Example #1
0
/*
 * Evaluate one "users:" promise.
 *
 * Flow: resolve the promise attributes, refuse anything that fails
 * UserSanityCheck(), take a per-user lock so that concurrent agents (or
 * concurrent promises for the same user/policy) presumably cannot edit the
 * account at the same time, then hand the compare/repair work to
 * VerifyOneUsersPromise() and report the outcome through cfPS().
 *
 * ctx: evaluation context passed through to the lock and reporting helpers.
 * pp:  the promise; pp->promiser is the account name being promised.
 *
 * Returns the PromiseResult produced by VerifyOneUsersPromise(),
 * PROMISE_RESULT_FAIL when the attributes fail the sanity check, or
 * PROMISE_RESULT_SKIPPED when the lock could not be taken.
 */
PromiseResult VerifyUsersPromise(EvalContext *ctx, Promise *pp)
{
    Attributes attrs = GetUserAttributes(ctx, pp);

    if (!UserSanityCheck(attrs, pp))
    {
        return PROMISE_RESULT_FAIL;
    }

    PromiseBanner(pp);

    /* Lock key is "user-<promiser>-<policy>".  snprintf() truncates rather
     * than overflows, so a promiser long enough to be cut off would share a
     * key with another one — assumed not to occur for account names (review
     * note: confirm if promisers can be arbitrary strings). */
    char lockkey[CF_BUFSIZE];
    snprintf(lockkey, CF_BUFSIZE - 1, "user-%s-%d", pp->promiser, attrs.users.policy);

    CfLock lock = AcquireLock(ctx, lockkey, VUQNAME, CFSTARTTIME, attrs.transaction, pp, false);
    if (lock.lock == NULL)
    {
        return PROMISE_RESULT_SKIPPED;
    }

    PromiseResult outcome = PROMISE_RESULT_NOOP;
    VerifyOneUsersPromise(pp->promiser, attrs.users, &outcome, attrs.transaction.action, ctx, &attrs, pp);

    if (outcome == PROMISE_RESULT_NOOP)
    {
        cfPS(ctx, LOG_LEVEL_INFO, PROMISE_RESULT_NOOP, pp, attrs, "User promise kept");
    }
    else if (outcome == PROMISE_RESULT_CHANGE)
    {
        cfPS(ctx, LOG_LEVEL_INFO, PROMISE_RESULT_CHANGE, pp, attrs, "User promise repaired");
    }
    else if (outcome == PROMISE_RESULT_FAIL
             || outcome == PROMISE_RESULT_DENIED
             || outcome == PROMISE_RESULT_TIMEOUT
             || outcome == PROMISE_RESULT_INTERRUPTED
             || outcome == PROMISE_RESULT_WARN)
    {
        /* All "not kept" outcomes are reported with their own result code. */
        cfPS(ctx, LOG_LEVEL_INFO, outcome, pp, attrs, "User promise not kept");
    }
    else
    {
        /* Any other value means VerifyOneUsersPromise() produced a result
         * code this reporter does not know about. */
        ProgrammingError("Unknown promise result");
    }

    YieldCurrentLock(lock);
    return outcome;
}
Example #2
0
/*
 * Refresh the cached Active Directory attributes for a user who is logging
 * on, and record the logon message that the LoginHook script later reads.
 *
 * The AD refresh is only attempted for an online logon.  In that case the
 * function switches the default Kerberos credential cache path to the
 * user's cache, activates the user's credential context, opens an LDAP
 * connection to the domain, reads the attributes for the user's SID, writes
 * them to the local cache and finally asks the Mac DirectoryService to drop
 * its cache.  An offline logon only gets the logon message refreshed.
 *
 * The cache-path switch is saved and restored around the work, i.e. it is
 * treated as shared (presumably process-wide) state, so every exit — the
 * normal path and every BAIL — runs the cleanup section, which deactivates
 * the context only if it was activated and restores the saved path.  A
 * failed restore is logged but not returned, so in that case the caller is
 * not told that the user's cache is still the default.
 *
 * pszUserUPN:    user principal name used to build the credential context.
 * pszUserDomain: AD domain used for the Kerberos init and the LDAP bind.
 * pszMessage:    text stored as the user's logon message.
 * bOnlineLogon:  TRUE when a DC is reachable and AD may be queried.
 *
 * Returns MAC_AD_ERROR_SUCCESS, or the first failure mapped through
 * LWGetMacError().
 */
DWORD
CollectCurrentADAttributesForUser(
    PSTR pszUserUPN,
    PSTR pszUserDomain,
    PSTR pszMessage,
    BOOLEAN bOnlineLogon
    )
{
    DWORD dwError = MAC_AD_ERROR_SUCCESS;
    PGPUSER_AD_ATTRS pAttrs = NULL;
    PADU_CRED_CONTEXT pCreds = NULL;
    BOOLEAN bCredsActivated = FALSE;
    PSTR pszSavedCachePath = NULL;
    HANDLE hLdap = (HANDLE)NULL;

