From 0aeae1d16bedd0f39f788644167675a99d30c3b2 Mon Sep 17 00:00:00 2001

From: Nathaniel McCallum <npmccallum@redhat.com>

Date: Tue, 11 Nov 2014 12:05:23 -0500

Subject: [PATCH] Enable last token deletion when password auth type is

 configured

Also, ensure that the last token check only executes on DNs/entries that

are tokens. This resolves a large performance issue where a query was

being performed to load all the user's tokens on every del/mod operation.

https://fedorahosted.org/freeipa/ticket/4697

https://fedorahosted.org/freeipa/ticket/4719

Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>

---

 .../ipa-otp-lasttoken/ipa_otp_lasttoken.c          | 243 +++++++++++++++------

 1 file changed, 173 insertions(+), 70 deletions(-)

diff --git a/daemons/ipa-slapi-plugins/ipa-otp-lasttoken/ipa_otp_lasttoken.c b/daemons/ipa-slapi-plugins/ipa-otp-lasttoken/ipa_otp_lasttoken.c

index 19217ba7fbf562231dd74b25cfd13a0f4d930e7c..233813745795344f31a7dcf1931cf74a09f1e552 100644

--- a/daemons/ipa-slapi-plugins/ipa-otp-lasttoken/ipa_otp_lasttoken.c

+++ b/daemons/ipa-slapi-plugins/ipa-otp-lasttoken/ipa_otp_lasttoken.c

@@ -46,112 +46,171 @@

 #include "util.h"

-#define PLUGIN_NAME               "ipa-otp-lasttoken"

-

-static void *plugin_id;

-static const Slapi_PluginDesc preop_desc = {

-    PLUGIN_NAME,

-    "FreeIPA",

-    "FreeIPA/1.0",

-    "Protect the user's last active token"

-};

-

-static bool

-target_is_only_enabled_token(Slapi_PBlock *pb)

+#define PLUGIN_NAME "ipa-otp-lasttoken"

+#define OTP_CONTAINER "cn=otp,%s"

+

+static struct otp_config *otp_config;

+

+static bool entry_is_token(Slapi_Entry *entry)

 {

-    Slapi_DN *target_sdn = NULL;

-    Slapi_DN *token_sdn = NULL;

-    struct otp_token **tokens;

-    char *user_dn = NULL;

-    bool match;

+    char **ocls;

-    /* Ignore internal operations. */

-    if (slapi_op_internal(pb))

+    ocls = slapi_entry_attr_get_charray(entry, SLAPI_ATTR_OBJECTCLASS);

+    for (size_t i = 0; ocls != NULL && ocls[i] != NULL; i++) {

+        if (strcasecmp(ocls[i], "ipaToken") == 0) {

+            slapi_ch_array_free(ocls);

+            return true;

+        }

+    }

+

+    return false;

+}

+

+static bool sdn_in_otp_container(Slapi_DN *sdn)

+{

+    const Slapi_DN *base;

+    Slapi_DN *container;

+    bool result;

+    char *dn;

+

+    base = slapi_get_suffix_by_dn(sdn);

+    if (base == NULL)

         return false;

-    /* Get the current user's SDN. */

-    slapi_pblock_get(pb, SLAPI_CONN_DN, &user_dn);

-    if (user_dn == NULL)

+    dn = slapi_ch_smprintf(OTP_CONTAINER, slapi_sdn_get_dn(base));

+    if (dn == NULL)

         return false;

-    /* Get the SDN of the only enabled token. */

-    tokens = otp_token_find(plugin_id, user_dn, NULL, true, NULL);

-    if (tokens != NULL && tokens[0] != NULL && tokens[1] == NULL)

-        token_sdn = slapi_sdn_dup(otp_token_get_sdn(tokens[0]));

+    container = slapi_sdn_new_dn_passin(dn);

+    result = slapi_sdn_issuffix(sdn, container);

+    slapi_sdn_free(&container);

+

+    return result;

+}

+

+static bool sdn_is_only_enabled_token(Slapi_DN *target_sdn, const char *user_dn)

+{

+    struct otp_token **tokens;

+    bool result = false;

+

+    tokens = otp_token_find(otp_config, user_dn, NULL, true, NULL);

+

+    if (tokens != NULL && tokens[0] != NULL && tokens[1] == NULL) {

+        const Slapi_DN *token_sdn = otp_token_get_sdn(tokens[0]);

+        if (token_sdn != NULL)

+            result = slapi_sdn_compare(token_sdn, target_sdn) == 0;

+    }

+

     otp_token_free_array(tokens);

