From 91c099a993252680f103084431b1d0f5798d8a24 Mon Sep 17 00:00:00 2001

From: Jakub Hrozek <jhrozek@redhat.com>

Date: Tue, 21 Mar 2017 14:14:42 +0100

Subject: [PATCH 31/36] SECRETS: Store ccaches in secrets for the KCM responder

MIME-Version: 1.0

Content-Type: text/plain; charset=UTF-8

Content-Transfer-Encoding: 8bit

Adds a new "hive" to the secrets responder whose base path is /kcm. Only

root can contact the /kcm hive, because the KCM responder only runs as

root and it must impersonate other users and store ccaches on their behalf.

Reviewed-by: Michal Židek <mzidek@redhat.com>

Reviewed-by: Simo Sorce <simo@redhat.com>

---

 src/responder/secrets/local.c          | 16 +++++++-

 src/responder/secrets/providers.c      | 71 ++++++++++++++++++++++++++++++----

 src/responder/secrets/secsrv_private.h | 10 ++++-

 3 files changed, 86 insertions(+), 11 deletions(-)

diff --git a/src/responder/secrets/local.c b/src/responder/secrets/local.c

index 26c97a2849febbf0ac482d526cf927bfc103b4f2..02007ada8b673071ecba033df0eb3f81af93fcbd 100644

--- a/src/responder/secrets/local.c

+++ b/src/responder/secrets/local.c

@@ -26,6 +26,9 @@

 #define MKEY_SIZE (256 / 8)

+#define SECRETS_BASEDN  "cn=secrets"

+#define KCM_BASEDN      "cn=kcm"

+

 struct local_context {

     struct ldb_context *ldb;

     struct sec_data master_key;

@@ -119,6 +122,7 @@ static int local_encrypt(struct local_context *lctx, TALLOC_CTX *mem_ctx,

 static int local_db_dn(TALLOC_CTX *mem_ctx,

                        struct ldb_context *ldb,

+                       const char *basedn,

                        const char *req_path,

                        struct ldb_dn **req_dn)

 {

@@ -126,7 +130,7 @@ static int local_db_dn(TALLOC_CTX *mem_ctx,

     const char *s, *e;

     int ret;

-    dn = ldb_dn_new(mem_ctx, ldb, "cn=secrets");

+    dn = ldb_dn_new(mem_ctx, ldb, basedn);

     if (!dn) {

         ret = ENOMEM;

         goto done;

@@ -738,6 +742,11 @@ static int local_secrets_map_path(TALLOC_CTX *mem_ctx,

         lc_req->path = talloc_strdup(lc_req,

                                      secreq->mapped_path + (sizeof(SEC_BASEPATH) - 1));

         basedn = SECRETS_BASEDN;

+    } else if (strncmp(secreq->mapped_path,

+               SEC_KCM_BASEPATH, sizeof(SEC_KCM_BASEPATH) - 1) == 0) {

+        lc_req->path = talloc_strdup(lc_req,

+                                     secreq->mapped_path + (sizeof(SEC_KCM_BASEPATH) - 1));

+        basedn = KCM_BASEDN;

     } else {

         ret = EINVAL;

         goto done;

@@ -820,7 +829,10 @@ static struct tevent_req *local_secret_req(TALLOC_CTX *mem_ctx,

     DEBUG(SSSDBG_TRACE_LIBS, "Content-Type: %s\n", content_type);

     ret = local_secrets_map_path(state, lctx->ldb, secreq, &lc_req);

-    if (ret) goto done;

+    if (ret) {

+        DEBUG(SSSDBG_OP_FAILURE, "Cannot map request path to local path\n");

+        goto done;

+    }

     switch (secreq->method) {

     case HTTP_GET:

diff --git a/src/responder/secrets/providers.c b/src/responder/secrets/providers.c

index eba555d2e422d08db211979422a2957e48b51589..94831c73036d269addca45c0117811a2c68873fd 100644

--- a/src/responder/secrets/providers.c

+++ b/src/responder/secrets/providers.c

@@ -24,6 +24,14 @@

 #include "responder/secrets/secsrv_proxy.h"

 #include <jansson.h>

+typedef int (*url_mapper_fn)(struct sec_req_ctx *secreq,

+                             char **mapped_path);

+

+struct url_pfx_router {

+    const char *prefix;

+    url_mapper_fn mapper_fn;

+};

+

 static int sec_map_url_to_user_path(struct sec_req_ctx *secreq,

                                     char **mapped_path)

 {

@@ -42,10 +50,43 @@ static int sec_map_url_to_user_path(struct sec_req_ctx *secreq,

         return ENOMEM;

     }

-    DEBUG(SSSDBG_TRACE_LIBS, "User-specific path is [%s]\n", *mapped_path);

