/* ========== Functions specific for the native sudo LDAP schema ========== */ static errno_t sdap_sudo_get_usn(TALLOC_CTX *mem_ctx, struct sysdb_attrs *attrs, struct sdap_attr_map *map, const char *name, char **_usn) { const char *usn; errno_t ret; if (_usn == NULL) { return EINVAL; } ret = sysdb_attrs_get_string(attrs, map[SDAP_AT_SUDO_USN].sys_name, &usn); if (ret != EOK) { DEBUG(SSSDBG_MINOR_FAILURE, ("Failed to retrieve USN value: [%s]\n", strerror(ret))); return ret; } *_usn = talloc_strdup(mem_ctx, usn); if (*_usn == NULL) { return ENOMEM; } return EOK; }
/* Both arrays must have the same length! */ static void compare_sysdb_string_array_noorder(struct sysdb_attrs **sysdb_array, const char **string_array, size_t len) { int i, ii; errno_t ret; const char *name; /* Check the returned groups. The order is irrelevant. */ for (i = 0; i < len; i++) { ret = sysdb_attrs_get_string(sysdb_array[i], SYSDB_NAME, &name); assert_int_equal(ret, ERR_OK); for (ii = 0; ii < len; ii++) { if (string_array[ii] == NULL) { continue; } if (strcmp(name, string_array[ii]) == 0) { string_array[ii] = NULL; break; } } } for (i = 0; i < len; i++) { assert_null(string_array[i]); } }
static errno_t attr_name(TALLOC_CTX *mem_ctx, struct sysdb_attrs *entry, struct sss_domain_info *dom, const char *attr, const char **_value) { errno_t ret; const char *orig_name; char *tmp_name; char *outname; ret = sysdb_attrs_get_string(entry, attr, &orig_name); if (ret != EOK) { return ret; } tmp_name = sss_output_name(mem_ctx, orig_name, dom->case_preserve, 0); if (tmp_name == NULL) { return ENOMEM; } if (dom->fqnames) { outname = sss_tc_fqname(mem_ctx, dom->names, dom, tmp_name); talloc_free(tmp_name); if (outname == NULL) { DEBUG(SSSDBG_CRIT_FAILURE, "sss_replace_space failed\n"); return ENOMEM; } } else { outname = tmp_name; } *_value = outname; return EOK; }
static void nested_groups_test_one_group_dup_users(void **state) { struct nested_groups_test_ctx *test_ctx = NULL; struct sysdb_attrs *rootgroup = NULL; struct tevent_req *req = NULL; TALLOC_CTX *req_mem_ctx = NULL; errno_t ret; const char *name; const char *users[] = { "cn=user1,"USER_BASE_DN, "cn=user1,"USER_BASE_DN, NULL }; const struct sysdb_attrs *user1_reply[2] = { NULL }; const struct sysdb_attrs *user2_reply[2] = { NULL }; test_ctx = talloc_get_type_abort(*state, struct nested_groups_test_ctx); /* mock return values */ rootgroup = mock_sysdb_group_rfc2307bis(test_ctx, GROUP_BASE_DN, 1000, "rootgroup", users); user1_reply[0] = mock_sysdb_user(test_ctx, USER_BASE_DN, 2001, "user1"); assert_non_null(user1_reply[0]); will_return(sdap_get_generic_recv, 1); will_return(sdap_get_generic_recv, user1_reply); user2_reply[0] = mock_sysdb_user(test_ctx, USER_BASE_DN, 2001, "user1"); assert_non_null(user2_reply[0]); will_return(sdap_get_generic_recv, 1); will_return(sdap_get_generic_recv, user2_reply); sss_will_return_always(sdap_has_deref_support, false); /* run test, check for memory leaks */ req_mem_ctx = talloc_new(global_talloc_context); assert_non_null(req_mem_ctx); check_leaks_push(req_mem_ctx); req = sdap_nested_group_send(req_mem_ctx, test_ctx->tctx->ev, test_ctx->sdap_domain, test_ctx->sdap_opts, test_ctx->sdap_handle, rootgroup); assert_non_null(req); tevent_req_set_callback(req, nested_groups_test_done, test_ctx); ret = test_ev_loop(test_ctx->tctx); assert_true(check_leaks_pop(req_mem_ctx) == true); talloc_zfree(req_mem_ctx); /* check return code */ assert_int_equal(ret, ERR_OK); /* Check the users */ assert_int_equal(test_ctx->num_users, 1); assert_int_equal(test_ctx->num_groups, 1); ret = sysdb_attrs_get_string(test_ctx->users[0], SYSDB_NAME, &name); assert_int_equal(ret, ERR_OK); assert_string_equal(name, "user1"); }
