dpward / rpms / sssd

Forked from rpms/sssd 3 years ago
Clone
Blob Blame History Raw
From 2dfd383413d1c5bfc031f8396eccd1108c899e68 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 5 Nov 2014 15:58:04 +0100
Subject: [PATCH 101/104] IPA: check overrrides for IPA users as well

Currently overrides were only available for sub-domains, e.g. trusted AD
domains. With this patch overrides can be used for IPA users as well.

Related to https://fedorahosted.org/sssd/ticket/2481

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
 src/providers/ipa/ipa_id.c            | 405 +++++++++++++++++++++++++++++++++-
 src/providers/ipa/ipa_subdomains_id.c |  16 +-
 src/providers/ipa/ipa_views.c         |  15 ++
 3 files changed, 432 insertions(+), 4 deletions(-)

diff --git a/src/providers/ipa/ipa_id.c b/src/providers/ipa/ipa_id.c
index cd65f5b462c102ed502a014789a7232a93389b68..5665a1835e8b0ab18325bfc68a8d8b5650730943 100644
--- a/src/providers/ipa/ipa_id.c
+++ b/src/providers/ipa/ipa_id.c
@@ -56,6 +56,13 @@ static const char *ipa_account_info_error_text(int ret, int *dp_error,
     return default_text;
 }
 
+static struct tevent_req *
+ipa_id_get_account_info_send(TALLOC_CTX *memctx, struct tevent_context *ev,
+                             struct ipa_id_ctx *ipa_ctx, struct be_req *be_req,
+                             struct be_acct_req *ar);
+
+static int ipa_id_get_account_info_recv(struct tevent_req *req, int *dp_error);
+
 static struct tevent_req *ipa_id_get_netgroup_send(TALLOC_CTX *memctx,
                                                    struct tevent_context *ev,
                                                    struct ipa_id_ctx *ipa_ctx,
@@ -100,7 +107,9 @@ void ipa_account_info_handler(struct be_req *breq)
     } else {
         /* any account request is handled by sdap,
          * any invalid request is caught there. */
-        return sdap_handle_account_info(breq, ctx, ctx->conn);
+
+        req = ipa_id_get_account_info_send(breq, be_ctx->ev, ipa_ctx, breq,
+                                           ar);
     }
 
     if (!req) {
@@ -115,13 +124,18 @@ static void ipa_account_info_done(struct tevent_req *req)
     struct be_req *breq = tevent_req_callback_data(req, struct be_req);
     struct be_acct_req *ar = talloc_get_type(be_req_get_data(breq),
                                              struct be_acct_req);
+    struct be_ctx *be_ctx = be_req_get_be_ctx(breq);
     const char *error_text;
     int ret, dp_error;
 
     if ((ar->entry_type & BE_REQ_TYPE_MASK) == BE_REQ_NETGROUP) {
         ret = ipa_id_get_netgroup_recv(req, &dp_error);
     } else {
-        ret = ipa_subdomain_account_recv(req, &dp_error);
+        if (strcasecmp(ar->domain, be_ctx->domain->name) != 0) {
+            ret = ipa_subdomain_account_recv(req, &dp_error);
+        } else {
+            ret = ipa_id_get_account_info_recv(req, &dp_error);
+        }
     }
     talloc_zfree(req);
 
@@ -130,6 +144,393 @@ static void ipa_account_info_done(struct tevent_req *req)
     sdap_handler_done(breq, dp_error, ret, error_text);
 }
 