-    if (token_sdn == NULL)

+    return result;

+}

+

+static bool is_pwd_enabled(const char *user_dn)

+{

+    char *attrs[] = { "ipaUserAuthType", NULL };

+    Slapi_Entry *entry = NULL;

+    uint32_t authtypes;

+    Slapi_DN *sdn;

+

+    sdn = slapi_sdn_new_dn_byval(user_dn);

+    if (sdn == NULL)

         return false;

-    /* Get the target SDN. */

-    slapi_pblock_get(pb, SLAPI_TARGET_SDN, &target_sdn);

-    if (target_sdn == NULL) {

-        slapi_sdn_free(&token_sdn);

+    slapi_search_internal_get_entry(sdn, attrs, &entry,

+                                    otp_config_plugin_id(otp_config));

+    slapi_sdn_free(&sdn;;

+    if (entry == NULL)

+        return false;

+

+    authtypes = otp_config_auth_types(otp_config, entry);

+    slapi_entry_free(entry);

+

+    return authtypes & OTP_CONFIG_AUTH_TYPE_PASSWORD;

+}

+

+static bool is_allowed(Slapi_PBlock *pb, Slapi_Entry *entry)

+{

+    Slapi_DN *target_sdn = NULL;

+    const char *bind_dn;

+

+    /* Ignore internal operations. */

+    if (slapi_op_internal(pb))

+        return true;

+

+    /* Load parameters. */

+    (void) slapi_pblock_get(pb, SLAPI_TARGET_SDN, &target_sdn);

+    (void) slapi_pblock_get(pb, SLAPI_CONN_DN, &bind_dn);

+    if (target_sdn == NULL || bind_dn == NULL) {

+        LOG_FATAL("Missing parameters!\n");

         return false;

     }

-    /* Does the target SDN match the only enabled token SDN? */

-    match = slapi_sdn_compare(token_sdn, target_sdn) == 0;

-    slapi_sdn_free(&token_sdn);

-    return match;

+    if (entry != NULL

+            ? !entry_is_token(entry)

+            : !sdn_in_otp_container(target_sdn))

+        return true;

+

+    if (!sdn_is_only_enabled_token(target_sdn, bind_dn))

+        return true;

+

+    if (is_pwd_enabled(bind_dn))

+        return true;

+

+    return false;

 }

-static inline int

-send_error(Slapi_PBlock *pb, int rc, char *errstr)

+static inline int send_error(Slapi_PBlock *pb, int rc, const char *errstr)

 {

-    slapi_send_ldap_result(pb, rc, NULL, errstr, 0, NULL);

+    slapi_send_ldap_result(pb, rc, NULL, (char *) errstr, 0, NULL);

     if (slapi_pblock_set(pb, SLAPI_RESULT_CODE, &rc)) {

         LOG_FATAL("slapi_pblock_set failed!\n");

     }

     return rc;

 }

-static int

-preop_del(Slapi_PBlock *pb)

+static int preop_del(Slapi_PBlock *pb)

 {

-    if (!target_is_only_enabled_token(pb))

+    if (is_allowed(pb, NULL))

         return 0;

     return send_error(pb, LDAP_UNWILLING_TO_PERFORM,

                       "Can't delete last active token");

 }

-static int

-preop_mod(Slapi_PBlock *pb)

+static int preop_mod(Slapi_PBlock *pb)

 {

-    LDAPMod **mods = NULL;

+    static const struct {

+        const char *attr;

+        const char *msg;

+    } errors[] = {

+        {"ipatokenDisabled",  "Can't disable last active token"},

+        {"ipatokenOwner",     "Can't change last active token's owner"},

+        {"ipatokenNotBefore", "Can't change last active token's start time"},

+        {"ipatokenNotAfter",  "Can't change last active token's end time"},

+        {}

+    };

-    if (!target_is_only_enabled_token(pb))

-        return 0;

+    const LDAPMod **mods = NULL;

+    Slapi_Entry *entry = NULL;

-    /* Do not permit deactivation of the last active token. */

-    slapi_pblock_get(pb, SLAPI_MODIFY_MODS, &mods;;

-    for (int i = 0; mods != NULL && mods[i] != NULL; i++) {

-        if (strcasecmp(mods[i]->mod_type, "ipatokenDisabled") == 0) {

-            return send_error(pb, LDAP_UNWILLING_TO_PERFORM,

-                              "Can't disable last active token");

-        }

+    (void) slapi_pblock_get(pb, SLAPI_ENTRY_PRE_OP, &entry);

+    (void) slapi_pblock_get(pb, SLAPI_MODIFY_MODS, &mods;;