errno_t ipa_sudo_conv_cmds(struct ipa_sudo_conv *conv, struct sysdb_attrs **cmds, size_t num_cmds) { const char *key; const char *cmd; errno_t ret; size_t i; if (num_cmds == 0) { /* We're done here. */ return EOK; } for (i = 0; i < num_cmds; i++) { ret = sysdb_attrs_get_string(cmds[i], SYSDB_ORIG_DN, &key); if (ret != EOK) { DEBUG(SSSDBG_MINOR_FAILURE, "Failed to get command DN, skipping " "[%d]: %s\n", ret, sss_strerror(ret)); continue; } ret = sysdb_attrs_get_string(cmds[i], SYSDB_IPA_SUDOCMD_SUDOCMD, &cmd); if (ret != EOK) { DEBUG(SSSDBG_MINOR_FAILURE, "Failed to get command, skipping " "[%d]: %s\n", ret, sss_strerror(ret)); continue; } ret = ipa_sudo_conv_store(conv->cmds, key, discard_const(cmd)); if (ret != EOK) { DEBUG(SSSDBG_OP_FAILURE, "Failed to store command into table " "[%d]: %s\n", ret, sss_strerror(ret)); goto done; } } ret = EOK; done: return ret; }
errno_t ipa_sudo_conv_cmdgroups(struct ipa_sudo_conv *conv, struct sysdb_attrs **cmdgroups, size_t num_cmdgroups) { struct ipa_sudo_cmdgroup *cmdgroup = NULL; const char *key; errno_t ret; size_t i; if (num_cmdgroups == 0) { /* We're done here. */ return EOK; } for (i = 0; i < num_cmdgroups; i++) { ret = sysdb_attrs_get_string(cmdgroups[i], SYSDB_ORIG_DN, &key); if (ret != EOK) { DEBUG(SSSDBG_MINOR_FAILURE, "Failed to get command group DN, " "skipping [%d]: %s\n", ret, sss_strerror(ret)); continue; } cmdgroup = talloc_zero(conv->cmdgroups, struct ipa_sudo_cmdgroup); if (cmdgroup == NULL) { ret = ENOMEM; goto done; } ret = process_cmdgroupmember(conv, cmdgroup, cmdgroups[i]); if (ret != EOK) { DEBUG(SSSDBG_OP_FAILURE, "Failed to process member " "[%d]: %s\n", ret, sss_strerror(ret)); return ret; } ret = ipa_sudo_conv_store(conv->cmdgroups, key, cmdgroup); if (ret != EOK) { DEBUG(SSSDBG_OP_FAILURE, "Failed to store command group into " "table [%d]: %s\n", ret, sss_strerror(ret)); goto done; } cmdgroup = NULL; } ret = EOK; done: if (ret != EOK) { talloc_free(cmdgroup); } return ret; }
static errno_t sdap_save_native_sudorule(TALLOC_CTX *mem_ctx, struct sysdb_ctx *sysdb_ctx, struct sss_domain_info *domain, struct sdap_attr_map *map, struct sysdb_attrs *attrs, int cache_timeout, time_t now, char **_usn) { errno_t ret; const char *rule_name; ret = sysdb_attrs_get_string(attrs, map[SDAP_AT_SUDO_NAME].sys_name, &rule_name); if (ret == ERANGE) { DEBUG(SSSDBG_OP_FAILURE, ("Warning: found rule that contains none " "or multiple CN values. It will be skipped.\n")); return ret; } else if (ret != EOK) { DEBUG(SSSDBG_OP_FAILURE, ("Could not get rule name [%d]: %s\n", ret, strerror(ret))); return ret; } ret = sysdb_attrs_add_time_t(attrs, SYSDB_CACHE_EXPIRE, (cache_timeout ? (now + cache_timeout) : 0)); if (ret) { DEBUG(SSSDBG_OP_FAILURE, ("Could not set sysdb cache expire [%d]: %s\n", ret, strerror(ret))); return ret; } ret = sdap_sudo_get_usn(mem_ctx, attrs, map, rule_name, _usn); if (ret != EOK) { DEBUG(SSSDBG_MINOR_FAILURE, ("Could not read USN from %s\n", rule_name)); *_usn = NULL; /* but we will store the rule anyway */ } ret = sysdb_save_sudorule(sysdb_ctx, domain, rule_name, attrs); if (ret != EOK) { DEBUG(SSSDBG_OP_FAILURE, ("Could not save sudorule %s\n", rule_name)); return ret; } return ret; }
/* FIXME: support storing additional attributes */ int sdap_save_user(TALLOC_CTX *memctx, struct sdap_options *opts, struct sss_domain_info *dom, struct sysdb_attrs *attrs, char **_usn_value, time_t now) { struct ldb_message_element *el; int ret; const char *user_name = NULL; const char *fullname = NULL; const char *pwd; const char *gecos; const char *homedir; const char *shell; const char *orig_dn = NULL; uid_t uid; gid_t gid; struct sysdb_attrs *user_attrs; char *upn = NULL; size_t i; int cache_timeout; char *usn_value = NULL; char **missing = NULL; TALLOC_CTX *tmpctx = NULL; bool use_id_mapping; char *sid_str; char *dom_sid_str = NULL; struct sss_domain_info *subdomain; DEBUG(SSSDBG_TRACE_FUNC, "Save user\n"); tmpctx = talloc_new(NULL); if (!tmpctx) { ret = ENOMEM; goto done; } user_attrs = sysdb_new_attrs(tmpctx); if (user_attrs == NULL) { ret = ENOMEM; goto done; } /* Always store SID string if available */ ret = sdap_attrs_get_sid_str(tmpctx, opts->idmap_ctx, attrs, opts->user_map[SDAP_AT_USER_OBJECTSID].sys_name, &sid_str); if (ret == EOK) { ret = sysdb_attrs_add_string(user_attrs, SYSDB_SID_STR, sid_str); if (ret != EOK) { DEBUG(SSSDBG_MINOR_FAILURE, "Could not add SID string: [%s]\n", sss_strerror(ret)); goto done; } } else if (ret == ENOENT) { DEBUG(SSSDBG_TRACE_ALL, "objectSID: not available for user\n"); sid_str = NULL; } else { DEBUG(SSSDBG_MINOR_FAILURE, "Could not identify objectSID: [%s]\n", sss_strerror(ret)); sid_str = NULL; } /* Always store UUID if available */ ret = sysdb_handle_original_uuid(opts->user_map[SDAP_AT_USER_UUID].def_name, attrs, opts->user_map[SDAP_AT_USER_UUID].sys_name, user_attrs, SYSDB_UUID); if (ret != EOK) { DEBUG((ret == ENOENT) ? SSSDBG_TRACE_ALL : SSSDBG_MINOR_FAILURE, "Failed to retrieve UUID [%d][%s].\n", ret, sss_strerror(ret)); } /* If this object has a SID available, we will determine the correct * domain by its SID. */ if (sid_str != NULL) { subdomain = find_domain_by_sid(get_domains_head(dom), sid_str); if (subdomain) { dom = subdomain; } else { DEBUG(SSSDBG_TRACE_FUNC, "SID %s does not belong to any known " "domain\n", sid_str); } } ret = sdap_get_user_primary_name(memctx, opts, attrs, dom, &user_name); if (ret != EOK) { DEBUG(SSSDBG_OP_FAILURE, "Failed to get user name\n"); goto done; } DEBUG(SSSDBG_TRACE_FUNC, "Processing user %s\n", user_name); if (opts->schema_type == SDAP_SCHEMA_AD) { ret = sysdb_attrs_get_string(attrs, opts->user_map[SDAP_AT_USER_FULLNAME].sys_name, &fullname); if (ret == EOK) { ret = sysdb_attrs_add_string(user_attrs, SYSDB_FULLNAME, fullname); if (ret != EOK) { goto done; } } else if (ret != ENOENT) { goto done; } } ret = sysdb_attrs_get_el(attrs, opts->user_map[SDAP_AT_USER_PWD].sys_name, &el); if (ret) goto done; if (el->num_values == 0) pwd = NULL; else pwd = (const char *)el->values[0].data; ret = sysdb_attrs_get_el(attrs, opts->user_map[SDAP_AT_USER_GECOS].sys_name, &el); if (ret) goto done; if (el->num_values == 0) gecos = NULL; else gecos = (const char *)el->values[0].data; if (!gecos) { /* Fall back to the user's full name */ ret = sysdb_attrs_get_el( attrs, opts->user_map[SDAP_AT_USER_FULLNAME].sys_name, &el); if (ret) goto done; if (el->num_values > 0) gecos = (const char *)el->values[0].data; } ret = sysdb_attrs_get_el(attrs, opts->user_map[SDAP_AT_USER_HOME].sys_name, &el); if (ret) goto done; if (el->num_values == 0) homedir = NULL; else homedir = (const char *)el->values[0].data; ret = sysdb_attrs_get_el(attrs, opts->user_map[SDAP_AT_USER_SHELL].sys_name, &el); if (ret) goto done; if (el->num_values == 0) shell = NULL; else shell = (const char *)el->values[0].data; use_id_mapping = sdap_idmap_domain_has_algorithmic_mapping(opts->idmap_ctx, dom->name, sid_str); /* Retrieve or map the UID as appropriate */ if (use_id_mapping) { if (sid_str == NULL) { DEBUG(SSSDBG_MINOR_FAILURE, "SID not available, cannot map a " \ "unix ID to user [%s].\n", user_name); ret = ENOENT; goto done; } DEBUG(SSSDBG_TRACE_LIBS, "Mapping user [%s] objectSID [%s] to unix ID\n", user_name, sid_str); /* Convert the SID into a UNIX user ID */ ret = sdap_idmap_sid_to_unix(opts->idmap_ctx, sid_str, &uid); if (ret == ENOTSUP) { DEBUG(SSSDBG_TRACE_FUNC, "Skipping built-in object.\n"); ret = EOK; goto done; } else if (ret != EOK) { goto done; } /* Store the UID in the ldap_attrs so it doesn't get * treated as a missing attribute from LDAP and removed. */ ret = sdap_replace_id(attrs, SYSDB_UIDNUM, uid); if (ret) { DEBUG(SSSDBG_OP_FAILURE, "Cannot set the id-mapped UID\n"); goto done; } } else { ret = sysdb_attrs_get_uint32_t(attrs, opts->user_map[SDAP_AT_USER_UID].sys_name, &uid); if (ret != EOK) { DEBUG(SSSDBG_CRIT_FAILURE, "no uid provided for [%s] in domain [%s].\n", user_name, dom->name); ret = EINVAL; goto done; } } /* check that the uid is valid for this domain */ if (OUT_OF_ID_RANGE(uid, dom->id_min, dom->id_max)) { DEBUG(SSSDBG_OP_FAILURE, "User [%s] filtered out! (uid out of range)\n", user_name); ret = EINVAL; goto done; } if (use_id_mapping) { ret = sdap_get_idmap_primary_gid(opts, attrs, sid_str, dom_sid_str, &gid); if (ret) { DEBUG(SSSDBG_CRIT_FAILURE, "Cannot get the GID for [%s] in domain [%s].