From a3cc501e36f5cf1e4a8187d723b53111f5481b36 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 30 Nov 2015 12:14:55 +0100
Subject: [PATCH 08/15] LDAP: always store the certificate from the request
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Store the certificate used to lookup a user as mapped attribute in the
cached user object.
Related to https://pagure.io/SSSD/sssd/issue/3050
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
---
src/db/sysdb.h | 1 +
src/db/sysdb_ops.c | 4 ++--
src/providers/ldap/ldap_id.c | 19 ++++++++++++++++++-
src/tests/cmocka/test_nss_srv.c | 2 +-
src/tests/cmocka/test_pam_srv.c | 6 +++---
src/tests/sysdb-tests.c | 4 ++--
6 files changed, 27 insertions(+), 9 deletions(-)
diff --git a/src/db/sysdb.h b/src/db/sysdb.h
index 098f47f91187aac75c58c02f0af738c344765762..3db22b3689bf6ffd9a48e29c229916e3fac9ca1b 100644
--- a/src/db/sysdb.h
+++ b/src/db/sysdb.h
@@ -139,6 +139,7 @@
#define SYSDB_AUTH_TYPE "authType"
#define SYSDB_USER_CERT "userCertificate"
+#define SYSDB_USER_MAPPED_CERT "userMappedCertificate"
#define SYSDB_USER_EMAIL "mail"
#define SYSDB_SUBDOMAIN_REALM "realmName"
diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
index 6c2254df2b75d3d3419528523103ad9cddb40c9d..8ae25764478e522255b177f9e8de1d3ca1ad43fd 100644
--- a/src/db/sysdb_ops.c
+++ b/src/db/sysdb_ops.c
@@ -4660,7 +4660,7 @@ errno_t sysdb_search_object_by_cert(TALLOC_CTX *mem_ctx,
int ret;
char *user_filter;
- ret = sss_cert_derb64_to_ldap_filter(mem_ctx, cert, SYSDB_USER_CERT,
+ ret = sss_cert_derb64_to_ldap_filter(mem_ctx, cert, SYSDB_USER_MAPPED_CERT,
&user_filter);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "sss_cert_derb64_to_ldap_filter failed.\n");
@@ -4749,7 +4749,7 @@ errno_t sysdb_remove_mapped_data(struct sss_domain_info *domain,
errno_t sysdb_remove_cert(struct sss_domain_info *domain,
const char *cert)
{
- struct ldb_message_element el = { 0, SYSDB_USER_CERT, 0, NULL };
+ struct ldb_message_element el = { 0, SYSDB_USER_MAPPED_CERT, 0, NULL };
struct sysdb_attrs del_attrs = { 1, &el };
const char *attrs[] = {SYSDB_NAME, NULL};
struct ldb_result *res = NULL;
diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c
index 898ddb18689d55fcc3fdf021b38df0e574003eb2..a8b4bc2cfc6e9d4e0d74b0e3e036afbcbf7eb26e 100644
--- a/src/providers/ldap/ldap_id.c
+++ b/src/providers/ldap/ldap_id.c
@@ -60,6 +60,7 @@ struct users_get_state {
int dp_error;
int sdap_ret;
bool noexist_delete;
+ struct sysdb_attrs *extra_attrs;
};
static int users_get_retry(struct tevent_req *req);
@@ -99,6 +100,7 @@ struct tevent_req *users_get_send(TALLOC_CTX *memctx,
state->conn = conn;
state->dp_error = DP_ERR_FATAL;
state->noexist_delete = noexist_delete;
+ state->extra_attrs = NULL;
state->op = sdap_id_op_create(state, state->conn->conn_cache);
if (!state->op) {
@@ -251,6 +253,21 @@ struct tevent_req *users_get_send(TALLOC_CTX *memctx,
"sss_cert_derb64_to_ldap_filter failed.\n");
goto done;
}
+
+ state->extra_attrs = sysdb_new_attrs(state);
+ if (state->extra_attrs == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_new_attrs failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = sysdb_attrs_add_base64_blob(state->extra_attrs,
+ SYSDB_USER_MAPPED_CERT, filter_value);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_add_base64_blob failed.\n");
