rpms / sssd

Clone
Source Code
GIT

Blame SOURCES/0059-IPA-lookup-AD-users-by-certificates-on-IPA-clients.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8 c8-beta c8s c9 c9-beta
  1.   bb7cd1535b208c22ad8c1541bee2b4b1f279474a
  2.   SOURCES
  3.   0059-IPA-lookup-AD-users-by-certificates-on-IPA-clients.patch
Blob History Raw
bb7cd1 
From 537e057ef3bd140e418381f2ce74397ab8c34a73 Mon Sep 17 00:00:00 2001
bb7cd1 
From: Sumit Bose <sbose@redhat.com>
bb7cd1 
Date: Fri, 24 Mar 2017 15:40:41 +0100
bb7cd1 
Subject: [PATCH 59/60] IPA: lookup AD users by certificates on IPA clients
bb7cd1
bb7cd1 
Get a list of users mapped to a certificate back from the IPA server,
bb7cd1 
look them up and store them together with the certificate used for the
bb7cd1 
search as mapped attribute to the cache.
bb7cd1
bb7cd1 
Related to https://pagure.io/SSSD/sssd/issue/3050
bb7cd1
bb7cd1 
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
bb7cd1 
---
bb7cd1 
 src/providers/ipa/ipa_s2n_exop.c | 109 +++++++++++++++++++++++++++++++++++++--
bb7cd1 
 1 file changed, 105 insertions(+), 4 deletions(-)
bb7cd1
bb7cd1 
diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c
bb7cd1 
index 05c32a24d61947e62884f460069083fb81f40fe0..8a3391b4093f1547d84fe44a0f24b1d063d1e28c 100644
bb7cd1 
--- a/src/providers/ipa/ipa_s2n_exop.c
bb7cd1 
+++ b/src/providers/ipa/ipa_s2n_exop.c
bb7cd1 
@@ -52,7 +52,8 @@ enum response_types {
bb7cd1 
     RESP_USER,
bb7cd1 
     RESP_GROUP,
bb7cd1 
     RESP_USER_GROUPLIST,
bb7cd1 
-    RESP_GROUP_MEMBERS
bb7cd1 
+    RESP_GROUP_MEMBERS,
bb7cd1 
+    RESP_NAME_LIST
bb7cd1 
 };
bb7cd1
bb7cd1 
 /* ==Sid2Name Extended Operation============================================= */
bb7cd1 
@@ -366,8 +367,8 @@ static errno_t s2n_encode_request(TALLOC_CTX *mem_ctx,
bb7cd1 
             break;
bb7cd1 
         case BE_REQ_BY_CERT:
bb7cd1 
             if (req_input->type == REQ_INP_CERT) {
bb7cd1 
-            ret = ber_printf(ber, "{ees}", INP_CERT, request_type,
bb7cd1 
-                                           req_input->inp.cert);
bb7cd1 
+                ret = ber_printf(ber, "{ees}", INP_CERT, request_type,
bb7cd1 
+                                               req_input->inp.cert);
bb7cd1 
             } else {
bb7cd1 
                 DEBUG(SSSDBG_OP_FAILURE, "Unexpected input type [%d].\n",
bb7cd1 
                                           req_input->type);
bb7cd1 
@@ -463,6 +464,11 @@ done:
bb7cd1 
  * GroupMemberList ::= SEQUENCE OF OCTET STRING
bb7cd1 
  */
bb7cd1
bb7cd1 
+struct name_list {
bb7cd1 
+    char *domain_name;
bb7cd1 
+    char *name;
bb7cd1 
+};
bb7cd1 
+
bb7cd1 
 struct resp_attrs {
bb7cd1 
     enum response_types response_type;
bb7cd1 
     char *domain_name;
bb7cd1 
@@ -475,6 +481,7 @@ struct resp_attrs {
bb7cd1 
     size_t ngroups;
bb7cd1 
     char **groups;
bb7cd1 
     struct sysdb_attrs *sysdb_attrs;
bb7cd1 
+    char **name_list;
bb7cd1 
 };
bb7cd1
bb7cd1 
 static errno_t get_extra_attrs(BerElement *ber, struct resp_attrs *resp_attrs)
bb7cd1 
@@ -782,6 +789,9 @@ static errno_t s2n_response_to_attrs(TALLOC_CTX *mem_ctx,
bb7cd1 
     struct resp_attrs *attrs = NULL;
bb7cd1 
     char *sid_str;
bb7cd1 
     bool is_v1 = false;
bb7cd1 
+    char **name_list = NULL;
bb7cd1 
+    ber_len_t ber_len;
bb7cd1 