+struct ipa_id_get_account_info_state {
+    struct tevent_context *ev;
+    struct ipa_id_ctx *ipa_ctx;
+    struct sdap_id_ctx *ctx;
+    struct sdap_id_op *op;
+    struct sysdb_ctx *sysdb;
+    struct sss_domain_info *domain;
+    struct be_req *be_req;
+    struct be_acct_req *ar;
+    const char *realm;
+
+    struct sysdb_attrs *override_attrs;
+    struct ldb_message *obj_msg;
+    int dp_error;
+};
+
+static void ipa_id_get_account_info_connected(struct tevent_req *subreq);
+static void ipa_id_get_account_info_got_override(struct tevent_req *subreq);
+static errno_t ipa_id_get_account_info_get_original_step(struct tevent_req *req,
+                                                        struct be_acct_req *ar);
+static void ipa_id_get_account_info_orig_done(struct tevent_req *subreq);
+static void ipa_id_get_account_info_done(struct tevent_req *subreq);
+
+static struct tevent_req *
+ipa_id_get_account_info_send(TALLOC_CTX *memctx, struct tevent_context *ev,
+                             struct ipa_id_ctx *ipa_ctx, struct be_req *be_req,
+                             struct be_acct_req *ar)
+{
+    int ret;
+    struct tevent_req *req;
+    struct tevent_req *subreq;
+    struct ipa_id_get_account_info_state *state;
+
+    req = tevent_req_create(memctx, &state,
+                            struct ipa_id_get_account_info_state);
+    if (req == NULL) {
+        DEBUG(SSSDBG_OP_FAILURE, "tevent_req_create failed.\n");
+        return NULL;
+    }
+
+    state->ev = ev;
+    state->ipa_ctx = ipa_ctx;
+    state->ctx = ipa_ctx->sdap_id_ctx;
+    state->dp_error = DP_ERR_FATAL;
+
+    state->op = sdap_id_op_create(state, state->ctx->conn->conn_cache);
+    if (state->op == NULL) {
+        DEBUG(SSSDBG_OP_FAILURE, "sdap_id_op_create failed.\n");
+        ret = ENOMEM;
+        goto fail;
+    }
+
+    state->domain = find_domain_by_name(state->ctx->be->domain,
+                                        ar->domain, true);
+    if (state->domain == NULL) {
+        DEBUG(SSSDBG_OP_FAILURE, "find_domain_by_name failed.\n");
+        ret = ENOMEM;
+        goto fail;
+    }
+    state->sysdb = state->domain->sysdb;
+    state->be_req = be_req;
+    state->ar = ar;
+    state->realm = dp_opt_get_string(state->ipa_ctx->ipa_options->basic,
+                                     IPA_KRB5_REALM);
+    if (state->realm == NULL) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "No Kerberos realm for IPA?\n");
+        ret = EINVAL;
+        goto fail;
+    }
+
+    /* We can skip the override lookup and go directly to the original object
+     * if
+     * - the lookup is by SID
+     * - there is no view set of it is the default view
+     * - if the EXTRA_INPUT_MAYBE_WITH_VIEW flag is not set
+     */
+    if (state->ipa_ctx->view_name == NULL
+            || state->ar->filter_type == BE_FILTER_SECID
+            || strcmp(state->ipa_ctx->view_name,
+                      SYSDB_DEFAULT_VIEW_NAME) == 0
+            || state->ar->extra_value == NULL
+            || strcmp(state->ar->extra_value,
+                      EXTRA_INPUT_MAYBE_WITH_VIEW) != 0 ) {
+        ret = ipa_id_get_account_info_get_original_step(req, ar);
+        if (ret != EOK) {
+            DEBUG(SSSDBG_OP_FAILURE,
+                  "ipa_subdomain_account_get_original_step failed.\n");
+            goto fail;
+        }
+    } else {
+        subreq = sdap_id_op_connect_send(state->op, state, &ret);
+        if (subreq == NULL) {
+            DEBUG(SSSDBG_OP_FAILURE, "sdap_id_op_connect_send failed.\n");
+            goto fail;
+        }
+        tevent_req_set_callback(subreq, ipa_id_get_account_info_connected, req);
+    }
+
+    return req;
+
+fail:
+    tevent_req_error(req, ret);
+    tevent_req_post(req, ev);
+    return req;
+}
+
+static void ipa_id_get_account_info_connected(struct tevent_req *subreq)
+{
+    struct tevent_req *req = tevent_req_callback_data(subreq,
+                                                struct tevent_req);
+    struct ipa_id_get_account_info_state *state = tevent_req_data(req,
+                                          struct ipa_id_get_account_info_state);
+    int dp_error = DP_ERR_FATAL;
+    int ret;
+
+    ret = sdap_id_op_connect_recv(subreq, &dp_error);
+    talloc_zfree(subreq);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_OP_FAILURE, "sdap_id_op_connect request failed.\n");
+        goto fail;
+    }
+
+    subreq = ipa_get_ad_override_send(state, state->ev, state->ctx,
+                                      state->ipa_ctx->ipa_options, state->realm,
+                                      state->ipa_ctx->view_name, state->ar);
+    if (subreq == NULL) {
+        DEBUG(SSSDBG_OP_FAILURE, "ipa_get_ad_override_send failed.\n");
+        ret = ENOMEM;
+        goto fail;
+    }
+
+    tevent_req_set_callback(subreq, ipa_id_get_account_info_got_override, req);
+
+    return;
+
+fail:
+    state->dp_error = dp_error;
+    tevent_req_error(req, ret);
+    return;
+}
+
+static void ipa_id_get_account_info_got_override(struct tevent_req *subreq)
+{
+    struct tevent_req *req = tevent_req_callback_data(subreq,
+                                                struct tevent_req);
+    struct ipa_id_get_account_info_state *state = tevent_req_data(req,
+                                          struct ipa_id_get_account_info_state);
+    int dp_error = DP_ERR_FATAL;
+    int ret;
+    const char *anchor = NULL;
+    char *anchor_domain;
+    char *ipa_uuid;
+
+    ret = ipa_get_ad_override_recv(subreq, &dp_error, state,
+                                   &state->override_attrs);
+    talloc_zfree(subreq);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_OP_FAILURE, "IPA override lookup failed: %d\n", ret);
+        goto fail;
+    }
+
+    if (state->override_attrs != NULL) {
+        ret = sysdb_attrs_get_string(state->override_attrs,
+                                     SYSDB_OVERRIDE_ANCHOR_UUID,
+                                     &anchor);
+        if (ret != EOK) {
+            DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_string failed.\n");
+            goto fail;
+        }
+
+        ret = split_ipa_anchor(state, anchor, &anchor_domain, &ipa_uuid);
+        if (ret != EOK) {
+            DEBUG(SSSDBG_CRIT_FAILURE,
+                  "Unsupported override anchor [%s].\n", anchor);
+            ret = EINVAL;
+            goto fail;
+        }
+
+        if (strcmp(state->ar->domain, anchor_domain) == 0) {
+
+            ret = get_be_acct_req_for_uuid(state, ipa_uuid,
+                                           state->ar->domain,
+                                           &state->ar);
+            if (ret != EOK) {
+                DEBUG(SSSDBG_OP_FAILURE, "get_be_acct_req_for_sid failed.\n");
+                goto fail;
+            }
+        } else {
+            DEBUG(SSSDBG_MINOR_FAILURE,
+                  "Anchor from a different domain [%s], expected [%s]. " \
+                  "This is currently not supported, continue lookup in " \
+                  "local IPA domain.\n",
+                  anchor_domain, state->ar->domain);
+        }
+    }
+
+    ret = ipa_id_get_account_info_get_original_step(req, state->ar);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_OP_FAILURE,
+              "ipa_subdomain_account_get_original_step failed.\n");
+        goto fail;
+    }
+
+    return;
+
+fail:
+    state->dp_error = dp_error;
+    tevent_req_error(req, ret);
+    return;
+}
+
+static errno_t ipa_id_get_account_info_get_original_step(struct tevent_req *req,
+                                                         struct be_acct_req *ar)
+{
+    struct ipa_id_get_account_info_state *state = tevent_req_data(req,
+                                          struct ipa_id_get_account_info_state);
+    struct tevent_req *subreq;
+
+    subreq = sdap_handle_acct_req_send(state, state->be_req, ar,
+                                       state->ipa_ctx->sdap_id_ctx,
+                                       state->ipa_ctx->sdap_id_ctx->opts->sdom,
+                                       state->ipa_ctx->sdap_id_ctx->conn, true);
+    if (subreq == NULL) {
+        DEBUG(SSSDBG_OP_FAILURE, "sdap_handle_acct_req_send failed.\n");
+        return ENOMEM;
+    }
+    tevent_req_set_callback(subreq, ipa_id_get_account_info_orig_done, req);
+
+    return EOK;
+}
+
+static void ipa_id_get_account_info_orig_done(struct tevent_req *subreq)
+{
+    struct tevent_req *req = tevent_req_callback_data(subreq,
+                                                struct tevent_req);
+    struct ipa_id_get_account_info_state *state = tevent_req_data(req,
+                                          struct ipa_id_get_account_info_state);
+    int dp_error = DP_ERR_FATAL;
+    int ret;
+    const char *uuid;
+    const char *class;
+    enum sysdb_member_type type;
+
+    ret = sdap_handle_acct_req_recv(subreq, &dp_error, NULL, NULL);
+    talloc_zfree(subreq);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_OP_FAILURE, "sdap_handle_acct request failed: %d\n", ret);
+        goto fail;
+    }
+
+    ret = get_object_from_cache(state, state->domain, state->ar,