    dwError = ADUBuildCredContext(NULL, pszUserUPN, bOnlineLogon, &pCreds);
    BAIL_ON_MAC_ERROR(dwError);

    /* The logon message is written relative to the user's home directory
     * path and is refreshed for online and offline logons alike. */
    dwError = CacheUserLoginMessage(pCreds->pszHomeDirPath, pszMessage);
    BAIL_ON_MAC_ERROR(dwError);

    if (!bOnlineLogon)
    {
        LOG("Offline logon, can't refresh AD user attributes for: user: %s, domain: %s", pszUserUPN, pszUserDomain);
        goto cleanup;
    }

    /* Logs the ccache path, UPN and domain only — no credential material. */
    LOG("Connecting to AD using these credentials: path: %s, user: %s, domain: %s", pCreds->pszCachePath, pszUserUPN, pszUserDomain);

    dwError = ADUInitKrb5(pszUserDomain);
    BAIL_ON_MAC_ERROR(dwError);

    /* Point the default ccache at the user's; the previous path is kept so
     * that cleanup can put it back. */
    dwError = ADUKrb5SetDefaultCachePath(pCreds->pszCachePath, &pszSavedCachePath);
    BAIL_ON_MAC_ERROR(dwError);

    dwError = ADUActivateCredContext(pCreds);
    BAIL_ON_MAC_ERROR(dwError);

    /* Set only after activation succeeded, so cleanup never deactivates a
     * context that was never active. */
    bCredsActivated = TRUE;

    dwError = ADUOpenLwLdapDirectory(pszUserDomain, &hLdap);
    BAIL_ON_MAC_ERROR(dwError);

    /* NOTE(review): dwError is a DWORD; if that is an unsigned type, %u is
     * the matching specifier for the error logs below. */
    dwError = GetUserAttributes(hLdap, pCreds->pszSID, pszUserDomain, &pAttrs);
    if (dwError)
    {
        LOG("Error (%d) while reading user AD attributes from domain DC", dwError);
        BAIL_ON_MAC_ERROR(dwError);
    }

    dwError = CacheUserAttributes(pCreds->uid, pAttrs);
    if (dwError)
    {
        LOG("Error (%d) while saving user AD attributes to cache", dwError);
        BAIL_ON_MAC_ERROR(dwError);
    }

    dwError = FlushDirectoryServiceCache();
    if (dwError)
    {
        LOG("Failed to flush the Mac DirectoryService cache. Error: %d", dwError);
        BAIL_ON_MAC_ERROR(dwError);
    }

cleanup:

    FreeUserAttributes(pAttrs);

    if (hLdap != (HANDLE)NULL)
    {
        LwLdapCloseDirectory(hLdap);
    }

    if (pCreds)
    {
        if (bCredsActivated)
        {
            ADUDeactivateCredContext(pCreds);
        }

        ADUFreeCredContext(pCreds);
    }

    if (pszSavedCachePath)
    {
        /* Restore the previous default ccache.  Kept separate from dwError
         * so a revert failure does not mask the primary result. */
        DWORD dwRevertError = ADUKrb5SetDefaultCachePath(pszSavedCachePath, NULL);

        if (dwRevertError)
        {
            LOG_ERROR("Failed to revert kerberos cache path [code:%d]", dwRevertError);
        }

        LwFreeMemory(pszSavedCachePath);
    }

    return LWGetMacError(dwError);

error:

    goto cleanup;

}