+    char *fq_name = NULL;
bb7cd1
bb7cd1 
     if (retoid == NULL || retdata == NULL) {
bb7cd1 
         DEBUG(SSSDBG_OP_FAILURE, "Missing OID or data.\n");
bb7cd1 
@@ -947,6 +957,53 @@ static errno_t s2n_response_to_attrs(TALLOC_CTX *mem_ctx,
bb7cd1 
                 goto done;
bb7cd1 
             }
bb7cd1 
             break;
bb7cd1 
+        case RESP_NAME_LIST:
bb7cd1 
+            tag = ber_scanf(ber, "{");
bb7cd1 
+            if (tag == LBER_ERROR) {
bb7cd1 
+                DEBUG(SSSDBG_OP_FAILURE, "ber_scanf failed.\n");
bb7cd1 
+                ret = EINVAL;
bb7cd1 
+                goto done;
bb7cd1 
+            }
bb7cd1 
+
bb7cd1 
+            while (ber_peek_tag(ber, &ber_len) ==  LBER_SEQUENCE) {
bb7cd1 
+                tag = ber_scanf(ber, "{aa}", &domain_name, &name);
bb7cd1 
+                if (tag == LBER_ERROR) {
bb7cd1 
+                    DEBUG(SSSDBG_OP_FAILURE, "ber_scanf failed.\n");
bb7cd1 
+                    ret = EINVAL;
bb7cd1 
+                    goto done;
bb7cd1 
+                }
bb7cd1 
+
bb7cd1 
+                fq_name = sss_create_internal_fqname(attrs, name, domain_name);
bb7cd1 
+                if (fq_name == NULL) {
bb7cd1 
+                    DEBUG(SSSDBG_OP_FAILURE,
bb7cd1 
+                          "sss_create_internal_fqname failed.\n");
bb7cd1 
+                    ret = ENOMEM;
bb7cd1 
+                    goto done;
bb7cd1 
+                }
bb7cd1 
+                DEBUG(SSSDBG_TRACE_ALL, "[%s][%s][%s].\n", domain_name, name,
bb7cd1 
+                                                           fq_name);
bb7cd1 
+
bb7cd1 
+                ret = add_string_to_list(attrs, fq_name, &name_list);
bb7cd1 
+                ber_memfree(domain_name);
bb7cd1 
+                ber_memfree(name);
bb7cd1 
+                talloc_free(fq_name);
bb7cd1 
+                domain_name = NULL;
bb7cd1 
+                name = NULL;
bb7cd1 
+                fq_name = NULL;
bb7cd1 
+                if (ret != EOK) {
bb7cd1 
+                    DEBUG(SSSDBG_OP_FAILURE, "add_to_name_list failed.\n");
bb7cd1 
+                    goto done;
bb7cd1 
+                }
bb7cd1 
+            }
bb7cd1 
+
bb7cd1 
+            tag = ber_scanf(ber, "}}");
bb7cd1 
+            if (tag == LBER_ERROR) {
bb7cd1 
+                DEBUG(SSSDBG_OP_FAILURE, "ber_scanf failed.\n");
bb7cd1 
+                ret = EINVAL;
bb7cd1 
+                goto done;
bb7cd1 
+            }
bb7cd1 
+            attrs->name_list = name_list;
bb7cd1 
+            break;
bb7cd1 
         default:
bb7cd1 
             DEBUG(SSSDBG_OP_FAILURE, "Unexpected response type [%d].\n",
bb7cd1 
                                       type);
bb7cd1 
@@ -955,7 +1012,7 @@ static errno_t s2n_response_to_attrs(TALLOC_CTX *mem_ctx,
bb7cd1 
     }
bb7cd1
bb7cd1 
     attrs->response_type = type;
bb7cd1 
-    if (type != RESP_SID) {
bb7cd1 
+    if (type != RESP_SID && type != RESP_NAME_LIST) {
bb7cd1 
         attrs->domain_name = talloc_strdup(attrs, domain_name);
bb7cd1 
         if (attrs->domain_name == NULL) {
bb7cd1 
             DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
bb7cd1 
@@ -969,6 +1026,7 @@ static errno_t s2n_response_to_attrs(TALLOC_CTX *mem_ctx,
bb7cd1 
 done:
bb7cd1 
     ber_memfree(domain_name);
bb7cd1 
