/* ========== Functions specific for the native sudo LDAP schema ========== */
static errno_t sdap_sudo_get_usn(TALLOC_CTX *mem_ctx,
struct sysdb_attrs *attrs,
struct sdap_attr_map *map,
const char *name,
char **_usn)
{
const char *usn;
errno_t ret;
if (_usn == NULL) {
return EINVAL;
}
ret = sysdb_attrs_get_string(attrs, map[SDAP_AT_SUDO_USN].sys_name, &usn);
if (ret != EOK) {
DEBUG(SSSDBG_MINOR_FAILURE,
("Failed to retrieve USN value: [%s]\n", strerror(ret)));
return ret;
}
*_usn = talloc_strdup(mem_ctx, usn);
if (*_usn == NULL) {
return ENOMEM;
}
return EOK;
}
/* Both arrays must have the same length! */
static void compare_sysdb_string_array_noorder(struct sysdb_attrs **sysdb_array,
const char **string_array,
size_t len)
{
int i, ii;
errno_t ret;
const char *name;
/* Check the returned groups. The order is irrelevant. */
for (i = 0; i < len; i++) {
ret = sysdb_attrs_get_string(sysdb_array[i], SYSDB_NAME, &name);
assert_int_equal(ret, ERR_OK);
for (ii = 0; ii < len; ii++) {
if (string_array[ii] == NULL) {
continue;
}
if (strcmp(name, string_array[ii]) == 0) {
string_array[ii] = NULL;
break;
}
}
}
for (i = 0; i < len; i++) {
assert_null(string_array[i]);
}
}
static errno_t attr_name(TALLOC_CTX *mem_ctx,
struct sysdb_attrs *entry,
struct sss_domain_info *dom,
const char *attr,
const char **_value)
{
errno_t ret;
const char *orig_name;
char *tmp_name;
char *outname;
ret = sysdb_attrs_get_string(entry, attr, &orig_name);
if (ret != EOK) {
return ret;
}
tmp_name = sss_output_name(mem_ctx, orig_name, dom->case_preserve, 0);
if (tmp_name == NULL) {
return ENOMEM;
}
if (dom->fqnames) {
outname = sss_tc_fqname(mem_ctx, dom->names, dom, tmp_name);
talloc_free(tmp_name);
if (outname == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "sss_replace_space failed\n");
return ENOMEM;
}
} else {
outname = tmp_name;
}
*_value = outname;
return EOK;
}
static void nested_groups_test_one_group_dup_users(void **state)
{
struct nested_groups_test_ctx *test_ctx = NULL;
struct sysdb_attrs *rootgroup = NULL;
struct tevent_req *req = NULL;
TALLOC_CTX *req_mem_ctx = NULL;
errno_t ret;
const char *name;
const char *users[] = { "cn=user1,"USER_BASE_DN,
"cn=user1,"USER_BASE_DN,
NULL };
const struct sysdb_attrs *user1_reply[2] = { NULL };
const struct sysdb_attrs *user2_reply[2] = { NULL };
test_ctx = talloc_get_type_abort(*state, struct nested_groups_test_ctx);
/* mock return values */
rootgroup = mock_sysdb_group_rfc2307bis(test_ctx, GROUP_BASE_DN, 1000,
"rootgroup", users);
user1_reply[0] = mock_sysdb_user(test_ctx, USER_BASE_DN, 2001, "user1");
assert_non_null(user1_reply[0]);
will_return(sdap_get_generic_recv, 1);
will_return(sdap_get_generic_recv, user1_reply);
user2_reply[0] = mock_sysdb_user(test_ctx, USER_BASE_DN, 2001, "user1");
assert_non_null(user2_reply[0]);
will_return(sdap_get_generic_recv, 1);
will_return(sdap_get_generic_recv, user2_reply);
sss_will_return_always(sdap_has_deref_support, false);
/* run test, check for memory leaks */
req_mem_ctx = talloc_new(global_talloc_context);
assert_non_null(req_mem_ctx);
check_leaks_push(req_mem_ctx);
req = sdap_nested_group_send(req_mem_ctx, test_ctx->tctx->ev,
test_ctx->sdap_domain, test_ctx->sdap_opts,
test_ctx->sdap_handle, rootgroup);
assert_non_null(req);
tevent_req_set_callback(req, nested_groups_test_done, test_ctx);
ret = test_ev_loop(test_ctx->tctx);
assert_true(check_leaks_pop(req_mem_ctx) == true);
talloc_zfree(req_mem_ctx);
/* check return code */
assert_int_equal(ret, ERR_OK);
/* Check the users */
assert_int_equal(test_ctx->num_users, 1);
assert_int_equal(test_ctx->num_groups, 1);
ret = sysdb_attrs_get_string(test_ctx->users[0], SYSDB_NAME, &name);
assert_int_equal(ret, ERR_OK);
assert_string_equal(name, "user1");
}
errno_t
ipa_sudo_conv_cmds(struct ipa_sudo_conv *conv,
struct sysdb_attrs **cmds,
size_t num_cmds)
{
const char *key;
const char *cmd;
errno_t ret;
size_t i;
if (num_cmds == 0) {
/* We're done here. */
return EOK;
}
for (i = 0; i < num_cmds; i++) {
ret = sysdb_attrs_get_string(cmds[i], SYSDB_ORIG_DN, &key);
if (ret != EOK) {
DEBUG(SSSDBG_MINOR_FAILURE, "Failed to get command DN, skipping "
