

ret = errno;

DEBUG(5, ("setsockopt SO_KEEPALIVE failed.[%d][%s].\n", ret,

strerror(ret)));

}

ret = setsockopt(fd, SOL_TCP, TCP_NODELAY, &dummy, sizeof(dummy));

if (ret != 0) {

ret = errno;

DEBUG(5, ("setsockopt TCP_NODELAY failed.[%d][%s].\n", ret,

strerror(ret)));

}

return EOK;

}

#define LDAP_PROTO_TCP 1 /* ldap:// */

#define LDAP_PROTO_UDP 2 /* reserved */

#define LDAP_PROTO_IPC 3 /* ldapi:// */

#define LDAP_PROTO_EXT 4 /* user-defined socket/sockbuf */

extern int ldap_init_fd(ber_socket_t fd, int proto, const char *url, LDAP **ld);

static void sss_ldap_init_sys_connect_done(struct tevent_req *subreq);

static void sdap_async_sys_connect_timeout(struct tevent_context *ev,

struct tevent_timer *te,

struct timeval tv, void *pvt);

#endif

struct sss_ldap_init_state {

LDAP *ldap;

int sd;

const char *uri;

#ifdef HAVE_LDAP_INIT_FD

struct tevent_timer *connect_timeout;

#endif

};

struct tevent_req *sss_ldap_init_send(TALLOC_CTX *mem_ctx,

struct tevent_context *ev,

const char *uri,

struct sockaddr_storage *addr,

int addr_len, int timeout)

{

int ret = EOK;

struct tevent_req *req;

struct sss_ldap_init_state *state;

req = tevent_req_create(mem_ctx, &state, struct sss_ldap_init_state);

if (req == NULL) {

DEBUG(1, ("tevent_req_create failed.\n"));

return NULL;

}

state->ldap = NULL;

state->uri = uri;

#ifdef HAVE_LDAP_INIT_FD

struct tevent_req *subreq;

struct timeval tv;

state->sd = socket(addr->ss_family, SOCK_STREAM, 0);

if (state->sd == -1) {

ret = errno;

DEBUG(1, ("socket failed [%d][%s].\n", ret, strerror(ret)));

goto fail;

}

ret = set_fd_flags_and_opts(state->sd);

if (ret != EOK) {

DEBUG(1, ("set_fd_flags_and_opts failed.\n"));

goto fail;

}

DEBUG(9, ("Using file descriptor [%d] for LDAP connection.\n", state->sd));

subreq = sdap_async_sys_connect_send(state, ev, state->sd,

(struct sockaddr *) addr, addr_len);

if (subreq == NULL) {

ret = ENOMEM;

DEBUG(1, ("sdap_async_sys_connect_send failed.\n"));

goto fail;

}

DEBUG(6, ("Setting %d seconds timeout for connecting\n", timeout));

tv = tevent_timeval_current_ofs(timeout, 0);

state->connect_timeout = tevent_add_timer(ev, subreq, tv,

sdap_async_sys_connect_timeout,

subreq);

if (state->connect_timeout == NULL) {

DEBUG(1, ("tevent_add_timer failed.\n"));

ret = ENOMEM;

goto fail;

}

tevent_req_set_callback(subreq, sss_ldap_init_sys_connect_done, req);

return req;

fail:

if(state->sd >= 0) {

close(state->sd);

}

tevent_req_error(req, ret);

#else

DEBUG(3, ("ldap_init_fd not available, "

"will use ldap_initialize with uri [%s].\n", uri));

state->sd = -1;

ret = ldap_initialize(&state->ldap, uri);

if (ret == LDAP_SUCCESS) {

tevent_req_done(req);

} else {

DEBUG(1, ("ldap_initialize failed [%s].\n", sss_ldap_err2string(ret)));

if (ret == LDAP_SERVER_DOWN) {

tevent_req_error(req, ETIMEDOUT);

} else {

tevent_req_error(req, EIO);

}

}

#endif

tevent_req_post(req, ev);

return req;

}

#ifdef HAVE_LDAP_INIT_FD

static void sdap_async_sys_connect_timeout(struct tevent_context *ev,

struct tevent_timer *te,

struct timeval tv, void *pvt)

{

struct tevent_req *connection_request;

DEBUG(4, ("The LDAP connection timed out\n"));

connection_request = talloc_get_type(pvt, struct tevent_req);

tevent_req_error(connection_request, ETIMEDOUT);

}

static void sss_ldap_init_sys_connect_done(struct tevent_req *subreq)

