From a3cc501e36f5cf1e4a8187d723b53111f5481b36 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Mon, 30 Nov 2015 12:14:55 +0100 Subject: [PATCH 08/15] LDAP: always store the certificate from the request MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Store the certificate used to lookup a user as mapped attribute in the cached user object. Related to https://pagure.io/SSSD/sssd/issue/3050 Reviewed-by: Jakub Hrozek Reviewed-by: Lukáš Slebodník --- src/db/sysdb.h | 1 + src/db/sysdb_ops.c | 4 ++-- src/providers/ldap/ldap_id.c | 19 ++++++++++++++++++- src/tests/cmocka/test_nss_srv.c | 2 +- src/tests/cmocka/test_pam_srv.c | 6 +++--- src/tests/sysdb-tests.c | 4 ++-- 6 files changed, 27 insertions(+), 9 deletions(-) diff --git a/src/db/sysdb.h b/src/db/sysdb.h index 098f47f91187aac75c58c02f0af738c344765762..3db22b3689bf6ffd9a48e29c229916e3fac9ca1b 100644 --- a/src/db/sysdb.h +++ b/src/db/sysdb.h @@ -139,6 +139,7 @@ #define SYSDB_AUTH_TYPE "authType" #define SYSDB_USER_CERT "userCertificate" +#define SYSDB_USER_MAPPED_CERT "userMappedCertificate" #define SYSDB_USER_EMAIL "mail" #define SYSDB_SUBDOMAIN_REALM "realmName" diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c index 6c2254df2b75d3d3419528523103ad9cddb40c9d..8ae25764478e522255b177f9e8de1d3ca1ad43fd 100644 --- a/src/db/sysdb_ops.c +++ b/src/db/sysdb_ops.c @@ -4660,7 +4660,7 @@ errno_t sysdb_search_object_by_cert(TALLOC_CTX *mem_ctx, int ret; char *user_filter; - ret = sss_cert_derb64_to_ldap_filter(mem_ctx, cert, SYSDB_USER_CERT, + ret = sss_cert_derb64_to_ldap_filter(mem_ctx, cert, SYSDB_USER_MAPPED_CERT, &user_filter); if (ret != EOK) { DEBUG(SSSDBG_OP_FAILURE, "sss_cert_derb64_to_ldap_filter failed.\n"); @@ -4749,7 +4749,7 @@ errno_t sysdb_remove_mapped_data(struct sss_domain_info *domain, errno_t sysdb_remove_cert(struct sss_domain_info *domain, const char *cert) { - struct ldb_message_element el = { 0, SYSDB_USER_CERT, 0, NULL }; + struct ldb_message_element el = { 0, SYSDB_USER_MAPPED_CERT, 0, NULL }; struct sysdb_attrs del_attrs = { 1, &el }; const char *attrs[] = {SYSDB_NAME, NULL}; struct ldb_result *res = NULL; diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c index 898ddb18689d55fcc3fdf021b38df0e574003eb2..a8b4bc2cfc6e9d4e0d74b0e3e036afbcbf7eb26e 100644 --- a/src/providers/ldap/ldap_id.c +++ b/src/providers/ldap/ldap_id.c @@ -60,6 +60,7 @@ struct users_get_state { int dp_error; int sdap_ret; bool noexist_delete; + struct sysdb_attrs *extra_attrs; }; static int users_get_retry(struct tevent_req *req); @@ -99,6 +100,7 @@ struct tevent_req *users_get_send(TALLOC_CTX *memctx, state->conn = conn; state->dp_error = DP_ERR_FATAL; state->noexist_delete = noexist_delete; + state->extra_attrs = NULL; state->op = sdap_id_op_create(state, state->conn->conn_cache); if (!state->op) { @@ -251,6 +253,21 @@ struct tevent_req *users_get_send(TALLOC_CTX *memctx, "sss_cert_derb64_to_ldap_filter failed.\n"); goto done; } + + state->extra_attrs = sysdb_new_attrs(state); + if (state->extra_attrs == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "sysdb_new_attrs failed.\n"); + ret = ENOMEM; + goto done; + } + + ret = sysdb_attrs_add_base64_blob(state->extra_attrs, + SYSDB_USER_MAPPED_CERT, filter_value); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_add_base64_blob failed.