\n", user_name, dom->name); goto done; } if (IS_SUBDOMAIN(dom)) { /* For subdomain users, only create the private group as * the subdomain is an MPG domain. * But we have to save the GID of the original primary group * becasuse otherwise this information might be lost because * typically (Unix and AD) the user is not listed in his primary * group as a member. */ ret = sysdb_attrs_add_uint32(user_attrs, SYSDB_PRIMARY_GROUP_GIDNUM, (uint32_t) gid); if (ret != EOK) { DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_add_uint32 failed.\n"); goto done; } gid = 0; } /* Store the GID in the ldap_attrs so it doesn't get * treated as a missing attribute from LDAP and removed. */ ret = sysdb_attrs_add_uint32(attrs, SYSDB_GIDNUM, gid); if (ret != EOK) goto done; } else { ret = sysdb_attrs_get_uint32_t(attrs, opts->user_map[SDAP_AT_USER_GID].sys_name, &gid); if (ret != EOK) { DEBUG(SSSDBG_CRIT_FAILURE, "no gid provided for [%s] in domain [%s].\n", user_name, dom->name); ret = EINVAL; goto done; } } /* check that the gid is valid for this domain */ if (IS_SUBDOMAIN(dom) == false && OUT_OF_ID_RANGE(gid, dom->id_min, dom->id_max)) { DEBUG(SSSDBG_CRIT_FAILURE, "User [%s] filtered out! (primary gid out of range)\n", user_name); ret = EINVAL; goto done; } ret = sysdb_attrs_get_el(attrs, SYSDB_ORIG_DN, &el); if (ret) { goto done; } if (!el || el->num_values == 0) { DEBUG(SSSDBG_MINOR_FAILURE, "originalDN is not available for [%s].\n", user_name); } else { orig_dn = (const char *) el->values[0].data; DEBUG(SSSDBG_TRACE_INTERNAL, "Adding originalDN [%s] to attributes " "of [%s].\n", orig_dn, user_name); ret = sysdb_attrs_add_string(user_attrs, SYSDB_ORIG_DN, orig_dn); if (ret) { goto done; } } ret = sysdb_attrs_get_el(attrs, SYSDB_MEMBEROF, &el); if (ret) { goto done; } if (el->num_values == 0) { DEBUG(SSSDBG_TRACE_FUNC, "Original memberOf is not available for [%s].\n", user_name); } else { DEBUG(SSSDBG_TRACE_FUNC, "Adding original memberOf attributes to [%s].\n", user_name); for (i = 0; i < el->num_values; i++) { ret = sysdb_attrs_add_string(user_attrs, SYSDB_ORIG_MEMBEROF, (const char *) el->values[i].data); if (ret) { goto done; } } } ret = sdap_attrs_add_string(attrs, opts->user_map[SDAP_AT_USER_MODSTAMP].sys_name, "original mod-Timestamp", user_name, user_attrs); if (ret != EOK) { goto done; } ret = sysdb_attrs_get_el(attrs, opts->user_map[SDAP_AT_USER_USN].sys_name, &el); if (ret) { goto done; } if (el->num_values == 0) { DEBUG(SSSDBG_TRACE_FUNC, "Original USN value is not available for [%s].\n", user_name); } else { ret = sysdb_attrs_add_string(user_attrs, opts->user_map[SDAP_AT_USER_USN].sys_name, (const char*)el->values[0].data); if (ret) { goto done; } usn_value = talloc_strdup(tmpctx, (const char*)el->values[0].data); if (!usn_value) { ret = ENOMEM; goto done; } } ret = sysdb_attrs_get_el(attrs, opts->user_map[SDAP_AT_USER_PRINC].sys_name, &el); if (ret) { goto done; } if (el->num_values == 0) { DEBUG(SSSDBG_TRACE_FUNC, "User principal is not available for [%s].\n", user_name); } else { upn = talloc_strdup(user_attrs, (const char*) el->values[0].data); if (!upn) { ret = ENOMEM; goto done; } if (dp_opt_get_bool(opts->basic, SDAP_FORCE_UPPER_CASE_REALM)) { make_realm_upper_case(upn); } DEBUG(SSSDBG_TRACE_FUNC, "Adding user principal [%s] to attributes of [%s].\n", upn, user_name); ret = sysdb_attrs_add_string(user_attrs, SYSDB_UPN, upn); if (ret) { goto done; } } for (i = SDAP_FIRST_EXTRA_USER_AT; i < opts->user_map_cnt; i++) { ret = sdap_attrs_add_list(attrs, opts->user_map[i].sys_name, NULL, user_name, user_attrs); if (ret) { goto done; } } cache_timeout = dom->user_timeout; ret = sdap_save_all_names(user_name, attrs, dom, user_attrs); if (ret != EOK) { DEBUG(SSSDBG_CRIT_FAILURE, "Failed to save user names\n"); goto done; } /* Make sure that any attributes we requested from LDAP that we * did not receive are also removed from the sysdb */ ret = list_missing_attrs(user_attrs, opts->user_map, opts->user_map_cnt, attrs, &missing); if (ret != EOK) { goto done; } DEBUG(SSSDBG_TRACE_FUNC, "Storing info for user %s\n", user_name); ret = sysdb_store_user(dom, user_name, pwd, uid, gid, gecos, homedir, shell, orig_dn, user_attrs, missing, cache_timeout, now); if (ret) goto done; if (_usn_value) { *_usn_value = talloc_steal(memctx, usn_value); } talloc_steal(memctx, user_attrs); ret = EOK; done: if (ret) { DEBUG(SSSDBG_CRIT_FAILURE, "Failed to save user [%s]\n", user_name ? user_name : "Unknown"); } talloc_free(tmpctx); return ret; }