     ber_memfree(name);
bb7cd1 
+    talloc_free(fq_name);
bb7cd1 
     ber_free(ber, 1);
bb7cd1
bb7cd1 
     if (ret == EOK) {
bb7cd1 
@@ -1332,6 +1390,7 @@ struct ipa_s2n_get_user_state {
bb7cd1 
     struct resp_attrs *attrs;
bb7cd1 
     struct resp_attrs *simple_attrs;
bb7cd1 
     struct sysdb_attrs *override_attrs;
bb7cd1 
+    struct sysdb_attrs *mapped_attrs;
bb7cd1 
     int exop_timeout;
bb7cd1 
 };
bb7cd1
bb7cd1 
@@ -1384,6 +1443,11 @@ struct tevent_req *ipa_s2n_get_acct_info_send(TALLOC_CTX *mem_ctx,
bb7cd1 
         goto fail;
bb7cd1 
     }
bb7cd1
bb7cd1 
+    if (entry_type == BE_REQ_BY_CERT) {
bb7cd1 
+        /* Only REQ_SIMPLE is supported for BE_REQ_BY_CERT */
bb7cd1 
+        state->request_type = REQ_SIMPLE;
bb7cd1 
+    }
bb7cd1 
+
bb7cd1 
     ret = s2n_encode_request(state, dom->name, entry_type, state->request_type,
bb7cd1 
                              req_input, &bv_req);
bb7cd1 
     if (ret != EOK) {
bb7cd1 
@@ -1785,6 +1849,43 @@ static void ipa_s2n_get_user_done(struct tevent_req *subreq)
bb7cd1 
             goto done;
bb7cd1 
         }
bb7cd1
bb7cd1 
+        if (state->simple_attrs->response_type == RESP_NAME_LIST
bb7cd1 
+                && state->req_input->type == REQ_INP_CERT) {
bb7cd1 
+            state->mapped_attrs = sysdb_new_attrs(state);
bb7cd1 
+            if (state->mapped_attrs == NULL) {
bb7cd1 
+                DEBUG(SSSDBG_OP_FAILURE, "sysdb_new_attrs failed.\n");
bb7cd1 
+                ret = ENOMEM;
bb7cd1 
+                goto done;
bb7cd1 
+            }
bb7cd1 
+
bb7cd1 
+            ret = sysdb_attrs_add_base64_blob(state->mapped_attrs,
bb7cd1 
+                                              SYSDB_USER_MAPPED_CERT,
bb7cd1 
+                                              state->req_input->inp.cert);
bb7cd1 
+            if (ret != EOK) {
bb7cd1 
+                DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_add_base64_blob failed.\n");
bb7cd1 
+                goto done;
bb7cd1 
+            }
bb7cd1 
+
bb7cd1 
+            subreq = ipa_s2n_get_list_send(state, state->ev,
bb7cd1 
+                                           state->ipa_ctx, state->dom,
bb7cd1 
+                                           state->sh, state->exop_timeout,
bb7cd1 
+                                           BE_REQ_USER,
bb7cd1 
+                                           REQ_FULL_WITH_MEMBERS,
bb7cd1 
+                                           REQ_INP_NAME,
bb7cd1 
+                                           state->simple_attrs->name_list,
bb7cd1 
+                                           state->mapped_attrs);
bb7cd1 
+            if (subreq == NULL) {
bb7cd1 
+                DEBUG(SSSDBG_OP_FAILURE,
bb7cd1 
+                      "ipa_s2n_get_list_send failed.\n");
bb7cd1 
+                ret = ENOMEM;
bb7cd1 
+                goto done;
bb7cd1 
+            }
bb7cd1 
+            tevent_req_set_callback(subreq, ipa_s2n_get_list_done,
bb7cd1 
+                                    req);
bb7cd1 
+
bb7cd1 
+            return;
bb7cd1 
+        }
bb7cd1 
+
bb7cd1 
         break;
bb7cd1 
     default:
bb7cd1 
         DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected request type.\n");
bb7cd1 
--
bb7cd1 
2.9.3
bb7cd1

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation