From 91c099a993252680f103084431b1d0f5798d8a24 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Tue, 21 Mar 2017 14:14:42 +0100
Subject: [PATCH 31/36] SECRETS: Store ccaches in secrets for the KCM responder
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Adds a new "hive" to the secrets responder whose base path is /kcm. Only
root can contact the /kcm hive, because the KCM responder only runs as
root and it must impersonate other users and store ccaches on their behalf.
Reviewed-by: Michal Židek <mzidek@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
---
src/responder/secrets/local.c | 16 +++++++-
src/responder/secrets/providers.c | 71 ++++++++++++++++++++++++++++++----
src/responder/secrets/secsrv_private.h | 10 ++++-
3 files changed, 86 insertions(+), 11 deletions(-)
diff --git a/src/responder/secrets/local.c b/src/responder/secrets/local.c
index 26c97a2849febbf0ac482d526cf927bfc103b4f2..02007ada8b673071ecba033df0eb3f81af93fcbd 100644
--- a/src/responder/secrets/local.c
+++ b/src/responder/secrets/local.c
@@ -26,6 +26,9 @@
#define MKEY_SIZE (256 / 8)
+#define SECRETS_BASEDN "cn=secrets"
+#define KCM_BASEDN "cn=kcm"
+
struct local_context {
struct ldb_context *ldb;
struct sec_data master_key;
@@ -119,6 +122,7 @@ static int local_encrypt(struct local_context *lctx, TALLOC_CTX *mem_ctx,
static int local_db_dn(TALLOC_CTX *mem_ctx,
struct ldb_context *ldb,
+ const char *basedn,
const char *req_path,
struct ldb_dn **req_dn)
{
@@ -126,7 +130,7 @@ static int local_db_dn(TALLOC_CTX *mem_ctx,
const char *s, *e;
int ret;
- dn = ldb_dn_new(mem_ctx, ldb, "cn=secrets");
+ dn = ldb_dn_new(mem_ctx, ldb, basedn);
if (!dn) {
ret = ENOMEM;
goto done;
@@ -738,6 +742,11 @@ static int local_secrets_map_path(TALLOC_CTX *mem_ctx,
lc_req->path = talloc_strdup(lc_req,
secreq->mapped_path + (sizeof(SEC_BASEPATH) - 1));
basedn = SECRETS_BASEDN;
+ } else if (strncmp(secreq->mapped_path,
+ SEC_KCM_BASEPATH, sizeof(SEC_KCM_BASEPATH) - 1) == 0) {
+ lc_req->path = talloc_strdup(lc_req,
+ secreq->mapped_path + (sizeof(SEC_KCM_BASEPATH) - 1));
+ basedn = KCM_BASEDN;
} else {
ret = EINVAL;
goto done;
@@ -820,7 +829,10 @@ static struct tevent_req *local_secret_req(TALLOC_CTX *mem_ctx,
DEBUG(SSSDBG_TRACE_LIBS, "Content-Type: %s\n", content_type);
ret = local_secrets_map_path(state, lctx->ldb, secreq, &lc_req);
- if (ret) goto done;
+ if (ret) {
+ DEBUG(SSSDBG_OP_FAILURE, "Cannot map request path to local path\n");
+ goto done;
+ }
switch (secreq->method) {
case HTTP_GET:
diff --git a/src/responder/secrets/providers.c b/src/responder/secrets/providers.c
index eba555d2e422d08db211979422a2957e48b51589..94831c73036d269addca45c0117811a2c68873fd 100644
--- a/src/responder/secrets/providers.c
+++ b/src/responder/secrets/providers.c
@@ -24,6 +24,14 @@
#include "responder/secrets/secsrv_proxy.h"
#include <jansson.h>
+typedef int (*url_mapper_fn)(struct sec_req_ctx *secreq,
+ char **mapped_path);
+
+struct url_pfx_router {
+ const char *prefix;
+ url_mapper_fn mapper_fn;
+};
+
static int sec_map_url_to_user_path(struct sec_req_ctx *secreq,
char **mapped_path)
{
@@ -42,10 +50,43 @@ static int sec_map_url_to_user_path(struct sec_req_ctx *secreq,
return ENOMEM;
}
- DEBUG(SSSDBG_TRACE_LIBS, "User-specific path is [%s]\n", *mapped_path);