static void test_sysdb_handle_original_uuid(void **state) { int ret; struct sysdb_attrs *src_attrs; struct sysdb_attrs *dest_attrs; const char *guid; uint8_t bin_guid[] = AD_GUID_BIN; struct ldb_val guid_val = {bin_guid, 16}; ret = sysdb_handle_original_uuid(NULL, NULL, NULL, NULL, NULL); assert_int_equal(ret, ENOENT); src_attrs = sysdb_new_attrs(NULL); assert_non_null(src_attrs); dest_attrs = sysdb_new_attrs(NULL); assert_non_null(dest_attrs); ret = sysdb_handle_original_uuid("xyz", src_attrs, "abc", dest_attrs, "def"); assert_int_equal(ret, ENOENT); ret = sysdb_attrs_add_val(src_attrs, "GUID", &guid_val); assert_int_equal(ret, EOK); ret = sysdb_attrs_add_string(src_attrs, "UUID", IPA_UUID); assert_int_equal(ret, EOK); ret = sysdb_handle_original_uuid(NULL, src_attrs, "GUID", dest_attrs, "def"); assert_int_equal(ret, ENOENT); ret = sysdb_handle_original_uuid("objectGUID", NULL, "GUID", dest_attrs, "def"); assert_int_equal(ret, EINVAL); ret = sysdb_handle_original_uuid("objectGUID", src_attrs, "GUID", dest_attrs, "def"); assert_int_equal(ret, EOK); ret = sysdb_attrs_get_string(dest_attrs, "def", &guid); assert_int_equal(ret, EOK); assert_string_equal(guid, AD_GUID); ret = sysdb_handle_original_uuid("ipaUniqueID", src_attrs, "UUID", dest_attrs, "ghi"); assert_int_equal(ret, EOK); ret = sysdb_attrs_get_string(dest_attrs, "ghi", &guid); assert_int_equal(ret, EOK); assert_string_equal(guid, IPA_UUID); talloc_free(src_attrs); src_attrs = sysdb_new_attrs(NULL); assert_non_null(src_attrs); /* check objectGUID with length other than 16 */ ret = sysdb_attrs_add_string(src_attrs, "GUID", IPA_UUID); assert_int_equal(ret, EOK); ret = sysdb_handle_original_uuid("objectGUID", src_attrs, "GUID", dest_attrs, "jkl"); assert_int_equal(ret, EOK); ret = sysdb_attrs_get_string(dest_attrs, "jkl", &guid); assert_int_equal(ret, EOK); assert_string_equal(guid, IPA_UUID); talloc_free(src_attrs); talloc_free(dest_attrs); }
static errno_t sysdb_sudo_check_time(struct sysdb_attrs *rule, time_t now, bool *result) { TALLOC_CTX *tmp_ctx = NULL; const char **values = NULL; const char *name = NULL; time_t notBefore = 0; time_t notAfter = 0; time_t converted; errno_t ret; int i; if (!result) return EINVAL; *result = false; tmp_ctx = talloc_new(NULL); NULL_CHECK(tmp_ctx, ret, done); ret = sysdb_attrs_get_string(rule, SYSDB_SUDO_CACHE_AT_CN, &name); if (ret == ENOENT) { name = "<missing>"; } else if(ret != EOK) { goto done; } /* * From man sudoers.ldap: * * If multiple sudoNotBefore entries are present, the *earliest* is used. * If multiple sudoNotAfter entries are present, the *last one* is used. * * From sudo sources, ldap.c: * If either the sudoNotAfter or sudoNotBefore attributes are missing, * no time restriction shall be imposed. */ /* check for sudoNotBefore */ ret = sysdb_attrs_get_string_array(rule, SYSDB_SUDO_CACHE_AT_NOTBEFORE, tmp_ctx, &values); if (ret == EOK) { for (i=0; values[i] ; i++) { ret = sysdb_sudo_convert_time(values[i], &converted); if (ret != EOK) { DEBUG(SSSDBG_MINOR_FAILURE, "Invalid time format in rule [%s]!\n", name); goto done; } /* Grab the earliest */ if (!notBefore) { notBefore = converted; } else if (notBefore > converted) { notBefore = converted; } } } else if (ret != ENOENT) { goto done; } /* check for sudoNotAfter */ ret = sysdb_attrs_get_string_array(rule, SYSDB_SUDO_CACHE_AT_NOTAFTER, tmp_ctx, &values); if (ret == EOK) { for (i=0; values[i] ; i++) { ret = sysdb_sudo_convert_time(values[i], &converted); if (ret != EOK) { DEBUG(SSSDBG_MINOR_FAILURE, "Invalid time format in rule [%s]!