{

struct tevent_req *req = tevent_req_callback_data(subreq,

struct tevent_req);

struct sss_ldap_init_state *state = tevent_req_data(req,

struct sss_ldap_init_state);

int ret;

int lret;

talloc_zfree(state->connect_timeout);

ret = sdap_async_sys_connect_recv(subreq);

talloc_zfree(subreq);

if (ret != EOK) {

DEBUG(1, ("sdap_async_sys_connect request failed.\n"));

close(state->sd);

tevent_req_error(req, ret);

return;

}

/* Initialize LDAP handler */

lret = ldap_init_fd(state->sd, LDAP_PROTO_TCP, state->uri, &state->ldap);

if (lret != LDAP_SUCCESS) {

DEBUG(1, ("ldap_init_fd failed: %s. [%ld][%s]\n",

sss_ldap_err2string(lret), state->sd, state->uri));

close(state->sd);

if (lret == LDAP_SERVER_DOWN) {

tevent_req_error(req, ETIMEDOUT);

} else {

tevent_req_error(req, EIO);

}

return;

}

if (ldap_is_ldaps_url(state->uri)) {

lret = ldap_install_tls(state->ldap);

if (lret != LDAP_SUCCESS) {

if (lret == LDAP_LOCAL_ERROR) {

DEBUG(5, ("TLS/SSL already in place.\n"));

} else {

DEBUG(1, ("ldap_install_tls failed: %s\n",

sss_ldap_err2string(lret)));

tevent_req_error(req, EIO);

return;

}

}

}

tevent_req_done(req);

return;

}

#endif

int sss_ldap_init_recv(struct tevent_req *req, LDAP **ldap, int *sd)

{

struct sss_ldap_init_state *state = tevent_req_data(req,

struct sss_ldap_init_state);

TEVENT_REQ_RETURN_ON_ERROR(req);

*ldap = state->ldap;

*sd = state->sd;

return EOK;

}

bool sss_ldap_dn_in_search_bases(TALLOC_CTX *mem_ctx,

const char *dn,

struct sdap_search_base **search_bases,

char **_filter)

{

struct sdap_search_base *base;

int basedn_len, dn_len;

int len_diff;

int i, j;

bool base_confirmed = false;

bool comma_found = false;

bool backslash_found = false;

char *filter = NULL;

bool ret = false;

if (dn == NULL) {

DEBUG(SSSDBG_FUNC_DATA, ("dn is NULL\n"));

ret = false;

goto done;

}

if (search_bases == NULL) {

DEBUG(SSSDBG_FUNC_DATA, ("search_bases is NULL\n"));

ret = false;

goto done;

}

dn_len = strlen(dn);

for (i = 0; search_bases[i] != NULL; i++) {

base = search_bases[i];

basedn_len = strlen(base->basedn);

if (basedn_len > dn_len) {

continue;

}

len_diff = dn_len - basedn_len;

base_confirmed = (strncasecmp(&dn[len_diff], base->basedn, basedn_len) == 0);

if (!base_confirmed) {

continue;

}

switch (base->scope) {

case LDAP_SCOPE_BASE:

/* dn > base? */

if (len_diff != 0) {

continue;

}

break;

case LDAP_SCOPE_ONELEVEL:

if (len_diff == 0) {

/* Base object doesn't belong to scope=one

continue;

}

comma_found = false;

for (j = 0; j < len_diff - 1; j++) { /* ignore comma before base */

if (dn[j] == '\\') {

backslash_found = true;

} else if (dn[j] == ',' && !backslash_found) {

comma_found = true;

break;

} else {

backslash_found = false;

}

}

/* it has at least one more level */

if (comma_found) {

continue;

}

break;

case LDAP_SCOPE_SUBTREE:

/* dn length >= base dn length && base_confirmed == true */

break;

default:

DEBUG(SSSDBG_FUNC_DATA, ("Unsupported scope: %d\n", base->scope));

continue;

}

/*

ret = true;

if (base->filter == NULL || _filter == NULL) {

goto done;

} else {

filter = talloc_strdup_append(filter, base->filter);

if (filter == NULL) {

DEBUG(SSSDBG_CRIT_FAILURE, ("talloc_strdup_append() failed\n"));

ret = false;

goto done;

}

}

}

if (_filter != NULL) {

if (filter != NULL) {

*_filter = talloc_asprintf(mem_ctx, "(|%s)", filter);

if (*_filter == NULL) {

DEBUG(SSSDBG_CRIT_FAILURE, ("talloc_asprintf_append() failed\n"));

ret = false;

goto done;

}

} else {

*_filter = NULL;

}

}

done:

talloc_free(filter);

return ret;

}