"[%d]: %s\n", ret, sss_strerror(ret));
continue;
}
ret = sysdb_attrs_get_string(cmds[i], SYSDB_IPA_SUDOCMD_SUDOCMD, &cmd);
if (ret != EOK) {
DEBUG(SSSDBG_MINOR_FAILURE, "Failed to get command, skipping "
"[%d]: %s\n", ret, sss_strerror(ret));
continue;
}
ret = ipa_sudo_conv_store(conv->cmds, key, discard_const(cmd));
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "Failed to store command into table "
"[%d]: %s\n", ret, sss_strerror(ret));
goto done;
}
}
ret = EOK;
done:
return ret;
}
errno_t
ipa_sudo_conv_cmdgroups(struct ipa_sudo_conv *conv,
struct sysdb_attrs **cmdgroups,
size_t num_cmdgroups)
{
struct ipa_sudo_cmdgroup *cmdgroup = NULL;
const char *key;
errno_t ret;
size_t i;
if (num_cmdgroups == 0) {
/* We're done here. */
return EOK;
}
for (i = 0; i < num_cmdgroups; i++) {
ret = sysdb_attrs_get_string(cmdgroups[i], SYSDB_ORIG_DN, &key);
if (ret != EOK) {
DEBUG(SSSDBG_MINOR_FAILURE, "Failed to get command group DN, "
"skipping [%d]: %s\n", ret, sss_strerror(ret));
continue;
}
cmdgroup = talloc_zero(conv->cmdgroups, struct ipa_sudo_cmdgroup);
if (cmdgroup == NULL) {
ret = ENOMEM;
goto done;
}
ret = process_cmdgroupmember(conv, cmdgroup, cmdgroups[i]);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "Failed to process member "
"[%d]: %s\n", ret, sss_strerror(ret));
return ret;
}
ret = ipa_sudo_conv_store(conv->cmdgroups, key, cmdgroup);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "Failed to store command group into "
"table [%d]: %s\n", ret, sss_strerror(ret));
goto done;
}
cmdgroup = NULL;
}
ret = EOK;
done:
if (ret != EOK) {
talloc_free(cmdgroup);
}
return ret;
}
static errno_t
sdap_save_native_sudorule(TALLOC_CTX *mem_ctx,
struct sysdb_ctx *sysdb_ctx,
struct sss_domain_info *domain,
struct sdap_attr_map *map,
struct sysdb_attrs *attrs,
int cache_timeout,
time_t now,
char **_usn)
{
errno_t ret;
const char *rule_name;
ret = sysdb_attrs_get_string(attrs, map[SDAP_AT_SUDO_NAME].sys_name,
&rule_name);
if (ret == ERANGE) {
DEBUG(SSSDBG_OP_FAILURE, ("Warning: found rule that contains none "
"or multiple CN values. It will be skipped.\n"));
return ret;
} else if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, ("Could not get rule name [%d]: %s\n",
ret, strerror(ret)));
return ret;
}
ret = sysdb_attrs_add_time_t(attrs, SYSDB_CACHE_EXPIRE,
(cache_timeout ? (now + cache_timeout) : 0));
if (ret) {
DEBUG(SSSDBG_OP_FAILURE, ("Could not set sysdb cache expire [%d]: %s\n",
ret, strerror(ret)));
return ret;
}
ret = sdap_sudo_get_usn(mem_ctx, attrs, map, rule_name, _usn);
if (ret != EOK) {
DEBUG(SSSDBG_MINOR_FAILURE, ("Could not read USN from %s\n", rule_name));
*_usn = NULL;
/* but we will store the rule anyway */
}
ret = sysdb_save_sudorule(sysdb_ctx, domain, rule_name, attrs);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, ("Could not save sudorule %s\n", rule_name));
return ret;
}
return ret;
}
/* FIXME: support storing additional attributes */
int sdap_save_user(TALLOC_CTX *memctx,
struct sdap_options *opts,
struct sss_domain_info *dom,
struct sysdb_attrs *attrs,
char **_usn_value,
time_t now)
{
struct ldb_message_element *el;
int ret;
const char *user_name = NULL;
const char *fullname = NULL;
const char *pwd;
const char *gecos;
const char *homedir;
const char *shell;
const char *orig_dn = NULL;
uid_t uid;
gid_t gid;
struct sysdb_attrs *user_attrs;
char *upn = NULL;
size_t i;
int cache_timeout;
char *usn_value = NULL;
char **missing = NULL;
TALLOC_CTX *tmpctx = NULL;
bool use_id_mapping;
char *sid_str;
char *dom_sid_str = NULL;
struct sss_domain_info *subdomain;
DEBUG(SSSDBG_TRACE_FUNC, "Save user\n");
tmpctx = talloc_new(NULL);
if (!tmpctx) {
ret = ENOMEM;
goto done;
}
user_attrs = sysdb_new_attrs(tmpctx);
if (user_attrs == NULL) {
ret = ENOMEM;
goto done;
}
/* Always store SID string if available */
ret = sdap_attrs_get_sid_str(tmpctx, opts->idmap_ctx, attrs,
opts->user_map[SDAP_AT_USER_OBJECTSID].sys_name,
&sid_str);
if (ret == EOK) {
ret = sysdb_attrs_add_string(user_attrs, SYSDB_SID_STR, sid_str);
if (ret != EOK) {
DEBUG(SSSDBG_MINOR_FAILURE, "Could not add SID string: [%s]\n",
sss_strerror(ret));