\n", name); goto done; } /* Grab the latest */ if (!notAfter) { notAfter = converted; } else if (notAfter < converted) { notAfter = converted; } } } else if (ret != ENOENT) { goto done; } if ((notBefore == 0 || now >= notBefore) && (notAfter == 0 || now <= notAfter)) { *result = true; } if (*result) { DEBUG(SSSDBG_TRACE_ALL, "Rule [%s] matches time restrictions\n", name); } else { DEBUG(SSSDBG_TRACE_ALL, "Rule [%s] does not match time " "restrictions\n", name); } ret = EOK; done: talloc_free(tmp_ctx); return ret; }
static void hbac_get_rule_info_step(struct tevent_req *req) { errno_t ret; size_t i; const char *ipa_hostname; const char *hostname; struct hbac_ctx *hbac_ctx = tevent_req_callback_data(req, struct hbac_ctx); struct be_ctx *be_ctx = be_req_get_be_ctx(hbac_ctx->be_req); ret = ipa_hbac_service_info_recv(req, hbac_ctx, &hbac_ctx->service_count, &hbac_ctx->services, &hbac_ctx->servicegroup_count, &hbac_ctx->servicegroups); talloc_zfree(req); if (!hbac_check_step_result(hbac_ctx, ret)) { return; } /* Get the ipa_host attrs */ hbac_ctx->ipa_host = NULL; ipa_hostname = dp_opt_get_cstring(hbac_ctx->ipa_options, IPA_HOSTNAME); if (ipa_hostname == NULL) { DEBUG(1, ("Missing ipa_hostname, this should never happen.\n")); goto fail; } for (i = 0; i < hbac_ctx->host_count; i++) { ret = sysdb_attrs_get_string(hbac_ctx->hosts[i], SYSDB_FQDN, &hostname); if (ret != EOK) { DEBUG(1, ("Could not locate IPA host\n")); goto fail; } if (strcasecmp(hostname, ipa_hostname) == 0) { hbac_ctx->ipa_host = hbac_ctx->hosts[i]; break; } } if (hbac_ctx->ipa_host == NULL) { DEBUG(1, ("Could not locate IPA host\n")); goto fail; } /* Get the list of applicable rules */ req = ipa_hbac_rule_info_send(hbac_ctx, hbac_ctx->get_deny_rules, be_ctx->ev, sdap_id_op_handle(hbac_ctx->sdap_op), hbac_ctx->sdap_ctx->opts, hbac_ctx->search_bases, hbac_ctx->ipa_host); if (req == NULL) { DEBUG(1, ("Could not get rules\n")); goto fail; } tevent_req_set_callback(req, hbac_sysdb_save, hbac_ctx); return; fail: ipa_access_reply(hbac_ctx, PAM_SYSTEM_ERR); }
errno_t ipa_sudo_conv_rules(struct ipa_sudo_conv *conv, struct sysdb_attrs **rules, size_t num_rules) { struct ipa_sudo_rule *rule = NULL; const char *key; errno_t ret; size_t i; if (num_rules == 0) { /* We're done here. */ return EOK; } for (i = 0; i < num_rules; i++) { ret = sysdb_attrs_get_string(rules[i], SYSDB_NAME, &key); if (ret != EOK) { DEBUG(SSSDBG_MINOR_FAILURE, "Failed to get rule name, skipping " "[%d]: %s\n", ret, sss_strerror(ret)); continue; } rule = talloc_zero(conv->rules, struct ipa_sudo_rule); if (rule == NULL) { ret = ENOMEM; goto done; } rule->attrs = rules[i]; ret = process_allowcmd(conv, rule); if (ret != EOK && ret != EEXIST) { DEBUG(SSSDBG_OP_FAILURE, "Failed to process memberAllowCmd " "[%d]: %s\n", ret, sss_strerror(ret)); return ret; } ret = process_denycmd(conv, rule); if (ret != EOK && ret != EEXIST) { DEBUG(SSSDBG_OP_FAILURE, "Failed to process memberDenyCmd " "[%d]: %s\n", ret, sss_strerror(ret)); return ret; } ret = ipa_sudo_conv_store(conv->rules, key, rule); if (ret != EOK) { DEBUG(SSSDBG_OP_FAILURE, "Failed to store rule into table " "[%d]: %s\n", ret, sss_strerror(ret)); goto done; } talloc_steal(rule, rule->attrs); rule = NULL; } ret = EOK; done: if (ret != EOK) { talloc_free(rule); } return ret; }
/* FIXME: support storing additional attributes */ int sdap_save_user(TALLOC_CTX *memctx, struct sysdb_ctx *ctx, struct sdap_options *opts, struct sss_domain_info *dom, struct sysdb_attrs *attrs, bool is_initgr, char **_usn_value, time_t now) { struct ldb_message_element *el; int ret; const char *name = NULL; const char *fullname = NULL; const char *pwd; const char *gecos; const char *homedir; const char *shell; const char *orig_dn = NULL; uid_t uid; gid_t gid, primary_gid; struct sysdb_attrs *user_attrs; char *upn = NULL; size_t i; int cache_timeout; char *usn_value = NULL; char **missing = NULL; TALLOC_CTX *tmpctx = NULL; bool use_id_mapping = dp_opt_get_bool(opts->basic, SDAP_ID_MAPPING); char *sid_str; char *dom_sid_str = NULL; char *group_sid_str; DEBUG(9, ("Save user\n")); tmpctx = talloc_new(NULL); if (!tmpctx) { ret = ENOMEM; goto done; } user_attrs = sysdb_new_attrs(tmpctx); if (user_attrs == NULL) { ret = ENOMEM; goto done; } ret = sysdb_attrs_primary_name(ctx, attrs, opts->user_map[SDAP_AT_USER_NAME].name, &name); if (ret != EOK) { DEBUG(1, ("Failed to save the user - entry has no name attribute\n")); goto done; } if (opts->schema_type == SDAP_SCHEMA_AD) { ret = sysdb_attrs_get_string(attrs, opts->user_map[SDAP_AT_USER_FULLNAME].sys_name, &fullname); if (ret == EOK) { ret = sysdb_attrs_add_string(user_attrs, SYSDB_FULLNAME, fullname); if (ret != EOK) { goto done; } } else if (ret != ENOENT) { goto done; } } ret = sysdb_attrs_get_el(attrs, opts->user_map[SDAP_AT_USER_PWD].sys_name, &el); if (ret) goto done; if (el->num_values == 0) pwd = NULL; else pwd = (const char *)el->values[0].data; ret = sysdb_attrs_get_el(attrs, opts->user_map[SDAP_AT_USER_GECOS].sys_name, &el); if (ret) goto done; if (el->num_values == 0) gecos = NULL; else gecos = (const char *)el->values[0].data; if (!gecos) { /* Fall back to the user's full name */ ret = sysdb_attrs_get_el( attrs, opts->user_map[SDAP_AT_USER_FULLNAME].sys_name, &el); if (ret) goto done; if (el->num_values > 0) gecos = (const char *)el->values[0].data; } ret = sysdb_attrs_get_el(attrs, opts->user_map[SDAP_AT_USER_HOME].sys_name, &el); if (ret) goto done; if (el->num_values == 0) homedir = NULL; else homedir = (const char *)el->values[0].data; ret = sysdb_attrs_get_el(attrs, opts->user_map[SDAP_AT_USER_SHELL].sys_name, &el); if (ret) goto done; if (el->num_values == 0) shell = NULL; else shell = (const char *)el->values[0].data; /* Retrieve or map the UID as appropriate */ if (use_id_mapping) { DEBUG(SSSDBG_TRACE_LIBS, ("Mapping user [%s] objectSID to unix ID\n", name)); ret = sdap_attrs_get_sid_str( tmpctx, opts->idmap_ctx, attrs, opts->user_map[SDAP_AT_USER_OBJECTSID].sys_name, &sid_str); if (ret != EOK) goto done; /* Add string representation to the cache for easier * debugging */ ret = sysdb_attrs_add_string(user_attrs, SYSDB_SID_STR, sid_str); if (ret != EOK) goto done; /* Convert the SID into a UNIX user ID */ ret = sdap_idmap_sid_to_unix(opts->idmap_ctx, sid_str, &uid); if (ret == ENOTSUP) { DEBUG(SSSDBG_TRACE_FUNC, ("Skipping built-in object.\n")); ret = EOK; goto done; } else if (ret != EOK) { goto done; } /* Store the UID in the ldap_attrs so it doesn't get * treated as a missing attribute from LDAP and removed. */ ret = sdap_replace_id(attrs, SYSDB_UIDNUM, uid); if (ret) { DEBUG(SSSDBG_OP_FAILURE, ("Cannot set the id-mapped UID\n")); goto done; } } else { ret = sysdb_attrs_get_uint32_t(attrs, opts->user_map[SDAP_AT_USER_UID].sys_name, &uid); if (ret != EOK) { DEBUG(1, ("no uid provided for [%s] in domain [%s].\n", name, dom->name)); ret = EINVAL; goto done; } } /* check that the uid is valid for this domain */ if (OUT_OF_ID_RANGE(uid, dom->id_min, dom->id_max)) { DEBUG(2, ("User [%s] filtered out! (uid out of range)\n", name)); ret = EINVAL; goto done; } if (use_id_mapping) { ret = sysdb_attrs_get_uint32_t( attrs, opts->user_map[SDAP_AT_USER_PRIMARY_GROUP].sys_name, &primary_gid); if (ret != EOK) { DEBUG(SSSDBG_MINOR_FAILURE, ("no primary group ID provided for [%s] in domain [%s].\n", name, dom->name)); ret = EINVAL; goto done; } /* The primary group ID is just the RID part of the objectSID * of the group. Generate the GID by adding this to the domain * SID value. */ /* First, get the domain SID if we didn't do so above */ if (!dom_sid_str) { ret = sdap_idmap_get_dom_sid_from_object(tmpctx, sid_str, &dom_sid_str); if (ret != EOK) { DEBUG(SSSDBG_MINOR_FAILURE, ("Could not parse domain SID from [%s]\n", sid_str)); goto done; } } /* Add the RID to the end */ group_sid_str = talloc_asprintf(tmpctx, "%s-%lu", dom_sid_str, (unsigned long)primary_gid); if (!group_sid_str) { ret = ENOMEM; goto done; } /* Convert the SID into a UNIX group ID */ ret = sdap_idmap_sid_to_unix(opts->idmap_ctx, group_sid_str, &gid); if (ret != EOK) goto done; /* Store the GID in the ldap_attrs so it doesn't get * treated as a missing attribute from LDAP and removed. */ ret = sysdb_attrs_add_uint32(attrs, SYSDB_GIDNUM, gid); if (ret != EOK) goto done; } else { ret = sysdb_attrs_get_uint32_t(attrs, opts->user_map[SDAP_AT_USER_GID].sys_name, &gid); if (ret != EOK) { DEBUG(1, ("no gid provided for [%s] in domain [%s].