
From 3d2a1323cc24a2af3a0ebaa4bb6096ae49c3a12d Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 9 Jul 2018 18:56:26 +0200
Subject: [PATCH 12/19] PAM: add certificate matching rules from all domains
71e593
Currently the PAM responder only reads the certificate mapping and
71e593
matching rules from the first domain. To support Smartcard
71e593
authentication for local and remote users all configured domains must be
71e593
taken into account.
71e593
Related to https://pagure.io/SSSD/sssd/issue/3500
71e593
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
71e593
(cherry picked from commit d42f44d54453d3ddb54875374c1b61dc1e7cd821)
71e593
---
71e593
 src/responder/pam/pamsrv.h     |  2 +-
71e593
 src/responder/pam/pamsrv_cmd.c |  2 +-
71e593
 src/responder/pam/pamsrv_p11.c | 77 +++++++++++++++++++++++++++---------------
71e593
 3 files changed, 51 insertions(+), 30 deletions(-)
71e593
diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h
index d189cccbaa1db7c00d03cf138b290c7ce99ca9a9..5d877566fc7bacced4f6385f1eae344a9e6d8bd4 100644
--- a/src/responder/pam/pamsrv.h
+++ b/src/responder/pam/pamsrv.h
@@ -114,7 +114,7 @@ errno_t add_pam_cert_response(struct pam_data *pd, const char *sysdb_username,
 bool may_do_cert_auth(struct pam_ctx *pctx, struct pam_data *pd);
 
 errno_t p11_refresh_certmap_ctx(struct pam_ctx *pctx,
-                                struct certmap_info **certmap_list);
+                                struct sss_domain_info *domains);
 
 errno_t
 pam_set_last_online_auth_with_curr_token(struct sss_domain_info *domain,
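Review bot: The new `domains` parameter of p11_refresh_certmap_ctx is undocumented in the header, so a caller cannot tell from the prototype whether the whole list or only its head is consulted, and that is exactly what this patch changes. A short comment above the prototype would settle it, e.g. `/* Rebuild pctx's certificate matching context from the certmaps of every domain in the list; the built-in default rule is added only when no domain has any rule configured. */`. The wording follows the two DLIST_FOR_EACH loops in the pamsrv_p11.c part of this patch.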
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index a6bb2897b7b78ba6cc239adeea020e7ef49629cd..ed9ad57bd6d8c4eda30d8e18f83aeea96474551f 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -1737,7 +1737,7 @@ static void pam_forwarder_cb(struct tevent_req *req)
         goto done;
     }
 
-    ret = p11_refresh_certmap_ctx(pctx, pctx->rctx->domains->certmaps);
+    ret = p11_refresh_certmap_ctx(pctx, pctx->rctx->domains);
     if (ret != EOK) {
         DEBUG(SSSDBG_OP_FAILURE,
               "p11_refresh_certmap_ctx failed, "
diff --git a/src/responder/pam/pamsrv_p11.c b/src/responder/pam/pamsrv_p11.c
index bf722074384d9cadd2303b71b5823b0bf47be081..ffa6787e967488ac408ce0f0a11b96066c29b630 100644
--- a/src/responder/pam/pamsrv_p11.c
+++ b/src/responder/pam/pamsrv_p11.c
@@ -142,11 +142,14 @@ static void ext_debug(void *private, const char *file, long line,
 }
 
 errno_t p11_refresh_certmap_ctx(struct pam_ctx *pctx,
-                                struct certmap_info **certmap_list)
+                                struct sss_domain_info *domains)
 {
     int ret;
     struct sss_certmap_ctx *sss_certmap_ctx = NULL;
     size_t c;
+    struct sss_domain_info *dom;
+    bool certmap_found = false;
+    struct certmap_info **certmap_list;
 
     ret = sss_certmap_init(pctx, ext_debug, NULL, &sss_certmap_ctx);
     if (ret != EOK) {
@@ -154,7 +157,15 @@ errno_t p11_refresh_certmap_ctx(struct pam_ctx *pctx,
         goto done;
     }
 
-    if (certmap_list == NULL || *certmap_list == NULL) {
+    DLIST_FOR_EACH(dom, domains) {
+        certmap_list = dom->certmaps;
+        if (certmap_list != NULL && *certmap_list != NULL) {
+            certmap_found = true;
+            break;
+        }
+    }
+
+    if (!certmap_found) {
         /* Try to add default matching rule */
         ret = sss_certmap_add_rule(sss_certmap_ctx, SSS_CERTMAP_MIN_PRIO,
                                    CERT_AUTH_DEFAULT_MATCHING_RULE, NULL, NULL);
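Review bot: The default matching rule is now added only when no domain at all carries a certmap entry, so a domain that has no rules of its own gets none as soon as any other domain defines one; with the previous single-list code that domain would have received the default rule. Whether that is intended depends on how the `domains` field of the other domains' rules restricts them, which is not visible here, but the first DLIST_FOR_EACH loop should state the choice, e.g. `/* The default rule is used only when no domain defines any rule; a domain without rules relies on the rules of the other domains. */`. The search loop also repeats the iteration of the second loop of this function; a helper such as `static bool any_domain_has_certmaps(struct sss_domain_info *domains)` would keep the two in step. p11_refresh_certmap_ctx starts before this hunk.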
@@ -166,24 +177,32 @@ errno_t p11_refresh_certmap_ctx(struct pam_ctx *pctx,
         goto done;
     }
 
-    for (c = 0; certmap_list[c] != NULL; c++) {
-        DEBUG(SSSDBG_TRACE_ALL,
-              "Trying to add rule [%s][%d][%s][%s].\n",
-              certmap_list[c]->name, certmap_list[c]->priority,
-              certmap_list[c]->match_rule, certmap_list[c]->map_rule);
-
-        ret = sss_certmap_add_rule(sss_certmap_ctx, certmap_list[c]->priority,
-                                   certmap_list[c]->match_rule,
-                                   certmap_list[c]->map_rule,
-                                   certmap_list[c]->domains);
-        if (ret != 0) {
-            DEBUG(SSSDBG_CRIT_FAILURE,
-                  "sss_certmap_add_rule failed for rule [%s] "
-                  "with error [%d][%s], skipping. "
-                  "Please check for typos and if rule syntax is supported.\n",
-                  certmap_list[c]->name, ret, sss_strerror(ret));
+    DLIST_FOR_EACH(dom, domains) {
+        certmap_list = dom->certmaps;
+        if (certmap_list == NULL || *certmap_list == NULL) {
             continue;
         }
+
+        for (c = 0; certmap_list[c] != NULL; c++) {
+            DEBUG(SSSDBG_TRACE_ALL,
+                  "Trying to add rule [%s][%d][%s][%s].\n",
+                  certmap_list[c]->name, certmap_list[c]->priority,
+                  certmap_list[c]->match_rule, certmap_list[c]->map_rule);
+
+            ret = sss_certmap_add_rule(sss_certmap_ctx,
+                                       certmap_list[c]->priority,
+                                       certmap_list[c]->match_rule,
+                                       certmap_list[c]->map_rule,
+                                       certmap_list[c]->domains);
+            if (ret != 0) {
+                DEBUG(SSSDBG_CRIT_FAILURE,
+                      "sss_certmap_add_rule failed for rule [%s] "
+                      "with error [%d][%s], skipping. "
+                      "Please check for typos and if rule syntax is supported.\n",
+                      certmap_list[c]->name, ret, sss_strerror(ret));
+                continue;
+            }
+        }
     }
 
     ret = EOK;
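Review bot: The failure log inside the inner loop does not say which domain the rejected rule belongs to, which matters now that rules from several domains are merged into one context and a rule name may repeat across domains. Adding the domain to the message, `"sss_certmap_add_rule failed for rule [%s] of domain [%s] "` with `certmap_list[c]->name, dom->name,` at the front of the argument list, makes the log entry unambiguous for the administrator. The trailing `continue;` at the end of the inner loop body is redundant and can be dropped. How sss_certmap_add_rule treats two rules with the same name coming from different domains is not visible in this hunk and is worth confirming.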
@@ -204,19 +223,21 @@ errno_t p11_child_init(struct pam_ctx *pctx)
     int ret;
     struct certmap_info **certmaps;
     bool user_name_hint;
-    struct sss_domain_info *dom = pctx->rctx->domains;
+    struct sss_domain_info *dom;
 
-    ret = sysdb_get_certmap(dom, dom->sysdb, &certmaps, &user_name_hint);
-    if (ret != EOK) {
-        DEBUG(SSSDBG_OP_FAILURE, "sysdb_get_certmap failed.\n");
-        return ret;
+    DLIST_FOR_EACH(dom, pctx->rctx->domains) {
+        ret = sysdb_get_certmap(dom, dom->sysdb, &certmaps, &user_name_hint);
+        if (ret != EOK) {
+            DEBUG(SSSDBG_OP_FAILURE, "sysdb_get_certmap failed.\n");
+            return ret;
+        }
+
+        dom->user_name_hint = user_name_hint;
+        talloc_free(dom->certmaps);
+        dom->certmaps = certmaps;
     }
 
-    dom->user_name_hint = user_name_hint;
-    talloc_free(dom->certmaps);
-    dom->certmaps = certmaps;
-
-    ret = p11_refresh_certmap_ctx(pctx, dom->certmaps);
+    ret = p11_refresh_certmap_ctx(pctx, pctx->rctx->domains);
     if (ret != EOK) {
         DEBUG(SSSDBG_OP_FAILURE, "p11_refresh_certmap_ctx failed.\n");
         return ret;
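Review bot: Returning from inside the DLIST_FOR_EACH loop on a sysdb_get_certmap failure leaves the domains already visited with refreshed `certmaps` and `user_name_hint` while the remaining ones keep their old values, and the p11_refresh_certmap_ctx call below is skipped, so the matching context is out of step with the stored rules. The partial update should be noted next to the `return ret;`, and the message should name the domain, `DEBUG(SSSDBG_OP_FAILURE, "sysdb_get_certmap failed for domain [%s].\n", dom->name);`, since the same text is otherwise printed for any domain. p11_child_init begins before and ends after this hunk.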
-- 
2.14.4