From 2e12cbdc8e2676b045a972045e9dae75b232dc76 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Thu, 2 Feb 2017 16:34:32 +0100 Subject: [PATCH 09/15] sss_cert_derb64_to_ldap_filter: add sss_certmap support MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Use certificate mapping library if available to lookup a user by certificate in LDAP. Related to https://pagure.io/SSSD/sssd/issue/3050 Reviewed-by: Jakub Hrozek Reviewed-by: Lukáš Slebodník --- Makefile.am | 1 + src/db/sysdb_ops.c | 2 +- src/db/sysdb_views.c | 4 +- src/providers/ipa/ipa_views.c | 2 +- src/providers/ldap/ldap_id.c | 2 +- src/tests/cmocka/test_cert_utils.c | 4 +- src/util/cert.h | 3 ++ src/util/cert/cert_common.c | 76 ++++++++++++++++++++++++++++++++------ 8 files changed, 76 insertions(+), 18 deletions(-) diff --git a/Makefile.am b/Makefile.am index 7947b7a5fbe3ca1034baac1c13c53300994b1bf8..f262cc24832358910dbb92ccd46f93c9eda8a295 100644 --- a/Makefile.am +++ b/Makefile.am @@ -952,6 +952,7 @@ libsss_cert_la_LIBADD = \ $(TALLOC_LIBS) \ libsss_crypt.la \ libsss_debug.la \ + libsss_certmap.la \ $(NULL) libsss_cert_la_LDFLAGS = \ -avoid-version \ diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c index 8ae25764478e522255b177f9e8de1d3ca1ad43fd..919f22370ff87eff2bf0bb569ca90f1ee699a61e 100644 --- a/src/db/sysdb_ops.c +++ b/src/db/sysdb_ops.c @@ -4661,7 +4661,7 @@ errno_t sysdb_search_object_by_cert(TALLOC_CTX *mem_ctx, char *user_filter; ret = sss_cert_derb64_to_ldap_filter(mem_ctx, cert, SYSDB_USER_MAPPED_CERT, - &user_filter); + NULL, NULL, &user_filter); if (ret != EOK) { DEBUG(SSSDBG_OP_FAILURE, "sss_cert_derb64_to_ldap_filter failed.\n"); return ret; diff --git a/src/db/sysdb_views.c b/src/db/sysdb_views.c index 9dc48f5b6c414bbc7c64bcd1fe73553f388588bd..1c416dd14049237e9f35d52f154035e3ff861469 100644 --- a/src/db/sysdb_views.c +++ b/src/db/sysdb_views.c @@ -862,8 +862,8 @@ errno_t sysdb_search_override_by_cert(TALLOC_CTX *mem_ctx, goto done; } - ret = sss_cert_derb64_to_ldap_filter(tmp_ctx, cert, SYSDB_USER_CERT, - &cert_filter); + ret = sss_cert_derb64_to_ldap_filter(tmp_ctx, cert, SYSDB_USER_CERT, NULL, + NULL, &cert_filter); if (ret != EOK) { DEBUG(SSSDBG_OP_FAILURE, "sss_cert_derb64_to_ldap_filter failed.\n"); diff --git a/src/providers/ipa/ipa_views.c b/src/providers/ipa/ipa_views.c index 29f589ec1fd05f59175dcc4592e6395941e6e034..5b6fcbc9b7c6f2ea7dbeecb01a5a3fd11b8a6854 100644 --- a/src/providers/ipa/ipa_views.c +++ b/src/providers/ipa/ipa_views.c @@ -156,7 +156,7 @@ static errno_t dp_id_data_to_override_filter(TALLOC_CTX *mem_ctx, if ((ar->entry_type & BE_REQ_TYPE_MASK) == BE_REQ_BY_CERT) { ret = sss_cert_derb64_to_ldap_filter(mem_ctx, ar->filter_value, ipa_opts->override_map[IPA_AT_OVERRIDE_USER_CERT].name, - &cert_filter); + NULL, NULL, &cert_filter); if (ret != EOK) { DEBUG(SSSDBG_OP_FAILURE, "sss_cert_derb64_to_ldap_filter failed.\n"); diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c index a8b4bc2cfc6e9d4e0d74b0e3e036afbcbf7eb26e..8e60769d09383ac8ebe33e5f64fd4fd9788e82cd 100644 --- a/src/providers/ldap/ldap_id.c +++ b/src/providers/ldap/ldap_id.c @@ -247,7 +247,7 @@ struct tevent_req *users_get_send(TALLOC_CTX *memctx, } ret = sss_cert_derb64_to_ldap_filter(state, filter_value, attr_name, - &user_filter); + NULL, NULL, &user_filter); if (ret != EOK) { DEBUG(SSSDBG_OP_FAILURE, "sss_cert_derb64_to_ldap_filter failed.