goto done;
}
} else if (ret == ENOENT) {
DEBUG(SSSDBG_TRACE_ALL, "objectSID: not available for user\n");
sid_str = NULL;
} else {
DEBUG(SSSDBG_MINOR_FAILURE, "Could not identify objectSID: [%s]\n",
sss_strerror(ret));
sid_str = NULL;
}
/* Always store UUID if available */
ret = sysdb_handle_original_uuid(opts->user_map[SDAP_AT_USER_UUID].def_name,
attrs,
opts->user_map[SDAP_AT_USER_UUID].sys_name,
user_attrs, SYSDB_UUID);
if (ret != EOK) {
DEBUG((ret == ENOENT) ? SSSDBG_TRACE_ALL : SSSDBG_MINOR_FAILURE,
"Failed to retrieve UUID [%d][%s].\n", ret, sss_strerror(ret));
}
/* If this object has a SID available, we will determine the correct
* domain by its SID. */
if (sid_str != NULL) {
subdomain = find_domain_by_sid(get_domains_head(dom), sid_str);
if (subdomain) {
dom = subdomain;
} else {
DEBUG(SSSDBG_TRACE_FUNC, "SID %s does not belong to any known "
"domain\n", sid_str);
}
}
ret = sdap_get_user_primary_name(memctx, opts, attrs, dom, &user_name);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "Failed to get user name\n");
goto done;
}
DEBUG(SSSDBG_TRACE_FUNC, "Processing user %s\n", user_name);
if (opts->schema_type == SDAP_SCHEMA_AD) {
ret = sysdb_attrs_get_string(attrs,
opts->user_map[SDAP_AT_USER_FULLNAME].sys_name, &fullname);
if (ret == EOK) {
ret = sysdb_attrs_add_string(user_attrs, SYSDB_FULLNAME, fullname);
if (ret != EOK) {
goto done;
}
} else if (ret != ENOENT) {
goto done;
}
}
ret = sysdb_attrs_get_el(attrs,
opts->user_map[SDAP_AT_USER_PWD].sys_name, &el);
if (ret) goto done;
if (el->num_values == 0) pwd = NULL;
else pwd = (const char *)el->values[0].data;
ret = sysdb_attrs_get_el(attrs,
opts->user_map[SDAP_AT_USER_GECOS].sys_name, &el);
if (ret) goto done;
if (el->num_values == 0) gecos = NULL;
else gecos = (const char *)el->values[0].data;
if (!gecos) {
/* Fall back to the user's full name */
ret = sysdb_attrs_get_el(
attrs,
opts->user_map[SDAP_AT_USER_FULLNAME].sys_name, &el);
if (ret) goto done;
if (el->num_values > 0) gecos = (const char *)el->values[0].data;
}
ret = sysdb_attrs_get_el(attrs,
opts->user_map[SDAP_AT_USER_HOME].sys_name, &el);
if (ret) goto done;
if (el->num_values == 0) homedir = NULL;
else homedir = (const char *)el->values[0].data;
ret = sysdb_attrs_get_el(attrs,
opts->user_map[SDAP_AT_USER_SHELL].sys_name, &el);
if (ret) goto done;
if (el->num_values == 0) shell = NULL;
else shell = (const char *)el->values[0].data;
use_id_mapping = sdap_idmap_domain_has_algorithmic_mapping(opts->idmap_ctx,
dom->name,
sid_str);
/* Retrieve or map the UID as appropriate */
if (use_id_mapping) {
if (sid_str == NULL) {
DEBUG(SSSDBG_MINOR_FAILURE, "SID not available, cannot map a " \
"unix ID to user [%s].\n", user_name);
ret = ENOENT;
goto done;
}
DEBUG(SSSDBG_TRACE_LIBS,
"Mapping user [%s] objectSID [%s] to unix ID\n", user_name, sid_str);
/* Convert the SID into a UNIX user ID */
ret = sdap_idmap_sid_to_unix(opts->idmap_ctx, sid_str, &uid);
if (ret == ENOTSUP) {
DEBUG(SSSDBG_TRACE_FUNC, "Skipping built-in object.\n");
ret = EOK;
goto done;
} else if (ret != EOK) {
goto done;
}
/* Store the UID in the ldap_attrs so it doesn't get
* treated as a missing attribute from LDAP and removed.
*/
ret = sdap_replace_id(attrs, SYSDB_UIDNUM, uid);
if (ret) {
DEBUG(SSSDBG_OP_FAILURE, "Cannot set the id-mapped UID\n");
goto done;
}
} else {
ret = sysdb_attrs_get_uint32_t(attrs,
opts->user_map[SDAP_AT_USER_UID].sys_name,
&uid);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE,
"no uid provided for [%s] in domain [%s].\n",
user_name, dom->name);
ret = EINVAL;
goto done;
}
}
/* check that the uid is valid for this domain */
if (OUT_OF_ID_RANGE(uid, dom->id_min, dom->id_max)) {
DEBUG(SSSDBG_OP_FAILURE,
"User [%s] filtered out! (uid out of range)\n",
user_name);
ret = EINVAL;
goto done;
}
if (use_id_mapping) {
ret = sdap_get_idmap_primary_gid(opts, attrs, sid_str, dom_sid_str,
&gid);
if (ret) {
DEBUG(SSSDBG_CRIT_FAILURE,
"Cannot get the GID for [%s] in domain [%s].\n",
user_name, dom->name);
goto done;
}
if (IS_SUBDOMAIN(dom)) {
/* For subdomain users, only create the private group as
* the subdomain is an MPG domain.