+                                &state->obj_msg);
+    if (ret == ENOENT) {
+        DEBUG(SSSDBG_MINOR_FAILURE, "Object not found, ending request\n");
+        tevent_req_done(req);
+        return;
+    } else if (ret != EOK) {
+        DEBUG(SSSDBG_OP_FAILURE, "get_object_from_cache failed.\n");
+        goto fail;
+    }
+
+    if (state->override_attrs == NULL) {
+        uuid = ldb_msg_find_attr_as_string(state->obj_msg, SYSDB_UUID, NULL);
+        if (uuid == NULL) {
+            DEBUG(SSSDBG_CRIT_FAILURE, "Cannot find a UUID.\n");
+            ret = EINVAL;
+            goto fail;
+        }
+
+        ret = get_be_acct_req_for_uuid(state, uuid, state->domain->name,
+                                       &state->ar);
+        if (ret != EOK) {
+            DEBUG(SSSDBG_OP_FAILURE, "get_be_acct_req_for_sid failed.\n");
+            goto fail;
+        }
+
+        subreq = ipa_get_ad_override_send(state, state->ev,
+                                          state->ipa_ctx->sdap_id_ctx,
+                                          state->ipa_ctx->ipa_options,
+                                          state->realm,
+                                          state->ipa_ctx->view_name,
+                                          state->ar);
+        if (subreq == NULL) {
+            DEBUG(SSSDBG_OP_FAILURE, "ipa_get_ad_override_send failed.\n");
+            ret = ENOMEM;
+            goto fail;
+        }
+        tevent_req_set_callback(subreq, ipa_id_get_account_info_done, req);
+        return;
+    } else {
+        class = ldb_msg_find_attr_as_string(state->obj_msg, SYSDB_OBJECTCLASS,
+                                            NULL);
+        if (class == NULL) {
+            DEBUG(SSSDBG_CRIT_FAILURE, "Cannot find an objectclass.\n");
+            ret = EINVAL;
+            goto fail;
+        }
+
+        if (strcmp(class, SYSDB_USER_CLASS) == 0) {
+            type = SYSDB_MEMBER_USER;
+        } else {
+            type = SYSDB_MEMBER_GROUP;
+        }
+
+        ret = sysdb_store_override(state->domain, state->ipa_ctx->view_name,
+                                   type,
+                                   state->override_attrs, state->obj_msg->dn);
+        if (ret != EOK) {
+            DEBUG(SSSDBG_OP_FAILURE, "sysdb_store_override failed.\n");
+            goto fail;
+        }
+    }
+
+    state->dp_error = DP_ERR_OK;
+    tevent_req_done(req);
+    return;
+
+fail:
+    state->dp_error = dp_error;
+    tevent_req_error(req, ret);
+    return;
+}
+
+static void ipa_id_get_account_info_done(struct tevent_req *subreq)
+{
+    struct tevent_req *req = tevent_req_callback_data(subreq,
+                                                struct tevent_req);
+    struct ipa_id_get_account_info_state *state = tevent_req_data(req,
+                                          struct ipa_id_get_account_info_state);
+    int dp_error = DP_ERR_FATAL;
+    int ret;
+    const char *class;
+    enum sysdb_member_type type;
+
+    ret = ipa_get_ad_override_recv(subreq, &dp_error, state,
+                                   &state->override_attrs);
+    talloc_zfree(subreq);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_OP_FAILURE, "IPA override lookup failed: %d\n", ret);
+        goto fail;
+    }
+
+    class = ldb_msg_find_attr_as_string(state->obj_msg, SYSDB_OBJECTCLASS,
+                                        NULL);
+    if (class == NULL) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot find an objectclass.\n");
+        ret = EINVAL;
+        goto fail;
+    }
+
+    if (strcmp(class, SYSDB_USER_CLASS) == 0) {
+        type = SYSDB_MEMBER_USER;
+    } else {
+        type = SYSDB_MEMBER_GROUP;
+    }
+
+    ret = sysdb_store_override(state->domain, state->ipa_ctx->view_name,
+                               type,
+                               state->override_attrs, state->obj_msg->dn);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_OP_FAILURE, "sysdb_store_override failed.\n");
+        goto fail;
+    }
+
+    state->dp_error = DP_ERR_OK;
+    tevent_req_done(req);
+    return;
+
+fail:
+    state->dp_error = dp_error;
+    tevent_req_error(req, ret);
+    return;
+}
+
+static int ipa_id_get_account_info_recv(struct tevent_req *req, int *dp_error)
+{
+    struct ipa_id_get_account_info_state *state = tevent_req_data(req,
+                                          struct ipa_id_get_account_info_state);
+
+    if (dp_error) {
+        *dp_error = state->dp_error;
+    }
+
+    TEVENT_REQ_RETURN_ON_ERROR(req);
+
+    return EOK;
+}
 
 /* Request for netgroups
  * - first start here and then go to ipa_netgroups.c
diff --git a/src/providers/ipa/ipa_subdomains_id.c b/src/providers/ipa/ipa_subdomains_id.c
index 891fc336483b507fd284b0c84b118534910ed9fc..ce5a6d1a1048eda4d8b7017bd92bc7ee76e66ef9 100644
--- a/src/providers/ipa/ipa_subdomains_id.c
+++ b/src/providers/ipa/ipa_subdomains_id.c
@@ -879,9 +879,21 @@ errno_t get_object_from_cache(TALLOC_CTX *mem_ctx,
 
         ret = EOK;
         goto done;
-    }
+    } else if (ar->filter_type == BE_FILTER_UUID) {
+        ret = sysdb_search_object_by_uuid(mem_ctx, dom, ar->filter_value, attrs,
+                                          &res);
+        if (ret != EOK) {
+            DEBUG(SSSDBG_OP_FAILURE,
+                  "Failed to make request to our cache: [%d]: [%s]\n",
+                   ret, sss_strerror(ret));
+            goto done;
+        }
 
-    if (ar->filter_type == BE_FILTER_IDNUM) {
+        *_msg = res->msgs[0];
+
+        ret = EOK;
+        goto done;
+    } else if (ar->filter_type == BE_FILTER_IDNUM) {
         errno = 0;
         id = strtouint32(ar->filter_value, NULL, 10);
         if (errno != 0) {
diff --git a/src/providers/ipa/ipa_views.c b/src/providers/ipa/ipa_views.c
index ee586894ec61b1b1330816c628bbc9617d58e31e..c768186d7cf5e5a997e2ca27a167b62c8dc99b3f 100644
--- a/src/providers/ipa/ipa_views.c
+++ b/src/providers/ipa/ipa_views.c
@@ -125,6 +125,21 @@ static errno_t be_acct_req_to_override_filter(TALLOC_CTX *mem_ctx,
         }
         break;
 
+    case BE_FILTER_UUID:
+        if ((ar->entry_type & BE_REQ_TYPE_MASK) == BE_REQ_BY_UUID) {
+            filter = talloc_asprintf(mem_ctx, "(&(objectClass=%s)(%s=:IPA:%s:%s))",
+                       ipa_opts->override_map[IPA_OC_OVERRIDE].name,
+                       ipa_opts->override_map[IPA_AT_OVERRIDE_ANCHOR_UUID].name,
+                       dp_opt_get_string(ipa_opts->basic, IPA_DOMAIN),
+                       ar->filter_value);
+        } else {
+            DEBUG(SSSDBG_CRIT_FAILURE,
+                  "Unexpected entry type [%d] for UUID filter.\n",
+                  ar->entry_type);
+            return EINVAL;
+        }
+        break;
+
     default:
         DEBUG(SSSDBG_OP_FAILURE, "Invalid sub-domain filter type.\n");
         return EINVAL;
-- 
1.9.3