\n", name, dom->name)); ret = EINVAL; goto done; } } /* check that the gid is valid for this domain */ if (OUT_OF_ID_RANGE(gid, dom->id_min, dom->id_max)) { DEBUG(2, ("User [%s] filtered out! (primary gid out of range)\n", name)); ret = EINVAL; goto done; } ret = sysdb_attrs_get_el(attrs, SYSDB_ORIG_DN, &el); if (ret) { goto done; } if (!el || el->num_values == 0) { DEBUG(SSSDBG_MINOR_FAILURE, ("originalDN is not available for [%s].\n", name)); } else { orig_dn = (const char *) el->values[0].data; DEBUG(SSSDBG_TRACE_INTERNAL, ("Adding originalDN [%s] to attributes " "of [%s].\n", orig_dn, name)); ret = sysdb_attrs_add_string(user_attrs, SYSDB_ORIG_DN, orig_dn); if (ret) { goto done; } } ret = sysdb_attrs_get_el(attrs, SYSDB_MEMBEROF, &el); if (ret) { goto done; } if (el->num_values == 0) { DEBUG(7, ("Original memberOf is not available for [%s].\n", name)); } else { DEBUG(7, ("Adding original memberOf attributes to [%s].\n", name)); for (i = 0; i < el->num_values; i++) { ret = sysdb_attrs_add_string(user_attrs, SYSDB_ORIG_MEMBEROF, (const char *) el->values[i].data); if (ret) { goto done; } } } ret = sdap_attrs_add_string(attrs, opts->user_map[SDAP_AT_USER_MODSTAMP].sys_name, "original mod-Timestamp", name, user_attrs); if (ret != EOK) { goto done; } ret = sysdb_attrs_get_el(attrs, opts->user_map[SDAP_AT_USER_USN].sys_name, &el); if (ret) { goto done; } if (el->num_values == 0) { DEBUG(7, ("Original USN value is not available for [%s].\n", name)); } else { ret = sysdb_attrs_add_string(user_attrs, opts->user_map[SDAP_AT_USER_USN].sys_name, (const char*)el->values[0].data); if (ret) { goto done; } usn_value = talloc_strdup(tmpctx, (const char*)el->values[0].data); if (!usn_value) { ret = ENOMEM; goto done; } } ret = sysdb_attrs_get_el(attrs, opts->user_map[SDAP_AT_USER_PRINC].sys_name, &el); if (ret) { goto done; } if (el->num_values == 0) { DEBUG(7, ("User principal is not available for [%s].\n", name)); } else { upn = talloc_strdup(user_attrs, (const char*) el->values[0].data); if (!upn) { ret = ENOMEM; goto done; } if (dp_opt_get_bool(opts->basic, SDAP_FORCE_UPPER_CASE_REALM)) { make_realm_upper_case(upn); } DEBUG(7, ("Adding user principal [%s] to attributes of [%s].\n", upn, name)); ret = sysdb_attrs_add_string(user_attrs, SYSDB_UPN, upn); if (ret) { goto done; } } for (i = SDAP_FIRST_EXTRA_USER_AT; i < SDAP_OPTS_USER; i++) { ret = sdap_attrs_add_list(attrs, opts->user_map[i].sys_name, NULL, name, user_attrs); if (ret) { goto done; } } cache_timeout = dom->user_timeout; if (is_initgr) { ret = sysdb_attrs_add_time_t(user_attrs, SYSDB_INITGR_EXPIRE, (cache_timeout ? (time(NULL) + cache_timeout) : 0)); if (ret) { goto done; } } ret = sdap_save_all_names(name, attrs, !dom->case_sensitive, user_attrs); if (ret != EOK) { DEBUG(1, ("Failed to save user names\n")); goto done; } /* Make sure that any attributes we requested from LDAP that we * did not receive are also removed from the sysdb */ ret = list_missing_attrs(user_attrs, opts->user_map, SDAP_OPTS_USER, attrs, &missing); if (ret != EOK) { goto done; } DEBUG(6, ("Storing info for user %s\n", name)); ret = sysdb_store_user(ctx, dom, name, pwd, uid, gid, gecos, homedir, shell, orig_dn, user_attrs, missing, cache_timeout, now); if (ret) goto done; if (_usn_value) { *_usn_value = talloc_steal(memctx, usn_value); } talloc_steal(memctx, user_attrs); ret = EOK; done: if (ret) { DEBUG(2, ("Failed to save user [%s]\n", name ? name : "Unknown")); } talloc_free(tmpctx); return ret; }