* But we have to save the GID of the original primary group
* becasuse otherwise this information might be lost because
* typically (Unix and AD) the user is not listed in his primary
* group as a member.
*/
ret = sysdb_attrs_add_uint32(user_attrs, SYSDB_PRIMARY_GROUP_GIDNUM,
(uint32_t) gid);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_add_uint32 failed.\n");
goto done;
}
gid = 0;
}
/* Store the GID in the ldap_attrs so it doesn't get
* treated as a missing attribute from LDAP and removed.
*/
ret = sysdb_attrs_add_uint32(attrs, SYSDB_GIDNUM, gid);
if (ret != EOK) goto done;
} else {
ret = sysdb_attrs_get_uint32_t(attrs,
opts->user_map[SDAP_AT_USER_GID].sys_name,
&gid);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE,
"no gid provided for [%s] in domain [%s].\n",
user_name, dom->name);
ret = EINVAL;
goto done;
}
}
/* check that the gid is valid for this domain */
if (IS_SUBDOMAIN(dom) == false &&
OUT_OF_ID_RANGE(gid, dom->id_min, dom->id_max)) {
DEBUG(SSSDBG_CRIT_FAILURE,
"User [%s] filtered out! (primary gid out of range)\n",
user_name);
ret = EINVAL;
goto done;
}
ret = sysdb_attrs_get_el(attrs, SYSDB_ORIG_DN, &el);
if (ret) {
goto done;
}
if (!el || el->num_values == 0) {
DEBUG(SSSDBG_MINOR_FAILURE,
"originalDN is not available for [%s].\n", user_name);
} else {
orig_dn = (const char *) el->values[0].data;
DEBUG(SSSDBG_TRACE_INTERNAL, "Adding originalDN [%s] to attributes "
"of [%s].\n", orig_dn, user_name);
ret = sysdb_attrs_add_string(user_attrs, SYSDB_ORIG_DN, orig_dn);
if (ret) {
goto done;
}
}
ret = sysdb_attrs_get_el(attrs, SYSDB_MEMBEROF, &el);
if (ret) {
goto done;
}
if (el->num_values == 0) {
DEBUG(SSSDBG_TRACE_FUNC,
"Original memberOf is not available for [%s].\n", user_name);
} else {
DEBUG(SSSDBG_TRACE_FUNC,
"Adding original memberOf attributes to [%s].\n", user_name);
for (i = 0; i < el->num_values; i++) {
ret = sysdb_attrs_add_string(user_attrs, SYSDB_ORIG_MEMBEROF,
(const char *) el->values[i].data);
if (ret) {
goto done;
}
}
}
ret = sdap_attrs_add_string(attrs,
opts->user_map[SDAP_AT_USER_MODSTAMP].sys_name,
"original mod-Timestamp",
user_name, user_attrs);
if (ret != EOK) {
goto done;
}
ret = sysdb_attrs_get_el(attrs,
opts->user_map[SDAP_AT_USER_USN].sys_name, &el);
if (ret) {
goto done;
}
if (el->num_values == 0) {
DEBUG(SSSDBG_TRACE_FUNC,
"Original USN value is not available for [%s].\n", user_name);
} else {
ret = sysdb_attrs_add_string(user_attrs,
opts->user_map[SDAP_AT_USER_USN].sys_name,
(const char*)el->values[0].data);
if (ret) {
goto done;
}
usn_value = talloc_strdup(tmpctx, (const char*)el->values[0].data);
if (!usn_value) {
ret = ENOMEM;
goto done;
}
}
ret = sysdb_attrs_get_el(attrs,
opts->user_map[SDAP_AT_USER_PRINC].sys_name, &el);
if (ret) {
goto done;
}
if (el->num_values == 0) {
DEBUG(SSSDBG_TRACE_FUNC,
"User principal is not available for [%s].\n", user_name);
} else {
upn = talloc_strdup(user_attrs, (const char*) el->values[0].data);
if (!upn) {
ret = ENOMEM;
goto done;
}
if (dp_opt_get_bool(opts->basic, SDAP_FORCE_UPPER_CASE_REALM)) {
make_realm_upper_case(upn);
}
DEBUG(SSSDBG_TRACE_FUNC,
"Adding user principal [%s] to attributes of [%s].\n",
upn, user_name);
ret = sysdb_attrs_add_string(user_attrs, SYSDB_UPN, upn);
if (ret) {
goto done;
}
}
for (i = SDAP_FIRST_EXTRA_USER_AT; i < opts->user_map_cnt; i++) {
ret = sdap_attrs_add_list(attrs, opts->user_map[i].sys_name,
NULL, user_name, user_attrs);
if (ret) {
goto done;
}
}
cache_timeout = dom->user_timeout;
ret = sdap_save_all_names(user_name, attrs, dom, user_attrs);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "Failed to save user names\n");
