From ad463501d3bdea4c24c17d792efc1c3e65c08c19 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 11 Dec 2014 10:49:39 +0100
Subject: [PATCH 6/7] IPA: verify group memberships of trusted domain users
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Depending on the state of the cache group object a freshly created or
updates user entry for a trusted domain user might already be a member
of the group or not. This cache makes sure the requested user is a
member of all groups returned from the extdom request. Special care has
to be taken to cover cross-domain group-memberships properly.
Resolves https://fedorahosted.org/sssd/ticket/2529
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
---
src/providers/ipa/ipa_s2n_exop.c | 145 ++++++++++++++++++++++++++++++++++++++-
1 file changed, 144 insertions(+), 1 deletion(-)
diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c
index 0eab1afc36e4d2c1d770c596c512a641fd276425..677d1625860186ad02d4d8c7290d45b782bc4c38 100644
--- a/src/providers/ipa/ipa_s2n_exop.c
+++ b/src/providers/ipa/ipa_s2n_exop.c
@@ -568,7 +568,7 @@ static errno_t add_v1_user_data(BerElement *ber, struct resp_attrs *attrs)
attrs->ngroups++);
if (attrs->ngroups > 0) {
- attrs->groups = talloc_array(attrs, char *, attrs->ngroups);
+ attrs->groups = talloc_zero_array(attrs, char *, attrs->ngroups + 1);
if (attrs->groups == NULL) {
DEBUG(SSSDBG_OP_FAILURE, "talloc_array failed.\n");
ret = ENOMEM;
@@ -1528,6 +1528,81 @@ done:
return;
}
+static errno_t get_groups_dns(TALLOC_CTX *mem_ctx, struct sss_domain_info *dom,
+ char **name_list, char ***_dn_list)
+{
+ int ret;
+ TALLOC_CTX *tmp_ctx;
+ int c;
+ struct sss_domain_info *root_domain;
+ char **dn_list;
+
+ if (name_list == NULL) {
+ *_dn_list = NULL;
+ return EOK;
+ }
+
+ /* To handle cross-domain memberships we have to check the domain for
+ * each group the member should be added or deleted. Since sub-domains
+ * use fully-qualified names by default any short name can only belong
+ * to the root/head domain. find_domain_by_object_name() will return
+ * the domain given in the first argument if the second argument is a
+ * a short name hence we always use root_domain as first argument. */
+ root_domain = get_domains_head(dom);
+ if (root_domain->fqnames) {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Root domain uses fully-qualified names, " \
+ "objects might not be correctly added to groups with " \
+ "short names.\n");
+ }
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n");
+ return ENOMEM;
+ }
+
+ for (c = 0; name_list[c] != NULL; c++);
+
+ dn_list = talloc_zero_array(tmp_ctx, char *, c + 1);
+ if (dn_list == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_zero_array failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ for (c = 0; name_list[c] != NULL; c++) {
+ dom = find_domain_by_object_name(root_domain, name_list[c]);
+ if (dom == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Cannot find domain for [%s].\n", name_list[c]);
+ ret = ENOENT;
+ goto done;
+ }
+
+ /* This might fail if some unexpected cases are used. But current
+ * sysdb code which handles group membership constructs DNs this way
+ * as well, IPA names are lowercased and AD names by default will be
+ * lowercased as well. If there are really use-cases which cause an
+ * issue here, sysdb_group_strdn() has to be replaced by a proper
+ * search. */
+ dn_list[c] = sysdb_group_strdn(dn_list, dom->name, name_list[c]);
+ if (dn_list[c] == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_group_strdn failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+ }
+
+ *_dn_list = talloc_steal(mem_ctx, dn_list);
+ ret = EOK;
+
+done:
+ talloc_free(tmp_ctx);
+
+ return ret;
+}
+
static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
struct req_input *req_input,
struct resp_attrs *attrs,
@@ -1548,6 +1623,13 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
const char *tmp_str;
struct ldb_result *res;
enum sysdb_member_type type;
+ char **sysdb_grouplist;
+ char **add_groups;
+ char **add_groups_dns;
+ char **del_groups;
+ char **del_groups_dns;
+ bool in_transaction = false;
+ int tret;
tmp_ctx = talloc_new(NULL);
if (tmp_ctx == NULL) {
@@ -1716,6 +1798,13 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
gid = attrs->a.user.pw_gid;
}
+ ret = sysdb_transaction_start(dom->sysdb);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to start transaction\n");
+ goto done;
+ }
+ in_transaction = true;
+
ret = sysdb_store_user(dom, name, NULL,
attrs->a.user.pw_uid,
gid, attrs->a.user.pw_gecos,
@@ -1726,6 +1815,53 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
DEBUG(SSSDBG_OP_FAILURE, "sysdb_store_user failed.\n");
goto done;
}
+
+ if (attrs->response_type == RESP_USER_GROUPLIST) {
+ ret = get_sysdb_grouplist(tmp_ctx, dom->sysdb, dom, name,
+ &sysdb_grouplist);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "get_sysdb_grouplist failed.\n");
+ goto done;
+ }
+
+ ret = diff_string_lists(tmp_ctx, attrs->groups, sysdb_grouplist,
+ &add_groups, &del_groups, NULL);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "diff_string_lists failed.\n");
+ goto done;
+ }
+
+ ret = get_groups_dns(tmp_ctx, dom, add_groups, &add_groups_dns);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "get_groups_dns failed.\n");
+ goto done;
+ }
+
+ ret = get_groups_dns(tmp_ctx, dom, del_groups, &del_groups_dns);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "get_groups_dns failed.\n");
+ goto done;
+ }
+
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Updating memberships for %s\n",
+ name);
+ ret = sysdb_update_members_dn(dom, name, SYSDB_MEMBER_USER,
+ (const char *const *) add_groups_dns,
+ (const char *const *) del_groups_dns);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Membership update failed [%d]: %s\n",
+ ret, sss_strerror(ret));
+ goto done;
+ }
+ }
+
+ ret = sysdb_transaction_commit(dom->sysdb);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to commit transaction\n");
+ goto done;
+ }
+ in_transaction = false;
+
break;
case RESP_GROUP:
case RESP_GROUP_MEMBERS:
@@ -1818,6 +1954,13 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
}
done:
+ if (in_transaction) {
+ tret = sysdb_transaction_cancel(dom->sysdb);
+ if (tret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to cancel transaction\n");
+ }
+ }
+
talloc_free(tmp_ctx);
return ret;
--
1.9.3