+ DEBUG(SSSDBG_TRACE_LIBS,
+ "User-specific secrets path is [%s]\n", *mapped_path);
return EOK;
}
+static int kcm_map_url_to_path(struct sec_req_ctx *secreq,
+ char **mapped_path)
+{
+ uid_t c_euid;
+
+ c_euid = client_euid(secreq->cctx->creds);
+ if (c_euid != KCM_PEER_UID) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "UID %"SPRIuid" is not allowed to access "
+ "the "SEC_KCM_BASEPATH" hive\n",
+ c_euid);
+ return EPERM;
+ }
+
+ *mapped_path = talloc_strdup(secreq, secreq->parsed_url.path );
+ if (!*mapped_path) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to map request to user specific url\n");
+ return ENOMEM;
+ }
+
+ DEBUG(SSSDBG_TRACE_LIBS,
+ "User-specific KCM path is [%s]\n", *mapped_path);
+ return EOK;
+}
+
+static struct url_pfx_router secrets_url_mapping[] = {
+ { SEC_BASEPATH, sec_map_url_to_user_path },
+ { SEC_KCM_BASEPATH, kcm_map_url_to_path },
+ { NULL, NULL },
+};
+
int sec_req_routing(TALLOC_CTX *mem_ctx, struct sec_req_ctx *secreq,
struct provider_handle **handle)
{
@@ -55,21 +96,35 @@ int sec_req_routing(TALLOC_CTX *mem_ctx, struct sec_req_ctx *secreq,
char *provider;
int num_sections;
int ret;
+ url_mapper_fn mapper_fn = NULL;
sctx = talloc_get_type(secreq->cctx->rctx->pvt_ctx, struct sec_ctx);
- /* patch must start with /secrets/ for now */
- ret = strncasecmp(secreq->parsed_url.path,
- SEC_BASEPATH, sizeof(SEC_BASEPATH) - 1);
- if (ret != 0) {
+ for (int i = 0; secrets_url_mapping[i].prefix != NULL; i++) {
+ if (strncasecmp(secreq->parsed_url.path,
+ secrets_url_mapping[i].prefix,
+ strlen(secrets_url_mapping[i].prefix)) == 0) {
+ DEBUG(SSSDBG_TRACE_LIBS,
+ "Mapping prefix %s\n", secrets_url_mapping[i].prefix);
+ mapper_fn = secrets_url_mapping[i].mapper_fn;
+ break;
+ }
+ }
+
+ if (mapper_fn == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE,
- "Path [%s] does not start with "SEC_BASEPATH"\n",
+ "Path [%s] does not start with any allowed prefix\n",
secreq->parsed_url.path);
return EPERM;
}
- ret = sec_map_url_to_user_path(secreq, &secreq->mapped_path);
- if (ret) return ret;
+ ret = mapper_fn(secreq, &secreq->mapped_path);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to map the user path [%d]: %s\n",
+ ret, sss_strerror(ret));
+ return ret;
+ }
/* source default provider */
ret = confdb_get_string(secreq->cctx->rctx->cdb, mem_ctx,
diff --git a/src/responder/secrets/secsrv_private.h b/src/responder/secrets/secsrv_private.h
index 1c3fbd8eadb237551233f048503ddc01b4ba00ae..a8544f656517a17fe4576247779bff4850beaf97 100644
--- a/src/responder/secrets/secsrv_private.h
+++ b/src/responder/secrets/secsrv_private.h
@@ -101,7 +101,15 @@ int sec_get_provider(struct sec_ctx *sctx, const char *name,
struct provider_handle **out_handle);
int sec_add_provider(struct sec_ctx *sctx, struct provider_handle *handle);
-#define SEC_BASEPATH "/secrets/"
+#define SEC_BASEPATH "/secrets/"
+#define SEC_KCM_BASEPATH "/kcm/"
+
+/* The KCM responder must "impersonate" the owner of the credentials.
+ * Only a trusted UID can do that -- root by default, but unit
+ * tests might choose otherwise */
+#ifndef KCM_PEER_UID
+#define KCM_PEER_UID 0
+#endif /* KCM_PEER_UID */
/* providers.c */
int sec_req_routing(TALLOC_CTX *mem_ctx, struct sec_req_ctx *secreq,
--
2.9.3