+    DEBUG(SSSDBG_TRACE_LIBS,

+          "User-specific secrets path is [%s]\n", *mapped_path);

     return EOK;

 }

+static int kcm_map_url_to_path(struct sec_req_ctx *secreq,

+                               char **mapped_path)

+{

+    uid_t c_euid;

+

+    c_euid = client_euid(secreq->cctx->creds);

+    if (c_euid != KCM_PEER_UID) {

+        DEBUG(SSSDBG_CRIT_FAILURE,

+              "UID %"SPRIuid" is not allowed to access "

+              "the "SEC_KCM_BASEPATH" hive\n",

+              c_euid);

+        return EPERM;

+    }

+

+    *mapped_path = talloc_strdup(secreq, secreq->parsed_url.path );

+    if (!*mapped_path) {

+        DEBUG(SSSDBG_CRIT_FAILURE,

+              "Failed to map request to user specific url\n");

+        return ENOMEM;

+    }

+

+    DEBUG(SSSDBG_TRACE_LIBS,

+          "User-specific KCM path is [%s]\n", *mapped_path);

+    return EOK;

+}

+

+static struct url_pfx_router secrets_url_mapping[] = {

+    { SEC_BASEPATH, sec_map_url_to_user_path },

+    { SEC_KCM_BASEPATH, kcm_map_url_to_path },

+    { NULL, NULL },

+};

+

 int sec_req_routing(TALLOC_CTX *mem_ctx, struct sec_req_ctx *secreq,

                     struct provider_handle **handle)

 {

@@ -55,21 +96,35 @@ int sec_req_routing(TALLOC_CTX *mem_ctx, struct sec_req_ctx *secreq,

     char *provider;

     int num_sections;

     int ret;

+    url_mapper_fn mapper_fn = NULL;

     sctx = talloc_get_type(secreq->cctx->rctx->pvt_ctx, struct sec_ctx);

-    /* patch must start with /secrets/ for now */

-    ret = strncasecmp(secreq->parsed_url.path,

-                      SEC_BASEPATH, sizeof(SEC_BASEPATH) - 1);

-    if (ret != 0) {

+    for (int i = 0; secrets_url_mapping[i].prefix != NULL; i++) {

+        if (strncasecmp(secreq->parsed_url.path,

+                        secrets_url_mapping[i].prefix,

+                        strlen(secrets_url_mapping[i].prefix)) == 0) {

+            DEBUG(SSSDBG_TRACE_LIBS,

+                  "Mapping prefix %s\n", secrets_url_mapping[i].prefix);

+            mapper_fn = secrets_url_mapping[i].mapper_fn;

+            break;

+        }

+    }

+

+    if (mapper_fn == NULL) {

         DEBUG(SSSDBG_CRIT_FAILURE,

-              "Path [%s] does not start with "SEC_BASEPATH"\n",

+              "Path [%s] does not start with any allowed prefix\n",

               secreq->parsed_url.path);

         return EPERM;

     }

-    ret = sec_map_url_to_user_path(secreq, &secreq->mapped_path);

-    if (ret) return ret;

+    ret = mapper_fn(secreq, &secreq->mapped_path);

+    if (ret != EOK) {

+        DEBUG(SSSDBG_CRIT_FAILURE,

+              "Failed to map the user path [%d]: %s\n",

+              ret, sss_strerror(ret));

+        return ret;

+    }

     /* source default provider */

     ret = confdb_get_string(secreq->cctx->rctx->cdb, mem_ctx,

diff --git a/src/responder/secrets/secsrv_private.h b/src/responder/secrets/secsrv_private.h

index 1c3fbd8eadb237551233f048503ddc01b4ba00ae..a8544f656517a17fe4576247779bff4850beaf97 100644

--- a/src/responder/secrets/secsrv_private.h

+++ b/src/responder/secrets/secsrv_private.h

@@ -101,7 +101,15 @@ int sec_get_provider(struct sec_ctx *sctx, const char *name,

                      struct provider_handle **out_handle);

 int sec_add_provider(struct sec_ctx *sctx, struct provider_handle *handle);

-#define SEC_BASEPATH "/secrets/"

+#define SEC_BASEPATH            "/secrets/"

+#define SEC_KCM_BASEPATH        "/kcm/"

+

+/* The KCM responder must "impersonate" the owner of the credentials.

+ * Only a trusted UID can do that -- root by default, but unit

+ * tests might choose otherwise */

+#ifndef KCM_PEER_UID

+#define KCM_PEER_UID            0

+#endif /* KCM_PEER_UID */

 /* providers.c */

 int sec_req_routing(TALLOC_CTX *mem_ctx, struct sec_req_ctx *secreq,

-- 

2.9.3