-        if (strcasecmp(mods[i]->mod_type, "ipatokenOwner") == 0) {

-            return send_error(pb, LDAP_UNWILLING_TO_PERFORM,

-                              "Can't change last active token's owner");

-        }

-

-        if (strcasecmp(mods[i]->mod_type, "ipatokenNotBefore") == 0) {

-            return send_error(pb, LDAP_UNWILLING_TO_PERFORM,

-                              "Can't change last active token's start time");

-        }

+    if (is_allowed(pb, entry))

+        return 0;

-        if (strcasecmp(mods[i]->mod_type, "ipatokenNotAfter") == 0) {

-            return send_error(pb, LDAP_UNWILLING_TO_PERFORM,

-                              "Can't change last active token's end time");

+    /* If a protected attribute is modified, deny. */

+    for (int i = 0; mods != NULL && mods[i] != NULL; i++) {

+        for (int j = 0; errors[j].attr != NULL; j++) {

+            if (strcasecmp(mods[i]->mod_type, errors[j].attr) == 0)

+                return send_error(pb, LDAP_UNWILLING_TO_PERFORM, errors[j].msg);

         }

     }

     return 0;

 }

-static int

-preop_init(Slapi_PBlock *pb)

+static int preop_init(Slapi_PBlock *pb)

 {

     int ret = 0;

@@ -160,15 +219,59 @@ preop_init(Slapi_PBlock *pb)

     return ret;

 }

-int

-ipa_otp_lasttoken_init(Slapi_PBlock *pb)

+static int update_config(Slapi_PBlock *pb)

+{

+    otp_config_update(otp_config, pb);

+    return 0;

+}

+

+static int intpostop_init(Slapi_PBlock *pb)

+{

+    int ret = 0;

+

+    ret |= slapi_pblock_set(pb, SLAPI_PLUGIN_INTERNAL_POST_ADD_FN,    (void *) update_config);

+    ret |= slapi_pblock_set(pb, SLAPI_PLUGIN_INTERNAL_POST_DELETE_FN, (void *) update_config);

+    ret |= slapi_pblock_set(pb, SLAPI_PLUGIN_INTERNAL_POST_MODIFY_FN, (void *) update_config);

+    ret |= slapi_pblock_set(pb, SLAPI_PLUGIN_INTERNAL_POST_MODRDN_FN, (void *) update_config);

+

+    return ret;

+}

+

+static int postop_init(Slapi_PBlock *pb)

 {

     int ret = 0;

+    ret |= slapi_pblock_set(pb, SLAPI_PLUGIN_POST_ADD_FN,    (void *) update_config);

+    ret |= slapi_pblock_set(pb, SLAPI_PLUGIN_POST_DELETE_FN, (void *) update_config);

+    ret |= slapi_pblock_set(pb, SLAPI_PLUGIN_POST_MODIFY_FN, (void *) update_config);

+    ret |= slapi_pblock_set(pb, SLAPI_PLUGIN_POST_MODRDN_FN, (void *) update_config);

+

+    return ret;

+}

+

+int ipa_otp_lasttoken_init(Slapi_PBlock *pb)

+{

+    static const Slapi_PluginDesc preop_desc = {

+        PLUGIN_NAME,

+        "FreeIPA",

+        "FreeIPA/1.0",

+        "Protect the user's last active token"

+    };

+

+    Slapi_ComponentId *plugin_id = NULL;

+    int ret = 0;

+

     ret |= slapi_pblock_get(pb, SLAPI_PLUGIN_IDENTITY, &plugin_id);

     ret |= slapi_pblock_set(pb, SLAPI_PLUGIN_VERSION, SLAPI_PLUGIN_VERSION_01);

     ret |= slapi_pblock_set(pb, SLAPI_PLUGIN_DESCRIPTION, (void *) &preop_desc);

     ret |= slapi_register_plugin("betxnpreoperation", 1, __func__, preop_init,

-                                 PLUGIN_NAME, NULL, plugin_id);

+                                 PLUGIN_NAME " betxnpreoperation", NULL, plugin_id);

+    ret |= slapi_register_plugin("postoperation", 1, __func__, postop_init,

+                                 PLUGIN_NAME " postoperation", NULL, plugin_id);

+    ret |= slapi_register_plugin("internalpostoperation", 1, __func__, intpostop_init,

+                                 PLUGIN_NAME " internalpostoperation", NULL, plugin_id);

+

+    /* NOTE: leak otp_config on process exit. */

+    otp_config = otp_config_init(plugin_id);

     return ret;

 }

-- 

2.1.0