\n"); + goto done; + } + break; default: ret = EINVAL; @@ -442,7 +459,7 @@ static void users_get_search(struct tevent_req *req) state->attrs, state->filter, dp_opt_get_int(state->ctx->opts->basic, SDAP_SEARCH_TIMEOUT), - lookup_type, NULL); + lookup_type, state->extra_attrs); if (!subreq) { tevent_req_error(req, ENOMEM); return; diff --git a/src/tests/cmocka/test_nss_srv.c b/src/tests/cmocka/test_nss_srv.c index 72bbaf9bf35ebb3fc4208afaa3c7af95922afcb0..76b9c6fb05673130de0957e93291919c263a28f3 100644 --- a/src/tests/cmocka/test_nss_srv.c +++ b/src/tests/cmocka/test_nss_srv.c @@ -3508,7 +3508,7 @@ static void test_nss_getnamebycert(void **state) der = sss_base64_decode(nss_test_ctx, TEST_TOKEN_CERT, &der_size); assert_non_null(der); - ret = sysdb_attrs_add_mem(attrs, SYSDB_USER_CERT, der, der_size); + ret = sysdb_attrs_add_mem(attrs, SYSDB_USER_MAPPED_CERT, der, der_size); talloc_free(der); assert_int_equal(ret, EOK); diff --git a/src/tests/cmocka/test_pam_srv.c b/src/tests/cmocka/test_pam_srv.c index ae2e555f7024027d1c0063031f8882bf81a31905..847419658bb983e6548722d6fa6fb22c63ee86b8 100644 --- a/src/tests/cmocka/test_pam_srv.c +++ b/src/tests/cmocka/test_pam_srv.c @@ -1598,7 +1598,7 @@ static int test_lookup_by_cert_cb(void *pvt) der = sss_base64_decode(pam_test_ctx, pvt, &der_size); assert_non_null(der); - ret = sysdb_attrs_add_mem(attrs, SYSDB_USER_CERT, der, der_size); + ret = sysdb_attrs_add_mem(attrs, SYSDB_USER_MAPPED_CERT, der, der_size); talloc_free(der); assert_int_equal(ret, EOK); @@ -1630,7 +1630,7 @@ static int test_lookup_by_cert_double_cb(void *pvt) der = sss_base64_decode(pam_test_ctx, pvt, &der_size); assert_non_null(der); - ret = sysdb_attrs_add_mem(attrs, SYSDB_USER_CERT, der, der_size); + ret = sysdb_attrs_add_mem(attrs, SYSDB_USER_MAPPED_CERT, der, der_size); talloc_free(der); assert_int_equal(ret, EOK); @@ -1658,7 +1658,7 @@ static int test_lookup_by_cert_wrong_user_cb(void *pvt) der = sss_base64_decode(pam_test_ctx, pvt, &der_size); assert_non_null(der); - ret = sysdb_attrs_add_mem(attrs, SYSDB_USER_CERT, der, der_size); + ret = sysdb_attrs_add_mem(attrs, SYSDB_USER_MAPPED_CERT, der, der_size); talloc_free(der); assert_int_equal(ret, EOK); diff --git a/src/tests/sysdb-tests.c b/src/tests/sysdb-tests.c index c343c734a27a335303974b6866a5d9e88d4c307e..5bdd631fbfa1b4463fb169e5f07b65fb2c784096 100644 --- a/src/tests/sysdb-tests.c +++ b/src/tests/sysdb-tests.c @@ -5721,7 +5721,7 @@ START_TEST(test_sysdb_search_user_by_cert) val.data = sss_base64_decode(test_ctx, TEST_USER_CERT_DERB64, &val.length); fail_unless(val.data != NULL, "sss_base64_decode failed."); - ret = sysdb_attrs_add_val(data->attrs, SYSDB_USER_CERT, &val); + ret = sysdb_attrs_add_val(data->attrs, SYSDB_USER_MAPPED_CERT, &val); fail_unless(ret == EOK, "sysdb_attrs_add_val failed with [%d][%s].", ret, strerror(ret)); @@ -5750,7 +5750,7 @@ START_TEST(test_sysdb_search_user_by_cert) data2 = test_data_new_user(test_ctx, 2345671); fail_if(data2 == NULL); - ret = sysdb_attrs_add_val(data2->attrs, SYSDB_USER_CERT, &val); + ret = sysdb_attrs_add_val(data2->attrs, SYSDB_USER_MAPPED_CERT, &val); fail_unless(ret == EOK, "sysdb_attrs_add_val failed with [%d][%s].", ret, strerror(ret)); -- 2.9.3