+ goto done;
+ }
+
break;
default:
ret = EINVAL;
@@ -442,7 +459,7 @@ static void users_get_search(struct tevent_req *req)
state->attrs, state->filter,
dp_opt_get_int(state->ctx->opts->basic,
SDAP_SEARCH_TIMEOUT),
- lookup_type, NULL);
+ lookup_type, state->extra_attrs);
if (!subreq) {
tevent_req_error(req, ENOMEM);
return;
diff --git a/src/tests/cmocka/test_nss_srv.c b/src/tests/cmocka/test_nss_srv.c
index 72bbaf9bf35ebb3fc4208afaa3c7af95922afcb0..76b9c6fb05673130de0957e93291919c263a28f3 100644
--- a/src/tests/cmocka/test_nss_srv.c
+++ b/src/tests/cmocka/test_nss_srv.c
@@ -3508,7 +3508,7 @@ static void test_nss_getnamebycert(void **state)
der = sss_base64_decode(nss_test_ctx, TEST_TOKEN_CERT, &der_size);
assert_non_null(der);
- ret = sysdb_attrs_add_mem(attrs, SYSDB_USER_CERT, der, der_size);
+ ret = sysdb_attrs_add_mem(attrs, SYSDB_USER_MAPPED_CERT, der, der_size);
talloc_free(der);
assert_int_equal(ret, EOK);
diff --git a/src/tests/cmocka/test_pam_srv.c b/src/tests/cmocka/test_pam_srv.c
index ae2e555f7024027d1c0063031f8882bf81a31905..847419658bb983e6548722d6fa6fb22c63ee86b8 100644
--- a/src/tests/cmocka/test_pam_srv.c
+++ b/src/tests/cmocka/test_pam_srv.c
@@ -1598,7 +1598,7 @@ static int test_lookup_by_cert_cb(void *pvt)
der = sss_base64_decode(pam_test_ctx, pvt, &der_size);
assert_non_null(der);
- ret = sysdb_attrs_add_mem(attrs, SYSDB_USER_CERT, der, der_size);
+ ret = sysdb_attrs_add_mem(attrs, SYSDB_USER_MAPPED_CERT, der, der_size);
talloc_free(der);
assert_int_equal(ret, EOK);
@@ -1630,7 +1630,7 @@ static int test_lookup_by_cert_double_cb(void *pvt)
der = sss_base64_decode(pam_test_ctx, pvt, &der_size);
assert_non_null(der);
- ret = sysdb_attrs_add_mem(attrs, SYSDB_USER_CERT, der, der_size);
+ ret = sysdb_attrs_add_mem(attrs, SYSDB_USER_MAPPED_CERT, der, der_size);
talloc_free(der);
assert_int_equal(ret, EOK);
@@ -1658,7 +1658,7 @@ static int test_lookup_by_cert_wrong_user_cb(void *pvt)
der = sss_base64_decode(pam_test_ctx, pvt, &der_size);
assert_non_null(der);
- ret = sysdb_attrs_add_mem(attrs, SYSDB_USER_CERT, der, der_size);
+ ret = sysdb_attrs_add_mem(attrs, SYSDB_USER_MAPPED_CERT, der, der_size);
talloc_free(der);
assert_int_equal(ret, EOK);
diff --git a/src/tests/sysdb-tests.c b/src/tests/sysdb-tests.c
index c343c734a27a335303974b6866a5d9e88d4c307e..5bdd631fbfa1b4463fb169e5f07b65fb2c784096 100644
--- a/src/tests/sysdb-tests.c
+++ b/src/tests/sysdb-tests.c
@@ -5721,7 +5721,7 @@ START_TEST(test_sysdb_search_user_by_cert)
val.data = sss_base64_decode(test_ctx, TEST_USER_CERT_DERB64, &val.length);
fail_unless(val.data != NULL, "sss_base64_decode failed.");
- ret = sysdb_attrs_add_val(data->attrs, SYSDB_USER_CERT, &val);
+ ret = sysdb_attrs_add_val(data->attrs, SYSDB_USER_MAPPED_CERT, &val);
fail_unless(ret == EOK, "sysdb_attrs_add_val failed with [%d][%s].",
ret, strerror(ret));
@@ -5750,7 +5750,7 @@ START_TEST(test_sysdb_search_user_by_cert)
data2 = test_data_new_user(test_ctx, 2345671);
fail_if(data2 == NULL);
- ret = sysdb_attrs_add_val(data2->attrs, SYSDB_USER_CERT, &val);
+ ret = sysdb_attrs_add_val(data2->attrs, SYSDB_USER_MAPPED_CERT, &val);
fail_unless(ret == EOK, "sysdb_attrs_add_val failed with [%d][%s].",
ret, strerror(ret));
--
2.9.3