\n"); diff --git a/src/tests/cmocka/test_cert_utils.c b/src/tests/cmocka/test_cert_utils.c index 35e8cb7513968079861048a7e8b0631229f202c0..5830131754e4cf318273151b586ef36d6a349829 100644 --- a/src/tests/cmocka/test_cert_utils.c +++ b/src/tests/cmocka/test_cert_utils.c @@ -297,11 +297,11 @@ void test_sss_cert_derb64_to_ldap_filter(void **state) struct test_state *ts = talloc_get_type_abort(*state, struct test_state); assert_non_null(ts); - ret = sss_cert_derb64_to_ldap_filter(ts, NULL, NULL, NULL); + ret = sss_cert_derb64_to_ldap_filter(ts, NULL, NULL, NULL, NULL, NULL); assert_int_equal(ret, EINVAL); ret = sss_cert_derb64_to_ldap_filter(ts, "AAECAwQFBgcICQ==", "attrName", - &filter); + NULL, NULL, &filter); assert_int_equal(ret, EOK); assert_string_equal(filter, "(attrName=\\00\\01\\02\\03\\04\\05\\06\\07\\08\\09)"); diff --git a/src/util/cert.h b/src/util/cert.h index bb64d0d7a0a48207df60f6e6e554da5e16a16b03..4598aa8df0cd860fed71d9cd2e4beec7f1910578 100644 --- a/src/util/cert.h +++ b/src/util/cert.h @@ -21,6 +21,7 @@ #include #include "util/util.h" +#include "lib/certmap/sss_certmap.h" #ifndef __CERT_H__ #define __CERT_H__ @@ -39,6 +40,8 @@ errno_t sss_cert_pem_to_derb64(TALLOC_CTX *mem_ctx, const char *pem, errno_t sss_cert_derb64_to_ldap_filter(TALLOC_CTX *mem_ctx, const char *derb64, const char *attr_name, + struct sss_certmap_ctx *certmap_ctx, + struct sss_domain_info *dom, char **ldap_filter); errno_t bin_to_ldap_filter_value(TALLOC_CTX *mem_ctx, diff --git a/src/util/cert/cert_common.c b/src/util/cert/cert_common.c index a29696ed3cd9f2168f47323fac97d44e9b49f921..766877089429ff1c01000a3986316c74583e3fa4 100644 --- a/src/util/cert/cert_common.c +++ b/src/util/cert/cert_common.c @@ -72,12 +72,17 @@ errno_t sss_cert_pem_to_derb64(TALLOC_CTX *mem_ctx, const char *pem, errno_t sss_cert_derb64_to_ldap_filter(TALLOC_CTX *mem_ctx, const char *derb64, const char *attr_name, + struct sss_certmap_ctx *certmap_ctx, + struct sss_domain_info *dom, char **ldap_filter) { int ret; unsigned char *der; size_t der_size; char *val; + char *filter = NULL; + char **domains = NULL; + size_t c; if (derb64 == NULL || attr_name == NULL) { return EINVAL; @@ -89,18 +94,67 @@ errno_t sss_cert_derb64_to_ldap_filter(TALLOC_CTX *mem_ctx, const char *derb64, return EINVAL; } - ret = bin_to_ldap_filter_value(mem_ctx, der, der_size, &val); - talloc_free(der); - if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, "bin_to_ldap_filter_value failed.\n"); - return ret; - } + if (certmap_ctx == NULL) { + ret = bin_to_ldap_filter_value(mem_ctx, der, der_size, &val); + talloc_free(der); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "bin_to_ldap_filter_value failed.\n"); + return ret; + } - *ldap_filter = talloc_asprintf(mem_ctx, "(%s=%s)", attr_name, val); - talloc_free(val); - if (*ldap_filter == NULL) { - DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n"); - return ENOMEM; + *ldap_filter = talloc_asprintf(mem_ctx, "(%s=%s)", attr_name, val); + talloc_free(val); + if (*ldap_filter == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n"); + return ENOMEM; + } + } else { + ret = sss_certmap_get_search_filter(certmap_ctx, der, der_size, + &filter, &domains); + talloc_free(der); + if (ret != 0) { + if (ret == ENOENT) { + DEBUG(SSSDBG_OP_FAILURE, + "Certificate does not match matching-rules.\n"); + } else { + DEBUG(SSSDBG_OP_FAILURE, + "sss_certmap_get_search_filter failed.\n"); + } + } else { + if (domains == NULL) { + if (IS_SUBDOMAIN(dom)) { + DEBUG(SSSDBG_TRACE_FUNC, + "Rule applies only to local domain.\n"); + ret = ENOENT; + } + } else { + for (c = 0; domains[c] != NULL; c++) { + if (strcasecmp(dom->name, domains[c]) == 0) { + DEBUG(SSSDBG_TRACE_FUNC, + "Rule applies to current domain [%s].\n", + dom->name); + ret = EOK; + break; + } + } + if (domains[c] == NULL) { + DEBUG(SSSDBG_TRACE_FUNC, + "Rule does not apply to current domain [%s].\n", + dom->name); + ret = ENOENT; + } + } + } + + if (ret == EOK) { + *ldap_filter = talloc_strdup(mem_ctx, filter); + if (*ldap_filter == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n"); + ret = ENOMEM; + } + } + sss_certmap_free_filter_and_domains(filter, domains); + return ret; } return EOK; -- 2.9.3