goto done;
}
/* Make sure that any attributes we requested from LDAP that we
* did not receive are also removed from the sysdb
*/
ret = list_missing_attrs(user_attrs, opts->user_map, opts->user_map_cnt,
attrs, &missing);
if (ret != EOK) {
goto done;
}
DEBUG(SSSDBG_TRACE_FUNC, "Storing info for user %s\n", user_name);
ret = sysdb_store_user(dom, user_name, pwd, uid, gid,
gecos, homedir, shell, orig_dn,
user_attrs, missing, cache_timeout, now);
if (ret) goto done;
if (_usn_value) {
*_usn_value = talloc_steal(memctx, usn_value);
}
talloc_steal(memctx, user_attrs);
ret = EOK;
done:
if (ret) {
DEBUG(SSSDBG_CRIT_FAILURE,
"Failed to save user [%s]\n",
user_name ? user_name : "Unknown");
}
talloc_free(tmpctx);
return ret;
}
static void test_sysdb_handle_original_uuid(void **state)
{
int ret;
struct sysdb_attrs *src_attrs;
struct sysdb_attrs *dest_attrs;
const char *guid;
uint8_t bin_guid[] = AD_GUID_BIN;
struct ldb_val guid_val = {bin_guid, 16};
ret = sysdb_handle_original_uuid(NULL, NULL, NULL, NULL, NULL);
assert_int_equal(ret, ENOENT);
src_attrs = sysdb_new_attrs(NULL);
assert_non_null(src_attrs);
dest_attrs = sysdb_new_attrs(NULL);
assert_non_null(dest_attrs);
ret = sysdb_handle_original_uuid("xyz", src_attrs, "abc", dest_attrs,
"def");
assert_int_equal(ret, ENOENT);
ret = sysdb_attrs_add_val(src_attrs, "GUID", &guid_val);
assert_int_equal(ret, EOK);
ret = sysdb_attrs_add_string(src_attrs, "UUID", IPA_UUID);
assert_int_equal(ret, EOK);
ret = sysdb_handle_original_uuid(NULL, src_attrs, "GUID",
dest_attrs, "def");
assert_int_equal(ret, ENOENT);
ret = sysdb_handle_original_uuid("objectGUID", NULL, "GUID",
dest_attrs, "def");
assert_int_equal(ret, EINVAL);
ret = sysdb_handle_original_uuid("objectGUID", src_attrs, "GUID",
dest_attrs, "def");
assert_int_equal(ret, EOK);
ret = sysdb_attrs_get_string(dest_attrs, "def", &guid);
assert_int_equal(ret, EOK);
assert_string_equal(guid, AD_GUID);
ret = sysdb_handle_original_uuid("ipaUniqueID", src_attrs, "UUID",
dest_attrs, "ghi");
assert_int_equal(ret, EOK);
ret = sysdb_attrs_get_string(dest_attrs, "ghi", &guid);
assert_int_equal(ret, EOK);
assert_string_equal(guid, IPA_UUID);
talloc_free(src_attrs);
src_attrs = sysdb_new_attrs(NULL);
assert_non_null(src_attrs);
/* check objectGUID with length other than 16 */
ret = sysdb_attrs_add_string(src_attrs, "GUID", IPA_UUID);
assert_int_equal(ret, EOK);
ret = sysdb_handle_original_uuid("objectGUID", src_attrs, "GUID",
dest_attrs, "jkl");
assert_int_equal(ret, EOK);
ret = sysdb_attrs_get_string(dest_attrs, "jkl", &guid);
assert_int_equal(ret, EOK);
assert_string_equal(guid, IPA_UUID);
talloc_free(src_attrs);
talloc_free(dest_attrs);
}
static errno_t sysdb_sudo_check_time(struct sysdb_attrs *rule,
time_t now,
bool *result)
{
TALLOC_CTX *tmp_ctx = NULL;
const char **values = NULL;
const char *name = NULL;
time_t notBefore = 0;
time_t notAfter = 0;
time_t converted;
errno_t ret;
int i;
if (!result) return EINVAL;
*result = false;
tmp_ctx = talloc_new(NULL);
NULL_CHECK(tmp_ctx, ret, done);
ret = sysdb_attrs_get_string(rule, SYSDB_SUDO_CACHE_AT_CN, &name);
if (ret == ENOENT) {
name = "<missing>";
} else if(ret != EOK) {
goto done;
}
/*
* From man sudoers.ldap:
*
* If multiple sudoNotBefore entries are present, the *earliest* is used.
* If multiple sudoNotAfter entries are present, the *last one* is used.
*
* From sudo sources, ldap.c:
* If either the sudoNotAfter or sudoNotBefore attributes are missing,
* no time restriction shall be imposed.
*/
/* check for sudoNotBefore */
ret = sysdb_attrs_get_string_array(rule, SYSDB_SUDO_CACHE_AT_NOTBEFORE,
tmp_ctx, &values);
if (ret == EOK) {
for (i=0; values[i] ; i++) {
ret = sysdb_sudo_convert_time(values[i], &converted);
if (ret != EOK) {
DEBUG(SSSDBG_MINOR_FAILURE, "Invalid time format in rule [%s]!\n",
name);
goto done;
}
/* Grab the earliest */
if (!notBefore) {
notBefore = converted;
} else if (notBefore > converted) {
notBefore = converted;
}
}
} else if (ret != ENOENT) {
goto done;
}
/* check for sudoNotAfter */
ret = sysdb_attrs_get_string_array(rule, SYSDB_SUDO_CACHE_AT_NOTAFTER,
tmp_ctx, &values);
if (ret == EOK) {
for (i=0; values[i] ; i++) {
ret = sysdb_sudo_convert_time(values[i], &converted);
if (ret != EOK) {
DEBUG(SSSDBG_MINOR_FAILURE, "Invalid time format in rule [%s]!\n",
name);
goto done;
}
/* Grab the latest */
if (!notAfter) {
notAfter = converted;
} else if (notAfter < converted) {
notAfter = converted;
}
}
} else if (ret != ENOENT) {
goto done;
}
if ((notBefore == 0 || now >= notBefore)
&& (notAfter == 0 || now <= notAfter)) {
*result = true;
}
if (*result) {
DEBUG(SSSDBG_TRACE_ALL, "Rule [%s] matches time restrictions\n",
name);
} else {
DEBUG(SSSDBG_TRACE_ALL, "Rule [%s] does not match time "
"restrictions\n", name);
}
ret = EOK;
done:
talloc_free(tmp_ctx);
return ret;
}
static void hbac_get_rule_info_step(struct tevent_req *req)
{
errno_t ret;
size_t i;
const char *ipa_hostname;
const char *hostname;
struct hbac_ctx *hbac_ctx =
tevent_req_callback_data(req, struct hbac_ctx);
struct be_ctx *be_ctx = be_req_get_be_ctx(hbac_ctx->be_req);
ret = ipa_hbac_service_info_recv(req, hbac_ctx,
&hbac_ctx->service_count,
&hbac_ctx->services,
&hbac_ctx->servicegroup_count,
&hbac_ctx->servicegroups);
talloc_zfree(req);
if (!hbac_check_step_result(hbac_ctx, ret)) {
return;
}
/* Get the ipa_host attrs */
hbac_ctx->ipa_host = NULL;
ipa_hostname = dp_opt_get_cstring(hbac_ctx->ipa_options, IPA_HOSTNAME);
if (ipa_hostname == NULL) {
DEBUG(1, ("Missing ipa_hostname, this should never happen.\n"));
goto fail;
}
for (i = 0; i < hbac_ctx->host_count; i++) {
ret = sysdb_attrs_get_string(hbac_ctx->hosts[i],
SYSDB_FQDN,
&hostname);
if (ret != EOK) {
DEBUG(1, ("Could not locate IPA host\n"));
goto fail;
}
if (strcasecmp(hostname, ipa_hostname) == 0) {
hbac_ctx->ipa_host = hbac_ctx->hosts[i];
break;
}
}
if (hbac_ctx->ipa_host == NULL) {
DEBUG(1, ("Could not locate IPA host\n"));
goto fail;
}
/* Get the list of applicable rules */
req = ipa_hbac_rule_info_send(hbac_ctx,
hbac_ctx->get_deny_rules,
be_ctx->ev,
sdap_id_op_handle(hbac_ctx->sdap_op),
hbac_ctx->sdap_ctx->opts,
hbac_ctx->search_bases,
hbac_ctx->ipa_host);
if (req == NULL) {
DEBUG(1, ("Could not get rules\n"));
goto fail;
}
tevent_req_set_callback(req, hbac_sysdb_save, hbac_ctx);
return;
fail:
ipa_access_reply(hbac_ctx, PAM_SYSTEM_ERR);
}
errno_t
ipa_sudo_conv_rules(struct ipa_sudo_conv *conv,
struct sysdb_attrs **rules,
size_t num_rules)
{
struct ipa_sudo_rule *rule = NULL;
const char *key;
errno_t ret;
size_t i;
if (num_rules == 0) {
/* We're done here. */
return EOK;
}
for (i = 0; i < num_rules; i++) {
ret = sysdb_attrs_get_string(rules[i], SYSDB_NAME, &key);
if (ret != EOK) {
DEBUG(SSSDBG_MINOR_FAILURE, "Failed to get rule name, skipping "
"[%d]: %s\n", ret, sss_strerror(ret));
continue;
}
rule = talloc_zero(conv->rules, struct ipa_sudo_rule);
if (rule == NULL) {
ret = ENOMEM;
goto done;
}
rule->attrs = rules[i];
ret = process_allowcmd(conv, rule);
if (ret != EOK && ret != EEXIST) {
DEBUG(SSSDBG_OP_FAILURE, "Failed to process memberAllowCmd "
"[%d]: %s\n", ret, sss_strerror(ret));
return ret;
}
ret = process_denycmd(conv, rule);
if (ret != EOK && ret != EEXIST) {
DEBUG(SSSDBG_OP_FAILURE, "Failed to process memberDenyCmd "
"[%d]: %s\n", ret, sss_strerror(ret));
return ret;
}
ret = ipa_sudo_conv_store(conv->rules, key, rule);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "Failed to store rule into table "
"[%d]: %s\n", ret, sss_strerror(ret));
goto done;
}
talloc_steal(rule, rule->attrs);
rule = NULL;
}
ret = EOK;
done:
if (ret != EOK) {
talloc_free(rule);
}
return ret;
}
/* FIXME: support storing additional attributes */
int sdap_save_user(TALLOC_CTX *memctx,
struct sysdb_ctx *ctx,
struct sdap_options *opts,
struct sss_domain_info *dom,
struct sysdb_attrs *attrs,
bool is_initgr,
char **_usn_value,
time_t now)
{
struct ldb_message_element *el;
int ret;
const char *name = NULL;
const char *fullname = NULL;
const char *pwd;
const char *gecos;
const char *homedir;
const char *shell;
const char *orig_dn = NULL;
uid_t uid;
gid_t gid, primary_gid;
struct sysdb_attrs *user_attrs;
char *upn = NULL;
size_t i;
int cache_timeout;
char *usn_value = NULL;
char **missing = NULL;
TALLOC_CTX *tmpctx = NULL;
bool use_id_mapping = dp_opt_get_bool(opts->basic, SDAP_ID_MAPPING);
char *sid_str;
char *dom_sid_str = NULL;
char *group_sid_str;
DEBUG(9, ("Save user\n"));
tmpctx = talloc_new(NULL);
if (!tmpctx) {
ret = ENOMEM;
goto done;
}
user_attrs = sysdb_new_attrs(tmpctx);
if (user_attrs == NULL) {
ret = ENOMEM;
goto done;
}
ret = sysdb_attrs_primary_name(ctx, attrs,
opts->user_map[SDAP_AT_USER_NAME].name,
&name);
if (ret != EOK) {
DEBUG(1, ("Failed to save the user - entry has no name attribute\n"));
goto done;
}
if (opts->schema_type == SDAP_SCHEMA_AD) {
ret = sysdb_attrs_get_string(attrs,
opts->user_map[SDAP_AT_USER_FULLNAME].sys_name, &fullname);
if (ret == EOK) {
ret = sysdb_attrs_add_string(user_attrs, SYSDB_FULLNAME, fullname);
if (ret != EOK) {
goto done;
}
} else if (ret != ENOENT) {
goto done;
}
}
ret = sysdb_attrs_get_el(attrs,
opts->user_map[SDAP_AT_USER_PWD].sys_name, &el);
if (ret) goto done;
if (el->num_values == 0) pwd = NULL;
else pwd = (const char *)el->values[0].data;
ret = sysdb_attrs_get_el(attrs,
opts->user_map[SDAP_AT_USER_GECOS].sys_name, &el);
if (ret) goto done;
if (el->num_values == 0) gecos = NULL;
else gecos = (const char *)el->values[0].data;
if (!gecos) {
/* Fall back to the user's full name */
ret = sysdb_attrs_get_el(
attrs,
opts->user_map[SDAP_AT_USER_FULLNAME].sys_name, &el);
if (ret) goto done;
if (el->num_values > 0) gecos = (const char *)el->values[0].data;
}
ret = sysdb_attrs_get_el(attrs,
opts->user_map[SDAP_AT_USER_HOME].sys_name, &el);
if (ret) goto done;
if (el->num_values == 0) homedir = NULL;
else homedir = (const char *)el->values[0].data;
ret = sysdb_attrs_get_el(attrs,
opts->user_map[SDAP_AT_USER_SHELL].sys_name, &el);
if (ret) goto done;
if (el->num_values == 0) shell = NULL;
else shell = (const char *)el->values[0].data;
/* Retrieve or map the UID as appropriate */
if (use_id_mapping) {
DEBUG(SSSDBG_TRACE_LIBS,
("Mapping user [%s] objectSID to unix ID\n", name));
ret = sdap_attrs_get_sid_str(
tmpctx, opts->idmap_ctx, attrs,
opts->user_map[SDAP_AT_USER_OBJECTSID].sys_name,
&sid_str);
if (ret != EOK) goto done;
/* Add string representation to the cache for easier
* debugging
*/
ret = sysdb_attrs_add_string(user_attrs, SYSDB_SID_STR, sid_str);
if (ret != EOK) goto done;
/* Convert the SID into a UNIX user ID */
ret = sdap_idmap_sid_to_unix(opts->idmap_ctx, sid_str, &uid);
if (ret == ENOTSUP) {
DEBUG(SSSDBG_TRACE_FUNC, ("Skipping built-in object.\n"));
ret = EOK;
goto done;
} else if (ret != EOK) {
goto done;
}
/* Store the UID in the ldap_attrs so it doesn't get
* treated as a missing attribute from LDAP and removed.
*/
ret = sdap_replace_id(attrs, SYSDB_UIDNUM, uid);
if (ret) {
DEBUG(SSSDBG_OP_FAILURE, ("Cannot set the id-mapped UID\n"));
goto done;
}
} else {
ret = sysdb_attrs_get_uint32_t(attrs,
opts->user_map[SDAP_AT_USER_UID].sys_name,
&uid);
if (ret != EOK) {
DEBUG(1, ("no uid provided for [%s] in domain [%s].\n",
name, dom->name));
ret = EINVAL;
goto done;
}
}
/* check that the uid is valid for this domain */
if (OUT_OF_ID_RANGE(uid, dom->id_min, dom->id_max)) {
DEBUG(2, ("User [%s] filtered out! (uid out of range)\n",
name));
ret = EINVAL;
goto done;
}
if (use_id_mapping) {
ret = sysdb_attrs_get_uint32_t(
attrs,
opts->user_map[SDAP_AT_USER_PRIMARY_GROUP].sys_name,
&primary_gid);
if (ret != EOK) {
DEBUG(SSSDBG_MINOR_FAILURE,
("no primary group ID provided for [%s] in domain [%s].\n",
name, dom->name));
ret = EINVAL;
goto done;
}
/* The primary group ID is just the RID part of the objectSID
* of the group. Generate the GID by adding this to the domain
* SID value.
*/
/* First, get the domain SID if we didn't do so above */
if (!dom_sid_str) {
ret = sdap_idmap_get_dom_sid_from_object(tmpctx, sid_str,
&dom_sid_str);
if (ret != EOK) {
DEBUG(SSSDBG_MINOR_FAILURE,
("Could not parse domain SID from [%s]\n", sid_str));
goto done;
}
}
/* Add the RID to the end */
group_sid_str = talloc_asprintf(tmpctx, "%s-%lu",
dom_sid_str,
(unsigned long)primary_gid);
if (!group_sid_str) {
ret = ENOMEM;
goto done;
}
/* Convert the SID into a UNIX group ID */
ret = sdap_idmap_sid_to_unix(opts->idmap_ctx, group_sid_str, &gid);
if (ret != EOK) goto done;
/* Store the GID in the ldap_attrs so it doesn't get
* treated as a missing attribute from LDAP and removed.
*/
ret = sysdb_attrs_add_uint32(attrs, SYSDB_GIDNUM, gid);
if (ret != EOK) goto done;
} else {
ret = sysdb_attrs_get_uint32_t(attrs,
opts->user_map[SDAP_AT_USER_GID].sys_name,
&gid);
if (ret != EOK) {
DEBUG(1, ("no gid provided for [%s] in domain [%s].\n",
name, dom->name));
ret = EINVAL;
goto done;
}
}
/* check that the gid is valid for this domain */
if (OUT_OF_ID_RANGE(gid, dom->id_min, dom->id_max)) {
DEBUG(2, ("User [%s] filtered out! (primary gid out of range)\n",
name));
ret = EINVAL;
goto done;
}
ret = sysdb_attrs_get_el(attrs, SYSDB_ORIG_DN, &el);
if (ret) {
goto done;
}
if (!el || el->num_values == 0) {
DEBUG(SSSDBG_MINOR_FAILURE,
("originalDN is not available for [%s].\n", name));
} else {
orig_dn = (const char *) el->values[0].data;
DEBUG(SSSDBG_TRACE_INTERNAL, ("Adding originalDN [%s] to attributes "
"of [%s].\n", orig_dn, name));
ret = sysdb_attrs_add_string(user_attrs, SYSDB_ORIG_DN, orig_dn);
if (ret) {
goto done;
}
}
ret = sysdb_attrs_get_el(attrs, SYSDB_MEMBEROF, &el);
if (ret) {
goto done;
}
if (el->num_values == 0) {
DEBUG(7, ("Original memberOf is not available for [%s].\n",
name));
} else {
DEBUG(7, ("Adding original memberOf attributes to [%s].\n",
name));
for (i = 0; i < el->num_values; i++) {
ret = sysdb_attrs_add_string(user_attrs, SYSDB_ORIG_MEMBEROF,
(const char *) el->values[i].data);
if (ret) {
goto done;
}
}
}
ret = sdap_attrs_add_string(attrs,
opts->user_map[SDAP_AT_USER_MODSTAMP].sys_name,
"original mod-Timestamp",
name, user_attrs);
if (ret != EOK) {
goto done;
}
ret = sysdb_attrs_get_el(attrs,
opts->user_map[SDAP_AT_USER_USN].sys_name, &el);
if (ret) {
goto done;
}
if (el->num_values == 0) {
DEBUG(7, ("Original USN value is not available for [%s].\n",
name));
} else {
ret = sysdb_attrs_add_string(user_attrs,
opts->user_map[SDAP_AT_USER_USN].sys_name,
(const char*)el->values[0].data);
if (ret) {
goto done;
}
usn_value = talloc_strdup(tmpctx, (const char*)el->values[0].data);
if (!usn_value) {
ret = ENOMEM;
goto done;
}
}
ret = sysdb_attrs_get_el(attrs,
opts->user_map[SDAP_AT_USER_PRINC].sys_name, &el);
if (ret) {
goto done;
}
if (el->num_values == 0) {
DEBUG(7, ("User principal is not available for [%s].\n", name));
} else {
upn = talloc_strdup(user_attrs, (const char*) el->values[0].data);
if (!upn) {
ret = ENOMEM;
goto done;
}
if (dp_opt_get_bool(opts->basic, SDAP_FORCE_UPPER_CASE_REALM)) {
make_realm_upper_case(upn);
}
DEBUG(7, ("Adding user principal [%s] to attributes of [%s].\n",
upn, name));
ret = sysdb_attrs_add_string(user_attrs, SYSDB_UPN, upn);
if (ret) {
goto done;
}
}
for (i = SDAP_FIRST_EXTRA_USER_AT; i < SDAP_OPTS_USER; i++) {
ret = sdap_attrs_add_list(attrs, opts->user_map[i].sys_name,
NULL, name, user_attrs);
if (ret) {
goto done;
}
}
cache_timeout = dom->user_timeout;
if (is_initgr) {
ret = sysdb_attrs_add_time_t(user_attrs, SYSDB_INITGR_EXPIRE,
(cache_timeout ?
(time(NULL) + cache_timeout) : 0));
if (ret) {
goto done;
}
}
ret = sdap_save_all_names(name, attrs, !dom->case_sensitive, user_attrs);
if (ret != EOK) {
DEBUG(1, ("Failed to save user names\n"));
goto done;
}
/* Make sure that any attributes we requested from LDAP that we
* did not receive are also removed from the sysdb
*/
ret = list_missing_attrs(user_attrs, opts->user_map, SDAP_OPTS_USER,
attrs, &missing);
if (ret != EOK) {
goto done;
}
DEBUG(6, ("Storing info for user %s\n", name));
ret = sysdb_store_user(ctx, dom, name, pwd, uid, gid,
gecos, homedir, shell, orig_dn,
user_attrs, missing, cache_timeout, now);
if (ret) goto done;
if (_usn_value) {
*_usn_value = talloc_steal(memctx, usn_value);
}
talloc_steal(memctx, user_attrs);
ret = EOK;
done:
if (ret) {
DEBUG(2, ("Failed to save user [%s]\n",
name ? name : "Unknown"));
}
talloc_free(tmpctx);
return ret;
}
